In January, Microsoft issued a semi-public beta of its upcoming Service Pack 2 (SP2) release for Windows XP, a major upgrade for XP users that's focused largely on security. The Windows XP SP2 Beta isn't feature-complete--Microsoft tells me it's still fine-tuning the final feature set--but it does provide an interesting look at the direction the company is taking with its so-called "Springboard" security technologies, which are designed to retroactively apply recent security thinking to pre-existing products. (XP SP2 isn't the only Springboard release you can expect to see this year: Office 2003 Service Release 1, due in May, will also feature Springboard security technologies, as will Windows Server 2003 Service Pack 1, due in late 2004.)
"We've got quite a bit of work to do before its end-user ready," Matt Pilla, senior product manager for the Windows group, told me during a recent visit to the Microsoft campus. "The goal here is to get security features out to customers as soon as possible, but make sure its customizable enough that it doesn't block deployments." Pilla told me that 500 or so beta testers are evaluating the SP2 Beta code, in addition to MSDN Universal members. The goal now is to get feedback on the changes. The SP2 Beta isn't writ in stone: Microsoft has already made some changes since the SP2 Beta release and will significantly change the user interface for updated features like the Windows Firewall and wireless networking between now and the final release, Pilla said.
"This is a significant effort for the company," Pilla noted. "We're committed to security, and to getting customers secure. XP SP2 is about exposing features that are already in Windows, and making them more effective. We want people to install this. There will be major marketing activities around getting people to turn this on when it comes out. Microsoft wants to see broad adoption of this release. So we'll turn the crank on what types of things we'll do, get the OEM update out right away, getting the retail release to shelves right away."
I asked Pilla if XP SP2 would be added to the retail version of Windows XP, creating a new boxed version that would replace existing XP boxes on store shelves, but he said Microsoft hadn't committed to a final plan, though that was definitely a possibility. At a bare minimum, XP SP2 will be distributed as other service packs have been, via Windows Update and the Microsoft Web site. "Will be go above and beyond that for SP2?" Pilla asked. "That's to be determined."
Service Pack 2 Evolution
Originally, Service Pack 2 was to have been the simple, standard collection of post-RTM bug fixes that users now expect. But a spate of nasty electronic attacks against Windows computers last summer caused the company to step back and reassess what it could do with this release. The result was a far more ambitious service pack. "Viruses and worms are accelerating over time," Pilla told me. "They're costly to everyone--consumers and enterprises alike. We took feedback from our customers and our experiences with Trustworthy Computing over the years, our gained knowledge. And we asked, how do we bubble that up a level? We looked at some of the security technologies we were developing that provide protection above the patch level, like the firewall, security technologies that shield the lower pieces below it. We realized we could make a big impact with a few features without churning through the code again. So we decided to put these security technologies in place [with SP2]."
Obviously, with a dramatically more feature-rich SP2 release than originally planned, one might wonder how this impacts Microsoft's delivery schedule, especially for Longhorn, the next major Windows release, which seems to be perpetually due two years from now. I also wondered whether people had to be pulled over from other projects to work on SP2; historically, Microsoft has deployed a relatively small number of people for service pack releases. Pilla tells me that, while the decision to improve SP2 dramatically obviously affected SP2's schedule--it was originally due in fall 2003--it will have no bearing on Longhorn.
"Organizationally, [the new SP2] required no changes," Pilla said. "But it's a series of priorities, shifting from day to day. [The Windows team is working on] Windows Server Service Pack 1 (SP1), XP SP2, and Longhorn now." What Microsoft did, instead, was shift the focus on specific technologies--wireless networking and the new Windows Firewall, for example--away from Longhorn and into XP SP2. "Some of the technologies from SP2 are platform improvements that will carry over into the Longhorn time frame," Pilla explained. "We were working on them for Longhorn. So we just timed the timing because they were ready now. There's nothing we actually pulled back from Longhorn from a code perspective, it's more of an idea perspective."
So what is new in XP SP2? While this release isn't feature complete, it still provides a stunning amount of new code, the biggest improvement we've seen to Windows since the final shipping release of XP itself in October 2001. Here's an overview of the new features in the XP SP2 Beta.
Security Center
Windows XP SP2 build 2082, issued to testers February 24, 2004, added a number of new features (for more information, see my 2082 screenshot gallery). The most obvious of them is the new Security Center, a Web application-like dashboard with quick links to your system's security-related features (Figure). Security Center also brings with it an annoying tray notification icon, which is made all the more annoying in this initial build because the application is broken: When the Windows Firewall is turned on, Security Center warns you that it's turned off (Figure). And naturally, the reverse is also true: When you turn off Windows Firewall, Security Center believes that it's on. Just a guess, but I suspect Microsoft will be fixing that before the next release.
In any event, the idea behind Security Center is a good one: Put security information up front and center, and provide even the most inexperienced newcomer with the information they need to get their system secure when it's not. The Security Center UI is divided into three parts, Security essentials, which lists the status of your firewall, Automatic Updates, and virus protection; Security controls, which lets you quickly access Internet Options, the System control panel, and Windows Firewall; and a Resources list that provides access to related information (such as "Get the latest security and virus information from Microsoft" and the like). It's a reasonably attractive front-end.
In Security essentials, you can view and change the status of Windows Firewall, Automatic Updates, and the third, curious, choice of Virus Protection. I say "curious" because Microsoft doesn't bundle any virus protection features with Windows, and won't in SP2 either, so presumably this works with third-party virus protection, though I haven't tested that yet. Each feature can be listed as "On" (colored blue, for "good"), "Off" (colored red for "bad"), or "Unknown" (colored orange). When a feature is listed as "Off" or "Unknown," you'll see a Recommendations button that you can press to see Microsoft's recommended solution to the problem. In the case of Windows Firewall, Microsoft obviously recommends turning it on (Figure), but the company does include an option where you can specify that you have your own firewall solution that you'll monitor yourself. I was curious to see how Microsoft handled virus protection, since it doesn't make anti-virus software, but the feature is incomplete in build 2082 (Figure).
Wireless networking improvements
When XP first shipped in October 2001, it arrived as the first Windows version to include integrated wireless networking features, and for the uninitiated, it was a great feature: You could simply pop open a wirelessly-equipped notebook anywhere near a wireless access point and be online, automatically and instantly. There was just one problem: Most wireless networks, especially in the 2001-2002 era, were insecure, so you were often putting yourself at risk connecting to such networks.
In early 2002, Microsoft embarked on its Trustworthy Computing code review of Windows XP and other operating systems, halting development of its core products and identifying and fixing key vulnerabilities. In keeping with the Trustworthy Computing initiative, Windows XP Service Pack 1 (SP1), released in fall 2002, included a number of security-oriented changes. The most obvious of these involved wireless networking, and it significantly changed the way XP users interacted with wireless network.
From the end user perspective, wireless networking was no longer the seamless affair it was under the original XP, though it was more secure. With SP1, XP users were prevented from automatically connected to insecure wireless networks (meaning, of course, most wireless networks), and could only manually connect after checking a box authorizing the connection. This was in keeping with Microsoft's Trustworthy Computing ideals: Security first, and then convenience. But it was a pain in the butt.
To that end, wireless networking has been significantly overhauled in XP SP2 to be friendlier, more graphical and obvious, and easier to use. You're still prompted when you connect to an insecure wireless network, but XP now remembers that you authorized an insecure connection and automatically connects when that network is available in the future. The window for selecting from available wireless networks is likewise easier to use, with big, colorful graphics, a networks arranged logically by signal strength (figure). Basically, it combines the best features of the original XP and XP SP1 into a nicer-looking package. It's wireless networking done right.
New Windows Firewall
In the original version of Windows XP, Microsoft supplied Windows with an integrated firewall for the first time, which was a nice nod towards security: ICF is a stateful firewall, meaning that it inspects all incoming network traffic to your PC. There are just two (major) problems: XP's Internet Connection Firewall (ICF) isn't enabled by default and it isn't particularly configurable; assuming you can find the place to turn it on in the first place, all you get was a simple check box: It is either on or off. The Advanced Settings for ICF--where you can configure which services the firewall allows through--is even harder to find.
In XP SP2, ICF has been replaced with a new firewall, appropriately named Windows Firewall. Like ICF, Windows Firewall is a stateful firewall that monitors inbound network traffic, turning away unsolicited connections. Unlike ICF, Windows Firewall is enabled by default, and it protects traffic moving in two ways--inbound and outbound--and not just one-way (inbound), as with ICF. And it includes more functionality as well as a more obvious and more configurable management interface, similar to third party firewall products you might have tried, like ZoneAlarm.
First, Windows Firewall provides boot-time protection against network-based intrusion, eliminating a flaw in ICF where your XP-based computer was left unprotected for a short period of time. What I like about the boot-time protection feature is that it cannot be configured: While booting up, your computer is able to access basic network services like DHCP and DNS, but that's it. Once boot-up is complete, Windows Firewall switches into its normal runtime mode, which you can configure.
With Windows Firewall, XP adopts a global firewall strategy for the first time This contrasts to ICF, where each network adapter had its own firewall settings. A global policy means a firewall change is automatically transmitted to all network adapters, making it less likely that you'll forget to configure a single network adapter correctly. Also, enterprises that wish to rollout company-wide Group Policy (GP) via Active Directory (AD) can now do
But wait, there's more. Windows Firewall can also be configured to accept certain traffic only from the local network, but to deny it from the wider Internet. The obvious application here is file sharing: You may want to open up a share on your PC to other PCs in your home network, but you don't want people to access that share remotely. This local network restriction also makes the controversial Universal Plug and Play (UPnP) less dangerous; With SP2, XP-based PCs will only communicate with UPnP devices on the local network.
From the end user's perspective, Windows Firewall is far more obvious in the UI than was ICF. It's now available directly from the main Control Panel page and features a multi-tabbed configuration UI that lets you manage the feature (figure). You can set up the oddly-named "exceptions" (programs and services that are allowed through the firewall), for example, without having to drill down into a specific network adapter's advanced settings (figure). But the fun starts once you actually start using XP SP2: You will quickly begin noticing pop-up warnings--essentially a challenge-response system--as various applications and services attempt to get out past your firewall. As with Zone Alarm-type products, this process can get pretty annoying, and the confusingly-named buttons on the warning dialog don't do much to dispel any innate fears you may have. I've been told this UI will likely change before the final release, so it's too early to pass judgment. But stick with it: After a flurry of warnings early on, the Windows Firewall warning dialogs will slow down and appear infrequently.
So why bother with the challenge-response system? It turns out that XP's original ICF, while potentially less annoying, was also silently failing in certain scenarios and not providing any feedback to the user or to applications that were trying to communicate across the Internet for legitimate reasons. "A big category there is online gaming," Pilla explained. "Install a game like Age of Mythology, for example, with your firewall on and then host a LAN game. It looks like it works, but it's not working, and no one can connect. The game's docs will explain which port you have to open in the firewall, but that's not the right thing to expect the customer to do. It's not an obvious failure, and most applications don't handle it well, or at all. A pop-up is the best way to keep customers from turning their firewall into Swiss cheese."
"We're keenly aware of the annoyances of using a firewall," Pilla told me. "But the home networking environment is changing, and we need to have more baseline functionality. People are more aware of issues too. There's an education piece to this. Some of that will be online at Microsoft.com, and we'll also have more information right in the product, probably around the Help and Support stuff. We're trying to improve the information explaining the new features and how they will impact users."
Internet Explorer changes
Potentially the most-often-used end user application in Windows XP, Internet Explorer (IE) has been given an ignoble fate of late. The product hasn't seen a major upgrade, arguably, since IE 4.0 was released in 1997, and each of the subsequent releases has offered only minor tweaks and changes. This contrasts sharply with the development paths IE's competitors have taken in the time since. Today, leading-edge browsers like Apple Safari (Mac OS X 10.3 only) and Mozilla Firebird (various platforms) offer features consumers can really use, like integrated Google searching, pop-up ad blocking, and a tabbed user interface that lets users open multiple windows without cluttering the desktop. IE, meanwhile, looks more and more old-fashioned by comparison with each passing day.
Windows XP Service Pack 2 (SP2) will change some of that with a set of security-oriented improvements. Some of the changes are less visible than the pop-up ad blocking and browser add-on management that many users will find themselves investigating quickly. "We're trying to make the browsing experience more secure," Pilla said, "so we're enforcing the zones model that's been in there forever. The functionality and privileges in the Local Machine Zone are clearly understood: This is the highest level of privilege. In the Intranet Zone, things are a little less safe, but still safer than Internet Zone. The behavior we're changing here involves the elevation of privileges across zones. This can no longer happen, because it used to be possible to spoof the Local Machine Zone."
In the SP2 Beta, there isn't much new UI around the zone changes, but that's coming, along with more education around the potentially unsafe acts that can occur in less safe zones. "This change shouldn't impact a lot of Web sites," Pilla added. "But it might impact some Intranet Web sites that make assumptions about crossing zones." Pilla cited an example involving Microsoft Office, where if you save an Excel file as an MHT Web page, save it to the local file system, and then open it with IE, the file is rendered in the Local Machine Zone, even though it could be doing inline loading of binary code from a remote location. "We're still tweaking the behavior," he added. "We don't want to break applications or every Internet site." While the company hopes to uncover any incompatibilities during the beta, Microsoft did roll out SP2 to thousands of people at its Redmond campus and experienced no Intranet-based problems.
Pop-up ad blocking
While all of IE's major competitors provide basic pop-up ad blocking, IE users have been forced to turn to third-party add-ons like the Google toolbar to get this functionality. In XP SP2, however, Microsoft finally adds pop-up window blocking to IE. And unlike a lot of Microsoft's in-your-face technology, this one is done right. The first time you hit a Web site that attempts to pop-up an additional browser window (typically to serve an advertisement above or below the current window), IE displays its own window, asking "Do you want to block pop-up windows?" (figure) The dialog notes that the current page has tried to launch a pop-up window without your permission (that is, you didn't click on a link explicitly), and gives you the opportunity to prevent this type of activity in the future. Nice.
There are two management points for pop-up ad blocking in IE. The first is through a new icon in IE's status bar. When you click on this icon, you get a menu of choices, including "Show Blocked Pop-up Window," "Allow Pop-up Windows from This Site," "Block Pop-up Windows" (which will be checked if you've chosen to do so), and "Pop-up Windows Options," which launches the Pop-up Window Management window; here, you can populate a list of sites that you wish to receive pop-up windows from, and configure other pop-up window options. (figure)
The other entry point is through the new Pop-up Manager choice in IE's Tools menu. Here, you have two choices, "Block Pop-up Windows" (which, again, will be checked if you've enabled this feature) and Pop-up Window Options, which launches the Pop-up Window Management window.
In use, IE's pop-up ad blocking feature appears to work well. As with any pop-up blocker, the occasional window mysteriously arrives unbidden. But as a long-time Mozilla user who relies on this functionality, I can say that pop-up ad blocking is most welcome. You're definitely going to want to turn this on and leave it on.
Brower add-on management
New to IE in XP SP2 is an IE Add-on Management tool that helps you view and manage the list of plug-ins, toolbars, and other IE add-ons you may have installed on your system. The Add-on Management tool has two basic functions, from what I can tell. First, it allows you to arbitrarily deactivate or uninstall any plug-in that's been installed in Internet Explorer, whether you installed it manually or it was installed for you, surreptitiously or not, when you visited a Web site. Second, it prevents new plug-ins from being installed going forward, unless of course you want them there.
"This feature is designed to make sure folks can understand what add-ons are installed on their systems," Pilla told me. "It gives them the ability to disable the ones that they don't need. And when you visit a site that wants to download and install an ActiveX control, you'll get a pop-up window with choices like 'always run automatically,' 'let this run now,' or 'never run.'" Bravo. One of the things I've always detested about IE is that the dialog asking you to install Macromedia Shockwave or whatever doesn't have a "Never install, and stop asking me" option. Now it does.
"It's a tough thing," Pilla added. "If you look at the ActiveX controls that are on your system, you'll be surprised by how many there are. And what are these things, anyway? We're still looking for feedback about this issue, and how we can identify each add-on accurately so people won't turn off necessary components."
There are other practical reasons to disable add-ons you don't need. Data from Microsoft's highly successful Windows Error Reporting tool shows that browser add-ons are a major source of instability and reliability for IE. In SP2, this tool is used to examine IE crashes: If a non-system component causes a crash, you'll hear about it and can use this information--and the frequency of the crashes, I suppose--to determine whether that add-on needs to be disabled or uninstalled.
Changes in IE scripting capabilities
The security changes to IE don't stop there, however. In XP SP2, IE also prevents script-initiated changes to IE windows. Consider how things work today: If you navigate to an unscrupulous Web site such as the typical pornography site (not that I've ever personally witnessed such a thing), you can often be inundated with multiple pop-up windows and/or windows that suddenly grow to take over the entire screen and don't display the normal IE toolbars and status bars, preventing you from easily closing them. In many cases, these annoying sites can only be completely closed by purposefully crashing IE, which is silly. But it's not just an annoyance. Today, it's possible to place an IE window completely off-screen, and write malicious script code that could compromise your system. So Microsoft is preventing these sites from taking over your system in SP2 by disabling the scripting features that make this possible.
Specifically, Webmasters and other Web site creators will no longer be able to write scripts that position an IE window so that you cannot see or access the title bar, address bar, or status bar. And it will no longer be possible to position windows, via scripts, that are entirely off-screen. Furthermore, the IE status bar will always be on, and impossible to turn off via scripts.
Email and IM protection
Internet Explorer is quite obviously the number one attack vector for anyone trying to infiltrate Windows systems, but there are other high profile attack points that are growing in popularity. Responding to the need to protect users from email- or instant messaging (IM)-based attacks, Microsoft is making changes in SP2 that affect Outlook Express and Windows Messenger, XP's built-in email and IM applications.
Outlook Express changes
In Outlook 2003, Microsoft introduced much-needed email safety features that block images in HTML emails and isolate potentially dangerous email attachments (such as those with the .exe extension). With XP SP2, the company is adding this functionality to Outlook Express, the email client that's integrated with Windows.
These changes are designed to help prevent email virus attacks, such as the infamous SoBig.F virus that infected millions of systems last summer, and prevent spammers from positively identifying you as a valid email recipient. If you're familiar with Outlook 2003, the new Outlook Express behavior is virtually identical. When you display an HTML email message, for example, none of the graphics will load. A new heading will note that, "Some pictures have been blocked to help prevent the sender from identifying your computer." You can click in that area of the heading to display the images if you trust the source (I get HTML email messages from companies like Dell, HP, and Microsoft, and will typically elect to display images from those sources). If you don't trust the source, hang tight: Because you haven't downloaded the remotely-accessible images, that individual (potentially a spammer) has no way of knowing you're a valid contact.
Microsoft implemented this change by placing Outlook Express in IE's Restricted sites zone. You can optionally choose to be in the less secure Internet zone, and block images separately, but neither are recommended, unless you're interested in getting viruses or spam regularly. One thing you can't do is set up a white list of trust sources for which you'd like to have images automatically downloaded. You might think this is an oversight, but Microsoft did this on purpose: Because email is so easily spoofed, it would be trivial for a spammer or virus writer to pose as Dell, Microsoft, or some other trusted source, thus opening me up to the very attacks I'm trying to prevent. Of course, manually enabling images for trust emails is a bit cumbersome, but it's better than the alternative.
On the attachment end, unsafe attachments are isolated from the rest of the system so that viruses can't run rampant and cause damage. "The technology behind that feature is a new API called Attachment Execution Services," Pilla told me. "We allow those attachments to run in reduced privileges, and looked to Outlook 2003 for how to implement it. But now, even the Outlook team is looking at using it in future versions. It's a public API we encourage third parties to use as well."
Windows Messenger changes
Windows Messenger also benefits from the new Attachment Execution Services API, isolating potentially unsafe sent files so that you don't inadvertently infect your system.
New product update features
Microsoft first introduced Windows Update, a Web-based product update service, with Windows 98 almost six years ago. Since then, Windows Update has been augmented with new functionality several times, and Microsoft has also added Auto Update, an automated patch delivery mechanism, to Windows. In Windows XP, Auto Update was even updated to let users optionally download and install critical updates on a regular schedule (daily at 3 a.m. by default). Before Slammer and SoBig.F hit last summer, most Windows users didn't seem too interested in letting Microsoft automatically update their systems. However, that's all changed now, and XP SP2 will include significant updates to both of these technologies.
Windows Update
XP SP2 users are directed to a new version of the Windows Update Web site, which has been streamlined to make the choices simpler and more obvious. A new Express Install provides all of the available critical updates in a single, easily-accessible package. To get at driver updates and non-critical system updates, there is a new Custom Install option. Whichever option you choose, the End-User License Agreement (EULA) and download dialog has changed to a more usable horizontal layout.
Beyond surface-level changes to the UI, the real improvements to Windows Update lie under the hood. By the time SP2 ships in mid-2004, Microsoft will have completely revamped its internal patch management infrastructure, which is being consolidated to ensure that all of the company's customer-touching patch management tools--Windows Update, Auto Update, Systems Management Server (SMS), Software Update Services (SUS), Microsoft Baseline Security Analyzer (MBSA), and so on--will provide consistent results, which is most definitely not the case today. And a wider patch management back-end, dubbed Microsoft Update, will encompass all of Microsoft's updateable products, including Office.
Auto Update
Since XP first shipped, Microsoft updated Auto Update to optionally download and install critical updates. In XP SP2, Microsoft has reversed its previously low-key approach to automatic updating, and will now be more in the face of customers to ensure that as many people as possible are using a feature that could save them a lot of grief. To this end, after you install XP SP2, the system reboots and you're presented with a blue Setup-style screen, essentially an advertisement, which implores you to enable Automatic Updates. My advice is to do it, and to enable automatic installation of patches as well: We're long past the time when suspicion of Microsoft outweighs the potential damage from viruses and worms. Think about it: Would you rather have Microsoft or a script kiddie running code on your PC?
Low-level architectural changes
Most of the changes we've discussed so far are high profile in the sense that you will be confronted by these changes graphically and obviously when you install XP SP2. Other changes, however, will work behind the scenes to make XP more secure, and though you might never be explicitly aware of their existence, they will impact the reliability and security of your system in huge ways.
Network protection
In XP SP2, Microsoft has made changes to the Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) technologies in a bid to reduce the success rate of network-based attacks. This is one of the areas in SP2 that will actually break current applications. Generically speaking, both RPC and DCOM involve the remote activation of code, so the potential vulnerabilities there are probably pretty obvious.
Memory protection
Windows XP SP2 includes support for the modern Execution Protection (NX) hardware execution environment that's included with the AMD Opteron 64 and Athlon 64 family of processors and on Intel's Itanium products (Intel will reportedly include this feature in future versions of the Pentium 4 and Xeon microprocessors as well). NX protects against over 90 percent of buffer overrun errors, one of the most common methods hackers use to inject malware into running software.
"Beyond that," Pilla added, "We're working with the developer division and research groups at Microsoft to promote use of the GS compiler flag [which helps prevent buffer overrun errors]. With SP2, we're recompiling binaries with latest version of our compiler, so if previous code reviews and tools didn't find buffer overrun errors, when it's recompiled with GS, it will be more difficult for exploits to get through to the compiled code. The flag obfuscates any buffer overrun that do get through, and reduces the likelihood of buffer overruns significantly." The result, hopefully, will be a more resilient and reliable Windows.
Conclusions
In my review for Windows XP Service Pack 1 (SP1), I noted that that release wasn't your average service pack. That description is even more apt for SP2, which is in effect a major update to Windows XP, one that will likely replace existing XP versions on store shelves when it ships in mid-2004. XP SP2 is laden with much-needed security features, and a must-have upgrade for all XP users. I recommend that all Windows XP users upgrade to this service pack as soon as possible.