Since its 2001 release, Windows XP—Microsoft's predominant client OS—has been a favorite attacker target. XP Service Pack 1 (SP1) contains critical software and security patches but didn't bring fundamental changes to the client security experience. Since releasing XP SP1, Microsoft has optimized its security patching process through better patch distribution and installation automation. An optimized patching process is nice, but it doesn't improve your security unless you apply the patches. XP SP2 adds important security features for clients who have a lax attitude toward security and security patching. It provides intelligent and automated security configuration and locks down the platform by default, thus better protecting even unpatched systems against intruder attacks.
In XP SP2, Microsoft Internet Explorer (IE) includes important security enhancements. Headlines are an add-on manager, a pop-up blocking mechanism, and Local Machine security zone lockdown.
At the time of writing, SP2's release date was set for August 2004. Later this year or in early 2005, Microsoft plans a similar security release for its current enterprise OS: Windows Server 2003 SP1.
Intelligent Add-On Management
Browser add-ons are ActiveX controls, browser helper objects, and browser and toolbar extensions that browser users install intentionally or unintentionally. Users can intentionally install add-ons while running an executable or unknowingly install them while viewing Web pages. Both types of add-ons can create security risks, but unintentional add-ons are especially worrisome—a user might, for example, accidentally install an add-on that records all user credentials and sends them to a server on the Internet. The XP SP2 IE add-on manager lets users view, enable, disable, and update all IE add-ons. Updating means that the add-on manager lets a user connect to the add-on publisher's Web site and download the most recent version to his or her browser. The add-on manager also comes with add-on crash detection. When an add-on causes IE to crash, IE prompts the user to disable the add-on.
Figure 1, page 2, shows the new add-on manager. Users can access it by selecting Tools, Manage Add-ons or by selecting Tools, Internet Options, then going to the Programs tab and clicking Manage Add-ons. Alternatively, users can open the Internet Options dialog box from the Windows Control Panel. The Show drop-down box lets the browser user control which add-ons are displayed: Add-ons currently loaded in Internet Explorer or Add-ons that have been used by Internet Explorer. The latter option includes add-ons that are installed but not currently loaded. To enable or disable an add-on, select it, then select the Enable or Disable option in the Settings section at the bottom left of the dialog box. To update an ActiveX add-on, click Update ActiveX in the Update section at the bottom right of the dialog box.
Administrators can use registry settings to control the add-on manager's behavior and users' access to its configuration features. For example, to disable a user's ability to manage add-ons, set the NoExtensionManagement entry (type REG_DWORD) under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions subkey or HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions subkey to 0. You can also use the AllowList and DenyList registry entries to create explicit allow and deny add-on lists. When you use the AllowList entry, IE denies all add-ons except for the ones specified in the AllowList entry. When you use the DenyList entry, IE allows all add-ons except for the ones specified in the DenyList entry. To uniquely identify add-ons in the AllowList and DenyList entries, you use the add-ons' class ID (CLSID). Table 1 shows the add-on management registry settings, including AllowList and DenyList.
You can use Group Policy Object (GPO) settings to centrally control the registry settings in Table 1. In Group Policy Editor (GPE), the GPO settings are in the User Configuration\Administrative Templates\Windows Components\Internet Explorer GPO container. To update your existing GPOs with XP SP2's new inetres.adm administrative template settings, log on to an XP SP2 machine by using an account that's a member of the Domain Administrators, Enterprise Administrators, or Group Policy Creator Owners security group. In the GPE, right-click User Configuration\Administrative Templates and select Add/Remove Templates. In the Add/Remove Templates dialog box, select the new XP SP2 inetres.adm file to load it into your existing GPOs.
In SP2, Microsoft has also enhanced the IE add-on download and installation dialog boxes so that they inform the user about the risks of installing IE add-ons. Figure 2 shows the warning that appears when a user downloads a file from the Web; Figure 3 shows the caution that pops up when the user accesses a Web site that tries to install add-ons (such as ActiveX controls) from an untrusted publisher. Untrusted publishers are Web content providers whose content contains an invalid digital signature. By default, IE in SP2 won't run untrusted content. The RunInvalidSignatures registry entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Download subkey or HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download subkey controls this behavior and has a default value of 0.
Browser pop-ups—windows that automatically appear when you're browsing the Web and that typically advertise something—are a major annoyance for today's Internet users. Before XP SP2, IE users had to install additional software to block pop-ups (e.g., you can download the Google Toolbar or MSN Toolbar, which perform this service, for free from http://toolbar.google.com or http://toolbar.msn.com, respectively). But XP SP2 comes with built-in IE pop-up blocking support, which is turned on by default.
When SP2 IE detects a pop-up, it automatically displays a pop-up Information Bar at the top of the browser and a pop-up notification icon in the IE status bar at the bottom of the browser, as Figure 4 shows. If you click the bar or icon, you have the following options: show the blocked pop-up, allow pop-ups from this site (which adds the site's URL to the pop-up Allowed sites list that I discuss later), block pop-ups, or open the Pop-up Blocker Settings dialog box.
Alternatively, you can select Tools, Pop-up Blocker to open the Pop-up Blocker Settings dialog box. Or you can select Tools, Internet Options, or open the Control Panel's Internet Options applet, then go to the Privacy tab, select Block pop-ups and click Settings in the Pop-up blocker section, as Figure 5, page 4, shows, to open the box.
The pop-up blocker configuration options let you determine blocking behavior and exclude Web sites from pop-up blocking. You can tell IE to play a sound and display the pop-up Information Bar when it blocks a pop-up. You can set pop-up blocking behavior for links that you click at a particular Web site. If you enable the Block pop-ups opened from links I click option, you can press the Alt key at the same time you click a link to override the blocking. To exclude a Web site from pop-up blocking, type its URL in the address field, then click Add. This action adds the URL to the Allowed sites list, which is stored in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow registry subkey. Although the new inetres.adm template file doesn't include this subkey, you can use the template to centrally enable and disable pop-up management on your users' desktops. To do so, use the Disable pop-up management and its UI setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer container. This setting affects the HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPopupManagement registry subkey.
SP2 IE's pop-up blocker doesn't block pop-ups that appear when you click a Web link or URL (unless you set it to do so, as described above). It also doesn't block pop-ups from Web sites included in the IE Trusted Sites and Local Intranet security zones. You can control IE's behavior when browsing sites in these zones by using the Internet Options dialog box's Security tab.
Hidden IE Security Changes
XP SP2 IE includes more interesting security features under the hood. Most important are more secure object caching, window restrictions, zone elevation blocking, and Local Machine security zone lockdown.
Object caching in SP2 is more secure because IE now prohibits Web pages from accessing Web content cached by Web pages in other domains (in this context, a domain is a Fully Qualified Domain Name—FQDN). For example, IE can block Web pages that contain scripts that monitor for events such as browser users entering credit card numbers on Web pages that are part of other domains. More secure object caching is enabled by default in SP2 and can be controlled through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING\Iexplore.exe registry subkey (a value of 1 means that secure caching is enabled). You can centrally control this feature by using the GPO settings in the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection container.
IE window restrictions restrict scripts' ability to programmatically open new windows, resize existing windows, or turn off a window's title or status bar. This feature effectively blocks windows that try to spoof desktop objects or overlay the IE address bar. It also ensures that IE users can always see a Web page's security zone. Window restrictions are enabled by default for IE processes, and you can control this feature through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\Iexplore.exe registry subkey (a value of 1 means that window restrictions are enabled). You can centrally control this feature by using the GPO settings in the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions container.
SP2 IE's zone elevation blocking feature prevents Web pages from calling pages that are part of a less-restrictive IE security zone. Malicious Web pages may attempt to do so in order to elevate their privileges on the local machine. In this context, the IE security zones are ranked as follows from the most restrictive to the least restrictive: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone. Remember that a Web page's security zone is determined by its location. For example, Internet pages are automatically assigned to the Internet security zone.
In previous IE versions, the Local Machine security zone lets Web content run with relatively few restrictions. Web content is automatically assigned to the Local Machine security zone if it's stored on the local file system—even if it's just cached locally by IE. As I mentioned earlier, intruders exploit this feature to elevate privileges and compromise a computer. In SP2, Web content in the Local Machine security zone has fewer privileges. Every time Web content attempts a Local Machine security zone restricted action, the following text appears in the IE Information Bar:
This page has been restricted from running active content that might be able to access your computer. If you trust this page, click here to allow it to access your computer.

Local Machine lockdown is enabled by default for IE processes, and you can control this feature through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Iexplore.exe registry subkey (a value of 1 means that the feature is enabled). You can centrally control this feature by using the settings in the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security container.
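The registry locations above (the FeatureControl entries for object caching, window restrictions and Local Machine lockdown, the RunInvalidSignatures download setting, and the per-user pop-up Allowed sites list) lend themselves to a quick audit. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes a PowerShell release that runs on XP (PowerShell 2.0 requires SP3), read access to HKEY_LOCAL_MACHINE, and uses Microsoft's documented key names FEATURE_WINDOW_RESTRICTIONS and FEATURE_ZONE_ELEVATION (the latter is the zone elevation blocking key, which the article describes but doesn't name).

```powershell
# Added example (not from the article). Each FEATURE_* key holds a REG_DWORD
# value named after the process (iexplore.exe); 1 means the protection is on.
$ieMain = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
$checks = @(
    @{ Name='Object caching protection';    Path="$ieMain\FEATURE_OBJECT_CACHING";       Value='iexplore.exe'; Expected=1 },
    @{ Name='Scripted window restrictions'; Path="$ieMain\FEATURE_WINDOW_RESTRICTIONS";   Value='iexplore.exe'; Expected=1 },
    @{ Name='Zone elevation blocking';      Path="$ieMain\FEATURE_ZONE_ELEVATION";        Value='iexplore.exe'; Expected=1 },
    @{ Name='Local Machine zone lockdown';  Path="$ieMain\FEATURE_LOCALMACHINE_LOCKDOWN"; Value='iexplore.exe'; Expected=1 },
    # Download setting from the article: 0 means untrusted (invalidly signed) content won't run.
    @{ Name='Block invalidly signed content'; Path='HKLM:\SOFTWARE\Microsoft\Internet Explorer\Download'; Value='RunInvalidSignatures'; Expected=0 }
)

function Test-IeSp2Hardening {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.($c.Value) }
        # NOT SET: the value is absent, so the built-in default applies;
        # WEAK: the value is present but explicitly weaker than the SP2 default.
        $status = 'WEAK'
        if ($null -eq $actual) { $status = 'NOT SET' }
        elseif ($actual -eq $c.Expected) { $status = 'OK' }
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Path     = $c.Path
            Value    = $c.Value
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# The per-user pop-up Allowed sites list: every value name under this key is a
# site that bypasses the blocker, so review any entry the user can't account for.
function Get-PopupAllowList {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows\Allow'
    if (Test-Path $key) { (Get-Item $key).GetValueNames() }
}

Test-IeSp2Hardening | Format-Table Setting, Status, Expected, Actual -AutoSize
Write-Host 'Pop-up Allowed sites:'
Get-PopupAllowList
```

Run it under the account whose pop-up allow list you want to inspect, because that list lives under HKEY_CURRENT_USER while the FeatureControl entries are machine-wide.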
XP SP2 includes crucial security enhancements for both users and developers. Most important is the fact that XP SP2 offers more security resilience: It increases the level of security and protection even on systems that don't have the latest security patches installed. XP SP2 is Microsoft's first step in offering more proactive (instead of reactive) security protection for its platforms and applications.