Several weeks ago, I discussed the upcoming Service Pack 2 (SP2) for Windows XP, which will include OS enhancements that improve security for networking, memory, email, and Web browsing. More detailed information is now available about the changes to networking and memory, and some changes in SP2 will affect applications, so developers and administrators will need to be aware of the changes.
Changes to the network will include modifications to Internet Connection Firewall (ICF), the remote procedure call (RPC) interface, and Distributed COM (DCOM). ICF will be modified so that it starts much earlier during the boot sequence, which closes the window of time in which the network stack is active but ICF isn't. ICF will also include an application white list that will help automate access-port provisioning, support for RPC traffic, such as file sharing and remote administration traffic, and a new shielded mode that can prevent unsolicited inbound traffic from entering the system.
RPC has been a sore spot in Windows for quite some time, presenting a few dangerous security holes that have been exploited to the dismay of countless users around the world. SP2 will improve RPC by eliminating remote anonymous access to RPC interfaces by default and requiring NT LAN Manager (NTLM) authentication for connections. As a result, you'll need to modify RPC-based client software.
Microsoft will change DCOM behavior in SP2 so that computerwide restrictions exist alongside granular COM permissions. A new ACL check will be introduced for activation, launch, and calls to COM servers and will be configurable through the Microsoft Management Console (MMC) Component Services snap-in. Under the new computerwide restrictions, a computerwide ACL check will run (in addition to server-specific ACL checks) before a COM action is allowed on that computer. Microsoft doesn't anticipate that the new restrictions and permissions will require modifications to software, but configuration adjustments might be required.
In addition to the standard anonymous COM calls that XP permits, SP2 will introduce four new rights: remote launch, local launch, remote activate, and local activate. The rights require authentication, and you'll need to modify ACLs if you implement the rights. The new rights allow for backward compatibility with existing software that relies on default COM security settings.
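The four rights named above map to individual access-mask bits in the computerwide launch ACL, so an administrator can list which accounts hold which right. The PowerShell below is an added example, not code from Microsoft or from the original article. It assumes the ACL is stored in the MachineLaunchRestriction value under HKLM\SOFTWARE\Microsoft\Ole, uses the COM_RIGHTS_* bit values from the Windows SDK, and falls back to a constructed sample descriptor when the registry value is absent; the function and variable names are hypothetical.

```powershell
# Added example. Requires Windows PowerShell 5 or later.
# Bit values are the COM_RIGHTS_* constants from the Windows SDK.
$LaunchRights = @{
    LocalLaunch    = 0x02  # COM_RIGHTS_EXECUTE_LOCAL
    RemoteLaunch   = 0x04  # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivate  = 0x08  # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivate = 0x10  # COM_RIGHTS_ACTIVATE_REMOTE
}
$AnonymousSid = 'S-1-5-7'  # well-known SID for ANONYMOUS LOGON
$SdType = [System.Security.AccessControl.RawSecurityDescriptor]

function Get-ComLaunchRestriction {
    param([Parameter(Mandatory)]
          [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        # Skip ACE types that do not carry a simple SID plus access mask.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Names of the rights whose bit is set in this ACE's mask.
        $names = @($LaunchRights.Keys | Sort-Object |
            Where-Object { $ace.AccessMask -band $LaunchRights[$_] })
        $remoteBits = $ace.AccessMask -band (0x04 -bor 0x10)
        # Flag an allow ACE that gives unauthenticated callers a remote right.
        $flag = ($ace.AceQualifier -eq 'AccessAllowed') -and
                ($ace.SecurityIdentifier.Value -eq $AnonymousSid) -and
                ($remoteBits -ne 0)
        [pscustomobject]@{
            Sid             = $ace.SecurityIdentifier.Value
            Type            = $ace.AceQualifier
            Rights          = $names -join ', '
            AnonymousRemote = $flag
        }
    }
}

$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.MachineLaunchRestriction) {
    # Live value: a self-relative security descriptor stored as binary data.
    $sd = $SdType::new([byte[]]$ole.MachineLaunchRestriction, 0)
} else {
    # Constructed sample SDDL (not a real default): Administrators hold all
    # four rights, Everyone holds local rights only, Anonymous holds remote rights.
    $sd = $SdType::new('O:BAG:BAD:(A;;0x1f;;;BA)(A;;0xb;;;WD)(A;;0x15;;;AN)')
}
Get-ComLaunchRestriction -Descriptor $sd | Format-Table -AutoSize
```

With the constructed sample, only the Anonymous entry (S-1-5-7) is reported with AnonymousRemote set to True.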
SP2 also introduces support for execution protection features built into some processors. The SP2 capability, called "no execute" (NX), will mark some memory space (i.e., the heap, stacks, and memory pools) as nonexecutable space. This action will help protect systems against buffer overruns, which worms such as MSBlaster have used to compromise systems. Microsoft said that in the case of MSBlaster, NX would have caused the system to generate a memory access violation and terminate the process. A Denial of Service (DoS) condition would have been created; however, the worm couldn't have spread to other systems. Currently only AMD's K8 processor and Intel's Itanium processors have execution protection features.
Microsoft has said it will also improve the security of Outlook Express and Windows Messenger so that attached files will become isolated and less prone to breach system security. Microsoft Internet Explorer (IE) improvements will help mitigate problems presented by malicious scripts, downloads, ActiveX controls, and spyware, which in many cases enters and is executed on a system without a user's awareness.
You can read more information about SP2 in "Windows XP Service Pack 2: A Developer's View" at the URL below. Whether you're an administrator or a developer, be sure to check it out so that you have a head start on planning for an SP2 rollout.