Windows & .NET Magazine UPDATE--Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security--January 6, 2004

This Issue Sponsored By

Executive Software: New Diskeeper 8.0

Exchange & Outlook Administrator


1. Commentary: Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security

2. Hot Off the Press
- Tech Consortium Claims to Have Solved Intellectual Property Security Problems

3. Announcements
- Register for Windows & .NET Magazine Connections!
- The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!

4. Instant Poll
- Results of Previous Poll: Patch Management
- New Instant Poll: IT Job Market

5. Resources
- Featured Thread: Changes In Password Policy
- Tip: If I have only one domain, which servers should be Global Catalog (GC) servers?

6. Event
- New--Microsoft Security Strategies Roadshow!

7. New and Improved
- Organize and Manage Your Windows
- Remotely Access Console and DOS Legacy Applications
- Tell Us About a Hot Product and Get a T-Shirt!

8. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: Executive Software: New Diskeeper 8.0 ====
Maintain system speed with NEW Diskeeper 8.0
You know fragmentation kills system speed. NEW Diskeeper 8.0 makes it easier than ever to eliminate speed-robbing fragmentation across your entire network! NEW performance index shows you exactly how much speed you're losing to fragmentation. NEW Terabyte Volume Engine quickly defragments ultra-large server volumes. NEW Administrator Edition provides centralized management and automated e-mail alerts. NEW user interface allows for faster, easier scheduling. 30-day money-back guarantee. Try the new version FREE - download the fully-functional trial edition now!


==== 1. Commentary: Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security ====
by Paul Thurrott, News Editor, [email protected]

Last week, I examined the events leading up to Microsoft's dramatically changed Windows XP Service Pack 2 (SP2) release, a set of updates to the software giant's latest client release that has changed significantly since its original design. Today's XP SP2 is almost entirely centered on what Microsoft calls "safety technologies," so although the release will contain a collection of bug fixes, XP SP2 will also include a slew of new features. The following is a list of new features in the first XP SP2 beta; however, Microsoft tells me this beta isn't complete and that the company will add other features in future betas.

The new Internet Connection Firewall (ICF) version in XP SP2 is on by default and now offers two-way (i.e., inbound and outbound) protection. ICF boasts several new administration-related features, including a full set of configuration options, Active Directory (AD) administration capabilities through Group Policy, command-line support that's compatible with logon scripts and remote management, and multiple-profile support. The new ICF version is also enabled earlier in the boot process, eliminating the possibility that intruders could insert errant code over a network before the system fully comes up.

Network Attack Protection
In addition to the new ICF version, XP SP2 includes a refined version of the remote procedure call (RPC) technology, which reduces the attack surface of XP machines attached to remote resources. RPC also runs under reduced privileges in XP SP2, reducing the chance that errant code can gain a foothold in your system and cause problems.

IE Improvements
XP SP2 provides an improved Microsoft Internet Explorer (IE) version that contains several new features. A new opt-in pop-up ad blocking feature announces itself the first time you access a page that tries to open a pop-up window. (IE won't block pop-ups you enable by clicking a hyperlink.) This feature is configurable, so you can create a list of trusted sites if needed. The new IE also removes the capability of Web sites to open child windows that have certain features removed. For example, it's no longer possible to open a pop-up window with the address bar, title bar, status bar, or toolbars removed. Microsoft added this feature so that users can close any pop-up windows that do open. Furthermore, scripts can't position windows so that the title bar or address bar are above the top of the display or so the window's status bar is below the bottom of the display. IE also includes a new locked-down Local Machine security zone to help prevent malicious scripts and other dangerous Web downloads from compromising the system.

Microsoft has also overhauled IE's add-on subsystem, a move that will require plug-in makers to revamp their products. The end result, however, is better safety for users. Inadvertently installing spyware or malicious ActiveX controls will now be more difficult, and the programs will also be easier to remove. The add-on manager also monitors IE crashes caused by add-ons, letting you disable unstable add-ons. Perhaps most important, the IE add-on manager is fully manageable: You can centrally configure IE's crash-management options and which add-ons are allowed or denied.

Outlook Express and Windows Messenger Improvements
The Microsoft Outlook Express version in XP SP2 includes more secure default settings and isolation of potentially unsafe attachments, helping to ensure that email-borne attacks can't affect the system. Outlook Express also picks up a neat feature from Microsoft Office Outlook 2003: It won't download images in HTML email by default (spammers often use tracking devices in HTML images to ensure you're getting their email). Like Outlook Express, the Windows Messenger version included with XP SP2 isolates any transferred files that might be unsafe.

Memory Protection
Over the years, an amazing number of buffer overrun errors have been at the root of various Windows compromises. Although Microsoft sought to find and remove any potential exploits during its infamous 2002 Trustworthy Computing code review, many problems remain. So XP SP2 includes several new security technologies, originally designed for Windows Longhorn, that battle buffer overruns. Some of these changes are software based and will aid all XP users; others require the new "no execute" (NX) microprocessor feature that's built in to all modern Intel and AMD microprocessors. The NX feature uses the computer's microprocessor to separate application code from data, ensuring that an electronic attack won't be able to insert virulent code into memory reserved for data.

New Windows Update
XP SP2 connects to a new version of Windows Update, which offers a convenient Express Install feature that automatically selects and installs all critical updates. You can also use a new optional updates section to choose features, including software updates (e.g., Microsoft Windows Movie Maker 2, Microsoft Windows Journal Viewer) and system-specific drivers. XP SP2 contains many other computer-maintenance-related technologies, but Microsoft says it will document them in the future. Expect a second beta release by the end of March: I'll have more information about other new features as they become available.

NSA Publishes Windows XP Security Guidelines
In a related bit of news, I want to alert you to an interesting release from the National Security Agency (NSA), which this week published a guide to securing XP. According to the site, "To assist our Windows XP user community, NSA has developed security configuration guidance for Windows XP, with the cooperation of other government agencies and industry partners who provided their expertise and extensive technical review." Check out the guide at the following URL:


==== Sponsor: Exchange & Outlook Administrator ====
Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and down time. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Tech Consortium Claims to Have Solved Intellectual Property Security Problems
Project Hudson, a tech consortium consisting of Intel, Matsushita, Nokia, Samsung, and Toshiba, claims to have solved the problem of digitally securing intellectual property. The consortium says it will soon issue a new system for securing digital music, video, and software that offers content providers the first truly safe digital delivery system. If true, the system neatly bypasses competing efforts--most notably the Microsoft Digital Rights Management (DRM) scheme, which has been the most successful intellectual property security system so far--while ignoring other offerings from record companies, RealNetworks, Apple Computer, and others. For the complete story, visit the following URL:

==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)

Register for Windows & .NET Magazine Connections!
Windows & .NET Magazine Connections will be held April 4-7, 2004, in Las Vegas, Nevada. Complete details about workshops, breakout sessions, and speakers are now online. Save $200 if you hurry and register before the early bird discount expires. Register now on the Web or by calling 203-268-3204 or 800-505-1201.

The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
With a VIP Web site/Super CD subscription, you'll get online access to all our publications, a print subscription to Windows & .NET Magazine, and a subscription to our VIP Web site, a banner-free resource loaded with articles you can't find anywhere else. Click here to find out how you can get it all at 25 percent off!

==== 4. Instant Poll ====

Results of Previous Poll: Patch Management
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Do you think Microsoft's plan to release monthly security updates will significantly help enterprises with patch-management tasks?" Here are the results from the 269 votes:
- 39% Yes
- 52% No
- 9% I don't know

New Instant Poll: IT Job Market
The next Instant Poll question is, "Do you think the IT job market will improve in 2004?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, b) Probably, c) Probably not, or d) Definitely not.

==== 5. Resources ====

Featured Thread: Changes In Password Policy
User kkenne is having problems trying to get the server to take anything besides the default seven characters for the password. He has changed the password-length policy to two or three characters and also disabled Group Policy, but he still has to put in seven characters for the password for any user. What's he doing wrong? If you can help, join the discussion at the following URL:

Tip: If I have only one domain, which servers should be Global Catalog (GC) servers?
by John Savill

If you have just one domain, Microsoft recommends that you make all the domain controllers (DCs) GC servers so that your network won't incur any extra space usage or processing. In essence, the infrastructure Flexible Single Master Operation (FSMO) role still checks the GC for many operations. By making all DCs GC servers, you can spread the FSMO's request load to all DCs and prevent one DC from asking another DC for information that the first DC already has. Although the FSMO can't typically reside on a GC, you won't encounter any problems as long as only one domain exists because the FSMO won't need to keep track of any external domain objects.

==== 6. Event ====
(brought to you by Windows & .NET Magazine)

New--Microsoft Security Strategies Roadshow!
We've teamed with Microsoft, Avanade, and Network Associates to bring you a full day of training to help you get your organization secure and keep it secure. You'll learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free, 20-city tour.

==== 7. New and Improved ====
by Carolyn Mader, [email protected]

Organize and Manage Your Windows
Actual Tools released Actual Window Menu, window menu-extension software that provides users with alternative ways of organizing and managing windows. Actual Window Menu adds several menu items to a standard window menu. New commands include Roll Up and Unroll Window, Set Window Transparency, Change Program Priority, Minimize to Task Tray, and Keep Window on Top. The program is available in English, German, Spanish, French, Portuguese, and Italian. Actual Window Menu runs on Windows XP/2000/NT/Me/9x and costs $14.95.

Remotely Access Console and DOS Legacy Applications
Zilab Software released Zilab Remote Console Server 3.0, software that gives you remote access to console and DOS legacy applications. The software is a remote access server that runs as a regular network service for Windows XP/2000/NT. Zilab Remote Console Server dynamically displays the console panel without distortions. The program also provides access time management, session monitoring and reviewing, the capability to set restrictions by IP and domain address, and forced online session disconnection. Pricing is $99 for one copy of the server-side component.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Link ====

Microsoft(R) Security Readiness Kit
Get your free kit for creating an enhanced risk-management plan.


==== 8. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2004, Penton Media, Inc.
