Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security

Last week, I examined the events leading up to Microsoft's dramatically changed Windows XP Service Pack 2 (SP2) release, a set of updates to the software giant's latest client release that has changed significantly since its original design. Today's XP SP2 is almost entirely centered on what Microsoft calls "safety technologies," so although the release will contain a collection of bug fixes, XP SP2 will also include a slew of new features. The following is a list of new features in the first XP SP2 beta; however, Microsoft tells me this beta isn't complete and that the company will add other features in future betas.

The new Internet Connection Firewall (ICF) version in XP SP2 is on by default and now offers two-way (i.e., inbound and outbound) protection. ICF boasts several new administration-related features, including a full set of configuration options, Active Directory (AD) administration capabilities through Group Policy, command-line support that's compatible with logon scripts and remote management, and multiple-profile support. The new ICF version is also enabled earlier in the boot process, eliminating the possibility that intruders could insert errant code over a network before the system fully comes up.

Network Attack Protection
In addition to the new ICF version, XP SP2 includes a refined version of the remote procedure call (RPC) technology, which reduces the attack surface of XP machines attached to remote resources. RPC also runs under reduced privileges in XP SP2, reducing the chance that errant code can gain a foothold in your system and cause problems.

IE Improvements
XP SP2 provides an improved Microsoft Internet Explorer (IE) version that contains several new features. A new opt-in pop-up ad blocking feature announces itself the first time you access a page that tries to open a pop-up window. (IE won't block pop-ups you enable by clicking a hyperlink.) This feature is configurable, so you can create a list of trusted sites if needed. The new IE also removes the capability of Web sites to open child windows that have certain features removed. For example, it's no longer possible to open a pop-up window with the address bar, title bar, status bar, or toolbars removed. Microsoft added this feature so that users can close any pop-up windows that do open. Furthermore, scripts can't position windows so that the title bar or address bar are above the top of the display or so the window's status bar is below the bottom of the display. IE also includes a new locked-down Local Machine security zone to help prevent malicious scripts and other dangerous Web downloads from compromising the system.

Microsoft has also overhauled IE's add-on subsystem, a move that will require plug-in makers to revamp their products. The end result, however, is better safety for users. Inadvertently installing spyware or malicious ActiveX controls will now be more difficult, and the programs will also be easier to remove. The add-on manager also monitors IE crashes caused by add-ons, letting you disable unstable add-ons. Perhaps most important, the IE add-on manager is fully manageable: You can centrally configure IE's crash-management options and which add-ons are allowed or denied.

Outlook Express and Windows Messenger Improvements
The Microsoft Outlook Express version in XP SP2 includes more secure default settings and isolation of potentially unsafe attachments, helping to ensure that email-borne attacks can't affect the system. Outlook Express also picks up a neat feature from Microsoft Office Outlook 2003: It won't download images in HTML email by default (spammers often use tracking devices in HTML images to ensure you're getting their email). Like Outlook Express, the Windows Messenger version included with XP SP2 isolates any transferred files that might be unsafe.

Memory Protection
Over the years, an amazing number of buffer overrun errors have been at the root of various Windows compromises. Although Microsoft sought to find and remove any potential exploits during its infamous 2002 Trustworthy Computing code review, many problems remain. So XP SP2 includes several new security technologies, originally designed for Windows Longhorn, that battle buffer overruns. Some of these changes are software based and will aid all XP users; others require the new "no execute" (NX) microprocessor feature that's built in to all modern Intel and AMD microprocessors. The NX feature uses the computer's microprocessor to separate application code from data, ensuring that an electronic attack won't be able to insert virulent code into memory reserved for data.

New Windows Update
XP SP2 connects to a new version of Windows Update, which offers a convenient Express Install feature that automatically selects and installs all critical updates. You can also use a new optional updates section to choose features, including software updates (e.g., Microsoft Windows Movie Maker 2, Microsoft Windows Journal Viewer) and system-specific drivers. XP SP2 contains many other computer-maintenance-related technologies, but Microsoft says it will document them in the future. Expect a second beta release by the end of March: I'll have more information about other new features as they become available.

NSA Publishes Windows XP Security Guidelines
In a related bit of news, I want to alert you to an interesting release from the National Security Agency (NSA), which this week published a guide to securing XP. According to the site, "To assist our Windows XP user community, NSA has developed security configuration guidance for Windows XP, with the cooperation of other government agencies and industry partners who provided their expertise and extensive technical review." Check out the guide at the following URL:

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.