Windows XP SP2: Coming to a PC Near You

The next major version of Windows may still be hovering just out of sight, but today's security problems are very much with us and looming larger all the time.

The next major version of Windows may still be hovering just out of sight, but today's security problems are very much with us, looming larger all the time. And though a properly configured Windows XP system with the latest security patches is fairly well-protected from most Internet-borne threats, many XP systems aren't set up correctly or fully updated.

Longhorn, the next major Windows update, should ameliorate the situation, but no one can wait that long. As an interim solution, Microsoft soon will release the security-centric Windows XP Service Pack 2 (SP2) update.

If Microsoft hasn't managed to get SP2 out the door by the time you read this, you should still be able to download the current release candidate here.


SP2 is dedicated to enhancing security in a variety of ways. Microsoft had originally planned for SP2 to turn on Automatic Updates by default to ensure that as many users as possible installed important patches. But this turned out to be illegal in some countries.

Instead, users will be forced to choose "on" or "off" (see Figure 1) during installation (or, we assume, on first boot for machines that come with SP2 preinstalled).

Automatic Updates currently install only critical patches for Windows; in SP2, they'll install both critical and security patches for Windows as well as some other Microsoft applications. If a download is interrupted, Windows Update will restart at the point where the interruption occurred. At shutdown, if updates have been downloaded but not installed, Windows will offer to install them and then shut down.


The new Security Center keeps essential security information visible. Its tray icon turns red (see Figure 2) if there's a problem or yellow if new updates are available. Double-clicking on the icon brings up the Security Center window, showing the current security status in three areas: Firewall, Automatic Updates and Virus Protection (see Figure 3).

Though the final lists of supported applications aren't yet available, SP2 will monitor a number of third-party antivirus and firewall products and warn users if they are turned off or out of date. The Security Center also includes direct links to configuration of Automatic Updates, Internet Options and the Windows Firewall.


Many of SP2's security enhancements are hidden. It offers tighter control of communications protocols such as RPC (Remote Procedure Call), DCOM (Distributed Component Object Model) and WebDAV (Web-based Distributed Authoring and Versioning). The system is protected against buffer-overrun exploits used by many Trojans. The Local Zone Lockdown prevents Trojans from taking advantage of reduced restrictions for programs running on the local machine.

Although these won't make a visible difference in your day-to-day experience, they're important steps toward keeping you safer. Now, we'll take a detailed look at three areas where SP2's changes will be apparent: Windows Firewall, Internet Explorer and Outlook Express.

If all Windows XP users had enabled the operating system's Internet Connection Firewall (ICF), they would have been protected from worms like Nimda, Blaster and Sasser. But the ICF was disabled by default, and its low profile meant many users never noticed it. In addition, when users did enable it, the ICF blocked desired tasks such as sharing a network printer, except for those users expert enough to open specific ports manually.

Microsoft has learned something from experience: The Windows Firewall in SP2, which replaces the ICF, is substantially easier to use and configure, and offers greater security—and it's enabled by default. And protection now begins the moment the computer boots up.

During the boot process, the firewall watches network traffic by using stateful packet inspection (SPI), checking every incoming data packet against the record of outgoing requests for data. If any incoming packet doesn't match a request, Windows Firewall discards it.

When system initialization is complete, this simple boot-time policy is replaced by Windows Firewall's run-time policy, which may permit incoming traffic on specific ports or for specific programs.

Where the ICF was hidden away on the last tab of the Properties dialog for each network connection, Windows Firewall's status is immediately visible in the Security Center. If it's not on, the Security Center's tray icon will turn red. Users can reach the Windows Firewall configuration page directly from the Security Center. And Windows Firewall settings apply to all network connections.

A complete lockdown by Windows Firewall would provide total protection—but block file and printer sharing, instant messaging, remote access and other useful functions. Windows Firewall automatically offers to enable file and printer sharing, restricted by default to the local network. A number of other common exceptions are predefined in the configuration dialog.

Users also can open specific ports to allow incoming (unrequested) packets for any program, or to allow a program unlimited access to inbound traffic on all ports. It's not possible to do both at once—you can't limit a specific program to inbound traffic only on specific ports—but you can limit the scope of each exception to just the local network or to a specific list of trusted IP addresses.
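The two policies described above (the boot-time stateful check, and the run-time exceptions with their scopes) can be traced through with a small simulation. The following is an added illustration, not code from the original article and not Microsoft's implementation: the `Firewall`, `Packet` and `ExceptionRule` names, the addresses, the port numbers and the program name `im_client.exe` are all constructed for the example. It models the three scopes from the text (ALL, the local network, and a list of trusted addresses) and shows the same SMB port opening with scope ALL beside the local-network scope SP2 offers by default.

```python
"""Simulation of the Windows XP SP2 firewall decisions described in the article.

Constructed example, not Microsoft's code. Boot-time policy: stateful packet
inspection only, so an inbound packet passes only if it answers an outbound
request the host already made. Run-time policy: the same stateful check plus
exceptions (port openings and program exceptions), each limited to a scope of
ALL, SUBNET (the local network) or CUSTOM (a list of trusted addresses).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP" or "UDP"
    src: str           # source address
    src_port: int
    dst: str           # destination address
    dst_port: int
    program: str = ""  # inbound only: local program bound to dst_port


@dataclass(frozen=True)
class ExceptionRule:
    kind: str              # "port" or "program"
    scope: str             # "ALL", "SUBNET" or "CUSTOM"
    proto: str = "ALL"     # port rules: "TCP", "UDP" or "ALL"
    port: int = 0          # port rules only
    program: str = ""      # program rules only
    addresses: tuple = ()  # CUSTOM scope: addresses or CIDR networks


class Firewall:
    def __init__(self, local_net):
        self.local_net = ipaddress.ip_network(local_net)
        self.runtime = False  # False = boot-time policy, True = run-time policy
        self.rules = []
        self.flows = set()    # (proto, remote addr, remote port, local port)

    def outbound(self, pkt):
        """Record an outbound request so its reply can be matched later."""
        self.flows.add((pkt.proto, pkt.dst, pkt.dst_port, pkt.src_port))

    def _in_scope(self, rule, remote):
        addr = ipaddress.ip_address(remote)
        if rule.scope == "ALL":
            return True
        if rule.scope == "SUBNET":
            return addr in self.local_net
        return any(addr in ipaddress.ip_network(a, strict=False)
                   for a in rule.addresses)

    def inbound(self, pkt):
        """Return ("allow" | "drop", reason) for an inbound packet."""
        # The stateful check applies under both policies: remote address,
        # remote port and local port must match a request we sent.
        if (pkt.proto, pkt.src, pkt.src_port, pkt.dst_port) in self.flows:
            return "allow", "reply to an outbound request"
        if not self.runtime:
            return "drop", "boot-time policy discards unsolicited traffic"
        for r in self.rules:
            if not self._in_scope(r, pkt.src):
                continue
            if (r.kind == "port" and r.port == pkt.dst_port
                    and r.proto in ("ALL", pkt.proto)):
                return "allow", f"port exception {r.proto}/{r.port} ({r.scope})"
            if r.kind == "program" and r.program == pkt.program:
                return "allow", f"program exception {r.program} ({r.scope})"
        return "drop", "no matching exception"


def run_scenario():
    """Walk constructed packets through boot-time, then run-time policy."""
    fw = Firewall("192.168.1.0/24")
    host, lan_peer, internet = "192.168.1.5", "192.168.1.20", "203.0.113.10"
    results = {}
    # Boot time: the reply to our own web request passes; an SMB probe does not.
    fw.outbound(Packet("TCP", host, 49152, internet, 80))
    results["boot_reply"] = fw.inbound(Packet("TCP", internet, 80, host, 49152))[0]
    results["boot_probe"] = fw.inbound(Packet("TCP", internet, 40000, host, 445))[0]
    # Run time: file and printer sharing, limited to the local network.
    fw.runtime = True
    fw.rules.append(ExceptionRule("port", "SUBNET", proto="TCP", port=445))
    results["lan_smb"] = fw.inbound(Packet("TCP", lan_peer, 40000, host, 445))[0]
    results["internet_smb"] = fw.inbound(Packet("TCP", internet, 40000, host, 445))[0]
    # A program exception on all ports, limited to one trusted address range.
    fw.rules.append(ExceptionRule("program", "CUSTOM", program="im_client.exe",
                                  addresses=("198.51.100.0/24",)))
    results["trusted_im"] = fw.inbound(
        Packet("TCP", "198.51.100.7", 5000, host, 6891, "im_client.exe"))[0]
    results["untrusted_im"] = fw.inbound(
        Packet("TCP", internet, 5000, host, 6891, "im_client.exe"))[0]
    # The weak setting: the same port opening with scope ALL exposes SMB to the Internet.
    open_fw = Firewall("192.168.1.0/24")
    open_fw.runtime = True
    open_fw.rules.append(ExceptionRule("port", "ALL", proto="TCP", port=445))
    results["internet_smb_scope_all"] = open_fw.inbound(
        Packet("TCP", internet, 40000, host, 445))[0]
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:24} {decision}")
```

The scope check runs before the port or program match, which is what makes the local-network default meaningful: the identical SMB opening is safe on the LAN and exposed to every address on the Internet only when its scope is widened to ALL.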


This program-specific exceptions feature is not the same as the "program control" offered by third-party personal-firewall products such as Norton Internet Security and ZoneAlarm Security Suite. Those products also prevent unknown programs from sending traffic out to the Internet; Windows Firewall does not.

But the first time an unauthorized program tries to open itself to receiving incoming packets, Windows Firewall pops up a notice similar to those you'd see from NIS or ZoneAlarm (see Figure 4). Users can unblock the program, keep blocking it without further notices, or block it without changing its "first-time" status.

