
      Windows XP SP2 Plugs Security Holes

      Written by

      Jason Brooks
      Published August 23, 2004

        Executive Summary

        Two and a half years after the initial release of Windows XP, Microsoft Corp.'s Service Pack 2 advances the state of Windows security: The update plugs long-standing vulnerabilities in Windows services and modifies key applications, such as its Internet Explorer and the system firewall, to make it easier for users and administrators to monitor and control what's happening on Windows XP machines.


        Introduction


        With the appropriate amount of testing before deployment to production systems—to identify and work around potential application compatibility issues—eWEEK Labs believes the improvements in SP2 are compelling enough to recommend the upgrade for all Windows XP systems.

        That said, work remains to be done on Windows security. We'd like to see Microsoft improve the operating system's user permission controls—it's still a hassle to run applications as a regular user without administrative privileges. Also, although Windows Update Version 5, the release of which coincides with SP2, has undergone some nice improvements, we'd like to see a unified packaging and software update system on par with the Debian Linux distribution's Advanced Package Tool.

        We've been testing SP2 throughout its beta cycle and have found it relatively free of problems. Most of the products with which we tested SP2 had updates available. This is likely due in large part to SP2's long and very public beta program.


        Of course, in the nearly 300MB across which this service pack stretches, there's plenty of potential for application breakage, particularly with networked and Web-based applications that companies have developed in-house. It will be important for companies to test SP2 in their environment before fully deploying the update.

        In fact, SP2 brings to light applications developed with lax security. SP2 enforces tighter adherence to the security models within Windows than did the gold or SP1 releases of XP, so a good deal of the breakage we saw resulted from products that weren't developed securely in the first place.

        SP2 is available for download for multiple-computer installation at Microsoft's Web site; individual users can upgrade to SP2 via Automatic Updates.


        Microsoft has produced excellent SP2 documentation, and an in-depth overview of what has changed in SP2 is available at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx.

        Users won't notice many changes in XP once SP2 is installed, so the update shouldn't require retraining beyond a brief period of familiarization.


        Internet Explorer

        As the world's most widely used window to the Web—and the primary platform for many enterprise applications—Microsoft's Internet Explorer browser is a vital application for most companies. But it's also an all-too-common point of vulnerability.

        SP2 brings a set of changes to the Windows browser (available only through Windows XP) that should help make IE safer by granting users more control over and information about its operation.

        For instance, in SP2, IE includes an add-on manager that lists all ActiveX controls loaded in IE, alongside information about the digital signatures of these controls and buttons that enable, disable or update the controls. Along similar lines, Windows will provide information about which add-ons were loaded during an IE crash to help administrators determine the cause.

        The updated IE also does a better job of alerting users when pages attempt to download and install these controls. Using a new information bar at the top of the Web page, IE provides notification of attempted ActiveX installs, downloads and blocked pop-up windows.

        Microsoft's decision to build pop-up blocking into IE moves the browser toward feature parity with alternatives such as Mozilla and Opera, and, we hope, will reduce the use of this annoying Web feature on most sites.

        We did encounter a problem with IE's new notification bar and pop-up blocking while browsing at a computer game demo download site. The site appeared to launch a pop-up window that tried to install an ActiveX control before closing immediately and opening another pop-up.

        In earlier versions of Windows, this wouldn't have been a problem because the IE dialog asking for permission to install the control would have remained open, pending user approval. With SP2, however, the approval prompt closed too quickly for us to approve the control's installation. We had to add the game site temporarily to our Trusted Sites list to use the application.

        IE now blocks the privilege elevation that occurs when pages that have been loaded in a particular IE Security Zone, such as the Internet Zone, link to a page in a less restrictive zone, and IE also now enables users to opt never to install code from particular publishers. This prevents users from having to deal with recurring prompts to install controls they've already rejected.


        Windows Firewall

        One of the Windows features that has been most heavily overhauled in SP2 is Windows Firewall, a facility previously known as Internet Connection Firewall, or ICF.

        Managed systems running Windows XP within a company are likely to sit behind a corporate firewall already, but now that the threat of worms has increased, it's become important for individual systems to have firewall protection. In addition, the presence of a built-in firewall is important for mobile enterprise users connecting to the Internet from outside the corporate network, and Windows Firewall is considerably improved over ICF.

        To begin with, Windows Firewall is active by default on systems running SP2; ICF, by contrast, was shut off by default. All new network connections created on SP2 machines also have firewalls by default, and Windows Firewall plugs the gap ICF left open when network connections on a machine were unprotected for a short period during startup.

        During tests, we could use Windows Firewall to open ports statically, to allow application-specific exceptions and to adjust the scope of our exceptions based on a subnet.

        There's an “on with no exceptions” check box in the firewall configuration dialog, which is a good setting to have while using a machine in a potentially insecure environment, such as a hotel room or public hot spot.

        We could configure these settings through Group Policy or with a command-line tool called Netsh.
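
The settings described above (a static port opening, an application-specific exception, subnet scoping and "on with no exceptions") written out in SP2's `netsh firewall` context, as an added example that is not part of the original review. The port, program path, rule names and address range are constructed placeholders, and splitting the rules between the DOMAIN and STANDARD profiles is an assumption about how an administrator would separate on-network and roaming use.

```batch
@echo off
rem Added example: Windows Firewall on XP SP2 configured with "netsh firewall".
rem Port, program path, names and addresses below are constructed placeholders.

rem Domain profile (machine is on the corporate network): firewall on,
rem exceptions permitted.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem Static port opening, limited to the local subnet.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (local subnet)" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Application-specific exception, limited to a custom address range.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\agent.exe" name="Example management agent" mode=ENABLE scope=CUSTOM addresses=192.0.2.0/255.255.255.0 profile=DOMAIN

rem Standard profile (hotel room, public hot spot): "on with no exceptions".
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem Record dropped packets so a blocked port can be identified from the log.
netsh firewall set logging droppedpackets=ENABLE

rem Review the resulting state and rule set.
netsh firewall show state
netsh firewall show config
```

These commands need an account with administrator privileges. None of them restricts outgoing connections, since Windows Firewall filters inbound traffic only.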

        It's not possible to use Windows Firewall interactively, where the firewall requests user approval to allow an application access to a blocked port, unless logged in with administrator privileges. Regular users will see a pop-up directing them to ask their administrator to open the port. However, this message does not include the port number, so it will be of limited aid in filling out a help desk request.

        Also, Windows Firewall does not block outbound traffic, which may leave companies looking elsewhere for a more capable alternative.


        Network protection

        Microsoft has made numerous improvements under the covers in Windows XP, including default disabling of nonvital, often-abused services such as Windows Alerter and Messenger. The Windows Messenger service, in particular (which is different from the MSN Messenger IM client), has been a prime target of spammer abuse.

        SP2 features tighter rules governing Windows DCOM (Distributed Component Object Model), in which new access controls ensure that COM applications abide by a minimum security level and do not pose a threat to the system.

        SP2 also includes new restrictions on Windows RPC (Remote Procedure Call) service, such as eliminating remote anonymous access to RPC interfaces. Applications that depend on this anonymous access will have to be modified to use RPC security, or administrators must modify the Windows registry to revert to SP1's settings.

        In addition, SP2 includes a change to the WebDAV (Web-based Distributed Authoring and Versioning) redirector—the facility that manages access to shares using the WebDAV protocol—that will disallow access if a WebDAV server is not configured to authenticate securely.


        Memory protection

        SP2 provides for DEP (data execution prevention), where areas of system memory, such as those in which data is meant to reside, are marked as nonexecutable. This should help prevent buffer overrun attacks.

        DEP in SP2 is enforced by hardware, requiring an Advanced Micro Devices Inc. processor with no-execute page protection or an Intel Corp. chip with the Execute Disable bit feature. SP2 also provides for software enforcement of DEP in core Windows XP code. Administrators can shut off DEP in Windows on a systemwide or per-application basis.


        Wi-Fi and Bluetooth

        In SP2, Microsoft has re-worked the Wireless Network Connection dialogs to provide more information about available access points. There's also a new Wireless Setup Wizard that lets administrators configure security settings for multiple machines for use with a wireless network.


        SP2 includes native support for Bluetooth, using drivers and configuration tools that are now part of Windows. After installing SP2 on a test notebook, we uninstalled our vendor-supported Bluetooth drivers and switched over to Microsoft's Bluetooth software without incident.


        Windows Security Center

        Windows XP with SP2 includes a Security Center that lets users check the status of automatic updates, their firewall and their anti-virus application. We tested this feature with a handful of anti-virus applications, and the Security Center did a good job of detecting the presence, virus definition file freshness and on/off state of our anti-virus applications.

        In some cases, however, we did have to download patches for use with SP2. For example, after installing SP2 on a system running Symantec Corp.'s AntiVirus Corporate Edition 9.0, the Security Center could tell we had anti-virus software installed, but it couldn't determine the software's state. After installing an update from Symantec's Web site, the feature worked properly.

        Senior Analyst Jason Brooks is at [email protected].

        Jason Brooks
        As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. Jason's coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service.
