With the Windows XP Service Pack 2 Beta being released to thousands of testers, it’s time for administrators to take a look at the forthcoming changes. With the exception of any unintended consequences that always crop up and some compatibility issues, it looks like XP SP2 will offer some nice changes, especially in the security realm.
Microsoft recently changed its update and patch release schedule from each week (if there were issues to address), to once a month, in part recognising that few administrators have time to apply patches every weekend. Although Microsoft says it will continue to release emergency updates at any time, some serious vulnerabilities were widely known for several weeks in December before the company responded at all, and this raises serious security concerns.
It almost seems as if the new patch policy was, or should have been, implemented after XP SP2 was released instead of now, because the second major upgrade to XP will include a number of changes intended to indirectly simplify security patch management by providing improved default security.
Some applications will have to be changed to remain compatible with SP2 and there are bound to be unforeseen problems introduced by the major changes to XP, but overall this should significantly improve the basic security of XP systems, even without applying every patch as soon as an exploit is discovered and publicised.
Buffer overrun protection
Memory buffers are always at or near the top of the list of security threats that are actually exploited by hackers. This is a serious problem, but not one that is easy to address, and Microsoft is introducing a number of changes to address the threat.
SP2 will include recompiled XP components using the latest compiler, which includes new anti-buffer overrun tools. XP SP2 will also include support for the no execute (NX) feature found in some CPUs. This will permit hardware-enforced safe memory areas that can be used only for data storage, meaning that no buffer overrun into those protected areas can be used to execute code and attack the system. It doesn’t stop buffer overruns, but it does block most of their potential for causing damage.
ICF changes
The rather weak Microsoft Internet Connection Firewall, which has always shipped with XP, will now be turned on by default, improving the native security of the OS out of the box. However, SP2 will also add some other features designed to make it easier and more flexible to run XP with ICF turned on.
The new ICF changes will also allow some additional one-time management adjustments to some applications. Currently some applications will only run in a local administrator mode when ICF is running because they need ports opened and closed for the application to work. By adding an application to a “white” list only accessible to an administrator, P2P or other applications will have port opening and closing controlled automatically and users will not require elevated privileges to use the programs.
Administrators will now be able to fine-tune RPC services so a particular port can be reserved for RPC even when the application itself isn’t placed on the white list. There will also be changes to Outlook Express that will greatly improve the ability to block attachments. In addition, ActiveX controls will be improved, and other changes will help prevent malicious ActiveX exploits and the planting of spyware.
Microsoft estimates that these network-oriented changes in XP SP2 “will reduce the number of patches that customers need to deploy in order to protect their systems and networks, perhaps by as much as 70 to 80 percent.”
Final word
XP SP2 is just going into beta and is scheduled to be deployed in mid-2004, so developers urgently need to begin planning for it. Administrators also need to be aware that big changes are coming, some of which may require a bit of additional work. However, if the changes work as intended, they'll make XP security considerably better in the long run and greatly reduce the vulnerability of systems between the time new exploits are published and patches are deployed.
Much of the information about SP2 in this column is necessarily pretty general; that’s intentional. Although the general outline of changes to XP is known, SP2 is still in beta so many of the low-level details are likely to be changed.
Administrators need to know what's coming, both to prepare for the changes it will force on them and also, perhaps, to alter plans for future software purchases or implementations that would duplicate these changes and security enhancements to XP.
It might also be a good idea to include the new specs in any applications now under development or even delay some purchases to make certain the new software recognises and takes advantage of the forthcoming changes in XP SP2.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2004 TechRepublic, Inc.
7%
3%
