In-Depth

SP2: More Ammo for the Security Battle

Rollout pain aside, users laud the long overdue enhancements that SP2 brings to IE, along with new GPOs, RPC lockdown and more.

• By Stephen Swoyer
• 02/01/2005

With Windows XP Service Pack 2 (SP2), Microsoft intended to show its critics, including many of its biggest users, that it "gets" security. While nobody is willing to declare that the war has been won, SP2 implementers give Microsoft credit for stepping up the security fight.

SP2 introduces features including a Security Center console, the now-familiar on-by-default firewall and out-of-the-box support for Automatic Updates. Further under the hood you'll find enhancements including more granular support for Group Policy Objects (GPOs); Remote Procedure Call (RPC) improvements; a new Execution Protection feature that protects against malware; pop-up blocking and other security restrictions to help lock down Internet Explorer (IE) 6.0; and features that make it more difficult for users to download potentially malicious code.

Has all Microsoft's tinkering resulted in a more secure operating environment? Users seem split over the issue: They laud Microsoft for what they see as substantive improvements in SP2, but stress that much of the responsibility for securing Windows XP rests with administrators, not with Microsoft.

"SP2 is a solid product that shows Microsoft's heart is in the right place. The updates are exactly what we administrators asked for," says Edward Ko, a network and systems analyst with the Pennsylvania State University's Division of Student Affairs. He's quick to point out, however, that SP2 isn't a panacea—administrators still need to understand the software and implement it correctly. "We keep up our end, they keep up theirs."

Installation Woes
Microsoft bluntly warned that some new SP2 features—especially the on-by-default firewall, which restricts access to many commonly used ports—could cause custom and third-party applications to break. Not surprisingly, then, most adopters say they've experienced at least one application compatibility issue with SP2, with most involving the firewall.

Of course, Microsoft didn't just drop an on-by-default firewall into Windows XP and expect IT managers to fend for themselves. The software giant built more than 600 new GPO templates into SP2, many of which let administrators turn the firewall on or off, manage program and port exceptions, and define exceptions for specific scenarios, such as the Remote Desktop feature that allows remote access to client workstations. The problem with GPO administration is that some users can't take advantage of it, particularly those still running Windows NT 4.0 domains or Windows 2000 domains configured for backward compatibility, Ko says. "If you aren't running an Active Directory domain, you'll have to make firewall changes to each machine locally," he says.

Many AD shops had no difficulty using GPO Editor to configure their SP2 machines. In most cases, it's a matter of simply defining a few exceptions for the Windows Firewall, usually opening TCP or UDP ports needed for certain applications. "I have not had any negative Windows Firewall experiences, although in testing, some of our admins found that it interfered with the ADMT [Active Directory Migration Tool]," says Andrew Baker, a director of network services with a global media conglomerate.

Windows XP Service Pack 2 at a Glance Cost: No charge to licensed Windows XP users Vendor: Microsoft Corp. www.microsoft.com Pros: Adds more than 600 new GPO templates to address security concerns Offers on-by-default firewall Adds long-awaited enhancements to IE 6.0, including pop-up blocking and download management Offers ability to lock down RPC to reject anonymous connections Data Execution Prevention capabilities protect against viruses and other exploits Cons: Installation can be difficult; firewall causes some apps to break GPO settings can be difficult to configure, especially for larger shops Firewall has limited effectiveness in enterprise environment Windows Security Center dashboard offers little enterprise help Pop-up blocking can create confusion, especially for firms that use ActiveX control

Fighting the Firewall
Large users, however, report more problems, in part because of the number and complexity of the applications in their environments. "The upgrade itself is extremely easy," says Jim Holmgren, a senior network engineer with Advertising.com. "The difficulty is in properly configuring the Windows Firewall in a domain. There are so many applications that require various types of connectivity."

In domains with several hundred users, Holmgren says, it's difficult to identify and test all the individual pieces of software for which you must configure GPO settings. But that's not the only issue. "One of the biggest problems is the amount of time it takes to make a change in the firewall configuration and push it out to the user," he says.

Stephen van Vuuren, a consultant with the Pinnacle Benefits Group, says the firewall is a mixed bag. He agrees that group policy makes it easy to set up and configure. But the firewall's effectiveness is limited because it lacks many options that enterprise customers require, such as the ability to specify exceptions on a subnet-only basis. In this respect, more than a few users suggest, Windows Firewall should have more of a direct impact among home users. Enterprises will use it largely as a complement to enterprise firewalls and other tools.

The Windows Security Center
By far the most visible change SP2 brings is the new Windows Security Center, a dashboard-like console that's designed to provide an at-a-glance view of the health of a Windows system. Security Center monitors the status of critical security services such as anti-virus, Windows Firewall and Automatic Updates, and provides administrative shortcuts to help configure them.

But Security Center elicits a mostly ho-hum reaction from IT professionals, who seem to view it as a consumer-oriented innovation—when they're not viewing it as a nuisance, that is. Take Benjamin Zachary, a Windows administrator with IT services specialist Net Worth Systems Inc. In the SP2 environment, anti-virus programs are supposed to register with Security Center to let it know they're installed. That's fine, as far as it goes, but because his organization's systems were running an unsupported version of Symantec Anti-Virus, Security Center reported that no anti-virus software was installed, Zachary explains.

IE Changes Abound
While stopping short of delivering a new version of IE, SP2 at least brings Microsoft's browser into the 21st century. Microsoft last released a new version (6.0) of IE in August 2001. By contrast, the Opera and Netscape Web browsers have been updated several times over the last three years, and the open source Mozilla Project fields two cutting-edge browsers, Mozilla and Firefox. All these IE competitors feature pop-up blockers, which prevent a site from launching secondary or unauthorized windows, and other security enhancements, such as download managers.

SP2 introduces to IE pop-up blocking, download management, additional security restrictions, improved support for non-Microsoft Java Virtual Machines (JVM), add-on management, and other features. For many organizations, SP2 and its bevy of IE-related enhancements is an eagerly anticipated release.

While pop-up blocking heads the list of IE additions, SP2 adopters give it a mixed review. On balance, most welcome the feature, but some say it's also created more work for them in the short term.

"SP2 is a solid product that shows Microsoft's heart is in the right place." Edward Ko Network and Systems Analyst Pennsylvania State University

When IE blocks a pop-up, an "Information Bar" appears in the browser window. If a user wants the pop-up to open, he can click the Information Bar and select from one of two options to allow pop-ups. One concern is that IE is configured by default to block ActiveX controls, which, if maliciously engineered, can wreak havoc on Windows systems. But IT organizations also use ActiveX controls for many innocuous purposes, and Microsoft itself taps ActiveX controls for its WindowsUpdate.com and OfficeUpdate.com Web sites.

Because of these issues, pop-up blocking has the potential to confuse many end users. "Stuff like this makes our call center very busy. It's a cultural change, so it's going to take some time for users to get used to it," says PSU's Ko. "However, I suppose I'll take the extra abuse if it saves me from having to clean up sneaky spyware down the road."

While likely to cut down on spyware and nuisance-ware, pop-up blocking probably isn't going to deter clever malicious attackers, Net Worth's Zachary says. "Social engineering really has to be the primary issue," he says, noting that if IE blocks a pop-up window, a Web page can be configured to redirect a user to another site from which they can download a malicious ActiveX control. "There is nothing Microsoft, or any vendor, can do about situations like that."

Even so, many adopters, like Pinnacle Benefits' van Vuuren, expect that pop-up blocking will help them save money. "ActiveX blocking works well and will save us $100 per desktop in utilities software, especially with the ability to control spyware infections before they happen," he predicts.

Most SP2 adopters like IE's new download management feature, which introduces an extra layer of protection to help deter users from launching potentially malicious executables. When a user downloads a file from the Web, download management encodes the files with information about the site from which it came. When the user double-clicks the file, IE throws up a Security Warning prompt that gives the option of running or saving the file. Most Windows administrators think that's a good idea. "This is another one of those features that users initially complain about, but which will prove very beneficial because it adds one more step before program execution," says Baker.

SP2 also introduces several new IE Registry settings, including a hardening feature that forces the local machine into a much tougher IE security zone. In this zone, IE denies ActiveX controls by default (unless the end user explicitly grants permission) and prevents binary code and Java scripts from executing.

RPC and DEP Features
Increasingly, worms and viruses exploit vulnerabilities in the RPC protocol, which facilitates communication between Windows applications. Because most such attacks exploit vulnerabilities in RPC's handling of anonymous connections, SP2 introduces new Registry settings that allow administrators to configure the RPC service to reject anonymous connections entirely. The idea, Microsoft says, is to minimize the potential vulnerability of the crucial RPC service.

SP2 adopters laud the new RPC restrictions, which they argue can reduce or eliminate an attack vector that MSBlast and other worms exploited. "This is probably the most critical aspect of the security enhancements," Baker says.

Of course, there's always the possibility that restricting anonymous RPC connections will cause some custom or third-party applications to break. But SP2 adopters who've turned on this feature report smooth sailing. "These seem to work fine thus far," van Vuuren says.

SP2 also includes new Data Execution Prevention (DEP) capabilities. DEP is designed to protect against viruses and other common security exploits (such as buffer overflow attacks) by preventing programs from executing code in unauthorized areas of memory.

Microsoft teamed with Advanced Micro Devices Inc. and Intel Corp. to define a new DEP scheme called No Execute (NX) that's supported at the microprocessor level. AMD's Athlon and Opteron chips support NX, along with Intel's new Prescott-based Pentium 4 chips. Microsoft also has a software-based DEP implementation designed to protect Windows system files that can be enabled for all executables.

Few adopters have played around with DEP, however. Most think it's a technology that has lots of promise, but is a non-starter given the limited available hardware that supports it. "This is a good feature, but really requires CPUs that support the functionality. It's not quite an out-of-the-box feature," Baker says. Chris Cerer, a Windows administrator with Harco National Insurance Co., says he experimented with software DEP and found that it caused instability with older 16-bit programs.

A Long Overdue Release
When all the votes are counted, users say SP2 is a winner. Although few, if any, adopters enjoyed pain-free roll-outs, most believe the sweeping changes in SP2 are for the best. Pinnacle Benefits' van Vuuren, for example, characterizes SP2 as "long overdue," and not just because it arrived several months late. "Our biggest hope is that this is not a one-time effort, but will continue throughout future product versions," he says.

Deployment issues notwithstanding, adopters say SP2 is stable in production systems. There's a learning curve associated with new features like pop-up blocking, users say, but SP2 is straightforward enough that re-training isn't required.

Few users are willing to say that SP2 addresses all of their concerns, however. "Many admins these days expect that one firewall in front of their network will be more than enough protection for them," says Mark Hanson, a Windows administrator with food products distributor Gehls Guernsey Farms Inc. "Enhancements inside the network perimeter are where the work needs to be done. SP2 is a small step to address some of these issues."

Network director Baker echoes those sentiments. "Most of my security- related concerns have been addressed with SP2. I would greatly prefer to see a total rewrite of Internet Explorer to address the fundamental flaws which make for frequent security bulletins," he says, citing "significant issues associated with cross-scripting functionality," among other problems. "Overall, SP2 for XP represents a pretty major step for Microsoft with regards to the Windows Desktop. Let's hope that SP1 for 2003 follows in the same vein."