Security Watch

Inside Windows XP SP2 Security Enhancements

Control of external connections made easier through Windows Firewall.

Windows Firewall

One of the most significant changes in XP SP2 is a firewall that is enabled by default on every network interface. To reflect this broader role, the firewall has been renamed from Internet Connection Firewall (ICF) to Windows Firewall.

The major operational update in Windows Firewall lies in its control of connections initiated from outside the local machine. Unsolicited inbound connections are blocked unless you allow them, and the openings you allow are what Microsoft calls "exceptions." The old ICF let you open individual ports for inbound services such as Web, FTP or Remote Desktop. Windows Firewall makes this simpler: you select a service or application, and the firewall opens the ports that application requests (for a program exception, only while the program is running). You can also add services or ports to the list by hand. Every exception widens the machine's attack surface, so add only what is actually needed.

The real news, though, is the ability to restrict inbound connections based on their origin. You can configure a port or ports to accept connections only from the local subnet (or, in the advanced settings, only from a list of specific addresses). An attacker elsewhere on the Internet then never reaches the listening service at all. Note the limit, however: a compromised host on the same subnet is still within scope.
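The configuration described above, as an added example that is not part of the original article: a batch script for the `netsh firewall` context that XP SP2 introduces, which turns the firewall on, adds a program exception and a port exception, restricts both to the local subnet, and then lists the result for review. The program path, the ports and the addresses are placeholders chosen for illustration; run it as a member of the local Administrators group.

```batch
@echo off
rem Added example (not from the article): configure Windows Firewall
rem exceptions with the XP SP2 "netsh firewall" context.
rem Assumed values: the program path, ports and addresses below are
rem placeholders chosen for illustration.

rem Turn the firewall on for every profile (domain and standard) and
rem keep the exceptions list active. "exceptions=DISABLE" is the
rem "Don't allow exceptions" checkbox: every inbound connection is dropped.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Program exception: the firewall opens whatever ports this program
rem listens on, but only while it runs, and here only to hosts on the
rem local subnet.
netsh firewall add allowedprogram program="C:\Program Files\Example\server.exe" name="Example Server" mode=ENABLE scope=SUBNET profile=ALL

rem Port exception for Remote Desktop (TCP 3389), restricted to the
rem local subnet so hosts beyond the router cannot reach it.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=SUBNET profile=ALL

rem A custom scope names specific hosts or networks instead of the whole
rem subnet: here one management station plus one management network.
netsh firewall add portopening protocol=TCP port=445 name="File and Printer Sharing (SMB)" mode=ENABLE scope=CUSTOM addresses=192.168.10.5,192.168.20.0/24 profile=ALL

rem Verify: show the state, each open port with its scope, and each
rem allowed program. Review them before trusting the configuration.
netsh firewall show state
netsh firewall show portopening
netsh firewall show allowedprogram
```

The `scope=` keyword is where the subnet restriction from the text lives; an exception added without it defaults to `ALL` and is reachable from anywhere the interface is, which is exactly the case the new feature exists to avoid.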

Buffer Overflow Protection

Microsoft has teamed with Intel and AMD to reduce the vulnerability of Windows to buffer overflows by marking pages of memory as either executable or not, so that the processor refuses to run instructions fetched from a page that holds data. This No Execute (NX) scheme is currently supported by AMD Athlon 64 and Opteron chips. The newest Intel Prescott-based Pentium 4 chips will also support it.

With execution protection enabled, the processor raises an exception when execution is transferred into a non-executable page, which is exactly what happens when an overflow redirects a program into the code it has planted in a stack or heap buffer. The attack becomes a crash rather than a compromise. It does not, however, stop an overflow that only redirects execution into code already present in the process, so DEP complements patching rather than replacing it. The Performance Options section of the System Properties applet has a new tab, Data Execution Prevention, that lets you turn NX off if you must keep a legacy application running. That removes the protection for every program, though; the new Application Compatibility Toolkit has settings to disable DEP for specific applications, so try that first.
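An added example, not from the article, showing how to check and adjust DEP from the XP SP2 command line rather than the Performance Options dialog. The WMI properties and the `/noexecute=` Boot.ini switch are facts about SP2 that the article does not spell out; the per-application registry entry is labelled as an assumption in the comments, and the program path is a placeholder.

```batch
@echo off
rem Added example (not from the article): inspect and adjust DEP on
rem XP SP2 from a command prompt. Requires local administrator rights.

rem Is hardware NX present, and which policy is in force? These
rem Win32_OperatingSystem properties were added with SP2.
rem SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the default:
rem only Windows components), 3 = OptOut (everything except listed apps).
wmic OS get DataExecutionPrevention_Available,DataExecutionPrevention_SupportPolicy

rem The policy itself is a /noexecute= switch on the operating system
rem entry in Boot.ini, for example:
rem   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=OptOut
rem Show the current boot entries and their switches:
bootcfg /query

rem Per-application opt-out, the equivalent of adding a program on the
rem DEP tab while the policy is OptOut. ASSUMPTION: the compatibility
rem layer key and value below are what that dialog records; verify on
rem your own system before relying on them. The path is a placeholder.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files\Legacy\legacy.exe" /t REG_SZ /d DisableNXShowUI /f

rem Confirm the entry was written.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
```

Prefer the per-application opt-out over switching the policy to AlwaysOff: the first leaves every other process protected, the second turns the hardware feature off machine-wide.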

Internet Explorer Restrictions

Many exploits target Internet Explorer, so it's not surprising that XP SP2 adds quite a few new security features to Internet Explorer and its cousins, Outlook Express, InfoPath, Microsoft Messenger and MSN Messenger. Some of the most important security enhancements include:

  • MIME handling and MIME sniffing: When Internet Explorer analyzes the content of a Web page or downloaded file, it decides how to handle the file based on the MIME type assigned to it and on an analysis of the content itself. XP SP2 tightens this content analysis: before placing a file in the Internet cache, it renames the file to match its true content, so the file is handled according to what it actually contains rather than what it claims to be. It also refuses to promote content from one MIME type to another (plain text to HTML, for example) when the second type carries additional capabilities such as script execution.
  • Pop-up blocking: In the Internet Properties window, select the Privacy tab to see the Block Pop-up Windows option. Although this feature isn't turned on by default, the first time you encounter a site with a pop-up you'll be prompted to enable pop-up blocking. Once it is enabled, a site that tries to open a pop-up triggers a notification icon in the status bar and a message in the new Information Bar (right under the toolbar). From there you can choose to allow one pop-up or all pop-ups from that site.
  • Windows Restrictions: If a user decides to allow pop-ups, you don't want the pop-up to fool the user into performing an exploitable act by hiding important warnings or by covering a page with an alternate page. For this reason, the Windows Restrictions feature constrains the size, position, and format of pop-up windows and mandates that pop-ups have a status bar and a menu bar. This prevents borderless pop-ups from hiding security information that would ordinarily be displayed in the status bar or notification area.

RPC Restrictions

As we've all come to realize over the last few bloody months of worms and viruses, Remote Procedure Call (RPC) in Windows is a powerful tool, whether used for good or nefarious purposes.

Many RPC vulnerabilities leverage the willingness of an RPC service to accept anonymous connections. XP SP2 requires remote RPC clients to authenticate, even if the application itself doesn't ask for it. You can see the beneficial effect using the Rpcdump utility in the Windows Server 2003 Resource Kit. Point Rpcdump at a pre-SP2 XP desktop and you'll get a full list of the RPC interfaces the machine exposes. Point Rpcdump at an XP SP2 machine and you get a brusque "Access Denied."
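An added example, not from the article, showing how to inspect and tighten the SP2 RPC restriction described above and how to repeat the Rpcdump check. The `RestrictRemoteClients` policy value is the setting behind the behaviour the article describes, though the article does not name it; the Rpcdump switches are labelled as an assumption in the comments, and the target address is a placeholder.

```batch
@echo off
rem Added example (not from the article): check the SP2 RPC client
rem restriction from the command line and confirm it from another host.

rem SP2 introduces the RestrictRemoteClients policy value (not named in
rem the article). 0 = pre-SP2 behaviour, anonymous remote RPC allowed;
rem 1 = SP2 default, remote callers must authenticate, with interfaces
rem able to exempt themselves; 2 = strictest, no exemptions. If the
rem value is absent, the SP2 default (1) applies.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients

rem Enforce the strictest setting, but only where you have verified that
rem no application on the machine relies on anonymous RPC. The change
rem takes effect after a restart.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 2 /f

rem From a different machine, enumerate the target's RPC endpoints with
rem Rpcdump from the Windows Server 2003 Resource Kit Tools.
rem ASSUMPTION: /s <server> and /v (verbose) are the switches used
rem here; check "rpcdump /?" for the installed version.
rem 192.0.2.10 is a placeholder address.
rpcdump /s 192.0.2.10 /v
```

Run the Rpcdump line before and after applying SP2 (or changing the policy value) from the same remote host: the interface list on the first run and the "Access Denied" on the second are the evidence that the restriction is actually in force, and a host that still answers with a full list is one to investigate.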

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

