Inside Windows XP SP2 Security Enhancements -- Redmondmag.com

Inside Windows XP SP2 Security Enhancements

Control of external connections made easier through Windows Firewall.

By Roberta Bragg
04/28/2004

Windows Firewall

One of the most significant changes in XP SP2 is the default firewall placed on the local network interfaces. In deference to its new role, the firewall has been renamed from Internet Connection Firewall to Windows Firewall.

The major operational update in Windows Firewall lies in its control of connections initiated outside the local machine. Microsoft called these "exceptions." The old ICF allows opening ports for inbound connections such as Web or FTP or remote desktop. Windows Firewall makes this process much simpler by allowing the user to select a service or application then opening the ports requested by that application. You can add services or ports to the list.

The real news, though, is the ability to restrict inbound connections based on their origin. You can configure a port or ports to accept connections only from the local subnet. This significantly reduces the ability to attack the desktop.

Buffer Overflow Protection

Microsoft has teamed with Intel and AMD to reduce the vulnerability of Windows to buffer overflows by protecting memory using tags that either allow or deny executables to launch. This No Execute (NX) scheme is currently supported by AMD Athlon and Opteron chips. The newest Intel Prescott-based Pentium 4 chips will also support NX.

With execution protection enabled, the processor will throw an exception when asked to execute code exposed by a buffer overflow. The Performance Options section of System Properties applet has a new tab called Data Execution Prevention that allows you to disable the NX feature if you need to maintain compatibility with a legacy application. The new Application Compatibility Toolkit has settings to disable DEP for specific applications, though, so try that first.

Internet Explorer Restrictions

Many exploits target Internet Explorer, so it's not surprising that XP SP2 adds quite a few new security features to Internet Explorer and its cousins, Outlook Express, Infopath, Microsoft Messenger and MSN Messenger. Some of the most important security enhancements include:

MIME handling and MIME sniffing: When Internet Explorer analyzes the content of a Web page or downloaded file, it decides how to handle the file based on the MIME type assignments and an analysis of the content itself. XP SP2 takes this content analysis to the next level by automatically renaming a file to match its true content before placing the file in the Internet cache. It also prevents promoting one MIME type to another (text to HTML, for example) if the second MIME type has additional functionality.

Pop-up blocking: In the Internet Properties window, select the Privacy tab to see the Block Pop-up Windows option. Although this feature isn't turned on by default, the first time you encounter a site with a pop-up, you'll be prompted to enable pop-up blocking. Once enabled, when you encounter a site with a pop-up, a notification icon appears in the status bar and the user also sees a notification in the new Information Bar (right under the toolbar). You can choose to see one pop-up or all pop-ups from a site.

If a user decides to allow pop-ups, you don't want the pop-up to fool the user into performing an exploitable act by hiding important warnings or by covering a page with an alternate page. For this reason, the Windows_Restrictions feature constrains the size, position, and format of pop-up windows. Windows Restrictions also mandates that pop-ups have a status bar and a menu bar. This prevents borderless pop-ups from hiding important security information that would ordinarily be displayed in the status bar or notification area.

RPC Restrictions

As we've all come to realize over the last few bloody months of worms and viruses, the Remote Procedure Call (RPC) in Windows is a powerful tool, whether used for good or nefarious purposes.

Many RPC vulnerabilities leverage the willingness of an RPC service to accept anonymous connections. XP SP2 demands a secure connection, even if the application doesn't require it. You can see the beneficial effect using the Rpcdump utility in the Windows 2003 Resource Kit. Point Rpcdump at a standard XP desktop and you'll get a full list of the RPC services running on the machine. Point Rpcdump at an XP SP2 machine and you get a brusque "Access Denied."

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.

Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.

Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.

comments powered by Disqus

Most Popular

Most Popular Articles

Most Emailed Articles

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft Graph 'Activity Logs' Feature Goes Live

Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

Microsoft and Nvidia Announce Deeper Azure AI Partnership

Subscribe on YouTube

Office 365 Watch

Sign up for our newsletter.

Email Address***Country**

I agree to this site's Privacy Policy

Please type the letters/numbers you see above.

Most Popular Articles

Most Emailed Articles

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft Graph 'Activity Logs' Feature Goes Live

Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

Microsoft and Nvidia Announce Deeper Azure AI Partnership

Upcoming Training Events

0 AM

TechMentor Virtual Training: Migrating to Server 2022 and Azure
May 21-22, 2024

TechMentor Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

Live! 360 Orlando
November 17-22, 2024

Upcoming Virtual Summits

AI vs. Security Summit 05/03/2024

Secure, Manage & Recover Microsoft Teams Like an Expert Summit 08/23/2024

More Summits

Webcasts

AI vs. Security Summit

Coffee Talk: Rebounding from Ransomware: An Expert Guide

Coffee Talk: Crash Course: Modern Strategies for Email Security

Coffee Talk: Datacenter Fabrics 101: What They Are, Why You Need Them & How To Implement Them

More Webcasts

Whitepapers

Blending AI with Human Collaboration in Microsoft Teams

Azure CloudOps: How to drive operational efficiency & application performance

How finova saved 70% on Azure cloud spend by optimizing their infrastructure

CloudOps for Azure

More Tech Library