Steve (Consultant, Yorba Linda, CA, joined 2001-03-10)
Analysis of Microsoft XP Service Pack 2
There have been discussions elsewhere about Microsoft's XP Service Pack 2 (Front Page News: MS Help: Preview of some XP SP2 Features), but I haven't seen a targeted review of the security aspects of it. I have studied the Microsoft documentation on SP2, and I am impressed as Hell. I've been a Windows user for 17 years, and I don't believe I've ever seen such a real effort in security (as opposed to just talking about it).
I have written a Tech Tip on this that goes into some detail based on the publicly available information, but I can summarize the high points here:
•New "Windows Firewall": loads before the network stack and unloads after it. Participates in Group Policy in an Active Directory framework. Firewall features themselves should be pretty familiar to users here.
•Local Subnet Restriction: by default, things like Network Neighborhood and UPnP are limited to only the local subnet. This means that your home network runs fine and does not allow the world at large to get in. I love this.
•Remote Procedure Calls: Deep, pervasive changes in the RPC permissions mechanism that make it very difficult to write software that is accidentally insecure. Sloppy security coding will simply not work.
•Disable execute on data pages - when the processors support it, this should cut down on a lot of buffer-overflow exploits.
•"Security Center" GUI - this will be nagware if your firewall is off, your A/V signatures are out of date, or the like. It will be much harder to be insecure and oblivious.
•Attachment Execution Service - A clearinghouse for attachments, it's much smarter than just looking at extensions. Used by OE, Windows Messenger, and IE.
•Restricted preview in OE - Very limited HTML preview reduces the bad stuff you can get by previewing a message.
•Managing Add-Ons in IE - Now there is a centralized way to see and uninstall add-ons in your browser from a single panel. Your idiot user installed Gator? It's visible right in a GUI and can be disabled, and the crowd goes wild.
•Smarter MIME-type checking in IE - if the Content-Type of an object sent by a webserver doesn't match what it appears to be by sniffing, it no longer just "fixes it for you". Sending up an executable as type text/plain gets properly treated as "dangerous, executable content".
•Alerter and Messenger Service disabled - mostly speaks for itself. No more Messenger spam.
This is not everything, and not even everything I talked about, but it's the highlights.
And I have not seen a single hint of "Trusted Computing", "Digital Rights Management" or anything that smells like they're trying to hurt anybody else. Some of the changes may be impactful to third-party applications (especially the RPC stuff), but these look completely and unambiguously attributed to 'security' and not 'putting the screws to the little guy'.
Those who have thoughtful and considered opposing opinions are encouraged to post them here. "Microsoft sucks" ranting should go elsewhere.
Unixwiz.net Tech Tip: Analysis of Microsoft XP Service Pack 2
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site
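The Content-Type point in the list above (an executable served as text/plain no longer gets "fixed" into the sniffed type) is easier to see side by side. The following is an added example, not code from the original post or from Internet Explorer: a toy content sniffer and two policy functions, one for the old "promote to whatever sniffing says" behaviour and one for the SP2 behaviour described above. The sniffing signatures, the labels returned, and the handling of non-executable mismatches (kept at the declared type rather than upgraded) are this example's own choices, and the sample responses are constructed, not captured.

```python
# Added example (not from the original post or from Internet Explorer): a
# minimal model of the two Content-Type policies so the difference between
# "fix it for you" (pre-SP2) and "treat as dangerous" (SP2) is concrete.
# Signatures, labels and the non-executable branch are this example's choices.

def sniff(body: bytes) -> str:
    """Guess the real content kind from the leading bytes of a response."""
    head = body[:512]
    if head.startswith(b"MZ"):                      # DOS/PE executable header
        return "application/x-msdownload"
    if head.startswith(b"PK\x03\x04"):              # ZIP container
        return "application/zip"
    lowered = head.lstrip().lower()
    if lowered.startswith((b"<html", b"<!doctype html", b"<script")):
        return "text/html"
    return "text/plain"


# Sniffed types that must never be rendered as if they were harmless text.
DANGEROUS = {"application/x-msdownload", "application/zip"}


def legacy_policy(declared: str, body: bytes) -> tuple[str, str]:
    """Pre-SP2 style: silently trust the sniffed type over the server's header."""
    sniffed = sniff(body)
    if sniffed == declared:
        return ("accept", declared)
    return ("promote", sniffed)      # the "fixes it for you" behaviour


def sp2_policy(declared: str, body: bytes) -> tuple[str, str]:
    """SP2 style: a mismatch involving executable content is flagged, not fixed."""
    sniffed = sniff(body)
    if sniffed == declared:
        return ("accept", declared)
    if sniffed in DANGEROUS:
        return ("block-dangerous", sniffed)   # "dangerous, executable content"
    # Example's own choice for a non-executable mismatch (e.g. HTML sent as
    # text/plain): do not upgrade it; render as what the server declared.
    return ("keep-declared", declared)


# Constructed sample responses for the example; not real captures.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
FAKE_HTML = b"<html><script>alert(1)</script></html>"
PLAIN_TEXT = b"just some text\n"
```

Calling `legacy_policy("text/plain", FAKE_EXE)` promotes the body to an executable type, which is exactly the step the SP2 change removes; `sp2_policy` on the same input returns the block decision instead.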
p00ter_nerd (East Berlin, PA, joined 2003-09-02):
I am very impressed. Three w00t's for Microsoft, I am shocked.
Steve, reply to p00ter_nerd:
said by p00ter_nerd: I am very impressed. Three w00t's for Microsoft, I am shocked.
Actually, I was too. They have been so focused on the "feature" front that I wondered what it would take for them to go down a road that was unambiguously "about security, even at the cost of functionality", rather than just be some side-effects and/or lip service.
This is that road.
NunyaBidness (Memphis, TN, joined 2001-05-25), reply to Steve:
Sounds like someone at MS finally woke up. -- Nunya Bidness
p00ter_nerd, reply to Steve:
Or is it buttering us up for 'TC'? dun dun dun....... j/p
CalamityJane (Eustis, FL, joined 2002-08-27), reply to Steve:
Very informative post, Steve. And thanks for putting it into language we can all understand! Hey, he likes it! ..... makes me sit up and take notice. -- It takes a disaster to make a woman out of a female / Gladiator Security Forum
StraitShoot (Clinton, MA, joined 2003-02-08), reply to Steve:
I can't help myself... I am NOW a proponent of Tabbed browsing... I hope M$ adds that in... -- I'm Mad With Power!
Greg_Z (Springfield, IL, joined 2001-08-08), reply to Steve:
Let's just hope this thread does not get hijacked. Steve, you could not have stated it any easier. You always seem to make everything very concise and clear. -- One man's customer loyalty is another man's misguided arrogance.
ghost16825 (joined 2003-08-26), reply to Steve:
Can I question what you have said about the "On with no exceptions" feature in the firewall. Are you absolutely sure that this will mean the firewall will reject all incoming initiated connections? I was under the impression that this option simply meant that ports left permanently open for use by applications like Messenger etc. in the default setting (On with exceptions) were closed. However, this doesn't mean all incoming connections are rejected - I would assume the firewall would function the same as in XPSP1 with its "statefulness". I believe it's quite easy to have incoming traffic pass through ICF unhindered. Perhaps you are referring to the "Total Lockout" option which I have heard mentioned, or is that the same as "On with no exceptions"? - in which case "Total Lockout" is misleading.
CalamityJane, reply to StraitShoot:
said by StraitShoot: I can't help myself... I am NOW a proponent of Tabbed browsing... I hope M$ adds that in...
That's a feature... not security, right? In this forum we worry about security.
Steve, reply to ghost16825:
said by ghost16825: Can I question what you have said about the "On with no exceptions" feature in the firewall. Are you absolutely sure that this will mean the firewall will reject all incoming initiated connections?
I only know what I read, but I believe that "no exceptions" means in Redmond what it means everywhere else in the English-speaking world.
said by Microsoft: When in this mode, all static holes are closed and any existing connections are dropped. Any API call to open up a static hole will be allowed and the configuration stored, but it will not be applied until the operational mode switches back to normal operation. All listen requests by applications will also be ignored.
That looks like "closed" to me.
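To make the quoted "on with no exceptions" semantics concrete, and to separate them from the stateful-reply question ghost16825 raised, here is an added example that is not code from the original post or from Microsoft: a small model of a stateful firewall with the two modes. It follows the quoted text (static holes close, existing connections are dropped, an API call to open a hole is stored but not applied, listen requests are ignored) and adds two modelling assumptions of its own: outbound traffic and its replies still pass in the no-exceptions mode, and a static hole only carries inbound traffic when the mode is normal and an application has asked to listen on that port. The addresses and ports in the walkthrough are constructed.

```python
# Added example, not from the original post or from Microsoft: a model of a
# stateful firewall with "on with exceptions" (NORMAL) and "on with no
# exceptions" (LOCKDOWN) modes, following the semantics quoted above.
# Example's own assumptions: outbound traffic still passes in LOCKDOWN, and a
# static hole carries traffic only in NORMAL mode with a listener behind it.

NORMAL = "on-with-exceptions"
LOCKDOWN = "on-with-no-exceptions"


class Firewall:
    def __init__(self):
        self.mode = NORMAL
        self.static_holes = set()   # configured exceptions (local ports)
        self.listeners = set()      # ports an application has asked to listen on
        self.flows = set()          # (remote, local_port) of established sessions

    def open_static_hole(self, port):
        """API call to open a port: always stored, only effective in NORMAL mode."""
        self.static_holes.add(port)

    def listen(self, port):
        """Application listen request: ignored in LOCKDOWN, honoured in NORMAL."""
        if self.mode == LOCKDOWN:
            return False
        self.listeners.add(port)
        return True

    def set_mode(self, mode):
        if mode == LOCKDOWN:
            self.flows.clear()      # "any existing connections are dropped"
        self.mode = mode

    def outbound(self, remote, local_port):
        """Locally initiated traffic: passed, and remembered so replies can return."""
        self.flows.add((remote, local_port))
        return True

    def inbound(self, remote, local_port, new_connection):
        """Return True if an inbound packet is passed.

        new_connection=True means the remote side is initiating (a SYN);
        False means it is a reply to a session this host opened."""
        if not new_connection:
            return (remote, local_port) in self.flows    # stateful reply check
        return (self.mode == NORMAL
                and local_port in self.static_holes
                and local_port in self.listeners)


def walkthrough():
    """Exercise both modes and return each decision keyed by a short label."""
    fw = Firewall()
    out = {}
    fw.open_static_hole(445)
    fw.listen(445)
    out["normal_new_to_hole"] = fw.inbound("203.0.113.5", 445, True)        # True
    fw.outbound("198.51.100.7", 49152)
    out["normal_reply"] = fw.inbound("198.51.100.7", 49152, False)          # True
    out["normal_new_no_hole"] = fw.inbound("203.0.113.5", 135, True)        # False

    fw.set_mode(LOCKDOWN)
    out["lockdown_new_to_hole"] = fw.inbound("203.0.113.5", 445, True)      # False: hole closed
    out["lockdown_old_reply"] = fw.inbound("198.51.100.7", 49152, False)    # False: session dropped
    fw.open_static_hole(3389)                                               # stored, not applied
    out["lockdown_listen"] = fw.listen(3389)                                # False: ignored
    out["lockdown_new_to_stored_hole"] = fw.inbound("203.0.113.5", 3389, True)  # False
    fw.outbound("192.0.2.10", 50000)
    out["lockdown_fresh_reply"] = fw.inbound("192.0.2.10", 50000, False)    # True: outbound still works

    fw.set_mode(NORMAL)
    out["normal_again_listen"] = fw.listen(3389)                            # True
    out["normal_again_new_to_hole"] = fw.inbound("203.0.113.5", 3389, True)  # True: stored hole now applied
    return out
```

The walkthrough shows the distinction the two posts above are circling: in the no-exceptions mode every remotely initiated connection is refused regardless of configured holes, while replies to sessions this host opens afterwards still pass because of ordinary state tracking.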
Ctrl Alt Del (joined 2002-02-18), reply to Steve:
Best use of my Thumbs Up feature this week.
major marco (Stepford, CA, joined 2003-02-13), reply to Steve:
Well people, I don't want to be the one to piss on your parade and stop the M$oft lovefest, but we'll soon see how worthy SP2 is of the accolades because so far, Steve's analysis is all theory.
Steve, reply to major marco:
said by major marco: Well people, I don't want to be the one to piss on your parade and stop the M$oft lovefest but we'll soon see how worthy SP2 is of the accolades because so far, Steve's analysis is all theory
Huh?
Are you suggesting that Microsoft will not implement the features they claim, or that even if they do it won't make any difference?
We're not talking hypothetical, blue-sky things here like "how to stop spam", but hard, technical and specific approaches to reducing the exposure of a computing platform to the bad guys. In my mind these are all overwhelmingly positive and are likely to stop a large category of attacks.
But I do smell a straw-man argument here: it's a sure thing that users will still be stupid and will still be tricked into running badware on their own machines, and you'll come 'round trolling with "See! I told ya so!"
Some people may agree with you, but those with a clue will not.
Hawk (La Quinta, CA, joined 2003-08-25), reply to Steve:
Thanks for the great info, Steve! I still remain somewhat cynical but am looking forward to the update and hoping for the best.
bendjo (Saint Paul, MN, joined 2003-08-10), reply to Steve:
Re: Analysis of Microsoft XP Service Pack 2
Regarding the security center GUI that indicates if virus definitions are up to date. How does it accomplish this? Will AV companies need to interface with it? -- Anarchy sounds good to me. Then someone asks, "Who'd fix the sewers?" Jello Biafra (1986, Bedtime For Democracy)
Steve, reply to bendjo:
said by bendjo: Regarding the security center GUI that indicates if virus definitions are up to date. How does it accomplish this? Will AV companies need to interface with it?
That is a great question, and I wondered about it myself. I don't know, but my guess is that there is some kind of "Antivirus API" that they will introduce. They have done this in the past with their "Source Code Control System API" (which interfaces to Source Safe, or Perforce, or whatever), and as far as I know it worked well on a vendor-neutral basis.
I might have this information on my XP Beta discs, but I'm not sure I'd be allowed to talk about it if I had.