Inside Windows XP SP2 Security Enhancements
Control of external connections made easier through Windows Firewall.
- By Roberta Bragg
One of the most significant changes in XP SP2 is the default firewall
placed on the local network interfaces. In deference to its new
role, the firewall has been renamed from Internet Connection Firewall
to Windows Firewall.
The major operational update in Windows Firewall lies in its control
of connections initiated outside the local machine. Microsoft called
these "exceptions." The old ICF allows opening ports for
inbound connections such as Web or FTP or remote desktop. Windows
Firewall makes this process much simpler by allowing the user to
select a service or application then opening the ports requested
by that application. You can add services or ports to the list.
The real news, though, is the ability to restrict inbound connections
based on their origin. You can configure a port or ports to accept
connections only from the local subnet. This significantly reduces
the ability to attack the desktop.
Buffer Overflow Protection
Microsoft has teamed with Intel and AMD to reduce the vulnerability
of Windows to buffer overflows by protecting memory using tags that
either allow or deny executables to launch. This No Execute (NX)
scheme is currently supported by AMD Athlon and Opteron chips. The
newest Intel Prescott-based Pentium 4 chips will also support NX.
With execution protection enabled, the processor will throw an
exception when asked to execute code exposed by a buffer overflow.
The Performance Options section of System Properties applet has
a new tab called Data Execution Prevention that allows you to disable
the NX feature if you need to maintain compatibility with a legacy
application. The new Application Compatibility Toolkit has settings
to disable DEP for specific applications, though, so try that first.
Internet Explorer Restrictions
Many exploits target Internet Explorer, so it's not surprising
that XP SP2 adds quite a few new security features to Internet Explorer
and its cousins, Outlook Express, Infopath, Microsoft Messenger
and MSN Messenger. Some of the most important security enhancements
MIME handling and MIME sniffing: When Internet Explorer analyzes
the content of a Web page or downloaded file, it decides how to handle the
file based on the MIME type assignments and an analysis of the content itself.
XP SP2 takes this content analysis to the next level by automatically renaming
a file to match its true content before placing the file in the Internet cache.
It also prevents promoting one MIME type to another (text to HTML, for example)
if the second MIME type has additional functionality.
Pop-up blocking: In the Internet Properties window, select the Privacy
tab to see the Block Pop-up Windows option. Although this feature isn't turned
on by default, the first time you encounter a site with a pop-up, you'll be
prompted to enable pop-up blocking. Once enabled, when you encounter a site
with a pop-up, a notification icon appears in the status bar and the user
also sees a notification in the new Information Bar (right under the toolbar).
You can choose to see one pop-up or all pop-ups from a site.
If a user decides to allow pop-ups, you don't want the pop-up to
fool the user into performing an exploitable act by hiding important
warnings or by covering a page with an alternate page. For this
reason, the Windows_Restrictions feature constrains the size, position,
and format of pop-up windows. Windows Restrictions also mandates
that pop-ups have a status bar and a menu bar. This prevents borderless
pop-ups from hiding important security information that would ordinarily
be displayed in the status bar or notification area.
As we've all come to realize over the last few bloody months of
worms and viruses, the Remote Procedure Call (RPC) in Windows is
a powerful tool, whether used for good or nefarious purposes.
Many RPC vulnerabilities leverage the willingness of an RPC service
to accept anonymous connections. XP SP2 demands a secure connection,
even if the application doesn't require it. You can see the beneficial
effect using the Rpcdump utility in the Windows 2003 Resource Kit.
Point Rpcdump at a standard XP desktop and you'll get a full list
of the RPC services running on the machine. Point Rpcdump at an
XP SP2 machine and you get a brusque "Access Denied."
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.