Sunday, September 19, 2004

Windows XP Service Pack 2

After sitting through Steve's session on the Windows XP SP2 security enhancements, my concerns about SP2 were somewhat relieved. SP2 delivers security enhancements in 3 major areas.

Windows Firewall.
By default, Windows Firewall allows all outbound traffic. This sounds dangerous, huh? After some explanation, it seems to make sense. Users will always want to be able to connect out and will allow the outbound traffic even if they have to do it manually. If the eventual result is the same, why block it in the first place? Well, this is food for thought. Some of you might not agree with this kind of thinking.

It is blocking the inbound traffic that is important. If an attacker can get their bad stuff onto your workstation, they basically have control over it. In that case, whether outbound traffic is blocked by default is no longer relevant.

Boot time security is another enhancement that was made. Why is this important? When Windows boots up, it takes some time for Windows Firewall to start and provide protection, meaning that during that interval your Windows is not protected, and an attacker can take advantage of that small window of time to launch an attack. With boot time security, only 3 kinds of traffic (DNS, DHCP and Netlogon) are allowed into the TCP stack until Windows Firewall starts providing protection. This greatly limits what an attacker can do.

There are 2 profiles provided in SP2: Domain and Internet. The 2 profiles apply different policies and have different restriction levels when connected to the corporate network and to the Internet. A good question was asked during the presentation: if you establish a connection to the Internet, and then over that Internet connection you establish a VPN connection to your corporate network, which profile are you on?
The answer is that the interface connected to the Internet has the Internet profile applied, and the second interface, the VPN, has the corporate profile.

The exception list allows an application that needs to act as a listening server to open a port. The port is opened when the application runs and is closed once the application shuts down. Alternatively, the port can be configured to stay permanently open. To add an application to the exception list, the user must be an administrator, but once added, the application can run under a user with a lower security context.
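As an added example (not from Steve's session or the original post), the profile and exception list behaviour described above can be driven from the command line with the netsh firewall context that shipped with SP2. The program path, port and names are constructed placeholders; netsh refers to the Internet profile as STANDARD.

```bat
@echo off
REM Added example, not part of the original post. Run from an administrator
REM account, as the exception list requires. Paths and names are placeholders.

REM Confirm the firewall is enabled on both profiles before adding exceptions.
netsh firewall show state
netsh firewall show config

REM Program exception: the port is opened only while this listener is running
REM and closed when it exits. scope=SUBNET limits reachability to the local
REM subnet; profile=DOMAIN leaves the Internet (STANDARD) profile untouched.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\listener.exe" name="Example Listener" mode=ENABLE scope=SUBNET profile=DOMAIN

REM Static port exception: stays open whether or not anything is listening,
REM so prefer the program exception unless a fixed open port is really required.
netsh firewall add portopening protocol=TCP port=8443 name="Example Fixed Port" mode=ENABLE scope=SUBNET profile=DOMAIN

REM On the Internet (STANDARD) profile keep the firewall on with no exceptions.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

REM Review what is open, per profile.
netsh firewall show allowedprogram
netsh firewall show portopening

REM Rollback for the two exceptions added above.
REM netsh firewall delete allowedprogram program="C:\Program Files\ExampleApp\listener.exe" profile=DOMAIN
REM netsh firewall delete portopening protocol=TCP port=8443 profile=DOMAIN
```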

The second major enhancement area is Internet Explorer. The irritating popups can now be blocked. You do, however, have the option to allow popups from certain web sites, which is useful for intranet applications.

The ActiveX installation dialog has a friendlier message. Plus, you also have the option to configure how you want to trust the publisher.

Scripts can no longer open a window that totally covers the parent window. The new window must fit within the parent window and overlap with it. Before this, scripts could open a window that covered the desktop and fooled the user into performing actions with malicious effects. However, this could break some existing applications whose code/scripts rely on the old behavior.

The third enhancement area is email. A new API has been added that checks attachments from email or Messenger and prevents execution of the attachment if it is suspected to be unsafe.

All email content in Outlook Express will default to plain text, because HTML content can carry malicious scripts. Again, you have the option to turn on the display of HTML content. External HTML content, such as images, will not be downloaded by default.

A new security zone named Local Machine has been added to IE. This zone has a strict policy for executing local content. In the past, Local Machine had loose restrictions on local content, and attackers took advantage of this weakness to fool users into executing local content with bad effects. Now the Local Machine zone has a much stricter policy for dealing with local content; for example, it does not simply allow scripts in local content to execute.

Hooh... it is a long list. I have only highlighted a subset of the enhancements here.
There is much more to it.

