In-Depth

Top 10 Security Modifications in Windows XP Service Pack 2

This XP Service Pack should be called a Security Pack

Whether you run Windows XP Professional or Home, you will soon be able to install Service Pack 2, which has been in beta (and then in release candidate stages) for almost one year. At press time, Microsoft is promising that the Service Pack will be released shortly, but a delay would surprise no one.

There are plenty of security updates with Service Pack 2, with some more important than others. Here are the top 10 security features and modifications that you can expect.

Change #1: Firewall Enabled by Default

What was once called Internet Connection Firewall is now simply called Firewall. After you install Service Pack 2, the behavior of Windows XP will change dramatically, because the built-in firewall is enabled during installation. Enabling the Firewall will change the way Windows XP functions in almost every environment: many applications, tools, and services will fail to run. Of course, the failures are expected, since the firewall is protecting the computer from communications on the ports that these tools use. Some of the applications that have been reported to fail include virus updates, remote administration tools, and network printing.

Figure 1: New Firewall interface in Windows XP SP2

Firewall also comes with a new interface, as shown in Figure 1, as well as some new features such as exceptions and ICMP controls.

If you work for the help desk at your company you should get lots of sleep now, because the call volume will likely increase dramatically once XP Service Pack 2 is installed.
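To see which blocked ports are behind those calls, the firewall's own log can be tallied. The script below is an added example, not part of the original article: it assumes dropped-packet logging has been turned on (the log defaults to `%windir%\pfirewall.log`), and the sample entries, addresses and the `KNOWN` port mapping are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log layout; private/documentation addresses only.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-08-10 09:14:02 DROP TCP 10.0.0.15 10.0.0.42 3021 445 48 S 1201223 0 64240 - - -
2004-08-10 09:14:05 DROP TCP 10.0.0.15 10.0.0.42 3021 445 48 S 1201223 0 64240 - - -
2004-08-10 09:15:40 DROP UDP 10.0.0.7 10.0.0.42 137 137 78 - - - - - - -
2004-08-10 09:16:11 OPEN TCP 10.0.0.42 192.0.2.10 1188 80 - - - - - - - -
2004-08-10 09:17:30 DROP TCP 10.0.0.9 10.0.0.42 4410 3389 48 S 9981 0 64240 - - -
2004-08-10 09:18:02 DROP ICMP 10.0.0.9 10.0.0.42 - - 60 - - - - 8 0 -
"""

def parse_log(text):
    """Yield one dict per log entry, keyed by the file's own #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def dropped_inbound(text, local_ip):
    """Count dropped packets addressed to this host, per (protocol, port)."""
    counts = Counter()
    for e in parse_log(text):
        if e["action"] == "DROP" and e["dst-ip"] == local_ip:
            port = e["dst-port"] if e["dst-port"] != "-" else "icmp-type-" + e["icmptype"]
            counts[(e["protocol"], port)] += 1
    return counts

# Hypothetical mapping from blocked port to the function users will report as broken.
KNOWN = {("TCP", "445"): "file and printer sharing (SMB)",
         ("UDP", "137"): "NetBIOS name service",
         ("TCP", "3389"): "Remote Desktop"}

def report(text, local_ip):
    """Most-dropped ports first, each with a label to guide the exception decision."""
    return [(proto, port, n, KNOWN.get((proto, port), "unknown - investigate"))
            for (proto, port), n in dropped_inbound(text, local_ip).most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "10.0.0.42"):
        print("%-4s %-12s drops=%d  %s" % row)
```

Ports that show up repeatedly for a legitimate tool are candidates for a scoped exception; anything labelled unknown should be investigated rather than opened.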

Change #2: Messenger is Disabled by Default

If your company currently uses the Messenger service, you might be shocked to hear that it's disabled by default after installing the Service Pack. Many companies use the Messenger service without even knowing it. They might use it to send messages to employees about servers or networks being offline. The main reason the Service Pack disables the Messenger service is that most corporations simply don't want it running, since it serves as a gateway for many popups and other annoyances from the Internet.

Change #3: Firewall Protects the Computer at Boot Time

A new feature that Microsoft is including with Firewall is protection while the computer boots. Now, while the operating system loads, the firewall is protecting the computer from Trojans and other viruses. However, it still allows the computer to communicate with DNS and DHCP. Firewall provides this by including a static stateful filter, which is disabled after the computer boots. Once boot-up is complete, the normal firewall filters are put back in place.

Change #4: Hundreds of New GPO Settings

I have been saying for years that it is impossible to talk about security without mentioning group policy objects. Well, Microsoft has made my case here. There are 611 new group policy object settings available on a computer running Service Pack 2. As you can imagine, the settings control different aspects of the computer, including the new Firewall, IM, general security settings, and much, much more. You'll find the new list of GPO settings at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en

Change #5: Messenger Can Block Unsafe File Transfers

If you decide to enable Messenger, you can now protect the computer from unsafe file transfers. File transfers in the new Messenger require that the sender is listed on your contacts list. In addition, the file must meet some stringent restrictions, primarily focusing on the file extension.

Change #6: Memory Protection

This new memory protection technology, called Data Execution Prevention (DEP), prevents code from running in areas of memory where it shouldn't. Although the memory protection built into the Service Pack requires that the application support this advanced technology, some hardware can support memory protection without it.

Change #7: Outlook Express E-mail Controls

It is a common ploy for an attacker to use an HTML header in an e-mail to attempt to compromise your computer. The new OE can be configured to render all incoming mail in plain text, protecting your computer from e-mails that use HTML to spread viruses or put Trojans on your computer. OE also can prevent external HTML content in e-mails, which can reduce spam and communications with spam originators.

Change #8: Internet Explorer Add-On Management

We all know that different Web sites attempt to install additional Internet Explorer add-ons as we browse their pages. The new Service Pack allows you to control the installation and removal of the add-ons in IE. This feature also allows you to see the add-ons that are installed, which were very difficult to see before.

Change #9: Internet Explorer Download Prompting

Microsoft received many reports that some downloads prompted users with too many screens. Now Microsoft has enabled a new download-prompting screen that allows the end user to clearly understand what they're trying to download. This will reduce inadvertent downloads and installations of malicious applications. These new prompts show up in a new information bar.

Change #10: Windows Update Services Support

Even though WUS is not going to be released until early 2005, I could not leave this new feature out of the security settings available in the Service Pack. The new WUS will provide the ability to deliver not only security updates but also device drivers and other application updates. Microsoft is also indicating that the new update service on servers will support the BackOffice products.

Should You Upgrade?

This quick overview of the new Windows XP Service Pack 2 can't address all of the new or changed security features -- just the most important ones. By the time you read this, Service Pack 2 should be available and ready to install. The big question is, should you install it?

I suggest you test the Service Pack thoroughly before you implement it. If everyone's guesses and the rumors are true, the fallout from installing this Service Pack might be severe. Of course, security doesn't come without some pain for the end user or the IT staff.



About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of The Group Policy Resource Kit by MSPress, which is the de facto book on the subject.
