Windows XP Service Pack 2 and Windows Small Business Server

Introduction

Microsoft® Windows® XP Service Pack 2 (SP2) offers many enhancements to the Windows XP operating system. However, when you install Windows XP SP2 on client computers in a Microsoft® Windows® Small Business Server 2003 network, you must also install an update for Windows Small Business Server to gain all the security benefits of the service pack and to avoid application incompatibilities. This update configures the firewall policy in Windows Small Business Server so that the firewall in Windows XP SP2 is enabled, enables the security management features in Windows XP SP2, and opens or closes ports for applications as appropriate. This update is available as a download at the Windows Small Business Server page of the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?LinkId=31929.

This paper provides an overview of the features of Windows XP SP2, information about the update for Windows Small Business Server 2003, and information about how to further configure your network for optimal use with the service pack.

In order to take advantage of the new features of Windows XP SP2 in a Windows Small Business Server environment, you can use the following steps:

  1. Notify the users on the network about the service pack. See “Information for the User” later in this paper for a sample e-mail.
  2. Install the update for Windows Small Business Server.
  3. Install Windows XP SP2 on Windows XP-based client computers.
  4. If necessary, manually configure further settings on the server.

For sources of information about installing Windows XP SP2 on Windows XP-based client computers and about installing the update for Windows Small Business Server, see “Additional Resources” later in this paper.

Definitions

Port

In a TCP/IP-based network such as the Internet, a port is a 16-bit number that identifies a particular service or application on a computer. Each TCP or UDP packet carries a source port and a destination port so that the receiving computer can deliver the incoming data to the correct service.

Firewall

A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between the internal network and external computers by routing communication through a proxy server at the boundary of the network. The proxy server determines whether it is safe to let a file pass through to the network. It is also called a security-edge gateway. This paper uses the term in two senses: the firewall included with Windows Small Business Server is such a network-edge firewall, while Windows Firewall in Windows XP SP2 is a host firewall that runs on each client computer and filters that computer’s own traffic.

Overview of Windows XP Service Pack 2

Windows XP SP2 provides a set of security technologies that improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms, along with increased manageability and control and an improved experience for users. Together, these security technologies make it more difficult to attack Windows XP. These technologies are not intended to replace future periodic security updates as they are released, but rather to help strengthen the overall defenses of Windows XP against malicious attacks.

Windows Firewall

Windows XP SP2 includes the new Windows Firewall, which replaces Internet Connection Firewall (ICF), the firewall formerly provided in Windows XP.

Network protection features of Windows Firewall include:

  • Windows Firewall enabled by default for installations of Windows XP SP2
  • Firewall ports closed except when they are in use
  • Improved user interface for configuration
  • Improved application compatibility when Windows Firewall is enabled
  • Enhanced enterprise administration of Windows Firewall through Group Policy
  • Reduced attack surface of the Remote Procedure Call (RPC) service
  • Ability to run RPC objects with reduced credentials
  • Added access control restrictions to the DCOM infrastructure to reduce the risk of a successful network attack

When enabled, Windows Firewall provides a level of protection from malicious users and programs that gain access to a network by sending unsolicited incoming traffic to attack computers on a network. Windows Firewall runs on the client computer and drops incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic).

In Windows XP SP2, there are many other new features for Windows Firewall, including the following:

  • New global configuration options that apply to all connections
  • New set of dialog boxes for local configuration
  • Improved security at startup
  • Local subnet restriction
  • New configuration options with Group Policy

Because Windows Firewall is enabled by default, it can affect application compatibility and the ability to manage the computers on the network. However, the absence of host firewalls such as Windows Firewall on intranet connections leaves computers vulnerable to malicious programs brought onto the intranet by computers that attach directly to the intranet.

For example, an employee connects an organization portable computer to a home network that does not have adequate protections. Because this computer does not have a host firewall enabled on the home network connection, it gets infected with a malicious program (such as a virus) that uses unsolicited incoming traffic to spread to other computers. The employee then brings the portable computer back to the office and connects it to the organization intranet, effectively bypassing the security systems that are at the edge of the intranet. Once connected to the intranet, the malicious program begins to infect other computers.

If Windows Firewall was enabled by default on the portable computer, it might not get infected with the malicious program when connected to a home network. Even if it did get infected, when it connected to the intranet, computers on the local intranet might not become infected if they also have Windows Firewall enabled. For more information about Windows Firewall, see “Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2” at the Microsoft Download Center at https://go.microsoft.com/fwlink/?LinkId=30582.

Security Center

The Security Center provides a central location to view and manage the security status of your computer. To open the Security Center, click Start, click Control Panel, and then double-click Security Center. When you install Windows XP SP2, the Security Center provides a portal to information and configuration options for the client computer. When you enable the Security Center, it additionally detects and displays the status of, and recommendations for, the following security essentials:

  • Firewall. Windows checks to make sure that your computer is protected by a firewall. If no firewall is found on your computer, the Security Center provides recommendations for how to install one.
  • Automatic Updates. Windows checks to make sure that Automatic Updates is set up to download and install security and other important updates to your computer automatically. If Automatic Updates is not enabled or not set up to best protect your computer, the Security Center provides recommendations for fixing it.
  • Virus protection. Windows checks to make sure that your computer is using a full, up-to-date antivirus program. If no antivirus program is found, or if your antivirus program is out of date or not running, the Security Center provides recommendations for fixing the problem.

Note

The update to Windows Small Business Server 2003 for Windows XP SP2 enables the Security essentials of the Security Center. For information about this update, see “Windows Small Business Server 2003 Update for Windows XP SP2” later in this paper.

The Security Center provides a resource center for quick and centralized access to the following:

  • The latest information about viruses or other security threats.
  • The latest updates available through Windows Update.
  • Support for security-related issues.
  • Help and Support Center and alert configuration for the Security Center.

The Security Center also provides a central location from which to manage security settings for:

  • Internet Options
  • System Properties
  • Windows Firewall

Enhanced browsing security

Security technologies in Microsoft® Internet Explorer provide improved protection against malicious content on the Web reaching your company’s computers. One enhancement is a locked-down Local Machine zone that prevents malicious scripts from running and guards against harmful Web downloads. Additionally, better user controls and user interfaces help prevent malicious ActiveX® controls and spyware from running on your users’ systems without their knowledge and consent when they access information from the Internet. Windows XP SP2 also includes a pop-up blocker for Internet Explorer.

Safer e-mail handling

New default settings that have enhanced security and improved attachment control help to stop viruses that spread through e-mail and instant messaging. Potentially unsafe attachments are isolated so that they cannot affect other parts of the system. This improves the security and reliability for communications applications such as Microsoft® Outlook®, Outlook Express, and Windows® Messenger.

Improved computer maintenance

A very important part of any security plan is keeping computers updated with the latest software and security updates, and understanding the role they play in protecting your computer. New technologies have been included in the service pack to help keep client computers up-to-date. These technologies include Security Center, which provides a central location for information about the security of your computer, and Windows Installer, which provides more security options for software installation.

Memory protection

Microsoft has added a number of security technologies to lessen attacks by malicious software. These attacks take advantage of software vulnerabilities that allow more data to be copied into an area of the computer’s memory than it can hold, causing buffer overruns. Core Windows components have been recompiled with the most recent version of Microsoft’s compiler technology, whose /GS buffer security check adds protection against the exploitation of stack-based buffer overruns.

Windows Small Business Server 2003 Update for Windows XP SP2

The update for Windows Small Business Server 2003 enables Windows Firewall on Windows XP SP2-based computers, configures Group Policy for common applications and ports used in a small business, and enables the Security essentials of the Security Center.

Configuration of Policy for Windows Firewall

In a Windows Small Business Server 2003 environment, ICF, the firewall formerly provided in Windows XP, is disabled on client computers because ICF causes application compatibility issues; the computers in the network are instead protected by the firewall functionality included in Windows Small Business Server at the network edge. Windows Firewall, included with Windows XP SP2, greatly improves application compatibility and is more flexible to configure, so it can be enabled on the clients as well.

The update for Windows Small Business Server 2003 enables Windows Firewall on Windows XP SP2-based computers and configures Group Policy for common applications and ports used in a small business. This section describes the configurations performed by the update. The update is available as a download at the Windows Small Business Server page of the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?LinkId=31929.

Note

If you have existing Windows XP SP1-based clients in your network, and if you configured Group Policy settings for them, you need to verify that these settings are not changed after installing the update for Windows Small Business Server. For example, if you enabled the Windows Internet Connection Firewall (ICF) on the computers running Windows XP SP1 in your network, you should verify that ICF is still enabled after you apply the update for the server.

Important

When you install the update on the computer running Windows Small Business Server, Windows Firewall on existing Windows XP SP2-based clients is enabled 90 minutes later, which is the default Group Policy refresh interval for domain members; to apply the settings to an existing client sooner, run gpupdate /force on that client. If a new Windows XP SP2-based client is added to a network that includes the update for Windows Small Business Server, the new settings are applied immediately, so the firewall is enabled as soon as the Windows XP SP2-based client joins the domain.

Group Policy Settings for Domain and Standard Profiles

Windows XP SP2 defines two Group Policy “profiles” for Windows Firewall that are applied based on where a computer is located:

  • Domain Profile. This profile is applied when a computer is within the Windows Small Business Server network.
  • Standard Profile. This profile is applied when a computer is outside the network.

For example, if you log your portable computer on to the Windows Small Business Server network in the office, the Domain Profile is applied. When you take your portable computer to a location outside of the company network such as a café and log on to a wireless network, the Standard Profile is applied.

These profiles initially contain identical policy settings, but they can be configured independently so that computers receive different settings depending on where they are currently located. When you apply the update to Windows Small Business Server 2003, the Windows Firewall Group Policy settings for the two profiles are configured as shown in Table 1. These policies are located under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall in Group Policy Object Editor.

Table 1   Group Policy Profile Settings Configured by the Update

Setting                                                             Domain Profile   Standard Profile
Enable Windows Firewall: Protect all network connections
Enable Windows Firewall: Allow local program exceptions
Enable Windows Firewall: Define program exceptions
Enable Windows Firewall: Allow local port exceptions
Enable Windows Firewall: Define port exceptions
Enable Windows Firewall: Allow file and printer sharing exception
Enable Windows Firewall: Allow Remote Desktop exception

Program and Port Exceptions

The update defines several specific program and port exceptions in Group Policy for application compatibility. These settings are set on the server running Windows Small Business Server and cannot be changed by users on the client computers.

The update also allows for further configuration of program and port exceptions from the server for all the computers in the company. However, each exception admits unsolicited inbound traffic that the firewall would otherwise drop, so you should define only the exceptions that your users really need.

Table 2 summarizes the program exceptions that the update configures. Configuring a program exception opens whatever ports that program listens on. The Global or Local column is the scope of the exception: a Global exception accepts traffic from any IP address, and a Local exception accepts traffic only from IP addresses in the local subnet (the scope field of the syntax shown in Table 4).

Table 2   Program Exceptions Configured by Update

Executable     Associated Program        Global or Local
CeAppMgr.exe   ActiveSync                Local
WCESMgr.exe    ActiveSync                Local
WCESComm.exe   ActiveSync                Local
Sessmgr.exe    Help and Support Center   Global
Helpsvc.exe    Help and Support Center   Global
Helpctr.exe    Help and Support Center   Global

Table 3 lists the port openings that the update configures.

Table 3   Port Openings Configured by Update

Port   Description
135    Allows Remote Assistance to the client

Port 135 is the RPC endpoint mapper, so this exception admits unsolicited RPC connection attempts from any address within its scope, not only Remote Assistance traffic. Keep that scope as narrow as your use of Remote Assistance allows; the scope field is described with the port exception syntax in Table 5.

When you install the Windows Small Business Server update, it configures the Standard Profile to allow program and port exceptions, but does not define these exceptions. Users can manually define the exceptions they need on the local computer, unless they have already been defined from the server.

Note

Because the Windows Firewall: Define program exceptions and Windows Firewall: Define port exceptions settings are not enabled for the Standard Profile by default, no program and port exceptions are defined for mobile users. Therefore, if your mobile users need to use certain applications or open certain ports, you need to define program and port exceptions manually from the server. For information about configuring program and port exceptions manually from the server, see “Configuring Windows Firewall for a Windows Small Business Server Environment” later in this paper.

Security Essentials

The update also enables Security essentials detection through the Security Center. You can open the Security Center from Control Panel on the client computer. Figure 1 displays the Security essentials page.

Important

After installing the update on the server running Windows Small Business Server, wait 90 minutes (the Group Policy refresh interval) for the new settings to reach the Windows XP SP2-based clients already in the network. After 90 minutes, restart each of those clients to enable the Security Center.

Figure 1   Security Essentials in the Security Center

Configuring Windows Firewall for a Windows Small Business Server Environment

In addition to the settings that are configured by the Windows Small Business Server update, you can configure exceptions for known applications and ports in frequent use in your environment. Configuring custom exceptions prevents Security Alert pop-up messages from appearing when users open applications for the first time after installing Windows XP SP2.

Important

Before configuring Group Policy settings from the server, you need to install an update for Microsoft® Windows Server™ 2003 on your computer running Windows Small Business Server. If the update is not installed on the server, the Group Policy settings will still apply to your clients; however, you will not be able to edit these policies from the server running Windows Small Business Server. For more information about this update, see article 867766, “‘The following entry in the [strings] section is too long and has been truncated’ error message when you edit or view Group Policy in Windows Server 2003, in Windows XP, or in Windows 2000,” in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkId=4441.

You can either configure exceptions from the computer running Windows Small Business Server for all users or allow users to configure their own custom exceptions. If users in the network use a common application or require access to the network, you should configure Windows Firewall settings from the server. If a particular application is used by only a few users on the network, you should allow users to configure firewall settings on their individual client computers. However, exceptions that are defined from the server cannot be modified by the user on the client computer.

As a best practice, configure only the exceptions that the users in your organization need, in order to keep your environment as secure as possible. For example, if your organization has a mobile sales force that regularly uses Microsoft® NetMeeting® on portable computers, you can configure NetMeeting as an exception from the computer running Windows Small Business Server for all users. Use the following procedure to configure exceptions for applications.

To define custom exceptions in Windows Firewall from the Windows Small Business Server

  1. Log on to the computer running Windows Small Business Server 2003 by using the administrator account.

  2. Open Server Management.

  3. In the console tree, double-click Advanced Management, and then double-click Group Policy Management Console.

  4. In the Group Policy Management Console tree, double-click Forest: forestname, double-click Domains, right-click Small Business Server Windows Firewall, and then click Edit. This opens Group Policy Object Editor.

  5. In Group Policy Object Editor, navigate to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  6. Double-click Windows Firewall, and then click one of the following:

    1. Domain Profile, if you want to define program and port exceptions for users within the network.
    2. Standard Profile, if you want to define program and port exceptions for mobile users.
  7. In the details pane, double-click one of the following:

    1. Windows Firewall: Define program exceptions.
    2. Windows Firewall: Define port exceptions.
  8. On the Setting tab, select Enabled if it is not already selected, click Show, and then click Add in the Show Contents dialog box.

  9. Enter the syntax for the program or port according to the appropriate example shown in Table 4 or Table 5, and then click OK. You can continue to add as many ports or applications as you need.

  10. Click OK in the Show Contents dialog box, and then click OK in the Windows Firewall dialog box to complete creating the custom exceptions.

Table 4 provides example syntaxes for program exceptions with explanations about when to use each.

Table 4   Example Syntaxes for Program Exceptions

Syntax for program exceptions: <Path>:<Scope>:<Status>:<Name>

%PROGRAMFILES%\NetMeeting\Conf.exe:*:enabled:NetMeeting
    Allows the NetMeeting application to listen as an exception for all IP addresses.

%PROGRAMFILES%\NetMeeting\Conf.exe:localsubnet:enabled:NetMeeting
    Allows the NetMeeting application to listen as an exception only for IP addresses in your local subnet.

Table 5 provides example syntaxes for port exceptions with explanations about when to use each.

Table 5   Example Syntaxes for Port Exceptions

Syntax for port exceptions: <Port>:<Transport>:<Scope>:<Status>:<Name>

80:TCP:*:enabled:Web Server
    Opens port 80 as an inbound exception for all IP addresses.

80:TCP:localsubnet:enabled:Web Server
    Opens port 80 as an inbound exception only for IP addresses in your local subnet.
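The two syntaxes above, together with the port 135 opening in Table 3, as an added example that is not code from this paper or from Microsoft: a Python module that validates exception entries before you paste them into the Windows Firewall: Define program exceptions or Windows Firewall: Define port exceptions setting, and then simulates the decision Windows Firewall makes for unsolicited inbound traffic (see “Windows Firewall” earlier in this paper). It goes beyond the two tables in accepting, for the scope field, a comma-separated list of IP addresses and subnets, which the policy setting also accepts alongside * and localsubnet. The local subnet 192.168.16.0/24, the TCP transport and * scope for the port 135 opening, NetMeeting listening on TCP port 1720, and the web server path are constructed assumptions, not facts from the paper.

```python
"""Parse and evaluate Windows Firewall (XP SP2) Group Policy exception strings.

Added example for this paper, not Microsoft's code. It validates the entries of
Tables 4 and 5 and simulates Windows Firewall's decision for unsolicited inbound
traffic under one profile. Constructed assumptions: the local subnet
192.168.16.0/24, TCP transport and "*" scope for the update's port 135 opening,
and the table of listening programs.
"""
import ipaddress
from collections import namedtuple

# scope is "*", "localsubnet", or a comma-separated list of addresses/subnets
PortException = namedtuple("PortException", "port transport scope enabled name")
ProgramException = namedtuple("ProgramException", "path scope enabled name")


def _status(text):
    s = text.strip().lower()
    if s not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled: {text!r}")
    return s == "enabled"


def _scope(text):
    s = text.strip()
    if s == "*" or s.lower() == "localsubnet":
        return s
    for item in s.split(","):                              # explicit list
        ipaddress.ip_network(item.strip(), strict=False)   # rejects garbage
    return s


def parse_port_exception(entry):
    """<Port>:<Transport>:<Scope>:<Status>:<Name> (Table 5); ValueError if malformed."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port, transport, scope, status, name = parts
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    transport = transport.strip().upper()
    if transport not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP: {transport!r}")
    return PortException(port, transport, _scope(scope), _status(status), name.strip())


def parse_program_exception(entry):
    """<Path>:<Scope>:<Status>:<Name> (Table 4). A path such as C:\\... has a colon
    of its own, so the three trailing fields are split off from the right."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4 or not parts[0].strip():
        raise ValueError(f"expected <Path>:<Scope>:<Status>:<Name>: {entry!r}")
    path, scope, status, name = parts
    return ProgramException(path.strip(), _scope(scope), _status(status), name.strip())


def scope_allows(scope, src, local_subnet):
    """True if the source address falls inside the exception's scope."""
    ip = ipaddress.ip_address(src)
    if scope == "*":
        return True
    if scope.lower() == "localsubnet":
        return ip in local_subnet
    return any(ip in ipaddress.ip_network(s.strip(), strict=False)
               for s in scope.split(","))


def inbound_allowed(port_exceptions, program_exceptions, listeners,
                    port, transport, src, local_subnet):
    """Drop unsolicited inbound traffic unless an enabled port exception matches,
    or the program listening on that port (listeners maps (port, transport) to
    the program's path) has an enabled program exception, with the source
    address inside the exception's scope in either case."""
    transport = transport.upper()
    for ex in port_exceptions:
        if (ex.enabled and ex.port == port and ex.transport == transport
                and scope_allows(ex.scope, src, local_subnet)):
            return True
    owner = listeners.get((port, transport), "").lower()
    for ex in program_exceptions:
        if (ex.enabled and ex.path.lower() == owner
                and scope_allows(ex.scope, src, local_subnet)):
            return True
    return False


# Constructed Domain Profile: the paper's NetMeeting example limited to the local
# subnet, plus the update's port 135 opening (transport and scope assumed).
LOCAL_SUBNET = ipaddress.ip_network("192.168.16.0/24")
PORT_POLICY = [parse_port_exception("135:TCP:*:enabled:Remote Assistance")]
PROGRAM_POLICY = [parse_program_exception(
    r"%PROGRAMFILES%\NetMeeting\Conf.exe:localsubnet:enabled:NetMeeting")]
# Constructed listeners: NetMeeting's H.323 call port, and a web server with no exception.
LISTENERS = {(1720, "TCP"): r"%PROGRAMFILES%\NetMeeting\Conf.exe",
             (80, "TCP"): r"C:\inetpub\wwwroot\httpd.exe"}


def decide(port, transport, src):
    """Decision for one unsolicited inbound packet against the constructed profile."""
    return inbound_allowed(PORT_POLICY, PROGRAM_POLICY, LISTENERS,
                           port, transport, src, LOCAL_SUBNET)
```

Calling decide(1720, "TCP", "203.0.113.7") returns False because the localsubnet scope on the NetMeeting exception drops a caller from outside the local subnet, while decide(135, "TCP", "203.0.113.7") returns True because a * scope on port 135 admits any host that can reach the client. A port exception admits traffic to that port no matter which program is listening on it, which is why a program exception is the narrower choice when only one application needs the opening.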

Users who are local administrators on their computers can also define exceptions if the exceptions they want to define have not already been defined on the server. Windows Small Business Server Client Setup configures users as local administrators by default. For information about how users can configure the firewall, from a Windows XP SP2-based client, click Start, click Help and Support, and then search for “Windows Firewall.”

When a Windows XP SP2-based client that already has port and program exceptions configured locally is added to a network that includes the update for Windows Small Business Server, the client’s firewall settings are not retained; instead, the program and port exceptions set by the Windows Small Business Server Windows Firewall policy are applied. The user will therefore need to add any other program and port exceptions again as needed.

Information for the User

After installing Windows XP SP2 and the update for Windows Small Business Server, users might begin to receive security alerts when they open applications or attempt to perform certain actions. In order to reduce confusion, you can send out a company-wide e-mail to explain what users can expect. Use the following sample as a guide for your e-mail. Send your e-mail out prior to installing Windows XP SP2.

Sample E-mail to Users about Windows XP SP 2

Hello,

Service Pack 2 (SP2) for Windows XP will be installed on the desktop computers in the company that currently run Windows XP. SP2 has several new security features whose effects you might notice on your computer. While the network has been configured to minimize these effects, you might receive a security alert when you open an application or try to perform a task, such as printing a document. When you receive one of these security alerts, examine the name of the application. If the name is the same as the application you are attempting to open, select Unblock this program. If you do not recognize the name of the application, do not select anything in the security alert. Contact me immediately for more information about how to proceed.

Thank you

Additional Resources

See the following resources for further information: