Improving Resiliency with Windows XP Service Pack 2

Part 1 of 2

Steve Riley
Product Manager, Security Business & Technology Unit
Microsoft Corporation

Have you ever thought about what it means to engage in software engineering? One of the early phases of any engineering project is the design phase, and usually the beginning of design is figuring out the environment—where and how a product will be used. As often happens, though, environments change. Such change often requires updates and modifications to a product so that it can continue to operate successfully in new environments.

Computer networks have become hostile places—some of them extremely so. Public networks like the Internet, hotel or trade show LANs, and cable modem subnets really are occupied by bad guys looking to cause damage. Corporate networks, too, can be dangerous: malicious insiders, of course, but also mobile computers. Corporate laptops often leave the safety of an internal network, connect to a public network, and then return. Once an infected computer has been reconnected to your internal network, your network firewall most likely won't mitigate the malware because most current malware can use commonly open ports and protocols to sneak past network firewalls. So what to do?

Improve the resiliency of computers, that’s what. And that’s one of the goals of the service pack’s security enhancements:

  • Increase the security resiliency and management of Windows XP.

  • Decrease end-user and administrator security burden: be more secure out of the box.

  • Reduce the damage of worms and viruses even if the latest updates aren’t installed.

  • Make attackers work harder.

There’s more to keeping a computer secure than simply applying updates. Sometimes it’s difficult to keep a computer up to date because you might need to go through a testing process before deploying an update—and the computer might be vulnerable in the interim. An improved Windows client firewall and Internet Explorer enhancements work to mitigate this threat and to keep malicious traffic out of the computer. These and other technologies help increase security resiliency.

Security features are sometimes difficult to find and even more difficult to manage. Often they are simply ignored out of fear that “something might break.” To better protect all users, many of the new security capabilities in the service pack are switched on by default, have been relocated to ease discovery, and incorporate sophisticated central management abilities to reduce the likelihood of breaking applications. These changes and enhancements will help decrease the security burden.

The features in the service pack address protection scenarios that include:

  • Blocking attacks.

  • Foiling spyware.

  • Stopping mail worms and other malicious code.

  • Reducing buffer overrun exploits.

  • Cutting confusing security dialog boxes.

  • Configuring secure default states.

  • Simplifying security updates.

  • Evolving from edge security to host security.

  • Doing the right thing for users.

In this first of a two-part series, I’ll explore how the service pack can help block attacks. In part two, I’ll explore how the service pack can help foil spyware, stop worms and other malicious code, and reduce buffer overrun exploits.

Block Attacks
Computers can do a lot, but they often are used only for a few things. One of the best ways to protect a computer is to limit what can enter its network interface: Allow only the traffic that’s appropriate to what the user might be doing. A host-based firewall is ideal here, but most people don’t know how to set one up, or if they try they’re confused about how to make it behave properly. And in corporate environments computers running host firewalls can be very difficult to manage—including managing the firewall itself.

Windows Firewall (the replacement for Internet Connection Firewall) is designed to help eliminate these shortcomings. A new user interface is easily discoverable where you expect it: the Control Panel. You can quickly determine whether the firewall is on and whether it is permitting or blocking unsolicited inbound requests for services running on the computer. More importantly, the firewall is switched on by default on upgrades and new installs. This change alone will protect millions of computers.

As in ICF, Windows Firewall (WF) permits all outbound traffic. (Unlike other host firewalls, WF performs no outbound blocking because our user testing indicated that the dialogs and general “chattiness” of outbound blocking confused most users.) WF will normally block any inbound traffic unless what’s arriving is a response to some previous outbound request. You can create exceptions in the firewall’s policy to allow unsolicited inbound traffic in two ways:

  • By granting an application permission to open whatever ports it needs when the application starts; when the application terminates, WF closes the ports.

  • By statically opening a port (the old ICF way).

In a corporate environment WF can be configured to permit inbound traffic for file and print sharing and for Remote Procedure Call (RPC), so you can manage the computer remotely while still keeping it protected. You can restrict the scope of allowed inbound connections, allowing them to originate only from the computer’s own subnet or a defined list of multiple internal subnets.

WF now has two profiles, one for internal corporate use and one for Internet use. Usually your corporate profile will be more relaxed—this is where you’ll permit file/print and RPC and perhaps other services like instant messenger file sharing. Your Internet profile will probably be very restrictive, permitting nothing inbound. New Group Policy objects (downloadable for Windows 2000 Server and Windows Server 2003 Active Directory) permit you to manage most of the firewall’s settings, for both profiles, centrally. You can also configure the firewall from scripts and the command line through additions to the NETSH utility.

Finally, to ease deployments of standard configurations, you can use the firewall’s new unattended setup option to preconfigure it for your environment.

I hope you agree that the improvements in the firewall’s capabilities and management will increase the resiliency of your XP deployments by blocking many common attacks. Because even corporate networks can be hostile (think the returning infected laptop), host firewalls can be the single most effective protection for your critical data and systems if properly configured according to your business and technical needs. Learn more about the service pack and download your copy of Release Candidate 2.

Thanks for reading. We’ll explore more next month.