Professor Windows - July 2004

Windows XP Service Pack 2: Where Will You Be the Day after Tomorrow?

By Professor Windows and
Erez Paz, Rapid Adoption Manager, Microsoft Israel

Who Is a Security Fanatic?

Hmm anyone heard of the Blaster worm? Yes, I am sure most of you have seen its damages or maybe even experienced it yourself. After this experience, what have you done to improve the level of security in your computers? Did you really think about it? Have you installed, upgraded, or tightened the firewall in your organization? What about enhancing your policy rules or changing your password more often? Have you established a policy of making your users work with "Normal user rights" and not with "Administrative user right" on their PCs?

I didn't do all that. Most of my clients didn't do that. This doesn't make it ok.

Every time I have the chance, I urge my customers to pay more attention to security. Unfortunately, most of them would rather have user comfort than security. The "comfort" could reach to a level where the bank won't restrict a screen save lock after 15 minutes

Service Pack 2 to the Rescue

This is your wake up call, folks! Hackers deceive us right under our nose! I think you'll be quite amazed to read the "Changes to Functionality in Microsoft Windows XP Service Pack 2" document. Just think of how many ways hackers can spoof us using Internet Explorer today. They can create a popup window that will hide important information like the address bar or the notification bar and make us believe that this is a secure site. They can pop-up an ActiveX install request as many times as they want, interfering our web browsing experience. Without the defense of a firewall, they can connect to our computers in unsolicited inbound connections through TCP/IP.

Service Pack 2 for Windows XP has more then 150 changes designed to improve the security and stability of our operating system. Although some of the improvements are not security related, most of them are.

Who Needs a Personal Firewall?

Today almost every corporate environment has an edge firewall protecting it from unsolicited inbound connections. That obviously means that the network is protected and Windows XP SP2 new firewall should only be used at home... Wrong! Anyone can bring today to his organization some software in a USB disk stick, floppy disk, camera flash memory and many more. That person can be even one of your help-desk employees with access to all the environments. You should have a very strict policy in place to prevent it from happening.

The new Windows Firewall (formerly called Internet Connection Firewall) has changed. It now provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.

Here are the main changes in the new Windows Firewall:

  • The Windows Firewall is enabled by default during the installation.
  • Ability to control all its features from Group Policy, Netsh command line, or from Netfw.inf file.
  • New friendlier and more helpful user interface (see figure 1).
  • An exception list containing all the ports or programs to which you allow receiving an unsolicited connection from the network (see figure 2).
  • Subnet control – you can now configure a port or program in the exception list to only receive network traffic with a source address from the local subnet (see figure 3).
  • On with no exceptions – In case of a worm attack on you network, you can configure the Windows firewall to drop all inbound connections by enabling "Don't allow exceptions" in the Firewall main UI, command line, or Group Policy.
  • Global configuration – The former Internet Connection Firewall was configured on a per-interface basis. This means that each network connection had its own firewall policy: for example, one policy for wireless, another policy for Ethernet. With Global Configuration, whenever a configuration change occurs, it applies to all network connections.
  • Multiple profiles - Multiple profiles support in Windows Firewall allows you to create two sets of firewall policy: one used when the computer is connected to the corporate network and another used when the computer is not.

The new Windows Firewall has been designed to help you secure your home and business connections. By using it, you will decrease to minimum the attacks within and outside your organizations.


Fig. 1 Windows Firewall


Fig. 2 Windows Firewall Exception list


Fig. 3 Configuring Exception Scope

Solving Today's Internet Experience Frustrations

How many times did you get to a web page where you are asked to install an ActiveX and would not let you continue until you accept? How many times did you get to a web page that covers you screen with so many pop-ups that after you close them all, you discovered that you also closed your main page and don't remember what was its address?

Windows XP SP2 changes Internet Explorer behavior significantly to prevent malicious web pages from deceiving you and installing add-ware or spy bots that will harm your computer.

The main changes are:

Add-on Install Prompt

Any web page that tries to install an ActiveX will be blocked. You will not be bothered with a large message box asking you to install it. You will see the web page immediately be notified by a new security bar under the address bar that this web site tried to install an ActiveX on your computer (see Figure 4). Right-click on the security bar and you can choose to install the ActiveX. In this case, a new window will present only the most important information about this ActiveX: Name, Publisher, Warning message (see Figure 5). You can choose to ignore future ActiveX installation requests.


Fig. 4 ActiveX Blocking Notification in IE

If your browser does not support inline frames, click here to view on a separate page.

Fig. 5 The New ActiveX Security Warning

Add-on Manager

If you already installed an ActiveX either intentionally or by accident, you can remove it at will using the new Add on manager. Using the Add-on manager, you can enable or disable any Add-on in IE.

Note With the Add-on manager you cannot uninstall add-ons, just disable them.

TIP I used the Add-on Manager to disable "Shockwave Flash Object". This setting disables all the flash objects in the sites I visit because all those flash commercials are usually annoying. You can use a script to disable or enable Flash so you can have one shortcut to IE with flash and another shortcut to IE without Flash.

Pop-up blocker

If a web page tries to open a pop-up, this will be blocked automatically. You will get the same security bar notification as in the case of an attempt to install an ActiveX control. Right-click on the security bar and choose allow for the pop-up to appear. You can manage the pop-ups behavior through Tools->Pop-up blocker settings. By default, there are no allowed sites in the Allowed Site list.

Spoofing mitigation

To protect you from spoofing, pop-ups cannot appear off screen, without borders, without notification bar, on top of the address or notification bars of the parent page or in full screen.

Other Changes

There are many more changes in IE that will help you browse the Internet more smoothly and protect you from web spoofing. If you are a web developer and are concerned that your web site will not work correctly after Windows XP SP2 releases, please check the following link for more information:

Bottom Line – Is my PC Secure?

It sure can be more secure than it is today. In Windows XP Service Pack 2 there is a new service called Security Center. It is a new service that provides a central location for changing security settings, learning more about security, and ensuring your computer is up to date, with the essential security settings that are recommended by Microsoft. It runs as a background process and checks the state of your Personal Firewall, Antivirus and Windows update components. It will check 3rd party software as long as it has a WMI provider. If a component is found to be missing or out of compliance with your Security Policy, the Security Center places a red icon in the notification area of the user's taskbar and also provides an Alert message at logon.

Much More than Meets the Eye

Windows XP Service Pack 2 includes many more changes. Here is a quick list of some of them:

  • Any programs that work with RPC, DCOM or WebDAV will not use anonymous connections anymore. They must be authenticated.
  • A new wireless client supporting the new RADIUS server to be shipped in Service Pack 1 of Windows Server 2003.
  • Outlook Express does not download external HTML content automatically and helps users to avoid getting repeated spam mailings by preventing the user from unknowingly validating their e-mail address to spam originators.
  • NX ("No Execute") Technology - Execution protection is a new technology that works along with a supported CPU to protect the computer memory from programs that cause buffer overruns.
  • AES – Attachment Exaction Service helps IE, Windows Messenger, and Outlook Express to sniff executable files and to determine if they are safe.
  • Bluetooth support for most of the known devices.
  • MSI3 – Microsoft Installer 3 that supports Binary Data Compression for smaller patches.
  • Client for Windows Update Server that will be out soon.
  • Tablet PC enhancements to help you write more smoothly.

Where Will You Be the Day after Tomorrow?

Windows XP Service Pack 2 contains a lot more than just a number of security fixes. It is not just the largest Service Pack ever released by Microsoft but it demonstrates the approach of increasing your PC Security by significantly reducing its attack surface. It's not a patching approach. It's not about fixing things when a new exploit comes out. It's about reducing chances for future exploits in a far more robust way than today. So we come back to the biggest problem a system administrator has: the choice between security and usability. Today's PC security is far too important, and this is where Windows XP Service Pack 2 can help you by protecting you better by default and still keep your users productivity.

Here are some links that you can use for more information:

For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that this is not a support alias and a response is not guaranteed.