More security in Windows XP Service Pack 2

As a follow-up to my previous tip which dealt with security enhancements planned for Windows Longhorn (Microsoft's next desktop release, due out in 2006/2007), Bill Gates has penned an Executive E-mail entitled Microsoft Progress Report: Security. In that missive, he provides all kinds of information about what Microsoft is doing, and what they're planning, to boost security protection and coverage in upcoming releases.

For this tip, my focus is security enhancements planned for Windows XP Service Pack 2 (SP2), which Gates says will be released in "late spring/early summer" 2004. Gates identifies these enhancements as relating to isolation and resiliency. By isolation, he means techniques to limit the spread of potential malware infections, once contracted; by resiliency, he means the operating system's abilities to identify and respond to what he calls "suspicious or bad behavior."

• Read this exclusive article, XP SP2 finally arrives. Now what?.
• Here are some precautions you should take to ensure you keep your cool during an XP SP2 installation.
• Find out what XP SP2 has to offer in this overview of security features.

Examination of the security items for Windows XP SP2 help clarify this terminology:

• Network Protection: the Windows Firewall will be active by default, with global firewall settings and centralized configuration administration also enabled. The idea is to limit potential attack points to the bare minimum.
• Safer Web Browsing: Internet Explorer will block unsolicited downloads and pop-ups, and security settings subject to administrative policy controls.
• Safer E-mail/Instant Messaging: Improved file attachment handling in Outlook Express and Windows Messenger, plus better download controls, should limit exposure to infected e-mails or downloads.
• Memory protection: Buffer overruns—by far, the biggest single category of Microsoft vulnerabilities—are targeted using numerous techniques: recompilation to stymie stack and heap overruns, plus cooperation with vendors for hardware-enforced data execute protection, to mark data as non-executable (to foil malware that attempts to load instructions as data, then execute them).
• Windows Update will get security enhancements, including status checks for key security components such as firewall, automatic update, and anti-virus. A new Security Center applet in the Windows XP Control Panel will also indicate if security capabilities are enabled and up-to-date.

All in all, these planned changes sound like Microsoft has been analyzing its traditional sources of vulnerability, and is taking serious steps to mitigate them. The real proof will be in how well what's delivered in Windows XP SP2 works. Thus, only time (plus testing and experience) will tell if Microsoft finally succeeds in raising the Windows security bar, and abandons optimistic "out of the box" defaults for secure alternatives.

This tip originally appeared on SearchWin2000.com

About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry and co-author of several books on networking, most recently, CCSP^TM: Secure PIX and Secure VPN Study Guide published by Sybex.