The dust is finally settling after Microsoft's long-anticipated release of Windows XP Service Pack 2. This gargantuan set of patches and new features, which weighs in at a whopping 270 megabytes, is chock-full of new security fixes and capabilities. In fact, this release is more security-centric than any Service Pack we've seen from Microsoft ... ever! Of the myriad security features built into XP SP2, including software and hardware-based Data Execution Prevention, pop-up blocking software for IE and improved Outlook Express attachment management, I'd like to zoom in on just two: the new Security Center and the default-on Windows firewall.
XP SP2's Security Center looks quite promising (You can review its settings via Start->Settings->Control Panel->Security Center). It features a minimalist screen that shows the current state of antivirus, personal firewall and automatic Windows update on the machine. If malicious code disables these tools or a user lets them get out-of-date Security Center will pester the user with annoying balloon dialog boxes and a little red broken heart icon in the tool tray until the given security capability is reactivated and updated.
It's important to note that the Security Center is merely an overview of the security settings on the box and is focused on reporting the machine's security status to the user. That means an administrator doesn't have centralized management capabilities like remotely locking down a machine or assigning stronger security settings if a user is delinquent in addressing expired or disabled security features. However, fortunately the user can't disable the Security Center either. The user can choose to ignore its recommendations and make them disappear temporarily, but they keep coming back to warn the user. In essence, Windows can self-patrol some of the rudimentary security settings on behalf of a user. I recommend that you add a description of the Security Center to your corporate security awareness training, and specify help desk support staff or operations team for users to go to if they need assistance with the Security Center's warning messages.
Another ballyhooed capability of XP SP 2 is the default-on Windows personal firewall. I've spoken to several organizations whose corporate plans for personal firewalls are going to focus on this built-in Windows firewall. These folks argue that the Windows firewall is built-in, deploys automatically with XP SP 2 and offers the requisite firewall functionality. Seems like a no-brainer, right?
Well, not exactly. The built-in firewall offers only minimal functionality -- blocking only inbound connections, thereby thwarting some of the buffer-overflow exploiting worms and network-listening backdoors we're constantly seeing. But, that's barely half of the defenses users need! The fact is, increasingly, malicious code installed on a box communicates outbound with the attacker, polling the bad guy for commands to execute and pushing out results from those commands. In effect, the malicious code is shoveling a shell or control of the GUI to the attacker. Such backdoors easily slice right through the built-in Windows XP personal firewall.
While you might be thinking, "If the Windows firewall blocks incoming malware, how would the malicious code get on the box in the first place to communicate outward?" There are numerous potential vulnerabilities that could let an attacker get code on the box, with or without an inbound-filtering firewall. Perhaps the easiest way involves a clueless user executing an e-mail attachment or otherwise installing untrusted software. Also, we will likely continue to see a large number of browser-based vulnerabilities. For example, if a user surfs to the wrong Web site, an attacker can squirt back code via HTTP that runs inside the browser and gives the attacker control. Why, we just saw such a flaw in many Microsoft products last month, called the GDI+ driver buffer-overflow vulnerability, which was based on a buffer-overflow flaw in Windows' JPEG image processing. That means if you view the wrong image with an unpatched version of IE, Outlook or other image-viewing software the attacker owns your box -- no inbound connections required. Although the GDI+ flaw has an available patch, certainly other as-yet-undiscovered flaws certainly lie beneath the surface. The bottom line here is that XP SP2's built-in firewall lacks filtering for outbound connections, leaving the system exposed to numerous attack vectors.
Given these concerns, you should consider the built-in default Windows XP SP 2 firewall a minimal level of half-baked software that helps protect some consumer-grade Windows users while surfing the Internet for fun and e-commerce. It doesn't offer the protection required in most corporate environments. For corporate-level protection, you should consider another personal firewall, such as Zone Alarm, the Tiny Personal Firewall or one of the many others that are available.
This tip originally appeared on SearchSecurity.com.
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).
More Information on SearchWindowsSecurity.com:
This was first published in October 2004