Microsoft Windows XP Service Pack 2 amounts to a major "life event" for companies using the Windows platform. The update represents a major step forward in security, and many organizations will seriously consider it for several reasons. Those that plan to deploy the update need to understand several important features. Even those that don't use it still will need to consider the service pack's impact.
Key Changes With SP2
The new service pack includes a desktop firewall, enhancements to Internet Explorer, memory protection and tools for management and remote administration.
- Firewall, Internet Explorer enhancements block intrusion, infection
The desktop firewall arrives installed and turned on by default, and is arguably the most significant aspect of the software. It helps tighten device security on all networks -- especially those in public places.
There have been plenty of horror stories about employees using wireless networks at the airport or in cafes. Although they don't realize it, file sharing is tied to the network on which they're working, so anyone interested in perusing anything available on their laptop can do so, without the users' knowledge or consent.
The firewall in SP2 blocks inbound access attempts according to the local, or group, policy in effect. For outbound connections, the user is alerted to a connection attempt, and asked to allow or deny it. IT administrators can configure devices through group policy to conform to their security policy. SP2 adds roughly 600 new group policy objects, providing a finer degree of control than before.
Enhancements to Internet Explorer block pop-ups and ActiveX controls that can result in inadvertent download of malicious code such as viruses or spyware. Users get an audible signal and warning message that a pop-up has been blocked. They can then unblock the feature for that page.
- Protection against DoS attacks
SP2 should help significantly with denial-of-service (DoS) attacks caused by buffer overflows, when too much data is sent to an application's temporary storage area -- sometimes causing that excess data to act as executable code. One of the most popular DoS exploits, buffer overflows will now be prevented from executing commands and will shut down systems instead. It's an inconvenience that's worth the peace of mind that no code can be launched and the device won't be further damaged.
Several other service pack features strengthen administrative security control. Internet Explorer has a new interface for managing add-ins that extend browser capabilities, such as PDF viewing.
Considerations for Companies That Deploy -- and Those That Don't
Whether or not they roll out the update, we're advising clients on SP2 issues involving application development and deployment, information distribution and use, and testing. There are ramifications for activities that companies may have considered outside the "normal" purview of a service pack security update.
- Application development
We expect a flurry of problems and fixes for off-the-shelf applications. More important, SP2 can interfere with remote procedure call (RPC) and Distributed Common Object Model application architectures. Any client-side application that "listens" for network traffic will need to be explicitly permitted within the firewall rule set.
The service pack also determines application access based on two distinctions: how and where COM components are launched, and whether RPC applications are running on the local system or elsewhere. If greater access to a particular application is required, some software may have to be revised to provide that availability.
Whether or not they plan to deploy the update, companies will need to examine their applications' architecture. Firms that won't use it still need to consider how application design will impact their end users or customers who do implement the service pack. For example, a Web site pop-up request for user sign-in may be blocked by the user's Internet Explorer configuration.
- Infrastructure assessment
The stronger controls built into SP2 will require IT teams to think about how they distribute information and how users get it. Are employees working on the LAN one day, and then wireless the next? How is information distribution managed?
If an employee has Web and FTP services running on a laptop, the service pack will block both of those capabilities. We use this extreme example to underscore the importance of an up-to-date inventory of company assets and usage. This will help IT managers determine whether the service pack will counter daily operations or improve them.
Testing is important for any security update, and SP2 is no exception. For companies planning to deploy the service pack, running it on the company's standard desktop configuration(s) in a test environment will reveal issues that need to be resolved for successful deployment.
Finally, we advise clients to consider the long-term effects of SP2. By blocking some of the major sources of vulnerability outright, SP2 could eliminate any number of patch-and-recover exercises for specific exploits and introduce a greater degree of security by default.
Christopher Burry is a fellow and the technology infrastructure practice director at Avanade, a Seattle-based integrator for Microsoft technology that's a joint venture between Accenture and Microsoft. Steven Chanyi is a senior systems engineer at Avanade. Send comments or questions to Christopher.Burry@avanade.com.