We also reviewed Microsoft's recently introduced Windows XP Service Pack 2, which is intended to make the operating system more secure.
XP SP2 includes a new firewall, application execution protection features, a new system management component for security, and security modifications to the browser and e-mail processing features of XP. We tested the XP upgrade on a Pentium 4, 3-GHz system with 2G bytes of RAM.
XP SP2's firewall is a stripped-down packet-filtering mechanism with limited configuration and logging capabilities. The update provides a new execution-protection mechanism that, when configured properly and supported with appropriate underlying hardware, should help block attacks that use data buffers to execute malicious code.
Modifications to the browser should prevent at least some types of malicious Web content from attacking systems because they disallow pop-up windows by default. The mechanism used to process e-mail attachments has been modified, so there should be less unchecked execution of programs that help spread viruses.
The firewall, execution protection and new security center component - a new GUI to control the firewall, virus scanner, and update monitoring features - provide features similar to most third-party client security products.
The firewall is quite crude by modern standards. It only logs to a text file on the client, and you can't rotate the logs (changing to a new log file periodically is a conventionally sound security practice) without shutting down the firewall. The firewall rules let you select inbound ports to block, but don't offer any further detail, such as only allowing connections from a specific IP address.
Microsoft says you can centrally manage firewall settings, but there appears to be no mechanism in the service pack to make that possible, such as integration with the standard Windows event log or a means to deliver notifications to a central Windows-based server or syslog file.
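Because the SP2 firewall writes only a local text file, the practical way to get its events into a central view is to parse that file and ship summaries yourself. The following is an added example, not code from the review or from Microsoft; it assumes the W3C-style layout of the XP firewall log (a `#Fields:` header naming the columns, followed by one event per line) and uses constructed sample lines. It collapses dropped inbound connections per source address into syslog-style records a collector could ingest.

```python
"""Parse a Windows XP SP2 firewall text log (pfirewall.log) and summarise
dropped inbound connections per source, as a stand-in for the central
reporting the service pack lacks."""
from collections import defaultdict

# Constructed sample in the W3C-style layout XP SP2 writes (assumed format);
# the #Fields header names the columns, so the parser does not hard-code them.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-10 10:00:01 DROP TCP 192.0.2.7 192.0.2.50 3456 445 48 S 1234567 0 65535 - - - RECEIVE
2004-09-10 10:00:02 DROP TCP 192.0.2.7 192.0.2.50 3457 135 48 S 1234568 0 65535 - - - RECEIVE
2004-09-10 10:00:03 DROP TCP 192.0.2.7 192.0.2.50 3458 139 48 S 1234569 0 65535 - - - RECEIVE
2004-09-10 10:00:04 OPEN TCP 192.0.2.50 192.0.2.9 1040 80 - - - - - - - - -
2004-09-10 10:00:05 DROP UDP 192.0.2.33 192.0.2.50 1026 137 78 - - - - - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per event line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or partial lines
                yield dict(zip(fields, values))

def dropped_inbound_by_source(text):
    """Map src-ip -> sorted distinct destination ports dropped on RECEIVE."""
    ports = defaultdict(set)
    for ev in parse_firewall_log(text):
        if ev["action"] == "DROP" and ev["path"] == "RECEIVE":
            ports[ev["src-ip"]].add(int(ev["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items()}

def to_syslog_lines(text, host="xp-client", min_ports=1):
    """One syslog-style line per source that hit at least min_ports distinct
    ports; a multi-port source is the pattern worth surfacing centrally."""
    out = []
    for ip, ports in sorted(dropped_inbound_by_source(text).items()):
        if len(ports) >= min_ports:
            out.append(f"{host} xpfw: DROP RECEIVE src={ip} ports={len(ports)} "
                       f"dst_ports={','.join(map(str, ports))}")
    return out

if __name__ == "__main__":
    for line in to_syslog_lines(SAMPLE_LOG, min_ports=2):
        print(line)
```

In practice the file would be read from the client's configured log path rather than the embedded sample, and the lines handed to whatever forwarder reaches the central server.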
Instead of blocking a specific executable or API call, XP SP2 blocks the use of data memory to execute code. In principle, this will inhibit a large class of exploits because many current attacks are based heavily on buffer overflows and other schemes that execute code located in an area of memory that is designated for data. Full support for this mechanism will require using 64-bit processor-based systems, which include the appropriate memory protection mechanisms.
There is no specific intrusion-detection or intrusion-prevention capability in XP SP2, although many of its security features will have the beneficial side effect of blocking intrusions. The firewall will block incoming network connections that an attacker would use for some kinds of intrusions, for example. It doesn't provide the same features as the client security products we reviewed, but it does address the general requirement of "making the client more resilient to attack."
We also asked endpoint security vendors in our test whether SP2 was certified to work with their products. All nine said their products worked now, worked with modifications or would be updated soon to work with XP SP2.