Testing Windows XP SP2’s role in client security

We also reviewed Microsoft’s recently introduced Windows XP Service Pack 2, which is intended to make the operating system more secure.

We also reviewed Microsoft’s recently introduced Windows XP Service Pack 2, which is intended to make the operating system more secure.

XP SP2 includes a new firewall, application execution protection features, a new system management component for security, and security modifications to the browser and e-mail processing features of XP. We tested the XP upgrade on a Pentium 4, 3-GHz system with 2G bytes of RAM.

XP SP2’s firewall is a stripped-down packet-filtering mechanism with limited configuration and logging capabilities. The update provides a new execution-protection mechanism that, when configured properly and supported with appropriate underlying hardware, should help block attacks that use data buffers to execute malicious code.

Modifications to the browser should prevent at least some types of malicious Web content from attacking systems because they disallow pop-up windows by default. The mechanism used to process e-mail attachments has been modified, so there should be less unchecked execution of programs that help spread viruses.

The firewall, execution protection and new security center component – a new GUI to control the firewall, virus scanner, and update monitoring features – provide features similar to most third-party client security products.

The firewall is quite crude by modern standards. It only logs to a text file on the client, and you can’t rotate the logs (changing to a new log file periodically is a conventionally sound security practice) without shutting down the firewall. The firewall rules let you select inbound ports to block, but don’t offer any further detail (such as only allowing connections from a specific IP address, for example).

Microsoft says you can centrally manage firewall settings, but there appears to be no mechanism in the service pack to make that possible, such as integration with the standard Windows event log or a means to deliver notifications to a central Windows-based server or syslog file.

Instead of blocking a specific executable or API call, XP SP2 blocks the use of data memory to execute code. In principle, this will inhibit a large class of exploits because many current attacks are based heavily on buffer overflows and other schemes that execute code located in an area of memory that is designated for data. Full support for this mechanism will require using 64-bit processor-based systems, which include the appropriate memory protection mechanisms.

There is no specific intrusion-detection or intrusion-prevention capability in XP SP2, although many of its security features will have the beneficial side effect of blocking intrusions. The firewall will block incoming network connections that an attacker would use for some kinds of intrusions, for example. It doesn’t provide the same features as the client security products we reviewed, but it does address the general requirement of “making the client more resilient to attack.”

We also asked endpoint security vendors in our test whether SP2 was certified to work with their products. All nine said their products worked now, worked with modifications or would be updated soon to work with XP SP2.

Our overall assessment of XP SP2 boils down to two questions: “Does it offer useful defenses?” and “Are there any risks?”

Yes, it offers defenses, but you might want to go with a third-party product if you need more detailed access controls and more useful reporting tools. The browser changes, although they appear to improve the overall safety, might break legitimate Web sites that your users visit regularly, and so that change might be painful to deploy in the short term.

The execution-protection mechanism has great potential, but the hardware support requirement probably will limit its usefulness (it’s not clear how much the software-only variant can do), and some companies might find significant issues with driver compatibility.

And XP SP2 introduces some new risks. The firewall is controlled through a simple API that an exploit could reach as easily as the client user. This means turning off the firewall is now a potential target attack. The event reporting from the new security features has major gaps that have to be examined, like no centralized logging and no logging at all of pop-up block events. If execution protection can affect device drivers that perform complex memory-access operations, there might be new ways for exploits to cause system failures until the compatibility issues are all worked out.

Back to review: “Endpoint security products aid in client defense”