Feeds

WinXP SP2 = security placebo?

Feature richness defeats commonsense

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Networking components

In addition to services, Windows also installs a number of networking components that are unnecessary on the vast majority of machines, especially home machines. SP2 has done nothing to change this.

Most home users don't know that TCP/IP is the only networking component needed for an Internet connection to work. Nevertheless, Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler are all installed by default, and SP2 does little to address these issues - although, presumably, file and print sharing are limited to machines on the same subnet. At least we hope so.

Furthermore, NetBIOS over TCP/IP is enabled, and that is never a good thing on home machines.

Most absurdly, Remote Assistance ("allow script kiddies to control this computer remotely?") is enabled by default, as is Remote Registry ("allow script kiddies to modify your Registry remotely?"). The Remote Desktop "feature" was off, thankfully.

Windows Firewall

The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be. The putatively new "Windows Firewall" is actually not much different from its predecessor, the "Internet Connection Firewall", with all its weaknesses. Indeed, the only improvements are that the Security Center pops up a warning if the firewall is turned off, and the firewall alerts users to software willing to accept an outside connection.

Most importantly, the new packet filter, like the old, is incapable of egress filtering, although there were numerous press reports predicting such a capacity before its release, perhaps due to aggressive blogging by overeager MS shills. This particular omission is one of the greatest disappointments in SP2.

Because of the vast amount of malware, spyware, and adware plaguing Windows, it is crucial that a packet filter warn users whenever a program attempts to send data to the Internet. SP2 is of no value in this regard. It does, however, warn users of third-party clients that will accept incoming connections, and offers users an opportunity to block or enable them individually.

Nevertheless, Windows users must monitor outgoing connections, and must therefore continue to deploy a third-party firewall or packet filter capable of egress filtering in order to run Windows XP safely.

Policies

Default security policies with SP2 are basically sensible. However, there are exceptions. For example, to prevent NetBIOS null sessions, which are extremely dangerous, the Security Accounts Manager (SAM) should be configured to reject them. SP2 has done half the work. In the Network Access policy settings, the option "Do not allow anonymous enumeration of SAM accounts" is enabled, as it should be. Unfortunately, "Do not allow anonymous enumeration of SAM accounts and shares" is disabled, although it should be enabled. This arcane setting is not something that a home user should even have to know about, much less play with.

Permissions

If making Windows so dependent on RPC is one of Microsoft's greatest security stuff-ups, allowing Windows XP to be set up as a single user system is the most spectacular of all time.

Windows XP is the first genuine multiuser Windows system marketed to home users, yet Microsoft has stubbornly declined to enforce, or even encourage, its inherent security benefits. SP2 does nothing to improve the situation.

The chief weakness of a single-user system is that whoever sits at the keyboard is the administrator, or root in UNIX parlance, capable of taking any action he pleases. He can install programs and delete files or wipe out whole directories; he can alter system settings with the same privileges as the owner.

This is bad in two ways. First, anyone with physical access to the machine can reconfigure it and possibly destroy important files, whether intentionally or accidentally. Second, when everyone is automatically an administrator, any malware that a user picks up will run with the administrator's level of access - that is, with unlimited privileges.

Establishing less-privileged user accounts, even for the machine's owner, is the single most productive step one can take towards reducing the impact of malware. WinXP makes this possible, but, unfortunately, not necessary.

The level of system access that a user is granted affects the potential of malware, and vectors such as browsers, -mail, and IM clients, to deliver and execute malicious code. It is generally, though not universally, true that we can limit the impact of malicious code by limiting the user's access to the system. Generally, an unprivileged user will run unprivileged malware. This is why even the sole user of a system should always work from a limited-access account, except when performing administrative chores. UNIX-compatible systems enforce this worthwhile discipline strictly; Microsoft still does not even encourage it.

Build a business case: developing custom apps

Next page: Internet Explorer

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.