Feeds

WinXP SP2 = security placebo?

Feature richness defeats commonsense

  • alert
  • submit to reddit

Security for virtualized datacentres

Networking components

In addition to services, Windows also installs a number of networking components that are unnecessary on the vast majority of machines, especially home machines. SP2 has done nothing to change this.

Most home users don't know that TCP/IP is the only networking component needed for an Internet connection to work. Nevertheless, Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler are all installed by default, and SP2 does little to address these issues - although, presumably, file and print sharing are limited to machines on the same subnet. At least we hope so.

Furthermore, NetBIOS over TCP/IP is enabled, and that is never a good thing on home machines.

Most absurdly, Remote Assistance ("allow script kiddies to control this computer remotely?") is enabled by default, as is Remote Registry ("allow script kiddies to modify your Registry remotely?"). The Remote Desktop "feature" was off, thankfully.

Windows Firewall

The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be. The putatively new "Windows Firewall" is actually not much different from its predecessor, the "Internet Connection Firewall", with all its weaknesses. Indeed, the only improvements are that the Security Center pops up a warning if the firewall is turned off, and the firewall alerts users to software willing to accept an outside connection.

Most importantly, the new packet filter, like the old, is incapable of egress filtering, although there were numerous press reports predicting such a capacity before its release, perhaps due to aggressive blogging by overeager MS shills. This particular omission is one of the greatest disappointments in SP2.

Because of the vast amount of malware, spyware, and adware plaguing Windows, it is crucial that a packet filter warn users whenever a program attempts to send data to the Internet. SP2 is of no value in this regard. It does, however, warn users of third-party clients that will accept incoming connections, and offers users an opportunity to block or enable them individually.

Nevertheless, Windows users must monitor outgoing connections, and must therefore continue to deploy a third-party firewall or packet filter capable of egress filtering in order to run Windows XP safely.

Policies

Default security policies with SP2 are basically sensible. However, there are exceptions. For example, to prevent NetBIOS null sessions, which are extremely dangerous, the Security Accounts Manager (SAM) should be configured to reject them. SP2 has done half the work. In the Network Access policy settings, the option "Do not allow anonymous enumeration of SAM accounts" is enabled, as it should be. Unfortunately, "Do not allow anonymous enumeration of SAM accounts and shares" is disabled, although it should be enabled. This arcane setting is not something that a home user should even have to know about, much less play with.

Permissions

If making Windows so dependent on RPC is one of Microsoft's greatest security stuff-ups, allowing Windows XP to be set up as a single user system is the most spectacular of all time.

Windows XP is the first genuine multiuser Windows system marketed to home users, yet Microsoft has stubbornly declined to enforce, or even encourage, its inherent security benefits. SP2 does nothing to improve the situation.

The chief weakness of a single-user system is that whoever sits at the keyboard is the administrator, or root in UNIX parlance, capable of taking any action he pleases. He can install programs and delete files or wipe out whole directories; he can alter system settings with the same privileges as the owner.

This is bad in two ways. First, anyone with physical access to the machine can reconfigure it and possibly destroy important files, whether intentionally or accidentally. Second, when everyone is automatically an administrator, any malware that a user picks up will run with the administrator's level of access - that is, with unlimited privileges.

Establishing less-privileged user accounts, even for the machine's owner, is the single most productive step one can take towards reducing the impact of malware. WinXP makes this possible, but, unfortunately, not necessary.

The level of system access that a user is granted affects the potential of malware, and vectors such as browsers, -mail, and IM clients, to deliver and execute malicious code. It is generally, though not universally, true that we can limit the impact of malicious code by limiting the user's access to the system. Generally, an unprivileged user will run unprivileged malware. This is why even the sole user of a system should always work from a limited-access account, except when performing administrative chores. UNIX-compatible systems enforce this worthwhile discipline strictly; Microsoft still does not even encourage it.

Beginner's guide to SSL certificates

Next page: Internet Explorer

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.