WinXP SP2 = security placebo?

Feature richness defeats commonsense

Networking components

In addition to services, Windows also installs a number of networking components that are unnecessary on the vast majority of machines, especially home machines. SP2 has done nothing to change this.

Most home users don't know that TCP/IP is the only networking component needed for an Internet connection to work. Nevertheless, Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler are all installed by default, and SP2 does little to address these issues - although, presumably, file and print sharing are limited to machines on the same subnet. At least we hope so.

Furthermore, NetBIOS over TCP/IP is enabled, and that is never a good thing on home machines.

Most absurdly, Remote Assistance ("allow script kiddies to control this computer remotely?") is enabled by default, as is Remote Registry ("allow script kiddies to modify your Registry remotely?"). The Remote Desktop "feature" was off, thankfully.

Windows Firewall

The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be. The putatively new "Windows Firewall" is actually not much different from its predecessor, the "Internet Connection Firewall", with all its weaknesses. Indeed, the only improvements are that the Security Center pops up a warning if the firewall is turned off, and the firewall alerts users to software willing to accept an outside connection.

Most importantly, the new packet filter, like the old, is incapable of egress filtering, although there were numerous press reports predicting such a capacity before its release, perhaps due to aggressive blogging by overeager MS shills. This particular omission is one of the greatest disappointments in SP2.

Because of the vast amount of malware, spyware, and adware plaguing Windows, it is crucial that a packet filter warn users whenever a program attempts to send data to the Internet. SP2 is of no value in this regard. It does, however, warn users of third-party clients that will accept incoming connections, and offers users an opportunity to block or enable them individually.

Nevertheless, Windows users must monitor outgoing connections, and must therefore continue to deploy a third-party firewall or packet filter capable of egress filtering in order to run Windows XP safely.

Policies

Default security policies with SP2 are basically sensible. However, there are exceptions. For example, to prevent NetBIOS null sessions, which are extremely dangerous, the Security Accounts Manager (SAM) should be configured to reject them. SP2 has done half the work. In the Network Access policy settings, the option "Do not allow anonymous enumeration of SAM accounts" is enabled, as it should be. Unfortunately, "Do not allow anonymous enumeration of SAM accounts and shares" is disabled, although it should be enabled. This arcane setting is not something that a home user should even have to know about, much less play with.

Permissions

If making Windows so dependent on RPC is one of Microsoft's greatest security stuff-ups, allowing Windows XP to be set up as a single user system is the most spectacular of all time.

Windows XP is the first genuine multiuser Windows system marketed to home users, yet Microsoft has stubbornly declined to enforce, or even encourage, its inherent security benefits. SP2 does nothing to improve the situation.

The chief weakness of a single-user system is that whoever sits at the keyboard is the administrator, or root in UNIX parlance, capable of taking any action he pleases. He can install programs and delete files or wipe out whole directories; he can alter system settings with the same privileges as the owner.

This is bad in two ways. First, anyone with physical access to the machine can reconfigure it and possibly destroy important files, whether intentionally or accidentally. Second, when everyone is automatically an administrator, any malware that a user picks up will run with the administrator's level of access - that is, with unlimited privileges.

Establishing less-privileged user accounts, even for the machine's owner, is the single most productive step one can take towards reducing the impact of malware. WinXP makes this possible, but, unfortunately, not necessary.

The level of system access that a user is granted affects the potential of malware, and of vectors such as browsers, e-mail, and IM clients, to deliver and execute malicious code. It is generally, though not universally, true that we can limit the impact of malicious code by limiting the user's access to the system. Generally, an unprivileged user will run unprivileged malware. This is why even the sole user of a system should always work from a limited-access account, except when performing administrative chores. UNIX-compatible systems enforce this worthwhile discipline strictly; Microsoft still does not even encourage it.
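An added audit script, not part of the article, that reads on the local machine the settings faulted in the Networking components, Windows Firewall, Policies and Permissions sections above: Remote Assistance, Remote Desktop, the Remote Registry service, NetBIOS over TCP/IP per interface, the two anonymous-enumeration policies, the firewall state, and whether the signed-in user is an administrator. It assumes the XP-era registry locations for these settings (which later Windows versions still use) and is meant to be run from PowerShell on the machine being checked.

```powershell
# Added example (not from the article): report which of the criticised SP2 defaults
# are still in effect. Registry paths are the XP-era locations and are assumed unchanged.
$findings = @()

function Add-Finding($Name, $Risky, $Detail) {
    $script:findings += [pscustomobject]@{ Setting = $Name; Risky = [bool]$Risky; Detail = $Detail }
}

# Remote Assistance: fAllowToGetHelp=1 means "allow this computer to be controlled remotely".
# Remote Desktop: fDenyTSConnections=0 means the listener is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Finding 'Remote Assistance' ($ts.fAllowToGetHelp -eq 1) "fAllowToGetHelp=$($ts.fAllowToGetHelp)"
Add-Finding 'Remote Desktop' ($ts.fDenyTSConnections -eq 0) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# Remote Registry service: anything other than Disabled is unnecessary exposure on a home machine.
$rr = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
Add-Finding 'Remote Registry service' ($rr -and $rr.StartMode -ne 'Disabled') "StartMode=$($rr.StartMode), State=$($rr.State)"

# NetBIOS over TCP/IP, one value per interface: 2 = disabled, 1 = enabled, 0 = take the DHCP setting.
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($i in $ifaces) {
    $opt = (Get-ItemProperty $i.PSPath).NetbiosOptions
    Add-Finding "NetBIOS over TCP/IP ($($i.PSChildName))" ($opt -ne 2) "NetbiosOptions=$opt"
}

# Null-session policies: RestrictAnonymousSAM backs "Do not allow anonymous enumeration of
# SAM accounts", RestrictAnonymous backs "... SAM accounts and shares". Both should be 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Finding 'Anonymous enumeration of SAM accounts' ($lsa.RestrictAnonymousSAM -ne 1) "RestrictAnonymousSAM=$($lsa.RestrictAnonymousSAM)"
Add-Finding 'Anonymous enumeration of SAM accounts and shares' ($lsa.RestrictAnonymous -ne 1) "RestrictAnonymous=$($lsa.RestrictAnonymous)"

# Windows Firewall, standard profile: EnableFirewall=0 (or missing) means the packet filter is off.
$fw = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -ErrorAction SilentlyContinue
Add-Finding 'Windows Firewall (standard profile)' ($fw.EnableFirewall -ne 1) "EnableFirewall=$($fw.EnableFirewall)"

# The single-user problem: is this everyday session running with administrator rights?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Finding 'Current session is an administrator' $isAdmin $id.Name

$findings | Format-Table -AutoSize
```

A row marked Risky = True is a setting still at, or worse than, the default the article objects to; the Detail column shows the raw value so the fix can be verified after changing it.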

Next page: Internet Explorer