SP2 on XP Home

Security opportunities missed


Review Our previous article on the security disappointments of SP2 drew considerable criticism because we cited very poor service to the security needs of home users, although we tested it on XP Pro. In fairness, we felt it reasonable to repeat the procedure on XP Home, and note any differences.

As before, we evaluated SP2 on a single test machine, following a clean install of XP Home with no configuration changes and no third-party software, additional applications, or drivers. We installed XP with the NTFS file system, choosing all of the factory defaults and obeying all prompts, then patched it with each recommended security update including SP1 before installing SP2, to be certain we didn't miss anything.

Busy box

According to netstat, our machine had the following services listening by default:

* DCE endpoint resolution (epmap), port 135. This is the RPC endpoint mapper, the Windows counterpart of the UNIX/BSD/Linux portmap daemon, and unnecessary on most home machines. Note that it is bound by the core RPC subsystem rather than by an optional service, so on XP it has to be blocked at the firewall rather than switched off.

* NetBIOS name service, port 137. This is the NetBIOS name registration and resolution service (the protocol a WINS, or Windows Internet Naming Service, server speaks), and unnecessary on most home machines.

* NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service for its broadcasts, and is unnecessary on most home machines.

* Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT, on this port. It is unnecessary on most home machines.

* NetBIOS session service, port 139. This is used for Windows File and Printer Sharing, is unnecessary on most home machines, and is quite risky on any machine connected to the Internet unless the owner knows how to run it securely.

This was identical to the Pro edition.
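The check behind the list above is easy to repeat. The following script is an added example, not code from the article or from Microsoft: it parses the output of `netstat -an` as XP prints it, and reports which of the five services listed above are bound on an address reachable from the network (loopback-only bindings are ignored). The embedded sample output is constructed to match what the review describes; on a real machine, run `netstat -an > ports.txt` and pipe the file in.

```python
"""Audit Windows `netstat -an` output for the default XP listeners.

Added example (not from the article): feed it captured `netstat -an`
output and it reports which of the services the review flags (epmap,
NetBIOS name/datagram/session, SMB over TCP) are bound, and on which
interface address.
"""
import re
from dataclasses import dataclass

# (protocol, port) the review flags, with the review's description of each.
RISKY_PORTS = {
    ("TCP", 135): "DCE endpoint resolution (epmap)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (file and printer sharing)",
    ("TCP", 445): "Microsoft-DS (SMB directly over TCP/IP)",
}

# Constructed sample, modelled on the XP `netstat -an` layout; the
# loopback listener on 1025 is there to show that it is not reported.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

# Proto, local address:port, foreign address, and (TCP only) the state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(text):
    """Return the set of bound sockets: every UDP binding (UDP has no
    state column) and every TCP socket in LISTENING state."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add(Listener(proto, addr, int(port)))
    return found


def audit(text):
    """Map each flagged (proto, port) to the addresses it is bound on.
    A binding is only network-exposed on 0.0.0.0 or a real interface
    address, so loopback-only bindings are dropped."""
    exposed = {}
    for l in parse_listeners(text):
        key = (l.proto, l.port)
        if key in RISKY_PORTS and not l.addr.startswith("127."):
            exposed.setdefault(key, set()).add(l.addr)
    return exposed


def report(text):
    """Human-readable findings, one line per exposed flagged port."""
    lines = []
    for key, addrs in sorted(audit(text).items(), key=lambda kv: kv[0][1]):
        proto, port = key
        lines.append(f"{proto}/{port} {RISKY_PORTS[key]}: bound on "
                     f"{', '.join(sorted(addrs))}")
    return lines


if __name__ == "__main__":
    import sys
    src = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(src)) or "none of the flagged ports are exposed")
```

On the sample input the script reports all five ports from the list above and stays silent about the loopback-only listener on 1025, which is the distinction that matters: a service bound only to 127.0.0.1 is not reachable from the Internet, whereas 0.0.0.0 means every interface, including the one facing the modem.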

Furthermore, Error Reporting (which phones home to Microsoft) was enabled; Remote Assistance was enabled; File and Printer Sharing was installed; Client for Microsoft Networks was installed; and QoS Packet Scheduler was installed, just as they were on XP Pro. These are all features that should not be enabled unless they're needed.

Again, the firewall defaulted to providing an exception for Remote Assistance, a great boon to script kiddies. And, as we noted earlier, the firewall, though now enabled by default, is inadequate because it does no egress filtering, which is crucial on Windows: it will block an unsolicited inbound connection, but does nothing about malware already on the box calling out. The WINS settings (the TCP/IP properties tab that controls NetBIOS over TCP/IP) were left at the insecure default of enabling NetBIOS; and DCOM was on.

Data hygiene

If one upgrades an older image, say Win-9x using FAT-32, the XP Home installer will keep your filesystem. But if you do a clean install, as we did, the installer will 'suggest' building your Windows XP system on the journaling NTFS filesystem. As noted previously, we accepted all defaults; but NTFS, like any journaling filesystem, makes data hygiene extremely difficult, and compromises the effectiveness of data wipe utilities significantly. FAT-32 is very much preferable for those who need to ensure selective data destruction.

Worse, the Indexing Service was on by default. The galling thing here is Microsoft's cheerful boilerplate in the configuration dialog: "Allow Indexing Service to index this disk for fast file searching?" it asks. It sounds like a great thing with no downside. In fact, it is a useful thing with a significant downside in terms of data hygiene. The Indexing Service scatters data traces all over the disk; it is a trade-off between convenience and security. Microsoft's chirpy, uncritical encouragement to use it is an example of its security ignorance and feature enchantment.

The default file view in Windows Explorer is wrong for anyone interested in practicing data hygiene. System directories and files are concealed by default. But it is impossible to maintain a tidy system when one can't conveniently see what files are on one's computer.

Services

Here we will mention differences only. Some were disappointing, while others were quite pleasant. Unless noted, our services configuration for XP Pro and XP Home was identical.

In the Services dialog, we found a new hassle: Server, set to Automatic, meaning that it starts at boot and is therefore enabled by default. This gimmick supports file, print, and named-pipe sharing over a network. Again, these are things that should be enabled deliberately, by those who know that they need them, and know how to use them safely.

On a more positive note, Remote Registry was not visible, thankfully; Telnet was not visible, a very good thing; and UPnP Device Host was disabled, another good thing. Otherwise, the configuration was the same. There were many services set either to manual or automatic that should be disabled by default, and enabled only as needed.
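Checking the services the way the review does by hand, in the Services dialog, does not scale past one machine, and the dialog hides the internal names you need for scripting. The script below is an added example, not part of the article: it parses the output of XP's `sc qc <service>` for a list of services (the list is this editor's reading of the review, using the internal names Server = `lanmanserver`, Remote Registry = `RemoteRegistry`, Telnet = `TlntSvr`, UPnP Device Host = `upnphost`, plus SSDP Discovery, Indexing Service and Error Reporting, which the review also objects to), reports each one's start type, and emits the `sc config` line that disables it. The sample `sc qc` output is constructed to reflect what the review found on XP Home: Server automatic, UPnP Device Host disabled.

```python
"""Audit `sc qc` output for services the review says should be off.

Added example, not from the article. On the XP box run, at a cmd
prompt:
  for %s in (lanmanserver RemoteRegistry TlntSvr upnphost SSDPSRV cisvc ERSvc) do sc qc %s
and feed the combined output to this script. Which services to turn
off is this editor's choice based on the review, not Microsoft's.
"""
import re

# Internal service name -> the review's reason for wanting it off.
WANT_DISABLED = {
    "lanmanserver":   "Server: file, print and named-pipe sharing",
    "RemoteRegistry": "Remote Registry",
    "TlntSvr":        "Telnet",
    "upnphost":       "UPnP Device Host",
    "SSDPSRV":        "SSDP Discovery (UPnP)",
    "cisvc":          "Indexing Service",
    "ERSvc":          "Error Reporting (phones home)",
}

# START_TYPE codes as `sc qc` prints them.
START_TYPES = {"2": "AUTO_START", "3": "DEMAND_START", "4": "DISABLED"}

# Constructed sample modelled on XP `sc qc` output. The OpenService
# failure in the middle is what `sc qc` prints for a service that is
# not installed (Telnet was not visible on the Home edition).
SAMPLE_SC = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Server

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : UPnP Device Host

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: cisvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Indexing Service
"""


def parse_start_types(text):
    """Return {service_name: start_type_code} for every SERVICE_NAME
    block in the output. Splitting on the block header first keeps a
    block without a START_TYPE line from swallowing the next block's."""
    result = {}
    for chunk in text.split("SERVICE_NAME:")[1:]:
        name = chunk.split(None, 1)[0]
        m = re.search(r"START_TYPE\s*:\s*(\d+)", chunk)
        if m:
            result[name] = m.group(1)
    return result


def findings(text):
    """One (service, status, remediation) tuple per wanted-off service.
    status is the start type name, 'DISABLED' when already off, or
    'absent' when the service did not appear in the output (not
    installed, or not queried); remediation is None when nothing to do."""
    seen = parse_start_types(text)
    out = []
    for svc in WANT_DISABLED:
        if svc not in seen:
            out.append((svc, "absent", None))
        elif seen[svc] == "4":
            out.append((svc, "DISABLED", None))
        else:
            start = START_TYPES.get(seen[svc], seen[svc])
            # `sc config` requires the space after `start=`.
            out.append((svc, start, f"sc config {svc} start= disabled"))
    return out


def report(text):
    """Readable findings; remediation commands follow a '  ->' marker."""
    lines = []
    for svc, status, fix in findings(text):
        lines.append(f"{svc:<15} {status:<12} {WANT_DISABLED[svc]}")
        if fix:
            lines.append(f"  -> {fix}")
    return lines


if __name__ == "__main__":
    import sys
    src = SAMPLE_SC if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(src)))
```

`sc config ... start= disabled` only changes what happens at the next boot; to stop a running instance now, follow it with `net stop <service>`. Stopping Server in particular will prompt you to stop Computer Browser as well, since it depends on Server, which is exactly the sort of dependency the Services dialog leaves you to discover on your own.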

Odds and ends

As one might expect, SP2 does nothing to address the security tragedy encapsulated in the fact that Windows XP, the first multiuser system for everyday users, can be set up as a single-user system. Indeed, both XP Pro and XP Home almost encourage one to set them up as single-user systems, with everyday work done from an administrator account. There are fundamental security advantages to running a multiuser system, with day-to-day work done from an unprivileged account, and it is a disgrace that Microsoft should fail even to encourage it.

We found that settings for Internet Explorer and Outlook Express were the same as they were on XP Pro, which implies that SP2 may have done nothing to tighten them. There appear to have been no fundamental changes to either client, and one can only substitute Mozilla, or Firefox and Thunderbird, for them.

SP2 does a lot 'under the hood' so to speak, to make Windows more resistant to exploitation, and this is to be commended. However, it does little to address the fundamentally insecure Windows setup, which pretty well trumps the former accomplishment. A simplified and hardened Windows system will be nicely enhanced by SP2. But the average Windows system will not even be touched by this effort: it remains leaky, almost incomprehensible to its owners, except those served by professional admins.

Windows remains too difficult for the average person to administer, and therefore profoundly unsafe on the internet. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.
