SP2 on XP Home
Security opportunities missed
Review Our previous article on the security disappointments of SP2 drew considerable criticism because we cited very poor service to the security needs of home users, although we tested it on XP Pro. In fairness, we felt it reasonable to repeat the procedure on XP Home, and note any differences.
As before, we evaluated SP2 on a single test machine, following a clean install of XP Home with no configuration changes and no third-party software, additional applications, or drivers. We installed XP with the NTFS file system, choosing all of the factory defaults and obeying all prompts, then patched it with each recommended security update including SP1 before installing SP2, to be certain we didn't miss anything.
According to netstat, our machine had the following services listening by default:
* DCE endpoint resolution (epmap), port 135. This is basically the UNIX/BSD/Linux portmap daemon, and unnecessary on most home machines.
* NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on most home machines.
* NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service, and is unnecessary on most home machines.
* Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT by using this service, which is unnecessary on most home machines.
* NetBIOS Session, port 139. This is used for Windows File and Printer Sharing, unnecessary on most home machines, and quite risky on any machine connected to the Internet unless the owner knows how to run it securely.
This was identical to the Pro edition.
Furthermore, Error Reporting (which phones home to Microsoft), was enabled; Remote Assistance was enabled; file and printer sharing were installed; Client for Microsoft Networks was installed; and QoS Packet Scheduling was installed, just as they were on XP Pro. These are all features that should not be enabled unless they're needed.
Again, the firewall defaulted to providing an exception for Remote Assistance, a great boon to script kiddies. And, as we noted earlier, the firewall, though now enabled by default, is inadequate due to its lack of egress filtering, which is crucial on Windows. The WINS settings were insecure, meant to enable NetBIOS; and DCOM was on.
If one upgrades an older image, say Win-9x using FAT-32, the XP Home installer will keep your filesystem. But if you do a clean install, as we did, the installer will 'suggest' building your Windows XP system on the journaling NTFS filesystem. As noted previously, we accepted all defaults; but NTFS, like any journaling filesystem, makes data hygiene extremely difficult, and compromises the effectiveness of data wipe utilities significantly. FAT-32 is very much preferable for those who need to ensure selective data destruction.
Worse, the Indexing Service was on by default. The galling thing here is Microsoft's cheerful boilerplate in the configuration dialog: "Allow Indexing Service to index this disk for fast file searching?" it asks. It sounds like a great thing with no downside. In fact, it is a useful thing with a significant downside in terms of data hygiene. The Indexing Service scatters data traces all over the disk; it is a trade-off between convenience and security. Microsoft's chirpy, uncritical encouragement to use it is an example of its security ignorance and feature enchantment.
The default file view in Windows Explorer is wrong for anyone interested in practicing data hygiene. System directories and files are concealed by default. But it is impossible to maintain a tidy system when one can't conveniently see what files are on one's computer.
Here we will mention differences only. Some were disappointing, while others were quite pleasant. Unless noted, our services configuration for XP Pro and XP Home were identical.
In the Services dialog, we found a new hassle: Server, set to automatic, meaning that it is enabled by default. This gimmick supports file, print, and named-pipe sharing over a network. Again, these are things that should be enabled deliberately, by those who know that they need them, and know how to use them safely.
On a more positive note, Remote Registry was not visible, thankfully; Telnet was not visible, a very good thing; and UPnP Device Host was disabled, another good thing. Otherwise, the configuration was the same. There were many services set either to manual or automatic that should be disabled by default, and enabled only as needed.
Odds and ends
As one might expect, SP2 does nothing to address the security tragedy encapsulated in the fact that Windows XP, the first multiuser system for everyday users, can be set up as a single user system. Indeed, Both XP Pro and XP Home almost encourage one to set them up as single user systems. There are fundamental security advantages to running a multiuser system, and it is a disgrace that Microsoft should fail even to encourage it.
We found that settings for Internet Explorer and Outlook Express were the same as they were on XP Pro, which implies that SP2 may have done nothing to tighten them. There appear have been no fundamental changes to either client, and one can only substitute Mozilla, or Firefox and Thunderbird, for them.
SP2 does a lot 'under the hood' so to speak, to make Windows more resistant to exploitation, and this is to be commended. However, it does little to address the fundamentally insecure Windows setup, which pretty well trumps the former accomplishment. A simplified and hardened Windows system will be nicely enhanced by SP2. But the average Windows system will not even be touched by this effort: it remains leaky, almost incomprehensible to its owners, except those served by professional admins.
Windows remains too difficult for the average person to administer, and therefore profoundly unsafe on the internet. ®
Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.
WinXP SP2 = security placebo?
Reg readers sabotage their Windows boxes
Windows XP SP2 features security crater - report
XP SP2 über patch already needs fixing
200 apps clash with XP SP2
WinXP SP2: stop moaning and get downloading