I decided to download and browse through the Service Pack 2 release data from Microsoft (located here). I was mostly looking forward to seeing a few things, and was wondering what other work went into this much-hyped release. I found that I was both pleased and disappointed, and I figured I would highlight some of the new additions coming to XP and give my opinion on each one I highlight. This will probably be boring to most people, but for anyone who really likes to get to know what's under the hood of closed-source software, this is a really educational read. If anyone has anything to add, or if anyone who's been a part of the work done can disclose anything, feel free to chime in.
Disabled Services
This will come as a welcome addition to those of you who like to turn off services. The Messenger and Alerter services are now turned off by default and disabled. The reason for this is, of course, because these services have open ports to the OS that can theoretically be exploited, but we all know they have been taken advantage of by spammers. The down side to this is that any program that has been written to take advantage of these services will no longer be able to do so (unless you go in and manually turn them on... too much trouble, IMO). There are fewer programs out now that do so, which mitigates the down side of this some, but the issue still exists. For anyone who still uses such services or works for a group that develops with those two services as a possible use, be sure to scratch them both off the list.
Bluetooth Support
With the growing interest in wi-fi, bluetooth has kinda taken a backseat, but there are still plenty of devices that use the protocol out on the market. XP has always needed a 3rd party driver to handle such devices, but not after SP2. It won't replace any driver you currently have installed, but for those of you who come across a bluetooth device after SP2, you can expect full support. Great for people who love plugging multiple toys into their desktop.
Enhanced DCOM Security
Considering DCOM is platform independent, this security enhancement (best to read the doc for the details) will tighten the permissions attributed to COM objects run on a machine. Since everyone here remembers the Blaster worm and its variants, it's pretty clear how weak DCOM object handling can compromise a machine.
Improved Remote Protocol
Now, the better-secured RPC is part of this, but I mainly want to focus on the Remote Desktop Protocol. I've fallen in love with it, and it's damn nice to see it tightened down a little more on the OS side (never heard of any exploits except brute-force password guessing). This is going to make my life loads easier, if all works out, with regard to taking care of some of my clients remotely, not to mention safely accessing my own machines when I'm out on the road.
Windows Firewall
Finally! It's on by default! Not to mention that it's seen some improvement, like the boot-time operation. Even though Windows loads services in a manner that is mostly secure, there's still a (very small) chance that an opening in your protection can occur between the network stack coming up and the firewall starting. With the more popular 3rd-party security software, this is mostly not an issue. It's about damn time Windows started enforcing this on an OS level; 3rd parties are nice, but if you want something done right...
Also, the firewall policies now have global configurations, where pre-SP2 ICF had policies on a per-interface basis only. Since I switch my laptop between wireless and wired and in many different networks, this kicks ass for me. One can still use per-interface policies, but on any interface where a policy hasn't been specified, the global policy of protection will apply. On top of that, I can set my business clients up with a policy for when they're at the office and one for when they take their laptops home. Exception list configuration has been updated, which makes it easier to get applications communicating more consistently. Oh, and did I mention that there's gonna be command-line support for it, as well?
Local Subnet Restriction
Even with a NAT handling all internet traffic, I've always been leery of opening ports that are only meant for local addresses. With SP2, I can now restrict an opened port to the local subnet only. This only applies to plug-and-play devices and some server-client programs for me, but this option is nice to have for later. In addition, all of these networking features have IPv6 and IPv4 support. Heck, I don't even use IPv6, so it's nice to know that IPv4 is supported.
Group Policy Additions
Once again, not really falling into the "big, fat deal" category for typical end users, but for the businesses where I have AD and Group Policies in place, it gives me a little more flexibility. For a full list of options check this out, but some significant ones listed in the doc:
- Operational mode (On, On with no exceptions, Off)
- Allowed Programs on the exceptions list
- Opened static ports
- ICMP settings
- Enable RPC and DCOM
- Enable File and Printer Sharing
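As an added example (not from the original post, and not Microsoft's own documentation), here is what the firewall setup described in the Windows Firewall, Local Subnet Restriction and Group Policy sections above looks like from the new command-line interface: firewall on in both profiles, Remote Desktop and a custom service reachable from the local subnet only, and file sharing turned off when the laptop leaves the office. The syntax is assumed to be the XP SP2 `netsh firewall` context; the port number 5000 is a constructed value.

```batch
@echo off
rem Added example of the XP SP2 "netsh firewall" context (assumed syntax,
rem check "netsh firewall ?" on a real SP2 box before relying on it).

rem 1. Firewall on, exceptions allowed, for both profiles:
rem    DOMAIN   = machine can see its AD domain (laptop at the office)
rem    STANDARD = everywhere else (laptop at home, hotel, coffee shop)
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=STANDARD

rem 2. Remote Desktop: allowed, but only from the local subnet (scope=SUBNET),
rem    so a NAT mistake or an unknown network never exposes it to the internet.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem 3. File and Printer Sharing: fine inside the office subnet, off when roaming.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=STANDARD

rem 4. A custom server-client program on TCP 5000 (constructed port number),
rem    again restricted to the local subnet; this is the "opened static port"
rem    item from the Group Policy list.
netsh firewall add portopening protocol=TCP port=5000 name="LAN app" mode=ENABLE scope=SUBNET profile=ALL

rem 5. Don't answer pings (ICMP type 8, echo request) while away from the office.
netsh firewall set icmpsetting type=8 mode=DISABLE profile=STANDARD

rem 6. Review: "show config" is what you asked for, "show state" is what is
rem    actually open right now, which is the one to check after a policy change.
netsh firewall show config
netsh firewall show state
```

The same six settings are the ones the Group Policy template exposes, so once the domain policy is in place the `show state` output is the quick way to confirm the policy actually landed on a client.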
Execution Protection
Awesome. One of those IADT (it's about damn time) deals. I can't really put it better than they did in the doc:
Execution protection (also known as NX, or no execute) marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. Execution protection mitigates this by intercepting these attempts and raising an exception.
Execution protection relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. Execution protection functions on a per-virtual memory page basis, most often changing a bit in the page table entry (PTE) to mark the memory page.
I can't wait to see how this pans out. The 64-bit version looks better than the 32-bit one.
Safer E-mail Handling
This has more to do with having defaults set to safe, and handling HTML a little better, but it's damn nice to see (IADT).
AES API Integration in Outlook Express
Hmmm... I could swear I've seen this before? Maybe in Outlook 2003? Great idea, though.
Internet Explorer Browsing Features
Popup blocking, trusted publisher, and other similar features are very welcome additions to IE. I currently use Avant Browser, which uses the IE engine, but has loads more features. The additions in SP2 help it catch up... some.
Other than that, patch management, maintenance, and the updated installer (something I find interesting) are the other parts of the service pack. Not a whole lot I can go into that would be any different from the document.
I'm disappointed that concurrent sessions isn't included in the list, and I really wish they had thrown that in, as well. We know they can do it, I just can't figure out (a good reason) why. It kinda ticks me off.
Maybe in SP3?