Understanding the future security of Windows SP2

[pooh sun tzu]

Greetings,

Recently there was a large topic debating Microsoft's soon-to-be released SP2 patch, which would include many security fixes, changes to the OS, and build in functionality such as firewall configurability. The time has come to put things to rest, and show a few people what SP2 will be doing to help make Windows XP an amazingly secure box with the tools to do it already at your fingertips, while giving a glimps into how secure Longhorn release will be. Dedicated to helping the community see windows security in a fresh light, I became a beta tester for the SP2 release. Bare with me, have patience, and smile at least once during this. Remember, this does not speak of all the security updates and fixes, but it focuses on the primary ones that people are most concerned about. It is time, perhaps, to begin respecting Microsoft's strides to improve the security of it's distrobutions.


Internet Connection Firewall

On by default. What once was a horrible use of firewall technology, has sprung up to the level near ZoneAlarm Pro. This is a huge upgrade in terms of enhanced and maintained security. The ability for Windows to be able to protect itself by default on this level means people will start have to look for different Windows jokes, as the security ones may be phased out and invalid very soon.

- It has it's own specific icon on the Control Panel for much easier access to new users

Control Panel Icon -

- Default *quick* settings. It allows you to run the fire wall on with your configurations, with total lockdown configurations, or even the ability to still turn it off completely.

Firewall Main Settings -

- It has advanced firewall ruleset handling and configuration. Making rule exceptions for protocol, port, or program exe name based (or all combined), we can see the possibilities avalaible to this builtin firewall.

Ruleset Control -

- Profile based settings for multiple connections, save settings to a profile for multiple NIC handling. Windows will also notify you when a program tries to access the internet that is not listed on the ruleset.

Profile Control -

- Logging options. Moderate ability to log all illegal firewall activity, as well as log legal activity to a logfile.

Logfile Control -

- ICMP control settings to fine tune how you want ICMP handled.

ICMP Control -


Internet Explorer Security Enhancements

IE now comes with quite a few features to make browsing much more enjoyable and secure. While the plugin feature is common place in other browsers, don't forget to merely be happy that they did finally put it in IE.

- Pop up window blocking! Built in, and with settings that look strikingly similar to Firebird. Wildcards allowed as well.

IE Popup Control -

- You can now manage add on's, plug-ins, and features built into IE from 3rd part software not directly related to the IE software.

IE plugin management -


Outlook Express Security Enhancements

While not overhauled, they have added vital features for Outlook Express in a sense of worm and virus handling. From automatically letting you know when something is taking advantage of your Outlook, as well as the "Block images" selection now to prevent email hijacking. Activated by default, and even though a small feature, it should prove usefull to normal users.

- Quite a few new features, just look at the image.

Outlook Security panel -


Windows Update Security and Management

Another update that isn't large, but useful. More compact, easier to understand and use, the Windows Update process has been cleaned up quite a bit.

- Windows update is now handled differently, with more security and configuration in mind than before. With more choices and information up front, it is easier for admins to decide what patches they want, while allowing uber geeks to learn exactally what the patches do.

Windows Update Control -

- Much cleaner and easier to understand dialogs

Dialog boxes and interface -


Automatic Update Settings

Some hate Automatic updates because they want to see what is going on, and not have them automatically installed. Worry no longer.

- Automatic update has been given a slight overhall to give the adminitrators more control over what is downloaded, when, why, and the choice to install or be reviewed first.

Automatic Update Control -



And there you have it. I hope you are looking foward to the official SP2 release as much as I am. This will be a huge milestone for Microsoft, in which they finally figure out the balance between usability, configurability, and security. I wish you all a wonderful day, and may the Tao bring great things upon your path today!

regards,
Pooh Sun Tzu


PS: SP2 will NOT be including any sort of AV software built in. Microsoft tried it, but are far from satisfied with what they want to do with it.

[.:front2back:.]

Interesting read that was, although it still doesn't convince me that Microsoft is any better. Just give it time, and there will be another patch for another Vulnebility..
It seems that no matte what they do, there always seem's to be something not quite right with Microsoft products, it's a label with a huge problem. And to be honest i really don't see this improving anytime soon.
Just look at those leaked sorce codes, you can see that there programmers don't have a clue on what there doing. I mean what sort of company would let there programmers right sorce codes, for an important product and let them leaves lines such as (this goes here, well not to sure on that.)
Now how is that meant to convince the public that Microsoft can be trusted, that you can use there Products and not be worried that your box might get infected? Your server won't get taken down due to a Vulnebility?
How can they say that, just look at some of the statistics on the thread that MemorY made, how are the general public meant to trust microsoft? Well i know that i don't, infact i wouldn't trust them with my children.
It just seems that they seem to make one mistake to many, and i can see that in the near future Microsoft will be nothing.

well that's just my 2 cents

cheers
.:front2back:.

[pooh sun tzu]

Front, have you ever read bugtraq? Ever searched for a *nix security exploit?

*nix has just as many security problems as windows, and patches are made for both. You can not critisize windows for creating patches to HELP security, while Linux does the exact same thing.

You are, however, correct. Microsoft is not any better. Windows and Linux are 100% equal so long as you take the time to learn both.

The leaked source code was incomplete and the beta release of 2000. I don't expect it to be solid code yet. You also can not confirm that it was 100% Microsoft and not tampered for fun by the distrobutor.

And in the same sense, since Linux is opensource... would you dare say that they would suddenly be open to massive bugs and exploits? Open source makes little difference in terms of open exploiting.

MemoryY's thread is also biased, and uses statisics like good old CNN, only to their benifit rather than show both full sides of the story, of both topics.

How can we trust MS? I want to see you crack my box. Enough said. I honestly don't think you understand programming, Microsoft, or how the OS world works as a whole.

[MrLinus]

It'll be interesting to see and personally I won't pass judgement until it's in production and running. I've seen some ugly Service Packs released (I remember SP6 and Lotus Notes -- UGH!). I think one can honestly say that at least they are addressing the issues rather than ignoring them -- and that in itself is a big step up for MS. They have kept to that promise of putting security first.

While I'm personally happy on Linux I still muck around in WinXP at work. And it still is out there. In some ways, I'm sorta sad that MS is doing all this. Now I can't say to my students when an MS product doesn't work "Just remember.. as long as they maintain it like this, you'll be employed".

I will ask one thing: PZT, where you getting the SP before release? You on beta testing or something?

[pooh sun tzu]

Well put Ms Are the images working fine? Testing the new ruleset and making sure I properly configured that firewall. And yes, I am on the Microsoft Beta Testing Team.

[MrLinus]

Ah.. so your sorta as biased as Memory then? And yes, the images seem to be working fine.

[pooh sun tzu]

Not, not biased at all, truthfully. Just because I am on the beta testing team does not mean I hold Microsoft in higher regards. I am also a faithful assistant to bugzilla on many projects, as well as a lover of the bugtraq mailing list. You can't confuse an eagerness to learn with zealotry

I always see Microsoft and Linux as 100% similar in terms of "Getting it to do what you want to do". Methods are different, but both can accomplish the same. This does mean, I can grow excited for both when one or the other acheives something special. Be it Gentoo finally reaching a solid, unmasked package, or Windows XP SP2 fixing a ton of security concerns.

As a matter of fact, my entire opinion regarding zealotry, and hate towards any OS is well defined and discussed in my tutorial:

http://www.antionline.com/showthread...hreadid=254589

Solo as it may be, there you have it.

[owensleftfoot]

"*nix has just as many security problems as windows, and patches are made for both. You can not critisize windows for creating patches to HELP security, while Linux does the exact same thing."

Linux distros announce any security problem straight away. MS dont even acknowledge most security problems until they have a fix to release.

[pooh sun tzu]

Do you know why? Or did you hear that from someone else?

They fully acknowledge the security holes, but the descision on how to handle them and what information to disclose is a very difficult buisness descision. Linux patches don't have to worry about lawsuits and staying 100% within the limitations of buisness protocol/ethics. Microsoft has a lot to consider when it comes to things like this, and not just themselves. Understanding buisness allows one to see the difference and reason between why Linux can release patches, and then patches of patches, and then patches of those patches, nightly and quickly, versus Microsoft's "hold back information so it can't be exploited by the entire public, solve situation on a coder level, figure out which way to distrubute, calculate side costs to damage or threat to subsidiaries, and then release"


What amazes me though, is that out of the entire post of how Microsoft security is improving, you bypass all of it and focus on a comment I sided out about nix.

[owensleftfoot]

"What amazes me though, is that out of the entire post of how Microsoft security is improving, you bypass all of it and focus on a comment I sided out about nix."

It was the bit that caught my eye