Thread: WinXP SP2 = security placebo?

  1. #1
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668

    WinXP SP2 = security placebo?

    Anyone got any thoughts about the following? There are three more pages to the article, which can be found here:
    http://www.theregister.co.uk/2004/09...curity_review/


    Reg Review We evaluated the security features of Windows XP SP2 on a test machine, following a clean install of XP Pro with no configuration changes and no third-party software or drivers installed. We installed XP with the NTFS file system, choosing all of the factory defaults, then patched it with each recommended security update including SP-1 (required), before installing SP2.

    While we found that there are indeed a few minor improvements worthy of acknowledgment, in particular, some rather low-level improvements that don't show to the admin or user, overall, SP2 did little to improve our system's practical security, leaving too many services and networking components enabled, bungling permissions, leaving IE and OE vulnerable to malicious scripts, and installing a packet filter that lacks a capacity for egress filtering.

    The new Security Center utility with its frequent Security Alert popups will certainly give users the impression that SP2 is a security-oriented package, as Microsoft's PR boilerplate promises. However, The Security Center does little beyond warning users that the firewall is disabled, that automatic updating is disabled, or that antivirus software has not been installed. It may look impressive, but the SP2 package fails to provide several of the most important, basic modifications required to run Windows safely on an Internet-connected machine.

    Windows Services
    Microsoft has long enabled a number of services related to networking by default, most of which are unnecessary, even dangerous, on Internet-connected machines, and all of which a competent admin should know well enough to enable as necessary. Turning them on by default is a minor inconvenience to admins, who need to disable what they don't need (but usually know how to go about it), and a major source of trouble for home users, who can't be expected to know what services they do and don't need, or how to harden their systems by disabling superfluous ones.

    SP2 does disable a few Windows services related to networking that have not previously been disabled by default, which certainly is an improvement. Unfortunately, too many services remain. And home users are given short shrift.

    According to netstat, our machine had the following services listening on the Internet by default:

    DCE endpoint resolution (epmap), port 135. This is basically the UNIX/BSD/Linux portmap daemon, and unnecessary on home machines.
    NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on home machines.
    NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service, and is unnecessary on home machines.
    Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT by using this service, which is unnecessary on home machines.
    NetBIOS Session, port 139. This is used for Windows File and Printer Sharing, unnecessary on most home machines, and extremely dangerous on any machine connected to the Internet unless the owner knows how to run it securely.
    Error Reporting is on by default. However, there is no reason why a machine should phone home every time it encounters an error. This is better left disabled.
    Automatic Update is off by default. Microsoft would very much like everyone to enable it, and now urges users to do so every time Windows Update is run manually; but it is never a good idea to let a third party decide what software should be installed on your machine, or when. This service should remain off, and users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system.
    Looking alphabetically at the Services dialog, we encountered the following settings (Note: "manual" means that the service will be started if invoked by a user, an application, or another service, while "automatic" means that it will be started at boot time whether it's needed or not).

    ClipBook (used to store information, cut / paste, and share it among computers) disabled. About time.

    DCOM Server Process Launcher, automatic. The process launcher implies that DCOM is enabled, as indeed it is (more below).

    DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default.

    DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default.

    NetMeeting Remote Desktop Sharing, manual. Unnecessary on most home machines. Should be disabled by default.

    Network DDE, disabled. About time.

    Network DDE DSDM, disabled. About time.

    Remote Access Connection Manager, manual. Unnecessary on most home machines. Should be disabled by default.

    Remote Desktop Help Session Manager, manual. Unnecessary on most home machines. Should be disabled by default.

    Remote Procedure Call (RPC), automatic. This is one of Microsoft's greatest security holes. RPC enables one machine to execute code remotely on another. On UNIX/BSD/Linux, it can be disabled safely. On Windows, it cannot be disabled, as MS has made a plethora of necessary services dependent on it. It's a huge security hole that simply cannot be avoided. It must be blocked by a firewall.

    Remote Registry, automatic (allows remote users to make Registry changes). Unnecessary and dangerous on most home machines. Should be disabled by default, and enabled only as needed.

    Routing and Remote Access, disabled. About time.

    Secondary Logon, automatic (enables starting processes under alternate credentials). Unnecessary on most home machines. Should be disabled by default.

    SSDP Discovery Service (UPnP discovery), manual. Unnecessary on most home machines. Should be disabled by default.

    TCP/IP NetBIOS Helper, automatic (enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution). Unnecessary on most home machines. Should be disabled by default.

    Telnet, manual. Unnecessary on most home machines and company workstations. Extremely insecure. Should be disabled by default. Those foolish enough to use it can enable it.

    Universal Plug and Play Device Host, manual. Unnecessary on most home machines. Should be disabled by default.

    WebClient, automatic (enables Windows-based programs to create, access, and modify Internet-based files). Unnecessary on most home machines. Should be disabled by default.

    Additionally, DCOM (Distributed COM) is enabled by default. It is unnecessary on most home machines, and should be disabled unless needed. It's the component that the Blaster worm exploited to get at RPC.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
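    An added example (not from the Register review or the thread) that turns the review's netstat finding into a repeatable check: it parses `netstat -an` output in the Windows format, looks for the five ports the review lists, and reports only sockets bound to a non-loopback address, since a socket on 127.0.0.1 is not reachable from the Internet. The netstat text embedded below is constructed sample output, not a real capture.

```python
import re

# Ports the review found listening on a default XP SP2 install, with the
# service each carries (names taken from the review's own list).
RISKY_PORTS = {
    ("tcp", 135): "DCE endpoint resolution (epmap)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session (File and Printer Sharing)",
    ("tcp", 445): "Microsoft-ds (SMB over TCP)",
}

# One `netstat -an` line on Windows: proto, local addr:port, foreign addr, [state]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _exposed(local_addr: str) -> bool:
    """True when the socket is bound to something other than loopback."""
    return local_addr not in ("127.0.0.1", "[::1]")


def find_exposed_services(netstat_output: str):
    """Return [(proto, port, service, local_addr)] for risky ports reachable from the network."""
    findings = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or an unrelated format
        proto, local_addr, port, _foreign, state = m.groups()
        proto, port = proto.lower(), int(port)
        # TCP only matters in LISTENING state; UDP shows no state, so any bound socket counts.
        if proto == "tcp" and state != "LISTENING":
            continue
        name = RISKY_PORTS.get((proto, port))
        if name and _exposed(local_addr):
            findings.append((proto, port, name, local_addr))
    return findings


# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      64.233.1.1:80          ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    127.0.0.1:138          *:*
"""

if __name__ == "__main__":
    for proto, port, name, addr in find_exposed_services(SAMPLE_NETSTAT):
        print(f"{proto}/{port} bound to {addr}: {name}")
```

On a live machine, pipe the real `netstat -an` output into `find_exposed_services` instead of the sample; anything reported is a candidate for disabling the service or blocking the port at the firewall, as the review recommends.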

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well, let's see how many years it has been now that I've blocked ports 135, 137, 138, 139, 445. Ohoooo, at least 6 or better years (and most often scanned ports blocked at my firewall), and then moving down the list more spooky stuff. I simply believe that M$ is attempting to position and nudge into two areas it has long not understood: antivirus and firewalls. Why? Well, it becomes part of their OS that makes pretty windows pop up but provides nothing more than really an "Uh oh, my system is hacked, I better buy that next upgrade." I believe this service pack to be nothing more or less than a new revenue $tream for Microsoft. XP Service Pack 2 is a way around their antitrust bounds into areas they do not understand so they can make more money and then defend by saying we cannot remove it from our OS. Bill knows he's in trouble. I'm moving away from their products as fast as I can on a server level and sitting on their old W2K OS on the desktop because that's what the apps we need are written for. Business is not in a hurry and neither should the home user be for Service Pack 2 XP.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  3. #3
    Palemoon, I'm only giving you one chance this time, or I'm not going to bitch about your inability to research, I'm going to neg you for useless flaming.

    Back up your claims, your whining, your assumptions about MS and their future products, or give it up.


    As for the placebo effect. Right. Because their long list of security fixes on a kernel level (no, I will NOT repost the link for the 456th time) was complete bullshit. In fact, downloading those security patches manually is basically just installing a bunch of fake data to your recycle bin that is never used. Pfft. I've got other things to do tonight.

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Pale: On the contrary, I feel that as long as I keep my system updated/patched, firewalled and locked down, and protected against viruses and spyware/adware that I don't need to keep paying for security products/etc from Microsoft. I don't feel they are doing that at all, point blank.

    Because their long list of security fixes on a kernel level (no, I will NOT repost the link for the 456th time) was complete bullshit.
    Yes, it is complete bullshit. Especially to someone who will at least take the time and needed precautions to make sure their system is secure. You are correct, Mr. Sun Tzu
    Space For Rent.. =]

  5. #5
    Oh. Well thanks lol. I was being sarcastic in that sentence you quoted me on, though.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I was being sarcastic in that sentence you quoted me on, though.
    I believe I noted that
    Space For Rent.. =]

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    Originally posted here by pooh sun tzu
    In fact, downloading those security patches manually is basically just installing a bunch of fake data to your recycle bin that is never used. Pfft. I've got other things to do tonight.
    Good thing I never bothered, I just can't risk the 10% chance of breakage; how else am I gonna play Doom 3?
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  8. #8
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    feel that as long as I keep my system updated/patched, firewalled and locked down, and protected against viruses and spyware/adware that I don't need to keep paying for security products/etc from Microsoft. I don't feel they are doing that at all, point blank.
    Ok, so most of us here can lock down our systems, but what about the thousands of computer users out there that have no idea how to use Administrative Tools to shut down un-needed services? Let's face it, most home computers do not need to run DCOM, but they do. Why? Because it is turned on by default and most home users do not have the knowledge. So Blaster and the like became a massive problem.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    jinxy: Oh, I know, and it needs to be taught to them. It should be encouraged (by someone, or even done by someone) to turn off such services that aren't needed (DCOM, lucom, NetBIOS, etc.), otherwise they are susceptible to attack.
    Space For Rent.. =]