Understanding the future security of Windows SP2

[R0n1n]

I`m glad to hear that they are moving in the right direction, or at least one possible right direction. Windows is always going to be bashed about, partly due to users experience with it and partly because they are in the spotlight so much.

As for the features, any improvement over the current internet firewall would be good, I half expected MS to buy Zonelabs or something....IE security enhancements, well pop up blockers are nice, as is the abiltiy to manages 3rd party plugins, but aren`t most of IE's problem IE based? And the rest all look like useful additions.

Although I believe that MS's decision not to release patches has nothing to do with the threat of a lawsuit (to the best of my knowledge no such lawsuit has ever materialised) and is more to do with the business of PR, if you hold of telling anyone about the bug until you have a patch (or nearly have a patch) then you look far better in the eyes of the masses.

In fact, MS's reaction to security is again a PR exercise, and this is where I still think the problem lays, they provide security now due to the bad press they have received in the past couple of years regarding Windows security. There are now several viable alternatives to Windows, so its time to address the security issues and start making a stand. Security is however still not in the culture at MS due to the fact that they are forever bolting security on to an OS that is inherently unsecure (that was a rallying cry to every OpenBSD fan..).

What i would like to see in the future is an OS where security is an integral part, how about Windows Server editions having mandatory access controls in place and behave more like the secure computing platforms (i.e. B Level operating systems). Oh, and do we now have the trusted computing platform to look forward to.....

[pooh sun tzu]

In fact, MS's reaction to security is again a PR exercise, and this is where I still think the problem lays, they provide security now due to the bad press they have received in the past couple of years regarding Windows security. There are now several viable alternatives to Windows, so its time to address the security issues and start making a stand. Security is however still not in the culture at MS due to the fact that they are forever bolting security on to an OS that is inherently unsecure (that was a rallying cry to every OpenBSD fan..).

Very solid point, and never thought of it that way before in terms of PR being a primary variable. Microsoft may now take a stand because their userbase is slowly catching onto the important of security beyond the call of duty. And I am a flaming OBSD user.

What i would like to see in the future is an OS where security is an integral part, how about Windows Server editions having mandatory access controls in place and behave more like the secure computing platforms (i.e. B Level operating systems). Oh, and do we now have the trusted computing platform to look forward to.....

Then you are going to adore Longhorn release (minus the palladium chip, if they *force it*). It's going to have the base benifits of SP2 release, of course, but with a direct focus towards the auditing process of OBSD. No documentation to prove that, just inside source gossip. Longhorn is going to be a massive leap in terms of security (yes yes, so maybe I've used Longhorn release 4051) and default security. The dream you seek, may be viable in many distrobutions in the future, which will most certainly be including Microsoft Windows this time around.

Good reply Thanks for your comments.

[tabich]

This may be all well and good for home users, which will make life a bit better for the rest of us that actually have a clue, but ,How does this help me do my job? Seems to me that it just makes it more dificult.

Having a choice of firewalls and Antivirus due to fair competition is a good thing, will Microsofts, security "improvements" trully be improvements, or have they just decided that they don't like currently available antivirus and firewalls becuase they don't make any money off them, and are going to force those producers out of business by using unfair competition pratices. The availability of these functions internal to windows is a mixed blessing.

Do I have to add even more complexity to our Group Policy's to FIX the problems created by this, and by doing so add more opportunity for someone in IT to make bad mistakes?

Does it BREAK Outlook's connection to Exchange servers like Internet Connection Firewall currently in XP does? Can you disable the built Antivirus?

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

Applications run by a good number of our scientists and engineers require the ability to turn off AV software for certain functionality to work. Matlab for instance.

Seems like all this does for me is make my job harder.

[RoadClosed]

I will ask one thing: PZT, where you getting the SP before release? You on beta testing or something?

MS Mittens, in addition to what Poo has mentions, Microsoft Technet Plus subscription comes with all beta licensed software in current betta construction along with all resource kits etc... Love it. I didn't mention it in the other thread but I am typing this on service pack2. In fact I was looking for the antivirus stuff that was supposed to ship buut then got bored with it.

I have given a few plugs for Technet because it's a valuable tool asset to windows administrators and engineers.

[pooh sun tzu]

Home users? If you are a network admin and you can't realise how this helps easily scale controlled networking abilities.....

Having a choice of firewalls and Antivirus due to fair competition is a good thing, will Microsofts, security "improvements" trully be improvements, or have they just decided that they don't like currently available antivirus and firewalls becuase they don't make any money off them, and are going to force those producers out of business by using unfair competition pratices. The availability of these functions internal to windows is a mixed blessing.

Since the firewall is able to be turned off, don't see the problem.

Do I have to add even more complexity to our Group Policy's to FIX the problems created by this, and by doing so add more opportunity for someone in IT to make bad mistakes?

No.

Does it BREAK Outlook's connection to Exchange servers like Internet Connection Firewall currently in XP does? Can you disable the built Antivirus?

No it doesn't break outlook. And did you read the article? Because I specifically said Antivirus software was not going to be included in sp2

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

So keep the configuration and use the firewall ruleset configuration to allow full access to exchange. Yes, this means read the parent post completely.

Applications run by a good number of our scientists and engineers require the ability to turn off AV software for certain functionality to work. Matlab for instance.

All of these new features (if you viewed the images) can be turned off.

Seems like all this does for me is make my job harder.

That is because you are misinformed, and didn't read the whitepaper

[lessthanzero]

Has anyone examined the hardware-linked security features (NX or execution protection I believe they're calling it...) introduced with sp2?

I cannot help but correlate this with the TCG platform. Sure, there's no "Fritz" chip or encrypted cpu instructions (well, maybe there is...isn't the CPU responsible for NX?), but isn't sp2 a step in that direction? Certainly MS is looking at this from the tortoises' view- slow and steady wins the race- rather than attempting to pearl harbor their user base with TCG all at once.

What does everyone think?


Pooh: does the beta sp2 version have a EULA? I wouldn't mind reading through it if so...or if you could point out any relevant parts i'd appreciate it.

Cheers,
<0

[pooh sun tzu]

Has anyone examined the hardware-linked security features (NX or execution protection I believe they're calling it...) introduced with sp2?

Very little has been changed in the hardware part of SP2, but it does have beginning structures for the Intel anti-bufferoverflow chip.

What does everyone think?

I think it may not be, or it may be a step in that direction. For now, it's SP2 and not Longhorn, and thus I don't see it getting near Palladium. I also don't see them *forcing* palladium. And even then, since I only run legit software, I don't have anything to worry about.

I'll get the white paper, edit this post, and give you some actual documentation on what SP2 will be doing and fowarding to.

SP2 information links:

Deep, deep review into the components of SP2 :
http://www.winsupersite.com/reviews/...2_preview2.asp

The official Whitepaper :
http://www.microsoft.com/downloads/d...DisplayLang=en

Pooh: does the beta sp2 version have a EULA? I wouldn't mind reading through it if so...or if you could point out any relevant parts i'd appreciate it.

I'll include the EULA attachment to the sp pack here, and thanks for your comments

[mohaughn]

Just look at those leaked sorce codes, you can see that there programmers don't have a clue on what there doing. I mean what sort of company would let there programmers right sorce codes, for an important product and let them leaves lines such as (this goes here, well not to sure on that.)

Have you never seen how almost all AMD and Intel chips have hidden messages incribed into them? I would venture to guess that almost 95% of the code out there has messages and other "easter eggs" hidden in it.

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

This is true of all firewalls, so it is not an issue that is isolated to ICF. This is an issue with all firewalls because in exchange when you first connect to the endpoint mapper on port 135 exchange tells the client which ports it is going to use to continue communicating. These ports are usually in the range of 1024 and higher. Exchange does this so that it can have an unlimited of connections at the same time, and not have conflicts between clients. This issue is pretty much resolved by using RPC over HTTP in exchange 2003. Well, it would be resolved if your firewall allows all port80 packets to reach the workstation. If not, the problem still exists.

[pooh sun tzu]

And if he would have read the article instead of skimming it (obvious), he would have noticed the ruleset configurations can be fined tuned for exchange servers, or any other service.

[MrLinus]

MS Mittens, in addition to what Poo has mentions, Microsoft Technet Plus subscription comes with all beta licensed software in current betta construction along with all resource kits etc...

I remember TechNet Plus subscriptions when I got it as part of being an MCSE NT. *bah* I wasn't interested in paying for well over $1000CDN for certs and then an additional $1000+ CDN for TechNet on the maybe chance I'd be using it somewhat... Eh. I miss it sometimes but not that much.

Hey Pooh, Check it out. I never understand this. MS is in the process of releasing what looks like a decent SP and then the PR department opens it's yap and, IMHO, makes MS look like idiots!