Advice by Christopher M. Burry and Steven Chanyi, Avanade
Originally published on August 20. Republished with permission.

Microsoft Windows® XP SP2 amounts to a major "life event" for companies
using the Microsoft Windows platform. The update represents a major step
forward in security, and many organizations will seriously consider it for
several reasons. Those that plan to deploy the update need to understand
several important features. Even those that don't use it still will need to
consider the service pack's impact.
Key Changes with Service Pack 2
Key features and functions in the new service pack include a desktop firewall,
enhancements to Internet Explorer, memory protection, and tools for management
and remote administration.
Firewall, Internet Explorer enhancements block intrusion, infection
The desktop firewall arrives installed and turned on by default, and is
arguably the most significant aspect of the service pack. It tightens device
security on every network, and especially on public ones.
There have been plenty of horror stories about employees using wireless
networks at the airport or café. Most don't realize that File and Printer
Sharing listens on every network interface, not just the office LAN, so anyone
on the same public network who cares to browse the laptop's shares can do so
without the employee's knowledge or consent.
The firewall in Service Pack 2 blocks unsolicited inbound connections according
to the local or group policy in effect; it does not filter outbound traffic at
all. The prompt users see is a security alert raised the first time a program
tries to listen for inbound connections, asking whether to keep blocking it or
to unblock it (administrators can suppress the prompt and decide centrally).
Separate rule sets apply depending on whether the machine is connected to its
domain (Domain profile) or to any other network (Standard profile), so a laptop
can be locked down more tightly away from the office. IT administrators
configure all of this through Group Policy: Service Pack 2 adds roughly 600 new
Group Policy settings, many of them for the firewall, providing a finer degree
of control.
Enhancements to Internet Explorer block pop-up windows and the unprompted
installation of ActiveX controls, two common routes for the inadvertent
download of malicious code such as viruses or spyware. When something is
blocked, the user hears an audible signal and sees an Information Bar message at
the top of the page, from which they can allow pop-ups or the install for that
site.
Memory protection against buffer-overflow exploits
Service Pack 2 should help significantly with attacks that exploit buffer
overflows, which remain one of the most common ways to get arbitrary code
running on a Windows machine. Its memory protection feature, Data Execution
Prevention (DEP), marks stack and heap pages non-executable on processors that
support it in hardware (AMD NX, Intel XD), so an exploit that copies code into
an overflowed buffer and jumps to it faults, and Windows terminates the affected
process instead of running the attacker's code. The program crashes rather than
the system, and that crash is a denial of service against one application: an
inconvenience that's worth the assurance that injected code is not launched and
the device is not further damaged. Two caveats: DEP doesn't stop every overflow
technique (an exploit can still redirect execution into code already loaded in
the process), and by default it protects only Windows system programs and
services; covering all programs means switching boot.ini to /noexecute=OptOut
or AlwaysOn and testing the result.
Several other service pack features strengthen administrative security control.
Internet Explorer has a new Manage Add-ons interface for the add-ons that extend
browser capabilities, such as PDF viewing, so unwanted or crashing ones can be
disabled.
Considerations for Companies that Deploy — and Those that Don't
Whether or not they roll out the update, we're advising clients regarding
aspects of application development and deployment, information distribution and
use, and testing. There are ramifications for activities that companies may
have considered outside the "normal" purview of security.
Application development
We expect a flurry of problems and fixes for off-the-shelf applications. More
important, Service Pack 2 can interfere with remote procedure call (RPC) and
Distributed Component Object Model (DCOM) application architectures. Any
client-side application that listens for network traffic will need to be
explicitly permitted in the firewall rule set, either as a program exception or
as an open port.
The service pack also tightens access at the RPC and DCOM layers themselves.
DCOM now applies machine-wide launch and access permissions that distinguish
local from remote launch and activation, and RPC interfaces refuse
unauthenticated remote calls by default. If remote, unauthenticated access to a
particular application is genuinely required, the software (or the machine's
DCOM and RPC security settings) may have to be revised to provide it, and the
change should be scoped as narrowly as possible.
Whether or not they plan to deploy the update, companies will need to consider
their applications' architecture. Firms that won't use it still need to
consider how application design will impact their end-users or customers who do
implement the service pack. For example, a Web site pop-up request for user
sign-in may be blocked by the user's Internet Explorer configuration.
Infrastructure assessment
The stronger controls built into Service Pack 2 will require IT teams to think
about how they distribute information and how users get it. Are employees
working on the local area network one day, and then wireless the next? How is
information distribution managed?
If an employee has Web and FTP services running on a laptop, the service pack
will block inbound access to both until someone adds firewall exceptions. We
use this extreme example to underscore the importance of an up-to-date
inventory of company assets and their usage, including which machines actually
listen for connections and why. That insight helps IT managers determine
whether the service pack will counter daily operations or improve them.
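The two points above, that any listening program needs an explicit firewall exception and that an inventory of listeners is needed before deployment, can be combined into one pre-upgrade check. The following script is an added example, not code from the original article or from Avanade: it parses the output of `netstat -ano` and `wmic process get ProcessId,ExecutablePath` (both ship with Windows XP Professional), separates third-party listeners from Windows' own components, and drafts the `netsh firewall add allowedprogram` commands and the `path:scope:status:name` entries used by the "Windows Firewall: Define program exceptions" Group Policy setting. The two inputs are constructed samples, and the `LocalSubnet` scope keyword in the policy entries is an assumption to verify against your policy editor.

```python
"""Inventory the programs on an XP host that listen for inbound connections
and draft the Windows Firewall exceptions each will need after SP2.

Added example, not code from the original article or from Avanade. Input is
the text of `netstat -ano` and `wmic process get ProcessId,ExecutablePath`;
the two samples below are constructed, not captured from a real host.
"""
import re

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1812
  TCP    192.168.1.20:1055      10.0.0.5:80            ESTABLISHED     2204
  UDP    0.0.0.0:161            *:*                                    1540
"""

# Constructed sample of `wmic process get ProcessId,ExecutablePath` output.
# wmic prints the requested properties in alphabetical order, so ProcessId is
# the last column; the System process (PID 4) has no image path.
WMIC_SAMPLE = r"""
ExecutablePath                                    ProcessId
                                                  4
C:\WINDOWS\system32\svchost.exe                   948
C:\WINDOWS\system32\inetsrv\inetinfo.exe          1264
C:\WINDOWS\system32\snmp.exe                      1540
C:\Program Files\RealVNC\VNC4\winvnc4.exe         1812
C:\Program Files\Internet Explorer\iexplore.exe   2204
"""

# Windows components whose listeners SP2 covers with its own service
# exceptions (File and Printer Sharing, Remote Desktop, ...) rather than
# per-program entries; flag them for review instead of generating rules.
WINDOWS_COMPONENTS = {"svchost.exe", "lsass.exe", "services.exe", "alg.exe"}


def parse_netstat(text):
    """Map PID -> [(proto, local_host, port)] for every socket that can
    accept inbound traffic: TCP sockets in LISTENING state and all UDP
    sockets. Outbound client connections (ESTABLISHED etc.) are skipped."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        host, port = local.rsplit(":", 1)
        listeners.setdefault(pid, []).append((proto, host, int(port)))
    return listeners


def parse_wmic(text):
    """Map PID -> executable path ('' when wmic shows none, e.g. PID 4)."""
    paths = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.*?)\s*(\d+)\s*$", line)
        if m:
            paths[int(m.group(2))] = m.group(1)
    return paths


def plan_exceptions(netstat_text, wmic_text, subnet_only=True):
    """Return (netsh_commands, policy_entries, needs_review).

    netsh_commands: `netsh firewall add allowedprogram` lines for one host.
    policy_entries: the same exceptions in the path:scope:status:name form
                    taken by the 'Define program exceptions' policy setting
                    (the 'LocalSubnet' scope keyword is an assumption).
    needs_review:   listeners that belong to Windows itself.
    """
    listeners = parse_netstat(netstat_text)
    paths = parse_wmic(wmic_text)
    netsh_scope = "scope=SUBNET" if subnet_only else "scope=ALL"
    policy_scope = "LocalSubnet" if subnet_only else "*"
    commands, entries, review = [], [], []
    for pid in sorted(listeners):
        path = paths.get(pid, "")
        exe = path.rsplit("\\", 1)[-1].lower()
        ports = ", ".join(f"{proto}/{port}" for proto, _, port in listeners[pid])
        if not path or exe in WINDOWS_COMPONENTS:
            review.append(f"PID {pid} ({exe or 'System'}): {ports} -- Windows "
                          "component; use the built-in service exception, "
                          "not a program exception")
            continue
        name = exe.rsplit(".", 1)[0]
        commands.append(f'netsh firewall add allowedprogram program="{path}" '
                        f'name="{name}" mode=ENABLE {netsh_scope} profile=ALL')
        entries.append(f"{path}:{policy_scope}:Enabled:{name}")
    return commands, entries, review


if __name__ == "__main__":
    cmds, pol, rev = plan_exceptions(NETSTAT_SAMPLE, WMIC_SAMPLE)
    print("\n".join(cmds + ["policy: " + e for e in pol] + ["REVIEW " + r for r in rev]))
```

On the sample input the script proposes program exceptions for the IIS process (which covers both TCP/21 and TCP/80 with one entry), the SNMP service and the VNC server, ignores the browser's outbound connection, and sends the RPC endpoint mapper and SMB listeners (svchost.exe and the System process) to the review list, since those are handled by the firewall's built-in service exceptions. Restricting exceptions to the local subnet (`scope=SUBNET`) is the default here on purpose: a laptop that needs its shares reachable in the office rarely needs them reachable from an airport network.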
Testing is important for any security update, and Service Pack 2 is no
exception. For companies planning to deploy the service pack, running it on the
company's standard desktop configuration(s) in a test environment will reveal
issues that need to be resolved for successful deployment.
Finally, we advise clients to consider the long-term effects of Service Pack 2.
By blocking some of the major sources of vulnerability outright, Service Pack 2
could eliminate any number of patch-and-recover exercises for specific exploits
and introduce a greater degree of security by default.
Christopher Burry is a Fellow and the Technology Infrastructure practice
director for Avanade, a technology integrator for Microsoft solutions in the
enterprise. Steven Chanyi is a senior systems engineer at Avanade. Comments or
questions can be sent to Chris at the following e-mail address: Christopher.Burry@avanade.com.
View the article at the ComputerWorld website.