Microsoft's Trustworthy Computing Initiative received plenty of potshots last week in the wake of a 200-day delay releasing a patch for the critical ASN.1 vulnerability that affects all supported Windows OSes.
Prior to this latest transgression, though, people were buzzing about the enhanced security features in service pack 2 (SP2) that move Windows XP closer to "secure by default." SP2 is due to be released this summer.
SP2's security technologies include:
- Turning on the Internet Connection Firewall (ICF) by default, closing ports except when they're in use and improving the firewall configuration interface.
- Recompiled core Windows components to make the OS more resilient to malware-induced buffer overruns.
- More secure default settings in Outlook Express and Windows Messenger.
- Improved Internet Explorer controls and user interfaces to block malicious ActiveX controls and spyware.
"This is a big step toward improving the default security level of a very widely deployed OS," says Jason Chan, a principal security architect for network security provider @stake.
Chan, who is technical leader for the company's Secure Infrastructure Center of Excellence, is particularly interested in improvements in the ICF, which originally was shipped disabled by default. He and others, though, said interoperability could pose a problem.
Another enhancement gaining attention is the restriction of RPC remote anonymous access, which could reduce the number of worms that use RPC to proliferate. Again, compatibility is seen as a potential problem.
"This should increase overall security, but there could be issues with many applications not initially working with ICF, and non-technical users having trouble with ICF configuration," he said. "Also, the fact that ICF can be configured via Active Directory Group Policy (GPO) could be huge for enterprise users looking to roll out a distributed host firewall to users. Previously, this was pretty unwieldy using ICF without GPO support.
"I think organizations will be wise to perform wide and thorough internal compatibility testing as well," Chan advised.