WEB SECURITY ADVISOR
XP SP2's effect on your Web site
Mike Chapple, CISSP
09.08.2004
Rating: -4.20- (out of 5)
|
Last month's XP SP2 rollout was one of the highest-profile software releases yet. Unlike previous service packs and hotfixes, SP2 (justifiably) received lots of media hype. Rapid deployment on a significant portion of XP systems is also expected. What's more, the changes introduced by SP2 may significantly impact your Web site's usability.
XP SP2 introduces a complete shift in the security philosophy of Microsoft: Rather than pursuing the old "find a bug and fix it" strategy of rolling out hotfix, upon hotfix, the software giant has adopted a "lock it down unless you need it" strategy, bringing Windows into compliance with industry best practices.
XP SP2's functionality may impact the way users view your Web site. Given an expected widespread deployment, there are steps you can take to ensure that XP SP2 will minimally impact your Web site users' experience.
Top issues to consider:
- Authenticode and ActiveX controls
Windows IE now blocks the installation of ActiveX controls with invalid signatures by default. While you can override this setting on systems that you administer (for internal applications), you should no longer depend upon Internet users overcoming this issue.
- ActiveX blacklist
Users now have the option to permanently reject all ActiveX installation requests from a particular publisher by selecting "Never install software from 'Publisher,'" when prompted to install a control.
- ActiveX installation blocking
IE now provides an information bar warning users about installing new ActiveX controls. Under the old philosophy, users were presented with a "Yes/No" dialog box, prompting them to install the new software. Now, a browser message states: "To help protect your security, Internet Explorer stopped this site from installing software on your computer. Click here for options..." making it less likely that users will blindly install controls required by your site. However, users will see informational text in place of the control on their screen, which may detract from the visual appeal of your Web site.
- Automatic file download blocking
Users will see a similar prompt (as noted above) if your site pushes software downloads to them (as opposed to downloads that the user initiates through a click or keypress).
- Pop-up blocker
Lastly, IE provides a new built-in pop-up blocker that may (by default) affect the usability of your Web site, unless it's in the user's "Trusted Sites" or Intranet zone.
For more information on the changes in SP2 (and a code snippet that allows you to detect whether a user has SP2 installed), read the MSDN article: "Fine-Tune Your Web Site for Windows XP Service Pack 2" available from Microsoft.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
