IPv6 Features in Windows XP SP2 (PART 1)

Masami Nosaka
Strategic Technology Planning Group, Windows Development
Microsoft Product Development Ltd.




Windows XP Service Pack 2 with Advanced Security Technologies was released to general users in September 2004. The update includes improvements to IPv6-related features. PART 1 gives an overview of the features added or changed in SP2.

Windows XP Service Pack 2 with Advanced Security Technologies, the latest service pack for Windows XP, includes a variety of changes that improve security.

Figure 1 The new service pack adds network-related features in addition to problem fixes.


Windows service packs are normally released as bundles of problem fixes and other patches, not as a vehicle for new features. SP2, however, has security enhancement as one of its main purposes.

SP2 enhances security in three areas:
  1. Network security improvements such as firewall feature enhancements
  2. Security improvements for Internet Explorer, Outlook Express, and others
  3. DEP (Data Execution Protection), a memory protection mechanism that works with the CPU to protect against buffer overruns
This article series covers neither the Internet Explorer and Outlook Express enhancements (2) nor DEP (3). The changes made in networking are as follows.
  • A new firewall called Windows Firewall, an enhanced version of Internet Connection Firewall (ICF)
  • New API sets to control Windows Firewall
  • Security enhancements in DCOM
  • Security enhancements in RPC
  • Integration of Advanced Networking Pack for Windows XP
I will talk about some of these topics in relation to IPv6.


Windows Firewall

Advanced Networking Pack for Windows XP, released last year, offered an IPv6 firewall. Unfortunately, that IPv6 firewall was not integrated with ICF: ICF (IPv4) had a GUI, whereas the Advanced Networking Pack firewall (IPv6) offered only a command-line interface through netsh. SP2 integrates the Advanced Networking Pack IPv6 firewall and the IPv4 firewall at the API level and ships the result under the new name Windows Firewall. Windows Firewall is significantly improved over ICF, and these improvements affect both IPv4 and IPv6 applications in the following ways.

The firewall is enabled on all network interfaces by default.

With SP1 and earlier, the firewall was not enabled by default except in a few cases. Some applications do not work properly under SP2 unless firewall exceptions are configured correctly.

The firewall is always on during OS startup and shutdown.

With SP1 and earlier, there was a small window of unprotected time between network stack startup and the launch of ICF.

The netsh interfaces for the IPv4 firewall and the IPv6 firewall have been integrated and enhanced.

However, this requires changes to IPv6 firewall configuration scripts written for Advanced Networking Pack; they do not work as they are.

The firewall can now be configured with a user-specified network scope.

Users can make a simple scope setting that limits an exception to the subnet the user belongs to. This is very useful when a specific service, such as file sharing, should be reachable only from hosts on the local subnet.

With the firewall enabled by default, you need to configure exceptions for the applications and services you use. The firewall treats outbound and inbound communication differently.

Outbound communication, which occurs when Windows XP SP2 acts as a client and initiates communication with outside hosts, receives stateful filtering. This means that response packets from outside hosts are treated differently depending on the type of the outbound packet (TCP, UDP, ICMP, broadcast or multicast).

For TCP, the firewall allows only response packets with ACK set from the host to which the Windows host requested the session. UDP has no concept of a session, so the firewall allows incoming packets from any IP address for 90 seconds after the request is sent, but only to the same port. For broadcast and multicast requests, unicast response packets are given a window of 3 seconds.

Therefore, in most cases applications are not affected by the new firewalling as long as they act as clients. It may still be necessary to punch holes if the restriction on UDP communication interferes with an application, in the same way as the exception settings for inbound communication explained later.
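The stateful rules above, turned into a small model so the three cases can be compared side by side. This is an added illustration, not Microsoft code; the rules and the 90 s / 3 s windows come from the text, and the addresses and packets are constructed sample data.

```python
# Model of SP2's outbound stateful filtering as the article describes it.
# Added illustration, not Microsoft code: the rules and the 90 s / 3 s windows come
# from the text above; addresses and packets below are constructed sample data.
from collections import namedtuple

UDP_WINDOW = 90.0   # seconds a local UDP port accepts replies after a unicast request
GROUP_WINDOW = 3.0  # seconds unicast replies are accepted after a broadcast/multicast request

Packet = namedtuple("Packet", "proto src dst sport dport ts ack", defaults=(False,))  # ts in s, ack = TCP ACK flag


def is_group(addr: str) -> bool:
    """Broadcast or multicast destination: IPv4 limited broadcast, 224/4, IPv6 ff00::/8."""
    return addr == "255.255.255.255" or addr.startswith("224.") or addr.lower().startswith("ff")


class StatefulFilter:
    def __init__(self) -> None:
        self.tcp = set()  # (local port, remote ip, remote port) of sessions this host opened
        self.udp = {}     # local UDP port -> time until which replies are accepted

    def outbound(self, p: Packet) -> None:
        """Record state for a packet this host sends (p.src is the local address)."""
        if p.proto == "TCP":
            self.tcp.add((p.sport, p.dst, p.dport))
        elif p.proto == "UDP":
            window = GROUP_WINDOW if is_group(p.dst) else UDP_WINDOW
            self.udp[p.sport] = max(self.udp.get(p.sport, 0.0), p.ts + window)

    def inbound(self, p: Packet) -> bool:
        """True if a packet from outside is accepted as a reply to earlier outbound traffic."""
        if p.proto == "TCP":  # only the peer we contacted, and only with ACK set
            return p.ack and (p.dport, p.src, p.sport) in self.tcp
        if p.proto == "UDP":  # any source, but only the port we used and only inside the window
            return p.ts <= self.udp.get(p.dport, -1.0)
        return False          # the text gives no reply window for other protocols, so none is modelled


def demo() -> list:
    fw, me = StatefulFilter(), "192.0.2.10"  # constructed local address
    fw.outbound(Packet("TCP", me, "198.51.100.5", 40000, 80, 0.0))
    fw.outbound(Packet("UDP", me, "198.51.100.53", 50000, 53, 0.0))
    fw.outbound(Packet("UDP", me, "255.255.255.255", 50001, 67, 0.0))
    return [
        fw.inbound(Packet("TCP", "198.51.100.5", me, 80, 40000, 0.1, True)),   # True: reply with ACK
        fw.inbound(Packet("TCP", "198.51.100.5", me, 80, 40000, 0.1, False)),  # False: no ACK
        fw.inbound(Packet("TCP", "203.0.113.9", me, 80, 40000, 0.1, True)),    # False: other host
        fw.inbound(Packet("UDP", "203.0.113.9", me, 53, 50000, 60.0)),         # True: any source within 90 s
        fw.inbound(Packet("UDP", "203.0.113.9", me, 53, 50000, 91.0)),         # False: window expired
        fw.inbound(Packet("UDP", "192.0.2.1", me, 67, 50001, 2.0)),            # True: broadcast reply within 3 s
        fw.inbound(Packet("UDP", "192.0.2.1", me, 67, 50001, 4.0)),            # False: 3 s window elapsed
    ]
```

The fourth case is the one worth noticing: within the 90-second window a UDP port accepts packets from any source, which is why the text says UDP applications may still need an explicit exception.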

On the other hand, when SP2 acts as a server and accepts inbound packets, you need to configure firewall exceptions. In other words, you need to punch holes in the firewall.

SP2 offers several ways to set firewall exceptions. Specifically, the following methods are available.
  • Configuration based on ports and protocols (the same as the previous firewall)
  • Specifying applications: the firewall automatically punches holes for the ports the application uses
  • The two methods above can also be invoked by applications through the APIs offered by SP2. Microsoft recommends that application developers use these APIs.
With the previous firewall, ports and/or protocols had to be specified to punch holes, which was cumbersome for users for the following reasons:
  • For some applications, it is difficult to know which ports they use.
  • Such configuration carries another security risk: because the configured ports must stay open even while the application is not using them or is not running, other applications might accept traffic on the ports opened for the intended application, whether intentionally or by accident.
  • The firewall needs a large exception when an application uses a wide range of ports. Some applications require the firewall to open all ports from 1024 upward, which makes firewalling useless.
PART 2 explains specific ways to punch holes in the new firewall.

