The event, in a friendly Parnell café, was Microsoft’s opportunity to tell the assembled journos — again — that they really are taking security seriously. The company confirmed reports last week that XP service pack 2 will enable the built-in firewall and introduce stricter controls over internet content in Internet Explorer and Outlook Express, but added other details.
First, the good news: the changes in XP service pack 2 will also be released in a service pack for Windows 2000. My earlier column was based on an MSDN technote that referred only to changes in XP, and I thought the company would rather encourage W2K users to upgrade their systems than roll out another service pack. Not so.
Even users running XP or non-Microsoft systems should be pleased to hear that W2K machines will get the security tune-up. Viruses such as Blaster and SQL Slammer consume indecent quantities of bandwidth and CPU time as networks struggle to deal with the worms’ attempts to spread themselves. An Outlook Express virus doesn’t care if names in an address book correspond with a Windows user — everybody will receive an innocuous-looking email and its malicious payload anyway. Making Windows 2000 machines less susceptible to attack will make networks and mailboxes a little more useable for all of us.
Don’t expect Windows 95, 98 or Me machines to get such a fundamental security makeover, however, as the new security measures will work only in systems with the NT kernel. That’s not surprising, but the onus remains on Microsoft to patch those machines as new security holes are discovered.
Last week we speculated that the next service pack would include changes to Microsoft’s patching system. This was confirmed by Microsoft’s Terry Allen, who says the new system will use one installer for patching the operating system and one for patching all applications. The company will also try to reduce the size of patches and require fewer restarts when patches are installed, he says.
Microsoft will also switch from weekly patch releases to a monthly cycle. We doubt how sustainable that is, given Microsoft’s own figures about the steady reduction in time between release of a patch and exploit attempts. Allen says time-critical patches will still be released as soon as possible.
The company has apparently also found a way to mitigate the effects of buffer overflow. Allen says he’s not aware of the technical details, but agrees it may indicate a change in user permissions.
Windows servers will also "inspect" machines when they are added to a network, and deny access to machines that are not fully patched or are otherwise questionable — Allen describes inspection as “building fundamental paranoia into servers”. It’s a worthwhile measure, since the most common source of corporate infections is from portable computers that join a network from behind the firewall, but we’re not sure what effect it will have in practice. Computers that fail inspection and are “quarantined” might be denied log-on access to the Windows network, but they’ll still be able to "see" local machines. We hope also that it doesn’t make it harder to add non-Windows computers to a network.
So what’s the downside? Not much; these changes are overdue, but it would be churlish not to welcome them. However, the new service packs aren’t expected until about May next year, leaving plenty of time for some serious new malware to be released. The truth is that we’ve been lucky so far that most viruses haven’t had a more malicious intent, and that data loss or theft hasn’t been more widespread.
And, of course, these changes aren’t a panacea, a fact Microsoft is happy to admit. Crackers will find ways into the "hardened" versions of Windows also. Microsoft knows we’ll all be watching how it reacts.