XP Security Features

According to Microsoft, one of the top reasons for upgrading to XP is new security features. These include its Encrypted File System, a built-in firewall, configurable Access Control Lists (ACLs) and Group Policies, and Smart Card support. With the EFS, individual files and folders on NTFS volumes can be designated with an encryption attribute. When an administrator turns this attribute on, EFS automatically encrypts all new files created in the folder and all plain text files are copied or moved to the folder. As an option, all existing files and subfolders can be designated for encryption. XP includes predefined templates to establish security levels during creation of a resource, applying ACLs and establishing Group Policies. Administrators have the option of accepting the defaults or using any of the thousands of individually configurable security settings.

The biggest XP security news has been the new Internet Connection Firewall (ICF) that works as a packet filter to block unsolicited connections. It does this by using the Network Address Translation (NAT) flow table. It allows incoming data flows only when there is an existing NAT flow table mapping. ICF works only when a computer is part of a work group or is operating as a stand-alone device. If it is operating as part of a domain, the IT administrator sets the protection features. So, should an enterprise rely on the ICF? Probably not. Gartner Group believes that pulling complex application software into operating system software represents a substantial security risk. More lines of code mean more complexity, which means more security bugs. Worse yet, it often means that fixing one security bug will cause one or more new security bugs.

Not surprisingly, it did not take long before the first XP security hole was discovered. Within three weeks of its release, eEye Digital Security, Inc. (Aliso Viejo, California) had already located three major flaws, one of which would let hackers take over a computer at the system level. Although Microsoft quickly released a patch, the FBI's National Infrastructure Protection Center still recommended that users disable XP's Universal Plug and Play features to avoid any problems.

According to Gibson Research Corporation (Laguna Hills, California), ICF only masks the machine from the Internet in order to block inbound packets. Because many worms spread by users clicking on an e-mail attachment, XP would not block spyware or prevent the computer from being used in a denial-of-service attack. XP's built-in firewall, in fact, does not attempt to manage or restrict outbound communications at all; therefore, a good third-party personal firewall will still be necessary to manage and control outbound connections from a system.

To adequately protect the network, then, a third-party software or hardware firewall is an absolute must in any enterprise. The XP firewall feature is worth using on laptops or home computers that do not have an enterprise-strength version already installed, but mobile users can achieve far greater security by installing any of several products on the market. One of the better ones is McAfee Personal Firewall ($29.95 for a one-year subscription) from McAfee.com Corporation (Sunnyvale, California; www.mcafee.com).