Windows XP Service Pack 2


When Windows XP was shipped, it was built for the threats and risks on the Internet at that time. But then the world changed, and so did the operating system. Although XP Service Pack 2 is merely called a "service pack," there are many changes, enough to arguably call it nearly a new operating system. The reason that administrators have taken time to deploy it is indeed due to these changes and the interaction with line-of-business applications.

The major changes for XP SP2 include the Windows Firewall, Internet Explorer, Outlook Express, Data Execution Prevention, Automatic Updates, and the Security Center. These changes are detailed in the following sections.

Windows Firewall

First and foremost, in Windows XP SP2, the firewall is enabled by default for standalone workstations and when joined to the SBS domain, has minimal ports exposed for optimum network connectivity. The administrator then has two options: Allow the end user to manually add applications exceptions to work through the firewall, or allow the exception via group policy at the server level. Regardless of the choice taken, keep in mind that it is safer to build a firewall exception for the application instead of building a port exception. The reason for this is that if you build a port exception, the port will remain open at all times. If you, instead, build an exception based on the application, when the application is not in use, the opening to the Internet will be closed.

For SBS 2003 SP1, the settings can be found in the Group Policy Management Console under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall.

There are two profiles: one is a Domain profile, and the other is a Standard profile for those times the machine is "off" the domain. The system understands when you are on and off the domain. Everything that is needed to ensure a near fully functioning workstation is prebuilt into the SBS 2003 SP1 platform.

Chapter 20, "Group Policy," covers the key elements of this group policy, but one area needs to be identified here as a potential issue with workstations, and that is antivirus settings. The settings that allow an end user's machine to build its own exceptions are the following:

Windows Firewall: Define Program Exceptions: ENABLED
Windows Firewall: Define Port Exceptions: ENABLED
Windows Firewall: Allow Local Port Exceptions: ENABLED


These settings are detailed in the following three sections.

Windows Firewall: Define Program Exceptions: ENABLED


From the Explanation inside the group policy screen, it states that Define Program Exceptions allows you to view and change the program exceptions list defined by group policy. Windows Firewall uses two program exception lists: One is defined by group policy settings, and the other is defined by the Windows Firewall component in Control Panel.

If you enable this policy setting, you can view and change the program exceptions list defined by group policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the Windows Firewall: Define Port Exceptions policy setting. To view the program list, enable the policy setting, and then click the Show button. To add a program, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a program, click its definition and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the Windows Firewall: Allow Local Program Exceptions policy setting.

If you disable this policy setting, the program exceptions list defined by group policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow Local Program Exceptions policy setting.

The entries that SBS preselects in this screen are

%WINDIR%\PCHealth\HelpCrt\Binaries\Helpctr.exe:*:Enabled:Remote Assistance Windows Messenger and Voice
%WINDIR%\PCHealth\HelpCrt\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:RemoteAssistance

Windows Firewall: Define Port Exceptions: ENABLED


The syntax here is Port:Transport:Scope:Status:Name. Port is a decimal port number, Transport is either TCP or UDP, Scope is either "*" for all networks or a specific list of IP addresses or ranges, Status is Enabled or Disabled, and Name is a free-text label.

In the case of SBS 2003 SP1, it's

135:TCP:*:Enabled:Offer Remote Assistance-Port 


Remember though that it's better to build the exception based on the application name and not the port address.
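The program and port definition strings above follow two fixed layouts, and a typo in one of them silently produces a rule that does nothing, or a port rule that is broader than intended. The following validator is an added example, not code from the book or from Microsoft: it parses both layouts, rejects malformed entries, and flags every enabled port exception, since those stay open at all times while a program exception only opens what the program asks for while it runs. The two SBS defaults come from the text; the "Example AV" entries, the malformed entries, and the comma-separated scope-list syntax are assumptions made for the example.

```python
"""Validate Windows Firewall group policy exception strings (XP SP2 syntax).

Added example. Program entries use path:scope:status:name,
port entries use port:transport:scope:status:name.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The first two strings are the SBS 2003 SP1 defaults quoted in the text;
# the "Example AV" entries and the malformed ones are constructed.
SAMPLE_ENTRIES = [
    r"%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance",
    "135:TCP:*:Enabled:Offer Remote Assistance-Port",
    r"C:\Program Files\Example AV\avagent.exe:localsubnet:Enabled:Example AV agent",
    "5000:UDP:192.168.16.0/24,10.0.0.5:Disabled:Example AV discovery",
    "80:TCP:*:Enabled",           # malformed: name missing
    "notaport:TCP:*:Enabled:x",   # malformed: neither a port nor an .exe path
]


@dataclass
class FirewallException:
    kind: str                 # "program" or "port"
    target: str               # executable path or decimal port
    transport: Optional[str]  # TCP/UDP for port entries, None for program entries
    scope: str
    status: str               # normalised to "enabled"/"disabled"
    name: str

    @property
    def always_open(self) -> bool:
        """An enabled port exception stays open even when nothing is listening;
        a program exception only opens what the program asks for while it runs."""
        return self.kind == "port" and self.status == "enabled"


def _valid_scope(scope: str) -> bool:
    """'*' means all networks; otherwise a comma-separated list of addresses,
    CIDR subnets or the keyword localsubnet (the list syntax is an assumption)."""
    if scope == "*":
        return True
    for part in scope.split(","):
        part = part.strip()
        if part.lower() == "localsubnet":
            continue
        try:
            ipaddress.ip_network(part, strict=False)
        except ValueError:
            return False
    return True


def parse_exception(entry: str) -> FirewallException:
    """Parse one definition string; raises ValueError when it is malformed."""
    if entry.split(":", 1)[0].isdigit():
        fields = entry.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"port exception needs 5 fields: {entry!r}")
        port, transport, scope, status, name = fields
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {port}")
        if transport.upper() not in ("TCP", "UDP"):
            raise ValueError(f"transport must be TCP or UDP: {transport}")
        kind, target, transport = "port", port, transport.upper()
    else:
        # The path itself contains a colon (C:\...), so split from the right;
        # the name is assumed not to contain colons.
        fields = entry.rsplit(":", 3)
        if len(fields) != 4:
            raise ValueError(f"program exception needs 4 fields: {entry!r}")
        path, scope, status, name = fields
        if not path.lower().endswith(".exe"):
            raise ValueError(f"program exception must name an executable: {path}")
        kind, target, transport = "program", path, None
    if not _valid_scope(scope):
        raise ValueError(f"bad scope: {scope}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be Enabled or Disabled: {status}")
    if not name.strip():
        raise ValueError(f"name missing: {entry!r}")
    return FirewallException(kind, target, transport, scope, status.lower(), name)


def audit(entries: List[str]) -> Tuple[List[FirewallException], List[str]]:
    """Parse every entry; return the valid ones and the error messages."""
    parsed, errors = [], []
    for entry in entries:
        try:
            parsed.append(parse_exception(entry))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


if __name__ == "__main__":
    good, bad = audit(SAMPLE_ENTRIES)
    for exc in good:
        flag = "  <- port stays open at all times" if exc.always_open else ""
        print(f"{exc.kind:7} {exc.target:45} {exc.status:8} {exc.name}{flag}")
    for err in bad:
        print("REJECTED:", err)
```

Run it against the strings you intend to paste into the Show dialog before you push the policy; anything reported as "port stays open at all times" is a candidate for rewriting as a program exception.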

Windows Firewall: Allow Local Port Exceptions: ENABLED


From the Explanation in the group policy console:

This setting allows administrators to use the Windows Firewall component in the Control Panel to define a local port exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the Windows Firewall: Define Port Exceptions policy setting.

If you enable this policy setting, the Windows Firewall component in the Control Panel allows administrators to define a local port exceptions list.

If you disable this policy setting, the Windows Firewall component in the Control Panel does not allow administrators to define a local port exceptions list.

If you do not configure this policy setting, the ability of administrators to define a local port exceptions list depends on the configuration of the Windows Firewall: Define Port Exceptions policy setting. If that setting is not configured, administrators can define a local port exceptions list. If it is enabled or disabled, administrators cannot define a local port exceptions list.

All these domain settings allow for full functioning of the network. In your environment you may need to add exceptions for antivirus or other programs. One of the easiest ways to determine what software is being blocked by the XP SP2 firewall is to review the DROP entries in the firewall log file located at C:\WINDOWS\pfirewall.log (ensuring that you have enabled logging of dropped packets).
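Reading pfirewall.log by hand gets tedious once a few workstations have been logging dropped packets for a day. The following script is an added example (not from the book or from Microsoft): it reads the W3C-style log, takes the column names from the #Fields header, and summarises inbound DROP entries by protocol and destination port with the number of distinct sources. The sample log is constructed for this example; the field names match the header Windows Firewall writes, but the addresses, ports and timestamps are invented.

```python
"""Summarise inbound DROP entries from a Windows Firewall log (pfirewall.log).

Added example. The log is W3C-style: comment lines start with '#', and the
'#Fields:' line names the columns. The sample below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-04-11 08:05:57 DROP TCP 192.168.16.5 192.168.16.10 1098 135 48 S 1234567 0 65535 - - - RECEIVE
2005-04-11 08:05:58 DROP TCP 192.168.16.5 192.168.16.10 1099 135 48 S 1234568 0 65535 - - - RECEIVE
2005-04-11 08:06:02 DROP UDP 192.168.16.2 192.168.16.10 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:06:10 DROP TCP 192.168.16.7 192.168.16.10 2050 10500 48 S 1234570 0 65535 - - - RECEIVE
2005-04-11 08:06:11 DROP TCP 192.168.16.7 192.168.16.10 2051 10500 48 S 1234571 0 65535 - - - RECEIVE
2005-04-11 08:06:11 DROP TCP 192.168.16.9 192.168.16.10 2052 10500 48 S 1234572 0 65535 - - - RECEIVE
2005-04-11 08:06:20 OPEN TCP 192.168.16.10 192.168.16.2 1200 80 0 - 0 0 0 - - - -
2005-04-11 08:06:25 DROP TCP 192.168.16.10 10.1.1.1 1201 443 48 S 1234573 0 65535 - - - SEND
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated line or data before a header: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound(records: List[Dict[str, str]]) -> List[Tuple[str, int, int, int]]:
    """Group inbound (path == RECEIVE) DROPs by (protocol, dst-port) and return
    (protocol, port, packets dropped, distinct source addresses), busiest first."""
    hits: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for r in records:
        if r.get("action") != "DROP" or r.get("path") != "RECEIVE":
            continue
        hits[(r["protocol"], int(r["dst-port"]))].append(r["src-ip"])
    summary = [(proto, port, len(srcs), len(set(srcs)))
               for (proto, port), srcs in hits.items()]
    summary.sort(key=lambda t: (-t[2], t[0], t[1]))
    return summary


if __name__ == "__main__":
    print(f"{'proto':5} {'port':>6} {'drops':>6} {'sources':>8}")
    for proto, port, drops, sources in dropped_inbound(parse_log(SAMPLE_LOG)):
        print(f"{proto:5} {port:>6} {drops:>6} {sources:>8}")
```

A port that is hit repeatedly from your own subnet is usually a management or antivirus agent trying to reach a listener on the workstation; once you have identified the program that owns that port, add a program exception for it rather than a port exception. Outbound drops (path SEND) are left out of the summary on purpose, since the text's concern here is inbound connections the firewall is blocking.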

Internet Explorer

The next major change is tighter security for Internet Explorer and additional options for controlling ActiveX controls. ActiveX is a proprietary set of rules for how web browsers and programs share information. ActiveX controls have full access to the operating system, so they can, and historically have, caused security issues. Therefore, as part of your overall security strategy, you can also specify the allowed ActiveX components using group policy.

The default for Windows XP SP2 is to disable the execution of ActiveX controls and Active Scripting in the Local Machine zone. Specifically, the new settings are

  • URLACTION_ACTIVEX_RUN resolves to Disallow.

  • URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.

  • URLACTION_SCRIPT_RUN resolves to Prompt.

  • URLACTION_CROSS_DOMAIN_DATA resolves to Prompt.

  • URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.

  • URLACTION_JAVA_PERMISSIONS resolves to Disallow.

Additional ActiveX Restrictions

In addition to the built-in protection, you can add additional restrictions via group policy as described in Microsoft KB article 883256 (http://support.microsoft.com/?id=883256).

For the SBS server, the XP SP2 template is already installed on the server. Click on Start, Run; then type gpedit.msc, and press Enter.

Expand Computer Configuration or User Configuration, Administrative Templates, Windows Components, Internet Explorer, and Security Features, and then click on Add-on Management.

Under it are two settings. The first, Deny All Add-ons Unless Specifically Allowed in the Add-on List, enables the Deny setting.

From the Explanation:

This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the Add-on List policy setting are denied.

By default, the Add-on List policy setting defines a list of add-ons to be allowed or denied through group policy. However, users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the Add-on List policy setting. This policy setting effectively removes this option from users; all add-ons are assumed to be denied unless they are specifically allowed through the Add-on List policy setting.

If you enable this policy setting, Internet Explorer allows only add-ons specifically listed (and allowed) through the Add-on List policy setting.

If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons not included in the Add-on List policy setting.

Note

If an add-on is listed in the Add-on List policy setting, the user cannot change its state through Add-on Manager (unless its value has been set to allow user management; see the Add-on List policy for more details).


Now select the next policy entitled Add-on List and define the allowed ActiveX components to look similarly to Figure 10.1.

Figure 10.1. Sample of allowed ActiveX add-ons.


Table 10.1. ActiveX Components to Allow in Group Policy

Component                        GUID                                     Description
-------------------------------  ---------------------------------------  --------------------------------------
Remote Web Workplace             {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}   Javascript
                                 {B54F3741-5B07-11cf-A4B0-00AA004A55E8}   VBScript
                                 {7584C670-2274-4EFB-B00B-D6AABA6D3850}   Microsoft RDP Client Control (redist)
Outlook Web Access               {8D91090E-B955-11D1-ADC5-006008A5848C}   DEGetBlockFmtNamesParam Class
                                 {2D360201-FFF5-11D1-8D03-00A0C959BC0A}   DHTML Edit Control Safe for Scripting
                                 {2933BF90-7B36-11D2-B20E-00C04F983E60}   XML DOM document
                                 {F6D90F11-9C73-11D3-B32E-00C04F990BB4}   XML DOM document
                                 {F6D90F16-9C73-11D3-B32E-00C04F990BB4}   XML HTTP
                                 {ED8C108E-4349-11D2-91A4-00C04F7969E8}   XML HTTP request
                                 {3050f4f8-98b5-11cf-bb82-00aa00bdce0b}   Microsoft HTML component
                                 {B45FF030-4447-11D2-85DE-00C04FA35C89}   SearchAssistantOC
                                 {8856f961-340a-11d0-a96b-00c04fd705a2}   Microsoft web browser
WSS                              {3050F819-98B5-11CF-BB82-00AA00BDCE0B}   HtmlDlgSafeHelper class
                                 {47B0DFC7-B7A3-11D1-ADC5-006008A5848C}   DEInsertTableParam class
                                 {E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}   Office 11 name.dll
                                 {9F9C4924-C3F3-4459-A396-9E9E0D8B83D1}   SharePoint OpenDocuments class
                                 {BDEADE9E-C265-11D0-BCED-00A0C90AB50F}   SharePoint Spreadsheet Launcher
                                 {65BCBEE4-7728-41A0-97BE-14E1CAE36AAE}   Microsoft Office List 11.0
                                 {E543A17A-F212-49C0-B63D-BF09B460250E}   OISClientLauncher class
                                 {07B06095-5687-4D13-9E32-12B4259C9813}   STSUpld UploadCtl class
                                 {3FD37ABB-F90A-4DE5-AA38-179629E64C2F}   SharePoint Spreadsheet Launcher
                                 {BDEADEF4-C265-11D0-BCED-00A0C90AB50F}   SharePoint Stssync handler
                                 {003FAFEF-54E3-4D94-9765-44C55997A91C}   MsSvAbw.AddrBookWrapper
ConnectComputer (client setup)   {485D813E-EE26-4DF8-9FAF-DEDF2885306E}   NSHelp class
Microsoft Office                 {E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}   Office 11 Name.dll


You can use a workstation to determine the baseline settings. Inside Internet Explorer on XP SP2, click Tools, Manage Add-ons; then right-click the column header bar and enable the Class ID column so that you can view each add-on's CLSID. Although this view is valuable, you may still need to do the legwork and manually type these CLSIDs into the policy. An additional resource for CLSIDs can be found at http://castlecops.com/ActiveX.html.
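Typing two dozen CLSIDs into the Add-on List dialog by hand is where mistakes creep in: a mistyped hex digit allows nothing, and the table above lists the Office 11 name.dll CLSID twice under two components. The following script is an added example (not from the book or from Microsoft): it validates and upper-cases every CLSID from Table 10.1, reports duplicates, and renders the two policy settings as registry data so the result can be reviewed or diffed before it is pushed. The Add-on List data values (1 = allow, 0 = deny, 2 = allow and let the user manage it) follow the Explanation text quoted above; the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\Ext, its CLSID subkey and the RestrictToList value name are my recollection of what the Internet Explorer policy template writes, and should be checked against the template on your own server.

```python
"""Build the Internet Explorer Add-on List policy from an allow-list of CLSIDs.

Added example. Registry key and value names below are assumptions taken from
memory of the IE policy template; verify them before relying on this output.
"""
import re
from typing import Dict, List, Tuple

# ASSUMED location; check against the policy template on your server.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\Ext"
CLSID_KEY = POLICY_KEY + r"\CLSID"
ALLOW, DENY, ALLOW_USER_MANAGED = "1", "0", "2"   # Add-on List data values

# The CLSIDs and descriptions from Table 10.1, as printed there.
ALLOW_LIST: List[Tuple[str, str]] = [
    ("{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}", "Javascript"),
    ("{B54F3741-5B07-11cf-A4B0-00AA004A55E8}", "VBScript"),
    ("{7584C670-2274-4EFB-B00B-D6AABA6D3850}", "Microsoft RDP Client Control (redist)"),
    ("{8D91090E-B955-11D1-ADC5-006008A5848C}", "DEGetBlockFmtNamesParam Class"),
    ("{2D360201-FFF5-11D1-8D03-00A0C959BC0A}", "DHTML Edit Control Safe for Scripting"),
    ("{2933BF90-7B36-11D2-B20E-00C04F983E60}", "XML DOM document"),
    ("{F6D90F11-9C73-11D3-B32E-00C04F990BB4}", "XML DOM document"),
    ("{F6D90F16-9C73-11D3-B32E-00C04F990BB4}", "XML HTTP"),
    ("{ED8C108E-4349-11D2-91A4-00C04F7969E8}", "XML HTTP request"),
    ("{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}", "Microsoft HTML component"),
    ("{B45FF030-4447-11D2-85DE-00C04FA35C89}", "SearchAssistantOC"),
    ("{8856f961-340a-11d0-a96b-00c04fd705a2}", "Microsoft web browser"),
    ("{3050F819-98B5-11CF-BB82-00AA00BDCE0B}", "HtmlDlgSafeHelper class"),
    ("{47B0DFC7-B7A3-11D1-ADC5-006008A5848C}", "DEInsertTableParam class"),
    ("{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}", "Office 11 name.dll"),
    ("{9F9C4924-C3F3-4459-A396-9E9E0D8B83D1}", "SharePoint OpenDocuments class"),
    ("{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}", "SharePoint Spreadsheet Launcher"),
    ("{65BCBEE4-7728-41A0-97BE-14E1CAE36AAE}", "Microsoft Office List 11.0"),
    ("{E543A17A-F212-49C0-B63D-BF09B460250E}", "OISClientLauncher class"),
    ("{07B06095-5687-4D13-9E32-12B4259C9813}", "STSUpld UploadCtl class"),
    ("{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}", "SharePoint Spreadsheet Launcher"),
    ("{BDEADEF4-C265-11D0-BCED-00A0C90AB50F}", "SharePoint Stssync handler"),
    ("{003FAFEF-54E3-4D94-9765-44C55997A91C}", "MsSvAbw.AddrBookWrapper"),
    ("{485D813E-EE26-4DF8-9FAF-DEDF2885306E}", "NSHelp class"),
    ("{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}", "Office 11 Name.dll"),
]

_CLSID = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def normalise_clsid(clsid: str) -> str:
    """Upper-case and validate; registry value names are case-insensitive,
    so one canonical spelling avoids the same CLSID being listed twice."""
    canonical = clsid.strip().upper()
    if not _CLSID.match(canonical):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return canonical


def find_duplicates(rows: List[Tuple[str, str]]) -> List[str]:
    """CLSIDs that appear more than once, in first-seen order."""
    seen, dups = set(), []
    for clsid, _ in rows:
        canonical = normalise_clsid(clsid)
        if canonical in seen and canonical not in dups:
            dups.append(canonical)
        seen.add(canonical)
    return dups


def build_policy(rows: List[Tuple[str, str]], deny_unlisted: bool = True) -> Dict[str, Dict[str, object]]:
    """Return {registry key: {value name: data}} for both policy settings:
    RestrictToList for 'Deny all add-ons unless specifically allowed', and one
    allow entry per CLSID under the CLSID subkey."""
    policy: Dict[str, Dict[str, object]] = {
        POLICY_KEY: {"RestrictToList": 1 if deny_unlisted else 0},
        CLSID_KEY: {},
    }
    for clsid, _ in rows:
        policy[CLSID_KEY][normalise_clsid(clsid)] = ALLOW
    return policy


def to_reg(policy: Dict[str, Dict[str, object]]) -> str:
    """Render the policy as .reg text for review (DWORD for ints, REG_SZ otherwise)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{key}]")
        for name, data in values.items():
            if isinstance(data, int):
                lines.append(f'"{name}"=dword:{data:08x}')
            else:
                lines.append(f'"{name}"="{data}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for dup in find_duplicates(ALLOW_LIST):
        print("duplicate CLSID in table:", dup)
    print(to_reg(build_policy(ALLOW_LIST)))
```

The duplicate check is the useful part when the table is maintained by hand; the .reg rendering is for review and comparison against what a workstation actually received, not a substitute for setting the policy through the Group Policy editor.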

Additional Internet Explorer Security Changes

Additional changes include a built-in pop-up blocker and changes in MIME type handling that better defend against social engineering and phishing attacks.

Outlook Express

Although typically not a major impact for a small firm using Outlook 2003, the email changes in Outlook Express add the capability to block external HTML content such as web bugs. Web bugs are small pieces of code that track an email as it travels across the Internet and report how far that email has traveled.

Data Execution Prevention (DEP)

Included in both XP SP2 and Windows 2003 SP1 is a new feature that adds memory protection to help prevent malicious code from executing on your machines. Although it is most effective when the hardware supports it, software DEP still gives a layer of protection. If it sees a pattern of malicious software, it prevents the code from executing, thus blocking any potential for damage.

Automatic Updates

Windows XP SP2 has the necessary updates to be easily attached to a Windows Software Update Service patch management system as well as automatically updating itself.

Best Practice: Use Windows XP SP2

There is no doubt that XP SP2 goes a long way toward better protecting your network. The built-in defense in depth layers that it has available are still severely underused by the entire tech industry. Install it and take advantage of the power it has built in.


Security Center

Finally, one of the most important features is the Security Center that monitors antivirus, automatic updates, and firewall settings. If any of the three are set in an unsafe manner, a red icon shows up in the system tray alerting the end user to an insecure system. Make sure that employees in the firm are trained on this icon and, if they see it, that they alert you to the problem if you are unaware of the noncompliance.

An excellent resource for the specific Windows XP SP2 group policy settings as well as all the other group policy settings can be found at http://www.microsoft.com/downloads/details.aspx?familyid=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en.

If you find that applications are being blocked by the XP SP2 firewall, you may want to review the log file at C:\WINDOWS\pfirewall.log (the default location) and make sure that dropped packets are being logged. Remember that if you are still running Windows with full rights for the end user, that workstation should be able to make any outbound connection. If you need a static entry for a "listening" port, the easiest way to determine it is to run netstat -ano on the workstation and review the ports shown as LISTENING:

  1. On the workstation, click Start, Run, and type cmd.

  2. At the command prompt, type netstat -ano.

  3. Open Task Manager, click the Processes tab, click View, Select Columns, and add the PID column.

  4. Look for the image name of the antivirus software and write down its PID.

  5. In the netstat window, find the port that PID is using that is marked as LISTENING. This is the port the antivirus software uses, and it must be open for the software to function properly.

You should see programs such as antivirus software running and using a specific port. Add this port to your group policy deployment to push it out to all workstations.
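The five steps above are a manual join between two tables: the netstat -ano output (port, state, PID) and the process list (PID, image name). The script below is an added example, not from the book or from Microsoft, that does the same join on captured text so it can be repeated across many workstations. It uses the tasklist command's output in place of the Task Manager Processes tab, since tasklist prints the same PID-to-image mapping in a form that is easy to capture from a script; the netstat and tasklist text, the process name avagent.exe and the scope 192.168.16.0/24 are all constructed for this example.

```python
"""Map LISTENING ports to the owning process from `netstat -ano` and `tasklist`.

Added example. The two text blocks imitate the output of those commands on an
XP SP2 workstation; the addresses, PIDs and the process avagent.exe are made up.
"""
import re
from typing import Dict, List, Tuple

NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:10500          0.0.0.0:0              LISTENING       1600
  TCP    192.168.16.10:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.16.10:1201     10.1.1.1:443           ESTABLISHED     1600
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:10501          *:*                                    1600
"""

TASKLIST_OUTPUT = """\

Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
System                           4 Console                 0        236 K
svchost.exe                    948 Console                 0      4,852 K
avagent.exe                   1600 Console                 0     12,340 K
"""


def listening_sockets(netstat_text: str) -> List[Tuple[str, int, int]]:
    """Return (proto, local port, pid) for TCP sockets in LISTENING state and
    for every UDP socket (UDP lines have no State column; any bound UDP
    socket can receive, so they all count as listeners)."""
    sockets = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        sockets.append((proto, port, pid))
    return sockets


def pid_to_image(tasklist_text: str) -> Dict[int, str]:
    """Parse tasklist's fixed-width table: image name, PID, session, session#, memory."""
    mapping: Dict[int, str] = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            mapping[int(m.group(2))] = m.group(1).strip()
    return mapping


def ports_for_image(netstat_text: str, tasklist_text: str, image: str) -> List[Tuple[str, int]]:
    """Listening (proto, port) pairs owned by any process with the given image name."""
    pids = {pid for pid, name in pid_to_image(tasklist_text).items()
            if name.lower() == image.lower()}
    return sorted((proto, port) for proto, port, pid in listening_sockets(netstat_text)
                  if pid in pids)


def as_port_exceptions(ports: List[Tuple[str, int]], name: str,
                       scope: str = "192.168.16.0/24") -> List[str]:
    """Render the findings in the Define Port Exceptions syntax from the text.
    The default scope is a constructed LAN range; narrowing it from '*' keeps a
    static port opening off the Internet."""
    return [f"{port}:{proto}:{scope}:Enabled:{name} ({proto} {port})" for proto, port in ports]


if __name__ == "__main__":
    found = ports_for_image(NETSTAT_OUTPUT, TASKLIST_OUTPUT, "avagent.exe")
    for entry in as_port_exceptions(found, "Example AV"):
        print(entry)
```

If the same image name turns up on several PIDs (service plus tray helper, for instance), the join returns the union of their listeners, which is what you want when deciding what the policy has to open. Prefer a program exception for the executable where the product allows it; the port-exception rendering is for the cases the text describes, where a static listening port is genuinely required.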




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253