S 2.329 Introduction of Windows XP SP2
Initiation responsibility: Administrator, IT Security Officer
Implementation responsibility: Administrator
Windows XP Service Pack 2 has been available from Microsoft since August 2004. The period during which a special Microsoft tool can be used to prevent the installation of SP2 despite an enabled internet-based Windows Update Service ends on 12 April 2005. After that, only organisations that operate their own update server can continue to prevent the installation of SP2.
Service Pack 2 contains some security-relevant changes and extensions in addition to error corrections and improvements to existing mechanisms. They include, for example:
- Altogether, more than 600 new security policies (Windows Firewall, Security Center, Internet Explorer etc.).
- Improvements to the Windows Firewall (the former Internet Connection Firewall, ICF), particularly the option of central administration.
- Improvements to Internet Explorer: Add-on Management, Pop-up Blocker, Zone Elevation Blocking, consistent MIME processing, more restrictive handling of ActiveX control elements.
- Integration of anti-virus software by third-party manufacturers into the so-called "Security Center", which is intended for the central administration and auditing of Windows security settings.
- Memory protection against buffer overflows: The system kernel and the libraries were compiled with specific compiler flags, which is intended to provide protection against buffer overflows. This "No Execute" (NX) flag is supported by several current processors.
- Marking downloaded files and attachments on NTFS drives (Attachment Execution Service).
- The use of raw sockets and the direct manipulation of IP packets have been considerably restricted; denial-of-service precautions are integrated into the TCP/IP stack.
- USB write protection has been implemented: with an appropriate configuration, only read access is possible to USB memory devices such as USB sticks and USB disks (unauthorised data export to USB media is thus prevented).
The configuration of new settings and group policy settings, in particular, must be determined prior to installing SP2. Changes to group policies can have far-reaching effects in companies and government agencies with Windows XP clients and must therefore be carried out with great care by administrators.
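One way to check a planned configuration on a test client before roll-out, as an added example that is not part of the original safeguard text: the script compares captured `reg query` output against a written-down baseline. The baseline values and the sample output are assumptions constructed for illustration; the two registry locations are those of the Windows Firewall domain-profile policy and the USB write protection.

```python
import re

# Planned SP2 settings (assumption: example baseline, replace with the values
# decided on before roll-out). Locations: Windows Firewall domain-profile
# policy and the USB write protection introduced with SP2.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile",
     "EnableFirewall"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies",
     "WriteProtect"): 1,
}

# Constructed sample: `reg query` output as captured on a test client.
SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
    WriteProtect    REG_DWORD    0x0
"""

VALUE_RE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s+(.*)$")

def parse_reg_query(text):
    """Return {(key, name): data} for REG_DWORD values; names are lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group(2) == "REG_DWORD":
            values[(key.lower(), m.group(1).lower())] = int(m.group(3), 16)
    return values

def deviations(text, baseline=BASELINE):
    """List (key, name, expected, found) for settings that differ or are missing."""
    found = parse_reg_query(text)
    return [(k, n, want, found.get((k.lower(), n.lower())))
            for (k, n), want in sorted(baseline.items())
            if found.get((k.lower(), n.lower())) != want]

if __name__ == "__main__":
    for key, name, want, got in deviations(SAMPLE):
        state = "not set" if got is None else hex(got)
        print(f"{key}\\{name}: expected {hex(want)}, found {state}")
```

A setting that is absent from the captured output is reported as "not set", so a group policy that never reached the test client shows up as a deviation as well.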
Preventing problems
Due to the extensive changes, there is a danger that the installation of Service Pack 2 can lead to problems, especially in larger installations in companies or government agencies. This is particularly critical if applications are no longer operable or firewall and anti-virus programs are affected. To prevent these problems, the introduction of SP2 must be precisely planned and extensively tested beforehand. The functionality of the application software, in particular, must be checked in advance.
The following problems can be caused by the installation of Service Pack 2:
- Problems with the administration of GPOs using old tools, because new administrative templates contain long character strings
- The MMC snap-in Group Policy Resultant Set no longer functions for remote requests, because the firewall is enabled by default following the installation
- Problems with DCOM applications, since a new DCOM authentication model has been implemented (e.g. when delegating Group Policy Resultant Set tasks to non-administrative users)
- Application problems due to the firewall which is enabled by default
- Application problems due to changes to the TCP/IP stack (restriction of the use of raw sockets)
- Script and ActiveX error messages, problems displaying images when opening stored websites in applications (including Microsoft Office products)
- Additional software is also installed automatically (Windows Movie Maker). Under certain circumstances, it has to be uninstalled again.
A number of solutions to the problems mentioned are now available on the Internet and in technical magazines. Administrators should inform themselves of these solutions prior to installing SP2.
Review questions:
- Is the configuration of the new settings and the group policies specified before installing Windows XP SP2?
- Is each new configuration tested prior to the roll-out?