WinXP SP2 = security placebo?

Feature richness defeats commonsense


Reg Review We evaluated the security features of Windows XP SP2 on a test machine, following a clean install of XP Pro with no configuration changes and no third-party software or drivers installed. We installed XP with the NTFS file system, choosing all of the factory defaults, then patched it with each recommended security update including SP-1 (required), before installing SP2.

While we found that there are indeed a few minor improvements worthy of acknowledgment, in particular, some rather low-level improvements that don't show to the admin or user, overall, SP2 did little to improve our system's practical security, leaving too many services and networking components enabled, bungling permissions, leaving IE and OE vulnerable to malicious scripts, and installing a packet filter that lacks a capacity for egress filtering.

The new Security Center utility with its frequent Security Alert popups will certainly give users the impression that SP2 is a security-oriented package, as Microsoft's PR boilerplate promises. However, The Security Center does little beyond warning users that the firewall is disabled, that automatic updating is disabled, or that antivirus software has not been installed. It may look impressive, but the SP2 package fails to provide several of the most important, basic modifications required to run Windows safely on an Internet-connected machine.

Windows Services

Microsoft has long enabled a number of services related to networking by default, most of which are unnecessary, even dangerous, on Internet-connected machines, and all of which a competent admin should know well enough to enable as necessary. Turning them on by default is a minor inconvenience to admins, who need to disable what they don't need (but usually know how to go about it), and a major source of trouble for home users, who can't be expected to know what services they do and don't need, or how to harden their systems by disabling superfluous ones.

SP2 does disable a few Windows services related to networking that have not previously been disabled by default, which certainly is an improvement. Unfortunately, too many services remain. And home users are given short shrift.

According to netstat, our machine had the following services listening on the Internet by default:

  • DCE endpoint resolution (epmap), port 135. This is basically the UNIX/BSD/Linux portmap daemon, and unnecessary on home machines.
  • NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on home machines.
  • NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service, and is unnecessary on home machines.
  • Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT by using this service, which is unnecessary on home machines.
  • NetBIOS Session, port 139. This is used for Windows File and Printer Sharing, unnecessary on most home machines, and extremely dangerous on any machine connected to the Internet unless the owner knows how to run it securely.
  • Error Reporting is on by default. However, there is no reason why a machine should phone home every time it encounters an error. This is better left disabled.
  • Automatic Update is off by default. Microsoft would very much like everyone to enable it, and now urges users to do so every time Windows Update is run manually; but it is never a good idea to let a third party decide what software should be installed on your machine, or when. This service should remain off, and users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system.

Looking alphabetically at the Services dialog, we encountered the following settings (Note: "manual" means that the service will be started if invoked by a user, an application, or another service, while "automatic" means that it will be started at boot time whether it's needed or not).

ClipBook (used to store information, cut / paste, and share it among computers) disabled. About time.

DCOM Server Process Launcher, automatic. The process launcher implies that DCOM is enabled, as indeed it is (more below).

DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default.

DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default.

NetMeeting Remote Desktop Sharing, manual. Unnecessary on most home machines. Should be disabled by default.

Network DDE, disabled. About time.

Network DDE DSDM, disabled. About time.

Remote Access Connection Manager, manual. Unnecessary on most home machines. Should be disabled by default.

Remote Desktop Help Session Manager, manual. Unnecessary on most home machines. Should be disabled by default.

Remote Procedure Call (RPC), automatic. This is one of Microsoft's greatest security holes. RPC enables one machine to execute code remotely on another. On UBIX/BSD/Linux, it can be disabled safely. On Windows, it cannot be disabled, as MS has made a plethora of necessary services dependent on it. It's a huge security hole that simply cannot be avoided. It must be blocked by a firewall.

Remote Registry, automatic (allows remote users to make Registry changes). Unnecessary and dangerous on most home machines. Should be disabled by default, and enabled only as needed.

Routing and Remote Access, disabled. About time.

Secondary Logon, automatic (enables starting processes under alternate credentials). Unnecessary on most home machines. Should be disabled by default.

SSDP Discovery Service (UPnP discovery), manual. Unnecessary on most home machines. Should be disabled by default.

TCP/IP NetBIOS Helper, automatic (enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution). Unnecessary on most home machines. Should be disabled by default.

Telnet, manual. Unnecessary on most home machines and company workstations. Extremely insecure. Should be disabled by default. Those foolish enough to use it can enable it.

Universal Plug and Play Device Host, manual. Unnecessary on most home machines. Should be disabled by default.

WebClient, automatic (enables Windows-based programs to create, access, and modify Internet-based files). Unnecessary on most home machines. Should be disabled by default.

Additionally, DCOM (Distributed COM) is enabled by default. It is unnecessary on most home machines, and should be disabled unless needed. It's the component that the Blaster worm exploited to get at RPC.


Other stories you might like

  • UK science suffers as lawmakers continue to dither over Brexit negotiations

    Horizons Europe carrot dangled amid protocol wrangling

    A report from the UK House of Commons' European Scrutiny Committee has blamed delays in Brussels for choking off revenue streams to British institutions and businesses.

    The UK departed the European Union following a 2016 referendum. One of the results was that UK businesses were no longer able to tender for lucrative contracts within the bloc.

    The Brexit Divorce Bill uncomfortably laid out the facts back in 2018. The satellite navigation system Galileo was one victim despite substantial involvement from the UK in its development. Another was the Copernicus Earth monitoring programme; the UK was infamously snubbed when the European Space Agency (ESA) handed out six juicy contracts to institutions from the Continent.

    Continue reading
  • Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

    PAX Technology devices allegedly infected with malware

    US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.

    PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.

    Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.

    Continue reading
  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Paid Post Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading
  • Singaporean minister touts internet 'kill switch' that finds kids reading net nasties and cuts 'em off ASAP

    Fancies a real-time crowdsourced content rating scheme too

    A Minister in the Singapore government has suggested the creation of an internet kill switch that would prevent minors from reading questionable material online – perhaps using ratings of content created in real time by crowdsourced contributors.

    "The post-COVID world will bring new challenges globally, including to us in the security arena," said Minister for Defence Dr Ng Eng Hen at a Tuesday ceremony to award the city-state's 2021 Defense Technology Prize.

    "For operations, the SAF (Singapore Armed Force) has to expand its capabilities in the digital domain. Whether for administrative or operational purposes, I think that we will need to leverage technology to the maximum," he declared.

    Continue reading

Biting the hand that feeds IT © 1998–2021