Windows XP SP2’s Firewall Will Be in Your Face

Windows XP SP2’s Firewall Will Be in Your Face

Larry Seltzer

As we reported recently, Microsoft just released a document going into more detail about the features expected in the upcoming Service Pack 2 for Windows XP. The company on Thursday released a beta of SP2 and will ship for real well into 2004. SP2 is basically about security enhancements to Windows, such as the improved Internet Connection Firewall (ICF).

The information in this document is important and in all likelihood reflects the way things will turn out. But everyone should recognize that this document is a beta document for an almost-beta set of programs, and we have to assume there will be differences as the tests of SP2 proceed. Future changes will be reported at a particular MSDN link: The Microsoft Security Developer Center.

In a previous column, I mentioned that the Internet Connection Firewall will be turned on by default under SP2. Ports not actually being used will be shut by default.

In addition, both RPC and DCOM have been restructured to diminish the possibility of attack and to let the administrator control access rights. Microsoft frequently points out that users with ICF enabled were not vulnerable to Blaster.

The new ICF can be enabled and disabled on a per-interface basis. For instance, you might leave it off for the Ethernet connection, but enable it for your wireless network. You can also make global changes across all interfaces. Through a new UI, command line programs, or programmatically, you can open static ports and perform other configurations, such as basic ICMP options. Logging has been improved to include dropped packets and successful connections.

Beyond just opening a port, you can also restrict its traffic to particular subnets. This feature will be employed by default in some cases, for instance for file sharing and UPnP, both of which will be restricted to the local subnet. This feature should block a lot of attacks that come through the average residential broadband connection. Still, it does leave open the possibility that an otherwise compromised system (for instance one infected with a Sobig-like worm) could compromise other systems on the local subnet. Still, it’s one more worthy tool under the belt.

Next page: More New ICF Features.

SP2’s Internet Connection Firewall will include a new lockdown feature, tentatively called “Shielded Mode,” which blocks all unsolicited inbound traffic. In other words, you could get the data for a Web page in response to an HTTP request, but no incoming HTTP requests would be allowed. Turning something like this on clearly will stop some programs from running, but it’s meant for times when you suspect there have been compromises on the network and you need to deal with them, not as a normal mode of operation.

There will be a new ICF Permissions List to which an administrator may add a trusted application. When an application on this list needs to open a port, ICF will open it automatically.

In earlier versions, apps had to call APIs to open the ports. When the application closes, Windows closes the port, relieving the application of the need to do so. Using the Permissions list means that the application need not be run in a security context sufficient to open a port, i.e. with the administrator. The application can run with relatively-low privileges.

If a computer is joined to a domain, you can set up more than one ICF profile for it, with different sets of restrictions. The settings for when you’re inside the domain might be more permissive, on the assumption that the network is protected; and when you’re not on the domain, such as when you’re on the road dialing into the Internet, the policy could be more restrictive.

Incidentally, the standard ICF is IPv4 only; Microsoft’s IPv6 stack comes with an ICF of its own in the Windows XP Advanced Networking Pack. That ICF was always on by default.

At boot time, prior to SP2, there is a gap between when the network has started and when ICF begins effective filtering, which creates a window of vulnerability. SP2 adds a new feature called boot-time policy to perform filtering from the earliest points. The system can still perform DNS and DHCP queries and communicate with a domain controller, but other operations are restricted. If ICF is disabled, so is boot-time policy, but it cannot be configured.

Why, you might ask, didn’t Microsoft do all this to begin with?

The reason is that turning on a stateful inspection firewall causes some applications to break, and that’s something Microsoft has always worked hard to avoid.

In the document, Microsoft is pretty open with the fact that there will be application problems in the default configuration of SP2. This means that there will be problems with Windows that didn’t occur in the past. The world has changed.

At the same time, some folks might say that the world changed long ago where it comes to security, and Microsoft didn’t change fast enough. They’d have a fair point.

Version 1 of ICF was little more than an item on a feature chart for Windows. Sure, they had the firewall in there because security is important and Microsoft needed to give everyone with Windows some way to protect themselves. But they couldn’t bring themselves to go into the deep end of security and make the tough decisions that will put a real barrier against attacks, which at the same time would also increase the security burden on Microsoft.

Let’s hope Microsoft will take up that burden by helping customers to work within restricted environments and not to toss protections aside when they become inconvenient.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in eWEEK.