Windows XP SP2, NSA Guidelines Follow-Up

Last week, I presented a hands-on look at Windows XP Service Pack 2 (SP2) and discussed the National Security Agency's (NSA's) guidelines for securely configuring XP, two somewhat related topics that are probably close to many administrators' hearts these days (see "Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security" at http://www.winnetmag.com/windows/article/articleid/41363/41363.html ). This week, I follow up on these topics because I've discovered new information about both.

More XP SP2 Features
After previewing XP SP2 last week, I took an XP SP2-enabled notebook computer to Las Vegas, Nevada, for the 2004 International Consumer Electronics Show (CES)--the perfect way to test the new service pack in the real world. I didn't experience any stability problems with SP2, although my one-PC experience is an admittedly nonscientific test. But during the trip, I was able to exercise XP SP2's new wireless networking features and the Internet Connection Firewall (ICF), which Microsoft plans to simply call Windows Firewall when SP2 ships in mid-2004.

XP SP2 and Wireless Networking
When Microsoft first shipped XP in October 2001, the company integrated wireless networking into the product, providing users with a relatively simple method of connecting to secure and insecure wireless networks. The initial XP version supports only 802.11b and the Wireless Equivalency Protocol (WEP) security scheme out of the box; if you recall the wireless security climate of late 2001, most wireless networks were left open and unsecured. In such a network, XP worked well: If you turned on an XP notebook within range of a wireless network, you'd be connected automatically and could get right to work. Of course, that capability exposed users' machines to potential intrusion.
In XP SP1, which shipped in fall 2002, Microsoft added a block that requires the user to manually OK every connection to an insecure network. This new emphasis on security over functionality is well suited for most businesses, but I suspect many consumers were a bit perplexed by the requirement because most home-based wireless networks are still insecure.
In XP SP2, Microsoft overhauled the wireless networking capabilities yet again. The first change is a friendly new UI for managing and connecting to wireless networks. This new interface will likely be much easier to use than the old View Wireless Networks dialog box-based approach used in earlier versions, especially for users in areas with numerous wireless networks. The new UI labels each network as "Non-secure wireless network" or "Security-enabled wireless network." On wireless networks with security, you'll see a message stating that you need a network key, which you can enter when prompted, and the OS offers task lists for getting more information about wireless networking connections or changing your preferred wireless network.
From my standpoint, the biggest change in this release is that wireless connection settings seem to stick better than before. After you've OK'd a connection to an insecure wireless network, you can connect to that network without further prompting in the future, which is nice. In my experience, this functionality would work only intermittently in XP SP1. The wireless network aggregated list is also less likely to display networks that are no longer in range, which was a curious problem with earlier versions.

Windows Firewall
If you're familiar with Zone Labs' Zone Alarm or other firewall products, you've probably spent time configuring which applications and services can and can't send information to and from your machine. XP SP2's new Windows Firewall works the same way. The first time any application or service attempts to access a closed port, you'll get a dialog box that lets you configure whether the application or service can bypass the firewall, or you can simply click Cancel to never allow said access. The new firewall has several advantages over ICF. First, users are more likely to use the firewall because Windows Firewall is much easier to customize than was the ICF in earlier versions. Second, as with commercial firewall products, you get to see which applications are calling home and decide which ones to allow. From a corporate standpoint, this functionality is centrally manageable, which is extremely welcome.
If you want to manage the Windows Firewall settings manually, you can access a list of exceptions, which are applications and services that can receive connections from the outside world. In the past few days, I've received warnings about programs such as Microsoft Virtual PC, Windows Messenger, and RealNetworks' RealPlayer, as well as system services such as File and Print Sharing and ActiveSync. You can manually add programs to the list, which is nice, and determine the network connections to which these settings apply. Overall, the improvements are phenomenal compared with the previous version.

NSA, Security, and XP
Last week, I briefly mentioned the NSA's Windows XP Security Guidelines. I incorrectly noted that these guidelines were new, when in fact they were released in 2002 and last updated in April 2003. Several readers pointed out this discrepancy and that following the NSA guidelines can lead to software incompatibilities related to security because many applications and services rely on certain non-secure configurations to operate correctly, a problem that Microsoft has been wrangling with during its Trustworthy Computing makeover. A Microsoft representative who contacted me last week noted that the software giant worked closely with the NSA, as well as the National Institute of Standards and Technology (NIST) and the SANS Institute's Center for Internet Security (CIS), on the company's own security guides, which you can access from the links below.

Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?linkid=14845

Threats and Countermeasures Guide http://go.microsoft.com/fwlink/?linkid=15159

Microsoft Windows XP Security Guide Overview http://go.microsoft.com/fwlink/?linkid=14839

Guide to Securing Windows XP in Small and Medium Businesses http://go.microsoft.com/fwlink/?linkid=19453