Official Windows XP SP2 New Features Overview



I had a training session for SP2 at work today. Here are some notes and screenshots I grabbed for the Neowin Community. Enjoy.


Overview of Key Changes

Service Pack 2 introduces a set of security technologies whose goal is to help improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms.

The key technology enhancements are:

Network Protection

Memory Protection

Safer E-Mail and Instant Messaging

Safer Browsing

Improved Computer Maintenance

Overview of Security Enhancements

The key technology enhancements are:

Network Protection

Changes in Windows Firewall, RPC handling, and DCOM Control Restrictions

Memory Protection

Adds No Execute (NX) restrictions on processors that support it to enforce separation of application code and data

Safer E-Mail and Instant Messaging

Allows for more secure and reliable attachment control in Outlook Express and Windows Messenger

Safer Browsing

Enables better restrictions, user controls and interfaces with regard to Internet use that help prevent malicious code and spyware from running on systems without customer knowledge and consent

Improved Computer Maintenance

Helps customers monitor usage of the latest security tools and allows for easier methods to keep the system updated with the latest security patches and fixes.

Network Protection - Windows Firewall

Previously known as Internet Connection Firewall in SP1, but it was not turned on by default

Turned on by default in SP2

Boot time and shutdown protection

Multiple configuration options available via UI, group policy, command line, and unattended setup

RPC support and better control of RPC services exposed over the network

Global configuration for all connections, making it easier to manage firewall policies across all network connections

Windows Firewall

New UI easily accessible directly from the Control Panel icon called Windows Firewall. The old location in the Advanced tab of the network connection's properties dialog box will now have a link to the new UI.

Picture2.jpg

All outbound connections are automatically allowed, regardless of the program or user context.

E.g. Web browsing with Internet Explorer, checking email in Outlook Express

When an application makes an inbound connection that has been permitted by the user, the port(s) will be dynamically enabled as necessary, only for as long as necessary, and disabled again when done.

E.g. Hosting a game server, transferring files in Windows Messenger

When a service makes an inbound connection that has been permitted by the user, fixed ports will be statically open and remain open and should be limited to only traffic on the local subnet whenever possible.

E.g. File and Print Sharing, Universal Plug and Play (UPnP), Remote Desktop

When an application attempts to allow an inbound connection such as setting up a multiplayer game host, a security alert will be displayed that allows the user to configure the firewall permission for the application:

Picture3.jpg

The exceptions list is a configurable list that allows users to specify which applications or services have permission to receive inbound connections from outside sources through the firewall.

Users can edit an application's firewall properties or manually add applications to the exceptions list by browsing for them.

Picture4.jpg

Local Subnet Restriction - By default, enabling permissions for services such as File and Print Sharing and Universal Plug and Play will only make ports available to other units on the same local subnet. This will help mitigate attacks from external sources.
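The exceptions list, the local subnet restriction and the "command line" configuration option mentioned above can all be exercised through the netsh firewall context that SP2 adds. The script below is an added example written for this post; it is not from the training session or from Microsoft's documentation. The program path and the exception name are constructed placeholders, and the script assumes it is run from an administrative command prompt on an SP2 machine (the profile names Domain and Standard are the two firewall profiles SP2 uses).

```batch
@echo off
rem Added example: SP2 Windows Firewall configuration via "netsh firewall".
rem Program path and rule names are constructed placeholders (assumption),
rem not values taken from the post.

rem 1. Confirm the firewall is on (the SP2 default) and view the settings.
netsh firewall show state
netsh firewall show config

rem 2. Keep the firewall on for both profiles (Domain and Standard) with the
rem    exceptions list active; profile=ALL applies the setting to both.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 3. Weak setting, shown only for contrast: File and Print Sharing opened
rem    to every source address (scope=ALL).
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL profile=ALL

rem    Corrected setting: limit the service to the local subnet, which is the
rem    Local Subnet Restriction default described above.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem 4. Remote Desktop is also a fixed-port service; scope it to the subnet.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem 5. Application exception: add a program to the exceptions list rather than
rem    opening a fixed port, so its port is reachable only while it listens.
rem    The path below is a placeholder for a real game server executable.
netsh firewall add allowedprogram program="C:\Games\MyServer\server.exe" name="Game Server (placeholder)" mode=ENABLE scope=SUBNET profile=ALL

rem 6. Log dropped packets and successful connections so the exceptions can
rem    be reviewed later (default log location is %SystemRoot%\pfirewall.log).
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem 7. Review what is now permitted through the firewall.
netsh firewall show service
netsh firewall show allowedprogram
netsh firewall show logging
```

The same settings can be delivered through Group Policy or an unattended-setup answer file, as the post notes; the netsh form is useful for checking a machine after the fact, since "show service" and "show allowedprogram" reveal any exception that was widened to scope=ALL.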

Supports Multiple profiles and allows user to have separate firewall restrictions for different networks.

E.g. One profile for wired connection at work and another profile for a wireless hotspot connection on t...

Network Protection - RPC and DCOM

Changes done to help reduce RPC/DCOM attack surface exposed to network

Improved Remote Procedure Call (RPC) protection

Requires authenticated access

Executes with reduced privilege

Disabled over UDP by default

Improved Distributed Component Object Model (DCOM) protection

Greater restrictions when launching DCOM apps

Enhanced control over what DCOM apps are allo...

Memory Protection

The top security hole that MS has been attempting to address is buffer overruns, which are vulnerabilities that allow too much data to be copied into areas of the computer's memory

To help mitigate these types of attack, SP2 uses No Execute Protection (NX) for systems that support it, by using the computer's microprocessor to separate application code from data

NX prevents code execution from data pages such as the default heap, various stacks, and memory pools. This helps protect from malicious code executing in memory.

NX support requires 64 bit processors (like AMD Hammer used in Diaz) or newer 32-bit processors with NX feature

SP2 automatically enables NX support when an NX-capable microprocessor is detected

Adds a /noexecute parameter in Boot.ini to the boot partition that contains SP2

If an exception is detected due to no-execute protection, the process is typically either terminated or raises a bugcheck

Settings are configurable from System Properties > Advanced Tab > Performance Options.

This UI enables users to configure execution protection for either the entire computer or selectively disable execution protection for individual applications.

These options will be grayed out for units that do not support NX protection.
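The /noexecute Boot.ini parameter mentioned above can be inspected and changed from the command line as well as through the Performance Options UI. The following is an added example, not something from the training notes; it assumes bootcfg.exe is available (it ships with Windows XP Professional) and that the SP2 installation is OS entry 1 in Boot.ini.

```batch
@echo off
rem Added example (not from the post): reviewing and changing the /noexecute
rem option SP2 writes into Boot.ini. Assumes bootcfg.exe is present and that
rem the SP2 entry is OS entry 1 (assumption; check the /query output first).

rem 1. Show the boot entries and their current load options.
bootcfg /query

rem 2. SP2's default is OptIn: NX is applied to Windows system binaries and to
rem    any program the user opts in through the Performance Options UI.
rem    Shown for comparison only; this is what SP2 setup writes.
rem bootcfg /raw "/fastdetect /noexecute=optin" /id 1

rem 3. Stricter policy: OptOut protects every process except those the user
rem    explicitly excludes in System Properties > Advanced > Performance
rem    Options. /raw without /a replaces the whole option string, so the
rem    existing /fastdetect switch is repeated. A reboot is needed to apply it.
bootcfg /raw "/fastdetect /noexecute=optout" /id 1

rem    The other accepted values are alwayson (no exclusions possible) and
rem    alwaysoff (NX disabled); with either of those the Performance Options
rem    choices are unavailable, matching the grayed-out UI described above.

rem 4. Confirm the change took.
bootcfg /query
```

On hardware without NX support the parameter is still accepted, but the hardware enforcement described in the post does not happen, which is why the Performance Options controls are grayed out on such machines.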

(screenshot)

Security Center

Security Center analyzes current settings for Firewall, Automatic Updates, and Virus Protection.

Security Center will alert the user if any of these settings is not in the recommended state. Security Center will recommend that users enable a firewall, turn on Automatic Updates, and install antivirus software.

Picture9.jpg

If any of the current security settings are not at the recommended level, Security Center warnings will appear in the system tray and warn the user of possible problems during start up or when the settings change.

New Security Center applet will be ...

Additional Enhancements

Alerter and Messenger services are now disabled by default

Windows Media Player 9

DirectX 9.0b

Windows Movie Maker 2.1

MSN Explorer 9

New Bluetooth ...

ZeroConfig Wireless

New client that works with broad range of wireless hotspots

UI change to "View Available Wireless Networks" to support additional branding and information about wireless hotspots.

Enables the user to connect more easily to wireless hotspots without having to install or update a 3rd party client.

Update to Network connections folder and system tray icon to allow users to easily disconnect from wireless hotspots

Picture10.jpg

The new UI for "View Available Wireless Networks" shows security settings and signal strength of available hotspots

(screenshot)

Major Risk Areas for SP2

Active X Lockdown

When an application or web site runs an ActiveX component in the incorrect Security Zone, the user will be warned and will have to grant permission for it to work properly

To prevent warning message, ISVs and OEMs will have to spin the software

Due to new security restrictions in SP2, the majority of software using ActiveX components will have this problem.

HP Bluetooth originally had this problem as well, but MS has inserted a workaround to automatically permit it to load

HP Image Zone currently causes security warning and will not run until user permits it. Workaround to allow HP Image Zone is currently being investigated.

HP Bluetooth -

Installation of BT drivers will display two warning messages to users

First warning that driver is not signed

Second warning that recommends user check for a signed driver on Windows Update

Automatic Updates - installation of updates during shutdown could be a problem because the user may transport the laptop before shutdown is complete, potentially causing data loss or hard drive problems

New security restrictions detect that the majority of softpaq files for HP web deliverables have an unknown publisher and issue a security warning to the user that these files ... digital signature.

Schedule and Builds

Beta 1 Build 2.055 was released on 12/16/03.

The current build in test is Build 2.094 which was released on 3/12/04.

The next targeted milestone is RC1 on 3/17/04.

RC2 is targeted for 4/30/04.

RTM is targeted for 5/28/04. MS is currently 90% confident of meeting this date.

Addendum

Screen shots were captured from Build 2.089.

Since SP2 is still in a development phase, please be aware that some of the new UIs and tools are still being modified and are subject to change prior to RTM.

All scheduled milestone dates are the current MS target dates and also subject to change.

How is this any different than just going to Microsoft's website to get the same type of information? Can we stop with all this service pack 2 crap? Anyone who has been following it already knows about these features and most likely has already deployed them.

Give it a rest people... save the bandwidth

very nice. a few problems though:

"This will also held minimize the common problem of dial-up connections"

"NX support requires 64 bit processors (like AMD Hammer used in Diaz) or newer 32-bit processors with NX feature" < so processors with nx support then!

"DirectX 9.0b" < i thought 9.0c is going to be used. or am i wrong?

Anyway nice overview

Schedule and Builds

Beta 1 Build 2.055 was released on 12/16/03.

The current build in test is Build 2.094 which was released on 3/12/04.

The next targeted milestone is RC1 on 3/17/04.

RC2 is targeted for 4/30/04.

RTM is targeted for 5/28/04. MS is currently 90% confident of meeting this date

hahahahhahah, what Bull Sh**. :pinch:

By the way, excellent review. :yes:

Just an addition, my trainer installed SP2 over SP1 and SP1a without a single issue. She uninstalled and re-installed it 15x just to make sure nothing went wrong and no files were left around or damaged.

She also uses Zone Alarm, a router and two other firewalls and the SP worked flawlessly with them.

Looks like MS might have gotten it right with this one (Y)
