Windows XP SP2

The first thing users will see when logging into SP2, the newly improved Windows® XP operating system, is a new Security Center informing them of the status of critical security features, such as the firewall, antivirus updates, and automatic updates. Following is a brief look at the major improvements in XP security found within SP2.

Network Protection:

Microsoft has renamed the previous Internet Connection Firewall to Windows Firewall. The newly named firewall is turned on by default, with ports closed except when they are in use, an improved user interface for configuration, improved application compatibility, and enhanced administration through group policy settings, allowing separate policies to be defined for firewall configuration. Inbound connections can be restricted based on their origin, and remote procedure call (RPC) vulnerability is greatly reduced through SP2’s insistence upon secure RPC connections. DCOM also has additional access control restrictions to protect against network attacks.


Memory Protection:

Some attacks exploit vulnerabilities that allow too much data to be copied into the computer’s memory (buffer overflow). Core Windows components have been recompiled to mitigate this vulnerability with protection against buffer overruns. Microsoft has partnered with Intel and AMD to implement hardware-based protection against the buffer overflow vulnerability. Using this data execution prevention (DEP) mechanism in the processor, the CPU marks all memory locations in an application as non-executable unless they contain executable code. Thus, the application won’t run when a virus or worm inserts malicious code into an application.

Email Handling and Web Browsing:


Many of the more prevalent security breaches have emerged from email, messaging applications, and web browsing. SP2 targets these vulnerabilities through enhanced default security settings and improved attachment control using the Attachment Execution Service (AES) API. SP2 also protects against malicious ActiveX controls and code by “locking down” the Local Machine security zone, much the same way it protects web pages through the security zones set within the Internet Options of Internet Explorer. ActiveX controls can’t run in the Local Machine zone unless the user gives permission. The same is true of JavaScript and binary code. Scripts are also prevented from elevating the security zone to a less restrictive setting.

MIME types are handled more safely by renaming files to match their true types before placing them in the cache. SP2 also tightens access to cached objects by blocking access when navigating away from the page that loaded the object. Finally, SP2 has added a pop-up blocker within the Privacy tab of IE’s Internet Options. Users are notified when pop-ups are encountered, and they can choose to view the pop-ups they want to see. Restrictions are also placed on pop-ups’ size, format, and placement, preventing borderless windows that might cover other pages.
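An added illustration of the renaming step described above (not code from the original article, and not Internet Explorer's actual algorithm): the leading bytes of the content decide the extension a downloaded object is cached under. The signature table and the names `sniff_extension` and `cache_name` are assumptions made for this example.

```python
import os

# Constructed signature table (leading bytes -> extension). A small subset for
# illustration; this is not Internet Explorer's own detection table.
SIGNATURES = [
    (b"MZ", ".exe"),                 # Windows PE executable
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"PK\x03\x04", ".zip"),
]
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script")
ALIASES = {".jpeg": ".jpg", ".htm": ".html"}


def sniff_extension(data):
    """Return the extension implied by the content, or None if unrecognized."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    head = data[:512].lstrip().lower()
    if head.startswith(HTML_MARKERS):
        return ".html"
    return None


def cache_name(declared_name, data):
    """Return (name to cache under, True if the declared name was overridden)."""
    # Keep only the final path component so the name cannot leave the cache dir.
    base = os.path.basename(declared_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    declared = ALIASES.get(ext.lower(), ext.lower())
    actual = sniff_extension(data)
    if actual is None or actual == declared:
        return base, False           # unknown content or honest label: keep it
    return stem + actual, True       # label contradicts content: content wins


if __name__ == "__main__":
    # Constructed inputs: (declared name, first bytes of the body).
    samples = [
        ("holiday.jpg", b"MZ\x90\x00\x03\x00"),
        ("logo.JPEG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("notes.txt", b"  <HTML><body>hi</body>"),
    ]
    for name, body in samples:
        print(name, "->", cache_name(name, body))
```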

Other Features:

With SP2, Microsoft has added some new features to help manage system configuration and updating. A new Manage Add-ons feature assists in managing ActiveX controls and other IE extensions. This feature lists add-ons that have been loaded, their status, source, and the validity of their digital signatures. Add-ons can be turned off, and a history of usage is available.

A new mechanism has been added for handling and analyzing add-on crashes. Downloading files is now more secure, too. Users are warned not only when they download files but also when they open downloaded files after being saved locally. Files extracted from downloaded zipped files also generate the same warning. Finally, SP2 differentiates between Java virtual machines (JVMs) and the Microsoft JVM, allowing users to disable the Microsoft JVM without turning off others.
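An added example, not part of the original article: the warning on opening a saved download works because the file's origin zone travels with it. On NTFS the zone is stored in an alternate data stream named Zone.Identifier; the parser below reads that stream's text and shows the marker being passed on to files extracted from a marked archive. The function names, the warning threshold and the sample marker are assumptions of this example.

```python
import configparser

# Zone numbers used by Internet Explorer's security zones.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
WARN_FROM = 3  # assumption for this example: warn for Internet and stricter


def read_zone(stream_text):
    """Return the ZoneId stored in a Zone.Identifier stream, or None."""
    if not stream_text:
        return None                       # no marker present on the file
    parser = configparser.ConfigParser()
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        zone = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None                       # malformed marker
    return zone if zone in ZONES else None


def marker_for(zone):
    """Text of the marker stream for a given zone."""
    return "[ZoneTransfer]\r\nZoneId=%d\r\n" % zone


def extract_with_marker(archive_marker, member_names):
    """Propagate the archive's zone to every file extracted from it."""
    zone = read_zone(archive_marker)
    text = marker_for(zone) if zone is not None else None
    return {name: text for name in member_names}


def should_warn(stream_text):
    """True when the recorded zone is at or above the warning threshold."""
    zone = read_zone(stream_text)
    return zone is not None and zone >= WARN_FROM


if __name__ == "__main__":
    # Constructed marker, as it would appear on a downloaded archive.
    zip_marker = "[ZoneTransfer]\r\nZoneId=3\r\n"
    members = extract_with_marker(zip_marker, ["setup.exe", "readme.txt"])
    for name, marker in members.items():
        print(name, ZONES[read_zone(marker)], should_warn(marker))
```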


A final release version of SP2, nearly 270 MB, was made available on August 9th. Microsoft is making it available for download over the Internet to users with a broadband connection. The new Windows Update 5.0 includes a “Checkpoint Restart” feature, allowing a download to resume after the Internet connection is interrupted.

SP2 can be downloaded in the background, taking about 40% of the available bandwidth. For those who have turned on the auto-update feature of Windows, SP2 will download without the user’s knowledge. Windows Update will not duplicate any download the automatic update has already installed. For those without broadband connections, Microsoft offers a free CD via the mail.

SP2 can be installed using a few different methods. If the computer is already running Windows XP Home Edition or Windows XP Professional, the standalone version of SP2 can be installed separately as an update. The operating system and service pack can be installed simultaneously for those wanting to upgrade the operating system and install SP2.

Potential Issues:

SP2 is surely good news for organizations and the systems administrators who support them. However, there are some issues to be aware of. Most notable among the potential problems are those caused by the new default firewall. Because the firewall restricts access to ports, some applications may be limited in ways requiring firewall configuration.

Laptop users pose special problems for operating system firewalls, requiring different configurations based on whether users are behind or outside the corporate firewall. In such cases, separate profiles will need to be used: the Domain Profile for those behind the corporate firewall and the Mobile Profile for those beyond the domain controller. The Network Location Awareness tool will determine which to use at any given time. Organizations that want to adopt SP2 without going through the sometimes frustrating configuration task can turn off the firewall through a group security policy.

