May 14, 2001, 9:35 AM — During the past year, Microsoft has made a concerted
effort to develop secure products. Windows XP, for example,
contains a wide variety of security features that
proactively protect systems and make security a little
easier for the end-user, including the addition of the
Internet Connection Firewall (ICF) and automatic updates as
well as advancements in the Encrypting File System (EFS),
security templates, and smart card support.
ICF, activated by default when you use the networking
wizard, blocks all inbound traffic to the system. You can
easily tell if the firewall is active by looking at your
network connections. Any network connection protected by ICF
is red.
ICF is a powerful packet firewall, but it does not have
all the features and functionality of an enterprise
solution. Its main purpose is to protect stand-alone systems
with broadband Internet connections. ICF is ideal protection
for telecommuters and corporate remote-access solutions.
ICF is either on or off; you cannot selectively protect
specific ports or protocols. You do have the ability to
allow a few protocols to pass, such as HTTP, FTP, and L2TP.
You also have the ability to define additional ports. ICF
also includes logging capabilities that allow you to record
unsuccessful inbound traffic and successful outbound
traffic. Recording all successful outbound traffic will
generate some large, unwieldy log files, but monitoring
unsuccessful inbound attempts will give you a good picture
of what attacks are being attempted against the system. The
log files can be accessed by an administrator and copied to
other administrators via the network, giving them the
ability to determine if individual machines are under
attack.
In an enterprise environment, system administrators want
to limit the control individual users have over the ICF
settings. Users should not have the ability to disable the
firewall or open ports without proper authorization and
approval. If they do have this ability, an administrator
might be lured into a false sense of security, thinking all
users have systems protected from inbound connections when
they really have disabled its functionality. To prevent this
from happening, ICF settings for Windows XP Professional can
be controlled through Group Policy settings. Group Policy
can force users to enable the firewall when not connected to
the corporate network, for example.
To protect systems from malicious code execution, XP also
includes support for software restriction policies.
Administrators define rules in Group Policy that control
when software is allowed to execute. These rules can be
defined based on the file's extension, hash, path, signed
certificate, or zone. For example, execution of Visual Basic
Script (VBS) files can be denied unless digitally signed by
a specified organization or group. Corporate administrators
can now sleep well at night knowing their network is safe
from users who continue to open suspect e-mail
attachments.
EFS, first introduced in Windows 2000, now has the
ability to allow multiple users to access an encrypted
document. In its default setting, encrypted files appear
green to enable easy identification when displayed in a file
listing. EFS also works with client-side caching (or Offline
Folders) to maintain file encryption when files are on and
off the network.
Sharing encrypted files via the Internet without
purchasing separate third-party products is now possible
with WebDAV, a file-sharing protocol that uses HTTP. IIS 5.0
and the upcoming IIS 6.0 support WebDAV as Web folders,
making file sharing as easy as pointing and clicking.
Windows XP also includes security templates
(preconfigured collections of security-related policies) for
Group Policy to ensure the appropriate level of system
security. These templates represent low, medium, and high
security configurations, which can be customized to meet the
specific security needs of the organization.
To ease the administrative burden of distributing and
installing security patches and system updates, Microsoft
has included an automatic update feature in XP. You can
configure systems to automatically download new updates from
the Windows update site. Administrators have a wide variety
of options for configuring the mechanism and timing of
applying service packs, which can be installed
automatically. Microsoft is also working with some success
to create service packs and hot fixes that do not always
require system reboots.
