From: www.itworld.com

How will Windows XP cope with security?

by Mandy Andress

May 14, 2001

During the past year, Microsoft has made a concerted effort to develop secure products. Windows XP, for example, contains a wide variety of security features that proactively protect systems and make security a little easier for the end-user, including the addition of the Internet Connection Firewall (ICF) and automatic updates as well as advancements in the Encrypting File System (EFS), security templates, and smart card support.

ICF, activated by default when you use the networking wizard, blocks all inbound traffic to the system. You can easily tell if the firewall is active by looking at your network connections. Any network connection protected by ICF is red.

ICF is a powerful packet firewall, but it does not have all the features and functionality of an enterprise solution. Its main purpose is to protect stand-alone systems with broadband Internet connections. ICF is ideal protection for telecommuters and corporate remote-access solutions.

ICF is either on or off; you cannot selectively protect specific ports or protocols. You do have the ability to allow a few protocols to pass, such as HTTP, FTP, and L2TP. You also have the ability to define additional ports. ICF also includes logging capabilities that allow you to record unsuccessful inbound traffic and successful outbound traffic. Recording all successful outbound traffic will generate some large, unwieldy log files, but monitoring unsuccessful inbound attempts will give you a good picture of what attacks are being attempted against the system. The log files can be accessed by an administrator and copied to other administrators via the network, giving them the ability to determine if individual machines are under attack.
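To show what reviewing those unsuccessful inbound attempts can look like, here is an added example (not from the original article or from Microsoft) that summarizes dropped packets per source address. It assumes the log is a W3C-style text file with a `#Fields:` header; the field names, the `DROP`/`OPEN` action values, the sample entries and the `sweep_threshold` parameter are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample in the assumed W3C-style log layout;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-05-14 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 4431 139 48 S 1884401 0 16384 - - -
2001-05-14 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 4432 445 48 S 1884402 0 16384 - - -
2001-05-14 09:12:02 DROP TCP 203.0.113.7 192.0.2.10 4433 21 48 S 1884403 0 16384 - - -
2001-05-14 09:15:40 OPEN TCP 192.0.2.10 198.51.100.20 1045 80 - - - - - - - -
2001-05-14 09:20:11 DROP UDP 198.51.100.99 192.0.2.10 137 137 78 - - - - - - -
2001-05-14 09:21:00 DROP ICMP 198.51.100.99 192.0.2.10 - - 60 - - - - 8 0 -
truncated line
"""

def parse_icf_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def summarize_drops(entries, sweep_threshold=3):
    """Group dropped packets by source and flag multi-port probing."""
    per_source = defaultdict(lambda: {"drops": 0, "ports": set()})
    for e in entries:
        if e["action"] != "DROP":
            continue
        stats = per_source[e["src-ip"]]
        stats["drops"] += 1
        if e["dst-port"] != "-":  # ICMP entries carry no port
            stats["ports"].add((e["protocol"], int(e["dst-port"])))
    return {
        src: {"drops": s["drops"], "ports": sorted(s["ports"]),
              "sweep": len(s["ports"]) >= sweep_threshold}
        for src, s in per_source.items()
    }

if __name__ == "__main__":
    for src, s in summarize_drops(parse_icf_log(SAMPLE_LOG)).items():
        print(src, s["drops"], "drops", "SWEEP" if s["sweep"] else "", s["ports"])
```

Run over logs collected from several machines, the same summary shows whether one source is probing many hosts or a single machine is being singled out.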

In an enterprise environment, system administrators want to limit the control individual users have over the ICF settings. Users should not have the ability to disable the firewall or open ports without proper authorization and approval. If they do have this ability, an administrator might be lured into a false sense of security, thinking all users have systems protected from inbound connections when those users have actually disabled the firewall. To prevent this from happening, ICF settings for Windows XP Professional can be controlled through Group Policy settings. Group Policy can force users to enable the firewall when not connected to the corporate network, for example.

To protect systems from malicious code execution, XP also includes support for software restriction policies. Administrators define rules in Group Policy that control when software is allowed to execute. These rules can be defined based on the file's extension, hash, path, signed certificate, or zone. For example, execution of Visual Basic Script (VBS) files can be denied unless digitally signed by a specified organization or group. Corporate administrators can now sleep well at night knowing their network is safe from users who continue to open suspect e-mail attachments.

EFS, first introduced in Windows 2000, now has the ability to allow multiple users to access an encrypted document. In its default setting, encrypted files appear green to enable easy identification when displayed in a file listing. EFS also works with client-side caching (or Offline Folders) to maintain file encryption when files are on and off the network.

Sharing encrypted files via the Internet without purchasing separate third-party products is now possible with WebDAV, a file-sharing protocol that uses HTTP. IIS 5.0 and the upcoming IIS 6.0 support WebDAV as Web folders, making file sharing as easy as pointing and clicking.

Windows XP also includes security templates (preconfigured collections of security-related policies) for Group Policy to ensure the appropriate level of system security. These templates represent low, medium, and high security configurations, which can be customized to meet the specific security needs of the organization.

To ease the administrative burden of distributing and installing security patches and system updates, Microsoft has included an automatic update feature in XP. You can configure systems to automatically download new updates from the Windows Update site. Administrators have a wide variety of options for configuring the mechanism and timing of applying service packs, which can be installed automatically. Microsoft is also working with some success to create service packs and hot fixes that do not always require system reboots.

Windows 2000 added the ability to log on to a system with a smart card. Windows XP extends this functionality to Terminal Servers and administrators. Users with a smart-card reader on their client machine can perform smart-card operations on the Terminal Server machine. XP also adds smart-card support for running administrator tools and utilities. These applications can be very powerful and can easily compromise corporate security if they end up in the wrong hands. XP gives administrators the ability to control access to these tools, such as net.exe, by requiring smart cards to run them.

Windows XP represents an important step forward for Microsoft in its commitment to help secure the enterprise. The features and functionality included in XP ease the security burden for both administrators and users.