Archive for April 27th, 2006

Posted on Apr 27th, 2006

The first thing users will see when logging into SP2, the newly improved Windows® XP operating system, is a new Security Center informing them of the status of critical security features, such as the firewall, antivirus updates, and automatic updates. Following is a brief look at the major improvements in XP security found within SP2.

Network Protection:

Microsoft has renamed the previous Internet Connection Firewall to Windows Firewall. The newly named firewall is now turned on by default, with ports closed except when they are in use, an improved user interface for configuration, improved application compatibility, and enhanced administration through group policy settings which allow separate policies to be defined for firewall configuration. Inbound connections can be restricted based on their origin, and remote procedure call (RPC) vulnerability is greatly reduced through SP2’s insistence upon secure RPC connections. DCOM also has additional access control restrictions to protect against network attacks.

Memory Protection:

Some attacks exploit vulnerabilities that allow too much data to be copied into areas of the computer’s memory (buffer overflow). To mitigate this vulnerability, core Windows components have been recompiled with protection against buffer overruns. Microsoft has also teamed up with Intel and AMD to implement hardware-based protection against the buffer overflow vulnerability. Using this data execution prevention (DEP) mechanism in the processor, the CPU marks all memory locations in an application as non-executable unless they contain executable code. Thus, when a virus or worm inserts malicious code into an application, the application won’t run it.

Email Handling and Web Browsing:

Many of the more prevalent security breaches have emerged from email, messaging applications, and web browsing. SP2 targets these vulnerabilities through enhanced security default settings and improved attachment control using the Attachment Execution Service (AES) API. SP2 also protects against malicious ActiveX controls and code by "locking down" the Local Machine security zone much the same way it protects web pages through security zones set within the Internet Options of Internet Explorer. ActiveX controls can’t run in the Local Machine zone unless the user gives permission. The same is true of JavaScript and binary code. Scripts are also prevented from elevating the security zone to a less restrictive setting.

MIME types are handled more safely by renaming files to match their true types before placing them in the cache. SP2 also tightens up access to cached objects by blocking access when navigating away from the page that loaded the object. Finally, SP2 has added a pop-up blocker within the Privacy tab of IE’s Internet Options. Users are notified when pop-ups are encountered, and they can choose to view the pop-ups they want to see. Restrictions are also placed on the size, format, and placement of pop-ups, preventing borderless windows which might cover other pages.

Other Features:

With SP2, Microsoft has added some new features to help manage the configuration and updating of systems. A new Manage Add-ons feature assists in managing ActiveX controls and other IE extensions. This feature lists add-ons that have been loaded, their status, source, and the validity of their digital signatures. Add-ons can be disabled, and a history of usage is available.

A new mechanism has been added for handling and analyzing add-on crashes. Downloading files is now more secure too. Users are warned not only when they download files, but also when they open downloaded files after they have been saved locally. Files extracted from downloaded zipped files also generate the same warning. Finally, SP2 differentiates between Java virtual machines (JVMs) in general and the Microsoft JVM, allowing users to disable the Microsoft JVM without disabling others.
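The warning on opening a saved download works because Windows records the file's origin zone alongside the file. The sketch below is an added example, not code from the original article or from Microsoft: it parses the text of that mark and decides whether to warn. The `Zone.Identifier` stream name and its `[ZoneTransfer]` / `ZoneId` layout are not mentioned in the article; they are how Windows stores the mark on NTFS. The warn policy and the function names are assumptions of this sketch.

```python
import configparser

# Internet Explorer security zone numbers (URLZONE values).
ZONES = {
    0: "Local Machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed samples: text content of a Zone.Identifier stream.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_id(stream_text):
    """Return the ZoneId as an int, or None if it is missing or invalid."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(stream_text)
        zone = int(parser.get("ZoneTransfer", "ZoneId").strip())
    except (configparser.Error, ValueError):
        return None
    return zone if zone in ZONES else None


def classify(stream_text):
    """Return (origin, warn) for a file about to be opened.

    stream_text is None when the file carries no mark at all,
    for example a file created locally.
    Assumed policy for this sketch: warn for the Internet and
    Restricted sites zones, and fail closed on a mark that cannot be read.
    """
    if stream_text is None:
        return ("no mark", False)
    zone = parse_zone_id(stream_text)
    if zone is None:
        return ("unreadable mark", True)
    return (ZONES[zone], zone >= 3)


if __name__ == "__main__":
    for text in (SAMPLE_INTERNET, SAMPLE_INTRANET, None, "ZoneId=3\r\n"):
        print(repr(text), "->", classify(text))
```

The mark lives in an NTFS alternate data stream, so copying a file to a filesystem without stream support drops it and the file then looks locally created.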

Availability:

A final release version of SP2 was made available August 9th and is nearly 270MB. Microsoft is making it available on the Internet via a broadband connection. The new Windows Update 5.0 includes a "Checkpoint Restart" feature, allowing resumption of a download when the Internet connection is interrupted.

SP2 can be downloaded in the background and will take about 40% of the available bandwidth. For those who have turned on the auto-update feature of Windows, SP2 will download without the user’s knowledge, and Windows Update will not duplicate any download that the automatic update has already installed. For those without broadband connections, Microsoft is offering a free CD via the mail.

SP2 can be installed using a few different methods. If the computer is already running Windows XP Home Edition or Windows XP Professional, the standalone version of SP2 can be installed separately as an update. For those wanting to upgrade the operating system as well as install SP2, the operating system and service pack can be installed simultaneously.

Potential Issues:

SP2 is surely good news for organizations and the systems administrators who support them. However, there are some issues to be aware of. Most notable among the potential problems are those caused by the new default firewall. Because the firewall restricts access to ports, some applications may be restricted in ways which will require firewall configuration.

Laptop users pose special problems for operating system firewalls, as they require different configurations based upon whether users are behind or outside of the corporate firewall. In such cases separate profiles will need to be used: the Domain Profile for those behind the corporate firewall, and the Mobile Profile for those beyond the domain controller. The Network Location Awareness tool will determine which to use at any given time. Organizations wanting to adopt SP2 without going through the sometimes frustrating task of configuration can turn off the firewall through a group security policy.

Despite the potential complications, however, SP2 is good news for security-minded IT professionals. Be sure to plan for its deployment in your enterprise soon.

About ITX Corp:

ITX Corp is a business consulting and technology solutions firm focused in nine practice areas including Business Performance, Internet Marketing, IT Staffing, IT Solution Strategies and Implementation, Technical Services, Internet Services, and Technology Research. To learn more about what ITX can do for you visit our website at http://www.itx.net or contact us at (800) 600-7785.

About Jonathan Coupal:

Jonathan Coupal is the Vice President and Chief Technology Officer of ITX Corp. Mr. Coupal manages both the day-to-day and strategic operations of the Technology Integration Practice Group. Among Mr. Coupal’s greatest strengths are evaluating customers’ unique problems, developing innovative, cost effective solutions and providing a “best practice” implementation methodology. Mr. Coupal’s extensive knowledge and experience enables him to fully analyze client systems to recommend the most effective technologies and solutions that will both optimize their business processes and fulfill immediate and future goals. Mr. Coupal and his team build a high level of trust with clients, establishing ITX as their IT partner of choice.

Mr. Coupal holds certifications with Microsoft and CompTIA, including MCSE, MCSA, Security+, Linux+ and i-Net+, and served as a Subject Matter Expert (SME) for the development of the CompTIA Linux+.

Posted on Apr 27th, 2006

The Software 2005 conference is now a wrap. This conference, presented by M.R. Rangaswami and The Sandhill Group, is now an annual event and attendance increased 35% this year over 2004. It is an ideal opportunity for those in the enterprise software industry to see what’s new and what’s coming, as well as to catch up with old colleagues and make new connections. It is also a perfect forum for startups to gain exposure as well as solicit funding and key partnerships.

According to Sandhill, there were 1500 attendees this year, including 100 press and 100 VCs. Half of those in attendance were CEOs. We spotted a number of them, including entrepreneur/CEO (now a VC) Ken Ross, Indus CEO Greg Dukat, Composite SW and entrepreneur Jim Green, former webMethods CEO Phillip Merrick, and a host of others.

M.R. has a rolodex that anyone would die for, and he put it to good use in attracting the top executives from major enterprise software and services companies such as Oracle, Intuit, McKinsey and others for keynote addresses. There were also a number of breakout tracks on the latest trends in our industry, including SaaS, open source and offshoring.

There were a couple of unique forums made available for select startups, including the Launch and the Funding Forum, where startups were given a fixed amount of time to present their business plan to investors, who were invited back to the conference floor for further discussions if interested. Mark Cosway, a member of our board of advisors and President of ActStream Technologies, participated in Launch, and reported new contacts with a number of interested investors.

After taking in this conference, we think that it is safe to say that enterprise software as an industry is ‘cautiously optimistic’. Venture investments are picking up, M&A activity is growing, and the overall buzz was a good one, after the last 4-5 years of doom and gloom. Many of the people that we talked to had taken long sabbaticals after the dot-com bust, and are just now getting back in the game.

All in all, the feeling was that it is a good time to be in the software and information technology business. We hope they’re right - we certainly feel that way.

Ash Seha is a partner at The Launch Factory LLP, a consultancy specializing in marketing, sales, and product management strategy for software and IT companies. Their expertise, garnered from such IT highflyers as i2, webMethods, SAP, and Baan, is focused on breaking the growth barriers that stand between high-growth software and IT companies and their revenue and marketshare goals.