21
Thu, Nov
1 New Articles

Windows XP SP2: The Good, the Bad, and the Ugly

Commentary
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Microsoft's release of the XP Service Pack 2 (XP SP2) last month created a bit of a stir: The security patch was significant, relatively comprehensive and--for many users--automatically downloaded. Part of the stir was a result of the automatic nature of the download.

Some educational institutions had to shut down access to the Microsoft download site because returning students with new XP computers overwhelmed local college networks with the automatic update to their machines. IT administrators claimed that bandwidth speed was cut in half during the most critical registration period of their academic year. Clearly, in the future, the method by which Microsoft delivers updates needs some better coordination with these and other large institutions.

Hidden in the news, however, has been the effect that XP SP2 is having on pre-existing applications and services that resided on XP computers prior to the release of the update. Of significance to IT is what Microsoft has done to TCP/IP and Remote Procedure Calls (RPC).

Microsoft says that all users who connect to the Internet (and who doesn't?) should be aware of these changes to their system. But most users today treat TCP/IP like electricity, and RPC--a process by which another computer can start a program on a user's machine--is normally and legitimately used only by a few that have advanced custom-written applications. So what has Microsoft done to these important services?

TCP/IP and RPC Changes in XP SP2

TCP/IP stands for Transmission Control Protocol/Internet Protocol, and it's the base service by which millions of computer users attach their computers to the Internet. It's obviously not something that Microsoft developed, but Microsoft's implementation affects nearly 80% of all systems that attach to the global Internet.

Microsoft Windows operating systems have been vulnerable to hijacking through a number of well-documented worms and viruses. Some of these rogue programs use a combination of the services to inflict severe damage to the Internet. Unbeknownst to the user, these worms and viruses have opened TCP/IP ports and enabled the user's machine to receive commands through the RPC function; the purpose of these commands is to spread infection and coordinate Denial of Service (DoS) attacks against specific targets on the Internet.

In essence, the user's computer becomes a robot, controlled by other computers connected to the Internet. Often, the rogue code that has infected the user's computer will send out millions of copies of itself to other computers, using any email address or IP address it can find in the infected machine's hard drive. Then, the code goes into hibernation and waits for a signal from other machines (through the RPC function) to start a DoS attack.

Microsoft itself has several times been the target of these DoS attacks. The DoS attacks use something called the User Datagram Protocol (UDP) to overwhelm the targeted Internet site, making it impossible for legitimate users to access the resources of the target. So effective is the hijacking of computers via this method that a virus can infect millions of machines in just a few minutes, before it can even be detected. During the hibernation period, the user's machine appears normal, but it can be turned into a robot at the behest of its controllers, conducting massive DoS attacks against targets.

Clearly, with so many vital services connected through the Internet--including government services, emergency response systems, and others--this potential threat required Microsoft's attention. The changes to TCP/IP and RPC functions within the Windows XP SP2 represents Microsoft's current attempt to close these vulnerabilities.

Restricting Raw IP Socket Use

Microsoft had a few tactical problems in addressing the above security scenario. First of all, Microsoft does not control the technologies of TCP/IP or RPC. If it did (as IBM owned the SNA and SDLC protocols), it could change anything within these technologies, and everyone would have to comply. However, Microsoft obviously doesn't own either technology: They are standard protocols that are controlled by international standards organizations. Second, non-Windows computers on the Internet--servers and routers and non-Microsoft PCs--could not be negatively impacted by Microsoft's fiddling with the protocols. For instance, Microsoft could not use it's famous "embrace and extend" engineering tactics to break or enhance their interactions on the Internet with others.

Within the Windows operating system itself, Microsoft had to devise some strategy that would minimize the operating system's vulnerabilities, while simultaneously creating the lowest possible change to its interface with other Internet computers and services. In short, Microsoft had to make its versions of the protocols operate as "good citizens" within a much larger community of Internet computers. Microsoft's choices of actions were to eliminate the transmission of data through the raw IP sockets protocol and to restrict the level of transmission of packets that use the UDP with raw IP sockets.

A very small number of Windows applications use raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

  • TCP data can no longer be sent over raw sockets.
  • UDP transmissions with invalid source addresses will not be sent over raw sockets. The IP source address for any outgoing UDP transmission must exist on a network interface; otherwise, the datagram is dropped.

How does this impact the operating system's security? This tactic, according to Microsoft, limits the ability of rogue code to create distributed DoS attacks and limits the ability of the operating system to send spoofed packets (TCP/IP packets with a forged source IP address).

Limiting TCP Connection Attempts

Another means by which XP SP2 has changed the innards of TCP/IP within Windows XP is through the monitoring of TCP/IP connection attempts. Previously, rogue computers infected with viruses often reached uninfected computers by trying to open simultaneous connections to random IP addresses. Most of those random addresses resulted in failed connection attempts, but the speed at which they occurred went unnoticed by the Windows operating system.

Now, under XP SP2, the TCP/IP stack limits the number of simultaneous incomplete outbound attempts, and after that limit has been reached, the rest are placed in a queue and resolved at a fixed rate. According to Microsoft, under normal conditions, when an application is connecting to an available host at a valid IP address, no connection governor will be activated. When the governor does kick in, an event is logged in the system's event log.

Microsoft says that the only probable result of this change to the TCP/IP stack will be that some security tools--including port scanners--will run more slowly. But they will, according to Microsoft, run.

Other WinSock Enhancements

Microsoft has also added a couple of enhancements to its WinSock protocol: the ability to remove applications that impact the Layered Service Provider (LSP) mechanism, and two new Netshare commands to reset and show the parameters of a network share configuration.

RPC Changes

Of equal significance to the security of a Windows XP are the changes that have been implemented to the RPC function of Windows XP. These changes allow the Windows server application to restrict the access to the RPC interface. Microsoft envisions a security callback process in which a registry key verifies access when the computer receives a remote program call. The server, after verifying that the calling program is from a valid IP address, calls the initiating computer back. The registry key forces RPC to perform additional security checks for all interfaces, even if the interface has no registered security callback.

This new RPC functionality could break an existing application if the application expects to receive calls from remote anonymous RPC client machines. They won't be able to connect to the server application. Likewise, the DCOM objects that use this function won't work either. Additionally, because secure RPC calls over connectionless protocols, such as UDP and IPX, use a lower level of security than calls over connection-oriented protocols, these calls will always be considered insecure and will fail by default.

To fix these applications, the new registry key--called RPC_RESTRICT_REMOTE_CLIENT_NONE--will need to be altered. Microsoft provides a number of settings to help overcome this limitation. The actual settings that need to be implemented are too specific for this article to address, and you may be required to change the RPC applications in order to make things work as you planned.

Is XP SP2 Worth the Hassle?

It's too soon to predict the impact--positive or negative--that the changes implemented to Windows XP will bring. Certainly, the changes seem, on the surface, to be a substantial reengineering of how XP deals with the Internet. But still missing are significant security control mechanisms within Windows that treat services and functions as more than just entries on a registry table, things like object security control mechanisms and better change-management security. In this regard, Windows security implementations of services still resemble the table-driven operating systems of years gone by.

And too, as Microsoft continues to resolve security issues with XP and future releases of the operating system, it should address the issue of patch distribution through other means besides automatic download distribution.

Finally, this article doesn't address all the enhancements and patches that XP SP2 provided. Many more are important, though the TCP/IP and RPC patches are probably most significant.

Nonetheless, XP SP2 is a very good beginning. Unfortunately, it is only a beginning for Microsoft. As the corporation evolves over the next five years, it will be important for IT management to monitor how Microsoft performs its role as a secure provider.

Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.

Thomas Stockwell

Thomas M. Stockwell is an independent IT analyst and writer. He is the former Editor in Chief of MC Press Online and Midrange Computing magazine and has over 20 years of experience as a programmer, systems engineer, IT director, industry analyst, author, speaker, consultant, and editor.  

 

Tom works from his home in the Napa Valley in California. He can be reached at ITincendiary.com.

 

 

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: