Windows XP SP3 Security
The reality is that not every organisation has upgraded to Windows Vista. With Windows XP (launched in 2001 and still being sold) Microsoft have released service pack 3, the latest and probably the last version.
What does WXP SP3 mean to organisations that have Windows XP and how will it impact on operating system upgrades?
What's it about? Microsoft's goal is not to rock the boat with Service Pack 3 and this release is more like service pack 1 than service pack 2 with subtle feature changes. The focus being placed more on Operating System stability, performance and patch amalgamation. With an install base of over a billion Windows XP users, this update is going to impact on the security, stability and performance of many computers.
The future of XP: Microsoft plans to drop XP mainstream support in 2009 and drop extended XP support in 2014, however Microsoft have "backported" some Windows Vista features into Windows XP SP3. Let us take a closer look at the changes.
What's inside XPSP3?
- Stability updates: These updates impact on how the already stable XP runs increasing the availably and reliability of the operating system.
- Performance updates: These updates improve XP performance and enhance interoperability and hardware compatibility.
- Security Updates: These updates include previous security updates and new updates.
- Out of band releases: These updates include some releases that Microsoft has developed like MMC 3.0 and core XML services 6.0.
- Minor feature updates: Features like NAP have been added so that customers can now take advantage of Windows 2008 server. Support for WPA2 is also available as a separate download.
Microsoft recommends Windows XP Service Pack 3 as the de facto standard for users running Windows XP. Service Pack 3 is the baseline update for customers still using Windows XP. Microsoft have elected for the latest version of Internet explorer to not be installed with Service Pack 3. If IE7 or IE6 is detected during the installation respective updates and security patches are applied to match the correct version.
Service Pack 3 Security Elements
Some of the new features found in Windows XP SP3 are:
- Network Access Protection compatibility (NAP). Announced a while back, this feature enables Windows XP computers to leverage the NAP feature in Windows Server 2008. This is also found in Windows Vista. From a compliance perspective this is a big win, as this element enables users to better protect their network by evaluating the connected system's heath status, for example, the antivirus pattern level and the patch level of the respective machine. If the computer at time of connection complies with the prerequisite policy element then the machine is allowed network access, if the policy is not met then the machine is quarantined to a network segment, which has limited access to resources. This limited access allows for the machine to be updated to an acceptable level before being scanned again and approved to be used on the production network.
From a remote access perspective this feature is useful as travelling users are known to be in "promiscuous mode", meaning they will connect to any network or computer that they may come across during their time away from the office. This in turn may leave the computer exposed and the vulnerability could be exploited or malware could slip past the antivirus defences. This would potentially lead to a compromise and result in unauthorised access or the malicious software could propagate once the remote user connects. The quarantine option scans and verifies that the computer is protected and set to an acceptable level before being allowed access through to the remote environment. This is a long awaited feature and is welcome in many circles. For more information see Network Access Protection.
- Product Key-less install option. As with Windows Vista, XP SP3 installs can proceed without entering a product key during setup. But keep your product key handy as thirty days later you will have to enter the key in or your operating system will be reduced to a limited mode version.
- Kernel Mode Cryptographic Module. This feature is a kernel module that "encapsulates several different cryptographic algorithms," not quite sure what that entails but I am sure this feature is going to be used to better enhance how XP handles crypto requests at the application layer. More encryption, more protection, as long as the keys are secure. I look forward to this feature and am interested in how vendors will leverage this.
- "Black hole" router detection algorithm. This feature enables the XP client to identify routers that drop packets. This is a backported feature found in Windows Vista.
- Simple Policy Update for Windows XP: A welcome feature that helps make things easier when it comes to the mysterious topic of XP IPSec; the creation and maintenance of IPSec filters. The simplification of this feature makes it a lot easier to rollout IPSec for domain and network communication.
- Digital Identity Management Service (DIMS): This feature enables the users logged into any domain based computer to seamlessly access their certificates and private keys for applications and services.
- Wi-Fi Protected Access 2 (WPA2): This feature adds support for WPA2, or IEEE 802.11i standard. More security for wireless communication is a true relief as natively XP lacked the ability to do this without a third party component. From a security perspective this is a welcome change. I am not sure how many organizations will implement this technology just yet as previously it has suffered from complex design.
1,073 fixes are part of this update. These updates upgrade Windows XP to the very latest version including all the hardware support and software upgrades that are not included in Windows update. A common question is: do I need to install service pack 1 and 2 before installing service pack 3; the simple answer is no, service pack 3 already contains the updates and features of service pack 1 and 2.
After installing it was found that the performances on the laptop improved by 16%. Figures have been reported in the industry of up-to 25% but this still needs to be clarified. The official figures are closer to 10%.
Some companies are still rolling out Windows XP; in the European banking and trust sector. XP is now the standard and because of the significant effort and resources required in changing an Operating System I do not see organizations changing their tack in the near future. Microsoft would be better off making small changes to the operating system that would eventually amount to an upgrade by using windows update, than by versioning and completely changing the platform every few years. In this way the hardware would limit the feature set and the customer experience would be dynamic.
Windows XP is not going to disappear overnight. It has become a stable platform used by many organisations internationally and the investment in the product by the customers with regards to skills and software is great. Installation of service pack 3 for Windows XP is recommended as it establishes a new baseline for organisations and users still deploying and running Windows XP. If you are considering implementing features like NAP, XP SP3 is a must. This update extends the life of Windows XP and the few additional features make this update worth the installation.