The default security configuration for Windows XP will change dramatically with the installation of Service Pack 2. The Internet Connection Firewall will be enabled by default, the Messenger service will be disabled by default, and a pop-up blocker will be turned on by default. In addition to the new default configuration, there will also be new features. One particularly useful feature for Internet Explorer could be the bane of the spyware community.
Microsoft has introduced two new features called Internet Explorer Add-on Management and Add-on Crash Detection. Add-on Management allows more detailed control of the add-ons that can be loaded by IE, and shows the presence of some add-ons that were previously not shown and could be difficult to detect. Add-on Crash Detection attempts to detect crashes in IE that are related to add-ons.
Add-ons include:
Browser helper objects
ActiveX controls
Toolbar extensions
Browser extensions
In other words – many of the items we now remove as spyware and adware.
Users can enable and disable add-ons individually. They can view a list of add-ons currently loaded in IE, or a list of add-ons that have been used by IE and are still installed. Disabling an add-on does not remove it from the computer.
An administrator can set add-on management to operate in one of 3 modes: Normal, AllowList, and DenyList. Normal is the default mode. AllowList specifies the add-ons that are allowed; all others are denied. DenyList specifies the add-ons that are denied; all others are allowed. Denying add-ons keeps them from being installed.
From Microsoft’s document, Changes to Functionality in Microsoft Windows XP Service Pack 2:
“Why is this change important? What threats does it help mitigate?
Windows Error Reporting data has shown that add-ons are a major cause of stability issues in Internet Explorer. These add-ons significantly affect the reliability of Internet Explorer. These add-ons can also pose a security risk, because they might contain malicious and unknown code.
Many users are unaware of the add-ons they have installed on their computer. Some add-ons are loaded whenever Internet Explorer is started, but cannot be detected unless the user searches the registry. When users experienced crashes, there was no easy way to diagnose whether the issue was related to an add-on. Even if they suspected that the problem stemmed from recently-installed software, it was difficult to isolate the cause and often impossible to resolve if the software did not provide an uninstall option. Internet Explorer Add-on Management, together with Add-on Crash Detection, gives users the ability to improve the security and stability of their systems by identifying and disabling problematic add-ons. Administrators are also provided with a powerful administrative tool to control add-on use in their organization.”
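For the registry search the quoted passage mentions, here is an added PowerShell example that is not part of this article or of Microsoft's document. It only reads the registry and covers browser helper objects and toolbars, not ActiveX controls or browser extensions. The registry paths and the function names Resolve-AddOn and Get-IEAddOn are assumptions that do not come from the page.

```powershell
# Added audit example: read-only, changes nothing on the machine.
# Assumption: these are the standard IE registration keys; the article does not name them.
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$clsidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-AddOn {
    param([string]$Clsid, [string]$Kind)
    # The COM registration under HKCR\CLSID names the DLL that IE loads for this add-on.
    $comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = $null
    $dll  = $null
    if (Test-Path $comKey) {
        $name = [string](Get-Item $comKey).GetValue('')
        if (Test-Path "$comKey\InprocServer32") {
            # Some installers store the path wrapped in quotes; strip them.
            $dll = ([string](Get-Item "$comKey\InprocServer32").GetValue('')).Trim('"')
        }
    }
    $onDisk = $false
    if ($dll) { $onDisk = Test-Path -LiteralPath $dll }
    New-Object PSObject -Property @{
        Kind = $Kind; Clsid = $Clsid; Name = $name; Dll = $dll; DllOnDisk = $onDisk
    }
}

function Get-IEAddOn {
    $found = @()
    if (Test-Path $bhoKey) {
        # Each browser helper object is a subkey named after its CLSID.
        foreach ($sub in Get-ChildItem $bhoKey) {
            $found += Resolve-AddOn -Clsid $sub.PSChildName -Kind 'BHO'
        }
    }
    if (Test-Path $toolbarKey) {
        # Toolbars are values whose names are CLSIDs; skip anything else stored there.
        foreach ($valueName in (Get-Item $toolbarKey).GetValueNames()) {
            if ($valueName -match $clsidRegex) {
                $found += Resolve-AddOn -Clsid $valueName -Kind 'Toolbar'
            }
        }
    }
    $found
}

Get-IEAddOn | Sort-Object Kind, Name |
    Format-Table Kind, Name, Clsid, DllOnDisk, Dll -AutoSize
```

Entries with an empty Name, or with DllOnDisk set to False, are registrations whose COM class or file is missing and are worth a closer look during cleanup.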
There are plenty of reasons to install WinXP SP2. It is recommended, though, that WinXP SP2 be installed on a test machine before it is installed on production machines. That way, legacy applications can be tested with the new version of Windows XP to make sure that they will work correctly, and any configuration issues can be worked out before installing on all machines on a network.
More information on Windows XP Service Pack 2 can be found at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx