Microsoft's Windows XP operating system has arrived amid a multi-million dollar worldwide marketing fanfare the like of which we rarely see.
But what difference is it likely to make to a company's information security requirements? Has it solved the security concerns evident in Windows 98 and 2000 or is it still a liability? What challenges does it pose for the information security manager or IT director?
There is no doubt that XP is a great improvement on its predecessors in security terms. The allegation that more than half of web defacements were attributable to insecurities inherent in Microsoft operating systems, as well as several high-profile denial-of-service attacks, did some real damage to Microsoft's credibility, and the IT whizzes from Redmond seemed determined to address this.
XP is undoubtedly a departure for Microsoft. For example, it is the first time Microsoft has not used DOS as the base code for its operating systems; instead it has built XP primarily using the more stable NT code.
The increase in security functionality is equally notable. For example, XP allows for the controlled sharing of computers by several users through a personalized login. Different users of the same PC can now have different names and passwords which will provide exclusive access to their own documents. It is also possible to switch between users without logging out.
XP also controls the way in which network authentication is performed. In previous operating systems, attacks had succeeded by using blank passwords, but with XP it is no longer possible to gain access to the network without a password.
Internet access has been made more secure through XP's Internet Connection Firewall (ICF). The ICF serves as an in-built enterprise firewall, dynamically opening and closing ports for as long as the associated application deems it necessary to move data. This functionality will inevitably pose a threat to some providers of firewalls with active packet filtering.
Microsoft's Internet Explorer version 6.0, which is supplied as standard with Windows XP, also supports the Platform for Privacy Preferences (P3P) standard by offering control of the transmission of personal information to web sites. IE 6.0 specifically controls how cookies are handled when connecting to web sites. This could help, for example, to ensure that sites do not breach the U.K.'s Data Protection Act by using cookie-based information to target marketing activity at users without their permission.
XP also allows for automatic encryption of data through its Encrypting File System (EFS). EFS, although already an established piece of functionality present in Windows 2000, has been integrated much further into XP. It is now much easier to manage data confidentially and to link in to any corporate PKI that has already been established.
It is also possible to have encrypted files that are cached locally on Windows XP systems. Furthermore, it is now viable to have multiple levels of certificate trust hierarchies using the XP operating system. And with the use of certificates, Microsoft has made it easier for users to deploy stronger levels of authentication.
Both Windows XP and Windows 2000 also benefit from the facility to implement network level encryption using IPsec standards-based encryption. This has the added benefit of increasing security in an enterprise, whether computers are connected to the same network or connected via the Internet using a virtual private network, for example. The authentication and management of this facility is controlled by the company using group policies. XP goes even further by embedding smartcard support into the operating system, making the authentication process more secure than using passwords alone.
There is therefore little doubt that Windows XP has gone a long way to dispel many of the security concerns that existed with its predecessors. However, even with this additional functionality, there is a need for enterprises to remain vigilant. For example, it is still possible for unscrupulous users or hackers to steal people's identities and thus effectively become those people for the purpose of accessing documents and internet-based services. Arguably, support for changing socket addressing makes IP address spoofing even more likely.
The issue of keeping the operating system up-to-date with the latest patches also remains a big one for companies. Microsoft issued over 100 security bulletins demanding action in 2000 and over 60 in 2001. Several XP security patches have already been issued at the time of writing. It will be interesting to see what this figure is in 2002!
You only have to read about the latest patches to discover some of the threats that smart security professionals are spotting and reporting to Microsoft all the time. For example, a recent patch on IE 5.5 and IE 6.0 clears up several security holes, including one very serious one related to IE 6.0.
This particular flaw meant that if an attacker altered the HTML header information in a certain way, it would be possible to make IE believe that an executable file was of a different type - such as a text file - that could be opened with minimal risk. This vulnerability meant that a hacker could create a web page or HTML email that, when opened, would automatically run an executable file (containing malicious code) on the user's system. These sorts of vulnerabilities are being spotted, and patches created to block them, as part of an ongoing process.
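The flaw described above comes down to a mismatch between the type a piece of content declares and what its bytes actually are. The following added example (not part of the original article, and not Microsoft's patch) shows how a mail gateway could screen for that mismatch in general; the function names, the list of low-risk types and the sample message are assumptions made for illustration.

```python
# Added example (not from the article): screen a message for parts whose
# declared MIME type is low-risk but whose bytes are a Windows executable.
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed list of declared types a client would open or render without a prompt.
LOW_RISK_PREFIXES = ("text/", "image/", "audio/", "video/")

def looks_like_pe(payload: bytes) -> bool:
    """True if payload has a DOS 'MZ' header that points at a PE signature."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(payload[0x3C:0x40], "little")
    return payload[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def mismatched_parts(raw_message: bytes) -> list:
    """Return (declared_type, filename) for low-risk parts that carry a PE image."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        declared = part.get_content_type()
        if declared.startswith(LOW_RISK_PREFIXES) and looks_like_pe(payload):
            findings.append((declared, part.get_filename()))
    return findings

def build_sample(attachment: bytes) -> bytes:
    """Constructed test message: HTML body plus one part declared text/plain."""
    msg = MIMEMultipart("mixed")
    msg.attach(MIMEText("<html><body>hello</body></html>", "html"))
    part = MIMEBase("text", "plain")
    part.set_payload(attachment)
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename="notes.txt")
    msg.attach(part)
    return msg.as_bytes()

# Constructed 68-byte stub carrying only the MZ/PE signatures; it is not a program.
PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    print(mismatched_parts(build_sample(PE_STUB)))
    print(mismatched_parts(build_sample(b"plain notes\n")))
```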
Even though XP and IE 6.0 provide the tools to update machines across the enterprise with the latest patches, security managers still face the challenge of testing the patches before deploying them across the enterprise. Up to one such deployment per week may still be needed. And what happens if the damage has already been done before the vulnerability has been spotted and the patch issued?
The other issue with downloading patches from Microsoft for PCs within the enterprise is that a malicious company or hacker could change the DNS records for WINDOWSUPDATE.MICROSOFT.COM and then, for example, plant a trojan horse in the download. To help mitigate this type of threat, Integralis advises customers to consider defining a central policy that lays out standard Windows builds that can be deployed to all machines across the enterprise. This will take on the task of testing the new patches from Microsoft, so that their likely impact on the enterprise is properly assessed prior to deployment.
So it is clear that despite many improvements built into Windows XP, no operating system can be completely secure in a world that is now connected to the Internet and populated with hackers, crackers and even unscrupulous employees. A company must remain vigilant in the updating and communication of computer usage policies and security procedures, and consider carefully how it is managing and monitoring its security devices around the clock. Without this care, even Windows XP enterprises remain at risk of losing control of their most vital asset - their information.
Paul Barker is technical architect within Integralis' professional services division. Integralis (www.integralis.com) is one of Europe's leading specialists in the IT and e-commerce security market, and has recently entered the U.S. market.