Windows XP: A Firewall for All
By Alex Salkever
On Apr. 10 at the RSA Security Conference in San Francisco, Microsoft executive David Thompson, who heads the Windows business group, declared war on hostile code. Translation? Gates & Co. were making a dedicated effort to shore up security flaws in the company's software and cast off a reputation as an easy target for malicious hackers.
It looks like he really meant it, too. The company has redoubled efforts to create more secure code, hired security engineers, and stepped up auditing processes. Evidence of these efforts: Improved encryption and security features in the latest Windows 2000 software that runs corporate networks. Next up: the Windows XP operating system for individual and SOHO users. For the first time, the little guys will also get a bit of a security boost from Redmond.
XP doesn't ship until October, 2001, but security experts who have tested beta versions of the software agree that Microsoft has taken some big steps to make this OS an improvement over the previous versions of Windows. For the first time, Microsoft has built a firewall into the OS. The way XP stores and retrieves files has also been changed to make it more difficult for intruders to hack into hard drives. At a more prosaic level, Microsoft includes capability that can allow home computers with multiple users or companies with shared desktop PC access to better control who gets to access which files and applications.
Bottom line: From a security standpoint, it's a much better OS. "I think it will be a powerful tool for home-office users to have network-level security out of the box," says Joel Scambray, a managing principal at online security consultancy Foundstone.
Let's take a look under the hood. First, the firewall. Dubbed the Internet Connection Firewall, the offering is a belated but welcome admission that significant numbers of Microsoft users have always-on Internet connections, which make them easy targets for malicious hackers. Security experts agree that the OS is the logical place to bundle a firewall.
Although XP doesn't ship with the firewall turned on, the default configuration will hide the computer from hackers turning digital doorknobs. It does this by the simple expedient of ignoring any queries not initiated from within the firewall. "The hacker's first step is to find the machine. But our firewall won't even respond to a 'ping' command," explains Mark Croft, a Windows product manager for Microsoft.
That's pretty standard. Unlike other firewalls, however, XP will prompt users to launch the firewall application in situations where they might be putting themselves at risk. For example, if a user has a network of PCs and is initiating an Internet connection, a dialogue box will pop up on the screen suggesting that the user launch the firewall. And unlike some personal firewalls, the XP version has full "network address translation" capability. You can use it to protect a small network of computers, and the firewall masks their individual Internet addresses from anyone on the outside.
Still, it's a very basic firewall that lacks some functionality. At their best, firewalls serve a dual purpose: They keep hostile code out of your machine by serving as a perimeter defense, and they prevent your computer from becoming an unwitting pawn in cyberattacks by foiling hackers' attempts to hijack it. Unlike other personal firewalls on the market, such as Zone Alarm or Norton Personal Firewall, the Microsoft product fails to block suspicious outbound traffic coming from your desktop because it assumes any data traffic originating from your desktop must be valid.
"It still doesn't seem as comprehensive as ZoneAlarm or some of the built-in firewalls for Linux," says Chris Wysopal, research and development director at Web security company @stake. But security experts figure Microsoft usually starts off this way and later builds advanced system fixes into its products. The best part is that the XP firewall is part of an integrated panel that consolidates most of the security settings. That's a welcome change from past consumer and small-business versions of Windows, which required a user to go through a maze of menus to find and switch on all the optimal security features. Using XP's panel, you can set up your own virtual private network that allows you to dial into your home XP machine.
In the past, this has often been a complicated process that presented many chances for security breaches. But XP lets users set up a VPN through a simple wizard. All of this security integration and simplicity is definitely a step in the right direction. "I think that's what going to happen going forward so that turning everything off becomes one button," says Foundstone's Scambray.
Another big plus for desktop XP is the shift from the old file allocation table (FAT) system to the newer NT file system. These are the two systems that locate files on a hard drive and keep track of where different file fragments are stored. The old version has been a favorite playground for hackers because it made it easy for them to insert malicious code that could hijack a desktop or use it for untoward purposes, unbeknownst to the machine's owner.
The newer NT file system allows an administrator to designate who can access or alter specific files on a system. It also allows a user to encrypt the file directory system, making it very difficult for an intruder to pin down any information on the computer's filing scheme. This was a capability previously reserved for Windows NT-class enterprise software.
In a similar vein, Microsoft has given XP the ability to store multiple user preferences on a single desktop and keep them securely partitioned. That means a small business can create a user profile for a temporary worker who might need a word-processing file but has no need to access financial documents that might also be stored on the same computer.
Similarly, mom can make sure junior doesn't erase all her tax files by dragging the wrong folder into the trash. When junior logs on, he won't even be able to find mom's tax folder since each profile can be password-protected.
While all of this sounds good, the system still has some clear flaws. "Right now, if you download a chunk of malicious code and run it, and a hacker has designed it to make it look like it does one thing but it is actually doing something else, there's no protection in the OS against that," says Chris King, a security analyst at consultancy Meta Group.
And most security experts still take a wait-and-see approach with regard to truly critical functions. "For kids playing games and folks surfing the Net, have a ball. When you start doing things like taking accounts payable and taking credit-card orders, that's when it gets dicey," says William Malik, a security analyst at IT consultancy Gartner. With 45 million lines of code -- a few million lines more than the last version of Windows -- XP is more, not less, complex. More complexity means more chances for security holes.
Steve Lipner, manager of the Microsoft Security Response Center, says enhancing the system's functionality to meet customer demands necessitates more code. That may be, but I still don't blame Malik, who plans to rely more on a dedicated firewall appliance to protect his home network.
Windows XP is definitely a big improvement over past desktop systems in terms of security features. And with XP, Microsoft has clearly shown it's thinking more seriously about the welfare of home- and small-office users. But using what is essentially a brand-new product as the sole protection for your home computer or small-business network might be asking for trouble.
Kudos to Microsoft -- but let's see a bit more. When we do, chances are that plenty of small-business owners will be prepared to put their e-commerce server behind an XP firewall.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht