Questions About Windows XP SP2

Link19

Senior member
Apr 22, 2003
About a month ago, I slipstreamed SP2 into my Windows XP install CD, and did a format and clean install of Windows XP Pro with SP2 integrated into the install. Now, I know there has been a lot of hype about how SP2 includes all these new security enhancements and how many state that they don't need SP2 because they don't want the new bloated extra security features it contains. I've also heard from others that SP2 is not an optional upgrade and that you should install it. I certainly don't blame the ones who don't want to install it because it contains extremely overly cautious and annoying security features that the average power user won't need. But at the same time, why not just install just as you would any other MS service pack so you have the whole core OS updated and then just disable the extra security bloat you don't need that can get in the way of what you do. That's what I did and I wish there was more saying to that as to why you should install SP2, rather than just saying you should, considering almost all the attention SP2 is getting about its new security features and hardly anything about what a usual new MS service pack gets when it comes out. Therefore, when most people hear the term XP SP2, the only thing that probably comes to mind is its new overly strict security features, and not about the whole core OS being updated with new drivers, previous hotfixes and such. That's an important emphasis I think that must be stressed when talking about SP2 for XP, not just the new security features which I don't like, because you can always disable them and still have the core of your OS updated.

Now I disabled DEP, the Windows Firewall/Internet Connection Sharing Service, Security Center, and raised the maximum number of TCP/IP connections to get rid of that annoying limit at 10. I already have a hardware firewall and a good AntiVirus software constantly up to date, and I feel that is plenty of security and disabling those extra security features will improve performance and I won't have any compatibility issues. Now obviously, I know you are less secure overall than if you left those security features enabled, but that is ok because I have a secure setup with what I just mentioned. Now my question is, am I still just as secure with Windows XP SP2 with the things I disabled as I would be with a fully patched Windows XP SP1 system or fully patched Windows 2000 SP4 system as long as I keep up with security patches for XP SP2? I would think so, but just want to make sure that future security patches don't assume that XP SP2 is considered non-affected software, but only with the new security features turned on. I would think the new security features are just extra security in XP SP2, but not essential for keeping an XP SP2 system just as safe or maybe a little safer than a fully patched WIN 2000 SP4 or WIN XP SP1 system. But I just want to make sure that's the case.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
Now I disabled DEP

Why?

and raised the maximum number of TCP/IP connections to get rid of that annoying limit at 10

There is no connection limit, since you don't actually know what the security measures are, why they are important, and why they should be enabled, you don't have enough knowledge to be messing with them.

Bill
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: bsobel
. . . since you don't actually know what the security measures are, why they are important, and why they should be enabled, you don't have enough knowledge to be messing with them.

Bill

I wonder about that in regards to most of the tweaking that people do to their systems.
 

Nothinman

Elite Member
Sep 14, 2001
I certainly don't blame the ones who don't want to install it because it contains extremely overly cautious and annoying security features that the average power user won't need.

How would you know what the average user does and doesn't need? Given the number of machines still infected with CodeRed, I would say just about everyone needs a lesson in security and why it's important.

Now I disabled DEP, the Windows Firewall/Internet Connection Sharing Service, Security Center, and raised the maximum number of TCP/IP connections to get rid of that annoying limit at 10

There is no such limit, please stop spreading misinformation.

I already have a hardware firewall and a good AntiVirus software constantly up to date, and I feel that is plenty of security and disabling those extra security features will improve performance and I won't have any compatibility issues

That hardware firewall won't stop any outbound traffic so when you do get some spyware installed you won't know it until it starts causing more noticeable problems.
 

Link19

Senior member
Apr 22, 2003
The Windows firewall doesn't stop outbound traffic either. You need a good 3rd software firewall to do so. That's what I've heard anyway about the Windows Firewall and why you should use something else. I scan my machine every week for viruses, trojans, and spyware. I use NOD32, Spybot S&D, and Ad-Aware SE. I always ensure I have the latest definitions and am up to date. So don't try and tell me I know nothing about security. I am not a technical expert, but I do know what I need to do to be secure. I know the average user doesn't know much about security, and therefore probably needs most of these things for a lesson in security. What I was saying is that not everybody needs them. I disabled DEP because that has been the cause of many application compatibility problems with Windows XP SP2 and it slows performance if you don't have a hardware supported DEP capable CPU which I don't. I see DEP as a good thing to use in the future when almost every PC sold has a CPU that supports hardware enforced DEP and almost no compatibility problems exist with the most widely used software. But DEP was implemented too early now considering all the compatibility problems there have been.

The whole point is, I simply asked a question at the end of my first post. I didn't ask for people to come and be critical because of the way I choose to setup my PC!!!! It is my decision how I choose to setup my system and it is not your place to come and shout off as if I'm stupid for doing such and asking a simple question. I basically wanted the SP2 update for the same reason there was to update to SP1 when it came out for Windows XP and SP4 for Windows 2000 users. It updates the core of the OS and contains all previous fixes just as all MS Service Packs do. That's why I and I'm sure many others installed SP2. I never wanted it merely because of the overly cautious new security restrictions it has. I feel very comfortable with the level of security I have on my system and the precautions I take, and no need for all that extra crap XP SP2 has on by default which has been the major cause of compatibility issues.
 

n0cmonkey

Elite Member
Jun 10, 2001
There is no such thing as "being secure," only working towards security. :p

You're fine. Take time to think about what you are doing, and you'll be farther ahead of most of the world.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
I disabled DEP because that has been the cause of many application compatibility problems with Windows XP SP2 and it slows performance if you don't have a hardware supported DEP capable CPU which I don't.

The software DEP functionality is always active, it's the exception handler's decision to allow continuation or termination that the setting controls. What 'slow performance' are you seeing? Please provide the benchmarks you're referring to.

:roll:

So don't try and tell me I know nothing about security

So far all I've seen you do is repost misinformation

Bill


 

n0cmonkey

Elite Member
Jun 10, 2001
Oh, just so you know, the 3 people that have responded to you are security professionals. ;)
 

Link19

Senior member
Apr 22, 2003
The software DEP functionality is always active, it's the exception handler's decision to allow continuation or termination that the setting controls. What 'slow performance' are you seeing? Please provide the benchmarks you're referring to.

Let me just say this. When the time comes where I have a hardware supported DEP capable CPU, and don't use any applications that were made before Windows XP SP2 has been around, I will always use DEP. But for now, it is not something I want with all the compatibility problems there have been and a decrease in performance. There is a decrease in performance I have seen when using my PC. There are no benchmarks I'm referring to. And yes, I have seen benchmarks where the performance score was lower with DEP on than with it off.

There is no such thing as "being secure," only working towards security.

You're fine. Take time to think about what you are doing, and you'll be farther ahead of most of the world.

I know that nothing is ever 100% secure and that there are always risks. But for that last statement, are you, in other words, saying that I am just as secure with my current setup as I would be with an older version of Windows fully patched?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Link19
There is no such thing as "being secure," only working towards security.

You're fine. Take time to think about what you are doing, and you'll be farther ahead of most of the world.

I know that nothing is ever 100% secure and that there are always risks. But for that last statement, are you, in other words, saying that I am just as secure with my current setup as I would be with an older version of Windows fully patched?

Not really. I'm saying that you are as secure as you are. Kinda "WTF" huh? :p Over all, if you keep up a slightly paranoid mindset when using the machine, you will probably be fine.
 

Link19

Senior member
Apr 22, 2003
Not really. I'm saying that you are as secure as you are. Kinda "WTF" huh? Over all, if you keep up a slightly paranoid mindset when using the machine, you will probably be fine.

So are you telling me that I am less secure with Windows XP SP2 fully patched with DEP and the Windows firewall disabled than I would be if I were running a Windows 2000 SP4 fully patched or Windows XP SP1 fully patched? I ask based on the fact that the same security precautions and same software would be installed on each OS.
 

n0cmonkey

Elite Member
Jun 10, 2001
Yes, sure, fine, ok. You're as safe as any random person using a different, and fully patched, OS than you are. Is that what you want to hear? :roll:
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
Link19, from what I read into Microsoft's DEP info, it seems to say that the hardware DEP is another measure than the software DEP. It isn't like... oh... software 3D rendering versus hardware-accelerated Direct3D or something.

Software-enforced DEP

An additional set of data execution prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced DEP runs on any processor which is capable of running Windows XP SP2. By default, software-enforced DEP only protects limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

Bigger picture: if you want to enhance your security, one measure that will help is to switch to a Limited-class user account for daily usage. This seems to be the norm for the *nix guys (am I right, *nix gurus?) but not for Windows users who are all accustomed to having full Administrator powers on tap 24/7, whether they need them or not. Keeping the weapon unloaded when you don't need to shoot stuff... what a concept ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: mechBgon
Bigger picture: if you want to enhance your security, one measure that will help is to switch to a Limited-class user account for daily usage. This seems to be the norm for the *nix guys (am I right, *nix gurus?) but not for Windows users who are all accustomed to having full Administrator powers on tap 24/7, whether they need them or not. Keeping the weapon unloaded when you don't need to shoot stuff... what a concept ;)

As usual, you are correct. :)
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
Originally posted by: n0cmonkey
Originally posted by: mechBgon
Bigger picture: if you want to enhance your security, one measure that will help is to switch to a Limited-class user account for daily usage. This seems to be the norm for the *nix guys (am I right, *nix gurus?) but not for Windows users who are all accustomed to having full Administrator powers on tap 24/7, whether they need them or not. Keeping the weapon unloaded when you don't need to shoot stuff... what a concept ;)

As usual, you are correct. :)
:beer: :)
 

dawks

Diamond Member
Oct 9, 1999
Just a note, Windows XP SP2 was compiled with a new switch that allows for a dramatic decrease in the amount of buffer overflows possible. One of the big but little known enhancements to XP. I don't think this has been implemented in any Windows 2000 Service Packs.

As stated before, there is no connection limit, unless we're talking about IIS 5.1 on Windows XP. The IIS that ships with Windows XP is limited to 10 connections, and has been since the day it was released. This is also the case for Windows 2000 Pro.

Disabling the Security Center Service will not lessen your security level. It's just a program that is meant to inform the user about the state of three keys to security on their system (Firewall, AntiVirus, and Windows Updates).

The bottom line, Windows XP SP2, and Windows Server 2003 are the most secure and safe operating systems currently available from Microsoft.
 

spyordie007

Diamond Member
May 28, 2001
Let me just say this. When the time comes where I have a hardware supported DEP capable CPU, and don't use any applications that were made before Windows XP SP2 has been around, I will always use DEP. But for now, it is not something I want with all the compatibility problems there have been and a decrease in performance. There is a decrease in performance I have seen when using my PC. There are no benchmarks I'm referring to. And yes, I have seen benchmarks where the performance score was lower with DEP on than with it off.

I'm not aware of compatibility "problems" with DEP; software-enforced DEP only protects a small amount of system binaries so it shouldn't cause compatibility issues or performance problems with 3rd party software or hardware. If you've got solid information that states otherwise I'd like to see it, but all you've stated so far about DEP seems to be your opinion and nothing more.

Bigger picture: if you want to enhance your security, one measure that will help is to switch to a Limited-class user account for daily usage. This seems to be the norm for the *nix guys (am I right, *nix gurus?) but not for Windows users who are all accustomed to having full Administrator powers on tap 24/7, whether they need them or not. Keeping the weapon unloaded when you don't need to shoot stuff... what a concept

I agree whole-heartedly! And considering how easy it is to launch the handful of things you *might* need admin privileges for using run-as there really isn't a reason not to do this (aside from laziness).

Just a note, Windows XP SP2 was compiled with a new switch that allows for a dramatic decrease in the amount of buffer overflows possible. One of the big but little known enhancements to XP. I don't think this has been implemented in any Windows 2000 Service Packs.

This is correct. All the executable code in Windows was recompiled in a way that will help make it much less susceptible to these types of attacks (which have become increasingly common in the past years). This is not something available for Win 2K.

So are you telling me that I am less secure with Windows XP SP2 fully patched with DEP and the Windows firewall disabled than I would be if I were running a Windows 2000 SP4 fully patched or Windows XP SP1 fully patched? I ask based on the fact that the same security precautions and same software would be installed on each OS.

Actually even with DEP and the windows firewall disabled XP SP2 is going to be more secure "out of the box" than Win 2K.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
I did run into one DEP abort on my Athlon64 rig, with DEP enabled for all programs. Adobe Acrobat 6.0.1, I went to Help > Updates and tried to get the 6.0.2 update and the Atmosphere 1.0 player. The Adobe Update Manager got shut down by the DEP protection. It's repeatable. I sent off the error reports and I suppose it will get fixed in due time. No biggie, I can make an exception if I want to... pic
 

spyordie007

Diamond Member
May 28, 2001
Originally posted by: mechBgon
I did run into one DEP abort on my Athlon64 rig, with DEP enabled for all programs. Adobe Acrobat 6.0.1, I went to Help > Updates and tried to get the 6.0.2 update and the Atmosphere 1.0 player. The Adobe Update Manager got shut down by the DEP protection. It's repeatable. I sent off the error reports and I suppose it will get fixed in due time. No biggie, I can make an exception if I want to... pic

Sorry I should have been more specific in my post. I was referring to problems with software-enforced DEP (Windows components). There are inevitably going to be issues with hardware-enforced DEP and 3rd party software.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
True. And it's not exactly an apocalyptic event or anything where it does happen, a guy just has to click a checkbox and an OK button to make an exception to DEP enforcement if appropriate. I'd rather be given the option, especially if the program turns out to be Something Nasty™. Call it a tripwire :)
 

Link19

Senior member
Apr 22, 2003

spyordie007

Diamond Member
May 28, 2001
Bill knows more about this one than I do (as he is the one who originally brought it to my attention).

As I understand it this is not a 10 connection limit; it's a queue that is designed to limit the number of unestablished TCP connections that are open at one point in time. You can still have hundreds of inbound and outbound connections (they would just get queued so they wouldn't open all at once). This should not interfere with legitimate program behavior because legitimate programs are going to complete the proper 3-way handshake connection establishment process (as all legitimate TCP connections should).

The reason for doing this is not to limit how many people you can connect to (say with P2P applications) but rather to slow the spread of blaster and sasser type worms. The worms are specifically written to not finish establishing the TCP session so they can drop their payload and move on faster. This additional security feature of SP2 is not designed to stop the spread of these types of attacks altogether; however by queueing them it simply slows them down.

If I'm off on any of my technical details please feel free to correct.

The sites that keep saying XP is limiting connections are just spreading FUD.

-Erik
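
A simplified model of the queue described in the post above, added here as an illustration; it is not part of the thread and does not reproduce the actual tcpip.sys logic. The limit of 10 is the figure from the thread; the 21-second give-up time, the 100 ms handshake time and the three workloads are constructed assumptions.

```python
import heapq

HALF_OPEN_LIMIT = 10      # figure discussed in the thread
SYN_TIMEOUT_MS = 21_000   # assumption: how long an unanswered attempt stays half-open
RTT_MS = 100              # assumption: handshake time to a peer that answers


def schedule(attempts, limit=HALF_OPEN_LIMIT):
    """Return the time (ms) at which each attempt's SYN is actually sent.

    attempts: list of (requested_ms, peer_answers), sorted by requested_ms.
    An attempt occupies a half-open slot until the handshake completes
    (RTT_MS) or the attempt gives up (SYN_TIMEOUT_MS). When every slot is
    taken, later attempts wait in FIFO order for the next slot to free up.
    limit=None models a stack without the throttle.
    """
    releases = []   # min-heap of times at which half-open slots free up
    sent_at = []
    for requested, peer_answers in attempts:
        # Drop slots that were already released before this request.
        while releases and releases[0] <= requested:
            heapq.heappop(releases)
        if limit is not None and len(releases) >= limit:
            start = heapq.heappop(releases)   # queued until the earliest slot frees
        else:
            start = requested
        hold = RTT_MS if peer_answers else SYN_TIMEOUT_MS
        heapq.heappush(releases, start + hold)
        sent_at.append(start)
    return sent_at


def summarize(attempts, limit=HALF_OPEN_LIMIT):
    """Time the last SYN left the machine and the worst queueing delay."""
    sent = schedule(attempts, limit)
    delays = [s - req for s, (req, _) in zip(sent, attempts)]
    return {"last_sent_ms": sent[-1], "max_delay_ms": max(delays)}


# Constructed workloads, 200 connection attempts each.
p2p_burst = [(0, True)] * 200                      # all at once, every peer answers
steady_app = [(i * 50, True) for i in range(200)]  # 20 per second, peers answer
scanner = [(i * 10, False) for i in range(200)]    # 100 per second, nobody answers

if __name__ == "__main__":
    for name, load in (("p2p_burst", p2p_burst),
                       ("steady_app", steady_app),
                       ("scanner", scanner)):
        print(f"{name:11} throttled={summarize(load)} "
              f"unthrottled={summarize(load, limit=None)}")
```

In this model the 200-connection burst to answering peers is fully sent within 1.9 seconds and the steady application is never delayed, while the scanner whose targets never answer needs about 399 seconds instead of 2.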
 

Link19

Senior member
Apr 22, 2003
Originally posted by: spyordie007
Bill knows more about this one than I do (as he is the one who originally brought it to my attention).

It's not a 10 connection limit; it's a queue that is designed to limit the number of unestablished TCP connections that are open at one point in time. You can still have hundreds of inbound and outbound connections (they would just get queued so they wouldn't open all at once). This should not interfere with legitimate program behavior because legitimate programs are going to complete the proper 3-way handshake connection establishment process (as all legitimate TCP connections should).

The reason for doing this is not to limit how many people you can connect to (say with P2P applications) but rather to slow the spread of blaster and sasser type worms. The worms are specifically written to not finish establishing the TCP session so they can drop their payload and move on faster. This additional security feature of SP2 is not designed to stop applications from opening un-established connections; however by queueing them it simply slows them down.

The sites that keep saying XP is limiting connections are just spreading FUD.

-Erik

I guess that's a better way to put it in that it slows them down, and doesn't limit them. Therefore, I raised the queue so things won't slow down.
 

spyordie007

Diamond Member
May 28, 2001
Therefore, I raised the queue so things won't slow down.

This really is unnecessary.

Any application that is operating correctly is going to open the TCP connections and correctly establish them (even P2P applications, which are the ones that most people seem to be concerned about). There really shouldn't be a noticeable "slow down" to any applications that are behaving properly.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
Originally posted by: Link19
I have read many things stating that Windows XP SP2 does have a TCP/IP connections limit. Links to some of the articles below:

http://www.speedguide.net/read_articles.php?id=1497
http://www.lvllord.de/?lang=en&url=4226patch/faq
http://www.msfn.org/comments.php?shownews=9017
http://packetfour.com/page.php/26_0_1_0_M/

And I'm sure you can find many more references that state the same thing about SP2 limiting inbound connections to 10.

From your OWN first list "Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections".

So, you went and patched tcpip.sys to change this? Brilliant, just brilliant.

Bill