Title: Windows XP SP2 30 June 2004
1. Windows XP SP2
30 June 2004
Mark Smylie Hart
Network Security Officer
Campus Information Technologies and Educational Services
University of Illinois at Urbana-Champaign
2. Port 445
- Default firewall config blocks incoming traffic on port 445 (Microsoft Directory Services)
- Not an issue for Group Policy: GP requests are initiated from the client at login
- Ports 137, 138 and 139 can be closed or open locally while 445 is open globally.
- You can enable port 445 (or any port) via command line
  - C:\> netsh firewall set portopening tcp 445 enable
www.cites.uiuc.edu
M.S.Hart / 30 June 04 / 2
3. Firewall
- Microsoft predicts application incompatibility if the app doesn't work with stateful filtering, and the firewall MAY conflict with other hardware/software based firewalls
- BOOT TIME POLICY prohibits inbound connections during boot, and if the firewall service fails, all incoming connections are BLOCKED (remote admin issue)
- Enabling file and print sharing allows access from LOCAL SUBNET ONLY by default
- RPC will not work by default
4. Firewall
- ALL outbound connections are allowed.
- TCP sessions are only allowed from a particular target, no redirections.
- UDP requests to a particular port will be allowed for 90 seconds (from ANY IP on that port)
- Multiple profiles are supported (one for office network, one for home)
- Most applications will request permission to access the Internet now (not IE). Windows Messenger is one of them.
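The reply-handling rules on this slide, modelled as a small state table (an added example, not part of the original slides and not Microsoft's implementation). It assumes the 90-second UDP window is keyed on the local port the request was sent from; the class and function names, ports and documentation-range addresses are constructed for illustration.

```python
# Simplified model of the stateful rules listed on the slide (added example).
UDP_WINDOW = 90  # seconds, as stated on the slide


class StatefulFilter:
    def __init__(self):
        self.tcp_flows = set()   # (local_port, remote_ip, remote_port)
        self.udp_open = {}       # local_port -> time the reply window closes
        self.exceptions = set()  # (proto, local_port) opened explicitly

    def open_port(self, proto, port):
        # Stands in for a configured exception such as the port 445 opening
        self.exceptions.add((proto, port))

    def outbound(self, proto, local_port, remote_ip, remote_port, now):
        # All outbound traffic is allowed; remember it so replies can match
        if proto == "tcp":
            self.tcp_flows.add((local_port, remote_ip, remote_port))
        elif proto == "udp":
            self.udp_open[local_port] = now + UDP_WINDOW
        return True

    def inbound(self, proto, local_port, remote_ip, remote_port, now):
        if (proto, local_port) in self.exceptions:
            return True
        if proto == "tcp":
            # Only the exact host and port that was contacted may answer
            return (local_port, remote_ip, remote_port) in self.tcp_flows
        if proto == "udp":
            # Any source address is accepted while the window is open
            return now <= self.udp_open.get(local_port, float("-inf"))
        return False


def demo():
    fw = StatefulFilter()
    fw.outbound("tcp", 1050, "192.0.2.10", 80, now=0)
    fw.outbound("udp", 1051, "192.0.2.53", 53, now=0)
    return {
        "tcp_reply_from_target": fw.inbound("tcp", 1050, "192.0.2.10", 80, now=1),
        "tcp_from_other_host": fw.inbound("tcp", 1050, "198.51.100.7", 80, now=1),
        "udp_from_other_host_in_window": fw.inbound("udp", 1051, "198.51.100.7", 4000, now=89),
        "udp_after_window": fw.inbound("udp", 1051, "192.0.2.53", 53, now=91),
        "unsolicited_445": fw.inbound("tcp", 445, "203.0.113.5", 3000, now=1),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'block'}")
```

The UDP case is the one to note when reviewing exposure: during the window the source address is not checked, so the port is briefly reachable by hosts other than the one that was queried.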
5. Internet Explorer
- Popup Blocker and auto-install blocker (Active-X, Java, .exe)
- Popup blocker is on by default. You'll get a small notification bar at the top of the window.
- Popups are blocked by default with a sound notification (gets old in a hurry!)
- You can make an exception for a popup by holding the CTRL key and clicking a link, or clicking the refresh button on the browser (F5 also works)
- Microsoft is still working on a plan to support SP2. One decision has been made, however: Microsoft will offer no-charge, worldwide telephone support for the service pack.
6. Outlook Express
- Provides you a PlainText mode to help avoid security issues related to HTML
- You can also specify no download of HTML content: avoid repeated spam mailings!
- NO HTML is enabled by default.
- This also minimizes the impact on dialup users: only the images they specifically request will be downloaded!
7. Windows Update
- New version(s) will allow Office to be updated as well as other products (exchange/SQL/etc.)
- Hide the updates you don't want to see: Windows Media Player (you can unhide them at any time)
- Auto-resume feature: continues a download where you left off, rather than starting again at the beginning (great for dialup users!)
- Express Install installs only the High Priority and Critical patches
8. Fin