Changes to Functionality in Windows XP Service Pack 2
Posted by Tom Warren on 13 December 2003 - 14:17 · 84 comments & 14744 views
(2 replies)
#1 Posted by aStRaLgOd on 13 Dec 2003 - 14:23
- Hmmmm Changes eh? I hope it's good changes...
-
#1.1 Posted by twyst3d on 13 Dec 2003 - 21:56
- hopefully they didn't change like McDonald's did with their chicken nuggets, change is baaddddddddddd
-
#2 Posted by stezo2k on 13 Dec 2003 - 14:30
- about time
-
(14 replies)
#3 Posted by cope on 13 Dec 2003 - 14:35
- This document makes my XP WordPad crash... good going MS
-
#3.1 Posted by bangbang023 on 13 Dec 2003 - 14:40
- it's a huge document, wordpad isn't meant to handle something that big really.
-
#3.3 Posted by creamhackered on 13 Dec 2003 - 14:49
- That's because you need Microsoft Word or Word Viewer, good going cope
-
#3.4 Posted by bangbang023 on 13 Dec 2003 - 15:04
- it's 73 pages long, that is huge for wordpad.
-
#3.6 Posted by RaWShadow on 13 Dec 2003 - 16:24
- I have had 40mb+ files open in wordpad and it didn't crash. Now when I try to open this file it crashes
-
#3.9 Posted by [f] on 13 Dec 2003 - 23:25
- good for you, at least he wasn't bragging about the size, only using it as an example.
your silly bragging only goes to help his point lol.....wtg
-
#3.13 Posted by Gary_Player on 15 Dec 2003 - 05:10
- HAHAHAHA...thats the funniest thing I ever heard
-
#4 Posted by leebobs on 13 Dec 2003 - 14:52
- Added to the SP2 Thread
-
(4 replies)
#5 Posted by Imaginos on 13 Dec 2003 - 14:58
- Good step in the right direction, but I'm bothered that *ALL* outgoing connections are still allowed with no restrictions.. A trojan can send keylogs and personal info anywhere, anytime..
-
#5.1 Posted by MR_Candyman on 13 Dec 2003 - 15:44
- keylogs can have their useful purposes though...
-
#5.2 Posted by trance on 14 Dec 2003 - 01:20
- Once a trojan gets on your system, it is owned. Since they are blocking incoming connections, the trojans will be far less likely to get on in the first place.
-
#5.3 Posted by mrk on 14 Dec 2003 - 20:36
- unless you're a stoopid user (there are MANY MANY MANY people like this) who will open any old email or download from the ****e-ist of porn sites and accept those bar-steward "INSTALL PLUGIN TO CONTINUE" messages
these people of this sort deserve to get "owned"
I've used the xp firewall on my 4 pc network and my comp being the router for 2 solid years, not a single virus or trojan on any.
common sense is all you need
-
(1 reply)
#6 Posted by leebobs on 13 Dec 2003 - 15:08
- Read through this document, in skim mode... the changes look impressive, but long overdue. This version of XP as far as I am concerned will be known as XPTEWMTR (XP The Edition We Meant To Release)... Bring on Monday and SP2 BETA1.
-
#6.1 Posted by JaggedFlame on 14 Dec 2003 - 06:40
- With that logic, XP is the version of Windows 95 they meant to release.
Things are always being improved. Get over it.
-
(6 replies)
#7 Posted by riahc3 on 13 Dec 2003 - 15:53
- wait.........is security the only real change??
i hope not because although it is important the average customer isn't really interested and won't get hacked or anything.
-
#7.1 Posted by creamhackered on 13 Dec 2003 - 16:00
- No of course you're right, the average customer didn't get blaster or anything did they?
-
#7.2 Posted by MR_Candyman on 13 Dec 2003 - 16:04
- the average computer user won't even realize they have a virus unless they can't boot their system....
Even then they take it to shops to get fixed claiming it's the company who built it's fault!!!!!
*notice I hate the customer...ya...I've been there*
-
#7.3 Posted by bangbang023 on 13 Dec 2003 - 16:47
- The average customer doesn't even care about upgrading. They do not owe it to us to add features in. Hell, they don't even have to add in stuff like a popup blocker and all, but they are. Take what you can get, considering it's free.
-
#7.5 Posted by Joshie on 13 Dec 2003 - 23:18
- The average consumer installs GAIN. I treat them accordingly.
-
(1 reply)
#8 Posted by xStainDx on 13 Dec 2003 - 16:57
- about the Firewall..
QUOTE Detailed description
ICF is turned on by default for all network interfaces. This provides more network protection by default for Windows XP on new installations and upgrades
I'm going to pick this apart and say if you already have your Firewall Off and then update to SP2 it will stay off. It will only be "On-By-Default" on NEW INSTALLATIONS and UPGRADES (9x/Me/2000 ---> XP).
I may be wrong but from that document that's what I'm getting out of it.
QUOTE Boot time security
Detailed description
In earlier versions of Windows, there is a window of time between when the network stack was running and when ICF provides protection. This results in the ability for a packet to be received and delivered to a service without ICF filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall service was loaded and had applied appropriate policy. The firewall service has a number of dependencies which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer.
In Windows XP Service Pack 2, the firewall driver has a static rule to perform stateful filtering. This static rule is called a boot-time policy. This allows the computer to perform basic networking tasks such as DNS and DHCP and communicate with a domain controller to obtain policy. Once the firewall service is running, it loads and applies the run-time ICF policy and removes the boot-time filters. The boot-time policy cannot be configured.
There is no boot-time security if Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) is set to Disabled.
Very cool of them to have Firewall Protection During Boot-Up. Try that ZA or NIS.
QUOTE Global configuration
Detailed description
In earlier versions of Windows, ICF was configured on a per-interface basis. This meant that each network connection had its own firewall policy (for example, policy1 for wireless, policy2 for Ethernet). This made it difficult to synchronize policy between connections. Additionally, new connections would not have any of the configuration changes that had been applied to the existing connections.
With global ICF configuration, whenever a configuration change occurs, it applies to all network connections. This includes new connections when they are created. Configuration can still be performed on a per-interface basis as well. Non-standard network connections will only have global configuration.
This change applies to ICF for IPv4. IPv6 ICF already supports global and per-interface configuration.
This is an awesome improvement I have many different Network Adapters.
QUOTE Memory protection technologies
This section provides detailed information about the memory protection technologies included in Windows XP Service Pack 2.
Execution Protection (NX)
What does execution protection do?
Execution protection (also known as NX, or no execute) prevents code execution from data pages such as the default heap, various stacks, and memory pools. Protection can be applied in both user and kernel-mode.
It also forces developers to avoid executing code out of data pages without explicitly marking the pages as executable. This promotes good software engineering and best practices for application and driver developers.
Execution protection is an operating system feature that relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. Execution protection functions on a per-virtual memory page basis, most often changing a bit in the page table entry (PTE) to mark the memory page.
The actual hardware implementation of execution protection and marking of the virtual memory page varies by processor architecture. However, processors that support execution protection are capable of raising an exception when code is executed from a page marked with the appropriate attribute set. The 32-bit version of Windows currently leverages the “no-execute page protections” processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.
Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection. Microsoft is preparing for and encouraging this trend by supporting execution protection in its Windows operating systems.
Who does this feature apply to?
Application and driver developers should be aware of execution protection and the requirements of software running on a supporting platform. Applications that perform just-in-time (JIT) code generation or execute memory from the default process stack or heap should pay careful attention to execution protection requirements.
Driver developers are encouraged to be aware of PAE mode on platforms supporting execution protection. PAE mode behavior on Windows systems with less than 4 gigabytes (GB) of physical address space has been changed to reduce driver incompatibilities.
Microsoft is supporting emerging processors that incorporate execution protection by making additions to Windows, beginning with Microsoft® Windows XP Service Pack 2. Execution protection has obvious advantages concerning buffer overrun exploits and promoting general good coding practices for Microsoft and third-party developers.
Brilliant.
Last edited by 335 on 13 Dec 2003 - 17:09
-
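Added example, not part of the thread or of Microsoft's document: the execution-protection text quoted in comment #8 says code must not run from data pages unless the page is explicitly marked executable, and that JIT-style applications need to account for this. This C example shows the allocate-writable, write, then switch-to-executable sequence, using VirtualAlloc/VirtualProtect on Windows and mmap/mprotect elsewhere; the stub bytes, PAGE_LEN and all function names are constructed for illustration.

```c
#define _DEFAULT_SOURCE           /* for MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Constructed "generated code" that just returns 42 (illustrative bytes). */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const unsigned char STUB[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3}; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = {0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                     0xC0, 0x03, 0x5F, 0xD6};  /* ret */
#else
#error "no sample stub for this architecture"
#endif

#define PAGE_LEN 4096             /* assumed page size for the example */
typedef int (*stub_fn)(void);

/* Data page: readable and writable, not executable. With NX enforced,
   jumping here at this point raises an access violation / SIGSEGV. */
static void *alloc_data_page(void) {
#ifdef _WIN32
    return VirtualAlloc(NULL, PAGE_LEN, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, PAGE_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Explicitly mark the page executable and drop write access (never W+X). */
static int make_executable(void *p) {
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(p, PAGE_LEN, PAGE_EXECUTE_READ, &old)) return 0;
    return FlushInstructionCache(GetCurrentProcess(), p, PAGE_LEN) != 0;
#else
    if (mprotect(p, PAGE_LEN, PROT_READ | PROT_EXEC) != 0) return 0;
    __builtin___clear_cache((char *)p, (char *)p + PAGE_LEN); /* GCC/Clang builtin */
    return 1;
#endif
}

static void free_page(void *p) {
#ifdef _WIN32
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, PAGE_LEN);
#endif
}

/* Returns the generated code's result (42), or -1 if any step failed. */
int run_generated_code(void) {
    void *page = alloc_data_page();
    if (page == NULL) return -1;
    memcpy(page, STUB, sizeof STUB);          /* "JIT" output written as data */
    if (!make_executable(page)) { free_page(page); return -1; }
    stub_fn fn;
    memcpy(&fn, &page, sizeof fn);            /* data pointer -> function pointer */
    int result = fn();
    free_page(page);
    return result;
}
```

Software that skips the make_executable step and calls into the freshly written page is the kind that breaks once execution protection is enforced.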
#9 Posted by MoRiA on 13 Dec 2003 - 17:03
- i assumed that meant that it would be turned on when you install SP2 and you must manually disable it...
-
#10 Posted by iampedro on 13 Dec 2003 - 18:14
- It would be just nice if MS would finish testing of this product and release it...
-
(2 replies)
#11 Posted by tommie on 13 Dec 2003 - 18:14
- I don't know a lot about Service Packs, but will SP2 include all of the SP1 updates or will we have to install SP1 and then SP2 if we were to do a fresh Windows XP install?
-
#11.1 Posted by bangbang023 on 13 Dec 2003 - 18:16
- service packs generally include all updates previously released so you should have no need to install sp1 then install sp2. On a side note, I am curious why you don't have sp1 already installed.
-
(2 replies)
#12 Posted by djtaylor on 13 Dec 2003 - 18:32
- Quote from the download centre page:
QUOTE System Requirements
Supported Operating Systems: Windows Server 2003
So it's for Windows XP, but only Windows 2003 supports it? Trust MS to get this bit wrong!
-
#12.1 Posted by tommie on 13 Dec 2003 - 22:32
- haha I think they mean that you can install this SP on 2003 as well or something
-
#13 Posted by Mav Phoenix on 13 Dec 2003 - 19:02
- So no outbound protection for ICF?
-
(7 replies)
#14 Posted by MR_Candyman on 13 Dec 2003 - 20:08
QUOTE Global configuration
Detailed description
In earlier versions of Windows, ICF was configured on a per-interface basis. This meant that each network connection had its own firewall policy (for example, policy1 for wireless, policy2 for Ethernet). This made it difficult to synchronize policy between connections. Additionally, new connections would not have any of the configuration changes that had been applied to the existing connections.
With global ICF configuration, whenever a configuration change occurs, it applies to all network connections. This includes new connections when they are created. Configuration can still be performed on a per-interface basis as well. Non-standard network connections will only have global configuration.
This change applies to ICF for IPv4. IPv6 ICF already supports global and per-interface configuration.
Personally, I DON'T want this feature. What if you have computers connecting to one computer and that one to the net? Why have say, 4 computers AND the net on the firewall??? Why not just have the net on the firewall and leave the network of the others alone???
-
#14.1 Posted by xStainDx on 13 Dec 2003 - 20:34
- The other computer has its own policy.
PER-INTERFACE MEANS PER ETHERNET CARD / DIALUP MODEM on that machine.
-
#14.2 Posted by MR_Candyman on 13 Dec 2003 - 22:36
- yes, but if you have multiple ethernet cards in one machine, which others connect to, then each ethernet card on the one machine will have a firewall, this seems VERY pointless to me as you would only need the firewall active for the one connecting to the net (or other ones you WANT behind one).
To have multiple firewalls of the same kind is very much pointless as it does not improve security in the slightest.
EDIT: Made this very simple diagram explaining what is really happening.

Last edited by 26264 on 13 Dec 2003 - 22:53
-
#14.4 Posted by Xeron on 14 Dec 2003 - 11:44
QUOTE With global ICF configuration, whenever a configuration change occurs, it applies to all network connections. This includes new connections when they are created. Configuration can still be performed on a per-interface basis as well.
So, for what you want to do you just set the Global Policy to off and the individual internet connection to On.
-
#14.5 Posted by MR_Candyman on 14 Dec 2003 - 15:48
- ok, can you HONESTLY SAY that you will truly be allowed to change it on a per-interface basis? As it is already the settings of one connection bleed to the others, so I really doubt any changes you make will affect one connection and not the rest
-
#14.6 Posted by mrk on 14 Dec 2003 - 20:52
- I have 3 nics on my machine routed through 3 machines,
IF you have this type of setup you are an intermediate or advanced user and have the knowledge of turning off and on the ICF service, no need to moan about (the other guy) about it being on all client machines too because the user simply can turn it off on them
-
#14.7 Posted by MR_Candyman on 14 Dec 2003 - 22:16
- Apparently you haven't noticed the setting from one affecting the other nics as well, even if the settings are different Windows chooses to prioritize one and usually its settings affect the others as well
-
#15 Posted by SidVicious on 13 Dec 2003 - 20:44
- Good changes, but, what about more changes in Internet Explorer...more than just pop-up blocker and add-on management?
-
(4 replies)
#16 Posted by Mav Phoenix on 13 Dec 2003 - 21:16
- I want to see the Visual Style engine reworked so we don't have a mish-mash of styles (luna with classic buttons and scrollbars, etc).
-
#16.1 Posted by djtaylor on 14 Dec 2003 - 00:04
- That happens because apps need to have an XP manifest (which is a resource embedded in the exe file) to tell the OS that they're compatible with the new styles. Older apps don't and so Windows will use the old Win 9x styles for these.
-
#16.2 Posted by Mav Phoenix on 14 Dec 2003 - 02:08
- And dialogs that are part of XP, how would you explain those? Let me help you get your foot out of your mouth there...
-
#16.3 Posted by nookadum on 14 Dec 2003 - 04:54
- Blame the damn programmers at Microsoft for not fixing those dialogs.
-
(7 replies)
#17 Posted by badnbusy on 13 Dec 2003 - 21:22
- I just hope they fix the missing images (they appear as red X) in IE6!

You know, the pics that are actually there if u refresh, or right click->show picture!
-
#17.1 Posted by djtaylor on 13 Dec 2003 - 23:47
- Oh, so someone other than me has this problem too? Anyone else? It's bloody annoying!
-
#17.2 Posted by xStainDx on 13 Dec 2003 - 23:48
- Set your encoding to "Auto-Select"
View --> Encoding --> Auto-Select
That fixed it for me. I referenced an MSKB Article.
-
#17.3 Posted by djtaylor on 14 Dec 2003 - 00:07
- Hmmm... that's weird cos it's nothing to do with the bloody encoding that's used on the page!!! Thanks. I've turned it on and all images are displaying ok so far.
-
#17.4 Posted by rseiler on 14 Dec 2003 - 04:08
- This is the article:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B283807
Auto-Select did nothing for me, and neither did anything else in the article. I do know what caused it though: SP1.
-
#17.5 Posted by djtaylor on 14 Dec 2003 - 12:10
- It's still happening to me too! Hope they fix this in SP2.
-
#17.6 Posted by Mike Dimmick on 15 Dec 2003 - 11:06
- IE6 corrupts its Temporary Internet Files indexes when TIF gets full. Clear your cache and everything should start working again.
-
(1 reply)
#18 Posted by INFERNO2k on 13 Dec 2003 - 21:32
- How is the security going to be like when we install SP2?
Considering the FCKGW crew
-
(2 replies)
#19 Posted by werejag on 13 Dec 2003 - 23:15
- wow still no out going firewall to stop programs from unauthorized access
icf doesn't stop stuff like slammer etc, what is microsoft even thinking
-
#19.1 Posted by Chooky on 13 Dec 2003 - 23:28
- They are thinking a good inbound firewall (read - better than the current ICF) is better than no firewall. Also, if ICF was on it would have stopped that computer from getting infected by slammer. You want a better one? Buy one.
-
#19.2 Posted by rseiler on 14 Dec 2003 - 03:54
- It is a preliminary document; if outbound is not mentioned in there now, it doesn't mean it won't be added by the time it RTM's. A while back I read in an interview or news article that it would be in there, so this is odd that it's apparently not mentioned.
-
(1 reply)
#20 Posted by cdcase on 14 Dec 2003 - 02:51
- I would like it if they would fix the weirdnesses in the visual styles that came with XP. they all 3 have subtle graphics glitches... always seemed half-baked to me.
-
#20.1 Posted by Mav Phoenix on 14 Dec 2003 - 03:20
- Agreed.
-
#21 Posted by Mr. Black on 14 Dec 2003 - 03:33
- I hope that SP2 has an option NOT to enable some of its "features"...
-
(1 reply)
#22 Posted by ripgut on 14 Dec 2003 - 09:35
- when the f**** is sp2 gonna be released? thats what i want to ****en know
-
#22.1 Posted by Mav Phoenix on 14 Dec 2003 - 10:11
- When it's done!™
-
(1 reply)
#23 Posted by jami_welch on 14 Dec 2003 - 10:48
- is sp2 gunna be free to download?
-
#24 Posted by MitchShrader on 14 Dec 2003 - 13:25
QUOTE well considering they couldn't install SP1 I would assume SP2 will be the same
uh. how am i sposed to be positive you were using sarcasm when you left off the sarcasm tag?
anyway, while i see that MS is tightening up security in a couple of important places, i have a couple of minor caveats.. SEEMS like , to me, this has a faint smell of Palladium type functions.. ok, yeah, i'm paranoid, but this is MS, our friendly but passionate overgrown gorilla here.. now i am all for security, and even security by default.. but i'd be the first one to applaud a hacker who built an off switch for ANYTHING billy stuck in.. it can be default. but let it be optional, and removable, or configurable, or bluidy ignorable.. its not his OS any more..
-
(3 replies)
#25 Posted by xavalon on 14 Dec 2003 - 18:46
- While there are some good improvements to ICF, it is way off what is offered by some others (even Free ones).
Problem is that it doesn't filter outbound calls; so spyware can still go ahead, and MS can still send some secret information to their servers. I am glad I blocked clr.microsoft.com, codecs.microsoft.com etc etc. I first want to know what they are sending, before I agree (I am specially curious about that clr.microsoft.com site). And so far, even when ignoring connections to those sites, my applications work fine.
-
#25.1 Posted by mrk on 14 Dec 2003 - 20:54
- spyware can only be installed on your computer IF the firewall was OFF (inbound) or your own stupidity by running unknown progs or opening dodgy emails...
or browsing the "wrong" sites and accepting those plugin install screens
-
#25.2 Posted by antareus on 14 Dec 2003 - 21:13
- Your comment reeks of ignorance. Why do you turn something off if you don't know what it does?
-
#25.3 Posted by laidcter on 15 Dec 2003 - 01:53
- just because you DON'T KNOW what it does.
why would you turn something on if you do not know what it is exactly?
we're not talking functionality of windows here but connection with unknown data sent over the internet to unknown sites. people talk about how stupid it is to allow plugin.
it's stupid also to allow connections.
and to all those people who think they are superior because they tell not to install plugin or open email...
just swear you never did it. and you don't know what is the taste of being fouled.
of course you need outgoing filtering. anybody that surfs becomes overwhelmed with crapware. you just cannot avoid it. and people on neowin certainly are not the most innocent surfers on earth that do not know about "security sites" and other porn.


Together, these security technologies will help to make it more difficult to attack Windows XP, even if the latest updates are not applied. These security technologies together are particularly useful in mitigation against worms and viruses.
This document specifically focuses on the changes between earlier versions of Windows XP and Windows XP Service Pack 2 and reflects Microsoft’s early thinking about Service Pack 2 and its implications for developers. Examples and details are provided for several of the technologies that are experiencing the biggest changes. Future versions of this document will cover all new and changed technologies.
The Major Updates in Nero 6 are:
New features Nero 6.3.0.0
Significant usability improvements
AMD64bit support
Hyperthreading support
New features NeroVision Express 2.1.0.0
DVD-VR import
Export to DV camera
Improved capture quality and hardware support
Powerful Undo/Redo function
Choose between 1-Pass and 2-Pass encoding
Default template for new project
DVR-MS (Windows XP Media Center Edition file format) support for Win XP SP1
New filters/effects
- Invert Color
- Multiply pixel
- Gamma correction
- Edges detection
- Emboss
- Enhance details
- Enhance edges
- Enhance focus
- Light edges
- Shift edges
- Soften filter
Splitting function for slideshows with a large number of pictures
Half-D1 resolution for DVD supported
AMD64bit support
New features Recode 2.0.0.0
1:1 DVD to DVD Copy with original menu
Remake a DVD from one or multiple DVD movies
Convert DVDs in amazing quality to Nero Digital while using the Nero Digital profile templates
Fit the Nero Digital files to DVD, CD or custom size
5.1 channel audio support
Unique Watch-while-you-Burn mode
Burn-at-once technology
Quick and advanced analysis model
AMD64bit support
New features Showtime 1.5.0.0
AB Bookmark repeat
Added time search feature (direct input of the target time to jump)
Subtitle and chapter support for Nero Digital
All player features available through right-click
Double-click on display changes to full screen
Double-click on full screen changes to normal window
IFO and DAT files playback support
Powerful post-processing for Nero Digital available
New image settings for film effects
Dynamic Noise Control (DNC) for CD/DVD during playback
AMD64bit support
New features InCD 4.1.0.0
DVD-RAM support
DVD-RW quick format
Significant performance improvements on high-speed media
New features BackItUp 1.2.0.0
On-the-fly compression/recording (Compression can be done without using any temporary storage of hard disc while burning on CD/DVD)
Hot plugging of recorders
Support for HD-Burn recorder
Read-me file on every disc to tell the backup name, disc number and backup information file location
Significant usability improvements
AMD64bit support
PowerPack
The PowerPack includes:
DVD to CD
DVD9 to DVD5
Many DVDs to DVD
Dolby Digital ® 5.1 playback
Dolby Digital ® stereo encoding
Nero Digital™