Firms should take five steps to keep systems secure when installing SP2, says Kelvyn Taylor.
Although Service Pack 2 (SP2) for Windows XP has been widely available for weeks, it will be some time before many firms have tested it enough to be confident that full deployment is a good idea. The update has generally had favourable press, but in some cases it could cripple mission-critical apps.
For IT managers who want to go ahead with deployment now, I’m going to suggest five steps that should be taken first.
1. If you’re worried about users running off with sensitive data downloaded onto a USB memory stick or MP3 player, the first thing you should do is make a change to the Registry on your users’ systems. Change (or create) the DWORD value WriteProtect under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies and set it to 1. This newly implemented feature makes any USB storage devices read-only.
2. If you use Windows 2000 or earlier versions of Windows to remotely schedule tasks on Windows XP clients – for example by using the Windows command AT.EXE – make sure you install the latest service pack on those systems once the XP machines have been updated. SP2 increases the security of the RPC interface used by the Scheduler service. Hotfixes are available for those who can’t install the full service packs. Check out the security bulletin at the first link below.
3. If you have users running Outlook Express, make sure they all take advantage of the new “Read all messages in plain text” option in the Tools/Options/Read menu tab. This will help prevent malicious code from being downloaded via HTML-formatted email.
4. If your client PCs have the Windows Firewall enabled, be aware that the new version in SP2 blocks incoming network traffic on TCP port 445. This port is used for two system-generated dialog boxes widely used in the Client Administrative Tools MMC snap-ins. The dialog boxes are “Select Users, Computers or Groups” and “Find Users, Computers or Groups”.
If TCP port 445 is blocked, you will likely get an obscure error message. To open the port on the client PC, open a command prompt and type “netsh firewall set portopening TCP 445 enable”.
5. If you don’t want to use Windows Firewall, you’re going to have to turn it off on all your client PCs, as SP2 enables it by default. Some applications may not work with firewalls that perform stateful packet inspection. Fortunately, Microsoft has added a new command line tool – netsh – to Windows that allows you to change the state of the firewall via login scripts or remote management tools.
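Steps 1, 4 and 5 can be rolled into a single logon script, as in the added example below. This is not the article's own script; it assumes it runs with local administrator rights on an XP SP2 client (needed to write HKLM and change firewall settings) and that reg.exe is present, as it is on XP.

```batch
@echo off
REM Added example logon script, not from the original article.
REM Assumes local administrator rights on a Windows XP SP2 client.
setlocal

set KEY=HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

REM Step 1: make USB storage devices read-only (WriteProtect = 1).
REM reg.exe creates the StorageDevicePolicies key if it does not exist yet.
reg add "%KEY%" /v WriteProtect /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo WARNING: could not set WriteProtect - run as an administrator
) else (
    echo USB storage is now read-only on this client
)

REM Step 4: keep Windows Firewall on but let the MMC "Select/Find Users,
REM Computers or Groups" dialogs reach the client on TCP 445.
REM This is the named-parameter form of the netsh command quoted above.
netsh firewall set portopening protocol=TCP port=445 name="TCP 445 (admin tools)" mode=ENABLE >nul
if errorlevel 1 echo WARNING: could not open TCP 445 in Windows Firewall

REM Step 5 (only if you have decided not to use Windows Firewall at all):
REM uncomment the next line to switch the firewall off from this script.
REM netsh firewall set opmode mode=DISABLE

REM Report the resulting state so the change can be checked in the logon log.
echo --- Windows Firewall operational mode ---
netsh firewall show opmode
echo --- Open ports ---
netsh firewall show portopening
echo --- USB write protection ---
reg query "%KEY%" /v WriteProtect

endlocal
```

Opening TCP 445 as in step 4 keeps the firewall's other protections in place, so prefer it over the step 5 switch-off wherever the affected applications allow it.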