Windows DevCenter    
 Published on Windows DevCenter (
 See this if you're having trouble printing code examples

Kicking the Tires of XP Service Pack 2, Part 1

by Ron White

With Windows XP Service Pack 2 (SP2) Microsoft has finally shut the barn door -- several doors, actually, most of which have been open invitations to attacks by hackers, worms, and viruses. The service pack, distributed to Windows developers in a beta release, and scheduled to be final around mid-year, concentrates primarily on fixing security flaws that have plagued Windows XP since it was released in 2001.

In this first part of a two-piece article, we'll take a look at major changes SP2 makes to the XP's built-in Internet Connection Firewall (ICF), which Microsoft plans to rename Windows Firewall. One caveat before beginning: SP2 is still in beta, and Microsoft has said that it may change before release, so there may be differences between what you read here and the final version.

New Firewall Defaults

Microsoft apparently decided that past attempts to allow network users to make their own decisions about security matters may have been too charitable in estimating that those users would do the right thing. Previously ICF was turned off by default. No longer -- with SP2, it will be automatically turned on. Because any firewall may disable certain applications, this may be a cause of concern for network administrators. But Microsoft has said that the firewall will be able to be centrally administered using Active Directory Group Policy, so administrators should be able to easily turn it on and off on networked PCs.

With SP2 the default will be to close ports except when they are being used. And in a move unrelated to the firewall itself, the Windows Messenger Service will be turned off as well, because of the flood of spam the service receives. The Windows Messenger Service is unrelated to instant messaging programs -- instead, it was designed for sending messages over local area networks. (For more details on how to now turn it on and off yourself, see Shooting the Windows Messenger Service.)

Boot-up Security

Before SP2, the driver for the Internet Connection Firewall didn't start filtering incoming packets until a computer loaded the firewall policy that tells the firewall what to filter. The delay in throwing up the firewall practically dared malicious packets to squeeze their way into the system.

SP2 provides a rule -- a boot-time policy -- for the Windows Firewall driver to follow immediately. This driver provides basic security and allows the computer to safely perform basic networking jobs, one of which is to download the full-time policies to replace the boot-time policy.

Greater Customization

One of the firewall's most welcome new features is how easily you can customize it on a per-connection basis. You can now set global configurations, as well as change settings on a per-connection basis, from a new Control Panel applet. Its tabbed dialog boxes, shown in Figure 1, provide one-stop shopping for firewall configurations for all your network connections.

Figure 1
Figure 1. SP2's new firewall can be configured via this new Control Panel applet.

You can now also disable or enable the firewall on a per-connection basis, particularly useful for those equipped with laptops who may use multiple network connections with varying degrees of security. For example, an Ethernet connection on a network that includes a hardened corporate firewall may not require XP's firewall to be turned on, while a WiFi connection used primarily for public WiFi hotspots will be most secure with it enabled.

Using netsh for Firewall Configuration

SP2 will include firewall-specific commands for the netsh command line tool, so that you can configure the firewall directly from the command line. This feature shipped with the Advanced Networking Pack for Windows XP, but will now be on all systems with SP2. You'll be able to control virtually every aspect of the firewall, including setting the default state of the firewall, configuring which ports should be open and which closed, and whether they should have global access to the Internet or are limited to the local network, and so on.

From the command line, type netsh firewall to put netsh into firewall context, and then issue any one of many commands to configure it. For example, to enable port 80 for tcp on the "Local Area Connection" connection, you'd issue this command in firewall context:

set adapter "Local Area Connection" port 80=enable protocol=tcp

For more details on how to configure the firewall using netsh, see this Microsoft TechNet article.

Making Exceptions

The Firewall Permissions List takes care of the problem that crops up when applications act as servers that legitimately need access to an open port. Theoretically, the applications would be running in a high security mode with minimum privileges and would close the port when they're through with it. But as they say, that's theory. In reality, depending on applications to keep a system secure has been one more vulnerability.

With SP2, if an application tries to access the Internet, Windows displays the exceptions list dialog box. (You can open the dialog manually by clicking Start-->Control Panel-->Internet Connection Firewall-->Exceptions, as shown in Figure 1.) There you can give an application permission to talk to the Internet, while still protecting your PC with the firewall.

Ron White is a longtime technology journalist and author of numerous books, including How Computers Work.

Return to

Copyright © 2009 O'Reilly Media, Inc.