Windows XP Service Pack 3: More security

Microsoft officially released Windows XP Service Pack 3 to manufacturing, and according to the company, it’s going to be available on the Web on Tuesday, April 29.

It’s been about four years since Windows XP SP2 came out. What does the new version have? According to a Microsoft white paper, “Overview of Windows XP Service Pack 3,” there’s not much beyond roll-ups of previous bug fixes and security enhancements:

Windows XP Service Pack 3 (SP3) includes previously released Windows XP updates, including security updates and hotfixes. It also includes select out-of-band releases, and a small number of new enhancements, which do not significantly change customers’ experience with the operating system.

Windows XP SP3 provides a new baseline for customers still deploying Windows XP. For customers with existing Windows XP installations, Windows XP SP3 fills gaps in the updates they might have missed—for example, by declining individual updates when using Automatic Updates, and updates not available through Windows Update.

Windows XP SP3 includes all previously released Windows XP updates, including security updates and hotfixes, and select out-of-band releases. Windows XP SP2 was released in August 2004. Since then, Microsoft has released hundreds of updates. Windows XP SP3 includes all of these updates.

Microsoft is not adding significant Windows Vista functionality to Windows XP through SP3. However, SP3 does include Network Access Protection (NAP) to help organizations that use Windows XP to take advantage of new features in the Windows Server 2008 operating system.

There are seven specific areas of new functionality that Microsoft cites: “Black Hole Router” detection, Network Access Protection, Descriptive Security Options User Interface, Enhanced Security for Administrator and Service Policy Entries, Microsoft Kernel Mode Cryptographic Module and Windows Product Activation. These are described as:

“Black Hole” Router Detection: Windows XP SP3 includes improvements to black hole router detection (detecting routers that are silently discarding packets), turning it on by default.

Network Access Protection: NAP is a policy enforcement platform built into Windows Vista, Windows Server 2008, and Windows XP SP3 with which you can better protect network assets by enforcing compliance with system health requirements. Using NAP, you can create customized health policies to validate computer health before allowing access or communication; automatically update compliant computers to ensure ongoing compliance; and optionally confine noncompliant computers to a restricted network until they become compliant.

Descriptive Security Options User Interface: The Security Options control panel in Windows XP SP3 now has more descriptive text to explain settings and prevent incorrect settings configuration.

Enhanced security for Administrator and Service policy entries: In System Center Essentials for Windows XP SP3, Administrator and Service entries will be present by default on any new instance of policy. Additionally, the user interface for the Impersonate Client After Authentication user right will not be able to remove these settings.

Microsoft Kernel Mode Cryptographic Module: Fips.sys is a FIPS 140-1 Level 1–compliant, general purpose, software-based, cryptographic module in the kernel mode level of the Windows operating system. It runs as a kernel mode export driver (a kernel-mode DLL) and encapsulates several different cryptographic algorithms in an easy-to-use cryptographic module accessible by other kernel mode drivers. It can be linked to other kernel mode services to permit the use of FIPS 140-1 Level 1–compliant cryptography.

Windows Product Activation: As in Windows Server 2003 SP2 and Windows Vista, users can now complete operating system installation without providing a product key during a full, integrated installation of Windows XP SP3. The operating system will prompt the user for a product key later as part of Genuine Advantage. As with previous service packs, no product key is requested or required when installing Windows XP SP3 using the update package available through Microsoft Update. Note: This update affects the installation media only and is not a change to how activation works in Windows XP.

I’m glad they’re not messing with the activation protocol — it’s bad enough already.

Z Trek Copyright (c) Alan Zeichick