http://security-protocols.com/

This summary focuses specifically on security enhancements. All in all it is an axcellent summary. Here is a summary of the summary:

Network Security

Firewall

• Statefull
• Enabled early in boot. Disabled late in shutdown.
• New GUI.
• Enabled on all interfaces by default.
• Exceptions by application.
• Domain control through Group Policy.

RPC

• New Permission levels. (blocked, local subnet, global)
• Firewall integration of permissions and allowed RPC servers.

DCOM

• Authentication. (You mean they didn't have this before?!)
• Finer control of individual services.

Local Security

NX Memory Pages
We've read about it a hundred times. NX capable processors allow for an extra bit to mark a page non-executable. This will be supported by the OS (i.e. will make certain pages non-executable). If used correctly (like most security isn't) this will significantly reduce successfull buffer overflow attacks.

Sandboxing
No this has nothing to do with camels in silly gloves.

• Most binaries recompiled with buffer checking code.
• 'Cookies' used to detect heap overflows.

Application Security

Outlook Express

• Remote Image and HTML blocking.
• Warn about unauthorised mail sending.
• Control saving an opening of attatchments with Application Execution Service(tighter sandbox?)
• Plain text only option (finally).

Windows and MSN Messenger

• Also use Application Execution Service.

Internet Explorer

• Manages plugins and adds plugin crash detection.
• Disallow certain binary behaviour (heuristics?).
• Applies ActiveX runtime control to all URL objects.
• Restricts Local Machine Zone.
• Proper File type checking, to ensure conformance to type. (unix file anyone?)
• Disallows access to cached scriptable objects. HTML pages can only script their own objects. (haha)
• Pop-Up blocking.
• Object level signature support. ("Will only display once prompt per object per page", that's millions)
• Prevents scripts from moving and resizing windows or status bars.

Alerter and Messenger Service

• Now disabled by default.

Dirext X 9 & Windows Media Player 9

• http://www.microsoft.com/windows/directx/
• http://www.microsoft.com/windows/windowsmedia/
  

Patch Management

Windows Update (ver 5)

• Express Install for quick patching of critical and security fixes.
• SUS client GUI.
• Smaller patches (delta compression technology ala BigFix)

Security Center
Centralised GUI for security information.

Windows Installer (ver 3.0)

• Avoid downloading of uneeded, superceeded or obsolete patches.
• Delta Compression of patches.
• Pretty GUI.

User Implications

Users

• Security by exception. "Do you want to allow this program to communicate on port xxxx?"
• Security Center nags about lack of Antivirus, out of date signatures or patches and a disabled firewall.

Administrators

• Explicitly allow server access.
• Ensure permission levels are correct. (blocked, local, global)
• More

Developers

• Review RPC and DCOM applications.
• Patch tools.
• Ensure they are granted remote access to applications and machines.

Conclusion

Some great updates coming through. I was shocked by a few very basic updates that really should have been applied a few years ago. As I am not a regular windows user the impact of some of these might not be completely obvious, but I know updates like IE's prevention of window manipulation and pop-up blocking will be very welcome. These updates bring windows almost on a par to what the *nix world has had for years. The advantage is that Windows is making most of these defaults.