Users Approach XP SP2 with Enthusiasm, Caution
- By Stephen Swoyer
- August 18, 2004
Users generally like what they see in Windows XP Service Pack 2 and are planning aggressive rollouts of the major security overhaul of Microsoft's flagship client operating system.
At the same time, Microsoft's new tool to prevent client systems from automatically installing SP2 and the latest delay on Automatic Update deployments dovetail nicely with users' plans to continue thorough testing of SP2 before deploying it.
"In my opinion, SP2 is a definite must have," says Andrew Baker, director of network services with a prominent media conglomerate. Baker is one of many users impressed by the many security improvements -- which include the on-by-default Windows Firewall, a security dashboard, recompiled code that prevents malicious code execution when combined with supported hardware, a hardened browser and more granular control of security settings through Group Policy.
A recent survey by Russ Cooper, a senior scientist with security specialist TruSecure and editor of the NTBugtraq mailing list, indicates that IT wants to deploy SP2 quickly. Of the 578 NTBugtraq members who responded to his SP2 survey, says Cooper, 30 percent plan to deploy SP2 within the next 30 days. Another 25 percent say they’ll deploy SP2 over the next three months, and a surprising number – 13 percent – plan to roll-out the service pack in the next seven days. After taking into account the six months and above time frame, only 17 percent of NTBugtraq respondents don’t plan to deploy SP2. Cooper's response pool is biased toward organizations of 100 or fewer users, which can move more quickly and with less complicated testing scenarios than larger organizations.
Whatever the organization's size, testing is the major hang up. While the security improvements are generally welcome, those features, especially the new firewall, are known to break almost 50 Microsoft and major third-party applications. Many more internal applications will stop dead when the firewall's shields go up.
Microsoft released Windows XP Service Pack to manufacturing on Aug. 6. Last week, the company released a tool for network administrators to allow them to turn off the Automatic Update feature of Windows XP, preventing the automated download and installation of the service pack for 120 days. At the same time, Microsoft disclosed that Automatic Update-enabled systems would begin pulling down XP SP2 on Aug. 16. Negative user reaction to the short window for applying the tool helped convince Microsoft to push back the Automatic Update delivery schedule. As of now, Automatic Update for Windows XP Home Edition will begin Wednesday, while Professional Edition will begin sometime later in the month. Users will be able to put the added time to good use.
Gavin Burris, a senior systems programmer at Penn State, says Microsoft’s delay in making SP2 available via Automatic Update -- and providing tools to prevent service pack downloads -– makes a lot of sense for users like him. "I’m holding off on Service Pack 2 for about a month until all the vendors catch up. It’s a production facility for education, and I just can’t have applications not working because of service pack incompatibilities," he says. "One of my main production applications runs on Windows XP, [and] these systems are configured to automatically download updates once a day at 5 a.m. So I don't mind the delay, because it plays into my plans. I'd probably be upset with [Microsoft] if they weren't doing this."
Michael Wassell, a network administrator with PT Marketing Group, will use his time to test SP2 exhaustively in his environment. "Our rollout plan includes vigorous testing with fully patched Windows XP SP2 systems, with emphasis on frequently used software packages, both custom and commercial," Wassell says.
Because of the almost unprecedented amount of testing, Wassell and other users say that the timetables for their SP2 rollouts could take some time. "Yes, we will deploy SP2. Because of the wide range of changes, we will do more than our normal amount of testing," says Dennis Depp, a Windows administrator with a federal research organization. "If all goes well, we will implement SP2 within the next two months."
Those who have already kicked the tires of the service pack are reacting strongly to Windows Firewall. Most seem to love and fear it at the same time.
Cooper, a dogged Microsoft critic, argues that SP2 represents Microsoft's first substantial commitment to the security best practice of default deny. "When you consider the fact that the firewall is turned on, this is a significant default deny configuration," he says. "You cannot take such a dramatic approach without giving up a couple of things." Cooper also applauds Microsoft's addition of many new Group Policy settings for the firewall.
Paul Green, a Windows administrator with a non-profit organization, calls the firewall one of his favorite aspects of SP2. He predicts it will be especially helpful to home users. Still, Green is wary of the firewall. "I think it's a good idea, but I'm not as optimistic as Microsoft that it is going to not cause any Internet connection problems during the Windows Update process. They must be pretty confident."
Some IT professionals go so far as to express doubts about why Microsoft even turned the firewall on by default in Windows XP Professional. "[It] seems kind of silly, however, to have the firewall on by default on XP Pro. Most of us already have a firewall solution," says Ray Zorz, a Windows administrator with UCP Central Arizona, a non-profit advocacy organization for people with disabilities.
Eric Peeters, a Windows administrator with a food marketing company based in the Southwest, does expect to see a benefit in his PC network. "The revamped firewall … [will] benefit my network for some PCs where I need better security than what is available out of the box," he says. "[B]ut I'm worried about what it can do to the PCs of several of our smaller partners who may install SP2 and find themselves unable to connect to our VPN without having the in-house skills to figure out why."
Sooner or later, everyone who's sticking with the Windows client platform will need to upgrade to the technology, so it might as well be sooner, argues Oleg Bestseny, a network administrator with Enterprise Corporation of the Delta, a community credit union in Mississippi.
"Many people argue that SP2 is the most revolutionary thing Microsoft has done since launching Windows 95, and I totally agree with them," Bestseny says. "Microsoft has gone in the new direction, from Swiss cheese usability to an environment with security as an apex. Organizations have to simply put up with that if they don't want to be running XP SP1 until the end of the days. I'm positive this type of tightened security will be built-in in Longhorn from the start."
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.