Last week, Microsoft held its epic Microsoft Professional Developers Conference (PDC) 2003 in Los Angeles. PDC 2003 was a coming-out party for Longhorn, the next Windows client OS, and introduced developers to upcoming technologies such as Longhorn, Visual Studio .NET (code-named Whidbey), Microsoft SQL Server (code-named Yukon), and a Microsoft .NET-based Web services infrastructure (code-named Indigo). Because many of these technologies are several months away at best, this week I want to discuss some of the more understated announcements and products Microsoft revealed last week that will more directly affect IT in the short term. Specifically, I'd like to discuss Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1.

In August, Microsoft found itself in a bit of controversy when it quietly revealed through a Web site posting that it was delaying XP SP2 from fall 2003 until mid-2004. XP SP1, you might recall, shipped in August 2002, or about 10 months after the initial XP release; this new schedule means SP2 will follow SP1 by a whopping 20 months or more. When you factor in all the security hotfixes and other critical updates that Microsoft has released since SP1, that's a long wait, and new installations of XP SP1 face an installation of more than 100MB of updates from Windows Update on first boot. That's unacceptable.

To partially alleviate this problem, Microsoft recently unveiled the Security Rollup Package 1 (SRP1) for XP, a collection of more than 20 post-SP1 security patches for XP rolled into one package that requires just one reboot. But this package doesn't explain the SP2 delays.

XP SP2, as you might recall, was supposed to include all the post-XP SP1 hotfixes and a new feature called "concurrent user sessions." This feature, designed primarily for Windows Powered Smart Display users, allows two concurrent logons on XP Professional Edition machines: one interactive and one remote. Sadly, the concurrent user sessions feature won't be part of XP SP2; instead, Microsoft will roll this functionality into the software that ships with the next version of Smart Displays, due in early 2004.

XP SP2 will include a bevy of new features, in addition to the aforementioned patches, most of which are designed to make XP more secure. For this reason, XP SP2 is suddenly a much more important release to businesses of all sizes.

First, XP SP2 will be the first product to come out of Microsoft's new "secure by default" initiative. This means that the Windows Messenger service will be disabled by default, the Internet Connection Firewall (ICF) will be enabled by default, and users will be able to configure multiple profiles safely, with different settings for work and home. Some of these changes will require subtle modifications to the way XP works. For example, Microsoft will enable home network-based file sharing on systems with the firewall turned on. Likewise, the update will contain small changes that enable boot-time protection and smart UIs for configuring Group Policies and unattended setup.

With SP2 installed, XP systems will be better able to fend off common electronic attacks. For example, Microsoft is reducing vulnerabilities to Distributed COM (DCOM) and remote procedure call (RPC) attacks by requiring authentication on default interfaces, restricting RPC interfaces to just the local machine, and disabling RPC over UDP, among other actions. The company will issue new RPC APIs for developers that help take advantage of these changes. For email attacks, Microsoft is creating a system-level mechanism, originally slated for Longhorn, that applications can use to determine whether email attachments are unsafe; this mechanism, called the Attachment Execution Services (AES) API, defaults to not trusting most attachments, and the company will add support for the service to Microsoft Outlook and Outlook Express. For Web-based attacks, Microsoft is locking down the local machine and local intranet zones in Microsoft Internet Explorer (IE), changing the way ActiveX controls and other Web-based applications are installed, and suppressing all non-user-initiated pop-up ads.

At a lower level, XP SP2 will take advantage of new memory-protection features in AMD and Intel microprocessors to reduce common buffer-overrun exploits. This feature is available in most modern 32-bit and 64-bit microprocessors, Microsoft says.
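As an added example (not code from this column or from Microsoft), the following PowerShell script audits a machine for the SP2 hardening points described above: the Messenger service disabled, the firewall enabled per profile, the RPC remote-client restrictions, and hardware DEP support. It assumes Windows PowerShell with WMI access; the registry paths and WMI properties are the documented XP SP2 / Windows Server 2003 SP1 locations, while the `Get-RegValue` helper and the `Test-*` function names are this example's own.

```powershell
# Added audit script, not from the original column. Registry paths are the
# documented XP SP2 / Windows Server 2003 SP1 locations; on later Windows
# versions some keys or services are absent and are reported as informational
# rather than treated as failures.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-MessengerService {
    # SP2 disables the Messenger service (the "net send" pop-up service) by default.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'OK: Messenger service not present' }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        return 'OK: Messenger service disabled'
    }
    return "WARN: Messenger service StartMode=$($svc.StartMode) State=$($svc.State)"
}

function Test-FirewallEnabled {
    # SP2 stores the per-profile firewall switch under the SharedAccess service key.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $results = @()
    foreach ($prof in 'DomainProfile', 'StandardProfile') {
        $v = Get-RegValue -Path "$base\$prof" -Name 'EnableFirewall'
        if ($null -eq $v)  { $results += "INFO: $prof EnableFirewall not set" }
        elseif ($v -eq 1)  { $results += "OK: $prof firewall enabled" }
        else               { $results += "WARN: $prof firewall disabled" }
    }
    return $results
}

function Test-RpcRestrictions {
    # SP2 introduced RestrictRemoteClients (0 = anonymous allowed, 1 = authenticated,
    # 2 = authenticated with no exceptions) and EnableAuthEpResolution for the
    # endpoint mapper. The value is absent by default and the SP2 default of 1 applies.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $restrict = Get-RegValue -Path $path -Name 'RestrictRemoteClients'
    $epAuth   = Get-RegValue -Path $path -Name 'EnableAuthEpResolution'
    $results = @()
    if ($null -eq $restrict) {
        $results += 'INFO: RestrictRemoteClients not set (SP2 default of 1, authenticated only, applies)'
    } elseif ($restrict -eq 0) {
        $results += 'WARN: RestrictRemoteClients=0 allows anonymous remote RPC'
    } else {
        $results += "OK: RestrictRemoteClients=$restrict"
    }
    if ($epAuth -eq 1) { $results += 'OK: EnableAuthEpResolution=1' }
    else               { $results += 'INFO: EnableAuthEpResolution not enabled' }
    return $results
}

function Test-DepSupport {
    # Win32_OperatingSystem exposes DEP availability and the boot-time policy:
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (XP SP2 client default), 3 OptOut.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    if (-not $os.DataExecutionPrevention_Available) {
        return 'WARN: hardware DEP not available or not enabled in this boot configuration'
    }
    $pol = [int]$os.DataExecutionPrevention_SupportPolicy
    if ($pol -eq 0) { return 'WARN: DEP policy is AlwaysOff' }
    return "OK: hardware DEP available, policy $($names[$pol])"
}

# Run all checks and print one status line per finding.
$report = @()
$report += Test-MessengerService
$report += Test-FirewallEnabled
$report += Test-RpcRestrictions
$report += Test-DepSupport
$report | ForEach-Object { Write-Output $_ }
```

Run it from an elevated Windows PowerShell prompt; each line is prefixed OK, INFO or WARN so the output can be grepped or fed to a configuration baseline. On Windows versions after XP the Messenger service no longer exists and the firewall has moved to the Windows Firewall with Advanced Security profiles, so those checks report informational results there rather than a pass.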

Windows 2003 SP1
Looking ahead to late 2004, Microsoft is planning a similarly major, security-oriented service pack for Windows 2003. Windows 2003 SP1 will include the role-based Security Configuration Wizard, along with a slew of as-yet-unnamed protection features aimed at enterprises. Additionally, the company will include support for client network isolation so that Windows 2003 SP1 machines can prevent clients from accessing a corporate network until their security state is verified. A VPN Quarantine feature will let remote Windows clients safely access network features.

Unlike XP SP2, the feature set for Windows 2003 SP1 is still in flux, so we'll know more soon. In the meantime, both XP SP2 and Windows 2003 SP1 are being delivered well after their original release schedules, but they'll be far more secure as a result. Whether the wait is worth it, I suppose, is up to the individual. I'd rather see the company deliver regular security rollups, as it did recently with XP SRP1, for all of its supported OSs. In this increasingly dangerous world, we need simpler and less intrusive ways to keep our new and existing systems up-to-date, and these service packs, along with Microsoft's wide-reaching plans to simplify patch management, will go a long way toward fixing the problems.