A report from the trenches
Windows XP Service Pack 2 (SP2) engendered more controversy and debate than most major upgrade releases. XP SP2 is supposed to greatly improve Windows security. However, upgrading involves a major commitment. XP SP2 is a several-hundred-megabyte download, and some users have experienced problems after installing it. According to a fall 2004 study by Insight Express, 80 percent of IT managers expected to upgrade to XP SP2 within 6 months of being interviewed, despite only 5 percent expecting to have no problems with the upgrade. By the end of October, more than 106 million copies of the update had been downloaded from Microsoft's Web site, not including copies shipped on disk or duplicated from downloads. Considering that XP SP2's success and rate of adoption affects all Windows users (more than 90 percent of computer users worldwide), the impact on computer security can't be overestimated. Now that the smoke has cleared, a postmortem on XP SP2 is in order.
XP SP2 brought wholesale changes to the way some XP applications work, especially security-related ones. Windows Firewall, formerly Internet Connection Firewall (ICF), is where many of these changes were made. Another improvement is that a number of services that are unnecessary for most users or downright dangerous have been disabled or aren't installed by default. Some services that are potentially useful from a security standpoint are now enabled automatically, including Windows Firewall and a new Security Center program that shows your firewall, Automatic Updates, and antivirus settings and provides links to let you change the settings. XP SP2 also adds a pop-up blocker and other security controls to Microsoft Internet Explorer (IE), stack and heap protection to the OS, additional privacy features to Microsoft Outlook Express, and an attachment manager to Outlook Express to check for unsafe attachments in email messages. It also improves XP's wireless support and adds Bluetooth support. You can learn more about XP SP2's major improvements in the Windows IT Pro articles "What You Need to Know About New Security Features in Windows XP SP2," May 2004, InstantDoc ID 42266, and "What You Need to Know About Windows XP Service Pack 2," February 2004, InstantDoc ID 41299.
The security improvements are so extensive that they can break some network-aware applications. The primary concern is that the firewall might interfere with third-party or in-house-written applications, especially those written for older Windows versions such as Windows NT or Windows 98/95. Problems with SQL Server, RPC (because, among other changes, anonymous RPC has been disabled by default), and many homegrown applications have been widely reported. Most of the time, people can fix the problems by twiddling with the firewall settings or turning the firewall off altogether. And some security professionals maintain that these applications are being broken because they didn't work securely to begin with. We all knew that at some point we'd have to bite the bullet and deal with insecure applications. But if that work must be done before XP SP2 is installed, some shops will delay installing the service pack.
Reports from the Field
I decided to find out whether companies were deploying this über-patch or waiting until others work out the kinks before deploying it themselves. I interviewed IT managers from a collection agency, a bank, and a real-estate-management company. Although most users that upgraded reported that XP SP2 improved overall performance, some had marked performance declines. XP SP2 might use slightly more RAM because the firewall and some other services are on by default, so machines with 128MB or less of RAM might benefit from a RAM upgrade. Also, you might be able to shut down some services to conserve RAM. You can find some suggestions for XP SP2 services tuning at http://www.blackviper.com/winxp/servicecfg.htm. According to this site, of the 34 services enabled by default by XP SP2, only six are needed for basic operation.
J.T. Clark of the Gila Group said that his collections firm has deployed XP SP2 throughout the company and has had few problems with it, except for some difficulties with terminal-server-type applications. His opinion was that embracing the technology and learning to live with it is better than being left potentially vulnerable to the security problems that continue to plague preXP SP2 computers.
Mike Hubmer of Horizon Capital Bank has also deployed XP SP2 across all his bank branches and locations, using a patching tool to install it remotely networkwide. He deployed XP SP2 with the firewall turned off, figuring that he'd avoid most application compatibility issues this way and that his external firewalls and Intrusion Detection System (IDS) would protect his inner LAN sufficiently. He realizes that he's passing up the benefit of added firewall protection on each box, though.
Chris Panto, MIS manager at MetroNational, a real-estate-management firm, has been unable to deploy XP SP2 thus far because one of his company's third-party applications is incompatible with the service pack. However, as soon as the application vendor provides a patch, Panto intends to upgrade. He said that the few machines on which his company has tested XP SP2 seem to perform fine and that the new IE pop-up blocker and IE ActiveX-control blocker were attractive to him. He also thought that the firewall was a nice feature for home users and telecommuters but that he would probably disable it on internal-LAN machines.
My personal experience when we upgraded our consulting business's computers was that there was little or no effect other than a slight performance decline in some of the slower machines. We like the fact that the new features make security settings much more visible and easier to manage.
Of course, XP SP2 isn't a silver bullet for all security woes. Vulnerabilities have been announced in it since it was released. A variant of the Bagle virus disables the new firewall. And Microsoft continues to release security updates for exploits that affect XP SP2. XP SP2 does raise the bar a little higher for computer bad guys, and any effort toward that end is welcome, but securing computers is an ongoing process. With that in mind, let's look ahead toward XP SP3 or Longhorn (the next major Windows release, due in 2006). Here's a little wish list for security improvements in XP SP3 or Longhorn, whichever comes next:
Firewall presets. Include along with Windows Firewall several preset configurations that contain optimal settings for common situations such as a home computer with a dial-up Internet connection, a home office computer with a broadband Internet connection, and a computer on a corporate LAN.
Pop-up blocker and ActiveX-control-blocker tuning. Provide the ability to exempt certain IP addresses, such as internal addresses or popular Web sites, from having items blocked. Microsoft could also include an editable white list of the 100 or 1000 most popular Web sites.
Spyware detecting and blocking. Integrate spyware detection and blocking software into the OS. Microsoft has taken a big first step by acquiring GIANT Company Software and releasing Microsoft Windows AntiSpyware, free beta software that the company based on GIANT AntiSpyware. The beta seems to be quite able, but questions remain, such as whether it will continue to be free and separate from the OS. I think that the beta is a step in the right direction and that if there's any technology that one could justify including in Windows, it's spyware-blocking technology. For now, you can download Microsoft Windows AntiSpyware at http://www.microsoft.com/athome/security/spyware/software/default.mspx.
Administrator logon verification. One way to verify administrator logons is to display obfuscated or blurred characters the first time the administrator enters them and ask the administrator to type the characters again. This logon security method requires intelligence that viruses and worms don't have and would cripple many viruses that rely on blank or easy-to-guess administrator accounts. I don't think administrators would complain about an additional logon step if it meant fewer viruses and worms to clean up.
Buffer-overflow prevention. Ultimately, Windows must do a better job of containing buffer overflows, which are the goal of most kernel-level exploits. The No Execute (NX) flag in Windows Server 2003 for 64-Bit Extended Systems—buffer-overflow protection supported by processors such as the 64-bit Intel Itanium and AMD Opteron—is a move in the right direction.
Will these security improvements break more applications? Of course—a lot of programs (and lazy programmers) rely on Windows' historically poor security. But Microsoft, third-party vendors, and Windows users are going to have to bite the bullet if we're really serious about fixing security problems. The difficulty for Microsoft lies in allowing users to do the things they need to do, while not letting them do things that are dangerous. That's a difficult line to tread.