Ready or not, here comes secure Windows XP

Three warnings about XP Service Pack 2

  • To foil worms and viruses, Windows XP Service Pack 2 has a new way of handling e-mail attachments. If your office has a business process using attachments that execute automatically, 'You probably need to look at that, because it's probably going to break,' Microsoft's Todd Gagorick said.

  • The built-in firewall now blocks unsolicited calls to services. But some applications, including remote-management and scanning tools, need to make such calls, so firewall policy must be altered to allow them.

  • SP2's Internet Explorer browser is less friendly to mobile code. If you use Web applications that load lots of mobile code, make sure Explorer controls are configured properly.

    Systems administrators and IT security vendors are bracing for what Microsoft Corp. has called the most significant security upgrade ever to a Windows operating system.

    Todd Gagorick, a Microsoft senior technical specialist, said he is guardedly optimistic about the disruption that will be caused by Windows XP Service Pack 2.

    'It's a pretty reasonable assumption that you can deploy SP2 with a minimum of pain,' he said. But he warned that enterprise users should look carefully at the service pack's compatibility with the applications they routinely use.

    Firewall and antivirus vendors whose products compete with SP2's new security features are announcing compatibility with the service pack, although some products will require upgrades.

    Chad Harrington, director of enterprise products for Zone Labs Inc. of San Francisco, advised caution in rolling out SP2 to the enterprise. 'It makes sense to be prudent and take your time and test,' he said.

    Ready or not, said Justice Department IT security staff director Kevin Deeley, 'This is going to hit us. No matter what, it's coming down the pike.'

    SP2 officially began its trip down the pike Aug. 6. New PCs will have the operating system upgrade next month. Preferred customers and then the public will get it via CDs and downloads to be phased in over several weeks.

    The file size is about 70M for XP Home and 92M for XP Professional.

    Gagorick called SP2 one of the first fruits of Microsoft's 2-year-old trusted computing initiative. It has stronger default desktop security settings and a new Security Center management console. Also, Windows' built-in firewall has been reworked, and a host of buffer-overrun problems in Internet Explorer have been fixed, he said.

    Although attacks still can crash the browser, it will stop malicious code from executing, he said.

    Deeley said Justice primarily runs Windows 2000 on its desktop systems. 'We're much smaller on the XP side,' he said, and the department will not rush to install SP2. 'We're not upgrading everything at once. It will be part of day-to-day business.'

    Justice has a strong configuration management process and 'a solid test bed for testing before we implement it,' Deeley said.

    Although SP2 will bolster desktop defenses, Harrington said its lack of central management likely will deter Zone Labs' enterprise customers, including government.

    'If you're an enterprise, it's probably not going to meet your requirements,' he said.

    Zone Labs sells its own firewalls, and Harrington said most customers probably would not turn on the Windows firewall, which he called 'very basic' because it automatically trusts all computers on the same network segment. Also, its application programming interface lets programs disable the firewall or open ports without being validated first, Harrington said.

    'Being able to programmatically turn the firewall off is a security nightmare,' he said.

    Symantec Corp. of Cupertino, Calif., recommended that users of its firewall products disable the Windows firewall, although all Symantec products are compatible with SP2.

    'Both firewalls can be on at the same time without causing software conflicts,' the company said, but 'running both products simultaneously will cause minor performance degradation.'

    Symantec officials also are ironing out a wrinkle with the Windows security console. It might not properly register some Symantec products, which have tamper-protection features to make it difficult to scan their status.

    The problem will be corrected in a product update available now for current versions of Symantec Client Security and Antivirus, and in the next maintenance release for earlier versions, company officials said.
