Posted on 07/05/2004 2:53:13 PM PDT by demlosers
The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece.
Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure. Many of the other user interface bits are aimed more at protecting Microsoft, you, me, and everyone from what consumers don't know about securing their computers. As a result, they just don't matter that much to IT shops.
But Microsoft isn't wrong on that point: Many home and casual users really aren't paying close enough attention to security. And when blended-threat household-name viruses and worms start using multiple means of spreading themselves around the planet, the fact that several million consumer boxes have been plugged up (as soon as SP2 ships!) is a very good thing indeed.
Nevertheless, just how much might all that consumer touchie-feelie stuff get in the way? I'm going to explore all major aspects of the service pack in a multiple-part series on Windows XP SP2, based on the recently released RC2 code.
Windows Firewall
In retail boxes, Microsoft is enabling its revised Windows Firewall software firewall utility by default. Large enterprise customers will, of course, be able to disable the new Windows Firewall on network installations. But not every company installs or updates Windows that way.
For the rest of us, some consideration may be in order to avoid potential software firewall conflicts. In my tests, the problem never cropped up. So the firewall is on. Turn it off if you're running another one. Microsoft provides a new Windows Firewall Control Panel just for that purpose.
There are also some advantages of a firewall onboard. Windows Firewall offers solid basic protection; it's better than ICF (Internet Connection Firewall, the utility it replaces), and it's a lot better than nothing. Windows Firewall is easier to configure, and more important, it's better about staying out of the way of your applications. It also now has improved protection during boot and shutdown, something all top-notch software firewalls provide.
The biggest benefit, though, is probably as stand-in protection for mobile PCs connected to hotels and hot-spot wireless networks. They're protected back in the office, but on the road or when working at home, they're often sitting ducks. It's very easy to turn Windows Firewall on, and the "Don't Allow Exceptions" mode locks things down with a very simple control.
Even so, Windows Firewall's intrusion prevention and outbound monitoring are not as robust as those of some other firewalls. In RC2, Windows Firewall also has a tendency to turn itself on after system updates, system restores, or in conjunction with the Windows Security Center (which we'll address in a future installment).
For my money, either ZoneAlarm 4.5 or 5.0 Pro or Symantec's Personal Firewall 2004 would be better bets for protecting road warriors out in the wild. On the other hand, Windows Firewall is about to be onboard, and you already paid for it.
Windows Firewall may be the largest feature in Windows XP Service Pack 2, but from an enterprise perspective, it's pretty small potatoes.
Internet Explorer The Windows XP Service Pack 2 version of Internet Explorer 6 may be the largest bone of contention for companies. Test it first, and expect Microsoft to do its utmost to clear the way for major incompatibility issues with enterprise Web apps.
According to a Microsoft product manager, Microsoft's last major delay of Windows XP Service Pack 2 was caused by a hue and cry from enterprise evaluators about largely invisible new security measures, especially those in Internet Explorer that affect Web applications. Very likely you'll be able to see this for yourself after you install SP2. Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with SP2 version IE 6. Most of these activities are prevented by default, and until thousands of Web sites and Web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of Web stuff is going to be broken--or, at least, temporarily halted.
That doesn't mean nothing works properly; a check of sites that offer more-advanced Web-based functionality showed no significant problems at all. But even when things do work, they may be halted by Internet Explorer requiring user acceptance to continue.
In many cases, that level of prevention is handled by Internet Explorer's "Information Bar," which halts suspicious processes on a site-by-site basis, presenting options for defeating or selectively defeating IE's automatic protections. Since that exception processing applies only to the specific Web page you're on, the decisions you make create a custom Web-security configuration on the fly. Microsoft got this part right. The only drawback I can see is that the text-based Information Bar doesn't jump out at you. It appears as a single line below the browser toolbars and above the Web page. When you click the words "Click here," a context menu of configuration options opens. The words and menus vary considerably in context. We'll all become intimately familiar with the Info Bar, I fear. On the other hand, I can't think of a better way to bolster security in Internet Explorer--one of the most vulnerable facets of Windows.
One of the best new features of SP2's Internet Explorer is the Add-On Manager, available from the Internet Control Panel's Programs tab. It gives you a way to enable, disable, and configure ActiveX controls, browser help objects, and browser extensions. The primary purpose of this tool is to provide a user interface for controlling things that have already been added to your Internet Explorer installation. When, for example, you have already said yes to an ActiveX program Information Bar query and later decide you don't want that program on your computer, the Add-On Manager is the tool that solves that problem.
When you disable an ActiveX applet and you visit a site that wants to use it, the IE status bar shows a balloon pop-up informing you that the program is disabled and can be re-enabled in Add-On Manager. Add-On Manager is a very useful addition to Internet Explorer.
SP2 also provides a new Attachment Manager that works with Outlook Express, Windows Messenger, and Internet Explorer by identifying and preventing potentially unsafe attachments during the opening process. When this occurs, the attachment is prevented from opening and a pop-up is offered to both warn you and offer options for controlling it. IE also has download monitoring that offers the same sort of protection for downloads from Web sites.
Internet Explorer has also been strengthened internally to thwart several specific exploits and plug a wide swatch of identified vulnerabilities. One of the more notorious vulnerabilities was a series of little-known IE security controls that protected the local machine. These controls could previously be adjusted by a malicious program, opening up the browser and thus the computer to attack.
With the browser battle long since won, there's nothing forcing Microsoft to do much of anything about improving the functionality of Internet Explorer. But there's one feature IE has sorely missed. Virtually all its competitors provide tabbed browsing--the ability to house multiple Web windows within a single browser window and let their users click tabs to switch among them. This is the underlying principle of the current Windows user interface, introduced with Windows 95. Yet Internet Explorer continues to lack the capability.
Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.
Despite obvious potential difficulties, especially for enterprise Web applications and some higher-end consumer Web sites, there's no major reason to avoid installing SP2. But heed this advice: Download RC2 now and test all your internal applications, as well as your intranet and your public Web site. That's the only way to be sure that you won't have significant problems later on when a lot more people are running this new version of Internet Explorer.
Despite that caveat, the security benefits outweigh the potential negatives, which will be fixed with time. And the nifty pop-up blocker should reduce the annoyance factor.
(Excerpt) Read more at informationweek.com ...
It's a lot faster than microslop. And is completely FREE.
I can't wait for all those firewall savvy consumers to install SP2. That will fix the Internet. No more adware, spyware, malware.
Good News Tech Ping
You might want to check and see if Microsoft will mail you the CD. Even though I have broadband, I ordered the latest windows update CD in order to mail it to my mother who is still on dial-up. Microsoft sent me the CD for free.
So far the word I've heard on RC2 has been good. But I still hesitate to install a beta operating system. I think I'll wait a month or so and see if RC2 is made official, perhaps with a few tweaks. This is a nice evaluation article. I agree that it makes sense to install SP2 as soon as it is finalized.
Also, before my most recent reformat, I had installed SP1 for XP, and had a marked decrease in performance. I didn't repeat the mistake with my latest setup.
I don't know if it will be fixed in SP2, but it seems that MS was made aware of the issue and re-did the patch.
It's rooted in Windows XP Hotfix Q811493. You can see it in Add/Remove Programs in Control Panel. Also, it's been reported that this problem affects between 40% and 60% of XP users who installed SP1.
But once bitten, twice shy, ya know? I won't install SP2 until I get the full green light that it won't muck up my system with tons of useless BS, or restart all those damned useless services I went to so much trouble to disable.
For now, I'm running fast and lean with the original XP install, with a few performance mods to the registry, of course. ;-)
I have a question.
I've got XP, but I've never installed SP1. I have, however, installed all the Windows updates. I assume I'll have to install SP1 before I install SP2. The questions is -- do I have to reinstall all the Windows updates after I install SP1?
Given the nature of Microsoft products... let's just say I think the hotfix should stay in place.
I did some research, and Microsoft figured out the problem, but only distributed a corrective program internally. It was never made publically available. Hopefully it'll be in SP2...
Can anyone help me????
I have Windows XP and just now when I was typing on a forum a large screen size pop-up arrived - it was first announced on my toolbar at the bottom of my screen. $50 reward it said....I hit it and an ad came up: SHOULD GEORGE BUSH BE RELECTED? yes..... no...... $50 reward for reply.
I deleted it.....
Does anyone know who is responsible for these ads? Move-On or Soros????
Thanks for any information you can give me....
"For my money, either ZoneAlarm 4.5 or 5.0 Pro or Symantec's Personal Firewall 2004 would be better bets for protecting road warriors out in the wild" ping
Better yet a linksys, why put the guard in the vault? better to put him at the door..
Um. Explain please? Are you suggesting I carry some Linksys device when on the road?
No but I am suggesting for *home* use its better..
Installing SP2 on my main computer effectively wiped out my home network (2 desktops, 3 laptops and a wireless media center) until I disabled the new Windows Firewall. If you have a wireless base (I use a Netgear G unit), you will have problems with the firewall. Contacting Netgear, they told me that the base has a built-in firewall. I'm also using WEP encryption, so I turned the Windows Firewall off and everything came back on line as before. Problem solved.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.