A couple of weeks back I was at a Microsoft-hosted event to prepare partners for Windows XP Service Pack 2 (SP2).
The invitation to the event had intrigued me – after all I seem to remember Microsoft making a statement that there would be no new functionality in service packs – how could there be a 1-day event in preparation for a service pack?
Well, it seems that SP2 will be a big headache for many system administrators – and some of the reasons why are pointed out below.
Don’t confuse SP2 with XP Reloaded!
XP Reloaded is not a product – Microsoft says it’s a value-added initiative for XP (marketing hype to you and I).
So what is SP2?
SP2 is part of Microsoft’s Springboard initiative, which is basically about getting secure and staying secure. Springboard starts with SP2, but also includes Windows Update 5.0, Windows Installer 3.0, Windows Update Services (formerly Software Update Services) 2.0 and Windows Server 2003 Service Pack 1.
Springboard is a direct response to the ever-closing gap between security updates and the associated exploits. Looking at some recent exploits, the number of days between patch release and exploit has become alarmingly small – especially when many of us need to test patches fully before deployment. Hiding behind a corporate firewall is no good either – many threats come from within the perimeter – laptops taken home, personal e-mail, etc. According to Microsoft: Nimda followed the Microsoft patch 331 days later; SQL Slammer 180; Welchia/Nachi 151; Blaster 25; and Sasser took just 17 days.
SP2 is a collection of patches and operating system enhancements, designed to improve security. The top line is that XP systems running SP2 will offer enhanced security through:
- Resilience – through networking protection; data execution prevention; greater control when browsing; and more secure e-mail/instant messaging.
- Management – through group policy enhancements.
- Visibility – through Windows Security Center; and Internet Explorer (IE) user interface enhancements to provide more information.
And what isn’t SP2?
SP2 is not a “silver bullet”. It doesn’t protect customers from viruses and prevent data loss. What it does do is make it harder for a hacker to get through multiple levels of security.
So what does SP2 mean to you?
If you run Windows XP on your organisation’s PCs, or if your customers run Windows XP, you cannot ignore SP2.
The key messages are:
- For everyone with a web presence: Alert your customers that their web site experience may change if they run SP2.
- For ISVs: Test your products against SP2 and make code changes where necessary.
- For Windows XP customers: Rigorously test applications against SP2 before deployment.
When Microsoft rolled out SP2 internally, the key issues were around IE and the new Windows Firewall. 73% of issues were IE-related. 68% of these problems are fixed in later versions of SP2, but 32% require further action in order to make the application compatible.
Some SP2 features
The following gives a flavour of some of the new features in SP2:
- The new Windows Security Center ties together many security elements into a new control panel applet. The most significant of the new features is the Windows Firewall (previously Internet Connection Firewall), which is now turned on by default for all connections and is loaded earlier in the boot process (in the kernel). For organisations using Microsoft Active Directory (AD), the firewall is controllable via group policy, with both domain and standalone profiles. It supports exceptions on a global or a subnet level, as well as the concept of application ports, which are opened only when an application is running, with any outbound traffic being allowed, but inbound only for a few seconds following an outbound request. The firewall also disables file and print sharing for all but the local network.
- The Windows Firewall can be configured using a variety of methods including: the netsh command (which is scriptable); the netfw.inf file (during installation – developers can find the information they need on this in the Windows XP Service Pack 2 SDK); through the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter; using a new group policy template; or directly through the Windows user interface.
- Some administrative tools will not work under SP2 as the Remote Procedure Call (RPC) service no longer allows anonymous logons (although exceptions can be configured in a new RestrictRemoteClients registry key).
- DCOM now separates Everyone from Anonymous such that it now behaves more like Authenticated Users. This means that there are now two permissions levels (Launch and Access) for each of three security contexts (Administrator; Everyone; and Anonymous), configurable in Component Services.
- The Add/Remove programs applet has some user interface enhancements including a new “show updates” checkbox.
- The Alerter and Messenger services are now disabled by default.
- Windows Messenger will now block unsafe file transfers (using a MIME sniff to check the file type – so it’s no good just changing the extension).
- Outlook Express now uses plain text by default with a link to view HTML content where appropriate. There are also changes to the dialogs around attachment opening.
- Basic authentication over HTTP is disabled by default under SP2 RC1, although it is rumoured that this will be dropped from the RC2 and RTM versions of SP2.
- The MS JVM is not removed or installed by SP2 (it is just left in its current state); however there is a new Microsoft Java VM which will only disable the MS JVM, rather than all JVMs (Sun JRE etc.).
- IE now includes a popup blocker, as well as changes to the default security options. The new IE information bar traps ActiveX content in websites until the user enables it and all ActiveX components must be signed (including the installer). The popup blocker could have a major impact on websites that resize windows, etc. – and even adding a site to the trusted sites list (stored in HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow) will not allow some code to execute. Some of these settings can be overridden using group policy, although Microsoft were at pains to stress that these security enhancements are there for a reason and should not simply be turned off. As for Windows Messenger, MIME handling is used to enforce file type restrictions within IE. All of the security enhancements for IE are per security zone and exceptions can be specified.
- SP2 supports No eXecution (NX) zones, although hardware support for this is limited at this time. These mitigate buffer overrun attacks by marking memory as either data (NX, non-executable) or executable. Just-in-time generated code will fail unless the memory is explicitly allocated with execute permission.
- There are also changes to the Automatic Updates default client settings.
- The Windows Security Center runs as a service and slightly annoyingly (but this is always going to be a problem where the code base is shared between consumer and professional versions of an operating system), it uses a different UI when running in workgroup mode; however it does highlight to users when they are not running up-to-date anti-virus (AV) software. Beware that some AV products may not be picked up by the Security Center even if they are present – of course Microsoft say that they have been working with leading vendors, but expect to see a raft of new AV products hitting the market soon.
- Under SP2, wireless networking now has a new interface and there are new wizards for establishing WiFi and Bluetooth connections.
Other Springboard products
Windows Update 5 will feature a number of enhancements with a revised layout, drawing together content from the current Windows Update and Microsoft Update sites.
Windows Installer 3 will allow: smaller and more reliable patches; patch removal; and sequencing of patches.
Another new upcoming feature is an uninstaller for Windows Media Player 9 (only if installed on top of Windows XP – not if slipstreamed), along with revised license management.
So when are we going to see SP2?
The current estimate is for release to manufacturing (RTM) in Summer 2004. According to Microsoft, over a million people are running the release candidate 1 (RC1) version, and RC2 is imminent (May/early June – but as the event was on 27 May, that seems unlikely).
And Windows Server 2003 SP1? The current estimate is Q1/05.
Preparing for SP2
The key areas in preparing for SP2 are to:
- Plan testing and resources – this will identify how big a problem SP2 will be for your organisation and which issues are likely to be hit;
- Test external web sites against SP2 – as part of their contracts, OEMs must move to SP2 within 90 days of RTM. That means that external clients with new PCs will be rolling SP2 out almost straightaway. There is also a rumour that Microsoft may classify SP2 as a critical update to force adoption;
- Test internal applications on SP2;
- Install all packaged applications (MSIs) and try each one on an SP2 computer – the main problems will be with DLL conflicts where the SP2 version is overwritten by the MSI installation;
- Plan and test a deployment technique – this could be via SUS, SMS or Windows Update, but beware, SP2 is big!
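The DLL-conflict point above is easiest to act on if you record the file versions in a system directory before and after each MSI is installed and then look for anything that went backwards. The following is an added example, not part of the original post: it parses two such inventories (a constructed `name<TAB>version` format, with made-up version numbers rather than real SP2 file versions) and reports downgrades and removed files. How you produce the inventories on the test PC is up to you; the script only compares them.

```python
"""Flag DLLs that an installer replaced with an older version.

Added example, not from the original post. Compares two file-version
inventories of the same directory, captured before and after running an MSI,
and reports files whose version decreased or that disappeared. The inventory
format (one 'filename<TAB>version' per line) and all version numbers below are
constructed for this example.
"""


def parse_version(ver):
    """'6.0.2900.2180' -> (6, 0, 2900, 2180).

    Non-numeric suffixes are ignored and short strings are padded so that
    '5.1' compares as (5, 1, 0, 0); versions always compare as 4-tuples.
    """
    parts = []
    for piece in ver.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def parse_inventory(text):
    """Parse the constructed inventory format into {filename: version string}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("\t")
        if name and version:
            inventory[name.lower()] = version.strip()  # NTFS names are case-insensitive
    return inventory


def find_downgrades(before, after):
    """Return [(filename, old_version, new_version)] for files whose version decreased."""
    downgrades = []
    for name, old in before.items():
        new = after.get(name)
        if new is not None and parse_version(new) < parse_version(old):
            downgrades.append((name, old, new))
    return sorted(downgrades)


def find_removed(before, after):
    """Return filenames present before the install but absent afterwards."""
    return sorted(name for name in before if name not in after)


# Constructed sample inventories (version numbers are illustrative only).
BEFORE = """\
# snapshot taken on a clean SP2 test PC before running the MSI
comctl32.dll\t6.0.2900.2180
msvcrt.dll\t7.0.2600.2180
msxml3.dll\t8.50.2162.0
oleaut32.dll\t5.1.2600.2180
"""

AFTER = """\
# snapshot taken after the MSI finished
comctl32.dll\t6.0.2800.1106
msvcrt.dll\t7.0.2600.2180
msxml3.dll\t8.50.2162.0
vendorlib.dll\t1.0.0.0
"""


def compare_snapshots(before_text, after_text):
    """Convenience wrapper: returns (downgrades, removed) for two inventory texts."""
    before = parse_inventory(before_text)
    after = parse_inventory(after_text)
    return find_downgrades(before, after), find_removed(before, after)


if __name__ == "__main__":
    downgrades, removed = compare_snapshots(BEFORE, AFTER)
    for name, old, new in downgrades:
        print(f"DOWNGRADE {name}: {old} -> {new}")
    for name in removed:
        print(f"REMOVED   {name}")
```

Run it against the two constructed snapshots and it reports comctl32.dll as downgraded and oleaut32.dll as removed, while the newly added vendor DLL and the unchanged files produce no output. A file that comes back with the same version is not flagged, so a genuinely non-conflicting install runs clean.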
Testing applications with SP2
Microsoft provides an Application Compatibility Toolkit which can be used to identify installed applications and then verify them, to identify known fixes or, where required, to target remedial work with developers/vendors; although the SP2-aware version (v4.0) is some way off at the time of writing.
Applications should be tested on SP1 and SP2 PCs, to allow comparisons to be made and if necessary, any issues to be rectified. Following testing, applications can be ranked to allow an assessment of deployment risks, i.e. application is compatible; application requires basic compatibility modifications; application requires extensive modifications; application is incompatible. Once this analysis has taken place, the application benefits can be compared with the risk of not applying SP2.
- Installation: I have not installed SP2 (because I don’t run pre-RTM code on my laptop) but from what I have heard, even once you have downloaded a copy, it takes a considerable time to install (30 minutes, if virus checking is turned off). Most of the known issues with installation are hardware issues on tablet PCs, but there may also be problems where permissions have been changed in local policies. Also, some product keys that are known to have been compromised will no longer work under SP2.
- Internet Explorer: Due to the significant changes that SP2 introduces to the browsing experience, IE will be one of the areas where many problems occur. Issues can be isolated by: attempting to replicate the problem on a computer with SP2 and all subsequent updates; adding the problem site to the trusted sites list; lowering security; and finally by switching off features introduced in SP2 via group policy or in the Tools menu. Once isolated, appropriate action can be taken and any features that have been disabled may be re-enabled as appropriate.
- Windows Firewall: The Windows Firewall is another significant change. Under SP2 it is enabled by default for both domain and standalone profiles, and because the firewall also disables file and print sharing for all but the local network there will be some inevitable problems for laptop users who take their PCs home. Exceptions may be required for management agents and administrative tools to work as required, and for remote desktop. Firewall activity is logged to %systemroot%\pfirewall.log.
- DCOM and RPC: DCOM and RPC no longer allow unauthenticated connections by default. For DCOM, this can be changed in Component Services, and for RPC via the registry. Remember that DCOM is reliant on RPC.
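Working out which firewall exceptions are actually needed is easier from the log than from user complaints: every inbound packet the Windows Firewall drops can be written to pfirewall.log, and grouping those drops by destination port and source address shows which management agents or remote desktop sessions are being blocked, and whether a subnet-scoped exception would cover them. The script below is an added example and not part of the original post. It parses the W3C-style log (taking the column names from the file's own `#Fields:` header rather than hard-coding them) and summarises inbound DROP entries; the log lines are constructed for the example, as is the 10.1.2.0/24 "local subnet" it classifies sources against.

```python
"""Summarise inbound packets dropped by the Windows Firewall (pfirewall.log).

Added example, not from the original post. The log is W3C extended format:
comment lines start with '#', and the '#Fields:' line names the columns, so
the parser reads its layout from the file instead of assuming one. All sample
log lines below are constructed; a real log lives at %systemroot%\\pfirewall.log.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: three blocked RDP attempts from a LAN host, a NetBIOS
# broadcast, one SMB attempt from a different network, one allowed outbound
# HTTP connection (OPEN/CLOSE lines appear when connection logging is on) and
# a truncated line of the kind left by an interrupted write.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-01 09:15:02 DROP TCP 10.1.2.50 10.1.2.10 4120 3389 48 S 1234567 0 65535 - - - RECEIVE
2004-06-01 09:15:05 DROP TCP 10.1.2.50 10.1.2.10 4121 3389 48 S 1234568 0 65535 - - - RECEIVE
2004-06-01 09:16:10 DROP UDP 10.1.2.7 10.1.2.255 137 137 78 - - - - - - - RECEIVE
2004-06-01 09:17:30 DROP TCP 192.168.5.9 10.1.2.10 3344 445 48 S 99 0 16384 - - - RECEIVE
2004-06-01 09:18:00 OPEN TCP 10.1.2.10 10.1.2.20 1052 80 0 - 0 0 0 - - - -
2004-06-01 09:18:01 CLOSE TCP 10.1.2.10 10.1.2.20 1052 80 0 - 0 0 0 - - - -
2004-06-01 09:19:12 DROP TCP 10.1.2.50 10.1.2.10 4122 3389 48 S 1234569 0 65535 - - - RECEIVE
2004-06-01 09:20:00 DROP TCP 10.1.2.
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names on the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or half-written line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def summarize_drops(records, local_subnet):
    """Group inbound DROP entries by (protocol, destination port).

    Sources inside local_subnet could be served by an exception with subnet
    scope; sources outside it would need a wider scope, or are unsolicited
    traffic that should stay blocked.
    """
    net = ipaddress.ip_network(local_subnet)
    summary = defaultdict(lambda: {"count": 0, "subnet_sources": set(), "remote_sources": set()})
    for rec in records:
        if rec.get("action") != "DROP":
            continue
        # Logs written with an older header have no 'path' column; treat those as inbound.
        if rec.get("path", "RECEIVE") != "RECEIVE":
            continue
        entry = summary[(rec["protocol"], rec["dst-port"])]
        entry["count"] += 1
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # malformed address: counted, but not attributed to a source
        (entry["subnet_sources"] if src in net else entry["remote_sources"]).add(str(src))
    return dict(summary)


def report(summary):
    """Render the summary as text, busiest port first."""
    lines = []
    for (proto, port), e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{proto}/{port}: {e['count']} dropped; "
                     f"subnet sources {sorted(e['subnet_sources'])}; "
                     f"remote sources {sorted(e['remote_sources'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize_drops(parse_firewall_log(SAMPLE_LOG), "10.1.2.0/24")))
```

On the constructed sample the output shows TCP/3389 with three drops, all from a host on the local subnet (so a subnet-scoped remote desktop exception would resolve it), TCP/445 with one drop from an address outside the subnet (the file and print sharing block working as intended), and the UDP/137 NetBIOS broadcast. Dropped-packet logging has to be switched on for any of this to appear; on XP SP2 that is one of the settings reachable through the scriptable netsh firewall command mentioned earlier, via its `set logging droppedpackets=enable` option.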
Getting hold of SP2
SP2 is currently around 275MB, although this includes debug code at present and will shrink before RTM. It will be made available on CD, or via a smaller “express installation” for the web, although even that is 80Mb (about 9 hours on a dial-up connection!). Registered users will receive a free CD with SP2. A fully slipstreamed build will also be made available, and other languages will follow approximately 4 weeks after RTM.
Windows XP Service Pack 2 Technical Preview Program
Group Policy Settings Reference for Windows XP Professional Service Pack 2 Release Candidate 1
Windows Application Compatibility Toolkit 3.0
Windows Update Version 5 Beta
Windows Update Services Open Evaluation Version