Windows XP SP2: A bandage, not a panacea

SAN FRANCISCO -- Unless you've been living in a cave for the past few months, you already know Microsoft Corp. has released Windows XP SP2 (Service Pack 2), the biggest update ever to XP. You also know that it's supposed to fix the security holes that have become all too apparent in Windows XP SP1. You know what SP2 is; what you might not know is what it actually does and how it works.

With SP2, Microsoft has delivered much in the way of security improvements. But before you let it loose on production machines throughout your company, you'd be well served to run it on test machines: Some additions can actually break your applications.

In my tests, I loaded the SP2 disk into a fast, well-equipped HP Workstation xw8000 running XP Professional SP1. Installation requires you to wait for the autoload to bring up a menu, agree to the license agreement, and let it go.

I did run into problems when trying to install SP2 on a nearly identical xw8000; the computer wouldn't boot. After spending an hour on the phone with Microsoft's India-based support team, I resolved the problem. Unfortunately, I never figured out the cause or the fix; things were just suddenly working.

After reboot, the first thing you see is the new Windows Security Center, which provides a central location for the most critical security features: the firewall, the antivirus software, and Windows Automatic Update. At a glance, you'll see whether these three features are running and up to date.

Of course, there's more to the improvements than just the Security Center. The more obvious changes include launching the Windows firewall by default unless the installer detects another firewall already running. Additionally, the Windows firewall now communicates with users on a more detailed level. Unfortunately, the Windows firewall still doesn't attempt to control outgoing traffic, so you'll need a personal firewall from a third-party vendor for full protection. SP2 also blocks anonymous RPCs, and those that run are set at a lower privilege level.

Changes to Internet Explorer now prevent masking the address bar, a tactic often used in phishing. Other changes include preventing the masking of dialog boxes that carry out certain actions, such as switching the home page, and revising Active X controls to prevent forced downloading of code. Internet Explorer now features an add-on manager so you can see whether you've inadvertently installed something you don't want.

SP2 also offers a series of changes to how Windows executes code. These changes prevent attachments from launching and reduce the chance that malware will execute as a result of some simple action. An additional processor-based "no-execute" feature is expected to be offered in forthcoming Intel and AMD processors.

The result of all these changes is a version of Windows in which users and admins have to do less to make a machine reasonably secure.

SP2 is not a cure-all, however. For example, the default pop-up blocking and the changes to ActiveX will break some apps. Moreover, many computers will need driver updates before they can run SP2. You should check with the manufacturer of your computers and the company that makes your critical applications, and you should run tests on hardware as identical as possible to the machines on which you plan to install SP2. Even then, you may find problems, but at least you'll keep them to a minimum.

Wayne Rash is an InfoWorld senior contributing editor.

This story, "Windows XP SP2: A bandage, not a panacea" was originally published by InfoWorld.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon