Much has been written about the security benefits of Microsoft's upcoming Windows XP Service Pack 2 (SP2) for end-users. Less has been said about how SP2 will change things for businesses - and how much trouble IT managers are likely to face in rolling out such a major release.
Microsoft always planned a second service pack, but after a particularly nasty round of Windows worms late last year the company decided to put a major effort into SP2, turning it into an XP security overhaul. The company has even said Longhorn's delays are partly due to the developer effort diverted to SP2, though such claims are best taken with a grain of salt. What is clear, however, is that "this is not a normal service pack", as David Overton, Microsoft's UK technical specialist for SP2, puts it.
In rolling the software out, IT managers should expect an experience somewhere between a routine service pack and a point release, Overton says. It will need to go through a testing process like any application, though Microsoft says it has tried to keep this process as painless as possible.
Where the difficulties could come in is that Microsoft has made an explicit departure from its usual policy of placing ease of use and backward compatibility above all else: changes to APIs and default settings will mean the user experience will change, and some applications will no longer work. Both could mean deployment hassles, but Microsoft argues that the improvements for enterprises - such as new tools for managing patches and security policies - will make it worth the trouble.
In March it became clear that the scope of SP2's changes would break some applications, including Microsoft's own Visual Studio products and the .Net Framework. "It may surprise some of the developers that we are changing some defaults and that may affect the way some of the older applications run," said Tony Goodhew, a product manager in Microsoft's developer group, at the time.
"Developers should absolutely be checking their applications against Windows XP SP2." Microsoft is helping companies get their software SP2-compliant. But if software vendors find they need to release updates, installing these will only add to the task of getting SP2 running. Microsoft is planning Visual Studio and .Net Framework updates for around the same time as SP2's third-quarter release.
SP2 promises to simplify the way patches are rolled out, introducing "delta patching", which installs only the files that need to be updated, rather than every file that might need updating. The upshot will be an 80 percent reduction in patch sizes, Microsoft claims, and since the smaller patches will overwrite fewer locked files, system reboots will be less frequent. For businesses rolling out patches to thousands of PCs from an internal server, this could ease a significant bottleneck. "Even if it was only a 4MB patch, over 1,000 PCs that is a big spike in traffic," says Overton. "This will be great for their network." Delta patching will also affect PCs connecting directly to Microsoft's Windows Update servers.
The patches will include more specific metadata so that IT managers can determine how urgent a patch is and what files and dependencies will be affected. IT managers will be able to set policies for particular patches, for example requiring that users install and reboot their PCs by a certain date. Over time, this system will be extended from Windows OS patches to applications such as Office and Exchange, Microsoft says.
This is not the only new framework SP2 is putting into place: another involves tweaks to the Security Center component. This allows users to monitor changes to XP's security status, for example whether the desktop-level firewall is turned on, whether antivirus definitions are up-to-date and whether necessary security patches are installed. Eventually Security Center will give IT managers more centralised, tighter control over the security status of PCs. For example, future updates to Windows Server will allow it to verify the security of a machine before allowing it to the internal network. For now, SP2 lets Security Center recognise more third-party components such as firewalls and antivirus packages.
Norton and McAfee have been added as of SP2 release candidate 2 (RC2); others include Etrust, Kaspersky, Panda, Sophos and Trend Micro. As of RC2 Microsoft says Security Center can detect the presence of Ahnlab and Norton antivirus, but nothing more specific.
Firewalling for laptops
As part of its new security-conscious image, Microsoft is heavily promoting the use of Windows Firewall (formerly Internet Connection Firewall) for businesses, in a way that some industry observers find a bit impractical. Enterprises generally rely on perimeter firewalls, but the growing popularity of laptops means a machine could be infected while outside this protection. The infected machine can then bring a worm into the internal network when the user returns to the office. Microsoft argues laptops should run desktop-level firewalls for this reason, but the company also thinks stationary desktops should have firewalls.
This means a user would be kept safe in the event that a Sasser or a Blaster did make its way on to the internal network, Microsoft says. "The real question is, why would companies not want to have that extra level of protection?" says Overton.
Ovum analyst Graham Tittering says desktop firewalls are mainly useful in homes and small offices, but could help protect enterprise desktops against particular types of attacks. "They could also help where data is imported directly to the desktop, e.g. via a wireless card or a USB token," he says.
If companies do decide to use Windows Firewall - it can be set on or off by policy - they may need to educate users. The firewall turns all ports off by default, but Microsoft recommends company-wide policies are used to set which applications are allowed to exchange data over the network. A new user interface aims to clarify the process of allowing or disallowing application communications for users. With SP2, the firewall is turned on by default, with all ports closed, and is on during the boot process, closing a loophole that had been exploited by some worms.
SP2 will bring in a feature Microsoft calls No Execute (NX), designed to stop viruses from exploiting buffer overflows to execute malicious code. However, the feature requires processor support that is currently not widely available, so it is unlikely to find wide usage in the near term. Support will be included in Transmeta's existing and future Efficeon chips, and is found in Intel's Itanium and AMD's Opteron and Athlon 64 chips. The Pentium M won't support NX until next year.
A number of other less dramatic security tweaks will also appear, some of which can be centrally managed. For example, Internet Explorer will require more user interaction to put sites and ActiveX controls on the "trusted" list; alternatively, businesses can determine a trusted list and roll this out across the company. Access to RPC and DCOM will be tightened up, disallowing anonymous access by default; these have been exploited by several recent worm attacks. Again, anonymous access can be turned on by company policy.
SP2 is not just a new kind of service pack, it represents a new situation for Microsoft, analysts say: for the first time the company is putting out a major piece of software not as a money-spinner but in order to protect its reputation. As such, it has an interest in getting the software as widely deployed as possible, as quickly as possible, and will be pushing SP2 through free CDs and a huge promotional campaign - the first time it has actively promoted a service pack.
The company says it's confident businesses will rush to deploy SP2 because of its security improvements, though it has declined to discuss what kind of take-up it expects. Partly, the success of SP2 depends on how much of an improvement it's seen to be, weighed against the difficulty of deployment, which Microsoft downplays. "Rolling this out and setting security policies is not going to be a 10-week exercise, it's going to be a short period of time. You can take a first stab at it in 10 minutes," says Overton. "But it's not going to be half a day either."