Despite significant advances in security software and configurations, experts say that Microsoft XP's Service Pack 2 (SP2) shouldn't be implemented without first educating the user base about the potential ramifications of their decisions. Incompatibility issues are another concern.
"From the security manager's perspective, SP2 is certainly a step in the right direction," said Chuck Adams, CSO of NetSolve in Austin, Texas. "However, in practice, SP2 oversimplifies security management tasks and will likely cause significant disruptions to normal operating processes due to poor user choices -- especially in larger organizations with thousands of users."
Adams said that with the release of SP2, Microsoft has empowered users to decide their own fate. A wealth of new endpoint security capabilities will be enabled by default, but users will immediately be prompted to make decisions. "Once SP2 is installed, users can locally configure their system security policies," Adams said. "While this seems like a good thing, there is little education or information available to associate any potential implications of making these changes. The risk is users' poor risk management choices because their system is prompting them with a decision to either allow or disallow certain types of activities."
This would lead to inconsistent application of policies on user systems because the new security capabilities are locally configured by users who may not understand what they should or shouldn't allow.
Additional concerns about SP2 are focused on interoperability issues.
"Set up a couple of test machines -- one representing a server, the other a desktop -- and install SP2 on them," recommended Eric Schultze, chief security architect for Shavlik Technologies LLC of Roseville, Minn. "Test it for a couple of weeks, then deploy SP2 and go about your business."
Schultze said the primary focus should be on the firewall function in SP2 and how it interacts with other applications. He said it's important to configure the firewall so that the administrator can still manage systems remotely.
"Some corporations may turn off the firewall. I don't believe that's a strong solution, though," he said. "Shavlik recommends installing SP2 and keeping the firewall running, but then configure it so you can still use the other ports and services you need. Leave the firewall running at all times. But at the office, have it configured so it'll only open ports and services needed for your business."
Adams agreed: "Test, test and test. Ensure defined system, operating system and software version standards exist, and quantify the exceptions identified through the testing process."
Small businesses may prefer other options to a lengthy and expensive testing process.
Gordon Corzine, principal of Marblehead, Mass.-based Corzine IT Consulting, provides network security for businesses that typically have only three to seven employees. In an e-mail interview, he recommended contacting customer support for the software vendors that provide the most critical application(s) and asking them if they support SP2. If they say they support it, check whether the application needs to be upgraded or reconfigured to be compatible with the new release.