Last month's XP SP2 rollout was one of the highest-profile software releases yet. Unlike previous service packs and hotfixes, SP2 (justifiably) received lots of media hype. Rapid deployment on a significant portion of XP systems is also expected. What's more, the changes introduced by SP2 may significantly impact your Web site's usability.
XP SP2 introduces a complete shift in the security philosophy of Microsoft: Rather than pursuing the old "find a bug and fix it" strategy of rolling out hotfix, upon hotfix, the software giant has adopted a "lock it down unless you need it" strategy, bringing Windows into compliance with industry best practices.
XP SP2's functionality may impact the way users view your Web site. Given an expected widespread deployment, there are steps you can take to ensure that XP SP2 will minimally impact your Web site users' experience.Top issues to consider:
- Authenticode and ActiveX controls
Windows IE now blocks the installation of ActiveX controls with invalid signatures by default. While you can override this setting on systems that you administer (for internal applications), you should no longer depend upon Internet users overcoming this issue.
- ActiveX blacklist
Users now have the option to permanently reject all ActiveX installation requests from a particular publisher by selecting "Never install software from 'Publisher,'" when prompted to install a control.
- ActiveX installation
IE now provides an information bar warning users about installing new ActiveX controls. Under the old philosophy, users were presented with a "Yes/No" dialog box, prompting them to install the new software. Now, a browser message states: "To help protect your security, Internet Explorer stopped this site from installing software on your computer. Click here for options..." making it less likely that users will blindly install controls required by your site. However, users will see informational text in place of the control on their screen, which may detract from the visual appeal of your Web site.
- Automatic file download blocking
Users will see a similar prompt (as noted above) if your site pushes software downloads to them (as opposed to downloads that the user initiates through a click or keypress).
- Pop-up blocker
Lastly, IE provides a new built-in pop-up blocker that may (by default) affect the usability of your Web site, unless it's in the user's "Trusted Sites" or Intranet zone.
For more information on the changes in SP2 (and a code snippet that allows you to detect whether a user has SP2 installed), read the MSDN article: "Fine-Tune Your Web Site for Windows XP Service Pack 2" available from Microsoft.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
This was first published in September 2004