Victor R. Garza
Published: 01 May 2004
Imagine walking into work tomorrow to find that none of your mission-critical applications is working. A new virus or worm, perhaps? Nope. Something much simpler: Windows XP Service Pack 2.
Microsoft promises many security benefits with this service pack, scheduled for general release this summer. While these changes may keep the hackers and worms at bay, they also make me feel a little uneasy. Think interoperability--or lack thereof.
Best practices call for regression and interoperability testing on your enterprise desktops and legacy applications before any program goes live. But, there's no need to wait until the last minute.
Running a few preliminary tests with the SP2 beta will give you a heads-up on many of the issues you'll encounter during deployment, and will give you some time to resolve or plan for them.
Microsoft's changes will affect nearly every browser-based and custom application in your enterprise. Any app that uses unauthenticated or anonymous connections through RPC and DCOM is disallowed by default, which will stop worms like MS Blaster from slamming your desktops. But, it will also render many internal business apps inoperable. You'll have to adjust those apps or alter configurations in the service pack if you want to take advantage of the security improvements.
In SP2, Windows Firewall is turned on by default, so you'll have to tweak it for any ports used by custom applications. If you decide to use Windows Firewall instead of a third-party personal firewall, expect pop-up alerts whenever a new app tries to access a closed port. You can also anticipate a fair number of help desk calls to open ports or to complain about broken apps. The good news is that you can use Active Directory's Group Policies to configure Windows Firewall to stifle the pop-up alerts.
At this point, you must be thinking, "I'll just skip SP2 and not burn any cycles configuring, changing and modifying my apps or my desktops." Wrong.
SP2 offers tangible security and productivity advantages. When Microsoft finally introduces a pop-up blocker for Internet Explorer, it must mean business.
The new SP2 Security Center includes numerous enhancements, and Automatic Updates has been overhauled for better handling of interrupted downloads. Automatic Updates also includes Delta Patching, which modifies files and negates the need to completely replace faulty DLLs.
The Systems Management Server (SMS) will ease the planning, testing and deployment of SP2, making it the tool of choice for most enterprises. SP2 is somewhat easier to deploy using Group Policies, which, for example, allow you to configure highly granular Windows Firewall settings. If you're not using AD, you can still use login or batch scripting. Regardless of which one you choose, the level of fine-tuning will make deployment a headache.
While we're waiting for the next version of SQL Server (due in '05) and Longhorn ('06), Microsoft is getting XP security enhancements ready now. You have many other projects tugging at you today, but testing the SP2 beta and getting your enterprise ready in advance will pay off in the long run.
About the author:
Victor R. Garza is a freelance author and network security consultant in the Silicon Valley.