First Look At Windows XP Service Pack 2

We've tested the new software on a couple of test machines, and here's what we found.

December 29, 2003


Security Pipeline obtained access to the first widespread beta of Microsoft's forthcoming Windows XP Service Pack 2 (SP2) during the holidays. Microsoft has said that this beta represents a subset of what will be released when this software is finalized sometime during the first half of 2004.

We tested the new software on a couple of test machines, and found it to be very reliable during a couple of days of use. It's not recommended that you install this beta in a production environment, however.

Unlike many Windows service packs, this one adds new functionality. There are four main areas where Microsoft has made user interface changes. They are:

1. Automatic Updates

2. Windows Firewall (previously known as Internet Connection Firewall, or ICF).

3. Wireless Networking network controls

4. A new pop-up blocker for Internet Explorer

Full-Automatic Updates

With the beta of Windows XP SP2, Microsoft appears to be shaking a finger, figuratively, at users because they tend not to turn on Automatic Updates--or to limit its ability to do its job by not allowing updates to be installed automatically. The first screen you see after installing SP2 and rebooting is a blue warning page that asks you to turn on Automatic Updates. You have two choices:

1. Yes, help me protect my PC by automatically downloading and installing updates (strongly recommended)

2. Ask me again later.

The properties screen that controls Automatic Updates settings has been changed. There are now four radio button options (it's really the same number of options presented differently), and the first is the most automatic option; the same one that Microsoft calls "strongly recommended." By default, it automatically downloads and installs patches at 3AM every day. This time may be a mistake. Many people turn off their computers at night (both employees and home users). We haven't tested the point, but the default 3AM time may prevent patches from being installed automatically on many PCs. A better default time might be 12:30PM, with a dialog that pops up and waits for 10 minutes asking you what time of day is best for you.

In general the changes to Automatic Updates are a good idea. Some businesses may not want Automatic Updates to be quite so automatic, but on most consumer desktops, this is the correct setting.

Workable Windows Firewall

What used to be called Internet Connection Firewall (and is still called that in build 2055 of the product tested for this story) has been upgraded and rechristened "Windows Firewall." There are several minor changes, but the biggest and best change is that, according to Microsoft, XP's firewall will now work much better with applications. In part, that's delivered by the new default On setting that's something like a medium level of protection. There's also an "On with no exceptions" setting that provides a high security level.

Windows Firewall's Network Connections Tab

The feature we like best is the new Network Connections tab in Windows Firewall's properties, which automatically detects network connections for which you can opt to disable firewall protection--an excellent feature for LANs and wireless networking. Most software firewalls, including ZoneAlarm, offer some semblance of this feature. Without it, Internet Connection Firewall was nearly impossible to use in more complex networking environments. It's still not ideal in an enterprise setting, but in our tests its default configuration stayed out of the way for the most part. And that's a good thing because Microsoft currently intends to turn Windows Firewall on by default.

As will likely be the case with Automatic Updates, some IT managers are bound to be concerned that a software firewall will be turned on by default in Windows XP SP2. While it's easy to turn off, and presumably turning it off by default using enterprise Windows installation tools will be a very simple thing, it could be a mixed blessing. Although this requires Windows servers, Microsoft has said that central administration of Windows Firewall will be available through Active Directory Group Policy.

Not-Ready Wireless Networking?

Microsoft has added a new unified wireless local area network client whose main focus appears to be providing standard client services for third-party wireless hotspots without having to install proprietary software. The new Choose A Wireless Network dialog replaces the functionality of property sheets in the original Windows XP. But when we tested it, we found that the scanning feature didn't work, which made it hard to work with. A test with one wireless network doesn't mean the beta won't work everywhere.

Another type of wireless, Bluetooth, also receives an update with SP2. We did not test it for this story, but Microsoft says the point of the update is to provide support for a wider range of the latest Bluetooth devices, including wireless keyboards, mice, and connections with cell phones and PDAs.

It's a small feature, but certain to be a favorite. Windows XP SP2 will add automatic pop-up blocking to Internet Explorer. The feature is well designed with a simple-but-functional white list (for sites whose pop-ups you want to see). So far, we've only seen it choke on one Web site (ESPN), and the next day it worked fine there.

Although we were unable to test this, Microsoft has apparently added a new feature that blocks remotely-initiated downloads. It's designed to protect Windows users from accidentally downloading and installing potentially malicious programs from Web sites. The feature is apparently designed to block unsolicited download prompts only. When users initiate a download, that process is unhindered. According to a Microsoft document, an indicator in the form of a download link will appear below the browser toolbar when a download is blocked, and users can opt to install anyway by clicking it.

Windows Longhorn build 4051, the alpha release of the next major version of Windows, has the same pop-up blocker that Windows XP SP2 displays. It also adds a new Download Manager whose functionality is sketchy, but presumably it will allow Windows to interrupt and resume downloads initiated by Windows users. It doesn't appear this functionality will make it into Windows XP SP2.

New functionality in IE has been scarce for quite some time. We're hoping that Microsoft is also considering the addition of "tabbed browsing," or multiple browser windows within a single launched instance of the browser. Many people prefer that paradigm, and virtually all IE's competitors now offer it, including Mozilla and Opera.

Security Baked In

There are also some significant areas of security improvement that are invisible in SP2, but they represent some of the more important changes. Windows Messenger Service, the network messaging feature (not to be confused with Windows Messenger, the instant-messaging client), is turned off by default in SP2. The Windows Messenger Service has been the target of spam pop-ups for more than a year. More recently, it has been identified as a possible area of exploit by hackers and malware.

If you make use of Microsoft's Outlook Express e-mail program or Windows Messenger instant-messaging client, the software maker is tweaking these products very slightly to prevent security problems. File attachments to emails or files passed with Windows Messenger will be treated with more suspicion by default. Attachments will be able to open and execute with the fewest permissions possible. Outlook Express will also no longer download external content (such as graphics) in HTML mail by default. Windows XP SP2 will also deliver the latest versions of Windows Media Player 9 and DirectX 9.0b, both of which have numerous security tweaks.

Microsoft has also partially disabled the Remote Procedure Call aspect of Windows, which was targeted by MS Blaster and its variants. It runs with reduced privileges in SP2 and will no longer accept unauthenticated connections by default.

The Distributed Component Object Model (DCOM) has been extended with "more granular COM permissions to give administrators the flexibility to control a computer's COM permission policy," according to a Microsoft document. In the current environment, it's not possible to allow a local-area network access to COM without also implicitly allowing that application access via the Internet too.

Microsoft is also going after the most-often cited cause of computer attacks, the buffer overrun. Just how it is working to minimize buffer overruns in Win XP SP2, the software maker isn't saying in great detail--except to say that all Windows code changed since the original Windows XP was released has been recompiled using Microsoft's Visual Studio compiler, which, the company says, reduces the likelihood of certain buffer-overrun vulnerabilities.

Said And Done

Enterprises will clearly benefit from the changes that Windows XP Service Pack 2 brings, but it's important to note that SP2 is not aimed primarily at businesses. It's best to think of this service pack as Microsoft's response to the MS Blaster worm. Consumer PC users increasingly have always-on broadband connections, and they're leaving their PCs on. At the same time, they may not be protecting those PCs well enough. Microsoft is taking the bull by the horns to ensure that more and more end-users are protected. Given that worms and Trojans not only infect unprotected PCs, but use them as staging areas to infect other PCs, this is an important step for Microsoft to take.

Nevertheless, there are some concerns for IT professionals. If Windows Firewall causes too many problems, it's possible that Microsoft will decide to minimize it further or even turn it off by default. We wouldn't bet on that last option though. We think fewer IT pros will be troubled by Automatic Updates being turned on by default. Microsoft has done a better job of testing its security patches over the last 18 months. That improvement was key, because it makes it much easier for more and more companies and individuals to simply install every update that comes along--or let Windows do it for you--than most of us would have been comfortable with two or three years ago.

All in all, SP2 is a solid set of improvements. While not earth-shaking, it's a somewhat more ambitious Windows service pack than most, and everything about it is labeled "security." So it's a welcome update as soon as Microsoft straightens out all the kinks.
