Evaluating Windows XP Service Pack 2 RC2
The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the
July 5, 2004
Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jam-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure. Many of the other user interface bits are aimed more at protecting Microsoft, you, me, and everyone from what consumers don't know about securing their computers. As a result, they just don't matter that much to IT shops.
But Microsoft isn't wrong on that point: Many home and casual users really aren't paying close enough attention to security. And when blended-threat household-name viruses and worms start using multiple means of spreading themselves around the planet, the fact that several million consumer boxes have been plugged up (as soon as SP2 ships!) is a very good thing indeed.
Nevertheless, just how much might all that consumer touchie-feelie stuff get in the way? I'm going to explore all major aspects of the service pack in a multiple-part series on Windows XP SP2, based on the recently released RC2 code.
Windows Firewall
In retail boxes, Microsoft is enabling its revised Windows Firewall software firewall utility by default. Large enterprise customers will, of course, be able to disable the new Windows Firewall on network installations. But not every company installs or updates Windows that way.
For the rest of us, some consideration may be in order to avoid potential software firewall conflicts. In my tests, the problem never cropped up. So the firewall is on. Turn it off if you're running another one. Microsoft provides a new Windows Firewall Control Panel just for that purpose.
There are also some advantages of a firewall onboard. Windows Firewall offers solid basic protection; it's better than ICF (Internet Connection Firewall, the utility it replaces), and it's a lot better than nothing. Windows Firewall is easier to configure, and more important, it's better about staying out of the way of your applications. It also now has improved protection during boot and shutdown, something all top-notch software firewalls provide.
The biggest benefit, though, is probably as stand-in protection for mobile PCs connected to hotels and hot-spot wireless networks. They're protected back in the office, but on the road or when working at home, they're often sitting ducks. It's very easy to turn Windows Firewall on, and the "Don't Allow Exceptions" mode locks things down with a very simple control.
Even so, Windows Firewall's intrusion prevention and outbound monitoring are not as robust as those of some other firewalls. In RC2, Windows Firewall also has a tendency to turn itself on after system updates, system restores, or in conjunction with the Windows Security Center (which we'll address in a future installment).
For my money, either ZoneAlarm 4.5 or 5.0 Pro or Symantec's Personal Firewall 2004 would be better bets for protecting road warriors out in the wild. On the other hand, Windows Firewall is about to be onboard, and you already paid for it.
Windows Firewall may be the largest feature in Windows XP Service Pack 2, but from an enterprise perspective, it's pretty small potatoes.
The Windows XP Service Pack 2 version of Internet Explorer 6 may be the largest bone of contention for companies. Test it first, and expect Microsoft to do its utmost to clear the way for major incompatibility issues with enterprise Web apps.
According to a Microsoft product manager, Microsoft's last major delay of Windows XP Service Pack 2 was caused by a hue and cry from enterprise evaluators about largely invisible new security measures, especially those in Internet Explorer that affect Web applications. Very likely you'll be able to see this for yourself after you install SP2. Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with the SP2 version of IE 6. Most of these activities are prevented by default, and until thousands of Web sites and Web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of Web stuff is going to be broken--or, at least, temporarily halted.
That doesn't mean nothing works properly; a check of sites that offer more-advanced Web-based functionality showed no significant problems at all. But even when things do work, they may be halted by Internet Explorer requiring user acceptance to continue.
In many cases, that level of prevention is handled by Internet Explorer's "Information Bar," which halts suspicious processes on a site-by-site basis, presenting options for defeating or selectively defeating IE's automatic protections. Since that exception processing applies only to the specific Web page you're on, the decisions you make create a custom Web-security configuration on the fly. Microsoft got this part right. The only drawback I can see is that the text-based Information Bar doesn't jump out at you. It appears as a single line below the browser toolbars and above the Web page. When you click the words "Click here," a context menu of configuration options opens. The words and menus vary considerably in context. We'll all become intimately familiar with the Info Bar, I fear. On the other hand, I can't think of a better way to bolster security in Internet Explorer--one of the most vulnerable facets of Windows.
One of the best new features of SP2's Internet Explorer is the Add-On Manager, available from the Internet Control Panel's Programs tab. It gives you a way to enable, disable, and configure ActiveX controls, browser helper objects, and browser extensions. The primary purpose of this tool is to provide a user interface for controlling things that have already been added to your Internet Explorer installation. When, for example, you have already said yes to an ActiveX program Information Bar query and later decide you don't want that program on your computer, the Add-On Manager is the tool that solves that problem.
When you disable an ActiveX applet and you visit a site that wants to use it, the IE status bar shows a balloon pop-up informing you that the program is disabled and can be re-enabled in Add-On Manager. Add-On Manager is a very useful addition to Internet Explorer.
SP2 also provides a new Attachment Manager that works with Outlook Express, Windows Messenger, and Internet Explorer by identifying and preventing potentially unsafe attachments during the opening process. When this occurs, the attachment is prevented from opening and a pop-up is offered to both warn you and offer options for controlling it. IE also has download monitoring that offers the same sort of protection for downloads from Web sites.
Internet Explorer has also been strengthened internally to thwart several specific exploits and plug a wide swath of identified vulnerabilities. One of the more notorious vulnerabilities was a series of little-known IE security controls that protected the local machine. These controls could previously be adjusted by a malicious program, opening up the browser and thus the computer to attack.
With the browser battle long since won, there's nothing forcing Microsoft to do much of anything about improving the functionality of Internet Explorer. But there's one feature IE has sorely missed. Virtually all its competitors provide tabbed browsing--the ability to house multiple Web windows within a single browser window and let their users click tabs to switch among them. This is the underlying principle of the current Windows user interface, introduced with Windows 95. Yet Internet Explorer continues to lack the capability.
Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.
Despite obvious potential difficulties, especially for enterprise Web applications and some higher-end consumer Web sites, there's no major reason to avoid installing SP2. But heed this advice: Download RC2 now and test all your internal applications, as well as your intranet and your public Web site. That's the only way to be sure that you won't have significant problems later on when a lot more people are running this new version of Internet Explorer.
Despite that caveat, the security benefits outweigh the potential negatives, which will be fixed with time. And the nifty pop-up blocker should reduce the annoyance factor.
The most visible new feature in Windows XP Service Pack 2 may well be the least important for most IT people and their organizations. Still, Windows Security Center may be the right tool for some users' desktops.
Windows Security Center is a new Control Panel applet with system-tray notification whose sole purpose is to ensure that you're aware when your computer is not adequately protected by a firewall, antivirus software, and the latest Windows and IE updates. At its heart, WSC is three sensors that check your security configuration and indicate visually when your computer's protection isn't up to snuff. The antivirus sensor is the most complex. It's designed to check whether an antivirus program is installed, whether that program is running, and whether it's updated with the latest antivirus definitions.
When any of the security checks for antivirus, firewall, or critical Windows updates aren't met, Windows Security Center alerts you with system tray pop-up notifications that open the large WSC Control Panel. A colored light system--not unlike the U.S. government's terrorist-threat-level warnings--gives you instant feedback about whether your system is good to go.
So far so good, but in all major prerelease versions of Windows XP Service Pack 2, the ability of WSC's security sensors to accurately detect mainstream third-party security programs was seriously lacking. The desktop security products of vendors that have the largest installed base of users, Symantec and Zone Labs, aren't properly detected by the RC2 version of SP2.
Does Windows Security Center Work?
I tested a large selection of commonly available antivirus and firewall products against the Windows XP Service Pack 2 RC2 version of Windows Security Center to see how well it detected third-party products. The results were somewhat surprising for a late-stage operating-system update approaching its release date:
Even so, security vendors interviewed for this story, including Symantec and Zone Labs, assured me that their products would be correctly identified by Windows Security Center by the time Windows XP SP2 ships. The hard truth is that Microsoft is requiring third-party vendors to change their software in order to be detected by WSC. Any security software vendor able to issue online program patches (and not just security definitions) should be able to make at least current versions of their applications detectable by Windows Security Center. At press time, none of the products from Symantec or Zone Labs was detected properly by WSC (see table above). But those companies may have been waiting for SP2 to ship before issuing online program patches to their products.
In operation, I found Windows Security Center's sensors to be balky at times. Sometimes a change (such as turning on or off Windows Firewall or updating the antivirus program) wouldn't be detected right away. Even after a reboot, sometimes WSC would be stuck showing the previous state. All in all, Windows Security Center is more a novelty than a truly useful tool for experienced users. Although Microsoft has made Windows Security Center centrally manageable via Active Directory Group Policies, it's hard for me to imagine many companies getting excited about that.
For individual users, if your computer is used by several people, or if you need help figuring out security, Windows Security Center could well be a useful warning bell if it works properly with third-party apps. WSC does sense protection levels for the worst threats out there, but it offers no help for adware, spyware, trojans, privacy invasion, and spam. So it's no panacea.
Microsoft makes the Automatic Updates critical security patch online updating tool more aggressive in Service Pack 2. The goal is to make less-experienced users turn this feature on, and that's a good thing because if they're protected, we're all a little better protected, too.
On pages 14-15 of the July 2004 issue of PC Today magazine I wrote about an annoying aspect of Windows XP Service Pack 2's enhanced Automatic Updates feature. Service Pack 2 automatically installs patches in certain conditions when you power down your computer.
The way it works is this: When you have pending critical updates for Windows that haven't been installed, when you shut down (not restart) Windows, the operating system installs the patches before it powers off. If patches are already downloaded, it usually takes only a few minutes to install them. But in my tests of SP2 RC1, I found that it could take more than half an hour for your computer to turn off because of this feature.
To understand why (or at least what I've pieced together as the probable reason why), you have to understand the new Automatic Update options. The new Automatic Updates Control Panel is a solid improvement over the controls found on the Automatic Updates tab buried in the System Control Panel in previous versions of Windows XP. The new Control Panel offers four options:
1. Automatic (recommended). Automatically download recommended updates for my computer and install them [on this user-specified schedule, defaults to daily at 3 a.m.].
2. Download updates for me, but let me choose when to install them.
3. Notify me but don't automatically download or install them.
4. Turn off Automatic Updates.
When you choose option 4, there's no automatic installation of patches when you power down your computer. But your computer also is unprotected against the most recently discovered Windows vulnerabilities. Except in the case of a computer whose system updates are being managed in an organizational setting, no one should choose the fourth option.
If you choose either option 1 or 2, available critical updates for your Windows installation will already be downloaded, so at shutdown it'll take a little time for the patches to install before your computer turns off, but not usually long periods of time. (It'll also make your next Windows start-up take longer because part of the patch-installation process occurs on the subsequent restart.)
When I tested the feature, however, I was testing with option 3, "Notify me but don't automatically download or install" security updates. What apparently occurred was that, since available critical updates weren't already downloaded on my computer, Windows SP2 RC1's Automatic Updates code downloaded available critical updates and then installed them before the computer turned off. The process took over half an hour to complete, and it took me the first 10 minutes or so to realize what was probably going on.
At press time, I was unable to discover whether Microsoft had modified the automatic-patch-installation-on-shutdown behavior in RC2. Since Microsoft rarely releases a real online update to pre-release software, when it makes changes to Automatic Updates, it releases sample updates. In other words, it offers you large "updates" that basically do nothing to your PC. They're only there to give you the full user experience. But in the two weeks or so since RC2 was released, none of my test machines have indicated that there are any updates available. In other words, no one can test the Automatic Updates process in RC2.
It should be noted that even though this background download and installation of critical updates is a little heavy handed, it's possible to defeat the annoying aspect. In RC1, the shutdown "Turn off computer" box offers you the option at the bottom to "Click here to turn off without installing updates." My guess is that most people will miss this fine print at first. Of course, for all I know, this user interface has changed. Since there are no updates available, the "Turn off computer" box doesn't show the fine-print option.
What Is Known
I don't want to make too much out of this one annoying aspect of Automatic Updates. It's just the only aspect we don't have a full grasp on yet. In all other regards, Automatic Updates is a boon to Windows users. In fact, Microsoft's ability to automatically update millions of Windows PCs around the globe is especially well handled. You may snicker and say, well, they had to do it, right? But while you may have long since decided that Windows isn't very well engineered, I would have to disagree with you on that point. Windows is simply the only seriously interesting target for hackers, virus and worm authors, and spammers.
To be sure, Windows is hampered by a huge installed base of Windows versions that barely gave a passing thought to security. But five years from now, that picture will look a lot different. It's as much the user-experience expectations of the people who use Windows that have to change as it is the code that underlies this widespread operating system.
So the Automatic Updates user interface is vastly improved. Another difference from previous versions of XP is that during the SP2 installation, Microsoft also urges (but doesn't require) users to turn on option 1, the most aggressive Automatic Updates setting, the one that automatically downloads and installs critical updates on a daily schedule (or a schedule of your choosing). Even if you go along with Microsoft's recommendation, you can easily change it later. This is intended to get less-experienced people who might never on their own turn on Automatic Updates to turn it on. Since it's not mandated, it's a good thing, because if they're protected, we're all a little better protected, too.
Microsoft also is working on the 5.0 version of Windows Update, its Windows-updating Web site, which handles a lot more than just critical updates. It's primarily a user-interface update, but one of the underlying improvements is that you'll no longer be required to restart your computer so often after applying updates. Windows is now able to wait to install patches on the next restart. Windows Update also is now able to make incremental installs ("delta installation" in Microsoft parlance). This should be of special benefit to dial-up users. Instead of installing the same patches over a patch that's already installed, Windows Update and Automatic Updates are able to install only updates that aren't already on a specific system.
Overall, Automatic Updates has been positively redesigned. In many ways, it's one of the best reasons to install Service Pack 2.
The rest of what's new in Windows XP, highlighted by a new wireless networking client and setup wizard, is only marginally security related. Find out about the rest, and what we ultimately think about Windows XP Service Pack 2.
Windows XP includes a new wireless LAN client that provides a much better interface designed to help you understand and work with both secured and unsecured wireless networks. There's also a new Wireless Network Setup Wizard that lets you add a wireless network to your system either with or without security. On the face of it, this interface is much better than the original Windows XP and Windows XP SP1 versions of the wireless networking client. And there's nothing wrong with the upgrade. My only problem with it is that it doesn't go far enough.
The software provided by some wireless network device companies designed to run with Windows XP delivers better management of multiple-access-point networks and better access to multiple networks. On a multiple-access-point network, for example, the OEM Wi-Fi hardware utilities let you configure which access point your computer is homed in on. The Windows XP SP2's wireless networking client treats all access points using the same SSID as a single piece of hardware. What that can sometimes mean is that your connection may lose signal strength as you move from one location to another, because Windows hasn't made the switch to the nearest access point.
So I like the two major improvements, the new wizard and the updated user interface, but I want more.
Microsoft has also added an enhanced Bluetooth networking stack in this service pack. Bluetooth, which provides wireless "personal area network" functionality (a replacement for the infrared wireless connections between devices such as computers and printers) missed the original version of XP by only a few months. And, at that time, Microsoft pledged to add this functionality. But while separate downloads and online updates have been available for a long time, this is the first time Bluetooth is being included and improved in a unified way. If your computer and devices are Bluetooth-equipped and you make use of the functionality, you'll be pleasantly surprised by this update. I'll be honest, I'm not all that wild about Bluetooth. It can be a serious boon for handheld devices though.
Finally, Microsoft is throwing updates for a series of its products and platforms, including DirectX 9.0b, Windows Media Player 9, Windows XP Media Edition 2004, and Windows XP Tablet PC Edition 2004 into Windows XP Service Pack 2. This is just a case of Microsoft taking advantage of an opportunity to widely distribute some recent changes to satellite applications. Most of the updates have little to do with security.
For more information about what's in Windows XP Service Pack 2, check these Microsoft reference documents:
Real-World Recommendations
The fact of the matter is this: No matter how annoying or substantively lacking in any real advantage other than increased security, there should be no debate in business or home circles about whether this one should be installed. Just do it. We have enough computer security problems without people getting stubborn about whether this upgrade takes away some of their computer liberties. It really doesn't. There are some mostly minor adjustments required. And, for some of us, those changes may be nearly transparent. Corporate IT managers and users may have a bit more to wade through at first. But all in all, this shouldn't be heavy lifting. We're all in this security mess together, and this service pack strikes a blow for the good guys. It should be a no-brainer.
Scot Finnie is Editor, the Pipelines and TechWeb, as well as the author of Scot's Newsletter and previously an editor with Windows Magazine, ZDNet, and PC/Computing. He has been writing about Windows and other operating systems for two decades.