Slashdot Mirror
WinXP SP2 Sacrifices Compatibility for Security
goldragon writes "TechRepublic is reporting that "Microsoft is pulling out all the stops to improve security. So much so, in fact, that it will cause many problems because SP2 will de-emphasize backward compatibility with legacy systems and code for the sake of security." One small step forward for Microsoft, one giant leap backwards for mankind?"
Giant leap backwards?
Let's face it, you can't remain compatible with old software forever. It causes, well, Windows XP. XP is trying so hard to be everything to everyone, that it can't even pop up a delete confirmation fast enough to not make me wait for it (On an Athlon XP 2700+ with 1GB of DDR333, fresh from boot).
Compatibility is an important issue, but at some point shouldn't the ten-year-old programs run in a virtual environment separate from the OS?
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
Keep your eyes to the sky.
...for the comments? I know this is slashdot and all, but that really has no place in the article summary.
Finally M$ catches on to what Telephony vendors and various other technology developers have been doing for years.
Had they started with a secure product, then being backwards compatible would not be that much of a problem. Hopefully the M$ code monkeys will not make more problems than they fix.
-Ghost
Can't say I'm suprised this happened at all really... seems noone else has problems fixing security while moving forward in developement and backwards compatibility.. *coughlinuxcough*
Even a stopped clock gives the right time twice a day.
less people to patch? I can bet it is going to drive IT managers crazy because now they will have to do hardcore tests of all their software to make sure it still works after the patch.
This might just make things less secure overall because nobody is going to want to bork their software. Will it be possible to roll back the patch quickly if someone finds they cannot run program X anymore?
But then again, who knows, it might "accidentally" break Office 97 so people think they need to upgrade to Office 2003.
I wouldn't call this a small step forward. I'd call it a huge leap. It shows that Microsoft actually cares about security. You can't keep an API exactly the same forever. It'll get crufty eventually.
Hopefully, there'll be more breaking for the sake of security.
TheMadRedHatter
while(1)
{
}
Ah, the story of life.
Aren't all Windows users already sacrificing security for compatibility just by using Windows? Perhaps this is just meant to level the playing field.
I'm sure Microsoft will be releasing an update full of application compatibility fixes shortly after the SP2 release. Even in vanilla XP, you can run applications in Win95/98 compatibility mode. I don't see any reason to change it now.
-- Stu
/. ID under 2,000. I feel old now.
Microsoft is making it more secure by not allowing their applications to run!
The article indicates that most of the things being broken will be viruses and trojans.
And that the only other major change will be to Finally honor the NX(Non-executable) memory designation, IOW if you want self-modifying code, you can still have it, but you can't place a call to an area that has been marked as Data-only or NX.
Seems to be all good to me...
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
Just another reason for folks to migrate away from their closed systems with forced expensive updates and security holes.
You mean a free service pack that improves security somehow translates into expensive updates with security holes? I'm sorry I fail to get your bizarro logic.
SP2 represents a big change in Microsoft's security vs. ease-of-use stance.
In the past, Windows shipped with many unlikely-to-be-useful services such as the NetBIOS Messenger service turned on by default installations, meaning that a user who wanted to use the service just needs to start using it and it'll already be there ready to work. Of course, we all know how this has been exploited by spammers.
Now, such non-essential services will default to the "off" position, and the user will have to take a step to affirmatively activate the services they want to use. This makes plug-and-play operation a little harder to accomplish, but Microsoft has finally decided that the security gained is worth more than the ease lost.
It was overrated when Apple told its users, "deal with it." And it's overrated now. If you want backwards compatibility, use a Win2k emulator.
!#@%*)anks for hanging up the phone, dear.
this is a giant step FORWARD. if it can keep my network from being bombarded by all those damned windows viruses it's GOOD no matter what. and i don't even use windows.
i'd say this is the brightest idea microsoft had in the last decade (if they deliver that is)
It says there's a pop-up ad blocker enabled by default...
How innovative, I've never seen that before!
'Generic Host Process for Win32 Services' from your computer wants to connect to law15-f93.law15.hotmail.com [64.4.23.93], port 80
Oh no, Microsoft isn't trying to integrate everything...they're not a monopoly...weirdos.
Hey, given the choice between the two, I think MS is right to choose security. You're often forced to lean toward security at the expense of some convenience, or vica-versa. And in this case, given the recent (past 10 years) track record, security is more important right now.
I, for one, welcome our new Antichrist overlord.
There's one item to highlight this week. Silicon.com and other sources are reporting that Apple's recent patch to fix a major threat in Mac OS X wasn't completely successful, and that a highly dangerous problem still exists in the operating system. The threat is especially noteworthy because it is the first important vulnerability discovered in the Mac OS X operating system that was not due to a flaw in the underlying FreeBSD UNIX on which Apple based OS X. This problem lies in the part of the code created by Apple, and it appears that it is quite difficult to repair. This is the first real challenge to Apple, and it will be interesting to see how the company responds to this critical threat. Previous patches were simply carried over from the Linux/UNIX community. Apple is on its own this time.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
1. Launch Windows Update.
2. Prepare sacrificial animal in accordance with the EULA.
3. Open CD tray.
4. Allow some blood to drain into computer and close tray.
5. Smear remaining blood on monitor frame.
6. When install completes, reboot and enjoy the ritually clean goodness!
particlesphere.com - quantum
Does that mean they will finaly ditch program manager? I realy hope there isn't any one still using programs for win 3.1 that still require that. And if so, why are they running it on XP anyway...
Don't believe me, or just feeling nostalgic for windows 3.1, go to run, or a comand promt and execute progman.
It was me, I did it, I moved your cheese
The majority of XP users aren't using that many old apps anyway... the average XP user is just using XP, Office 2000+, IE6, and MSN. And the majority of 3rd party apps such as those from Adobe, Macromedia, etc will get free updates to be compatible. Its not such a big deal for the average user. I've often felt that M$ would be well served to release a new OS based on an entirely new codebase... get a group of developers that have never seen Windows source code, only the GUI and let them rewrite it without backwards. Then get the major vendors to release compatible versions of their software. Sure... things will lag for a bit, but Windows will get better and the app support will follow. Windows is still based on an almost 15 year old code base. Its time to rewrite it from the ground up. Screw the backwards compatibility. Move on.
OS X did this brilliantly with the Classic compatibility layer. 99% of the time the layer was app-compatible and it ran at least as fast as running OS 9 alone. Many people bitched at first, but when they started using OS X, it was pretty clear that there was a huge advance in stability that made people actively dump their Classic applications and invest in the X architecture. We're still in the transition phase but with Apple proclaiming 9 dead last year, it has been successful for the OS transition.
The reason Windows is in such a hurt is compatibility with everything. Even most Linux distros dont offer the level of backwards compatibility that windows xp or less does. You can still to this day run Win16 apps under windows and still print and save, as if it were no big deal. Thats just not possible with Linux. Try downloading or running a binary from 1994 that was compiled for linux and see if it works, im sure libc and glibc and aout and elf will make things fun.
Its kinda sad how things are around here for Microsoft, Damned of they do, Damned of they dont. Somebody shows progress and they get pounced.
"...one giant leap backwards for mankind?"...And recreating an OS from the 70's isnt? Thats pretty narrow thinking.
http://www.freebsd.org
Ie this message is moreso for the submitter. Love the tone of your voice. We see almost daily MS lack-of security woes and now MS does something about it. Then you have to bitch about not supporing legacy this or that in the name of security. I think I would rather choose security. hell, all you need to be considered a computer security expert is just say "everything's insecure."
One small step forward for Microsoft, one giant leap backwards for mankind?"
/. are met with "All your base are belong to us". Or with slight improvisation, "All your versions are belong to us".
All such posts on
So much for compatibility
http://efil.blogspot.com/
This is a good thing. It's basically going to break applications that make assumptions about the (in)security of DCOM and RPC. It's very easy to add an application as an exception to the firewall. DCOM and RPC are going to be the major issues, so it's not going to affect Grandma's cute shareware apps any. Any app broken by the NX flag was already broken to begin with. I'm looking at you, XFree86...
Compared to this relatively minor loss, the potential security gains are enormous. It remains to be seen how well it all works though...
I wonder how much of the copy protection on software this is going to break. Gamers are probably going to be the loudest yelling demographic when this hits.
You think the spam zombie/pwned newbie PCs will be upgraded?
I've been looking at XP SP2's release canadidate for a couple days now, and it's pretty obvious that it will cause nightmares for Windows admins for quite a while. However, it looks like they're making steps towards better security, which will be better in the long run.
Anyone who works in Windows shops knows the proliferation of COM-based software that was thrown together in Visual Basic, and this software often performs critical functions. It will take lots of testing/planning to make sure SP2 doesn't break these extremely fragile apps. There are many, many in-house applications that are still chugging along, even in compatibility mode, because they simply can't be replaced easily. Unfortunately, Microsoft can't test these in-house apps.
We'll see what happens...
Well then the area in memory where your virus is will be changed to NX and it won't be able to run.
Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
Microsoft tries to make their operating systems backwards-compatible to the point of running about half of the old 16-bit DOS programs that are still floating around out there. If you've studied WinAPI, you'll note that about half of the arguments and functions are never used, legacies of decisions made by Microsoft in the elder days. Yet those functions are still implemented and, for the most part, work the same way they did when they were first created.
This isn't fuel to bash Microsoft, this is good news for those of us who use their operating system, whether by choice or necessity.
If my answers frighten you, stop asking scary questions.
Might be a little off-topic, but does M$ not realize that it may be worth it to sacrifice what they consider $, for the safety of your O/S and reputation? Are the people that are using pirated copies really going to buy your O/S anyways? Probably not.
Will this leave any issues with things like SMB?
Looking at the article it was mostly talking about default firewalling, NX bits, and disabling some services which have recently been abused.
Would they go so far as to disallow plaintext passwords for logins, or SMB sharing?
Other than that minor concern this is good news for all people who have to share a network with Windows users.
I run Linux at home, and am constantly hit by port 137/445 scans from Windows boxes on the same range as my cable modem. Sucks.
Blame microsoft for the problems brought on by bad programs made by other companies. Then bitch because windows is insecure. Then bitch because they're trying to fix the situation and remove backwards compatibility to lessen the problems. Then say how microsoft is only doing this so people have to buy updated software. Well sometimes you have to bite the bullet and upgrade. If you're using some ten year old word processor on top for windows XP, then you better have a good reason of doing so. If you don't want to spend the money, switch to open office.
/. uses linux and other 1337 shit.
I can't understand how microsoft gets bashed for having the security holes and then again for trying to fix them. Besides, how many people on here still use windows? I'm always under the impressions that everyone on
"I expect to hear screams of pain as people deploy SP2 and discover that legacy applications no longer work, but those are probably the same people who complain so loudly (and legitimately) that Microsoft doesn't deploy secure systems."
Here goes my karma, but how true will this statement be here at slashdot?
One small step forward for Microsoft, one giant leap backwards for mankind?
Spoken like a true zealot. I'm an OOS advocate, but I disagree with this type of statement. It's a damned if you do/damned if you don't situation when someone makes comments like this. Hey, security is important here, and I'm sure Microsoft gauged this responce carefully before making these changes. Sure it's going to break some systems, but sometimes something has to give to move forward. I don't know about you, but security is very important to me. If the patch breaks your system, don't install it untill you're ready for the change. No one is forcing the service pack down your throat.
OTOH, Microsoft just about HAS to break some programs to get security halfway decent. There's no good solution, but I think MS is justified in breaking some compatability in this case.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Other things that I find good include port management that both handle the opening and closing of ports, but also allows some applications to run as a regular user instead of administrator.
There first complaint with SP2 was the NX command - which isn't available on most current processors. The second sounds like a benefit, not a complaint:
Then they go on to complain about not offering to pirated copies, but forget to mention it's only the ten most pirated product keys. It's still a large number, I imagine, but not the whole picture.That what was all this school was for... to teach us how to solve our own problems. -- janeowit
The WinXP article is dated June 7. The link points to a Silicon.com article about a security flaw in OS X, and that article is dated May 26.
It was on June 7, the same day, that Apple released a second Security Update that fixed the remaining vulnerabilities.
~Philly
Ironically, apple has often chosen the path microsoft has now taken - the compatibility with outdated OSes should not be a priority over advancement or security.
Don't worry - its just stigmata. Pass me a napkin and don't you dare tell my mother.
Spam zombie/pwned newbie machines will be running dog slow. The owners of said machines will either pay a techie to "fix AOL for them" at which point the techie removes viruses and spyware and installs the latest Windows updates (i.e. SP2) or the machines will simply be considered 'broken' by the owners (you'd be suprised how many people think they need to upgrade their hardware because they broke the software by installing crap) at which point Dell/PC World/Emachines will ship them a shiny new box complete with a patched up version of SP2. It might take a year or two, but assuming SP2 is as secure as MS is making out its proliferation will be very good for the internet at large.
It seems that these changes won't break any well-designed applications, with the exception of viruses and worms.
Granted, MS is taking a "giant leap backward" in compatibility - with viruses! Apparently, the author misses having Blaster auto-install itself upon reboot, and still longs for the days when he had to close 5 or 10 popups to view the web page he really wanted.
How could Microsoft do this? After having spent so much time and effort to guarantee that viruses would run on their platforms, now they pull the plug!? The NERVE!
Quite frankly, this is what they should have done a long time ago. If there's any fault to be found, it's that they didn't do this sooner. Any app which breaks because of these changes wasn't well designed in the first place, and deserves to break. As far as I can tell, none of the Windows apps I've written will be affected by this. The only reason MS estimates that 1 in 10 will be affected is because Microsoft considers viruses to be an application for marketing purposes. This way, they can legitimately claim that there are "50,000 applications written for Windows..." True, 45,000 are viruses, but that hardly matters now, doesn't it....
And for once, they're doing the right thing - they're telling users beforehand that this patch is going to break things, rather than letting the user find out unexpectedly... This is an improvement for them.
The society for a thought-free internet welcomes you.
Microsoft should be applauded for taking such a bold step. This is definately the right move from a company who has always put usability at the top of the list for their programmers.
/., security is only as good as the vigilence of the system administrator. If users don't patch because it makes their machine 'hard' to operate, they will definately look for applications that will defeat security systems.
But I think that it will only be implemented by corporate users and tech-savy Windows users. I see a new generation of TweakUI-like applications on the horizion that will allow inexperienced users to defeat the controls that MS is building into this service pack.
Consider what will happen when someone wants to install an application that is not set up to override the port restrictions that are default in this SP. I can see a whole bunch of folks googling for hack-packs that will disable all of the port protection so that the app will run.
Keep in mind that not all software vendors are responsible corporations who have an image to protect. The smaller niche vendors may worry about their reputation, but they are more interested in making their product work despite what MS has done to the OS to provide better security.
As has been pointed out several times
No offense intended, but when you make an OS so simple that a five-year-old can operate it, you should expect five-year-old reasoning from the system administrator.
"Rocky Rococo, at your cervix!"
Far too many Windows applications require that the user be logged in as Administrator. So many apps unreasonably require admin privledges that many users opt to be permanently logged in as Administrator. This in itself is a huge security hole.
Microsoft needs to close this hole and improve the application install/uninstall process. Many of the other fixes in XP sp2 are just window dressing without these necessary loopholes being closed.
-- "Most people prefer a popular myth to an unpopular truth"
Part of the problem is that Windows has traditionally been so lax on security that programmers have got away with bodges that would be considered unforgivable on a system that had been designed with security in mind from the word go. At some stage, though, something has to give. If all this legacy software is depending for its very operation on the same things as the viruses, worms, adware and spyware -- and it is -- then that is the choice you have to make: whether to allow sloppily-written programmes to take advantage of the security holes but unavoidably also permit malware to use them; or to prevent malware taking a hold, but in the process, unavoidably break sloppily-written legacy software. The two are indistinguible.
Now, if SP2 breaks compatibility with so much legacy software, then surely this spoils one of the arguments against switching to an alternative operating system that also would break compatibility with legacy software?
On a slightly different topic, why is anti-virus and spyware removal software closed source? If I cannot view the source code of an anti-virus programme then how do I know it is not simply going to infect my system with a virus every so often just so it looks like it has done some good? How do I know it is not going to infect other people's systems with viruses just so they will buy their own copies of anti-virus software? How do I know it is not installing its own spyware? If the software is not a Trojan horse then why will the makers not just show me the source code?
Je fume. Tu fumes. Nous fûmes!
Are you guys ever happy? I honestly don't think you are. First, you biatch endlessly about the lack of security in XP. Then, when MS does something about it, you start right up biatching for more! I'm willing to bet 80% of the people who read this site hate Microsoft because it's the "cool" thing to do around here. I'll wait for the 20% to reply with their reasons for hating Microsoft, most of which will probably be the same babble I hear in every anti-MS thread.
> If you've studied WinAPI, you'll note that about half of the arguments and functions are never used, legacies of decisions made by Microsoft in the elder days.
Then just create new entries in the API and "deprecate" the oldest ones. They can give up on CreateWindow[Ex], mantaining the implementation but dissalowing its use on newer VC++ compilers , then create a new API function, like XPCreateWindow() or something.
From a linux user, I see backwards compatability as the biggest nightmare of linux today. There is just too much of it, and it's holding back progress. Many of the points I'm about to address come from OS X, as I'm also a happy user of that system, and think it's a model for what can be improved about operating systems if you're willing to sacrifice some backwards compatability.
/usr/include, /usr/lib, /usr/share. This conventional *nix approach practically requires a package manager to keep things straight. Then, all that is required to compile against it, both finding includes and library search path, is a simple '-framework foo' argument to gcc, which follows a single search path. Easier to write makefiles, without wasting your time in autoconf.
Over 4 years ago slashdot was full of posts about how it would take the OOS community a couple weeks, months at most, to match Apple's nifty new compositing window system. Well, today 99% of us are still using X, and it really hasn't changed significantly. Even the extensions being worked on at FreeDesktop aren't in wide use, and it doesn't look like they will be soon.
We're still stuck with an ancient standard directory hierarcy, and multiple search paths meant to find the same thing (what? I still have to have a huge autoconf macro in order to find both the LDFLAGS and CFLAGS necessary to include library foo?). This obviously isn't the best it could be, and yet no one even considers trying to change, because 'that's the way it was always done'. Again, look towards OS X. Headers, libraries, resources, documentation, XML files with library metadata, everything associated with libfoo is contained in a single directory 'foo.framework', not scattered in
A lot of lessons have been learned since these systems have been designed. If you insist on supporting everything ever made, you're never going to get anywhere.
They are two seperate product lines. If you'll compare XP to the previous iterations of the desktop line - 95, 98, ME - then you'll see that it is indeed a "a pretty giant leap forward in desktop computing".
You'd be surprised how stupid most people are. Have you been following any of the recent virus and spyware debacles at all? The current arrangement is actually fairly close to ideal. The people intelligent/capable/informed/(insert appropriate term) enough to know what a file system is will also be aware of the existance of windows 2000 as well as various ways to make XP less idiot-friendly. This arrangement does not work the other way around.
Work is punishment for failing to procrastinate effectively.
While I fully applaud what MS is doing, it seems like the wrong time to be breaking legacy apps. Put out an actual new Windows release, rather than just a point update. People will be far less surprised when old software breaks with a full release, but with an update to the old system you shouldn't be breaking compatibility.
This isn't a damned if you do, damned if you don't situation in reality, it just needs to be managed properly. By jumping the gun on this, they'll likely piss off users, but if it were longhorn or some interim release then some breakages are simply to be expected.
That said, since I don't run Windows on my own machines, I get to be one of those that benefits by not having as much email or log spam due to 0wn3d winboxes (less spam please indeed!) so I can't complain. This is a distinct advantage of the Free software model, since Mozilla, OpenOffice, etc can be updated for no cost if this release happens to break them.
"I may not have morals, but I have standards."
Usually, I'd say this was a good thing. But, as with all things M$, I must adopt the cynical view that this is just another way for them to force people to upgrade to the newer, still buggy, resources hogging software they put out today. Since a large number of places are refusing to upgrade because their systems are stable, and because the reputation of M$ patches and updates is shoddy at best, the promise of something secure, that actually works right seems rather an elusive fantasy.
I mean, who cares about empty promises from a morally bankrupt company that is known for predatory business practices and open hostility toward their customer base?
Apple broke a lot of backward compatibility and it did hurt, but at least the new software at the end of the tunnel didn't blow goats.
In space, no one can hear you moo.
Just a few weeks ago, I heard it quoted that MS used to say "DOS isn't done until Novell won't run", not Lotus.
I have a feeling this one may just be another urban legend, like the "640K should be enough for anyone" quote.
In any case, I think you're *always* going to see a little bit of favoritism when a company builds both an OS and supplies commercial applications made to run on that OS. They may not want to out-and-out break the competitor's app, but they'd at least be willing to make tweaks to their OS code that makes their own apps look better (EG. undocumented API calls). I'm confident that Apple has done/still does this with their OS, just like Microsoft does. The "3rd. parties" are on their own to make their apps run well.
to open ports IN ICF[Internet Connection Firewall]. (Emphasis mine.)
No, you don't need to be an admin to open a socket. But you do need to be an admin (rightly so) to blow open holes in your firewall.
Or, under the new system, you can tell the system, as a non-admin, to let the program open the port, but to take care of closing and what not, rather than trusting the app to do the right thing.
Vintage computer games and RPG books available. Email me if you're interested.
Joel Spolsky recently wrote an *excellent* article on this very topic called How Microsoft Lost the API War. Like almost everything he writes, it's well worth a read.
/big/ thing. He cites VB.NET and Longhorn as two examples, but it looks like Microsoft just gave him another big one.
One of his major points is how MS is breaking with it's past, from when backwards compatibility was a
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
I've written a lot of code, including my share of system libraries. However, there comes a time when you just need to say "Enough. I've changed my mind, that didn't work as well as this will". Particularly with security issues, you sometimes need to just drop the old stuff to move forward, and if it breaks old software, too bad -- that's the POINT of removing insecure library functions.
I'm not a big fan of Microsoft, but I use it at work. The latest versions are no more bloated, clunky and unstable than the latest bloated Linux versions with KDE or Gnome in eye-candy mode. They acknowledged their security faults, and are dropping the old baggage required to address the problem. I fail to see what they've done wrong here. I seem to remember a number of open-source project that have mad API changes over the years to improve security, and we hail that as progressive, proactive, and intelligent design. Where's the foul?
So says the Slashdotter posting through KDE running a taskbar, start menu, minimize/maximize buttons, menus in the same place on the window, similar print dialogs, integrated browser/explorer, and more...
The Internet Connection Firewall is now enabled by default, which should improve security for SOHO users. However, in a corporate environment it could cause problems for users trying to connect to network resources. The firewall will also now activate much earlier in the boot cycle, even before the network stack is enabled. On shutdown, it will now remain active until after the stack is disabled.
A smart start in my eyes - even though network admins might curse until the properly set up all PCs, John Doe is probably safer now.
The Messenger service is now disabled by default.
Praise the Lord, another evil gone (or at least disabled by default)
A pop-up ad blocker has been turned on by default.
Hmmm... probably useful, but as long Internet-"Security Hole"-Explorer is still default, with Active-Security Breach, er.. Active-X turned on it won't help much...
A unified security application called the Windows Security Center has been added (for more information on this feature, see this News.com article). It is supposed to bring all of the most basic security configuration information into one easy-to-manage place that will show whether your firewall is enabled, if your antivirus software is working, and if you have the latest software updates installed.
Again something good for John Doe, though I don't feel comfortable for MS checking out my PC
NX support is added to Windows XP. NX (no execute) will allow NX-enabled CPUs to mark certain areas of memory as non-executable; that is, any code pushed into those areas (perhaps by malware such as Blaster or other viruses) will just sit there, unable to run and therefore will be rendered harmless. This will harden the OS against the notorious buffer overrun threats. NX is currently only supported for AMD?s K8 and Intel?s Itanium processors, but 32- and 64-bit support for this important security feature is expected in most future processor releases.
Probably a good thing, fixing some of the oldest exploits in programming, but with Palladium sneaking round the same corner I have a not that good feeling
DCOM (the Distributed Component Object Model) gets a new set of restrictions in the form of an access control list for nearly every action of any COM server. There will also be a more detailed set of COM permissions, which will allow administrators to fine-tune COM permission policies.
Sounds reasonable
There is improved port management. It will no longer be up to the application to close ports after it is finished. Before, if a developer left out the closing routine or the application crashed, a port could remain open and leave XP open to attack. SP2 encourages port management with an application white list that only a user with administrator privileges can alter. Placing an application (such as a peer-to-peer program) on the white list causes ports to be managed automatically. Such applications can also now be run as a regular user rather than needing local administrator privileges to open ports in ICF.
As with the other Firewall changes, a sensible thing.
New RPC restrictions help tighten communications. The XP SP2 changes in this area let administrators fine-tune RPC services. This granular control over RPC will allow you to specify that a port be used for RPC even if the application is not on the white list. There are a lot of changes for RPC, including a new RestrictRemoteClients registry key that by default blocks most, but not all, remote anonymous access to RPC interfaces on the system. The RPC interface restriction will require an RPC caller to perform authentication, which makes it much more difficult to attack an interface, and helps mitigate against Trojan attacks.
Good... I guess...
All in all, what are the disadvantages?
Some hassle for Sysadmins till they get the settings right, some compatibility trouble with programs that have dynamic code, but all in all a big plus for security.
Seems good to me
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
When Win2K SP4 rolled out, our network provider decided to patch everyone's system at once. Almost every system in the agency went down. Turned out the for some reason SP4 was not compatible with our old network cards. We had to roll back the patch. On some systems, even that didn't work. We had to install new network cards. What I don't understand is if 10 year old DOS programs work, why my 4 year old network card didn't. I'm going to be very careful about allowing XPSP2 into our environment.
That's gotta fit into your schema somewhere
How about:
1) I already own Win2k Pro.
2) I don't want to mess with product activation.
Slashdot set to fork into MS-tolerant and MS-intolerant editions.
Lameness filters to be adjusted accordingly.
I'm not sure which DOS apps you are thinking about, but I can think of many, many DOS apps that don't work in WinXP, and, as the insightful readers out there have already guessed, I am talking about DOS games!
A few quick examples:
- Star Control 2
- Ultima 7
- Wing Commander 3
(basically anything that Origin ever made was always broken on the next OS upgrade hehe...)
Maybe the simple text DOS apps can still be run in WinXP, but you'll be hard pressed to find many games that still run. DOOM _might_ still run, I'm not even sure about that one. (I know it ran in Win9x)
If DOS compatibility wasn't an issue, then projects like http://dosbox.sf.net wouldn't exist...
XP Pro runs faster than Windows 2000 Pro
XP has some serious issues. My previously mentioned "Confirm File Delete" is the most annoying I come across. I'll detail more in a moment.
File Deletion
From Windows 95 on, I was able to press the delete key and immediately press the Enter key to "push" the OK button on the Confirm File Delete dialog. It worked fine with 95, 95 rev A,B, and C, 98, 98SE, NT 4.0, and 2000 Pro. I never used Me, so I can't speak about it. It worked fine with a 486/66 running IE 5.5 on Win98SE on 32MB RAM, it works fine with it works fine with an Athlon XP 2700+ Win 2K Pro SP4 running IE 6 SP1 on 1GB DDR333. It doesn't work under XP. The dialog opens so slowly that I have to for it to open or my keypress will be interpreted as "Open this item", so it launches the application or document before the delete dialog opens.
I have XP Pro on an Athlon XP 1700+ with 768MB of DDR266. I have tried it with other programs running and without, with both interfaces (I stick with the "Classic" interface, BTW). The only thing i haven't actively tested is the result in goddamn Safe Mode. The user interface is slower now than it has ever been. I don't give a shit about startup time - my box runs for weeks at a time. I don't give a shit about program launch - or relaunch - time, I don't spend most of my time opening and closing programs, I spend my time goddamn working.
Convenient Options
I work with a digital camera, a USB keychain, and various CD-RW & audio CDs. I transport pictures, my music files, the occasionaly training video, and various graphics with these different types of media. Every goddamn time I insert one of these items, the very friendly "Windows can perform the same action..." message. Now, I've checked the "Always perform the selected action" checkbox for each device, each time I insert it. I alwasys choose the same action, and it always asks me anyway. I don't care if there is a "fix", I shouldn't have to dick around with it after I've told it to always do something. What, I might change my mind? That's fine. Give me a mechanism to obtain that dialog again, just don't show it to me every time.
XP Search
I hate that fucking XP Search dog. The designer who implemented that should burn in the lowest pit of Hell for all eternity. OK, maybe that's a little harsh. I have a serious dislike of interactive characters that obfuscate the process, especially (slightly off-topic, now) when, like the Office Assistant, they obtain and restrict focus, so you can't ignore them. The entire new search interface is simply cumbersome. When you give someone that many options, a damn sidebar doesn't cut it. If I want to use more any of the additional criteria, the interface is practically unusable.
UI
I mentioned the UI was slower than I've ever experienced it? Sometimes - and I'll attribute much of this to my "25 things open all the time" style - The interface lags. I completely lose interactivity; I can't even move the pointer for seconds at a time while the computer is busy doing whatever the fuck it needs to do right then. What's worse, is anything that happens in the timeframe doesn't always catch up. Mouse movements and keystrokes simply vanish.
Like I said, I'm sure some of it's the way I use the computer. But I run my Windows 2000 Pro box just as hard, and it never lags like that. Even if I can't do anything for seconds as a time, I never lose the ability to move the pointer, even if it does become jumpy and slow.
The "extra touches" like the fading or "windowshade" animations on menus, ClearType (I'm still undecided it it's too blurry) and the like slow the user interface down even more. Those little "amenities" are nothing but a waiting period
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
1) Windows 2000 does everything I want to that Windows XP does.
3) Windows 2000 has fewer dangerous features than Windows XP.
5) Windows XP will run on my Libretto with a Pentium (no MMX no Pro no II) 133 and 64M RAM?
6) I've already paid for Windows 2000.
7) I can upgrade my Windows 2000 PC as much as I want without getting shareware-style nag-screens from Microsoft's product activation demon. Even if I'm still using it after Microsoft has abandoned XP for Longhorn. I've already lost a handful of eBooks to previously abandoned DRM schemes. If my OS is going to throw a hissy fit and lock me out until Microsoft gives me a magic number (assuming Microsoft is still in the magic number business at that point), it better be willing to make breakfast the next morning...
Hope Microsoft keeps it up. And I hope it keeps GPL software authors on their toes as well. If MS keeps tweaking things, it will get painful for vendors of -pardon my expression- "shitty" software. It will raise the bar, so that those who don't properly design or maintain their software will end up without customers (because it just won't run).
If Outlook no longer uses the file types in the registry or the vanilla shell execute calls to handle e-mail attachments, then I'll know they're really serious.
Fred
"A fool and his freedom are soon parted"
-RMS