Evaluating Windows XP Service Pack 2 RC2

dncsky1530 writes "Information Week has a good evaluation of Windows XP SP2, excerpt: "The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece... Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure""

Re:New features, yes.

[Gilesx]

Unfortunately, it doesn't really do a lot to protect against spyware. It's mostly a pretty front end to remind you to a) install a virus checker, b) install a firewall (or enable the default Windows firewall - and given the Microsoft security track record, who in their right mind would rely on that?!) and c) reboot your machine after you've installed an update. This last reminder is particularly annoying as it pops up from the system tray approximately every 10 minutes, with the default dialog option set to reboot. In the middle of typing something? Just hit enter right at the moment that the reboot reminder box pops up? Tough - you're rebooting whether you relike it or not! Poor poor POOR UI design there, Bill...

Re:Will this kill ZoneAlarm?

[hoyty]

It does checking on pre-allowed programs. I used a beta version of the PC Satisfaction Trial which the code from this SP is based on. When I upgraded MSN Messenger it saw it as a different progam and asked if I wanted to allow it. I realize there may be still some gaps in this, but isn't quite as bad as it might seem.

I think it's very positive...

[danielrm26]

Three things strike me about the release:

1. The firewall's on by default. This is a huge shift for Microsoft and I am glad to see it happen. This alone will stop a ton of worm infections.

2. Browser security. From what I can tell, these enhancements are going to go a long way toward stopping the problems that CERT and everyone have been complaining about.

3. Email security. OE is getting hardened in a way similar to IE, and this also is a very much welcomed move.

Between worm propogation and the two most common ways for a user to infect themselves, if they were to even modestly improve in all three of these areas it would make a significant impact on the security posture of people running the update.

I applaud them in advance for even trying.

Re:Won't matter, they won't install it.

[fuzzix]

Nah, I really doubt that the single reason people are moving to Mozilla FF and Opera are for tabbed browsing. I surf daily and probably at greater lengths than the average person and I don't find tabbed browsing to be my #1 concern.

Tabbed browsing was actually one of the main reasons I stuck with mozilla (first used it on Windows pre 1.0 - probably the early 0.9 versions).

Security concerns, standards support and do on only entered the equation later as I learned of them. IE soon found itself blocked at the firewall. Any operations that required IE just didn't happen.

Funnily enough, mozilla was a catalyst in my eventual adoption of Linux. A simple comparison of the quality of proprietary, closed software and open, Free software.

But what started it all was how impressed I was with tabbed browsing - I usually consume sites like the inquirer and /. by opening all the stories I want to read in background tabs and working my way through - nowhere near the clutter I had with IE.

Re:Yeah, good for those with broadband

[kawika]

If you paid $300 retail or even the $40 or so from an oem, you should be entitled to a free update CD with no shipping cost.

Hmm, like this free CD available directly from Microsoft? You don't even need to show a proof of purchase.

Re:Won't matter, they won't install it.

[haruchai]

Javascript, PDF and Flash all work like a charm in Firefox. About the only reason I or any of my friends revert back to IE is to run Windows Update.
Also, IE and Netscape/Mozilla/Firefox usually detect when a plugin is needed and tell you to click to install it. And, in most cases, the plugin functionality is immediately available, without restarting the browser. What more do you need than that?

Re:SP2 = more of what I don't like about XP

[tehcyder]

stupid animated dog

So turn it off.

CD burning

You object to having CD burning facilities built in? Why?

thumbnail view you can't seem to turn off

It's quite simple, just tick "details" instead of "thumbnail" view.

Et cetera.

If this wasn't an anti-Windows rant it would be modded as an obvious troll by now.

Re:"Deny" for certificate?

[dzym]

At last check, that functionality is present. There is a "never trust" option in a drop-down on the ActiveX plugin download dialog box. Although most (unsigned?) BHOs and plugins are already silently blocked.

Re:"Deny" for certificate?

[Anonynnous+Coward]

I'm not sure if the dialog has changed, but the text here says

Internet Explorer File Download Prompt

Detailed description

When a user uses Internet Explorer to download a file, the dialog box that appears has the following changes:

• A file handler icon has been added.
• A new information area has been added to the bottom of the dialog box that provides slightly different information, depending on whether the downloaded file type is of higher or lower risk.
• All executable files that are downloaded are checked for publisher information.

After downloading an executable file, Internet Explorer displays the publisher information of the file. The Authenticode dialog box presents this information to the user, who can then make a more informed decision about running the file.

two quick things

[TubeSteak]

1. For some reason, i'm not a fan of tabbed browsing. I like to have multiple windows scattered about my desktop like a cascade of... windows. It'd be nice if i could corral them occasionaly, but mostly i like to see my desktop/shortcuts/open apps while i'm browsing. I'm working with Opera & slowly getting used to it, but Alt-Tab is a hard habit to break. And I still haven't figured out how to turn off the 'features' i don't want/like.

2. v5.windowsupdate.microsoft.com is the new windows update and i personally think it sucks. You have to have two services running (Automatic Updates & Background Intelligent Transfer Service) which i had turned off as unnecessary. Oh and Automatic Updates doesn't just need to be running, it needs to be set to Automatic, you can't just turn it on and off manually. My biggest problem is that they don't show you what you're installing by default! They hide it away behind small print that says "Details" with an inverted ^ to its left. Right below that is a nice wide button that says "download and install now". v5 looks prettier, but once again, MS is trying to hide the details away from you. Under v4 i have 13 not-so-critical updates that aren't installed because i bothered to browse through and see what i was getting into.

but thats all just me

Re:two quick things

[inquisitor]

The new Windows Update does not need to be on permanently. It's configured from the same place as the old one, the Automatic Updates control panel, also within System. Sure, Security Center will complain at you but you can just turn that off (click on "Change the way Security Center alerts me"). The services will still be running, but no-one cares about that; they aren't doing anything. And besides, it doesn't install until you click "Install".

Also, there is a reason for simplifying the screens for users; the standard home user is way more likely to be turned off by screens with weird Q53893589-type numbers on them, no matter how important it actually is. WUv5 is a huge improvement on WUv4 usability-wise, and as you say the information is still there if you want it, which is entirely correct interface design.

As you've found, AU and BITS are actually important services. (AU probably needs to be running permanently because it might need to perform certain configuration stuff on a post-update restart; this is just a guess, mind.) Besides, I've always found that these services tutorials, excepting on really-low-end-PCs (below or equal to 128MB RAM), make absolutely no measurable difference speedwise and usually impede at least some functionality, which is why I don't put much stall by them. YMMV, but be warned.

Re:New features, yes.

Absolutely. TweakUI used to allow turning on 'don't move focus', but I'm not where the associated registry key is located.

Another Firewall Issue

[pgrst]

In addition to the issues already raised by other posters, there is another problem that the article does allude to but doesn't explain: The firewall keeps turning itself on!

I have run SP2 since the first release candidate. I don't use the windows firewall since I already have hardware + software firewalls. XP SP2 detects the software firewall correctly (mcafee). But at least once every other day Windows turns on the damn XP SP2 firewall. It's a pain in the ass and the real problem is that you don't know it's on. You only realize it's turned itself back on when it announces that it has blocked a connection.

Repeat after me, everyone!

[Eric_Cartman_South_P]

Repeat after me, "I WILL NOT TRUST MS SOFTWARE FOR SECURITY."

Now go and keep your 3rd party hardware firewall + 3rd party software firewall (on EVERY box, of course) up and running.

HARDWARE:

- Cheap Linksys box: Ugg but better than nothing.
- Cheap Netgear box: Better.
- Expensive Nethear box: Very nice IMO, around $300 USD with 802.11g too.
- *BSD Box you build yourself: Awesome, but too geeky, if you have life+job and want somehting to plug in and forget, buy a firewall appliance.
- Very Expensive Cisco/Bay Networks: The one you stole from the NOC on your last job as any good BOFH would do: Best.

SOFTWARE

-Free Zone Alarm: Ugg but better than nothing.
-Sygate Personal Firewall Pro: VERY VERY nice IMO around $50
- *BSD/*nix s/w: Aso very geeky, better know your shit or else. Stick with vendor stuff to mostly install and forget.

Re:Won't matter, they won't install it.

[inquisitor]

This is Adobe's fault; the PDF Netscape plugin sucks in ways that the PDF ActiveX control does not.

Best way around it? Stop Firefox's plugin infrastructure from handling .PDF, and open PDF files in the real Acrobat Reader instead. Tools/Options/Downloads/Plug-Ins, uncheck PDF. Then when you next click on a PDF file, you'll get a box from which you can select to open directly with Acrobat or save to disk. Choose whichever you prefer.

Re:New features, yes.

[Lazyhound]

It still does. It's under General>Focus.

Re:New features, yes.

[operagost]

I'm sure you're counting the cookies. They're not really spyware, and unless you turn cookies off you're likely to have a few from Doubleclick.

Re:New features, yes.

[BrokenHalo]

Doubleclick doesn't have to be a problem. What I do is symlink my cookies.txt to /dev/null and allow everybody to set whatever cookies they want. They only stick for the current session, then disappear when you close your browser. On a winbloze box you can simulate this (with mozilla/firefox/netscape) by simply creating a cookies.txt directory in the appropriate location.

Most of us don't really need persistent cookies anyway, since there are probably more sites that abuse the system than otherwise.

Of course, if you're running IE you're on your own, and deserve to be. :-D

Re:New features, yes.

[Zone-MR]

Ummm, if TweakUI can change the setting, it means there MUST be a registry setting for it.

In this case it's:

HKEY_CURRENT_USER\Control Panel\desktop\ForegroundLockTimeout

The value, in milliseconds, is the amount of time after any user input which programs will not be allowed to steal focus for.

In fact with Windows 2000 and later it's set to 20000, which means that programs cannot steal the focus while you are using the computer.

XP SP2 is still annoying. The reboot reminders don't actually pop up in front, so hitting enter at the wrong time won't cause you to accidentally reboot. However since they keep popping up in the background, sooner or later you will see the message and click the default button before even realising that it's "reboot" and not "bugger off".

Personal experience

[DarkMantle]

I decided to try out SP2 RC2 on my computer, boy... was that a mistake

Here's the hardware i have to give u a heads up... AMD 3200+, DFI NFII Ultra Infinity Motherboard (nForce 2 chipset) nVidia FX 5700, 1GB RAM, DVD+-RW, and 2 hard drives....

Here's what happened...

• Random re-boots: claiming my video drivers where at fault, so i installed older drivers... same thing.. hacked/leaked drivers... same thing
• Random re-boots: claiming some other drivers where causing the problem, but M$ couldn't tell which ones
• I used my Linux computer to nmap (and otherwise attack) the windows new firewall... took 8 minutes to break in (good thing i'm behind a HW firewall)
• Unreal Tournament 2004 was drawing textures funny alerting me to an upcomming re-boot

After removing SP2 RC2... everything works fine....

Re:Personal experience

[John+Starks]

How much you want to bet that the new firewall doesn't block ICMP packets?

I'd be willing to bet a great deal of money that it does since the original XP firewall blocks ICMP packets. You can even choose which types of ICMP packets to allow.

Re:Pirated copies?

[dave420]

On my Windows (corp -usual story), you can install the SP2 fine. Afterwards, however, windowsupdate will not work. I guess that means they've done enough to XP to make it secure enough to be left alone...

Cisco VPN Client

[sean23007]

My biggest problem with SP2 is that it is incompatible with the Cisco VPN Client. I need to use that to work from home or the road, and as such it was impossible for me to do work when I installed SP2RC1. Until Microsoft and Cisco work that out, I don't think many of the laptops and tablets at my workplace will get this update.

Re:MS lock in

[dave420]

If they do such a poor job as Netscape did, then fair enough... Let's not make Netscape out to be some sort of betrayed jesus or something. Netscape made crappy software, and they lost out because of that single fact.

Re:New features, yes.

[choovanski]

> Where do I find General? Is this under Settings, > control panel, the registry, and app..? Throw me > a bone here! You need to run TweakUI, it is listed in there. If you don't have TweakUI for WinXP get it here... http://www.microsoft.com/windowsxp/downloads/power toys/xppowertoys.mspx

Re:New features, yes.

[silicon+not+in+the+v]

Here where I work, they use Outlook, and until I turned it off, it had a default setting to bring up a notificatioon box when a new email came in. It was "You have new mail. Would you like to read it now?" YES | NO
YES was the highlighted box, of course, so a space bar would bring up the new message instead of the email I was typing. The time I remember, though, was when I was typing, and I saw it flash on the screen for a split second and disappear. I looked at where I had just been typing and it had stolen the "n" out of one of my words to answer that dialog box.

Check it out for yourself

[fishdan]

IT's only in Beta, so be warned. Don't upgrade a critical machine. http://v5.windowsupdate.microsoft.com/ to upgrade a windows box (remember to go there in IE)

Re:New features, yes.

[RzUpAnmsCwrds]

"Unfortunately, it doesn't really do a lot to protect against spyware."

Are you kidding!!!!

XP SP2 ELIMINATES drive-by downloads. IE is set, by default, NOT to prompt to install ActiveX controls (e.g. Gator). Instead, it pops up a little bar at the top of the screen. It now takes three clicks and a much improved security dialog to install spyware.

"This last reminder is particularly annoying as it pops up from the system tray approximately every 10 minutes, with the default dialog option set to reboot."

Of course it is annoying! It's supposed to be annoying! The patch isn't applied until you reboot, so it is is essential that you reboot *as soon as is reasonably possible*.

"or enable the default Windows firewall - and given the Microsoft security track record, who in their right mind would rely on that?"

The Windows Firewall has proven to be as effective as any hardware firewall. It does not, however, block outgoing traffic.

Oh, and SP2 isn't just a "front end". It is a new version of IE which is immune to all of the IE holes posted on securityfocus. It is a new security-zones system which should eliminate nearly all cross-zone flaws (currently the #1 security flaw in IE). It is an IE with a popup-blocker. It is an IE that prevents drive-by downloads. It is an IE that warns users when they are about to download a dangerous file. It is an Outlook Express that prevents users from opening dangerous attachments or from being subjected to spam "bugs". It is a service pack that takes advantage of no-execute (on AMD64 CPUs) to prevent buffer-overruns from becoming security holes. It is a service pack that includes recompiled versions of system DLLs - versions compiled with a compiler that is designed to eliminate most buffer overrunns.

XP SP2 is the single largest update to (consumer) Windows since the introduction of Windows XP. It is not just a "front-end".