Last Words On Service Pack 2
thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver." Finally, Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZD Net, David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
"ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver."
Aren't 99% of drivers 3rd party software? The only thing MS does is bundle them together, but I believe that AMD or Intel et al are the ones who actually WRITE the device drivers. And if the performance of a new driver sucks, I'd chalk that up to being a shitty driver, versus a shitty Service Pack...
Things that I have been disabling as a rule, just like a "normal" procedure after a windows install - are still out there active on default and still need to be disabled. As the article says they are simply not required for a home machine (in a vast majority of cases anyway). So what is this major security improvement they speak of if basic things that have been attacked for so long are left open?
If for some reason you DID load SP2 on a spyware infested computer and it is no longer booting just boot with the "Last known good configuration" option in the F8 boot menu. Uninstall SP2 (you may have to use XP system restore before doing this), remove spyware, reinstall SP2.
"Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea."
One word. DUH. If you even install SP1 on a spyware infested computer it can render it unbootable. I've run into at least 10 machines this week that have had this same problem. I work at a university which is forcing students to install service pack 1. There are a lot of machines that can't even take the service pack because of the spyware; the installs just hang or destroy the install on the computer. I feel bad for the students because they have to either format or pay to get their computer fixed. It's not their fault or the university's fault. Who would have thought forcing college students to update their Microsoft patches would be a bad idea.
"reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz"
From the MS website regarding minimum requirements for running Windows XP:
PC with 300 megahertz or higher processor clock speed recommended (source)
which seems to be just enough to keep the system running. Coincidence? I think not....
This sig contains repetition and redundancy.
That was the other bit- RPC and DCOM are ON after an SP2 install, because if you actually read the documents from Microsoft, under SP2 there's a whole new accessibility layer built into the DCOM Server that checks the registry to see if this COM component can really be activated by a remote procedure call- and the default setting is "Yes, but authentication required, no anonymous connections." I know this because we've got a lot of DCOM here, and for EACH component we're going to need a separate group policy setting in Active Directory to get it all to run right.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
"DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default."
Now, I'm no fan of Microsoft (Windows free for over 5 years now), but this is insane. Every home user I have ever helped needs a DHCP client so that their computer can get an IP off the university LAN or off their brand-spankin'-new broadband router. To disable the DHCP client means to turn off the interweb for the majority of users. Greene went a little over the top it seems.
There are a bunch of other things which are actually useful:
- Popup blocking in IE
- Warnings when you try to download a file, run a downloaded file, or access a page with an ActiveX control
- Enhanced wireless networking; now I no longer have to use the program from my wireless card manufacturer if I want WPA-PSK
- Firewall on as soon as the system starts up
I'll repost something I've written today:
:P~ - this means only good things for Linux, bad things for Micro$oft and sadly bad things for me (us) as we live in a M$ world - consider getting even more probes
#v+
well SP2 is IMHO funny they really haven't added anything useful to it
1] popup blocker - but hey I've got popup blocker in MSIE for like one year thanks to - http://toolbar.google.com/ - and it comes with google search feature which is uber-cool. I install it on every XP client I touch so OK - popup blocker. how innovative...
2] hardened MSIE - well it is a myth. it is still the same MSIE, nothing changed beneath. still too deeply integrated in system, still with unsecure features like ActiveX - it is just they are turned off by default so first thing you will do is re-enable these features since without them nothing works. nice patch... really.
3] NX technology - well it is something but right now it makes no difference as it requires modern hardware and only few chips support that. and I'm (and I'm not alone here) probably not going to change (meaning networks I administer) hardware till it dies... so few more years to go without NX... and also to mention Linux has similar options (executable stack protection) for ages - available as patches f.e. PaX. (for kernel) and also few options (like pro-police-gcc) to glibc... and if you need you can recompile everything against those features as it is Open Source... again MS - innovative... really
4] new firewall - well good to see it but it has its flaws. like it runs in user space, it is worse than other offerings. but still - this is feature I find nice.
what other things left? lets see...
5] new Windows Update - new but it sucks ass like ever. why can't make a decent patching service. it only requires a server and decent GUI for client. I mean jesus I can make such thing myself, just give me specs and some time and I could make it. options I would include:
* decent GUI for configuration with Active Directory support to push configuration to domain
* setup proxy server for updates (f.e. local proxy server to limit bandwidth use)
* free local proxy server software for updates. it even could be only on Windows. to have one machine caching updates in LAN - jesus it's being done in Linux so easily, I can set up my own updates proxy with Linux in like 3 minutes...
* option to choose which connection can be used for automatic downloads (f.e. I wouldn't like my system to pull updates when I am connected via GPRS mobile modem, but I wouldn't mind when it does when I am on corporate LAN)
* some better handling of applying those patches. maybe just downloading them and waiting (I mean waiting not bothering me to reboot manually) for next boot to apply patches while booting (no files locked)...
what else left "new"... oh the funniest thing! new Security Center applet in Control Panel - a place where you can see that you are "secured" (not to mention that you still can be 0wned) - weeeeeeelll in one thing Micro$oft is brilliant - marketing: people want secure Windows, tell them they are secure, show them nice icons telling them that they are secure - people can actually believe it that is in some way brilliant isn't it? too bad it does not work better security for me (and you)...
and also this hype with Longhorn delays due to shifting literally everybody to develop SP2 - what they actually developed? few icons? changed default settings? this requires whole resources of multibillion software giant? that is pathetic for me... Fedora community alone (backed by Red Hat but still it is different scale than M$) can do amazing things like incorporating advanced MAC security with SELinux in months, and software giant can't make a basic security level with all their resources (oh and they do leave things unpatched, or issue things like disable login from URL as a patch, oh and update breaks like every 1 of 10 setups)? and still they say open source model is not superior? mehehehahhwhw...
This is normal. This is another in a long line of articles that does little more than say:
...get this... ...MANUAL. Manual is another word for "not on unless I need it," which is a nice long way of saying "OFF" -- you damned chowderheads.
L0LZ@Micro$0ft!111!!11oneeleven1!! because your firewall choices and services defaults aren't what I would have picked.
There's still service bloat in XP. There's little doubt about that, but suggesting that you turn off DHCP when 51% of us use broadband? I mean, DHCP only has an effect for people that actually, you know - HAVE A FRICKIN NETWORK CABLE PLUGGED INTO THEM! Can we make an assumption that a pretty fair percentage of people who have network cables plugged into their computer use DHCP? Good lord almighty.
Also, he complains because the service type on most services is set to...
Sure, XPSP2 isn't perfect, but articles like this, these "If I had made it, I'd have made it stupid!" articles - they're just drivel.
I otherwise agree with most that was written - I totally agree that "less is more" when it comes to security (although there often ends up being hooks for stuff like RPC all over the place) and I couldn't believe it when I saw "Remote Assistance" enabled on my computer by default when I loaded it - WTF!
Hulk SMASH Celiac Disease
-Lucas
I have been having this problem on my Inspiron ever since I installed SP2. I have tried a lot of things, and I highly suggest http://www.blackviper.com/WinXP/servicecfg.htm for tweaking your services settings.
Another way to boost your speed is changing your Prefetch setting, http://techrepublic.com.com/5100-6270_11-5165773.html has a great article on how to do it.
TCPOptimizer http://darkedge.levels4you.com/review.l4y?file=20 also helped speed up my collection a lot.
Another cool tip is fixing Event ID 4226 which limits your connections in SP2, check it out at http://www.lvllord.de/?url=tools#4226patch.
And, of course get the MS TweakUI for XP at http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx.
And although they are not freeware I actually bought and really like Registry First Aid http://www.rosecitysoftware.com/reg1aid/ and Registry Compactor http://www.rosecitysoftware.com/RegistryCompactor/.
I hope you all have as much success as I have with speeding up XP. It is a pain in the butt to do it, but it is worth it in the end.
"Your 'Gin n'tonic Futon Brain' sure makes you smart!"
"That's 'Positronic-photon Brain', you idiot!"
If you still use Roxio Easy CD Creator 5.x, you will not get to use DirectCD for UDF Packet writing to save directly to CD after SP2 is installed. This program comes with every new Dell Optiplex we bought this year. These Computers are supposed to be Supported with SP2. But 2 calls into Dell T.S. resulted in a "Sorry, too bad" response. They recommend Windows native CD burning, but that ain't UDF.
(We have a need to make saving to CD as simple as a floppy for some elderly folks.)
This one isn't listed on Microsoft's list of SP2 incompatible programs.
Nor is anything mentioned on Roxio's site except people complaining. Roxio is up to version 7 now so you know they say to upgrade, but Dell still ships old v.5 out with new PCs. Go figure
Well, just wait 'til Longhorn.
Meanwhile, back in the Short term.
Microsoft disclaims responsibility for OEM software and:
"Dell does not validate any externally loaded software and can therefore make no representations as to their effectiveness, stability, appropriateness, or safety. Any problems encountered with this kind of software should be addressed to the respective manufacturer."
It appears that the actual support that can be relied on is maybe a hair less than what you get from Fedora Core release candidates.
Although I don't have a Dell, I noticed the same thing. My wireless connections now work the first time all the time. SP2 improves power management as well. My laptop now comes out of sleep mode every single time in a couple seconds. Pre-SP2 half the time it would reboot or just sit there with a blank screen until I hit the power button.
I just noticed on a clean install of XP SP2 that the integrated video output from an Intel 845G chipset is corrupted. Removing SP2 corrects the issue.
There are a lot of 845 chipsets out there; I wonder if they all have the video issue.
-ted
I agree. I don't think he knows what he is talking about. He said services are "listening" and that may be true but the firewall is blocking everything by default.
Today I built a fresh XP machine with SP2. I just scanned that machine with nmap and it showed absolutely nothing open except the VNC port that I specifically configured. The machine doesn't even return pings. I'd say that's a pretty tight default setup.
The ratio of people to cake is too big
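The dispute running through this thread, services that are listening versus ports that are actually reachable, can be checked by reconciling a local `netstat -an` listing with an external nmap scan in grepable (`-oG`) form. The following is an added example, not part of any comment here; both inputs are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample: `netstat -an` as run locally on the Windows host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1040      192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: nmap grepable (-oG) output taken from a second machine.
NMAP_OG = ("Host: 192.168.0.10 ()\tPorts: 5900/open/tcp//vnc///, "
           "135/filtered/tcp//msrpc///\tIgnored State: filtered (1655)")

def listening_tcp(netstat_text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    binds = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, port = f[1].rsplit(":", 1)
            binds.setdefault(int(port), set()).add(addr)
    return binds

def open_tcp(nmap_grepable):
    """Ports the external scan reported with a state of exactly 'open'."""
    return {int(p) for p, state in
            re.findall(r"(\d+)/([a-z|]+)/tcp/", nmap_grepable) if state == "open"}

def classify(netstat_text, nmap_grepable):
    """Label every listening port by what the outside scan could see of it."""
    seen_open = open_tcp(nmap_grepable)
    report = {}
    for port, addrs in sorted(listening_tcp(netstat_text).items()):
        if port in seen_open:
            report[port] = "reachable"
        elif addrs <= {"127.0.0.1"}:
            report[port] = "loopback-only"
        else:
            report[port] = "listening, not reachable from scanner"
    # A port open to the scanner but absent from netstat deserves a second look.
    for port in sorted(seen_open - set(report)):
        report[port] = "open but not in netstat"
    return report

if __name__ == "__main__":
    for port, verdict in classify(NETSTAT, NMAP_OG).items():
        print(f"{port:>5}/tcp  {verdict}")
```

A port in the third category is only as protected as the filter in front of it, which is why both the service list and the scan result matter when auditing defaults.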
Actually, that's not an accurate representation of the situation. The real problem with Win98 is that it has no system-level security. It only has network-level security (including, mind you, PPTP VPNs.) Thus no matter who you log in as, you are root. There are two purposes for the two windows logons. The basic "Windows Logon" has the purpose of setting your name for basic programs which care. The Windows Networking Logon also sets your user context and after validating your password, will use it for network services.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This script can be used to remotely block or unblock the delivery of Windows XP Service Pack 2 (SP2) from the Windows Update Web site or via Automatic Updates.
To-do List: Receive telemarketing call during a tornado warning. Check.
I don't see how SP2 could be faster. Microsoft added new bloat compared to SP1.
I think the reason it was faster after SP2 might be...
Windoze gets a bad case of registry rot from installing and uninstalling software, and all that spyware in there slows things down a lot, too.
Obvious solution... I gotta see a man about a penguin.
>> My ultraviolent Linux switch video.
I've just recently performed a fresh ("slipstream") install of XP SP2 on my laptop, and my nmap scans and observations of active services are quite different from this article's report. Maybe he upgraded a fresh XP or XP SP1 install?
Honestly, the guy says that services like DHCP and DNS should be disabled by default and that "most home machines" don't need it. I guess he doesn't expect people to read his article from home, then, because without being able to get an IP address lease from an ISP or resolving theregister.co.uk, they aren't going to be able to read it!