Survey Shows Admins Avoiding SP2
bonch writes "Tom's Hardware Guide is running an article about Windows XP Service Pack 2 and its limited acceptance by IT administrators. AssetMetrix is cited in the article as reporting that fewer than 24% of over 136,000 Windows XP PCs in 251 North American corporations even had SP2 installed. THG goes on to describe the reasons given by admins and discusses the advantages and disadvantages of installing SP2."
A heck of a lot of apps are NOT certified for sp2
1) People have enough problems with Windows without worrying about an upgrade that they've heard countless times will BREAK existing applications. 2) Some percentage of the population is simply pirating Windows and is afraid they'll get "caught" if they try to upgrade. 3) SP2 is seen as the first step in Microsoft's "Trusted Computing" initiative. 4) It breaks Halo. C'mon.
Going back to school for entry-level jobs?
I spent just over 3 months testing SP2 with all of our internal and external applications as well as stress tests for performance differences between SP1a and SP2. SP2 got the green flag the second time round (it failed because some internal applications failed, these were updated as was decided by IM).
I finished doing the last update about 3 weeks ago and have not had any problems relating to SP2 yet which is great.
IMO the only negative thing about SP2 is its size/time to install. It has slowed down deployment because of the bandwidth it uses and the time it takes to install which is a major impact to production, which means it needs to be down out of office hours which means IT support need to work overtime, etc.
While deployment of SP2 was tiring and long I would rather get on with it than wait it out like some companies are doing.
While there might be good reasons for not installing here and there, I suspect most of the so-called "admins" are just too lazy or simply clueless when it comes to large scale software distribution.
Installing SP2 in a large corporate environment is nothing to sneeze at, I agree, but that's no excuse for not patching.
Really, am I the only one thinking that something is very broken in Windows when Microsoft has to convince us to apply a (free) upgrade to the system?
I'm not surprised at the reluctance. :-)
Given that many of the SP2 changes relate to networks and firewalls, the bigger the corporate network the bigger the chance the upgrade will take some time to get working for everyone in a company.
If you are used to fixing problems remotely and the upgrade prevents the problem PC connecting to the network... you see the issue.
I recently obtained a copy of Visual Studio 2005 which I wanted to play around with. Install went fine (on XP) UNTIL I tried to install the DOCUMENTATION...which insisted that XP SP2 had to be installed!!
So I installed it. It broke SQL Server 2000 because I hadn't patched it (but wrote information to the event log about how to fix it) but apart from that things went well...
Until I tried to run the spidering app I've been working on at which point I discovered that XP Pro + SP2 = Castrated System! SP2 limits the number of connections pending opening to 10 (down from 50) and provides no way to change this limit!!!! Unimpressed....
Anyways, given that many pieces of software will only run on systems patched to a certain SP level I'd expect that it won't take long before it's a required upgrade...having to install it for documentation to work though....that rubbed me the wrong way I must say..
To be honest this was the first I heard about it. I just naturally assumed that Shareaza didn't perform as well as other dedicated P2P software applications. That registry entry seems to be missing and according to what I've read is hard coded in tcpip.sys. I found software to change the number of connections permitted in tcpip.sys here and it might be covered in XP-antispy though I've not tested it yet.
In all fairness I have had few problems with XP SP2. Unfortunately any problem I've had has been hardware related.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
I had to install SP2 here at work, because of the machine analysis program that examines all the machines connected to this network.
I was just tired of seeing each and every Monday the same email that was telling me it was *mandatory* to install the latest Service Pack on my machine.
Since I'm not using that many programs here, SP2 works fine anyway.
-- Personal Blog: http://www.delymyth.net/ (italian)
Admins threaten corporate IT security by avoiding to fix vulnerable machines
:)
It's not avoiding to fix them, it's just trying not to have to install the machine again.
And I heard of people having BIG problems with SP2 installations.
It's better to get a firewall, an antivirus, change email client and browser.
Less things to worry about
-- Personal Blog: http://www.delymyth.net/ (italian)
For your info, this service pack may cause BSsOD when non-compliant programmes are used. Think about that: a service pack that changes an operating system so that the kernel can be killed by an application. No wonder admins are loath to roll it out! Imagine the crap you'd get from the board if it turned out your in-house programs now kill Windows?
Wake me up when Microsoft do the right thing...
Justin.
You're only jealous cos the little penguins are talking to me.
Yeah, but when they fixed security did they have to break the USB port at the same time?
It's not just patches. If you want to install extra Linux software these days you had better have a broadband connection t'interweb. Without yum or apt-get resolving all the dependencies will take you a long time and some effort (broken dependency xyz.lib, now where do I get that.)
Now Windows installers are huge. But at least it's usually just a case of downloading and running setup.exe and all is done for you.
Philip
Signatures are broken
We have tricked SUS server to run on XP home editions here (so we DO have a choice in deploying Suckpack2) (ps SUS officially has to run on a server version of winblows, but this is ONLY to sell more of them. It runs fine on XP once you alter the installation).
But even the small updates break loads of stuff.
Yesterday the SUS server was told to deploy the 8 updates MS brought out 2 days ago.
One of the patches totally broke the antivirus software. ( f*#$^&#kers ).
On a SP2 test machine it even had the nerve to tell us that the computer is freakin insecure because no fucking antivirus package was running.
retep vosnul.
Secondly, and more importantly, no application, no matter how it is written, should be able to kill the kernel! That is just ridiculous, and in other circumstances would be referred to as a local denial of service vulnerability.
Please now hit yourself with a clue-stick.
J.
You're only jealous cos the little penguins are talking to me.
I work for a large oil company, and our worldwide (probably hundreds of thousands of PCs) rollout of SP2 killed Exceed, Samba, and a couple of inhouse apps. Turns out the NT guys hadn't even considered it. As a UNIX admin, I had to work quite a few long nights to repair the damage.
Avoiding it means your systems are running on a legacy OS.
You say that like that's a bad thing.
How long before the legal or finance departments need to use a business-critical Web site that requires IE7 for access?
I don't know, you tell me: how long before some criminally stupid web developer creates a business-critical website that requires a specific version of a browser to even work? Not just "doesn't work on Firefox" (which is already in the "criminally stupid" department) but "doesn't work on recent versions of Internet Explorer"? Yes, I know, that's already happened... but in my case it was a website that didn't work on anything later than IE 5.5. Or older, either. Basically, Doctor Evil, this is a sword that cuts both ways.
When Microsoft do the "right thing" (such as XP SP2),
Microsoft has yet to do the right thing. The security community has been begging them to back out of the tight browser/desktop integration and "security zones" since 1997, and split the rendering and access functionality of the HTML control into separate components so you CAN run a locked-down sandboxed version of Internet Explorer if you want to... but instead Microsoft refuses to admit they made a mistake and patches symptom after symptom instead of attacking the disease.
That's why I, wearing my "security hat", banned all internet-capable applications that used the MS HTML control for rendering... back in 1997. As long as that ban was in effect we had zero virus and security panics, and we were the only division of our company for which that was the case.
The fundamental design of the HTML control is broken and unfixable. The only solution is to back out of that design at a very low level, and rewrite all the applications that use it to handle access themselves. In 1997 I expected that Microsoft would do that... by now, it's obvious that they won't. They're afraid of losing face.
The right thing, from a security point of view, is to stop using Internet Explorer, Outlook, Outlook Express, Windows Media Player, Realplayer, and all other applications that use the MS HTML control to display potentially untrusted data whether they're shipped by Microsoft or some third party. Microsoft has proven over and over again for the last seven years that there is no other rational course of action.
SP2 and every other "security" patch that Microsoft provides are just smoke and mirrors.
"enough list that something will probably not work on a high percentage of machines in any sizable deployment of Windows XP."
From experience, larger deployments of machines tend to have a much smaller pool of applications that are used. This is partly down to administration overheads, machine build overheads and user permissions - most in a large deployment won't have the ability to add new software themselves. If you use a piece of software widely, then it's easier to replace/patch/whatever. A worse scenario would be a small number of machines that are managed by their users.
"Windows admins have a good reason to be a bit careful here. Windows Service Packs have a long tradition of making systems or applications no longer function."
I'd agree with you here, although I'd also point out that a big deployment would also point towards some decent testing and a rollout plan. XP SP2 has been around for a year now, as has the knowledge that some applications break. For an IT admin to sit on a known problem for a year is a little daft, especially in a large setup. Even a gradual rollout, or rebuilding/deploying new machines with SP2 would have given useful knowledge vital to their specific setup. Instead, 12 months down the line, they're still flying blind.
The point is; the risks of upgrading to XP SP2 are known and can be managed. The risks of not upgrading to it are unknown, and potentially problematic to everyone.
Security might have to restrict potentially dangerous functionality, but if your security is breaking functionality that wasn't a vulnerability in the first place, it's not really security, it's just a bug.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Yes, I use Wordperfect in my office, and why not? Works great for me. I suppose if I am to feel ashamed or silly for using WordPerfect just because everyone else is using MS Word, then I should feel ashamed and silly for using Firefox. Maybe I should give up Firefox and go back to IE, or give up Eudora and go back to Outlook? Maybe all of us who use *any* non MS software product should throw in the towel, give up, crawl back to the throne of the mighty Bill Gates and beg forgiveness for daring to use a product other than MS word. :)
:) Not saying I cannot be nailed - is there any such thing as a machine 100% hack proof? But sometimes physically watching and paying attention where you surf, what you install, and what you do is every bit as important as what kind of security software you have installed. I mean, how many people get nailed every day with spyware or worse because they fall for that bull**** of "click here for a free game/wallpaper/screensaver/smileyface" or whatever. Ain't no such thing as a free lunch, to quote the sci-fi author.
Also, for what it is worth, look at that list of incompatible software. Not only is WordPerfect on there, also, Zone Alarm (I use the bought version), Nortons, and Adobe (I use a few Adobe products for years - in fact, been using Pagemaker since Windows 3.1). Right now, installing SP2 would be a nightmare for me.
I use firewalls - hardware and software. I watch security like a hawk on my machines. I've got scanners of various sorts coming out of my wazoo.
Never had a problem in a long time, even on my old laptop running Windows ME - and how many of you can say you ran ME without a problem?
I'll probably be forced into installing it someday, but not today.
We have this methodology at work. I call it, 'Patch when it hits the fan'. Last time we did a major patch is when Nimda kicked our butts. Of course the patch was out weeks before.
The issue is that admins and systems support are lazy. We haven't moved to SP2 because no one wants to get off their butts and test.
Of course, all my systems are tested out on XP SP 2. :-p
In God we trust, all others require data.
Please, please, please... Let's try to make ourselves a cut (however slight) above the rest of the wailing masses. I am so tired of the anti-MS cattle on /. Are they a big evil corporation? YES. Do they do mean, nasty things, often... YOU BET. Do they occasionally get something right.. (here's the tough one).. YES!
On to SP2. Although I don't work in the IT dept any longer, I know most of the people quite well and hear about when stuff is bad(tm). There are over 300 machines in the dept. that I work in. # of problems with SP2? ZERO. Is it perfect right after install - no way, lots of stuff doesn't work. HOWEVER, once the TCP Limit is fixed (yes, 3rd party fix, and MS should include it, but hey, it exists), NX disabled (not ready yet) and assorted registry keys tweaked, it works fine.
Now, for the apostles of Linux - How many of you install the standard base system and change nothing? That's right, ZERO! You can't take stuff 'out of the box' and expect perfection. Same with SP2.
Is SP2 perfect, HELL NO. Is a PROPERLY setup install of it, tweaked by IT people with a clue better than SP1, YES.
Considerable improvements exist in SP2 (USB, wireless, etc). Granted, some things are garbage (windows firewall.. hahahaha!) but they are easily dealt with, removed, or ignored. It is foolish to ignore the good parts of SP2 just to complain about a cheesy built in firewall.
Broken apps. I have yet to hear of a broken app that doesn't have a patch, hasn't been replaced by a newer version, or can't be fixed with a couple of tweaks. We author and utilize a lot of in-house software, and the only thing an MS patch or upgrade, including SP2, has broken involved new security permission in .NET (and can be fixed either in the software, or by the blocked requests).
At least be thankful that MS fixes some of its mistakes.
If you have problems deploying something that's 200MB in size to your enterprise I am scared at how you deploy applications to your enterprise, I sure hope you don't sneaker net the whole thing. Have you ever heard of Systems Management Server, or how about Altiris? You can easily hit 90% of your entire enterprise over night, we did this for SP4 for 2000, and we plan to deploy XP this way also using the OS Deployment Feature Pack which is an extension for SMS, whenever Microsoft gets it to work right and work on more than 35% of the computers they support with XP...But that's an entirely different discussion.
Personally I think the positives outweigh the negatives for deploying XP SP2, any administrator that chooses not to install it does not know what they're doing, or does not understand how they can manage SP2 with Group Policy. If you turn off the Firewall your software compatibility issues are rare, for the most part your enterprise should have a list of accepted hardware, you test on that hardware, work out the issues, and then deploy to your sandbox, once everything is working you deploy to your enterprise. The only issues I have ever seen are from lack of competence from the Engineering team, most of the time companies hire these least denominator people that have no clue where their brain is let alone the ability to test, and deploy a service pack to the enterprise.
I would bet the percentage given in the article is the same percentage of competent Engineers to incompetent ones.
Hmmmmm interesting....
"If I was smarter I could rule the world!"