TechEd's Desktop Push: Deploying Windows XP SP2

With Windows XP Service Pack 2 due to market in a few weeks, the company's mantra is that you need to start testing now, Rob Enderle writes.

Disclaimer: Microsoft, Transmeta, Intel and VIA are clients of mine.

SAN DIEGO—TechEd is one of three important shows from Microsoft, the other two being the Windows Hardware Engineering Conference, focused on hardware companies; and the Professional Developers Conference, focused on developers.

For IT, TechEd is the most important because it focuses on the people who deploy technology, and there are 11,000 IT people here. Looking around in the huge keynote room, it isn't hard to believe that they are all here with me in the room.

And TechEd also can showcase just how hard it is to do certain kinds of things in this new, wireless world.

I'm carrying the new Sharp MM20 that I showcased in an earlier column, and while it can see the wireless access points spread liberally throughout the show, the connection is going up and down.

I am unable to create a VPN or make contact with my Exchange Server, even though I can browse the Web intermittently.

Having this many people in close proximity remains a huge problem, but I can't help but think that Microsoft is trying to showcase one of its new solutions in this instance.

That solution, which works only on current versions of Office, Exchange and Windows Server 2003 platforms, is RPC over HTTP. This allows you to connect securely to Exchange without opening a VPN, and so without opening the organization to attack through the trusted link that a VPN represents.

One of the announcements here is that this connection, which is Exchange-only at this time, will be expanded to a variety of products next year with an interim drop of Windows Server 2003.

I first became aware of this when my ISP, LAN Logic, which hosts my Exchange Server, suggested it to me several months ago.

It is interesting to note that while my own technicians appear to be up on this, and clearly the IT folks attending are being trained on it, the technicians on the floor have never heard of this improvement.

You also can use several thousand HP desktops to access your e-mail if it is exposed to a Web client, and I can't help but wonder how many of these machines may have password-caching turned on—once again pointing to the need for a USB dongle I highlighted in my column on hoteling a few weeks ago.

If there is a central message from Microsoft with regard to the desktop, it is the drive to deploy Windows XP Service Pack 2 (SP2), due to market in a few weeks. In the platform sessions, the repeating message is that you need to start testing now.

This message is so strong that it is becoming clear to me that shortly after SP2 is released, messaging that focuses more on the responsibility of the IT manager and less on the product will roll.

And this messaging will go a long way toward creating the belief in non-IT management that anyone who is on Windows and is not running SP2 is taking an unnecessary risk.

This will undoubtedly upset a large number of folks, but the practical aspect is that this is really the only strong lever Microsoft has to drive massive adoption of the most important patch, with regard to security, that it has ever provided.

We can argue that it is overdue, but once it arrives, the pressure shifts to us to deploy it—and Microsoft is already driving this hard.

It takes about nine days from the time a regular patch is released until some idiot reverse-engineers it to create a virus that exploits unpatched systems.

It takes the virus companies about 24 hours to identify the virus and distribute the definitions that allow the virus to be accurately identified, disabled and removed.

In that 24-hour period, the viruses may infect thousands of machines and mutate, making it virtually impossible to respond to these newer threats.

Some of the most recent viruses actually turn off popular virus protection programs. Like an athlete who plays without the proper protective gear and gets injured, once SP2 is out, those who are hit with a virus and haven't installed this comprehensive patch are more likely to be seen as the problem, not the victim. And were that to happen, it would clearly be career-limiting.

One related announcement is that all of the patching services will be combined in a few months into something called SAS 2.0. Then, an IT department can set up its own intermediate service to make sure the patches are tested before being deployed.

Given that patching is killing the desktop staffs, most here at TechEd appear to agree that this is one of the more powerful desktop fixes. But remember that at least one patch requires a change in hardware and that, without this change, desktop hardware will remain uncomfortably exposed.

Next Page: The importance of Data Execution Protection, formerly called NX.