IT Pros: Still Cautious Over XP SP2 Security Rewards

At a virtual security conference, industry experts advise that the security rewards from Windows XP SP2 far outweigh the risks. Still, much of the audience says it is still "testing" the update.

Security experts discussed the merits and flaws of Microsoft's Windows XP SP2 (Service Pack 2) in a panel discussion Tuesday as part of Ziff Davis Media's Security Virtual Tradeshow. Across the board, they highly recommended that enterprises quit their flinching and install the upgrade, although they still offered several caveats.

"An absolute, resounding yes, you should deploy," said Oliver Lavery, chief software architect at PivX Solutions, Inc. of Newport Beach, Calif. "Should you upgrade tomorrow? That's a resounding no."

Lavery and other panelists stressed the need to carefully test systems and applications—particularly third-party and business-critical software—prior to widescale enterprise deployment.

"The only reason not to deploy is if you're facing insurmountable application compatibility issues within your organization," said Bernie Robichau, who has deployed SP2 as the network administrator and security officer for South Carolina's department of parks, recreation and tourism.

But he said the installation tools offered by Microsoft alleviate most of those risks.

"Almost every issue you would have with installing SP2 can be mitigated by implementing Group Policies during and after installation," Robichau told the online audience.

However, Mary Jo Foley, editor of Ziff Davis Internet's Microsoft Watch, was more cautious. She said that while Microsoft termed SP2 a "basic upgrade," customers, partners and competitors agree that it's a "completely new operating system," with inherent weaknesses.

"Microsoft released SP2 publicly on Aug. 6, but that doesn't mean it's bulletproof," Foley said. Microsoft itself initially had listed some 200 applications that "lose functionality" when paired with SP2, and that number still stands at about 40.

Foley also said Microsoft has elected not to support updates to systems and programs not running on XP, which has caused concern in the industry that the company is forcing customers to upgrade to XP in order to reap the increased security of SP2.

Panelist Shawn Bernard, senior security engineer at Hudson, Mass.-based Networks Unlimited, said he thinks many of those security enhancements are enterprise-strength, but that the weak Windows firewall is not a solid desktop solution.

"They do provide you with a functioning firewall, but not one that is easily managed within a corporate environment," Bernard said. He compared the firewall to the basic document functionality found in Microsoft WordPad, and stressed the importance of installing third-party firewalls at the desktop level.


While all of the panelists agreed that enterprises should shortly implement SP2, in a straw poll of online participants during the panel discussion, about half were still testing SP2, seemingly in line with the panel's recommendations.

"SP2 isn't perfect, but it's the biggest improvement Microsoft has made," said PivX Solutions' Lavery. "It's not going all the way. But frankly, it's impressive."

The panel discussion will be archived at The Security Virtual Trade Show continues Wednesday at 11 a.m. EST, 8 a.m. PST, with panel discussions, keynotes and sponsor exhibits.

Editor's Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of
