The major security changes in Windows XP Service Pack 2 mean big trouble for developers and users, a fact highlighted by Microsofts introduction this week of the packs second release candidate—the last major test before it hits the streets.
Microsoft has a history of major releases with understated names, and Windows XP Service Pack 2 (SP2) is no exception. Windows for Workgroups 3.11 was a major technical upgrade over Windows for Workgroups 3.10 or Windows 3.11. Windows NT 3.51 had huge changes compared with Windows NT 3.50—a version you didnt want to run.
So it is with Windows XP SP2 and the parallel Service Pack 1 to Windows Server 2003. Like those earlier .01 Windows updates, it implements large changes in the internals of Windows.
But SP2 also adds major new user features. SP2 changes are largely but not exclusively related to security enhancements, with a few nonsecurity touches thrown in, such as a new Bluetooth stack (golly gee, just what I was waiting for).
Release Candidate 2 (RC2) of SP2, released this week, should be the last extensive trial run before SP2 hits the streets in late July, or so the plans go now.
Will XP SP2 cause problems for users and developers? You can bet your last dollar it will. If the security changes in Service Pack 2 were not going to cause problems, they would have been done long ago. Most of them, anyway.
Applications will break. Network connections will fail, or appear to fail. Users will be forced to upgrade programs and devices that may not be under active support. This is something Microsoft tries not to do.
But even in forums reflexively hostile to Microsoft, there is a general recognition that SP2 will make Windows XP a more secure product. Microsoft has done some things that are basically invisible but will make a difference, such as recompiling large amounts of the operating system with compiler options that prevent most buffer overflows.
(Actually, the options the company uses should prevent most stack overflows. Heap overflows are generally more difficult to exploit but wouldnt generally be fixed by this option.)
But the big thing most people will notice is that part of the OOBE (out-of-the-box experience) when you turn on a new PC or an old one with SP2 freshly installed is that you have to go through a security wizard.
The first thing it does is to recommend that you turn on Automatic Updates. You can still leave it off, just as you can walk through a bad part of town flashing a roll of bills, but its on you if you do.
There was speculation at one point that Microsoft would default Windows XP in SP2 to have Automatic Updates on, but choosing instead to force the user to make a decision is the right way to go. Lets just hope that the only people who say no are the ones who know enough to apply the updates themselves.
The user is then sent to the new Security Center, a central place for managing security settings in Windows and some third-party security software. From here, you can manage the Windows Firewall (formerly known as the Internet Connection Firewall or ICF) as well as third-party firewalls and anti-virus products.
In many ways, the most important security change in SP2 is on the Security tab of Internet Properties, or rather what is not on it: There is no longer a My Computer zone to edit; it has been locked down. Many security experts have complained about the My Computer zone for some time, as it has been used as a conduit for a large number of attacks through Internet Explorer.
Its always been possible to lock down the My Computer zone—see this article from Microsoft and Qwik-Fix from Pivx—but with SP2, by default, attackers will no longer be able to use “cross-zone” scripting bugs to trick IE into executing code.
The big deal is the firewall: If you had been running ICF version 1, you would be immune to Blaster and lots of other attacks, but you probably turned it off because it interfered with applications and local networking and was almost completely unconfigurable.
Windows Firewall is much better and more like third-party firewalls—and its on by default. Is it as good as prominent third-party firewalls from companies such as Zone Labs and Sygate? No, and I dont think Microsoft would claim it.
This is a good example of how Microsoft has been forced into the security business. Its in a classic damned-if-you-do, damned-if-you-dont position. If it provides a good firewall as part of Windows, then its using its “monopoly power” to foreclose a third-party market.
If it doesnt, then its providing an insecure operating system. The trick is to make Windows Firewall good enough that users can run it without problems, while still leaving a clear competitive advantage for third parties.
I asked Zone Labs about the gaps between Windows Firewall, and it has plenty of arguments to make. The biggest one is that Microsoft claims its firewall is much more sophisticated about outbound protection, which means protection against outbound communication by potentially unauthorized software on your system.
Windows Firewall does have some protection against this, but it also comes configured with exceptions for some prominent applications, such as Internet Explorer. Doubtless there will be many testing stories soon looking at the practical differences in real-world use.
Manageability can be another big difference. Windows Firewall will be manageable through group policies in Active Directories, but other firewalls, such as the Sygate Secure Enterprise personal firewall, have much more powerful management features and are not tied into Active Directory—although AD integration is good for a lot of people.
Too bad that just by providing an adequate firewall, Microsoft is foreclosing third-party markets to some degree. People are cheap, and some number of users wont buy a third-party firewall because the Windows one is good enough.
This is bad for everyone in a way, but in the big picture its just necessary that a good firewall—but not too good—come with Windows.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer