The release of Service Pack 2 (SP2) for Windows XP marks a significant step forwards for Microsoft Windows. Specific features such as its support for NX processor instructions and the enormous list of OS fixes were not tested, but are reasons to upgrade in themselves.
We tested SP2 on a low-powered machine, representative of an average corporate workstation, rather than a high-end system. The impact in performance was immediately apparent: benchmarks run before and after installing the service pack showed a performance hit of around ten percent. But benchmarks taken on a system running no software were only the start: while the test system ran Windows XP and Microsoft Office applications without a hitch, with SP2 installed the applications slowed to a crawl. Organizations with aging desktop systems will need to consider widespread hardware upgrades before rolling out SP2.
Although Microsoft estimates that the service pack will weigh in at about 70 MB when downloaded by Windows' automatic upgrade process, the network install is a hefty 240 MB, including every component updated by the pack.
From the network install, administrators can create custom configurations for their environments to be deployed by patch management software such as Microsoft's own SMS. This is highly recommended: the upgrades in the service pack are extensive and are likely to cause problems if they are rolled out in their default configuration.
Having installed the pack, we rebooted the system and were presented with screens to configure the security settings. Ideally, this should have come after a successful login by an administrator. The configuration includes extensive help, but is simple enough: a strongly-recommended "turn the firewall on" default, or a deprecated "off."
Automatic updates are configured (with similar recommendations for the fully automatic option) and, after logging in, the user is introduced to the Security Center, from where the main security components are configured.
The Security Center aggregates the status and configuration of the Windows firewall, automatic updates, anti-virus software, and the Internet Explorer (IE) security settings. A "green light" indicates that the system is configured in the optimum way – meaning configured to exactly what Microsoft recommends. If you are using a third-party patch management tool instead of Automatic Updates, this setting will be amber or red.
The new firewall is a great improvement over the previous packet filter, but still inferior to commercial personal firewalls. It only blocks incoming traffic, so infected hosts will still propagate malware, but the per-application granularity is well managed and easy to configure. More advanced settings – opening ports, permitting applications access and logging – are all there for advanced users.
Port scans showed that the system was indeed more secure from the outside, although inconsistent results (ports showing closed during a TCP Connect scan versus "stealthed" no-results on a SYN scan) might make identifying SP2 easy for an attacker. Port scanning brings up another contentious point: Microsoft has removed support for TCP Send operations over raw sockets, because the facility is used mainly by malicious software. Sadly, it is also used by security software such as nmap, which does not work under XP SP2 for this reason.
IE has had a refresh. A new security bar alerts the user when a site attempts suspect activity, and does a good job explaining what is going on. Popups can also be blocked, giving Mozilla users one less reason to sneer. If you have a corporate intranet using active content, it will be a good idea to test it thoroughly – although IE and the new firewall trust content and connections on local subnets, VPN users might experience problems. You can easily configure around this before deployment, with sufficient testing.
SP2 offers tighter interfaces for anti-virus developers, enabling users to be alerted when their AV is disabled or when updates are available.
Our attempts to test Microsoft's approved AV partners were not encouraging. From the Security Center, links take the user to a Microsoft page of endorsed AV providers. The first on the list, Computer Associates, took us to a page which showed the personal details of someone else who had downloaded the software, and did not allow us a "second download."
The next, F-Secure, downloaded successfully, but triggered alerts from the firewall during installation without prior warning. Integration to the Security Center was accomplished by downloading a hotfix, at which point the software promptly broke, showing "malfunction" in the status and failing to install signatures. The Security Center then alerted us to the fact that our AV software was not up to date.
Outside the security software, Microsoft has extensively overhauled most of the OS. Comparing checksums showed that the base install weighed in at 9,876 files; 3,579 of those were updated during the install (some trivially during the normal course of operations), and 4,095 new files were installed.
SP2 is a mammoth overhaul of Windows XP, the tightened security is a very important step and there have been substantial internal improvements. But expect performance issues, clunky third-party support, and a lengthy internal test process before deployment. All this, however, should only affect you when you deploy SP2, not if.
