Countdown to XP SP2: More than a Firewall

Windows Firewall might be the icing, but it isn't the whole cake

In my most recent Web Exclusive VIP articles ("Countdown to XP SP2: Forced Protection," April 2004, InstantDoc ID 42496; "Countdown to XP SP2: Dealing with ICF," April 2004, InstantDoc ID 42497; and "Countdown to XP SP2: Planning Ahead," May 2004, InstantDoc ID 42552), I discuss some of the effects that the upcoming Windows XP Service Pack 2 (SP2)—specifically, its Windows Firewall component—will have on your network. But there’s a lot more to SP2 than Windows Firewall. Let's take a moment to review some of the other highlights.

Many changes occur in Microsoft Internet Explorer (IE). The first of these changes—a popup blocker—will be welcomed by many. I’ve used the Google toolbar’s free popup killer, but having a built-in blocker on all my XP boxes will be convenient. (Who knows, perhaps when all the major browsers have popup killers, the annoying things will go away.) You enable the popup blocker from IE's Tools menu. Whenever you visit a Web site that uses popup, a new Information bar (or Notification bar—both labels appear in the SP2 beta version that I ran) appears as a pale yellow rectangle just below the Address Bar. IE uses the Information bar to inform you about a bunch of new-to-SP2 items, of which pop-ups are just one (the other items include heads-up messages about how IE’s blocked shady activity from some Web server). The Information bar that appears after IE blocks a pop-up informs you that a pop-up was blocked; clicking the bar gives you options to let the popup appear, create a rule allowing all pop-ups from the site, or bring up the pop-up blocker's Options dialog box. I find this approach a bit more useful than Google's, which requires me to press the Ctrl key and refresh the page to view an individual pop-up. SP2’s IE also provides an IE status bar icon that lets you know the pop-up blocker is active.

Have you ever wanted to find out quickly which ActiveX controls and other browser plugins are running on an XP system? IE has always seemed to view ActiveX as a secret, requiring you to click Tools, Internet Options, Settings, View Objects to get this information. SP2’s IE makes the process easier: Just click View, Manage Add-ons to get a list of browser extensions (e.g., Windows Messenger) and ActiveX controls.

A lot of the IE changes shore up the application's security. Some Web sites play nasty games to hijack your browser. For example, to trick you into clicking a button, some sites make the entire page one big button, then size the page larger than your screen. Thus, clicking anywhere on the screen causes starts a download. (Yes, you can cancel the download, but many users have become accustomed to clicking OK automatically whenever a download box opens. Plus, some organizations might not yet have patched an IE bug—patched in Microsoft Security Bulletin MS04-004, Cumulative Security Update for Internet Explorer—that makes it possible to launch and complete a download without asking for confirmation.) Other evil scripts use a hole in IE that lets Internet scripts run as if they’d originated on the hard disk, with the result that those scripts have a much higher privilege than you probably want. SP2's IE plugs these and a host of other little holes, something that might make IE the best argument for installing SP2. (You’d think that the logical result of all these IE patches would be a new version of IE or an IE service pack, but the Microsoft folks that I've talked to have indicated that neither will appear for a while. I have to wonder if Microsoft is using IE’s current vulnerabilities to chivy people onto XP!)

Also in SP2: Wireless support gets yet another makeover. SP2 implements a smoother system for browsing wireless networks, and now you can choose a favorite 802.11b Service Set Identifier (SSID). That capability can be useful in today’s business environments, in which the vagaries of your wireless Access Points' (APs') power output can sometimes leave your system automatically hopping to another wireless network every time someone walks in front of your XP box.

Last summer, Microsoft started talking about revising the code it uses to distribute and install patches. These changes make their first appearance in SP2's Windows Installer 3.0. Up to now, Microsoft hasn't often used Windows Installer to deploy patches—hotfixes tend to be simple .exe files—but Windows Installer 3.0 includes a patch sequence table: a tool that Windows Installer can use to install a bunch of patches without letting them step on one another.

SP2 also hardens systems by automatically turning off the Messenger and Alerter services and by changing the way that remote procedure call (RPC) communications work (systems can no longer connect anonymously but will instead have to present some sort of credentials). This move is a good one, I suppose, but it will break some applications, so I suggest you start testing your applications against SP2 systems in a test lab. (If necessary, you can use a registry hack to let your XP SP2 systems permit anonymous access.)

In the end, testing is the most important and most troubling thing about XP SP2. Although the service pack has a lot of nice features, don't roll it out without thorough testing to ensure that it will work with your existing applications. You can get XP SP2 Release Candidate 1 (RC1)—start running it through its paces now.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.