A Look Behind the Windows XP SP2 Beta

Back in mid-1996, Microsoft was improving Internet Explorer (IE) at an amazing rate, at one point running the IE 3.0 beta simultaneously with the IE 4.0 alpha. That original version of IE 4.0 was a far different beast than the version the software giant unleashed in late 1997; the original version looked very much like IE 3.0 but included such features as Site Map--a Windows Explorer-style treeview of the layout of the site that you were currently visiting--and integrated FTP capabilities. But then Netscape announced that it would replace the Windows desktop with a project code-named Constellation, describing Windows as nothing more than a buggy set of device drivers. In Redmond, those were fighting words, and if you ever doubted that Microsoft took the Netscape threat seriously, consider what happened next: The company abandoned its original IE 4.0 project and started from scratch on the IE 4.0 version we eventually received. That IE 4.0 version included Active Desktop, which blended HTML and "push content" with the Windows desktop; an integrated IE/Windows Explorer shell; the Channel Bar so that third parties could deliver content to users' desktops; and other features that, in retrospect, were pretty obviously a reaction to features that Netscape had announced.

We know how that story turned out: Netscape imploded under its unobtainable lofty goals and a reinvigorated Microsoft dominated the Web, with IE surpassing, then destroying Netscape's offerings for good. Several years have passed since this milestone moment in Microsoft history, but history is repeating itself again this year with Windows XP Service Pack 2 (SP2). This time, however, the challenge hasn't come from a competitor like Netscape. Instead, the challenge has come from the hacker community, which has branded Microsoft's products as insecure with the many massive security compromises these intruders have unleashed over the past year. For Microsoft, the timing is somewhat embarrassing because the software giant has spent the past 2 years telling its customers that the vaunted Trustworthy Computing initiative it had launched would set things right, from a security perspective. However, because Microsoft had indeed turned itself around internally, from a security perspective, it's uniquely positioned to deliver a more secure product in XP SP2 than the company originally envisioned. And that's exactly what the company decided to do.

However, increased security wasn't Microsoft's original goal for this service pack. In February, internal Microsoft documentation described a feature planned for XP SP2 called "concurrent sessions." This would have enabled XP Professional Edition systems with Fast User Switching (FUS) enabled (i.e., nondomain systems) to support two concurrent interactive users. The current XP version is limited to one interactive user at a time; this user can be sitting at the XP machine locally or connecting to it remotely through Remote Desktop Connection (RDC), Microsoft's desktop version of Windows Terminal Services. Under the original plan for XP SP2, XP Pro would have supported two users, one local and one remote. This capability would have accomplished two goals. First, it would further differentiate XP Pro from XP Home Edition (an ongoing concern in Redmond) and make the more expensive XP Pro more enticing to users. Second, this feature would make Smart Displays more functional; under the current scheme, when a user accesses his or her XP Pro desktop from a Smart Display, the local system is logged out. Microsoft CEO Steve Ballmer, responding to complaints about Smart Displays, had promised that the company would add concurrent sessions functionality to the product in the future; XP SP2 was one way to accomplish this goal.

But, as noted before, things change. First, Microsoft removed the concurrent sessions feature from XP SP2, deciding instead to add the functionality to a future Smart Displays update. (That update, incidentally, might never happen. I haven't confirmed this news yet, but apparently Microsoft is dropping the Smart Displays product line.) So a svelte new XP SP2, containing only bug fixes and security fixes, was scheduled for early fall 2003, about a year after Microsoft released XP SP1. The company sent out several XP SP2 betas to testers and, as you might expect from a service pack, testers had little to say: The updates worked fine and didn't appear to affect the stability or usability of the system.

Then summer 2003 came and Microsoft customers were hit by SoBig.F and MSBlaster, two virulent electronic attacks that crippled Windows installations across the globe. Looking suddenly like a deer in headlights, Microsoft's response to these attacks was muted at best. Feebly arguing that it had fixed the code that allowed the attacks weeks or months earlier, Microsoft seemed to be putting the blame on Windows administrators who weren't keeping their systems up-to-date. (For what it's worth, this was the stance I took in a somewhat infamous editorial.) But internally, the company was scrambling to right things, and the first prong of its response would be a reengineered XP SP2.

Changing SP2 that dramatically at such a late stage of the game would mean delays, and Microsoft quietly issued a new road map on its Web site that mentioned a second quarter 2004 date, about 9 months later than originally expected and more than a year and a half since the first XP service pack. But although XP SP2 would indeed add new features, to the chagrin of users who took Microsoft's legendary but oft-abused "no new features in service packs" promise at face value, few can complain about the steps the software giant is taking to secure Windows through this release. Indeed, thanks to a variety of safety technologies, the release of SP2 should significantly improve XP's security situation.

I've installed the XP SP2 beta on various XP installations and will provide you with a report next week about the new security features Microsoft is adding to this release. I'll also look quickly at Windows Server 2003 SP1, a similar update to the company's server line. Until then, Happy New Year, and thanks for reading!

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.