SP3 Adds NAP to XP

Other updates are minor

Executive Summary:

Windows XP Service Pack 3 (SP3) brings Network Access Protection support to XP machines. Other improvements are the inclusion of Wi-Fi Protected Access 2 (WPA2) and new versions of the Microsoft Kernel Mode Cryptographic Module, Microsoft Management Console (MMC), Remote Desktop Connection (RDC), and Background Intelligent Transfer Service (BITS). However, XP SP3's main virtue is combining the many patches since SP2 in one package.

If you do a clean installation of Windows XP SP2 today, when the installation is finished, you're presented with about 100 updates to download from the Windows Update site to bring your system up to date and make it as secure as possible. In my view, the time for a new service pack for XP has definitely come, although Microsoft seemed to waffle for a time about whether XP SP3 was necessary.

SP3 will be the last "big" update to XP; however, it's not as big as SP2 was. XP SP2 introduced Windows Firewall, the first advanced and usable firewall solution in Windows, and Security Center, one central point for securing the whole system. SP3's most notable enhancement is its support for Microsoft's Network Access Protection (NAP) endpoint hygiene solution. After SP3, XP will receive only security and other critical updates until the support lifecycle ends.

If you haven't yet moved all your clients to Windows Vista, and many haven't, SP3 is important to you. Installing SP3 on an XP SP2 machine will definitely take less time than downloading and installing all post-SP2 patches, and SP3 brings a few useful new features. There are no radical OS updates in SP3, so there will probably be no compatibility problems with existing software. Thus, you have good reason to install SP3 and little reason to wait. So, let’s look at the changes SP3 brings to XP.

Installation Options and Requirements
To install XP SP3, you must have at least SP1 already installed. Although SP3 is a cumulative update, installation on the release-to-manufacturing (RTM) version of XP isn't supported. You can download SP3 as a standalone installation package (approximately 330MB), or you can obtain it as an incremental upgrade from the Windows Update site. The latter option is recommended for users with SP2 installed because it will require significantly less time to download.

For a successful installation, SP3 will require around 1GB of free space on a system hard disk—550MB for unpacking itself (to C:\WINDOWS\ServicePackFiles\i386, by default) and 450MB for backup files. (SP3 replaces about 2,800 files on an XP SP2 system and backs them up to C:\WINDOWS\$NtServicePackUninstall$.) The installation procedure is pretty simple but time consuming. For business environments, the easiest way to distribute SP3 is to use Windows Server Update Services (WSUS).

Integrating SP3 into XP Installation Files
SP3 can be integrated, or slipstreamed, with your XP SP2 installation files. This technique is especially useful for companies that install XP on machines over the network because it lets you keep OS binaries up to date for deployment. Also, having SP3 integrated into your XP installation files is necessary if you want to add or remove Windows components after installing SP3.

To slipstream SP3 with XP, copy the installation files from your XP CD-ROM or network share to a folder on your hard drive (e.g., C:\winxpsp3) and unpack SP3 to another folder. On a command line, navigate to the folder that contains the unpacked SP3 files, go to the \i386\update subfolder, and type the command

update.exe /integrate:c:\winxpsp3

After the integration process has been completed, you'll have to copy the files in C:\winxpsp3 back to the network share or burn the files back to a CD-ROM and make that CD-ROM bootable. When you install XP from that network share or CD-ROM, the installation files for XP will have SP3 integrated. If you want to see all the available options and switches for update.exe, run the command

update.exe /?

More about slipstreaming can be found at "Slipstreaming Service Packs and Hotfixes" (http://www.windowsitpro.com/Article/ArticleID/26111/26111.html).

As of this writing, Microsoft hasn't said it will release XP with integrated SP3 through retail channels. However, it's possible that the company will make XP with SP3 available as a download package for MSDN and Technet subscribers and companies that have volume license agreements.

1,200 Fixes
XP SP3 contains more than 1,200 hotfixes, including more than 130 security fixes. Most of these 1,200 fixes aren't critical; they repair some minor or very specific bugs. SP3 is briefly described in the Microsoft article "Release notes for the Windows XP Service Pack 3 Release Candidate" (http://support.microsoft.com/kb/936929). During the SP3 beta, Microsoft provided the full list of fixes along with their corresponding KB articles, but as of this writing, SP3 is in the public release candidate (RC) 2 phase, and the list of fixes isn't available. Perhaps it will be again when SP3 is generally released.

No IE 7.0, WMP 11.0, or .NET 3.0/3.5
If you haven’t installed Microsoft Internet Explorer (IE) 7.0 on your XP SP2 systems, SP3 won't install it for you. Instead, if your machines are running IE 6.0, SP3 will update it to an SP3 version. Microsoft took this approach because of known compatibility problems between IE 7.0 and some applications. Similarly, Microsoft .NET Framework is not upgraded from version 2.0 to the newer 3.0 or 3.5 version, and Windows Media Player (WMP) isn't upgraded to version 11.0. Users can install the new versions before or after SP3 installation; SP3 won't interfere with them. Of course, for security reasons, you should install the newest versions of these applications as soon as possible.

NAP Support
SP3's most important new feature is that it makes XP computers Network Access Protection (NAP) capable. NAP is a security platform built into Windows Vista, Windows Server 2008, and now XP SP3 that allows you to protect network resources by enforcing clients' compliance with system health requirements. NAP can quarantine clients that don't meet security policies (e.g., clients that aren't up-to-date with the latest patches) until they're compliant. You can find more information about NAP in the Windows IT Pro article "Network Access Protection in Windows Server 2008" at http://www.windowsitpro.com/Article/ArticleID/95617/95617.html.

XP SP3 installs the NAP Agent service, which enables the computer to declare its state of health to the NAP Network Policy server. If you want the NAP Agent service to start automatically when the XP system does, you'll need to configure the startup type to Automatic on that system. XP SP3 lacks Vista's console for administering NAP enforcement agents, so if you want to enable or disable some NAP enforcement agents, you'll have to use the NAP context in Netsh. For example, if you want to enable the DHCP NAP enforcement agent, type the command

Netsh nap client set enforcement ID=79617

Use the same syntax, replacing "ENABLE" with "DISABLE," to disable the NAP enforcement agent. To see the IDs for all the XP SP3 enforcement agents, type

Netsh nap client show configuration

XP SP3 has the same NAP enforcement agents as Windows Vista. After you start the NAP Agent service and enable the proper enforcement agents, your XP SP3 system is ready for NAP.

WPA2 Support
In XP SP2, wireless network security is limited to using Wi-Fi Protected Access (WPA). SP3 has support for WPA2, which uses an Advanced Encryption Standard (AES)-based algorithm rather than WPA’s RC4. WPA2 is recommended for optimal security, but not all Access Points (APs) and client hardware support it. WPA2 was available as a standalone update to XP SP2 prior to SP3's release. To use WPA2, just select it from the options offered by the wizard when you create a new wireless connection.

New Kernel Mode Cryptographic Module
Microsoft Kernel Mode Cryptographic Module is a software module residing at the kernel-mode level of the Windows OS. It runs as a kernel-mode driver (or DLL), encapsulating several cryptographic algorithms in one module easily accessible by other kernel-mode drivers. A new standard for cryptography (FIPS 140-2) has been adopted since XP SP2 was released, so Microsoft updated the Kernel Mode Cryptographic Module in XP SP3 to comply with the new standard. XP SP2's crypto module is certified for the FIPS 140-1 standard. XP SP3's crypto module includes the implementation of the Secure Hash Algorithm-2 (SHA-2) family of hashing algorithms (SHA-224, SHA-256, SHA-384, and SHA-512) and support for the same in X.509 certificate validation.

No Product Key During Setup
Like Vista, XP with integrated SP3 will let you install the OS without entering the product key during setup. After the setup is finished, you'll be reminded and required to enter the key to activate Windows. This change greatly simplifies the evaluation or short-term usage of XP for end users.

MMC 3.0
Microsoft Management Console (MMC) 3.0 is a new functionality of XP SP3 (and is available as a separate download). MMC 3.0 updates the framework that unifies and simplifies system management tasks on Windows by providing common navigation, menus, toolbars, and workflow for diverse tools. Having MMC 3.0 on an XP machine will let you install management consoles for some new Microsoft server products, such as Windows Server 2008 and Microsoft Exchange Server 2007.

Black Hole Router Detection Improvements
XP SP3 includes improvements to XP's black hole router detection feature and turns it on by default. Black hole routers might dump packets that are trying to traverse a path to a server if the packets are above a certain size. Black hole router detection senses when large TCP segments are being retransmitted and automatically adjusts the Path Maximum Transmission Unit for the connection, rather than relying on the receipt of Internet Control Message Protocol (ICMP) “Destination Unreachable-Fragmentation Needed” messages. In XP SP2, you had to manually enable this feature by editing the registry. The default detection in SP3 will definitely improve the reliability of XP's network connections.

New RDP Client
Remote Desktop Connection (RDC), the RDP client software, is updated to version 6.1 in XP SP3. This update will let you use some advanced technologies from Windows Server 2008, such as Terminal Services (TS) Gateway and TS RemoteApp. You can learn more about TS Gateway in "Terminal Services Gateway in Windows Server 2008" at http://www.securityprovip.com/Article/ArticleID/97209/97209.html. TS RemoteApp is a feature that lets you install and use terminal applications in the same way and with the same user experience as local applications. For more information, see "Windows Server 2008’s RemoteApp," coming April 17 at http://www.securityprovip.com/Article/ArticleID/98358. Also, RDC 6.1 is more secure than previous versions because it supports enhanced authentication methods. Figure 1 shows the RDC Advanced tab, which lets you make your authentication choice and use TS Gateway.

PNRP Support
Peer Name Resolution Protocol (PNRP) support, also part of SP3, lets users communicate with other hosts on a network that are using PNRP. The protocol is used in peer-to-peer, or serverless, environments, to overcome the name resolution problems in such scenarios. Before using peer-to-peer support, you have to add it in the Add/Remove Windows Components wizard. PNRP is located in the Networking Services group in the wizard. PNRP support, called the Windows XP Peer-to-Peer Networking Component, is part of the Advanced Networking Pack for Windows XP, which you can download from "Overview of the Advanced Networking Pack for Windows XP" (http://support.microsoft.com/?kbid=817778).

BITS 2.5
Background Intelligent Transfer Service (BITS) is updated to version 2.5 in SP3. The new BITS version improves the security of this very important service by adding support for certificate-based client authentication to help secure HTTP transports and support for IP version 6 (IPv6). The purpose of BITS is to use spare bandwidth to download files. It suspends download sessions when a user needs more bandwidth. The service can maintain file transfers through network disconnections and computer restarts. Many applications and services such as Windows Update and Windows Live OneCare use BITS.

As you can see, SP3 doesn't bring major system updates to XP like SP2 did a few years ago. However, there are reasons to consider SP3 a required update, even if you aren't interested in any of the new features. SP3 will make your system more secure because it fixes all the vulnerabilities detected since the SP1 version. Also several Web news stories reported in November 2007 that a test conducted by Devil Mountain Software showed that XP SP3 RC1 ran about 10 percent faster than XP SP2. (In your favorite Web search engine, search for "Windows XP performance" to read the reports.) Microsoft doesn't claim that SP3 improves system performance, but my testing suggests that SP3 might be a little faster than SP2. XP SP3 might slow migration to Vista a little, especially in businesses because most of the new features are oriented to business users. We can hope that home users will install SP3 for the security fixes, but they won't benefit much from new functionality in SP3—for new features, they'll have to look to Vista or Vista SP1.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.