Here’s why SP2 is such an important update for Windows XP
There’s a lot of information elsewhere on Microsoft.com, highlighting the business benefits of Windows XP, the consumer benefits of SP2, the important security enhancements it contains, and so on. But what seemed to be missing was an article written from the perspective of the IT pro, on what admins and, well, “non-casual” users should expect from this super-size (266 MB!) update. This article looks at the changes in Windows XP SP2 that affect IT pros, and why we think you will find it a worthwhile update. This service pack has an impact on everything from web browsing to wireless networking. But make no mistake: Windows XP SP2 is, first and foremost, about helping you stay secure. So let’s start there.
1. You’ve probably heard the marketing message: “Service Pack 2 for Windows XP delivers proactive protection against malicious code by blocking exploits at the point of entry as opposed to simply focusing on patching known vulnerabilities.” For the technically inclined, this means that Windows XP SP2 recompiles many core system binaries with a new GS flag that helps mitigate buffer overruns. This, in fact, is the main reason the service pack is so big, and the newly compiled code optimizes performance in many instances as well. Windows XP SP2 also introduces, for the first time, support for the NX (“no-execute”) flag which, with a supported CPU (currently AMD's K8 and Intel Itanium), provides enhanced protection against memory-based attacks by preventing code that has been injected via a buffer overrun onto a data page from executing.
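To make the GS mechanism concrete, here is an added C simulation of the stack-cookie check (it is not code from the article or from Microsoft's compiler): the cookie value, the return address and the long input are constructed stand-ins, the "frame" is a plain struct so the overrun stays within one object, and the unchecked copy is shown beside the bounded copy that removes the defect rather than merely detecting it.

```c
/* Added illustration of the /GS stack-cookie check; not code from the article.
 * The compiler places a cookie between local buffers and the saved return
 * address and verifies it before returning. Here the frame is a plain struct,
 * so the overrun stays inside one object and the behaviour is well defined. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Stand-in for the per-process cookie (constructed constant; the real
 * __security_cookie is randomised when the module loads). */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Simulated frame layout: [local buffer][cookie][saved return address] */
typedef struct {
    char     buf[BUF_SIZE];
    uint32_t cookie;
    uint32_t saved_ret;
} frame_t;

enum copy_result { COPY_OK = 0, COPY_COOKIE_CORRUPT = 1 };

static void prologue(frame_t *fr)
{
    fr->cookie = security_cookie;   /* /GS prologue: store the cookie */
    fr->saved_ret = 0x00401000u;    /* constructed return address */
}

/* Classic defect: copies src into a fixed buffer with no length check, then
 * runs the /GS epilogue check. A long input overwrites the cookie, and the
 * check reports it instead of silently returning to a corrupted address. */
int copy_into_frame_unchecked(const char *src, frame_t *fr)
{
    size_t n = strlen(src) + 1;                 /* strcpy copies the NUL too */
    prologue(fr);
    if (n > sizeof(*fr)) n = sizeof(*fr);       /* keep the simulation in bounds */
    memcpy((unsigned char *)fr, src, n);        /* may spill past buf */
    return fr->cookie == security_cookie ? COPY_OK : COPY_COOKIE_CORRUPT;
}

/* The fix the cookie does not replace: bound the copy to the buffer. /GS is a
 * detection mechanism; correct length handling removes the overrun itself. */
int copy_into_frame_checked(const char *src, frame_t *fr)
{
    prologue(fr);
    strncpy(fr->buf, src, BUF_SIZE - 1);
    fr->buf[BUF_SIZE - 1] = '\0';               /* always NUL-terminate */
    return fr->cookie == security_cookie ? COPY_OK : COPY_COOKIE_CORRUPT;
}

int main(void)
{
    frame_t fr;
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAA";   /* 23 bytes, constructed */
    printf("unchecked copy of long input: %d\n", copy_into_frame_unchecked(long_input, &fr));
    printf("bounded copy of long input:   %d\n", copy_into_frame_checked(long_input, &fr));
    return 0;
}
```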
There’s proactive protection aimed at users of more mainstream CPUs, too: Windows XP SP2 gets you all the bits for SP1, as well as all security bulletin updates through MS04-25. The overall attack surface area is significantly reduced, with changes to core Windows components such as DCOM and RPC.
Outlook Express, Internet Explorer and Windows Messenger have all been updated with the ability to identify and isolate malicious file attachments as they are being opened.
And, as discussed in more detail below, pop-up blocking is now available, providing further protection against this form of annoying and occasionally malicious intrusion.
2. Compatibility. Every IT pro knows it: there always seem to be a few unforeseen compatibility issues when service packs are deployed. There’s already been wide trade-press coverage of compatibility issues discovered—embarrassingly, rather late in the beta process—with Microsoft’s own CRM software and the popular Halo game. Fortunately, these issues have already been resolved (see the products’ respective websites), as have a few other snags with third-party firewalls and other tools. But the lesson remains: IT pros need to be cautious and methodical when rolling out this, or any new software update. Fortunately, we’ve put together a terrific library of documentation, Knowledge Base articles and deployment guides to help you roll out Windows XP SP2 efficiently. Be sure to check out the IT Pro Portal on TechNet, where these guides will help you get started.
The good news is: this service pack has already been tested by literally hundreds of thousands of beta testers, in a vast array of hardware and software environments, and the feedback and fixes incorporated into the final release. Indeed, many of the very best programmers at Microsoft were pulled off other projects to give Windows XP SP2 the quality and polish it deserves. Sure, it was delayed a few times. It’s no secret that recent rounds of worms and network-borne attacks made this a top priority for the company and, as a result, Windows XP SP2 evolved into a much more security-centric update than was originally planned.
As you might know, Microsoft has been encouraging its employees and partners to use the beta releases of Windows XP SP2 since the earliest release candidates became available. The TechNet team has been tracking user feedback about Windows XP SP2 for months and we have seen remarkably few issues. You should still carefully test your mission-critical systems before rolling out Windows XP SP2 across your enterprise, but the feedback we’ve received about the last few release candidates has been incredibly encouraging.
3. Windows XP Service Pack 2 provides improved manageability of security settings with 609 new Active Directory Group Policy Objects specific to security configuration.
Run gpedit.msc and you’ll find some interesting new entries in the list of Administrative Templates, including a whole new category of “Attachment Manager” entries allowing admins to control, for example, the default risk level for file attachments, the inclusion list for high-risk file types, and so on. You can also elect to “notify antivirus programs when opening attachments,” using these new SP2-specific entries.
4. There’s more and better security information for users, so that when faced with a trust decision, the user is more likely to take an action that preserves his or her privacy and security.
Windows XP SP2 significantly changes the default behavior of Web pages with ActiveX scripts and other executable code to advise the user of possible risks.
In addition to the obvious-to-some basics, such as information on recommended security essentials (in short: use a firewall, install critical updates, and keep antivirus software up to date), the new Security Center Control Panel explains less obvious details, such as why—and, in brief, how—security settings on corporate computers are managed by a network administrator when the computer is part of a domain.
Incidentally, the red “alert” shield that appears by default in the system tray when an unrecognized anti-virus package is used, automatic updates are disabled or the firewall is turned off, can be reconfigured or disabled, if you wish. Here's how: Go into the "Security Center" under the Control Panel. There, you’ll find a link on the left under "Resources" that says "Change the way Security Center alerts me." Uncheck the appropriate alert type. This feature, too, can be controlled or access to it disabled via Group Policy.
5. The new Windows Firewall is on by default and enabled even before the network starts up, as Windows XP SP2 boots. It’s another important security feature that gains even more functionality in the domain environment, where firewall profiles for mobile scenarios can be configured using Group Policy—a feature of Windows 2000 Server and Windows Server 2003 that is built on Active Directory—to accommodate dual configuration profiles on systems that are members of a domain. For enterprise users of notebooks or Tablet PCs, this is incredibly useful.
With that said, there are still some reasons you might want a more full-featured firewall: almost no outbound traffic checking is performed, and all machines on the local subnet are trusted. But if you know anything about firewalls, you’ll also know that these very limitations make users much less likely to want to turn off the firewall or, worse, go running to the Helpdesk for support. In short, the new firewall is advanced enough to easily allow you to custom-configure open ports for UDP traffic, instant messaging and the like, but secure enough (and turned on by default) to block common attack vectors.
In our tests, the Windows XP SP2 Firewall passed the Shields Up test at GRC.com with a perfect “TruStealth” rating. Not a single packet – solicited or otherwise – was received from TechNet’s Windows XP SP2-updated test system as a result of GRC’s security probing tests. See GRC for details on how these tests work and what these results mean. From the standpoint of the hacker, the machine looks like it does not even exist on the Internet. In short, passing this test is a very good thing.
And yes, you can use a third-party firewall if you’d rather, although there are some known issues with a few third-party firewalls not being recognized by the Windows Security Center if they are used in place of the new Windows Firewall. Even when it’s not recognized by the Security Center, most third-party firewalls will work as they should.
By supporting the new Security Center APIs in Windows XP SP2, security software vendors can make their products work even more seamlessly with the Security Center’s management interface. It’s also worth mentioning that it’s possible to centrally configure Windows Firewall on all the workstations on your network, to customize the operational mode and exception list entries.
See the Windows Firewall articles on our IT Pro Portal page to learn more about this powerful new feature and how to modify its settings before or after installation.
6. Automatic blocking of internet pop-ups. Pop-ups are more than a nuisance; they are another common attack vector and the pop-up blocking capabilities of SP2 are important to maintain the security that is expected of Microsoft products. The new Pop-up Manager feature in the Windows XP Service Pack 2 release of Internet Explorer is turned off by default, but it’s a feature most users will probably want to enable. Here’s how:
Enabling Pop-up Manager
You can enable Pop-up Manager by three different methods.
Prompt at first occurrence. A prompt appears before the first pop-up window appears that asks the user to enable Pop-up Manager.
Tools menu. In Internet Explorer, you can click Tools, point to Pop-up Manager, and then click Block Pop-up Windows.
Internet Options. In Internet Explorer, on the Tools menu, click Internet Options, click the Privacy tab, and then click Block pop-up windows. You can then click Options to configure Pop-up Manager settings.
When a pop-up window is blocked
If a site opens a pop-up window that is blocked by Internet Explorer, a notification appears in the status bar and a sound is played. If you click the notification in the status bar, you see a menu with the following options:
Show Blocked Pop-up Window. Reloads the pop-up window.
Allow Pop-up Windows from This Site. Adds the current site to the Allow list.
Block Pop-up Windows. Toggles Pop-up Manager on and off.
Pop-up Window Options. Opens the Pop-up Window Management window.
Internet Explorer provides advanced configuration of Pop-up Manager settings.
Website Allow List
You can add sites to the Allow list. Any site on the Allow list can open pop-up windows.
Block All Pop-up Windows
Pop-up Manager allows sites to open a pop-up window when the user clicks a link. This setting changes that behavior by blocking windows that are opened from a link. If this setting is enabled, you can allow pop-up windows to open by pressing ALT at the same time that you click the link.
You can toggle whether or not Pop-up Manager plays a sound when a pop-up is blocked through the Advanced settings in Internet Options. You can also change the sound that plays. To do this, click Start, click Control Panel, and then double-click the Sounds and Audio Devices icon.
Users can expand the scope of Pop-up Manager to include the Local Intranet or Trusted Sites zones in the Security tab of Internet Options.
When pop-up blocking functionality is enabled, automatic and background pop-up windows are blocked, but windows that are opened by a user click will still open in the usual manner. Note that sites in the Trusted Sites and Local Intranet zones never have their pop-up windows blocked, as they are considered safe. This can be configured in the Security tab in Internet Options.
When will users see pop-up windows while Pop-up Manager is enabled?
Users will still see pop-up windows opened in the following cases:
The pop-up is opened by a link which the user clicked.
The pop-up is opened by software that is running on the computer.
The pop-up is opened by ActiveX controls that are instantiated from a website.
The pop-up is opened from the Trusted Sites or Local Intranet zones.
Why is this change important?
Pop-ups have been misused in many ways. By blocking pop-ups, the Web is safer for users, and the user has more control over his or her browsing experience.
7. Windows XP SP2 provides enhanced protection against spoofing and phishing attacks with changes to Internet Explorer. A more secure IE infrastructure includes changes to object caching, binary behaviors, MIME handling, zone elevation, etc. When you’ve installed Windows XP SP2, you’re protected against critical vulnerabilities described in critical update bulletins through MS04-25, updated Aug. 1, 2004. IE includes a new locked-down Local Machine security zone to help prevent malicious scripts and other dangerous Web downloads from compromising the system. Oh, and by the way: the Windows Messenger Service (you know, the network administration tool that has been exploited by spammers) is switched off by default.
There are restrictions on the size and position of pop-up windows in IE, regardless of the Pop-up Manager setting: Pop-up windows cannot be opened larger than or outside the viewable desktop area. You can also centrally manage IE add-ons, to enable or disable browser extensions, browser helper objects and ActiveX controls using an easy graphical interface. Most of us would agree, that’s A Good Thing.
IE’s companion e-mail program, Outlook Express, gains more secure default settings, too. It now blocks potentially unsafe documents by default, and doesn’t download images in HTML e-mail by default. (Many spammers use mail-borne images to track whether you’ve opened their junk mail.)
8. It’s easier to keep Windows up to date. There have been significant improvements to the Automatic Updates service and Background Intelligent Transfer Service (BITS) as used by the Windows Update Web site. These services are designed to minimize impact to the user’s computing experience. Automatic Updates can automatically keep a machine up to date with security updates, while BITS enables background downloading of the updates to minimize bandwidth impact on other Internet activities. A couple of examples of how the Windows Update Web site takes advantage of these services are to leverage the download that Automatic Updates has already started/completed and to resume a download after an Internet connection was dropped.
Windows Update uses a secure connection over the Internet: it sends data about the computer and receives information about which updates are applicable to the computer over HTTPS. Further, these services do not expose remotable interfaces, nor do they listen on any ports.
9. Easier wireless configuration. In versions of Windows XP prior to SP2, the wireless configuration dialog boxes only displayed the name of the network and whether it was an infrastructure mode or ad hoc mode network. Now, the configuration details are more discoverable, and easier to manage.
However, some users moving directly from the original release of Windows XP might be disoriented by the many changes made in the wireless configuration panels since that release. For example, in Windows XP with Service Pack 2 (and Windows XP with Service Pack 1), the Authentication tab has been moved to the properties of a wireless network. To access it, do the following:
Obtain properties of your wireless connection in the Network Connections folder.
Click the Wireless Networks tab.
Click your wireless network name under Preferred networks, and then click Properties.
In the Wireless network properties dialog box, click Authentication.
See http://www.microsoft.com/technet/community/columns/cableguy/cg0804.mspx for more information on Wireless LAN Enhancements in Windows XP Service Pack 2.
More new technologies
10. We haven’t touched upon many of the service pack’s other components, including support for new technologies such as DirectX 9.0c, Bluetooth, Media Player 9, etc. See the Windows XP section at http://www.microsoft.com/windowsxp/sp2/ for more about these features. One point IT pros may find interesting: the 266 MB (network installer) version of SP2 contains all the bits necessary to update the OS on a Tablet PC to the Tablet PC 2005 release code-named “Lonestar.” This release is compatible with Windows-based desktops, portables, tablets and Windows Media Center PCs.
How to Get SP2
The 266 MB network installer is available for download from the TechNet IT Pro portal at http://www.microsoft.com/technet/winxpsp2/
A CD will be freely available upon request, via an order page that will be available soon.
Finally, Microsoft strongly recommends that you do not download Windows XP SP2 from non-Microsoft sources, mirror sites, BitTorrents or peer-to-peer networks. Microsoft’s license agreement does not allow third-party sites to legally distribute this copyrighted code. The Microsoft Download Center site (http://www.microsoft.com/downloads) is your only authorized web source for downloading a licensed copy of Windows XP Service Pack 2. To report a website offering unlicensed copies of Windows XP SP2 for download, please send e-mail to: firstname.lastname@example.org or visit http://www.microsoft.com/piracy/ReportingUs.mspx.
All versions of the Windows XP SP2 code distributed through Microsoft’s site beginning Aug 9 have a genuine Microsoft digital signature that you can verify by right-clicking and viewing properties. The MD5 checksum of the file named WindowsXP-KB835935-SP2-ENU.exe is 59a98f181fe383907e520a391d75b5a7. A network-install version released to MSDN subscribers between August 6–8 did not include this certificate and yields a different MD5 checksum; however, to ensure you have the latest release, we recommend checking for the presence of a valid certificate before installing any network-installable version.