Microsoft's Windows XP SP2

Despite negative press and a few weak spots, SP2 enhances functionality.

October 8, 2004


The download is 232 MB (compressed) if you get it from the SP2 support center for IT professionals; the actual install is more than 400 MB. You'll need about 1 GB of disk space to install it from the download, and about 1.5 GB from the CD.

Microsoft lists programs that suffer from known compatibility problems when SP2 is installed (see support.microsoft.com/default.aspx?kbid=884130). Not many of these programs are important to enterprises, and most of the problems are minor. And despite SP2's incompatibilities with security programs, such as Computer Associates' eTrust, Internet Security Systems' BlackIce, Symantec's Norton AntiVirus and Zone Labs' ZoneAlarm, the damage can be minimized. CA, for example, makes remediation procedures available at esupport.ca.com. Microsoft offers information about enterprise deployment at its site.

What's New

• Windows Firewall It's not as robust as commercial firewalls, but it may come in handy if you don't have a corporate standard for desktop firewalls. SP2 adds a user-accessible control panel for Windows Firewall. From here, you can turn the firewall on or off, make a list of apps that allow incoming connections, configure settings for individual network connections, set up logging, allow ICMP access and restore the system to its default state. It's rudimentary but offers more protection than most desktops carry.

Like CA, many application vendors are building pages to help you configure settings so their apps will work with SP2. Windows Firewall configuration will cause most end users headaches--they aren't accustomed to worrying about access rights to ports--so it's our job to come up with ways to make the extra protection invisible to them. Microsoft has provided some tools to accomplish this task (see support.microsoft.com/default.aspx?kbid=875357). In a domain environment, the firewall can be managed centrally through Group Policy settings.

• Bluetooth Support It's funny how most of the sites that talk about SP2 don't mention Bluetooth, yet this is the first time Microsoft has built support for it into its OS. This may not be big news to some, but if you've been using stopgap measures for years, this is a nice feature.

Updated Features

• Remote Access Remote access to machines is part of systems administration, but the default settings in SP2 shut off remote access. This makes sense: Many exploits attempt to use the same subsystems remote management uses. But if you want remote access to management functionality, you must turn on remote admin by typing the following at the command prompt: netsh firewall set portopening TCP 445 ENABLE. This is unlikely to be an issue for home users, and you can script it for the enterprise, so the fact that it's a command line shouldn't be a problem.
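
A scripted form of the remote-admin opening described above, as an added example that is not from the article or from Microsoft. It limits TCP 445 to a management subnet and turns on logging of dropped packets; the subnet (a documentation range) and the rule name are assumed placeholders.

```batch
@echo off
rem Added example, not from the article or from Microsoft.
rem MGMT_NET and RULE_NAME are assumed placeholder values; replace with your own.
setlocal
set MGMT_NET=192.0.2.0/24
set RULE_NAME=Remote Admin SMB

rem Open TCP 445 only to the management subnet rather than to every source.
netsh firewall set portopening protocol=TCP port=445 name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%MGMT_NET%

rem Log dropped packets so blocked attempts from other sources are visible.
netsh firewall set logging droppedpackets=ENABLE

rem Verify: findstr sets ERRORLEVEL 1 when the rule name is not listed.
netsh firewall show portopening | findstr /C:"%RULE_NAME%" >nul
if errorlevel 1 (
    echo FAILED: "%RULE_NAME%" not present in port openings
    exit /b 1
)
echo OK: TCP 445 open to %MGMT_NET% only
endlocal
```

Run it from a logon or startup script with administrative rights; in a domain, the same restriction can be applied through the Group Policy firewall settings instead.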

• Centralized COM Access Control All versions of COM (Component Object Model) have been a pain in our rears from the start. Each successive version added layers of security and a wider world to worry about: OLE (Object Linking and Embedding) and COM were focused on the machine, then DCOM (Distributed COM) was focused on the machine and the server, then COM+ was focused on the machine, the server and MTS (Microsoft Transaction Server)--each with more rules about access rights and a more difficult configuration.

Microsoft now offers us a place to manage COM rights centrally and systemwide. Implemented as a security measure, this access control will stop you by default from making DCOM calls that do not require the user to be authenticated. The steps to work around this issue are complex but are explained in the Enterprise Deployment document.

• TCP/IP There are several changes to TCP/IP that stop known attacks involving raw sockets and unterminated connections. Known routes that hackers use to disrupt systems through compromised systems have been eliminated--these generally are not used by valid apps, so you should see no difference based on the TCP changes. If you have an app that opens random ports or attempts to access random machines on the network, look for alternatives.

• RPC Microsoft introduced a new registry key that lets application developers stop remote clients from opening RPC connections to your machine. But it does nothing without the support of vendors implementing RPC (remote procedure call) interfaces. Note that most vendors handle RPC rights without this new key, so it's unclear how much added security this key offers.

Good

• Enhances XP security
• Supports Bluetooth
• Comprehensive wireless networking support
• Firewall protection

Bad

• Documented app problems
• Scattered reports of BSOD after installation
• Limited third-party firewall support

Windows XP Service Pack 2 With Advanced Security Technologies, free. Microsoft Corp. www.microsoft.com/support

• Basic Authentication Clear Text Authentication is just asking for trouble--any user with a network analyzer can capture passwords sent in clear text. Microsoft addresses this shortcoming by disabling clear-text passwords in WebDAV and WinInet by default. You get the registry keys to turn basic authentication on, but I wouldn't recommend this unless it's necessary.

• Windows Media Player SP2 automatically installs Windows Media Player 9.0. There is no new security code; it is just a rollup of previous bug fixes. Make sure it works as expected in your environment before allowing it.

• Windows Messenger Microsoft blocks unsafe file transfers in Messenger much the same way it does in Outlook. In addition, you must make an exception for Windows Messenger in the Windows Firewall settings.

• Wireless Services Microsoft added enhanced security for logging into wireless networks and new dialogs for configuring wireless network services. The dialogs are a nice touch, but preprovisioning and added authentication require work on the part of app developers and IT staff, so they are unlikely to show benefits early on.

Bottom Line

SP2's benefits make it worth implementing, but IT shops must take care. There are enough compatibility problems that if you implement SP2 without testing it first, you deserve those long hours you'll spend recovering from the mess.

Don MacVittie is a technology editor at Network Computing. Previously, he worked at WPS Resources as an application engineer. Write to him at [email protected].
