For Businesses, It's Slow Going With Windows XP's SP2
Despite the promise that Microsoft's Windows XP Service Pack 2 release will make PCs more secure, many businesses haven't even begun deploying it.
September 17, 2004
Despite the promise that Microsoft's Windows XP Service Pack 2 release will make PCs more secure, many businesses haven't even begun deploying it. One analyst warns that if companies don't pick up the pace of SP2 rollouts, they could face financial exposure if their computers are compromised without it.
Microsoft made SP2 available to business customers via download on Aug. 9, and by the end of the month, company officials said more than 1 million copies of the superpatch had been downloaded by businesses and many more by consumers. But it appears that many of those copies of SP2 are still running in test environments, as IT professionals check its compatibility with their applications and infrastructure software. "The patch is being applied very slowly," says Rob Enderle, principal analyst with the Enderle Group. "It's a large, complicated patch."
It could be six months before Harris Corp. begins to install SP2 on 5,000 Windows XP PCs and another three months for the process to be completed, says Richard Plane, the company's chief technologist for information services. In testing, Harris has run into "significant issues with applications compatibility," he says. The company's IT staff has identified 14 of its applications that don't work with SP2, including several of Microsoft's own applications. "Although it's deemed a critical patch, we can't idle our business to do it," Plane says.
Harris' Windows XP laptops and PCs already run on Microsoft's earlier Service Pack 1. As long as Microsoft continues to provide fixes to SP1, Plane says, the company's Windows XP computers should be in good shape. Like many other companies, Harris has thousands of desktop computers that run earlier versions of Windows, for which SP2 isn't an option at all.
Steve Wierenga, VP of IT with Ajacs Die Sales Corp., has installed SP2 on two home computers, but he's putting off the upgrade on his company's two dozen PCs until a few more pieces are in place. "Home users have a different experience than enterprise users," Wierenga says. "At home, they should see the firewall and antivirus [functions], because they're the administrator of their own computer. In a corporate environment, that's the job of the system administrator."Within the next couple of weeks, Wierenga intends to replace a Novell NetWare server with Windows Server 2003, which he expects will provide "more intuitive" administration for the Windows XP clients. In addition, he needs to download and test the latest version of Symantec Corp.'s antivirus software for SP2 compatibility. To be sure there's no lingering spyware or Novell code on the PCs, Wierenga may just wipe them clean and reinstall the software, including SP2. He's targeting the first week of October for the upgrade and budgeting two hours per computer to do it. "I don't know if it's headache level yet, but it's getting there," he says.
It's those kinds of complexities that are slowing companies down. Firewall vendor Zone Labs has seen "very quick" adoption of SP2 among its consumer base, but much slower uptake among its 1,600 midsize- and large-business customers, says VP of marketing Frederick Felman. "I don't know of a single customer who has made a wide-scale SP2 deployment," Felman says.
Yet, some companies are finding ways to do it. Darryl Nitke, CIO of Cosa Instruments Corp., last week oversaw an SP2 upgrade on the 60 PCs at his company. "I was very reluctant to do it because of what I had heard, but when we did it on a test machine, it didn't have any problems, so we rolled it out to the entire company," he says. "The paranoia was unwarranted."
A small distributor of process and control equipment, Cosa Instruments uses Microsoft's Office, CRM, and Great Plains applications, Symantec's antivirus software, and applications from Autodesk and Adobe Systems. Nitke downloaded SP2-related patches for Microsoft's CRM and Symantec's antivirus applications and distributed them to the desktops. Then he installed SP2 on a Windows file server and E-mailed instructions to the company's employees on how to install SP2 themselves. Because of its size, Nitke knew it would take up to 40 minutes for users to download the patch, so he instructed them to begin the process before lunch, then reboot when they returned.
The plan went without a hitch. Within two days, all 60 PCs had been updated, no applications broke, and the help desk phone remained mostly quiet. The only sign of trouble came when Internet Explorer failed to interact properly with several Web sites, including a site that one of Cosa Instruments' founders was trying to view. Nitke says those glitches were resolved quickly. "I was pleasantly surprised," he says.But analysts say it could be three to six months or longer before most IT departments are ready to complete their SP2 upgrades, given the preparation involved and scope of the work. "It's going to be difficult for companies to get through the process before year's end," Enderle says.
There's risk in taking too long, and not just from viruses and worms. Pointing to a report on PC management best practices issued last year by the Institute of Internal Auditors Research Foundation, Enderle says insurance companies and government regulators could hold businesses accountable for security breaches caused by a failure to protect their computer systems. "I'm convinced firms are not taking this as seriously as they should," he says. "You absolutely have to patch these systems very quickly."
Gartner analyst Michael Silver says many businesses have taken a cautious approach to SP2, but that "the time for foot dragging is just about over." After months of testing by independent software companies, Silver says, it's not only safe for businesses to begin their own SP2 assessments, but advisable. "If you haven't started testing yet," he adds, "you better get at it."
You May Also Like