First Look At Windows XP Service Pack 2

InformationWeek's Security Pipeline obtained access to the first widespread beta of Microsoft's forthcoming Windows XP Service Pack 2 (SP2) during the holidays. Microsoft has said that this beta represents a subset of what will be released when the software is finalized sometime during the first half of the year.

We tried the software on a couple of test machines and found it to be very reliable during a couple of days' use. It is not recommended that you install this beta in a production environment, however.

Unlike many Windows service packs, this one adds new functionality. There are four main areas where Microsoft has made user interface changes:

Full Automatic Updates
With the beta of Windows XP SP2, Microsoft appears to be shaking a finger at users because they tend not to turn on Automatic Updates--or limit its ability to do its job by not allowing updates to be installed automatically. The first screen you see after installing SP2 and rebooting is a blue warning page that asks you to turn on Automatic Updates. You have two choices:

• Yes, help me protect my PC by automatically downloading and installing updates (strongly recommended)

• Ask me again later

The properties screen that controls Automatic Updates settings has been changed. There are now four radio-button options (it's really the same number of options presented differently), and the first is the most automatic, the same one that Microsoft calls "strongly recommended." By default, it automatically downloads and installs patches at 3 a.m. every day. This time may be a mistake. Many people turn off their computers at night (both employees and home users). We haven't tested the point, but the default time may prevent patches from being installed automatically on many PCs. A better default time might be 12:30 p.m., with a dialog that pops up and waits for 10 minutes, asking you what time of day is best for you.

In general, the changes to Automatic Updates are a good idea. Some businesses may not want Automatic Updates to be quite so automatic, but on most consumer desktops, this is the correct setting.

Workable Windows Firewall

What used to be called Internet Connection Firewall (and is still called that in build 2055 of the product tested for this story) has been upgraded and rechristened "Windows Firewall." There are several minor changes, but the biggest and best changes are that, according to Microsoft, XP's firewall will work much better with applications. In part, that's delivered by the new default On setting that's something like a medium level of protection. There's also an "On with no exceptions" setting that provides a high security level.

The feature we like best is Windows Firewall's properties new Network Connections tab, which automatically detects network connections that you can opt to disable firewall protection for--an excellent feature for LANs and wireless networking. Most software firewalls, including ZoneAlarm, offer some semblance of this feature. Without it, Internet Connection Firewall was nearly impossible to use in more complex networking environments. It's still not ideal in a business setting, but in our tests its default configuration stayed out of the way for the most part. And that's a good thing because Microsoft intends to turn Windows Firewall on by default.

As will likely be the case with Automatic Updates, some IT managers are bound to be concerned that a software firewall will be turned on by default in Windows XP SP2. While it's easy to turn off, and presumably turning it off by default using enterprise Windows installation tools will be a very simple thing, it could be a mixed blessing. Although this requires Windows servers, Microsoft has said that central administration of Windows Firewall will be available through Active Directory Group Policy.

Easier Wireless Networking?

Microsoft has added a unified wireless networking client whose main focus appears to be providing standard client services for third-party wireless hot-spots without having to install proprietary software. Microsoft is basing this enhanced wireless-hot-spot functionality on Wireless Provisioning Services. We weren't able to test the workings for this review, but one of the aspects clearly present in the revamped wireless-networking-related property sheetings and settings pages is the notion of automatic connection to wireless networks.

The new Choose A Wireless Network dialog replaces the functionality of property sheets in the original Windows XP. Our initial tests of this dialog found it not to be functional. After a lot of contact with Microsoft on this point, it turned out that something was wrong with the XP machine we were testing this feature with. A clean install of Windows XP and reinstallation of the SP2 beta did the trick.

Microsoft has also tweaked the wireless-networking settings screens in positive ways, but we still found some areas that we think need improvement:

• You may not be aware of this, but it's possible to make a small icon appear in the system tray, or "notification area" (the icon area next to the clock), for each network to which your system is connected. To turn this on, open the Network Connections Control Panel, then right-click each network connection in turn and put a check in the box beside "Show icon in notification area when connected." Experienced XP users rely on this icon to monitor their network connections. But there's also another benefit. The icon provides a shortcut by giving you the ability to right-click it and choose "Open Network Connections" to access the wireless networking (or regular networking) properties. Accessing the properties this way is definitely sort of round-about, but it winds up being the fastest set of steps to get there, just not the most obvious route. This is notably improved in SP2, since the "Open Network Connections" is what was replaced by the better "Choose A Wireless Network."

But there's something missing from the context menu for each notification area network-connection icon--a properties menu item. Microsoft should take this opportunity to make accessing the wireless or wired network connection properties easier for experienced users by adding that menu item in this release. The alternative is a continuation of the confusing, multiple-click process that even experienced network administrators sometimes forget how to do.

• Another area of frustration pertains to the signal scan for available wireless networks. When multiple wireless access points use the same SSID on different channels, they show up as a single network entry, not as individual results identified with their channel numbers. While that's a simpler presentation, there are just times when it's crucial to be able to connect to a specific access point, not just the strongest one with the strongest signal (what we assume Windows is doing). The utility that comes with Netgear's WG511 Wi-Fi card (and others) shows the functionality of a scan for wireless networks that works as we're describing.

Another type of wireless, Bluetooth, also receives an update with SP2. While it wasn't tested for this story, Microsoft says the point of the update is to provide support for a wider range of the latest Bluetooth devices, including wireless keyboards, mice, and connections with cell phones and PDAs.

Blocking Pop-Ups And Minding Downloads

It's a small feature, but certain to be a favorite. Windows XP SP2 will add automatic pop-up blocking to Internet Explorer. The feature is well-designed with a simple but functional white list (for sites whose pop-ups you want to see). So far, we've only seen it choke on one Web site (ESPN), and the next day it worked fine there.

Although we were unable to test this, Microsoft has apparently added a feature that blocks remotely initiated downloads. It's designed to protect Windows users from accidentally downloading and installing potentially malicious programs from Web sites. The feature is apparently designed to block unsolicited download prompts only. When users initiate a download, that process is unhindered. According to a Microsoft document, an indicator in the form of a download link will appear below the browser toolbar when a download is blocked, and users can opt to install anyway by clicking it.

Windows Longhorn build 4051, the alpha release of the next major version of Windows, has the same pop-up blocker that Windows XP SP2 displays. It also adds a Download Manager whose functionality is sketchy, but presumably it will allow Windows to interrupt and resume downloads initiated by Windows users. It doesn't appear this functionality will make it into Windows XP SP2.

New functionality in IE has been scarce for quite some time. We're hoping that Microsoft is also considering the addition of "tabbed browsing," or multiple browser windows within a single launched instance of the browser. Many people prefer that paradigm, and virtually all of IE's competitors offer it, including Mozilla and Opera.

Security Baked In

There are also some significant areas of security improvement that are invisible in SP2, but they represent some of the more important changes. Windows Messenger Service, the network messaging feature (not to be confused with Windows Messenger, the instant-messaging client), is turned off by default in SP2. The Windows Messenger Service has been the target of spam pop-ups for more than a year. More recently, it has been identified as a possible area of exploit by hackers and malware.

If you make use of Microsoft's Outlook Express E-mail program or Windows Messenger instant-messaging client, the software maker is tweaking these products very slightly to prevent security problems. File attachments to E-mails or files passed with Windows Messenger will be treated with more suspicion by default. Attachments will be able to open and execute with the fewest permissions possible. Outlook Express will also no longer download external content (such as graphics) in HTML mail by default. Windows XP SP2 will also deliver the latest versions of Windows Media Player 9 and DirectX 9.0b, both of which have numerous security tweaks.

Microsoft has also partially disabled the Remote Procedure Call aspect of Windows, which was targeted by the Blaster worm and its variants. It runs with reduced privileges in SP2 and will no longer accept unauthenticated connections by default.

The Distributed Component Object Model has been extended to allow "more granular COM permissions to give administrators the flexibility to control a computer's COM permission policy," according to a Microsoft document. In the current environment, it's not possible to allow a local area network access to COM without also implicitly allowing that application access via the Internet, too.

Microsoft is also going after the most-often-cited cause of computer attacks, the buffer overrun. Just how it's working to minimize buffer overruns in Win XP SP2, the software maker isn't saying in great detail--except that all Windows code changed since the original Windows XP was released has been recompiled using Microsoft's Visual Studio compiler, which, the company says, reduces the likelihood of some certain buffer-overrun vulnerabilities.

Said And Done

Companies will clearly benefit from the changes that Windows XP Service Pack 2 brings, but it's important to note that SP2 is not aimed primarily at businesses. It's best to think of this service pack as Microsoft's response to the Blaster worm. Consumer PC users increasingly have always-on broadband connections, and they're leaving their PCs on. At the same time, they may not be protecting those PCs well enough. Microsoft is taking the bull by the horns to ensure that more and more users are protected. Given that worms and Trojans not only infect unprotected PCs, but use them as staging areas to infect other PCs, this is an important step for Microsoft to take.

Nevertheless, there are some concerns for IT professionals. If Windows Firewall causes too many problems, it's possible that Microsoft will decide to minimize it further or even turn it off by default. We wouldn't bet on that latter option, though. We think fewer IT pros will be troubled by Automatic Updates being turned on by default. Microsoft has done a better job of testing its security patches over the last 18 months. That improvement was key, because it makes it much easier for more and more companies and individuals to simply install every update that comes along--or let Windows do it for you--than most of us would have been comfortable with two or three years ago.

All in all, SP2 is a solid set of improvements. While not earth-shaking, it's a somewhat more ambitious Windows service pack than most, and everything about it is labeled "security." So it's a welcome update as soon as Microsoft straightens out all the kinks.