Security Watch
Windows XP SP2 Strategies
To install or not to install SP2 is all up to you.
- By Roberta Bragg
- 08/16/2004
Service Pack 2 for Windows XP is here. Should you immediately download and
install it? What if you don't want XP SP2 but still want to continue to receive
critical updates through Automatic Updates? The answers aren't easy; here's
some guidance.
If you haven't tested a beta version, don't know if all the software you use
is compatible, and don't like surprises, visit the XP SP2 support center at
http://snipurl.com/8gjz or http://snipurl.com/8gk2
(the former is for all users, the latter for IT pros). I've been following the
reports of beta testers and dabbling myself, and believe that, for most people,
XP SP2 won't present problems. However, SP2 is, in many ways, a new XP, and
there's no way to test every possible combination of hardware and software on
which it might be installed. Practice due diligence and evaluate your specific
XP deployment before installing XP SP2. (Editor's note: Most of the Microsoft
URLs referenced in this story are very long; the "snipurl" versions
don't break, and will not expire).
If you can't immediately start deploying XP SP2, there are several pre-installation
steps you should consider.
1. Understand the benefits of installing the service pack:
- Malware attachment warnings
- Malware download warnings
- Pop-up blocker
- Firewall turned on by default
- Windows Security Center GUI that lets end users see and manage security
settings (this can be blocked in a managed environment)
- Enhancements to auto updates, including improvements for dial-up users
- Better management of browser add-ons and e-mail addresses
- A new wireless deployment wizard useful for small businesses
2. Grab a copy of the recovery document from http://snipurl.com/8gju.
This document discusses how to recover from a problem XP SP2 installation. If
you're like me, when you take the precaution of printing out recovery instructions,
you never have to use them. At any rate, you'll be prepared when priorities
change and you've got to get XP SP2 installed immediately. When you're rushed,
you might not think to look for recovery information before installing.
Of course, not everyone's going to want, or need, to immediately install XP
SP2.
For example, home users, small businesses and organizations with unmanaged
computers that normally use Automatic Updates might want to continue receiving
the benefits of automatic patch updates, but hold off on XP SP2 until they've
had time to figure out what issues there may be with current hardware or software.
Those on dial-up might also be candidates for blocking XP SP2, as they may
want to wait and get the update on CD. Downloading any large file via dial-up
is a pain, especially if connection costs are paid by the minute; and history
shows that attempting to push huge files through dial-up may result in frustration
and the turning off of automatic updates by many users.
How to handle XP SP2 is also an issue for IT departments using SUS for updates,
since it may need to be blocked from some SUS client computers and approved
for others. Remember that the service pack will have to be approved in the SUS
server database before clients can receive it, giving an extra layer of protection
to SUS shops.
If any of these scenarios applies, here are some resources. Start with the
free Microsoft tool at http://snipurl.com/8gjw.
It includes an executable, a script, an ADM template to use with Group Policy,
and sample e-mail text to be used to inform users on how to block and unblock
delivery of XP SP2.
You can read about blocking at:
For those who like to do things the hard way, you can edit the Registry to
block XP SP2 delivery. Go to the following key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
and add the new value DoNotAllowXPSP2. Set the value to 1. This will block
delivery of XP SP2 via SUS or Automatic Updates for up to 120 days. Removing
the value will allow delivery of XP SP2, as will the passage of time. This isn't
a permanent solution; it just affords a little more breathing room.
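The registry edit described above can be scripted with the reg.exe tool that ships with XP. This is an added example, not part of the original column and not the script from Microsoft's tool; the block/unblock/status arguments are hypothetical, and the value is written as a REG_DWORD, a type the column does not state:

```batch
@echo off
rem Added example: block, unblock or report XP SP2 delivery on the local machine.
rem Arguments (hypothetical): block | unblock | status
rem Assumption: DoNotAllowXPSP2 is a REG_DWORD; the column only says "set the value to 1".
setlocal
set KEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
set VAL=DoNotAllowXPSP2

if /i "%~1"=="block"   goto block
if /i "%~1"=="unblock" goto unblock
if /i "%~1"=="status"  goto status
echo Usage: %~nx0 block ^| unblock ^| status
exit /b 2

:block
rem reg add creates the key if it is missing; /f overwrites an existing value.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (echo Failed to write %VAL%. Run as an administrator. & exit /b 1)
goto status

:unblock
rem Removing the value allows delivery again; an already-missing value is fine.
reg query "%KEY%" /v %VAL% >nul 2>&1
if errorlevel 1 goto status
reg delete "%KEY%" /v %VAL% /f >nul
if errorlevel 1 (echo Failed to remove %VAL%. Run as an administrator. & exit /b 1)
goto status

:status
rem Report what the registry holds now, not what the script meant to write.
reg query "%KEY%" /v %VAL% 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo XP SP2 delivery: not blocked ^(%VAL% is absent or not set to 1^)
) else (
    echo XP SP2 delivery: blocked ^(%VAL% is set to 1^)
)
exit /b 0
```

Running it with status after block confirms the value was written, which is worth checking on machines where Group Policy also manages the WindowsUpdate key.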
And finally, don't believe everything you read. Contrary to some rumors, XP
SP2 doesn't break things; it fixes things. (Sometimes closing holes means good
software will need to be revised or reconfigured, too.)
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.