Fallout from SP2

November 16, 2004

A top expert in helping corporations and other large-scale enterprises maintain their computer networks says network managers are still experiencing significant fallout from users installing for themselves the latest security enhancements to Microsoft’s Windows XP operating system.

Mani Sridharan, vice president of business solutions for BOSS, Inc., strongly advocates installation of the Windows XP Service Pack 2, or SP2, to protect computers from intruders and other security risks. But he added that some users could experience problems if they install the upgrade themselves on networked computers or if they buy new computers for their corporate networks with SP2 already installed.

“It’s a trade-off,” said Sridharan. “You can have the new security in the Windows XP environment, but the price you pay is having to deal with some of the compatibility issues.”

BOSS, a Microsoft Gold Certified software development partner, specializes in helping large organizations manage computer network resources and deploy operating systems, software and “patches” like Service Pack 2 throughout their organizations. Customers that used BOSS’s DiagWin software to develop scripts and install SP2 reported no major instances of software incompatibility, Sridharan said.

Microsoft continually adds enhancements to its software products and fixes problems that users and developers discover after the product has gone to market. One feature of the Windows XP system is that it allows users to elect to have Microsoft download and install those “patches” automatically.

After Microsoft made SP2 available in August 2004, some hardware and software compatibility issues surfaced. In September, Microsoft extended the time that businesses can block Windows XP Service Pack 2 (SP2) from downloading automatically until mid-April 2005, to allow companies time to test the update. Sridharan said that most of the problems seem to relate to the automatic installation of Windows Firewall that’s part of the SP2 upgrade. Although it does a great job of keeping out hackers and malicious code, like viruses and spyware, he said, it also sometimes restricts legitimate traffic like remote management, peer-to-peer networking, FTP or Microsoft IIS connectivity and general Web browsing. Also, Sridharan added, file and print sharing features are not enabled in the default implementation.

“By default, Windows Firewall blocks activity on most ports,” Sridharan said. “This is a good feature, but it breaks many applications because they need some specific ports open for communications.

“To allow native and third-party software to run, you must identify and then construct and implement a rule in the software to open the port or ports that each application requires,” he said. “The average end user does not know how to do that and even the more tech-savvy users don’t know where to get the information they need to do that.”

Many users who don’t know about the compatibility issues will waste countless hours trying to fix the problem themselves, Sridharan said, before they even call their help desks for assistance.

“That puts a big productivity drain on corporations,” he said. “The users are supposed to be doing other productive tasks for the overall good of their business instead of wasting a lot of valuable time trying to fix problems they don’t really understand.”

As a hypothetical example, consider an enterprise with 1,000 workstations and a client/server application that requires an open Internet-standard communications port. If SP2 is installed automatically on all those machines, either a tech-savvy user or an IT support person will have to write and execute a rule or manually use the firewall settings interface on each desktop to open the port. If that process takes on average 15 minutes for each computer, it will cost the organization about 250 hours in unproductive time.

“The best solution is to implement SP2 enterprise wide with necessary ports/applications open on each for proper communication,” said Sridharan. “This enables enterprises to have complete security on the client side without letting SP2 ‘break’ user applications and cause disruptions in productivity and an unnecessary burden on the already over-extended tech support staff.”

Sridharan said that custom applications written for a specific industry and homegrown applications developed for a specific environment are particularly hard hit. However, Microsoft has posted on its Web site a list of more than 50 “off-the-shelf” software products, including some of its own, that may require some tweaking before they work properly with the SP2 upgrade. Among the applications that are encountering problems are Web servers, remote desktops, file-sharing applications, FTP clients, computer-aided design software, multimedia streaming software, e-mail notifications, systems management applications and, ironically, anti-virus and security applications. In addition, some hardware manufacturers, including Dell Inc., Hewlett-Packard Co. and Sony Corp., recommend a series of updates users should make prior to installing SP2 to avoid compatibility issues.

“It’s a real headache and a costly process to do this one machine at a time,” Sridharan said. “But it’s an easy fix for a network administrator who uses the proper tools to uninstall the automatic patch and reinstall a patch configured for the specific environment.”
