So SP2 is not all its meant to be...

WinXP SP2 = security placebo?

So where are all the improvements? Very few changes to security I note. My advice - don't use IE/OE, do use a seperate firewall and ZoneAlarm and a virus checker outdoes SP2.

So why bother installing it, if it doesn't even address basic security issues?

Why did I just know YOU would post this?  Exactly why do you ONLY ever post The Register links?  Come on, who are you really?  Orlowski?  Greene?  Lettice?

Anyway, I saw that earlier and, frankly, the "review" is such a ridiculous hatchet job (as per usual from that cretin, Greene) that its not worth tearing it apart.

Basically, the security model to which Greene subscribes is so dumb, so requiring users to have indepth knowledge of ports and services, so obtrusive, so feature destructive, that had Microsoft done that, we'd have got Greene writing an article about how "SP2 renders XP unusable" (ie. lookie here:  http://www.theregister.co.uk/2004/08/17/xp_sp2_glitches/ and  - imagine that 100 times worse).

imekon wrote:

So why bother installing it, if it doesn't even address basic security issues?

It doesn't dispense ice cream either.  It's a service pack!  Install it and be happy.  It fixes what it fixes.

Only 800 bug fixes. No big deal.

Here's a list: http://support.microsoft.com/default.aspx?scid=kb;EN-US;811113

CERT gave it a thumbs-up.  If it's good enough for the Department of Homeland Security, it's good enough for me.

http://www.us-cert.gov/cas/alerts/SA04-243A.html
Microsoft Windows XP Service Pack 2 (SP2) significantly improves your computer's defenses against attacks and vulnerabilities.

The Channel 9 Team wrote:

Only 800 bug fixes. No big deal.

Here's a list: http://support.microsoft.com/default.aspx?scid=kb;EN-US;811113

Ouch!

imekon wrote:

WinXP SP2 = security placebo?
So where are all the improvements? Very few changes to security I note. My advice - don't use IE/OE, do use a seperate firewall and ZoneAlarm and a virus checker outdoes SP2.

So why bother installing it, if it doesn't even address basic security issues?

This is exactly what I meant....

Importent Notice: Forum Rules

The Channel 9 Team wrote:

Only 800 bug fixes. No big deal.

Wasting your breath.  800 bug fixes doesn't matter.  You know what Imekon says:

"So SP2 is not all its meant to be..."

I'm just curious, what do you think it was meant to be?
  

Cider wrote:

Why did I just know YOU would post this?  Exactly why do you ONLY ever post The Register links?  Come on, who are you really?  Orlowski?  Greene?  Lettice?

"Orlowski" sounds Polish.  But there are no Polish people in the world who are that stupid.  So.

As for "Greene Lettice," I would look for someone who has recently been let go from the Produce Department of a supermarket.

The stuff about having all those services turned off gets ridiculous. Having the firewall on by default means most of the services cannot be reached by incoming connections so there is no need to worry about them.

Things like DHCP client should definatly be on by default, most people with broadband need dhcp to get their IP address either from their ISP or a home network router. You can't expect people to configure things like that when all they want to do is plug it in and go.

Moving to using restricted user accounts I agree with, but something like that will take a long time while so much software refuses to work with anything but administrator rights.

eddwo wrote:

The stuff about having all those services turned off gets ridiculous. Having the firewall on by default means most of the services cannot be reached by incoming connections so there is no need to worry about them.

Well, it is an extra level of defence in case someone decides to run with the firewall off. I've seen a number of people saying they'll turn it off and ignore Security Center, relying on a hardware firewall - I don't recommend this. Hardware firewalls are also susceptible to bugs. Many of them, like the Linksys WAG54G I connect with, run Linux - our firewall at work, a WatchGuard Firebox X, runs Linux 2.0.35 IIRC. Hope WatchGuard have been keeping up with patches, there's nothing worse than a security appliance with known vulnerabilities.

If you have a network that's in any way open - allowing users with laptops to move between home networks and the corporate network, or a wireless network that isn't locked down - a user could pick up a virus or worm from another location, then when they return to the corporate network, the worm could spread to other machines if they're not firewalled. This happened with the Blaster and Slammer worms.

eddwo wrote:

Moving to using restricted user accounts I agree with, but something like that will take a long time while so much software refuses to work with anything but administrator rights.

It'll take a lot longer if we don't start doing it. It's painful to start with - especially apps where the installer doesn't offer an 'Install for all users' option, where you have to run the installer using your own account but as an administrator. See Aaron Margosis' tool MakeMeAdmin for the moment. You can selectively weaken security as necessary by changing permissions on files and registry keys.

One caveat to watch out for is that new objects created by an administrator on XP are, by default, owned by that user. On other versions of Windows, including Server 2003, they're owned by the Administrators group. Any software you installed before changing over to a Limited User account will be owned by you. Windows has a special CREATOR OWNER entry in object permissions, which by default has Full Control, which maps to the object's owner. Unless you change the ownership or the security settings for this software in some way, you won't get some of the benefits of lowering your privilege level.

Most users on older 32-bit-only x86 machines actually won't notice anything much in SP2 apart from the firewall and the IE6 information bar, and maybe Local Machine Lockdown if they do local web page development. There's a lot more going on, but most of it's under the covers - DCOM and RPC security, for example, seriously restricts the possible from-remote attack vectors. Few users will ever see that, because few users expose DCOM or RPC services from their computers. The ability for the RPC subsystem to punch holes in the firewall as required makes it possible to run sensibly with the firewall enabled. Memory protection (DEP, No Execute) is a hardware feature only on the newest x64 and Itanium systems.

Silent changes are absolutely the right way to go. The user doesn't want to be disturbed by functionality that no longer works. It's weird how noisy components like Norton Anti-Virus or Norton Internet Security are considered more highly. Perhaps it's a reassurance that it's actually doing something, but I found it irritating ("I blocked an attempt to connect to a port that nothing was listening on, aren't I brilliant? [OK]")

imekon wrote:

WinXP SP2 = security placebo?
So where are all the improvements? Very few changes to security I note. My advice - don't use IE/OE, do use a seperate firewall and ZoneAlarm and a virus checker outdoes SP2.

So why bother installing it, if it doesn't even address basic security issues?

IMEKON!!! I remember you, did you try it like I suggested? Did you perform any tests like I suggested? Did you TRY ANYTHING after the last conversation?

Like has been mentioned, the one thing I want to see is restricted user access employed more and the "request for privleges" function implemented. So that is the one thing that is still outstanding. But overall, I would say that you REALLY need to try it (I feel like a drug dealser saying it like that). All you are saying does not work right until you actually try it yourself.

P.S. I run with software DEP truned on for everything and so far it has not interfered with anything.

Here's a set of Word docs that explain the changes to functionality in Microsoft Windows XP Service Pack 2.

I wish you guys wouldn't make normal post as 'The Channel 9 Team' unless about policy or a public thread/post.

Sorry, that was me. Sometimes I forget to look how I'm logged in.

You gotta love The Register. First they publish Thomas Greene's article "WinXP SP2 = security placebo?", which lists all the services that SP2 fails to switch off (because Microsoft is of course evil and/or stupid). Then lots of Reg readers fail the gullibility test, start turning off all those services, and find that (shock! horror!) their WinXP boxes stop, y'know, WORKING. Now The Register has posted his followup article, "Reg readers sabotage their Windows boxes":

Nevertheless, Reg readers have, in rather large numbers, been dutifully going through our list of questionable features and services, disabling everything in sight, and innocently sabotaging their Windows boxes.

We beg you to stop.

I wonder if anyone's threatened to sue yet?

If you read that list you can clearly see LOTS of what I consider just plain wrong information.. I mean DNS client is not needed for home users?! DHCP client? Lets hope your not on cable internet .. RPC .. lol! That has just broken about half the Windows services..

Turning off Secondary Login makes the machine less secure, not more.