AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Wed Aug 25, 2004 6:30 am
FYI...
IT Admins Not 'Trusting' SP2 Security
- http://www.eweek.com/article2/0,1759,1638441,00.asp
August 23, 2004
"More than two years after company officials claimed Microsoft Corp. would emphasize security over features in all products, the whopping update to the company's Windows XP operating system is being hit for introducing new vulnerabilities. IT administrators and security experts who have had a chance to install, work with and investigate the changes Windows XP Service Pack 2 makes to the operating system said last week the upgrade doesn't live up to the spirit of Microsoft's Trustworthy Computing campaign announced by Chairman and Chief Software Architect Bill Gates in January 2002. Within about a week of its limited release two weeks ago, a German security researcher found two issues with SP2 that changed the way Microsoft products typically warn users about dangerous online content...ZoneID changes are not experts' only SP2 concerns. One of the added features of SP2 is a default installation of the IIS (Internet Information Services) Web server package, which includes an HTTP server and an SMTP server. Although IIS—which is not known for its security—is not enabled by default, the fact that it is installed as part of a security update worries many in the security community..."
_________________
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?

AplusWebMaster
Posted: Thu Aug 26, 2004 5:08 am
FYI...maybe by the time we get this, it'll be on "Rev 2":
XP SP2 on 'FREE' CD - order Online from M$
- http://www.desktoppipeline.com/showArticle.jhtml?articleID=32900008
August 25, 2004
"... The installation, which requires 1.6GB of available hard disk space, was previously only available in a 75MB download (for individual PCs; the full "Network Install" version is 266MB). This could be time-consuming for most XP users, and nearly impossible for those consumers still using dial-up connections to access the Internet. According to the site, the CD, which is available free of charge, will take about 4-6 weeks to reach those users who request it. As of August 25th, it was available in English and German; versions in 25 different languages will be available within another two months."
>>> http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

AplusWebMaster
Posted: Thu Aug 26, 2004 6:02 pm
FYI...
M$ Posts SP2 Compatibility Guide
- http://www.techweb.com/wire/story/TWB20040825S0002
August 25, 2004
"Microsoft has released a kit to help IT professionals spot compatibility problems between Windows XP Service Pack 2 (SP2) and other applications, and how to roll out fixes. The kit, which includes several Visual Basic scripts and a Word document in excess of 100 pages, “describes the security technologies implemented by [SP2] and provides guidance for mitigating application compatibility issues that were identified by extensive testing of Microsoft and third party applications.” The Word-formatted guide targets IT staff and administrators working in support, application testing, security, and network admin, said Microsoft. “The guide does not assume a particular size or complexity of network, and covers peer-to-peer, domain and Active Directory environments. The security information is relevant even for networks that do not have Internet access,” the kit went on to state...The do-it-yourself “Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2” can be downloaded from the Microsoft Web site."
>>> http://www.microsoft.com/downloads/details.aspx?FamilyId=9300BECF-2DEE-4772-ADD9-AD0EAF89C4A7&displaylang=en
(File Name: AppCompat-XPSP2.msi
Download Size: 2956 KB
Date Published: 8/25/2004
Version: 1.0)
...which requires 10MB of HD space to be installed (There -will- be a test...).

AplusWebMaster
Posted: Mon Aug 30, 2004 11:54 am
As of date/time of this post, with 1366 entries, 18% (still on the rise) had serious trouble:
- http://isc.sans.org/xpsp2.php

AplusWebMaster
Posted: Thu Sep 02, 2004 10:19 pm
FYI...
PC makers: Look before taking SP2 leap
- http://news.com.com/2102-1016_3-5343593.html?tag=st.util.print
September 2, 2004
"Although Microsoft has recommended consumers turn on Windows' Automatic Update feature to get Windows XP Service Pack 2, PC makers are reminding Windows XP users to do their homework before installing the security update...Many PC makers have a list of revised drivers and patches that should be installed before downloading the OS update...For example, Dell...HP...Sony..."

AplusWebMaster
Posted: Fri Sep 03, 2004 1:01 am
FYI...
Microsoft: Spyware Could Bungle SP2 Update
- http://www.crn.com/showArticle.jhtml?articleId=46200892&printableArticle=true
Sep. 02, 2004
"Though Windows XP SP2 is all about protecting systems from worms, viruses and spyware, it can't do much about what's already on computers -- and that could pose a problem. (MS) is warning users of the Windows XP operating system to check for spyware before downloading the free massive security update, called Service Pack 2. Barry Goff, a group product manager at Microsoft, said some spyware could cause computers to freeze up upon installation of the update...Microsoft recommends that users clean their PCs of spyware and back up their data before turning on the auto update feature that automatically downloads Service Pack 2, or SP2..."
(I hear backpedaling in the distance, through the foggy mist...)

AplusWebMaster
Posted: Wed Sep 08, 2004 5:48 pm
FYI...
MS Doubles Blocking Time For SP2
- http://www.techweb.com/article/printableArticle.jhtml?articleID=46802611
September 08, 2004
"Microsoft on Tuesday doubled the time that businesses can block Windows XP Service Pack 2 (SP2) from downloading automatically, giving them until mid-April, 2005, to test the update...Other updates, such as the security patches that Microsoft releases the second Tuesday of each month, however, would still make their way to machines...Bottom line: businesses have a bit more than seven months from now to test applications against SP2 before the update becomes more-or-less mandatory."

AplusWebMaster
Posted: Sat Sep 11, 2004 1:36 am
As of date/time of this post, with 1814 entries, 21% (still on the rise) had serious trouble:
- http://isc.sans.org/xpsp2.php

AplusWebMaster
Posted: Sat Sep 11, 2004 5:40 pm
FYI...from Fred Langa:
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=46200911
Sept. 6, 2004
"...After all, punditry and prognostication only go so far: At some point, it's better to hear about real-life experiences in real production environments and on real desktops...I still recommend against full-scale roll-out of SP2 until and unless:
* You've successfully completed a pilot roll-out in your environment and
* You have a full backup (preferably a disk image) of each system you'll be upgrading.
Although the overall reader experiences are encouraging--more positives than negatives--there clearly are enough rough edges to warrant great caution before opening the floodgates to SP2 in your enterprise..."

AplusWebMaster
Posted: Sat Sep 18, 2004 3:55 am
FYI...
SP2 on XP Home
- http://www.theregister.co.uk/2004/09/17/xphome_sp2/
17th September 2004
"...We evaluated SP2 on a single test machine, following a clean install of XP Home with no configuration changes and no third-party software, additional applications, or drivers. We installed XP with the NTFS file system, choosing all of the factory defaults and obeying all prompts, then patched it with each recommended security update including SP1 before installing SP2, to be certain we didn't miss anything.
Busy box
According to netstat, our machine had the following services listening by default:
* DCE endpoint resolution (epmap), port 135. This is basically the UNIX/BSD/Linux portmap daemon, and unnecessary on most home machines.
* NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on most home machines.
* NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service, and is unnecessary on most home machines.
* Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT by using this service, which is unnecessary on most home machines.
* NetBIOS Session, port 139. This is used for Windows File and Printer Sharing, unnecessary on most home machines, and quite risky on any machine connected to the Internet unless the owner knows how to run it securely.
This was identical to the Pro edition.
Furthermore, Error Reporting (which phones home to Microsoft), was enabled; Remote Assistance was enabled; file and printer sharing were installed; Client for Microsoft Networks was installed; and QoS Packet Scheduling was installed, just as they were on XP Pro. These are all features that should not be enabled unless they're needed. Again, the firewall defaulted to providing an exception for Remote Assistance, a great boon to script kiddies. And, as we noted earlier, the firewall, though now enabled by default, is inadequate due to its lack of egress filtering, which is crucial on Windows. The WINS settings were insecure, meant to enable NetBIOS; and DCOM was on..."
(More...use the URL link at the top)
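
Added example, not part of the post or the quoted article: a Python audit that reads `netstat -an` output and reports which of the five services listed in the article are listening, and whether each is bound to every interface. The sample output is constructed and the function names are hypothetical.

```python
import re

# Ports and descriptions taken from the list in the quoted article.
DEFAULT_SERVICES = {
    135: "DCE endpoint resolution (epmap)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session (file and printer sharing)",
    445: "Microsoft-ds (SMB directly over TCP/IP)",
}

# Constructed sample in the layout of Windows `netstat -an`; not captured from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def flagged_listeners(netstat_text):
    """Return (proto, local_addr, port, service, all_interfaces) for each listed service."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # TCP rows count only when LISTENING; UDP rows carry no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        if port in DEFAULT_SERVICES:
            found.append((proto, addr, port, DEFAULT_SERVICES[port], addr == "0.0.0.0"))
    return found

def summary(netstat_text):
    rows = flagged_listeners(netstat_text)
    return {
        "all_interfaces": sorted({(p, n) for p, _, n, _, wild in rows if wild}),
        "single_address": sorted({(p, n) for p, _, n, _, wild in rows if not wild}),
    }

if __name__ == "__main__":
    print(summary(SAMPLE))
```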

AplusWebMaster
Posted: Mon Sep 20, 2004 2:13 am
FYI...
SP1 + SP2 leads to a catastrophic error
- http://www.pcwelt.de/know-how/extras/103039/
17.09.2004
"...Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter. At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters. With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.
How to correct the problem
- It is not advisable to keep this defective default configuration. However, the previous environment cannot be restored: The configuration for the firewall was changed, which does not allow the setting of active or inactive conditions or exceptions for each network adapter anymore. Now this only works for network areas.
- Choose "Windows Firewall" in the Windows Control Panel and there the tab "Exceptions". Select "File and Print Services" and click on "Edit". Now you can see four ports which are used by the file and print sharing service. To lock the service to the outside and keep it open for the internal LAN, you have to individually select and change its area with the respective button. Our reader Yves Jerschov notified us of another bug: The value for the area set by default "Only for own network (Subnet)" only works, if the Internet Connection Sharing is activated. If this is not the case, your shared data are visible worldwide. This error can be corrected by choosing "User defined List" and entering the IP addresses that are supposed to have access - the IP addresses of your LAN. A whole range of an IP area can be entered as "192.168.x.0/255.255.255.0", if the respective addresses start with 192.168.x.
- After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?"
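
Added example, not part of the post or the quoted article: a Python check of the per-port scope settings described in the fix above, flagging any File and Print Sharing entry that is still reachable from outside the LAN. The sample configuration, the function names and the use of the RFC 1918 ranges as the definition of "LAN" are assumptions; the four port labels are the standard File and Printer Sharing ports, which the article does not list.

```python
import ipaddress

# Assumption: "the internal LAN" means the RFC 1918 private ranges.
LAN_RANGES = [ipaddress.IPv4Network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_scope(custom_list):
    """Parse a comma-separated list such as '192.168.1.0/255.255.255.0,10.0.0.5'."""
    nets = []
    for item in custom_list.split(","):
        item = item.strip()
        if item:
            # strict=True rejects entries with host bits set (192.168.1.7/255.255.255.0).
            nets.append(ipaddress.IPv4Network(item, strict=True))
    if not nets:
        raise ValueError("empty address list")
    return nets

def audit_entry(scope, ics_enabled=False):
    """Classify one port's scope: 'ALL', 'SUBNET', or a user-defined address list."""
    if scope.strip().upper() == "ALL":
        return "exposed: any address may connect"
    if scope.strip().upper() == "SUBNET":
        # Behaviour as reported in the quoted article; not verified here.
        return "ok" if ics_enabled else "exposed: subnet scope reported ineffective without ICS"
    try:
        nets = parse_scope(scope)
    except ValueError as exc:
        return f"invalid: {exc}"
    outside = [str(n) for n in nets if not any(n.subnet_of(r) for r in LAN_RANGES)]
    return "exposed: non-LAN range " + ", ".join(outside) if outside else "ok"

def audit_exception(entries, ics_enabled=False):
    """entries maps a port label to its scope; returns only the entries that need fixing."""
    results = {port: audit_entry(scope, ics_enabled) for port, scope in entries.items()}
    return {port: verdict for port, verdict in results.items() if verdict != "ok"}

# Constructed configuration: one port fixed as the article advises, three left in unsafe states.
SAMPLE = {
    "TCP 139": "192.168.1.0/255.255.255.0",
    "TCP 445": "SUBNET",
    "UDP 137": "192.168.1.0/255.255.255.0, 203.0.113.0/255.255.255.0",
    "UDP 138": "ALL",
}

if __name__ == "__main__":
    for port, verdict in audit_exception(SAMPLE).items():
        print(port, "->", verdict)
```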