IT Pros: Still Cautious Over XP SP2 Security Rewards

Security experts discussed the merits and flaws of Microsoft’s Windows XP SP2 (Service Pack 2) in a panel discussion Tuesday as part of Ziff Davis Media’s Security Virtual Tradeshow. Across the board, they highly recommended that enterprises quit their flinching and install the upgrade, although they still offered several caveats.

“An absolute, resounding yes, you should deploy,” said Oliver Lavery, chief software architect at PivX Solutions, Inc. of Newport Beach, Calif. “Should you upgrade tomorrow? That’s a resounding no.”

Lavery and other panelists stressed the need to carefully test systems and applications—particularly third-party and business-critical software—prior to widescale enterprise deployment.

“The only reason not to deploy is if you’re facing insurmountable application compatibility issues within your organization,” said Bernie Robichau, who has deployed SP2 as the network administrator and security officer for South Carolina’s department of parks, recreation and tourism.

But he said the installation tools offered by Microsoft alleviate most of those risks.

“Almost every issue you would have with installing SP2 can be mitigated by implementing Group Policies during and after installation,” Robichau told the online audience.

However, Mary Jo Foley, editor of Ziff Davis Internet’s Microsoft Watch, was more cautious. She said that while Microsoft termed SP2 a “basic upgrade,” customers, partners and competitors agree that it’s a “completely new operating system,” with inherent weaknesses.

“Microsoft released SP2 publicly on Aug. 6, but that doesn’t mean it’s bulletproof,” Foley said. Microsoft itself initially had listed some 200 applications that “lose functionality” when paired with SP2, and that number still stands at about 40.

Foley also said Microsoft has elected not to support updates to systems and programs not running on XP, which has caused concern in the industry that the company is forcing customers to upgrade to XP in order to reap the increased security of SP2.

Panelist Shawn Bernard, senior security engineer at Hudson, Mass.-based Networks Unlimited, said he thinks many of those security enhancements are enterprise-strength, but that the weak Windows firewall is not a solid desktop solution.

“They do provide you with a functioning firewall, but not one that is easily managed within a corporate environment,” Bernard said. He compared the firewall to the basic document functionality found in Microsoft WordPad, and stressed the importance of installing third-party firewalls at the desktop level.

Security Center editor Larry Seltzer says your excuses for not installing SP2 aren’t good enough anymore. Click here for his column.

While all of the panelists agreed that enterprises should shortly implement SP2, in a straw poll of online participants during the panel discussion, about half were still testing SP2, seemingly in line with the panel’s recommendations.

“SP2 isn’t perfect, but it’s the biggest improvement Microsoft has made,” said PivX Solutions’ Lavery. “It’s not going all the way. But frankly, it’s impressive.”

The panel discussion will be archived at www.securityshow.eseminarslive.com. The Security Virtual Trade Show continues Wednesday at 11 a.m. EST, 8 a.m. PST, with panel discussions, keynotes and sponsor exhibits.

Editor’s Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of eWEEK.com.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.