XP SP 2 Will Break Your Network. It's About Time.

By Michael Hall | Jun 22, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3371931/XP-SP-2-Will-Break-Your-Network--Its-About-Time.htm

Main     Elsewhere     The Week in CrossNodes     The Week in Network News

There's an interesting article over on TechRepublic today that outlines some of the changes coming with Windows XP SP2, which we've been paying our share of attention to over the past month or so.

Among the changes of interest to networkers:

  • The Internet Security Firewall is "on" by default.
  • A new feature called "Windows Security Center" provides a unified panel for basic security information.
  • Port management has been improved, with more sensible policies for closing ports when poorly written apps fail to do so. Apps can also be whitelisted for port access
  • The RPC interfaces have been buttoned down to stop some of the more popular worm attacks less easy.

We don't want to replicate the article, which is worth reading on its own. Rather, we want to point out that SP2 is going to break some things that network admins will probably spend some time scratching their heads over. The default-on firewall, for instance, may well create mass confusion in organizations that trust the inside of their net.

We're going to put on our "shocked and appalled" caps for a moment to note that in the midst of Microsoft doing the exact right thing, making some sacrifices in terms of ease and convenience, there are folks arguing that the company should have forestalled these changes until Longhorn lands, some time in ... we haven't checked lately. One commenter on Slashdot said "By jumping the gun on this, theyll likely piss off users, but if it were longhorn or some interim release then some breakages are simply to be expected."

Color us mean and cranky, but there are a few things at work here:

  1. Pissed off users don't really have much of anywhere to go except back to their pre-SP2 installs. We doubt Apple's going to see inflamed Windows users lining up at the Apple Store to buy new computers because their old ones are now more secure.

  2. Microsoft has been keeping everyone up to date with what's happening. Any corporate IT manger with a half-lidded eye cocked even vaguely in the direction of the trade press knows SP2 will be here soon and will be breaking a few things along the way. In fact, we just dug up a much earlier report on exactly these issues over at internetnews.com, written in March.

  3. We'd rather have people mad and secure than passive and insecure.

There's a minor point to be made about the inconvenience of dealing with a major upgrade and attendant security policy changes: It's a pain in the butt to deal with. It's also easily remedied by setting up a testbed lab and testing, then rolling things out in a sensible and measured manner.

For years, serious professionals have lived in the shadow of Microsoft's single-minded determination to make everything "easy" at the expense of common-sense security measures. We've all paid the price for this attitude in downed networks, overtime hours, and a seemingly monthly panic attack when yet another exploit is discovered and, well, exploited. If Redmond has wised up enough to start reining in its security problems, it isn't our job to whine and hope they'll put off the changes for just another two or three years: It's our job to thank them for getting it right, then take the time to get it right ourselves by testing the changes and putting them into effect.

If we can't be bothered to do that, we're no better than the clueless users we routinely condemn for their complacent ways.

Elsewhere:

» With SUPERCOMM in full swing, the inevitable trend stories are being written. The theme for today is "What's next after VoIP?".

» Motorola has joined the WiMax Forum and says it will be releasing gear in "early 2005."

» Cisco also had some MAN news, announcing the Cisco Metropolitan Mobile Network solution (MMNS):

Key in Cisco's offering -- which is geared toward private sector city agencies from first responders to city workers to transportation services, at least for now-- is mobility. The products they're offering include a router that can go in a vehicle and support roaming over multiple wireless networks.

[...]

The main outdoor infrastructure would come from Aironet Outdoor AP/Bridges: the model 1300, an 802.11b/g unit for medium range bridging and the Aironet 1400 Series, which supports 802.11a and is used for long range connections. Such units mounted strategically in a city can provide a Wi-Fi cloud that municipal workers can use with any 802.11 wireless device, or provide connections for the roaming when using the 3200 router."

The company says WiMax/802.16 support will be added as it becomes available.

» Too early in the day for coverage, so we'll just link to the press release from the Anti-Spam Technical Alliance (ASTA), a consortium of major ISPs, which has released a list of "best practices" for fighting spam. Much of this stuff should probably be familiar to anyone with a mail server running on her network, but some of it apparently isn't. The press release is probably worth printing and treating like a checklist. We're on the record as being all about at least one recommended measure: Blocking port 25 unless the user who wants it open has a really good reason and asks nicely.

The Week in Network News

» Monday: Cisco's Self-Defending Network Takes Shape

Cisco's vision of a self-defending network took more form today as a bevy of NAC-supporting products were announced and the company moves ahead with third-party outreach. Also: Your enterprise IM choices just narrowed by one as AOL and Yahoo reconsider their IM strategies, and SUPERCOMM kicks off in Chicago.

The Week in CrossNodes

» NFS/NIS: Lessen Your Legacy Security Liabilities

You may be an old-school holdout, or you may have inherited a network with NFS/NIS driving some of the file-sharing load. Either way, here's how you can button down these venerable but potentially dangerous services.

» VoWLAN: The Wireless Voice Future is Here ... Almost

VoWLAN might be the chocolate and peanut butter of networking, but the convergence of VoIP and wireless freedom has its share of snags. Here's what you need to know.

» Squid Puts the Squeeze on Net Wrongdoers (Part 2)

Between online deathmatches, hearts tournaments, and sports bookies, your network might be looking more like a playground than a place to get work done. Here's how to use Squid to button down the traffic and make sure your more slippery users don't slide out of its grasp.

» Three LDAP Browsers for the Asking

Getting your information in a directory is just half the battle: The other half is finding it. Here are three LDAP browsers, free of charge and up to the task of digging through your data.

Network News Break is CrossNodes' daily summary of networking news and opinion, served up fresh daily. Please send your comments and suggestions to the editor.