Might be a bad idea to install Win XP SP2 at the moment.

[Hesten]

Just found these lists about problems with Win XP SP2. Note that these are NOT complete error lists, only what been found so far. So if youre planning to install it, you might wanna hold a few weeks first.

Some programs seem to stop working after you install Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=842242

Programs that may behave differently in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=884130

[Niffoni]

I'd make a joke about this but I'm just not that fucking funny.

[Hesten]

Hehe, youre not the only one. Its a joke how they released it, should have waited and tested. Notice that on the long problem list, over 20 programs are MS own programs.
This patch crossed the line from emparassing to tragedy.

Almost like something SoE could have done

[Neost]

I don't see anything in there to indicating a major problem.

Those programs will work if you open the correct port in the newly enabled firewall. If you don't like it, disable the firewall completely, as if you had never installed the patch.

The top link actually lists how to open the proper ports for each program on that list.

SUMMARY

After you install Microsoft Windows XP Service Pack 2 (SP2), some programs may seem not to work. By default, Windows Firewall is enabled and blocks unsolicited connections to your computer. This article discusses how to make an exception and enable a program to run by adding it to the list of exceptions. This procedure permits the program to work as it did before the service pack was installed.

I've been running sp2 for a few days now on a couple of different machines and not experienced any issues with anything. I've heard of some vpn client issues in the computer forum on this board but I play CoH with no issues.

[Aslanna]

I've only had a problem with Nero so far. But Ahead released a new update that (should) fix it. I haven't burned anything since I applied it.

[Bubba Grizz]

What about for things like ICQ?

[miir]

Its a joke how they released it, should have waited and tested. Notice that on the long problem list, over 20 programs are MS own programs.
This patch crossed the line from emparassing to tragedy.

Uh, it was tested...
If you actually read that page, the fix to get the programs working takes about 20 seconds.

[Voronwë]

i have to kill the process that runs my scanner to get to desktop

[murr]

Some antivirus programs don't work period without updating (Symantec corporate, for one) so I get to update a helluva lot of computers when I get to college in a few days. Working for Resnet as they pay my housing if I do so. Also, all the notebooks they handed out to freshmen have sp1 on them a the image for them was created back in May. Sweet.

[noel]

As has been said, this doesn't look negative to me at all. Not only has Microsoft identified programs that are blocked by the default firewall configuration, they've also explained what ports to open on the firewall to allow those programs access to the network.

There are two ideas behind a firewall. The first and most obvious is to keep bad network traffic from coming into your computer/network. The second is to prevent malicious programs that either you've installed, or have been installed on your computer/network from accessing the network/Internet from your computer/network. As an example, I don't want users on my network participating in DDoS attacks on hosts internal or external to my network.

A firewall allows you to determine which programs do and do not have access to the network, and it will also show you what programs are accessing the network, so that if you see something that looks wrong, you can investigate. A big part of having a firewall is configuring the firewall. It's not that the SP is bad, it's that the firewall is doing its job. ANY program that you want to access the network/Internet needs to be allowed within the firewall. There is a set of applications that are predefined, but other than that you need to explicitly allow it.

Bubba, I didn't have a problem with any of my IM clients when I had SP2 installed.

[Hesten]

Hehe, personally my workplace are gonna shun this SP like the plague.

This are just a list of known programs. If we were to use this patch we could first spend maybe 50 hours making scripts to open the ports to all our known programs (since half the suppliers are medical companies due to it being a hospital, and theyre NOT very helpfull in cases like this), then we can try to figure out exactly which programs are used at the hospital.
My estimate is around 50-100 random DOS based programs we got no clue about.
Around 100 homemade/small company windows based programs we got no clue about.
Around 100 varios bigger programs (Visual studio, Reference Manager and the like) that we might know about, but cant be sure (since departments can buy software without talking to the IT department).
Around 50 various medical company software where the supplier will claim that this patch = the devil, and say it will break their software if we put it on the computers. Good example are Agfa, who got a server that keep all our XRay pictures, a old NT4 server, no SP6, no patches since, IE 4.0. I cant even load the windowsupdate page on it, have to download the patches manually and install them, when im allowed to do it. The patch to shut the Sasser hole i had to threaten the danish director of Agfa to pull the PDS cable on the server if he didnt allow me to install the patch, they refused to let me do it before that.
Or GE Medical, which system got some blocks from them when it arrive, so we cant patch it. AND they got no clue how their system works.

With problems like that, we cant afford to install the patch, way too much that could go wrong. And when its life and death on a hospital, its limited how much that CAN be allowed to go wrong.


And if we look at it from a user perspective, how many average users who heard they should use Windows update to protect their computers are actually able to find the relevant info in the MS knowledge base and open the ports in the firewall? I bet maybe 20%, the rest are fucked if they dont know anyone who can fix it.

[noel]

And if we look at it from a user perspective, how many average users who heard they should use Windows update to protect their computers are actually able to find the relevant info in the MS knowledge base and open the ports in the firewall? I bet maybe 20%, the rest are fucked if they dont know anyone who can fix it.

Your points are for the most part valid. That said, there are many ways of approaching the rollout of an important SP like SP2, and they take a lot of time and planning. That's why they pay IT personnel good money. It's our job to figure things like that out.

If you work in a hospital, chances are you have a decent firewall package already, and perhaps (hopefully) an IPS (Intrusion Prevention System). If you have those things, you can make the argument that you don't really need the firewalls on the clients, and disable it across the board. Additionally, it's rather easy to push out firewall policies to XP users during their domain login, so you can do a mass configuration if you need to.

The ideal thing to do would be to group common sets of users together with application sets you know about, and then take each group on a case by case basis. Test the applications on a test client, and evaluate the functionality. Either certify that SP2 will or will not work for you. There's no reason you can't benefit from the numerous other security enhancements in SP2 when you can just disable of the firewall.

I'd go into a long lecture about the pitfalls of the IT staff not having centralized control of departments installing applications, OSes, etc. but, it's easier to see that then for me to explain it.

[Niffoni]

Wait.. is SP2 just a firewall? I'm no network guru, but if that's all it is, I don't need it. I have one o_O Surely there's more to it than that.

[noel]

The firewall is just one aspect of the SP2 enhancements...

http://www.microsoft.com/technet/prodte ... chngs.mspx

Bear in mind, I'm not telling anyone to upgrade to SP2, or that if they don't they're a bad person. I'm just presenting some ideas. I do think that SP2 is a long overdue, and very good enhancement to the security of XP, but there is a learning curve for some of the new features, and as such, it can cause some initial headache.

[Neost]

There is more to it than just the firewall. The most well known portion of sp2 is that it turns no the internet connection firewall, which I believe is disabled by default on the initial XP install.

[Animalor]

Is SP2 can get Kylere to STFU about IE vulnerabilities then it'll be worth it =P

On a side note, SP2 intruduces a very decent popup blocker in IE that is tied in to it's security zones. Is your website on a security zone? then popups allowed.

It's security console is also very user friendly as well. It examines if you have AV, Firewalls and Automatic Windows Updates and will explain the risks of not having either turned on.

MS has also compiled a list of AV vendors with offers on their products. Computer Associates offers a full year of AV and free defs. McAfee ponyed up 90 days while Symantec came in with a piddly 30 days free.

This is the first step in MS's Trustworthy Computing initiative and it's a damn good one imho.

[noel]

Oh, and one other thing about SP2...

It's easily uninstallable.

That way, you can upgrade, and if you have issues, you can easily role back. When you roll back, it preserves all of your statuses on critical updates, etc.

[Animalor]

Oh btw - The Network install is alreadey available to the general public

http://www.microsoft.com/downloads/deta ... laylang=en

MS doesn't recommend this for single computer upgrades because the download is significantly bigger than the express install that'll be on Windows update however the end result will be the same.

Full details of SP2 can be found here http://www.microsoft.com/technet/prodte ... chngs.mspx

[Aslanna]

Oh btw - The Network install is alreadey available to the general public

http://www.microsoft.com/downloads/deta ... laylang=en

IT Professionals and Developers != General public!

[Dregor Thule]

Why hasn't Kylere shown up on this thread yet to jerk his load onto anything anti-Microsoft?


It's easy enough to fix the problems that showed up with SP2 for someone with a fraction of intelligence. It's just sad that there's so many truly unintelligent people out there

[Winnow]

Much for Gates!

SP2 works great.

[Kylere]

You know I never touch a new OS for like 6 months after release and I am treating this like a partially new OS. Giving it 3 months first, especially since on my test system it drastically changes some of the basic TCPIP parameters.

[noel]

You know I never touch a new OS for like 6 months after release and I am treating this like a partially new OS. Giving it 3 months first, especially since on my test system it drastically changes some of the basic TCPIP parameters.

I install as soon as possible and work with it as much as possible so I know what the issues/problems/features are before users/co-workers experience them.

[Neost]

same thing here. I try to get ahead of the curve by using it every where that I can prior to it hitting the general user population.

As for corporate/legacy apps, we typically install it on a typical user pc with the standard corporate image that is loaded on all our equipment. We just recently started rolling XP out as new machines are purchased and probably only have about 700-1000 people on XP at this point. Our testing allowed us to get patches/fixes in place for the XP gotchas we ran into and it will do the same thing for 99% of the issues we would see with sp2. There may be one or two really arcane applications that would affect a few users but we'll catch the biggies on the front end.

I'd rather rush to get sp2 out and installed than go through any more marathon sessions trying to track down virus infected users in a geographically disperse, large enterprise network.

[noel]

More information for all...

http://securityfocus.org/columnists/259

Redmond's Salvation
Service Pack 2 for XP represents a sea change in Microsoft's security posture. Here's why you should ignore the naysayers and start planning your upgrade.
By Tim Mullen Aug 11 2004 08:42AM PT

At long last, Service Pack 2 for XP has arrived. Like many in the security community, I'm excited about this, as it represents real, true progress for Microsoft and their commitment to security. This is not just a Service Pack -- it really includes functionality, usability, and core changes in the underlying code extensive enough to be called "XP2." In fact, I think I'll just call it that from here on out.

In addition to code changes, XP2 also represents a tangible shift in the way Microsoft is embracing security: they are putting security concerns before functionality, and in some cases, this will actually break existing applications. Though it will make some developers out there continue to work overtime, this too is a very, very good thing.

XP2's feature set is a veritable laundry-list of security enhancements, as well as new functionality: Windows Firewall, new IE security features, wireless provisioning, memory protection schemes, and even new peer-to-peer functionality... The list goes on and on.

With that in mind, it is important for you to deploy XP2 with a plan. While no one should ever deploy a service pack without planning and testing, some IT folks do it all the time. In the case of XP2, that will probably cause some problems.

For instance, in our shop we use Remote Desktop all the time as a secure means of remotely administering clients and troubleshooting issues. By default, Windows Firewall blocks remote desktop (TCP 3389) connections, even if the system was configured to allow remote desktop connections when SP2 was applied. While WF is very easily (and extensively) customizable both through Group Policy and via the Netfw.inf file during install, one should know this type of thing going in.

Another example is the difference between the default WF settings on domain members versus workgroup systems: File and Printer Sharing is enabled by default on domain members (allowing TCP 139, TCP 445, UDP 137, and UDP 138 from other IP's in the same subnet), while it is not on non-domain systems belonging to a workgroup. While these options may be intuitive, they are far more intuitive when you know them up front.

If you are part of the IT staff, it is highly recommended that you spend time at the XP2 site. If you manage the IT staff, then give your people the time and resources they need to deploy XP2 correctly. You'll be happy you did. More importantly, you'll be really put out if you don't.

Everyone's a Critic
Now, even with these tremendous advancements in XP, some people are going out of their way to find fault with it, as they seem to do with all things Microsoft. In fact, some of this is just downright hypocritical. Security researchers and analysts continually blast Microsoft for security issues, and have done so forever (I've even done it.) But now that the company has responded in a significant way, it gets bad press for releasing a Service Pack that might break ISV applications.

The truth here is that if an application breaks, it really did need fixing anyway. And it's not like XP2 snuck up on us, either: most development documentation has been around since last year. Its just that some are waiting until now to get on board. We as a security community have to embrace and support XP2 if we want to continue to make headway in this space.

And for heaven's sake, stop with the "Microsoft should backport XP SP2 into SP's for earlier OS's." Even if you still consider Windows 2000 "current," the fact is that it began development over 9 years ago, and there is no way any backport of a Service Pack will ever bring Win2k to the level of XP/2003. People who think it can clearly don't understand the development model or the code base. Fortunately, there is a front-port for Win2k: it's called "XP." If you care about security, and want a powerful platform that is easily to manage while maintaining extremely granular controls from an administrative standpoint, then upgrade to XP. XP2 really makes this the way to go.

In an earlier column I identified old software as a contributing factor to security issues, prompting a flood of "Who the hell do you think you are telling me I have to upgrade?" e-mails. Well, I'm someone who cares about computer security. I'm not telling anyone they "have" to upgrade, but I will say that if you make the choice (or your company does for you) to maintain older, less secure software when you know something far better is out there, then you must take responsibility for your security posture.

Not withstanding that rant, XP2 is really worth the upgrade. The firestorm of debate among security professionals over whether Microsoft should withhold XP SP2 from users with pirated copies of XP demonstrates the importance of this upgrade. Regardless of your views of this from a policy standpoint, if we are to accept that the Internet as a whole will be in dire peril from worm and virus attacks launched by systems without SP2, then we must also accept that XP/SP2 is an absolute requirement for everyone else. It's somewhat ironic that the more outspoken against Microsoft on this issue actually ended up making a rather compelling argument for upgrading.

But my point here is not to bust on other people. (Did I really say that? I must be getting old.) My point is to bring to your attention the vast improvements that XP2 offers, even in the face of some continued bad press. It really is "all that," and you should take a serious look at what benefits your company can gain from its deployment.

[Kylere]

You know I never touch a new OS for like 6 months after release and I am treating this like a partially new OS. Giving it 3 months first, especially since on my test system it drastically changes some of the basic TCPIP parameters.

I install as soon as possible and work with it as much as possible so I know what the issues/problems/features are before users/co-workers experience them.

I have it on a testbed machine here at home, but I will not have to deal with users since my employer runs 2k still and actually has a Novell Network (LOL) we have an XP rollout planned to start in January, and by then most of the major corporate level issues will have been resolved. Of course I have tested everything we use at work under SP1 already so my only concerns are SP2 specific.

[Animalor]

Oh btw - The Network install is alreadey available to the general public

http://www.microsoft.com/downloads/deta ... laylang=en

IT Professionals and Developers != General public!

It's the same exact product except the package is a bit bigger.

It's designed to be installed over LAN instead of having each single workstation on an office environment download from MS.

[Aslanna]

I know why it's there.. I just disagree on the 'general public' part of your statement. General Public to MS = Windows Update!

[Animalor]

I know why it's there.. I just disagree on the 'general public' part of your statement. General Public to MS = Windows Update!

How about this then -

Available to everyone with an internet connection...

[noel]

I know why it's there.. I just disagree on the 'general public' part of your statement. General Public to MS = Windows Update!

The initial offering is available to the general public. That is to say, if you want it, you can get it, there's nothing that precludes you from getting it if you're not an IT professional. The offering that will be available on the Windows Update site is more for the general idiot who hasn't already upgraded or isn't Internet savvy enough to find it, download it, and install it.

I have no idea if you're a man or a woman, but you've got 'pedantic bitch' down pat. Grats you.

[Aslanna]

I see nothing has changed with you Aranuil. You're still the same pathetic fuck you always were.

[Siji]

I despise the fact that Microsoft feels the need to force feed every type of software to me via an operating system. Make it an operating system. Let me choose my firewall, my multimedia software, my disk defrag program, my antivirus, my web browser, etc. Give me an operating system that's stable first. Then think about building other crap.

Fuck Microsoft.

[noel]

Siji, the whole concept behind this is relatively simple. The average user is entirely too unaware of network security, and as such, Microsoft feels they have a fiduciary responsibility to protect the users from things they're not aware of. SP2 had it been installed prior to today would have prevented many viruses including Blaster, Nachii, MyDoom, agobot, gaobot, bagle, etc. Not only does this protect the users PC, but it protects the networks and PCs of others as well.

I see nothing has changed with you Aranuil. You're still the same pathetic fuck you always were.

Look up the word pedantic, reread your posts, then tell me I'm wrong. Stop nitpicking every little thing. As far as nothing changing, I still don't care what you think.

[Stalker Vacio]

Does it work with EQ?

[Siji]

Siji, the whole concept behind this is relatively simple. The average user is entirely too unaware of network security, and as such, Microsoft feels they have a fiduciary responsibility to protect the users from things they're not aware of.

Ok, I'll give you that. So make a XP Home SP2 and leave XP Corporate and XP Professional alone. People at home generally aren't buying Corp or Pro versions, nor are new computers coming with those installed (usually). People that are buying those versions are usually more knowledgeable and have a clue about how to protect their computers.

[noel]

I'm sorry, but why wouldn't you want XP SP2 installed in the corporate environment?

Any IT staff running XP Pro as clients would want the changes to the browser and to the memory buffer management at a minimum. The other stuff can easily be turned off before it's rolled out if you chose to.

The thing that is weird to me is that you make it sound like SP2 does something bad, and it doesn't at all. I'm trying to understand what's wrong with it that you take such offense to...

The ONLY downside to SP2 is potential application incompatibility which can be tested for and addressed before rollout. No different really than when you roll out a new OS, and test. No competent IT staff would ever roll out a service pack without testing it, so it's nothing new really.