When Microsoft released the first public beta for Windows XP Service Pack 2 a few weeks ago, it knew the built-in security enhancements could cripple some corporate applications.
Companies testing XP SP2 say they are seeing some of that, but note a more significant development: Corporate users will have to change the way they develop applications and build networks to compensate for the security changes Microsoft is making to its desktop and server operating systems.
"The more secure the (operating system), the harder it is to use; it's always a trade-off," says Tom Gonzalez, senior network administrator for the Colorado State Employees Credit Union.
With XP SP2, most of the trade-offs revolve around the built-in Internet Connection Firewall (ICF), which is turned on by default and will disrupt communication for existing applications, such as remote administration and patch management tools, performance monitors and other programs that communicate over file- and print-sharing channels, hard drive shares that operate over specific ports, and peer-to-peer and file-sharing programs.
New security restrictions placed on Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) services, which are often exploited by worms and viruses, also could choke existing applications. New memory-protection features, which will stifle code generated by just-in-time compilers, could do the same.
Companies are paying attention and conducting thorough testing to avoid problems. Users can configure the firewall to accommodate specific applications, open needed ports or turn the firewall off completely. They also can centrally manage firewall settings using Microsoft's Group Policy Objects feature in Active Directory.
But given the range of applications in any given company, it won't be easy.
"We have 1,800 applications and if you change something there is a chance that something can go wrong," says Mike McCaffrey, operating systems manager for engineering company Bechtel Corp. in San Francisco. McCaffrey says SP2 is not a big issue now because Bechtel has not migrated many desktops to XP, but he expects rigorous testing will mean a long deployment cycle.
The credit union's Gonzalez is aware of the SP2 issues but is not fretting. He will turn off ICF because the credit union already has desktop firewalls in place. He says DCOM and RPC changes are not a big risk because his financial applications were designed with security in mind.
"DCOM and RPC should already have been taken care of by people who care about security in their applications," says a software configuration manager for a large consulting firm, who asked not to be identified.
The manager says he isn't worried about the effects of RPC and DCOM changes after testing his applications against SP2. "I suppose a few things might still break, but we will go back and fix them," he says.
As for ICF, he will not use it to replace his Zone Labs desktop firewall because he feels ICF is not enterprise ready. "Its lack of reporting tools and outbound filtering make it undesirable," he says.
Microsoft didn't include the outbound filtering because it would have caused even more problems for applications, according to Patrick Hynds, CTO for CriticalSites, a custom application development firm in Burlington, Mass. Microsoft made other concessions, including not restricting RPC clients that use its named pipe protocol sequence. Restricting those clients also would have caused significant backward-compatibility problems, the company says.
"Microsoft has to keep these security improvements from becoming a backward-compatibility issue," Hynds says. He says he thinks it will succeed. "The SP2 issues are not exactly as hyped as Y2K, but they will have the same impact," he says. In 2000, gloomy Y2K predictions ended with a whimper.
Hynds says the real enduring impact might be "preventing people from being terminally naive about security."
"I can't say what percentage of applications will be affected, but we know we will affect certain categories of applications," says Tony Goodhew, a product manager in Microsoft's developer division.
The debugging feature in Microsoft's Visual Studio .Net development tool is one break point. The company is providing a workaround until Visual Studio 2005 ships, but versions before Visual Studio 2002 will not be upgraded. Microsoft also will issue upgrades to its .Net Framework to support new memory-protection features.
Spreading the word
In the meantime, the company continues its relentless security public relations campaign. Last week, Chief Software Architect Bill Gates distributed an open letter outlining Microsoft's progress on its newfound security commitment. Microsoft also has been spreading the word about SP2 by issuing a white paper in December and posting online training courses for developers in February. Over the next few months it will offer a Webcast and host training sessions at its TechEd conference.
Microsoft's changes are needed to improve security in its operating system, according to McCaffrey, Gonzalez, Hynds and others.
"This might be the point we look back on and say that is when Microsoft started to treat the client as a mission-critical utility," says Peter O'Kelly, an analyst at Burton Group.
However, that transition will have rough spots, he says. Because it will be hard to test all corporate applications for compatibility with SP2, companies will simply have to react as applications break.
"As Microsoft flips the defaults, we will have to work harder," says Eric Schultze, chief security architect at Shavlik Technologies LLC, which develops patch management tools that will be affected by ICF. The company plans to release documentation to help users configure ICF to work with their tools.
The cascade of security changes also will affect the way companies approach Windows Server.
"Microsoft is definitely changing the landscape," says Jon Box, senior architect for Quilogy Inc., a professional services firm in St. Charles, Mo. "Developers and systems administrators will have to take some more time to figure things out."
The final release of XP SP2 is expected to emerge this summer, and be followed by the delivery of Service Pack 1 for Windows Server 2003, which will incorporate server-specific security features found in XP SP2. Microsoft also is creating server security guidelines for legacy, enterprise and high-security configurations for settings such as passwords and accounts that will force users to closely evaluate and test changes.
"The higher the settings, the more chance you have to break applications," says Dan Blum, an analyst with Burton Group. "Enterprises will have to start doing risk analysis for applications and see how safe it is to unlock (operating system) features as opposed to how much it will cost to rewrite applications."