Windows XP Service Pack 2 with Advanced Security Technologies Review


Paul Thurrott

October 6, 2010


Review index

New Security Center dashboard
Enhanced firewall protects your system, even during boot time
Internet Explorer: Say goodbye to pop-up ads and drive-by downloads
Block unsafe attachments in Outlook Express and Windows Messenger
Better Bluetooth discovery and configuration
Automatic Updates improvements
Simple wireless configuration
A cleaner Add or Remove Programs
Under-the-hood code changes
Windows XP Media Center Edition 2004 ("Harmony")
Windows XP Tablet PC Edition 2004 ("Lonestar")
Multimedia enhancements
Problems with Windows XP SP2
What's missing in Windows XP SP2?
Conclusion

Last summer, Microsoft was prepping a dramatically different Windows XP Service Pack 2 (SP2) release than the one we're soon going to get. Back then, the plan was to deliver a simple set of critical security patches and hot-fixes in a convenient single install, combined with all of the updates and fixes the company had shipped a year earlier in XP Service Pack 1 (SP1). Then the Slammer worm hit and everything changed. Microsoft corporate vice president Jim Allchin, who knew the company was prepping a sweeping set of security improvements for inclusion in Longhorn, the next major release of Windows, also knew that Longhorn was years away and would arrive far too late to stop future Slammer-type attacks. Finally, Allchin decided enough was enough. He ground Longhorn development to a virtual standstill and told the Windows development team it had a new priority: Deliver a reenergized Windows XP SP2 that would include many of the security enhancements Microsoft had planned for Longhorn. And get it done as soon as possible.

The sudden change meant delays in Windows XP SP2, which was originally slated for a fall 2003 release. It meant delays for Windows Server 2003 Service Pack 1 (SP1), originally due in late 2004. And it also meant delays for Longhorn, with Microsoft officials finally admitting in early 2004 that the company would delay its Longhorn Beta 1 release from late 2004 to February 2005, and the final release of the product to 2006 at the earliest. Internally at Microsoft, the changes were jarring: XP SP2 was placed back in the main build lab as Microsoft engineers struggled to adapt Longhorn security features to the XP code base.

What they came up with is impressive, though it falls short in a few critical areas. In the following sections, I'll detail the changes in Windows XP Service Pack 2 and how they will change your computing experience.

New Security Center dashboard

A new dashboard called the Security Center (Figure) will appear any time the system detects that your firewall, anti-virus (AV), or automatic updating functionality is turned off or unavailable, providing you with a front-end to correct these problems. Security Center isn't perfect--because Microsoft doesn't offer its own AV package, it integrates with only some of the available third party AV utilities out there--and only works with the built-in Windows Firewall (see below), and not popular third party firewalls like Zone Alarm. On the other hand, it's a good first step, and Microsoft representatives tell me that the company will offer XP SP2 users "competitive" offers for a variety of third-party AV products. For third party firewall users, your only option is to turn off Windows Firewall and set Security Center's "Firewall" setting to "Unknown," which tells the system you'll manually monitor your own firewall settings, thank you very much. You can also use its Alert Settings to turn off firewall (and Automatic Updates and virus protection) alerts if you don't want to be nagged.

As a security dashboard of sorts, Security Center also provides links to security resources on your local hard drive and at Microsoft.com, including help files and other documentation, information about security and viruses, and the like. Security Center can be manually launched from Control Panel--a fairly logical place--or buried deep in the Start Menu under Programs -> Accessories -> System Tools for you spelunkers.

Overall, Security Center is a handy tool for quickly assessing the security of your system, assuming that you own a compatible AV product. But it does nothing to assess other critical security states, such as whether you have any spyware, anti-spam, or privacy protection software installed. I suspect we'll see some dramatic improvements to this functionality as we move to Longhorn.

Enhanced firewall protects your system, even during boot time

The new Windows Firewall is arguably XP SP2's most important feature, and it's certainly the most well-known: That's because the Windows Firewall's predecessor--XP's Internet Connection Firewall (ICF)--could have prevented Slammer and other electronic attacks last year if only the company had decided to ship it turned on by default. Instead, millions of customers were infected with worms and viruses. Well, Microsoft got the message, and Windows Firewall's single biggest feature is that it's turned on by default.

Perhaps unsurprisingly, Windows Firewall includes other improvements over ICF. Most obviously, it presents a far simpler and accessible user interface for configuring its myriad of features, many of which weren't present in ICF (Figure). For example, the default state of Windows Firewall is on, but with exceptions. These exceptions are basically a list of the programs that you allow to receive messages from the outside world (Windows Firewall doesn't prevent outbound, application-initiated communications). On my laptop, I'm currently allowing File and Printer Sharing, HotSync Manager, iTunes, Microsoft Office FrontPage, Remote Assistance, and Virtual PC to receive messages from the outside world. But the Messenger service, Remote Desktop, and other services are cut off.

When you access the Internet from a potentially unsafe place, like a hotel, airport, or coffee shop, you can configure the Windows Firewall for "On, but don't allow exceptions," which will ignore the settings in your Exceptions list. This is a great idea, but poorly implemented in SP2. First, it's not semi-automatic, as it should be (with appropriate communication about what the system is doing after it detects the network settings). Second, there's no easy way to turn it on or off. The fastest route to this feature is to click Start -> Control Panel -> Security Center, and then select the "Windows Firewall" icon, a multi-step process at best. Then you need to remember to reset it to "On" when you're back at home or the office, going through the same navigational steps. Ah well.
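The mode switch described above can also be scripted from the command line. This is an added example, not part of the original review: it assumes the `netsh firewall` command context on an XP SP2 machine and an administrator account, and the script name `fwmode.cmd` and its `roaming`/`trusted`/`status` arguments are hypothetical.

```batch
@echo off
rem fwmode.cmd -- added example; the script name and its arguments are hypothetical.
rem Switches Windows Firewall between the two "On" modes the review describes,
rem using the netsh firewall context on Windows XP SP2. Run as an administrator.
setlocal

if /i "%~1"=="roaming" goto roaming
if /i "%~1"=="trusted" goto trusted
if /i "%~1"=="status"  goto status

echo Usage: %~n0 roaming ^| trusted ^| status
echo   roaming  On, but don't allow exceptions (hotel, airport, coffee shop)
echo   trusted  On, with the Exceptions list honored (home or office)
echo   status   Show the current operational mode and the allowed programs
exit /b 2

:roaming
rem Firewall stays enabled; every entry in the Exceptions list is ignored.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
if errorlevel 1 goto failed
goto status

:trusted
rem Firewall stays enabled; the Exceptions list applies again.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
if errorlevel 1 goto failed
goto status

:status
rem Always print the resulting mode so the change can be confirmed by eye.
netsh firewall show opmode
netsh firewall show allowedprogram
exit /b 0

:failed
echo Could not change the firewall mode. Are you running as an administrator?
exit /b 1
```

Running `fwmode roaming` before joining an untrusted network and `fwmode trusted` afterwards replaces the Control Panel round trip, and neither mode ever turns the firewall off.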

You can also turn your firewall off, of course. Doing so will launch an annoying series of pop-ups, which is probably for the best, though you can turn them off by delving into Security Center's Alert Settings.

One other important note about Windows Firewall: Because you may have multiple network connections (many XP users have a separate wireless and wired connection, for example), the Windows Firewall settings apply to all network connections by default, and it can only be configured on a connection-by-connection basis by navigating through the Advanced tab of the Windows Firewall settings window. I suspect the rationale for this decision was simplicity: Microsoft wants people to simply turn on this feature and leave it on, not worrying about it further. That's my advice as well.

In use, Windows Firewall is slightly less annoying than competing firewalls like Zone Alarm, and it's even on during boot-up, which will provide additional protection during a usually vulnerable time. In Windows, the first time an application receives a message from over a network connection, Windows Firewall will pop-up a dialog box, which you must respond to before any data transfer takes place. This places a bit of responsibility squarely on the user's shoulders, which is probably for the best. On the other hand, I can't help but wonder what kind of support calls this feature is going to cause. Naturally, Microsoft is smart enough to correctly handle its own features: If you turn on file and print sharing elsewhere in the UI, Windows Firewall won't prompt you the first time someone tries to access a printer you may be sharing. Windows Firewall gets a hearty thumbs-up.

Internet Explorer: Say goodbye to pop-up ads and drive-by downloads

It's hard to even remember when Internet Explorer (IE) was on the front burner at Microsoft: This once proud Web browser has languished in the background in recent years as speedier competitors like Mozilla Firefox steal all the press with innovative features and standards-compliant Web page rendering. With XP SP2, IE gets a small polish, and the result is a product that answers about 50 percent of my IE complaints. The obvious change is that IE now blocks pop-up ads by default, and it's a welcome addition. Over the past few years, IE users have fallen victim to insidious pop-up (and so-called pop-under) ads, IE windows that arrive unbidden when you visit malicious Web sites. You know what I'm talking about.

In XP SP2, the pop-up ad blocking feature is particularly well done, and it doesn't require an additional IE toolbar like other similar solutions. Each time you hit a Web site that attempts to open a pop-up window, IE opens a small yellow panel called the Information Bar at the top of the browser display area, alerting you (Figure). If you wish to open the window, just click in the Information Bar and a small menu offers you that ability. You can also configure whether certain sites can always launch pop-ups, which might be valuable in certain cases. You can also optionally configure IE's pop-up blocker to play a sound when pop-ups are blocked, or hide the Information Bar.

The second major improvement is that Microsoft is finally preventing drive-by downloads in IE, another major problem with pre-SP2 systems. Previously, properly configured Web sites could silently install code on your system that would provide new functionality to IE. But this feature--called drive-by downloading--could be used by malicious Web sites to infect your system with viruses, worms, or other malware. So Microsoft has turned off the capability in IE, finally saving users from an invisible and silent danger on the Web. Instead, you're presented with a dialog box explaining the risk, and if the download is from a source you trust, you can elect to install it.

Of course, most people have been using IE for some time, and if you upgrade to SP2, you might already have some suspicious code on your system. For these users, Microsoft is also providing a Manage Add-ons applet in IE that lets you view the IE add-ons that are installed, and disable any previously-installed add-ons you don't want (Figure). Like many related security changes in SP2, this feature might eventually be the root of support calls, as overly-cautious users disable necessary add-ons and then wonder why Web sites they visit regularly don't work properly any more. In the interests of security, it's better to be safe than sorry, however.

Sadly, IE is still missing two crucial features. First, IE doesn't offer the handy tabbed browsing feature that virtually every single other browser product on the market now offers. This feature lets you open secondary windows inside the same browser window, and not in separate windows, as IE requires. It lets you open multiple Web pages at a time without the mess of having multiple IE windows cluttering your desktop and taskbar. Well, at least it would if Microsoft offered it. Right now, you have to turn to competitors like Mozilla Firefox and Opera to get tabbed browsing.

Second, IE's somewhat laughable compliance with Web standards has fallen far behind that of the competition, including the afore-mentioned Firefox and Opera. As I write this, IE holds a commanding 95 percent market share among Web surfers, and most Web sites are tested in IE first, or only with IE, making this complaint seem somewhat silly on first blush. But the Web is built on standards, and there are advanced text and graphics rendering capabilities--particularly in the CSS specifications--that IE cannot take advantage of. And Microsoft's ignorance of these standards is slowing Web and Web application development to a standstill, requiring Web developers that really do care about their users to create stupid workarounds for different browser versions.

Overall, IE's improvements are welcome, though I wish the company would take the extra time to bring IE up-to-speed with the competition. I use Mozilla Firefox for my daily browsing needs and will continue to do so.

Block unsafe attachments in Outlook Express and Windows Messenger

Generally speaking, the number one reason most Windows systems get infected with viruses is that users open email attachments from senders they don't know. Despite high profile news campaigns to alert people to the danger of this activity, every day, all around the globe, people continue opening attachments. Those people need help. Literally, they need to be saved from themselves.

With SP2, Outlook Express (OE), Microsoft's freebie (and barely supported) email client, and Windows Messenger, Microsoft's bundled (and barely understood) instant messaging client for business users, finally get unsafe attachment blocking. So when someone sends you an email message or instant message (IM) attachment with an EXE or similar extension, OE or Windows Messenger, respectively, will prevent you from double-clicking and opening that attachment. As with a similar feature in Microsoft Outlook, you can get around this limitation, but OE and Windows Messenger include a handy additional feature that will soon be made available to third party email applications: Any unsafe attachments that are downloaded are swept into a special folder that is logically separated from the rest of the system. If you attempt to run the program, it will fail. If you attempt to move the file to a new, unsafe, location (like the desktop), or rename the file, it will still fail. Ultimately, you can get around this behavior by accessing the file's Properties dialog and accessing a new option. But it's heartening to see Microsoft providing an OS-level improvement that will ultimately benefit all email users. Well done.

I still have questions about the viability of Outlook Express, however. To my knowledge, OE was barely updated during the XP development cycle, and I do know that the MSN email and OE teams were recently combined to create a new low-end email client that will ship in Longhorn. It seems to me that OE is somewhat of a dead-end. Someone please tell me I'm wrong.

Better Bluetooth discovery and configuration

Thanks to a coincidence of timing, Windows XP shipped without support for Bluetooth, an ever-emerging replacement for IR wireless communications between devices. However, beginning in 2002, Microsoft began adding Bluetooth support to Windows XP through a software update and drivers for its Bluetooth mice and keyboards. In XP SP2, Bluetooth-equipped users will see huge improvements in the way XP detects and interacts with Bluetooth devices.

If your PC is Bluetooth-equipped, and the Bluetooth receiver is enabled, you'll see a small blue Bluetooth logo in the system tray. From here, you can access various Bluetooth-related tasks, such as adding a device, sending or receiving a file, or joining a Personal Area Network (PAN) (Figure). Bluetooth is also a bit more obvious in the Control Panel (it's listed under Printers and Other Hardware) and includes a slick new Control Panel applet with a nice wizard for adding Bluetooth devices. For security reasons, you can add a passkey to any Bluetooth-compatible device (Figure), ensuring that it's "locked" to your system (you wouldn't want a Bluetooth mouse on one system to control the cursor on another, for example).

It's nice to see Microsoft finally treating Bluetooth like a first class citizen, if you'll excuse the terminology, but I still have my doubts that Bluetooth will ever take off as a mainstream technology. Regardless of my opinion, XP SP2's Bluetooth support is top-notch and much appreciated.

Automatic Updates improvements

Say what you will about Microsoft, but the company has always been at the forefront of delivering software updates electronically, and though competitors like Mac OS X and Linux have gained similar facilities over the years, none offer the software update simplicity and automation Windows XP has, thanks to features like Automatic Updates and Windows Update. In XP SP2, these features get a heck of a lot better, further extending Microsoft's lead over the competition.

First, you get a full-screen Automatic Updates advertisement the first time you boot a Windows XP SP2 system, which strongly recommends turning on Automatic Updates (Figure). This is good advice. Furthermore, Automatic Updates is set up, by default, to not only download, but install, any critical updates. This, too, is good advice.

Of course, if you're an idiot, you can turn off this feature. Thankfully, Microsoft has configured Automatic Updates to bug you incessantly if you turn it off. Bravo. Another win for the Good Guys.

On the back-end, Microsoft has dramatically improved the patch management technology that drives Automatic Updates and Windows Update, its manual software update tool, which also sees a usability upgrade in SP2. That means you can take advantage of small patch download sizes, thanks to new compression and delta patching technologies, simply by installing Windows XP SP2. XP SP2 users will also enjoy another unique feature called install on shutdown. If you decide to temporarily ignore a critical update install (maybe it requires a reboot and you want to finish work), Windows XP SP2 will simply install it for you, automatically, the next time you shut down. That way, when you boot up the system the next day, your system is already up-to-date. Good stuff.

I'll be covering Microsoft's patch management work in a future showcase, but the dramatic improvements to Automatic Updates and Windows Update are most welcome. Don't be caught with your pants down again, Slammer victims: Leave Automatic Updates on and let it install patches at 3:00 am or some other time you'll be away from the PC.

Finally, simple wireless configuration

Ah, where to start with XP's wireless networking support? In the original XP release, you could open a wireless-equipped laptop and automatically connect to any insecure wireless network in range; no muss, no fuss. Those were the glory days: Most wireless networks were left wide open, no one cared a whit about security, the grass was greener, and ... well, you get the idea. In the year after XP shipped, however, the problems with insecure wireless networks became readily apparent as hackers quickly figured out how to take over wirelessly-connected systems.

In XP SP1, released in September 2002, Microsoft changed the default behavior of Windows XP so that it would no longer connect to unsecured wireless networks. This was safer, but annoying: You had to click on a yellow balloon window notifying you that one or more networks were present, pick the network, and then agree that, yes, you wanted to connect even though it was insecure. Windows was supposed to remember when you reconnected to previously connected networks, but of course it rarely did. Wireless was still useful, but it became a bit of a pain.

Now, in XP SP2, wireless is back in a big way, and this time it's both convenient and secure, thanks to a new Wireless Connection Application that replaces the boring old dialog from SP1. The new application lets you easily see which wireless networks are in range, whether they're secure or insecure, and it lets you connect to them easily. Once you've OK'd an insecure connection, it even remembers and stops asking you. Nice.

But though the pleasant new interface is much appreciated, the single biggest new wireless feature is the new Wireless Network Setup Wizard, which is just sweet (Figure). The problem with wireless networking, of course, is that it's not only hard to set up a wireless network, it's doubly hard to set up a secure wireless network. No more: Using the Wireless Networking Setup Wizard, you can create a wireless network, assign a secure WEP or WPA network key for security, and then use a USB flash drive to push those settings to other XP SP2 PCs (!!!) -- That's incredible. Or, if you're a wireless wonk (you know who you are), you can set up the network manually. When you're done, the wizard offers to print out the settings so you'll have a hard copy you can reference if you want to manually add your settings to other (non-XP SP2) machines (you can also do this if you don't have a USB flash drive).

What can I say? I'm super-impressed with the wireless networking features in Windows XP SP2.

A cleaner Add or Remove Programs

Though I suspect that the guy who came up with the HTML-like Add or Remove Programs applet in Windows XP still gets surprise wedgies at work for his creation's slow performance, things have improved a bit over the years. But in XP SP2, Microsoft finally cleans up a mess of its own creation by not displaying Microsoft product updates in the default list of applications you see in Add or Remove Programs (Figure), speeding up the rendering time and keeping it confined to items one might construe as "programs". The addition of a new "Show updates" option box at the top of the window lets you toggle product updates (Figure), though arguably these should be under a new "Add/Remove Windows Updates" section of the applications, like "Add/Remove Windows Components." Hey, whatever. It's better than nothing.

Under-the-hood code changes

In addition to the visible features I've described above, Windows XP SP2 also includes a number of low-level coding changes that will make your system more secure. I won't delve into too much detail here, because frankly there isn't much to discuss, but what it boils down to is that XP is now more resilient to network-based attacks thanks to changes in the way it protects its remote access technologies and your PC's memory. 64-bit systems from Intel and AMD are particularly resilient thanks to new features of those processors that Microsoft takes advantage of.

This is one of those areas where, as a reviewer, I have to basically nod my head and pretend I understand what the interviewee is talking about. Time will tell whether Microsoft's under-the-covers coding changes will have any effect, but as with the company's wider Trustworthy Computing code review, I welcome any architectural improvements the company can make.

Windows XP Media Center Edition 2004 ("Harmony")

Users running the original version of Windows XP Media Center Edition (MCE, now renamed to Windows XP Media Center Edition 2003 after the fact) who upgrade to XP SP2 will receive the upgrade to Windows XP Media Center Edition 2004 (see my review), which includes a number of functional and stability improvements, including a revamped UI, support for widescreen displays, a new Media Guide, an Online Spotlight that features third party add-ons, and the like. XP MCE 2004 is a major upgrade over the original XP MCE, and highly recommended.

Windows XP Tablet PC Edition 2004 ("Lonestar")

Tablet PC users who upgrade to Windows XP SP2 will receive the upgrade to Windows XP Tablet PC Edition 2004 (review forthcoming), a major upgrade to the Tablet PC OS which features a vastly improved Text Input Panel (TIP) for a more natural pen and ink experience. I'll have a full review of this exciting new OS version available soon.

Multimedia enhancements

Though the company now denies it, Microsoft once pledged to keep new features out of service packs and instead offer new interim OS features only through so-called Option Packs. After releasing its first NT Option Pack in 1997, a set of updates largely centered on Internet Information Services (IIS) and the then-new Active Server Pages (ASP) technologies, Microsoft quietly reverted to using service packs as a delivery vehicle for new OS features. And sure enough, with each service pack since, the company has come under fire from customers who remembered the no-new-features pledge. As this review makes obvious, however, XP SP2 takes the concept of adding new features via a service pack to new heights. And while I expect a lot of grousing about this decision, most of the new features are arguably necessary and beneficial to all customers.

Not so with the multimedia enhancements Microsoft has added to XP SP2. Inexplicably, the company has decided to quietly slipstream recent digital media technologies into the core Windows code base through XP SP2. Gentlemen, start your complaining.

DirectX 9.0c

DirectX 9.0c is a bug-fix update to DirectX 9.0, which added a number of hardware-accelerated 3D features to Microsoft's venerable multimedia programming interface. Aimed at game makers and multimedia software authors, DirectX debuted in the Windows 95 time frame after Microsoft's first attempt at a multimedia software library, WinG, failed miserably. DirectX, however, has been a smashing success, as shown by the enormous volume of Windows-compatible games. The original version of Windows XP shipped with DirectX 8.1.

Windows Media Player 9 Series

Speaking of the original version of XP, that Windows version also shipped with Media Player for Windows XP (MPXP, nee Windows Media Player 8), a capable all-in-one media player that integrated with the underlying system to provide music and video playback and organization. MPXP wasn't a bad product, but its replacement, Windows Media Player 9 Series, was far more impressive, despite a cluttered user interface with numerous, inexplicably similar and unlabeled buttons (see my review). WMP 9 was accompanied by a revolutionary set of audio and video codecs--Windows Media Audio (WMA) 9 and Windows Media Video (WMV) 9--which, to this day, set the standard for compression, quality, and file size.

So what's the controversy? Aside from obvious questions about the need to include this product in SP2--Microsoft will no doubt argue that only the very latest version of its player features all of the latest security fixes, in a tenuous bid to tie this product to the wider security-oriented focus of SP2--there are other, wider issues at work here. Unless you've been living under a rock for the past few years, you are probably aware that the European Union (EU) recently found Microsoft guilty of illegally bundling Windows Media Player with Windows, and the EU ordered the company to ship a special Windows version in Europe that will not include WMP. With an appeal forthcoming, and years of court appearances ahead of it, why would Microsoft chance further legal reprisals by bundling an even newer WMP version in SP2? We may never fully understand the machinations of this software giant, but it seems like a curious move.

Windows Movie Maker 2.1

The original version of Windows XP shipped with Windows Movie Maker (WMM) 1.1, an upgrade to the original WMM that shipped with Windows Millennium Edition (Me) a year earlier. Microsoft shipped a small update, version 1.2, to the Web the day XP arrived, and then later delivered a major update, WMM 2 (see my review), in December 2002. WMM was (and is) an incredible release, more powerful and easy to use than Apple's vaunted iMovie application.

In Windows XP SP2, Microsoft is shipping a small WMM update, Windows Movie Maker 2.1. This release includes better compatibility with other video and audio programs thanks to a new ability to turn off other applications' video filters. WMM 2.1 also includes Digital Video (DV) pass-through, which allows you to transfer video from an analog video camera or VCR to your computer by using a DV camera to convert the analog video to a digital format. Finally, there is a new constant bit rate (CBR) default capture setting in WMM 2.1's Video Capture Wizard; previous versions defaulted to a variable bit rate (VBR) profile.

Problems with Windows XP SP2

Given the major changes Microsoft is making to XP in this service pack, you might expect that certain incompatibilities will crop up. These assumptions are correct: During the XP SP2 beta, testers identified a number of problems with existing applications. And in my own tests, I've seen a few issues too, though none are application-related. The biggest one involves my Netgear print server: Pre-SP2 machines have no problem finding and printing to the printer that's attached to it, but it's invisible to SP2 boxes. The culprit, naturally, is Windows Firewall, and now that I've tested XP SP1 with Internet Connection Firewall (ICF) enabled, I can verify that the print server didn't work with that set up either (my pre-SP2 Windows XP boxes didn't use ICF). I haven't found a solution to this problem yet, but I do know that the print server works with both Zone Alarm and Tiny Personal Firewall.

I've also had problems with Internet Explorer's new security features. A classic example involves Web sites that use ActiveX controls to transfer files. I recently purchased a Microsoft Reader-compatible eBook from FictionWise (Isaac Asimov's classic I, Robot if you're curious) but was unable to get the site to download the book to my system. After numerous attempts, involving a whack-a-mole-like effort to click the "Allow ActiveX controls to download applications" option from the IE 6 Information Bar quickly enough before it disappeared, I finally had to resort to downloading it from an infrequently used XP SP1 machine. But even that download was problematic because FictionWise requires you to install and activate Microsoft Reader on a system before it will download files. The entire episode was infuriating, turning what should have been a five-minute shopping experience into a nightmare. I can only think that compatibility problems like this will cause normal users fits. Heck, I barely got through it without screaming.

And that, I suspect, is going to be the problem with SP2. Despite its incalculable security benefits, XP SP2 is going to drive some people crazy. Suck it up, folks: We're in bunker mode now.

What's missing in Windows XP SP2?

Now that I've spent a number of months with Windows XP Service Pack 2, I'm struck by two mutually exclusive feelings. On the one hand, XP SP2 is a much-needed update for XP, one that will provide a level of security previously unheard of in desktop versions of Windows. But on the other hand, despite the numerous security advances in SP2, there are a number of equally necessary features that are missing from SP2. Here's where Microsoft is coming up short in providing necessary functionality for its customers. Who else is already ready for SP3?

No built-in Trojan scanning, detection, and removal tools

While XP SP2's Windows Firewall feature and attachment download services will likely protect many customers from Trojans and other electronic attacks, the product offers absolutely no tools to help you in the event that an attack is successful. Today, third parties offer a myriad of tools that can scan your system, detect malware, and then remove it. The reason these tools exist is because most of our Windows systems are indeed infected with a wide variety of electronic junk, some of it quite malicious. At the very least, this malware is intrusive and annoying, and can often hamper our systems' performance. Microsoft needs to license one of these solutions, or create one in-house, and make it a core part of Windows security.

No built-in antivirus

Though XP SP2 integrates with a variety of third-party antivirus solutions, Microsoft won't have its own subscription-based antivirus product ready until Longhorn ships, a full two years from now. There are two problems with this approach. First, it's too far in the future to do any good now, when we're getting whacked every day by electronic attacks. Second, antivirus shouldn't cost anything. Instead, it should be a core part of Windows, and we should be able to download updated virus definitions via Automatic Updates, for free, as part of the value of investing in Windows. Anything less is an insult, and until Microsoft understands this--and realizes that the decline of a few third-party applications is less important than the loyalty of its hundreds of millions of customers--we're all at risk.

Best deep-level security available only on next-generation AMD-64/Intel EM64T hardware

If you're lucky enough to own an AMD-64-based system (Athlon 64 or Opteron, out now) or an upcoming Intel next-generation Pentium 4 and Xeon (due late this year), Windows XP SP2 will offer a unique hardware-software buffer overrun protection feature that utilizes the NX (No eXecute) code in those processors. However, today, virtually no one runs such a system, leaving the vast majority of Windows users open to one of the most basic electronic attacks of all time. A buffer overrun is basically a software flaw that lets data stomp all over a portion of memory reserved for executable code. Surely, there must be a software-based approach that can solve this problem. You know, a little protection for the rest of us?

Near-impossible to set up wireless sharing

On Mac OS X, it's very easy to connect to a broadband (or dial-up) connection via Ethernet (or, respectively, the modem) and then share that connection wirelessly with your Mac's built-in wireless connection. On Windows XP, even with the new Wireless Setup Wizard and simpler wireless configuration tools in Service Pack 2, it's virtually impossible to accomplish this simple and commonly needed task. Come on, Microsoft. This isn't rocket science.

Conclusion

I've been reviewing Windows products for a decade now, and very rarely have I been able to wholeheartedly recommend any product. Windows XP Service Pack 2 (SP2), however, is such a product, despite the potential for software incompatibilities and certain missing features. Barring a massive incompatibility issue, virtually every Windows XP user should upgrade to this release as soon as possible, in order to take advantage of its enhanced security features. And for heaven's sake, do yourself a favor and leave Windows Firewall and Automatic Updates on, please. Get a compatible antivirus package; I recommend McAfee VirusScan, which is relatively inexpensive, lightweight, and unobtrusive, or Symantec's corporate-oriented AntiVirus product. Finding incompatibilities with Windows Firewall? Try a third-party product, such as ZoneAlarm or Tiny Personal Firewall; either one is superior to Windows Firewall and offers outbound protection as well as inbound, a feature Windows Firewall lacks.

And yes, you will run into incompatibilities, count on it, so evaluate SP2 as quickly as possible. Find those incompatibilities, and then figure out a workaround that makes your existing solution work. But realize that security is the priority. Do the right thing going forward, and your system will pay you back by keeping your precious data safe the next time a Slammer-type attack occurs. Windows XP SP2 will make your system more secure, if you let it. But if you ignore or put off this release, you'll only be hurting yourself.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
