MIT Information Services and Technology    




Microsoft Windows XP Service Pack Release Notebook: version SP2


Overview

News flash!
IS&T recommends Windows XP SP2 - 9/14/2004

Windows XP SP2 has many updated security features that will protect against various network attacks. However, it will not protect against all Internet Explorer (IE) vulnerabilities. It is essential that MIT community members do not acquire a false sense of security and that they continue to keep machines up to date by installing critical updates and patches as they become available. IS&T recommends that users enable MIT's Windows Automatic Update Service (WAUS) to automatically obtain updates.

In Windows XP Service Pack 2, Microsoft is introducing a set of security technologies that will help to improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms. The technologies include enhanced:

  • Network protection
  • Memory protection
  • E-mail handling
  • Web browsing security
  • Computer maintenance

Together, these security technologies will help to make it more difficult to attack Windows XP, even if the latest updates are not applied. These security technologies together are particularly useful against worms and viruses.

In addition, this service pack also includes updates designed to improve the performance and stability of several Windows features.


Timeline

We plan to release Windows XP SP2 soon after the vendor releases it in August.

News

Microsoft released SP2 for Windows XP on August 9, 2004.

IS&T recommendations about what to do about SP2 pending an MIT recommendation. 8/12/2004

Announcements

  • IS&T Update on Windows XP SP2 - August 25, 2004
  • Update on MIT progress with Windows XP SP2 - August 21, 2004
  • Microsoft releases SP2 for Windows XP - August 12, 2004
  • Windows XP SP2 Evaluation Underway - June 21, 2004

Key Decisions

  • Evaluate major software packages with the ICF (Windows Firewall) enabled
  • Test with beta and final release candidates of SP2

Notable Features

  • The firewall will be turned on and operating in both directions
  • Messenger will be turned off by default
  • Media Bar has been removed from Internet Explorer 6
  • New version: Windows Messenger 4.7.3
  • New version: Windows Movie Maker 2.1
  • You can no longer print or print preview a Web page that includes an ActiveX object
  • XP SP2 includes a new power-management option for Windows XP. You can now use the tool Powercfg.exe to configure power-management settings from the command line
  • The new Wireless Network Setup Wizard makes it easier to create a security-enabled wireless network and add a new computer or device to an existing wireless network
  • When you install SP2, Internet Explorer 6 is updated and includes a new security setting, called Binary Behaviors. To view this setting, click Tools, click Internet Options, click Security, and then click Custom Level.
  • The Security Center is a new feature in SP2 that tracks and reports your computer's security settings and sends you alerts if your settings might be putting your computer at risk.
  • Automatic Updates will help improve the security of your computer. By default, after you install SP2, these updates are installed automatically when you shut down your computer. If the 'Turn off computer' dialog box appears, it displays a new security shield icon that gives you the option to 'Update and Turn Off' your computer. If you choose this option, the downloaded updates are installed, and then your computer shuts down.

Changes to functionality in Microsoft Windows XP SP2 - Parts 1-8



System Requirements

Windows XP


Testing

Testing was conducted on various hardware configurations and also included testing the current suite of supported applications. The test matrix is available for review.

The summary of testing with SP2 has been very positive and most things work as expected. See the Test Matrix for detailed information about specific products.

We have learned that SP2 started installing by default through Automatic Update on Wednesday, August 25. For more information on what you can do to prevent this, visit What to do about SP2 pending an MIT recommendation.

Early testing RC1/RC2 (May - July):

On a VMware machine, with virtual networking "NAT" set to start the service, I configured Control Panel>System>Auto update and selected "Automatically download the updates and install them on the schedule that I apply".  The time was 7:10AM and I opted to have this occur "Everyday at 8AM".  I clicked on apply.  A few minutes later, the update icon appeared in the task bar. I checked the machine at 8:04AM, when the downloads were occurring, and was given the option to click yes or no to install the updates when done.  A dialog below the download box said installation would occur automatically within 50 minutes.

At 8:40AM, the updates had finished the installation process and I was prompted that the machine would restart in 10 minutes.  Upon logon and checking the properties, the version remained at "Windows XP 2002".  I configured auto update to update again at 9AM.  Nothing happened, so I configured it for 10AM.

Still nothing happened, and I decided to commit the changes and power back on to see what happens.

This morning (5/20), I changed the time to update every Thursday at 9AM.  Immediately, the update icon appeared in the task bar.  At 9AM, I was prompted that the updates would install in approximately 4:35 minutes.   One update installed, however SP1 did not.  When I did a scan, SP1 was the only thing listed to be installed.  All other updates were installed.

Windows XP SP2 RC2:
The Windows Security Center control panel now recognizes installations of VirusScan:

"VirusScan reports that it is up-to-date and virusscanning is on".
(Note: You now have antivirus software that Windows can monitor. Click recommendations to find out how). When clicking on recommendations, there is a check box which is on by default: "I have an antivirus program that I'll monitor myself. Note: Windows won't monitor your virus protection status and won't send alerts if it is off or out-of-date." I unchecked it to see what will happen. Stay tuned...

Upon downloading VirusScan 8.0i, an Information Bar appeared and made a bleeping sound. The Information Bar is an alerting system that sounds off when Internet Explorer blocks a pop-up window or file download that may not be safe. The option to "Do not show this message again" is available and also a link to learn more about the Information Bar. To obtain the download, options given are:

  • download file
  • what's the risk?
  • information bar help

Chose to download the file.
Having an older version of beta VirusScan (7.5), I uninstalled to see if what I enabled earlier by having Microsoft monitor virusscan would create a message or dialog to say none was installed. When launching the windows security center panel, it stated that windows did not find any antivirus software on this computer. This was the result found within RC1 even though VirusScan was installed. On to installing VirusScan 8.0i.

Upon running the VirusScan Enterprise 8.0ib2 msi, I was prompted that I needed to reboot and again after installation. Received a dialog that VS was not Windows XP logo certified and could run into issues when using certain applications. Running the update was fine.

Known Issues

Windows XP Service Pack 2 (SP2) is the largest free operating system upgrade Microsoft has ever released and provides enhanced security measures that will hopefully improve defences against viruses, worms and hackers, along with increased manageability and an improved experience for users. In addition to security and bug fixes, it will change many default settings to improve security. The items listed below are the current known issues within the RTM:

General:

  • The installation process for SP2 may take an hour or more depending on the speed of your computer and your connection to the Internet.
  • This Service Pack requires the machine to be on AC Power before setup starts. If the battery power runs out during the update, the update cannot be completed.
  • One of our testers encountered problems with a Dell notebook TouchPad which was corrected (i.e. could have been avoided) by following these Dell recommendations. It is recommended that notebook users check with their respective vendor to check for any issues or cautions prior to installing SP2.
  • When launching certain Internet or "Internet-enabled" applications that require the use of ports that are blocked by the new Windows Firewall (e.g., Dreamweaver, SAP, WinZephyr), you will see a Windows Security Alert. Options include: Keep Blocking, Unblock, and Ask Me Later. Unblocked programs are automatically added to the Windows Firewall Exception list, which prevents the dialog from appearing again. For more information, see Security Warnings for Some Internet Programs.
  • If you have an HP LaserJet 8150 printer, you may not be able to print after installing SP2. The printer driver will need to be reinstalled. (During testing at MIT we did not find this problem, but it has been noted by Microsoft.)
  • Software applications in addition to those noted in this document may behave differently with SP2. For more information, see Microsoft's Programs that may behave differently in Windows XP Service Pack 2.
  • If you check or scan for Microsoft Office updates after upgrading to Windows XP SP2, you will be prompted to install ActiveX in order to obtain current and future Office updates.
  • Within Internet Explorer (with the default settings on), an Information Bar will appear and Windows will make a sound (if your sounds are on) when a web site tries to:
    • Install an ActiveX control on your computer
    • Open a pop-up window
    • Download a file to your computer
    • Run active content on your computer
    • Run an ActiveX control on your computer in an unsafe manner
    Click on the Information Bar for further details.

With IS&T-supported software:

  • You may experience what appear to be problems with rollovers and JavaScript when using Internet Explorer (e.g., during general browsing or when using Dreamweaver's Preview feature). SP2 updates Internet Explorer to block "active content" in web pages. The following message will appear in IE's new Information Bar: "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options." Because active content is a potential hazard to your computer, you should be certain that you trust the publisher of a script or ActiveX control before you decide to give it access to your computer. If you are certain that you want to allow the page to run scripts and ActiveX controls on your computer, you can click the Information Bar, then click Allow blocked content.
  • After installing SP2, you may notice that messages in Microsoft Outlook are not sent immediately. The message remains in your Outbox folder longer than you expect. To work around this problem, click a folder other than the Outbox folder, or open any e-mail message. This action sends a remote procedure call (RPC) to the Exchange Server, and the e-mail messages in your Outbox folder are sent. (During testing at MIT we did not find this problem, but it has been noted by Microsoft.)
  • Recent testing of VirusScan 7 with the final release of SP2 was successful; however, upon using VirusScan's AutoUpdate feature immediately after install, you may see the following message appear:
    "The update failed to version 4.3.20. Upon a second running of the AutoUpdate feature, the update succeeded to version 4.0.4386."
  • You could experience problems using WinZephyr after installing Windows XP SP2.
  • SAPgui 6.20 and 4.6D do not display message contents in the Inbox - issues have been resolved- 8/20/2004.
  • Minor issue:
    This affects users of MIT Kerberos for Windows who import tickets from the Microsoft Windows Logon Session Cache. Windows XP SP2 locks down the machine to prevent the exporting of Kerberos TGT session keys unless you instruct Windows to do otherwise.

    MIT KFW 2.6.4 will automatically set the appropriate key. It is recommended that KFW 2.6.4 be used on Windows XP SP2. However, if you must use an earlier version you will have to set the following value in the registry:

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
    AllowTGTSessionKey = 0x01 (DWORD)
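
    One way to check the current state of this value and, only where an earlier KFW version must be used, set it from an elevated PowerShell prompt. This is an added example, not part of the original notebook or of MIT KFW; the function names and the -Enable switch are hypothetical.

```powershell
# Added example (not from the original notebook). Run from an elevated
# PowerShell prompt. Function names and the -Enable switch are hypothetical.
param([switch]$Enable)

# Key and value exactly as given in the text above.
$KerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$ValueName   = 'AllowTGTSessionKey'

function Get-TgtSessionKeyState {
    # 'NotSet' and 'Blocked' both mean the SP2 lock-down is in effect.
    $prop = Get-ItemProperty -Path $KerberosKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    if ($prop.$ValueName -eq 1) { return 'Allowed' }
    return 'Blocked'
}

function Enable-TgtSessionKeyExport {
    # Create the key if it is missing, then write the DWORD value 0x01.
    if (-not (Test-Path $KerberosKey)) {
        New-Item -Path $KerberosKey -Force | Out-Null
    }
    New-ItemProperty -Path $KerberosKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-TgtSessionKeyState
Write-Output "AllowTGTSessionKey before: $before"

if ($Enable -and $before -ne 'Allowed') {
    Enable-TgtSessionKeyExport
    Write-Output "AllowTGTSessionKey after:  $(Get-TgtSessionKeyState)"
} elseif (-not $Enable -and $before -ne 'Allowed') {
    # Report only: KFW 2.6.4 sets the value itself, so no manual change is needed there.
    Write-Output 'No change made. Use -Enable only where a KFW version earlier than 2.6.4 is required.'
}
```

    Run without -Enable, the script only reports. Because the value relaxes a restriction that SP2 introduces, an 'Allowed' result on a machine that does not import tickets with an older KFW is worth reviewing.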

With non IS&T-supported software:

  • The current stable client of OpenAFS for Windows is 1.3.70.
    Note: All users are strongly encouraged to upgrade to this release prior to the installation of Windows XP SP2.
  • There is a serious incompatibility between Microsoft Windows XP SP2 and all previous versions of AFS for Windows whether released by IBM/Transarc or OpenAFS.org. The afslogon.dll which provides the Integrated Logon functionality violates newly imposed security restrictions. These restrictions cause network operations performed during DLL process attachment to block forever. This will prevent proper loading and unloading of user profile information. Depending on the version of AFS, the boot cycle of Windows XP SP2 may fail to complete.
  • Norton Antivirus users will need to download a Norton update after installing SP2.
  • Symantec Ghost Corporate software needs to have certain ports open in order for it to function properly.
  • Some inconsistent results were noted with testing of Timbuktu Pro b914 and b933 in the MIT environment. On at least one SP2 installation, loss of remote session hosting (black screen shown on client) was observed. Netopia acknowledges the issue with Timbuktu Pro and XP SP2 and promised a patch shortly after the public SP2 release.

Notable Security Features:

  • The first thing users will notice upon upgrading/installing XP SP2 will be the new Security Center Control panel which opens upon restarting after the installation.
    • The Windows Firewall is enabled by default and will be IS&T's recommendation
    • When the firewall is disabled, users will receive a Windows Security Alert dialog box notifying them that it is turned off, and the Windows Security Alert icon remains in the system tray.
    • Automatic update is set to install updates after checking with the user.  MIT IS&T recommends users configure MIT's WAUS to obtain automatic updates:
      < http://web.mit.edu/ist/topics/windows/updates/ >
    • Virus Protection: If VirusScan is installed, this setting will detect that it is up-to-date and on.
    • Located at the bottom is Manage Security Settings for Internet Options, Automatic Updates and Windows Firewall
      • Internet options (same as Internet Explorer options file)
      • Automatic updates (choose options)
      • Windows firewall
    • Tabs within windows firewall:
      • General (on, off, don't allow exceptions)
      • Exceptions (allows users to add programs, ports)
      • Advanced (Network connection settings)
        • Security logging (creates a log file for troubleshooting purposes)
        • ICMP (Internet Control Message Protocol): lets computers on a network share error and status information
        • default settings (restores firewall settings to a default state)
    • Windows Firewall and Automatic updates, in addition to being part of the security center, are stand alone control panels and can be configured from within.
  • Another noticeable feature is the network connection (icon) located in the system tray.
    • Pop up block: Pop up block only functions within Internet Explorer.  This functionality is non-existent within Netscape or Mozilla.
      • "Pop up blocked, to see this popup or additional options, please click here":
        • temporarily allow popups
        • always allow popups from this site
        • settings
          • turn off pop up blocker
          • show information bar for popups
          • more settings...
            • exceptions
          • information bar help
      • (can manually disable pop up blocker within internet options)
    • File Download Security warning. (can disable this within the security tab of internet options, auto prompting for file downloads)
      • run, save or cancel
    • Open File security warning: (when launching installers);
      Running msi's:  Unknown Publisher dialog.
    • By default, Windows blocks the installation of signed code if it has an invalid digital signature.
      • If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, since someone might have tampered with it. By default, Internet Explorer blocks ActiveX applications that are unsigned that come from the Internet zone. This extends that functionality so that it applies to all code with invalid signatures.
        How this affects the MIT Community:
        Users will find that when launching an .msi (installer) via Internet Explorer, or by saving the installer to disk before running it, they will receive a security warning:  "The publisher could not be verified.  Are you sure you want to run this software?"  This can be turned off by deselecting "Always ask before opening this file".  This does not happen if launched using either Netscape or Mozilla.
    • Information bar:
      The Information Bar is an alerting system that sounds off when Internet Explorer blocks a pop-up window or file download that may not be safe.  The option to "Do not show this message again" is available and also a link to learn more about the Information Bar.
      • To obtain the download, options given:
        • download file
        • what's the risk
        • information bar help
  • Tablet PC users:
    Installing SP2 RC2 will update your installation to Windows XP Tablet PC Edition 2005 (codename Longhorn)
    http://www.microsoft.com/windowsxp/tabletpc/evaluation/lonestar/default.mspx

Documentation

Existing or Planned Documentation:

Documentation Name | Exists | Ready | Assigned To
Windows at MIT (Topic Page) | | | Carol Wood
Windows XP: Product Page | | | Carol Wood

Release Team

Deb Bowser - SWRT
  Product Release Coordinator
Jonathan Hunt - SWRT
  Windows Platform Coordinator
Deb Bowser - SWRT
  Quality Assurance Coordinator
Carol Wood - TWS - Tim Brennan - TWS
  Documentation Writer - Senior Technical Writer
Bill Brids - TH
  Tech Help Representative
Mark VanDyke - ITSS
  Network Security Team

If you would like to contact the team, please send email to winxp-release@mit.edu.

Meeting Minutes

  • No Meeting Minutes at this time.

Support

If you have a question or need assistance, please contact the Computing Help Desk at computing-help@mit.edu or x3-1101 or visit their web site for more support resources.
