Windows XP SP2: Don't fear the reaper
- 30 June, 2010 04:40
An open letter to those who are distraught over the impending retirement of Windows XP SP2:
Windows XP SP2 enthusiasts, this is a sad time for you.
Microsoft, eager to get us all to use Windows 7, has announced that XP SP2's days are numbered -- at least in terms of support and security updates.
Change is hard, and this will be no exception. Microsoft will stop supporting Windows XP SP2 after July 13. That means no more security fixes on Patch Tuesday. You can soften the blow by updating to Windows XP SP3, which will be supported until April 2014. But that doesn't make this much easier. It's still a major update, and major updates are fraught with problems. It's a fact of life.
Your anxiety is made worse by what this ultimately means -- an across-the-enterprise switch to Windows 7. You can already picture the flood of help desk tickets bloating your inbox as users try to figure out how to handle this new OS. Heck, you're not sure you even know how to handle it yet.
Some of you have even developed a genuine affection for SP2, which makes this all the more painful.
Windows XP itself has been a bear of a challenge from a security perspective. We couldn't even begin to calculate the number of XP boxes that have fallen prey to malware. There are simply too many to count. Many XP machines were long ago hijacked into the expanding array of botnets plaguing the cybersphere. Microsoft made security matters worse by allowing users to have an administrator account by default, giving a treacherous amount of unrestricted access to the system's underpinnings. IT security practitioners have long lamented that if the administrator's account is cracked, the bad guys can take control and do just about anything they want. Not even the sky is the limit.
But while it didn't solve every problem, SP2 was a major improvement.
I remember the day SP2 came out -- Aug. 25, 2004 -- like it were yesterday. I had been hearing rumors the preceding weekend that it's release was imminent. Back then, the release of such things was a little less predictable than it is today, so I spent the entire weekend writing up a full package of articles about what to expect -- just in case we needed it. At the time, almost everyone I interviewed threw cold water on the news. There was no way they were going to download SP2 as quickly as Microsoft wanted them too. They planned to test it slowly and take all the time they needed.
But in the grand scheme of things, mass implementation was fairly quick. IT shops couldn't deny this was a major security improvement. And they got around the compatibility problems they found early on.
In the years since, SP2 has seen its share of vulnerabilities and attacks. But it has proven far more durable than what came before it.
Your affection for SP2 is certainly understandable. Nevertheless, it's time to move on, no matter how much of a pain it's going to be.
Gregg Keizer, my colleague from across the IDG Enterprise aisle at Computerworld, recently wrote about danger stubborn SP2 holdouts face:
Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), a report from Toronto, Canada-based technology provider Softchoice found. According to the report, 77 percent of the organizations it surveyed run Windows XP SP2 on 10 percent or more of their PCs. Nearly 46 percent of the 280,000 business computers Softchoice analyzed rely on the aged operating system. "This is a red alert," said Dean Williams, the services development manager for Softchoice. "This isn't something you can safely ignore, like you might have before. Windows XP SP2 is deployed in 100 percent of the companies [surveyed] to some extent, but that doesn't tell the whole story. On average, 36 percent of the PCs in every organization run SP2. It's unrealistic for Microsoft to expect them to execute a deployment of Windows 7 in the next  weeks, but they should determine who is affected and get them updated to Windows XP SP3 immediately."
As difficult as this is, you really should have nothing to fear. Upgrading to SP3 is a good intermediate step, and Windows 7 has gotten rock-solid reviews so far by the enterprises that have adopted it.
A few months back, I interviewed Jimmy Kuo, principal architect for Microsoft's Malware Protection Center. When I asked about the security enhancements, here's what he said:
A lot of the security enhancements worked into the development of Windows 7 were based on the threats our reports have outlined in recent years. DirectAccess, for example, offers remote workers the same level of seamless and secure connectivity that they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don't have to manually substantiate a connection. DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network. We're pretty hopeful that this will lead to a reduction in the malware we've been seeing. It should also be noted that the newer the OS, the less malware we tend to find because of the higher patch rate. All previous patches have been worked into Windows 7. That will have a positive impact.
I'm sure it will. The other thing you should all take comfort in is that the switch to Windows 7 won't be the nightmare scenario you faced with Windows Vista. Many enterprises retreated from major Vista deployments after tests revealed a heaping pile of compatibility problems. Sure, the security enhancements were impressive, but when you can't configure something to fit the rest of your network architecture, all the OS security improvements in the world won't ease your mind. Even Microsoft understood this, which is why they essentially abandoned Vista and moved ahead with Windows 7.
The IT security practitioners I've talked to so far who are handling Windows 7 say this OS is far more straightforward, and they expect a quicker mass deployment than earlier incarnations. There will surely be hiccups along the way. Implementing new technology is always an adventure.
But don't worry, XP SP2 loyalists. Everything will ultimately be fine.
That doesn't make it any easier to say goodbye, though. So take a little time to look back and appreciate the good times you had with SP2.
Then pull yourselves together and move on.
Read more about data protection in CSOonline's Data Protection section.