Want to give the perfect gift for Christmas?  XP SP2, that’s what.  So what are you missing out on if you don’t have SP2?

While Windows 98 will have critical patches released until June of 2006, the fact that you have to lower the security of your network to accommodate those machines is unacceptable to me.  Remember, you are only as strong as your weakest link.

For those folks that say “I have apps whose vendors won’t support XP SP2”, to that I say, let me know who those vendors are.  Your vendors should not be the ones setting your security policy.

And Jethro?  Dude!  Get up to SP2 as fast as you can!  The people I’m jumping up and down trying to get onto XP SP2 are probably wheezing along on Windows 95 and 98.  It almost sounds like you are already on XP SP1?  If so, what in the WORLD are you waiting for?  Granted, I think that XP SP2 without a server to control its features is like driving a fast car in second gear the whole way, and I would argue that if you have 6 XP computers… dear… come on up to the pleasure us control freaks get from group policy and XP SP2, and join us with a Windows 2003 server, or better yet an SBS 2003 server, to control those 6 machines!  Okay, so maybe I’m a major control freak, but knowing that I can remotely patch, touch and control all my workstations just makes my day.

The only pain I had in upgrading to SP2 was two workstations that had video cards from Nvidia.  That’s Nvidia’s fault, not Windows’.  All of my other machines had no issues.  What’s cool now is that I have firewalls on my desktops that I control from my server.  I’ve limited the attack surfaces of both my server and my desktops.  Once I kick my workstations down to user mode… that’s “my” Christmas present to myself… I’ll be in an even better position to protect and defend all over the place.

Jethro… it’s not painful.  Not when you’ve made sure your machines are clean of spybot gunk like Charlie said.  And once it’s done you can rest snug as a bug knowing that your machines have the best protection around.

  1. jethro says:

    Thanks susan for the advice

    i have however got my 6 machines safely running on xp sp1 behind a linux firewall, have no need of group policies and use realvnc to remotely manage my machines.

    i do a custom install of win xp (removing lookout express windows messenger and other security holes left open such as plug n pray messenger service (See

    i then use the free CD Microsoft sent me to update the patches as much as possible before turning on auto update from the net. (then install Norton’s and Spybot and Adaware)

    total build time is about 4 hours including partitioning and formatting hard drives.

    i have deliberately run the don’t deploy SP2 patch

    i will probably get around to trying it out on a non critical machine in the xmas break and if it goes painlessly then will attempt the rest.

    in contrast to the pain of installing XP, Linux installs in 30 minutes and is remotely configured in another 30 minutes. It is stable, inherently more secure and free! I pay a professional a nominal fee for his time to maintain it remotely and deploy upgrades as necessary.

    i cannot afford the cost of shifting to a Windows based client server model and the effort to keep a server running Windows software (targeted by hackers) up to date constantly.

    for example the 22 odd critical patches released in Sept / Oct by MS, including patches to Office XP and other apps, took me a combined 4-5 hours to download and deploy just on my workstations. this is just non recoverable time to a small business (but must be done all the same)

    Not wanting to gripe and don’t want this to appear to be a whingefest, but my experience with MS OSes is that they are inherently buggy and insecure, and do not work consistently across different hardware. hence the reluctance to upgrade to SP2 when even the main MS website recognises it is a difficult thing to install and there will be problems.

  2. jethro says:

    oh and i don’t use IE except when absolutely bloody necessary because some people can’t write W3C compliant websites

  3. jethro says:

    last post – promise!

    all my machines use Nvidia cards (bar 1 laptop) and i have already experienced issues with the forced upgrade to DirectX 9c

  4. Susan says:

    Messenger service is disabled in Sp2, there are changes to the OS such that IE is not vulnerable to IFrame [and dude, read the Full disclosure listserve … all browsers are evil and have unpatched vulns]… I have defense in depth because I ‘DON’T’ just have a firewall on the "outside", I have it inside as well so I don’t have to worry about a SQL slammer anymore on the inside of my network because 1434 is a closed port.

    If you just depend on the firewall on the outside [insert any flavor of OS] then you are missing where your real attack surfaces are.

    Sorry but XP is "not" buggy and I pushed out SP2 to all my machines and only had video card issues with 2.

    Those same patches in my network took 5 minutes. is free for 1 server and 10 workstations and patches Windows and Office. The power of group policy my friend. If it took you 5 hours, you are still sneakernetting.

    Work smarter not harder dude.
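An added check, not code from the post or from either commenter, for the host-level controls Susan describes here and in the body of the post: the Windows Firewall running on the inside of the network, the Messenger service disabled, and nothing listening on port 1434. It assumes an XP SP2 machine, an administrator command prompt, and only the netsh, sc and netstat tools that ship with SP2 (the `netsh firewall` context is the XP SP2 one; later Windows versions use `netsh advfirewall`).

```batch
@echo off
REM Audit of the "firewall on the inside" defenses discussed above.
REM Added example; assumes XP SP2 and an administrator prompt.

echo === Windows Firewall operational mode (expect: Enable) ===
netsh firewall show state | findstr /i "Operational"

echo.
echo === Firewall config per profile (check the domain profile too) ===
netsh firewall show config

echo.
echo === Messenger service (expect: START_TYPE DISABLED, STATE STOPPED) ===
sc qc Messenger | findstr /i "START_TYPE"
sc query Messenger | findstr /i "STATE"

echo.
echo === Anything bound to 1434, the port SQL Slammer used (expect: nothing) ===
netstat -ano | findstr ":1434"

echo.
echo === Remediation, kept commented so the audit stays read-only ===
REM netsh firewall set opmode mode=ENABLE profile=ALL
REM sc config Messenger start= disabled
REM sc stop Messenger
```

On a domain the same settings belong in Group Policy (Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall) so the server enforces them rather than each workstation being touched by hand.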

  5. The good thing about IE and SP2 is their automatic upgrades; as long as you keep in touch things just keep getting better. Let’s face it, the other platforms are just too hard for us simple folk.