Preparing for Windows XP Service Pack 2 - Mary Beth Guard
Preparing for Windows XP Service Pack 2
by Mary Beth Guard and Andy Zavoina
Here comes Microsoft's Service Pack 2 for Windows XP. This will resolve all your security and usability issues in one download. Not! There are many issues here. First, it often takes Microsoft three tries to get something right. With SP2 fresh off the programmers desk, it has been tested, but not on your systems, right? So there may be unknown conflicts, especially if you have unique programs housed on your PC. Unique doesn't mean exclusive to you, but perhaps to our industry. How much testing was done with SP2 and your loan production software, your ALCO software, your CRA and HMDA software?
If you are using the Windows XP operating system in your institution, take appropriate precautions and learn about potential dangers before you install Windows XP Service Pack 2.
Microsoft has:
- released a Knowledge Base article about programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer;
and - provided a toolkit that temporarily disables the automatic delivery of this update in order to give organizations an opportunity to evaluate the Service Pack before implementing it.
From ZoneAlarm to WordPerfect, Norton SystemWorks to Omni Page scanning software, there are nearly 50 different programs that experience problems. They include client programs that receive data from a server, server programs that respond to client requests, instant message programs and much more. Some programs simply quit working after Service Pack 2 is installed. Others exhibit "issues."
Examples Microsoft gives of client applications that may not successfully receive data from a server include:
- An FTP client
- Multimedia streaming software
- New mail notifications in some e-mail programs
Examples of server applications that may not respond to client requests after installation of Service Pack 2 for Windows XP include:
- A Web server such as Internet Information Services (IIS)
- Remote Desktop
- File Sharing
Access the continually updated list from Microsoft, including some troubleshooting tips, from Microsoft Knowledge Base Article - 884130.
In another Microsoft KnowledgeBase Article - 842242, Microsoft lists 42 applications that have "issues" with a system fitted with SP2. Problems have been noted with software from McAfee, Symantec and yes, Microsoft. Microsoft has seven programs on the list!
Once you read about it, you'll need to act quickly to disable the automatic update delivery mechanism on your Windows XP system so that your XP computers don't automatically download and install SP2. Actions you need to take to prevent a disruption to your business include executing your patch management procedures. You should have a test system on which you can apply SP2. You may apply it in parts and then test your system thoroughly after each installation to ensure compatibility and output. If you apply it all to a live system, you may get errors. You may not know these errors exist until they have gone on for days, weeks or longer, meaning everything would need to be re-done, or it may crash your system. Either way it is very costly.
The FDIC set forth guidance on developing patch management programs for software vulnerabilities in FIL-43-2003. This statement below about software patches would certainly be applicable to Service Pack2:
Each patch should be tested prior to installation to ensure that it will function as expected and be compatible with other systems. Patches should be tested at a system level as well as in a quality assurance environment prior to their installation in the production environment. This will ensure their compatibility with the system and with other components in the environment. Evaluation and testing should also ensure that the installation of a patch or software update does not open vulnerabilities previously corrected or produce new vulnerabilities. Application of patches in the production environment is subject to normal change management procedures to minimize the risk of disruption due to installation of the patch. Testing should also occur in the production environment after installation.
Depending on the infrastructure at your financial institution, you may have a written policy whereby your PCs are left on at night to allow the IT group to run software updates while you are gone; you may simply have Windows Update turned on to automatically update all your PC systems, or you may do this individually. The bottom line in today's technological environment is that you should have a procedure established for patch management. Patches are applied as needed to prevent a "wound", in the case of PCs. These updates patch up holes someone may be able to exploit, damaging your systems, using them without your knowledge or stealing your data. And because the faults are sometimes known "to the world" before the patches are made available, your risk increase exponentially every hour until you resolve issues. To temporarily disable delivery of Windows XP Service Pack 2 through Windows Update and Automatic Updates, access the instructions and tool from Microsoft. Disabling Delivery.
There is also an FAQ file with questions and answers about temporarily blocking Windows XP SP2 delivery. We recommend you read it as well. FAQ. The FAQ addresses such questions as "If I need to temporarily disable delivery of Windows XP SP2, why should I use these tools provided by Microsoft? Why should I not just disable AU entirely?"
Once you have SP2 installed, you can breathe easier and concentrate exclusively on banking. Not! Nothing replaces common sense. Employees still need to know what type of attachments they should feel confident in sending and receiving with email, if this is allowed at all by your financial institution. Already there are vulnerabilities being noted in SP2 and what it does to your system. System flaws have been reported which can disable warnings that an untrusted program is being executed on a PC. Without this warning, you could install something that would provide complete access to your system. There may also be problems with the firewall. While improved, and now defaulted to be turned on, it still may be controlled by any locally running program. There is no security panacea.
Your patch management process will be utilized here, not retired. It will live on as long as the computing environment does. Apply SP2 with caution and disperse it on a larger scale only after testing.
Be prepared. Stay safe.
First published on BankersOnline.com 08/20/04