Help - Search - Member List - Calendar
Full Version: Need Input Xp Sp2
GovernmentSecurity.org > The Archives > General Network Security
charon255
Jun 8 2004, 03:07 PM
OK, this is mainly targeted at the population of this board who are employed as security pros in a large enterprise environment, however, I'd welcome input from anyone who would like to contribute.

Question: With the release of Windows XP SP2 looming closer, what are other large enterprise security folks doing to plan for, test, and otherwise deal with deployment of this service pack?

Issues: Although I have seen on this and other message boards some rash responses such as "No way we are going to deploy this" and "this SP is mainly for home users" etc..., I feel that a more careful look is warranted at this issue.

XPSP2 represents a significant release for MS. Why? Well first, it is really the first time that a Service Pack has been released which contains truly "new" functionality and features. Second, the focus of this SP is largely on improving the security of the OS at the fundamental level, not simply patching dlls. Finally, many enterprises have now settled into deployment of XP on the desktop (ours has) as standard.

I have read through most of what MS has published regarding the SP, as well as other 3rd party info. However, I have yet to see anyone publish a definitive implementation "roadmap" for deployment of this SP. Considering that this SP is such a drastic change in the OS, I cannot imagine simply blasting it out through SUS/SMS/etc on release day and expecting to have everything operate as normal. This would likely result in a disaster for IT departments.

Our company has not yet made a committment to either testing or planning for the deployment of this SP. I am completely aware of the folly of this, so please, allow me to critisize us, and lets focus on a possible answer. smile.gif

My concern is that post release of XPSP2, it is very likely that future security updates and fixes released for the XP platform will depend on having SP2 installed. I don't think that MS will release security fixes in multiple versions forever (SP2 and non-SP2 versions). Initially they probalby won't have the choice, but with so many changes and recompiled binaries included with SP2, it is going to get expensive for MS to have parallel development efforts for security fixes for the same platform. So, to delay or avoid its deployment in the long term would not appear to be a smart option.

So here is my cry for help:

Has anyone out there developed or been involved in the development of a testing/deployment strategy for XPSP2 that they would be willing to share? We are (like many other companies) an understaffed IT Security department, and although we have the skill and talent to develop such a strategy, we simply are running out of time. If there is anyone out there who has some work done in this area, I personally, as well I'm sure as others like me, would be most appreciative of any input you could contribute to this issue.

Thanks!
tweakz20
Jun 9 2004, 12:22 AM
i'm not in charge of any large scale network, but here's my opinion....
just testing it, you're not going to find too much. there are many many people out there already creating vulnerabilities for this stupid update. i say wait a few weeks or months before a mass deploy... it's going to be hit hard... if you didn't need it before, you deffinitly don't need to get it as soon as it gets released!
w00dy
Jun 9 2004, 12:56 AM
QUOTE
We are an understaffed IT Security department

An understaffed IT department is repetitive.. all IT departments are understaffed, and they should be from the companies point of view.. but that is niether here no there.

As for the whole deployment of SP2, it is still not stable enough to do any real testing. Most IT departments should follow the same guidelines they have in place for implementing a new technology. The drastic change in functionality poses a problem becuase it is still an upgrade, which means it is likely to have problems with software previously installed.


Here is a general reccommendation of implementation provided that there are very few different hardware and software configurations for the computers.

(minimal different hardware/software configurations)
  • Gather 1 complete system of the most common software/hardware configuration
  • Install the service pack and see what types of issues occur
  • --If there are a lot of problems decide whterh or not it is worth it to upgrade, as most of the "new" functionality is geared towards home users (i.e. multimedia features)
  • ----Try a complete reinstall of XP then SP2, then add the software normally on that platform
  • ----If issues still arise, quit now before you waste too much time wink.gif
  • --If there are not many problems
  • ----Gather 1 system of each hardware/software configuration
  • ----Install the SP, run sysprep (removes SID, etc.) and make an image
  • ----You may wish to use a base install of XP+SP2 instead and then add the necessary software
  • ----Apply the image to all the computers with the same software/hardware configuration.
More than likely you should use a lowly employee in each department to run the guinea pig system prior to applying the image to all computers.
The added "functionality/security" means that more than likely there are apps with will have horrendous issues. They should be discovered before you image every computer in the company.
If you want more detail or a formal plan feel free to PM me.

NOTE: I doubt that any software that "pushes" (such as Alteris) patches and software to computers will handle a SP upgrade to well
charon255
Jun 9 2004, 03:16 PM
Thanks for the good advice/input. Fortunately for us we already have a semi-standard desktop image (we call it SOE - "Standard Office Environment"), and we will likely test against that initially.

Although I agree that there will be significant problems along the way. I can't help feeling that eventually we, and other enterprises are going to have to roll this thing out. BTW, for reference we are talking about roughly 22,000 desktops, spread out across 137 locations nationwide.

Thanks again...
tzontzo
Jun 10 2004, 09:47 AM
I have working with for Windows XP sp2 for a some time.I do not know if my opinion help you or not but I will tell you that after i have installed sp2 over a xp sp1 corporate edition i hava a big nasty surprises because the OS do not working any more the same....very much delays in using some programs, the big special firewall work very strange...etc...


From my point of view until Microsoft do not release the Windows XP SP2 build in it has no point to installed it over an windows xp.smile.gif
ILX
Jun 11 2004, 05:44 PM
In my opinion the only good thing i've seen so far in sp2 is the automatic updates system. (way better than that crappy SUS)

(the firewall got better too if u use any of that crap)

But i dont really recommend a mass implementation of it, not in the first few weeks/month or two atleast
As far as i know there's still a shitload of bugs in the rc that has been released
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.