Windows XP SP2: Don't fear the reaper

Enthusiasts, this is a sad time for you

An open letter to those who are distraught over the impending retirement of Windows XP SP2:

Windows XP SP2 enthusiasts, this is a sad time for you.

Microsoft, eager to get us all to use Windows 7, has announced that XP SP2's days are numbered -- at least in terms of support and security updates.

Change is hard, and this will be no exception. Microsoft will stop supporting Windows XP SP2 after July 13. That means no more security fixes on Patch Tuesday. You can soften the blow by updating to Windows XP SP3, which will be supported until April 2014. But that doesn't make this much easier. It's still a major update, and major updates are fraught with problems. It's a fact of life.

Your anxiety is made worse by what this ultimately means -- an across-the-enterprise switch to Windows 7. You can already picture the flood of help desk tickets bloating your inbox as users try to figure out how to handle this new OS. Heck, you're not sure you even know how to handle it yet.

Some of you have even developed a genuine affection for SP2, which makes this all the more painful.

Windows XP itself has been a bear of a challenge from a security perspective. We couldn't even begin to calculate the number of XP boxes that have fallen prey to malware. There are simply too many to count. Many XP machines were long ago hijacked into the expanding array of botnets plaguing the cybersphere. Microsoft made security matters worse by allowing users to have an administrator account by default, giving a treacherous amount of unrestricted access to the system's underpinnings. IT security practitioners have long lamented that if the administrator's account is cracked, the bad guys can take control and do just about anything they want. Not even the sky is the limit.

But while it didn't solve every problem, SP2 was a major improvement.

I remember the day SP2 came out -- Aug. 25, 2004 -- like it were yesterday. I had been hearing rumors the preceding weekend that it's release was imminent. Back then, the release of such things was a little less predictable than it is today, so I spent the entire weekend writing up a full package of articles about what to expect -- just in case we needed it. At the time, almost everyone I interviewed threw cold water on the news. There was no way they were going to download SP2 as quickly as Microsoft wanted them too. They planned to test it slowly and take all the time they needed.

But in the grand scheme of things, mass implementation was fairly quick. IT shops couldn't deny this was a major security improvement. And they got around the compatibility problems they found early on.

In the years since, SP2 has seen its share of vulnerabilities and attacks. But it has proven far more durable than what came before it.

Your affection for SP2 is certainly understandable. Nevertheless, it's time to move on, no matter how much of a pain it's going to be.

Gregg Keizer, my colleague from across the IDG Enterprise aisle at Computerworld, recently wrote about danger stubborn SP2 holdouts face:

Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), a report from Toronto, Canada-based technology provider Softchoice found. According to the report, 77 percent of the organizations it surveyed run Windows XP SP2 on 10 percent or more of their PCs. Nearly 46 percent of the 280,000 business computers Softchoice analyzed rely on the aged operating system. "This is a red alert," said Dean Williams, the services development manager for Softchoice. "This isn't something you can safely ignore, like you might have before. Windows XP SP2 is deployed in 100 percent of the companies [surveyed] to some extent, but that doesn't tell the whole story. On average, 36 percent of the PCs in every organization run SP2. It's unrealistic for Microsoft to expect them to execute a deployment of Windows 7 in the next [2] weeks, but they should determine who is affected and get them updated to Windows XP SP3 immediately."

As difficult as this is, you really should have nothing to fear. Upgrading to SP3 is a good intermediate step, and Windows 7 has gotten rock-solid reviews so far by the enterprises that have adopted it.

A few months back, I interviewed Jimmy Kuo, principal architect for Microsoft's Malware Protection Center. When I asked about the security enhancements, here's what he said:

A lot of the security enhancements worked into the development of Windows 7 were based on the threats our reports have outlined in recent years. DirectAccess, for example, offers remote workers the same level of seamless and secure connectivity that they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don't have to manually substantiate a connection. DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network. We're pretty hopeful that this will lead to a reduction in the malware we've been seeing. It should also be noted that the newer the OS, the less malware we tend to find because of the higher patch rate. All previous patches have been worked into Windows 7. That will have a positive impact.

I'm sure it will. The other thing you should all take comfort in is that the switch to Windows 7 won't be the nightmare scenario you faced with Windows Vista. Many enterprises retreated from major Vista deployments after tests revealed a heaping pile of compatibility problems. Sure, the security enhancements were impressive, but when you can't configure something to fit the rest of your network architecture, all the OS security improvements in the world won't ease your mind. Even Microsoft understood this, which is why they essentially abandoned Vista and moved ahead with Windows 7.

The IT security practitioners I've talked to so far who are handling Windows 7 say this OS is far more straightforward, and they expect a quicker mass deployment than earlier incarnations. There will surely be hiccups along the way. Implementing new technology is always an adventure.

But don't worry, XP SP2 loyalists. Everything will ultimately be fine.

That doesn't make it any easier to say goodbye, though. So take a little time to look back and appreciate the good times you had with SP2.

Then pull yourselves together and move on.

Read more about data protection in CSOonline's Data Protection section.

Join the CSO newsletter!

Error: Please check your email address.

Tags supportMicrosoftWindowsoperating systems

More about etworkIDGMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Brenner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts