SP1 to SP2: Firewall Benefits?

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi. I've been an XP Home SP1 user for quite a while now. I've been
hesitant to upgrade to SP2, because I've heard that some common
software does not work properly on SP2. Is there any truth to this?
Should I stop worrying and just upgrade?

Note that my typical usage includes Eudora email, Mozilla web browser,
MS Office Pro 2003, some rudementary Eclipse/Java and Visual C++
programming, Norton AV 2005, and Adaware.

I'm posting on this newsgroup, because I am about to change my Internet
service from dial-up to DSL, so perhaps there are some
security/firewall considerations.

Thanks!

Ken
7 answers Last reply
More about firewall benefits
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Ken" <kenandeva@yahoo.com> wrote in message
    news:1121077901.622393.128980@g49g2000cwa.googlegroups.com...
    > Hi. I've been an XP Home SP1 user for quite a while now. I've been
    > hesitant to upgrade to SP2, because I've heard that some common
    > software does not work properly on SP2. Is there any truth to this?
    > Should I stop worrying and just upgrade?

    Yes. The media and so-called experts said lots of bogus things about XP SP2
    breaking things. Plenty of people are on XP SP2 with no problems. If XP
    SP2 is going to break things on your computer, it isn't going to get fixed
    at this point until you install it and look into how to fix it.

    Most of the things that SP2 supposedly "breaks" are really just things that
    the firewall blocks until you tell the firewall not to block it. This is
    pretty much true of any firewall out there and is not proof that SP2 is
    dangerous.

    > Note that my typical usage includes Eudora email, Mozilla web browser,
    > MS Office Pro 2003, some rudementary Eclipse/Java and Visual C++
    > programming, Norton AV 2005, and Adaware.

    These apps should be fine.

    > I'm posting on this newsgroup, because I am about to change my Internet
    > service from dial-up to DSL, so perhaps there are some
    > security/firewall considerations.

    No, I would say the security considerations are pretty similar. dial-up
    gets scanned and compromised at a similar rate as DSL.
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Karl Levinson, mvp wrote:

    <snip>

    > No, I would say the security considerations are pretty similar. dial-up
    > gets scanned and compromised at a similar rate as DSL.

    I thought the big difference there is that DSL is "always on", so the
    window of opportunity for nastiness is much greater, thus I need to
    have more rigorous security set up. Does that sound correct?
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Ken" <kenandeva@yahoo.com> wrote:

    >
    >
    >Karl Levinson, mvp wrote:
    >
    ><snip>
    >
    >> No, I would say the security considerations are pretty similar. dial-up
    >> gets scanned and compromised at a similar rate as DSL.
    >
    >I thought the big difference there is that DSL is "always on", so the
    >window of opportunity for nastiness is much greater, thus I need to
    >have more rigorous security set up. Does that sound correct?

    Yes. The longer you are exposed the greater the probability of
    getting hit.


    Ron Martell Duncan B.C. Canada
    --
    Microsoft MVP
    On-Line Help Computer Service
    http://onlinehelp.bc.ca

    In memory of a dear friend Alex Nichol MVP
    http://aumha.org/alex.htm
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On Mon, 11 Jul 2005 07:21:15 -0400, "Karl Levinson, mvp"
    >"Ken" <kenandeva@yahoo.com> wrote in message

    >> Hi. I've been an XP Home SP1 user for quite a while now. I've been
    >> hesitant to upgrade to SP2, because I've heard that some common
    >> software does not work properly on SP2. Is there any truth to this?
    >> Should I stop worrying and just upgrade?

    >Yes. The media and so-called experts said lots of bogus things about XP SP2
    >breaking things. Plenty of people are on XP SP2 with no problems.

    This is true. I'd be cautious if...

    1) You have an early Prescott (recent Intel P4 generation PC)

    http://cquirke.mvps.org/sp2intel.htm

    ....or...

    2) You have some custom network-aware application

    >Most of the things that SP2 supposedly "breaks" are really just things that
    >the firewall blocks until you tell the firewall not to block it.

    >> Note that my typical usage includes Eudora email, Mozilla web browser,
    >> MS Office Pro 2003, some rudementary Eclipse/Java and Visual C++
    >> programming, Norton AV 2005, and Adaware.

    I use Eudora, and confirm that's fine. What I always fix:
    - add back Explorer's Status bar, as SP2 disables it
    - curb automatic installing of patches (but do install patches!)
    I also have to fix these:
    - ERUNT; needs new version
    - Licenturion's XP Info needs new version
    - MultiRes needs new version, else CPU goes to 99% busy
    - TweakUI for XP may need new version

    >> I'm posting on this newsgroup, because I am about to change my Internet
    >> service from dial-up to DSL, so perhaps there are some
    >> security/firewall considerations.

    >No, I would say the security considerations are pretty similar. dial-up
    >gets scanned and compromised at a similar rate as DSL.

    What can be challenging with DSL is that you often have the same LAN
    card connecting both LAN (which needs file and print sharing, etc.)
    and Internet via the router (which needs hard firewalling). So the
    practice of "no firewall on LAN, hard firewall on dial-up" has to be
    modified to something less simple, and less solid.

    For those who abandon all system maintenance or troubleshooting in
    favor of "just" re-installing Windows, SP2 brings major benefits -
    patched against RPC and LSASS attacks out of the box, and firewall is
    enabled by default. Without that, the mean time to being clobbered
    online is around 20 minutes.


    >-- Risk Management is the clue that asks:
    "Why do I keep open buckets of petrol next to all the
    ashtrays in the lounge, when I don't even have a car?"
    >----------------------- ------ ---- --- -- - - - -
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On 11 Jul 2005 09:26:39 -0700, "Ken" <kenandeva@yahoo.com> wrote:
    >Karl Levinson, mvp wrote:

    >> No, I would say the security considerations are pretty similar. dial-up
    >> gets scanned and compromised at a similar rate as DSL.

    >I thought the big difference there is that DSL is "always on", so the
    >window of opportunity for nastiness is much greater, thus I need to
    >have more rigorous security set up. Does that sound correct?

    It does, but if you're shot 5 times instead of 2000 times, you're just
    as dead. It's riskier in some other ways, e.g. if some really dumbo
    malware used to poop up an unexpected dial-up prompt and thus tip you
    off it was there, on DSL it will connect automatically and invisably.

    What's more of a new risk is WiFi. I would avoid that altogether,
    because that bypasses the router etc. to enter the LAN directly.


    >--------------- ----- ---- --- -- - - -
    Never turn your back on an installer program
    >--------------- ----- ---- --- -- - - -
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org> wrote in
    message news:hhf6d1h3a44m1oad1uhd2so4n76hnjjr2t@4ax.com...

    > >> No, I would say the security considerations are pretty similar.
    dial-up
    > >> gets scanned and compromised at a similar rate as DSL.
    >
    > >I thought the big difference there is that DSL is "always on", so the
    > >window of opportunity for nastiness is much greater, thus I need to
    > >have more rigorous security set up. Does that sound correct?
    >
    > It does, but if you're shot 5 times instead of 2000 times, you're just
    > as dead.

    Agreed. In study after study over the past four years or so, an unpatched
    or otherwise vulnerable system is typically compromised or infected within
    15 minutes of getting on the Internet, regardless of whether DSL versus
    dial-up is used. Viruses don't check whether you're using DSL or not, and
    there are millions of infected computers out there scanning every IP address
    continuously. Regardless of which internet connection you're using, you're
    either already protected, or you may already be infected. [If you're not
    infected, you're doing something right that will still be just as right and
    probably just as effective when you're on DSL.]
  7. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    On Tue, 12 Jul 2005 02:45:00 -0400, "Karl Levinson, mvp"

    >Agreed. In study after study over the past four years or so, an unpatched
    >or otherwise vulnerable system is typically compromised or infected within
    >15 minutes of getting on the Internet, regardless of whether DSL versus
    >dial-up is used. Viruses don't check whether you're using DSL or not, and
    >there are millions of infected computers out there scanning every IP address
    >continuously. Regardless of which internet connection you're using, you're
    >either already protected, or you may already be infected. [If you're not
    >infected, you're doing something right that will still be just as right and
    >probably just as effective when you're on DSL.]

    The part I have difficulty with, is maintaining internal firewall
    status when moving from separate Internet and LAN connections, to the
    same network connection for both LAN and Internet - as is the case
    when one adds an ADSL NAT router as an extra network device.

    Normally, I'd do that by raising the firewall on all PCs, with no
    exceptions opened, and then use a different network protocol to carry
    the LAN traffic (i.e. File and Print Sharing aka F&PS).

    This works fine when there are no NT systems involved, i.e. a pure
    Win9x LAN. All F&PS is on NetBEUI, which cannot be routed and
    therefore can't "leak" outside the (wired) LAN. Firewalls are up, and
    F&PS is not affected. Sweet.

    But XP (in my experience) can't do NetBEUI to Win9x, even if you do
    find and apply the "unsupported" NetBEUI for XP. I've been told
    adding the NetBEUI files from Win2000 works, but I don't want to
    version-soup a subsystem I understand as poorly as I do networking. I
    also find that IPX doesn't work, between Win9x and XP.

    So if I do use the software firewall, I'm forced to open it up so that
    F&PS can get through. That's not as easy as it could be; the UI
    varies between XP SP level, and what you see when you look at the main
    page of firewall properties is not what you see if you selectively
    apply settings on a per connection basis.

    For example, on SP2, Control Panel Windows Firewall shows me:
    Exceptions, File and Print Sharing. That's easy enough, but let's say
    I want to apply different settings to FireWire than what I apply to
    the LAN adapter. I go Advanced, highlight the adapter I want to
    affect, and the list of things to work with bears absolutrely no
    relationship to the list I saw earlier - and File and Print Sharing is
    nowhere to be found. Maybe I'm supposed to "Add" something as rare
    and arcane as File and Print Sharing, which I might do if I could
    smell (or in my case, remember) what ports it uses.

    This may not be rocket science for network gurus, but the rest of us
    are going to turn the firewall off, and hope NAT stops the bullets.


    >-- Risk Management is the clue that asks:
    "Why do I keep open buckets of petrol next to all the
    ashtrays in the lounge, when I don't even have a car?"
    >----------------------- ------ ---- --- -- - - - -
Ask a new question

Read More

Windows XP