Microsoft Targets XP With New Security Pack

First made available in mid-August to XP users who have their systems set up for automatic updates, SP2 will be available to all XP users in the next several months. Microsoft developed SP2 primarily in response to complaints that XP wasn't as secure as it could be. The company says the upgrade will protect users from virus and worm attacks by sealing their entry points and protecting against attempted incursions by spyware applications.

SP2 is also getting an assist from Bedford, Mass.-based RSA Security, which is delivering two-factor authentication support for the upgrade that was to be available in mid-September. The solution, called RSA SecurID for Microsoft Windows, helps ensure that network resources are accessible only by authorized users, while simultaneously delivering a simplified and consistent user login experience.

"There have been point solutions for Windows in the past that have let users log onto networks from local terminals, but this is the first two-factor authentication solution that covers the whole domain," says Karl Wirth, RSA product manager.

The solution works by combining a secret PIN with a unique RSA SecurID token that generates a random, one-time password every 60 seconds. Wirth says SP2 with the RSA solution should provide a two-sided benefit to the company as it disseminates it to partners.

"The initial focus for us will be on getting it out to our existing resellers who want to increase the penetration of SecurID," he says. "But it's also a new product for Windows resellers who, for example, want to upsell off of Windows NT because the solution doesn't run on NT."

But some are questioning whether SP2 makes XP secure enough and whether the security enhancements will restrict activity in other areas. "SP2 provides a wealth of new endpoint security capabilities, so there are some significant questions about what applications it might restrict," says Chuck Adams, CSO of security vendor NetSolv. "It may disrupt a certain amount of standard or proprietary applications."

Last month, Microsoft released a list of about 50 third-party applications that might need to be "tweaked" in order to work with SP2. These included programs for tasks such as Web servers, file sharing, e-mail and multimedia, among others.

Adams says sectors like the financial industry, which deploys numerous esoteric programs, could be most affected by any problems with the upgrade. Bill Gates himself has said that SP2 affects less than 5 percent of the XP OS and that it takes significant steps toward helping users isolate their PCs from attacks. But to do this, SP2 demands that users become more involved with securing their PCs by responding to a series of new prompts that ask permission for programs to work with their computers.

The logic is that users are less likely to be exposed to a virus or spyware if they must grant permission for each program to interact with their computer. But Adams wonders if SP2 isn't dropping too much responsibility in users' laps before they're ready.

"Microsoft has 'empowered' users but relegated security responsibility to them," he says. "Yet, anyone in the security industry knows that relying on end users to make the right decisions is not always the most effective way to do it."