
XP Service packs

Lee H Member Posts: 1,135
Hi

We all understand the importance of service packs for XP, 3 being the latest. But how important is it in a company? Today I have come across 6 machines: 3 have SP2, 1 has SP1 and 2 have no SP.

The only danger I can see is if anyone from inside the workplace brings in a virus on CD or pen drive.

Q. Service pack 3 still may not be commonly installed as it's quite new, but how many of you IT people have PCs on your network with only SP2, SP1 or even no SPs installed? In a busy IT environment where there is always work to do I can understand if this falls by the wayside, but is this as bad as it sounds?

Lee H

Comments

  • Silver Bullet Member Posts: 676 ■■■□□□□□□□
    Most larger companies will test updates/patches/SPs to check for compatibility issues on their apps, etc. before pushing them out to the client machines. They will also use an update system such as SMS or WSUS.

    Doesn't sound like there is an update/patch plan there.
  • aordal Member Posts: 372
    If you have machines on your network that are running no SP or just SP1, they are a threat to the rest of your network. The reason is that M$ stopped supporting them, aka stopped patching them. It's a big deal if you have lots of these on your network; if it's a small company I advise you to start rolling out SP2 ASAP. If you are running AD then you can set up WSUS 3.0 SP1 (it's free).
    "The only danger I can see is if anyone from inside the workplace brings in a virus on CD or pen drive"
    You don't connect to the internet at all?

    As far as SP3, it's not as hot of a deal right now because SP2 is still supported, but when M$ announces a date (and they will) when SP2 is no longer supported it's important that you upgrade to SP3.
  • dave0212 Member Posts: 287
    aordal wrote: »
    If you are running AD then you can set up WSUS 3.0 SP1 (it's free).

    You don't need AD for WSUS; it just makes it easier to configure all your systems via GP to point to it.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    SP1 and SP2 are very important. I can't imagine anyone is not using those unless there are some incompatibility issues with critical software. SP3 was more a collection of updates with a few minor additions (that most people won't notice) in functionality. It doesn't even sound like those are getting updates since I believe some require SP1 or SP2.
  • NetAdmin2436 Member Posts: 1,076
    At a minimum they should all have XP SP2 for the enhanced security. SP2 included the built-in firewall which you should be running on all clients.
    WIP: CCENT/CCNA (.....probably)
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    SP2 has been the requirement for quite some time for receiving patches from Microsoft.

    I wouldn't even bother with upgrading them in place, personally I would just rebuild the computers with a new install that included SP3. Those ones running SP0 are probably infected with something by now if they get on the internet much.

    It's also possible they are using pirated copies of Windows and MS added the product key to the blacklist, which prevents them from installing the latest SP and patches.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • HeroPsycho Inactive Imported Users Posts: 1,940
    "At a minimum they should all have XP SP2 for the enhanced security. SP2 included the built in firewall which you should be running on all clients."

    Remember, XP SP2 didn't include the firewall for the first time. That wasn't the change in respect to it. The change was that it was enabled by default for the first time.

    It also hardened a lot of the services and installed fixes for numerous security threats.

    That's why it was/is so important to install.

    I agree that XP SP3 is not absolutely critical to install at this time, although it can add a few valuable features, like a more secure wifi connection manager and support for NAP if you're looking to deploy that.
    Good luck to all!
  • Psoasman Member Posts: 2,687 ■■■■■■■■■□
    AT THE MINIMUM you should have SP2 installed. I have seen very few compatibility problems with SP2, usually with specialized software.
    We tested SP3 in our lab at work for months before the admins approved it for install.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Microsoft exec calls XP hack 'frightening' - CNET News

    I'd get SP2 on those machines ASAP...
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Lee H Member Posts: 1,135
    I kind of knew already guys how important these SPs are, but in a network environment where all PCs get internet via a proxy and relevant antivirus installed, so only threat of viruses is in-house, providing the AV is up to date.

    Not my call to update these machines though, am here to roll out laptops. But they have been notified. I guess they're just too busy most of the time to update these machines; it probably happens in every company.

    Thanks for all your input guys

    Lee H
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Viruses aren't the only threat, and no scanner is perfect.

    Plus, people can always bring things in on flash drives, CD/DVDs, etc. The proxy server isn't the single point of entry.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Lee H wrote: »
    I kind of knew already guys how important these SPs are, but in a network environment where all PCs get internet via a proxy and relevant antivirus installed, so only threat of viruses is in-house, providing the AV is up to date.

    Not my call to update these machines though, am here to roll out laptops. But they have been notified. I guess they're just too busy most of the time to update these machines; it probably happens in every company.

    Thanks for all your input guys

    Lee H

    And since when are proxies and AV foolproof?
    Good luck to all!
  • tiersten Member Posts: 4,505
    Lee H wrote: »
    I kind of knew already guys how important these SPs are, but in a network environment where all PCs get internet via a proxy and relevant antivirus installed, so only threat of viruses is in-house, providing the AV is up to date.
    Somebody brings in their virus and worm riddled laptop from home and plugs it into the network...

    I assume since they've not bothered to do their service packs that they've also not got anything like 802.1x.
  • Lee H Member Posts: 1,135
    Funny you should mention, we do and it's unsecured. But I have tried to connect and it doesn't. I think maybe the MAC address on my wifi phone needs adding to some list somewhere, does that sound right?
  • Daniel333 Member Posts: 2,077 ■■■■■■□□□□
    Lee H wrote: »
    Hi

    We all understand the importance of service packs for XP, 3 being the latest. But how important is it in a company? Today I have come across 6 machines: 3 have SP2, 1 has SP1 and 2 have no SP.

    The only danger I can see is if anyone from inside the workplace brings in a virus on CD or pen drive.

    Q. Service pack 3 still may not be commonly installed as it's quite new, but how many of you IT people have PCs on your network with only SP2, SP1 or even no SPs installed? In a busy IT environment where there is always work to do I can understand if this falls by the wayside, but is this as bad as it sounds?

    Lee H


    Normally you would push the service pack out through SMS, group policy or something like that. You are not likely to see an IT person manually install it. So it's really a non-issue. The only time-consuming part is maybe testing any random software you might have.

    XP and XP Service Pack 1 are no longer supported I believe. So if they find a critical flaw, it's not likely to be patched. But if you are on SP2 or 3 it will be. Also, if you call with a problem and they find you on a dated service pack, they are going to give you the runaround.

    This explains it well:
    Microsoft Windows: End of support for Windows 98, Windows Me, and Windows XP Service Pack 1

    You are getting security enhancements, system stability and beefed up firewall protection. In addition you gain some group policy enhancements so Windows XP plays nicely with Vista and 7.

    Anyhow, I've had no legit problems with SP3 in a roll out to 40 companies amounting to about 4,000 users. That ain't bad. Any Windows company should certainly be in the process of testing their software on SP3 now and rolling out soon.
    -Daniel
  • arwes Member Posts: 633 ■■■□□□□□□□
    Posting in an old thread, yay! :D I finally got around to releasing SP3 for XP in WSUS this past Friday and I've already had to uninstall it from several workstations. Dell must really not bother with offering updated drivers for older products these days. Got one user with a Latitude D810 and uses ATI Catalyst Control Center stuff to rotate her second monitor. That stopped working in SP3. And then anyone who uses a Dell 5100cn or 3100cn can no longer print. No updated drivers from Dell. Anyone have this kind of problem from other manufacturers?
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • undomiel Member Posts: 2,818
    At that point I would try the drivers straight from ATI and see if they make a difference. I can't think of anything in particular in SP3 that should interfere with display rotation.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • arwes Member Posts: 633 ■■■□□□□□□□
    When I tried that I got a message that more or less told me to contact the manufacturer for updated drivers. I think the latest ones Dell had were from 2005.
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    I do on-site pen tests and thank god every time I find unpatched boxes. If you have XP service pack 1, Metasploit will own you every time. Same goes for 2k installs.

    Lack of patch management is negligent. Not just from a virus standpoint, but from a "there are tons of holes in the operating system that need to be patched" standpoint.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Paul Boz wrote: »
    I do on-site pen tests and thank god every time I find unpatched boxes. If you have XP service pack 1, Metasploit will own you every time. Same goes for 2k installs.

    Lack of patch management is negligent. Not just from a virus standpoint, but from a "there are tons of holes in the operating system that need to be patched" standpoint.

    Fun PowerShell one liner you can run with the Quest AD cmdlets:

    get-qadcomputer -OSName "*XP*" | where-object {$_.OSServicePack -notlike "*2"} | select name,OSServicePack

    It's obviously adaptable for other OS's and service pack levels.

    I ran that where I'm contracting, and seeing numerous XP RTMs still on the network made me cry.
    Good luck to all!
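
Added example (not part of the thread or any poster's code): the wildcard test `-notlike "*2"` in the one-liner above also lists machines on SP3, so this sketch parses the service pack level as a number and reports only machines below the SP2 baseline the thread recommends. The inventory rows are constructed, and the `OSName` property and both function names are assumptions standing in for the output of a directory query.

```powershell
# Added example. Constructed inventory rows stand in for directory query output;
# Name and OSServicePack mirror the one-liner above, OSName is an assumption.
$inventory = @(
    [pscustomobject]@{ Name = 'WS-001'; OSName = 'Windows XP Professional'; OSServicePack = 'Service Pack 3' }
    [pscustomobject]@{ Name = 'WS-002'; OSName = 'Windows XP Professional'; OSServicePack = 'Service Pack 2' }
    [pscustomobject]@{ Name = 'WS-003'; OSName = 'Windows XP Professional'; OSServicePack = 'Service Pack 1' }
    [pscustomobject]@{ Name = 'WS-004'; OSName = 'Windows XP Professional'; OSServicePack = '' }
    [pscustomobject]@{ Name = 'SRV-01'; OSName = 'Windows Server 2003';     OSServicePack = 'Service Pack 2' }
)

# Hypothetical helper: turn 'Service Pack N' into N; RTM installs report an empty string.
function Get-ServicePackLevel {
    param([string]$ServicePack)
    if ($ServicePack -match '(\d+)\s*$') { return [int]$Matches[1] }
    return 0
}

# Hypothetical helper: one row per XP machine, flagged when below the baseline.
function Get-XpPatchGap {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Computer,
        [int]$MinimumLevel = 2   # assumption: SP2 as the baseline, per the thread
    )
    $Computer |
        Where-Object { $_.OSName -like '*XP*' } |
        ForEach-Object {
            $level = Get-ServicePackLevel $_.OSServicePack
            [pscustomobject]@{
                Name          = $_.Name
                ServicePack   = if ($level -gt 0) { "SP$level" } else { 'RTM (no SP)' }
                Level         = $level
                BelowBaseline = $level -lt $MinimumLevel
            }
        } |
        Sort-Object Level, Name
}

$report = Get-XpPatchGap -Computer $inventory

# Machines to remediate first: RTM and SP1 only; SP3 is not listed.
$report | Where-Object { $_.BelowBaseline } | Format-Table Name, ServicePack -AutoSize

# Count per service pack level for the whole XP estate.
$report | Group-Object ServicePack | Select-Object Name, Count | Format-Table -AutoSize
```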