There's a lot going on in the world of Windows these days. Vista Service Pack 1 has been out for more than a month now and XP Service Pack 3 is due out any day. But what are these updates about? Does the Vista update warrant an upgrade? Or, is it more worthwhile to just update your existing XP installations and keep that OS around a few more years?
With Vista SP1, Microsoft claims reliability, performance and security upgrades. Given those claims and Vista's reputation thus far, you'd think Vista SP1 would be a huge update. Well it is, literally. It's 435 MB for 32-bit Vista and a whopping 727 MB for 64-bit Vista -- the version I chose to run. I nearly ran out of local hard drive space just downloading the service pack.
What's new in Windows Vista SP1?
Vista SP1 includes some data protection improvements for Windows Backup and for when you are ejecting removable drives. It also tunes up Vista's wired and wireless traffic management elements, including 802.11n support, network speed and file copy improvements as well as some other performance enhancements to help keep us from going crazy while waiting for the OS to respond.
In the security arena, Vista SP1 allows you to use BitLocker to encrypt drives other than the C: drive, SSL VPN tunneling, and it contains certain cryptography additions and multi-factor authentication options. It also has some administrative enhancements to Network Access Protection (NAP), which is native to Vista. This is Microsoft's answer to NAC, limiting network access to only "healthy" computers based on policies you define. Overall, Vista SP1 has quite a few changes and improvements that Microsoft obviously put a lot of thought into.
Windows XP SP3: Out with the old, in with the new
With Windows XP Service Pack 3, you're going to get the usual performance, stability and security updates. It includes all the patches and hotfixes dating back to the SP2 era in 2004. (Can you believe it's been that long?) Some of the updates have been available for a while via Windows Update; some others are unique to SP3. I must say that rolling out one service pack sure beats installing hundreds of individual updates. You will, however, have to be running XP SP1 in order to install SP3.
But SP3 is not only about catching up with the old. There are some new features built into SP3 that, before now, were only available in Vista. For instance, XP SP3 will include NAP support. I suspect this is to help clear any roadblocks for migrating to Server 2008. If NAP takes off, I can see this technology really helping admins with security standardization and policy enforcement, and it should reduce the number of vulnerabilities uncovered by internal security assessments. (I'm looking forward to the "NAP" jokes as well.)
There's also the inclusion of the Wi-Fi supplicant updates supporting WPA2. Perhaps the end of an era for Wi-Fi hacking? Yeah, right.
In addition, XP SP3 has some beefed up documentation on Windows security settings that can be good for organizations with limited network help. Microsoft is touting the new ability to detect routers that are silently dropping packets (a security control dubbed "black hole routing"). I'm not sure why this is a big selling point but it's there if you need it. You also won't be forced to upgrade to IE version 7. XP SP3 will update IE6 or IE7, depending on what's installed. You can no longer buy Windows XP, but support for this tried and true OS will be around until 2014. That seems a long way off, but it'll be here before we know it.
So … XP SP3 or Vista SP1?
I'll tell you straight up: I've really gotten into the user experience that Vista has to offer. But given all the troubles I've had and continue to have -- even after installing Vista SP1 -- I think it's a great thing that XP SP3 is catching us up with the times. I don't see any pressing reason to upgrade to Vista -- especially at the enterprise level -- until you absolutely have to. There are not only the stability and performance issues that I and others have experienced, but there are third-party software license upgrades required as well to bring certain business applications up to the current level required to work with Vista. VMware and Adobe Acrobat are ones I've had to deal with already. This software isn't cheap for a sole-proprietor like myself, but the cost is manageable. However, try upgrading a handful of licenses on every desktop at the enterprise level. That's a serious investment.
I think I've talked myself into it: I see a Windows downgrade in my future thanks to XP SP3. Long live Windows XP.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in April 2008