“The principal reason given for the tremendous under-the-hood changes to Windows unveiled early this year in Vista was the need to overhaul the security model. Indeed, Vista has proven to be a generally more secure operating system, though some vulnerabilities that apply to ordinary software impact Vista users just as much as any other. But now, software analysts testing the latest build 3205 of the beta for Windows XP Service Pack 3 are discovering a wealth of genuinely new features – not just patches and security updates (although there are literally over a thousand of those), but services that could substantially improve system security without overhauling the kernel like in Vista.”
So this ‘wealth of genuinely new features’ is that they moved the crypto services into the kernel (where it can’t be disabled) and introduced NAP that will almost certainly cause a ‘wealth’ of interop problems with non-windows clients. What a bonus.
I totally do not understand this kind of security. Basically, if some client says it can be trusted, the server just trusts the client?
Yes, it promotes clients to update their machines, but it is not secure. A client can say that it is secure, but that does not make it secure.
Not to mention non Windows clients.
There’s more to being secure than preventing deliberate and malicious acts. Maybe NAP is designed to prevent casual and accidental exposure of servers to insecure clients?
Basically, if some client says it can be trusted, the server just trusts the client?
No. If the client passes that test it just means that the server will allow it to connect whereas before ANY client was allowed to connect. It doesn’t mean that it just trusts it to do whatever it wants from then on. The other points of security are still in place. This is just one more layer of added protection.
At least that’s how I understand it. As for older and non-windows clients I’m sure this can be switched off by the administrator. It would be foolish of them if there was no way to do that.
Edited 2007-10-11 01:00
Yes, it promotes clients to update their machines, but it is not secure. A client can say that it is secure, but that does not make it secure.
Yes, it’s not a security measure for the servers.
It also doesn’t protect against a compromised client.
It’s a preventative measure to make the network as a whole more secure.
Imagine you have road warrior workers (laptops that rarely enter the office) in your company. These laptops tend to be neglected by IT support because they aren’t always in the office. Road warrior laptops tend to be a great way for a malicious worm to get behind your border security (firewalls etc.). If these laptops have to get security updates before they can access the network servers, then they are at least getting security updates every time they are in the office, therefore making them more secure than they were before.
It’s also a great way to alert IT to the fact that a computer is not getting updates for whatever reason.
– Jesse McNelis
Does it play Ogg Vorbis?
You kidding me? This is a proprietary system!
I don’t get your point. For example, IE supports PNG files and Windows can play MPEG-4s…
Edited 2007-10-11 06:38
It was a stab at DRM.
Oh, I didn’t make that link.
(and also, some people are awfully touchy in here – not you guy-I-replied-to)
Edited 2007-10-11 11:49
Just as obligatory, does it open ODF?
I really don’t get the point of your comment. XP itself doesn’t play media files – it’s the media player of choice that does so and there are 3rd party media players (VLC for one) that can play Ogg Vorbis as well as codecs available for media player and winamp.
Granted you would have a point if this thread was about WMP, but it’s not. 😉
It is just a meme that used to be very famous in tech discussions, especially on slashdot.
no one would really expect any Windows servicepack to add support for Ogg.
…for XP users. I’m glad to see they haven’t totally abandoned XP for Vista, yet.
As for this ‘wealth’ of new features, it sounds to me like they are mostly directed at the enterprise and adding support for their own upcoming server release.
One thing that I do find a bit worrying is this NAP mechanism for checking the patch status of a client system. Many companies still run WinNT4, Win2k and XP SP1 for application compatibility issues. If the minimum requirement for passing this NAP check is say XP SP2, then quite a few people will be severely put off.
Hopefully this is just a service that can be switched off, otherwise it’s just another forced upgrade from the boys in Redmond.
“forced”?
It’s only on win2k8 servers that there are these checks in place, and it’s a feature that seems pretty much made only for vpn and company intranet situations. No one’s going to intentionally cut off their websites to everyone who lacks NAP unless they have an obvious and potent reason.
Similarly, I don’t think it’s about client-server trust as much as it is client-client’s computer trust – if someone’s been naughty on the company laptop, you wouldn’t want whatever virus they may have spreading, would you?
Edited 2007-10-11 02:06
It’s quite obvious from the article that NAP is a Win2k8 feature, but that’s neither here nor there.
I’m not talking about home users not being able to connect to a website, that would be absurd. I’m talking about the amount of corporate systems that have been deployed that use older windows operating systems not being able to connect to a Win2k8 server.
What I actually stated was, I’m hoping that this is a feature that can either be tuned or turned off at will. The amount of people who will be severely put off if either of those situations were not the case would already be quite a few, not to mention all the hassle of needing to upgrade each client system to the NAP minimum requirements.
Many companies will want to deploy Win2k8 for its inherent security measures, its updated IIS and its Active Directory implementation. If a client side mass upgrade is needed, then certain sysadmins that I know will be severely put off. After all, very rarely does a sysadmin choose which course of action to take.
Influence? to a certain degree but actually make the final choice? Not very likely. That’s what managers get paid for. 😉
I’m hoping that this is a feature that can either be tuned or turned off at will.
Here you go: http://www.microsoft.com/technet/network/nap/napfaq.mspx
That article says a whole load of nothing, I’m afraid. It does state that MS are still considering support for NT4 and Win2k, but doesn’t give a time frame for when (no big surprise there).
I couldn’t find any information about the feature being a requirement or not, but I’m assuming by the setup instructions that it isn’t. Mind you, as it seems not to actually state anything of the kind, assume is all I can do at this stage.
That article says a whole load of nothing, I’m afraid. It does state that MS are still considering support for NT4 and Win2k, but doesn’t give a time frame for when (no big surprise there).
No surprise indeed – I’d be surprised if they would add support for them. They’re desperate in trying to get people to move to the support nightmare that is Vista. They have had to bow to popular demand when it comes to XP, but I’m sure they won’t bother to include support for any EOL-ed product.
One thing that I do find a bit worrying is this NAP mechanism for checking the patch status of a client system. Many companies still run WinNT4, Win2k and XP SP1 for application compatibility issues. If the minimum requirement for passing this NAP check is say XP SP2, then quite a few people will be severely put off.
No offense meant, but that makes no sense. It’s up to the server administrators to define NAP policies or not, as they see fit. If they define XP SP2 as the minimum requirement, that’s their prerogative, and the quite a few people who will be put off can go yell at them. The way you phrased it, it seems you’re advocating that the IT staff shouldn’t be allowed to control the networks they’re responsible for. That’s a bit disingenuous.
Hopefully this is just a service that can be switched off, otherwise it’s just another forced upgrade from the boys in Redmond.
It can be switched off. In fact, it must be switched on explicitly.
The client system needs to actually support this mechanism, i.e. a client side service needs to be running. If you check out the link that was posted a few posts further up, you will find that at the moment, WinXP SP3 is the minimum requirement. No plans on implementing this system for WinNT4 or Win2k have been announced.
I’d be happier if it needs to be specifically enabled, but considering the lack of knowledge you have displayed so far, I’ll not take your word for it.
The client system needs to actually support this mechanism, i.e. a client side service needs to be running. If you check out the link that was posted a few posts further up, you will find that at the moment, WinXP SP3 is the minimum requirement. No plans on implementing this system for WinNT4 or Win2k have been announced.
Apparently you can’t understand my point. It is up to the server to make the decision on whether or not to allow a non-supported client through. The decision is not made client-side – if it were, this facility would have no point in the first place. I suggest you think before typing.
I’d be happier if it needs to be specifically enabled, but considering the lack of knowledge you have displayed so far, I’ll not take your word for it.
Then read my post again, this time actually reading and trying to understand it.
Obviously it’s not up to the client who is let through or not. Man, it doesn’t take a genius to figure that one out!
Do you actually think that, as a system administrator, I wouldn’t understand that?
It’s the fact that this system does not, and likely will not, support any other version of Windows prior to XP SP3 that’s the question here.
There is nothing in that FAQ that you linked to that specifies whether once enabled you can then tailor this system to your own network. In fact, there is nothing that mentions whether this system is on by default or not.
The only one of my questions your link answers is that if your client side is not XP SP3, you can’t use the system.
Dude, read your own links before you start shooting people down.
Wouldn’t it be part of your network security policy to actually run up to date clients as well?
NAP or no NAP is entirely up to the admin, and it doesn’t make much sense to assume that there is only on or off for it. It’s more likely that you can set explicit exceptions if you want to use NAP but need some clients to run older versions that don’t support it.
Thank you. That’s what I was trying to convey, but Mr. SReilly obviously was too busy downvoting my posts to engage his mid-level cognitive functions…
If companies are still running NT4 for application compatibility, now would be a fantastic time to start looking into upgrading those applications, or looking into virtualization (either client or server side) to solve that problem.
There’s no other good reason to be running NT4 in 2007. Same goes for the other two you mentioned, to a lesser extent.
I know many sysadmins that wish it were that simple. 😉
Many apps are written by companies that either no longer update the apps, wrote apps that are specifically meant for one task only and then went bankrupt taking the source code with them, or are written with specific hardware in mind.
Obviously, the first two situations seem like they are easily surmountable with virtualization, but only at first glance. If these systems require network access, and more often than not they do, and the information required is served via a Win2k8 server that because of NAP will not allow them access to the required information, then suddenly virtualization becomes meaningless.
Obviously, if specific hardware is needed then no amount of virtualization is going to make it easier. If the exotic hardware drivers are not available for a more recent OS, no way will there be support for it in a virtualized environment.
Developing another solution is often far too expensive to justify on a tight IT budget, and looking for off the shelf solutions doesn’t help, as these systems were developed for the specific reason that there are no off the shelf solutions.
It’s just another one of those problems that you have to overcome when dealing with closed source proprietary systems.
Now if they could just back port DirectX 10 to XP people could have high speed gaming instead of using Vista, which seems to lower gaming performance due to overhead and driver problems.
WinXP + SP3 (enhanced security) + DX10 = Mostly Vista without Vista’s current issues.
WinXP + SP3 (enhanced security) + DX10 = Customer satisfaction.
WinXP + SP3 (enhanced security) + DX10 = No money for MS.
No money for MS = Not a single chance of this happening.
I don’t want to rain on anyone’s parade, but both XP and Vista are products and MS, as a business, wants to make as much money as possible from its products. Unfortunately for you (the user), MS can’t make as much money with XP as it can do with Vista.
Again: Not gonna happen, sorry.
PS: For the time being, XP is still useful for gaming. With some luck, Vista’s current gaming issues will be gone before MS phases out XP.
Edited 2007-10-11 03:18 UTC
No money for MS = Not a single chance of this happening.
Windows Vista – where is the money for MS?
They just have replaced one OEM system with another.
Actually, they might be selling more XP retail boxes now (to “downgrade” Vista) than Vista retail boxes.
Well, how is my money going to Redmond if I refuse to buy a 2000€ PC just so my comp can handle Vista + games?
Not Gonna Happen.
I hope there are others like me, because it’s time we (I mean you) stop buying MS products just for the sake of being an MS fan.
You mean me? A MS fan? I should mod you up for that one
And for those telling me that “MS is probably making more money with XP due to downgrades”, that’s just dumb.
You’re thinking like Vista had zero cost to MS, like they were sitting on their asses and Vista just happened to spawn on a disk. MS spent a royal ass-ton of money developing and promoting Vista, and that money HAS to go back to their pockets, including enough benefits to keep the share holders relaxed.
And even if this doesn’t have a significant economic impact on them, Vista “flopping” could do a lot of damage to a company that is no longer seen as “the good people who make apps for non-techies”.
As far as I can see, they need Vista to be a good seller.
You’re thinking like Vista had zero cost to MS, like they were sitting on their asses and Vista just happened to spawn on a disk. MS spent a royal ass-ton of money developing and promoting Vista, and that money HAS to go back to their pockets, including enough benefits to keep the share holders relaxed.
It’s called a sunk cost. Microsoft already spent that money creating Vista. There is no way to get it back. What you have to look at is what is the best way forward to continue making profits, regardless of the money you spent on Vista. If it’s a flop then cut your losses and create an alternate strategy. Companies that stand by bad decisions end up going down in flames.
Yep, exactly, and this ‘flopping’, as you call it, does more damage to people than good, because MS has not been an I’m-gonna-take-care-of-all-our-customers kind of company for a long time now.
They have to sell it and they will, and if they can’t convince people it’s the best system ever, they will take other measures, like not porting DX10 to XP and others, which is more than a big enough reason for me never to buy any MS product again.
And, no I didn’t mean you directly as a MS fan, just general population, which is sadly still in the oh i dunno 90%’s ? at least in desktop pc’s.
If they have the gall to ask that kind of money for Vista, I don’t see why they can’t sell SP3 instead of giving it away.
They could always call the new system WinXP Reloaded (or something like that) and charge for the service pack. And remember to make MUI a part of the upgrade. Why that isn’t generally available is a mystery to me. MUI is for Windows what gettext is for GNU. As it is now Windows is a joke in terms of localization.
DirectX 10 does not contain any features other than support for protected video path and incompatibility with DX 7 and DX 8.
Read this, or at least google a subject, before you type:
http://www.tomshardware.com/2006/11/08/what_direct3d_10_is_all_abou…
DX10 is available for XP (hack) on the net. I’ve seen it, but not tried it.
and they want their “secure” 3DES algorithm back.
“The new router detection scheme enables IP routers along the way to flag misbehaving PMTU candidates in advance and steer around them.”
Sorry, but this is nonsense and not at all what the feature does. As described here, the Windows IP stack would somehow instruct routers all across the planet how and where to route packets, and that is preposterous, to say the least. What it really does is make Windows detect black hole routers and adapt the PMTU accordingly.
There’s no way for Windows to control how and where packets get routed beyond the first gateway.
Edited 2007-10-11 03:54
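To make the correction in the reply above concrete (the sending host adapts its own path MTU after inferring a black hole router from retransmissions that time out with no ICMP; it never steers routers), here is an added simulation written for this page. It is not code from Windows or from the article. The hop names and MTUs are constructed, and the 536-byte fallback is the value commonly cited for Windows’ black hole detection, used here as an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    name: str
    mtu: int
    sends_icmp_too_big: bool   # False models a "black hole": oversized DF packets vanish silently


@dataclass(frozen=True)
class Outcome:
    delivered: bool
    icmp_mtu: Optional[int] = None   # next-hop MTU carried by an ICMP "fragmentation needed"


def forward(path: List[Hop], size: int) -> Outcome:
    """Walk a DF-flagged packet along the path. The sender never touches the routers;
    all it can observe is whether the packet got through and whether any ICMP came back."""
    for hop in path:
        if size > hop.mtu:
            return Outcome(False, hop.mtu if hop.sends_icmp_too_big else None)
    return Outcome(True)


def try_size(path: List[Hop], size: int, max_retries: int) -> Tuple[str, Optional[int], int]:
    """Retransmit one segment size until it is delivered, an ICMP arrives, or the retry
    budget runs out. Returns (status, advertised_mtu, packets_sent)."""
    for attempt in range(1, max_retries + 1):
        out = forward(path, size)
        if out.delivered:
            return "ok", None, attempt
        if out.icmp_mtu is not None:
            return "icmp", out.icmp_mtu, attempt
    return "timeout", None, max_retries


def classic_pmtud(path: List[Hop], start_mtu: int, max_retries: int = 3) -> Tuple[Optional[int], int]:
    """Classic PMTUD: the only adaptation signal is ICMP.
    Returns (final MTU, packets sent); MTU is None when the connection stalls."""
    mtu, sent = start_mtu, 0
    while True:
        status, advertised, n = try_size(path, mtu, max_retries)
        sent += n
        if status == "ok":
            return mtu, sent
        if status == "icmp":
            mtu = advertised
            continue
        return None, sent       # repeated silent loss: nothing to act on, the connection hangs


def blackhole_aware_pmtud(path: List[Hop], start_mtu: int, max_retries: int = 3,
                          fallback: int = 536) -> Tuple[Optional[int], int]:
    """Same, plus the heuristic the reply describes: retransmissions that time out without
    any ICMP are taken as evidence of a black hole router, so the sender shrinks its own
    MTU to `fallback` (536 here is an assumption; check what your stack actually uses)."""
    mtu, sent = start_mtu, 0
    while True:
        status, advertised, n = try_size(path, mtu, max_retries)
        sent += n
        if status == "ok":
            return mtu, sent
        if status == "icmp":
            mtu = advertised
            continue
        if mtu <= fallback:
            return None, sent   # even the fallback size is being dropped; give up
        mtu = fallback


def sample_paths() -> Tuple[List[Hop], List[Hop]]:
    """Constructed paths: a tunnel hop with a 1400-byte MTU that either reports or hides it."""
    well_behaved = [Hop("edge", 1500, True), Hop("tunnel", 1400, True), Hop("core", 1500, True)]
    black_hole = [Hop("edge", 1500, True), Hop("tunnel", 1400, False), Hop("core", 1500, True)]
    return well_behaved, black_hole


if __name__ == "__main__":
    for label, path in zip(("well-behaved", "black hole"), sample_paths()):
        print(label, "classic:", classic_pmtud(path, 1500),
              "black-hole-aware:", blackhole_aware_pmtud(path, 1500))
```

On the well-behaved path both senders converge on 1400 after one ICMP. On the black hole path the classic sender exhausts its retransmissions and stalls, while the black-hole-aware sender drops to the fallback size and gets through, at the cost of a smaller segment; every decision is taken on the host, which matches the reply’s point.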
They backport a feature to interoperate with Win2k8 and they add a router detection algorithm to the IP stack. This is somehow making XP “better than Vista?”
I really wish the so-called “tech press” were not just a bunch of monkeys writing random articles on random typewriters.
Vista was a dud, and the writers are hoping that XPSP3 will be some kind of holy grail fix-all. Sadly, XP is the hated younger son now that the new baby has arrived. Microsoft’s attention is elsewhere.
I’d pay for DX10 on XP, I won’t buy Vista. DX9 will work with most games. And now DX10.1 is out, so all you guys with DX10 cards are shit out of luck.
DX 10.1 works with DX 10 cards. No need to upgrade hardware (not that there are any games out for it, by the way).
Will NAP be included in windows home server?
No. From http://www.microsoft.com/technet/network/nap/napfaq.mspx :
Q. What is Network Access Protection?
A.
NAP is a policy enforcement platform built into Microsoft® Windows Vista™, Windows Server® 2008 (now in beta testing), and Windows® XP Service Pack 3 (which includes the NAP Client for Windows XP, now in beta testing) that allows you to better protect network assets by enforcing compliance with system health requirements. With NAP, you can create customized health policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance, and optionally confine noncompliant computers to a restricted network until they become compliant.
I can just find SP2 for WinXP on http://www.microsoft.com
Here: https://connect.microsoft.com
If you don’t have a MSDN subscription, though, you can’t get it from the official channels.
It is just a beta so I think it’s only for the testers.
Or rather, services similar to it. Many colleges and universities now won’t allow you to connect to their network unless you’re up to date on Windows patches and have anti-virus installed and up to date. NAP is just Microsoft’s version of this. It checks patch status, anti-virus, etc. to make sure (as far as it can) that a client connecting to the network isn’t an open liability. I’m sure you could even set it up through group policies to have it scan for open shares, weak passwords, etc. To me, this is a good thing. I’d also imagine the reason they’re not backporting to Win2k or NT is because, well, they’re either not supported anymore or reaching EOL.
As to whoever stated that DX10 brings nothing new but DRM: you, sir, need education. There are quite a few benefits to DX10 that can actually increase the speed of shader operations and allow for more interesting, movie-like effects. At this point though, people are still learning how to use it and, as we’ve seen with the so-called “mid-range” releases this year (85/600 series, I’m looking at you, and the 24xx+ series), their performance is sub-par to begin with. So are the DX10 cards. A lot of that has to do with drivers at this point, but it will improve.
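The health-check flow described in the post above (a server-defined policy that checks patch, firewall and anti-virus state and confines failing clients to a restricted network), together with the earlier point in the thread that NAP has to be switched on explicitly and that an admin would set explicit exceptions for clients too old to run the agent, as an added Python model written for this page. This is not Microsoft’s NAP implementation; the statement-of-health fields, the policy knobs, the hostnames and the dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Decisions a NAP-style server can take for one connecting client.
FULL, RESTRICTED = "full-access", "restricted-network"


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client-side agent reports about itself.
    Field names are assumptions for this model; real statements of health are vendor-defined."""
    firewall_on: bool
    av_on: bool
    av_signature_date: date
    last_update_date: date


@dataclass(frozen=True)
class HealthPolicy:
    """Defined by the server administrator; nothing here is supplied by the client."""
    enforce: bool = True                          # off unless explicitly enabled
    require_firewall: bool = True
    max_signature_age: timedelta = timedelta(days=7)
    max_update_age: timedelta = timedelta(days=30)
    # What to do with clients that cannot present a statement at all (no agent, e.g. NT4/Win2k):
    noncapable_action: str = RESTRICTED           # RESTRICTED or FULL
    exempt_hosts: frozenset = frozenset()         # named exceptions, always FULL


def evaluate(policy: HealthPolicy, host: str,
             soh: Optional[StatementOfHealth], today: date) -> Tuple[str, List[str]]:
    """Return (decision, failed checks). The verdict is computed on the server from the
    admin's policy; the client only supplies evidence. Note the evidence is self-reported,
    which is exactly the limitation raised earlier in the thread: a compromised client can lie."""
    if not policy.enforce or host in policy.exempt_hosts:
        return FULL, []
    if soh is None:
        if policy.noncapable_action == FULL:
            return FULL, []
        return RESTRICTED, ["no statement of health: client has no NAP agent"]

    failures: List[str] = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("host firewall disabled")
    if not soh.av_on:
        failures.append("antivirus disabled")
    else:
        sig_age = today - soh.av_signature_date
        if sig_age > policy.max_signature_age:
            failures.append(f"antivirus signatures {sig_age.days} days old")
    update_age = today - soh.last_update_date
    if update_age > policy.max_update_age:
        failures.append(f"last security update {update_age.days} days ago")
    return (RESTRICTED, failures) if failures else (FULL, [])


def demo(today: date = date(2007, 10, 11)) -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample clients; hostnames and dates are made up for illustration."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)

    policy = HealthPolicy(exempt_hosts=frozenset({"nt4-labelprinter"}))
    clients: Dict[str, Optional[StatementOfHealth]] = {
        "desktop-01":         StatementOfHealth(True, True, ago(1), ago(3)),
        "laptop-roadwarrior": StatementOfHealth(False, True, ago(40), ago(90)),
        "nt4-labelprinter":   None,   # legacy box, explicitly exempted by the admin
        "win2k-oldapp":       None,   # legacy box, not exempted
    }
    return {host: evaluate(policy, host, soh, today) for host, soh in clients.items()}


if __name__ == "__main__":
    for host, (decision, why) in demo().items():
        print(f"{host:20} {decision:20} {'; '.join(why) or 'compliant'}")
```

The failure list doubles as the remediation message the restricted client would receive, which is the "alert IT that a machine isn’t getting updates" effect an earlier post mentions; the `exempt_hosts` and `noncapable_action` knobs are where the thread’s legacy-client question lands in practice.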
To me, it’s ridiculous. This is totally going overboard with patchwork and treating symptoms instead of the disease. Security holes should be fixed by fixing the application with the holes, and fixing Windows itself. And as much as I’d like Vista to blow in Microsoft’s face, from a security standpoint it’s better than the web of patches that XP is.
You know when I’ll consider Windows secure? When I’ll be able to put a Windows machine on a public IP without antivirus and firewall and not have anything bad happen to it. But it will never happen, because of bad applications. People will keep installing stuff they simply find on the Web, which is closed source and can contain security holes and spyware.
Or perhaps it will, but a radical change in the consumer’s mindset must occur first. They must stop taking security problems for granted. Years of using OS X and Linux have made me extremely demanding, as any user should be of their own machine. Getting ANY malware on my box is NOT AN OPTION, any more than it is to sleep and eat with cockroaches.
That’s the way life works for the Windows cognoscenti. AV and firewall are unnecessary if you keep careful control of your box (by not installing untrusted software and by installing patches soon after they come out).
I have used a system without a firewall or AV for several years running Win2k and then WinXP both before and after SP2. No viruses and no problems. Don’t give me the “How do you know you were clean?” line… I have used rootkit revealer to check for any low-level malware and I can identify every running process on my machine.
Windows is not riskier than other OSes because of its design. It is risky because the authors of malware (which is quite often unsophisticated except in its social engineering) find it easy to write Windows programs.
I urge everyone to stop buying into the fear culture of the AV and Personal Firewall vendors. Their products sap your computer’s performance for marginal gains in security. A far better way to get an even higher level of security without a performance impact is to invest in a strong automatic backup system and do periodic scans with one of the free AV scanners. If viruses are found, just restore the last good backup and avoid the behavior that led to that virus. This backup is also pretty useful if your hard drive fails.
No, it is treating the issues. The user is insecure. They are the greatest point of infection and misuse. Users don’t update, they don’t use common sense, and most of all they don’t use restraint. This removes part of the equation: YOU force the user to be updated and secure before they gain access. It protects the network, the users, and the public at large. You can set up Unix machines and networks to do the same thing. In fact, it’d be smart.
And don’t give me the BS about a Windows machine sitting out on the network without AV and firewall being secure. Go ahead, stick a Linux box out on the open without a firewall running, same with OSX, and see how long till it’s owned. Guess what machines are controlling the Windows bot networks now? Linux boxes.
Security is a multi dimensional equation. It doesnt just deal with the OS code, its the user as well.
Go ahead, stick a Linux box out on the open without a firewall running, same with OSX, and see how long till it’s owned. Guess what machines are controlling the Windows bot networks now? Linux boxes.
First of all, I happen to own 6 Linux boxes, I have one of them act as a server and is on 24/7. None of them runs a firewall or antivirus. No break-ins whatsoever. NONE. And yes, for example this laptop I am writing this on is in use on a daily basis.. Oh, almost forgot that my sis had Ubuntu on her laptop too before the laptop got broken.
Besides, what does that have to do with anything what OS the botnet controllers are using? It could just as well be Windows, some BSD, SkyOS or whatever.
I don’t really understand the point behind your post anyway. This article is about Windows, not Linux.
The point of my post was another a reply to another person who was once again stating a fallacy in that these problems never happen with alternate operating systems like Linux/OSX/whatever the soup of the day is. Fact of the matter is, they do happen.
Also, for future reference, most Linux distributions ship with iptables (a firewall) enabled by default. It just might be set to allow all, or deny all. So yes, you are running a firewall.
Well, yeah, most distros have iptables enabled in the kernel but if it is not in use do you actually run a firewall? Anyway, I use Gentoo, haven’t had any use for iptables so left it out completely
But well, when comparing Linux to Windows you do notice that most Linux distros have fewer ports open. Like, for example, on my machine I only have portmap and an ssh server running. On a default Ubuntu installation you don’t even have an ssh server installed, so that makes even fewer open ports to attack. No open ports = not possible to attack.
//You know when I’ll consider Windows secure? When I’ll be able to put a Windows machine on a public IP without antivirus and firewall and not have anything bad happen to it. //
If you do that with any OS, you’re a complete idiot.
All I care about Windows now is my time in BattleField 2142, other than that I am happy with Ubuntu, thanks but I mean windows patches, no thanks.
Is XP SP3 going to be as slow as Vista, or is that a non-goal for this service pack?
Probably not. I doubt MS would make XP slower just to encourage people to switch to vista. But who knows?
Except for DX10, I find no compelling features in Vista. Killing a laptop battery fast by using the GPU for everything is not a feature.
Except for Cleartype and 48-bit hard drive addressing, I found few compelling features from Windows 2000 to XP. (BTW, the 48-Bit addressing was patched in a non-official service pack which can be slipstreamed.)
XP was included with my new notebook, but except for games and Photoshop, I can use Ubuntu.
So, we finally can buy solid state hard drives, but operating systems are becoming so bloated, they can’t really work well on smaller drives, and their size makes patching a daily process.
Killing a laptop battery fast by using the GPU for everything is not a feature.
Unless you have driver issues or something that should not be happening.
I have had no problems getting 4 hours of battery life out of my thinkpad running Vista with Aero turned on.
Are you saying that Windows XP (SP2) doesn’t have support for 48-bit addressing, even on Ultra133 PATA or SATA controllers? I thought the hardware took care of that but maybe I’m wrong here.
I don’t know how Windows copes with large physical hard drives since I have only run it on virtual hardware for the last five years. VMware doesn’t allow for larger hard drives than 128 GB, as far as I know.
If you read the OP again, he says that XP does have cleartype and 48-bit addressing, while Windows 2000 doesn’t (except for an unofficial patch)
LBA48 was introduced in a 2000 service pack and can be enabled via a registry key, I wouldn’t call that an “unofficial patch” as I suspect there is a MSDN page for it *somewhere*
I urge everyone to stop buying into the fear culture of the AV and Personal Firewall vendors
Yeah, everyone let the attackers in, or just ditch wintarget for Linux. Really, why say don’t use an AV or firewall? I have an AV, firewall, Spyware Blaster, and an anti-spyware. I still get spyware and viruses at times. Do I go to porn and warez sites? No, I don’t. So safe surfing isn’t always the answer.
Edited 2007-10-11 17:10
Actually, this isn’t a stupid idea, if you have a router separating you from the internet, this is a pretty good filter for unsolicited traffic. Add that to safe-surfing habits and you have a pretty secure setup, even without virus checkers. I don’t run an on-access virus scanner any more, just run regular (weekly) one-off scans of my entire system.
OSNews doesn’t even mention Service Pack 2c? The new SP2c for XP?
It’s because sp2c is not really a new service pack. It just adds some new CD-keys.
Slipstream it, and it saves you an hour or two of downloading from Windows Update.
Other “features”…..meh….no thanks. I don’t want my XP acting anything remotely like Vista, thank you very much.