Personally, I'm going to reserve the right to decide when to deploy SP2 on my own PCs. In the meantime, I'm going to learn as much as I can about SP2, starting with how it will affect wireless LAN connectivity.
SP2 in a nutshell
Many WLAN users installed some of the features associated with SP2 last summer, when WPA upgrades first became available as a standalone patch. But SP2 enhancements extend well beyond wireless. The biggest changes include an entirely new version of Microsoft's desktop firewall; security additions to Internet Explorer, like a new pop-up ad blocker; and security-related improvements to Outlook, like Web content blocking and text message viewing. To learn more about these enhancements, visit Microsoft's What's New In SP2 Web page.
Of these changes, the new Windows Firewall is likely to have the greatest impact on network connectivity and associated drivers. Earlier versions of Windows XP included an Internet Connection Firewall (ICF), disabled by default and buried beneath the "Advanced" properties panel. Many don't use ICF at all, opting to use third-party desktop firewalls instead. Those who do use ICF typically enable it only on untrusted connections, like dial-up, DSL, and WLAN adapters.
In SP2, the revamped (and renamed) Windows Firewall is turned on by default, for all connections, and launched at system boot. This proactive approach affords better protection, but will require fine-tuning by most users. For example, if you're accustomed to sharing files or printers on your WLAN, you'll need to add exceptions to the default Windows Firewall. Exceptions can be made by application or port, allowing access by any computer, only those on the local subnet, or specified addresses. To learn more, visit this Microsoft Windows Firewall Web page. If you use a third-party desktop firewall like Zone Alarm or Norton, visit your vendor's Web site for SP2 compatibility details.
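The exception scopes described above can also be set from the command line. The batch script below is an added example, not part of the original column; it uses the netsh firewall context that ships with SP2, and the port number, addresses and program path are constructed placeholders.

```bat
@echo off
rem Added example: scoping Windows Firewall exceptions on XP SP2 for a WLAN.
rem Port 9100, the 192.168.1.x addresses and the program path are
rem constructed placeholders; substitute your own values.

rem Broad form, shown commented out for comparison: file and printer
rem sharing reachable from any computer that can reach this adapter.
rem   netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL

rem Narrower form: the same exception, limited to the local subnet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

rem Exception by port, limited to specified addresses.
netsh firewall add portopening protocol=TCP port=9100 name="Print server (example)" mode=ENABLE scope=CUSTOM addresses=192.168.1.20,192.168.1.21

rem Exception by application, limited to the local subnet.
netsh firewall add allowedprogram program="C:\Program Files\Example\sync.exe" name="Example sync tool" mode=ENABLE scope=SUBNET

rem Review the resulting exception list and the scope of each entry.
netsh firewall show config
```

On a shared or public WLAN the local subnet includes the other stations on the same IP subnet, so SUBNET scope narrows exposure only on a network you control.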
Wireless wizardry
Drill deeper into SP2, and you'll find a lengthy list of OS and application tweaks, including several that apply specifically to 802.11 wireless networks.
- Wi-Fi Protected Access (WPA), first distributed as a standalone patch last year, now becomes an integral part of Windows XP in SP2. WPA adds TKIP and AES encryption options, and 802.1X and PSK authentication options. Whether you can actually use those options depends on your 802.11 adapter, but most 802.11g products now support WPA with at least TKIP. Note that this patch supports WPA (the October 2002 802.11i snapshot), not WPA2 (the final June 2004 802.11i standard). To learn about differences between WPA and WPA2, see my July 2004 WLAN Advisor column, 802.11i: Robust and Ready to Go.
- Wireless Network Connection windows have been augmented to display more information when attempting to associate with a WLAN. For simplicity, earlier versions of XP displayed precious little information -- just the network's name (SSID) and mode (infrastructure or peer-to-peer). SP2 adds the security level and signal strength for each discovered WLAN. New connection status messages make it easier to tell whether your station has successfully obtained an IP address via DHCP.
- The Wireless Zero Configuration Service has been extended to facilitate debugging by generating a pair of trace logs (Wzcdlg.log and Wzctrace.log). If you're having trouble connecting to a WLAN -- in particular, authenticating using 802.1X -- these new trace logs will be a very welcome addition.
- A new Wireless Network Setup Wizard has been added to automate wireless device configuration by writing settings, in XML format, to a USB flash drive. If you've used the XP Network Setup Wizard to configure a Windows Workgroup for resource sharing, then you'll find the Wireless Setup Wizard somewhat familiar.
- Wireless Provisioning Services (WPS) have been added to automate subscriber enrollment when visiting Wi-Fi hot spots that use Windows 2003 Server and Microsoft's AAA server (IAS) for 802.1X authentication. WPS is still being trialed by providers, so this addition probably won't have immediate impact on most users. Providers who want to learn about WPS should read this Microsoft TechNet article.
Further information about these and other wireless-related SP2 changes can be found in this Microsoft TechNet article, including screen snapshots that illustrate the new setup wizard, wireless network connection properties, and status messages.
Wait and see
If you're a network administrator, you've probably already downloaded the SP2 installer and started experimenting with it. If you're an end user, my advice is to sit tight and resist the temptation to install SP2 immediately. You can install the WPA patch without jumping headfirst into SP2, and still get the most significant wireless enhancements.
In the long run, SP2 security improvements to the Windows Firewall and Internet Explorer are likely to have a much bigger impact. Unless you have a compelling reason to leapfrog the crowd, let organizations with large IT departments take the lead on debugging SP2 deployment. Wait for the dust to settle, and then take the jump to SP2.
About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in August 2004