Windows XP, the long-awaited merger of Windows versions based on DOS and those grounded in NT, was released last week in New York. Our testing showed there are many implications to consider before deploying XP wholesale on your corporate network, including new and enhanced distribution methods, changes to the networking stack and potential privacy issues.
Overall, XP is a relatively reliable operating system, has an overhauled user interface and includes multimedia enhancements.
XP comes in two editions, Home and Professional. Server versions of XP will likely be released in the second quarter of 2002. The Home Edition lacks enterprise functionality including tiered authentication services, IP Security (IPSec) VPN support, endemic file/folder encryption support and back-up software. Microsoft Corp. has imposed limitations on usability of the Home Edition in business networks, but has paid attention to building residential networks from XP and connecting those networks via XP Home Edition to the Internet.
The strongest enhancement to the XP Professional Edition is the delivery on promises Microsoft made for Windows 2000. Group policy administration (via the Win 2000 Active Directory) components are easier to define and manage. There are more than 200 more policies for desktop lockdown, defining users and security setup than in Win 2000. The new Resultant Set of Policy utility gives you on-the-spot policy configuration information about any PC or logged-on user and can help you to debug policies for that PC.
User mobility functions are improved. IntelliMirror functions, which let users easily take their PC desktop and folder settings to other computers, have been improved. Users can place files from a local, network or Internet files/data source into portable cache, making the data on remote machines available to authenticated users.
Additionally, hardware power management has been largely perfected, and the ability for a single PC to support multiple users has been upgraded without sacrificing user privacy or security for group-applied policy characteristics.
Getting to XP
From an installation perspective, XP is what Win 2000 should have been. There are many flexible installation choices and distribution options, far better attention to existing applications compatibility and far less software driver chasing than was necessary with Win 2000. We had trouble finding hardware that didn’t work with XP upgrades from Windows 98 or Win 2000. It also has the first compelling user interface changes in six years – XP is actually pretty.
The biggest frustration we found with XP is the lack of Java support in its browser. It’s an immediate show-stopper because familiar Java apps – from simple games to sophisticated SNMP monitoring programs – simply don’t run at all. Fortunately, a Sun-sponsored interim Java Virtual Machine can be found on the Web.
Registration is now a part of installation, and there’s little choice but registering the license of an XP installation because it soon expires. On the downside, XP versions won’t load if the license is moved or migrated to another PC. This potentially places a burden to purchase additional licenses for XP support in large installations to overcome hardware disasters.
However, in our tests we were able to change a significant amount of hardware in a PC before XP wouldn’t load. We don’t know the exact formula that stops XP from thinking it’s been moved, but we found that motherboard changeouts or significant upgrades (especially CPU changes) are likely to trigger XP licensing expiration notifications. We also found the Automated System Recovery feature included in the bundle has no implications on licensing unless aforementioned hardware features were dramatically changed.
The Networking News
XP Professional hardware and network detection has advanced significantly, and it does a better job than previous versions in detecting its network environment and subsequently making correct installation settings. Wizards invoked by XP during upgrades and fresh installations complete quickly and accurately, with often with little or no user intervention.
XP doesn’t present any dramatically new or different reactions in the International Standards Organization/Open Systems Interconnection Layers 1 through 4 over Win 2000 – with important exceptions noted below. Unlike its predecessor, XP allows applications nonroot, raw TCP/IP sockets access. This unprecedented access lets applications tap into the Winsock API (which controls network communications among other tasks) without control of the operating system kernel.
The good news is that streaming media and TCP/IP communications such as browser, mail and/or multimedia traffic no longer necessarily transverse kernel address space, and the kernel might become more stable as fewer demands will be placed upon it. Timing-sensitive, sophisticated multimedia applications may have a smoothness and performance improvement as another result. The smoothness effect is more pronounced in older and/or slower PCs.
The downside is that non-root raw sockets access also means that XP workstations, once infected with aggressive or hostile code in the form of viruses, Trojans, zombies, etc., could wreak havoc on network segments, as applications can gain control of the Winsock API stack autonomously and unauthenticated. In some cases, that’s possible in current Windows versions but it’s more difficult natively as raw socket capability can be installed through third- party tool kits – potentially letting hostile code to gain control.
Most networked PCs haven’t used non-root raw sockets before because they haven’t needed them. Microsoft apparently felt that improved performance was needed over the potential for harmful interaction with hostile code.
There are no currently known attacks that can take advantage of this feature, and future security updates may prevent difficulties. But it places a certain burden on network professionals overseeing XP deployments to have integral firewall protections in place. Microsoft includes one, called the Internet Connection Firewall, which can be used on LANs, VPNs or dial-up connections to remote access servers or ISPs. However, we noted that Internet Connection Firewall affected Ethernet performance in some cases. We noticed this effect on machines that meet the minimum CPU speed requirement (300 MHz). XP Professional and Home Editions required a SirCam Virus patch, but otherwise survived our Internet Security Systems RealSecure Scanner testing of the firewall and other port probes. The firewall includes network address translation that didn’t render the IPSec VPN protocol unusable as other personal firewall products can.
XP also supports Session Initiation Protocol, an enabler for IP telephony and directory-based messaging services, and includes a peer-chat feature called Windows Messenger that some organizations will support and others will take pains to block because of its potential abuse and/or misuse. Our tests proved it isn’t tough to disable on individual machines or to extract from corporate upgrade distributions.
Organizations wanting the comparative reliability of Win 2000 will find that the wait for XP has likely been well worth it. However, before you deploy it, consider the sensitivity points of privacy, applications life cycle and compatibility, and the potential danger from raw access to the TCP/IP sockets. A final consideration is that getting too far behind the current Windows revision demands an ever- enlarging upgrade price-tag tax from Microsoft, as Microsoft has changed XP pricing so that it is more expensive to move to XP from Windows NT or 98 than from Win 2000.
Henderson is principal researcher for Extreme Labs Inc. of Indianapolis. He can be reached at [email protected].
Prices listed are in Cdn currency.
