THE OFFICIAL BLOG OF THE SBS "DIVA"

[Borrowing a post from the newsgroups]

Is it out yet?
Yes. To beta testers at this time.  Should be on the Download site on Monday:

http://blogs.msdn.com/mswanson/archive/2004/08/06/210345.aspx

The release to manufacturing (RTM) version of Windows XP Service Pack 2 is now available for download via MSDN Subscriber Downloads. The CD ISO image weighs in at 475.35MB.

If you’d rather let Windows Update automatically install it, visit this page to ensure that your Internet Connection Firewall and Automatic Update settings are configured correctly. I don’t think it’s available through Windows Update quite yet, but enabling these features will allow your computer to download it as soon as it’s posted.

This is a fantastic release with a lot of new security features. I’ve been running various builds of SP2 over the past few months, and I’ve loved every minute of it. The pop-up blocker is a very welcome addition, the much improved firewall is easy to configure, and I find that I don’t have nearly as much spyware finding its way onto my computer. Some of the areas that have been improved are: network protection, memory protection, safer e-mail handling, enhanced browsing security, and improved computer maintenance.

From a customer-ready e-mail that is being sent out:

I am pleased to inform you that Windows XP Service Pack 2 released to manufacturing on Friday August 6, 2004. Windows XP Service Pack 2 contains major security improvements designed to provide better protection against hackers, viruses, and worms.  Windows XP Service Pack 2 also improves the manageability of the security features in Windows XP and provides more and better information to help users make decisions that may potentially affect their security and privacy. 

On Monday, August 9, 2004, the full network installation package for Windows XP Server Pack 2 will be posted on the Windows XP Service Pack 2 site on Microsoft TechNet (http://www.microsoft.com/technet/winxpsp2).  This site is also the best resource for accessing the most up-to-date technical information regarding Windows XP Service Pack 2. 

On-line distribution will be the primary distribution vehicle for Windows XP Service Pack 2 and below is a summary of the key milestones of the distribution plan:

8/6  Release to manufacturing
8/9  Release to Microsoft Download Center (network installation package)
8/9  Release to MSDN subscription site (CD ISO image)
8/10  Release to Automatic Updates (for machines running pre-release versions of Windows XP Service Pack 2 only)
8/16  Release to Automatic Updates (for machines NOT running pre-releases versions of Windows XP Service Pack 2)
8/16  Release to Software Update Services
Later in August Release to Windows Update for interactive user installations

Because of the significant security improvements outlined above, Microsoft views Windows XP Service Pack 2 as an essential security update and is therefore distributing it as a “critical update” via Windows Update (WU) and the Automatic Updates (AU) delivery mechanism in Windows. Microsoft is strongly urging customers with Windows XP and Windows XP Service Pack 1-based systems to upgrade to Windows XP Service Pack 2 as soon as possible.
--------------------------------
What do we SBSers need to do specifically?

If you want to be able to enable the firewall INSIDE your networks, install
http://www.microsoft.com/downloads/details.aspx?familyid=d70097c2-4317-40e0-b7da-feb52c6b6386

This update enables and configures the Windows Firewall in Windows XP Service Pack 2 on Windows Small Business Server 2003 networks.

ONLY install this after you have at least one machine in the office at XP sp2 RTM as the group policy will no longer be able to be edited from the server until this is released: 
842933 - "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP, or Windows 2000:
http://support.microsoft.com/?kbid=842933
[I called about 2 hours ago and they are working on the 2k3 version]

-------------------------------
More reading on this
http://download.microsoft.com/download/7/9/a/79a88f49-5a0f-42f8-b6bb-63939752fb80/SBS_XPSP2.DOC

--------------------------------
What if I do nothing?
Then the firewall will be disabled inside the network and while the active X and pop up blocking will be in place, the internal firewall blocking will not.
----------------------------------
What's the most impact I will see if I install this?
Quite frankly on my desktop at the office where I have been running the RC2 candidate, none of my applications have been affected in any way, shape or form.  The install does take a bit of time [its a 200+kb file and ensure that you archive the bits when installing.  Once it installs the first screen up will look a bit text-installer like and then it will ask you if you want to enable auto update.
First screen
http://www.winsupersite.com/images/reviews/xp_sp2_02_01.gif
----------------------------------
What's this I hear about the security center?
This is kewl as it monitors your patch level, your firewall status and your antivirus level.  It will know that Trend SMB is loaded and alert you if it might be out of date.  Symantec doesn't at this time but the patch is expected soon.  Etrust needs to be on the latest and greatest engine/client to work properly.
Looks like this [obviously Paul's wasn't fully enabled]
http://www.winsupersite.com/images/reviews/xp_sp2_02_02.gif
----------------------------------
What the pop up blocker and active x blocker do?
I see the most impact for me on business web sites like www.bankofamerica.com where we had to manually add the web site and the site it "launches off to" when making tax payments electronically so we could get page properly. 

When you get to a page that the IE blocks some possible harmful scripting and you need to enable it [like the first time you go to Remote Web Workplace after installation] the IE info tool bar will let you know what to do:

http://blogs.msdn.com/tonyschr/archive/2004/06/15/156787.aspx

The pop up manager can be adjusted as well and looks like this:
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/popupmanager.aspx
http://www.winsupersite.com/images/reviews/xp_sp2_ie_pop-up-blocker.gif
----------------------------
What about the firewall? Won't it stop programs?
If you are running with local admin rights the programs should just poke their own holes through without issue
http://www.winsupersite.com/images/reviews/xp_sp2_security_alert.gif
One thing to check [and unfortunately I can't here at home] On my original test of RC1  I had to manually make a port exception for tcp 27529 for Trend to pick up the dat file updates [SMB suite]  I've heard from other folks that later builds did not need this manual adjustment.  If someone else newly installing this can let me know if this is true, I'd appreciate it.
---------------------------------
What about SBS 2000?  Doesn't it need a patch too?
No,  the firewall and everything on the XP sp2 client will work independently of the server and you won't need to adjust any group policy to make anything work.
-------------------------------
The biggest impact in my office?
On the four machines that are running the sp2, I've had to let folks know how to add a web site to the trusted site zone to enable scripting when needed and to add sites to the pop up tool bar. 

As I've posted in my blog:
http://msmvps.com/bradley/archive/2004/08/04/11232.aspx

"I haven't met a web site yet that I couldn't get to work with XP sp2.  Now mind you I'm adding a few to my “trusted site zone“ settings with my handy dandy Trusted site tool bar add in that works on XP sp2, IE 6 [I'm starting to sound like a broken record but I'll post it again]

http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx

ooh and BobP posted in another example at http://www.jasons-toolbox.com/programs.asp?Program=Trust%20Setter

----------------------------------
How soon should I be rolling this out to clients?
Of course, after you test it.  But I can say it's been very stable for me.  Call your clients and inform them that if they are still on 98, this is the time to get off that platform and get on a OS that is much much better built for spyware and malware protection