How long can you wait for security?

I do hope you saw the story in Network World last week, in which Bill Gates is quoted as saying that in the not-too-distant future security will come to be seen as a Microsoft strength (see editorial link below).

In speaking to financial analysts, Gates touted Windows XP Service Pack 2 and the next version of Windows Server 2003 (codenamed R2) as bringing a new and unprecedented level of security to Microsoft’s operating systems. When we’ll see these improvements, though, is still anybody’s guess.

The release of SP2 has been put off multiple times. Some, supposedly “insider” sites, had the release scheduled for last week. Others are looking at late August as more realistic. Microsoft, in its latest pronouncement said “August” – but we’re almost halfway through the month. R2, the update for Windows Server 2003, is even further away with Microsoft only admitting to “2005,” but most prognosticators believing that late 2005 is more accurate.

How long can you wait for security?

Late last week Redmond announced that SP2 for Windows XP would be a problem for those using its customer relationship management (CRM) software. Microsoft Business Solutions CRM Sales for Outlook 1.2 will need additional patching as well as a good deal of manual tweaking in order to get it to work with SP2.

So now what do you do?

SP2 will make your desktops more secure, but the CRM warning also implies that SP2 could break other applications. Traditionally, network managers would thoroughly test patches before applying them to production systems. But the need for better security has caused many people to minimize or eliminate the testing in order to get patches in place as quickly as possible.

Would you rather the system be insecure or unstable?

In the case of XP2, I’d come down heavily on the side of test before production. It’s an update for the desktop systems that should already have fairly good security protection from your firewalls and servers (as well as a heavy use of group policies!). If you’ve followed the security updates closely, if you’ve modified the insecure default settings on your systems, then your security should be fine. XP2 might enhance it, but the bigger problem could come from unstable systems. Users panic when their desktops are unstable, and panicked users cause terrible problems for network management.

Looking ahead to R2, well, that’s pretty far in the future and maybe the situation will change by then. There was another quote from Gates in the news article I mentioned at the top of this newsletter that to me was even scarier than the claims about Microsoft and security. Come back next issue to see what I mean.