Make sure you're prepared for Windows XP SP2's upcoming deadline

After April 12, 2005, Windows XP systems will automatically begin downloading and installing Service Pack 2. Is your organization ready? Find out what SP2 has to offer, and learn how you can disable the automatic update if you need more time.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

If your organization uses Windows XP and you haven't deployed Service Pack 2 (SP2) yet, time is quickly running out. After April 12, 2005, Windows XP systems will automatically begin downloading and installing SP2. If you haven't finished testing SP2 in your network environment, it's time to get moving.

Because of the various features and functionality that SP2 modified and updated, Microsoft offered users the ability to delay the automatic update of this service pack. Last August, the company released several measures to stop the delivery of XP SP2, including group policy templates and a number of scripts for different types of corporate systems.

All of these measures essentially performed the same function: They created a language-independent registry key.


A value of 1 for the DoNotAllowXPSP2 key disables delivery of SP2 via Windows Update and the Automatic Update service. If the value is not 1 or the key doesn't exist, the system can download and install SP2 as long as the Windows Update site is accessible or the Automatic Update service can receive updates from the Microsoft Windows Update site.

This new registry key is strictly for the purposes of disabling and re-enabling the delivery of SP2. After April 12, Windows Update and the Automatic Update service will ignore the presence of this registry key and download SP2 regardless of its existence.


SP2 Resource Center
Visit our SP2 Resource Center for more SP2 news, downloads, and discussions.

What SP2 has to offer

While it is possible to get around this automatic update, it's important that you understand which security enhancements your organization will miss out on if you choose this route. The service pack addresses 51 different security bulletins that cover eight different vulnerabilities and 17 buffer overrun conditions that could lead to a system compromise.

In addition, the update adds a number of security enhancement technologies. Here are some of the highlights:

  • Network protection: SP2 turns on the Windows Firewall by default and closes all ports, except those identified as in use. You can control the Windows Firewall via group policy.
  • Memory protection: Microsoft has recompiled core Windows components with the most recent version of its compiler technology, providing added protection against buffer overruns.
    In addition, CPUs that support hardware-enforced Data Execution Prevention (DEP) can mark memory locations in an application as nonexecutable. Therefore, when an attacking worm or virus inserts program code into a portion of memory marked for data only, an application or Windows component will not execute the code.
  • E-mail handling: SP2 includes default settings that have enhanced security and improved attachment control using the Attachment Execution Service (AES) API. This means enhanced security and reliability for Microsoft Outlook, Outlook Express, and Windows Messenger. It isolates unsafe attachments sent through e-mail and instant messages, making them less likely to affect other parts of the system.
  • Browsing security: SP2 locks down the Local Machine zone in Internet Explorer to prevent the running of malicious scripts and harmful Web downloads. In addition, it provides better user controls that help prevent malicious ActiveX controls and spyware from running without users' knowledge and consent.

Working around the April deadline

However, your organization can still opt to not receive SP2, but your options depend on the complexity of your network. Let's take a look.

Option 1: Manage your own updates

You can choose to deploy and manage updates through your own Microsoft Systems Update Server or Microsoft Systems Management Server. By using either system, you can approve or disapprove any and all updates.

Option 2: Disable all updates

You can disable the Automatic Update service on all of your organization's XP workstations. To do so, follow these steps:

  1. Go to Start | Run, enter services.msc, and click OK.
  2. Double-click Automatic Updates, and change the Startup type to Disabled.
  3. Under Service status, click Stop.
  4. Click Apply, and click OK.

You can also disable services through a group policy by editing the settings under Computer Configuration | Windows Settings | Security Settings | System Services.

Keep in mind that neither option will prevent a user from visiting the Windows Update site and updating his or her local workstation (as long as the user has the appropriate permissions).


SP2 Resource Center
Visit our SP2 Resource Center for more SP2 news, downloads, and discussions.

Final thoughts

If you haven't finished testing Windows XP SP2 in your organization, there's no better time than the present. While it may be tempting to ignore the update, the security issues it addresses are worth the effort.

If your organization does need additional time to address compatibility and other issues, you can still delay the update, but you must act now. While it's important to deal with these issues first, don't put off SP2 forever and leave your organization's systems open to potential attacks.