The Other Side of SP4: New Features Can Bring Unwanted Problems

• 11/04/1998

Rob Enderle, a senior analyst with consultancy Giga Information Group (Santa Clara, Calif., www.gigaweb.com), expresses concern over Microsoft’s delay in getting SP4 out the door, noting that rather than attempting to stabilize the Windows NT 4.0 code base, Microsoft introduced several new features with SP4 that could compromise the stability of Windows NT systems. "This is one of the practices that makes us very nervous about NT," Enderle maintains. "Microsoft has been slipstreaming features into NT 4 service packs for some time, a practice that we believe is counter to what a service pack is supposed to do and creates additional instabilities in what is supposed to be Microsoft's most stable platform."

In response to these types of concerns expressed in the past, Microsoft announced in October 1997 that forthcoming Windows NT service packs would introduce only integrated bug fixes and core operating system updates. At the time, the software giant indicated that new Windows NT features would be implemented through the medium of Windows NT Option Packs, the first of which was introduced in December 1997. "In the past, we said, 'Here's NT,' and we released bug fixes called service packs. Then we started sneaking features into service packs, and that kind of got out of control," acknowledged Mike Nash, Microsoft’s director of product marketing for Windows NT Server and infrastructure products, at the time.

In May 1998 Microsoft reversed course, however, and announced that the forthcoming SP4 release would contain new features, such as a Security Configuration Editor (SCE) and support for DCOM-over-HTTP tunneling, among other new technologies.

One of SP4’s most highly touted new features is the SCE, a tool that allows administrators to more easily lock down client workstations and servers. Many Windows NT systems administrators, such as David LeBlanc, a senior Windows NT systems engineer with security software vendor Internet Security Systems Inc. (Atlanta, www.iss.net), feel that the SCE could be SP4’s most significant new feature. "The new Security Configuration Editor provides significant new functionality, and will be helpful in maintaining a consistent security posture across the enterprise," LeBlanc maintains.

But the SCE isn’t available in the downloadable version of the service pack. IT managers who wish to take advantage of SP4’s enhanced functionality must wait until the first CD-ROM releases are shipped.

For Phil Cox, a staff member with the U.S. Government's Computer Incident Advisory Capability (CIAC, Livermore, Calif., ciac.llnl.gov), this oversight on Microsoft’s part is a big disappointment. "The SCM -- security configuration editor/manager -- does not come in the download-only version of the service pack but is only available on the CD, which has a three to four week lead time," Cox explains. "I was most displeased with this, as this was one of the major functionality points for the SP release."

According to Frank Knobbe, a senior security consultant with systems integrator MicroAge (Nashville, Tenn., www.microage.com), SP4 has met most of his expectations. While many IT managers undoubtedly looked forward to tinkering with new SP4 features such as the SCE, Knobbe confesses that he’ll likely deploy SP4 simply as a consolidated means of applying hotfixes to Windows NT systems. "The only reason that many people were looking forward to SP4 is not because they were curious about the issues that have been fixed -- those were available as hotfixes -- but because it is more convenient to install a single Service Pack rather than 20 hotfixes," Knobbe notes.

Hotfix consolidation aside, CIAC’s Cox worries that some of SP4’s additional features will introduce new problems, and hence create a need for new post-SP4 Windows NT hotfixes. "There is a major functionality issue with the new ability of DCOM to tunnel over TCP/IP port 80," Cox observes. "This has the potential to circumvent most firewalls in place today, as far as COM/DCOM is concerned. I am personally worried about the ramifications of this."

SP4 could pose additional problems for users of version 1.0 of the Windows NT 4.0 Terminal Server Edition. As it is presently constituted, SP4 will not install correctly on machines running Terminal Server. Accordingly, Terminal Server users must wait until Microsoft provides a Service Pack 4 derivative built specifically for that product. Microsoft officials declined to comment on a timeframe for availability, but indicated that a Terminal Server-specific version of SP4 will be released at some point in the future.

Giga’s Enderle expresses concern, as well, over Microsoft’s commitment to quality assurance, citing download problems with SP4 in its first week of availability. "Certainly Microsoft had significant problems with the downloads, as I’ve heard reports -- confirmed by Microsoft -- that attempts to download SP4 actually downloaded SP3, undoubtedly causing a number of headaches for Microsoft-beleaguered NT customers," Enderle comments. "SP4 should be better, but the experiences reported last week continue to cause us to question Microsoft's quality assurance programs."

Security Configuration Editor – Provides a centralized, graphical administrative console from which to lock down Windows NT computers on a network

DCOM-over-HTTP Tunneling – Technology that allows object components to communicate using HTTP over networks and through firewalls

WBEM Support – Provides new, native APIs for Web Based Enterprise Management, an initiative that seeks to enable system and network management over the Internet