RealTime IT News

Q&A: Tony Goodhew, Manager, Microsoft Developer Group

Microsoft's eagerly anticipated Windows XP upgrade promises major security enhancements for customers but the company has already warned that Service Pack 2 (SP2) will break and disrupt existing applications.

In this interview with internetnews.com, product manager in the Microsoft Developer Group Tony Goodhew discusses the thinking behind the security enhancements, the code changes that need to be made and the tradeoff between security and functionality.

Q: You've already warned that XP SP2 will break and disrupt existing applications. What types of applications are going to be affected the most by the security-focused changes?

Some applications will be highly [impacted] but some others will have little or no problems. We launched an online course for developers to spell out all the changes to help them prepare. The peer-to-peer applications will be [impacted] the most. Those types of applications rely on a lot of network activity. They expect to be able to talk through a firewall that will now be turned on by default. So, the P2P guys will have to make major changes or their applications will break.

If you are writing code for applications that listen on a network, you are going to be impacted by these changes. It won't affect the entire applications market but we're mostly letting people know that it affects certain categories.

What has been the response to the online training course? And why the unusual move to do this?

This isn't just a bug-fix service pack release. We are making significant changes to improve XP security. We decided to provide a free course for developers so as not to blindside them. We are explicitly telling them that some of their applications will not work if they don't change their code. We are making changes to defaults that their applications rely on. They have to prepare for it or there will be problems.

The reaction has been very, very positive. The developers we've spoken to have found the material very valuable and, for the most part, they've been very happy with how we've detailed the changes that need to be made. It's about 90 minutes of online training. The developer can go to the URL and it will lead them through the four major areas of changes coming in SP2. It walks them through the important sub-areas. It tells them 'these are what the changes are and this is what they mean to your application. You will need to do this and this and this to ensure you application could keep working'.

With these changes, you care focusing on security over functionality and backward compatibility. Is that a fair tradeoff to the smaller application developers who have to deal with tons of manual changes?

Like I said before, the changes are significant but it only affects certain categories of applications. The bulk of the smaller VAR and ISVs are going to have a small amount of work to do. It's not like they will need to rewrite their applications completely. But, they have to be diligent about testing to ensure their apps work properly. If they do network connectivity in a part of their application, they will be highly affected because of the firewall changes. We are turning the firewall on when the existing applications haven't been written to deal with that.

But, if you are not dealing with network connectivity, your code changes aren't going to be major. For instance, desktop productivity applications will have little or no affect. What developers will find is that their apps may require some configuration of the firewall to continue to work. In some cases, all that need to be done is to tell customers to 'do this, this and this' to the new Windows Firewall.

[XP SP2] is responding to a great customer demand. We improved the platform from a security perspective. That's exactly what we're doing. I don't believe the requirement that small and medium ISVs and VARs make changes are so onerous. The tradeoff works both ways for them, in terms of the gains their customers get from increased security. If I'm a small ISV and I had the firewall turned on, I would not have had to deal with the Blaster virus. Costs would have been saved there.

Talk a bit about the four major changes in SP2 and the reasons for them.

The number one area is network protection and I spoke already about the Windows Firewall, which comes with an explicit setting to enable automatic opening and closing of ports for RPC. We have added new Memory Protection, improvements to e-mail security and enhancements to Internet Explorer to secure the browsing experience.

We've added RPC interface restrictions to reduce the attack surface of Windows XP and DCOM enhancements to deal with reliable and efficient communication between COM components. We've made changes to improve the way attachments are handles in e-mail and instant messaging.

In IE, we're making changes to prevent the malicious scripts for running and to secure against dangerous downloads. We're adding a pop-up blocker which will be turned on by default and we're making UI changes to help prevent malicious ActiveX controls and spyware from running without the customers' consent.

The service pack is still in beta under a technical preview program. Do you foresee any more changes between now and the final release?

With Release Candidate 1 (RC1), we feature complete. All of the enhancements and features are there. But, the defaults can change. We're testing now to decide whether to turn the defaults 'on' or 'off'. Those decisions are going to be made based on the feedback we receive. We're looking to get an understanding of how the underlying bits work as part of the broader exposure with RC1.