The SP2 catch-22

analysis
Aug 27, 2004 | 4 mins

University decisions on delaying SP2 updates make one wonder if they’re paying attention to last year's worm outbreaks

I was talking to NBC technology reporter IJ Hudson about Microsoft’s impending release of SP2 (Service Pack 2), which allegedly starts going out to Windows Update users in the next few days, if it hasn’t started already. We had both heard that a number of IT managers at major universities in the Washington, D.C., area were planning to find ways to keep their students from upgrading their copies of Windows.

The reason? The schools’ IT managers didn’t want to take the bandwidth hit that the massive upgrade might cause. These same managers were also taking a go-slow approach to allowing their faculty and staff members to perform the upgrade, saying they needed time to test the upgrade before letting it into their enterprises.

It sounds like these managers are at least being consistent, but they’re not. And in the process, they’re risking the security of everyone else on the Internet.

On one hand, the operations of faculty and staff members are very similar to those of the employees of any other large enterprise. For the most part, their computers are centrally managed, and it’s likely that they have at least some locally developed custom software running. SP2 really needs to be tested to make sure everything works. No surprise there, and it’s a sound practice. They’re doing exactly what the people in the IT department should do.

But when it comes to managing SP2 for students, the situation is completely different. In many, if not most, universities, student computers are not protected by an enterprise firewall. They’re just out there in the open by the thousands. An unprotected computer in such an environment is fertile ground for any worm that happens by. This was clearly demonstrated a year ago when we saw one worm attack after another rip through the Internet. One major vector for these infestations was the multitude of computers freshly attached to university networks where everyone has broadband connections, and many have remarkably little training in how to protect their computers.

At home these same students probably got to the Internet through a DSL or cable modem, or they had a dial-up connection. They had at least some minimal protection this way. And it might have been pretty decent protection if their family had a router with a built-in firewall at home.

Now, unprotected, they’re just what worm writers are looking for. As soon as students plug that Ethernet cable into the wall, they’re fresh meat. Unless, of course, they have a well-patched version of Windows and a firewall of some sort. But because these universities’ IT staffers are refusing to allow the students to upgrade, they won’t have either. Instead, they’ll have worms almost immediately (our tests show that the first infection can happen in about 10 minutes).

If it were just the university’s problem, we might be sympathetic. But by insisting that these computers remain unpatched, the universities turn them into a launching pad aimed at the heart of your enterprise. This is a major source of an implacable, relentless stream of attacks that will cause headaches or worse to you and your users.

The responsible act would be to insist that computers be upgraded to SP2 before they could connect to the campus network. IT managers should also insist on current anti-virus software and a personal firewall. Yes, SP2 does require some bandwidth, but not nearly the bandwidth that a campus full of infected computers will demand. There’s cost either way. But at least by upgrading, the IT managers are doing the right thing for everyone involved.