Programming Windows: Springboard (Premium)

With Longhorn development creeping along with no end in sight, Microsoft also worked to improve Windows XP, which would remain in the market for far longer than originally intended. There were various efforts along these lines in the early 2000s, from new XP product editions like Media Center and Tablet PC to various digital media- and home networking-related improvements and add-ons. But the biggest push, by far, was an internal project called Springboard that would dramatically elevate XP’s—and, as it turned out, Windows Server 2003’s—security posture.

Springboard ended up being such a big update that Microsoft could have shipped it as a new version of Windows on both client and server that would have sat between XP/Server 2003 and Longhorn. But instead, Windows lead Jim Allchin decided to do right by his customers and ship it as a free update. It was just one of several responsible and credible decisions that Allchin would make during Longhorn’s tortuous development process.

Springboard was quickly branded as Windows XP Service Pack 2 (SP2) on the client and as Windows Server 2003 Service Pack 1 (SP1) on the server, unassuming names that did nothing to convey the massive changes that would come to these two systems. But that was part of the strategy: these updates would bring bigger changes under the covers than most major new Windows versions, and they would be more disruptive to users than the upgrades from Windows 2000 to XP/2003. But Microsoft wanted to ensure that as many customers as possible moved forward to these new versions as quickly as possible. Where Windows XP SP1 and Windows Server 2003 paid lip service to the Trustworthy Computing security push, Springboard would technically embody its ideals. It would put action to the words.

Microsoft had originally designed service packs so that its business customers could aggregate previously released security and bug fixes into a single, more easily deployable package in the days of expensive connectivity. And over time, they evolved service packs so that they could be slipstreamed into a specific version of Windows. That way, IT administrators could deploy, say, Windows 2000 with Service Pack 2 (SP4) at the same time, rather than separately, saving lots of time.

Microsoft’s history with these updates was, to that point, mixed, with the firm sometimes using them to add new features as well. After its corporate customers rebelled over the feature additions, the software giant experimented with other ways to deliver new features mid-stream via so-called Option Packs and Feature Packs. Because Windows was updated so often in the late 1990s and early 2000s, these were rarely necessary.

But with all the Longhorn delays requiring XP/2003 to remain in the market for longer than originally expected, Microsoft needed to recalibrate. It started shipping smaller update rollups that would bundle previously released security updates into more easily deployed packages between service packs. And it would once again upend the notion of what a service pack could be with Springboard. On both Windows XP and Server 2003, these updates would bring many changes, including new features, and they would lock down key components in ways that would break existing software.

Steve Ballmer addressed the issues Microsoft faced with servicing Windows in a September 2003 keynote address at the firm’s Worldwide Partner Conference. There, he announced Windows XP Service Pack 2, noting that it would provide protection from “four attack vectors” that included “malicious e-mails, viruses and worms that scan ports on the Internet, malicious web content, and buffer overruns.” It would support “inspection technologies” that would quarantine PCs brought back into a corporate network to ensure they weren’t infected with malware. And it would come with major improvements to the Internet Connection Firewall, Internet Explorer’s sandboxing technologies, and memory protection.

“To implement these technologies, we’ll introduce a new version of Windows XP, which we’ll call Service Pack 2, which is not a glamorous and glorious and exciting name, but exactly what our customers want right now, something that focuses very much on the security issues,” he said. “I’d call it a service pack on steroids, and I really want it on your radar screen. We’ll deliver that in beta by the end of this year and RTM in the first part of next year [2004], release to manufacturing. And then a service pack for Windows Server 2003 that adds role-based security configurations, making it easier to configure the system, and it has the inspection technologies that we talked about and that will follow the client by a few months. So both of these things we’re announcing today for delivery first part of next year.”

Springboard would also usher in the PC era in which we still live today: Later that month, Microsoft announced that it would support a new computing architecture called AMD64 that extended the 32-bit x86 architecture then used by all PCs to 64-bits. The firm would ship AMD64 native versions of Windows XP and Server 2003 based on this new architecture, it said, and Intel would later license it for use in its own PC microprocessors. The effort had been backed internally by NT architect Dave Cutler, who had previously spearheaded the 64-bit port of Windows NT to the Digital Alpha and, later, the Intel Itanium.

In November, I received a leaked internal presentation that spelled out Microsoft’s goals with Windows XP SP2 more clearly. SP2 would be a “very focused release,” the slide deck explained, and it would feature new “safety technologies” that would retroactively add resiliency against malicious software attacks and would enable the Internet Connection Firewall (ICF) by default, providing better security from boot-time- and network-based attacks.

Some of the changes in XP SP2 would have “a major impact” on users and the apps they ran, the presentation claimed. For example, it would add support for a technology called NX (No-eXecute) that helped protect against common buffer overrun attacks but at the expense of video driver and application compatibility. And Microsoft would also use SP2 to rollout various patching improvements that would reduce the complexity of updaters and allow customers to roll back to previous versions if there were problems.

There would be problems.

Microsoft released Windows XP SP2 Beta 1 to testers in late December, providing testers with an early look at some of its new features, like the on-by-default ICF and a new Automatic Updates feature that would automatically install critical Windows Updates over the Internet with no user interaction. And starting with XP Service Pack 1 (SP1), Windows XP would no longer connect to insecure and password-less Wi-Fi networks by default, as it had since the product’s 2001 launch; in SP2, this feature would remember authorized insecure networks.

In early 2004, a source at Microsoft also revealed to me that Microsoft was working on an interim release of Windows Server 2003 called R2—for Release 2—that would incorporate its Service Pack 1 (SP1) release and a handful of additional new workloads. I was told that Microsoft was considering a similar Windows XP R2 release as well, but that initiative was quickly killed by Jim Allchin.

During a Microsoft campus visit in January, I learned that the security advances in XP SP2 and Server 2003 SP1 were originally designed for Longhorn, but that Microsoft realized it could easily backport them to XP/2003 “without churning through the code again.” But the addition of XP SP2/Server 2003 SP 1 would not impact Longhorn’s release schedule, I was told.

Later builds of SP2 would add additional features, including the Security Center dashboard for reviewing the status of the firewall, Automatic Updates, and virus protection, which at that time was provided by third parties. And ICF was replaced with a new firewall called Windows Firewall that protected network traffic moving in two ways—inbound and outbound—and not just one-way (inbound), as with ICF.

Internet Explorer would add pop-up ad blocking and browser add-on management features, and its usages zones were each secured more tightly. It would also prevent script-initiated changes to IE windows, which hackers had been using to deliver malicious code to users’ computers.

SP2 would also deliver an updated version of Outlook Express that would block images in HTML emails and isolate potentially dangerous email attachments, similar to the work Microsoft had previously done in Outlook. And there was a new Windows Messenger version that would isolate potentially unsafe sent files so that users wouldn’t inadvertently infect their systems.

By February, Microsoft was touting XP SP2 and Server 2003 SP1 as the next steps in its Trustworthy Computing initiative, noting that these updates went beyond patching and increased system resiliency. Server 2003 SP1 would add role-based security configuration, remote access client inspection, and local inspection on connection capabilities, and the first beta was due in the first half of 2004.

Microsoft chairman Bill Gates talked up XP SP2 and Server 2003 SP1 at the RSA Conference in San Francisco in late February.

“This half-year there are a lot of things taking place, but I’d say the key thing is XP Service Pack 2, SP2, getting that out and updating systems with that,” he noted. “In the second half of the year, we’ll have essentially our first SP for the server.” An underling demonstrated some of the new XP SP2 features, including the new firewall and Internet Explorer security features.

In March, Microsoft released XP SP1 Release Candidate (RC1), and a source told me that Microsoft was now targeting May 2004 for Release Candidate 2 (RC2), with the final release expected by mid-year. SP2 would be made available to existing Windows XP product editions, and it would be integrated into Windows XP Tablet PC Edition 2005 (codenamed Lonestar) and Windows Media Center Edition 2005 (codenamed Symphony). The firm would “fully refresh” all of its XP versions at retail and via PC makers so that XP and SP2 would always be bundled together from that point on.

In April, I published an early review of SP2, which by that point carried the official and tedious name Windows XP Service Pack 2 with Advanced Security Technologies to differentiate it from previous service packs. And we learned that it would add new, non-security features to XP SP2, including Direct X 9.0a, Windows Media Player 9 Series, and a new version of Windows Movie Maker.

“During the XP SP2 beta, testers identified a number of problems with existing applications,” I wrote of the compatibility issues it caused. “In my own tests, however, I’ve seen few issues. The biggest one involves my Netgear print server: pre-SP2 machines have no problem finding and printing to the printer that’s attached to it, but it’s invisible to SP2 boxes. I’ll work on that in the days ahead; other print servers, like the Hawking Technologies model a friend uses, continue to work fine with SP2 machines. My suspicion is that Microsoft will post a compatibility list when it releases SP2, so customers can determine whether they’ll have any issues.”

Overall, however, I liked SP1 quite a bit.

“Barring a massive incompatibility issue, virtually every Windows XP user should upgrade to this release as soon as possible, in order to take advantage of its enhanced security features,” I wrote. “And for heaven’s sake, do yourself a favor and leave Windows Firewall and Automatic Updates on, please. Get a compatible anti-virus package; I recommend McAfee VirusScan, which is relatively inexpensive, lightweight, and unobtrusive.”

“Yes, there will be incompatibilities. Yes, you may find the occasional software application that won’t work with the new firewall, save through some future update. Grin and bear it. Figure out a workaround (maybe that app will work with a third-party firewall). But realize that security is the priority. Do the right thing, and your system will pay you back by keeping your precious data safe the next time a Slammer-type attack occurs. Windows XP SP2 will make your system more secure. If you ignore or put off this release, you’ll only be hurting yourself.”

Microsoft formally announced Windows Server 2003 R2 at TechEd that May and said that SP1 would ship later that year. R2 would come with just a handful of new features, all disabled by default, including remote differential compression for Branch Office connections, client inspection and isolation technology, Active Directory Federation Services (ADFS, formerly codenamed TrustBridge), and Anywhere Access, a technology for corporate users to access e-mail and other services on a corporate network without needing a virtual private network (VPN). R2 was due in late 2005.

Windows XP SP2 Release Candidate (RC3) arrived in mid-June with just a few minor functional additions related to Internet Explorer, including a new information bar that appeared when it blocked a pop-up window and a Pop-Up Blocker settings interface. By this point, I was starting to collect a list of features that were missing from SP1, including its lack of built-in Trojan scanning, detection, and removal tools, and no built-in anti-virus. Its wireless sharing feature was nearly impossible to use, I noted, and the NX buffer overrun protection functionality would only be offered in AMD64-compatible PCs, which virtually no one owned at the time.

At its Worldwide Partner Conference in July, Microsoft senior vice president Will Poole announced that the firm would ship SP2 in August. And so it did: on August 6, 2004, Microsoft announced that Windows XP SP2 was complete.

“Service Pack 2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks,” Bill Gates said, promising that Microsoft would distribute Service Pack 2 to approximately 100 million PCs through Automatic Updates over the next two months. “It is the result of sustained investments in innovation and extensive industry collaboration. It also reflects a broad recognition that as the security environment changes, the industry needs to work together to respond.”

“The shipment of Windows XP SP2 marks the end of a year-long struggle for the software maker,” I wrote. “Last summer, the company abruptly decided to retreat on its original plan to ship SP2 as a simple collection of bug fixes and instead recast the release as a major security update with numerous new features. Since then, XP SP2 has been almost continually delayed, due largely to the incompatibilities caused by its radical changes to the way in which XP works.”

Windows XP SP2 would be the subject of a massive marketing campaign, with Microsoft attempting to get the update into as many users’ hands as possible, as quickly as possible. This campaign was to include free SP2 CDs, both via web order and at retail stores, and an effort to get electronics retailers to update already stocked XP machines to SP2. PC makers would begin shipping new PCs with XP SP2 in the next 6 to 8 weeks, Microsoft said, and the software giant would deliver over 25 localized versions over the next two months.

In October, Microsoft revealed that it had distributed XP SP2 to over 106 million users in two months. “Of that 106 million, approximately 90 million were downloaded via Automatic Update, Windows Update and the Download Center,” I was told. “Another 16 million were distributed via CDs, either ordered from Microsoft or distributed by Microsoft via various venues.”

Meanwhile, work on Windows Server 2003 SP1 was also winding down by late 2004. It would include a new Security Configuration Wizard, the Windows Firewall from Windows XP, and new quarantining functionality for RAS and VPN connections. Like XP with SP2, Server 2003 with SP1 would also benefit from its support for Data Execution Prevention (DEP), boot-time network protection, and other security features. A second release candidate, RC2, appeared in early February 2005, and the product was finalized on March 30, 2005 and made available to customers as a free download shortly thereafter.

“With Windows Server 2003 Service Pack 1, our development team took the time to treat the root cause of many security issues, not just the symptoms,” Microsoft senior vice president Bob Muglia said of this release. “This service pack is very significant and should help address certain classes of exploits. Service Pack 1 is a major component of our overall strategy to help keep customers as secure as possible. I encourage all of our Windows Server 2003 customers to deploy Service Pack 1.”

There were other minor updates to the current generation of Windows to come in 2005, including the AMD64 versions of Windows XP and Windows Server 2003, and Windows Server 2003 R2. But the world’s eyes were, of course, on Longhorn, a product that had already run off the rails and sent the Windows team into unchartered territory.