A recent Redmond Magazine piece doesn't give the date - it was August 2004 - that Microsoft released Windows XP Service Pack 2 (SP2).

At that point the company committed what, according to the writer, many think was a mistake: The default switching on of the host-based Internet Connection Firewall (ICF). The problem, he says, is that getting the host-based firewall running within an organization is a "Herculean effort" involving high levels of application testing and configuration tuning. The complexity forced many administrators to simply disable ICF.

The position of this story is that ICF is potentially a helpful security tool, at least in one particular implementation. The writer says that it remains difficult to deploy ICF within the enterprise, but that the "standard profile" turns on when the device is connecting through outside networks. This can be a boon to security for machines connecting from dangerous environments such as coffee shops and airports. The piece goes on to provide a good amount of detail on why this is good and how it works.

Security folks love to compare security: Open source versus proprietary, Mac versus Windows, Vista versus XP, and so on. A recent piece at Jesper's blog was stimulated by a post at Jeff Jones' Security Blog - a link is provided - that suggests Vista security is better than that offered by XP and other operating systems.

In his post, Jesper Johansson observes that much of the comparison between Vista and XP security is based on each operating systems' first year in the field. However, that is meaningless in terms of how XP works. To them, the important thing is a comparison of how each operating system performs now.

The long piece leads to several conclusions. It found that Vista had fewer vulnerabilities than XP and that open source Firefox had more "patching events" than Internet Explorer running on XP or Vista.

A recent InfoWorld piece indicated that Vista security is far better than previous Microsoft operating systems, but that the price is more user involvement and inconvenience. User Access Control (UAC) is a feature designed to cut down on malware by asking users for permission every time a piece of software is set for installation. While this clearly improves security, it can become burdensome. Indeed, some companies offer software that automates this process and only brings out-of-the-ordinary situations to the attention of users.

The story also discusses the BitLocker encryption feature. BitLocker either encrypts the entire C drive or nothing. Some issues have cropped up, such as encryption for organizations using a D partition, the piece says and difficulty in decrypting data on machines taken from terminated employees.

Though Vista is the immediate future of Microsoft operating systems, there is a huge installed base of XP users. The company is in the extended process of introducing Windows XP Service Pack 3, which is expected to be the last update to XP. WindowsSecurity.com details the release, which contains no drastic changes. There are, however, security-related tweaks. Network Access Protection (NAP) compatibility enables XP to use the NAP feature in Windows Server 2008. This is akin to Network Access Control (NAC) approaches in which devices requesting permission to join a network have their security assessed and, if necessary, are quarantined and their software cleaned and/or updated. This is particularly useful for mobile devices.