Microsoft's SP3 update is likely to be the final service pack for Windows XP, and consists largely of previously released updates and hotfixes. However, it does include some enhancements, the most significant of which is client support for the Network Access Protection (NAP) mechanism implemented in Windows Server 2008 (WS 2008) ­ our focus for this first look review. NAP is a policy enforcement mechanism to ensure systems connecting to a network comply with security requirements.

We tested SP3 by downloading it from Microsoft’s TechNet as a .ISO image, which we then burned to CD-ROM for deployment. The executable itself is 324MB in size, while deploying to systems took about 15 minutes and added about 400MB to XP’s image size. Tools and guidance for deployment have not fundamentally changed from Windows XP SP2, according to Microsoft, so system administrators are advised to follow these.

After deployment, we tested upgraded systems to see how NAP works. We set up our WS 2008 system for DHCP NAP enforcement by configuring it as a NAP health policy server and also a NAP enforcement server. Enforcement can also be applied to IPSec, 802.1X, and other VPN clients.

We then configured the Windows System Health Validator and defined a policy that determined whether or not to allow clients network access. The settings included options to disallow access if there were no firewall, anti-virus or anti-spyware tools deployed. We defined a policy blocking access to systems that did not have all updates installed. When clients failed to pass the system health check, a pop-up message informed the user their system needed remediation. This can be done manually, or automatically, if a remediation server has been set up.

Overall, we found it relatively easy to set up NAP protection with WS 2008 and XP SP3 clients, but firms with few IT staff may have difficulty deploying and maintaining the system.

Microsoft released to manufacturing (RTM) its Service Pack 3 (SP3) update for Windows XP on 22 April, and intended it to be generally available by 29 April. However, the update was delayed until last week owing to a compatibility issue reported by some early adopters between Microsoft Dynamics Retail Management System (RMS), and both Windows XP SP3 and Windows Vista SP1.

The Network Installation Package for Windows XP Service Pack 3 can be found here.