Windows XP Service Pack 2

Alex Balcanquall
Senior Consultant
Microsoft Services Organisation
Agenda for Workshop
Introduction
Protection Technologies
Network
Web & Email
Memory Protection
Manageability
But that’s not all…
Deployment & Troubleshooting
Round-up
Exploit Timeline
Chart (patch code vs. exploit, days from patch to exploit): Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25
Why does this gap exist?
The average is now nine days for a patch to be reverse-engineered
As this cycle keeps getting shorter, patching is a less effective defense in large organizations
Goals of XP SP2
Network: Help protect the system from directed attacks from the network
Email/Web: Enable safer Internet experience for most common Internet tasks
Memory: Provide system-level protection for the base operating system
Maintenance: Ensure that when updates are necessary, they are easier to deploy quickly
Windows Firewall (Network 1)
Goal in XP SP2
Provide better protection from network attacks
Provide administration tools suitable for the enterprise
Changes in XP SP2
Windows Firewall on by default
Boot time protection
Multiple configuration mechanisms
Better user interface
Multiple profile support
Restrict anonymous connections to DCOM/RPC interfaces
Impact
Applications that initiate outbound connections will work out of the box
Only applications that accept unsolicited inbound communications will be affected by the firewall
Firewall should be deployed in all organisations
Develop organisation-wide firewall exceptions and deploy as needed
Consider IPSEC bypass for administrative tasks
Windows Firewall
Windows Firewall Group Policy
DCOM / RPC (Network 2)
Goal in XP SP2
Reduce DCOM / RPC attack surface exposed on the network
Changes in XP SP2
Require authentication on default interfaces
Enable ability to restrict RPC interfaces to local machine only
Granular configuration of launch permissions for DCOM
Moved most RPCSS code into reduced privilege process
Disable RPC over UDP by default
Impact
Applications using anonymous authentication will break
Significantly reduces ability of unauthenticated processes or users to attack RPC
May require applications and COM components to be recoded
Email Attachments (Email & Web 1)
Goal in XP SP2
Consistent system-provided mechanism for applications to determine unsafe attachments
Consistent user experience for attachment “trust” decisions
Changes in XP SP2
Create new public API for handling safe attachments (Attachment Execution Services)
Default to not trust unsafe attachments
Outlook Express, Windows Messenger, Internet Explorer changed to use new API
Open / execute attachments with least privilege possible
Safer message “preview”
Impact
Select applications that use the new API for better user experience, and better determination of safe content
Applications which depend on email attachments may be impacted
Web Browsing (Email & Web 2)
Goal in XP SP2
Ensure a safer web browsing experience
Changes in XP SP2
Locking down local machine and local intranet zones
Improved notifications for running or installing applications and ActiveX Controls
Pop-Up Blocker for Internet Explorer
New Internet Explorer add-on manager
Limit UI spoofing
Change to IE zones
Improved download and security related dialog boxes
Impact
Check for Web application compatibility with newer, safer browsing defaults
Line of Business applications that use pop-ups may need to change or be added to exception list
Pop-up Blocker
Download Prompts Old vs. New
Data Execution Protection (NX) (Memory)
Goal in XP SP2
Reduce exposure of common buffer overruns
Changes in XP SP2
Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute
Reduces exploitability of buffer overruns
Enabled by default on all capable machines for Windows binaries
Application Compatibility Toolkit setting to exclude incompatible applications
Binaries compiled with /GS flag (not dependent on DEP)
Impact
System runs in PAE mode. All drivers and applications will need to be compatible with PAE
Currently needs 64bit Extended Systems (e.g. Intel Itanium Family, AMD Opteron, AMD Athlon 64)
DEP End-user Experience: application termination dialogs
DEP End-user Experience: configuration experience, accessible through System Properties control panel
Manageability
Goal
Reduce management overhead of securing Windows XP
What we’re doing
Windows Security Center: Anti-Virus checking, Firewall, Automatic Updates
Automatic Update enhancements
Centralised & granular management of the Windows Firewall
New Wireless LAN client
Bluetooth update
SmartKey Wireless Setup
Internet Explorer Add-on Manager
Impact
Use group policy or any software distribution mechanism to easily configure firewall
But that’s not all…
Tablet PC new V2 “Lonestar”: in-place Tablet Input Panel (TIP) and handwriting to text on the fly; better Office 2003 + OneNote integration
Windows Media 9 Series
Bluetooth Update
Movie Maker 2.1
New Wireless LAN Client
DirectX 9.0b
XP SP2 Deployment
Planning and Testing
Why Plan & Test?
New security features will make the system secure but may break some applications
In common test scenarios expect >=90% of applications to work
In RC1 these issues have been found to break down as follows:
30% Firewall
22% DEP / PAE
14% IE
8% DCOM / RPC
6% RTF Converters
NB These figures are for consumer and corporate scenarios & fixes will be incorporated in the final XP SP2 Release to mitigate many scenarios
Deployment Planning
Review XP SP 2 Changes Document
Test XP SP 2 on limited ‘real systems’
Deploy with firewall on
Determine commonly needed open ports
Deploy settings with AD, INF files, WMI, Unattend.txt
Deploy with XP SP2 DCOM and IE defaults
Use custom OU if you have Active Directory
Don’t forget to test all Intranet applications
Deploy to test community to catch final 5% of issues
START TESTING NOW!
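The Windows Firewall slide and the planning bullets above both come down to the same deployment task: firewall on, organisation-wide exceptions scoped as narrowly as possible, logging on so a broken application can be diagnosed without switching protection off. The script below is an added example (not from the presentation) using the XP SP2 netsh firewall context; the executable path, port 8080 and the 10.1.0.0/16 management subnet are assumed placeholders.

```batch
@echo off
rem Added example, not Microsoft's code: deploy XP SP2 Windows Firewall
rem settings the way the presentation recommends. Can be run from a
rem Group Policy startup script or from Unattend.txt's [GuiRunOnce].

rem 1. Firewall on in both profiles (domain and standard), exceptions allowed.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Log dropped packets: the log, not "disable firewall", is the
rem    troubleshooting tool for an application that stops working.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 3. Built-in service exception (Remote Desktop), limited to the local
rem    subnet and to the domain profile only, so it is closed off-site.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

rem 4. Fixed-port exception for a line-of-business listener (assumed port
rem    8080), reachable only from the assumed management subnet.
netsh firewall add portopening protocol=TCP port=8080 name="LOB Agent" mode=ENABLE scope=CUSTOM addresses=10.1.0.0/255.255.0.0 profile=DOMAIN

rem 5. Program exception for a service that listens on dynamic ports
rem    (assumed path): opens only the ports that executable is listening on.
netsh firewall add allowedprogram program="C:\Program Files\Contoso\Agent\agent.exe" name="Contoso Agent" mode=ENABLE scope=SUBNET profile=ALL

rem 6. Allow ICMP echo request (type 8) in the domain profile so that
rem    monitoring can still ping the host.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN

rem 7. Record the resulting state and configuration for the deployment log.
netsh firewall show state
netsh firewall show config
```

The same settings can be pushed through the Windows Firewall Group Policy nodes or a netfw.inf file; the netsh form is useful for the limited "real systems" test pass because the result is visible immediately in the show output.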
Troubleshooting 32-Bit Applications
1. Test application on XP SP1
2. If 64bit Extended use Application Compatibility Toolkit to disable DEP on a per app basis
3. Disable Firewall (NOT RECOMMENDED FOR PRODUCTION MACHINES: deploy exceptions and keep firewall enabled)
4. Disable DCOM / RPC authentication (NOT RECOMMENDED FOR PRODUCTION MACHINES)
5. Ask software vendor for any needed updates or patches
6. Consider risks of disabling protection vs. selection of alternate application
Troubleshooting Web Applications
1. Test on XP SP1
2. Add trusted intranet applications to trusted sites list
3. Sign all custom ActiveX objects
4. Review application to remove all cross zone scripting
5. Disable new IE protection measures to verify which protection is stopping application (NOT RECOMMENDED FOR PRODUCTION MACHINES)
6. Consider re-writing application vs. risk of disabling new protection mechanisms
Other troubleshooting tools
Application Compatibility Toolkit
V3 now
V4 end of 2004, dedicated to SP2 features etc.
NB New ‘shims’ like the NX can be used with V3 toolkit
Reporting RC 1 Bugs
New desktop icon in RC1: click on “Report a XP SP2 Bug”
Corporate Error Reporting
If you have a Premier Agreement and Enterprise Agreement talk to your TAM about CER
Round-up
XP SP2 has additional protection for:
Network
Email
Web Browsing
Memory Protection (64 bit only)
XP SP2 includes tools for improved manageability
Adequate testing is key to successful deployment of XP SP2
Aim to deploy with Firewall turned on
Attend Infosec patch management session / review Microsoft recommendation on patching
Further Information
XP SP2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
General Security: http://www.microsoft.com/security
Windows Application Compatibility Toolkit: http://www.microsoft.com/windows/appexperience/
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.