MPT SP2 v2 - Raven Computers Ltd


Windows XP Service Pack 2
Steve Wheeler
Windows Technology Evangelist
Microsoft Presentation Team
Agenda
- Background
- Business Opportunity
- Protection Technologies
  – Network protection
  – Safer Web and email experience
  – Memory protection
  – Improved maintenance
- But that’s not all…
- Availability
Background: Security Challenges
- Patch management too complex
- Time to exploit accelerating
- Exploits are more sophisticated
- Current approach is not sufficient
Chart: days between patch and exploit, falling over successive cases: 331, 180, 151, 25
Security is our No. 1 priority, but there is no silver bullet

Client Attacks
- Malicious e-mail attachments
- Port-based attacks
- Malicious Web content
- Buffer overrun attacks
Protection Technologies
- Network Protection: to help protect all computers connected to the Internet or an internal network
- Safer Web and Email: to enable a safer Internet experience for the most common Internet tasks
- Memory Protection: to provide system-level protection for the base operating system
- Improved Maintenance: to ensure that updates are easier and quicker to deploy
Protection Technologies: Network Protection
- Windows Firewall
  – on by default
  – boot time protection
  – multiple profile support
- Reduction of attack surface of a Windows XP computer
  – The RPC service runs with reduced privileges
  – no longer accepts unauthenticated connections by default
- More secure infrastructure for DCOM
  – Granular configuration of launch permissions for DCOM
- Windows Messenger Service is off by default
  – a tool that has been exploited by spammers
  – spammers will not be able to use the feature to send unwanted pop-ups
Protection Technologies: Safer Web and Email
- Blocking of un-requested popups
- More control over Active-X controls
- More control over downloads
- More control over attachments
Protection Technologies: Memory Protection
- What is a buffer overrun?
- Technologies to reduce exploitation of buffer overruns

What is a buffer
- “Buffers” are space set aside for input, such as your name when a computer asks you to type it in
- Information should not over-fill the buffers
Diagram (function stack): Function Parameters; Function Return Address; Frame Pointer; Exception Handler Frame; Locally Declared Variables and Buffers (good data goes here); Callee save registers. Execution continues when input is received.

What is a buffer overflow
- A “buffer overflow” works by filling the buffer with computer commands and forcing the commands to execute by changing the return address
Diagram (overflow attack): the same frame, but bad code and data placed in the buffer overwrites outside the buffer, up through the Exception Handler Frame, Frame Pointer and Function Return Address.
Protection Technologies: Memory Protection
- What is a buffer overrun?
- Technologies to reduce exploitation of buffer overruns
  – Microsoft has recompiled all code changed since the release of Windows XP using the latest Visual Studio® compiler and the “/GS” flag
Solution: /GS Switch
Reduce Risk of Buffer Overruns
- XP SP2 uses a "speed bump," or cookie, between the buffer and the return address (called the /GS switch)
- If an overflow writes over the return address, it will have to overwrite the cookie
- This is detected and the program stops
Diagram (function stack with /GS switch): Function Parameters; Function Return Address; Cookie; Frame Pointer; Exception Handler Frame; Locally Declared Variables and Buffers (bad code goes here); Callee save registers. The overflow attack overwrites outside the buffer; once the cookie is overwritten, execution halts.
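An added illustration of the cookie check the slide describes, written for this transcript and not taken from the deck or from Microsoft's runtime: a simulated frame holding the buffer, the cookie and the guarded return address, an unchecked copy that the cookie check catches, and the bounded copy that keeps the cookie from ever being reached. The cookie value, the frame layout and the function names are constructed for the example; real /GS instrumentation is emitted by the compiler, not hand-written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame laid out as the slide draws it: buffer, then /GS cookie, then the
   saved return address the cookie guards. */
struct frame {
    char      buffer[16];
    uint32_t  cookie;
    uintptr_t return_address;
};

/* Constructed per-process secret; the real /GS runtime seeds it at startup. */
static const uint32_t g_security_cookie = 0x7F3A9C51u;

/* Prologue: place the cookie between the buffer and the return address. */
void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->cookie = g_security_cookie;
    f->return_address = 0x00401000u;   /* constructed stand-in for saved EIP */
}

/* Epilogue check (__security_check_cookie): 1 if intact, 0 if trampled. */
int cookie_intact(const struct frame *f) { return f->cookie == g_security_cookie; }

/* Unchecked copy, the "before" state on the slide: input longer than the
   buffer spills into the cookie. The write is clamped to the frame so the
   simulation never leaves the object. Returns 0 where /GS would halt. */
int unguarded_copy(struct frame *f, const char *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, input, len);   /* buffer sits at offset 0 */
    return cookie_intact(f);
}

/* Hardened copy: refuses input that does not fit, so the cookie is never
   reached. Returns 1 on success, 0 if the input was rejected. */
int bounded_copy(struct frame *f, const char *input, size_t len) {
    if (len >= sizeof f->buffer) return 0;   /* keep room for the terminator */
    memcpy(f->buffer, input, len);
    f->buffer[len] = '\0';
    return cookie_intact(f);
}

/* Feeds a constructed 24-byte input to both copies; returns 1 when the
   cookie check catches the unchecked copy and the bounded copy refuses it. */
int gs_demo(void) {
    struct frame f; char oversized[24]; memset(oversized, 'A', sizeof oversized);
    frame_init(&f); int caught  = !unguarded_copy(&f, oversized, sizeof oversized);
    frame_init(&f); int refused = !bounded_copy(&f, oversized, sizeof oversized);
    return caught && refused;
}

int main(void) { printf("overflow caught and refused: %d\n", gs_demo()); return 0; }
```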
Protection Technologies: Improved Maintenance
- Windows Security Center
- Automatic Update enhancements
- Group Policy management of security features
- New Wireless LAN client
- SmartKey Wireless Setup
- Bluetooth update
Availability
- Available as of August 2004
- Download from http://www.microsoft.com
- Delivered as a critical update via Automatic Update - intelligently managed via new download service
- CDs available on request via the website (no cost)
Diagnostic and fixing process
- For Windows Applications
  – Add application to firewall exceptions
  – Check with application vendor for COM+ requirements
  – Check with application vendor for patch
- For Web based applications
  – Add website to trusted list
  – Manage Security Zone settings
- Look at http://support.microsoft.com
- Read documents at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Call to Action
Plan and Test!
- New security features will make the system secure but may break some applications
- In common test scenarios expect >=90% of applications to work without any configuration changes
- Majority of fixes are enabling pop-ups in browser applications and “listening” for firewall setup.
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Exchange Intelligent Message Filter
(Exchange2003 Anti Spam)
Steve Wheeler
Windows Technology Evangelist
Microsoft Presentation Team
Agenda
- The Spam Problem
- How to Fight Spam
  – Exchange2003 Anti-Spam Features
  – Exchange Intelligent Message Filter
  – Outlook and OWA Client Features
- Deployment
The Spam Problem
Spam & Viruses Compared

                    Viruses                                              Spam
Exploits            Specific vulnerabilities (e.g. buffer overruns)      General openness of mail system
Effects             Destructive                                          Nuisance, offensive
Sender motivation   Kudos, revenge                                       $
Identification      Signatures, deterministic                            Various, often subjective
Cost                Data loss, productivity loss, helpdesk,              Productivity loss, helpdesk,
                    administration, system resources, bandwidth          administration, system resources, bandwidth
Exchange Solution   Exchange infrastructure,                             Exchange infrastructure, Exchange features,
                    3rd party anti-virus plug-ins                        Exchange plug-ins, 3rd party anti-spam plug-ins
Enterprise Requirements For Anti-Spam
- False Positives: Number 1 Concern
  – Valid mail in the junk folder is as good as lost
- Block at the gateway whenever possible
  – User never sees it
  – Reduced impact on bandwidth & other system resources
- Administration
  – End-to-end solutions
  – Easy to manage
  – Balance corporate & end-user control
How to Fight Spam
The Taxonomy of a Message
- Where From (Connection – IP based)
- Who From (Sender)
- Who To (Recipient)
- What it’s about (Content)
Taxonomy mapped to Exchange Features
Where From (Connection Filtering)
- Global Allow and Deny lists
  – Configure individual IP or ranges by subnet mask
  – Allow overrides Deny by design
- Support for subscribing to 3rd party “real-time block list (RBL)” services
  – Support for multiple RBL providers
  – Customizable NDR response per configured provider
  – Override exception email address
- Integrated IP features
Who From (Sender Filtering)
- Filter messages sent from particular email addresses or domains
- Filter messages with blank senders
- Optionally drop connection
- Enhanced spoof detection – message submission method is persisted
- Don’t resolve anonymous sender by default
- Blocking own domain will break list services
Who To (Recipient Filtering)
- Filter messages sent to nonexistent recipients
  – No NDR – message rejected at protocol
  – Address book mining
- Filter messages sent to particular email recipients (valid or invalid)
- Restricted Distribution Lists
  – Allow only authenticated users to send to a DL
  – Reduces impact of unsolicited email sent to internal only DLs
What It’s About: Classification by Desirability
Diagram (desirability scale, most to least desirable):
- Critical legitimate mail: Business; Personal; Order confirmations (easily classified at Gateway)
- Non-critical legitimate mail: Subscriptions; Listserv (gray area, best classified by end user)
- Legitimate commercial mail: Amazon.com promotions; Expedia fare tracker; Mail from companies with a pre-existing business relationship (gray area, best classified by end user)
- Spam: Unsolicited product promotions; Health & “pharmaceutical”; Real estate & financial; Scams & chain letters; Pornography (easily classified at Gateway)
- Destructive: Viruses (easily classified at Gateway)
* External communication only. All internal communication is assumed to be legitimate
Microsoft Exchange Intelligent Message Filter
- Server-side message content filtering plug-in
  – Extension to Exchange2003 Server, deployed on Internet Bridgeheads
- Based on Microsoft SmartScreen™ technology from Microsoft Research
- SmartScreen tracks over 500,000 e-mail characteristics based on data from hundreds of thousands of MSN® Hotmail® volunteer subscribers
- IMF determines whether each incoming e-mail message is likely to be spam
Microsoft Exchange Intelligent Message Filter
- Heuristics-based analysis of messages
  – Determines whether unsolicited commercial e-mail, spam, or legitimate e-mail.
- Capable of adapting over time
  – Constantly improves ability to catch unwanted messages and prevent false positives.
- Support for per message spam confidence level (SCL) ratings and message tagging.
- Outlook 2003 uses SmartScreen & SCL to enhance client-side Spam filters
Microsoft Exchange Intelligent Message Filter
- Supports per message tagging
- Administration via Exchange System Manager Console extension
- Filter Updates
- Coexistence with 3rd party solutions
  – Complements, not competes
http://www.microsoft.com/exchange/imf
Outlook2003 and OWA2003 Enhancements
- User specified Safe & Blocked Senders lists
  – Safe Senders, Safe Recipients, Blocked Senders
  – Can optionally include Contacts and GAL
  – Supports Safe Senders Only mode
- User Lists shared by Outlook 2003 and Exchange 2003 OWA stored on the server
- Move to junk folder determined by:
  – Exchange 2003 Mailbox Store based on user lists
  – Per message SCL
  – Client Side based on Microsoft SmartScreen Technology
- Block all external content by default (Web beacons)
Putting It All Together 2004
Diagram (deployment): Internet → ISA Server or Firewall → Exchange 2003 Anti-Spam Server (Exchange IMF Smart Host Server) → SMTP Connector → Exchange Servers in Exchange Org Forest A and Exchange Org Forest B.
Summary
- There is no “silver bullet” in the war against spam.
- Microsoft is committed to fighting spam through on-going investments in anti-spam features & technologies.
- Through integration of our own products and ISV partner products, we aim to reduce spam by providing complete end to end solutions.