Windows XP Service Pack 2
Customer Awareness Workshop
XP SP2 Technical Drilldown – Part 1
Craig Schofield ([email protected])
Microsoft Ltd. UK
September 2004
Service Pack 2 Drill Down
Network
Attachments
Memory
Web
Networking
Windows Firewall
Protection from network-based attacks
Windows Firewall (formerly ICF) is on by default
Enabled on all interfaces (LAN, Dial-Up, VPN)
Supports both IPv4 and IPv6
Windows Firewall is “stateful”
Automatically match inbound traffic with outgoing requests
Restricts only unsolicited in-bound traffic
Three operational modes
On (default) – no unsolicited inbound traffic allowed
• Can be configured to allow specific unsolicited inbound traffic
Don’t Allow Exceptions – no unsolicited inbound traffic allowed
• Ignores other settings and blocks all unsolicited inbound traffic
Off – no protection
Boot-time security
Runs in highly secure mode until run-time policy can be applied
Windows Firewall
Configuration Options
Default configuration is by machine
Can still configure interfaces separately if necessary
Exception list for applications & services requiring open ports
Enables listening on whichever ports are required
Per-port or per-application subnet and IP address restrictions
Can allow inbound traffic from specific subnets, IP addresses
Two operating profiles: Domain & Standard
Domain profile used when attached to network with same DNS suffix as domain
Standard profile used when not attached to network with the same DNS suffix as domain
Windows Firewall
Application and Standards Compatibility
Most applications will work with no adjustments
Stateful firewall matches incoming traffic with outgoing requests
Only applications or services that need to listen for unsolicited incoming traffic affected
e.g. File and print sharing, Web server, Voice or video conversations, remote management tools
Pre-built options will open correct port or program exceptions without requiring manual entries
File & Print service, UPnP framework, Remote Administration, ICMP options, Remote Desktop
IPSec authenticated bypass
Traffic is allowed through firewall for specified systems that successfully authenticate with IPSec
Windows Firewall
Manageability Improvements
User notifications help automatically configure firewall
Only for applications running in user context
Through Security Center
All configuration options available through new Group Policy Objects
Group Policy settings override local settings
Updated NETSH command line interface can control all settings
APIs (NetFwPublicTypeLib) can be used for scripting or registering applications with the firewall
Security Event Log entry when listening application detected
Customize settings at deployment with SP2 configuration files netfw.inf and unattend.txt
Can also use Group Policy Objects
Registry settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
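The two Windows Firewall slides above (configuration options, and manageability through NETSH and the registry) in one added script that is not part of the deck: it reads the effective firewall mode per profile from the Group Policy location the deck names (falling back to the local SharedAccess location), and wraps the SP2 netsh commands for profile modes, scoped exceptions and logging. It assumes XP SP2's "netsh firewall" context and PowerShell 2.0; the address 10.0.0.5 is constructed.

```powershell
# Added example (not from the slide deck): report the effective Windows Firewall
# mode per profile from the registry, and a function holding the SP2 netsh
# commands for the options the deck lists. Assumes XP SP2's "netsh firewall"
# context and PowerShell 2.0 (the last version supported on XP).

# Policy location named in the deck; Group Policy values override local ones.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
# Local (non-policy) location of the same values on XP SP2.
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallProfileMode {
    param([ValidateSet('DomainProfile','StandardProfile')][string]$Profile)
    foreach ($root in @($PolicyRoot, $LocalRoot)) {
        $v = Get-ItemProperty -Path (Join-Path $root $Profile) -ErrorAction SilentlyContinue
        if ($v -ne $null -and $v.EnableFirewall -ne $null) {
            # EnableFirewall=0 is "Off"; DoNotAllowExceptions=1 is the deck's
            # "Don't Allow Exceptions" mode; otherwise "On" with exceptions.
            if ($v.EnableFirewall -eq 0)           { $mode = 'Off' }
            elseif ($v.DoNotAllowExceptions -eq 1) { $mode = "On (don't allow exceptions)" }
            else                                   { $mode = 'On' }
            if ($root -eq $PolicyRoot) { $source = 'Group Policy' } else { $source = 'Local' }
            return New-Object PSObject -Property @{ Profile = $Profile; Mode = $mode; Source = $source }
        }
    }
    # No value in either place: the SP2 default is On, exceptions allowed.
    return New-Object PSObject -Property @{ Profile = $Profile; Mode = 'On (default)'; Source = 'Default' }
}

function Set-Sp2FirewallBaseline {
    # Run as Administrator. Domain profile: on with exceptions; Standard profile
    # (machine not on the corporate network): on and blocking all unsolicited traffic.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE  profile=DOMAIN
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD
    # Pre-built service exception, limited to the local subnet (deck: "Can allow
    # inbound traffic from specific subnets, IP addresses").
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN
    # Per-port exception restricted to one management host (10.0.0.5 is a
    # constructed address, not one from the deck).
    netsh firewall add portopening protocol=TCP port=5900 name="Remote control (mgmt host only)" mode=ENABLE scope=CUSTOM addresses=10.0.0.5 profile=DOMAIN
    # Log dropped packets so blocked unsolicited traffic can be reviewed later.
    netsh firewall set logging filelocation=C:\pfirewall.log droppedpackets=ENABLE
}

'DomainProfile', 'StandardProfile' | ForEach-Object { Get-FirewallProfileMode $_ } | Format-Table -AutoSize
netsh firewall show state   # the firewall's own view, for comparison with the registry
```

Set-Sp2FirewallBaseline is deliberately not called at the bottom; the script only audits unless you invoke it.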
RPC & DCOM Changes
RPCSS architecture enhanced
Network facing functionality runs with reduced privilege – network service account privilege only
Functionality that requires local system privilege has limited exposure
Block unauthenticated calls to DCOM and RPC services
Includes blocking unauthenticated calls to the RPC Endpoint Mapper
Only administrators are granted remote activation and launch permissions
Easier to restrict RPC interfaces to local machine only
Fine-grained DCOM security
Machine-wide lockdown ACL for DCOM launch activation access
DCOM infrastructure access restricted to TCP and RPC over HTTP
RPC over HTTP not installed by default
New permissions configured through group policy, UI and logon scripting
New central location to set authentication policy.
DCOM Default Security
Permission   Administrator                                                      Everyone
Launch       Local (Launch), Local Activate, Remote (Launch), Remote Activate   Local (Launch), Local Activate
Access       Local (Call), Remote (Call)                                        Anonymous: Local (Call)
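An added audit script, not from the deck, that reads the machine-wide DCOM launch restriction the previous slides describe and lists which principals hold each of the four launch/activate rights in the table above. The registry locations (the Group Policy SDDL string under Windows NT\DCOM and the binary descriptor under the Ole key) and the COM access-mask bits are assumptions from the Windows SDK and policy templates, not values given in the deck.

```powershell
# Added example (not from the slide deck): decode the machine-wide DCOM launch
# ACL that SP2 introduced and report who holds the rights from the deck's table.
# Assumed SP2 layout: Group Policy stores an SDDL string, the local setting a
# binary security descriptor. Run in PowerShell 2.0+ on Windows.

# COM access-mask bits (Windows SDK); these are the four columns of the table.
$ComRights = @{ LocalLaunch = 2; RemoteLaunch = 4; LocalActivate = 8; RemoteActivate = 16 }
$RemoteMask = 4 -bor 16   # any remote launch or activate right

function Get-DcomLaunchRestriction {
    # Policy value is checked first, since Group Policy overrides local settings.
    $gp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    if ($gp -and $gp.MachineLaunchRestriction) {
        return New-Object System.Security.AccessControl.RawSecurityDescriptor($gp.MachineLaunchRestriction)
    }
    $local = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($local -and $local.MachineLaunchRestriction) {
        return New-Object System.Security.AccessControl.RawSecurityDescriptor($local.MachineLaunchRestriction, 0)
    }
    return $null   # no machine-wide launch restriction configured
}

function Show-DcomLaunchRights([System.Security.AccessControl.RawSecurityDescriptor]$sd) {
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier
        try { $who = $who.Translate([System.Security.Principal.NTAccount]) } catch { }
        $granted = @()
        foreach ($name in $ComRights.Keys) {
            if (($ace.AccessMask -band $ComRights[$name]) -ne 0) { $granted += $name }
        }
        New-Object PSObject -Property @{
            Principal     = $who.Value
            AceType       = $ace.AceType              # AccessAllowed / AccessDenied
            Rights        = ($granted | Sort-Object) -join ', '
            # The deck's default gives Everyone local rights only; flag remote grants.
            RemoteGranted = (($ace.AccessMask -band $RemoteMask) -ne 0)
        }
    }
}

$sd = Get-DcomLaunchRestriction
if ($sd) { Show-DcomLaunchRights $sd | Format-Table Principal, AceType, Rights, RemoteGranted -AutoSize }
else     { 'No machine-wide DCOM launch restriction is set on this machine.' }
```

Any AccessAllowed entry for a broad group with RemoteGranted = True is worth comparing against the deck's statement that only administrators get remote activation and launch by default.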
Bluetooth
“Bluetooth Devices” is a new Control Panel item.
Client includes support for the latest version of Bluetooth (v1.2), allowing customers to take advantage of the latest wireless devices
Bluetooth support is enabled if the device is approved and no existing driver is installed.
Windows Hardware Quality Labs (WHQL)
Includes selective suspend (power)
Boot-mode keyboards supported
Bluetooth File Transfer Wizard
Alerter and Messenger
Services disabled by default.
Any applications or services that use the Alerter or Messenger services to communicate with the user will not be successful.
Email
Attachments
Security model relies on users to make good trust decisions
However, users are ill-equipped to make informed decisions
Lack needed information
Lack technical understanding
And users easily tricked into making poor choices
Example: “myphoto.jpg.exe”
Employing a static list of dangerous file types isn’t enough
Hackers find exploits using files not on the list of dangerous file types
• Example: MyDoom packages malicious payload in a ZIP
Users can’t share file types on the dangerous list - diminishes functionality
Attachment Manager
Consistent experience for “trust” decisions
New public API for handling safe attachments
IAttachmentExecute
Used by Outlook Express, Windows Messenger and Internet Explorer, and third-parties soon
Unsafe attachments not trusted by default
Block/Prompt/Allow determined by combination of file type & zone
Dangerous file type + Restricted Zone = Block
Dangerous file type + Internet Zone = Prompt
AM marks the zone when it saves a file
Enables AES to block/prompt files in a ZIP
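The file type + zone decision from the slide above, reproduced in an added script that is not part of the deck. It reads the zone mark Attachment Manager writes into a saved file's Zone.Identifier alternate data stream and applies the two rules the deck states (dangerous type + Restricted = Block, dangerous type + Internet = Prompt). It assumes PowerShell 3.0 or later for the -Stream parameter; the dangerous-type list is a small constructed subset, and the sample file is constructed in %TEMP%.

```powershell
# Added example (not from the slide deck): apply the deck's Attachment Manager
# rule (file type + zone -> Block/Prompt/Allow) from the Zone.Identifier stream
# that AM writes when it saves a file. Assumes PowerShell 3.0+ (-Stream);
# $DangerousTypes is a constructed subset, not Windows' real list.

$DangerousTypes = @('.exe', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js')   # constructed subset
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-FileZone([string]$Path) {
    # AM stores "[ZoneTransfer]`r`nZoneId=N" in the Zone.Identifier stream.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return 0   # no mark: the file is treated as local
}

function Get-AttachmentDecision([string]$Path) {
    $zone = Get-FileZone $Path
    # The last extension decides, which is what defeats the deck's "myphoto.jpg.exe".
    $ext = [System.IO.Path]::GetExtension($Path).ToLower()
    $dangerous = $DangerousTypes -contains $ext
    if     ($dangerous -and $zone -eq 4) { $decision = 'Block' }    # deck: dangerous + Restricted
    elseif ($dangerous -and $zone -eq 3) { $decision = 'Prompt' }   # deck: dangerous + Internet
    else                                 { $decision = 'Allow' }    # all other combinations here
    New-Object PSObject -Property @{
        File = $Path; Zone = $ZoneNames[$zone]; Dangerous = $dangerous; Decision = $decision
    }
}

# Constructed sample: a file that looks like a photo but is an executable,
# marked as if it had been saved from the Internet zone.
$sample = Join-Path $env:TEMP 'myphoto.jpg.exe'
Set-Content -Path $sample -Value 'constructed sample, not a real program'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-AttachmentDecision $sample | Format-List File, Zone, Dangerous, Decision
Remove-Item $sample
```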
Safer message “preview” in OE
Windows Messenger
Block unsafe file transfers
Leverages Attachment Manager
Require user display name
Firewall Impacts
Summary
Networking
Windows Firewall – On by default, highly configurable
RPC & DCOM - Security enhancements
Email
Attachment Manager – Protect user from malicious attachments through consistent interface
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.