Windows XP Service Pack 2 - Microsoft Center

Windows XP Service Pack 2 Technical Update
Windows XP Service Pack 2 Technical Workshop
• Agenda
– Security Overview
– Introduce Windows XP Service Pack
– Questions Time
Security – what is the current experience?
• Security exploits are proliferating
• Time to exploit is decreasing
• Exploits are more sophisticated
• The current approach is insufficient
[Chart (time to exploit): y-axis 0–350; bars in extraction order: Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25, Sasser 18]
1. Security is a top priority for Microsoft
2. There is no silver bullet: the solution is complex
3. This problem has to be tackled across the industry
4. Change requires innovation & partnerships
Security Pain Points
We’ve been told… / … Our action items
– “The quality of the patching process is low and inconsistent” → Improve the updates experience to offer consistency and higher quality
– “I need to know how to protect my PC” → http://www.microsoft.com/security/protect
– “I can’t keep up…new patches are released every week” → Offer more resilient PCs by introducing “safety technologies”
– “There are still too many vulnerabilities in your products” → Continue Improving Quality
Summary
• There is consumer and commercial concern around security
– Momentum is building
– Interest is high but adoption & action are lagging
• Communities are unclear on what steps to take
– Many don’t know what version OS they are running
– Unclear if they call Microsoft or PC manufacturer
– So many Windows Update (WU) pop-ups, can’t tell if they’re “being current”
• Narrowband: How to maintain “updated status” world-wide?
– SP1 + Critical updates on narrowband may = extended download time
• Consumers do not seem to be apportioning blame to any specific company
– Apparently seen more as an overall industry issue
– Would like Microsoft to be more proactive
– They expect Microsoft to take action
(Callouts on the slide: Increase awareness; Deliver offline solution; Work with PC Industry)
Windows XP Service Pack 2 Beta
Protect Your PC - Education
www.microsoft.com/protect
• Future Content:
– Tips ‘n tricks
– Outlook®/Microsoft® Internet Explorer/other product info
– P2P/Home networking tips
Windows Security Update CD
Available since Feb 17th
• REACTIVE – orderable from PSS and MS.COM
• PROACTIVE – WW to online Windows users
• CD contains bits and content
• Trial antivirus and firewall software from CA
Content:
• Windows® XP:
– Windows XP SP1a full install package
– All Critical Windows XP and Windows Internet Explorer 6 security updates since SP1a
– Windows Security Analyzer (WSA)
• Windows® 2000, Windows® Millennium Edition, & Windows® 98
– Critical security updates to date
– Internet Explorer 6 SP1, DirectX® 9b, Windows® Media Player
– 3rd party firewall and AV via third parties
• Content:
– PYPC 1-2-3 HTML
CD availability & ordering:
• Orderable via www.microsoft.com/australia/security
Windows XP Service Pack 2
• What is Windows XP Service Pack 2?
– Service Pack 2 includes updates intended to address issues identified after the release of the prior version.
– Service Pack 2 also includes a set of Microsoft developed safety technologies which were designed to help reduce the risk of malicious attacks against computer systems.
• Why release Windows XP Service Pack 2?
– Microsoft continually works to improve its software.
– With the recent increase in the frequency of attacks against computer systems, Microsoft is focusing its efforts in order to help provide security for our customers’ computer systems.
• Microsoft Goals?
– Help customers reduce the risk associated with malicious attacks
– Reduce the cost and complexity of managing the overall security threat.
Windows XP SP2 is one component in a series of new initiatives and investments Microsoft is making to help provide online security for customers.
Four key pillars of Windows XP SP2
• Network – Help protect the system from directed attacks from the network
• Email/IM – Helps provide security for Email and Instant Messaging experience
• Web – Helps provide security for Internet experience for most common Internet tasks
• Memory – Offer system-level protection for the base operating system
Network Protection Technologies
• Windows Firewall (previously called Internet Connection Firewall)
– On by default
• Protects new network connections as they are added to the system (applies to both IPv4 and IPv6 traffic)
• Potential problem with app compatibility if apps do not work with stateful filtering by default
– Boot time security
• Firewall driver has a static rule to perform stateful filtering called boot-time policy
• Allows PC to perform DNS and DHCP tasks and communicate with a domain controller to obtain policy
• Once the firewall is running, run-time policies are applied and the boot filter is removed
• Boot-time policy cannot be configured
• No boot time security if Windows Firewall is disabled
Network Protection Technologies
• Global Configuration
– Previously Windows Firewall was configured on a per-interface basis (i.e. each network connection had its own firewall policy – e.g. one policy for wireless and one policy for Ethernet)
– Global configuration means whenever a change occurs it applies to all network connections
– When creating new connections – the configuration is applied as well
– This change enables apps to work on any interface with a single configuration option
• Local Subnet Restrictions
– Configure ports to only receive network traffic with a source address from the local subnet (previously this was open globally and incoming traffic could come from any network location – local or internet)
– Recommended: apply local subnet restrictions to any static port that is used for communication on the local network
– This can be done programmatically via Windows Firewall Netsh Helper or the Windows Firewall user interface
Network Protection Technologies
• Local Subnet Restrictions continued…
– When file and print sharing is enabled, the following ports will only receive traffic from the local subnet
• UDP port 137
• UDP port 138
• TCP port 139
• TCP port 445
– When the UPnP architecture is enabled two ports are specifically affected and only receive traffic from the local subnet
• UDP port 1900
• TCP port 2869
• Unattended Setup Support
– It is now possible to configure the following options of Windows Firewall through unattended setup
• Operational mode
• Applications on the Windows Firewall exception list
• Static ports on the exception list
• ICMP options
• Logging options
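Added example (not from the presentation): the subnet-scoped exceptions described on the slides above, applied from a command prompt with the Windows Firewall Netsh Helper the slide mentions rather than the user interface. The application path, the exception names and port 8080 are placeholders chosen for illustration; the commands must be run by an Administrator on an XP SP2 machine.

```batch
@echo off
REM Added example (not from the presentation): applying local subnet restrictions
REM with the XP SP2 "netsh firewall" context. Run as Administrator on XP SP2.
REM The program path, exception names and port 8080 below are placeholders.

REM Firewall on for both profiles (Domain and Standard); exceptions remain honoured
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM File and Printer Sharing (UDP 137/138, TCP 139/445): answer the local subnet only
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

REM UPnP (UDP 1900, TCP 2869): likewise restricted to the local subnet
netsh firewall set service type=UPNP mode=ENABLE scope=SUBNET profile=ALL

REM A static port used only on the LAN (placeholder 8080) gets a subnet-scoped opening
netsh firewall add portopening protocol=TCP port=8080 name="LAN-only service" mode=ENABLE scope=SUBNET profile=ALL

REM A program that listens on the LAN (placeholder path) goes on the exception list, subnet-scoped,
REM so the firewall opens whatever port it binds, but only for local-subnet sources
netsh firewall add allowedprogram program="C:\Program Files\Example\lanapp.exe" name="Example LAN app" mode=ENABLE scope=SUBNET profile=ALL

REM Drop inbound echo requests (ICMP type 8) while on untrusted networks (Standard profile)
netsh firewall set icmpsetting type=8 mode=DISABLE profile=STANDARD

REM Log dropped packets so blocked traffic can be reviewed afterwards
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

REM Verify the effective configuration and the per-port state before rolling the script out
netsh firewall show config
netsh firewall show state
```

scope=SUBNET is the netsh form of the local subnet restriction; the two "set service" lines cover exactly the port sets listed on the slides, and the closing "show" commands confirm the scope of every opening before the same script is pushed out through a logon script or unattended setup.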
Network Protection Technologies
• New Group Policy support for Windows Firewall
– Previously Windows Firewall had a single Group Policy object (GPO): Prohibit Use of Internet Connection Firewall on your DNS domain
– New configuration options include
• Operational mode (On, On with no exceptions, Off)
• Opened static ports
• ICMP settings
• Enable RPC and DCOM
• Enable File and Printer sharing
• Multiple profiles for domain-joined PCs (XP Pro only)
– “Domain” for when PC is connected to the corporate network
– “Standard” for when PC is connected to another network
– Workgroup PCs can only use Standard profile
Network Protection Technologies
• Windows Firewall Application Compatibility
– Over 350 apps tested in-house
– Client applications work by default:
• Web browsers
• Email clients
• IM clients (text messaging)
• Client-Server Multiplayer games
• Apps that turn the PC into a server won’t work by default:
– Peer-to-Peer Multiplayer games
– Remote Administration
– IM clients (voice/video, file transfer)
– Notification dialog addresses most applications
– Apps that need to be manually added to the Exceptions list will be listed on the Protect Website at SP2 RTM: http://www.microsoft.com/security/protect/ports.asp
Network Protection Technologies
• Windows Firewall Configuration
• netfw.inf
– Used by Restore Defaults
– Preferred method if doing custom configuration
– Can configure all global firewall options
– No logging or per-interface options
– Available in RC1
• unattend.txt
– Can configure all global firewall options
– No logging or per-interface options
– Coming in RC2
• winbom.ini / sysprep
– Can configure all global firewall options
– No logging or per-interface options
– Coming in RC2
Demonstration
Windows Firewall
Network Protection Technologies
• DCOM Security Enhancements
– Microsoft Component Object Model (COM) is a platform-independent, distributed object-oriented system for creating binary software components
– Distributed COM allows applications to be distributed across locations
– If you have a COM server application that meets one of the following criteria then the DCOM security enhancements will affect you
• Access permission for the app is less stringent than the permission necessary to run it
• App only meant to run locally
• Unauthenticated remote callbacks
Network Protection Technologies
• RPC Interface Restrictions (Remote Procedure Calls)
– Change here applies to the addition of the RESTRICTREMOTECLIENTS registry key
– This key modifies the behaviour of all RPC interfaces on the system
– By default will eliminate remote anonymous access to RPC interfaces
– This feature applies to RPC application developers
– More difficult to attack an interface if you require calls to perform authentication – even low level
– Worms rely on exploitable buffer overruns that can be invoked remotely through anonymous connections
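Added example (not from the presentation): querying and setting the policy registry value behind the RPC interface restriction on the slide. The key path and the meaning of the three values are as documented for XP SP2; choosing value 2 is a hardening step shown for illustration, not something the slide prescribes.

```batch
@echo off
REM Added example (not from the presentation): the RestrictRemoteClients policy value
REM that governs anonymous remote RPC access on XP SP2. Run as Administrator.
REM Values: 0 = no restriction (pre-SP2 behaviour)
REM         1 = SP2 default (anonymous remote calls rejected, except interfaces that opt out)
REM         2 = every remote RPC call must be authenticated
REM Reboot afterwards so that all RPC servers pick up the new policy.

set RPC_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

REM Show the current value. If the query reports that the value does not exist,
REM the policy has never been set and the SP2 default (1) is in effect.
reg query "%RPC_KEY%" /v RestrictRemoteClients

REM Require authentication on every remote RPC call (the strictest setting).
REM Test line-of-business RPC applications first: clients that bind anonymously
REM will receive access-denied errors after this change.
reg add "%RPC_KEY%" /v RestrictRemoteClients /t REG_DWORD /d 2 /f

REM Confirm what was written
reg query "%RPC_KEY%" /v RestrictRemoteClients

REM To return to the SP2 default, write 1 instead:
REM reg add "%RPC_KEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
```

The same value can be delivered to a whole domain through Group Policy rather than a script, and the "reg query" lines double as an audit check that a machine has not been set back to 0.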
Network Protection Technologies
• Wireless Provisioning Services (WPS)
– An extension to the existing wireless services and user interfaces within Windows XP and Windows Server 2003
– Builds on Wireless AutoConfiguration, Protected Extensible Authentication (PEAP) and Wi-Fi Protected Access (WPA)
– WPS includes a provisioning service component which allows wireless internet service providers (WISPs) and enterprises to send provisioning and config information to a mobile client
– WISPs can offer services at multiple network locations and use multiple network names (SSIDs)
– WPS will make it easier to use wireless hotspots without security compromises
Question Time?
Safer E-mail Handling Technologies
• Safer E-mail handling with Outlook Express
– Plain Text Mode
• Provides users with the option to render incoming mail messages in plain text instead of HTML
• This provides an additional barrier to malicious code that is transmitted via e-mail – Outlook Express previously processed HTML header scripts in the HTML content
• The MSHTML control used to automatically execute these scripts – the rich edit control does NOT execute HTML scripts
– Don’t Download External HTML Content
• Protects users from repeated spam mailings by preventing them from unknowingly validating their e-mail address
• Enabled by default
• Users are prompted through a new message bar that images have not been rendered
– Open / Execute attachment with least system privileges available
New Attachment Execution Services
• IE File Download Prompt
– A file handler icon has been added
– A new information area has been added to the bottom of the dialog box that provides slightly different information, depending on whether the downloaded file type is of higher or lower risk
– All executable files that are downloaded are checked for publisher information
• Outlook Express E-mail Attachment Prompt
– Uses the same procedures as file downloads
– Files are checked for publisher information
– Files with missing/invalid/blocked publisher information are not allowed to run
• Windows Messenger
– Blocks unsafe file transfers
(Callout on the slide: Users can block publishers for ActiveX)
Enhanced Browsing Security
• Internet Explorer Download Prompt
– Using IE to download a file will now invoke a new dialog box that has the following changes
• A file handler icon added
• New information area depending on whether the download file type is low or high risk
• All executable files downloaded are checked for publisher information
– Post download, the IE Authenticode box presents the publisher information to the user, who can make a more informed decision about running the file
– This change brings consistency and clarity to the experience of downloading files and code
– Executables with invalid or blocked signatures are not allowed to run
– You can unblock a publisher by using Manage Add-ons in IE
Enhanced Browsing Security
• IE Add-on Management
– Allows users to view and control the list of add-ons that can be loaded by IE with more detailed control
– Eg: a user may unintentionally install an add-on that secretly records all Web page activity and reports it to a central server
– Add-ons include
• Browser helper objects
• ActiveX controls
• Toolbar extensions
• Browser extensions
– Add-ons can be installed from a variety of locations and in several ways including
• Download and install while viewing web pages
• Install by way of executable programs
• Pre-installed components of the OS
• Pre-installed add-ons that come with the OS
Enhanced Browsing Security
• IE Add-on Management
– This change is important because our Windows Error Reporting tells us that add-ons are a major cause of stability issues in IE
– They also pose a security risk because they may contain malicious and unknown code
– Helps diagnose IE crashes, which become easier to isolate and fix
– Disabling an add-on does not remove it from the PC, it only prevents IE from executing the code
• IE Add-on Management for Administrators
– Administrators can control the use of add-ons
– 3 modes of operation
• Normal mode – user has full control
• AllowList mode – admin-specified list of permitted add-ons
• DenyList mode – admin specifies add-ons to be disallowed only
• Quick Demonstration
Enhanced Browsing Security
• New Group Policy IE Settings include
– Binary Behaviour Security Restrictions
– Protocol Security Restrictions
– Local Machine Zone Lockdown
– Consistent MIME handling
– MIME Sniffing Safety Feature
– Object Caching Protection
– Popup Management
– Scripted Window Security Restrictions
– Protection From Zone Elevation
• Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the Group Policy Object Editor
Enhanced Browsing Security
• Changes to Local Machine Zone Security Settings
– Local Machine Zone lockdown will be more restrictive than the Internet Zone
– Any time content attempts one of these actions, an Information Bar will appear in IE with the following text
• “This page has been restricted from running content that might be able to access your computer. If you trust this page, click here to allow it to access your computer”
– Users can click the Information Bar to remove the lockdown
– When Local Machine Zone lockdown is applied to a given process, it changes the behaviour of URL actions from Allow to Disallow
– Scripts and ActiveX controls will not run
– This change will prevent content on a user’s computer from elevating privileges
Enhanced Browsing Security
• IE MSJVM Security Setting
– Previous versions of Windows included the Microsoft JVM
– The IE security setting for Java could be used to disable the MSJVM, but this would also disable any JVM
– Windows XP SP2 contains an IE security setting that works exclusively with MSJVM and renames the previous setting so that its effect is clearer
– By default MSJVM is enabled for all zones except the Restricted Sites zone
– XP SP2 does not include or install the MSJVM
– If you already have the MSJVM installed on your PCs you can continue to update this using Windows Update
– MSJVM is not included in Windows Server 2003, Windows 2000 SP4 or Windows XP SP2
– It will not be included in any future Microsoft products
Enhanced Browsing Security
• MIME (Multipurpose Internet Mail Extensions) Handling Enforcement
– IE uses MIME to decide how to handle files sent by a Web server
– IE will now follow stricter rules designed to reduce the attack surface for spoofing the IE MIME handling logic
• MIME handling enforcement
– IE will now require all file type information provided by the Web server to be consistent
– IE will enforce consistency between how the file is handled in the browser and in the Windows shell
• MIME sniffing file type
– By examining (or sniffing) a file, IE can recognise the bit signatures of certain file types
– Eg; files that are received as plain text but that include HTML code will not be promoted to the HTML type
Enhanced Browsing Security
• IE Object Caching
– Previously web pages could access objects cached from other websites
– Now, a reference to an object is no longer accessible when the user navigates to a new domain
– In addition to blocking access when navigating across domains, access is also blocked when navigating within the same domain (a domain is defined as a fully qualified domain name or FQDN)
Enhanced Browsing Security
• Pop-up Blocking
– Pop-up Manager is turned on by default
– Pop-up windows cannot be opened larger than or outside the viewable desktop area
– Sites in the Trusted Sites and Local Intranet zones never have their pop-up windows blocked, as they are considered safe
– When a pop-up window is blocked by IE, a notification appears in the status bar with the following options
• Show Blocked Pop-up Window
• Allow Pop-up Windows from This Site
• Block Pop-up
• Pop-up Window Options
• Users will see pop-up windows open in the following cases
• Pop-up is opened by a link
• Pop-up is opened by software running on the PC
• Pop-up is opened by ActiveX controls initiated from a web site
• Pop-up is opened from the Trusted Sites or Local Intranet zone
• Demonstration
– Pop Up Blocker
– IE Add-On Manager
Question Time?
Windows Security Centre
• A central location for changing security settings, learning more about security, and ensuring that the user’s computer is up to date, with the essential security settings that are recommended by Microsoft
• On by Default
• Works with 3rd party Anti-Virus and Firewall solutions
– Supports manual detection via registry settings
– Supports automatic detection when ISV writes to schema
• 1st run experience
– WSC screen added to OOBE in preinstall
– WSC screen shows up at 1st Admin logon if it is an upgrade (SP1->SP2)
• Domain vs. Non-domain
– Prescription and notification are turned off for PCs in a domain
Windows Security Centre
• Group Policy Settings
– There is 1 Group Policy setting for the Security Centre
– This determines whether or not the Security Centre user interface and alert system are enabled or unavailable for users whose computers are joined to a Windows domain
– If you decide to use the Security Centre within your business you must modify the Group Policy setting to “On”
• Overall Group Policy Updates
Windows Messenger
• New capabilities have been added to Windows Messenger
– Block unsafe file transfers
– Require user display name
– Windows Messenger / Windows Firewall
• Files will be blocked when both of the following occur
– The sender is not on your contacts list
– Someone tries to send you a file that is considered unsafe
• User is prompted before opening the following file types:
– Microsoft Office files, such as .doc, .ppt, .xls.
– Files from other applications, such as .zip, .wpd, and .pdf.
– Computer applications, programs, or any file that contains software code or script including macros, executables, and JavaScript
– Files with these extensions: .exe, .cmd, .wsh, .bat, .vb, .vbs, .pif, .scr, .scf.
Windows Messenger
• Files with the extensions .jpg, .txt and .gif are generally considered safe and you can receive these from someone not on your contacts list
• Windows Messenger / Windows Firewall
– Windows Messenger needs permission to connect to the Internet through the Windows Firewall
– To give permission go to Security Centre, Windows Firewall, click the Exceptions tab and select Windows Messenger
Memory Protection Technologies
• Execution Protection (NX – no execute)
• Marks all memory locations in a process as non-executable unless the location explicitly contains executable code
• Requires both OS and hardware support
• Both Intel and AMD have defined and shipped Windows compatible architectures for execution protection
• NX protects against certain types of memory buffer overruns
• In order to use the NX feature, the processor must be running in Physical Address Extension (PAE) mode
• Helps drive best practice software development
Memory Protection Technologies
• Security feature that helps protect against certain kinds of buffer overrun exploits
– Code injection attack
• Buffer overrun leveraged to inject code into process address space
– Execution of injected code raises an exception
• Process is terminated to prevent malicious code from running
– Data Execution Prevention is not a buffer overrun panacea
• Execution protection requires both processor-level hardware support and operating system software support
– Currently, the only shipping x86 processors to support execution protection are AMD’s 32/64-bit Opteron and Athlon 64
– The Itanium Processor Family also supports execution protection.
NX End User Experience
• Application Crash Experience
NX End User Experience
• Configuration Experience
– Accessible through the system properties in the control panel
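Added example (not from the presentation): viewing and changing the DEP policy from the command line with bootcfg instead of the System Properties dialog the slide refers to. On XP SP2 the policy is a boot.ini switch; the boot entry ID 1 used below is an assumption and must be checked against the bootcfg /query output on the machine.

```batch
@echo off
REM Added example (not from the presentation): inspecting and setting the DEP (NX) policy
REM on XP SP2 via the boot.ini /noexecute switch. Run as Administrator; the new policy
REM takes effect at the next boot. Boot entry ID 1 below is assumed, check it first.
REM /noexecute values: OptIn  (XP SP2 default: Windows binaries and opted-in programs)
REM                    OptOut (everything except the programs listed as exceptions)
REM                    AlwaysOn, AlwaysOff
REM With /noexecute set, XP SP2 loads the PAE kernel automatically on NX-capable CPUs,
REM which is the PAE requirement the slide mentions.

REM List boot entries; note the ID of the Windows XP entry and its current OS load options
bootcfg /query

REM Switch entry 1 to OptOut. /raw replaces the entire OS load options string,
REM so every switch you rely on (here /fastdetect) must be restated.
bootcfg /raw "/fastdetect /noexecute=OptOut" /id 1

REM Confirm the change, then reboot for it to take effect
bootcfg /query
```

OptOut is the setting an administrator typically rolls out after testing, since it covers every process by default and leaves the per-program exception list in System Properties for the few applications that break under execution protection.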
Windows Update
• Windows Update (WU) is a component of Windows Update Services (WUS)
• With Windows XP SP2, WU and WUS provide 2 services
– Windows Update – all security patches and updates for Windows components
– Microsoft Update – all security patches and updates for Windows components and other Microsoft product applications – including SQL, Exchange and Office. Microsoft Update is a superset of WU
• Removes the need for navigating to multiple locations to keep Windows and Apps updated and secure
Question Time?