Windows Client Operating System Strategy


Windows Client Directions
Tyler S. Farmer – [email protected]
Sr. Technology Specialist II
Education Solutions Group
Microsoft Corporation
Windows Client Roadmap
“Harmony”
Developer Preview
Service Pack 2
“Lonestar”
Beta
64-bit for Extended Systems
Background
Responding to the Crisis
Exploits proliferating
Exploits are more sophisticated
Deploying security patches cumbersome
Current approach is insufficient
Days between patch and exploit (chart values): 331, 180, 151, 25
Improve patch management
Improve guidance and education
Introduce new security technologies
Windows XP
Service Pack 2
with Active Protection Technologies
SP2 Security Technologies
Network: help protect the system from attacks from the network
Email/IM: enable a safer Email and Instant Messaging experience
Web: enable a safer Internet experience for the most common Internet tasks
Memory: provide system-level protection for the base operating system
Windows® Firewall
Intended Goal and Customer Benefit
Offer increased protection from network attacks by default
Focused on roaming systems, small business, home users
What We’re Doing in SP2
Windows® Firewall (formerly ICF) will be on by default
More configuration options: Group Policy, command line, unattended setup
Improved user interface
Boot time protection
Multiple profile support: connected to corporate network vs. home
Enable file sharing on home networks with Windows Firewall
Developer/Application Impact
Inbound network connections, by default, are not permitted
Dynamically enable ports as necessary, but only for as long as necessary; disable when done
Network Protection
Windows Firewall (the software formerly known as ICF)
Boot time security
On by default for all interfaces, global configuration (all interfaces can share the same configuration)
Local subnet restriction
Command line support (via netsh) for scriptomatic configuration (think logon scripts)
“On with no exceptions”
Exception List
Multiple Profiles
RPC Support
Restore Defaults button
Unattended Setup for OEM’s
Multicast / Broadcast support
“Stateful” inspection firewall
New and improved Group Policy configuration (via System.adm)
Network Protection
DCOM – Locked down by default!
Previously, no way for administrators to enforce a machine-wide access policy for all DCOM applications
XP has over 150 DCOM servers OOB!
Many DCOM applications have weak “Launch” and “Access” permissions that allow anonymous remote activation / access!
Administrators had no way to centrally manage / override these settings!
DCOM Solution: a new machine-wide access check performed before any server-specific access checks are performed.
These computer-wide ACLs provide a way to override weak security settings specified by a specific application through CoInitializeSecurity or application-specific security settings
Access is also considered in terms of distance (i.e. local activation or remote activation), and ACLs can be set for both local and remote activation
Net Net – Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
Everyone is granted local launch, activation and call permissions
Network Protection
Restricted Raw Sockets
Limit # of incomplete TCP connection attempts
Winsock self-healing
RestrictRemoteClients Registry Key
WebDav redirector more secure (no BasicAuth over clear channel)
New Media Player 9
New Windows Messenger
Wireless Provisioning enhancements
Network Protection
Alerter, Messenger, Universal PnP are disabled by default
Bluetooth technology included, but disabled
Port 445 is blocked (prevents remote administration MMC tools)
Email Attachments
Intended Goal and Customer Benefit
System-provided mechanism for applications, intended to determine unsafe attachments
Consistent user experience for attachment “trust” decisions
What We’re Doing in SP2
Offering new public API for handling safe attachments (Attachment Execution Services)
Default to “not trust” unsafe attachments
Outlook®, Outlook® Express, Windows® Messenger, Internet Explorer changed to use new API
Open / execute attachments with least privilege possible
Safer message “preview”
Developer/Application Impact
Use new API in your applications for better user experience, and better identification of potentially unsafe content
Safer E-Mail
Outlook Express will read all e-mail as plain-text by default
Blocks HTML e-mail exploits – (beacons, re-dial)
Don’t download external HTML content
If you choose to render HTML e-mail, external HTML is not rendered / downloaded
Blocks “web bugs” etc.
AES API (Attachment Execution Service)
Apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail, browser, etc.)
Web Browsing
Intended Goal and Customer Benefit
Offer a safer web browsing experience
What We’re Doing in SP2
Locking down local machine and local intranet zones
Improving notifications for running or installing applications and ActiveX controls
HTML files on the local machine will not be able to script unsafe ActiveX controls or access data across domains in the Local Machine Security Zone
Blocking unknown, unsigned ActiveX controls
Disarm cross domain script attacks on APIs
Improved detection and handling of downloaded files through improvements to the mime-handling code path
Files served with mismatched or missing mime-headers and file extensions may be blocked
Web Browsing (cont’d)
What We’re Doing in SP2 (continued)
Mitigate ActiveX reuse through potential limited control leashing and more guided user experience
Limit UI spoofing
Pop-up windows will be suppressed unless they are initiated by user action
Developer/Application Impact
Check for web application compatibility with newer, safer browsing defaults
Identify whether controls are safe for scripting on the Internet, or if they can be more restricted
Safer Browsing
Internet Explorer
Add-On Management / Crash Protection
What DLL caused the crash?
ActiveX Controls handled better
Java VM can be disabled per zone
Local Machine Zone lockdown
All local files / content processed by IE run in LMZ
No ActiveX objects allowed
Scripts set to Prompt
Safer Browsing
Internet Explorer
Improved MIME handling
4 different checks performed (file extension, ContentType/Disposition from header and MIME sniff)
Object caching / Scope
Objects lose scope when browsing to a different domain / FQDN
Sites can no longer access cached objects from other sites
POP UP BLOCKER!!!!!
“Never trust content from Publishername”
One Prompt Per Control Per Page
Endless loop attack
Safer Browsing
Internet Explorer
Authenticode Dialog box supports ellipses
Annoying ActiveX controls with overly long descriptions can now be viewed
Window Restrictions
Prevents UI spoofing attacks
Script Sizing / Repositioning restrictions
Prevents scripts from moving windows to hide URL bars / status bars etc.
Status bar always visible
Scripts can no longer disable it
Safer Browsing
Internet Explorer
Script Pop-up Window Placement: pop-ups are now constrained so that they
Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window.
Are smaller in height than the parent WebOC window.
Overlap the parent window horizontally.
Stay with the parent window if the parent window moves.
Appear above their parent so other windows (such as a dialog box) cannot be hidden.
Mitigates chromeless window attacks
Safer Browsing
Internet Explorer
Zone Elevation blocks
Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL
Scripts can not navigate from Internet Zone to Local Machine Zone
AND Local Machine Zone is locked down by default now even if it could happen!
Zone Elevation Attacks are one of the most exploited IE attack vectors
Internet Explorer Information Bar
What does the Information Bar do?
Replaces many of the common dialog boxes
Contains descriptive text that explains why the action was taken
Provides a context-sensitive menu for users to respond to the notification
Feature Control Security zone settings (2)
MIME sniffing (settings in the UI)
The following table lists the default values for the URLACTION_FEATURE_MIME_SNIFFING flag in each security zone.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
Feature Control Security zone settings (4)
Windows restrictions (settings in the UI)
The following table lists the default values for the URLACTION_FEATURE_MIME_SNIFFING flag in each security zone.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOWS_RESTRICTIONS
New GPOs
Feature Controls settings
Hardware Execution Protection
Intended Goal and Customer Benefit
Reduce exposure of some buffer overruns
What We’re Doing in SP2
Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute
Reduces exploitability of buffer overruns
Enable by default on all capable machines for Windows binaries
Developer/Application Impact
Ensure your code doesn’t execute code in a data segment
Ensure your code runs in PAE mode with <4GB RAM
Use VirtualAlloc with PAGE_EXECUTE to allocate memory as executable
Test your code on 64-bit and 32-bit processors with “Execution protection”
Memory Protection Technologies
Data Execution Prevention (DEP)
Hardware & Software tools
Flag memory as “do not execute”
64-bit and newer 32-bit systems
AMD = “NX” Feature
Intel = “ExecuteDisable bit” feature
Memory Protection Technologies
JIT programs, drivers may have issues
Physical Address Extension (PAE) has to be on for this to work
Some drivers can’t handle the 64-bit addressing.
Apps that use the default process stack or heap could have problems
Helps mitigate buffer overrun and injected-code attacks
Additional Technologies
Automatic Update
SP2 will make it more convenient for customers to enable Automatic Update for critical updates.
WU 2.0 client
Software Update Services 2.0 will use a consistent engine for reporting system state and reducing inconsistent results on secure patch availability on a computer.
DirectX 9.0b
Latest, most secure DirectX components include fixes to address a network firewall change that impacts OEM pre-installs and DirectPlay.
Bluetooth 2.0
Includes support for current version of Bluetooth
Unified Windows Local Area Network (LAN) client
New wireless LAN is intended to work with a broad range of wireless hotspots
Additional Technologies
Filters in Add/Remove programs
Hides “updates” in program list
BITS 2.0
Target groups, delta downloads, small bandwidth, checkpoint download
Windows Update/Microsoft Update
1-stop shopping for Windows, Office, Exchange, SQL
All MS programs to follow suit
Include drivers
Additional Technologies
Setup Program for SP2
Laptop must be on AC Power
Hibernation / standby disabled during installation
Disabling Anti-virus software could increase install by 20%
Windows Installer 3.0
Reduce patch size
No more need for original CD
Patch removal
Additional Technologies
Tons of cool stuff for Tablet PCs
Block write to USB drives (if wanted)
IIS 5.1 with reduced attack surface
Support and Follow On
Technical Support
Primary Vehicle: http://support.microsoft.com/windowsxpsp2
Toll Free, Business Hours: 1-888-SP2HELP (4357)
Additional Policy Questions: Account Representatives
Additional HEVDP Program Questions: [email protected]
Questions?
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Resources
Main Web Page for SP2 for IT Professionals:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Main Web Page for SP2 for Developers:
http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx
Resources
Web Cast & PowerPoint file about SP2:
http://support.microsoft.com/default.aspx?kbid=872831
Resources
Changes to Functionality in Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
Issues that SP2 may cause:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/relsprc2.mspx
Resources
SP2 for Network Professionals:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Guide for Installing & Deploying SP2:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/spdeploy.mspx
Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1&displaylang=en
Resources
General
Windows XP SP2 Home
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Changes to Functionality
http://go.microsoft.com/fwlink/?LinkId=28022
Deployment
General
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/spdeploy.mspx
Firewall
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Automatic Update Options
http://www.microsoft.com/technet/prodtechnol/winxppro/
Deployment
Slides
Disabling AU for SP2 Only
Techniques and details:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx
After 120 days from 8/16 (12/14/2004), WU and AU will ignore this setting – machines will then install XPSP2 if they visit AU or WU after 12/14/2004
Methods:
Group Policy ADM Template: NoXPSP2Update.ADM
Command line Executable and Sample CMD: BlockSP2.CMD [MACHINENAME] [/B] [/U] [/H]
Redirect to the following URLs:
To block XPSP2: http://go.microsoft.com/fwlink/?LinkId=33518
To un-block XPSP2: http://go.microsoft.com/fwlink/?LinkId=33519
Sample E-mail scripts provided on how to use the URLs…
Registry = DoNotAllowXPSP2 set to DWORD Value of 1 at key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Deployment Options & Tools
Update Installation
Local: Run directly (XPsp2.exe)
Remote: Extract to share then run (Update.exe)
GPO & Windows Installer
Update.MSI with machine-assigned distribution
Integrated Installation – “Slipstream”
Update.exe with /s
RIS Options
Uninstall
Add/Remove Programs
XPsp2 and Update - /uninstall
Deployment – Update Installation
Update Installation
Extracted by XPSP2.exe
Initiated by Update.exe
Delta driver cab: Sp2.cab and updated Drvindex.inf
Layout.inf to specify installs and source (original CD or SP2)
Svcpack.log in systemroot:
Command-line utility that instantiated setup
List of files copied
Many command line options (standardized)
Options
Local SP source files (recommended)
Shared remote SP source files (for always connected)
Group Policy Object (AD required)
Deployment – Integrated Installation
Integrated Installation
Copy Windows XP bits to share (if necessary)
Update /s to share Integrated Installation
Options
Update i386 installation
Update RIS installation
RIS CD image: handled like normal slipstream
RIPrep image: install and copy back to RIS server
Note: Slipstream is a one-way operation
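The integrated-installation steps above (copy the XP bits to a share, run Update.exe /s against it) as one cmd.exe script. This is an added example, not a script from the slides or from Microsoft; the CD drive letter, distribution folder, package path and work folder are assumptions, and the WIN51IP.SP2 tag-file check at the end is what integration is expected to leave behind, used here only as a sanity check.

```batch
@echo off
setlocal
rem Added example (not from the slides): build an SP2-integrated ("slipstreamed")
rem i386 distribution folder using Update.exe /s. All paths below are assumptions.
set "CDROOT=D:"
set "DIST=C:\XPSP2DIST"
set "SP2PKG=C:\Downloads\XPsp2.exe"
set "WORK=%TEMP%\sp2extract"

rem Step 1: copy the Windows XP bits to a fresh folder. Slipstream is one-way,
rem so never run it against the only copy of the original source.
if exist "%DIST%\i386\NUL" (
    echo %DIST%\i386 already exists - refusing to slipstream over an existing tree.
    exit /b 1
)
xcopy "%CDROOT%\i386" "%DIST%\i386" /E /I /H /K /Q
if errorlevel 1 (
    echo Copy of i386 from %CDROOT% failed.
    exit /b 1
)

rem Step 2: extract the service pack package, then integrate it into the folder.
"%SP2PKG%" /x:"%WORK%"
if errorlevel 1 (
    echo Extraction of %SP2PKG% failed.
    exit /b 1
)
"%WORK%\i386\update\update.exe" /s:"%DIST%"
if errorlevel 1 (
    echo Integration failed - treat %DIST% as unusable and rebuild it from the CD.
    exit /b 1
)

rem Step 3: sanity check - integration adds the WIN51IP.SP2 tag file to i386
rem (assumption documented in the lead-in; verify against your own output).
if not exist "%DIST%\i386\WIN51IP.SP2" (
    echo WIN51IP.SP2 tag file missing - integration did not complete.
    exit /b 1
)
echo Integrated source ready at %DIST%. Point unattended or RIS installs at it.
endlocal
exit /b 0
```

Because the script refuses to run when the target i386 folder already exists, re-running it cannot slipstream over a tree that was already integrated; rebuild from the CD copy instead. Run it from an administrator command prompt.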
Deploying SP2 with GPO
Create a shared network distribution folder
Create a Group Policy object for SP2 deployments
Deploy the SP2 update.msi from the shared distribution folder as machine-assigned
Do not deploy it as a user-deployment
Target deployment (Domain, Site, OU)
When the computers are restarted, they will be updated to SP2.
Windows Firewall Settings and GPOs
Group Policy updates are requested by the domain member computer (and therefore solicited traffic that is not dropped when WF is enabled)
Local administrators will be unable to change some elements of its configuration using the Windows Firewall Control Panel applet (some tabs and options in the Windows Firewall dialog box will be grayed out)
Group Policy Management Console recommended for updates (free SP1 download)
System.adm template updated with first SP2 install (or can be updated manually)
Deploying Windows Firewall Settings Without Group Policy
Use the Netfw.inf file to configure Windows Firewall settings while Windows XP SP2 is being installed
Can be scripted or inserted into the distribution folder directly
Use the Netsh utility to update programmatically
Consider impact of users accessing WU directly
For SUS, consider early update to GPO
For disabled WF, consider pre-populating the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\DomainProfile\EnableFirewall=0 (DWORD data type)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\StandardProfile\EnableFirewall=0 (DWORD data type)
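The two registry-based controls the deck describes (DoNotAllowXPSP2 under "Disabling AU for SP2 Only", and the per-profile EnableFirewall values just above) are the same technique: pre-populating a policy DWORD with reg.exe before WU/AU or SP2 setup reads it. The script below is an added example, not from the slides or Microsoft; it uses the key paths exactly as the slides give them (check the firewall paths against the SP2 firewall deployment guide linked in the resources before relying on them) and assumes an administrator cmd.exe on XP.

```batch
@echo off
setlocal
rem Added example (not from the slides): set, clear and show the policy DWORDs
rem described in the deck. Usage:
rem   sp2policy blocksp2    -> DoNotAllowXPSP2 = 1 (WU/AU honour it only until 12/14/2004)
rem   sp2policy unblocksp2  -> remove DoNotAllowXPSP2
rem   sp2policy fwoff       -> EnableFirewall = 0 for Domain and Standard profiles
rem   sp2policy fwrestore   -> remove the EnableFirewall policy values (local settings apply again)
rem   sp2policy show        -> query the current values
rem Key paths are the ones given on the slides (assumption: they match your SP2 build).
set "WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "FWD=HKLM\SOFTWARE\Policies\Microsoft\FirewallPolicy\DomainProfile"
set "FWS=HKLM\SOFTWARE\Policies\Microsoft\FirewallPolicy\StandardProfile"

if /i "%~1"=="blocksp2"   goto :blocksp2
if /i "%~1"=="unblocksp2" goto :unblocksp2
if /i "%~1"=="fwoff"      goto :fwoff
if /i "%~1"=="fwrestore"  goto :fwrestore
if /i "%~1"=="show"       goto :show
echo Usage: %~nx0 blocksp2 ^| unblocksp2 ^| fwoff ^| fwrestore ^| show
exit /b 2

:blocksp2
rem DWORD 1 = do not offer XP SP2 through Windows Update / Automatic Update.
reg add "%WU%" /v DoNotAllowXPSP2 /t REG_DWORD /d 1 /f || goto :fail
goto :show

:unblocksp2
reg delete "%WU%" /v DoNotAllowXPSP2 /f || goto :fail
goto :show

:fwoff
rem DWORD 0 = firewall off for that profile; write both so the setting holds
rem whether the machine is on the corporate network or at home.
reg add "%FWD%" /v EnableFirewall /t REG_DWORD /d 0 /f || goto :fail
reg add "%FWS%" /v EnableFirewall /t REG_DWORD /d 0 /f || goto :fail
goto :show

:fwrestore
reg delete "%FWD%" /v EnableFirewall /f
reg delete "%FWS%" /v EnableFirewall /f
goto :show

:show
rem reg query exits non-zero when the value is absent, which is reported as "not set".
reg query "%WU%"  /v DoNotAllowXPSP2 2>nul || echo DoNotAllowXPSP2: not set
reg query "%FWD%" /v EnableFirewall  2>nul || echo DomainProfile EnableFirewall: not set (policy absent)
reg query "%FWS%" /v EnableFirewall  2>nul || echo StandardProfile EnableFirewall: not set (policy absent)
endlocal
exit /b 0

:fail
echo Registry update failed - administrator rights are required.
endlocal
exit /b 1
```

Keep the 12/14/2004 date in mind for the block option: after that date WU and AU ignore DoNotAllowXPSP2, so the value is a scheduling aid, not a permanent control. The firewall values are policy keys, so once they are present the Windows Firewall Control Panel applet greys out the corresponding options, exactly as the GPO section above describes.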
Troubleshooting
Slides
Windows Firewall
Stateful firewall
Example: DNS, DHCP, etc.
Blocks all traffic that is not allowed
Can open specific ports
Can allow specific applications
Can be completely turned off
…get to know the NETSH command!
Configuring the Firewall
Windows Firewall GUI in Control Panel
Customize Netfw.inf
netsh firewall reset
NetSH Commands (programmatic):
Netsh firewall add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
Netsh firewall set service FILEANDPRINT
Local or AD Group Policy
For more information:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Other Firewall Issues
Programs seem to stop working after install
http://support.microsoft.com/default.aspx?kbid=842242
Programs that may behave differently after install
http://support.microsoft.com/default.aspx?kbid=884130
Consider impact of users accessing SP2 directly
For SUS, AU consider early update to GPO
For disabled WF, consider pre-populating the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\DomainProfile\EnableFirewall=0 (DWORD data type)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\StandardProfile\EnableFirewall=0 (DWORD data type)
Common Issues
“I can’t configure the firewall”
You don’t have administrator privileges
GPO is in place (even in a non-Active Directory environment)
Common Issues
“Nobody can ping my computer”
This is by design
Blocks ICMP Echo Request messages
Can be turned on if desirable
Common Issues
“Users cannot access my game / web server / etc.”
Expected with default install
Add exception for the application
Add exception for the ports
Common Issues
“My local file shares and printer shares can’t be accessed”
“I can’t see computers on the network in My Network Places”
Expected by default
Add File & Printer Sharing to the firewall exception list
Common Issues
“I can’t remotely administer a machine with the firewall enabled.”
Expected by default
Add Remote Assistance to the firewall exception list
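The "Configuring the Firewall" slide and the "Common Issues" slides above describe the same set of netsh firewall operations: keep the firewall on, add program and port exceptions, enable the File and Printer Sharing and remote administration service groups, allow ICMP echo, and turn on logging. The script below is an added example that applies them as a scoped baseline; it is not from the slides or from Microsoft. The program path, port number and names are assumptions, and the subnet and domain-profile scoping is a design choice made here to keep exceptions off the Internet-facing profile.

```batch
@echo off
setlocal
rem Added example (not from the slides): Windows Firewall (XP SP2) baseline via
rem netsh with the exceptions behind the "Common Issues" slides. Run as administrator.
set "APP=C:\MyApp\MyApp.exe"
set "APPNAME=MyApp"
set "WEBPORT=8080"

rem Firewall on for every profile with the exception list active. The slides'
rem "On with no exceptions" mode would be: mode=ENABLE exceptions=DISABLE.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL || goto :fail

rem "Users cannot access my game / web server": a program exception plus a port
rem opening, both limited to the local subnet rather than scope=ALL.
netsh firewall add allowedprogram program="%APP%" name="%APPNAME%" mode=ENABLE scope=SUBNET profile=ALL || goto :fail
netsh firewall add portopening protocol=TCP port=%WEBPORT% name="%APPNAME% web" mode=ENABLE scope=SUBNET profile=ALL || goto :fail

rem "My file shares / My Network Places don't work": File and Printer Sharing
rem service group (NetBIOS 137-139 and SMB 445), local subnet only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL || goto :fail

rem "I can't remotely administer a machine": the Remote Administration group
rem (RPC/DCOM and port 445, which SP2 blocks by default) for the domain profile
rem only, so it is closed when the laptop is on a home network.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=DOMAIN || goto :fail

rem "Nobody can ping my computer": inbound echo request is ICMP type 8; allow it
rem only on the domain profile where monitoring expects it.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN || goto :fail

rem Dropped-packet and connection logging to pfirewall.log for troubleshooting.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE || goto :fail

rem Verify: profiles, exception list, open ports, then the full configuration.
netsh firewall show state verbose=ENABLE
netsh firewall show config
endlocal
exit /b 0

:fail
echo A netsh command failed: administrator rights are required, and a GPO may be overriding local settings.
endlocal
exit /b 1
```

The Remote Assistance exception the slide names is a program exception set from the GUI or Group Policy; the REMOTEADMIN service group used here is the netsh equivalent for the MMC and RPC tools that the default port 445 block stops. If a domain GPO manages the firewall, these local commands will be refused or overridden, which is the "I can't configure the firewall" case above.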
Tools
Netsh firewall show state verbose=enable
Shows how the firewall is configured
Netstat -abn
Shows what ports the PC is listening on
Set the firewall logging (pfirewall.log)
Also audit logging, logs change in the security event log
Tools
Netstat -ano
Display ports that are being used by PIDs
Tasklist /svc
Show PIDs and the program name .EXE
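The tools above are most useful together: netstat -ano gives the PID behind each listening port and tasklist /svc turns that PID into an image name and, for svchost.exe, the services it hosts. The script below is an added example, not from the slides or Microsoft, that joins the two with a for /f loop and collects the firewall state and any DROP entries from pfirewall.log into one report; it assumes an administrator cmd.exe and the default log location.

```batch
@echo off
setlocal
rem Added example (not from the slides): one troubleshooting report from the
rem tools the deck lists - firewall state, listeners joined to owning process
rem and hosted services, and dropped packets from pfirewall.log.
set "REPORT=%TEMP%\sp2-fw-report.txt"
set "FWLOG=%windir%\pfirewall.log"

> "%REPORT%" echo === Windows Firewall state (profiles, exceptions, open ports) ===
>> "%REPORT%" netsh firewall show state verbose=ENABLE
>> "%REPORT%" netsh firewall show config

>> "%REPORT%" echo === TCP listeners: local address, PID, image and hosted services ===
rem netstat -ano TCP columns: Proto LocalAddress ForeignAddress State PID,
rem so tokens 2 and 5 are the socket and its PID. tasklist /svc /fi resolves the
rem PID to an image and, for svchost.exe, the service names - what you need to
rem decide whether a listener is expected before adding a firewall exception.
for /f "tokens=2,5" %%a in ('netstat -ano -p TCP ^| findstr /c:"LISTENING"') do (
    >> "%REPORT%" echo TCP %%a  PID=%%b
    >> "%REPORT%" tasklist /svc /nh /fi "PID eq %%b"
)

>> "%REPORT%" echo === UDP sockets: local address, PID, image and hosted services ===
rem UDP lines have no State column: Proto LocalAddress ForeignAddress PID.
for /f "tokens=2,4" %%a in ('netstat -ano -p UDP ^| findstr /r /c:"^ *UDP"') do (
    >> "%REPORT%" echo UDP %%a  PID=%%b
    >> "%REPORT%" tasklist /svc /nh /fi "PID eq %%b"
)

rem pfirewall.log lines read: date time action protocol src-ip dst-ip src-port
rem dst-port ... ; the DROP lines show which closed ports are being probed.
rem The log only exists once "netsh firewall set logging droppedpackets=ENABLE" is set.
>> "%REPORT%" echo === Dropped packets recorded in %FWLOG% ===
if exist "%FWLOG%" (
    >> "%REPORT%" findstr /c:" DROP " "%FWLOG%"
) else (
    >> "%REPORT%" echo Log not found - dropped-packet logging is not enabled.
)

echo Report written to %REPORT%
endlocal
exit /b 0
```

netstat -abn, which the slide also lists, adds the owning component for each socket but is noticeably slower on XP because it walks each process's modules; the PID join above gives the same answer for most cases and runs quickly enough for a logon script.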