Windows XP Service Pack 2 Technical Update - PowerPoint PPT Presentation

About This Presentation
Title:

Windows XP Service Pack 2 Technical Update

Description:

You can unblock a publisher by using Manage Add-ons in IE. Windows XP Service ... Show blocked popup Window. Allow Pop-up Windows from this site. Block Pop-up ... – PowerPoint PPT presentation

Slides: 44
Provided by: amber5
Transcript and Presenter's Notes

Title: Windows XP Service Pack 2 Technical Update


1
Windows XP Service Pack 2 Technical Update
2
Windows XP Service Pack 2 Technical Workshop
  • Agenda
  • Security Overview
  • Introduce Windows XP Service Pack
  • Question Time

3
Security: what is the current experience?
  • Security exploits are proliferating
  • Time to exploit is decreasing
  • Exploits are more sophisticated
  • The current approach is insufficient
  • Security is a top priority for Microsoft
  • There is no silver bullet; the solution is
    complex
  • This problem has to be tackled across the
    industry
  • Change requires innovation and partnerships

4
Security Pain Points
  • We've been told: "The quality of the patching
    process is low and inconsistent"
    Our action item: improve the updates experience
    to offer consistency and higher quality
  • We've been told: "I need to know how to protect
    my PC"
    Our action item: http://www.microsoft.com/security/protect
  • We've been told: "I can't keep up; new patches
    are released every week"
    Our action item: offer more resilient PCs by
    introducing safety technologies
  • We've been told: "There are still too many
    vulnerabilities in your products"
    Our action item: continue improving quality
5
Summary
  • There is consumer and commercial concern around
    security
  • Momentum is building
  • Interest is high but adoption and action are
    lagging
  • Communities are unclear on what steps to take
  • Many don't know what version OS they are running
  • Unclear if they call Microsoft or PC manufacturer
  • So many Windows Update (WU) pop-ups, can't tell
    if they're current
  • Narrowband: how to maintain updated status
    world-wide?
  • SP1 critical updates on narrowband may mean
    extended download times
  • Consumers do not seem to be apportioning blame to
    any specific company
  • Apparently seen more as an overall industry issue
  • Would like Microsoft to be more proactive
  • They expect Microsoft to take action

Increase awareness
Deliver offline solution
Work with PC Industry
6
Protect Your PC - Education
  • www.microsoft.com/protect
  • Future Content
  • Tips and tricks
  • Outlook/Microsoft Internet Explorer/other
    product info
  • P2P/Home networking tips

7
Windows Security Update CD
  • Content
  • Windows XP
  • Windows XP SP1a full install package
  • All Critical Windows XP and Windows Internet
    Explorer 6 security updates since SP1a
  • Windows Security Analyzer (WSA)
  • Windows 2000, Windows Millennium Edition,
    Windows 98
  • Critical security updates to date
  • Internet Explorer 6 SP1, DirectX 9b, Windows
    Media Player
  • 3rd party firewall and AV via third parties
  • Content
  • PYPC 1-2-3 HTML
  • CD availability / ordering
  • Orderable via www.microsoft.com/australia/security

Available since Feb 17th
  • REACTIVE: orderable from PSS and MS.COM
  • PROACTIVE: WW to online Windows users
  • CD contains bits and content
  • Trial antivirus and firewall software from CA

8
Windows XP Service Pack 2
  • What is Windows XP Service Pack 2?
  • Service Pack 2 includes updates intended to
    address issues identified after the release of
    the prior version.
  • Service Pack 2 also includes a set of Microsoft
    developed safety technologies which were designed
    to help reduce the risk of malicious attacks
    against computer systems.
  • Why release Windows XP Service Pack 2?
  • Microsoft continually works to improve its
    software.
  • With the recent increase in the frequency of
    attacks against computer systems, Microsoft is
    focusing its efforts in order to help provide
    security for our customers' computer systems.
  • Microsoft's Goals
  • Help customers reduce the risk associated with
    malicious attacks
  • Reduce the cost and complexity of managing the
    overall security threat. Windows XP SP2 is one
    component in a series of new initiatives and
    investments Microsoft is making to help provide
    online security for customers.

9
Four key pillars of Windows XP SP2
  • Network: help protect the system from directed
    attacks from the network
  • Email/IM: helps provide security for the Email
    and Instant Messaging experience
  • Web: helps provide security for the Internet
    experience for the most common Internet tasks
  • Memory: offer system-level protection for the
    base operating system
10
Network Protection Technologies
  • Windows Firewall (previously called Internet
    Connection Firewall)
  • On by default
  • Protects new network connections as they are
    added to the system (applies to both IPv4 and
    IPv6 traffic)
  • Potential problem with app compatibility if apps
    do not work with stateful filtering by default
  • Boot time security
  • Firewall driver has a static rule to perform
    stateful filtering called boot-time policy
  • Allows PC to perform DNS and DHCP tasks and
    communicate with a domain controller to obtain
    policy
  • Once the firewall is running, run-time policies
    applied and boot filter is removed
  • Boot-time policy cannot be configured
  • No Boot time security if Windows Firewall is
    disabled

11
Network Protection Technologies
  • Global Configuration
  • Previously Windows Firewall was configured on a
    per-interface basis (i.e. each network connection
    had its own firewall policy, e.g. one policy for
    wireless and one policy for Ethernet)
  • Global configuration means whenever a change
    occurs it applies to all network connections
  • When creating new connections the configuration
    is applied as well
  • This change enables apps to work on any interface
    with a single configuration option
  • Local Subnet Restrictions
  • Configure ports to only receive network traffic
    with a source address from the local subnet
    (previously a port was open globally and incoming
    traffic could come from any network location,
    local or Internet)
  • Recommended: apply local subnet restrictions to
    any static port that is used for communication on
    the local network
  • This can be done programmatically via the Windows
    Firewall Netsh Helper or through the Windows
    Firewall user interface

12
Network Protection Technologies
  • Local Subnet Restrictions continued
  • When file and print sharing is enabled, the
    following ports will only receive traffic from
    the local subnet
  • UDP port 137
  • UDP port 138
  • TCP port 139
  • TCP port 445
  • When the UPnP architecture is enabled two ports
    are specifically affected and only receive
    traffic from the local subnet
  • UDP port 1900
  • TCP port 2869
  • Unattended Setup Support
  • It is now possible to configure the following
    options of Windows Firewall through unattended
    setup
  • Operational mode
  • Applications on the Windows Firewall exception
    list
  • Static ports on the exception list
  • ICMP options and logging options
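The local subnet restrictions and static port openings described on slides 11 and 12, shown as an added example using the Windows XP SP2 "netsh firewall" context; this is not the presentation's own material. It assumes Windows XP SP2, an administrative command prompt, and a hypothetical line-of-business application listening on TCP 5555 (a placeholder port chosen for the example).

```batch
@echo off
rem Added example (not from the presentation): scope the file and print
rem sharing and UPnP ports, plus one custom application port, to the local
rem subnet and turn on dropped-packet logging so blocked traffic can be reviewed.
rem Assumes Windows XP SP2 and an administrative command prompt.

rem Firewall on for all profiles, with the exceptions list honoured
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem File and print sharing (UDP 137/138, TCP 139/445): local subnet only
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem UPnP framework (UDP 1900, TCP 2869): local subnet only
netsh firewall set service type=UPNP mode=ENABLE scope=SUBNET profile=ALL

rem Hypothetical application port (TCP 5555 is a placeholder): open it for the
rem local subnet only rather than globally, as the slide recommends for any
rem static port used for local-network communication
netsh firewall set portopening protocol=TCP port=5555 name="LOB app (example)" mode=ENABLE scope=SUBNET profile=ALL

rem Log dropped inbound packets to the standard pfirewall.log location
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Review: every static opening and enabled service should report a SUBNET scope
netsh firewall show config
netsh firewall show portopening
netsh firewall show service
netsh firewall show logging
```

The final "show" commands are the check worth keeping: any port opening that reports a scope of ALL instead of SUBNET is reachable from the Internet, which is the pre-SP2 behaviour the slide warns about.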

13
Network Protection Technologies
  • New Group Policy support for Windows Firewall
  • Previously Windows Firewall had a single Group
    Policy object (GPO): "Prohibit Use of Internet
    Connection Firewall on your DNS domain"
  • New configuration options include
  • Operational mode (On, On with no exceptions, Off)
  • Opened static ports
  • ICMP settings
  • Enable RPC and DCOM
  • Enable File and Printer sharing
  • Multiple profiles for domain-joined PCs (XP Pro
    only)
  • Domain: for when the PC is connected to the
    corporate network
  • Standard: for when the PC is connected to another
    network
  • Workgroup PCs can only use the Standard profile

14
Network Protection Technologies
  • Windows Firewall Application Compatibility
  • Over 350 apps tested in-house
  • Client applications work by default
  • Web browsers
  • Email clients
  • IM clients (text messaging)
  • Client-Server Multiplayer games
  • Apps that turn the PC into a server won't work by
    default
  • Peer-to-Peer Multiplayer games
  • Remote Administration
  • IM clients (voice/video, file transfer)
  • Notification dialog addresses most applications
  • Apps that need to be manually added to the
    Exceptions list will be listed on the Protect
    website at SP2 RTM:
    http://www.microsoft.com/security/protect/ports.asp

15
Network Protection Technologies
  • Windows Firewall Configuration
  • netfw.inf
  • Used by Restore Defaults
  • Preferred method if doing custom configuration
  • Can configure all global firewall options
  • No logging or per-interface options
  • Available in RC1
  • unattend.txt
  • Can configure all global firewall options
  • No logging or per-interface options
  • Coming in RC2
  • winbom.ini / sysprep
  • Can configure all global firewall options
  • No logging or per-interface options
  • Coming in RC2

16
Demonstration Windows Firewall
17
Network Protection Technologies
  • DCOM Security Enhancements
  • Microsoft Component Object Model (COM) is a
    platform-independent, distributed, object-oriented
    system for creating binary software components
  • Distributed COM allows applications to be
    distributed across locations
  • If you have a COM server application that meets
    one of the following criteria then the DCOM
    security enhancements will affect you
  • Access permission for the app is less stringent
    than the permission necessary to run it
  • App only meant to run locally
  • Unauthenticated remote callbacks

18
Network Protection Technologies
  • RPC Interface Restrictions (Remote Procedure
    Calls)
  • The change here is the addition of the
    RESTRICTREMOTECLIENTS registry key
  • This key modifies the behaviour of all RPC
    interfaces on the system
  • By default it eliminates remote anonymous access
    to RPC interfaces
  • This feature applies to RPC application
    developers
  • It is more difficult to attack an interface if
    you require calls to perform authentication, even
    low-level authentication
  • Worms rely on exploitable buffer overruns that
    can be invoked remotely through anonymous
    connections
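An added example (not from the presentation) of how an administrator can audit and explicitly set the RPC restriction the slide describes. The registry path and the value semantics below are this example's assumptions about the documented policy location, not something the slide states: 0 turns the restriction off (pre-SP2 behaviour), 1 is the SP2 default (anonymous remote calls refused unless an interface explicitly opts out), and 2 refuses anonymous remote calls for all interfaces, which can break RPC applications that depend on them.

```batch
@echo off
rem Added example (not from the presentation): audit and enforce the
rem RestrictRemoteClients RPC policy value introduced with Windows XP SP2.
rem Assumption: the policy lives under the key below (not given on the slide).
set "RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"

rem Audit first. reg query exits non-zero when the value is absent; an
rem absent value means the SP2 default (1) applies.
reg query "%RPCKEY%" /v RestrictRemoteClients 2>nul
if errorlevel 1 echo RestrictRemoteClients not set: SP2 default (1) applies

rem Enforce the default explicitly so a later change to 0 is visible in
rem configuration reviews rather than silently relying on the built-in default.
reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem Verify the value that will apply after the next reboot
reg query "%RPCKEY%" /v RestrictRemoteClients
```

From a defender's point of view the audit step is the useful part: a value of 0 under this key on an SP2 machine re-opens anonymous remote RPC access, which is exactly the path the slide says worms rely on, and a configuration review should flag it.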

19
Network Protection Technologies
  • Wireless Provisioning Services (WPS)
  • An extension to the existing wireless services
    and user interfaces within Windows XP and Windows
    Server 2003
  • Builds on Wireless AutoConfiguration, Protected
    Extensible Authentication Protocol (PEAP) and
    Wi-Fi Protected Access (WPA)
  • WPS includes a provisioning service component
    which allows wireless internet service providers
    (WISPs) and enterprises to send provisioning and
    config information to a mobile client
  • WISPs can offer services at multiple network
    locations and use multiple network names (SSIDs)
  • WPS will make it easier to use wireless hotspots
    without security compromises

20
Question Time?
21
Safer E-mail Handling Technologies
  • Safer E-mail handling with Outlook Express
  • Plain Text Mode
  • Provides users with the option to render incoming
    mail messages in plain text instead of HTML
  • This provides an additional barrier to malicious
    code that is transmitted via e-mail. Outlook
    Express previously processed HTML header scripts
    in the HTML content
  • The MSHTML control used to automatically execute
    these scripts; the rich edit control does NOT
    execute HTML scripts
  • Don't Download External HTML Content
  • Protects users from repeated spam mailings by
    preventing them from unknowingly validating
    their e-mail address
  • Enabled by default
  • Users are prompted through new message bar that
    images have not rendered
  • Open / Execute attachment with least system
    privileges available

22
New Attachment Execution Services
  • IE File Download Prompt
  • A file handler icon has been added
  • A new information area has been added to the
    bottom of the dialog box that provides slightly
    different information, depending on whether the
    downloaded file type is of higher or lower risk
  • All executable files that are downloaded are
    checked for publisher information
  • Outlook Express E-mail Attachment Prompt
  • Uses the same procedures as file downloads
  • Files are checked for publisher information
  • Files with missing/invalid/blocked publisher
    information are not allowed to run
  • Windows Messenger
  • Blocks unsafe file transfers

23
Enhanced Browsing Security
  • Internet Explorer Download Prompt
  • Using IE to download a file will now invoke a new
    dialog box that has the following changes
  • A file handler icon added
  • New information area depending on whether the
    download file type is low or high risk
  • All executable files downloaded are checked for
    publisher information
  • Post download, IE authenticode box presents the
    publisher information to the user who can make a
    more informed decision about running the file
  • This change brings consistency and clarity to the
    experience of downloading files and code
  • Executables with invalid or blocked signatures
    are not allowed to run
  • You can unblock a publisher by using Manage
    Add-ons in IE

24
Enhanced Browsing Security
  • IE Add-on Management
  • Allows users to view and control the list of
    add-ons that can be loaded by IE with more
    detailed control
  • E.g. a user may unintentionally install an add-on
    that secretly records all Web page activity and
    reports it to a central server
  • Add-ons include
  • Browser help objects
  • ActiveX controls
  • Toolbar extensions
  • Browser extensions
  • Add-ons can be installed from a variety of
    locations and in several ways including
  • Download and install while viewing web pages
  • Install by way of executable programs
  • Pre-installed components of the OS
  • Pre-installed add-ons that come with the OS

25
Enhanced Browsing Security
  • IE Add-on Management
  • This change is important because our Windows
    Error Reporting tells us that add-ons are a major
    cause of stability issues in IE
  • They also pose a security risk because they may
    contain malicious and unknown code
  • Helps diagnose IE crashes, which are then easier
    to isolate and fix
  • Disabling an add-on does not remove it from the
    PC; it only prevents IE from executing the code
  • IE Add-on Management for Administrators
  • Administrators can control the use of add-ons
  • 3 modes of operation
  • Normal mode: user has full control
  • AllowList mode: admin-specified add-ons only
  • DenyList mode: admin specifies add-ons to be
    disallowed only
  • Quick Demonstration

26
Enhanced Browsing Security
  • New Group Policy IE Settings include
  • Binary Behaviour Security Restrictions
  • Protocol Security Restrictions
  • Local Machine Zone Lockdown
  • Consistent MIME handling
  • MIME Sniffing Safety Feature
  • Object Caching Protection
  • Popup Management
  • Scripted Window Security Restrictions
  • Protection From Zone Elevation
  • Administrators of Group Policy can manage these
    new policies in the Administrative Templates
    extension to the Group Policy Object Editor

27
Enhanced Browsing Security
  • Changes to Local Machine Zone Security Settings
  • Local Machine Zone lockdown will be more
    restrictive than the Internet Zone
  • Any time content attempts one of these actions, an
    Information Bar will appear in IE with the
    following text:
  • "This page has been restricted from running
    content that might be able to access your
    computer. If you trust this page, click here to
    allow it to access your computer"
  • Users can click the Information Bar to remove the
    lockdown
  • When Local Machine Zone lockdown is applied to a
    given process, it changes the behaviour of URL
    actions from Allow to Disallow
  • Scripts and ActiveX controls will not run
  • This change will prevent content on a user's
    computer from elevating privileges

28
Enhanced Browsing Security
  • IE MSJVM Security Setting
  • Previous versions of Windows included the
    Microsoft JVM
  • IE security setting for Java could be used to
    disable the MSJVM, but this would also disable
    any JVM
  • Windows XPSP2 contains an IE security setting
    that works exclusively with MSJVM and will rename
    the previous setting so that its effect is
    clearer
  • By default MSJVM is enabled for all zones except
    the Restricted Sites zone
  • XPSP2 does not include or install the MSJVM
  • If you already have the MSJVM installed on your
    PCs you can continue to update this using
    Windows Update
  • MSJVM is not included in Windows Server 2003,
    Windows 2000 SP4 or Windows XPSP2
  • It will not be included in any future Microsoft
    products

29
Enhanced Browsing Security
  • MIME (Multipurpose Internet Mail Extensions)
    Handling Enforcement
  • IE uses MIME to decide how to handle files sent
    by a Web Server
  • IE will now follow stricter rules designed to
    reduce the attack surface for spoofing the IE
    MIME handling logic
  • MIME handling enforcement
  • IE will now require all file type information
    provided by Web server to be consistent
  • IE will enforce consistency between how the file
    is handled in the browser and in the Windows
    shell
  • MIME sniffing file type
  • By examining (or sniffing) a file, IE can
    recognise the bit signatures of certain file
    types
  • E.g. files that are received as plain text but
    that include HTML code will not be promoted to
    the HTML type

30
Enhanced Browsing Security
  • IE Object Caching
  • Previously web pages could access objects cached
    from other websites
  • Now, a reference to an object is no longer
    accessible when the user navigates to a new
    domain
  • In addition to blocking access when navigating
    across domains, access is also blocked when
    navigating within the same domain (a domain is
    defined as a fully qualified domain name or FQDN)

31
Enhanced Browsing Security
  • Pop-up Blocking
  • Pop-up Manager is turned on by default
  • Pop-up windows cannot be opened larger than or
    outside the viewable desktop area
  • Sites in the Trusted Sites and Local Intranet
    zones never have their pop-up windows blocked, as
    they are considered safe
  • When a pop-up window is blocked by IE, a
    notification appears in the status bar with the
    following options
  • Show Blocked Pop-up Window
  • Allow Pop-up Windows from this site
  • Block Pop-up
  • Pop-up Window Options
  • Users will see Pop-up Windows open in the
    following cases
  • Pop-up is opened by a link
  • Pop-up is opened by software running on the PC
  • Pop-up is opened by ActiveX controls initiated
    from a web site
  • Pop-up is opened from the Trusted Site or Local
    Intranet

32
  • Demonstration
  • Pop Up Blocker
  • IE Add-On Manager

33
Question Time?
34
Windows Security Centre
  • A central location for changing security
    settings, learning more about security, and
    ensuring that the user's computer is up to date
    with the essential security settings that are
    recommended by Microsoft
  • On by Default
  • Works with 3rd party Anti-Virus and Firewall
    solutions
  • Supports manual detection via registry settings
  • Supports automatic detection when ISV writes to
    schema
  • 1st run experience
  • WSC screen added to OOBE in preinstall
  • WSC screen shows up at 1st Admin logon if it is
    an upgrade (SP1-SP2)
  • Domain vs. Non-domain
  • Prescription and notification are turned off for
    PCs in a domain

35
Windows Security Centre
  • Group Policy Settings
  • There is 1 Group Policy setting for the Security
    Centre
  • This determines whether the Security Centre user
    interface and alert system are enabled or
    unavailable for users whose computers are joined
    to a Windows domain
  • If you decide to use the Security Centre within
    your business you must set the Group Policy
    setting to On
  • Overall Group Policy updates

36
Windows Messenger
  • New capabilities have been added to Windows
    Messenger
  • Block unsafe file transfers
  • Require user display name
  • Windows Messenger / Windows Firewall
  • Files will be blocked when both of the following
    occur
  • The sender is not on your contacts list
  • Someone tries to send you a file that is
    considered unsafe
  • User is prompted before opening the following
    file types
  • Microsoft Office files, such as .doc, .ppt, .xls.
  • Files from other applications, such as .zip,
    .wpd, and .pdf.
  • Computer applications, programs, or any file that
    contains software code or script including
    macros, executables, and JavaScript
  • Files with these extensions: .exe, .cmd, .wsh,
    .bat, .vb, .vbs, .pif, .scr, .scf.

37
Windows Messenger
  • Files with the extensions .jpg, .txt and .gif are
    generally considered safe and you can receive
    these from someone not on your contacts list
  • Windows Messenger / Windows Firewall
  • Windows Messenger needs permission to connect to
    the Internet through the Windows Firewall
  • To give permission, go to Security Centre >
    Windows Firewall, click the Exceptions tab and
    select Windows Messenger

38
Memory Protection Technologies
  • Execution Protection (NX, no execute)
  • Marks all memory locations in a process as
    non-executable unless the location explicitly
    contains executable code
  • Requires both OS and hardware support
  • Both Intel and AMD have defined and shipped
    Windows compatible architectures for execution
    protection
  • NX protects against certain types of memory
    buffer overruns
  • In order to use the NX feature, the processor
    must be running in Physical Address Extension
    (PAE) mode
  • Helps drive best practice software development

39
Memory Protection Technologies
  • Security feature that helps protect against
    certain kinds of buffer overrun exploits
  • Code injection attack
  • Buffer overrun leveraged to inject code into
    process address space
  • Execution of injected code raises an exception
  • Process is terminated to prevent malicious code
    from running
  • Data Execution Prevention is not a buffer overrun
    panacea
  • Execution protection requires both
    processor-level hardware support and operating
    system software support
  • Currently, the only shipping x86 processors to
    support execution protection are AMD's 32/64-bit
    Opteron and Athlon 64
  • The Itanium Processor Family also supports
    execution protection.

40
NX End User Experience
  • Application Crash Experience

41
NX End User Experience
  • Configuration Experience
  • Accessible through the system properties in the
    control panel

42
Windows Update
  • Windows Update (WU) is a component of Windows
    Update Services (WUS)
  • With Windows XP SP2, WU and WUS provide two
    services
  • Windows Update: all security patches and updates
    for Windows components
  • Microsoft Update: all security patches and
    updates for Windows components and other
    Microsoft product applications including SQL,
    Exchange and Office. Microsoft Update is a
    superset of WU
  • Removes the need for navigating to multiple
    locations to keep Windows and Apps updated and
    secure

43
Question Time?