
Page 1: Changes in Windows XP Service Pack 2 7/2004 robsmith@cs.cmu.edu

Changes in Windows XP Service Pack 2

7/2004

robsmith@cs.cmu.edu

Page 2:

Enhancements in XP SP2

- Network Protection
- Memory Protection (compatible CPUs)
- Safer E-mail handling
- Enhanced Browsing Security
- Improved Computer Maintenance

Page 3:

Services Disabled by Default

- Messenger Service
- Alerter Service

Page 4:

Updated / Modified Applications

- Windows Media Player upgraded to v9
- Windows Messenger security enhancements:
  - blocks unsafe file transfers
  - required user display name (different from e-mail address)
  - ports need to be opened through firewall
- Outlook Express – plain text mode, more
- Windows Installer v3.0

Page 5:

RPC / DCOM, other Changes

- Anonymous RPC calls no longer allowed
- DCOM computer level ACL
- Configurable via Registry key
- Better support for Bluetooth wireless devices

Page 6:

Major changes

- Firewall turned on by default
- IE Pop-Up blocker
- IE runs in restricted mode
- Installed patches not displayed by default (enabled via registry key)

Page 7:

Firewall

Definition - electronic blocking mechanism that will not allow unauthorized intruders into a computer system

The firewall in Windows XP will not block any traffic originated on the local system.

Page 8:

Quick Survey

- Black Ice?
- ZoneAlarm?
- Symantec Firewall?
- Tiny?
- Other?

SCS Computing Facilities will support the firewall bundled with WinXP SP2

Page 9:

Methods for configuring the Windows Firewall in XP-SP2

- Group Policy
- .Inf file bundled with setup
- Manual configuration
- Netsh command line tool

Example: netsh firewall show state

Page 10:

Group Policy Settings

- GPO will be linked to the three Organizational Units where computers reside
- Contains settings that allow the standard SCS Windows environment to function:
  - Backup Agents (local network scope)
  - Windows File Sharing (local network scope)
  - Remote Administration (Hyena), WMI (local network scope)
  - Common Internet Services (HTTP, FTP, Telnet, SSH)
  - Additional exceptions will be configurable by user

Page 11:

Group Policy Details

Ports:

- 7 (Echo)
- 6050 (Arcserve Client Agent)
- 497 (Retrospect Client Agent)
- 1977 (TiBS Client Agent)
- 6000, 177 (udp) (X-Win32)
- 3389 Remote Desktop
- Windows File Sharing (NetBios Ports)
- Remote Management (WMI Ports)
- All ICMP Traffic

Page 12:

Configuring Exceptions

Page 13:

Configuring Exceptions #2

Page 14:

Configuring Exceptions #3

Add a text description and specify port

Page 15:

Dynamic additions of exceptions

Add an exception to the firewall when a newly installed application wants to listen on a port.

Page 16:

SCS Subnets – Local Scope

- 128.2.178.0/23 (255.255.254.0)
- 128.2.180.0/22 (255.255.252.0)
- 128.2.184.0/21 (255.255.248.0)
- 128.2.192.0/19 (255.255.224.0)
- 128.2.242.0/24 (255.255.255.0)
- 128.2.254.0/24 (255.255.255.0)

Page 17:

Pop-Up Blocker

Pop-up Blocker can be enabled by three different methods:

- Prompt at first occurrence: A prompt appears before the first pop-up window appears that asks the customer to enable Pop-up Blocker.
- The Tools menu: In Internet Explorer, on the Tools menu, click Pop-up Blocker, and then click Block Pop-up Windows.
- Internet Options: In Internet Explorer, on the Tools menu, click Internet Options, click the Privacy tab, and then click Block pop-up windows. You can then click Options to configure Pop-up Blocker settings.

Page 18:

IE Restrictions

Configurable via Group Policy (TBD)

- Binary Behavior Security Restriction
- MK Protocol Security Restriction
- Local Machine Zone Lockdown
- Consistent Mime Handling
- Mime Sniffing Safety Feature
- Object Caching Protection
- Popup Management
- Scripted Window Security Restrictions
- Protection From Zone Elevation
- SecurityBand
- Restrict ActiveX Install
- Restrict FileDownload

Page 19:

IE prompt when downloading files, adding ActiveX controls, etc.

Information Bar - used to bypass default settings in order to download files (AES), display pop-up windows, run unsigned scripts, etc.

Page 20:

Tools for troubleshooting

Port Reporter Tool – useful for determining additional ports that may need to be opened.

http://support.microsoft.com/default.aspx?scid=kb;en-us;837243

Firewall Log:

%systemroot%\winnt\win_FW.log
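Added example (not part of the original slides): a Python script that reads a Windows Firewall log, counts dropped TCP/UDP packets whose source lies in the SCS local-scope subnets from page 16, and prints candidate netsh firewall add portopening commands restricted to those subnets for an administrator to review. The log lines are constructed sample data, the column names are read from the log's own #Fields: header, and the rule names are hypothetical.

```python
import ipaddress
from collections import Counter

# Local-scope subnets from the "SCS Subnets - Local Scope" slide.
LOCAL_SCOPE = [ipaddress.ip_network(n) for n in (
    "128.2.178.0/23", "128.2.180.0/22", "128.2.184.0/21",
    "128.2.192.0/19", "128.2.242.0/24", "128.2.254.0/24")]

# Constructed sample log; the field layout is the one Windows Firewall writes.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-07-15 10:12:01 DROP TCP 128.2.180.12 128.2.181.5 3521 6050 48 S 1234567 0 16384 - - - RECEIVE
2004-07-15 10:12:04 DROP TCP 128.2.180.12 128.2.181.5 3521 6050 48 S 1234567 0 16384 - - - RECEIVE
2004-07-15 10:13:40 DROP UDP 192.0.2.77 128.2.181.5 4000 1434 404 - - - - - - - RECEIVE
2004-07-15 10:14:02 OPEN TCP 128.2.181.5 128.2.242.9 1045 80 - - - - - - - - -
2004-07-15 10:15:10 DROP TCP 128.2.242.30 128.2.181.5 2200 1977 48 S 7654321 0 16384 - - - RECEIVE
"""

def in_local_scope(addr):
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_SCOPE)

def dropped_local(log_text):
    """Count DROP entries per (protocol, dst-port) whose source is in local scope."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("action") != "DROP" or rec.get("protocol") not in ("TCP", "UDP"):
                continue
            try:
                if in_local_scope(rec["src-ip"]):
                    hits[(rec["protocol"], int(rec["dst-port"]))] += 1
            except (KeyError, ValueError):
                continue                       # malformed address or port: skip line
    return hits

def candidate_rules(hits):
    """Render netsh commands for review, scoped to the local subnets only."""
    scope = ",".join(str(n) for n in LOCAL_SCOPE)
    return [f'netsh firewall add portopening protocol={p} port={port} '
            f'name="review-{p}-{port}" mode=ENABLE scope=CUSTOM addresses={scope}'
            for (p, port), _ in sorted(hits.items())]

if __name__ == "__main__":
    for cmd in candidate_rules(dropped_local(SAMPLE_LOG)):
        print(cmd)
```

Drops from outside the listed subnets (the 192.0.2.77 line) are deliberately ignored, so no rule is proposed for them.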

Page 21:

Additional Reading

Details on changes

http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en

Manually configuring the Firewall

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

Page 22:

Questions

???

Page 23:

Fall 2004 - Software Changes

- New Kerberos ticket manager (Kfw)
- Updated versions of WinZip, Mozilla, X-Win32, OpenAFS (integrated with Kfw)