Windows XP Service Pack 2
Alex Balcanquall
Senior Consultant, Microsoft Services Organisation
Agenda for Workshop
• Introduction
• Protection Technologies
  • Network
  • Web & Email
  • Memory Protection
  • Manageability
• But that's not all…
• Deployment & Troubleshooting
• Round-up
Exploit Timeline
Days From Patch to Exploit
• The average is now nine days for a patch to be reverse-engineered
• As this cycle keeps getting shorter, patching is a less effective defense in large organizations
• Why does this gap exist?
[Chart: days between patch and exploit code, for Nimda (331), SQL Slammer (180), Welchia/Nachi (151) and Blaster (25)]
Goals of XP SP2
• Memory: provide system-level protection for the base operating system
• Network: help protect the system from directed attacks from the network
• Maintenance: ensure that when updates are necessary, they are easier to deploy quickly
• Email/Web: enable a safer Internet experience for the most common Internet tasks
Windows Firewall
Goal in XP SP2
• Provide better protection from network attacks
• Provide administration tools suitable for the enterprise
Changes in XP SP2
• Windows Firewall on by default
• Boot time protection
• Multiple configuration mechanisms
• Better user interface
• Multiple profile support
• Restrict anonymous connections to DCOM/RPC interfaces
Impact
• Applications that initiate outbound connections will work out of the box
• Only applications that accept unsolicited inbound communications will be affected by the firewall
• Firewall should be deployed in all organisations
• Develop organisation-wide firewall exceptions and deploy as needed
• Consider IPSEC bypass for administrative tasks
Windows Firewall
Windows Firewall Group Policy
DCOM / RPC
Goal in XP SP2
• Reduce the DCOM / RPC attack surface exposed on the network
Changes in XP SP2
• Require authentication on default interfaces
• Enable the ability to restrict RPC interfaces to the local machine only
• Granular configuration of launch permissions for DCOM
• Moved most RPCSS code into a reduced-privilege process
• Disable RPC over UDP by default
Impact
• Applications using anonymous authentication will break
• Significantly reduces the ability of unauthenticated processes or users to attack RPC
• May require applications and COM components to be recoded
Email Attachments
Goal in XP SP2
• Consistent system-provided mechanism for applications to determine unsafe attachments
• Consistent user experience for attachment "trust" decisions
Changes in XP SP2
• Create a new public API for handling safe attachments (Attachment Execution Services)
• Default to not trust unsafe attachments
• Outlook Express, Windows Messenger and Internet Explorer changed to use the new API
• Open / execute attachments with the least privilege possible
• Safer message "preview"
Impact
• Select applications that use the new API for a better user experience and better determination of safe content
• Applications which depend on email attachments may be impacted
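The attachment "trust" decision above, as an added illustration that is not the Attachment Execution Services API or any Microsoft code: the extension lists are constructed, the three levels mirror the AES high/moderate/low risk classes, the origin zone is read from the Zone.Identifier stream that SP2 writes alongside saved content (ZoneId 0 local, 1 intranet, 2 trusted, 3 Internet, 4 restricted), and the decision table is an approximation of "do not trust unsafe attachments by default", not the documented policy.

```python
"""Illustrative attachment trust decision modelled on XP SP2 Attachment
Execution Services. Added example: lists and decision table are constructed."""
import os

# Constructed risk classes by extension (assumption, not the AES inclusion lists).
HIGH_RISK = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".reg", ".msi"}
MODERATE_RISK = {".doc", ".xls", ".ppt", ".zip", ".htm", ".html"}

# Zone.Identifier values written when content is saved from another zone.
ZONE_LOCAL, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = range(5)


def parse_zone_identifier(stream):
    """Return ZoneId from a Zone.Identifier stream ('[ZoneTransfer]\\r\\nZoneId=3').
    Missing or malformed data is treated as the Internet zone (least trust)."""
    for line in stream.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return ZONE_INTERNET


def risk_level(filename):
    """Classify by the real final extension, after stripping the trailing dots
    and spaces Windows drops, so 'invoice.doc.exe. ' is still treated as .exe."""
    ext = os.path.splitext(filename.rstrip(". ").lower())[1]
    if ext in HIGH_RISK:
        return "high"
    if ext in MODERATE_RISK:
        return "moderate"
    return "low"


def attachment_decision(filename, zone_stream=""):
    """Return 'open', 'prompt' or 'block'; content of unknown origin is untrusted."""
    untrusted_origin = parse_zone_identifier(zone_stream) >= ZONE_INTERNET
    level = risk_level(filename)
    if level == "high":
        return "block" if untrusted_origin else "prompt"
    if level == "moderate":
        return "prompt" if untrusted_origin else "open"
    return "open"
```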
Web Browsing
Goal in XP SP2
• Ensure a safer web browsing experience
Changes in XP SP2
• Locking down the Local Machine and Local Intranet zones
• Improved notifications for running or installing applications and ActiveX controls
• Pop-up Blocker for Internet Explorer
• New Internet Explorer add-on manager
• Limit UI spoofing
• Changes to IE zones
• Improved download and security-related dialog boxes
Impact
• Check for web application compatibility with the newer, safer browsing defaults
• Line-of-business applications that use pop-ups may need to change or be added to the exception list
Pop-up Blocker
Download Prompts: Old vs. New
Data Execution Protection (NX)
Goal in XP SP2
• Reduce exposure of common buffer overruns
Changes in XP SP2
• Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as executable
• Binaries compiled with the /GS flag (not dependent on DEP)
• Reduces exploitability of buffer overruns
• Enabled by default on all capable machines for Windows binaries
• Application Compatibility Toolkit setting to exclude incompatible applications
Impact
• System runs in PAE mode; all drivers and applications will need to be compatible with PAE
• Currently needs 64-bit extended systems (e.g. Intel Itanium family, AMD Opteron, AMD Athlon 64)
DEP End-user Experience
• Application termination dialogs
DEP End-user Experience
• Configuration experience
• Accessible through the System Properties control panel
Manageability
Goal
• Reduce the management overhead of securing Windows XP
What we're doing
• Windows Security Center: anti-virus checking, firewall, Automatic Updates
• Automatic Update enhancements
• Centralised and granular management of the Windows Firewall
• New Wireless LAN client
• Bluetooth update
• SmartKey wireless setup
Impact
• Use Group Policy or any software distribution mechanism to easily configure the firewall
Internet Explorer Add-on Manager
But that's not all…
• Tablet PC: NEW V2 "Lonestar". In-place Tablet Input Panel (TIP) and handwriting-to-text on the fly
• Better Office 2003 + OneNote integration
• Windows Media 9 Series
• Bluetooth Update
• Movie Maker 2.1
• New Wireless LAN Client
• DirectX 9.0b
XP SP2 Deployment
Planning and Testing
Why Plan & Test?
• New security features will make the system secure but may break some applications
• In common test scenarios expect >= 90% of applications to work
• In RC1 these issues have been found to break down as follows:
  • 30% Firewall
  • 22% DEP / PAE
  • 14% IE
  • 8% DCOM / RPC
  • 6% RTF Converters
NB: These figures are for consumer and corporate scenarios, and fixes will be incorporated in the final XP SP2 release to mitigate many scenarios.
Deployment Planning
• Review the XP SP2 Changes document
• Test XP SP2 on a limited set of 'real systems'
• Deploy with the firewall on
  • Determine commonly needed open ports
  • Deploy settings with AD, INF files, WMI, Unattend.txt
• Deploy with XP SP2 DCOM and IE defaults
  • Use a custom OU if you have Active Directory
• Don't forget to test all intranet applications
• Deploy to a test community to catch the final 5% of issues
START TESTING NOW!
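One way to "determine commonly needed open ports" while piloting with the firewall on, as an added example that is not part of the presentation: log dropped packets on the pilot machines, then summarise which unsolicited inbound ports are being blocked and from how many hosts. The script reads the W3C-style layout XP SP2 writes to pfirewall.log (the #Fields header defines the columns); the log lines are constructed.

```python
"""Summarise dropped unsolicited inbound traffic from a Windows Firewall log
(XP SP2 layout). Added example; the sample log lines below are constructed."""
from collections import defaultdict

SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-08-25 10:02:15 DROP TCP 10.0.0.7 10.0.0.5 1420 445 48 S 2217652339 0 65535 - - - RECEIVE
2004-08-25 10:02:16 DROP TCP 10.0.0.9 10.0.0.5 1523 445 48 S 3141592653 0 65535 - - - RECEIVE
2004-08-25 10:02:40 DROP TCP 10.0.0.7 10.0.0.5 1421 3389 48 S 2217652400 0 65535 - - - RECEIVE
2004-08-25 10:03:01 DROP UDP 10.0.0.20 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2004-08-25 10:03:05 OPEN TCP 10.0.0.5 192.168.1.1 1622 80 - - - - - - - - -
2004-08-25 10:03:09 DROP TCP 10.0.0.5 192.168.1.1 1623 80 48 S 1 0 65535 - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def dropped_inbound_ports(text):
    """Map (protocol, dst-port) -> (drop count, sorted source IPs) for packets
    the firewall dropped on RECEIVE. Outbound (SEND) drops are not exception
    candidates and are ignored."""
    summary = defaultdict(lambda: [0, set()])
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            entry = summary[(rec["protocol"], int(rec["dst-port"]))]
            entry[0] += 1
            entry[1].add(rec["src-ip"])
    return {k: (n, sorted(ips)) for k, (n, ips) in summary.items()}

def exception_candidates(text, min_sources=2):
    """Ports blocked from at least min_sources distinct hosts: the listeners most
    likely to need an organisation-wide exception rather than one-off noise."""
    return sorted(key for key, (_, ips) in dropped_inbound_ports(text).items()
                  if len(ips) >= min_sources)

if __name__ == "__main__":
    for (proto, port), (n, ips) in sorted(dropped_inbound_ports(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {n} drops from {', '.join(ips)}")
    print("candidates:", exception_candidates(SAMPLE_LOG))
```

Review each candidate against the application inventory before authoring an exception; a port being probed by many hosts may be a worm rather than a line-of-business listener.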
Troubleshooting 32-Bit Applications
1. Test the application on XP SP1
2. If 64-bit extended, use the Application Compatibility Toolkit to disable DEP on a per-app basis
3. Disable the firewall: NOT RECOMMENDED FOR PRODUCTION MACHINES (deploy exceptions and keep the firewall enabled)
4. Disable DCOM / RPC authentication: NOT RECOMMENDED FOR PRODUCTION MACHINES
5. Ask the software vendor for any needed updates or patches
6. Consider the risks of disabling protection vs. selection of an alternate application
Troubleshooting Web Applications
1. Test on XP SP1
2. Add trusted intranet applications to the Trusted Sites list
3. Sign all custom ActiveX objects
4. Review the application to remove all cross-zone scripting
5. Disable new IE protection measures to verify which protection is stopping the application: NOT RECOMMENDED FOR PRODUCTION MACHINES
6. Consider re-writing the application vs. the risk of disabling the new protection mechanisms
Other troubleshooting tools
• Application Compatibility Toolkit
  • V3 now
  • V4 end of 2004, dedicated to SP2 features etc.
NB: New 'shims' like the NX one can be used with the V3 toolkit
Reporting RC1 Bugs
• NEW desktop icon in RC1: click on "Report a XP SP2 Bug"
• Corporate Error Reporting: if you have a Premier Agreement and Enterprise Agreement, talk to your TAM about CER
Round-up
• XP SP2 has additional protection for:
  • Network
  • Email
  • Web Browsing
  • Memory Protection (64-bit only)
• XP SP2 includes tools for improved manageability
• Adequate testing is key to successful deployment of XP SP2
• Aim to deploy with the firewall turned on
• Attend the Infosec patch management session / review Microsoft recommendations on patching
Further Information
• XP SP2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
• General Security: http://www.microsoft.com/security
• Windows Application Compatibility Toolkit: http://www.microsoft.com/windows/appexperience/
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.