Windows XP Service Pack 2 Alex Balcanquall Senior Consultant Microsoft Services Organisation


Page 2: Agenda for Workshop

• Introduction
• Protection Technologies
• Network
• Web & Email
• Memory Protection
• Manageability
• But that’s not all…
• Deployment & Troubleshooting
• Round-up

Page 3: Exploit Timeline

Days From Patch to Exploit

• The average is now nine days for a patch to be reverse-engineered
• As this cycle keeps getting shorter, patching is a less effective defense in large organizations
• Why does this gap exist?

[Chart: days between patch and exploit code for Blaster, Welchia/Nachi, Nimda and SQL Slammer; data labels: 151, 180, 331, 25]

Page 4: Goals of XP SP2

• Memory: Provide system-level protection for the base operating system
• Network: Help protect the system from directed attacks from the network
• Maintenance: Ensure that when updates are necessary, they are easier to deploy quickly
• Email/Web: Enable safer Internet experience for most common Internet tasks

Page 5: Windows Firewall

Area: Network (1)

Goal in XP SP2
• Provide better protection from network attacks
• Provide administration tools suitable for the enterprise

Changes in XP SP2
• Windows Firewall on by default
• Boot time protection
• Multiple configuration mechanisms
• Better user interface
• Multiple profile support
• Restrict anonymous connections to DCOM/RPC interfaces

Impact
• Applications that initiate outbound connections will work out of the box
• Only applications that accept unsolicited inbound communications will be affected by the firewall
• Firewall should be deployed in all organisations
• Develop organisation wide firewall exceptions & deploy as needed
• Consider IPSEC bypass for administrative tasks

Page 6: Windows Firewall

Page 7: Windows Firewall Group Policy

Page 8: DCOM / RPC

Area: Network (2)

Goal in XP SP2
• Reduce DCOM / RPC attack surface exposed on the network

Changes in XP SP2
• Require authentication on default interfaces
• Enable ability to restrict RPC interfaces to local machine only
• Granular configuration of launch permissions for DCOM
• Moved most RPCSS code into reduced privilege process
• Disable RPC over UDP by default

Impact
• Applications using anonymous authentication will break
• Significantly reduces ability of unauthenticated processes or users to attack RPC
• May require applications and COM components to be recoded

Page 9: Email Attachments

Area: Email & Web (1)

Goal in XP SP2
• Consistent system-provided mechanism for applications to determine unsafe attachments
• Consistent user experience for attachment “trust” decisions

Changes in XP SP2
• Create new public API for handling safe attachments (Attachment Execution Services)
• Default to not trust unsafe attachments
• Outlook Express, Windows Messenger, Internet Explorer changed to use new API
• Open / execute attachments with least privilege possible
• Safer message “preview”

Impact
• Select applications that use the new API for better user experience, and better determination of safe content
• Applications which depend on email attachments may be impacted

Page 10: Web Browsing

Area: Email & Web (2)

Goal in XP SP2
• Ensure a safer web browsing experience

Changes in XP SP2
• Locking down local machine and local intranet zones
• Improved notifications for running or installing applications and ActiveX Controls
• Pop-Up Blocker for Internet Explorer
• New Internet Explorer add-on manager
• Limit UI spoofing
• Change to IE zones
• Improved download and security related dialog boxes

Impact
• Check for Web application compatibility with newer, safer browsing defaults
• Line of Business applications that use pop-ups may need to change or be added to exception list

Page 11: Pop-up Blocker

Page 12: Download Prompts Old vs. New

Page 13: Data Execution Protection (NX)

Area: Memory

Goal in XP SP2
• Reduce exposure of common buffer overruns

Changes in XP SP2
• Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute
• Binaries Compiled with /GS Flag (Not Dependent on DEP)
• Reduces exploitability of buffer overruns
• Enabled by default on all capable machines for Windows binaries
• Application Compatibility Toolkit setting to exclude incompatible applications

Impact
• System runs in PAE mode. All drivers and applications will need to be compatible with PAE
• Currently needs 64bit Extended Systems (e.g. Intel Itanium Family, AMD Opteron, AMD Athlon 64)

Page 14: DEP End-user Experience

• Application termination dialogs

Page 15: DEP End-user Experience

• Configuration experience
• Accessible through System Properties control panel

Page 16: Manageability

Area: Maintenance

Goal
• Reduce management overhead of securing Windows XP

What we’re doing
• Windows Security Center
  • Anti-Virus Checking
  • Firewall
  • Automatic Updates
• Automatic Update enhancements
• Centralised & granular management of the Windows Firewall
• New Wireless LAN client
• Bluetooth update
• SmartKey Wireless Setup

Impact
• Use group policy or any software distribution mechanism to easily configure firewall

Page 18: Internet Explorer Add-on Manager

Page 19: But that’s not all…

• Tablet PC: NEW V2 “Lonestar”
  • In Place Tablet Input Panel (TIP) & Handwriting to text on the fly
  • Better Office 2003 + OneNote integration
• Windows Media 9 Series
• Bluetooth Update
• Movie Maker 2.1
• New Wireless LAN Client
• DirectX 9.0b

Page 20: XP SP2 Deployment

Planning and Testing

Page 21: Why Plan & Test?

• New security features will make the system secure but may break some applications
• In common test scenarios expect >=90% of applications to work
• In RC1 these issues have been found to break down as follows:
  • 30% Firewall
  • 22% DEP / PAE
  • 14% IE
  • 8% DCOM / RPC
  • 6% RTF Converters

NB These figures are for consumer and corporate scenarios & fixes will be incorporated in the final XP SP2 Release to mitigate many scenarios

Page 22: Deployment Planning

• Review XP SP 2 Changes Document
• Test XP SP 2 on limited ‘real systems’
• Deploy with firewall on
  • Determine commonly needed open ports
  • Deploy settings with AD, INF files, WMI, Unattend.txt
• Deploy with XP SP2 DCOM and IE defaults
• Use custom OU if you have Active Directory
• Don’t forget to test all Intranet applications
• Deploy to test community to catch final 5% of issues

START TESTING NOW!

Page 23: Troubleshooting 32-Bit Applications

1. Test application on XP SP1
2. If 64bit Extended use Application Compatibility Toolkit to disable DEP on a per app basis
3. Disable Firewall. NOT RECOMMENDED FOR PRODUCTION MACHINES (deploy exceptions and keep firewall enabled)
4. Disable DCOM / RPC authentication. NOT RECOMMENDED FOR PRODUCTION MACHINES
5. Ask software vendor for any needed updates or patches
6. Consider risks of disabling protection vs. selection of alternate application
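
Step 3 above recommends deploying exceptions rather than leaving the firewall off. The batch script below is an added example, not part of the original presentation, showing that approach with the `netsh firewall` command context available in XP SP2; the program path, port, exception names and address range are hypothetical placeholders.

```bat
@echo off
rem Added example: keep Windows Firewall enabled and open only what the
rem affected application needs. Paths, ports, names and addresses below
rem are hypothetical placeholders, not values from the presentation.

rem The diagnostic shortcut from step 3 (test machines only) would be:
rem   netsh firewall set opmode mode=DISABLE
rem The commands below are the production-safe alternative.

rem 1. Make sure the firewall is on and exceptions are honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Log dropped packets so the blocked port or program can be identified
rem    (the default log file is %windir%\pfirewall.log).
netsh firewall set logging droppedpackets=ENABLE connections=DISABLE

rem 3a. Per-program exception, reachable from the local subnet only and
rem     applied only while the machine uses the domain profile.
netsh firewall add allowedprogram program="C:\Program Files\LobApp\lobapp.exe" name="LOB App (example)" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 3b. Alternatively, a per-port exception restricted to one address range.
netsh firewall add portopening protocol=TCP port=8443 name="LOB App port (example)" mode=ENABLE scope=CUSTOM addresses=10.0.5.0/255.255.255.0 profile=DOMAIN

rem 4. Confirm the resulting state and review the exception lists.
netsh firewall show state
netsh firewall show allowedprogram
netsh firewall show portopening
```

Scoping each exception to a subnet or address range and to the domain profile keeps the machine closed when it is connected to other networks.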

Page 24: Troubleshooting Web Applications

1. Test on XP SP1
2. Add trusted intranet applications to trusted sites list
3. Sign all custom ActiveX objects
4. Review application to remove all cross zone scripting
5. Disable new IE protection measures to verify which protection is stopping application. NOT RECOMMENDED FOR PRODUCTION MACHINES
6. Consider re-writing application vs. risk of disabling new protection mechanisms

Page 25: Other troubleshooting tools

Application Compatibility Toolkit
• V3 Now
• V4 End of 2004 - Dedicated to SP2 features etc.
• NB New ‘shims’ like the NX can be used with V3 toolkit

Reporting RC 1 Bugs
• NEW desktop icon in RC1
• Click on the “Report a XP SP2 Bug”

Corporate Error Reporting
• If you have a Premier Agreement and Enterprise Agreement talk to your TAM about CER

Page 26: Round-up

• XP SP2 has additional protection for:
  • Network
  • Email
  • Web Browsing
  • Memory Protection (64 bit only)
• XP SP2 Includes tools for improved manageability
• Adequate testing is key to successful deployment of XP SP2
• Aim to deploy with Firewall Turned On
• Attend Infosec patch management session / review Microsoft recommendation on patching

Page 27: Further Information

XP SP2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

General Security: http://www.microsoft.com/security

Windows Application Compatibility Toolkit: http://www.microsoft.com/windows/appexperience/

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.