Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH

Overview Of Windows XP SP2 Memory Provide system-level protection for the base operating system Network Help protect the system from attacks from the network /IM Enable safer and Instant Messaging experience Web Enable safer Internet experience for most common Internet tasks

Windows Firewall Goal and Customer Benefit Provide better protection from network attacks by default Provide better protection from network attacks by default Focus on roaming systems, small business, home users Focus on roaming systems, small business, home users What We’re Doing Windows Firewall (formerly ICF) will be on by default in almost all configurations Windows Firewall (formerly ICF) will be on by default in almost all configurations More configuration options More configuration options Group policy, command line, unattended setup, Group policy, command line, unattended setup, Better user interface Better user interface Boot time protection Boot time protection Multiple profile support Multiple profile support Connected to corporate network vs. home Connected to corporate network vs. home Enable file sharing on home networks with Windows Firewall on Enable file sharing on home networks with Windows Firewall on Developer Impact In-bound network connections not permitted by default In-bound network connections not permitted by default Dynamically enable ports as necessary, but only for as long as necessary, disable when done Dynamically enable ports as necessary, but only for as long as necessary, disable when done Memory Network /IM Web

DCOM And RPC Changes Goal and Customer Benefit Reducing DCOM / RPC attack surface exposed on network Reducing DCOM / RPC attack surface exposed on network What We’re Doing Require authentication on default interfaces Require authentication on default interfaces Enable programmatic ability to restrict RPC interfaces to local machine only Enable programmatic ability to restrict RPC interfaces to local machine only Configuration of access and launch permissions for DCOM through registry Configuration of access and launch permissions for DCOM through registry Move most RPCSS code into reduced privilege process Move most RPCSS code into reduced privilege process Enable customer-controlled option to require authentication to the end-point mapper Enable customer-controlled option to require authentication to the end-point mapper Disable RPC over UDP by default Disable RPC over UDP by default Developer Impact Where appropriate, use new RPC API to limit calls to local machine Where appropriate, use new RPC API to limit calls to local machine Ensure your application doesn’t require anonymous clients Ensure your application doesn’t require anonymous clients Don’t use RPC over UDP Don’t use RPC over UDPNetwork Memory /IM Web

Attachments Goal and Customer Benefit Consistent system-provided mechanism for applications to determine unsafe attachments Consistent system-provided mechanism for applications to determine unsafe attachments Consistent user experience for attachment “trust” decisions Consistent user experience for attachment “trust” decisions What We’re Doing Create new public API for handling safe attachments (Attachment Execution Services) Create new public API for handling safe attachments (Attachment Execution Services) Default to not trust unsafe attachments Default to not trust unsafe attachments Outlook, Outlook Express, Windows Messenger, Internet Explorer changed to use new API Outlook, Outlook Express, Windows Messenger, Internet Explorer changed to use new API Open / execute attachments with least privilege possible Open / execute attachments with least privilege possible Safer message “preview” Safer message “preview” Replaces AssocIsSafe() Replaces AssocIsSafe() Developer Impact Use new API in your applications for better user experience, and better determination of safe content Use new API in your applications for better user experience, and better determination of safe content Memory Network /IM Web

Web Browsing Goal and Customer Benefit Ensure a safer web browsing experience Ensure a safer web browsing experience What We’re Doing Locking down local machine and local intranet zones Locking down local machine and local intranet zones Improved notifications for running or installing applications and ActiveX controls Improved notifications for running or installing applications and ActiveX controls HTML files on the local machine will not be able to script unsafe ActiveX controls or access data across domains in the Local Machine Security Zone HTML files on the local machine will not be able to script unsafe ActiveX controls or access data across domains in the Local Machine Security Zone Blocking unknown, unsigned ActiveX controls Blocking unknown, unsigned ActiveX controls Disarm cross domain script attacks on APIs Disarm cross domain script attacks on APIs Improved detection and handling of downloaded files through improvements to mime-handling code path Improved detection and handling of downloaded files through improvements to mime-handling code path Files served with mismatched or missing mime-headers and file extensions may be blocked Files served with mismatched or missing mime-headers and file extensions may be blocked Memory Network /IM Web

Web Browsing What We’re Doing (continued) Mitigate ActiveX reuse through potential limited control leashing and more guided user experience Mitigate ActiveX reuse through potential limited control leashing and more guided user experience Limit UI spoofing Limit UI spoofing Pop-up windows will be suppressed unless they are initiated by user action Pop-up windows will be suppressed unless they are initiated by user action Developer Impact Check for web application compatibility with newer, safer browsing defaults Check for web application compatibility with newer, safer browsing defaults Identify whether controls are safe for scripting on the Internet, or if they can be more restricted Identify whether controls are safe for scripting on the Internet, or if they can be more restricted Memory Network /IM Web

Hardware Execution Protection Goal and Customer Benefit Reduce exposure of some buffer overruns Reduce exposure of some buffer overruns What We’re Doing Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute Reduces exploitability of buffer overruns Reduces exploitability of buffer overruns Enable by default on all capable machines for Windows binaries Enable by default on all capable machines for Windows binaries Ensure application compatibility with NX for Longhorn Ensure application compatibility with NX for Longhorn Developer Impact Ensure your code doesn’t execute code in a data segment Ensure your code doesn’t execute code in a data segment Ensure your code runs in PAE mode with <4GB RAM Ensure your code runs in PAE mode with <4GB RAM Use VirtualAlloc with PAGE_EXECUTE to allocated memory as executable Use VirtualAlloc with PAGE_EXECUTE to allocated memory as executable Test your code on 64-bit and 32-bit processors with “Execution protection” Test your code on 64-bit and 32-bit processors with “Execution protection” Memory Network /IM Web

Additional Enhancements In Windows SP2 Automatic Update Automatic Update  SP2 will make it more convenient for customers to enable Automatic Update for critical updates SUS 2.0 client SUS 2.0 client  Software Update Services 2.0 will use a consistent engine for reporting system state and reducing inconsistent results on secure patch availability on a computer Windows Media 9 Series Player: Windows Media 9 Series Player:  Enhanced performance and security improvements over prior versions

Additional Enhancements In Windows SP2 DirectX 9.0b DirectX 9.0b  Latest, most secure DirectX components include fixes to address a network firewall change that impacts OEM pre- installs and DirectPlay Bluetooth 2.0 Bluetooth 2.0  Includes support for the latest version of Bluetooth 2.0 allowing customers to take advantage of the latest wireless devices Unified Windows Local Area Network (LAN) client Unified Windows Local Area Network (LAN) client  New wireless LAN will work with a broad range of wireless hotspots enabling customers to connect seamlessly without having to install or update a third-party client

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.