Windows XP Service Pack 2 Technical Update

Windows XP Service Pack 2 Technical Workshop Agenda –Security Overview –Introduce Windows XP Service Pack –Questions Time

Security – what is the current experience? Security exploits are proliferating Time to exploit is decreasing Exploits are more sophisticated The current approach is insufficient 1.Security is a top priority for Microsoft 2.There is no silver bullet: the solution is complex 3.This problem has to be tackled across the industry 4.Change requires innovation & partnerships

We’ve been told… … Our action items “I can’t keep up…new patches are released every week” “The quality of the patching process is low and inconsistent” “I need to know how to protect my PC” “There are still too many vulnerabilities in your products” Offer more resilient PCs by introducing “safety technologies” Continue Improving Quality Improve the updates experience to offer consistency and higher quality Security Pain Points

Windows XP Service Pack 2 Beta There is consumer and commercial concern around security –Momentum is building –Interest is high but adoption & action are lagging Communities are unclear on what steps to take –Many don’t know what version OS they are running –Unclear if they call Microsoft or PC manufacturer –So many Windows Update (WU) pop-ups, can’t tell if they’re “being current” Narrowband: How to maintain “updated status” world-wide? –SP1 + Critical updates on narrowband may = extended download time Consumers do not seem to be apportioning blame to any specific company –Apparently seen more as an overall industry issue –Would like Microsoft to be more proactive –They expect Microsoft to take action Increase awareness Deliver offline solution Work with PC Industry Summary

Windows XP Service Pack 2 Beta Future Content: –Tips ‘n tricks –Outlook ® /Microsoft® Internet Explorer/other product info –P2P/Home networking tips Protect Your PC - Education

Windows XP Service Pack 2 Beta Windows Security Update CD Available since Feb17th Content: Windows® XP: –Windows XP SP1a full install package –All Critical Windows XP and Windows Internet Explorer 6 security updates since SP1a –Windows Security Analyzer (WSA) Windows® 2000, Windows® Millennium Edition, & Windows® 98 –Critical security updates to date –Internet Explorer 6 SP1, DirectX® 9b, Windows® Media Player –3 rd party firewall and AV via third parties Content: –PYPC HTML CD availability & ordering : Orderable via REACTIVE – orderable from PSS and MS.COM PROACTIVE –WW to online Windows users CD contains bits and content Trial antivirus and firewall software from CA

Windows XP Service Pack 2 Beta Windows XP Service Pack 2 What is Windows XP Service Pack 2? –Service Pack 2 includes updates intended to address issues identified after the release of the prior version. –Service Pack 2 also includes a set of Microsoft developed safety technologies which were designed to help reduce the risk of malicious attacks against computer systems. Why release Windows XP Service Pack 2? –Microsoft continually works to improve its software. –With the recent increase in the frequency of attacks against computer systems Microsoft is focusing its efforts in order to help provide security for our customers’ computer systems. Microsoft Goals? –Help customers reduce the risk associated with malicious attacks –Reduce the cost and complexity of managing the overall security threat. Windows XP SP2 is one component in a series of new initiatives and investments Microsoft is making to help provide online security for customers.

Windows XP Service Pack 2 Beta Four key pillars of Windows XP SP2 Memory Offer system-level protection for the base operating system Network Help protect the system from directed attacks from the network /IM Helps provide security for and Instant Messaging experience Web Helps provide security for Internet experience for most common Internet tasks

Windows XP Service Pack 2 Beta Network Protection Technologies Windows Firewall (previously called Internet Connection Firewall) –On by default Protects new network connections as they are added to the system (applies to both IPv4 and IPv6 traffic) Potential problem with app compatibility if apps do not work with stateful filtering by default –Boot time security Firewall driver has a static rule to perform stateful filtering called boot-time policy Allows PC to perform DNS and DHCP tasks and communicate with a domain controller to obtain policy Once the firewall is running, run-time policies applied and boot filter is removed Boot-time policy cannot be configured No Boot time security if Windows Firewall is disabled

Windows XP Service Pack 2 Beta Network Protection Technologies Global Configuration –Previously Windows Firewall was configured on a per-interface basis (ie; each network connection had its own firewall policy – eg; one policy for wireless and one policy for Ethernet) –Global configuration means whenever a change occurs it applies to all network connections –When creating new connections – the configuration is applied as well –This change enables apps to work on any interface with a single configuration option Local Subnet Restrictions –Configure ports to only receive network traffic with a source address from the local subnet (previously this was open globally and incoming traffic can come from any network location – local or internet) –Recommend to apply local subnet restrictions to any static port that is used for communication on the local network –This can be done programmatically via Windows Firewall Netsh Helper or the Windows Firewall user interface

Windows XP Service Pack 2 Beta Network Protection Technologies Local Subnet Restrictions continued… –When file and print sharing is enabled, the following ports will only receive traffic from the local subnet UDP port 137 UDP port 138 TCP port 139 TCP port 445 –When the UPnP architecture is enabled two ports are specifically affected and only receive traffic from the local subnet UDP port 1900 TCP port 2869 Unattended Setup Support –It is now possible to configure the following options of Windows Firewall though unattended setup Operational mode, Applications on the Windows Firewall exception list Static ports on the exception list ICMP options, Logging options

Windows XP Service Pack 2 Beta Network Protection Technologies New Group Policy support for Windows Firewall –Previously Windows Firewall had a single Group Policy object (GPO): Prohibit Use of Internet Connection Firewall on your DNS domain –New configuration options include Operational mode (On, On with no exceptions, Off) Opened static ports ICMP settings Enable RPC and DCOM Enable File and Printer sharing Multiple profiles for domain-joined PCs (XP Pro only) –“Domain” for when PC is connected to the corporate network –“Standard” for when PC is connected to another network –Workgroup PCs can only use Standard profile

Windows XP Service Pack 2 Beta Network Protection Technologies Windows Firewall Application Compatibility –Over 350 apps tested in-house –Client applications work by default: Web browsers clients IM clients (text messaging) Client-Server Multiplayer games Apps that turn the PC into a server won’t work by default: –Peer-to-Peer Multiplayer games –Remote Administration –IM clients (voice/video, file transfer) –Notification dialog addresses most applications –Apps that need to be manually added to Exceptions list to be added to the Protect Website at SP2 RTM:

Windows XP Service Pack 2 Beta Network Protection Technologies Windows Firewall Configuration netfw.inf –Used by Restore Defaults –Preferred method if doing custom configuration –Can configure all global firewall options –No logging, per-interface –Available in RC1 unattend.txt –Can configure all global firewall options –No logging, per-interface –Coming in RC2 winbom.ini / sysprep –Can configure all global firewall options –No logging, per-interface –Coming in RC2

Windows XP Service Pack 2 Beta Demonstration Windows Firewall

Windows XP Service Pack 2 Beta Network Protection Technologies DCOM Security Enhancements –Microsoft Component Object Model (COM) is a platform independent, distributed object-oriented system for creating binary software components –Distributed COM allows applications to be distributed across locations –If you have a COM server application that meets one of the following criteria then the DCOM security enhancements will affect you Access permission for the app is less stringent than the permission necessary to run it App only meant to run locally Unauthenticated remote callbacks

Windows XP Service Pack 2 Beta Network Protection Technologies RPC Interface Restrictions (Remote Procedure Calls) –Change here applies to the addition of the RESTRICTREMOTECLIENTS registry key –This key modifies the behaviour of all RPC interfaces on the system –By default will eliminate remote anonymous access to RPC interfaces –This feature applies to RPC application developers –More difficult to attack an interface if you require calls to perform authentication – even low level –Worms rely on exploitable buffer overruns that can invoked remotely through anonymous connections

Windows XP Service Pack 2 Beta Network Protection Technologies Wireless Provisioning Services (WPS) –An extension to the existing wireless services and user interfaces within Windows XP and Windows Server 2003 –Builds on Wireless AutoConfiguration, Protected Extensible Authentication (PEAP) and Wi-Fi Protected Access (WPA) –WPS includes provisioning service component which allows wireless internet service providers (WISP) and enterprises to send provisioning and config information to a mobile client –WISP’s can offer services at multiple network locations and use multiple network names (SSID’s) –WPS will make it easier to use wireless hotspots without security compromises

Windows XP Service Pack 2 Beta Question Time ?

Windows XP Service Pack 2 Beta Safer Handling Technologies Safer handling with Outlook Express –Plain Text Mode Provides users with the option to render incoming mail messages in plain text instead of HTML This provides an additional barrier to malicious code that is transmitted via – Outlook Express previously processed HTML header scripts in the HTML content The MSHTML control used to automatically execute these scripts – the rich edit control does NOT execute HTML scripts –Don’t Download External HTML Content Avoid users from repeated spam mailings by preventing users from unknowingly validating their address Enabled by default Users are prompted through new message bar that images have not rendered –Open / Execute attachment with least system privileges available

Windows XP Service Pack 2 Beta Users can block publishers for ActiveX New Attachment Execution Services IE File Download Prompt –A file handler icon has been added –A new information area has been added to the bottom of the dialog box that provides slightly different information, depending on whether the downloaded file type is of higher or lower risk –All executable files that are downloaded are checked for publisher information Outlook Express Attachment Prompt –Uses the same procedures as file downloads –Files are checked for publisher information –Files with missing/invalid/blocked publisher information are not allowed to run Windows Messenger – Blocks unsafe file transfers

Windows XP Service Pack 2 Beta Enhanced Browsing Security Internet Explorer Download Prompt –Using IE to download a file will now invoke a new dialog box that has the following changes A file handler icon added New information area depending on whether the download file type is low or high risk All executable files downloaded are checked for publisher information –Post download, IE authenticode box presents the publisher information to the user who can make a more informed decision about running the file –This change brings consistency and clarity to the experience of downloading files and code –Executables with invalid or blocked signatures are not allowed to run –You can unblock a publisher by using Manage Add-ons in IE

Windows XP Service Pack 2 Beta Enhanced Browsing Security IE Add-on Management –Allows users to view and control the list of add-ons that can be loaded by IE with more detailed control –Eg: a user may unintentionally install an add-on that secretly records all Web page activity and reports it to a central server –Add-ons include Browser help objects ActiveX controls Toolbar extensions Browser extensions –Add-ons can be installed from a variety of locations and in several ways including Download and install while viewing web pages Install by way of executable programs Pre-installed components of the OS Pre-installed add-ons that come with the OS

Windows XP Service Pack 2 Beta Enhanced Browsing Security IE Add-on Management –This change is important because our Windows Error Reporting tells us that add-ons are a major cause of stability issues in IE –They also pose a security risk because they may contain malicious and unknown code –Helps diagnose IE crashes and is easily to isolate and fix –Disabling add-ons does not remove it from the PC, it only prevents IE from executing the code IE Add-on Management for Administrators –Administrators can control the use of add-ons –3 modes of operation Normal mode – user has full control AllowList mode – admin specified DenyList mode – admin specifies add-ons to be disallowed only Quick Demonstration

Windows XP Service Pack 2 Beta Enhanced Browsing Security New Group Policy IE Settings include –Binary Behaviour Security Restrictions –Protocol Security Restrictions –Local Machine Zone Lockdown –Consistent MIME handling –MIME Sniffing Safety Feature –Object Caching Protection –Popup Management –Scripted Window Security Restrictions –Protection From Zone Elevation Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the Group Policy Object Editor

Windows XP Service Pack 2 Beta Enhanced Browsing Security Changes to Local Machine Zone Security Settings –Local Machines Zone lockdown will be more restrictive than the Internet Zone –Anytime content attempts one of these actions, an Information Bar will appear in IE with the following text “This page has been restricted from running content that might be able to access your computer. If you trust this page, click here to allow it to access your computer” –Users can click the Information Bar to remove the lockdown –When Local Machine Zone lockdown is applied to a given process, it changes the behaviour of URL actions from Allow to Disallow –Scripts and ActiveX controls will not run –This change will prevent content on a users computer from elevating privileges

Windows XP Service Pack 2 Beta Enhanced Browsing Security IE MSJVM Security Setting –Previous versions of Windows included the Microsoft JVM –IE security setting for Java could be used to disable the MSJVM, but this would also disable any JVM –Windows XPSP2 contains an IE security setting that works exclusively with MSJVM and will rename the previous setting so that its effect is clearer –By default MSJVM is enabled for all zones excpet the Restricted Sites zone –XPSP2 does not include or install the MSJVM –If you already have the MSJVM installed on your PC’s you can continue to update this using Windows Update –MSJVM is not included in Windows Server 2003, Windows 2000 SP4 or Windows XPSP2 –It will not be included in any future Microsoft products

Windows XP Service Pack 2 Beta Enhanced Browsing Security MIME (Multipurpose Internet Mail Extensions) Handling Enforcement –IE uses MIME to decide how to handle files sent by a Web Server –IE will now follow stricter rules designed to reduce the attack surface for spoofing the IE MIME handling logic MIME handling enforcement –IE will now require all file type information provided by Web server to be consistent –IE will enforce consistency between how the file is handled in the browser and in the Windows shell MIME sniffing file type –By examining (or sniffing) a file, IE can recognise the bit signatures of certain file types –Eg; files that are received as plain text but that include HTML code will not be promoted to the HTML type

Windows XP Service Pack 2 Beta Enhanced Browsing Security IE Object Caching –Previously web pages could access objects cached from other websites –Now, a reference to an object is no longer accessible when the user navigates to a new domain –In addition to blocking access when navigating across domains, access is also blocked when navigating within the same domain (a domain is defined as a fully qualified domain name or FQDN)

Windows XP Service Pack 2 Beta Enhanced Browsing Security Pop-up Blocking –Pop-up Manager is turned on by default –Pop-up windows cannot be opened larger than or outside the viewable desktop area –Sites in the Trusted Sites and Local Intranet zones never have their pop-up windows blocked, as they are considered safe –When a pop-up window is blocked by IE, a notification appears in the status bar with the following options Show blocked popup Window Allow Pop-up Windows from this site Block Pop-up Pop-up Window Options Users will see Pop-up Windows open in the following cases Pop-up is opened by a link Pop-up is opened by software running on the PC Pop-up is opened by ActiveX controls initiated from a web site Pop-up is opened from the Trusted Site or Local Intranet

Windows XP Service Pack 2 Beta Demonstration –Pop Up Blocker –IE Add-On Manager

Windows XP Service Pack 2 Beta Question Time ?

Windows XP Service Pack 2 Beta Windows Security Centre A central location for changing security settings, learning more about security, and ensuring that the user’s computer is up to date, with the essential security settings that are recommended by Microsoft On by Default Works with 3 rd party Anti-Virus and Firewall solutions –Supports manual detection via registry settings –Supports automatic detection when ISV writes to schema 1 st run experience –WSC screen added to OOBE in preinstall –WSC screen shows up at 1 st Admin logon if it is an upgrade (SP1->SP2) Domain vs. Non-domain –Prescription and notification are turned off for PCs in a domain

Windows XP Service Pack 2 Beta Windows Security Centre Group Policy Settings –There is 1 Group Policy setting for the Security Centre –This determines whether or not the Security Centre user interface and alert system are enabled or unavailable for users whose computers are joined to a windows domain –If you decide to use the Security Centre within your business you must modify Group Policy setting to “On” Overall Group Policy Updates – (click here)(click here)

Windows XP Service Pack 2 Beta Windows Messenger New capabilities have been added to Windows Messenger –Block unsafe file transfers –Require user display name –Windows Messenger / Windows Firewall Files will be blocked when both of the following occur –The sender is not on your contacts list –Someone tries to send you a file that is considered unsafe User is prompted before opening the following file types: –Microsoft Office files, such as.doc,.ppt,.xls. –Files from other applications, such as.zip,.wpd, and.pdf. –Computer applications, programs, or any file that contains software code or script including macros, executables, and JavaScript –Files with these extensions:.exe,.cmd,.wsh,.bat,.vb,.vbs;.pif,.scr,.scf.

Windows XP Service Pack 2 Beta Windows Messenger Files with the extensions.jpg,.txt and.gif are generally considered safe and you can receive these from someone not on your contacts list Windows Messenger / Windows Firewall –Windows Messenger needs permission to connect to the Internet through the Windows Firewall –To give permission go to Security Centre, Windows Firewall and click exceptions tab – select Windows Messenger

Windows XP Service Pack 2 Beta Memory Protection Technologies Execution Protection (NX – no execute) Marks all memory locations in a process as non- executable unless the location explicitly contains executable code Requires both OS and hardware support Both Intel and AMD have defined and shipped Windows compatible architectures for execution protection NX protects against certain types of memory buffer overruns In order to use the NX feature, the processor must be running in Physical Address Extension (PAE) mode Helps drive best practice software development

Windows XP Service Pack 2 Beta Memory Protection Technologies Security feature that helps protect against certain kinds of buffer overrun exploits –Code injection attack Buffer overrun leveraged to inject code into process address space –Execution of injected code raises an exception Process is terminated to prevent malicious code from running –Data Execution Prevention is not a buffer overrun panacea Execution protection requires both processor-level hardware support and operating system software support –Currently, the only shipping x86 processors to support execution protection are AMD’s 32/64-bit Opteron and Althlon-64 –The Itanium Processor Family also supports execution protection.

Windows XP Service Pack 2 Beta NX End User Experience Application Crash Experience

Windows XP Service Pack 2 Beta NX End User Experience Configuration Experience –Accessible through the system properties in the control panel

Windows XP Service Pack 2 Beta Windows Update Windows Update (WU) is a component of Windows Update Services (WUS) With Windows XPSP2, WU and WUS provides 2 services –Windows Update – all security patches and updates for Windows components –Microsoft Update – all security patches and updates for Windows components and other Microsoft product applications – including SQL, Exchange and Office. Microsoft Update is a superset of WU Removes the need for navigating to multiple locations to keep Windows and Apps updated and secure

Windows XP Service Pack 2 Beta Question Time ?