Windows XP Service Pack 2 Customer Awareness Workshop XP SP2 Technical Drilldown – Part 2 Craig Schofield Microsoft Ltd. UK September.

Windows XP Service Pack 2 Customer Awareness Workshop XP SP2 Technical Drilldown – Part 2 Craig Schofield Microsoft Ltd. UK September 2004

Service Pack 2 Drill Down: Memory, Attachments, Web, Network

Web Browsing

Internet Explorer
• New version in Windows XP SP2
• Limits deceptive & annoying behaviors
• Better information for trust decisions
• More secure architecture
• Improved manageability infrastructure

Solution: Internet Explorer (limit deceptive & annoying behaviors)
• New Popup Blocker for script-activated pop-ups
  – Doesn’t affect windows opened by user action
  – Doesn’t affect Trusted Sites or sites in the Local Intranet zone
• New limitations on script-initiated windows
  – May not be placed off screen and must overlap the parent window
  – Must be smaller in height than the parent window
  – Must stay with the parent window if the parent window moves
  – Must appear above the parent window so that other windows (such as a dialog box) cannot be hidden
  – Must always display the title bar and status bar

Solution: Internet Explorer (better information for trust decisions)
• Internet Explorer Information Bar
  – Replaces many common dialog boxes that prompt users for information
  – Provides a prominent and consistent way of displaying information that users may need to act upon
• Improved Authenticode dialog displays the publisher and the name of web controls in a consistent and more easily readable manner
• Safer handling of downloaded web controls
  – Unsigned controls, or controls with invalid signatures, are blocked
  – Signed controls are blocked in the Internet zone until the user clicks on the Information Bar
  – Any downloadable control may be blocked from specified publishers
  – New security granularity enables control of both instantiation and initialisation of individual controls on a per-zone basis
• New Add-On Manager and crash detection for web control management

Pop-up Blocker (Developer)
• You can:
  – Add trusted sites as binary values (one value per site) under the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
  – Implement the new COM interface INewWindowManager in a WebBrowser control host; MSHTML calls its EvaluateNewWindow method to determine whether a pop-up window opens, based on the user’s preferences
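Maintaining that per-user allow list from a script, as an added PowerShell example (it is not part of the deck and not Microsoft's code). It assumes only what the slide states: one REG_BINARY value per allowed site under the Allow key, named after the host. The single zero data byte and the host intranet.contoso.com are placeholders.

```powershell
# Added example: manage the Pop-up Blocker per-user allow list.
# Assumption (from the slide): one REG_BINARY value per allowed host under
# the Allow key; the value name is the host, the data byte is not significant.
$AllowKey = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows\Allow'

function Get-PopupAllowedSite {
    # Returns the host names currently exempt from the Pop-up Blocker.
    if (-not (Test-Path $AllowKey)) { return @() }
    (Get-Item $AllowKey).GetValueNames() | Where-Object { $_ -ne '' }
}

function Add-PopupAllowedSite {
    param([Parameter(Mandatory = $true)][string]$HostName)
    # Only a bare host belongs here. A scheme, path or port would never match
    # a real pop-up and would just sit in the list unnoticed.
    if ($HostName -notmatch '^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Expected a bare host name such as www.contoso.com, got '$HostName'"
    }
    if (-not (Test-Path $AllowKey)) { New-Item -Path $AllowKey -Force | Out-Null }
    New-ItemProperty -Path $AllowKey -Name $HostName -PropertyType Binary `
        -Value ([byte[]](0)) -Force | Out-Null
}

function Remove-PopupAllowedSite {
    param([Parameter(Mandatory = $true)][string]$HostName)
    if (Test-Path $AllowKey) {
        Remove-ItemProperty -Path $AllowKey -Name $HostName -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder host):
Add-PopupAllowedSite -HostName 'intranet.contoso.com'
Get-PopupAllowedSite
```

An entry here switches the blocker off entirely for that host, so treat additions as trust decisions and review the list with the same care as the Trusted Sites zone; the list is per user, so a logon script or the GPO equivalent is needed to apply it fleet-wide.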

Solution: Internet Explorer (more secure architecture)
• Zone elevation restrictions
  – Navigation into the Local Machine zone is blocked
  – Navigation into the Trusted Sites zone prompts the user
• Object caching changes
  – A reference to a cached object is no longer accessible once the user navigates to a new domain
• BindToObject changes
  – The ActiveX security model is applied to all object initialisations that have a URL as their source
  – Controls may be marked as “safe for scripting” and “safe for initialization” for each security zone

Solution: Internet Explorer (more secure architecture)
• MIME handling enforcement
  – IE is more restrictive about executing file downloads that could be dangerous
  – Where possible, IE renames files whose MIME header and extension disagree so that the two match
  – As defence in depth, files whose MIME type and extension still disagree are not executed
  – Even when the MIME type matches the extension, IE will not execute a file that its MIME handler rejects as possibly corrupt
  – Controlled via Group Policy within the IE security zones
• Optional feature prevents IE from “sniffing” a text file up to a more dangerous HTML or media type; off by default

Solution: Internet Explorer (improved default security)
• Lockdown of the Local Machine zone
  – The Local Machine zone is now more restrictive than the Internet zone
  – The following actions are blocked: running ActiveX controls, downloading unsigned controls, running script, overriding control safety, executing a binary behavior, and more
  – The user is prompted by the Information Bar when an action is blocked
• New binary behaviors restrictions
  – Binary behaviors are specialised components (DLLs) that encapsulate HTML rendering functionality associated with elements on a web page
  – No longer allowed in the Restricted Sites zone, which reduces the attack surface for HTML hosted in that zone
  – Only allowed in the locked-down Local Machine zone if they are on the admin-approved list
  – Can be turned off, or set to “admin approved”, for other zones through a new URL action setting

Solution: Internet Explorer (improved manageability infrastructure)
• Administrators can use Group Policy Objects to manage all existing and new security settings
  – Per-process “Feature Control” keys are managed through Administrative Templates
  – Per-zone security settings (URLActions) can also be managed through Administrative Templates
  – Alternatively, scripting can be used
• Most security settings apply only to IE by default
  – Other Web Browser Control “hosts” can register to be protected
  – Developers can manage settings from their application through an API

MS JVM
• The MSJVM will be neither removed nor installed by XP SP2
• IE security setting per zone
  – The new “Microsoft Java VM” setting will ONLY disable the MS JVM
  – The previous setting disabled all Java VMs, e.g. the JRE

Web browser control
• Optional GPO settings enable some of the restrictions for the Web browser control
  – Security Band: enables the notification bar UI
  – Restrict ActiveX Install
  – Restrict File Download
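Registering a third-party host of the WebBrowser control for these protections, as an added PowerShell example (not from the deck and not Microsoft's code). The registry location and the FEATURE_* names are the documented IE feature-control keys that the manageability slide refers to; the host executable name ContosoViewer.exe is a placeholder.

```powershell
# Added example: opt a WebBrowser control host into IE feature controls.
# Each feature is a subkey of FeatureControl; a REG_DWORD value named after
# the process image (1 = on, 0 = off) opts that process in or out. Out of
# the box only iexplore.exe and explorer.exe are listed, which is why a
# custom host gets none of these protections until it registers.
$FeatureRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'

# The three the slide names, plus the other SP2 feature controls covered
# earlier in this deck that a hosted browser control normally wants as well.
$HostFeatures = @(
    'FEATURE_SECURITYBAND',            # Information Bar instead of dialogs
    'FEATURE_RESTRICT_ACTIVEXINSTALL', # block ActiveX installs until the user opts in
    'FEATURE_RESTRICT_FILEDOWNLOAD',   # block script-initiated downloads
    'FEATURE_WINDOW_RESTRICTIONS',     # pop-up window placement rules
    'FEATURE_ZONE_ELEVATION',          # zone elevation restrictions
    'FEATURE_MIME_HANDLING',           # MIME handling enforcement
    'FEATURE_MIME_SNIFFING',           # no sniffing text up to HTML
    'FEATURE_LOCALMACHINE_LOCKDOWN',   # Local Machine zone lockdown
    'FEATURE_OBJECT_CACHING',          # object caching across domains
    'FEATURE_BEHAVIORS'                # binary behaviour restrictions
)

function Enable-IEFeatureControl {
    param(
        [Parameter(Mandatory = $true)][string]$HostExe,  # image name only, e.g. ContosoViewer.exe
        [string[]]$Feature = $HostFeatures,
        [switch]$Disable                                 # write 0 instead of 1
    )
    # The value name must be the bare image name: a path never matches.
    if ($HostExe -match '[\\/]' -or $HostExe -notmatch '\.exe$') {
        throw "Expected a bare executable name such as ContosoViewer.exe, got '$HostExe'"
    }
    $state = 1
    if ($Disable) { $state = 0 }
    foreach ($f in $Feature) {
        $key = Join-Path $FeatureRoot $f
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $HostExe -PropertyType DWord -Value $state -Force | Out-Null
    }
}

function Get-IEFeatureControl {
    # Reports, per feature subkey, whether the host is registered and with what value.
    param([Parameter(Mandatory = $true)][string]$HostExe)
    foreach ($sub in Get-ChildItem $FeatureRoot) {
        $v = Get-ItemProperty -Path $sub.PSPath -Name $HostExe -ErrorAction SilentlyContinue
        $value = $null                       # $null = not registered for this feature
        if ($v) { $value = [int]$v.$HostExe }
        New-Object PSObject -Property @{ Feature = $sub.PSChildName; Value = $value }
    }
}

# Usage (HKLM needs administrative rights; placeholder host):
Enable-IEFeatureControl -HostExe 'ContosoViewer.exe'
Get-IEFeatureControl -HostExe 'ContosoViewer.exe' | Format-Table Feature, Value -AutoSize
```

Check the result with Get-IEFeatureControl after deployment: a host that is missing from a feature subkey silently keeps the pre-SP2 behaviour for that feature, which is exactly the gap an attacker targeting a line-of-business browser host would look for.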

Memory

[Figure: function stack with the /GS switch, showing function parameters, function return address, frame pointer, exception handler frame, the cookie, callee-save registers, and locally declared variables and buffers; extra data written to a buffer overflows into the cookie, and when the cookie is found overwritten execution halts.]

Buffer Overruns & the /GS Switch (reduce risk of buffer overruns)
• To check for buffer overruns in production code, the Visual C++ .NET compiler implements the new /GS switch
• The /GS switch places a “speed bump”, or cookie, between the buffer and the return address
• If an overrun writes over the return address, it must first overwrite the cookie placed between the buffer and the return address; the cookie is checked when the function returns, so a mismatch stops execution before the corrupted return address is used

Solution: /GS Switch (reduce risk of Windows buffer overruns)
• Most critical Windows components have been recompiled in SP2 using the /GS switch
  – Components included in network-facing processes
  – Components that operate on untrusted input
• All other files required for the installation of SP2 have been recompiled with the /GS switch

Solution: Execution Prevention (hardware-based protection)
• Known as NX and “Execution Protection”
• Prevents execution of injected code by marking data memory as non-executable
  – Leverages processor technology
  – Marks memory regions as non-executable
  – The processor raises an exception when injected code is executed: memory access violation, and the process is terminated
• Supported on processors with 64-bit extensions
  – 32-bit XP SP2 runs in the processor’s 32-bit compatibility mode with NX support
  – AMD Athlon 64 and Opteron today
  – Intel has announced NX support for the new Celeron line and the Prescott Pentium 4
• On by default only for system components
  – User applications can be opted in

Solution: Execution Prevention (NX manageability and compatibility)
• System-wide configuration through boot.ini switches
• Some applications may have compatibility issues with DEP
  – Individual applications can be opted out of DEP protection
  – Exceptions list for end users
• SP2 includes the “DisableNX” compatibility fix (“shim”)
  – Leverages the Application Compatibility Toolkit
  – Use Group Policy, SMS or logon scripting to distribute the compatibility configuration

Application Behaviour
• JIT-compiled or otherwise generated code will fail under NX unless the application explicitly marks the memory it writes that code into with Execute permission
• .NET Framework code pre-Whidbey is marked NX off
• Whidbey (.NET Framework 2.0) will have NX support
• The DisableNX shim, included in the Application Compatibility Toolkit, disables NX support for an application
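Auditing what the two DEP slides describe on a running XP SP2 host, as an added PowerShell example (not from the deck and not Microsoft's code). It relies on three facts: the DataExecutionPrevention_* properties that Win32_OperatingSystem gained in SP2 (policy codes 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut), the /noexecute= switch in boot.ini, and the way the System Properties DEP tab stores the end-user exceptions list, as AppCompatFlags\Layers entries whose data contains DisableNXShowUI. The boot.ini text at the bottom is a constructed sample, not taken from any machine.

```powershell
# Added example: report DEP policy, boot.ini switch and per-application opt-outs.
$DepPolicyName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-DepStatus {
    # What the kernel is actually enforcing, as opposed to what boot.ini asks for.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        HardwareAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy            = $DepPolicyName[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        CoversDrivers     = [bool]$os.DataExecutionPrevention_Drivers
    }
}

function Get-BootIniNoExecute {
    # Parses the /noexecute= switch from boot.ini text. Takes the lines as a
    # parameter so the function can be exercised against a constructed sample.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Operating-system entries start with an ARC path; "default=" does not match.
        if ($line -match '^\s*(multi|scsi|signature)\(') {
            if ($line -match '/noexecute=(\w+)') { return $Matches[1] }
            return 'OptIn'   # switch absent: the XP SP2 setup default
        }
    }
    return $null
}

function Get-DepOptOutApplication {
    # Executables the end user (or an admin) has excluded via the DEP tab.
    if (-not (Test-Path $LayersKey)) { return @() }
    $k = Get-Item $LayersKey
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if (($data -split '\s+') -contains 'DisableNXShowUI') { $name }
    }
}

function Add-DepOptOutApplication {
    # Only meaningful under OptOut: under OptIn the application is unprotected
    # anyway, and under AlwaysOn the exception is ignored.
    param([Parameter(Mandatory = $true)][string]$ExePath)
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $LayersKey -Name $ExePath -ErrorAction SilentlyContinue).$ExePath
    $layers = @()
    if ($existing) { $layers = $existing -split '\s+' }   # keep other compatibility layers
    if ($layers -notcontains 'DisableNXShowUI') { $layers += 'DisableNXShowUI' }
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Value ($layers -join ' ')
}

# Constructed boot.ini sample (not from a real machine):
$sampleBootIni = @(
    '[boot loader]',
    'timeout=30',
    'default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS',
    '[operating systems]',
    'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect'
)
Get-BootIniNoExecute $sampleBootIni          # optin
Get-BootIniNoExecute (Get-Content "$env:SystemDrive\boot.ini")
Get-DepStatus
Get-DepOptOutApplication
```

Compare the two views: a boot.ini that says OptOut on a machine whose Get-DepStatus reports HardwareAvailable false means NX is not enforced at all, and every entry returned by Get-DepOptOutApplication is an executable an attacker can target with injected code regardless of the system policy, so that list deserves the same review as the DisableNX shim deployment.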

Maintenance

Security Center
• Centralised access to all security configuration settings
• Runs as a Win32 service
• Operationalises the “Protect Your PC” guidance
• Configured via GPO (1 setting) or 3 registry values
  – AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify
  – Administrative Templates\Windows Components\Security Center
• Some functionality is disabled in a domain environment; managed via GPOs
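Reading Security Center's view of the machine and driving the three notification values the slide names, as an added PowerShell example (not from the deck and not Microsoft's code). It uses the root\SecurityCenter WMI namespace that SP2 introduces for registered products (AntiVirusProduct and FirewallProduct classes) and the HKLM\SOFTWARE\Microsoft\Security Center key for the notification switches; the value names are taken from the slide.

```powershell
# Added example: query Security Center and manage its notification switches.
$ScKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$NotifyValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Get-SecurityCenterProduct {
    # Products that have registered with Security Center. On a domain member
    # the service is off unless the GPO turns it on, so this returns nothing.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Kind     = $class
                    Name     = $_.displayName
                    Company  = $_.companyName
                    Version  = $_.versionNumber
                    UpToDate = $_.productUptoDate          # AntiVirusProduct only
                    OnAccess = $_.onAccessScanningEnabled  # AntiVirusProduct only
                    Enabled  = $_.enabled                  # FirewallProduct only
                }
            }
    }
}

function Get-SecurityCenterNotification {
    # 1 suppresses the balloon for that area; absent or 0 leaves it on.
    $p = Get-ItemProperty -Path $ScKey -ErrorAction SilentlyContinue
    foreach ($n in $NotifyValues) {
        New-Object PSObject -Property @{ Setting = $n; Suppressed = [bool]($p.$n) }
    }
}

function Set-SecurityCenterNotification {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('AntiVirus', 'Firewall', 'Updates')][string]$Area,
        [Parameter(Mandatory = $true)][bool]$Suppress
    )
    if (-not (Test-Path $ScKey)) { New-Item -Path $ScKey -Force | Out-Null }
    New-ItemProperty -Path $ScKey -Name "${Area}DisableNotify" -PropertyType DWord `
        -Value ([int]$Suppress) -Force | Out-Null
}

# Usage (HKLM needs administrative rights):
Get-SecurityCenterProduct | Format-Table Kind, Name, UpToDate, OnAccess, Enabled -AutoSize
Get-SecurityCenterNotification
Set-SecurityCenterNotification -Area Firewall -Suppress $false
```

The suppression values only silence the user-facing balloons; they do not change whether the firewall, anti-virus or Automatic Updates are actually on, so a fleet that sets all three to 1 should be monitoring those products by other means.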

Updating Group Policies
• Edit all Group Policy from an XP SP2 machine once you have updated the ADM files
  – Use GPMC Service Pack 1
  – Copy the latest ADM files to the %windir%\inf directory on the workstation
  – Will be included in Windows Server 2003 SP1
  – Load each ADM template as required
• Be aware of the size of the ADM files that will replicate to all Domain Controllers (>3MB); see the MSKB for details
• Editing XP SP2 based GPOs on non-SP2 machines will result in “The following entry in the [strings] section is too long and has been truncated” errors
  – See the MSKB for details and hotfix download locations

Windows Update 5
• For users without Automatic Updates, XP SP2 prompts the user to enable Automatic Updates on first logon after install if it has not been set via GPO
• Windows Update: OS security patches
  – Delta compression
  – Single download (WU and AU)
  – Install on shutdown
  – Revised design (Express Install)
• Microsoft Update: Office, SQL, Exchange
  – All patches in one location
  – Still in development

RSOP
• Remote RSoP queries (WMI over DCOM) are now blocked by the Windows Firewall
• Edit the firewall exceptions to restore the functionality
  – Allow C:\Windows\System32\Wbem\unsecapp.exe
  – Allow TCP 135
• Group Policy changes
  – Enable the “Windows Firewall: Allow remote administration exception” Group Policy setting
  – Additional exceptions are required for delegation of RSoP and remote editing of GPOs
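Opening exactly those exceptions on a machine that is not yet under the GPO, and verifying them, as an added PowerShell example that wraps the XP SP2 netsh firewall context (not from the deck and not Microsoft's code). The scope is restricted to the local subnet rather than ANY so that the RPC endpoint mapper is not exposed to every peer; the exception names are placeholders.

```powershell
# Added example: restore remote RSoP through the Windows Firewall.
$UnsecApp = Join-Path $env:windir 'System32\wbem\unsecapp.exe'
$ManagementScope = 'SUBNET'   # or CUSTOM with addresses= for a management network

function Enable-RemoteRsopException {
    param([string]$Scope = $ManagementScope)
    # unsecapp.exe receives the asynchronous WMI callbacks used by RSoP.
    netsh firewall add allowedprogram program="$UnsecApp" name=WMI_unsecapp mode=ENABLE scope=$Scope profile=ALL
    # TCP 135 is the RPC endpoint mapper; DCOM then negotiates a dynamic port
    # for the WMI service, which is why the port alone is not sufficient.
    netsh firewall add portopening protocol=TCP port=135 name=RPC_endpoint_mapper mode=ENABLE scope=$Scope profile=ALL
}

function Enable-RemoteAdminException {
    # The netsh equivalent of the GPO "Allow remote administration exception":
    # opens RPC/DCOM and the dynamic ports that remote administration needs.
    param([string]$Scope = $ManagementScope)
    netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=$Scope profile=ALL
}

function Test-RemoteRsopException {
    # $true when both exceptions appear in the running firewall configuration.
    $config = netsh firewall show config | Out-String
    ($config -match 'unsecapp\.exe') -and ($config -match '135\s+TCP')
}

# Usage (requires administrative rights):
Enable-RemoteRsopException
Enable-RemoteAdminException
Test-RemoteRsopException
```

Prefer the GPO setting where the machine is domain-joined: it applies only in the domain profile, so the same laptop on a hotel network does not carry an open endpoint mapper, whereas profile=ALL above opens it in the standard profile as well.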

Windows Installer 3.0
• Included with XP SP2
• Smaller and more reliable patches: “delta compression”
• Patch removal: MsiRemovePatches function
• Sequencing: the patch sequence table enables patch authors to provide explicit instructions to control the order of installation
• Group Policy settings to control configuration

Media Player 9
• Enhanced performance and security improvements over prior versions
• Uninstall option if upgrading
• Handles digital content licences differently
  – Requires manual backup of pre-SP2 licences

Wireless Configuration
• Improved wireless network registration wizard and client
• Migrate settings using a USB key
• The new wireless LAN configuration works with a broad range of wireless hotspots, enabling customers to connect seamlessly without having to install or update a third-party client
• Requires XP SP2 and Windows Server 2003 SP1

Summary
• Web Browsing
  – Changes to limit deceptive and annoying behaviors (e.g. pop-ups) while providing users with better information for trust decisions
  – More secure architecture with enhanced manageability
• Memory Protection
  – Reduced risk of Windows buffer overruns and support for hardware NX protection
• Maintenance
  – Expanded Group Policy settings for greater control over desktop configuration

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.