Microsoft Windows XP SP2 for Developers Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd This session is based on material from course 2853 and from my friend Steve Riley

Objectives
- Give a brief overview of SP2
- Discuss, in depth, what developers need to do to comply with SP2 and even benefit from it

Brief Overview

What is SP2?
- All the usual stuff, of course: post-SP1 hotfixes (with more regression testing)
- New security technologies: network protection, memory protection, safer handling, more secure browsing, improved computer maintenance
- Some updated features

SP2 Security Goals
- Increase the security resiliency and manageability of Windows XP
- Decrease the end-user security burden: more secure out of the box
- Reduce the damage done by worms and viruses even if updates are not installed
- Make attackers work harder

Windows Firewall Enhancements
- Better UI
- On by default
- Boot-time security
- Multiple configurations and profiles
- Exceptions list (exceptions can be disallowed)
- Local subnet restrictions
- Command-line (netsh) and better Group Policy management
- Unattended setup

Windows Firewall: new user interface

Windows Firewall: per-interface configuration

Windows Firewall: adding programs or ports

Windows Firewall: exceptions can be disallowed

Windows Firewall: Group Policy settings

Are you sick of "are you sick of"?

Internet Explorer: managing pop-ups

Internet Explorer: pre-SP2 ActiveX warning

Internet Explorer: new ActiveX notice

Internet Explorer: controlling add-ons

Outlook Express: blocking attachments

In-Depth Discussion

Windows XP SP2 (in-depth topics)
- Windows Firewall
- Application Permissions List
- DCOM enhancements
- Secure RPC calls
- Memory protection
- Safer execution
- Enhanced browser security
- Improved computer maintenance

Integration of Visual Studio 2005 with Windows XP SP2
All products from Visual Studio 2005 onwards:
- Will be designed to work well on Windows XP SP2
- Will enable developers to take full advantage of the security enhancements in Windows XP

Impact on Visual Studio .NET 2002, Visual Studio .NET 2003, and the .NET Framework 1.1
- .NET Framework 1.0 and 1.1, and Visual Studio .NET 2002 and 2003, will be serviced to enable developers to take advantage of the Windows XP SP2 enhancements
- .NET Framework service packs that take advantage of Execution Protection (DEP) will ship in the Windows XP SP2 RTM timeframe
- Tools released prior to Visual Studio .NET 2002 will not be serviced to address XP SP2
- Affected features: Visual SourceSafe, Visual Studio .NET Analyzer, SQL debugging, and remote debugging

Impact of Increased Network Protection on Applications
- The "On With No Exceptions" feature of Windows Firewall
- Configuration settings in Windows Firewall
- Ability to configure the Application Permissions List in Windows Firewall
- netsh commands to script configuration changes to Windows Firewall
- Effects of Windows Firewall on IPv4 inbound and outbound connections
- Effects of Windows Firewall on IPv4 inbound connections to RPC and DCOM ports

How Windows Firewall Affects Applications
Feature: effect on applications
- On by default: breaks applications that do not work behind stateful filtering by default (an unsolicited inbound connection is dropped unless the application or its port is on the exceptions list)
- Boot-time security: if the Windows Firewall service fails to start, an administrator cannot remotely troubleshoot the issue because all ports stay closed
- Global configuration: makes it easier for users to manage their firewall policy across all network connections
- Local subnet restriction: restricts the scope of who can reach a port
- Multiple profiles: an application that must work on both the Internet and a trusted network may fail, because the two profiles need not carry the same policy

How to Add Applications to Windows Firewall
Administratively:
- On the Exceptions tab of the Windows Firewall dialog box, click Add Program
- If you cannot find the program, you can open a port instead
Programmatically:
- ISVs are recommended to place applications that act as network listeners on the Windows Firewall Exceptions list during installation (the NetFwTypeLib and INetFwV4AuthorizedApplication APIs)

netsh Commands to Script Configuration of Windows Firewall (all in the netsh firewall context)
- add allowedprogram: adds excepted traffic by specifying the program's file name
- delete allowedprogram: deletes an existing allowed program
- add portopening: adds excepted traffic by specifying a TCP or UDP port
- set portopening: modifies the settings of an existing open TCP or UDP port
- delete portopening: deletes an existing open TCP or UDP port
- set service: allows or drops file and printer sharing, remote administration, remote desktop, and UPnP traffic
- set opmode: specifies the operating mode of Windows Firewall, either globally or for a specific connection (interface)

Impact of Memory Protection and Handling Technologies on Applications
- Data Execution Prevention (DEP, using the processor's NX feature)
- Attachment Execution Service

How Data Execution Prevention Impacts Applications
Application compatibility
- DEP breaks applications that generate code at run time (JIT compilers, thunks, trampolines) and do not explicitly mark the generated memory as executable, for example with PAGE_EXECUTE_READWRITE in VirtualAlloc or VirtualProtect
System compatibility
- On 32-bit x86, hardware DEP requires the processor to run in PAE mode. Drivers that were never designed for PAE (historically only needed on systems with more than 4 GB of RAM) can cause boot failures or other instability once NX-capable hardware switches the kernel into that mode
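
The system-wide DEP policy on 32-bit Windows XP SP2 is the /noexecute switch of the default entry in boot.ini, and the per-application opt-outs used with the OptOut policy are stored as DisableNXShowUI entries under the AppCompatFlags\Layers registry key. The following script, an added example that is not part of the original deck and not Microsoft code, parses that switch and lists the opt-outs; the boot.ini text is a constructed sample and the function names are mine.

```powershell
# Added example; not part of the original deck and not Microsoft code.
# On 32-bit Windows XP SP2 the system-wide DEP policy is the /noexecute switch
# of the default entry in boot.ini; per-application opt-outs (OptOut policy)
# live as DisableNXShowUI entries under AppCompatFlags\Layers.
# The boot.ini text below is a constructed sample; the function names are mine.

$DepPolicies = @{
    'optin'     = 'OptIn: DEP only for Windows system binaries (the SP2 default)'
    'optout'    = 'OptOut: DEP for every program except those on the exception list'
    'alwayson'  = 'AlwaysOn: DEP for everything, exception list ignored'
    'alwaysoff' = 'AlwaysOff: DEP disabled'
}

function Get-DepPolicyFromBootIni([string]$BootIniText) {
    $lines = [regex]::Split($BootIniText, "`r?`n")

    # Only the entry that [boot loader] selects with "default=" matters.
    $defaultArc = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*default\s*=\s*(\S+)') { $defaultArc = $matches[1] }
    }
    if ($defaultArc -eq $null) { throw 'boot.ini has no default= entry' }

    $entry = $null
    foreach ($line in $lines) {
        if ($line.StartsWith($defaultArc + '=', [System.StringComparison]::OrdinalIgnoreCase)) { $entry = $line }
    }
    if ($entry -eq $null) { throw "no [operating systems] entry for $defaultArc" }

    if     ($entry -match '/noexecute=(\w+)') { $mode = $matches[1].ToLower() }
    elseif ($entry -match '/execute\b')       { $mode = 'alwaysoff' }   # /execute turns DEP off outright
    else                                      { $mode = 'optin' }       # switch absent: SP2 default
    if (-not $DepPolicies.ContainsKey($mode)) { throw "unknown /noexecute value '$mode'" }
    return $DepPolicies[$mode]
}

function Get-DepOptOutList {
    # Programs excluded from DEP under the OptOut policy (System Properties, DEP tab)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    $layers = Get-ItemProperty $key
    $layers.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNX' } |
        ForEach-Object { $_.Name }
}

# Constructed sample boot.ini: an administrator has switched the machine to OptOut.
$sampleBootIni = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optout /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Test build" /fastdetect
'@

Get-DepPolicyFromBootIni $sampleBootIni
# On a live system: Get-DepPolicyFromBootIni ([System.IO.File]::ReadAllText('C:\boot.ini'))
Get-DepOptOutList
```

Only the entry named by default= is parsed on purpose: a second, rarely used boot entry with a different switch is exactly the kind of thing that makes an audit report the wrong policy.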

How Attachment Execution Service Impacts Applications
- Applies to any developer producing e-mail or chat client software
- Internally, Attachment Execution Service gives each attachment a risk rating based on its extension, content type, and registered handlers
- The risk rating is mapped to a policy checked against the Internet Explorer zones (Restricted, Internet, Intranet, Local, Trusted)
- Provides no workaround for subverting the process or the protection

How the Local Machine Zone Lockdown Feature Affects Web Applications
Effect of the Local Machine Zone Lockdown feature
- Impacts applications that host local HTML files in Internet Explorer
- Does not impact developers of Web sites hosted in the Internet or Local Intranet zones
- Requires developers to register applications if they want to ensure that malicious code cannot be run through them
Overcoming restrictions caused by the Local Machine Zone Lockdown feature
- Save your content as an HTA file (an HTA runs with full trust, so this is a functional work-around, not a hardening step)
- Add a "mark of the Web" comment to your HTML pages (the file is then treated as belonging to the zone of the URL named in the comment)
- Create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC)
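
The "mark of the Web" work-around is a comment of the form <!-- saved from url=(NNNN)URL --> near the top of the local file, where NNNN is the zero-padded character count of URL; IE then renders the file in the zone of that URL instead of the locked-down Local Machine zone. The script below is an added example, not part of the original deck and not Microsoft code: the comment format is IE's, while the function names and the sample page are mine.

```powershell
# Added example; not part of the original deck and not Microsoft code.
# Inserts and validates the "mark of the Web" comment used to move a local
# HTML file out of the locked-down Local Machine zone. The comment format is
# IE's; the function names and the sample page are mine.

function New-MarkOfTheWeb([string]$Url = 'about:internet') {
    # about:internet is the conventional URL meaning "treat as the Internet zone".
    # Use a real origin (http://intranet.example/) to land in a different zone.
    if ($Url -match '\s' -or $Url.Length -gt 9999) { throw "unusable URL: '$Url'" }
    # The length field is the character count of the URL, zero-padded to 4 digits.
    return ('<!-- saved from url=({0:D4}){1} -->' -f $Url.Length, $Url)
}

function Test-MarkOfTheWeb([string]$Html) {
    # True only when a mark is present and its length field equals the URL length;
    # IE reads the URL using that count, so a wrong count is not a valid mark.
    $m = [regex]::Match($Html, '<!-- saved from url=\((\d{4})\)(\S+) -->')
    if (-not $m.Success) { return $false }
    return ([int]$m.Groups[1].Value -eq $m.Groups[2].Value.Length)
}

function Add-MarkOfTheWeb([string]$Path, [string]$Url = 'about:internet') {
    $content = [System.IO.File]::ReadAllText($Path)
    if (Test-MarkOfTheWeb $content) { return $false }        # already marked, leave the file alone
    # IE only looks near the start of the file, so the mark goes on line 1.
    [System.IO.File]::WriteAllText($Path, (New-MarkOfTheWeb $Url) + "`r`n" + $content)
    return $true
}

# Constructed sample (not a real page): script in a local file, which the
# Local Machine Zone Lockdown would otherwise block with the information bar.
$sample = "<html><body><script>document.write('hello')</script></body></html>"
$tmp = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'motw-demo.htm')
[System.IO.File]::WriteAllText($tmp, $sample)

Add-MarkOfTheWeb $tmp        # first call inserts the mark
Add-MarkOfTheWeb $tmp        # second call is a no-op
(Get-Content $tmp)[0]        # show the inserted comment line
```

Validating the length field matters in practice: a mark that was hand-typed with the wrong count looks right to a human and does nothing for IE, so the page silently stays locked down.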

New Internet Explorer-Related Registry Settings
Setting: purpose
- URLACTION_FEATURE_MIME_SNIFFING: controls whether a file may be promoted from one type to another based on a "MIME sniff"
- URLACTION_FEATURE_ZONE_ELEVATION: mitigates many privilege-escalation attacks (content in one zone navigating into a more privileged zone)
- URLACTION_FEATURE_WINDOW_RESTRICTIONS: restricts script-initiated pop-up windows, which must include the title and status bars

How the Pop-up Manager Affects Web Applications
Effects of the Pop-up Manager
- Affects the behavior of windows opened by Web sites, for example those opened using window.open(), window.showModelessDialog(), window.showModalDialog(), window.navigateAndFind() and showHelp()
- Provides the INewWindowManager interface, which allows applications that use the Internet Explorer rendering engine to display HTML to: use or extend Pop-up Manager functionality; use their own pop-up manager; or disable the Pop-up Manager

Procedure: Using Windows Firewall with SQL Server 7 and MSDE 1.0
1. Determine the port number
2. Enable networking by using one of the following methods:
   - Add the TCP port as an exception
   - Add the SQL Server program as an exception
   - Enable named pipes and/or multi-protocol over named pipes

Methods: Windows Firewall with SQL Server 2000 and MSDE 2000
- Add the TCP port as an exception: adds the port SQL Server is listening on to the Windows Firewall Exceptions list
- Add the SQL Server program as an exception: lets SQL Server listen on any port (the firewall opens whatever ports the program listens on, and only while it runs; when the port is fixed, prefer the port exception, ideally restricted to the local subnet)

Other SQL Server Components
You also need to configure the firewall for:
- SQLXML
- SQL Browser Service
- SQL Server 2000 and MSDE 2000 Service Pack 3a
- MSDTC
- SQL Server Analysis Services
- SQL Server Reporting Services
- SQL Server Agent
- SQL Server Replication
See "References" at the end of the session
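
The port-exception and program-exception methods from the SQL Server slides, scripted with the netsh firewall commands tabulated earlier, as an added example that is not part of the original deck and not Microsoft code. It assumes things the page does not state: a default-path SQL Server 2000 / MSDE 2000 instance on TCP 1433 and the SQL Browser / SQL Server Resolution service on UDP 1434; adjust both for your installation.

```powershell
# Added example; not part of the original deck and not Microsoft code.
# Applies the port-exception and program-exception methods from the SQL Server
# slides using the netsh firewall commands tabulated earlier, and keeps the
# firewall on. Assumed (not stated on the page): a default-path SQL Server 2000
# / MSDE 2000 instance on TCP 1433 and SQL Browser / resolution on UDP 1434.
# Run as an administrator on Windows XP SP2.

$SqlExe     = 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe'
$SqlTcpPort = 1433
$BrowserUdp = 1434

function Invoke-NetshFirewall([string[]]$ArgList) {
    # netsh prints "Ok." when a command succeeds (English systems; localized
    # netsh prints a translated string). Anything else is treated as a failure.
    $text = (& netsh.exe firewall $ArgList 2>&1 | Out-String).Trim()
    if ($text -notmatch '^Ok\.') { throw "netsh firewall $ArgList failed: $text" }
    Write-Host "netsh firewall $ArgList -> $text"
}

# Method 1 (preferred when the port is fixed): open only the port, and only to
# the local subnet. scope=SUBNET is the local-subnet restriction from the
# enhancements slide; profile=ALL covers both the Domain and Standard profiles.
Invoke-NetshFirewall @('add', 'portopening', 'protocol=TCP', "port=$SqlTcpPort",
                       'name=SQL Server (TCP)', 'mode=ENABLE', 'scope=SUBNET', 'profile=ALL')

# SQL Browser / SQL Server Resolution answers instance-name lookups on UDP 1434.
Invoke-NetshFirewall @('add', 'portopening', 'protocol=UDP', "port=$BrowserUdp",
                       'name=SQL Browser (UDP)', 'mode=ENABLE', 'scope=SUBNET', 'profile=ALL')

# Method 2 (use instead of method 1 when the instance picks a dynamic port):
# trust the executable. The firewall then opens whatever port sqlservr.exe
# listens on, but only while the process is running.
# Invoke-NetshFirewall @('add', 'allowedprogram', "program=$SqlExe", 'name=SQL Server',
#                        'mode=ENABLE', 'scope=SUBNET', 'profile=ALL')

# Keep the firewall on with exceptions allowed; never turn it off to "fix" SQL.
Invoke-NetshFirewall @('set', 'opmode', 'mode=ENABLE', 'exceptions=ENABLE', 'profile=ALL')

# Verify the resulting exception list.
& netsh.exe firewall show portopening
& netsh.exe firewall show allowedprogram

# Roll back with:
#   netsh firewall delete portopening protocol=TCP port=1433
#   netsh firewall delete portopening protocol=UDP port=1434
```

The arguments are passed to netsh as an array so that a value containing spaces (the program path, the exception name) reaches netsh as one token without hand-built quoting.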

RPC Enhancements
- Windows Firewall allows only processes running in the Local System, Network Service, or Local Service security context to open ports for RPC communication
- The RestrictRemoteClients registry value eliminates, by default, remote anonymous access to RPC interfaces on the system, with some exceptions
- EnableAuthEpResolution enables an RPC client to call an RPC server that has registered a dynamic endpoint on a Windows XP SP2 system (the endpoint mapper query is then made with authentication, so it is not rejected as anonymous)

The RestrictRemoteClients Registry Values
The RestrictRemoteClients value forces RPC to perform additional security checks for all interfaces, even if an interface has no registered security callback.
- RPC_RESTRICT_REMOTE_CLIENT_NONE (0): bypasses the new RPC interface restriction (pre-SP2 behavior)
- RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1): rejects remote anonymous calls to all RPC interfaces, except interfaces that explicitly exempt themselves (the SP2 default)
- RPC_RESTRICT_REMOTE_CLIENT_HIGH (2): rejects remote anonymous calls to all RPC interfaces, with no exemptions

Methods to Resolve RPC Incompatibilities
- Require your RPC clients to use RPC security (authentication) when contacting your server application; this keeps the SP2 protection intact
- Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration; your security callback then carries the full burden of deciding who may call
- Force RPC to exhibit the same behavior as earlier versions of Windows by setting RestrictRemoteClients to RPC_RESTRICT_REMOTE_CLIENT_NONE (0); this removes the protection for every interface on the machine, not just yours

Purpose of EnableAuthEpResolution
Issue with resolving an endpoint
- Anonymous calls to the endpoint mapper interface fail by default on Windows XP SP2 because of the default value of the new RestrictRemoteClients value
- The RPC client runtime therefore has to perform an authenticated query to the endpoint mapper
EnableAuthEpResolution registry setting
- Ensures that all endpoint mapper queries performed on behalf of authenticated calls are made using NTLM or Kerberos authentication
- Enables an RPC client to call an RPC server that has registered a dynamic endpoint on a computer running Windows XP SP2

Windows XP SP2 and DCOM
Windows XP SP2 DCOM security enhancements
- Computer-wide restrictions to DCOM
- Granular COM permissions

DCOM in Windows XP SP2: Computer-Wide Restrictions
- Adds computer-wide access controls that govern all call, activation, and launch requests on a computer
- Creates an additional AccessCheck
- Provides a minimum authorization bar that must be passed to access any COM server on the computer
- Provides a computer-wide ACL for launch permissions (covering activation and launch) and one for access permissions (covering calls)
- Provides a computer-wide ACL as a means to override weak security settings specified by a specific application through CoInitializeSecurity

Separating Call and Activation Permissions (Granular COM Permissions)
Local and remote permissions
- Administrators can control a computer's COM permission policy based on the concept of "distance"
- Local is defined as a COM message arriving via the LRPC protocol; remote COM messages arrive via a remote RPC protocol such as TCP/IP
Granular COM permissions
- Windows XP SP2 changes COM to separate the call and activation permissions, moving the activation permissions from the Access Permission ACL to the Launch Permission ACL
- Launch Permission ACLs can be split into Local Launch (LL), Remote Launch (RL), Local Activate (LA), and Remote Activate (RA) permissions

Implications of Granular COM Permissions for Custom Applications
- For COM applications that use the default security settings, there are no compatibility issues
- Most applications that are dynamically started by COM activation will have no compatibility issues, because the launch permissions must already include anyone who is able to activate an object
- Applications that are already started by other mechanisms, such as Windows Explorer or the Service Control Manager, can have compatibility issues: their callers previously needed only access permission to activate an object, and now need the activate right on the launch ACL
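
A read-only audit of the two hardening knobs discussed on the RPC and DCOM slides, as an added example that is not part of the original deck and not Microsoft code: it reports the RestrictRemoteClients and EnableAuthEpResolution policy values, decodes the computer-wide DCOM launch and access ACLs into the granular LL/RL/LA/RA rights, and flags remote rights granted to Everyone or ANONYMOUS LOGON. The registry locations (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc and HKLM\SOFTWARE\Microsoft\Ole) are the XP SP2 ones; the decoding logic, the "broad principal" check and the function names are mine.

```powershell
# Added example; not part of the original deck and not Microsoft code.
# Read-only audit of the RPC interface restriction and the computer-wide DCOM
# ACLs. Registry locations are the XP SP2 ones; decoding logic and names are mine.

$RpcRestrictNames = @{
    0 = 'NONE: pre-SP2 behaviour, remote anonymous calls allowed'
    1 = 'DEFAULT: remote anonymous calls rejected unless the interface exempts itself'
    2 = 'HIGH: remote anonymous calls rejected, no exemptions'
}
# Access-mask bits of the COM rights; the four LOCAL/REMOTE ones are new in XP SP2
$ComRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'; 8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }
# Principals that should never hold *_REMOTE rights on a hardened machine
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

function Get-RpcRestrictionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $restrict = 1    # value absent: XP SP2 default is RPC_RESTRICT_REMOTE_CLIENT_DEFAULT
    $authEp   = 0    # value absent: authenticated endpoint resolution is off
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        if ($p.RestrictRemoteClients -ne $null)  { $restrict = [int]$p.RestrictRemoteClients }
        if ($p.EnableAuthEpResolution -ne $null) { $authEp   = [int]$p.EnableAuthEpResolution }
    }
    return @{ RestrictRemoteClients = $RpcRestrictNames[$restrict]; EnableAuthEpResolution = ($authEp -ne 0) }
}

function Get-DcomMachineAcl([string]$ValueName) {
    # MachineLaunchRestriction holds launch + activate rights (LL/RL/LA/RA);
    # MachineAccessRestriction holds call rights. Both are self-relative security descriptors.
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole -eq $null -or $ole.$ValueName -eq $null) {
        Write-Warning "$ValueName is not set; the built-in default ACL applies"
        return @()
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($ole.$ValueName, 0)
    if ($sd.DiscretionaryAcl -eq $null) {
        Write-Warning "$ValueName has a NULL DACL: everyone gets every right"
        return @()
    }
    $result = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        foreach ($bit in 1, 2, 4, 8, 16) { if ($ace.AccessMask -band $bit) { $rights += $ComRights[$bit] } }
        $sid = $ace.SecurityIdentifier.Value
        $who = $sid
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $result += @{ Acl = $ValueName; Type = [string]$ace.AceType; Sid = $sid; Principal = $who; Rights = [string]::Join(',', $rights) }
    }
    return $result
}

function Find-BroadRemoteDcomGrants {
    # The weak settings worth flagging: *_REMOTE rights allowed to Everyone or
    # ANONYMOUS LOGON. Local-only rights for those principals are the SP2 default.
    $findings = @()
    foreach ($aclName in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
        foreach ($e in (Get-DcomMachineAcl $aclName)) {
            if ($e.Type -eq 'AccessAllowed' -and $BroadSids.ContainsKey($e.Sid) -and $e.Rights -match '_REMOTE') {
                $findings += '{0}: {1} ({2}) allowed {3}' -f $e.Acl, $BroadSids[$e.Sid], $e.Sid, $e.Rights
            }
        }
    }
    return $findings
}

Get-RpcRestrictionPolicy
Get-DcomMachineAcl 'MachineLaunchRestriction' | ForEach-Object { '{0,-14} {1,-40} {2}' -f $_.Type, $_.Principal, $_.Rights }
Get-DcomMachineAcl 'MachineAccessRestriction' | ForEach-Object { '{0,-14} {1,-40} {2}' -f $_.Type, $_.Principal, $_.Rights }
Find-BroadRemoteDcomGrants
```

The NULL-DACL check is deliberate: a security descriptor with no DACL grants everything to everyone, which is the opposite of what an empty-looking listing suggests, so it is reported as a warning rather than as "no entries".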

Remember the Challenge
- Usability vs. security
- SP2 is a significant shift towards security
- A lot of work has been done on overcoming usability issues
- But the challenge of this balance remains

Summary
- SP2 gives a wide range of security improvements
- SP2 forces developers to be more security-conscious
- Most applications will run "as is"
- Applications that use features impacted by the Service Pack need to be serviced themselves

References & More
- msdn.microsoft.com
- Microsoft training course 2853
- Developer resources, including training
- Learn more about Service Pack 2: winxpsp2.mspx
- Changes to functionality (always updated): sp2chngs.mspx
- Deploying Service Pack 2: winxpsp2.mspx
- Microsoft IT Forum in Copenhagen, November 2004

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.