Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield Microsoft.

Presentation transcript:

Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield Microsoft Ltd. UK September 2004

The Day
- Trustworthy Computing
- Overview of Windows XP Service Pack 2
- Coffee break… around 11.15am
- Technical Drill-Down of Windows XP SP2 – Part 1
- You’ll need lunch to 1.30pm
- Technical Drill-Down of Windows XP SP2 – Part 2
- Another coffee break… around 3.15pm
- Planning, Testing and Deploying WinXP SP2
- Troubleshooting
- Close … 5pm

What’s wrong with SP1 then?

Security and Trustworthy Computing

Situation: When do exploits occur?
[Timeline figure: Product shipped; Vulnerability discovered; Fix Made Available; Fix deployed by customer. Callout: "Most attacks occur here"]

Exploit Timeline
[Timeline figure: Product shipped; Vulnerability discovered; Fix Made Available; Fix deployed by customer. Labels: Process, Tools Critical]
Days between Fix and Exploit have decreased so that patching can’t be the only defense in large organizations
[Chart: days between fix and exploit for Blaster, Welchia/Nachi, Nimda, SQL Slammer, Sasser; values shown: 25, 14]

Microsoft Commitment Build software and services that will help better protect our customers and the industry.

Springboard
- Get secure and stay secure with less cost, less stress
- Starts with XP SP2
- Suite of products and technologies: XP SP2, Windows Update V5, update.exe, Windows Installer 3 (.msp/.msi), “SUS 2”, Windows Server 2003 SP1
- Changes in functionality & baseline security level

Springboard – Why?
- Patch management too complex
- Time to exploit accelerating
- Exploits are more sophisticated
- Current approach is not sufficient
- Create a new Microsoft security baseline for the OS & Internet Explorer

Isolation & Resiliency: Old Approach
[Diagram: Memory, Attachments, Web, Network]

Isolation & Resiliency: New Approach
[Diagram: Memory, Attachments, Web, Network]

Windows XP Service Pack 2
Block virus or malicious code at the “point of entry”
- Enhanced Security
- Increased Manageability
- Improved Experience

Windows XP Service Pack 2
- Schedule
  - Available now: RTW 9th August
  - Critical Update to all Windows XP clients from 25th August
- All Windows ‘Editions’ supported
  - Home & Professional
  - SP2 provides the upgrade to Tablet Edition 2005 (“Lonestar”)
  - SP2 provides the upgrade to Media Center Edition 2004 (“Harmony”)
- Being localized in 25 languages over next 2 months
  - English, German, French, Spanish, Italian, Brazilian, Japanese, Dutch, Swedish, Danish, Norwegian, Finnish, Simplified Chinese, Traditional Chinese, Korean, Czech, Polish, Hungarian, Russian, Traditional Hong Kong Chinese, Arabic, Hebrew, Greek, Turkish, Portuguese

Windows Server 2003 Service Pack 1
- Goals
- Implement additional protection for enterprise environments
- Planned for Q
- Very focused release
- Enable appropriate “safety technologies” from client
- Feature list is still under development
[Diagram labels: Secure Role-based Configuration; Inspected Environments]

“XP Reloaded”
- NOT XP Service Pack 2
- NOT a product
Value-add initiatives for Windows XP.

Service Pack 2 Overview
[Diagram: Memory, Attachments, Web, Network]

Problem: Port-Based Attacks
- Many services and applications running on users’ computers listen for network traffic
- These applications and services require open ports to function properly
- Hackers build automatic tools that scan the Internet for computers running these applications and services
- Even with a perimeter firewall, systems may be vulnerable to attack

Solution: Windows Firewall
- Windows Firewall (formerly ICF) is on by default
- All ports protected
- Exception list for applications & services requiring open ports
- Required only for applications or services that need to listen for unsolicited incoming traffic
- Per-port or per-application subnet and IP address restrictions
- Boot-time security
- Highly manageable
- Two operating profiles to support mobile computers: Domain and Standard
- All configuration options available through new Group Policy Objects and through scripting

Problem: DCOM & RPC
- Core infrastructure for application to application communications
- Underlying service that supports DCOM & RPC-based communication (RPCSS) is always on
- RPCSS listens on a well known endpoint
- Port 135 for DCOM, many ports for RPC
- RPCSS allows unauthenticated remote calls
- Limited administrative control

Solution: RPC & DCOM
- Change to underlying architecture (RPCSS) to reduce attack surface area
- Block unauthenticated calls to DCOM and RPC services
- Make it easier to restrict interfaces to local machine only
- Fine-grained security
- New permissions configured through group policy, UI and logon scripting

Problem: Attachments
- Security model depends on users to make good trust decisions
- However, users are ill-equipped to make informed decisions
- Users easily tricked into making poor choices
- Example: “myphoto.jpg.exe”
- Employing a static list of dangerous file types isn’t enough

Solution: Attachment Manager
- New Windows service (and public API) for handling safe attachments
- Used by Outlook Express, Windows Messenger and Internet Explorer, and third-parties soon
- Unsafe attachments not trusted by default
- Block/Prompt/Allow determined by combination of file type & zone
- Marks zone or origin in file system if file is saved to disk
- Enables safer message “preview” in Outlook Express
Consistent experience for “trust” decisions
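An added sketch of the file-type-and-zone decision described on this slide, not code from the presentation or from Windows. The high-risk extension list and the Block/Prompt/Allow mapping are simplified assumptions, and the zone mark is modelled as the text of a [ZoneTransfer] record, with ZoneId 3 for Internet and 4 for Restricted sites.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum decision { ALLOW, PROMPT, BLOCK };

/* 1 if the final extension is in a short, assumed high-risk list. The last
   extension is the one that counts: "myphoto.jpg.exe" is judged by ".exe". */
int is_high_risk(const char *name)
{
    static const char *risky[] = { "exe", "scr", "pif", "bat", "cmd", "vbs" };
    const char *dot = strrchr(name, '.');
    size_t i, j;
    if (!dot) return 0;
    for (i = 0; i < sizeof risky / sizeof risky[0]; i++) {
        for (j = 0; risky[i][j] &&
                    tolower((unsigned char)dot[1 + j]) == risky[i][j]; j++)
            ;
        if (!risky[i][j] && !dot[1 + j]) return 1;
    }
    return 0;
}

/* Reads ZoneId from the text of a zone mark. Returns -1 if there is no mark
   or it cannot be parsed. */
int parse_zone(const char *mark)
{
    const char *p;
    if (!mark || !(p = strstr(mark, "[ZoneTransfer]"))) return -1;
    if (!(p = strstr(p, "ZoneId="))) return -1;
    if (!isdigit((unsigned char)p[7])) return -1;
    return atoi(p + 7);
}

/* Assumed, simplified policy: file type and zone together pick the outcome. */
enum decision decide(const char *name, const char *mark)
{
    int zone = parse_zone(mark);
    if (!is_high_risk(name)) return ALLOW;
    if (zone >= 4) return BLOCK;        /* Restricted sites */
    return zone == 3 ? PROMPT : ALLOW;  /* Internet prompts; local or unmarked is allowed */
}

int main(void)
{
    static const char *names[] = { "ALLOW", "PROMPT", "BLOCK" };
    const char *internet = "[ZoneTransfer]\r\nZoneId=3\r\n";  /* constructed mark */
    printf("myphoto.jpg.exe: %s\n", names[decide("myphoto.jpg.exe", internet)]);
    printf("myphoto.jpg:     %s\n", names[decide("myphoto.jpg", internet)]);
    return 0;
}
```

A file that reaches disk without a zone mark is treated like a local file in this sketch, so the decision is only as good as the marking step.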

Problem: Memory
- Some services and applications improperly handle malformed messages
- An attacker can send a message with data that is longer than expected
- Extra data includes malicious code
- Malicious code is inadvertently written to area of memory where that code is executed
[Figure: Anatomy of a Buffer Overrun. Function Stack Mapping: Locally Declared Variables and Buffers; Callee save registers; Function Parameters; Function Return Address; Frame Pointer; Exception Handler Frame. Callouts: "Data Goes Here"; "Extra Data Overflows Here"; "Malicious Code Executed Here"]

Solution: /GS Switch
- Visual C++.NET compiler implements the new /GS switch
- The /GS switch provides a "speed bump," or cookie, between the buffer and the return address
- If an overrun overwrites the cookie, process is halted
[Figure: Function Stack with /GS Switch. Locally Declared Variables and Buffers; Cookie; Callee save registers; Function Parameters; Function Return Address; Frame Pointer; Exception Handler Frame. Callouts: "Data Goes Here"; "Extra Data Overflows Here"; "Cookie overwritten, execution halts"]
Most critical Windows components have been recompiled using the /GS switch
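The cookie check on this slide, modelled as an added example (not code from the presentation or from the compiler). A struct stands in for the stack frame, and the cookie value, return address and run_call function are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, lowest address first: local buffer, cookie,
   frame pointer, return address. */
struct sim_frame {
    unsigned char buffer[16];
    uint32_t cookie;
    uint32_t frame_pointer;
    uint32_t return_address;
};

#define SIM_COOKIE 0x5A17C0DEu  /* constructed; a real cookie is not a fixed constant */
#define SIM_RETURN 0x00401000u  /* constructed return address */

/* Models one call whose body copies len bytes into the local buffer without
   checking the length. The copy is clamped to the simulated frame, so the demo
   never writes outside its own struct. With gs != 0 the epilogue compares the
   cookie first. Returns 1 if the function returns (address in *ret_used),
   0 if the cookie check halts execution before the return address is used. */
int run_call(const unsigned char *data, size_t len, int gs, uint32_t *ret_used)
{
    struct sim_frame f;
    memset(&f, 0, sizeof f);
    f.cookie = SIM_COOKIE;
    f.return_address = SIM_RETURN;

    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, data, len);   /* the unchecked copy */

    if (gs && f.cookie != SIM_COOKIE) {
        *ret_used = 0;
        return 0;
    }
    *ret_used = f.return_address;
    return 1;
}

int main(void)
{
    unsigned char input[sizeof(struct sim_frame)];
    uint32_t ret;
    memset(input, 'B', sizeof input);         /* constructed over-long input */

    run_call(input, 12, 1, &ret);
    printf("12 bytes, /GS:    returns to 0x%08lx\n", (unsigned long)ret);
    run_call(input, sizeof input, 0, &ret);
    printf("28 bytes, no /GS: returns to 0x%08lx\n", (unsigned long)ret);
    if (!run_call(input, sizeof input, 1, &ret))
        printf("28 bytes, /GS:    cookie changed, halted\n");
    return 0;
}
```

The check turns a hijacked return into a halted process; the unchecked copy itself still happens and still needs fixing.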

Solution: Execution Prevention
- Known as NX and “Execution Protection”
- Prevents execution of injected code
- Leverages processor technology
- Marks memory regions as non-executable
- Processor raises exception when injected code is executed
- Supported on 64-bit extensions processors
- SP2 runs in 32-bit compatibility mode with NX support
- AMD Athlon64 and Opteron today
- Intel has announced support for NX in new Celeron line and Prescott based P4’s
Hardware-based protection

Problem: Web Browsing
- Internet Explorer flexibility may be exploited
- Some Internet Explorer features may be used to mislead users
- Popups may be made to look like security messages
- Browser windows may be made to look like the Windows desktop or a Windows dialog (spoofing)
- The source of Web downloads may be disguised
- Internet Explorer security settings difficult to manage

Solution: Internet Explorer
- Limit deceptive & annoying behaviors
  - Popup Blocker
  - Limitations on how script-controlled windows look
- Better information for trust decisions
  - New Information Bar
  - Safer handling of downloaded web controls
- More secure architecture
  - Zone elevation restrictions
  - Object caching changes
  - MIME handling enforcement
  - Lockdown of the Local Machine Zone
  - Binary Behaviors (compiled DHTML) restrictions
- Improved manageability infrastructure

Additional Enhancements
- New Windows Security Center
- Automatic Update enhancements
- Windows Update Services client
- New unified wireless LAN client
- Updated Bluetooth client
- Windows Media 9 Series player update

How SP2 Would Have Helped
- MSBlaster worm
  - Windows Firewall, by default, blocks the ports required to exploit this vulnerability
  - By denying unauthenticated requests to DCOM, this exploit would have been mitigated
  - The /GS Switch and/or NX would have prevented this exploit by preventing the unchecked buffer from being exploited
- W32.Sasser.worm
  - Windows Firewall, by default, blocks the ports required to exploit this vulnerability
  - The /GS Switch and/or NX would have prevented this exploit by preventing the unchecked buffer from being exploited
- Mydoom and
  - Attachment Manager would have blocked Mydoom had an infected been opened in Outlook Express
- Various spoofing and phishing attacks on the Internet
  - The new IE Popup Blocker and new limitations on script-initiated windows would have eliminated many of these attacks

Application Compatibility
Functional Area: Compatibility Status
- Attachment Handler: User experience modified
- Windows Firewall: Few apps → proper configuration required
- DCOM & RPC
- NX & /GS
- Other components
- Internet Explorer: Some apps → proper configuration required
The vast majority of application compatibility issues are mitigated through configuration of SP2 security options
Very few issues require code changes

Summary
- More Secure
  - “Shields-up” approach
  - Reduced attack surface area
- More Resilient
  - Network Protection
  - Data Execution Prevention
  - Greater user control when Browsing
  - More Secure and Instant Messaging
- More Manageable
  - Enhancements to Group Policy to provide more granular control
  - Reduced urgency in patching vulnerabilities due to defence in depth
- More Visible
  - Windows Security Center – enhanced security information
  - Internet Explorer UI enhancements provide more information
A major step forward on a long journey

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.