
1 Microsoft Windows XP SP2 for Developers
Rafal Lukawiecki, rafal@projectbotticelli.co.uk
Strategic Consultant, Project Botticelli Ltd
This session is based on material from course 2853 and from my friend Steve Riley

2 Objectives
- Give a brief overview of SP2
- Discuss, in depth, what developers need to do to comply with SP2 and even benefit from it

3 Brief Overview

4 What is SP2?
- All the usual stuff, of course: post-SP1 hotfixes (with more regression testing)
- New security technologies: network protection, memory protection, safer e-mail handling, more secure browsing, improved computer maintenance
- Some updated features

5 SP2 Security Goals
- Increase the security resiliency and manageability of Windows XP
- Decrease the end-user security burden: more secure out of the box
- Reduce the damage done by worms and viruses even if updates are not installed
- Make attackers work harder

6 Windows Firewall Enhancements
- Better UI
- On by default
- Boot-time security
- Multiple configurations and profiles
- Exceptions list (exceptions can be disallowed altogether)
- Local subnet restrictions
- Command-line (netsh) and better Group Policy management
- Unattended setup

7 Windows Firewall: New user interface

8 Windows Firewall: Per-interface configuration

9 Windows Firewall: Adding programs or ports

10 Windows Firewall: Exceptions can be disallowed

11 Windows Firewall: Group Policy settings

12 Are you sick of "are you sick of"?

13 Internet Explorer: Managing pop-ups

14 Internet Explorer: Pre-SP2 IE ActiveX warning

15 Internet Explorer: New IE ActiveX notice

16 Internet Explorer: Controlling add-ons

17 Outlook Express: Blocking attachments

18 In-Depth Discussion

19 Windows XP SP2
- Windows Firewall Application Permissions List
- DCOM Enhancements
- Secure RPC Calls
- Memory Protection
- Safer E-mail Execution
- Enhanced Browser Security
- Improved Computer Maintenance

20 Integration of Visual Studio 2005 with Windows XP SP2
All products from Visual Studio 2005 onwards:
- Will be designed to work well on Windows XP SP2
- Will enable developers to take full advantage of the security enhancements in Windows XP

21 Impact on Visual Studio .NET 2002, Visual Studio .NET 2003, and the .NET Framework 1.1
- .NET Framework 1.0 and 1.1, Visual Studio .NET 2002 and 2003: will be serviced to enable developers to take advantage of Windows XP SP2 enhancements
- .NET Framework service packs that take advantage of Execution Protection (DEP) will ship in the Windows XP SP2 RTM timeframe
- Tools released prior to VS.NET 2002 will not be serviced to address XP SP2
- Features affected by SP2: Visual SourceSafe, Visual Studio .NET Analyzer, SQL debugging, and remote debugging

22 Impact of Increased Network Protection on Applications
- "On With No Exceptions" feature of Windows Firewall
- Configuration settings in Windows Firewall
- Ability to configure the Application Permissions List in Windows Firewall
- Netsh commands to script configuration changes to Windows Firewall
- Effects of Windows Firewall on IPv4 inbound and outbound connections
- Effects of Windows Firewall on IPv4 inbound connections on RPC and DCOM ports

23 How Windows Firewall Affects Applications
Feature: effect on applications
- On by default: creates application incompatibility if the application does not work behind stateful filtering by default (unsolicited inbound traffic is dropped unless an exception exists)
- Boot-time security: if the Windows Firewall service fails to start, an administrator will not be able to remotely troubleshoot the issue because all ports will be closed
- Global configuration: makes it easier for users to manage their firewall policy across all network connections
- Local subnet restriction: restricts the scope of who can reach a port
- Multiple profiles: an application that needs to work on both the Internet and a trusted network might not work because the two profiles might not carry the same policy

24 How to Add Applications to Windows Firewall
Administratively
- On the Exceptions tab in the Windows Firewall dialog box, click Add Program
- If you do not find the program, you can open a port instead
Programmatically
- ISVs should place applications that act as network listeners on the Windows Firewall exceptions list during installation (the NetFwTypeLib type library: INetFwAuthorizedApplication added to the profile's AuthorizedApplications collection)

25 Netsh Commands to Script Configuration of Windows Firewall (netsh firewall context)
- add allowedprogram: adds excepted traffic by specifying the program's file name
- delete allowedprogram: deletes an existing allowed program
- add portopening: adds excepted traffic by specifying a TCP or UDP port
- set portopening: modifies the settings of an existing open TCP or UDP port
- delete portopening: deletes an existing open TCP or UDP port
- set service: allows or drops file and printer sharing, remote administration, remote desktop, and UPnP traffic
- set opmode: specifies the operating mode of Windows Firewall, either globally or for a specific connection (interface)
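The programmatic route from slide 24 and the netsh route from slide 25, worked through as an added example that is not part of the original deck. It uses the HNetCfg.FwMgr COM API that XP SP2 ships (PowerShell drives it here; the same calls work from C++, VBScript or an installer custom action). The executable path and display name are placeholders. It scopes the exception to the local subnet, which is what a listener that only serves the LAN should ask for, and it checks the two states that make an exception ineffective: the firewall being off and "On with no exceptions" being in force.

```powershell
# Added example, not from the deck: put a network listener on the Windows
# Firewall exceptions list through the HNetCfg.FwMgr COM API exposed by
# XP SP2, scoped to the local subnet, then verify the result.
# The executable path and display name below are placeholders.
$exePath     = 'C:\Program Files\Contoso\ListenerSvc.exe'   # assumed path
$displayName = 'Contoso Listener (example)'

$fwMgr     = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile      # INetFwProfile for the active profile

if (-not $fwProfile.FirewallEnabled) {
    Write-Warning 'Windows Firewall is off for the current profile; nothing is being filtered.'
}
if ($fwProfile.ExceptionsNotAllowed) {
    # "On with no exceptions" is in force: the entry can still be added, but it is
    # ignored until an administrator clears that setting.
    Write-Warning 'Exceptions are disallowed on this profile; the entry will not take effect yet.'
}

$already = @($fwProfile.AuthorizedApplications |
             Where-Object { $_.ProcessImageFileName -ieq $exePath })

if ($already.Count -eq 0) {
    $app = New-Object -ComObject HNetCfg.FwAuthorizedApplication
    $app.Name                 = $displayName
    $app.ProcessImageFileName = $exePath
    $app.IpVersion            = 2        # NET_FW_IP_VERSION_ANY
    $app.Scope                = 1        # NET_FW_SCOPE_LOCAL_SUBNET: no exposure beyond the LAN
    $app.Enabled              = $true
    $fwProfile.AuthorizedApplications.Add($app)
}

# Report what the policy now says for this program
# (Scope 0 = all addresses, 1 = local subnet, 2 = custom list in RemoteAddresses).
$fwProfile.AuthorizedApplications |
    Where-Object { $_.ProcessImageFileName -ieq $exePath } |
    Select-Object Name, ProcessImageFileName, Enabled, Scope, RemoteAddresses

# The same change from a setup script, using the netsh syntax on slide 25:
#   netsh firewall add allowedprogram program="C:\Program Files\Contoso\ListenerSvc.exe" name="Contoso Listener" mode=ENABLE scope=SUBNET profile=ALL
```

Adding the program rather than a port is the better default: the hole follows the executable and closes when it exits, whereas an open port stays open for whatever binds it next. Reserve a port exception for servers that cannot be identified by image name.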

26 Impact of Memory Protection and E-mail Handling Technologies on Applications
- Data Execution Prevention (DEP, using the processor's NX/XD bit)
- Attachment Execution Service

27 How Data Execution Prevention Impacts Applications
Application compatibility
- DEP causes compatibility issues for applications that perform dynamic code generation and do not explicitly mark the generated code as executable (for example JIT compilers or unpackers that write code into PAGE_READWRITE memory and jump to it; the pages must be allocated or re-protected with an execute permission such as PAGE_EXECUTE_READ)
System compatibility
- On processors that support NX, DEP requires the kernel to run in PAE mode. Systems and drivers that were never designed for PAE (physical addresses above 4 GB) may fail to boot or show other stability problems once PAE is switched on

28 How Attachment Execution Service Impacts Applications
- Applies to any developer producing e-mail or chat client software
- Internally, Attachment Execution Service gives each attachment a risk rating based on its extension, content type, and registered handlers
- The risk rating is mapped to a policy checked using Internet Explorer zones (Restricted, Internet, Intranet, Local Machine, Trusted)
- Does not provide any workaround to subvert the process or the protection

29 How the Local Machine Zone Lockdown Feature Affects Web Applications
Effect of the Local Machine Zone Lockdown feature
- Impacts applications that host local HTML files in Internet Explorer (script and ActiveX in the Local Machine zone no longer run freely)
- Does not impact developers of Web sites that are hosted in the Internet or Local Intranet zones
- Applies to iexplore.exe (and explorer.exe) by default; applications that host the WebBrowser control must register their executable name under the FEATURE_LOCALMACHINE_LOCKDOWN feature control key if they want the same protection against malicious local code
Overcoming restrictions caused by the Local Machine Zone Lockdown feature
- Save your content as an HTA file
- Add a "Mark of the Web" comment to your HTML pages so they render in the Internet (or Intranet) zone instead
- Create a separate application that hosts the HTML content in the Internet Explorer WebBrowser control (WebOC)
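The "Mark of the Web" option above is the one most often got wrong, because the number in parentheses has to be the exact character count of the URL that follows it. The function below, an added example rather than anything from the deck, stamps a local HTML file with a correct mark; the file path is a placeholder.

```powershell
# Added example, not from the deck: give a local HTML file a Mark of the Web so
# that Internet Explorer on XP SP2 renders it in the Internet zone (with that
# zone's restrictions) instead of the locked-down Local Machine zone.
function Add-MarkOfTheWeb {
    param(
        [string]$Path,
        [string]$Url = 'about:internet'   # generic mark; the page's real origin URL is also valid
    )
    # IE reads the four-digit number as the exact character count of the URL that
    # follows; a wrong count makes IE ignore the mark silently.
    $motw = '<!-- saved from url=({0:D4}){1} -->' -f $Url.Length, $Url

    $html = [System.IO.File]::ReadAllText($Path)
    if ($html -match 'saved from url=\(\d{4}\)') {
        Write-Host "$Path already carries a Mark of the Web"
        return
    }
    # The comment must precede the <html> element; keep any DOCTYPE in front of it.
    if ($html -match '(?is)^\s*<!DOCTYPE[^>]*>') {
        $doctype = $matches[0]
        $html    = $doctype + "`r`n" + $motw + $html.Substring($doctype.Length)
    } else {
        $html = $motw + "`r`n" + $html
    }
    [System.IO.File]::WriteAllText($Path, $html)
}

# Usage with a placeholder path (assumed):
Add-MarkOfTheWeb -Path 'C:\Program Files\Contoso\Help\index.htm'
# First line of the file afterwards:  <!-- saved from url=(0014)about:internet -->
```

Note what the mark does and does not buy you: the page gains the Internet zone's script and ActiveX permissions, which is exactly why the lockdown exists. Content that genuinely needs local privileges belongs in an HTA or a hosting application, not behind a mark.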

30 New Internet Explorer-Related Registry Settings
Setting: purpose
- URLACTION_FEATURE_MIME_SNIFFING: controls whether a file may be promoted from one type to another based on a "MIME sniff" (SP2 stops content being promoted to a more dangerous type than the one it was served as)
- URLACTION_FEATURE_ZONE_ELEVATION: mitigates many privilege-escalation attacks in which content in one zone navigates to or scripts a more privileged zone
- URLACTION_FEATURE_WINDOW_RESTRICTIONS: restricts script-initiated pop-up windows and requires them to keep their title and status bars, so a script cannot hide or spoof browser chrome

31 How the Pop-up Manager Affects Web Applications
Effects of the Pop-up Manager
- Affects the behaviour of windows opened by Web sites, for example those opened using window.open(), window.showModelessDialog(), window.showModalDialog(), window.navigateAndFind(), and showHelp()
- Provides the INewWindowManager interface, which allows applications using the Internet Explorer rendering engine to: display HTML to use or extend Pop-up Manager functionality; use their own pop-up manager; or disable the Pop-up Manager

32 Procedure: Using Windows Firewall with SQL Server 7 and MSDE 1.0
- Determine the port number
- Enable networking by using one of the following methods:
  - Add the TCP port as an exception
  - Add the SQL Server program as an exception
  - Enable named pipes and/or multi-protocol over named pipes

33 Methods: Windows Firewall with SQL Server 2000 and MSDE 2000
- Add the TCP port as an exception: adds the port on which SQL Server listens to the Windows Firewall exceptions list
- Add the SQL Server program as an exception: enables SQL Server to listen on any port

34 Other SQL Server Components
You also need to configure the firewall for:
- SQLXML
- SQL Browser Service
- SQL Server 2000 and MSDE 2000 Service Pack 3a
- MSDTC
- SQL Server Analysis Services
- SQL Server Reporting Services
- SQL Server Agent
- SQL Server Replication
See "References" at the end of the session

35 RPC Enhancements
- Windows Firewall allows only processes running in the Local System, Network Service, or Local Service security context to open ports for RPC communication
- The RestrictRemoteClients registry key by default eliminates remote anonymous access to RPC interfaces on the system, with some exceptions
- EnableAuthEpResolution enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a Windows XP SP2 system

36 The RestrictRemoteClients Registry Key Values
The RestrictRemoteClients registry key forces RPC to perform additional security checks for all interfaces, even if an interface has no registered security callback
- RPC_RESTRICT_REMOTE_CLIENT_NONE (0): bypasses the new RPC interface restriction (pre-SP2 behaviour)
- RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1): rejects remote anonymous calls to all RPC interfaces, except interfaces registered with RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH and the named-pipe transport; this is the SP2 default
- RPC_RESTRICT_REMOTE_CLIENT_HIGH (2): rejects all remote anonymous RPC calls, with no exemption for interfaces that asked for one

37 Methods to Resolve RPC Incompatibilities
- Require your RPC clients to use RPC security when contacting your server application (the preferred fix)
- Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration (RpcServerRegisterIfEx), and then do your own checks in a security callback
- Force RPC to exhibit the same behaviour as earlier versions of Windows by setting the registry key to RPC_RESTRICT_REMOTE_CLIENT_NONE (0); this reopens every RPC interface on the machine to anonymous remote callers and should be a last resort

38 Purpose of EnableAuthEpResolution
Issues with resolving an endpoint
- Anonymous calls to the endpoint mapper interface fail by default on Windows XP SP2 because of the default value of the new RestrictRemoteClients key
- It is therefore necessary to modify the RPC client runtime to perform an authenticated query to the endpoint mapper
EnableAuthEpResolution registry setting
- Ensures that all endpoint mapper queries performed on behalf of authenticated calls are performed using NTLM or Kerberos authentication
- Enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a computer running Windows XP SP2
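The two registry values from slides 35 to 38, inspected and set from PowerShell, as an added example that is not part of the deck. Both live under the RPC policy key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc and are read when the RPC runtime starts, so a change needs a reboot. The function names are the example's own.

```powershell
# Added example, not from the deck: read and set the XP SP2 RPC hardening values.
$rpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

$restrictNames = @{ 0 = 'RPC_RESTRICT_REMOTE_CLIENT_NONE (pre-SP2 behaviour)'
                    1 = 'RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (remote anonymous calls rejected unless the interface opts out)'
                    2 = 'RPC_RESTRICT_REMOTE_CLIENT_HIGH (remote anonymous calls always rejected)' }

function Get-RpcRestrictionState {
    # XP SP2 behaves as DEFAULT (1) when the value is absent, and authenticated
    # endpoint-mapper resolution is off (0) when its value is absent.
    $restrict = 1
    $authEp   = 0
    if (Test-Path $rpcKey) {
        $p = Get-ItemProperty -Path $rpcKey
        if ($p.RestrictRemoteClients  -ne $null) { $restrict = [int]$p.RestrictRemoteClients }
        if ($p.EnableAuthEpResolution -ne $null) { $authEp   = [int]$p.EnableAuthEpResolution }
    }
    New-Object PSObject -Property @{
        RestrictRemoteClients  = $restrict
        Meaning                = $restrictNames[$restrict]
        EnableAuthEpResolution = ($authEp -eq 1)
    }
}

function Set-RpcRestriction {
    param([int]$RestrictRemoteClients = 1, [bool]$EnableAuthEpResolution = $true)
    if ($RestrictRemoteClients -lt 0 -or $RestrictRemoteClients -gt 2) {
        throw 'RestrictRemoteClients must be 0, 1 or 2'
    }
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    Set-ItemProperty -Path $rpcKey -Name RestrictRemoteClients  -Value $RestrictRemoteClients -Type DWord
    Set-ItemProperty -Path $rpcKey -Name EnableAuthEpResolution -Value ([int]$EnableAuthEpResolution) -Type DWord
    Write-Warning 'The RPC runtime reads these values at startup; restart before relying on the change.'
}

Get-RpcRestrictionState
# Keep the SP2 default (1) but make this machine's RPC clients authenticate to the
# endpoint mapper, so they can still resolve dynamic endpoints on other SP2 systems:
Set-RpcRestriction -RestrictRemoteClients 1 -EnableAuthEpResolution $true
# Setting RestrictRemoteClients to 0 restores pre-SP2 behaviour and should be a last resort.
```

EnableAuthEpResolution is a client-side setting: it changes how this machine's RPC clients query a remote endpoint mapper. Fixing a server that rejects your callers is done on the server side, either by requiring authentication or, interface by interface, with RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, not by lowering RestrictRemoteClients.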

39 Windows XP SP2 and DCOM
Windows XP SP2 DCOM security enhancements
- Computer-wide restrictions to DCOM
- Granular COM permissions

40 DCOM in Windows XP SP2: Computer-Wide Restrictions to DCOM
- Adds computer-wide access controls that govern access to all call, activation, or launch requests on a computer
- Creates an additional AccessCheck, evaluated before the per-application check
- Provides a minimum authorization bar that must be passed to access any COM server on the computer
- Provides a computer-wide ACL for launch permissions (covering activation and launch) and one for access permissions (covering calls)
- The computer-wide ACLs override weak security settings specified by a specific application through CoInitializeSecurity

41 Granular COM Permissions
Separating call and activation permissions
- Windows XP SP2 changes COM to separate the call and activation permissions and moves the activation permissions from the Access Permission ACL to the Launch Permission ACL
- Launch Permission ACLs can be split into Local Launch (LL), Remote Launch (RL), Local Activate (LA), and Remote Activate (RA) permissions
Local and remote permissions
- Administrators have the flexibility to control a computer's COM permission policy based on the concept of "distance"
- Local is defined as the COM message arriving via the LRPC protocol, while remote COM messages arrive via a remote RPC protocol such as TCP/IP

42 Implications of Granular COM Permissions on Custom Applications
- For COM applications that use the default security settings, there are no compatibility issues
- Most applications that are dynamically started by COM activation will have no compatibility issues, because the launch permissions must already include anyone who is able to activate an object
- Applications that are started by other means, such as Windows Explorer or the Service Control Manager, can have compatibility issues: callers who previously needed only access permission now also need activation permission in the Launch Permission ACL
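The computer-wide limits from slide 40 and the LL/RL/LA/RA split from slide 41 can be read off a machine directly. SP2 stores them as binary security descriptors in the MachineLaunchRestriction and MachineAccessRestriction values under HKLM\SOFTWARE\Microsoft\Ole; the script below, an added example that is not part of the deck, decodes each ACE into the named rights. The access-mask bits are the COM_RIGHTS_* constants from the SDK; the function name is the example's own.

```powershell
# Added example, not from the deck: decode the computer-wide DCOM limits that
# XP SP2 stores as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole.
# When a value is absent, COM applies its built-in SP2 defaults.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM_RIGHTS_* bits from the SDK. EXECUTE (1) is the pre-SP2 catch-all right.
$launchRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivate'; 16 = 'RemoteActivate' }
$accessRights = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess' }

function Get-DcomMachineRestriction {
    param([string]$ValueName, [hashtable]$RightNames)
    $p     = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue
    $bytes = $p.$ValueName                     # REG_BINARY comes back as byte[]
    if ($bytes -eq $null) {
        Write-Host "$ValueName not set: COM uses its built-in SP2 defaults"
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        $names = @()
        foreach ($bit in ($RightNames.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $names += $RightNames[$bit] }
        }
        New-Object PSObject -Property @{
            Value   = $ValueName
            AceType = $ace.AceType       # AccessAllowed or AccessDenied
            Account = $who
            Rights  = ($names -join ', ')
        }
    }
}

# Launch Permission ACL covers launch and, since SP2, activation; Access Permission ACL covers calls.
Get-DcomMachineRestriction -ValueName MachineLaunchRestriction -RightNames $launchRights
Get-DcomMachineRestriction -ValueName MachineAccessRestriction -RightNames $accessRights
```

A stock SP2 machine shows Administrators with all four launch rights and Everyone with LocalLaunch and LocalActivate only, and on the access side Everyone with LocalAccess and RemoteAccess plus ANONYMOUS LOGON with LocalAccess. Any ACE granting RemoteLaunch or RemoteActivate to Everyone is a finding worth explaining, because it reopens the exposure SP2 set out to close.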

43 Remember the Challenge
- Usability vs. security
- SP2 is a significant shift towards security
- A lot of work has been done on overcoming usability issues
- But the challenge of this balance remains

44 Summary
- SP2 gives a wide range of security improvements
- SP2 forces developers to be more security-conscious
- Most applications will run "as is"
- Applications that use features impacted by the Service Pack need to be serviced themselves

45 References & More
- msdn.microsoft.com
- Microsoft training course 2853
- Developer resources, including training: http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx
- Learn more about Service Pack 2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
- Changes to functionality (always updated): http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
- Deploying Service Pack 2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Microsoft IT Forum in Copenhagen, November 2004

46 © 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

