
1 Improving Resiliency Service Pack 2

2 What is SP2?
 All the usual stuff of course
   Post-SP1 hotfixes (more regression testing)
 New security technologies
   Network protection
   Memory protection
   Safer handling
   More secure browsing
   Improved computer maintenance

3 Security goals
 Increase the security resiliency of Windows XP
 Reduce damage of worms and viruses even if updates are not installed
 Make attackers work harder

4 Defense in depth
 Networks: routers, firewalls, VLANs, subnetting
 Hosts: IPsec, access control lists
 Applications and data: authentication, authorization, rights management, access control lists, execution partitions
 Users: Uhh…

5 Network protection
 Windows Firewall
 RPC interface restrictions
 DCOM security enhancements

6 WF—changes
 Enhanced multicast and broadcast support
 Updated NETSH helper for IPv6 WF
 Updated user interface
 New group policy support

7 Windows Firewall: Updated user interface
What is it?
 New dialogs and settings
 Final UI still under design
Why do it?
 Necessary for new configuration options
What’s different?
 Now a control panel applet
How do I fix it?
 No need


9 Windows Firewall: Enhanced multicast and broadcast
What is it?
 If WF receives incoming multicast or broadcast traffic, it allows, for three seconds, a response from any source address to the originating port
Why do it?
 Allows responses without adding client applications to permissions lists
What’s different?
 Incoming broadcast and multicast traffic now passes through WF without manual configuration
How do I fix it?
 No need

10 Windows Firewall: New group policy support
What is it?
 More objects for better control
 Operational mode, allowed programs, opened ports (static), ICMP settings, enable RPC
Why do it?
 Better management between corporate and standard profiles
What’s different?
 IPv4 only (IPv6 still just on/off)
 Final GPOs might change
How do I fix it?
 No need

11 WF—new features
 On by default
 Multiple profiles
 WF permissions list
 Local subnet restriction
 Global and per-interface configurations
 Boot time security
 Command-line support
 Shielded operational mode
 RPC support

12 Windows Firewall: On by default
What is it?
 WF on by default on all interfaces
 New installations and upgrades
 Enabled when new interfaces are added
Why do it?
 Configuring WF proved to be too difficult
 Default configuration provides good protection against worms (e.g., Blaster)
What’s different?
 Certain applications might require special WF settings
How do I fix it?
 Developer documentation: WF API

13 Windows Firewall: Multiple profiles
What is it?
 Location-based profiles: one when connected to a corporate network, another when connected to the Internet
Why do it?
 Can have a more relaxed profile when corp-attached and a more restrictive profile when traveling
What’s different?
 Computer must be domain-joined
 Listening applications might need to be on both profiles
How do I fix it?
 No need


15 Windows Firewall: Permissions list
What is it?
 Applications that need to open listening ports
Why do it?
 Allows application to run in lower security context
 Only local administrator can add to list
 Ports remain open only while application is running
What’s different?
 Any app that listens must be on the list
How do I fix it?
 No need


17 Windows Firewall: Local subnet restriction
What is it?
 Can restrict port opening to local subnet address range
 Is the default for file sharing ports
Why do it?
 More granularity—allows local subnet communication but not to/from Internet
What’s different?
 Enabling “file and printer sharing” applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp
How do I fix it?
 Developer documentation: WF API, if application can’t work with restriction


19 Windows Firewall: Global configuration
What is it?
 Configuration changes apply to all interfaces (including new interfaces)
 Per-interface configuration still possible
Why do it?
 Easier to synchronize policy across multiple interfaces
 New interfaces get a policy when created
What’s different?
 Global plus local configs
How do I fix it?
 Developer documentation: WF API


21 Windows Firewall: Boot time security
What is it?
 New static filtering policy at boot time
 Permits DNS, DHCP, Netlogon
 WF policy applied after logon
Why do it?
 Closes hole that existed after boot but before policy application
What’s different?
 Nothing
How do I fix it?
 No need

22 Windows Firewall: Command-line support
What is it?
 Add WF configuration to NETSH utility
 Default state, open ports, global or per-interface, subnet restrictions, logging options, ICMP handling, application permissions
Why do it?
 Best method for logon scripts and group policy
What’s different?
 Nothing—new functionality
How do I fix it?
 No need
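The logon script below is an added example, not part of the deck. It uses the `netsh firewall` context syntax of the released XP SP2 (this deck predates the final release, so the pre-release build it describes may have differed), and walks through the features of slides 11 to 22: on by default per profile, the shielded (no exceptions) mode, the permissions list with a local-subnet scope, the file and printer sharing restriction, ICMP handling, the multicast/broadcast response window and logging. The program path and port 8443 are constructed placeholder values.

```batch
@echo off
rem Added example (not from the deck): configure XP SP2 Windows Firewall
rem from a logon script via the netsh firewall context. Run as a local
rem administrator; only administrators may change the permissions list.

rem --- Operational mode -----------------------------------------------
rem Firewall on for both profiles. "exceptions = DISABLE" on the standard
rem (non-corporate) profile is the shielded mode: every inbound request
rem is dropped, including those on the permissions list.
netsh firewall set opmode mode = ENABLE exceptions = ENABLE  profile = DOMAIN
netsh firewall set opmode mode = ENABLE exceptions = DISABLE profile = STANDARD

rem --- Permissions list (application-based) --------------------------
rem The listening port opens only while this program runs, and only for
rem peers on the local subnet (scope = SUBNET). Path is a placeholder.
netsh firewall add allowedprogram program = "C:\Program Files\ExampleApp\exampleapp.exe" name = "Example App" mode = ENABLE scope = SUBNET profile = DOMAIN

rem --- Static port opening (service-based) ---------------------------
rem For a service whose port must stay open regardless of process state.
rem Port 8443 is a constructed example value.
netsh firewall add portopening protocol = TCP port = 8443 name = "Example Service" mode = ENABLE scope = SUBNET profile = DOMAIN

rem --- Built-in exception with the local subnet restriction ----------
rem FILEANDPRINT covers the ports listed on slide 17 and defaults to the
rem local subnet; stating scope = SUBNET keeps it that way on the
rem corporate profile, and the exception is off entirely when travelling.
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = SUBNET profile = DOMAIN
netsh firewall set service type = FILEANDPRINT mode = DISABLE profile = STANDARD

rem --- ICMP: answer echo requests (type 8) only on the corporate profile
netsh firewall set icmpsetting type = 8 mode = ENABLE  profile = DOMAIN
netsh firewall set icmpsetting type = 8 mode = DISABLE profile = STANDARD

rem --- The three-second multicast/broadcast response window (slide 9)
rem is on by default; turn it off on the travelling profile, where no
rem such peers are expected.
netsh firewall set multicastbroadcastresponse mode = DISABLE profile = STANDARD

rem --- Log dropped packets so blocked traffic can be reviewed later ----
netsh firewall set logging filelocation = "%windir%\pfirewall.log" maxfilesize = 4096 droppedpackets = ENABLE connections = DISABLE

rem --- Verify: effective state and the full configuration ------------
netsh firewall show state
netsh firewall show config
```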

23 Windows Firewall: RPC support
What is it?
 WF watches as RPC apps register ports
 Allows incoming requests only if service is running as Local System, Network Service, or Local Service
Why do it?
 Can control which RPC services are exposed to the network
 Better than granting permissions to SVCHOST.EXE
What’s different?
 Must do this for RPC—WF blocks all RPC by default
How do I fix it?
 Developer documentation: WF API to automate

24 WF—Inbound APIs
 IPv4 inbound connections for applications and services
 IPv4 inbound connections on RPC and DCOM ports

25 Windows Firewall: Inbound applications (IPv4)
Issue
 Application needs to bind to a socket and accept inbound requests
Do this
 Call INetFwV4AuthorizedApplication as either enabled or disabled
 Provide image file name, friendly name, and whether all traffic or local subnet
Notes
 When application starts, WF dynamically opens ports
 App must run as local admin to add to list, but can run in any context later
 Apps should get user consent
 Cannot add SVCHOST.EXE

26 Windows Firewall: Inbound services (IPv4)
Issue
 Service ports usually need to remain open always
Do this
 Call INetFwV4OpenPort as either enabled or disabled
 Provide port number, protocol, friendly name, and whether all traffic or local subnet
Notes
 When service starts, WF opens ports
 Service must run as local admin
 Limit to local subnet whenever possible
 Service should get user consent
 Service should close ports if disabled

27 Windows Firewall: Inbound RPC/DCOM (IPv4)
Issue
 RPC handled by WF’s new RPC awareness
Do this
 Call INetFwV4Profile
 Set AllowRpcPorts to “true”
Notes
 App or service must run as local admin to enable RPC, but can run as admin, network service, or local service later
 App or service should get user consent
 Service should close ports if disabled

28 RPC restrictions
 Restrict remote clients
 Require authentication to endpoint mapper (135/tcp)
 New interface registration flags

29 RPC restrictions: Restricting remote clients
What is it?
 RestrictRemoteClients registry key to enforce authentication
 Remote anonymous calls to RPC interfaces now rejected by default
Why do it?
 Useful mitigation against worms that rely on exploitable buffer overruns invoked through anonymous connections
What’s different?
 Apps that expect anonymous calls might be affected
How do I fix it?
 Require clients to use RPC security
 Exempt interface from authentication using exemption flag

30 RPC restrictions: Endpoint mapper authentication
What is it?
 Clients always contact EP mapper anonymously
 If client restrictions are set, clients also won’t be able to contact EP mapper
Why do it?
 Setting EnableAuthEpResolution key tells RPC client to use NTLM authentication to EP mapper
What’s different?
 Both peers will need XP SP2
How do I fix it?
 No need
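An added example, not from the deck, that sets the two registry values named on slides 29 and 30 with `reg.exe`. The key path (the RPC policy key under HKLM\SOFTWARE\Policies) is the location used by the released SP2 and is an assumption here, since the deck gives only the value names; the value meanings follow the shipped documentation.

```batch
@echo off
rem Added example (not from the deck). Sets the RPC restriction values
rem named on slides 29 and 30. Key path is the policy location used by
rem the released SP2 (assumption: the deck names only the values).
set RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

rem RestrictRemoteClients
rem   0 = pre-SP2 behaviour: anonymous remote calls reach the interface
rem       (the weak setting; use only while triaging a broken app)
rem   1 = SP2 default: anonymous remote calls rejected unless the
rem       interface was registered with the exemption flag
rem   2 = reject every anonymous remote call; exemption flag ignored
reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem EnableAuthEpResolution
rem   1 = client authenticates (NTLM) to the endpoint mapper on 135/tcp,
rem       so endpoint resolution still works against a server that
rem       enforces RestrictRemoteClients. Both peers need SP2 (slide 30).
reg add "%RPCKEY%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

rem Read back what is now in effect
reg query "%RPCKEY%" /v RestrictRemoteClients
reg query "%RPCKEY%" /v EnableAuthEpResolution
```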

31 RPC restrictions: New interface registration flags
What is it?
 Three new flags for developers to use in applications
Why do it?
 Provide additional security tools to make RPC better
What’s different?
 No effect on existing RPC applications
How do I fix it?
 No need

32 RPC restrictions: New interface registration flags
 RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
   RPC runtime invokes registered security callback for all calls
   Without: RPC rejects all unauthenticated calls before reaching security callback
 RPC_IF_SEC_NO_CACHE
   Disables security callback caching
 RPC_IF_LOCAL_ONLY
   Reject remote client calls
   Reject local calls over all ncadg_* protocols
   Reject all calls over ncacn_* protocols (except…)
   Reject all calls over ncacn_np if not from SVR
   Allow ncalrpc calls

33 DCOM enhancements
 Computer-wide restrictions
 More specific COM permissions

34 DCOM enhancements
 Don’t apply to in-process COM
 Apply if your DCOM server meets any:
   Access permission for app is less stringent than permission necessary to run it
   App is usually activated on a Windows XP computer by a remote COM client not using administrative account
   App uses unauthenticated remote callbacks
   App is meant to be used locally

35 DCOM enhancements: Computer-wide restrictions
What is it?
 Computer-wide access controls that govern access to all DCOM requests on the computer
 An additional AccessCheck against the ACL on each call, activation, or launch of any COM server
Why do it?
 Minimum authorization bar that must be passed to access COM servers
 Allows administrators to override weak security settings in an application’s CoInitializeSecurity
 ACLs checked when interfaces exposed by RPCSS are accessed

36 DCOM enhancements: Computer-wide restrictions
Permission table (columns: Administrator, Everyone, Anonymous)
 Launch: Local launch, Local activate, Remote launch, Remote activate
 Access: Local call, Remote call

37 DCOM enhancements: Computer-wide restrictions
What’s different?
 Local scenarios will continue to work
 Most COM client scenarios will continue to work
 Unauthenticated remote calls will break
 Only administrators can remotely activate and launch
How do I fix it?
 Don’t write apps that require remote activation by non-admin client or remote unauthenticated calls!
 Can change new defaults with registry keys

38 DCOM enhancements: More specific COM permissions
What is it?
 Distinguish COM access rights based on distance: local (LRPC), remote (e.g., RPC over TCP)
Why do it?
 Create precise COM permission policy
 Restrict app so it can only be used locally
What’s different?
 Launch/activate ACEs: LL, RL, LA, RA
 Access (call) ACEs: LC, RC
 Generally backward-compatible; some specific ACL alterations might be needed
How do I fix it?
 Search MSDN on “LaunchPermission”

39 Memory protection
 Execution protection (NX)

40 Memory protection: NX—“no execute”
 Prevents code execution in data pages:
   Default heap
   Various stacks
   Memory pools
 Both user and kernel modes
 Requires developers to explicitly mark pages as executable

41 Memory protection: NX—“no execute”
 OS feature that relies on processor hardware to mark memory
 Functions on a per-VM page basis
 Common: change a bit in the page table entry to mark the page
 Affects apps that:
   Perform just-in-time code generation
   Execute memory from default process stack or heap

42 Memory protection: NX—“no execute”
 Hardware implementation varies by processor
 Processor must raise exception when code executes from disallowed page
 Current processor support
   AMD K8 (32-bit Windows)
   Intel Itanium (64-bit Windows)

43 Memory protection: 64-bit Windows
What is it?
 Applications expected to function with NX enabled by default!
 Protected areas
   Stack
   Paged pool
   Session pool
   Default process heap
 Can’t be disabled
 To allocate virtual memory—
   Call VirtualAlloc() with one of the PAGE_EXECUTE_* attributes

44 Memory protection: 32-bit Windows
What is it?
 User mode
   AMD processors with “physical address extension” mode enabled
   Investigating per-application methods to disable or enable NX
   Result: unhandled exception; app terminates with STATUS_ACCESS_VIOLATION (0xC0000005)
 Kernel mode
   Only to the stack by default
   Can’t be enabled/disabled on per-driver basis
   Result: bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

45 Memory protection: All versions
Why do it?
 Many worms and viruses execute code from data pages
 NX reduces impact—can’t spread now
 Encourages good software engineering
What’s different?
 Apps that perform dynamic code execution might break
 Drivers that expect 64-bit addressing or >4 GB RAM in PAE mode might break
 Drivers that do DMA transfers might break
How do I fix it?
 Mark generated code with an execute permission
 Update apps that execute from stack, default process heap, or dedicated heap
 DMA transfers are double-buffered

46 More secure browsing
 Add-on management and crash detection
 Binary behaviors security settings
 BindToObject mitigation
 MSJVM security setting
 Local machine zone lockdown

47 More secure browsing
 MIME handling enforcement
 Object caching
 Pop-up manager
 Untrusted publishers mitigations
 Window restrictions
 Zone elevation blocks

48 More secure browsing: Add-on management
What is it?
 View and control all IE add-ons, including ones previously difficult to detect
   Browser helper objects
   ActiveX controls
   Toolbar extensions
   Browser extensions
 Status bar and balloon notifications
Why do it?
 Error reporting data shows add-ons create significant instability
 Many pose security risks

49 More secure browsing: Add-on management
What’s different?
 Disabled add-ons not removed; IE simply won’t instantiate them
 Applies only to IEXPLORE.EXE and EXPLORER.EXE
 Other programs based on IE components won’t respect disabled state
How do I fix it?
 Use “Manage Add-ons” to restore broken functionality
 Restart IE


51 More secure browsing: Add-on admin control
 Can alter user control of add-ons through registry key (apply with GPO)
   Normal: user has full control (default)
   AllowList: admin specifies which add-ons are allowed; users can’t change
   DenyList: admin specifies which add-ons are denied; users can run others

52 More secure browsing: Add-on crash detection
 Crash detection program launches when IE crashes; collects:
   List of DLLs that are loaded
   Value of instruction pointer (EIP)
 Finds DLL whose memory range the EIP lies within; DLL must be:
   Non-system
   A COM server for an IE add-on
 Displays dialog to manage
   Disable from here

53 More secure browsing: Binary behaviors setting
What is it?
 Components, attached to HTML, that encapsulate specific functionality
 New “URL Action” setting in each zone
Why do it?
 Unrestricted binary behaviors could be exploited
 Allow users to control binary behaviors
What’s different?
 Disallowed in restricted sites zone
How do I fix it?
 Custom security manager for apps that need to run in restricted sites zone

54 More secure browsing: BindToObject mitigation
What is it?
 Apply security policies consistently at source of URL binding: URLMON
Why do it?
 Uniformly enforce ActiveX security model rather than relying on calling code
 Eliminates exploits that use IE to compromise vulns in calling code
What’s different?
 Any component that wants to resolve a URL and get back a stream or object
How do I fix it?

55 More secure browsing: MSJVM security setting
What is it?
 Separate setting to control MSJVM
 Existing JVM setting renamed
Why do it?
 No known threats to MSJVM
What’s different?
 Clean installs of these will lack MSJVM:
   Windows XP SP 2 full OS
   Windows Server 2003
   Windows 2000 SP 4 full OS
 Upgrading won’t remove MSJVM
How do I fix it?
 Need to transition away from MSJVM

56 More secure browsing: Local machine zone lockdown
What is it?
 A non-displayed security zone that runs all local HTML pages on a computer
Why do it?
 Helps stop malicious local code from elevating privilege
What’s different?
 Enabled for IE processes
 Not enabled for non-IE processes
How do I fix it?
 Can save HTML as .HTA (dangerous: full privileges)
 Use “mark of the web” comments to load file into another security zone

57 More secure browsing: Local machine zone lockdown
 Overridden URL actions
   Run ActiveX: disallow
   Override ActiveX safety: disallow
   Run scripts: prompt
   Cross domain data: prompt
   Block binary behaviors: disallow
   Java permissions: disallow

58 More secure browsing: MIME handling enforcement
What is it?
 IE checks received files in four ways:
   File name extension
   Content-Type from HTTP header (MIME type)
   Content-Disposition from HTTP header
   MIME sniff
Why do it?
 Eliminates improper handling of mis-reported files (e.g., .EXE assumed as text)
What’s different?
 If MIME sniff results in different type, IE changes file extension in cache
 Never elevates to a more dangerous type
How do I fix it?
 Report your MIME types correctly!

59 More secure browsing: Object caching
What is it?
 New security context on all scriptable objects
 Access blocked when navigating away from current FQDN
Why do it?
 Single MSHTML instance across navigations; cached objects available
 Eliminate current cross-domain hole exploitable by frames
What’s different?
 Four more bytes added to cached markup
How do I fix it?
 Probably nothing here

60 More secure browsing: Untrusted publishers mitigations
What is it?
 Block all signed content from a publisher
 One prompt per control per page
 Block invalid signatures
 Display ellipsis if text is longer than box
Why do it?
 Eliminate repeated prompts
 Stop modified code
What’s different?
 New functionality
 Reduces social engineering tricks
How do I fix it?
 Not needed

61 More secure browsing: Zone elevation blocks
What is it?
 IE prevents the security context for any link from being higher than the context of the current page
Why do it?
 Stop scripts from navigating to higher security zone
What’s different?
 Web pages that try to call more privileged pages will fail
 Only a user-clicked link can go to higher privilege
How do I fix it?
 Fix apps to require user initiation

62 More secure browsing: Window restrictions
What is it?
 Scripts can’t position or resize windows with title and status bars offscreen
 Scripts can’t turn off status bar
Why do it?
 Eliminates windows that try to spoof desktop objects
 Allows users to always see security zone
What’s different?
 Title and status bars will always be visible to users
How do I fix it?
 Must change code that will break

63 More secure browsing: Window restrictions
 Unrestricted “chromeless” windows can cover important UI elements and deceive users
 Script-initiated pop-ups are constrained
   Appear between top and bottom of parent window “chrome”
   Must overlap some part of parent window
   Must stay immediately on top of parent (e.g., can’t be placed over dialogs)

64 More secure browsing: Pop-up manager
What is it?
 Blocks automatic and background pop-up windows activated by:
   window.open()
   window.external.navigateAndFind()
   showHelp()
 Doesn’t affect windows opened by:
   Mouse click
   Locally-running software
   ActiveX controls on a web site
   Trusted sites or local intranet zones
Why do it?
 Pop-ups suck!

65 More secure browsing: Pop-up manager
What’s different?
 Allowed windows that open outside viewable screen are positioned onto viewable area
 Allowed windows that open larger than the viewable screen are resized to the viewable area
How do I fix it?
 No need

66 More secure browsing: Pop-up manager
 Notification and sound, with choices:
   Show blocked pop-up
   Allow pop-ups from this site
   Block pop-ups
   Open pop-up management options
 Configuration choices
   Allow list
   Block all, including clicked pop-ups
   Override key for above
   Sound
   Zones


68 OK, what’s next?

69 More resiliency
 Increase protection and security of Windows XP
   Even if updates haven’t been installed
 Implications for users and developers
 The next step of trustworthy computing

70 Updates
 “New security technologies in Windows XP Service Pack 2”

71 © 2004 Microsoft Corporation. All rights reserved. Steve Riley
