Windows XP Service Pack 2 Alex Balcanquall Senior Consultant Microsoft Services Organisation
Agenda for Workshop Introduction Protection Technologies Network Web & Memory Protection Manageability But that’s not all… Deployment & Troubleshooting Round-up
Exploit Timeline Days From Patch to Exploit The average is now nine days for a patch to be reverse- engineered As this cycle keeps getting shorter, patching is a less effective defense in large organizations Why does this gap exist? Blaster Welchia/ Nachi Nimda 25 SQL Slammer exploit code patch Days between patch and exploit
Goals of XP SP2 Memory Network Maintenance /Web Provide system-level protection for the base operating system Help protect the system from directed attacks from the network Ensure that when updates are necessary, they are easier to deploy quickly Enable safer Internet experience for most common Internet tasks
Windows Firewall Goal in XP SP2 Provide better protection from network attacks Provide administration tools suitable for the enterprise Changes in XP SP2 Windows Firewall on by default Boot time protection Multiple configuration mechanisms Better user interface Boot time protection Multiple profile support Restrict anonymous connections to DCOM/RPC interfaces Impact Applications that initiate outbound connections will work out of the box Only applications that accept unsolicited inbound communications will be affected by the firewall Firewall should be deployed in all organisations Develop organisation wide firewall exceptions & deploy as needed Consider IPSEC bypass for administrative tasks Maintenance Network (1) & Web Memory
Windows Firewall
Windows Firewall Group Policy
DCOM / RPC Goal in XP SP2 Reduce DCOM / RPC attack surface exposed on the network Changes in XP SP2 Require authentication on default interfaces Enable ability to restrict RPC interfaces to local machine only Granular configuration of launch permissions for DCOM Moved most RPCSS code into reduced privilege process Disable RPC over UDP by default Impact Application using anonymous authentication will break Significantly reduces ability of unauthenticated processes or users to attack RPC May require applications and COM components to be recoded. Network (2) Maintenance & Web Memory
Attachments Goal in XP SP2 Consistent system-provided mechanism for applications to determine unsafe attachments Consistent user experience for attachment “trust” decisions Changes in XP SP2 Create new public API for handling safe attachments (Attachment Execution Services) Default to not trust unsafe attachments Outlook Express, Windows Messenger, Internet Explorer changed to use new API Open / execute attachments with least privilege possible Safer message “preview” Impact Select applications that use the new API for better user experience, and better determination of safe content Applications which depend on attachments may be impacted Maintenance Network & Web (1) Memory
Web Browsing Goal in XP SP2 Ensure a safer web browsing experience Changes in XP SP2 Locking down local machine and local intranet zones Improved notifications for running or installing applications and ActiveX Controls Pop-Up Blocker for Internet Explorer New Internet Explorer add-on manager Limit UI spoofing Change to IE zones Improved download and security related dialog boxes Impact Check for Web application compatibility with newer, safer browsing defaults Line of Buisness applications that use pop-ups may need to change or be added to exception listNetwork & Web (2) Maintenance Memory
Pop-up Blocker
Download Prompts Old vs. New
Data Execution Protection (NX) Goal in XP SP2 Reduce exposure of common buffer overruns Changes in XP SP2 Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute Binaries Compiled with /GS Flag (Not Dependent on DEP) Reduces exploitability of buffer overruns Enabled by default on all capable machines for Windows binaries Application Compatibility Toolkit setting to exclude incompatible applications Impact System runs in PAE mode. All drivers and application will need to be compatible with PAE Currently needs 64bit Extended Systems (e.g. Intel Itanium Family, AMD Opteron, AMD Athlon 64) Maintenance Network & Web Memory
DEP End-user Experience Application termination dialogs
DEP End-user Experience Configuration experience Accessible through System Properties control panel
Manageability Goal Reduce management overhead of securing Windows XP What we’re doing Windows Security Center Anti-Virus Checking Firewall Automatic Updates Automatic Update enhancements Centralised & granular management of the Windows Firewall New Wireless LAN client Bluetooth update SmartKey Wireless Setup Impact Use group policy or any software distribution mechanism to easily configure firewall Maintenance Network & Web Memory
Internet Explorer Add-on Manager
But that’s not all…. Tablet PC NEW V2 “Lonestar”. Tablet PC NEW V2 “Lonestar”. In Place Tablet Input Panel (TIP)& Handwriting to text on the fly Better office OneNote integration Windows Media 9 Series Bluetooth Update Movie Maker 2.1 New Wireless LAN Client Direct X9.0b
XP SP2 Deployment Planning and Testing
Why Plan & Test? New security features will make the system secure but may break some applications In common test scenarios expect >=90% of applications to work In RC1 these issues have been found to break down as follows: 30% Firewall 22% DEP / PAE 14% IE 8% DCOM / RPC 6% RTF Converters NB These figures are for consumer and corporate scenarios & fixes will be incorporated in the final XP SP2 Release to mitigate many scenarios
Deployment Planning Review XP SP 2 Changes Document Test XP SP 2 on limited ‘real systems’ Deploy with firewall on Determine commonly needed open ports Deploy settings with AD, INF files, WMI, Unattend.txt Deploy with XP SP2 DCOM and IE defaults Use custom OU if you have Active Directory Don’t forget to test all Intranet applications Deploy to test community to catch final 5% of issues START TESTING NOW!
Troubleshooting 32-Bit Applications 1. Test application on XP SP1 2. If 64bit Extended use Application Compatibility Toolkit to disable DEP on a per app basis 3. Disable Firewall NOT RECOMMENDED FOR PRODUCTION MACHINES (deploy exceptions and keep firewall enabled) 4. Disable DCOM / RPC authentication NOT RECOMMENDED FOR PRODUCTION MACHINES 5. Ask software vendor for any needed updates or patches 6. Consider risks of disabling protection vs. selection of alternate application
Troubleshooting Web Applications 1. Test on XP SP1 2. Add trusted intranet applications to trusted sites list 3. Sign all custom Active X objects 4. Review application to remove all cross zone scripting 5. Disable new IE protection measures to verify which protection is stopping application NOT RECOMMENDED FOR PRODUCTION MACHINES 6. Consider re-writing application vs. risk of disabling new protection mechanisms
Other troubleshooting tools Application Compatibility Toolkit V3 Now V4 End of Dedicated to SP2 features etc. NB New ‘shims’ like the NX can be used with V3 toolkit Reporting RC 1 Bugs NEW desktop icon in RC1 Click on the “Report a XP SP2 Bug” Corporate Error Reporting If you have a Premier Agreement and Enterprise Agreement talk to your TAM about CER
Round-up XP SP2 has additional protection for: Network Web Browsing Memory Protection (64 bit only) XP SP2 Includes tools for improved manageability Adequate testing is key to successful deployment of XP SP2 Aim to deploy with Firewall Turned On Attend Infosec patch management session / review Microsoft recommendation on patching
Further Information XP SP2 /winxppro/maintain/winxpsp2.mspx General Security: Windows Application Compatibility Toolkit:
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.