Securing the Infrastructure Windows Server 2003 SP1 and Windows XP SP2 Ken Schaefer System Engineer, MVP Avanade.


Sorry No funny jokes or pictures But there will be good technical content

Agenda
Why we are releasing Windows Server 2003 SP1
Goals for Windows Server 2003 SP1
Key security enhancements and functions of SP1
Windows 2003 & Windows XP SP2 Firewall
Other enhancements
Additional resources to ramp up on Windows Server 2003 SP1
Summary

Why are we releasing WS03 SP1?
To reduce customer pain around security of our operating systems, and to provide a more robust and secure OS to customers
To provide some new security enhancements
  – Setup Protection SECOOBE
  – Windows Firewall
  – Role-based Security Configuration Wizard
To increase adoption of Windows Server 2003 – some customers wait for SP1 before deploying

WS03 Customer Pains & SP1
Why?
  – Patch management too complex
  – Time to exploit decreasing
  – Exploits are more sophisticated
= Current approach is not sufficient
[Chart: days between patch and exploit for Blaster, Welchia/Nachi, Nimda and SQL Slammer]
How?
  – Role based approach will give flexibility to our customers in terms of time to test/deploy
  – Proactive instead of reactive engineering i.e. Windows Firewall and AD policy for Windows Firewall rule sets
= A step in the journey to more secure computing platforms, applications, and devices.

What are the goals of SP1?
Enhanced Security
  – Reduced attack surface
  – New security enhancements
Stronger defaults and privilege reduction on services (RPC & DCOM)
Support for No Execute (NX) hardware (Intel & AMD)
Windows Firewall enabled by default for new installs
  – Includes boot time protection
Provide a Security Configuration Wizard to assist IT Admins
  – Role-based configuration and lockdown
RAS/VPN Quarantine
  – Client inspection, Fix-up, Isolation
IIS 6.0 metabase auditing
IE security enhancements
Enhanced Reliability
Enhanced Performance
  – 10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

SP1 Features and Enhancements Post-Setup Security Updates (PSSU) Security Configuration Wizard Relevant XP SP2 enhancements –RPC, DCOM lockdown –Windows Firewall configuration Terminal Services Improvements Base 64-bit extension system x86-64 is reality

WS03SP1 Post-Setup Security Updates (1)
A new feature designed to protect servers between first boot and application of most recent security updates
Opens on first admin login if Windows Firewall was not explicitly enabled/disabled using unattend script or GPO
Blocks inbound connections until customer clicks “Finish” on PSSU dialog box

WS03SP1 Post-Setup Security Updates (2)
Offers links to Windows Update
Creates an opportunity to configure Automatic Updates
Re-opens if not completed before first restart
Forced closure (ALT+F4) makes no change to the firewall, system runs tests to display PSSU again at next log on

WS03SP1 Post-Setup Security Updates (3)
Applies To:
  – Windows server admins who are concerned that new Windows Server 2003 servers may not be fully protected before application of updates
  – Admins who perform new installs of Windows Server 2003 with a Service Pack
Does Not Apply When:
  – OS install with an unattend script enabling or disabling Windows Firewall
  – Windows Firewall is enabled or disabled through GP before PSSU is displayed
  – Performing OS updates to existing Windows Server 2003 server, or upgrading existing Windows 2000 server to Windows Server 2003 SP1

Post-Setup Security Updates

Security Configuration Wizard
Guided Attack Surface Reduction for Windows Servers
  – Security Coverage
      Roles-Based Metaphor
      Disables Unnecessary Services
      Disables Unnecessary IIS Web Extensions
      Blocks unused Ports, including multi-homed scenarios
      Helps Secure Ports that are left open by using IPSEC
      Reduces protocol exposure (LDAP, NTLM, SMB)
      Configures Audit Setting with high Signal to Noise ratio
Security for mere mortals
  – Roles-based makes answering questions easy
  – Automated versus Paper-Based Guidance
  – Fully tested and supported by Microsoft

SCW Operational Coverage
Supports approximately 60 server roles OOB
Rollback, when applied policies disrupt service expectation
Analysis, to check that machines are in compliance with policies
Remotability for configuration and analysis operations
Command Line Support for remote config and analysis en-masse
Active Directory Integration for Group Policy-based deployment
Editing of previously created policies, when machines are repurposed
XSL Views of Knowledge base, policies and analysis results

Security Configuration Wizard

RPC and DCOM Enhancements
Dovetails with Windows XP SP2
New RPC registry keys
  – Allow server applications to restrict access to the interface, typically through a security call back
  – Optionally deny all remote anonymous access
  – Enables application developers to more closely control access
Additional DCOM access control restrictions
  – Strengthening of DCOM authentication security model
  – Overall reduction of risk of a successful network attack
RPC and DCOM ports handled as a special case by Windows Firewall

Windows Firewall
Goals and customer benefit
  – Provide by default better protection from network attacks
  – Focus on role-based server configuration
What we’re doing
  – Windows Firewall (formerly ICF) will be on by default in almost all configurations
  – More configuration options
      Group policy, command line, unattended setup
      Better user interface
  – Boot time protection
  – Restrict anonymous connections to DCOM/RPC interfaces
Application impact
  – In-bound network connections will not be permitted by default
  – Listening ports only open as long as the application is running

Windows Firewall and AD Firewall Policy Deployment

Administering Windows XP SP2 Recommended Enterprise Settings (1)
Guidelines only, review all settings prior to deployment!!
Windows Firewall: Protect all network connections
  – Enabled
Windows Firewall: Do not allow exceptions
  – Not configured
Windows Firewall: Define program exceptions
  – Set to the names of applications and services used by the computers running Windows XP SP2 on your network for managed, server, listener, or peer applications. (e.g. SMS)

Administering Windows XP SP2 Recommended Enterprise Settings (2)
Windows Firewall: Allow local program exceptions
  – Enabled
Windows Firewall: Allow remote administration exception
  – Disabled, unless the Windows XP SP2-based computers are configured remotely using MMC snap-in or monitored remotely using WMI.
Windows Firewall: Allow file and print sharing exception
  – Enabled only if the computers running Windows XP SP2 are sharing local folders and printers.

Administering Windows XP SP2 Recommended Enterprise Settings (3)
Windows Firewall: Allow ICMP exceptions
  – Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.
Windows Firewall: Allow Remote Desktop exception
  – Enabled only if you use Remote Desktop to connect to Windows XP SP2-based computers.
Windows Firewall: Allow UPnP framework exception
  – Enabled only if you use UPnP devices on your network.
Windows Firewall: Prohibit notifications
  – Disabled

Administering Windows XP SP2 Recommended Enterprise Settings (4)
Windows Firewall: Allow logging
  – Not configured
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  – Disabled – may break Wake On LAN
Windows Firewall: Define port exceptions
  – Set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener, or peer applications that cannot be specified by filename. (Add SMS and similar ports here)
Windows Firewall: Allow local port exceptions
  – Enabled (pending corporate policy)

Administering Windows XP SP2 3rd Party firewalls scenarios
Disable Windows Firewall
Disable Windows Firewall via accidental installation
  – Unattend.txt or Netfw.inf
  – Deploy registry settings to disable WF
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)
Configure GPOs accordingly
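
As an added example (not part of the original slides), the following checks a text export of the Windows Firewall policy key against some of the recommended enterprise settings above, and reports where a profile has `EnableFirewall=0` as in the third-party firewall scenario. The value names other than `EnableFirewall` are assumed from the Windows Firewall policy template, and the sample export is constructed.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
# Slide recommendations as policy values; None = "Not configured" (value absent).
# Names other than EnableFirewall are assumed from the policy template, not the slides.
RECOMMENDED = {
    "EnableFirewall": 1,                               # Protect all network connections: Enabled
    "DoNotAllowExceptions": None,                      # Do not allow exceptions: Not configured
    "DisableNotifications": 0,                         # Prohibit notifications: Disabled
    "DisableUnicastResponsesToMulticastBroadcast": 0,  # Prohibit unicast response: Disabled
    r"RemoteAdminSettings\Enabled": 0,                 # Remote administration exception: Disabled
}
# Constructed sample export, not taken from a real machine.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000000
"DisableUnicastResponsesToMulticastBroadcast"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000001
"""

def parse_reg(text):
    """Map 'Profile\\...\\ValueName' to its integer for every DWORD under ROOT."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sub = line[1:-1][len(ROOT) + 1:]   # key path relative to the policy root
            key = sub if line[1:-1].upper().startswith(ROOT.upper() + "\\") else None
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            values[key + "\\" + m.group(1)] = int(m.group(2), 16)
    return values

def audit(text, profiles=("DomainProfile", "StandardProfile")):
    """List (profile, value, found, recommended) where the export deviates."""
    values = parse_reg(text)
    return [(p, name, values.get(p + "\\" + name), want)
            for p in profiles for name, want in RECOMMENDED.items()
            if values.get(p + "\\" + name) != want]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s\\%s: found %r, recommended %r" % finding)
```

A value that is absent from the export is treated as Not configured and is reported wherever the slides ask for Enabled or Disabled. Files written by `reg export` are UTF-16, so decode them before passing the text in.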

Terminal Services Improvements
Fallback Printer Driver
  – Addresses Client to Server Printing issues when driver mismatch occurs
  – Heuristic that does name matching on printer driver strings provided from TS client
  – Will do a best guess and then substitute for a lowest common denominator PCL or PS driver
      PCL and - "HP DeskJet 500"
      Color PCL - "HP DeskJet 500C"
      PS - "HP LaserJet 4/4M PS"
      Color PS - "HP Color LaserJet 5/5M PS"
Licensing Server Improvements

SP1 Terminal Services

Windows Server 2003 x64 Editions
Key value
  – Core OS functionality & performance benefits (64-bit)
  – Runs most existing 32-bit apps with increased performance
  – Provides evolutionary path to 64-bit applications
Single code-base based on WS03 SP1
  – AMD Opteron/Athlon 64 & Intel Xeon EM64T supported with one product
  – Basis for Windows XP Professional, x64 Edition
Compatibility
  – WS03 SP1 level compatibility
  – Application kernel mode code and drivers must be 64-bit

Workload | Performance and Scale
32-bit Database | up 17%
32-bit Business Apps | SAP 10% more users
Networking | Record 7Gbit/sec xfer
File | 111% higher user capacity
Active Directory | 2x higher throughput
Terminal Services | 50% more Users

How To Get Involved
Share your ideas with the Windows Server development team at:
You can also participate in:
  – Online surveys about product feature priorities
  – Product focus groups
  – TechBeta

Summary
Windows Server 2003 SP1 exists to encourage adoption of Windows Server 2003, migration from NT4 and 2000
Security-focused service pack, also includes performance, feature and reliability improvements
Exciting roadmap – complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn
What you can do:
  – Review the reference material on the following slides
  – Test the available Release Candidate 2 (RC2) version
  – Provide your ideas on how we can make further improvements in this area

More Information:
Windows Server 2003 SP1 Release Candidate 2:
Windows XP SP2 on Microsoft TechNet:
MBSA v2 Beta (use Beta GuestID: MBSA20):
Windows Update Services Beta
Technet Security Centre for IT Pros:
Microsoft IT practices:

Evaluation: Prescriptive Guidance
Overall how satisfied were you with the event?
Rate the session: Windows 2003 SP1

Ken Schaefer