In-depth look @ client security enhancements in Windows XP SP2

Steve Lamb

Technical Security Advisor

http://blogs.msdn.com/steve_lamb

stephlam@microsoft.com

What is SP2?• All the usual stuff of course

– Post-SP1 hotfixes (more regression testing)

• New security technologies

Network protectionNetwork protectionMemory protectionMemory protectionSafer e-mail handlingSafer e-mail handlingMore secure browsingMore secure browsingImproved computer Improved computer maintenancemaintenanceSome updated featuresSome updated features

Yes, we broke our previous promise!

But it’s for your own good…

This is your pain

This is your pain gone

This is all you’ve gotten

Security goalsIncrease the security Increase the security resiliency and management of resiliency and management of Windows XPWindows XPDecrease end-user security Decrease end-user security burden: more secure out-of-burden: more secure out-of-the-boxthe-boxReduce damage of worms and Reduce damage of worms and virusesviruseseven if updates are not even if updates are not installedinstalled

Make attackers work harderMake attackers work harder

Defense in depth

Networks • Routers• Firewalls

• VLANs• Subnetting

Hosts • Access control lists

• IPsec

Applications and data

• Authentication• Authorization• Rights

management

• Access control lists

• Execution partitions

Users • Uhh…

Protection scenarios• Evolve from edge security to host security• Block attacks• Foil spyware• Stop mail worms and other malicious code• Reduce buffer overrun exploits• Cut confusing security dialog boxes• Configure secure default states• Simplify security updates• Do the right thing for users

Block attacksBlock attacks

The bad stuff

• Computers can do a lot, but are often used only for a few things

• Most users don’t know how to limit what can come into their computer

• Existing host-based firewalls can confuse users and often get disabled

• Computers with firewalls can be difficult or impossible to manage corporately

Windows Firewall enhancements• New and improved user interface• On by default for all network interfaces• Provides boot-time security• Global and per-interface configurations• Exceptions list (can be disallowed)• Local subnet restrictions• Command-line and better group policy management• Multiple profiles and RPC support• Unattended setup

Windows Firewall

Basic behaviorOutbound TCPOutbound TCPResponse from Response from target IP onlytarget IP only

Outbound UDPOutbound UDPResponse from any Response from any IP;IP;closed after 90 closed after 90 seconds of inactivityseconds of inactivity

OutboundOutboundb’cast and m’castb’cast and m’castOpen for 3 seconds Open for 3 seconds to permit reponse to permit reponse from same subnet from same subnet onlyonly

Unsolicited for appsUnsolicited for appsApplication must be Application must be on exception liston exception list

Unsolicited for Unsolicited for servicesservicesPort must be statically Port must be statically openedopened

Unsolicited RPCUnsolicited RPCFirewall must be Firewall must be configured to configured to permit inbound RPCpermit inbound RPC

Windows Firewall

New user interface

Windows Firewall

On by defaultWhatis it?

• WF on by default on all interfaces• New installations and upgrades• Enabled when new interfaces are added

Whydo it?

• Configuring WF proved to be too difficult• Default configuration provides good

protection against worms (eg., Blaster)

What’s different?

• Certain applications might require special WF settings

How doI fix it?

• Developer documentation WF API

Windows Firewall

Boot time securityWhatis it?

• New static filtering policy at boot time• Permits DNS, DHCP, Netlogon• WF policy applied after logon• Policy then stays in effect until after IP stack

is shut down

Whydo it?

• Closes hole that existed after boot but before policy application

What’s different?

• Nothing

How doI fix it?

• No need

Windows Firewall

Global and per-i/f configsWhatis it?

• Configuration changes apply to all interfaces (including new interfaces)

• Per-interface configuration still possible

Whydo it?

• Easier to synchronize policy across multiple interfaces

• New interfaces get a policy when created

What’s different?

• Global plus per-interface configurations• Applies to IPv4 and IPv6

How doI fix it?

• Developer documentation WF API

Windows Firewall

Per-interface configuration

Windows Firewall

Exceptions listWhatis it?

• Applications that need to open listening ports (that is, act like servers)

Whydo it?

• Allows application to run in lower security context

• Only local administrator can add to list• Ports remain open only while application is

running

What’s different?

• Any app that listens must be on the list

Windows Firewall

Exceptions listHow doI fix it?

• Application can programmatically add itself to the exceptions list– App must be running as local administrator

• Use a notification during TCP/UDP bind– Firewall checks list; opens port if app is present– WF prompts user if not (only if local admin)– User must be running as local administrator;

application can run in lower context

• Configure manually– Scan Start Menu or browse

Windows Firewall

Adding programs or ports

Windows Firewall

Exceptions can be disallowed

Windows Firewall

Local subnet restrictionWhatis it?

• Can restrict port opening to local subnet address range

• Is the default for file sharing and UPnP

Whydo it?

• More granularity—allows local subnet communication but not to/from Internet

What’s different?

• Enabling “file and printer sharing” auto-applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp

• Enabling UPnP auto-applies restriction to 1900/udp, 2869/tcp

How doI fix it?

• Developer documentation WF API if application can’t work with restriction

Windows Firewall

Restricting subnets

Windows Firewall

Command-line supportWhatis it?

• Add WF configuration to NETSH utility• Default state, open ports, global or per-

interface, subnet restrictions, logging options, ICMP handling, application permissions

Whydo it?

• Best method for logon scripts and remote management

What’s different?

• Nothing—new functionality

How doI fix it?

• No need

Windows Firewall

Group policy supportWhatis it?

• More objects for better control• Operational mode, allowed programs, static

opened ports, ICMP settings, enable RPC and DCOM, enable file and printer sharing

Whydo it?

• Better management between corporate and standard profiles

• Allows corporate profile to reflect needs

What’s different?

• IPv4 only (IPv6 still just on/off)• Final GPOs might change

How doI fix it?

• No need

Windows Firewall

Group policy settings

Windows Firewall

Multiple profilesWhatis it?

• Two profiles: one when connected to a corporate network, another when connected to the Internet

• Uses NLA (network location awareness)

Whydo it?

• Can have a more relaxed profile when corp-attached and a more restrictive profile when traveling

What’s different?

• Computer must be domain-joined• Listening applications might need to be on

both profiles

How doI fix it?

• No need

Windows Firewall

RPC supportWhatis it?

• WF watches as RPC apps register ports• Allows incoming requests only if service is

running as Local System, Network Service, or Local Service

Whydo it?

• Can control which RPC services are exposed to the network

• Better than granting permissions to SVCHOST.EXE

What’s different?

• Must do this for RPC—WF blocks all RPC by default

How doI fix it?

• Developer documentation WF API to automate

Windows Firewall

Unattended setupWhatis it?

• Can pre-configure several options for unattended build scripts

• Operational mode, allowed programs, static opened ports, ICMP settings, logging

Whydo it?

• Can customize firewall configuration for your enterprise

What’s different?

• Nothing—new functionality

How doI fix it?

• No need

Foil spywareFoil spyware

Are you sick of “sick of”?

The bad stuff• It’s easy to trick people into installing unknown

software• Unrestricted “chromeless” windows cover

important UI elements and deceive users• ActiveX publisher verification is confusing—or

often ignored• No way to control which add-ons are running—

and nontrivial to disable

Internet Explorer

Window restrictionsWhatis it?

• Scripts can’t position or resize windows with title and status bars offscreen

• Scripts can’t turn off status bar• Script windows:

– Must fit between top and bottom of parent– Overlap parent horizontally– Move with parent– Appear above parent so that other windows (like

dialog boxes) can’t be hidden

Whydo it?

• Eliminates windows that try to spoof desktop objects

• Allows users to always see security zone• Prevents overlaying of address bar

Internet Explorer

Window restrictionsWhat’s different?

• Title and status bars will always be visible• Scripts can’t (although users can):

– Move windows offscreen– Open windows in kiosk mode

• Pop-up windows that rely on such spoofing will be truncated

How doI fix it?

• Must change code that will break

Internet Explorer

Pop-up managerWhatis it?

• Blocks automatic and background pop-up windows activated by:– window.open()– window.external.navigateAndFind()– showHelp()

• Doesn’t affect windows opened by:– Mouse click– Locally-running software– ActiveX controls on a web site– Trusted sites or local intranet zones

• INewWindowManager API for you to useWhydo it?

• Pop-ups suck!

Internet Explorer

Pop-up managerWhat’s different?

• Allowed windows that open outside viewable screen are positioned onto viewable area

• Allowed windows that open larger than the viewable screen are resized to the viewable area

• Does not affect sites in Trusted Sites or Local Intranet zones

How doI fix it?

• Enabled by default; no workaround needed

Internet Explorer

Pop-up controls• Notification and sound, with choices:

– Show blocked pop-up– Allow pop-ups from this site– Block pop-ups– Open pop-up management options

• Configuration choices– Allow list– Block all, including clicked pop-ups– Override key for above– Sound– Zones

Internet Explorer

Managing pop-ups

Internet Explorer

Pre-SP2 IE ActiveX warning

Internet Explorer

Untrusted publishers mitigationsWhatis it?

• Block all signed content from a publisher• Block invalid signatures• One prompt per control per page• Display ellipsis if text is longer than box

Whydo it?

• Eliminate repeated prompts• Stop code modified after being signed from

running

What’s different?

• New functionality• Reduces social engineering tricks

How doI fix it?

• Can revert to allowing unsigned code to run if necessary

Internet Explorer

New IE ActiveX notice

Internet Explorer

Add-on managementWhatis it?

• View and control all IE add-ons, including ones previously difficult to detect– Browser helper objects– ActiveX controls– Toolbar extensions– Browser extensions

• Status bar and balloon notifications

Whydo it?

• Error reporting data shows add-ons create significant instability

• Many pose security risks

Internet Explorer

Add-on managementWhat’s different?

• Disabled add-ons not removed; IE simply won’t instantiate them

• Applies only to IEXPLORE.EXE and EXPLORER.EXE

• Other programs based on IE components won’t respect disabled state

How doI fix it?

• Use “Manage Add-ons” to restore broken functionality

• Restart IE

Internet Explorer

Controlling add-ons

Internet Explorer

Add-on crash detection• Crash detection program

launches when IE crashes; collects:– List of DLLs that are loaded– Value of instruction pointer

CPU register (EIP)

• Finds DLL whose memory range the EIP lies within; DLL must be:– Non-system– A COM server for an IE add-

on

• Displays dialog to manage and disable

RAMRAM

DLLDLL

DLLDLL

DLLDLL

DLLDLL

EIPEIP9825:43520989825:4352098

33

Internet Explorer

Add-on admin control• Can alter user control of add-ons through registry

key (apply with GPO)– Normal: user has full control (default)– AllowList: admin specifies which add-ons are allowed;

users can’t change– DenyList: admin specifies which add-ons are denied;

users can run others

• Can also enable/disable crash detection and user management interface

Stop mail worms and Stop mail worms and other malicious codeother malicious code

The bad stuff

• People keep opening attachments• Dialogs weren’t useful or informative• Instant messengers becoming popular second

avenue for attack• HTML headers can deliver malicious code—no

attachments needed• IE zone elevation and local computer exploitation

are very popular

Attachment Execution Service

Whatis it?

• OE includes new API for applications to use to check files; also used by Windows Messenger

Whydo it?

• Provides consistent user experience across multiple applications

What’s different?

• New dialogs• Windows Messenger blocks transfer of

“potentially unsafe” files from those not on your contact list

How doI fix it?

• See whitepapers for API info

Outlook Express

Blocking attachments

Outlook Express

Plain text modeWhatis it?

• Forces all mail to be read in plain text rather than HTML

Whydo it?

• Stops malicious code delivered in HTML header scripts

What’s different?

• HTML messages won’t render correctly• Not possible to change text size• New read options setting

How doI fix it?

• Can switch displayed mail to HTML if known to be safe

Outlook Express

Reading plain and HTML

Outlook Express

No external HTML contentWhatis it?

• Much spam contains “web bugs,” links to single-pixel images; retrieving them indicates you read the mail

Whydo it?

• Increases privacy: doesn’t confirm your email address is valid

What’s different?

• Images in HTML mail won’t load from servers in Internet and Restricted Sites

• Placeholder indicates image’s location

How doI fix it?

• Click information bar to download images

Outlook Express

Blocking images

Internet Explorer

Zone elevation blocksWhatis it?

• IE prevents the security context for any link from switching to a less-restrictive zone than the context of the current page

Whydo it?

• Stop scripts from navigating to lower security zone

What’s different?

• Web pages that try to call more privileged pages will fail

• Only a user-clicked link can go to higher privilege

How doI fix it?

• Fix apps to require user initiation

Internet Explorer

Local machine zone lockdownWhatis it?

• A non-displayed security zone that runs all local HTML pages on a computer

Whydo it?

• Helps stop malicious local code from elevating privilege

What’s different?

• Enabled for IE processes• Not enabled for non-IE processes

How doI fix it?

• Can save HTML as .HTA (dangerous: full privileges)

• Use “mark of the web” comments to load file into another security zone

Internet Explorer

Local machine zone lockdown• Disallowed URL actions

– Run scripts– Download unsigned ActiveX– Run ActiveX– Override ActiveX safety– Prompt for client certificate– Run binary behaviors– Java permissions

Internet Explorer

MIME handling enforcementWhatis it?

• IE checks received files in four ways:– File name extension, registered ProgID handler– MIME Content-Type in HTTP header and ProgID– MIME Content-Disposition in HTTP header– MIME sniff

Whydo it?

• Eliminates improper handling of mis-reported files (eg., .EXE assumed as text)

What’s different?

• If MIME sniff results in different type, IE changes file extension in cache

• Never elevates to a more dangerous type

How doI fix it?

• Report your MIME types correctly!

Internet Explorer

Object cachingWhatis it?

• New security context on all scripted objects

• Access to cached objects is blocked– Reference no longer accessible after context

invalidation caused by navigation

Whydo it?

• Single MSHTML instance across navigations; cached objects available

• Eliminate current cross-domain hole– Say, scripts in one frame from one domain that listen for

events in other frames from different domains

What’s different?

• Four more bytes added to cached markup

How doI fix it?

• Recache object before accessing it with a script

Reduce bufferReduce bufferoverrun exploitsoverrun exploits

The bad stuff

• Buffer overruns can be eliminated from good code, but it takes time

• Attackers will continue to exploit them• Might even deliver purposefully-broken code to

then exploit later• RPC not originally engineered to operate in

today’s hostile networked world

Data execution prevention• Prevents code execution in data pages:

– Default heap– Various stacks– Memory pools

• Both user and kernel modes• Requires developers to explicitly mark pages as

executable

Data execution prevention

NX—“no execute”• OS feature that relies on processor hardware to

mark memory• Functions on a per-VM page basis

– Common: change a bit in the page table entry to mark the page

• Affects apps that:– Perform just-in-time code generation– Execute memory from default process stack or heap

Data execution prevention

NX—“no execute”• Hardware implementation varies by processor• Processor must raise exception when code

executes from disallowed page• Current processor support

– AMD K8 (32-bit Windows)– Intel Itanium (64-bit Windows)

Data execution prevention

64-bit WindowsWhatis it?

• Applications expected to function with NX enabled by default!

• Protected areas– Stack– Paged pool– Session pool– Default process heap

• Can’t be disabled• To allocate virtual memory—

– Call VirtualAlloc() with one of the PAGE_EXECUTE_* attributes

Data execution prevention

32-bit WindowsWhatis it?

• User mode– AMD processors with “physical address

extension” mode enabled– Can be selectively disabled per-application– Result: unhandled exception (process termination)

with STATUS_ACCESS_VIOLATION (0xc000005)

• Kernel mode– Only to the stack by default– Can’t be enabled/disabled– Result: bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

Data execution prevention

All versionsWhydo it?

• Many worms and viruses execute code in data pages• NX reduces impact—can’t spread now• Encourages good software engineering

What’s different?

• Dynamic code execution apps might break• Drivers that expect 64-bit addressing or >4 GB RAM

in PAE mode might break• Drivers that do DMA transfers

How doI fix it?

• Mark generated code with an execute permission• Update apps that execute from stack, default process

heap, or dedicated heap• DMA transfers are double-buffered• Systemwide control with BOOT.INI switches

Data execution prevention

End-user experience

RPC restrictions• Restrict remote clients

• Require authentication to endpoint mapper (135/tcp)

• New interface registration flags

RPC restrictions

Restricting remote clientsWhatis it?

• RestrictRemoteClients registry key to enforce authentication

• Remote anonymous calls to RPC interfaces now rejected by default

Whydo it?

• Useful mitigation against worms that rely on exploitable buffer overruns invoked through anonymous connections

What’s different?

• Apps that expect anonymous calls might be affected

How doI fix it?

• Require clients to use RPC security• Exempt interface from authentication using

exemption flag

RPC restrictions

Endpoint mapper authNWhatis it?

• Clients always contact EP mapper anonymously

• If client restrictions are set, clients also won’t be able to contact EP mapper

Whydo it?

• Setting EnableAuthEpResolution key tells RPC client to use NTLM authentication to EP mapper

What’s different?

• Both peers will need XP SP2

How doI fix it?

• No need

OK, so what’s next?OK, so what’s next?

More resiliency• Increase protection and security of Windows XP

– Even if updates haven’t been installed

• Implications for users and developers• The next step of trustworthy computing

• It’s a victory for the security guys!

• Learn more about Service Pack 2http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

• Changes to functionality—always updatedhttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

• Deploying Service Pack 2http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

• Developer resources—including traininghttp://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Thanks to Steve Riley(Microsoft Corp) for the original slides