Windows XP Service Pack 2 Customer Awareness Workshop XP SP2 Technical Drilldown – Part 1 Craig Schofield ([email protected]) Microsoft Ltd. UK September 2004


Windows XP Service Pack 2 Customer Awareness Workshop

XP SP2 Technical Drilldown – Part 1

Craig Schofield ([email protected]), Microsoft Ltd. UK

September 2004

Service Pack 2 Drill Down
• Memory
• Attachments
• Web
• Network

Networking

Windows Firewall

Windows Firewall – Protection from network-based attacks
• Windows Firewall (formerly ICF) is on by default
  – Enabled on all interfaces (LAN, Dial-Up, VPN)
  – Supports both IPv4 and IPv6
• Windows Firewall is “stateful”
  – Automatically matches inbound traffic with outgoing requests
  – Restricts only unsolicited inbound traffic
• Three operational modes
  – On (default) – no unsolicited inbound traffic allowed
    – Can be configured to allow specific unsolicited inbound traffic
  – Don’t Allow Exceptions – no unsolicited inbound traffic allowed
    – Ignores other settings and blocks all unsolicited inbound traffic
  – Off – no protection
• Boot-time security
  – Runs in highly secure mode until run-time policy can be applied

Windows Firewall – Configuration Options
• Default configuration is by machine
  – Can still configure interfaces separately if necessary
• Exception list for applications & services requiring open ports
  – Enables listening on whichever ports are required
• Per-port or per-application subnet and IP address restrictions
  – Can allow inbound traffic from specific subnets or IP addresses
• Two operating profiles: Domain & Standard
  – Domain profile used when attached to a network with the same DNS suffix as the domain
  – Standard profile used when not attached to a network with the same DNS suffix as the domain

Windows Firewall – Application and Standards Compatibility
• Most applications will work with no adjustments
  – Stateful firewall matches incoming traffic with outgoing requests
  – Only applications or services that need to listen for unsolicited incoming traffic are affected, e.g. file and print sharing, web server, voice or video conversations, remote management tools
• Pre-built options will open the correct port or program exceptions without requiring manual entries
  – File & Print service, UPnP framework, Remote Administration, ICMP options, Remote Desktop
• IPSec authenticated bypass
  – Traffic is allowed through the firewall for specified systems that successfully authenticate with IPSec

Windows Firewall – Manageability Improvements
• User notifications help automatically configure the firewall
  – Only for applications running in user context
  – Through Security Center
• All configuration options available through new Group Policy Objects
  – Group Policy settings override local settings
• Updated NETSH command line interface can control all settings
• APIs (NetFwPublicTypeLib) can be used for scripting or registering applications with the firewall
• Security Event Log entry when a listening application is detected
• Customize settings at deployment with SP2 configuration files
  – netfw.inf and unattend.txt
  – Can also use Group Policy Objects
• Registry settings
  – HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
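As an added example (not part of the workshop deck), a batch script that uses the XP SP2 `netsh firewall` context to apply the modes, profiles, scoped exceptions and logging described on these slides, then reads the policy registry value named above; the subnet addresses, port and program path are constructed placeholders.

```batch
@echo off
rem Added example, not from the presentation: configures Windows Firewall on
rem XP SP2 with the "netsh firewall" context and then reads the Group Policy
rem registry value from the slide. Addresses and paths are placeholders.

rem Domain profile: firewall on, exceptions allowed (the default "On" mode).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem Standard profile (away from the corporate network): "Don't Allow
rem Exceptions" blocks all unsolicited inbound traffic, whatever the
rem exception list says.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem Pre-built exception: Remote Desktop, reachable only from the local subnet
rem and only while the Domain profile is active.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

rem Per-port exception restricted to specific management hosts/subnets
rem (placeholder addresses).
netsh firewall add portopening protocol=TCP port=8080 name="Intranet web server (example)" mode=ENABLE scope=CUSTOM addresses=10.1.2.0/255.255.255.0,10.9.9.9 profile=DOMAIN

rem Per-application exception: the firewall opens whichever ports this
rem program listens on, but only while the program is running.
netsh firewall add allowedprogram program="C:\Program Files\Example\agent.exe" name="Example management agent" mode=ENABLE scope=SUBNET profile=DOMAIN

rem ICMP option: allow inbound echo request (type 8) so the host answers ping.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN

rem Log dropped packets and successful connections for later review.
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem Verify the effective state and the full configuration.
netsh firewall show state
netsh firewall show config

rem When Group Policy is applied, the policy key overrides the local settings;
rem EnableFirewall = 0x1 forces the Domain profile firewall on. The query
rem fails with "unable to find the specified registry key" if no policy is set.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall
```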

RPC & DCOM Changes
• RPCSS architecture enhanced
  – Network-facing functionality runs with reduced privilege – network service account privilege only
  – Functionality that requires local system privilege has limited exposure
• Block unauthenticated calls to DCOM and RPC services
  – Includes blocking unauthenticated calls to the RPC Endpoint Mapper
• Only administrators are granted remote activation and launch permissions
• Easier to restrict RPC interfaces to local machine only
• Fine-grained DCOM security
  – Machine-wide lockdown ACL for DCOM launch, activation and access
• DCOM infrastructure access restricted to TCP and RPC over HTTP
  – RPC over HTTP not installed by default
• New permissions configured through group policy, UI and logon scripting
• New central location to set authentication policy

DCOM Default Security

Permission | Administrator                                                   | Everyone                       | Anonymous
Launch     | Local (Launch), Local Activate, Remote (Launch), Remote Activate | Local (Launch), Local Activate | –
Access     | –                                                               | Local (Call), Remote (Call)    | Local (Call)

Bluetooth
• “Bluetooth Devices” is a new Control Panel item
• Client includes support for the latest version of Bluetooth (v1.2), allowing customers to take advantage of the latest wireless devices
• Bluetooth support is enabled if the device is approved by Windows Hardware Quality Labs (WHQL) and no existing driver is present
• Includes selective suspend (power)
• Boot-mode keyboards supported
• Bluetooth File Transfer Wizard

Alerter and Messenger
• Services disabled by default
• Any applications or services that use the Alerter or Messenger services to communicate with the user will not be successful

Email

Attachments
• Security model relies on users to make good trust decisions
• However, users are ill-equipped to make informed decisions
  – Lack needed information
  – Lack technical understanding
• And users are easily tricked into making poor choices
  – Example: “myphoto.jpg .exe”
• Employing a static list of dangerous file types isn’t enough
  – Hackers find exploits using files not on the list of dangerous file types
    – Example: MyDoom packages its malicious payload in a ZIP
  – Users can’t share file types on the dangerous list, which diminishes functionality

Attachment Manager
• New public API for handling safe attachments: IAttachmentExecute
  – Used by Outlook Express, Windows Messenger and Internet Explorer, and by third parties soon
• Unsafe attachments not trusted by default
  – Block/Prompt/Allow determined by combination of file type & zone
    – Dangerous file type + Restricted Zone = Block
    – Dangerous file type + Internet Zone = Prompt
• AM marks the zone when it saves a file
  – Enables AES to block/prompt files in a ZIP
• Safer message “preview” in OE
• Consistent experience for “trust” decisions

Windows Messenger
• Block unsafe file transfers
  – Leverages Attachment Manager
• Require user display name
• Firewall impacts

Summary
• Networking
  – Windows Firewall – on by default, highly configurable
  – RPC & DCOM – security enhancements
• Email
  – Attachment Manager – protects users from malicious attachments through a consistent interface

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.