Improving Resiliency: Service Pack 2

Upload: elise-ellers

Post on 31-Mar-2015

TRANSCRIPT

Page 1: Improving Resiliency: Service Pack 2

Page 2: What is SP2?

All the usual stuff of course
Post-SP1 hotfixes (more regression testing)
New security technologies:
Network protection
Memory protection
Safer e-mail handling
More secure browsing
Improved computer maintenance

Page 3: Security goals

Increase the security resiliency of Windows XP
Reduce damage of worms and viruses even if updates are not installed
Make attackers work harder

Page 4: Defense in depth

Networks: routers, firewalls, VLANs, subnetting
Hosts: IPsec, access control lists
Applications and data: authentication, authorization, rights management, access control lists, execution partitions
Users: Uhh…

Page 5: Network protection

Windows Firewall
RPC interface restrictions
DCOM security enhancements

Page 6: WF changes

Enhanced multicast and broadcast support
Updated NETSH helper for IPv6 WF
Updated user interface
New group policy support

Page 7: Windows Firewall: Updated user interface

What is it?
New dialogs and settings
Final UI still under design

Why do it?
Necessary for new configuration options

What's different?
Now a control panel applet

How do I fix it?
No need

Page 9: Windows Firewall: Enhanced multicast and broadcast

What is it?
If WF receives incoming multicast or broadcast traffic, it allows for three seconds a response from any source address to the originating port

Why do it?
Allows responses without adding client applications to permissions lists

What's different?
Incoming broadcast and multicast traffic now passes through WF without manual configuration

How do I fix it?
No need

Page 10: Windows Firewall: New group policy support

What is it?
More objects for better control
Operational mode, allowed programs, opened ports (static), ICMP settings, enable RPC

Why do it?
Better management between corporate and standard profiles

What's different?
IPv4 only (IPv6 still just on/off)
Final GPOs might change

How do I fix it?
No need

Page 11: WF new features

On by default
Multiple profiles
WF permissions list
Local subnet restriction
Global and per-interface configurations
Boot time security
Command-line support
Shielded operational mode
RPC support

Page 12: Windows Firewall: On by default

What is it?
WF on by default on all interfaces
New installations and upgrades
Enabled when new interfaces are added

Why do it?
Configuring WF proved to be too difficult
Default configuration provides good protection against worms (e.g., Blaster)

What's different?
Certain applications might require special WF settings

How do I fix it?
Developer documentation: WF API

Page 13: Windows Firewall: Multiple profiles

What is it?
Location-based profiles: one when connected to a corporate network, another when connected to the Internet

Why do it?
Can have a more relaxed profile when corp-attached and a more restrictive profile when traveling

What's different?
Computer must be domain-joined
Listening applications might need to be on both profiles

How do I fix it?
No need

Page 15: Windows Firewall: Permissions list

What is it?
Applications that need to open listening ports

Why do it?
Allows application to run in lower security context
Only local administrator can add to list
Ports remain open only while application is running

What's different?
Any app that listens must be on the list

How do I fix it?
No need

Page 17: Windows Firewall: Local subnet restriction

What is it?
Can restrict port opening to local subnet address range
Is the default for file sharing ports

Why do it?
More granularity: allows local subnet communication but not to/from Internet

What's different?
Enabling "file and printer sharing" applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp

How do I fix it?
Developer documentation: WF API, if application can't work with restriction

Page 19: Windows Firewall: Global configuration

What is it?
Configuration changes apply to all interfaces (including new interfaces)
Per-interface configuration still possible

Why do it?
Easier to synchronize policy across multiple interfaces
New interfaces get a policy when created

What's different?
Global plus local configs

How do I fix it?
Developer documentation: WF API

Page 21: Windows Firewall: Boot time security

What is it?
New static filtering policy at boot time
Permits DNS, DHCP, Netlogon
WF policy applied after logon

Why do it?
Closes hole that existed after boot but before policy application

What's different?
Nothing

How do I fix it?
No need

Page 22: Windows Firewall: Command-line support

What is it?
Add WF configuration to NETSH utility
Default state, open ports, global or per-interface, subnet restrictions, logging options, ICMP handling, application permissions

Why do it?
Best method for logon scripts and group policy

What's different?
Nothing (new functionality)

How do I fix it?
No need
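A logon-script style batch file that applies the policy described on the Windows Firewall slides above (on by default, file and printer sharing restricted to the local subnet, a permissions-list program, a static port opening, ICMP handling and dropped-packet logging) through the NETSH firewall context. This is an added example, not code from the original deck; the program path, the service name, port 8080 and the log location are placeholder values, and the netsh firewall keywords are the XP SP2 command syntax as known to the editor rather than text quoted from the slides.

```batch
@echo off
rem Added example: baseline Windows Firewall (XP SP2) policy for a logon script.
rem Program path, names, port 8080 and the log path are placeholders.

rem Firewall on for both profiles (domain and standard), exception list active.
rem SP2 already defaults to "on"; the script re-asserts it so a user cannot
rem leave it off after travelling.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem File and printer sharing (137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp):
rem enable it but keep the local-subnet restriction, so these ports are never
rem reachable from the Internet side of the link.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem Permissions-list entry for an application that binds a listening socket.
rem WF opens its ports only while the program is running. Scope is limited to
rem the local subnet; use scope=ALL only when the application truly needs it.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\exampleapp.exe" name="Example App" mode=ENABLE scope=SUBNET profile=ALL

rem Static port opening for a service whose port must stay open at all times
rem (placeholder 8080/tcp), again restricted to the local subnet.
netsh firewall add portopening protocol=TCP port=8080 name="Example Service" mode=ENABLE scope=SUBNET profile=ALL

rem Permit inbound echo request (ICMP type 8) so management tools can ping it.
netsh firewall set icmpsetting type=8 mode=ENABLE

rem Log dropped packets (not successful connections); the log is what an
rem administrator reviews to see which blocked traffic reached the host.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Print the resulting policy so the logon script output can be checked.
netsh firewall show config
netsh firewall show state
```

The script is idempotent, so it can run at every logon; re-adding an existing allowed program or port opening simply updates that entry.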

Page 23: Windows Firewall: RPC support

What is it?
WF watches as RPC apps register ports
Allows incoming requests only if service is running as Local System, Network Service, or Local Service

Why do it?
Can control which RPC services are exposed to the network
Better than granting permissions to SVCHOST.EXE

What's different?
Must do this for RPC; WF blocks all RPC by default

How do I fix it?
Developer documentation: WF API to automate

Page 24: WF inbound APIs

IPv4 inbound connections for applications and services
IPv4 inbound connections on RPC and DCOM ports

Page 25: Windows Firewall: Inbound applications (IPv4)

Issue
Application needs to bind to a socket and accept inbound requests

Do this
Call INetFwV4AuthorizedApplication as either enabled or disabled
Provide image file name, friendly name, and whether all traffic or local subnet

Notes
When application starts, WF dynamically opens ports
App must run as local admin to add to list, but can run in any context later
Apps should get user consent
Cannot add SVCHOST.EXE

Page 26: Windows Firewall: Inbound services (IPv4)

Issue
Service ports usually need to remain open always

Do this
Call INetFwV4OpenPort as either enabled or disabled
Provide port number, protocol, friendly name, and whether all traffic or local subnet

Notes
When service starts, WF opens ports
Service must run as local admin
Limit to local subnet whenever possible
Service should get user consent
Service should close ports if disabled

Page 27: Windows Firewall: Inbound RPC/DCOM (IPv4)

Issue
RPC handled by WF's new RPC awareness

Do this
Call INetFwV4Profile
Set AllowRpcPorts to "true"

Notes
App or service must run as local admin to enable RPC, but can run as admin, network service, or local service later
App or service should get user consent
Service should close ports if disabled

Page 28: RPC restrictions

Restrict remote clients
Require authentication to endpoint mapper (135/tcp)
New interface registration flags

Page 29: RPC restrictions: Restricting remote clients

What is it?
RestrictRemoteClients registry key to enforce authentication
Remote anonymous calls to RPC interfaces now rejected by default

Why do it?
Useful mitigation against worms that rely on exploitable buffer overruns invoked through anonymous connections

What's different?
Apps that expect anonymous calls might be affected

How do I fix it?
Require clients to use RPC security
Exempt interface from authentication using exemption flag

Page 30: RPC restrictions: Endpoint mapper authN

What is it?
Clients always contact EP mapper anonymously
If client restrictions are set, clients also won't be able to contact EP mapper

Why do it?
Setting EnableAuthEpResolution key tells RPC client to use NTLM authentication to EP mapper

What's different?
Both peers will need XP SP2

How do I fix it?
No need
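An added audit-and-harden script for the two RPC registry values named on the preceding two slides (RestrictRemoteClients and EnableAuthEpResolution). It is not from the original deck; the slides give only the value names, so the policy key path under which they live is an assumption supplied here, and the meaning of the RestrictRemoteClients levels is stated in the comments from the editor's knowledge of XP SP2 rather than from the slides.

```batch
@echo off
rem Added example: report and set the XP SP2 RPC restriction values.
rem The key path is assumed (not given on the slides); adjust if your
rem environment publishes the values through a different policy key.
set RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

echo Current RPC restriction values (a missing value means the SP2 default applies):
reg query "%RPCKEY%" /v RestrictRemoteClients 2>nul || echo   RestrictRemoteClients not set
reg query "%RPCKEY%" /v EnableAuthEpResolution 2>nul || echo   EnableAuthEpResolution not set

rem RestrictRemoteClients levels:
rem   0 = pre-SP2 behaviour, anonymous remote calls reach every interface (weak)
rem   1 = anonymous remote calls rejected unless the interface was registered
rem       with the exemption flag (the SP2 default described on the slide)
rem   2 = anonymous remote calls rejected for all interfaces, no exemptions
rem Pin the default explicitly so a later "0" cannot silently re-open the host.
reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem EnableAuthEpResolution = 1 makes RPC clients on this machine authenticate
rem (NTLM) to the endpoint mapper, so they can still resolve endpoints on peers
rem that enforce client restrictions. Both sides need XP SP2, as the slide notes.
reg add "%RPCKEY%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

echo Values after change:
reg query "%RPCKEY%"
```

Run it from an administrative command prompt; the reg query lines before the change are the useful part when auditing a fleet, since a host showing 0 is the one still accepting anonymous remote RPC.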

Page 31: RPC restrictions: New interface registration flags

What is it?
Three new flags for developers to use in applications

Why do it?
Provide additional security tools to make RPC better

What's different?
No effect on existing RPC applications

How do I fix it?
No need

Page 32: RPC restrictions: New interface registration flags

RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
RPC runtime invokes registered security callback for all calls
Without it: RPC rejects all unauthenticated calls before reaching security callback

RPC_IF_SEC_NO_CACHE
Disables security callback caching

RPC_IF_LOCAL_ONLY
Reject remote client calls
Reject local calls over all ncadg_* protocols
Reject all calls over ncacn_* protocols (except…)
Reject all calls over ncacn_np if not from SVR
Allow ncalrpc calls

Page 33: DCOM enhancements

Computer-wide restrictions
More specific COM permissions

Page 34: DCOM enhancements

Don't apply to in-process COM
Apply if your DCOM server meets any of these:
Access permission for app is less stringent than permission necessary to run it
App is usually activated on a Windows XP computer by a remote COM client not using administrative account
App uses unauthenticated remote callbacks
App is meant to be used locally

Page 35: DCOM enhancements: Computer-wide restrictions

What is it?
Computer-wide access controls that govern access to all DCOM requests on the computer
An additional AccessCheck against the ACL on each call, activation, or launch of any COM server

Why do it?
Minimum authorization bar that must be passed to access COM servers
Allows administrators to override weak security settings in an application's CoInitializeSecurity
ACLs checked when interfaces exposed by RPCSS are accessed

Page 36: DCOM enhancements: Computer-wide restrictions (default permissions)

Permission | Administrator                                                | Everyone                      | Anonymous
Launch     | Local launch, Local activate, Remote launch, Remote activate | Local launch, Local activate  |
Access     |                                                              | Local call, Remote call       | Local call

Page 37: DCOM enhancements: Computer-wide restrictions

What's different?
Local scenarios will continue to work
Most COM client scenarios will continue to work
Unauthenticated remote calls will break
Only administrators can remotely activate and launch

How do I fix it?
Don't write apps that require remote activation by non-admin client or remote unauthenticated calls!
Can change new defaults with registry keys

Page 38: DCOM enhancements: More specific COM permissions

What is it?
Distinguish COM access rights based on distance: local (LRPC), remote (e.g., RPC over TCP)

Why do it?
Create precise COM permission policy
Restrict app so it can only be used locally

What's different?
Launch/activate ACEs: LL, RL, LA, RA
Access (call) ACEs: LC, RC
Generally backward-compatible; some specific ACL alterations might be needed

How do I fix it?
Search MSDN on "LaunchPermission"

Page 39: Memory protection

Execution protection (NX)

Page 40: Memory protection: NX ("no execute")

Prevents code execution in data pages:
Default heap
Various stacks
Memory pools
Both user and kernel modes
Requires developers to explicitly mark pages as executable

Page 41: Memory protection: NX ("no execute")

OS feature that relies on processor hardware to mark memory
Functions on a per-VM page basis
Common: change a bit in the page table entry to mark the page
Affects apps that:
Perform just-in-time code generation
Execute memory from default process stack or heap

Page 42: Memory protection: NX ("no execute")

Hardware implementation varies by processor
Processor must raise exception when code executes from disallowed page
Current processor support:
AMD K8 (32-bit Windows)
Intel Itanium (64-bit Windows)

Page 43: Memory protection: 64-bit Windows

What is it?
Applications expected to function with NX enabled by default!
Protected areas: stack, paged pool, session pool, default process heap
Can't be disabled
To allocate virtual memory: call VirtualAlloc() with one of the PAGE_EXECUTE_* attributes

Page 44: Memory protection: 32-bit Windows

What is it?
User mode
AMD processors with "physical address extension" mode enabled
Investigating per-application methods to disable or enable NX
Result: unhandled exception; app terminates with STATUS_ACCESS_VIOLATION (0xc000005)

Kernel mode
Only to the stack by default
Can't be enabled/disabled on per-driver basis
Result: bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

Page 45: Memory protection: All versions

Why do it?
Many worms and viruses execute code from data pages
NX reduces impact: can't spread now
Encourages good software engineering

What's different?
Apps that perform dynamic code execution might break
Drivers that expect 64-bit addressing or >4 GB RAM in PAE mode might break
Drivers that do DMA transfers

How do I fix it?
Mark generated code with an execute permission
Update apps that execute from stack, default process heap, or dedicated heap
DMA transfers are double-buffered

Page 46: More secure browsing

Add-on management and crash detection
Binary behaviors security settings
BindToObject mitigation
MSJVM security setting
Local machine zone lockdown

Page 47
More secure browsing

- MIME handling enforcement
- Object caching
- Pop-up manager
- Untrusted publishers mitigations
- Window restrictions
- Zone elevation blocks

Page 48
More secure browsing: Add-on management

What is it?
- View and control all IE add-ons, including ones that were previously difficult to detect:
  - Browser helper objects
  - ActiveX controls
  - Toolbar extensions
  - Browser extensions
- Status bar and balloon notifications

Why do it?
- Error reporting data shows that add-ons create significant instability
- Many pose security risks

Page 49
More secure browsing: Add-on management

What's different?
- Disabled add-ons are not removed; IE simply won't instantiate them
- Applies only to IEXPLORE.EXE and EXPLORER.EXE
- Other programs built on IE components won't respect the disabled state

How do I fix it?
- Use "Manage Add-ons" to restore broken functionality
- Restart IE

Page 51
More secure browsing: Add-on admin control

- Can alter user control of add-ons through a registry key (apply with GPO)
- Normal: user has full control (default)
- AllowList: admin specifies which add-ons are allowed; users can't change the list
- DenyList: admin specifies which add-ons are denied; users can run the others

Page 52
More secure browsing: Add-on crash detection

- A crash detection program launches when IE crashes and collects:
  - The list of DLLs that are loaded
  - The value of the instruction pointer (EIP)
- It finds the DLL whose memory range the EIP lies within; the DLL must be:
  - Non-system
  - A COM server for an IE add-on
- Displays a dialog to manage the add-on; it can be disabled from here
- Note: the EIP identifies the module that faulted, which is not always the add-on that corrupted the state; treat the dialog as a lead, not proof

Page 53
More secure browsing: Binary behaviors setting

What is it?
- Components, attached to HTML, that encapsulate specific functionality
- New "URL Action" setting in each zone

Why do it?
- Unrestricted binary behaviors could be exploited
- Allow users to control binary behaviors

What's different?
- Disallowed in the Restricted Sites zone

How do I fix it?
- Custom security manager for apps that need to run in the Restricted Sites zone
- http://go.microsoft.com/fwlink/?linkid=21863

Page 54
More secure browsing: BindToObject mitigation

What is it?
- Apply security policies consistently at the source of URL binding: URLMON

Why do it?
- Uniformly enforce the ActiveX security model rather than relying on the calling code
- Eliminates exploits that use IE to reach vulnerabilities in the calling code

What's different?
- Affects any component that wants to resolve a URL and get back a stream or object

How do I fix it?
- http://go.microsoft.com/fwlink/?linkid=21814

Page 55
More secure browsing: MSJVM security setting

What is it?
- Separate setting to control the MSJVM
- Existing JVM setting renamed

Why do it?
- No known threats to the MSJVM

What's different?
- Clean installs of these will lack the MSJVM:
  - Windows XP SP2 full OS
  - Windows Server 2003
  - Windows 2000 SP4 full OS
- Upgrading won't remove the MSJVM

How do I fix it?
- Need to transition away from the MSJVM
- http://go.microsoft.com/fwlink/?linkid=21850

Page 56
More secure browsing: Local machine zone lockdown

What is it?
- A security zone, not shown in the UI, in which all local HTML pages on a computer run

Why do it?
- Helps stop malicious local code from elevating privilege

What's different?
- Enabled for IE processes
- Not enabled for non-IE processes

How do I fix it?
- Can save HTML as .HTA (dangerous: full privileges)
- Use "mark of the web" comments to load the file into another security zone

Page 57
More secure browsing: Local machine zone lockdown, overridden URL actions

- Run ActiveX: disallow
- Override ActiveX safety: disallow
- Run scripts: prompt
- Cross-domain data: prompt
- Block binary behaviors: disallow
- Java permissions: disallow
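The "mark of the web" fix from the lockdown slides above, as an added example that is not code from the deck or from Microsoft. The mark is an HTML comment of the form `<!-- saved from url=(NNNN)URL -->` placed at the top of a locally saved page, where NNNN is the length of URL in decimal, zero-padded to four digits; the page then runs in the zone that URL maps to instead of the Local Machine zone, and `about:internet` (length 14) is the conventional URL for "treat this as Internet-zone content". The generator computes the length field for you, and the checker rejects a mark whose length field does not match the URL it carries, since a mismatched mark does not get the file out of the lockdown. Both function names are the editor's own.

```c
/* Added example: generate and validate the "mark of the web" comment that
 * moves a local HTML file out of the Local Machine zone. */
#include <stdio.h>
#include <string.h>

#define MOTW_PREFIX "<!-- saved from url=("
#define MOTW_SUFFIX " -->"

/* Write the mark for `url` into `out`.  Returns the length written, or -1
 * when the URL is empty, longer than the four-digit field allows, or the
 * buffer is too small. */
int make_mark_of_the_web(const char *url, char *out, size_t out_len) {
    size_t n = strlen(url);
    if (n == 0 || n > 9999)                 /* the length field is exactly 4 digits */
        return -1;
    int w = snprintf(out, out_len, MOTW_PREFIX "%04zu)%s" MOTW_SUFFIX, n, url);
    if (w < 0 || (size_t)w >= out_len)
        return -1;
    return w;
}

/* Parse one line.  Returns 1 and copies the URL into `url_out` when the line
 * is a well-formed mark whose length field matches the URL it carries;
 * returns 0 for anything else (no mark, malformed mark, or a mismatched
 * count, which is treated as no mark at all). */
int parse_mark_of_the_web(const char *line, char *url_out, size_t url_cap) {
    size_t plen = strlen(MOTW_PREFIX);
    if (strncmp(line, MOTW_PREFIX, plen) != 0)
        return 0;

    const char *p = line + plen;
    size_t declared = 0;
    for (int i = 0; i < 4; i++) {           /* exactly four decimal digits */
        if (p[i] < '0' || p[i] > '9')
            return 0;
        declared = declared * 10 + (size_t)(p[i] - '0');
    }
    if (p[4] != ')')
        return 0;

    const char *url = p + 5;
    size_t slen = strlen(MOTW_SUFFIX);
    /* The suffix must begin exactly `declared` bytes into the URL: this is
     * what enforces "length field == actual URL length". */
    if (strlen(url) < declared + slen)
        return 0;
    if (strncmp(url + declared, MOTW_SUFFIX, slen) != 0)
        return 0;
    if (declared + 1 > url_cap)
        return 0;

    memcpy(url_out, url, declared);
    url_out[declared] = '\0';
    return 1;
}

int main(void) {
    char mark[256], url[256];
    if (make_mark_of_the_web("about:internet", mark, sizeof mark) > 0)
        printf("%s\n", mark);               /* put this line first in the saved .htm */
    if (parse_mark_of_the_web(mark, url, sizeof url))
        printf("file will run in the zone of: %s\n", url);
    return 0;
}
```

Use a real site URL instead of about:internet only when you want the file to inherit that site's zone (for example a Trusted Sites entry); for content of unknown provenance, about:internet keeps it in the Internet zone, where the Page 57 URL actions do not apply but ActiveX and script are still governed by the Internet-zone settings.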

Page 58
More secure browsing: MIME handling enforcement

What is it?
- IE checks received files in four ways:
  - File name extension
  - Content-Type from the HTTP header (MIME type)
  - Content-Disposition from the HTTP header
  - MIME sniff

Why do it?
- Eliminates improper handling of mis-reported files (e.g., an .EXE assumed to be text)

What's different?
- If the MIME sniff results in a different type, IE changes the file extension in the cache
- Never elevates to a more dangerous type

How do I fix it?
- Report your MIME types correctly!
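The "never elevates to a more dangerous type" rule, as an added example that is not code from the deck and is not IE's real type tables: a received file is classified by extension, by the Content-Type header and by sniffing its leading bytes, and the sniffed result is allowed to change handling (and so the cached extension) only when it is no more dangerous than what was declared. The danger ordering (text < image < HTML < executable), the tiny extension and Content-Type tables, the sniffing heuristics and the function names are the editor's simplification. The two interesting cases are an .EXE served as text/plain, which is not promoted to executable, and a text/plain response that sniffs as HTML, which stays text rather than being promoted to a type that can run script.

```c
/* Added example: downgrade-only reconciliation of declared type vs sniffed
 * content (a model of the slide's "never elevate" rule, not IE's tables). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    KIND_UNKNOWN = 0,  /* nothing recognised */
    KIND_TEXT,         /* plain text: lowest risk */
    KIND_IMAGE,
    KIND_HTML,         /* can carry script */
    KIND_EXECUTABLE    /* highest risk */
} kind_t;

/* Assumed ordering: a larger value is more dangerous. */
static int danger(kind_t k) { return (int)k; }

kind_t kind_from_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return KIND_UNKNOWN;
    if (strcmp(dot, ".txt") == 0) return KIND_TEXT;
    if (strcmp(dot, ".png") == 0 || strcmp(dot, ".gif") == 0) return KIND_IMAGE;
    if (strcmp(dot, ".htm") == 0 || strcmp(dot, ".html") == 0) return KIND_HTML;
    if (strcmp(dot, ".exe") == 0) return KIND_EXECUTABLE;
    return KIND_UNKNOWN;
}

/* Compare the media type, ignoring any "; charset=..." parameters. */
static int ct_is(const char *ct, const char *want) {
    size_t n = strlen(want);
    return strncmp(ct, want, n) == 0 && (ct[n] == '\0' || ct[n] == ';');
}

kind_t kind_from_content_type(const char *ct) {
    if (ct == NULL || *ct == '\0') return KIND_UNKNOWN;
    if (ct_is(ct, "text/plain")) return KIND_TEXT;
    if (ct_is(ct, "text/html")) return KIND_HTML;
    if (strncmp(ct, "image/", 6) == 0) return KIND_IMAGE;
    if (ct_is(ct, "application/x-msdownload")) return KIND_EXECUTABLE;
    return KIND_UNKNOWN;
}

static int tag_at(const unsigned char *p, size_t avail, const char *tag) {
    size_t n = strlen(tag);
    if (avail < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(p[i]) != tag[i]) return 0;
    return 1;
}

static const char *const html_tags[] = { "<html", "<!doctype", "<head", "<body", "<script" };

/* Sniff the first bytes: MZ header, PNG/GIF magic, an HTML tag, or text. */
kind_t kind_from_sniff(const unsigned char *data, size_t len) {
    size_t scan = len < 256 ? len : 256;
    if (len >= 2 && data[0] == 'M' && data[1] == 'Z')
        return KIND_EXECUTABLE;                    /* DOS/PE header */
    if (len >= 4 && data[0] == 0x89 && memcmp(data + 1, "PNG", 3) == 0)
        return KIND_IMAGE;
    if (len >= 3 && memcmp(data, "GIF", 3) == 0)
        return KIND_IMAGE;
    for (size_t i = 0; i < scan; i++)
        if (data[i] == '<')
            for (size_t t = 0; t < sizeof html_tags / sizeof html_tags[0]; t++)
                if (tag_at(data + i, scan - i, html_tags[t]))
                    return KIND_HTML;
    for (size_t i = 0; i < scan; i++)
        if (!isprint(data[i]) && !isspace(data[i]))
            return KIND_UNKNOWN;                   /* binary we don't recognise */
    return KIND_TEXT;
}

/* The header wins over the extension; the extension is only a fallback. */
kind_t declared_kind(const char *name, const char *content_type) {
    kind_t k = kind_from_content_type(content_type);
    return k != KIND_UNKNOWN ? k : kind_from_extension(name);
}

/* Final handling: the sniffed kind is used only when it does not raise the
 * danger level.  An undeclared file stays KIND_UNKNOWN: a sniff alone never
 * promotes it (the model's conservative choice). */
kind_t resolve_kind(const char *name, const char *content_type,
                    const unsigned char *data, size_t len) {
    kind_t declared = declared_kind(name, content_type);
    kind_t sniffed = kind_from_sniff(data, len);
    if (sniffed == KIND_UNKNOWN) return declared;
    return danger(sniffed) <= danger(declared) ? sniffed : declared;
}

/* Convenience wrapper for NUL-terminated sample bodies. */
kind_t resolve_str(const char *name, const char *content_type, const char *body) {
    return resolve_kind(name, content_type, (const unsigned char *)body, strlen(body));
}

/* "IE changes the file extension in the cache" applies when the final kind
 * disagrees with the name the file arrived with. */
int cache_needs_rename(const char *name, kind_t final_kind) {
    return kind_from_extension(name) != final_kind;
}

int main(void) {
    /* constructed sample: an executable served as text must not be promoted */
    kind_t k = resolve_str("readme.txt", "text/plain", "MZ\x90 this is really a PE file");
    printf("readme.txt served as text/plain with MZ body -> kind %d, rename=%d\n",
           (int)k, cache_needs_rename("readme.txt", k));
    return 0;
}
```

A download gateway or proxy that applies this rule sees the same benefit the slide describes: a mislabelled file can only be handled more conservatively than its server claimed, never less.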

Page 59
More secure browsing: Object caching

What is it?
- New security context on all scriptable objects
- Access is blocked when navigating away from the current FQDN

Why do it?
- A single MSHTML instance persists across navigations, so cached objects remain available to the next page
- Eliminates the current cross-domain hole exploitable through frames

What's different?
- Four more bytes added to cached markup

How do I fix it?
- Probably nothing here

Page 60
More secure browsing: Untrusted publishers mitigations

What is it?
- Block all signed content from a publisher
- One prompt per control per page
- Block invalid signatures
- Display an ellipsis if the text is longer than the box

Why do it?
- Eliminate repeated prompts
- Stop modified code

What's different?
- New functionality
- Reduces social engineering tricks

How do I fix it?
- Not needed

Page 61
More secure browsing: Zone elevation blocks

What is it?
- IE prevents the security context for any link from being higher than the context of the current page

Why do it?
- Stop scripts from navigating to a higher security zone

What's different?
- Web pages that try to call more privileged pages will fail
- Only a user-clicked link can go to higher privilege

How do I fix it?
- Fix apps to require user initiation

Page 62
More secure browsing: Window restrictions

What is it?
- Scripts can't position or resize windows so that the title and status bars are offscreen
- Scripts can't turn off the status bar

Why do it?
- Eliminates windows that try to spoof desktop objects
- Allows users to always see the security zone

What's different?
- Title and status bars will always be visible to users

How do I fix it?
- Must change code that will break

Page 63
More secure browsing: Window restrictions

- Unrestricted "chromeless" windows can cover important UI elements and deceive users
- Script-initiated pop-ups are constrained:
  - Appear between the top and bottom of the parent window "chrome"
  - Must overlap some part of the parent window
  - Must stay immediately on top of the parent (e.g., can't be placed over dialogs)

Page 64
More secure browsing: Pop-up manager

What is it?
- Blocks automatic and background pop-up windows activated by:
  - window.open()
  - window.external.navigateAndFind()
  - showHelp()
- Doesn't affect windows opened by:
  - Mouse click
  - Locally-running software
  - ActiveX controls on a web site
  - Trusted Sites or Local Intranet zones

Why do it?
- Pop-ups suck!

Page 65
More secure browsing: Pop-up manager

What's different?
- Allowed windows that open outside the viewable screen are positioned onto the viewable area
- Allowed windows that open larger than the viewable screen are resized to the viewable area

How do I fix it?
- No need

Page 66
More secure browsing: Pop-up manager

- Notification and sound, with choices:
  - Show blocked pop-up
  - Allow pop-ups from this site
  - Block pop-ups
  - Open pop-up management options
- Configuration choices:
  - Allow list
  - Block all, including clicked pop-ups
  - Override key for the above
  - Sound
  - Zones

Page 68
OK, what's next?

Page 69
More resiliency

- Increase protection and security of Windows XP, even if updates haven't been installed
- Implications for users and developers
- The next step of trustworthy computing

Page 70
Updates

"New security technologies in Windows XP Service Pack 2"
http://go.microsoft.com/fwlink/?linkid=20969

Page 71
© 2004 Microsoft Corporation. All rights reserved.

Steve Riley
[email protected]