Improving Resiliency
Service Pack 2

What is SP2?
All the usual stuff of course
Post-SP1 hotfixes (more regression testing)
New security technologies
Network protection
Memory protection
Safer e-mail handling
More secure browsing
Improved computer maintenance

Security goals
Increase the security resiliency of Windows XP
Reduce damage of worms and viruses even if updates are not installed
Make attackers work harder

Defense in depth
Networks: routers, firewalls, VLANs, subnetting
Hosts: IPsec, access control lists
Applications and data: authentication, authorization, rights management, access control lists, execution partitions
Users: Uhh…

Network protection
Windows Firewall
RPC interface restrictions
DCOM security enhancements

WF—changes
Enhanced multicast and broadcast support
Updated NETSH helper for IPv6 WF
Updated user interface
New group policy support

Windows Firewall
Updated user interface
What is it?
New dialogs and settings
Final UI still under design
Why do it?
Necessary for new configuration options
What’s different?
Now a control panel applet
How do I fix it?
No need

Windows Firewall
Enhanced m’cast and b’cast
What is it?
If WF receives incoming m’cast or b’cast traffic, it allows for three seconds a response from any source address to the originating port
Why do it?
Allows responses without adding client applications to permissions lists
What’s different?
Incoming b’cast and m’cast traffic now passes through WF without manual configuration
How do I fix it?
No need

Windows Firewall
New group policy support
What is it?
More objects for better control
Operational mode, allowed programs, opened ports (static), ICMP settings, enable RPC
Why do it?
Better management between corporate and standard profiles
What’s different?
IPv4 only (IPv6 still just on/off)
Final GPOs might change
How do I fix it?
No need

WF—new features
On by default
Multiple profiles
WF permissions list
Local subnet restriction
Global and per-interface configurations
Boot time security
Command-line support
Shielded operational mode
RPC support

Windows Firewall
On by default
What is it?
WF on by default on all interfaces
New installations and upgrades
Enabled when new interfaces are added
Why do it?
Configuring WF proved to be too difficult
Default configuration provides good protection against worms (e.g., Blaster)
What’s different?
Certain applications might require special WF settings
How do I fix it?
Developer documentation WF API

Windows Firewall
Multiple profiles
What is it?
Location-based profiles: one when connected to a corporate network, another when connected to the Internet
Why do it?
Can have a more relaxed profile when corp-attached and a more restrictive profile when traveling
What’s different?
Computer must be domain-joined
Listening applications might need to be on both profiles
How do I fix it?
No need

Windows Firewall
Permissions list
What is it?
Applications that need to open listening ports
Why do it?
Allows application to run in lower security context
Only local administrator can add to list
Ports remain open only while application is running
What’s different?
Any app that listens must be on the list
How do I fix it?
No need

Windows Firewall
Local subnet restriction
What is it?
Can restrict port opening to local subnet address range
Is the default for file sharing ports
Why do it?
More granularity—allows local subnet communication but not to/from Internet
What’s different?
Enabling “file and printer sharing” applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp
How do I fix it?
Developer documentation WF API if application can’t work with restriction

Windows Firewall
Global configuration
What is it?
Configuration changes apply to all interfaces (including new interfaces)
Per-interface configuration still possible
Why do it?
Easier to synchronize policy across multiple interfaces
New interfaces get a policy when created
What’s different?
Global plus local configs
How do I fix it?
Developer documentation WF API

Windows Firewall
Boot time security
What is it?
New static filtering policy at boot time
Permits DNS, DHCP, Netlogon
WF policy applied after logon
Why do it?
Closes hole that existed after boot but before policy application
What’s different?
Nothing
How do I fix it?
No need

Windows Firewall
Command-line support
What is it?
Add WF configuration to NETSH utility
Default state, open ports, global or per-interface, subnet restrictions, logging options, ICMP handling, application permissions
Why do it?
Best method for logon scripts and group policy
What’s different?
Nothing—new functionality
How do I fix it?
No need

Windows Firewall
RPC support
What is it?
WF watches as RPC apps register ports
Allows incoming requests only if service is running as Local System, Network Service, or Local Service
Why do it?
Can control which RPC services are exposed to the network
Better than granting permissions to SVCHOST.EXE
What’s different?
Must do this for RPC—WF blocks all RPC by default
How do I fix it?
Developer documentation WF API to automate

WF—Inbound APIs
IPv4 inbound connections for applications and services
IPv4 inbound connections on RPC and DCOM ports

Windows Firewall
Inbound applications (IPv4)
Issue
Application needs to bind to a socket and accept inbound requests
Do this
Call INetFwV4AuthorizedApplication as either enabled or disabled
Provide image file name, friendly name, and whether all traffic or local subnet
Notes
When application starts, WF dynamically opens ports
App must run as local admin to add to list, but can run in any context later
Apps should get user consent
Cannot add SVCHOST.EXE

Windows Firewall
Inbound services (IPv4)
Issue
Service ports usually need to remain open always
Do this
Call INetFwV4OpenPort as either enabled or disabled
Provide port number, protocol, friendly name, and whether all traffic or local subnet
Notes
When service starts, WF opens ports
Service must run as local admin
Limit to local subnet whenever possible
Service should get user consent
Service should close ports if disabled

Windows Firewall
Inbound RPC/DCOM (IPv4)
Issue
RPC handled by WF’s new RPC awareness
Do this
Call INetFwV4Profile; set AllowRpcPorts to “true”
Notes
App or service must run as local admin to enable RPC, but can run as admin, network service, or local service later
App or service should get user consent
Service should close ports if disabled

RPC restrictions
Restrict remote clients
Require authentication to endpoint mapper (135/tcp)
New interface registration flags

RPC restrictions
Restricting remote clients
What is it?
RestrictRemoteClients registry key to enforce authentication
Remote anonymous calls to RPC interfaces now rejected by default
Why do it?
Useful mitigation against worms that rely on exploitable buffer overruns invoked through anonymous connections
What’s different?
Apps that expect anonymous calls might be affected
How do I fix it?
Require clients to use RPC security
Exempt interface from authentication using exemption flag

RPC restrictions
Endpoint mapper authN
What is it?
Clients always contact EP mapper anonymously
If client restrictions are set, clients also won’t be able to contact EP mapper
Why do it?
Setting EnableAuthEpResolution key tells RPC client to use NTLM authentication to EP mapper
What’s different?
Both peers will need XP SP2
How do I fix it?
No need

RPC restrictions
New i/f registration flags
What is it?
Three new flags for developers to use in applications
Why do it?
Provide additional security tools to make RPC better
What’s different?
No effect on existing RPC applications
How do I fix it?
No need

RPC restrictions
New i/f registration flags
RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
RPC runtime invokes registered security callback for all calls
Without: RPC rejects all unauthenticated calls before reaching security callback
RPC_IF_SEC_NO_CACHE
Disables security callback caching
RPC_IF_LOCAL_ONLY
Reject remote client calls
Reject local calls over all ncadg_* protocols
Reject all calls over ncacn_* protocols (except…)
Reject all calls over ncacn_np if not from SVR
Allow ncalrpc calls

DCOM enhancements
Computer-wide restrictions
More specific COM permissions

DCOM enhancements
Don’t apply to in-process COM
Apply if your DCOM server meets any:
Access permission for app is less stringent than permission necessary to run it
App is usually activated on a Windows XP computer by a remote COM client not using administrative account
App uses unauthenticated remote callbacks
App is meant to be used locally

DCOM enhancements
Computer-wide restrictions
What is it?
Computer-wide access controls that govern access to all DCOM requests on the computer
An additional AccessCheck against the ACL on each call, activation, or launch of any COM server
Why do it?
Minimum authorization bar that must be passed to access COM servers
Allows administrators to override weak security settings in an application’s CoInitializeSecurity
ACLs checked when interfaces exposed by RPCSS are accessed

DCOM enhancements
Computer-wide restrictions

Permission   Administrator     Everyone         Anonymous
Launch       Local launch      Local launch
             Local activate    Local activate
             Remote launch
             Remote activate
Access       Local call        Local call
             Remote call

DCOM enhancements
Computer-wide restrictions
What’s different?
Local scenarios will continue to work
Most COM client scenarios will continue to work
Unauthenticated remote calls will break
Only administrators can remotely activate and launch
How do I fix it?
Don’t write apps that require remote activation by non-admin client or remote unauthenticated calls!
Can change new defaults with registry keys

DCOM enhancements
More specific COM perms
What is it?
Distinguish COM access rights based on distance: local (LRPC), remote (e.g., RPC over TCP)
Why do it?
Create precise COM permission policy
Restrict app so it can only be used locally
What’s different?
Launch/activate ACEs: LL, RL, LA, RA
Access (call) ACEs: LC, RC
Generally backward-compatible, some specific ACL alterations might be needed
How do I fix it?
Search MSDN on “LaunchPermission”

Memory protection
Execution protection (NX)

Memory protection
NX—“no execute”
Prevents code execution in data pages: default heap, various stacks, memory pools
Both user and kernel modes
Requires developers to explicitly mark pages as executable

Memory protection
NX—“no execute”
OS feature that relies on processor hardware to mark memory
Functions on a per-VM page basis
Common: change a bit in the page table entry to mark the page
Affects apps that:
Perform just-in-time code generation
Execute memory from default process stack or heap

Memory protection
NX—“no execute”
Hardware implementation varies by processor
Processor must raise exception when code executes from disallowed page
Current processor support
AMD K8 (32-bit Windows)
Intel Itanium (64-bit Windows)

Memory protection
64-bit Windows
What is it?
Applications expected to function with NX enabled by default!
Protected areas: stack, paged pool, session pool, default process heap
Can’t be disabled
To allocate virtual memory—call VirtualAlloc() with one of the PAGE_EXECUTE_* attributes

Memory protection
32-bit Windows
What is it?
User mode
AMD processors with “physical address extension” mode enabled
Investigating per-application methods to disable or enable NX
Result: unhandled exception; app terminates with STATUS_ACCESS_VIOLATION (0xC0000005)
Kernel mode
Only to the stack by default
Can’t be enabled/disabled on per-driver basis
Result: bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

Memory protection
All versions
Why do it?
Many worms and viruses execute code from data pages
NX reduces impact—can’t spread now
Encourages good software engineering
What’s different?
Apps that perform dynamic code execution might break
Drivers that expect 64-bit addressing or >4 GB RAM in PAE mode might break
Drivers that do DMA transfers
How do I fix it?
Mark generated code with an execute permission
Update apps that execute from stack, default process heap, or dedicated heap
DMA transfers are double-buffered

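The fix the slides prescribe for code generators (allocate the generated code's page with an explicit execute permission instead of running it from the heap or stack), as an added example that is not code from the deck: it emits a tiny function into a read/write page, flips that page to read/execute, and only then calls it. On Windows this is the VirtualAlloc()/VirtualProtect() path with the PAGE_EXECUTE_* attributes the slides name; the mmap()/mprotect() branch is assumed as the POSIX equivalent so the same file builds on Linux. The emitted bytes are x86-64 only, so jit_supported() reports 0 and the generator returns -1 on any other processor.

```c
/* Added example: emitting code at run time under NX ("no execute").
 * Under NX, bytes written to an ordinary heap or stack page cannot be
 * executed; the generator must place them in a page it has explicitly
 * marked executable.  Assumptions: the emitted bytes are x86-64 only;
 * the Windows branch is the PAGE_EXECUTE_* path from the slides, the
 * POSIX branch is the equivalent so the file also builds on Linux. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

typedef int (*const_fn)(void);

/* 1 when this build can emit and run the x86-64 bytes below. */
int jit_supported(void)
{
#if defined(__x86_64__) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}

/* Reserve one page of read/write memory that carries no execute right. */
static void *alloc_rw_page(size_t *len)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    *len = si.dwPageSize;
    return VirtualAlloc(NULL, *len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    *len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, *len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Drop the write right and grant execute: the step NX requires of a
 * code generator.  PAGE_EXECUTE_READWRITE would also work, but a page
 * that stays writable can be overwritten by any bug in the process,
 * so the example uses read/execute only. */
static int make_executable(void *p, size_t len)
{
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old))
        return 0;
    FlushInstructionCache(GetCurrentProcess(), p, len);
    return 1;
#else
    return mprotect(p, len, PROT_READ | PROT_EXEC) == 0;
#endif
}

static void free_page(void *p, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Generate "mov eax, value; ret" (B8 imm32 C3), mark the page executable,
 * call the generated function and return its result.  Returns -1 when
 * the host is not x86-64 or the page could not be set up. */
int run_generated_constant(int32_t value)
{
    if (!jit_supported())
        return -1;
    size_t len;
    uint8_t *code = alloc_rw_page(&len);
    if (code == NULL)
        return -1;
    code[0] = 0xB8;                         /* mov eax, imm32 */
    memcpy(code + 1, &value, sizeof value); /* little-endian immediate */
    code[5] = 0xC3;                         /* ret */
    int result = -1;
    if (make_executable(code, len)) {
        const_fn fn;
        memcpy(&fn, &code, sizeof fn);      /* data pointer -> function pointer */
        result = fn();                      /* runs from an executable page */
    }
    free_page(code, len);
    return result;
}

int main(void)
{
    printf("generated function returned %d\n", run_generated_constant(42));
    return 0;
}
```

Calling fn() before make_executable() is exactly the case the slides describe: the processor raises the exception and the process terminates with STATUS_ACCESS_VIOLATION.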
More secure browsing
Add-on management and crash detection
Binary behaviors security settings
BindToObject mitigation
MSJVM security setting
Local machine zone lockdown

More secure browsing
MIME handling enforcement
Object caching
Pop-up manager
Untrusted publishers mitigations
Window restrictions
Zone elevation blocks

More secure browsing
Add-on management
What is it?
View and control all IE add-ons, including ones previously difficult to detect: browser helper objects, ActiveX controls, toolbar extensions, browser extensions
Status bar and balloon notifications
Why do it?
Error reporting data shows add-ons create significant instability
Many pose security risks

More secure browsing
Add-on management
What’s different?
Disabled add-ons not removed; IE simply won’t instantiate them
Applies only to IEXPLORE.EXE and EXPLORER.EXE
Other programs based on IE components won’t respect disabled state
How do I fix it?
Use “Manage Add-ons” to restore broken functionality
Restart IE

More secure browsing
Add-on admin control
Can alter user control of add-ons through registry key (apply with GPO)
Normal: user has full control (default)
AllowList: admin specifies which add-ons are allowed; users can’t change
DenyList: admin specifies which add-ons are denied; users can run others

More secure browsing
Add-on crash detection
Crash detection program launches when IE crashes; collects: list of DLLs that are loaded, value of instruction pointer (EIP)
Finds DLL whose memory range the EIP lies within; DLL must be: non-system, a COM server for an IE add-on
Displays dialog to manage
Disable from here

More secure browsing
Binary behaviors setting
What is it?
Components, attached to HTML, that encapsulate specific functionality
New “URL Action” setting in each zone
Why do it?
Unrestricted binary behaviors could be exploited
Allow users to control binary behaviors
What’s different?
Disallowed in restricted sites zone
How do I fix it?
Custom security manager for apps that need to run in restricted sites zone
http://go.microsoft.com/fwlink/?linkid=21863

More secure browsing
BindToObject mitigation
What is it?
Apply security policies consistently at source of URL binding: URLMON
Why do it?
Uniformly enforce ActiveX security model rather than relying on calling code
Eliminates exploits that use IE to compromise vulns in calling code
What’s different?
Any component that wants to resolve a URL and get back a stream or object
How do I fix it?
http://go.microsoft.com/fwlink/?linkid=21814

More secure browsing
MSJVM security setting
What is it?
Separate setting to control MSJVM
Existing JVM setting renamed
Why do it?
No known threats to MSJVM
What’s different?
Clean installs of these will lack MSJVM: Windows XP SP 2 full OS, Windows Server 2003, Windows 2000 SP 4 full OS
Upgrading won’t remove MSJVM
How do I fix it?
Need to transition away from MSJVM
http://go.microsoft.com/fwlink/?linkid=21850

More secure browsing
Local machine zone lockdown
What is it?
A non-displayed security zone that runs all local HTML pages on a computer
Why do it?
Helps stop malicious local code from elevating privilege
What’s different?
Enabled for IE processes
Not enabled for non-IE processes
How do I fix it?
Can save HTML as .HTA (dangerous: full privileges)
Use “mark of the web” comments to load file into another security zone

More secure browsing
Local machine zone lockdown
Overridden URL actions
Run ActiveX: disallow
Override ActiveX safety: disallow
Run scripts: prompt
Cross domain data: prompt
Block binary behaviors: disallow
Java permissions: disallow

More secure browsing
MIME handling enforcement
What is it?
IE checks received files in four ways: file name extension, Content-Type from HTTP header (MIME type), Content-Disposition from HTTP header, MIME sniff
Why do it?
Eliminates improper handling of mis-reported files (e.g., .EXE assumed as text)
What’s different?
If MIME sniff results in different type, IE changes file extension in cache
Never elevates to a more dangerous type
How do I fix it?
Report your MIME types correctly!

More secure browsing
Object caching
What is it?
New security context on all scriptable objects
Access blocked when navigating away from current FQDN
Why do it?
Single MSHTML instance across navigations; cached objects available
Eliminate current cross-domain hole exploitable by frames
What’s different?
Four more bytes added to cached markup
How do I fix it?
Probably nothing here

More secure browsingMore secure browsing
Untrusted publishers Untrusted publishers mitigationsmitigationsWhatWhatis it?is it?
Block all signed content from a Block all signed content from a publisherpublisher
One prompt per control per pageOne prompt per control per page Block invalid signaturesBlock invalid signatures Display ellipsis if text is longer Display ellipsis if text is longer
than boxthan box
WhyWhydo it?do it?
Eliminate repeated promptsEliminate repeated prompts Stop modified codeStop modified code
What’s What’s differendifferent?t?
New functionalityNew functionality Reduces social engineering tricksReduces social engineering tricks
How doHow doI fix it?I fix it?
Not neededNot needed
More secure browsingMore secure browsing
Zone elevation blocksZone elevation blocksWhatWhatis it?is it?
IE prevents the security context IE prevents the security context for any link from being higher than for any link from being higher than the context of the current pagethe context of the current page
WhyWhydo it?do it?
Stop scripts from navigating to Stop scripts from navigating to higher security zonehigher security zone
What’s What’s differendifferent?t?
Web pages that try to call more Web pages that try to call more privileged pages will failprivileged pages will fail
Only a user-clicked link can go to Only a user-clicked link can go to higher privilegehigher privilege
How doHow doI fix it?I fix it?
Fix apps to require user initiationFix apps to require user initiation
More secure browsingMore secure browsing
Window restrictionsWindow restrictionsWhatWhatis it?is it?
Scripts can’t position or resize Scripts can’t position or resize windows with title and status bars windows with title and status bars offscreenoffscreen
Scripts can’t turn off status barScripts can’t turn off status bar
WhyWhydo it?do it?
Eliminates windows that try to Eliminates windows that try to spoof desktop objectsspoof desktop objects
Allows users to always see Allows users to always see security zonesecurity zone
What’s What’s differendifferent?t?
Title and status bars will always be Title and status bars will always be visible to usersvisible to users
How doHow doI fix it?I fix it?
Must change code that will breakMust change code that will break
More secure browsingMore secure browsing
Window restrictionsWindow restrictions Unrestricted “chromeless” Unrestricted “chromeless”
windows can cover important UI windows can cover important UI elements and deceive userselements and deceive users
Script-initiated pop-ups are Script-initiated pop-ups are constrainedconstrained Appear between top and bottom of Appear between top and bottom of
parent window “chrome”parent window “chrome” Must overlap some part of parent Must overlap some part of parent
windowwindow Must stay immediately on top of Must stay immediately on top of
parent (eg., can’t be placed over parent (eg., can’t be placed over dialogs)dialogs)
More secure browsingMore secure browsing
Pop-up managerPop-up managerWhatWhatis it?is it?
Blocks automatic and background Blocks automatic and background pop-up windows activated by:pop-up windows activated by: window.open()window.open() window.external.navigateAndFind()window.external.navigateAndFind() showHelp()showHelp()
Doesn’t affect windows opened by:Doesn’t affect windows opened by: Mouse clickMouse click Locally-running softwareLocally-running software ActiveX controls on a web siteActiveX controls on a web site Trusted sites or local intranet zonesTrusted sites or local intranet zones
WhyWhydo it?do it?
Pop-ups suck!Pop-ups suck!
More secure browsingMore secure browsing
Pop-up managerPop-up managerWhat’s What’s differendifferent?t?
Allowed windows that open Allowed windows that open outside viewable screen are outside viewable screen are positioned onto viewable areapositioned onto viewable area
Allowed windows that open larger Allowed windows that open larger than the viewable screen are than the viewable screen are resized to the viewable arearesized to the viewable area
How doHow doI fix it?I fix it?
No needNo need
More secure browsingMore secure browsing
Pop-up managerPop-up manager Notification and sound, with Notification and sound, with
choices:choices: Show blocked pop-upShow blocked pop-up Allow pop-ups from this siteAllow pop-ups from this site Block pop-upsBlock pop-ups Open pop-up management optionsOpen pop-up management options
Configuration choicesConfiguration choices Allow listAllow list Block all, including clicked pop-upsBlock all, including clicked pop-ups Override key for aboveOverride key for above SoundSound ZonesZones
OK, what’s next?OK, what’s next?
More resiliencyMore resiliency
Increase protection and security Increase protection and security of Windows XPof Windows XP Even if updates haven’t been Even if updates haven’t been
installedinstalled Implications for users and Implications for users and
developersdevelopers The next step of trustworthy The next step of trustworthy
computingcomputing
UpdatesUpdates
““New security technologies in New security technologies in Windows XP Service Pack 2”Windows XP Service Pack 2”
http://go.microsoft.com/fwlink/?http://go.microsoft.com/fwlink/?linkid=20969linkid=20969
© 2004 Microsoft Corporation. All rights reserved.© 2004 Microsoft Corporation. All rights reserved.
Steve RileySteve [email protected]@microsoft.com