improving resiliency service pack 2. what is sp2? all the usual stuff of course all the usual stuff...

Improving Improving ResiliencyResiliency

Service Service Pack 2Pack 2

What is SP2?What is SP2?

All the usual stuff of courseAll the usual stuff of course Post-SP1 hotfixes (more regression Post-SP1 hotfixes (more regression

testing)testing) New security technologiesNew security technologies

Network protectionNetwork protection Memory protectionMemory protection Safer e-mail handlingSafer e-mail handling More secure browsingMore secure browsing Improved computer maintenanceImproved computer maintenance

Security goalsSecurity goals

Increase the security resiliencyIncrease the security resiliencyof Windows XPof Windows XP

Reduce damage of worms and virusesReduce damage of worms and viruseseven if updates are not installedeven if updates are not installed

Make attackers work harderMake attackers work harder

Defense in depthDefense in depth

NetworksNetworks RoutersRouters FirewallsFirewalls

VLANsVLANs SubnettinSubnettin

gg

HostsHosts IPsecIPsec Access Access control control listslists

ApplicatioApplications and ns and datadata

AuthenticatiAuthenticationon

AuthorizatioAuthorizationn

Rights Rights managemenmanagementt

Access Access control control listslists

Execution Execution partitionspartitions

UsersUsers Uhh…Uhh…

Network protectionNetwork protection

Windows FirewallWindows Firewall RPC interface restrictionsRPC interface restrictions DCOM security DCOM security

enhancementsenhancements

WF—changesWF—changes

Enhanced multicast and Enhanced multicast and broadcast supportbroadcast support

Unpdated NETSH helper for IPv6 Unpdated NETSH helper for IPv6 WFWF

Updated user interfaceUpdated user interface New group policy supportNew group policy support

Windows FirewallWindows Firewall

Updated user interfaceUpdated user interfaceWhatWhatis it?is it?

New dialogs and settingsNew dialogs and settings Final UI still under designFinal UI still under design

WhyWhydo it?do it?

Necessary for new configuration Necessary for new configuration optionsoptions

What’s What’s differendifferent?t?

Now a control panel appletNow a control panel applet

How doHow doI fix it?I fix it?

No needNo need


Enhanced m’cast and Enhanced m’cast and b’castb’castWhatWhatis it?is it?

If WF receives incoming m’cast or If WF receives incoming m’cast or b’cast traffic, it allows for three b’cast traffic, it allows for three seconds a response from any seconds a response from any source address to the originating source address to the originating portport

WhyWhydo it?do it?

Allows responses without adding Allows responses without adding client applications to permissions client applications to permissions listslists


Incoming b’cast and m’cast traffic Incoming b’cast and m’cast traffic now passes through WF without now passes through WF without manual configurationmanual configuration


No needNo need


New group policy supportNew group policy supportWhatWhatis it?is it?

More objects for better controlMore objects for better control Operational mode, allowed Operational mode, allowed

programs, opened ports (static), programs, opened ports (static), ICMP settings, enable RPCICMP settings, enable RPC

WhyWhydo it?do it?

Better management between Better management between corporate and standard profilescorporate and standard profiles


IPv4 only (IPv6 still just on/off)IPv4 only (IPv6 still just on/off) Final GPOs might changeFinal GPOs might change


No needNo need

WF—new featuresWF—new features

On by defaultOn by default Multiple profilesMultiple profiles WF permissions listWF permissions list Local subnet restrictionLocal subnet restriction Global and per-interface Global and per-interface

configurationsconfigurations Boot time securityBoot time security Command-line supportCommand-line support Shielded operational modeShielded operational mode RPC supportRPC support


On by defaultOn by defaultWhatWhatis it?is it?

WF on by default on all interfacesWF on by default on all interfaces New installations and upgradesNew installations and upgrades Enabled when new interfaces are Enabled when new interfaces are

addedadded

WhyWhydo it?do it?

Configuring WF proved to be too Configuring WF proved to be too difficultdifficult

Default configuration provides Default configuration provides good protection against worms good protection against worms (eg., Blaster)(eg., Blaster)


Certain applications might require Certain applications might require special WF settingsspecial WF settings


Developer documentation WF APIDeveloper documentation WF API


Multiple profilesMultiple profilesWhatWhatis it?is it?

Location-based profiles: one when Location-based profiles: one when connected to a corporate network, connected to a corporate network, another when connected to the another when connected to the InternetInternet

WhyWhydo it?do it?

Can have a more relaxed profile Can have a more relaxed profile when corp-attached and a more when corp-attached and a more restrictive profile when travelingrestrictive profile when traveling


Computer must be domain-joinedComputer must be domain-joined Listening applications might need Listening applications might need

to be on both profilesto be on both profiles


No needNo need


Permissions listPermissions listWhatWhatis it?is it?

Applications that need to open Applications that need to open listening portslistening ports

WhyWhydo it?do it?

Allows application to run in lower Allows application to run in lower security contextsecurity context

Only local administrator can add to Only local administrator can add to listlist

Ports remain open only while Ports remain open only while application is runningapplication is running


Any app that listens must be on Any app that listens must be on the listthe list


No needNo need


Local subnet restrictionLocal subnet restrictionWhatWhatis it?is it?

Can restrict port opening to local Can restrict port opening to local subnet address rangesubnet address range

Is the default for file sharing portsIs the default for file sharing ports

WhyWhydo it?do it?

More granularity—allows local More granularity—allows local subnet communication but not subnet communication but not to/from Internetto/from Internet


Enabling “file and printer sharing” Enabling “file and printer sharing” applies restriction to 137/udp, applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp138/udp, 139/tcp, 445/udp, 445/tcp


Developer documentation WF API Developer documentation WF API if application can’t work with if application can’t work with restrictionrestriction


Global configurationGlobal configurationWhatWhatis it?is it?

Configuration changes apply to all Configuration changes apply to all interfaces (including new interfaces (including new interfaces)interfaces)

Per-interface configuration still Per-interface configuration still possiblepossible

WhyWhydo it?do it?

Easier to synchronize policy across Easier to synchronize policy across multiple interfacesmultiple interfaces

New interfaces get a policy when New interfaces get a policy when createdcreated


Global plus local configsGlobal plus local configs


Developer documentation WF APIDeveloper documentation WF API


Boot time securityBoot time securityWhatWhatis it?is it?

New static filtering policy at boot New static filtering policy at boot timetime

Permits DNS, DHCP, NetlogonPermits DNS, DHCP, Netlogon WF policy applied after logonWF policy applied after logon

WhyWhydo it?do it?

Closes hole that existed after boot Closes hole that existed after boot but before policy applicationbut before policy application


NothingNothing


No needNo need


Command-line supportCommand-line supportWhatWhatis it?is it?

Add WF configuration to NETSH Add WF configuration to NETSH utilityutility

Default state, open ports, global Default state, open ports, global or per-interface, subnet or per-interface, subnet restrictions, logging options, ICMP restrictions, logging options, ICMP handling, application permissionshandling, application permissions

WhyWhydo it?do it?

Best method for logon scripts and Best method for logon scripts and group policygroup policy


Nothing—new functionalityNothing—new functionality


No needNo need


RPC supportRPC supportWhatWhatis it?is it?

WF watches as RPC apps register WF watches as RPC apps register portsports

Allows incoming requests only if Allows incoming requests only if service is running as Local System, service is running as Local System, Network Service, or Local ServiceNetwork Service, or Local Service

WhyWhydo it?do it?

Can control which RPC services are Can control which RPC services are exposed to the networkexposed to the network

Better than granting permissions Better than granting permissions to SVCHOST.EXEto SVCHOST.EXE


Must do this for RPC—WF blocks Must do this for RPC—WF blocks all RPC by defaultall RPC by default


Developer documentation WF API Developer documentation WF API to automateto automate

WF— Inbound APIsWF— Inbound APIs

IPv4 inbound connections for IPv4 inbound connections for applications and servicesapplications and services

IPv4 inbound connections on RPC IPv4 inbound connections on RPC and DCOM portsand DCOM ports


Inbound applications (IPv4)Inbound applications (IPv4)IssueIssue Application needs to bind to a Application needs to bind to a

socket and accept inbound socket and accept inbound requestsrequests

DoDothisthis

Call Call INetFwV4AuthorizedApplicationINetFwV4AuthorizedApplication as either enabled or disabledas either enabled or disabled

Provide image file name, friendly Provide image file name, friendly name, and whether all traffic or name, and whether all traffic or local subnetlocal subnet

NotesNotes When application starts, WF When application starts, WF dynamically opens portsdynamically opens ports

App must run as local admin to App must run as local admin to add to list, but can run in any add to list, but can run in any context latercontext later

Apps should get user consentApps should get user consent Cannot add SVCHOST.EXECannot add SVCHOST.EXE


Inbound services (IPv4)Inbound services (IPv4)IssueIssue Service ports usually need to Service ports usually need to

remain open alwaysremain open always

DoDothisthis

Call Call INetFwV4OpenPortINetFwV4OpenPort as either as either enabled or disabledenabled or disabled

Provide port number, protocol, Provide port number, protocol, friendly name, and whether all friendly name, and whether all traffic or local subnettraffic or local subnet

NotesNotes When service starts, WF opens When service starts, WF opens portsports

Service must run as local adminService must run as local admin Limit to local subnet whenever Limit to local subnet whenever

possiblepossible Service should get user consentService should get user consent Service should close ports if Service should close ports if

disableddisabled


Inbound RPC/DCOM (IPv4)Inbound RPC/DCOM (IPv4)IssueIssue RPC handled by WF’s new RPC RPC handled by WF’s new RPC

awarenessawareness

DoDothisthis

Call Call INetFwV4ProfileINetFwV4Profile Set Set AllowRpcPortsAllowRpcPorts to “true” to “true”

NotesNotes App or service must run as local App or service must run as local admin to enable RPC, but can run admin to enable RPC, but can run as admin, network service, or local as admin, network service, or local service laterservice later

App or service should get user App or service should get user consentconsent

Service should close ports if Service should close ports if disableddisabled

RPC restrictionsRPC restrictions

Restrict remote clientsRestrict remote clients Require authentication to Require authentication to

endpoint mapper (135/tcp)endpoint mapper (135/tcp) New interface registration flagsNew interface registration flags


Restricting remote clientsRestricting remote clientsWhatWhatis it?is it?

RestrictRemoteClientsRestrictRemoteClients registry key registry key to enforce authenticationto enforce authentication

Remote anonymous calls to RPC Remote anonymous calls to RPC interfaces now rejected by defaultinterfaces now rejected by default

WhyWhydo it?do it?

Useful mitigation against worms Useful mitigation against worms that rely on exploitable buffer that rely on exploitable buffer overruns invoked through overruns invoked through anonymous connectionsanonymous connections


Apps that expect anonymous calls Apps that expect anonymous calls might be affectedmight be affected


Require clients to use RPC securityRequire clients to use RPC security Exempt interface from Exempt interface from

authentication using exemption authentication using exemption flagflag


Endpoint mapper authNEndpoint mapper authNWhatWhatis it?is it?

Clients always contact EP mapper Clients always contact EP mapper anonymouslyanonymously

If client restrictions are set, clients If client restrictions are set, clients also won’t be able to contact EP also won’t be able to contact EP mappermapper

WhyWhydo it?do it?

Setting Setting EnableAuthEpResolutionEnableAuthEpResolution key tells RPC client to use NTLM key tells RPC client to use NTLM authentication to EP mapperauthentication to EP mapper


Both peers will need XP SP2Both peers will need XP SP2


No needNo need


New i/f registration flagsNew i/f registration flagsWhatWhatis it?is it?

Three new flags for developers to Three new flags for developers to use in applicationsuse in applications

WhyWhydo it?do it?

Provide additional security tools to Provide additional security tools to make RPC bettermake RPC better


No affect on existing RPC No affect on existing RPC applicationsapplications


No needNo need


New i/f registration flagsNew i/f registration flags RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTHRPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH

RPC runtime invokes registered security RPC runtime invokes registered security callback for all callscallback for all calls

Without: RPC rejects all unauthenticated Without: RPC rejects all unauthenticated calls before reaching security callbackcalls before reaching security callback

RPC_IF_SEC_NO_CACHERPC_IF_SEC_NO_CACHE Disables security callback cachingDisables security callback caching

RPC_IF_LOCAL_ONLYRPC_IF_LOCAL_ONLY Reject remote client callsReject remote client calls Reject local calls over all Reject local calls over all ncadg_*ncadg_*

protocolsprotocols Reject all calls over Reject all calls over ncacn_*ncacn_* protocols protocols

(except…)(except…) Reject all calls over Reject all calls over ncacn_npncacn_np if not from if not from

SVRSVR Allow Allow ncalrpcncalrpc calls calls

DCOM enhancementsDCOM enhancements

Computer-wide restrictionsComputer-wide restrictions More specific COM permissionsMore specific COM permissions


Don’t apply to in-process COMDon’t apply to in-process COM Apply if your DCOM server meets Apply if your DCOM server meets

any:any: Access permission for app is less Access permission for app is less

stringent than permission necessary stringent than permission necessary to run itto run it

App is usually activated on a App is usually activated on a Windows XP computer by a remote Windows XP computer by a remote COM client not using administrative COM client not using administrative accountaccount

App uses unauthenticated remote App uses unauthenticated remote callbackscallbacks

App is meant to be used locallyApp is meant to be used locally


Computer-wide restrictionsComputer-wide restrictionsWhatWhatis it?is it?

Computer-wide access controls Computer-wide access controls that govern access to all DCOM that govern access to all DCOM requests on the computerrequests on the computer

An additional An additional AccessCheckAccessCheck against against the ACL for on each call, the ACL for on each call, activation, or launch of any COM activation, or launch of any COM serverserver

WhyWhydo it?do it?

Minimum authorization bar that Minimum authorization bar that must be passed to access COM must be passed to access COM serversservers

Allows administrators to override Allows administrators to override weak security settings in an weak security settings in an application’s application’s CoInitializeSecurityCoInitializeSecurity

ACLs checked when interfaces ACLs checked when interfaces exposed by RPCSS are accessedexposed by RPCSS are accessed


Computer-wide restrictionsComputer-wide restrictionsPermissioPermissionn

AdministratorAdministrator EveryoneEveryone AnonymouAnonymouss

LaunchLaunch Local launchLocal launch Local Local launchlaunch

Local activateLocal activate Local Local activateactivate

Remote Remote launchlaunch

Remote Remote activateactivate

AccessAccess Local callLocal call Local Local callcall

Remote callRemote call


Computer-wide restrictionsComputer-wide restrictionsWhat’s What’s differendifferent?t?

Local scenarios will continue to Local scenarios will continue to workwork

Most COM client scenarios will Most COM client scenarios will continue to workcontinue to work

Unauthenticated remote calls will Unauthenticated remote calls will breakbreak

Only administrators can remotely Only administrators can remotely activate and launchactivate and launch


Don’t write apps that require Don’t write apps that require remote activation by non-admin remote activation by non-admin client or remote unauthenticated client or remote unauthenticated calls!calls!

Can change new defaults with Can change new defaults with registry keysregistry keys


More specific COM permsMore specific COM permsWhatWhatis it?is it?

Distinguish COM access rights Distinguish COM access rights based on distance: local (LRPC), based on distance: local (LRPC), remote (eg., RPC over TCP)remote (eg., RPC over TCP)

WhyWhydo it?do it?

Create precise COM permission Create precise COM permission policypolicy

Restrict app so it can only be used Restrict app so it can only be used locallylocally


Launch/activate ACEs: LL, RL, LA, Launch/activate ACEs: LL, RL, LA, RARA

Access (call) ACEs: LC, RCAccess (call) ACEs: LC, RC Generally backward-compatible, Generally backward-compatible,

some specific ACL alterations some specific ACL alterations might be neededmight be needed


Search MSDN on Search MSDN on “LaunchPermission”“LaunchPermission”

Memory protectionMemory protection

Execution protection (NX)Execution protection (NX)


NX—“no execute”NX—“no execute” Prevents code execution in data Prevents code execution in data

pages:pages: Default heapDefault heap Various stacksVarious stacks Memory poolsMemory pools

Both user and kernel modesBoth user and kernel modes Requires developers to explicitly Requires developers to explicitly

mark pages as executablemark pages as executable


NX—“no execute”NX—“no execute” OS feature that relies on OS feature that relies on

processor hardware to mark processor hardware to mark memorymemory

Functions on a per-VM page basisFunctions on a per-VM page basis Common: change a bit in the Common: change a bit in the

page table entry to mark the page table entry to mark the pagepage

Affects apps that:Affects apps that: Perform just-in-time code Perform just-in-time code

generationgeneration Execute memory from default Execute memory from default

process stack or heapprocess stack or heap


NX—“no execute”NX—“no execute” Hardware implementation varies Hardware implementation varies

by processorby processor Processor must raise exception Processor must raise exception

when code executes from when code executes from disallowed pagedisallowed page

Current processor supportCurrent processor support AMD K8 (32-bit Windows)AMD K8 (32-bit Windows) Intel Itanium (64-bit Windows)Intel Itanium (64-bit Windows)


64-bit Windows64-bit WindowsWhatWhatis it?is it?

Applications Applications expectedexpected to function to function with NX enabled by default!with NX enabled by default!

Protected areasProtected areas StackStack Paged poolPaged pool Session poolSession pool Default process heapDefault process heap

Can’t be disabledCan’t be disabled To allocate virtual memory—To allocate virtual memory—

Call Call VirtualAlloc()VirtualAlloc() with one of the with one of the PAGE_EXECUTE_*PAGE_EXECUTE_* attributes attributes


32-bit Windows32-bit WindowsWhatWhatis it?is it?

User modeUser mode AMD processors with “physical address AMD processors with “physical address

extension” mode enabledextension” mode enabled Investigating per-application methods Investigating per-application methods

to disable or enable NXto disable or enable NX Result: unhandled exception; app Result: unhandled exception; app

terminates terminates STATUS_ACCESS_VIOLATION STATUS_ACCESS_VIOLATION (0xc000005)(0xc000005)

Kernel modeKernel mode Only to the stack by defaultOnly to the stack by default Can’t be enabled/disabled on per-Can’t be enabled/disabled on per-

driver basisdriver basis Result: bugcheck Result: bugcheck 0xFC: ATTEMPTED_0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORYEXECUTE_OF_NOEXECUTE_MEMORY


All versionsAll versionsWhyWhydo it?do it?

Many worms and viruses execute code Many worms and viruses execute code from data pagesfrom data pages

NX reduces impact—can’t spread nowNX reduces impact—can’t spread now Encourages good software engineeringEncourages good software engineering

What’s What’s different?different?

Apps that perform dynamic code Apps that perform dynamic code execution might breakexecution might break

Drivers that expect 64-bit addressing or Drivers that expect 64-bit addressing or >4 GB RAM in PAE mode might break>4 GB RAM in PAE mode might break

Drivers that do DMA transfersDrivers that do DMA transfers


Mark generated code with an execute Mark generated code with an execute permissionpermission

Update apps that execute from stack, Update apps that execute from stack, default process heap, or dedicated heapdefault process heap, or dedicated heap

DMA transfers are double-bufferedDMA transfers are double-buffered

More secure browsingMore secure browsing

Add-on management and Add-on management and crash detectioncrash detection

Binary behaviors security Binary behaviors security settingssettings

BindToObject mitigationBindToObject mitigation MSJVM security settingMSJVM security setting Local machine zone Local machine zone

lockdownlockdown


MIME handling enforcementMIME handling enforcement Object cachingObject caching Pop-up managerPop-up manager Untrusted publishers Untrusted publishers

mitigationsmitigations Window restrictionsWindow restrictions Zone elevation blocksZone elevation blocks


Add-on managementAdd-on managementWhatWhatis it?is it?

View and control all IE add-ons, View and control all IE add-ons, including ones previously difficult including ones previously difficult to detectto detect Browser helper objectsBrowser helper objects ActiveX controlsActiveX controls Toolbar extensionsToolbar extensions Browser extensionsBrowser extensions

Status bar and balloon Status bar and balloon notificationsnotifications

WhyWhydo it?do it?

Error reporting data shows add-Error reporting data shows add-ons create significant instabilityons create significant instability

Many pose security risksMany pose security risks


Add-on managementAdd-on managementWhat’s What’s differendifferent?t?

Disabled add-ons not removed; IE Disabled add-ons not removed; IE simply won’t instantiate themsimply won’t instantiate them

Applies only to IEXPLORE.EXE and Applies only to IEXPLORE.EXE and EXPLORER.EXEEXPLORER.EXE

Other programs based on IE Other programs based on IE components won’t respect components won’t respect disabled statedisabled state


Use “Manage Add-ons” to restore Use “Manage Add-ons” to restore broken functionalitybroken functionality

Restart IERestart IE


Add-on admin controlAdd-on admin control Can alter user control of add-ons Can alter user control of add-ons

through registry key (apply with through registry key (apply with GPO)GPO) Normal: user has full control Normal: user has full control

(default)(default) AllowList: admin specifies which AllowList: admin specifies which

add-ons are allowed; users can’t add-ons are allowed; users can’t changechange

DenyList: admin specifies which DenyList: admin specifies which add-ons are denied; users can run add-ons are denied; users can run othersothers


Add-on crash detectionAdd-on crash detection Crash detection program Crash detection program

launches when IE crashes; launches when IE crashes; collects:collects: List of DLLs that are loadedList of DLLs that are loaded Value of instruction pointer (EIP)Value of instruction pointer (EIP)

Finds DLL whose memory range Finds DLL whose memory range the EIP lies within; DLL must be:the EIP lies within; DLL must be: Non-systemNon-system A COM server for an IE add-onA COM server for an IE add-on

Displays dialog to manageDisplays dialog to manage Disable from hereDisable from here


Binary behaviors settingBinary behaviors settingWhatWhatis it?is it?

Components, attached to HTML, Components, attached to HTML, that encapsulate specific that encapsulate specific functionalityfunctionality

New “URL Action” setting in each New “URL Action” setting in each zonezone

WhyWhydo it?do it?

Unrestricted binary behaviors Unrestricted binary behaviors could be exploitedcould be exploited

Allow users to control binary Allow users to control binary behaviorsbehaviors


Disallowed in restricted sites zoneDisallowed in restricted sites zone


Custom security manager for apps Custom security manager for apps that need to run in restricted sites that need to run in restricted sites zonezone

http://go.microsoft.com/fwlink/?http://go.microsoft.com/fwlink/?linkid=21863linkid=21863


BindToObject mitigationBindToObject mitigationWhatWhatis it?is it?

Apply security policies Apply security policies consistently at source of URL consistently at source of URL binding: URLMONbinding: URLMON

WhyWhydo it?do it?

Uniformly enforce ActiveX security Uniformly enforce ActiveX security model rather than relying on model rather than relying on calling codecalling code

Eliminates exploits that use IE to Eliminates exploits that use IE to compromise vulns in calling codecompromise vulns in calling code


Any component that wants to Any component that wants to resolve a URL and get back a resolve a URL and get back a stream or objectstream or object




MSJVM security settingMSJVM security settingWhatWhatis it?is it?

Separate setting to control MSJVMSeparate setting to control MSJVM Existing JVM setting renamedExisting JVM setting renamed

WhyWhydo it?do it?

No known threats to MSJVMNo known threats to MSJVM


Clean installs of these will lack Clean installs of these will lack MSJVM:MSJVM: Windows XP SP 2 full OSWindows XP SP 2 full OS Windows Server 2003Windows Server 2003 Windows 2000 SP 4 full OSWindows 2000 SP 4 full OS

Upgrading won’t remove MSJVMUpgrading won’t remove MSJVM


Need to transition away from Need to transition away from MSJVMMSJVM



Local machine zone Local machine zone lockdownlockdownWhatWhatis it?is it?

A non-displayed security zone that A non-displayed security zone that runs all local HTML pages on a runs all local HTML pages on a computercomputer

WhyWhydo it?do it?

Helps stop malicious local code Helps stop malicious local code from elevating privilegefrom elevating privilege


Enabled for IE processesEnabled for IE processes Not enabled for non-IE processesNot enabled for non-IE processes


Can save HTML as .HTA Can save HTML as .HTA (dangerous: full privileges)(dangerous: full privileges)

Use “mark of the web” comments Use “mark of the web” comments to load file into another security to load file into another security zonezone


Local machine zone Local machine zone lockdownlockdown Overridden URL actionsOverridden URL actions

Run ActiveX: disallowRun ActiveX: disallow Override ActiveX safety: disallowOverride ActiveX safety: disallow Run scripts: promptRun scripts: prompt Cross domain data: promptCross domain data: prompt Block binary behaviors: disallowBlock binary behaviors: disallow Java permissions: disallowJava permissions: disallow


MIME handling MIME handling enforcementenforcementWhatWhatis it?is it?

IE checks received files in four IE checks received files in four ways:ways: File name extensionFile name extension Content-Type from HTTP header (MIME Content-Type from HTTP header (MIME

type)type) Content-Disposition from HTTP headerContent-Disposition from HTTP header MIME sniffMIME sniff

WhyWhydo it?do it?

Eliminates improper handling of Eliminates improper handling of mis-reported files (eg., .EXE mis-reported files (eg., .EXE assumed as text)assumed as text)


If MIME sniff results in different If MIME sniff results in different type, IE changes file extension in type, IE changes file extension in cachecache

Never elevates to a more Never elevates to a more dangerous typedangerous type


Report your MIME types correctly!Report your MIME types correctly!


Object cachingObject cachingWhatWhatis it?is it?

New security context on all New security context on all scriptable objectsscriptable objects

Access blocked when navigating Access blocked when navigating away from current FQDNaway from current FQDN

WhyWhydo it?do it?

Single MSHTML instance across Single MSHTML instance across navigations; cached objects navigations; cached objects availableavailable

Eliminate current cross-domain Eliminate current cross-domain hole exploitable by frameshole exploitable by frames


Four more bytes added to cached Four more bytes added to cached markupmarkup


Probably nothing hereProbably nothing here


Untrusted publishers Untrusted publishers mitigationsmitigationsWhatWhatis it?is it?

Block all signed content from a Block all signed content from a publisherpublisher

One prompt per control per pageOne prompt per control per page Block invalid signaturesBlock invalid signatures Display ellipsis if text is longer Display ellipsis if text is longer

than boxthan box

WhyWhydo it?do it?

Eliminate repeated promptsEliminate repeated prompts Stop modified codeStop modified code


New functionalityNew functionality Reduces social engineering tricksReduces social engineering tricks


Not neededNot needed


Zone elevation blocksZone elevation blocksWhatWhatis it?is it?

IE prevents the security context IE prevents the security context for any link from being higher than for any link from being higher than the context of the current pagethe context of the current page

WhyWhydo it?do it?

Stop scripts from navigating to Stop scripts from navigating to higher security zonehigher security zone


Web pages that try to call more Web pages that try to call more privileged pages will failprivileged pages will fail

Only a user-clicked link can go to Only a user-clicked link can go to higher privilegehigher privilege


Fix apps to require user initiationFix apps to require user initiation


Window restrictionsWindow restrictionsWhatWhatis it?is it?

Scripts can’t position or resize Scripts can’t position or resize windows with title and status bars windows with title and status bars offscreenoffscreen

Scripts can’t turn off status barScripts can’t turn off status bar

WhyWhydo it?do it?

Eliminates windows that try to Eliminates windows that try to spoof desktop objectsspoof desktop objects

Allows users to always see Allows users to always see security zonesecurity zone


Title and status bars will always be Title and status bars will always be visible to usersvisible to users


Must change code that will breakMust change code that will break


Window restrictionsWindow restrictions Unrestricted “chromeless” Unrestricted “chromeless”

windows can cover important UI windows can cover important UI elements and deceive userselements and deceive users

Script-initiated pop-ups are Script-initiated pop-ups are constrainedconstrained Appear between top and bottom of Appear between top and bottom of

parent window “chrome”parent window “chrome” Must overlap some part of parent Must overlap some part of parent

windowwindow Must stay immediately on top of Must stay immediately on top of

parent (eg., can’t be placed over parent (eg., can’t be placed over dialogs)dialogs)


Pop-up managerPop-up managerWhatWhatis it?is it?

Blocks automatic and background Blocks automatic and background pop-up windows activated by:pop-up windows activated by: window.open()window.open() window.external.navigateAndFind()window.external.navigateAndFind() showHelp()showHelp()

Doesn’t affect windows opened by:Doesn’t affect windows opened by: Mouse clickMouse click Locally-running softwareLocally-running software ActiveX controls on a web siteActiveX controls on a web site Trusted sites or local intranet zonesTrusted sites or local intranet zones

WhyWhydo it?do it?

Pop-ups suck!Pop-ups suck!


Pop-up managerPop-up managerWhat’s What’s differendifferent?t?

Allowed windows that open Allowed windows that open outside viewable screen are outside viewable screen are positioned onto viewable areapositioned onto viewable area

Allowed windows that open larger Allowed windows that open larger than the viewable screen are than the viewable screen are resized to the viewable arearesized to the viewable area


No needNo need


Pop-up managerPop-up manager Notification and sound, with Notification and sound, with

choices:choices: Show blocked pop-upShow blocked pop-up Allow pop-ups from this siteAllow pop-ups from this site Block pop-upsBlock pop-ups Open pop-up management optionsOpen pop-up management options

Configuration choicesConfiguration choices Allow listAllow list Block all, including clicked pop-upsBlock all, including clicked pop-ups Override key for aboveOverride key for above SoundSound ZonesZones

OK, what’s next?OK, what’s next?

More resiliencyMore resiliency

Increase protection and security Increase protection and security of Windows XPof Windows XP Even if updates haven’t been Even if updates haven’t been

installedinstalled Implications for users and Implications for users and

developersdevelopers The next step of trustworthy The next step of trustworthy

computingcomputing

UpdatesUpdates

““New security technologies in New security technologies in Windows XP Service Pack 2”Windows XP Service Pack 2”


improving resiliency service pack 2. what is sp2? all the usual stuff of course all the usual stuff...

Documents