windows xp service pack 2 customer awareness workshop trustworthy computing – xp sp2 technical...
TRANSCRIPT
![Page 1: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/1.jpg)
Windows XP Service Pack 2Customer Awareness Workshop
Trustworthy Computing –XP SP2 Technical Overview
Windows XP Service Pack 2Customer Awareness Workshop
Trustworthy Computing –XP SP2 Technical OverviewCraig Schofield ([email protected])Microsoft Ltd. UK
September 2004
![Page 2: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/2.jpg)
The DayThe Day
Trustworthy Computing Overview of Windows XP Service Pack 2
Coffee break… around 11.15am
Technical Drill-Down of Windows XP SP2 – Part 1 You’ll need lunch...12.45 to 1.30pm
Technical Drill-Down of Windows XP SP2 – Part 2 Another coffee break… around 3.15pm
Planning, Testing and Deploying WinXP SP2 Troubleshooting
Close … 5pm
![Page 3: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/3.jpg)
What’s wrong with SP1 then?What’s wrong with SP1 then?
![Page 4: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/4.jpg)
Security and Trustworthy ComputingSecurity and Trustworthy Computing
![Page 5: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/5.jpg)
Most attacks Most attacks occur hereoccur here
SituationWhen do exploits occur?SituationWhen do exploits occur?
ProducProduct t
shippeshippedd
VulnerabilityVulnerabilitydiscovereddiscovered
Fix Fix Made Made
AvailablAvailablee
Fix deployedFix deployedby customerby customer
![Page 6: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/6.jpg)
Exploit TimelineProcess, Tools CriticalExploit TimelineProcess, Tools Critical
ProducProduct t
shippeshippedd
VulnerabilityVulnerabilitydiscovereddiscovered
Fix Fix Made Made
AvailablAvailablee
Fix deployedFix deployedby customerby customer
Days between Fix and Exploit Have decreased so that patching can’t be the only defense in
large organizations
Exploit
151151180180
331331
BlasterBlasterWelchia/ Welchia/ NachiNachi
NimdaNimda
2525
SQL SQL SlammerSlammer
1414
SasserSasser
![Page 7: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/7.jpg)
Microsoft CommitmentMicrosoft Commitment
Build software and services that will help better protect
our customers and the industry.
![Page 8: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/8.jpg)
SpringboardSpringboard
Get secure and stay secure with less cost, less stress Starts with XP SP2 Suite of products and technologies:
• XP SP2, Windows Update V5, update.exe, Windows Installer 3 (.msp/.msi), “SUS 2”, Windows Server 2003 SP1
Changes in functionality & baseline security level
![Page 9: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/9.jpg)
Patch management too complexTime to exploit acceleratingExploits are more sophisticated Current approach is not sufficient
Create a new Microsoft security baseline for the OS & Internet Explorer
Springboard – Why?Springboard – Why?
![Page 10: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/10.jpg)
MemoryMemoryAttachmentsAttachments WebWebNetworkNetwork
Isolation & Resiliency:Old ApproachIsolation & Resiliency:Old Approach
![Page 11: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/11.jpg)
MemoryMemoryAttachmentsAttachments WebWebNetworkNetwork
Isolation & Resiliency:New ApproachIsolation & Resiliency:New Approach
![Page 12: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/12.jpg)
Windows XP Service Pack 2Windows XP Service Pack 2
Block virus or malicious code at the “point of entry”
Enhanced Security
Increased Manageability
Improved Experience
![Page 13: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/13.jpg)
Windows XP Service Pack 2Windows XP Service Pack 2
Schedule Available now: RTW 9th August Critical Update to all Windows XP clients from 25th August
All Windows ‘Editions’ supported Home & Professional SP2 provides the upgrade to Tablet Edition 2005 (“Lonestar”) SP2 provides the upgrade to Media Center Edition 2004 (“Harmony”)
Being localized in 25 languages over next 2 months English, German, French, Spanish, Italian, Brazilian, Japanese,
Dutch, Swedish, Danish, Norwegian, Finnish, Simplified Chinese, Traditional Chinese, Korean, Czech, Polish , Hungarian, Russian, Traditional Hong Kong Chinese, Arabic, Hebrew, Greek, Turkish, Portuguese
![Page 14: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/14.jpg)
Windows Server 2003 Service Pack 1Windows Server 2003 Service Pack 1 Goals
Implement additional protection for enterprise environments
Planned for Q1 2005
Very focused release Enable appropriate “safety technologies” from client Feature list is still under development
• Secure Role-based Configuration
• Inspected Environments
![Page 15: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/15.jpg)
“XP Reloaded”“XP Reloaded”
NOT XP Service Pack 2NOT a product
Value-add initiatives for Windows XP.
![Page 16: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/16.jpg)
Service Pack 2 OverviewService Pack 2 Overview
MemoryMemoryAttachmentsAttachments WebWebNetworkNetwork
![Page 17: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/17.jpg)
Problem: Port-Based AttacksProblem: Port-Based Attacks
Many services and applications running on users’ computers listen for network traffic These applications and services require open ports to
function properly Hackers build automatic tools that scan the Internet
for computers running these applications and services
Even with a perimeter firewall, systems may be vulnerable to attack
![Page 18: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/18.jpg)
Solution: Windows FirewallSolution: Windows Firewall
Windows Firewall (formerly ICF) is on by default All ports protected
Exception list for applications & services requiring open ports Required only for applications or services that need to listen for
unsolicited incoming traffic Per-port or per-application subnet and IP address restrictions
Boot-time security Highly manageable
Two operating profiles to support mobile computers• Domain and Standard
All configuration options available through new Group Policy Objects and through scripting
![Page 19: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/19.jpg)
Problem: DCOM & RPCProblem: DCOM & RPC
Core infrastructure for application to application communications
Underlying service that supports DCOM & RPC-based communication (RPCSS) is always on
RPCSS listens on a well known endpoint Port 135 for DCOM, many ports for RPC
RPCSS allows unauthenticated remote calls Limited administrative control
![Page 20: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/20.jpg)
Solution: RPC & DCOMSolution: RPC & DCOM
Change to underlying architecture (RPCSS) to reduce attack surface area
Block unauthenticated calls to DCOM and RPC services
Make it easier to restrict interfaces to local machine only
Fine-grained security New permissions configured through group
policy, UI and logon scripting
![Page 21: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/21.jpg)
Problem: AttachmentsProblem: Attachments
Security model depends on users to make good trust decisions
However, users are ill-equipped to make informed decisions
Users easily tricked into making poor choices Example: “myphoto.jpg .exe”
Employing a static list of dangerous file types isn’t enough
![Page 22: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/22.jpg)
Solution: Attachment ManagerSolution: Attachment Manager
New Windows service (and public API) for handling safe attachments Used by Outlook Express, Windows Messenger and
Internet Explorer, and third-parties soon
Unsafe attachments not trusted by default Block/Prompt/Allow determined by combination
of file type & zone Marks zone or origin in file system if file is saved
to disk Enables safer message “preview” in Outlook
Express
Consistent experience for “trust” decisionsConsistent experience for “trust” decisions
![Page 23: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/23.jpg)
Problem: MemoryProblem: Memory
Some services and applications improperly handle malformed messages
An attacker can send a message with data that is longer than expected Extra data includes
malicious code Malicious code is
inadvertently written to area of memory where that code is executed
Locally DeclaredVariables and Buffers
Function StackMapping
MaliciousCode
ExecutedHere
Data GoesHere
Anatomy of a Buffer Overrun
Callee save registers
Function Parameters
Function Return Address
Frame Pointer
Exception Handler Frame
ExtraData
OverflowsHere
![Page 24: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/24.jpg)
Locally DeclaredLocally DeclaredVariables and BuffersVariables and Buffers
CookieCookieoverwritten,overwritten,executionexecution
haltshalts
Data GoesData GoesHereHere Callee save registersCallee save registers
Function StackFunction Stackwith /GS Switch with /GS Switch
Function ParametersFunction Parameters
Function Return AddressFunction Return Address
Frame PointerFrame Pointer
Exception Handler FrameException Handler Frame
Solution: /GS SwitchSolution: /GS Switch
Visual C++ .NET compiler implements the new /GS switch
The /GS switch provides a "speed bump," or cookie, between the buffer and the return address
If an overrun overwrites the cookie, process is halted
CookieCookie
ExtraExtraDataData
OverflowsOverflowsHereHere
Most critical Most critical Windows Windows components have components have been recompiled been recompiled using the /GS using the /GS switchswitch
![Page 25: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/25.jpg)
Solution: Execution PreventionSolution: Execution Prevention
Known as NX and “Execution Protection” Prevents execution of injected code Leverages processor technology
Marks memory regions as non-executable Processor raises exception when injected code is
executed
Supported on 64-bit extensions processors SP2 runs in 32-bit compatibility mode with NX support AMD Athlon64 and Opteron today Intel has announced support for NX in new Celeron
line and Prescott based P4’s
Hardware-based protection
![Page 26: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/26.jpg)
Problem: Web BrowsingProblem: Web Browsing
Internet Explorer flexibility may be exploited Some Internet Explorer features may be used
to mislead users Popups may be made to look like security messages Browser windows may be made to look like the
Windows desktop or a Windows dialog (spoofing) The source of Web downloads may be disguised
Internet Explorer security settings difficult to manage
![Page 27: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/27.jpg)
Solution: Internet ExplorerSolution: Internet Explorer Limit deceptive & annoying behaviors
Popup Blocker limitations on how script-controlled windows look
Better information for trust decisions New Information Bar Safer handling of downloaded web controls
More secure architecture Zone elevation restrictions Object caching changes MIME handling enforcement Lockdown of the Local Machine Zone Binary Behaviors (compiled DHTML) restrictions
Improved manageability infrastructure
![Page 28: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/28.jpg)
Additional EnhancementsAdditional Enhancements
New Windows Security Center
Automatic Update enhancements
Windows Update Services client
New unified wireless LAN client
Updated Bluetooth client
Windows Media 9 Series player update
![Page 29: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/29.jpg)
![Page 30: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/30.jpg)
How SP2 Would Have HelpedHow SP2 Would Have Helped
MSBlaster worm Windows Firewall, by default, blocks the ports required to exploit this vulnerability By denying unauthenticated requests to DCOM, this exploit would have been
mitigated The /GS Switch and/or NX would have prevented this exploit by preventing the
unchecked buffer from being exploited
W32.Sasser.worm Windows Firewall, by default, blocks the ports required to exploit this vulnerability The /GS Switch and/or NX would have prevented this exploit by preventing the
unchecked buffer from being exploited
Mydoom and W32/Nimda.A@mm Attachment Manager would have blocked Mydoom had an infected e-mail been
opened in Outlook Express
Various spoofing and phishing attacks on the Internet The new IE Popup Blocker and new limitations on script-initiated windows would
have eliminated many of these attacks
![Page 31: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/31.jpg)
Application CompatibilityApplication Compatibility
Functional Area Compatibility Status
Attachment Handler User experience modified
Windows Firewall
Few apps proper configuration requiredDCOM & RPC
NX & /GS
Other components
Internet Explorer Some apps proper configuration required
The vast majority of application compatibility The vast majority of application compatibility issues are mitigated through configuration of SP2 issues are mitigated through configuration of SP2 security optionssecurity options
Very few issues require code changesVery few issues require code changes
![Page 32: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/32.jpg)
SummarySummary
More Secure “Shields-up” approach Reduced attack surface area
More Resilient Network Protection Data Execution Prevention Greater user control when Browsing More Secure Email and Instant Messaging
More Manageable Enhancements to Group Policy to provide more granular control Reduced urgency in patching vulnerabilities due to defence in depth
More Visible Windows Security Center – enhanced security information Internet Explorer UI enhancements provide more information
A major step forward on a long journeyA major step forward on a long journey
![Page 33: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/33.jpg)
![Page 34: Windows XP Service Pack 2 Customer Awareness Workshop Trustworthy Computing – XP SP2 Technical Overview Craig Schofield (craschof@microsoft.com) Microsoft](https://reader034.vdocument.in/reader034/viewer/2022051516/56649f205503460f94c38eeb/html5/thumbnails/34.jpg)
© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.