windows xp sp 2 hkcert it guide
TRANSCRIPT
-
7/30/2019 Windows XP SP 2 Hkcert IT Guide
1/14
Windows XP SP 2
Bremen Lee | IT Manager
Agenda
Introduction of Windows XP SP2
Windows Firewall
Email Attachment Protection
IE Security Enhancement
Data Execution Prevention
Buffer Overflow Problem
New Command Line Interface
Netsh
Group Policy
Security Enhancement for Developer
Additional Enhancement
Q&A
-
Security Challenges
Responding to the Crisis
Criminal attacks proliferating
Exploits more sophisticated
Deploying security updates is cumbersome
Time to exploit is decreasing
Improve updates management
Improve guidance and education
Introduce new security technologies
Customers have told us
Give us better access control
Develop reliable and secure software
Simplify critical maintenance
Reduce impact of malware
Improve Updating
Engineering Excellence
Authentication, Authorization, Access Control
Isolation and Resiliency
Provide better guidance
Deliver Security Guidance, Tools, Responsiveness
-
Windows XP Service Pack 2 Guiding Principles
Windows XP SP2 security goals
-
Security Center
Windows Firewall
Formerly known as Internet Connection Firewall
Goal and Customer Benefit
Provide better protection from network attacks by default
Focus on roaming systems, small business, home users
What We're Doing
Windows Firewall will be on by default in almost all configurations
More configuration options
Group Policy, command line, unattended setup
Better user interface
Boot-time protection
Multiple profile support
Connected to corporate network vs. home
Enable file sharing on home networks with Windows Firewall on
Compatibility Impact
Inbound network connections not permitted by default
Dynamically enable ports as necessary, but only for as long as necessary; disable when done
-
Windows Firewall
Email / IM Attachments
Goal and Customer Benefit
Consistent system-provided mechanism for applications to determine unsafe attachments
Consistent user experience for attachment trust decisions
What We're Doing
Create new public API for handling attachments more securely (Attachment Execution Services)
Default to not trusting less secure attachment types
Outlook Express, Windows Messenger, Internet Explorer changed to use new API
More secure message preview
Replaces AssocIsSafe()
Compatibility Impact
Use the new API in your applications for a better user experience and a better determination of the security implications of content
-
Attachment Execution Services (AES)
Web Browsing
Goal and Customer Benefit
Ensure a more secure web browsing experience
What We're Doing
Locking down Local Machine and Local Intranet zones
Improved notifications for running or installing applications and ActiveX controls; limit UI spoofing
HTML on the local machine won't be able to script unsafe ActiveX controls or access data across domains in the Local Machine security zone
Blocking unknown, unsigned ActiveX controls
Files served with mismatched or missing MIME headers and file extensions may be blocked
Pop-up windows will be suppressed unless they are initiated by user action
Compatibility Impact
Check web applications for compatibility with the new defaults
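The Local Machine Zone lockdown, MIME-sniffing, download and pop-up changes above apply to iexplore.exe out of the box, but an application that hosts the WebBrowser control only gets them if it is opted in through the IE FeatureControl registry keys. The script below is an added example, not part of the HKCERT slides: it lists, per hive, which SP2 lockdowns a given process has opted into, and can opt a process in. It assumes Windows PowerShell 2.0 on XP SP2; the key and feature names are the documented FeatureControl keys, and 'lobapp.exe' is a placeholder for an in-house hosting application.

```powershell
# Added example, not from the slides: list which of the IE SP2 lockdowns a given
# process has opted into, and opt a process in. Assumes Windows PowerShell 2.0 on
# XP SP2; the key and feature names are the documented IE FeatureControl keys.
# 'lobapp.exe' is a placeholder for an in-house application that hosts the
# WebBrowser control and therefore does not get the iexplore.exe defaults.

$Sp2Features = @(
    'FEATURE_LOCALMACHINE_LOCKDOWN',    # Local Machine Zone lockdown
    'FEATURE_ZONE_ELEVATION',           # no navigation from a restrictive zone to a more trusted one
    'FEATURE_MIME_SNIFFING',            # MIME type / extension mismatch handling
    'FEATURE_RESTRICT_ACTIVEXINSTALL',  # ActiveX install prompt goes to the Information Bar
    'FEATURE_RESTRICT_FILEDOWNLOAD',    # downloads not initiated by the user are blocked
    'FEATURE_WINDOW_RESTRICTIONS',      # window size/position limits against UI spoofing
    'FEATURE_WEBOC_POPUPMANAGEMENT',    # pop-up blocking for hosted WebBrowser controls
    'FEATURE_SECURITYBAND'              # Information Bar
)

function Get-IEFeatureControl {
    # One row per feature and hive. A process is opted in when its exe name, or the
    # wildcard '*', is present with value 1 under the feature key.
    param([string]$ProcessName)
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
        foreach ($feature in $Sp2Features) {
            $key = Join-Path $base $feature
            $value = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($props.PSObject.Properties[$ProcessName]) { $value = $props.$ProcessName }
                elseif ($props.PSObject.Properties['*'])      { $value = $props.'*' }
            }
            New-Object PSObject -Property @{
                Hive = $hive; Feature = $feature; Process = $ProcessName
                Value = $value; OptedIn = ($value -eq 1)
            }
        }
    }
}

function Enable-IEFeatureControl {
    # Opt a process into the listed features machine-wide (needs Administrator).
    param([string]$ProcessName, [string[]]$Features = $Sp2Features)
    foreach ($feature in $Features) {
        $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$feature"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ProcessName -Value 1 -Type DWord
    }
}

# iexplore.exe is opted in by SP2 itself; compare a hosting application next to it.
Get-IEFeatureControl -ProcessName 'iexplore.exe' |
    Format-Table Feature, Hive, OptedIn -AutoSize
Get-IEFeatureControl -ProcessName 'lobapp.exe' |
    Where-Object { $_.Hive -eq 'HKLM' -and -not $_.OptedIn } |
    Format-Table Feature, OptedIn -AutoSize

# Uncomment to opt the hosting application in, then retest the application:
# Enable-IEFeatureControl -ProcessName 'lobapp.exe'
```

Opting a hosting application in is the right default for anything that renders untrusted HTML; the compatibility check the slide asks for is then run against the application, not just against Internet Explorer.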
-
Pop-Up Manager
Automatic Download Blocking
ActiveX/download prompts updated to be more consistent
ActiveX/download prompts hidden until the user clicks on the alert bar
Users can block publishers for ActiveX
-
Add-on Manager
Data Execution Prevention (DEP)
Goal and Customer Benefit
Reduce exposure to some buffer overruns
What We're Doing
Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as executable
Reduces exploitability of buffer overruns
Enabled by default on NX-capable machines
Ensure application compatibility with NX for Longhorn
Compatibility Impact
Ensure your code doesn't execute code in a data segment
Ensure your code runs in PAE mode with
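Whether DEP is actually protecting a given XP SP2 machine depends on the NX bit being present, on PAE being active, and on the /noexecute policy chosen per boot entry (SP2 defaults to OptIn, which covers system binaries and programs that opt in). The script below is an added example, not part of the slides: it reports the DEP policy in force, parses the /noexecute and /PAE switches out of boot.ini, and can rewrite one entry's switches to a different policy. It assumes Windows PowerShell 2.0 on XP SP2 (the DEP properties on Win32_OperatingSystem exist from SP2 on), Administrator rights and bootcfg.exe for Set-DepPolicy, and a default boot.ini location.

```powershell
# Added example, not from the slides: report the DEP policy in force and the
# /noexecute switch per boot entry, and change the policy for one entry. Assumes
# Windows PowerShell 2.0 on XP SP2 (the DEP properties on Win32_OperatingSystem
# exist from SP2 on) and Administrator rights plus bootcfg.exe for Set-DepPolicy.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (SP2 default: system binaries
    # and programs that opt in), 3 OptOut (everything except an exception list).
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareNxAvailable = $os.DataExecutionPrevention_Available
        Policy              = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps     = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers       = $os.DataExecutionPrevention_Drivers
    }
}

function Get-BootEntry {
    # Parse the [operating systems] entries of boot.ini into ARC path, title and
    # switch list, numbered the way "bootcfg /id" counts them (first entry = 1).
    param([string]$Path = "$env:SystemDrive\boot.ini")
    $id = 0
    Get-Content -Path $Path | Where-Object { $_ -match '^\s*(multi|scsi|signature)\(' } | ForEach-Object {
        $id++
        $arc, $rest = $_ -split '=', 2
        $title = [regex]::Match($rest, '"([^"]*)"').Groups[1].Value
        # Drop the quoted title before looking for switches so a '/' in the title is ignored.
        $switches = @([regex]::Matches(($rest -replace '"[^"]*"', ''), '/\S+') | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Id = $id; Arc = $arc.Trim(); Title = $title; Switches = $switches
            NoExecute = (@($switches | Where-Object { $_ -like '/noexecute=*' }) -join '')
            Pae       = (@($switches | Where-Object { $_ -ieq '/pae' }).Count -gt 0)
        }
    }
}

function Set-DepPolicy {
    # Rewrite one entry's switch string with the requested /noexecute value and keep
    # the others (e.g. /fastdetect). 32-bit DEP needs PAE, which /noexecute turns on
    # implicitly on XP SP2. Takes effect at the next boot.
    param(
        [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')][string]$Policy,
        [int]$EntryId = 1
    )
    $entry = Get-BootEntry | Where-Object { $_.Id -eq $EntryId }
    if (-not $entry) { throw "boot.ini has no entry $EntryId" }
    $keep = @($entry.Switches | Where-Object { $_ -notlike '/noexecute=*' })
    $raw = ($keep + "/noexecute=$Policy") -join ' '
    & bootcfg.exe /raw $raw /id $EntryId
}

Get-DepStatus
Get-BootEntry | Format-Table Id, Title, NoExecute, Pae -AutoSize
# Set-DepPolicy -Policy OptOut -EntryId 1   # then reboot
```

OptOut is the usual choice for a managed desktop: every process gets DEP unless it is explicitly excepted, which surfaces the "code executing from a data segment" compatibility problems the slide warns developers about instead of silently leaving those programs unprotected.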
-
DEP User Experience
New Configuration Options for Netsh
With Windows XP (prior to SP2), the only way to enable or disable ICF is through:
the Network Connections folder
the Network Setup Wizard
the Internet Connection Wizard
Netsh is a command-line tool through which you can configure settings for network components
Prior to SP2 ICF had no Netsh context
With Windows XP SP2, you can now configure ICF settings through a series of commands in the netsh firewall context
Using Netsh, you can create Netsh scripts to automatically configure a set of ICF settings for both TCP/IP and IPv6.
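The Windows Firewall slide earlier (on by default, per-profile behaviour, file sharing on the home network, ports opened only for as long as needed) and the netsh firewall context described here come together in a script. The one below is an added example and is not from the HKCERT slides: it assumes an Administrator session on Windows XP SP2 with Windows PowerShell installed (PowerShell is not part of SP2 itself), and the log path, port number and rule name are illustrative choices. The command syntax is that of the XP SP2 netsh firewall context.

```powershell
# Added example, not from the HKCERT slides: configure the XP SP2 Windows Firewall
# (the renamed ICF) through the "netsh firewall" context. Assumes an Administrator
# session on Windows XP SP2 with Windows PowerShell installed (PowerShell is not
# part of SP2). The log path, port number and rule name are illustrative choices.

function Invoke-NetshFirewall {
    # Run one "netsh firewall ..." command line and turn a non-zero exit code into a
    # terminating error, so a mistyped profile or scope cannot pass unnoticed.
    param([string[]]$Arguments)
    $output = & netsh.exe firewall $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh firewall $($Arguments -join ' ') failed: $output"
    }
    return $output
}

# 1. Firewall on for both profiles. Exceptions stay allowed on the Domain profile;
#    on the Standard profile (hotel, hotspot, home) nothing inbound is answered.
Invoke-NetshFirewall 'set', 'opmode', 'mode=ENABLE', 'exceptions=ENABLE', 'profile=DOMAIN'   | Out-Null
Invoke-NetshFirewall 'set', 'opmode', 'mode=ENABLE', 'exceptions=DISABLE', 'profile=STANDARD' | Out-Null

# 2. File and Printer Sharing only on the corporate network and only from the local
#    subnet: the "file sharing with Windows Firewall on" scenario without exposing
#    SMB to every network the laptop ever joins.
Invoke-NetshFirewall 'set', 'service', 'type=FILEANDPRINT', 'mode=ENABLE', 'scope=SUBNET', 'profile=DOMAIN' | Out-Null

# 3. Do not answer ICMP echo requests (type 8) outside the domain.
Invoke-NetshFirewall 'set', 'icmpsetting', 'type=8', 'mode=DISABLE', 'profile=STANDARD' | Out-Null

# 4. Log dropped packets so a blocked application can be diagnosed from the log
#    instead of by switching the firewall off.
Invoke-NetshFirewall 'set', 'logging', 'filelocation=C:\pfirewall.log', 'maxfilesize=4096', 'droppedpackets=ENABLE', 'connections=DISABLE' | Out-Null

function Invoke-WithTemporaryPort {
    # Open a port only while a task runs, then close it in a finally block:
    # "enable ports as necessary, disable when done" made mechanical.
    param([int]$Port, [string]$Protocol = 'TCP', [scriptblock]$Work)
    Invoke-NetshFirewall 'add', 'portopening', "protocol=$Protocol", "port=$Port", "name=Temporary$Port", 'mode=ENABLE', 'scope=SUBNET', 'profile=CURRENT' | Out-Null
    try {
        & $Work
    } finally {
        Invoke-NetshFirewall 'delete', 'portopening', "protocol=$Protocol", "port=$Port", 'profile=CURRENT' | Out-Null
    }
}

# 5. Example task: something that needs inbound TCP/8080 for a few seconds.
Invoke-WithTemporaryPort -Port 8080 -Work { Start-Sleep -Seconds 5 }

# 6. Review the resulting configuration for both profiles.
Invoke-NetshFirewall 'show', 'config'
```

The same commands go into an unattended-setup script or a logon script unchanged; the wrapper only adds the exit-code check that netsh itself does not enforce when called from a batch file.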
-
Extensive support to configure settings using Group Policy
ICF settings for computers running Windows XP SP2 can be deployed through Computer Configuration Group Policy
A new set of Computer Configuration Group Policy ICF settings allows a network administrator to configure:
ICF operational modes
excepted traffic
other settings
When ICF is configured in an organization network using Group Policy, by default all of the local ICF configuration options are grayed out and unavailable.
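Because the Group Policy values live in a separate registry tree from the local firewall configuration, a greyed-out UI tells the administrator only that policy is in force, not which settings policy defines and which still come from the local configuration. The script below is an added example, not part of the slides: it reports, per profile, the effective value of the operational-mode settings and the port exceptions together with the tree each one came from. It assumes Windows PowerShell 2.0 on XP SP2; the key paths are those written by the Windows Firewall policy template and by the firewall service, and the "port:protocol:scope:mode:name" layout of port exceptions is the one both trees use.

```powershell
# Added example, not from the slides: show which firewall settings are in force on
# an XP SP2 host and whether each comes from Group Policy (the case in which the
# local UI is greyed out) or from local configuration. Assumes Windows PowerShell
# 2.0 on XP SP2; the key paths are those written by the Windows Firewall policy
# template and by the firewall service itself.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegistryValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key
    if ($props.PSObject.Properties[$Name]) { return $props.$Name }
    return $null
}

function Get-EffectiveFirewallSetting {
    # A value defined by policy wins; the local value applies only when policy is silent.
    param([string]$ProfileName, [string]$Name)
    $value  = Get-RegistryValue "$PolicyRoot\$ProfileName" $Name
    $source = 'GroupPolicy'
    if ($value -eq $null) {
        $value  = Get-RegistryValue "$LocalRoot\$ProfileName" $Name
        $source = 'Local'
    }
    New-Object PSObject -Property @{
        Profile = $ProfileName; Setting = $Name; Value = $value; Source = $source
    }
}

function Get-FirewallPortException {
    # Port exceptions are stored one per value under GloballyOpenPorts\List as
    # "port:protocol:scope:mode:name"; the name may itself contain colons.
    param([string]$ProfileName)
    $roots = @{ GroupPolicy = $PolicyRoot; Local = $LocalRoot }
    foreach ($source in $roots.GetEnumerator()) {
        $key = "$($source.Value)\$ProfileName\GloballyOpenPorts\List"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
            $parts = "$($prop.Value)" -split ':'
            if ($parts.Count -lt 5) { continue }
            New-Object PSObject -Property @{
                Profile = $ProfileName; Source = $source.Key
                Port = $parts[0]; Protocol = $parts[1]; Scope = $parts[2]; Mode = $parts[3]
                Name = ($parts[4..($parts.Count - 1)] -join ':')
            }
        }
    }
}

foreach ($p in 'DomainProfile', 'StandardProfile') {
    Get-EffectiveFirewallSetting $p 'EnableFirewall'
    Get-EffectiveFirewallSetting $p 'DoNotAllowExceptions'
    Get-FirewallPortException $p | Format-Table Source, Port, Protocol, Scope, Mode, Name -AutoSize
}
```

A port exception that appears only under Local on a domain-joined machine is one that policy does not govern; whether that is intended or a leftover from before the policy was applied is exactly the question this listing answers.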
-
Security Enhancement for Developer
DCOM
Locked down by default!
Previously, no way for administrators to enforce machine-wide access policy for all DCOM applications
XP has over 150 DCOM servers OOB!
Many DCOM applications have weak Launch and Access permissions that allow anonymous remote activation / access!
Administrators had no way to centrally manage / override these settings!
DCOM Solution: New machine-wide access check performed before any server-specific access checks are performed.
These computer-wide ACLs provide a way to override weak security settings specified by a specific application through CoInitializeSecurity or application-specific security settings
Access is also considered in terms of distance (i.e. local activation or remote activation) and ACLs can be set for both local and remote activation
Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
Everyone is granted local launch, activation and call permissions
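The machine-wide ACLs are ordinary security descriptors whose access-mask bits encode the local/remote distinction the slide describes (execute, local launch, remote launch, local activate, remote activate). The script below is an added example, not part of the slides: it reads the launch and access restrictions from Group Policy or the local Ole key, decodes each ACE into named rights, and flags any principal other than Administrators that is allowed a remote right. It assumes Windows PowerShell 2.0 on XP SP2 and .NET's RawSecurityDescriptor; the registry locations are the documented ones (the Policies key holds an SDDL string, the Ole key a binary descriptor). The SDDL string at the end is a constructed sample matching the default the slide describes, not something read from a machine.

```powershell
# Added example, not from the slides: read the machine-wide DCOM launch and access
# restrictions that SP2 adds, decode the ACEs, and flag any principal other than
# Administrators that is allowed a remote right. Assumes Windows PowerShell 2.0 on
# XP SP2 and .NET's RawSecurityDescriptor; the registry locations are the
# documented ones (the Policies key holds an SDDL string, the Ole key a binary SD).
# The SDDL string near the end is a constructed sample, not read from a machine.

$LaunchRights = @{ LocalLaunch = 2; RemoteLaunch = 4; LocalActivate = 8; RemoteActivate = 16 }
$AccessRights = @{ LocalAccess = 2; RemoteAccess = 4 }
$AdministratorsSid = 'S-1-5-32-544'

function Get-DcomRestriction {
    # A Group Policy value (SDDL) overrides the local value (self-relative binary SD).
    param([ValidateSet('MachineLaunchRestriction', 'MachineAccessRestriction')][string]$Name)
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    if ($policy -and $policy.$Name) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([string]$policy.$Name)
        return @{ Source = 'GroupPolicy'; Sd = $sd }
    }
    $local = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($local -and $local.$Name) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$local.$Name), 0)
        return @{ Source = 'Local'; Sd = $sd }
    }
    return $null   # value absent: SP2's built-in defaults apply
}

function ConvertTo-DcomAceReport {
    param(
        [System.Security.AccessControl.RawSecurityDescriptor]$Sd,
        [hashtable]$Rights,
        [string]$Source = 'Sample'
    )
    if ($Sd.DiscretionaryAcl -eq $null) { return }
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $mask = [int]$ace.AccessMask
        # Backward-compatibility rule: an ACE that carries only COM_RIGHTS_EXECUTE (bit 0)
        # and none of the SP2 local/remote bits grants all local and remote rights.
        if (($mask -band 0x1E) -eq 0 -and ($mask -band 1) -ne 0) { $mask = 0x1F }
        $granted = @($Rights.Keys | Where-Object { ($mask -band $Rights[$_]) -ne 0 } | Sort-Object)
        $sid = $ace.SecurityIdentifier
        $account = $sid.Value
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $remote = @($granted | Where-Object { $_ -like 'Remote*' }).Count -gt 0
        New-Object PSObject -Property @{
            Source = $Source; Type = $ace.AceType; Principal = $account; Sid = $sid.Value
            Rights = ($granted -join ',')
            RemoteToNonAdmin = ($ace.AceType -eq 'AccessAllowed' -and $sid.Value -ne $AdministratorsSid -and $remote)
        }
    }
}

# Constructed sample matching the SP2 default on the slide: Administrators (BA) get every
# right, Everyone (WD) only execute plus local launch and activation (CC=1, DC=2, SW=8).
$SampleLaunchSddl = 'O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)'
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor($SampleLaunchSddl)
ConvertTo-DcomAceReport -Sd $sample -Rights $LaunchRights |
    Format-Table Principal, Type, Rights, RemoteToNonAdmin -AutoSize

# Live values from this machine, if set. Any RemoteToNonAdmin = True row widens the
# SP2 default and deserves an explanation.
foreach ($name in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
    $r = Get-DcomRestriction -Name $name
    if ($r -eq $null) { "$name not set; SP2 defaults apply"; continue }
    $rights = @{ MachineLaunchRestriction = $LaunchRights; MachineAccessRestriction = $AccessRights }[$name]
    ConvertTo-DcomAceReport -Sd $r.Sd -Rights $rights -Source $r.Source |
        Format-Table Principal, Type, Rights, RemoteToNonAdmin -AutoSize
}
```

The machine-wide check runs before the application's own CoInitializeSecurity or per-AppID ACL, so a product that "fixes" its remote activation failure by adding Everyone with remote rights here has re-opened every one of the 150-plus servers the slide counts, not just its own.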
Security Enhancement for Developer
RPC
Locked down by default (RPC Interface Restriction)
Previously RPC was wide open for anonymous access
SP2 adds the RestrictRemoteClients setting and enables it by default
Requires all remote RPC clients to authenticate
The EPM now requires AuthN
Must set EnableAuthEpResolution to 1 on clients to get the EPM working again.
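RestrictRemoteClients and EnableAuthEpResolution are both DWORD values under the RPC policy key, and the first has three levels rather than being a plain on/off switch. The script below is an added example, not part of the slides: it reads the two values, works out the level actually in force (SP2 behaves as level 1 when the value is absent), and sets them for the server or client role. It assumes Windows PowerShell 2.0 on XP SP2 and Administrator rights for the set operation; key and value names are the documented RPC policy registry names.

```powershell
# Added example, not from the slides: read and set the two SP2 RPC hardening values.
# Assumes Windows PowerShell 2.0 on XP SP2 and Administrator rights for the set
# operation; key and value names are the documented RPC policy registry names.

$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$RestrictLevels = @{
    0 = 'None: anonymous remote RPC allowed (pre-SP2 behaviour)'
    1 = 'Default: remote clients must authenticate; interfaces registered as exempt stay reachable'
    2 = 'High: remote clients must authenticate; no exemptions'
}

function Get-RpcRestrictionState {
    $props = Get-ItemProperty -Path $RpcPolicyKey -ErrorAction SilentlyContinue
    $restrict = $null
    $epAuth   = $null
    if ($props) {
        if ($props.PSObject.Properties['RestrictRemoteClients'])  { $restrict = [int]$props.RestrictRemoteClients }
        if ($props.PSObject.Properties['EnableAuthEpResolution']) { $epAuth   = [int]$props.EnableAuthEpResolution }
    }
    # When the value is absent SP2 behaves as level 1 (the "enabled by default" on the slide).
    $effective = 1
    if ($restrict -ne $null) { $effective = $restrict }
    New-Object PSObject -Property @{
        RestrictRemoteClients  = $restrict
        EffectiveLevel         = $effective
        Meaning                = $RestrictLevels[$effective]
        EnableAuthEpResolution = $epAuth
        AuthenticatesToEpm     = ($epAuth -eq 1)
    }
}

function Set-RpcRestrictionState {
    # Servers: level 2 where no anonymous RPC interface may be reachable at all.
    # Clients: EnableAuthEpResolution = 1, otherwise endpoint lookups against a
    # hardened server's Endpoint Mapper fail, which is the breakage the slide describes.
    param(
        [ValidateSet(0, 1, 2)][int]$RestrictRemoteClients,
        [bool]$EnableAuthEpResolution
    )
    if (-not (Test-Path $RpcPolicyKey)) { New-Item -Path $RpcPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcPolicyKey -Name RestrictRemoteClients  -Value $RestrictRemoteClients -Type DWord
    Set-ItemProperty -Path $RpcPolicyKey -Name EnableAuthEpResolution -Value ([int]$EnableAuthEpResolution) -Type DWord
}

Get-RpcRestrictionState
# Workstation that must reach hardened servers:
# Set-RpcRestrictionState -RestrictRemoteClients 1 -EnableAuthEpResolution $true
```

Setting EnableAuthEpResolution on the clients is the part most often forgotten: raising the server to level 2 without it produces "endpoint not found" style failures on every client that still resolves endpoints anonymously.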
-
Additional Enhancements in Windows XP SP2 Beta
Automatic Update
SP2 will make it more convenient for customers to enable Automatic Update for Critical Updates.
SUS 2.0 client
Software Update Services 2.0 will use a consistent engine for reporting system state and reducing inconsistent results on secure update availability on a computer.
DirectX 9.0b
Enhanced DirectX components include updates to address a network firewall change that impacts OEM pre-installs and DirectPlay.
Bluetooth 2.0
Includes support for the current version of Bluetooth.
Unified Windows Local Area Network (LAN) client
New wireless LAN is intended to work with a broad range of wireless hotspots.
Improved Wireless configuration
Improved detection of wireless networks
Friendlier user interface
Wireless Network Setup Wizard
WEP key configuration/transfer using removable storage
-
New Bluetooth Client
Improved user experience
Improved security
New profiles:
Personal Area Network User (PANU)
File push: Object Push Profile (OPP)
Virtual COM ports
Boot-mode support for keyboards
Selective suspend support
Benefits
Enables scenarios without the mess of wires
Extends use of loosely connected devices for use with the PC
Same devices used with the PC in both corporate and consumer contexts
Easy discovery of devices with Windows Bluetooth support
Windows Update Services
[Diagram: Microsoft Update (Windows Update), Windows Update Services and SMS; update content for Windows, SQL, Exchange, Office]
WUS available late 2004
A free Windows Server add-on
Allows easy handling of patch management for servers and clients
-
Q&A
Technical documentation on changes in XP SP2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx