Windows XP SP 2 HKCERT IT Guide

Upload: milind-shah

Post on 04-Apr-2018


TRANSCRIPT

  • 7/30/2019 Windows XP SP 2 Hkcert IT Guide

    1/14

    Windows XP SP 2

    Bremen Lee | IT Manager

    Agenda

    Introduction of Windows XP SP2

    Windows Firewall

    Email Attachment Protection

    IE Security Enhancement

    Data Execution Prevention / Buffer Overflow Problem

    New Command Line Interface: Netsh

    Group Policy

    Security Enhancement for Developer

    Additional Enhancement

    Q&A

  • 2/14

    Security Challenges

    Responding to the Crisis

    Criminal attacks proliferating

    Exploits more sophisticated

    Deploying security updates cumbersome

    Time to exploit is decreasing

    Improve updates management

    Improve guidance and education

    Introduce new security technologies

    Customers have told us

    Give us better access control

    Develop reliable and secure software

    Simplify critical maintenance

    Reduce impact of malware

    Improve Updating

    Engineering Excellence

    Authentication, Authorization, Access Control

    Isolation and Resiliency

    Provide better guidance

    Deliver Security Guidance, Tools, Responsiveness

  • 3/14

    Windows XP Service Pack 2 Guiding Principles

    Windows XP SP2 security goals

  • 4/14

    Security Center

    Windows Firewall (formerly known as Internet Connection Firewall)

    Goal and Customer Benefit

    Provide better protection from network attacks by default

    Focus on roaming systems, small business, home users

    What We're Doing

    Windows Firewall will be on by default in almost all configurations

    More configuration options: Group Policy, command line, unattended setup

    Better user interface

    Boot time protection

    Multiple profile support: connected to corporate network vs. home

    Enable file sharing on home networks with Windows Firewall on

    Compatibility Impact

    In-bound network connections not permitted by default

    Dynamically enable ports as necessary, but only for as long as necessary; disable when done

  • 5/14

    Windows Firewall

    Email / IM Attachments

    Goal and Customer Benefit

    Consistent system-provided mechanism for applications to determine unsafe attachments

    Consistent user experience for attachment trust decisions

    What We're Doing

    Create new public API for handling attachments more securely (Attachment Execution Services)

    Default to not trust less secure attachment types

    Outlook Express, Windows Messenger, Internet Explorer changed to use new API

    More secure message preview

    Replaces AssocIsSafe()

    Compatibility Impact

    Use new API in your applications for better user experience, and better determination of security implications of content

  • 6/14

    Attachment Execution Services (AES)

    Web Browsing

    Goal and Customer Benefit

    Ensure a more secure web browsing experience

    What We're Doing

    Locking down local machine and local intranet zones

    Improved notifications for running or installing applications and ActiveX controls - limit UI spoofing

    HTML on local machine won't be able to script unsafe ActiveX controls or access data across domains in the Local Machine Security Zone

    Blocking unknown, unsigned ActiveX controls

    Files served with mismatched or missing MIME headers and file extensions may be blocked

    Pop-up windows will be suppressed unless they are initiated by user action

    Compatibility Impact

    Check web application compatibility against the new defaults

  • 7/14

    Pop-Up Manager

    Automatic Download Blocking

    ActiveX/Download prompts updated to be more consistent

    ActiveX/Download prompts hidden until the user clicks on the Alert bar

    Users can block publishers for ActiveX

  • 8/14

    Add-on Manager

    Data Execution Prevention (DEP)

    Goal and Customer Benefit

    Reduce exposure of some buffer overruns

    What We're Doing

    Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as execute

    Reduces exploitability of buffer overruns

    Enabled by default on NX capable machines

    Ensure application compatibility with NX for Longhorn

    Compatibility Impact

    Ensure your code doesn't execute code in a data segment

    Ensure your code runs in PAE mode with

  • 9/14

    DEP User Experience

    New Configuration Options for Netsh

    With Windows XP (prior to SP2), the only way to enable or disable ICF is through:

    the Network Connections folder

    the Network Setup Wizard

    the Internet Connection Wizard

    Netsh is a command-line tool through which you can configure settings for network components

    Prior to SP2 ICF had no Netsh context

    With Windows XP SP2, you can now configure ICF settings through a series of commands in the netsh firewall context

    Using Netsh, you can create Netsh scripts to automatically configure a set of ICF settings for both TCP/IP and IPv6.
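    The netsh firewall context described on this slide, and the "enable ports only for as long as necessary, disable when done" guidance from the Windows Firewall slide, as an added batch example that is not part of the HKCERT deck. The port number, rule name and log file path are constructed sample values; it assumes an XP SP2 machine and an administrator prompt.

```batch
@echo off
rem Added example (not from the HKCERT deck): drive the XP SP2 firewall from
rem the "netsh firewall" context. Port 3389 and the log path are sample values.

rem 1. Firewall on for every profile. exceptions=ENABLE keeps the exception
rem    list active; exceptions=DISABLE is the stricter "block all" mode.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Log dropped packets so blocked inbound connections can be reviewed
rem    later (successful connections are not logged here to keep the file small).
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 3. Inbound connections are blocked by default; open only what is needed,
rem    and limit the opening to the local subnet instead of scope=ALL.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (temporary)" mode=ENABLE scope=SUBNET profile=ALL

rem 4. Show the effective configuration: operating mode, open ports, logging.
netsh firewall show config

rem 5. When the port is no longer needed, close it again, as the firewall
rem    slide advises: enable only for as long as necessary, then disable.
netsh firewall delete portopening protocol=TCP port=3389 profile=ALL
```

    The same lines without the leading `netsh` word can be saved as a netsh script file and run with `netsh -f <file>`, which is the scripting use the slide refers to.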

  • 10/14

    Extensive support to configure settings using Group Policy

    ICF settings for computers running Windows XP SP2 can be deployed through Computer Configuration Group Policy

    A new set of Computer Configuration Group Policy ICF settings allow a network administrator to configure:

    ICF operational modes

    excepted traffic

    other settings

    When ICF is configured in an organization network using Group Policy, by default all of the local ICF configuration options are grayed out and unavailable.

  • 11/14

    Security Enhancement for Developer

    DCOM: Locked down by default!

    Previously, no way for administrators to enforce machine-wide access policy for all DCOM applications

    XP has over 150 DCOM servers OOB!

    Many DCOM applications have weak Launch and Access permissions that allow anonymous remote activation / access!

    Administrators had no way to centrally manage / override these settings!

    DCOM Solution: New machine-wide access check performed before any server-specific access checks are performed. These computer-wide ACLs provide a way to override weak security settings specified by a specific application through CoInitializeSecurity or application-specific security settings

    Access is also considered in terms of distance (i.e. local activation or remote activation) and ACLs can be set for both local and remote activation

    Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!

    Everyone is granted local launch, activation and call permissions

    Security Enhancement for Developer

    RPC: Locked down by default (RPC Interface Restriction)

    Previously RPC was wide open for anonymous access

    SP2 adds RestrictRemoteClients setting and enables it by default

    Requires all remote RPC clients to authenticate

    The EPM now requires AuthN

    Must set EnableAuthEpResolution to 1 on clients to get the EPM working again.
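    An added batch audit script, not from the HKCERT deck, that checks the lockdown state described on this slide (RPC RestrictRemoteClients / EnableAuthEpResolution and the DCOM machine-wide ACLs) and on the Group Policy slide (whether firewall settings are being delivered by policy, which is what greys out the local options). It assumes XP SP2 with reg.exe and an administrator prompt; the registry locations are the standard SP2 ones, and the interpretation text is the script's own.

```batch
@echo off
rem Added example (not from the HKCERT deck): audit the SP2 lockdown settings.
rem RestrictRemoteClients: 0 = pre-SP2 behaviour (anonymous remote RPC allowed),
rem 1 = SP2 default (remote RPC clients must authenticate), 2 = no exemptions.
setlocal

set RPC_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
set OLE_KEY=HKLM\SOFTWARE\Microsoft\Ole
set FW_POL=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

echo == RPC interface restriction ==
reg query "%RPC_KEY%" /v RestrictRemoteClients 2>nul || echo   RestrictRemoteClients not set: the SP2 default of 1 applies
reg query "%RPC_KEY%" /v EnableAuthEpResolution 2>nul || echo   EnableAuthEpResolution not set: set it to 1 on clients so EPM resolution works against SP2 servers

echo == DCOM machine-wide launch and access ACLs ==
reg query "%OLE_KEY%" /v MachineLaunchRestriction 2>nul || echo   no machine-wide launch ACL found
reg query "%OLE_KEY%" /v MachineAccessRestriction 2>nul || echo   no machine-wide access ACL found

echo == Firewall settings delivered by Group Policy ==
for %%P in (DomainProfile StandardProfile) do (
    reg query "%FW_POL%\%%P" /v EnableFirewall 2>nul && echo   %%P is under Group Policy control, local firewall UI greyed out || echo   %%P has no policy, local settings apply
)

endlocal
```

    The two ACL values are REG_BINARY security descriptors, so reg.exe prints them as hex; the point of the check is whether an administrator-set machine-wide ACL exists at all.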

  • 12/14

    Additional Enhancements in Windows XP SP2 Beta

    Automatic Update: SP2 will make it more convenient for customers to enable Automatic Update for Critical Updates.

    SUS 2.0 client: Software Update Services 2.0 will use a consistent engine for reporting system state and reducing inconsistent results on secure update availability on a computer.

    DirectX 9.0b: Enhanced DirectX components include updates to address a network firewall change that impacts OEM pre-installs and DirectPlay.

    Bluetooth 2.0: Includes support for current version of Bluetooth.

    Unified Windows Local Area Network (LAN) client: New wireless LAN is intended to work with a broad range of wireless hotspots.

    Improved Wireless configuration

    Improved detection of wireless networks

    Friendlier user interface

    Wireless Network Setup Wizard

    WEP Key configuration/transfer using removable storage

  • 13/14

    New Bluetooth Client

    Improved user experience

    Improved security

    New profiles: Personal Area Network user (PANU)

    File push: Object Push Profile (OPP)

    Virtual COM ports

    Boot-mode support for keyboards

    Selective suspend support

    Benefits

    Enables scenarios without the mess of wires

    Extends use of loosely connected devices for use with the PC

    Same devices used with PC in both corporate and consumer contexts

    Easy discovery of devices with Windows Bluetooth support

    Windows Update Services

    Windows, SQL, Exchange, Office

    Windows Update Services

    Windows, SQL, Exchange, Office

    SMS

    Microsoft Update (Windows Update)

    WUS available late 2004

    A free Windows Server add-on

    Allows easy handling of patch management for servers and clients

  • 14/14

    Q&A

    Technical documentation on changes in XP SP2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx