Microsoft Windows XP SP2 for Developers

Rafal Lukawiecki
rafal@projectbotticelli.co.uk
Strategic Consultant
Project Botticelli Ltd

This session is based on material from course 2853 and from my friend Steve Riley

Objectives

Give a brief overview of SP2

Discuss, in depth, what developers need to do to comply with, and even benefit from, SP2

Brief Overview

What is SP2?

All the usual stuff of course
  Post-SP1 hotfixes (more regression testing)

New security technologies
  Network protection
  Memory protection
  Safer e-mail handling
  More secure browsing
  Improved computer maintenance

Some updated features

SP2 Security Goals

Increase the security resiliency and management of Windows XP

Decrease end-user security burden: more secure out-of-the-box

Reduce damage of worms and viruses
  even if updates are not installed

Make attackers work harder

Windows Firewall Enhancements

Better UI

On by default

Boot-time security

Multiple configurations & profiles

Exceptions list (can be disallowed)

Local subnet restrictions

Command-line and better group policy management

Unattended setup

Windows Firewall

New user interface

Per-interface configuration

Adding programs or ports

Exceptions can be disallowed

Group policy settings

Are you sick of “are you sick of”?

Internet Explorer

Managing pop-ups

Pre-SP2 IE ActiveX warning

New IE ActiveX notice

Controlling add-ons

Outlook Express

Blocking attachments

In-Depth Discussion

Windows XP SP2

Windows Firewall

Application Permissions List

DCOM Enhancements

Secure RPC Calls

Memory Protection

Safer E-mail Execution

Enhanced Browser Security

Improved Computer Maintenance

Integration of Visual Studio 2005 with Windows XP SP2

All products from Visual Studio 2005 onwards:
  Will be designed to work well on Windows XP SP2
  Will enable developers to take full advantage of the security enhancements in Windows XP

Impact on Visual Studio .NET 2002, Visual Studio .NET 2003, and the .NET Framework 1.1

.NET Framework 1.0 and 1.1
  Will be serviced to enable developers to take advantage of Windows XP SP2 enhancements
  .NET Framework service packs that take advantage of Execution Protection will be shipped in the Windows XP SP2 RTM timeframe

Visual Studio .NET 2002 and 2003
  Will be serviced to enable developers to take advantage of Windows XP SP2 enhancements
  Tools released prior to VS .NET 2002 will not be serviced to address XP SP2
  Affects the Visual SourceSafe, Visual Studio .NET Analyzer, SQL debugging, and remote debugging features

Impact of Increased Network Protection on Applications

“On With No Exceptions” feature of Windows Firewall

Configuration Settings in Windows Firewall

Ability to configure Application Permissions List in Windows Firewall

Netsh Commands to Script Configuration Changes to Windows Firewall

Effects of Windows Firewall on IPv4 Inbound and Outbound Connections

Effects of Windows Firewall on IPv4 Inbound Connections on RPC and DCOM Ports

How Windows Firewall Affects Applications

Feature                   Effect on applications
On-by-default             Creates application incompatibility if the application does not work with stateful filtering by default
Boot-time security        If the Windows Firewall service fails to start, an administrator will not be able to remotely troubleshoot the issue because all the ports will be closed
Global configuration      Makes it easier for users to manage their firewall policy across all network connections
Local subnet restriction  Restricts the scope of who can access a port
Multiple profiles         An application that needs to work on the Internet and on a trusted network might not work because the two profiles might not have the same set of policy

How to Add Applications to Windows Firewall

Administratively
  On the Exceptions tab in the Windows Firewall dialog box, click Add Program
  If you do not find the program, you can open a port instead

Programmatically
  It is recommended that ISVs place their applications that act as network listeners on the Windows Firewall Exceptions list during installation (NetFwTypeLib and INetFwV4AuthorizedApplication APIs)

Netsh Commands to Script Configuration of Windows Firewall

Netsh command          Purpose
add allowedprogram     Adds excepted traffic by specifying the program's file name
delete allowedprogram  Deletes an existing allowed program
add portopening        Adds excepted traffic by specifying a TCP or UDP port
set portopening        Modifies the settings of an existing open TCP or UDP port
delete portopening     Deletes an existing open TCP or UDP port
set service            Allows or drops file and printer sharing, remote administration, remote desktop, and UPnP traffic
set opmode             Specifies the operating mode of Windows Firewall either globally or for a specific connection (interface)

Impact of Memory Protection and E-mail Handling Technologies on Applications

Data Execution Prevention (NX)

Attachment Execution Service

How Data Execution Prevention Impacts Applications

Application compatibility
  DEP causes compatibility issues for applications that perform dynamic code generation and that do not explicitly mark generated code with Execute permission

System compatibility
  Systems with processors that support the NX processor feature may fail to boot or have other stability issues when the processor is running in PAE mode if not designed to handle > 4GB RAM

How Attachment Execution Service Impacts Applications

Applies to any developer producing e-mail or chat client software

Internally, Attachment Execution Service gives each attachment a risk rating based on extension, content type, and registered handlers

Risk rating is mapped to a policy checked using Internet Explorer zones (restricted, Internet, intranet, local, trusted)

Does not provide any workarounds to subvert process and protection

How the Local Machine Zone Lockdown Feature Affects Web Applications

Effect of the Local Machine Zone Lockdown feature
  Impacts applications that host local HTML files in Internet Explorer
  Does not impact developers of Web sites that are hosted in the Internet or Local Intranet zones
  Requires developers to register applications if they want to ensure that malicious code cannot be run through applications

Overcoming restrictions caused by the Local Machine Zone Lockdown feature
  Save your content as an HTA file
  Add a “mark of the Web” comment placed in the HTML file to your Web pages
  Create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC)

New Internet Explorer–Related Registry Settings

Setting                                Purpose
URLACTION_FEATURE_MIME_SNIFFING        Enables file promotion from one type to another based on a “MIME sniff”
URLACTION_FEATURE_ZONE_ELEVATION       Mitigates many privilege-escalation attacks
URLACTION_FEATURE_WINDOW_RESTRICTIONS  Restricts script-initiated pop-up windows and windows that include the title and status bars

How the Pop-up Manager Affects Web Applications

Effects of the Pop-up Manager
  Affects the behavior of windows opened by Web sites, for example, those opened using the following methods:
    window.open()
    window.showModelessDialog(), window.showModalDialog()
    window.navigateAndFind()
    showHelp()
  Provides the INewWindowManager interface, which allows applications using the rendering engine in Internet Explorer to:
    Display HTML to use or extend Pop-up Manager functionality
    Use your own Pop-up Manager
    Disable Pop-up Manager

Procedure

Using Windows Firewall and SQL 7 & MSDE 1.0

Determine the port number

Enable networking by using one of the following methods:
  Add the TCP port as an exception
  Add the SQL Server program as an exception
  Enable named pipes and/or multi-protocol over named pipes

Methods

Windows Firewall and SQL 2000 & MSDE 2000

Add the TCP port as an exception
  Adds the port that you are listening to on SQL Server to the Windows Firewall Exceptions list

Add the SQL Server program as an exception
  Enables SQL Server to listen on any port
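As an added example that is not part of the original deck, the batch script below applies the SQL Server / MSDE methods above using the netsh firewall commands listed earlier. It assumes the default instance listens on TCP 1433 and that sqlservr.exe sits at the default SQL Server 2000 install path; check both (Server Network Utility) before running it.

```batch
@echo off
rem Added example, not part of the original deck: script the Windows XP SP2
rem firewall exceptions for a SQL Server 2000 / MSDE 2000 default instance.
rem Assumptions: the instance listens on TCP 1433 and sqlservr.exe is at the
rem default install path. Verify both before running.
set SQL_PORT=1433
set SQL_EXE=%ProgramFiles%\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

rem Keep the firewall on and keep the Exceptions list in effect on every
rem profile ("On With No Exceptions" would ignore everything added below).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Method A: open only the TCP port the instance listens on, restricted to
rem the local subnet so hosts on the Internet cannot reach the database engine.
netsh firewall add portopening protocol=TCP port=%SQL_PORT% name="SQL Server (TCP %SQL_PORT%)" mode=ENABLE scope=SUBNET profile=ALL

rem Method B (alternative to A): trust the program instead of a fixed port.
rem This lets sqlservr.exe listen on any port, so prefer Method A whenever
rem the port is fixed. Uncomment to use; still scope it to the local subnet.
rem netsh firewall add allowedprogram program="%SQL_EXE%" name="SQL Server" mode=ENABLE scope=SUBNET profile=ALL

rem Method C (named pipes): named pipes ride on SMB, so clients need the File
rem and Printer Sharing exception (TCP 139/445). Uncomment only if needed.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem Verify the resulting policy.
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show service

rem Roll back:
rem netsh firewall delete portopening protocol=TCP port=%SQL_PORT% profile=ALL
rem netsh firewall delete allowedprogram program="%SQL_EXE%" profile=ALL
```

Run it from an administrator command prompt; the show commands at the end let you confirm that only the intended port or program, scoped to the subnet, was added.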

Other SQL Server Components

You also need to configure for:
  SQLXML
  SQL Browser Service
  SQL Server 2000 and MSDE 2000 Service Pack 3a
  MSDTC
  SQL Server Analysis Services
  SQL Server Reporting Services
  SQL Server Agent
  SQL Server Replication

See “References” at the end of the session

RPC Enhancements

Windows Firewall allows only the processes that are running in the Local System, Network Service, or Local Service security context to open ports for RPC communication

RestrictRemoteClients registry key by default eliminates remote anonymous access to RPC interfaces on the system, with some exceptions

EnableAuthEpResolution enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a Windows XP SP2 system

The RestrictRemoteClients registry key values

RestrictRemoteClients registry key forces RPC to perform some additional security checks for all interfaces, even if the interface has no registered security callback

RestrictRemoteClients Registry Setting
  RPC_RESTRICT_REMOTE_CLIENT_NONE (0): Causes the system to bypass the new RPC interface restriction
  RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1): Causes the system to restrict access to all RPC interfaces
  RPC_RESTRICT_REMOTE_CLIENT_HIGH (2): Causes the system to disallow anonymous calls using RPC

Methods to Resolve RPC Incompatibilities

Require your RPC clients to use RPC security when contacting your server application

Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration

Force RPC to exhibit the same behavior as earlier versions of Windows by setting the registry key to RPC_RESTRICT_REMOTE_CLIENT_NONE (0)

Purpose of EnableAuthEpResolution

Issues with Resolving an Endpoint
  Anonymous calls to the endpoint mapper interface will fail by default on Windows XP SP2 because of the default value for the new RestrictRemoteClients key
  Necessary to modify the RPC client runtime to perform an authenticated query to the endpoint mapper

EnableAuthEpResolution Registry Setting
  Ensures that all endpoint mapper queries performed on behalf of authenticated calls will be performed using NTLM or Kerberos authentication
  Enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a computer running Windows XP SP2
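As an added example that is not part of the original deck, this batch script inspects and sets the two RPC values discussed on the RestrictRemoteClients and EnableAuthEpResolution slides with reg.exe, keeping the SP2 default rather than relaxing it. It assumes the documented key path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc, which the slides do not state.

```batch
@echo off
rem Added example, not part of the original deck: inspect and set the two RPC
rem hardening values with reg.exe. The key path is the documented location of
rem these values; it is not given on the slides.
set RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

rem Show what is configured. If RestrictRemoteClients is absent, SP2 applies
rem its default behaviour, RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1).
reg query "%RPCKEY%" /v RestrictRemoteClients
reg query "%RPCKEY%" /v EnableAuthEpResolution

rem Keep the SP2 default (1) explicitly rather than relaxing to NONE (0), which
rem would restore pre-SP2 anonymous remote access to every RPC interface.
reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem Make the client runtime authenticate its endpoint-mapper queries (NTLM or
rem Kerberos) so calls to dynamic endpoints keep working under that restriction.
reg add "%RPCKEY%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

rem Re-read the key to confirm both values.
reg query "%RPCKEY%"
```

Setting RestrictRemoteClients to 0 is the compatibility fallback the previous slide names; treat it as a last resort after the interface-level fixes (RPC security on the client, or RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH for a specific interface) have been ruled out.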

Windows XP SP2 and DCOM

Windows XP SP2 DCOM Security Enhancements
  Computer-Wide Restrictions to DCOM
  Granular COM Permissions

DCOM in Windows XP SP2

Computer-Wide Restrictions to DCOM

Adds computer-wide access controls that govern access to all call, activation, or launch requests on a computer

Creates an additional AccessCheck

Provides a minimum authorization bar that must be passed to access COM servers on the computer

Provides a computer-wide ACL for launch permissions to cover activation and launch, and for access permissions to cover calls

Provides a computer-wide ACL as a means to override weak security settings specified by a specific application through CoInitializeSecurity

Granular COM Permissions

Separating call and activation permissions
  Windows XP SP2 changes COM to separate the call and activation permissions and move the activation permissions from the Access Permission ACL to the Launch Permission ACL
  Launch Permission ACLs can be split into Local launch (LL), Remote launch (RL), Local activate (LA), and Remote activate (RA) permissions

Local and remote permissions
  Administrators have the flexibility to control a computer's COM permission policy based on the concept of "distance"
  Local is defined as the COM message arriving via the LRPC protocol, while remote COM messages arrive via a remote RPC protocol like TCP/IP

Implications

Implications of Granular COM Permissions on Custom Applications

For COM applications that use the default security settings, there are no compatibility issues

Most applications that are dynamically started by using COM activation will have no compatibility issues because the launch permissions must already include anyone who is able to activate an object

Applications that are already started by using mechanisms such as Windows Explorer or Service Control Manager can have compatibility issues

Remember the Challenge

Usability vs. Security

SP2 is a significant shift towards Security

A lot of work done on overcoming Usability issues

But the challenge of this balance remains

Summary

SP2 gives a wide range of security improvements

SP2 forces developers to be more security-conscious

Most applications will run “as-is”

Apps that use features impacted by the Service Pack need to be serviced themselves

References & More

msdn.microsoft.com

Microsoft training course 2853

Developer resources—including training
  http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

Learn more about Service Pack 2
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

Changes to functionality—always updated
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

Deploying Service Pack 2
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

Microsoft IT Forum in Copenhagen, November 2004

© 2003 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.