Microsoft Windows XP SP2 for Developers

Rafal Lukawiecki
[email protected]
Strategic Consultant, Project Botticelli Ltd
This session is based on material from course 2853 and from my friend Steve Riley

Objectives
Give a brief overview of SP2
Discuss, in depth, what developers need to do to comply with, and even benefit from, SP2
Brief Overview

What is SP2?
All the usual stuff of course:
  Post-SP1 hotfixes (more regression testing)
New security technologies:
  Network protection
  Memory protection
  Safer e-mail handling
  More secure browsing
  Improved computer maintenance
Some updated features

SP2 Security Goals
Increase the security resiliency and management of Windows XP
Decrease end-user security burden: more secure out-of-the-box
Reduce damage of worms and viruses, even if updates are not installed
Make attackers work harder

Windows Firewall Enhancements
Better UI
On by default
Boot-time security
Multiple configurations & profiles
Exceptions list (can be disallowed)
Local subnet restrictions
Command-line and better group policy management
Unattended setup

Windows Firewall: New user interface
Windows Firewall: Per-interface configuration
Windows Firewall: Adding programs or ports
Windows Firewall: Exceptions can be disallowed
Windows Firewall: Group policy settings

Are you sick of “are you sick of”?

Internet Explorer: Managing pop-ups
Internet Explorer: Pre-SP2 IE ActiveX warning
Internet Explorer: New IE ActiveX notice
Internet Explorer: Controlling add-ons

Outlook Express: Blocking attachments
In-Depth Discussion

Windows XP SP2
Windows Firewall
Application Permissions List
DCOM Enhancements
Secure RPC Calls
Memory Protection
Safer E-mail Execution
Enhanced Browser Security
Improved Computer Maintenance

Integration of Visual Studio 2005 with Windows XP SP2
All products from Visual Studio 2005 onwards:
  Will be designed to work well on Windows XP SP2
  Will enable developers to take full advantage of the security enhancements in Windows XP

Impact on Visual Studio .NET 2002, Visual Studio .NET 2003, and the .NET Framework 1.1
.NET Framework 1.0 and 1.1:
  Will be serviced to enable developers to take advantage of Windows XP SP2 enhancements
  .NET Framework service packs that take advantage of Execution Protection will be shipped in the Windows XP SP2 RTM timeframe
Visual Studio .NET 2002 and 2003:
  Will be serviced to enable developers to take advantage of Windows XP SP2 enhancements
  Tools released prior to VS .NET 2002 will not be serviced to address XP SP2
  Affects the Visual SourceSafe, Visual Studio .NET Analyzer, SQL debugging, and remote debugging features
Impact of Increased Network Protection on Applications
“On With No Exceptions” feature of Windows Firewall
Configuration settings in Windows Firewall
Ability to configure the Application Permissions List in Windows Firewall
Netsh commands to script configuration changes to Windows Firewall
Effects of Windows Firewall on IPv4 inbound and outbound connections
Effects of Windows Firewall on IPv4 inbound connections on RPC and DCOM ports

How Windows Firewall Affects Applications
Feature: Effect on applications
On-by-default: Creates application incompatibility if the application does not work with stateful filtering by default
Boot-time security: If the Windows Firewall service fails to start, an administrator will not be able to remotely troubleshoot the issue because all the ports will be closed
Global configuration: Makes it easier for users to manage their firewall policy across all network connections
Local subnet restriction: Restricts the scope of who can access a port
Multiple profiles: An application that needs to work on the Internet and on a trusted network might not work because the two profiles might not have the same set of policy

How to Add Applications to Windows Firewall
Administratively:
  On the Exceptions tab in the Windows Firewall dialog box, click Add Program
  If you do not find the program, you can open a port instead
Programmatically:
  It is recommended that ISVs place their applications that act as network listeners on the Windows Firewall Exceptions list during installation (NetFwTypeLib and INetFwV4AuthorizedApplication APIs)
Netsh Commands to Script Configuration of Windows Firewall
Netsh command: Purpose
add allowedprogram: Adds excepted traffic by specifying the program's file name
delete allowedprogram: Deletes an existing allowed program
add portopening: Used to add excepted traffic by specifying a TCP or UDP port
set portopening: Used to modify the settings of an existing open TCP or UDP port
delete portopening: Used to delete an existing open TCP or UDP port
set service: Used to allow or drop file and printer sharing, remote administration, remote desktop, and UPnP traffic
set opmode: Specifies the operating mode of Windows Firewall either globally or for a specific connection (interface)
Impact of Memory Protection and E-mail Handling Technologies on Applications
Data Execution Prevention (NX)
Attachment Execution Service

How Data Execution Prevention Impacts Applications
Application compatibility:
  DEP causes compatibility issues for applications that perform dynamic code generation and that do not explicitly mark generated code with Execute permission
System compatibility:
  Systems with processors that support the NX processor feature may fail to boot or have other stability issues when the processor is running in PAE mode, if not designed to handle > 4 GB RAM

How Attachment Execution Service Impacts Applications
Applies to any developer producing e-mail or chat client software
Internally, Attachment Execution Service gives each attachment a risk rating based on extension, content type, and registered handlers
The risk rating is mapped to a policy checked using Internet Explorer zones (restricted, Internet, intranet, local, trusted)
Does not provide any workarounds to subvert the process and protection

How the Local Machine Zone Lockdown Feature Affects Web Applications
Effect of the Local Machine Zone Lockdown feature:
  Impacts applications that host local HTML files in Internet Explorer
  Does not impact developers of Web sites that are hosted in the Internet or Local Intranet zones
  Requires developers to register applications if they want to ensure that malicious code cannot be run through applications
Overcoming restrictions caused by the Local Machine Zone Lockdown feature:
  Save your content as an HTA file
  Add a “mark of the Web” comment, placed in the HTML file, to your Web pages
  Create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC)

New Internet Explorer-Related Registry Settings
Setting: Purpose
URLACTION_FEATURE_MIME_SNIFFING: Enables file promotion from one type to another based on a “MIME sniff”
URLACTION_FEATURE_ZONE_ELEVATION: Mitigates many privilege-escalation attacks
URLACTION_FEATURE_WINDOW_RESTRICTIONS: Restricts script-initiated pop-up windows and windows that include the title and status bars

How the Pop-up Manager Affects Web Applications
Effects of the Pop-up Manager:
  Affects the behavior of windows opened by Web sites, for example, those opened using the following methods:
    window.open()
    window.showModelessDialog(), window.showModalDialog()
    window.navigateAndFind()
    showHelp()
  Provides the INewWindowManager interface, which allows applications using the Internet Explorer rendering engine to:
    Display HTML to use or extend Pop-up Manager functionality
    Use your own Pop-up Manager
    Disable the Pop-up Manager
Procedure: Using Windows Firewall and SQL 7 & MSDE 1.0
Determine the port number
Enable networking by using one of the following methods:
  Add the TCP port as an exception
  Add the SQL Server program as an exception
  Enable named pipes and/or multi-protocol over named pipes

Methods: Windows Firewall and SQL 2000 & MSDE 2000
Add the TCP port as an exception: adds the port that SQL Server is listening on to the Windows Firewall Exceptions list
Add the SQL Server program as an exception: enables SQL Server to listen on any port
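The netsh commands tabulated earlier in the deck and the SQL Server procedure on the two slides above, scripted end to end. This is an added example, not a script from the original session or from Microsoft. It assumes a SQL Server 2000 / MSDE 2000 default instance listening on TCP 1433 and the sqlservr.exe path shown; both are placeholders to adjust for the machine at hand.

```batch
@echo off
rem Added example (not from the original deck): scripts the Windows XP SP2
rem firewall settings for a SQL Server listener using the netsh commands
rem covered on the earlier slide. Assumptions: the instance listens on
rem TCP 1433 (the default-instance port; confirm with "netstat -ano") and
rem sqlservr.exe lives under the path below. Run from an administrator
rem command prompt.

setlocal
set SQLPORT=1433
set SQLEXE=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

rem 1. Keep the firewall on, with the exceptions list honoured.
rem    exceptions=DISABLE is the "On with no exceptions" mode: every entry
rem    below is ignored and only outbound-initiated traffic gets through.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2a. Port exception, limited to the local subnet so only LAN clients can
rem     reach the listener (scope=ALL would expose it to every interface).
netsh firewall add portopening protocol=TCP port=%SQLPORT% name="SQL Server (TCP %SQLPORT%)" mode=ENABLE scope=SUBNET

rem 2b. Alternative: program exception. This lets sqlservr.exe listen on
rem     whatever port it opens, so prefer 2a when the port is fixed.
rem netsh firewall add allowedprogram program="%SQLEXE%" name="SQL Server" mode=ENABLE scope=SUBNET

rem 3. Named pipes ride on SMB, so named-pipe clients additionally need the
rem    File and Printer Sharing service allowed; keep it subnet-scoped too.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

rem 4. Verify what is now open, then review the whole configuration.
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show config

rem Roll back when the instance is decommissioned:
rem netsh firewall delete portopening protocol=TCP port=%SQLPORT%
rem netsh firewall delete allowedprogram program="%SQLEXE%"
endlocal
```

The subnet scope is the detail worth keeping from the firewall enhancements slide: a port opened with scope=ALL is reachable from any network the machine joins, whereas scope=SUBNET confines it to the local subnet on every profile the rule applies to.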
Other SQL Server Components
You also need to configure for:
  SQLXML
  SQL Browser Service
  SQL Server 2000 and MSDE 2000 Service Pack 3a
  MSDTC
  SQL Server Analysis Services
  SQL Server Reporting Services
  SQL Server Agent
  SQL Server Replication
See “References” at the end of the session
RPC Enhancements
Windows Firewall allows only the processes that are running in the Local System, Network Service, or Local Service security context to open ports for RPC communication
The RestrictRemoteClients registry key by default eliminates remote anonymous access to RPC interfaces on the system, with some exceptions
EnableAuthEpResolution enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a Windows XP SP2 system

The RestrictRemoteClients Registry Key Values
The RestrictRemoteClients registry key forces RPC to perform some additional security checks for all interfaces, even if the interface has no registered security callback
RestrictRemoteClients registry setting:
  RPC_RESTRICT_REMOTE_CLIENT_NONE (0): Causes the system to bypass the new RPC interface restriction
  RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1): Causes the system to restrict access to all RPC interfaces
  RPC_RESTRICT_REMOTE_CLIENT_HIGH (2): Causes the system to disallow anonymous calls using RPC

Methods to Resolve RPC Incompatibilities
Require your RPC clients to use RPC security when contacting your server application
Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration
Force RPC to exhibit the same behavior as earlier versions of Windows by setting the registry key to RPC_RESTRICT_REMOTE_CLIENT_NONE (0)

Purpose of EnableAuthEpResolution
Issues with resolving an endpoint:
  Anonymous calls to the endpoint mapper interface will fail by default on Windows XP SP2 because of the default value for the new RestrictRemoteClients key
  Necessary to modify the RPC client runtime to perform an authenticated query to the endpoint mapper
EnableAuthEpResolution registry setting:
  Ensures that all endpoint mapper queries performed on behalf of authenticated calls will be performed using NTLM or Kerberos authentication
  Enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a computer running Windows XP SP2
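The RestrictRemoteClients values and the EnableAuthEpResolution switch from the slides above, as a registry script that shows the weak compatibility setting next to the hardened ones. This is an added example, not from the original deck; the key path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc is the one the RPC group policy settings write to and is assumed here.

```batch
@echo off
rem Added example (not from the original deck): inspects and sets the two
rem RPC registry values discussed on the preceding slides. The policy key
rem path is assumed (it is the key the RPC group policy settings use).
rem Run from an administrator command prompt; the RPC runtime reads
rem RestrictRemoteClients at start-up, so reboot after changing it.

setlocal
set RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

rem Current state. An absent value means the SP2 default applies:
rem RestrictRemoteClients = 1 (DEFAULT), EnableAuthEpResolution = 0.
reg query "%RPCKEY%" /v RestrictRemoteClients 2>nul || echo RestrictRemoteClients not set: SP2 default (1) applies
reg query "%RPCKEY%" /v EnableAuthEpResolution 2>nul || echo EnableAuthEpResolution not set: default (0) applies

rem Weak setting (the last resort on the "Methods to Resolve RPC
rem Incompatibilities" slide): 0 = RPC_RESTRICT_REMOTE_CLIENT_NONE restores
rem pre-SP2 behaviour, so remote anonymous callers reach every RPC interface
rem again. Left commented out on purpose; fix the client or server instead.
rem reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 0 /f

rem Hardened settings: pin 1 = RPC_RESTRICT_REMOTE_CLIENT_DEFAULT explicitly
rem (so a later weakening is visible as a change), or use 2 =
rem RPC_RESTRICT_REMOTE_CLIENT_HIGH to disallow anonymous RPC calls outright.
reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem On machines that act as RPC clients of SP2 servers with dynamic
rem endpoints, make the endpoint-mapper query authenticated (NTLM/Kerberos)
rem so it is not rejected as an anonymous call.
reg add "%RPCKEY%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

rem Confirm both values.
reg query "%RPCKEY%"
endlocal
```

Pinning the value explicitly rather than relying on the absent-value default is the point of the script: an auditor reading the key can then distinguish "SP2 default" from "someone set NONE", and a later change to 0 shows up as a registry modification.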
Windows XP SP2 and DCOM
Windows XP SP2 DCOM security enhancements:
  Computer-Wide Restrictions to DCOM
  Granular COM Permissions

DCOM in Windows XP SP2
Computer-wide restrictions to DCOM:
  Adds computer-wide access controls that govern access to all call, activation, or launch requests on a computer
  Creates an additional AccessCheck
  Provides a minimum authorization bar that must be passed to access COM servers on the computer
  Provides a computer-wide ACL for launch permissions to cover activation and launch, and for access permissions to cover calls
  Provides a computer-wide ACL as a means to override weak security settings specified by a specific application through CoInitializeSecurity

Granular COM Permissions
Local and remote permissions:
  Administrators have the flexibility to control a computer's COM permission policy based on the concept of "distance"
  Local is defined as the COM message arriving via the LRPC protocol, while remote COM messages arrive via a remote RPC protocol like TCP/IP
Separating call and activation permissions:
  Windows XP SP2 changes COM to separate the call and activation permissions and move the activation permissions from the Access Permission ACL to the Launch Permission ACL
  Launch Permission ACLs can be split into Local launch (LL), Remote launch (RL), Local activate (LA), and Remote activate (RA) permissions

Implications of Granular COM Permissions on Custom Applications
For COM applications that use the default security settings, there are no compatibility issues
Most applications that are dynamically started by using COM activation will have no compatibility issues because the launch permissions must already include anyone who is able to activate an object
Applications that are already started by using mechanisms such as Windows Explorer or Service Control Manager can have compatibility issues
Remember the Challenge
Usability vs. Security
SP2 is a significant shift towards security
A lot of work done on overcoming usability issues
But the challenge of this balance remains

Summary
SP2 gives a wide range of security improvements
SP2 forces developers to be more security-conscious
Most applications will run “as-is”
Apps that use features impacted by the Service Pack need to be serviced themselves

References & More
msdn.microsoft.com
Microsoft training course 2853
Developer resources, including training: http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx
Learn more about Service Pack 2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Changes to functionality (always updated): http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
Deploying Service Pack 2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Microsoft IT Forum in Copenhagen, November 2004

© 2003 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.