
Microsoft Windows XP SP2






Presentation Transcript


  1. Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH

  2. Overview Of Windows XP SP2
  • Network: Help protect the system from attacks from the network
  • Email/IM: Enable safer Email and Instant Messaging experience
  • Web: Enable safer Internet experience for most common Internet tasks
  • Memory: Provide system-level protection for the base operating system

  3. Windows Firewall (Network)
  • Goal and Customer Benefit
    • Provide better protection from network attacks by default
    • Focus on roaming systems, small business, home users
  • What We’re Doing
    • Windows Firewall (formerly ICF) will be on by default in almost all configurations
    • More configuration options: Group Policy, command line, unattended setup
    • Better user interface
    • Boot-time protection
    • Multiple profile support: connected to corporate network vs. home
    • Enable file sharing on home networks with Windows Firewall on
  • Developer Impact
    • In-bound network connections not permitted by default
    • Dynamically enable ports as necessary, but only for as long as necessary; disable when done

  4. DCOM And RPC Changes (Network)
  • Goal and Customer Benefit
    • Reducing the DCOM / RPC attack surface exposed on the network
  • What We’re Doing
    • Require authentication on default interfaces
    • Enable programmatic ability to restrict RPC interfaces to the local machine only
    • Configuration of access and launch permissions for DCOM through the registry
    • Move most RPCSS code into a reduced-privilege process
    • Enable a customer-controlled option to require authentication to the endpoint mapper
    • Disable RPC over UDP by default
  • Developer Impact
    • Where appropriate, use the new RPC API to limit calls to the local machine
    • Ensure your application doesn’t require anonymous clients
    • Don’t use RPC over UDP

  5. Email Attachments (Email/IM)
  • Goal and Customer Benefit
    • Consistent system-provided mechanism for applications to determine unsafe attachments
    • Consistent user experience for attachment “trust” decisions
  • What We’re Doing
    • Create a new public API for handling safe attachments (Attachment Execution Services)
    • Default to not trust unsafe attachments
    • Outlook, Outlook Express, Windows Messenger, Internet Explorer changed to use the new API
    • Open / execute attachments with the least privilege possible
    • Safer message “preview”
    • Replaces AssocIsSafe()
  • Developer Impact
    • Use the new API in your applications for a better user experience and better determination of safe content

  6. Web Browsing (Web)
  • Goal and Customer Benefit
    • Ensure a safer web browsing experience
  • What We’re Doing
    • Locking down the Local Machine and Local Intranet zones
    • Improved notifications for running or installing applications and ActiveX controls
    • HTML files on the local machine will not be able to script unsafe ActiveX controls or access data across domains in the Local Machine Security Zone
    • Blocking unknown, unsigned ActiveX controls
    • Disarm cross-domain script attacks on APIs
    • Improved detection and handling of downloaded files through improvements to the MIME-handling code path
    • Files served with mismatched or missing MIME headers and file extensions may be blocked

  7. Web Browsing (Web)
  • What We’re Doing (continued)
    • Mitigate ActiveX reuse through potential limited control leashing and a more guided user experience
    • Limit UI spoofing
    • Pop-up windows will be suppressed unless they are initiated by user action
  • Developer Impact
    • Check for web application compatibility with the newer, safer browsing defaults
    • Identify whether controls are safe for scripting on the Internet, or if they can be more restricted

  8. Hardware Execution Protection (Memory)
  • Goal and Customer Benefit
    • Reduce exposure of some buffer overruns
  • What We’re Doing
    • Leverage hardware support in 64-bit and newer 32-bit processors to only permit execution of code in memory regions specifically marked as executable
    • Reduces exploitability of buffer overruns
    • Enabled by default on all capable machines for Windows binaries
    • Ensure application compatibility with NX for Longhorn
  • Developer Impact
    • Ensure your code doesn’t execute code in a data segment
    • Ensure your code runs under the PAE kernel, which execution protection requires on 32-bit systems even with <4 GB RAM
    • Use VirtualAlloc with PAGE_EXECUTE to allocate memory as executable
    • Test your code on 64-bit and 32-bit processors with “Execution protection” enabled

  9. Additional Enhancements In Windows XP SP2
  • Automatic Update
    • SP2 will make it more convenient for customers to enable Automatic Update for critical updates
  • SUS 2.0 client
    • Software Update Services 2.0 will use a consistent engine for reporting system state, reducing inconsistent results on security patch availability on a computer
  • Windows Media 9 Series Player
    • Enhanced performance and security improvements over prior versions

  10. Additional Enhancements In Windows XP SP2
  • DirectX 9.0b
    • Latest, most secure DirectX components, including fixes to address a network firewall change that impacts OEM pre-installs and DirectPlay
  • Bluetooth 2.0
    • Includes support for the latest version of Bluetooth 2.0, allowing customers to take advantage of the latest wireless devices
  • Unified Windows wireless LAN (WLAN) client
    • The new wireless LAN client will work with a broad range of wireless hotspots, enabling customers to connect seamlessly without having to install or update a third-party client

  11. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
