XP Service Pack 2: threat to civilization or great boon?
Presented by Mark Minasi
A7 level computer expert
http://www.minasi.com/sp2info/ for download
help@minasi.com
www.minasi.com

Slide 2: What is it
- Long-overdue SP2 for XP
- SP is mostly "SECURITY pack 2"
- Lots of cool new fixes also
- It's almost XP version 1.2
- But it may break a few apps, so let's get this over with:

Slide 3
FOR BETTER OR WORSE, MS HAS CHANGED THE DEFAULT SECURITY STANCE OF XP. THAT MEANS THAT SOME APPS WRITTEN BACK BEFORE CODERS CARED ABOUT SECURITY MIGHT NOT WORK ANY MORE.
IF YOU USE CUSTOM APPS OR REALLY OLD APPS THEN DO NOT ROLL OUT SP2 UNTIL YOU HAVE TESTED THEM ALL. (Yes, I am shouting.)

Slide 4: Outline - what we're gonna do
- Where to get SP2
- Security Center
- Data Execution Prevention
- TCP stack changes
- RPC, DTC, COM, WebDAV changes
- Bluetooth
- Wireless
- Outlook Express / Messenger
- Internet Explorer
- Windows Firewall
- USB Storage
- New group policies
- Installing and deploying SP2, future patches and Windows Update
- Miscellaneous new stuff
- Finding out more

Slide 5: Where to get it
- Easiest way is SUS - if you have a SUS server then it's already on there
- You can download it, but it's big (266 MB, 332 MB expanded), and throttled
- http://www.microsoft.com/technet/winxpsp2/
- Includes all patches up to MS04-25 (August security releases)
- MS has released an SP2 disk and encourages people to share it with friends and family

Slide 6: The Security Center - the first thing you (might) see
- The "Security Center"
- Basically it just notes whether you've got Automatic Updates on, an antivirus program installed, and the Windows Firewall on
- Tracks whether you're getting recent virus pattern files
- AV programs must be "Security Center aware"

Slide 7

Slide 8

Slide 9: The Security Center - "Waitaminute..."
- What's that you say, you didn't see the Security Center after SP2 installed?
- It's because you're a member of a domain
- You can turn it on with a group policy at Computer / Admin Templates / Windows Components / Security Center, "Turn on Security Center (Domain PCs only)"
- No GP setting to turn it off for non-domain PCs

Slide 10: Data Execution Prevention - what it is
- The really bad worms crawl in when a programmer creates an area in a program that's supposed to receive some kind of data, but the programmer forgets to check the amount of data
- If an attacker can insert an arbitrary amount of "data" - containing code! - into this buffer then the attacker can do really bad stuff
- DEP tries to make Windows see this and stop it
- How it does it is different on 32 and 64 bit systems
- THIS is the feature that made SP2 so big!

Slide 11: Data Execution Prevention - the 64-bit story
- 64 bitters (K8/Opteron and Itanium) have the ability to mark memory pages as "NX" or non-executable
- When someone does a buffer overflow attack, the pages are modified... but they can't run, so the worm stops!
- MAY involve some custom code changes
- Protects stack, paged pool, session pool

Slide 12: Data Execution Prevention - the 32-bit story
- Standard 32 bit processors lack NX support
- Instead, MS added code to the part of XP that executes code
- Anything trying to run out of the stack wakes up Data Execution Prevention
- Only works on OS apps by default, you can change that
- Clearly affects speed a bit

Slide 13: DEP control
- Control Panel / System / Advanced / Performance Options
- Top radio button is the default

Slide 14: TCP/IP Changes - restricting raw sockets
- "Raw sockets" let you hand-craft TCP, UDP and/or IP packets, letting you do things like lie about your address, or creating nonsensical flag combinations
- New restrictions: inbound raw sockets are unchanged, but outbounds are rejected if
  - It is TCP data
  - It is UDP data containing a return address that's not on the computer

Slide 15: TCP/IP Changes - restricted outbound connections
- SP2 refuses to create more than a particular number of incomplete outbound connections
- The reasoning is that the only kind of program that would try to do this is either a worm or a network scanner
- Generates a new event ID, 4226
- MS isn't telling how many, and this may cause security scanners to fail

Slide 16: TCP/IP Changes - 4226 Event
- Appears to be 10 connections
- Claims of a "TcpNumConnections" Registry hack are false; this cannot be disabled
- Answer (bad): replacement tcpip.sys: DO NOT DO THIS!

Slide 17: TCP/IP Changes - loopbacks
- The only loopback address that works now is 127.0.0.1
- In theory other addresses in the 127 network should work
- If you need it there's a patch on the KB

Slide 18: De-Anonymizing Communication
- Windows contains many ways for one application to talk to another application, whether the apps are in the same computer or in different computers
- Such conversations should require or encourage authentication, but they haven't always
- SP2 changes the Windows default stance to "you must authenticate"
- This can break some applications
- In general you can roll back to anonymous, but don't do it if you can avoid it

Slide 19: The Tools In Question
- Remote Procedure Call
- MS Distributed Transaction Coordinator
- Common Object Model (COM)
- Web Development and Versioning (WebDAV)

Slide 20: RPC Changes - may break an app or two
- Anonymous access to RPC disabled with new GP settings in Computer / Admin Templates / System / Remote Proc Call
  - Restrictions for Unauthenticated RPC clients
    - None = revert
    - Authenticated = default, allow exceptions
    - Authenticated no exceps. = HSP mode, no exceptions
  - RPC Endpoint Mapper Client Authentication
    - Enable (default) or Disable (like old XP)

Slide 21: DTC Changes - RPC's not the only one
- Distributed Transaction Coordinator blocks network transactions now by default
- SQL Server probably most common user
- To turn them back on, go to the Components snap-in, choose Properties on My Computer
- Click the MSDTC tab
- Click "Security Configuration"
- Enable "Network DTC Access"
- Enable inbound/outbound as appropriate

Slide 22: DTC Changes - Component snap-in

Slide 23: DTC Changes - My Computer Properties
- Right-click Properties in My Computer, get this dialog
- Click Security Configuration to continue

Slide 24: DTC Changes - where to turn on network access if needed
- (Network DTC Access is NOT enabled by default; it's on here just so you can see the options)

Slide 25: DTC Changes - Pre-SP2 dialog for comparison

Slide 26: COM Changes
- Same story, although the permissions look a mite different
- Go to Component Services and get Properties on My Computer again, but this time click "COM Security"
- A few dialogs...

Slide 27

Slide 28
- The four dialogs look like this - you now see local versus remote access split up.
- Do NOT loosen these permissions unless you need to, though!

Slide 29: WebDAV gets pickier
- WebDAV lets you treat Web folders and similar tools (Exchange HTTP, SharePoint, others) as a file sharing system over port 80
- SP2 disallows basic authentication over WebDAV
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD), set to 1 to revert to pre-SP2

Slide 30: Bluetooth Support
- XP incorporates BT support as vendor code did previously:
  - Personal Area Network (PAN) via My Bluetooth Places, creates IP stacks on BT
  - Bluetooth printer, keyboard, mouse
  - Sync BT PDAs
  - IP connectivity via BT phone or BT access point
- Somewhat better power management with USB BT adapters
- You will not get this support if you've got OEM drivers and support progs for your BT installed when you install SP2; you must have an SP2 BT driver

Slide 31: 802.1x Changes - general new stuff
- A new icon in the System Tray!
- Browsing for wireless nets is far easier
- You can choose a "favorite" SSID
- WPA patches now built in, client-side stuff for Wireless Provisioning Services (which won't work until 2003 SP1)
- Wireless Network Setup Wizard is a pretty neat way to easily configure WEP/WPA for clients in a small net

Slide 32: 802.1x Changes

Slide 33: New Item in Connection Pages
- "Notify me when this connection..." appears first in SP2
- Unchecking it can make the wireless net cards less irritating

Slide 34: Outlook Express
- A bit more "Listerine" (anti-viral) in this edition
- Blocks bad attachments
- Offers "plain text only" mode which is on by default
- By default does not download external HTML code or images to stop "beaconing"
- Attachments opened by the Attachment Execution Service (AES) (which does not appear to be a service), which unifies the attachment processing code - in any case, it's clearly smarter than just looking at the extension

Slide 35: Windows Messenger
- Here we're discussing the IM tool
- File transfers are blocked if
  - The file is of a "dangerous" type (KB 291369),
  - and the sender is not on your Contacts list
- Users must specify a display name that is not their e-mail addresses
- Don't forget to open a Messenger port in Windows Firewall, if it's enabled

Slide 36: Internet Explorer changes - overview (there are lots!)
- Popup killer
- Tons of new security stuff and tighter defaults
- Zone lockdown for "local machine" zone
- File and program download prompts are consistent now
- No IE 7.x slated... need SP2 to get these!

Slide 37: Internet Explorer - new uniform "may I install/run?" dialog

Slide 38: Internet Explorer - dialog expanded with publisher blocking feature!

Slide 39: Internet Explorer - new IE security features
- Add-on control
- Binary behaviors
- Local zone lockdown
- IE object caching
- Mime sniffing
- Scripted window restrictions
- These can all be disabled with GPs if necessary

Slide 40: Internet Explorer - add-on controls
- New dialog lets you see ActiveX controls and browser helpers ("add-ons")
- When a crash occurs, IE points to the add-on that it thinks caused it
- Shows either the currently loaded add-ons or all of the ones on the computer
- Lets you disable suspicious add-ons
- IE will not load signed objects with invalid signatures

Slide 41

Slide 42: Internet Explorer - Group Policy Control of Add-Ons
- Computer / Admin Templates / Windows Components / Internet Explorer / Security Features / Add-on Management
- "Add-on List" lets you either block or allow particular add-ons
- "Deny all add-ons unless specifically allowed in the Add-on List" makes the Add-on List an "only allowed add-ons" list

Slide 43: Internet Explorer - Blocking publishers with GP settings (1)

Slide 44: Internet Explorer - Blocking publishers with GP settings (2)
- Goals: first, block all add-ons except Macromedia Shockwave Player, then block only Macromedia Shockwave Player (MSP)
- First, we need the CLSID of MSP
  - Go to a page that downloads it
  - Click View/Source
  - Find "CLSID"
  - Copy the number that follows it, like "166B1BCA-3F9C-11CF-8075-444553540000"
  - Copy it somewhere convenient (Notepad perhaps)

Slide 45: Internet Explorer - Blocking publishers with GP settings (2a)
- Another way to find CLSID:
  - Find an SP2 system with the add-on in question
  - Tools / Manage Add-ons
  - Right-click any of the columns
  - In the resulting check box, check "Class ID"
  - You'll get the CLSIDs
  - Unfortunately you can't cut and paste them

Slide 46: Internet Explorer - Blocking publishers with GP settings (4)
- Now set IE to disallow all add-ons except the ones you approve
  - Open "deny all add-ons unless specifically allowed in Add-on list"
  - Click Enable
  - Click OK

Slide 47: Internet Explorer - Blocking publishers with GP settings (5)
- Next, add Shockwave to the "Add-on List," giving it the ability to run
  - Open "Add-on List"
  - Click "Enabled"
  - Click "Show" next to "Add-on List"
  - Click Add...
  - Add the CLSID surrounded by braces for the "name of the item to be added"

Slide 48: Internet Explorer - Blocking publishers with GP settings (6)

Slide 49: Internet Explorer - Blocking publishers with GP settings (7)
- Under "value of the item to be added," use
  - 0 = "do not run this add-on"
  - 1 = "allow this add-on to run"
  - 2 = "let the user choose"
- Result: Shockwave player will not load

Slide 50: Internet Explorer - Unblocking publishers with GP settings (8)
- To set IE so only MSP will not run:
  - Set "Deny all add-ons..." to disabled or not configured
  - Set "Add-on List" to Enabled
  - Add Shockwave's CLSID as before
  - Enter 0 for the value instead of 1

Slide 51: Internet Explorer - Binary Behaviors and Local Zone
- "Binary behaviors" is a class of script-like things that were being used maliciously
- GPOs now let you block them on particular sites
- IE used to assume that files on the local hard disk were safe and put them in "local zone"
- Now the Information Bar shows you what a local file wants to do and gets your okay

Slide 52: Internet Explorer - IE Object Caching
- Previously, one Web page could cache an object and a different Web page could access that object
- Led to some sneaky two-part attacks
- Won't work under SP2's IE

Slide 53: Internet Explorer - Mime Sniffing
- Related to Attachment Execution Service
- Doesn't necessarily believe a file's extension
- Looks in the file to see if it could be what it says it is
- Blocks the file and warns you if it seems uncertain

Slide 54: Internet Explorer - Scripted Windows Security Restriction
- Another set of security improvements
- Keep pop-up windows from
  - Positioning status bar, title bar, address bar off-screen
  - Moving themselves entirely off-screen
  - Removing the status bar, title bar, address bar to become "chromeless" windows
  - Completely covering their parent window
  - popups must live inside the parent's chrome

Slide 55: Internet Explorer - Pop-up Blocker
- Quite nice and much-needed
- Includes the "information bar" which lets you bring back a blocked pop-up
- Information bar also serves as the prompt for installing ActiveX controls
- Can create a "white list" of sites to allow pop-ups in
- Doesn't block many scripted pop-ups unfortunately

Slide 56

Slide 57

Slide 58: Internet Explorer - group policies
- In SP1, IE had 9 GP settings in the Computer Configuration node
- SP2 has over 600
  - Hide items in IE
  - Pop-up control
  - Turn on/off window restrictions, mime sniffing, binary behavior, etc
  - Control security settings for each Internet zone
- Looking at your IE options will keep you pretty busy as you roll out SP2!

Slide 59: Windows Firewall - XP and 2003's Windows Firewall
- Pre-SP2 systems call it "Internet Connection Firewall"; now renamed "Windows Firewall"
- Main items:
  - Now starts up before the TCP/IP stack
  - On by default when SP2 deployed
  - Configurable from GUI, CLI, GPO
  - No effect on being a domain member
  - Will break most remote admin tools
  - Separate inside/outside domain rules possible

Slide 60: Windows Firewall - the basics
- If you already have a personal firewall then you probably don't need this
- Only blocks incoming, uses stateful packet inspection - in other words, it only allows packets in that are responses to requests
- Permits you to open particular incoming ports
- Has been off by default... but XP SP2 enables it

Slide 61: Windows Firewall - how do I know if it's on?
- From the GUI:
  - Control Panel / Network Connections
  - Right-click any adapter, choose Properties, then Advanced, then "Settings" under Windows Firewall

Slide 62: Windows Firewall - how do I know if it's on?
- From a command line: netsh firewall show state
- Add enable for verbose output

    C:\>netsh firewall show state
    Firewall status:
    -------------------------------------
    Profile = Standard
    Operational mode = Enable
    Exception mode = Enable

Slide 63: Windows Firewall - how do I turn it on?
- From the GUI, or from the command line with netsh firewall set opmode enable or netsh firewall set opmode disable
- From GPs at Computer Configuration / Admin Templates / Network / Network Connections / Windows Firewall / profilename, "Windows Firewall: Protect all network connections"

Slide 64: Windows Firewall - how can I turn it on?
- One more way: netfw.inf
- Appears on an SP2 CD, a new install CD, or (once installed) in \Windows\INF
- You can change it and type netsh firewall reset to see the changes take effect
- See "Using the Windows Firewall INF File in Microsoft Windows XP Service Pack" for more info

Slide 65: Windows Firewall - global settings - set one, you set 'em all
- Turning on the firewall on one NIC turns it on (or off) for all NICs
- This can be annoying (e.g. with VMWare's virtual network adapters)
- Answer: in the firewall dialog, go to Advanced and un-check boxes for whatever NICs you want to disable separately
- I don't know of a GPO or CLI way

Slide 66: Windows Firewall - Disabling WF on one adapter

Slide 67: Windows Firewall - making WF behave differently inside and outside the office
- Wouldn't it be great if you could turn the firewall off when inside your intranet, but on when traveling?
- Answer: two "WF profiles," "domain" and "standard"
- Domain applies when your system is logged onto a domain, standard otherwise

Slide 68: Windows Firewall - how does it know which profile to use?
- Your computer remembers the DNS suffix of the NIC from which it got its last group policy info
- It looks at every active NIC's NIC-specific DNS suffix (except SLIP/PPP connections)
- If any match the DNS suffix from that last-GPO-receiving NIC, then you're in Domain mode; otherwise, it's Standard

Slide 69: Windows Firewall - using profiles from the command line
- To turn it on outside the firewall but off inside:
    netsh firewall set opmode mode=disable profile=domain
    netsh firewall set opmode mode=enable profile=standard
- To find out what mode WF thinks it's in:
    netsh firewall show state

Slide 70: Windows Firewall - do I want it on or off?
- To understand that, let's talk about how it works
- Remember, it doesn't block outgoing stuff and allows incoming stuff as long as it's a response to something that you asked for
- As your workstation initiates logons, no problem.
- Ditto for group policies, roaming profiles, etc - it's all client-initiated

Slide 71: Windows Firewall - do I want it on or off?
- If connected directly to the Internet: yes, you want it on
- If in a domain as a domain client...
  - As a client, no bad effects
  - But as a server?

Slide 72: Windows Firewall - think your XP box isn't a server?
- Do you...
  - Want to ping it
  - Control a remote PC with Manage Computer
  - NET USE to C$ or any other NET USEs
  - Share your printer
  - Run any "remote-able" command like systeminfo.exe or exec.vbs
  - Control it with Remote Desktop or Remote Assistance or VNC or SMS etc
  - Run Web, mail, news etc server software

Slide 73: Windows Firewall - MMCs that won't work w/o port 445 opened
- Certificates
- Computer Mgmt
- Device Manager
- Disk Management
- Event Viewer
- Group Policy
- RSOP
- Indexing Service
- IP Security Monitor
- IPSec policy
- Local users & groups
- Removable Storage
- Services
- Shared Folders
- WMI Control
- File sharing
- Note that if you open 445, then ping echoes are enabled automatically

Slide 74: Windows Firewall - solving the remote admin problem
- Skip all remote control
- Turn off the firewall for domain members
  - This presents problems for mobile PCs (when to turn it back on?) and when new worms get in
- Open the ports that you'll need for remote control
  - But understand that future worms may crawl in this way
  - And it's not always clear what port #s to open

Slide 75: Windows Firewall - how to open ports
- Opened ports are called "exceptions"
- Create them:
  - From the GUI "Exceptions" tab
  - From the command line
  - From a group policy setting
  - Allow a particular program to open whatever ports it wants

Slide 76: Windows Firewall - Exceptions GUI-style

Slide 77: Windows Firewall - more detail on exceptions and profiles under CLI
- Controlling on/off, exceptions and profiles:
  - On/off: set opmode enable/disable
  - netsh firewall set opmode enable
  - Options: exceptions=enable/disable, profile=domain/standard; to use them either put them in order, or use mode=, exceptions=, profile=; examples:
  - netsh firewall set opmode enable enable standard OR...
  - netsh firewall set opmode mode=enable exceptions=enable profile=standard

Slide 78: Windows Firewall - creating exceptions with the CLI
- netsh firewall set icmpsetting type 8
  enables all ICMP echoes
- netsh firewall add portopening tcp 1433 sql enable subnet
  opens 1433 just to the local subnet
- netsh firewall add portopening tcp 1433 sql enable custom 4.0.0.0/24,10.0.0.0/255.255.0.0,subnet
  opens 1433 just to the C net starting at 4.0.0.0, the B net starting at 10.0.0.0 and the local subnet

Slide 79: Windows Firewall - controlling with group policies
- All in Computer / Admin Templates / Network / Network Connections / Windows Firewall
- "Protect all network connections:" turns firewall on/off for all network connections
- "Do not allow exceptions:" close all ports
- "Define program exceptions:" specify programs which can open ports
- "Allow local program exceptions:" let local admin add program exceptions or not (can by default)

Slide 80: Windows Firewall - controlling with group policies
- "Allow Remote Administration Exception:" open 135 and 445, enable ping echo, enables most remote admin tools - most RPC, DCOM, WMI stuff works with this
- This is a bit scary, but consider that you can be very specific about whom to accept traffic from
- "Allow File/Print:" open UDP 137&138, TCP 139&445, allow ping echoes

Slide 81: Windows Firewall - controlling with group policies
- "Allow ICMP Exceptions:" specify what you can do with ping and other ICMP tools. Note you cannot limit this to a set of addresses
- "Allow Remote Desktop Exception:" open 3389, Remote Assistance works also
- Allow UPnP Exceptions: don't use
- Prohibit Notifications: when you allow a program to open ports, it notifies you unless you use this policy setting

Slide 82: Windows Firewall - controlling with group policies
- "Allow Logging:" turns on an ASCII log
- "Prohibit Unicast Response..." your system does a multicast or broadcast, and another system produces a unicast response - does Firewall drop it? By default it will permit the response, as long as it occurs within 3 seconds of the broadcast. Recommend you leave it alone, as it keeps NetBIOS name conflict detection from working

Slide 83: Windows Firewall - controlling with group policies
- "Define Port Exceptions:" custom setting for rolling your own port opening
- "Allow Local Port Exceptions" lets a local admin open extra ports; they can't by default

Slide 84: Windows Firewall - a note on using GPs
- As these new GP settings don't exist in earlier OSes, you've got to be careful how you create them
- Create and modify any WF-related GPOs from an XP workstation with SP2 on it
- Or look at KB 842933 for a patch for 2K, 2003

Slide 85: Windows Firewall - gpo settings

Slide 86: Making USB drives read-only
- You can cause an SP2 system to refuse to write to any USB drive (external drive, memory stick, thumb drive, etc)
- Good in places where you use USB storage devices but do not want people to transfer stuff from their computer to a USB device
- HKLM\System\CurrentControlSet\Control\StorageDevicePolicies, Reg_DWORD WriteProtect = 1 to enable, =0 to disable
- Note you must create the entry and the key!
- No reboot necessary, read when you attach to USB

Slide 87: Group Policies
- MS claims 609 new policies, seems like more
- Most are modifications of existing ones or new IE settings (619 IE settings!)
- Full list at www.microsoft.com/downloads, search for "policysettings.xls"
- Also ... big bonus ... the spreadsheet links each policy to its Registry entry!

Slide 88: Internet Comm. Settings - greatly reducing the unauthorized Net browsing

Slide 89: They Seem To Mean it...
- "New Hardware" asks before it phones home

Slide 90: Installing SP2 - notes
- Again, please test apps before a big rollout
- Remove bluetooth drivers and OEM support programs to get SP2's bluetooth tools
- Laptops must be on AC or SP2 won't load

Slide 91: Installing SP2 - rollout options
- SUS or SMS are probably the best way to do it
- But you can also slipstream, as before
- Or roll out with a software installation group policy to \i386\update\update.msi
- Or do unattended from the command line
- Defaults to creating backup files and waiting for you to tell it to reboot

Slide 92: Installing SP2 - new command-line switches for the package
- /quiet (doesn't ask any questions, no display)
- /passive (unattended with a progress bar)
- /n (do not create backup for uninstall)
- /o (overwrite newer OEM files w/o prompt)
- /f (force apps closed when rebooting)
- /forcerestart and /norestart control reboot
- /uninstall (starts uninstalling)
- -x (extract files to a directory)
- /l (list installed updates/hotfixes)
- /integrate:fullpath slipstreams
- /d:path place to put back up files

Slide 93: Installing SP2 - example command line
- update /n /passive /forcerestart
- Says not to back up (if you trust SP2) - greatly speeds up an SP2 install
- Also says to show the progress bar, then reboot automatically

Slide 94: Installing SP2 - the new way to install patches
- New update.exe and Installer 3.0 lets you install patches out of order without problems
- If you install a patch that's older than SP2 (or whatever SP you have) then it's ignored; otherwise it's installed
- In theory every patch supports the same command-line options as SP2!
- That means you can now slipstream (now "integrate") patches

Slide 95: Troubleshooting SP Installs
- Once in a while, an updated driver will cause an OS to bluescreen
- Answer #1: it's always a good idea to refresh your drivers before installing an SP, and reboot before installing an SP
- Answer #2: if you retained uninstall information for your SP (or any other), then just run the "uninstall the SP" batch file

Slide 96: Where's That?
- In the Windows\$NTServicePackUninstall$\spuninst directory, which is hidden and read-only
- File's name is spuninst.txt, rename to .bat
- Run the batch file
- This will run fine from Recovery Console

Slide 97: Windows Update Client - improvements you can use now
- Can designate how often to look for patches
- Doesn't treat Admin users differently any more
- Patches that don't require a reboot can be applied immediately, optionally
- Client prioritizes downloads
- Client now scriptable
- BITS now includes more bandwidth throttling, is more efficient on restart

Slide 98: Windows Update Client - benefits that need WUS
- Can designate groups that only get a subset of patches
- Includes support for patches for Office, SQL, Exchange, ISA etc (once MUS/WUS appear)
- You can filter critical/non-critical

Slide 99: Simplifying Add/Remove Programs - removing the patch clutter
- Now that patches appear in Add/Remove Programs, it can be cluttered; a new check box filters them out by default:

Slide 100: Miscellaneous
- Messenger and Alerter services are off
- If you uninstall SP2 then you lose your Media Player licenses
- DirectX 9.0 installed
- Installer includes a patch compress option
- At.exe can no longer schedule remote computers unless at.exe runs on an SP2 box
- Tablet PC non-security-related enhancements

Slide 101: Get ALL The Details
- Eight Word documents at http://go.microsoft.com/fwlink/?LinkId=28022
- Complete details, more Registry keys, etc
- The group policy spreadsheet is at http://go.microsoft.com/fwlink/?LinkId=28031

Slide 102: Thanks!
- I hope this was useful and not Too Much Information, thanks for spending some time with me!
- My AD & Security seminars come to Mahwah, NJ November 8-10
- You can find my newsletters and seminar information at www.minasi.com; there is a free support forum there as well
- Don't forget the evals; enjoy the rest of the show
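
The port-opening scopes from slide 78, as an added example that is not part of the original slides: a Python model that parses the positional "netsh firewall add portopening" form and reports which source addresses an exception admits, so a scope string can be checked before it is rolled out. The local subnet 192.168.5.0/24 and the names parse_portopening and allows are assumptions for illustration; the code models the scope rules as the slide describes them and does not query a real firewall.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# "subnet" is the spelling used on the slide; netsh also accepts LocalSubnet.
LOCAL_KEYWORDS = {"subnet", "localsubnet"}


@dataclass
class PortOpening:
    protocol: str
    port: int
    name: str
    enabled: bool = True                # netsh default when mode is omitted
    scope: str = "all"                  # all | subnet | custom
    networks: list = field(default_factory=list)
    include_local: bool = False         # custom list named the local subnet


def parse_portopening(command):
    """Parse 'netsh firewall add portopening <proto> <port> <name>
    [mode] [scope] [addresses]' in the positional form the slide uses."""
    words = shlex.split(command)
    if [w.lower() for w in words[:4]] != ["netsh", "firewall", "add", "portopening"]:
        raise ValueError("not a 'netsh firewall add portopening' command")
    args = words[4:]
    if not 3 <= len(args) <= 6:
        raise ValueError("expected 3 to 6 positional arguments")
    protocol = args[0].lower()
    if protocol not in ("tcp", "udp", "all"):
        raise ValueError("protocol must be tcp, udp or all")
    port = int(args[1])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    rule = PortOpening(protocol, port, args[2])
    if len(args) > 3:
        mode = args[3].lower()
        if mode not in ("enable", "disable"):
            raise ValueError("mode must be enable or disable")
        rule.enabled = mode == "enable"
    if len(args) > 4:
        rule.scope = args[4].lower()
        if rule.scope not in ("all", "subnet", "custom"):
            raise ValueError("scope must be all, subnet or custom")
    if rule.scope == "custom":
        if len(args) < 6:
            raise ValueError("custom scope needs an address list")
        for entry in args[5].split(","):
            if entry.lower() in LOCAL_KEYWORDS:
                rule.include_local = True
            else:
                # Accepts a.b.c.d, a.b.c.d/prefix and a.b.c.d/dotted-mask.
                rule.networks.append(ipaddress.IPv4Network(entry, strict=False))
    elif len(args) == 6:
        raise ValueError("an address list is only valid with custom scope")
    return rule


def allows(rule, source, local_net):
    """True if an unsolicited inbound packet from `source` reaches the port.
    `local_net` is the machine's own subnet (an assumption passed in)."""
    if not rule.enabled:
        return False
    src = ipaddress.IPv4Address(source)
    local = ipaddress.IPv4Network(local_net)
    if rule.scope == "all":
        return True
    if rule.scope == "subnet":
        return src in local
    return any(src in net for net in rule.networks) or (
        rule.include_local and src in local)


# Commands from the slide; the local subnet below is constructed sample data.
SLIDE_SUBNET = "netsh firewall add portopening tcp 1433 sql enable subnet"
SLIDE_CUSTOM = ("netsh firewall add portopening tcp 1433 sql enable custom "
                "4.0.0.0/24,10.0.0.0/255.255.0.0,subnet")
LOCAL_NET = "192.168.5.0/24"

if __name__ == "__main__":
    rule = parse_portopening(SLIDE_CUSTOM)
    for src in ("4.0.0.77", "4.0.1.1", "10.0.200.5", "10.1.0.1",
                "192.168.5.9", "8.8.8.8"):
        print(src, "allowed" if allows(rule, src, LOCAL_NET) else "dropped")
```
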