Windows XP SP2 RC1 released



FoBoT
03-19-2004, 04:16 PM
for anybody that needs to test it - linked - info and download (http://www.microsoft.com/SP2Preview)

here is a commentary from an MS employee:

This is not simply a service pack - this is a new product.
There is so much security hardening that has gone into Windows XP SP2 (via the myriad 'springboard technologies' you may have heard about) that I can (and have) spent hours talking about it.

We will probably have a 150+ page whitepaper available for download on that same web site which goes into detail about these security hardening improvements but I'll summarize them briefly:

Network protection technologies
1. DCOM hardening - anonymous DCOM is no longer allowed (this would have mitigated MS03-026 a.k.a. 'Blaster')
2. RPC hardening - anonymous RPC is no longer allowed (this would have mitigated it as well I believe).
These two things are going to break apps - but for the sake of much improved / needed security. Start testing NOW.
3. Windows Firewall (the artist formerly known as ICF). This new firewall has so many improvements I could talk about it for 20 minutes straight. It is more intelligent, can be deployed more intelligently through group policy, when applications start that bind to a port it can prompt the user whether they want to allow this behavior or continue blocking it, etc.

Memory protection technologies
1. Large portions of critical OS infrastructure have been compiled with the /GS switch (our stack smashing protection that raises the bar on shellcode authors). There has been a whitepaper written on how to circumvent this in some cases so this is not completely foolproof.
2. NX support - The AMD Opteron and forthcoming Intel Xeon with x64 extension CPUs support a new setting called 'NX' which allows software developers to mark ranges of memory as read / write only (NX == no execute). We have compiled XP SP2 with full support for NX technology which by default marks the stack and the heap as NX, so at a hardware level it will be impossible to run shellcode from an overflowed buffer. AWESOME! I don't think anyone will be circumventing this anytime soon.

Safer Browsing technologies
Again there is so much IE hardening going on it would take a long time to explain but we've got:
1. Built-in pop-up blocker.
2. New per-zone security settings pertaining to binary behaviors / java / activeX
3. New local machine zone hardening (local machine zone is the most trusted zone and the target of most IE exploits)
4. New add-on management (new UI that allows you to control what runs inside of IE, i.e. browser helper objects, browser extensions, activeX controls etc.). There was no central UI for this before (other than the registry) but there is now.

Safer e-mail technology
1. Outlook Express now defaults to reading all e-mail in plain-text so HTML email is not rendered.
2. Even if you decide to render the email as HTML it won't run any external HTML content by default (user has to click again if they want to do that) (this prevents web bugs etc.)

New Security Center
So the new security center is an applet in control panel that allows you to configure the 'big 3' settings (Firewall, Automatic Updates and Antivirus) and it yells at you via negative feedback (balloon pop-ups) if you don't have all 3 of these configured appropriately. It integrates these 3 settings into one central UI and makes it vastly easier for moms and pops to get secure and stay secure.

New Automatic Update client
The new AU client is vastly improved as well; you can select which updates you want to install and which ones you don't, as well as having improved UI that allows for better descriptions of what each update is that was downloaded. In addition, if the user chooses not to install the updates, when they go to shut down the machine, the new default is that they will be installed prior to shutdown (user can opt out).

I could go on and on - the net net is that everyone running Windows XP SP2 should seriously consider installing this release candidate; I'm installing it on all of my machines and my relatives' machines.

When you port-scan an SP2 box with the firewall disabled it only listens on 3 TCP ports now (135, 139, 445) and 2 UDP ports (123, 137) due to a lot of the old / legacy services (like messenger / alerter) and other services (universal plug and play) being set to manual / disabled by default now.

This is a significantly reduced attack surface and gets us a bit closer to where some think we should be (0 ports listening by default). We're not there yet but we're getting there and this is a lot better than SP1.

Also remember that 135 (the RPC EPM) now requires AuthN before accepting packets with payload so even though it's exposed it has been hardened significantly.

Also I verified that the new initial OOBE only asks you to enable the automatic update client, even if you take the red pill (choose 'no') the box is still firewalled when you login for the first time after installing the service pack (even if the box was NOT firewalled before the upgrade).
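
As an added example (not from the thread or from Microsoft), a Python check that parses Windows `netstat -ano` output and compares the sockets that accept inbound traffic against the five default listeners the post reports for an SP2 box with the firewall off (TCP 135/139/445, UDP 123/137). The netstat lines, addresses, PIDs and the extra 1900/5000 listeners are constructed for the example.

```python
"""Audit a Windows netstat listing against the XP SP2 default listener set."""
import re

# Default listeners the post reports for SP2 with the firewall disabled.
SP2_BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                ("UDP", 123), ("UDP", 137)}

# Constructed sample in the layout of `netstat -ano`; hosts, PIDs and the
# TCP 5000 / UDP 1900 lines are invented to stand in for a leftover service.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1268
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.5:51022      ESTABLISHED     1120
  UDP    0.0.0.0:123            *:*                                    1044
  UDP    0.0.0.0:1900           *:*                                    1268
  UDP    192.168.1.20:137       *:*                                    4
"""

# proto, local address, local port, foreign address, then state (TCP) or PID (UDP)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?")


def listening_ports(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic.

    TCP counts only in LISTENING state; every bound UDP socket counts,
    because UDP has no connection state to filter on.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or something that is not a socket row
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def compare_to_baseline(netstat_text, baseline=SP2_BASELINE):
    """Ports open beyond the baseline, and baseline ports that are not open."""
    found = listening_ports(netstat_text)
    return {"unexpected": sorted(found - baseline),
            "missing": sorted(baseline - found)}


if __name__ == "__main__":
    report = compare_to_baseline(SAMPLE_NETSTAT)
    for proto, port in report["unexpected"]:
        print(f"extra listener beyond SP2 baseline: {proto}/{port}")
    for proto, port in report["missing"]:
        print(f"baseline port not listening: {proto}/{port}")
```

An extra listener is worth tracing back to its PID; a missing one is expected when the firewall or a service such as NetBIOS has been turned off.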

Darkness Productions
03-19-2004, 05:03 PM
Duh... You'd think that these were disabled by default...


Originally posted by FoBoT

Network protection technologies
1. DCOM hardening - anonymous DCOM is no longer allowed (this would have mitigated MS03-026 a.k.a. 'Blaster')
2. RPC hardening - anonymous RPC is no longer allowed (this would have mitigated it as well I believe).
These two things are going to break apps - but for the sake of much improved / needed security. Start testing NOW.

Paratima
03-19-2004, 09:44 PM
Thanks for the post, FoBoT! Very timely info. :thumbs:

PY 222
03-19-2004, 10:30 PM
Question!

Should we deploy SP2 in a production environment or wait till it is 'really' ready?

You know, stuff from Microsoft! :rolleyes:

matrix_fan
03-19-2004, 10:40 PM
1, and ONLY 1 question. Will this screw up ANY of my apps/not make them work/ not let them run?

FoBoT
03-19-2004, 10:55 PM
you need to test it

it will stop some "insecure" applications from running, that is the purpose of closing many of the security holes in the first place

this is "RC1", release candidate 1; it is for testing, not putting onto your only/home computer

matrix_fan
03-19-2004, 11:05 PM
insecure meaning open-source programs such as GAIM and... DC++? I wonder if there's an uninstall for SP2?

PCZ
03-20-2004, 10:27 AM
"Safer e-mail technology
1. Outlook Express now defaults to reading all e-mail in plain-text so HTML email is not rendered.
2. Even if you decide to render the email as HTML it won't run any external HTML content by default (user has to click again if they want to do that) (this prevents web bugs etc.)"

Spammers aren't going to like that :D


273 MB, that's not a service pack, it's a new OS :rolleyes:
downloading now

IronBits
03-20-2004, 01:22 PM
Originally posted by matrix_fan
I wonder if there's an uninstall for SP2?

Burn an .ISO of your HDD to a spare HDD before you install. Best backup I know of :D

matrix_fan
03-20-2004, 02:05 PM
downloaded once: corrupted
downloaded twice: 48%