Changes in Windows XP Service Pack 2 7/2004 [email protected]


Enhancements in XP SP2
- Network Protection
- Memory Protection (compatible CPUs)
- Safer E-mail handling
- Enhanced Browsing Security
- Improved Computer Maintenance

Services Disabled by Default
- Messenger Service
- Alerter Service

Updated / Modified Applications
- Windows Media Player upgraded to v9
- Windows Messenger security enhancements:
  - blocks unsafe file transfers
  - required user display name (different from e-mail address)
  - ports need to be opened through firewall
- Outlook Express – plain text mode, more
- Windows Installer v3.0

RPC / DCOM, other Changes
- Anonymous RPC calls no longer allowed
- DCOM computer level ACL
- Configurable via Registry key
- Better support for Bluetooth wireless devices

Major changes
- Firewall turned on by default
- IE Pop-Up blocker
- IE runs in restricted mode
- Installed patches not displayed by default (enabled via registry key)

Firewall
- Definition: electronic blocking mechanism that will not allow unauthorized intruders into a computer system
- The firewall in Windows XP will not block any traffic originated on the local system.

Quick Survey
- Black Ice?
- ZoneAlarm?
- Symantec Firewall?
- Tiny?
- Other?
SCS Computing Facilities will support the firewall bundled with WinXP SP2

Methods for configuring the Windows Firewall in XP-SP2
- Group Policy
- .Inf file bundled with setup
- Manual configuration
- Netsh command line tool
  Example: netsh firewall show state

Group Policy Settings
- GPO will be linked to the three Organizational Units where computers reside
- Contains settings that allow the standard SCS Windows environment to function:
  - Backup Agents (local network scope)
  - Windows File Sharing (local network scope)
  - Remote Administration (Hyena), WMI (local network scope)
  - Common Internet Services (HTTP, FTP, Telnet, SSH)
- Additional exceptions will be configurable by user

Group Policy Details
- Ports:
  - 7 (Echo)
  - 6050 (Arcserve Client Agent)
  - 497 (Retrospect Client Agent)
  - 1977 (TiBS Client Agent)
  - 6000, 177 (udp) (X-Win32)
  - 3389 (Remote Desktop)
- Windows File Sharing (NetBios Ports)
- Remote Management (WMI Ports)
- All ICMP Traffic

Configuring Exceptions

Configuring Exceptions #2

Configuring Exceptions #3
- Add a text description and specify port

Dynamic additions of exceptions
- Add an exception to the firewall when a newly installed application wants to listen on a port.

SCS Subnets – Local Scope
- 128.2.178.0/23 (255.255.254.0)
- 128.2.180.0/22 (255.255.252.0)
- 128.2.184.0/21 (255.255.248.0)
- 128.2.192.0/19 (255.255.224.0)
- 128.2.242.0/24 (255.255.255.0)
- 128.2.254.0/24 (255.255.255.0)
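The following is an added example, not part of the original slides. It ties the Netsh method to the local-scope subnets: it checks each subnet against its listed mask, tests whether a source address falls inside the local scope, and builds `netsh firewall add portopening` commands for the backup-agent ports. TCP for those ports is an assumption (the slides give no protocol), and the function names are illustrative.

```python
import ipaddress

# Local-scope subnets and masks as listed on the "SCS Subnets" slide.
SCS_SUBNETS = [
    ("128.2.178.0/23", "255.255.254.0"),
    ("128.2.180.0/22", "255.255.252.0"),
    ("128.2.184.0/21", "255.255.248.0"),
    ("128.2.192.0/19", "255.255.224.0"),
    ("128.2.242.0/24", "255.255.255.0"),
    ("128.2.254.0/24", "255.255.255.0"),
]

# Backup-agent ports from the "Group Policy Details" slide.
# Assumption: TCP; the slide does not state a protocol for these ports.
BACKUP_AGENTS = [
    (6050, "TCP", "Arcserve Client Agent"),
    (497, "TCP", "Retrospect Client Agent"),
    (1977, "TCP", "TiBS Client Agent"),
]


def local_scope():
    """Parse the subnets, rejecting any entry whose mask and prefix disagree."""
    nets = []
    for cidr, mask in SCS_SUBNETS:
        net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
        if str(net.netmask) != mask:
            raise ValueError(f"{cidr} does not match mask {mask}")
        nets.append(net)
    return nets


def in_local_scope(addr):
    """True if addr would match an exception limited to the local scope."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_scope())


def netsh_commands():
    """One 'netsh firewall add portopening' line per port, scoped to the SCS subnets."""
    addresses = ",".join(str(net) for net in local_scope())
    return [
        f"netsh firewall add portopening protocol={proto} port={port} "
        f'name="{name}" mode=ENABLE scope=CUSTOM addresses={addresses}'
        for port, proto, name in BACKUP_AGENTS
    ]


if __name__ == "__main__":
    print("\n".join(netsh_commands()))
```

The printed commands are meant for review before being run on an XP SP2 host; `netsh firewall show state` then confirms what was applied.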

Pop-Up Blocker
Pop-up Blocker can be enabled by three different methods:
- Prompt at first occurrence: A prompt appears before the first pop-up window appears that asks the customer to enable Pop-up Blocker.
- The Tools menu: In Internet Explorer, on the Tools menu, click Pop-up Blocker, and then click Block Pop-up Windows.
- Internet Options: In Internet Explorer, on the Tools menu, click Internet Options, click the Privacy tab, and then click Block pop-up windows. You can then click Options to configure Pop-up Blocker settings.

IE Restrictions
Configurable via Group Policy (TBD)
- Binary Behavior Security Restriction
- MK Protocol Security Restriction
- Local Machine Zone Lockdown
- Consistent Mime Handling
- Mime Sniffing Safety Feature
- Object Caching Protection
- Popup Management
- Scripted Window Security Restrictions
- Protection From Zone Elevation
- SecurityBand
- Restrict ActiveX Install
- Restrict FileDownload

IE prompt when downloading files, adding ActiveX controls, etc.
- Information Bar: used to bypass default settings in order to download files (AES), display pop-up windows, run unsigned scripts, etc.

Tools for troubleshooting
- Port Reporter Tool – useful for determining additional ports that may need to be opened.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;837243
- Firewall Log: %systemroot%\winnt\win FW.log

Additional Reading
- Details on changes
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en
- Manually configuring the Firewall
  http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

Questions?

Fall 2004 - Software Changes
- New Kerberos ticket manager (Kfw)
- Updated versions of WinZip, Mozilla, XWin32, OpenAFS (integrated with Kfw)