SP2 arguments

[gsellis]

Hey guys, going through a moment of enterprise style management and have had them set aside deploying SP2. Now before some of you answer, know that our SP1 OS goes out patched to about one level of vulnerabilities back (July). It comes up safe. Too safe, as it almost promotes that we can wait longer.

The only compelling arguments I have is that DCOM and RPC are restructured to be less vulnerable that the patched versions in SP1 (Sasser used this vector). NX is a non-player as we do not have any hardware on the desktop level that can run in NX mode or the Intel equivalent. I can say that IE has a fairly good popup blocker (as opposed to a user trying to install a custom toolbar and potentially loading an adware version.) That will be something that sr mgmt can smell and touch. The firewall is a non-player as we have a better solution (CSA) rolling at the same time.

Have any of you other enterprise ATers come up with some better stuff?

Yes, I know all about the IE, OE, etc., updates. I had to write a white paper on it boiling the MS docs into manager speak.

Here are the arguments from that doc
? Improving the software firewall that is in the base XP to help reduce the network vulnerabilities.
? Adding better restrictions to what can be run without a user?s or administrator?s consent, disallowing control-less IE windows, and adding pop-up blocking to improve the user experience.
? Better defining memory segregation to prevent instructions running in data locations as would occur with a buffer over-run condition.
? Adding better protection for Outlook Express and Messenger, but we do not general use those applications at xxxxx.

? Internet Explorer Add-on Management ? provides control of plug-in components to help resolve crashes created by add-on controls.
? Internet Explorer Add-on Crash Detection ? helps isolate which component may be causing IE to crash.

 

[stash]

There's over 600 new group policy settings in SP2.

 

[gsellis]

Originally posted by: STaSh
There's over 600 new group policy settings in SP2.

🙂 Yes there are. And you can load CER 2.0 better too. Fortunately, we have been able to keep a handle on those that felt we should use the GPO to control the little stuff (when there were only 1000+). Hey, and they finally came out with a meaningful excel doc that documented them.

Thanks STaSH. I was hoping you would respond (and a couple of others).

 

[drag]

I am pretty sure there are numerious patches and fixes for the system and for IE that Microsoft does not make aviable to any Pre-SP2 computers.

At my work they minimize risk by having all web access to thru a proxy filter. Having people use up to date firefox browsers when they need to go out. They use thunderbird email clients, only one guy is allowed to use outlook and that's because he recently got aquired from another company and is fairly big-wig.

There are strong network-based defenses. Such as agressive scanning for spam and anti-virus filtering for all incomming and outgoing mail. (_think_ they use sendmail). Also I mentioned the proxy for web browsing. All videos and images sent thru e-mail are automaticly stripped or at least blocked from ever reaching any of the employees. Multiple firewalls. Computers that act up or do something strange are automaticly locked off of the network.. for instance a couple weeks ago there was a new e-mail worm released on monday and before the clam-av had a chance to be updated with the new definitions (daily automated updates) one email got thru and they called the network guy saying that he had a strange attatchment in the e-mail. The computer was immediately kicked off of the network, had a scan done on it from 'live cd' tools and a few other things before it was allowed back on. (they can't block all attatchments due to the nature of the business requires it.)

So on and so forth.

 

[gsellis]

Originally posted by: drag
I am pretty sure there are numerious patches and fixes for the system and for IE that Microsoft does not make aviable to any Pre-SP2 computers.

At my work they minimize risk by having all web access to thru a proxy filter. Having people use up to date firefox browsers when they need to go out. They use thunderbird email clients, only one guy is allowed to use outlook and that's because he recently got aquired from another company and is fairly big-wig.

There are strong network-based defenses. Such as agressive scanning for spam and anti-virus filtering for all incomming and outgoing mail. (_think_ they use sendmail). Also I mentioned the proxy for web browsing. All videos and images sent thru e-mail are automaticly stripped or at least blocked from ever reaching any of the employees. Multiple firewalls. Computers that act up or do something strange are automaticly locked off of the network.. for instance a couple weeks ago there was a new e-mail worm released on monday and before the clam-av had a chance to be updated with the new definitions (daily automated updates) one email got thru and they called the network guy saying that he had a strange attatchment in the e-mail. The computer was immediately kicked off of the network, had a scan done on it from 'live cd' tools and a few other things before it was allowed back on. (they can't block all attatchments due to the nature of the business requires it.)

So on and so forth.

Thanks drag. Similar, but a bit more. MailSweeper caught the worm you are referring to (our MailSweeper guy sits on the other side of my cube wall and is excitable - it was fun while it lasted while he had those showing up in his queues.) Computers that act up... Sounds like you have CSA with the network policy running.

Was hoping you would answer too.

 

[gsellis]

OK, funny that I forgot this. I wrote another executive summary and found it earlier this week. Here are the bullets.

What features have been added?
Windows XP Service Pack 2 (SP2) is a collection of Windows XP bug fixes and new features.

Network / Network Protection
? Bluetooth added
? Alerter and Messenger Service disabled
? DCOM security enhancements
? Better COM specific restrictions
? New TCP/IP restrictions
? Winsock self-healing
? RPC interface restrictions
? Better WebDAV restrictions
? Inbound Windows Firewall improvements (set to off per ESE)
? Windows Media Player 9
? New Windows Messenger (not installed)
? Added Wireless Provisioning Services
? Wireless Network Setup Wizard

Memory Protection
? Hardware Enforced Data Exception Protection (NX on AMD / Execute-Disable Bit on Intel)

E-Mail Handling
? Outlook Express supports a Plain Text Mode (strips HTML)
? Outlook Express has an attachment execution API set to eliminate the need for custom attachment management

Enhanced Browser Security
? File Download Prompt has changed to include:
o File Icon
o New Message area with signed apps being checked against publisher and new warnings
? Outlook Express will use the same file procedure
? Add-on Manager dialog has been simplified and now allows blocking a publisher
? New Add-on (mobile code) Manager allows users to view/enable/disable add-ons
? New Add-on Manager has crash detection and controls for add-on crash detection
? New block binary behavior for HTML rendering setting
? BindToObject mitigation allows ?safe to initialize? and ?safe for scripting?
? New Information Bar with more detail about errors. messages
o Add-on prompts
o Pop-Up blocked notification
o File download prompts
o Active Content blocked
o ActiveX blocked due to security settings
? More granular Security Zone settings and GPO settings
o Binary Behavior Security Restriction
o MK Protocol Security Restriction
o Local Machine Zone Lockdown Security
o Consistent Mime Handling
o Mime Sniffing Safety Feature
o Object Caching Protection
o Scripted Window Security Restrictions
o Protection From Zone Elevation
o Information Bar
o Restrict ActiveX Install
o Restrict FileDownload
o Add-on Management
o Network Protocol Lockdown
? Local Zone Lockdown
? MIME handling enforcement
? MIME sniffing behavior
? Security content invalidated upon navigation to a different domain
? Pop-up Blocking with allowed, blocked, override, and zone controls
? Block Publisher and Block Invalid Signatures settings
? Window restrictions for script repositioning, sizing, sizing of controls, and removing the status bar
? Pop-up windows controls prevent blocking parent window and creation of chromeless windows
? IE zone elevation blocked
? Network protocol restrictions by zone and blacklist

Computer Maintenance
? Add / Remove filters (show Updates to apps disabled to simplify list)
? Modified Update services including Windows Update Services (SMS add-on)
? Additional updates now include security updates, critical updates, update roll-ups, and service packs
? Critical updates are prioritized
? Clients can be targeted for updates (Update Services)
? Background Intelligent Transfer Service (BITS) 2.0 included
o BITS can be set for a time
o BITS can be set for a network bandwidth level
o BITS can be optimized to download on the portion of a file that changed
o BITS recovers from network failures
? Resultant Set of Policy changes (Windows Firewall awareness)
? Security Center (Firewall, Updates, Anti-virus monitor)
? Updates to Update.exe
? Windows Installer 3.0
o FTP and Gopher no longer supported
o Patch removal supported
o Patch reliability improved with delta installation allowing smaller patches
? New version of Windows Update

New Features
? NetSchedule and Task Scheduler APIs
? Tablet PC Enhancements
o New input panel design (floats near where you are entering text)
o Input panel correction redesign
o Context-sensitive handwriting recognition
o Improved handwriting recognition (especially in Latin-based, Germanic, and East Asian languages)
? New Microsoft Data Access Components (MDAC ? version 2.81)
? Controlling block storage devices ? prevent writes to USB devices
? Distributed Transaction Coordinator set to disabled
? Internet Information Services configuration has changed
? DirectX 9.0c

 

[mechBgon]

How about the money angle. "We have to do this eventually, so do you want to pay again later or shall we just get it over with today?"

 :light:
:Q


Where I work, we run 100% Restricted-User accounts, and that is a nice enhancement to the overall defense scheme, because the majority of the MS exploits seem to gain only the privilege level of the exploitee, and of course that will also be true of anything that an employee executes herself. With MM worms typically wanting to write to the Windows directory and do other stuff a Restricted User can't do... yeah. Being a struggling non-profit agency, we can't afford too many of the big toys, but this freebie measure has proven to be a help.

 

[gsellis]

That is the problem.... the money angle. Anything that they think they can defer is on the block at the moment. Arg... We have a pretty good slide deck now (I think some business should put "Powered by PowerPoint" in their logos 😀 ). We can push it quickly and probably have 25,000 deployed in a week.