Attachment Execution Service (AES)
Windows XP Service Pack 2 introduces the new Attachment Execution Service (AES) to control the viewing and execution of files attached to messages. AES has a COM interface that is in turn used by other programs, such as Outlook Express.
AES looks at a file and determines whether it is safe to view or execute based on several criteria. First, it looks at the file extension: it knows it can trust plain text files (.TXT), JPEG images (.JPG), and GIF images (.GIF). It can look up the application associated with a given MIME type and file extension and make sure the two are consistent. It can decide whether a given file type is safe or dangerous from a built-in list of high-risk types. It can require that an antivirus program be active and up-to-date before allowing the user to view or run unsafe files. It can also check the security zone of the message source and apply that zone's policy.
AES in Outlook Express and Windows Messenger
When Outlook Express opens an email that has an attachment, it now calls AES to determine if the attachment is safe. If the attachment is clearly safe, it will be completely available to the user. Safe images will be displayed, and safe attached plain text files will show as available attachments.
If the attachment is clearly unsafe, like a binary executable, it will be blocked: the user will not be able to open it at all, but will see a notice of the blockage. If the attachment might be safe and might be dangerous, the user will see a warning prompt when attempting to drag, save, open, or print the file. If the user accepts, the file is written to disk before it is opened, so that any active on-access antivirus scanner is guaranteed to see it.
Windows Messenger uses similar logic and identical dialogs for handling file attachments. The one major difference is that email attachments are normally downloaded without any intervention by the user, while instant messaging attachments normally require the recipient's permission before they can be sent.
HTML Content Blocking in Outlook Express
One technique that spammers and viruses use to target active email users is to include external content, such as images, in HTML email. When the email calls out to the Web site that hosts the image, the "hit" can be recorded by the Web server and used to identify the recipient.
To preserve the user's privacy and prevent future attacks, Outlook Express now blocks external images and other external content in HTML mode. This option can be globally disabled by the user, and when the option is active the user can load the blocked external content for an email message with one mouse click.
As we will see, running binary behaviors, which use a specialized kind of COM interface that is a feature of Internet Explorer, has been disabled in the Restricted Sites zone by default. Outlook Express renders HTML email using the rules of the Restricted Sites zone by default, although the user can change that zone.
Outlook Express no longer depends on that zone setting, however. There is no legitimate reason for an email to use binary behaviors, so from Service Pack 2 onwards Outlook Express never allows them, whatever zone it is configured to use.
As an additional safety measure, when the user sets Outlook Express to read all messages in plain text, Outlook Express uses the simpler rich edit control instead of the far more complex HTML browser control (mshtml) from Internet Explorer. This choice presents no disadvantages to the end user, while offering a reduced surface to attackers. About a dozen other areas of Outlook Express have also been tightened without affecting users.
More Secure Browsing
In the past, add-ons to Internet Explorer – ActiveX controls, browser extensions, and toolbars – could sometimes become a problem. While many add-ons are useful, some can be unwanted or cause crashes. For example, several advertising companies use add-ons to cause their own pop-up advertisements to display when the user views a Web page with related content.
The new version of Internet Explorer in Windows XP SP 2 includes add-on management and crash detection. Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet Explorer. It also shows the presence of some add-ons that were previously not shown and could be very difficult to detect.
Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on, and gives the user the option to disable add-ons. In addition, administrators can now apply policies about allowed add-ons across an enterprise.
Internet Explorer has supported binary behaviors since version 5. A binary behavior is a component that supports two special COM interfaces that Internet Explorer will recognize and use. A binary behavior can add even more functionality to Internet Explorer than can be accomplished with scripts. In the version of Internet Explorer shipped with Windows XP SP2, there is a way to better control binary behavior security.
Binary behaviors are now disabled in the Restricted Sites zone by default. Since HTML-formatted e-mail is rendered in the Restricted Sites zone by default in most e-mail readers, e-mail is now less vulnerable to viruses and worms based on binary behaviors.
When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the location of the Web page. For example, Web pages that are located on the Internet might not be able to perform some operations, such as accessing information from the local hard drive.
On the other hand, Web pages on the local computer are in the Local Machine zone, where they have the fewest security restrictions. The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer. The Local Machine zone allows Web content to run with fewer restrictions. Unfortunately, attackers also try to take advantage of the Local Machine zone to elevate their privileges and compromise a computer.
In Windows XP Service Pack 2, all local files and content processed by Internet Explorer have the security of the Local Machine zone applied to them. This differs from previous versions, where local content was considered to be secure and no zone-based security was placed on it.
This feature dramatically restricts HTML in the Local Machine zone and HTML that is hosted in Internet Explorer. This helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code.
ActiveX controls in local HTML pages viewed inside of Internet Explorer no longer run. Script in local HTML pages viewed inside of Internet Explorer now prompts the user for permission to run. Administrators and developers who have scripts that need to run in local HTML pages should read about this issue in:
*msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/securityinxpsp2.asp
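One practical consequence for developers, given here as an added example that is not part of the original module: Internet Explorer recognises a "Mark of the Web" comment near the top of a saved HTML file and assigns the file the zone of the URL it names, so a local page marked with about:internet is treated as Internet-zone content and its script runs under that zone's rules instead of the Local Machine lockdown. The Python below is example code of mine, not Microsoft's: it generates the mark with the correct four-digit length field and parses it the way a zone-assignment check would. The 2 KB search window, the decision to ignore a mark whose length field does not match the URL, and the simplified two-zone mapping (Internet or Local Machine only, no intranet or trusted-site handling) are my assumptions.

```python
import re
from urllib.parse import urlsplit

# IE looks for this comment near the top of a saved HTML file; the four-digit
# field is the character count of the URL that follows it.
MOTW_RE = re.compile(rb"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
SEARCH_WINDOW = 2048  # assumption for this example: how far into the file we look


def mark_of_the_web(url: str) -> str:
    """Build a correctly sized Mark of the Web comment for url."""
    if not url.isascii() or any(c.isspace() for c in url):
        raise ValueError("URL must be ASCII with no whitespace")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def zone_for_local_html(html: bytes) -> str:
    """Zone a locked-down IE would assign to a local HTML file (simplified model).

    Only two outcomes are modelled: "Internet" for a well-formed mark naming
    about:internet or an http(s) URL, and "Local Machine" for everything else.
    """
    m = MOTW_RE.search(html[:SEARCH_WINDOW])
    if not m:
        return "Local Machine"
    length, url = int(m.group(1)), m.group(2).decode("ascii", "replace")
    if length != len(url):
        return "Local Machine"  # assumption: a mark whose count is wrong is ignored
    if url.lower() == "about:internet" or urlsplit(url).scheme in ("http", "https"):
        return "Internet"
    return "Local Machine"


def script_behaviour(zone: str) -> str:
    """What SP2 does with script in a local page once its zone is known."""
    return "prompts" if zone == "Local Machine" else "runs"


if __name__ == "__main__":
    # Constructed sample page: a marked local file containing script.
    page = (mark_of_the_web("about:internet") + "\n<html><script>alert(1)</script></html>").encode()
    zone = zone_for_local_html(page)
    print(zone, script_behaviour(zone))
```

The count in the mark is the classic mistake: a hand-edited mark with the wrong number is silently treated as no mark at all, and the page falls back into the locked-down Local Machine zone.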
As discussed in the context of attachments to messages, file types can be identified in many ways, including "sniffing" the contents for recognizable internal bit signatures. When files are served to the client, Internet Explorer uses the following pieces of information to decide how to handle the file:
• File name extension
• Content-Type from the HTTP header (MIME type)
• Content-Disposition from the HTTP header
• Results of the MIME sniff
In Windows XP Service Pack 2, Internet Explorer requires that all file-type information provided by Web servers be consistent. In a MIME sniff, Internet Explorer examines the file for the bit signatures of certain types of files. If, for example, the declared MIME type is “text/plain” but the sniff shows that the file is really an executable, Internet Explorer saves the file in its cache and renames it so that its extension matches the sniffed type; the file is then handled according to what it actually is rather than what the server claimed.
We also discussed the Attachment Execution Service (AES) in the context of email attachments and files transferred via instant messaging applications. Internet Explorer uses AES to check downloaded files for safety, and to display dialogs to the user when permission is needed. The AES dialogs give the user more information and guidance than were available in previous versions of Windows and Internet Explorer. In addition to showing the source, type and size of a downloaded file, AES shows the user the publisher of executable software being installed, and issues a strong warning about software from an unknown source.
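The two decisions described above, the file-type consistency check and the AES safe/unsafe/uncertain classification, are easy to get wrong in the details, so here is a small model of both in one place. This is an added example of mine, not code from the module or from Windows: the signature table, the safe-extension map and the unsafe-extension set are constructed subsets (the three safe types are the ones the module names; the real high-risk list is much longer), and the zone check that AES also applies is left out. The function takes the name from the URL, the Content-Type and Content-Disposition headers, and the leading bytes, and returns the name the file ends up with and whether it is opened, blocked, or prompted for.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The three extensions the module names as plainly safe, with the MIME type
# each must agree with, and a constructed subset of the extensions AES treats
# as plainly unsafe.
SAFE = {".txt": "text/plain", ".jpg": "image/jpeg", ".gif": "image/gif"}
UNSAFE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

# Byte signatures the MIME sniff recognises: a constructed subset.
SIGNATURES = (
    (b"MZ", "application/x-msdownload", ".exe"),  # DOS/PE executable header
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"GIF87a", "image/gif", ".gif"),
    (b"GIF89a", "image/gif", ".gif"),
)


def sniff(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (mime, extension) for a recognised leading signature, else None."""
    for magic, mime, ext in SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    return None


def disposition_filename(header: Optional[str]) -> Optional[str]:
    """Extract filename="..." from a Content-Disposition header value."""
    if not header:
        return None
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', header, re.IGNORECASE)
    return m.group(1).strip() if m else None


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


@dataclass
class Verdict:
    filename: str   # name the file ends up with after any rename
    mime: str       # type actually used to choose a handler
    renamed: bool   # True when the sniff overruled the server's extension
    action: str     # "open" (plainly safe), "block" (plainly unsafe) or "prompt"


def handle_download(url_name: str, content_type: Optional[str],
                    content_disposition: Optional[str], data: bytes) -> Verdict:
    # A Content-Disposition filename wins over the name taken from the URL.
    name = disposition_filename(content_disposition) or url_name
    declared = (content_type or "").split(";")[0].strip().lower()
    mime = declared
    renamed = False

    sniffed = sniff(data)
    if sniffed and sniffed[0] != declared:
        # The server's claim and the bytes disagree: trust the bytes, and
        # rename so the extension matches what would really be executed.
        mime, real_ext = sniffed
        if extension(name) != real_ext:
            stem = name[: name.rfind(".")] if "." in name else name
            name, renamed = stem + real_ext, True

    ext = extension(name)
    if ext in UNSAFE:
        action = "block"
    elif ext in SAFE and SAFE[ext] == mime:
        action = "open"
    else:
        action = "prompt"
    return Verdict(name, mime, renamed, action)


if __name__ == "__main__":
    # Constructed sample: a PE file served as text/plain under a .txt name.
    print(handle_download("notes.txt", "text/plain", None, b"MZ\x90\x00\x03"))
```

The interesting path is the first sample: a .txt name and a text/plain header would have been opened as text, but the MZ signature forces a rename to .exe, which then lands in the blocked class. A file with no recognised signature and no usable type information is neither safe nor unsafe, so it is prompted for.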
In an attempt to grab the user's attention for advertising, many Web sites display ads in pop-up or pop-under browser windows. Several third-party pop-up blockers have been offered to help lessen this annoyance for users, but some of these pop-up blockers have caused problems of their own. The new Pop-up Manager in Internet Explorer blocks most unwanted pop-up windows from appearing. Pop-up windows that are launched when the end user clicks a link will not be blocked. End users and IT administrators can let specific domains launch programmatic pop-up windows.
The new version of Internet Explorer has another dozen security improvements, most of which do not affect users in normal circumstances. A few of these are better security for ActiveX controls and other scriptable objects, fewer possibilities for buffer overruns, better protection against windows placed on top of other windows, and better protection against windows placed off-screen.
Improved Computer Maintenance
A number of new features in Windows XP Service Pack 2 make it easier for users to maintain their computers. Updates are automatic, patches are smaller and can be removed, and there is a centralized user interface for all security-related maintenance.
Windows Update 5
Windows XP Service Pack 2 uses a new version of the Windows Update Web site, and simplified options for automatic updating. The Express Install option on the Windows Update 5 site lets the user quickly scan for, download, and install only the critical and security updates his computer needs.
The Automatic Updates control panel allows the user to update the computer automatically at scheduled times, which makes maintenance a set-and-forget activity. Users can also choose to download updates automatically but not install them, just get notification of update availability, or handle updates manually.
In addition, a new option is provided in the Turn off computer interface as shown below. When updates requiring a reboot have been downloaded to the machine by Automatic Updates but have not been installed, this prompt is provided when performing a manual shut down. This helps ensure the updates can be installed when it is most convenient.
Windows Installer 3
The Windows Installer service defines and manages a standard format for application setup, installation, and upgrades. It tracks components such as groups of files, registry entries, and shortcuts. Windows Installer is a system-resident installation service that provides consistent deployment, enabling administrators and users to manage shared resources, customize installation processes, make decisions on application usage, and resolve configuration problems. Windows Installer 3.0 is a new version of the service that is included in Windows XP Service Pack 2.
Windows Installer 3.0 has enhanced inventory functions that identify what patch components do and don't need to be downloaded, and supports Microsoft's delta compression technology, which makes patches smaller. Windows Installer 3.0 also supports more reliable patch removal.
Security Center
Note: After this introduction, take a closer look into the Windows Security Center later in this module.
Windows Security Center is the centralized place in Windows XP Service Pack 2 for users to learn anything about security and perform any security-related tasks. Security Center monitors the status of three major security functions: the firewall, automatic updates, and virus protection. If Security Center detects a problem with any of these, typically at boot time, it will display an icon and balloon message in the Windows taskbar notification area.
The prescription offered by Windows Security Center is to have an active firewall; to allow for daily, automatic updates of the Windows system; and to have an active antivirus with up-to-date signatures. The status of each of these prescription elements is displayed in Security Center as a stop light.
Security Center knows about Windows Firewall, and about several third-party firewalls. It knows about the most common antivirus solutions. It has an open interface that third-party antivirus and firewall vendors can use to allow Security Center to detect the presence of their software and report its status. Users can tell Security Center that they have an undetected third-party solution, or turn off notifications about specific security vulnerabilities that don't apply in their environment.
Summary
As you've seen, Windows XP Service Pack 2 addresses new challenges to the security of personal computers by making a number of basic improvements to the operating system. It reduces common attack vectors four ways: it protects the network, protects memory, handles e-mail more safely, and browses the Internet more securely. Service Pack 2 also makes it easier to keep the system up-to-date.
Network protection is provided by the Windows Firewall, improvements to the Distributed COM security infrastructure, and improvements to the Remote Procedure Call security infrastructure. Enhanced memory protection comes from support of execution protection on compatible CPUs, and "sandboxing" of the stack and heap on all CPUs.
Message handling is safer thanks to a new Attachment Execution Service, which is used by Outlook Express, Windows Messenger, and other email and instant messaging applications. Numerous improvements to Internet Explorer make browsing more secure and more stable.
In Windows XP Service Pack 2, updates can be fully automatic. Patches are smaller and can always be removed. And, finally, Windows Security Center provides a centralized user interface for all security-related maintenance.
Windows Security Center
Introduction
The Windows Security Center (WSC) shows you the security status of your computer. It also displays any tasks you need to perform to help keep your computer more secure. Specifically, the Security Center displays the status of, and recommendations for, the following:
• Firewall: Windows checks to make sure that your computer is protected by a firewall. A firewall helps protect your computer by preventing unauthorized users from gaining access to it through a network or the Internet. If no firewall is found on your computer, the Security Center provides recommendations for how to install one.
• Virus protection: Windows checks to make sure that your computer is using a full, up-to-date antivirus program. Antivirus software can help protect your computer against viruses and other security threats. If no antivirus program is found, or if your antivirus program is out of date or isn't running, the Security Center provides recommendations for fixing the problem.
• Automatic Updates: Windows checks to make sure that Automatic Updates is set up to download and install security and other important updates to your computer automatically. If Automatic Updates is turned off or not set up to best protect your computer, the Security Center provides recommendations for fixing it.
When all three Security Center components are in a secure and up-to-date state, your system is “green”: safe, with no alerts. If any of the three components is in a non-secure or undetectable state, an icon appears in the taskbar notification area.
The Security Center can also help you:
• Find out about the latest viruses or other security threats.
• Scan your computer for viruses.
• Get customer support from Microsoft for a security-related issue.
Consumer and Small Business
The Windows Security Center (WSC) helps make sure that home and unmanaged small business end users continue to stay protected in four ways:
• Clearly communicating the Microsoft consumer security prescription: use a firewall, use auto-update, and use antivirus software
• Notifying you when you might be vulnerable because you are not following that prescription
• Making it very easy for you to mitigate that potential vulnerability
• Making it easier for you to learn more and do more to protect your PC
To accomplish this there are two main components: the Windows Security Center and the Windows Security Center Risk Indicator.
The Risk Indicator tells you when Windows cannot detect that the computer is protected. It communicates this through a flashing tray icon and through a notification dialog box when you log on. It is triggered when:
• A firewall is not protecting the PC, meaning Windows Firewall is not turned on and no third-party software or hardware firewall can be found, or the software firewall that is found is not enabled.
• Auto-update is not turned on.
• Antivirus software is not protecting the PC, meaning there is no up-to-date antivirus software on the system with “on-access” or “real-time” scanning turned on.
The Risk Indicator directs you to the main interfaces to address the potential vulnerability.
The key aspects of the Windows Security Center are:
• Clearly states the status of your PC protection, through the heading and the color scheme.
• Makes it simple for you to see what issues you need to address, and provides a single tool to address them. For the firewall and updates, the fix globally turns on Windows Firewall or turns on Automatic Updates. For antivirus, if antivirus software is present but out of date or on-access scanning is not enabled, a link is provided to the antivirus product's own interface to address the issue; otherwise you are linked to Microsoft.com to learn about obtaining antivirus software.
• Through help content, addresses the biggest questions you may have about the protection technologies, to make you more comfortable following the prescribed protection strategy.
• Links to important security resources on Microsoft.com.
First Run Behavior
Windows Security Center is automatically launched at first run (on update installs only—not on upgrade or clean install) for all users in the Administrators group regardless of the status of the firewall, antivirus, or automatic updates.
As new users are created in (or added to) the Administrators group, the Security Center will launch as that user’s first run.
Entry Points
There are three shell entry points for Windows Security Center:
• Start menu, Control Panel
• Start menu, All Programs, Accessories, System Tools, Windows Security Center
• If the alert balloon and/or the engine-light tray icon is present, clicking on either.
Note: In Control Panel, if the view option is set to Category View, you see Security Center as a category. If it is set to Classic View, you see Security Center as a control panel icon.
Enterprise
For enterprises, Security Center can be managed centrally via Active Directory Group Policy. It will be turned off by default in domain environments. When it is disabled, the interface appears as shown below.
If an administrator wants to enable the Security Center, they can configure the policy in Group Policy Editor under: Computer Configuration\Administrative Templates\Windows Components\Security Center.
WSC interface
The WSC interface, has three sections:
• Security Essentials
• Manage Security Settings
• Resources
Security Essentials
The Security Essentials section of WSC lists the status of your firewall, Windows Automatic Updates, and virus protection. The example screen shows the status items for a PC with the firewall disabled, Automatic Updates on, and virus protection in an unknown state.
For each item you can view its current status (for example: On, Off, Unknown, Out of Date), information about the item, and, depending on the status, a Recommendations button.
Compare the Automatic Updates item to the Firewall and Virus Protection items: the Recommendations button is not shown when the status of an item is On, but does appear when there is a potential security issue. For example, when WSC shows the firewall as disabled, clicking the button opens the Recommendations dialog box for the firewall, where you can easily enable it.
Manage Security Settings
This section provides an easy way to navigate to common security settings without having to know where else to find them. The shortcuts to Internet Options, System, and Windows Firewall each open the corresponding dialog box.
Resources
The Resources section of WSC provides links that make it easier for you to keep up to date with the latest security information, reach Windows Update and support, open WSC help, and manage WSC alerts (more on managing alerts later).
Antivirus and Firewall Detection
Windows Security Center has a two-tiered approach to detecting status: manual, and automatic via WMI (Windows Management Instrumentation). The manual approach searches for registry keys and files, identified to Microsoft by the ISVs, to detect presence and status. In the WMI model, ISVs determine their own product status and report it to WSC through a WMI provider. In both cases Windows Security Center is trying to determine, for antivirus applications, whether:
• AV is present.
• Signatures are up to date.
• Real-time (on-access) scanning is turned on.
Note: To learn more about WMI, please go to - *msdn.microsoft.com/library/en-us/dnanchor/html/anch_wmi.asp
If any of the three above does not hold, you receive a notification. When no antivirus software is detected at all, WSC alerts you “Windows did not find Antivirus software on this computer” from the notification area and also shows a Not Found status in the Security Essentials portion of the WSC. You can also receive a notification when your signatures are not up to date.
Note: The status architecture of some antivirus software is unique and may require an update for WSC to detect its presence. In some other cases WSC will detect presence only – with no status available. These users will receive a “red alert” because Windows could not detect an up to date and turned on antivirus product even if one is present, turned on, and up to date. Some example companies which may fall into this area include Symantec and Norton – watch for updates from these companies in the XPSP2 timeframe to resolve this issue.
You are NOT required to select AV or firewall software that is compliant with Windows Security Center. If you use software that is not detectable, you can follow the prompts that tell WSC you will monitor its status on your own; this results in a “yellow,” caution state, but no proactive messages.
Note: For firewalls, WSC detects whether a third party firewall is installed, and if it is turned on or not along with similar notifications and alerts as you see with antivirus.
To specify that you are using antivirus software that Windows does not find:
When you use this procedure, the Security Center displays your Virus Protection setting as Unknown, and does not send you alerts.
Note: You can also use this procedure if Security Center is alerting you because it does not recognize signatures as up to date, even if you believe they are up to date.
1. First, visit your antivirus vendor to download and install the latest version of the software and the most recent signatures.
a. Restart Windows and check the status in Security Center.
b. If Security Center does not recognize your software by continuing to display your Virus Protection setting as Unknown, proceed to the next step.
2. To open the Security Center, click Start, click Control Panel, and then click Security Center.
3. In the Security Center, under Antivirus, click Recommendations.
4. In the Recommendations dialog box for antivirus, select the I have an antivirus program that I’ll monitor myself check box, and then click OK.
5. Visit your antivirus vendor regularly to see if updates for software and signatures are available.
Note: The Recommendations button is not available when your Antivirus setting is marked ON.
To specify that you are using a firewall that Windows does not find:
When you use this procedure, the Security Center displays your Firewall setting as Unknown, and does not send you alerts.
1. To open the Security Center, click Start, click Control Panel, and then click Security Center.
2. In the Security Center, under Firewall, click Recommendations.
3. In the Recommendations dialog box, select the I have a firewall solution that I'll monitor myself check box, and then click OK.
Note: The Recommendations button is not available when your Firewall setting is marked ON.
Recommendation: If your computer is using a hardware firewall, you should still enable Windows Firewall or another software firewall.
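To make the detection and alert rules above concrete, here is a small model of how WSC turns the product data it collects into an item status, a colour and a Risk Indicator decision. This is an added example of mine, not Microsoft's code: the records are constructed, with field names borrowed from the XP root\SecurityCenter AntiVirusProduct and FirewallProduct WMI classes (productUptoDate, onAccessScanningEnabled, enabled), the "monitor myself" flags stand for the two Recommendations check boxes described in the procedures above, the alerts dictionary stands for the Change the way Security Center alerts me settings, and the reduced-mode flags stand for domain membership and the Group Policy setting the module names. The exact precedence WSC uses when several products are installed is not on the page; the "any product satisfies all three checks" rule below is my assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AntiVirusProduct:
    """Constructed record shaped like the XP root\\SecurityCenter AntiVirusProduct class."""
    displayName: str
    productUptoDate: bool
    onAccessScanningEnabled: bool


@dataclass
class FirewallProduct:
    """Constructed record shaped like the XP root\\SecurityCenter FirewallProduct class."""
    displayName: str
    enabled: bool


@dataclass
class MachineState:
    windows_firewall_on: bool
    automatic_updates_on: bool
    firewalls: List[FirewallProduct] = field(default_factory=list)
    antivirus: List[AntiVirusProduct] = field(default_factory=list)
    monitor_firewall_myself: bool = False    # "I have a firewall solution that I'll monitor myself"
    monitor_antivirus_myself: bool = False   # "I have an antivirus program that I'll monitor myself"
    alerts: Dict[str, bool] = field(default_factory=lambda: {
        "Firewall": True, "Automatic Updates": True, "Virus Protection": True})
    domain_joined: bool = False
    security_center_in_domain: bool = False  # GPO "Turn on Security Center (Domain PCs only)"


def firewall_status(s: MachineState) -> str:
    if s.windows_firewall_on or any(f.enabled for f in s.firewalls):
        return "On"
    return "Unknown" if s.monitor_firewall_myself else "Off"


def antivirus_status(s: MachineState) -> str:
    if s.monitor_antivirus_myself:
        return "Unknown"
    if not s.antivirus:
        return "Not Found"
    # Assumption: one product that passes all three checks is enough.
    if any(p.productUptoDate and p.onAccessScanningEnabled for p in s.antivirus):
        return "On"
    if any(p.onAccessScanningEnabled for p in s.antivirus):
        return "Out of Date"
    return "Off"


def updates_status(s: MachineState) -> str:
    return "On" if s.automatic_updates_on else "Off"


COLOR = {"On": "green", "Unknown": "yellow"}  # every other status is red
RANK = {"green": 0, "yellow": 1, "red": 2}


def evaluate(s: MachineState) -> dict:
    """Per-item status, the worst colour, and whether the Risk Indicator fires."""
    reduced = s.domain_joined and not s.security_center_in_domain
    status = {
        "Firewall": firewall_status(s),
        "Automatic Updates": updates_status(s),
        "Virus Protection": antivirus_status(s),
    }
    colors = {k: COLOR.get(v, "red") for k, v in status.items()}
    overall = max(colors.values(), key=RANK.get)
    # The Risk Indicator fires only for red items whose alerts are still on,
    # and never in reduced mode, where tray notifications are switched off.
    risk_indicator = (not reduced) and any(
        colors[k] == "red" and s.alerts.get(k, True) for k in status)
    return {
        "reduced_mode": reduced,
        "status": status,
        "overall": overall,
        "risk_indicator": risk_indicator,
        # The Recommendations button appears for every item that is not On.
        "recommendations": [k for k, v in status.items() if v != "On"],
    }


if __name__ == "__main__":
    # Constructed sample: Windows Firewall off, AU on, one AV with stale signatures.
    sample = MachineState(windows_firewall_on=False, automatic_updates_on=True,
                          antivirus=[AntiVirusProduct("ExampleAV", False, True)])
    print(evaluate(sample))
```

Two things the model makes visible that the screens do not: a "monitor myself" answer never makes an item green, it only downgrades red to yellow and silences the alert, and clearing an item in the alert settings changes nothing about the status shown in Security Essentials, it only stops the tray notification.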
Change Alert Settings
If you prefer not to be alerted about your status in any circumstance, there is an option to de-select any or all notifications for:
• Firewall
• Automatic Updates
• Virus Protection
1. In Security Center, click Change the way Security Center alerts me.
2. Clear the item to disable its alerts, then click OK.
Windows Security Center in reduced mode via Group Policy
For PCs in a domain, some of the Security Essentials items may not make sense to display. For example, a PC may be behind a corporate firewall or may receive updates from a corporate update server. WSC has no special logic to detect environment configurations specific to domain PCs, so its prescription would very likely be inaccurate.
Therefore, for PCs in a domain, the WSC interface is switched to a “reduced mode”. This reduced mode hides the Security Essentials section of the interface and displays everything else. The reduced mode also turns off all notification-area icons, and turns off the WSC first-run launch.
Note: When in reduced mode, the link in the left panel to change security center settings is disabled.