COE Newsnet - September 2004

Overview of Windows XP Service Pack 2 Security Technologies

With Windows XP Service Pack 2 (SP2), Microsoft delivers several improved security technologies that help protect customers against viruses, worms and other risks to their computer. These technologies are not intended to replace periodic security updates which Microsoft will continue to release as needed. Instead, SP2 helps to strengthen Windows XP's overall defenses against malicious attacks. Some of these enhancements have the potential to impact existing software written by Independent Software Vendors (ISVs) for Windows. The focus of this article is the more significant enhancements in SP2, their potential impact on existing ISV software, and possible solutions/workarounds for software that had relied on less robust security to function.

The major enhancements in SP2 are:

  • Network protection. These security technologies help to provide better protection against network-based attacks, like MSBlaster, through a number of innovations. These enhancements include turning on Windows Firewall in default installations of Service Pack 2, closing ports except when they are in use, improving the user interface for configuration, improving application compatibility when Windows Firewall is on, and enhancing enterprise administration of Windows Firewall through Group Policy.
  • Browsing security. Security technologies that are delivered in Microsoft Internet Explorer provide improved protection against malicious content on the Web.
  • Computer maintenance. A very important part of any security plan is keeping computers updated with the latest software and security updates, and understanding the role they play in protecting your computer. New technologies are being added to help the end user stay up-to-date. These technologies include Security Center, which provides a central location for information about the security of your computer, and Windows Installer, which provides more security options for software installation.
  • Memory protection. Some attacks by malicious software leverage software security vulnerabilities typically referred to as buffer overruns. Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of approaches to mitigate these attacks from different angles. Core Windows components have been recompiled with the most recent version of Microsoft's compiler technology, which provides added protection against buffer overruns. Additionally, Microsoft is working with microprocessor companies to help Windows support hardware-enforced data execution prevention (DEP) on microprocessors that contain the feature. Data execution prevention uses the CPU to mark all memory locations in an application as non-executable, unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, an application or Windows component will not run it.
  • E-mail handling. Security technologies help to stop viruses that spread through e-mail and instant messaging. These technologies include default settings with enhanced security and improved attachment control using the Attachment Execution Service (AES) API. This results in security and reliability enhancements for communications applications such as Microsoft Outlook, Outlook Express and Windows Messenger. As a result, potentially unsafe attachments that arrive through e-mail and instant messages are isolated so that they are less likely to affect other parts of the system.

The enhanced security features in Service Pack 2 require you to plan and test your deployment to ensure application compatibility. If application compatibility issues arise, workarounds can be implemented in some cases. Often, though, these will increase your exposure to malicious code. The Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2 describes the enhanced security features, potential application incompatibilities, and methods of mitigating issues that may arise. In some cases it may not be possible in the short term to reconfigure the application to operate successfully with the enhanced level of security; in such a case you may need to defer installing SP2 until your ISV provides an upgraded version of their software. In this article, we will focus on the issues relevant to end users of CAD applications and the issues that smaller organizations might face. It is strongly recommended that larger IT organizations review the above guide.

Internet Explorer
Most of the changes that will affect users can be found in applications that leverage Internet Explorer (IE). We will briefly touch on the new features of IE that affect the application compatibility for the average CAD user.

These first five features primarily apply to system administrators and ISVs. They concern the security context that a web application selects to run in, and how an application renders binary data in Internet Explorer. Detailed compatibility issues can be found at

  • Feature Control

  • UrlAction Security

  • Binary Behaviors

  • Distributed COM and Remote Procedure Calls
    Changes to DCOM and RPC have significantly enhanced the security of network communications and remotely executed applications. This security feature directly impacts Independent Software Vendors (ISVs). If one of your applications begins behaving unusually after installation of Service Pack 2 and the workarounds below do not help, you should contact the ISV.

  • Object Caching
    Object Caching is primarily an issue for ISV developers. It prevents code in one application from sniffing the data being entered in another application. This protects your credit card information from some types of spyware sniffers. Applications that rely on this capability, however, will no longer work properly.

Local Machine Lockdown
The first issue that concerns the average user is Local Machine Lockdown. Prior to Windows XP Service Pack 2, access to files and content local to the machine had less restrictive security settings, and these settings were not configurable. Applications that rely on the lower security settings for local content may have compatibility issues after installing SP2. Starting with SP2, content stored in the local file system is no longer assumed to be safe. Initially, the default Local Machine Lockdown security settings are even more restrictive than those for content on the Internet. This is because your local machine contains much more valuable data. So, scripts and ActiveX® controls are blocked when the default Local Machine Lockdown settings are applied.

As a result, if an application downloads content from the Internet Zone and accesses it locally, the page may not load and the warning message in Figure 2.3 appears in the Information Bar.


Figure 2.3: An application attempts an unsafe action with Local Machine Lockdown applied

The same issue can also occur when running active content from a CD.

Multipurpose Internet Mail Extensions (MIME) handling
IE uses Multipurpose Internet Mail Extensions (MIME) types to decide how to handle content being downloaded. To prevent malicious code from masquerading as something it is not, IE with SP2 attempts to determine the actual type of a file by examining its content and comparing the result with the type the data claims to be (from the server's Content-Type header or the file extension). If there is a mismatch, IE will not load the content.

This might cause problems for web applications that relied on the previous, more lenient handling, as well as for files with oddly-named extensions.

For workarounds to existing applications, please consult the Application Compatibility Guide reference above.
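The following is an added example, not code from the article or from Microsoft: a small Python model of the consistency check described above. It sniffs the leading bytes of a download, compares the result with the declared type, and refuses a mismatch or an unverifiable (oddly-named) file; the magic-number and extension tables are constructed subsets, not IE's real sniffing rules.

```python
# Constructed model of the SP2 MIME consistency check (example code, not
# Microsoft's sniffing logic; the tables below are small constructed subsets).
from typing import Tuple

# Leading bytes ("magic numbers") that identify common content types.
MAGIC = [
    (b"MZ", "application/x-msdownload"),          # PE executable (.exe/.dll/.scr)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]

# What a file name claims to be, by extension (constructed subset).
EXT_TYPES = {
    ".gif": "image/gif", ".png": "image/png", ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg", ".pdf": "application/pdf", ".zip": "application/zip",
    ".exe": "application/x-msdownload", ".htm": "text/html",
    ".html": "text/html", ".txt": "text/plain",
}
UNKNOWN = "application/octet-stream"


def sniff(data: bytes) -> str:
    """Return the MIME type implied by the content itself."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    head = data[:512].lstrip().lower()
    if head.startswith((b"<html", b"<!doctype html", b"<script", b"<body")):
        return "text/html"
    try:                       # anything else that is readable ASCII is text
        data[:512].decode("ascii")
        return "text/plain"
    except UnicodeDecodeError:
        return UNKNOWN


def declared_type(content_type: str, filename: str) -> str:
    """The type the download claims: Content-Type header, else the extension."""
    claimed = content_type.split(";")[0].strip().lower()
    if claimed and claimed != UNKNOWN:
        return claimed
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return EXT_TYPES.get(ext, UNKNOWN)


def check_download(content_type: str, filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (load, reason): the content loads only when claim and content agree."""
    claimed = declared_type(content_type, filename)
    actual = sniff(data)
    if claimed == UNKNOWN:     # oddly named file and no usable header: cannot verify
        return False, f"{filename}: declared type unknown, content sniffed as {actual}"
    if actual != claimed:      # e.g. an executable served as an image
        return False, f"{filename}: declared {claimed} but content is {actual}"
    return True, f"{filename}: content matches declared type {claimed}"
```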

Window Restrictions
Some malicious applications attempt to launch windows that are hidden, difficult to close, or which overlay legitimate dialog boxes. With SP2, this capability is restricted. Applications that rely on these capabilities can be re-enabled using the Feature Control settings, but only at the risk of enabling this type of spyware as well.

Zone Elevation Blocking
This new feature of IE prevents a web page script from maliciously launching a page in a less restrictive security zone and then executing malicious code in that page. Applications that rely on this behavior can be re-enabled using the Feature Control capabilities.

Information Bar and PopUp Management
These two features address probably the most common complaint/request about Internet browsers: the desire to manage and block pop-up windows. The Information Bar replaces many of the dialog boxes that IE uses to prompt users about installing add-ons (such as the Quicktime™ or RealOne™ players) and enabling blocked ActiveX® controls. The Information Bar is also the mechanism for interacting with pop-up windows. The settings for PopUp Management are found in the Tools menu of Internet Explorer. When enabled, the PopUp Blocker creates a prompt in the Information Bar asking whether or not to launch the window. This means that even applications that rely on pop-up windows can be run with the PopUp Blocker enabled.

Add-on Management
Management of add-ons for IE has now been enhanced. System Administrators now have the choice of creating AllowLists and DenyLists. With AllowLists, the System Administrators create a set of lists of permitted add-ons, and all others are not allowed. With DenyLists, the System Administrators can create lists of add-ons that are not allowed, but all others can be installed by the user.

Windows Firewall
A significant amount of work has gone into the Windows Firewall. Most significantly, the Windows Firewall is enabled by default at installation, even if another firewall has been installed. The administrator can choose to disable the Windows XP Service Pack 2 Firewall and continue to use their existing firewall. For those who do not have an existing firewall installed, it is strongly recommended that they continue to run the Windows Firewall, even on machines that run on a secure network. This helps protect the user from any machines that may have been accidentally infected, even within the local network.

The challenge is that since firewalls are specifically designed to prevent unauthorized communications to and from your machine, they need to be properly configured for the applications that you run. Microsoft has simplified this process considerably, but it still requires the user to spend some time configuring their network connections.

The first step in configuring the Windows Firewall is to select the Properties for any network connection (Right-Click on the connection in the Network Connections dialogue). The Advanced tab for the connection gives you access to the Windows Firewall Settings dialogue.

The Exceptions tab allows access for a program or to a port on the following basis:

  • Program. The necessary ports open dynamically when required by the application and close when the application terminates.

  • Port. The TCP or UDP port remains open while the Windows Firewall or Internet Connection Firewall service is running.

When a program or port is placed in the exceptions list, the scope of access can be defined by clicking the Change Scope button and selecting one of:

  • Any computer (including those on the Internet)

  • My network (Subnet) only

  • Custom list (a list of IP addresses and subnet mask)

The Windows Firewall settings can also be configured on a per-network-interface basis. This allows you to have more restrictive settings in a wireless or Bluetooth mode than in a hardwired network connected environment. More details on how to configure a desktop instance of the Windows Firewall can be found at http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
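As an added example (not code from the article or from Microsoft), the following Python model captures the two exception kinds and the three scopes described above: a port exception stays open while the firewall service runs, a program exception opens only while that program is bound to the port, and each exception admits traffic only from its scope. Rule names, program paths and addresses are constructed for illustration.

```python
# Constructed model of Windows Firewall exception kinds and scopes
# (example code, not Microsoft's; names, paths and addresses are assumptions).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SCOPE_ANY, SCOPE_SUBNET, SCOPE_CUSTOM = "any", "subnet", "custom"


@dataclass
class FirewallException:
    name: str
    kind: str                        # "program" or "port"
    protocol: str = "TCP"            # port exceptions only
    port: Optional[int] = None       # port exceptions only
    program: Optional[str] = None    # program exceptions: path of the executable
    scope: str = SCOPE_ANY
    custom: str = ""                 # custom scope, as typed: "addr/mask,addr,..."


def parse_custom(custom: str) -> List[ipaddress.IPv4Network]:
    """Parse a custom list such as '192.168.1.0/255.255.255.0,10.0.0.5'."""
    nets = []
    for item in custom.split(","):
        item = item.strip()
        if item:                     # a bare address becomes a single-host network
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_scope(exc: FirewallException, local_iface: str, remote_ip: str) -> bool:
    """Does the remote address fall inside the exception's scope?"""
    remote = ipaddress.ip_address(remote_ip)
    if exc.scope == SCOPE_ANY:       # any computer, including the Internet
        return True
    if exc.scope == SCOPE_SUBNET:    # my network: same subnet as the local interface
        return remote in ipaddress.ip_interface(local_iface).network
    return any(remote in net for net in parse_custom(exc.custom))


def inbound_allowed(exceptions: List[FirewallException], local_iface: str,
                    remote_ip: str, protocol: str, port: int,
                    listener: Optional[str] = None) -> bool:
    """Is an unsolicited inbound connection to (protocol, port) accepted?
    listener: path of the program currently bound to that port, or None."""
    for exc in exceptions:
        if not in_scope(exc, local_iface, remote_ip):
            continue
        if exc.kind == "port" and exc.protocol == protocol and exc.port == port:
            return True              # static: open while the firewall service runs
        if exc.kind == "program" and listener is not None and exc.program == listener:
            return True              # dynamic: open only while that program is bound
    return False                     # default: unsolicited inbound traffic is dropped
```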

If Windows Firewall causes compatibility issues you may need to open static ports in the firewall or place the application into the exception list. Some useful settings to maintain functionality are:

  • Prohibit use of Internet Connection Firewall on your DNS domain network: Prevents Windows Firewall from being enabled or configured when connected to the domain that the policy was received from. For example, if a client computer receives a policy from the corp.contoso.com domain, the Windows Firewall will not attempt to filter traffic when connected to the corp.contoso.com DNS domain.

  • Windows Firewall: Allow authenticated IPSec bypass: Allows unsolicited incoming traffic from any computer that is authenticated using IPSec. This setting requires IPSec configuration on all relevant computers.

  • Windows Firewall: Allow remote administration exception: Allows remote administration of this computer using administrative tools, such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM).

  • Windows Firewall: Allow file and printer exception: Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.

  • Windows Firewall: Allow ICMP exceptions: Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, PING uses the echo request message. If you do not enable the "Allow inbound echo request" message type, Windows Firewall blocks echo request messages sent by PING running on other computers, but does not block outbound echo request messages sent by PING running on this computer. Blocking PING requests from other computers may raise management application issues because the remote user cannot confirm that the target computer is on the network.

  • Windows Firewall: Allow Remote Desktop exception: Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. You must specify the IP addresses or subnets from which Remote Desktop requests are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is selected and administrators cannot clear it.

  • Windows Firewall: Define program exceptions and Windows Firewall: Define port exceptions: These two settings allow the pre-configuration of an exception list for deployment to network clients.

  • Windows Firewall: Allow logging: Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.

ISVs can also programmatically open Firewall Ports. For details, requirements, and implications of this approach, please consult the Application Compatibility Guide referenced earlier.

Data Execution Prevention
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP Service Pack 2, DEP is enforced by both hardware and software. Hardware-enforced DEP relies on processor support to mark memory locations with an attribute indicating that code should not be executed from that location. Both Advanced Micro Devices™ (AMD) and Intel® Corporation have defined and shipped Windows-compatible processor architectures that support DEP, but not all processors support this feature. An additional set of Data Execution Prevention security checks, known as software-enforced DEP, is designed to mitigate exploits of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor capable of running Windows XP Service Pack 2, and is limited to the binary components of Windows XP Service Pack 2.

By default, DEP only protects system applications and services. However, applications that extend Windows functionality may encounter problems with DEP. Applications may also encounter problems with DEP if the system DEP configuration has changed from the defaults.

If you believe you are experiencing problems with DEP, it is possible to apply a compatibility fix named "DisableNX".

Attachment Execution Service
The Attachment Execution Service (AES) is new functionality in SP2, and introduces a few application compatibility issues. AES gives a new and consistent look for file and attachment download dialog boxes for all applications. These new features include:

  • A file handler icon

  • A new information area added to the bottom of the dialog box that provides slightly different information, depending on the severity of risk the file type carries

All downloaded executable files are checked for publisher information. Once the file is downloaded, the Authenticode dialog box displays the publisher information. Download and execution of files whose signature is invalid can be configured in Internet Options on the Advanced tab, or using Active Directory Group Policy at: Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

The user interface has a list of dangerous file types for e-mail attachment downloads that is more stringent than before, and may result in additional warning prompts. The file type list cannot be edited, but the feature can be turned off for Outlook Express by selecting Options on the Tools menu. You can prevent the use of the dangerous file types list on the Security tab by clearing the "Do not allow attachments to be saved or opened that could potentially be a virus" check box.

AES may prevent an e-mail attachment that a user has downloaded to the local file system from executing. The file is marked so that its source is known, even if it is executed at a later date. If the file is considered dangerous, it is blocked. This feature requires the NTFS file system on the user's computer. This behavior can be changed for the file on the General tab of the file properties. More information is available in the Application Compatibility guide.
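The following is an added example, not the article's or Microsoft's code. It reads the mark that AES leaves on a downloaded file (the Zone.Identifier NTFS alternate data stream, INI-style text carrying the URL security zone the file came from) and applies the block rule as the article states it; the risk lists are a constructed subset because the real list is fixed and not published here, and the "prompt" outcome for moderate-risk types is part of this model.

```python
# Constructed example: read an AES-style Zone.Identifier mark and decide
# run / prompt / block (example code, not Microsoft's; risk lists are a subset).
import configparser
from typing import Optional, Tuple

# URL security zone ids as recorded in the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
HIGH_RISK = {".exe", ".scr", ".vbs", ".bat", ".cmd", ".pif"}   # constructed subset
MODERATE_RISK = {".doc", ".xls", ".zip"}                       # constructed subset


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent/unparseable.
    The stream is INI-style text, e.g. '[ZoneTransfer]\\r\\nZoneId=3\\r\\n'.
    None also models a FAT volume (no alternate data streams, so no mark can be
    stored) and a file the user has unblocked on the General tab (stream removed)."""
    if stream is None:
        return None
    cp = configparser.ConfigParser()
    try:
        cp.read_string(stream.replace("\r\n", "\n"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def risk_category(filename: str) -> str:
    """Classify a file name by extension into high / moderate / low risk."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in HIGH_RISK:
        return "high"
    if ext in MODERATE_RISK:
        return "moderate"
    return "low"


def attachment_decision(filename: str, zone_stream: Optional[str]) -> Tuple[str, str]:
    """Return (action, reason) with action one of 'run', 'prompt', 'block'."""
    zone = parse_zone_identifier(zone_stream)
    if zone is None or zone < 3:     # local, intranet or trusted origin, or no mark
        return "run", f"{filename}: not marked as coming from an untrusted zone"
    origin = ZONES.get(zone, f"zone {zone}")
    risk = risk_category(filename)
    if risk == "high":
        return "block", f"{filename}: dangerous file type from {origin}"
    if risk == "moderate":
        return "prompt", f"{filename}: moderate-risk file type from {origin}"
    return "run", f"{filename}: low-risk file type from {origin}"
```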

So far, we have discussed applying mitigation fixes to overcome application compatibility issues. The goal of this process is to enable an application to function by reducing security in one or more areas. The recommended approach is to maintain security configurations and make changes to the application so that it works with Service Pack 2.

If upgrading or modifying the application is not possible, then cautious and limited changes to the security configuration should be made, but only to the extent necessary to ensure correct operation of the application. You should also keep track of the changes you have made, so that when the application has been upgraded or modified to support Service Pack 2, you can restore your system security settings.

Summary
This article has provided an overview of Windows XP Service Pack 2 and some of the possible application compatibility issues that deployment may cause. For more details on implementing application compatibility testing processes, please refer to:

The Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2

Transforming Manufacturing with Mobile Collaborative Design

Why Go Mobile?
Mobile technology has become crucial to modern business. With information readily accessible via wireless networks the same as it is from office workstations, and with professionals on the move staying connected wherever they go via portable devices and computers, being away from the desk, or away from the office no longer has a negative impact on productivity.

While competitive businesses all over the globe have embraced a mobile philosophy, the product development and manufacturing industries have been slow to catch up due to a lack of mobile solutions to meet their needs. CAD applications have long been notorious space hogs, requiring bulky, expensive, high performance computers to handle huge design files. Small, light, mobile computers have not been an option for product development…until now. With today's mobile technology, high performance notebooks and tablet PCs, and specialized applications for collaborative design, it's finally time for product development to go mobile.

In an industry where a complex, distributed network of engineers, manufacturers, suppliers, and other disciplines are striving to create innovative products in an increasingly competitive market, mobility is a key factor to increasing productivity and performance. Gartner reports that productivity gains of over 11 hours occur per employee, per week, with wireless-enabled notebooks [1]. Applying those figures to a product development environment can mean drastic reductions in time to market.

A mobile product development environment not only enables resources to be where they need to be, when they need to be there, but also enables them to access and understand critical information and to make critical decisions no matter where they are. With a design environment at the fingertips of product developers whether they are working from home, on the shop floor, on the road, or anywhere in between, the major payoff of mobility is a faster, more responsive product development process that fosters innovation.

Why go mobile with Intel and ImpactXoft?
It's apparent that mobility in product development is becoming a necessity, so how do you choose the mobile solution that best fits your company's needs? The MOBILITY FOR 3D program helps you mobilize your workforce with an unparalleled solution from leading providers:

Intel® Centrino™ Mobile Technology: built for outstanding mobile performance, extended battery life and integrated wireless LAN capability in thinner and lighter notebooks and laptops.

ImpactXoft Software: a full-fledged collaborative 3D modeling system built from the ground up on an Internet framework. Design changes, no matter how major or slight, can be easily shared and merged between members of the design team who are working in parallel. Another added benefit is that the IX SPeeD V5 Suite is also built on the CAA V5 platform and has native interoperability with CATIA V5 users.

The Mobility for 3D program announces its first seminar series, hosted by HP, ImpactXoft, Intel and Software Marketing Consultants! Don't miss this opportunity to see a live demonstration and talk to the experts about how a mobile design environment can transform your product development process! Visit this website to find out more and to register online!

New England Area Seminar
Tuesday, September 14
1:00 PM - 4:30 PM
HP Facility
131 Hartwell Avenue
Lexington, MA
781.676.4500

New York/New Jersey Area Seminar
Tuesday, September 21
1:00 PM - 4:30 PM
HP Facility
120 West Century Road
Paramus, NJ
201.599.5000

Philadelphia Area Seminar
Wednesday, September 22
1:00 PM - 4:30 PM
HP Facility
640 Freedom Business Center
King of Prussia, PA
610.878.7000

Maryland Area Seminar
Thursday, September 23
1:00 PM - 4:30 PM
HP Facility
9737 Washingtonian Boulevard
Gaithersburg, MD
240.744.8100


401 North Michigan Avenue, Chicago, IL 60611-4267 | (312) 321-5153 | (800) COE-CALL (U.S.)