Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end (FUN210)

Posted on 20-Dec-2015

Page 1: Title slide

Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end
FUN210
Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
Andrew Tucker, Development Lead, Microsoft Corporation

Page 2: Agenda

- Windows Vista and “Longhorn” Server Security Overview
- Isolated Desktop
- Crypto Next Generation (a.k.a. CNG)
- Base Smart Card CSP architecture
- X.509 Enrollment classes
- WinLogon Architecture
- User Account Protection and You

Page 3: Vista Security Overview (block diagram)

- Secure Operating System: Isolated Desktop, Secure Startup
- Access Control
  - Authentication: Logon Protocol, Identity, 2 Factor AuthN
  - Authorization: App AuthZ, Azman, RBAC
- Audit: Logging, Eventing
- Credential Management: Credential Roaming, Lifecycle Management, Certificate Server, Smart Cards
- Common Criteria, FIPS
- Cryptography Services: CAPI, CNG, Policy exp., X.509 Processing
- End User Tools

Page 4: Session 0 Isolation – Windows XP behavior (diagram)

- Session 0: Service A, Service B, Service C, Application A, Application B, Application C
- Session 1: Application D, Application E, Application F
- Session 2: Application G, Application H, Application I
- Session 3: Application J, Application K, Application L

On Windows XP the services and the console user’s applications share Session 0.

Page 5: Session 0 Isolation – Windows Vista behavior (diagram)

- Session 0: Service A, Service B, Service C
- Session 1: Application A, Application B, Application C
- Session 2: Application D, Application E, Application F
- Session 3: Application G, Application H, Application I

On Windows Vista only services run in Session 0; every interactive user gets a separate session.

Page 6: Session 0 Isolation – Technology Introduction

- Separation of services from user sessions
- The desktop is the security boundary for Windows user interfaces
- Interactive services are vulnerable to compromise through Windows messaging
- Currently users cannot see or interact with interactive service UI from their session

Page 7: Session 0 Isolation – Implementation Guidelines

- Services should NEVER open a window on the interactive desktop
- Services which need user input can:
  - Use WTSSendMessage to pop up a simple message box on the user’s desktop
  - Inject a process into the target session by using the CreateProcessAsUser API

Page 8: Vista Security Overview (section divider; same block diagram as page 3)

Page 9: Crypto Next Generation – Technology Overview

- New crypto infrastructure to replace the existing CAPI 1.0 APIs
- CAPI will still be available in Vista but it will be deprecated in some future version
- Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
- New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)

Page 10: Crypto Next Generation – Why replace CAPI?

- Design is 10 years old and shows it
- Plug-in model is monolithic, error prone and inflexible
- Lacks a centralized configuration system
- Not available in kernel mode
- Performance leaves much to be desired

Page 11: Crypto Next Generation – Feature highlights

- Crypto agility
  - Flexible configuration system that includes machine and enterprise level settings
  - Simple and granular plug-in model that supports both kernel and user mode
  - Supports a superset of the algorithms in CAPI, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
- Private key isolation for Common Criteria compliance
- Improved performance

Page 12: Crypto Next Generation – Three layers of plug-ins (diagram)

Applications sit on top of three plug-in layers: Protocol Providers, Key Storage Providers and Primitive Providers. Calls into the primitive layer are dispatched through routers: Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router and Key Storage Router.

Page 13: Crypto Next Generation – Primitive Providers

- Low level algorithm implementations
- Six different types:
  - Symmetric encryption
  - Hash functions
  - Asymmetric encryption
  - Secret agreement
  - Signatures
  - Random number generation
- No persistent keys or key isolation

(Margin diagram: the Applications / Protocol Providers / Key Storage Providers / Primitive Providers stack from page 12, with the Primitive Providers layer highlighted.)

Page 14: Crypto Next Generation – Key Storage Provider

- Provides persistent key support for public/private keys
- Isolates all private key usage to a secure process rather than the client process
- Can be used to interface hardware such as HSMs, Smart Cards, etc.

(Margin diagram: the layer stack from page 12, with the Key Storage Providers layer highlighted.)

Page 15: Crypto Next Generation – Protocol Providers

- Crypto functionality that is specific to a protocol
- SSL – add new cipher suites or replace implementations of existing cipher suites
- S/MIME – plug in new algorithms for signing and encrypting email

(Margin diagram: the layer stack from page 12, with the Protocol Providers layer highlighted.)

Page 16: Crypto Next Generation

- CNG is expected to be an Open Cryptographic Interface (OCI) and will no longer require plug-ins to be signed by Microsoft
- We are working to enable this under US export law
- Eliminates one of the big headaches of CAPI CSPs

Page 17: Implementing a Symmetric Encryption Provider

- Implement, install and use a symmetric encryption primitive provider
- Caller flow (diagram): Open Algorithm Provider → Get/Set Algorithm Property → Create Key → Get/Set Key Property → Crypto Operation(s) → Destroy Key → Close Algorithm Provider
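The caller flow on this slide, exercised end-to-end from PowerShell by P/Invoking the public BCrypt* API in bcrypt.dll. This is an added example, not code from the deck or from Microsoft; AES-CBC with block padding is an assumed configuration and the plaintext is a constructed sample.

```powershell
# Added example: walk the slide's provider call flow through the public CNG BCrypt* API
# (bcrypt.dll) via P/Invoke. AES-CBC with block padding is assumed; plaintext is constructed.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class BCryptNative {
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptOpenAlgorithmProvider(out IntPtr hAlg, string algId, string impl, uint flags);
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptSetProperty(IntPtr hObj, string prop, byte[] input, uint cbInput, uint flags);
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptGetProperty(IntPtr hObj, string prop, byte[] output, uint cbOutput, out uint cbResult, uint flags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptGenerateSymmetricKey(IntPtr hAlg, out IntPtr hKey, byte[] keyObj, uint cbKeyObj, byte[] secret, uint cbSecret, uint flags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptEncrypt(IntPtr hKey, byte[] input, uint cbInput, IntPtr pad, byte[] iv, uint cbIV, byte[] output, uint cbOutput, out uint cbResult, uint flags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptDecrypt(IntPtr hKey, byte[] input, uint cbInput, IntPtr pad, byte[] iv, uint cbIV, byte[] output, uint cbOutput, out uint cbResult, uint flags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptDestroyKey(IntPtr hKey);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptCloseAlgorithmProvider(IntPtr hAlg, uint flags);
}
"@

function Assert-NtStatus([int]$Status, [string]$Call) {
    # NTSTATUS 0 is STATUS_SUCCESS; anything else is an error code
    if ($Status -ne 0) { throw ("{0} failed with NTSTATUS 0x{1:X8}" -f $Call, $Status) }
}

function Invoke-CngAesRoundTrip([byte[]]$Plain) {
    $BCRYPT_BLOCK_PADDING = 1
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # 1. Open Algorithm Provider: "AES", default (null) implementation
    $hAlg = [IntPtr]::Zero
    Assert-NtStatus ([BCryptNative]::BCryptOpenAlgorithmProvider([ref]$hAlg, "AES", $null, 0)) "BCryptOpenAlgorithmProvider"
    try {
        # 2. Set/Get Algorithm Property: select CBC chaining, then read the key object size
        $mode = [System.Text.Encoding]::Unicode.GetBytes("ChainingModeCBC`0")
        Assert-NtStatus ([BCryptNative]::BCryptSetProperty($hAlg, "ChainingMode", $mode, $mode.Length, 0)) "BCryptSetProperty"
        $lenBuf = New-Object byte[] 4; $cb = [uint32]0
        Assert-NtStatus ([BCryptNative]::BCryptGetProperty($hAlg, "ObjectLength", $lenBuf, 4, [ref]$cb, 0)) "BCryptGetProperty"
        $objLen = [BitConverter]::ToUInt32($lenBuf, 0)
        # 3. Create Key from a fresh 256-bit secret; the key object lives in our buffer
        $secret = New-Object byte[] 32; $rng.GetBytes($secret)
        $keyObj = New-Object byte[] $objLen
        $hKey = [IntPtr]::Zero
        Assert-NtStatus ([BCryptNative]::BCryptGenerateSymmetricKey($hAlg, [ref]$hKey, $keyObj, $objLen, $secret, 32, 0)) "BCryptGenerateSymmetricKey"
        try {
            # 4./5. Crypto Operations. CNG updates the IV buffer in place, so every call gets a copy.
            $iv = New-Object byte[] 16; $rng.GetBytes($iv)
            $n = [uint32]0   # a null output buffer makes the call report the required size in $n
            Assert-NtStatus ([BCryptNative]::BCryptEncrypt($hKey, $Plain, $Plain.Length, [IntPtr]::Zero, [byte[]]$iv.Clone(), 16, $null, 0, [ref]$n, $BCRYPT_BLOCK_PADDING)) "BCryptEncrypt(size)"
            $cipher = New-Object byte[] $n
            Assert-NtStatus ([BCryptNative]::BCryptEncrypt($hKey, $Plain, $Plain.Length, [IntPtr]::Zero, [byte[]]$iv.Clone(), 16, $cipher, $n, [ref]$n, $BCRYPT_BLOCK_PADDING)) "BCryptEncrypt"
            $m = [uint32]0
            Assert-NtStatus ([BCryptNative]::BCryptDecrypt($hKey, $cipher, $cipher.Length, [IntPtr]::Zero, [byte[]]$iv.Clone(), 16, $null, 0, [ref]$m, $BCRYPT_BLOCK_PADDING)) "BCryptDecrypt(size)"
            $out = New-Object byte[] $m
            Assert-NtStatus ([BCryptNative]::BCryptDecrypt($hKey, $cipher, $cipher.Length, [IntPtr]::Zero, [byte[]]$iv.Clone(), 16, $out, $m, [ref]$m, $BCRYPT_BLOCK_PADDING)) "BCryptDecrypt"
            $recovered = New-Object byte[] $m   # $m is now the unpadded length
            [Array]::Copy($out, $recovered, $m)
            return [pscustomobject]@{ CipherBytes = $cipher.Length; Recovered = $recovered }
        } finally {
            # 6. Destroy Key, then wipe the key object and secret we own
            [void][BCryptNative]::BCryptDestroyKey($hKey)
            [Array]::Clear($keyObj, 0, $keyObj.Length); [Array]::Clear($secret, 0, 32)
        }
    } finally {
        # 7. Close Algorithm Provider
        [void][BCryptNative]::BCryptCloseAlgorithmProvider($hAlg, 0)
    }
}

$sample = [System.Text.Encoding]::UTF8.GetBytes("constructed sample plaintext")   # constructed input
$result = Invoke-CngAesRoundTrip $sample
$ok = [System.Text.Encoding]::UTF8.GetString($result.Recovered) -eq "constructed sample plaintext"
"{0} plaintext bytes -> {1} ciphertext bytes; round trip ok: {2}" -f $sample.Length, $result.CipherBytes, $ok
```

Passing a null implementation name to BCryptOpenAlgorithmProvider is what lets the configuration system described on page 11 pick the registered provider, so a replacement AES provider is exercised without changing this caller.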

Page 18: Vista Security Overview (section divider; same block diagram as page 3)

Page 19: WinLogon Architecture – Windows XP (diagram)

- Session 0: WinLogon, MSGINA, LSA, SCM, Shell, User GP, Machine GP, Profiles
- Other sessions: WinLogon, MSGINA, User GP, Shell

Page 20: WinLogon Architecture – Vista (diagram)

- Session 0: WinInit, RCM, LSA, Group Policy, Profiles, SCM
- Other sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3

Page 21: Credential Providers – Technology Introduction

- Credential Providers replace GINA
- Credential Providers plug in to Logon UI
- Logon UI can interact simultaneously with multiple credential providers
- Credential Providers can be user selected and/or event driven
- Inbox Credential Providers: Password, Smart Card
- What Credential Providers cannot do: replace the UI for the logon screen

Page 22: Credential Providers – Value Proposition

- Easier to write a Credential Provider than it was to write a GINA
  - LogonUI and CredUI provide all UI
  - Winlogon handles LSALogonUser and Terminal Services support
  - Credential providers simply define credentials and use LogonUI to gather the data
- Uses COM to interact with LogonUI and CredUI

Page 23: Credential Providers – Password Example (sequence diagram)

Components: LSA, WinLogon, LogonUI, Credential Provider Interfaces, Credential Provider 1, Credential Provider 2, Credential Provider 3

1. Ctrl+Alt+Delete
2. Request Credential
3. Get credential information
4. Display UI
5. Click on tile, type user name & password, click Go
6. Go received
7. Get credential for logon
8. Return Credential
9. LSALogonUser

Page 24: Smart Card Subsystem – Current (diagram)

- Crypto Applications (IE, Outlook) → CAPI → Smart Card CSP #1, Smart Card CSP #2, … Smart Card CSP #n → Smart Card Resource Manager → Card Reader #1, Card Reader #2, Card Reader #3
- Non Crypto Applications → SCard API → Smart Card Resource Manager

Page 25: Smart Card Subsystem – Vista and Beyond (diagram)

- Crypto Applications (IE, Outlook) → CAPI → Base CSP, or → CNG → Smart Card KSP
- Base CSP and Smart Card KSP load card modules: RSA Card Module, ECC Card Module, RSA/ECC Card Module
- Legacy Smart Card CSP remains under CAPI
- Everything goes through the Smart Card Resource Manager → Card Reader #1, Card Reader #2, Card Reader #3
- Non Crypto Applications → SCard API → Smart Card Resource Manager

Page 26: Smart Card Subsystem

- Simplified Software Development
  - Common crypto operations handled in the platform
  - API for card manufacturers
- Enhanced User Experience
  - Planned Certification and Testing Program for Smartcard middleware on Windows Update
  - PnP support for Smart Cards
- Enhanced Smart Card Logon Scenarios
  - Root certificates propagation
  - Integrated Smart Card unblock

Page 27: X.509 Enrollment Classes – What’s new

- ActiveX controls Xenroll and ScrdEnrl are retired
- New comprehensive COM classes (CertEnroll) for PKI operations
- “Suite-B” algorithm support

Page 28: X.509 Enrollment Classes – Value Proposition

- Xenroll
  - Difficult to use monolithic interfaces
  - High cost of maintenance for Microsoft to support Xenroll, and for customers and third party CAs if and when Xenroll is updated
- CertEnroll
  - Easy to use modular interfaces
  - No download required

Page 29: X.509 Enrollment Classes – Architectural Block Diagram

- Callers: 3rd Party Applications; Web Enrollment Services; Auto-Enrollment Provider, Certificate Management MMC, CertReq.exe
- Public Enrollment Classes → Internal Enrollment Classes → Aero Wizard & Direct UI; CAPI, CNG and Win32 API

Page 30: X.509 Enrollment Classes – Class diagram overview

- Request Classes (IDispatch): IX509CertificateRequest, IX509CertificateRequestPkcs10, IX509CertificateRequestCertificate, IX509CertificateRequestPkcs7, IX509CertificateRequestCmc
- Enrollment Classes (IDispatch): IX509Enrollment, IX509Enrollments, IX509EnrollmentStatus
- Crypto Classes (IDispatch): ICspAlgorithm, ICspAlgorithms, ICspInformation, ICspInformations, ICspStatus, ICspStatuses, IX509PublicKey, IX509PrivateKey
- Attribute Classes (IDispatch): IX509Attribute, IX509Attributes, IX509AttributeExtensions, ICryptAttribute, ICryptAttributes
- Extension Classes: IX509Extension, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509ExtensionTemplateName, IX509ExtensionTemplate

Page 31: X.509 Enrollment Walkthrough (demo slide, no text)
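An enrollment walkthrough scripted against the CertEnroll COM classes from the class diagram (IX509PrivateKey, IX509ExtensionEnhancedKeyUsage, IX509CertificateRequestPkcs10, IX509Enrollment). This is an added example, not the deck’s demo; the subject name, EKU and output path are assumed sample values, and the request is written to disk rather than submitted to a CA.

```powershell
# Added example: build a PKCS#10 request with the CertEnroll COM classes shown on the
# class diagram. Subject, EKU and output path are constructed sample values; the CSR
# is written to a file and not submitted anywhere.
function New-CertEnrollCsr {
    param(
        [string]$SubjectDn = "CN=host.example.test, O=Example Org",   # constructed sample subject
        [string]$OutFile   = (Join-Path $env:TEMP "request.csr")
    )
    # IX509PrivateKey: generate on the CNG software KSP. The Smart Card KSP or an HSM
    # KSP from the CNG slides could be named here instead.
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = "Microsoft Software Key Storage Provider"
    $key.Length         = 2048
    $key.KeySpec        = 1          # XCN_AT_KEYEXCHANGE (RSA)
    $key.MachineContext = $false     # current user's store; $true needs elevation
    $key.ExportPolicy   = 0          # XCN_NCRYPT_ALLOW_EXPORT_NONE: the key never leaves the KSP
    $key.Create()

    # IX509ExtensionEnhancedKeyUsage: restrict the certificate to client authentication
    $ekuOid = New-Object -ComObject X509Enrollment.CObjectId
    $ekuOid.InitializeFromValue("1.3.6.1.5.5.7.3.2")   # id-kp-clientAuth
    $ekuOids = New-Object -ComObject X509Enrollment.CObjectIds
    $ekuOids.Add($ekuOid)
    $eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    $eku.InitializeEncode($ekuOids)
    $eku.Critical = $true

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectDn, 0)        # XCN_CERT_NAME_STR_NONE

    # IX509CertificateRequestPkcs10: bind key, subject and extension, then encode
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey(1, $key, "")   # 1 = ContextUser; no template
    $req.Subject = $dn
    $req.X509Extensions.Add($eku)
    $req.Encode()

    # IX509Enrollment: wrap the request and emit it as a PEM CSR
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $pem = $enroll.CreateRequest(3)  # XCN_CRYPT_STRING_BASE64REQUESTHEADER
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii
    return $OutFile
}

$csrPath = New-CertEnrollCsr
certutil -dump $csrPath   # check subject, key size and the EKU before handing the CSR to a CA
```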

Page 32: Service Hardening – Motivation

- Services are attractive targets for malware
  - Run without user interaction
  - Number of critical vulnerabilities in services
  - Large number of services run as “System”
- Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.

Page 33: Service Hardening – Developer Guidance

- Move to a least privileged account: use “Local Service” or “Network Service”
- Remove privileges that are not needed
- Grant the Service SID access via ACLs on service specific resources
- Use Service SID, ACLs and a “write-restricted token” to isolate services
- Supply network firewall rules
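The five guidance points above applied to one service and then verified, as an added PowerShell example (not from the deck). The service name, its data directory and the port are hypothetical placeholders; it needs an elevated prompt on Vista or later.

```powershell
# Added example: apply the slide's developer guidance to a service and verify it.
# "ContosoAgent", its data directory and port 8443 are hypothetical placeholders.
# Re-test the service afterwards: a write-restricted token denies writes to any
# object that does not explicitly grant the service SID.
$svc     = "ContosoAgent"                   # hypothetical service name
$dataDir = "C:\ProgramData\ContosoAgent"    # hypothetical service-specific resource
$port    = 8443                             # hypothetical listening port

function Invoke-Checked([string[]]$Cmd) {
    # sc.exe, icacls and netsh report failure through the exit code, not exceptions
    & $Cmd[0] $Cmd[1..($Cmd.Length - 1)]
    if ($LASTEXITCODE -ne 0) { throw "'$($Cmd -join ' ')' failed with exit code $LASTEXITCODE" }
}

# 1. Least privileged account: Network Service instead of LocalSystem
Invoke-Checked @("sc.exe", "config", $svc, "obj=", "NT AUTHORITY\NetworkService")

# 2. Remove privileges that are not needed. The list given here REPLACES the
#    account's defaults, so name only what the service actually uses.
Invoke-Checked @("sc.exe", "privs", $svc, "SeChangeNotifyPrivilege/SeCreateGlobalPrivilege")

# 3. Service SID plus write-restricted token: "unrestricted" adds NT SERVICE\<name>
#    to the token; "restricted" additionally makes the token write-restricted
Invoke-Checked @("sc.exe", "sidtype", $svc, "restricted")

# 4. Grant the Service SID access via ACLs on the service's own resources only
if (-not (Test-Path $dataDir)) { New-Item -ItemType Directory -Path $dataDir | Out-Null }
Invoke-Checked @("icacls", $dataDir, "/inheritance:r", "/grant:r",
    "NT SERVICE\${svc}:(OI)(CI)M",
    "BUILTIN\Administrators:(OI)(CI)F",
    "NT AUTHORITY\SYSTEM:(OI)(CI)F")

# 5. Supply a firewall rule scoped to this service and port, not a blanket program rule
Invoke-Checked @("netsh", "advfirewall", "firewall", "add", "rule", "name=${svc}Inbound",
    "dir=in", "action=allow", "service=$svc", "protocol=TCP", "localport=$port")

# Verify: what to look for after the change
sc.exe qc $svc         # SERVICE_START_NAME should be NT AUTHORITY\NetworkService
sc.exe qprivs $svc     # only the privileges listed in step 2
sc.exe qsidtype $svc   # SERVICE_SID_TYPE should be RESTRICTED
icacls $dataDir        # NT SERVICE\ContosoAgent with Modify, nothing broader
```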

Page 34: User Account Protection

- Previously known as “LUA”
- Users will logon as non-administrator by default
  - Protects the system from the user
  - Enables the system to protect the user
- Consent UI allows elevation to administrator
- Applications and administrator tools should be UAP aware
  - Differentiate capabilities based on UAP
  - Apply correct security checks to product features
- Start testing your software in LH Beta1 and LH Beta2 with UAP

Page 35: User Account Protection – Additional Information

- Where can I find more information?
  - Come get the whitepaper from the FUNdamentals Cabana!
  - FUN406 - Windows Vista: User Account Protection “Securing Your Application with Least Privilege Administration”
- Contact info: Darren Canavor – [email protected]

Page 36: CNG – Additional Information

- CNG documentation available for review
- API documentation - currently only available with signed NDA and EULA
- Contacts
  - Tomas Palmer - [email protected]
  - Tolga Acar - [email protected]

Page 37: Smart Card Subsystem – Additional Information

- Where can I find more information?
  - Base CSP and Card Module specifications have been published to over 20 card vendors – ask if your card vendor has a card module
  - Card module developer kit including card module spec, Base CSP binary, test suite, etc. is currently only available with signed NDA and EULA
  - Card module developer information will be made public via MSDN in the coming months
  - A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
- Contact info: Derek Adam ([email protected])

Page 38: X.509 Enrollment Classes – Additional Information

- Where can I find more information?
  - Libraries included in Vista Beta 1
  - Specifications are currently only available with signed NDA and EULA
- Contact info: Anand Abhyankar – [email protected]

Page 39: Service Hardening – Additional Information

- Related Sessions: FUNHOL019 – “Best Practices for writing Vista Services”
- Contacts: Windows Service Hardening - [email protected]

Page 40: Closing

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.