Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end (slide transcript, posted 20-Dec-2015)
Slide 1: Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end
FUN210
Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
Andrew Tucker, Development Lead, Microsoft Corporation
Slide 2: Agenda
Windows Vista and “Longhorn” Server Security Overview
Isolated Desktop
Crypto Next Generation (a.k.a. CNG)
Base Smart Card CSP architecture
X.509 Enrollment classes
WinLogon Architecture
User Account Protection and You
Slide 3: Secure Operating System - Vista Security Overview (diagram)
Diagram boxes: Access Control (Authentication, Authorization, App AuthZ, AzMan, RBAC, Logon Protocol, Identity, 2 Factor AuthN); Audit (Logging, Eventing); Credential Management (Credential Roaming, Lifecycle Management, Certificate Server, Smart Cards); Cryptography Services (CAPI, CNG, Policy exp., X.509 Processing); Isolated Desktop; Secure Startup; End User Tools; Common Criteria; FIPS.
Slide 4: Session 0 Isolation - Windows XP behavior (diagram)
Session 0: Service A, Service B, Service C, Application A, Application B, Application C (services share the console session with the first user's applications)
Session 1: Application D, Application E, Application F
Session 2: Application G, Application H, Application I
Session 3: Application J, Application K, Application L
Slide 5: Session 0 Isolation - Windows Vista behavior (diagram)
Session 0: Service A, Service B, Service C (services only, no user applications)
Session 1: Application A, Application B, Application C
Session 2: Application D, Application E, Application F
Session 3: Application G, Application H, Application I
Slide 6: Session 0 Isolation - Technology Introduction
Separation of services from user sessions
The desktop is the security boundary for Windows user interfaces
Interactive services are vulnerable to compromise through Windows messaging
Currently, users cannot see or interact with interactive service UI from their session
Slide 7: Session 0 Isolation - Implementation Guidelines
Services should NEVER open a window on the interactive desktop
Services which need user input can:
  Use WTSSendMessage to pop up a simple message box on the user's desktop
  Inject a process into the target session by using the CreateProcessAsUser API
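The two guidelines on this slide, as an added PowerShell example that is not part of the FUN210 deck: a function that audits which installed services still set the SERVICE_INTERACTIVE_PROCESS type bit (the services that would have drawn UI in Session 0 and are now invisible to users), and a Send-SessionMessage wrapper around WTSSendMessage, the supported way to show a message box inside the user's session. The registry location and the P/Invoke signatures follow the Win32 SDK headers; the function names are my own.

```powershell
# Added example, not from the FUN210 deck. Assumes Vista or later and read
# access to HKLM\SYSTEM; P/Invoke signatures follow wtsapi32.h / winbase.h.

$SERVICE_INTERACTIVE_PROCESS = 0x100   # Type bit a LocalSystem service sets to get console UI

function Get-InteractiveService {
    # Every service has a REG_DWORD 'Type' under its Services key. With Session 0
    # isolation, a service that still sets 0x100 draws windows nobody can see.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $p.Type -and ($p.Type -band $SERVICE_INTERACTIVE_PROCESS)) {
            [pscustomobject]@{
                Name      = $svc.PSChildName
                Type      = ('0x{0:X}' -f $p.Type)
                Account   = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
                ImagePath = $p.ImagePath
            }
        }
    }
}

# WTSSendMessage: the supported replacement for a service message box. The box is
# drawn inside the target session, so the service never owns a window itself.
Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();

[DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool WTSSendMessage(
    IntPtr hServer, uint SessionId,
    string pTitle, uint TitleLength,
    string pMessage, uint MessageLength,
    uint Style, uint Timeout, out uint pResponse, bool bWait);
'@

function Send-SessionMessage {
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Message,
        [uint32]$SessionId = [Win32.Wts]::WTSGetActiveConsoleSessionId(),
        [uint32]$TimeoutSeconds = 30
    )
    $WTS_CURRENT_SERVER_HANDLE = [IntPtr]::Zero
    $MB_OK = 0
    if ($SessionId -eq 0xFFFFFFFF) { throw 'No session is attached to the console' }
    [uint32]$response = 0
    # TitleLength/MessageLength are byte counts; UTF-16 strings are 2 bytes per char.
    $ok = [Win32.Wts]::WTSSendMessage(
        $WTS_CURRENT_SERVER_HANDLE, $SessionId,
        $Title, [uint32]($Title.Length * 2),
        $Message, [uint32]($Message.Length * 2),
        $MB_OK, $TimeoutSeconds, [ref]$response, $true)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ('WTSSendMessage failed: ' + (New-Object ComponentModel.Win32Exception($err)).Message)
    }
    return $response   # 1 = IDOK clicked; 32000 = IDTIMEOUT, nobody answered in time
}

Get-InteractiveService | Format-Table -AutoSize
# Send-SessionMessage -Title 'Backup service' -Message 'Nightly backup finished.'
```

The audit is a cheap pre-migration check: any service listed by Get-InteractiveService relies on the XP behaviour from slide 4 and needs the WTSSendMessage or CreateProcessAsUser route from this slide.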
Slide 8: Secure Operating System - Vista Security Overview (section divider; same diagram as slide 3)
Slide 9: Crypto Next Generation - Technology Overview
New crypto infrastructure to replace the existing CAPI 1.0 APIs
CAPI will still be available in Vista, but it will be deprecated in some future version
Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)
Slide 10: Crypto Next Generation - Why replace CAPI?
Design is 10 years old and shows it
Plug-in model is monolithic, error prone and inflexible
Lacks a centralized configuration system
Not available in kernel mode
Performance leaves much to be desired
Slide 11: Crypto Next Generation - Feature highlights
Crypto agility
  Flexible configuration system that includes machine and enterprise level settings
  Simple and granular plug-in model that supports both kernel and user mode
  Supports a superset of the algorithms in CAPI, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
Private key isolation for Common Criteria compliance
Improved performance
Slide 12: Crypto Next Generation - Three layers of plug-ins (diagram)
Layers, top to bottom: Applications; Protocol Providers; Key Storage Providers; Primitive Providers
Routers shown: Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router, Key Storage Router
Slide 13: Crypto Next Generation - Primitive Providers
Low level algorithm implementations
Six different types:
  Symmetric encryption
  Hash functions
  Asymmetric encryption
  Secret agreement
  Signatures
  Random number generation
No persistent keys or key isolation
(Side diagram repeats the plug-in layers: Applications, Protocol Providers, Key Storage Providers, Primitive Providers)
Slide 14: Crypto Next Generation - Key Storage Provider
Provides persistent key support for public/private keys
Isolates all private key usage to a secure process rather than the client process
Can be used to interface hardware such as HSMs, Smart Cards, etc.
(Side diagram repeats the plug-in layers: Applications, Protocol Providers, Key Storage Providers, Primitive Providers)
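The key isolation property of this slide, shown from the client side as an added PowerShell example (not code from the deck): a persisted ECDSA key is created in the Microsoft Software Key Storage Provider with an export policy of none, signing still works because the KSP performs the private key operation in the isolated key storage process (the KeyIso service hosted by lsass.exe) and only the signature comes back, and an attempt to export the private half is refused. Assumes Windows PowerShell 5.1 on the .NET Framework; the key name and message are constructed for the demonstration and the key is deleted at the end.

```powershell
# Added example, not from the FUN210 deck. Uses the .NET CNG wrappers over the
# Microsoft Software KSP; key name and message are constructed test values.

function Test-KspKeyIsolation {
    param([string]$KeyName = 'FUN210-example-ecdsa-key')   # constructed name
    $crypto = 'System.Security.Cryptography'
    if ([System.Security.Cryptography.CngKey]::Exists($KeyName)) {
        [System.Security.Cryptography.CngKey]::Open($KeyName).Delete()   # leftover from an earlier run
    }
    # Export policy and usage are fixed at creation time and enforced by the KSP,
    # not by the calling process.
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $params)
    $ecdsa = $null
    try {
        $result = [ordered]@{ KeyName = $KeyName; Provider = $key.Provider.Provider }

        # Private key use: the signature is computed inside the key isolation
        # process; this process only ever holds the handle and the result.
        $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($key)
        $data  = [Text.Encoding]::UTF8.GetBytes('constructed message')
        $sig   = $ecdsa.SignData($data)
        $result.SignatureVerifies = $ecdsa.VerifyData($data, $sig)

        # Private export is refused (NTE_BAD_KEY_STATE) because the policy is None.
        try {
            [void]$key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPrivateBlob)
            $result.PrivateExportBlocked = $false
        } catch {
            $result.PrivateExportBlocked = $true
            $result.ExportError = $_.Exception.Message
        }
        # The public half is always exportable.
        $result.PublicBlobBytes = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob).Length
        [pscustomobject]$result
    }
    finally {
        if ($ecdsa) { $ecdsa.Dispose() }
        $key.Delete()   # remove the persisted demo key from the user key store
    }
}

Test-KspKeyIsolation | Format-List
```

Expected shape of the output on a working system: SignatureVerifies True, PrivateExportBlocked True, PublicBlobBytes a small positive number. A primitive provider (slide 13) offers none of this: its keys live in the caller's own memory and can always be read back.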
Slide 15: Crypto Next Generation - Protocol Providers
Crypto functionality that is specific to a protocol
  SSL – add new cipher suites or replace implementations of existing cipher suites
  S/MIME – plug in new algorithms for signing and encrypting email
(Side diagram repeats the plug-in layers: Applications, Protocol Providers, Key Storage Providers, Primitive Providers)
Slide 16: Crypto Next Generation
CNG is expected to be an Open Cryptographic Interface (OCI) and will no longer require plug-ins to be signed by Microsoft
We are working to enable this under US export law
Eliminates one of the big headaches of CAPI CSPs
Slide 17: Implementing a Symmetric Encryption Provider
Implement, install and use a symmetric encryption primitive provider
Call sequence a caller makes against the provider:
  1. Open Algorithm Provider
  2. Get/Set Algorithm Property
  3. Create Key
  4. Get/Set Key Property
  5. Crypto Operation(s)
  6. Destroy Key
  7. Close Algorithm Provider
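The call sequence on this slide, driven from the caller's side as an added PowerShell example (not the deck's code and not a provider implementation): the BCrypt functions that each step maps to are called through P/Invoke against the built-in AES primitive provider, in the order open provider, get/set property, create key, encrypt, destroy key, close provider. The function and property names are the documented bcrypt.h names; the key, IV and plaintext are constructed test values, and the result is cross-checked against .NET's AES-CBC so a wrong step shows up immediately. Assumes Vista or later with Windows PowerShell.

```powershell
# Added example, not from the FUN210 deck. P/Invoke signatures follow bcrypt.h;
# "AES", "ObjectLength", "ChainingMode" and "ChainingModeCBC" are the SDK's
# BCRYPT_* string constants. Key/IV/plaintext below are constructed test data.

Add-Type -Namespace Win32 -Name BCrypt -MemberDefinition @'
[DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
public static extern int BCryptOpenAlgorithmProvider(out IntPtr phAlgorithm, string pszAlgId, string pszImplementation, uint dwFlags);
[DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
public static extern int BCryptGetProperty(IntPtr hObject, string pszProperty, byte[] pbOutput, uint cbOutput, out uint pcbResult, uint dwFlags);
[DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
public static extern int BCryptSetProperty(IntPtr hObject, string pszProperty, byte[] pbInput, uint cbInput, uint dwFlags);
[DllImport("bcrypt.dll")]
public static extern int BCryptGenerateSymmetricKey(IntPtr hAlgorithm, out IntPtr phKey, IntPtr pbKeyObject, uint cbKeyObject, byte[] pbSecret, uint cbSecret, uint dwFlags);
[DllImport("bcrypt.dll")]
public static extern int BCryptEncrypt(IntPtr hKey, byte[] pbInput, uint cbInput, IntPtr pPaddingInfo, byte[] pbIV, uint cbIV, byte[] pbOutput, uint cbOutput, out uint pcbResult, uint dwFlags);
[DllImport("bcrypt.dll")]
public static extern int BCryptDestroyKey(IntPtr hKey);
[DllImport("bcrypt.dll")]
public static extern int BCryptCloseAlgorithmProvider(IntPtr hAlgorithm, uint dwFlags);
'@

function Assert-NtSuccess([int]$Status, [string]$Call) {
    # NTSTATUS: 0 is STATUS_SUCCESS; anything else is a failure code.
    if ($Status -ne 0) { throw ('{0} failed with NTSTATUS 0x{1:X8}' -f $Call, $Status) }
}

function Invoke-CngAesCbcEncrypt {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Plaintext)
    $BCRYPT_BLOCK_PADDING = 0x1          # PKCS#7-style padding of the last block
    $hAlg = [IntPtr]::Zero; $hKey = [IntPtr]::Zero; $keyObj = [IntPtr]::Zero
    try {
        # 1. Open Algorithm Provider: NULL implementation lets the router pick the default.
        Assert-NtSuccess ([Win32.BCrypt]::BCryptOpenAlgorithmProvider([ref]$hAlg, 'AES', $null, 0)) 'BCryptOpenAlgorithmProvider'

        # 2. Get/Set Algorithm Property: key-object size, then CBC chaining mode.
        $buf = New-Object byte[] 4; [uint32]$cb = 0
        Assert-NtSuccess ([Win32.BCrypt]::BCryptGetProperty($hAlg, 'ObjectLength', $buf, 4, [ref]$cb, 0)) 'BCryptGetProperty(ObjectLength)'
        $objLen = [BitConverter]::ToUInt32($buf, 0)
        $mode = [Text.Encoding]::Unicode.GetBytes("ChainingModeCBC`0")   # cbInput includes the terminator
        Assert-NtSuccess ([Win32.BCrypt]::BCryptSetProperty($hAlg, 'ChainingMode', $mode, $mode.Length, 0)) 'BCryptSetProperty(ChainingMode)'

        # 3. Create Key: the key object lives in memory we own until BCryptDestroyKey,
        #    so it is allocated unmanaged rather than as a movable .NET array.
        $keyObj = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$objLen)
        Assert-NtSuccess ([Win32.BCrypt]::BCryptGenerateSymmetricKey($hAlg, [ref]$hKey, $keyObj, $objLen, $Key, $Key.Length, 0)) 'BCryptGenerateSymmetricKey'

        # 5. Crypto Operation: size query with NULL output, then the real call.
        #    BCryptEncrypt advances the IV buffer in place, so pass copies.
        [uint32]$needed = 0
        $iv = [byte[]]$IV.Clone()
        Assert-NtSuccess ([Win32.BCrypt]::BCryptEncrypt($hKey, $Plaintext, $Plaintext.Length, [IntPtr]::Zero, $iv, $iv.Length, $null, 0, [ref]$needed, $BCRYPT_BLOCK_PADDING)) 'BCryptEncrypt(size)'
        $out = New-Object byte[] $needed
        [uint32]$written = 0
        $iv = [byte[]]$IV.Clone()
        Assert-NtSuccess ([Win32.BCrypt]::BCryptEncrypt($hKey, $Plaintext, $Plaintext.Length, [IntPtr]::Zero, $iv, $iv.Length, $out, $out.Length, [ref]$written, $BCRYPT_BLOCK_PADDING)) 'BCryptEncrypt'
        if ($written -ne $out.Length) { $out = [byte[]]$out[0..($written - 1)] }
        return ,$out
    }
    finally {
        # 6./7. Destroy Key (then free its buffer) and Close Algorithm Provider.
        if ($hKey -ne [IntPtr]::Zero)   { [void][Win32.BCrypt]::BCryptDestroyKey($hKey) }
        if ($keyObj -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::FreeHGlobal($keyObj) }
        if ($hAlg -ne [IntPtr]::Zero)   { [void][Win32.BCrypt]::BCryptCloseAlgorithmProvider($hAlg, 0) }
    }
}

# Constructed test vectors (not a real key); compare with the .NET implementation.
$key = [byte[]](1..32)
$iv  = [byte[]](101..116)
$pt  = [Text.Encoding]::UTF8.GetBytes('CNG primitive provider lifecycle')
$cng = [byte[]](Invoke-CngAesCbcEncrypt -Key $key -IV $iv -Plaintext $pt)
$aes = [Security.Cryptography.Aes]::Create()       # CBC + PKCS7 by default
$aes.Key = $key; $aes.IV = $iv
$net = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
'CNG ciphertext matches .NET AES-CBC: {0}' -f ([Convert]::ToBase64String($cng) -eq [Convert]::ToBase64String($net))
```

Step 4 (Get/Set Key Property) is omitted only because AES-CBC needs none after the chaining mode is set on the algorithm handle; a key-level property is set with the same BCryptSetProperty call against $hKey. A replacement provider registered for "AES" would be exercised by exactly this sequence, which is why the cross-check against an independent implementation is worth keeping.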
Slide 18: Secure Operating System - Vista Security Overview (section divider; same diagram as slide 3)
Slide 19: WinLogon Architecture - Windows XP (diagram)
Session 0: WinLogon, User GP, LSA, Shell, Machine GP, Profiles, MSGINA, SCM
Other Sessions: WinLogon, User GP, Shell, MSGINA
Slide 20: WinLogon Architecture - Vista (diagram)
Session 0: WinInit, RCM, LSA, Group Policy, Profiles, SCM
Other Sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3
Slide 21: Credential Providers - Technology Introduction
Credential Providers replace GINA
Credential Providers plug in to Logon UI
Logon UI can interact simultaneously with multiple credential providers
Credential Providers can be user selected and/or event driven
Inbox Credential Providers: Password, Smart Card
What Credential Providers cannot do: replace the UI for the logon screen
Slide 22: Credential Providers - Value Proposition
Easier to write a Credential Provider than it was to write a GINA
  LogonUI and CredUI provide all UI
  Winlogon handles LSALogonUser and Terminal Services support
  Credential providers simply define credentials and use LogonUI to gather the data
Uses COM to interact with LogonUI and CredUI
Slide 23: Credential Providers - Password Example (sequence diagram)
Components: LSA, WinLogon, LogonUI, Credential Provider Interfaces, Credential Provider 1, Credential Provider 2, Credential Provider 3
1. Ctrl+Alt+Delete
2. Request Credential
3. Get credential information
4. Display UI
5. Click on tile, type user name & password, click Go
6. Go received
7. Get credential for logon
8. Return Credential
9. LSALogonUser
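Because slides 21 to 23 make credential providers COM plug-ins that LogonUI loads for every logon, the defender's counterpart is an inventory of what is registered. This added PowerShell example (not from the deck) walks the provider and provider-filter registration keys, resolves each CLSID to its DLL through InprocServer32, and checks the DLL's Authenticode signature so anything not signed by Microsoft stands out. It assumes Vista or later and read access to HKLM; the registry paths are the documented Credential Provider registration keys and the function name is my own.

```powershell
# Added example, not from the FUN210 deck. Lists the credential providers and
# filters LogonUI will load and reports who signed each DLL.

function Get-RegisteredCredentialProvider {
    $roots = @{
        Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
        Filter   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
    }
    foreach ($kind in $roots.Keys) {
        if (-not (Test-Path $roots[$kind])) { continue }
        foreach ($entry in Get-ChildItem $roots[$kind]) {
            $clsid = $entry.PSChildName
            # The registration key's default value is the provider's display name.
            $name = (Get-ItemProperty -Path $entry.PSPath).'(default)'
            # COM resolves the CLSID to its in-process server DLL here.
            $server = Join-Path 'HKLM:\SOFTWARE\Classes\CLSID' "$clsid\InprocServer32"
            $dll = $null; $sigStatus = 'NoInprocServer32'; $signer = $null
            if (Test-Path $server) {
                $raw = (Get-ItemProperty -Path $server).'(default)'
                $dll = [Environment]::ExpandEnvironmentVariables($raw)   # REG_EXPAND_SZ paths
                if (Test-Path $dll) {
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    $sigStatus = $sig.Status
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                } else {
                    $sigStatus = 'DllMissing'
                }
            }
            [pscustomobject]@{
                Kind      = $kind
                Name      = $name
                Clsid     = $clsid
                Dll       = $dll
                Signature = $sigStatus
                Signer    = $signer
            }
        }
    }
}

# Review list: anything unsigned, missing, or signed by someone other than Microsoft.
Get-RegisteredCredentialProvider |
    Sort-Object Kind, Name |
    Format-Table Kind, Name, Signature, Signer, Dll -AutoSize
```

The inbox Password and Smart Card providers from slide 21 appear with a Microsoft signer; third-party providers (smart card middleware, biometrics) should match a vendor you installed. Capturing this list at build time and diffing it periodically turns the COM extensibility point into something you can monitor.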
Slide 24: Smart Card Subsystem - Current (diagram)
Crypto Applications (IE, Outlook) -> CAPI -> Smart Card CSP #1, Smart Card CSP #2, ..., Smart Card CSP #n -> Smart Card Resource Manager -> Card Reader #1, Card Reader #2, Card Reader #3
Non Crypto Applications -> SCard API -> Smart Card Resource Manager
Slide 25: Smart Card Subsystem - Vista and Beyond (diagram)
Crypto Applications (IE, Outlook) -> CAPI -> Base CSP, or CNG -> Smart Card KSP
Base CSP and Smart Card KSP -> card modules: RSA Card Module, ECC Card Module, RSA/ECC Card Module
A legacy Smart Card CSP box also appears under CAPI
Smart Card Resource Manager -> Card Reader #1, Card Reader #2, Card Reader #3
Non Crypto Applications -> SCard API -> Smart Card Resource Manager
Slide 26: Smart Card Subsystem
Simplified Software Development
  Common crypto operations handled in the platform
  API for card manufacturers
Enhanced User Experience
  Planned Certification and Testing Program for Smartcard middleware on Windows Update
  PnP support for Smart Cards
Enhanced Smart Card Logon Scenarios
  Root certificates propagation
  Integrated Smart Card unblock
Slide 27: X.509 Enrollment Classes - What's new
ActiveX controls Xenroll and ScrdEnrl are retired
New comprehensive COM classes (CertEnroll) for PKI operations
“Suite-B” algorithm support
Slide 28: X.509 Enrollment Classes - Value Proposition
Xenroll
  Difficult to use monolithic interfaces
  High cost of maintenance for...
    Microsoft to support Xenroll
    Customers and Third Party CAs if and when Xenroll is updated
CertEnroll
  Easy to use modular interfaces
  No download required
Slide 29: X.509 Enrollment Classes - Architectural Block Diagram
Callers: 3rd Party Applications; Web Enrollment Services; Auto-Enrollment Provider, Certificate Management MMC, CertReq.exe
Public Enrollment Classes
Internal Enrollment Classes
Underlying: Aero Wizard & Direct UI; CAPI, CNG and Win32 API
Slide 30: X.509 Enrollment Classes - Class diagram overview
Request Classes (derive from IDispatch): IX509CertificateRequest, IX509CertificateRequestPkcs10, IX509CertificateRequestCertificate, IX509CertificateRequestPkcs7, IX509CertificateRequestCmc
Enrollment Classes (derive from IDispatch): IX509Enrollment, IX509Enrollments, IX509EnrollmentStatus
Crypto Classes (derive from IDispatch): ICspAlgorithm, ICspAlgorithms, ICspInformation, ICspInformations, ICspStatus, ICspStatuses, IX509PublicKey, IX509PrivateKey
Attribute Classes (derive from IDispatch): IX509Attribute, IX509Attributes, IX509AttributeExtensions, ICryptAttribute, ICryptAttributes, IX509Extension, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509ExtensionTemplateName, IX509ExtensionTemplate
Slide 31: X.509 Enrollment Walkthrough (demo slide; no content in the transcript)
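The walkthrough slide has no content in the transcript, so here is one written against the public classes from the slide 30 diagram, as an added PowerShell example that is not the deck's demo: an IX509PrivateKey is created in the CNG software KSP as non-exportable, an IX509CertificateRequestPkcs10 is bound to it, a subject plus IX509ExtensionKeyUsage and IX509ExtensionEnhancedKeyUsage extensions are added, and IX509Enrollment turns the encoded request into a PEM CSR ready for a CA. The CertEnroll ProgIDs and enumeration values are the documented ones from certenroll.h; the subject name, OIDs and key size are constructed for the demonstration. Assumes Vista or later, run as a normal user.

```powershell
# Added example, not from the FUN210 deck. Builds a PKCS#10 request with the
# CertEnroll COM classes; subject/OIDs/key size are constructed demo values.

function New-CertEnrollPkcs10Request {
    param(
        [string]$SubjectDn = 'CN=constructed-example-client',
        [int]$KeyLength = 2048,
        [switch]$DeleteKeyAfter
    )
    # Enumeration values from certenroll.h
    $ContextUser                          = 1     # X509CertificateEnrollmentContext
    $XCN_CERT_NAME_STR_NONE               = 0
    $XCN_NCRYPT_ALLOW_EXPORT_NONE         = 0     # X509PrivateKeyExportFlags
    $XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3     # "-----BEGIN NEW CERTIFICATE REQUEST-----" framing
    $XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80
    $XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE  = 0x20

    # IX509PrivateKey: RSA key in the CNG software KSP, marked non-exportable so
    # the private half stays in the key isolation process (slide 14).
    $rsaOid = New-Object -ComObject X509Enrollment.CObjectId
    $rsaOid.InitializeFromValue('1.2.840.113549.1.1.1')    # rsaEncryption
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = 'Microsoft Software Key Storage Provider'
    $key.Algorithm      = $rsaOid
    $key.Length         = $KeyLength
    $key.ExportPolicy   = $XCN_NCRYPT_ALLOW_EXPORT_NONE
    $key.MachineContext = $false
    $key.Create()

    # IX509CertificateRequestPkcs10 bound to that key, no template.
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey($ContextUser, $key, '')

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectDn, $XCN_CERT_NAME_STR_NONE)
    $req.Subject = $dn

    # IX509ExtensionKeyUsage: digitalSignature + keyEncipherment.
    $ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
    $ku.InitializeEncode($XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE -bor $XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE)
    $req.X509Extensions.Add($ku)

    # IX509ExtensionEnhancedKeyUsage: client authentication only.
    $ekuOid = New-Object -ComObject X509Enrollment.CObjectId
    $ekuOid.InitializeFromValue('1.3.6.1.5.5.7.3.2')       # id-kp-clientAuth
    $ekuOids = New-Object -ComObject X509Enrollment.CObjectIds
    $ekuOids.Add($ekuOid)
    $eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    $eku.InitializeEncode($ekuOids)
    $req.X509Extensions.Add($eku)

    $req.Encode()   # DER-encode and sign the CertificationRequestInfo with the new key

    # IX509Enrollment: wraps the request and emits the CSR text for a CA.
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $csr = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64REQUESTHEADER)

    $info = [pscustomobject]@{
        Subject       = $req.Subject.Name
        PublicKeyBits = $req.PublicKey.Length
        KeyContainer  = $key.ContainerName
        Csr           = $csr
    }
    if ($DeleteKeyAfter) { $key.Delete() }   # drop the demo key from the user's key store
    return $info
}

$r = New-CertEnrollPkcs10Request -DeleteKeyAfter
$r | Format-List Subject, PublicKeyBits, KeyContainer
$r.Csr
```

Without -DeleteKeyAfter the key stays in the user's KSP store under KeyContainer, which is what you want for a real enrollment: submit the CSR, then call IX509Enrollment's InstallResponse with the issued certificate so it is bound to that key. The same objects replace what Xenroll did in one monolithic control, which is the modularity argument of slide 28.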
Slide 32: Service Hardening - Motivation
Services are attractive targets for malware
  Run without user interaction
  Number of critical vulnerabilities in services
  Large number of services run as “System”
Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.
Slide 33: Service Hardening - Developer Guidance
Move to a least privileged account: use “Local Service” or “Network Service”
Remove privileges that are not needed
Grant the Service SID access via ACLs on service specific resources
Use Service-SID, ACLs and a “write-restricted token” to isolate services
Supply network firewall rules
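The guidance on this slide, as an added PowerShell example that is not part of the deck: a report over every Win32 service showing the account it runs as, its Service SID type and whether its privilege list has been trimmed, flagging SYSTEM services whose token is never reduced; and a function that applies the required-privilege list and the restricted (write-restricted) Service SID type with the sc.exe verbs the Vista SCM understands, with the ACL and firewall steps shown as the commands you would run next. The registry value names and sc.exe verbs are the documented SCM interfaces; the function names are mine. Assumes Vista or later; applying settings needs an elevated prompt.

```powershell
# Added example, not from the FUN210 deck. Read side works as a normal user;
# Set-ServiceLeastPrivilege needs administrator rights.

function Get-ServiceHardeningReport {
    $sidTypeName = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }   # SERVICE_SID_TYPE_*
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Only Win32 services (Type 0x10 own process, 0x20 shared process) run under an account.
        if ($null -eq $p.Type -or -not ($p.Type -band 0x30)) { continue }
        $account = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
        $privs   = if ($p.RequiredPrivileges) { @($p.RequiredPrivileges) } else { @() }
        $sidType = [int]($p.ServiceSidType + 0)              # missing value = 0 = None
        [pscustomobject]@{
            Name           = $svc.PSChildName
            Account        = $account
            ServiceSidType = $sidTypeName[$sidType]
            PrivilegeCount = $privs.Count   # 0 = SCM leaves the account's full privilege set
            # Highest-value review items: SYSTEM services whose token is never trimmed.
            NeedsReview    = ($account -eq 'LocalSystem' -and $privs.Count -eq 0)
        }
    }
}

function Set-ServiceLeastPrivilege {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Privileges = @('SeChangeNotifyPrivilege'),   # minimum for a service that does not impersonate
        [switch]$RestrictedSid
    )
    # RequiredPrivileges: at start the SCM removes every privilege not in this list.
    & sc.exe privs $Name ($Privileges -join '/') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe privs failed for $Name (exit $LASTEXITCODE)" }
    # sidtype restricted = write-restricted token: writes succeed only on objects whose
    # ACL grants NT SERVICE\<Name> (or Everyone, the logon SID or WRITE RESTRICTED).
    $sid = if ($RestrictedSid) { 'restricted' } else { 'unrestricted' }
    & sc.exe sidtype $Name $sid | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed for $Name (exit $LASTEXITCODE)" }
    # Next steps from the slide, run against the service's own resources:
    #   icacls "C:\ProgramData\$Name" /grant "NT SERVICE\${Name}:(OI)(CI)M"
    #   New-NetFirewallRule -DisplayName "$Name inbound" -Service $Name -Direction Inbound -Action Block
    # (New-NetFirewallRule is the Windows 8+ cmdlet; netsh advfirewall is the Vista-era equivalent.)
}

Get-ServiceHardeningReport | Where-Object NeedsReview | Sort-Object Name | Format-Table -AutoSize
```

A service still needs to be restarted for the new token to take effect, and a restricted SID type only helps once the resources the service writes to carry an ACE for its Service SID; run the report again afterwards to confirm PrivilegeCount and ServiceSidType changed.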
Slide 34: User Account Protection
Previously known as “LUA”
Users will log on as non-administrator by default
  Protects the system from the user
  Enables the system to protect the user
Consent UI allows elevation to administrator
Applications and administrator tools should be UAP aware
  Differentiate capabilities based on UAP
  Apply correct security checks to product features
Start testing your software in LH Beta1 and LH Beta2 with UAP
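What "UAP aware" looks like in code, as an added PowerShell example that is not from the deck: a query of the token's elevation type (the filtered admin token, its elevated twin, or no split at all), the EnableLUA policy, and a wrapper that runs admin-only work only on an elevated token, goes through the consent UI via Start-Process -Verb RunAs when the token is the filtered one, and otherwise falls back to the standard-user path instead of failing deep inside a feature. The TokenElevationType class and values come from winnt.h and the policy key is the documented UAC location; the function names are my own. Assumes Vista or later.

```powershell
# Added example, not from the FUN210 deck. P/Invoke signatures follow winbase.h;
# TokenElevationType = 18 and TOKEN_QUERY = 0x0008 are the winnt.h values.

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationType {
    # TOKEN_ELEVATION_TYPE tells a UAP-aware tool which of three situations it is in.
    $TOKEN_QUERY = 0x0008; $TokenElevationType = 18
    $hTok = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken([Win32.Token]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$hTok)) {
        throw 'OpenProcessToken failed'
    }
    try {
        [int]$type = 0; [int]$len = 0
        if (-not [Win32.Token]::GetTokenInformation($hTok, $TokenElevationType, [ref]$type, 4, [ref]$len)) {
            throw 'GetTokenInformation(TokenElevationType) failed'
        }
        switch ($type) {
            1 { 'Default' }   # no split token: UAP off, or a plain standard user
            2 { 'Full'    }   # the elevated half of a split admin token
            3 { 'Limited' }   # the filtered half: Administrators is deny-only, consent can elevate
        }
    } finally { [void][Win32.Token]::CloseHandle($hTok) }
}

function Get-UapState {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pr  = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    [pscustomobject]@{
        UapEnabled    = [bool]$pol.EnableLUA
        ElevationType = Get-TokenElevationType
        # IsInRole sees only enabled groups, so it is false on the filtered token
        # even though the user is a member of Administrators.
        IsElevated    = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Invoke-UapAwareTask {
    # Differentiate capabilities: admin work on an elevated token, consent-driven
    # elevation on a filtered one, and a standard-user path otherwise.
    param(
        [Parameter(Mandatory)][scriptblock]$AdminWork,
        [Parameter(Mandatory)][scriptblock]$StandardWork,
        [string]$ElevateScriptPath       # script to re-launch through the consent UI
    )
    $state = Get-UapState
    if ($state.IsElevated) { return & $AdminWork }
    if ($state.ElevationType -eq 'Limited' -and $ElevateScriptPath) {
        # -Verb RunAs triggers the consent UI up front instead of ERROR_ACCESS_DENIED later.
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList '-NoProfile', '-File', ('"{0}"' -f $ElevateScriptPath)
        return 'Elevation requested'
    }
    return & $StandardWork
}

Get-UapState
Invoke-UapAwareTask `
    -AdminWork    { 'elevated: would write machine-wide settings under HKLM' } `
    -StandardWork { 'standard user: writing per-user settings under HKCU instead' }
```

Keeping the admin-only work behind one gate like this is what lets the same binary run for a standard user, a filtered administrator and an elevated administrator with a predictable feature set in each case, which is the testing the slide asks for against the Longhorn betas.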
Slide 35: User Account Protection - Additional Information
Where can I find more information?
  Come get the whitepaper from the FUNdamentals Cabana!
  FUN406 - Windows Vista: User Account Protection “Securing Your Application with Least Privilege Administration”
Contact info?
  Darren Canavor – [email protected]
Slide 36: CNG - Additional Information
CNG documentation available for review
API documentation - currently only available with signed NDA and EULA
Contacts
  Tomas Palmer - [email protected]
  Tolga Acar - [email protected]
Slide 37: Smart Card Subsystem - Additional Information
Where can I find more information?
  Base CSP and Card Module specifications have been published to over 20 card vendors – ask if your card vendor has a card module
  Card module developer kit including card module spec, Base CSP binary, test suite, etc. is currently only available with signed NDA and EULA
  Card module developer information will be made public via MSDN in the coming months
  A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
Contact info
  Derek Adam ([email protected])
Slide 38: X.509 Enrollment Classes - Additional Information
Where can I find more information?
  Libraries included in Vista Beta 1
  Specifications are currently only available with signed NDA and EULA
Contact info?
  Anand Abhyankar – [email protected]
Slide 39: Service Hardening - Additional Information
Related Sessions
  FUNHOL019 – “Best Practices for writing Vista Services”
Contacts
  Windows Service Hardening - [email protected]
Slide 40
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.