Windows Vista Security and Compliance
Posted 12-Feb-2022
Dean Iacovelli, Chief Security Advisor – State and Local Government, Microsoft Corporation (deaniac@microsoft.com)
Security and Compliance
Agenda
Overview of Windows Vista security areas:
- Fundamentals
- Threat and vulnerability mitigation
- Identity and access control
- Information protection
NOTE: we only have 50 minutes – film at 11 !!
Overview of the four areas
- Fundamentals: Security Development Lifecycle; Threat Modeling and Code Reviews; Windows Service Hardening
- Identity and Access Control: User Account Control; Plug and Play Smartcards; Granular Auditing; Credential Manager
- Threat and Vulnerability Mitigation: Internet Explorer Protected Mode; Windows Defender
- Information Protection: BitLocker™ Drive Encryption; EFS Smartcards; Integrated RMS client
Security Development Lifecycle
- Product Inception: assign security advisor; identify security milestones; plan security integration into product
- Design: define security architecture and design guidelines; document elements of software attack surface; threat modeling
- Standards, best practices, and tools: apply coding and testing standards; apply security tools (fuzzing tools, static-analysis tools, etc.)
- Security Push: security code reviews; focused security testing; review against new threats; meet signoff criteria
- Final Security Review: independent review conducted by the security team; penetration testing; archiving of compliance info
- RTM and Deployment: signoff
- Security Response: plan and process in place; feedback loop back into the development process; postmortems
Windows XP Services (diagram): user, admin, system services, kernel
- Few layers
- Mostly high-privileged
- Limited guards between layers

Windows Vista Service Hardening (diagram): user, LUA user, admin, low-privilege services, system services, user-mode drivers, kernel drivers, kernel
- Reduced size of high-risk layers
- Increased number of layers
- Services are segmented
- Per-service SIDs to apply ACLs, firewall rules
- Device drivers moved to user mode
(Mechanisms highlighted: Service hardening; User Account Protection)
Vista Service Changes (services common to both platforms)

Windows XP SP2:
- LocalSystem: Wireless Configuration; System Event Notification; Network Connections (netman); COM+ Event System; NLA; Rasauto; Shell Hardware Detection; Themes; Telephony; Windows Audio; Error Reporting; Workstation; ICS; RemoteAccess; DHCP Client; W32time; Rasman; browser; 6to4; Help and support; Task scheduler; TrkWks; Cryptographic Services; Removable Storage; WMI Perf Adapter; Automatic updates; WMI; App Management; Secondary Logon; BITS
- NetworkService: DNS Client
- Local Service: SSDP; WebClient; TCP/IP NetBIOS helper; Remote registry

Vista client:
- LocalSystem, firewall restricted: Removable Storage; WMI Perf Adapter; Automatic updates; WMI; App Management; Secondary Logon
- LocalSystem, demand started: BITS
- Network Service, fully restricted: DNS Client; ICS; RemoteAccess; DHCP Client; W32time; Rasman; browser; 6to4; Task scheduler; IPSEC Services; Server; NLA
- Network Service, network restricted: TrkWks; Cryptographic Services
- Local Service, no network access: Wireless Configuration; System Event Notification; Network Connections; Shell Hardware Detection; Rasauto; Themes; COM+ Event System
- Local Service, fully restricted: Telephony; Windows Audio; TCP/IP NetBIOS helper; WebClient; SSDP; Error Reporting; Event Log; Workstation; Remote registry
Internet Explorer 7
- Social Engineering Protections: Phishing Filter and colored address bar; dangerous settings notification; secure defaults for all settings
- Protection from Exploits: Protected Mode to prevent malicious software; code quality improvements; ActiveX Opt-in

ActiveX Opt-in and Protected Mode: defending systems from malicious attack
- ActiveX Opt-in puts users in control: reduces attack surface; previously unused controls disabled; retain ActiveX benefits, increase user security
- Protected Mode reduces severity of threats: eliminates silent malware install; IE process "sandboxed" to protect OS
(Diagram, ActiveX Opt-in: Windows keeps controls either enabled or disabled; a user action is needed before a disabled control runs.)
(Diagram, Protected Mode: IE runs as a low-rights process; a broker process mediates user actions; IE can write its cache but not My Computer (C:).)
Windows Defender: improved detection and removal; redesigned and simplified user interface; protection for all users

Windows Vista Firewall
- Combined firewall and IPsec management: new management console; reduces conflicts and coordination overhead between technologies
- Firewall rules become more intelligent: specify authentication and encryption; specify Active Directory computer or user groups
- Outbound filtering: enterprise management feature – not for consumers
Challenges
- Too many users running as local admin by default: whatever users can do, malware can do
- Too many apps requiring local admin to run: system security must be relaxed to run the application
- Common OS tasks require local admin: simple scenarios like changing the time zone don't work

User Account Control
- Simplify common tasks: standard users can change time zone, power management, printer, wireless, and other settings
- High application compatibility: file and registry virtualization for legacy apps
- Perform most tasks as standard user: privilege level switch in UI without logoff; administrators' privilege elevated only for administrative tasks or applications; user provides explicit consent before using elevated privilege
Consent prompts differ by what is asking to elevate: operating system application; signed application; unsigned application
Improved Auditing
- More granularity: new subcategories for logon, logoff, file system access, registry access, use of administrative privilege
- New logging infrastructure: easier to filter out "noise" in logs and find the event you're looking for; tasks tied to events: when an event occurs, such as administrative privilege use, tasks such as sending an e-mail to an auditor can run automatically

Authentication Improvements
- Plug and Play Smart Cards: drivers and Cryptographic Service Provider (CSP) included in Windows Vista; logon and credential prompts for User Account Control all support smart cards
- New logon architecture: GINA (the old Windows logon model) is gone; less coding required for 3rd-party biometric, one-time password tokens, and other authentication methods to Windows
BitLocker™ Drive Encryption
- Designed to prevent a thief from breaking the OS
- Provides data protection on your Windows client systems, even when the system is in unauthorized hands
- Uses a v1.2 TPM or USB flash drive for key storage

Spectrum of Protection
- TPM only ("what it is"): protects against software-only attacks; vulnerable to hardware attacks (including potentially "easy" hardware attacks)
- TPM + PIN ("what you know"): protects against many hardware attacks; vulnerable to TPM-breaking attacks
- Dongle only ("what you have"): protects against all hardware attacks; vulnerable to losing the dongle and to pre-OS attacks
- TPM + dongle ("two what-I-haves"): protects against many hardware attacks; vulnerable to hardware attacks
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.
Recovery Options
- BitLocker™ setup will automatically escrow keys and passwords into AD: centralized storage/management of keys
- Can also back up keys and passwords onto a USB dongle or to a file location (set via policy): default for non-domain-joined users; recovery password known by the user/administrator
- Recovery can occur "in the field" – 48-char recovery password
- Delete the keys and you have securely de-provisioned that machine!!
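The 48-character recovery password mentioned above has a checkable structure, which is what lets a help-desk operator catch a mistyped digit before the user retries at the pre-boot prompt. The following is an added example, not code from the presentation: it validates a recovery password against the documented rule (eight groups of six digits, each group a multiple of 11 and below 720896, so each carries one 16-bit value) and converts between the password and its 128-bit key. Treating the eight 16-bit values as little-endian words when assembling the 16 bytes is this example's assumption about byte order; the divisibility check is the documented part.

```python
"""BitLocker 48-digit recovery password: validate and decode.

Added example; not code from the presentation. Documented rule: eight groups
of six digits, each divisible by 11 and < 720896 (= 11 * 65536). Byte order
of the assembled 16-byte key (little-endian words) is an assumption here.
"""
import re

GROUPS = 8
GROUP_MAX = 11 * 65536          # 720896: first value that no longer fits 16 bits
_FORMAT = re.compile(r"^\d{6}(?:-\d{6}){7}$")


def validate_recovery_password(text: str) -> list:
    """Return the eight group values, or raise ValueError naming the failed check."""
    compact = re.sub(r"\s", "", text)          # tolerate spaces pasted from a printout
    if not _FORMAT.match(compact):
        raise ValueError("expected 8 groups of 6 digits separated by '-'")
    groups = [int(g) for g in compact.split("-")]
    for index, group in enumerate(groups, start=1):
        if group % 11:
            raise ValueError(f"group {index} ({group:06d}) is not divisible by 11")
        if group >= GROUP_MAX:
            raise ValueError(f"group {index} ({group:06d}) exceeds {GROUP_MAX - 1}")
    return groups


def is_valid_recovery_password(text: str) -> bool:
    try:
        validate_recovery_password(text)
        return True
    except ValueError:
        return False


def recovery_password_to_key(text: str) -> bytes:
    """Decode the password to its 128-bit recovery key (16 bytes)."""
    words = [group // 11 for group in validate_recovery_password(text)]
    return b"".join(word.to_bytes(2, "little") for word in words)   # byte order: assumption


def key_to_recovery_password(key: bytes) -> str:
    """Inverse of recovery_password_to_key; used to construct sample passwords."""
    if len(key) != 16:
        raise ValueError("recovery key must be exactly 16 bytes")
    words = [int.from_bytes(key[i:i + 2], "little") for i in range(0, 16, 2)]
    return "-".join(f"{word * 11:06d}" for word in words)


if __name__ == "__main__":
    # Constructed key; a real one would be random and escrowed in AD per the slide.
    sample = key_to_recovery_password(bytes(range(16)))
    print(sample, is_valid_recovery_password(sample))
    typo = sample[:5] + "7" + sample[6:]      # one wrong digit in the first group
    print(typo, is_valid_recovery_password(typo))
```

The multiple-of-11 rule is not decoration: because 10^k is congruent to +1 or -1 modulo 11, changing any single digit alters a group by a non-zero amount modulo 11, and swapping two different adjacent digits does too, so every such typo is rejected locally instead of producing a wrong key that BitLocker silently fails to unlock with.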
EFS Enhancements: Extended Security Scenarios
- Support for private keys stored on smartcards
- New Group Policies for enterprise management
- Key and certificate backup notification
- Diagnostics wizard for troubleshooting

Windows Vista Security Summary
- Fundamentals: SDL; Service Hardening; Code Scanning; Default configuration; Code Integrity
- Threat and Vulnerability Mitigation: IE protected mode/anti-phishing; Windows Defender; bi-directional firewall; IPsec improvements; Network Access Protection (NAP)
- Identity and Access Control; Information Protection: User Account Control; Plug and Play Smartcards; Simplified logon architecture; BitLocker; RMS Client

Resources
- Vista security overview: http://www.microsoft.com/technet/windowsvista/security/default.mspx
- White papers: http://www.microsoft.com/security/windowsvista/default.mspx
- Vista security blog: http://blogs.msdn.com/windowsvistasecurity/
- Vista security on-demand webcasts: http://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032293003&Culture=en-US
- http://go.microsoft.com/?linkid=4573437
- http://www.microsoft.com/winme/0605/27914/Mike_Nash_Vista_Demo_MBR.asx
COMING AT LAUNCH: Windows Vista Security Guide
Phishing Filter: Dynamic Protection Against Fraudulent Websites
3 "checks" to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double-checks site with online Microsoft service of reported phishing sites, updated several times every hour
Two levels of warning and protection in the IE7 Security Status Bar:
- Level 1: Warn – suspicious website (signaled)
- Level 2: Block – confirmed phishing site (signaled and blocked)
Protected Mode: IE6 versus IE7 (diagram)

IE6 running with admin rights: a single IExplore process has admin-rights access (HKLM, Program Files) and user-rights access (HKCU, My Documents, Startup Folder) as well as Temp Internet Files. The same process that caches web content can install a driver, run Windows Update, change settings or download a picture, so an exploit can install MALWARE, and untrusted files & settings land anywhere the process can write.

IE7 with Protected Mode and UAC: IExplore runs as a low-rights process under Integrity Control and can write only Temp Internet Files (untrusted files & settings). A Compat Redirector captures redirected settings & files. An IEUser broker with user-rights access handles "change settings" and "save a picture" (HKCU, My Documents, Startup Folder); an IEAdmin broker with admin-rights access handles "install an ActiveX control" (HKLM, HKCR, Program Files).

Advanced Malware Protection: Protected Mode IE and UAC contain threats.
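The "Integrity Control" box in the diagram above, and the "IE process sandboxed" bullet on the earlier Protected Mode slide, both rest on Vista's Mandatory Integrity Control: every process token and every securable object carries an integrity level, and a lower-integrity subject cannot write to a higher-integrity object regardless of the DACL. The following is an added example, not code from the presentation: it parses the mandatory-label ACE that SDDL writes as `S:(ML;;<policy>;;;<level>)`, applies the no-write-up / no-read-up / no-execute-up rules with unlabelled objects treated as Medium, and then classifies a Low-integrity IE write the way the diagram does. The list of per-user locations that the Compat Redirector virtualizes is this example's own assumption for illustration.

```python
"""Mandatory Integrity Control as relied on by IE7 Protected Mode.

Added example; not code from the presentation. Parses SDDL mandatory-label
ACEs, S:(ML;;NW|NR|NX;;;LW|ME|MP|HI|SI or S-1-16-<rid>), and evaluates the
Vista rules. The redirect list at the bottom is an illustrative assumption.
"""
import re

# Integrity RIDs under the mandatory-label authority S-1-16.
LEVELS = {"untrusted": 0x0000, "low": 0x1000, "medium": 0x2000,
          "medium_plus": 0x2100, "high": 0x3000, "system": 0x4000}
SDDL_LEVEL_ALIASES = {"LW": 0x1000, "ME": 0x2000, "MP": 0x2100,
                      "HI": 0x3000, "SI": 0x4000}
_ML_ACE = re.compile(r"\(ML;;(?P<policy>[A-Z]*);;;(?P<sid>[A-Z0-9\-]+)\)")
_BLOCKING_POLICY = {"write": "NW", "read": "NR", "execute": "NX"}


def parse_label(sddl: str):
    """Return (level_rid, set_of_policies) from the ML ACE, or (None, set()) if none."""
    match = _ML_ACE.search(sddl)
    if not match:
        return None, set()
    policies = set(re.findall(r"NW|NR|NX", match.group("policy")))
    sid = match.group("sid")
    if sid in SDDL_LEVEL_ALIASES:
        level = SDDL_LEVEL_ALIASES[sid]
    elif sid.startswith("S-1-16-"):
        level = int(sid.rsplit("-", 1)[1])
    else:
        raise ValueError(f"not a mandatory-label SID: {sid}")
    return level, policies


def access_allowed(subject_level: int, object_sddl: str, access: str) -> bool:
    """MIC decision only (the DACL is a separate, additional check).

    A subject at or above the object's level passes. Below it, the access is
    refused only if the label's policy names it (NW for write, NR for read,
    NX for execute). Objects with no label are treated as Medium with NW.
    """
    level, policies = parse_label(object_sddl)
    if level is None:
        level, policies = LEVELS["medium"], {"NW"}
    if subject_level >= level:
        return True
    return _BLOCKING_POLICY[access] not in policies


# Assumption for illustration: per-user locations the Compat Redirector virtualizes.
REDIRECTED_ROOTS = (r"HKCU\Software", r"%USERPROFILE%\Documents")


def protected_mode_write(path: str, object_sddl: str) -> str:
    """Where a write from the Low-integrity IE process ends up (as in the diagram)."""
    if access_allowed(LEVELS["low"], object_sddl, "write"):
        return "written directly: object is labelled Low"
    if path.startswith(REDIRECTED_ROOTS):
        return "redirected: Compat Redirector sends it to the low-integrity virtual store"
    return "denied in-process: needs the IEUser/IEAdmin broker and user consent"


if __name__ == "__main__":
    # Constructed sample objects: only the Low cache folder carries an explicit label.
    samples = {
        r"%USERPROFILE%\...\Temporary Internet Files\Low\page.htm": "S:(ML;;NW;;;LW)",
        r"HKCU\Software\Contoso\Settings": "",
        r"%USERPROFILE%\Documents\cat.jpg": "",
        r"HKLM\Software\Classes\CLSID\{...}": "",
    }
    for path, sddl in samples.items():
        print(f"{path}\n  -> {protected_mode_write(path, sddl)}")
```

Note what the model makes visible: reads still succeed from Low to Medium unless the label says NR, which is why Protected Mode limits damage (no silent install, no persistence in Startup or HKCU) rather than hiding the user's data from a compromised renderer.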
BitLocker™ Hardware Requirements
Hardware requirements to support BDE:
- Trusted Platform Module (TPM) v1.2: provides platform integrity measurement and reporting; requires platform support for the TPM Interface Specification (TIS)
- Firmware (conventional or EFI BIOS) – TCG compliant: establishes chain of trust for pre-OS boot; must support the TCG-specified Static Root of Trust for Measurement (SRTM)
- Additional functionality enabled by USB dongle
- At least 2 partitions; partitions should be NTFS.

What Is a Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
- Helps protect secrets
- Performs cryptographic functions: RSA, SHA-1, RNG; meets encryption export requirements
- Can create, store and manage keys: provides a unique Endorsement Key (EK); provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
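The SRTM chain of trust just described, and the "Spectrum of Protection" slide earlier (TPM only versus TPM + PIN), come together in one mechanism: each pre-OS component is hashed into a Platform Configuration Register, and the volume master key is sealed so the TPM releases it only when the PCR values match those at the time of sealing. The following is an added example, not code from the presentation and not BitLocker's actual key schedule: the PCR extend step (SHA-1 of old value concatenated with the component hash) is the TPM 1.2 operation, while the single-register composite, the SRK-keyed wrap and the way the PIN is mixed in are simplified stand-ins so the behaviour can be run here.

```python
"""Simulated TPM 1.2 measured boot and key sealing, as used by BitLocker.

Added example; not code from the presentation. PCR extend is the real TPM 1.2
operation; the composite digest, SRK-keyed wrapping and PIN mixing are
simplified models, not BitLocker's real key management.
"""
import hashlib
import hmac
import os

PCR_LEN = 20   # TPM 1.2 PCRs are SHA-1 sized


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Static root of trust: hash each pre-OS component into the PCR, in order.

    BitLocker really spreads these over several PCRs (firmware, MBR, boot
    sector, boot manager, ...); one register is enough to show the property.
    """
    pcr = bytes(PCR_LEN)          # PCRs reset to all zeros at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimTpm:
    """Holds an SRK that never leaves the 'chip' and seals secrets to a PCR state."""

    def __init__(self, srk: bytes = None):
        self._srk = srk or os.urandom(32)

    def _kek(self, pcr_digest: bytes, auth: bytes) -> bytes:
        # Wrapping key depends on the SRK, the expected PCR state and (optionally) a PIN.
        return hmac.new(self._srk, pcr_digest + auth, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_digest: bytes, auth: bytes = b"") -> dict:
        if len(secret) != 32:
            raise ValueError("secret must be 32 bytes in this model")
        kek = self._kek(pcr_digest, auth)
        return {
            "pcr_digest": pcr_digest,
            "blob": bytes(a ^ b for a, b in zip(secret, kek)),
            "mac": hmac.new(kek, secret, hashlib.sha256).digest(),
        }

    def unseal(self, sealed: dict, current_pcr: bytes, auth: bytes = b""):
        """Return the secret, or None if the boot chain changed or the PIN is wrong."""
        if current_pcr != sealed["pcr_digest"]:
            return None                              # measured boot differs: no key release
        kek = self._kek(current_pcr, auth)
        secret = bytes(a ^ b for a, b in zip(sealed["blob"], kek))
        if not hmac.compare_digest(hmac.new(kek, secret, hashlib.sha256).digest(), sealed["mac"]):
            return None                              # wrong PIN: wrapping key mismatch
        return secret


# Constructed boot chain; a real SRTM measures firmware, MBR, boot sector, bootmgr, ...
GOOD_BOOT = [b"firmware image", b"MBR", b"NTFS boot sector", b"bootmgr"]


def demo() -> dict:
    tpm = SimTpm(srk=b"\x01" * 32)                   # fixed SRK so the run is reproducible
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    pin = b"1234"
    tpm_only = tpm.seal(vmk, measure_boot(GOOD_BOOT))
    tpm_pin = tpm.seal(vmk, measure_boot(GOOD_BOOT), pin)
    tampered = GOOD_BOOT[:3] + [b"bootmgr with patched code"]
    return {
        "tpm_only_clean": tpm.unseal(tpm_only, measure_boot(GOOD_BOOT)) == vmk,
        "tpm_only_tampered": tpm.unseal(tpm_only, measure_boot(tampered)),
        "tpm_pin_right": tpm.unseal(tpm_pin, measure_boot(GOOD_BOOT), pin) == vmk,
        "tpm_pin_wrong": tpm.unseal(tpm_pin, measure_boot(GOOD_BOOT), b"0000"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The model also shows the limit the spectrum slide warns about: in TPM-only mode nothing a user knows is required, so an attacker who boots the untouched chain and can read the released key from hardware (the "easy HW attacks" on that slide) gets the volume; TPM + PIN closes that path because the wrapping key also depends on the PIN.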
BitLocker™ Features Overview
- BitLocker Drive Encryption (BDE): prevents bypass of Windows' boot process
- TPM Base Services (TBS): Windows and 3rd-party software access to the TPM
- Pre-OS multi-factor authentication: dongle, BIOS, and TPM-backed software identity
- Bit-chipping: sys-admin-only tool to securely speed up PC re-deployment
- Single MS TPM driver: improved stability and security
Scenarios: lost or stolen laptop; branch-office server