DIFFICULTY: 200. Windows Vista Security. Rafal Lukawiecki, Strategic Consultant, rafal@projectbotticelli.co.uk, Project Botticelli Ltd. This presentation is based on work by Microsoft TechNet, MSDN and various Microsoft authors including, with special thanks: Ramprabhu Rathnam, Tony Northrup, and Austin Wilson


Page 1:

DIFFICULTY: 200

Windows Vista Security

Rafal Lukawiecki
Strategic Consultant, rafal@projectbotticelli.co.uk
Project Botticelli Ltd

This presentation is based on work by Microsoft TechNet, MSDN and various Microsoft authors including, with special thanks: Ramprabhu Rathnam, Tony Northrup, and Austin Wilson

Page 2:

Pakistan Developer Conference ‘06

Objectives

Overview new security features of Windows Vista explaining their purpose

Relate Vista to emergent security technologies

Excite you about the new opportunities

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

Page 3:

Session Agenda

Introduction
A Corporate Scenario
Foundational Protection
Networking
User Account Control
Authentication & Authorization
Integrated Security Control
Securing the Startup
Data Protection
Summary

Page 4:

Engineering Excellence
Windows Vista Development Process

Microsoft followed their Security Development Lifecycle (SDL) process while creating Windows Vista

Periodic mandatory security training
Assignment of security advisors for all components
Threat modeling as part of the design phase
Security reviews and testing built into the schedule
Security metrics for product teams

Common Criteria (CC) Certification compliance is one of the major goals (see later)

CC is maintained by the US National Institute of Standards and Technology (who are also responsible for FIPS)
csrc.nist.gov/cc

Page 5:

A Corporate Scenario

Page 6:

With Windows Vista…

1. NAP (Network Access Protection) ensures the computer adheres to your policy (e.g. has required updates, virus signatures etc.) before “Longhorn” servers allow it to use the network

If the PC is non-compliant, it will be given a chance to update

2. While starting up, the system is protected through BitLocker and TPM (Trusted Platform Module), preventing off-line modifications

3. Multiple types of logon devices and identities can be selected by the user without losing a consistent UI

4. The user logs on using a non-admin account. If admin rights are truly needed, the user’s approval is requested. For legacy apps, virtualisation of admin changes is offered.

5. IE improvements help user browse the web with no fear of malware and better privacy protection

6. When updates are available, Restart Manager ensures minimum of disruption, even if running applications are left on a locked workstation

Read: www.microsoft.com/technet/windowsvista/evaluate/admin/mngsec.mspx

Page 7:

Foundational Protection

Page 8:

Windows Service Hardening
Defense-in-Depth: Factoring and Profiling of Windows Kernel

[Diagram: layered model showing Kernel Drivers, User-mode Drivers, and Services 1, 2, 3, …, A, B, each behind its own defence boundary. Stated goals: reduce size of high risk layers; segment the services; increase number of layers]

Page 9:

Windows Service Hardening

Windows Services became a large attack surface due to their privileges and being “always-on”

Improvements:

SID (per-service Security Identifier) recognised in ACLs (Access Control Lists), so a service can protect its resources

Firewall policy prohibiting network access by services (subject to ACLs and SIDs)

Stripping of unnecessary privileges on per-service basis

Moving from LocalSystem to LocalService or NetworkService when possible

Use of write-restricted tokens for service processes
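The slide's guidance (move services off LocalSystem, strip privileges, keep services out of the interactive desktop) is easiest to act on with an audit of what each service actually runs as. The following is an added example, not code from the presentation or from Microsoft: it parses text in the shape of `sc qc <service>` output and flags services that deviate from the guidance. The three service blocks are constructed sample data (the "AcmeAgent" service and its path are hypothetical), not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `sc qc <service>` output for three
# services, concatenated. Not captured from a real machine.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        SERVICE_START_NAME : NT AUTHORITY\\NetworkService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AcmeAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\Acme\\agent.exe
        DISPLAY_NAME       : Acme Agent (hypothetical)
        SERVICE_START_NAME : LocalSystem
"""


@dataclass
class ServiceConfig:
    name: str
    account: str
    binary: str
    start_type: str
    interactive: bool


def _build(fields):
    return ServiceConfig(
        name=fields["name"],
        account=fields.get("SERVICE_START_NAME", ""),
        binary=fields.get("BINARY_PATH_NAME", ""),
        start_type=fields.get("START_TYPE", ""),
        interactive="interactive" in fields.get("TYPE", "").lower(),
    )


def parse_sc_qc(text):
    """Parse one or more `sc qc` blocks into ServiceConfig records."""
    services = []
    current = {}
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            if current:
                services.append(_build(current))
            current = {"name": m.group(1)}
            continue
        # Indented "FIELD : value" lines belong to the current service.
        m = re.match(r"\s+(\w+)\s*:\s*(.*)$", line)
        if m and current:
            current[m.group(1)] = m.group(2).strip()
    if current:
        services.append(_build(current))
    return services


# The two built-in low-privilege accounts the slide recommends over LocalSystem.
LOW_PRIV_ACCOUNTS = ("localservice", "networkservice")


def audit(services):
    """Return {service_name: [findings]} for services that deviate from the
    hardening guidance: avoid LocalSystem, avoid interactive services, and
    prefer the built-in low-privilege accounts or a minimal custom account."""
    findings = {}
    for svc in services:
        issues = []
        acct = svc.account.lower()
        if acct == "localsystem":
            issues.append("runs as LocalSystem; evaluate LocalService or NetworkService")
        elif not any(acct.endswith(a) for a in LOW_PRIV_ACCOUNTS):
            issues.append(f"runs as custom account '{svc.account}'; verify its privileges are minimal")
        if svc.interactive:
            issues.append("interactive service type; should not touch the desktop")
        if issues:
            findings[svc.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_sc_qc(SC_QC_OUTPUT)).items():
        print(name, "->", "; ".join(issues))
```

On a real Vista host the input would come from `sc qc` for each service name; the parser ignores the `[SC]` status lines and any fields it does not need, so extra lines such as dependencies do not break it.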

Page 10:

Integrated Windows Defender

Integrated detection, cleaning, and real-time blocking of malware:

Malware, rootkits, and spyware

Targeted at consumers – enterprise manageability will be available as a separate product

Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove worst worms, bots, and trojans during an upgrade and on a monthly basis

Page 11:

Windows Live OneCare

Optional fee-based service

Antivirus

Integration with Antispyware (Windows Defender)

System tuning

Update assurance

Backup

Page 12:

Internet Explorer 7

In addition to building on UAC (see later), IE includes:

Protected Mode that only allows IE to browse with no other rights, even if the user has them, such as to install software

“Read-only” mode, except for Temporary Internet Files, when the browser is in the Internet security zone

All cached data cleared with a single click

Page 13:

Phishing Filter in IE
Dynamic Protection Against Fraudulent Websites

3 checks to protect users from phishing scams:

1. Compares the web site with a local list of known legitimate sites

2. Scans the web site for characteristics common to phishing sites

3. Double-checks the site with an online Microsoft service of reported phishing sites, updated several times every hour

Two Levels of Warning and Protection in the IE7 Security Status Bar

Level 1: Warn: Suspicious Website (signaled)

Level 2: Block: Confirmed Phishing Site (signaled and blocked)
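The three checks and two outcome levels above form a small pipeline, shown here as an added example that is not code from the presentation or from Internet Explorer: an allowlist short-circuits the check, heuristics produce a "warn", and a reported-site list produces a "block" that takes precedence over a warning. The allowlist, the reported-site list, the brand names and the specific heuristics are all constructed for the example; IE7's real lists and heuristics are not public on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists: stand-ins for the local legitimate-site list (check 1)
# and the online reported-phishing service (check 3).
KNOWN_LEGITIMATE = {"example.com", "bank.example", "www.bank.example"}
REPORTED_PHISHING = {"bank-example-verify.test", "secure-login.example.net"}
# Brand names that a fraudulent page might reuse (constructed).
BRANDS = ("bank", "paypal", "microsoft")

ALLOW = "allow"
WARN = "warn"    # level 1: suspicious site, signalled in the status bar
BLOCK = "block"  # level 2: confirmed phishing site, signalled and blocked


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable-domain guess: last two labels (enough for the example)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_score(url):
    """Check 2: characteristics common to phishing sites.
    Returns the list of heuristics that fired (empty means nothing suspicious)."""
    parts = urlsplit(url)
    host = _host(url)
    path = parts.path.lower()
    hits = []
    if _is_ip_literal(host):
        hits.append("ip-address host")
    if host.count(".") >= 4:
        hits.append("many subdomains")
    if "@" in parts.netloc:
        hits.append("userinfo in authority")
    brand_used = any(b in host for b in BRANDS) or any(b in path for b in BRANDS)
    if brand_used and _registrable(host) not in KNOWN_LEGITIMATE:
        hits.append("brand name outside the brand's own domain")
    if parts.scheme != "https" and any(w in path for w in ("login", "verify", "account")):
        hits.append("credential page over plain http")
    return hits


def classify(url):
    """Run the three checks in the slide's order; return (verdict, reason)."""
    host = _host(url)
    # Check 1: known legitimate site, no further checks.
    if host in KNOWN_LEGITIMATE or _registrable(host) in KNOWN_LEGITIMATE:
        return ALLOW, "known legitimate site"
    # Check 2: heuristics on the site itself.
    hits = heuristic_score(url)
    # Check 3: reported phishing sites; a confirmed report outranks a warning.
    if host in REPORTED_PHISHING:
        return BLOCK, "reported phishing site"
    if hits:
        return WARN, "; ".join(hits)
    return ALLOW, "no indicators"


if __name__ == "__main__":
    for u in ("https://www.bank.example/login",
              "http://192.0.2.10/bank/verify",
              "https://bank-example-verify.test/",
              "https://news.example.org/"):
        print(u, "->", classify(u))
```

The ordering matters for the user experience the slide describes: a confirmed report must never be downgraded to a mere warning because the heuristics happened to fire, and a known-good site must not be delayed by the online lookup.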

Page 14:

Security in .NET Framework 3.0

.NET Framework 3.0, the set of Windows Vista APIs, provides stronger support for Code Access Security and Evidence-Based Security

In essence, the improvements of .NET Framework 2.0

Windows Communication Foundation (WCF) introduces a model of abstracted security and full support for WS-* Security Guidelines

Formerly known as “Indigo”

Page 15:

Networking

Page 16:

NG TCP/IP
Next Generation TCP/IP in Vista and “Longhorn”

A new, fully re-worked replacement of the old TCP/IP stack
Dual-stack IPv6 implementation, with now obligatory IPSec

IPv6 is more secure than IPv4 by design, esp.:
Privacy, tracking, network port scanning, confidentiality and integrity

Other network-level security enhancements for both IPv4 and IPv6:
Strong Host model
Windows Filtering Platform
Improved stack-level resistance to all known TCP/IP-based denial of service and other types of network attacks
Routing Compartments
Auto-configuration and no-restart reconfiguration

Read: www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx

Page 17:

Windows Vista Firewall

Both inbound and outbound

Authentication and authorization aware

Outbound application-aware filtering is now possible

Includes IPSec management

Of course, policy-based administration

Great for Peer-to-Peer control

Page 18:

Network Access Protection

NAP is a new technology that has roots in VPN quarantine, but now extends to all network clients, not just remote access

Relies on NAP-aware servers, which means Windows “Longhorn” Servers for now

You specify a policy of:
required OS patches, virus signature updates, presence or absence of certain applications, any arbitrary checks

…and the system disallows all access to network if policy has not been met, except:

access to a location where updates etc. can be downloaded

Page 19:

Network Access Protection

[Diagram: NAP components and flow. Windows Vista Client; DHCP, VPN, switch/router; Network Policy Server (Microsoft); Policy Servers, e.g. Microsoft Security Center, SMS, Antigen, or 3rd party; Restricted Network; Fix-Up Servers, e.g. WSUS, SMS and 3rd party; Corporate Network. Numbered steps 1 to 5 show a policy-compliant client admitted to the Corporate Network, and a non-compliant client held on the Restricted Network until the Fix-Up Servers bring it into compliance]
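The two NAP slides describe a decision: evaluate the client's reported health against the policy (patch level, signature freshness, required and forbidden applications), either admit it to the corporate network or hold it on a restricted network where only fix-up servers are reachable, then re-evaluate after remediation. The following added example models that decision; it is not NAP's own protocol or code, and the policy values, server names (`wsus.corp.example`, `sms.corp.example`) and statements of health are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class HealthPolicy:
    """What the administrator requires (constructed values in the test)."""
    min_patch_level: int
    max_signature_age_days: int
    required_apps: set = field(default_factory=set)
    forbidden_apps: set = field(default_factory=set)
    # Hypothetical fix-up server names reachable from the restricted network.
    remediation_servers: tuple = ("wsus.corp.example", "sms.corp.example")


@dataclass
class StatementOfHealth:
    """What the client reports about itself (constructed)."""
    patch_level: int
    signature_date: date
    installed_apps: set


@dataclass
class AccessDecision:
    network: str        # "corporate" or "restricted"
    failures: list      # why the client was not admitted (empty if admitted)
    reachable: tuple    # what the client may talk to on that network


def evaluate(policy, soh, today):
    """Compare a statement of health with the policy and place the client."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append(f"patch level {soh.patch_level} < required {policy.min_patch_level}")
    if today - soh.signature_date > timedelta(days=policy.max_signature_age_days):
        failures.append(f"virus signatures older than {policy.max_signature_age_days} days")
    for app in sorted(policy.required_apps - soh.installed_apps):
        failures.append(f"required application missing: {app}")
    for app in sorted(policy.forbidden_apps & soh.installed_apps):
        failures.append(f"forbidden application present: {app}")
    if failures:
        # Restricted network: only the fix-up servers are reachable.
        return AccessDecision("restricted", failures, policy.remediation_servers)
    return AccessDecision("corporate", [], ("*",))


def remediate_and_retry(policy, soh, today):
    """Model the 'given a chance to update' path: the fix-up servers supply
    patches, fresh signatures and required applications, then the client is
    evaluated again. They do not remove forbidden software, so a client
    carrying a forbidden application stays restricted."""
    first = evaluate(policy, soh, today)
    if first.network == "corporate":
        return first, first
    updated = StatementOfHealth(
        patch_level=max(soh.patch_level, policy.min_patch_level),
        signature_date=today,
        installed_apps=soh.installed_apps | policy.required_apps,
    )
    return first, evaluate(policy, updated, today)


if __name__ == "__main__":
    policy = HealthPolicy(10, 7, {"antivirus"}, {"p2p-client"})
    stale = StatementOfHealth(8, date(2006, 5, 1), set())
    before, after = remediate_and_retry(policy, stale, date(2006, 6, 1))
    print(before.network, before.failures)
    print(after.network, after.failures)
```

The second return value of `remediate_and_retry` is what an administrator wants to see in logs: whether quarantine actually ended in compliance, or whether the client needs human attention because remediation cannot fix the finding.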

Page 20:

User Account Control

Page 21:

User Account Control

Helps implement Least Privilege principle in two distinct ways:

1. Every user is a standard user
Older, legacy, or just greedy applications’ attempts to change your system’s settings will be virtualised so they do not break anything

2. Each genuine need to use administrative privileges will require:
Selection of a user who has those permissions (credential prompting), or
Confirmation of the intent to carry on with the operation (consent prompting)

Read: www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

Page 22:

Fundamental Change to Windows Operation

Fixes the system to work well as a standard user

Registry and file virtualization to provide compatibility

Per-machine registry writes are redirected to per-user locations if the user does not have administrative privileges

Effectively: standard accounts can run “admin-required” legacy applications safely!

You can redirect the virtualization store

Page 23:

Authentication & Authorization

Page 24:

Windows Logon Experience

GINA has been replaced with Credential Service Provider interfaces

Logon UI can interact with multiple plug-in Credential Providers
Direct support for multi-factor authentication: smartcards and tokens, biometrics etc.
Plug-and-play for smartcards

Common CSPs (Cryptographic Service Providers), and
Card Communication Modules
Key Storage Providers

Root certificate propagation
Integrated smartcard unblocking

Page 25:

Integrated Security Control

Page 26:

Control Over Device Installation

Control over removable device installation via a policy
Mainly to disable USB-device installation, as many corporations worry about intellectual property leaks

You can control them by device class or driver

Approved drivers can be pre-populated into trusted Driver Store

Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:

Non-corporate standard drivers

Unsigned drivers

Page 27:

Client Security Scanner

Discovers and reports the Windows client’s security state:

Patch and update levels

Security state

Signature files

Anti-malware status

Ability for Windows to self-report its state

Information can be collected centrally, or just reviewed in the Security Center by the users and admins

Page 28:

Restart Manager

Some updates require a restart

Restart Manager will:
Minimise the number of needed restarts by pooling updates

Deal with restarts of computers that may be left locked by a user with applications running

E.g. after a restart, Microsoft Word will re-open a document on page 42, as it was before the restart

This function is of most importance to centralised desktop management in corporations, not home users, of course

Page 29:

Securing the Startup

Page 30:

Trusted Platform Module

TPM Chip Version 1.2

Hardware present in the computer, usually a chip on the motherboard
Securely stores credentials, such as a private key of a machine certificate, and is crypto-enabled

Effectively, the essence of a smart smartcard

TPM can be used to request encryption and digital signing of code and files and for mutual authentication of devices
See www.trustedcomputinggroup.org

Page 31:

Code Integrity

All DLLs and other OS executables have been digitally signed

Signatures verified when components load into memory

Page 32:

BitLocker™

BitLocker strongly encrypts and signs the entire hard drive (full volume encryption)

TPM chip provides key management
Can use additional protection factors such as a USB dongle, PIN or password

Any unauthorised off-line modification to your data or OS is discovered and no access is granted

Prevents attacks which use utilities that access the hard drive while Windows is not running, and enforces the Windows boot process

Protects data after laptop theft etc.
Data recovery strategy must be planned carefully!

Vista supports three modes: key escrow, recovery agent, backup
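The TPM and BitLocker slides rest on two chip operations: each boot component is measured into a Platform Configuration Register (PCR), and the volume key is sealed so the chip releases it only when the PCRs hold the expected value. The following is an added simulation, not a TPM interface and not BitLocker's code: it models PCR extend and seal/unseal in pure Python and shows why an off-line modification of a boot component, or a change in boot order, leaves the volume locked. The boot component strings and the key-wrapping construction are constructed for the example; a real TPM 1.2 wraps with its storage root key inside the chip.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers


class SimulatedTPM:
    """Minimal model of PCR extend and seal/unseal. Not a real TPM API."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)   # reset to all zeros at power-on
        self._srk = os.urandom(32)   # stands in for the storage root key; never leaves the chip

    def extend(self, component: bytes):
        # PCR_new = SHA1(PCR_old || SHA1(component)): one-way and order-sensitive,
        # so the final value commits to every component and their sequence.
        digest = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        return self.pcr

    def seal(self, secret: bytes, expected_pcr: bytes):
        """Bind a secret to an expected PCR value (constructed wrapping scheme)."""
        assert len(secret) <= 32, "model supports secrets up to 32 bytes"
        wrap = hashlib.sha256(self._srk + expected_pcr).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, wrap))
        tag = hmac.new(self._srk, expected_pcr + ciphertext, hashlib.sha256).digest()
        return {"pcr": expected_pcr, "ct": ciphertext, "tag": tag}

    def unseal(self, blob):
        """Release the secret only if the current PCR equals the sealed PCR."""
        if not hmac.compare_digest(self.pcr, blob["pcr"]):
            return None
        expected_tag = hmac.new(self._srk, blob["pcr"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(blob["tag"], expected_tag):
            return None
        wrap = hashlib.sha256(self._srk + self.pcr).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


# Constructed stand-ins for the measured boot chain.
TRUSTED_BOOT = [
    b"firmware v1 (constructed)",
    b"boot manager (constructed)",
    b"OS loader (constructed)",
]


def measure_boot(tpm, components):
    """Simulate power-on followed by measuring each component in order."""
    tpm.pcr = bytes(PCR_SIZE)
    for component in components:
        tpm.extend(component)
    return tpm.pcr


def provision(tpm, volume_key):
    """Seal the volume key to the PCR value of the trusted boot chain."""
    expected = measure_boot(tpm, TRUSTED_BOOT)
    return tpm.seal(volume_key, expected)


def boot_and_unlock(tpm, blob, components):
    """Boot with the given components; returns the volume key or None."""
    measure_boot(tpm, components)
    return tpm.unseal(blob)


if __name__ == "__main__":
    tpm = SimulatedTPM()
    blob = provision(tpm, bytes(range(32)))
    print("clean boot unlocks:", boot_and_unlock(tpm, blob, TRUSTED_BOOT) is not None)
    tampered = TRUSTED_BOOT[:2] + [b"OS loader (modified offline)"]
    print("tampered boot unlocks:", boot_and_unlock(tpm, blob, tampered) is not None)
```

The same property that defeats off-line tampering is why the slide insists on a recovery strategy: a legitimate firmware or boot-manager update also changes the PCR value, and without an escrowed recovery key the volume stays locked until the sealing is redone.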

Page 33:

Data Protection

Page 34:

RMS, EFS, and BitLocker

Three levels of protection:

Rights Management Services
Per-document enforcement of policy-based rights

Encrypting File System
Per file or folder encryption of data for confidentiality

BitLocker™ Full Volume Encryption
Per volume encryption (see earlier)

Note: it is not necessary to use a TPM for RMS and EFS
EFS can use smartcards and tokens in Vista

RMS is based, at present, on a “lockbox.dll” technology, not a TPM

Page 35:

CNG: Cryptography Next Generation

CAPI 1.0 has been deprecated
May be dropped altogether in future Windows releases

CNG: Open Cryptographic Interface for Windows
Ability to plug in kernel or user mode implementations for:

Proprietary cryptographic algorithms

Replacements for standard cryptographic algorithms

Key Storage Providers (KSP)

Enables cryptography configuration at enterprise and machine levels

Page 36:

Regulatory Compliance

Windows Vista cryptography will comply with:

Common Criteria (CC)
csrc.nist.gov/cc
Currently in version 3

FIPS requirements for strong isolation and auditing
FIPS-140-2 on selected platforms and 140-1 on all

US NSA (National Security Agency) CSS (Central Security Service) Suite B

Page 37:

Vista Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm

Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs

Higher special-security needs (e.g. nuclear security) – guided by Suite A (definition classified)
Announced by NSA at the RSA conference in Feb 2005

Encryption: AES
FIPS 197 (with key sizes of 128 and 256 bits)

Digital Signature: Elliptic Curve Digital Signature Algorithm
FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
Related to GOST R 34.10-2001

Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)

Hashing: Secure Hash Algorithm
FIPS 180-2 (using SHA-256 and SHA-384)

Page 38:

Summary

Page 39:

The Most Secure Windows Yet

Fundamentals
SDL
Service Hardening
Code Scanning
Default configuration
Code Integrity

Threat and Vulnerability Mitigation
IE: protected mode / anti-phishing
Windows Defender
Bi-directional Firewall
IPSEC improvements
Network Access Protection (NAP)

Identity and Access Control
User Account Control
Plug and Play Smartcards
Simplified Logon architecture
BitLocker
RMS Client