Windows Vista Security Tidbits
Steve Riley
Senior Security Strategist
Microsoft Corporation
steve.riley@microsoft.com
http://blogs.technet.com/steriley
©2006 Microsoft Corporation. All rights reserved.
Overview
User And Group Changes
Admin account
New/Missing SIDs
New/Missing Users and Groups
Cached credentials
Kernel Changes
Buffer overflow protection
ACL Changes
Encryption changes
Suite B
TS SSO
EFS with Smart Cards
Audit changes
User rights
New and changed security options
Firewall
Auth IP
SMBv2
User and Group Changes
Administrator Account Status
Built-in “Administrator”
Safe mode created a hole: reboot and log in without a password!
New behavior:
Non-domain: if you have a local admin, safe mode prohibits use of the built-in Administrator (BA)
Domain: BA can never be used
Power Users Are Not Anymore
New Groups
Some Additional SIDs
And A Few More SIDs
The Trusted Installer
INTERNET USER
High integrity SID
A Service
Medium integrity SID
System integrity SID
Low integrity SID
Integrity Levels in Token
ACL Changes
ACL Modifications
Old ACL UI
New ACL UI
Owner Needs Explicit Perms
Crypto Changes
Offline Files Encrypted Per User
Encrypted Pagefile
Suite-B Crypto
Software and Smart Card Key Storage Providers
Cryptographic configuration
NIST ECC Prime Curves support (smart cards too)
AES
SHA-2
IPsec support for AES and ECDH
ECC cipher suites in SSL
EFS with smart cards
Cached Credentials Much Tougher
Improved Auditing
Granular Audit Policy
Object Access Auditing
Object Access Attempt:
    Object Server: %1
    Handle ID: %2
    Object Type: %3
    Process ID: %4
    Image File Name: %5
    Access Mask: %6
Object Access Auditing
An operation was performed on an object.
Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4
Object:
    Object Server: %5
    Object Type: %6
    Object Name: %7
    Handle ID: %9
Operation:
    Operation Type: %8
    Accesses: %10
    Access Mask: %11
    Properties: %12
    Additional Info: %13
    Additional Info2: %14
Added Auditing For
Registry value change audit events (old+new values)
AD change audit events (old+new values)
Improved operation-based audit
Audit events for UAC
Improved IPSec audit events including support for AuthIP
RPC Call audit events
Share Access audit events
Share Management events
Cryptographic function audit events
NAP audit events (server only)
IAS (RADIUS) audit events (server only)
More Info In Event Log UI
XML Events
New Event Numbers
New and Modified User Rights
Changes to User Rights
All rights for Power Users removed
Create global objects does not have INTERACTIVE
SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET
Logon as a service is now empty by default
New User Rights
Access credential manager as a trusted caller
    Winlogon uses for credential manager backup/restore
Change time zone user right
Create symbolic links
Modify an object’s integrity label
Synchronize directory service data
Increase a process working set
Security Options With Modified Defaults
Anonymous Named Pipes
Network access: remotely accessible registry paths
Network access: shares that can be accessed anonymously
Network Security: Do not store LAN Manager hash value on next password change
Network security: LAN Manager authentication level
Devices: Allowed to format and eject removable media
Devices: Restrict CD-ROM/Floppy access to locally logged on user only
Devices: Unsigned driver installation behavior
Why Change It?
Devices and Drivers
Allowing users to install drivers
Installing devices
Configuring device restrictions
New Security Options
Network access: Restrict anonymous access to named pipes and shares
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for software restriction policies
Lots and lots and lots of GP changes
Last Logon Display
Trusted Path Credential Entry
Smart Card Policies
RDP
New RDP Control
Timeless Security Advice!
Order online:
http://www.protectyourwindowsnetwork.com
steve.riley@microsoft.com
http://blogs.technet.com/steriley