Windows 2000 PKI, Smart Cards and EFS

Welcome!
This course is an overview of the larger security changes in Windows 7 and Windows Server
2008-R2. The goal of the talk is to give an executive summary of the security enhancements in
Windows 7/2008-R2 to help IT engineers and managers make more-informed decisions about
deployment, the relative value of Windows 7 over XP/Vista, and to help guide further
independent research.
This talk will not be pro-Microsoft propaganda or a sales pitch, but it does discuss many new
things in Windows 7 and Server 2008-R2 which are good. The author does not work for
Microsoft, though the author does specialize in Windows security as a consultant, and, for the
SANS Institute, is the author of the week-long Securing Windows track (SEC505) for the
GCWN certification.
Windows Security at SANS
The six-day Securing Windows course at SANS (course number SEC505) is intended for those
specializing in Microsoft Windows security and is fully updated for Windows 7 and Windows
Server 2008-R2. The course author’s blog is at http://blogs.sans.org/windows-security/,
where you can also download the PowerShell scripts related to the course.
[Windows, Windows Server, Windows XP, Windows 7, Windows Vista, Internet Explorer, InPrivate, SmartFilter, DirectAccess, BitLocker, AppLocker, BranchCache and other terms in
this document are products and/or trademarks of Microsoft Corporation in the United States and other countries.]
1
If, like 90% of other organizations, you skipped over Vista entirely and kept XP, then "What's
new for security in Windows 7?" includes a lot. For XP administrators, Windows 7 will be very
different. Similarly, if your servers are running Windows Server 2000/2003, then moving to
Server 2008-R2 will require some adjustment.
If you are migrating from Vista and Server 2008, on the other hand, then you'll find Windows 7
to be familiar (and a blessing) and 2008-R2 will be a breeze.
So this talk aims to make both groups happy. Since 90% of you skipped over Vista completely,
the talk will include material which was first new in Vista, but today is still new to you. For the
Vista administrators, special emphasis will be placed on changes that are new versus Vista.
Similarly for the contrast between Server 2008-R2 and Server 2000/2003/2008.
2
Windows 7 is what Vista was supposed to be. Windows 7 is really Vista-R2, but for marketing
reasons Microsoft changed the name. There are few fundamentally new things in Windows 7
over Vista (unlike when we went from XP to Vista, which introduced many important changes),
but what we do get is a noticeable overall improvement in speed, responsiveness, backwards
compatibility, and device driver support. Windows 7 also reduces the number of User Account
Control (UAC) prompts in comparison to Vista. And the minimum realistic hardware
requirements to run Vista/7 are now just off-the-shelf typical desktop/laptop hardware, hence,
even in a recession the good-enough hardware is easy to afford. None of these things are
especially eye-popping or make you yell "Wow!", but they were also the main reasons some
90% of organizations skipped over Vista. Windows XP is getting quite old now, so the pent-up
demand to migrate to Windows 7 should be substantial – at least, that's what Microsoft is
betting.
But there are some things in 7 which might make you say "Wow", even if you don't yell it. New
things like DirectAccess, BranchCache, Windows XP Mode, and booting from a VHD file are
very interesting at least, and we'll talk about them here. You might even be surprised to find that
7 runs fairly well on Atom-based netbooks with only 1GB of RAM and, on the high end, scales
up to 256 CPUs and can even harness the GPUs in some newer video cards.
In Server 2008-R2 the biggest changes are again in things like DirectAccess and BranchCache.
But the same organizations which skipped over Vista might have also skipped over Server 2008,
so, for them, the switch from 2003 to 2008-R2 will be dramatic. This presentation, however,
assumes you've already got 2008-R1, so it only discusses what's new in 2008-R2.
3
User Account Control (UAC) is the feature in Vista designed to annoy users to death with popup prompts. Actually, it's designed to motivate software developers to avoid writing
applications which unnecessarily require UAC approval, which makes it easier for us to remove
users from their local Administrators groups.
Nonetheless, UAC is still annoying, but now it's less annoying in Windows 7. There are fewer
changes that require UAC prompt approval in Windows 7, and many of the changes which still
require UAC approval now pop up a single confirmation prompt instead of multiple
prompts, e.g., reading a file's properties and moving it to another folder.
In Control Panel, you can go to either the Action Center or User Accounts applet to click a link
to manage UAC settings. The new UAC management interface is more fine-grained and easier
to understand, and the same options exist in Group Policy for distributed management too.
UAC options range from 1) Always notify, 2) Notify only when programs try to make changes
to the computer, but not to Windows settings, 3) Same as option number two, but don't dim the
desktop when prompting, and 4) Never notify.
The distinction between "making changes to the computer" and "making changes to Windows
settings" isn't completely clear cut, but at least Microsoft is trying to draw a line between
settings that don't really matter for security and changes to the file system and other locations
which are rare and potentially destructive. In any case, fewer prompts is usually better,
especially if the alternative is to disable UAC entirely.
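The four slider levels above are stored as a handful of registry values (the same ones the Group Policy settings write). This added example, not part of the original talk, reads those values on a Windows 7 machine and maps them back to the level names; it only reads, and assumes the standard policy key exists.

```powershell
# Added example (not from the talk): map the registry values behind the Windows 7 UAC
# slider (and the matching Group Policy settings) back to the four levels listed above.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    $enableLua = [int]$p.EnableLUA                  # 0 = UAC switched off entirely (after reboot)
    $consent   = [int]$p.ConsentPromptBehaviorAdmin # 2 = prompt for everything, 5 = non-Windows binaries only, 0 = elevate silently
    $secure    = [int]$p.PromptOnSecureDesktop      # 1 = dim the desktop for the prompt, 0 = prompt on the normal desktop

    $level = if ($enableLua -eq 0 -or ($consent -eq 0 -and $secure -eq 0)) { 4 }
             elseif ($consent -eq 2 -and $secure -eq 1) { 1 }
             elseif ($consent -eq 5 -and $secure -eq 1) { 2 }
             elseif ($consent -eq 5 -and $secure -eq 0) { 3 }
             else { 0 }   # some other policy-defined combination

    $names = @{ 1 = 'Always notify'
                2 = 'Notify only when programs try to make changes (default)'
                3 = 'Notify only for programs, do not dim the desktop'
                4 = 'Never notify'
                0 = "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }

    New-Object PSObject -Property @{
        Level         = $level
        Description   = $names[$level]
        EnableLUA     = $enableLua
        SecureDesktop = ($secure -eq 1)
    }
}
Get-UacLevel | Format-List
```

Level 4 shows up either as EnableLUA=0 or as silent elevation with no secure desktop; both mean no prompts, which is the case to flag in an audit.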
4
Software Restriction Policies (SRP) have been around for a long time, ever since Windows XP
first came out. SRP can be used to allow or block processes based on the MD5 hash of the
binary, the code signing certificate of the binary, the local or network path of the binary, or IE
zone. SRP settings are managed through Group Policy for mass distribution.
AppLocker is an updated version of SRP for Windows 7, Server 2008-R2 and later. AppLocker
requires at least one domain controller in the forest to be running Server 2008-R2 or later too.
AppLocker is more precise with respect to digitally-signed binaries, can be assigned to
individual users or groups, and, most importantly, supports an audit-only mode which can be
used for testing and debugging prior to flipping the switch (and triggering a flood of user
complaints). In audit-only mode, nothing is blocked, but information about programs that
would be blocked is written to the event logs for analysis and fine-tuning of rules.
For more information, Google on "site:microsoft.com applocker".
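The audit-only workflow described above, as an added example that is not part of the original talk: build a publisher/hash policy from the binaries already installed, apply it with every rule collection set to AuditOnly, then read back the "would have been blocked" events (ID 8003) for rule tuning. It assumes the Windows 7/2008-R2 AppLocker cmdlets, an elevated prompt, and the temporary file path shown.

```powershell
# Added example (not from the talk): AppLocker in audit-only mode, end to end.
Import-Module AppLocker

# 1. Collect publisher, hash and path information for the executables under Program Files.
$files = Get-AppLockerFileInformation -Directory "$env:ProgramFiles" -Recurse -FileType Exe

# 2. Prefer publisher (code-signing certificate) rules; fall back to hash rules for unsigned binaries.
[xml]$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Audit' -Optimize -Xml

# 3. The generated XML comes back with EnforcementMode="NotConfigured"; switch every
#    rule collection to AuditOnly so nothing is blocked yet.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policyPath = "$env:TEMP\applocker-audit.xml"   # assumption: local scratch path
$policy.Save($policyPath)

# 4. Apply locally (use -Ldap to target a GPO instead). The Application Identity service
#    must be running or no rule is ever evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc

# 5. Later: list the programs that ran but would have been blocked under enforcement,
#    most frequent first. Event 8003's message starts with the file path.
function Get-AppLockerAuditHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time = $_.TimeCreated
                User = $_.UserId
                File = ($_.Message -split ' was ')[0]
            }
        } | Group-Object File | Sort-Object Count -Descending
}
Get-AppLockerAuditHits | Format-Table Count, Name -AutoSize
```

Once the 8003 list is down to programs you genuinely intend to block, change AuditOnly to Enabled in the XML and re-apply.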
5
To create a BitLocker To Go removable drive you must have Windows 7 Enterprise or Ultimate
Edition (not Professional), but to read and write to that drive afterwards you can use any version
of Windows 7 or later, even Starter Edition. You can also get read-only access to that drive on
Windows XP/Vista using a special reader program automatically installed onto the BitLocker To
Go removable drive when it is created. BitLocker To Go removable drives do not have to be
formatted with NTFS anymore; you can use FAT, FAT32 or exFAT instead.
Enabling BitLocker To Go on a removable drive is easy: simply right-click that drive in
Windows Explorer and select "Turn On BitLocker". Access to the BitLocker To Go drive is
controlled either by a passphrase or a smart card. After you create the BitLocker USB drive you
also have the option to enable auto-unlock for just that one drive on just that one computer,
hence, you don't have to enter the passphrase again every single time you log onto that machine.
Simply log on, insert the drive, and the drive is mounted and available immediately.
Once a removable drive is encrypted, if you right-click that drive again in Windows Explorer
you'll have a new option to "Manage BitLocker".
BitLocker To Go has the same recovery key backup options as regular fixed-disk BitLocker,
e.g., saving a recovery key to Active Directory, saving a recovery file, printing a recovery
number, etc.
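As an added example (not from the original talk), the following script inventories the removable drives on a Windows 7 machine and reports, for each, whether BitLocker To Go protection is on, how far encryption has progressed, and which key protectors (passphrase, smart card, recovery password) it carries, which is the check you want before relying on the recovery options above. It uses the Win32_EncryptableVolume WMI class and needs an elevated prompt; the protector-type codes follow that class's documentation.

```powershell
# Added example (not from the talk): audit BitLocker To Go state on removable drives.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword'; 4 = 'TPM+PIN'
                     5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'SmartCard'; 8 = 'Passphrase' }

function Get-RemovableBitLockerStatus {
    # DriveType 2 = removable disk in Win32_Volume; skip volumes without a drive letter.
    $removable = Get-WmiObject Win32_Volume -Filter 'DriveType = 2 AND DriveLetter IS NOT NULL' |
                 ForEach-Object { $_.DriveLetter }
    foreach ($letter in $removable) {
        $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = '$letter'"
        if (-not $vol) { continue }   # volume not visible to BitLocker at all

        $prot = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        $conv = $vol.GetConversionStatus()                     # EncryptionPercentage, ConversionStatus

        # Enumerate every key protector (0 = all types) and translate the type codes.
        $types = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
        if ($ids) {
            foreach ($id in $ids) {
                $t = $vol.GetKeyProtectorType($id).KeyProtectorType
                $types += $protectorNames[[int]$t]
            }
        }

        New-Object PSObject -Property @{
            Drive               = $letter
            Protected           = ($prot -eq 1)
            PercentEncrypted    = $conv.EncryptionPercentage
            Protectors          = ($types -join ', ')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}
Get-RemovableBitLockerStatus |
    Format-Table Drive, Protected, PercentEncrypted, Protectors, HasRecoveryPassword -AutoSize
```

A drive that shows Protected but no RecoveryPassword protector is one whose data is lost if the passphrase or smart card is, so pair this with the recovery-key GPO settings.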
6
A .VHD file is the virtual drive-in-a-file format used by Virtual PC, Virtual Server, Data
Protection Manager and Windows Server Backup. Windows 7 and Server 2008-R2 can boot
from a local VHD file without a host operating system, virtual machine software or a hypervisor
(XP/2003/Vista are not supported; the VHD must be on a local non-removable drive; the VHD
can be fixed, dynamic or differencing). This includes support for all the hardware on the
computer, since the device drivers are running from within the VHD. There are no special
requirements for the BIOS of the computer: the VHD file is mounted by the Windows boot
manager after the BIOS hands control of the computer to it. Hence, the boot manager files must
be installed on the host drive, but this is not the full OS.
The steps necessary to boot from VHD are too long to list here, but they involve using
BCDEDIT.EXE to mark the VHD file as a bootable partition (Google on "windows 7 boot from
vhd how to"). For mass deployment, obtain Microsoft's free Windows Automated Installation
Kit (WAIK). Note that you cannot use hibernation with VHD boot.
Note that you can also create and/or mount a VHD file as a drive using either DISKPART.EXE
or the Disk Management snap-in in Windows 7/2008-R2. In Windows 7, open the Computer
Management console in Administrative Tools > Storage > right-click Disk Management >
Create/Attach VHD.
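The DISKPART and BCDEDIT steps from the two paragraphs above, pulled together into one script as an added example (this is not from the talk, and the VHD path, the install.wim location and image index, the drive letter V:, and imagex.exe from the WAIK being on the PATH are all assumptions). Run it from an elevated PowerShell prompt on a Windows 7 host whose boot manager already lives on C:.

```powershell
# Added example (not from the talk): create a VHD, apply a Windows 7 image into it, and add a boot entry.
$vhd = 'C:\VHD\win7.vhd'          # assumption: VHD on a local, non-removable drive
$wim = 'D:\sources\install.wim'   # assumption: mounted Windows 7 media

# 1. Create a 30 GB dynamically expanding VHD, attach it, and format it as V: (DISKPART script).
@"
create vdisk file=$vhd maximum=30000 type=expandable
select vdisk file=$vhd
attach vdisk
create partition primary
format fs=ntfs quick label=Win7VHD
assign letter=V
"@ | Set-Content "$env:TEMP\mkvhd.txt" -Encoding ASCII
diskpart /s "$env:TEMP\mkvhd.txt"

# 2. Lay the OS image down inside the VHD (imagex.exe ships with the WAIK).
imagex /apply $wim 1 V:\

# 3. Clone the current boot entry and point both device and osdevice at the VHD file.
$out  = bcdedit /copy '{current}' /d 'Windows 7 (boot from VHD)'
$guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]+\}').Value
$target = "vhd=[C:]$($vhd.Substring(2))"      # bcdedit syntax: vhd=[C:]\VHD\win7.vhd
bcdedit /set $guid device   $target
bcdedit /set $guid osdevice $target
bcdedit /set $guid detecthal on    # let the VHD OS redetect the real hardware on first boot

# 4. Detach the VHD and confirm the new entry. Hibernation is not available for this entry.
"select vdisk file=$vhd`ndetach vdisk" | Set-Content "$env:TEMP\rmvhd.txt" -Encoding ASCII
diskpart /s "$env:TEMP\rmvhd.txt"
bcdedit /enum | Select-String 'vhd='
```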
You can also use BitLocker To Go to encrypt the interior contents of a VHD file, just mount the
VHD, then right-click the new drive letter and select Encrypt With BitLocker. Note that you
cannot boot from a VHD and also use BitLocker on the physical volume hosting the VHD file at
the same time.
7
It's important to understand that BitLocker To Go is not intended to be used just by itself in
isolation from other security policies. Virtually every type of interaction with removable drives
can be regulated through various Group Policy settings. For example, you can deny write
access to unencrypted drives, but allow read access; you can set the minimum length and
complexity requirements for the passphrase used to secure access to BitLocker To Go drives;
you can configure various recovery options for BitLocker drives of any type so that the data can
always be recovered even if the passphrase/PIN is forgotten, the TPM chip is damaged or the
user otherwise cannot access their keys.
The main BitLocker-related settings in a GPO are located under Computer Configuration >
Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
You can find more GPO settings related to removable devices in general here: Computer
Configuration > Policies > Administrative Templates > System > Device Installation.
To regulate users' read/write access to drives of various types, removable or not, open the GPO
and go to User Configuration > Policies > Administrative Templates > System > Removable
Storage Access.
Windows 7 and Server 2008-R2 also have built-in support for IEEE 1667 security for USB drives,
and this too is Group Policy manageable.
8
With a Server 2008-R2 or later DirectAccess server, Windows 7 clients can use IPSec to tunnel
IPv6 packets over the Internet in order to maintain continuous connectivity to corporate LAN
servers and the rest of the Internet at the same time. To the end user, it doesn't matter if they are
"inside" the corporate LAN or "outside" on the Internet since resources from either location will
always be accessed in the same way.
The IPSec connection to the DirectAccess server is established even before the user logs on,
assuming their computer is connected to the Internet, which allows single sign-on to Active
Directory, Group Policy processing and Network Access Protection (NAP) enforcement. After
logging on, the user does not have to initiate or manage any special DirectAccess connections or
applications; it all just works in the background. The client will use IPv6-over-IPv4 tunneling,
Teredo or IP-over-HTTPS as necessary in order to establish contact with the DirectAccess
gateway.
In Server 2008-R2, the DirectAccess Management Console is installed as a Feature using Server
Manager, but note that the server must be a domain member or domain controller first. This
console is mainly a wizard for walking you through the configuration process. DirectAccess has
many prerequisites which cannot be discussed here (for more information, see
http://www.microsoft.com/directaccess/).
Though Microsoft goes to great pains to contrast DirectAccess with VPNs, DirectAccess is
essentially the combination of an IPSec VPN with many other network security technologies to
make it more secure and as transparent to the end user as possible. Much of this was available
piecemeal in Vista/2008, but it wasn't packaged to simplify deployment.
9
BranchCache is for peer-to-peer ("distributed") or central server ("hosted") cache acceleration of
HTTP and SMB file requests, presumably at a branch office with slow WAN links to other
offices. In distributed mode, clients use WS-Discovery (multicast UDP/3702 of SOAP
messages) to locate each other and the desired file segments, then HTTP is used to download the
file segments. In hosted mode, clients query a designated server over HTTPS for the desired
file segments, then HTTP is used for file download.
Only Windows 7/2008-R2 are supported, but it's disabled by default. On IIS servers, install the
"BranchCache" feature using Server Manager. On file servers, install the "BranchCache for
Remote Files" role service using Server Manager when installing the File Services role, then use
the "File and Storage Management" console in Administrative Tools to configure shared folders.
Client configuration is done through Group Policy or NETSH.EXE commands. The use of
BranchCache acceleration is transparent to users.
The downloaded files are encrypted using a "custom encryption scheme based on AES128"
(??!) based on a random seed that can actually be set, exported or imported with NETSH.EXE.
This same seed is also used (in HMAC fashion?) when BranchCache-enabled HTTP/SMB
servers compute hash values for file segments. Timestamps and hashes are used together to
identify the correct and most recent file segments.
For more information, download the BranchCache Early Adopters Guide from Microsoft.
10
Windows Server 2008-R2 and later supports Domain Name System Security Extensions (DNSSEC) as specified in
RFC 4033, 4034 and 4035. DNSSEC allows authentication and integrity verification of DNS response data in
order to combat spoofing and man-in-the-middle attacks against DNS traffic. This is accomplished, in part, by
signing zone data (RSA public key encryption of SHA-1 hashes, using 512- to 4096-bit RSA keys) using the
DNSCMD.EXE command-line tool.
Keep in mind, though, that DNSSEC and dynamic updates are incompatible.
Only Windows 7, Server 2008-R2 and later are DNSSEC-aware. Windows 2000/XP/2003/Vista/2008 systems
ignore DNSSEC-related options.
Even when a Windows DNS client (i.e., a stub resolver, not a DNS server) is DNSSEC compatible, like Windows
7, the client does not itself validate any DNSSEC records or responses. DNS clients simply rely upon a flag being
set in the response from the DNS server to indicate that the information was validated by the DNS server. To
authenticate the DNS server and its responses, clients must use IPSec.
DNSSEC will most likely be deployed only on your public DNS servers which host the DNS records of your
Internet-exposed servers and which handle forwarded queries from your internal DNS servers.
If you would like more information about DNSSEC, please download Microsoft's how-to whitepaper: Domain
Name System Security Extensions (best to Google for it, the URL may have changed).
11
One of the best free releases from Microsoft in the past few years has been the PowerShell
scripting language and interpretive command shell. PowerShell is the future of Windows
scripting and replaces the old piece-o-junk CMD.EXE shell (don't worry, the CMD.EXE shell
will still be included in Windows for many years for backwards compatibility).
PowerShell 1.0 is available for Windows XP/2003/Vista and is built into Server 2008.
PowerShell 2.0 is built into Windows 7/2008-R2 and later by default.
PowerShell 2.0 includes important new enhancements, such as WS-Management remoting,
which allows execution of PowerShell commands and scripts on remote systems without using
telnet, ssh or Remote Desktop Protocol. Version 2.0 includes over 100 new cmdlets for
managing Active Directory, Group Policy Objects, and many other things. Just as with bash on
Linux, PowerShell 2.0 can launch background jobs, including jobs on multiple remote systems.
A graphical editor and debugger is also included now, but it's still not as good as, for example,
Sapien's PrimalCode or some other IDEs for PowerShell.
For more information, see http://www.microsoft.com/powershell/. PowerShell training is also a
part of the SANS Securing Windows track (SEC505) and as a standalone course (SEC533). Get
the instructor's scripts from http://blogs.sans.org/windows-security/.
12
The IE SmartScreen Filter (previously known as the "Phishing Filter") compares each visited URL
against a list of known-bad URLs maintained by Microsoft and is accessed via a web service. Bad sites
include both known phishing sites and malware download URLs. SmartScreen also looks for phishy
pheatures in web pages (what these characteristics are exactly is not well known) and is integrated into
the IE9 Download Manager. Similarly, the Cross Site Scripting (XSS) Filter also examines the flow of
data back-and-forth between browser and web server(s) to detect and thwart XSS attacks.
SmartScreen in IE8/IE9 can check each site automatically or can be invoked manually by the user by
pulling down the Safety menu > SmartScreen Filter > Check This Website. Known-good or known-bad
sites can be submitted to Microsoft for review and inclusion/exclusion from the list. You can suggest to
Microsoft that they review a website for phishiness by pulling down the Safety menu > SmartScreen
Filter > Report Unsafe Website.
IE8/IE9 also includes the InPrivate Filter, which is for maintaining privacy against attempts to track users
across multiple sites. To manage InPrivate options, pull down the Safety menu > InPrivate Filtering
Settings.
An architectural change is that each tab in IE8/IE9 corresponds to a separate IEXPLORE.EXE process,
hence, if one tab locks up, it hopefully only affects that one process and does not cause other tabs or the
browser as a whole to lock up. Each tab/process can also run at a different Protected Mode level for each
zone (Tools menu > Internet Options > Security tab > (un)check the Protected Mode box for each zone as
desired). You can see the Protected Mode state in the status bar for the current tab.
The most noticeable change in IE9 is GPU-assisted hardware acceleration and faster script execution.
Much faster than in IE8! Time will tell how it stacks up against Firefox and Chrome…
13
NTLMv1 and NTLMv2 authentication is slower, less scalable and less secure than Kerberos
authentication. And while NTLM is faster than certificate-based authentication, the latter is
much more secure, especially when combined with smart cards and HSMs. So, just as we are
slowly giving up NetBIOS, WINS and LanManager, so in the long run we'll want to migrate
away from NTLM in favor of Kerberos and certificate-based authentication too.
Starting with Windows 7 and Server 2008-R2, you can 1) audit which systems are using NTLM,
2) block inbound and/or outbound NTLM authentication, and 3) allow the inevitable exceptions
which still require NTLM while you are in the 12-month process of eliminating it.
Exceptions to allow NTLM are defined by the NetBIOS name and/or fully-qualified domain
name (FQDN) of the permitted systems. A wildcard ("*") may be used at the beginning or end
of each name in the list of permitted exceptions.
You can find the options to audit and restrict NTLM in a GPO here: Computer Configuration >
Policies > Windows Settings > Security Settings > Local Policies > Security Options. Look for
the options that begin with "Network Security: Restrict NTLM".
For more information, see: http://blogs.technet.com/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
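The PowerShell 2.0 remoting and background-job features from slide 12 and the NTLM auditing from this slide fit together naturally: once the "Restrict NTLM: Audit ..." policies are on, you want to see which machines still send or receive NTLM before you block it. This added example (not from the talk) fans a read-only collector out to several hosts with Invoke-Command -AsJob and tabulates the results. It assumes PowerShell remoting is enabled on the targets, that the computer names are placeholders, and that the 8001 event's "Target server:" message field is the one carrying the remote host name.

```powershell
# Added example (not from the talk): collect NTLM audit state and events from many hosts at once.
$computers = 'WKS01', 'WKS02', 'SRV01'   # constructed names; replace with your own

$collector = {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    # NTLM audit events land in this log once the "Restrict NTLM: Audit ..." policies are set:
    #   8001 = outgoing NTLM to a remote server, 8002 = incoming NTLM from a client,
    #   8003 = NTLM authentication in the domain (on DCs), 8004 = NTLM blocked
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
                           -MaxEvents 500 -ErrorAction SilentlyContinue

    # Top remote servers this host still talks NTLM to (assumption: "Target server:" field in the 8001 message).
    $targets = $events | Where-Object { $_.Id -eq 8001 } |
               ForEach-Object { if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } } |
               Group-Object | Sort-Object Count -Descending | Select-Object -First 3 |
               ForEach-Object { "$($_.Name) x$($_.Count)" }

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        AuditInbound     = $lsa.AuditReceivingNTLMTraffic      # 0 off, 1 domain accounts, 2 all accounts
        RestrictOutbound = $lsa.RestrictSendingNTLMTraffic     # 0 allow all, 1 audit all, 2 deny all
        AllowedServers   = ($lsa.ClientAllowedNTLMServers -join ';')   # the "*"-wildcard exception list
        OutgoingNTLM     = @($events | Where-Object { $_.Id -eq 8001 }).Count
        IncomingNTLM     = @($events | Where-Object { $_.Id -eq 8002 }).Count
        Blocked          = @($events | Where-Object { $_.Id -eq 8004 }).Count
        TopTargets       = ($targets -join ', ')
    }
}

# Fan out over WS-Management as a background job (no RDP, telnet or ssh), then gather the results.
$job = Invoke-Command -ComputerName $computers -ScriptBlock $collector -AsJob -ThrottleLimit 8
Wait-Job $job | Out-Null
$results = Receive-Job $job
Remove-Job $job

$results | Format-Table Computer, AuditInbound, RestrictOutbound, OutgoingNTLM, IncomingNTLM, Blocked, TopTargets, AllowedServers -AutoSize
```

Hosts with non-zero OutgoingNTLM or IncomingNTLM counts are the ones that need either fixing or an entry in the exception list before you move the policy from audit to "Deny all".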
14
If you are migrating from IIS 6.0 on Server 2003 to IIS 7.5 on Server 2008-R2, you're in for a bit of a
(good) shock. The metabase is gone, the management GUI has changed drastically, the architecture of
the product is now extremely modular (right down to which DLLs are loaded into worker processes) and
some very nice security enhancements have been added too.
For example, when hosting many sites on behalf of other groups, it was difficult in the past to allow
secure over-the-Internet remote administration. You don't have to grant RDP access anymore. Over an
SSL channel remote webmasters can use the IIS Manager console just like they would locally, and you
can precisely define which configuration settings can be seen or edited in each site.
WebDAV allows users to map drive letters over HTTPS to folders on the IIS server, and if these folders
have been mapped to the UNC paths of shared folders inside the LAN (such as to a user's home share),
then users can always get authenticated and encrypted access to their files. Through NTFS permissions,
share permissions and WebDAV authorization rules, you can precisely define who can access what.
The URL Rewrite module (similar to Apache's mod_rewrite) can examine incoming HTTP requests,
search them for matches to one or more boolean-connected regular expression patterns, then allow or
deny the request. In short, URL Rewrite can be used as a web application-layer firewall (similar but
better than URLSCAN). The URL Rewrite module can also perform on-the-fly search and replace within
request bodies or server responses.
And FTP gets a second lease on life with support for SSL encryption. Just like with WebDAV, an SSL-encrypted FTP folder can be mapped to the UNC path of an internal shared folder. Rather humorously,
though, Windows 7 does not include an FTPS client, so you'll have to get something like FileZilla in the
meantime (filezilla-project.org).
15
So little time, so many things to talk about…
PKU2U certificate-based authentication (and its SSP for SSPI):
http://technet.microsoft.com/en-us/library/dd560634(WS.10).aspx
BitLocker Recovery Agent Certificate (similar to how EFS does it):
http://technet.microsoft.com/en-us/library/dd630628(WS.10).aspx
Restricting NTLM Authentication Through Group Policy:
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
Managed Service Accounts (using PowerShell):
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
Enhanced Storage Access (IEEE 1667 security for USB drives):
http://technet.microsoft.com/en-us/library/dd560657(WS.10).aspx
EFS Now Supports Elliptic Curve Cryptography (ECC) Public Keys:
http://technet.microsoft.com/en-us/library/dd630631(WS.10).aspx
Authentication Mechanism Assurance (modify groups in SAT based on authentication type):
http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx
Active Directory Recycle Bin (to undelete accidental deletions):
http://technet.microsoft.com/en-us/library/dd391916(WS.10).aspx
And an improved Resource Monitor (launch from within Task Manager), but it’s still not as good as Process Explorer.
16
At this point, there is very little solid information about the version of desktop Windows to
follow Windows 7. This next version is often called "Windows 8", but that is unlikely to be the
name under which it ships.
One thing we know for sure, Steve Ballmer says Windows 8 will run on ARM hardware,
including system-on-a-chip (SoC) platforms. This is clearly aimed at tablet/slate computers, but
also low-power special-purpose computers, such as in cars, handheld devices, household
appliances, entertainment consoles, etc. This also continues a trend in which Windows is
becoming less monolithic and more modular or layered in its architecture; it's the payoff from
projects like "MinWin", the "Vista reset" which teased out and simplified the dependency layers
in the OS, Server Core, Windows Embedded, and so on.
We can also reasonably expect more cloud-integration features, especially with HotMail,
SkyDrive, Live Mesh, Xbox and Windows Phone. This might go as far as something like
roaming user profiles and data, but hosted on Internet-accessible servers, and may include
roaming applications which are streamed to one's various computers as needed.
There will certainly be more optimization for solid state drive (SSD) technologies, USB 3.0 and
probably Light Peak.
17
When laptops come with hypervisors (tablets too?), Windows 8 may be designed to run
primarily as a VM (Windows 7 can already boot and run from a VHD file), with the ability to
switch to different concurrent VMs for different applications, or perhaps a "revert to factory
default" option will restore the default VM while keeping the user's data and applications.
Just as Server 2008 was the last 32-bit server OS, so Windows 8 might be the first client OS to
only come in a 64-bit flavor (except for ARM).
There is a rumor of an alternative desktop for tablets which has the look-and-feel of Windows
Media Center or Windows Phone.
There is a rumor of Kinect integration features, similar to the GUI interface from the movie
Minority Report, which would probably work best (or work only with) a desktop patterned after
Windows Media Center or the tiles on Windows Phone.
A slimmed-down version of the .NET Framework (codenamed "Redhawk") optimized for low-power, multi-core devices. It may also represent a taste of a new OS or subsystem, similar to
the "Midori" project.
18
Thank You for attending!
For more information about Windows 7 and Server 2008-R2, begin at the following URLs or
simply go to Google and add "site:microsoft.com" to your keywords:
http://www.microsoft.com/windows7/
http://www.microsoft.com/windowsserver2008/
http://www.microsoft.com/directaccess/
http://technet.microsoft.com
For the SANS Windows Security blog, please visit:
http://blogs.sans.org/windows-security/
19