Windows Vista Security

This presentation is based on work by Microsoft TechNet, MSDN and various Microsoft authors including, with special thanks: Ramprabhu Rathnam, Tony Northrup, and Austin Wilson

Rafal Lukawiecki, Strategic Consultant
rafal@projectbotticelli.co.uk
Project Botticelli Ltd

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the "Comments" field in File/Properties.

Objectives
- Overview the new security features of Windows Vista, explaining their purpose
- Relate Vista to emergent security technologies
- Excite you about the new opportunities

Session Agenda
- Introduction
- A Corporate Scenario
- Foundational Protection
- Networking
- User Account Control
- Authentication & Authorization
- Integrated Security Control
- Secure Startup
- Data Protection
- Summary

Engineering Excellence: Windows Vista Development Process
- Microsoft followed their Security Development Lifecycle (SDL) process while creating Windows Vista:
  - Periodic mandatory security training
  - Assignment of security advisors for all components
  - Threat modeling as part of the design phase
  - Security reviews and testing built into the schedule
  - Security metrics for product teams
- Common Criteria (CC) certification compliance is one of the major goals (see later)
  - CC is maintained by the US National Institute of Standards and Technology (who are also responsible for FIPS): csrc.nist.gov/cc

A Corporate Scenario With Windows Vista…
1. While starting up, the system is protected through BitLocker and TPM (Trusted Platform Module), preventing off-line modifications
2. NAP (Network Access Protection) ensures the computer adheres to your policy (e.g. has required updates, virus signatures etc.) before "Longhorn" servers allow it to use the network. If the PC is non-compliant, it will be given a chance to update
3. Multiple types of logon devices and identities can be selected by the user without losing a consistent UI
4. The user logs on using non-admin accounts. If admin rights are truly needed, the user's approval is requested. For legacy apps, virtualisation of admin changes is offered
5. IE improvements help the user browse the web with no fear of malware and better privacy protection
6. When updates are available, Restart Manager ensures a minimum of disruption, even if running applications are left on a locked workstation
Read: www.microsoft.com/technet/windowsvista/evaluate/admin/mngsec.mspx

Foundational Protection

Windows Service Hardening: Defense-in-Depth
- Factoring and profiling of the Windows kernel
- Reduce the size of high-risk layers
- Segment the services
- Increase the number of layers
[Diagram: layered view of the kernel, kernel drivers, user-mode drivers and individual services (Service 1, Service 2, Service 3, Service A, Service B, …), each segmented into its own layer]

Windows Service Hardening
- Windows Services became a large attack surface due to their privileges and being "always-on"
- Improvements:
  - SID (per-service Security Identifier) recognised in ACLs (Access Control Lists), so a service can protect its resources
  - Firewall policy prohibiting network access by services (subject to ACLs and SIDs)
  - Stripping of unnecessary privileges on a per-service basis
  - Moving from LocalSystem to LocalService or NetworkService when possible
  - Use of write-restricted tokens for service processes

Integrated Windows Defender
- Integrated detection, cleaning, and real-time blocking of malware: malware, rootkits, and spyware
- Targeted at consumers – enterprise manageability will be available as a separate product
- Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove the worst worms, bots, and trojans during an upgrade and on a monthly basis

Windows Live OneCare
- Optional fee-based service
- Antivirus
- Integration with Antispyware (Windows Defender)
- System tuning
- Update assurance
- Backup

Internet Explorer 7
In addition to building on UAC (see later), IE includes:
- Protected Mode (planned for Vista Beta 2) that only allows IE to browse with no other rights, even if the user has them, such as to install software
  - "Read-only" mode, except for Temporary Internet Files, when the browser is in the Internet Zone of security
- All cached data cleared with a single click

Phishing Filter in IE: Dynamic Protection Against Fraudulent Websites
3 checks to protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double-checks the site with an online Microsoft service of reported phishing sites, updated several times every hour

Two Levels of Warning and Protection in the IE7 Security Status Bar
- Level 1: Warn – suspicious website signaled
- Level 2: Block – confirmed phishing site signaled and blocked

Developers: WinFX and WCF
- WinFX, the new .NET-based set of APIs, provides stronger support for Code Access Security and Evidence Based Security
  - In essence, the improvements of .NET Framework 2.0
- Windows Communication Foundation (WCF) introduces a model of abstracted security and full support for WS-* Security Guidelines
  - Formerly known as "Indigo"

Networking

NG TCP/IP: Next Generation TCP/IP in Vista and "Longhorn"
- A new, fully re-worked replacement of the old TCP/IP stack
- Dual-stack IPv6 implementation, with now-obligatory IPSec
- IPv6 is more secure than IPv4 by design, esp.: privacy, tracking, network port scanning, confidentiality and integrity
- Other network-level security enhancements for both IPv4 and IPv6:
  - Strong Host model
  - Windows Filtering Platform
  - Improved stack-level resistance to all known TCP/IP-based denial of service and other types of network attacks
  - Routing Compartments
  - Auto-configuration and no-restart reconfiguration
Read: www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx

Windows Vista Firewall
- Both inbound and outbound
- Authentication and authorization aware
- Outbound application-aware filtering is now possible
- Includes IPSec management
- Of course, policy-based administration
- Great for peer-to-peer control

Network Access Protection
- NAP is a new technology that has roots in VPN quarantine, but now extends to all network clients, not just remote access
- Relies on NAP-aware servers, which means Windows "Longhorn" Servers for now
- You specify a policy of: required OS patches, virus signature updates, presence or absence of certain applications, any arbitrary checks
- …and the system disallows all access to the network if the policy has not been met, except access to a location where updates etc. can be downloaded

Network Access Protection (diagram)
[Diagram: a Windows Vista client that is not policy compliant connects via DHCP, VPN or a switch/router to the Microsoft Network Policy Server, which consults Policy Servers (e.g. Microsoft Security Center, SMS, Antigen or 3rd party); the client is held in a Restricted Network with Fix Up Servers (e.g. WSUS, SMS & 3rd party) until it is policy compliant, and is then admitted to the Corporate Network]

User Account Control

User Account Control
Helps implement the Least Privilege principle in two distinct ways:
1. Every user is a standard user
  - Older, legacy, or just greedy applications' attempts to change your system's settings will be virtualised so they do not break anything
2. Each genuine need to use administrative privileges will require:
  - Selection of a user who has those permissions, or
  - Confirmation of the intent to carry on with the operation
Read: www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

Credential Prompting

Consent Prompting
- Applies in a situation when the user has all the necessary rights, but before they have been exercised
- A new, secondary protection

UAC: Fundamental Change to Windows Operation
- Fixes the system to work well as a standard user
- Registry and file virtualization to provide compatibility
  - Per-machine registry writes are redirected to per-user locations if the user does not have administrative privileges
  - Effectively: standard accounts can run "admin-required" legacy applications safely!
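The three-check, two-level phishing filter described above, modelled as an added Python example (this is not Microsoft's filter or its data). The local list of legitimate sites, the set of reported sites standing in for the online Microsoft service, the brand-word list and the URL characteristics are all constructed for the illustration; the point is the tiering, where a reported site is blocked outright while merely suspicious characteristics only warn.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the filter's three data sources (not Microsoft's lists).
LOCAL_LEGITIMATE_SITES = {"www.microsoft.com", "www.example.com"}   # check 1
REPORTED_PHISHING_SITES = {"login-secure-update.example.net"}        # check 3 (online service)
BRAND_WORDS = ("paypal", "bank", "microsoft", "login", "secure", "account")

LEVEL_OK, LEVEL_WARN, LEVEL_BLOCK = "ok", "warn", "block"


def host_of(url):
    """Lower-cased host name of a URL ('' if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def phishing_characteristics(url):
    """Check 2: return the phishing-like characteristics found in the URL.

    The characteristics are a constructed illustration of the kind of heuristics
    a filter applies; they are not IE7's actual rule set.
    """
    parts = urlsplit(url)
    host = host_of(url)
    found = []
    try:
        ipaddress.ip_address(host)
        found.append("ip-address-host")            # a raw address instead of a name
    except ValueError:
        pass
    if parts.username is not None:
        found.append("userinfo-in-url")            # http://www.bank.example@other.example/
    if host.count(".") >= 4:
        found.append("excessive-subdomains")
    labels = host.split(".")
    subdomain_part = ".".join(labels[:-2])         # everything left of the registrable domain
    if len(labels) >= 3 and any(w in subdomain_part for w in BRAND_WORDS):
        found.append("brand-word-in-subdomain")    # www.paypal.com.<something>.example.org
    if re.search(r"\d{5,}|-{2,}", host):
        found.append("suspicious-hostname-pattern")
    return found


def classify(url):
    """Return (level, reasons): 'ok', 'warn' (Level 1) or 'block' (Level 2)."""
    host = host_of(url)
    if host in LOCAL_LEGITIMATE_SITES:             # check 1: known legitimate, stop here
        return LEVEL_OK, []
    if host in REPORTED_PHISHING_SITES:            # check 3 outranks heuristics: block
        return LEVEL_BLOCK, ["reported-phishing-site"]
    reasons = phishing_characteristics(url)        # check 2: suspicious characteristics: warn
    if reasons:
        return LEVEL_WARN, reasons
    return LEVEL_OK, []


if __name__ == "__main__":
    # Constructed sample URLs (documentation/reserved names only).
    for sample in [
        "https://www.microsoft.com/security",
        "https://news.example.org/",
        "http://192.0.2.10/paypal/login",
        "http://www.paypal.com.account-verify.example.org/",
        "http://login-secure-update.example.net/",
    ]:
        level, reasons = classify(sample)
        print(f"{level:5}  {sample}  {reasons}")
```

The lookup of the reported-site list is placed before the heuristics so that a confirmed site can never be downgraded to a warning by a clean-looking URL, which is the property the two-level status bar relies on.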
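The NAP policy evaluation described above (required patches, signature currency, required or forbidden applications, arbitrary checks, and the restricted network that only reaches the fix-up servers), as an added Python example that is not Microsoft's Network Policy Server code. The policy, the patch identifiers, the server names, the evaluation date and both client health reports are constructed placeholders.

```python
from datetime import date


def firewall_enabled(client):
    """One "arbitrary check" a policy can carry (constructed example)."""
    return client["firewall_enabled"]


# Constructed policy modelled on the checks the NAP slide lists (not a real NPS policy).
POLICY = {
    "required_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},   # placeholder IDs
    "max_signature_age_days": 3,
    "required_apps": {"Windows Defender"},
    "forbidden_apps": {"UnapprovedFileSharing"},
    "custom_checks": [firewall_enabled],
}
FIXUP_SERVERS = {"wsus.corp.example", "sms.corp.example"}   # constructed names
TODAY = date(2006, 3, 10)                                  # constructed evaluation date

# Constructed client health reports.
COMPLIANT_CLIENT = {
    "patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2", "KB-PLACEHOLDER-3"},
    "signature_date": date(2006, 3, 9),
    "apps": {"Windows Defender", "Office"},
    "firewall_enabled": True,
}
STALE_CLIENT = {
    "patches": {"KB-PLACEHOLDER-1"},
    "signature_date": date(2006, 3, 1),
    "apps": {"Windows Defender", "UnapprovedFileSharing"},
    "firewall_enabled": False,
}


def evaluate(client, policy=POLICY, today=TODAY):
    """Return the list of policy failures; an empty list means the client is compliant."""
    failures = []
    missing = policy["required_patches"] - client["patches"]
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    age = (today - client["signature_date"]).days
    if age > policy["max_signature_age_days"]:
        failures.append(f"virus signatures {age} days old")
    absent = policy["required_apps"] - client["apps"]
    if absent:
        failures.append("required apps absent: " + ", ".join(sorted(absent)))
    present = policy["forbidden_apps"] & client["apps"]
    if present:
        failures.append("forbidden apps present: " + ", ".join(sorted(present)))
    for check in policy["custom_checks"]:
        if not check(client):
            failures.append(f"check failed: {check.__name__}")
    return failures


def placement(client, policy=POLICY, today=TODAY):
    """Non-compliant clients are placed in the restricted network."""
    return "corporate" if not evaluate(client, policy, today) else "restricted"


def connection_allowed(network, destination):
    """Restricted clients reach only the fix-up servers; corporate clients reach anything."""
    return network == "corporate" or destination in FIXUP_SERVERS


if __name__ == "__main__":
    for name, client in [("compliant", COMPLIANT_CLIENT), ("stale", STALE_CLIENT)]:
        print(name, placement(client), evaluate(client))
```

The failure list is what the client is shown while it sits in the restricted network, so each entry names the exact item to remediate rather than a generic "non-compliant".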
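The registry and file virtualization just described, as an added toy model in Python (not Windows code): a standard user's write to a per-machine location from a legacy application is redirected to a per-user store and read back from there, while the real location stays untouched and other users keep seeing the original. The store roots are Vista's default locations (%LOCALAPPDATA%\VirtualStore for files and HKCU\Software\Classes\VirtualStore\MACHINE for the registry) written here as plain strings; the in-memory dictionaries, the user names and the sample paths are constructed for the illustration, and the model assumes the writer is a legacy process to which virtualization applies.

```python
class VirtualizedSystem:
    """Toy model of UAC file and registry virtualization (added example, not Windows code).

    The real machine-wide state and the per-user virtual stores are plain dicts.
    """
    # Per-machine locations whose writes are virtualized for a standard user.
    PROTECTED_PREFIXES = (r"C:\Program Files", r"C:\Windows", r"HKLM\SOFTWARE")
    # Default Vista store roots; the file store root can be redirected via the constructor.
    DEFAULT_FILE_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"
    REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"

    def __init__(self, file_store_root=DEFAULT_FILE_STORE):
        self.real = {}            # real path -> contents
        self.user_store = {}      # (user, virtual path) -> contents
        self.file_store_root = file_store_root

    def is_protected(self, path):
        upper = path.upper()
        return any(upper.startswith(p.upper()) for p in self.PROTECTED_PREFIXES)

    def virtual_path(self, user, path):
        """Map a protected per-machine path to this user's private copy."""
        if path.upper().startswith("HKLM\\"):
            return self.REG_STORE + "\\" + path[len("HKLM\\"):]
        # Drop the drive letter: C:\Program Files\App\x.ini -> <store>\Program Files\App\x.ini
        return self.file_store_root.format(user=user) + "\\" + path[3:]

    def write(self, user, is_admin, path, contents):
        """Write and return the path actually written (real or virtualized)."""
        if is_admin or not self.is_protected(path):
            self.real[path] = contents
            return path
        vpath = self.virtual_path(user, path)
        self.user_store[(user, vpath)] = contents
        return vpath

    def read(self, user, path):
        """Read-through: the user's virtual copy shadows the real location."""
        if self.is_protected(path):
            vpath = self.virtual_path(user, path)
            if (user, vpath) in self.user_store:
                return self.user_store[(user, vpath)]
        return self.real.get(path)


if __name__ == "__main__":
    vs = VirtualizedSystem()
    ini = r"C:\Program Files\LegacyApp\settings.ini"
    vs.real[ini] = "color=blue"                          # shipped by the installer (run as admin)
    print(vs.write("alice", False, ini, "color=red"))    # standard user: lands in VirtualStore
    print(vs.read("alice", ini), vs.read("bob", ini), vs.real[ini])
```

The practical consequence for administrators is visible in the read-through: a setting changed by a standard user lives under that user's profile, so inspecting the real location under Program Files or HKLM will not show it.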
  - You can redirect the virtualization store

Authentication & Authorization

Windows Logon Experience
- GINA has been replaced with Credential Service Provider interfaces
- The logon UI can interact with multiple plug-in Credential Providers
- Direct support for multi-factor authentication: smartcards and tokens, biometrics etc.
- Plug-and-play for smartcards
  - Common CSPs (Cryptographic Service Providers) and Card Communication Modules
  - Key Storage Providers
  - Root certificate propagation
  - Integrated smartcard unblocking

"InfoCard"
- Easier
  - Consistent user experience
  - Helps eliminate usernames and passwords
- Safer
  - Helps protect users from many forms of phishing & phraud attack
  - Support for two-factor authentication
- Built on WS-* Web Services Protocols

InfoCard: Consistent UI for Identity Selection & Provisioning
- Users need an easy visual way to handle multiple electronic identities: government-issued IDs, corporate IDs, self-signed IDs (such as a username and password for a web site)
- Simple visual abstraction of any identity type (PKI, password, token, secret, passphrase, etc.)
- Vision: a UI and metasystem that would be common across the industry
  - See the 7 "Laws of Identity" on www.identityblog.com
- Relationship to the Identity Metasystem: InfoCard is one of the WinFX APIs

Integrated Security Control

Control Over Device Installation
- Control over removable device installation via a policy
  - Mainly to disable USB-device installation, as many corporations worry about intellectual property leaks
  - You can control them by device class or driver
- Approved drivers can be pre-populated into the trusted Driver Store
- Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:
  - Non-corporate-standard drivers
  - Unsigned drivers

Client Security Scanner
- Finds out and reports the Windows client's security state:
  - Patch and update levels
  - Security state
  - Signature files
  - Anti-malware status
- Ability for Windows to self-report its state
- Information can be collected centrally, or just reviewed in the Security Center by the users and admins

Restart Manager
- Some updates require a restart
- Restart Manager will:
  - Minimise the number of needed restarts by pooling updates
  - Deal with restarts of computers that may be left locked by a user with applications running. E.g. after a restart, Microsoft Word will re-open a document on page 42, as it was before the restart
- This function is of most importance to centralised desktop management in corporations, not home users, of course

Secure Startup

Trusted Platform Module: TPM Chip Version 1.2
- Hardware present in the computer, usually a chip on the motherboard
- Securely stores credentials, such as the private key of a machine certificate, and is crypto-enabled
  - Effectively, the essence of a smart smartcard
- TPM can be used to request encryption and digital signing of code and files, and for mutual authentication of devices
- See www.trustedcomputinggroup.org

Code Integrity
- All DLLs and other OS executables have been digitally signed
- Signatures are verified when components load into memory

BitLocker™
- BitLocker strongly encrypts and signs the entire hard drive (full volume encryption)
- The TPM chip provides key management
- Can use additional protection factors such as a USB dongle, PIN or password
- Any unauthorised off-line modification to your data or OS is discovered and no access is granted
  - Prevents attacks which use utilities that access the hard drive while Windows is not running, and enforces the Windows boot process
- Protects data after laptop theft etc.
- Data recovery strategy must be planned carefully!
  - Vista supports three modes: key escrow, recovery agent, backup

Data Protection

RMS, EFS, and BitLocker: Three Levels of Protection
- Rights Management Services: per-document enforcement of policy-based rights
- Encrypting File System: per-file or per-folder encryption of data for confidentiality
- BitLocker™ Full Volume Encryption: per-volume encryption (see earlier)
- Note: it is not necessary to use a TPM for RMS and EFS
  - EFS can use smartcards and tokens in Vista
  - RMS is based, at present, on a "lockbox.dll" technology, not a TPM

CNG: Cryptography Next Generation
- CAPI 1.0 has been deprecated
  - May be dropped altogether in future Windows releases
- CNG: Open Cryptographic Interface for Windows
  - Ability to plug in kernel- or user-mode implementations for:
    - Proprietary cryptographic algorithms
    - Replacements for standard cryptographic algorithms
    - Key Storage Providers (KSP)
  - Enables cryptography configuration at enterprise and machine levels

Regulatory Compliance
Windows Vista cryptography will comply with:
- Common Criteria (CC): csrc.nist.gov/cc
  - Currently in version 3
- FIPS requirements for strong isolation and auditing
  - FIPS-140-2 on selected platforms and 140-1 on all
- US NSA (National Security Agency) CSS (Central Security Service) Suite B

Vista Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
- Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs
  - Higher special-security needs (e.g. nuclear security) are guided by Suite A (definition classified)
- Announced by NSA at the RSA conference in Feb 2005
- Encryption: AES, FIPS 197 (with key sizes of 128 and 256 bits)
- Digital Signature: Elliptic Curve Digital Signature Algorithm, FIPS 186-2 (using the curves with 256- and 384-bit prime moduli)
- Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV, Draft NIST Special Publication 800-56 (using the curves with 256- and 384-bit prime moduli)
- Hashing: Secure Hash Algorithm, FIPS 180-2 (using SHA-256 and SHA-384)

Summary: The Most Secure Windows Yet
- Threat and Vulnerability Mitigation
  - IE – protected mode / anti-phishing
  - Windows Defender
  - Bi-directional Firewall
  - IPSec improvements
  - Network Access Protection (NAP)
- Fundamentals
  - SDL
  - Service Hardening
  - Code Scanning
  - Default configuration
  - Code Integrity
- Identity and Access Control
  - User Account Control
  - Plug and Play Smartcards
  - Simplified Logon architecture
  - BitLocker
  - RMS Client
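The Suite B key-exchange building block named on the "Vista Supports NSA Suite B" slide, Elliptic Curve Diffie-Hellman over the 256-bit prime curve with SHA-256, worked through as an added Python example. This is not Vista's CNG implementation: it is a textbook affine-coordinate implementation of P-256 (FIPS 186-2 domain parameters, which are public constants) written for clarity rather than speed or side-channel resistance, and the key-derivation step is a simplified SHA-256 hash of the shared x-coordinate rather than the full SP 800-56 concatenation KDF. The private scalars in the demonstration are constructed fixed values so the run is reproducible; real keys come from a CSPRNG.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-2 curve P-256); the constants are public.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None   # the point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition / doubling on P-256 (textbook, not constant-time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                      # P + (-P)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def public_key(d):
    return mul(d, G)


def validate_public_key(q):
    """Full public-key validation: reject infinity, out-of-range or off-curve points,
    and points that do not have order N (the check SP 800-56 requires before ECDH)."""
    if q is INF or not on_curve(q):
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False
    return mul(N, q) is INF


def ecdh_shared_secret(my_private, their_public):
    """ECDH: the x-coordinate of d * Q, computed only after validating Q."""
    if not validate_public_key(their_public):
        raise ValueError("invalid peer public key")
    shared = mul(my_private, their_public)
    if shared is INF:
        raise ValueError("degenerate shared secret")
    return shared[0]


def derive_aes128_key(shared_x):
    """Simplified KDF: SHA-256 over the 32-byte shared x-coordinate, truncated to 128 bits.
    SP 800-56 specifies a concatenation KDF that also binds party identities and other info."""
    return hashlib.sha256(shared_x.to_bytes(32, "big")).digest()[:16]


if __name__ == "__main__":
    # Constructed private scalars for a reproducible demonstration.
    d_alice, d_bob = 0x1f2e3d4c5b6a7988, 0x0badf00dcafebabe
    q_alice, q_bob = public_key(d_alice), public_key(d_bob)
    k_alice = derive_aes128_key(ecdh_shared_secret(d_alice, q_bob))
    k_bob = derive_aes128_key(ecdh_shared_secret(d_bob, q_alice))
    print(k_alice.hex(), k_alice == k_bob)
```

The validation step is the part worth noticing: a peer that sends a point off the curve or of small order can otherwise leak bits of the private scalar, so a Suite B implementation validates the received public key before multiplying by it.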