Securing Microsoft Infrastructure

CMS Consulting Inc.
Microsoft Vista:
How Secure is it Really?
Presented at:
TASK
January 31, 2007
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA
MOM - Clustering - Office – Desktop Deployment - SQL –
Terminal Services - Security Assessments - Lockdown – Wireless
Training by Experts for Experts
MS Infrastructure – Security - Vista and Office Deployment
Visit us online: www.cms.ca
Downloads – Resources – White Papers
For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
CMS Training Offerings
• INSPIRE Infrastructure Workshop
– 4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
• Business Desktop Deployment – Deploying Vista/Office
– 3 days of classroom training - hands on labs (computers provided)
Business Desktop Deployment Concepts, Tools, Processes, etc. Vista
and Office
• Securing Internet Information Services
• Securing Active Directory
• Securing Exchange 2003
– 1 day classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
Session Goals
• We let Microsoft talk… so we need a balanced view!
• See what the dark side has been up to.
• Is it as secure as advertised?
• You may ask questions.
• Research is current as of Jan 31, 2007
• You may not provide emotional rants.
So what is newer, bigger, “bad”-er?
• User Account Control (UAC)
• Windows Defender *
• Windows Firewall *
• Windows Security Center *
• Malicious Software Removal Tool *
• Software Restriction Policies *
• BitLocker™ Drive Encryption
• Encrypting File System (EFS) *
• Rights Management Services (RMS) *
• Device control
• Address Space Randomization
• Now 2400-ish group policy settings (XP SP2 had 1700)
* Exists in, or downloadable for, XP
Internet Explorer 7
• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Etc, etc, etc
(Included here because Microsoft always shows it as part of Vista security… yes - I know it runs on XP).
The Switch to Vista
Vista Upgrade Process:
Buy lotsa new hardware → Return hardware → Buy hardware with Vista driver support → Admire new Aero Glass interface
• If you don’t buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.
Switch to Mac Instead?
The HOT Topic… DRM!
• Peter Gutmann wrote “A Cost Analysis of Windows Vista Content Protection” and called Vista DRM the “Longest Suicide Note in History”
• Microsoft rebutted this. The article included some technical clarifications, but appeared mostly as a PR piece.
DRM Highlights
• Vista will only play “premium” HD content on x64, as DRM couldn’t be implemented in their 32-bit OS.
• This basically affects HD-DVD and Blu-ray playback.
• A High-bandwidth Digital Content Protection (HDCP) compatible monitor is required. (Shame you bought that nice Dell 24” Ultrasharp)
• Peter thinks a skilled attacker could bypass Vista DRM inside a week.
• DRM is a big reason that Vista driver support is so limited, even based on the RTM media
DRM Bottom Line
• “Premium” content plays at very degraded quality unless policy is met.
• There are 30 checks per second to make sure DRM isn’t being bypassed (read: serious overhead)
• Drivers now have a “tilt” bit; it is up to vendors to determine what constitutes an attack. After a “tilt” is detected, the graphics subsystem resets
• Drivers can be revoked if they are exploited… if Microsoft revokes a driver, and the vendor doesn’t release an update, do you have to buy a new video card?
• Still too early to tell the fallout.
DRM Resources
A Cost Analysis of Windows Vista Content Protection
• http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
• Last Update January 27, 2007.
The Official Microsoft Rebuttal
• http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twentyquestions-and-answers.aspx
Windows Defender
Lineage: Giant AntiSpyware → Microsoft AntiSpyware Beta → Windows Defender
• XP and Vista only
• Not supported on W2K, but ORCA-edit the installer and it works fine
• You can also use ORCA to remove the WGA check
• Actively scans computers for "spyware, adware, and other potentially unwanted software.” You just need to trust their definition of what’s “unwanted”
Windows Defender
• SpyNet’s a neat idea.
• Not an antivirus solution (Forefront Client Security is)
• Not enterprise class (no central reporting, etc, etc)
• Can distribute updates by WSUS
Malware
• Sophos report summary:
– They used the top ten November 2006 forms of malware
– Windows Mail blocked all 10
– Using web mail, 3 of 10 infected Vista
• Mydoom, Netsky and Stration all succeeded
– All take advantage of social engineering. None took advantage of a security weakness.
Exploits for Sale!
• Trend Micro CTO quoted in various articles claiming to see Vista 0day on auction boards for upwards of $50k
• This isn’t really news. Exploits for $$$ are not new.
Attacks for Sale
$50k for an Exploit?
Exploit Prediction
• Because I’m such an expert on the topic.
– (Ok, stolen mostly from Symantec’s Vista Attack Surface paper)
• The networking stack is a complete re-write. Symantec found several DoS attacks in pre-release Vista and expect more.
• SMB2
• IPv6
• Loopback attacks (an exploit at low level connects back to a medium-level process, e.g. IE protected mode connecting back to SMB)
User Account Control
• The nuisance:
User Account Control
• Power Users no longer exists (well, it does, but does nothing unless you apply a security template)
• Harmless tasks no longer require administrator (e.g. change time zone, connect to a wireless network, install approved devices)
• Either on or off, no “less annoying” or “I said yes 5 times today, I still mean yes” option
• Not entirely true, there are more group policy settings available to control its behaviour (all settings = less control, more nuisance)
Disabling User Account Control
• Method 1 - Using Control Panel
• Method 2 - Using Control Panel on Single User
• Method 3 - Using Registry Editor
• Method 4 - Using MsConfig System Configuration
• Method 5 - Using Group Policy
Registry/File Virtualization
• When running under limited user access (LUA), failed (insufficient permission) registry and file writes get redirected (virtualized)
• Registry access failures to HKLM redirect to HKCU
From: HKEY_LOCAL_MACHINE\Software
To:   HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
• File access failures also redirect
From: C:\Progra~1 (C:\Program Files)
To:   %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
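As an added example (not from the presentation), the following Python script works out where a denied write would land under the redirection described above, so an administrator can tell a "virtualized" write (the legacy app keeps running, but its data now sits in a per-user shadow location that is worth auditing and that a user can tamper with) from a write that really failed. The slide names only Program Files and HKLM\Software; the Windows and ProgramData directories and the executable-extension exclusion are assumptions added here from memory of the Vista documentation, and the sample events and the user profile path are constructed.

```python
import ntpath  # Windows path rules, so the example also runs on a non-Windows host

# Where Vista redirects a denied HKLM\Software write (from the slide).
REG_SOURCE = ("HKEY_LOCAL_MACHINE", "SOFTWARE")
REG_TARGET = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software"

# Directories whose denied writes are redirected. Assumption for this example:
# the slide names only Program Files; Windows and ProgramData are added from
# memory of the Vista documentation.
VIRTUALIZED_DIRS = (r"C:\Program Files", r"C:\Windows", r"C:\ProgramData")

# Assumption: writes of files with these extensions are never virtualized,
# so a legacy installer dropping an .exe here fails outright.
NON_VIRTUALIZED_EXT = {".exe", ".dll", ".sys", ".ocx", ".com", ".bat", ".cmd", ".vbs", ".scr"}


def virtualized_registry_path(key: str):
    """Return the per-user VirtualStore key a denied write to `key` lands in, or None."""
    parts = key.split("\\")
    if len(parts) >= 2 and (parts[0].upper(), parts[1].upper()) == REG_SOURCE:
        return "\\".join([REG_TARGET, *parts[2:]])
    return None


def virtualized_file_path(path: str, user_profile: str):
    """Return the per-user VirtualStore path a denied write to `path` lands in, or None."""
    norm = ntpath.normpath(path)
    if ntpath.splitext(norm)[1].lower() in NON_VIRTUALIZED_EXT:
        return None
    for base in VIRTUALIZED_DIRS:
        if norm.lower().startswith(base.lower() + "\\"):
            drive, rest = ntpath.splitdrive(norm)  # "C:", "\Program Files\..."
            return ntpath.join(user_profile, "AppData", "Local", "VirtualStore",
                               drive.rstrip(":"), rest.lstrip("\\"))
    return None


def triage_denied_writes(events, user_profile):
    """Classify access-denied write events as 'virtualized' (the app keeps running,
    but its data is now in a per-user shadow location) or 'failed' (really rejected)."""
    report = []
    for kind, target in events:
        dest = (virtualized_registry_path(target) if kind == "registry"
                else virtualized_file_path(target, user_profile))
        report.append((target, "virtualized" if dest else "failed", dest))
    return report


# Constructed sample events, in the shape a process monitor would report them.
SAMPLE_EVENTS = [
    ("registry", r"HKEY_LOCAL_MACHINE\Software\LegacyVendor\App\Settings"),
    ("registry", r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Foo"),
    ("file", r"C:\Program Files\LegacyVendor\App\config.ini"),
    ("file", r"C:\Program Files\LegacyVendor\App\update.exe"),
    ("file", r"C:\Users\alice\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for target, verdict, dest in triage_denied_writes(SAMPLE_EVENTS, r"C:\Users\alice"):
        print(f"{verdict:11} {target}" + (f"\n            -> {dest}" if dest else ""))
```

The practical use is an inventory: anything that shows up under a user's VirtualStore is a legacy application that still expects to write to machine-wide locations, and is a candidate for a fix or a manifest before the Vista rollout rather than something to tolerate silently.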
Mildly entertaining
Windows Firewall
• XP has Domain vs. Standard configs
• Vista has Domain vs. Public vs. Private
• Application outbound rules (not on by default)
• Default config is the same configuration as XP SP2
• IPv6 support
• New console available by MMC that’s super cool
• Integration with IPSec
• See Steve Riley’s TechEd presentation: 102 slides on Firewall and IPSec changes
Comparing features

Feature             Windows XP SP2                  Windows Vista
Direction           Inbound                         Inbound, outbound
Default action      Block                           Configurable per direction
Packet types        TCP, UDP, some ICMP             All
Rule types          Application, global ports,      Multiple conditions, from the basic
                    ICMP types                      five-tuple to IPsec metadata
Rule actions        Block                           Block, allow, bypass; with rule merge logic
UI and tools        Control Panel, netsh            Control Panel, more netsh, MMC
APIs                Public COM, private C           More COM to expose rules, more C to expose features
Remote management   None                            Via hardened RPC interface
Group policy        ADM file                        MMC, netsh
Terminology         Exceptions; profiles            Rules; categories = profiles
Encrypting File System – New in Vista
• You can store user keys on smart cards.
• You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.
• You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.
• You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user’s key instead of the system key.
• EFS supports a wider range of user certificates and keys.
Address Space Randomization
• Been used in the Unix world for over 10 years
• Goal is to eliminate overflow attacks (memory space is no longer predictable)
• Stack and Heap are randomized
• EXEs and DLLs shipping as part of Vista are randomized
• All other EXEs and DLLs will need to explicitly opt in via a new PE header flag; by default they will not be randomized. Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted in or not)
Address Space Randomization
• Vista only uses 8 bits for randomization (2^8 = 256)
• An attacker has a 1/256 chance of getting an address right
• Brute force is always a possibility (if the app doesn’t die first)
• Side effect: memory fragmentation
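As an added example (not from the presentation or from Microsoft), here is a Python check for the opt-in flag the slides refer to: the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the PE optional header's DllCharacteristics field, which the linker sets with /DYNAMICBASE. This is what a deployment team can run over third-party binaries to find what will not be randomized. The make_stub_pe helper builds constructed, non-executable header bytes for testing; the probability function takes the slide's 8-bit figure and assumes each guess is independent and the target process survives a wrong one.

```python
import os
import struct

# Optional-header DllCharacteristics bits (from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linker /DYNAMICBASE: opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linker /NXCOMPAT: opts in to DEP

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset within PE32 and PE32+ optional headers


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    optional = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", data, optional + DLLCHARACTERISTICS_OFFSET)[0]


def aslr_opted_in(data: bytes) -> bool:
    """True if the image carries the DYNAMIC_BASE flag Vista requires for randomization."""
    return bool(pe_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def scan_directory(root: str) -> dict:
    """Map each .exe/.dll under root to whether it opted in; unparseable files are skipped."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        result[path] = aslr_opted_in(f.read())
                except (OSError, ValueError, struct.error):
                    pass
    return result


def brute_force_success_probability(attempts: int, bits: int = 8) -> float:
    """P(at least one correct guess in `attempts` tries) against a `bits`-bit random base.
    Assumes independent tries and that the process survives each wrong guess."""
    return 1.0 - (1.0 - 1.0 / 2 ** bits) ** attempts


def make_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: a minimal, non-executable PE header with the given flags."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for label, flags in (("opted in", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), ("legacy", 0)):
        print(label, aslr_opted_in(make_stub_pe(flags)))
    print("P(success within 256 tries) = %.3f" % brute_force_success_probability(256))
```

Run scan_directory over a vendor's install directory before approving it for a Vista image: a binary without the flag keeps the pre-Vista fixed load address, and (as the next slide notes) is exactly the kind of code an exploit can be aimed at regardless of the system DLLs being randomized.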
Address Space Randomization
• Ali Rahbar demonstrates in this whitepaper how to run an exploit on code not compiled with the randomization switch
Vista Piracy
• Volume Activation 2.0
• Cracks currently fall into 3 categories
– KMS in Virtual Machine (VMPlayer)
– TimeStop (aka 2099 Crack)
– FrankenBuild (RC1 components mixed with RTM)
• Bottom Line:
– Updates to WGA will detect and disable
– Many Cracks come with trojans for no extra charge.
Bitlocker: Crash Course
• Several options:
– TPM Only (this is the default)
– TPM + PIN
– TPM + USB
– USB Only (no TPM present)
• AES 128-bit or 256-bit based encryption
• Brute force currently computationally infeasible
• If no PIN is present, then stolen machines can still be attacked by traditional methods (i.e. TPM is present, and decryption happens at boot)
Bitlocker: Secure Enough?
• Attacks against TPM-only mode
– Warm boot without destroying memory, grab keys from memory ghosts
– Cold ghosting (memory remains charged long enough to capture)
– PCI bus exploit with repurposed PC Card device and DMA (direct memory access) (e.g. CardBus DMA technique demoed by David Hulton at ShmooCon, 2006)
– Xbox v1-style attacks
– BIOS attacks (may involve removal, re-programming and compromise of the Core Root of Trust for Measurement (CRTM))
• TPM + multi-factor
– Brute force PIN (mitigated by TPM anti-hammering)
– Key wear analysis (theoretical)
– BitLocker-aware boot rootkits
– Multi-visit attacks (hobble BitLocker, then steal laptop)
– Lost machine while unlocked (one-chance threat)
• The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves. Presentation by Douglas
BitLocker: Secure Enough?
• Team Blog violently opposes and denies any gov’t
backdoor. If one is legislated, they promise to disclose or
withdraw the feature
• No apparent “easy to execute” attacks (yet)
PatchGuard
• Also known as Kernel Patch Protection (KPP)
• Not to be confused with the requirement for signed drivers
• Means you can't mess with the kernel
• Exists for all x64 versions of Windows
• 5 or 6 bypass methods can be found by searching, although little PoC exists; no methods appear to work with Vista
• Authentium "broke" PatchGuard on RC
• Joanna's raw-disk access PatchGuard exploit was shut down with RC2
• Designed to both limit rootkit exposure and stop vendors from using undocumented kernel manipulation
PatchGuard
• This really is what all the AV vendors are upset about
• Symantec has posted a paper on how to disable first the kernel signed driver requirement and then PatchGuard (not updated with RTM info, but I believe it would still work). Involves taking ownership on ACLs from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE
• Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - Posted Jan 29
Notes on Secure Deployment
• Use BDD 3.0 for standardized rollout
• Read all 107 pages of Microsoft’s “Vista Security Guide”
• GPOAccelerator.wsf creates Domain, User, Desktop and Laptop GPOs for you!
• Deploy 64-bit if possible (it’s more secure)
• Make sure your AV vendor supports Vista and x64
• Train users on UAC
• Replace Defender with something enterprise class