Windows Vista and Windows Server Codename "Longhorn" Security

Windows Vista and Windows Server Codename “Longhorn” Security Enhancements
Avi Ben-Menahem
Lead Program Manager
Windows Security
Microsoft Corporation
Chris Corio
Program Manager
Agenda
Windows Vista and Windows Server codenamed “Longhorn” Security Overview
Isolated Desktop
Kernel Mode Driver Signing
Crypto Next Generation (a.k.a CNG)
Base Smart Card CSP Architecture
WinLogon Architecture
User Account Control and You
Windows Security Overview
(Diagram: map of the Windows security technology areas: Access Control, Authentication, Authorization, Audit, Credential Management, Policy exp., Eventing, Certificate Server, Protocol, RBAC, Logging, Lifecycle Management, Logon, Persistence, Common Criteria, Credential Roaming, 2 Factor AuthN, AzMan, FIPS, Smart Cards, End User Tools, Identity, CAPI, CNG, X.509 Processing, Cryptography Services, Secure Startup, Isolated Desktop, Secure Operating System, Kernel Mode Code Signing.)
Windows XP behavior
Session
Session
00
Session 1
Application
A
Application
D
Service
A
Application
Application
A
Application
Service A
Service B
B
E
Service C
Application
C
Application
F
Service B
Session 3
Application B
Session 2
Application
J
Application
G
Application
Service KC
Application
ApplicationHC
Application
L
Application
I
Services Session
Windows Vista behavior
Session 0
Session 1
Service A
Application
A
Service B
Application
B
Service C
Application
C
Session 3
Session 2
Application
G
Application
D
Application
H
Application
E
Application
I
Application
F
Services Session
Technology introduction
Separation of services from user sessions
The desktop is the security boundary for Windows user interfaces
Interactive services are vulnerable to compromise through Windows messaging
Currently users cannot see or interact with interactive service UI from their session
The Interactive Services Detection Service is available in the interim
Services Session
Implementation guidelines
Services should never open a window on the interactive desktop
Services which need user input can:
Use WTSSendMessage to pop up a simple message box on the user’s desktop
Inject a process into the target session by using the CreateProcessAsUser API
Motivation For Kernel Mode Code Signing
Trustworthy computing built on a trusted kernel
Windows Vista has an identifiable kernel state
Secure kernel loads only signed binaries
Reduce platform vulnerability from unknown binaries
Identifiable kernel enables new scenarios
Access next generation premium content
Address growing threat of malicious rootkit attacks
Improve reliability by identifying and working with kernel mode software publishers
Code Integrity Verification
Signature checks by OS loader and kernel
On x64 (64-bit) platforms
All kernel mode code must be signed in order to load
Identity of all kernel mode binaries is verified
System audit events for integrity check failures
On x86 (32-bit) platforms
Administrator is prompted and must accept to install unsigned kernel mode code
Load-time checks done on all kernel mode binaries; unsigned code allowed to load
Next generation premium content may not be accessible, depending on content protection policy
Developer And Test Support
For developers and testers
Options to disable code verification policy
Attach an active kernel debugger and turn on debugging
F8 key, Advanced Boot Option to disable driver signing enforcement for the current boot
Boot configuration option to not fail driver load if the integrity check fails (Beta2 only)
For pre-release testing
WHQL Test signing
Bcdedit option to enable loading of test-signed drivers
Signing Boot Critical Drivers
Boot critical drivers are loaded by the OS loader
Start Type = 0, loaded by Winload
Boot critical driver files must be embedded signed
Signature is contained in the binary file
Avoids boot time degradation from locating the catalog file
Embedded sign before submitting to WHQL
Sign individual driver files, then submit the package
This is a new WHQL Logo requirement
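Added example (not from the slides): one PowerShell audit over the services registry key that serves two of the points above, the Services Session guideline (services flagged interactive will have their UI stranded in Session 0) and the boot critical driver rule (Start = 0 drivers must carry an embedded, not catalog-only, signature). It assumes Windows PowerShell 3.0 or later for the SignatureType property of Get-AuthenticodeSignature.

```powershell
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_INTERACTIVE_PROCESS = 0x100   # Type flag of services that draw UI on the interactive desktop

# Turn the registry ImagePath forms (\SystemRoot\..., \??\C:\..., system32\...) into a file path.
function Resolve-ImagePath([string]$ImagePath, [string]$ServiceName) {
    if (-not $ImagePath) { $ImagePath = "system32\drivers\$ServiceName.sys" }   # default for kernel drivers
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^(\\SystemRoot|%SystemRoot%)\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# (a) Services flagged SERVICE_INTERACTIVE_PROCESS: under Session 0 isolation the user never sees their UI.
function Get-InteractiveService {
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if (($props.Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $props.ImagePath }
        }
    }
}

# (b) Boot-start drivers (Start = 0): Winload checks the embedded signature, so a catalog-only
#     signature (SignatureType 'Catalog') or no signature at all is a finding on x64.
function Get-BootDriverSignatureStatus {
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.Start -ne 0) { return }
        $file = Resolve-ImagePath $props.ImagePath $_.PSChildName
        if (-not (Test-Path $file)) { $status = 'FileMissing'; $type = 'None'; $signer = $null }
        else {
            $sig = Get-AuthenticodeSignature $file
            $status = $sig.Status; $type = $sig.SignatureType; $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{ Driver = $_.PSChildName; File = $file; Status = $status
                           SignatureType = $type; EmbeddedSigned = ($type -eq 'Authenticode'); Signer = $signer }
    }
}

Get-InteractiveService | Format-Table -AutoSize
Get-BootDriverSignatureStatus | Where-Object { -not $_.EmbeddedSigned } | Format-Table -AutoSize
```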
Crypto Next Generation
Technology overview
New crypto infrastructure to replace the existing Crypto API 1.0
Crypto API will still be available in Windows Vista but will be deprecated in some future version
Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
New crypto algorithms can be plugged into OS protocols (e.g., SSL, S/MIME)
Crypto Next Generation
Feature highlights
Crypto agility
Flexible configuration system that includes machine and enterprise level settings
Simple and granular plug-in model that supports both kernel and user mode
Support for a superset of the algorithms in Crypto API, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
Private key isolation for Common Criteria compliance
Improved performance
Crypto Next Generation
Three layers of plug-ins
(Diagram: applications and protocol providers call the CNG routers for symmetric crypto, hashing, asymmetric crypto, signature, key exchange, RNG and key storage; the routers dispatch to primitive providers and key storage providers.)
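Added example (not from the slides): the CNG key storage and elliptic curve support described above, exercised from PowerShell through the .NET CNG wrappers. It creates a non-exportable ECDSA P-256 key in the Microsoft Software Key Storage Provider, signs and verifies a constructed message, shows that a tampered message fails verification, and deletes the key. The key name is a constructed placeholder; Windows PowerShell 3.0 or later on a CNG-capable Windows is assumed.

```powershell
Add-Type -AssemblyName System.Core   # home of System.Security.Cryptography.CngKey / ECDsaCng

function Test-CngEcdsaRoundTrip {
    param([string]$KeyName = 'ContosoDemoEcdsaKey')   # constructed key name for the demo
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # private key never leaves the KSP
    if ([System.Security.Cryptography.CngKey]::Exists($KeyName)) {
        [System.Security.Cryptography.CngKey]::Open($KeyName).Delete()            # start clean on re-runs
    }
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $params)
    try {
        $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($key)
        $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
        $data = [Text.Encoding]::UTF8.GetBytes('constructed sample message')
        $sig = $ecdsa.SignData($data)                 # signature computed inside the KSP
        $ok = $ecdsa.VerifyData($data, $sig)
        $data[0] = $data[0] -bxor 1                   # flip one bit of the message
        $tampered = $ecdsa.VerifyData($data, $sig)    # must be $false
        [pscustomobject]@{
            Provider = $key.Provider.Provider; Algorithm = $key.Algorithm.Algorithm
            SignatureBytes = $sig.Length; Verified = $ok; TamperedVerified = $tampered
        }
    } finally { $key.Delete() }                       # remove the persisted key from the KSP
}

Test-CngEcdsaRoundTrip
```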
WinLogon Architecture
Windows XP
(Diagram: in Session 0, WinLogon hosts User GP, LSA, Profiles, SCM, Machine GP, MSGINA and the Shell; in other sessions WinLogon hosts User GP, MSGINA and the Shell.)
WinLogon Architecture
Windows Vista
(Diagram: Session 0 holds LSA, WinInit, RCM, SCM, Profiles and Group Policy; each other session has WinLogon with LogonUI hosting Credential Providers 1, 2 and 3.)
Credential Providers
Technology introduction
Credential Providers replace GINA
Credential Providers “plug in” to Logon UI
Logon UI can interact simultaneously with multiple credential providers
Credential Providers can be user selected and/or event driven
Inbox Credential Providers: Password, Smart Card
What Credential Providers cannot do: replace the UI for the logon screen
Credential Providers
Value proposition
Easier to write a Credential Provider than it was to write a GINA
LogonUI and CredUI provide all UI
Winlogon handles LSALogonUser and Terminal Services support
Credential providers simply define credentials and use LogonUI to gather the data
Uses COM to interact with LogonUI and CredUI
Credential Providers
Password example
(Diagram of the logon flow between WinLogon, LogonUI, the Credential Provider interfaces (Credential Providers 1, 2 and 3) and the LSA:)
1. User presses Ctrl+Alt+Delete (WinLogon)
2. WinLogon requests a credential from LogonUI
3. LogonUI gets credential information from the credential providers
4. LogonUI displays the UI
5. User clicks on a tile, types user name and password, clicks Go
6. Go received by LogonUI
7. LogonUI gets the credential for logon from the credential provider
8. LogonUI returns the credential to WinLogon
9. WinLogon calls LSALogonUser (LSA)
Smart Card Subsystem
Current
(Diagram: crypto applications such as IE and Outlook call CAPI, which dispatches to per-vendor Smart Card CSPs #1 to #n; the CSPs and non-crypto applications use the SCard API to reach the Smart Card Resource Manager and Card Readers #1, #2 and #3.)
Smart Card Subsystem
Vista and beyond
(Diagram: crypto applications call CAPI or CNG; CAPI routes to the Base CSP or to a vendor Smart Card CSP, CNG routes to the Smart Card KSP; the Base CSP and Smart Card KSP load vendor card modules (RSA, ECC, RSA/ECC); these and non-crypto applications use the SCard API to reach the Smart Card Resource Manager and Card Readers #1, #2 and #3.)
Smart Card Subsystem
Simplified Software Development
Common crypto operations handled in the platform
API for card manufacturers
Enhanced User Experience
Planned certification and testing program for smartcard middleware on Windows Update
PnP support for Smart Cards
Enhanced Smart Card Logon Scenarios
Root certificates propagation
Integrated Smart Card unblock
Service Hardening
Motivation
Services are attractive targets for malware
Run without user interaction
Number of critical vulnerabilities in services
Large number of services run as “System”
Worms target services
Sasser, Blaster, CodeRed, Slammer, etc…
Service Hardening
Developer guidance
Move to a least privileged account
Use “Local Service” or “Network Service”
Grant the Service SID access via ACLs on service specific resources
Use the Service SID, ACLs and a “write-restricted token” to isolate services
Supply network firewall rules
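Added example (not from the slides): the developer guidance above applied with the built-in sc.exe, netsh and ACL tooling to a hypothetical service named ContosoAgent. The service name, data directory and port are constructed placeholders; the script assumes the service is already installed and runs from an elevated PowerShell.

```powershell
$svc     = 'ContosoAgent'                        # hypothetical service short name
$dataDir = "$env:ProgramData\Contoso\Agent"      # constructed service-specific resource

# 1. Least privileged account instead of LocalSystem (sc.exe requires the space after '=').
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Put the per-service SID into the token and make the token write-restricted:
#    writes then succeed only on objects that explicitly grant the service SID
#    (or Everyone / the logon SID), so the data directory below must name it.
sc.exe sidtype $svc restricted
sc.exe showsid $svc                              # the SID that NT SERVICE\ContosoAgent resolves to

# 3. Keep only the privileges the service actually needs; the SCM strips the rest at start.
sc.exe privs $svc SeChangeNotifyPrivilege

# 4. ACL the service's own data directory: SYSTEM and Administrators keep full control,
#    the service SID gets Modify, the broad inherited ProgramData entries are dropped.
New-Item -ItemType Directory -Force $dataDir | Out-Null
$acl = Get-Acl $dataDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting, discard inherited rules
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "NT SERVICE\$svc") {
    $rights = if ($id -like 'NT SERVICE\*') { 'Modify' } else { 'FullControl' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl $dataDir $acl

# 5. Firewall rule scoped to this service alone (service=<short name>), not to the host process.
netsh advfirewall firewall add rule name="$svc inbound" dir=in action=allow protocol=TCP localport=8443 service=$svc

# Verify the SID type and the resulting ACL.
sc.exe qsidtype $svc
(Get-Acl $dataDir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```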
User Account Control
Motivation
Everybody runs as an administrator on XP
There is tremendous security benefit to running as a “Standard User”
Most software doesn’t need Administrator privileges to run
Windows Vista UAC goals
All users run as Standard User by default
Filtered token created during logon
Only specially marked apps get the unfiltered token
Explicit consent required for elevation
Predictable shell elevation paths
High application compatibility
Data redirection
Enabling legacy apps to run as standard user
Installer Detection
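Added example (not from the slides): a PowerShell diagnostic that asks the kernel which of the two tokens from an admin logon the current process holds, using the TokenElevationType token information class (value 18, returning 1 = Default, 2 = Full, 3 = Limited). It also shows that the filtered token fails the usual Administrators group check, which is why explicit admin checks in standard user applications misbehave under UAC. The P/Invoke wrapper and class name are assumptions for this example; Windows Vista or later is required.

```powershell
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int len, out int ret);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;          // TOKEN_INFORMATION_CLASS member, Vista and later
    public static int GetElevationType() {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try {
            int value, returned;
            if (!GetTokenInformation(token, TokenElevationType, out value, 4, out returned))
                throw new System.ComponentModel.Win32Exception();
            return value;                       // TOKEN_ELEVATION_TYPE: 1 Default, 2 Full, 3 Limited
        } finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $sig

$type = [TokenInfo]::GetElevationType()
$meaning = @{ 1 = 'Default: no split token (true standard user, or UAC disabled)'
              2 = 'Full: the unfiltered administrator token (elevated process)'
              3 = 'Limited: the filtered token that admin logons start with' }

# With the filtered token the Administrators SID is present deny-only, so this check returns $false.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$isAdminEffective = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"TokenElevationType = $type ($($meaning[$type]))"
"Administrators group effective in this token: $isAdminEffective"
```

Run it once from a normal prompt and once from an elevated one on an administrator account to see type 3 turn into type 2 and the group check flip from False to True.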
UAC Architecture
(Diagram: at admin logon the user Abby receives two tokens, an Admin Token carrying Administrative Rights and a “Standard User” Token carrying Standard User Rights.)
UAC Architecture
(Diagram, Standard User Mode: user processes run with the Standard User Privilege and can change the time zone, run IT approved applications, install fonts, install printers, run MSN Messenger, etc.)
UAC Architecture
(Diagram, Admin Privileges: the same standard user operations still run in user processes with the Standard User Privilege, while tasks such as configuring IIS or installing an application run in an Admin Process with the Admin Privilege.)
Guidance For Application Developers
Installation Best Practices
Use MSI 3.1 for install and update
Alternative to MSI 3.1: call Update.exe marked as admin to do the update
Self updating code: don’t do it!
This is our largest App Compat problem
Home consumer user applications
Examples of what not to do
Do not assume the user is an administrator
Run custom actions in the right context!
ClickOnce is a great deployment technology for Standard User apps
Guidance For Developers
Application Data Best Practices
Your app’s per-user setup is performed at first run
Place per-user data into %LOCALAPPDATA%
Roaming data into %APPDATA%
Place per-machine (shared) data into %ALLUSERSPROFILE%
Examples of what not to do
Do not perform admin configuration at first run
Do your admin operations during setup
Do not perform explicit Admin checks for Standard User applications
UAC and Code Access Security (CAS) can be used together for defense in depth
User Account Control in Windows Vista
Chris Corio, Program Manager, Windows Security
Call To Action
Ensure that your device and driver work on ALL 64-bit enabled Windows operating systems
Test your applications soon; understand the difference that UAC will make
Additional Resources
CNG
API documentation – currently only available with signed NDA and EULA
Smart Card Subsystem
Base CSP and Card Module specifications have been published to over 20 card vendors – ask if your card vendor has a card module
Card module developer kit including card module spec, Base CSP binary, test suite, etc. is currently only available with signed NDA and EULA
Card module developer information will be made public via MSDN in the coming months
A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
Windows Service Hardening
Email: wsh@microsoft.com
User Account Control
Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
UAC Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
UAC Blog: http://blogs.msdn.com/uac
Additional Resources
Kernel Mode Code Signing
White paper titled “Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista”
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
64-bit and kernel mode
http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx
Vista Logo requirements
http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.