How NOT to piss off an ITPro aka How to Build Better Software for Windows

Sami Laiho Senior Technical Fellow, MVP

@samilaiho  [email protected]  #DevSum19

Sami Laiho, Senior Technical Fellow, adminize.com / Sulava
• IT Admin since 1996
• MCT since 2001
• MVP in Windows OS since 2011
• Specializes in and trains:
  • Troubleshooting
  • Windows Internals
  • Security, Social Engineering, Auditing
  • Centralized Management, Active Directory
• Trophies:
  • Ignite 2018 – Session #1 and #2 (out of 1708)!
  • Best Speaker at NIC, Oslo 2016, 2017 and 2019
  • Best External Speaker at Ignite 2017
  • TechDays Sweden 2016, 2018 – Best Speaker
  • TechEd Europe and North America 2014 – Best session, Best speaker
  • TechEd Australia 2013 – Best session, Best speaker
  • TechEd Europe 2013 – Best Session by an external speaker

I got certs – 1,2 kg of them

@samilaiho – If you are not on Twitter, get on Twitter!

70 best hackers in the world invited (#36)

• Super proud to be included in this book
• All profits go to charity!
• https://www.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189

10 Deadly Sins of App Design

By the Book – RTFM
https://docs.microsoft.com/fi-fi/windows/desktop/win_cert/certification-requirements-for-windows-desktop-apps

#1 Wrong use of Filesystem
Executable code and user data should not be in the same location

Mandatory Integrity Control

[Diagram: write operations under Mandatory Integrity Control – a process at a given integrity level (System, High, Medium, Low) writing to an NTFS resource labelled System, High, Medium or Low]

Location for code and data

• Binary goes to:
  • 64-bit app → C:\Program Files
  • 32-bit app → C:\Program Files (x86)
• Data goes to:
  • All users (shared) → C:\ProgramData
  • Single user:
    • Roaming data → C:\Users\"UserName"\AppData\Roaming
    • Not roaming, Medium integrity data → C:\Users\"UserName"\AppData\Local
    • Not roaming, Low integrity data → C:\Users\"UserName"\AppData\LocalLow

Case of Windows Defender

#2 Wrong use of Registry

Registry

• Computer wide: HKLM\Software
• User specific: HKCU\Software
• NOT HKLM\System!

#3 Wrong use of Services

Service accounts and user rights

• You can use the three built-in service accounts
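As an added example (not from the slides), this PowerShell snippet audits which services on a machine run under a custom account instead of one of the three built-in service accounts (LocalSystem, LocalService, NetworkService) and resolves the per-service SID that the "Services have SIDs as well" slide refers to; MyService and its data folder are hypothetical names.

```powershell
# Added example, not part of the slide deck. Requires PowerShell on Windows
# (CIM, LSA account lookup, icacls.exe).

# The three built-in service accounts as Win32_Service.StartName reports them.
$builtInAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-CustomAccountService {
    # Lists services whose logon account is not one of the built-in three
    # (a local user, a domain user, a gMSA, ...). -notin is case-insensitive.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.StartName -notin $builtInAccounts) } |
        Select-Object Name, DisplayName, StartName, StartMode, State
}

function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Every service has a virtual identity NT SERVICE\<name>. Its SID
    # (S-1-5-80-...) is derived from the service name, so it is identical on
    # every machine; LSA resolves it through the normal account-lookup path.
    $account = [System.Security.Principal.NTAccount]"NT SERVICE\$ServiceName"
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Grant-ServiceDataAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$DataPath
    )
    # Instead of a custom user account: keep running as a built-in account and
    # grant the service SID Modify rights on its own data folder.
    # (OI)(CI) = inherit to files and subfolders; M = Modify.
    # The service must be registered with SID type Unrestricted
    # (sc.exe sidtype <name> unrestricted) for the SID to be in its token.
    New-Item -ItemType Directory -Path $DataPath -Force | Out-Null
    icacls.exe $DataPath /grant "NT SERVICE\${ServiceName}:(OI)(CI)M"
}

# Usage (TrustedInstaller exists on every Windows box; MyService is hypothetical):
Get-CustomAccountService | Format-Table -AutoSize
Get-ServiceSid -ServiceName 'TrustedInstaller'
# Grant-ServiceDataAccess -ServiceName 'MyService' -DataPath "$env:ProgramData\MyService"
```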

Avoid custom service accounts

Services have SIDs as well

#4 Software Requires Admin Rights – NO IT DOES NOT!

No excuses!

NT 3.1 Security Guide

• States that local admins have full access to the computer.
• It also says: "in Windows there is no security if you run as admin"

Analysis of "Patch Tuesday" Security Bulletins from 2015
• 85% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights
• 52% increase in the total volume of vulnerabilities compared to 2014
• 429 vulnerabilities (304 in 2014)
• 85% were found to be mitigated by the removal of admin rights

2016 Microsoft Vulnerabilities Study

Key findings:
• Of the 189 vulnerabilities in 2016 with a Critical rating, 94% were concluded to be mitigated by removing administrator rights
• 99% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
• 93% of Critical vulnerabilities affecting … could be mitigated by removing admin rights
• 100% of vulnerabilities in IE and Chrome could be mitigated by removing admin rights
• 66% of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights
• 100% of vulnerabilities impacting Microsoft's latest browser Edge could be mitigated by removing admin rights

Microsoft Vulnerabilities Report 2017

The 2017 report highlights the following key findings:
• Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017.
• 95% of Critical vulnerabilities in Microsoft browsers can be mitigated by removing administrator rights.
• Almost two thirds of all Critical vulnerabilities in Microsoft Office products are mitigated by removing admin rights.
• Removing admin rights would mitigate almost 80% of Critical vulnerabilities in Windows 10 in 2017.
• 88% of all Critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.

Case of Shit-O-Meter

#5 Not having an MSI
We don't care about anything but MSI or MSIX

#6 Bad Uninstaller
Not cleaning up properly
Visual Studio 2015 adds 110000 registry entries

#7 Incorrect use of Multimedia Processes
For maximum battery life the current timer interval (which can be changed with timeBeginPeriod or NtSetTimerResolution) should be 15.6 ms

Case of PDF Creator / Google

#8 Hating APPX / MSIX

Application Isolation

• Starting from Windows 8, the modern (later, in Windows 10, called universal) apps are packaged in APPX packages that allow the use of AppContainers

[Diagram: three apps, each in its own AppContainer at Low integrity, with access mediated by capabilities]

Quote from Microsoft

• "As you folks know my team owns *all* the deployment technologies at Microsoft. We are being quite clear – all investments are going into MSIX. This is why you saw MSIX AppAttach announced this week to enable WVD/RDP/VDI scenarios. AppAttach is there to make app distribution in a VDI environment significantly better but it is also there to be the replacement for App-V streaming in a VDI environment. Our goal is for there to be no reason not to move to MSIX from your current deployment tech. Of course Rome wasn't built in a day so it's a journey but it's very important to let your customers know that MSIX is the future of app deployment and while App-V provides them tremendous value today there is no roadmap for App-V that doesn't end up in MSIX."

#9 Management Tools misunderstood
https://cloudblogs.microsoft.com/windowsserver/2019/04/29/its-time-to-update-your-windows-management-strategy/

Future of Management

• Windows Admin Center: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview
• No MMC
• No GUI on the server
• Server 1809 → Nano Server
• PowerShell is the only required management interface
  • But it's nice to have a GUI as well, as long as it's remote ☺
• Admins need to manage from Privileged Access Workstations (PAW)
• RDP is for "emergency use only"
• https://blog.win-fu.com/2014/07/why-you-need-to-manage-your-gpos-from.html

#10 Not Ready For Whitelisting

Whitelisting

• Do not change ACLs on Program Files and Windows – DO NOT!
• Don't install in:
  • the root of C:\
  • C:\Users
  • C:\ProgramData
  • anywhere outside of Program Files and Program Files (x86)
• All binaries need to be signed, including DLLs
  • If you use scripts, those as well
  • Even more so if you update your own binaries
• Sign with a trusted cert!

Whitelisting
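As an added example (not from the slides), the following PowerShell script checks an application install against two rules from this deck: code belongs under Program Files / Program Files (x86) (#1, #10) and every binary and script carries a valid Authenticode signature from a trusted certificate (#10). MyApp is a hypothetical product name.

```powershell
# Added example, not part of the slide deck. Reports code files that are
# outside the allowed code roots or that lack a Valid Authenticode signature.

$codeExtensions = '.exe', '.dll', '.sys', '.ocx', '.msi', '.ps1', '.vbs', '.js'

function Test-InCodeRoot {
    param([Parameter(Mandatory)][string]$Path)
    # True when the file sits under Program Files or Program Files (x86).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if ($Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-WhitelistingFinding {
    param([Parameter(Mandatory)][string[]]$Root)
    # Walks the given folders and reports every code file that is either
    # outside a code root or not carrying a Valid signature. Non-Valid statuses
    # include NotSigned, NotTrusted (self-signed or untrusted chain) and
    # HashMismatch (file modified after signing) - all of them block whitelisting.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $codeExtensions } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                InCodeRoot = Test-InCodeRoot -Path $_.FullName
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { -not $_.InCodeRoot -or $_.Signature -ne 'Valid' }
}

# Usage: the install root should come back empty, and the data locations the
# slides warn about (ProgramData, the profile, Temp) should hold no code at all.
Get-WhitelistingFinding -Root "$env:ProgramFiles\MyApp" | Format-Table -AutoSize
Get-WhitelistingFinding -Root @("$env:ProgramData\MyApp", "$env:LOCALAPPDATA\MyApp", $env:TEMP) |
    Format-Table -AutoSize
```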

• Case of Teams or Slack
• It is not an excuse to say that the provider of the platform hasn't signed – you are responsible!
• Don't create binaries in Temp folders – especially if they are not signed!

Case of TeamViewer or Slack/Teams

KIITOS JA ANTEEKSI! – Thank you and I'm Sorry

And… last but not least – don't forget to evaluate this session in the DevSum app!

#DevSum19

WANT MORE?

• Come to my courses: https://win-fu.com/ilt/
• Check out my videos at Pluralsight!
• Send me an email for a free pass!
• Check out my personal video library at https://win-fu.com/dojo
• Follow me on Twitter: @samilaiho
• Blog, Slack: https://win-fu.com/
• Consulting? Email me at [email protected]