Windows 7 Security

CS140M Fall 2014

Objectives

• Background • Windows Security Architecture Windows 7 Security • Windows Vulnerabilities • Means of Evaluating Metrics • System Hardening By Al Lake – Windows Defenses Fall 2014 • OS Security Capabilities CS 140M LBCC • Conclusion

CS140M Fall 2014 Lake 2

Background: Operating System Market Share (September 2014 – netmarketshare.com) Desktop OS Market Share OS Percentage

Windows 92%

Mac OS X/iOS 6%

Linux (Android) 2%

CS140M Fall 2014 Lake 3 CS140M Fall 2014 Lake 4

Windows Background Windows Security Architecture

• Advantages • Security Reference Monitor – User friendly • Local Security Authority – Enhancements can help millions of users • Security Account Manager – Defects found quickly because of widespread use • Active Directory • Disadvantages • Local vs. Domain Accounts – Security defects can leave millions vulnerable • Access Control Lists – Non‐technical user‐base • Integrity Control – Industry dominance leaves MS handcuffed ‐ any move to expand capabilities seen as anticompetitive • User Account Controls

CS140M Fall 2014 Lake 5 CS140M Fall 2014 Lake 6

Lake CS140M Fall 2014

Local Security Policy Security Reference Monitor (SRM)

• Kernel Mode Component that – Performs Access Checks – Generates Audit Log Entries – Manipulates User Privileges

CS140M Fall 2014 Lake 7 CS140M Fall 2014 Lake 8

Local Security Authority (LSA) Security Account Manager (SAM)

• Responsible for enforcing local security policy – Lsass.exe – User mode • A database that • A Microsoft Windows file stored in stores user the c:\windows\system32 short for Local Security Authority Subsystem accounts and local Service and has the file description: users and groups LSA shell. security • Lsass.exe is responsible for how information Microsoft Windows handles security • SamSrv.exe and security related policies, authority domain authentication, and Active Directory management on your computer.

CS140M Fall 2014 Lake 9 CS140M Fall 2014 Lake 10

Active Directory WinLogon & NetLogon

• Directory Service • WinLogon – keyboard requests – Server‐based authentication • NetLogon – network requests – Centrally managed

CS140M Fall 2014 Lake 11 CS140M Fall 2014 Lake 12

Lake CS140M Fall 2014

Local versus Domain Accounts Workgroup Joined

• Local Accounts for computers not hooked up • A collection of computers connected together to a network • Only local accounts in SAM can be used • Networked computers can be: • No infrastructure to support AD – Workgroup joined – Domain joined

CS140M Fall 2014 Lake 13 CS140M Fall 2014 Lake 14

Domain Joined Windows Login Example

• • Administrator creates a user account (full name, Share access to networked printers, file username, password, group, privileges) servers, etc. • Windows creates a security identifier (SID) in the • Centrally Managed form of – S‐1‐5‐21‐AAA‐BBB‐CCC‐RRR – More secure • In MS Windows, the username can be in two – Scalable formats – SAM format: support by all versions of Windows (legacy format) • Form: DOMAIN/username – User Principle Name (UPN) and looks more like RFC822 email address • Example: [email protected]

CS140M Fall 2014 Lake 15 CS140M Fall 2014 Lake 16

Windows Login Example Review Question

• User logs in with keyboard • A user hits Ctrl+Alt+Del and logs into Windows • Information is sent to the AD (domain with a keyboard… or controller) • Windows + L • If successful token is generated and sent to user • • Token contains What Windows process captures this login? – User’s SID – Group membership • Link to Process Monitor – Privileges • http://blogs.msdn.com/b/dswl/archive/2010/01/10/how‐to‐capture‐a‐ process‐monitor‐trace.aspx

CS140M Fall 2014 Lake 17 CS140M Fall 2014 Lake 18

Lake CS140M Fall 2014

Answer Windows Privileges

• The WinLogon process captures logins at the • System‐wide permissions assigned to user keyboard accounts • WinLogon passes information to the domain • Some are considered “dangerous” controller (Active Directory) to perform logon – Act as part of the OS privilege • WinLogon would pass the information to the – Debug programs privilege SAM (if local) which would give true/false authentication status – Backup files and directories privilege • LSA would generate token if SAM verifies true • Some are considered “benign” username/password combination – Bypass traverse checking privilege

CS140M Fall 2014 Lake 19 CS140M Fall 2014 Lake 20

Access Control List (ACL) Access Control List (ACL) (continued) • Discretionary ACL • Objects needing protection are assigned an – Grants or denies access to protected resources ACL that includes such as files, shared memory, etc. – SID of object owner • System ACL – List of access control entries (ACEs) – An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL • Each ACE includes a SID and Access Mask identifies a trustee and specifies the access rights – Access mask could include allowed, denied, or audited for that trustee. The • Read, Write, Create, Delete, Modify, etc. security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

CS140M Fall 2014 Lake 21 CS140M Fall 2014 Lake 22

Access Control Example Integrity Control

• User opens text file • New to Windows 7: a low‐level change to Windows that isolates different objects on a trust‐based scale • Controlled by a new OS component called Windows Integrity Control (WIC) • Integrity levels trounce permissions – Example: malware no longer runs at the privilege level of the logged‐ on user, as it does in XP – The process runs in the integrity level of the object that spawned it • Makes process isolation and other Windows 7 security measures possible

CS140M Fall 2014 Lake 23 CS140M Fall 2014 Lake 24

Lake CS140M Fall 2014

Six Integrity Levels MIC: Mandatory Integrity Control

• Mandatory Integrity Control Object and Principals are labeled (MIC) provides a • Untrusted mechanism for controlling access to securable objects. • Low This is in addition to • Medium discretionary access control. • High • Mandatory Integrity Control • System (MIC) in Windows 7 – Limits operations changing an • Installer object’s state

CS140M Fall 2014 Lake 25 CS140M Fall 2014 Lake 26

Integrity Levels Integrity Levels

• Windows defines five integrity levels: • Standard users receive medium, elevated users receive high. untrusted, low, medium, high, and system. • Processes you start and objects you create receive your integrity level (medium or high) or low if the executable file's level is low; system services receive system integrity. • Objects that lack an integrity label are treated as medium by the operating system; this prevents low‐ integrity code from modifying unlabeled objects. • Additionally, Windows ensures that processes running with a low integrity level cannot obtain access a process which is associated with an app container.

CS140M Fall 2014 Lake 27 CS140M Fall 2014 Lake 28

User Account Controls User Account Controls (continued)

• User Account Controls (UAC) was a new feature • How it works: When your consent is required to that came out in Windows complete a task, UAC will prompt you with a dialog box Vista • Tasks that will trigger a UAC prompt include anything • It was designed to help that will affect the integrity or security of the underlying prevent unauthorized changes to your compute system • UAC is similar to security – This is a surprisingly long list of tasks features in UNIX‐like • UAC works slightly differently with standard user and operating systems administrator‐class accounts • Perhaps the most reviled and misunderstood feature ever added to Windows

CS140M Fall 2014 Lake 29 CS140M Fall 2014 Lake 30

Lake CS140M Fall 2014

UAC Consent UI: Type 1 UAC Consent UI: Type 2

• Prompt: Windows needs your permission to continue • Prompt: A program needs your permission to continue • Why you see this: You attempt to change a potentially • Why you see this: An external application with a valid digital dangerous system setting, such as a running a Control Panel signature is attempting to run with admin privileges

CS140M Fall 2014 Lake 31 CS140M Fall 2014 Lake 32

UAC Consent UI: Type 3 UAC: What’s really happening

• Prompt: An unidentified program wants access to your • Administrator accounts now logon with a mixed computer token • Why you see this: an external application without a valid digital signature is trying to run an application or process • Half of this mixed token is a standard user token: this is what is typically used to determine your memberships and privileges • The other half, the administrator token, is invoked only when required: you can invoke an administrator token manually (run as) or automatically (certain tasks in Windows 7 are tagged as requiring an admin token)

CS140M Fall 2014 Lake 33 CS140M Fall 2014 Lake 34

Windows Design Flaws/Poor Design Decisions Single‐User Design

• • Windows has long been hampered by its origin as a single‐user system Windows has evolved from a single‐user – Windows was originally designed to allow both users and applications free access to the entire system, which means anyone could tamper with a critical design to a multi‐user model few years back system program or file • Windows is monolithic, not modular, by – Windows evolved from single‐user design to a multi‐user model during the upgrade to Windows XP design • Windows XP was the first version of Windows to reflect a serious effort to isolate users from the operating system, so that users each have their • Windows depends too heavily on an RPC own private files and limited system privileges – This caused many legacy Windows applications to fail model – Solution: Windows XP includes a compatibility mode ‐ a mode that allows programs to operate as if they were running in the original insecure single‐ • Windows focuses on its familiar graphical user design • Windows XP represented progress, but even Windows XP could not be desktop interface justifiably referred to as a true multi‐user system (Is this true?)

CS140M Fall 2014 Lake 35 CS140M Fall 2014 Lake 36

Lake CS140M Fall 2014

Monolithic by Design, not Modular Depends Heavily on an RPC Model • Monolithic Design: one where most features are integrated into a single unit • RPC stands for Remote Procedure Call • Microsoft successfully makes competing products irrelevant • Simply put, an RPC is what happens when one by integrating more and more of the services they provide program sends a message over a network to tell into its operating system another program to do something – But this approach creates a monster of inextricably interdependent • RPCs are potential security risks because they are services designed to let other computers somewhere on a • Interdependencies side effects: network to tell your computer what to do – Every flaw in a piece of that system is exposed through all of the services and applications that depend on that piece of the system – Unfortunately, Windows users cannot disable RPC because Windows depends upon it, even if your computer is not – Unstable by nature: when you design a system that has too many interdependencies, you introduce numerous risks when you change connected to a network one piece of the system • The most common way to exploit an RPC‐related • Thus, Monolithic system tends to make security vulnerability is to attack the service that uses RPC, vulnerabilities more critical than they need to be not RPC itself

CS140M Fall 2014 Lake 37 CS140M Fall 2014 Lake 38

RPC Focuses on its Familiar Graphical Desktop Interface • Microsoft considers its familiar Windows interface as the • A remote procedure call (RPC) is an inter‐ number one benefit for using Windows Server 2003 process communication that allows a – Quote from the Microsoft web site, “With its familiar Windows interface, Windows Server 2003 is easy to use. New streamlined computer program to cause a subroutine or wizards simplify the setup of specific server roles and routine procedure to execute in another address server management tasks...” space (commonly on another computer on a • By advocating this type of usage, Microsoft invites administrators to work with Windows Server 2003 at the shared network) without the programmer server itself, logged in with Administrator privileges explicitly coding the details for this remote – This makes the Windows administrator most vulnerable to interaction. security flaws, because using vulnerable programs such as Internet Explorer expose the server to security risks

CS140M Fall 2014 Lake 39 CS140M Fall 2014 Lake 40

Windows Vulnerabilities Windows Vulnerabilities Example

• Windows like all other OS has security bugs • Vulnerabilities in Windows Kernel Could Allow – Bugs have been exploited to compromise Elevation of Privilege Microsoft Security Bulletin customer accounts MS10‐021, April 2010) • Multiple versions of Windows – Most severe of these vulnerabilities could allow – Each with substantial user‐base elevation of privilege if an attacker logged on locally • Attackers are now (organized) criminals highly and ran a specially crafted application motivated by money – An attacker must have valid logon credentials and be • Microsoft Security Bulletin Summaries and able to log on locally to exploit this vulnerability Webcasts provides latest vulnerabilities list • The vulnerability could not be exploited remotely or by and relative security updates (and status) anonymous users

CS140M Fall 2014 Lake 41 CS140M Fall 2014 Lake 42

Lake CS140M Fall 2014

Aggregate Operating System Maximum Security Impact Severity Rating Windows Vulnerabilities Example Microsoft Windows 2000 Service Pack 4 Elevation of Privilege Important Windows XP Service Pack 2 and Windows XP Service Pack 3 Elevation of Privilege Important

Windows XP Professional x64 Edition Service Pack 2 Elevation of Privilege Important • Vulnerabilities in Windows Kernel Could Allow Windows Server 2003 Service Pack 2 Elevation of Privilege Important Elevation of Privilege Microsoft Security Bulletin Windows Server 2003 x64 Edition Service Pack 2 Elevation of Privilege Important Windows Server 2003 with SP2 for Itanium-based Systems Elevation of Privilege Important

MS10‐021, April 2010) (continued) Windows Vista Elevation of Privilege Important – Security update resolves several privately reported Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Denial of Service Moderate Windows Vista x64 Edition Elevation of Privilege Important

vulnerabilities in Microsoft Windows Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Denial of Service Moderate

• Rated Important for all supported editions of Microsoft Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Windows 2000, Windows XP, Windows Server 2003, and the Systems Service Pack 2* Denial of Service Moderate Windows Server 2008 for x64-based Systems and Windows Server 2008 for original release version of Windows Vista x64-based Systems Service Pack 2* Denial of Service Moderate • Rated Moderate for all supported versions of Windows Vista Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Denial of Service Moderate Service Pack 1 and Windows Vista Service Pack 2, Windows Windows 7 for 32-bit Systems Denial of Service Moderate Server 2008, Windows 7, and Windows Server 2008 R2 Windows 7 for x64-based Systems Denial of Service Moderate • Most likely result in a denial of service condition Windows Server 2008 R2 for x64-based Systems* Denial of Service Moderate Windows Server 2008 R2 for Itanium-based Systems Denial of Service Moderate

CS140M Fall 2014 Lake 43 CS140M Fall 2014 Lake 44

Example: Microsoft Security Bulletin Means Of Evaluating Security Metrics • The severity of security vulnerabilities, derived from MS08‐067 –Critical the following metrics: – Damage potential (how much damage is possible?) – Exploitation potential (how easy is it to exploit?) – Exposure potential (what kind of access is necessary to exploit the vulnerability?) • Overall severity risk – Given the above three factors, the overall severity risks range from minimal to catastrophic – Example: Microsoft often ranks a security flaw as Critical for all Windows operating systems except Windows Server 2003, in which case it is ranked at the lower value, Important • The reason given for this difference is that Windows Server 2003 has different default settings than other versions of Windows

CS140M Fall 2014 Lake 45 CS140M Fall 2014 Lake 46

CERT: Query Result for Keyword “Microsoft” CERT: Query Result for Keyword “Microsoft” (continued)

CS140M Fall 2014 Lake 47 CS140M Fall 2014 Lake 48

Lake CS140M Fall 2014

System Hardening Windows Defenses

• Shoring up defenses, reducing exposed • Microsoft Security Development Lifecycle functionality, disabling less‐used features – Net effect approximately 50% reduction in – Called attack surface reduction security bugs – 80/20 rule of functionality – Vista was the first OS used SDL start to finish – Not always achievable • Strip mobile code support on servers • Categorize Security Defenses • Servers easier to harden – Account defenses – Used for specific and controlled purposes – Network defenses – Administrative users with better skills than – Buffer over‐run defenses workstation users – Browser defenses

CS140M Fall 2014 Lake 49 CS140M Fall 2014 Lake 50

Account Defenses Network Defenses

• Least Privilege • Need more than account/user defenses – Operate with just enough privileges for task • Vulnerable to network attacks • Another defense is to strip privileges from an • IPSec and IPv6 with authentication packets account soon after an application start available in Windows 7 • Windows 7 reserves default with UAC • Built‐in software firewall – Users prompted to perform privileged operations – Block inbound connection of specific ports – Block outbound connections • Default settings on Windows 7

CS140M Fall 2014 Lake 51 CS140M Fall 2014 Lake 52

Browser Defenses Cryptographic Services

• Browser is key point of attack • Encrypting File System (EFS) – Via script code, graphics, helper objects, add‐ons, – Files and directories encrypted/decrypted transparently cookies – Generates random key, protected by DPAPI • Added defenses in IE7 • Bitlocker Drive Encryption – ActiveX disabled by default – Encrypts entire volume with AES – Protected mode – Key either USB or TPM 1.2 compatible chip • Data Protection API (DPAPI) – Manages encryption key maintenance – Keys derived from user’s password

CS140M Fall 2014 Lake 53 CS140M Fall 2014 Lake 54

Lake CS140M Fall 2014

OS‐Level Security Tools and Techniques User Management

• OS Installation: Software Selection and Initial Setup • Guiding principles in user‐account security: • Patch Management – Be careful setting file / directory permissions • Network‐Level Access Controls – Use groups to differentiate between roles • Using iptables for “Local Firewall” Rules • Antivirus Software – Use extreme care in granting / using root • User Management privileges • Password aging • Root Delegation • Logging

CS140M Fall 2014 Lake 55 CS140M Fall 2014 Lake 56

Password Aging Conclusion

• Maximum and minimum lifetime for user • Security is an ongoing concern for IT administrators • Managers need a framework to evaluate operating system passwords security – Globally changed in /etc/login.defs • The challenge in evaluating the security of Windows on any criteria is that there is not a single version of each operating – To change password settings for existing users system • command line ‐> change • The ability to make either operating system more secure varies depending on architectural design – The Windows operating system is designed to support applications by moving more functionality into the operating system, and by more deeply integrating applications into the Windows kernel

CS140M Fall 2014 Lake 57 CS140M Fall 2014 Lake 58

Questions? Assignment • Create the steps to create a secure Guest account. • Write a 1‐2 page answer justifying the following: – “Windows XP represented progress, but even Windows XP could not be justifiably referred to as a true multi‐user system.” (Is this true?) from slide 36 • A user hits Ctrl+Alt+Del and logs into Windows 7 with a keyboard. What Windows process captures this login?

• Define the following terms and give an example: – Malware – Computer virus – Bot – Anti‐virus – Firewall – Computer security – Encryption (demonstrate one type of encryption)

CS140M Fall 2014 Lake 59 CS140M Fall 2014 Lake 60

Lake