
Security in Today’s Operating Systems – Windows Vista & Windows Server 2008

Ravi Sankar, Technology Evangelist | Microsoft Corporation | [email protected]

Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection

Fundamentals
• Service Hardening
• Kernel Protection
• Next Generation Cryptography
• Networking Improvements
• The Web Components (browser and server)
• Terminal Services Gateway

Hardening
• Reduce the size of high-risk layers
• Segment the services
• Increase the number of layers
[Diagram: a monolithic stack of kernel, drivers and services (A, B) is decomposed into more, smaller layers: kernel, kernel-mode drivers, user-mode drivers, and separately isolated services 1, 2 and 3, so a compromise of one layer exposes less.]

Windows Service Hardening

Service accounts before and after:

  Windows XP SP2 / Server 2003 R2   Windows Vista / Server 2008
  LocalSystem                       LocalSystem
                                    LocalSystem, Firewall Restricted
  Network Service                   Network Service
                                    Network Service, Fully Restricted
                                    Network Service, Network Restricted
  Local Service                     Local Service
                                    Local Service, No Network Access
                                    Local Service, Fully Restricted

Three shared accounts become eight profiles: the account a service runs as is now combined with a per-service network restriction enforced by the firewall, so a compromised service no longer inherits the network rights of every other service that shares its host account.

Service Changes – Windows XP vs. Windows Vista and Server 2008
[Table: each service is listed under its account in Windows XP (LocalSystem, Network Service, Local Service) and again under its new account/restriction profile in Windows Vista and Server 2008. Services named in the table: Wireless Configuration, RemoteAccess, WMI Performance Adapter, App Management, DHCP Client, Automatic Updates, System Event Notification, W32time, Secondary Logon, Rasman, Rasauto, Network Connections (netman), Browser, BITS, 6to4, Themes, Task Scheduler, Help and Support, COM+ Event System, TrkWks, Error Reporting, WMI, NLA (Nlasvc), Cryptographic Services, DNS Client, Removable Storage, ICS, Server, Shell Hardware Detection, PolicyAgent, Telephony, Windows Audio, Workstation, Event Log, WebClient, TCP/IP NetBIOS Helper, Remote Registry, SSDP.]
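An added example, not from the deck, of how a service owner inspects and tightens these settings on Vista/Server 2008 from an elevated PowerShell prompt, using the sc.exe verbs that shipped with these releases. 'MyAgent' is a hypothetical service name and the privilege list is illustrative; substitute the service's real needs.

```powershell
# Added example (not the presenter's code). 'MyAgent' is a placeholder service name.
$svc = 'MyAgent'

# Current state: per-service SID type (NONE / UNRESTRICTED / RESTRICTED), the privileges
# the SCM will leave in the service token, and the SID that ACLs and firewall rules can name.
sc.exe qsidtype $svc
sc.exe qprivs   $svc
sc.exe showsid  $svc

# Give the service its own SID. 'unrestricted' adds the SID to the token; 'restricted'
# additionally makes the token write-restricted, so the service can only write to objects
# whose ACL explicitly grants its SID (the hard form of "fully restricted" on the slide).
sc.exe sidtype $svc restricted

# Strip the token down to the privileges the service actually needs. Anything not listed
# here is removed from the token when the service starts.
sc.exe privs $svc SeChangeNotifyPrivilege/SeImpersonatePrivilege

# Firewall side of service hardening: this service gets no outbound network access, even
# though other services sharing its host process and account may keep theirs.
netsh advfirewall firewall add rule name="$svc - block outbound" dir=out action=block service=$svc

# Read the result back
sc.exe qsidtype $svc
sc.exe qprivs   $svc
netsh advfirewall firewall show rule name="$svc - block outbound"
```

The new settings take effect on the next service start, and a service whose code was never written for a write-restricted token will fail in ways that look like random access-denied errors, so test `restricted` before `unrestricted` only when you own the service code.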

Kernel Protection

Memory and Heap Management
• Prefetch clustering for page faults

Management Mechanisms
• Microsoft Windows® Registry innovations
• New Services model
• Hardware Error Architecture

Security Features
• Kernel patch protection
• Code signing
• Code integrity

Windows Firewall with Advanced Security

Combined Firewall and IPsec Management
• New management tools – Windows Firewall with Advanced Security MMC snap-in
• Reduces conflicts and coordination overhead between the two technologies

Firewall Rules Become More Intelligent
• Specify security requirements such as authentication and encryption
• Specify Active Directory® computer or user groups

Outbound Filtering

Simplified Protection Policy Reduces Management Overhead

DEMO: WINDOWS FIREWALL – Creating a New Rule
DEMO: WINDOWS FIREWALL – Creating a Connection Security Rule
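The "Creating a New Rule" demo is not reproduced in the deck, so here is an added example (not the presenter's) of the kind of rule the "Firewall Rules Become More Intelligent" slide describes, built with netsh advfirewall, the scriptable counterpart of the MMC snap-in on Vista/Server 2008, together with the outbound filtering the next slide mentions. The rule names, the port and the SDDL group SID are placeholders.

```powershell
# Added example (not from the deck). The SID S-1-5-21-...-1234 is a placeholder; substitute
# the real AD computer group SID. Run from an elevated prompt.

# Inbound RDP is admitted only when the connection was authenticated with IPsec and is
# encrypted (security=authenc), only in the domain profile, and only from computers that
# are members of the given group.
$groupSddl = 'D:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1234)'
netsh advfirewall firewall add rule name="RDP in - authenticated and encrypted" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain `
    security=authenc rmtcomputergrp=$groupSddl

# Outbound filtering: the default outbound action is allow. Flip the domain profile to block
# outbound and then allow only what is needed (here DNS and a browser). Environment
# variables in program paths are expanded by the firewall, so keep them unexpanded.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="DNS out" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Browser out" dir=out action=allow protocol=TCP `
    remoteport=80,443 program='%ProgramFiles%\Internet Explorer\iexplore.exe'

# Read back the effective policy and the authenticated rule
netsh advfirewall show domainprofile
netsh advfirewall firewall show rule name="RDP in - authenticated and encrypted" verbose
```

A rule with `security=authenc` or `security=authenticate` matches only traffic that IPsec has already protected, so it does nothing on its own: without a connection security rule covering the same traffic, the allow rule never matches and the inbound default (block) applies, which is easy to mistake for a broken firewall rule.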

PKI Improvements
• Online Certificate Status Protocol (OCSP)
• Enterprise PKI (PKIView)
• Network Device Enrollment Service (Simple Certificate Enrollment Protocol)
• Web Enrollment

Next Generation TCP/IP Stack
[Diagram, top to bottom:
  User mode:    Winsock | WSK clients | TDI clients
  Kernel mode:  AFD | WSK | TDX (TDI compatibility) | TDI
  Next Generation TCP/IP Stack (tcpip.sys): TCP, UDP, RAW over dual IPv4 and IPv6 layers, with the Windows Filtering Platform API alongside the stack
  Framing:      802.3 | WLAN 802.11 | IPv4 tunnel | IPv6 tunnel
  NDIS]
• Dual-IP layers for IPv4 and IPv6 support
• Seamless security through expanded IPsec integration
• Improved performance
• Network auto-tuning
• Greater extensibility and reliability

SSTP (Secure Socket Tunneling Protocol)
• SSTP is a new form of VPN tunnel
• SSTP encapsulates PPP frames over HTTPS (TCP port 443), so it passes firewalls and NATs that admit only web traffic
• SSTP is supported in Windows Vista and Windows Server 2008

End-to-End scenario
[Diagram: Public Network → DMZ (RRAS server) → Corp LAN (NPS server, Domain Controller, Application server)]
• Client connects to the Internet
• User starts the SSTP connectoid; the client connects to the RRAS server over port 443
• The RRAS server authenticates the user through the NPS server against the Domain Controller
• Tunnel established; the server gives the client its IP parameters
• Dial-IP interface created on the client
• Application packets are sent back and forth over the VPN tunnel
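An added check, not part of the deck: because the HTTPS channel is established before PPP starts, the RRAS server's certificate must chain to a root the client trusts, match the name the connectoid dials, and have a CRL the client can fetch from the public network. This PowerShell helper performs those three checks from the outside. vpn.example.com is a placeholder host name.

```powershell
# Added example (not from the deck). Validates an SSTP endpoint's certificate the way the
# Vista/2008 SSTP client will: name match, trusted chain, and online revocation checking.
function Test-SstpServerCert {
    param([string]$Server, [int]$Port = 443)

    # 1. TLS handshake with the same name the connectoid dials. AuthenticateAsClient throws
    #    if the name does not match or the chain does not build to a trusted root.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    # 2. Revocation. The SSTP client checks the CRL of every certificate in the chain, which
    #    AuthenticateAsClient does not do, so repeat the chain build with online checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainOk     = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Test-SstpServerCert -Server 'vpn.example.com'
```

Run it from a host on the public network, not from the corporate LAN: a CRL distribution point that resolves only internally is the most common reason an SSTP tunnel that works in the office fails from a hotel, and this check reproduces that failure as `RevocationStatusUnknown` or `OfflineRevocation` in ChainStatus.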

Internet Explorer 7.0

Protection from Exploits
• Unified URL parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode to help restrict malicious software

Social Engineering Protections
• Phishing Filter and colored address bar
• Dangerous settings notification
• Secure defaults for IDN

Internet Explorer Protected Mode
[Diagram, before/after]
Before (IE6): an exploit runs with whatever rights the user has.
• Admin-rights access: install a driver, install an ActiveX control, write to HKLM, Program Files and the Startup folder. Exploit can install malware.
• User-rights access: write to HKCU, My Documents, the Startup folder and Temporary Internet Files; change settings; download a picture. Exploit can still install.
After (IE7 Protected Mode): Internet Explorer runs as a low-integrity process, and Integrity Control confines its writes to Temporary Internet Files and a redirected cache/settings area where untrusted web content and files stay. A Compat Redirector sends legacy writes into that area. Anything outside it must go through a broker process that involves the user: IEUser for user-rights actions (e.g. saving a picture) and IEAdmin for admin-rights actions (e.g. installing an ActiveX control).
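Protected Mode rests on the integrity-level mechanism described above, which can be inspected directly. This is an added example, not from the deck, using the whoami and icacls tools shipped with Vista/Server 2008; the test file path is arbitrary.

```powershell
# Added example (not from the deck). Shows the mandatory integrity labels Protected Mode
# relies on: a token label, a Low-labelled cache folder, and a file label set by hand.

# 1. The integrity level of a process is carried as a group SID in its token. A normal
#    user session shows Medium; a Protected Mode iexplore.exe shows Low.
whoami /groups | findstr /i "Mandatory"

# 2. Protected Mode IE may only write to locations labelled Low, which is why the cache and
#    cookies have a "Low" subfolder. (NW) in the label line means "no write-up": a
#    higher-integrity process is not prevented from writing here, a lower one is.
icacls "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"

# 3. Label a file Low and read it back. The Medium-integrity shell can still write it
#    (writing down is allowed); a Low-integrity process could not write a Medium file.
$f = Join-Path $env:TEMP 'low-integrity-test.txt'
'hello' | Set-Content $f
icacls $f                          # no explicit label: treated as Medium
icacls $f /setintegritylevel Low
icacls $f                          # now shows Mandatory Label\Low Mandatory Level

Remove-Item $f
```

Objects with no explicit label behave as Medium, so the Low label has to be present on every location a Protected Mode process is expected to write to; an add-on that writes elsewhere is what the Compat Redirector and the IEUser broker exist to handle.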

ActiveX Opt-in
• Controls that have not been used before are disabled by default
• IE7 blocks a disabled control instead of running it
• IE7 confirms with the user before a control is installed or enabled

Windows Defender
• Helps detect and remove spyware and other potentially unwanted software
• Automatic download scanning in Internet Explorer
• Allows standard users to remove spyware
• Can be enabled/disabled via …

Internet Information Services (IIS) 7.0
• Componentized architecture
• Delegated management

Modules (the core web server loads only those that are configured):
  Logging and Diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, TracingModule
  AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, UrlAuthorizationModule, AccessCheckModule
  Extensibility: ManagedEngineModule, ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule
  Publishing: DavModule
  Core Web Server: StaticFileModule, DefaultDocumentModule, DirectoryListingModule, CustomErrorModule
  Caching and compression: HttpCacheModule, DynamicCompressionModule, StaticCompressionModule
  HTTP protocol support: ValidationRangeModule, TraceVerbModule, OptionsVerbModule, ClientRedirectionModule
  Configuration and metadata caches: ConfigurationModule, UriCacheModule, SiteCacheModule, FileCacheModule
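The security payoff of the componentized design is that a module that is not configured is not loaded. An added example, not from the deck, of trimming a server to what it needs with appcmd.exe (the IIS 7 command-line tool); the modules removed here are illustrative choices, and the names must match what the server itself lists.

```powershell
# Added example (not from the deck). Run from an elevated prompt on the IIS 7 host.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

# What the worker processes will load right now, at the server level
& $appcmd list modules

# Modules a plain static/ASP.NET site does not need. 'delete module' removes the module
# from the server-level <modules> list, so its handler code no longer runs on any request.
# Use the names exactly as printed by 'list modules'.
foreach ($m in 'DirectoryListingModule', 'ServerSideIncludeModule') {
    & $appcmd delete module $m
}

# A native module can also be unregistered entirely, which removes it from
# <globalModules> so the DLL is not loaded into the worker process at all.
& $appcmd uninstall module ServerSideIncludeModule

# Confirm: neither module should appear in either list now
& $appcmd list modules
& $appcmd list config -section:system.webServer/globalModules
```

Keep a copy of `%windir%\system32\inetsrv\config\applicationHost.config` before the change; `delete module` and `uninstall module` both edit that file, and restoring a module is a matter of putting its `<add>` entries back.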

Terminal Services Gateway
[Diagram: Remote/mobile user → Internet → perimeter network (Terminal Services Gateway) → corporate network (Terminal Servers and other RDP hosts, Network Policy Server, Active Directory DC)]
• The remote client tunnels RDP over HTTPS to the Terminal Services Gateway in the perimeter network
• The gateway strips off the HTTPS and passes the RDP traffic on to Terminal Servers and other RDP hosts on the corporate network
• The gateway authorizes the connection through the Network Policy Server against Active Directory (DC)

Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection

Integrating the Edge
• Policy, not topology, defines the edge

[Diagram: the building blocks that let policy rather than topology define the edge]
• Two-factor authentication and biometrics
• Claims-based authorization
• Federated identity (Active Directory)
• Universal addressability (IPv6)
• Secure network access: Network Access Protection
• Anti-malware
• Define the boundary: IPsec policies and firewalls
• Per-application VPN
• Anywhere Access

Network Access Protection

What is Network Access Protection?
[Diagram: Windows client → enforcement point (DHCP, VPN, switch/router) → NPS (Network Policy Server) consulting health policy servers such as patch and AV → Corporate Network if policy compliant, Restricted Network with remediation servers if not]
• Health policy validation: NPS checks the client’s statement of health against the policy servers (example: patch level)
• Health policy compliance: a non-compliant client is placed on a restricted network with access to the remediation servers until it is brought into compliance
• Ability to provide limited access
• Enhanced security
• Increased business value
• Cisco and Microsoft integration story

Policy-based Dynamic Segmentation
[Diagram: a corporate network with an Active Directory domain controller, a trusted resource server, servers with sensitive data and an HR workstation. Managed computers communicate with each other; an unmanaged/rogue computer and an untrusted computer are blocked (X). Domain isolation separates managed from unmanaged computers; server isolation separates the servers with sensitive data within the managed set.]
• Define the logical isolation boundaries
• Distribute the policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted computers
• Enable tiered access to sensitive resources
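Both the "Creating a Connection Security Rule" demo in the firewall section and the isolation picture above come down to connection security rules, the Vista/Server 2008 name for IPsec policy. This is an added example, not the presenter's demo, of the rules behind domain isolation and server isolation; the rule names, the DC address 10.0.0.10 and the profile are placeholders, and in practice these are distributed by Group Policy rather than typed on each host.

```powershell
# Added example (not from the deck). Run from an elevated prompt; 10.0.0.10 is a placeholder.

# Domain isolation: every domain member requests IPsec for outbound traffic and requires it
# for inbound, authenticating the peer computer with Kerberos. An unmanaged or rogue machine
# has no domain account, cannot authenticate, and so cannot open inbound connections.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# Exemption: the client must reach the domain controller before it holds a Kerberos ticket,
# so traffic to the DC is excluded from authentication. Add DNS/DHCP hosts the same way.
netsh advfirewall consec add rule name="Exempt DC" `
    endpoint1=any endpoint2=10.0.0.10 action=noauthentication

# Server isolation (on the servers holding sensitive data): require authentication in both
# directions and also authenticate the user, so that a firewall rule using
# security=authenticate with rmtusrgrp can then admit only the HR group (tiered access).
netsh advfirewall consec add rule name="Server isolation" `
    endpoint1=any endpoint2=any action=requireinrequireout `
    auth1=computerkerb auth2=userkerb profile=domain

# Read the rules back
netsh advfirewall consec show rule name=all verbose
```

Roll out `requestinrequestout` first and move to `requireinrequestout` only after the monitoring node of the snap-in shows security associations forming with every peer you expect; a machine with the wrong exemption list locks itself out of the domain controller, and the rule that caused it can then only be fixed locally.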

Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection

Architecture
[Diagram: logon architecture]
  Session 0: WinInit, SCM, LSA, RCM, Profiles, Group Policy
  Other sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3
• GINA replaced
• New credential providers
• NOTE: Session 0 isolation

Windows CardSpace™

Easier
• Provides a consistent user experience
• Replaces usernames and passwords with strong tokens

Safer
• Protects users from phishing & fraud attacks
• Support for two-factor authentication
• Tokens are cryptographically strong

Standards, standards, standards!!
• Built on WS-* Web Services protocols
• Can be supported by websites on any technology & platform

CardSpace Environment
• Runs under a separate desktop and a restricted account
• Isolates the CardSpace runtime from the Windows desktop
• Deters hacking attempts by user-mode processes

CardSpace Cards
Self-issued
• Contains claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks
Managed
• Provided by banks, stores, government, clubs, etc.
• Locally stored cards contain metadata only!
• Data is stored by the Identity Provider and obtained only when the card is submitted

Participants
• User
• Relying Party (website)
• Identity Provider

User Account Control

Windows Vista challenges → Solution
• Most users run with full administrator privileges all the time → Easier to run as a standard user: users can do more on their own (change time zone, power settings, VPN and more; install approved devices)
• At risk from malware; can’t manage desktops or enforce policy; expensive to support → Admin commands are clearly marked; greater protection for admins: software runs with lower privileges by default and the administrator provides consent before elevation
• Difficult to run as a standard user: the user can’t perform many tasks and many applications don’t run → Higher application compatibility through file and registry virtualization

Sample consent prompts for elevated privileges: signed application vs. unsigned application
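"Consent before elevation" is implemented with a split token: an administrator's non-elevated processes carry the Administrators SID in a deny-only state at Medium integrity, and only a process that went through the consent prompt gets the enabled SID at High integrity. An added example, not from the deck, of detecting which of the two a script is running under and requesting elevation the UAC way; it assumes PowerShell 2.0 (Start-Process) and a script saved to disk.

```powershell
# Added example (not from the deck). Returns $true only in an elevated process: IsInRole
# ignores deny-only groups, so a non-elevated administrator gets $false here.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Non-elevated: BUILTIN\Administrators shows "Group used for deny only" and the label is
# Mandatory Label\Medium Mandatory Level. Elevated: the group is Enabled and the label is High.
whoami /groups | findstr /i /c:"Administrators" /c:"Mandatory"

if (-not (Test-IsElevated)) {
    # Re-launch this script elevated. -Verb RunAs is what an "admin command" does: it
    # triggers the consent (admin) or credential (standard user) prompt; nothing elevates
    # silently, and the current non-elevated process keeps its Medium token.
    $script = $MyInvocation.MyCommand.Path
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-File `"$script`""
    return
}

"Running elevated: $(Test-IsElevated)"
```

Note that file and registry virtualization applies only to non-elevated, 32-bit, unmanifested processes writing to protected locations, so a legacy tool that "works" from the first branch of this script may be writing to the VirtualStore rather than where it thinks; the elevated branch writes to the real locations.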

Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection

Windows Vista/Server 2008 Information Protection
• Who are you protecting against?
• Other users or administrators on the machine? → EFS
• Unauthorized users with physical access? → BitLocker™

Scenarios mapped against BitLocker, EFS and RMS:
• Laptops
• Branch office server
• Local single-user file & folder protection
• Local multi-user file & folder protection
• Remote file & folder protection
• Untrusted network admin
• Remote document policy enforcement

Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
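Because the three technologies overlap, the first question on a real host is which of them is actually in effect. An added example, not from the deck, of taking that inventory with the tools that ship with Vista/Server 2008: manage-bde is a script (manage-bde.wsf) on these releases, cipher.exe is the EFS tool, and RMS protection is a per-document property that neither of them reports. Paths and the volume letter are assumptions.

```powershell
# Added example (not from the deck). Run from an elevated prompt.
$mbde = "$env:windir\System32\manage-bde.wsf"

# BitLocker: encryption state and method of the OS volume, and which key protectors exist.
# A volume that is "Fully Encrypted" but has only a clear-key protector is not protected.
cscript //nologo $mbde -status C:
cscript //nologo $mbde -protectors -get C:

# EFS: list the encrypted files under the profile (/u /n lists without touching them,
# /h includes hidden/system files) ...
cipher.exe /u /n /h

# ... and, for a given folder, which users and recovery agents can decrypt its files.
# If the only listed key is the user's own and it was never backed up, a lost profile
# means lost data, which is the EFS failure mode BitLocker does not have.
cipher.exe /c "$env:USERPROFILE\Documents"
```

On the "untrusted network admin" row of the table neither tool helps: BitLocker and EFS protect data at rest on the machine, while a file copied to a share is protected in transit and on the server only by RMS policy (or IPsec and the server's own controls), which is why the deck lists it as a separate scenario.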

Summary
• Stronger fundamentals
• Layered approach for threat and vulnerability mitigation
• More options and granularity in identity and access management
• Holistic approach towards information protection using encryption technologies