How NOT to Piss Off an ITPro aka How to Build Better Software for Windows


Sami Laiho, Senior Technical Fellow, MVP, @samilaiho, [email protected], #DevSum19

Sami Laiho, Senior Technical Fellow, adminize.com / Sulava
• IT Admin since 1996
• MCT since 2001
• MVP in Windows OS since 2011
• Specializes in and trains:
  • Troubleshooting
  • Windows Internals
  • Security, Social Engineering, Auditing
  • Centralized Management, Active Directory
• Trophies:
  • Ignite 2018 – Session #1 and #2 (out of 1708)!
  • Best Speaker at NIC, Oslo 2016, 2017 and 2019
  • Best External Speaker at Ignite 2017
  • TechDays Sweden 2016, 2018 – Best Speaker
  • TechEd Europe and North America 2014 – Best session, Best speaker
  • TechEd Australia 2013 – Best session, Best speaker
  • TechEd Europe 2013 – Best Session by an external speaker

I got certs, 1.2 kg of them. @samilaiho

If you are not on Twitter – get on Twitter!

Tribe of Hackers
• 70 of the best hackers in the world invited (#36)
• Super proud to be included in this book
• All profits go to charity!
• https://www.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189

10 Deadly Sins of App Design

By the Book – RTFM
https://docs.microsoft.com/fi-fi/windows/desktop/win_cert/certification-requirements-for-windows-desktop-apps

#1 Wrong use of Filesystem
• Executable code and user data should not be in the same location. Program Files and Windows are writable only by administrators and TrustedInstaller, so code installed there cannot be modified by a standard user's process; the data the program writes at runtime must therefore go to ProgramData or the user profile, never next to the binaries.

Mandatory Integrity Control (write operations)
[Diagram: a process at System, High, Medium or Low integrity writing to an NTFS resource labelled System, High, Medium or Low. A write succeeds only when the process's integrity level is equal to or higher than the resource's label (no write-up). This is why Low-integrity code, such as a sandboxed browser renderer, gets its own LocalLow folder.]

Location for code and data
• Binaries go to:
  • 64-bit app → C:\Program Files
  • 32-bit app → C:\Program Files (x86)
• Data goes to:
  • All users (shared) → C:\ProgramData
  • Single user:
    • Roaming data → C:\Users\<UserName>\AppData\Roaming
    • Not roaming, Medium-integrity data → C:\Users\<UserName>\AppData\Local
    • Not roaming, Low-integrity data → C:\Users\<UserName>\AppData\LocalLow

Case of Windows Defender

#2 Wrong use of Registry
• Computer wide: HKLM\Software
• User specific: HKCU\Software
• NOT HKLM\System!
#3 Wrong use of Services
Service accounts and user rights
• A service can use one of three built-in accounts: LocalSystem, NT AUTHORITY\LocalService or NT AUTHORITY\NetworkService
• Avoid custom service accounts
• Services have SIDs as well (NT SERVICE\<ServiceName>), so file and registry permissions can be granted to the service itself instead of to a dedicated user account

#4 Software Requires Admin Rights – NO IT DOES NOT!
No excuses!

NT 3.1 Security Guide
• States that local admins have full access to the computer.
• It also says: "in Windows there is no security if you run as admin"

Analysis of Microsoft "Patch Tuesday" Security Bulletins from 2015
• 85% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights
• 52% increase in the total volume of vulnerabilities compared to 2014
• Windows Server vulnerabilities:
  • 429 vulnerabilities (304 in 2014)
  • 85% were found to be mitigated by the removal of admin rights

2016 Microsoft Vulnerabilities Study – key findings
• Of the 189 vulnerabilities in 2016 with a Critical rating, 94% were concluded to be mitigated by removing administrator rights
• 100% of vulnerabilities in IE and Chrome could be mitigated by removing admin rights
• 99% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
• 66% of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights
• 93% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights
• 100% of vulnerabilities impacting Microsoft's latest browser, Edge, could be mitigated by removing admin rights

Microsoft Vulnerabilities Report 2017 – key findings
• Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017.
• 95% of Critical vulnerabilities in Microsoft browsers can be mitigated by removing administrator rights.
• Almost two thirds of all Critical vulnerabilities in Microsoft Office products are mitigated by removing admin rights.
• Removing admin rights would mitigate almost 80% of Critical vulnerabilities in Windows 10 in 2017.
• 88% of all Critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.

Case of Shit-O-Meter

#5 Not having an MSI
• We don't care about anything but MSI or MSIX

#6 Bad Uninstaller
• Not cleaning up properly
• Visual Studio 2015 adds 110,000 registry entries

#7 Incorrect use of Multimedia Processes
• For maximum battery life the current timer interval (which can be changed with timeBeginPeriod or NtSetTimerResolution) should stay at the default of 15.6 ms. Requesting a finer resolution, for example 1 ms with timeBeginPeriod(1), raises the clock interrupt rate and keeps the CPU out of its deep idle states, and the cost is paid by the whole machine, not just by the process that asked.

Case of PDF Creator / Google

#8 Hating APPX / MSIX
Application Isolation
• Starting from Windows 8, the modern (later, in Windows 10, called universal) apps are packaged in APPX packages that allow the use of AppContainers
[Diagram: three App Containers running at Low integrity, each with its own declared set of capabilities.]

Quote from Microsoft
“As you folks know my team owns *all* the deployment technologies at Microsoft. We are being quite clear – all investments are going into MSIX. This is why you saw MSIX AppAttach announced this week to enable WVD/RDP/VDI scenarios. AppAttach is there to make app distribution in a VDI environment significantly better but it is also there to be the replacement for App-V streaming in a VDI environment. Our goal is for there to be no reason not to move to MSIX from your current deployment tech. Of course Rome wasn’t built in a day so it’s a journey but it’s very important to let your customers know that MSIX is the future of app deployment and while App-V provides them tremendous value today there is no roadmap for App-V that doesn’t end up in MSIX.”
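For the #3 point above that services have SIDs of their own, here is an added example (not from the slides) that computes a service SID the way the SCM does, cross-checks it against LSA, and lists services that still run as a custom account. The algorithm is the documented one: S-1-5-80 followed by the SHA-1 of the upper-cased service name in UTF-16LE, read as five little-endian 32-bit sub-authorities. The service name ContosoSvc and the data directory in the usage comments are made up.

```powershell
# Added example, not the presenter's code: service SIDs and custom-account services.
# Service SID = S-1-5-80-<SHA-1(UTF-16LE(UPPER(name))) as five little-endian DWORDs>.

function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash($nameBytes) }
    finally { $sha1.Dispose() }
    $subAuthorities = for ($i = 0; $i -lt 20; $i += 4) {
        [System.BitConverter]::ToUInt32($hash, $i)   # little-endian DWORD of the hash
    }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

# Cross-check the computed value against what LSA resolves for NT SERVICE\<name>.
function Test-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $computed = Get-ServiceSid -ServiceName $ServiceName
    $account  = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
    $fromLsa  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    [pscustomobject]@{
        Service  = $ServiceName
        Computed = $computed
        FromLsa  = $fromLsa
        Match    = ($computed -eq $fromLsa)
    }
}

# Services that use neither one of the three built-in accounts nor a per-service
# virtual account (NT SERVICE\<name>): the candidates for sin #3.
function Get-CustomAccountService {
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and
                       $_.StartName -notin $builtIn -and
                       $_.StartName -notlike 'NT SERVICE\*' } |
        Select-Object Name, StartName, PathName
}

# Usage:
#   Test-ServiceSid -ServiceName 'TrustedInstaller'
#   Get-CustomAccountService | Format-Table -AutoSize
#
# Granting the service itself (not a user account) access to its data directory,
# then telling the SCM to put the service SID into the service's token
# (ContosoSvc and the path are hypothetical):
#   icacls "C:\ProgramData\Contoso\ContosoSvc" /grant "NT SERVICE\ContosoSvc:(OI)(CI)M"
#   sc.exe sidtype ContosoSvc unrestricted
```

The point of the last two commands is the fix for sin #3: the service keeps running as LocalService or NetworkService, and the only thing that gets extra rights is the service SID, which exists only inside that service's token. No password, no account to rotate, nothing for an attacker to reuse elsewhere.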
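For the #7 point above about timer resolution, here is an added example (not from the slides) that reads the current system timer resolution through NtQueryTimerResolution and reports whether something has pulled it below the 15.6 ms default. The P/Invoke declaration and the Win32.NtDll type name are mine; the API itself is the documented ntdll export, returning all three values in 100-nanosecond units (156250 is 15.625 ms).

```powershell
# Added example, not the presenter's code: is the system timer at its 15.6 ms default?
# NtQueryTimerResolution names its parameters the wrong way round: MinimumResolution
# is the coarsest interval (largest value), MaximumResolution the finest.

Add-Type -Namespace Win32 -Name NtDll -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtQueryTimerResolution(
    out uint MinimumResolution, out uint MaximumResolution, out uint CurrentResolution);
'@

function Get-TimerResolution {
    $coarsest = [uint32]0; $finest = [uint32]0; $current = [uint32]0
    $status = [Win32.NtDll]::NtQueryTimerResolution([ref]$coarsest, [ref]$finest, [ref]$current)
    if ($status -ne 0) {
        throw ('NtQueryTimerResolution failed, NTSTATUS 0x{0:X8}' -f $status)
    }
    [pscustomobject]@{
        CoarsestMs = $coarsest / 10000      # 15.625 on a default system
        FinestMs   = $finest   / 10000      # typically 0.5
        CurrentMs  = $current  / 10000
        AtDefault  = ($current -eq $coarsest)   # nobody has raised the timer rate
    }
}

# Usage: run once idle, then again with the suspect application open.
#   Get-TimerResolution
```

If AtDefault flips to False while the application is running, the application (or a library it loaded) is calling timeBeginPeriod or NtSetTimerResolution. To see which process holds the request, generate an energy report with powercfg (`powercfg /energy /duration 5 /output energy.html`) and look for the "Platform Timer Resolution: Outstanding Timer Request" entries, which name the requesting process and the period it asked for.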
#9 Management Tools misunderstood
https://cloudblogs.microsoft.com/windowsserver/2019/04/29/its-time-to-update-your-windows-management-strategy/

Future of Management
• Windows Admin Center: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview
• No MMC
• No GUI on the server
• Server 1809 → Nano Server
• PowerShell is the only required management interface
  • But it's nice to have a GUI as well, as long as it's remote ☺
• Admins need to manage from Privileged Access Workstations (PAW)
• RDP is for "emergency use only"
• https://blog.win-fu.com/2014/07/why-you-need-to-manage-your-gpos-from.html

#10 Not Ready For Whitelisting
Whitelisting
• Do not change ACLs on Program Files and Windows – DO NOT!
• Don't install in:
  • the root of C:\
  • C:\Users
  • C:\ProgramData
  • anywhere outside of Program Files and Program Files (x86)
• All binaries need to be signed, including DLLs
  • If you use scripts, those as well
  • Even more so if you update your own binaries
  • Sign with a trusted cert!
• Case of Teams or Slack
• It is not an excuse to say that the provider of the platform hasn't signed – you are responsible!
• Don't create binaries in Temp folders – especially if they are not signed!

Case of TeamViewer or Slack/Teams

Kiitos ja anteeksi! (Thank you and I'm sorry!)
And... last but not least – don't forget to evaluate this session in the DevSum app! #DevSum19

WANT MORE?
• Come to my courses: https://win-fu.com/ilt/
• Check out my videos at Pluralsight!
  • Send me an email for a free pass!
• Check out my personal video library at https://win-fu.com/dojo
• Follow me on Twitter: @samilaiho
• Blog, Slack: https://win-fu.com/
• Consulting? Email me at [email protected]
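Going back to sins #1 and #10: here is an added example (not from the slides) that audits one application's install tree for the two things an AppLocker or WDAC rollout will trip over: executable code sitting in a directory a standard user can write to, and binaries, DLLs or scripts that are unsigned or signed with a certificate this machine does not trust. Get-Acl and Get-AuthenticodeSignature are standard cmdlets; the writable-directory test is my approximation (it looks only at Allow ACEs for the groups every interactive user belongs to), and the ContosoApp path in the usage comment is hypothetical.

```powershell
# Added example, not the presenter's code: audit an install tree for sins #1 and #10.
# Needs only read access; run it as the standard user whose rights you are worried about.

# Approximation of "a standard user can write here": an Allow ACE for a group every
# interactive user belongs to that carries a write-type right. Deny ACEs and ownership
# are ignored, so treat a True as "go and look", not as proof.
function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path)
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $lowPriv) { continue }
        $rights = [int64]$ace.FileSystemRights
        # WriteData 0x2 | AppendData 0x4 | Delete 0x10000 | GENERIC_ALL 0x10000000 |
        # GENERIC_WRITE 0x40000000 (the generic bits show up on inherited ACEs).
        if ($rights -band 0x50010006) { return $true }
    }
    return $false
}

# One row per piece of code: where it lives, whether its directory is user-writable,
# and what Authenticode says about it. Status 'Valid' means the signature verified
# AND the chain ends in a root this machine trusts; 'NotTrusted' is a real signature
# from a certificate the machine does not trust, which is exactly the "sign with a
# trusted cert" point.
function Get-AppCodeAudit {
    param([Parameter(Mandatory)][string]$InstallRoot)
    $programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $codeExt = '.exe', '.dll', '.sys', '.ocx', '.msi', '.ps1', '.psm1', '.vbs', '.js'
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $codeExt } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $inPf = $false
            foreach ($pf in $programFiles) {
                if ($_.FullName.StartsWith($pf, [System.StringComparison]::OrdinalIgnoreCase)) { $inPf = $true }
            }
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path            = $_.FullName
                InProgramFiles  = $inPf
                DirUserWritable = Test-UserWritable -Path $_.DirectoryName
                Signature       = $sig.Status     # Valid, NotSigned, NotTrusted, HashMismatch, ...
                Signer          = $signer
            }
        }
}

# Only the rows that would break a whitelist: code outside Program Files, code in a
# user-writable directory (a publisher or path rule there is a free bypass), or code
# without a trusted signature (no publisher rule possible at all).
function Get-AppCodeFinding {
    param([Parameter(Mandatory)][string]$InstallRoot)
    Get-AppCodeAudit -InstallRoot $InstallRoot |
        Where-Object { -not $_.InProgramFiles -or $_.DirUserWritable -or $_.Signature -ne 'Valid' }
}

# Usage (hypothetical per-user install root; point it at the real one):
#   Get-AppCodeFinding -InstallRoot "$env:LOCALAPPDATA\Programs\ContosoApp" | Format-Table -AutoSize
```

Run it against a per-user install and against the same product installed machine-wide; the first will usually light up on all three columns at once, which is the slide's point in one table: code under the profile is code the user can replace, and unsigned code under the profile cannot be allowed by anything except a hash rule that changes on every update.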
