
Windows 7 Security
By Al Lake
Fall 2014
CS 140M LBCC

Objectives
• Background
• Windows Security Architecture
• Windows Vulnerabilities
• Means of Evaluating Metrics
• System Hardening
  – Windows Defenses
• OS Security Capabilities
• Conclusion

Background: Operating System Market Share (September 2014 – netmarketshare.com)
Desktop OS Market Share
  OS               Percentage
  Windows          92%
  Mac OS X/iOS     6%
  Linux (Android)  2%

Windows Background
• Advantages
  – User friendly
  – Enhancements can help millions of users
  – Defects found quickly because of widespread use
• Disadvantages
  – Security defects can leave millions vulnerable
  – Non-technical user base
  – Industry dominance leaves MS handcuffed: any move to expand capabilities is seen as anticompetitive

Windows Security Architecture
• Security Reference Monitor
• Local Security Authority
• Security Account Manager
• Active Directory
• Local vs. Domain Accounts
• Access Control Lists
• Integrity Control
• User Account Controls

Local Security Policy

Security Reference Monitor (SRM)
• Kernel mode component that
  – Performs access checks
  – Generates audit log entries
  – Manipulates user privileges

Local Security Authority (LSA)
• Responsible for enforcing local security policy
  – Lsass.exe
  – User mode
• A Microsoft Windows file stored in c:\windows\system32, short for Local Security Authority Subsystem Service, with the file description "LSA shell"
• Lsass.exe is responsible for how Microsoft Windows handles security and security-related policies, authority domain authentication, and Active Directory management on your computer

Security Account Manager (SAM)
• A database that stores user accounts and local users and groups security information
• SamSrv.exe
Active Directory
• Directory Service
  – Server-based authentication
  – Centrally managed

WinLogon & NetLogon
• WinLogon – keyboard requests
• NetLogon – network requests

Local versus Domain Accounts
• Local accounts for computers not hooked up to a network
• Networked computers can be:
  – Workgroup joined
  – Domain joined

Workgroup Joined
• A collection of computers connected together
• Only local accounts in SAM can be used
• No infrastructure to support AD

Domain Joined
• Share access to networked printers, file servers, etc.
• Centrally managed
  – More secure
  – Scalable

Windows Login Example
• Administrator creates a user account (full name, username, password, group, privileges)
• Windows creates a security identifier (SID) in the form
  – S-1-5-21-AAA-BBB-CCC-RRR
• In MS Windows, the username can be in two formats
  – SAM format: supported by all versions of Windows (legacy format)
    • Form: DOMAIN/username
  – User Principal Name (UPN): looks more like an RFC822 email address
    • Example: [email protected]

Windows Login Example (continued)
• User logs in with keyboard
• Information is sent to the AD (domain controller)
• If successful, a token is generated and sent to the user
• Token contains
  – User's SID
  – Group membership
  – Privileges

Review Question
• A user hits Ctrl+Alt+Del and logs into Windows with a keyboard… or
• Windows + L
• What Windows process captures this login?
• Link to Process Monitor
  • http://blogs.msdn.com/b/dswl/archive/2010/01/10/how-to-capture-a-process-monitor-trace.aspx

Answer
• The WinLogon process captures logins at the keyboard
• WinLogon passes the information to the domain controller (Active Directory) to perform the logon
• WinLogon would pass the information to the SAM (if local), which would give a true/false authentication status
• LSA would generate a token if the SAM verifies a true username/password combination

Windows Privileges
• System-wide permissions assigned to user accounts
• Some are considered "dangerous"
  – Act as part of the OS privilege
  – Debug programs privilege
  – Backup files and directories privilege
• Some are considered "benign"
  – Bypass traverse checking privilege

Access Control List (ACL)
• Discretionary ACL
  – Grants or denies access to protected resources such as files, shared memory, etc.
• System ACL
  – An access control list (ACL) is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

Access Control List (ACL) (continued)
• Objects needing protection are assigned an ACL that includes
  – SID of object owner
  – List of access control entries (ACEs)
• Each ACE includes a SID and an access mask
  – Access mask could include
    • Read, Write, Create, Delete, Modify, etc.
Access Control Example
• User opens text file

Integrity Control
• New to Windows 7: a low-level change to Windows that isolates different objects on a trust-based scale
• Controlled by a new OS component called Windows Integrity Control (WIC)
• Integrity levels trounce permissions
  – Example: malware no longer runs at the privilege level of the logged-on user, as it does in XP
  – The process runs in the integrity level of the object that spawned it
• Makes process isolation and other Windows 7 security measures possible

Six Integrity Levels
Objects and principals are labeled
• Untrusted
• Low
• Medium
• High
• System
• Installer

MIC: Mandatory Integrity Control
• Mandatory Integrity Control (MIC) provides a mechanism for controlling access to securable objects. This is in addition to discretionary access control.
• Mandatory Integrity Control (MIC) in Windows 7
  – Limits operations changing an object's state

Integrity Levels
• Windows defines five integrity levels: untrusted, low, medium, high, and system.

Integrity Levels (continued)
• Standard users receive medium, elevated users receive high.
• Processes you start and objects you create receive your integrity level (medium or high), or low if the executable file's level is low; system services receive system integrity.
• Objects that lack an integrity label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled objects.
• Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to a process which is associated with an app container.
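As an added example (not code from the lecture), the following Python models the access check the Security Reference Monitor performs when a process opens an object. It ties together the ACL slides (a DACL is an ordered list of ACEs, each with a trustee SID, an allow/deny type and an access mask) and the integrity slides (objects without a label count as medium; lower-integrity code may not modify higher-integrity objects). The SIDs, the two files, the ACE lists and the tokens are constructed sample data; the access-mask bit values and the `canonicalize` helper are simplifications for illustration, not Windows' real constants.

```python
"""Simulated Windows-style access check: mandatory integrity check followed by
a DACL walk. Added example; not the lecture's code. All SIDs, objects and ACE
lists are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Simplified access-mask bits standing in for the rights the slides list
# (Read, Write, Create, Delete, Modify). Any of the last four modifies state.
READ, WRITE, CREATE, DELETE, MODIFY = 0x01, 0x02, 0x04, 0x08, 0x10
WRITE_LIKE = WRITE | CREATE | DELETE | MODIFY

# Integrity levels in increasing trust, as listed on the slides.
LEVELS = ["untrusted", "low", "medium", "high", "system", "installer"]


@dataclass
class ACE:
    sid: str      # trustee SID
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    mask: int     # rights this ACE allows or denies


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: List[ACE]                  # empty list = nobody is allowed anything
    integrity: Optional[str] = None  # None = object carries no integrity label


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]
    integrity: str

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


AUDIT = []  # (decision, user_sid, requested) records, the SRM's audit entries


def integrity_check(token, sd, requested) -> bool:
    """No-write-up: modifying an object needs a subject level >= the object's.
    Unlabeled objects count as medium, so low-integrity code cannot write them."""
    if not requested & WRITE_LIKE:
        return True  # reads are not restricted by the no-write-up policy
    obj_level = sd.integrity or "medium"
    return LEVELS.index(token.integrity) >= LEVELS.index(obj_level)


def dacl_check(token, sd, requested) -> bool:
    """Walk the DACL in order: a matching deny ACE for any requested right ends
    the check; allow ACEs accumulate rights until every requested bit is granted."""
    granted = 0
    for ace in sd.dacl:
        if not token.holds(ace.sid):
            continue  # ACE names a trustee this token does not hold
        if not ace.allow and ace.mask & requested:
            return False  # explicit deny wins
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False  # implicit deny: some requested right was never allowed


def canonicalize(dacl: List[ACE]) -> List[ACE]:
    """Canonical order puts explicit deny ACEs before allow ACEs, so a deny is
    never skipped because an earlier allow already granted everything."""
    return [a for a in dacl if not a.allow] + [a for a in dacl if a.allow]


def access_check(token, sd, requested) -> bool:
    ok = integrity_check(token, sd, requested) and dacl_check(token, sd, requested)
    AUDIT.append(("allow" if ok else "deny", token.user_sid, requested))
    return ok


# Constructed SIDs: two domain accounts and two well-known built-in groups.
ALICE = "S-1-5-21-1111-2222-3333-1001"
ADMIN = "S-1-5-21-1111-2222-3333-500"
ADMINS_GROUP = "S-1-5-32-544"   # BUILTIN\Administrators
USERS_GROUP = "S-1-5-32-545"    # BUILTIN\Users

# Alice's own text file: no integrity label, so it is treated as medium.
NOTES_TXT = SecurityDescriptor(ALICE, [
    ACE(USERS_GROUP, True, READ),
    ACE(ALICE, True, READ | WRITE | DELETE),
])
# A high-integrity system file whose DACL explicitly denies Alice writes.
SYSTEM_CFG = SecurityDescriptor(ADMIN, [
    ACE(ALICE, False, WRITE | DELETE | MODIFY),
    ACE(USERS_GROUP, True, READ | WRITE),
    ACE(ADMINS_GROUP, True, READ | WRITE | CREATE | DELETE | MODIFY),
], integrity="high")

alice_medium = Token(ALICE, {USERS_GROUP}, "medium")  # normal logon
alice_low = Token(ALICE, {USERS_GROUP}, "low")        # e.g. a sandboxed browser tab
alice_high = Token(ALICE, {USERS_GROUP}, "high")
admin_high = Token(ADMIN, {USERS_GROUP, ADMINS_GROUP}, "high")  # elevated admin
```

Calling `access_check(alice_low, NOTES_TXT, WRITE)` returns False before the DACL is even consulted, which is the "low-integrity code cannot modify unlabeled objects" rule from the slide; the same token can still read the file. `access_check(alice_high, SYSTEM_CFG, WRITE)` shows an explicit deny ACE beating the later allow for Users, while an elevated administrator gets write and delete. Putting the allow ACE ahead of the deny (a non-canonical DACL) lets the allow grant everything before the deny is reached, which is why `canonicalize` matters when building ACLs.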
User Account Controls
• User Account Controls (UAC) was a new feature that came out in Windows Vista
• It was designed to help prevent unauthorized changes to your computer
• UAC is similar to security features in UNIX-like operating systems
• Perhaps the most reviled and misunderstood feature ever added to Windows

User Account Controls (continued)
• How it works: when your consent is required to complete a task, UAC will prompt you with a dialog box
• Tasks that will trigger a UAC prompt include anything that will affect the integrity or security of the underlying system
  – This is a surprisingly long list of tasks
• UAC works slightly differently with standard user and administrator-class accounts

UAC Consent UI: Type 1
• Prompt: Windows needs your permission to continue
• Why you see this: you attempt to change a potentially dangerous system setting, such as running a Control Panel

UAC Consent UI: Type 2
• Prompt: A program needs your permission to continue
• Why you see this: an external application with a valid digital signature is attempting to run with admin privileges

UAC Consent UI: Type 3
• Prompt: An unidentified program wants access to your computer
• Why you see this: an external application without a valid digital signature is trying to run an application or process

UAC: What's really happening
• Administrator accounts now log on with a mixed token
• Half of this mixed token is a standard user token: this is what is typically used to determine your memberships and privileges
• The other half, the administrator token, is invoked only when required: you can invoke an administrator token manually (run as) or automatically (certain tasks in Windows 7 are tagged as requiring an admin token)

Windows Design Flaws/Poor Design Decisions
• Windows has evolved from a single-user design to a multi-user model a few years back
• Windows is monolithic, not modular, by design
• Windows depends too heavily on an RPC

Single-User Design
• Windows has long been hampered by its origin as a single-user system
  – Windows was originally designed to allow both users and applications free access to the entire system, which means anyone could tamper with a critical system program or file
  – Windows evolved from single-user design to a multi-user model during the upgrade to Windows XP
• Windows XP was the first version of Windows to reflect a serious effort to isolate users from the operating system, so that users each have their own private files and limited system privileges
  – This caused many legacy Windows
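The following Python is an added example (not the lecture's code) that connects the Windows Login Example slides with the "UAC: What's really happening" slide: a logon name in either SAM or UPN form is looked up, the account's SID of the form S-1-5-21-AAA-BBB-CCC-RRR is parsed, and LSA's token (user SID, groups, privileges) is built. For an administrator the token is split into the mixed token the UAC slide describes: a standard-user half in which the Administrators group is kept only for deny ACEs and the "dangerous" privileges are stripped, and an administrator half that `elevate` hands out only after consent. The account store, SIDs, passwords and privilege sets are constructed stand-ins for SAM/AD, and the list of privileges the filtered half keeps is assumed from Windows documentation rather than taken from the slides.

```python
"""Logon token and UAC mixed token. Added example; not the lecture's code.
The account store, SIDs and privilege sets are constructed stand-ins."""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
ADMINISTRATORS = "S-1-5-32-544"          # well-known BUILTIN\Administrators
USERS = "S-1-5-32-545"                   # well-known BUILTIN\Users
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain (the AAA-BBB-CCC part)


@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "SID":
        m = SID_RE.match(text)
        if not m or int(m.group(1)) != 1:  # only revision 1 SIDs exist
            raise ValueError(f"malformed SID: {text!r}")
        subs = tuple(int(x) for x in m.group(3).split("-")[1:])
        return cls(1, int(m.group(2)), subs)

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]  # the trailing RRR on the slide

    @property
    def domain(self) -> Optional[str]:
        """S-1-5-21-AAA-BBB-CCC for domain/machine accounts, None otherwise."""
        if self.authority == 5 and self.sub_authorities[:1] == (21,):
            return "S-1-5-" + "-".join(str(s) for s in self.sub_authorities[:-1])
        return None


def split_logon_name(name: str) -> Tuple[str, str]:
    """Accept the legacy SAM form (DOMAIN\\user; the slide writes DOMAIN/username)
    or a UPN (user@domain). Returns (domain, user), lower-cased."""
    if "\\" in name or "/" in name:
        domain, user = re.split(r"[\\/]", name, maxsplit=1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        raise ValueError("expected DOMAIN\\user or user@domain")
    return domain.lower(), user.lower()


@dataclass
class Token:
    user_sid: str
    groups: Dict[str, str]   # group SID -> "enabled" or "deny-only"
    privileges: Set[str]
    integrity: str

    def is_admin(self) -> bool:
        return self.groups.get(ADMINISTRATORS) == "enabled"


# Privileges the filtered (standard-user) half keeps; all others are stripped.
# Assumed list, based on Windows documentation of UAC token filtering.
FILTERED_KEEPS = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
                  "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege"}


def filter_token(full: Token) -> Token:
    """Standard-user half of the mixed token: Administrators stays only so deny
    ACEs still apply, dangerous privileges are removed, integrity drops to medium."""
    groups = dict(full.groups)
    if ADMINISTRATORS in groups:
        groups[ADMINISTRATORS] = "deny-only"
    return Token(full.user_sid, groups, full.privileges & FILTERED_KEEPS, "medium")


# Constructed account store: (domain, user) -> record. A real SAM/AD stores hashes.
ACCOUNTS = {
    ("corp", "alice"): {"rid": 1001, "groups": {USERS}, "password": "alice-pw"},
    ("corp", "bob"): {"rid": 1002, "groups": {USERS, ADMINISTRATORS}, "password": "bob-pw"},
}


def logon(name: str, password: str) -> Optional[Tuple[Token, Optional[Token]]]:
    """WinLogon -> LSA -> account store -> token. Returns the mixed token
    (standard_half, admin_half_or_None), or None when verification fails."""
    rec = ACCOUNTS.get(split_logon_name(name))
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    sid = f"{DOMAIN_SID}-{rec['rid']}"
    groups = {g: "enabled" for g in rec["groups"]}
    privs = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege"}  # "benign" ones
    if ADMINISTRATORS not in rec["groups"]:
        return Token(sid, groups, privs, "medium"), None
    privs |= {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}  # "dangerous"
    full = Token(sid, groups, privs, "high")
    return filter_token(full), full


def elevate(mixed: Tuple[Token, Optional[Token]], consented: bool) -> Token:
    """Hand out the administrator half only after the UAC consent prompt."""
    standard, admin = mixed
    if admin is None:
        raise PermissionError("standard user: elevation needs administrator credentials")
    return admin if consented else standard
```

`logon("corp\\bob", "bob-pw")` returns Bob's standard half (medium integrity, Administrators marked deny-only, only the benign privileges) alongside the full high-integrity token; everything Bob runs uses the standard half until a consent prompt is accepted. Alice, a standard user, gets a single medium token and no administrator half, so `elevate` raises for her.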