Operating System Security
Download
Report
Transcript Operating System Security
Chapter 12
Operating System Security
Operating System
each layer of code needs
measures in place to
provide appropriate
security services
each layer is vulnerable to
attack from below if the
lower layers are not
secured appropriately
Measures
the 2010 Australian Defense Signals Directorate (DSD) list
the “Top 35 Mitigation Strategies”
over 70% of the targeted cyber intrusions investigated by
DSD in 2009 could have been prevented
the top four measures for prevention are:
patch operating systems and applications using auto-update
patch third-party applications
restrict admin privileges to users who need them
white-list approved applications
Operating System Security
possible for a system to be compromised during the
installation process before it can install the latest patches
building and deploying a system should be a planned
process designed to counter this threat
process must:
assess risks and plan the system deployment
secure the underlying operating system and then the key
applications
ensure any critical content is secured
ensure appropriate network protection mechanisms are used
ensure appropriate processes are used to maintain security
System Security Planning Process
the purpose of the system,
the type of information
stored, the applications and
services provided, and their
security requirements
who will administer the
system, and how they will
manage the system (via local
or remote access)
the categories of users of the
system, the privileges they
have, and the types of
information they can access
what access the system has
to information stored on
other hosts, such as file or
database servers, and how
this is managed
how the users are
authenticated
how access to the
information stored on the
system is managed
any additional security
measures required on the
system, including the use of
host firewalls, anti-virus or
other malware protection
mechanisms, and logging
Operating Systems Hardening
first critical step in securing a system is to secure the base
operating system
basic steps
install and patch the operating system
harden and configure the operating system to adequately
address the indentified security needs of the system
install and configure additional security controls, such as antivirus, host-based firewalls, and intrusion detection system (IDS)
test the security of the basic operating system to ensure that
the steps taken adequately address its security needs
Initial Setup and Patching
system security
begins with the
installation of
the operating
system
ideally new
systems should be
constructed on a
protected network
initial installation
should install the
minimum
necessary for the
desired system
overall boot
process must
also be secured
full installation and
hardening process
should occur
before the system
is deployed to its
intended location
the integrity and
source of any
additional device
driver code must
be carefully
validated
should stage and
validate all
patches on the
test systems
before deploying
them in
production
critical that the
system be kept up
to date, with all
critical security
related patches
installed
Remove
Unnecessary
Services,
Applications,
Protocols
when performing the initial
installation the supplied
defaults should not be used
default configuration is set
if fewer software packages
are available to run the risk
is reduced
system planning process
should identify what is
actually required for a given
system
to maximize ease of use
and functionality rather
than security
if additional packages are
needed later they can be
installed when they are
required
system planning process should
Configure
Users, Groups,
and
Authentication
consider:
categories of users on the
system
privileges they have
types of information they can
access
how and where they are defined
and authenticated
default accounts included as
not all users with access to a
system will have the same
access to all data and resources
on that system
elevated privileges should be
restricted to only those users
that require them, and then only
when they are needed to
perform a task
part of the system installation
should be secured
those that are not required
should be either removed or
disabled
policies that apply to
authentication credentials
configured
Configure
Resource
Controls
once the users and groups are
defined, appropriate
permissions can be set on data
and resources
many of the security hardening
guides provide lists of
recommended changes to the
default access configuration
Install
Additional
Security
Controls
further security possible by
installing and configuring
additional security tools:
anti-virus software
host-based firewalls
IDS or IPS software
application white-listing
checklists are included in
Test the
System
Security
security hardening guides
there are programs specifically
designed to:
review a system to ensure that
a system meets the basic
security requirements
scan for known vulnerabilities
final step in the process of
initially securing the base
operating system is security
testing
goal:
ensure the previous security
configuration steps are
correctly implemented
identify any possible
vulnerabilities
and poor configuration
practices
should be done following the
initial hardening of the system
repeated periodically as part of
the security maintenance
process
Application Configuration
may include:
creating and specifying appropriate data storage areas for
application
making appropriate changes to the application or service default
configuration details
some applications or services may include:
default data
scripts
user accounts
of particular concern with remotely accessed services such as
Web and file transfer services
risk from this form of attack is reduced by ensuring that most of
the files can only be read, but not written, by the server
Encryption Technology
is a key
enabling
technology
that may be
used to secure
data both in
transit and
when stored
must be
configured and
appropriate
cryptographic
keys created,
signed, and
secured
if secure network
services are provided
using TLS or IPsec
suitable public and
private keys must be
generated for each of
them
if secure network
services are
provided using
SSH, appropriate
server and client
keys must be
created
cryptographic
file systems are
another use of
encryption
Security Maintenance
process of maintaining security is continuous
security maintenance includes:
monitoring and analyzing logging information
performing regular backups
recovering from security compromises
regularly testing system security
using appropriate software maintenance processes to patch
and update all critical software, and to monitor and revise
configuration as needed
can only inform you
about bad things that
have already
happened
automated
analysis is
preferred
generates significant volumes
of information and it is
important that sufficient
space is allocated for them
in the event of a system breach
or failure, system administrators
can more quickly identify what
happened
Logging
range of data acquired should be
determined during the system
planning stage
information
can be
generated by
the system,
network and
applications
key is to ensure you
capture the correct data
and then appropriately
monitor and analyze
this data
Data Backup and Archive
performing regular
backups of data is a
critical control that
assists with
maintaining the
integrity of the
system and user
data
•may be legal or
operational requirements
for the retention of data
backup
archive
•the process of
making copies of
data at regular
intervals
•the process of retaining
copies of data over
extended periods of time
in order to meet legal and
operational requirements
to access past data
needs and policy relating to
backup and archive should be
determined during the
system planning stage
•kept online or offline
•stored locally or transported to a
remote site
• trade-offs include ease of
implementation and cost versus
greater security and robustness
against different threats
Linux/Unix Security
patch management
keeping security patches up to date is a widely recognized and
critical control for maintaining security
application and service configuration
most commonly implemented using separate text files for each
application and service
generally located either in the /etc directory or in the installation
tree for a specific application
individual user configurations that can override the system defaults
are located in hidden “dot” files in each user’s home directory
most important changes needed to improve system security are to
disable services and applications that are not required
Linux/Unix Security
users, groups, and permissions
access is specified as granting read, write, and execute
permissions to each of owner, group, and others for each
resource
guides recommend changing the access permissions for
critical directories and files
local exploit
software vulnerability that can be exploited by an attacker to
gain elevated privileges
remote exploit
software vulnerability in a network server that could be
triggered by a remote attacker
Linux/Unix Security
remote access controls
logging and log rotation
• several host firewall programs
may be used
• most systems provide an
administrative utility to select
which services will be permitted
to access the system
• should not assume that the
default setting is necessarily
appropriate
Linux/Unix Security
chroot jail
restricts the server’s view of the file system to just a specified
portion
uses chroot system call to confine a process by mapping the
root of the filesystem to some other directory
file directories outside the chroot jail aren’t visible or
reachable
main disadvantage is added complexity
Windows Security
patch management
• “Windows Update” and
“Windows Server Update
Service” assist with
regular maintenance and
should be used
• third party applications
also provide automatic
update support
users administration and
access controls
• systems implement
discretionary access controls
resources
• Vista and later systems
include mandatory integrity
controls
• objects are labeled as being of
low, medium, high, or system
integrity level
• system ensures the subject’s
integrity is equal or higher
than the object’s level
• implements a form of the Biba
Integrity model
Windows Security
Users Administration and Access Controls
Windows systems also
define privileges
• system wide and granted to user
accounts
User Account Control (UAC)
• provided in Vista and later systems
• assists with ensuring users with
administrative rights only use them
when required, otherwise accesses
the system as a normal user
combination of share and
NTFS permissions may be
used to provide additional
security and granularity
when accessing files on a
shared resource
Low Privilege Service
Accounts
• used for long-lived service
processes such as file, print, and
DNS services
Windows Security
application and service configuration
• much of the configuration information is
centralized in the Registry
• forms a database of keys and values that may
be queried and interpreted by applications
• registry keys can be directly modified
using the “Registry Editor”
• more useful for making bulk changes
Windows Security
other security controls
essential that anti-virus, anti-spyware, personal firewall, and other
malware and attack detection and handling software packages are
installed and configured
current generation Windows systems include basic firewall and
malware countermeasure capabilities
important to ensure the set of products in use are compatible
Windows systems also support a range of cryptographic functions:
encrypting files and directories using the Encrypting File System (EFS)
full-disk encryption with AES using BitLocker
“Microsoft Baseline Security Analyzer”
free, easy to use tool that checks for compliance with Microsoft’s security
recommendations
Virtualization
a technology that provides an abstraction of the resources
used by some software which runs in a simulated
environment called a virtual machine (VM)
benefits include better efficiency in the use of the physical
system resources
provides support for multiple distinct operating systems
and associated applications on one physical system
raises additional security concerns
Virtualization Alternatives
application virtualization
full virtualization
allows
applications
written for one
environment to
execute on some
other operating
system
multiple full
operating system
instances execute
in parallel
virtual machine monitor (VMM)
hypervisor
coordinates access between each
of the guests and the actual
physical hardware resources
Native Virtualization Security Layers
Hosted Virtualization Security Layers
Virtualization Security Issues
security concerns include:
guest OS isolation
ensuring that programs executing within a guest OS may only
access and use the resources allocated to it
guest OS monitoring by the hypervisor
which has privileged access to the programs and data in each
guest OS
virtualized environment security
particularly image and snapshot management which attackers
may attempt to view or modify
Hypervisor Security
should be
secured using a process similar to securing an operating system
installed in an isolated environment
configured so that it is updated automatically
monitored for any signs of compromise
accessed only by authorized administration
may support both local and remote administration so must be
configured appropriately
remote administration access should be considered and secured
in the design of any network firewall and IDS capability in use
Access to VM image and snapshots must be carefully controlled
Linux Security
Linux Security
Linux has evolved into one of the most popular and versatile operating systems
many features mean broad attack surface
can create highly secure Linux systems
will review:
Discretionary Access Controls
typical vulnerabilities and exploits in Linux
best practices for mitigating those threats
new improvements to Linux security model
Linux’s traditional security model is:
people or proceses with “root” privileges can do anything
other accounts can do much less
hence attacker’s want to get root privileges
can run robust, secure Linux systems
crux of problem is use of Discretionary Access Controls (DAC)
Linux Security Transactions
File System Security
in Linux everything as a file
e.g. memory, device-drivers, named pipes, and other system
resources
hence why filesystem security is so important
I/O to devices is via a “special” file
e.g. /dev/cdrom
have other special files like named pipes
a conduit between processes / programs
Users and Groups
a user-account (user)
represents someone capable of using files
associated both with humans and processes
a group-account (group)
is a list of user-accounts
users have a main group
may also belong to other groups
users & groups are not files
Users and Groups
user's details are kept in /etc/password
maestro:x:200:100:Maestro Edward
Hizzersands:/home/maestro:/bin/bash
additional group details in /etc/group
conductors:x:100:
pianists:x:102:maestro,volodya
use useradd, usermod, userdel to alter
File Permissions
files have two owners: a user & a group
each with its own set of permissions
with a third set of permissions for other
permissions are to read/write/execute in order
user/group/other, cf.
-rw-rw-r-- 1 maestro user 35414 Mar 25
01:38 baton.txt
set using chmod command
Directory Permissions
read = list contents
write = create or delete files in directory
execute = use anything in or change working directory to
this directory
e.g.
$ chmod g+rx extreme_casseroles
$ ls -l extreme_casseroles
drwxr-x--- 8 biff drummers 288
01:38 extreme_casseroles
Mar 25
Sticky Bit
originally used to lock file in memory
now used on directories to limit delete
if set must own file or dir to delete
other users cannot delete even if have write
set using chmod command with +t flag, e.g.
chmod +t extreme_casseroles
directory listing includes t or T flag
drwxrwx--T 8 biff drummers
extreme_casseroles
288
Mar 25 01:38
only apply to specific directory not child dirs
SetUID and SetGID
setuid bit means program "runs as" owner
no matter who executes it
setgid bit means run as a member of the group which owns it
again regardless of who executes it
"run as" = "run with same privileges as”
are very dangerous if set on file owned by root or other privileged
account or group
only used on executable files, not shell scripts
setuid has no effect on directories. setgid does and causes any file
created in a directory to inherit the directory's group
useful if users belong to other groups and routinely create files to be
shared with other members of those groups
instead of manually changing its group
Numeric File Permissions
Kernel vs User Space
Kernel space
refers to memory used by the Linux kernel and its loadable
modules (e.g., device drivers)
User space
refers to memory used by all other processes
since kernel enforces Linux DAC and security critical to
isolate kernel from user
so kernel space never swapped to disk
only root may load and unload kernel modules
setuid root Vulnerabilities
a setuid root program runs as root
no matter who executes it
used to provide unprivileged users with access to
privileged resources
must be very carefully programmed
if can be exploited due to a software bug
may allow otherwise-unprivileged users to use it to wield
unauthorized root privileges
distributions now minimise setuid-root programs
system attackers still scan for them!
Web Vulnerabilities
a very broad category of vulnerabilities
because of ubiquity of world wide web have big and visible
attack surfaces
when written in scripting languages
not as prone to classic buffer overflows
can suffer from poor input-handling
few “enabled-by-default” web applications
but users install vulnerable web applications
or write custom web applications having easily-
identified and easily-exploited flaws
Rootkits
allow attacker to cover their tracks
if successfully installed before detection, all is very nearly
lost
originally collections of hacked commands
hiding attacker’s files, directories, processes
now use loadable kernel modules
intercepting system calls in kernel-space
hiding attacker from standard commands
may be able to detect with chkrootkit
generally have to wipe and rebuild system
Linux Hardening - OS Installation
security begins with O/S installation
especially what software is run
since unused applications liable to be left in default, un-
hardened and un-patched state
generally should not run:
X Window system, RPC services, R-services, inetd, SMTP
daemons, telnet etc
also have some initial system s/w configuration:
setting root password
creating a non-root user account
setting an overall system security level
enabling a simple host-based firewall policy
enabling SELinux
Patch Management
installed server applications must be:
configured securely
kept up to date with security patches
patching can never win “patch rat-race”
have tools to automatically download and install security
updates
e.g. up2date, YaST, apt-get
note should not run automatic updates on change-controlled
systems without testing
Network Access Controls
network a key attack vector to secure
TCP wrappers a key tool to check access
originally tcpd inetd wrapper daemon
before allowing connection to service checks
if requesting host explicitly in hosts.allow is ok
if requesting host explicitly in hosts.deny is blocked
if not in either is ok
checks on service, source IP, username
now often part of app using libwrappers
Network Access Controls
also have the very powerful netfilter Linux kernel native firewall
mechanism
and iptables user-space front end
as useful on firewalls, servers, desktops
direct config tricky, steep learning curve
do have automated rule generators
typically for “personnal” firewall use will:
allow incoming requests to specified services
block all other inbound service requests
allow all outbound (locally-originating) requests
if need greater security, manually config
Antivirus Software
historically Linux not as vulnerable to viruses
more to lesser popularity than security
prompt patching was effective for worms
but viruses abuse users privileges
non-root users have less scope to exploit
but can still consume resources
growing Linux popularity mean exploits
hence antivirus software will more important
various commercial and free Linux A/V
User Management
guiding principles in user-account security:
need care setting file / directory permissions
use groups to differentiate between roles
use extreme care in granting / using root privs
commands: chmod, useradd/mod/del, groupadd/mod/del,
passwd, chage
info in files /etc/passwd & /etc/group
manage user’s group memberships
set appropriate password ages
Root Delegation
have "root can to anything, users do little” issue
“su” command allows users to run as root
either root shell or single command
must supply root password
means likely too many people know this
SELinux RBAC can limit root authority, complex
“sudo” allows users to run as root
but only need their password, not root password
/etc/sudoers file specifies what commands allowed
or configure user/group perms to allow, tricky
Logging
effective logging a key resource
Linux logs using syslogd or Syslog-NG
receive log data from a variety of sources
sorts by facility (category) and severity
writes log messages to local/remote log files
Syslog-NG preferable because it has:
variety of log-data sources / destinations. much more flexible “rules engine” to configure
Log Management………
can log via TCP which can be encryptedbalance number of log files used
manage size of log files
size of few to finding info in many
must rotate log files and delete old copies. typically use logrotate utility run by cron
to manage both system and application logs
must also configure application logging
Running As Unprivileged
User/Group
every process “runs as” some user
extremely important this user is not root
since any bug can compromise entire system
may need root privileges, e.g. bind port
have root parent perform privileged function
but main service from unprivileged child
user/group used should be dedicated
easier to identify source of log messages
Running in chroot Jail
chroot confines a process to a subset of /
maps a virtual “/” to some other directory
useful if have a daemon that should only access a portion of
the file system, e.g. FTP
directories outside the chroot jail aren’t visible or reachable
at all
contains effects of compromised daemon
complex to configure and troubleshoot
must mirror portions of system in chroot jail
Modularity
applications running as a single, large, multipurpose
process can be:
more difficult to run as an unprivileged user
harder to locate / fix security bugs in source
harder to disable unnecessary functionality
hence modularity a highly prized feature
providing a much smaller attack surface
cf. postfix vs sendmail, Apache modules
Encryption
sending logins & passwords or application data over
networks in clear text exposes them to network
eavesdropping attacks
hence many network applications now support encryption
to protect such data
often using OpenSSL library
may need own X.509 certificates to use
can generate/sign using openssl command
may use commercial/own/free CA
Logging
applications can usually be configured to log to any level
of detail (debug to none)
need appropriate setting
must decide if use dedicated file or system logging facility
(e.g. syslog)
central facility useful for consistent use
must ensure any log files are rotated
Mandatory Access Controls
Linux uses a DAC security model
but Mandatory Access Controls (MAC) impose a global
security policy on all users
users may not set controls weaker than policy
normal admin done with accounts without authority to
change the global security policy
but MAC systems have been hard to manage
Novell’s SuSE Linux has AppArmor
RedHat Enterprise Linux has SELinux
pure SELinux for high-sensitivity, high-security
Windows Security
Windows is the world’s most popular O/S
advantage is that security enhancements can protect
millions of nontechnical users
challenge is that vulnerabilities in Windows can also affect
millions of users
will review overall security architecture of Windows
then security defenses built into Windows
Windows Security Architecture
Security Reference Monitor (SRM)
a kernel-mode component that performs access checks,
generates audit log entries, and manipulates user rights
(privileges)
Local Security Authority (LSA)
responsible for enforcing local security policy
Security Account Manager (SAM)
a database that stores user accounts and local users and
groups security information
local logins perform lookup against SAM DB
passwords are stored using MD4
Windows Security Architecture
Active Directory (AD)
Microsoft’s LDAP directory
all Windows clients can use AD to perform security
operations including account logon
authenticate using AD when the user logs on using a
domain rather than local account
user’s credential information is sent securely across
the network to be verified by AD
WinLogon (local) and NetLogon (net) handle login
requests
Local vs Domain Accounts
a networked Windows computer can be:
domain joined
can login with either domain or local accounts
if local may not access domain resources
centrally managed and much more secure
in a workgroup
a collection of computers connected together
only local accounts in SAM can be used
no infrastructure to support AD domain
Domain Login Example
domain admin adds user’s account info (name,
account, password, groups, privileges)
account is represented by a Security ID (SID)
unique to each account within a domain
of form: S-1–5–21-AAA-BBB-CCC-RRR
Breakdown: S means SID; 1 is version number; 5 is
identifier authority (here is
SECURITY_NT_AUTHORITY); 21 means “not unique”,
although always unique within a domain; AAA-BBBCCC is unique number representing domain; and RRR is
a relative id (increments by 1 for each new account)
Domain Login Example (cont.)
username in one of two forms:
SAM format: DOMAIN\Username
User Principal Name (UPN):
[email protected]
login using username & password or smartcard
assuming login is correct, token is generated and
assigned to the user
contains user’s SID, group membership info, and privileges
assigned to every process run by user, and used for access
checks
Windows Privileges
are systemwide permissions assigned to user accounts –
over 45 total
e.g. backup computer, or change system time
some are deemed “dangerous” such as:
act as part of operating system privilege
debug programs privilege
backup files and directories privilege
others are deemed “benign” such as
bypass traverse checking privilege
Access Control Lists
two forms of access control list (ACL):
Discretionary ACL (DACL)
System ACL (ACL)
grants or denies access to protected resources such as files, shared memory, named pipes etc
used for auditing and in Windows Vista to enforce mandatory integrity policy
objects needing protection are assigned a DACL (and possible SACL) that includes
SID of the object owner. list of access control entries (ACEs)
each ACE includes a SID & access mask
access mask could include ability to:
read, write, create, delete, modify, etc
access masks are object-type specific
e.g. service abilities are create, enumerate
Security Descriptor (SD)
data structure with object owner, DACL, & SACL
e.g.
Owner: CORP\Blake
ACE[0]: Allow CORP\Paige Full Control
ACE[1]: Allow Administrators Full Control
ACE[2]: Allow CORP\Cheryl Read, Write and Delete
have no implied access, if there is no ACE for requesting
user, then access is denied
applications must request correct type of access
if just request “all access” when need less (e.g. read) some
user’s who should have access will be denied
More SD’s & Access Checks
each ACE in the DACL determines access
an ACE can be an allow or a deny ACE
Windows evaluates each ACE in the ACL until access is
granted or explicitly denied
so deny ACEs come before allow ACEs
default if set using GUI
explicitly order if create programmatically
when user attempts to access a protected object, the O/S
performs an access check
comparing user/group info with ACE’s in ACL
Application access
Note that when an application requests access, it must
also request an access level.
Initially (before XP), most applications just requested “all
access”, which is only given to owner or admin accounts.
This is the reason so many applications failed on Windows
XP unless they ran at admin level – essentially, poor
coding.
Interacting with SDs
Powershell to get an object’s SD:
get-acl c:\folder\file.txt | format-list
use set-acl to set DACL or SACL
Can also use Security Descriptor Definition Language
(SDDL):
Example function:
ConvertStringSecurityDescriptorToSecurityDescriptor()
Impersonation
process can have multiple threads
common for both clients and servers
impersonation allows a server to serve a user, using their
access privileges
e.g. ImpersonateNamedPipeClient function sets user’s token
on the current thread
then access checks for that thread are performed against this
token not server’s
with user’s access rights
Mandatory Access Control
have Integrity Control in Windows Vista (and later)
that limits operations changing an object’s state
objects and principals are labeled (using SID):
Low integrity (S-1-16-4096)
Medium integrity (S-1-16-8192)
High integrity (S-1-16-12288)
System integrity (S-1-16-16384)
when write operation occurs first check subject’s
integrity level dominates object’s integrity level
much of O/S marked medium or higher integrity
Vista User Account
Windows Vulnerabilities
Windows, like all O/S’s, has security bugs
and bugs have been exploited by attackers to compromise
customer operating systems
Microsoft now uses process improvement called the
Security Development Lifecycle
net effect approx 50% reduction in bugs
Windows Vista used SDL start to finish
IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in
4 years, none critical
Security Development Lifecycle
(SDL)
Requirements:
Mandatory security education
Security design requirements
Threat modeling
Attack surface analysis and reduction
Secure coding
Secure testing
Security push
Final security review
Security response
Patch Management
At first, patches were released at all times. Now, they
release on the second Tuesday of each month (Patch
Tuesday).
More recently, they even announce the expected load the
Thursday before, which has been popular with sys admins.
Windows System Hardening
process of shoring up defenses, reducing exposed
functionality, disabling features
known as attack surface reduction
use 80/20 rule on features
not always achievable
e.g. requiring RPC authentication in XP SP2
e.g. strip mobile code support on servers
servers easier to harden:
are used for very specific and controlled purposes
2. server users are administrators with (theoretically) better
computer configuration skills than typical users
1.
Windows Security Defenses
Have 4 broad categories of security defenses:
account defenses
network defenses
buffer overrun defenses.
browser defenses
Account Defenses
user accounts can have privileged SIDs
least privilege dictates that users operate with just
enough privilege for tasks
Windows XP users in local Administrators
for application compatibility reasons
can use “Secondary Logon” to run applications
also restricted tokens reduce per-thread privilege
Windows Vista onwards reverses default with UAC
users prompted to perform a privileged operation
unless admin on Server
Low Privilege Service Accounts
Windows services are long-lived processes started
after booting
many ran with elevated privileges
but many do not need elevated requirements
Windows XP added Local Service and Network service
accounts
allow a service local or network access
otherwise operate at much lower privilege level
Windows XP SP2 split RPC service (RPCSS) in two
(RPCSS and DCOM Server Process)
example of least privilege in action, see also IIS6
direct result of Blastr worm
Stripping Privileges
another defense is to strip privileges from an account soon
after an application starts
e.g. Index server process runs as system to access all disk
volumes
but then sheds any unneeded privileges as soon as possible
using AdjustTokenPrivileges
Windows Vista can define privileges required by a service
using ChangeServiceConfig2
Network Defenses
have IPSec and IPv6 with authenticated network packets
enabled by default in Windows Vista
IPv4 also enabled by default, expect less use
E.g. Windows Xbox live network ----- ipsec
have built-in software firewall
block inbound connections on specific ports
Vista can allow local net access only
optionally block outbound connections
default was off (XP) but now default on
Buffer Overrun Defenses
many compromises exploit buffer overruns
Windows Vista has “Stack-Based Buffer Overrun Detection
(/GS)” default enabled
source code compiled with special /GS option
does not affect every function; only those with at least 4-
bytes of contiguous stack data and that takes a pointer or
buffer as an argument
defends against “classic stack smash”
Windows Stack and /GS flag
Buffer Overrun Defenses
No eXecuteNamed (NX) / Data Execution Prevention
(DEP) / eXecution Disable (XD)
prevent code executing in data segments
as commonly used by buffer overrun exploits
applications linked with /NXCOMPAT option
Stack Randomization (Vista only)
randomizes thread stack base addresses
Heap-based buffer overrun defenses:
add and check random value on each heap block
heap integrity checking
heap randomization (Vista only)
Other Defenses
Image Randomization
O/S boots in one of 256 configurations
makes O/S less predictable for attackers
Service Restart Policy
services can be configured to restart if fail
great for reliability but lousy for security
Vista sets some critical services so can only restart twice,
then manual restart needed
gives attacker only two attempts
Encrypted File System…..EFS, Bitlocker
Browser Defenses
web browser is a key point of attack
via script code, graphics, helper objects
Microsoft added many defenses to IE7 onwards
ActiveX opt-in
unloads ActiveX controls by default
when any then first run prompts user to confirm
protected mode
IE runs at low integrity level (see earlier)
so more difficult for malware to manipulate O/S
The End