Vista Security For Developers

Vista Security For Developers
Silvano Coriani ([email protected])
Developer Evangelist
Microsoft
Agenda
Windows Vista System Integrity Technologies
Layered security onion
Boot environment
Kernel mode
Service hardening
User Account Control
Administrative tasks
Application compatibility: do & don’t
Windows XP (layers: User, Admin, System, Services, Kernel)
1. Few layers
2. Mostly privileged
3. Limited guards between layers
Vista (layers: Service Hardening; User Account Control (LUA) with low rights programs, LUA user and Admin; Low Privilege Services; System Services; Kernel; User mode drivers)
1. Increase # layers
2. Segment services
3. Reduce size of high risk layers
The Bad Guys Are Everywhere!
They literally want to do you harm
Threats exist in two interesting places
Online: System started, shows login screen or user is logged in
Offline: System is powered down or in hibernation
Policies must address both
Protect The OS When Running
The Threats
Trojan that replaces a system file to install a rootkit and take control of the computer (e.g. Fun Love or others that use rootkits)
Offline attack caused by booting an alternate operating system and attempting to corrupt or modify Windows operating system image files
Third-party kernel drivers that are not secure
Any action by an administrator that threatens the integrity of the operating system binary files
Rogue administrator who changes an operating system binary to hide other acts
Code Integrity
Validates the integrity of each binary image
Checks hashes for every page as it’s loaded
Also checks any image loading to a protected process
Implemented as a file system filter driver
Hashes stored in system catalog or in X.509 certificate embedded in file
Also validates the integrity of the boot process
Checks the kernel, the HAL, boot-start drivers
If validation fails, image won’t load
Protect The OS When Not Running
The Threats
Computer is lost or stolen
Theft or compromise of data
Attack against corporate network
Damage to OS if attacker installs alternate OS
Difficult and time-consuming to truly erase decommissioned disks
Existing ways to mitigate these threats are too easy for user to circumvent
Secure Startup (“BitLocker”)
Ensure boot integrity: resilient against attack; lock tampered systems
Protect data when offline: encrypt user data and system files; umbrella protection
Ease equipment recycling: simplify recycling; speed data deletion
Protect system from offline software-based attacks
Prevent boot if monitored files have been altered
All data on the volume is encrypted: user, system, page, hibernation, temp, crash dump
Third-party apps benefit when installed on encrypted volume
Render data useless by deleting TPM key store
Erasing takes seconds, not hours
Bootstrapping the system
Secure startup (BitLocker)
Integration with TPM and BIOS
Provides root of trust for CI, LUA, …
Full disk encryption
Code Integrity (CI)
Verifies integrity of binaries at load/page-in
Covers x64 kernel modules and protected media processes
Supports catalog and embedded signatures
Device drivers
Poorly written or malicious drivers lead to crashes, instability, and security issues
Mandatory kernel driver signing on x64
Load time enforcement
Patching of private kernel state on x64 is not allowed
Introduction of User Mode Driver Framework
Reduce system instability
Reduce high privileged attack surface
Windows Defender driver protection
Protect Services From Exploit
The Threats
Remember Blaster?
Took over RPCSS – made it write msblast.exe to file system and added run keys to the registry
No software is perfect; someone still might find a vulnerability in a service
Malware often looks to exploit such vulnerabilities
Services are attractive
Run without user interaction
Many services often have free rein over the system – too much access
Most services can communicate over any port
Service Hardening
Service refactoring
Move service from LocalSystem to something less privileged
If necessary, split service so that only the part requiring LocalSystem receives that
Service profiling
Enables service to restrict its behavior
Resources can have ACLs that allow the service’s ID to access only what it needs
Also includes rules for specifying required network behavior
It’s about the principle of least privilege – it’s good for people, and it’s good for services
Service hardening objectives
Run least privilege
Minimize resource access
Reduce the damage potential and number of critical vulnerabilities in services
Extend existing security model and provide options based on service requirements, from Good to Better to Best:
Move to a least privilege account.
Refactor services into two parts where necessary.
Strip unnecessary Windows “privileges” on a per-service basis.
Supply network firewall rules.
Grant Service SID access via ACLs on service specific resources.
Use Service-SID, ACLs and “write-restricted token” to isolate services.
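As an added example (not code from the deck), the per-service SID that the ACL and write-restricted-token options above rely on can be derived offline: it is S-1-5-80 followed by the SHA-1 of the upper-cased service name, and a write-restricted token only obtains write access where the DACL also grants one of the restricting SIDs. The service name MyBackupSvc is a constructed example, and treating any Allow ACE as a write grant is a simplification.

```python
import hashlib
import re
import struct

def service_sid(service_name):
    """Per-service SID (NT SERVICE\\name): S-1-5-80 plus the SHA-1 of the
    upper-cased name in UTF-16LE, read as five little-endian 32-bit sub-authorities."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))

def service_scoped_dacl(service_name, rights="FA"):
    """SDDL DACL for a service-specific resource: the service SID, SYSTEM (SY) and
    Administrators (BA) get access; the shared host account (e.g. LocalService) does not."""
    return "D:(A;;%s;;;%s)(A;;FA;;;SY)(A;;FA;;;BA)" % (rights, service_sid(service_name))

def allowed_sids(sddl):
    """SIDs or SDDL aliases named in Allow ACEs; the rights mask is ignored
    (simplification: any Allow ACE is treated as granting write)."""
    return {m.group(1) for m in re.finditer(r"\(A;[^;]*;[^;]*;[^;]*;[^;]*;([^)]+)\)", sddl)}

def service_can_write(sddl, service_name, host_account="LS", write_restricted=True):
    """Model the write check for a service in a shared host account (default LocalService).
    Normal token: some token SID must be allowed. Write-restricted token: in addition,
    one of the restricting SIDs (service SID, Everyone 'WD', WRITE RESTRICTED S-1-5-33)
    must be allowed, so objects ACL'd only to the host account become read-only."""
    granted = allowed_sids(sddl)
    sid = service_sid(service_name)
    if not granted & {host_account, "WD", sid}:
        return False
    if write_restricted:
        return bool(granted & {sid, "WD", "S-1-5-33"})
    return True

if __name__ == "__main__":
    dacl = service_scoped_dacl("MyBackupSvc")  # constructed example service name
    print(service_sid("MyBackupSvc"))
    print("MyBackupSvc can write:", service_can_write(dacl, "MyBackupSvc"))
    print("OtherSvc can write:", service_can_write(dacl, "OtherSvc"))
```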
Vista service changes
Services common to both platforms
Windows XP SP2
LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
Network Service: DNS Client
Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry
Vista client
LocalSystem, firewall restricted: Removable Storage, WMI Perf Adapter, Automatic updates
LocalSystem: BITS
LocalSystem, demand started: WMI, App Management, Secondary Logon
Moved to Network Service (fully restricted or network restricted) or Local Service (no network access or fully restricted): DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA, TrkWks, Cryptographic Services, Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System, Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry
Protect The OS And Data From Unknown Code
The Threats
A user unknowingly runs code from an unknown source that attempts to modify or delete files
Code running as LUA attempts a local elevation of privilege by injecting code into a process running as administrator
Trojans that attempt to execute with full administrator privilege
System code reads data from the Internet (an untrustworthy source) that contains corrupt data designed to elevate privilege by exploiting a bug
Mandatory Integrity Control
Method to prevent low-integrity code from modifying high-integrity code
Protect TCB files and data from modification by privileged users
Protect user data from modification by unknown malicious code
Protect processes running as PA (privileged administrator) from modification by processes running as LUA under the same user SID
Classical computer security concept known since the 1970s
Lots of recent work in various operating systems
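An added model (not the deck's code) of the Mandatory Integrity Control check described above: the object's label lives in an SDDL (ML;;policy;;;level) ACE in its SACL, unlabelled objects count as Medium with no-write-up, and the check is evaluated before the DACL. The SDDL strings and the Low-integrity IE scenario are constructed.

```python
import re

# Windows integrity levels as SDDL aliases -> the RID in the S-1-16-<RID> label SID.
INTEGRITY = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Mandatory label policy flags as they appear in an SDDL (ML;;flags;;;level) ACE.
POLICY = {"NW": "no_write_up", "NR": "no_read_up", "NX": "no_execute_up"}
# Generic access bits (subset of the Win32 ACCESS_MASK).
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000

_LABEL_ACE = re.compile(r"\(ML;;([A-Z]*);;;([A-Z]{2})\)")

def parse_label(sddl):
    """Integrity level and policies from the object's SACL label ACE.
    Unlabelled objects are treated as Medium with NO_WRITE_UP, as Windows does."""
    m = _LABEL_ACE.search(sddl or "")
    if not m:
        return INTEGRITY["ME"], {"no_write_up"}
    flags, level = m.groups()
    policies = {POLICY[flags[i:i + 2]] for i in range(0, len(flags), 2)}
    return INTEGRITY[level], policies

def mic_allows(subject_level, object_sddl, desired):
    """The mandatory check runs before the DACL: a subject at or above the object's
    level is never blocked here; a lower subject is denied the accesses the policy names."""
    obj_level, policies = parse_label(object_sddl)
    if subject_level >= obj_level:
        return True
    if desired & GENERIC_WRITE and "no_write_up" in policies:
        return False
    if desired & GENERIC_READ and "no_read_up" in policies:
        return False
    if desired & GENERIC_EXECUTE and "no_execute_up" in policies:
        return False
    return True

if __name__ == "__main__":
    # Constructed scenario: Protected Mode IE (Low) against a user document (Medium)
    # and against its own Low-labelled cache folder.
    document = "D:(A;;FA;;;BA)S:(ML;;NW;;;ME)"
    low_cache = "S:(ML;;NW;;;LW)"
    print("IE writes document:", mic_allows(INTEGRITY["LW"], document, GENERIC_WRITE))
    print("IE reads document:", mic_allows(INTEGRITY["LW"], document, GENERIC_READ))
    print("IE writes cache:", mic_allows(INTEGRITY["LW"], low_cache, GENERIC_WRITE))
```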
Protect The OS From The Web
The Threats
Alas, most Windows users still run as admin
Meaning: The Internet runs as admin on your PC!
“Drive-by” installs of spyware and virus code
Exploits of vulnerabilities give attackers full remote access
Even non-admins still vulnerable to malicious destruction of personal data
Internet Explorer Protected Mode
Built on mandatory integrity control
Internet Explorer runs at low integrity level
Reduce the severity of threats to IE add-ons
Eliminate the silent install of malicious code through software vulnerabilities
Preserve compatibility whenever possible
Provide the capability and guidance for add-ons to restore functionality
Minimize required user involvement
Sometimes called “low-rights IE”
Protect The OS From The User!
Pain Points
Productivity is lost when my machine is compromised
Malware, without my knowledge, can modify Windows when run with elevated privileges
Enterprise users running elevated privileges can compromise the corporation
We have to relax security to run Line of Business (LoB) applications
LoB applications require elevated privileges to run
System security must be relaxed to run the LoB application
It is costly to re-evaluate the required security settings for each application with every OS release
Common OS Configuration tasks require elevated privilege
Simple scenarios like VPN don’t work
Standard Users are not able to manage configuration changes that affect only their account
User Account Control (UAC)
Previously known as “LUA”
Users will log on as non-administrator by default
Protects the system from the user
Enables the system to protect the user
Consent UI allows elevation to administrator
Applications and administrator tools should be UAP aware
Differentiate capabilities based on UAP
Apply correct security checks to product features
Start testing your software against Vista now!
Why User Account Control (UAC)?
Managed Desktops: Systematic control over end-user clients to maintain security & productivity
Gartner: Nearly 40% TCO Savings per desktop in a managed environment
Reduces day-to-day helpdesk calls
Increases end-users’ productivity/uptime
“Security Holes Increase Windows Client TCO”, 14 October 2004
Why User Account Control?
At risk from malware when running as administrator.
Misplaced Administrator checks in Windows XP that needed to get fixed.
Enterprises realize significant TCO reductions when running with managed systems.
The UAC Approach
Improving productivity by granting permissions only when needed
Allows Standard Users to perform key tasks without impacting system-wide settings
Helps to insulate the system files and data from malicious or deceptive code
Limit potential damage to my data by using Protected Mode IE
All apps run as Standard User unless specifically marked
Process isolation of Admin apps and higher risk applications
Enabling Parental Control Scenarios
Windows Vista UAC Goals
All users run as Standard User by default
Filtered token created during logon
Only specially marked apps get the unfiltered token
Administrators use full privilege only for administrative tasks or applications!
User provides explicit consent before using elevated privilege
Predictable shell elevation paths
High application compatibility
Data redirection
Enabling legacy apps to run as standard user
Installer Detection
UAC Architecture
Standard User Rights vs. Administrative Rights
Admin logon produces a split-privileges token: an Admin Token (Admin Privilege) and a “Standard User” Token (Standard User Privilege)
In Standard User Mode the user (Abby) runs User Processes with the “Standard User” Token: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc.
Taxonomy of a Standard User Token
Privileges typically in Standard User token
Bypass traverse checking (SeChangeNotify)
Shut down the system (SeShutdown)
Increase Working Set Size (SeIncreaseWorkingSet)
Remove computer from docking station (SeUndock)
Change Time Zone (SeChangeTimeZone)
New in Vista
All other privileges removed.
Privileged RIDs set to DENY_ONLY, e.g. Administrators, Enterprise Admins, Policy
How to Run Code Elevated
Mark application as requiring Administrator privileges using manifest.
Installer detection
Application Compatibility shims
Compatibility Tab on Program Properties
Right-click Run Elevated…
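As an added example (not from the deck), this is the trustInfo section of an application manifest that marks an executable as requiring administrator rights; the same element with level="asInvoker" declares a standard-user-only application (the "Command line tools run AsInvoker" case), and "highestAvailable" asks for the unfiltered token only when the user is an administrator. The assembly name Contoso.AdminTool is a constructed example, and the manifest is assumed to be embedded in the executable as its RT_MANIFEST resource.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- constructed example identity -->
  <assemblyIdentity type="win32" name="Contoso.AdminTool" version="1.0.0.0"
                    processorArchitecture="x86"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <!-- level: asInvoker | highestAvailable | requireAdministrator -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Declaring any requestedExecutionLevel also switches off the file and registry redirection for that application, so it must already confine its writes to per-user locations.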
UX Goals: Simple & Predictable
1st Choice: Make application Standard user only
2nd Choice: Clearly identify Administrative tasks
Ensure Standard users can be fully productive
Identify tasks that need elevation with a “shield”
Command line tools run AsInvoker…
UX: The Shield
Attached to controls which, if clicked, will require elevation as the next step
Has only one state (i.e. no hover, disabled etc.)
Does not remember elevated state
Not an unlock operation
Shield UI Examples
Elevation Prompts
Consent UI
OS Application
Signed Application
Unsigned Application
Low rights IE
Used in internet zone
Less privileged than UAC user
Can only write to limited areas of the file system
Cannot manipulate other processes at higher privilege level
Sensitive operations moved to broker process
Installing ActiveX
Changing internet settings
Single purpose constrained interfaces
Broker cannot be programmatically manipulated
Uses MIC and UIPI isolation
Protecting Administrative Applications with Process Isolation
Administrative and Standard User applications share the same desktop
Primary threats
Cross-process Window messages
DLL injection and create remote thread
Process Isolation mechanisms
Integrity level for processes
UI privilege isolation
“Lower” cannot interfere with “Higher”
Separation of Admin Code
Cannot elevate a running process
Three Design Patterns:
Service Broker Model (RPC)
Side by Side Processes (shared memory, RPC)
Creation of an Administrator COM object to perform elevated task (CoCreateAsAdmin)
High Application Compatibility for Legacy Applications
Legacy apps write to admin locations
HKLM\Software
%SystemDrive%\Program Files
%SystemRoot%
Redirection allows legacy apps to run as Standard User
Writes to HKLM go to HKCU redirected store
Writes to system directories redirected to per-user store, copy-on-write
… you can still write Admin code
This is a crutch for legacy applications.
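An added model (not the deck's code) of where the redirected writes above actually land: the per-user VirtualStore under %LOCALAPPDATA% for files and HKCU\Software\Classes\VirtualStore\MACHINE\Software for the registry, with reads served copy-on-write from the shadow copy first. The user name abby, the C: drive letter and the Contoso paths are assumptions.

```python
import ntpath  # Windows path rules regardless of the host OS

# Protected locations a legacy (unmanifested, 32-bit) app may try to write to.
# Manifested apps and 64-bit apps are not virtualized; their writes simply fail.
PROGRAM_FILES = r"C:\Program Files"
SYSTEM_ROOT = r"C:\Windows"
# Where UAC virtualization sends those writes (user name assumed).
VIRTUAL_STORE = r"C:\Users\abby\AppData\Local\VirtualStore"  # %LOCALAPPDATA%\VirtualStore
REG_VIRTUAL_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE\Software"

def virtualize_file_write(path):
    """Redirect a write under a protected directory to the per-user VirtualStore.
    Anything else (e.g. the user's own profile) is written in place."""
    p = ntpath.normpath(path)
    for root in (PROGRAM_FILES, SYSTEM_ROOT):
        if p.lower().startswith(root.lower() + "\\"):
            return ntpath.join(VIRTUAL_STORE, p[len("C:\\"):])
    return p

def virtualize_reg_write(key):
    """Redirect HKLM\\Software writes to the per-user VirtualStore key."""
    prefix = "HKLM\\Software\\"
    if key[:len(prefix)].upper() == prefix.upper():
        return REG_VIRTUAL_STORE + "\\" + key[len(prefix):]
    return key

def resolve_file_read(path, existing_files):
    """Copy-on-write lookup: a read is served from the VirtualStore copy if one exists,
    otherwise from the real (protected) file."""
    real = ntpath.normpath(path)
    shadow = virtualize_file_write(real)
    if shadow != real and shadow in existing_files:
        return shadow
    return real

if __name__ == "__main__":
    ini = r"C:\Program Files\Contoso\settings.ini"  # constructed legacy app path
    print("write goes to:", virtualize_file_write(ini))
    print("registry write goes to:", virtualize_reg_write(r"HKLM\Software\Contoso\App"))
    print("read resolves to:", resolve_file_read(ini, {virtualize_file_write(ini)}))
```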
Logo Application - Configuration Best Practices
Your app’s per-user setup is performed at first run
Place per-user data into %LOCALAPPDATA%
Roaming into %APPDATA%
Place Per-Machine (Shared) data into %ALLUSERSPROFILE%
Examples of what not to do:
Do not perform admin configuration at first run. Do your admin operations during setup
Do not perform explicit Admin checks for Standard User applications
UAP and Code Access Security (CAS) can be used together for defense in depth
Logo Application Install Best Practices
Use MSI 3.1 for Install and Update
Alternate to MSI 3.1 – call Update.exe marked as admin to do the update
Self Updating Code – DON’T DO IT
This is our LARGEST App Compat problem for home consumer user applications
Examples of what not to do:
Do not assume the user is an administrator
Run Custom Actions in right context!
ClickOnce is a great deployment technology for Standard User apps
ISV Impact Summary
Windows XP Logo’d for Standard User? It will just work on Windows Vista
Fails on Windows XP as Standard User? Mitigated by Redirection; mitigated by App Compat Shim “IsAdmin()?”
Simple app with Admin dependencies
Admin app on Windows XP? Needs to be marked!
Web apps need special attention due to Protected Mode IE
Use the LUA Predictor to fix your app now!
Tool Location: http://www.microsoft.com/windows/appcompatibility/default.mspx
Future UAC Direction
Continue Isolation of Admin code on Standard User Desktop
Integrate AppIDs into OS for Standard User code
Integrate Software Restriction Policies into AppIDs
Tighten down power of Setup applications
PUSH ISVs to write Logo compliant code!
More Information on UAC
Deck from PDC2005: http://commnet.microsoftpdc.com/content/downloads.aspx (search for FUN406)
General Security Info: http://msdn.microsoft.com/windowsvista/security/
Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
UAP Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnlong/html/AccProtVista.asp
UAC Blog: http://blogs.msdn.com/uac
UAC Question on Update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1
Aaron’s Blog: “Not running as administrator” http://blogs.msdn.com/Aaron_Margosis
FAQ
If I mark my app as “admin”, can I skip the elevation consent dialog? – No
Can you modify the privilege of a running application? – No
Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
How long does the elevated process last? Can it time out? – Life of the process
Can I enable which users will use UAC? – Currently this is a per machine setting
Does UAC apply to all processes and services? – Interactive processes only
What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%
Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit
What happens when installer detection fails? – The app runs as non-admin
Will UAC be going down-level? – No
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.