Windows Vista Security - Center
Windows Vista Security
Rafal Lukawiecki
Strategic Consultant
[email protected]
Project Botticelli Ltd
This presentation is based on work by Microsoft TechNet, MSDN and various Microsoft authors including, with special thanks: Ramprabhu Rathnam, Tony Northrup, and Austin Wilson
Objectives
Overview new security features of
Windows Vista explaining their purpose
Relate Vista to emergent security
technologies
Excite you about the new opportunities
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all
information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in
File/Properties.
Pakistan Developer Conference ‘06
Session Agenda
Introduction
A Corporate Scenario
Foundational Protection
Networking
User Account Control
Authentication & Authorization
Integrated Security Control
Securing the Startup
Data Protection
Summary
Engineering Excellence: Windows Vista Development
Microsoft followed their Security Development Lifecycle (SDL) process while creating Windows Vista
Process
Periodic mandatory security training
Assignment of security advisors for all components
Threat modeling as part of design phase
Security reviews and testing built into the schedule
Security metrics for product teams
Common Criteria (CC) certification is one of the major goals (see later)
CC is an international standard (ISO/IEC 15408); in the US, evaluations run under NIAP, a joint NSA/NIST scheme (NIST is also responsible for FIPS)
csrc.nist.gov/cc
A Corporate Scenario
With Windows Vista…
1. While starting up, the system is protected through BitLocker and the TPM (Trusted Platform Module), preventing off-line modifications
2. NAP (Network Access Protection) ensures the computer adheres to your policy (e.g. has required updates, virus signatures etc.) before "Longhorn" servers allow it to use the network
   If the PC is non-compliant, it is given a chance to update
3. Multiple types of logon devices and identities can be selected by the user without losing a consistent UI
4. The user logs on using a non-admin account. If admin rights are truly needed, the user's approval is requested. For legacy apps, virtualisation of admin changes is offered.
5. IE improvements help the user browse the web with less exposure to malware and with better privacy protection
6. When updates are available, Restart Manager ensures a minimum of disruption, even if running applications are left on a locked workstation
Read: www.microsoft.com/technet/windowsvista/evaluate/admin/mngsec.mspx
Foundational Protection
Windows Service Hardening
Defense-in-Depth: Factoring and Profiling of Windows Kernel
[Diagram: services (A, B, 1, 2, 3, ...) layered above user-mode drivers and kernel drivers; the three goals shown are to reduce the size of high-risk layers, segment the services, and increase the number of layers]
Windows Service Hardening
Windows Services became a large attack surface because they run with high privileges and are "always-on"
Improvements:
Per-service SID (Security Identifier), recognised in ACLs (Access Control Lists), so a service can protect its own resources
Firewall policy restricting network access per service (rules keyed on the service SID)
Stripping of unnecessary privileges on a per-service basis
Moving from LocalSystem to LocalService or NetworkService when possible
Use of write-restricted tokens for service processes
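As an added example (not taken from the deck or from Microsoft), the following PowerShell audits the per-service controls listed above on a Vista-or-later machine and then applies them to one service. `sc.exe qsidtype`, `sc.exe qprivs`, `sc.exe showsid` and the `service=` parameter of `netsh advfirewall` exist from Vista onward; the service name `MyLegacySvc` is a hypothetical placeholder. Run from an elevated prompt.

```powershell
# Added example: audit Vista service-hardening settings, then apply them to one service.
# Assumes Windows Vista or later, an elevated prompt, and sc.exe/netsh.exe on the PATH.

function Get-ServiceHardeningReport {
    # Services still running as LocalSystem carry the most privilege; list their
    # service SID type and the privileges the SCM leaves in their token.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $name    = $_.Name
            $account = $_.StartName
            # sc.exe prints "SERVICE_SID_TYPE:  NONE|UNRESTRICTED|RESTRICTED"
            $sidLine = & sc.exe qsidtype $name | Select-String 'SERVICE_SID_TYPE'
            $sidType = if ($sidLine) { ($sidLine.Line -split ':')[1].Trim() } else { 'unknown' }
            # sc.exe prints "PRIVILEGES : SeTcbPrivilege" followed by one privilege per line
            $privs = & sc.exe qprivs $name | Select-String 'Se\w+Privilege' |
                     ForEach-Object { $_.Matches[0].Value }
            New-Object PSObject -Property @{
                Service   = $name
                Account   = $account
                SidType   = $sidType
                PrivCount = @($privs).Count
                HasTcb    = [bool]($privs -contains 'SeTcbPrivilege')   # SeTcb = effectively kernel-equivalent
            }
        }
}

Get-ServiceHardeningReport | Sort-Object PrivCount -Descending |
    Format-Table Service, Account, SidType, PrivCount, HasTcb -AutoSize

# Apply the controls to a hypothetical legacy service (placeholder name):
$svc = 'MyLegacySvc'
# 1. Give the service its own SID so ACLs can refer to it as NT SERVICE\MyLegacySvc
& sc.exe sidtype $svc unrestricted
# 2. Strip the token down to the two privileges most services actually need
& sc.exe privs $svc 'SeChangeNotifyPrivilege/SeImpersonatePrivilege'
# 3. Per-service firewall rule: matched on the service SID, so other code hosted in the
#    same svchost process is unaffected. Outbound is blocked because this service has
#    no reason to initiate connections.
& netsh.exe advfirewall firewall add rule name="Block outbound - $svc" dir=out service=$svc action=block
# 4. Confirm the SID the system derived for the service
& sc.exe showsid $svc
```

Services that report SidType NONE with a long privilege list and an account of LocalSystem are the ones to look at first; the service-SID firewall rule only works once the service has a SID type other than NONE.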
Integrated Windows Defender
Integrated detection, cleaning, and real-time blocking of malware: malware, rootkits, and spyware
Targeted at consumers; enterprise manageability will be available as a separate product
Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove the worst worms, bots, and trojans during an upgrade and on a monthly basis
Windows Live OneCare
Optional fee-based service:
Antivirus
Integration with antispyware (Windows Defender)
System tuning
Update assurance
Backup
Internet Explorer 7
In addition to building on UAC (see later), IE includes:
Protected Mode, which runs IE with fewer rights than the logged-on user has (it cannot, for example, install software even if the user could)
Effectively a "read-only" mode: in the Internet security zone the browser can write only to its own Temporary Internet Files area
All cached data cleared with a single click
Phishing Filter in IE
Dynamic Protection Against Fraudulent Websites
3 checks to protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks the site with an online Microsoft service of reported phishing sites, updated several times every hour
Two Levels of Warning and Protection in the IE7 Security Status Bar:
Level 1 (Warn): suspicious website is signaled
Level 2 (Block): confirmed phishing site is signaled and blocked
Security in .NET Framework 3.0
.NET Framework 3.0, the set of managed Windows Vista APIs, builds on the Code Access Security and evidence-based security model of .NET Framework 2.0 (it runs on the 2.0 CLR, so the security improvements are essentially those of 2.0)
Windows Communication Foundation (WCF) introduces a model of abstracted security and full support for the WS-* security specifications
Formerly known as "Indigo"
Networking
NG TCP/IP
Next Generation TCP/IP in Vista and "Longhorn"
A new, fully re-worked replacement of the old TCP/IP stack
Dual-stack IPv4/IPv6 implementation; IPsec support is mandatory for IPv6 (its use is still governed by policy)
IPv6 addresses several IPv4 weaknesses by design, esp.: privacy and tracking (temporary addresses), network port scanning (huge subnets), confidentiality and integrity (IPsec)
Other network-level security enhancements for both IPv4 and IPv6:
Strong Host model (a packet is accepted only if its destination address belongs to the interface it arrived on)
Windows Filtering Platform (the filtering engine that the firewall and third-party products plug into)
Improved stack-level resistance to known TCP/IP-based denial of service and other types of network attacks
Routing Compartments
Auto-configuration and no-restart reconfiguration
Read: www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx
Windows Vista Firewall
Both inbound and outbound filtering
Authentication- and authorization-aware rules
Outbound application-aware filtering is now possible
Includes IPsec management (Windows Firewall with Advanced Security)
Of course, policy-based administration
Great for peer-to-peer control
Network Access Protection
NAP is a new technology with roots in VPN quarantine (Network Access Quarantine Control), but it now extends to all network clients, not just remote access
Relies on NAP-aware servers, which means Windows "Longhorn" Servers for now
You specify a policy of: required OS patches, virus signature updates, presence or absence of certain applications, any arbitrary checks
...and the system disallows all access to the network if the policy has not been met, except: access to a restricted network where updates etc. can be downloaded
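As an added example (not part of the deck and not Microsoft's NAP code), the PowerShell below is a local pre-check that evaluates a client against the same kind of policy a NAP System Health Agent reports on: patch level, host firewall state, a required anti-malware service and a forbidden application. The real decision is made on the Network Policy Server; this only lets an administrator predict the outcome. The hotfix IDs and the forbidden process name are constructed placeholders.

```powershell
# Added example: a local "statement of health" check approximating what a NAP
# System Health Agent reports. Real NAP decisions are made on the Network Policy
# Server; this only tests a client against a policy of the same shape.
# The hotfix IDs and the forbidden process name below are constructed placeholders.

$Policy = @{
    RequiredHotfixes = @('KB000001', 'KB000002')   # placeholders, not real updates
    RequireFirewall  = $true
    RequiredService  = 'WinDefend'                 # Windows Defender service
    ForbiddenProcess = 'legacy_p2p'                # hypothetical disallowed application
}

function Test-HealthPolicy {
    param([hashtable]$Policy)
    $failures = @()

    # Patch level: every required update must be present
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $Policy.RequiredHotfixes) {
        if ($installed -notcontains $kb) { $failures += "missing update $kb" }
    }

    # Host firewall state for the active profile (netsh prints "State ON")
    if ($Policy.RequireFirewall) {
        $state = & netsh.exe advfirewall show currentprofile state
        if (-not ($state | Select-String -Pattern 'State\s+ON')) {
            $failures += 'firewall disabled in current profile'
        }
    }

    # Required anti-malware service must be running
    $svc = Get-Service -Name $Policy.RequiredService -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $failures += "$($Policy.RequiredService) not running"
    }

    # Absence of a disallowed application
    if (Get-Process -Name $Policy.ForbiddenProcess -ErrorAction SilentlyContinue) {
        $failures += "$($Policy.ForbiddenProcess) is running"
    }

    New-Object PSObject -Property @{
        Compliant   = ($failures.Count -eq 0)
        Failures    = $failures
        # Where a non-compliant client would be sent: the restricted network's fix-up servers
        Remediation = if ($failures.Count -eq 0) { 'none' } else { 'restricted network (WSUS / SMS fix-up servers)' }
    }
}

Test-HealthPolicy -Policy $Policy | Format-List Compliant, Failures, Remediation
```

Each failure string maps to one remediation the restricted network must be able to provide; if the fix-up servers cannot satisfy a check (for example a forbidden application that must be uninstalled by hand), that check should be a warning rather than a hard deny, or compliant machines will pile up in quarantine.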
Network Access Protection (flow diagram)
1. A Windows Vista client connects; it is not policy compliant
2. The access device (DHCP, VPN, switch/router) forwards the client's health statement to the Microsoft Network Policy Server
3. The Network Policy Server evaluates it against the Policy Servers (e.g. Microsoft Security Center, SMS, Antigen or 3rd party)
4. The non-compliant client is placed on the Restricted Network and remediated by the Fix Up Servers (e.g. WSUS, SMS and 3rd party)
5. Once policy compliant, the client is admitted to the Corporate Network
User Account Control
User Account Control
Helps implement the Least Privilege principle in two distinct ways:
1. Every user is a standard user
Older, legacy, or just greedy applications' attempts to change your system's settings are virtualised so they do not break anything
2. Each genuine need to use administrative privileges will require:
Selection of a user who has those permissions (credential prompting), or
Confirmation of the intent to carry on with the operation (consent prompting)
Read: www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
Fundamental Change to Windows Operation
Fixes the system to work well as a standard user
Registry and file virtualization to provide compatibility
Per-machine registry and file writes (e.g. to HKLM\Software or %ProgramFiles%) are redirected to per-user locations if the user does not have administrative privileges
Effectively: standard accounts can run "admin-required" legacy applications safely!
You can redirect the virtualization store
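As an added example (not from the deck), the following PowerShell lists what virtualization has already redirected on a machine, which is the quickest way to find legacy applications that still write to per-machine locations, and reports the integrity level UAC gave the current process. The VirtualStore paths are the documented default locations; no application names are assumed.

```powershell
# Added example: find legacy applications that Vista is silently redirecting, and
# show the integrity level of the current process (Medium = filtered standard token,
# High = elevated). Uses the default VirtualStore locations.

function Get-VirtualizedWrites {
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'

    # Registry: HKLM\Software writes by a non-elevated process land here
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'Registry'; Path = $_.Name; Modified = $null }
        }
    }
    # Files: writes to %ProgramFiles%, %SystemRoot% and %ProgramData% land here
    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{ Kind = 'File'; Path = $_.FullName; Modified = $_.LastWriteTime }
            }
    }
}

function Get-ProcessIntegrityLevel {
    # whoami /groups lists the Mandatory Label of the current token
    $label = & whoami.exe /groups /fo csv | ConvertFrom-Csv |
             Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'unknown' }
}

"Running at integrity level: $(Get-ProcessIntegrityLevel)"
Get-VirtualizedWrites | Sort-Object Kind, Path | Format-Table Kind, Modified, Path -AutoSize
```

Every entry in the VirtualStore is a program that believes it wrote to a machine-wide location; such programs are candidates for a corrected install location or a manifest that declares a `requestedExecutionLevel`, because an application with that manifest entry is excluded from virtualization and will fail visibly instead.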
Authentication & Authorization
Windows Logon Experience
GINA has been replaced with the Credential Provider interfaces
The logon UI can interact with multiple plug-in Credential Providers
Direct support for multi-factor authentication: smartcards and tokens, biometrics etc.
Plug-and-play for smartcards:
Common Base CSP (Cryptographic Service Provider) and smartcard minidrivers (card modules)
Key Storage Providers
Root certificate propagation
Integrated smartcard unblocking
Integrated Security Control
Control Over Device Installation
Control over removable device installation via policy
Mainly to disable USB-device installation, as many corporations worry about intellectual property leakage
You can control devices by setup class or hardware ID
Approved drivers can be pre-populated into the trusted Driver Store
Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:
Non-corporate-standard drivers
Unsigned drivers
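As an added example (not from the deck), the PowerShell below stages an approved driver into the Driver Store with `pnputil.exe` (shipped with Vista) and applies the removable-device and device-class restrictions through the registry values that the "Device Installation Restrictions" Group Policy writes. The driver path is a hypothetical placeholder; in production the policy would be set through Group Policy rather than by writing the keys, and the value names should be verified against your ADMX. Run elevated.

```powershell
# Added example: stage an approved driver package into the Driver Store and apply the
# Vista device-installation restriction policies through their registry storage.
# Run elevated. The driver path is a placeholder; the registry values are those written
# by the "Device Installation Restrictions" Group Policy settings (verify against your ADMX).

# 1. Driver Store: enumerate what is trusted already, then add a corporate package
& pnputil.exe -e
& pnputil.exe -a 'C:\CorpDrivers\corpdevice.inf'     # placeholder path

$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path $restrict -Force | Out-Null

# 2. Block installation of all removable devices, but let administrators override
Set-ItemProperty -Path $restrict -Name 'DenyRemovableDevices' -Value 1 -Type DWord
Set-ItemProperty -Path $restrict -Name 'AllowAdminInstall'    -Value 1 -Type DWord

# 3. Deny by device setup class: the "Disk drives" class covers USB mass storage
$classes = Join-Path $restrict 'DenyDeviceClasses'
New-Item -Path $classes -Force | Out-Null
Set-ItemProperty -Path $restrict -Name 'DenyDeviceClasses' -Value 1 -Type DWord
Set-ItemProperty -Path $classes  -Name '1' -Value '{4d36e967-e325-11ce-bfc1-08002be10318}'

# 4. Verify what is now in effect
Get-ItemProperty -Path $restrict | Format-List DenyRemovableDevices, AllowAdminInstall, DenyDeviceClasses
Get-ItemProperty -Path $classes
```

The class deny list is evaluated for new installations; a device whose driver was installed before the policy took effect keeps working, so the policy has to be paired with an audit of what is already installed.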
Client Security Scanner
Finds out and reports the Windows client's security state:
Patch and update levels
Security state
Signature files
Anti-malware status
Ability for Windows to self-report its state
Information can be collected centrally, or just reviewed in the Security Center by users and admins
Restart Manager
Some updates require a restart
Restart Manager will:
Minimise the number of needed restarts by pooling updates
Deal with restarts of computers that may be left locked by a user with applications running
E.g. after the restart, Microsoft Word will re-open a document on page 42, as it was before the restart
This function is of most importance to centralised desktop management in corporations, not home users, of course
Securing the Startup
Trusted Platform Module
TPM Chip Version 1.2
Hardware present in the computer, usually a chip on the motherboard
Securely stores credentials, such as the private key of a machine certificate, and performs cryptographic operations itself
Effectively, the essence of a smartcard built into the machine
TPM can be used to request encryption and digital signing of code and files and for mutual authentication of devices
See www.trustedcomputinggroup.org
Code Integrity
OS executables and DLLs are digitally signed (through catalog files or embedded signatures)
Signatures are verified when components load into memory: for all kernel-mode code on x64 (unsigned drivers are refused), and for boot-critical files and protected-process binaries on all editions
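As an added example (not from the deck), the following PowerShell reviews what Code Integrity will actually enforce on a machine: whether the boot configuration weakens kernel signature checks, which drivers are unsigned according to the catalogs, and which loaded user-mode modules lack a valid embedded signature. `bcdedit`, `driverquery /si` and `Get-AuthenticodeSignature` are all in-box; run elevated.

```powershell
# Added example: review what Code Integrity will enforce on this machine.
# Assumes Windows Vista or later and an elevated prompt (bcdedit needs it).

function Get-BootIntegritySettings {
    # testsigning / nointegritychecks weaken kernel-mode signature enforcement
    $bcd = & bcdedit.exe /enum '{current}'
    New-Object PSObject -Property @{
        TestSigning       = [bool]($bcd | Select-String '^testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd | Select-String '^nointegritychecks\s+Yes')
    }
}

function Get-UnsignedDrivers {
    # driverquery /si reports signing status using the catalog files, which is how
    # most in-box Windows drivers are signed (they carry no embedded signature).
    & driverquery.exe /si /fo csv | ConvertFrom-Csv |
        Where-Object { $_.IsSigned -ne 'TRUE' } |
        Select-Object DeviceName, InfName, IsSigned
}

function Get-UnsignedLoadedModules {
    # Embedded-signature check on modules mapped into running processes.
    # Caveat: before PowerShell 5.1, Get-AuthenticodeSignature does not consult catalogs,
    # so catalog-signed Windows binaries show as NotSigned; the interesting results are
    # NotSigned modules outside %SystemRoot%.
    $files = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try { $_.Modules | ForEach-Object { $_.FileName } } catch { }   # protected processes throw
    } | Sort-Object -Unique
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{ Path = $f; Status = $sig.Status }
        }
    }
}

Get-BootIntegritySettings | Format-List
Get-UnsignedDrivers | Format-Table -AutoSize
Get-UnsignedLoadedModules |
    Where-Object { $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table Status, Path -AutoSize
```

A machine with `TestSigning` or `NoIntegrityChecks` set to True will load any driver regardless of signature, which silently defeats the guarantee the slide describes; that is the first thing to check during an incident on an x64 host.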
BitLocker™
BitLocker encrypts the entire Windows volume (full volume encryption, AES)
The TPM chip provides key management: the volume key is sealed to measurements of the boot components
Can use additional protection factors such as a USB startup key or a PIN
Unauthorised off-line modification of the boot path changes those measurements, so the TPM will not release the key and no access is granted
Prevents attacks which use utilities that access the hard drive while Windows is not running and enforces the Windows boot process
Protects data after laptop theft etc.
Data recovery strategy must be planned carefully!
Vista supports recovery via a 48-digit recovery password, a recovery key file on USB, or escrow of the recovery information in Active Directory
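As an added example covering both the TPM slide and this one (not from the deck, and not Microsoft's tooling), the PowerShell below reads TPM readiness and BitLocker status through the WMI providers that ship with Vista (`Win32_Tpm` and `Win32_EncryptableVolume`) and flags volumes that have no recovery protector, which is the recovery-planning point above. Both namespaces are administrator-only, so run elevated.

```powershell
# Added example: report TPM readiness and BitLocker protection via the WMI providers
# that ship with Vista (root\CIMV2\Security\MicrosoftTpm and MicrosoftVolumeEncryption).
# Run elevated; both namespaces are admin-only.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return New-Object PSObject -Property @{ Present = $false } }
    New-Object PSObject -Property @{
        Present     = $true
        SpecVersion = $tpm.SpecVersion                 # e.g. "1.2, 2, 3"
        Enabled     = $tpm.IsEnabled().IsEnabled       # enabled in firmware
        Activated   = $tpm.IsActivated().IsActivated   # activated for use
        Owned       = $tpm.IsOwned().IsOwned           # ownership is taken during BitLocker setup
    }
}

# Key protector type codes from the Win32_EncryptableVolume provider
$ProtectorType = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical (recovery) password'
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'; 7 = 'Public key'
}
$ProtectionState = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-BitLockerReport {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        ForEach-Object {
            $vol = $_
            $protectors = @()
            $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID     # 0 = every protector type
            if ($ids) {
                foreach ($id in @($ids)) {
                    $t = $vol.GetKeyProtectorType($id).KeyProtectorType
                    $protectors += $ProtectorType[[int]$t]
                }
            }
            New-Object PSObject -Property @{
                Volume      = $vol.DriveLetter
                Protection  = $ProtectionState[[int]$vol.GetProtectionStatus().ProtectionStatus]
                Protectors  = ($protectors -join ', ')
                # Without a recovery password or external key, a TPM clear, motherboard swap
                # or boot-path change leaves the volume unreadable for good.
                HasRecovery = [bool]($protectors | Where-Object { $_ -like 'Numerical*' -or $_ -like 'External*' })
            }
        }
}

Get-TpmReadiness | Format-List
Get-BitLockerReport | Format-Table Volume, Protection, HasRecovery, Protectors -AutoSize
```

A volume reporting Protection On with only a TPM protector and HasRecovery False is exactly the configuration the slide warns about: a firmware update that changes the measured boot components will lock the user out with no way back.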
Data Protection
RMS, EFS, and BitLocker
Three levels of protection:
Rights Management Services: per-document enforcement of policy-based rights
Encrypting File System: per-file or per-folder encryption of data for confidentiality
BitLocker™ Full Volume Encryption: per-volume encryption (see earlier)
Note: it is not necessary to use a TPM for RMS and EFS
EFS can use smartcards and tokens in Vista
RMS is based, at present, on a "lockbox.dll" technology, not a TPM
CNG: Cryptography Next Generation
CAPI 1.0 (CryptoAPI) has been deprecated
May be dropped altogether in future Windows releases
CNG: Open Cryptographic Interface for Windows
Ability to plug in kernel- or user-mode implementations of:
Proprietary cryptographic algorithms
Replacements for standard cryptographic algorithms
Key Storage Providers (KSP)
Enables cryptography configuration at enterprise and machine levels
Regulatory Compliance
Windows Vista and its cryptography will comply with:
Common Criteria (CC): csrc.nist.gov/cc, currently in version 3
FIPS requirements for strong isolation and auditing
FIPS 140-2 validation on selected platforms and 140-1 on all
US NSA (National Security Agency) / CSS (Central Security Service) Suite B
Vista Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
The set of cryptographic algorithms NSA approves for protecting US unclassified and classified (SECRET and TOP SECRET) information
Higher special-security needs (e.g. nuclear security) are guided by Suite A (definition classified)
Announced by NSA at the RSA conference in Feb 2005
Encryption: AES, FIPS 197 (with key sizes of 128 and 256 bits)
Digital Signature: Elliptic Curve Digital Signature Algorithm, FIPS 186-2 (using the curves with 256- and 384-bit prime moduli); related to GOST R 34.10-2001
Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV, draft NIST Special Publication 800-56 (using the curves with 256- and 384-bit prime moduli)
Hashing: Secure Hash Algorithm, FIPS 180-2 (using SHA-256 and SHA-384)
The sizes pair up by security level: AES-128, P-256 and SHA-256 for SECRET; AES-256, P-384 and SHA-384 for TOP SECRET
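As an added example serving both the CNG slide and this one (not from the deck, and not Windows' own code), the PowerShell below exercises the Suite B primitives through the .NET wrappers over CNG: an ECDH key agreement on P-384 with a SHA-384 KDF, an ECDSA signature on P-256 with SHA-256 verified from the exported public blob (including a tamper check), AES-256 with the agreed key, and a read of the "FIPS compliant algorithms" policy value. `ECDiffieHellmanCng` and `ECDsaCng` live in System.Core and need .NET 3.5 / PowerShell 2.0 or later; the message and the two parties are constructed.

```powershell
# Added example: Suite B primitives through the .NET wrappers over CNG (ECDiffieHellmanCng,
# ECDsaCng, in System.Core; needs .NET 3.5 / PowerShell 2.0 or later).
# The message and parties are constructed; nothing here is the OS's own code.

Add-Type -AssemblyName System.Core
$NS = 'System.Security.Cryptography'

function Invoke-SuiteBKeyAgreement {
    # ECDH on P-384 with a SHA-384 KDF: the Suite B pairing for TOP SECRET.
    # Each side keeps its private key and hands over only PublicKey.
    $alice = New-Object "$NS.ECDiffieHellmanCng" -ArgumentList 384
    $bob   = New-Object "$NS.ECDiffieHellmanCng" -ArgumentList 384
    foreach ($party in $alice, $bob) {
        $party.KeyDerivationFunction = [System.Security.Cryptography.ECDiffieHellmanKeyDerivationFunction]::Hash
        $party.HashAlgorithm         = [System.Security.Cryptography.CngAlgorithm]::Sha384
    }
    $keyA = $alice.DeriveKeyMaterial($bob.PublicKey)
    $keyB = $bob.DeriveKeyMaterial($alice.PublicKey)
    New-Object PSObject -Property @{
        KeyBytes = $keyA.Length                     # 48 = SHA-384 output
        Agreed   = ([Convert]::ToBase64String($keyA) -eq [Convert]::ToBase64String($keyB))
        Key      = $keyA
    }
}

function Invoke-SuiteBSignature {
    param([byte[]]$Message)
    # ECDSA on P-256 with SHA-256: the Suite B pairing for SECRET.
    $signer = New-Object "$NS.ECDsaCng" -ArgumentList 256
    $signer.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $signature = $signer.SignData($Message)

    # The verifier receives only the public blob (CNG ECCPUBLICBLOB format)
    $fmt      = [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob
    $pubKey   = [System.Security.Cryptography.CngKey]::Import($signer.Key.Export($fmt), $fmt)
    $verifier = New-Object "$NS.ECDsaCng" -ArgumentList $pubKey
    $verifier.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256

    $tampered = [byte[]]$Message.Clone()
    $tampered[0] = $tampered[0] -bxor 1             # flip one bit of the message
    New-Object PSObject -Property @{
        SignatureBytes = $signature.Length          # 64 for P-256 (r || s)
        ValidOriginal  = $verifier.VerifyData($Message, $signature)    # expected True
        ValidTampered  = $verifier.VerifyData($tampered, $signature)   # expected False
    }
}

function Get-FipsPolicy {
    # "System cryptography: Use FIPS compliant algorithms" policy storage on Vista
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    if ($p) { [bool]$p.Enabled } else { $false }
}

$kx  = Invoke-SuiteBKeyAgreement
$msg = [Text.Encoding]::UTF8.GetBytes('constructed sample message')
$sig = Invoke-SuiteBSignature -Message $msg

# AES-256 (Suite B encryption) keyed from the first 32 bytes of the agreed key material
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.Key = [byte[]]($kx.Key[0..31])
$aes.GenerateIV()
$ct = $aes.CreateEncryptor().TransformFinalBlock($msg, 0, $msg.Length)

"ECDH P-384 agreed: $($kx.Agreed) ($($kx.KeyBytes) bytes of key material)"
"ECDSA P-256 verify: original $($sig.ValidOriginal), tampered $($sig.ValidTampered)"
"AES-256 ciphertext: $($ct.Length) bytes; FIPS policy enabled: $(Get-FipsPolicy)"
```

The public key never leaves the `Export`/`Import` round trip as anything but an ECCPUBLICBLOB, which is the shape a Key Storage Provider hands out; swapping the software KSP for a smartcard or TPM-backed one changes where the private half lives but not this code.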
Summary
The Most Secure Windows Yet
Threat and Vulnerability Mitigation: IE protected mode / anti-phishing; Windows Defender; bi-directional firewall; IPsec improvements; Network Access Protection (NAP)
Fundamentals: SDL; Service Hardening; code scanning; default configuration; Code Integrity
Identity and Access Control: User Account Control; Plug and Play smartcards; simplified logon architecture; BitLocker; RMS client