Security in Today’s Operating Systems – Windows Vista & Server 2008
Ravi Sankar
Technology Evangelist | Microsoft Corporation
Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection
Fundamentals
• Service Hardening
• Kernel Protection
• Windows Firewall
• Next Generation Cryptography
• Networking Improvements
• The Web Components (browser and server)
• Terminal Services Gateway
Windows Service Hardening
• Reduce the size of high-risk layers
• Segment the services
• Increase the number of layers
[Diagram: layered stack of Kernel Drivers, User-mode Drivers and segmented services (Service 1, Service 2, Service 3, …, Service A, Service B)]
Windows Service Hardening
Windows® XP SP2/Server 2003 R2 service accounts:
  LocalSystem
  Network Service
  Local Service
Windows Vista/Server 2008 service accounts:
  LocalSystem
  LocalSystem, Firewall Restricted
  Network Service
  Network Service, Network Restricted
  Network Service, Fully Restricted
  Local Service
  Local Service, No Network Access
  Local Service, Fully Restricted
Service Changes: Windows XP vs. Windows Vista and Server 2008

Windows XP
  LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
  Network Service: DNS Client
  Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Vista and Server 2008
  LocalSystem: BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI
  LocalSystem, Firewall Restricted: WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration
  Network Service: DNS Client
  Network Service, Network Restricted: Cryptographic Services, Telephony, PolicyAgent, Nlasvc
  Network Service, Fully Restricted: ICS, DHCP Client, browser, Server, W32time
  Local Service, No Network Access: System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System
  Local Service, Fully Restricted: Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry
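The per-service SID types, privilege stripping and network restrictions behind the table above are visible and configurable with the stock Vista/Server 2008 tools. The script below is an added example, not from the original slides: it audits running LocalSystem services with sc.exe and then prints (or, with -Apply, runs) the sc.exe, icacls.exe and netsh.exe commands that move one service into the "restricted SID, minimal privileges, no network" tier. The service name ExampleSvc and the path C:\ExampleSvcData are hypothetical placeholders.

```powershell
# Added example (not from the slides): audit and tighten Windows Service Hardening
# settings with sc.exe, icacls.exe and netsh.exe on Windows Vista / Server 2008.
# "ExampleSvc" and "C:\ExampleSvcData" are hypothetical names used for illustration.

function Get-ServiceHardeningInfo {
    param([Parameter(Mandatory=$true)][string]$Name)

    # sc.exe qsidtype prints "SERVICE_SID_TYPE:  UNRESTRICTED|RESTRICTED|NONE".
    $sidOut  = (& sc.exe qsidtype $Name 2>&1) -join "`n"
    # sc.exe qprivs prints "PRIVILEGES : SeXxxPrivilege" lines. An empty list means
    # the service never asked for privilege stripping and keeps every privilege of
    # its account (for LocalSystem, that is all of them).
    $privOut = (& sc.exe qprivs $Name 2>&1) -join "`n"

    $sidType = if ($sidOut -match 'SERVICE_SID_TYPE:\s*(\S+)') { $matches[1] } else { 'UNKNOWN' }
    $privs   = [regex]::Matches($privOut, '(Se\w+Privilege)') | ForEach-Object { $_.Value }

    New-Object PSObject -Property @{
        Name       = $Name
        SidType    = $sidType
        Privileges = @($privs)
    }
}

function Find-UnhardenedLocalSystemServices {
    # Running services under LocalSystem, the account with every privilege and full
    # write access to the machine: the high-risk layer the slides want to shrink.
    Get-WmiObject Win32_Service -Filter "State='Running' AND StartName='LocalSystem'" |
        ForEach-Object { Get-ServiceHardeningInfo -Name $_.Name } |
        Where-Object {
            # No per-service SID, no privilege stripping, or a dangerous privilege kept.
            $_.SidType -eq 'NONE' -or
            $_.Privileges.Count -eq 0 -or
            ($_.Privileges -contains 'SeDebugPrivilege') -or
            ($_.Privileges -contains 'SeTcbPrivilege')
        }
}

function Set-ServiceHardening {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$DataPath,
        [string[]]$Privileges = @('SeChangeNotifyPrivilege'),
        [switch]$NoNetwork,
        [switch]$Apply
    )
    $cmds = @()
    # 1. Write-restricted per-service SID (NT SERVICE\<Name>): the token can only
    #    write to objects that explicitly grant write access to that SID, so the
    #    service's own data directory must be ACLed for it.
    $cmds += "sc.exe sidtype `"$Name`" restricted"
    # 2. Strip the token down to the listed privileges (slash-separated for sc.exe).
    $cmds += "sc.exe privs `"$Name`" $($Privileges -join '/')"
    if ($DataPath) {
        $cmds += "icacls.exe `"$DataPath`" /grant `"NT SERVICE\$Name`:(OI)(CI)M`""
    }
    # 3. "No Network Access": a per-service Windows Firewall rule blocking every
    #    outbound connection that originates from this service.
    if ($NoNetwork) {
        $cmds += "netsh.exe advfirewall firewall add rule name=`"$Name - block outbound`" dir=out action=block service=`"$Name`""
    }
    foreach ($c in $cmds) {
        Write-Host $c
        if ($Apply) { Invoke-Expression $c }
    }
    # SID type and privilege changes take effect at the next service start.
}

# Report first, then print the hardening commands for the hypothetical service
# (add -Apply to execute them from an elevated prompt).
Find-UnhardenedLocalSystemServices | Format-Table Name, SidType, Privileges -AutoSize
Set-ServiceHardening -Name ExampleSvc -DataPath 'C:\ExampleSvcData' `
    -Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege -NoNetwork
```

The audit deliberately treats an empty privilege list as a finding: a service that never called sc.exe privs (or set RequiredPrivileges) runs with the full LocalSystem privilege set even though nothing in its configuration says so. Before switching a third-party service to the restricted SID type, confirm every location it writes to, including its registry keys, grants NT SERVICE\<Name> access, or it will fail at start-up.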
Kernel Protection
Security features
• Kernel patch protection
• Code signing
• Code integrity
Management mechanisms
• Registry innovations
• New services model
• Microsoft Windows® Hardware Error Architecture
Memory and heap management
• Prefetch clustering for page faults
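Code signing and code integrity are only meaningful if the loaded drivers are actually signed and the boot configuration has not been told to ignore signatures. The script below is an added example, not from the original slides: it enumerates the running kernel drivers, verifies each image's Authenticode signature with Get-AuthenticodeSignature, and checks bcdedit for the testsigning and nointegritychecks flags. No names beyond the built-in Windows tools are assumed.

```powershell
# Added example (not from the slides): verify kernel code integrity from user mode on
# Windows Vista / Server 2008. Run from an elevated PowerShell prompt.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several forms: \SystemRoot\..., \??\C:\...,
    # System32\drivers\x.sys (relative to %SystemRoot%) or a plain C:\ path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignatures {
    $inboxDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $status = 'PathUnresolved'
        $signer = ''
        if ($path -and (Test-Path $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name   = $_.Name
            Path   = $path
            Status = $status
            Signer = $signer
            # Inbox drivers are normally signed through a catalog (.cat) rather than an
            # embedded signature, which Get-AuthenticodeSignature on Vista/2008 reports as
            # NotSigned. A NotSigned image outside System32\drivers is the one to look at first.
            InboxLocation = ($path -ne $null) -and $path.StartsWith($inboxDir, 'OrdinalIgnoreCase')
        }
    }
}

function Test-CodeIntegrityBootFlags {
    # bcdedit lists "testsigning Yes" / "nointegritychecks Yes" only when set. Either
    # one allows unsigned kernel code to load on x64 and has no place on a production box.
    $bcd = (& bcdedit.exe /enum '{current}' 2>&1) -join "`n"
    New-Object PSObject -Property @{
        TestSigning       = ($bcd -match '(?im)^testsigning\s+Yes')
        NoIntegrityChecks = ($bcd -match '(?im)^nointegritychecks\s+Yes')
    }
}

$drivers = Get-LoadedDriverSignatures
$drivers | Where-Object { $_.Status -ne 'Valid' -and -not $_.InboxLocation } |
    Sort-Object Name | Format-Table Name, Status, Path -AutoSize
Test-CodeIntegrityBootFlags | Format-List
```

A HashMismatch or NotTrusted result on any loaded driver, or either boot flag set to Yes, deserves an incident rather than a ticket. The NotSigned result needs the catalog caveat in the comments applied before it is treated as a finding.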
Windows Firewall with Advanced Security
Combined Firewall and IPSec Management
• New management tools – Windows Firewall with Advanced Security MMC snap-in
• Reduces conflicts and coordination overhead between technologies
Firewall Rules Become More Intelligent
• Specify security requirements such as authentication and encryption
• Specify Active Directory® computer or user groups
Outbound Filtering
Simplified Protection Policy Reduces Management Overhead
PKI Improvements
• Enterprise PKI (PKIView)
• Online Certificate Status Protocol (OCSP)
• Simple Certificate Enrollment Protocol / Network Device Enrollment Service
• Web Enrollment
Next Generation TCP/IP Stack
• Dual-IP layers for IPv4 and IPv6 support
• Seamless security through expanded IPsec integration
• Improved performance
• Network auto-tuning
• Greater extensibility and reliability
[Diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock. Kernel mode: AFD and TDX over WSK and TDI (WSK clients, TDI clients); a shared transport layer (TCP, UDP, RAW) over dual IPv4 and IPv6 layers with IPv4/IPv6 tunnels, exposed through the Windows Filtering Platform API; NDIS beneath, over 802.3 and WLAN 802.11]
SSTP (Secure Socket Tunneling Protocol)
• SSTP is a new form of Layer 3 VPN tunnel
• SSTP encapsulates PPP packets over HTTPS (TCP port 443), so it passes firewalls and proxies that already allow outbound web traffic
• SSTP is supported in Windows Vista and Windows Server 2008
End-to-End Scenario
[Diagram: client on the public network (Internet); RRAS server in the DMZ; NPS server, domain controller and application server on the corporate LAN]
1. Client connects to the Internet
2. Client dials the SSTP connectoid over port 443 to the RRAS server
3. User is authenticated (RRAS via the NPS server and the domain controller)
4. Tunnel established; the server gives various IP parameters to the client
5. IP interface created on the client
6. User starts an application
7. Application packets are sent back and forth over the VPN tunnel
Internet Explorer 7.0
Social Engineering Protections
• Phishing Filter and colored address bar
• Dangerous settings notification
• Secure defaults for IDN
Protection from Exploits
• Unified URL parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode helps restrict malicious software
Internet Explorer Protected Mode
IE6: an exploit can install malware, because the browser runs with the user's full rights
• Admin-rights access (HKLM, Program Files): install a driver, run Windows Update
• User-rights access (HKCU, My Documents, Startup Folder, Temporary Internet Files): change settings, download a picture, cache web content
IE7 Protected Mode: the browser runs under Integrity Control at low integrity, so an exploit can install malware only into the low-integrity sandbox
• Untrusted files & settings: writes are redirected by the Compat Redirector to redirected settings & files
• IEUser broker: change settings, save a picture
• IEAdmin broker: install an ActiveX control
ActiveX Opt-in (IE7)
• Controls are disabled by default
• IE7 blocks the ActiveX control
• IE7 confirms the install with the user
• ActiveX control enabled
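Protected Mode is built on Windows Integrity Control: the browser's token carries a Low mandatory label and can only write to objects labelled Low. The script below is an added example, not from the original slides: it reads the current token's label with whoami.exe, reads a folder's label with icacls.exe, and labels a folder Low so that a Protected Mode process can write there. C:\UntrustedDownloads is a hypothetical path.

```powershell
# Added example (not from the slides): inspect and set Windows Integrity Control labels
# with whoami.exe and icacls.exe, the mechanism Protected Mode relies on.
# C:\UntrustedDownloads is a hypothetical path used for illustration.

function Get-TokenIntegrityLevel {
    # whoami /groups lists the token's label, e.g. "Mandatory Label\Medium Mandatory Level".
    $out = (& whoami.exe /groups 2>&1) -join "`n"
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level') { $matches[1] } else { 'Unknown' }
}

function Get-IntegrityLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    # icacls prints an explicit label as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    # Objects without an explicit label are treated as Medium.
    $out = (& icacls.exe $Path 2>&1) -join "`n"
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level:(\S*)') {
        New-Object PSObject -Property @{ Path=$Path; Level=$matches[1]; Explicit=$true;  Policy=$matches[2] }
    } else {
        New-Object PSObject -Property @{ Path=$Path; Level='Medium';    Explicit=$false; Policy='' }
    }
}

function Set-LowIntegrityFolder {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # (OI)(CI) inherit the label to files and subfolders; the default policy is
    # No-Write-Up, so a Low process (Protected Mode IE) may write here while it still
    # cannot touch Medium-labelled data such as the user's profile. Labelling a folder
    # Low does not restrict Medium or High processes in any way.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    Get-IntegrityLabel -Path $Path
}

"Current token runs at {0} integrity" -f (Get-TokenIntegrityLevel)
Set-LowIntegrityFolder -Path 'C:\UntrustedDownloads' | Format-List
# The user's documents carry no explicit label (implicit Medium), while the cache
# Protected Mode IE writes to is explicitly Low:
Get-IntegrityLabel -Path "$env:USERPROFILE\Documents" | Format-List
Get-IntegrityLabel -Path "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low" | Format-List
```

The check worth remembering when triaging an IE7 compromise: anything the exploit dropped without a broker's help can only be in Low-labelled locations, which Get-IntegrityLabel makes easy to enumerate.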
Windows Defender
• Helps detect and remove spyware and other potentially unwanted software
• Automatic download scanning in Internet Explorer
• Allows standard users to remove spyware
• Can be enabled/disabled via Group Policy
Internet Information Services (IIS) 7.0
• Componentized architecture
• Delegated management
Modules by category:
HTTP protocol support: ValidationRangeModule, TraceVerbModule, OptionsVerbModule, ClientRedirectionModule
Logging and diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, TracingModule
Configuration and metadata caches: ConfigurationModule, UriCacheModule, SiteCacheModule, FileCacheModule
Core web server: DirectoryListingModule, CustomErrorModule, DynamicCompressionModule, StaticCompressionModule, StaticFileModule, DefaultDocumentModule, HttpCacheModule
AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, AccessCheckModule, UrlAuthorizationModule
Extensibility: ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, ManagedEngineModule
Publishing: DavModule
Terminal Services Gateway
[Diagram: Internet → Perimeter Network → Corporate Network]
• A remote/mobile user on the Internet tunnels RDP over HTTPS to the Terminal Services Gateway in the perimeter network
• The gateway, consulting the Network Policy Server and the Active Directory DC, strips off the HTTPS layer
• The RDP traffic is passed to Terminal Servers and other RDP hosts in the corporate network
Agenda
Fundamentals
Threat and Vulnerability Mitigation
Identity and Access Control
Information Protection
Define the Boundary
• Federated identity
• Authentication and Authorization
• Active Directory
• 2-factor and biometrics
• Claims-based security
Secure the Boundary
• Universal addressability (IPv6)
• Anywhere access
• IPSec policies
• Network Access Protection
• Anti-malware and firewalls
• Per-application VPN
Integrating the Edge
• Policy, not topology, defines the edge
Network Access Protection
[Diagram: a Windows client connects through DHCP, VPN or a switch/router to the NPS, which checks its health against policy servers such as patch and AV]
• Policy compliant: the client is admitted to the corporate network
• Not policy compliant: the client is placed on the restricted network with the remediation servers (example: patch)
What is Network Access Protection?
• Health policy validation
• Health policy compliance
• Ability to provide limited access
• Enhanced security
• Increased business value
• Cisco and Microsoft integration story
Security: Policy-based Dynamic Segmentation
[Diagram: corporate network with an Active Directory domain controller, managed computers, an HR workstation, servers with sensitive data and a trusted resource server; an untrusted unmanaged/rogue computer is blocked (X) by domain isolation, and a managed computer outside the HR group is blocked (X) from the servers with sensitive data by server isolation]
• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted computers
• Enable tiered access to sensitive resources
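Both the Windows Firewall with Advanced Security slide (authentication and encryption requirements on firewall rules, Active Directory computer groups, outbound filtering) and the isolation slide above come down to the same netsh advfirewall policy. The script below is an added example, not from the original slides: it prints (or, with -Apply, runs) the commands that turn a file server holding sensitive data into an isolated server. The SID S-1-5-21-1111111111-2222222222-3333333333-1105 is a placeholder for a hypothetical "HR Workstations" computer group; in production the same rules are distributed by Group Policy rather than typed on each host.

```powershell
# Added example (not from the slides): domain and server isolation with Windows
# Firewall with Advanced Security, built from netsh.exe advfirewall commands.
# Meant to run on the isolated server. The group SID below is a placeholder.

function New-IsolationPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$AllowedComputerGroupSid,
        [switch]$Apply
    )
    $cmds = @(
        # Firewall on for every profile, default-deny in both directions (outbound
        # filtering is off by default on Vista/2008; this is what turns it on).
        'netsh.exe advfirewall set allprofiles state on',
        'netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound',

        # Domain isolation: inbound connections must authenticate with IPsec using the
        # computer's Kerberos identity; outbound only requests it, so this host can
        # still reach unmanaged devices such as printers.
        'netsh.exe advfirewall consec add rule name="Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain',

        # Server isolation: this server requires authentication in both directions.
        'netsh.exe advfirewall consec add rule name="Server isolation" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb profile=domain',

        # The "intelligent" firewall rule from the slides: SMB is allowed only over an
        # authenticated AND encrypted IPsec connection (security=authenc) from a
        # computer in the allowed AD group (rmtcomputergrp takes an SDDL string that
        # grants CC to the group's SID).
        "netsh.exe advfirewall firewall add rule name=`"SMB from HR workstations`" dir=in action=allow protocol=TCP localport=445 security=authenc rmtcomputergrp=`"D:(A;;CC;;;$AllowedComputerGroupSid)`" profile=domain",

        # Minimal outbound allowances so the server can still find and authenticate to
        # its domain controller. Real deployments add LDAP, SMB to the DC, time, etc.
        'netsh.exe advfirewall firewall add rule name="Outbound DNS" dir=out action=allow protocol=UDP remoteport=53',
        'netsh.exe advfirewall firewall add rule name="Outbound Kerberos TCP" dir=out action=allow protocol=TCP remoteport=88',
        'netsh.exe advfirewall firewall add rule name="Outbound Kerberos UDP" dir=out action=allow protocol=UDP remoteport=88'
    )
    foreach ($c in $cmds) {
        Write-Host $c
        if ($Apply) { Invoke-Expression $c }
    }
}

function Show-IsolationState {
    # Verify what is in effect: the connection security rules, and the IPsec main-mode
    # security associations actually negotiated with peers.
    & netsh.exe advfirewall monitor show consec
    & netsh.exe advfirewall monitor show mmsa
}

New-IsolationPolicy -AllowedComputerGroupSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
# New-IsolationPolicy -AllowedComputerGroupSid '...' -Apply; Show-IsolationState
```

Two caveats a practitioner wants here. First, security=authenc on a firewall rule is only satisfiable when a connection security rule covers the same traffic, which is why the consec rules come first; without them the SMB rule simply never matches. Second, Kerberos-authenticated IPsec needs the domain controllers reachable before any SA exists, so domain isolation deployments exempt the DCs with an action=noauthentication connection security rule scoped to their addresses.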
Agenda
Fundamentals
Threat and Vulnerability Mitigation
Identity and Access Control
Information Protection
WinLogon Architecture
Session 0: WinInit, RCM, LSA, SCM, Group Policy, Profiles
Other sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3
• GINA replaced
• New credential providers
• NOTE: Session 0 isolation
Windows CardSpace™
Easier
• Provides a consistent user experience
• Replaces usernames and passwords with strong tokens
Safer
• Protects users from phishing & fraud attacks
• Support for two-factor authentication
• Tokens are cryptographically strong
Standards, standards, standards!!
• Built on WS-* Web Services protocols
• Can be supported by websites on any technology & platform
CardSpace Environment
• Runs under a separate desktop and restricted account
• Isolates the CardSpace runtime from the Windows desktop
• Deters hacking attempts by user-mode processes
CardSpace Cards
Self-issued
• Contains claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks
Managed
• Provided by banks, stores, government, clubs, etc.
• Locally stored cards contain metadata only!
• Data is stored by the Identity Provider and obtained only when the card is submitted
User Account Control
Challenges
• Most users run with full administrator privileges all the time
  • At risk from malware
  • Can't manage desktops or enforce policy
  • Expensive to support
• Difficult to run as a standard user
  • User can't perform many tasks
  • Many applications don't run
Windows Vista Solution
• Easier to run as a standard user: users can do more on their own
  • Change time zone, power settings, VPN, and more
  • Install approved devices
  • Admin commands clearly marked
• Higher application compatibility: file and registry virtualization
• Greater protection for admins
  • Software runs with lower privileges by default
  • Administrator provides consent before elevation
Agenda
• Fundamentals
• Threat and Vulnerability Mitigation
• Identity and Access Control
• Information Protection
Windows Vista/Server 2008 Information Protection
• Who are you protecting against?
  • Other users or administrators on the machine? EFS
  • Unauthorized users with physical access? BitLocker™
Scenarios (compared across BitLocker, EFS and RMS):
• Laptops
• Branch office server
• Local single-user file & folder protection
• Local multi-user file & folder protection
• Remote file & folder protection
• Untrusted network admin
• Remote document policy enforcement
Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
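The two questions on the slide map onto two different tools, and each can be answered from the command line. The script below is an added example, not from the original slides: it encrypts a folder with EFS using cipher.exe, lists who can decrypt each file (users and recovery agents) from cipher /c, and reads the BitLocker protection status of the system volume with manage-bde.wsf. C:\Secret is a hypothetical path; manage-bde.wsf is the Vista/Server 2008 script (later releases ship manage-bde.exe instead).

```powershell
# Added example (not from the slides): check what protects data against each of the
# two adversaries on the slide. cipher.exe covers EFS (other users or administrators on
# the machine); manage-bde.wsf covers BitLocker (anyone with physical access to the disk).
# C:\Secret is a hypothetical path used for illustration.

function Protect-FolderWithEfs {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /e marks the folder so new files are encrypted; /s: recurses into existing content.
    & cipher.exe /e /s:$Path | Out-Null
}

function Get-EfsAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    # cipher /c lists, per encrypted file, the users who can decrypt it and the recovery
    # agents whose certificates can also open it. Every entry in either list is a
    # legitimate decryption path; an unexpected one is a finding.
    $lines = & cipher.exe /c $Path 2>&1
    $file = $null; $section = $null
    $result = @()
    foreach ($l in $lines) {
        $l = [string]$l
        if ($l -match '^[EU]\s+(\S.*)$')        { $file = $matches[1]; $section = $null; continue }
        if ($l -match 'Users who can decrypt')  { $section = 'User';     continue }
        if ($l -match 'Recovery Certificates')  { $section = 'Recovery'; continue }
        if ($file -and $section -and $l -match '^\s+(\S.*?)\s*$' -and $l -notmatch 'thumbprint') {
            $result += New-Object PSObject -Property @{ File=$file; Role=$section; Principal=$matches[1] }
        }
    }
    $result
}

function Get-BitLockerStatus {
    param([string]$Drive = $env:SystemDrive)
    # manage-bde.wsf -status prints Conversion Status, Protection Status and the list of
    # key protectors (TPM, Numerical Password, External Key, ...) for the volume.
    $wsf = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
    $out = (& cscript.exe //nologo $wsf -status $Drive 2>&1) -join "`n"
    New-Object PSObject -Property @{
        Drive      = $Drive
        Protection = if ($out -match 'Protection Status:\s*(.+)') { $matches[1].Trim() } else { 'Unknown' }
        Conversion = if ($out -match 'Conversion Status:\s*(.+)') { $matches[1].Trim() } else { 'Unknown' }
        Protectors = @([regex]::Matches($out, '(?m)^\s+(TPM.*|Numerical Password|External Key|Password|Recovery Key)\s*$') |
                        ForEach-Object { $_.Groups[1].Value.Trim() })
    }
}

Protect-FolderWithEfs -Path 'C:\Secret'
Get-EfsAccess -Path 'C:\Secret' | Format-Table File, Role, Principal -AutoSize
Get-BitLockerStatus | Format-List
```

Reading the two outputs together is what the slide's overlap remark is about: a recovery agent listed by cipher /c is an administrator who can read the EFS-protected file, and "Protection Status: Protection Off" means a stolen disk gives up every file regardless of EFS, so a laptop that carries multi-user data usually needs both.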