
What's New In Server 2012 and Windows 8

Jason Fossen Securing Windows at SANS

(Course Number: SEC505)

About The Speaker

Jason Fossen – SANS Institute Fellow
– (not a Microsoft employee...)

Author of course SEC505 at SANS:
– Securing Windows and Resisting Malware (505)
– Updated for Server 2012 and Windows 8.

Course is about preventing malware and APT infections, not detection or analysis (those are other SANS courses).

Tablet + Phone + Cloud = Epic Risk

No exaggeration, this is an historical turning point for Microsoft Corporation. Windows 8 is the beginning of changes which will be just as big as the change from DOS to Windows NT. The next few years will be make-or-break for their entire tablet/phone/cloud strategy.

When Will They Be Available?

Windows 8 and Server 2012:
– Server 2012: Now
– Windows 8: October 26

Windows Phone 8:
– Disclosure of details and SDK: October 29
– General Availability (Rumors): Q1-2013

Office 2013:
– Release To Manufacturing: Now
– TechNet/MSDN: November 2013
– General Availability: Q1-2013

Server 2012: Hyper-V Becomes Respectable

Run guest VMs from SMB/NFS shares.
Multiple concurrent live migrations.
– 64 virtual CPU cores per guest.
– 1TB memory per guest, plus NUMA.
– 64TB disk image VHDX files.
– Virtual network switch for VMs.
Client Hyper-V in Windows 8.

www.DidYouKnow2012.com

Server 2012: Storage and File Server Upgrades

SMBv3:
– NIC teaming, multichannel I/O, RDMA NIC support.
– Native encryption, downgrade attack protection.

Resilient File System (ReFS):
– Optimized for integrity control with giant volumes.

Storage Spaces:
– RAID with on-the-fly heterogeneous drive additions.
– For Windows 8 too, including external USB drives.
– Supports BitLocker, ReFS, NTFS, but not booting.

Server 2012: BitLocker Network Unlock

Allows hands-free reboot:
– Nice for patching and remote administration.
– Supported on both Server 2012 and Windows 8.

Requirements:
– UEFI firmware (must support DHCP in pre-boot).
– TPM chip in motherboard.

How does it work?
– Group Policy pre-installs WDS certificate on clients.
– WDS server sends key through encrypted DHCP.
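A readiness check for the two prerequisites listed above (UEFI firmware and a TPM) plus the state of the OS volume's BitLocker protectors, written here as an added example rather than taken from the slides. It assumes Windows 8 / Server 2012 with the TrustedPlatformModule and BitLocker modules, run elevated; whether the firmware's DHCP pre-boot support works can only be verified with a test reboot.

```powershell
# Added example (not from the SANS slides): report whether this machine can use
# BitLocker Network Unlock. Run elevated on Windows 8 / Server 2012.
function Test-NetworkUnlockReadiness {
    # Windows 8 / Server 2012 publish the boot firmware type in this variable
    $uefi = ($env:firmware_type -eq 'UEFI')

    # Get-Tpm comes from the TrustedPlatformModule module and needs elevation
    $tpm      = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Network Unlock rides on a TPM-based protector of the OS volume
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmProtector = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count -gt 0

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UefiFirmware         = $uefi
        TpmReady             = $tpmReady
        OsVolumeProtection   = $os.ProtectionStatus
        TpmProtectorPresent  = $tpmProtector
        NetworkUnlockCapable = ($uefi -and $tpmReady -and $tpmProtector)
    }
}

# One object per machine: pipe to Export-Csv when running it across a fleet
Test-NetworkUnlockReadiness
```

A machine that reports NetworkUnlockCapable = False will stop at the BitLocker pre-boot prompt after a patch reboot, so this is worth running before scheduling unattended maintenance windows.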

Server 2012: Core Installation Is The Default

Core Mode = almost no GUI support:
– Much smaller hard drive footprint for VMs.
– More roles are supported than before.
– NTFS data deduplication across VMs (not ReFS yet).

GUI can be added/removed on the fly:
– Do not have to reinstall OS to install GUI tools.
– Can remove GUI features after troubleshooting.
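The add/remove-on-the-fly procedure above, as an added example (not from the slides): it reports which of the three Server 2012 install levels a box is at, then strips the GUI back off after troubleshooting. The D:\ media path is a placeholder; run elevated.

```powershell
# Added example (not from the SANS slides): toggle the Server 2012 GUI without a reinstall.
Import-Module ServerManager

function Get-ServerInstallLevel {
    # Server-Gui-Shell = full desktop; Server-Gui-Mgmt-Infra alone = Minimal Server Interface
    $shell = (Get-WindowsFeature -Name Server-Gui-Shell).Installed
    $infra = (Get-WindowsFeature -Name Server-Gui-Mgmt-Infra).Installed
    if ($shell)     { 'Full GUI' }
    elseif ($infra) { 'Minimal Server Interface' }
    else            { 'Server Core' }
}
Get-ServerInstallLevel

# After troubleshooting: back to Server Core. -Remove also deletes the feature payload
# from the side-by-side store, which is what shrinks the footprint (and attack surface);
# the price is that a later re-add must be pointed at install media with -Source.
Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Remove -Restart

# To bring the management GUI back later (placeholder media path; index 4 = Datacenter full):
# Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -Source 'wim:D:\sources\install.wim:4' -Restart
```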

Server 2012: PowerShell Juggernaut Continues

2300+ cmdlets for almost everything:
– Local administration of Server Core VMs.
– Server Manager is a GUI wrapper for PowerShell.
– Server Manager for multiple on/off-line VMs.
– Everything is moving towards PowerShell...

WS-MAN protocol is now preferred:
– RPC maintained for backwards compatibility.
– The *-CIM* cmdlets replace the *-WMI* cmdlets for direct over-the-Internet IaaS VM management.
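The RPC-versus-WS-MAN point above, as an added example (not from the slides): the same inventory query issued the old DCOM/RPC way and then over an encrypted WS-MAN CIM session. The server name is a placeholder, and the target is assumed to have a WinRM HTTPS listener.

```powershell
# Added example (not from the SANS slides): Get-WmiObject vs. the CIM cmdlets over WS-MAN.
$server = 'SERVER01.example.local'   # placeholder

# Old way: Get-WmiObject speaks DCOM/RPC (TCP 135 plus dynamic high ports), which is
# why it is painful through firewalls and a non-starter for cloud-hosted VMs.
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server |
    Select-Object CSName, Caption, LastBootUpTime

# New way: WS-MAN. Probe the listener first; -UseSSL expects the HTTPS listener on
# TCP 5986 (plain-HTTP WS-MAN is TCP 5985 and should stay inside the perimeter).
Test-WSMan -ComputerName $server -UseSSL -ErrorAction Stop | Out-Null

# -UseSsl implies the WS-MAN protocol, so no -Protocol parameter is needed here
$opt = New-CimSessionOption -UseSsl
$cs  = New-CimSession -ComputerName $server -SessionOption $opt -ErrorAction Stop
try {
    Get-CimInstance -CimSession $cs -ClassName Win32_OperatingSystem |
        Select-Object CSName, Caption, LastBootUpTime

    # Same session reused for a second query: auto-start services that are not running,
    # a quick health check you would previously have done with a second WMI round trip.
    Get-CimInstance -CimSession $cs -ClassName Win32_Service `
        -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, State, StartMode
} finally {
    Remove-CimSession -CimSession $cs
}

# Pre-2012 hosts without WinRM can still be reached by the CIM cmdlets over DCOM:
# New-CimSessionOption -Protocol Dcom
```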

Server 2012: Dynamic Access Control (1 of 2)

The Problem: File Server Explosion
– Millions of files across hundreds of servers.
– File contents should determine the permissions.
– We can't trust data owners to manage permissions.
– Nested groups in Active Directory are too complex.
– Files move: Laptop → Server → Tablet → USB → ?
– Must satisfy regulatory compliance rules.
– Best practice is to use role-based access control.
– We want Data Loss Prevention (DLP) if possible.

Server 2012: Dynamic Access Control (2 of 2)

Automatic file classification tagging:
– Based on file contents (regex patterns, plug-ins).
– Based on original location (server and/or share).
– Based on attributes of user who created the file.

User attributes in AD are "claims":
– Restrict access to files based on user claims.
– Restrict access based on device claims (Windows 8).
– Enforce permissions without modifying NTFS ACLs.
– Test proposed changes in audit-only mode.
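The claims-based model on this slide, as an added example (not from the slides): a user claim, a matching resource property, a central access rule whose condition compares the two, and the rule staged in audit-only mode before enforcement. The claim/property IDs, the "Finance" value and all names are constructed; the explicit IDs are an assumption made so the SDDL stays readable. Requires the ActiveDirectory module, the Server 2012 schema and domain admin rights.

```powershell
# Added example (not from the SANS slides): the objects behind a Dynamic Access Control rule.
Import-Module ActiveDirectory

# 1. User claim fed from the AD 'department' attribute. The ID is set explicitly so the
#    SDDL below can refer to it as @USER.UserDept (constructed ID, not a built-in one).
New-ADClaimType -DisplayName 'Department' -ID 'UserDept' -SourceAttribute 'department'

# 2. Matching resource property that the classification engine (regex rules, plug-ins)
#    or the file's creator stamps on files; a single-valued choice from suggested values.
$values = 'Finance', 'Engineering' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, '')
}
New-ADResourceProperty -DisplayName 'Department' -ID 'ResDept' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'ResDept'

# 3. Central access rule: targets files tagged ResDept=Finance and allows Read/Execute
#    (0x1200a9) only when the user's claim equals the file's tag; NTFS ACLs are untouched.
#    Passing it as -ProposedAcl is the slide's audit-only mode: nothing is enforced, but the
#    file server logs event 4818 whenever the proposed ACL would have denied access that the
#    current ACL allows, so the rule can be validated before it is moved to -CurrentAcl.
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OWNER RIGHTS)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1200a9;;;AU;(@USER.UserDept == @RESOURCE.ResDept))'
New-ADCentralAccessRule -Name 'Finance documents' `
    -ResourceCondition '(@RESOURCE.ResDept == "Finance")' `
    -ProposedAcl $sddl

# 4. Wrap the rule in a policy. The policy is then published to file servers through
#    Group Policy (Computer Configuration > Policies > Windows Settings > Security
#    Settings > File System > Central Access Policy) and selected in a folder's ACL editor.
New-ADCentralAccessPolicy -Name 'Finance data policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance data policy' -Members 'Finance documents'
```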

Foolish Predictions for 2013-2014

Server 2012 will be a popular, stable and quickly-deployed release:
– It is like Server 2008 R3 plus major enhancements.
– Metro interface will be tolerated (mostly ignored).
– Hyper-V deployments will rise significantly.
– Expect better VMware licensing deals:
  Play hardball when you negotiate with VMware, tell them you are strongly considering Hyper-V even if you are not.

Windows 8: Overview of Changes

The Future = Tablets + Phone + Cloud
– Windows Runtime API (WinRT) for "Metro" apps.
– Push the unwilling masses to Metro if necessary.
– "Got a non-touch PC? Well, we have you anyway!"

One unified kernel for every device:
– Servers, notebook, tablet, phone, Xbox, appliances.
– Cloud services should be viewed as part of the OS.
– Single sign-on to the tablet and to web services.

Windows 8: Microsoft = User Interface Geniuses

"Where the $%&# is the Start button!"

Two Start Menus + One Start Screen:
– Start Screen not really designed for mice.
– Full-screen Metro = users who feel lost and trapped.
– Metro not really designed for large screens.

Two Control Panels (PC Settings)
Two Internet Explorers (Metro IE)
Great for touch...painful with a mouse.

BSOD

Windows RT: Windows on ARM

Lower cost and longer battery life.

Cannot run legacy x86/x64 apps:
– Except what Microsoft allows and ports over.

Cannot be joined to an AD domain:
– Managed through System Center or Intune service.

Microsoft's tablet named "Surface":
– Learned from Apple: quality requires 100% control.
– No bloatware, stable/fast drivers, aesthetic design.
– Microsoft now competes directly with the OEMs.

Windows 8: TPM Virtual Smart Card

Trusted Platform Module (TPM):
– Crypto module built into the motherboard.
– Used by BitLocker and for integrity checking.
– Probably for DRM, licensing, and ID tracking too...

TPM Virtual Smart Card:
– An always-inserted smart card with PIN logon.
– Group Policy auto-enrollment from your PKI.
– This is certificate authentication for the masses.
– Tip: Only purchase devices with TPMs from now on.

Windows 8: Picture Password & PIN Logon

For touch devices and phones:
– Creates 100 x 100 grid on desktop.

The three-touch salute:
– Line, Circle, Tap.
– Lines and circles are direction-sensitive.

Must use password after 5 failures.

Windows 8: Microsoft Account Single Sign-On

Formerly known as "Live ID":
– Hotmail, SkyDrive, Messenger, Xbox, etc.

SSO to computer and cloud services:
– Works with both local and domain user accounts.
– "MicrosoftAccount\<LiveIdName>" in your SATs.
– If Microsoft Account password is reset, you can log on to your desktop with the new password (Yikes!).

Many preferences are roamed/synced:
– Including saved passwords in Credentials Manager.

Windows 8: Two Internet Explorers

Desktop IE vs. Metro IE:
– Very different graphical interfaces.
– They do not share static cookies or favorites.

Enhanced Protected Mode:
– Metro IE: on by default, in isolated AppContainer:
  Metro AppContainers must declare capabilities to OS.
  No access to intranet, domain credentials, or file libraries.
  No plug-ins allowed whatsoever -- oh, except for Flash...
– Desktop IE: off by default, but breaks most plug-ins.

Windows 8: Secure Boot

Requires UEFI firmware, not BIOS:
– Not a Windows feature really, part of UEFI specs.

UEFI firmware code must be signed.

Boot up binaries must be signed too:
– Controversial, what about dual-booting to Linux?
– OEM decides what CAs are trusted by default.

Very early load of AV drivers at boot.

Optional TPM integration too.
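Since the OEM decides which CAs the firmware trusts, the obvious check is to read them back. The following is an added example (not from the slides) that confirms Secure Boot is on and parses the UEFI "db" allowed-signature database into the X.509 CA certificates it contains; it assumes Windows 8 / Server 2012 on UEFI firmware, run elevated, and uses the EFI_SIGNATURE_LIST layout from the UEFI specification.

```powershell
# Added example (not from the SANS slides): list the CA certificates in UEFI Secure Boot's
# "db" variable, i.e. the signers the OEM (or the admin) allowed to boot this machine.
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # UEFI spec constant

function Get-SecureBootDbCertificate {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch [System.PlatformNotSupportedException] {
        Write-Warning 'Legacy BIOS firmware: Secure Boot is not available on this machine.'
        return
    }
    Write-Verbose "Secure Boot enabled: $enabled" -Verbose

    # db is a sequence of EFI_SIGNATURE_LIST structures:
    #   EFI_GUID SignatureType; UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize;
    #   SignatureHeader bytes; then entries of EFI_GUID SignatureOwner + SignatureData
    $bytes  = (Get-SecureBootUEFI -Name db).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = New-Object Guid -ArgumentList (,[byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, do not spin
        $entry = $offset + 28 + $headerSize
        while ($entry + $sigSize -le $offset + $listSize) {
            if ($type -eq $EFI_CERT_X509_GUID) {
                # skip the 16-byte SignatureOwner GUID; the remainder is a DER-encoded certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $entry += $sigSize
        }
        $offset += $listSize
    }
}

Get-SecureBootDbCertificate | Format-Table -AutoSize
```

Non-X.509 entries (SHA-256 hash lists) are skipped; change `-Name db` to `dbx` to see the forbidden-signature list the same way.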

Windows 8: USB Flash Drive "Windows To Go"

Boot Windows from USB flash drive!
User data on flash drive (or in cloud).
BitLocker encryption with passphrase.
Will freeze OS if flash drive removed.
Create corporate image for home use.
Does not require UEFI firmware.
Requires Software Assurance license.

Windows 8 and Server 2012: Kernel Hardening

BlackHat 2012 Windows 8 summary:
– Most Win7-style user mode heap attacks will now fail.
– Kernel pool exploits much more difficult.
– DEP for most kernel code and pool allocations.
– ASLR significantly better on 64-bit systems.
– New compiler automatic boundary checking (/GS).
– Metro AppContainer sandbox with broker:
  For Internet Explorer with Enhanced Protected Mode.
  But also for all Metro apps!
– High-value target users should use Windows 8.

Foolish Predictions for 2013-2014

Windows RT on low-end tablets:
– Sales OK, but iPad and Android will still dominate.
– This niche is very sensitive to pricing and apps.

Windows 8 on tablets and hybrids:
– Solid sales in high-end, especially with businesses.

Windows 8 on non-touch computers:
– Flop, worse than Vista, especially with businesses.
– XP end of life (April 2014) will drive Windows 7 sales.
– Hiding the Start button will be viewed as a mistake.

Thank You!

If you want the PDF of this talk:
http://www.sans.org/windows-security
– Go to the Downloads link on the right-hand side.