David Smith | Windows Client | Microsoft Canada Security Primer.

Transcript of David Smith | Windows Client | Microsoft Canada Security Primer.

Page 1

David Smith | Windows Client | Microsoft Canada

Security Primer

Page 2

Agenda

Fundamental security
UAC (the former LUA)
TPM 1.2
BitLocker

Page 3

Fundamentals

Improved Security Development Lifecycle (SDL) process for Windows Vista

Threat modeling as part of design phase
Security reviews and testing built into the schedule
Security metrics for product teams

Common Criteria (CC) Certification
EAL 4 and Single Level OS Protection Profile

Page 4

Service Hardening

Windows Service Hardening
Defense in depth

Services run with reduced privilege compared to Windows XP

Active protection

File system

Registry

Network

Page 5

Service Hardening

Windows Service Hardening
Defense in depth

Windows services are profiled for allowed actions to the network, file system, and registry

Active protection

File system

Registry

Network

Page 6

Service Hardening

Windows Service Hardening
Defense in depth

Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile

Active protection

File system

Registry

Network
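The Service Hardening slides (pages 4 to 6) describe profiling each service's allowed writes to the file system, registry and network and blocking anything outside that profile. The following is an added example, not code from the deck or from Windows: a small Python model of such a profile check. The service name, the allowed paths and keys, and the port list are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class ServiceProfile:
    """Per-service allow-list: the areas a service may write to."""
    name: str
    file_writes: list = field(default_factory=list)      # allowed path patterns
    registry_writes: list = field(default_factory=list)  # allowed key patterns
    network_ports: set = field(default_factory=set)      # allowed outbound ports

def _normalize(s):
    # Windows paths and registry keys are case-insensitive; unify separators.
    return s.replace("/", "\\").lower()

def _matches(target, patterns):
    t = _normalize(target)
    return any(fnmatch.fnmatchcase(t, _normalize(p)) for p in patterns)

def check_write(profile, kind, target):
    """Return (allowed, message); anything outside the profile is denied."""
    if kind == "file":
        ok = _matches(target, profile.file_writes)
    elif kind == "registry":
        ok = _matches(target, profile.registry_writes)
    elif kind == "network":
        ok = int(target) in profile.network_ports
    else:
        ok = False  # unknown resource kind: fail closed
    verdict = "allow" if ok else "DENY"
    return ok, f"{verdict}: {profile.name} {kind} write to {target}"

def audit(profile, attempts):
    """Evaluate (kind, target) attempts and return the messages for denied ones."""
    denied = []
    for kind, target in attempts:
        ok, msg = check_write(profile, kind, target)
        if not ok:
            denied.append(msg)
    return denied

# Constructed profile (assumption): a time-sync service may only write its own
# service key and its own log directory, and may only reach UDP/123.
TIME_SVC = ServiceProfile(
    name="svc-time",
    file_writes=[r"C:\Windows\Logs\svc-time\*"],
    registry_writes=[r"HKLM\SYSTEM\CurrentControlSet\Services\svc-time\*"],
    network_ports={123},
)
```

The denied messages from `audit` are what a host-based detection would forward; a service writing outside its profile is the signal the slide describes.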

Page 7

Windows Defender

Improved Detection and Removal

Redesigned and Simplified User Interface

Protection for all users

Page 8

Windows Vista Firewall
Combined firewall and IPsec management

New management tools – Windows Firewall with Advanced Security MMC snap-in

Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent

Specify security requirements such as authentication and encryption

Specify Active Directory computer or user groups

Outbound filtering
Enterprise management feature – not for consumers

Simplified protection policy reduces management overhead

Page 9

Challenges

Users running as admin = unmanaged desktops

Viruses and Spyware can damage the system when run with elevated privileges
Enterprise users running elevated privileges can compromise the corporation
Users can make changes that require re-imaging the machine to undo

Page 10

Challenges

Line of Business (LoB) applications require elevated privileges to run

System security must be relaxed to run the LoB application
IT Administrators must reevaluate the LoB applications for each Operating System release due to inconsistent configuration settings

Page 11

Challenges

Common Operating System Configuration tasks require elevated privilege

Corporations can’t easily deploy applications unless they compromise Operating System Security
Simple scenarios like changing the time zone don’t work
Users are not able to manage non-sensitive account information

Page 12

User Account Control

Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls

Page 13

User Account Control

Make the system work well for standard users
Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks

Page 14

User Account Control

High application compatibility
Make it clear when elevation to admin is required and allow that to happen in-place without logging off
High application compatibility with file/registry virtualization

Page 15

User Account Control

Administrators use full privilege only for administrative tasks or applications
User provides explicit consent before using elevated privilege

Page 16

Information Leakage Is Top-of-mind With Business Decision Makers

“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach”

Jupiter Research Report, 2004

[Bar chart: share of businesses reporting each type of security breach]
Virus infection: 63%
Unintended forwarding of emails: 36%
Loss of mobile devices: 35%
Password compromise: 22%
Email piracy: 22%
Loss of digital assets, restored: 20%

Page 17

BitLocker Drive Encryption

BitLocker Drive Encryption fully encrypts the entire Windows Vista volume. Designed specifically to prevent the unauthorized disclosure of data when it is at rest.

Page 18

BitLocker Drive Encryption

Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication

Page 19

A Trusted Platform Module?

Protects secrets
Performs cryptographic functions
RSA, SHA-1, RNG
Meets encryption export requirements
Can create, store and manage keys
Provides a unique Endorsement Key (EK)
Provides a unique Storage Root Key (SRK)

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 20

A Trusted Platform Module?

Answers the question: “Where do we put the key?”
Hardware can be made and certified tamper-resistant
Provides anti-hammering protection

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 21

A Trusted Platform Module?

TPM is an implementation of a Root of Trust
Enables implementation of Static Root of Trust Measurement
Hardware is easy to validate
Difficult for software to self-validate

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 22

A Trusted Platform Module?

Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
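Pages 19 to 22 describe the TPM holding platform measurements (SHA-1 hashes) as the static root of trust and anchoring the chain of trust for keys; page 36 names the mechanism SRTM. The following added example (not from the deck, and not the TPM or BitLocker implementation) simulates the TPM 1.2 PCR extend operation over a constructed pre-OS chain and seals a constructed volume key to the resulting PCR value, so that a changed boot component makes the key unavailable. The software SRK, the component blobs and the wrap/unwrap construction are assumptions standing in for the hardware.

```python
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset

def pcr_extend(pcr, component):
    # TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || SHA-1(component))
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot_chain(components):
    """Static root of trust: each pre-OS stage measures the next before running it."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def _wrap_key(srk, pcr):
    # Assumed construction: the wrapping key depends on both the SRK and the PCR value.
    return hashlib.sha256(srk + pcr).digest()

def seal(secret, expected_pcr, srk):
    """Bind a secret (here a volume key) to one platform measurement."""
    ct = bytes(a ^ b for a, b in zip(secret, _wrap_key(srk, expected_pcr)))  # secret <= 32 bytes
    tag = hmac.new(srk, expected_pcr + ct, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "ct": ct, "tag": tag}

def unseal(blob, current_pcr, srk):
    """Release the secret only if the platform measured exactly as at seal time."""
    if not hmac.compare_digest(current_pcr, blob["pcr"]):
        raise PermissionError("PCR mismatch: boot environment changed")
    expected_tag = hmac.new(srk, blob["pcr"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        raise PermissionError("sealed blob was altered")
    return bytes(a ^ b for a, b in zip(blob["ct"], _wrap_key(srk, current_pcr)))

# Constructed stand-ins (assumptions): a software SRK and three pre-OS components.
SRK = b"constructed-storage-root-key"
GOOD_CHAIN = [b"bios-v1", b"mbr-v1", b"bootmgr-v1"]
MODIFIED_CHAIN = [b"bios-v1", b"mbr-v1", b"bootmgr-v1-modified"]
VOLUME_KEY = b"constructed-volume-master-key"

def boot_and_unseal(chain, blob):
    """Run the measured boot for `chain`; return the volume key, or None if refused."""
    try:
        return unseal(blob, measure_boot_chain(chain), SRK)
    except PermissionError:
        return None
```

Because each extend folds the previous PCR value into the hash, both the content and the order of the measured stages must match for the key to be released, which is what lets the "TPM only" mode on the Spectrum of Protection slide resist software-only tampering with the boot path.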

Page 23

Spectrum of Protection

[Chart: options laid out along two axes, Security and Ease of Use]

TPM Only
Protects against: SW-only attacks
Vulnerable to: Some HW attacks

TPM + PIN
Protects against: Many HW attacks
Vulnerable to: Some HW attacks

Dongle Only
Protects against: All HW attacks
Vulnerable to: Losing dongle; Pre-OS attacks; Dongle left with device

TPM + Dongle
Protects against: Software and HW attacks
Vulnerable to: Losing dongle; Dongle left with device

Page 24

An Integrated Solution

BitLocker integrated into WMI and Group Policy
AD will automatically escrow keys and passwords for centralized management
Recovery console built into Vista for field recovery if needed

Page 25

Windows Vista Information Protection
Who are you protecting against?

Other users or administrators on the machine? EFS
Unauthorized users with physical access? BitLocker™

[Table: Scenarios mapped to BitLocker, EFS and RMS]
Scenarios:
Laptops
Branch office server
Local single-user file & folder protection
Local multi-user file & folder protection
Remote file & folder protection
Untrusted network admin
Remote document policy enforcement

Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).

Page 26

Windows Vista Security
Summary

Fundamentals
SDL
Service Hardening
Code Scanning
Default configuration
Code Integrity

Threat and Vulnerability Mitigation
IE – protected mode/anti-phishing
Windows Defender
Bi-directional Firewall
IPSEC improvements
Network Access Protection (NAP)

Identity and Access Control
User Account Control
Plug and Play Smartcards
Simplified Logon architecture
Bitlocker
RMS Client

Page 27

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Questions and Answers

Page 30

DISCLAIMER FOR DOCUMENTATION REGARDING PRE-RELEASED SOFTWARE

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, including URL and other Internet Web sites referenced, and is the confidential and proprietary information of Microsoft Corporation. The entire risk of the use or the results from the use of this document remains with the user.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Therefore, MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Copyright 2006 Microsoft Corporation. All rights reserved. Microsoft and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Page 31

Backup Slides

Page 32

Windows Service Hardening
Defense In Depth – Factoring/Profiling

Reduce size of high risk layers
Segment the services
Increase # of layers

[Diagram: a layered stack of Kernel Drivers, User-mode Drivers and individual services (Service 1, Service 2, Service 3, …, Service A, Service B), each service factored into its own profiled partition]

Page 33

Phishing Filter
Dynamic Protection Against Fraudulent Websites

3 “checks” to protect users from phishing scams:

1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar
Level 1: Warn Suspicious Website (Signaled)
Level 2: Block Confirmed Phishing Site (Signaled and Blocked)
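The three checks and two warning levels above, written out as an added Python classifier (not the deck's or IE7's code). The local list of legitimate sites, the stand-in set for the online reported-site service, and the three heuristics used for check 2 are constructed assumptions; only the order of the checks and the two levels come from the slide.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed lists (assumptions): the local list of known legitimate sites and
# a stand-in for the online Microsoft service of reported phishing sites.
KNOWN_LEGITIMATE = {"example-bank.example", "www.example-bank.example"}
REPORTED_PHISHING = {"example-bank-secure-login.example"}

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def suspicious_characteristics(url):
    """Check 2: heuristics for traits common to phishing pages (assumed set)."""
    host = _host(url)
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a host name")
    except ValueError:
        pass
    if host.count(".") >= 4:
        reasons.append("deeply nested subdomains")
    if "@" in urlsplit(url).netloc:
        reasons.append("user info embedded in URL")
    return reasons

def classify(url, reported=REPORTED_PHISHING):
    """Apply the slide's three checks in order; return (level, reason).
    level is 'allow', 'warn' (level 1: signaled) or 'block' (level 2: signaled and blocked)."""
    host = _host(url)
    if host in KNOWN_LEGITIMATE:                 # check 1: local list of legitimate sites
        return "allow", "known legitimate site"
    reasons = suspicious_characteristics(url)    # check 2: local heuristics
    if host in reported:                         # check 3: reported phishing sites
        return "block", "confirmed phishing site"
    if reasons:
        return "warn", "suspicious website: " + ", ".join(reasons)
    return "allow", "no signal"
```

Note that a confirmed report from check 3 outranks the heuristics, so a site on the reported list is blocked even when check 2 finds nothing unusual about its URL.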

Page 34

IE6 running with Admin Rights

[Diagram: IE6 running with admin rights can install a driver, run Windows Update, change settings, download a picture and cache Web content. Exploit can install MALWARE.]
Admin-Rights Access: HKLM, Program Files
User-Rights Access: HKCU, My Documents, Startup Folder
Temp Internet Files: Untrusted files & settings

Page 35

Advanced Malware Protection
Protected Mode IE, UAC contain threats

[Diagram: IExplore runs behind Integrity Control. Actions that need more privilege (Install an ActiveX control; Change settings; Save a picture) are brokered through the IEUser and IEAdmin processes; the Compat Redirector handles redirected settings & files; cached Web content goes to Temp Internet Files.]
Admin-Rights Access: HKLM, HKCR, Program Files
User-Rights Access: HKCU, My Documents, Startup Folder
Temp Internet Files: Untrusted files & settings

Page 36

Bitlocker™ Hardware Requirements

Hardware requirements to support BDE
Trusted Platform Module (TPM) v1.2
Provides platform integrity measurement and reporting
Requires platform support for TPM Interface (TIS)
Firmware (Conventional or EFI BIOS) – TCG compliant
Establishes chain of trust for pre-OS boot
Must support TCG specified Static Root Trust Measurement (SRTM)
Additional functionality enabled by USB dongle
At least 2 partitions. Partitions should be NTFS.

Page 37

What Is A Trusted Platform Module (TPM)?

Smartcard-like module on the motherboard that:
Helps protect secrets
Performs cryptographic functions
RSA, SHA-1, RNG
Meets encryption export requirements
Can create, store and manage keys
Provides a unique Endorsement Key (EK)
Provides a unique Storage Root Key (SRK)
Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 38

Bitlocker™ Features Overview

BitLocker Drive Encryption (BDE)
Prevents bypass of the Windows boot process

TPM Base Services (TBS)
Windows and 3rd party SW access to TPM

Pre-OS multi-factor authentication
Dongle, BIOS, and TPM-backed SW Identity

Bit-chipping
Sys-admin ONLY tool to securely speed-up PC re-deployment

Single MS TPM driver
Improved stability and security

Scenarios: Lost or stolen laptop
Branch-office Server

Page 39

Bitlocker™ Drive Appears In XP

Page 40

Bitlocker™ Drive Appears In Vista