David Smith | Windows Client | Microsoft Canada
Security Primer
Agenda
Fundamental security
UAC (the former LUA)
TPM 1.2
BitLocker
Fundamentals
Improved Security Development Lifecycle (SDL) process for Windows Vista
Threat modeling as part of the design phase
Security reviews and testing built into the schedule
Security metrics for product teams
Common Criteria (CC) Certification: EAL 4 and Single Level OS Protection Profile
Service Hardening
Windows Service Hardening: defense in depth
Services run with reduced privilege compared to Windows XP
Windows services are profiled for allowed actions to the network, file system, and registry
Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
Active protection: file system, registry, network
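The per-service profile described above is visible from the command line: each service gets a service SID type (`sc.exe qsidtype`) and an explicit privilege list (`sc.exe qprivs`). The following script is an added example, not code from the presentation; it lists services that still run as LocalSystem with an UNRESTRICTED SID type and no trimmed privilege set, i.e. the ones that get none of the per-service isolation. The regular expressions assume the output format of the Vista-and-later `sc.exe`.

```powershell
# Added example (not from the presentation): audit Windows Service Hardening
# settings. Run from an elevated prompt; requires PowerShell 3+ for Get-CimInstance.

function Get-ServiceSidType {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed output line: "SERVICE_SID_TYPE:  UNRESTRICTED" (or RESTRICTED / NONE)
    $out = & sc.exe qsidtype $Name 2>&1 | Out-String
    if ($out -match 'SERVICE_SID_TYPE:\s*(\S+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Get-ServicePrivileges {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed output: "PRIVILEGES       : SeTcbPrivilege" followed by
    # continuation lines "                 : SeChangeNotifyPrivilege".
    $out = & sc.exe qprivs $Name 2>&1
    $privs = foreach ($line in $out) {
        if ($line -match ':\s*(Se\w+Privilege)\s*$') { $Matches[1] }
    }
    return @($privs)
}

function Get-ServiceHardeningReport {
    Get-CimInstance Win32_Service | ForEach-Object {
        $sid   = Get-ServiceSidType    -Name $_.Name
        $privs = Get-ServicePrivileges -Name $_.Name
        [pscustomobject]@{
            Name       = $_.Name
            Account    = $_.StartName
            SidType    = $sid
            Privileges = if ($privs.Count) { $privs -join ',' } else { '(all of the account)' }
            # No explicit privilege list means the service inherits every privilege
            # its account holds; LocalSystem + UNRESTRICTED is the least constrained case.
            Unprofiled = ($_.StartName -eq 'LocalSystem' -and $sid -eq 'UNRESTRICTED' -and $privs.Count -eq 0)
        }
    }
}

Get-ServiceHardeningReport | Where-Object Unprofiled | Sort-Object Name | Format-Table -AutoSize
```

Third-party services usually show up in this list; Microsoft's own services that were profiled for Vista show a RESTRICTED or per-service SID type and a short privilege list. A service you install yourself can be profiled the same way with `sc.exe sidtype <name> restricted` and `sc.exe privs <name> SeChangeNotifyPrivilege/...`.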
Windows Defender
Improved Detection and Removal
Redesigned and Simplified User Interface
Protection for all users
Windows Vista Firewall: combined firewall and IPsec management
New management tools – Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent
Specify security requirements such as authentication and encryption
Specify Active Directory computer or user groups
Outbound filtering: enterprise management feature, not for consumers
Simplified protection policy reduces management overhead
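What "rules become more intelligent" means in practice: a firewall rule can demand that the peer already be authenticated by IPsec and that its computer and user identities belong to given Active Directory groups, and outbound filtering can be switched on per profile. The following `netsh advfirewall` sequence is an added example, not part of the presentation. The two group SIDs are placeholders to replace with your own groups' SIDs, and the rule names and ports are arbitrary.

```powershell
# Added example (not from the presentation): IPsec-aware firewall rules with
# AD group authorization, plus outbound filtering. Run from an elevated prompt
# on a domain-joined Vista-or-later host.

$computerGroupSid = 'S-1-5-21-0-0-0-1001'   # placeholder: AD group, e.g. "Admin Workstations"
$userGroupSid     = 'S-1-5-21-0-0-0-1002'   # placeholder: AD group, e.g. "Server Admins"

# The firewall takes authorization lists as SDDL "allow" ACEs and evaluates them
# against the Kerberos identities carried in the IPsec security association.
$rmtComputerGrp = "D:(A;;CC;;;$computerGroupSid)"
$rmtUsrGrp      = "D:(A;;CC;;;$userGroupSid)"

# 1. Connection security rule: require Kerberos computer and user authentication
#    for inbound traffic, request it for outbound.
netsh advfirewall consec add rule name="Require Kerberos auth" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# 2. Inbound RDP rule that only allows peers that passed IPsec authentication
#    (security=authenticate) AND are members of both groups.
netsh advfirewall firewall add rule name="RDP from admin workstations (IPsec)" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain `
    security=authenticate rmtcomputergrp="$rmtComputerGrp" rmtusrgrp="$rmtUsrGrp"

# 3. Outbound filtering is off by default; for the domain profile block outbound
#    and then allow only what is needed.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow outbound HTTPS" `
    dir=out action=allow protocol=TCP remoteport=443

# 4. Verify that the security and group settings were stored on the rule.
netsh advfirewall firewall show rule name="RDP from admin workstations (IPsec)" verbose
```

The check in step 4 matters: a rule with `security=authenticate` but no matching connection security rule silently matches nothing, because no traffic ever arrives authenticated.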
Challenges
Users running as admin = unmanaged desktops
Viruses and spyware can damage the system when run with elevated privileges
Enterprise users running with elevated privileges can compromise the corporation
Users can make changes that require re-imaging the machine to undo
Line of Business (LoB) applications require elevated privileges to run
System security must be relaxed to run the LoB application
IT administrators must reevaluate the LoB applications for each operating system release due to inconsistent configuration settings
Common operating system configuration tasks require elevated privilege
Corporations can't easily deploy applications unless they compromise operating system security
Simple scenarios like changing the time zone don't work
Users are not able to manage non-sensitive account information
User Account Control
Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls
Make the system work well for standard users: allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
Make it clear when elevation to admin is required and allow that to happen in-place without logging off
High application compatibility with file/registry virtualization
Administrators use full privilege only for administrative tasks or applications
User provides explicit consent before using elevated privilege
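The mechanism behind "full privilege only for administrative tasks" is the filtered token: an administrator's interactive session runs with the Administrators group marked deny-only until the user consents to elevation. The script below is an added example, not code from the presentation; it reads the documented UAC policy values from the registry, tells you whether the current token is elevated, filtered, or a plain standard user, and shows in-place elevation of a command. The function names are my own.

```powershell
# Added example (not from the presentation): inspect UAC policy and the state
# of the current token.

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = [bool]$p.EnableLUA              # 1 = UAC on; 0 disables the whole feature
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # Vista default 2 = prompt for consent; 0 = elevate without prompting
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser    # 1 = prompt for admin credentials; 0 = deny elevation
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop  # prompt on the isolated secure desktop
        EnableVirtualization       = [bool]$p.EnableVirtualization   # file/registry virtualization for legacy apps
    }
}

function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    $adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    # IsInRole honours the deny-only flag UAC sets on the Administrators group in a
    # filtered token, so it is false in an unelevated admin session ...
    $elevated = $principal.IsInRole($adminRole)
    # ... while the group SID is still present in the token, which is how a
    # filtered (split) token is recognised.
    $memberOfAdmins = $id.Groups -contains $adminSid
    [pscustomobject]@{
        User          = $id.Name
        Elevated      = $elevated
        FilteredAdmin = ($memberOfAdmins -and -not $elevated)
        StandardUser  = (-not $memberOfAdmins)
    }
}

function Start-Elevated {
    param([Parameter(Mandatory)][string]$Command, [string[]]$Arguments)
    # In-place elevation: triggers the consent (admin) or credential (standard
    # user) prompt, no logoff required.
    Start-Process -FilePath $Command -ArgumentList $Arguments -Verb RunAs
}

Get-UacPolicy | Format-List
Get-TokenState | Format-List
# Example of elevating a single task rather than the whole session:
# Start-Elevated -Command 'cmd.exe' -Arguments '/k','whoami /groups | findstr Mandatory'
```

A report of `EnableLUA = False` or `ConsentPromptBehaviorAdmin = 0` means the "explicit consent" property from the slide no longer holds on that machine.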
Information Leakage Is Top-of-mind With Business Decision Makers
“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach”
Jupiter Research Report, 2004
Security breaches reported by businesses (chart; percent of respondents):
Virus infection: 63%
Unintended forwarding of emails: 36%
Loss of mobile devices: 35%
Password compromise: 22%
Email piracy: 22%
Loss of digital assets, restored: 20%
BitLocker Drive Encryption
BitLocker Drive Encryption fully encrypts the entire Windows Vista volume. Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication.
A Trusted Platform Module?
Protects secrets
Performs cryptographic functions: RSA, SHA-1, RNG
Meets encryption export requirements
Can create, store and manage keys
Provides a unique Endorsement Key (EK)
Provides a unique Storage Root Key (SRK)
Answers the question: "Where do we put the key?"
Hardware can be made and certified tamper-resistant
Provides anti-hammering protection
TPM is an implementation of a Root of Trust
Enables implementation of Static Root of Trust for Measurement
Hardware is easy to validate; it is difficult for software to self-validate
Performs digital signature operations
Holds platform measurements (hashes)
Anchors the chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
Spectrum of Protection (diagram; axes: Security vs. Ease of Use)
TPM only: protects against software-only attacks; vulnerable to some hardware attacks
TPM + PIN: protects against many hardware attacks; vulnerable to some hardware attacks
Dongle only: protects against all hardware attacks; vulnerable to losing the dongle, pre-OS attacks, and the dongle being left with the device
TPM + dongle: protects against software and hardware attacks; vulnerable to losing the dongle and the dongle being left with the device
An Integrated Solution
BitLocker is integrated into WMI and Group Policy
AD will automatically escrow keys and passwords for centralized management
Recovery console built into Vista for field recovery if needed
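The WMI integration mentioned above is the Win32_Tpm class (namespace root\cimv2\Security\MicrosoftTpm) and the Win32_EncryptableVolume class (namespace root\cimv2\Security\MicrosoftVolumeEncryption). The script below is an added example, not code from the presentation; it reports TPM state and, per volume, the protection status and which key protectors are present, and flags volumes sitting on the weakest row of the spectrum above (TPM only) and volumes with no recovery password to escrow. Function names and the `TpmOnly` heuristic are my own; the key-protector type codes are those of the provider.

```powershell
# Added example (not from the presentation): query TPM and BitLocker state
# through WMI. Run from an elevated prompt; PowerShell 3+ for the CIM cmdlets.

function Get-TpmState {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { return [pscustomobject]@{ Present = $false } }
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $tpm.SpecVersion   # e.g. "1.2, 2, 3"
        Enabled     = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        Activated   = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        Owned       = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
    }
}

# Key protector types as returned by Win32_EncryptableVolume.GetKeyProtectorType.
$protectorNames = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword';
                     4='TPMAndPIN'; 5='TPMAndStartupKey'; 6='TPMAndPINAndStartupKey';
                     7='PublicKey'; 8='Passphrase' }
$protectionStatus = @{ 0='Unprotected'; 1='Protected'; 2='Unknown' }

function Get-BitLockerState {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume | ForEach-Object {
        $vol    = $_
        $status = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus
        # KeyProtectorType 0 = enumerate protectors of every type
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        $types = foreach ($id in @($ids)) {
            $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                      -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
            $protectorNames[[int]$t]
        }
        $multiFactor = @('TPMAndPIN','TPMAndStartupKey','TPMAndPINAndStartupKey')
        [pscustomobject]@{
            Volume     = $vol.DriveLetter
            Protection = $protectionStatus[[int]$status]
            Protectors = (@($types) -join ',')
            # Weakest row of the "Spectrum of Protection": a TPM protector with no PIN or startup key.
            TpmOnly    = (@($types) -contains 'TPM') -and -not ($types | Where-Object { $multiFactor -contains $_ })
            # A numerical (recovery) password is what Group Policy escrows into AD.
            HasRecoveryPassword = (@($types) -contains 'NumericalPassword')
        }
    }
}

Get-TpmState | Format-List
Get-BitLockerState | Format-Table -AutoSize
```

Moving a volume up the spectrum is a key-protector change rather than a re-encryption: on Windows 7 and later `manage-bde -protectors -add C: -TPMAndPIN` adds the PIN factor, and `manage-bde -protectors -adbackup C: -id {protector-id}` pushes an existing recovery password into AD by hand if the Group Policy escrow did not run (on Vista the same tool shipped as the `manage-bde.wsf` script).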
Windows Vista Information Protection: who are you protecting against?
Other users or administrators on the machine? EFS
Unauthorized users with physical access? BitLocker
Scenarios (table comparing BitLocker, EFS and RMS coverage):
Laptops
Branch office server
Local single-user file & folder protection
Local multi-user file & folder protection
Remote file & folder protection
Untrusted network admin
Remote document policy enforcement
Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins)
Windows Vista Security Summary
Fundamentals: SDL, Service Hardening, Code Scanning, Default configuration, Code Integrity
Threat and Vulnerability Mitigation: IE protected mode/anti-phishing, Windows Defender, Bi-directional Firewall, IPsec improvements, Network Access Protection (NAP)
Identity and Access Control: User Account Control, Plug and Play Smartcards, Simplified Logon architecture, BitLocker, RMS Client
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Questions and Answers
DISCLAIMER FOR DOCUMENTATION REGARDING PRE-RELEASED SOFTWAREThis document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, including URL and other Internet Web sites referenced, and is the confidential and proprietary information of Microsoft Corporation. The entire risk of the use or the results from the use of this document remains with the user.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Therefore, MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Copyright 2006 Microsoft Corporation. All rights reserved.Microsoft and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Backup Slides
Windows Service Hardening: Defense In Depth – Factoring/Profiling (diagram)
Layers shown: Kernel Drivers, User-mode Drivers, Service 1, Service 2, Service 3, ..., Service A, Service B
Reduce size of high risk layers
Segment the services
Increase # of layers
Phishing Filter: Dynamic Protection Against Fraudulent Websites
3 "checks" to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites, updated several times every hour
Two levels of warning and protection in the IE7 Security Status Bar:
Level 1: Warn, suspicious website (signaled)
Level 2: Block, confirmed phishing site (signaled and blocked)
Advanced Malware Protection: Protected Mode IE, UAC contain threats (diagram)
IE6 running with admin rights: a single process installs drivers, runs Windows Update, changes settings, downloads pictures and caches web content. Untrusted files & settings land in Temp Internet Files, and an exploit can install malware with admin-rights access (HKLM, Program Files) or user-rights access (HKCU, My Documents, Startup Folder).
IE7 Protected Mode on Vista: IExplore runs under Integrity Control and can only cache web content into Temp Internet Files (untrusted files & settings); a Compat Redirector redirects other settings & file writes. Higher-privilege actions go through separate broker processes: IEUser for user-rights access (change settings, save a picture) to HKCU, My Documents and the Startup Folder, and IEAdmin for admin-rights access (install an ActiveX control) to HKLM, HKCR and Program Files.
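The "Integrity Control" box in the diagram is Mandatory Integrity Control: Protected Mode IE runs at Low integrity, and the default no-write-up policy stops it writing to the user's Medium-integrity files and registry keys, so the only places it can write are objects explicitly labelled Low (such as the Low subfolder of Temporary Internet Files). The script below is an added example, not code from the presentation; it reads the integrity level of the current token, labels a scratch directory Low the way the IE cache is labelled, and reads the label back. The scratch path is arbitrary, and the parsing assumes the output format of `whoami.exe` and `icacls.exe` on Vista and later.

```powershell
# Added example (not from the presentation): inspect and set integrity labels.

function Get-TokenIntegrityLevel {
    # whoami /groups lists the label as "Mandatory Label\Medium Mandatory Level ... S-1-16-8192"
    foreach ($line in (& whoami.exe /groups)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'Unknown'
}

function Get-PathIntegrityLevel {
    param([Parameter(Mandatory)][string]$Path)
    # Objects without an explicit label are implicitly Medium; an explicit label
    # prints as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    $out = & icacls.exe $Path | Out-String
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level:([^\r\n]*)') {
        return "$($Matches[1]) $($Matches[2].Trim())"
    }
    return 'Medium (implicit)'
}

function New-LowIntegrityDirectory {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # (OI)(CI) = inherit to files and subfolders; L = Low; the default policy NW
    # (no-write-up) is what keeps Low processes out of Medium-labelled objects.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)L' | Out-Null
    return $Path
}

$scratch = New-LowIntegrityDirectory -Path (Join-Path $env:LOCALAPPDATA 'LowScratchDemo')

"Token integrity:   " + (Get-TokenIntegrityLevel)
"Scratch dir label: " + (Get-PathIntegrityLevel -Path $scratch)
"Profile dir label: " + (Get-PathIntegrityLevel -Path $env:USERPROFILE)
"IE low cache:      " + (Get-PathIntegrityLevel -Path (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'))
```

A Low-integrity process started with the scratch directory as its only writable location behaves like Protected Mode IE: writes anywhere under the profile fail with access denied unless a broker (IEUser/IEAdmin in the diagram) performs them at a higher level.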
BitLocker Hardware Requirements
Hardware requirements to support BDE:
Trusted Platform Module (TPM) v1.2: provides platform integrity measurement and reporting; requires platform support for the TPM Interface Specification (TIS)
Firmware (conventional or EFI BIOS), TCG compliant: establishes the chain of trust for pre-OS boot; must support the TCG-specified Static Root of Trust for Measurement (SRTM)
Additional functionality enabled by USB dongle
At least 2 partitions; partitions should be NTFS
What Is A Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
Helps protect secrets
Performs cryptographic functions: RSA, SHA-1, RNG
Meets encryption export requirements
Can create, store and manage keys
Provides a unique Endorsement Key (EK)
Provides a unique Storage Root Key (SRK)
Performs digital signature operations
Holds platform measurements (hashes)
Anchors the chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
BitLocker Features Overview
BitLocker Drive Encryption (BDE): prevents bypass of the Windows boot process
TPM Base Services (TBS): Windows and 3rd-party software access to the TPM
Pre-OS multi-factor authentication: dongle, BIOS, and TPM-backed software identity
Bit-chipping: sys-admin-only tool to securely speed up PC re-deployment
Single MS TPM driver: improved stability and security
Scenarios: lost or stolen laptop; branch-office server
BitLocker drive as it appears in XP (screenshot)
BitLocker drive as it appears in Vista (screenshot)