Windows Vista Security Posture

Matthew Cook, Network & Security Manager
Loughborough University

A bit about myself…
Network & Security Manager at Loughborough University
Team of ten IT professionals
Worked at Loughborough for 9+ years
JANET(UK) trainer
Security researcher

Starting Points
Five years' worth of development: Windows Vista reached general availability in January 2007 (business customers got it in November 2006).
Slow adoption of Vista in both the home and business markets.
Over to you…

Latest News
Microsoft Security Intelligence Report (Volume 5), released 3rd November 2008, covers Q1 and Q2 2008:
"The higher the level of service pack a machine runs, the lower the rate of infection!"
http://www.microsoft.com/security/portal/sir.aspx

Under the hood: Group Policy Objects
The number of settings has grown exponentially since NT 4, whose system policies "tattooed" the registry (a setting stayed behind after the policy that set it was removed)
The number increases with every release
AD schema extensions
Vista has approx. 2,500 settings
Allows for a very tailored configuration

Under the hood: Microsoft Security Centre
Firewall
  Monitors egress traffic
  Location-aware improvements
Windows Defender
  Software Explorer
Monitoring improvements
  Anti-virus
  Anti-spyware
  Firewall
  Microsoft Update
  Internet Explorer settings
  User Account Control

Under the hood: Firewall
Unchanged since W2K, until… Vista brings a bi-directional (inbound and outbound) firewall
Often a feature included in the A/V package
Most egress filtering is disabled: outbound connections are allowed by default
Configuration through wf.msc (Windows Firewall with Advanced Security)
Group Policy creation
Software vs. hardware firewall (e.g. Yoggie)

Under the hood: Defender
Spyware: scheduled scanning and removal
Software Explorer (aka msconfig)
Updates, or not…
The default scheduled scan runs at 2am every morning (change it under Tools -> Options)
Definition update problems: MS KB918355
Under the hood: User Account Control
What do these features have in common?

Under the hood: Filing System Protection
BitLocker Drive Encryption
  Accidental data disposal
  TPM
  Encryption keys and RIPA Part 3 (UK key-disclosure powers)
Enhancements to traditional EFS
Connection of USB devices
  USB sticks
  USB hard discs
  iPods etc.

Internet Explorer 7
New architecture
Phishing Filter
SSL certificate warning
Protected Mode (in Vista)
  On by default, except in the Trusted Sites zone
  Uses the new integrity-level (layering) technology
  User Account Control
  Integrity of applications
  Process privilege protections
Restrict access
Fix My Settings

Networking Changes
Network Access Protection (NAP)
  Posture checking
  Isolation
Network Awareness
  Connectivity
  Connections
  Location
Network Diagnostics Framework
Wireless improvements
TCP offloading support

Network Posture
Windows XP (IPv4):
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1025/tcp  open  taskscheduler

Windows Vista (IPv4/IPv6), with the owning process added:
135/tcp    open  msrpc
139/tcp    open  netbios-ssn
445/tcp    open  microsoft-ds
5357/tcp   open  wsdapi (Web Services for Devices)
49152/tcp  open  unknown (wininit.exe)
49153/tcp  open  unknown (svchost.exe)
49154/tcp  open  unknown (svchost.exe)
49155/tcp  open  unknown (svchost.exe)
49156/tcp  open  unknown (lsass.exe)
49157/tcp  open  unknown (services.exe)

Network Services
49152/tcp  wininit.exe  Windows Startup Application
49153/tcp  svchost.exe  Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
49154/tcp  svchost.exe  EventSystem, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, upnphost, W32Time, WebClient
49155/tcp  svchost.exe  AeLookupSvc, Appinfo, AppMgmt, BITS, Browser, CertPropSvc, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, wuauserv
49156/tcp  lsass.exe    KeyIso, Netlogon, ProtectedStorage, SamSs
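The table above is what you get by joining two built-in commands that still work on Vista: netstat -ano (listening socket to PID) and tasklist /svc (PID to image and service group). The script below is an added example, not code from the slides: it parses both outputs, rejoins the wrapped service lists that tasklist prints, drops established connections and IPv4/IPv6 duplicates, flags listeners in Vista's RPC dynamic range (49152-65535), and reports which ports are new relative to the XP scan on the previous slide. The netstat and tasklist text embedded below is constructed to mirror the host on the slides (English-locale column layout assumed); on a real host, paste the two commands' output in its place.

```python
"""Join `netstat -ano` with `tasklist /svc` to see which Windows service owns
each listening port.  Added example, not code from the slides; both sample
outputs below are constructed to mirror the Vista host shown on the slides."""
import re
from collections import namedtuple

# Vista/Server 2008 moved the RPC dynamic port range up to 49152-65535; a
# listener there is normally an RPC endpoint registered with the mapper on 135.
DYNAMIC_RANGE = range(49152, 65536)
XP_BASELINE_TCP = {135, 139, 445, 1025}   # ports the XP scan on the slide found

# Constructed `netstat -ano` output, abbreviated to the ports under discussion.
NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       500
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       960
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       584
  TCP    192.168.1.10:49158     10.0.0.5:445           ESTABLISHED     4
  TCP    [::]:49156             [::]:0                 LISTENING       584
"""

# Constructed `tasklist /svc` output; long service lists wrap onto indented
# continuation lines exactly as the real tool prints them.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
wininit.exe                    500 N/A
lsass.exe                      584 KeyIso, Netlogon, ProtectedStorage, SamSs
svchost.exe                    848 RpcSs
svchost.exe                    912 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                    960 EventSystem, FDResPub, LanmanWorkstation,
                                   netprofm, nsi, SSDPSRV, upnphost, W32Time,
                                   WebClient
"""

Listener = namedtuple("Listener", "proto port pid image services")

# UDP rows have no State column, hence the optional group before the PID.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, re-joining wrapped service lists."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            procs[current][1].extend(_split_services(line))   # continuation row
            continue
        m = _TASKLIST_RE.match(line)
        if not m:                       # header and separator rows
            current = None
            continue
        current = int(m.group("pid"))
        procs[current] = (m.group("image"), _split_services(m.group("services")))
    return procs


def listening_sockets(text):
    """Yield (proto, port, pid) for listening sockets, deduplicating v4/v6."""
    seen = set()
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m or (m.group("proto") == "TCP" and m.group("state") != "LISTENING"):
            continue                    # header rows, established connections
        key = (m.group("proto"), int(m.group("port")), int(m.group("pid")))
        if key not in seen:
            seen.add(key)
            yield key


def map_listeners(netstat_text, tasklist_text):
    """Return Listener rows sorted by port: the slide's table, built from data."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for proto, port, pid in listening_sockets(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        rows.append(Listener(proto, port, pid, image, tuple(services)))
    return sorted(rows, key=lambda r: (r.proto, r.port))


def new_listeners(rows, baseline=XP_BASELINE_TCP):
    """TCP listeners absent from the baseline scan: the added attack surface."""
    return [r for r in rows if r.proto == "TCP" and r.port not in baseline]


if __name__ == "__main__":
    rows = map_listeners(NETSTAT_ANO, TASKLIST_SVC)
    for r in rows:
        tag = "  [RPC dynamic range]" if r.port in DYNAMIC_RANGE else ""
        print("%d/%s  %s (pid %d)  %s%s" % (r.port, r.proto.lower(), r.image,
                                           r.pid, ", ".join(r.services) or "-", tag))
    print("New since XP:", sorted(r.port for r in new_listeners(rows)))
```

Because several services share one svchost.exe, the PID alone never tells you which service opened a socket; the service-group column is the best you get without a kernel-level tool, and PortQry or the TCP/IP stack's own counters are needed to narrow it further.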

Network Attack Surface
The network attack surface for Vista has changed; many tools no longer work:
  Fport
  Sysinternals TCPView
PortQry 2.0: http://support.microsoft.com/kb/832919
Reference material:
  http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf
  http://www.symantec.com/avcenter/reference/ATR-VistaAttackSurface.pdf
  http://www.microsoft.com/technet/technetmag/issues/2007/02/VistaKernel/

Web Services for Devices
What is Web Services for Devices?
  http://msdn2.microsoft.com/en-us/library/aa386284.aspx
  http://msdn2.microsoft.com/en-us/library/aa385800.aspx
wsdapi    5357/tcp  Web Services for Devices
wsdapi    5357/udp  Web Services for Devices
wsdapi-s  5358/tcp  WS for Devices Secured
wsdapi-s  5358/udp  WS for Devices Secured

IPv6
Redesigned IPv6 network stack
Enabled by default
Conversations on the local subnet (link-local traffic)
AAAA DNS lookups
Pre-SP1 ICS (Internet Connection Sharing) issues
IPsec support
Teredo NAT tunnelling
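Teredo matters to the network posture discussion because it lets a Vista host behind a NAT reach, and be reached from, the IPv6 Internet through UDP 3544 without the perimeter firewall seeing IPv6 at all. The address format (RFC 4380) is self-describing: after the 2001:0000::/32 prefix come the Teredo server's IPv4 address, a flags word, and the client's public port and IPv4 address, both stored XORed with all-ones so NAT devices do not rewrite them. The decoder below is an added example, not from the slides, for pulling those endpoints out of firewall or netstat logs; the log lines are constructed, and the server address in them is the one used in the RFC's own worked example.

```python
"""Decode Teredo (RFC 4380) addresses found in logs.  Added example, not from
the slides; SAMPLE_LOG is constructed and the addresses in it are made up."""
import ipaddress
import re
from collections import namedtuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0000::/32")
CONE_FLAG = 0x8000            # RFC 4380 "cone NAT" bit in the 16-bit flags field

TeredoEndpoint = namedtuple("TeredoEndpoint", "server client port cone_nat")


def is_teredo(addr):
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr):
    """Return the tunnel endpoints packed into a Teredo address, or None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed                                  # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])         # bits 32-63: Teredo server
    flags = int.from_bytes(raw[8:10], "big")         # bits 64-79: flags
    # Bits 80-95 and 96-127 hold the client's mapped UDP port and public IPv4
    # address, each XORed with all-ones ("obscured") so NAT ALGs leave them alone.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return TeredoEndpoint(server, client, port, bool(flags & CONE_FLAG))


def encode_teredo(server, client, port, cone_nat=True):
    """Inverse of decode_teredo: build the address a given client would get."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    flags = CONE_FLAG if cone_nat else 0
    raw = (b"\x20\x01\x00\x00"
           + ipaddress.IPv4Address(server).packed
           + flags.to_bytes(2, "big")
           + (port ^ 0xFFFF).to_bytes(2, "big")
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))
    return ipaddress.IPv6Address(raw)


# Constructed firewall-log lines: one native IPv6 client and two Teredo clients.
SAMPLE_LOG = """
2008-11-10 09:12:01 ALLOW TCP [2001:0:4136:e378:8000:63bf:3fff:fdd2]:50121 -> [2001:db8::1]:80
2008-11-10 09:12:05 ALLOW TCP [2001:db8::10]:50122 -> [2001:db8::1]:80
2008-11-10 09:13:44 ALLOW UDP [2001:0:4136:e378:0:f227:39cc:9bf8]:3544 -> [2001:db8::2]:53
"""


def teredo_endpoints_in_log(text):
    """Map every Teredo literal in bracketed [addr]:port form to its endpoints."""
    found = {}
    for m in re.finditer(r"\[([0-9a-fA-F:]+)\]", text):
        try:
            ep = decode_teredo(m.group(1))
        except ValueError:                           # not a valid IPv6 literal
            continue
        if ep is not None:
            found[m.group(1)] = ep
    return found


if __name__ == "__main__":
    for addr, ep in teredo_endpoints_in_log(SAMPLE_LOG).items():
        print(addr, "-> server", ep.server, "client", ep.client,
              "port", ep.port, "cone NAT" if ep.cone_nat else "restricted NAT")
```

The practical use is triage: a Teredo source in your logs is a NAT'd host tunnelling through a third-party relay, and the decoded client address and port tell you which internal host and NAT mapping to look for. If you do not want that path open at all, disabling the Teredo interface on the client (or blocking UDP 3544 outbound) is the control; the decoder only shows you where it is in use.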
Wireless Security

Disc Security
Already a hot topic
Data disposal (DBAN)
Data encryption
  BitLocker
  TrueCrypt
  FIPS 140-2
Not just discs…

Anti Virus
Becoming very top heavy:
  Antivirus
  Anti ad/spy/malware
  Spam checker
  Host-based intrusion prevention
  Posture checking
  Buffer overflow protection
  Data Execution Prevention
Running twice, three times, surely not?

…and at the end of the day.
Passwords
Virtualisation: you do have two operating systems!
Secure your wireless access point
Theft of physical hardware
User interaction

Futures and Windows 7
Windows 7 pre-beta (build 6801), post-PDC 2008
Action Centre
  Takes over Security Centre, Defender and UAC
  Sliding scale for the "annoyance" level of alerts
Firewall Filtering Platform
BitLocker removable storage encryption
Biometrics
DNSSEC, addressing RFC 3833
AppLocker

Web Links
Windows Vista Security Blog: http://blogs.msdn.com/windowsvistasecurity/
Microsoft Security Response Centre: http://blogs.technet.com/msrc/
Microsoft Security Central: http://www.microsoft.com/security/
SANS Internet Storm Centre: http://isc.sans.org/diary.html
SecurityFocus: http://www.securityfocus.com/

References
Administering Windows Vista Security: The Big Surprises, Mark Minasi, ISBN 0470108320
Microsoft Vista for IT Security Professionals, Anthony Piltzecker, ISBN 159749139X
Windows Vista Security, Roger Grimes and Jesper Johansson, ISBN 0470101555

Questions?
Matthew Cook
http://escarpment.net/