![Page 1: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/1.jpg)
http://www.sector.ca/
![Page 2: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/2.jpg)
Microsoft Vista: How Secure is it Really?
Presented at: TASK, January 31, 2007
CMS Consulting Inc.
![Page 3: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/3.jpg)
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
Training by Experts for Experts: MS Infrastructure - Security - Vista and Office Deployment
Visit us online: www.cms.ca (Downloads - Resources - White Papers)
For Security Solutions - For Advanced Infrastructure - For Network Solutions - For Information Worker
![Page 4: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/4.jpg)
CMS Training Offerings
• INSPIRE Infrastructure Workshop
  – 4 days of classroom training, demo intensive
  – AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
• Business Desktop Deployment – Deploying Vista/Office
  – 3 days of classroom training, hands-on labs (computers provided)
  – Business Desktop Deployment concepts, tools, processes, etc. for Vista and Office
• Securing Internet Information Services
• Securing Active Directory
• Securing Exchange 2003
  – 1 day of classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
![Page 5: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/5.jpg)
Session Goals
• We let Microsoft talk… so we need a balanced view!
• See what the dark side has been up to.
• Is it as secure as advertised?
• You may ask questions.
• Research is current as of Jan 31, 2007.
• You may not provide emotional rants.
![Page 6: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/6.jpg)
So what is newer, bigger, “bad”-er?
• User Account Control (UAC)
• Windows Defender *
• Windows Firewall *
• Windows Security Center *
• Malicious Software Removal Tool *
• Software Restriction Policies *
• BitLocker™ Drive Encryption
• Encrypting File System (EFS) *
• Rights Management Services (RMS) *
• Device control
• Address Space Randomization (ASLR)
• Now roughly 2400 Group Policy settings (XP SP2 had about 1700)
* Exists in, or is downloadable for, XP
![Page 7: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/7.jpg)
Internet Explorer 7
• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Etc, etc, etc
(Included here because Microsoft always shows it as part of Vista security… yes, I know it runs on XP.)
![Page 8: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/8.jpg)
The Switch to Vista
• If you don’t buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.
![Page 9: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/9.jpg)
Switch to Mac Instead?
![Page 10: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/10.jpg)
![Page 11: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/11.jpg)
The HOT Topic… DRM!
• Peter Gutmann wrote “A Cost Analysis of Windows Vista Content Protection” and called Vista DRM the “Longest Suicide Note in History”.
• Microsoft rebutted this. The rebuttal included some technical clarifications, but read mostly as a PR piece.
![Page 12: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/12.jpg)
DRM Highlights
• Vista will only play “premium” HD content on x64, as the DRM couldn’t be implemented in the 32-bit OS.
• This basically affects HD-DVD and Blu-ray playback.
• A High-bandwidth Digital Content Protection (HDCP) compatible monitor is required. (Shame you bought that nice Dell 24” UltraSharp.)
• Peter thinks a skilled attacker could bypass Vista DRM inside a week.
• DRM is a big reason that Vista driver support is so limited, even on the RTM media.
![Page 13: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/13.jpg)
DRM Bottom Line
• “Premium” content plays at very degraded quality unless policy is met.
• There are 30 checks per second to make sure DRM isn’t being bypassed (read: serious overhead).
• Drivers now have a “tilt” bit; it is up to vendors to determine what constitutes an attack. After a “tilt” is detected, the graphics subsystem is reset.
• Drivers can be revoked if they are exploited… if Microsoft revokes a driver and the vendor doesn’t release an update, do you have to buy a new video card?
• Still too early to tell the fallout.
![Page 14: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/14.jpg)
DRM Resources
A Cost Analysis of Windows Vista Content Protection
• http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
• Last updated January 27, 2007.
The Official Microsoft Rebuttal
• http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx
![Page 15: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/15.jpg)
Windows Defender
• XP and Vista only
• Not supported on W2K, but edit the installer with Orca and it works fine
• You can also use Orca to remove the WGA check
• Actively scans computers for "spyware, adware, and other potentially unwanted software.” You just need to trust their definition of what’s “unwanted”.
![Page 16: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/16.jpg)
Windows Defender
• SpyNet’s a neat idea.
• Not an antivirus solution (Forefront Client Security is)
• Not enterprise class (no central reporting, etc, etc)
• Can distribute updates by WSUS
![Page 17: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/17.jpg)
![Page 18: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/18.jpg)
Malware
• Sophos report summary:
  – They used the top ten November 2006 forms of malware
  – Windows Mail blocked all 10
  – Using web mail, 3 of 10 infected Vista
• Mydoom, Netsky and Stration all succeeded
  – All rely on social engineering. None took advantage of a security weakness.
![Page 19: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/19.jpg)
Exploits for Sale!
• Trend Micro’s CTO was quoted in various articles claiming to have seen Vista 0-day on auction boards for upwards of $50k.
• This isn’t really news. Exploits for $$$ are not new.
![Page 20: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/20.jpg)
Attacks for Sale
![Page 21: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/21.jpg)
![Page 22: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/22.jpg)
$50k for an Exploit?
![Page 23: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/23.jpg)
![Page 24: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/24.jpg)
Exploit Prediction
• Because I’m such an expert on the topic.
  – (OK, stolen mostly from Symantec’s Vista Attack Surface paper)
• The networking stack is a complete rewrite. Symantec found several DoS attacks in pre-release Vista and expects more.
• SMB2
• IPv6
• Loopback attacks (an exploit running in a low-integrity process connects back to a medium-integrity process, e.g. IE Protected Mode connecting back to SMB)
![Page 25: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/25.jpg)
User Account Control
• The nuisance:
![Page 26: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/26.jpg)
User Account Control
• Power Users no longer exists (well, the group does, but it grants nothing unless you apply a security template)
• Harmless tasks no longer require administrator (e.g. change time zone, connect to a wireless network, install approved devices)
• Either on or off: no “less annoying” or “I said yes 5 times today, I still mean yes” option
• Not entirely true: there are more Group Policy settings available to control its behaviour (each setting is a trade-off between control and nuisance)
![Page 27: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/27.jpg)
Disabling User Account Control
• Method 1 - Using Control Panel
• Method 2 - Using Control Panel on a single user
• Method 3 - Using Registry Editor
• Method 4 - Using MsConfig (System Configuration)
• Method 5 - Using Group Policy
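Methods 1, 3, 4 and 5 all end up writing the same registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the Group Policy “User Account Control: Run all administrators in Admin Approval Mode” maps to EnableLUA), so reading those values tells you whether UAC on a machine has been switched off or quietly weakened. The following PowerShell audit is an added example and not part of the original slides; the key, value names and Vista defaults are Microsoft’s, while the pass/fail rules are this script’s own.

```powershell
# Added example, not from the original slides: audit the Vista UAC registry
# values that the "disable UAC" methods above manipulate.
# Key and value names are Microsoft's; the pass/fail rules are this script's own.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Each check: value name, the Vista default that applies when the value is
# absent, a predicate returning $true when the setting is acceptable, and the
# security consequence when it is not.
$checks = @(
    @{ Name = 'EnableLUA';                  Default = 1
       Ok   = { param($v) $v -eq 1 }
       Why  = 'UAC is off: every admin logon is a full-token logon (Methods 1, 3, 4)' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 2
       Ok   = { param($v) $v -ne 0 }   # 1 = prompt for credentials, 2 = prompt for consent, 0 = silent elevation
       Why  = 'administrators elevate silently, so malware gets admin without a prompt' },
    @{ Name = 'PromptOnSecureDesktop';      Default = 1
       Ok   = { param($v) $v -eq 1 }
       Why  = 'prompts appear on the normal desktop where other processes can spoof or drive them' },
    @{ Name = 'EnableVirtualization';       Default = 1
       Ok   = { param($v) $v -eq 1 }
       Why  = 'registry/file virtualization is off; legacy apps fail instead of being redirected' }
)

$findings = foreach ($c in $checks) {
    $v = $p.($c.Name)
    if ($null -eq $v) { $v = $c.Default }      # absent value => Vista default applies
    if (-not (& $c.Ok $v)) {
        New-Object PSObject -Property @{ Setting = $c.Name; Value = $v; Impact = $c.Why }
    }
}

if ($findings) {
    $findings | Format-Table Setting, Value, Impact -AutoSize
} else {
    'UAC configuration matches the Vista defaults.'
}
```

EnableLUA only takes effect after a reboot, so a machine can report 0 here while UAC is still prompting until the next restart; treat the registry value, not the prompts, as the state the next boot will have.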
![Page 28: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/28.jpg)
Registry/File Virtualization
• When running under limited user access (LUA), registry and file writes that fail with insufficient permission get redirected (virtualized) to a per-user location
• Registry access failures under HKLM redirect to HKCU
  From: HKEY_LOCAL_MACHINE\Software
  To: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
• File access failures also redirect
  From: C:\Program Files (C:\Progra~1)
  To: %UserProfile%\AppData\Local\VirtualStore\Program Files
• Only applies to 32-bit, non-elevated interactive processes whose manifest does not declare a requestedExecutionLevel; 64-bit processes and manifested (Vista-aware) applications are not virtualized, they simply get the access-denied error
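Because the redirection is silent, the only way to know which applications are living in the VirtualStore is to look. The following PowerShell function is an added example, not from the original slides: it lists every file and registry key that has been virtualized for the current user and maps each back to the location the program believed it was writing to (the VirtualStore drops the drive letter, so the file side re-adds %SystemDrive%).

```powershell
# Added example, not from the original slides: list the writes UAC has silently
# redirected into the current user's VirtualStore and map each back to the
# location the application believed it was writing to. Anything reported here
# is a program running as a standard user that still expects XP-style write
# access to HKLM\Software or Program Files.
function Get-VirtualizedWrites {
    # File side: %LocalAppData%\VirtualStore mirrors the protected tree minus
    # the drive letter (C:\Program Files\X -> ...\VirtualStore\Program Files\X).
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $relative = $_.FullName.Substring($fileStore.Length + 1)
                New-Object PSObject -Property @{
                    Kind        = 'File'
                    Virtualized = $_.FullName
                    Intended    = Join-Path $env:SystemDrive $relative
                    Modified    = $_.LastWriteTime
                }
            }
    }

    # Registry side: HKCU\Software\Classes\VirtualStore\MACHINE mirrors HKLM.
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    $prefix   = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE'
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            New-Object PSObject -Property @{
                Kind        = 'Registry'
                Virtualized = $_.Name
                Intended    = 'HKLM:' + $_.Name.Substring($prefix.Length)
                Modified    = $null     # registry keys expose no timestamp through this provider
            }
        }
    }
}

Get-VirtualizedWrites | Sort-Object Kind, Intended |
    Format-Table Kind, Intended, Virtualized -AutoSize
```

Each hit is a latent support call: the same program run elevated (or by another user) reads the real HKLM key or Program Files file and sees none of the settings it saved. For a live view, Vista’s Task Manager can add a “Virtualization” column to the Processes tab; the permanent fix is for the vendor to ship a manifest with requestedExecutionLevel (asInvoker), which turns virtualization off for that process and makes the access-denied errors visible.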
![Page 29: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/29.jpg)
Mildly entertaining
![Page 30: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/30.jpg)
Windows Firewall
• XP has Domain vs. Standard configs
• Vista has Domain vs. Public vs. Private
• Application outbound rules (not on by default)
• Default config is the same as XP SP2 (unsolicited inbound blocked, all outbound allowed)
• IPv6 support
• New MMC console (Windows Firewall with Advanced Security) that’s super cool
• Integration with IPsec
• See Steve Riley’s TechEd presentation: 102 slides on Firewall and IPsec changes
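The default policy and an outbound-filtering policy side by side, driven through netsh advfirewall, the command-line face of the new console (netsh advfirewall is new in Vista; XP SP2 only had netsh firewall). This is an added example and not from the original slides; the program path and service name in the allow rules are assumptions for illustration. Run it from an elevated prompt; the --% token makes PowerShell hand the rest of each line to netsh verbatim so the embedded quotes survive.

```powershell
# Added example, not from the original slides: Vista's default firewall policy
# next to an outbound-filtering one, via netsh advfirewall. The program path
# and service name below are assumptions for illustration.

# Back up the current policy and show what each profile (Domain/Private/Public) enforces.
netsh --% advfirewall export "C:\fw-before.wfw"
netsh --% advfirewall show allprofiles

# Default, same as XP SP2: drop unsolicited inbound, allow every outbound connection.
netsh --% advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Outbound filtering: default-deny outbound, then allow only what the host needs.
netsh --% advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh --% advfirewall firewall add rule name="Allow DNS out" dir=out action=allow protocol=udp remoteport=53
netsh --% advfirewall firewall add rule name="Allow Windows Update out" dir=out action=allow service=wuauserv protocol=tcp remoteport=80,443
netsh --% advfirewall firewall add rule name="Allow IE out" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe"

# Log what gets dropped so the rule set can be tuned before it is pushed by Group Policy.
netsh --% advfirewall set allprofiles logging droppedconnections enable
netsh --% advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
```

Build the outbound rule set on the Private profile first: on the Domain profile, default-deny outbound also cuts Kerberos, LDAP, SMB and RPC to the domain controllers until you have rules for them. Once the dropped-connection log is quiet, push the same rules through Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.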
![Page 31: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/31.jpg)
Comparing features
![Page 32: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/32.jpg)
![Page 33: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/33.jpg)
Encrypting File System (EFS) – New in Vista
• You can store user keys on smart cards.
• You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.
• You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.
• You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user’s key instead of the system key.
• EFS supports a wider range of user certificates and keys.
![Page 34: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/34.jpg)
Address Space Randomization
• Used in the Unix world for years (PaX on Linux, OpenBSD)
• Goal is to make overflow exploitation unreliable: the memory layout is no longer predictable, so hard-coded addresses in an exploit miss
• Stack and heap are randomized
• EXEs and DLLs shipping as part of Vista are randomized
• All other EXEs and DLLs need to explicitly opt in via a new PE header flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header’s DllCharacteristics field, set by the linker’s /DYNAMICBASE switch); by default they are not randomized. Note that DLLs marked for randomization, such as system DLLs, are randomized in every process, regardless of whether other binaries in that process have opted in.
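Since opt-in is a single header bit, an audit of which binaries on a box actually opted in is a few lines of PowerShell. The function below is an added example, not from the original slides: it reads the PE optional header directly (no third-party module), reports the DYNAMIC_BASE bit (0x0040, /DYNAMICBASE) and, because the two are normally audited together, the NX_COMPAT bit (0x0100, /NXCOMPAT), then walks Program Files for binaries that will still load at a fixed address.

```powershell
# Added example, not from the original slides: report which EXEs/DLLs have
# opted in to ASLR by reading the PE optional header's DllCharacteristics
# field. Bit 0x0040 is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (linker
# /DYNAMICBASE); 0x0100 is IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT).
function Get-PEMitigations {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' signature, e_lfanew (offset of the PE header) at 0x3C.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    # 'PE\0\0' = 0x00004550 little-endian; also make sure the optional header
    # (whose DllCharacteristics we read at +70) fits inside the file.
    if ($pe -lt 0x40 -or ($pe + 4 + 20 + 72) -gt $b.Length -or
        [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "$Path has no valid PE header"
    }
    # Signature (4) + COFF file header (20), then the optional header.
    # DllCharacteristics sits at offset 70 of the optional header for both
    # PE32 (magic 0x10b) and PE32+ (magic 0x20b).
    $opt   = $pe + 4 + 20
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dllch = [BitConverter]::ToUInt16($b, $opt + 70)

    New-Object PSObject -Property @{
        File        = $Path
        Format      = $(switch ($magic) { 0x10b { 'PE32' } 0x20b { 'PE32+' } default { 'unknown' } })
        DynamicBase = [bool]($dllch -band 0x0040)   # ASLR opt-in
        NXCompat    = [bool]($dllch -band 0x0100)   # DEP opt-in
    }
}

# Walk Program Files and list binaries that did NOT opt in: these still load
# at their fixed preferred base, so an exploit against them needs no guessing.
Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { try { Get-PEMitigations -Path $_.FullName } catch { } } |
    Where-Object { -not $_.DynamicBase } |
    Format-Table File, Format, DynamicBase, NXCompat -AutoSize
```

A non-opted-in EXE is never relocated, and a non-opted-in DLL moves only if its preferred base happens to collide with something already mapped, so every row in that output is a stable address the attacker can hard-code even though the system DLLs around it are randomized.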
![Page 35: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/35.jpg)
Address Space Randomization
• Vista only uses 8 bits of entropy for image base randomization (2^8 = 256 possible load addresses)
• An attacker has a 1/256 chance of guessing an address right on the first try
• Brute force is always a possibility (if the app doesn’t die first)
• Side effect: memory fragmentation
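Worked through as an added example (not on the original slide): what 8 bits buys the attacker, for the two ways a Vista target can behave. If the base is re-randomized on every attempt (a per-process EXE base, or a service that restarts after each crash), each try is an independent 1/256 shot:

$$
P(\text{hit on one try}) = \frac{1}{2^{8}} = \frac{1}{256},
\qquad
P(\text{at least one hit in } n \text{ tries}) = 1 - \left(\frac{255}{256}\right)^{n}
$$

$$
n \approx \frac{\ln 0.5}{\ln(255/256)} \approx 177 \text{ tries for a 50\,\% chance},
\qquad
\mathbb{E}[\text{tries}] = 256
$$

If instead the address stays fixed while the attacker keeps trying (Vista randomizes system DLL bases once per boot, and a process that survives a bad guess does not move), it is an exhaustive search over 256 slots with no repeated guesses:

$$
\max(\text{tries}) = 256,
\qquad
\mathbb{E}[\text{tries}] = \frac{256 + 1}{2} = 128.5
$$

Either way a few hundred attempts suffice, which is why “if the app doesn’t die first” carries all the weight: the crash on a wrong guess, and whatever notices the crashes, is the only thing that makes 256 slots expensive.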
![Page 36: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/36.jpg)
Address Space Randomization
• Ali Rahbar’s whitepaper demonstrates how to run an exploit against code that was not compiled with the randomization switch: a non-opted-in binary still loads at its fixed preferred base, giving the attacker stable addresses regardless of the randomized system DLLs around it.
![Page 37: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/37.jpg)
Vista Piracy
• Volume Activation 2.0
• Cracks currently fall into 3 categories
  – KMS in a virtual machine (VMware Player)
  – TimeStop (aka the 2099 crack)
  – FrankenBuild (RC1 components mixed with RTM)
• Bottom line:
  – Updates to WGA will detect and disable them
  – Many cracks come with trojans for no extra charge.
![Page 38: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/38.jpg)
![Page 39: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/39.jpg)
BitLocker: Crash Course
• Several options:
  – TPM only (this is the default)
  – TPM + PIN
  – TPM + USB
  – USB only (no TPM present)
• AES 128-bit or 256-bit based encryption
• Brute force currently computationally infeasible
• If no PIN is present, stolen machines can still be attacked by traditional methods: in TPM-only mode the TPM releases the volume key at boot with no user secret, so the attacker boots the stolen machine to the logon screen and attacks the running OS (or its memory). TPM + PIN has to be enabled in Group Policy before encryption (“Control Panel Setup: Enable advanced startup options”).
![Page 40: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/40.jpg)
Bitlocker: Secure Enough?
• Attacks against TPM-only mode
  – Warm boot without destroying memory, grab keys from memory remnants
  – Cold ghosting (memory remains charged long enough to capture)
  – PCI bus exploit with a repurposed PC Card device and DMA (direct memory access) (e.g. the CardBus DMA technique demoed by David Hulton at ShmooCon 2006)
  – Xbox v1-style attacks
  – BIOS attacks (may involve removal, re-programming and compromise of the Core Root of Trust for Measurement (CRTM))
• TPM + multi-factor
  – Brute force the PIN (mitigated by TPM anti-hammering)
  – Key wear analysis (theoretical)
  – BitLocker-aware boot rootkits
  – Multi-visit attacks (hobble BitLocker, then steal the laptop)
  – Lost machine while unlocked (one-chance threat)
• The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves: Douglas MacIver at Hack in the Box 2006.
![Page 41: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/41.jpg)
BitLocker: Secure Enough?
• Team Blog violently opposes and denies any gov’t backdoor. If one is legislated, they promise to disclose or withdraw the feature
• No apparent “easy to execute” attacks (yet)
![Page 42: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/42.jpg)
PatchGuard
• Also known as Kernel Patch Protection (KPP)
• Not to be confused with the requirement for signed drivers
• Means you can’t mess with the kernel (patching kernel code or hooking the SSDT, IDT or GDT is detected and bugchecks the machine)
• Exists for all x64 versions of Windows
• 5 or 6 bypass methods can be found by searching, although little PoC exists and no method appears to work against Vista
• Authentium "broke" PatchGuard on RC
• Joanna’s raw-disk-access PatchGuard exploit was shut down with RC2
• Designed both to limit rootkit exposure and to stop vendors from using undocumented kernel manipulation
![Page 43: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/43.jpg)
PatchGuard
• This really is what all the AV vendors are upset about
• Symantec has posted a paper on how to disable first the kernel signed-driver requirement and then PatchGuard (not updated with RTM info, but I believe it would still work). It involves taking ownership of the ACLs from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE.
• Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - posted Jan 29
![Page 44: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/44.jpg)
Notes on Secure Deployment
• Use BDD 3.0 for a standardized rollout
• Read all 107 pages of Microsoft’s “Vista Security Guide”
• GPOAccelerator.wsf creates Domain, User, Desktop and Laptop GPOs for you!
• Deploy 64-bit if possible (it’s more secure: PatchGuard and mandatory driver signing)
• Make sure your AV vendor supports Vista and x64
• Train users on UAC
• Replace Defender with something enterprise class
![Page 45: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/45.jpg)
![Page 46: sector](https://reader035.fdocuments.us/reader035/viewer/2022062322/568147ab550346895db4e6b6/html5/thumbnails/46.jpg)
SIGN UP NOW!
http://www.sector.ca/