sector

46
http://www.sector.ca/

description

http://www.sector.ca/ - CMS Consulting Inc. - Microsoft Vista: How Secure is it Really? Presented at: TASK, January 31, 2007. CMS Consulting Inc., Microsoft Infrastructure and Security Experts (Active Directory - Windows Server - Exchange - SMS - ISA). PowerPoint presentation.

Transcript of sector

Page 1: sector

http://www.sector.ca/

Page 2: sector

Microsoft Vista: How Secure is it Really?

Presented at:TASKJanuary 31, 2007

CMS Consulting Inc.

Page 3: sector

CMS Consulting Inc.

Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA

MOM - Clustering - Office – Desktop Deployment - SQL – Terminal Services - Security Assessments - Lockdown – Wireless

Training by Experts for Experts
MS Infrastructure – Security - Vista and Office Deployment

Visit us online: www.cms.ca
Downloads – Resources – White Papers

For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker

Page 4: sector

CMS Training Offerings

• INSPIRE Infrastructure Workshop
– 4 days of classroom training - demo intensive
– AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server

• Business Desktop Deployment – Deploying Vista/Office
– 3 days of classroom training - hands-on labs (computers provided)
– Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office

• Securing Internet Information Services
• Securing Active Directory
• Securing Exchange 2003
– 1 day classroom training per topic

TRAINING BY EXPERTS FOR EXPERTS

Page 5: sector

Session Goals

• We let Microsoft talk… so we need a balanced view!
• See what the dark side has been up to.
• Is it as secure as advertised?

• You may ask questions.
• Research is current as of Jan 31, 2007
• You may not provide emotional rants.


Page 6: sector

So what is newer, bigger, “bad”-er?

• User Account Control (UAC)
• Windows Defender *
• Windows Firewall *
• Windows Security Center *
• Malicious Software Removal Tool *
• Software Restriction Policies *
• BitLocker™ Drive Encryption
• Encrypting File System (EFS) *
• Rights Management Services (RMS) *
• Device control
• Address Space Randomization
• Now 2400-ish group policy settings (* XP-SP2 had 1700)

* Exists in, or downloadable for XP

Page 7: sector

Internet Explorer 7

• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Etc, etc, etc

(Included here, because Microsoft always shows it as part of Vista security… yes - I know it runs on XP).

Page 8: sector

The Switch to Vista

• If you don’t buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.

Page 9: sector

Switch to Mac Instead?

Page 10: sector
Page 11: sector

The HOT Topic… DRM!

• Peter Gutmann wrote “A Cost Analysis of Windows Vista Content Protection” and called Vista DRM the “Longest Suicide Note in History”

• Microsoft rebutted this. The article included some technical clarifications, but appeared mostly as a PR piece.

Page 12: sector

DRM Highlights

• Vista will only play “premium” HD content on x64, as DRM couldn’t be implemented in their 32-bit OS.

• This basically affects HD-DVD and Blu-ray playback.

• A High-bandwidth Digital Content Protection (HDCP) compatible monitor is required. (Shame you bought that nice Dell 24” Ultrasharp)

• Peter thinks a skilled attacker could bypass Vista DRM inside a week.

• DRM is a big reason that Vista driver support is so limited even based on the RTM media

Page 13: sector

DRM Bottom Line

• “Premium” content plays at very degraded quality unless policy is met.

• There’s 30 checks per second to make sure DRM isn’t being bypassed (read: serious overhead)

• Drivers now have a “tilt” bit; it is up to vendors to determine what constitutes an attack. After a “tilt” is detected, the graphics subsystem is reset

• Drivers can be revoked if they are exploited… if Microsoft revokes a driver, and the vendor doesn’t release an update, do you have to buy a new video card?

• Still too early to tell the fall out.

Page 14: sector

DRM Resources

A Cost Analysis of Windows Vista Content Protection
• http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
• Last Update January 27, 2007.

The Official Microsoft Rebuttal
• http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx

Page 15: sector

Windows Defender

• XP and Vista only
• Not supported on W2K, but ORCA edit install and it works fine
• You can also use ORCA to remove WGA check

• Actively scans computers for “spyware, adware, and other potentially unwanted software.” You just need to trust their definition of what’s “unwanted”

Page 16: sector

Windows Defender

• SpyNet’s a neat idea.
• Not an antivirus solution (Forefront Client Security is)
• Not enterprise class (no central reporting, etc, etc)
• Can distribute updates by WSUS

Page 17: sector
Page 18: sector

Malware

• Sophos report summary:
– They used the top ten November 2006 forms of malware
– Windows Mail blocked all 10
– Using web mail, 3 of 10 infected Vista

• Mydoom, Netsky and Stration all succeeded
– All take advantage of social engineering. None took advantage of a security weakness.

Page 19: sector

Exploits for Sale!

• Trend Micro CTO quoted in various articles claiming to see Vista 0day on auction boards for upwards of $50k

• This isn’t really news. Exploits for $$$ is not new.

Page 20: sector

Attacks for Sale

Page 21: sector
Page 22: sector

$50k for an Exploit?

Page 23: sector
Page 24: sector

Exploit Prediction

• Because I’m such an expert on the topic.
– (OK, stolen mostly from Symantec’s Vista Attack Surface paper)

• The networking stack is a complete re-write. Symantec found several DoS attacks in pre-release Vista and expect more.

• SMB2
• IPv6
• Loopback attacks (an exploit at low level connects back to a medium level process, e.g. IE Protected Mode connecting back to SMB)

Page 25: sector

User Account Control

• The nuisance:

Page 26: sector

User Account Control

• Power Users no longer exists (well it does, but does nothing unless you apply security template)

• Harmless tasks no longer require administrator (eg. Change time zone, connect to wireless network, install approved devices)

• Either on or off, no “less annoying”, or “I said yes 5 times today, I still mean yes” option

• Not entirely true, there are more group policy settings available to control its behaviour (all settings=less control, more nuisance)

Page 27: sector

Disabling User Account Control

• Method 1 - Using Control Panel
• Method 2 - Using Control Panel on Single User
• Method 3 - Using Registry Editor
• Method 4 - Using MsConfig System Configuration
• Method 5 - Using Group Policy

Page 28: sector

Registry/File Virtualization

• When running under limited user access (LUA), failed (insufficient permission) registry and file writes get redirected (virtualized)

• Registry access failures to HKLM redirect to HKCU
From: HKEY_LOCAL_MACHINE\Software
To: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software

• File access failures also redirect
From: C:\Progra~1 (C:\Program Files)
To: %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
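The redirects on this slide as a small path-mapping model (an added example, not code from the presentation): the prefix table is copied from the slide, the user profile root is a constructed stand-in for %UserProfile%, and `devirtualize` lets an admin turn a file or key found in VirtualStore back into the protected location a legacy app was really writing to.

```python
# Added example (not from the slides): model the UAC registry/file
# virtualization redirects the deck lists, so an admin can map a path found
# in VirtualStore back to the protected location an app really tried to write.

PROFILE = r"C:\Users\alice"  # constructed stand-in for %UserProfile%

# Protected location -> per-user VirtualStore location, taken from the slide
# (C:\Progra~1 is the 8.3 short name for C:\Program Files). Extend or correct
# the table if a given build lays VirtualStore out differently.
REDIRECTS = [
    (r"HKEY_LOCAL_MACHINE\Software",
     r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software"),
    (r"C:\Progra~1",
     PROFILE + r"\AppData\Local\VirtualStore\C\Progra~1"),
]


def _swap_prefix(path, src, dst):
    """Replace prefix src with dst, or return None if path is not under src.
    Windows paths are case-insensitive, so compare case-folded, and match
    only on a component boundary so 'C:\\Progra~1x' is not a hit."""
    p, s = path.lower(), src.lower()
    if p == s:
        return dst
    if p.startswith(s + "\\"):
        return dst + path[len(src):]
    return None


def virtualize(path):
    """Where a failed (insufficient-permission) write to path lands under LUA.
    Paths outside the virtualized locations are returned unchanged."""
    for src, dst in REDIRECTS:
        hit = _swap_prefix(path, src, dst)
        if hit is not None:
            return hit
    return path


def devirtualize(vpath):
    """Inverse mapping: recover the protected location from a VirtualStore
    path, for auditing which legacy apps depend on virtualization."""
    for src, dst in REDIRECTS:
        hit = _swap_prefix(vpath, dst, src)
        if hit is not None:
            return hit
    return vpath
```

Running `devirtualize` over the contents of each user's VirtualStore gives a list of applications that only work because of this redirection, which is worth knowing before UAC or virtualization policy is tightened.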

Page 29: sector

Mildly entertaining

Page 30: sector

Windows Firewall

• XP has Domain vs. Standard configs
• Vista has Domain vs. Public vs. Private
• Application outbound rules (not on by default)
• Default config is same configuration as XP SP2
• IPv6 Support
• New console available by MMC that’s super cool
• Integration with IPSec
• See Steve Riley’s TechEd presentation, 102 slides on Firewall and IPSec changes

Page 31: sector

Comparing features

Page 32: sector
Page 33: sector

Encrypted File System – New in Vista

• You can store User keys on smart cards.

• You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.

• You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.

• You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user’s key instead of the system key.

• EFS supports a wider range of user certificates and keys.

Page 34: sector

Address Space Randomization

• Been used in the Unix world for over 10 years
• Goal is to eliminate overflow attacks (memory space is no longer predictable)
• Stack and Heap are randomized
• EXEs and DLLs shipping as part of Vista are randomized
• All other EXEs and DLLs will need to explicitly opt in via a new PE header flag; by default they will not be randomized. Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted in or not)

Page 35: sector

Address Space Randomization

• Vista only uses 8 bits for randomization (2^8 = 256)
• An attacker has a 1/256 chance of getting an address right
• Brute force is always a possibility (if the app doesn’t die first)
• Side effect: memory fragmentation
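The arithmetic behind the 8-bit figure, as an added example (not from the presentation): it quantifies how much a given number of random bits buys, generalised over the bit count so the 8 bits on this slide can be compared with wider randomization, and it distinguishes the single-shot case (the app dies and stays down) from the restart case the slide warns about.

```python
# Added example (not from the slides): the probability behind "8 bits of
# randomization, a 1/256 chance per guess". Generalised over the bit count
# so the 8-bit figure can be compared with wider randomization.
import math


def hit_probability(bits):
    """Chance that one guess lands on the right address when `bits` bits
    of the address are random."""
    return 1.0 / (1 << bits)


def success_within(attempts, bits=8):
    """Probability that at least one of `attempts` independent guesses hits,
    assuming each attempt faces a freshly randomized layout (the target is
    restarted after every crash). If the app dies and stays dead, the attacker
    gets exactly one attempt: success_within(1, bits)."""
    return 1.0 - (1.0 - hit_probability(bits)) ** attempts


def attempts_for_confidence(confidence, bits=8):
    """Smallest number of attempts that reaches `confidence` success
    probability; a defender can read this as roughly how many crash/restart
    events to expect in the logs before a brute force is likely to have worked."""
    p = hit_probability(bits)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def expected_attempts(bits=8):
    """Mean number of attempts until the first hit (geometric distribution)."""
    return 1 << bits
```

With 8 bits, 178 restarts already give even odds, which is why a crash-looping service is the signal to watch for rather than any single crash.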

Page 36: sector

Address Space Randomization

• Ali Rahbar demonstrates in this whitepaper how to run an exploit on code not compiled with the randomization switch

Page 37: sector

Vista Piracy

• Volume Activation 2.0
• Cracks currently fall into 3 categories
– KMS in Virtual Machine (VMPlayer)
– TimeStop (aka 2099 Crack)
– FrankenBuild (RC1 components mixed with RTM)

• Bottom Line:
– Updates to WGA will detect and disable
– Many cracks come with trojans for no extra charge.

Page 38: sector
Page 39: sector

Bitlocker: Crash Course

• Several Options:
– TPM Only (this is default)
– TPM + PIN
– TPM + USB
– USB Only (no TPM present)

• AES 128-bit or 256-bit based encryption
• Brute force currently computationally infeasible
• If no PIN is present, then stolen machines can still be attacked by traditional methods (i.e. TPM is present, and decryption happens at boot)

Page 40: sector

Bitlocker: Secure Enough?

• Attacks against TPM only mode
– Warm boot without destroying memory, grab keys from memory ghosts

– Cold ghosting (memory remains charged long enough to capture)

– PCI bus exploit with repurposed PC Card device and DMA (direct memory access) (e.g. CardBus DMA technique demoed by David Hulton at ShmooCon, 2006)

– Xbox v1-style attacks

– BIOS attacks (may involve removal, re-programming and compromise of Core Root of Trust for Measurement (CRTM))

• TPM + MultiFactor
– Brute force PIN (mitigated by TPM anti-hammering)

– Key wear analysis (theoretical)

– BitLocker Aware Boot-Rootkits

– Multi-Visit Attacks (Hobble Bitlocker, then steal laptop)

– Lost machine while unlocked (one chance threat)

• The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves. Presentation by Douglas MacIver at Hack in the Box 2006.

Page 41: sector

BitLocker: Secure Enough?

• Team Blog violently opposes and denies any gov’t backdoor. If one is legislated, they promise to disclose or withdraw the feature

• No apparent “easy to execute” attacks (yet)

Page 42: sector

PatchGuard

• Also known as Kernel Patch Protection (KPP)
• Not to be confused with requirement for signed drivers
• Means you can’t mess with the kernel
• Exists for all x64 versions of Windows
• 5 or 6 bypass methods can be found searching, although little PoC exists; no methods appear to work with Vista
• Authentium "broke" PatchGuard on RC
• Joanna’s raw-disk access PatchGuard exploit shut down with RC2
• Designed to both limit rootkit exposure and stop vendors from using undocumented kernel manipulation

Page 43: sector

PatchGuard

• This really is what all the AV vendors are upset about

• Symantec has posted a paper on how to disable first the kernel signed driver requirement and then PatchGuard (not updated with RTM info, but I believe it would still work). Involves taking ownership on ACLs from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE

• Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - Posted Jan 29

Page 44: sector

Notes on Secure Deployment

• Use BDD 3.0 for standardized rollout
• Read all 107 pages of Microsoft’s “Vista Security Guide”
• GPOAccelerator.wsf creates Domain, User, Desktop and Laptop GPOs for you!
• Deploy 64-bit if possible (it’s more secure)
• Make sure your AV vendor supports Vista and x64
• Train users on UAC
• Replace Defender with something enterprise class

Page 45: sector


Page 46: sector

SIGN UP NOW!

http://www.sector.ca/