sector
46
http://www.sector.ca/
description
http://www.sector.ca/. CMS Consulting Inc. Microsoft Vista: How Secure is it Really?. Presented at: TASK January 31, 2007. CMS Consulting Inc. Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA - PowerPoint PPT Presentation
Transcript of sector
http://www.sector.ca/
Microsoft Vista: How Secure is it Really?
Presented at:TASKJanuary 31, 2007
CMS Consulting Inc.CMS Consulting Inc.
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA
MOM - Clustering - Office – Desktop Deployment - SQL – Terminal Services - Security Assessments - Lockdown – Wireless
Training by Experts for ExpertsMS Infrastructure – Security - Vista and Office Deployment
Visit us online: www.cms.caDownloads – Resources – White Papers
For Security SolutionsFor Advanced InfrastructureFor Network SolutionsFor Information Worker
CMS Training Offerings
• INSPIRE Infrastructure Workshop– 4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
• Business Desktop Deployment – Deploying Vista/Office– 3 days of classroom training - hands on labs (computers provide)
Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office
• Securing Internet Information Services• Securing ActiveDirectory• Securing Exchange 2003
– 1 day classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
Session Goals
• We let Microsoft talk… so we need a balanced view!• See what the dark side has been up to.• Is it as secure as advertised?
• You may ask questions.• Research is current as of Jan 31, 2007• You may not provide emotional rants.
1. ~~~~~~~~~2. ~~~ ~~ ~~
3. ~~~~
So what is newer, bigger, “bad”-er?
• User Account Control (UAC)• Windows Defender *• Windows Firewall *• Windows Security Center *• Malicious Software Removal Tool *• Software Restriction Policies *• BitLocker™ Drive Encryption• Encrypting File System (EFS) *• Rights Management Services (RMS) *• Device control• Address Space Randomization• Now 2400-ish group policy settings (* XP-SP2 had 1700)
* Exists in, or downloadable for XP
Internet Explorer 7
• Internet Explorer Protected Mode• ActiveX Opt-in• Cross-domain scripting attack protection• Security Status Bar• Phishing Filter• Etc, etc, etc
(Included here, because Microsoft always shows it as part of Vista security… yes - I know it runs on XP).
The Switch to Vista
• If you don’t buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.
Switch to Mac Instead?
The HOT Topic… DRM!
• Peter Gutmann wrote “A Cost Analysis of Windows Vista Content Protection” and called Vista DRM the “Longest Suicide Note in History”
• Microsoft rebutted this. The article included some technical clarifications, but appeared mostly as a PR piece.
DRM Highlights
• Vista will only play “premium” HD content on x64, as DRM couldn’t be implemented in their x32 OS.
• This basically effects HD-DVD and BluRay playback.• High bandwidth Digital Content Protection (HDCP)
compatible monitor is required. (Shame you bought that nice Dell 24” Ultrasharp)
• Peter thinks a skilled attacker could bypass Vista DRM inside a week.
• DRM is a big reason that Vista driver support is so limited even based on the RTM media
DRM Bottom Line
• “Premium” content plays at very degraded quality unless policy is met.
• There’s 30 checks per second to make sure DRM isn’t being bypassed (read: serious overhead)
• Drivers now have a “tilt” bit, up to vendors to determine was constitutes an attack. After “tilt” detected, graphics subsystem reset
• Drivers can be revoked if they are exploited… if Microsoft revokes a driver, and the vendor doesn’t release an update, do you have to buy a new video card?
• Still too early to tell the fall out.
DRM Resources
A Cost Analysis of Windows Vista Content Protection• http://www.cs.auckland.ac.nz/~pgut001/pubs/
vista_cost.html• Last Update January 27, 2007.
The Official Microsoft Rebuttal• http://windowsvistablog.com/blogs/windowsvista/
archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx
Windows Defender
• XP and Vista only• Not supported on W2K, but ORCA edit install and it works fine• You can also use ORCA to remove WGA check
• Actively scans computers for "spyware, adware, and other potentially unwanted software.” You just need to trust their definition of what’s “unwanted”
Windows Defender
• SpyNet’s a neat idea.• Not an antivirus solution
(Forefront Client Security is)• Not enterprise class
(no central reporting, etc, etc)• Can distribute updates by WSUS
Malware
• Sophos report summary:– They used the top ten November 2006 forms of malware– Windows Mail blocked all 10– Using web mail, 3 of 10 infected Vista
• Mydoom, Netsky and Stration all succeeded
– All take advantage of social engineer. None took advantage of a security weakness.
Exploits for Sale!
• Trend Micro CTO quoted in various articles claiming to see Vista 0day on auction boards for upwards of $50k
• This isn’t really news. Exploits for $$$ is not new.
Attacks for Sale
$50k for an Exploit?
Exploit Prediction
• Because I’m such an expert on the topic. – (Ok stolen mostly from Symantec’s Vista Attack Surface paper)
• The networking stack is a complete re-write. Symantec found several DoS attacks in pre-release Vista and expect more.
• SMB2• IPv6• Loopback attacks (exploit at low level connect back to
medium level process, eg. IE protected mode connect back to SMB)
User Account Control
• The nuisance:
User Account Control
• Power Users no longer exists (well it does, but does nothing unless you apply security template)
• Harmless tasks no longer require administrator (eg. Change time zone, connect to wireless network, install approved devices)
• Either on or off, no “less annoying”, or “I said yes 5 times today, I still mean yes” option
• Not entirely true, there are more group policy settings available to control its behaviour (all settings=less control, more nuisance)
Disabling User Account Control
• Method 1 - Using Control Panel• Method 2 - Using Control Panel on Single User• Method 3 - Using Registry Editor• Method 4 - Using MsConfig System Configuration• Method 5 - Using Group Policy
Registry/File Virtualization
• When running under limited user access (LUA) failed (insufficient permission) registry and file writes get redirected (virtualized)
• Registry access failures to HKLM redirect to HKCUFrom: HKEY_LOCAL_MACHINE\Software
to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
• File access failures also redirectFrom: C:\Progra~1 (C:\Program Files)
to:
%UserProfile%\AppData\Local\VirtualStore\C\Progra~1
Mildly entertaining
Windows Firewall
• XP has Domain vs. Standard configs• Vista has Domain vs. Public vs. Private• Application outbound rules (not on by default)• Default config is same configuration as XP SP2• IP v6 Support• New console available by MMC that’s super cool• Integration with IPSec• See Steve Riley’s TechEd presentation 102 slides on
Firewall and IPSec changes
Comparing features
Encrypted File System – New in Vista
• You can store User keys on smart cards.• You can store recovery keys on smart cards, allowing
secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.
• You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.
• You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user’s key instead of the system key.
• EFS supports a wider range of user certificates and keys.
Address Space Randomization
• Been used in the Unix world for over 10 years• Goal is to eliminate overflow attacks (memory space is no
longer predictable)• Stack and Heap are randomized• EXE’s and DLL’s shipping as part of Vista are
randomized• All other EXEs and DLLs will need to explicitly opt-in via a
new PE header flag; by default they will not be randomized. 'Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted-in or not)
Address Space Randomization
• Vista only uses 8 bits for randomization (28=256) • An attacker has a 1/256 chance of getting an address
right• Brute force is always a possibility (if the app doesn’t die
first)• Side effect: memory fragmentation
Address Space Randomization
• Ali Rahbar demonstrates in this whitepaper how to run an exploit on code not compiled with the randomization switch
Vista Piracy
• Volume Activation 2.0• Cracks currently fall into 3 categories
– KMS in Virtual Machine (VMPlayer)– TimeStop (aka 2099 Crack)– FrankenBuild (RC1 components mixed with RTM)
• Bottom Line:– Updates to WGA will detect and disable– Many Cracks come with trojans for no extra charge.
Bitlocker: Crash Course
• Several Options:– TPM Only (this is default)– TPM + PIN– TPM + USB– USB Only (no TPM present)
• AES 128bit or 256bit based encryption• Brute Force currently computationally unfeasible • If no PIN present, then stolen machines can still be
attacked by traditional methods (ie. TPM is present, and decryption happens at boot)
Bitlocker: Secure Enough?
• Attacks against TPM only mode– Warm boot without destroying memory, grab keys from memory ghosts
– Cold ghosting (memory remains charged long enough to capture)
– PCI bus exploit with repurposed PC Card device and DMA (direct memory access) (e.g. CardBus DMA technique demoed by David Hulton at ShmooCon, 2006)
– Xbox v1-style attacks
– BIOS attacks (may involve removal, re-programming and compromise of Core Root of Trust for Measurement (CRTM)
• TPM+MultiFactor– Brute force PIN (mitigated by TPM anti-hammering)
– Key wear analysis (theoretical)
– BitLocker Aware Boot-Rootkits
– Multi-Visit Attacks (Hobble Bitlocker, then steal laptop)
– Lost machine while unlocked (one chance threat)
• The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves. Presentation by Douglas MacIver at Hack in the Box 2006.
BitLocker: Secure Enough?
• Team Blog violently opposes and denies any gov’t backdoor. If one is legislated, they promise to disclose or withdraw the feature
• No apparent “easy to execute” attacks (yet)
PatchGuard
• Also known as Kernel Patch Protection (KPP)• Not to be confused with requirement for signed drivers• Means you can`t mess with the kernel• Exists for all x64 versions of Windows• 5 or 6 bypass methods can be found searching, although
little PoC exists, no methods appear to work with Vista• Authentium "broke" Patchguard on RC• Joanna`s raw-disk access Patchguard exploit shutdown
with RC2• Designed to both limit rootkit exposure and stop vendors
from using undocumented kernel manipulation
PatchGuard
• This really is what all the AV vendors are upset about• Symantec has posted a paper on how to disable first the
kernel signed driver requirement and then Patchguard (not updated with RTM info, but I believe it would still work). Involves taking ownership on ACL’s from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE
• Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - Posted Jan 29
Notes on Secure Deployment
• Use BDD 3.0 for standardized rollout• Read all 107 pages of Microsoft’s “Vista Security Guide” • GPOAccelerator.wsf creates Domain, User, Desktop and
Laptops GPO’s for you!• Deploy 64bit if possible (its more secure)• Make sure your AV vendor supports Vista and x64• Train users on UAC• Replace Defender with something enterprise class
CMS Training Offerings
• INSPIRE Infrastructure Workshop– 4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
• Business Desktop Deployment – Deploying Vista/Office– 3 days of classroom training - hands on labs (computers provide)
Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office
• Securing Internet Information Services• Securing ActiveDirectory• Securing Exchange 2003
– 1 day classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
SIGN UP NOW!
http://www.sector.ca/
