Secure Operating Systems Lesson E: Windows Security - Overview.


Where are we?
• We’ve discovered SELinux is moderately cool
• How does this compare to Windows?
  - There’s a lot here, so we’ll just scratch the surface

Windows: History
• So, Windows really does have a long history
• DOS survived for a long time, until we moved on to the NT core
• The current version of Windows 8 has finally started to move away from the backward compatibility that has dogged us

BitLocker
• Full hard drive encryption is actually pretty cool: BitLocker
• Can leverage the TPM, which is nice
  - Can provide remote attestation for hardware and software
  - Not only for disk encryption; has been used for DRM too
  - Can use in combination with a USB token

TPM Structure
• Picture from Guillaume Piolle

Windows Integrity Control
• Although we don’t think about them, Windows uses MACLs (Mandatory Access Control Lists)
• Thus, the OS can make a security decision based on how trusted an object is
  - Let’s take a look with Process Explorer (from Sysinternals)

SACLs and DACLs
• SACLs beat DACLs
  - System Access Control List
  - Discretionary Access Control List
• Thus, even if the DACL grants access, the SACL must also grant access for the operation to go through
• This is all documented well by MS… us/library/windows/desktop/bb648648(v=vs.85).aspx
• Enables things like SYSTEM_MANDATORY_LABEL_NO_READ_UP

Managing all of this

Of course, we need
• Run As… administrator
• icacls templow /setintegritylevel L for example
• But of course, we never use this, except for using the defaults, which seems like a pity, eh?
  - There’s a philosophical point here

UAC (Woohoo!)
• Everyone seems to hate UAC, but it does help in terms of users making mistakes
• It’s certainly not bulletproof (cue Shaun)
• The idea is the principle of least privilege
• The problem is that we don’t read the popups very well
• The basic idea: run with lower privileges, and then upgrade as you need it

Service Resource Isolation
• What happens when a service gets broken into?
• Let’s look
• sc query type= service | more
• sc showsid AdobeActiveFileMonitor9.0
• psgetsid
• Can create a *restricted* SID
  - Two checks: one on the enabled token, one on the restricted SID
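
The order of checks from the SACLs and DACLs slide and the two-pass check for restricted SIDs on this slide, as an added example that is not part of the original lecture. It is a simplified model: the struct names, the string SIDs ("Users", "SvcSid") and the sample objects are constructed for illustration and are not Windows API types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the access check; all names here are this example's own. */
enum { IL_LOW = 1, IL_MEDIUM, IL_HIGH, IL_SYSTEM };   /* integrity levels */
enum { WRITE = 1, READ = 2, EXECUTE = 4 };            /* access rights */
/* Label policy: the rights a lower-integrity caller loses on this object. */
enum { NO_WRITE_UP = WRITE, NO_READ_UP = READ, NO_EXECUTE_UP = EXECUTE };

struct ace    { bool allow; const char *sid; unsigned mask; };
struct object { int label; unsigned policy; const struct ace *dacl; size_t n_aces; };
struct token  { int level; const char *sids[4]; const char *restricted[4]; }; /* NULL-terminated */

static bool has_sid(const char *const *sids, const char *sid) {
    for (; *sids; sids++)
        if (strcmp(*sids, sid) == 0) return true;
    return false;
}

/* Walk the DACL in order: a matching deny ACE for a right not yet granted
   ends the check, matching allow ACEs accumulate rights. */
static bool dacl_grants(const struct object *o, const char *const *sids,
                        unsigned want) {
    unsigned granted = 0;
    for (size_t i = 0; i < o->n_aces; i++) {
        const struct ace *a = &o->dacl[i];
        if (!has_sid(sids, a->sid)) continue;
        if (!a->allow && (a->mask & want & ~granted)) return false;
        if (a->allow) granted |= a->mask;
    }
    return (granted & want) == want;
}

bool access_check(const struct token *t, const struct object *o, unsigned want) {
    /* 1. Mandatory label (kept in the SACL) is evaluated before the DACL. */
    if (t->level < o->label && (want & o->policy)) return false;
    /* 2. DACL against the token's enabled SIDs. */
    if (!dacl_grants(o, t->sids, want)) return false;
    /* 3. Restricted token: the DACL must also grant a restricting SID. */
    return t->restricted[0] == NULL || dacl_grants(o, t->restricted, want);
}

/* Constructed samples: a medium-integrity file that lets "Users" read and write. */
const struct ace    sample_dacl[]  = { { true, "Users", READ | WRITE } };
const struct object sample_file    = { IL_MEDIUM, NO_WRITE_UP, sample_dacl, 1 };
const struct token  medium_user    = { IL_MEDIUM, { "Users" }, { 0 } };
const struct token  low_user       = { IL_LOW,    { "Users" }, { 0 } };
const struct token  restricted_svc = { IL_MEDIUM, { "Users" }, { "SvcSid" } };
```

With these samples, the low-integrity caller can read but not write the file even though the DACL grants both, and the restricted service is refused because no ACE names its restricting SID.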

Service Refactoring
• Basically, run services with base least privilege
• New service hosts (low to high):
  - LocalServiceNoNetwork
  - LocalServiceRestricted
  - LocalServiceNetworkRestricted
  - NetworkServiceRestricted
  - NetworkServiceNetworkRestricted
  - LocalSystemNetworkRestricted

Restricted Network Access
• Network restriction policies can be applied to services too
• Direction: ingress and egress
• Protocol: what protocols should be allowed?
• Principal: Rules apply to specific users
• Interface: WLAN, Wireless, LAN etc.

Buffer Overflows
• Let’s remind ourselves how buffer overflows work
• The compiler now adds cookies… let’s look at the code
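
What the compiler-inserted cookie does, as an added example that is not the code shown in the original lecture. It simulates a protected stack frame as a struct (the layout, the cookie value and the saved return address are constructed) so the check the compiler emits in the function epilogue can be followed without relying on undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated frame, laid out as a cookie-protected frame is:
   local buffer first, then the cookie, then the saved return address. */
struct frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_ret;
};

/* Constructed values; a real cookie is chosen randomly at process start. */
static const uint32_t PROCESS_COOKIE = 0x5EC0C0DEu;
static const uint32_t SAVED_RET      = 0x00401000u;

/* Models a function with an unchecked copy into buf. Returns true and
   reports the return address only if the cookie survived the copy. */
bool guarded_copy(const unsigned char *input, size_t len, uint32_t *ret_used) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie    = PROCESS_COOKIE;          /* prologue: place the cookie */
    f.saved_ret = SAVED_RET;

    if (len > sizeof f) len = sizeof f;    /* keep the simulation in bounds */
    memcpy(&f, input, len);                /* the bug: len is not limited to buf */

    if (f.cookie != PROCESS_COOKIE)        /* epilogue: verify before returning */
        return false;                      /* the real runtime ends the process here */
    *ret_used = f.saved_ret;
    return true;
}
```

The check runs only when the function returns, so it catches a linear overwrite that crosses the cookie on its way to the return address; it does not stop the copy itself.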

Questions & Comments
• What do you want to know?