Vista Security For Developers Silvano Coriani Developer Evangelist Microsoft.


1 Vista Security For Developers Silvano Coriani (silvano.coriani@microsoft.com) Developer Evangelist Microsoft

2 Agenda
- Windows Vista System Integrity Technologies
- Layered security onion
- Boot environment
- Kernel mode
- Service hardening
- User Account Control
- Administrative tasks
- Application compatibility: do & don't

3 Windows XP (diagram: User, Kernel, Admin, System Services)
1. Few layers
2. Mostly privileged
3. Limited guards between layers

4 Vista (diagram: System Services, User Account Control (LUA), Service Hardening, Admin, Kernel, Service 1-3, Low Privilege Services, Low rights programs, LUA User, Svc 6, Svc 7, User mode drivers)
1. Increase # of layers
2. Segment services
3. Reduce size of high risk layers

5 The Bad Guys Are Everywhere!
- They literally want to do you harm
- Threats exist in two interesting places
  - Online: system started, shows login screen or user is logged in
  - Offline: system is powered down or in hibernation
- Policies must address both

6 Protect The Os When Running

7 The Threats
- Trojan that replaces a system file to install a rootkit and take control of the computer (e.g. Fun Love or others that use rootkits)
- Offline attack caused by booting an alternate operating system and attempting to corrupt or modify Windows operating system image files
- Third-party kernel drivers that are not secure
- Any action by an administrator that threatens the integrity of the operating system binary files
- Rogue administrator who changes an operating system binary to hide other acts

8 Code Integrity
- Validates the integrity of each binary image
  - Checks hashes for every page as it's loaded
  - Also checks any image loading into a protected process
  - Implemented as a file system filter driver
  - Hashes stored in system catalog or in an X.509 certificate embedded in the file
- Also validates the integrity of the boot process
  - Checks the kernel, the HAL, boot-start drivers
- If validation fails, the image won't load

9 Protect The OS When Not Running

10 The Threats
- Computer is lost or stolen
  - Theft or compromise of data
  - Attack against corporate network
  - Damage to OS if attacker installs alternate OS
- Difficult and time-consuming to truly erase decommissioned disks
- Existing ways to mitigate these threats are too easy for users to circumvent

11 Secure Startup ("BitLocker")
- Ensure boot integrity
  - Resilient against attack
  - Protect system from offline software-based attacks
  - Lock tampered systems
  - Prevent boot if monitored files have been altered
- Protect data when offline
  - Encrypt user data and system files
  - All data on the volume is encrypted: user, system, page, hibernation, temp, crash dump
  - Umbrella protection: third-party apps benefit when installed on the encrypted volume
- Ease equipment recycling
  - Simplify recycling: render data useless by deleting the TPM key store
  - Speed data deletion: erasing takes seconds, not hours

12 Bootstrapping the system
- Secure startup (BitLocker)
  - Integration with TPM and BIOS
  - Provides root of trust for CI, LUA, ...
  - Full disk encryption
- Code Integrity (CI)
  - Verifies integrity of binaries at load/page-in
  - Covers x64 kernel modules and protected media processes
  - Supports catalog and embedded signatures

13 Device drivers
- Poorly written or malicious drivers lead to crashes, instability, and security issues
- Mandatory kernel driver signing on x64
  - Load time enforcement
- Patching of private kernel state on x64 is not allowed
- Introduction of User Mode Driver Framework
  - Reduce system instability
  - Reduce high privileged attack surface
- Windows Defender driver protection

14 Protect Services From Exploit

15 The Threats
- Remember Blaster? Took over RPCSS, made it write msblast.exe to the file system and added run keys to the registry
- No software is perfect; someone still might find a vulnerability in a service
- Malware often looks to exploit such vulnerabilities
- Services are attractive
  - Run without user interaction
  - Many services often have free rein over the system: too much access
  - Most services can communicate over any port

16 Service Hardening
- Service refactoring
  - Move service from LocalSystem to something less privileged
  - If necessary, split the service so that only the part requiring LocalSystem receives it
- Service profiling
  - Enables the service to restrict its behavior
  - Resources can have ACLs that allow the service's ID to access only what it needs
  - Also includes rules for specifying required network behavior
- It's about the principle of least privilege: it's good for people, and it's good for services

17 Service hardening objectives
- Run with least privilege
- Minimize resource access
- Reduce the damage potential and number of critical vulnerabilities in services
- Extend the existing security model and provide options based on service requirements:
  - Good: move to a least privilege account. Refactor services into two parts where necessary. Strip unnecessary Windows "privileges" on a per-service basis. Supply network firewall rules.
  - Better: grant the Service SID access via ACLs on service specific resources.
  - Best: use Service SID, ACLs and a "write-restricted token" to isolate services.

18 Vista service changes (services common to both platforms)
Windows XP SP2:
- LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
- Network Service: DNS Client
- Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry
Vista client:
- LocalSystem, firewall restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon
- LocalSystem, demand started: BITS
- Network Service, fully restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA
- Network Service, network restricted: TrkWks, Cryptographic Services
- Local Service, no network access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System
- Local Service, fully restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry

19 Protect The OS And Data From Unknown Code

20 The Threats
- A user unknowingly runs code from an unknown source that attempts to modify or delete files
- Code running as LUA attempts a local elevation of privilege by injecting code into a process running as administrator
- Trojans that attempt to execute with full administrator privilege
- System code reads data from the Internet (an untrustworthy source) that contains corrupt data designed to elevate privilege by exploiting a bug

21 Mandatory Integrity Control
- Method to prevent low-integrity code from modifying high-integrity code
  - Protect TCB files and data from modification by privileged users
  - Protect user data from modification by unknown malicious code
  - Protect processes running as PA (privileged administrator) from modification by processes running as LUA under the same user SID
- Classical computer security concept known since the 1970s
- Lots of recent work in various operating systems

22 Protect The OS From The Web

23 The Threats
- Alas, most Windows users still run as admin
  - Meaning: the Internet runs as admin on your PC!
- "Drive-by" installs of spyware and virus code
- Exploits of vulnerabilities give attackers full remote access
- Even non-admins are still vulnerable to malicious destruction of personal data

24 Internet Explorer Protected Mode
- Built on mandatory integrity control
  - Internet Explorer runs at low integrity level
- Reduce the severity of threats to IE add-ons
  - Eliminate the silent install of malicious code through software vulnerabilities
  - Preserve compatibility whenever possible
  - Provide the capability and guidance for add-ons to restore functionality
  - Minimize required user involvement
- Sometimes called "low-rights IE"

25 Protect The OS From The User!

26 Pain Points
- Productivity is lost when my machine is compromised
  - Malware, without my knowledge, can modify Windows when run with elevated privileges
  - Enterprise users running with elevated privileges can compromise the corporation
- We have to relax security to run Line of Business (LoB) applications
  - LoB applications require elevated privileges to run
  - System security must be relaxed to run the LoB application
  - It is costly to re-evaluate the required security settings for each application with every OS release
- Common OS configuration tasks require elevated privilege
  - Simple scenarios like VPN don't work
  - Standard Users are not able to manage configuration changes that affect only their own account

27 User Account Control (UAC)
- Previously known as "LUA"
- Users will log on as non-administrator by default
  - Protects the system from the user
  - Enables the system to protect the user
- Consent UI allows elevation to administrator
- Applications and administrator tools should be UAP aware
  - Differentiate capabilities based on UAP
  - Apply correct security checks to product features
- Start testing your software against Vista now!

28 Why User Account Control (UAC)?
- Managed desktops: systematic control over end-user clients to maintain security & productivity
- Gartner: nearly 40% TCO savings per desktop in a managed environment
  - Reduces day-to-day helpdesk calls
  - Increases end-users' productivity/uptime
- "Security Holes Increase Windows Client TCO", 14 October 2004

29 Why User Account Control?
- At risk from malware when running as administrator.
- Misplaced Administrator checks in Windows XP that needed to get fixed.
- Enterprises realize significant TCO reductions when running with managed systems.

30 The UAC Approach
- Improving productivity by granting permissions only when needed
  - Allows Standard Users to perform key tasks without impacting system-wide settings
- Helps to insulate the system files and data from malicious or deceptive code
  - Limit potential damage to my data by using Protected Mode IE
  - All apps run as Standard User unless specifically marked
  - Process isolation of Admin apps and higher risk applications
- Enabling Parental Control scenarios

31 Windows Vista UAC Goals
- All users run as Standard User by default
  - Filtered token created during logon
  - Only specially marked apps get the unfiltered token
- Administrators use full privilege only for administrative tasks or applications!
  - User provides explicit consent before using elevated privilege
  - Predictable shell elevation paths
- High application compatibility
  - Data redirection
  - Enabling legacy apps to run as standard user
  - Installer detection

32 UAC Architecture (diagram)
- Admin logon (user "Abby") produces a split token: a "Standard User" token and an Admin token
- Standard User rights (user process): change time zone, run IT approved applications, install fonts, install printers, run MSN Messenger, etc.
- Administrative rights (separate admin processes): install application, configure IIS, change time

33 Taxonomy of a Standard User Token
- Privileges typically in a Standard User token
  - Bypass traverse checking (SeChangeNotify)
  - Shut down the system (SeShutdown)
  - Increase Working Set Size (SeIncreaseWorkingSet)
  - Remove computer from docking station (SeUndock)
  - Change Time Zone (SeChangeTimeZone), new in Vista
- All other privileges removed.
- Privileged RIDs set to DENY_ONLY, e.g. Administrators, Enterprise Admins, Policy Admins, Power Users, etc.

34 How to Run Code Elevated
- Mark the application as requiring Administrator privileges using a manifest.
- Installer detection
- Application Compatibility shims
- Compatibility tab on Program Properties
- Right-click Run Elevated...
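The manifest this slide refers to carries a requestedExecutionLevel element; the script below, an added example that is not code from the deck or from Microsoft, parses that element from a manifest and states how UAC treats each marking, which is the check behind the later "needs to be marked" advice for ISVs. The manifest text and the Contoso names are constructed.

```python
"""Audit an application manifest for its UAC requestedExecutionLevel.

Added example, not from the deck: reads the manifest an ISV embeds in an
executable (or ships beside it as app.exe.manifest) and reports how Vista's
UAC treats the marking. The sample manifests built here are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
# trustInfo appears under either of these namespaces in real manifests.
TRUST_NS = ("urn:schemas-microsoft-com:asm.v2", "urn:schemas-microsoft-com:asm.v3")
VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

def make_manifest(level: Optional[str]) -> str:
    """Build a constructed manifest; level=None yields an unmarked legacy app."""
    trust = "" if level is None else f"""
  <trustInfo xmlns="{TRUST_NS[0]}">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="{level}" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>"""
    return f"""<assembly xmlns="{ASM_V1}" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Contoso.Sample" type="win32"/>{trust}
</assembly>"""

def requested_execution_level(manifest_xml: str) -> Tuple[Optional[str], bool]:
    """Return (level, uiAccess); level is None when the app is unmarked."""
    root = ET.fromstring(manifest_xml)
    for ns in TRUST_NS:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            level = node.get("level")
            if level not in VALID_LEVELS:
                raise ValueError(f"unknown requestedExecutionLevel {level!r}")
            return level, node.get("uiAccess", "false").lower() == "true"
    return None, False

def describe(manifest_xml: str) -> str:
    """Plain-language verdict on how UAC treats the application."""
    level, ui_access = requested_execution_level(manifest_xml)
    verdicts = {
        None: "unmarked: runs with the filtered token, subject to installer "
              "detection and file/registry virtualization",
        "asInvoker": "runs with the caller's token, no prompt, no virtualization",
        "highestAvailable": "admins get a consent prompt for the full token; "
                            "standard users run unelevated without a prompt",
        "requireAdministrator": "always prompts (consent or credentials); "
                                "cannot launch without elevation",
    }
    # uiAccess=true additionally requires a signed binary in a trusted location.
    note = " (uiAccess=true also requires signing and a trusted location)" if ui_access else ""
    return verdicts[level] + note
```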

35 UX Goals: Simple & Predictable
- 1st choice: make the application Standard User only
- 2nd choice: clearly identify administrative tasks
  - Ensure Standard Users can be fully productive
  - Identify tasks that need elevation with a "shield"
  - Command line tools run AsInvoker...

36 UX: The Shield
- Attached to controls which, if clicked, will require elevation as the next step
- Has only one state (i.e. no hover, disabled etc.)
- Does not remember elevated state
- Not an unlock operation

37 Shield UI Examples

38 Elevation Prompts

39 Consent UI (examples: OS application, unsigned application, signed application)

40 Low rights IE
- Used in the Internet zone
- Less privileged than the UAC user
  - Can only write to limited areas of the file system
  - Cannot manipulate other processes at a higher privilege level
- Sensitive operations moved to a broker process
  - Installing ActiveX
  - Changing Internet settings
- Single purpose constrained interfaces
  - Broker cannot be programmatically manipulated
- Uses MIC and UIPI isolation

41 Protecting Administrative Applications with Process Isolation
- Administrative and Standard User applications share the same desktop
- Primary threats
  - Cross-process window messages
  - DLL injection and create remote thread
- Process isolation mechanisms
  - Integrity level for processes
  - UI privilege isolation
  - "Lower" cannot interfere with "Higher"

42 Separation of Admin Code
- Cannot elevate a running process
- Three design patterns:
  - Service broker model (RPC)
  - Side by side processes (shared memory, RPC)
  - Creation of an Administrator COM object to perform the elevated task (CoCreateAsAdmin)

43 High Application Compatibility for Legacy Applications
- Legacy apps write to admin locations
  - HKLM\Software
  - %SystemDrive%\Program Files
  - %SystemRoot%
- Redirection allows legacy apps to run as Standard User
  - Writes to HKLM go to an HKCU redirected store
  - Writes to system directories are redirected to a per-user store, copy-on-write
- ... you can still write Admin code
- This is a crutch for legacy applications.
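The redirection on this slide decides, per write, whether a legacy application's write reaches the real location or a per-user store; the model below (an added example, not code from the deck) predicts that destination, which is also where an analyst looks for the configuration a legacy app believed it wrote to HKLM or Program Files. The VirtualStore locations are the ones Windows uses; the exclusion rules are a simplified assumption and the drive letter and Contoso paths are constructed.

```python
"""Model of Vista's UAC file and registry virtualization (slide 43).

Added example, not from the deck. Predicts where a write by an unmarked,
32-bit legacy application lands: the real path, or the per-user VirtualStore.
Store locations are real; the exclusion list is a simplified assumption.
"""
import ntpath
from typing import Optional

# Per-user stores that receive redirected writes (real Windows locations).
FILE_STORE = r"%LOCALAPPDATA%\VirtualStore"
REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"

# Protected roots the deck lists; constructed on drive C: for the model.
FILE_ROOTS = (r"C:\Program Files", r"C:\Windows")  # %ProgramFiles%, %SystemRoot%
# Binaries are never virtualized (assumed subset of the real exclusion list).
NON_VIRTUALIZED_EXT = {".exe", ".dll", ".sys", ".ocx"}

def virtualize_file_write(path: str, marked: bool = False,
                          is_64bit: bool = False) -> Optional[str]:
    """Return the VirtualStore path a write is redirected to, or None when the
    write goes to the real path (and is denied for a standard user)."""
    if marked or is_64bit:   # manifested or 64-bit apps get no redirection
        return None
    if ntpath.splitext(path)[1].lower() in NON_VIRTUALIZED_EXT:
        return None
    for root in FILE_ROOTS:
        if path.lower().startswith(root.lower() + "\\"):
            relative = path[len("C:\\"):]   # e.g. "Program Files\Contoso\app.ini"
            return FILE_STORE + "\\" + relative
    return None   # user-owned or unprotected location: no redirection needed

def virtualize_registry_write(key: str, marked: bool = False,
                              is_64bit: bool = False) -> Optional[str]:
    """Same decision for a registry key; only HKLM\\Software is virtualized."""
    if marked or is_64bit:
        return None
    prefix = r"HKLM\Software"
    lowered = key.lower()
    if lowered == prefix.lower() or lowered.startswith(prefix.lower() + "\\"):
        return REG_STORE + key[len("HKLM"):]
    return None
```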

44 Logo Application - Configuration Best Practices
- Your app's per-user setup is performed at first run
  - Place per-user data into %LOCALAPPDATA%
  - Roaming data into %APPDATA%
  - Place per-machine (shared) data into %ALLUSERSPROFILE%
- Examples of what not to do:
  - Do not perform admin configuration at first run. Do your admin operations during setup
  - Do not perform explicit Admin checks for Standard User applications
- UAP and Code Access Security (CAS) can be used together for defense in depth

45 Logo Application Install Best Practices
- Use MSI 3.1 for install and update
  - Alternative to MSI 3.1: call Update.exe marked as admin to do the update
- Self-updating code: DON'T DO IT
  - This is our LARGEST app compat problem
  - Home consumer user applications
- Examples of what not to do:
  - Do not assume the user is an administrator
  - Run custom actions in the right context!
- ClickOnce is a great deployment technology for Standard User apps

46 ISV Impact Summary
- Windows XP Logo'd for Standard User? It will just work on Windows Vista
- Fails on Windows XP as Standard User?
  - Mitigated by redirection
  - Mitigated by app compat shim "IsAdmin()?"
  - Simple app with Admin dependencies
- Admin app on Windows XP? Needs to be marked!
- Web apps need special attention due to Protected Mode IE
- Use the LUA Predictor to fix your app now! Tool location: http://www.microsoft.com/windows/appcompatibility/default.mspx

47 Future UAC Direction
- Continue isolation of Admin code on the Standard User desktop
- Integrate AppIDs into the OS for Standard User code
- Integrate Software Restriction Policies into AppIDs
- Tighten down the power of setup applications
- PUSH ISVs to write Logo compliant code!

48 More Information on UAC
- Deck from PDC2005: http://commnet.microsoftpdc.com/content/downloads.aspx (search for FUN406)
- General security info: http://msdn.microsoft.com/windowsvista/security/
- Getting started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
- UAP Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
- UAC Blog: http://blogs.msdn.com/uac
- UAC question on update: http://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1
- Aaron's Blog: "Not running as administrator" http://blogs.msdn.com/Aaron_Margosis

49 FAQ
- If I mark my app as "admin", can I skip the elevation consent dialog? – No
- Can you modify the privilege of a running application? – No
- Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
- How long does the elevated process last? Can it time out? – Life of the process
- Can I enable which users will use UAC? – Currently this is a per-machine setting
- Does UAC apply to all processes and services? – Interactive processes only
- What areas of the Registry and file system get redirected? – HKLM\Software, %SystemRoot%, %ProgramFiles%
- Won't redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64-bit
- What happens when installer detection fails? – The app runs as non-admin
- Will UAC be going down-level? – No

50 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
