Windows Vista Security

Rafal Lukawiecki, Strategic Consultantrafal@projectbotticelli.co.uk Project Botticelli Ltd

This presentation is based on work by Microsoft TechNet, MSDN and various Microsoft authors including, with special thanks: Ramprabhu Rathnam, Tony Northrup, and Austin Wilson

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

Objectives

Overview new security features of Windows Vista explaining their purpose

Relate Vista to emergent security technologies

Excite you about the new opportunities

Session AgendaIntroductionA Corporate ScenarioFoundational ProtectionNetworkingUser Account ControlAuthentication & AuthorizationIntegrated Security ControlSecure StartupData ProtectionSummary

Engineering ExcellenceWindows Vista Development Process

Microsoft followed their Security Development Lifecycle (SDL) process while creating Windows Vista

Periodic mandatory security trainingAssignment of security advisors for all components Threat modeling as part of design phaseSecurity reviews and testing built into the scheduleSecurity metrics for product teams

Common Criteria (CC) Certification compliance is one of major goals (see later)

CC is maintained by US National Institute of Standards and Technology (who are also responsible for FIPS)csrc.nist.gov/cc

A Corporate Scenario

With Windows Vista…1. While starting up, system is protected through BitLocker and TPM (Trusted

Platform Module), preventing off-line modifications2. NAP (Network Access Protection) ensures computer adheres to your policy

(e.g. has required updates, virus signatures etc.) before “Longhorn” servers allow it to use the network

If PC is non-compliant, it will be given a chance to update

3. Multiple types of logon devices and identities can be selected by the user without losing a consistent UI

4. User logs on using non-admin accounts. If admin rights are truly needed user’s approval is requested. For legacy apps, virtualisation of admin changes is offered.

5. IE improvements help user browse the web with no fear of malware and better privacy protection

6. When updates are available, Restart Manager ensures minimum of disruption, even if running applications are left on a locked workstation

Read: www.microsoft.com/technet/windowsvista/evaluate/admin/mngsec.mspx

Foundational Protection

Windows Service HardeningDefense-in-Depth: Factoring and Profiling of Windows Kernel

DD DDDD

Reduce size of high risk layers

Segment the services

Increase number of layers

Kernel DriversKernel DriversDD

DD User-mode DriversUser-mode Drivers

DDDD DD

Service Service 11

Service Service 22

Service Service 33

ServiceService……

Service Service ……

Service Service AA

Service Service BB

Windows Service Hardening

Windows Services became a large surface attack area due to privileges and being “always-on”

Improvements:SID (per-service Security Identifier) recognised in ACLs (Access Control Lists), so service can protect its resources

Firewall policy prohibiting network access by services (subject to ACLs and SIDs)

Stripping of unnecessary privileges on per-service basis

Moving from LocalSystem to LocalService or NetworkService when possible

Use of write-restricted tokens for service processes

Integrated Windows Defender

Integrated detection, cleaning, and real-time blocking of malware:

Malware, rootkits, and spyware

Targeted at consumers – enterprise manageability will be available as a separate product

Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove worst worms, bots, and trojans during an upgrade and on a monthly basis

Windows Live OneCare

Optional fee-based service

Antivirus

Integration with Antispyware (Windows Defender)

System tuning

Update assurance

Backup

Internet Explorer 7

In addition to building on UAC (see later), IE includes:

Protected Mode (planned for Vista Beta 2) that only allows IE to browse with no other rights, even if the user has them, such as to install software

“Read-only” mode, except for Temporary Internet Files when browser is in the Internet Zone of security

All cached data cleared with a single click

Phishing Filter in IEDynamic Protection Against Fraudulent Websites

3 checks to protect users from phishing scams:

1. Compares web site with local list of known legitimate sites

2. Scans the web site for characteristics common to phishing sites

3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar

Level 1: Warn Suspicious Website

Signaled

Level 2: Block Confirmed Phishing Site

Signaled and Blocked

Developers: WinFX and WCF

WinFX, the new .NET-based set of APIs provides a stronger support for Code Access Security and Evidence Based Security

In essence, the improvements of .NET Framework 2.0

Windows Communication Foundation (WCF) introduces a model of abstracted security and full support for WS-* Security Guidelines

Formerly known as “Indigo”

Networking

NG TCP/IPNext Generation TCP/IP in Vista and “Longhorn”

A new, fully re-worked replacement of the old TCP/IP stackDual-stack IPv6 implementation, with now obligatory IPSec

IPv6 is more secure than IPv4 by design, esp.:Privacy, tracking, network port scanning, confidentiality and integrity

Other network-level security enhancements for both IPv4 and IPv6Strong Host modelWindows Filtering PlatformImproved stack-level resistance to all known TCP/IP-based denial of service and other types of network attacksRouting CompartmentsAuto-configuration and no-restart reconfiguration

Read: www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx

Windows Vista FirewallBoth inbound and outbound

Authentication and authorization aware

Outbound application-aware filtering is now possible

Includes IPSec management

Of course, policy-based administration

Great for Peer-to-Peer control

Network Access ProtectionNAP is a new technology that has roots in VPN quarantine, but now extends to all network clients, not just remote access

Relies on NAP-aware servers, which means Windows “Longhorn” Servers for now

You specify a policy of:required OS patches, virus signature updates, presence or absence of certain applications, any arbitrary checks

…and the system disallows all access to network if policy has not been met, except:

access to a location where updates etc. can be downloaded

Network Access Protection

11

RestrictedRestrictedNetworkNetworkMicrosoftMicrosoft

NetworkNetworkPolicy Server Policy Server

33

Policy ServersPolicy Serverse.g. Microsoft Security e.g. Microsoft Security Center, SMS, AntigenCenter, SMS, Antigen

or 3or 3rd rd party party

Policy Policy compliantcompliantDHCP, VPNDHCP, VPN

Switch/Router Switch/Router

22

WindowsWindowsVista ClientVista Client

Fix UpFix UpServersServers

e.g. WSUS, SMS e.g. WSUS, SMS & 3& 3rdrd party party

Corporate NetworkCorporate Network55

Not policy Not policy compliantcompliant 44

User Account Control

User Account ControlHelps implement Least Privilege principle in two distinct ways:

1. Every user is a standard userOlder, legacy, or just greedy application’s attempts to change your system’s settings will be virtualised so they do not break anything

2. Each genuine need to use administrative privileges will require:Selection of a user who has those permissions, or

Confirmation of the intent to carry on with the operation

Read: www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

Credential Prompting

Consent Prompting

Applies in a situation when the user has all the necessary rights, but before they have been exercised

A new, secondary protection

UAC: Fundamental Change to Windows Operation

Fixes the system to work well as a standard user

Registry and file virtualization to provide compatibility

Per-machine registry writes are redirected to per-user locations if the user does not have administrative privileges

Effectively: standard accounts can run “admin-required” legacy applications safely!

You can redirect the virtualization store

Authentication & Authorization

Windows Logon ExperienceGINA has been replaced with Credential Service Provider interfaces

Logon UI can interact with multiple plug-in Credential ProvidersDirect support for multi-factor authentication: smartcards and tokens, biometrics etc.Plug-and-play for smartcards

Common CSPs (Cryptographic Service Providers), andCard Communication ModulesKey Storage Providers

Root certificate propagationIntegrated smartcard unblocking

"InfoCard"

Consistent user experience

Helps eliminate unames and passwords

Helps protect users from many forms of phishing & phraud attack

Support for two-factor authentication

Easier Safer

Built on WS-* Web Services Protocols

InfoCardConsistent UI for Identity Selection & Provisioning

Users need an easy visual way to handle multiple electronic identities:

Government-issued IDs, corporate IDs, self-signed IDs (such as a username and password for a web site)Simple visual abstraction of any identity type (PKI, password, token, secret, passphrase, etc.)

Vision: UI and metasystem that would be common across industry

See 7 “Laws of Identity” on www.identityblog.com Relationship to Identity MetasystemInfoCard is one of the WinFX APIs

Integrated Security Control

Control Over Device Installation

Control over removable device installation via a policyMainly to disable USB-device installation, as many corporations worry about intellectual property leak

You can control them by device class or driver

Approved drivers can be pre-populated into trusted Driver Store

Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:

Non-corporate standard drivers

Unsigned drivers

Client Security ScannerFinds out and reports Windows client’s security state:

Patch and update levels

Security state

Signature files

Anti-malware status

Ability for Windows to self-report its state

Information can be collected centrally, or just reviewed in the Security Center by the users and admins

Restart Manager

Some updates require a restart

Restart Manager will:Minimise the number of needed restarts by pooling updates

Deal with restarts of computers that may be left locked by a user with applications running

E.g. after restart, Microsoft Word will re-open a document on page 42, as it was before the restart

This function of most importance to centralised desktop management in corporations, not home users, of course

Secure Startup

Trusted Platform ModuleTPM Chip Version 1.2

Hardware present in the computer, usually a chip on the motherboardSecurely stores credentials, such as a private key of a machine certificate and is crypto-enabled

Effectively, the essence of a smart smartcard

TPM can be used to request encryption and digital signing of code and files and for mutual authentication of devicesSee www.trustedcomputinggroup.org

Code Integrity

All DLLs and other OS executables have been digitally signed

Signatures verified when components load into memory

BitLocker™BitLocker strongly encrypts and signs the entire hard drive (full volume encryption)

TPM chip provides key managementCan use additional protection factors such as a USB dongle, PIN or password

Any unauthorised off-line modification to your data or OS is discovered and no access is granted

Prevents attacks which use utilities that access the hard drive while Windows is not running and enforces Windows boot process

Protects data after laptop theft etc.Data recovery strategy must be planned carefully!

Vista supports three modes: key escrow, recovery agent, backup

Data Protection

RMS, EFS, and BitLockerThree levels of protection:

Rights Management ServicesPer-document enforcement of policy-based rights

Encrypting File SystemsPer file or folder encryption of data for confidentiality

BitLocker™ Full Volume EncryptionPer volume encryption (see earlier)

Note: it is not necessary to use a TPM for RMS and EFSEFS can use smartcards and tokens in Vista

RMS is based, at present, on a “lockbox.dll” technology, not a TPM

CNG: Cryptography Next Generation

CAPI 1.0 has been deprecatedMay be dropped altogether in future Windows releases

CNG: Open Cryptographic Interface for WindowsAbility to plug in kernel or user mode implementations for:

Proprietary cryptographic algorithms

Replacements for standard cryptographic algorithms

Key Storage Providers (KSP)

Enables cryptography configuration at enterprise and machine levels

Regulatory Compliance

Windows Vista cryptography will comply with:Common Criteria (CC)

csrc.nist.gov/cc

Currently in version 3

FIPS requirements for strong isolation and auditingFIPS-140-2 on selected platforms and 140-1 on all

US NSA (National Security Agency) CSS (Central Security Service) Suite B

Vista Supports NSA Suite Bwww.nsa.gov/ia/industry/crypto_suite_b.cfm

Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs

Higher special-security needs (e.g. nuclear security) – guided by Suite A (definition classified)Announced by NSA at RSA conference in Feb 2005

Encryption: AESFIPS 197 (with keys sizes of 128 and 256 bits)

Digital Signature: Elliptic Curve Digital Signature AlgorithmFIPS 186-2 (using the curves with 256 and 384-bit prime moduli)

Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQVDraft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)

Hashing: Secure Hash AlgorithmFIPS 180-2 (using SHA-256 and SHA-384)

Summary

The Most Secure Windows Yet

SDL

Service Hardening

Code Scanning

Default configuration

Code Integrity

IE –protected mode/anti-phishing

Windows Defender

Bi-directional Firewall

IPSEC improvements

Network Access Protection (NAP)

Threat and Vulnerability

Mitigation

Fundamentals

Identity and Access

ControlUser Account Control

Plug and Play Smartcards

Simplified Logon architecture

Bitlocker

RMS Client