Your SlideShare is downloading. ×
0
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Windows Vista Security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Windows Vista Security

250

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
250
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Windows Vista Security By: Chris Reber April 22, 2008
  • 2. Agenda <ul><li>Vista Security Overview </li></ul><ul><li>User Account Control </li></ul><ul><li>Authentication </li></ul><ul><li>Firewall Enhancement </li></ul><ul><li>Windows Service Hardening </li></ul><ul><li>Data Protection </li></ul>
  • 3. Vista Security Enhancements <ul><li>Windows Vista is hailed as the most secure Windows version yet. </li></ul><ul><li>Microsoft utilized a secure developmental lifecycle to create the system. </li></ul><ul><li>They hardened the services and added enhancements for 64-bit computing. </li></ul><ul><li>There are new User, Network, and Application Security Options. </li></ul><ul><li>New Data Protection Options. </li></ul><ul><li>Added security options in IE7. </li></ul>
  • 4. User Account Controls <ul><li>Allows users to be productive and change common settings while running as a standard user, without requiring administrative privileges. </li></ul><ul><li>Prevents users from making potentially dangerous changes to their computers, without limiting their ability to run applications. </li></ul>
  • 5. Authentication <ul><li>Includes new authentication architecture that is easier for third-party developers to extend. </li></ul><ul><li>This will lead to a wider choice of smart cards, fingerprint scanners, and other forms of strong authentication. </li></ul>
  • 6. Firewall Enhancements <ul><li>The new outbound filtering in the firewall provides administrative control over peer-to-peer sharing applications and other similar applications that businesses want to restrict. </li></ul>
  • 7. Windows Service Hardening <ul><li>Limits the damage attackers can do in the unlikely event that they are able to successfully compromise a service. </li></ul><ul><li>Increased to Six Service Accounts. </li></ul><ul><li>The risk of attackers making permanent changes to the Windows Vista client or attacking other computers on the network is reduced. </li></ul>
  • 8. Data Protection <ul><li>BitLocker </li></ul><ul><li>Helps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures. </li></ul><ul><ul><li>Encrypting the entire Windows operating system volume on the hard disk. </li></ul></ul><ul><ul><li>Verifying the integrity of early boot components and boot configuration data. </li></ul></ul>
  • 9. BitLocker Requirements <ul><li>Two NTFS-formatted volumes: </li></ul><ul><ul><li>A &quot;boot volume&quot; with a minimum size of 1.5GB, where the OS boots from. </li></ul></ul><ul><ul><li>And the &quot;system volume&quot; which contains the operating system. </li></ul></ul><ul><li>Trusted Platform Module (TPM v1.2). </li></ul><ul><li>Trusted Computing Group (TCG)-compliant BIOS for use with TPM. </li></ul>
  • 10. BitLocker Modes <ul><li>Transparent Operation Mode </li></ul><ul><li>User Authentication Mode </li></ul><ul><li>USB Key Mode </li></ul>
  • 11. Transparent Operation Mode <ul><li>This mode exploits the capabilities of the TPM 1.2 hardware to provide for a transparent user experience. </li></ul><ul><li>The user logs onto Windows Vista as normal. </li></ul><ul><ul><li>The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. </li></ul></ul>
  • 12. User Authentication Mode <ul><li>This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS. </li></ul><ul><li>Two authentication modes are supported: </li></ul><ul><ul><li>a pre-boot PIN entered by the user </li></ul></ul><ul><ul><li>or a USB key. </li></ul></ul>
  • 13. USB Key Mode <ul><li>The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. </li></ul><ul><li>Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. </li></ul>
  • 14. Combinations of Modes <ul><li>The following combination of the modes are supported: </li></ul><ul><ul><li>TPM </li></ul></ul><ul><ul><li>TPM + PIN </li></ul></ul><ul><ul><li>TPM + PIN + USB Key </li></ul></ul><ul><ul><li>TPM + USB Key </li></ul></ul><ul><ul><li>USB Key </li></ul></ul>
  • 15. BitLocker Key Relationships
  • 16. BitLocker Relationships
  • 17. BitLocker Relationships
  • 18. BitLocker Encryption <ul><li>AES-CBC + Elephant Diffuser </li></ul><ul><li>There are four separate operations in each encryption. The plaintext is exclusive-orred (xorred) with a sector key, then run through two (unkeyed) diffusers, and finally encrypted with AES in CBC mode. </li></ul>
  • 19. AES-CBC + diffuser
  • 20. Sector Key Creation <ul><li>Where E () is the AES encryption function, K sec is the 128 or 256-bit key for this component. </li></ul><ul><li>e() is the encoding function used in the AES-CBC layer, and e ‘ ( s ) is the same as e ( s ) except that the last byte of the result has the value 128. </li></ul><ul><li>The sector key Ks is repeated as many times as necessary to get a key the size of the block, and the result is xorred into the plaintext. </li></ul>
  • 21. Diffuser A (Encryption) <ul><li>The value i is a loop counter that goes around the data array A cycles = 5 times. (Remember that all indices are modulo n , so the wrap-around is automatic.) The addition is modulo 2 32 , <<< is the rotate-left operator, and R ( a ) := [9 ; 0 ; 13 ; 0] is an array of 4 constants that specify the rotation amounts. </li></ul>
  • 22. Diffuser B (Encryption) <ul><li>Diffuser B is very similar to Diffuser A, however, the R ( b ) := [0 ; 10 ; 0 ; 25] and the B cycles is only 3. </li></ul>
  • 23. AES-CBC <ul><li>The AES key K AES is either 128 bits or 256 bits, depending on the selected version. The block size is a always a multiple of 16 bytes, so no padding is necessary. </li></ul><ul><li>E () is the AES encryption function, and e () is an encoding function that maps each sector number s into a unique 16-byte value. </li></ul><ul><li>Note that IVs depends on the key and the sector number, but not on the data. </li></ul>
  • 24. AES-CBC + diffuser
  • 25. Current Limitations <ul><li>Bitlocker only available on Windows Vista Ultimate, Enterprise and Server 2008. </li></ul><ul><li>Vista can only encrypt the system volume, further capability to be added with SP1. </li></ul>
  • 26. Security Concerns <ul><li>No Back Door for Law Enforcement </li></ul><ul><li>When operating in “Transparent Operation Mode” or “User Authentication Mode” the system is vulnerable to “Cold Boot Attacks” </li></ul><ul><li>When in &quot;USB Key&quot;-only mode a piece of software could read and record the key for later use to exploit the machine. </li></ul>
  • 27. Agenda <ul><li>Vista Security Overview </li></ul><ul><li>User Account Control </li></ul><ul><li>Authentication </li></ul><ul><li>Firewall Enhancement </li></ul><ul><li>Windows Service Hardening </li></ul><ul><li>Data Protection </li></ul><ul><li>Questions </li></ul>
  • 28. Questions
  • 29. References <ul><li>http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true </li></ul><ul><li>http://207.46.196.114/windowsserver2008/en/library/2d130e11-a796-43b7-98ed-d389cad285f51033.mspx?mfr=true </li></ul><ul><li>http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption </li></ul><ul><li>“ AES-CBC + Elephant diffuser A Disk Encryption Algorithm for Windows Vista”, Niels Ferguson, Microsoft, August 2006 </li></ul><ul><li>“ Security Enhancements in Windows Vista”, Microsoft Corp, May 2007. http://www.microsoft.com/presspass/newsroom/ security / VistaSecurity .mspx </li></ul>

×