9. HTTP Strict Transport Security (HSTS)
Martijn Bellaard Slide 9
1X http://mijnbank.nl
Ga naar httpS://mijnbank.nl
Mijnbank.nl=SSL site
2X https://mijnbank.nl
18. • Staat standaard uit
• Voorwaarden:
– Enterprise
– UEFI firmware version 2.3.1 (Secure Boot)
– Virtualization Extensions
– X64
– TPM 2.0
– Geen VDI
Credential Guard
Martijn Bellaard Slide 18
19. • Korte DEMO
1. Zorg dat je voldoet aan de voorwaarden ;-)
2. Open een GPO
3. Ga naar
Computer ConfigurationAdministrative TemplatesSystemDevice Guard
4. Open Virualization Based Security
5. Enable Credential Guard
Credential Guard
Martijn Bellaard Slide 19
23. 1. Een applicatie of driver
2. signed application
3. Code Integrity policy
Device Guard
Martijn Bellaard Slide 23
24. 2. signed application
a) “Standaard”
b) Windows Store
OF
a) Certificaat uit eigen PKI
b) Certificaat kopen
c) Microsoft-provided web service (is er nog niet)
Device Guard
Martijn Bellaard Slide 24
25. 3. Code Integrity policy
a) Code integrity policy
b) Distribueer de policy
Device Guard
Martijn Bellaard Slide 25
26. • code integrity policy
– Een voorbeeld systeem
– New-CIPolicy
– Set-RuleOption –option 3 (Audit)
– Maak een p7b bestand
– GPO maken of
c:WindowsSystem32CodeIntegritySIPolicy.p7b
Device Guard
Martijn Bellaard Slide 26
27. • Samengevat
– Gebaseerd op certificaten
– Draait lager dan de kernel
– Werkt met bestaande en
eigen certificaten
Maar …
– Niet gebruikers vriendelijk
– Computer niveau
– Lijkt nog niet klaar
(https://technet.microsoft.com/en-
us/library/mt243445%28v=vs.85%29.aspx)
Device Guard
Martijn Bellaard Slide 27
28. Rule option Description
0 Enabled:UMCI
Code integrity policies restrict both kernel-mode and user-mode binaries.
By default, only kernel-mode binaries are restricted. Enabling this rule
option validates user mode executables and scripts.
1 Enabled:Boot Menu Protection This option is not currently supported.
2 Required:WHQL
By default, legacy drivers that are not Windows Hardware Quality Labs
(WHQL) signed are allowed to execute. Enabling this rule requires that
every executed driver is WHQL signed and removes legacy driver support.
Going forward, every new Windows 10–compatible driver must be WHQL
certified.
3 Enabled:Audit Mode (Default)
Enables the execution of binaries outside of the code integrity policy but
logs each occurrence in the CodeIntegrity event log, which can be used to
update the existing policy before enforcement. To enforce a code
integrity policy, remove this option.
4 Disabled:Flight Signing
If enabled, code integrity policies will not trust flightroot-signed binaries.
This would be used in the scenario in which organizations only want to run
released binaries, not flighted builds.
5 Enabled:Inherent Default Policy This option is not currently supported.
6 Enabled:Unsigned System Integrity Policy (Default)
Allows the policy to remain unsigned. When this option is removed, the
policy must be signed and have UpdatePolicySigners added to the policy
to enable future policy modifications.
7 Allowed:Debug Policy Augmented This option is not currently supported.
8 Required:EV Signers
In addition to being WHQL signed, this rule requires that drivers must
have been submitted by a partner that has an Extended Verification (EV)
certificate. All future Windows 10 and later drivers will meet this
requirement.
9 Enabled:Advanced Boot Options Menu
The F8 preboot menu is disabled by default for all code integrity policies.
Setting this rule option allows the F8 menu to appear to physically present
users.
10 Enabled:Boot Audit on Failure
Used when the code integrity policy is in enforcement mode. When a
driver fails during startup, the code integrity policy will be placed in audit
mode so that Windows will load. Administrators can validate the reason
for the failure in the CodeIntegrity event log.
Martijn Bellaard Slide 28
VML=Vector Markup Language, plaatjes
is tegen XSS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
The HSTS Policy[2] is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in a secure-only fashion.
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer.
Bitlokcher zit in de Pro versie
$CIPolicyPath='D:\DGpolicy\'
$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
$CISoftwarePath = 'D:\Software'
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -ScanPath $CISoftwarePath -UserPEs
Set-RuleOption -Option 3 .\InitialScan.xml
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
New-CIPolicy
-FilePath Destination file
-Audit Create from audit log
-Level Level of detail – RootCertificate, PCACertificate, LeafCertificate, FileName, Hash, FilePublisher
-ScanPath Scan Path
-UserPEs Include user mode code integrity
Merge-CIPolicy
-PolicyPaths Comma separated list of policy file paths
-OutputFilePath Destination file
Set-RuleOption
-Help List available options
-Option Identifier for option to configure
-Delete Remove the specified option
-FilePath Policy file path
P7b link http://blogs.msdn.com/b/kaushal/archive/2010/11/05/ssl-certificates.aspx
