
Windows network security



1. Securing Windows Networks
   Security Advice From The Front Line
   Presented by Robert Hensing – PSS Security Incident Response Specialist

2. Agenda
   - Revealing Hacker Personas
   - Top Security Mistakes Everyone Seems To Make
   - Securing Windows Networks
   - Staying Secure
   - Secure Windows Initiative
   - Security Improvements in XP Service Pack 2

3. Revealing Hacker Personas

4. Overview – Revealing Hacker Personas
   - Automated vs. Targeted Attacks
   - Revealing Hacker Personas
      - Lame
      - Skilled
      - Sophisticated
   - Why YOU Were Selected and How You Got 0wn3d

5. Hacker Personas
   - Automated Attacks
      - “Spreaders”, “Scan’n Sploit Tools” or “auto-rooters”
      - Worms That Drop Bots or Trojans
   - Targeted Attacks
      - 0-day Exploits
      - Custom Attacks that Exploit Weaknesses of Your Internet Presence

6. Hacker Personas
   - Lame – ~75% of all intrusions
      - Motive: Wants your storage and bandwidth
      - Method: Use of spreaders, bots, well-known exploits
      - Abilities: Limited high-level language ability
      - Payload: Usually FTP servers, backdoors disguised with a ‘clever’ service name
         - “TCP/IP” service or “System Security” service
         - “Microsoft ISA Server Common Files” service

7. Hacker Personas
   - Skilled – ~24% of all intrusions?
      - Motive: Wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
      - Method: Customized intrusion based on identified vulnerabilities in multiple operating systems or applications
      - Abilities: Advanced HLL, some ASM
      - Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers

8. Hacker Personas
   - Sophisticated – <1% of all intrusions?
      - Motive: Wants your money or your secret / confidential data
      - Method: Can customize the intrusion based on any number of identified vulnerabilities in a variety of operating systems and applications, possibly using 0-day exploits
      - Abilities: Advanced HLL, advanced ASM
      - Payload: Rootkits, a single backdoor DLL, extortion letter!

9. Hacker Personas
   - Why you were selected and how you got 0wn3d . . .
      - Odds are great you were 0wn3d by a lamer
      - You were easily identified as a Windows host through a simple port scan (no firewall)
      - You are on a big fat pipe (possibly hosted)
      - You have weak passwords or missing security patches due to a missing or ineffective security policy

10. Demonstration: Windows Rootkit – Hacker Defender

11. Top Security Mistakes Everyone Seems To Make

12. Top Security Mistakes
   - Weak or non-existent password policy
   - No audit policy
   - Sporadic security patch policy
   - Patching the OS, but not the apps
   - Weak or non-existent firewall policy
      - No egress filtering
   - No knowledge of how to securely build a new box, which leads to:
      - Hacked? Rebuild! Hacked again!?

13. How To End The Cycle of Violence
   - Install from a slipstreamed source
      - Don’t have one? Make one!
   - Patch or enable a host-based firewall (or both), and only then connect to the network
   - Don’t reuse the previous admin password
      - Including the SQL SA password
   - Don’t share local admin passwords across OS installations
      - Leads to “exploit once, run everywhere”
   - Patch the applications (SQL, IIS, Exchange etc.)

14. Securing Windows Networks

15. Overview – Securing Windows Networks
   - System Administrator Personas
   - An example of what not to do
   - Threats & Countermeasures – Pruning The Low-Hanging Fruit

16. System Admin Personas
   - Default
   - Skilled
   - Sophisticated

17. System Admin Personas
   - Default
      - Puts servers right on the Internet with no firewall
      - Runs a couple of service packs behind (N-2) and doesn’t know how to keep up to date with security patches
      - No password policy
      - No audit policy
      - All default configurations and settings (all defaults, all the time)

18. System Admin Personas
   - Skilled
      - Uses Internet IPs, but has router ACLs
      - Latest OS SP and all OS critical updates, but hasn’t patched the applications in a while, if at all
      - 6-character passwords with account lockouts
      - Only audits logon events, and monitors for account lockouts by checking event logs periodically
      - Suspicious of default settings
         - Performed some OS hardening by hand – didn’t harden the applications though

19. System Admin Personas
   - Sophisticated
      - Uses a firewall with NAT and ingress / egress filtering
      - Uses an IDS / IPS in the DMZ network
      - Ensures critical security patches are tested and deployed within 24 hours, with a rollback plan
      - 12-character passwords, not shared anywhere, no account lockout, may use 2-factor authN
      - Audits everything, archives audit logs daily
      - Hardened OS using security templates / group policy, hardened applications

20. What Not To Do . . .
   - Configure your system with an Internet-routable IP address
   - Run multiple applications / services on one box
      - Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd-party software
   - Avoid installing patches
   - Don’t have a password policy
      - What are the odds that someone would guess ‘666’ is my admin password?

21. If you do this, here’s what the hackers see . . .

22. Threats – Low-Hanging Fruit Overview
   - NULL Session Enumeration
   - Password / Account Lockout Attacks
   - Password Hash Attacks
   - Remote Code Execution Vulnerabilities
   - Physical Attacks
   - Unauthorized Network Access
   - The VPN “firewall bypass” Server

23. Threat – NULL Session Enumeration
   - Understanding the ‘NULL’ user
      - A network connection, usually over NetBIOS (TCP 139), in which no credentials have been passed
      - A network token gets created on the server for the client, and the ‘Everyone’ SID gets added to the token
         - The token can now enumerate sensitive information through the Net* APIs that the ‘Everyone’ SID has permissions to!
   - Countermeasures
      - RestrictAnonymous=2
      - Block access to TCP 139/445
      - Stop the Server service

24. Threat – Password Attacks / Account Lockout Attacks
   - Any service that exposes authN protocols is at risk of password-guessing attacks
      - NetBIOS, SMB, RDP, IIS, FTP etc.
   - Countermeasures
      - Use strong passwords instead of an account lockout policy (which only protects weak passwords)
         - Educate administrators and users on how to create strong passwords
      - Block access to ports that allow authentication from unauthorized networks (e.g. the Internet) with a firewall or an IPSec port-filtering policy
      - Shut down unneeded services (Server service, FTP service etc.)
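Slide 18 has the skilled admin checking event logs for lockouts by hand, and slide 24 notes that a lockout policy only protects weak passwords; what you still want, whichever password policy is in force, is to notice a guessing run against an exposed service. The script below is an added example, not from the presentation: it reads constructed, simplified log lines (time,event_id,user,source; not a real Event Viewer export) and flags any source that exceeds a threshold of NT/2000/2003 security-log logon-failure events (ID 529) inside a sliding window, reporting how many accounts it cycled through, and separately lists accounts with lockout events (ID 644). The threshold and window are assumed defaults.

```python
"""Spotting password guessing against an exposed authentication service from
security-log events. Added example, not from the presentation; the log lines
below are constructed in a simplified CSV shape (time,event_id,user,source),
not real Event Viewer output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Security-log event IDs on NT 4.0 / 2000 / 2003 (4624 / 4625 / 4740 on Vista and later).
EVENT_LOGON_SUCCESS = 528
EVENT_LOGON_FAILURE = 529   # unknown user name or bad password
EVENT_ACCOUNT_LOCKOUT = 644

# Constructed sample: one source cycling through admin accounts, one user who
# mistypes twice before logging on, and one lockout event (no source recorded).
SAMPLE_LOG = """\
2004-05-10T09:00:01,529,administrator,203.0.113.5
2004-05-10T09:00:08,529,administrator,203.0.113.5
2004-05-10T09:00:15,529,administrator,203.0.113.5
2004-05-10T09:00:22,529,sa,203.0.113.5
2004-05-10T09:00:29,529,sa,203.0.113.5
2004-05-10T09:00:36,529,sa,203.0.113.5
2004-05-10T09:00:43,529,backup,203.0.113.5
2004-05-10T09:00:50,529,backup,203.0.113.5
2004-05-10T09:00:57,529,administrator,203.0.113.5
2004-05-10T09:01:04,529,administrator,203.0.113.5
2004-05-10T09:01:11,529,sa,203.0.113.5
2004-05-10T09:01:18,529,backup,203.0.113.5
2004-05-10T09:03:00,528,alice,10.0.0.8
2004-05-10T09:05:10,529,alice,10.0.0.8
2004-05-10T09:05:20,529,alice,10.0.0.8
2004-05-10T09:05:31,528,alice,10.0.0.8
2004-05-10T09:07:45,644,bob,-
"""


def parse_events(text):
    """Parse the constructed CSV shape into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        stamp, event_id, user, source = line.split(",")
        events.append({"time": datetime.fromisoformat(stamp), "id": int(event_id),
                       "user": user, "source": source})
    events.sort(key=lambda ev: ev["time"])
    return events


def detect_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source: (failure_count, distinct_users)} for every source whose
    logon failures reach `threshold` within any `window`-long span.
    The count reported is the largest seen for that source."""
    recent = defaultdict(deque)   # source -> failures still inside the window
    alerts = {}
    for ev in events:
        if ev["id"] != EVENT_LOGON_FAILURE:
            continue
        q = recent[ev["source"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            count, users = len(q), len({x["user"] for x in q})
            if count > alerts.get(ev["source"], (0, 0))[0]:
                alerts[ev["source"]] = (count, users)
    return alerts


def locked_out_accounts(events):
    """Accounts with a lockout event; with lockout policy off (slide 19) this stays empty."""
    return sorted({ev["user"] for ev in events if ev["id"] == EVENT_ACCOUNT_LOCKOUT})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for source, (count, users) in detect_guessing(evs).items():
        print(f"guessing from {source}: {count} failures against {users} account(s)")
    print("locked out:", locked_out_accounts(evs))
```

Run as a script it prints one alert, for the source cycling through administrator, sa and backup; the two failures from 10.0.0.8 stay below threshold. On a real network you would feed it the exported security log of the machine hosting the exposed service, and tighten the window or lower the threshold for services where even a few failures a minute are unusual.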
25. Threat – Password Hash Attacks
   - Online attacks
      - Dumping password hashes from LSASS while the operating system is running
         - Pwdump*.exe, L0phtCrack 5
   - Countermeasures
      - Require 2-factor authentication
      - Prevent malicious code from running in the context of Administrator or SYSTEM
         - Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with those same privileges
      - Arriving at this point means your security posture has failed elsewhere, and you have other security issues to deal with

26. Threat – Password Hash Attacks
   - Man-in-the-Middle Attacks
      - Sniffing shared-secret authentication exchanges based on a user’s password between client and server (LM, NTLMv2, Kerberos)
         - Everyone seems to think Kerberos solved the MITM password-cracking attack!
            - It did not, per the Kerberos v5 RFC:
            - "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password.

27. Threat – Password Hash Attacks
   - Man-in-the-Middle Attacks
      - Tools available for LM/NTLM and Kerberos v5
         - ScoopLM / BeatLM / Kerbcrack / LC5
            - Security Friday demonstrated NTLMv2 at Blackhat on a 16-node Beowulf cluster in 2002!
         - All researchers agree the solution is strong passwords!
   - Countermeasures
      - Use 2-factor authentication on Windows 2000 and later networks
         - Allows the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
      - Use strong passwords of 10 characters or more
      - Use IPSec ESP to encrypt all network traffic
      - Use 802.1x authentication to keep rogue users off your network

28. Threat – Password Hash Attacks
   - Assume password hashes will eventually be obtained, allowing
      - Brute-force attacks
      - Dictionary attacks
         - Hybrid attacks (use a dictionary word, then brute-force a few characters)
      - Pre-computation attacks (rainbow tables) – the latest craze . . .
         - L0phtCrack 5 utilizes all these methods for cracking hashes
   - Countermeasures
      - Don’t worry about your hashes being stolen – make them immune to reversing in any reasonable amount of time!
      - Use complex passwords of 10 characters or more
         - Or better yet, pass-phrases!
         - NT-based operating systems support 128-character pass-phrases
      - Change them every 60 days or less
      - Minimum time before a password can be changed: 1 day
      - Number of previous passwords remembered: at least 24

29. Threat – Password Hash Attacks
   [Chart: time to crack versus password length (6 to 11 characters), compared against a 60-day password lifetime. Data from Microsoft calculations based on Philippe Oechslin’s algorithms with a 1 Terabyte RainbowCrack database (the research that is the basis for the new attack).]

30. Threat – Password Hash Attacks
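Slides 28 and 29 argue from arithmetic: make the keyspace large enough that an exhaustive search outlasts the 60-day password lifetime, and enforce complexity and the 128-character limit. The block below is an added example, not from the presentation and not Microsoft's calculation: it reproduces that arithmetic for lengths 6 through 11 at an assumed guess rate (the 1e9 guesses/second default is a placeholder, not a measurement, and it models brute force rather than a rainbow-table lookup), and checks a candidate against the slide's policy of 10 or more characters drawn from at least three of the four Windows complexity classes.

```python
"""Keyspace and rotation arithmetic behind the slide's password policy.
Added example, not from the presentation. The guess rate is an assumed
placeholder for whatever hardware an attacker has, not a measurement."""
import string

# Windows "complexity" counts four character classes; a complex password
# must draw from at least three of them.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
FULL_CHARSET = sum(len(chars) for chars in CHARACTER_CLASSES.values())  # 26+26+10+32 = 94
MAX_NT_PASSPHRASE = 128   # slide 28: NT-based systems accept pass-phrases up to 128 characters
SECONDS_PER_DAY = 86_400


def keyspace(length, charset_size=FULL_CHARSET):
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def days_to_exhaust(length, guesses_per_second, charset_size=FULL_CHARSET):
    """Worst-case days for an exhaustive search at an assumed guess rate."""
    return keyspace(length, charset_size) / guesses_per_second / SECONDS_PER_DAY


def survives_rotation(length, guesses_per_second, rotation_days=60, charset_size=FULL_CHARSET):
    """True if the search would outlast the slide's 60-day lifetime, so a
    recovered password is already stale by the time the search completes."""
    return days_to_exhaust(length, guesses_per_second, charset_size) > rotation_days


def meets_policy(password, min_length=10, min_classes=3):
    """Slide 28 policy: at least 10 characters, complex (3 of 4 classes),
    and no longer than NT's 128-character limit."""
    if not min_length <= len(password) <= MAX_NT_PASSPHRASE:
        return False
    classes_present = sum(
        1 for chars in CHARACTER_CLASSES.values() if any(ch in chars for ch in password)
    )
    return classes_present >= min_classes


def rotation_table(guesses_per_second, lengths=range(6, 12)):
    """Rebuild the slide-29 comparison for lengths 6..11 as (length, days, survives)."""
    return [
        (n, days_to_exhaust(n, guesses_per_second), survives_rotation(n, guesses_per_second))
        for n in lengths
    ]


if __name__ == "__main__":
    RATE = 1_000_000_000   # assumed 1e9 guesses/second; substitute your own estimate
    for n, days, ok in rotation_table(RATE):
        verdict = "outlasts" if ok else "falls inside"
        print(f"{n:2d} chars: {days:14.1f} days, {verdict} the 60-day rotation")
    for pw in ("666", "password12", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r:34} meets policy: {meets_policy(pw)}")
```

Two things the output makes visible. At the assumed rate the 60-day window is crossed between 7 and 8 characters, so the slide's 10-character floor leaves margin for faster hardware and for precomputation. And the class-based complexity rule rejects an all-lowercase pass-phrase despite its far larger keyspace, so if you take slide 28's pass-phrase advice, expect the complexity filter to insist on mixed classes as well as length.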
31. Threat – Remote Code Execution
   - RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
      - Stack & heap overflows
      - Integer under/overflows
      - Format string vulnerabilities
   - Countermeasures
      - Disable unnecessary services
      - Block unnecessary ports
      - Install all critical security updates within 24 hours
      - Write secure code
      - Run critical services using the new built-in low-privileged accounts
      - Compile C++ code with the VC7 compiler /GS switch
      - Use behavioral blocking software
         - Sana Security products
      - Use Intrusion Prevention Systems

32. Threat – Physical Attacks
   - Assume the worst – physical theft of the machine
   - Countermeasures
      - SYSKEY in mode 2 or 3
         - Key stored in your head (mode 2)
         - Key stored on a floppy (mode 3)
            - Protects password hashes with 128-bit symmetric encryption
            - Either mode prevents the ‘Nordahl’ boot-disk attack
            - Also prevents the DS Restore mode style attacks
      - EFS
         - Can be used to encrypt sensitive information

33. Threat – Unauthorized Network Access
   - Applies to both wired and wireless networks
   - An unauthorized user connects to or associates with the network and receives an IP address
      - Starts scanning, enumerating and hacking
   - Countermeasure
      - Use 802.1x to authenticate network clients before allowing them to use the network
      - Port-based authentication (requires supporting hardware infrastructure)

34. Threat – VPN Servers
   - VPN servers usually allow users unfiltered access to the corporate intranet
   - Users contaminate the intranet with malware they’ve collected while surfing the Internet (worms, etc.)
   - Countermeasure
      - Employ a network quarantine solution
         - Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
         - After the machine passes the check, packets are routed
         - If the machine fails the check, the connection is dropped

35. Countermeasures – Summary
   - The vast majority of security threats can be fully mitigated by doing two things well:
      - Passwords
      - Security updates
   - Security should not be ‘bolted on’
      - Design security into the solution from the beginning

36. Microsoft Solutions for Security
   - Review the new Security Guidance Center
   - Windows 2000 Security Hardening Guide
   - Windows 2000 Solution for Securing Windows 2000 Server
   - Windows Server 2003 Security Guide
      - Covers environments running Win9x and later!
      - This is our best solution for securing Windows networks!

37. Windows Server 2003 Security Guide
   - Theme
      - Group Policy can be used to automate the application of security hardening and threat countermeasures, through pre-defined security templates applied to GPOs
      - Automated – policy is applied as machines join the domain / are moved into organizational units
   - The Windows 2000 and Windows Server 2003 Solutions for Security come with pre-configured, ready-to-deploy templates
      - Obviously you should test them before deploying them in a production environment
      - They WILL break something

38. Windows Server 2003 Security Guide
   - Provides 3 different security levels for the enterprise
      - Legacy Client (compatible with Win9x – XP)
      - Enterprise Client (compatible with 2000 & XP only)
      - High Security Client (compatible with 2000 & XP only)

40. Demonstration: Securing Windows Servers using Group Policy

41. Staying Secure

42. Overview – Staying Secure
   - Awareness
      - Security Alert Notification Services
      - Vulnerability Assessment
   - Responding to Security Events
      - Patch Warfare – Thursday, Tutorial 6
      - Incident Response – Thursday, Tutorial 6

43. Staying Secure
   - Security Alert Notification Service
      - Get e-mail alerts of Microsoft security bulletins for all Microsoft products
      - Plain-text e-mail, PGP-signed with the MSRC PGP key

44. Staying Secure
   - Vulnerability Assessment
      - Microsoft Baseline Security Analyzer 1.2
      - Local or remote vulnerability & patch scanner
      - Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, BizTalk, SNA and HIS vulnerabilities / patches
         - English, German, French or Japanese builds!

45. Staying Secure
   - MBSA Pros and Cons
      - Pros
         - Free
         - Great product coverage
         - Agent-less
      - Cons
         - Requires authentication with the remote machine, and the Remote Registry and Server services
         - Slow when scanning large networks
         - No easy way to aggregate XML output
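Slide 45's last con, that MBSA's per-machine XML is awkward to aggregate, is the kind of gap a short script closes. The block below is an added example, not from the presentation and not part of MBSA: it folds several reports into a per-bulletin view (which machines still lack a given update) and a per-machine view (how far behind each box is). The reports are constructed, and their element and attribute names (SecScan/Machine, Check/Name, UpdateData/BulletinID, IsInstalled) are an assumed simplification of the MBSA 1.2 report shape; map them to the schema your build actually emits before relying on the output. The only bulletin IDs used are the two the deck itself cites.

```python
"""Aggregating MBSA-style per-machine XML scan output. Added example, not
part of the presentation or of MBSA. The element/attribute names are an
assumed simplification of MBSA 1.2's report shape; the reports are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed reports in the assumed MBSA-like shape (see lead-in).
REPORTS = [
    """<SecScan Machine="WEB01" Domain="CORP">
  <Check ID="101" Name="Windows Security Updates">
    <Detail>
      <UpdateData BulletinID="MS03-007" IsInstalled="true"/>
      <UpdateData BulletinID="MS04-011" IsInstalled="false"/>
    </Detail>
  </Check>
</SecScan>""",
    """<SecScan Machine="SQL01" Domain="CORP">
  <Check ID="101" Name="Windows Security Updates">
    <Detail>
      <UpdateData BulletinID="MS03-007" IsInstalled="false"/>
      <UpdateData BulletinID="MS04-011" IsInstalled="false"/>
    </Detail>
  </Check>
</SecScan>""",
    """<SecScan Machine="DC01" Domain="CORP">
  <Check ID="101" Name="Windows Security Updates">
    <Detail>
      <UpdateData BulletinID="MS03-007" IsInstalled="true"/>
      <UpdateData BulletinID="MS04-011" IsInstalled="true"/>
    </Detail>
  </Check>
</SecScan>""",
]


def missing_updates(report_xml):
    """Return (machine name, sorted bulletin IDs the report marks as not installed)."""
    root = ET.fromstring(report_xml)
    machine = root.get("Machine", "unknown")
    missing = sorted(
        upd.get("BulletinID")
        for upd in root.iter("UpdateData")
        if upd.get("IsInstalled", "").lower() == "false"
    )
    return machine, missing


def aggregate(reports):
    """Fold per-machine reports into two views:
    by_bulletin: bulletin -> sorted machines still missing it
    by_machine:  machine  -> number of missing updates"""
    by_bulletin = defaultdict(set)
    by_machine = {}
    for report_xml in reports:
        machine, missing = missing_updates(report_xml)
        by_machine[machine] = len(missing)
        for bulletin in missing:
            by_bulletin[bulletin].add(machine)
    return {b: sorted(m) for b, m in by_bulletin.items()}, by_machine


def worst_first(by_machine):
    """Machines ordered by how many updates they lack, most exposed first."""
    return sorted(by_machine, key=lambda m: (-by_machine[m], m))


if __name__ == "__main__":
    per_bulletin, per_machine = aggregate(REPORTS)
    for bulletin, machines in sorted(per_bulletin.items()):
        print(f"{bulletin}: still missing on {', '.join(machines)}")
    for machine in worst_first(per_machine):
        print(f"{machine}: {per_machine[machine]} update(s) missing")
```

The per-bulletin view is the one you act on after a release like MS04-011 (slide 51): it answers "which machines are still exposed" directly, which opening each report in the MBSA GUI does not. Reading the scan date from the report root as well would let you discard results older than your patch deadline.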
46. Staying Secure
   - 3rd-party vulnerability assessment software
      - ISS Internet Scanner – System Scanner
      - Foundstone FoundScan
         - Much more in-depth than MBSA 1.2

47. Secure Windows Initiative

48. Secure Windows Initiative
   - Microsoft’s New Security Culture
      - Started with the Bill Gates Trustworthy Computing memo
      - Led to SD3+C
         - Secure by Design, Secure by Default, Secure in Deployment + Communications
      - Secure Windows Initiative
         - Windows Server 2003 is the first product to result from SWI; makes use of many Attack Surface Reductions (ASRs)

49. Secure Windows Initiative – SD3+C
   - Secure by Design
      - Code reviews
      - IIS re-architecture
      - Threat models
      - $200M investment
   - Secure by Default
      - 60% less attack surface area by default compared to Windows NT 4.0 SP3
      - Services off by default
      - Services run at lower privilege
   - Secure in Deployment
      - Configuration automation
      - Identity management
      - Monitoring infrastructure
      - Prescriptive guidance
   - Communications
      - Community investment
      - Architecture webcasts
      - Writing Secure Code 2.0

50. Secure Windows Initiative
   - Does SWI work? Let’s have a look . . .
   - MS03-007, vulnerability exploited through IIS 5.0 + WebDAV
   - WS2003 / IIS 6 not affected because:
      - IIS 6 is not installed by default
         - If it was installed, WebDAV is disabled by default
            - If it was enabled, IIS 6 rejects long URLs by default
               - If it didn’t reject long URLs, the buffer overflow would occur in a low-privilege process, not a process running as SYSTEM

51. Secure Windows Initiative
   - Are there other examples?
   - MS04-011 fixes 14 Windows vulnerabilities
   - Of these 14 vulnerabilities, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!

52. Secure Windows Initiative
   - These vulnerabilities were rated as ‘Low’ on Windows Server 2003 – why?
      - Attack Surface Reductions (ASRs) as a result of SWI
         - PCT is not enabled by default!
         - The LSASS vulnerability is not remotely exploitable by default!

53. Secure Windows Initiative
   - Want more? Coming soon:
      - Secure Server Roles for Windows Server 2003
         - Task-based security wizard to further automate hardening of WS2003 server roles
      - Windows XP Service Pack 2
         - The most secure consumer operating system to date!

54. Security Improvements in XP Service Pack 2

55. Security Improvements in XP SP2
   - Overview
      - Network Protection Technologies
      - Memory Protection Technologies
      - Safer E-Mail
      - Safer Browsing
      - Windows Installer 3.0

56. Network Protection Technologies
   - Alerter & Messenger – GONE! (Okay, disabled)
      - Universal Plug & Play also disabled by default
   - Bluetooth network stack included by default
      - Disabled unless a WHQL Bluetooth device is present

57. Network Protection Technologies
   - DCOM – Locked down by default!
      - Previously, there was no way for administrators to enforce a machine-wide access policy for all DCOM applications
         - XP has over 150 DCOM servers out of the box!
         - Many DCOM applications have weak “Launch” and “Access” permissions that allow anonymous remote activation / access!
         - Administrators had no way to centrally manage / override these settings!

58. Network Protection Technologies
   - DCOM solution: a machine-wide access check is performed before any server-specific access checks
      - Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
         - Everyone is granted local launch, activation and call permissions

59. Network Protection Technologies
   - RPC – Locked down by default (RPC Interface Restriction)
      - Previously, RPC interfaces were wide open to anonymous access
      - SP2 adds the RestrictRemoteClients setting and enables it by default
         - Requires all remote RPC clients to authenticate
      - The endpoint mapper (EPM) now requires authN
         - Must set EnableAuthEpResolution to 1 on clients to get the EPM working again

60. Network Protection Technologies
   - Windows Firewall (the software formerly known as ICF)
      - Boot-time security
      - On by default for all interfaces, global configuration (all interfaces can share the same configuration)
      - Local subnet restriction
      - Command-line support (via netsh) for scripted configuration (think logon scripts)
      - “On with no exceptions”
      - Exception list
      - Multiple profiles
      - RPC support
      - Restore defaults
      - Unattended setup for OEMs
      - Multicast / broadcast support
      - New and improved Group Policy configuration (via System.adm)

61. Memory Protection Technologies
   - Introducing Data Execution Prevention (NX)
      - Buffer overflows usually place ‘shellcode’ on the stack or in the heap and cause execution to jump to this location
      - NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
         - User-mode apps that attempt to run code from such areas will AV (access violation)
         - Kernel-mode drivers that attempt to run code from such areas will bluescreen
      - Supported on AMD64, IA64 and forthcoming x64 Intel CPUs, for both 32-bit and 64-bit Windows XP

62. Memory Protection Technologies
   - /GS
      - Stack-based buffer overflow protection
      - Places a ‘canary’ value on the stack before / after stack allocations
      - The value is checked when values are read from the stack, to make sure the stack hasn’t been overwritten
      - If the canary value has changed, the process crashes instead of allowing the code to execute

63. Safer E-Mail
   - Outlook Express will read all e-mail as plain text by default
      - Blocks HTML e-mail exploits
   - “Don’t download external HTML content”
      - If you choose to render HTML e-mail, external HTML content is not rendered / downloaded
      - Blocks “web bugs” etc.
   - AES API (Attachment Execution Service)
      - Apps no longer have to roll their own attachment-handling code (can be shared by IM, e-mail etc.)

64. Safer Browsing
   - Internet Explorer
      - Add-on management / crash protection
      - Binary Behaviors locked down now
         - Option appears in each zone for configuring
      - BindToObject mitigation
         - ActiveX security model now applied to URL binding
      - Microsoft Java VM can be disabled per zone
      - Local Machine Zone lockdown
         - All local files / content processed by IE run in the LMZ
            - No ActiveX objects allowed
            - Scripts set to Prompt
            - Binary Behaviors – disallowed
            - No Java!

65. Safer Browsing
   - Internet Explorer
      - Improved MIME handling
         - 4 different checks performed (file extension, Content-Type / Content-Disposition from the header, and MIME sniff)
      - Object caching / scope
         - Objects lose scope when browsing to a different domain / FQDN
         - Sites can no longer access cached objects from other sites
      - POP-UP BLOCKER!!!!!
      - “Never trust content from Publishername”
      - One prompt per control per page
         - Endless-loop attack

66. Safer Browsing
   - Internet Explorer
      - Authenticode dialog box supports ellipses
         - Annoying ActiveX controls with overly long descriptions can now be viewed
      - Window restrictions
         - Prevents UI spoofing attacks
      - Script sizing / repositioning restrictions
         - Prevents scripts from moving windows to hide URL bars / status bars etc.
      - Status bar always visible
         - Scripts can no longer disable it

67. Safer Browsing
   - Internet Explorer
      - Script pop-up window placement: pop-ups are now constrained so that they
         - Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window
         - Are smaller in height than the parent WebOC window
         - Overlap the parent window horizontally
         - Stay with the parent window if the parent window moves
         - Appear above their parent so other windows (such as a dialog box) cannot be hidden
            - Mitigates chromeless window attacks

68. Safer Browsing
   - Internet Explorer
      - Zone Elevation blocks
         - Internet Explorer prevents the overall security context of any link on a page from being higher than the security context of the root URL
            - Scripts cannot navigate from the Internet Zone to the Local Machine Zone
               - AND the Local Machine Zone is locked down by default now, even if it could happen!
         - Zone Elevation attacks are one of the most exploited IE attack vectors

69. Windows Installer 3.0
   - SUS 2.0 will utilize MSI 3.0
   - Improved inventory functions across user and installation contexts
   - Support for binary delta compression
      - Makes patches smaller / quicker to download
   - Patch sequencing
      - Authors can provide an explicit installation order
   - Supports WinHTTP (vs. WinInet) for web downloads
   - No longer interactive
      - Runs as SYSTEM; interactive SYSTEM services can be “shattered”

70. Demonstration (time permitting)
   - Out of Box Experience
   - Automatic Updates
   - Security Center
   - Windows Firewall
   - RPC Hardening
   - Internet Explorer Add-ons Manager

71. So are we there yet? We’re getting there, stay tuned . . .
   © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.