Transcript and Presenter's Notes

Title: http://www.sector.ca
Slides: 47
Provided by: task7

1
http://www.sector.ca/
2
Microsoft Vista: How Secure is it Really?
CMS Consulting Inc.
Presented at TASK, January 31, 2007
3
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
Training by Experts for Experts: MS Infrastructure Security - Vista and Office Deployment
Visit us online: www.cms.ca - Downloads, Resources, White Papers
For Security Solutions - For Advanced Infrastructure - For Network Solutions - For Information Worker
4
CMS Training Offerings
  • INSPIRE Infrastructure Workshop
  • 4 days of classroom training - demo intensive: AD,
    Exchange, ISA, Windows Server, SMS, MOM, Virtual
    Server
  • Business Desktop Deployment: Deploying
    Vista/Office
  • 3 days of classroom training - hands-on labs
    (computers provided): Business Desktop Deployment
    Concepts, Tools, Processes, etc. Vista and Office
  • Securing Internet Information Services
  • Securing Active Directory
  • Securing Exchange 2003
  • 1 day classroom training per topic
  • TRAINING BY EXPERTS FOR EXPERTS

5
Session Goals
  • We let Microsoft talk, so we need a balanced
    view!
  • See what the dark side has been up to.
  • Is it as secure as advertised?
  • You may ask questions.
  • Research is current as of Jan 31, 2007
  • You may not provide emotional rants.

6
So what is newer, bigger, bad-er?
  • User Account Control (UAC)
  • Windows Defender
  • Windows Firewall
  • Windows Security Center
  • Malicious Software Removal Tool
  • Software Restriction Policies
  • BitLocker Drive Encryption
  • Encrypting File System (EFS)
  • Rights Management Services (RMS)
  • Device control
  • Address Space Randomization
  • Now 2400-ish group policy settings (XP SP2 had
    1700)

Exists in, or downloadable for, XP
7
Internet Explorer 7
  • Internet Explorer Protected Mode
  • ActiveX Opt-in
  • Cross-domain scripting attack protection
  • Security Status Bar
  • Phishing Filter
  • Etc, etc, etc
  • (Included here because Microsoft always shows it
    as part of Vista security; yes, I know it runs
    on XP.)

8
The Switch to Vista
  • If you don't buy Vista, you should buy Office
    2007 just so you can make pretty pictures like
    mine.

9
Switch to Mac Instead?
10
(No Transcript)
11
The HOT Topic: DRM!
  • Peter Gutmann wrote "A Cost Analysis of Windows
    Vista Content Protection" and called Vista DRM
    "the Longest Suicide Note in History".
  • Microsoft rebutted this. The article included
    some technical clarifications, but appeared
    mostly to be a PR piece.

12
DRM Highlights
  • Vista will only play premium HD content on x64,
    as DRM couldn't be implemented in their x32 OS.
  • This basically affects HD-DVD and BluRay
    playback.
  • A High-bandwidth Digital Content Protection (HDCP)
    compatible monitor is required. (Shame you
    bought that nice Dell 24" UltraSharp.)
  • Peter thinks a skilled attacker could bypass
    Vista DRM inside a week.
  • DRM is a big reason that Vista driver support is
    so limited, even based on the RTM media.

13
DRM Bottom Line
  • Premium content plays at very degraded quality
    unless policy is met.
  • There are 30 checks per second to make sure DRM
    isn't being bypassed (read: serious overhead).
  • Drivers now have a "tilt bit"; it's up to vendors
    to determine what constitutes an attack. After a
    tilt is detected, the graphics subsystem is reset.
  • Drivers can be revoked if they are exploited. If
    Microsoft revokes a driver and the vendor
    doesn't release an update, do you have to buy a
    new video card?
  • Still too early to tell the fallout.

14
DRM Resources
  • A Cost Analysis of Windows Vista Content
    Protection
  • http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
  • Last update January 27, 2007.
  • The Official Microsoft Rebuttal
  • http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx

15
Windows Defender
  • XP and Vista only
  • Not supported on W2K, but edit the installer
    with Orca and it works fine
  • You can also use Orca to remove the WGA check
  • Actively scans computers for "spyware, adware,
    and other potentially unwanted software." You
    just need to trust their definition of what's
    unwanted.

16
Windows Defender
  • SpyNet's a neat idea.
  • Not an antivirus solution
  • (Forefront Client Security is)
  • Not enterprise class
  • (no central reporting, etc, etc)
  • Can distribute updates by WSUS

17
(No Transcript)
18
Malware
  • Sophos report summary
  • They used the top ten November 2006 forms of
    malware
  • Windows Mail blocked all 10
  • Using web mail, 3 of 10 infected Vista
  • Mydoom, Netsky and Stration all succeeded
  • All take advantage of social engineering. None
    took advantage of a security weakness.

19
Exploits for Sale!
  • Trend Micro's CTO was quoted in various articles
    claiming to see Vista 0day on auction boards for
    upwards of 50k
  • This isn't really news. Exploits for sale are
    not new.

20
Attacks for Sale
21
(No Transcript)
22
50k for an Exploit?
23
(No Transcript)
24
Exploit Prediction
  • Because I'm such an expert on the topic. ?
  • (OK, stolen mostly from Symantec's Vista Attack
    Surface paper)
  • The networking stack is a complete re-write.
    Symantec found several DoS attacks in pre-release
    Vista and expects more.
  • SMB2
  • IPv6
  • Loopback attacks (an exploit in a low-level
    process connects back to a medium-level process,
    e.g. IE Protected Mode connecting back to SMB)

25
User Account Control
  • The nuisance

26
User Account Control
  • The Power Users group no longer exists (well, it
    does, but does nothing unless you apply a
    security template)
  • Harmless tasks no longer require administrator
    (e.g. change time zone, connect to a wireless
    network, install approved devices)
  • Either on or off; there is no "less annoying" or
    "I said yes 5 times today, I still mean yes" option
  • Not entirely true: there are more group policy
    settings available to control its behaviour (all
    settings = less control, more nuisance)

27
Disabling User Account Control
  • Method 1 - Using Control Panel
  • Method 2 - Using Control Panel on Single User
  • Method 3 - Using Registry Editor
  • Method 4 - Using MsConfig System Configuration
  • Method 5 - Using Group Policy

28
Registry/File Virtualization
  • When running under limited user access (LUA),
    failed (insufficient permission) registry and
    file writes get redirected (virtualized)
  • Registry access failures to HKLM redirect to HKCU
  • From HKEY_LOCAL_MACHINE\Software
  • to
  • HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
  • File access failures also redirect
  • From C:\Progra~1 (C:\Program Files)
  • to
  • %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
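
The redirection above can be modelled to predict where a denied write lands and, more usefully for review, to map a file found in a user's VirtualStore back to where the program believed it was writing. This is an added example, not code from the slides or from Microsoft; the registry mapping is the one the slide gives, while the file layout (VirtualStore\Program Files\..., without the drive letter) and the set of protected roots are assumptions, and the profile path is a constructed sample.

```python
"""Predict where a UAC-virtualized write lands, and map it back.

Added example, not part of the slides. The registry redirection is the one
the slide gives; the VirtualStore layout without a drive letter, the set of
protected roots and the sample profile path are assumptions of this example.
"""
import ntpath

REG_PROTECTED = r"HKEY_LOCAL_MACHINE\Software"
REG_VIRTUAL = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software"
FILE_PROTECTED = (r"C:\Program Files", r"C:\Windows")   # assumed protected roots
LOCALAPPDATA = r"C:\Users\alice\AppData\Local"          # constructed sample profile


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or lies below root' test."""
    p, r = path.lower(), root.lower()
    return p == r or p.startswith(r + "\\")


def virtualized_registry_path(key: str):
    """Where a denied HKLM\\Software write is redirected, or None if it just fails."""
    if not _under(key, REG_PROTECTED):
        return None                      # e.g. HKLM\System is not virtualized
    return REG_VIRTUAL + key[len(REG_PROTECTED):]


def virtualized_file_path(path: str, localappdata: str = LOCALAPPDATA):
    """Where a denied write under a protected directory is redirected, or None."""
    if not any(_under(path, root) for root in FILE_PROTECTED):
        return None
    _drive, rest = ntpath.splitdrive(path)
    return ntpath.join(localappdata, "VirtualStore", rest.lstrip("\\"))


def original_from_virtual_file(vpath: str, localappdata: str = LOCALAPPDATA):
    """Reverse mapping: recover the location the application believed it wrote to.

    Handy when reviewing a user's VirtualStore for config files or binaries that
    a legacy (or unwanted) program thinks live under Program Files or Windows.
    """
    prefix = ntpath.join(localappdata, "VirtualStore") + "\\"
    if not vpath.lower().startswith(prefix.lower()):
        return None
    return "C:\\" + vpath[len(prefix):]
```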

29
Mildly entertaining
30
Windows Firewall
  • XP has Domain vs. Standard configs
  • Vista has Domain vs. Public vs. Private
  • Application outbound rules (not on by default)
  • Default config is same configuration as XP SP2
  • IP v6 Support
  • New console available via MMC that's super cool
  • Integration with IPSec
  • See Steve Riley's TechEd presentation (102 slides)
    on Firewall and IPSec changes

31
Comparing features
32
(No Transcript)
33
Encrypting File System: New in Vista
  • You can store User keys on smart cards.
  • You can store recovery keys on smart cards,
    allowing secure data recovery without a dedicated
    recovery station, even over Remote Desktop
    sessions.
  • You can encrypt the Windows paging file using EFS
    with a key that is generated when the system
    starts up. This key is destroyed when the system
    shuts down.
  • You can encrypt the Offline Files cache with EFS.
    In Windows Vista this encryption feature employs
    the user's key instead of the system key.
  • EFS supports a wider range of user certificates
    and keys.

34
Address Space Randomization
  • Has been used in the Unix world for over 10 years
  • Goal is to eliminate overflow attacks (memory
    layout is no longer predictable)
  • Stack and heap are randomized
  • EXEs and DLLs shipping as part of Vista are
    randomized
  • All other EXEs and DLLs will need to explicitly
    opt in via a new PE header flag; by default they
    will not be randomized. "Note that DLLs marked
    for randomization, such as system DLLs, will be
    randomized in every process (regardless of
    whether other binaries in that process have
    opted in or not)."
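
The opt-in flag can be audited straight from a binary's header, which is how you would find the third-party EXEs and DLLs in a deployment that will never be randomized. The following is an added example, not code from the slides or from Microsoft: it parses just enough of the PE optional header to read DllCharacteristics and test IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), using a constructed header-only image as sample input.

```python
"""Check whether a PE image opted in to Vista ASLR via its header flag.

Added example, not from the slides. Only the fields needed are parsed:
e_lfanew at 0x3C, the "PE\\0\\0" signature, the 20-byte COFF header and
the DllCharacteristics word of the optional header.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHARS_OFFSET = 70        # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return DllCharacteristics, raising ValueError if this is not a sane PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE          # start of the optional header
    if len(image) < opt + DLLCHARS_OFFSET + 2:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    (chars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)
    return chars


def opted_in_to_aslr(image: bytes) -> bool:
    """True if the image asked the loader to relocate (randomize) it."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only image carrying the given DllCharacteristics."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))           # pad DOS stub up to e_lfanew
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real system you would read the first few kilobytes of each file under the application's install directory and report those where `opted_in_to_aslr` is false.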

35
Address Space Randomization
  • Vista only uses 8 bits for randomization (2^8 = 256)
  • An attacker has a 1/256 chance of getting an
    address right
  • Brute force is always a possibility (if the app
    doesn't die first)
  • Side effect: memory fragmentation

36
Address Space Randomization
  • Ali Rahbar demonstrates in this whitepaper how to
    run an exploit on code not compiled with the
    randomization switch

37
Vista Piracy
  • Volume Activation 2.0
  • Cracks currently fall into 3 categories
  • KMS in Virtual Machine (VMPlayer)
  • TimeStop (aka 2099 Crack)
  • FrankenBuild (RC1 components mixed with RTM)
  • Bottom Line
  • Updates to WGA will detect and disable
  • Many cracks come with trojans for no extra
    charge.

38
(No Transcript)
39
BitLocker Crash Course
  • Several options
  • TPM only (this is the default)
  • TPM + PIN
  • TPM + USB
  • USB only (no TPM present)
  • AES 128-bit or 256-bit based encryption
  • Brute force is currently computationally infeasible
  • If no PIN is present, then stolen machines can
    still be attacked by traditional methods (i.e. the
    TPM is present, and decryption happens at boot)

40
BitLocker Secure Enough?
  • Attacks against TPM-only mode
  • Warm boot without destroying memory, grab keys
    from memory ghosts
  • Cold ghosting (memory remains charged long enough
    to capture)
  • PCI bus exploit with a repurposed PC Card device
    and DMA (direct memory access) (e.g. the CardBus
    DMA technique demoed by David Hulton at ShmooCon,
    2006)
  • Xbox v1-style attacks
  • BIOS attacks (may involve removal, re-programming
    and compromise of the Core Root of Trust for
    Measurement (CRTM))
  • TPM + multi-factor
  • Brute force PIN (mitigated by TPM anti-hammering)
  • Key wear analysis (theoretical)
  • BitLocker-aware boot rootkits
  • Multi-visit attacks (hobble BitLocker, then steal
    the laptop)
  • Lost machine while unlocked (one-chance threat)
  • The best presentation I could find on bypassing
    BitLocker was actually put out by Microsoft
    themselves: a presentation by Douglas MacIver at
    Hack in the Box 2006.

41
BitLocker Secure Enough?
  • The team blog violently opposes and denies any
    government backdoor. If one is legislated, they
    promise to disclose it or withdraw the feature
  • No apparent easy-to-execute attacks (yet)

42
PatchGuard
  • Also known as Kernel Patch Protection (KPP)
  • Not to be confused with the requirement for signed
    drivers
  • Means you can't mess with the kernel
  • Exists for all x64 versions of Windows
  • 5 or 6 bypass methods can be found by searching;
    little PoC exists, and no methods appear to
    work with Vista
  • Authentium "broke" PatchGuard on RC
  • Joanna's raw-disk access PatchGuard exploit was
    shut down with RC2
  • Designed both to limit rootkit exposure and to stop
    vendors from using undocumented kernel
    manipulation

43
PatchGuard
  • This really is what all the AV vendors are upset
    about
  • Symantec has posted a paper on how to disable
    first the kernel signed-driver requirement and
    then PatchGuard (not updated with RTM info, but I
    believe it would still work). Involves taking
    ownership of ACLs from TrustedInstaller (set by
    Windows Resource Protection), then patching
    NTOSKRNL.EXE and WINLOAD.EXE
  • Most recent paper by Ken Johnson (Skywing) at
    http://www.nynaeve.net/ - posted Jan 29

44
Notes on Secure Deployment
  • Use BDD 3.0 for a standardized rollout
  • Read all 107 pages of Microsoft's Vista Security
    Guide ?
  • GPOAccelerator.wsf creates Domain, User, Desktop
    and Laptop GPOs for you!
  • Deploy 64-bit if possible (it's more secure)
  • Make sure your AV vendor supports Vista and x64
  • Train users on UAC
  • Replace Defender with something enterprise class

45
CMS Training Offerings
  • INSPIRE Infrastructure Workshop
  • 4 days of classroom training - demo intensive: AD,
    Exchange, ISA, Windows Server, SMS, MOM, Virtual
    Server
  • Business Desktop Deployment: Deploying
    Vista/Office
  • 3 days of classroom training - hands-on labs
    (computers provided): Business Desktop Deployment
    Concepts, Tools, Processes, etc. Vista and Office
  • Securing Internet Information Services
  • Securing Active Directory
  • Securing Exchange 2003
  • 1 day classroom training per topic
  • TRAINING BY EXPERTS FOR EXPERTS

46
SIGN UP NOW! http://www.sector.ca/