Title: http://www.sector.ca
Slide 1: http://www.sector.ca/
Slide 2: Microsoft Vista: How Secure is it Really?
CMS Consulting Inc.
Presented at TASK, January 31, 2007
Slide 3: CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
- Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
- Training by Experts for Experts: MS Infrastructure Security - Vista and Office Deployment
- Visit us online: www.cms.ca (Downloads, Resources, White Papers)
- For Security Solutions - For Advanced Infrastructure - For Network Solutions - For Information Worker
Slide 4: CMS Training Offerings
- INSPIRE Infrastructure Workshop
  - 4 days of classroom training - demo intensive: AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
- Business Desktop Deployment: Deploying Vista/Office
  - 3 days of classroom training - hands-on labs (computers provided): Business Desktop Deployment Concepts, Tools, Processes, etc.; Vista and Office
- Securing Internet Information Services
- Securing Active Directory
- Securing Exchange 2003
  - 1 day classroom training per topic
- TRAINING BY EXPERTS FOR EXPERTS
Slide 5: Session Goals
- We let Microsoft talk, so we need a balanced view!
- See what the dark side has been up to.
- Is it as secure as advertised?
- You may ask questions.
- Research is current as of Jan 31, 2007.
- You may not provide emotional rants.
Slide 6: So what is newer, bigger, bad-er?
- User Account Control (UAC)
- Windows Defender
- Windows Firewall
- Windows Security Center
- Malicious Software Removal Tool
- Software Restriction Policies
- BitLocker Drive Encryption
- Encrypting File System (EFS)
- Rights Management Services (RMS)
- Device control
- Address Space Randomization
- Now 2400-ish group policy settings (XP SP2 had 1700)
Exists in, or is downloadable for, XP
Slide 7: Internet Explorer 7
- Internet Explorer Protected Mode
- ActiveX Opt-in
- Cross-domain scripting attack protection
- Security Status Bar
- Phishing Filter
- Etc, etc, etc
- (Included here because Microsoft always shows it as part of Vista security; yes, I know it runs on XP.)
Slide 8: The Switch to Vista
- If you don't buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.
Slide 9: Switch to Mac Instead?
Slide 11: The HOT Topic: DRM!
- Peter Gutmann wrote "A Cost Analysis of Windows Vista Content Protection" and called Vista DRM "the Longest Suicide Note in History".
- Microsoft rebutted this. The rebuttal included some technical clarifications, but appeared mostly as a PR piece.
Slide 12: DRM Highlights
- Vista will only play premium HD content on x64, as DRM couldn't be implemented in their x32 OS.
- This basically affects HD-DVD and BluRay playback.
- A High-bandwidth Digital Content Protection (HDCP) compatible monitor is required. (Shame you bought that nice Dell 24" Ultrasharp.)
- Peter thinks a skilled attacker could bypass Vista DRM inside a week.
- DRM is a big reason that Vista driver support is so limited, even based on the RTM media.
Slide 13: DRM Bottom Line
- Premium content plays at very degraded quality unless policy is met.
- There's 30 checks per second to make sure DRM isn't being bypassed (read: serious overhead).
- Drivers now have a "tilt bit"; it is up to vendors to determine what constitutes an attack. After a tilt is detected, the graphics subsystem resets.
- Drivers can be revoked if they are exploited: if Microsoft revokes a driver and the vendor doesn't release an update, do you have to buy a new video card?
- Still too early to tell the fallout.
Slide 14: DRM Resources
- A Cost Analysis of Windows Vista Content Protection
  - http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html - Last update January 27, 2007.
- The Official Microsoft Rebuttal
  - http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx
Slide 15: Windows Defender
- XP and Vista only
- Not supported on W2K, but ORCA-edit the install and it works fine
- You can also use ORCA to remove the WGA check
- Actively scans computers for "spyware, adware, and other potentially unwanted software." You just need to trust their definition of what's unwanted.
Slide 16: Windows Defender
- SpyNet's a neat idea.
- Not an antivirus solution
  - (Forefront Client Security is)
- Not enterprise class
  - (no central reporting, etc, etc)
- Can distribute updates by WSUS
Slide 18: Malware
- Sophos report summary
  - They used the top ten November 2006 forms of malware
  - Windows Mail blocked all 10
  - Using web mail, 3 of 10 infected Vista
  - Mydoom, Netsky and Stration all succeeded
  - All take advantage of social engineering. None took advantage of a security weakness.
Slide 19: Exploits for Sale!
- Trend Micro CTO quoted in various articles claiming to see Vista 0day on auction boards for upwards of 50k
- This isn't really news. Exploits for sale is not new.
Slide 20: Attacks for Sale
Slide 22: 50k for an Exploit?
Slide 24: Exploit Prediction
- Because I'm such an expert on the topic. :)
  - (OK, stolen mostly from Symantec's Vista Attack Surface paper)
- The networking stack is a complete rewrite. Symantec found several DoS attacks in pre-release Vista and expects more.
  - SMB2
  - IPv6
- Loopback attacks (exploit at low integrity level, connect back to a medium-level process, e.g. IE protected mode connecting back to SMB)
Slide 25: User Account Control
Slide 26: User Account Control
- Power Users no longer exists (well, it does, but does nothing unless you apply a security template)
- Harmless tasks no longer require administrator (e.g. change time zone, connect to a wireless network, install approved devices)
- Either on or off; there is no "less annoying" or "I said yes 5 times today, I still mean yes" option
- Not entirely true: there are more group policy settings available to control its behaviour (all settings: less control, more nuisance)
Slide 27: Disabling User Account Control
- Method 1 - Using Control Panel
- Method 2 - Using Control Panel on Single User
- Method 3 - Using Registry Editor
- Method 4 - Using MsConfig (System Configuration)
- Method 5 - Using Group Policy
Slide 28: Registry/File Virtualization
- When running under limited user access (LUA), failed (insufficient permission) registry and file writes get redirected (virtualized)
- Registry access failures to HKLM redirect to HKCU
  - From HKEY_LOCAL_MACHINE\Software
  - to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
- File access failures also redirect
  - From C:\Progra~1 (C:\Program Files)
  - to %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
Slide 29: Mildly entertaining
Slide 30: Windows Firewall
- XP has Domain vs. Standard configs
- Vista has Domain vs. Public vs. Private
- Application outbound rules (not on by default)
- Default config is the same configuration as XP SP2
- IPv6 support
- New console available via MMC that's super cool
- Integration with IPSec
- See Steve Riley's TechEd presentation: 102 slides on Firewall and IPSec changes
Slide 31: Comparing features
Slide 33: Encrypting File System: New in Vista
- You can store user keys on smart cards.
- You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.
- You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.
- You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user's key instead of the system key.
- EFS supports a wider range of user certificates and keys.
Slide 34: Address Space Randomization
- Been used in the Unix world for over 10 years
- Goal is to eliminate overflow attacks (memory layout is no longer predictable)
- Stack and heap are randomized
- EXEs and DLLs shipping as part of Vista are randomized
- All other EXEs and DLLs will need to explicitly opt in via a new PE header flag; by default they will not be randomized. "Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted in or not)."
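As an added example (not part of the slides or any Microsoft tool), here is a small Python check for the opt-in flag just described: it reads the DllCharacteristics field from a PE32 or PE32+ header and reports whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, the bit set by the linker's /DYNAMICBASE option) is present. The header-only stubs it is exercised against are constructed inline, so it runs without real binaries.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: the PE header bit a binary sets
# (for example via the linker's /DYNAMICBASE option) to opt in to ASLR.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # optional header follows COFF
    if size_of_optional < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", pe, opt + 70)[0]


def aslr_opted_in(pe: bytes) -> bool:
    """True if the image asks Vista to randomize its base address."""
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def make_stub_pe(characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE stub (not loadable) for exercising the check."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / i386
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, characteristics)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for name, flags in (("opted-in.exe", 0x0140), ("legacy.dll", 0x0000)):
        state = "randomized" if aslr_opted_in(make_stub_pe(flags)) else "fixed base"
        print(f"{name}: DllCharacteristics=0x{flags:04x} -> {state}")
```

Run it against a real file by passing `open(path, "rb").read()` to `aslr_opted_in`; a binary without the bit keeps its fixed load address even on Vista.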
Slide 35: Address Space Randomization
- Vista only uses 8 bits for randomization (2^8 = 256)
- An attacker has a 1/256 chance of getting an address right
- Brute force is always a possibility (if the app doesn't die first)
- Side effect: memory fragmentation
Slide 36: Address Space Randomization
- Ali Rahbar demonstrates in this whitepaper how to run an exploit on code not compiled with the randomization switch
Slide 37: Vista Piracy
- Volume Activation 2.0
- Cracks currently fall into 3 categories
  - KMS in Virtual Machine (VMPlayer)
  - TimeStop (aka 2099 Crack)
  - FrankenBuild (RC1 components mixed with RTM)
- Bottom Line
  - Updates to WGA will detect and disable
  - Many cracks come with trojans for no extra charge.
Slide 39: BitLocker Crash Course
- Several options
  - TPM only (this is the default)
  - TPM + PIN
  - TPM + USB
  - USB only (no TPM present)
- AES 128-bit or 256-bit based encryption
- Brute force currently computationally infeasible
- If no PIN is present, then stolen machines can still be attacked by traditional methods (i.e. TPM is present, and decryption happens at boot)
Slide 40: BitLocker Secure Enough?
- Attacks against TPM-only mode
  - Warm boot without destroying memory, grab keys from memory ghosts
  - Cold ghosting (memory remains charged long enough to capture)
  - PCI bus exploit with repurposed PC Card device and DMA (direct memory access) (e.g. CardBus DMA technique demoed by David Hulton at ShmooCon, 2006)
  - Xbox v1-style attacks
  - BIOS attacks (may involve removal, re-programming and compromise of the Core Root of Trust for Measurement (CRTM))
- TPM Multi-Factor
  - Brute force PIN (mitigated by TPM anti-hammering)
  - Key wear analysis (theoretical)
  - BitLocker-aware boot rootkits
  - Multi-visit attacks (hobble BitLocker, then steal laptop)
  - Lost machine while unlocked (one-chance threat)
- The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves: presentation by Douglas MacIver at Hack in the Box 2006.
Slide 41: BitLocker Secure Enough?
- Team Blog violently opposes and denies any government backdoor. If one is legislated, they promise to disclose it or withdraw the feature.
- No apparent easy-to-execute attacks (yet)
Slide 42: PatchGuard
- Also known as Kernel Patch Protection (KPP)
- Not to be confused with the requirement for signed drivers
- Means you can't mess with the kernel
- Exists for all x64 versions of Windows
- 5 or 6 bypass methods can be found by searching, although little PoC exists; no methods appear to work with Vista
  - Authentium "broke" PatchGuard on RC
  - Joanna's raw-disk access PatchGuard exploit shut down with RC2
- Designed to both limit rootkit exposure and stop vendors from using undocumented kernel manipulation
Slide 43: PatchGuard
- This really is what all the AV vendors are upset about
- Symantec has posted a paper on how to disable first the kernel signed driver requirement and then PatchGuard (not updated with RTM info, but I believe it would still work). Involves taking ownership on ACLs from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE
- Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - posted Jan 29
Slide 44: Notes on Secure Deployment
- Use BDD 3.0 for standardized rollout
- Read all 107 pages of Microsoft's Vista Security Guide :)
- GPOAccelerator.wsf creates Domain, User, Desktop and Laptop GPOs for you!
- Deploy 64-bit if possible (it's more secure)
- Make sure your AV vendor supports Vista and x64
- Train users on UAC
- Replace Defender with something enterprise class
Slide 46: SIGN UP NOW! http://www.sector.ca/