http:www.sector.ca

1
http//www.sector.ca/
2
Microsoft Vista How Secure is it Really?
CMS Consulting Inc.
Presented at TASKJanuary 31, 2007
3
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange -
SMS - ISA MOM - Clustering - Office Desktop
Deployment - SQL Terminal Services - Security
Assessments - Lockdown Wireless Training by
Experts for Experts MS Infrastructure Security
- Vista and Office Deployment Visit us online
www.cms.ca Downloads Resources White Papers
For Security Solutions For Advanced
Infrastructure For Network Solutions For
Information Worker
4
CMS Training Offerings

• INSPIRE Infrastructure Workshop
• 4 days of classroom training - demo intensiveAD,
  Exchange, ISA, Windows Server, SMS, MOM, Virtual
  Server
• Business Desktop Deployment Deploying
  Vista/Office
• 3 days of classroom training - hands on labs
  (computers provide)Business Desktop Deployment
  Concepts, Tools, Processes, etc. Vista and Office
  
• Securing Internet Information Services
• Securing ActiveDirectory
• Securing Exchange 2003
• 1 day classroom training per topic
• TRAINING BY EXPERTS FOR EXPERTS

5
Session Goals

• We let Microsoft talk so we need a balanced
  view!
• See what the dark side has been up to.
• Is it as secure as advertised?
• You may ask questions.
• Research is current as of Jan 31, 2007
• You may not provide emotional rants.

6
So what is newer, bigger, bad-er?

• User Account Control (UAC)
• Windows Defender
• Windows Firewall
• Windows Security Center
• Malicious Software Removal Tool
• Software Restriction Policies
• BitLocker Drive Encryption
• Encrypting File System (EFS)
• Rights Management Services (RMS)
• Device control
• Address Space Randomization
• Now 2400-ish group policy settings ( XP-SP2 had
  1700)

Exists in, or downloadable for XP
7
Internet Explorer 7

• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Etc, etc, etc
• (Included here, because Microsoft always shows it
  as part of Vista security yes - I know it runs
  on XP).

8
The Switch to Vista

• If you dont buy Vista, you should buy Office
  2007 just so you can make pretty pictures like
  mine.

9
Switch to Mac Instead?
10
(No Transcript)
11
The HOT Topic DRM!

• Peter Gutmann wrote A Cost Analysis of Windows
  Vista Content Protection and called Vista DRM
  the Longest Suicide Note in History
• Microsoft rebutted this. The article included
  some technical clarifications, but appeared
  mostly as a PR piece.

12
DRM Highlights

• Vista will only play premium HD content on x64,
  as DRM couldnt be implemented in their x32 OS.
• This basically effects HD-DVD and BluRay
  playback.
• High bandwidth Digital Content Protection (HDCP)
  compatible monitor is required. (Shame you
  bought that nice Dell 24 Ultrasharp)
• Peter thinks a skilled attacker could bypass
  Vista DRM inside a week.
• DRM is a big reason that Vista driver support is
  so limited even based on the RTM media

13
DRM Bottom Line

• Premium content plays at very degraded quality
  unless policy is met.
• Theres 30 checks per second to make sure DRM
  isnt being bypassed (read serious overhead)
• Drivers now have a tilt bit, up to vendors to
  determine was constitutes an attack. After
  tilt detected, graphics subsystem reset
• Drivers can be revoked if they are exploited if
  Microsoft revokes a driver, and the vendor
  doesnt release an update, do you have to buy a
  new video card?
• Still too early to tell the fall out.

14
DRM Resources

• A Cost Analysis of Windows Vista Content
  Protection
• http//www.cs.auckland.ac.nz/pgut001/pubs/vista_c
  ost.html
• Last Update January 27, 2007.
• The Official Microsoft Rebuttal
• http//windowsvistablog.com/blogs/windowsvista/arc
  hive/2007/01/20/windows-vista-content-protection-t
  wenty-questions-and-answers.aspx

15
Windows Defender

• XP and Vista only
• Not supported on W2K, but ORCA edit install
  and it works fine
• You can also use ORCA to remove WGA check
• Actively scans computers for "spyware, adware,
  and other potentially unwanted software. You
  just need to trust their definition of whats
  unwanted

16
Windows Defender

• SpyNets a neat idea.
• Not an antivirus solution
• (Forefront Client Security is)
• Not enterprise class
• (no central reporting, etc, etc)
• Can distribute updates by WSUS

17
(No Transcript)
18
Malware

• Sophos report summary
• They used the top ten November 2006 forms of
  malware
• Windows Mail blocked all 10
• Using web mail, 3 of 10 infected Vista
• Mydoom, Netsky and Stration all succeeded
• All take advantage of social engineer. None took
  advantage of a security weakness.

19
Exploits for Sale!

• Trend Micro CTO quoted in various articles
  claiming to see Vista 0day on auction boards for
  upwards of 50k
• This isnt really news. Exploits for is not
  new.

20
Attacks for Sale
21
(No Transcript)
22
50k for an Exploit?
23
(No Transcript)
24
Exploit Prediction

• Because Im such an expert on the topic. ?
• (Ok stolen mostly from Symantecs Vista Attack
  Surface paper)
• The networking stack is a complete re-write.
  Symantec found several DoS attacks in pre-release
  Vista and expect more.
• SMB2
• IPv6
• Loopback attacks (exploit at low level connect
  back to medium level process, eg. IE protected
  mode connect back to SMB)

25
User Account Control

• The nuisance

26
User Account Control

• Power Users no longer exists (well it does, but
  does nothing unless you apply security template)
• Harmless tasks no longer require administrator
  (eg. Change time zone, connect to wireless
  network, install approved devices)
• Either on or off, no less annoying, or I said
  yes 5 times today, I still mean yes option
• Not entirely true, there are more group policy
  settings available to control its behaviour (all
  settingsless control, more nuisance)

27
Disabling User Account Control

• Method 1 - Using Control Panel
• Method 2 - Using Control Panel on Single User
• Method 3 - Using Registry Editor
• Method 4 - Using MsConfig System Configuration
• Method 5 - Using Group Policy

28
Registry/File Virtualization

• When running under limited user access (LUA)
  failed (insufficient permission) registry and
  file writes get redirected (virtualized)
• Registry access failures to HKLM redirect to HKCU
• From HKEY_LOCAL_MACHINE\Software
• to
• HKEY_CURRENT_USER\Software\Classes\VirtualStore\MA
  CHINE\Software
• File access failures also redirect
• From C\Progra1 (C\Program Files)
• to
• UserProfile\AppData\Local\VirtualStore\C\Progra
  1

29
Mildly entertaining
30
Windows Firewall

• XP has Domain vs. Standard configs
• Vista has Domain vs. Public vs. Private
• Application outbound rules (not on by default)
• Default config is same configuration as XP SP2
• IP v6 Support
• New console available by MMC thats super cool
• Integration with IPSec
• See Steve Rileys TechEd presentation 102 slides
  on Firewall and IPSec changes

31
Comparing features
32
(No Transcript)
33
Encrypted File System New in Vista

• You can store User keys on smart cards.
• You can store recovery keys on smart cards,
  allowing secure data recovery without a dedicated
  recovery station, even over Remote Desktop
  sessions.
• You can encrypt the Windows paging file using EFS
  with a key that is generated when the system
  starts up. This key is destroyed when the system
  shuts down.
• You can encrypt the Offline Files cache with EFS.
  In Windows Vista this encryption feature employs
  the users key instead of the system key.
• EFS supports a wider range of user certificates
  and keys.

34
Address Space Randomization

• Been used in the Unix world for over 10 years
• Goal is to eliminate overflow attacks (memory
  space is no longer predictable)
• Stack and Heap are randomized
• EXEs and DLLs shipping as part of Vista are
  randomized
• All other EXEs and DLLs will need to explicitly
  opt-in via a new PE header flag by default they
  will not be randomized. 'Note that DLLs marked
  for randomization, such as system DLLs, will be
  randomized in every process (regardless of
  whether other binaries in that process have
  opted-in or not)

35
Address Space Randomization

• Vista only uses 8 bits for randomization (28256)
  
• An attacker has a 1/256 chance of getting an
  address right
• Brute force is always a possibility (if the app
  doesnt die first)
• Side effect memory fragmentation

36
Address Space Randomization

• Ali Rahbar demonstrates in this whitepaper how to
  run an exploit on code not compiled with the
  randomization switch

37
Vista Piracy

• Volume Activation 2.0
• Cracks currently fall into 3 categories
• KMS in Virtual Machine (VMPlayer)
• TimeStop (aka 2099 Crack)
• FrankenBuild (RC1 components mixed with RTM)
• Bottom Line
• Updates to WGA will detect and disable
• Many Cracks come with trojans for no extra
  charge.

38
(No Transcript)
39
Bitlocker Crash Course

• Several Options
• TPM Only (this is default)
• TPM PIN
• TPM USB
• USB Only (no TPM present)
• AES 128bit or 256bit based encryption
• Brute Force currently computationally unfeasible
• If no PIN present, then stolen machines can still
  be attacked by traditional methods (ie. TPM is
  present, and decryption happens at boot)

40
Bitlocker Secure Enough?

• Attacks against TPM only mode
• Warm boot without destroying memory, grab keys
  from memory ghosts
• Cold ghosting (memory remains charged long enough
  to capture)
• PCI bus exploit with repurposed PC Card device
  and DMA (direct memory access) (e.g. CardBus DMA
  technique demoed by David Hulton at ShmooCon,
  2006)
• Xbox v1-style attacks
• BIOS attacks (may involve removal, re-programming
  and compromise of Core Root of Trust for
  Measurement (CRTM)
• TPMMultiFactor
• Brute force PIN (mitigated by TPM anti-hammering)
• Key wear analysis (theoretical)
• BitLocker Aware Boot-Rootkits
• Multi-Visit Attacks (Hobble Bitlocker, then steal
  laptop)
• Lost machine while unlocked (one chance threat)
• The best presentation I could find on bypassing
  BitLocker was actually put out by Microsoft
  themselves. Presentation by Douglas MacIver at
  Hack in the Box 2006.

41
BitLocker Secure Enough?

• Team Blog violently opposes and denies any govt
  backdoor. If one is legislated, they promise to
  disclose or withdraw the feature
• No apparent easy to execute attacks (yet)

42
PatchGuard

• Also known as Kernel Patch Protection (KPP)
• Not to be confused with requirement for signed
  drivers
• Means you cant mess with the kernel
• Exists for all x64 versions of Windows
• 5 or 6 bypass methods can be found searching,
  although little PoC exists, no methods appear to
  work with Vista
• Authentium "broke" Patchguard on RC
• Joannas raw-disk access Patchguard exploit
  shutdown with RC2
• Designed to both limit rootkit exposure and stop
  vendors from using undocumented kernel
  manipulation

43
PatchGuard

• This really is what all the AV vendors are upset
  about
• Symantec has posted a paper on how to disable
  first the kernel signed driver requirement and
  then Patchguard (not updated with RTM info, but I
  believe it would still work). Involves taking
  ownership on ACLs from TrustedInstaller (set by
  Windows Resource Protection), then patching
  NTOSKRNL.EXE and WINLOAD.EXE
• Most recent paper by Ken Johnson (Skywing) at
  http//www.nynaeve.net/ - Posted Jan 29

44
Notes on Secure Deployment

• Use BDD 3.0 for standardized rollout
• Read all 107 pages of Microsofts Vista Security
  Guide ?
• GPOAccelerator.wsf creates Domain, User, Desktop
  and Laptops GPOs for you!
• Deploy 64bit if possible (its more secure)
• Make sure your AV vendor supports Vista and x64
• Train users on UAC
• Replace Defender with something enterprise class

45
CMS Training Offerings

• INSPIRE Infrastructure Workshop
• 4 days of classroom training - demo intensiveAD,
  Exchange, ISA, Windows Server, SMS, MOM, Virtual
  Server
• Business Desktop Deployment Deploying
  Vista/Office
• 3 days of classroom training - hands on labs
  (computers provide)Business Desktop Deployment
  Concepts, Tools, Processes, etc. Vista and Office
  
• Securing Internet Information Services
• Securing ActiveDirectory
• Securing Exchange 2003
• 1 day classroom training per topic
• TRAINING BY EXPERTS FOR EXPERTS

46
SIGN UP NOW!http//www.sector.ca/