Windows Vista and LH Server: Understanding and Enhancing Security - PowerPoint PPT Presentation
1
Windows Vista and LH Server: Understanding and
Enhancing Security
  • Idan Plotnik
  • CTO, MSecurity
  • Microsoft Security Regional Director of ISA
    Server
  • V-IdanP@Microsoft.COM
  • Idan@MSecurity.NET

2
Agenda
  • Windows Vista and Longhorn Server Security
    Overview
  • Isolated Desktop
  • WinLogon Architecture
  • Service Hardening
  • User Account Control (UAC, a.k.a. UAP, a.k.a.
    LUA)
  • Network Access Protection (NAP)
  • Group Policy Object (GPO) Improvements
  • Wireless improvements in Longhorn and Vista

3
Vista Security Overview
[Diagram of security topic areas: Access Control,
Credential Management, Identity, Policy exp.,
Certificate Server, Eventing, Protocol, RBAC,
Lifecycle Management, Logging, Logon, Azman,
Credential Roaming, Common Criteria, 2 Factor AuthN,
App AuthZ, Smart Cards, FIPS, CAPI, CNG, X.509
Processing, Isolated Desktop, Secure Startup]
4
Session 0 Isolation: Windows XP behavior
5
Session 0 Isolation: Windows Vista behavior
[Diagram: Session 0 holds Service A, Service B and
Service C, separate from the user sessions]
6
WinLogon Architecture: Windows XP
[Diagram] Session 0: WinLogon, LSA, Profiles, User
GP, SCM, Machine GP, MSGINA, Shell. Other sessions:
WinLogon, User GP, MSGINA, Shell.
7
WinLogon Architecture: Vista
[Diagram] Session 0: WinInit, Profiles, SCM, Group
Policy. Other sessions: WinLogon, LogonUI,
Credential Provider 1, Credential Provider 2,
Credential Provider 3.
8
Credential Providers: Password Example
[Sequence diagram between LSA, WinLogon, LogonUI and
the Credential Provider Interfaces (Credential
Providers 1, 2, 3)]
  • 1. Ctrl+Alt+Delete (to WinLogon)
  • 2. WinLogon to LogonUI: Request Credential
  • 3. LogonUI to Credential Providers: Get credential
    information
  • 4. LogonUI: Display UI
  • 5. User: Click on tile, type user name and
    password, click Go
  • 6. Credential Provider: Go received
  • 7. LogonUI to Credential Provider: Get credential
    for logon
  • 8. LogonUI to WinLogon: Return Credential
  • 9. WinLogon to LSA: LSALogonUser
9
Service Hardening: Motivation
  • Services are attractive targets for malware
  • Run without user interaction
  • Number of critical vulnerabilities in services
  • Large number of services run as System
  • Worms target services
  • Sasser, Blaster, CodeRed, Slammer, etc

10
User Account Control
  • Previously known as UAP and LUA
  • Users will logon as non-administrator by default
  • Protects the system from the user
  • Enables the system to protect the user
    (Virtualization)
  • Consent UI allows elevation to administrator
  • Applications and administrator tools should be
    UAC aware
  • Differentiate capabilities based on UAC
  • Apply correct security checks to product features
  • Start testing your software in LH Beta2 with UAC

11
User Account Control
12
Network Access Protection (NAP)
13
Why Network Access Protection?
  • Customer environment
  • Customer requirements
  • Solution overview
  • Policy Validation
  • Network Restriction
  • Remediation
  • Ongoing Compliance

14
Network Access Protection Components
Enforcement Components, Health Components, Platform
Components
  • Quarantine Agent (QA): reports client health
    status, coordinates between SHA and NAD.
  • System Health Agents (SHA): declare health
    (patch state, virus signature, system
    configuration, etc.).
  • Quarantine Enforcement Clients (QEC): negotiate
    access with network access device(s); DHCP, VPN,
    1X, IPSec QECs.
  • Quarantine Server (QS): restricts clients'
    network access based on what SHV certifies.
  • System Health Validators (SHV): certify
    declarations made by health agents.
  • Network Access Devices: provide network access
    to healthy endpoints.
  • System Health Servers: define health
    requirements for system components on the client.
  • Health Registration Authority: issues
    certificates to clients that pass health checks.
  • Remediation Servers: install necessary patches,
    configurations, applications. Bring clients to
    healthy state.

[Diagram: the Client (SHA1, SHA2, Quarantine Agent
(QA), QEC1, QEC2) sends Network Access Requests and
Health Statements to the Network Access Device and
the Health Registration Authority, which issues a
Health Certificate; the IAS Policy Server (SHV1,
SHV2, Quarantine Server (QS)) receives Health policy
from the System Health Servers; Remediation Servers
supply Updates to the client]
15
Network Access Protection Walk-through
[Diagram: Client, Network Access Device (DHCP, VPN),
IAS Policy Server, Remediation Servers; the
Restricted Network and the Corporate Network]
  • System Health Servers send ongoing policy updates
    to the IAS Policy Server.
  • Client to Network Access Device: May I have
    access? Here's my current health status.
  • Network Access Device to IAS Policy Server:
    Should this client be restricted based on its
    health?
  • IAS Policy Server: According to policy, the
    client is not up to date. Quarantine client,
    request it to update.
  • Network Access Device to Client: You are given
    restricted access until fix-up. (Client is placed
    on the Restricted Network.)
  • Client to Remediation Servers: Can I have
    updates?
  • Remediation Servers to Client: Here you go.
  • Client to Network Access Device: Requesting
    access. Here's my new health status.
  • IAS Policy Server: According to policy, the
    client is up to date. Grant access.
  • Client is granted access to full intranet
    (Corporate Network).
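The NAP components and the walk-through above, replayed as a small Python simulation. This is an added example, not code from the deck or from Microsoft's NAP implementation; the two health checks (patch_level, av_signature), the policy thresholds and the hop labels are constructed assumptions that mirror the slide's dialogue, including the case where the remediation servers do not answer.

```python
from dataclasses import dataclass

# Health policy the System Health Servers push to the IAS Policy Server
# (constructed sample values: minimum patch level and AV signature date).
POLICY = {"patch_level": 3, "av_signature": 20060501}


@dataclass
class HealthStatement:
    """What the client's System Health Agents (SHAs) declare about the machine."""
    patch_level: int
    av_signature: int


def validate(statement, policy):
    """System Health Validators (SHVs): certify each declaration, return the failed checks."""
    return [check for check, minimum in policy.items()
            if getattr(statement, check) < minimum]


def remediate(statement, policy):
    """Remediation servers on the restricted network: bring the client up to policy."""
    return HealthStatement(**{check: max(getattr(statement, check), minimum)
                              for check, minimum in policy.items()})


def nap_walkthrough(statement, policy=POLICY, remediation_available=True, max_rounds=3):
    """Replay the exchange client -> NAD -> IAS -> (remediation) until access is granted.
    Returns ("full" | "restricted", transcript) with transcript entries (hop, message)."""
    log = []
    for _ in range(max_rounds):
        log.append(("client->NAD", "May I have access? Here's my current health status: %s" % statement))
        log.append(("NAD->IAS", "Should this client be restricted based on its health?"))
        failed = validate(statement, policy)
        if not failed:
            log.append(("IAS->NAD", "According to policy, the client is up to date. Grant access."))
            log.append(("NAD->client", "Client is granted access to full intranet."))
            return "full", log
        log.append(("IAS->NAD", "According to policy, the client is not up to date (%s). "
                                "Quarantine client, request it to update." % ", ".join(failed)))
        log.append(("NAD->client", "You are given restricted access until fix-up."))
        log.append(("client->remediation", "Can I have updates?"))
        if not remediation_available:
            # Failure mode: remediation servers unreachable, the client stays quarantined.
            log.append(("remediation->client", "(no response)"))
            return "restricted", log
        statement = remediate(statement, policy)
        log.append(("remediation->client", "Here you go."))
    return "restricted", log  # still non-compliant after max_rounds: keep it restricted


if __name__ == "__main__":
    access, log = nap_walkthrough(HealthStatement(patch_level=2, av_signature=20060401))
    for hop, message in log:
        print("%-22s %s" % (hop, message))
    print("final access:", access)
```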
16
Network Access Protection
17
Group Policy: What's New in Vista and Longhorn
Server. More Settings, Applied More Reliably,
Easier to Use
18
Group Policy Client Service
  • Reliability: a fundamental Vista goal
  • Prior to Windows Vista, Group Policy processing
    was implemented within the Winlogon process
  • Group Policy now runs in a shared service host on
    the client
  • Service has been hardened
  • A local administrator needs elevated privilege to
    stop the service
  • Service restart configuration provides recovery
    from any unexpected failures
  • Isolation of 3rd party Client Side Extensions
  • Note: this is transparent to users

19
Improved Network Awareness
  • More responsive to network changes
  • No longer just 90 minutes or so
  • If the previous policy application cycle was
    skipped or failed, it retries whenever network
    connectivity (ability to reach a DC) is available
  • Leverages NLA v2.0 (Network Location Awareness)
  • Subscribes for DC availability notification
  • Removal of dependence on ICMP (no more Ping!)
  • Improved bandwidth determination (through NLA)
  • Note: the Network Quarantine scenario needs
    additional configuration

20
Local GPO: Customer Request
  • The problem
  • Local GPOs are primarily used in
  • Customer request: ability to set different
    configurations for different users using just
    Local GPO
  • The solution: Multiple LGPOs
  • Supports having different policy settings for
    different local users
  • LGPOs for:
  • The machine (same LGPO as today)
  • NEW: Local groups (Admin or Non-Admin)
  • NEW: Individual local users
21
Troubleshooting Group Policy Some Challenges
  • Cryptic Error messages
  • No consistent diagnosis or resolution information
  • Error help link broken
  • Not Actionable
  • Userenv.log
  • Not many users aware of this option
  • Not IT Admin friendly
  • Each GP extension has a different format and
    location of its log
  • No consolidated centralized reporting

22
Vista GP Logging Enhancements
  • Leverages the new Crimson event
    management feature
  • XML based event logs
  • Simple event consolidation using Subscription
  • Can associate actions to events (send email,
    execute script/WMI jobs)
  • Two levels of logging
  • Admin events
  • Operational events
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
  • GpSvcDebugLevel (REG_DWORD) = 0x10002
  • NOTE: the new GP service is dynamic; no service
    restart or reboot is required. New file:
    gpsvclog.log
23
Wireless in Longhorn and Vista
24
Wireless Security
  • Highest level of standards-based security,
    including
  • WPA2, WPA, Wireless 802.1x
  • PEAP-MSCHAP v2 (default in Vista), PEAP-TLS,
    EAP-TLS
  • Secure Ad-Hoc Networking
  • WPA2-PSK security for Ad-Hoc networks
  • Single-Sign-On Experience
  • EAPHost Extensibility Framework
  • Enables 3rd party EAP methods
  • Security management through GP and CLI
  • Network Access Protection Support
  • Specific wireless networks or network types can
    be Blocked / Allowed

25
Wireless Group Policy: Vista Policy Enhancements
  • Deployment Simplified
  • Support for mixed wireless security environments
  • Separation of wired 802.1x and wireless services
  • Granular Manageability Supported
  • Allow / Deny Lists
  • WPA2, WPA, WEP, EAP-TLS, PEAP-MSCHAPv2, etc.
  • Hidden network support
  • Automatic / Manual connectivity
  • User Experience Improved
  • Extensibility Supported
  • For IHV specific settings

26
GPO Infrastructure Enhancements: Wireless UI
27
Wireless Interface: NETSH Commands
  • Wireless Commands
  • add profile
  • add filter
  • show profiles
  • show filters
  • show settings
  • show interfaces
  • delete profile
  • delete filter
  • set preferenceorder
  • set autoconfig
  • set blockednetworks
  • export profile
  • dump
  • Wired Commands
  • add profile
  • show profiles
  • show settings
  • show interfaces
  • delete profile
  • set autoconfig
  • export profile

28
Summary
  • Vista and LH Security model
  • Isolated Desktop
  • WinLogon architecture
  • Service Hardening
  • UAC
  • NAP
  • GPO
  • Wireless

29
Resources
  • Windows Vista Security Protection
  • User Account Control
  • Security Update Webcast

30
Thank you very much for your time!