Computer Security: Principles And Practice, 1/e


Computer Security: Principles and Practice
Chapter 24 – Windows and Windows Vista Security
First Edition, by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Windows and Windows Vista Security
- Windows is the world's most popular O/S
- advantage: security enhancements can protect millions of nontechnical users
- challenge: vulnerabilities in Windows can also affect millions of users
- will review the overall security architecture of Windows 2000 and later (but not Win9X)
- then the security defenses built into Windows

Windows Security Architecture
- Security Reference Monitor (SRM)
  - a kernel-mode component that performs access checks, generates audit log entries, and manipulates user rights (privileges)
- Local Security Authority (LSA)
  - responsible for enforcing local security policy
- Security Account Manager (SAM)
  - a database that stores user accounts and the security information for local users and groups
  - local logins perform a lookup against the SAM DB
  - passwords are not stored in cleartext but as an unsalted MD4 hash of the password (the "NT hash"); anyone who can read the SAM can attack or replay these hashes, so protecting the SAM matters as much as protecting the passwords

Windows Security Architecture
- Active Directory (AD)
  - Microsoft's LDAP directory
  - all Windows clients can use AD to perform security operations, including account logon
  - a user who logs on with a domain account (rather than a local account) authenticates using AD
  - the user's credential information is sent securely across the network to be verified by AD
- WinLogon (local) and NetLogon (net) handle login requests

Local vs Domain Accounts
- a networked Windows computer can be:
- domain joined
  - can log in with either domain or local accounts
  - if local, may not access domain resources
  - centrally managed and much more secure
- in a workgroup
  - a collection of computers connected together
  - only local accounts in the SAM can be used
  - no infrastructure to support an AD domain

Windows Login Example
- a domain admin adds the user's account info (name, account, password, groups, privileges)
- the account is represented by a Security ID (SID)
  - unique to each account within a domain
  - of the form S-1-5-21-AAA-BBB-CCC-RRR, where S-1-5-21-AAA-BBB-CCC identifies the domain (or the local machine) and RRR is the relative ID (RID) of the account within it
- username in one of two forms:
  - SAM format: DOMAIN\Username
  - User Principal Name (UPN): username@domain.company.com
- login using username & password, or a smartcard
- the user is issued with a token (user SID, group SIDs, privileges)
  - a copy of the token is assigned to every process run by the user

Windows Privileges
- are systemwide permissions assigned to user accounts
  - e.g. back up the computer, or change the system time
- some are deemed "dangerous", such as:
  - act as part of the operating system privilege
  - debug programs privilege
  - back up files and directories privilege
- others are deemed "benign", such as:
  - bypass traverse checking privilege

Access Control Lists
- two forms of access control list (ACL):
- Discretionary ACL (DACL)
  - grants or denies access to protected resources such as files, shared memory, named pipes, etc.
- System ACL (SACL)
  - used for auditing and, in Windows Vista, to enforce mandatory integrity policy (the integrity label is stored as an ACE in the SACL)

Access Control Lists
- objects needing protection are assigned a DACL (and possibly a SACL) that includes
  - the SID of the object owner
  - a list of access control entries (ACEs)
- each ACE includes a SID & an access mask
- an access mask could include the ability to:
  - read, write, create, delete, modify, etc.
- access masks are object-type specific
  - e.g. service abilities are create, enumerate

Security Descriptor (SD)
- data structure with the object owner, DACL, & SACL
  - e.g.
    Owner: CORP\Blake
    ACE[0]: Allow CORP\Paige Full Control
    ACE[1]: Allow Administrators Full Control
    ACE[2]: Allow CORP\Cheryl Read, Write and Delete
- there is no implied access: if there is no ACE for the requesting user, then access is denied
- applications must request the correct type of access
  - if they just request "all access" when they need less (e.g. read), some users who should have access will be denied

More SDs & Access Checks
- each ACE in the DACL determines access
- an ACE can be an allow or a deny ACE
- Windows evaluates the ACEs in the ACL in order, accumulating granted rights, until every requested right has been granted or any requested right is explicitly denied
- so deny ACEs must come before allow ACEs, otherwise an earlier allow ACE would grant access before the deny is ever seen
  - this is the default ordering if the ACL is set using the GUI
  - the ACEs must be explicitly ordered if the ACL is created programmatically
- when a user attempts to access a protected object, the O/S performs an access check
  - comparing the user and group SIDs in the token with the ACEs in the ACL
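The following PowerShell session, added here as an example and not part of the original slides, builds the kind of DACL described above on a scratch file: it adds the ACEs Allow-first on purpose, reads the DACL back to show the Deny ACE has been placed (and is evaluated) ahead of the Allows, and then shows why an application should request only the access it needs. The scratch path, the sample content and the Test-FileOpen helper are this example's own; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not from the Stallings/Brown slides. Windows PowerShell 5.1 / PowerShell 7 on Windows.
$path = Join-Path $env:TEMP 'acl-demo.txt'          # assumed scratch location
Set-Content -Path $path -Value 'constructed sample data'

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User      # caller's SID
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

$acl = Get-Acl -Path $path
# Stop inheriting from %TEMP%: with an empty DACL nobody has access ("no implied access").
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule($me,     'FullControl', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule($me,     'Write',       'Deny'))
)
# Added Allow-first deliberately: .NET's DiscretionaryAcl keeps the ACL canonical, so the
# explicit Deny still ends up ahead of the Allows when the ACL is written.
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $path -AclObject $acl

# Read it back: the Deny ACE is listed first; that is the order the access check walks.
(Get-Acl -Path $path).Access |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference } }, AccessControlType, FileSystemRights

# The access check stops at the first ACE that denies ANY requested right, so ask only for what you need.
function Test-FileOpen {
    param([string]$Path, [System.IO.FileAccess]$Access)
    try   { $fs = [System.IO.File]::Open($Path, 'Open', $Access, 'None'); $fs.Dispose(); $true }
    catch [System.UnauthorizedAccessException] { $false }
}
Test-FileOpen -Path $path -Access Read        # True : read is covered by the Allow FullControl ACE
Test-FileOpen -Path $path -Access ReadWrite   # False: the Deny Write ACE rejects the whole request,
                                              #        even though read on its own would have succeeded
Remove-Item -Path $path -Force                # Delete is still allowed (Deny Write does not include Delete)
```

Run it once elevated and once not: the result is the same, because the Deny ACE matches the caller's own SID, which is present in both tokens. Replace the Deny ACE's identity with a group you are not in and the ReadWrite open succeeds, which is exactly the "first matching ACE decides" behaviour the slide describes.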

Impersonation
- a process can have multiple threads
  - common for both clients and servers
- impersonation allows a server to serve a user using that user's own access privileges
  - e.g. the ImpersonateNamedPipeClient function sets the user's token on the current thread
  - then access checks for that thread are performed against this token, not the server's
  - so the thread operates with the user's access rights, not the server's

Mandatory Access Control
- Windows Vista has Integrity Control, which limits operations that change an object's state
- objects and principals are labeled (using a SID) as:
  - Low integrity (S-1-16-4096)
  - Medium integrity (S-1-16-8192)
  - High integrity (S-1-16-12288)
  - System integrity (S-1-16-16384)
- when a write operation occurs, the O/S first checks that the subject's integrity level dominates (is at least) the object's integrity level; only if it does is the DACL consulted, so a DACL that allows write is not enough on its own ("no write up")
- much of the O/S is marked medium or higher integrity
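To make the Login Example, Privileges and Mandatory Access Control slides concrete, here is an added PowerShell example (not from the slides) that dumps the caller's token, namely user SID split into domain part and RID, group SIDs, privileges flagged against the "dangerous" list, and the integrity label, and then labels a scratch file and applies the no-write-up rule. The dangerous-privilege list extends the three the slide names with other well-known equivalent privileges; the scratch path, the Test-MandatoryWrite helper and the level-name table are this example's own. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; whoami.exe and icacls.exe ship with Windows.

```powershell
# Added example, not from the Stallings/Brown slides.
$id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid = $id.User
"Account  : {0}" -f $id.Name
"SID      : {0}  (domain/machine part {1}, RID {2})" -f $sid.Value, $sid.AccountDomainSid, $sid.Value.Split('-')[-1]

# Group SIDs carried in the token (logon SIDs and some well-known SIDs have no resolvable name)
"Groups   :"
$id.Groups | ForEach-Object {
    $g = $_
    try   { '  {0,-48} {1}' -f $g.Translate([System.Security.Principal.NTAccount]).Value, $g.Value }
    catch { '  {0,-48} {1}' -f '(unresolved)', $g.Value }
}

# Integrity label: whoami reports it among the groups as an S-1-16-<RID> SID
$label   = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -like 'S-1-16-*'
$ilNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'
              12288 = 'High'; 16384 = 'System'; 20480 = 'Protected process' }
$myIl = [int]$label.SID.Split('-')[-1]
"Integrity: {0} ({1})" -f $ilNames[$myIl], $label.SID

# Privileges in the token, flagged against a list that extends the slide's three "dangerous" ones
$dangerous = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
             'SeAssignPrimaryTokenPrivilege'
"Privileges:"
whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
    $flag = if ($dangerous -contains $_.'Privilege Name') { 'DANGEROUS' } else { 'benign' }
    '  {0,-32} {1,-9} {2}' -f $_.'Privilege Name', $_.State, $flag
}

# No-write-up: a write needs subject IL >= object IL before the DACL is even looked at
function Test-MandatoryWrite([int]$SubjectRid, [int]$ObjectRid) { $SubjectRid -ge $ObjectRid }

# Label a scratch file. A caller may label an object at or below its own level, so Low always works.
$f = Join-Path $env:TEMP 'il-demo.txt'                       # assumed scratch location
Set-Content -Path $f -Value 'constructed sample'
icacls.exe $f /setintegritylevel Low | Out-Null
icacls.exe $f                                                # prints "Mandatory Label\Low Mandatory Level:(NW)"
Test-MandatoryWrite -SubjectRid $myIl  -ObjectRid 4096       # True : a Medium (or higher) caller may write a Low object
Test-MandatoryWrite -SubjectRid 8192   -ObjectRid 12288      # False: a Medium process cannot write a High object
# From an elevated (High) shell, "icacls.exe $f /setintegritylevel High" makes every non-elevated
# process fail its writes with "Access is denied" even though the DACL grants Full Control.
Remove-Item -Path $f -Force
```

Compare the output of an elevated and a non-elevated shell: the user SID and RID are identical, but the elevated token carries the High label, the Administrators group is no longer marked as deny-only, and the dangerous privileges appear. That difference is the whole point of running day-to-day work at Medium.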

Vista User Account [figure not transcribed]

Windows Vulnerabilities
- Windows, like all O/Ss, has security bugs
  - and bugs have been exploited by attackers to compromise customer operating systems
- Microsoft now uses a process improvement called the Security Development Lifecycle (SDL)
  - net effect: approx. 50% reduction in bugs
- Windows Vista used the SDL start to finish
- IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in 4 years, none critical

Windows Security Defenses
- attackers are now criminals rather than young, anarchic miscreants, and are highly motivated by money
- have categories of security defenses:
  - account defenses
  - network defenses
  - buffer overrun defenses
  - browser defenses

Windows System Hardening
- the process of shoring up defenses, reducing exposed functionality, and disabling features
  - known as attack surface reduction
  - use the 80/20 rule on features: ship enabled only the features most users need, and leave the rest off by default
  - not always achievable
  - e.g. requiring RPC authentication in XP SP2
  - e.g. stripping mobile code support on servers
- servers are easier to harden:
  1. they are used for very specific and controlled purposes
  2. server users are assumed to be administrators, with better computer configuration skills than typical users

Account Defenses
- user accounts can have privileged SIDs
- least privilege dictates that users operate with just enough privilege for their tasks
- Windows XP users are placed in local Administrators by default
  - for application compatibility reasons
  - can use "Secondary Logon" (Run As) to run individual apps under a less privileged account
  - also, restricted tokens reduce per-thread privilege
- Windows Vista reverses the default with User Account Control (UAC)
  - users run with a standard-user token and are prompted before a privileged operation is performed
  - unless logged in as the administrator on Windows Server

Low Privilege Service Accounts
- Windows services are long-lived processes started after booting
  - many ran with elevated privileges (as LocalSystem)
  - but many do not need elevated privileges
- Windows XP added the Local Service and Network Service accounts
  - allow a service local or network access respectively
  - otherwise operate at a much lower privilege level than LocalSystem
- Windows XP SP2 split the RPC service (RPCSS) in two (RPCSS and the DCOM Server Process Launcher), so that only the part that needs to run as LocalSystem does
  - an example of least privilege in action; see also IIS6
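An added PowerShell example (not from the slides) for auditing the point made above: which services run as LocalSystem and also listen on the network, and how to move a service to Local Service or Network Service. The Get-ServiceExposure and Set-ServiceLowPrivilege functions and the service name 'MyVendorAgent' are this example's own; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated shell so that process ownership of every socket is visible.

```powershell
# Added example, not from the Stallings/Brown slides. Run elevated on Windows 8 / Server 2012 or later.
function Get-ServiceExposure {
    # Win32_Service gives the account (StartName) and hosting process (ProcessId) of each service.
    $services  = Get-CimInstance Win32_Service
    $listening = Get-NetTCPConnection -State Listen | Select-Object -Unique OwningProcess, LocalPort
    foreach ($svc in ($services | Where-Object State -eq 'Running')) {
        $ports = ($listening | Where-Object OwningProcess -eq $svc.ProcessId).LocalPort
        # A socket belongs to the process, not to one service: svchost hosts several, so mark shared hosts.
        $shared = @($services | Where-Object { $_.ProcessId -eq $svc.ProcessId -and $_.ProcessId -ne 0 }).Count -gt 1
        [pscustomobject]@{
            Name       = $svc.Name
            Account    = $svc.StartName
            Listening  = ($ports | Sort-Object -Unique) -join ','
            SharedHost = $shared
        }
    }
}

# 1. Highest-value targets: LocalSystem services that accept network connections
Get-ServiceExposure |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.Listening } |
    Sort-Object Name | Format-Table -AutoSize

# 2. How the privilege split looks across the whole box
Get-CimInstance Win32_Service | Group-Object StartName |
    Sort-Object Count -Descending | Select-Object Count, Name

# 3. Move a service to a built-in low-privilege account.
#    Use sc.exe explicitly ("sc" alone is PowerShell's alias for Set-Content); the space after "obj=" is required.
function Set-ServiceLowPrivilege([string]$Name, [switch]$NeedsNetwork) {
    $account = if ($NeedsNetwork) { 'NT AUTHORITY\NetworkService' } else { 'NT AUTHORITY\LocalService' }
    & sc.exe config $Name obj= $account
}
# Set-ServiceLowPrivilege -Name 'MyVendorAgent' -NeedsNetwork   # assumed service name; restart it and
#                                                              # watch its log for access-denied errors
```

The check to run afterwards is not "does the service start" but "does it still do everything it did": a service that needs one privileged operation usually shows up as a single access-denied event in its log, which is the cue to grant that one right (for example an ACL on the directory it writes) rather than to put it back on LocalSystem.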

Stripping Privileges
- another defense is to strip privileges from an account soon after an application starts
  - e.g. the Index Server process runs as System so that it can access all disk volumes
  - but it then sheds any unneeded privileges as soon as possible
  - using AdjustTokenPrivileges (a removed privilege is gone from that token for good, unlike a merely disabled one, which code running in the process could re-enable)
- Windows Vista can define the privileges required by a service
  - using ChangeServiceConfig2; the service control manager then removes every other privilege from the service's token when it starts
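The slide names the two APIs; the added example below (not from the slides) shows both in use from PowerShell. The first part defines a small P/Invoke wrapper around OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges and uses it to remove privileges from the running process's own token, checking for ERROR_NOT_ALL_ASSIGNED, which is how Windows reports "that privilege was never in this token". The second part uses sc.exe, whose privs verb sets the same SERVICE_REQUIRED_PRIVILEGES_INFO that ChangeServiceConfig2 does. The TokenPriv class name, the privilege list and the service name 'MyVendorAgent' are this example's own assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the removals only have an effect in a shell whose token actually holds those privileges (i.e. an elevated one).

```powershell
# Added example, not from the Stallings/Brown slides.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, laid out as the kernel expects.
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prev, IntPtr retLen);
    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    const int  ERROR_NOT_ALL_ASSIGNED  = 1300;
    public const uint SE_PRIVILEGE_ENABLED = 0x2, SE_PRIVILEGE_REMOVED = 0x4;
    // Returns true if the token held the privilege and it was adjusted; false if the token never held it.
    public static bool Adjust(string name, uint attributes) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) throw new Win32Exception();
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1; tp.Attributes = attributes;
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) throw new Win32Exception();
            if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) throw new Win32Exception();
            // The call returns TRUE even when nothing changed; 1300 in the last error is the tell.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        } finally { CloseHandle(tok); }
    }
}
'@

function Get-TokenPrivilegeNames { (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name' }

$before = Get-TokenPrivilegeNames
# Shed what this shell does not need. SeChangeNotifyPrivilege (bypass traverse checking) is the
# "benign" one from the Privileges slide and is left alone: removing it breaks ordinary path access.
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege') {
    $held = [TokenPriv]::Adjust($p, [TokenPriv]::SE_PRIVILEGE_REMOVED)
    '{0,-26} {1}' -f $p, $(if ($held) { 'removed' } else { 'not held by this token' })
}
$after = Get-TokenPrivilegeNames
'privileges before: {0}  after: {1}' -f $before.Count, $after.Count
# A second Adjust() on the same name now reports "not held": the removal is permanent for this token.

# Service side: declare the privileges a service needs; the SCM strips everything else at start.
$svc = 'MyVendorAgent'                                   # assumed service name
& sc.exe qprivs $svc                                     # query what is currently declared (ChangeServiceConfig2 data)
# & sc.exe privs $svc SeChangeNotifyPrivilege/SeImpersonatePrivilege   # set it ("/" separates entries)
```

Note the asymmetry the slide relies on: AdjustTokenPrivileges can only take privileges away from (or toggle) what the token already holds, never add one, so a process that drops SeDebugPrivilege early cannot be talked into reacquiring it later by code injected through a bug.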

Network Defenses
- need more than user defenses
- the system is vulnerable to attack via its network services
- IPv6 and IPsec (authenticated, optionally encrypted network packets) are enabled by default in Windows Vista
  - IPv4 is also enabled by default, but is expected to see less use
- have a built-in software firewall
  - blocks inbound connections on specific ports; Vista can restrict a rule to allow local-net access only
  - optionally blocks outbound connections (Vista)
  - default was off (XP) but is now on (since XP SP2, and in Vista)
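An added example, not part of the slides, of the firewall settings the slide describes, using the NetSecurity cmdlets that replaced the Vista-era netsh advfirewall commands: profile defaults, a weak inbound rule beside its scoped replacement, an outbound block, and an audit for inbound allow rules that are open to any remote address. The rule names and the program path 'C:\Tools\example.exe' are this example's own; it assumes Windows 8 / Server 2012 or later and an elevated shell.

```powershell
# Added example, not from the Stallings/Brown slides. Run elevated on Windows 8 / Server 2012 or later.

# 1. Is the firewall on, and does each profile block unsolicited inbound traffic by default?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Enforce the defaults the slide describes: enabled, inbound blocked unless a rule allows it
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 3. Weak rule (commented out): a file-sharing port reachable from any address on any network
# New-NetFirewallRule -DisplayName 'SMB in (anywhere)' -Direction Inbound -Protocol TCP `
#     -LocalPort 445 -Action Allow

#    Scoped replacement: local subnet only, and never on the Public profile (the "local net access only" option)
New-NetFirewallRule -DisplayName 'SMB in (local subnet only)' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress LocalSubnet -Profile Domain, Private -Action Allow

# 4. Outbound filtering is opt-in: block one program from reaching the network at all
New-NetFirewallRule -DisplayName 'Block outbound: example tool' -Direction Outbound `
    -Program 'C:\Tools\example.exe' -Action Block                     # assumed path

# 5. Audit: enabled inbound allow rules that are not scoped to a remote address
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -eq 'Any') {
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $addr.RemoteAddress }
    }
} | Format-Table -AutoSize
```

The audit in step 5 is the one to keep running: applications add their own "Any" inbound rules at install time, and a rule that was reasonable on the Domain profile becomes an exposure the moment the laptop joins a hotel network on the Public profile.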

Buffer Overrun Defenses
- many compromises exploit buffer overruns
- Windows Vista has "Stack-Based Buffer Overrun Detection (/GS)" enabled by default
  - the source code is compiled with the special /GS option
  - it does not affect every function; only those with at least 4 bytes of contiguous stack data (a local buffer) or that take a pointer or buffer as an argument
- defends against the "classic stack smash": a random cookie is placed between the local buffers and the saved return address, and checked before the function returns, so an overrun that reaches the return address is detected before the corrupted address is used

Windows Stack and /GS flag [figure not transcribed]

Buffer Overrun Defenses
- No eXecute (NX) / Data Execution Prevention (DEP) / eXecute Disable (XD)
  - prevent code executing in data segments
  - as commonly used by buffer overrun exploits (shellcode placed in a stack or heap buffer)
  - applications opt in by being linked with the /NXCOMPAT option
- Stack Randomization (Vista only)
  - randomizes thread stack base addresses
- Heap-based buffer overrun defenses:
  - add and check a random value on each heap block
  - heap integrity checking
  - heap randomization (Vista only)

Other Defenses
- Image Randomization (ASLR)
  - the O/S boots in one of 256 configurations (image base addresses for system DLLs)
  - makes the O/S less predictable for attackers, who can no longer hard-code addresses
- Service Restart Policy
  - services can be configured to restart if they fail
  - great for reliability but lousy for security: every restart gives the attacker another attempt against the same vulnerable service
  - Vista sets some critical services so that they can only restart twice, then a manual restart is needed
  - gives an attacker only two attempts
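Whether a given binary opts in to the NX/DEP and image-randomization defenses of the two preceding slides is recorded in its PE header, and the added PowerShell example below (not from the slides) reads it directly: the DllCharacteristics word of the optional header (NX_COMPAT, DYNAMIC_BASE and a few later flags) and the RELOCS_STRIPPED bit of the COFF header, which matters because an image with no relocations cannot be moved no matter what DYNAMIC_BASE says. /GS is not visible this way (its cookie lives in the load config directory), so the example does not claim to detect it. The Get-PeMitigations function and its output field names are this example's own; it assumes Windows PowerShell 5.1 or PowerShell 7 and reads only local files.

```powershell
# Added example, not from the Stallings/Brown slides. Parses the PE header of a local binary.
function Get-PeMitigations {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path : no MZ header" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                      # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path : no PE signature" }   # "PE\0\0"
    $coff = $pe + 4                                              # IMAGE_FILE_HEADER (20 bytes)
    $fileChar = [BitConverter]::ToUInt16($b, $coff + 18)         # IMAGE_FILE_HEADER.Characteristics
    $opt   = $coff + 20                                          # IMAGE_OPTIONAL_HEADER
    $magic = [BitConverter]::ToUInt16($b, $opt)                  # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ (BaseOfData dropped, ImageBase widened).
    $dllChar = [BitConverter]::ToUInt16($b, $opt + 70)
    $arch = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
    [pscustomobject]@{
        Path           = $Path
        Arch           = $arch
        NxCompat       = [bool]($dllChar  -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT    (/NXCOMPAT: DEP)
        DynamicBase    = [bool]($dllChar  -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE: ASLR)
        RelocsStripped = [bool]($fileChar -band 0x0001)   # IMAGE_FILE_RELOCS_STRIPPED: cannot be relocated at all
        HighEntropyVA  = [bool]($dllChar  -band 0x0020)   # 64-bit high-entropy ASLR (later than Vista)
        NoSeh          = [bool]($dllChar  -band 0x0400)   # image uses no SEH handlers
        GuardCF        = [bool]($dllChar  -band 0x4000)   # Control Flow Guard (later than Vista)
    }
}

# A system DLL should show NxCompat and DynamicBase set and RelocsStripped clear
Get-PeMitigations -Path "$env:SystemRoot\System32\kernel32.dll"

# Every module loaded into this PowerShell process that would weaken DEP or ASLR for the whole process:
# one non-opted-in DLL at a predictable address is all a return-to-libc or ROP chain needs.
(Get-Process -Id $PID).Modules | ForEach-Object {
    try { Get-PeMitigations -Path $_.FileName } catch { Write-Warning $_ }
} | Where-Object { -not $_.NxCompat -or -not $_.DynamicBase -or $_.RelocsStripped } |
    Format-Table Path, Arch, NxCompat, DynamicBase, RelocsStripped -AutoSize
```

Point the function at a third-party application's install directory rather than System32 for the interesting results; vendor plug-ins built with old toolchains are where the flags are typically missing.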

Browser Defenses
- the web browser is a key point of attack
  - via script code, graphics, helper objects
- Microsoft added many defenses to IE7
  - ActiveX opt-in: ActiveX controls are unloaded by default; when any control is first run, the user is prompted to confirm
  - Protected Mode: IE runs at low integrity level (see earlier), so it is more difficult for malware to manipulate the O/S

Cryptographic Services
- low-level crypto for encryption, hashing, signing
- Encrypting File System (EFS)
  - allows files / directories to be encrypted / decrypted transparently for authorized users
  - generates a random per-file key, which is protected with the user's EFS key pair; the private key of that pair is in turn protected by DPAPI
- Data Protection API (DPAPI)
  - manages encryption key maintenance and protection
  - keys are derived in part from the user's password, so they are only as strong as that password
- BitLocker Drive Encryption
  - encrypts an entire volume with AES
  - the key is either on a USB device or sealed in a TPM chip

Summary
- Windows security architecture
- vulnerabilities
- security defenses
  - account, network, buffer, browser
- crypto services

