Windows Vista Security and Compliance - VA SCAN Home

Security and Compliance
Dean Iacovelli, Chief Security Advisor – State and Local Government, Microsoft Corporation, [email protected]



Agenda

Overview of Windows Vista security areas:
• Fundamentals
• Threat and vulnerability mitigation
• Identity and access control
• Information protection

NOTE: we only have 50 minutes – film at 11 !!


Fundamentals
• Security Development Lifecycle
• Threat Modeling and Code Reviews
• Windows Service Hardening

Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Granular Auditing
• Credential manager

Threat and Vulnerability Mitigation
• Internet Explorer Protected Mode
• Windows Defender

Information Protection
• BitLocker™ Drive Encryption
• EFS Smartcards
• Integrated RMS client

Fundamentals: Securing the codebase and services

Security Development Lifecycle

Product Inception
• Assign security advisor
• Identify security milestones
• Plan security integration into product

Design
• Define security architecture and design guidelines
• Document elements of software attack surface
• Threat Modeling

Standards, best practices, and tools
• Apply coding and testing standards
• Apply security tools (fuzzing tools, static-analysis tools, etc.)

Security Push
• Security code reviews
• Focused security testing
• Review against new threats
• Meet signoff criteria

Final Security Review
• Independent review conducted by the security team
• Penetration testing
• Archiving of compliance info

RTM and Deployment
• Signoff

Security Response
• Plan and process in place
• Feedback loop back into the development process
• Postmortems

Windows XP Services

[Diagram – layers from top to bottom: User, Admin, System services, Kernel]
• Few layers
• Mostly high-privileged
• Limited guards between layers

Windows Vista Service Hardening

[Diagram – layers from top to bottom: User, LUA user, Low-privilege services, Admin, System services, Kernel. D = drivers (kernel drivers in the kernel layer, user mode drivers in the low-privilege layer); S = services (system services and low-privilege services). Enforced by Service hardening and User Account Protection.]
• Reduced size of high-risk layers
• Increased number of layers
• Services are segmented
• Per service SIDs to apply ACLs, firewall rules
• Device drivers moved to user mode
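As an added example (not from the presentation, and not Microsoft code), the Python below derives the per-service SID that Vista puts into a service's token and shows why an ACL keyed on that SID separates two services that run under the same account. The derivation (S-1-5-80 followed by the SHA-1 of the upper-case service name in UTF-16LE, read as five little-endian 32-bit words) is the documented one for NT SERVICE\<name> identities; the DACL evaluator is a deliberately simplified stand-in for the Windows access check, and the configuration key, its ACL and the token contents are constructed for the demonstration.

```python
# Added example: per-service SID derivation plus a simplified DACL check.
# The SID scheme is the documented "NT SERVICE\<name>" one; the ACL walk is
# a simplified model of the Windows access check, not the kernel's code.
import hashlib
import struct

# Well-known Windows SIDs used below (real values).
LOCAL_SYSTEM = "S-1-5-18"
NETWORK_SERVICE = "S-1-5-20"
ADMINISTRATORS = "S-1-5-32-544"

FULL = frozenset({"read", "write"})
READ = frozenset({"read"})


def service_sid(service_name: str) -> str:
    """S-1-5-80-<w1>-<w2>-<w3>-<w4>-<w5>: the five words are the SHA-1 digest
    of the upper-case service name encoded as UTF-16LE, split into
    little-endian 32-bit integers. Case of the name does not matter."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    words = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(w) for w in words)


def access_allowed(dacl, token_sids, requested):
    """Simplified DACL walk. ACEs are (type, sid, rights); ACEs whose SID is
    not in the token are skipped, a matching deny that overlaps the request
    refuses at once, and otherwise the union of matching allows must cover
    every requested right. A canonical DACL (denies first) is assumed."""
    granted = set()
    for ace_type, sid, rights in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and rights & requested:
            return False
        if ace_type == "allow":
            granted |= rights
    return requested <= granted


def demo():
    """Two services both run as NETWORK SERVICE; only Dnscache's own service
    SID is granted write access to its (constructed) configuration key."""
    dns_sid = service_sid("Dnscache")
    time_sid = service_sid("W32Time")
    config_key_dacl = [                       # constructed ACL for the example
        ("allow", LOCAL_SYSTEM, FULL),
        ("allow", ADMINISTRATORS, FULL),
        ("allow", dns_sid, FULL),             # the per-service SID, not the account
        ("allow", NETWORK_SERVICE, READ),
    ]
    dns_token = {NETWORK_SERVICE, dns_sid}    # Vista adds the service SID to the token
    time_token = {NETWORK_SERVICE, time_sid}
    return (
        access_allowed(config_key_dacl, dns_token, {"write"}),   # True
        access_allowed(config_key_dacl, time_token, {"write"}),  # False
        access_allowed(config_key_dacl, time_token, {"read"}),   # True
    )


if __name__ == "__main__":
    print("TrustedInstaller:", service_sid("TrustedInstaller"))
    print(demo())
```

On a Vista or later machine the same value is shown by `sc showsid <service>`; a firewall rule scoped to a service uses this identity in the same way, which is what the slide's "per service SIDs to apply ACLs, firewall rules" refers to.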

Vista Service Changes: services common to both platforms

Windows XP SP2

LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS

NetworkService: DNS Client

Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Vista client

LocalSystem, Firewall Restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon

LocalSystem, Demand started: BITS

Network Service, Fully Restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA

Network Service, Network Restricted: TrkWks, Cryptographic Services

Local Service, No Network Access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System

Local Service, Fully Restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry

Threat And Vulnerability Mitigation: Protect against malware and intrusions

Internet Explorer 7

Social Engineering Protections
• Phishing Filter and Colored Address Bar
• Dangerous Settings Notification
• Secure defaults for all settings

Protection from Exploits
• Protected Mode to prevent malicious software
• Code quality improvements
• ActiveX Opt-in

ActiveX Opt-in And Protected Mode: Defending systems from malicious attack

ActiveX Opt-in puts users in control
• Reduces attack surface
• Previously unused controls disabled
• Retain ActiveX benefits, increase user security

Protected Mode reduces severity of threats
• Eliminates silent malware install
• IE process ‘sandboxed’ to protect OS

[Diagram – ActiveX Opt-in: Windows ships with Enabled Controls and Disabled Controls; a User Action is required to enable a disabled control. Protected Mode: IE runs with Low Rights and writes only to the IE Cache; a User Action through the Broker Process is required to reach My Computer (C:).]

Windows Defender
• Improved Detection and Removal
• Redesigned and Simplified User Interface
• Protection for all users

Windows Vista Firewall

Combined firewall and IPsec management
• New management console
• Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent
• Specify authentication and encryption
• Specify Active Directory computer or user groups

Outbound filtering
• Enterprise management feature – not for consumers

Group Policy Device Restriction

Identity And Access Control: Enable Secure Access to Information

Challenges
• Too many users running as local admin by default
  Whatever users can do, malware can do
• Too many apps requiring local admin to run
  System security must be relaxed to run the application
• Common OS tasks require local admin
  Simple scenarios like changing the time zone don’t work

User Account Control

Simplify common tasks
• Standard users can change time zone, power mgmt, printer, wireless, and other settings

High application compatibility
• File and registry virtualization for legacy apps

Perform most tasks as standard user
• Privilege level switch in UI without logoff
• Administrators privilege elevated only for administrative tasks or applications
• User provides explicit consent before using elevated privilege

Elevated Privileges

[Diagram – Consent Prompts: the prompt differs for an Operating System component, a Signed Application and an Unsigned Application.]

Improved Auditing: More Granularity
• New subcategories for Logon, logoff, file system access, registry access, use of administrative privilege

New Logging Infrastructure
• Easier to filter out “noise” in logs and find the event you’re looking for
• Tasks tied to events: When an event occurs, such as administrative privilege use, tasks such as sending an Email to an auditor can run automatically
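As an added example (not part of the presentation), the Python below does in code what the two auditing slides describe: it drops the subcategories an analyst treats as noise, keeps administrative-privilege use by people rather than built-in accounts, and attaches a task to each remaining event. The log lines are a constructed pipe-delimited rendering rather than real Windows event-log output; the event IDs and subcategory names are the real Vista-era ones, and the "send mail to an auditor" task is replaced by a function that only builds the message.

```python
# Added example: subcategory filtering and event-triggered tasks over
# constructed audit records (not real Windows event-log output).
from dataclasses import dataclass

# Constructed sample, one record per line: EventID|Subcategory|Account|Detail
SAMPLE_LOG = """\
4624|Logon|CONTOSO\\alice|Logon Type 2
4624|Logon|NT AUTHORITY\\SYSTEM|Logon Type 5
4634|Logoff|CONTOSO\\alice|
4663|File System|CONTOSO\\alice|READ C:\\Users\\alice\\notes.txt
4657|Registry|CONTOSO\\alice|HKLM\\SOFTWARE\\Contoso\\Agent\\Enabled
4672|Special Logon|CONTOSO\\bob|SeDebugPrivilege SeBackupPrivilege
4673|Sensitive Privilege Use|CONTOSO\\bob|SeDebugPrivilege
4673|Sensitive Privilege Use|NT AUTHORITY\\SYSTEM|SeTcbPrivilege
4634|Logoff|CONTOSO\\bob|
"""

# Subcategories chosen by the analyst: routine logon/logoff is noise here,
# the two privilege subcategories are what the "task tied to events" watches.
NOISE_SUBCATEGORIES = {"Logon", "Logoff"}
PRIVILEGE_SUBCATEGORIES = {"Special Logon", "Sensitive Privilege Use"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


@dataclass(frozen=True)
class AuditEvent:
    event_id: int
    subcategory: str
    account: str
    detail: str


def parse_log(text: str):
    """Parse the constructed format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, subcategory, account, detail = line.split("|", 3)
        events.append(AuditEvent(int(event_id), subcategory, account, detail))
    return events


def filter_noise(events, noise=NOISE_SUBCATEGORIES):
    """Drop the subcategories the analyst does not want to see."""
    return [e for e in events if e.subcategory not in noise]


def privilege_use_by_people(events):
    """Administrative-privilege events, excluding built-in system accounts."""
    return [e for e in events
            if e.subcategory in PRIVILEGE_SUBCATEGORIES
            and e.account not in SYSTEM_ACCOUNTS]


def run_tasks(events, task):
    """Run task(event) for every qualifying event and collect the results,
    the way Vista's "attach task to this event" runs an action per event."""
    return [task(e) for e in privilege_use_by_people(filter_noise(events))]


def notify_auditor(event: AuditEvent) -> str:
    # Stand-in for mailing an auditor: just build the message text.
    return f"ALERT {event.event_id} {event.account}: {event.detail}"


if __name__ == "__main__":
    for message in run_tasks(parse_log(SAMPLE_LOG), notify_auditor):
        print(message)
```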

Authentication Improvements

Plug and Play Smart Cards
• Drivers and Certificate Service Provider (CSP) included in Windows Vista
• Login and credential prompts for User Account Control all support Smart Cards

New logon architecture
• GINA (the old Windows logon model) is gone. Less coding required for 3rd party biometric, one-time password tokens, and other authentication methods to Windows

Information Protection: Protect Corporate Intellectual Property and Customer Data

BitLocker™ Drive Encryption
• Designed to prevent a thief from breaking OS
• Provides data protection on your Windows client systems, even when the system is in unauthorized hands
• Uses a v1.2 TPM or USB flash drive for key storage

BitLocker Spectrum Of Protection

TPM Only – “What it is.”
  Protects against: SW-only attacks
  Vulnerable to: HW attacks (including potentially “easy” HW attacks)

TPM + PIN – “What you know.”
  Protects against: Many HW attacks
  Vulnerable to: TPM breaking attacks

Dongle Only – “What you have.”
  Protects against: All HW attacks
  Vulnerable to: Losing dongle; Pre-OS attacks

TPM + Dongle – “Two what I have’s.”
  Protects against: Many HW attacks
  Vulnerable to: HW attacks

BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

Recovery Options
• BitLocker™ setup will automatically escrow keys and passwords into AD
  Centralized storage/management keys
• Can also backup keys and passwords onto a USB dongle or to a file location (set via policy)
  Default for non-domain-joined users
• Recovery password known by the user/administrator
  Recovery can occur “in the field” – 48 char recovery password
• Delete the keys and you have securely de-provisioned that machine !!
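As an added example (not from the presentation), the Python below checks the structure of the 48-character recovery password mentioned above and unpacks it into the 16-byte value it encodes. The format rules it applies, eight groups of six decimal digits, each group a multiple of 11 and below 720896, are the documented ones for BitLocker recovery passwords; the sample passwords are constructed. What BitLocker then does with those 16 bytes (stretching them with metadata from the volume before unwrapping the volume master key) is outside this example.

```python
# Added example: BitLocker recovery password format check and unpacking.
# Format rules are the documented ones; the sample values are constructed.
import re
import struct

GROUPS = 8
DIGITS_PER_GROUP = 6
GROUP_LIMIT = 65536 * 11      # 720896: group / 11 must fit in 16 bits


class RecoveryPasswordError(ValueError):
    pass


def parse_recovery_password(text: str) -> bytes:
    """Return the 16 bytes encoded by a recovery password, or raise.
    Dashes and whitespace between groups are ignored."""
    digits = re.sub(r"[\s-]", "", text)
    if len(digits) != GROUPS * DIGITS_PER_GROUP or not digits.isdigit():
        raise RecoveryPasswordError("expected 48 decimal digits in 8 groups of 6")
    words = []
    for i in range(GROUPS):
        group = int(digits[i * DIGITS_PER_GROUP:(i + 1) * DIGITS_PER_GROUP])
        if group % 11:
            # The multiple-of-11 rule is the built-in typo check: one wrong
            # digit in a group breaks divisibility, so it is caught at entry.
            raise RecoveryPasswordError(f"group {i + 1} fails the check digit")
        if group >= GROUP_LIMIT:
            raise RecoveryPasswordError(f"group {i + 1} is out of range")
        words.append(group // 11)
    return struct.pack("<8H", *words)      # eight little-endian 16-bit words


def is_valid_recovery_password(text: str) -> bool:
    try:
        parse_recovery_password(text)
        return True
    except RecoveryPasswordError:
        return False


def format_recovery_password(raw: bytes) -> str:
    """Inverse of parse: 16 bytes -> 'dddddd-dddddd-...' form."""
    words = struct.unpack("<8H", raw)
    return "-".join(f"{w * 11:06d}" for w in words)


# Constructed sample: words 0..7 encoded as groups 0, 11, 22, ..., 77.
SAMPLE = "000000-000011-000022-000033-000044-000055-000066-000077"

if __name__ == "__main__":
    print(parse_recovery_password(SAMPLE).hex())
    # A single mistyped digit is rejected by the check-digit rule.
    print(is_valid_recovery_password(SAMPLE.replace("000022", "000023")))
```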

EFS Enhancements: Extended Security Scenarios
• Support for private keys stored on smartcards
• New Group Policies for enterprise management
• Key and certificate backup notification
• Diagnostics wizard for troubleshooting

Windows Vista Security Summary

Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity

Threat and Vulnerability Mitigation
• IE – protected mode/anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPSEC improvements
• Network Access Protection (NAP)

Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Simplified Logon architecture
• Bitlocker
• RMS Client

Resources
• Vista security overview: http://www.microsoft.com/technet/windowsvista/security/default.mspx
• White papers: http://www.microsoft.com/security/windowsvista/default.mspx
• Vista security blog: http://blogs.msdn.com/windowsvistasecurity/
• Vista security on-demand webcasts: http://msevents.microsoft.com/cui/eventdetail.aspx?eventID=1032293003&Culture=en-US
  http://go.microsoft.com/?linkid=4573437
  http://www.microsoft.com/winme/0605/27914/Mike_Nash_Vista_Demo_MBR.asx
• COMING AT LAUNCH: Windows Vista Security Guide

Q&A

Appendix

Phishing Filter: Dynamic Protection Against Fraudulent Websites

3 “checks” to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar
• Level 1: Warn – Suspicious Website is signaled
• Level 2: Block – Confirmed Phishing Site is signaled and blocked
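As an added example (not from the presentation, and not the Phishing Filter's own code), the Python below runs a URL through the three checks in the order the slide lists them and maps the outcome onto the two levels in the status bar: a hit on the local list of legitimate sites short-circuits to allow, local heuristics produce a warning, and a hit from the reputation service blocks. The allow-list, the "online" reputation set and the heuristics are constructed for the example; the real filter's lists and rules are not public and are not reproduced.

```python
# Added example: three-stage URL classification (local list, heuristics,
# reputation lookup) with constructed data standing in for the real lists.
import ipaddress
from urllib.parse import urlsplit

# Check 1 data: constructed stand-in for the local list of legitimate sites.
KNOWN_LEGITIMATE = {"microsoft.com", "example.com"}

# Check 3 data: constructed stand-in for the online service of reported sites.
REPORTED_PHISHING = {"login-example.com.attacker.test"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host; adequate for .com-style names."""
    return ".".join(host.lower().split(".")[-2:])


def check_local_list(host: str) -> bool:
    """Check 1: is the site on the local list of known legitimate sites?"""
    return registrable_domain(host) in KNOWN_LEGITIMATE


def phishing_characteristics(url: str) -> list:
    """Check 2: cheap local heuristics for features common to phishing URLs.
    Returns the list of reasons found (empty when nothing looks wrong)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append("credentials in URL (text before '@' is not the site)")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        reasons.append("raw IP address instead of a host name")
    elif host.count(".") >= 3:
        reasons.append("deeply nested host name")
    brands = {d.split(".")[0] for d in KNOWN_LEGITIMATE}
    if not is_ip and any(b in host for b in brands) and not check_local_list(host):
        reasons.append("known brand name inside an unrelated domain")
    if parts.scheme == "http" and any(
            w in parts.path.lower() for w in ("login", "verify", "account")):
        reasons.append("credential-related path without TLS")
    return reasons


def check_online(host: str, lookup=REPORTED_PHISHING.__contains__) -> bool:
    """Check 3: ask the (simulated) reputation service about the host."""
    return lookup(host.lower())


def classify(url: str, lookup=REPORTED_PHISHING.__contains__):
    """Return ('allow' | 'warn' | 'block', reasons): Level 1 warn comes from
    the heuristics, Level 2 block from a confirmed report."""
    host = urlsplit(url).hostname or ""
    if check_local_list(host):
        return "allow", []
    reasons = phishing_characteristics(url)
    if check_online(host, lookup):
        return "block", reasons + ["reported phishing site"]
    if reasons:
        return "warn", reasons
    return "allow", []


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/security",
              "http://192.0.2.10/login",
              "http://microsoft.com@evil.test/",
              "http://login-example.com.attacker.test/verify"):
        print(u, "->", classify(u))
```

The order matters for cost and privacy as much as for accuracy: the local list and heuristics need no network round trip, so only sites that pass neither are sent to the reputation service.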

IE6

[Diagram – IE6 running with Admin Rights: the single IExplore process has Admin-Rights Access to HKLM and Program Files and User-Rights Access to HKCU, My Documents and the Startup Folder, and writes Temp Internet Files (untrusted files & settings). Every action – install a driver, run Windows Update, change settings, download a picture, cache Web content – runs with those rights, so an exploit can install MALWARE.]

Advanced Malware Protection: Protected Mode IE, UAC contain threats

[Diagram – IE7 Protected Mode: Integrity Control runs the IExplore process at low rights; on its own it can only cache Web content into Temp Internet Files (untrusted files & settings). Legacy writes to redirected settings & files go through the CompatRedirector. Actions that need more rights – save a picture, change settings, install an ActiveX control – are brokered through the IEUser (User-Rights Access: HKCU, My Documents, Startup Folder) and IEAdmin (Admin-Rights Access: HKLM, HKCR, Program Files) processes.]
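As an added example (not from the presentation), the Python below models the access decisions in the two diagrams above: IE6 writes wherever the logged-on user can, while Protected Mode IE runs at low integrity, is refused any write-up by mandatory integrity control, has legacy writes diverted by the CompatRedirector, and reaches higher-integrity locations only through a broker after a user action. The integrity levels, the no-write-up rule and the broker split follow the published Protected Mode design; the location table, the redirect targets and the action-to-broker mapping are simplified and constructed for this model.

```python
# Added example: a simplified model of Protected Mode's integrity-level
# decisions. Levels and the no-write-up rule are the real design; the
# location table, redirect targets and broker mapping are constructed.
LOW, MEDIUM, HIGH = 1, 2, 3

# Where the slide's locations sit in the integrity hierarchy (simplified).
OBJECT_INTEGRITY = {
    "Temp Internet Files": LOW,
    "HKCU": MEDIUM, "My Documents": MEDIUM, "Startup Folder": MEDIUM,
    "HKLM": HIGH, "HKCR": HIGH, "Program Files": HIGH,
}

# CompatRedirector: legacy writes to medium-IL user locations are diverted
# to low-IL copies, so old add-ons keep working without a write-up.
COMPAT_REDIRECTS = {
    "HKCU": "HKCU (low-IL virtualized copy)",
    "My Documents": "Temp Internet Files\\Virtualized\\My Documents",
}

# Brokers outside the sandbox and the level each runs at.
BROKERS = {"IEUser": MEDIUM, "IEAdmin": HIGH}
BROKERED_ACTIONS = {
    "save a picture": "IEUser",
    "change settings": "IEUser",
    "install an ActiveX control": "IEAdmin",
}


def mic_allows(subject_il: int, object_il: int, access: str) -> bool:
    """Mandatory integrity control, no-write-up policy: reads fall through
    to the ordinary ACL (assumed to pass here); writes need
    subject IL >= object IL."""
    return access != "write" or subject_il >= object_il


def ie6_write(location: str) -> tuple:
    """IE6 runs with the user's full rights (admin on the slide), so an
    exploit inside it writes anywhere the user can."""
    return True, location


def protected_mode_write(location: str, compat: bool = True) -> tuple:
    """Protected Mode IE runs at LOW. Returns (allowed, effective target)."""
    if compat and location in COMPAT_REDIRECTS:
        return True, COMPAT_REDIRECTS[location]        # the copy is itself low-IL
    return mic_allows(LOW, OBJECT_INTEGRITY[location], "write"), location


def broker_request(action: str, location: str, user_consented: bool) -> tuple:
    """A user action is forwarded to its broker, which performs the write
    only after the user's explicit choice and only within its own level.
    Returns (performed, broker)."""
    broker = BROKERED_ACTIONS[action]
    if not user_consented:
        return False, broker
    return mic_allows(BROKERS[broker], OBJECT_INTEGRITY[location], "write"), broker


if __name__ == "__main__":
    for loc in ("Temp Internet Files", "HKCU", "Startup Folder", "HKLM"):
        print(f"{loc:20s} IE6: {ie6_write(loc)}  Protected Mode: {protected_mode_write(loc)}")
    print(broker_request("install an ActiveX control", "Program Files", False))
    print(broker_request("install an ActiveX control", "Program Files", True))
```

The silent-install case on the IE6 diagram is the write to the Startup Folder with no user action; in the model that write is refused at low integrity and is not among the redirected locations, which is the "eliminates silent malware install" claim in concrete form.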

Bitlocker™ Hardware Requirements

Hardware requirements to support BDE
• Trusted Platform Module (TPM) v1.2
  Provides platform integrity measurement and reporting
  Requires platform support for TPM Interface (TIS)
• Firmware (Conventional or EFI BIOS) – TCG compliant
  Establishes chain of trust for pre-OS boot
  Must support TCG specified Static Root Trust Measurement (SRTM)
• Additional functionality enabled by USB dongle
• At least 2 partitions. Partitions should be NTFS.

What Is A Trusted Platform Module (TPM)?

Smartcard-like module on the motherboard that:
• Helps protect secrets
• Performs cryptographic functions
  RSA, SHA-1, RNG
  Meets encryption export requirements
• Can create, store and manage keys
  Provides a unique Endorsement Key (EK)
  Provides a unique Storage Root Key (SRK)
• Performs digital signature operations
• Holds Platform Measurements (hashes)
• Anchors chain of trust for keys and credentials
• Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
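As an added example (not from the presentation, and not TPM or BitLocker code), the Python below shows what the "platform measurements", "chain of trust for pre-OS boot" and SRTM items on the last two slides mean in practice: each boot component is hashed into a Platform Configuration Register before control passes on, and a secret sealed to the resulting register value stops unsealing as soon as any component in the chain changes. The extend rule (new PCR = SHA-1(old PCR || measurement) on 20-byte registers that start at zero) is the TPM 1.2 one; the seal and unseal functions are a toy stand-in for TPM_Seal/TPM_Unseal, which on a real TPM keep the blob encrypted under the SRK and compare the PCRs inside the chip; the boot components are constructed byte strings.

```python
# Added example: SRTM-style PCR extension and a toy seal/unseal bound to the
# PCR value. Extend rule is TPM 1.2's; seal/unseal and boot images are toys.
import hashlib

PCR_BYTES = 20                    # SHA-1 sized registers on a 1.2 TPM
PCR_RESET = bytes(PCR_BYTES)      # the boot-time PCRs start at all-zero


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: new PCR = SHA-1(old PCR || measurement).
    There is no way to set a PCR directly, only to extend it."""
    assert len(pcr) == PCR_BYTES and len(measurement) == PCR_BYTES
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(components) -> bytes:
    """Static root of trust: each pre-OS stage hashes the next image into
    the PCR before handing over, so the final value depends on every image
    and on their order."""
    pcr = PCR_RESET
    for image in components:
        pcr = pcr_extend(pcr, hashlib.sha1(image).digest())
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy seal: derive a key from the expected PCR value and mask the
    secret with it. Secrets up to 20 bytes (one SHA-1 output) are supported."""
    assert len(secret) <= PCR_BYTES
    key = hashlib.sha1(b"toy-seal-key" + expected_pcr).digest()
    blob = bytes(s ^ k for s, k in zip(secret, key))
    return {"pcr": expected_pcr, "blob": blob}


def unseal(sealed: dict, current_pcr: bytes):
    """Toy unseal: release the secret only when the live PCR matches the
    value it was sealed to; a real TPM refuses inside the chip."""
    if current_pcr != sealed["pcr"]:
        return None
    key = hashlib.sha1(b"toy-seal-key" + sealed["pcr"]).digest()
    return bytes(b ^ k for b, k in zip(sealed["blob"], key))


# Constructed boot chain: firmware -> MBR -> boot sector -> boot manager.
GOOD_BOOT = [b"firmware v1", b"MBR", b"NTFS boot sector", b"bootmgr"]
TAMPERED_BOOT = [b"firmware v1", b"MBR", b"NTFS boot sector", b"bootmgr-modified"]


def boot_and_unseal(components, sealed: dict):
    """Replay a boot and try to release the sealed secret at the end."""
    return unseal(sealed, measure_boot(components))


if __name__ == "__main__":
    volume_key = bytes(range(16))                   # constructed 128-bit secret
    sealed = seal(volume_key, measure_boot(GOOD_BOOT))
    print("good boot   :", boot_and_unseal(GOOD_BOOT, sealed).hex())
    print("tampered    :", boot_and_unseal(TAMPERED_BOOT, sealed))
```

This is the mechanism behind the "TPM Only" row of the spectrum slide: nothing on disk is secret, and the protection rests on the PCR values that a modified boot path cannot reproduce. It is also why the "what you know" and "what you have" rows add a PIN or dongle, since a hardware attack on the TPM itself is not something the chain of measurements can detect.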

Bitlocker™ Features Overview

BitLocker Drive Encryption (BDE)
• Prevents bypass of Windows’ boot process

TPM Base Services (TBS)
• Windows and 3rd party SW access to TPM

Pre-OS multi-factor authentication
• Dongle, BIOS, and TPM-backed SW Identity

Bit-chipping
• Sys-admin ONLY tool to securely speed-up PC re-deployment

Single MS TPM driver
• Improved stability and security

Scenarios: Lost or stolen laptop; Branch-office Server

Bitlocker™ Drive Appears In XP

Bitlocker™ Drive Appears In Vista