Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

Similar presentations


Presentation on theme: "©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation"— Presentation transcript:

1 ©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

2 ©2006 Microsoft Corporation. All rights reserved. Overview User And Group Changes Admin account New/Missing SIDs New/Missing Users and Groups Cached credentials Kernel Changes Buffer overflow protection ACL Changes Encryption changes Suite B TS SSO EFS with Smart Cards Audit changes User rights New and changed security options Firewall Auth IP SMBv2

3 ©2006 Microsoft Corporation. All rights reserved. User and Group Changes

4 ©2006 Microsoft Corporation. All rights reserved. Administrator Account Status

5 ©2006 Microsoft Corporation. All rights reserved. Built-in “Administrator” Safe mode created a hole: reboot and login without a password! New behavior: Non-domain: if you have a local admin, safe mode prohibits use of BA Domain: BA can never be used

6 ©2006 Microsoft Corporation. All rights reserved. Power Users Are Not Anymore

7 ©2006 Microsoft Corporation. All rights reserved. New Groups

8 ©2006 Microsoft Corporation. All rights reserved. Some Additional SIDs

9 ©2006 Microsoft Corporation. All rights reserved. And A Few More SIDs The Trusted Installer A Service INTERNET USER High integrity SID Low integrity SID Medium integrity SID System integrity SID

10 ©2006 Microsoft Corporation. All rights reserved. Integrity Levels in Token

11 ©2006 Microsoft Corporation. All rights reserved. ACL Changes

12 ©2006 Microsoft Corporation. All rights reserved. ACL Modifications

13 ©2006 Microsoft Corporation. All rights reserved. Old ACL UI

14 ©2006 Microsoft Corporation. All rights reserved. New ACL UI

15 ©2006 Microsoft Corporation. All rights reserved. Owner Needs Explicit Perms

16 ©2006 Microsoft Corporation. All rights reserved. Kernel Changes

17 ©2006 Microsoft Corporation. All rights reserved. Better Buffer Overflow Protection Second cookie protects exception handlers Safer CRT exception handlers No more executable pages outside images Enforced by better development practices and code scanning tools /NXCOMPAT linker flag in build tools If all binaries in a process are marked NX is automatically enabled for the process Heap protection Signed kernel code (x64 only)

18 ©2006 Microsoft Corporation. All rights reserved. Crypto Changes

19 ©2006 Microsoft Corporation. All rights reserved. Offline Files Encrypted Per User

20 ©2006 Microsoft Corporation. All rights reserved. Encrypted Pagefile

21 ©2006 Microsoft Corporation. All rights reserved. Suite-B Crypto Software and Smart Card Key Storage Providers Cryptographic configuration NIST ECC Prime Curves support (smart cards too) AESSHA-2 IPsec support for AES and ECDH ECC cipher suites in SSL EFS with smart cards

22 ©2006 Microsoft Corporation. All rights reserved. Cached Credentials Much Tougher

23 ©2006 Microsoft Corporation. All rights reserved. Improved Auditing

24 ©2006 Microsoft Corporation. All rights reserved. Granular Audit Policy

25 ©2006 Microsoft Corporation. All rights reserved. Object Access Auditing Object Access Attempt: Object Server:%1 Handle ID:%2 Object Type:%3 Process ID:%4 Image File Name:%5 Access Mask:%6

26 ©2006 Microsoft Corporation. All rights reserved. Object Access Auditing An operation was performed on an object. Subject : Security ID:%1 Account Name:%2 Account Domain:%3 Logon ID:%4 Object: Object Server:%5 Object Type:%6 Object Name:%7 Handle ID:%9 Operation: Operation Type:%8 Accesses:%10 Access Mask:%11 Properties:%12 Additional Info:%13 Additional Info2:%14

27 ©2006 Microsoft Corporation. All rights reserved. Added Auditing For Registry value change audit events (old+new values) AD change audit events (old+new values) Improved operation-based audit Audit events for UAC Improved IPSec audit events including support for AuthIP RPC Call audit events Share Access audit events Share Management events Cryptographic function audit events NAP audit events (server only) IAS (RADIUS) audit events (server only)

28 ©2006 Microsoft Corporation. All rights reserved. More Info In Event Log UI

29 ©2006 Microsoft Corporation. All rights reserved. XML Events

30 ©2006 Microsoft Corporation. All rights reserved. New Event Numbers

31 ©2006 Microsoft Corporation. All rights reserved. New and Modified User Rights

32 ©2006 Microsoft Corporation. All rights reserved. Changes to User Rights All rights for Power Users removed Create global objects does not have INTERACTIVE SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET Logon as a service is now empty by default

33 ©2006 Microsoft Corporation. All rights reserved. New User Rights Access credential manager as a trusted caller Winlogon uses for credential manager backup/restore Change time zone user right Create symbolic links Modify an object’s integrity label Synchronize directory service data Increase a process working set

34 ©2006 Microsoft Corporation. All rights reserved. Security Options With Modified Defaults

35 ©2006 Microsoft Corporation. All rights reserved. Anonymous Named Pipes

36 ©2006 Microsoft Corporation. All rights reserved. Anonymous Named Pipes

37 ©2006 Microsoft Corporation. All rights reserved. Network access: remotely accessible registry paths

38 ©2006 Microsoft Corporation. All rights reserved. Network access: remotely accessible registry paths

39 ©2006 Microsoft Corporation. All rights reserved. Network access: shares that can be accessed anonymously

40 ©2006 Microsoft Corporation. All rights reserved. Network access: shares that can be accessed anonymously

41 ©2006 Microsoft Corporation. All rights reserved. Network Security: Do not store LAN Manager hash value on next password change

42 ©2006 Microsoft Corporation. All rights reserved. Network Security: Do not store LAN Manager hash value on next password change

43 ©2006 Microsoft Corporation. All rights reserved. Network security: LAN Manager authentication level

44 ©2006 Microsoft Corporation. All rights reserved. Network security: LAN Manager authentication level

45 ©2006 Microsoft Corporation. All rights reserved. Devices: Allowed to format and eject removable media

46 ©2006 Microsoft Corporation. All rights reserved. Devices: Allowed to format and eject removable media

47 ©2006 Microsoft Corporation. All rights reserved. Devices: Restrict CD-ROM/Floppy access to locally logged on user only

48 ©2006 Microsoft Corporation. All rights reserved. Devices: Restrict CD-ROM/Floppy access to locally logged on user only

49 ©2006 Microsoft Corporation. All rights reserved. Devices: Unsigned driver installation behavior

50 ©2006 Microsoft Corporation. All rights reserved. Devices: Unsigned driver installation behavior

51 ©2006 Microsoft Corporation. All rights reserved. Why Change It?

52 ©2006 Microsoft Corporation. All rights reserved. Devices and Drivers

53 ©2006 Microsoft Corporation. All rights reserved. Allowing users to install drivers

54 ©2006 Microsoft Corporation. All rights reserved. Installing devices

55 ©2006 Microsoft Corporation. All rights reserved. Configuring device restrictions

56 ©2006 Microsoft Corporation. All rights reserved. New Security Options

57 ©2006 Microsoft Corporation. All rights reserved. Network access: Restrict anonymous access to named pipes and shares

58 ©2006 Microsoft Corporation. All rights reserved. System settings: Optional subsystems

59 ©2006 Microsoft Corporation. All rights reserved. System settings: Use certificate rules on windows executables for software restriction policies

60 ©2006 Microsoft Corporation. All rights reserved. Lots and lots and lots of GP changes

61 ©2006 Microsoft Corporation. All rights reserved. Last Logon Display

62 ©2006 Microsoft Corporation. All rights reserved. Trusted Path Credential Entry

63 ©2006 Microsoft Corporation. All rights reserved. Smart Card Policies

64 ©2006 Microsoft Corporation. All rights reserved. RDP

65 ©2006 Microsoft Corporation. All rights reserved. New RDP Control

66 ©2006 Microsoft Corporation. All rights reserved. New RDP Control

67 ©2006 Microsoft Corporation. All rights reserved. Timeless Security Advice! Order online: om


Download ppt "©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation"

Similar presentations


Ads by Google