Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Vista Security model and vulnerabilities.

Published byAleesha Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows Vista Security model and vulnerabilities."— Presentation transcript:

1 Windows Vista Security model and vulnerabilities

2 Features of Vista Security Model User account protection (UAP) New in Vista Goal: implement least-privilege user accounts Accounts created during installation are protected administrators and subject to UAP, and are limited user accounts (LUA) When executing without restrictions, a protected administrator user can make changes to key registry, start services, and perform all privileged functions However, processes launched by that user (including programs) do not inherit this full range of privileges

3 LUA (continued) Some processes cannot run properly without administrator privileges These processes can be allowed to inherit the full privileges from the administrator at launch A pop-up box will require the user to approve privilege escalation Claim: no process escalate its privileges without explicit consent from the protected administrator

4 Integrity levels (privilege levels) Integrity access levelSystem privileges HighAdministrative (install to Program Files folder, write system registry entries, etc.) MediumUser (access to its Documents folder and its section of the registry) LowUntrusted (access to Temporary Internet folders and low-privilege sections of current user’s registry)

5 Unprivileged user accounts Windows Vista (as XP) allows for the creation of standard user accounts (without administrator privileges) Creation of such accounts require additional steps Reasonable to expect that non-administrative accounts will be the default in well-managed corporate networks Reasonable to expect that administrative user accounts will be used by home users for all activities, including browsing the web

6 Mandatory Integrity Control (MIC) Also referred as Integrity Levels New in Vista Controlled by Access Control Entries (ACE) in System Access Control List (SACL) Applies to all securable objects (files, processes, registry keys, etc.) Spawned process inherit parent’s privileges MIC is enabled/disabled through a windows registry entry

7 SACL ACE types SIDIntegrity Level S-1-16-16384System Mandatory Level S-1-16-12288High Mandatory Level S-1-16-8192Medium Mandatory Level S-1-16-4096Low Mandatory Level

8 Integrity enforcement A process cannot interact with another process at a higher integrity level directly However, it is possible for a higher integrity process to directly interact with a lower privilege process It is possible for a process with any privilege to interact through IPC (named pipes,etc.) A lower integrity server to impersonate a higher integrity client using calls such as ImpersonateNamedPipeClient, as long as the impersonation level of the client allows it?! Registry entry keys have associated privilege levels. For instance, if IE has been given low privileges, it will only have access to a limited section of the registry even if launched by a protected administrator

9 Other restrictions A process is not generally able to send windowing messages to higher-privilege processes sharing the desktop Need to have explicit UI privileges in SACL Mechanisms to create processes that inherit only some of the user’s privileges via CreateRestrictedToken API. E.g: Removed privileges Match only DENY rules for an SID type

10 Elevation of process privileges Installer applications Has extension.msi, matches common installers, or has name SETUP.EXE Application has a compatibility entry in the registry key or a entry in the compatibility database Manifest file contains requestedExecutionLevel or requireAdministrator entries User manually selects “Run Elevated…” by right-clicking the application in Windows Explorer Lauched through a privileged process without using the restricted API Fixed bug: Launched through TaskManager COM objects configured as such in the registry (either builti-in or through user consent)

11 Lauching from Windows Explorer Windows explorer has a restricted token and medium integrity level To launch processes at higher integrity levels, it requests it to AppInfo Admin Broker RunAsAdminProcess system call Requets user consent (pop-up box) Triggers CreateProcessAsUser

12 Registry virtualization Application developers have traditionally assumed administrator privileges User-area registry files are written transparently if application requests to write to registry and fails, lacking privilege User-area registry overrides system registry for that user Augmented by file virtualization: C:\Progra~1 (C:\Program Files) to: %UserProfile%\AppData\Local\VirtualStore\C\P rogra~1 In this fashion, unprivileged applications can modify a localized win.ini, for instance Special virtualization rules apply to low-integrity processes such as IE

13 IE7 in Protected Mode IE7 in protected mode (Low IL) Compatibility Layer Integrity Mechanism IEInstal.exe Admin Broker (High IL) IEUser.exe User Broker (Medium IL) Administrative Rights Required User Rights Required Low Rights Required

14 Registry protection Not only files protected, but registry entries Modifications of system files made only through trusted installer Trusted installer called for updates (only accepts signed updates) Resolves a major security issue with earlier windows versions

15 Privilege escalation Processes by the same user can be running with medium or high privileges Since a medium privilege process can write to the current user registry, it can modify entries that control the behavior of the same user’s high-privilege processes (if written to that user’s registry) By default, user processes and files have medium integrity level, while IE7 (as before) is low integrity Examples of privilege escalation from low  medium  high  local system are provided by Matthew Conover, Principal Security Researcher, Symantec Corporation, in “Analysis of the Windows Vista Security Model,” a SYMANTEC ADVANCED THREAT RESEARCH technical report

16 Low to Medium IE7 cannot write files in the user account or the medium integrity area of the user registry, including adding startup items But it may be able to connect through the loopback interface to a file sharing service and achieve the same result

17 Medium to High Program runs in the background, listening to calls to consent.exe When it is called, it checks if it has write privileges to the caller Overwrite the caller with its own malicious code Launched w/ high privileges

18 High to LocalSystem If the high integrity process launched is not LUA restricted, it can Take ownership of security objects Change all registry files to grant administrators full privilege to system modification Apply patches to libraries that disabled signature checking for system files Modify the operating system arbitrarily There is no longer monitoring of modification of system files Still, overall a much stronger security architecture than earlier versions of windows

Download ppt "Windows Vista Security model and vulnerabilities."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Lesson 4: Configuring File and Share Access

Lesson 4: Configuring File and Share Access
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies

Similar presentations

Ads by Google