1. Windows Vista Security Tidbits
Steve Lamb
Technical Security Microsoft Ltd

2. Overview User And Group Changes Kernel Changes ACL Changes
Admin account
New/Missing SIDs
New/Missing Users and Groups
Cached credentials
Kernel Changes
Buffer overflow protection
ACL Changes
Encryption changes
Suite B
TS SSO
EFS with Smart Cards
Audit changes
User rights
New and changed security options
Firewall
Auth IP
SMBv2

3. User and Group Changes

4. Administrator Account Status.

5. Administrator Account Status

6. Power Users Are Not Anymore

7. The Support and Help Accounts

8. New Groups

9. Some Additional SIDs

10. And A Few More SIDs The Trusted Installer INTERNET USER
High integrity SID
System integrity SID
A Service
Low integrity SID
Medium integrity SID

11. Integrity Levels in Token

12. ACL Changes

13. ACL Modifications

14. Old ACL UI

15. New ACL UI

16. Owner Needs Explicit Perms

17. Kernel Changes

18. Better Buffer Overflow Protection
Second cookie protects exception handlers
Safer CRT exception handlers
No more executable pages outside images
Enforced by better development practices and code scanning tools
/NXCOMPAT linker flag in build tools
If all binaries in a process are marked NX is automatically enabled for the process
Heap protection
Signed kernel code (x64 only)

19. Crypto Changes

20. Offline Files Encrypted Per User

21. Encrypted Pagefile

22. Suite-B Crypto Software and Smart Card Key Storage Providers
Cryptographic configuration
NIST ECC Prime Curves support (smart cards too)
AES
SHA-2
IPsec support for AES and ECDH
ECC cipher suites in SSL
EFS with smart cards

23. Cached Credentials Much Tougher

24. Improved Auditing

25. Granular Audit Policy

26. Object Access Auditing
Object Access Attempt:
Object Server: %1
Handle ID: %2
Object Type: %3
Process ID: %4
Image File Name: %5
Access Mask: %6

27. Object Access Auditing
An operation was performed on an object.
Subject :                                                
                Security ID: %1
                Account Name: %2         
                Account Domain: %3
                Logon ID: %4         
Object:
                Object Server: %5
                Object Type: %6
                Object Name: %7
                Handle ID: %9
Operation:
                Operation Type: %8
                Accesses: %10
                Access Mask: %11
                Properties: %12
                Additional Info: %13
                Additional Info2: %14

28. Added Auditing For Registry value change audit events (old+new values)
AD change audit events (old+new values)
Improved operation-based audit
Audit events for UAC
Improved IPSec audit events including support for AuthIP
RPC Call audit events
Share Access audit events
Share Management events
Cryptographic function audit events
NAP audit events (server only)
IAS (RADIUS) audit events (server only)

29. More Info In Event Log UI

30. XML Events

31. New Event Numbers

32. New and Modified User Rights

33. Changes to User Rights All rights for Power Users removed
Create global objects does not have INTERACTIVE
SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET
Logon as a service is now empty by default

34. New User Rights Access credential manager as a trusted caller
Change time zone user right
Create symbolic links
Modify an object label
Synchronize directory service data
Increase a process working set .

35. Security Options With Modified Defaults

36. Anonymous Named Pipes

37. Anonymous Named Pipes

38. Network access: remotely accessible registry paths

39. Network access: remotely accessible registry paths

40. Network access: shares that can be accessed anonymously

41. Network access: shares that can be accessed anonymously

42. Network Security: Do not store LAN Manager hash value on next password change

43. Network Security: Do not store LAN Manager hash value on next password change

44. Network security: LAN Manager authentication level

45. Network security: LAN Manager authentication level

46. Devices: Allowed to format and eject removable media

47. Devices: Allowed to format and eject removable media

48. Devices: Restrict CD-ROM/Floppy access to locally logged on user only

49. Devices: Restrict CD-ROM/Floppy access to locally logged on user only

50. Devices: Unsigned driver installation behavior

51. Devices: Unsigned driver installation behavior

52. Why Change It?

53. Interactive logon: Require smart card

54. Interactive logon: Require smart card

55. New Security Options

56. Network access: remotely accessible registry paths and sub-paths

57. Network access: Restrict anonymous access to named pipes and shares

58. System settings: Optional subsystems

59. System settings: Use certificate rules on windows executables for software restriction policies

60. Lots and lots and lots of GP changes

61. Last Logon Display

62. Trusted Path Credential Entry

63. Smart Card Policies

64. SMBv2

65. What’s New In SMBv2 (in 30 seconds)
Only 16 commands (80 in SMBv1)
Implicit sequence number speeds up hashing
SHA-256 signatures (MD-5 in SMBv1)
Handles reconnections more reliably
Client-side file encryption (yay!!!)
Symbolic links across shares (disabled by default)
Better load balancing mitigates DOS attacks

66. Miscellany

67. New RDP Control

68. New RDP Control

69. Timeless Security Advice!
Order online:

70. Technical Security Evangelist @ Microsoft Ltd
IE NDA Presentation
3/25/2017
Thanks to Jesper M. Johansson, Ph.D. for creating the slides
Steve Lamb
Technical Security Microsoft Ltd
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Confidential -- Subject to Microsoft NDA