
Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end (FUN210), Avi Ben-Menahem, Lead Program Manager, Microsoft. Presentation transcript.


Slide 1: Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end (FUN210)
- Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
- Andrew Tucker, Development Lead, Microsoft Corporation

Slide 2: Agenda
- Windows Vista and “Longhorn” Server Security Overview
- Isolated Desktop
- Crypto Next Generation (a.k.a. CNG)
- Base Smart Card CSP architecture
- X.509 Enrollment classes
- WinLogon Architecture
- User Account Protection and You

Slide 3: Secure Operating System, Vista Security Overview (diagram)
- Secure Operating System: Access Control, End User Tools, Isolated Desktop, Secure Startup
- Access Control: Authentication, Authorization, App AuthZ (AzMan, RBAC), Logon Protocol, Identity, 2-Factor AuthN, Audit
- Credential Management: Credential Roaming, Lifecycle Management, Certificate Server, Smart Cards
- Common Criteria: Logging, Eventing, FIPS
- Cryptography Services: CAPI, CNG, Policy exp., X.509 Processing

Slide 4: Session 0 Isolation, Windows XP behavior (diagram)
- Session 0: Service A, Service B, Service C, together with Application A, Application B, Application C
- Session 1: Application D, Application E, Application F
- Session 2: Application G, Application H, Application I
- Session 3: Application J, Application K, Application L

Slide 5: Session 0 Isolation, Windows Vista behavior (diagram)
- Session 0: Service A, Service B, Service C only
- Session 1: Application A, Application B, Application C
- Session 2: Application D, Application E, Application F
- Session 3: Application G, Application H, Application I

Slide 6: Session 0 Isolation, Technology Introduction
- Separation of services from user sessions
- The desktop is the security boundary for Windows user interfaces
- Interactive services are vulnerable to compromise through Windows messaging
- Currently users cannot see or interact with interactive service UI from their session

Slide 7: Session 0 Isolation, Implementation Guidelines
- Services should NEVER open a window on the interactive desktop
- Services which need user input can:
  - Use WTSSendMessage to pop up a simple message box on the user’s desktop
  - Inject a process into the target session by using the CreateProcessAsUser API

Slide 8: Secure Operating System, Vista Security Overview (repeats the overview diagram from slide 3)

Slide 9: Crypto Next Generation, Technology Overview
- New crypto infrastructure to replace the existing CAPI 1.0 APIs
- CAPI will still be available in Vista but will be deprecated in some future version
- Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
- New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)

Slide 10: Crypto Next Generation, Why replace CAPI?
- Design is 10 years old and shows it
- Plug-in model is monolithic, error prone and inflexible
- Lacks a centralized configuration system
- Not available in kernel mode
- Performance leaves much to be desired

Slide 11: Crypto Next Generation, Feature highlights
- Crypto agility
- Flexible configuration system that includes machine and enterprise level settings
- Simple and granular plug-in model that supports both kernel and user mode
- Supports a superset of the algorithms in CAPI, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
- Private key isolation for Common Criteria compliance
- Improved performance

Slide 12: Crypto Next Generation, Three layers of plug-ins (diagram)
- Applications sit on top of three provider layers: Protocol Providers, Key Storage Providers, Primitive Providers
- Routers dispatch calls to the providers: Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router, Key Storage Router

Slide 13: Crypto Next Generation, Primitive Providers
- Low level algorithm implementations
- Six different types: symmetric encryption, hash functions, asymmetric encryption, secret agreement, signatures, random number generation
- No persistent keys or key isolation

Slide 14: Crypto Next Generation, Key Storage Provider
- Provides persistent key support for public/private keys
- Isolates all private key usage to a secure process rather than the client process
- Can be used to interface hardware such as HSMs, smart cards, etc.

Slide 15: Crypto Next Generation, Protocol Providers
- Crypto functionality that is specific to a protocol
- SSL: add new cipher suites or replace implementations of existing cipher suites
- S/MIME: plug in new algorithms for signing and encrypting email

Slide 16: Crypto Next Generation
- CNG is expected to be an Open Cryptographic Interface (OCI) and will no longer require plug-ins to be signed by Microsoft
- We are working to enable this under US export law
- Eliminates one of the big headaches of CAPI CSPs

Slide 17: Implementing a Symmetric Encryption Provider
- Implement, install and use a symmetric encryption primitive provider
- Call sequence: Open Algorithm Provider, Get/Set Algorithm Property, Create Key, Get/Set Key Property, Crypto Operation(s), Destroy Key, Close Algorithm Provider
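As an added example that is not part of the deck, the following PowerShell script exercises CNG from the caller's side through the .NET CNG classes: it creates a persisted ECDSA P-256 key in the Microsoft Software Key Storage Provider (the KSP of slide 14), signs and verifies with it, and shows that the KSP refuses to export the private key when the export policy forbids it. The key name and message are constructed for the example; it assumes Windows Vista or later with .NET Framework 4.6.1 or newer (or PowerShell 7) for the HashAlgorithmName overloads.

```powershell
# Added example: CNG Key Storage Provider usage from a caller's point of view.
using namespace System.Security.Cryptography

$keyName = 'Example.Cng.Demo.P256'   # constructed name for the persisted key

# Create a persisted ECDSA P-256 signing key in the software KSP with export
# disabled. The caller only ever holds a handle; the KSP performs every
# private-key operation, which is the key isolation property slide 14 describes.
$p = [CngKeyCreationParameters]::new()
$p.Provider     = [CngProvider]::MicrosoftSoftwareKeyStorageProvider
$p.KeyUsage     = [CngKeyUsages]::Signing
$p.ExportPolicy = [CngExportPolicies]::None
if ([CngKey]::Exists($keyName)) { [CngKey]::Open($keyName).Delete() }
$key = [CngKey]::Create([CngAlgorithm]::ECDsaP256, $keyName, $p)

# Sign and verify: CNG routes SHA-256 to a primitive provider and the
# signature operation to the KSP that owns the key.
$ecdsa = [ECDsaCng]::new($key)
$data  = [Text.Encoding]::UTF8.GetBytes('constructed message')
$sig   = $ecdsa.SignData($data, [HashAlgorithmName]::SHA256)
"Signature verifies: $($ecdsa.VerifyData($data, $sig, [HashAlgorithmName]::SHA256))"

# A tampered message must fail verification.
$data[0] = $data[0] -bxor 1
"Tampered verifies:  $($ecdsa.VerifyData($data, $sig, [HashAlgorithmName]::SHA256))"

# Key isolation in practice: with ExportPolicy None the KSP rejects a request
# for the private blob; only the public blob can be exported.
try {
    $null = $key.Export([CngKeyBlobFormat]::EccPrivateBlob)
    'Private export: ALLOWED (unexpected for ExportPolicy None)'
} catch {
    'Private export: refused by KSP'
}
$pub = $key.Export([CngKeyBlobFormat]::EccPublicBlob)
"Public blob: $($pub.Length) bytes, provider: $($key.Provider.Provider)"

$ecdsa.Dispose()
$key.Delete()   # removes the persisted key and disposes the handle
```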

Slide 18: Secure Operating System, Vista Security Overview (repeats the overview diagram from slide 3)

Slide 19: WinLogon Architecture, Windows XP (diagram)
- Session 0: WinLogon, User GP, LSA, Shell, Machine GP, Profiles, MSGINA, SCM
- Other sessions: WinLogon, User GP, Shell, MSGINA

Slide 20: WinLogon Architecture, Vista (diagram)
- Session 0: WinInit, RCM, LSA, Group Policy, Profiles, SCM
- Other sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3

Slide 21: Credential Providers, Technology Introduction
- Credential Providers replace GINA
- Credential Providers plug in to Logon UI
- Logon UI can interact simultaneously with multiple credential providers
- Credential Providers can be user selected and/or event driven
- Inbox Credential Providers: Password, Smart Card
- What Credential Providers cannot do: replace the UI for the logon screen

Slide 22: Credential Providers, Value Proposition
- Easier to write a Credential Provider than it was to write a GINA
- LogonUI and CredUI provide all UI
- Winlogon handles LSALogonUser and Terminal Services support
- Credential providers simply define credentials and use LogonUI to gather the data
- Uses COM to interact with LogonUI and CredUI

Slide 23: Credential Providers, Password Example (sequence diagram between WinLogon, LogonUI, the Credential Provider interfaces of Credential Providers 1 to 3, and the LSA)
1. Ctrl+Alt+Delete
2. Request Credential
3. Get credential information
4. Display UI
5. Click on tile, type user name & password, click Go
6. Go received
7. Get credential for logon
8. Return Credential
9. LSALogonUser

Slide 24: Smart Card Subsystem, Current (diagram)
- Crypto applications (IE, Outlook) call CAPI, which dispatches to per-vendor Smart Card CSP #1, Smart Card CSP #2, ... Smart Card CSP #n
- The CSPs talk to the Smart Card Resource Manager
- Non-crypto applications reach the Smart Card Resource Manager through the SCard API

Slide 25: Smart Card Subsystem, Vista and Beyond (diagram)
- Crypto applications (IE, Outlook) call CAPI, served by the Base CSP, or CNG, served by the Smart Card KSP
- Card vendors supply card modules (RSA Card Module, ECC Card Module, RSA/ECC Card Module) beneath the Base CSP and Smart Card KSP; a legacy Smart Card CSP can still sit under CAPI
- Everything reaches the Smart Card Resource Manager; non-crypto applications use the SCard API directly

Slide 26: Smart Card Subsystem
- Simplified software development: common crypto operations handled in the platform; API for card manufacturers
- Enhanced user experience: planned certification and testing program for smart card middleware on Windows Update; PnP support for smart cards
- Enhanced smart card logon scenarios: root certificate propagation; integrated smart card unblock

Slide 27: X.509 Enrollment Classes, What’s new
- ActiveX controls Xenroll and ScrdEnrl are retired
- New comprehensive COM classes (CertEnroll) for PKI operations
- “Suite-B” algorithm support

Slide 28: X.509 Enrollment Classes, Value Proposition
- Xenroll: difficult to use monolithic interfaces; high cost of maintenance for Microsoft to support Xenroll, and for customers and third party CAs if and when Xenroll is updated
- CertEnroll: easy to use modular interfaces; no download required

Slide 29: X.509 Enrollment Classes, Architectural Block Diagram
- Callers: 3rd party applications; Web Enrollment Services; Auto-Enrollment Provider, Certificate Management MMC, CertReq.exe
- Public Enrollment Classes
- Internal Enrollment Classes, with Aero Wizard & Direct UI
- CAPI, CNG and Win32 API

Slide 30: X.509 Enrollment Classes, Class diagram overview (all groups derive from IDispatch)
- Request classes: IX509CertificateRequest, IX509CertificateRequestPkcs10, IX509CertificateRequestCertificate, IX509CertificateRequestPkcs7, IX509CertificateRequestCmc
- Enrollment classes: IX509Enrollment, IX509Enrollments, IX509EnrollmentStatus
- Crypto classes: ICspAlgorithm, ICspAlgorithms, ICspInformation, ICspInformations, ICspStatus, ICspStatuses, IX509PublicKey, IX509PrivateKey
- Attribute classes: IX509Attribute, IX509Attributes, IX509AttributeExtensions, ICryptAttribute, ICryptAttributes
- Extension classes: IX509Extension, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509ExtensionTemplateName, IX509ExtensionTemplate

Slide 31: X.509 Enrollment Walkthrough (demo)
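The walkthrough itself is not in the transcript. As an added example that is not the deck's own code, this PowerShell script drives the CertEnroll COM classes from slide 30 to build a PKCS#10 request whose private key is created in the CNG software KSP, with key usage, EKU and template-name extensions. The subject name, template name and EKU OID are constructed; it assumes Windows Vista or later (where the X509Enrollment COM classes exist) and does not contact a CA.

```powershell
# Added example: CertEnroll (X509Enrollment.*) request construction.
# Constants from certenroll.h, spelled out because COM enums are not exposed.
$ContextUser            = 1       # X509CertificateEnrollmentContext
$XCN_AT_KEYEXCHANGE     = 1       # X509KeySpec
$XCN_CRYPT_STRING_BASE64 = 1      # EncodingType for CreateRequest
$KU_DigitalSignature    = 0x80    # X509KeyUsageFlags
$KU_KeyEncipherment     = 0x20

# 1. Private key in the CNG Key Storage Provider, non-exportable.
$pk = New-Object -ComObject X509Enrollment.CX509PrivateKey
$pk.ProviderName   = 'Microsoft Software Key Storage Provider'
$pk.KeySpec        = $XCN_AT_KEYEXCHANGE
$pk.Length         = 2048
$pk.MachineContext = $false
$pk.ExportPolicy   = 0            # XCN_NCRYPT_ALLOW_EXPORT_NONE
$pk.Create()

# 2. PKCS#10 request bound to that key (no template: empty string).
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeFromPrivateKey($ContextUser, $pk, '')

$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode('CN=example-client,O=Constructed Example', 0)   # constructed subject
$req.Subject = $dn

# 3. Extensions via the slide-30 extension classes.
$ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
$ku.InitializeEncode($KU_DigitalSignature -bor $KU_KeyEncipherment)
$req.X509Extensions.Add($ku)

$oid  = New-Object -ComObject X509Enrollment.CObjectId
$oid.InitializeFromValue('1.3.6.1.5.5.7.3.2')              # id-kp-clientAuth
$oids = New-Object -ComObject X509Enrollment.CObjectIds
$oids.Add($oid)
$eku  = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
$eku.InitializeEncode($oids)
$req.X509Extensions.Add($eku)

$tmpl = New-Object -ComObject X509Enrollment.CX509ExtensionTemplateName
$tmpl.InitializeEncode('ExampleTemplate')                   # constructed name
$req.X509Extensions.Add($tmpl)

# 4. Wrap in IX509Enrollment and emit the base64 CSR for submission to a CA.
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($req)
$csr = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)
"-----BEGIN NEW CERTIFICATE REQUEST-----`n$csr-----END NEW CERTIFICATE REQUEST-----"
```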

Slide 32: Service Hardening, Motivation
- Services are attractive targets for malware: they run without user interaction
- Number of critical vulnerabilities in services
- Large number of services run as “System”
- Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.

Slide 33: Service Hardening, Developer Guidance
- Move to a least privileged account: use “Local Service” or “Network Service”
- Remove privileges that are not needed
- Grant the service SID access via ACLs on service-specific resources
- Use the service SID, ACLs and a “write-restricted token” to isolate services
- Supply network firewall rules
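As an added example that is not part of the deck, this PowerShell script applies each point of the guidance above to a hypothetical service named ContosoAgent (name, data directory and port are constructed), then audits the machine for services that still violate it, including the slide 7 rule that services must not interact with the desktop. It assumes Windows Vista or later for sc.exe sidtype/privs and, for the firewall rule, the NetSecurity module shipped with Windows 8 / Server 2012 or later.

```powershell
# Added example: apply and audit the slide 33 service hardening guidance.
$ServiceName = 'ContosoAgent'                    # hypothetical service
$DataDir     = 'C:\ProgramData\ContosoAgent'     # hypothetical service-owned resource

# 1. Least-privileged account instead of LocalSystem.
sc.exe config $ServiceName obj= 'NT AUTHORITY\NetworkService'

# 2. Declare the minimal privilege set; the SCM strips every other privilege
#    from the service's token when it starts.
sc.exe privs $ServiceName 'SeChangeNotifyPrivilege/SeImpersonatePrivilege'

# 3. Write-restricted token: the per-service SID (NT SERVICE\ContosoAgent) is
#    added as a restricting SID, so the process can only write to objects
#    that explicitly grant that SID.
sc.exe sidtype $ServiceName restricted

# 4. Grant the service SID access on its own resources only, with inheritance
#    from the parent folder removed so nothing broader leaks in.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls.exe $DataDir /inheritance:r `
    /grant:r "NT SERVICE\${ServiceName}:(OI)(CI)M" `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 5. Firewall rule scoped to the service rather than to "any program".
New-NetFirewallRule -DisplayName "$ServiceName inbound" -Direction Inbound `
    -Service $ServiceName -Protocol TCP -LocalPort 8443 -Action Allow | Out-Null

# Audit: list services that run as LocalSystem, interact with the desktop
# (slide 7), or have no service SID at all.
function Get-ServiceHardeningFindings {
    Get-CimInstance Win32_Service | ForEach-Object {
        $line = sc.exe qsidtype $_.Name | Select-String 'SERVICE_SID_TYPE' | Select-Object -First 1
        $sidType = if ($line) { ("$line" -split ':')[-1].Trim() } else { 'UNKNOWN' }
        [pscustomobject]@{
            Name            = $_.Name
            Account         = $_.StartName
            RunsAsSystem    = $_.StartName -eq 'LocalSystem'
            DesktopInteract = $_.DesktopInteract
            SidType         = $sidType
        }
    } | Where-Object { $_.RunsAsSystem -or $_.DesktopInteract -or $_.SidType -eq 'NONE' }
}
Get-ServiceHardeningFindings | Format-Table -AutoSize
```

Expect the built-in LocalSystem services to appear in the audit output; the list is a review queue, not a set of defects, and the interesting rows are third-party services with DesktopInteract set or SidType NONE.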

Slide 34: User Account Protection
- Previously known as “LUA”
- Users will log on as non-administrator by default
- Protects the system from the user; enables the system to protect the user
- Consent UI allows elevation to administrator
- Applications and administrator tools should be UAP aware: differentiate capabilities based on UAP; apply correct security checks to product features
- Start testing your software in LH Beta1 and LH Beta2 with UAP

Slide 35: User Account Protection, Additional Information
- Where can I find more information? Come get the whitepaper from the FUNdamentals Cabana!
- FUN406 - Windows Vista: User Account Protection “Securing Your Application with Least Privilege Administration”
- Contact info: Darren Canavor, darrenc@Microsoft.com

Slide 36: CNG Additional Information
- CNG documentation available for review; API documentation is currently only available with a signed NDA and EULA
- Contacts: Tomas Palmer, tomasp@Microsoft.com; Tolga Acar, tolga@Microsoft.com

Slide 37: Smart Card Subsystem, Additional Information
- Where can I find more information?
- Base CSP and Card Module specifications have been published to over 20 card vendors; ask if your card vendor has a card module
- Card module developer kit including card module spec, Base CSP binary, test suite, etc. is currently only available with a signed NDA and EULA
- Card module developer information will be made public via MSDN in the coming months
- A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
- Contact info: Derek Adam, DerekA@microsoft.com

Slide 38: X.509 Enrollment Classes, Additional Information
- Where can I find more information? Libraries included in Vista Beta 1; specifications are currently only available with a signed NDA and EULA
- Contact info: Anand Abhyankar, Anand.Abhyankar@Microsoft.com

Slide 39: Service Hardening, Additional Information
- Related sessions: FUNHOL019, “Best Practices for writing Vista Services”
- Contacts: Windows Service Hardening, wsh@Microsoft.com

Slide 40: © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
