Slide 1: Windows Vista And Windows Server Codename “Longhorn” Security Enhancements
Avi Ben-Menahem, Lead Program Manager, Windows Security, Microsoft Corporation
Chris Corio, Program Manager
Slide 2: Agenda
- Windows Vista and Windows Server codenamed “Longhorn” Security Overview
- Isolated Desktop
- Kernel Mode Driver Signing
- Crypto Next Generation (a.k.a. CNG)
- Base Smart Card CSP Architecture
- WinLogon Architecture
- User Account Control and You
Slide 3: Windows Security Overview (diagram of the Windows security areas)
- Secure Operating System: Isolated Desktop, Secure Startup, Kernel Mode Code Signing
- Access Control: Authentication, Authorization (AzMan, RBAC), Persistence, Logon Protocol, Identity, 2 Factor AuthN, Audit, Credential Management, Credential Roaming, Lifecycle Management, Certificate Server, Smart Cards, End User Tools
- Cryptography Services: CAPI, CNG, Policy exp., X.509 Processing
- Also shown: Common Criteria, Logging, Eventing, FIPS
Slide 4: Services Session, Windows XP behavior (diagram)
- Session 0 hosts Service A, Service B and Service C together with the first interactive user's Application A, Application B and Application C
- Session 1 hosts Application D, E and F; Session 2 hosts Application G, H and I; Session 3 hosts Application J, K and L
Slide 5: Services Session, Windows Vista behavior (diagram)
- Session 0 hosts only Service A, Service B and Service C
- Session 1 hosts Application A, B and C; Session 2 hosts Application D, E and F; Session 3 hosts Application G, H and I
Slide 6: Services Session, Technology introduction
- Separation of Services from User Sessions
- Desktop is the security boundary for Windows user interfaces
- Interactive Services are vulnerable to compromise through Windows Messaging
- Currently users can not see or interact with interactive service UI from their session
- Interactive Services Detection Service is available in the interim
Slide 7: Services Session, Implementation guidelines
- Services should never open a window on the interactive desktop
- Services which need user input can:
  - Use WTSSendMessage to pop up a simple message box on the user’s desktop
  - Inject a process into the target session by using the CreateProcessAsUser API
Slide 8: Motivation For Kernel Mode Code Signing
- Trustworthy computing built on a trusted kernel
  - Windows Vista has an identifiable kernel state
  - Secure kernel loads only signed binaries
  - Reduce platform vulnerability from unknown binaries
- Identifiable kernel enables new scenarios
  - Access next generation premium content
  - Address growing threat of malicious rootkit attacks
  - Improve reliability by identifying and working with kernel mode software publishers
Slide 9: Code Integrity Verification
- Signature checks by OS loader and kernel
- On x64 64-bit platforms
  - All kernel mode code must be signed in order to load
  - Identity of all kernel mode binaries is verified
  - System audit events for integrity check failures
- On x86 32-bit platforms
  - Administrator prompted and accepts to install unsigned kernel mode code
  - Load-time checks done on all kernel mode binaries, unsigned code allowed to load
  - Next generation premium content may not be accessible, depending on content protection policy
Slide 10: Developer And Test Support
- For developers and testers: options to disable code verification policy
  - Active kernel debugger attached and debugging turned on
  - F8 key, Advanced Boot Option to disable driver signing enforcement for the current boot
  - Boot configuration option to not fail driver load if the integrity check fails (Beta2 only)
- For pre-release testing
  - WHQL Test signing
  - Bcdedit option to enable load of Test Signed drivers
Slide 11: Signing Boot Critical Drivers
- Boot critical drivers are loaded by OS Loader
  - Start Type = 0, loaded by Winload
- Boot critical driver files must be embedded signed
  - Signature contained in the binary file
  - Avoids boot time degradation locating the catalog file
- Embedded sign before submitting to WHQL
  - Sign individual driver files, then submit the package
  - This is a new WHQL Logo requirement
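As an added example (not from the deck), the developer workflow slides 10 and 11 describe, as a PowerShell session: embedded-sign a boot-critical driver, verify it against the kernel-mode signing policy before the WHQL submission, and enable test-signed drivers on a lab machine. The driver path, cross-certificate file, publisher name and timestamp URL are placeholders.

```powershell
# Added example, not Microsoft's code. All values below are placeholders.
$Driver       = 'C:\build\examplebootdrv.sys'   # placeholder: a Start Type = 0 driver
$CrossCert    = 'C:\certs\cross-cert.cer'       # placeholder: cross-certificate for your CA
$Publisher    = 'Example Publisher Inc'         # placeholder: subject of your code-signing cert
$TimestampUrl = 'http://timestamp.example'      # placeholder: your CA's timestamp service

# 1. Embedded signature: the signature is stored in the .sys itself, so Winload can
#    verify the driver at boot without locating a catalog file.
#    /ac adds the cross-certificate so the chain reaches a root trusted for kernel code.
signtool.exe sign /v /ac $CrossCert /s My /n $Publisher /t $TimestampUrl $Driver
if ($LASTEXITCODE -ne 0) { throw "signing failed" }

# 2. Verify with the kernel-mode driver signing policy (/kp); do this for each driver
#    file before packaging it for WHQL.
signtool.exe verify /kp /v $Driver
if ($LASTEXITCODE -ne 0) { throw "driver would fail Code Integrity on x64" }

# 3. Lab machine only: allow test-signed (still signed, not unsigned) drivers to load.
#    Takes effect after a reboot.
bcdedit.exe /set testsigning on
```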
Slide 12: Windows Security Overview (section divider repeating the slide 3 diagram, leading into Cryptography Services: CAPI, CNG, Policy exp., X.509 Processing)
Slide 13: Crypto Next Generation, Technology overview
- New crypto infrastructure to replace the existing Crypto API 1.0
- Crypto API will still be available in Windows Vista, but it will be deprecated in some future version
- Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
- New crypto algorithms can be plugged into OS protocols (e.g., SSL, S/MIME)
Slide 14: Crypto Next Generation, Feature highlights
- Crypto agility
  - Flexible configuration system that includes machine and enterprise level settings
  - Simple and granular plug-in model that supports both kernel and user mode
- Supports a superset of the algorithms in Crypto API, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
- Private key isolation for Common Criteria compliance
- Improved performance
Slide 15: Crypto Next Generation, Three layers of plug-ins (diagram)
- Applications call into Protocol Providers
- Key Storage Providers, reached through the Key Storage Router
- Primitive Providers, reached through per-function routers: Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router
Slide 16: Windows Security Overview (section divider repeating the slide 3 diagram)
Slide 17: WinLogon Architecture, Windows XP (diagram)
- Session 0: WinLogon (hosting User GP, Machine GP, Profiles and MSGINA), LSA, Shell, SCM
- Other Sessions: WinLogon (hosting User GP and MSGINA), Shell
Slide 18: WinLogon Architecture, Windows Vista (diagram)
- Session 0: WinInit, RCM, LSA, Group Policy, Profiles, SCM
- Other Sessions: WinLogon, LogonUI, Credential Provider 1, Credential Provider 2, Credential Provider 3
Slide 19: Credential Providers, Technology introduction
- Credential Providers replace GINA
- Credential Providers “plug in” to Logon UI
  - Logon UI can interact simultaneously with multiple credential providers
  - Credential Providers can be user selected and/or event driven
- Inbox Credential Providers: Password, Smart Card
- What Credential Providers cannot do: replace the UI for the logon screen
Slide 20: Credential Providers, Value proposition
- Easier to write a Credential Provider than it was to write a GINA
  - LogonUI and CredUI provide all UI
  - Winlogon handles LSALogonUser and Terminal Services support
- Credential providers simply define credentials and use LogonUI to gather the data
- Uses COM to interact with LogonUI and CredUI
Slide 21: Credential Providers, Password example (diagram showing LSA, WinLogon, LogonUI, the Credential Provider interfaces and Credential Providers 1, 2 and 3)
1. Ctrl+Alt+Delete
2. Request Credential
3. Get credential information
4. Display UI
5. Click on tile, type user name and password, click Go
6. Go received
7. Get credential for logon
8. Return Credential
9. LSALogonUser
Slide 22: Smart Card Subsystem, Current (diagram)
- Crypto Applications (IE, Outlook) call CAPI, which dispatches to Smart Card CSP #1, Smart Card CSP #2 ... Smart Card CSP #n, each of which talks to the Smart Card Resource Manager
- Non-Crypto Applications use the SCard API to reach the Smart Card Resource Manager directly
Slide 23: Smart Card Subsystem, Vista and beyond (diagram)
- Crypto Applications (IE, Outlook) call CAPI (routed to the Base CSP, or to an existing Smart Card CSP) or CNG (routed to the Smart Card KSP)
- Base CSP and Smart Card KSP load card modules (RSA Card Module, ECC Card Module, RSA/ECC Card Module), which talk to the Smart Card Resource Manager
- Non-Crypto Applications use the SCard API to reach the Smart Card Resource Manager directly
Slide 24: Smart Card Subsystem
- Simplified Software Development
  - Common crypto operations handled in the platform
  - API for card manufacturers
- Enhanced User Experience
  - Planned Certification and Testing Program for Smartcard middleware on Windows Update
  - PnP support for Smart Cards
- Enhanced Smart Card Logon Scenarios
  - Root certificates propagation
  - Integrated Smart Card unblock
Slide 25: Service Hardening, Motivation
- Services are attractive targets for malware
  - Run without user interaction
  - Number of critical vulnerabilities in services
  - Large number of services run as “System”
- Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.
Slide 26: Service Hardening, Developer guidance
- Move to a least privileged account
  - Use “Local Service” or “Network Service”
- Grant the Service SID access via ACLs on service-specific resources
- Use the Service SID, ACLs and a “write-restricted token” to isolate services
- Supply network firewall rules
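As an added example (not from the deck), the four guidance points on slide 26 applied to a hypothetical service named ExampleSvc that listens on TCP 8443 and keeps its state under C:\ProgramData\ExampleSvc; the service name, port, directory and privilege set are assumptions.

```powershell
# Added example, not Microsoft's code. ExampleSvc, the port and the paths are assumptions.
$Svc      = 'ExampleSvc'
$DataDir  = 'C:\ProgramData\ExampleSvc'
$SvcIdent = "NT SERVICE\$Svc"     # the per-service SID, resolvable as a virtual account

# 1. Least privileged account instead of LocalSystem.
sc.exe config $Svc obj= 'NT AUTHORITY\LocalService'

# 2. Give the service its own SID and a write-restricted token: the process can only
#    write to objects that explicitly grant the service SID (or another restricting SID).
sc.exe sidtype $Svc restricted

# 3. Keep only the privileges the service actually needs (assumed to be just this one).
sc.exe privs $Svc SeChangeNotifyPrivilege

# 4. ACL the service-specific resource for the service SID; nothing else becomes writable.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$acl  = Get-Acl -Path $DataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $SvcIdent, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# 5. Firewall rule scoped to the service, so only ExampleSvc may accept on 8443.
netsh advfirewall firewall add rule name="$Svc inbound" dir=in action=allow `
    service=$Svc protocol=TCP localport=8443

# Confirm the configuration; the changes apply at the next service start.
sc.exe qsidtype $Svc
sc.exe qprivs $Svc
```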
Slide 27: User Account Control, Motivation
- Everybody runs as an administrator on XP
- There is tremendous security benefit to running as a “Standard User”
- Most software doesn’t need Administrator privileges to run
Slide 28: Windows Vista UAC goals
- All users run as Standard User by default
  - Filtered token created during logon
  - Only specially marked apps get the unfiltered token
- Explicit consent required for elevation
  - Predictable shell elevation paths
- High application compatibility
  - Data redirection
  - Enabling legacy apps to run as standard user
  - Installer Detection
Slide 29: UAC Architecture (diagram)
- An admin logon for the user Abby produces two tokens: a “Standard User” Token carrying Standard User Rights, and an Admin Token carrying Administrative Rights
Slide 30: UAC Architecture, Standard User Mode (diagram)
- User processes run with Standard User Privilege only
- With Standard User Rights the user can: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc.
Slide 31: UAC Architecture, Admin Privileges (diagram)
- User processes still run with Standard User Privilege: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc.
- Separate Admin Processes run with Admin Privilege under Administrative Rights: Install Application, Configure IIS, Change Time
Slide 32: Guidance For Application Developers, Installation Best Practices
- Use MSI 3.1 for Install and Update
  - Alternative to MSI 3.1: call Update.exe marked as admin to do the update
- Self Updating Code: Don’t Do It!
  - This is our largest App Compat problem
  - Home consumer user applications
- Examples of what not to do
  - Do not assume the user is an administrator
  - Run Custom Actions in the right context!
- ClickOnce is a great deployment technology for Standard User apps
Slide 33: Guidance For Developers, Application Data Best Practices
- Your app’s per-user setup is performed at first run
  - Place per-user data into %LOCALAPPDATA%
  - Roaming data goes into %APPDATA%
  - Place per-machine (shared) data into %ALLUSERSPROFILE%
- Examples of what not to do
  - Do not perform admin configuration at first run; do your admin operations during setup
  - Do not perform explicit Admin checks for Standard User applications
- UAC and Code Access Security (CAS) can be used together for defense in depth
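As an added example (not from the deck), the installation and application-data guidance of slides 32 and 33 in one PowerShell build step: the application is marked asInvoker, only the separate updater is marked to require administrator rights, and first-run setup touches only the per-user locations. ExampleApp.exe, ExampleUpdate.exe and the vendor folder name are assumptions.

```powershell
# Added example, not Microsoft's code. Executable and vendor names are assumptions.

# 1. The main application runs as the invoker: a standard user never gets an elevation prompt.
$appManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>
'@
# 2. Only Update.exe is marked admin, so the update goes through the predictable shell
#    elevation path instead of the app rewriting itself in place (self-updating code).
$updManifest = $appManifest -replace 'level="asInvoker"', 'level="requireAdministrator"'
Set-Content -Path 'ExampleApp.exe.manifest'    -Value $appManifest -Encoding UTF8
Set-Content -Path 'ExampleUpdate.exe.manifest' -Value $updManifest -Encoding UTF8
# Embed with the SDK manifest tool; resource ID 1 is where the loader looks.
mt.exe -manifest ExampleApp.exe.manifest    "-outputresource:ExampleApp.exe;#1"
mt.exe -manifest ExampleUpdate.exe.manifest "-outputresource:ExampleUpdate.exe;#1"

# 3. Data locations from slide 33: per-user local, per-user roaming, per-machine shared.
$perUserLocal   = Join-Path $env:LOCALAPPDATA    'ExampleVendor\ExampleApp'
$perUserRoaming = Join-Path $env:APPDATA         'ExampleVendor\ExampleApp'
$perMachine     = Join-Path $env:ALLUSERSPROFILE 'ExampleVendor\ExampleApp'

# Setup (runs elevated via the installer) creates the per-machine directory once.
# First run does per-user setup only: no admin check, no write outside the user's profile.
function Invoke-FirstRunSetup {
    New-Item -ItemType Directory -Path $perUserLocal, $perUserRoaming -Force | Out-Null
}
```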
Slide 34: User Account Control In Windows Vista
Chris Corio, Program Manager, Windows Security
Slide 35: Call To Action
- Ensure that your device and driver work on ALL 64-bit enabled Windows operating systems
- Test your applications soon; understand the difference that UAC will make
Slide 36: Additional Resources
- CNG API documentation: currently only available with signed NDA and EULA
- Smart Card Subsystem
  - Base CSP and Card Module specifications have been published to over 20 card vendors; ask if your card vendor has a card module
  - Card module developer kit (card module spec, Base CSP binary, test suite, etc.) is currently only available with signed NDA and EULA
  - Card module developer information will be made public via MSDN in the coming months
  - A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
- Windows Service Hardening: email wsh@microsoft.com
- User Account Control
  - Getting Started with UAC: http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
  - UAC Developer Guidelines: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
  - UAC Blog: http://blogs.msdn.com/uac
Slide 37: Additional Resources
- Kernel Mode Code Signing: white paper titled “Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista”, http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
- 64-bit and kernel mode: http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx
- Vista Logo requirements: http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx
Slide 38: © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.