Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Operating Systems Lesson E: Windows Security - Overview.

Published byRegina Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Operating Systems Lesson E: Windows Security - Overview."— Presentation transcript:

1 Secure Operating Systems Lesson E: Windows Security - Overview

2 Where are we?  We’ve discovered SELinux is moderately cool  How does this compare to Windows? There’s a lot here, so we’ll just scratch the surface

3 Windows: History  So, Windows really does have a long history  DOS survived for a long time, until we moved on to the NT core  The current version of Windows 8 has finally started to move away from the backward compatibility that has dogged us

4 Bitlocker  Full hard drive encryption is actually pretty cool: Bitlocker  Can leverage the TPM, which is nice Can provide remote attestation for hardware and software Not only for disk encryption; has been used for DRM too Can use in combination with a USB token

5 TPM Structure  Picture from Guillaume Piolle

6 Windows Integrity Control  Although we don’t think about them, Windows uses MACLs (Mandatory Access Control Lists)  Thus, the OS can make a security decision based on how trusted an object is Let’s take a look with Process Explorer (from sysinternals)

7 SACLS and DACLS  SACLS beat DACLS System Access Control List Discretionary Access Control List  Thus, even if the DACL grants access, the SACL must also grant access for the operation to go through  This is all documented well by MS… http://msdn.microsoft.com/en- us/library/windows/desktop/bb648648(v=vs.85).aspx http://msdn.microsoft.com/en- us/library/windows/desktop/bb648648(v=vs.85).aspx  Enables things like SYSTEM_MANDATORY_LABEL_NO_READ_UP

8 Managing all of this

9 Of course, we need  Run As… administrator  icacls templow /setintegritylevel L for example  But of course, we never use this, except for using the defaults, which seems like a pity, eh? There’s a philosophical point here

10 UAC (Woohoo!)  Everyone seems to hate UAC, but it does help in terms of users making mistakes  It’s certainly not bulletproof (cue Shaun)  The idea is the principle of least privilege  The problem is that we don’t read the popups very well  The basic idea: run with lower privileges, and then upgrade as you need it

11 Service Resource Isolation  What happens when a service gets broken in to?  Let’s look  sc query type= service | more  sc showsid AdobeActiveFileMonitor9.0  psgetsid  Can create a *restricted* SID Two checks: one on the enabled token, one on the restricted SID

12 Service Refactoring  Basically, run services with base least privilege  New service hosts (low to high): LocalServiceNoNetwork LocalServiceRestricted LocalServiceNetworkRestricted NetworkServiceRestricted NetworkServiceNetworkRestricted LocalSystemNetworkRestricted

13 Restricted Network Access  Network restriction policies can be applied to services too  Direction: ingress and egress  Protocol: what protocols should be allowed?  Principal: Rules apply to specific users  Interface: WLAN, Wireless, LAN etc.

14 Buffer Overflows  Let’s remind ourselves how buffer overflows work  The compiler now adds Cookies… let’s look at the code

15 Questions & Comments  What do you want to know?

Download ppt "Secure Operating Systems Lesson E: Windows Security - Overview."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.
Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
© Neeraj Suri EU-NSF ICT March 2006 Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Zoltán Micskei

© Neeraj Suri EU-NSF ICT March 2006 Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Zoltán Micskei
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
HalFILE 3.0 Active Directory Integration. halFILE 3.0 AD – What is it? Centralized organization of network objects and security – servers, computers,

HalFILE 3.0 Active Directory Integration. halFILE 3.0 AD – What is it? Centralized organization of network objects and security – servers, computers,
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
NTFS. Authentication Is the person who she says she is? If so, access is allowed In Windows, authentication is handled by a password-protected user account.

NTFS. Authentication Is the person who she says she is? If so, access is allowed In Windows, authentication is handled by a password-protected user account.
© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.

© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

Similar presentations

Ads by Google