
0828 Windows Server 2008 新安全功能探討


Page 1: 0828 Windows Server 2008 新安全功能探討

-1-

Windows Server 2008 新安全功能探討

呂政周, Senior Instructor, 精誠恆逸教育訓練處 (SYSTEX UUU Education Training Center), http://edu.uuu.com.tw

Page 2: 0828 Windows Server 2008 新安全功能探討


Course Outline
• Introduction
• Operating system security
• Access control security
• Application security
• Program execution security
• Data transmission security
• Data storage security

Page 3: 0828 Windows Server 2008 新安全功能探討

Introduction
• Although viruses and hackers take the front-page headlines, security management remains the core of computer and information security in an enterprise.

• SD3+C
  – Secure by Design
  – Secure by Default
  – Secure in Deployment and Communications

• Trustworthy Computing


Page 4: 0828 Windows Server 2008 新安全功能探討

Operating System Security


Page 5: 0828 Windows Server 2008 新安全功能探討

Windows Server 2008 Security Development Lifecycle

Regular, mandatory security training for developers

Security advisors give developers security guidance on every system component

Threat models taken into account at the design stage

Source code security review and testing

Common Criteria certification

Page 6: 0828 Windows Server 2008 新安全功能探討

The bad guys are everywhere!
• They literally want to do you harm
• Threats exist in two interesting places:
  – Online: system started and shows a login screen or a user is logged in
  – Offline: system is powered down or in hibernation
• Policies must address both

Page 7: 0828 Windows Server 2008 新安全功能探討

Protect the OS When Running

Page 8: 0828 Windows Server 2008 新安全功能探討

The threats

• Trojan that replaces a system file to install a rootkit and take control of the computer (e.g. Fun Love or others that use root kits)
• Offline attack caused by booting an alternate operating system and attempting to corrupt or modify Windows operating system image files
• Third-party kernel drivers that are not secure
• Any action by an administrator that threatens the integrity of the operating system binary files
• Rogue administrator who changes an operating system binary to hide other acts


Page 9: 0828 Windows Server 2008 新安全功能探討

Code integrity

• Validates the integrity of each binary image
  – Checks hashes for every page as it's loaded
  – Also checks any image loading to a protected process
  – Implemented as a file system filter driver
  – Hashes stored in system catalog or in X.509 certificate embedded in file
• Also validates the integrity of the boot process
  – Checks the kernel, the HAL, boot-start drivers
• If validation fails, image won't load
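Added example, not part of the deck: a toy Python model of the catalog-based, per-page hash check the slide describes. SHA-256 stands in for whatever hash the real catalog carries, the "image" and the tampered copy are constructed inline, and the catalog is trusted by construction (a real catalog is itself signed); the point shown is that one altered page is reported and the image is refused.

```python
import hashlib

PAGE_SIZE = 4096  # CI validates at page granularity as pages are loaded


def page_hashes(image: bytes) -> list:
    """Hash every page of an image; the last page may be short."""
    return [hashlib.sha256(image[off:off + PAGE_SIZE]).hexdigest()
            for off in range(0, len(image), PAGE_SIZE)]


def build_catalog(image: bytes) -> dict:
    """Stand-in for the signed system catalog: size plus per-page hashes.
    Assumption: this dict is the trusted reference (no signature modelled)."""
    return {"size": len(image), "pages": page_hashes(image)}


def failed_pages(image: bytes, catalog: dict) -> list:
    """Indexes of pages whose hash differs from the catalog.
    A size mismatch (pages added or removed) is reported as index -1."""
    if len(image) != catalog["size"]:
        return [-1]
    return [i for i, (got, want) in enumerate(zip(page_hashes(image), catalog["pages"]))
            if got != want]


def load_image(image: bytes, catalog: dict) -> bool:
    """Model of the CI decision: the image loads only if every page validates."""
    return failed_pages(image, catalog) == []


# Constructed sample image: exactly three full pages plus a short fourth page.
GOOD_IMAGE = bytes(range(256)) * 48 + b"trailing-page"
CATALOG = build_catalog(GOOD_IMAGE)

# Constructed tamper: flip one byte 100 bytes into page 2.
_buf = bytearray(GOOD_IMAGE)
_buf[2 * PAGE_SIZE + 100] ^= 0xFF
TAMPERED_IMAGE = bytes(_buf)

if __name__ == "__main__":
    print("clean image loads:", load_image(GOOD_IMAGE, CATALOG))
    print("tampered image fails on pages:", failed_pages(TAMPERED_IMAGE, CATALOG))
```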


Page 10: 0828 Windows Server 2008 新安全功能探討

Hash validation scope

Windows binaries: Yes
WHQL-certified third-party drivers: Yes
Unsigned drivers: By policy
Third-party application binaries: No

Page 11: 0828 Windows Server 2008 新安全功能探討

More on signatures

• Don't confuse hash validation with signatures

x64
– All kernel mode code must be signed or it won't load
– Third-party drivers must be WHQL-certified or contain a certificate from a Microsoft CA
– No exceptions, period
– User mode binaries need no signature unless they:
  • Implement cryptographic functions
  • Load into the software licensing service

x32
– Signing applies only to drivers shipped with Windows
– Can control by policy what to do with third-party
– Unsigned kernel mode code will load
– User mode binaries: same as x64

Page 12: 0828 Windows Server 2008 新安全功能探討

Recovering from CI failures

• Potential problems:
  – OS won't boot: kernel code or boot-time driver failed CI
  – OS boots, a device won't function: non-boot-time driver failed CI
  – OS boots, system is "weird": service failed CI
  – OS boots and behaves, task malfunctions: OS component failed CI
• Solve boot-critical problems through standard system recovery tools
• Integrated Windows diagnostic infrastructure helps to repair critical files; non-critical files can be replaced through Microsoft Update


Page 13: 0828 Windows Server 2008 新安全功能探討

Integrated Windows Defender

• Integrated detection, cleaning, and real-time blocking of malware:
  – Malware, rootkits, and spyware
  – Targeted at consumers; enterprise manageability will be available as a separate product
• Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove worst worms, bots, and trojans during an upgrade and on a monthly basis

Page 14: 0828 Windows Server 2008 新安全功能探討

Internet Explorer 7

• In addition to building on UAC (see later), IE includes:
  – Protected Mode that only allows IE to browse with no other rights, even if the user has them, such as to install software
  – "Read-only" mode, except for Temporary Internet Files when browser is in the Internet Zone of security

Page 15: 0828 Windows Server 2008 新安全功能探討

Phishing Filter in IE: Dynamic Protection Against Fraudulent Websites

• 3 checks to protect users from phishing scams:
  1. Compares web site with local list of known legitimate sites
  2. Scans the web site for characteristics common to phishing sites
  3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour
• Two Levels of Warning and Protection in IE7 Security Status Bar
  – Level 1: Warn Suspicious Website (Signaled)
  – Level 2: Block Confirmed Phishing Site (Signaled and Blocked)

Page 16: 0828 Windows Server 2008 新安全功能探討

Access Control Security


Page 17: 0828 Windows Server 2008 新安全功能探討

User Account Control

• Helps implement Least Privilege principle in two distinct ways:
  1. Every user is a standard user
     • Older, legacy, or just greedy application's attempts to change your system's settings will be virtualised so they do not break anything
  2. Each genuine need to use administrative privileges will require:
     • Selection of a user who has those permissions, or
     • Confirmation of the intent to carry on with the operation

Page 18: 0828 Windows Server 2008 新安全功能探討

UAC: Fundamental Change to Windows Operation

• Fixes the system to work well as a standard user
• Registry and file virtualization to provide compatibility
  – Per-machine registry writes are redirected to per-user locations if the user does not have administrative privileges
  – Effectively: standard accounts can run "admin-required" legacy applications safely!
  – You can redirect the virtualization store

Page 19: 0828 Windows Server 2008 新安全功能探討

Control Over Device Installation

• Control over removable device installation via a policy
  – Mainly to disable USB-device installation, as many corporations worry about intellectual property leak
  – You can control them by device class or driver
• Approved drivers can be pre-populated into trusted Driver Store
• Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:
  – Non-corporate standard drivers
  – Unsigned drivers

Page 20: 0828 Windows Server 2008 新安全功能探討

Using Network Access Protection

The NAP flow, built up step by step over slides 20 to 24 of the deck:

1. Client requests access to network and presents current health state
2. Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted virtual local area network (VLAN) and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

Diagram components: Windows Client; DHCP, VPN, Switch/Router; MSFT NPS; Policy Servers such as: Patch, AV; Restricted Network with Fix Up Servers (Example: Patch); Corporate Network.

Page 25: 0828 Windows Server 2008 新安全功能探討

Windows Firewall Advanced Security

• Filter both incoming and outgoing traffic
• New Microsoft® Management Console (MMC) snap-in for GUI configuration
• Integrated firewall and IP security (IPsec) settings
• Several ways to configure exceptions

Page 29: 0828 Windows Server 2008 新安全功能探討

NG TCP/IP: Next Generation TCP/IP in Vista and "Longhorn"

• A new, fully re-worked replacement of the old TCP/IP stack
• Dual-stack IPv6 implementation, with now obligatory IPSec
  – IPv6 is more secure than IPv4 by design, esp.:
    • Privacy, tracking, network port scanning, confidentiality and integrity
• Other network-level security enhancements for both IPv4 and IPv6
  – Strong Host model
  – Windows Filtering Platform
  – Improved stack-level resistance to all known TCP/IP-based denial of service and other types of network attacks
  – Routing Compartments
  – Auto-configuration and no-restart reconfiguration

Page 30: 0828 Windows Server 2008 新安全功能探討

Application Security and Program Execution Security


Page 31: 0828 Windows Server 2008 新安全功能探討

The threats

• Remember Blaster?
  – Took over RPCSS: made it write msblast.exe to file system and added run keys to the registry
• No software is perfect; someone still might find a vulnerability in a service
• Malware often looks to exploit such vulnerabilities
• Services are attractive
  – Run without user interaction
  – Many services often have free reign over the system: too much access
  – Most services can communicate over any port


Page 32: 0828 Windows Server 2008 新安全功能探討

Service hardening

Service refactoring
– Move service from LocalSystem to something less privileged
– If necessary, split service so that only the part requiring LocalSystem receives that

Service profiling
– Enables service to restrict its behavior
– Resources can have ACLs that allow the service's ID to access only what it needs
– Also includes rules for specifying required network behavior

It's about the principle of least privilege: it's good for people, and it's good for services

Page 33: 0828 Windows Server 2008 新安全功能探討

Refactoring

• Ideally, remove the service out of LocalSystem
  – If it doesn't perform privileged operations
  – Make ACL changes to registry keys and driver objects
• Otherwise, split into two pieces
  – The main service
  – The bits that perform privileged operations
  – Authenticate the call between them

Diagram labels: Memory; Main service runs as LocalService; Privileged part runs as LocalSystem

Page 34: 0828 Windows Server 2008 新安全功能探討

Profiling

• Every service has a unique service identifier called a "service SID"
  – S-1-80-<SHA-1 hash of logical service name>
• A "service profile" is a set of ACLs that:
  – Allow a service to use a resource
  – Constrain the service to the resources it needs
  – Define which network ports a service can use
  – Block the service from using other ports
• Now, service can run as LocalService or NetworkService and still receive additional access when necessary
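Added example, not from the deck: computing a service SID in Python from the logical service name, as the slide describes. Shipping Windows emits these SIDs with the S-1-5-80 prefix (the slide's S-1-80 is the pre-release shorthand); the digest is the SHA-1 of the upper-cased UTF-16LE name, split into five little-endian 32-bit sub-authorities. The SDDL helper that builds a DACL naming only that SID is an illustration of the "service places ACL on resource" step, and its SYSTEM/Administrators entries are an assumption of this example.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Derive the per-service SID from the logical service name.

    Steps: upper-case the name, encode it as UTF-16LE, SHA-1 it, and emit
    the 20-byte digest as five little-endian uint32 sub-authorities after
    the S-1-5-80 prefix. The name is therefore case-insensitive.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(x) for x in subauths)


def service_write_dacl(service_name: str) -> str:
    """SDDL DACL for a resource only this service (plus SYSTEM and local
    Administrators, an assumption of this example) may write.

    P = protected (no inherited ACEs); FA = file all access; GW = generic write.
    """
    return "D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;GW;;;%s)" % service_sid(service_name)


if __name__ == "__main__":
    # TrustedInstaller's service SID is a well-known value, handy as a check.
    print(service_sid("TrustedInstaller"))
    print(service_write_dacl("TrustedInstaller"))
```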

Page 35: 0828 Windows Server 2008 新安全功能探討

Restricting services

1. SCM computes service SID
2. SCM adds the SID to service process's token
3. SCM creates write-restricted token
4. SCM removes unneeded privileges from process token
5. Service places ACL on resource: only service can write to it

Page 36: 0828 Windows Server 2008 新安全功能探討

Restricting services: know this

• A restrictable service will set two properties (stored in the registry):
  – One to indicate that it can be restricted
  – One to show which privileges it requires

Note! This is a voluntary process. The service is choosing to restrict itself. It's good development practice because it reduces the likelihood of a service being abused by malware, but it isn't a full-on system-wide restriction mechanism. Third-party services can still run wild and free…

Page 37: 0828 Windows Server 2008 新安全功能探討

Windows Server 2008 Services Hardening

• Reduce size of high-risk layers
• Segment the services
• Increase number of layers

Diagram, built up over slides 37 to 40 of the deck: a stack of Kernel Drivers (D, D, D) and User-mode Drivers (D, D, D), with the services above them segmented into Service 1, Service 2, Service 3, Service …, Service A, Service B.

Page 41: 0828 Windows Server 2008 新安全功能探討

Granular Audit Policy

Page 42: 0828 Windows Server 2008 新安全功能探討

Object Access Auditing

Object Access Attempt:
    Object Server: %1
    Handle ID: %2
    Object Type: %3
    Process ID: %4
    Image File Name: %5
    Access Mask: %6

Page 43: 0828 Windows Server 2008 新安全功能探討

Object Access Auditing

An operation was performed on an object.
Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4
Object:
    Object Server: %5
    Object Type: %6
    Object Name: %7
    Handle ID: %9
Operation:
    Operation Type: %8
    Accesses: %10
    Access Mask: %11
    Properties: %12
    Additional Info: %13
    Additional Info2: %14
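Added example, not from the deck: a small Python parser for the Subject/Object/Operation layout of the object-access event above, a decoder for the file-object access-mask bits, and one detection rule (write-like access under a watched path). The event record is constructed for this example; the SID, account and path in it are made up.

```python
# Access-mask bits for file and directory objects, as they appear in the event.
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Bits that change an object's content, metadata or security descriptor.
WRITE_LIKE = 0x2 | 0x4 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
SECTIONS = ("Subject:", "Object:", "Operation:")


def parse_event(text: str) -> dict:
    """Flatten the sectioned message into {'Section.Field': value}."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("An operation was performed"):
            continue
        if line in SECTIONS:
            section = line[:-1]
            continue
        # Split on the first colon only: object names contain "C:\..."
        key, _, value = line.partition(":")
        fields["%s.%s" % (section, key.strip())] = value.strip()
    return fields


def decode_mask(mask_hex: str) -> list:
    """Expand an Access Mask such as 0x10001 into named rights."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]


def flag_write(event: dict, watched_prefix: str) -> bool:
    """Detection rule: write-like access to an object under watched_prefix."""
    name = event.get("Object.Object Name", "")
    mask = int(event.get("Operation.Access Mask", "0x0"), 16)
    return name.upper().startswith(watched_prefix.upper()) and bool(mask & WRITE_LIKE)


# Constructed sample event in the layout of the slide's template.
SAMPLE_EVENT = """An operation was performed on an object.
Subject:
    Security ID: S-1-5-21-1111111111-2222222222-3333333333-1104
    Account Name: jdoe
    Account Domain: CORP
    Logon ID: 0x3e7
Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\\Payroll\\salaries.xlsx
    Handle ID: 0x1a4
Operation:
    Operation Type: Object Access
    Accesses: WriteData (or AddFile)
    Access Mask: 0x2
"""

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["Subject.Account Name"], "->", ev["Object.Object Name"],
          decode_mask(ev["Operation.Access Mask"]))
    print("alert:", flag_write(ev, "C:\\Payroll"))
```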

Page 44: 0828 Windows Server 2008 新安全功能探討

Added Auditing For

• Registry value change audit events (old+new values)
• AD change audit events (old+new values)
• Improved operation-based audit
• Audit events for UAC
• Improved IPSec audit events including support for AuthIP
• RPC Call audit events
• Share Access audit events
• Share Management events
• Cryptographic function audit events
• NAP audit events (server only)
• IAS (RADIUS) audit events (server only)

Page 45: 0828 Windows Server 2008 新安全功能探討

Address Space Load Randomization (ASLR)

Prior to Windows Vista
– Executables and DLLs load at fixed locations
– Buffer overflows commonly relied on known system function addresses to cause specific code to execute

The Windows Vista loader bases modules at one of 256 random points in the address space
– OS images now include relocation information
– Relocation performed once per image and shared across processes
– User stack locations are also randomized

Page 46: 0828 Windows Server 2008 新安全功能探討

Data Transmission Security and Data Storage Security

Page 47: 0828 Windows Server 2008 新安全功能探討

Terminal Services Gateway

Diagram: three zones, Internet, Perimeter network and Corp LAN, separated by an External Firewall and an Internal Firewall. Remote clients (Home, Hotel, Roaming wireless, Business partner / client site) reach the Terminal Services Gateway Server in the perimeter network across the Internet; the gateway tunnels RDP over HTTPS through to the Terminal Servers on the Corp LAN, which also hosts the E-mail Server.

Page 48: 0828 Windows Server 2008 新安全功能探討

RMS, EFS, and BitLocker

• Three levels of protection:
  – Rights Management Services
    • Per-document enforcement of policy-based rights
  – Encrypting File Systems
    • Per file or folder encryption of data for confidentiality
  – BitLocker™ Full Volume Encryption
    • Per volume encryption (see earlier)
• Note: it is not necessary to use a TPM for RMS and EFS
  – EFS can use smartcards and tokens in Vista
  – RMS is based, at present, on a "lockbox.dll" technology, not a TPM

Page 49: 0828 Windows Server 2008 新安全功能探討

CNG: Cryptography Next Generation

• CAPI 1.0 has been deprecated
  – May be dropped altogether in future Windows releases
• CNG: Open Cryptographic Interface for Windows
  – Ability to plug in kernel or user mode implementations for:
    • Proprietary cryptographic algorithms
    • Replacements for standard cryptographic algorithms
    • Key Storage Providers (KSP)
  – Enables cryptography configuration at enterprise and machine levels

Page 50: 0828 Windows Server 2008 新安全功能探討

Offline Files Encrypted Per User

Page 51: 0828 Windows Server 2008 新安全功能探討

Encrypted Pagefile

Page 52: 0828 Windows Server 2008 新安全功能探討

Regulatory Compliance

• Windows Vista cryptography will comply with:
  – Common Criteria (CC)
    • csrc.nist.gov/cc
    • Currently in version 3
  – FIPS requirements for strong isolation and auditing
    • FIPS-140-2 on selected platforms and 140-1 on all
  – US NSA (National Security Agency) CSS (Central Security Service) Suite B

Page 53: 0828 Windows Server 2008 新安全功能探討

Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm

• Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs
  – Higher special-security needs (e.g. nuclear security) are guided by Suite A (definition classified)
  – Announced by NSA at RSA conference in Feb 2005
• Encryption: AES
  – FIPS 197 (with key sizes of 128 and 256 bits)
• Digital Signature: Elliptic Curve Digital Signature Algorithm
  – FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
• Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
  – Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)
• Hashing: Secure Hash Algorithm
  – FIPS 180-2 (using SHA-256 and SHA-384)

Page 54: 0828 Windows Server 2008 新安全功能探討

Trusted Platform Module: TPM Chip Version 1.2

• Hardware present in the computer, usually a chip on the motherboard
• Securely stores credentials, such as a private key of a machine certificate, and is crypto-enabled
  – Effectively, the essence of a smartcard
• TPM can be used to request encryption and digital signing of code and files and for mutual authentication of devices
• See www.trustedcomputinggroup.org

Page 55: 0828 Windows Server 2008 新安全功能探討

Code Integrity

• All DLLs and other OS executables have been digitally signed
• Signatures verified when components load into memory

Page 56: 0828 Windows Server 2008 新安全功能探討

BitLocker™

• BitLocker strongly encrypts and signs the entire hard drive (full volume encryption)
  – TPM chip provides key management
  – Can use additional protection factors such as a USB dongle, PIN or password
• Any unauthorised off-line modification to your data or OS is discovered and no access is granted
  – Prevents attacks which use utilities that access the hard drive while Windows is not running and enforces Windows boot process
• Protects data after laptop theft etc.
• Data recovery strategy must be planned carefully!
  – Vista supports three modes: key escrow, recovery agent, backup

Page 57: 0828 Windows Server 2008 新安全功能探討

Conclusion

Page 58: 0828 Windows Server 2008 新安全功能探討

Defense-in-Depth

Layer by layer, with the controls the deck places at each:

Policies, procedures, and awareness: Security policies, procedures, and education
Physical security: Guards, locks, tracking devices
Perimeter: Firewalls, border routers, VPNs with quarantine procedures
Internal network: Network segments, IPSec, NIDS
Host: OS hardening, authentication, update management, antivirus updates, auditing
Application: Application hardening
Data: Strong passwords, ACLs, encryption, EFS, backup and restore strategy

• Increases an attacker's risk of detection
• Reduces an attacker's chance of success

Page 59: 0828 Windows Server 2008 新安全功能探討

Defense-in-Depth (continued)

Policies, procedures, and awareness
Physical security
Network defenses: Perimeter, Internal network
Client defenses: Host, Application, Data
Server defenses: Host, Application, Data

Page 60: 0828 Windows Server 2008 新安全功能探討


© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.