
Security in Today’s Operating Systems – Windows Vista & Server 2008

Ravi Sankar
Technology Evangelist | Microsoft Corporation
[email protected]

Agenda

• Fundamentals

• Threat and Vulnerability Mitigation

• Identity and Access Control

• Information Protection

Fundamentals

• Service Hardening

• Kernel Protection

• Windows Firewall

• Next Generation Cryptography

• Networking Improvements

• The Web Components (browser and server)

• Terminal Services Gateway

Windows Service Hardening

• Reduce size of high-risk layers
• Segment the services
• Increase the number of layers

[Diagram: layered model, innermost to outermost: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, Service …; Service A, Service B. Each service sits in its own compartment instead of one shared layer.]

Windows Service Hardening: service accounts

Windows® XP SP2 / Server 2003 R2 offered three service accounts:
• LocalSystem
• Network Service
• Local Service

Windows Vista / Server 2008 keeps those accounts but adds a per-service network restriction on top of them:
• LocalSystem, Firewall Restricted
• LocalSystem
• Network Service, Network Restricted
• Network Service, Fully Restricted
• Local Service, No Network Access
• Local Service, Fully Restricted

Service Changes: Windows XP vs Windows Vista and Server 2008

Windows XP (account: services)

LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS

Network Service: DNS Client

Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Vista and Server 2008 (account and restriction: services)

LocalSystem, Firewall Restricted: WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration

LocalSystem: BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI

Network Service, Fully Restricted: DNS Client, ICS, DHCP Client, browser, Server, W32time

Network Service, Network Restricted: Cryptographic Services, Telephony, PolicyAgent, Nlasvc

Local Service, No Network Access: System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System

Local Service, Fully Restricted: Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry

The point of the table: most of the services that ran as LocalSystem on XP now run as Network Service or Local Service, and every group carries a network restriction, so compromising one service no longer hands the attacker an unrestricted SYSTEM token with full network reach.
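To see how the account model above looks on a real host, here is an added PowerShell example (not part of the deck) that groups installed services by logon account and pulls each LocalSystem service's hardening data from sc.exe: the service SID type (NONE, UNRESTRICTED or RESTRICTED), the privileges it declared, and the per-service SID that firewall rules can be scoped to. It assumes Windows Vista / Server 2008 or later with PowerShell 2.0, run from an elevated prompt.

```powershell
# Added example, not from the deck: audit how services map to the hardened
# service accounts. Requires Vista / Server 2008+, PowerShell 2.0, elevated prompt.

function Get-ServiceAccountSummary {
    # Group every installed service by the account it logs on as.
    Get-WmiObject Win32_Service |
        Group-Object StartName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-ServiceHardening([string]$ServiceName) {
    # sc.exe exposes the per-service hardening data added in Vista:
    #   qsidtype -> SERVICE_SID_TYPE (NONE / UNRESTRICTED / RESTRICTED)
    #   qprivs   -> the privileges the service asked to keep (least privilege)
    #   showsid  -> the service SID (S-1-5-80-...) firewall rules can target
    $sidType = ((sc.exe qsidtype $ServiceName | Select-String 'SERVICE_SID_TYPE') -replace '.*:\s*', '').Trim()
    $privs   = sc.exe qprivs $ServiceName | Select-String 'Se\w+Privilege' |
               ForEach-Object { $_.Matches[0].Value }
    $sid     = ((sc.exe showsid $ServiceName | Select-String '^SERVICE SID') -replace '.*:\s*', '').Trim()
    New-Object PSObject -Property @{
        Service    = $ServiceName
        SidType    = $sidType
        Privileges = ($privs -join ', ')
        ServiceSid = $sid
    }
}

# Report 1: how many services run under each account.
Get-ServiceAccountSummary | Format-Table -AutoSize

# Report 2: LocalSystem services that still run without a RESTRICTED service SID,
# i.e. the ones whose compromise yields the broadest token.
Get-WmiObject Win32_Service -Filter "StartName='LocalSystem'" |
    ForEach-Object { Get-ServiceHardening $_.Name } |
    Where-Object { $_.SidType -ne 'RESTRICTED' } |
    Format-Table Service, SidType, Privileges -AutoSize
```

A service with SidType NONE has no service SID at all, so nothing (ACLs or firewall rules) can be scoped to it; that is the XP-era state the slide contrasts against.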

Kernel Protection

Security features
• Kernel patch protection (PatchGuard; x64 editions only)
• Code signing: kernel-mode drivers must carry a valid signature to load on x64 editions
• Code integrity: system binaries are verified when they are loaded

Management mechanisms
• Registry innovations
• New services model
• Microsoft Windows® Hardware Error Architecture

Memory and heap management
• Prefetch clustering for page faults
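Added PowerShell example (not from the deck) that checks the code-signing and code-integrity posture the slide describes: it lists installed drivers that are not signed and reads the two boot options that switch integrity checks off. It assumes Windows Vista / Server 2008 with PowerShell 2.0 and an elevated prompt (bcdedit requires one). driverquery is used instead of Get-AuthenticodeSignature because inbox drivers are catalog-signed, which the PowerShell 2.0 cmdlet does not recognise.

```powershell
# Added example, not from the deck: code-integrity posture check for Vista / Server 2008.

function Get-UnsignedDrivers {
    # driverquery /si reports catalog (WHQL) signing for installed PnP drivers.
    driverquery.exe /si /fo csv | ConvertFrom-Csv |
        Where-Object { $_.IsSigned -eq 'FALSE' } |
        Select-Object DeviceName, InfName, Manufacturer
}

function Get-BootIntegritySettings {
    # 'testsigning' accepts test-signed kernel code; 'nointegritychecks' disables
    # the signature check altogether. Neither should be set on a production box.
    $bcd = bcdedit.exe /enum "{current}"
    $testsigning = ($bcd | Select-String '^testsigning') -replace '^\S+\s+', ''
    $nointegrity = ($bcd | Select-String '^nointegritychecks') -replace '^\S+\s+', ''
    if (-not $testsigning) { $testsigning = 'No (default)' }
    if (-not $nointegrity) { $nointegrity = 'No (default)' }
    # Patch protection and mandatory driver signing only exist on the x64 editions.
    $x64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    New-Object PSObject -Property @{
        TestSigning       = $testsigning.Trim()
        NoIntegrityChecks = $nointegrity.Trim()
        Is64BitKernel     = $x64
    }
}

Get-BootIntegritySettings | Format-List
Get-UnsignedDrivers | Format-Table -AutoSize
```

If TestSigning or NoIntegrityChecks reads Yes on an x64 host, the kernel will load unsigned code and the "kernel protection" guarantees on this slide no longer hold for that machine.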

Windows Firewall with Advanced Security

Combined firewall and IPsec management
• New management tool: Windows Firewall with Advanced Security MMC snap-in
• Reduces conflicts and coordination overhead between the two technologies

Firewall rules become more intelligent
• Specify security requirements such as authentication and encryption
• Specify Active Directory® computer or user groups

Outbound filtering

Simplified protection policy reduces management overhead

DEMO: Windows Firewall: creating a new rule
DEMO: Windows Firewall: creating a connection security rule

PKI Improvements

• Enterprise PKI (PKIView) snap-in for monitoring CA health
• Online Certificate Status Protocol (OCSP) responder
• Simple Certificate Enrollment Protocol (SCEP)
• Network Device Enrollment Service (NDES) and Web Enrollment

Next Generation TCP/IP Stack

• Dual-IP-layer architecture for IPv4 and IPv6 support
• Seamless security through expanded IPsec integration
• Improved performance
• Network auto-tuning
• Greater extensibility and reliability

[Diagram: architecture of the Next Generation TCP/IP Stack (tcpip.sys).
User mode: Winsock applications.
Kernel mode: AFD and TDX (the translation layer that serves legacy TDI clients); Winsock Kernel (WSK) for WSK clients; tcpip.sys with TCP, UDP and RAW transports over IPv4 and IPv6, including the IPv4 and IPv6 tunnel interfaces; the Windows Filtering Platform API exposing filtering hooks into the stack; below it NDIS, then the 802.3 and WLAN 802.11 media.]

SSTP (Secure Socket Tunneling Protocol)

• SSTP is a new form of Layer 3 VPN tunnel
• SSTP encapsulates PPP packets over HTTPS (TCP port 443), so it passes through firewalls, proxies and NATs that already allow HTTPS
• SSTP is supported in Windows Vista (SP1) and Windows Server 2008

End-to-end scenario (client on the public network; RRAS server in the DMZ; NPS server, domain controller and APP server on the corporate LAN):
1. Client connects to the Internet
2. Client dials the SSTP connectoid over port 443 to the RRAS server
3. RRAS authenticates the user (via the NPS server and the domain controller)
4. Tunnel established; the server gives the client its IP parameters
5. IP interface created on the client
6. User starts an application
7. Application packets are sent back and forth over the VPN tunnel to the APP server
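Because SSTP rides on HTTPS, the whole tunnel is only as trustworthy as the server certificate check in step 2. The following added PowerShell example (not part of the deck) performs that check before dialling: it opens TLS to the RRAS server on 443 with the normal chain validation, confirms the SSTP client's certificate revocation check has not been disabled in the registry, and only then dials the connectoid. It assumes Windows Vista SP1 / Server 2008 with PowerShell 2.0; the server name vpn.corp.example.com and the connectoid name "Corp SSTP" are placeholders.

```powershell
# Added example, not from the deck: pre-flight checks before dialling an SSTP VPN.
# Assumes PowerShell 2.0 on Vista SP1 / Server 2008. Names below are placeholders.

function Test-SstpServerCertificate([string]$Server) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
    # No validation callback: SslStream enforces chain, name and validity checks,
    # the same ones the SSTP client applies to the HTTPS leg.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Trusted    = $true
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        New-Object PSObject -Property @{ Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

function Test-SstpRevocationChecking {
    # The SSTP client checks the server certificate against its CRL by default.
    # NoCertRevocationCheck = 1 turns that off and belongs only in a lab.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoCertRevocationCheck
    ($v -eq $null) -or ($v -eq 0)
}

$server = 'vpn.corp.example.com'          # placeholder RRAS/SSTP server
$check  = Test-SstpServerCertificate $server
$check | Format-List

if ($check.Trusted -and (Test-SstpRevocationChecking)) {
    # rasdial dials the existing phone-book entry; the PPP session rides over HTTPS.
    rasdial.exe "Corp SSTP"
} else {
    Write-Warning 'Not dialling: server certificate untrusted or revocation checking disabled.'
}
```

The certificate's Subject must match the name the connectoid dials; a mismatch is exactly what an interposed HTTPS endpoint would produce, and the client should refuse rather than "fix" it with a validation override.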

Internet Explorer 7.0

Social engineering protections
• Phishing Filter and colored address bar
• Dangerous settings notification
• Secure defaults for IDN (internationalized domain names)
• Unified URL parsing

Protection from exploits
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode helps restrict malicious software

Internet Explorer Protected Mode

[Diagram: IE6 versus IE7 Protected Mode]

IE6: the browser runs with the user's full rights, so an exploit can install malware.
• Admin-rights access (HKLM, Program Files): install a driver, run Windows Update
• User-rights access (HKCU, My Documents, Startup Folder): change settings, download a picture
• Temporary Internet Files: cache web content

IE7 Protected Mode: Integrity Control runs the browser at low integrity.
• Un-trusted files and settings can be written only to the low-integrity Temporary Internet Files area; the Startup folder and the other user-rights locations are out of reach
• IExplore Compat Redirector: settings and files that legacy code tries to write elsewhere are redirected into the low-integrity store
• IEUser broker: changing settings or saving a picture goes through a broker process running at the user's normal rights
• IEAdmin broker: installing an ActiveX control goes through a broker process running with admin rights

ActiveX Opt-in (IE7)
• Controls are disabled by default
• IE7 blocks the ActiveX control
• IE7 confirms the install with the user
• Only then is the ActiveX control enabled
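Added PowerShell example (not from the deck) for verifying that Protected Mode is actually in force: it reads the per-zone Protected Mode setting (registry value 2500 under each zone key, where 0 is on and 3 is off; a copy under the Group Policy hive wins when present) and prints the mandatory integrity label on the two folders a low-integrity IE process is allowed to write to. It assumes Windows Vista with IE7 and PowerShell 2.0.

```powershell
# Added example, not from the deck: audit IE7 Protected Mode state on Vista.

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ProtectedModeState {
    # Value 2500 in each zone key: 0 = Protected Mode on, 3 = off.
    foreach ($zone in 1..4) {
        $userKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $policyKey = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $p = (Get-ItemProperty $policyKey -ErrorAction SilentlyContinue).'2500'
        $u = (Get-ItemProperty $userKey   -ErrorAction SilentlyContinue).'2500'
        if ($p -ne $null) { $effective = $p } else { $effective = $u }
        if ($effective -eq 0)     { $state = 'On' }
        elseif ($effective -eq 3) { $state = 'Off' }
        else                      { $state = 'Not set' }
        New-Object PSObject -Property @{
            Zone          = $zoneNames[$zone]
            ProtectedMode = $state
            SetByPolicy   = ($p -ne $null)
        }
    }
}

function Get-IntegrityLabel([string]$Path) {
    # icacls prints the mandatory label, e.g. "Low Mandatory Level:(OI)(CI)(NW)".
    # (NW) = no-write-up: only low-IL processes such as Protected Mode IE may write here.
    icacls.exe $Path | Select-String 'Mandatory Label'
}

Get-ProtectedModeState | Format-Table Zone, ProtectedMode, SetByPolicy -AutoSize
Get-IntegrityLabel "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
Get-IntegrityLabel "$env:USERPROFILE\AppData\LocalLow"
```

Protected Mode is off for the Trusted sites zone by design, so every site added to that zone is a site that regains the IE6-style write access drawn on the left of the diagram.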

Windows Defender

• Helps detect and remove spyware and other potentially unwanted software
• Automatic download scanning in Internet Explorer
• Allows standard users to remove spyware
• Can be enabled/disabled via Group Policy

Internet Information Services (IIS) 7.0

• Componentized architecture
• Delegated management

Modules by category:

HTTP protocol support: ValidationRangeModule, TraceVerbModule, OptionsVerbModule, ClientRedirectionModule
Logging and diagnostics: HttpLoggingModule, CustomLoggingModule
Configuration and metadata caches: ConfigurationModule, UriCacheModule, SiteCacheModule, FileCacheModule
Core web server: DirectoryListingModule, CustomErrorModule, DynamicCompressionModule, StaticCompressionModule, StaticFileModule, DefaultDocumentModule, HttpCacheModule, RequestMonitorModule, TracingModule
AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, AccessCheckModule, UrlAuthorizationModule
Extensibility: ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, ManagedEngineModule
Publishing: DavModule
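The security benefit of the componentized architecture is that modules you do not install cannot be attacked; the benefit of delegated management is that you can decide which settings site owners may change. This added PowerShell example (not part of the deck) uses appcmd.exe to remove the server-side execution modules from a server that only serves static content, lock the handler, module and authentication sections so a site-level web.config cannot re-enable them, and cap request size with request filtering. It assumes Windows Server 2008 with the Web Server role, PowerShell 2.0 and an elevated prompt; the list of modules to remove is an assumption for a static-content host.

```powershell
# Added example, not from the deck: reduce and lock the IIS 7.0 module stack.
# Assumes Server 2008 with IIS 7.0, PowerShell 2.0, elevated prompt.

$appcmd = "$env:SystemRoot\System32\inetsrv\appcmd.exe"

function Get-IisModules {
    # Server-level module list; each line looks like: MODULE "Name" ( type:..., preCondition:... )
    & $appcmd list modules | ForEach-Object {
        if ($_ -match '^MODULE "([^"]+)"') { $matches[1] }
    }
}

function Remove-IisModules([string[]]$Names) {
    # Removing at the server level unregisters the module for every site;
    # use the exact name appcmd reports so the match is not case-dependent.
    $installed = Get-IisModules
    foreach ($m in $Names) {
        $actual = $installed | Where-Object { $_ -eq $m }
        if ($actual) { & $appcmd delete module $actual }
    }
}

function Lock-IisSections([string[]]$Sections) {
    # A locked section cannot be overridden from web.config (delegated management boundary).
    foreach ($s in $Sections) { & $appcmd lock config /section:$s }
}

# Assumed set for a static-content host: everything that executes server-side code.
Remove-IisModules @('ServerSideIncludeModule', 'CgiModule', 'IsapiModule',
                    'IsapiFilterModule', 'DirectoryListingModule', 'WebDAVModule')

# Keep the request pipeline and authentication under central control.
Lock-IisSections @('system.webServer/handlers',
                   'system.webServer/modules',
                   'system.webServer/security/authentication/anonymousAuthentication')

# Request filtering is built into IIS 7.0: cap uploads at 1 MiB.
& $appcmd set config /section:requestFiltering /requestLimits.maxAllowedContentLength:1048576

# Show what is left.
Get-IisModules | Sort-Object
```

Running "appcmd list modules" before and after gives the reviewable diff of the attack surface; removing the module is stronger than leaving it installed but unmapped, because an unmapped module can be mapped again by anyone who can edit a handler mapping.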

Terminal Services Gateway

[Diagram: a remote/mobile user on the Internet tunnels RDP over HTTPS to the Terminal Services Gateway in the perimeter network. The gateway checks the connection against the Network Policy Server and the Active Directory domain controller, strips off the HTTPS encapsulation, and passes the RDP traffic on to the terminal servers and other RDP hosts on the corporate network.]

Agenda

Fundamentals

Threat and Vulnerability Mitigation

Identity and Access Control

Information Protection

Integrating the Edge

• Policy, not topology, defines the edge

Define the boundary
• Federated identity
• Universal addressability (IPv6)
• Authentication and authorization: Active Directory, 2-factor and biometrics, claims-based security

Secure the boundary
• Anywhere access: IPsec policies, per-application VPN
• Network Access Protection
• Anti-malware and firewalls

Network Access Protection

[Diagram: a Windows client asks for access through an NPS-controlled access point (DHCP, VPN, switch/router). NPS validates the client's health against policy servers such as patch and AV. A policy-compliant client is admitted to the corporate network; a client that is not policy compliant is placed on a restricted network where it can reach only the remediation servers (example: patch server).]

What is Network Access Protection?
• Health policy validation
• Health policy compliance
• Ability to provide limited access
• Enhanced security
• Increased business value
• Cisco and Microsoft integration story
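Added PowerShell example (not from the deck) for the client side of the DHCP enforcement scenario drawn above: it makes sure the NAP Agent service is running, enables the DHCP enforcement client, prints the agent's state, and detects whether the host has been placed on the restricted network (a non-compliant DHCP client receives a 255.255.255.255 subnet mask and no default gateway, with reachability limited to the remediation servers). It assumes Windows Vista with PowerShell 2.0 and an elevated prompt; the NPS, DHCP and remediation-server side is configured separately.

```powershell
# Added example, not from the deck: Vista NAP client setup and restriction check.

function Enable-NapAgent {
    # The NAP Agent service (napagent) assembles the Statement of Health from the
    # System Health Agents; without it the client cannot prove compliance.
    Set-Service napagent -StartupType Automatic
    Start-Service napagent
}

function Enable-NapEnforcement([int]$Id) {
    # Enforcement client IDs: 79617 DHCP, 79618 Remote Access (VPN), 79619 IPsec,
    # 79621 TS Gateway, 79623 EAP (802.1X). Enable only what NPS actually enforces.
    netsh.exe nap client set enforcement id=$Id admin=enable
}

function Test-DhcpRestricted {
    # On the restricted network the DHCP server hands out a host mask and no router,
    # so the client can only reach the remediation servers pushed as static routes.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE'
    foreach ($nic in $nics) {
        if (($nic.IPSubnet -contains '255.255.255.255') -and -not $nic.DefaultIPGateway) {
            return $true
        }
    }
    $false
}

Enable-NapAgent
Enable-NapEnforcement 79617
netsh.exe nap client show state
if (Test-DhcpRestricted) {
    Write-Warning 'Host is on the NAP restricted network: fix the failing health check and renew the lease.'
}
```

DHCP enforcement is the weakest of the enforcement methods because a client with a static address bypasses it entirely; it is useful for visibility and remediation, while IPsec or 802.1X enforcement is what actually keeps a non-compliant host off the network.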

Policy-based Dynamic Segmentation (Server and Domain Isolation)

[Diagram: corporate network with an Active Directory domain controller. Domain isolation: managed computers authenticate to each other with IPsec; an untrusted, unmanaged or rogue computer is blocked (X) from reaching them. Server isolation: inside the domain, servers with sensitive data accept connections only from authorized hosts such as an HR workstation; other managed computers are blocked (X) even though they are domain members. A trusted resource server stays reachable by all managed computers.]

• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted computers
• Enable tiered access to sensitive resources
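The isolation model above is built from the two rule types the Windows Firewall demos earlier in the deck create interactively: a connection security rule that requires IPsec authentication, and a firewall rule whose "security requirements" and "Active Directory computer group" settings admit only authenticated, encrypted traffic from members of a group. This added PowerShell example (not part of the deck) does both from the netsh advfirewall command line. It assumes Windows Vista / Server 2008, a domain-joined host, an elevated prompt and an existing AD group; the group name CORP\HR-Workstations and port 8080 are placeholders.

```powershell
# Added example, not from the deck: domain isolation plus server isolation with
# netsh advfirewall. Assumes Vista / Server 2008, domain-joined, elevated prompt.

function Set-DefaultFirewallPolicy {
    # Block unsolicited inbound on every profile. Move to blockoutbound once rules
    # exist for the traffic the host legitimately initiates.
    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
}

function New-DomainIsolationRule {
    # Connection security rule: require authentication inbound, request it outbound,
    # using the computer's Kerberos identity. Unmanaged hosts cannot authenticate,
    # so their inbound connections are dropped.
    netsh.exe advfirewall consec add rule name=DomainIsolation `
        endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb
}

function Get-GroupSid([string]$Account) {
    # Resolve the AD group to its SID; netsh wants the group as an SDDL string.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-ServerIsolationRule([int]$Port, [string]$GroupSid) {
    # Firewall rule: admit only IPsec-authenticated AND encrypted traffic (authenc)
    # whose remote computer is a member of the group. The consec rule above supplies
    # the authentication this rule relies on.
    $sddl = "D:(A;;CC;;;$GroupSid)"
    netsh.exe advfirewall firewall add rule name=HR-App-Isolated `
        dir=in action=allow protocol=TCP localport=$Port profile=domain `
        security=authenc rmtcomputergrp=$sddl
}

Set-DefaultFirewallPolicy
New-DomainIsolationRule
New-ServerIsolationRule -Port 8080 -GroupSid (Get-GroupSid 'CORP\HR-Workstations')

# Verify: list the rules, then watch main-mode SAs appear as managed peers connect.
netsh.exe advfirewall consec show rule name=all
netsh.exe advfirewall firewall show rule name=HR-App-Isolated verbose
netsh.exe advfirewall monitor show mmsa
```

Deploy the connection security rule in requestinrequestout mode first and switch to requireinrequestout only after "monitor show mmsa" shows every managed peer negotiating successfully; moving straight to require mode on a domain controller or file server is the classic way to isolate yourself.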

Agenda

Fundamentals

Threat and Vulnerability Mitigation

Identity and Access Control

Information Protection

WinLogon Architecture

[Diagram: Session 0 hosts WinInit, RCM, LSA, the Service Control Manager (SCM), Group Policy and Profiles. Each interactive user session hosts its own WinLogon, which loads LogonUI; LogonUI in turn hosts Credential Provider 1, Credential Provider 2, Credential Provider 3, and so on.]

• GINA replaced
• New Credential Providers
• NOTE: Session 0 isolation (services no longer share a session with the interactive user)

Windows CardSpace™

Easier
• Provides a consistent user experience
• Replaces usernames and passwords with strong tokens

Safer
• Protects users from phishing and fraud attacks
• Support for two-factor authentication
• Tokens are cryptographically strong

Standards, standards, standards!!
• Built on WS-* Web Services protocols
• Can be supported by websites on any technology and platform

CardSpace environment
• Runs under a separate desktop and restricted account
• Isolates the CardSpace runtime from the Windows desktop
• Deters hacking attempts by user-mode processes

CardSpace cards

Self-issued
• Contain claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks

Managed
• Provided by banks, stores, government, clubs, etc.
• Locally stored cards contain metadata only!
• Data is stored by the Identity Provider and obtained only when the card is submitted

Participants: User; Relying Party (website); Identity Provider

User Account Control

Challenges
• Most users run with full administrator privileges all the time
  • At risk from malware
  • Can't manage desktops or enforce policy
  • Expensive to support
• Difficult to run as a standard user
  • User can't perform many tasks
  • Many applications don't run

Windows Vista solution
• Easier to run as standard user: users can do more on their own
  • Change time zone, power settings, VPN, and more
  • Install approved devices
  • Admin commands clearly marked
• Higher application compatibility
  • File and registry virtualization
• Greater protection for admins
  • Software runs with lower privileges by default
  • Administrator provides consent before elevation

User Account Control sample: elevated privileges and consent prompts
• Operating system component vs application
• Signed application vs unsigned application
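Added PowerShell example (not from the deck) that reads the policy values behind the UAC behaviour on this slide: whether Admin Approval Mode is on, how administrators and standard users are prompted, whether prompts use the secure desktop, whether only signed executables may elevate (the signed/unsigned distinction in the sample), and whether file and registry virtualization is enabled. It also reports whether the current shell already holds the full administrator token. It assumes Windows Vista / Server 2008 with PowerShell 2.0.

```powershell
# Added example, not from the deck: inspect UAC policy and elevation state.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty $uacKey
    New-Object PSObject -Property @{
        # 1 = UAC on (Admin Approval Mode); 0 = administrators always get the full token.
        EnableLUA                   = $p.EnableLUA
        # Admin prompt: 0 = elevate silently, 1 = prompt for credentials, 2 = prompt for consent.
        ConsentPromptBehaviorAdmin  = $p.ConsentPromptBehaviorAdmin
        # Standard user: 0 = deny elevation requests, 1 = prompt for credentials.
        ConsentPromptBehaviorUser   = $p.ConsentPromptBehaviorUser
        # 1 = prompts appear on the secure desktop, out of reach of user-mode windows.
        PromptOnSecureDesktop       = $p.PromptOnSecureDesktop
        # 1 = only executables with a valid Authenticode signature may elevate.
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
        # 1 = legacy writes to HKLM / Program Files are redirected to per-user stores.
        EnableVirtualization        = $p.EnableVirtualization
    }
}

function Test-IsElevated {
    # Under UAC an administrator's shell starts with a filtered token, so the
    # Administrators group is only effective after elevation.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacWeaknesses {
    # Settings that remove the protection the slide describes.
    $p = Get-UacPolicy
    $issues = @()
    if ($p.EnableLUA -ne 1)                  { $issues += 'UAC disabled: admins run with the full token' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $issues += 'Admins elevate silently (no consent prompt)' }
    if ($p.PromptOnSecureDesktop -ne 1)      { $issues += 'Prompts not on the secure desktop (spoofable)' }
    if ($p.EnableVirtualization -ne 1)       { $issues += 'Virtualization off: legacy apps fail as standard user' }
    $issues
}

Get-UacPolicy | Format-List
"Current shell elevated: $(Test-IsElevated)"
Get-UacWeaknesses
```

ValidateAdminCodeSignatures = 1 is the hardening behind the "unsigned application" prompt: with it set, an unsigned binary is refused elevation outright instead of merely showing a less reassuring dialog.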

Agenda

• Fundamentals

• Threat and Vulnerability Mitigation

• Identity and Access Control

• Information Protection

Windows Vista/Server 2008 Information Protection

• Who are you protecting against?
  • Other users or administrators on the machine? EFS
  • Unauthorized users with physical access? BitLocker™

Scenarios (evaluated against BitLocker, EFS and RMS)
• Laptops
• Branch office server
• Local single-user file & folder protection
• Local multi-user file & folder protection
• Remote file & folder protection
• Untrusted network admin
• Remote document policy enforcement

Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
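Added PowerShell example (not from the deck) that inventories which of the encryption technologies on this slide is actually in force on a host: BitLocker protection, conversion state and key-protector count per volume via the Win32_EncryptableVolume WMI class, and the EFS-encrypted files under a folder via cipher.exe. RMS is server-enforced and has no local equivalent here. It assumes Windows Vista Enterprise/Ultimate or Server 2008 with the BitLocker feature installed, PowerShell 2.0 and an elevated prompt.

```powershell
# Added example, not from the deck: BitLocker and EFS inventory on Vista / Server 2008.

function Get-BitLockerStatus {
    # Win32_EncryptableVolume lives in the MicrosoftVolumeEncryption namespace.
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        ForEach-Object {
            $prot = $_.GetProtectionStatus()    # ProtectionStatus: 0 off, 1 on, 2 unknown
            $conv = $_.GetConversionStatus()    # ConversionStatus: 0 decrypted, 1 encrypted, 2/3 in progress, 4/5 paused
            $kp   = $_.GetKeyProtectors(0)      # 0 = every protector type (TPM, PIN, startup key, recovery key/password)
            switch ($prot.ProtectionStatus) {
                0 { $protText = 'Off' }
                1 { $protText = 'On' }
                default { $protText = 'Unknown' }
            }
            switch ($conv.ConversionStatus) {
                0 { $convText = 'Fully decrypted' }
                1 { $convText = 'Fully encrypted' }
                2 { $convText = 'Encryption in progress' }
                3 { $convText = 'Decryption in progress' }
                default { $convText = 'Paused' }
            }
            New-Object PSObject -Property @{
                Drive            = $_.DriveLetter
                ProtectionStatus = $protText
                ConversionStatus = $convText
                KeyProtectors    = @($kp.VolumeKeyProtectorID).Count
            }
        }
}

function Get-EfsEncryptedFiles([string]$Folder) {
    # 'cipher /u /n' lists every EFS-encrypted file on local drives without
    # touching any keys; keep only the ones under the folder of interest.
    cipher.exe /u /n | Where-Object { $_ -like "$Folder*" }
}

Get-BitLockerStatus | Format-Table Drive, ProtectionStatus, ConversionStatus, KeyProtectors -AutoSize
Get-EfsEncryptedFiles "$env:USERPROFILE\Documents"
```

A volume reporting "Fully encrypted" but ProtectionStatus "Off" is the suspended state (clear key on disk) that offers no protection against the physical-access attacker on this slide; and a volume with no recovery-type protector is one whose data is lost with the TPM.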

Summary

• Stronger fundamentals
• Layered approach for threat and vulnerability mitigation
• More options and granularity in identity and access management
• Holistic approach towards information protection using encryption technologies