0828 Windows Server 2008: A Look at the New Security Features
Windows Server 2008: A Look at the New Security Features
呂政周, Senior Instructor, 精誠恆逸教育訓練處 (SYSTEX Uuu Education and Training Center), http://edu.uuu.com.tw
Agenda
• Introduction
• Operating system security
• Access control security
• Application security
• Program execution security
• Data transmission security
• Data storage security
Introduction
• Although viruses and hackers occupy the headlines, security management remains the core of an organization's computer and information security.
• SD3+C
– Secure by Design
– Secure by Default
– Secure in Deployment and Communications
• Trustworthy Computing
Operating System Security
Windows Server 2008 Security Development Lifecycle
• Regular and mandatory security training for developers
• Security advisors provide developers with security guidance for every system component
• Threat models are taken into account at the design stage
• Security code review and testing
• Common Criteria certification
The bad guys are everywhere!
• They literally want to do you harm
• Threats exist in two interesting places—
– Online: system started and shows a login screen or a user is logged in
– Offline: system is powered down or in hibernation
• Policies must address both
Protect the OS When Running
The threats
• Trojan that replaces a system file to install a rootkit and take control of the computer (e.g. Fun Love or others that use rootkits)
• Offline attack caused by booting an alternate operating system and attempting to corrupt or modify Windows operating system image files
• Third-party kernel drivers that are not secure
• Any action by an administrator that threatens the integrity of the operating system binary files
• Rogue administrator who changes an operating system binary to hide other acts
Code integrity
• Validates the integrity of each binary image
– Checks hashes for every page as it's loaded
– Also checks any image loading to a protected process
– Implemented as a file system filter driver
– Hashes stored in system catalog or in X.509 certificate embedded in file
• Also validates the integrity of the boot process
– Checks the kernel, the HAL, boot-start drivers
• If validation fails, image won't load
Hash validation scope
Windows binaries: Yes
WHQL-certified third-party drivers: Yes
Unsigned drivers: By policy
Third-party application binaries: No
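An added example (not from the slides) of the per-page hash check described above: it builds a per-page SHA-1 catalog for a constructed sample image, validates each page as it would be loaded, and reports which page an offline modification touched. The image bytes and the 4 KiB page size are constructed for the example; a real catalog is signed and fixes the hash algorithm itself.

```python
import hashlib

PAGE_SIZE = 4096  # constructed: x86 page size used for the per-page hashes


def build_page_catalog(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return one SHA-1 digest per page of the image.

    Stands in for the per-page hashes that the signed system catalog (or the
    certificate embedded in the file) carries for a Windows binary."""
    offsets = range(0, len(image), page_size)
    return [hashlib.sha1(image[o:o + page_size]).hexdigest() for o in offsets]


def verify_page(image: bytes, index: int, catalog: list,
                page_size: int = PAGE_SIZE) -> bool:
    """Check one page against its catalog entry, as done when the page is loaded."""
    if index >= len(catalog):
        return False  # no catalog entry: the page cannot be trusted
    chunk = image[index * page_size:(index + 1) * page_size]
    return hashlib.sha1(chunk).hexdigest() == catalog[index]


def load_image(image: bytes, catalog: list, page_size: int = PAGE_SIZE) -> list:
    """Simulate a demand-paged load and return the indices of failing pages.

    The real loader refuses the image on the first failure; returning the full
    list makes it easy to see exactly which page was altered."""
    page_count = -(-len(image) // page_size)  # ceiling division
    if page_count != len(catalog):
        return list(range(page_count))  # size mismatch: nothing is trusted
    return [i for i in range(page_count)
            if not verify_page(image, i, catalog, page_size)]


# Constructed sample "binary": three pages of deterministic filler bytes.
GOOD_IMAGE = bytes((i * 7) & 0xFF for i in range(3 * PAGE_SIZE))
CATALOG = build_page_catalog(GOOD_IMAGE)

# Constructed offline modification: one bit in page 1 flipped, the kind of
# change made by booting another OS and editing the image on disk.
_tampered = bytearray(GOOD_IMAGE)
_tampered[PAGE_SIZE + 100] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


def demo() -> dict:
    """Untouched image loads cleanly; the modified one fails exactly on page 1."""
    return {"good": load_image(GOOD_IMAGE, CATALOG),
            "tampered": load_image(TAMPERED_IMAGE, CATALOG)}


if __name__ == "__main__":
    print(demo())
```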
More on signatures
• Don’t confuse hash validation with signatures
x64
– All kernel mode code must be signed or it won't load
– Third-party drivers must be WHQL-certified or contain a certificate from a Microsoft CA
– No exceptions, period
– User mode binaries need no signature unless they implement cryptographic functions or load into the software licensing service
x32 (32-bit)
– Signing applies only to drivers shipped with Windows
– Can control by policy what to do with third-party drivers
– Unsigned kernel mode code will load
– User mode binaries—same as x64
Recovering from CI failures
• Potential problems—
– OS won't boot: kernel code or boot-time driver failed CI
– OS boots, a device won't function: non-boot-time driver failed CI
– OS boots, system is "weird": service failed CI
– OS boots and behaves, task malfunctions: OS component failed CI
• Solve boot-critical problems through standard system recovery tools
• Integrated Windows diagnostic infrastructure helps to repair critical files; non-critical files can be replaced through Microsoft Update
Integrated Windows Defender
• Integrated detection, cleaning, and real-time blocking of malware:
– Malware, rootkits, and spyware
– Targeted at consumers; enterprise manageability will be available as a separate product
• Integrated Microsoft Malicious Software Removal Tool (MSRT) will remove the worst worms, bots, and trojans during an upgrade and on a monthly basis
Internet Explorer 7
• In addition to building on UAC (see later), IE includes:
– Protected Mode that only allows IE to browse with no other rights, even if the user has them, such as to install software
• "Read-only" mode, except for Temporary Internet Files when the browser is in the Internet security zone
Phishing Filter in IE
Dynamic Protection Against Fraudulent Websites
• 3 checks to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites, updated several times every hour
• Two Levels of Warning and Protection in IE7 Security Status Bar
– Level 1: Warn Suspicious Website (signaled)
– Level 2: Block Confirmed Phishing Site (signaled and blocked)
Access Control Security
User Account Control
• Helps implement the Least Privilege principle in two distinct ways:
1. Every user is a standard user
• Older, legacy, or just greedy applications' attempts to change your system's settings will be virtualised so they do not break anything
2. Each genuine need to use administrative privileges will require:
• Selection of a user who has those permissions, or
• Confirmation of the intent to carry on with the operation
UAC: Fundamental Change to Windows Operation
• Fixes the system to work well as a standard user
• Registry and file virtualization to provide compatibility
– Per-machine registry writes are redirected to per-user locations if the user does not have administrative privileges
– Effectively: standard accounts can run "admin-required" legacy applications safely!
– You can redirect the virtualization store
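An added example (not from the slides) modelling the registry and file virtualization described above: a standard user's per-machine write lands in that user's virtual store, the user's own reads see it, and nobody else does. It assumes the Vista-era store locations HKCU\Software\Classes\VirtualStore\MACHINE and %LOCALAPPDATA%\VirtualStore; the user names, key paths and values are constructed.

```python
from typing import Dict, Tuple

# Per-user virtual store locations (assumed Vista-era defaults; the slide notes
# the store location can be redirected).
REG_VIRTUAL_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"
FILE_VIRTUAL_STORE = r"%LOCALAPPDATA%\VirtualStore"

# Per-machine locations a legacy application insists on writing to.
REG_MACHINE_PREFIX = r"HKLM\SOFTWARE"
FILE_MACHINE_PREFIXES = (r"C:\Program Files", r"C:\Windows")


def virtualize(path: str, is_admin: bool) -> Tuple[str, bool]:
    """Map a write target to where it actually lands: (effective_path, redirected).

    Administrators write to the real location. A standard user's write to a
    per-machine location is redirected into that user's virtual store instead
    of failing, so the legacy application keeps working."""
    if is_admin:
        return path, False
    upper = path.upper()
    if upper.startswith(REG_MACHINE_PREFIX.upper()):
        return REG_VIRTUAL_STORE + path[len("HKLM"):], True
    for prefix in FILE_MACHINE_PREFIXES:
        if upper.startswith(prefix.upper()):
            return FILE_VIRTUAL_STORE + path[len("C:"):], True
    return path, False  # already per-user (HKCU, profile folders): no redirect


class VirtualizedSystem:
    """Toy model: one shared per-machine store plus a virtual store per user."""

    def __init__(self) -> None:
        self.machine: Dict[str, str] = {}
        self.per_user: Dict[str, Dict[str, str]] = {}

    def write(self, user: str, is_admin: bool, path: str, value: str) -> str:
        target, redirected = virtualize(path, is_admin)
        store = self.per_user.setdefault(user, {}) if redirected else self.machine
        store[target] = value
        return target

    def read(self, user: str, path: str):
        """Virtualized reads check the user's own store first, then the machine copy."""
        target, redirected = virtualize(path, is_admin=False)
        if redirected and target in self.per_user.get(user, {}):
            return self.per_user[user][target]
        return self.machine.get(path)


def demo() -> dict:
    """Constructed scenario: a legacy app run by standard user 'alice' writes
    its settings under HKLM; alice sees them, bob and the machine copy do not."""
    system = VirtualizedSystem()
    key = r"HKLM\SOFTWARE\LegacyApp\Mode"
    landed = system.write("alice", False, key, "fast")
    ini = r"C:\Program Files\LegacyApp\app.ini"
    system.write("admin", True, ini, "[real]")  # elevated: real location
    return {"landed": landed,
            "alice_sees": system.read("alice", key),
            "bob_sees": system.read("bob", key),
            "machine_copy": system.machine.get(key),
            "admin_file_real": ini in system.machine}
```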
Control Over Device Installation
• Control over removable device installation via a policy
– Mainly to disable USB-device installation, as many corporations worry about intellectual property leaks
– You can control them by device class or driver
• Approved drivers can be pre-populated into the trusted Driver Store
• Driver Store Policies (group policies) govern driver packages that are not in the Driver Store:
– Non-corporate standard drivers
– Unsigned drivers
Using Network Access Protection
1. Client requests access to network and presents current health state
2. Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted virtual local area network (VLAN) and given access to fix-up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
(Figure components: Windows client; DHCP, VPN, Switch/Router; MSFT NPS; policy servers such as Patch, AV; fix-up servers, example: Patch; restricted network; corporate network)
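An added example (not from the slides) that walks the five NAP steps above for constructed clients: NPS checks the presented health state against an IT-defined policy, a non-compliant client is held in the restricted network and re-evaluated after the fix-up servers remediate it, and a client the fix-up servers cannot bring up to policy stays restricted. The policy thresholds, the health-state fields and the FixUpServers class are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# IT-defined health policy (constructed thresholds for the example).
HEALTH_POLICY = {
    "min_patch_level": 5,       # lowest acceptable update bundle number
    "max_av_signature_age": 3,  # days
    "firewall_required": True,
}


@dataclass
class StatementOfHealth:
    """Health state the Windows client presents in step 1 (constructed fields)."""
    client: str
    patch_level: int
    av_signature_age: int
    firewall_on: bool


@dataclass
class FixUpServers:
    """Remediation resources reachable from the restricted VLAN in step 4.

    What they can deliver bounds what remediation achieves: an out-of-date
    patch server cannot make a client compliant."""
    latest_patch_level: int = 5
    latest_signature_age: int = 0

    def remediate(self, soh: StatementOfHealth) -> StatementOfHealth:
        soh.patch_level = max(soh.patch_level, self.latest_patch_level)
        soh.av_signature_age = min(soh.av_signature_age, self.latest_signature_age)
        soh.firewall_on = True  # configuration push turns the host firewall on
        return soh


def nps_validate(soh: StatementOfHealth, policy=HEALTH_POLICY) -> List[str]:
    """Step 3: NPS compares the relayed health state against policy.

    Returns the failed requirements; an empty list means compliant."""
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch level %d below %d" % (soh.patch_level, policy["min_patch_level"]))
    if soh.av_signature_age > policy["max_av_signature_age"]:
        failures.append("AV signatures %d days old" % soh.av_signature_age)
    if policy["firewall_required"] and not soh.firewall_on:
        failures.append("host firewall off")
    return failures


def enforce(soh: StatementOfHealth, fixup: FixUpServers,
            max_rounds: int = 3) -> Tuple[str, List[str]]:
    """Steps 1-5: the enforcement point (DHCP, VPN, switch) relays the health
    state to NPS; a non-compliant client is restricted, remediated and
    re-evaluated (repeat 1-4); a compliant client gets the corporate network."""
    trail = []
    for round_no in range(1, max_rounds + 1):
        failures = nps_validate(soh)
        if not failures:
            trail.append("round %d: compliant, full access" % round_no)
            return "corporate", trail
        trail.append("round %d: restricted VLAN (%s)" % (round_no, "; ".join(failures)))
        soh = fixup.remediate(soh)
    return "restricted", trail  # remediation never succeeded: stays quarantined
```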
Windows Firewall Advanced Security
• Filter both incoming and outgoing traffic
• New Microsoft® Management Console (MMC) snap-in for GUI configuration
• Integrated firewall and IP security (IPsec) settings
• Several ways to configure exceptions
NG TCP/IP: Next Generation TCP/IP in Vista and "Longhorn"
• A new, fully re-worked replacement of the old TCP/IP stack
• Dual-stack IPv6 implementation, with now obligatory IPSec
– IPv6 is more secure than IPv4 by design, esp.:
• Privacy, tracking, network port scanning, confidentiality and integrity
• Other network-level security enhancements for both IPv4 and IPv6
– Strong Host model
– Windows Filtering Platform
– Improved stack-level resistance to all known TCP/IP-based denial of service and other types of network attacks
– Routing Compartments
– Auto-configuration and no-restart reconfiguration
Application Security and Program Execution Security
The threats
• Remember Blaster?
– Took over RPCSS—made it write msblast.exe to the file system and added run keys to the registry
• No software is perfect; someone still might find a vulnerability in a service
• Malware often looks to exploit such vulnerabilities
• Services are attractive
– Run without user interaction
– Many services have free rein over the system—too much access
– Most services can communicate over any port
Service hardening
Service refactoring
– Move service from LocalSystem to something less privileged
– If necessary, split service so that only the part requiring LocalSystem receives that
Service profiling
– Enables service to restrict its behavior
– Resources can have ACLs that allow the service's ID to access only what it needs
– Also includes rules for specifying required network behavior
It's about the principle of least privilege—it's good for people, and it's good for services
Refactoring
• Ideally, remove the service out of LocalSystem
– If it doesn't perform privileged operations
– Make ACL changes to registry keys and driver objects
• Otherwise, split into two pieces
– The main service
– The bits that perform privileged operations
– Authenticate the call between them
(Figure: the main service runs as LocalService; the privileged part runs as LocalSystem)
Profiling
• Every service has a unique service identifier called a "service SID"
– S-1-80-<SHA-1 hash of logical service name>
• A "service profile" is a set of ACLs that—
– Allow a service to use a resource
– Constrain the service to the resources it needs
– Define which network ports a service can use
– Block the service from using other ports
• Now, a service can run as LocalService or NetworkService and still receive additional access when necessary
Restricting services
1. SCM computes service SID
2. SCM adds the SID to service process's token
3. SCM creates write-restricted token
4. SCM removes unneeded privileges from process token
5. Service places ACL on resource—only service can write to it
Restricting services: know this
• A restrictable service will set two properties (stored in the registry)—
– One to indicate that it can be restricted
– One to show which privileges it requires
Note! This is a voluntary process. The service is choosing to restrict itself. It's good development practice because it reduces the likelihood of a service being abused by malware, but it isn't a full-on system-wide restriction mechanism. Third-party services can still run wild and free…
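An added example (not from the slides) covering the service SID derivation and the token-restriction steps above; on shipping systems the prefix is S-1-5-80 (identifier authority 5, sub-authority 80), which the slide abbreviates as S-1-80. The ServiceToken class, the service name ExampleSvc and the ACLs are a simplified model constructed for the example, and the hardened token can write only to the resource that names its own SID.

```python
import hashlib
import struct
from typing import Dict, Set

LOCAL_SERVICE = "S-1-5-19"  # well-known SID of the LocalService account
EVERYONE = "S-1-1-0"


def service_sid(logical_name: str) -> str:
    """Derive the per-service SID the way the SCM does.

    SHA-1 of the upper-cased service name in UTF-16LE, read as five
    little-endian 32-bit sub-authorities under the S-1-5-80 prefix."""
    digest = hashlib.sha1(logical_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))


class ServiceToken:
    """Simplified model of the token the SCM builds for a restrictable service."""

    def __init__(self, account_sid: str, svc_sid: str, write_restricted: bool,
                 privileges: Set[str], required_privileges: Set[str]) -> None:
        # Step 2: the service SID is added to the process token's groups.
        self.groups = {account_sid, svc_sid, EVERYONE}
        # Step 3: a write-restricted token also carries restricting SIDs;
        # modelled here (simplified) as just the service SID and Everyone.
        self.restricting = {svc_sid, EVERYONE} if write_restricted else None
        # Step 4: privileges the service did not declare as required are removed.
        self.privileges = privileges & required_privileges

    def can_write(self, acl: Dict[str, Set[str]]) -> bool:
        """Write needs a grant to one of the normal groups AND, when the token
        is write-restricted, a grant to one of the restricting SIDs too."""
        def granted(sids: Set[str]) -> bool:
            return any("write" in acl.get(sid, set()) for sid in sids)
        if not granted(self.groups):
            return False
        return self.restricting is None or granted(self.restricting)


def demo() -> dict:
    """Constructed scenario: a service named ExampleSvc hosted under LocalService."""
    svc = service_sid("ExampleSvc")
    # Step 5: the service ACLs its own resource so only its SID may write.
    own_resource = {svc: {"read", "write"}, EVERYONE: {"read"}}
    # A pre-existing object whose default ACL lets the whole LocalService
    # account write; every other service running as LocalService shares it.
    shared_resource = {LOCAL_SERVICE: {"read", "write"}, EVERYONE: {"read"}}
    privs = {"SeChangeNotifyPrivilege", "SeImpersonatePrivilege", "SeAuditPrivilege"}
    legacy = ServiceToken(LOCAL_SERVICE, svc, False, privs, privs)
    hardened = ServiceToken(LOCAL_SERVICE, svc, True, privs, {"SeChangeNotifyPrivilege"})
    return {
        "sid": svc,
        "legacy_writes_shared": legacy.can_write(shared_resource),
        "hardened_writes_shared": hardened.can_write(shared_resource),
        "hardened_writes_own": hardened.can_write(own_resource),
        "hardened_privileges": sorted(hardened.privileges),
    }
```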
Windows Server 2008 Services Hardening
(Figure: layered diagram of kernel drivers, user-mode drivers and services 1, 2, 3, …, A, B)
• Reduce size of high-risk layers
• Segment the services
• Increase number of layers
Granular Audit Policy
Object Access Auditing (earlier event format)
Object Access Attempt: Object Server: %1; Handle ID: %2; Object Type: %3; Process ID: %4; Image File Name: %5; Access Mask: %6
Object Access Auditing (new event format)
An operation was performed on an object.
Subject: Security ID: %1; Account Name: %2; Account Domain: %3; Logon ID: %4
Object: Object Server: %5; Object Type: %6; Object Name: %7; Handle ID: %9
Operation: Operation Type: %8; Accesses: %10; Access Mask: %11; Properties: %12; Additional Info: %13; Additional Info2: %14
Added Auditing For
• Registry value change audit events (old+new values)
• AD change audit events (old+new values)
• Improved operation-based audit
• Audit events for UAC
• Improved IPSec audit events including support for AuthIP
• RPC Call audit events
• Share Access audit events
• Share Management events
• Cryptographic function audit events
• NAP audit events (server only)
• IAS (RADIUS) audit events (server only)
Address Space Load Randomization (ASLR)
• Prior to Windows Vista
– Executables and DLLs load at fixed locations
– Buffer overflows commonly relied on known system function addresses to cause specific code to execute
• The Windows Vista loader bases modules at one of 256 random points in the address space
– OS images now include relocation information
– Relocation performed once per image and shared across processes
• User stack locations are also randomized
Data Transmission Security and Data Storage Security
Terminal Services Gateway
(Figure: users at home, in hotels, on roaming wireless and at business partner / client sites connect over the Internet, through the external firewall, to the Terminal Services Gateway server in the perimeter network; the gateway reaches the terminal servers and the e-mail server on the corporate LAN through the internal firewall. The gateway tunnels RDP over HTTPS.)
RMS, EFS, and BitLocker
• Three levels of protection:
– Rights Management Services
• Per-document enforcement of policy-based rights
– Encrypting File System
• Per file or folder encryption of data for confidentiality
– BitLocker™ Full Volume Encryption
• Per volume encryption (see earlier)
• Note: it is not necessary to use a TPM for RMS and EFS
– EFS can use smartcards and tokens in Vista
– RMS is based, at present, on a "lockbox.dll" technology, not a TPM
CNG: Cryptography Next Generation
• CAPI 1.0 has been deprecated
– May be dropped altogether in future Windows releases
• CNG: Open Cryptographic Interface for Windows
– Ability to plug in kernel or user mode implementations for:
• Proprietary cryptographic algorithms
• Replacements for standard cryptographic algorithms
• Key Storage Providers (KSP)
– Enables cryptography configuration at enterprise and machine levels
Offline Files Encrypted Per User
Encrypted Pagefile
Regulatory Compliance
• Windows Vista cryptography will comply with:
– Common Criteria (CC)
• csrc.nist.gov/cc
• Currently in version 3
– FIPS requirements for strong isolation and auditing
• FIPS-140-2 on selected platforms and 140-1 on all
– US NSA (National Security Agency) CSS (Central Security Service) Suite B
Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
• Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs
– Higher special-security needs (e.g. nuclear security) are guided by Suite A (definition classified)
– Announced by NSA at the RSA conference in Feb 2005
• Encryption: AES
– FIPS 197 (with key sizes of 128 and 256 bits)
• Digital Signature: Elliptic Curve Digital Signature Algorithm
– FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
• Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
– Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)
• Hashing: Secure Hash Algorithm
– FIPS 180-2 (using SHA-256 and SHA-384)
Trusted Platform Module
TPM Chip Version 1.2
• Hardware present in the computer, usually a chip on the motherboard
• Securely stores credentials, such as a private key of a machine certificate, and is crypto-enabled
– Effectively, the essence of a smartcard
• TPM can be used to request encryption and digital signing of code and files and for mutual authentication of devices
• See www.trustedcomputinggroup.org
Code Integrity
• All DLLs and other OS executables have been digitally signed
• Signatures verified when components load into memory
BitLocker™
• BitLocker strongly encrypts and signs the entire hard drive (full volume encryption)
– TPM chip provides key management
– Can use additional protection factors such as a USB dongle, PIN or password
• Any unauthorised off-line modification to your data or OS is discovered and no access is granted
– Prevents attacks which use utilities that access the hard drive while Windows is not running, and enforces the Windows boot process
• Protects data after laptop theft etc.
• Data recovery strategy must be planned carefully!
– Vista supports three modes: key escrow, recovery agent, backup
Conclusion
Defense-in-Depth
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments, IPSec, NIDS
Host: OS hardening, authentication, update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
• Increases an attacker's risk of detection
• Reduces an attacker's chance of success
Defense-in-Depth (cont.)
(Figure: the same layers grouped into network defenses (perimeter, internal network), client defenses (host, application, data) and server defenses (host, application, data), all under policies, procedures, and awareness and physical security)
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.