Introducing Windows Vista COPYRIGHTED MATERIALcatalogimages.wiley.com/images/db/pdf/9780470101551.excerpt.pdf · Improved C++ Security Even the software used to write Windows Vista

Introducing Windows Vista

P a r t

I

01551c01.qxd:WileyRed 5/30/07 4:27 PM Page 1

COPYRIG

HTED M

ATERIAL


3

It is not hyperbole to say that almost every line of Windows Vista code has anincreased focus on security. Each subsequent version of the Windows operat-ing system (OS) has been demonstrably more secure than the previous one.Windows Vista is no different. It contains hundreds of new security features,and what isn’t completely new is improved. Windows Vista includes newsecurity mechanisms, improved versions of older features, enhanced integra-tion, improved interfaces, and stronger default settings. Chapter 1 will coverthe most significant new and improved Vista security settings. It’s a long chap-ter, but worth the read.

Security Development Lifecycle

Not surprisingly, the increased security focus of Windows Vista began in theplanning stages. Windows Vista is the first Microsoft OS to be built from the ground up using the Security Development Lifecycle (SDL). SDL isdesigned to infuse security into software development, starting long beforethe first line of code is written.

Crucial to SDL is the identification of potential threats using a methodcalled threat modeling, where every possible threat that can be imagined isdocumented. The lack of a coherent threat model led to most of the securitydesign flaws of past Windows operating systems.

New Security Features

C H A P T E R

1


This time around, Microsoft employees and external security reviewersidentified over 1,400 unique threat modeling scenarios. A large majority of themodels focus on the dangers of automated malware (i.e., viruses, worms, Tro-jans, and bots), which previously were not given enough attention and haveplagued the earlier versions of Windows.

NOTE You can read more about SDL at http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx.

Most, if not all, Windows Vista developers have been trained in secure cod-ing and SDL. All code is examined through several cycles of manual and auto-mated review. Programmers review their own code and then submit it to peersfor further analysis. Coders from one team review the code of other teams, andthen hand it off to external code review teams.

Automated code review tools and fuzzers (http://en.wikipedia.org/wiki/Fuzz_testing) are used to spot previously missed code flaws. Microsoftis also expanding the use of meta-language, called Standard Annotation Lan-guage (SAL), which helps static analysis (i.e., code review) tools find morebugs with a bit more upfront annotation and documentation by the developer.See Michael Howard’s blog (http://blogs.msdn.com/micheal_howard/archive/2006/05/19/602077.aspx) for more details.

Microsoft’s Secure Windows Initiative Attack Team (SWIAT), their in-house red-team, along with external penetration testers, try to exploit whatcomes out of the multiple code reviews. Any found flaws are re-submittedback into the SDL process and re-tested. David LeBlanc, Senior MicrosoftSoftware Development Engineer, has stated that the SDL process has madethe number of bugs per thousands of lines of code (known as bugs/kloc)among the lowest in the industry (http://www.infoworld.com/article/05/09/16/38OPsecadvise_1.html).

Improved C++ Security

Even the software used to write Windows Vista has an increased focus on secu-rity. Most of Windows Vista is written in C++ and built with a version of thecompiler in the Microsoft Software Developer Kit (SDK). Visual C++, a compo-nent of Visual Studio 2005, contains many of these same security enhancements,increasing the number of security protections available to developers. All Win-dows code is compiled with the /GS switch by default, which prevents manystack-based buffer overflows from being successful. It inserts a sacrificial canaryvalue into the execution space (before the return address of the function entry, ifyou want the technical details) and in some other strategic places. Using the /GSflag to protect more than the return function is a new feature in the compiler

4 Part I ■ Introducing Windows Vista


used for Windows Vista and in Visual C++ 2005. Many types of buffer over-flows, by their very nature, cannot avoid overwriting the canary value, whichallows Windows to detect the error condition and halt the affected program.

Significantly more effort is focused on preventing attackers from using legit-imate code against itself. Programming functions particularly prone to prob-lems, such as strcpy, strncpy, and so on, have been deprecated and all code inWindows Vista was required to replace them with less vulnerable substitutes.You can find a complete list of banned functions and APIs, and their replace-ments at http://msdn2.microsoft.com/en-us/library/bb288454.aspx.

Malware will often purposefully trigger exceptions and flow the programexecution into a malicious exception handling routine. All Windows code hasbeen compiled with the Safe Exception Handling switch (/SafeSEH), whichhard codes approved exception addresses into the compiled Windows exe-cutable header.

Address Space Layout Randomization

One of the most talked about new programming features is Address Space Lay-out Randomization (or ASLR). In previous versions of Windows, common Win-dows APIs (located in Kernel32.dll, Gdi32.dll, Wsock32.dll, and so on) wereloaded into well-known or easily discoverable locations. In XP and previousversions of Windows, these APIs were always placed in the same memory loca-tion. Malicious code could locate a needed API directly in memory, bypassingOS security mechanisms. ASLR randomly places common Windows APIs in oneof 256 possible places during each boot up. With Vista, a malware program try-ing to directly access the Windows API must guess, on its first try, the correctmemory location. Statistically, the program will only correctly guess 1 in every256 tries. This single feature defeats thousands of old legacy attack programsand makes newer malware programs work less reliably.

Microsoft doesn’t stop there. Function memory address pointers areobscured, heap memory blocks are obscured and checksummed, various heapmemory metadata elements are XOR-encoded with a random number, andheap memory base addresses are randomized. If Windows Vista detects aproblem the application is terminated and recovery is started.

NOTE Many of Windows Vista’s new security features have been discoveredoutside of Microsoft. Various BSD and Linux distributions have had a featuresimilar to ASLR for several years. While some critics blast Microsoft forappropriating open source ideas, most security analysts applaud Microsoft for adopting, and in some cases improving upon, industry-tested solutions.

Chapter 1 ■ New Security Features 5


Data Execution Protection

Buffer overflows work by unexpectedly co-mingling data and executable codein a single memory area. The buffer overflow places executable code into a sec-tion of memory that is then executed by the processor.

Data Execution Protection (DEP), which was introduced in Windows XP ProSP2, and is improved in Windows Vista, can be used to prevent co-mingled datafrom being maliciously executed. DEP can be enabled in software, or on No eXe-cute (NX) processor chips, in hardware. These chips, available both from AMDand Intel, contain a hardware-based security feature that allows pages of mem-ory to be marked as non-executable. NX-capable processors (called XD by AMD)must be accompanied by an NX-capable BIOS and mother board, and furthersupported by an NX-capable OS (such as Windows Vista) and applications.

By default, Windows XP Pro and later (including Windows Server 2003 SP1)system files are protected by DEP, and by NX chips if present. Software devel-opers can also configure their applications to use DEP or NX. Administratorscan use the Advanced Settings option under the System control panel applet,and then Advanced and Performance options to customize which programs tobe protected (see Figure 1-1). However, many programs will refuse to run or willhave operational problems if DEP or NX is enabled, so ensure application com-patibility first before enabling for additional files beyond the Windows defaults.

NOTE NX-enabled software is also available in other operating systems, such asLinux and BSD. See http://en.wikipedia.org/wiki/NX_bit for more details.

Figure 1-1 DEP can be enabled for all processes that are not specifically exempted.



Protected Processes

In prior versions of Windows, parent processes have complete control overtheir child processes, and administratively started processes can control otherprocesses. A common malware ploy is to maliciously manipulate an existinglegitimate application or service into running a new malicious process. Oftenthe new malicious process will incorrectly appear to the operating system andother defense tools as a legitimate child process. Or a rogue invoked processcan modify another completely unrelated legitimate process into doing some-thing malicious.

Windows Vista introduces the concept of protected processes (unfortu-nately currently focused on DRM technologies and content), which run along-side non-protected processes. Only system and application files digitallysigned and belonging to the Windows Protected Media Path (WMPM) can create a protected process. When a process is protected, a non-protectedprocess or thread cannot:

■■ Access the virtual memory area of a protected process

■■ Debug an active protected process

■■ Inject a new thread into a protected process

■■ Impersonate a thread

■■ Set or receive context information

■■ Duplicate a handle from a protected process

There are other process protections, as you can read about at www.microsoft.com/whdc/system/Vista/process_Vista.mspx.

NOTE Protected processes can be recognized in the Task Manager by locatingprocesses (besides System and System Idle) with no values present in the DataExecution Prevention or Virtualization columns. Enable Show processes from allusers and add the Data Execution Prevention and Virtualization columns to the list of columns displayed on Task Manager’s Processes view. You can runVista’s Audiodg.exe program as an example. Protected processes appear in Task Manager.

Windows Vista User Experience

In what Microsoft calls the Windows Vista User Experience (UX), it is promot-ing easier-to-understand, friendlier messages throughout Windows Vista — inthe event logs, error messages, and dialog boxes. There is also added detail



in most instances, which will appeal to administrators. For example, many ofthe security User Interfaces (UI) showing a program filename will display thefull folder path location to the executable. For security administrators, thismakes it easier to track down and identify programs.

Although there are ways to defeat all of the new security programming mech-anisms, it makes the job considerably more difficult for malware writers. This, in fact, was all Microsoft intended. One thing that is refreshing is that the coresecurity team, at least, never lost sight of the reality that nothing is foolproof.

Host-Based Security

Most of the new security changes directly affect the Windows Vista com-puter — the host. This section starts with the boot and startup changes, andthen discusses the operational aspects.

Boot ChangesThere are major differences in the Windows Vista boot sequence, including theBoot Configuration Data store, new boot files, new system recovery tools, andBitLocker Drive Encryption technology.

Boot Configuration Data

In most of today’s PC-based systems, the BIOS is responsible for locating theprimary boot drive, which loads the system partition, which then loads the operating system.

A newer emerging boot process open standard called Extensible FirmwareInterface (EFI) will work on EFI-enabled computing devices. EFI is a more flex-ible framework for bridging the boot-up gap between hardware and software,storing EFI-related variables in non-volatile RAM. EFI will allow operating sys-tems to move more transparently beyond traditional desktop and laptop com-puter form factors (for example, to PDAs, cell phones, wearable computers, andso on). EFI-enabled operating systems require more hierarchal complexity thana simple text file can provide.

The Boot Configuration Data (BCD) store replaces the Boot.ini file used inprevious versions of Windows. If Windows Vista is the only OS installed on aboot volume, the boot.ini file will not be created or used. However, the boot.inifile is still supported for legacy dual-booting scenarios on computers with anAT/BIOS chip.

The BCD store and its associated editor, Bcdedit.exe, are intended to inter-face Windows Vista and later operating systems with EFI. Unfortunately, the



complete EFI standard emerged too late to be included in 32-bit versions ofWindows Vista. EFI support is available in 64-bit versions of Windows Vistaand Longhorn.

Windows Vista’s boot process now includes the following new files(among others):

■■ Bootmgr, a hidden file located in the root directory of the boot volume,controls boot flow and multi-boot options on a dual- or multi-boot situation

■■ The BCD store is a (non-hidden) hierarchical binary file stored in thehidden \boot folder. Microsoft describes it as a registry hive file, but it isnot supposed to be accessed using normal registry tools. On EFI-enabledcomputers, BCD will be stored under \EFI\Microsoft\Boot on the EFIsystem partition.

■■ Located in the hidden \boot folder is also a hidden 64K Bootstat.dat filecreated at install, and one or more hidden BCD log files named BCD.log,BCD.LOG1, BCD.LOG2, and so on, which can be used for diagnosticpurposes.

■■ Winload.exe (located in \Windows\System32) is the new OS loader,replacing NTLDR. It loads the kernel files, HAL, and boot device drivers into memory.

Firmware-independent BCD can work with PC AT/BIOS or EFI-enabledcomputers and is designed to handle multiple versions of Windows and evennon-Windows operating systems. If a legacy (i.e., prior to Windows Vista) ver-sion of Windows is installed on a separate partition on the same computer asWindows Vista, the legacy Windows program will still use its own NTLDRand boot.ini files.

The BCD store should be managed using the new command-line program,Bcdedit.exe located in \Windows\System32 or with the BCD WMI provider.Administrative privileges are required to view and modify BCD settings usingBcdedit.exe. You can type in Bcdedit.exe /enum to see current settings or Bcdedit.exe /export to export current settings. Type in Bcdedit.exe /? topicsto get a full list of commands and syntax.

NOTE To get an administrative command prompt, all you need to do is right-click on a shortcut to the command prompt and select “Run as administrator . . .”.See Chapter 4 for more details on User Account Control (UAC).

The System control panel applet still interfaces with the global boot settingsthat allow administrators to pick the boot order and boot manager timeoutsetting. Msconfig.exe interfaces with the BCD store as well. As was possible



with the Boot.ini and Bootcfg.exe files in previous versions, a troubleshootercan set special diagnostic parameters or EMS parameters, or enable kerneldebugging using Bcdedit.exe. Bootcfg.exe is included with Windows Vista,but cannot modify the BCD store. It can be used only to view and modifylegacy Boot.ini files on dual-boot systems. Bcdedit.exe can also be used tomodify earlier versions of Windows.

NOTE Winresume.exe is located in \Windows\System32 and helps WindowsVista resume from hibernation along with the hidden Hiberfil.sys file in the rootdirectory that would hold the saved memory contents.

You can read more about BCD and EFI at www.microsoft.com/whdc/system/platform/firmware/bcd.mspx.

System Recovery

Windows Vista includes major improvements to Microsoft system recoverytools, including the Windows Pre-Installation Environment (WinPE), Win-dows Recovery Environment (WinRE), and the Startup Recovery Tool (SRT).

WinPE essentially replaces the DOS boot diskettes and/or Recovery Con-sole needed in previous versions of Windows. It loads a mini-version of theWindows Vista OS, and can be used for deployment scenarios, troubleshoot-ing, and system recovery.

WinPE is loaded from the large \sources\boot.wim (Windows Imaging) filelocated on the original installation media during Windows Vista’s initialinstall, but can be loaded from any bootable media, including a USB FlashMemory drive. (See Appendix A for directions on how to build a USB MemoryStick with WinPE.) During installation of Windows Vista, WinPE boots to thefirst GUI the user sees. During this time a user can press Shift+F10 to exit the displayed GUI to a WinPE command prompt.

WinPE runs completely in memory (requires 256MB memory), and has thefollowing features:

■■ Provides full access to FAT and NTFS file systems (for file copying, datarecovery, and so on)

■■ Creates and formats disk partitions

■■ Driver injection, where critical drivers can be loaded before WinPEboots fully

■■ Detects and enables most hardware devices, and supports 32-bit and64-bit device drivers

■■ Enables TCP/IP networking support



■■ Runs a robust Win32 API, which supports most 32-bit applications,scripts, batch files, ActiveX, and HTML applications

■■ Text-based console, WinRE, with several built-in diagnostic tools andcommands (including Diskpart, Drvload, Net, and Netcfg)

WinPE was previously available to XP environments with Software Assur-ance agreements, but in Windows Vista everyone gets an improved versionknown as WinPE 2.0.

Startup Repair Tool

If Windows Vista fails to boot up and load properly, WinPE (often loaded onan OEM hard drive partition) will automatically load WinRE and the StartupRepair Tool (SRT). Microsoft did a lot of research on bootup system failuresand their causes. SRT analyzes the startup logs looking for the problem. TheSRT and its Setup Repair Wizard can fix upwards of 80 percent of all knownfailures (according to Microsoft).

If the failure cannot be automatically repaired, the SRT will attempt to rollback the system into a previously known good state. Only time will tell if thenew rollback is better than it was in previous versions. If the rollback does notrepair the problem, the SRT will provide detailed diagnostic information andoffers additional support options.

Administrators can use WinPE, WinRE, and the SRT to diagnose and repairdamage, malicious and otherwise. Because WinPE allows 32-bit applicationsto be run and recognizes NTFS partitions, it is possible to run fully functionalantivirus and malware removal tools. Access to NTFS partitions assumes theuser has appropriate administrative permissions, of course, and that the bootdrive is not encrypted.

BitLocker Drive Encryption and TPM

In previous versions of Windows, malicious attackers have been successful inbooting around the operating system protections provided by Microsoft. If theattacker can boot up on another operating system (for example, Linux, Knoppix,and so on) that can read NTFS partitions, the attacker can copy data and pass-word hashes from the exploited system.

To prevent physical “boot-around” attacks, the Enterprise and Ultimate ver-sions of Windows Vista have the ability to encrypt the entire OS boot volumeusing a new feature called BitLocker Drive Encryption. When enabled, the pri-mary boot volume remains encrypted until decryption keys are supplied. Thekey can be stored in a Trust Platform Module (TPM) chip located on themother board or on a USB key (and, for backup purposes, a recovery key canstored in Active Directory as well if the domain controllers have beenupgraded with the appropriate schema).



A TPM chip is a specialized cryptographic chip located on the motherboardor added on via an interface card, with a supporting TPM-enabled mother-board and Trusted Computing Group- (TCG-) compliant BIOS. Among manyother possible functions, a TPM chip can securely protect the BitLockerdecryption key. The TPM can be configured to automatically decrypt the Bit-Locker volume decryption key when Windows boots (and is in control of secu-rity), or to require a PIN to be entered by a local user, or read from a USB flashmemory drive, or a combination of all three. If a TPM chip is used, it will alsoverify that the hardware has not been tampered with. This is why it is crucialto turn off BitLocker before upgrading the BIOS on your computer. Otherwisethe TPM will detect that the hardware has been tampered with and will lockthe system and require a recovery key to boot it.

In order for BitLocker to work, the participating primary boot drive musthave two NTFS partitions. The first is for the unencrypted boot information,and the second holds the encrypted partition. There is a new Control Panelapplet to enable, configure, and disable BitLocker. BitLocker will be covered inmore detail in Chapter 3.

NOTE Windows Vista contains a new MMC console, Tpm.msc, foradministrating and initializing TPM, which must be enabled before turning on BitLocker, if you wish to use the TPM to store BitLocker keys.

Security DefaultsWindows Vista has considerably stronger default security settings than Win-dows XP Pro, particularly the early versions. Here are some of the defaultsettings:

■■ Administrator account is often disabled, but can be enabled.

■■ User Account Control is enabled.

■■ Internet Explorer is in Protected Mode (covered below) for all securityzones except the Trusted sites zone.

■■ Most inbound connections are blocked by Windows Firewall (most out-bound connections are allowed by default, but many programs and ser-vices are blocked from communicating out).

■■ Automatic Updates is enabled.

■■ Windows Security Center is activated.

■■ Windows Defender (and SpyNet) is enabled by default.

■■ A password-protected screensaver is enabled by default.



These settings make Windows Vista relatively secure out-of-the-box. TheWindows Security Center display will appear reporting on the current statusof most of the items in the preceding list and allow you to make adjustments,if needed.

Windows DefenderWindows Vista actively uses Microsoft Windows Defender (see Figure 1-2),which was previously released as an extended beta trial for XP SP2 users.Bought originally from Giant Software, Windows Defender is an excellent spy-ware prevention and removal program. It allows scheduled scans and real-timeprotection. When enabled, the real-time protection monitors the registry, auto-start locations, services, and Internet Explorer for spyware-like activity. In inde-pendent tests with other competitors, it always ranks near the top in accuracy.

Figure 1-2 Windows Defender is included in Windows Vista.

By default, users are joined to Microsoft’s SpyNet online community.SpyNet membership instructs Windows Defender to send each user’s per-sonal decision on what to do with newly identified potential spyware (i.e.,allow or remove) to the SpyNet database. Collected responses are used toidentify new spyware, which then updates the Windows Defender definitions.Windows Defender is covered in more detail in Chapter 7.

Malicious Software Removal ToolThe Microsoft Malicious Software Removal Tool is executed by default duringnew installs and when the system is updated with Microsoft Update. Originally



written for Windows XP SP2, the Malicious Software Removal Tool checks forand removes only the most popular malware at the time of its download. Itdoes not check for all malware as a more general anti-malware program might.

Microsoft created the tool in response to failed installations of its updatesdue to malware. Many of the failed installations could be traced to customershaving actively compromised and exploited computers. The installed mal-ware programs would prevent Microsoft’s new software from being installed,which the users then blamed on Microsoft.

Microsoft uses both Windows Defender and the Malicious SoftwareRemoval Tool to gauge how popular a particular malware program is. This, inturn, helps guide its response. Some very critical dangerous zero-day threatshave been measured as infecting only a handful out of 25 million users. Whenthe spread of a threat is small, as in the previous example, Microsoft waits torelease the defense patch until the normal monthly “Patch Tuesday” cycle. Ifthe malware is spreading quickly and is a critical threat, Microsoft will oftenrelease the offsetting patch “out-of-band” before the normal release date.

Improved Logon ArchitectureWindows Vista strengthens existing password authentication and hasimproved support for smart cards, fingerprint scanners, biometrics, and so on.

LAN Manager Disabled

First, LAN Manager (LM) password hashes are disabled by default. DisablingLM password hashes is the single best step to prevent Windows passwordcracking (i.e., hash to plain-text conversions) that Microsoft could have made.The option to disable LM hashes was available in past Windows versions, butwas disabled by default, so most administrators never did it.

Windows Vista also disables outbound LM and NTLM version 1 authenti-cation protocols, leaving only NTLM version 2 and Kerberos enabled bydefault (although all four authentication protocols are still accepted inboundfor backward compatibility with connecting clients without increasing mali-cious risk). This step helps prevent password cracking from network eaves-dropping programs (Cain, for example). Both decisions are long overdue andhave very solid security goals, but may cause problems in some environmentswith legacy Windows computers and applications.

Better Support for Additional Authentication Methods

Microsoft has also made it easier to integrate non-password authenticationmethods, and even multiple, simultaneous authentication methods, in the



logon process. Since Windows 2000 you can use smart cards for authentication,and more recently, you can replace the logon interface with one from third-party providers to log on with RSA SecurID tokens, for example. However, youcan use only one authentication method at a time. Windows Vista has a com-pletely new Winlogon architecture and a new Credential Providers API thatgives improved built-in support for smart cards, USB tokens, two-factorauthentication, and more, and allows for multiple credentials to be used at thesame time.

In past versions of Windows, end users interacted with the MicrosoftGraphical Interface for Network Authentication (GINA), implemented inMsgina.dll, to logon. Winlogon.exe handled the logon process, but theMicrosoft GINA displayed the logon dialog box where the user typed in theiruser account name and password (and any other necessary information suchas target domain name). When administrators wanted to add another formof authentication, it required (in most cases) that the Microsoft GINA bereplaced by another vendor’s GINA. For instance, if biometrics were imple-mented, the Microsoft GINA would be replaced by the biometrics vendor’sGINA, so it could prompt users for a copy of their fingerprints, instead of a password.

Unfortunately, when a vendor replaced the original GINA, the vendor’ssoftware was now in total control of the user’s logon security. Replacing theoriginal GINA often caused problems or prevented the use of other Windowsfeatures (for example, Terminal Services, Remote Desktop, and so on) andbroke many other applications. To make matters worse, many vendors poorlycoded their replacement GINAs so it weakened overall security. Microsoft,having not written the GINA, could not patch it, and getting vendor patchesoften proved complicated.

In Windows Vista, a new Credential Providers API replaces the legacyGINA and all user logons are accomplished through a new user logon inter-face (Logonui.exe). Vendors must write their authentication interfaces andprograms to interface with the new Credential Providers API (see Figure 1-3for an old versus new comparison). The Credential Providers API interfaceswith the logon user interface (called LogonUI), and the LogonUI can handlemultiple vendor implementations at once. Vendors use COM programming toask the LogonUI to gather the necessary data on their behalf. More on this inChapter 3.

Windows Vista ships with built-in password and smart card credentialproviders, but Microsoft is working heavily to influence other creden -tial providers into using the new API.



Figure 1-3 The new Windows logon process provides more granular hooks forenhancement.

Session Isolation

Another huge improvement has been made to logon session security. Multipleuser sessions can be started in Windows at one time. One session is alwaysstarted when Windows starts and the services are loaded. Another session isstarted when the first user logs on. Additional sessions can be started (for exam-ple, using RunAs, Remote Desktop, Terminal Services, Fast User Switching, andso on). The first session is numbered Session 0, and additional sessions are given

Legacy Logon Process

Vista Logon Process

Winlogon.exe MSGina.dll

Or Vendor GINA

Authentication Database (s)

Credential Provider 1 Microsoft Passwords

Credential Provider 2 Smart card vendor

Credential Provider 3 Biometric provider

Password Authentication

Database

Crypto Authentication

Database

Biometric Image Authentication

Database

Winlogon.exe

LogonUI

Winlogon.exe Winlogon.exeCredential Provider API/Interfaces



incremented numbers (for example, Session 1, Session 2, and so on). Unbe-knownst to most users, many applications (for example, antivirus software)actually run in additional sessions.

In previous versions of Windows, all the programs started by the first userran in Session 0, along with the already started services and other kernel modeprocesses. Additional sessions could be started, but could easily interact andcommunicate with the other sessions. This allowed applications and servicesin one session to talk to users and software in other sessions. For example, thebackground running antivirus scan (running in a different session) could senda message (for example, “Virus found!”) to the user computing in Session 0.

Unfortunately, there are two weaknesses to this method. First, having a reg-ular user whose interactive desktop is in the same session as system servicespresents an obvious security problem. Second, allowing additional sessions tocommunicate with and interact with the first session (i.e., Session 0) opens upother potential vulnerabilities. Attackers used a class of attacks called “shat-ter” vulnerabilities to exploit more privileged sessions using less privilegedsessions (i.e., privileged escalation).

In Windows Vista, Session 0 is reserved for Windows kernel code and systemservices. Users never interact with Session 0 directly, and other sessions cannotcommunicate directly to Session 0. This prevents many different types of attacks,including the whole class of shatter attacks. Unfortunately, this also means thatany application that installs itself as a service will no longer be able to directlyinteract with Windows system services (for example, graphics driver, and so on)or with the end user (which is often the done by many poorly written services).Service applications will have to be re-written to work correctly or interface withthe end user for Windows Vista.

A new service called the Interactive Service Detection Service is available tohelp bridge legacy service applications until they can be re-written. When thenew service detects a legacy application trying to send a message to the inter-active user, the message will be intercepted, and the user prompted to acceptthe incoming communication from the application. Although getting theapproval of a user before being able to accept a dialog box from an applicationmay appear draconian, session isolation is a much needed improvement forWindows security. Without it, Windows would continue to be very vulnerableto local privilege escalation attacks.

Service HardeningMicrosoft has done more than separate the services from the user and applica-tion sessions. It has also made every default installed Windows service followa least privileged security model. Each service was reviewed, and unnecessarypermissions were removed. On the book’s Web site you will find a completelist of services in Windows Vista, along with their associated security settings.



Windows XP introduced the lower privileged service accounts of Local Ser-vice and Network Service, which replaced Local System when possible. Win-dows Vista continues this trend, and percentage-wise, more services usenon-Local System security contexts than any of the previous Windows operat-ing systems. Windows Vista introduces even more service security.

Every service is assigned a SID, which is something the previous operatingsystems did not do. This allows the service to be tracked uniquely, and makes iteasier to assign permissions. The Service Control Manager (SCM) reviews theprivileges a service needs during start up and removes unnecessary privileges.

Once started, the service cannot be given new or additional privileges. TheSCM adds many services to the Restricted SID to further restrict what a servicecan do. By default, a service can only write to an object that specifically allowsservices to write to it. For example, the Remote Procedure Call service cannotreplace system files, modify the registry, or modify other system services orapplications (for example, antivirus scanning protection). This change alonewould have prevented the Blaster worm outbreak a few years ago. (SIDs arediscussed more in Chapter 5.)

Services are now allowed to have failure actions even when the servicedoesn’t become fully inoperable. In past operating systems, failure actionscould be defined only when the service stopped responding and crashed com-pletely. Now, high CPU utilization loads, memory leaks, and so on can triggerrecovery actions.

On a slightly related note, services can now avail themselves of a new Auto-matic startup type called delayed start. Delayed start services don’t immedi-ately start when the system boots, but instead wait a short period of time, andeven then start with low priority.

Services are also assigned a default network firewall policy and connectionscope. It makes it harder for a local service to initiate outbound connectionsattacking other non-local networks. Many of the previously successful bufferoverflow attacks worked by overrunning a service and then using the infectedhost to attack remote networks. This change would have significantly lessenedthe impact of the Blaster and SQL.Slammer worms. Microsoft is working withvendors to help them follow the new service hardening methodologies. Servicesthat don’t may not work in Windows Vista. This is discussed more in Chapter 11.

Enhanced Device Driver ExperienceAll Microsoft device drivers are extensively tested for security, reliability, anddigitally signed by default. All critical system drivers must be signed to beloaded into the kernel smoothly. On 32-bit systems, unsigned drivers will senda warning to administrators, but can still be loaded. On 64-bit systems,unsigned drivers cannot be loaded — period. Windows Vista even ships witha list of device drivers known to cause problems and not allow them to load.



The Windows Vista Device Driver Experience allows administrators to signtheir own drivers and have the ability to restrict what devices and device driverscan be installed in their own environments. Administrators can even place a device driver on a network share and point managed computers to automati-cally install it.

User-Mode Driver Framework

According to Microsoft and Mark Russinovich, 99 percent of “blue screens”are caused by incorrectly written third-party device drivers. Windows Vista’snew User-Mode Driver Framework (UMDF) is a new device driver methodol-ogy that attempts to prevent operating system crashes. With UMDF, a UMDFservice running in the Local Service (not Local System) security context hostsall UMDF device drivers. UMDF drivers cannot directly access kernel modecode, memory, or hardware. Developers using the new UMDF host driver canbe assured that their software additions will not compromise Vista’s kernelcausing critical operational errors.

Portable Media Device Control

Whether users can use portable media devices, such as USB flash memory drives,CD-ROMs, DVDs, and so on, can now be controlled. Administrators can decidewhether to allow read-only or read and write access to the portable media, on aper machine or per user basis. Of course, settings can be controlled using grouppolicy. This enables administrators to make theft of confidential data more incon-venient and makes injecting malicious code accidentally harder. The DeviceManager applet contains a new Auto-play applet, which allows administrators tochoose which media devices will allow auto-play or not.

ReadyBoost Memory

Windows Vista’s ReadyBoost technology will also allow USB flash memorydrives (256MB–4GB) and other memory cards (for example, SD memory, Com-pact Flash, and so on) to be used for additional page file virtual memory toincrease Windows performance when more memory is needed. It’s restrictedto one device per computer, and the USB device must support USB 2.0 and fastmemory transfers. All paging file data stored on the USB device is first storedon the local hard drive, and then cached to the USB device. All data stored onthe USB flash memory device is automatically encrypted using 128-bit AES.When the device is unplugged, Windows Vista immediately drops back tousing the local drive cache.



User Account ControlUser Account Control (UAC) is certainly the most talked about security improve-ment to Windows Vista, and has the most end-user experience impact. CalledUser Account Protection during early development, UAC was created to mini-mize the risk of a user being logged in as an administrator when not conductingadministrative business (e.g. browsing the Web, picking up e-mail, etc.). If regu-lar end users and administrators were not logged in as members of the Adminis-trators group all the time, the majority of all popular malware and hacker attackswould not work. Not running as an Administrator constantly is one of the mostsignificant security improvement steps any Windows user can take.

However, if an end user isn’t an administrator, it means she cannot installnew applications, or easily manage her own environment. Previous versionsof Windows could be very unfriendly for users without admin privileges. Forexample, non-admin users could not:

■■ Change their system time or time zone

■■ Change power management settings

■■ Change the default programs

■■ Install Internet Explorer add-ons or change security settings

■■ Create a share

■■ Add a printer

■■ Add a new device

With the exception of modifying personal profile and desktop settings, anon-admin user can’t modify Windows much at all. And that is the intent. Anon-admin user shouldn’t be able to do anything that would affect the securityof Windows. Unfortunately, most organizations would find their end usersrioting if the end users could not install their own programs, drivers, andchange system configuration settings.

The net effect of the way that previous versions of Windows handled adminversus non-admin users was that most companies made all their end usersmembers of the local Administrators group. Microsoft didn’t make mattersbetter by making all newly created user accounts automatically members ofthe Administrators group by default on non-domain computers.

Windows Vista and UAC to the rescue! UAC ensures that even if a user islogged on with an admin-level account all the time, that they don’t have admin-istrator-level privileges enabled all the time. UAC works by assigning all adminusers two security access tokens- one non-admin used most of the time and oneadmin only used when needed. UAC only enables Administrator privileges



when needed and only on additional approval by the user. For more details onUAC, see Chapter 4.

Secure DesktopMicrosoft has gone to great effort to secure the desktop environment againstmalicious code and malware. Prior versions of Windows also had what iscalled the Secure Desktop. The Secure Desktop is where logon dialog boxes,password change dialog boxes, and so on show up. In Windows Vista, that isalso where UAC dialog boxes show up by default. This prevents them frombeing dismissed by malware on the user’s desktop.

When UAC dims the rest of the screen while you answer a UAC or applica-tion message you are actually seeing the Secure Desktop (see Figure 1-4). TheOS actually takes a screenshot of your desktop, puts a gray mask over it, anddisplays that as the background behind the UAC dialog box. So, even if theuser was able to move their mouse cursor or keyboard focus off the correctforeground object, there would be nothing to click on or to respond to. Thebackground is an image with no real controls or objects. It’s a brilliant idea thatprevents many attack types. This will be discussed in Chapter 4.

Figure 1-4 The UAC elevation dialog box is on the secure desktop.



Mandatory Integrity ControlAll security principals (user, computer, service, and so on), or processes act-ing on behalf of a security principal, and resources are now assigned anintegrity SID in their access token. This is another huge improvement to Win-dows security, and is the keystone technology that allows Microsoft to imple-ment UAC, Internet Explorer–Protected Mode, and many other significantadvances. Understanding this new feature is critical for Windows adminis-trators and security managers.

In all NT-class versions of Windows (i.e., NT, XP, Server 2003, Windows Vista,and so on), after a security principal logs on and is successfully authenticated, itis assigned an access token. The access token holds (among many items) thesecurity principal’s individual security identifier (SID), the SIDs of the groupsthey belong to, and assigned user rights. When a security principal or a processon behalf of a security principal attempts to access an object, the security princi-pal’s access token is handed over for inspection by the Windows security man-ager process (Lsass.exe). The access token essentially says, “This is who I am andthe groups I belong to, and the rights I have.” The Windows security managercompares to the access token to the object’s access control list (ACL) to deter-mine effective permissions. It’s the way NTFS permissions work in Windowsand it is covered in detail in Chapter 5.

Windows Vista adds a new integrity SID to the access token. Its value canindicate low, medium, high, or system integrity. All Windows objects (forexample, files, printers, registry keys, and so on) are also assigned defaultintegrity values. System objects are given the highest integrity rating of sys-tem. Most users and applications are given medium integrity by default. Allnormal Windows files and the desktop have medium integrity, but InternetExplorer running in Protected Mode, and all of its add-ons, toolbars, etc., runwith low integrity.

When a security principal (or process) attempts to access an object, thesecurity principal’s and object’s integrity SIDs are checked first. If the securityprincipal’s integrity rating is equal to or greater than the object’s integrityvalue, then it is still possible for the security principal to write, modify, ordelete the object, if the subsequent NTFS security permissions also allow it. Ifthe security principal’s integrity level is lower, the security principal will notbe able to write, modify, or delete the object they are attempting to accessregardless of their NTFS permissions. Integrity SIDs have precedence overNTFS permissions. This is an incredibly important feature.

The idea is that even if a malicious program is able to “break out” into a sys-tem, if it originates from a low or medium integrity process, it will have a hardtime modifying the system files of Windows, as they are protected not only byan access control list, but also by the system integrity label. For example, Inter-net Explorer in Protected mode runs with low integrity. If malware exploits



Internet Explorer and then attempts to leverage that exploit into further com-promising the system, the new integrity controls will make it much more dif-ficult to accomplish.

This is yet again another security mechanism that will help prevent malwareand hackers from modifying local system resources, especially if those attacksoriginate using Internet Explorer or on the user’s desktop.

Improved File, Folder, and Registry ProtectionMicrosoft has invested significantly in preventing unauthorized access to files,folders, and registry keys located on Windows Vista. Many folders and files havemoved or no longer exist. For instance, the \Documents and Settings folderwhere profiles and user documents are stored has become \Users. The All Usersprofile, which is applied for all logon users, has been moved out of the normalprofile file (now \Users) and moved to %userprofiles%\public in the root direc-tory, to simplify security on the individual user profiles.

Several potentially dangerous \Windows\System32 files, which all userscould execute, have been removed, such as: tftp.exe, tlntsvr.exe, clpsrv.exe,ntbackup.exe, tsshutdn.exe, auditusr.exe, ddeshare.exe, rcp.exe, rexec.exe,rsh.exe, rsm.exe, and telnet.exe. Although why regular end users still haveaccess to debug.exe, edlin.exe, and tskill.exe, still makes you wonder. There areplenty of new files in \Windows\System32, such as Atbroker.exe, Bcdedit.exe,and Bridgeunattend.exe available for users and hackers to explore.

NTFS Changes

Microsoft made several changes to NTFS (Windows NT file system), althoughmost are continuations or improvements from previous Windows versions.NTFS is now more reliable. File or registry keys written to by Transactional NTFS(TxF)-aware applications can be rolled back if the write operation is incompletefor any reason. Making sure a transaction is complete before it is committed per-manently is known as atomicity. Databases and Active Directory have had thisfor a long time; it’s just new to NTFS files and registry keys.

NTFS now allows end users to create symbolic links. A symbolic link is ashortcut placeholder that, if chosen, will take the end user or program toanother location or resource. NTFS has supported junction points (similar to symbolic links) for directories, but only if they were made programmatically,and even then only barely supported. However, junction points could onlyrefer to local resources, whereas symbolic links can even point to remoteresources. Windows Vista allows end users to make, manage, or delete sym-bolic links on files or folders using the new Mlink.exe utility. And symboliclinks will show up in DOS directory listings (dir /ah) with a <JUNCTION>descriptor attached. In Windows Explorer, symbolic links show up with a mod-ified folder icon (arrow jutting out from the left side).



Windows Vista now supports Previous Version file and folder restores onlocal files as well as network-based files. By default, the Volume Shadow Copyservice is running and protecting files and folders on the system volume. TheSystem Restore feature of Windows Vista regularly makes Restore Points beforeimportant events (for example, big installs, bootups, prior to patch updates,and so on), periodically if no big events happen, and can be made manually atany time (using the System Protection tab under the System applet).

Prior versions of System Restore Points made a backup of only Windowssystem files, but now it captures file and folder changes made under the\Users folder as well. If an end user accidentally makes a file or folder modifi-cation they did not intend, they can right-click the file or folder (or parentfolder if they deleted the file or folder) and restore a previous version.

Creator Owners Can Be Prevented from Having Full Control

Object creators can now be prevented from automatically having Full Controlover an object that they created. Windows Vista has a feature called OwnerAccess Restriction (OAR), which allows Administrators to define the defaultpermissions given to a Creator Owner for a given resource or location. To dothis, Microsoft had to add a Creator Owner access control entry (ACE) as anavailable security permission that can be modified and controlled. This newfeature will also be covered in Chapter 5.

Per Socket Permissions

Access control list permissions on a resource can be controlled on a per socket(http://en.wikipedia.org/wiki/Internet_socket) basis. Discretionary ACLs(security permissions) were available on a per socket basis starting with Win-dows Server 2003 SP1. Windows Vista allows System ACLS (SACLs) to be set ona per socket basis as well. Although non-programmers won’t understand thesecurity significance, it essentially allows programmers to prevent unauthorizedapplications and security principals from binding to an unauthorized socket.The overall effect can prevent some forms of malware from easily working. Formore information on controlling access to sockets, see Chapter 11.

New Built-in Users and Groups

Several new built-in groups have been added to Windows Vista, including:

■■ Cryptographic Operators

■■ IIS_IUSRS

■■ Event Log Readers



Other groups, like IIS_WPG and Power Users, have been deprecated. Thesegroup changes will be covered in more detail in Chapter 3.

File and Registry Virtualization

Many programs (and malware) require administrative access to \Windows\System32, HKLM\Software, and other Windows critical areas to install andrun. However, if given that type of access, they can literally modify Windowsitself. Malware often does exactly that. The user is tricked into running a mali-cious program — perhaps by making him believe he is installing some harm-less program — but instead, or in addition to that, the malware maliciouslymodifies Windows to install keylogging Trojans, backdoors, spyware, andidentity theft mechanisms.

Windows Vista uses virtualization technology to permit legacy programs torun even though they do not have permissions to modify critical folder and reg-istry areas. If a low or medium integrity program (by default most legacy pro-grams are given medium integrity and Internet Explorer in Protected Mode islow) attempts to write to the most popular Windows critical areas, WindowsVista will redirect the writes (and reads) to a virtualized, per-user, copy of thefile system and registry. So, although it appears to the low or medium integrityprogram as if they are accessing the normal folder and registry areas, theyreally are being redirected to a low integrity resource where it can do less over-all harm. Virtualization can be enabled or disabled via group policy. By default,the following locations will be redirected to virtualized areas:

■■ \Program Files

■■ \Windows

■■ \Windows\System32

■■ \Documents and Settings

■■ HKLM\Software

Overall, Windows Vista’s integrity controls and virtualization technologywill further complicate malware exploitation. See Chapter 4 for a lot moredetail on these features.

Windows Resource Protection

Since Windows ME and Windows 2000, the majority of Windows systemfiles have been protected from deletion and unauthorized modification. InME, the protection was called System File Protection. In Windows 2000 andlater, it is known as Windows File Protection (WFP). For example, if a user



deleted the Wscript.exe file in the \Windows\System32 folder, it would“magically” re-appear a few seconds later. If a virus modified Kernel32.dll,the modified version would be replaced with an original, unmodified copy.

Although WFP was not created with the intent to defeat computer viruses,that’s essentially what happened. If a computer virus modified any protectedWindows file, Windows removed the infection by replacing the modified filewith a clean copy. WFP wasn’t perfect to be sure, but it did have its value, anddid lead to the decrease in number of computer viruses. Computer wormsand Trojans became more popular with malware writers because they don’trely on modifying legitimate host files to spread.

In Windows Vista, WFP is now called Windows Resource Protection (WRP).Like WFP, it prevents the replacement of essential system files, folders, andregistry keys that are installed as part of Windows Vista. But it does a betterjob. WFP wasn’t prevention. It allowed the protected file to be modified orerased, but quickly responded to replace the modified or deleted file. WRPprevents the modification or deletion in the first place. Even the Administratoror elevated user cannot delete or modify system files. Only the Trusted -Installer Service can do so, subject to integrity controls and NTFS permissions.(Trusted Installer is discussed further in Chapter 5.)

Encryption EnhancementsWindows Vista improves upon Microsoft’s previous encryption support. First, Windows Vista includes a Suite B–compliant crypto implementation(www.nsa.gov/ia/industry/crypto_suite_b.cfm?MenuID=10.2.7). That meansthat the latest encryption algorithms are available, including kernel support forAsymmetric Encryption Standard (AES) and Elliptical Curve Cryptography(ECC). With kernel support for the newest algorithms, these algorithms can beused for things that in the past were impossible, such as IPsec. Consequently, thedefault IPsec configuration is to use AES-128 for encryption and SHA-1 forintegrity. Diffie-Hellman Group 2 is used for key-exchange to maintain backwardcompatibility but organizations with a pure Windows Vista/Windows Code-name Longhorn Server deployment may elect to use several algorithms, includ-ing Elliptic Curve Diffie-Hellman, P-384 if processing overhead is no objectiveand security is paramount.

Microsoft has submitted not only its cryptographic providers, but also thecode integrity module, BitLocker, the boot loader, and the OS loader valida-tion against the Federal Information Processing Standard (FIPS) 140-2. Vali-dation may take a year or more, however.

Protocols that had security issues in Windows XP are enhanced in WindowsVista, including Remote Desktop Protocol (RDP), which is used in Remote Desk-top, Remote Assistance, and Terminal Services. In Windows XP and Windows



2000, RDP was not authenticated, meaning that it is possible to conduct man-in-the-middle (MitM) attacks against it and its encryption. While Windows Vistasupports the legacy versions of RDP, the newer default version requires success-ful authentication first, before the encryption channels are negotiated.

EFS Enhancements

Encryption File System (EFS) was introduced in Windows 2000 and furtherimproved in Windows XP Pro and Windows Server 2003. Available in theBusiness, Enterprise, and Ultimate editions of Windows Vista, newer EFS hasadditional improvements, including:

■■ Smart card integration (EFS keys can be stored on smart cards).

■■ Offline files are encrypted by user certificates, and not machine certifi-cates as before. This means that if a system is stolen, offline files areactually encrypted with a token that is not present on the system,unlike in Windows XP. This is a significant security improvement inoffline files; although the encryption is still only as secure as the userpassword it is based upon.

■■ Several new group policy settings.

■■ EFS uses client-side encryption/decryption (so that encrypted datafrom remote locations is protected when sent across network).

EFS still has plenty of legitimate competition when it comes to protectingconfidential data, but for many environments it can provide a sufficientamount of protection without additional software or costs.

RMS-Integrated Client

Windows Rights Management Service (RMS) is a phenomenal product. Usingasymmetric authentication and encryption, it allows access to documents andcontent to be controlled even after the document or content has been distrib-uted. For example, if an employee leaves a company, their access to even exist-ing documents on their hard drive can be removed with a click of theadministrative mouse. RMS was released with Windows Server 2003, and XPPro clients could download an RMS client. Now, an improved version isincluded by default. Longhorn Server will integrate RMS with Active Direc-tory Federation Services to support cross-company protected collaboration.

Windows Vista will also include improved digital certificate handling and enrollment, and improved backing up and restoring credentials on local computer.



Unix on Windows

Windows Vista Enterprise and Ultimate contain an entire Unix-based environ-ment capable of seamlessly running many Unix and Linux applications. Thedownloadable utilities even include the ubiquitous gcc compiler. Open sourcecritics have wanted to pan Microsoft’s Subsystem for Unix-Based Applications(SUA) from the beginning, but continuous testing has made believers. Thismeans security administrators can run some of their beloved Unix securityutilities on Windows Vista, and it also means another (foreign) area to monitorand secure if used by end user applications.

Improved Patch ManagementUp-to-date patch management is necessary to secure any OS. Microsoft hasincluded several patch management enhancements to Windows Vista.

Hot Patching and Restart ManagerAgain, Microsoft promises fewer reboots. When Windows Vista patches aredownloaded, the new Restart Manager examines the patches and determineswhat software and processes are affected by the update. As long as the patchdoes not update critical kernel code (for example, Kernel32.dll, Gdi32.dll, andso on), Restart Manager preserves the state of any opened data, stop theprocess, applies the patch, restarts the process, and restores the open data backto its previous state.

For example, suppose you are working in Microsoft Office when a MicrosoftWord patch gets downloaded. Restart Manager asks the user for permission toproceed, saves the state of any current open Microsoft Word documents, closesthe document, unloads Microsoft Word, applies the patches, re-starts MicrosoftWord, and re-opens the documents into their previous opened state. Imagine, apatch upgrade to Microsoft Office taking only a few seconds, instead of havingto close down, reboot the system, and re-open everything else.

NOTE Released in Windows Vista, Windows Installer 4.0 supports the RestartManager and UAC. No backwards compatibility is planned for previous versionsof Windows Installer.

Improved Event LogsIt’s hard to get excited about Windows event logs, but there are significant, realimprovements to impress anyone who has had to sift through Windows eventlog messages. Event log improvements include:

■■ Significantly more event logs all collected in one place



■■ Improved messages with more detail

■■ Custom views

■■ XML formatting

■■ Running a task in response to a given event (called event triggers)

■■ More granular event logging

■■ Event forwarding (collecting events from one or more computers on asingle collector computer)

Subscription and Forwarded EventsMicrosoft has tried hard to collect more logs into one location. In the past,although the three (or five if you were on a domain controller) generic Win-dows logs were available in one location, nearly every other application andprocess had its own logs that were located in a different location.

In Windows Vista, there are dozens of logs by default, each attached to aprocess, application, or mechanism. For example, there are logs for InternetExplorer, User Account Control, Offline Files, Backup, Setup-relatedprocesses, and Group Policy. And vendors can add their logs to the central-ized Event Log application.

NOTE Sadly, the Windows firewall log does not appear in the Event Viewer orany of its log files.

Each event log message contains more detail and more understandable text(in most cases). Administrators can create customized views (see Figure 1-5)that pull out only particular events that meet a certain criteria. Events can becollected from multiple sources, both local and remote, and seen as one cus-tom view. Custom view configuration files can be exported, sent, andimported to other computers. In addition, the log and the configuration filedata are available in XML format for easy integration with databases andevent log management systems.

It is important to note that many events have been renumbered in WindowsVista. The rationale is that the events contain more data and a different schemafor that data. Most event log management systems are driven by event IDs andchanging the schema for existing event IDs would most likely break thoseevent log management systems. Therefore events that have received a modi-fied schema also have a new number.

Any single event log message can be right-clicked and then tied to particu-lar response if it occurs again. By default, an event message can trigger therunning of a particular program, sending an e-mail, or displaying a message.



Figure 1-5 The new Event Log interface is a vast improvement.

Last, events can be forwarded to other computers or pulled (i.e., subscribed)from other computers. Forwarding and event log subscriptions require thatthe Windows Remote Management (WinRM) and Windows Event Collector(Wecsvc) services be running.

All-in-all, the Event Viewer application is significantly improved fromnearly all angles. Unfortunately, all the improvements will not replace the factthat there are still unrecognizable error messages with little practical detail tohelp diagnose the real problem. Making sense of it all is not the event log’s job,but unfortunately, nobody else seems to have picked up that dropped, and for-gotten, gauntlet either.

NOTE The Auditpol.exe command will show current audit policy, and replacesthe Per-User auditing tool, Auditusr.exe, introduced in Windows XP SP2 andWindows Server 2003 SP1. Auditpol.exe can also be used to configure moregranular event logging, such as if you only want to log logon events, but notlogoff events. Run auditpol /list /subcategory:* for more details.

Task ManagerEven the security of Task Manager has been improved. Every process and itslaunching executable can be traced back to the original directory path. This



was a feature sorely missing for years. Trojans will now have a more difficulttime tricking administrators by hiding as Svchost.exe in C:\Windows\Fonts.You can also click any process and create a dump file, if you are of the hex-viewing persuasion.

Increased Emphasis on BackupA comprehensive security plan always starts and ends with an automated,reliable backup. Microsoft has improved its default backup application. Nownamed Windows Backup, it can back up the system and/or data to normalbackup media (i.e., tape) or to optical disk, USB flash drive, or even to a net-work share. A complete system image backup can be created using the newCompletePC backup feature. It can be used to quickly restore a completelydead or lost hard drive or computer. A CompletePC restore can be initiatedby entering the Windows Recovery Environment (discussed previously) and choosing Windows CompletePC Backup option. And, of course, SystemRestores and Previous Version restores can also recover user data (if section of the disk where the data is stored is not corrupted) in certain circumstances.

Securing E-mail and the Internet

Outlook Express, Internet Explorer, and Internet Information Server have beenimproved as well.

Windows MailWindows Mail is the new name of Outlook Express. It has been re-written toinclude intelligent anti-spam and anti-phishing filters. Per the Microsoftdevelopment team, the filtering technologies are more sophisticated than thestandard Bayesian filters used by most e-mail vendors.

One of the biggest changes from Outlook Express is that each e-mail isstored as a separate .eml file under the \mail folder. Contrast this to the sin-gle monolithic file used in the past. Having separate e-mail files meansimproved performance and improved integration with Windows Explorer.e-mails will be heavily indexed and available in other Explorer content views.Users can also directly access .eml files to reply to a particular e-mail or recip-ient. Of course, Windows Mail continues Outlook Express’s blocking ofActive Content in e-mail and opens all e-mail in the Internet ExplorerRestricted sites zone. Chapter 10 covers e-mail security.



Internet ExplorerMicrosoft has done a fairly good job regarding computer security on nearlyevery current product with the possible exception of Internet Explorer (IE).With IE running on 95 percent of users’ desktops and functionally embeddedwith every current version of Windows, it gets more attacks than any otherMicrosoft application. Over the last three years it has announced dozens of vul-nerabilities (http://secunia.com/product/11). Although competing productsare not doing any better. Mozilla Firefox was announced as the browser prod-uct that was supposed to be better at security as IE, but in the two years sinceits release, it has nearly as many vulnerabilities as IE (http://secunia.com/product/4227), with a significantly lower market share. Unfortunately, IE isstill a prime target and its success or failure is often the only impression mostusers have of Microsoft computer security.

Microsoft understands this and has invested years of time and dozens of teammembers in making IE 7.0 as strong a security product as it can. Chapter 8 covers IE 7.0 in detail. Here are some highlights.

First, by default on Windows Vista, it runs in Protected Mode (IE-PM). WithIE-PM, IE runs as a low integrity process, and even if the logged on user is anadministrator, IE-PM, its add-ons, toolbars, or child processes cannot accesshigher level integrity resources. Because most applications and resources aremedium level integrity it effectively means that IE-PM doesn’t have a lot ofdefault access. Even content downloaded from the Internet or Restricted siteszones to the \Temporary Internet Files (TIF) folder is no longer a huge threat.TIF is another virtualized folder marked with low integrity (low integrity filesare actually stored in a sub-folder called TIF\Low). IE’s History, Cookie, andFavorites files are also marked with low integrity if they were created duringa low-integrity browser session. As far as the registry is concerned, IE canaccess only the low integrity HKCU\Software\Low registry key.

Another huge feature of IE is its new phishing filter. IE has new intelligenceto scan incoming web content looking heuristically for signs that might indi-cate a malicious phishing Web site. By default, IE will also check withMicrosoft on every incoming Web site URL to see if it has been previouslyreported as a malicious Web site. Users can report any Web site to Microsoft aspotentially malicious, and Microsoft will verify the site’s intent before addingit to its database as malicious.

Other improved IE features are:

■■ Parental controls

■■ Privacy improvements

■■ Pop-up blocking

■■ Improved add-on controls

■■ Cross domain scripting (XSS) scripting protections



■■ URL handling protections

■■ Improved digital certificate handling

■■ Improved ActiveX control handling

■■ Over a dozen new security options

■■ Security status bar (easier and quick identification of Internet problems)

■■ One-click Fix My Settings feature

■■ Single-click Browser Content Cache Deletion

Another much need security improvement is the default prevention ofActiveX controls from being called though IE when they were never intendedto be used in IE. Windows, and other installed applications, contain dozens ofActiveX controls. Prior to Windows Vista, if the installed ActiveX control wasmarked “safe for scripting,” any IE content could launch the control and use itagainst the system. The new model is an opt-in policy, where all controls aredisabled from being able to be launched in IE, except the ones the administra-tors or end users add as approved.

Windows CardSpace is Microsoft’s new way for managing and providingcredentials and other information (for example, credit card numbers, personalidentity information) to participating Web sites and network resources. Userscreate individual “cards” (see Figure 1-6), which can then be securely trans-mitted to requesting sites. When creating and transmitting cards, CardSpaceopens on the secure desktop, in order to prevent malicious interactions on theuser’s desktop. There is a great wiki discussion on CardSpace located athttp://en.wikipedia.org/wiki/Windows_CardSpace.

Figure 1-6 Windows CardSpace can represent credentials for many sites as “cards.”



Many reviewers have called CardSpace a replacement for Microsoft Pass-port services. This is too simple an explanation. CardSpace is an entirely newway of delivering logon credentials and other confidential informationbetween two hosts. Passport is being depreciated and active Passport accountswill be moved into a new Microsoft offering called Windows Live ID.

NOTE CardSpace fully supports the new OpenID open standard.

Internet Explorer (IE) 7.0 is a huge improvement over its earlier predeces-sors. Whether IE can stand up to the volume of attacks that accompaniesbeing the world’s most exposed Internet application we will not know untilsome time passes.

IIS 7Internet Information Services (IIS) 7 hopes to continue on the very positivesecurity tradition of IIS 6. IIS 7 is an optional component in Windows Vista, butby default is not installed or enabled. The single biggest security change in IIS7 is the compartmentalization of its code. In previous versions, most featureswere contained in large monolithic code bases. For instance, regardless ofwhich authentication method you wanted to use for your Web site (for exam-ple, Anonymous, Basic, Windows Integrated, Digest Authentication, and soon), the code for all four methods was contained in one file and was loadedinto memory together.

IIS 7 changes this by separating the code into individual modules. If youonly want to load Digest Authentication, only that code will be loaded intomemory. The same thing applies for dozens of other components. The lesscode that is loaded into memory the fewer potential exploits. This is an ideaavailable in the open source competitor, Apache (www.apache.org), for years,but only now being added to IIS.

Configuration and management of IIS has been completely revamped. Thedreaded metabase file has been traded in for an .XML formatted file with asimpler interface. Values can easily be directly viewed and edited, and theXML configuration files can be readily copied and replicated. IIS 7 is the focusof Chapter 9.

Securing Windows Networks

Microsoft completely re-wrote the TCP/IP stack from scratch and is increas-ingly focusing on the idea of domain isolation and more secure networkingcomponents. Windows Firewall has been more tightly integrated with IPsecand given outbound blocking ability. Microsoft also introduces many new fea-tures that are sure to come under scrutiny by attackers.



Enhanced Network Location AwarenessWindows Vista’s networking often focuses on three predefined networkdomain profiles:

■■ Domain

■■ Public

■■ Private

The Domain profile refers to the network configuration settings while thecomputer can reach an Active Directory domain controller.

All other network connections are automatically classified as Public untilthe user (if the user is an administrator) elects to change that classification.Public includes all networks that the computer might be connected to whiletraveling (such as airport, hotel, café WiFi, and so on), public access networks,open wireless access points at the neighbor’s house, and so on.

NOTE There is a fourth network domain called Work, which only comes intoplay if a domain controller on the Domain network cannot be located.

A network can be configured to be Private by the computer’s operator oradministrator. These three network profiles allow Windows Vista users toquickly define different network and security policies for all three domains,allowing quick “switch-on-the-fly” flexibility.

The Network Location Awareness service attempts to notice when a Windows host changes network locations (for example, roving laptop) or a significant network topology change has occurred (for example, downrouter, VPN, and so on). Changes in network location can affect many Win-dows components, including group policy, DHCP settings, and router tables.The algorithms used to detect a network change have been improved. Slowlink detection, used in group policy and other features, no longer uses just ICMP.

Network MapMicrosoft has included a great network mapping tool that graphically repre-sents the physical/logical TCP/IP components between the Windows Vistahost and a target destination, plus the other devices on the local network. It’sa great network troubleshooting tool, and might prove useful when diagnos-ing a malicious re-direction attack. To do this, Microsoft created a new net-work protocol, Link-Layer Topology Discovery, and a new service, Link-LayerTopology Discovery Responder.



The Rebuilt TCP/IP Stack with IPv6Along with rebuilding the entire TCP/IP stack, Microsoft has added strongersupport for the long awaited IP version 6 (IPv6), performance self tuning,new APIs for packet inspection (called the Windows Filtering Platform), and a bevy of diagnostic tools. IPv6 has significant security improvementsbuilt into the protocol. Finally, after a decade of waiting, IPv6 is starting togain increased usage, with some countries running the Internet and their own infrastructures entirely on IPv6. Windows Vista can run both IPv4and IPv6 protocols at the same time, as well as tunnel IPv6 traffic within IPv4 traffic.

Not everyone is happy that Microsoft rebuilt the Windows TCP/IP stackfrom the ground up. Windows Vista beta testers have found simple, old, net-work stack vulnerabilities in the beta code (http://securityresponse.symantec.com/avcenter/reference/ATR-VistaAttackSurface.pdf). Mostof the found vulnerabilities were fixed before release, but critics, particularlythose with a vested interest in Microsoft not entirely succeeding in security,pointed out the simple vulnerabilities found (for example, LAND attack) asevidence of an overall lack of maturity in the Windows Vista TCP/IP stack.

Routing CompartmentalizationHost-based routing has become more compartmentalized. An administratorcan define separate routing tables for different users or different network loca-tions. For instance, if the PC connects to a VPN, one router table can be createdfor all VPN-related traffic, and an entirely different router table used for othernetwork connections and locations.

Windows FirewallMicrosoft’s enabling Windows Firewall by default in XP SP2 led to an imme-diate and measurable decrease in the spread of malicious code. Windows Fire-wall in Windows Vista has been completely rewritten, and includes outboundblocking. The improved Windows Firewall comes with pre-configured excep-tions (predefined allowed connections) for many common applications,although the majority are not enabled by default. Exceptions can be config-ured by source and destination IP addresses, TCP and UDP port numbers, byinterface, groups, network domain, and by service account. For more informa-tion on the changes in Windows Firewall, see Chapter 11.

Domain IsolationMicrosoft is focusing on network domain isolation. A domain is any prede-fined network address scope that requires its own access control permissions.



Traditional domains represented on the standard network firewall are internalnetwork, DMZ, and external network. Domain isolation just extends to thewhole security domain concept to any set of hosts or network devices theadministrator wants to define. For example, the marketing and IT computerresources can be kept from communicating with each other. Or the back-enddatabase server can be configured to accept only inbound connections on portTCP 1433 (the SQL Server port, from the DMZ web server). This latter restric-tion would actually be something called “server isolation,” which is a varianton domain isolation. We will discuss domain isolation further in Chapter 12.

Microsoft is pushing administrators to better define their network domainsusing a least privilege policy, to prevent unauthorized access and maliciousbehavior. Administrators can use any Windows access control mechanismavailable, but in most cases Microsoft domain isolation refers to WindowsFirewall, IPsec, and, optionally, Network Access Protection (NAP).

NAP requires one or more Windows servers and attempts to restrict attach-ing network hosts to a limited subset of network resources until they are exam-ined, queried, and approved (for example, is the Windows Firewall turned on,are client patches up-to-date, is client computer running an up-to-dateantivirus scanner, and so on). Once approved, they can connect to either theentire network or isolated to particular domains. Microsoft has significantlyimproved domain isolation and NAP in Windows Vista, and in the forthcom-ing Longhorn server product.

Improved Wireless SecurityWireless connectivity has been moved into the main TCP/IP stack. Previously,wireless connectivity was a separate client and a separate stack, which meantthat many normal networking features did not integrate as well into wirelessconnections. Windows Vista supports the latest wireless open standards,including 802.1x, WPA, WPA2, PEAP-TLS, and 802.11i. Wireless connectionscan now get logon scripts and GPO updates, prior to the user logging in suc-cessfully (something that did not occur in XP). Wireless security is covered indetail in Chapter 13.

New Peer-to-Peer NetworkingWindows Vista contains more peer-to-peer (P2P) and collaborative network-ing components, including a new Peer Name Resolution Protocol (PNRP).Windows Shared View is a new collaboration program that allows up to tenpeople to share sessions, applications, and data. From a security standpoint,P2P applications and components, especially the seamless type that Microsoftis promoting, are often avenues for malicious attack.



SMB 2.0The Server Message Block (SMB) protocol is used for Windows networking.SMB is often associated with folder and printer sharing, but it used through-out Windows for many things, including logging on to a domain, group policydistribution, and remote management. Windows Vista includes a new versionof the SMB protocol, SMB 2.0, which improves on both performance and secu-rity over SMB 1.0.

SMB 2.0 is more resistant to many attacks, including anonymous connec-tions and MitM attacks. Windows Vista and Longhorn Server will use SMB 2.0when talking to Windows Vista and Longhorn servers and clients. When talk-ing to down-level clients, they will use SMB 1.0.

One of my favorite new default settings is that Windows Vista no longerlooks for and enumerates all local network shares when it boots up. By default,XP Pro, using the browser service will enumerate all shares and printers on thelocal network when it starts. Although this feature could be turned off,because it is a default setting, it leads to lots of shares being unnecessarilyrevealed to non-admin users.

Group Policy

Windows Vista contains over 800 new group policy settings. Improved man-agement and configuration settings include:

■■ Blocking portable media device installation

■■ More Internet Explorer security settings

■■ Improved IPsec and Windows Firewall settings

■■ Improved administrative templates

■■ Improved printer control (location-based, can allow users to install)

■■ Improved power management

There are also several new user rights, such as the ability to grant users the right to change time zones. In addition, there are dozens of new securitysettings.

The Group Policy Management Console (GPMC) is installed by default, nolonger requiring a separate download. On the client-side, one of the biggestchanges is that group policy application is no longer under the mandate of theWinlogon.exe process, as it is in prior Windows operating systems. It is now itsown separate Group Policy Client, with increased reliability, increased func-tionality, and more intelligence about what to apply when. And, even moreimportant, it has significantly better logging (see the Improved Event Logssection above).



There is a new Administrative Templates format, known as ADMX files(matching their new file extension). ADMX files are “easily” editable XMLfiles, with increased functionality and capable of multi-language support.They will be stored more efficiently in Longhorn server, with ADMX templatesbeing stored in a central Sysvol location, instead of individually beingattached to one or more group policy objects. Legacy ADM files are still sup-ported, however.

Another important client-side change is the ability to have multiple LocalComputer security policies, instead of the computer having only one. Actually,there is still only one Local Computer policy, but it can have different settingsfor different users or groups. Chapter 14 will cover group policy in more detail.

64-bit Only Improvements

Windows (and other PC-based operating systems) are quickly moving to 64-bit environments. XP Pro and Windows Server 2003 are available in both32-bit and 64-bit versions. Windows Vista shipped simultaneously in 32-bitand x64 versions, a first for Microsoft. In the near future, only 64-bit PC hard-ware will be available for purchase and Microsoft will be strongly pushing 64-bit versions of Windows. In fact, already as of this writing, it seems themajority of desktops are 64-bit capable, although laptops appear to lag farbehind, sadly.

The 64-bit versions of Windows are significantly more secure than the 32-bitversions. For one, all boot critical code, including the HAL and OS kernel, iscode integrity-checked before running. System catalogs (for example, Nt5.cat)contain the image hash integrity values. In addition, because all device driversmust be re-written to take advantage of the 64-bit platform, Microsoft caresless about backward compatibility and more about making third-party ven-dors build in security from the start.

This new approach allows Microsoft to mandate things it could not beforeFor instance, all kernel code must be digitally signed by a certificate obtainedby Microsoft. This is known as PatchGuard or Kernel Patch Protection.Unsigned code cannot be loaded into the kernel under normal operations.Microsoft is releasing dozens of new tools to third-party vendors so they cancheck for security problems and stability issues. In 32-bit versions of Windows,unsigned kernel code can be loaded, although it is still not recommended.

64-bit versions of Windows include a 32-bit emulation layer for legacy appli-cations, and contain a virtualized 32-bit registry area for 32-bit applications.Microsoft is doing its best to prevent 32-bit code from touching 64-bit code andmemory. 16-bit drivers and programs will not be supported on 64-bit versions ofthe OS, and can only be hosted by running in virtual sessions. By default, futureWindows server versions will include virtualization software built-in. There will



be no need to purchase separate virtualization software (for example, VirtualPC, VMware, and so on) for many purposes.

Future Improvements

Microsoft is already hard at work on improving security even more in Long-horn server and the next generations of Windows. Some of the changes include:

■■ Improved IPv6 stack and support

■■ RDP over HTTP (don’t confuse with RPC over HTTP)

■■ Application IDs (uniquely identifying the integrity of registry vendor code)

■■ Read-only domain controllers (BDCs anyone?)

A much anticipated future security feature is something called Server Core.Server Core will be a supremely stripped down, locked down version ofserver editions of Windows. It will contain no GUI, and function solely as aninfrastructure server. The roles it will play include file server, print server,domain controller, DHCP server, and DNS server. It will be high performanceand high security.

Summary

For years Microsoft has been cast as a company that didn’t understand com-puter security. But the tide has been turning and now Microsoft is turning outsome of the most secure software in the industry. Since Windows XP Pro SP2and Windows Server 2003 SP1, Microsoft has been taking increasing flack forpushing too much security too fast on end users, often at the expense of secu-rity over functionality. This is quite a change from the past. For those of us withover a decade of experience in securing Windows, we can’t believe our fortune.Will Windows Vista finally defeat malicious hackers and malware? Probablynot, but it will make the job tough on those who mean to cause others harm.

This chapter covered the most significant new security features in WindowsVista. To recap, the features most likely to make a practical impact on yourcomputing experience are:

■■ User Account Control

■■ Internet Explorer-Protected Mode

■■ Mandatory Integrity Controls

■■ BitLocker Drive Encryption

■■ Portable Media Control



■■ Device/Driver Control

■■ 800 New Group Policy Settings

■■ More Secure Defaults

■■ Harden Services

■■ Secure Desktop

■■ Startup Repair Tool

■■ Improved Event Logs

■■ Event Triggers and Event Forwarding

■■ IIS 7

■■ Improved Patch Management

■■ Decrease Risk when admins are logged in

■■ Potentially Less Admins Needed

■■ Session Isolation

■■ Previous Version client installed by default

■■ Improved EFS

■■ CardSpace

■■ Windows Defender

■■ Improved RDP authentication

■■ IPv6

■■ File and Registry Virtualization

■■ Improved Crash Diagnostics

■■ New Logon API

Believe it or not, as long as this chapter is, there are hundreds of otherimproved security features that could not be fit in this introduction. Nearlyevery application, aspect, and feature has been re-examined, starting with anincreased focus on the Security Development Lifecycle, threat modeling, and amore secure programming language. Significant security improvements havebeen made to host applications, booting sequence, logon architecture, NTFS,encryption, Internet security, and networking stack. Windows Vista’s newmandatory integrity controls, User Account Control, and file and registry vir-tualization are truly paradigm shifting changes, which will make Windows aneven more secure platform choice.

Upcoming chapters will cover the major improvements in more detail.Chapter 2 describes how attackers and malware exploit Windows, and intro-duces a few areas of potential weaknesses in Windows Vista.



Best Practices

■■ Familiarize yourself with the features that are new or significantly dif-ferent in Windows Vista.

■■ Do not disable security features, at least not until you have given thema try.

Insofar as you can, push your vendors to write software that works well asa non-administrator. Favor software that is properly written over that whichis not.

