Windows Vista Security Tidbits
Steve Lamb, Technical Security Evangelist @ Microsoft Ltd
[email protected]
http://blogs.technet.com/steve_lamb

Overview
User and Group Changes
  Admin account
  New/Missing SIDs
  New/Missing Users and Groups
  Cached credentials
Kernel Changes
  Buffer overflow protection
ACL Changes
Encryption Changes
  Suite B
  TS SSO
  EFS with Smart Cards
Audit changes
User rights
New and changed security options
Firewall
AuthIP
SMBv2
User and Group Changes
Administrator Account Status
Power Users Are Not Anymore
The Support and Help Accounts
New Groups
Some Additional SIDs
And A Few More SIDs
The Trusted Installer
A Service
INTERNET USER
High integrity SID
Low integrity SID
Medium integrity SID
System integrity SID
Integrity Levels in Token
ACL Changes
ACL Modifications
Old ACL UI
New ACL UI
Owner Needs Explicit Perms
Kernel Changes
Better Buffer Overflow Protection
  Second cookie protects exception handlers
  Safer CRT exception handlers
  No more executable pages outside images
    Enforced by better development practices and code scanning tools
  /NXCOMPAT linker flag in build tools
    If all binaries in a process are marked, NX is automatically enabled for the process
  Heap protection
  Signed kernel code (x64 only)
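The /NXCOMPAT rule above is visible in the PE header: the linker sets a bit in the optional header's DllCharacteristics field. As an added example (not from the deck), this Python parser reads that field and applies the all-modules-marked rule to a constructed sample header; offsets and flag values are taken from the PE/COFF specification.

```python
import struct

# DllCharacteristics flag bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by the /NXCOMPAT linker flag
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (raw file contents)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", image, opt + 70)[0]


def is_nx_compat(image: bytes) -> bool:
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def process_gets_dep(module_images) -> bool:
    """The slide's rule: DEP is enabled automatically only when every module
    loaded into the process carries the /NXCOMPAT bit."""
    return all(is_nx_compat(m) for m in module_images)


def make_header(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header for demonstration only; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    # COFF header: Machine=x64, 0 sections, SizeOfOptionalHeader=112, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x0022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<H", opt, 68, 2)         # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    nx = make_header(IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    legacy = make_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print("all modules marked ->", process_gets_dep([nx, nx]))      # True
    print("one legacy module  ->", process_gets_dep([nx, legacy]))  # False
```

To check a real binary, pass `open(path, "rb").read()` to `is_nx_compat`; a single unmarked DLL in the process is enough to lose automatic DEP under the opt-in policy the slide describes.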
Crypto Changes
Offline Files Encrypted Per User
Encrypted Pagefile
Suite-B Crypto
  Software and Smart Card Key Storage Providers
  Cryptographic configuration
  NIST ECC Prime Curves support (smart cards too)
  AES
  SHA-2
  IPsec support for AES and ECDH
  ECC cipher suites in SSL
EFS with smart cards
Cached Credentials Much Tougher
Improved Auditing
Granular Audit Policy
Object Access Auditing
Object Access Attempt:
  Object Server: %1
  Handle ID: %2
  Object Type: %3
  Process ID: %4
  Image File Name: %5
  Access Mask: %6
Object Access Auditing
An operation was performed on an object.
  Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4
  Object:
    Object Server: %5
    Object Type: %6
    Object Name: %7
    Handle ID: %9
  Operation:
    Operation Type: %8
    Accesses: %10
    Access Mask: %11
    Properties: %12
    Additional Info: %13
    Additional Info2: %14
Added Auditing For
  Registry value change audit events (old+new values)
  AD change audit events (old+new values)
  Improved operation-based audit
  Audit events for UAC
  Improved IPsec audit events including support for AuthIP
  RPC Call audit events
  Share Access audit events
  Share Management events
  Cryptographic function audit events
  NAP audit events (server only)
  IAS (RADIUS) audit events (server only)
More Info In Event Log UI
XML Events
New Event Numbers
New and Modified User Rights
Changes to User Rights
  All rights for Power Users removed
  Create global objects does not have INTERACTIVE
  SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET
  Logon as a service is now empty by default
New User Rights
  Access credential manager as a trusted caller
  Change time zone
  Create symbolic links
  Modify an object label
  Synchronize directory service data
  Increase a process working set
Security Options With Modified Defaults
Anonymous Named Pipes
Network access: remotely accessible registry paths
Network access: shares that can be accessed anonymously
Network Security: Do not store LAN Manager hash value on next password change
Network security: LAN Manager authentication level
Devices: Allowed to format and eject removable media
Devices: Restrict CD-ROM/Floppy access to locally logged on user only
Devices: Unsigned driver installation behavior
Why Change It?
Interactive logon: Require smart card
New Security Options
Network access: remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to named pipes and shares
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for software restriction policies
Lots and lots and lots of GP changes
Last Logon Display
Trusted Path Credential Entry
Smart Card Policies
SMBv2
What's New In SMBv2 (in 30 seconds)
  Only 16 commands (80 in SMBv1)
  Implicit sequence number speeds up hashing
  SHA-256 signatures (MD5 in SMBv1)
  Handles reconnections more reliably
  Client-side file encryption (yay!!!)
  Symbolic links across shares (disabled by default)
  Better load balancing mitigates DoS attacks
Miscellany
New RDP Control
Timeless Security Advice!
Order online: http://www.protectyourwindowsnetwork.com
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thanks to Jesper M. Johansson, Ph.D. for creating the slides