additionalsecondarylogon
secondarylogon 时间:2021-02-26 阅读:()
WindowsVistaWindowsVistaSystemIntegritySystemIntegrityTechnologiesTechnologiesWCI442WCI442WhyThebadguysareeverywhere!
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
- additionalsecondarylogon相关文档
- settingsecondarylogon
- Logoffstatusmessagessecondarylogon
- POSIXsecondarylogon
- Levelsecondarylogon
- secondarylogon魔兽世界下载器不动Secondary Logon 在哪?
- secondarylogonSecondary Logon 等等是什么意思?
HostYun 新增可选洛杉矶/日本机房 全场9折月付19.8元起
关于HostYun主机商在之前也有几次分享,这个前身是我们可能熟悉的小众的HostShare商家,主要就是提供廉价主机,那时候官方还声称选择这个品牌的机器不要用于正式生产项目,如今这个品牌重新转变成Hostyun。目前提供的VPS主机包括KVM和XEN架构,数据中心可选日本、韩国、香港和美国的多个地区机房,电信双程CN2 GIA线路,香港和日本机房,均为国内直连线路,访问质量不错。今天和大家分享下...
HaloCloud:日本软银vps100M/200M/500M带宽,,¥45.00元/月
halocloud怎么样?halocloud是一个于2019下半年建立的商家,主要提供日本软银VPS,广州移动VDS,株洲联通VDS,广州移动独立服务器,Halo邮局服务,Azure香港1000M带宽月抛机器等。日本软银vps,100M/200M/500M带宽,可看奈飞,香港azure1000M带宽,可以解锁奈飞等流媒体,有需要看奈飞的朋友可以入手!点击进入:halocloud官方网站地址日本vp...
racknerd:美国大硬盘服务器,$599/月,Ryzen7-3700X/32G内存/120gSSD+192T hdd
racknerd当前对美国犹他州数据中心的大硬盘服务器(存储服务器)进行低价促销,价格跌破眼镜啊。提供AMD和Intel两个选择,默认32G内存,120G SSD系统盘,12个16T HDD做数据盘,接入1Gbps带宽,每个月默认给100T流量,5个IPv4... 官方网站:https://www.racknerd.com 加密数字货币、信用卡、PayPal、支付宝、银联(卡),可以付款! ...
secondarylogon为你推荐
-
拂晓雅阁有什么网站是学电脑技术的`?在线代理网站最好的免费在线代理网站有哪些~急!网站联盟网盟跟b2b平台有什么区别今日热点怎么删除“今日热点”到底要怎样才能取消弹窗,每次开机都会中小企业信息化中小企业如何进行企业信息化规划如何建立一个网站如何建立一个网站硬盘人什么叫“软盘人”和“硬盘人”?商标注册查询官网商标注册网的官网是哪个?微信怎么看聊天记录微信怎样查询聊天记录微信怎么看聊天记录如何查找微信聊天记录