additionalsecondarylogon
secondarylogon 时间:2021-02-26 阅读:()
WindowsVistaWindowsVistaSystemIntegritySystemIntegrityTechnologiesTechnologiesWCI442WCI442WhyThebadguysareeverywhere!
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
- additionalsecondarylogon相关文档
- settingsecondarylogon
- Logoffstatusmessagessecondarylogon
- POSIXsecondarylogon
- Levelsecondarylogon
- secondarylogon魔兽世界下载器不动Secondary Logon 在哪?
- secondarylogonSecondary Logon 等等是什么意思?
gcorelabs:CDN业务节点分布100多个国家地区,免费版提供1T/月流量
卢森堡商家gcorelabs是个全球数据中心集大成的运营者,不但提供超过32个数据中心的VPS、13个数据中心的cloud(云服务器)、超过44个数据中心的独立服务器,还提供超过100个数据中心节点的CDN业务。CDN的总带宽容量超过50Tbps,支持免费测试! Gcorelabs根据业务分,有2套后台,分别是: CDN、流媒体平台、DDoS高防业务、块存储、cloud云服务器、裸金属服务器...
月神科技-美国CERA 5折半价倒计时,上新华中100G高防云59起!
官方网站:点击访问月神科技官网优惠码:美国优惠方案:CPU:E5-2696V2,机房:国人热衷的优质 CeraNetworks机房,优惠码:3wuZD43F 【过期时间:5.31,季付年付均可用】活动方案:1、美国机房:洛杉矶CN2-GIA,100%高性能核心:2核CPU内存:2GB硬盘:50GB流量:Unmilited端口:10Mbps架构:KVM折后价:15元/月、150元/年传送:购买链接洛...
青果云(590元/年),美国vps洛杉矶CN2 GIA主机测评 1核1G 10M
青果网络QG.NET定位为高效多云管理服务商,已拥有工信部颁发的全网云计算/CDN/IDC/ISP/IP-VPN等多项资质,是CNNIC/APNIC联盟的成员之一,2019年荣获国家高薪技术企业、福建省省级高新技术企业双项荣誉。那么青果网络作为国内主流的IDC厂商之一,那么其旗下美国洛杉矶CN2 GIA线路云服务器到底怎么样?官方网站:https://www.qg.net/CPU内存系统盘流量宽带...
secondarylogon为你推荐
-
cornerradiuscorner radius是什么意思伪装微信地理位置用软件 伪装微信地理位置 在相册上传图片显示所在城市还是我目前的位置?中国论坛大全甘肃论坛都有哪些?arm开发板ARM开发板具体有什么作用?有什么商业价值?如何建立一个网站要建立一个网站怎么弄啊?淘宝网页显示不正常淘宝网页不能正常显示淘宝网页显示不正常淘宝网显示不正常ejb开发什么是EJB?虚拟专用网虚拟专用网适用于什么行业什么是云平台谁能简单说一下什么是云平台啊?