additionalsecondarylogon
secondarylogon 时间:2021-02-26 阅读:()
WindowsVistaWindowsVistaSystemIntegritySystemIntegrityTechnologiesTechnologiesWCI442WCI442WhyThebadguysareeverywhere!
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
- additionalsecondarylogon相关文档
- settingsecondarylogon
- Logoffstatusmessagessecondarylogon
- POSIXsecondarylogon
- Levelsecondarylogon
- secondarylogon魔兽世界下载器不动Secondary Logon 在哪?
- secondarylogonSecondary Logon 等等是什么意思?
UCloud:美国云服务器,洛杉矶节点大促,低至7元起/1个月
ucloud美国云服务器怎么样?ucloud是国内知名云计算品牌服务商家,目前推出全球多地机房的海外云服务器。UCloud主打的优势是海外多机房,目前正在进行的2021全球大促活动参与促销的云服务器机房就多达18个。UCloud新一代旗舰产品快杰云服务器已上线洛杉矶节点,覆盖北美和亚太地区,火热促销中, 首月低至7元,轻松体验具备优秀性能与极高性价比的快杰云服务器。点击进入:ucloud美国洛杉矶...
digital-vm:VPS低至$4/月,服务器$80/月,10Gbps超大带宽,不限流量,机房可选:日本新加坡美国英国西班牙荷兰挪威丹麦
digital-vm,这家注册在罗马尼亚的公司在国内应该有不少人比较熟悉了,主要提供VPS业务,最高10Gbps带宽,还不限制流量,而且还有日本、新加坡、美国洛杉矶、英国、西班牙、荷兰、挪威、丹麦这些可选数据中心。2020年,digital-vm新增了“独立服务器”业务,暂时只限“日本”、“新加坡”机房,最高也是支持10Gbps带宽... 官方网站:https://digital-vm.co...
香港、美国、日本、韩国、新加坡、越南、泰国、加拿大、英国、德国、法国等VPS,全球独立服务器99元起步 湘南科技
全球独立服务器、站群多IP服务器、VPS(哪个国家都有),香港、美国、日本、韩国、新加坡、越南、泰国、加拿大、英国、德国、法国等等99元起步,湘南科技郴州市湘南科技有限公司官方网址:www.xiangnankeji.cn产品内容:全球独立服务器、站群多IP服务器、VPS(哪个国家都有),香港、美国、日本、韩国、新加坡、越南、泰国、加拿大、英国、德国、法国等等99元起步,湘南科技VPS价格表:独立服...
secondarylogon为你推荐
-
依赖注入请问下依赖注入的三种方式的区别微信如何建群在微信里怎么创建一个群别人可以加入扫描二维码的加入在线代理网站求有效的代理服务器地址?唱吧电脑版官方下载电脑上可以安装唱吧吗?iphone越狱后怎么恢复苹果手机越狱后怎么恢复直播加速有没有软件使已经下载好了的视频播放加速,例如30分钟的视频15分钟或者20分钟播放完qq怎么发邮件qq怎么发文件和邮件开机滚动条开机滚动条要很长时间怎么解决?创维云电视功能创维健康云电视有什么功能?怎么升级ios6iPad怎么升级到iOS6正式版?