WindowsVistaWindowsVistaSystemIntegritySystemIntegrityTechnologiesTechnologiesWCI442WCI442WhyThebadguysareeverywhere!
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
主机参考最新消息:JustHost怎么样?JustHost服务器好不好?JustHost好不好?JustHost是一家成立于2006年的俄罗斯服务器提供商,支持支付宝付款,服务器价格便宜,200Mbps大带宽不限流量,支持免费更换5次IP,支持控制面板自由切换机房,目前JustHost有俄罗斯5个机房可以自由切换选择,最重要的还是价格真的特别便宜,最低只需要87卢布/月,约8.5元/月起!just...
Virtono是一家成立于2014年的国外VPS主机商,提供VPS和服务器租用等产品,商家支持PayPal、信用卡、支付宝等国内外付款方式,可选数据中心共7个:罗马尼亚2个,美国3个(圣何塞、达拉斯、迈阿密),英国和德国各1个。目前,商家针对美国圣何塞机房VPS提供75折优惠码,同时,下单后在LET回复订单号还能获得双倍内存的升级。下面以圣何塞为例,分享几款VPS主机配置信息。Cloud VPSC...
今天CloudCone发布了最新的消息,推送了几款特价独立服务器/杜甫产品,美国洛杉矶MC机房,分配100Mbps带宽不限流量,可以选择G口限制流量计划方案,存储分配的比较大,选择HDD硬盘的话2TB起,MC机房到大陆地区线路还不错,有需要美国特价独立服务器的朋友可以关注一下。CloudCone怎么样?CloudCone服务器好不好?CloudCone值不值得购买?CloudCone是一家成立于2...
secondarylogon为你推荐
伪装微信地理位置如何用伪装微信地理位置?依赖注入依赖注入到底是为了解决什么问题的自助建站自助建站哪个平台最好?不兼容安卓手机软件不兼容怎么办?开机滚动条电脑开机有滚动条的画面xv播放器下载除了迅雷看看播放器还有什么播放器支持xv格式的视频?iphone6上市时间iphone6什么时候上市,价格是多少?网络广告投放怎样在网络上进行广告的投放?什么是云平台什么是家庭云平台?虚拟机软件下载那里可以下载虚拟系统,又该怎么安装呢??
网络域名 duniu flashfxp怎么用 ixwebhosting 12306抢票助手 长沙服务器 国内php空间 什么是刀片服务器 1g内存 亚马逊香港官网 免费美国空间 酷番云 t云 google台湾 免费邮件服务器 秒杀品 华为k3 国外网页代理 域名和主机 97rb 更多