Unintended Consequences - PowerPoint Presentation

Uploaded by mitsue-stanley on 2017-09-10

Unintended Consequences of Security Lockdowns. Aaron Margosis, Principal Consultant, Microsoft Services. Session SIM304. Session objectives and takeaways: understand and explain tradeoffs of security and usability.



Presentation Transcript

Slide 1

Unintended Consequences of Security Lockdowns

Aaron Margosis
Principal Consultant
Microsoft Services

SIM304

Slide 2

Session Objectives and Takeaways

Session Objective(s):
  Understand and explain tradeoffs of security and usability
  Diagnose common problems arising from security lockdowns
Key Takeaway:
  “Tightening” a security setting doesn’t always lead to better security!

Slide 3

Agenda

Brief history of security guidance
Settings and Side Effects:
  Remove the “Debug” privilege from Administrators
  Turn off Automatic Root Certificates Update
  Hide mechanisms to remove zone information
  Require trusted path for credential entry
  Do not process the legacy Run list
  NtfsDisable8dot3NameCreation

Slide 4

Security Guidance

Some release dates:
  Windows NT 4 released in the year 6 BTC
  Windows 2000 released in the year 3 BTC (“BTC” = Before Trustworthy Computing)
    NSA and others stepped in
  Windows Server 2003, year 1 of the TWC era
    NSA says: “What they said”
  Windows XP SP2 in year 2 TC
    NSA’s guidance didn’t catch up
    KB 885409 and Consensus Settings

Slide 5

Security Guidance

US Federal Government guidance
  US DOD STIGs (Security Technical Implementation Guides)
  US Air Force, Standard Desktop Configuration (SDC)
    Standardized locked-down configuration (XP SP2)
    Everyone runs as standard user
  Federal Desktop Core Configuration (FDCC)
    Now the US Government Configuration Baseline (USGCB)
Microsoft security guidance
  Now encapsulated in the Security Compliance Manager (SCM)

Slide 6

The “Debug Programs” privilege

Location: Security Settings | Local Policies | User Rights Assignment
Setting name: Debug programs
Default: Administrators
(Mis)guidance: [no one]

Slide 7

What is “Debug programs”?

Allows user to take control of any process
  Bypasses the process’ security descriptor – grants Full Control
  Read/write process memory
  Break in with a debugger; control execution paths
  Terminate the process
Needed to debug other users’ processes (or the kernel)
Needed by some diagnostic/troubleshooting tools
“Admin-equivalent”
  Granted to Administrators by default
  Should never be granted to non-admins

Slide 8

Revoking “Debug programs” privilege

Purported benefit:
  Prevents attacker with an admin account from taking over Lsass.exe or other System processes
Actual benefit:
  None – trivial to bypass
Drawbacks:
  Breaks legitimate developer scenarios
  Limits capabilities of Task Manager, Process Explorer, Kill.exe, etc., when used by legitimate admins
  Breaks installation of SQL Server / SQL Express

Slide 9

Trivial to Bypass

Admin can configure anything to run as SYSTEM
  Sc.exe create TakeOverAnyway binpath= ...
  PsExec -sid cmd.exe
Admin can take ownership and change process permissions
Bottom line: restricting admins is futile
Good news: Recently removed from MS guidance and USGCB.

Slide 10

Demo: Revoking “Debug programs”
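As an added example (not the speaker’s code), here is a PowerShell check of who currently holds the “Debug programs” right, parsed from secedit’s exported [Privilege Rights] section; the default is BUILTIN\Administrators (S-1-5-32-544) and an empty result is the “[no one]” state the guidance prescribed. It assumes an elevated session, which secedit /export requires.

```powershell
# Added example, not from the presentation: report which accounts hold the
# "Debug programs" right (SeDebugPrivilege) and whether that matches the
# default (Administrators, S-1-5-32-544). Needs an elevated session.

function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit exports the local policy, including [Privilege Rights], as UTF-16.
        & secedit.exe /export /cfg $cfg /quiet | Out-Null
        $line = Get-Content -Path $cfg -Encoding Unicode |
                Where-Object { $_ -like 'SeDebugPrivilege*' } |
                Select-Object -First 1
        if (-not $line) { return @() }          # right assigned to no one
        # Value is comma-separated; SIDs carry a leading '*', names are literal.
        $value = ($line -split '=', 2)[1]
        foreach ($entry in ($value -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }                # unresolvable SID: report it raw
            } else { $entry }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Compare-DebugPrivilegeToDefault {
    $holders = @(Get-DebugPrivilegeHolders)
    [pscustomobject]@{
        Holders        = ($holders -join ', ')
        IsDefault      = ($holders.Count -eq 1 -and $holders[0] -eq 'BUILTIN\Administrators')
        RevokedFromAll = ($holders.Count -eq 0)   # the "[no one]" misguidance state
    }
}

Compare-DebugPrivilegeToDefault
```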

Slide 11

Turn off Automatic Root Certificates Update

Location: Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
Setting name: Turn off Automatic Root Certificates Update
Default: Not configured (equivalent to Disabled)
(Mis)guidance?: Enabled

Slide 12

Trusted Authorities

Windows Root Certificate Program
Default trusted CAs baked into Windows
Can be updated via Windows Update

Slide 13

Trusted Authorities in Vista and Newer

Starting in Windows Vista, “in the box” changed
Very few CAs in the Trusted Root CAs store
  Intent: improve performance, reduce resource demand
But roots can be added silently as needed…
  …even if offline! CTLs and Root Certs baked into Crypt32.dll
  …unless Automatic Root Certificates Update is turned off!

Slide 14

Why turn off automatic root cert update?

Blocks “phone home”
  All “phone home” is blocked by most government config guides
  Note: This has never been part of Microsoft’s guidance
Gives administrators absolute control over cert stores

Slide 15

Impact of this setting

Many fewer default trusted root CAs on a USGCB-compliant system
  Lots of files/programs will be treated as “unsigned”
  Lots of HTTPS web sites will show “invalid cert”
What you need to do:
  Manage your root CAs even more carefully
  Or… remove this setting
More good news: USGCB no longer requires this setting for Windows 7

Slide 16

Demo: Turning Off Automatic Root Certificates Update
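An added example, not from the presentation, to see the setting’s footprint on a machine: it reads the policy value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot (value name DisableRootAutoUpdate, assumed from the GPO’s registry mapping), counts the baked-in Root store against the AuthRoot store that auto-update fills, and builds the trust chain for a certificate file so the “invalid cert” / “unsigned” symptom can be seen from the inside.

```powershell
# Added example, not from the presentation: inspect the state this policy leaves
# behind. The Root store holds the roots shipped in the box; AuthRoot receives the
# roots Windows adds on demand via the Root Certificate Program. The policy value
# name (DisableRootAutoUpdate) is assumed from the GPO's registry mapping.

function Get-RootUpdateStatus {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $p = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoRootUpdateDisabled = ($p.DisableRootAutoUpdate -eq 1)   # $true when the GPO is Enabled
        RootStoreCount         = @(Get-ChildItem -Path Cert:\LocalMachine\Root).Count
        AuthRootStoreCount     = @(Get-ChildItem -Path Cert:\LocalMachine\AuthRoot).Count
    }
}

function Test-CertChainTrusted {
    # Builds the chain for a .cer/.crt file against the machine's stores. With
    # auto-update off, a leaf whose root has never been downloaded fails here with
    # UntrustedRoot or PartialChain: the "invalid cert" symptom on the slide.
    param([Parameter(Mandatory)][string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Trust question only; revocation is a separate concern.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '' }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Trusted  = $trusted
        ChainTop = $top                  # the root when the chain is complete
        Errors   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

Get-RootUpdateStatus
# Usage: Test-CertChainTrusted -Path C:\path\to\leaf.cer
```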

Slide 17

Hide mechanisms to remove zone info

Location: User Configuration | Administrative Templates | Windows Components | Attachment Manager
Setting name: Hide mechanisms to remove zone information
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled

Slide 18

Ever see this? Or this?

Cause: Security Zone info attached to file

Slide 19

Zone Information

Windows tags files with source-zone metadata
  Uses Internet Explorer security zones
  Stored in NTFS alternate data stream
After download, shell still handles file as from that zone
By default, users can remove zone info via Properties dialog or checkbox
Some security guidance hides those interfaces

Slide 20

Mechanisms that get hidden

Slide 21

And this is good why?

Beats me.
Annoying “security” dialog that provides no info
  Doesn’t stop the user from running the program
  Trains users to expect and ignore warnings
OK, one benefit: blocks execution of code in a malicious CHM
  Worth it?

Slide 22

Mechanisms that remain…

Or just overwrite the stream; e.g., echo. > procmon.chm:Zone.Identifier
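An added example, not from the slides: a PowerShell look at the Zone.Identifier stream itself, using a constructed sample file tagged as an Internet download, followed by the two removal routes (Unblock-File, which matches the Properties-dialog Unblock the policy hides, and the echo overwrite from the slide). It assumes an NTFS volume and PowerShell 3.0 or later for -Stream.

```powershell
# Added example, not from the presentation: read the Zone.Identifier alternate
# data stream that Attachment Manager writes, then show the two removal routes
# the slides mention (Unblock vs. overwriting the stream) on a constructed
# sample file. Needs an NTFS volume and PowerShell 3.0+ for -Stream.

$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $idLine = @($ads) | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if (-not $idLine) {
        # No stream at all, or an emptied stream: the shell treats the file as local.
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'none' }
    }
    $id = [int]($idLine -replace '^ZoneId=', '')
    [pscustomobject]@{ Path = $Path; ZoneId = $id; Zone = $ZoneNames[$id] }
}

# Constructed sample: tag a scratch file the way a browser download from the
# Internet zone is tagged ([ZoneTransfer] section, ZoneId=3).
$sample = Join-Path $env:TEMP 'zone-demo.txt'
Set-Content -Path $sample -Value 'demo'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-FileZone -Path $sample

# Route 1: Unblock-File deletes the stream, the same result as the Properties
# dialog's Unblock button that the policy hides.
Unblock-File -Path $sample
Get-FileZone -Path $sample

# Route 2: the slide's "echo. > file:Zone.Identifier" trick, which the policy
# cannot hide. The stream stays but carries no ZoneId, so it no longer marks the file.
Set-Content -Path $sample -Stream Zone.Identifier -Value ''
Get-FileZone -Path $sample
Remove-Item -Path $sample
```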

Slide 23

Demo

No! UAC elevation is not a security boundary!
WTF??? Show me!
UAC elevation is safe if you have to enter a password, isn’t it?

Slide 24

Ctrl + Alt + Del

“Secure Attention Sequence” (SAS)
  Handled directly by the OS
  Cannot be intercepted by other software
Ensures that control transferred to Secure Desktop
  A.k.a., “Winlogon” desktop
  Accessible only to software running as SYSTEM
  Ensures that UI cannot be spoofed
  Ensures that credentials cannot be intercepted
Note: UAC elevation switches to Winlogon without SAS

Slide 25

Require Trusted Path for Credential Entry

Location: Computer Configuration | Administrative Templates | Windows Components | Credential User Interface
Setting name: Require trusted path for credential entry
Default: Not configured (equivalent to Disabled)
Ex-guidance: Enabled (USGCB “Alpha” – removed for final)

Slide 26

What is “Trusted path for credential entry”?

GUI credential entry (via CredUI) requires Ctrl+Alt+Del
Policy enforced by:
  UAC elevation
  Remote Desktop client
  Explorer: Map network drive with different credentials
    This last one in Windows 7, but not in Vista

Slide 27

Is it more secure?

Prevents some credential prompt spoofing and stealing
  … if you notice a prompt without Ctrl+Alt+Del…
  …before you enter the creds!
Is it worth it?
  More steps needed
  Your users will hate you, and they will let you know it!
  Also applied to same-user, consent-only elevation (WTF?)

Slide 28

Do Not Process the Legacy Run List

Location: Computer Configuration | Administrative Templates | System | Logon
Setting name: Do not process the legacy run list
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled

Slide 29

The “Run” keys under HKLM

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Command lines executed by Explorer during logon
  Run with the rights of the logged-on user
Used by legitimate programs and by malware
Adding, modifying or deleting entries requires admin rights
Note: there is also a per-user (HKCU) counterpart
  (For some reason, HKCU never touched by security guidance)

Slide 30

Benefits?

On well-managed systems: no benefit
  Adding/modifying requires admin rights
  Attacker with admin has tons of other ASEPs
What is typically there?

Slide 31

HKLM “Run” key settings…
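An added example, not the speaker’s: PowerShell that lists the entries in the three Run keys named above and the principals allowed to write each key (the slide’s point being that HKLM entries already need admin rights), plus a check of the policy value behind “Do not process the legacy run list” (DisableLocalMachineRun under Policies\Explorer, assumed from the GPO’s registry mapping).

```powershell
# Added example, not from the presentation: enumerate the Run keys the slide names
# (both HKLM views and the HKCU counterpart) and show who holds write access to
# each, since HKLM entries already require admin rights to add or change.
# The policy value name (DisableLocalMachineRun) is assumed from the GPO's mapping.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Allow ACEs that include SetValue (FullControl included): who can add entries.
        $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
        $writers  = (Get-Acl -Path $key).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (($_.RegistryRights -band $setValue) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        # Every value under the key is one command line Explorer runs at logon.
        $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $ProviderProps } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; CommandLine = $_.Value } }
        [pscustomobject]@{
            Key      = $key
            Entries  = @($entries).Count
            CanWrite = ($writers -join ', ')
            Commands = @($entries)
        }
    }
}

function Get-LegacyRunListPolicy {
    # 1 = Explorer skips the HKLM Run list at logon ("Do not process the legacy run list").
    $policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $p = Get-ItemProperty -Path $policyKey -Name DisableLocalMachineRun -ErrorAction SilentlyContinue
    [bool]($p.DisableLocalMachineRun -eq 1)
}

Get-RunKeyReport | Format-List Key, Entries, CanWrite, Commands
Get-LegacyRunListPolicy
```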

Slide 32

NtfsDisable8dot3NameCreation

Location: Security Settings | Local Policies | Security Options
Setting name: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Default: Disabled (configured per-volume)
(Mis)guidance: Enabled

Slide 33

NtfsDisable8dot3NameCreation

Vulnerability (try to keep a straight face):
“If you allow 8.3 style file names, an attacker only needs eight characters to refer to a file that may be 20 characters long. [...] Attackers could use short file names to access data files and applications with long file names that would normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications.”

Status:
  Removed from USGCB
  Removed from MS guidance for Server 2008 R2 (SSLF)

Slide 34

Blog Posts and KB Articles

Security configuration guidance support (KB 885409)
  http://support.microsoft.com/kb/885409
Sticking with Well-Known and Proven Solutions
  http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx
Disabling User Account Control (UAC) on Windows Server
  http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx
  and just posted to http://support.microsoft.com/kb/2526083
Problems with FDCC’s XP File Permissions
  http://blogs.technet.com/b/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx
The Case of the Unexplained Installation Failure (and an ill-advised registry hack)
  http://blogs.technet.com/b/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx

Slide 35

Resources

Security Compliance Manager (SCM)
  http://technet.microsoft.com/en-us/library/cc677002.aspx
Links to SCM webcasts and demos
  http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
Aaron’s Local Group Policy management tools
  http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
Webcast:
  http://www.msteched.com/2010/Europe/WCL324

Slide 36

Related Content

Breakout Sessions
  SIM305 – Implementing a Security Baseline in Your Environment
  SIM307 – Securing Your Windows Platform
  WSV325 – Security Configurations Simplified with the Microsoft Security Compliance Manager
Hands-On Labs
  WCL384-HOL – Establishing Security Baselines for Windows Internet Explorer

Slide 37

Trustworthy Computing

Safety and Security Center
  http://www.microsoft.com/security
Security Development Lifecycle
  http://www.microsoft.com/sdl
Security Intelligence Report
  http://www.microsoft.com/sir
End to End Trust
  http://www.microsoft.com/endtoendtrust

Slide 38

Resources

www.microsoft.com/teched
  Sessions On-Demand & Community
www.microsoft.com/learning
  Microsoft Certification & Training Resources
http://microsoft.com/technet
  Resources for IT Professionals
http://microsoft.com/msdn
  Resources for Developers
http://northamerica.msteched.com
  Learning
  Connect. Share. Discuss.

Slide 39

Complete an evaluation on CommNet and enter to win!

Slide 40

Slide 41

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.