Unintended Consequences of Security Lockdowns
Aaron Margosis, Principal Consultant, Microsoft Services
SIM304
Session Objectives and Takeaways
Session Objective(s):
- Understand and explain tradeoffs of security and usability
- Diagnose common problems arising from security lockdowns
Key Takeaway: “Tightening” a security setting doesn’t always lead to better security!
Agenda
- Brief history of security guidance
- Settings and Side Effects
  - Remove the “Debug” privilege from Administrators
  - Turn off Automatic Root Certificates Update
  - Hide mechanisms to remove zone information
  - Require trusted path for credential entry
  - Do not process the legacy Run list
  - NtfsDisable8dot3NameCreation
Security Guidance
Some release dates:
- Windows NT 4 released in the year 6 BTC
- Windows 2000 released in the year 3 BTC (“BTC” = Before Trustworthy Computing)
  - NSA and others stepped in
- Windows Server 2003, year 1 of the TWC era
  - NSA says: “What they said”
- Windows XP SP2 in year 2 TC
  - NSA’s guidance didn’t catch up
  - KB 885409 and Consensus Settings
Security Guidance
- US Federal Government guidance
  - US DOD STIGs (Security Technical Implementation Guides)
  - US Air Force, Standard Desktop Configuration (SDC): a standardized locked-down configuration (XP SP2); everyone runs as standard user
  - Federal Desktop Core Configuration (FDCC), now the US Government Configuration Baseline (USGCB)
- Microsoft security guidance, now encapsulated in the Security Compliance Manager (SCM)
The “Debug Programs” privilege
Location: Security Settings | Local Policies | User Rights Assignment
Setting name: Debug programs
Default: Administrators
(Mis)guidance: [no one]
What is “Debug programs”?
- Allows user to take control of any process
  - Bypasses the process’ security descriptor; grants Full Control
  - Read/write process memory
  - Break in with a debugger; control execution paths
  - Terminate the process
- Needed to debug other users’ processes (or the kernel)
- Needed by some diagnostic/troubleshooting tools
- “Admin-equivalent”
  - Granted to Administrators by default
  - Should never be granted to non-admins
Revoking “Debug programs” privilege
Purported benefit: prevents an attacker with an admin account from taking over Lsass.exe or other System processes
Actual benefit: none; trivial to bypass
Drawbacks:
- Breaks legitimate developer scenarios
- Limits capabilities of Task Manager, Process Explorer, Kill.exe, etc., when used by legitimate admins
- Breaks installation of SQL Server / SQL Express
Trivial to Bypass
- Admin can configure anything to run as SYSTEM
  - Sc.exe create TakeOverAnyway binpath= ...
  - PsExec -sid cmd.exe
- Admin can take ownership and change process permissions
Bottom line: restricting admins is futile
Good news: recently removed from MS guidance and USGCB.
demo: Revoking “Debug programs”
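The bypass described on the “Trivial to Bypass” slide, as an added PowerShell example that is not part of the deck: it checks whether SeDebugPrivilege is present in the current elevated admin token (absent where the “[no one]” guidance has been applied), then creates a temporary service that the Service Control Manager starts as LocalSystem and that writes its own token’s privileges to a file, so the two tokens can be compared. The service name DebugPrivDemo, the output path under %SystemRoot%\Temp and the use of cmd.exe as the “service” binary are my own choices for the demo, not anything from the slides. Run it from an elevated prompt on a test machine; it removes the service when it finishes.

```powershell
# Added example: an admin whose "Debug programs" right was revoked gets it back in one step
# by running as SYSTEM. Run elevated on a test machine. Service name, output path and the
# use of cmd.exe as the "service" binary are arbitrary choices for the demo.
$svcName = 'DebugPrivDemo'
$outFile = Join-Path $env:SystemRoot 'Temp\debugpriv-demo.txt'   # assumed: path has no spaces

function Test-DebugPrivilege {
    # whoami /priv lists every privilege held by the token (enabled or not). If the user right
    # was removed from Administrators, SeDebugPrivilege is absent from the list entirely.
    param([string[]]$PrivText)
    [bool]($PrivText -match '^SeDebugPrivilege')
}

# 1. The current elevated admin token.
$mine = whoami /priv
"Current token: $(whoami)"
"SeDebugPrivilege in my token: $(Test-DebugPrivilege $mine)"

# 2. The same check from a process the Service Control Manager starts as LocalSystem.
#    cmd.exe never reports to SCM, so 'sc start' ends with error 1053 after SCM's timeout,
#    but the command line has already run by then.
Remove-Item -LiteralPath $outFile -ErrorAction SilentlyContinue
$binPath = "cmd.exe /c whoami > $outFile & whoami /priv >> $outFile"
sc.exe create $svcName binPath= $binPath type= own start= demand | Out-Null
try {
    sc.exe start $svcName | Out-Null
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path -LiteralPath $outFile) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
    $sys = Get-Content -LiteralPath $outFile
    "Service token: $($sys[0])"
    "SeDebugPrivilege in service token: $(Test-DebugPrivilege $sys)"
}
finally {
    # 3. Never leave the demo service behind: it is a SYSTEM-level autostart point.
    sc.exe delete $svcName | Out-Null
    Remove-Item -LiteralPath $outFile -ErrorAction SilentlyContinue
}
```

On a box where the user right was taken away from Administrators, the first check prints False and the second prints True with “nt authority\system” as the service token: the privilege was never really removed from anyone who can create a service, which is every administrator. The same effect is available through PsExec -s, a scheduled task running as SYSTEM, or taking ownership of the target process, which is why the slide calls the setting futile.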
Turn off Automatic Root Certificates Update
Location: Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
Setting name: Turn off Automatic Root Certificates Update
Default: Not configured (equivalent to Disabled)
(Mis)guidance?: Enabled
Trusted Authorities
- Windows Root Certificate Program
- Default trusted CAs baked into Windows
- Can be updated via Windows Update
Trusted Authorities in Vista and Newer
- Starting in Windows Vista, “in the box” changed
- Very few CAs in the Trusted Root CAs store
  - Intent: improve performance, reduce resource demand
- But roots can be added silently as needed… even if offline!
  - CTLs and Root Certs baked into Crypt32.dll
  - … unless Automatic Root Certificates Update is turned off!
Why turn off automatic root cert update?
- Blocks “phone home”
  - All “phone home” is blocked by most government config guides
  - Note: This has never been part of Microsoft’s guidance
- Gives administrators absolute control over cert stores
Impact of this setting
- Many fewer default trusted root CAs on a USGCB-compliant system
- Lots of files/programs will be treated as “unsigned”
- Lots of HTTPS web sites will show “invalid cert”
What you need to do:
- Manage your root CAs even more carefully
- Or… remove this setting
More good news: USGCB no longer requires this setting for Windows 7
demo: Turning Off Automatic Root Certificates Update
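As an added example that is not from the slides, the following PowerShell script helps diagnose the “treated as unsigned” symptom above: it reports whether the policy is in force and how many roots the machine store holds, and for each signed file it rebuilds the signer’s chain so that the chain status is visible (UntrustedRoot or PartialChain means the root is missing from the store, not that the signature is bad). The registry value DisableRootAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot is my own mapping of the Group Policy setting, to be verified against your ADMX files; the sample input is the first 50 executables in System32.

```powershell
# Added example: diagnose files "treated as unsigned" when root auto-update is off.
# DisableRootAutoUpdate is my mapping of the policy (assumed); the file set is a sample.
function Get-RootAutoUpdateState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($v -eq 1) { 'Turned off by policy' } else { 'Not configured / Disabled (auto-update on)' }
}

function Test-SignerChain {
    # Verifies the Authenticode signature, then rebuilds the signer's chain to show *why*
    # a non-Valid result occurred. Revocation checking is skipped so the test is offline
    # and only trust-store membership is exercised.
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status.ToString()
        Root        = $null
        ChainErrors = ''
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($sig.SignerCertificate)
        # The last element is the highest certificate the engine could find: the root when the
        # chain is complete, an intermediate when the root is missing from the store.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.Root        = $top.Subject
        $result.ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
        $chain.Reset()
    }
    [pscustomobject]$result
}

"Automatic Root Certificates Update: $(Get-RootAutoUpdateState)"
"Certificates in Cert:\LocalMachine\Root: $((Get-ChildItem Cert:\LocalMachine\Root).Count)"

# Sample input: the first 50 executables in System32. Substitute the files your users report.
Get-ChildItem -Path "$env:SystemRoot\System32\*.exe" | Select-Object -First 50 |
    ForEach-Object { Test-SignerChain -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table File, Status, Root, ChainErrors -AutoSize
```

A Status other than Valid with UntrustedRoot or PartialChain in ChainErrors, and a Root column that names an intermediate CA rather than a root, is the signature of this policy: the file is fine, the root it chains to never arrived because auto-update was turned off. On older Windows versions, catalog-signed files (many of the ones in System32) report NotSigned with no signer certificate; test with a file that carries an embedded signature there.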
Hide mechanisms to remove zone info
Location: User Configuration | Administrative Templates | Windows Components | Attachment Manager
Setting name: Hide mechanisms to remove zone information
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled
Ever see this? Or this? (two screenshots of the “from another computer” security warning)
Cause: Security Zone info attached to file
Zone Information
- Windows tags files with source-zone metadata
- Uses Internet Explorer security zones
- Stored in NTFS alternate data stream
- After download, shell still handles file as from that zone
- By default, users can remove zone info via Properties dialog or checkbox
- Some security guidance hides those interfaces
Mechanisms that get hidden (screenshots)
And this is good why?
- Beats me.
- Annoying “security” dialog that provides no info
- Doesn’t stop the user from running the program
- Trains users to expect and ignore warnings
- OK, one benefit: blocks execution of code in a malicious CHM
- Worth it?
Mechanisms that remain… (screenshots)
Or just overwrite the stream; e.g., echo. > procmon.chm:Zone.Identifier
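An added PowerShell example, not from the deck, of the stream these slides are about: it tags a constructed sample file the way Attachment Manager does after a download, reads the ZoneId back, clears it by three routes that no Group Policy setting hides (Unblock-File, deleting the stream, and the slide’s echo. overwrite), and lists which files under a folder still carry the tag. It needs PowerShell 3.0 or later for the -Stream parameters; the sample path under %TEMP% is assumed to contain no spaces because the cmd.exe call passes it unquoted.

```powershell
# Added example: the Zone.Identifier alternate data stream behind those dialogs.
# Needs PowerShell 3.0+ (-Stream parameters). Sample file is constructed here; its path is
# assumed to contain no spaces because the final cmd.exe call passes it unquoted.
$sample = Join-Path $env:TEMP 'zone-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'

function Set-InternetZone {
    # Tag a file the way Attachment Manager does after a download (ZoneId 3 = Internet).
    param([string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Get-InternetZone {
    # Returns the ZoneId from the stream, or $null if the file carries no zone information.
    param([string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads -and (($ads -join "`n") -match 'ZoneId=(\d+)')) { [int]$Matches[1] } else { $null }
}

function Find-TaggedFiles {
    # Every file under $Folder that the shell will still treat as "from the Internet".
    param([string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
        Select-Object FullName, @{ n = 'ZoneId'; e = { Get-InternetZone $_.FullName } }
}

Set-InternetZone -Path $sample
"After tagging: ZoneId = $(Get-InternetZone $sample)"          # 3

# Three ways to clear it; none of them is touched by "Hide mechanisms to remove zone information".
Unblock-File -LiteralPath $sample                               # 1. built-in cmdlet
Set-InternetZone -Path $sample
Remove-Item -LiteralPath $sample -Stream Zone.Identifier        # 2. delete the stream
Set-InternetZone -Path $sample
cmd.exe /c "echo. > ${sample}:Zone.Identifier"                  # 3. the slide's overwrite trick
"After clearing: ZoneId = '$(Get-InternetZone $sample)'"       # empty: the stream is gone or blank

Find-TaggedFiles -Folder (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

The policy only removes the checkbox and the Properties button; the stream itself is ordinary user-writable file data, which is why any of the three clearing routes works for a standard user with no elevation. Find-TaggedFiles is the useful half for a help desk: it shows which downloaded files will keep producing the dialog.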
demo
- UAC elevation is safe if you have to enter a password, isn’t it?
- No! UAC elevation is not a security boundary!
- WTF??? Show me!
Ctrl + Alt + Del
- “Secure Attention Sequence” (SAS)
- Handled directly by the OS
- Cannot be intercepted by other software
- Ensures that control is transferred to the Secure Desktop
  - A.k.a., “Winlogon” desktop
  - Accessible only to software running as SYSTEM
  - Ensures that UI cannot be spoofed
  - Ensures that credentials cannot be intercepted
- Note: UAC elevation switches to the Winlogon desktop without SAS
Require Trusted Path for Credential Entry
Location: Computer Configuration | Administrative Templates | Windows Components | Credential User Interface
Setting name: Require trusted path for credential entry
Default: Not configured (equivalent to Disabled)
Ex-guidance: Enabled (USGCB “Alpha”; removed for final)
What is “Trusted path for credential entry”?
- GUI credential entry (via CredUI) requires Ctrl+Alt+Del
- Policy enforced by:
  - UAC elevation
  - Remote Desktop client
  - Explorer: Map network drive with different credentials (this last one in Windows 7, but not in Vista)
Is it more secure?
- Prevents some credential prompt spoofing and stealing
  - … if you notice a prompt without Ctrl+Alt+Del
  - … before you enter the creds!
Is it worth it?
- More steps needed
- Your users will hate you, and they will let you know it!
- Also applied to same-user, consent-only elevation (WTF?)
Do Not Process the Legacy Run List
Location: Computer Configuration | Administrative Templates | System | Logon
Setting name: Do not process the legacy run list
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled
The “Run” keys under HKLM
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Command lines executed by Explorer during logon
- Run with the rights of the logged-on user
- Used by legitimate programs and by malware
- Adding, modifying or deleting entries requires admin rights
- Note: there is also a per-user (HKCU) counterpart (for some reason, HKCU is never touched by security guidance)
Benefits?
- On well-managed systems: no benefit
  - Adding/modifying requires admin rights
  - Attacker with admin has tons of other ASEPs
- What is typically there?
HKLM “Run” key settings… (screenshot)
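An added PowerShell inventory, not part of the deck, that answers “What is typically there?” on your own machines: it reads the two HKLM Run keys the policy covers and the HKCU key it ignores, resolves each command line to its executable, reports the Authenticode status of that executable, and shows whether the policy is set. The registry value DisableLocalMachineRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is my own mapping of the Group Policy setting (verify against your ADMX), and the command-line parsing is best effort.

```powershell
# Added example: inventory of the Run ASEPs. Key list mirrors the slide (HKLM, both views)
# plus the HKCU counterpart that guidance ignores. DisableLocalMachineRun is my mapping
# of the "Do not process the legacy run list" policy (assumed; verify against your ADMX).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-CommandExe {
    # Best-effort: a quoted path, else the first token; expand %VARS%; search PATH for bare names.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    $raw = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    $raw = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $raw -PathType Leaf) { return (Resolve-Path -LiteralPath $raw).Path }
    $app = Get-Command -Name $raw -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { $app.Path } else { $raw }
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata (PSPath etc.), not Run values
            $exe = Resolve-CommandExe ([string]$p.Value)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
                   } else { 'FileNotFound' }
            [pscustomobject]@{
                Hive       = $key.Substring(0, 4)
                Key        = $key -replace '^HK..:\\SOFTWARE\\', ''
                Name       = $p.Name
                Signature  = $sig
                Executable = $exe
                Command    = [string]$p.Value
            }
        }
    }
}

function Get-LegacyRunPolicy {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $pol -Name DisableLocalMachineRun -ErrorAction SilentlyContinue).DisableLocalMachineRun
    if ($v -eq 1) { 'Enabled (HKLM Run entries are skipped at logon)' } else { 'Not configured / Disabled' }
}

"Do not process the legacy run list: $(Get-LegacyRunPolicy)"
Get-RunEntries | Sort-Object Hive, Signature, Name |
    Format-Table Hive, Key, Name, Signature, Executable -AutoSize
```

Run it on a USGCB-style build and the HKLM rows are typically vendor agents and Microsoft components (signed, and the things the policy silently stops launching), while the HKCU rows, which any standard user or any malware running as that user can write and which the policy leaves alone, are the ones worth reading. Entries whose Signature is NotSigned or FileNotFound are the starting point for an investigation either way.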
NtfsDisable8dot3NameCreation
Location: Security Settings | Local Policies | Security Options
Setting name: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Default: Disabled (configured per-volume)
(Mis)guidance: Enabled
NtfsDisable8dot3NameCreation
Vulnerability (try to keep a straight face):
“If you allow 8.3 style file names, an attacker only needs eight characters to refer to a file that may be 20 characters long. [...] Attackers could use short file names to access data files and applications with long file names that would normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications.”
Status:
- Removed from USGCB
- Removed from MS guidance for Server 2008 R2 (SSLF)
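An added PowerShell example, not from the deck, showing what NtfsDisable8dot3NameCreation actually governs: the registry value and its meaning, the effective per-volume state as fsutil reports it, and the short name of a constructed long-named file. The registry path, the meanings of values 0 to 3 and the Scripting.FileSystemObject ShortName call come from my own knowledge of the setting rather than from the slides; fsutil 8dot3name exists on Windows 7 / Server 2008 R2 and later and may need an elevated prompt.

```powershell
# Added example: what NtfsDisable8dot3NameCreation controls and how to see its effect.
# Registry path, value meanings, and the FileSystemObject call are assumptions from my own
# knowledge of the setting, not taken from the slides.
function Get-8dot3Policy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $v = (Get-ItemProperty -Path $key -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
    $meaning = switch ($v) {
        0       { 'Short-name creation enabled on all volumes' }
        1       { 'Short-name creation disabled on all volumes (the "misguidance" value)' }
        2       { 'Per-volume (Windows 7 / Server 2008 R2 default)' }
        3       { 'Disabled on all volumes except the system volume' }
        default { "Unrecognised value $v" }
    }
    [pscustomobject]@{ Value = $v; Meaning = $meaning }
}

function Get-8dot3VolumeState {
    # fsutil reports the effective state per volume after merging the registry value
    # with the volume's own flag (needs Windows 7 / Server 2008 R2 or later).
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
        ForEach-Object {
            [pscustomobject]@{
                Volume = $_.Root
                State  = (fsutil 8dot3name query $_.Root.TrimEnd('\')) -join ' '
            }
        }
}

function Get-ShortName {
    # ShortName returns the 8.3 alias, or the long name itself when no alias was generated.
    param([string]$Path)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    $fso.GetFile($Path).ShortName
}

Get-8dot3Policy
Get-8dot3VolumeState | Format-Table -AutoSize

# Constructed sample: a long file name on the current TEMP volume.
$demo = Join-Path $env:TEMP 'A-very-long-file-name-for-the-8dot3-demo.txt'
Set-Content -LiteralPath $demo -Value 'constructed sample'
"Long name:  $(Split-Path $demo -Leaf)"
"Short name: $(Get-ShortName $demo)"   # e.g. A-VERY~1.TXT when creation is on; the long name when off
Remove-Item -LiteralPath $demo
```

Two things the example makes visible. First, the “attacker only needs eight characters” argument collapses once you notice that dir /x, or this ShortName call, hands any user the alias of any file they can already see; short names hide nothing from someone who has file-system access. Second, the setting only affects names generated for files created after it takes effect: existing aliases stay on disk (fsutil 8dot3name strip removes them, and it scans the registry first because applications that stored short paths break when their alias disappears), so flipping the value neither protects old files nor is free of side effects.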
Blog Posts and KB Articles
- Security configuration guidance support (KB 885409): http://support.microsoft.com/kb/885409
- Sticking with Well-Known and Proven Solutions: http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx
- Disabling User Account Control (UAC) on Windows Server: http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx, and just posted to http://support.microsoft.com/kb/2526083
- Problems with FDCC’s XP File Permissions: http://blogs.technet.com/b/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx
- The Case of the Unexplained Installation Failure (and an ill-advised registry hack): http://blogs.technet.com/b/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx
Resources
- Security Compliance Manager (SCM): http://technet.microsoft.com/en-us/library/cc677002.aspx
- Links to SCM webcasts and demos: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
- Aaron’s Local Group Policy management tools: http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
  - Webcast: http://www.msteched.com/2010/Europe/WCL324
Related Content
Breakout Sessions
- SIM305 – Implementing a Security Baseline in Your Environment
- SIM307 – Securing Your Windows Platform
- WSV325 – Security Configurations Simplified with the Microsoft Security Compliance Manager
Hands-On Labs
- WCL384-HOL – Establishing Security Baselines for Windows Internet Explorer
Safety and Security Center: http://www.microsoft.com/security
Security Development Lifecycle: http://www.microsoft.com/sdl
Security Intelligence Report: http://www.microsoft.com/sir
End to End Trust: http://www.microsoft.com/endtoendtrust
Trustworthy Computing
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.