
Application Compatibility versus Security? Application Compatibility AND Security!

Raphael (Raf) Cox Senior Security Consultant CISSP Microsoft Consulting Services - BeLux


Objectives
- Understand what AppCompat technologies/solutions are available for Windows 7 and how they work
- Understand what hardening tools are available
- Understand the impact of increasing security on Application Compatibility

Intro
App-compat and Security: it's a challenge
Examples:
- "Don't apply security baseline: it will break everything"
- "We just need to disable a couple of settings to get this app working"
- "It's fixed: the app runs when the user is an admin"

- Increasing security baseline -> need to test all apps
- Migration to new OS -> need to test all apps

So, why not increase security at the same time as rolling out the new OS?

The Application Compatibility process



Rationalization Planning
A Simple Three-Phase Approach

- Inventory: What do we have?
- Rationalize: What do we need?
- Test and Mitigate: How do we get there?

Decisions Made Now Drive the End-to-End Project from Budgeting Through Deployment

Supporting Decisions Substantially Reduced with a Strong Up-Front Triage Process

Customer Example

Discovered Applications: over 20,000 applications
- List of commercial off the shelf (COTS) software analyzed
- Reviewing the list, there appeared to be opportunity to reduce:
  - Multiple versions of the same application
  - Driver support applications
  - Redundant applications

Categorize, Prioritize, Rationalize, Standardize


Application inventory with assigned priority

Investigated ~1,000 applications
- One hour time limit
- Removed applications based on business knowledge

- Significant cost savings: over 80% of the applications discovered removed with a first pass review
- Security: fewer apps -> less patching required, fewer vulnerabilities

Fixing the bad apps


3rd party applications:
- Get the latest version from the vendors
- Get official support statement from the vendors
- Check alternatives

In house developed applications:
- Have them fixed by the development team
- Designed for Windows 7 Logo guides (http://msdn.microsoft.com/en-us/windows/dd203105.aspx)

Some apps cannot be properly fixed for various reasons: have to find secure work-arounds.

AppCompat versus Security

User as admin
On XP:
- Perfect for AppCompat, security nightmare!

[Figure: Application Compatibility vs. Security]

Windows XP : Windows 7

On Windows 7:
- Some legacy apps still break
  - Default security is more strict
  - Memory access management is more strict
  - OS version changed
  - Default folders changed
  - Some APIs changed

Windows 7 XP-Mode
Why not have both? XP-Mode!
- VM with Windows XP SP3
- Seamless apps on Win7 desktop
- USB redirection supported

Security???
- Twice the number of systems to maintain
- High risk that virtual XP is not up-to-date with patching, AV signatures, etc.
- IE6 to be used in Virtual XP? Limit the use!
- Risk: Users can now install their own VMs (without

MED-V: the better VirtualXP?


Manageability? Use MED-V!
- MED-V is part of MDOP
- Extra management capabilities

Security of MED-V
- MED-V workspace will wake up the VM regularly to install updates
- IE (by default) is configured to prevent browsing to other sites
- IE Internet Security Zone: highest level
- Still relies on Virtual PC: user can create new VMs!

LUA enforced

LUA = Least-Privilege User Accounts (user is no longer admin on the workstation)
- User cannot install programs (and also no malware), change system configuration, etc.
- On XP, user can e.g. not change his time-zone (solved in W7)

[Figure: Application Compatibility vs. Security]

Breaks several legacy apps on XP
- Apps want to write data or temporary files to e.g. c:\program files or HKLM registry
- Auto-updaters are a security nightmare

The problem: LUA bugs


LUA bug is:
- Application or feature that works with administrator (admin) privileges, and
- Fails as normal (LUA) user, and
- No technical or business need for admin privileges

LUA bugs are often the #1 cause of app compat problems.
Some LUA bugs can be fixed using SHIMS

The Solutions?

Standard User Analyzer

Standard User Analyzer


- Based on AppVerifier LUAPriv
- Predicts whether API calls fail for standard user
  - Predictive (elevated)
  - Diagnostic (non-elevated)
- Offers mitigations for selected issues using SHIMS
- Security? SHIMS executed in the user-context! (no extra privileges can be granted through SHIMS)
  - Some fixes (e.g. OpenDirectoryACL fix) can change ACLs on a directory during installation (elevated context)
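
A check for the side effect noted above: a fix or workaround that opens a directory ACL can leave an install folder writable by standard users. This is an added example, not part of the original presentation; the function name and the set of well-known SIDs treated as low-privilege are assumptions made here.

```powershell
# Added example (not from the original deck). Requires PowerShell 3.0 or later.
# Lists directories under Program Files where low-privilege principals may
# create or modify content, e.g. after an ACL-opening fix or a manual workaround.

# Well-known SIDs that cover ordinary (non-admin) users. Assumed selection.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# WriteData (0x2) | AppendData (0x4) | GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000)
$WriteMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-UserWritableDirectory {
    param(
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($r in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $dirs = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            try   { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop }
            catch { continue }   # ACL not readable in this context: skip the folder
            # Explicit and inherited rules, with identities returned as SIDs
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if (-not $LowPrivSids.ContainsKey($sid)) { continue }
                if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $d.FullName
                    Identity  = $LowPrivSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-UserWritableDirectory | Sort-Object Path | Format-Table -AutoSize -Wrap
```

With default ACLs the list is empty; every row is a folder where a standard user can plant or replace files that a later elevated process may load.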

SUA API Coverage


- File system access
- Registry access
- INI
- WriteProfile
- Token checking
- Privilege
- Namespace
- Other securable objects
- Process creation

SUA Architecture
[Figure: SUA architecture. Labels: Application, LuaPriv, AppVerifier, Logs, XML, Windows, SUA]

demo

4/23/12

Microsoft Confidential

Security hardening (the soft way)

[Figure: Application Compatibility vs. Security]

But that will break everything
- Changing security hardening requires extra testing
- Difficult to change in a production environment

Build security in the system from day 1
- Create hardening policies before deploying a new OS
- Ensure that AppCompat testing includes hardening policies

Relaxed security hardening on W7 = enforcing secure defaults -> low risk on AppCompat issues

Security Compliance Manager

- Automatic security baseline updates
- Centralized baseline library: unified experience from security baseline deployment to compliance check
- Baseline customization, exporting & management
- Monitor and report security baseline compliance using System Center DCM

Security Compliance Manager


[Figure: Security Compliance Manager workflow. Labels: Import, GPO Backup, MS Baselines, Best Practices Settings, Create, DCM Pack, SCAP, System Center Config Manager, SCAP Scanner, Check, Report, Customize, MS Security Compliance Manager, Security Baselines, Active Directory, Apply]

demo

Security Compliance Manager



Security hardening (the strict way)

[Figure: Application Compatibility vs. Security]

- Use SCM!
- Start strict, relax later
- Attention points:
  - Privileges: might break apps that use local services, like SQL express
  - Network security: be aware of 3rd party SMB servers (e.g. SAMBA) or LDAP clients (e.g. VPN devices)
- AppLocker is a great functionality to block drive-by downloads and other malware

Security hardening
Top 7 settings that have impact on AppCompat
- Log on as a service (set to no one in the W7 SSLF settings!)
- Do not process legacy run key (enabled in SSLF!)
- Enable the computer to stop generating 8.3 style filenames (enabled in SSLF)
- Use FIPS compliant algorithms for encryption, hashing & signing (enabled in SSLF)
- Enable Admin Shares (set to not defined in SSLF)
- DCOM Permissions (set to not defined in SSLF)
- CD-ROM Access to locally logged-on user only

Advanced hardening

Use advanced tools to mitigate exploit techniques

EMET = Enhanced Mitigation Experience Toolkit
- Adds an additional protection layer against 0-day exploits
- Relies on built-in security features: DEP, ASLR, SEHOP
- Extends these features, e.g. by making them mandatory (e.g. Mandatory ASLR)
- Adds other techniques such as EAF (Extended Address Table Access Filtering)
  - Blocks typical behavior of ShellCode (exploit code)

[Figure: Application Compatibility vs. Security]

What are exploit mitigations?


[Figure: exploit mitigation diagram. Labels: Attacker, Software, Update Software, Exploit vulnerability, Exploit Mitigation, Arbitrary code execution]

- Objective: Make it impossible or very costly to exploit vulnerabilities
- Approach: Break or reduce the reliability of exploitation

demo

EMET Demo

References

- Unintended Consequences of Security Lockdowns, Aaron Margosis, TechEd 2011
- The AppCompat Guy, http://blogs.msdn.com/b/cjacks/, Chris Jackson
- Security Compliance Manager: http://technet.microsoft.com/en-us/solutionaccelerators/cc83
- Application Compatibility Toolkit (ACT): http://www.microsoft.com/download/en/details.aspx?displayla
- EMET V2.1: http://www.microsoft.com/download/en/details.aspx?id=1677

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
