Raphael (Raf) Cox, Senior Security Consultant, CISSP, Microsoft Consulting Services - BeLux
Objectives
Understand what AppCompat technologies/solutions are available for Windows 7 and how they work
Understand what hardening tools are available
Understand the impact of increasing security on application compatibility
Intro
App-compat and security: it's a challenge
Examples:
"Don't apply the security baseline: it will break everything"
"We just need to disable a couple of settings to get this app working"
"It's fixed: the app runs when the user is an admin"
Rationalization Planning
A Simple Three-Phase Approach
Inventory
Rationalize
What do we have?
What do we need?
Decisions made now drive the end-to-end project, from budgeting through supporting decisions
Deployment
Customer Example
List of commercial off-the-shelf (COTS) software analyzed
Reviewing the list, there appeared to be opportunity to reduce:
Multiple versions of the same application
Driver support applications
Redundant applications
Significant cost savings: over 80% of the applications discovered were removed with a first-pass review
Security: fewer apps, less patching required, fewer vulnerabilities
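The inventory step above is where the "multiple versions of the same application" finding comes from. The following script is an added example (not from the slide deck or from any Microsoft tool) that builds a software inventory from the Uninstall registry keys and groups entries that are the same product in different versions. It assumes Windows with PowerShell 2.0 or later; the name-normalisation rule in Get-ProductFamily is this example's own heuristic.

```powershell
# Added example, not from the slide deck: inventory installed software from the Uninstall
# registry keys and flag products that are installed in more than one version.
# Assumes Windows, PowerShell 2.0+; the grouping heuristic is this example's own.

function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit apps on x64
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden system components
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.DisplayName.Trim()
                Version   = [string]$_.DisplayVersion
                Publisher = [string]$_.Publisher
                Key       = $_.PSChildName
            }
        }
}

function Get-ProductFamily {
    # Heuristic: strip version numbers and architecture tags so that
    # "Foo 9.1" and "Foo 10.2 (x64)" land in the same group.
    param([string]$Name)
    $n = $Name -replace '\(x(86|64)\)|\b(x86|x64|32-bit|64-bit)\b', ''
    $n = $n -replace '\bv?\d+(\.\d+)*\b', ''
    return ($n -replace '\s+', ' ').Trim().ToLowerInvariant()
}

function Find-DuplicateVersions {
    param([object[]]$Inventory = (Get-InstalledSoftware))
    $Inventory |
        Group-Object { Get-ProductFamily $_.Name } |
        Where-Object { @($_.Group | Select-Object -ExpandProperty Version -Unique).Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Family   = $_.Name
                Count    = $_.Count
                Versions = ($_.Group | Sort-Object Version |
                            ForEach-Object { "$($_.Name) [$($_.Version)]" }) -join '; '
            }
        }
}

# Usage: list the product families with more than one installed version, biggest first.
Find-DuplicateVersions | Sort-Object Count -Descending |
    Format-Table Count, Family, Versions -AutoSize -Wrap
```

Treat the output as a review list, not a removal list: some families are side-by-side by design (the Visual C++ runtimes are the obvious case, and the heuristic will also merge year-versioned products such as Office 2007 and 2010). The value is the same as in the customer example: every version you can retire is one less thing to patch.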
Some apps cannot be properly fixed, for various reasons: secure work-arounds have to be found.
User as admin
On XP: perfect for AppCompat, a security nightmare!
[Slider graphic: Application Compatibility vs. Security, Windows XP vs. Windows 7]
On Windows 7:
Some legacy apps still break:
Default security is more strict
Memory access management is more strict
OS version changed
Default folders changed
Some APIs changed
Windows 7 XP-Mode
Why not have both? XP Mode!
VM with Windows XP SP3
Seamless apps on the Win7 desktop
USB redirection supported
Security???
Twice the number of systems to maintain
High risk that the virtual XP is not up to date with patching, AV signatures, etc.
IE6 to be used in the virtual XP? Limit its use!
Risk: users can now install their own VMs (without
Security of MED-V
The MED-V workspace wakes the VM up regularly to install updates
IE (by default) is configured to prevent browsing to other sites
IE Internet security zone: highest level
Still relies on Virtual PC: users can create new VMs!
LUA enforced
LUA bugs are often the #1 cause of app-compat problems. Some LUA bugs can be fixed using shims.
The solutions?
Shims offer mitigations for selected issues. Security? Shims execute in the user context: no extra privileges can be granted through a shim.
Some fixes (e.g. the OpenDirectoryACL fix) change the ACLs on a directory during installation (elevated context).
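Whether a directory ACL was opened up by an OpenDirectoryACL-style fix, by an installer, or by an admin who "just made it work", the result looks the same on disk: a low-privileged principal with write access under Program Files or the Windows directory. The script below is an added example (not from the slide deck or the Application Compatibility Toolkit) that finds such directories. It assumes Windows 7 with PowerShell 2.0 or later; the list of low-privileged principals and the write-rights mask are this example's own choices.

```powershell
# Added example, not from the slide deck: find directories under the protected program
# locations where a low-privileged principal has been granted write access, the usual trace
# of an "it works now" LUA work-around or of an OpenDirectoryACL-style fix.
# Assumptions: Windows 7, PowerShell 2.0+; principal list and rights mask are this example's own.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a standard user plant or replace files that admins or services run.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry generic rights instead; include GENERIC_ALL and GENERIC_WRITE.
$WriteMask = ([int]$WriteRights) -bor 0x10000000 -bor 0x40000000

function Test-LowPrivWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    return ($Ace.AccessControlType -eq 'Allow') -and
           ($LowPrivPrincipals -contains $Ace.IdentityReference.Value) -and
           ((([int]$Ace.FileSystemRights) -band $WriteMask) -ne 0)
}

function Find-UserWritableDirs {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $dir = $_.FullName
                try { $acl = Get-Acl -Path $dir -ErrorAction Stop } catch { return }   # no access: skip
                foreach ($ace in $acl.Access) {
                    if (Test-LowPrivWrite $ace) {
                        New-Object PSObject -Property @{
                            Directory = $dir
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights.ToString()
                            Inherited = $ace.IsInherited   # False = explicitly added (installer, shim, admin)
                        }
                    }
                }
            }
    }
}

# Usage: explicitly added ACEs first, they are the ones somebody put there on purpose.
Find-UserWritableDirs | Sort-Object Inherited, Directory |
    Format-Table Inherited, Directory, Principal, Rights -AutoSize -Wrap
```

A few system directories (for example %SystemRoot%\Temp) are writable by design and will show up; the interesting hits are application directories, above all ones that also contain the executables. If an application genuinely needs a writable location, grant it on a data subfolder only, never on the folder the binaries live in, so that a standard user cannot replace code that administrators or services execute.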
SUA Architecture
[Diagram: the application runs under Application Verifier with the LuaPriv checker on Windows; the verifier writes XML logs, which SUA reads to report the LUA issues.]
demo
4/23/12
Microsoft Confidential
Security hardening (the soft way)
Relaxed security hardening on W7 = enforcing the secure defaults: low risk of AppCompat issues
Security Compliance Manager (SCM):
Automatic security baseline updates
Centralized baseline library: a unified experience from security baseline deployment to compliance check
Baseline customization, exporting & management
Monitor and report security baseline compliance using System Center DCM
[Diagram: SCM workflow. Import the MS baselines; create (customize) a baseline; apply it via Active Directory; check and report compliance with a SCAP scanner.]
demo
Security hardening (the strict way)
Privileges: might break apps that use local services, like SQL Express
Network security: be aware of 3rd-party SMB servers (e.g. Samba) or LDAP clients (e.g. VPN devices)
AppLocker is a great feature to block drive-by downloads and other malware
Security hardening
Top 7 settings that have an impact on AppCompat
Log on as a service (set to "No one" in the W7 SSLF settings!)
Do not process the legacy run list (enabled in SSLF!)
Enable the computer to stop generating 8.3-style filenames (enabled in SSLF)
Use FIPS-compliant algorithms for encryption, hashing & signing (enabled in SSLF)
Enable admin shares (set to Not Defined in SSLF)
DCOM permissions (set to Not Defined in SSLF)
Restrict CD-ROM access to the locally logged-on user only
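Before blaming an application, it helps to know which of these seven settings is actually in effect on the machine. The script below is an added example (not from the slide deck or from SCM) that reads the effective state of each setting on a Windows 7 client and flags the AppCompat-hostile value. It assumes an elevated PowerShell 2.0+ session (secedit needs admin); the registry locations are the documented ones for these policies, and the "Impact" text is this example's own summary.

```powershell
# Added example, not from the slide deck: read the effective state of the seven settings listed
# above on a Windows 7 client and flag the ones set to the AppCompat-hostile value.
# Assumptions: elevated PowerShell 2.0+ (secedit needs admin); registry locations are the
# documented ones for these policies; the Impact text is this example's own summary.

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-UserRight([string]$Privilege) {
    # Export the user-rights area with secedit and return the principals holding the privilege.
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [Guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match "^$Privilege\s*=" }
        if (-not $line) { return @() }                     # not listed => granted to no one
        $sids = ($line -split '=', 2)[1].Trim()
        if ($sids -eq '') { return @() }
        return @($sids -split ',' | ForEach-Object { $_.Trim() })
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function New-Check([string]$Setting, $Value, [bool]$Risky, [string]$Impact) {
    if ($Value -eq $null) { $Value = 'Not defined' }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Risky = $Risky; Impact = $Impact }
}

function Test-HardeningAppCompat {
    $svc = Get-UserRight 'SeServiceLogonRight'
    New-Check 'Log on as a service' $(if ($svc.Count) { $svc -join ',' } else { 'No one' }) ($svc.Count -eq 0) `
        'Services running under their own account (e.g. SQL Express) cannot start'

    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'DisableLocalMachineRun'
    New-Check 'Do not process the legacy run list' $v ($v -eq 1) `
        'HKLM Run entries (agents, helper processes) never start'

    # 0 = create 8.3 names, 1 = never, 2 = per volume (Win7 default), 3 = never except system volume
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
    New-Check 'Stop generating 8.3-style filenames' $v ($v -eq 1) `
        'Installers and apps that rely on PROGRA~1-style short paths fail'

    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    New-Check 'Use FIPS-compliant algorithms' $v ($v -eq 1) `
        'Apps using non-validated crypto implementations (e.g. .NET MD5/RC4 classes) throw'

    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareWks'
    New-Check 'Enable admin shares' $v ($v -eq 0) `
        'Remote management and deployment tools that use ADMIN$ / C$ break'

    # A security descriptor here means the default DCOM launch limits were overridden (policy or dcomcnfg).
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'MachineLaunchRestriction'
    New-Check 'DCOM machine launch restrictions' $(if ($v) { 'Custom SD set' } else { $null }) ($v -ne $null) `
        'Apps that activate DCOM servers as a non-admin may fail'

    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AllocateCDRoms'
    New-Check 'Restrict CD-ROM access to locally logged-on user' $v ($v -eq '1') `
        'Services and remote users lose access to the CD-ROM drive'
}

# Usage: show all seven, with Risky = True marking the AppCompat-hostile state.
Test-HardeningAppCompat | Select-Object Setting, Value, Risky, Impact | Format-Table -AutoSize -Wrap
```

The script reads the state the machine is actually running with, which is what the application sees; if a GPO was just linked, run gpupdate first or the report will lag the policy. Run it on a reference workstation before and after applying the SSLF baseline and you get the exact list of settings to discuss with the application owner instead of the "it breaks everything" argument.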
Advanced hardening
Use advanced tools to mitigate exploit techniques: EMET = Enhanced Mitigation Experience Toolkit
Adds an additional protection layer against 0-day exploits
Relies on built-in security features: DEP, ASLR, SEHOP
Extends these features, e.g. by making them mandatory (e.g. Mandatory ASLR)
Adds other techniques such as EAF (Export Address Table Access Filtering)
Blocks typical behavior of shellcode (exploit code)
Objective: make it impossible or very costly to exploit vulnerabilities
Approach: break or reduce the reliability of exploitation
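The reason Mandatory ASLR and DEP enforcement exist is that many applications were never linked with the opt-in flags, so the built-in protections skip them. The script below is an added example (not from the slide deck or from EMET) that reads the DllCharacteristics field of the PE optional header and lists the images on a machine that lack the ASLR or DEP opt-in, i.e. exactly the ones EMET would have to force. It assumes Windows with PowerShell 2.0 or later; the notepad.exe path in the usage line is only an illustration.

```powershell
# Added example, not from the slide deck: report whether EXEs/DLLs opt in to DEP and ASLR by
# reading the DllCharacteristics field of the PE optional header. Images without the opt-in
# flags are the ones EMET's Mandatory ASLR / DEP enforcement has to cover.
# Assumptions: Windows, PowerShell 2.0+; the sample path (notepad.exe) is only an illustration.

$IMAGE_FILE_RELOCS_STRIPPED            = 0x0001   # COFF Characteristics: no .reloc, cannot be rebased
$IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in (/DYNAMICBASE)
$IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100   # DEP opt-in (/NXCOMPAT)
$IMAGE_DLLCHARACTERISTICS_NO_SEH       = 0x0400   # image declares it uses no SEH handlers

function Get-PEMitigationInfo {
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path : missing MZ header, not a PE file"
    }
    $peOffset = [int][BitConverter]::ToUInt32($bytes, 0x3C)          # e_lfanew
    if ($peOffset -lt 0 -or ($peOffset + 24 + 72) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {  # "PE\0\0"
        throw "$Path : invalid PE signature"
    }
    $coffChars = [BitConverter]::ToUInt16($bytes, $peOffset + 22)     # COFF Characteristics
    $opt       = $peOffset + 24                                       # start of optional header
    $magic     = [BitConverter]::ToUInt16($bytes, $opt)               # 0x10B = PE32, 0x20B = PE32+
    $dllChars  = [BitConverter]::ToUInt16($bytes, $opt + 70)          # same offset for PE32 and PE32+

    New-Object PSObject -Property @{
        Path           = $Path
        Arch           = $(if ($magic -eq 0x20B) { 'x64' } elseif ($magic -eq 0x10B) { 'x86' } else { 'unknown' })
        DEP            = [bool]($dllChars -band $IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        ASLR           = [bool]($dllChars -band $IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
        NoSEH          = [bool]($dllChars -band $IMAGE_DLLCHARACTERISTICS_NO_SEH)
        RelocsStripped = [bool]($coffChars -band $IMAGE_FILE_RELOCS_STRIPPED)
    }
}

function Find-EmetCandidates {
    # Walk a directory and list images that lack the ASLR or DEP opt-in.
    param([Parameter(Mandatory=$true)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { Get-PEMitigationInfo -Path $_.FullName } catch { }   # skip non-PE / unreadable files
        } |
        Where-Object { -not ($_.ASLR -and $_.DEP) } |
        Select-Object Path, Arch, DEP, ASLR, RelocsStripped
}

# Usage: one system binary, then a whole application tree.
Get-PEMitigationInfo -Path (Join-Path $env:SystemRoot 'System32\notepad.exe') |
    Format-List Path, Arch, DEP, ASLR, NoSEH, RelocsStripped
Find-EmetCandidates -Root $env:ProgramFiles | Format-Table -AutoSize
```

Two things to read from the output. An image with ASLR = False but relocation data present is what Mandatory ASLR is for: the loader can still rebase it. An image with RelocsStripped = True cannot be rebased by anything, so for that one the only options are replacing it or accepting a fixed load address. Either way, enabling EMET mitigations per application and testing is the app-compat work, since a mitigation that breaks an application is just a new kind of lockdown complaint.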
demo
EMET Demo
References
Unintended Consequences of Security Lockdowns, Aaron Margosis, TechEd 2011
The AppCompat Guy, Chris Jackson, http://blogs.msdn.com/b/cjacks/
Security Compliance Manager: http://technet.microsoft.com/en-us/solutionaccelerators/cc83
Application Compatibility Toolkit (ACT): http://www.microsoft.com/download/en/details.aspx?displayla
EMET v2.1: http://www.microsoft.com/download/en/details.aspx?id=1677
2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.