Windows 7 Resource Kit, Part 3 (docx)

Windows Vista and Windows 7 protect system settings from corruption or inadvertent changes that can cause the system to run incorrectly or not run at all. Windows Resource Protection (WRP), the follow-up to the Windows File Protection (WFP) feature found in previous Windows platforms, sets tight ACLs on critical system settings, files, and folders to protect them from changes by any source (including administrators) except a trusted installer. In practice the trusted installer is the Windows Modules Installer service, which runs as NT SERVICE\TrustedInstaller and owns the protected objects; servicing operations such as Windows Update run through it. This prevents users from accidentally changing critical system settings that can render systems inoperable. Windows Vista and Windows 7 also prevent poorly written drivers from corrupting the registry. This protection lets the memory-management feature achieve protection the vast majority of the time, with low overhead. Protected resources include:
- Executable files, libraries, and other critical files installed by Windows
- Critical folders
- Essential registry keys installed by Windows
WRP does not allow you to modify protected resources, even if you provide administrative credentials. (An administrator who takes ownership of a protected file can still change it, so WRP is a guard against accidents rather than a security boundary; sfc /scannow restores protected files from the component store.)

Kernel Patch Protection

64-bit versions of Windows Vista and Windows 7, like the 64-bit versions of Windows XP and Windows Server 2003, support Kernel Patch Protection technology (often called PatchGuard). Kernel Patch Protection prevents unauthorized programs from patching the Windows kernel, giving you greater control over core aspects of the system that can affect overall performance, security, and reliability. Kernel Patch Protection periodically checks critical portions of kernel memory for changes. If a change was made in an unsupported way (for example, a driver patched a kernel structure directly instead of calling the documented operating system functions), Kernel Patch Protection raises a Stop error (bug check 0x109, CRITICAL_STRUCTURE_CORRUPTION) to halt the operating system. This prevents kernel-mode drivers from extending or replacing other kernel services and prevents third-party software from updating any part of the kernel. Specifically, to prevent Kernel Patch Protection from generating a Stop error, 64-bit drivers must avoid the following
practices:
- Modifying system service tables
- Modifying the interrupt descriptor table (IDT)
- Modifying the global descriptor table (GDT)
- Using kernel stacks that are not allocated by the kernel
- Updating any part of the kernel on AMD64-based systems
In practice, these factors are primarily significant to driver developers. No 64-bit driver should ever be released that can cause problems with Kernel Patch Protection, so administrators should never need to manage or troubleshoot Kernel Patch Protection. For detailed information, read "An Introduction to Kernel Patch Protection" at http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx

54  Chapter 2  Security in Windows 7

Note: Kernel Patch Protection, hardware-based Data Execution Prevention (DEP), and required driver signing are the primary reasons that 64-bit systems can be more secure than 32-bit systems.

Required Driver Signing

Drivers typically run as part of the kernel, which gives them almost unrestricted access to system resources. As a result, drivers that have bugs or are poorly written, or malware drivers specifically written to abuse these privileges, can significantly affect a computer's reliability and security. To help reduce the impact of drivers, Microsoft introduced driver signing beginning with Microsoft Windows 2000. Signed drivers carry a digital signature that identifies their publisher and, for drivers that passed Windows Hardware Quality Labs (WHQL) testing, indicates that Microsoft has tested them and that they are likely to be free from major weaknesses that might affect system reliability. Administrators can configure Windows 2000 and later operating systems to block all unsigned drivers, which can dramatically decrease the risk of driver-related problems. However, the large number of unsigned 32-bit drivers has made blocking unsigned drivers impractical for most organizations. As a result, most existing Windows computers allow unsigned drivers to be installed. With 64-bit versions of Windows Vista and
Windows 7, all kernel-mode drivers must be digitally signed. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot enter the kernel space and will fail to load. The signature must chain to a certificate Windows trusts for kernel-mode code (a WHQL signature, or a publisher certificate linked to Microsoft's kernel-mode cross-certificate), and it may be embedded in the driver file or carried in a signed catalog (.cat) file. The check can be relaxed only for development: test-signing mode (bcdedit /set testsigning on, which watermarks the desktop) accepts test certificates, and the F8 boot option Disable Driver Signature Enforcement turns the check off for a single boot. Although a signed driver is not a guarantee of security, it does help identify and prevent many malicious attacks while allowing Microsoft to help developers improve the overall quality of drivers and reduce the number of driver-related crashes. Mandatory driver signing also helps improve the reliability of Windows Vista and Windows 7, because many system crashes result from bugs in kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue. System administrators also benefit from digitally signed and identified drivers because they get additional visibility into software inventory and install state on client computers. From a compatibility perspective, existing WHQL-certified x64 kernel drivers are considered validly signed in Windows Vista and Windows 7.

Windows Service Hardening

Historically, many Windows network compromises (especially worms) resulted from attackers exploiting vulnerabilities in Windows services. Because many Windows services listen for incoming connections and often have system-level privileges, a vulnerability can allow an attacker to perform administrative tasks on a remote computer.

Security Features Previously Introduced in Windows Vista  Chapter 2, page 55

Windows Service Hardening, a feature of Windows Vista and Windows 7, restricts all Windows services from performing abnormal activities in the file system, registry, network, or other resources that can be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC)
service is restricted to performing network communications on defined ports only, eliminating the possibility of abusing it to, for instance, replace system files or modify the registry (which is what the Blaster worm did). Essentially, Windows Service Hardening enforces the security concept of least privilege on services, granting them only enough permission to perform their required tasks.

Note: Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense-in-depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised; that is a task Windows Firewall and Automatic Updates support. Instead, Windows Service Hardening limits how much damage an attacker can do in the event the attacker is able to identify and exploit a vulnerable service.

Windows Service Hardening reduces the damage potential of a compromised service by:
- Introducing a per-service security identifier (SID) to uniquely identify services, which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers that use ACLs. Services can now apply explicit ACLs to resources that are private to the service, which prevents other services, as well as the user, from accessing the resource. A service SID has the form S-1-5-80-..., is derived from the service name, and appears in ACL editors and tools such as icacls as NT SERVICE\<service name>; sc.exe showsid <service name> displays it.
- Moving services from LocalSystem to a lesser-privileged account, such as LocalService or NetworkService, to reduce the privilege level of the service
- Stripping unnecessary Windows privileges on a per-service basis, for example the ability to debug other processes (SeDebugPrivilege)
- Applying a write-restricted token to services that access a limited set of files and other resources, so that the service can write only to objects whose ACL explicitly grants the service SID and cannot update other aspects of the system
- Assigning a network firewall policy to services to prevent network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID and cannot be overridden or relaxed by user- or
administrator-defined exceptions or rules. A specific goal of Windows Service Hardening is to avoid introducing management complexity for users and system administrators. Every service included in Windows Vista and Windows 7 has been through a rigorous process to define its Windows Service Hardening profile, which is applied automatically during Windows setup and requires no ongoing administration, maintenance, or interaction from the end user. For these reasons, there is no administrative interface for managing Windows Service Hardening. For more information about Windows Service Hardening, see Chapter 26.

Note: Third-party software developers can also take advantage of the Windows Service Hardening security benefits by providing profiles for custom services.

Network Access Protection Client

Most networks have perimeter firewalls to help protect the internal network from worms, viruses, and other attackers. However, attackers can penetrate your network through remote access connections (such as a VPN) or by infecting a mobile PC and then spreading to other internal computers after the mobile PC connects to your LAN. Windows Vista and Windows 7, when connecting to a Windows Server 2008 infrastructure, support Network Access Protection (NAP) to reduce the risk of attackers entering through remote access and LAN connections, using the built-in NAP client software. If a client computer lacks current security updates or antivirus signatures or otherwise fails to meet your requirements for a healthy computer, NAP can block the computer from reaching your internal network. However, if a computer fails to meet the requirements to join your network, the user doesn't have to remain frustrated. Client computers can be directed to an isolated quarantine (remediation) network to download the updates, antivirus signatures, or configuration settings required to comply with
your health requirements policy. Within minutes, a potentially vulnerable computer can be protected and once again allowed to connect to your network. NAP is an extensible platform that provides an infrastructure and an application programming interface (API) for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP so that IT administrators can choose the security solutions that meet their unique needs. NAP helps to ensure that every machine on the network makes full use of those custom solutions. Microsoft also shipped a NAP client with Windows XP SP3. For more information about NAP, see http://www.microsoft.com/nap/

Web Services for Management

Web Services for Management (WS-Management) makes Windows Vista and Windows 7 easier to manage remotely. An industry-standard Web services protocol for protected remote management of hardware and software, WS-Management, along with the proper software tools, allows administrators to run scripts and perform other management tasks remotely. In Windows Vista and Windows 7, communications can be both encrypted and authenticated, limiting security risks. The Windows implementation is the Windows Remote Management (WinRM) service, configured with winrm.cmd; on Windows 7 it listens on TCP 5985 (HTTP) and 5986 (HTTPS), and Windows PowerShell remoting runs over it. Microsoft management tools, such as System Center Configuration Manager 2007, use WS-Management to provide safe and secure management of both hardware and software.

Crypto Next Generation Services

Cryptography is a critical feature of Windows authentication and authorization services, which use cryptography for encryption, hashing, and digital signatures. Windows Vista and Windows 7 deliver Cryptography Next Generation (CNG) services, which are requested by many governments and organizations. CNG replaces the legacy CryptoAPI with a pluggable provider model and adds the Suite B algorithms (AES, SHA-256/384/512, ECDSA, and ECDH). CNG allows new algorithms to be added to Windows for use in Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec. Windows Vista and Windows 7 also include a new security processor to enable
trust decisions for services, such as rights management. For organizations that are required to use specific cryptography algorithms and approved libraries, CNG is an absolute requirement.

Data Execution Prevention

One of the most commonly used techniques for exploiting vulnerabilities in software is the buffer overflow attack. A buffer overflow occurs when an application attempts to store too much data in a buffer, and memory not allocated to the buffer is overwritten. An attacker might be able to intentionally induce a buffer overflow by entering more data than the application expects. A particularly crafty attacker can even supply data that causes the application to run the attacker's malicious code with the application's privileges. One well-known buffer overflow exploit is the CodeRed worm, which exploited a vulnerability in an Index Server Internet Server Application Programming Interface (ISAPI) extension shipped as part of an earlier version of Microsoft Internet Information Services (IIS) to run malicious software. The impact of the CodeRed worm was tremendous, and it could have been prevented by Data Execution Prevention (DEP). DEP marks sections of memory as containing either data or application code. The operating system will not run code contained in memory marked for data. User input, and data received across a network, should always be stored as data and is therefore not eligible to run as an application. The 32-bit versions of Windows Vista and Windows 7 include a software implementation of DEP (validation of structured exception handler addresses, SafeSEH) and also use the processor's no-execute (NX/XD) page bit when the processor supports it and PAE is enabled. The 64-bit versions of Windows Vista and Windows 7 always use the 64-bit processor's built-in no-execute support to enforce this security at the hardware layer, where it is very difficult for an attacker to circumvent it.

Note: DEP provides an important layer of security for protection from malicious software. However, it must be used alongside other technologies, such as Windows Defender, to
provide sufficient protection to meet business requirements.

As Figure 2-6 shows, DEP is enabled by default in both 32- and 64-bit versions of Windows Vista and Windows 7. By default, DEP protects only essential Windows programs and services (the OptIn policy) to provide optimal compatibility. For additional security, you can protect all programs and services (the OptOut policy, which still lets you exempt individual programs).

Figure 2-6  You can enable or disable DEP from the Performance Options dialog box or from Group Policy settings.

Address Space Layout Randomization

Address Space Layout Randomization (ASLR) is another defense capability in Windows Vista and Windows 7 that makes it harder for malicious code to exploit a system function. Whenever a Windows Vista or Windows 7 computer is rebooted, ASLR randomly assigns executable images (.dll and .exe files) included as part of the operating system to one of multiple possible locations in memory. This makes it harder for exploit code to locate, and therefore take advantage of, functionality inside the executables. Images opt in at link time (the /DYNAMICBASE linker option sets the DYNAMIC_BASE flag in the PE header); an image without the flag loads at its preferred base address, so a single unrandomized module in a process gives an attacker stable addresses to work with. Windows Vista and Windows 7 also introduce improvements in heap buffer overrun detection that are even more rigorous than those introduced in Windows XP SP2. When signs of heap buffer tampering are detected, the operating system can immediately terminate the affected program, limiting damage that might result from the tampering. This protection technology is enabled for operating system features, including built-in system services, and can also be leveraged by Independent Software Vendors (ISVs) through a single API call (HeapSetInformation with HeapEnableTerminationOnCorruption).

New Logon Architecture

Logging on to Windows provides access to local resources (including EFS-encrypted files) and, in AD DS environments, protected network resources. Many organizations require more than a user name and password to
authenticate users. For example, they might require multifactor authentication using both a password and biometric identification, or a one-time password token. In Windows XP and earlier versions of Windows, implementing custom authentication methods required developers to completely rewrite the Graphical Identification and Authentication (GINA) DLL. Often, the effort required did not justify the benefits provided by strong authentication, and the project was abandoned. Additionally, Windows XP supported only a single GINA. With Windows Vista and Windows 7, developers can provide custom authentication methods by creating a new credential provider. This requires significantly less development effort, allowing more organizations to offer custom authentication methods. The new architecture also enables credential providers to be event driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt can also be used by applications that use the new credential user interface API. Additionally, the Windows logon user interface can use multiple credential providers simultaneously, providing greater flexibility for environments that might have different authentication requirements for different users.

Rights Management Services

Windows Rights Management Services (RMS) is an information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use both inside and outside your private network. RMS provides persistent usage policies (also known as usage rights and conditions) that remain with a file no matter where it goes. RMS persistently protects any binary format of data, so the usage rights remain with the information, even in transport, rather than merely residing on an organization's network. RMS works by
encrypting documents and then providing decryption keys only to authorized users with an approved RMS client. To be approved, the RMS client must enforce the usage rights assigned to a document. For example, if the document owner has specified that the contents of the document should not be copied, forwarded, or printed, the RMS client will not allow the user to take these actions. In Windows Vista and Windows 7, RMS is integrated with the XPS format. XPS is an open, cross-platform document format that helps customers effortlessly create, share, print, archive, and protect rich digital documents. With a print driver that outputs XPS, any application can produce XPS documents that can be protected with RMS. This basic functionality significantly broadens the range of information that can be protected by RMS.

The 2007 Microsoft Office system provides even deeper integration with RMS through new developments in Microsoft SharePoint. SharePoint administrators can set access policies for the SharePoint document libraries on a per-user basis that will be inherited by RMS policies. This means that users who have "view-only" rights to access the content will have that "view-only" access (no print, copy, or paste) enforced by RMS, even when the document has been removed from the SharePoint site. Enterprise customers can set usage policies that are enforced not only when the document is at rest, but also when the information is outside the direct control of the enterprise. Although the RMS features are built into Windows Vista and Windows 7, they can be used only with a rights management infrastructure and an application that supports RMS, such as Microsoft Office. The RMS client can also be installed on Windows 2000 and later operating systems. For more information about how to use RMS, visit http://www.microsoft.com/rms

Multiple Local Group Policy Objects

As an
administrator, you can now apply multiple Local Group Policy Objects to a single computer. This simplifies configuration management because you can create separate Group Policy Objects for different roles and apply them individually, just as you can with AD DS Group Policy Objects. For example, you might have a Group Policy Object for computers that are members of the Marketing group and a separate Group Policy Object for mobile computers. If you need to configure a mobile computer for a member of the Marketing group, you can simply apply both local Group Policy Objects rather than creating a single Local Group Policy Object that combines all of the settings.

New and Improved Security Features of Windows 7

This section describes the most visible and tangible Windows 7 security improvements, which are listed in Table 2-3. Architectural and internal improvements, as well as improvements that require additional applications or infrastructure, are described later in this chapter.

Table 2-3  Windows 7 Security Improvements
- BitLocker and BitLocker To Go: Encrypts entire volumes, including system volumes, non-system volumes, and removable drives.
- AppLocker: Provides flexible control over which applications users can run.
- Multiple active firewall profiles: Provides different firewall profiles for the physical network adapter and the virtual network adapters used by VPNs.
- User Account Control: Gives standard users the opportunity to provide administrative credentials when the operating system requires them. For administrators, it runs processes with standard privileges by default and prompts the administrator to confirm before granting administrative privileges to a process.
- Internet Explorer security features: Reduces the risk of phishing and malware attacks when users browse the Web.
- Auditing enhancements: Provide more granular control over which events are audited.
- Safe unlinking in the kernel pool: Reduces the risk of pool overrun attacks.
- Windows Biometric Framework: Provides a uniform interface for fingerprint scanners.
- Smart cards: Provides a standard smart card driver interface.
- Service accounts: Enables administrators to create accounts for services without needing to manage service account passwords.

The sections that follow describe these features in more detail.

BitLocker and BitLocker To Go

Using BitLocker Drive Encryption, organizations can reduce the risk of confidential data being lost when a user's mobile PC is stolen. Its full-volume encryption seals the key that unlocks the volume in a Trusted Platform Module (TPM) 1.2 chip (available in some newer computers) or, on computers without a TPM, stores it on a USB flash drive. BitLocker has four TPM modes:
- TPM only. This is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or changed, BitLocker will enter recovery mode, and you will need a recovery key or recovery password to regain access to the data. This provides protection from hard-disk theft with no user training necessary.
- TPM with startup key. The user will also need a startup key to start Windows. A startup key is a USB flash drive with a computer-readable key file written to it (the user-typed alternative is the PIN, described next). This provides protection from both hard-disk theft and stolen computers (assuming the computer was shut down or locked); however, it requires some effort from the user.
- TPM with PIN. The user will need to type a PIN to start Windows. Like requiring a startup key, this provides protection from both hard-disk theft and stolen computers (assuming the computer was shut down or locked); however, it requires some effort from the user.
- TPM with PIN and startup key. The user will need to type a PIN and insert the startup key to start Windows.

Note: To manage TPM chips, Windows includes the TPM Management snap-in (tpm.msc).

BitLocker works by storing measurements of various parts of the computer and operating system in the TPM chip. In its default configuration, BitLocker has the TPM measure the master boot record, the active boot partition, the boot sector, the Windows Boot Manager, and BitLocker's own access-control metadata. Each time the computer boots, the firmware and the early boot components extend SHA-1 hashes of the measured code into the TPM's platform configuration registers (PCRs), and the TPM will unseal the volume master key only if those PCR values match the values recorded when the key was sealed. If they match, the boot process continues; if they do not match, BitLocker enters recovery mode and asks for the recovery password or recovery key. At the conclusion of a successful boot process, the TPM releases the key to BitLocker; BitLocker decrypts data as Windows reads it from the protected volume. BitLocker protects Windows from offline attacks. An offline attack is a scenario in which an attacker starts an alternate operating system to gain control of the computer. The TPM releases the key only to the boot chain that produced the measurements recorded when the key was sealed. Because no other operating system can reproduce those measurements (not even an alternate instance of Windows), the TPM never releases the key, and the volume remains a useless encrypted blob. Any attempt to modify the protected volume's boot components will send it into recovery and leave it unbootable until the recovery password or key is supplied.

Note: Prior to Windows Vista SP1, BitLocker Drive Encryption could protect only the Windows partition. To protect other partitions before SP1, you could use EFS. After installing SP1 (and in Windows 7), you can use BitLocker Drive Encryption to encrypt any partition. However, you should still use EFS to protect data when multiple users use the same computer.

As shown in Figure 2-7, individual users can enable BitLocker from Control Panel. Most enterprises should use AD DS to manage keys, however.

Figure 2-7  You can enable BitLocker from Control Panel.
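The following is an added example, not code from the Resource Kit, that sets up the TPM with PIN mode just described from the command line with manage-bde.exe (the BitLocker tool that ships with Windows 7), adds and escrows a recovery password in AD DS, and then shows which boot components the TPM validates for the volume. The drive letter C: and the assumption that AD DS and Group Policy have already been prepared for recovery-password backup are placeholders.

```powershell
# Added example (not from the Resource Kit): BitLocker "TPM with PIN" on the OS volume.
# manage-bde.exe ships with Windows 7; run this in an elevated PowerShell session.
# Assumptions: the OS volume is C:, and AD DS has the BitLocker recovery schema and the
# "Store BitLocker recovery information in AD DS" policy in place.

$osDrive = 'C:'

# 0. Is there an enabled TPM?  (tpm.msc shows the same information interactively.)
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled) {
    throw 'No enabled TPM found; use a startup key (manage-bde -protectors -add C: -StartupKey <drive>) instead.'
}

# 1. Key protectors. TPM+PIN unlocks the volume day to day (manage-bde prompts for the PIN twice).
#    If Group Policy forbids PINs, this fails: enable "Require additional authentication at
#    startup" and allow TPM+PIN there. The numerical recovery password is what you will need
#    when the TPM measurements change (firmware update, board swap, tampered boot sector).
manage-bde -protectors -add $osDrive -TPMAndPIN
$added = manage-bde -protectors -add $osDrive -RecoveryPassword

# 2. Escrow the recovery password in AD DS. manage-bde prints the protector as
#    "ID: {GUID}"; extract that GUID and hand it to -adbackup.
$id = ($added | Select-String -Pattern 'ID: (\{[0-9A-Fa-f-]+\})').Matches[0].Groups[1].Value
manage-bde -protectors -adbackup $osDrive -id $id

# 3. Encrypt the volume (a reboot is needed so the TPM protector can be sealed).
manage-bde -on $osDrive

# 4. Verify. The TPM protector section lists the "PCR Validation Profile" (0, 2, 4, 8, 9, 10, 11
#    by default on a BIOS machine), i.e. the boot components whose measurements must match.
manage-bde -status $osDrive
manage-bde -protectors -get $osDrive
```

The recovery password is the one protector that is deliberately independent of the TPM, so treat the output of step 2 as secret and confirm in AD DS (the msFVE-RecoveryInformation object under the computer account) that the escrow succeeded before the laptop leaves the building; a volume with a lost recovery password and a replaced motherboard is unrecoverable.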
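Returning to the Required Driver Signing section earlier in this chapter, here is an added example (not code from the Resource Kit) of the check an administrator would actually run on a Windows 7 machine: enumerate every kernel driver registered with the Service Control Manager, verify its Authenticode signature, and confirm that signature enforcement has not been switched off through the boot configuration. Only PowerShell 2.0 cmdlets are used; the path-normalisation rules reflect the shapes Win32_SystemDriver.PathName is known to take and are otherwise this example's own.

```powershell
# Added example (not from the Resource Kit): inventory kernel-mode drivers and check their
# signatures on Windows 7 / Server 2008 R2. Run in an elevated PowerShell 2.0+ session.

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists every kernel driver known to the SCM, stopped ones included.
    foreach ($drv in (Get-WmiObject -Class Win32_SystemDriver)) {
        # PathName comes back in several shapes: "C:\Windows\system32\drivers\x.sys",
        # "\SystemRoot\system32\DRIVERS\x.sys", "system32\drivers\x.sys" or "\??\C:\...\x.sys".
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^"(.*)"$', '$1'
        $path = $path -replace '^\\SystemRoot\\', '%SystemRoot%\' -replace '^system32\\', '%SystemRoot%\system32\'
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'FileNotFound'              # registered driver whose binary is gone
        }
        New-Object PSObject -Property @{
            Name = $drv.Name; State = $drv.State; Path = $path; Status = $status; Signer = $signer
        }
    }
}

# Running drivers whose embedded signature is missing or broken deserve the first look.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, Status, Path -AutoSize

# Has enforcement been weakened on this machine?
#   "testsigning       Yes"  -> test-signed drivers are accepted (the desktop is watermarked)
#   "nointegritychecks Yes"  -> driver signature enforcement is disabled
bcdedit /enum "{current}" | Select-String -Pattern 'testsigning|nointegritychecks'
```

One caveat a practitioner needs: Get-AuthenticodeSignature in PowerShell 2.0 checks only signatures embedded in the file, while many inbox Windows drivers are signed through catalog (.cat) files and therefore show up here as NotSigned. Treat the list as a triage queue rather than a verdict, and confirm catalog-signed entries with a catalog-aware tool such as Sysinternals sigcheck or signtool verify before escalating.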
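The Windows Service Hardening section earlier in this chapter says there is no administrative interface for the feature, which is true of the built-in profiles; third-party services are hardened with sc.exe. The following added example (not code from the Resource Kit) first inspects the profile of the RPC service discussed in the text, then applies the same five controls to a hypothetical custom service. The service name ContosoAgent, its data directory, binary path and port 8443 are placeholders, and the service is assumed to be installed already. The Get-ServiceSid function reproduces the documented derivation of a service SID (SHA-1 of the upper-case UTF-16LE service name, read as five 32-bit sub-authorities) so the value can be checked against what sc.exe showsid reports.

```powershell
# Added example (not from the Resource Kit): read and apply Windows Service Hardening
# settings with sc.exe on Windows 7. Run elevated. "sc" alone is a PowerShell alias for
# Set-Content, so the executable must be called as sc.exe.

# Service SID = S-1-5-80- + SHA-1(UTF-16LE(UPPER(name))) split into five little-endian DWORDs.
function Get-ServiceSid([string]$ServiceName) {
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

function Show-ServiceHardening([string]$Name) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    "{0}: runs as {1}" -f $Name, $svc.StartName
    "  service SID (computed): {0}" -f (Get-ServiceSid $Name)
    sc.exe qsidtype $Name      # NONE / UNRESTRICTED / RESTRICTED (write-restricted token)
    sc.exe qprivs   $Name      # privileges the SCM leaves in the service token
}

Show-ServiceHardening 'RpcSs'      # the RPC service mentioned in the text

# ---- Hardening a custom service (all names below are placeholders) ----
$svcName = 'ContosoAgent'
$svcExe  = 'C:\Program Files\Contoso\agent.exe'
$privDir = 'C:\ProgramData\Contoso\Agent'

# 1. Run under a low-privilege built-in account instead of LocalSystem.
sc.exe config $svcName obj= 'NT AUTHORITY\LocalService'
# 2. Give the service its own SID; RESTRICTED also applies a write-restricted token, so the
#    service can write only where its SID (or the write-restricted SID) is explicitly granted.
sc.exe sidtype $svcName restricted
# 3. Keep only the privileges it really needs (several are separated with "/").
sc.exe privs $svcName SeChangeNotifyPrivilege
# 4. ACL the service's private data: its SID plus SYSTEM and Administrators, nothing inherited.
New-Item -ItemType Directory -Path $privDir -Force | Out-Null
icacls $privDir /inheritance:r `
    /grant ("NT SERVICE\{0}:(OI)(CI)M" -f $svcName) `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F'
# 5. Firewall scope: only this service's process may accept inbound TCP 8443.
netsh advfirewall firewall add rule name="Contoso Agent inbound" dir=in action=allow `
    protocol=TCP localport=8443 program="$svcExe" service=$svcName

# Verify: the SID the SCM reports must equal the computed one, and qsidtype must say RESTRICTED.
sc.exe showsid $svcName
Show-ServiceHardening $svcName
```

Step 4 is what makes step 2 safe: a service with a write-restricted token cannot write to its own working directory unless that directory's ACL names the service SID, so apply the ACL before restarting the service or it will fail in ways that look like a permissions bug.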
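For the Data Execution Prevention and Address Space Layout Randomization sections earlier in this chapter, the following added example (not code from the Resource Kit) reports the system-wide DEP policy and then checks, for every module loaded into a process, whether the image opted in to DEP and ASLR. Both opt-ins are single bits in the DllCharacteristics field of the PE optional header, so the check is a few dozen bytes of file parsing and needs no external tool. The process inspected is the current PowerShell session; point it at another process ID to audit an application.

```powershell
# Added example (not from the Resource Kit): DEP policy and per-module DEP/ASLR opt-in on
# Windows 7. PowerShell 2.0 cmdlets only.

function Get-DepPolicy {
    # The boot-time nx setting is exposed by WMI; "bcdedit /enum {current}" shows the same value.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'
                2 = 'OptIn (default: Windows programs and services only)'
                3 = 'OptOut (all programs except listed exceptions)' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        DriversProtected     = $os.DataExecutionPrevention_Drivers
        ThirtyTwoBitApps     = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-PeMitigationFlags([string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature. The optional header
    # follows the 4-byte signature and the 20-byte COFF file header.
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45) { throw "$Path is not a PE image" }
    $opt   = $pe + 4 + 20
    $magic = [BitConverter]::ToUInt16($b, $opt)         # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    $dllc  = [BitConverter]::ToUInt16($b, $opt + 70)
    New-Object PSObject -Property @{
        Path        = $Path
        Is64Bit     = ($magic -eq 0x20B)
        DynamicBase = [bool]($dllc -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -> ASLR
        NxCompat    = [bool]($dllc -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT    -> DEP opt-in
        NoSeh       = [bool]($dllc -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
    }
}

Get-DepPolicy | Format-List

# Every module in the process; one without DynamicBase hands an attacker fixed addresses,
# one without NxCompat can drag a 32-bit OptIn process out of DEP.
(Get-Process -Id $PID).Modules |
    ForEach-Object { Get-PeMitigationFlags $_.FileName } |
    Where-Object { -not ($_.DynamicBase -and $_.NxCompat) } |
    Format-Table Path, Is64Bit, DynamicBase, NxCompat, NoSeh -AutoSize

# To move the system from the default OptIn to OptOut (effective after a reboot):
#   bcdedit /set "{current}" nx OptOut
```

On 64-bit Windows the NxCompat flag is irrelevant for 64-bit processes, which always run with DEP, but it still decides the fate of 32-bit processes under the default OptIn policy; the DynamicBase flag matters for both, and an old third-party DLL injected into an otherwise randomized process (a shell extension, a printer driver) is the usual way ASLR is silently lost.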
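The Web Services for Management section earlier in this chapter notes that WS-Management traffic "can be" encrypted and authenticated; out of the box WinRM on Windows 7 answers only on the plaintext HTTP listener and accepts any domain-authenticated client. The following added example (not code from the Resource Kit) shows the weak defaults beside the hardened configuration: HTTPS only, no unencrypted or Basic authentication, and the listener reachable only from a management subnet. The certificate thumbprint and the subnet 10.0.0.0/24 are placeholders; the certificate is assumed to be a server-authentication certificate already installed in the computer's Personal store with the machine's FQDN as its subject.

```powershell
# Added example (not from the Resource Kit): lock down WinRM (WS-Management) on Windows 7.
# Run elevated. winrm.cmd is the built-in configuration tool; its @{...} settings are
# passed as quoted strings so PowerShell does not parse them as hashtables.

$thumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: thumbprint of the server certificate
$fqdn    = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$mgmtNet = '10.0.0.0/24'                                # placeholder: where your management hosts live

# Defaults to avoid (what "winrm quickconfig" alone leaves you with):
#   an HTTP listener on TCP 5985, AllowUnencrypted=false but Basic auth allowed over
#   plaintext, and a firewall rule open to every address in the current profile.
winrm quickconfig -q                                    # starts the service and creates the HTTP listener

# Hardened configuration:
winrm delete 'winrm/config/Listener?Address=*+Transport=HTTP'              # no plaintext listener
$listener = "@{Hostname=`"$fqdn`";CertificateThumbprint=`"$thumb`"}"
winrm create 'winrm/config/Listener?Address=*+Transport=HTTPS' $listener  # TLS on TCP 5986
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/service/auth '@{Basic="false";Kerberos="true";Negotiate="true"}'
winrm set winrm/config/client '@{TrustedHosts=""}'                         # this box never falls back to NTLM against arbitrary hosts

# Expose 5986 to the management subnet only.
netsh advfirewall firewall add rule name="WinRM HTTPS (management subnet only)" `
    dir=in action=allow protocol=TCP localport=5986 remoteip=$mgmtNet

# Verify from an administrator's workstation (run there, not on the managed host):
#   Test-WSMan -ComputerName <fqdn> -UseSSL
#   winrm get winrm/config/service      # AllowUnencrypted=false, Basic=false
winrm enumerate winrm/config/Listener                   # only the HTTPS listener should remain
```

Kerberos is what actually authenticates the server as well as the client here; Negotiate stays enabled so domain members still work when Kerberos is unavailable, but with Basic off and the HTTP listener gone there is no path that sends credentials in the clear.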
