additionalsecondarylogon
secondarylogon 时间:2021-02-26 阅读:()
WindowsVistaWindowsVistaSystemIntegritySystemIntegrityTechnologiesTechnologiesWCI442WCI442WhyThebadguysareeverywhere!
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
Thebadguysareeverywhere!
TheyliterallywanttodoyouharmTheyliterallywanttodoyouharmThreatsexistintwointerestingplacesThreatsexistintwointerestingplaces——Online:systemstartedandshowsaloginscreenorauserisOnline:systemstartedandshowsaloginscreenorauserisloggedinloggedinOffline:systemispowereddownorinhibernationOffline:systemispowereddownorinhibernationPoliciesmustaddressbothPoliciesmustaddressbothCoolstuff!
Coolstuff!
Codeintegrity:protectionagainstonlineattackCodeintegrity:protectionagainstonlineattackBitLocker(securestartup):protectionagainstBitLocker(securestartup):protectionagainstofflineattackofflineattackWindowsservicehardeningWindowsservicehardeningMandatoryintegritycontrolMandatoryintegritycontrolInternetExplorerprotectedmodeInternetExplorerprotectedmodeProtecttheOSWhenRunningThethreatsThethreatsTrojanthatreplacesasystemfiletoinstallarootkitTrojanthatreplacesasystemfiletoinstallarootkitandtakecontrolofthecomputer(e.
g.
FunLoveorandtakecontrolofthecomputer(e.
g.
FunLoveorothersthatuserootkits)othersthatuserootkits)OfflineattackcausedbybootinganalternateOfflineattackcausedbybootinganalternateoperatingsystemandattemptingtocorruptoroperatingsystemandattemptingtocorruptormodifyWindowskernelfilesmodifyWindowskernelfilesThirdThird--partykerneldriversthatarenotsecurepartykerneldriversthatarenotsecureRogueadministratorwhochangeskernelmodeRogueadministratorwhochangeskernelmodecodetohideotheractscodetohideotheractsCodeintegrityCodeintegrityValidatestheintegrityofcertainOSfilesValidatestheintegrityofcertainOSfilesImplementedasafilesystemfilterdriverImplementedasafilesystemfilterdriverHashesstoredinsystemcatalogorinX.
509certificateHashesstoredinsystemcatalogorinX.
509certificateembeddedinfileembeddedinfileAlsovalidatestheintegrityofthebootprocessAlsovalidatestheintegrityofthebootprocessChecksthekernel,theHAL,bootChecksthekernel,theHAL,boot--startdriversstartdriversIfvalidationfails,imagewonIfvalidationfails,imagewon''tloadtloadWhatdoesitcheckWhatdoesitcheckAllkernelmodecode(Allkernelmodecode(x64onlyx64only))AllcodeloadedintoaprotectedprocessAllcodeloadedintoaprotectedprocessModulesimplementingcryptographicfunctionsModulesimplementingcryptographicfunctionsModulesloadedintothesoftwarelicensingserviceModulesloadedintothesoftwarelicensingserviceMoreonkernelmodecodeMoreonkernelmodecodex64x64AllkernelmodecodemustbesignedoritwonAllkernelmodecodemustbesignedoritwon''tloadtloadThirdThird--partycodemustbeWHQLpartycodemustbeWHQL--certifiedorcontainacertifiedorcontainacertificatefromaMicrosoftCAcertificatefromaMicrosoftCANoexceptions,periodNoexceptions,periodAppliestodrivers,utilities,anythinginthekernelAppliestodrivers,utilities,anythinginthekernelx32x32SigningappliesonlytodriversshippedwithWindowsSigningappliesonlytodriversshippedwithWindowsCancontrolbypolicywhattodowiththirdCancontrolbypolicywhattodowiththird--partypartyOtherunsignedkernelmodecodewillloadOtherunsignedkernelmodecodewillloadMoreonprotectedprocessesMoreonprotectedprocessesOnlyonerightnow:MediaFoundationOnlyonerightnow:MediaFoundationLoadedbinariesarecodecsLoadedbinariesarecodecsMicrosoftMicrosoft--supplied:signedbyMicrosoftsupplied:signedbyMicrosoftThirdThird--party:signedbyaWindowsMediaDRMparty:signedbyaWindowsMediaDRMcertificatecertificateAffectspotentialplaybackofnextAffectspotentialplaybackofnext--generationhighgenerationhighdefinitionprotectedcontentdefinitionprotectedcontentContentand/orplaybackappcontrolwhattodoinContentand/orplaybackappcontrolwhattodoinpresenceofunsignedkernelmodedriverspresenceofunsignedkernelmodedriversCodeintegritynonCodeintegritynon--goalsgoalsProtectingfromattackerswithphysicalaccessProtectingfromattackerswithphysicalaccessVerifyingtheintegrityofNTLDRVerifyingtheintegrityofNTLDRRequiressecurestartuponTPMRequiressecurestartuponTPM--enabledmachinesenabledmachinesRequiresreadRequiresread--onlyfixedmediaotherwiseonlyfixedmediaotherwiseSupportingrebindingorhotpatchingSupportingrebindingorhotpatchingThesechangetheonThesechangetheon--diskimagediskimageCIwillworkifpatchincludesupdatedhashCIwillworkifpatchincludesupdatedhashOnlinechecksatbootOnlinechecksatboot--timeforrevocationliststimeforrevocationlistsRevocationlistupdatedafterbootandstoredlocallyRevocationlistupdatedafterbootandstoredlocallyProtecttheOSWhenNotRunningThethreatsThethreatsComputerislostorstolenComputerislostorstolenTheftorcompromiseofdataTheftorcompromiseofdataAttackagainstcorporatenetworkAttackagainstcorporatenetworkDamagetoOSifattackerinstallsalternateOSDamagetoOSifattackerinstallsalternateOSDifficultandtimeDifficultandtime--consumingtotrulyeraseconsumingtotrulyerasedecommissioneddisksdecommissioneddisksExistingwaystomitigatethesethreatsaretooeasyExistingwaystomitigatethesethreatsaretooeasyforusertocircumventforusertocircumventSecurestartup(Securestartup(""BitLockerBitLocker""))EnsurebootEnsurebootintegrityintegrityResilientResilientagainstattackagainstattackProtectsystemfromofflineProtectsystemfromofflinesoftwaresoftware--basedattacksbasedattacksLocktamperedLocktamperedsystemssystemsPreventbootifmonitoredfilesPreventbootifmonitoredfileshavebeenalteredhavebeenalteredProtectdataProtectdatawhenofflinewhenofflineEncryptuserEncryptuserdataanddataandsystemfilessystemfilesAlldataonthevolumeisAlldataonthevolumeisencrypted:user,system,page,encrypted:user,system,page,hibernation,temp,crashdumphibernation,temp,crashdumpUmbrellaUmbrellaprotectionprotectionThirdThird--partyappsbenefitwhenpartyappsbenefitwheninstalledonencryptedvolumeinstalledonencryptedvolumeEaseEaseequipmentequipmentrecyclingrecyclingSimplifySimplifyrecyclingrecyclingRenderdatauselessbydeletingRenderdatauselessbydeletingTPMkeystoreTPMkeystoreSpeeddataSpeeddatadeletiondeletionDecommissioningtakesseconds,Decommissioningtakesseconds,nothoursnothoursWonWon''tEFSprotectmetEFSprotectmeYesYes——forthosewhoknowwhattheyforthosewhoknowwhatthey''redoingredoingUsersoftenstoredataonthedesktopUsersoftenstoredataonthedesktop——isitEFSedisitEFSedEFSdoesnEFSdoesn''tprotecttheoperatingsystemtprotecttheoperatingsystemEFSisverystrongagainstattacksEFSisverystrongagainstattacksFourlevelsofkeyprotectionFourlevelsofkeyprotectionProperlyconfigured,EFSiscomputationallyinfeasibletoProperlyconfigured,EFSiscomputationallyinfeasibletocrackcrackEncryptionscenariosEncryptionscenariosBitLockerBitLockerEFSEFSRMSRMSLaptopsLaptopsBranchofficeserversBranchofficeserversLocalsingleuserfileprotection(Windowspartitiononly)Localsingleuserfileprotection(Windowspartitiononly)LocalmultiLocalmulti--userfileprotectionuserfileprotectionRemotefileprotectionRemotefileprotectionUntrustedadministratorUntrustedadministratorRemotedocumentpolicyenforcementRemotedocumentpolicyenforcementOScoOSco--existenceexistenceBitLockerencryptsBitLockerencryptsWindowsvolumeonlyWindowsvolumeonlyYouwonYouwon''tbeabletodualtbeabletodual--bootanotherOSonthebootanotherOSonthesamevolumesamevolumeOSesonothervolumeswillworkfineOSesonothervolumeswillworkfineDataonprotectedvolumeisunavailableoutsideDataonprotectedvolumeisunavailableoutsidetheOStheOSAttemptstomodifytheprotectedWindowsAttemptstomodifytheprotectedWindowsvolumewillrenderitunbootablevolumewillrenderitunbootableEnablingBitLockerEnablingBitLockerCreatea1.
5GBactivepartitionCreatea1.
5GBactivepartitionThisbecomesyourThisbecomesyour""systemsystem""partitionpartition——whereOSbootswhereOSbootsTheTPMbootmanagerusesonly50MBTheTPMbootmanagerusesonly50MBWindowsrunsfromonyourWindowsrunsfromonyour""bootboot""partitionpartition——wherethewherethesystemlivessystemlivesInitializeTPMchipifyouInitializeTPMchipifyou''reusingitreusingitInmanagementconsoleorBIOSInmanagementconsoleorBIOSEnableBitLockerinSecurityCenterEnableBitLockerinSecurityCenterUpdateharddiskMBRUpdateharddiskMBREncryptWindowsEncryptWindows""bootboot""partitionpartitionRecoveryoptionsRecoveryoptionsUsefulincaseofsomekindofhardwarefailureUsefulincaseofsomekindofhardwarefailureItIt''sapassword;storedindifferentwayssapassword;storedindifferentways——RemovablemediaRemovablemediaPrintedPrintedActiveDirectoryActiveDirectoryAlso,servicepacksanddriverupgradestriggeraAlso,servicepacksanddriverupgradestriggeraloaderthatrecomputesandresealsTPMsecretsloaderthatrecomputesandresealsTPMsecretsCanuseTPM1.
2chipCanuseTPM1.
2chipMicrocontrolleraffixedtomotherboardMicrocontrolleraffixedtomotherboardStoreskeysanddigitalcertificatesStoreskeysanddigitalcertificatesForBitLocker,TPMstoresstoragerootkeyForBitLocker,TPMstoresstoragerootkeySRKdecryptsvolumeencryptionkeySRKdecryptsvolumeencryptionkeyonlywhensystemonlywhensystembootsnormally;bootsnormally;compareseachbootprocessagainstcompareseachbootprocessagainstpreviouslystoredmeasurementspreviouslystoredmeasurementsNouserinteractionorvisibility(unlessyourequireaPINNouserinteractionorvisibility(unlessyourequireaPINoradditionalstartoradditionalstart--upkey)upkey)RecoverykeycanbearchivedinActiveDirectoryfortheRecoverykeycanbearchivedinActiveDirectoryfortheinevitableinevitable""omgomg""momentmomentProhibitsmeaningfuluseofsoftwaredebuggersduringProhibitsmeaningfuluseofsoftwaredebuggersduringbootbootTPMarchitectureTPMarchitectureResetallregisters,transferexecutiontoResetallregisters,transferexecutiontoCoreRootofTrustMeasurementCoreRootofTrustMeasurementMeasurenextstageoffirmwareintoPCR[0]MeasurenextstageoffirmwareintoPCR[0]anddataintoPCR[1]anddataintoPCR[1]HardwaretestandconfigurationHardwaretestandconfigurationCodealwaysmeasuredfirst,thenexecutedCodealwaysmeasuredfirst,thenexecutedNewPCRvalueisSHANewPCRvalueisSHA--1hashedthen1hashedthenconcatenatedwithprevioushash;concatenatedwithprevioushash;permanentlywrittentoPCRpermanentlywrittentoPCROptionROMsanddataintoPCR[2]and[3]OptionROMsanddataintoPCR[2]and[3]MBRintoPCR[4],partitiontableinPCR[5]MBRintoPCR[4],partitiontableinPCR[5]PCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureMBRtakesover;loadsfirstsectorofactiveMBRtakesover;loadsfirstsectorofactivebootpartitionintomemory;measuresfirstbootpartitionintomemory;measuresfirst512bytesintoPCR[8]512bytesintoPCR[8]Bootsectorloads;measuresremainderintoBootsectorloads;measuresremainderintoPCR[9]andtransfersexecutionPCR[9]andtransfersexecutionBootcodemeasuresBOOTMGRintoBootcodemeasuresBOOTMGRintoPCR[10]andtransfersexecutionPCR[10]andtransfersexecutionAnyadditionalbootapplicationsmustloadAnyadditionalbootapplicationsmustloadonlyfromBitLockervolumeonlyfromBitLockervolumeBitLockerkeysareinPCR[11]BitLockerkeysareinPCR[11]Finally,BOOTMGRtransferscontroltoFinally,BOOTMGRtransferscontroltooperatingsystem;OSchecksintegrityofalloperatingsystem;OSchecksintegrityofallexecutablesloadedexecutablesloadedPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersTPMarchitectureTPMarchitectureTPMmeasuresallcodeandreportsresultsTPMmeasuresallcodeandreportsresultsDefaultBitLockerconsumption:4,8,9,10,11DefaultBitLockerconsumption:4,8,9,10,11Youcanaddothers,withcaveatsYoucanaddothers,withcaveatsOptionROMsin2,3OptionROMsin2,3AnychangeinvalidatesthePCRsAnychangeinvalidatesthePCRsIncludesinsertingsmartcardreaderorUSBdriveIncludesinsertingsmartcardreaderorUSBdriveBIOSROMsin0,1BIOSROMsin0,1ReflashingBIOSinvalidatesthePCRsReflashingBIOSinvalidatesthePCRsPCR[0]PCR[0]PCR[1]PCR[1]PCR[2]PCR[2]PCR[3]PCR[3]PCR[4]PCR[4]PCR[5]PCR[5]PCR[6]PCR[6]PCR[7]PCR[7]PCR[8]PCR[8]PCR[9]PCR[9]PCR[10]PCR[10]PCR[11]PCR[11]PCR[12]PCR[12]PCR[13]PCR[13]PCR[14]PCR[14]PCR[15]PCR[15]PlatformConfigurationRegistersPlatformConfigurationRegistersBitLockercanBitLockercan''tstopeverythingtstopeverythingHardwaredebuggersHardwaredebuggersOnlineattacksOnlineattacks——BitLockerisconcernedonlywithBitLockerisconcernedonlywiththesystemthesystem''sstartupprocesssstartupprocessPostlogonattacksPostlogonattacksSabotagebyadministratorsSabotagebyadministratorsPoorsecuritymaintenancePoorsecuritymaintenanceDeploymentconsiderationsDeploymentconsiderationsRequireshardwareandsoftwareupgradesRequireshardwareandsoftwareupgradesPhasein,startwithhighprioritycomputersPhasein,startwithhighprioritycomputersMostlyafeatureforlaptopsMostlyafeatureforlaptopsAlsoconsiderfordesktopcomputersininsecureAlsoconsiderfordesktopcomputersininsecureenvironments(factoryfloor,kiosk,environments(factoryfloor,kiosk,……))EnterprisekeymanagementEnterprisekeymanagementProtectServicesFromExploitThethreatsThethreatsRememberBlasterRememberBlasterTookoverRPCSSTookoverRPCSS——madeitwritemsblast.
exetofilemadeitwritemsblast.
exetofilesystemandaddedrunkeystotheregistrysystemandaddedrunkeystotheregistryNosoftwareisperfect;someonestillmightfindaNosoftwareisperfect;someonestillmightfindavulnerabilityinaservicevulnerabilityinaserviceMalwareoftenlookstoexploitsuchvulnerabilitiesMalwareoftenlookstoexploitsuchvulnerabilitiesServicesareattractiveServicesareattractiveRunwithoutuserinteractionRunwithoutuserinteractionManyservicesoftenhavefreereignoverthesystemManyservicesoftenhavefreereignoverthesystem——toomuchaccesstoomuchaccessMostservicescancommunicateoveranyportMostservicescancommunicateoveranyportServicehardeningServicehardeningServiceServicerefactoringrefactoringMoveservicefromLocalSystemtosomethinglessMoveservicefromLocalSystemtosomethinglessprivilegedprivilegedIfnecessary,splitservicesothatonlythepartIfnecessary,splitservicesothatonlythepartrequiringLocalSystemreceivesthatrequiringLocalSystemreceivesthatServiceServiceprofilingprofilingEnablesservicetorestrictitsbehaviorEnablesservicetorestrictitsbehaviorResourcescanhaveACLsthatallowtheserviceResourcescanhaveACLsthatallowtheservice''ssIDtoaccessonlywhatitneedsIDtoaccessonlywhatitneedsAlsoincludesrulesforspecifyingrequiredAlsoincludesrulesforspecifyingrequirednetworkbehaviornetworkbehaviorItIt''sabouttheprincipleofleastprivilegesabouttheprincipleofleastprivilege——itit''sgoodforpeople,anditsgoodforpeople,andit''sgoodforservicessgoodforservicesMemoryMemoryRefactoringRefactoringIdeally,removetheserviceoutofLocalSystemIdeally,removetheserviceoutofLocalSystemIfitdoesnIfitdoesn''tperformprivilegedoperationstperformprivilegedoperationsMakeACLchangestoregistrykeysanddriverobjectsMakeACLchangestoregistrykeysanddriverobjectsOtherwise,splitintotwopiecesOtherwise,splitintotwopiecesThemainserviceThemainserviceThebitsthatperformprivilegedoperationsThebitsthatperformprivilegedoperationsAuthenticatethecallbetweenthemAuthenticatethecallbetweenthemMainserviceMainservicerunsasLocalServicerunsasLocalServicePrivilegedPrivilegedLocalSystemLocalSystemSVCHOSTgrouprefactoringSVCHOSTgrouprefactoringWindowsXPServicePack2WindowsXPServicePack2LocalSystemLocalSystemWirelessConfigurationWirelessConfigurationSystemEventSystemEventNotificationNotificationNetworkConnectionsNetworkConnectionsCOM+EventSystemCOM+EventSystemNLANLARasautoRasautoShellHardwareShellHardwareDetectionDetectionThemesThemesTelephonyTelephonyWindowsAudioWindowsAudioErrorReportingErrorReportingWorkstationWorkstationICSICSBITSBITSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanBrowserBrowser6to46to4HelpandSupportHelpandSupportTaskSchedulerTaskSchedulerTrkWksTrkWksCryptographicCryptographicServicesServicesRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonNetworkNetworkServiceServiceDNSClientDNSClientLocalLocalServiceServiceSSDPSSDPWebClientWebClientTCP/IPNetBIOShelperTCP/IPNetBIOShelperRemoteRegistryRemoteRegistryWindowsVistaWindowsVistaLocalSystemLocalSystemNetworkrestrictedNetworkrestrictedRemovableStorageRemovableStorageWMIPerfAdapterWMIPerfAdapterAutomaticupdatesAutomaticupdatesTrkWksTrkWksWMIWMIAppManagementAppManagementSecondaryLogonSecondaryLogonLocalSystemLocalSystemDemandstartedDemandstartedBITSBITSNetworkServiceNetworkServiceRestrictedRestrictedDNSClientDNSClientICSICSRemoteAccessRemoteAccessDHCPClientDHCPClientW32timeW32timeRasmanRasmanNLANLABrowserBrowser6to46to4TaskschedulerTaskschedulerIPSECServicesIPSECServicesServerServerCryptographicCryptographicServicesServicesLocalServiceLocalServiceRestrictedRestrictedNonetworkaccessNonetworkaccessWirelessWirelessConfigurationConfigurationSystemEventSystemEventNotificationNotificationShellHardwareShellHardwareDetectionDetectionNetworkNetworkConnectionsConnectionsRasautoRasautoThemesThemesCOM+EventCOM+EventSystemSystemLocalServiceLocalServiceRestrictedRestrictedTelephonyTelephonyWindowsAudioWindowsAudioTCP/IPNetBIOSTCP/IPNetBIOShelperhelperWebClientWebClientErrorReportingErrorReportingEventLogEventLogWorkstationWorkstationRemoteRegistryRemoteRegistrySSDPSSDPProfilingProfilingEveryservicehasauniqueserviceidentifiercalledEveryservicehasauniqueserviceidentifiercalledaa""serviceSIDserviceSID""SS--11--8080--1hashoflogicalservicename>AA""serviceprofileserviceprofile""isasetofACLsthatisasetofACLsthat——AllowaservicetousearesourceAllowaservicetousearesourceConstraintheservicetotheresourcesitneedsConstraintheservicetotheresourcesitneedsDefinewhichnetworkportsaservicecanuseDefinewhichnetworkportsaservicecanuseBlocktheservicefromusingotherportsBlocktheservicefromusingotherportsNow,servicecanrunasLocalServiceorNow,servicecanrunasLocalServiceorNetworkServiceandstillreceiveadditionalaccessNetworkServiceandstillreceiveadditionalaccesswhennecessarywhennecessaryRestrictingservicesRestrictingservicesSCMcomputesSCMcomputesserviceSIDserviceSIDSCMaddstheSCMaddstheSIDtoserviceSIDtoserviceprocessprocess''stokenstokenSCMcreateswriteSCMcreateswrite--restrictedtokenrestrictedtokenSCMremovesSCMremovesunneededprivilegesunneededprivilegesfromprocesstokenfromprocesstokenServiceplacesACLonServiceplacesACLonresourceresource——onlyserviceonlyservicecanwritetoitcanwritetoitExample:eventlogExample:eventlogSysEvent.
evtSysEvent.
evtEventlogEventlogserviceserviceWriteWrite--restrictedrestrictedtokentokenACLACLEventlog:WEventlog:WRestrictingservices:knowthisRestrictingservices:knowthisArestrictableservicewillsettwoproperties(storedArestrictableservicewillsettwoproperties(storedintheregistry)intheregistry)——OnetoindicatethatitcanberestrictedOnetoindicatethatitcanberestrictedOnetoshowwhichprivilegesitrequiresOnetoshowwhichprivilegesitrequiresNote!
Note!
Thisisavoluntaryprocess.
TheserviceisThisisavoluntaryprocess.
Theserviceischoosingtorestrictitself.
Itchoosingtorestrictitself.
It''sgooddevelopmentsgooddevelopmentpracticebecauseitreducesthelikelihoodofaservicepracticebecauseitreducesthelikelihoodofaservicebeingabusedbymalware,butitisnbeingabusedbymalware,butitisn''tafulltafull--onsystemonsystem--widerestrictionmechanism.
Thirdwiderestrictionmechanism.
Third--partyservicescanpartyservicescanstillrunwildandfreestillrunwildandfree……NetworkenforcementscenariosNetworkenforcementscenariosNoportsNoportsServicesthatneitherlistennorconnectServicesthatneitherlistennorconnectFixedportsFixedportsServicesthatlistenorsendonknownfixedportsServicesthatlistenorsendonknownfixedportsshouldbeconstrainedtothoseportsonlyshouldbeconstrainedtothoseportsonlyConfigurableConfigurableportsportsAdministratorconfiguresportinserviceAdministratorconfiguresportinservice''ssadministrationUI;networkrulesandfirewalladministrationUI;networkrulesandfirewallautomaticallyupdatetheirownconfigurationsautomaticallyupdatetheirownconfigurationsDynamicDynamicportsportsServicesthatlistenorsendondynamicallyServicesthatlistenorsendondynamically--allocatedportsallocatedportsAuditingAuditingManagementeventsManagementeventsInitialrulesconfigurationInitialrulesconfigurationRulechangesRulechangesRuledeletionsRuledeletionsEnforcementeventsEnforcementeventsTrafficallowedTrafficallowedTrafficdeniedTrafficdeniedglobalvulnglobalvulnmitigationsandmitigationsandsystemlockdownssystemlockdownsnetworknetworkenforcementenforcementrulesrulesInteractionwithhostfirewallsInteractionwithhostfirewallsConfigurationchangesConfigurationchangesimplementedimmediatelyimplementedimmediatelyRulescanRulescan''tbedisabledbytbedisabledbyWForthirdWForthird--partypartyRulescanRulescan''tbestoppedtbestoppedwhileservicesarerunningwhileservicesarerunningFordynamicports,netenfFordynamicports,netenfpushesconfigurationtopushesconfigurationtoWFWFhosthostfirewallfirewallrulesrulesExamplerulesExamplerulesBlockanynetworkaccessforBFE"V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=bfe;Name=Blockanytraffictoandfrombfe;"AllowoutboundPolicyAgenttraffic"V2.
0;Action=Allow;Dir=Out;RPort=389;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=AllowPolicyAgenttcp/udpLDAPtraffictoAD;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=PolicyAgent;Name=BlockanyothertraffictoandfromPolicyAgent;"Allowinbound/outboundtraffictoRpcss"V2.
0;Action=Allow;Dir=Out;RPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowoutboundrpcsstcp/udptraffic;""V2.
0;Action=Allow;Dir=in;LPort=135;Protocol=tcp;Protocol=udp;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Allowinboundtcp/udprpcss;""V2.
0;Action=Block;App=%windir%\System32\svchost.
exe;Svc=rpcss;Name=Blockanyothertraffictoandfromrpcss;"ProtecttheOSandDatafromUnknownCodeThethreatsThethreatsAuserunknowinglyrunscodefromanunknownAuserunknowinglyrunscodefromanunknownsourcethatattemptstomodifyordeletefilessourcethatattemptstomodifyordeletefilesCoderunningasLUAattemptsalocalelevationofCoderunningasLUAattemptsalocalelevationofprivilegebyinjectingcodeintoaprocessrunningprivilegebyinjectingcodeintoaprocessrunningasadministratorasadministratorTrojansthatattempttoexecutewithfullTrojansthatattempttoexecutewithfulladministratorprivilegeadministratorprivilegeSystemcodereadsdatafromtheInternet(anSystemcodereadsdatafromtheInternet(anuntrustworthysource)thatcontainscorruptdatauntrustworthysource)thatcontainscorruptdatadesignedtoelevateprivilegebyexploitingabugdesignedtoelevateprivilegebyexploitingabugMandatoryintegritycontrolMandatoryintegritycontrolMethodtopreventlowMethodtopreventlow--integritycodefromintegritycodefrommodifyinghighmodifyinghigh--integritycodeintegritycodeProtectTCBfilesanddatafrommodificationbyProtectTCBfilesanddatafrommodificationbyprivilegedusersprivilegedusersProtectuserdatafrommodificationbyunknownProtectuserdatafrommodificationbyunknownmaliciouscodemaliciouscodeProtectprocessesrunningasprivilegeduserfromProtectprocessesrunningasprivilegeduserfrommodificationbyprocessesrunningasstandardusermodificationbyprocessesrunningasstandarduserunderthesameuserSIDunderthesameuserSIDClassicalcomputersecurityconceptknownsinceClassicalcomputersecurityconceptknownsincethe1970sthe1970sLotsofrecentworkinvariousoperatingsystemsLotsofrecentworkinvariousoperatingsystemsDonDon''tconfusewithcodeintegritytconfusewithcodeintegrityCICIVerifiescodeduringmoduleloadingVerifiescodeduringmoduleloadingMICMICImplementsatypeofinformationflowpolicyImplementsatypeofinformationflowpolicyImplementsanenforcementmechanismImplementsanenforcementmechanismIntegritylevelchangestriggerasecurityauditeventIntegritylevelchangestriggerasecurityauditeventMandatoryintegritycontrolpolicyisbasedonMandatoryintegritycontrolpolicyisbasedontrustworthinesstrustworthiness.
Subjectswith.
Subjectswithlowlowdegreesofdegreesoftrustworthinesscantrustworthinesscan''tchangedataofatchangedataofahigherhigherdegrees.
degrees.
SubjectswithSubjectswithhighhighdegreesoftrustworthinesscandegreesoftrustworthinesscan''tbetbeforcedtorelyondataofforcedtorelyondataoflowerlowerdegrees.
degrees.
ThelimitationsofDACLsThelimitationsofDACLsNoprotectionofsystemstabilityNoprotectionofsystemstabilityThirdThird--partyinstallersredistributesystembinariespartyinstallersredistributesystembinariesWanttostopthis,evenifrunbyadministratorWanttostopthis,evenifrunbyadministratorNoprotectionfromtrickysoftwareNoprotectionfromtrickysoftwareNonNon--savvyuserscanbeconvincedtoinstallmalwaresavvyuserscanbeconvincedtoinstallmalwareRunswithfullcapabilitiesofuserRunswithfullcapabilitiesofuserWeakenspowerofUACWeakenspowerofUACCanCan''tdistinguishlimitedversionfromfull(possiblytdistinguishlimitedversionfromfull(possiblyadministrator)versionofuseradministrator)versionofuserBothversionshavesameuserSIDBothversionshavesameuserSIDDefinedintegritylevelsDefinedintegritylevelsSystemSystemHighHighMediumMediumLowLowUntrustedUntrusted0x40000x40000x30000x30000x20000x20000x10000x100000LocalLocalSystemSystemLocalServiceLocalServiceNetworkNetworkServiceServiceElevatedElevated(full)user(full)usertokenstokensStandarduserStandardusertokenstokensAuthenticatedAuthenticatedUsersUsersWorldWorld(Everyone)(Everyone)AnonymousAnonymousShellrunshereShellrunshereMICexpressionMICexpressionAddanintegritySIDtoausertokenatlogonAddanintegritySIDtoausertokenatlogonSS--11--1616--AnnouncestheintegritylevelofthetokenAnnouncestheintegritylevelofthetokenDetermineslevelofaccessthetokencanachieveDetermineslevelofaccessthetokencanachievePossiblesecondSIDusedbySecureDesktoptoPossiblesecondSIDusedbySecureDesktoptodetermineprotectionringofanapplicationdetermineprotectionringofanapplicationStoreintegritySIDintheSACLofeveryobjectStoreintegritySIDintheSACLofeveryobject''sssecuritydescriptor(usersecuritydescriptor(user--createdandOS)createdandOS)SpecifiestheintegrityleveloftheobjectSpecifiestheintegrityleveloftheobjectCheckingMIClevelCheckingMIClevelDuringaccesscheck,verifytheuserpassesDuringaccesscheck,verifytheuserpassesintegritycheckagainstanobjectforwriteaccessintegritycheckagainstanobjectforwriteaccessHowever,canaddACEtoDACLtodenyreadaccesstoHowever,canaddACEtoDACLtodenyreadaccesstolowintegrityuserslowintegrityusers(moreonthislater)(moreonthislater)UsermustUsermustdominatedominateobjecttoobtainwriteaccessobjecttoobtainwriteaccessUser/processlevel>=objectlevelUser/processlevel>=objectlevelAlluserspassintegritycheckforreadingandexecutingAlluserspassintegritycheckforreadingandexecutingMICtrumpsDACLMICtrumpsDACLIftheDACLletsyouwrite,butyoudonIftheDACLletsyouwrite,butyoudon''tdominatethetdominatetheobject,yourwritefailsobject,yourwritefailsConsiderfourscenariosConsiderfourscenariosAnattachmentarrivesinmail.
Whilesaving,fileiswrittenAnattachmentarrivesinmail.
Whilesaving,fileiswrittenwithwithlowlowintegrity.
Whenexecuted,itrunsatintegrity.
Whenexecuted,itrunsatlowlowintegrityintegrityandcanandcan''twritetousertwritetouser''sdata.
sdata.
MICpreventsprocessfromMICpreventsprocessfromperformingcapabilitiesatuserperformingcapabilitiesatuser''slevel.
slevel.
IEdownloadsfilefromsiteinInternetzone.
IEprocessthatIEdownloadsfilefromsiteinInternetzone.
IEprocessthatwritesfiletoTIFrunsatwritesfiletoTIFrunsatlowlowintegrity;thusfileisreceivesintegrity;thusfileisreceiveslowlowintegrity.
integrity.
MICdoesnMICdoesn''ttrustcontentorcodefromtheInternet.
ttrustcontentorcodefromtheInternet.
AmaliciousprogramisrunningatAmaliciousprogramisrunningatstandardstandarduserXanduserXandattemptstoopenprocessrunningasattemptstoopenprocessrunningasprivilegedprivilegeduserXforuserXforwrite,tobypassUACandexecutecodewillfullprivileges.
write,tobypassUACandexecutecodewillfullprivileges.
MICstopsthisbecausedesiredaccessiswrite.
MICstopsthisbecausedesiredaccessiswrite.
Admin(IL=Admin(IL=highhigh)runsdownloadedprogram.
Processrunsas)runsdownloadedprogram.
Processrunsasstandardstandardadmin(IL=admin(IL=mediummedium).
).
MICpreventsprocessesfromMICpreventsprocessesfromwritewrite--accessingresourcesACLedfortheadministrator.
accessingresourcesACLedfortheadministrator.
ProcessesalsoaffectedProcessesalsoaffectedWhenuserlaunches.
EXE,processreceiveslowerofWhenuserlaunches.
EXE,processreceiveslowerofuseruser''sorfilesorfile''sintegritylevel(ifithasone)sintegritylevel(ifithasone)Processneverrunshigherthanfile,regardlessofILofProcessneverrunshigherthanfile,regardlessofILofuserwhostartedituserwhostarteditProtectsevenadministratorsfrommaliciousactionsofProtectsevenadministratorsfrommaliciousactionsofdownloadedcodedownloadedcodeAlsoprotectsanyuserdata,whoselevelistypicallythatAlsoprotectsanyuserdata,whoselevelistypicallythatoftheuseroftheuser——itit''shigherthanthecodeshigherthanthecodeControlledbyAIS(appinstallerservice)ControlledbyAIS(appinstallerservice)CheckILsofuserandfileCheckILsofuserandfileAdjustprocessILaccordinglyAdjustprocessILaccordinglyImpersonateuserwithcorrectILandcontinuecreationImpersonateuserwithcorrectILandcontinuecreationModifyingintegritylevelsModifyingintegritylevelsTokencanloweritsownlevelTokencanloweritsownlevelNotreversibleNotreversibleOnlyaTCBcallercanraiseOnlyaTCBcallercanraiseSecureInputSecureInputDefault:UIringSID=objectintegritySIDDefault:UIringSID=objectintegritySIDTCBcallercanelevatetokenUIringTCBcallercanelevatetokenUIringTypicallynecessaryforaccessibilityutilitiesTypicallynecessaryforaccessibilityutilities——cannowcannowcontrolUIbutnotbypassMICcontrolofobjectaccesscontrolUIbutnotbypassMICcontrolofobjectaccessButIwanttoadministermybox!
ButIwanttoadministermybox!
Fullprivilegetokens,includingmembersoftheFullprivilegetokens,includingmembersofthelocalAdministratorsgroup,arecontrolledbyMIClocalAdministratorsgroup,arecontrolledbyMICCanCan''tdeletefilesiftheirlevelissystemtdeletefilesiftheirlevelissystemCanCan''tlowerthelevelofobjectsorfilestlowerthelevelofobjectsorfilesBuiltBuilt--inin""AdministratorAdministrator""accounthasanadditionalaccounthasanadditionalprivilegeprivilegeGrantscalleraccesstoobjectGrantscalleraccesstoobjectCouldgranttootherusers,butbecareful!
Couldgranttootherusers,butbecareful!
GrantinganduseofprivilegeisauditedGrantinganduseofprivilegeisauditedDenyingreadaccessDenyingreadaccessCanusedenyACEtopreventlowerlevelprincipalsCanusedenyACEtopreventlowerlevelprincipalsfromreadingorexecutinghigherlevelobjectsfromreadingorexecutinghigherlevelobjectsGoodforadministratorprogramsGoodforadministratorprogramsSetILtohighSetILtohighAdddenyACEforanythingwithalowerILAdddenyACEforanythingwithalowerILPreventsmalwarerunningatlowerlevelfromPreventsmalwarerunningatlowerlevelfromattemptingtocalladmintoolsattemptingtocalladmintoolsUnlabeledobjectsUnlabeledobjectsSystemassumesdefaultMICofmediumduringSystemassumesdefaultMICofmediumduringaccesscheckaccesscheckPreventsuntrustworthycoderunningatlowfromPreventsuntrustworthycoderunningatlowfrommodifyingunlabeledobjectsmodifyingunlabeledobjectsRegardlessofDACLRegardlessofDACLOSfilesareunlabeledOSfilesareunlabeledProtectedfrommodificationwithanACLProtectedfrommodificationwithanACLObjectswithoutaSIDhavenoMICconsiderationObjectswithoutaSIDhavenoMICconsiderationNonNon--goalsgoalsProvideforconfidentialityofdataProvideforconfidentialityofdataThisistheBellThisistheBell--LaPadulamodelLaPadulamodelAlthoughwithnoAlthoughwithno--readread--upACEs,youcanuseMICtoupACEs,youcanuseMICtoachievesimilarbehaviorachievesimilarbehaviorPreventhighILprocessesfromreadingdataataPreventhighILprocessesfromreadingdataatalowerILifthepolicyallowsthatlowerILifthepolicyallowsthatImplementdynamicintegrityImplementdynamicintegrityPreventofflineattacksthroughmodificationsofILsPreventofflineattacksthroughmodificationsofILsonfilesonfilesButBitLockercouldhelphereButBitLockercouldhelphere……ProtecttheOSfromtheInternetThethreatsThethreatsAlas,mostWindowsusersstillrunasadminAlas,mostWindowsusersstillrunasadminMeaning:theInternetrunsasadminonyourPC!
Meaning:theInternetrunsasadminonyourPC!
""DriveDrive--byby""installsofspywareandviruscodeinstallsofspywareandviruscodeExploitsofvulnerabilitiesgiveattackersfullremoteExploitsofvulnerabilitiesgiveattackersfullremoteaccessaccessEvennonEvennon--adminsstillvulnerabletomaliciousadminsstillvulnerabletomaliciousdestructionofpersonaldatadestructionofpersonaldataInternetExplorerprotectedmodeInternetExplorerprotectedmodeBuiltonmandatoryintegritycontrolBuiltonmandatoryintegritycontrolInternetExplorerrunsatlowintegritylevelInternetExplorerrunsatlowintegritylevelReducetheseverityofthreatstoIEaddReducetheseverityofthreatstoIEadd--onsonsEliminatethesilentinstallofmaliciouscodeEliminatethesilentinstallofmaliciouscodethroughsoftwarevulnerabilitiesthroughsoftwarevulnerabilitiesPreservecompatibilitywheneverpossiblePreservecompatibilitywheneverpossibleProvidethecapabilityandguidanceforaddProvidethecapabilityandguidanceforadd--onstoonstorestorefunctionalityrestorefunctionalityMinimizerequireduserinvolvementMinimizerequireduserinvolvementSometimescalledSometimescalled""lowlow--rightsIErightsIE""ProtectedmodesummaryProtectedmodesummaryRestrictsIEfromwritingoutsideoftheTemporaryRestrictsIEfromwritingoutsideoftheTemporaryInternetFiles(TIF)folderInternetFiles(TIF)folderIEIE''sprocesshaslowerwriteprivilegesthanLUAsprocesshaslowerwriteprivilegesthanLUAItbuildsontheMandatoryIntegrityControl(MIC)whichItbuildsontheMandatoryIntegrityControl(MIC)whichrestrictswritestohigherintegrityfoldersrestrictswritestohigherintegrityfoldersProtectedmodeusesCOMtocalltwonewbrokerProtectedmodeusesCOMtocalltwonewbrokerprocesseswhichallowIEtowriteoutsideoftheTIFprocesseswhichallowIEtowriteoutsideoftheTIFAcompatibilitylayerallowsaddAcompatibilitylayerallowsadd--onstoelevateonstoelevateThisisnotaThisisnota""sandboxingsandboxing""technology.
IEisrefactoredintoatechnology.
IEisrefactoredintoamultimulti--processapplication,withvaryingILsforeachprocess.
processapplication,withvaryingILsforeachprocess.
RefactoringIERefactoringIELPIELPIEIEUserIEUserIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseLPIELPIEInternetZoneInternetZoneIL=lowIL=lowIntranet/TrustedZoneIntranet/TrustedZoneIL=mediumIL=mediumSeparateTIFSeparateTIFIEPolicyIEPolicyIL=highIL=highAgain:theprincipleofleastprivilegeAgain:theprincipleofleastprivilegeRefactoringattheprocesslevelRefactoringattheprocesslevel——moreefficientmoreefficientandlessexpensivethanavirtualmachineandlessexpensivethanavirtualmachineComponentsandzonesComponentsandzonesOperationOperationRequirementsRequirementsProcessProcessURLnavigationandHTMLrenderingURLnavigationandHTMLrenderingLeastprivilegeLeastprivilegeLowintegrityLowintegrityLPIELPIEManaginguserManaginguser--controlledsettingscontrolledsettingsLeastprivilegeLeastprivilegeMediumintegrityMediumintegrityIEUserIEUserEnforcingpolicyindownloadedcodeEnforcingpolicyindownloadedcodeInitiatingexecutionInitiatingexecutionFullprivilegeFullprivilegeHighintegrityHighintegrityIEPolicyIEPolicy(service)(service)OperationOperationLPIElowLPIElowLPIEmediumLPIEmediumFilesdownloadedinzoneFilesdownloadedinzoneLowILLowILMediumILMediumILModifyoutsideTIFModifyoutsideTIFNoNoYesYesInteractwithotherappsondesktopInteractwithotherappsondesktopNoNoYesYesInjectDLLandcreateremotethreadInjectDLLandcreateremotethreadNoNoYesYesRendersHTMLfilesinlocalzoneRendersHTMLfilesinlocalzoneYesYesYesYesInstallingfromtheWebInstallingfromtheWebLPIELPIEIEPolicyIEPolicyRunRungreatstuff.
comgreatstuff.
com……\\TIFTIF\\greatstuff.
exegreatstuff.
exeTrustTrustGreatStuffGreatStuffIL=lowIL=low……\\MyDocsMyDocs\\greatstuff.
exegreatstuff.
exeIL=highifadminIL=highifadminIL=mediumotherwiseIL=mediumotherwiseAISAISRunwithRunwithfullprivsfullprivsgreatstuff.
exegreatstuff.
exe\\ProgsProgs\\GSGS\\stuff.
exestuff.
exestuff.
dllstuff.
dllIL=highIL=highfullprivfullprivInIn--proccompatibilitylayerproccompatibilitylayerRedirectsfileandregistrykeywritestonewlowRedirectsfileandregistrykeywritestonewlowintegritylocationsintegritylocations——HKCUHKCU\\SoftwareSoftware\\MicrosoftMicrosoft\\InternetExplorerInternetExplorer\\LowLowRightsRights\\VirtualVirtualDocumentsandSettingsDocumentsandSettings\\%userprofile%%userprofile%\\LocalLocalSettingsSettings\\TemporaryInternetFilesTemporaryInternetFiles\\VirtualVirtualAddedtothelocationIEistryingAddedtothelocationIEistryingIfIEtriestowritehereIfIEtriestowritehere…………itgetsredirectedhereitgetsredirectedhereHKCUHKCU\\SoftwareSoftware\\FooBarFooBarHKCUHKCU\Software\MS\IE\LowRights\Virtual\\SoftwareSoftware\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%user%userprofile%profile%\\FooBarFooBarC:C:\\DocumentsandDocumentsandSettingsSettings\\%userprofile%%userprofile%\LocalSettings\TemporaryInternetFiles\Virtual\\FooBarFooBarSteveRileySteveRileysteve.
riley@microsoft.
comsteve.
riley@microsoft.
comhttp://blogs.
technet.
com/sterileyhttp://blogs.
technet.
com/sterileywww.
protectyourwindowsnetwork.
comwww.
protectyourwindowsnetwork.
comThanksverymuch!
Thanksverymuch!
2006MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
- additionalsecondarylogon相关文档
- settingsecondarylogon
- Logoffstatusmessagessecondarylogon
- POSIXsecondarylogon
- Levelsecondarylogon
- secondarylogon魔兽世界下载器不动Secondary Logon 在哪?
- secondarylogonSecondary Logon 等等是什么意思?
香港2GB内存DIYVM2核(¥50月)香港沙田CN2云服务器
DiyVM 香港沙田机房,也是采用的CN2优化线路,目前也有入手且在使用中,我个人感觉如果中文业务需要用到的话虽然日本机房也是CN2,但是线路的稳定性不如香港机房,所以我们在这篇文章中亲测看看香港机房,然后对比之前看到的日本机房。香港机房的配置信息。CPU内存 硬盘带宽IP价格购买地址2核2G50G2M1¥50/月选择方案4核4G60G3M1¥100/月选择方案4核8G70G3M4¥200/月选择...
HostKvm开年促销:香港国际/美国洛杉矶VPS七折,其他机房八折
HostKvm也发布了开年促销方案,针对香港国际和美国洛杉矶两个机房的VPS主机提供7折优惠码,其他机房业务提供8折优惠码。商家成立于2013年,提供基于KVM架构的VPS主机,可选数据中心包括日本、新加坡、韩国、美国、中国香港等多个地区机房,均为国内直连或优化线路,延迟较低,适合建站或者远程办公等。下面列出几款主机配置信息。美国洛杉矶套餐:美国 US-Plan1CPU:1core内存:2GB硬盘...
RackNerd:特价美国服务器促销,高配低价,美国多机房可选择,双E526**+AMD3700+NVMe
racknerd怎么样?racknerd今天发布了几款美国特价独立服务器的促销,本次商家主推高配置的服务器,各个配置给的都比较高,有Intel和AMD两种,硬盘也有NVMe和SSD等多咱组合可以选择,机房目前有夏洛特、洛杉矶、犹他州可以选择,性价比很高,有需要独服的朋友可以看看。点击进入:racknerd官方网站RackNerd暑假独服促销:CPU:双E5-2680v3 (24核心,48线程)内存...
secondarylogon为你推荐
-
迅雷不能登录为什么我的迅雷不能登陆?还说我网络没连接上,可我明明连上了的易pc华硕易PC这款本本值不值的买勒?刷网站权重怎么才能提升网站百度权重呢快速美白好方法快速美白的好点子!?(不是晒黑的)镜像文件是什么镜像文件是什么意思?iphone越狱后怎么恢复苹果越狱后怎么恢复出厂设置腾讯文章腾讯新闻的精选微信里面收藏的文章在哪里神雕侠侣礼包大全神雕侠侣手游版四重大礼包怎么得到啊?qq空间打扮QQ空间怎么打扮如何打扮创维云电视功能创维新出的4K超高清健康云电视有谁用过,功能效果怎么样?