150 likes | 325 Views
Secure Operating Systems. Lesson E: Windows Security - Overview. Where are we?. We’ve discovered SELinux is moderately cool How does this compare to Windows? There’s a lot here, so we’ll just scratch the surface. Windows: History. So, Windows really does have a long history
E N D
Secure Operating Systems Lesson E: Windows Security - Overview
Where are we? • We’ve discovered SELinux is moderately cool • How does this compare to Windows? There’s a lot here, so we’ll just scratch the surface
Windows: History • So, Windows really does have a long history • DOS survived for a long time, until we moved on to the NT core • The current version of Windows 8 has finally started to move away from the backward compatibility that has dogged us
Bitlocker • Full hard drive encryption is actually pretty cool: Bitlocker • Can leverage the TPM, which is nice • Can provide remote attestation for hardware and software • Not only for disk encryption; has been used for DRM too • Can use in combination with a USB token
TPM Structure • Picture from Guillaume Piolle
Windows Integrity Control • Although we don’t think about them, Windows uses MACLs (Mandatory Access Control Lists) • Thus, the OS can make a security decision based on how trusted an object is • Let’s take a look with Process Explorer (from sysinternals)
SACLS and DACLS • SACLS beat DACLS • System Access Control List • Discretionary Access Control List • Thus, even if the DACL grants access, the SACL must alsogrant access for the operation to go through • This is all documented well by MS… http://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx • Enables things like SYSTEM_MANDATORY_LABEL_NO_READ_UP
Of course, we need • Run As… administrator • icaclstemplow /setintegritylevel L for example • But of course, we never use this, except for using the defaults, which seems like a pity, eh? • There’s a philosophical point here
UAC (Woohoo!) • Everyone seems to hate UAC, but it does help in terms of users making mistakes • It’s certainly not bulletproof (cue Shaun) • The idea is the principle of least privilege • The problem is that we don’t read the popups very well • The basic idea: run with lower privileges, and then upgrade as you need it
Service Resource Isolation • What happens when a service gets broken in to? • Let’s look • sc query type= service | more • scshowsidAdobeActiveFileMonitor9.0 • psgetsid <sid> • Can create a *restricted* SID • Two checks: one on the enabled token, one on the restricted SID
Service Refactoring • Basically, run services with base least privilege • New service hosts (low to high): • LocalServiceNoNetwork • LocalServiceRestricted • LocalServiceNetworkRestricted • NetworkServiceRestricted • NetworkServiceNetworkRestricted • LocalSystemNetworkRestricted
Restricted Network Access • Network restriction policies can be applied to services too • Direction: ingress and egress • Protocol: what protocols should be allowed? • Principal: Rules apply to specific users • Interface: WLAN, Wireless, LAN etc.
Buffer Overflows • Let’s remind ourselves how buffer overflows work • The compiler now adds Cookies… let’s look at the code
Questions & Comments • What do you want to know?