SIM304: Unintended Consequences of Security Lockdowns
Aaron Margosis, Principal Consultant, Microsoft Services
Session Objectives and Takeaways
• Session Objective(s):
  • Understand and explain tradeoffs of security and usability
  • Diagnose common problems arising from security lockdowns
• Key Takeaway:
  • “Tightening” a security setting doesn’t always lead to better security!
Agenda
• Brief history of security guidance
• Settings and Side Effects:
  • Remove the “Debug” privilege from Administrators
  • Turn off Automatic Root Certificates Update
  • Hide mechanisms to remove zone information
  • Require trusted path for credential entry
  • Do not process the legacy Run list
  • NtfsDisable8dot3NameCreation
Security Guidance
• Some release dates:
  • Windows NT 4 released in the year 6 BTC
  • Windows 2000 released in the year 3 BTC
  • (“BTC” = Before Trustworthy Computing)
• NSA and others stepped in
• Windows Server 2003, year 1 of the TWC era
  • NSA says: “What they said”
• Windows XP SP2 in year 2 TC
  • NSA’s guidance didn’t catch up
  • KB 885409 and Consensus Settings
Security Guidance
• US Federal Government guidance
  • US DOD STIGs (Security Technical Implementation Guides)
  • US Air Force, Standard Desktop Configuration (SDC)
    • Standardized locked-down configuration (XP SP2)
    • Everyone runs as standard user
  • Federal Desktop Core Configuration (FDCC)
    • Now the US Government Configuration Baseline (USGCB)
• Microsoft security guidance
  • Now encapsulated in the Security Compliance Manager (SCM)
What is “Debug programs”?
• Allows a user to take control of any process
  • Bypasses the process’s security descriptor; grants Full Control
  • Read/write process memory
  • Break in with a debugger; control execution paths
  • Terminate the process
• Needed to debug other users’ processes (or the kernel)
• Needed by some diagnostic/troubleshooting tools
• “Admin-equivalent”
  • Granted to Administrators by default
  • Should never be granted to non-admins
Revoking the “Debug programs” privilege
• Purported benefit:
  • Prevents an attacker with an admin account from taking over Lsass.exe or other System processes
• Actual benefit:
  • None; trivial to bypass
• Drawbacks:
  • Breaks legitimate developer scenarios
  • Limits capabilities of Task Manager, Process Explorer, Kill.exe, etc., when used by legitimate admins
  • Breaks installation of SQL Server / SQL Express
Trivial to Bypass
• An admin can configure anything to run as SYSTEM, and SYSTEM holds the privilege whatever the user-rights policy says:
  • sc.exe create TakeOverAnyway binpath= ...
  • PsExec -sid cmd.exe (-s: run as SYSTEM, -i: interactive, -d: don’t wait)
• An admin can take ownership of a process and change its permissions
• Bottom line: restricting admins is futile
• Good news:
  • Recently removed from MS guidance and USGCB.
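The check and the bypass, as an added PowerShell example (not code from the deck): the first function reads the effective “Debug programs” assignment from an exported security template and reports whether the current token carries the privilege; the second registers a throwaway service, exactly as the slide’s sc.exe line suggests, so that the same admin gets a SYSTEM token (and with it SeDebugPrivilege) regardless of the policy. The service name, the temporary file paths and the two-second wait are assumptions for the demo. Run from an elevated prompt.

```powershell
# Added example; not part of the original deck. Run elevated on a test machine.

function Get-DebugPrivilegeAssignment {
    # Export only the user-rights area of local policy and read the SeDebugPrivilege line.
    # *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'     # assumed scratch path
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Assignment      = if ($line) { $line.Line } else { 'SeDebugPrivilege = (not assigned)' }
        AdminsHaveDebug = [bool]($line -and $line.Line -match 'S-1-5-32-544')
        # whoami lists the privileges actually present in this token
        TokenHasDebug   = [bool](whoami.exe /priv | Select-String 'SeDebugPrivilege')
    }
}

function Invoke-RunAsSystemViaService {
    # The bypass from the slide: any admin can create a service, and services run as
    # LocalSystem by default. SYSTEM's token carries SeDebugPrivilege no matter what the
    # "Debug programs" user right says, so the restriction on Administrators buys nothing.
    param([string]$OutFile = 'C:\Windows\Temp\system-privs.txt')   # assumed output path
    $name = 'TakeOverAnyway'                                        # name taken from the slide
    # Note the space after "binpath=" and friends: sc.exe requires it.
    sc.exe create $name binpath= "cmd.exe /c whoami /priv > $OutFile" type= own start= demand | Out-Null
    # SCM reports error 1053 because cmd.exe never checks in as a service; the command still runs.
    sc.exe start $name | Out-Null
    Start-Sleep -Seconds 2
    sc.exe delete $name | Out-Null
    # The line written by SYSTEM shows the privilege present and enabled.
    Select-String -Path $OutFile -Pattern 'SeDebugPrivilege' | ForEach-Object { $_.Line }
}

Get-DebugPrivilegeAssignment
Invoke-RunAsSystemViaService
```

If the first call reports AdminsHaveDebug = False and TokenHasDebug = False, the lockdown is in effect; the second call still prints a SeDebugPrivilege line from the SYSTEM-owned process, which is the slide’s point. A PsExec -s run would show the same thing without creating the service by hand.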
Trusted Authorities
• Windows Root Certificate Program
• Default trusted CAs baked into Windows
• Can be updated via Windows Update
Trusted Authorities in Vista and Newer
• Starting in Windows Vista, “in the box” changed
  • Very few CAs in the Trusted Root CAs store
  • Intent: improve performance, reduce resource demand
• But roots can be added silently as needed…
  • …even if offline!
  • CTLs and Root Certs baked into Crypt32.dll
• … unless Automatic Root Certificates Update is turned off!
Why turn off automatic root cert update?
• Blocks “phone home”
  • All “phone home” is blocked by most government config guides
  • Note: this has never been part of Microsoft’s guidance
• Gives administrators absolute control over cert stores
Impact of this setting
• Many fewer default trusted root CAs on a USGCB-compliant system
  • Lots of files/programs will be treated as “unsigned”
  • Lots of HTTPS web sites will show “invalid cert”
• What you need to do:
  • Manage your root CAs even more carefully
  • Or… remove this setting
• More good news:
  • USGCB no longer requires this setting for Windows 7
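An added PowerShell example (not from the deck) covering both the diagnosis and the two remediations the slide offers: it reads the registry value the “Turn off Automatic Root Certificates Update” policy writes, counts the machine’s trusted roots, checks whether a given signed file still chains to a trusted root, and then either lifts the policy or pre-stages roots from a connected machine with certutil so the policy can stay. The sample file path is an assumption; substitute any Authenticode-signed binary you care about.

```powershell
# Added example; not part of the original deck. Run elevated.

# The policy "Turn off Automatic Root Certificates Update" sets this value to 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    $disabled = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        AutoUpdateDisabled = ($disabled -eq 1)
        # On a locked-down Vista/7 box this count stays small and never grows on demand.
        TrustedRootCount   = (Get-ChildItem Cert:\LocalMachine\Root).Count
    }
}

function Test-SignerChainTrusted {
    # Anything other than Status = Valid means the shell, IE and installers will treat
    # the file as unsigned/untrusted on this machine; compare with a machine that has
    # auto-update enabled to tell a missing root apart from a genuinely bad signature.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Enable-RootAutoUpdate {
    # Remediation 1 (the slide's "remove this setting"): drop the policy value so
    # crypt32 resumes fetching roots from the Windows Update CTL as they are needed.
    if (Test-Path $policyKey) {
        Remove-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    }
}

function Import-StagedRoots {
    # Remediation 2 (the slide's "manage your root CAs even more carefully"):
    # on a machine that may reach Windows Update, run
    #     certutil.exe -generateSSTFromWU roots.sst
    # copy the serialized store to the locked-down machine and import it here.
    param([Parameter(Mandatory)][string]$SstPath)
    certutil.exe -addstore -f Root $SstPath
}

Get-RootAutoUpdateState
Test-SignerChainTrusted -Path 'C:\Downloads\installer.exe'   # assumed path to a signed file
```

The staged-roots route keeps the “no phone home” property the government baselines want while avoiding the “unsigned”/“invalid cert” symptoms; the cost is that the .sst has to be regenerated and redeployed whenever the root program changes, which is the “manage even more carefully” line on the slide in practice.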
Ever see this? Or this? (slide shows two security-warning dialog screenshots)
• Cause: Security Zone info attached to the file
Zone Information
• Windows tags files with source-zone metadata
  • Uses Internet Explorer security zones
  • Stored in an NTFS alternate data stream
• After download, the shell still handles the file as coming from that zone
• By default, users can remove zone info via the Properties dialog or a checkbox
• Some security guidance hides those interfaces
And this is good why?
• Beats me.
• Annoying “security” dialog that provides no info
• Doesn’t stop the user from running the program
• Trains users to expect and ignore warnings
• OK, one benefit: blocks execution of code in a malicious CHM
• Worth it?
Mechanisms that remain…
• Or just overwrite the stream, e.g.: echo. > procmon.chm:Zone.Identifier
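The Zone.Identifier mechanics as an added PowerShell example (not from the deck): it writes the stream the way Attachment Manager does for an Internet-zone download, reads the ZoneId back, checks the per-user policy value behind “Hide mechanisms to remove zone information”, and then clears the mark three different ways, including the deck’s echo one-liner, to show that hiding the Unblock button removes none of them. Requires PowerShell 3.0 or later for the -Stream parameters and Unblock-File, and an NTFS volume; the sample file is constructed for the demo.

```powershell
# Added example; not part of the original deck. PowerShell 3.0+, NTFS volume.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
$file = Join-Path $env:TEMP 'downloaded-demo.exe'       # constructed sample file
Set-Content -Path $file -Value 'not really a program'

function Set-InternetZoneMark {
    # Attachment Manager writes exactly this stream for a file saved from the Internet zone (3).
    param([string]$Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Get-ZoneMark {
    # Returns the ZoneId, or $null when the stream is absent or carries no ZoneId line.
    param([string]$Path)
    $s = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($s) { ($s | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', '' } else { $null }
}

function Get-UnblockUiHidden {
    # "Hide mechanisms to remove zone information" writes HideZoneInfoOnProperties = 1.
    $v = (Get-ItemProperty -Path $policyKey -Name HideZoneInfoOnProperties -ErrorAction SilentlyContinue).HideZoneInfoOnProperties
    $v -eq 1
}

Set-InternetZoneMark $file
"ZoneId after download: $(Get-ZoneMark $file)"            # 3 = Internet
"Unblock button hidden by policy: $(Get-UnblockUiHidden)"

# Three ways that remain when the Properties-dialog checkbox is hidden:
Unblock-File -Path $file                                  # 1. the built-in cmdlet
"after Unblock-File: $(Get-ZoneMark $file)"

Set-InternetZoneMark $file
Remove-Item -Path $file -Stream Zone.Identifier           # 2. delete the stream outright
"after Remove-Item -Stream: $(Get-ZoneMark $file)"

Set-InternetZoneMark $file
cmd.exe /c "echo. > ${file}:Zone.Identifier"              # 3. the deck's one-liner: overwrite it
"after echo. overwrite: $(Get-ZoneMark $file)"

Remove-Item $file
```

Copying the file to a FAT volume, or piping it through any tool that does not preserve alternate data streams, drops the mark just as effectively; the policy only hides one checkbox.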
UAC elevation is safe if you have to enter a password, isn’t it?
• No! UAC elevation is not a security boundary!
• WTF??? Show me!
• demo
Ctrl + Alt + Del
• “Secure Attention Sequence” (SAS)
  • Handled directly by the OS
  • Cannot be intercepted by other software
• Ensures that control is transferred to the Secure Desktop
  • A.k.a. the “Winlogon” desktop
  • Accessible only to software running as SYSTEM
  • Ensures that UI cannot be spoofed
  • Ensures that credentials cannot be intercepted
• Note: UAC elevation switches to the Winlogon desktop without SAS
What is “Trusted path for credential entry”?
• GUI credential entry (via CredUI) requires Ctrl+Alt+Del
• Policy enforced by:
  • UAC elevation
  • Remote Desktop client
  • Explorer: Map network drive with different credentials
    • This last one in Windows 7, but not in Vista
Is it more secure?
• Prevents some credential prompt spoofing and stealing
  • … if you notice a prompt without Ctrl+Alt+Del
  • … before you enter the creds!
• Is it worth it?
  • More steps needed
  • Your users will hate you, and they will let you know it!
  • Also applied to same-user, consent-only elevation (WTF?)
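An added PowerShell check (not from the deck) that reads the registry values behind the settings these three slides discuss: the “Require trusted path for credential entry” policy, whether UAC prompts already land on the Winlogon (secure) desktop without any SAS, and which kind of prompt (credentials or consent) the admin gets. Together they tell you whether the trusted-path policy is adding a Ctrl+Alt+Del step to a prompt that was never a credential prompt in the first place, which is the “(WTF?)” item above.

```powershell
# Added example; not part of the original deck. Read-only; no elevation needed.

function Get-CredentialPromptPolicy {
    $credUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # "Require trusted path for credential entry" writes EnableSecureCredentialPrompting = 1.
    $trusted = (Get-ItemProperty $credUi -Name EnableSecureCredentialPrompting -ErrorAction SilentlyContinue).EnableSecureCredentialPrompting
    # PromptOnSecureDesktop (default 1): UAC switches to the Winlogon desktop on its own, no SAS involved.
    $secureDesktop = (Get-ItemProperty $system -Name PromptOnSecureDesktop -ErrorAction SilentlyContinue).PromptOnSecureDesktop
    # ConsentPromptBehaviorAdmin: 0 = no prompt, 1 = credentials on secure desktop, 2 = consent on
    # secure desktop, 3 = credentials, 4 = consent, 5 (default) = consent for non-Windows binaries.
    $consent = (Get-ItemProperty $system -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
    if ($null -eq $consent) { $consent = 5 }

    $adminPromptKind = switch ($consent) { 0 { 'none' } 1 { 'credentials' } 3 { 'credentials' } default { 'consent' } }

    [pscustomobject]@{
        TrustedPathRequired       = ($trusted -eq 1)
        UacPromptOnSecureDesktop  = ($null -eq $secureDesktop -or $secureDesktop -ne 0)
        AdminPromptKind           = $adminPromptKind
        # The slide's complaint: SAS is demanded even where no password is typed.
        SasDemandedForConsentOnly = (($trusted -eq 1) -and ($adminPromptKind -eq 'consent'))
    }
}

Get-CredentialPromptPolicy
```

If SasDemandedForConsentOnly comes back True, every elevation of a logged-on admin costs a Ctrl+Alt+Del plus a click, and none of that protects a credential, because the consent dialog does not collect one.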
The “Run” keys under HKLM
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
• Command lines executed by Explorer during logon
• Run with the rights of the logged-on user
• Used by legitimate programs and by malware
• Adding, modifying or deleting entries requires admin rights
• Note: there is also a per-user (HKCU) counterpart
  • (For some reason, HKCU is never touched by security guidance)
Benefits?
• On well-managed systems: no benefit
  • Adding/modifying requires admin rights
  • An attacker with admin has tons of other ASEPs
• What is typically there?
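An added PowerShell example (not from the deck) that answers “what is typically there?” for a given machine: it enumerates the two HKLM Run keys the “Do not process the legacy run list” policy covers together with the per-user HKCU key it leaves alone, and reports whether the machine-side policy (and its rarely used user-side twin) is set. Run it as the user whose logon you are auditing, since HKCU is that user’s hive.

```powershell
# Added example; not part of the original deck.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'              # covered by the policy
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # covered (64-bit Windows)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'              # NOT covered; user-writable
)

function Get-RunEntries {
    # One object per value: where it lives, its name, and the command line Explorer would run.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{
                Hive    = $key.Split(':')[0]
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                # Standard user can edit this entry without admin rights?
                UserWritable = $key.StartsWith('HKCU')
            }
        }
    }
}

function Get-LegacyRunListPolicy {
    # "Do not process the legacy run list" writes DisableLocalMachineRun = 1 under the
    # machine Explorer policy key; the user-side version writes DisableCurrentUserRun = 1.
    $machine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $user    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    [pscustomobject]@{
        HklmRunIgnored = ((Get-ItemProperty $machine -Name DisableLocalMachineRun -ErrorAction SilentlyContinue).DisableLocalMachineRun -eq 1)
        HkcuRunIgnored = ((Get-ItemProperty $user -Name DisableCurrentUserRun -ErrorAction SilentlyContinue).DisableCurrentUserRun -eq 1)
    }
}

Get-RunEntries | Format-Table Hive, Name, UserWritable, Command -AutoSize
Get-LegacyRunListPolicy
```

On a typical managed desktop the HKLM entries are vendor agents and drivers (the things the policy silently breaks), while the HKCU key, which any malware running as the user can write without admin rights, keeps working; that asymmetry is the slide’s “no benefit” in one table.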
NtfsDisable8dot3NameCreation
• Vulnerability (try to keep a straight face):
  “If you allow 8.3 style file names, an attacker only needs eight characters to refer to a file that may be 20 characters long. [...] Attackers could use short file names to access data files and applications with long file names that would normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications.”
• Status:
  • Removed from USGCB
  • Removed from MS guidance for Server 2008 R2 (SSLF)
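An added PowerShell example (not from the deck) that tests the quoted “vulnerability” directly: it reads the NtfsDisable8dot3NameCreation value and the volume’s effective state, creates a file with a long name, resolves its 8.3 alias the way a legacy application would, denies the current user read access on the file, and then tries to read it through the short name. The directory and file names are constructed for the demo; run elevated so fsutil can query the volume.

```powershell
# Added example; not part of the original deck. Run elevated on an NTFS volume.

function Get-8dot3State {
    # 0 = 8.3 names created on all volumes, 1 = disabled on all, 2 = per-volume setting,
    # 3 = disabled on all but the system volume (the last two exist on Windows 7 / Server 2008 R2+).
    $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem').NtfsDisable8dot3NameCreation
    [pscustomobject]@{
        RegistryValue = $v
        SystemVolume  = (fsutil.exe 8dot3name query $env:SystemDrive) -join ' '
    }
}

function Test-ShortNameBypass {
    param([string]$Dir = (Join-Path $env:TEMP 'eightdotthree-demo'))   # constructed location
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $long = Join-Path $Dir 'a-name-that-is-clearly-longer-than-eight-characters.txt'
    Set-Content -Path $long -Value 'secret'

    # Resolve the 8.3 alias. If creation is disabled for the volume there is none and
    # ShortPath simply returns the long path.
    $fso   = New-Object -ComObject Scripting.FileSystemObject
    $short = $fso.GetFile($long).ShortPath

    # Deny this user the right to read the file's data (ReadData only, so the ACL stays editable).
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $long
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'ReadData', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $long -AclObject $acl

    # The "attack": open the file by its short name. The DACL belongs to the file object,
    # not to either of its names, so the open fails exactly as it would with the long name.
    $viaShort = try { $null = Get-Content -Path $short -ErrorAction Stop; 'READ' } catch { 'DENIED' }

    $acl.RemoveAccessRule($rule) | Out-Null
    Set-Acl -Path $long -AclObject $acl
    Remove-Item -Path $Dir -Recurse -Force

    [pscustomobject]@{
        LongName         = $long
        ShortName        = $short
        HasShortName     = ($short -ne $long)
        ReadViaShortName = $viaShort     # DENIED whenever the ACL denies the user
    }
}

Get-8dot3State
Test-ShortNameBypass
```

ReadViaShortName comes back DENIED whether or not a short name exists, which is the whole argument against the setting: a short name is a second name for the same object, not a second set of permissions, while disabling creation can break older installers that still build 8.3 paths.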
Blog Posts and KB Articles
• Security configuration guidance support (KB 885409)
  http://support.microsoft.com/kb/885409
• Sticking with Well-Known and Proven Solutions
  http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx
• Disabling User Account Control (UAC) on Windows Server
  http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx
  and just posted to http://support.microsoft.com/kb/2526083
• Problems with FDCC’s XP File Permissions
  http://blogs.technet.com/b/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx
• The Case of the Unexplained Installation Failure (and an ill-advised registry hack)
  http://blogs.technet.com/b/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx
Resources
• Security Compliance Manager (SCM)
  http://technet.microsoft.com/en-us/library/cc677002.aspx
• Links to SCM webcasts and demos
  http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
• Aaron’s Local Group Policy management tools
  http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
• Webcast: http://www.msteched.com/2010/Europe/WCL324
Related Content
• Breakout Sessions
  • SIM305 – Implementing a Security Baseline in Your Environment
  • SIM307 – Securing Your Windows Platform
  • WSV325 – Security Configurations Simplified with the Microsoft Security Compliance Manager
• Hands-On Labs
  • WCL384-HOL – Establishing Security Baselines for Windows Internet Explorer
Trustworthy Computing
• Safety and Security Center: http://www.microsoft.com/security
• Security Development Lifecycle: http://www.microsoft.com/sdl
• Security Intelligence Report: http://www.microsoft.com/sir
• End to End Trust: http://www.microsoft.com/endtoendtrust
Resources
• Connect. Share. Discuss.: http://northamerica.msteched.com
• Learning: Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.