
Case Study of the Evolution of Windows Security






Presentation Transcript


  1. Case Study of the Evolution of Windows Security by Steve Tallau, Anthony Macri, Steve Wilson

  2. Real Mode
     • Real mode is characterized by a 20-bit segmented memory address space
     • Only 1 MB of memory can be addressed
     • x86 CPUs in the 80286 series and later start up in real mode at power-on, then are switched to protected mode by the operating system

  3. Protected Mode
     • Operational mode of x86-compatible CPUs of the 80286 series or later
     • New features designed to enhance multitasking and system stability, such as memory protection, a paging system, and hardware support for virtual memory

  4. Protected Mode cont.
     • Prevents an erroneous program from damaging the memory "owned" by another task or by the operating system kernel
     • Hardware support for interrupting a running program and shifting execution context to another, enabling pre-emptive multitasking

  5. MS-DOS
     • The DOS operating systems (MS-DOS, DR-DOS, etc.) operate in real mode
     • Direct software access to BIOS routines and peripheral hardware
     • No concept of memory protection or multitasking at the hardware level

  6. Windows 1.0 and 2.0
     • Essentially just graphical user interface shells running on top of DOS, not actually operating systems
     • Still used the real-mode memory model, which confined them to a maximum of 1 megabyte of memory

  7. Windows/286 and Windows/386 (2.1)
     • Took advantage of the HMA (High Memory Area) to increase the memory available
     • Introduced a protected-mode kernel, above which the GUI and applications ran as a virtual 8086 mode task
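Slides 2 and 7 rest on the real-mode address arithmetic: a 16-bit segment shifted left by four bits plus a 16-bit offset gives the 20-bit (1 MB) address space, and the carry out of bit 19 on a 80286 or later is what creates the HMA the slide mentions. The following Python is an added illustration of that arithmetic, not code from the presentation; the function and constant names are my own.

```python
# Added example: real-mode segment:offset address arithmetic and the origin
# of the High Memory Area (HMA).  Not code from the presentation.

MB = 1 << 20  # 1 MB: the 20-bit real-mode address space


def linear_address(segment: int, offset: int, a20_enabled: bool = True) -> int:
    """Physical address formed by a real-mode segment:offset pair.

    The CPU shifts the 16-bit segment left by four bits and adds the 16-bit
    offset, which can produce a 21-bit result.  On the 8086 bit 20 does not
    exist and the address wraps into the first 64 KB; on the 80286 and later
    the A20 line carries that bit, so segment:offset pairs near FFFF:xxxx
    reach just under 64 KB above 1 MB.  That region is the HMA.
    """
    if not (0 <= segment <= 0xFFFF and 0 <= offset <= 0xFFFF):
        raise ValueError("segment and offset must be 16-bit values")
    address = (segment << 4) + offset
    return address if a20_enabled else address & (MB - 1)


def hma_range() -> tuple[int, int]:
    """Inclusive range of addresses above 1 MB that real mode can form with A20 on."""
    first = linear_address(0xFFFF, 0x0010)  # FFFF:0010 is exactly 1 MB
    last = linear_address(0xFFFF, 0xFFFF)   # FFFF:FFFF is the highest real-mode address
    return first, last


def hma_size_bytes() -> int:
    """Size of the HMA: 64 KB minus the 16 bytes FFFF:0000-FFFF:000F that lie below 1 MB."""
    first, last = hma_range()
    return last - first + 1


if __name__ == "__main__":
    print(f"0x1234:0x5678 -> {linear_address(0x1234, 0x5678):#07x}")
    lo, hi = hma_range()
    print(f"HMA: {lo:#x}-{hi:#x} ({hma_size_bytes()} bytes)")
    print(f"FFFF:FFFF with A20 off wraps to {linear_address(0xFFFF, 0xFFFF, False):#06x}")
```

The same pair FFFF:FFFF lands at 0x10FFEF with A20 enabled and wraps to 0x0FFEF with it gated off, which is why the HMA is only usable once the line is enabled and why the region is 65,520 bytes rather than a full 64 KB.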

  8. Windows 3.0
     • The first version to run Windows programs in protected mode
     • Could run in either real or protected mode
     • Ran in two "flavors" of protected mode: "standard mode" and "386-enhanced mode"

  9. Windows 3.0 cont.
     • The last version of Windows that could run in real mode
     • Still no file system security
     • Introduction of virtual memory

  10. Windows 3.1 and 3.11
     • Primarily consisted of bug fixes and multimedia support
     • Removed support for real mode
     • Lacked most of the important features of OS/2, such as long file names, a desktop, or protection of the system against misbehaving applications

  11. Windows 95
     • First Windows not to "launch" from MS-DOS
     • Protected memory (prevents one process from corrupting the memory of another process running on the same computer at the same time)

  12. Windows 95 cont.
     • 32-bit disk access meant that the PC BIOS wasn't used for managing hard disks (protected-mode file access instead of real-mode file access)
     • Preemptively multitasked protected-mode 32-bit applications

  13. Windows 98
     • Windows 98 was essentially an upgraded version of 95 that integrated the IE web browser with the OS (Active Desktop)
     • Many security features comparable to Win95; upgrades were mostly fixes and updates of known security flaws in Windows 98
     • Included better AGP support, support for USB, multiple monitors, and WebTV
     • Substantially larger and slower than 95, and had a number of compatibility and stability issues

  14. Windows 98 Networking
     • Security flaw in networking exposes various network services to the internet
     • Enables attackers to access LAN-designated resources across the internet
     • Known exposed ports include POP3 (110), IMAP (143), NetBIOS (137-139), and Remote Procedure Call services (135)
     • NetBIOS services are not restricted to trusted networks only
     • Do not directly connect a 98 system to the internet; minimize network shares; do not serve information to the internet (such as web site hosting)
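A practical way to act on this slide is to check which of the named ports a host actually has open to the network. The Python below is an added example, not code from the presentation: it parses `netstat -an` style output for listeners on those ports and skips loopback-only bindings. The listing it runs on is constructed to look like that output, not captured from a real host, and the port-to-service names are my own labels for the ports the slide lists.

```python
# Added example: flag listeners on the ports the slide names as exposed, from
# `netstat -an` style output.  Not code from the presentation; the sample
# listing below is constructed, not captured from a real host.
import re
from dataclasses import dataclass

# Ports the slide lists as exposed on a Windows 98 host attached directly to the internet.
EXPOSED_PORTS = {
    110: "POP3", 143: "IMAP", 135: "RPC endpoint mapper",
    137: "NetBIOS name service", 138: "NetBIOS datagram service", 139: "NetBIOS session service",
}

# Constructed sample shaped like `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1025      203.0.113.5:80         ESTABLISHED
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    service: str
    bound_to: str


def exposed_listeners(netstat_text: str) -> list[Finding]:
    """Return sockets on the risky ports that other hosts can reach.

    TCP entries count only in LISTENING state; UDP sockets carry no state and
    are always treated as listening.  Sockets bound to loopback are skipped,
    since they cannot be reached from another host.
    """
    findings = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                       # headers, blank lines, anything unparseable
        proto, local_ip, port_text, _foreign, state = match.groups()
        port = int(port_text)
        if port not in EXPOSED_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        if local_ip.startswith("127."):
            continue
        findings.append(Finding(proto, port, EXPOSED_PORTS[port], local_ip))
    return findings


def report(netstat_text: str) -> list[str]:
    """One audit line per exposed listener."""
    return [f"{f.proto} {f.port} ({f.service}) listening on {f.bound_to}: reachable from any network the host is on"
            for f in exposed_listeners(netstat_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

On the sample listing the POP3 socket is ignored because it is bound to 127.0.0.1, while the NetBIOS and RPC sockets on 0.0.0.0 are reported; those are the ones the slide's advice (no direct internet connection, minimal shares) is about.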

  15. Windows 98 Known Issues
     • Web pages or HTML emails containing very long URL or UNC strings cause the OS to hang or run unexpected commands
     • Caused by a buffer overflow in 95/98 networking software that supports access to local and remote files
     • If a UNC string is specially formed, it can cause the computer to run arbitrary code that could disclose, modify, or destroy data on the computer
     • Microsoft's Resolution: "Obtain and run the appropriate File"

  16. Windows 98 Known Issues
     • Security vulnerability could allow malicious users to programmatically obtain file share access without knowing the entire password
     • Caused by the implementation of the share-level access control password feature in Windows 98; malicious users can use a special client utility to gain access to a share without the full password
     • Microsoft released a HotFix patch to correct this specific issue

  17. User-Level vs. Share-Level Access
     • Share-level security provides a password-controlled gate to protected resources; it allows granting access to a large number of people with little effort
     • It is not very secure, since the password is widely distributed and there is no personal accountability
     • Only share-level security suffers from the previous vulnerability, since only share-level security uses passwords as the mechanism for protecting the share

  18. User-Level vs. Share-Level Access
     • User-level access is based on granting access to individuals, each of whom has an account; this allows fine-grained control over per-user access and individual accountability
     • The disadvantage is that you must create a user account for each user and must grant that user the specific access
     • Windows NT's security paradigm is based on user-level access
     • User-level access permissions are only available on Windows 9x and ME machines when they are part of a Windows NT domain

  19. Windows 98 Known Issues
     • Vulnerability in the Telnet client could allow a web page to run arbitrary code
     • Allows a web page to do anything that the user could do, including creating, modifying, and deleting files, reformatting the hard drive, etc.
     • The Telnet client has an unchecked buffer in the part of the code that processes program arguments; if a specially formatted argument is provided, it could overflow the buffer and be used to execute arbitrary malicious code
     • The version of IE shipped with Windows 98 SE prevents the malformed argument from being passed to Telnet; Windows 98 users must download the specific patch from Microsoft

  20. Windows 98 SE
     • Windows 98 Second Edition was an upgrade to Windows 98 that included fixes for many minor issues and bugs in Windows 98
     • Internet Connection Sharing was introduced, which allowed multiple users on a LAN to share one internet connection
     • Debuted Windows Update, which allowed a user to manually connect to Microsoft's web site to check for minor and critical updates
     • Kept many of the same security implementations as Windows 98

  21. Windows ME
     • System Restore introduced, which largely replaces 98's MS Backup
     • ME takes the concept of Windows Update to the next level with Auto Update, which automatically monitors the Windows Update site for applicable updates
     • Networking more reliable than 95/98: a new TCP/IP stack makes ME perform better while networking and improves stability, and a new PPTP stack delivers more security for Virtual Private Networks

  22. Windows ME cont.
     • No longer included real-mode MS-DOS; unlike 95/98, it did not load DOS before loading the Windows GUI shell
     • A consumer version of Windows that incorporated Windows File Protection, which was introduced in Windows 2000; WFP aimed to protect system files from modification and corruption silently and automatically
     • Microsoft recently announced that effective July 11, 2006, Windows 98/SE/ME will transition to a non-supported state; after this date, MS will no longer provide security updates

  23. Windows NT
     • First Windows operating system to require user log on (eliminated the default user)
     • Implemented the concept of groups (a set of users having identical permissions)
       • Administrator
       • Other users

  24. Windows NT cont.
     • New Technology File System (NTFS)
       • Able to allow or deny access to files based on the specified user
       • For each file, NTFS maintains a list of users allowed to access the file

  25. Windows NT cont.
     • Authentication
       • Checks the Access Control List (ACL) at log on
     • Authorization
       • Windows Access Control List (ACL)
       • Web Server Permissions
       • URL Authorization
       • Principal Objects
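Slides 17, 18, 24 and 25 contrast a shared password on a resource with per-user ACL entries that grant or deny access to named accounts and groups. The Python below is an added model of that user-level check, not code from the presentation and not the NT implementation: it evaluates allow and deny entries in Windows canonical order (explicit denies first), accumulates rights until the request is satisfied, and writes an audit line naming the individual user, which is the accountability the slides say share-level access lacks. The ACL, user names and group names are constructed.

```python
# Added example: a small model of Windows-style access checks against an
# NTFS ACL, with per-user audit records.  Not code from the presentation.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4          # simplified access mask bits


@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # a user or group name
    mask: int      # rights covered by this ACE


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset

    def holds(self, trustee: str) -> bool:
        """True if the ACE trustee names this user or one of the user's groups."""
        return trustee == self.name or trustee in self.groups


def canonical(acl: list[Ace]) -> list[Ace]:
    """Windows canonical ordering: explicit deny ACEs are evaluated before allow ACEs."""
    return sorted(acl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def access_check(acl: list[Ace], who: Principal, requested: int, audit: list[str]) -> bool:
    """Walk the ACL the way the Windows access check does.

    Rights are collected from matching allow ACEs until every requested right
    is granted; a matching deny ACE that covers any still-outstanding right
    fails the check immediately.  Either way a record naming the individual
    user is written, which is the accountability user-level access provides.
    """
    outstanding = requested
    for ace in canonical(acl):
        if not who.holds(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & outstanding:
            audit.append(f"DENIED  {who.name} requested=0x{requested:x} by deny ACE for {ace.trustee}")
            return False
        if ace.kind == "allow":
            outstanding &= ~ace.mask
            if outstanding == 0:
                audit.append(f"GRANTED {who.name} requested=0x{requested:x}")
                return True
    audit.append(f"DENIED  {who.name} requested=0x{requested:x}: no ACE grants 0x{outstanding:x}")
    return False


# Constructed sample ACL for a file such as payroll.xls (hypothetical names).
PAYROLL_ACL = [
    Ace("allow", "Everyone", READ),
    Ace("allow", "Finance", READ | WRITE),
    Ace("deny", "Interns", WRITE),
]

ALICE = Principal("alice", frozenset({"Everyone", "Finance"}))
BOB = Principal("bob", frozenset({"Everyone", "Interns"}))
CAROL = Principal("carol", frozenset({"Everyone"}))

if __name__ == "__main__":
    log: list[str] = []
    for who, rights in [(ALICE, READ | WRITE), (BOB, READ), (BOB, WRITE), (CAROL, EXECUTE)]:
        access_check(PAYROLL_ACL, who, rights, log)
    print("\n".join(log))
```

Note how the deny ACE for Interns only bites when it overlaps a right that is still outstanding: bob can still read through the Everyone entry, but his write attempt is refused and logged under his own name, something a shared share password could never record.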

  26. Windows 2000
     • NTFS5
       • Quota support
         • Can assign a warning (soft limit) and a maximum (hard limit), or no limit, to each user
     • Encrypting File System (EFS)
       • Applied on file/folder rather than partition
       • Randomly generated file encryption key (FEK) of 128 bits used to encrypt data

  27. Windows 2000 cont.
     • User Authentication
       • Active Directory Service (ADS)
         • Utilizes the Lightweight Directory Access Protocol (LDAP)
         • Allows for sharing between various LDAP directories
         • Allows administrators to:
           • assign enterprise-wide policies
           • deploy programs to many computers
           • apply critical updates to an entire organization

  28. Windows 2000 cont.
     • Kerberos Protocol (Network Security)
       • Allows individuals communicating over an insecure network to prove their identity to one another in a secure manner
       • Prevents eavesdropping or replay attacks, and ensures the integrity of the data
       • Builds on symmetric key cryptography and requires a trusted third party
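The three bullets above describe the shape of Kerberos rather than its messages. The Python below is an added, miniature version of the exchange to make that shape concrete; it is not code from the presentation and not Windows 2000's implementation. It models the trusted third party (the KDC) with its AS and TGS exchanges, a service that checks tickets and authenticators, a client that can only recover its session key with the right password, and the replay cache that makes a reused authenticator fail. The `seal`/`open_` functions are a toy encrypt-then-MAC stand-in for Kerberos's cipher built from the standard library, not a real design, and all principal names and keys are constructed.

```python
# Added example: a miniature Kerberos-style exchange (AS, TGS and AP steps) using only
# the standard library.  Not code from the presentation; seal/open_ are a toy stand-in
# for Kerberos's cipher, not a real encryption design.
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300    # seconds; authenticators with timestamps outside this window are rejected
TICKET_LIFE = 600   # seconds a ticket stays valid in this model

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, message: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key (toy construction)."""
    plaintext = json.dumps(message).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    """Verify the MAC and decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # stand-in for Kerberos string-to-key

class KDC:
    """The trusted third party: holds every principal's long-term key."""
    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.keys["krbtgt"] = os.urandom(32)            # key that protects ticket-granting tickets

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: a session key encrypted under the client's key, plus a TGT."""
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session.hex(), "exp": time.time() + TICKET_LIFE})
        return seal(self.keys[client], {"key": session.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, then issue a service ticket."""
        t = open_(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(t["key"])
        a = open_(session, authenticator)               # only a holder of the session key can make this
        now = time.time()
        if a["client"] != t["client"] or now > t["exp"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("TGS request rejected")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(), "exp": now + TICKET_LIFE})
        return seal(session, {"key": svc_session.hex(), "service": service}), ticket

class Service:
    """An application server; its long-term key is shared only with the KDC."""
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()                        # (client, timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes) -> bool:
        """AP-REQ: reject forged tickets, stale authenticators and replays."""
        try:
            t = open_(self.key, ticket)
            a = open_(bytes.fromhex(t["key"]), authenticator)
        except ValueError:
            return False
        now = time.time()
        if a["client"] != t["client"] or now > t["exp"] or abs(now - a["ts"]) > CLOCK_SKEW:
            return False
        if (a["client"], a["ts"]) in self.replay_cache:
            return False                                 # same authenticator seen before: replay
        self.replay_cache.add((a["client"], a["ts"]))
        return True

def client_login(kdc: KDC, name: str, password: str, service: str):
    """Client side of the AS and TGS exchanges; returns the service ticket and its session key."""
    enc, tgt = kdc.as_exchange(name)
    session = bytes.fromhex(open_(password_key(password), enc)["key"])  # a wrong password fails here
    authenticator = seal(session, {"client": name, "ts": time.time()})
    enc2, ticket = kdc.tgs_exchange(tgt, authenticator, service)
    return ticket, bytes.fromhex(open_(session, enc2)["key"])

def demo() -> dict:
    """Constructed scenario: alice reaches 'fileserver'; a replayed AP-REQ and a wrong password fail."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice": password_key("correct horse"), "fileserver": svc_key})
    fileserver = Service(svc_key)
    ticket, svc_session = client_login(kdc, "alice", "correct horse", "fileserver")
    authenticator = seal(svc_session, {"client": "alice", "ts": time.time()})
    first, replay = fileserver.accept(ticket, authenticator), fileserver.accept(ticket, authenticator)
    try:
        client_login(kdc, "alice", "wrong password", "fileserver")
        bad_password_rejected = False
    except ValueError:
        bad_password_rejected = True
    return {"first": first, "replay": replay, "bad_password_rejected": bad_password_rejected}
```

The three slide bullets map onto the code directly: the password never crosses the network (it only unlocks the AS reply locally), the ticket's MAC is what gives integrity, and the timestamped authenticator plus the replay cache is what defeats a captured and resent AP-REQ.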

  29. Windows 2000 cont.
     • Windows File Protection (WFP)
       • Prevents programs from replacing critical Windows system files
       • Protects critical system files that are installed as part of Windows
       • Uses the file signatures and catalog files that are generated by code signing to verify that protected system files are the correct Microsoft versions

  30. Windows 2000 Security Flaws
     • Code Red & Code Red II (2001)
       • Exploited vulnerabilities in the indexing service of Windows 2000's Internet Information Services (IIS)
     • Sobig worm & Blaster worm (August 2003)
       • Attacked millions of Microsoft Windows computers, resulting in the largest down-time and clean-up cost ever

  31. Windows XP
     • Windows XP has been criticized for its susceptibility to malware, viruses, trojan horses and worms
     • Security holes are often invisible until they are exploited, making preemptive action difficult
     • Microsoft states that the release of patches to fix security holes is often what causes the spread of exploits against those very same holes, as crackers figure out what problems the patches fixed and then launch attacks against unpatched systems

  32. Windows XP cont.
     • A default administrator account that provides unrestricted access to the system (if the account is broken into, the PC can be compromised)
     • Software Restriction Policy
       • Prevents hostile code from running
       • Regulates which ActiveX controls can be run
       • Enforces that only approved software is installed on system computers
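The Software Restriction Policy bullets describe the outcome ("only approved software runs") but not how a decision is reached. The Python below is an added model of that evaluation, not code from the presentation and not the Windows implementation: a default level of Disallowed, path rules for trusted folders, a more specific Disallowed rule for a writable folder under a trusted one, and hash rules that take precedence over path rules either way. The rule set, paths and executable contents are constructed.

```python
# Added example: a minimal model of Software Restriction Policy rule evaluation
# (default level, path rules, hash rules and their precedence).  Not code from
# the presentation; the rule set and file contents below are constructed.
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    sha256: str     # hash of the executable's contents
    level: str


@dataclass(frozen=True)
class PathRule:
    path: str       # a file or a folder; a folder rule covers everything beneath it
    level: str


class SoftwareRestrictionPolicy:
    """Evaluates an executable against SRP-style rules.

    Precedence follows SRP: a hash rule beats a path rule, the most specific
    matching path rule beats less specific ones, and the default level applies
    when nothing matches.  With the default set to Disallowed only software
    explicitly approved by a rule can run.
    """
    def __init__(self, default_level: str, rules):
        self.default_level = default_level
        self.hash_rules = [r for r in rules if isinstance(r, HashRule)]
        self.path_rules = [r for r in rules if isinstance(r, PathRule)]

    @staticmethod
    def _covers(rule_path: str, target: PureWindowsPath) -> bool:
        rule = PureWindowsPath(rule_path)    # PureWindowsPath comparisons are case-insensitive
        return rule == target or rule in target.parents

    def evaluate(self, exe_path: str, exe_bytes: bytes) -> tuple[str, str]:
        """Return (level, reason) for the given executable path and contents."""
        digest = hashlib.sha256(exe_bytes).hexdigest()
        for rule in self.hash_rules:
            if rule.sha256 == digest:
                return rule.level, f"hash rule {digest[:12]}"
        target = PureWindowsPath(exe_path)
        matching = [r for r in self.path_rules if self._covers(r.path, target)]
        if matching:
            best = max(matching, key=lambda r: len(PureWindowsPath(r.path).parts))
            return best.level, f"path rule {best.path}"
        return self.default_level, "default level"


# Constructed executables: these byte strings stand in for real binaries.
KNOWN_BAD = b"constructed contents of a blocked executable"
APPROVED_TOOL = b"constructed contents of an approved tool"

POLICY = SoftwareRestrictionPolicy(DISALLOWED, [
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
    PathRule(r"C:\Windows\Temp", DISALLOWED),   # writable folder under a trusted one: the more specific rule wins
    HashRule(hashlib.sha256(KNOWN_BAD).hexdigest(), DISALLOWED),
    HashRule(hashlib.sha256(APPROVED_TOOL).hexdigest(), UNRESTRICTED),
])

if __name__ == "__main__":
    for path, contents in [
        (r"C:\Windows\System32\notepad.exe", b"notepad"),
        (r"C:\Windows\Temp\dropper.exe", b"dropper"),
        (r"C:\Program Files\App\app.exe", KNOWN_BAD),
        (r"C:\Users\bob\Downloads\tool.exe", APPROVED_TOOL),
        (r"C:\Users\bob\Downloads\game.exe", b"game"),
    ]:
        print(f"{path:40} -> {POLICY.evaluate(path, contents)}")
```

The two cases worth noticing are the file in C:\Program Files whose contents match a blocked hash (the hash rule overrides the folder's Unrestricted path rule) and the approved tool in a user's Downloads folder (a hash rule lets it run even though the default is Disallowed); path rules alone cannot express either.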

  33. Windows XP Security "Flaw"
     • Using a Windows 2000 CD to boot up a Windows XP system, it is possible to gain access to all files and folders without any password requirements
     • The flaw works by booting a Windows XP system using a Windows 2000 CD and going into the Windows 2000 Recovery Console mode
     • This technique grants the user unrestricted access to the computer; the user can access any of the files and folders on the local system and copy them to the floppy drive or other removable media

  34. Windows XP SP2
     • First version of Windows with important security features enabled by default
     • Included advanced memory protection that takes advantage of the NX (No eXecute) instruction incorporated into newer processors to stop buffer overflow attacks
     • Removal of raw socket support (decreased incidents of infected computers being used remotely to launch denial of service attacks)
     • Security Center
       • Built-in Windows Firewall
       • Windows Updates
       • Virus Protection API

  35. Sources / More Information
     • Wikipedia [http://en.wikipedia.org/wiki/Windows_history]
     • Microsoft Database [www.microsoft.com]
     • Express Computer [http://www.expresscomputeronline.com/20030609/techspace2.shtml]
     • Win. Guides [http://www.winguides.com/security/category.php/1/]
     • Windows Supersite [http://www.winsupersite.com/reviews/millennium_b3.asp]
