Software AG WebMethods Business Process Management Suite 8.2 SP2 Security Target
In-depth look @ client security enhancements in Windows XP SP2 Steve Lamb Technical Security Advisor...
-
date post
21-Dec-2015 -
Category
Documents
-
view
219 -
download
5
Transcript of In-depth look @ client security enhancements in Windows XP SP2 Steve Lamb Technical Security Advisor...
In-depth look @ client security enhancements in Windows XP SP2
Steve Lamb
Technical Security Advisor
http://blogs.msdn.com/steve_lamb
What is SP2?• All the usual stuff of course
– Post-SP1 hotfixes (more regression testing)
• New security technologies
Network protectionNetwork protectionMemory protectionMemory protectionSafer e-mail handlingSafer e-mail handlingMore secure browsingMore secure browsingImproved computer Improved computer maintenancemaintenanceSome updated featuresSome updated features
Yes, we broke our previous promise!
But it’s for your own good…
This is your pain
This is your pain gone
This is all you’ve gotten
Security goalsIncrease the security Increase the security resiliency and management of resiliency and management of Windows XPWindows XPDecrease end-user security Decrease end-user security burden: more secure out-of-burden: more secure out-of-the-boxthe-boxReduce damage of worms and Reduce damage of worms and virusesviruseseven if updates are not even if updates are not installedinstalled
Make attackers work harderMake attackers work harder
Defense in depth
Networks • Routers• Firewalls
• VLANs• Subnetting
Hosts • Access control lists
• IPsec
Applications and data
• Authentication• Authorization• Rights
management
• Access control lists
• Execution partitions
Users • Uhh…
Protection scenarios• Evolve from edge security to host security• Block attacks• Foil spyware• Stop mail worms and other malicious code• Reduce buffer overrun exploits• Cut confusing security dialog boxes• Configure secure default states• Simplify security updates• Do the right thing for users
Block attacksBlock attacks
The bad stuff
• Computers can do a lot, but are often used only for a few things
• Most users don’t know how to limit what can come into their computer
• Existing host-based firewalls can confuse users and often get disabled
• Computers with firewalls can be difficult or impossible to manage corporately
Windows Firewall enhancements• New and improved user interface• On by default for all network interfaces• Provides boot-time security• Global and per-interface configurations• Exceptions list (can be disallowed)• Local subnet restrictions• Command-line and better group policy management• Multiple profiles and RPC support• Unattended setup
Windows Firewall
Basic behaviorOutbound TCPOutbound TCPResponse from Response from target IP onlytarget IP only
Outbound UDPOutbound UDPResponse from any Response from any IP;IP;closed after 90 closed after 90 seconds of inactivityseconds of inactivity
OutboundOutboundb’cast and m’castb’cast and m’castOpen for 3 seconds Open for 3 seconds to permit reponse to permit reponse from same subnet from same subnet onlyonly
Unsolicited for appsUnsolicited for appsApplication must be Application must be on exception liston exception list
Unsolicited for Unsolicited for servicesservicesPort must be statically Port must be statically openedopened
Unsolicited RPCUnsolicited RPCFirewall must be Firewall must be configured to configured to permit inbound RPCpermit inbound RPC
Windows Firewall
New user interface
Windows Firewall
On by defaultWhatis it?
• WF on by default on all interfaces• New installations and upgrades• Enabled when new interfaces are added
Whydo it?
• Configuring WF proved to be too difficult• Default configuration provides good
protection against worms (eg., Blaster)
What’s different?
• Certain applications might require special WF settings
How doI fix it?
• Developer documentation WF API
Windows Firewall
Boot time securityWhatis it?
• New static filtering policy at boot time• Permits DNS, DHCP, Netlogon• WF policy applied after logon• Policy then stays in effect until after IP stack
is shut down
Whydo it?
• Closes hole that existed after boot but before policy application
What’s different?
• Nothing
How doI fix it?
• No need
Windows Firewall
Global and per-i/f configsWhatis it?
• Configuration changes apply to all interfaces (including new interfaces)
• Per-interface configuration still possible
Whydo it?
• Easier to synchronize policy across multiple interfaces
• New interfaces get a policy when created
What’s different?
• Global plus per-interface configurations• Applies to IPv4 and IPv6
How doI fix it?
• Developer documentation WF API
Windows Firewall
Per-interface configuration
Windows Firewall
Exceptions listWhatis it?
• Applications that need to open listening ports (that is, act like servers)
Whydo it?
• Allows application to run in lower security context
• Only local administrator can add to list• Ports remain open only while application is
running
What’s different?
• Any app that listens must be on the list
Windows Firewall
Exceptions listHow doI fix it?
• Application can programmatically add itself to the exceptions list– App must be running as local administrator
• Use a notification during TCP/UDP bind– Firewall checks list; opens port if app is present– WF prompts user if not (only if local admin)– User must be running as local administrator;
application can run in lower context
• Configure manually– Scan Start Menu or browse
Windows Firewall
Adding programs or ports
Windows Firewall
Exceptions can be disallowed
Windows Firewall
Local subnet restrictionWhatis it?
• Can restrict port opening to local subnet address range
• Is the default for file sharing and UPnP
Whydo it?
• More granularity—allows local subnet communication but not to/from Internet
What’s different?
• Enabling “file and printer sharing” auto-applies restriction to 137/udp, 138/udp, 139/tcp, 445/udp, 445/tcp
• Enabling UPnP auto-applies restriction to 1900/udp, 2869/tcp
How doI fix it?
• Developer documentation WF API if application can’t work with restriction
Windows Firewall
Restricting subnets
Windows Firewall
Command-line supportWhatis it?
• Add WF configuration to NETSH utility• Default state, open ports, global or per-
interface, subnet restrictions, logging options, ICMP handling, application permissions
Whydo it?
• Best method for logon scripts and remote management
What’s different?
• Nothing—new functionality
How doI fix it?
• No need
Windows Firewall
Group policy supportWhatis it?
• More objects for better control• Operational mode, allowed programs, static
opened ports, ICMP settings, enable RPC and DCOM, enable file and printer sharing
Whydo it?
• Better management between corporate and standard profiles
• Allows corporate profile to reflect needs
What’s different?
• IPv4 only (IPv6 still just on/off)• Final GPOs might change
How doI fix it?
• No need
Windows Firewall
Group policy settings
Windows Firewall
Multiple profilesWhatis it?
• Two profiles: one when connected to a corporate network, another when connected to the Internet
• Uses NLA (network location awareness)
Whydo it?
• Can have a more relaxed profile when corp-attached and a more restrictive profile when traveling
What’s different?
• Computer must be domain-joined• Listening applications might need to be on
both profiles
How doI fix it?
• No need
Windows Firewall
RPC supportWhatis it?
• WF watches as RPC apps register ports• Allows incoming requests only if service is
running as Local System, Network Service, or Local Service
Whydo it?
• Can control which RPC services are exposed to the network
• Better than granting permissions to SVCHOST.EXE
What’s different?
• Must do this for RPC—WF blocks all RPC by default
How doI fix it?
• Developer documentation WF API to automate
Windows Firewall
Unattended setupWhatis it?
• Can pre-configure several options for unattended build scripts
• Operational mode, allowed programs, static opened ports, ICMP settings, logging
Whydo it?
• Can customize firewall configuration for your enterprise
What’s different?
• Nothing—new functionality
How doI fix it?
• No need
Foil spywareFoil spyware
Are you sick of “sick of”?
The bad stuff• It’s easy to trick people into installing unknown
software• Unrestricted “chromeless” windows cover
important UI elements and deceive users• ActiveX publisher verification is confusing—or
often ignored• No way to control which add-ons are running—
and nontrivial to disable
Internet Explorer
Window restrictionsWhatis it?
• Scripts can’t position or resize windows with title and status bars offscreen
• Scripts can’t turn off status bar• Script windows:
– Must fit between top and bottom of parent– Overlap parent horizontally– Move with parent– Appear above parent so that other windows (like
dialog boxes) can’t be hidden
Whydo it?
• Eliminates windows that try to spoof desktop objects
• Allows users to always see security zone• Prevents overlaying of address bar
Internet Explorer
Window restrictionsWhat’s different?
• Title and status bars will always be visible• Scripts can’t (although users can):
– Move windows offscreen– Open windows in kiosk mode
• Pop-up windows that rely on such spoofing will be truncated
How doI fix it?
• Must change code that will break
Internet Explorer
Pop-up managerWhatis it?
• Blocks automatic and background pop-up windows activated by:– window.open()– window.external.navigateAndFind()– showHelp()
• Doesn’t affect windows opened by:– Mouse click– Locally-running software– ActiveX controls on a web site– Trusted sites or local intranet zones
• INewWindowManager API for you to useWhydo it?
• Pop-ups suck!
Internet Explorer
Pop-up managerWhat’s different?
• Allowed windows that open outside viewable screen are positioned onto viewable area
• Allowed windows that open larger than the viewable screen are resized to the viewable area
• Does not affect sites in Trusted Sites or Local Intranet zones
How doI fix it?
• Enabled by default; no workaround needed
Internet Explorer
Pop-up controls• Notification and sound, with choices:
– Show blocked pop-up– Allow pop-ups from this site– Block pop-ups– Open pop-up management options
• Configuration choices– Allow list– Block all, including clicked pop-ups– Override key for above– Sound– Zones
Internet Explorer
Managing pop-ups
Internet Explorer
Pre-SP2 IE ActiveX warning
Internet Explorer
Untrusted publishers mitigationsWhatis it?
• Block all signed content from a publisher• Block invalid signatures• One prompt per control per page• Display ellipsis if text is longer than box
Whydo it?
• Eliminate repeated prompts• Stop code modified after being signed from
running
What’s different?
• New functionality• Reduces social engineering tricks
How doI fix it?
• Can revert to allowing unsigned code to run if necessary
Internet Explorer
New IE ActiveX notice
Internet Explorer
Add-on managementWhatis it?
• View and control all IE add-ons, including ones previously difficult to detect– Browser helper objects– ActiveX controls– Toolbar extensions– Browser extensions
• Status bar and balloon notifications
Whydo it?
• Error reporting data shows add-ons create significant instability
• Many pose security risks
Internet Explorer
Add-on managementWhat’s different?
• Disabled add-ons not removed; IE simply won’t instantiate them
• Applies only to IEXPLORE.EXE and EXPLORER.EXE
• Other programs based on IE components won’t respect disabled state
How doI fix it?
• Use “Manage Add-ons” to restore broken functionality
• Restart IE
Internet Explorer
Controlling add-ons
Internet Explorer
Add-on crash detection• Crash detection program
launches when IE crashes; collects:– List of DLLs that are loaded– Value of instruction pointer
CPU register (EIP)
• Finds DLL whose memory range the EIP lies within; DLL must be:– Non-system– A COM server for an IE add-
on
• Displays dialog to manage and disable
RAMRAM
DLLDLL
DLLDLL
DLLDLL
DLLDLL
EIPEIP9825:43520989825:4352098
33
Internet Explorer
Add-on admin control• Can alter user control of add-ons through registry
key (apply with GPO)– Normal: user has full control (default)– AllowList: admin specifies which add-ons are allowed;
users can’t change– DenyList: admin specifies which add-ons are denied;
users can run others
• Can also enable/disable crash detection and user management interface
Stop mail worms and Stop mail worms and other malicious codeother malicious code
The bad stuff
• People keep opening attachments• Dialogs weren’t useful or informative• Instant messengers becoming popular second
avenue for attack• HTML headers can deliver malicious code—no
attachments needed• IE zone elevation and local computer exploitation
are very popular
Attachment Execution Service
Whatis it?
• OE includes new API for applications to use to check files; also used by Windows Messenger
Whydo it?
• Provides consistent user experience across multiple applications
What’s different?
• New dialogs• Windows Messenger blocks transfer of
“potentially unsafe” files from those not on your contact list
How doI fix it?
• See whitepapers for API info
Outlook Express
Blocking attachments
Outlook Express
Plain text modeWhatis it?
• Forces all mail to be read in plain text rather than HTML
Whydo it?
• Stops malicious code delivered in HTML header scripts
What’s different?
• HTML messages won’t render correctly• Not possible to change text size• New read options setting
How doI fix it?
• Can switch displayed mail to HTML if known to be safe
Outlook Express
Reading plain and HTML
Outlook Express
No external HTML contentWhatis it?
• Much spam contains “web bugs,” links to single-pixel images; retrieving them indicates you read the mail
Whydo it?
• Increases privacy: doesn’t confirm your email address is valid
What’s different?
• Images in HTML mail won’t load from servers in Internet and Restricted Sites
• Placeholder indicates image’s location
How doI fix it?
• Click information bar to download images
Outlook Express
Blocking images
Internet Explorer
Zone elevation blocksWhatis it?
• IE prevents the security context for any link from switching to a less-restrictive zone than the context of the current page
Whydo it?
• Stop scripts from navigating to lower security zone
What’s different?
• Web pages that try to call more privileged pages will fail
• Only a user-clicked link can go to higher privilege
How doI fix it?
• Fix apps to require user initiation
Internet Explorer
Local machine zone lockdownWhatis it?
• A non-displayed security zone that runs all local HTML pages on a computer
Whydo it?
• Helps stop malicious local code from elevating privilege
What’s different?
• Enabled for IE processes• Not enabled for non-IE processes
How doI fix it?
• Can save HTML as .HTA (dangerous: full privileges)
• Use “mark of the web” comments to load file into another security zone
Internet Explorer
Local machine zone lockdown• Disallowed URL actions
– Run scripts– Download unsigned ActiveX– Run ActiveX– Override ActiveX safety– Prompt for client certificate– Run binary behaviors– Java permissions
Internet Explorer
MIME handling enforcementWhatis it?
• IE checks received files in four ways:– File name extension, registered ProgID handler– MIME Content-Type in HTTP header and ProgID– MIME Content-Disposition in HTTP header– MIME sniff
Whydo it?
• Eliminates improper handling of mis-reported files (eg., .EXE assumed as text)
What’s different?
• If MIME sniff results in different type, IE changes file extension in cache
• Never elevates to a more dangerous type
How doI fix it?
• Report your MIME types correctly!
Internet Explorer
Object cachingWhatis it?
• New security context on all scripted objects
• Access to cached objects is blocked– Reference no longer accessible after context
invalidation caused by navigation
Whydo it?
• Single MSHTML instance across navigations; cached objects available
• Eliminate current cross-domain hole– Say, scripts in one frame from one domain that listen for
events in other frames from different domains
What’s different?
• Four more bytes added to cached markup
How doI fix it?
• Recache object before accessing it with a script
Reduce bufferReduce bufferoverrun exploitsoverrun exploits
The bad stuff
• Buffer overruns can be eliminated from good code, but it takes time
• Attackers will continue to exploit them• Might even deliver purposefully-broken code to
then exploit later• RPC not originally engineered to operate in
today’s hostile networked world
Data execution prevention• Prevents code execution in data pages:
– Default heap– Various stacks– Memory pools
• Both user and kernel modes• Requires developers to explicitly mark pages as
executable
Data execution prevention
NX—“no execute”• OS feature that relies on processor hardware to
mark memory• Functions on a per-VM page basis
– Common: change a bit in the page table entry to mark the page
• Affects apps that:– Perform just-in-time code generation– Execute memory from default process stack or heap
Data execution prevention
NX—“no execute”• Hardware implementation varies by processor• Processor must raise exception when code
executes from disallowed page• Current processor support
– AMD K8 (32-bit Windows)– Intel Itanium (64-bit Windows)
Data execution prevention
64-bit WindowsWhatis it?
• Applications expected to function with NX enabled by default!
• Protected areas– Stack– Paged pool– Session pool– Default process heap
• Can’t be disabled• To allocate virtual memory—
– Call VirtualAlloc() with one of the PAGE_EXECUTE_* attributes
Data execution prevention
32-bit WindowsWhatis it?
• User mode– AMD processors with “physical address
extension” mode enabled– Can be selectively disabled per-application– Result: unhandled exception (process termination)
with STATUS_ACCESS_VIOLATION (0xc000005)
• Kernel mode– Only to the stack by default– Can’t be enabled/disabled– Result: bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
Data execution prevention
All versionsWhydo it?
• Many worms and viruses execute code in data pages• NX reduces impact—can’t spread now• Encourages good software engineering
What’s different?
• Dynamic code execution apps might break• Drivers that expect 64-bit addressing or >4 GB RAM
in PAE mode might break• Drivers that do DMA transfers
How doI fix it?
• Mark generated code with an execute permission• Update apps that execute from stack, default process
heap, or dedicated heap• DMA transfers are double-buffered• Systemwide control with BOOT.INI switches
Data execution prevention
End-user experience
RPC restrictions• Restrict remote clients
• Require authentication to endpoint mapper (135/tcp)
• New interface registration flags
RPC restrictions
Restricting remote clientsWhatis it?
• RestrictRemoteClients registry key to enforce authentication
• Remote anonymous calls to RPC interfaces now rejected by default
Whydo it?
• Useful mitigation against worms that rely on exploitable buffer overruns invoked through anonymous connections
What’s different?
• Apps that expect anonymous calls might be affected
How doI fix it?
• Require clients to use RPC security• Exempt interface from authentication using
exemption flag
RPC restrictions
Endpoint mapper authNWhatis it?
• Clients always contact EP mapper anonymously
• If client restrictions are set, clients also won’t be able to contact EP mapper
Whydo it?
• Setting EnableAuthEpResolution key tells RPC client to use NTLM authentication to EP mapper
What’s different?
• Both peers will need XP SP2
How doI fix it?
• No need
OK, so what’s next?OK, so what’s next?
More resiliency• Increase protection and security of Windows XP
– Even if updates haven’t been installed
• Implications for users and developers• The next step of trustworthy computing
• It’s a victory for the security guys!
• Learn more about Service Pack 2http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
• Changes to functionality—always updatedhttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
• Deploying Service Pack 2http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
• Developer resources—including traininghttp://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx
© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thanks to Steve Riley(Microsoft Corp) for the original slides