Unintended Consequences of Security Lockdowns
Aaron Margosis, Principal Consultant, Microsoft Services
SIM304
Session Objectives and Takeaways
Session Objectives:
Understand and explain the tradeoffs between security and usability
Diagnose common problems arising from security lockdowns
Key Takeaway: “Tightening” a security setting doesn’t always lead to better security!
Agenda
Brief history of security guidance
Settings and side effects:
Remove the “Debug programs” privilege from Administrators
Turn off Automatic Root Certificates Update
Hide mechanisms to remove zone information
Require trusted path for credential entry
Do not process the legacy run list
NtfsDisable8dot3NameCreation
Security Guidance
Some release dates:
Windows NT 4 released in the year 6 BTC
Windows 2000 released in the year 3 BTC
(“BTC” = Before Trustworthy Computing)
NSA and others stepped in
Windows Server 2003: year 1 of the TwC (Trustworthy Computing) era
NSA says: “What they said”
Windows XP SP2: year 2 TwC; NSA’s guidance didn’t catch up
KB 885409 and Consensus Settings
Security Guidance
US Federal Government guidance:
US DoD STIGs (Security Technical Implementation Guides)
US Air Force Standard Desktop Configuration (SDC): standardized locked-down configuration (XP SP2); everyone runs as a standard user
Federal Desktop Core Configuration (FDCC), now the US Government Configuration Baseline (USGCB)
Microsoft security guidance, now encapsulated in the Security Compliance Manager (SCM)
The “Debug Programs” privilege
Location: Security Settings | Local Policies | User Rights Assignment
Setting name: Debug programs
Default: Administrators
(Mis)guidance: [no one]
What is “Debug programs”?
Allows the holder to take control of any process:
Bypasses the process’s security descriptor (grants Full Control)
Read/write process memory
Break in with a debugger; control execution paths
Terminate the process
Needed to debug other users’ processes (or the kernel)
Needed by some diagnostic/troubleshooting tools
“Admin-equivalent”: granted to Administrators by default; should never be granted to non-admins
Revoking “Debug programs” privilege
Purported benefit: prevents an attacker with an admin account from taking over Lsass.exe or other System processes
Actual benefit: none; trivial to bypass
Drawbacks:
Breaks legitimate developer scenarios
Limits capabilities of Task Manager, Process Explorer, Kill.exe, etc., when used by legitimate admins
Breaks installation of SQL Server / SQL Express
Trivial to Bypass
Admin can configure anything to run as SYSTEM:
Sc.exe create TakeOverAnyway binpath= ...
PsExec -sid cmd.exe
Admin can take ownership and change process permissions
Bottom line: restricting admins is futile
Good news: recently removed from MS guidance and USGCB.
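An added example (the editor’s, not from the deck) for checking where this right actually stands on a machine: which accounts the local security policy grants SeDebugPrivilege to, and whether the token of the current PowerShell session holds it. It assumes an elevated PowerShell 2.0 or later prompt (secedit needs admin rights) and uses only the built-in secedit.exe and whoami.exe. If the “[no one]” guidance has been applied, the first function returns nothing; the second shows why that is cosmetic for an administrator (the filtered UAC token never carries the privilege anyway, and the elevated token lists it as “Disabled”, which simply means “held, not yet enabled”).

```powershell
# Added example (editor's, not from the SIM304 deck). Run from an elevated prompt.

function Get-DebugPrivilegeHolders {
    # secedit exports the local security policy; the [Privilege Rights] section
    # lists each user right as "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-..."
    $inf = Join-Path $env:TEMP 'sim304-userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right granted to no one (the "[no one]" guidance)
    $entries = ($line.Line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # SIDs are prefixed with "*"; translate them (S-1-5-32-544 = BUILTIN\Administrators)
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e }
        } else { $e }                        # already an account name
    }
}

function Get-CurrentTokenDebugPrivilege {
    # whoami /priv lists the privileges present in the *current* token. An admin's
    # filtered (non-elevated) UAC token does not carry SeDebugPrivilege at all;
    # the elevated token carries it "Disabled", which still means "held" (enable on demand).
    $privs = & whoami.exe /priv /fo csv | ConvertFrom-Csv
    $p = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
    if ($p) { return $p.State } else { return 'not in token' }
}

'Accounts granted "Debug programs" by local policy:'
Get-DebugPrivilegeHolders | ForEach-Object { "  $_" }
"SeDebugPrivilege in this session's token: $(Get-CurrentTokenDebugPrivilege)"
```

Run it once from a normal prompt and once elevated on an account that is a member of Administrators: the policy answer is the same both times, but only the elevated token carries the privilege. That is the deck’s point in miniature: the right follows the admin token, and an admin who is denied it can still reach the same processes through a SYSTEM service or by taking ownership.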
Turn off Automatic Root Certificates Update
Location: Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
Setting name: Turn off Automatic Root Certificates Update
Default: Not configured (equivalent to Disabled)
(Mis)guidance? Enabled
Trusted Authorities
Windows Root Certificate Program
Default trusted CAs baked into Windows
Can be updated via Windows Update
Trusted Authorities in Vista and Newer
Starting in Windows Vista, “in the box” changed: very few CAs in the Trusted Root CAs store
Intent: improve performance, reduce resource demand
But roots can be added silently as needed… even if offline! CTLs and root certs are baked into Crypt32.dll
… unless Automatic Root Certificates Update is turned off!
Why turn off automatic root cert update?
Blocks “phone home”
All “phone home” is blocked by most government config guides
Note: this has never been part of Microsoft’s guidance
Gives administrators absolute control over cert stores
Impact of this setting
Many fewer default trusted root CAs on a USGCB-compliant system
Lots of files/programs will be treated as “unsigned”
Lots of HTTPS web sites will show “invalid cert”
What you need to do:
Manage your root CAs even more carefully
Or… remove this setting
More good news: USGCB no longer requires this setting for Windows 7
Hide mechanisms to remove zone info
Location: User Configuration | Administrative Templates | Windows Components | Attachment Manager
Setting name: Hide mechanisms to remove zone information
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled
Zone Information
Windows tags files with source-zone metadata
Uses Internet Explorer security zones
Stored in an NTFS alternate data stream
After download, the shell still handles the file as coming from that zone
By default, users can remove zone info via the Properties dialog or a checkbox
Some security guidance hides those interfaces
And this is good why?
Beats me.
Annoying “security” dialog that provides no info
Doesn’t stop the user from running the program
Trains users to expect and ignore warnings
OK, one benefit: blocks execution of code in a malicious CHM
Worth it?
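An added example (the editor’s, not from the deck) showing what the zone metadata actually is and why hiding the Properties-dialog checkbox buys little. It constructs a sample file, stamps it the way a browser does when saving from the Internet zone (a Zone.Identifier alternate data stream containing ZoneId=3), reads the stamp back, and then removes it with Unblock-File, the command-line equivalent of the hidden checkbox. It assumes PowerShell 3.0 or later (the -Stream parameters and Unblock-File) and an NTFS volume for %TEMP%.

```powershell
# Added example (editor's, not from the SIM304 deck). Needs PowerShell 3.0+ and NTFS.
$dir  = Join-Path $env:TEMP 'sim304-zone'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'downloaded.txt'
Set-Content -Path $file -Value 'constructed sample file'   # constructed test data

function Set-InternetZone([string]$Path) {
    # This is the whole "mark": a named stream with an INI-style body.
    # ZoneId values follow the IE zones: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Get-ZoneId([string]$Path) {
    try {
        $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $m = $ads | Select-String '^ZoneId=(\d+)' | Select-Object -First 1
        if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    } catch { }
    return $null        # no stream: the shell treats the file as local
}

Set-InternetZone $file
"Before: ZoneId = $(Get-ZoneId $file)"          # 3 = Internet zone
# The stream is ordinary file data; Explorer never shows it, but PowerShell and dir /r do
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# The policy only hides the Unblock button. The stream itself is still removable by the
# same user with a single cmdlet (or by copying the file to a FAT/exFAT volume, which
# cannot hold alternate data streams at all).
Unblock-File -Path $file
"After Unblock-File: ZoneId = $(Get-ZoneId $file)"   # blank: mark is gone
Remove-Item -Path $dir -Recurse -Force
```

Because the mark is just a stream the file’s owner can delete, the only thing the policy reliably changes is that the user is left with the warning dialog and no obvious way to make it stop, which is the training effect the slide warns about.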
demo
No! UAC elevation is not a security boundary!
WTF???
Show me!
UAC elevation is safe if you have to enter a password, isn’t it?
Ctrl + Alt + Del
“Secure Attention Sequence” (SAS)
Handled directly by the OS
Cannot be intercepted by other software
Ensures that control is transferred to the Secure Desktop (a.k.a. the “Winlogon” desktop), which is accessible only to software running as SYSTEM
Ensures that the UI cannot be spoofed
Ensures that credentials cannot be intercepted
Note: UAC elevation switches to the Winlogon desktop without SAS
Require Trusted Path for Credential Entry
Location: Computer Configuration | Administrative Templates | Windows Components | Credential User Interface
Setting name: Require trusted path for credential entry
Default: Not configured (equivalent to Disabled)
Ex-guidance: Enabled (USGCB “Alpha”; removed for final)
What is “Trusted path for credential entry”?
GUI credential entry (via CredUI) requires Ctrl+Alt+Del
Policy enforced by:
UAC elevation
Remote Desktop client
Explorer: Map network drive with different credentials (in Windows 7, but not in Vista)
Is it more secure?
Prevents some credential prompt spoofing and stealing… if you notice a prompt without Ctrl+Alt+Del
… before you enter the creds!
Is it worth it?
More steps needed
Your users will hate you, and they will let you know it!
Also applied to same-user, consent-only elevation (WTF?)
Do Not Process the Legacy Run List
Location: Computer Configuration | Administrative Templates | System | Logon
Setting name: Do not process the legacy run list
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled
The “Run” keys under HKLM
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Command lines executed by Explorer during logon
Run with the rights of the logged-on user
Used by legitimate programs and by malware
Adding, modifying or deleting entries requires admin rights
Note: there is also a per-user (HKCU) counterpart (for some reason, never touched by security guidance)
Benefits?
On well-managed systems: no benefit
Adding/modifying requires admin rights
An attacker with admin rights has tons of other ASEPs (auto-start extensibility points)
What is typically there?
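An added example (the editor’s, not from the deck) that answers “what is typically there?” on the machine it runs on: it lists the entries in the two HKLM Run keys the policy covers and in the HKCU Run key it ignores, marks which of them a non-admin could have written, and reports whether the policy is in effect. The registry value behind the policy (DisableLocalMachineRun under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) is not named in the deck; it is the documented policy backing value, included from the editor’s knowledge. PowerShell 2.0 or later; no elevation needed for reading.

```powershell
# Added example (editor's, not from the SIM304 deck).

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',             # covered by the policy
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run', # covered (64-bit only)
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'              # NOT covered, user-writable
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the key's (Default) value
            [pscustomobject]@{
                Key               = $k
                Name              = $name
                Command           = $item.GetValue($name)
                # The deck's point: only the HKLM keys need admin rights to modify;
                # an attacker running as the user can persist in HKCU regardless of the policy.
                NeedsAdminToWrite = $k.StartsWith('HKLM')
            }
        }
    }
}

function Test-LegacyRunListDisabled {
    # Backing value for "Do not process the legacy run list" (editor's knowledge, not in the deck)
    $pol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = Get-ItemProperty -Path $pol -Name DisableLocalMachineRun -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableLocalMachineRun -eq 1)
}

Get-RunKeyEntries | Format-Table -Property Key, Name, NeedsAdminToWrite, Command -AutoSize -Wrap
"Legacy HKLM Run list disabled by policy: $(Test-LegacyRunListDisabled)"
```

On a typical corporate desktop the HKLM entries are vendor agents (antivirus, audio, graphics) that the policy silently stops starting, while anything a user-level infection dropped into HKCU keeps running.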
NtfsDisable8dot3NameCreation
Location: Security Settings | Local Policies | Security Options
Setting name: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Default: Disabled (configured per-volume)
(Mis)guidance: Enabled
NtfsDisable8dot3NameCreation
Vulnerability (try to keep a straight face):
“If you allow 8.3 style file names, an attacker only needs eight characters to refer to a file that may be 20 characters long. [...] Attackers could use short file names to access data files and applications with long file names that would normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications.”
Status:
Removed from USGCB
Removed from MS guidance for Server 2008 R2 (SSLF)
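An added example (the editor’s, not from the deck) that shows what the setting controls and what short names look like on a real volume: it reads the NtfsDisable8dot3NameCreation value (HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, from the editor’s knowledge; the deck names only the policy), asks fsutil for the system volume’s state, and lists the 8.3 aliases that already exist under the system drive using `dir /x`, which is the only built-in way to display them. It assumes Windows 7 / Server 2008 R2 or later (fsutil 8dot3name) and an elevated prompt for fsutil.

```powershell
# Added example (editor's, not from the SIM304 deck). fsutil needs an elevated prompt.

function Get-8dot3State {
    # Registry value meanings (documented): 0 = create short names on all volumes,
    # 1 = never, 2 = per-volume (the Windows 7+ default), 3 = all volumes except the system volume
    $fs = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -Name NtfsDisable8dot3NameCreation
    $meaning = @{ 0 = 'enabled on all volumes'; 1 = 'disabled on all volumes'
                  2 = 'per-volume setting'; 3 = 'disabled except on the system volume' }
    [pscustomobject]@{
        RegistryValue = $fs.NtfsDisable8dot3NameCreation
        Meaning       = $meaning[[int]$fs.NtfsDisable8dot3NameCreation]
        SystemVolume  = (& fsutil.exe 8dot3name query $env:SystemDrive) -join ' | '
    }
}

function Get-ShortNames([string]$Directory) {
    # "dir /x" prints the 8.3 alias between the size/<DIR> column and the long name.
    # Get-ChildItem never shows it. The regex tolerates both "10:15 AM" and "10:15" time formats.
    $re = '^\S+\s+\S+\s+(?:[AP]M\s+)?(<DIR>|[\d.,]+)\s+(\S*~\S*)\s+(.+)$'
    & cmd.exe /c "dir /x `"$Directory`"" | ForEach-Object {
        if ($_ -match $re) {
            [pscustomobject]@{ ShortName = $matches[2]; LongName = $matches[3]; IsDir = ($matches[1] -eq '<DIR>') }
        }
    }
}

Get-8dot3State | Format-List
# Disabling creation does not remove names that already exist: on a Windows install
# "Program Files" has been PROGRA~1 since setup, so the "hard to locate" argument fails anyway.
Get-ShortNames "$env:SystemDrive\" | Format-Table -AutoSize
```

The second function is also a quick way to see the one legitimate cost of disabling 8.3 creation: old installers and scripts that hard-code a short name such as PROGRA~1 break on volumes where the alias was never generated.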
Blog Posts and KB Articles
Security configuration guidance support (KB 885409): http://support.microsoft.com/kb/885409
Sticking with Well-Known and Proven Solutions: http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx
Disabling User Account Control (UAC) on Windows Server: http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx (and just posted to http://support.microsoft.com/kb/2526083)
Problems with FDCC’s XP File Permissions: http://blogs.technet.com/b/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx
The Case of the Unexplained Installation Failure (and an ill-advised registry hack): http://blogs.technet.com/b/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx
Resources
Security Compliance Manager (SCM): http://technet.microsoft.com/en-us/library/cc677002.aspx
Links to SCM webcasts and demos: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
Aaron’s Local Group Policy management tools: http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
Webcast: http://www.msteched.com/2010/Europe/WCL324
Related Content
Breakout Sessions:
SIM305 – Implementing a Security Baseline in Your Environment
SIM307 – Securing Your Windows Platform
WSV325 – Security Configurations Simplified with the Microsoft Security Compliance Manager
Hands-On Labs:
WCL384-HOL – Establishing Security Baselines for Windows Internet Explorer
Safety and Security Center: http://www.microsoft.com/security
Security Development Lifecycle: http://www.microsoft.com/sdl
Security Intelligence Report: http://www.microsoft.com/sir
End to End Trust: http://www.microsoft.com/endtoendtrust
Trustworthy Computing
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.