Unintended Consequences of Security Lockdowns

Aaron Margosis, Principal Consultant, Microsoft Services

SIM304



Session Objectives and Takeaways

Session Objectives:
Understand and explain the tradeoffs between security and usability
Diagnose common problems arising from security lockdowns

Key Takeaway: "Tightening" a security setting doesn't always lead to better security!

Agenda

Brief history of security guidance

Settings and side effects:
Remove the "Debug programs" privilege from Administrators
Turn off Automatic Root Certificates Update
Hide mechanisms to remove zone information
Require trusted path for credential entry
Do not process the legacy run list
NtfsDisable8dot3NameCreation

Security Guidance

Some release dates:
Windows NT 4 released in the year 6 BTC
Windows 2000 released in the year 3 BTC

("BTC" = Before Trustworthy Computing)

NSA and others stepped in
Windows Server 2003: year 1 of the TwC era

NSA says: "What they said"

Windows XP SP2 in year 2 TwC
NSA's guidance didn't catch up

KB 885409 and Consensus Settings

Security Guidance

US Federal Government guidance:
US DoD STIGs (Security Technical Implementation Guides)
US Air Force Standard Desktop Configuration (SDC): a standardized locked-down configuration (XP SP2) in which everyone runs as a standard user
Federal Desktop Core Configuration (FDCC), now the US Government Configuration Baseline (USGCB)

Microsoft security guidance: now encapsulated in the Security Compliance Manager (SCM)

The “Debug Programs” privilege

Location: Security Settings | Local Policies | User Rights Assignment
Setting name: Debug programs
Default: Administrators
(Mis)guidance: [no one]

What is “Debug programs”?

Allows the holder to open any process, bypassing the process's security descriptor (effectively Full Control):
Read and write process memory
Break in with a debugger and control execution paths
Terminate the process

Needed to debug other users' processes (or the kernel)
Needed by some diagnostic/troubleshooting tools
"Admin-equivalent"

Granted to Administrators by default
Should never be granted to non-admins

Revoking “Debug programs” privilege

Purported benefit: prevents an attacker with an admin account from taking over Lsass.exe or other SYSTEM processes

Actual benefit: none; trivial to bypass

Drawbacks:
Breaks legitimate developer scenarios
Limits the capabilities of Task Manager, Process Explorer, Kill.exe, etc., when used by legitimate admins
Breaks installation of SQL Server / SQL Express

Trivial to Bypass

An admin can configure anything to run as SYSTEM:
sc.exe create TakeOverAnyway binpath= ...
PsExec -s -i -d cmd.exe

An admin can also take ownership of a process and change its permissions
Bottom line: restricting admins is futile
Good news: recently removed from MS guidance and USGCB
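The following PowerShell is an added example, not code from the session, showing how to check the two things this slide is about: who actually holds "Debug programs" on a machine (via a secedit export, resolving the *SID form secedit writes), and whether the token you are running with carries it. It assumes the in-box secedit.exe and whoami.exe and an elevated prompt; the function names are my own.

```powershell
# Added example (not from the session): audit the "Debug programs" user right.
# Assumes in-box secedit.exe and whoami.exe; run from an elevated prompt so the
# export succeeds and the token you inspect is the full (unfiltered) admin token.

function Get-DebugPrivilegeHolders {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    # Export only the User Rights Assignment area of the effective local policy.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path -LiteralPath $inf)) { throw 'secedit export failed; run elevated' }
    try {
        $m = Select-String -LiteralPath $inf -Pattern '^SeDebugPrivilege\s*=\s*(.*)$' |
             Select-Object -First 1
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
    # No line, or an empty right-hand side, means the right is held by nobody:
    # exactly the "[no one]" misguidance the session warns about.
    if (-not $m) { return @() }
    $m.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            $entry = $_
            if ($entry.StartsWith('*')) {
                # secedit writes well-known principals as *SID; resolve to a name.
                try { ([Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([Security.Principal.NTAccount]).Value }
                catch { $entry }
            } else { $entry }
        }
}

function Test-TokenHasDebugPrivilege {
    # whoami /priv lists every privilege in the current token, enabled or not.
    # A non-elevated admin (filtered token) will not see SeDebugPrivilege here.
    [bool](& whoami.exe /priv | Where-Object { $_ -match '^SeDebugPrivilege\b' })
}

$holders = @(Get-DebugPrivilegeHolders)
if ($holders.Count -eq 0) {
    Write-Warning '"Debug programs" is granted to no one: expect SQL Server setup and admin tooling to break.'
} else {
    "Debug programs is granted to: $($holders -join ', ')"
}
"Current token holds SeDebugPrivilege: $(Test-TokenHasDebugPrivilege)"
```

On a default machine the first function returns BUILTIN\Administrators and the second returns True from an elevated prompt and False from a non-elevated one, which is the point of the slide: the privilege is a property of being an admin, and stripping it from Administrators changes what legitimate tools can do, not what an admin can achieve with sc.exe or PsExec.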

Demo: Revoking "Debug programs"

Turn off Automatic Root Certificates Update

Location: Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
Setting name: Turn off Automatic Root Certificates Update
Default: Not configured (equivalent to Disabled)
(Mis)guidance? Enabled

Trusted Authorities

Windows Root Certificate Program
Default trusted CAs baked into Windows
Can be updated via Windows Update

Trusted Authorities in Vista and Newer

Starting in Windows Vista, "in the box" changed: very few CAs in the Trusted Root CAs store

Intent: improve performance, reduce resource demand

But roots can be added silently as needed... even if offline! CTLs and root certs are baked into Crypt32.dll

... unless Automatic Root Certificates Update is turned off!

Why turn off automatic root cert update?

Blocks "phone home"
All "phone home" is blocked by most government config guides
Note: this has never been part of Microsoft's guidance

Gives administrators absolute control over cert stores

Impact of this setting

Many fewer default trusted root CAs on a USGCB-compliant system
Lots of files/programs will be treated as "unsigned"
Lots of HTTPS web sites will show "invalid cert"

What you need to do:
Manage your root CAs even more carefully
Or... remove this setting

More good news: USGCB no longer requires this setting for Windows 7

Demo: Turning Off Automatic Root Certificates Update

Hide mechanisms to remove zone info

Location: User Configuration | Administrative Templates | Windows Components | Attachment Manager
Setting name: Hide mechanisms to remove zone information
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled

Ever see this?

Or this?

Cause: Security Zone info attached to file

Zone Information

Windows tags files with source-zone metadata
Uses Internet Explorer security zones
Stored in an NTFS alternate data stream (Zone.Identifier)

After download, the shell still handles the file as coming from that zone
By default, users can remove zone info via the Properties dialog ("Unblock") or a checkbox on the warning
Some security guidance hides those interfaces

Mechanisms that get hidden

And this is good why?

Beats me.
Annoying "security" dialog that provides no info
Doesn't stop the user from running the program
Trains users to expect and ignore warnings
OK, one benefit: blocks execution of code in a malicious CHM
Worth it?

Mechanisms that remain…

Or just overwrite the stream; e.g.:
echo. > procmon.chm:Zone.Identifier
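As an added example (not from the session), here is the same point in PowerShell: read what the Zone.Identifier stream says, then remove it with a cmdlet the policy cannot hide. It assumes PowerShell 3.0 or later (for the -Stream parameter and Unblock-File) on an NTFS volume; the sample file and its stream are constructed inline, and the ReferrerUrl/HostUrl fields are only present on newer systems.

```powershell
# Added example (not from the session): inspect and clear the Zone.Identifier
# stream that Attachment Manager consults. Assumes PowerShell 3.0+ on NTFS.
# The sample file below is constructed here, not a real download.

function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }            # no stream: the shell treats the file as local
    $fields = @{}
    foreach ($line in $raw) {
        # Stream body is INI-style: [ZoneTransfer] followed by Key=Value lines.
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $id = [int]$fields['ZoneId']
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $id
        Zone   = $zoneNames[$id]
        Origin = $fields['HostUrl']            # written by newer browsers; absent on 2011-era systems
    }
}

# Construct a sample "downloaded" file and tag it as coming from the Internet zone (3).
$sample = Join-Path $env:TEMP 'procmon-sample.chm'
Set-Content -LiteralPath $sample -Value 'constructed sample, not a real CHM'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-ZoneInfo $sample          # ZoneId 3 / Internet: Explorer would show the warning dialog

# What the hidden "Unblock" button does, from the command line:
Unblock-File -LiteralPath $sample
Get-ZoneInfo $sample          # $null: stream gone, no more warning

# Equivalent alternatives no GPO hides: delete or overwrite the stream.
#   Remove-Item -LiteralPath $sample -Stream Zone.Identifier
#   cmd /c "echo.> $sample:Zone.Identifier"      (the session's own trick)
Remove-Item -LiteralPath $sample
```

Run it twice, once with the policy disabled and once with it enabled: the output is identical, which is the practical demonstration that the setting hides a button and nothing else.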

demo

No! UAC elevation is not a security boundary!

WTF??? Show me!

UAC elevation is safe if you have to enter a password, isn’t it?

Ctrl + Alt + Del

"Secure Attention Sequence" (SAS)
Handled directly by the OS; cannot be intercepted by other software
Ensures that control is transferred to the Secure Desktop (a.k.a. the "Winlogon" desktop), which is accessible only to software running as SYSTEM
Ensures that UI cannot be spoofed
Ensures that credentials cannot be intercepted
Note: UAC elevation switches to the Winlogon desktop without requiring SAS

Require Trusted Path for Credential Entry

Location: Computer Configuration | Administrative Templates | Windows Components | Credential User Interface
Setting name: Require trusted path for credential entry
Default: Not configured (equivalent to Disabled)
Ex-guidance: Enabled (USGCB "Alpha"; removed for final)

What is “Trusted path for credential entry”?

GUI credential entry (via CredUI) requires Ctrl+Alt+Del
Policy enforced by:
UAC elevation
Remote Desktop client
Explorer: Map network drive with different credentials (Windows 7 only; not enforced in Vista)

Is it more secure?

Prevents some credential prompt spoofing and stealing... if you notice a prompt without Ctrl+Alt+Del before you enter the creds!

Is it worth it?
More steps needed
Your users will hate you, and they will let you know it!
Also applied to same-user, consent-only elevation (WTF?)

Do Not Process the Legacy Run List

Location: Computer Configuration | Administrative Templates | System | Logon
Setting name: Do not process the legacy run list
Default: Not configured (equivalent to Disabled)
(Mis)guidance: Enabled

The “Run” keys under HKLM

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Command lines executed by Explorer during logon
Run with the rights of the logged-on user
Used by legitimate programs and by malware
Adding, modifying or deleting entries requires admin rights
Note: there is also a per-user (HKCU) counterpart, writable by the user, which for some reason security guidance never touches

Benefits?

On well-managed systems: no benefit
Adding/modifying requires admin rights
An attacker with admin has tons of other ASEPs (auto-start extensibility points)
What is typically there?

HKLM “Run” key settings…
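The following is an added example, not part of the session: a PowerShell function that lists what is in the two HKLM Run keys the policy suppresses and in the HKCU key it ignores, alongside which principals the key's ACL allows to write values. It assumes default registry ACLs; the function name is my own.

```powershell
# Added example (not from the session): enumerate the Run keys and show who
# can write to each. On HKLM the writers are Administrators and SYSTEM by
# default, which is why suppressing the key buys nothing against an attacker
# who already has admin; on HKCU the logged-on user can write, and the policy
# does not cover it at all.

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 64-bit only
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'               # untouched by the guidance
    )
    $setValue = [int][Security.AccessControl.RegistryRights]::SetValue
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Principals with an Allow ACE carrying SetValue can add or change entries.
        $writers = Get-Acl -Path $key | Select-Object -ExpandProperty Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.RegistryRights -band $setValue) -ne 0)
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                # Keep %VARS% unexpanded so you see what the attacker (or vendor) wrote.
                Command = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                Writers = $writers -join ', '
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize -Wrap
```

The Writers column is the evidence for the slide's claim: if nobody below Administrators can modify the HKLM keys, then a setting that only blocks those keys only inconveniences software that was installed legitimately, and the HKCU key (which is not blocked) remains available to any malware running as the user.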

NtfsDisable8dot3NameCreation

Location: Security Settings | Local Policies | Security Options
Setting name: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Default: Disabled (configured per-volume)
(Mis)guidance: Enabled

NtfsDisable8dot3NameCreation

Vulnerability (try to keep a straight face):
"If you allow 8.3 style file names, an attacker only needs eight characters to refer to a file that may be 20 characters long. [...] Attackers could use short file names to access data files and applications with long file names that would normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications."

Status:
Removed from USGCB
Removed from MS guidance for Server 2008 R2 (SSLF)
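To see where a machine stands on the policy-backed settings covered in this session (root certificate auto-update, trusted path for credential entry, the legacy run list and 8.3 name creation), here is an added PowerShell example, not from the session, that reads the registry values those policies write. The value locations are my understanding of the ADMX mappings rather than text from the slides, so verify them against your own ADMX files; the function name and the check list are my own.

```powershell
# Added example (not from the session): report the effective state of the
# policy-backed settings discussed here by reading the registry values the
# policies write. Registry locations are assumed from the ADMX mappings.

function Get-LockdownSettingState {
    $checks = @(
        @{ Setting = 'Turn off Automatic Root Certificates Update'
           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
           Value = 'DisableRootAutoUpdate' },
        @{ Setting = 'Require trusted path for credential entry'
           Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
           Value = 'EnableSecureCredentialPrompting' },
        @{ Setting = 'Do not process the legacy run list'
           Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Value = 'DisableLocalMachineRun' },
        @{ Setting = 'NtfsDisable8dot3NameCreation'
           Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
           Value = 'NtfsDisable8dot3NameCreation' }
    )
    # The 8.3 value is not a simple on/off on Vista and later.
    $eightDotThree = @{ 0 = 'Generated on all volumes'; 1 = 'Disabled on all volumes';
                        2 = 'Per-volume (Vista+ default)'; 3 = 'Disabled except system volume' }
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -LiteralPath $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $state = if ($null -eq $v) { 'Not configured' }
                 elseif ($c.Value -eq 'NtfsDisable8dot3NameCreation') { $eightDotThree[[int]$v] }
                 elseif ($v -eq 1) { 'Enabled' }
                 else { "Other ($v)" }
        [pscustomobject]@{ Setting = $c.Setting; Value = $v; State = $state }
    }
}

Get-LockdownSettingState | Format-Table -AutoSize

# Supporting evidence for the root-certificate setting: how many roots are
# present, and how many arrived through the automatic update (the AuthRoot store).
"Trusted Root CAs:   $((Get-ChildItem Cert:\LocalMachine\Root).Count)"
"Auto-updated roots: $((Get-ChildItem Cert:\LocalMachine\AuthRoot).Count)"

# Per-volume 8.3 state, which the registry value alone does not tell you.
& fsutil.exe behavior query disable8dot3 $env:SystemDrive
```

A low count in the AuthRoot store together with DisableRootAutoUpdate = 1 is the signature of the "invalid cert" and "unsigned" complaints described earlier; a value of 2 for the 8.3 setting is the Vista-and-later default the slide refers to as "configured per-volume".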

Blog Posts and KB Articles

Security configuration guidance support (KB 885409)
http://support.microsoft.com/kb/885409

Sticking with Well-Known and Proven Solutions
http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx

Disabling User Account Control (UAC) on Windows Server
http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/04/disabling-user-account-control-uac-on-windows-server.aspx
Also just posted as http://support.microsoft.com/kb/2526083

Problems with FDCC's XP File Permissions
http://blogs.technet.com/b/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx

The Case of the Unexplained Installation Failure (and an ill-advised registry hack)
http://blogs.technet.com/b/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx

Resources

Security Compliance Manager (SCM)
http://technet.microsoft.com/en-us/library/cc677002.aspx

Links to SCM webcasts and demos
http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Aaron's Local Group Policy management tools
http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
Webcast: http://www.msteched.com/2010/Europe/WCL324

Related Content

Breakout Sessions:
SIM305 – Implementing a Security Baseline in Your Environment
SIM307 – Securing Your Windows Platform
WSV325 – Security Configurations Simplified with the Microsoft Security Compliance Manager

Hands-On Labs:
WCL384-HOL – Establishing Security Baselines for Windows Internet Explorer

Safety and Security Center
http://www.microsoft.com/security

Security Development Lifecycle
http://www.microsoft.com/sdl

Security Intelligence Report
http://www.microsoft.com/sir

End to End Trust
http://www.microsoft.com/endtoendtrust

Trustworthy Computing


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.