Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end (FUN210)
Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
Andrew Tucker, Development Lead, Microsoft Corporation

Agenda
• Windows Vista and “Longhorn” Server Security Overview
• Isolated Desktop
• Crypto Next Generation (a.k.a. CNG)
• Base Smart Card CSP architecture
• X.509 Enrollment classes
• WinLogon Architecture
• User Account Protection and You
Vista Security Overview (figure): a grid of the security pillars Authentication, Authorization, Audit, Access Control, Secure Operating System and Cryptography Services, with the features the deck maps onto them: Logon, 2 Factor AuthN, Smart Cards, Credential Management, Credential Roaming, Identity, Lifecycle Management, RBAC, AzMan, App AuthZ, Policy exp., Eventing, Logging, Common Criteria, Isolated Desktop, Secure Startup, Certificate Server, Protocol, FIPS, X.509 Processing, CAPI, CNG and End User Tools.
Session 0 Isolation: Windows XP behavior (figure)
• Session 0 is the console session: Services A, B and C run in it side by side with user applications
• Sessions 1, 2 and 3 hold the remaining user applications (Applications A through L are spread across all four sessions)

Session 0 Isolation: Windows Vista behavior (figure)
• Session 0 holds only Services A, B and C
• All user applications (Applications A through I) run in Sessions 1, 2 and 3; no application shares a session with a service

Session 0 Isolation: Technology Introduction
• Separation of services from user sessions
• The desktop is the security boundary for Windows user interfaces
• Interactive services are vulnerable to compromise through Windows messaging: a service window on the user's desktop accepts window messages from any process on that desktop
• Users cannot see or interact with interactive service UI from their own session

Session 0 Isolation: Implementation Guidelines
• Services should NEVER open a window on the interactive desktop
• Services that need user input can:
  • Use WTSSendMessage to pop up a simple message box on the user's desktop
  • Launch a helper process in the target session with the CreateProcessAsUser API
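The first of the two sanctioned paths, in practice. This is an added example for this page, not code from the deck or from Microsoft: a Windows PowerShell script meant to run from a service's own process (Session 0) that uses WTSSendMessage to put a Yes/No prompt on the console user's desktop and reads the answer back. The P/Invoke declarations are the public wtsapi32/kernel32 signatures; the prompt text and the function name Send-ConsoleUserPrompt are assumptions of the example. The CreateProcessAsUser path is not shown.

```powershell
# Added example (not from the deck). Calling MessageBox from a service would render the
# box on the Session 0 desktop, where no user can see or answer it; WTSSendMessage targets
# a chosen session instead, so the service never owns a window on an interactive desktop.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WtsNative {
    [DllImport("kernel32.dll")]
    public static extern uint WTSGetActiveConsoleSessionId();

    // WTSSendMessageW: title/message lengths are in BYTES, not characters
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSSendMessage(IntPtr hServer, uint SessionId,
        string pTitle, uint TitleLength, string pMessage, uint MessageLength,
        uint Style, uint Timeout, out uint pResponse, bool bWait);
}
"@

function Send-ConsoleUserPrompt([string]$Title, [string]$Message, [uint32]$TimeoutSeconds = 60) {
    $WTS_CURRENT_SERVER_HANDLE = [IntPtr]::Zero
    $MB_YESNO = 0x00000004
    $MB_ICONWARNING = 0x00000030

    # The console session id is 0xFFFFFFFF when nobody is logged on at the console
    $session = [WtsNative]::WTSGetActiveConsoleSessionId()
    if ($session -eq 0xFFFFFFFF) { throw 'No user session is attached to the console' }

    $response = [uint32]0
    $ok = [WtsNative]::WTSSendMessage($WTS_CURRENT_SERVER_HANDLE, $session,
        $Title, [uint32]($Title.Length * 2), $Message, [uint32]($Message.Length * 2),
        ($MB_YESNO -bor $MB_ICONWARNING), $TimeoutSeconds, [ref]$response, $true)
    if (-not $ok) {
        throw ('WTSSendMessage failed, Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }

    # Response codes are the MessageBox constants; IDTIMEOUT (32000) means the user never answered
    switch ($response) {
        6       { 'yes' }      # IDYES
        7       { 'no' }       # IDNO
        32000   { 'timeout' }  # IDTIMEOUT
        default { "button $response" }
    }
}

# Constructed prompt text; run this from a service to see it land in the user's session
Send-ConsoleUserPrompt -Title 'Pending update' -Message 'Restart the service now?' -TimeoutSeconds 30
```

With bWait set, the call blocks the service thread until the user answers or the timeout expires, so a real service should issue it from a worker thread. If the service needs more than a message box, the second option from the slide applies: obtain the session's user token and start a helper process in that session with CreateProcessAsUser, keeping all UI in the helper.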
Crypto Next Generation: Technology Overview
• New crypto infrastructure to replace the existing CAPI 1.0 APIs
• CAPI will still be available in Vista but will be deprecated in a future version
• Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
• New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)

Crypto Next Generation: Why replace CAPI?
• The design is 10 years old and shows it
• The plug-in model is monolithic, error prone and inflexible
• No centralized configuration system
• Not available in kernel mode
• Performance leaves much to be desired

Crypto Next Generation: Feature highlights
• Crypto agility
• Flexible configuration system that includes machine-level and enterprise-level settings
• Simple and granular plug-in model that supports both kernel and user mode
• Supports a superset of the algorithms in CAPI, including elliptic curve crypto (ECDH, ECDSA) and “Suite B” compliance
• Private key isolation for Common Criteria compliance
• Improved performance

Crypto Next Generation: Three layers of plug-ins (figure)
• Applications call into the top layer, the Protocol Providers
• Per-function routers dispatch each call: Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router and Key Storage Router
• The routers forward to the bottom layers, Key Storage Providers and Primitive Providers

Crypto Next Generation: Primitive Providers
• Low-level algorithm implementations
• Six different types: symmetric encryption, hash functions, asymmetric encryption, secret agreement, signatures, random number generation
• No persistent keys or key isolation

Crypto Next Generation: Key Storage Providers
• Provide persistent key support for public/private keys
• Isolate all private key usage to a secure process rather than the client process
• Can be used to interface hardware such as HSMs, smart cards, etc.

Crypto Next Generation: Protocol Providers
• Crypto functionality that is specific to a protocol
• SSL: add new cipher suites or replace implementations of existing cipher suites
• S/MIME: plug in new algorithms for signing and encrypting email

Crypto Next Generation
• CNG is expected to be an Open Cryptographic Interface (OCI) and will no longer require plug-ins to be signed by Microsoft
• We are working to enable this under US export law
• Eliminates one of the big headaches of CAPI CSPs

Implementing a Symmetric Encryption Provider: implement, install and use a symmetric encryption primitive provider. The calling sequence an application runs against the provider:
1. Open Algorithm Provider
2. Get/Set Algorithm Property
3. Create Key
4. Get/Set Key Property
5. Crypto Operation(s)
6. Destroy Key
7. Close Algorithm Provider
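The seven steps above, executed against the in-box AES primitive provider through the public user-mode BCrypt API. This is an added example for this page, not code from the deck or from the CNG SDK: Windows PowerShell calling bcrypt.dll via P/Invoke, which shows the "use" side of the sequence only (registering a third-party provider is not shown). The key, IV and plaintext are constructed test values, and the helper names Assert-NtSuccess, Protect-WithCngAes and Test-AgainstDotNet are the example's own.

```powershell
# Added example (not from the deck): the BCrypt lifecycle from the slide, one call per step.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class BCryptNative {
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptOpenAlgorithmProvider(out IntPtr phAlgorithm, string pszAlgId, string pszImplementation, uint dwFlags);
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptGetProperty(IntPtr hObject, string pszProperty, byte[] pbOutput, uint cbOutput, out uint pcbResult, uint dwFlags);
    [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int BCryptSetProperty(IntPtr hObject, string pszProperty, byte[] pbInput, uint cbInput, uint dwFlags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptGenerateSymmetricKey(IntPtr hAlgorithm, out IntPtr phKey, byte[] pbKeyObject, uint cbKeyObject, byte[] pbSecret, uint cbSecret, uint dwFlags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptEncrypt(IntPtr hKey, byte[] pbInput, uint cbInput, IntPtr pPaddingInfo, byte[] pbIV, uint cbIV, byte[] pbOutput, uint cbOutput, out uint pcbResult, uint dwFlags);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptDestroyKey(IntPtr hKey);
    [DllImport("bcrypt.dll")]
    public static extern int BCryptCloseAlgorithmProvider(IntPtr hAlgorithm, uint dwFlags);
}
"@

function Assert-NtSuccess([int]$Status, [string]$Step) {
    # NTSTATUS 0 is STATUS_SUCCESS; anything else aborts the sequence with the code in hex
    if ($Status -ne 0) { throw ('{0} failed with NTSTATUS 0x{1:X8}' -f $Step, $Status) }
}

function Protect-WithCngAes([byte[]]$Key, [byte[]]$IV, [byte[]]$Plaintext) {
    $hAlg = [IntPtr]::Zero
    # 1. Open algorithm provider. "AES" is BCRYPT_AES_ALGORITHM; a null implementation name
    #    lets the symmetric crypto router pick whichever provider is configured for AES.
    Assert-NtSuccess ([BCryptNative]::BCryptOpenAlgorithmProvider([ref]$hAlg, 'AES', $null, 0)) 'BCryptOpenAlgorithmProvider'
    try {
        # 2. Get/Set algorithm properties: size of the provider's key object, then CBC mode
        $buf = New-Object byte[] 4
        $cb = [uint32]0
        Assert-NtSuccess ([BCryptNative]::BCryptGetProperty($hAlg, 'ObjectLength', $buf, 4, [ref]$cb, 0)) 'BCryptGetProperty(ObjectLength)'
        $objectLength = [BitConverter]::ToUInt32($buf, 0)
        $mode = [Text.Encoding]::Unicode.GetBytes("ChainingModeCBC`0")   # BCRYPT_CHAIN_MODE_CBC, NUL-terminated
        Assert-NtSuccess ([BCryptNative]::BCryptSetProperty($hAlg, 'ChainingMode', $mode, $mode.Length, 0)) 'BCryptSetProperty(ChainingMode)'

        # 3. Create key: the provider keeps its key schedule in the caller-supplied key object
        $hKey = [IntPtr]::Zero
        $keyObject = New-Object byte[] $objectLength
        Assert-NtSuccess ([BCryptNative]::BCryptGenerateSymmetricKey($hAlg, [ref]$hKey, $keyObject, $objectLength, $Key, $Key.Length, 0)) 'BCryptGenerateSymmetricKey'
        try {
            # 4. Get/Set key property: nothing to change here, the key inherits the chaining mode
            # 5. Crypto operation: size query with a null output buffer, then the real call.
            #    BCRYPT_BLOCK_PADDING (0x1) requests PKCS#7 padding; the IV buffer is updated
            #    in place by the provider, so a fresh copy is passed each time.
            $BCRYPT_BLOCK_PADDING = 1
            $needed = [uint32]0
            Assert-NtSuccess ([BCryptNative]::BCryptEncrypt($hKey, $Plaintext, $Plaintext.Length, [IntPtr]::Zero, [byte[]]$IV.Clone(), $IV.Length, $null, 0, [ref]$needed, $BCRYPT_BLOCK_PADDING)) 'BCryptEncrypt(size query)'
            $out = New-Object byte[] $needed
            $written = [uint32]0
            Assert-NtSuccess ([BCryptNative]::BCryptEncrypt($hKey, $Plaintext, $Plaintext.Length, [IntPtr]::Zero, [byte[]]$IV.Clone(), $IV.Length, $out, $out.Length, [ref]$written, $BCRYPT_BLOCK_PADDING)) 'BCryptEncrypt'
            return ,$out[0..($written - 1)]
        }
        finally { [void][BCryptNative]::BCryptDestroyKey($hKey) }              # 6. Destroy key
    }
    finally { [void][BCryptNative]::BCryptCloseAlgorithmProvider($hAlg, 0) }  # 7. Close algorithm provider
}

function Test-AgainstDotNet([byte[]]$Key, [byte[]]$IV, [byte[]]$Plaintext) {
    # Cross-check: the managed AES class must produce the same CBC/PKCS#7 ciphertext
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'
    $aes.Padding = 'PKCS7'
    $expected = $aes.CreateEncryptor($Key, $IV).TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $actual = Protect-WithCngAes $Key $IV $Plaintext
    return ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString($actual))
}

# Constructed test vector: 16-byte key and IV, 20-byte message so padding is exercised
$key = [byte[]](0..15)
$iv  = [byte[]](16..31)
$msg = [Text.Encoding]::ASCII.GetBytes('CNG primitive demo!!')
$ct  = Protect-WithCngAes $key $iv $msg
'{0} bytes of ciphertext, matches .NET AES: {1}' -f $ct.Length, (Test-AgainstDotNet $key $iv $msg)
```

Two details matter for anyone writing the provider side of this sequence: the key object is caller-allocated memory sized by the ObjectLength property, so a provider must report that size correctly before any key exists, and BCryptEncrypt is called twice, once with a null output buffer purely to learn the padded length, so a provider must answer that size query without touching the IV or the key state.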
WinLogon Architecture: Windows XP (figure)
• Session 0: WinLogon, together with LSA, Profiles, User GP, SCM, Machine GP, MSGINA and the Shell
• Other sessions: a WinLogon per session, with User GP, MSGINA and the Shell

WinLogon Architecture: Vista (figure)
• Session 0: LSA, RCM, WinInit, Profiles, SCM and Group Policy
• Other sessions: WinLogon with LogonUI, which hosts Credential Provider 1, Credential Provider 2 and Credential Provider 3

Credential Providers: Technology Introduction
• Credential Providers replace GINA
• Credential Providers plug in to LogonUI
• LogonUI can interact simultaneously with multiple credential providers
• Credential Providers can be user selected and/or event driven
• Inbox Credential Providers: Password, Smart Card
• What Credential Providers cannot do: replace the UI for the logon screen

Credential Providers: Value Proposition
• Easier to write a Credential Provider than it was to write a GINA
  • LogonUI and CredUI provide all UI
  • Winlogon handles LsaLogonUser and Terminal Services support
  • Credential providers simply define credentials and use LogonUI to gather the data
• Uses COM to interact with LogonUI and CredUI

Credential Providers: Password Example (figure, steps in order)
1. User presses Ctrl+Alt+Delete (WinLogon)
2. WinLogon requests a credential from LogonUI
3. LogonUI gets credential information from each Credential Provider
4. LogonUI displays the UI
5. User clicks on a tile, types user name and password, clicks Go
6. Go is received through the Credential Provider interfaces
7. LogonUI gets the credential for logon from the provider
8. LogonUI returns the credential to WinLogon
9. WinLogon calls LsaLogonUser (LSA)
Smart Card Subsystem: Current (figure)
• Crypto applications (IE, Outlook) go through CAPI; non-crypto applications call the SCard API directly
• Under CAPI, each card vendor ships its own complete Smart Card CSP (#1, #2, ... #n)
• All paths end at the Smart Card Resource Manager

Smart Card Subsystem: Vista and Beyond (figure)
• Crypto applications go through CAPI or CNG; non-crypto applications still call the SCard API
• CAPI routes to the Base CSP and CNG to the Smart Card KSP; both sit on the platform-supplied smart card layer, and the vendor supplies only a card module (RSA, ECC or RSA/ECC)
• Existing vendor Smart Card CSPs remain usable under CAPI
• Everything reaches the card through the Smart Card Resource Manager

Smart Card Subsystem
• Simplified software development
  • Common crypto operations handled in the platform
  • API for card manufacturers
• Enhanced user experience
  • Planned certification and testing program for smart card middleware on Windows Update
  • PnP support for smart cards
• Enhanced smart card logon scenarios
  • Root certificate propagation
  • Integrated smart card unblock
X.509 Enrollment Classes: What's new
• The ActiveX controls Xenroll and ScrdEnrl are retired
• New comprehensive COM classes (CertEnroll) for PKI operations
• “Suite B” algorithm support

X.509 Enrollment Classes: Value Proposition
• Xenroll
  • Difficult to use, monolithic interfaces
  • High cost of maintenance for...
    • Microsoft, to support Xenroll
    • Customers and third-party CAs, if and when Xenroll is updated
• CertEnroll
  • Easy to use, modular interfaces
  • No download required

X.509 Enrollment Classes: Architectural Block Diagram (figure)
• Callers: 3rd party applications, Web Enrollment Services, the Auto-Enrollment Provider, the Certificate Management MMC and CertReq.exe
• Public Enrollment Classes, implemented on top of Internal Enrollment Classes
• Underneath: CAPI, CNG and the Win32 API; the Aero Wizard and Direct UI supply the user interface

X.509 Enrollment Classes: Class diagram overview (every interface derives from IDispatch)
• Request classes: IX509CertificateRequest, IX509CertificateRequestPkcs10, IX509CertificateRequestCertificate, IX509CertificateRequestPkcs7, IX509CertificateRequestCmc
• Enrollment classes: IX509Enrollment, IX509Enrollments, IX509EnrollmentStatus
• Crypto classes: ICspAlgorithm, ICspAlgorithms, ICspInformation, ICspInformations, ICspStatus, ICspStatuses, IX509PublicKey, IX509PrivateKey
• Attribute classes: IX509Attribute, IX509Attributes, IX509AttributeExtensions, IX509Extension, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509ExtensionTemplateName, IX509ExtensionTemplate, ICryptAttribute, ICryptAttributes
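The request, crypto and attribute classes from the diagram, used together to build a PKCS#10 request without any CA involvement. This is an added example for this page, not code from the deck or from Microsoft's CertEnroll samples: Windows PowerShell driving the CertEnroll COM classes (ProgIDs under X509Enrollment.*). The subject name, the client-authentication EKU, the key size and the function names New-ClientAuthCsr and Read-Csr are assumptions of the example.

```powershell
# Added example (not from the deck): IX509PrivateKey -> IX509CertificateRequestPkcs10 ->
# IX509Extension* -> IX509Enrollment, then decode the result to check what was signed.
function New-ClientAuthCsr([string]$Subject) {
    $ContextUser            = 1      # X509CertificateEnrollmentContext.ContextUser
    $XCN_CERT_NAME_STR_NONE = 0
    $XCN_CRYPT_STRING_BASE64 = 1

    # IX509PrivateKey: non-exportable RSA key in the CNG software KSP, so the private key
    # stays inside the key-isolation process described on the Key Storage Provider slide
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = 'Microsoft Software Key Storage Provider'
    $key.KeySpec        = 0          # XCN_AT_NONE, the value to use with a CNG KSP
    $key.Length         = 2048
    $key.MachineContext = $false
    $key.ExportPolicy   = 0          # XCN_NCRYPT_ALLOW_EXPORT_NONE
    $key.Create()

    # IX509CertificateRequestPkcs10 bound to that key, with no certificate template
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey($ContextUser, $key, '')

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($Subject, $XCN_CERT_NAME_STR_NONE)
    $req.Subject = $dn

    # IX509ExtensionKeyUsage: digitalSignature only, which is all client auth needs
    $ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
    $ku.InitializeEncode(0x80)       # XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE
    $req.X509Extensions.Add($ku)

    # IX509ExtensionEnhancedKeyUsage: id-kp-clientAuth
    $oid = New-Object -ComObject X509Enrollment.CObjectId
    $oid.InitializeFromValue('1.3.6.1.5.5.7.3.2')
    $oids = New-Object -ComObject X509Enrollment.CObjectIds
    $oids.Add($oid)
    $eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    $eku.InitializeEncode($oids)
    $req.X509Extensions.Add($eku)

    # Request signature hash chosen explicitly instead of relying on the default
    $hash = New-Object -ComObject X509Enrollment.CObjectId
    $hash.InitializeFromAlgorithmName(1, 0, 0, 'SHA256')   # XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1
    $req.HashAlgorithm = $hash

    # IX509Enrollment turns the request object into the encoded PKCS#10 to submit to a CA
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    return $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)
}

function Read-Csr([string]$Base64Csr) {
    # Decode the request again and report what a CA would see
    $p10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $p10.InitializeDecode($Base64Csr, 1)                    # XCN_CRYPT_STRING_BASE64
    [pscustomobject]@{
        Subject    = $p10.Subject.Name
        KeyLength  = $p10.PublicKey.Length
        Extensions = @($p10.X509Extensions | ForEach-Object { $_.ObjectId.FriendlyName })
    }
}

$csr = New-ClientAuthCsr 'CN=workstation01.corp.example'   # constructed subject
Read-Csr $csr
```

Read-Csr should report the subject, a 2048-bit key and the Key Usage and Enhanced Key Usage extensions; the private key itself was created non-exportable and is never handled by the script. The Suite B support mentioned on the What's new slide is reached the same way, by setting IX509PrivateKey.Algorithm to an ECC algorithm object before Create() instead of taking the RSA default.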
Service Hardening: Motivation
• Services are attractive targets for malware
  • They run without user interaction
  • Many critical vulnerabilities have been in services
  • A large number of services run as “System”
• Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.

Service Hardening: Developer Guidance
• Move to a least-privileged account
  • Use “Local Service” or “Network Service”
  • Remove privileges that are not needed
• Grant the service SID access via ACLs on service-specific resources
• Use the service SID, ACLs and a “write-restricted token” to isolate services
• Supply network firewall rules
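The four guidance items above applied as one configuration script. This is an added example for this page, not from the deck: Windows PowerShell, run elevated on Vista or later, against a hypothetical service named MySvc with a state directory under C:\ProgramData\MySvc; the listening port 8443 and the SeChangeNotifyPrivilege-only privilege set are illustrative assumptions. Get-ServiceSid reproduces the SCM's service-SID derivation locally so the ACL can be set from the service name alone, and sc.exe showsid is the check that the value matches.

```powershell
# Added example (not from the deck). 'sc' is an alias for Set-Content in PowerShell,
# so the Service Control Manager tool is always invoked as sc.exe here.
function Get-ServiceSid([string]$ServiceName) {
    # Service SIDs are deterministic: S-1-5-80-<SHA-1 of the upper-case UTF-16LE service
    # name, read as five little-endian 32-bit sub-authorities>
    $hash = [System.Security.Cryptography.SHA1]::Create().ComputeHash(
        [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant()))
    $subAuthorities = foreach ($i in 0..4) { [BitConverter]::ToUInt32($hash, $i * 4) }
    New-Object System.Security.Principal.SecurityIdentifier ('S-1-5-80-' + ($subAuthorities -join '-'))
}

$svc      = 'MySvc'                 # hypothetical service, must already be installed
$stateDir = 'C:\ProgramData\MySvc'  # hypothetical service-specific resource it must write

# 1. Least-privileged account instead of LocalSystem (note the space after obj=)
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Keep only the privileges the code needs; several are separated with '/'
sc.exe privs $svc SeChangeNotifyPrivilege

# 3. Put the service SID in the token and make the token write-restricted:
#    the service can then only write where its own SID (or the restricting SIDs) is granted
sc.exe sidtype $svc restricted

# 4. ACL the service's own resource to the service SID rather than to the shared account,
#    so other LocalService processes get nothing from this grant
$sid  = Get-ServiceSid $svc
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $stateDir
$acl.AddAccessRule($rule)
Set-Acl -Path $stateDir -AclObject $acl

# 5. Firewall rule scoped to the service, so the port is open only while this service owns the socket
netsh advfirewall firewall add rule name="$svc inbound" dir=in action=allow service=$svc protocol=TCP localport=8443

# Check: the SCM's SID for the service must equal the locally computed one
sc.exe showsid $svc
$sid.Value
```

The restricted SID type is the "write-restricted token" from the slide; it takes effect on the next start of the service, and anything the service must write to, beyond the resources ACLed to its SID, will fail until it is granted explicitly, which is exactly the inventory of writes a least-privilege review wants to surface.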
User Account Protection
• Previously known as “LUA”
• Users will log on as non-administrator by default
  • Protects the system from the user
  • Enables the system to protect the user
• Consent UI allows elevation to administrator
• Applications and administrator tools should be UAP aware
  • Differentiate capabilities based on UAP
  • Apply the correct security checks to product features
• Start testing your software in LH Beta 1 and LH Beta 2 with UAP

User Account Protection: Additional Information
• Where can I find more information?
  • Come get the whitepaper from the FUNdamentals Cabana!
  • FUN406 - Windows Vista: User Account Protection “Securing Your Application with Least Privilege Administration”
• Contact info
  • Darren Canavor – darrenc@Microsoft.com

CNG: Additional Information
• CNG documentation available for review
  • API documentation: currently only available with signed NDA and EULA
• Contacts
  • Tomas Palmer - tomasp@Microsoft.com
  • Tolga Acar - tolga@Microsoft.com

Smart Card Subsystem: Additional Information
• Where can I find more information?
  • Base CSP and Card Module specifications have been published to over 20 card vendors; ask whether your card vendor has a card module
  • The card module developer kit (card module spec, Base CSP binary, test suite, etc.) is currently only available with signed NDA and EULA
  • Card module developer information will be made public via MSDN in the coming months
  • A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
• Contact info
  • Derek Adam (DerekA@microsoft.com)

X.509 Enrollment Classes: Additional Information
• Where can I find more information?
  • Libraries included in Vista Beta 1
  • Specifications are currently only available with signed NDA and EULA
• Contact info
  • Anand Abhyankar - Anand.Abhyankar@Microsoft.com

Service Hardening: Additional Information
• Related sessions
  • FUNHOL019 – “Best Practices for writing Vista Services”
• Contacts
  • Windows Service Hardening - wsh@Microsoft.com
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.