SEC317 Steve Riley

Views:
 
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

Windows Vista Security Tidbits: 

Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation steve.riley@microsoft.com http://blogs.technet.com/steriley

Overview: 

Overview User And Group Changes Admin account New/Missing SIDs New/Missing Users and Groups Cached credentials Kernel Changes Buffer overflow protection ACL Changes Encryption changes Suite B TS SSO EFS with Smart Cards Audit changes User rights New and changed security options Firewall Auth IP SMBv2

User and Group Changes: 

User and Group Changes

Administrator Account Status: 

Administrator Account Status

Built-in “Administrator”: 

Built-in 'Administrator' Safe mode created a hole: reboot and login without a password! New behavior: Non-domain: if you have a local admin, safe mode prohibits use of BA Domain: BA can never be used

Power Users Are Not Anymore: 

Power Users Are Not Anymore

New Groups: 

New Groups

Some Additional SIDs: 

Some Additional SIDs

And A Few More SIDs: 

And A Few More SIDs The Trusted Installer A Service INTERNET USER High integrity SID Low integrity SID Medium integrity SID System integrity SID

Integrity Levels in Token: 

Integrity Levels in Token

ACL Changes: 

ACL Changes

ACL Modifications: 

ACL Modifications

Old ACL UI: 

Old ACL UI

New ACL UI: 

New ACL UI

Owner Needs Explicit Perms: 

Owner Needs Explicit Perms

Kernel Changes: 

Kernel Changes

Better Buffer Overflow Protection: 

Better Buffer Overflow Protection Second cookie protects exception handlers Safer CRT exception handlers No more executable pages outside images Enforced by better development practices and code scanning tools /NXCOMPAT linker flag in build tools If all binaries in a process are marked NX is automatically enabled for the process Heap protection Signed kernel code (x64 only)

Crypto Changes: 

Crypto Changes

Offline Files Encrypted Per User: 

Offline Files Encrypted Per User

Encrypted Pagefile: 

Encrypted Pagefile

Suite-B Crypto: 

Suite-B Crypto Software and Smart Card Key Storage Providers Cryptographic configuration NIST ECC Prime Curves support (smart cards too) AES SHA-2 IPsec support for AES and ECDH ECC cipher suites in SSL EFS with smart cards

Cached Credentials Much Tougher: 

Cached Credentials Much Tougher

Improved Auditing: 

Improved Auditing

Granular Audit Policy: 

Granular Audit Policy

Object Access Auditing: 

Object Access Auditing Object Access Attempt: Object Server: %1 Handle ID: %2 Object Type: %3 Process ID: %4 Image File Name: %5 Access Mask: %6

Object Access Auditing: 

Object Access Auditing An operation was performed on an object. Subject :                                                                 Security ID: %1                 Account Name: %2                          Account Domain: %3                 Logon ID: %4          Object:                 Object Server: %5                 Object Type: %6                 Object Name: %7                 Handle ID: %9 Operation:                 Operation Type: %8                 Accesses: %10                 Access Mask: %11                 Properties: %12                 Additional Info: %13                 Additional Info2: %14

Added Auditing For: 

Added Auditing For Registry value change audit events (old+new values) AD change audit events (old+new values) Improved operation-based audit Audit events for UAC Improved IPSec audit events including support for AuthIP RPC Call audit events Share Access audit events Share Management events Cryptographic function audit events NAP audit events (server only) IAS (RADIUS) audit events (server only)

More Info In Event Log UI: 

More Info In Event Log UI

XML Events: 

XML Events

New Event Numbers: 

New Event Numbers

New and Modified User Rights: 

New and Modified User Rights

Changes to User Rights: 

Changes to User Rights All rights for Power Users removed Create global objects does not have INTERACTIVE SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET Logon as a service is now empty by default

New User Rights: 

New User Rights Access credential manager as a trusted caller Winlogon uses for credential manager backup/restore Change time zone user right Create symbolic links Modify an object’s integrity label Synchronize directory service data Increase a process working set

Security Options With Modified Defaults: 

Security Options With Modified Defaults

Anonymous Named Pipes: 

Anonymous Named Pipes

Anonymous Named Pipes: 

Anonymous Named Pipes

Network access: remotely accessible registry paths: 

Network access: remotely accessible registry paths

Network access: remotely accessible registry paths: 

Network access: remotely accessible registry paths

Network access: shares that can be accessed anonymously: 

Network access: shares that can be accessed anonymously

Network access: shares that can be accessed anonymously: 

Network access: shares that can be accessed anonymously

Network Security: Do not store LAN Manager hash value on next password change: 

Network Security: Do not store LAN Manager hash value on next password change

Network Security: Do not store LAN Manager hash value on next password change: 

Network Security: Do not store LAN Manager hash value on next password change

Network security: LAN Manager authentication level: 

Network security: LAN Manager authentication level

Network security: LAN Manager authentication level: 

Network security: LAN Manager authentication level

Devices: Allowed to format and eject removable media: 

Devices: Allowed to format and eject removable media

Devices: Allowed to format and eject removable media: 

Devices: Allowed to format and eject removable media

Devices: Restrict CD-ROM/Floppy access to locally logged on user only: 

Devices: Restrict CD-ROM/Floppy access to locally logged on user only

Devices: Restrict CD-ROM/Floppy access to locally logged on user only: 

Devices: Restrict CD-ROM/Floppy access to locally logged on user only

Devices: Unsigned driver installation behavior: 

Devices: Unsigned driver installation behavior

Devices: Unsigned driver installation behavior: 

Devices: Unsigned driver installation behavior

Why Change It?: 

Why Change It?

Devices and Drivers: 

Devices and Drivers

Allowing users to install drivers: 

Allowing users to install drivers

Installing devices: 

Installing devices

Configuring device restrictions: 

Configuring device restrictions

New Security Options: 

New Security Options

Network access: Restrict anonymous access to named pipes and shares: 

Network access: Restrict anonymous access to named pipes and shares

System settings: Optional subsystems: 

System settings: Optional subsystems

System settings: Use certificate rules on windows executables for software restriction policies: 

System settings: Use certificate rules on windows executables for software restriction policies

Lots and lots and lots of GP changes: 

Lots and lots and lots of GP changes

Last Logon Display: 

Last Logon Display

Trusted Path Credential Entry: 

Trusted Path Credential Entry

Smart Card Policies: 

Smart Card Policies

RDP: 

RDP

New RDP Control: 

New RDP Control

New RDP Control: 

New RDP Control

Timeless Security Advice!: 

Timeless Security Advice! Order online: http://www.protectyourwindowsnetwork.com steve.riley@microsoft.com http://blogs.technet.com/steriley

authorStream Live Help