Coming to Your Network Soon! Windows 7
John Brumley, Lowell Furman, Brent Moberly, Sheryl Swinson
6/27/2009
Presentation Agenda
• The User Interface – Sheryl Swinson
• Performance Enhancements – John Brumley
• Security – Dr. Brent Moberly
• Networking – Lowell Furman
• Questions at the presentation's end, except for Networking; interruptions are encouraged in Networking.
Coming to Your Network Soon! Windows 7
The User Interface
Sheryl Swinson – Indiana University
Task Bar
• Hmmm… This looks pretty familiar…
Task Bar
• Relocate
• Hover
• Jumplists
System Tray
• The “mystery meat” is gone
• The foggy little appendix (we’ll come back to it later)
Desktop and Window Management
• Peeking
• Gadgets
• Gestures
Coming to Your Network Soon! Windows 7
Performance Enhancements
John Brumley – Indiana University
Performance Enhancements
• Power-Management
• Processing Enhancements
• Graphic Enhancements
• Solid-State Drive Optimization
• Media distribution / HomeGroup
• New Gadgets, Programs and Abilities
Power-Management
• Reduced power consumption
• Idle resource utilization by Timer Coalescing API
Power-Management Continued
• Device power management
  - Adaptive Display brightness
  - Low-power audio
  - Bluetooth & network power improvements
Processing Enhancements
- Processor Power-Management (PPM) driver support
- Hyper-threading Utilization
- HT works with multi-core CPUs
- Timer-Coalescing API
Graphic Enhancements
- New algorithms for 3D graphics and for Desktop performance
- GDI concurrency
- Reduced memory footprint
- Optimized for multi-core CPUs
Solid-state Drive Optimization
- Reduce frequency of writes and flushes
- Disk defragmentation disabled for SSD
- Supports Trim
- Disables Superfetch, ReadyBoost, as well as boot and application prefetching.
- Bitlocker encryption is optimized for SSD
Media Distribution / HomeGroup
- Supports Network Media Devices (NMDs) following Digital Living Network Alliance (DLNA) standard.
- Based on the “family-home” concept
- “Play To” ability
Media Distribution / HomeGroup
- Internet access to home media using @Live account
- New NAT traversal technology
- Media format conversion for unsupported codecs
- Printers install across all HomeGroup PCs.
New Gadgets, Programs & Abilities
- Improved calculator
- Problem Steps Recorder
- Built-in ISO burner utility
- Math Input Panel
- Sticky Notes
- PowerShell 2.0
Coming to Your Network Soon! Windows 7
Security
Dr. Brent Moberly – Indiana University
Security Outline
• Compatibility
• Security – background
• We will not debate Mac vs. PC slide – there is only one slide for this discussion
• User Access Controls
• Mandatory Integrity Control (MIC)
• AppLocker
• Future Reading List
Compatibility Tab
• The Windows 7 compatibility tab fools programs into thinking they are running under earlier versions of Windows.
Windows XP Mode
• Windows XP mode is a virtual machine running a fully-licensed version of Windows XP.
• Demo
Windows XP Mode - Download
• Windows XP Mode is not included by default.
• Users will have to download it from Microsoft.
http://www.microsoft.com/windows/virtual-pc/download.aspx
Security Intro, UAC, and Fun Programs
First Year of Vulnerabilities XP vs. Vista
From “Windows Vista Security One Year Later,” Windows Security Blog (http://blogs.msdn.com/windowsvistasecurity/archive/2008/01/23/windows-vista-security-one-year-later.aspx)
Infected Machines: June – December 2007
“In fact, from June – December 2007, using proportionate numbers, the MSRT found and cleaned malware from 60.5% fewer Windows Vista-based computers than from computers running Windows XP with Service Pack 2 installed. How about Windows 2000? Using proportionate numbers, MSRT found and cleaned malware from 44% fewer Windows Vista-based computers than Windows 2000 SP4 computers and 77% fewer than from computers running Windows 2000 SP3.”
From “Windows Vista and Malware,” Windows Security Blog (http://blogs.msdn.com/windowsvistasecurity/archive/2008/05/09/windows-vista-windows-2000-and-malware.aspx)
Infection Rates - all Windows Versions: July-Dec. 2008.
From “The Latest Microsoft Security Intelligence Report,” Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/sir.aspx)
Detected Infections @IU Aug 2008 – Present
[Bar chart comparing XP and Vista; data labels: XP 53, Vista 22]
Buts we Roxors teh OS X….
“It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista….” “… It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac.”
From “Mac OS X Top Target in Browser Beatdown,” Security Fix Blog (http://voices.washingtonpost.com/securityfix/2009/03/mac_os_x_top_target_in_browser.html)
Least User Access (LUA)
• Underlying principle behind Win 7 (and Vista) security is that of least privilege or Least User Access (LUA).
• Namely, users should run under the minimum set of privileges required to perform a given task and elevate only if they require additional privileges.
Windows 7 User Modes
• Standard User • Administrator • Administrator-Approval
User Access Control (UAC)
• Windows 7 UAC Control Panel (4 options)
• Windows Vista UAC Control Panel (1 option)
User Access Control (UAC)
• Standard Users cannot auto-elevate
User Access Control Prompts
• Windows 7 Unsigned Application
• Windows Vista Unsigned Application
User Access Control Prompts
• Windows 7 Signed Application
• Windows Vista Signed Application
Setting and auditing UAC Programmatically
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
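One way to audit the key above, added here as an example that is not part of the presentation: it parses `reg query` output and flags weak UAC settings. The value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the documented UAC policy values under this key and do not appear on the slides; the sample output is constructed.

```python
import re

# Constructed sample of `reg query` output for the Policies\System key (not from the slides).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
"""

REQUIRED = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
DWORD_LINE = re.compile(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)


def parse_reg_query(text):
    """Collect REG_DWORD values from `reg query` text into {name: int}."""
    return {name: int(value, 16) for name, value in DWORD_LINE.findall(text)}


def audit_uac(values):
    """Return one finding per setting that weakens or disables UAC prompting."""
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is turned off")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts appear on the user's desktop")
    # A missing value means the export is incomplete, so report it instead of guessing.
    findings += [f"{name}: not present in the export" for name in REQUIRED if name not in values]
    return findings


if __name__ == "__main__":
    for finding in audit_uac(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```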
Setting UAC via Security Policies
• Security Settings > Local Policies > Security Options
UAC Under the Hood
Q: How does Windows know when to elevate?
A: Three main factors
1) Mandatory Integrity Control (MIC)
2) DACLs (to some extent)
3) Manifests
Manifests
• Manifests allow applications to request specific privileges.
• Ideally, manifests are embedded into an application’s resource tree.
• But they can also be added as stand alone files in an application’s directory.
Sample Manifest File
RequestedExecutionLevel
• asInvoker – runs with the same access token as the parent process.
• highestAvailable – runs with the highest privileges the current user can obtain.
• requireAdministrator – runs only for administrators; requires application to be launched with the full access token of an administrator.
UIAccess
• False – the program does not need to drive input to other applications on the desktop
• True – the program drives input to other applications on the desktop.*
* This setting requires that the application be signed with an Authenticode Cert and that the application must reside in a protected location in the file system.
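An added example, not taken from the presentation, that reads the two manifest settings described above and returns review notes for each. The sample manifest is constructed, and the function and field names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not the one shown in the presentation).
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return the requested level, the uiAccess flag and review notes for one manifest."""
    root = ET.fromstring(xml_text)
    # Match on the local name so the element is found whichever asm namespace is used.
    node = next((e for e in root.iter() if local_name(e.tag) == "requestedExecutionLevel"), None)
    if node is None:
        return {"level": None, "ui_access": False,
                "notes": ["no requestedExecutionLevel: unmarked, runs virtualized"]}
    level = node.get("level")
    ui_access = node.get("uiAccess", "false").strip().lower() == "true"
    notes = []
    if level not in LEVELS:
        notes.append(f"unrecognized level {level!r}")
    if level == "requireAdministrator":
        notes.append("needs a full administrator token: confirm the program requires it")
    if level == "highestAvailable":
        notes.append("privileges depend on who launches it: review the administrator case")
    if ui_access:
        notes.append("uiAccess=true: verify Authenticode signature and protected location")
    return {"level": level, "ui_access": ui_access, "notes": notes}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```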
Select Windows Utilities
• Utilities like taskmgr.exe include “
Legacy Applications
• Applications without manifests are considered “unmarked” and are virtualized. Virtualized means that they run against a temporary version of the Windows registry, etc.
• Demo: Old Yeller
UAC Caveats
• Standard user mode is more secure than admin-approval mode.
• In admin-approval mode, always-prompt mode is more secure than auto-elevate.
• Not running a program is more secure than running a program, even if you don’t elevate the program.
• Once you elevate a program, that program can do almost anything it wants.
Mandatory Integrity Control (MIC)
• Restricts less trustworthy processes and applications in the same user context
• Works in addition to (and before) Discretionary Access Control Lists (DACLs)
MIC Levels
• Low
• Medium (default)
• High
• System
MIC Rules
• No write-up: objects with lower security levels cannot modify those with higher security levels
• Medium = default: if an object does not have an explicit integrity level, its level is medium
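The two rules above as an added example (not from the presentation): a check that reads an object's mandatory label and decides whether a process at a given level passes the MIC write test. It assumes the label is available as an SDDL string, where `ML` is the mandatory-label ACE type, `NW` is the no-write-up flag, and `LW`/`ME`/`HI`/`SI` name the four levels; the sample strings are constructed.

```python
import re

RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
SDDL_LEVEL = {"LW": "Low", "ME": "Medium", "HI": "High", "SI": "System"}
# (ML;ace_flags;policy;;;level), e.g. (ML;OICI;NW;;;LW)
ML_ACE = re.compile(r"\(ML;[^;)]*;([A-Z]*);[^;)]*;[^;)]*;(LW|ME|HI|SI)\)")


def object_label(sddl):
    """Return (level name, policy flags) for an object.

    An object with no explicit label is Medium with no-write-up, per the rule above.
    """
    match = ML_ACE.search(sddl or "")
    if match is None:
        return "Medium", {"NW"}
    policy = match.group(1)
    flags = {policy[i:i + 2] for i in range(0, len(policy), 2)}
    return SDDL_LEVEL[match.group(2)], flags


def mic_allows_write(process_level, sddl):
    """True if the MIC check passes; the DACL check still runs afterwards."""
    level, flags = object_label(sddl)
    return not ("NW" in flags and RANK[process_level] < RANK[level])


if __name__ == "__main__":
    # Constructed cases: a Low process (such as a protected-mode browser tab)
    # against an unlabeled file and against a folder explicitly labeled Low.
    cases = [
        ("Low", None),
        ("Low", "O:BAG:BAD:(A;;FA;;;BA)S:(ML;OICI;NW;;;LW)"),
        ("Medium", "S:(ML;;NW;;;HI)"),
    ]
    for level, sddl in cases:
        print(level, sddl, mic_allows_write(level, sddl))
```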
MIC Demos
• Using Sysinternals’ Process Explorer to view MIC levels.
• Using icacls.exe to modify MIC levels
• Internet Explorer 8
AppLocker
• “White list” of programs allowed to run
• New to Windows 7
• Targets enterprise deployment (uses GPO).
• Demo: Gremlins
Further Reading - UAC
• Understanding and Configuring User Account Control in Windows Vista
• Engineering Windows 7: User Account Control
• Inside Windows 7 User Account Control
• UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability
Further Reading - MIC
• Mandatory integrity control in Windows Vista
• Windows Vista Integrity Mechanism Technical Reference
• Securing Mozilla Firefox with Windows Vista Mandatory Integrity Control
• chml and regil: Utilities To Manage Windows Integrity Levels
• Sysinternals’ Process Explorer
Further Reading AppLocker
• The Lazy Admin: AppLocker
• Windows PowerShell Blog: Getting Started with AppLocker ...
Coming to Your Network Soon! Windows 7
Networking
Lowell Furman – Indiana University
Windows 7 Networking
• Internet Options
• Network and Sharing Center – left menu & lower menu
• Command Prompt change
• View Available Network (VAN)
• Server & Rumors
Internet Options = Internet Properties
Change Adaptor Settings
Local Area Connection
Changing Network Settings
Troubleshooting Window
Command Prompt
• One major change: “ipconfig” commands do not need to be elevated (run as Administrator) like in Vista
View Available Network (VAN)
Server and Rumors
• Windows Server 2008 – firewalls for individual locations/adaptors, etc.
• Rumors
Coming to Your Network Soon! Windows 7
Questions?
ResNet 2009 Evaluation Link
• Please take a few minutes NOW to visit and complete an evaluation on this presentation.
• Link = http://www.resnetsymposium.org/rspm/evaluation/
• Bribe = We may have free candy for anyone that submits an evaluation in the first 10 minutes after this presentation.
Presenters' Email Addresses
• Sheryl Swinson [email protected]
• John Brumley [email protected]
• Dr. Brent Moberly [email protected]
• Lowell Furman – [email protected]