FUN210 - Enhancing the Vista Security Platform


Transcript FUN210 - Enhancing the Vista Security Platform

Windows Vista and “Longhorn” Server: Understanding, Enhancing and Extending Security End-to-end
FUN210
Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
Andrew Tucker, Development Lead, Microsoft Corporation
1
Agenda
Windows Vista and “Longhorn” Server
Security Overview
Isolated Desktop
Crypto Next Generation (a.k.a. CNG)
Base Smart Card CSP architecture
X.509 Enrollment classes
WinLogon Architecture
User Account Protection and You
2
Vista Security Overview
Diagram of the platform's security areas and components: Access Control, Authentication, Authorization, End User Tools, Audit, Credential Management, Identity, Policy exp., Eventing, Certificate Server, Protocol, RBAC, Logging, Lifecycle Management, Logon, Azman, Common Criteria, Credential Roaming, 2 Factor AuthN, App AuthZ, FIPS, Smart Cards, CAPI, CNG, X.509 Processing, Cryptography Services, Secure Startup, Isolated Desktop, Secure Operating System
3
Session 0 Isolation
Windows XP behavior
Diagram: Session 0 holds Service A, Service B and Service C together with the user's Applications A through F; Sessions 1, 2 and 3 hold Applications G through L.
4
Session 0 Isolation
Windows Vista behavior
Diagram: Session 0 holds Service A, Service B and Service C together with Applications A, B and C; the interactive Sessions 1, 2 and 3 hold Applications D through I.
5
Session 0 Isolation
Technology Introduction
Separation of Services from User Sessions
The Desktop is the security boundary for Windows user interfaces
Interactive Services are vulnerable to compromise through Windows Messaging
Currently users cannot see or interact with interactive service UI from their session
6
Session 0 Isolation
Implementation Guidelines
Services should NEVER open a window on the interactive desktop
Services which need user input can:
Use WTSSendMessage to pop up a simple message box on the user's desktop
Inject a process into the target session by using the CreateProcessAsUser API
7
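The WTSSendMessage option from the guidelines above, as an added example that is not from the deck: a service-side helper that prompts the user in the active console session instead of opening a window in Session 0. It assumes a local console user (remote sessions would need WTSEnumerateSessions) and the Win32 signatures shown in the P/Invoke block.

```powershell
Add-Type -Namespace Session0 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
[DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool WTSSendMessage(IntPtr hServer, uint sessionId,
    string title, uint titleBytes, string message, uint messageBytes,
    uint style, uint timeoutSeconds, out uint response, bool wait);
'@

function Send-ConsoleUserPrompt {
    param([string]$Title, [string]$Message, [uint32]$TimeoutSeconds = 60)
    # The service never touches its own (Session 0) desktop: it asks the Terminal Services
    # layer to show the box in the session that owns the interactive desktop.
    # Assumption: the user is at the local console; RDP sessions are not enumerated here.
    $session = [Session0.Wts]::WTSGetActiveConsoleSessionId()
    if ($session -eq 0xFFFFFFFF) { return 'NoConsoleSession' }   # nobody logged on at the console
    $response = [uint32]0
    # hServer = WTS_CURRENT_SERVER_HANDLE (NULL); style = MB_YESNO (0x4) | MB_ICONWARNING (0x30).
    # Title and message lengths are in bytes, so UTF-16 characters * 2.
    $ok = [Session0.Wts]::WTSSendMessage([IntPtr]::Zero, $session,
        $Title, [uint32]($Title.Length * 2), $Message, [uint32]($Message.Length * 2),
        0x34, $TimeoutSeconds, [ref]$response, $true)
    if (-not $ok) {
        throw "WTSSendMessage failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # IDYES = 6, IDNO = 7, IDTIMEOUT = 32000; a timeout must be treated as "no consent"
    switch ($response) { 6 { 'Yes' } 7 { 'No' } 32000 { 'Timeout' } default { "Other($response)" } }
}

# Run interactively this targets your own console session, which is enough to test the flow
Send-ConsoleUserPrompt -Title 'Backup service' -Message 'Continue the scheduled backup now?'
```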
Crypto Next Generation
Technology Overview
New crypto infrastructure to replace the existing CAPI 1.0 APIs
CAPI will still be available in Vista but it will be deprecated in some future version
Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)
9
Crypto Next Generation
Why replace CAPI?
Design is 10 years old and shows it
Plug-in model is monolithic, error prone and inflexible
Lacks a centralized configuration system
Not available in kernel mode
Performance leaves much to be desired
10
Crypto Next Generation
Feature highlights
Crypto agility
Flexible configuration system that includes machine and enterprise level settings
Simple and granular plug-in model that supports both kernel and user mode
Supports a super set of the algorithms in CAPI, including elliptic curve crypto (ECDH, ECDSA) and “Suite-B” compliance
Private key isolation for Common Criteria compliance
Improved performance
11
Crypto Next Generation
Three layers of plug-ins
Diagram: Applications call into a set of routers (Symmetric Crypto Router, Hash Router, Asymmetric Crypto Router, Signature Router, Key Exchange Router, RNG Router, Key Storage Router), which dispatch to the three plug-in layers: Primitive Providers, Protocol Providers and Key Storage Providers.
12
Crypto Next Generation
Primitive Providers
Low level algorithm implementations
Six different types:
Symmetric encryption
Hash functions
Asymmetric encryption
Secret agreement
Signatures
Random number generation
No persistent keys or key isolation
13
Crypto Next Generation
Key Storage Provider
Provides persistent key support for public/private keys
Isolates all private key usage to a secure process rather than the client process
Can be used to interface hardware such as HSMs, Smart Cards, etc.
14
Crypto Next Generation
Protocol Providers
Crypto functionality that is specific to a protocol
SSL – add new cipher suites or replace implementations of existing cipher suites
S/MIME – plug in new algorithms for signing and encrypting email
15
Crypto Next Generation
CNG is expected to be an Open Cryptographic Interface (OCI) and will no longer require plug-ins to be signed by Microsoft
We are working to enable this under US export law
Eliminates one of the big headaches of CAPI CSPs
16
Implementing Symmetric Encryption Provider
Implement, install and use a symmetric encryption primitive provider
Flow: Open Algorithm Provider → Get/Set Algorithm Property → Create Key → Get/Set Key Property → Crypto Operation(s) → Destroy Key → Close Algorithm Provider
17
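The caller's side of the lifecycle on the slide, as an added example that is not from the deck: each numbered step below is one box of the flow, driven from PowerShell through P/Invoke into bcrypt.dll against the in-box AES provider (the Get/Set Key Property step is the only one skipped). The key, IV and plaintext are constructed test values.

```powershell
Add-Type -Namespace Cng -Name Native -MemberDefinition @'
[DllImport("bcrypt.dll")] public static extern int BCryptOpenAlgorithmProvider(out IntPtr phAlg, [MarshalAs(UnmanagedType.LPWStr)] string algId, [MarshalAs(UnmanagedType.LPWStr)] string impl, uint flags);
[DllImport("bcrypt.dll")] public static extern int BCryptGetProperty(IntPtr hObj, [MarshalAs(UnmanagedType.LPWStr)] string prop, byte[] output, uint cbOutput, out uint cbResult, uint flags);
[DllImport("bcrypt.dll")] public static extern int BCryptSetProperty(IntPtr hObj, [MarshalAs(UnmanagedType.LPWStr)] string prop, byte[] input, uint cbInput, uint flags);
[DllImport("bcrypt.dll")] public static extern int BCryptGenerateSymmetricKey(IntPtr hAlg, out IntPtr phKey, IntPtr keyObj, uint cbKeyObj, byte[] secret, uint cbSecret, uint flags);
[DllImport("bcrypt.dll")] public static extern int BCryptEncrypt(IntPtr hKey, byte[] input, uint cbInput, IntPtr padInfo, byte[] iv, uint cbIv, byte[] output, uint cbOutput, out uint cbResult, uint flags);
[DllImport("bcrypt.dll")] public static extern int BCryptDestroyKey(IntPtr hKey);
[DllImport("bcrypt.dll")] public static extern int BCryptCloseAlgorithmProvider(IntPtr hAlg, uint flags);
'@
function Assert-Ntstatus([int]$Status, [string]$Step) {
    if ($Status -ne 0) { throw ('{0} failed, NTSTATUS 0x{1:X8}' -f $Step, $Status) }
}
$hAlg = [IntPtr]::Zero; $hKey = [IntPtr]::Zero; $keyObj = [IntPtr]::Zero; $got = [uint32]0
$rng = [Security.Cryptography.RandomNumberGenerator]::Create()
# 1. Open Algorithm Provider: a null implementation name selects whichever provider is registered for AES
Assert-Ntstatus ([Cng.Native]::BCryptOpenAlgorithmProvider([ref]$hAlg, 'AES', $null, 0)) 'OpenAlgorithmProvider'
try {
    # 2. Get/Set Algorithm Property: read the key-object size, then select CBC chaining
    $lenBuf = New-Object byte[] 4
    Assert-Ntstatus ([Cng.Native]::BCryptGetProperty($hAlg, 'ObjectLength', $lenBuf, 4, [ref]$got, 0)) 'GetProperty'
    $objLen = [BitConverter]::ToUInt32($lenBuf, 0)
    $mode = [Text.Encoding]::Unicode.GetBytes("ChainingModeCBC`0")   # wide string, NUL-terminated
    Assert-Ntstatus ([Cng.Native]::BCryptSetProperty($hAlg, 'ChainingMode', $mode, $mode.Length, 0)) 'SetProperty'
    # 3. Create Key: the key object must outlive this call, so it lives in unmanaged memory, not a pinned array
    $keyObj = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$objLen)
    $secret = New-Object byte[] 32; $rng.GetBytes($secret)   # constructed 256-bit test key
    Assert-Ntstatus ([Cng.Native]::BCryptGenerateSymmetricKey($hAlg, [ref]$hKey, $keyObj, $objLen, $secret, 32, 0)) 'GenerateSymmetricKey'
    # 4. Crypto Operation: encrypt with a fresh IV; BCRYPT_BLOCK_PADDING (1) adds PKCS#7 padding.
    #    BCryptEncrypt updates $iv in place for chaining, so keep a copy to send with the ciphertext.
    $iv = New-Object byte[] 16; $rng.GetBytes($iv); $ivOut = $iv.Clone()
    $plain = [Text.Encoding]::UTF8.GetBytes('constructed sample plaintext')
    $cipher = New-Object byte[] ($plain.Length + 16)   # room for up to one full padding block
    Assert-Ntstatus ([Cng.Native]::BCryptEncrypt($hKey, $plain, $plain.Length, [IntPtr]::Zero, $iv, 16, $cipher, $cipher.Length, [ref]$got, 1)) 'Encrypt'
    '{0} plaintext bytes -> {1} ciphertext bytes, IV {2}' -f $plain.Length, $got, [BitConverter]::ToString($ivOut)
} finally {
    # 5. Destroy Key, then Close Algorithm Provider; free the key object only after the key is gone
    if ($hKey -ne [IntPtr]::Zero) { [void][Cng.Native]::BCryptDestroyKey($hKey) }
    if ($keyObj -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::FreeHGlobal($keyObj) }
    [void][Cng.Native]::BCryptCloseAlgorithmProvider($hAlg, 0)
}
```

A primitive provider you write yourself is what sits behind these calls; the router picks it instead of the in-box AES implementation once it is registered for the algorithm.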
WinLogon Architecture
Windows XP
Diagram: Session 0 runs WinLogon together with User GP, LSA, Profiles, SCM, Machine GP, MSGINA and the Shell; each of the other sessions runs its own WinLogon with User GP, MSGINA and the Shell.
19
WinLogon Architecture
Vista
Diagram: Session 0 runs LSA, WinInit, SCM, RCM, Profiles and Group Policy; each of the other sessions runs WinLogon and LogonUI, with Credential Provider 1, Credential Provider 2 and Credential Provider 3 plugged into LogonUI.
20
Credential Providers
Technology Introduction
Credential Providers replace GINA
Credential Providers plug in to Logon UI
Logon UI can interact simultaneously with multiple credential providers
Credential Providers can be user selected and/or event driven
Inbox Credential Providers
Password
Smart Card
What Credential Providers cannot do
Replace the UI for the logon screen
21
Credential Providers
Value Proposition
Easier to write a Credential Provider than it was to write a GINA
LogonUI and CredUI provide all UI
Winlogon handles LSALogonUser and Terminal Services support
Credential providers simply define credentials and use LogonUI to gather the data
Uses COM to interact with LogonUI and CredUI
22
Credential Providers
Password Example
Diagram of the flow between WinLogon, LogonUI, the Credential Providers (1, 2 and 3, reached through the Credential Provider interfaces) and LSA:
1. Ctrl+Alt+Delete reaches WinLogon
2. WinLogon requests a credential from LogonUI
3. LogonUI gets credential information from each Credential Provider
4. LogonUI displays the UI
5. The user clicks on a tile, types user name & password, and clicks Go
6. Go is received by LogonUI
7. LogonUI gets the credential for logon from the selected provider
8. LogonUI returns the credential to WinLogon
9. WinLogon calls LSALogonUser on the LSA
23
Smart Card Subsystem
Current
Diagram: Crypto Applications (IE, Outlook) call CAPI, which loads a vendor-specific Smart Card CSP #1, CSP #2 ... CSP #n; Non Crypto Applications and the CSPs use the SCard API to reach the Smart Card Resource Manager, which drives Card Reader #1, Card Reader #2 and Card Reader #3.
24
Smart Card Subsystem
Vista and Beyond
Diagram: Crypto Applications (IE, Outlook) call either CAPI, backed by the Base CSP, or CNG, backed by the Smart Card KSP; both load vendor Card Modules (RSA Card Module, ECC Card Module, RSA/ECC Card Module), while a vendor Smart Card CSP still appears alongside them. Non Crypto Applications and the CSP/KSP layer use the SCard API to reach the Smart Card Resource Manager, which drives Card Reader #1, Card Reader #2 and Card Reader #3.
25
Smart Card Subsystem
Simplified Software Development
Common crypto operations handled in the platform
API for card manufacturers
Enhanced User Experience
Planned Certification and Testing Program for Smartcard middleware on Windows Update
PnP support for Smart Cards
Enhanced Smart Card Logon Scenarios
Root certificates propagation
Integrated Smart Card unblock
26
X.509 Enrollment Classes
What's new
ActiveX controls Xenroll and ScrdEnrl are retired
New comprehensive COM classes (CertEnroll) for PKI operations
“Suite-B” algorithm support
27
X.509 Enrollment Classes
Value Proposition
Xenroll
Difficult to use monolithic interfaces
High cost of maintenance for...
Microsoft to support Xenroll
Customers and Third Party CAs if and when Xenroll is updated
CertEnroll
Easy to use modular interfaces
No download required
28
X.509 Enrollment Classes
Architectural Block Diagram
Diagram components: 3rd Party Applications; Auto-Enrollment Provider, Certificate Management MMC, CertReq.exe; Web Enrollment Services; Public Enrollment Classes; Internal Enrollment Classes; CAPI, CNG and Win32 API; Aero Wizard & Direct UI.
29
X.509 Enrollment Classes
Class diagram overview
Request Classes (IDispatch): IX509CertificateRequest, IX509CertificateRequestPkcs10, IX509CertificateRequestCertificate, IX509CertificateRequestPkcs7, IX509CertificateRequestCmc
Crypto Classes (IDispatch): ICspAlgorithm, ICspAlgorithms, ICspInformation, ICspInformations, ICspStatus, ICspStatuses, IX509PublicKey, IX509PrivateKey
Enrollment Classes (IDispatch): IX509Enrollment, IX509Enrollments, IX509EnrollmentStatus
Attribute Classes (IDispatch): IX509Attribute, IX509Attributes, IX509Extension, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509ExtensionTemplateName, IX509ExtensionTemplate, IX509AttributeExtensions, ICryptAttribute, ICryptAttributes
30
X.509 Enrollment Walkthrough
31
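A walkthrough of the enrollment classes from the class diagram (IX509PrivateKey, IX509ExtensionKeyUsage, IX509ExtensionEnhancedKeyUsage, IX509CertificateRequestPkcs10, IX509Enrollment), added here as an example that is not from the deck: it generates a non-exportable key in the CNG software KSP and produces a PKCS#10 request. It assumes the X509Enrollment.* COM ProgIDs; the subject name and EKU are constructed sample values.

```powershell
# IX509PrivateKey: generate the key pair inside the CNG Key Storage Provider, so the private
# key is isolated from the calling process and cannot be exported afterwards.
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft Software Key Storage Provider'
$key.KeySpec        = 1        # XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.ExportPolicy   = 0        # XCN_NCRYPT_ALLOW_EXPORT_NONE
$key.MachineContext = $false   # per-user key store
$key.Create()

# IX500DistinguishedName: constructed sample subject
$subject = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$subject.Encode('CN=sample.example.invalid', 0)   # XCN_CERT_NAME_STR_NONE

# IX509ExtensionKeyUsage: digitalSignature (0x80) | keyEncipherment (0x20), marked critical
$ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
$ku.InitializeEncode(0xA0)
$ku.Critical = $true

# IX509ExtensionEnhancedKeyUsage: restrict the certificate to server authentication
$oid = New-Object -ComObject X509Enrollment.CObjectId
$oid.InitializeFromValue('1.3.6.1.5.5.7.3.1')
$oids = New-Object -ComObject X509Enrollment.CObjectIds
$oids.Add($oid)
$eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
$eku.InitializeEncode($oids)

# IX509CertificateRequestPkcs10: bind the request to the key; no certificate template is used
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeFromPrivateKey(1, $key, '')   # 1 = ContextUser
$req.Subject = $subject
$req.X509Extensions.Add($ku)
$req.X509Extensions.Add($eku)

# IX509Enrollment: wrap the request and render it as a base64 PKCS#10 with request headers
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($req)
$csr = $enroll.CreateRequest(3)   # XCN_CRYPT_STRING_BASE64REQUESTHEADER
$csr
```

The same IX509Enrollment object can submit directly to an enterprise CA with Enroll(), or take an issued certificate back through InstallResponse(), which binds it to the isolated private key.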
Service Hardening
Motivation
Services are attractive targets for malware
Run without user interaction
Number of critical vulnerabilities in services
Large number of services run as “System”
Worms target services
Sasser, Blaster, CodeRed, Slammer, etc…
32
Service Hardening
Developer Guidance
Move to a least privileged account
Use “Local Service” or “Network Service”
Remove privileges that are not needed
Grant the Service SID access via ACLs on service specific resources
Use the Service SID, ACLs and a “write-restricted token” to isolate services
Supply network firewall rules
33
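The developer guidance above applied to one service, as an added example that is not from the deck: the service name (ContosoSync), data path and port are constructed placeholders, and the commands assume an elevated prompt on Vista or later.

```powershell
# sc.exe is spelled out because "sc" is a PowerShell alias for Set-Content
$svc     = 'ContosoSync'                 # hypothetical service name
$dataDir = 'C:\ProgramData\ContosoSync'  # hypothetical service-specific resource

# 1. Least-privileged account instead of LocalSystem (takes effect at the next service start)
sc.exe config $svc obj= 'NT AUTHORITY\NetworkService'

# 2. Keep only the privileges the service actually uses; every other privilege is
#    stripped from its token at start, so an exploited service cannot use them
sc.exe privs $svc SeChangeNotifyPrivilege/SeImpersonatePrivilege

# 3. Per-service SID with a write-restricted token: the process can write only to objects
#    whose ACL explicitly grants NT SERVICE\ContosoSync, even though it shares the
#    NetworkService account with other services
sc.exe sidtype $svc restricted

# 4. Grant the Service SID, not the shared account, rights on its own data directory
icacls $dataDir /grant "NT SERVICE\${svc}:(OI)(CI)M"

# 5. Firewall rule scoped to the service, so the port is not opened for every process
netsh advfirewall firewall add rule name="$svc inbound" dir=in action=allow service=$svc protocol=TCP localport=8443

# Verify what was applied before restarting the service
sc.exe qc $svc
sc.exe qprivs $svc
sc.exe qsidtype $svc
```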
User Account Protection
Previously known as “LUA”
Users will log on as non-administrator by default
Protects the system from the user
Enables the system to protect the user
Consent UI allows elevation to administrator
Applications and administrator tools should be UAP aware
Differentiate capabilities based on UAP
Apply correct security checks to product features
Start testing your software in LH Beta1 and LH Beta2 with UAP
34
User Account Protection
Additional Information
Where can I find more information?
Come get the whitepaper from the FUNdamentals Cabana!
FUN406 - Windows Vista: User Account Protection, “Securing Your Application with Least Privilege Administration”
Contact info?
Darren Canavor – [email protected]
35
CNG
Additional Information
CNG Documentation available for review
API documentation - currently only available with signed NDA and EULA
Contacts
Tomas Palmer - [email protected]
Tolga Acar - [email protected]
36
Smart Card Subsystem
Additional Information
Where can I find more information?
Base CSP and Card Module specifications have been published to over 20 card vendors – ask if your card vendor has a card module
Card module developer kit including card module spec, Base CSP binary, test suite, etc. is currently only available with signed NDA and EULA
Card module developer information will be made public via MSDN in the coming months
A whitepaper on the new smart card infrastructure will be released at the same time as the Base CSP
Contact info
Derek Adam ([email protected])
37
X.509 Enrollment Classes
Additional Information
Where can I find more information?
Libraries included in Vista Beta 1
Specifications are currently only available with signed NDA and EULA
Contact info?
Anand Abhyankar - [email protected]
38
Service Hardening
Additional Information
Related Sessions
FUNHOL019 – “Best Practices for writing Vista Services”
Contacts
Windows Service Hardening - [email protected]
39
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
40