Matt Heller, Aaron Margosis
Microsoft Corporation
CLI 314
Overview
New Security Features (15 min)
New Privacy Features (15 min)
Managing & Configuring Security Features (35 min)
Q&A (10 min)
Threat Vectors
Increasing Severity & Ways of Risk
[Timeline figure, 2003 to 2008+: browser exploits in the wild; IE 7 & phishing site exploit protection; social engineering; malware; blended threats; Web 2.0]
Blended threats shifting from the browser to sites
Impact to data governance & regulations
Rapid pace of threat innovation
Consumer & employee data at risk
Web 2.0 - Challenge or Opportunity?
Efficiency, Economics & Expectations
Syndicated content and ad business model enables sites and business
Growth in ecommerce depends on consumer trust
Trust may be undermined by less than transparent collection of data and inadequate protection of privacy
Unknown accountability - 1st party & 3rd parties
Potential backlash & heightened consumer concerns
Internet Explorer 8 Trustworthy Browsing
[Figure: threat areas addressed by IE 8 - Social Engineering & Privacy; Browser Vulnerabilities; Web Server & Applications]
Confidently bank, communicate & shop
Extended Validation (EV) SSL Certificates
SmartScreen® Filter – Blocks Phishing & Malware
Domain Highlighting
Enhanced Delete Browsing History
InPrivate™ Browsing & Filtering
Build on a secure foundation
Security Development Lifecycle (SDL)
Protected Mode
ActiveX Controls
DEP - Data Execution Prevention
Extends browser protection to the web server
HttpOnly cookies
Group Policies
XDomainRequest - Cross Domain Requests
XDM - Cross Domain Messaging
XSS Filter - Cross Site Scripting
Anti-ClickJacking
Domain Highlighting
More accurately ascertain the domain of the visiting
The domain is black, vs. other characters which are gray.
Social Engineering
Emerging threat vector & diversification
Address concerns of Users and Site owners
SmartScreen® Filter
Integrated Phishing & Malware download protection
Examines URL string, preempting evolving threats
Blocks 1 million+ weekly attempts to visit phish sites
Significant malware site detection volumes, ~10x the traffic as compared to phishing (IE8 beta users)
Group Policy support – Key IT requirement
24 x 7 support processes and feedback mechanisms
SmartScreen Filter
Web Server & Applications
IE 8 XSS Filter
Identifies & neuters the attack
Blocks the malicious script from executing
Cross Site Scripting Filter
Granular level control provides ultimate control & flexibility
Who? Per-User ActiveX Controls – installs to user account
Can it be used? Approval before it can be used (IE7 feature)
Where? Per-Site ActiveX Controls – users can restrict where controls run; can be requested by site owner
Domain Administrators have full control over approved ActiveX lists
Exploit Controls – Pre IE 8
Per-User ActiveX Conversion Toolkit
http://www.codeplex.com/pact
Protected Mode
Limits Access to File system and Registry
Reduces Escalation of Privilege Attacks
Application Compatibility Impacts
Shims
Read/Write Failures
Broker Process
Internet Explorer 7 Process Model
Internet Explorer 8 Process Model (LCIE)
Security vs. Privacy
Security
Core engineering issues
Protection from harm
Protection from fraud
Privacy
Control over preferences
Control over how information is shared
Privacy is all about being in control
Control == Notice + Consent
Does Privacy Exist?
Having records online, using surveillance cameras – not necessarily illegal
It’s because “contextual integrity” is violated
Information is transferred in context
A context has a set of norms
When information is transferred from one context to another without notice and consent, contextual integrity is violated.
Web Privacy Issues Today – some examples
Internet Explorer 8 Privacy Goals
Put the user in control of the web browser
Shared PC
Delete Browsing History
InPrivate™ Browsing
On the Web
InPrivate™ Filtering
Build useful, convenient features to make it easy to stay in control
Leap ahead of the competition
InPrivate Filtering
Preserve Favorites data
Delete Browsing History
Preserve data from Favorites sites
Keep the useful stuff, delete the not-so-useful stuff
Convenient
Checkboxes!
Delete Browsing History on Exit!
Group Policy!
Delete Browsing History
InPrivate Browsing
Creates a new browsing window that does not record browsing history
Some things that are turned off
History
Cookies (accepted, but downgraded to session-only)
Suggested Sites
Form data saving
Things that are deleted when you exit
Temporary Internet Files
Compatibility View list
ActiveX Opt-In list
InPrivate™ Browsing
InPrivate Browsing FAQ
Parental Controls
Disables InPrivate Browsing
IT Scenarios
InPrivate Browsing can be disabled via GP
Does not interfere with proxy servers
Proxy servers will record sites browsed
Does not provide anonymization
Add-ons
UI Toolbars, BHOs - not loaded by default
APIs are available for ActiveX Controls
Suggested sites feature is turned off
Third Party Content Serving
Over time, users’ history and profiles can unknowingly be aggregated
Any third-party content can be used like a tracking cookie
There is little end-user notification or control today
Syndicated photos, weather, stocks, news articles; local analytics, etc.
Unclear accountability with third party security & privacy policies
[Figure: a user visits unique sites such as msn.com, nytimes.com, amazon.com, ebay.com, cnet.com, cnn.com, msnbc.com and about.com; each of them loads content from the same 3rd-party syndicator web server (prosware-sol.com)]
InPrivate Filtering
Helps give you control over which 3rd-party content providers have a line of sight into your web browsing
Keeps a table of 3rd-party content and the 1st-party sites the content was loaded from
Allows you to block content that passes a configurable threshold (10 1st-party sites by default)
InPrivate Filtering
InPrivate Filtering FAQ (short list)
If I have a website, what do I do? Will my website break?
IE8 includes a javascript-accessible API (bool InPrivateFilteringEnabled()) that lets website owners detect when InPrivate Filtering is enabled
Not an ad blocker
Some advertisements may be blocked
InPrivate Filtering is a privacy tool
It can only block content that has a “line of sight” into your browsing history
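The bookkeeping the slides describe (a table of 3rd-party content keyed to the 1st-party sites that loaded it, with a block once the threshold of 10 sites is passed, and "line of sight" as the set of sites a third party could observe) as an added Python model. This is illustrative code written for this page, not IE8's implementation; it assumes hostnames compare literally, reads "passes the threshold" as reaching it, and uses constructed sample page loads.

```python
from collections import defaultdict
from urllib.parse import urlparse

DEFAULT_THRESHOLD = 10  # the slides' default: content seen from 10 first-party sites


class InPrivateFilterModel:
    """Toy model of the table InPrivate Filtering keeps: third-party content -> first-party sites."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.sources = defaultdict(set)  # resource URL -> hostnames of pages that loaded it

    def observe(self, page_url, resource_url):
        """Record one resource load; returns True if the resource would now be blocked."""
        page_host = urlparse(page_url).hostname
        if page_host == urlparse(resource_url).hostname:
            return False  # first-party content is never tracked or blocked (assumption: literal host match)
        self.sources[resource_url].add(page_host)
        return self.is_blocked(resource_url)

    def is_blocked(self, resource_url):
        # Assumption: "passes the threshold" is read as reaching it (>=).
        return len(self.sources.get(resource_url, ())) >= self.threshold

    def line_of_sight(self, resource_url):
        """First-party sites the third party could have observed the user visiting."""
        return sorted(self.sources.get(resource_url, ()))


def build_sample_loads():
    """Constructed browsing sample: a syndicator script on 10 sites, a weather widget on 3."""
    loads = []
    for i in range(10):
        page = f"http://site{i}.example/page.html"
        loads.append((page, "http://syndicator.example/widget.js"))
        if i < 3:
            loads.append((page, "http://weather.example/forecast.js"))
        loads.append((page, f"http://site{i}.example/style.css"))  # first-party, not tracked
    return loads


def run_sample(threshold=DEFAULT_THRESHOLD):
    """Replay the constructed sample and return the populated model."""
    model = InPrivateFilterModel(threshold)
    for page, resource in build_sample_loads():
        model.observe(page, resource)
    return model
```

Lowering the threshold (for example `run_sample(3)`) shows why the setting is configurable: the weather widget seen on only three sites is then blocked too.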
Understanding Security Zones
Security Zones
Settings: Policies and Preferences
Templates
Some Things To Know
Security Zones
0. Computer zone, a.k.a., Local Machine Zone
1. Local Intranet
2. Trusted Sites
3. Internet
4. Restricted Sites
Security Zone Settings
User Preferences and Machine Preferences
User Policies and Machine Policies
Precedence Order for Each Setting
Machine Policies
User Policies
User Preferences
Machine Preferences
“Use Only Machine Settings”
With this enabled, the same order applies but the user-level entries (User Policies, User Preferences) are ignored, leaving:
Machine Policies
Machine Preferences
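The precedence rule above as an added Python resolver (example code written for this page, not an IE or Group Policy API): it walks the four stores in the slides' order and, when "Use Only Machine Settings" is on, consults only the machine-level stores. The store and setting names are assumed labels, and the zone values are a constructed sample.

```python
# Precedence of security-zone settings as listed on the slides, highest priority first.
# Store names are assumed labels for this example, not registry paths.
PRECEDENCE = ("machine_policy", "user_policy", "user_preference", "machine_preference")

# With "Use Only Machine Settings" enabled, the user-level stores are skipped.
MACHINE_ONLY_PRECEDENCE = ("machine_policy", "machine_preference")


def effective_setting(setting, stores, use_only_machine_settings=False):
    """Return (value, winning_store) for one setting, or (None, None) if no store defines it."""
    order = MACHINE_ONLY_PRECEDENCE if use_only_machine_settings else PRECEDENCE
    for store in order:
        value = stores.get(store, {}).get(setting)
        if value is not None:
            return value, store
    return None, None  # falls back to IE's built-in default for the zone


def effective_zone(stores, use_only_machine_settings=False):
    """Resolve every setting named in any store: setting -> (value, winning_store)."""
    names = set()
    for values in stores.values():
        names.update(values)
    return {n: effective_setting(n, stores, use_only_machine_settings) for n in sorted(names)}


# Constructed sample for the Internet zone: one setting defined in several stores at once.
INTERNET_ZONE_STORES = {
    "machine_preference": {"run_activex": "Disable", "file_download": "Enable"},
    "user_preference":    {"run_activex": "Enable", "popup_blocker": "Disable"},
    "user_policy":        {"run_activex": "Prompt"},
    "machine_policy":     {"file_download": "Prompt"},
}

if __name__ == "__main__":
    for machine_only in (False, True):
        print(f"use_only_machine_settings={machine_only}")
        for name, (value, store) in effective_zone(INTERNET_ZONE_STORES, machine_only).items():
            print(f"  {name}: {value} (from {store})")
```

Note how `run_activex` flips from the user policy's Prompt to the machine preference's Disable once user stores are ignored, while `popup_blocker`, set only as a user preference, has no effective value at all in that mode.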
Templates
Pre-defined sets of settings:
High
Medium-High
Medium
Medium-Low
Low
Can be copied into Preferences for a zone
Click “Default level” button in IE Properties
Not used by Group Policy
Some Things To Know
Local Intranet vs. Trusted Sites
In IE 6 and earlier:
Local Intranet → Medium-Low template
Trusted Sites → Low template
In IE 7 and 8:
Local Intranet → Medium-Low template
Trusted Sites → Medium template
Some Things To Know
Local Intranet vs. Trusted Sites
Mapping Sites to Zones
Default mappings
Site to Zone Assignment List
Computer Configuration | Windows Components | Internet Explorer | Internet Control Panel | Security Page
Proxy Bypass List
Some Things To Know
The “Lockdown Zones”
Local Machine Lockdown Zone
The only interesting one
Introduced in Windows XP SP2
Makes LMZ very restrictive until user approves
Some Things To Know
Viewing Settings on a policy-controlled system
IEZoneAnalyzer
http://blogs.technet.com/fdcc
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
Related Content
WCL20 – HOL Deploying Internet Explorer 8 In the Enterprise
WCL21 – HOL Preparing for Windows Internet Explorer 8: Application Compatibility
WCL22 – HOL Using Accelerators and WebSlices in the Enterprise
WCL25 – Internet Explorer 8: Build Your Own Search Suggestions Provider
WCL26 – Internet Explorer 8: Building Web Slices
WCL27 – Internet Explorer 8: Managing Security Settings in the Enterprise
WCL28 – Managing Internet Explorer 8 In the Enterprise
References and Resources
Security Zones
IE blog posts on the FDCC blog
Series of posts explaining security zones and some effects
of strict policies
IEZoneAnalyzer utility
The Local Intranet Zone and Proxies
Security Zone registry entries (KB 182569)
IE blogs
http://blogs.msdn.com/ie
http://blogs.msdn.com/ieinternals (Eric Lawrence)
Internet Explorer Resources
Internet Explorer Site
www.microsoft.com/ie8
Engineering Blog
blogs.msdn.com/ie
Internet Explorer TechNet Site
technet.microsoft.com/ie
Group Policy Settings for IE8
www.microsoft.com/downloads/details.aspx?familyid=AB4655F2-0A3C-42EB974D-24B2790BF592&displaylang=en
Desktop Security Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad4bf0-b92b-a8e545573a3e&displaylang=en
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.