Jåånas Karjalainen management Problem järjestelmänvalvoja …and my favorite single Finnish word: Ratsumestarittarettako* *Cavalry Master without his wife?


Jåånas Karjalainen
Problem management
järjestelmänvalvoja (Finnish: "system administrator")
…and my favorite single Finnish word:
Ratsumestarittarettako*
*Cavalry Master without his wife?
http://www.microsoft.com/emet
http://support2.microsoft.com/kb/2458544
Recommended by various security frameworks and governing policies
• SANS 20 Critical Controls CSC 5-6 Quick Win
• US DoD DISA STIGs
• AUS DSD Top 35 Mitigations vs Cyber Attacks (ranked #7 in 2014, up from #21)
• IAD’s Top 10 Information Assurance Mitigation Strategies
• www.nsa.gov (multiple docs)
Proven track record of being an effective mitigation tool
• 4 out of 5 MS Security Advisories in 2012
• 4 IE vulns, 2 Office vulns, and 3 Adobe vulns mitigated in 2013
• So far in 2014 the 2 biggest MS exploits, a 0-day in IE and a 0-day RTF vuln, were both mitigated by the use of EMET
http://www.microsoft.com/security/sir/default.aspx
Global (EMEA) Implementations
• SCCM
• GPO / XML
• Event Forwarders (e.g. SCOM)
• “SSLF Workstations”
• Admin Workstations
From XP to Windows 8.1
From 1 to 12,000 machines.
Part of “Securing Lateral Movement”
What is EMET? Why should you use it?
• A specific solution to mitigate the exploitation of vulnerabilities
• Not anti-malware or antivirus!
• A set of behaviour-based mitigations
• Not signature-based, so no need for regular updates
• Effective against memory corruption vulnerabilities
• … like buffer overflows, double free, use after free, etc.
• Not against Cross Site Scripting, SQL Injection or design-type issues
• Brings new mitigations to older operating systems
• It allows users to apply modern security mitigations that are otherwise available only on newer versions of Windows
• EMET is a “must” with XP!!!
Enterprise FAQ from the field
• Q: Is there a centralized GUI management tool?
A: No, but most mitigations can be managed by GPOs
• Q: Is there centralized reporting in EMET?
A: Not directly – use SCOM or Event Forwarding
• Q: What happens if there is a conflict between a GUI and a GPO setting?
A: Settings are merged. If they conflict, the GPO wins.
• Q: Why can’t I see the mitigations I just set with GPO?
A: You used GPO, and GPO settings are not shown in the GUI. Use EMET_Conf --list
A2: Also, not all settings can yet be set by GPO – Certificate Trust, for example. Use XML files for those
Capabilities overview
12 Memory Corruption Mitigations
• Core protections of EMET
• Protects user mode applications with a number of anti-exploit techniques
System Wide Mitigations
• Via EMET, allows modifying the configuration of the System Wide Mitigation techniques built into the OS
Attack Surface Reduction
• Generic plugin blocker that allows blocking plugins based on zones in IE, or plugins in general in Office products
Certificate Trust
• Adds further certificate verification protection for high value web sites
GUI Component
• EMET Registry Keys - Local
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
GPO Component
• EMET Registry Keys - Policy
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET
• Local and GPO settings are merged; if they conflict, the GPO wins
• Three policies:
• AppSettings – individually configured applications
• Defaults – default sets of applications (IE, Recommended, Popular)
• SysSettings – overall client configuration
• NO Certificate Trust (and some other settings) via GPO
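The merge rule on this slide (and the FAQ’s "why can’t I see my GPO settings in the GUI?") modelled in PowerShell. This is an added example, not EMET’s own code; it assumes (my assumption, not stated on the slide) that both the local and the policy key hold an AppSettings subkey whose value names are application paths and whose data are mitigation strings, so adjust Read-EmetAppSettings to your EMET version’s layout.

```powershell
# Added example: combine local (GUI) and policy (GPO) EMET application settings
# the way the deck describes -- both sets are merged, and the GPO wins a conflict.

function Read-EmetAppSettings {
    param([string]$KeyPath)
    # Returns a hashtable of value name -> data for one registry key (empty if absent).
    $result = @{}
    if (Test-Path $KeyPath) {
        $item = Get-Item $KeyPath
        foreach ($name in $item.GetValueNames()) {
            $result[$name] = [string]$item.GetValue($name)
        }
    }
    $result
}

function Merge-EmetSettings {
    param([hashtable]$Local, [hashtable]$Policy)
    $effective = @{}
    foreach ($k in $Local.Keys) {
        $effective[$k] = @{ Value = $Local[$k]; Source = 'Local (GUI)' }
    }
    foreach ($k in $Policy.Keys) {
        # Same key on both sides: policy overrides, and we record that it did.
        $overrides = $effective.ContainsKey($k) -and ($effective[$k].Value -ne $Policy[$k])
        $effective[$k] = @{ Value = $Policy[$k]; Source = $(if ($overrides) { 'GPO (overrides local)' } else { 'GPO' }) }
    }
    $effective
}

# Assumed key layout; the two base keys are the ones named on the slide.
$localSettings  = Read-EmetAppSettings 'HKLM:\SOFTWARE\Microsoft\EMET\AppSettings'
$policySettings = Read-EmetAppSettings 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\AppSettings'

(Merge-EmetSettings -Local $localSettings -Policy $policySettings).GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Application = $_.Key; Mitigations = $_.Value.Value; Source = $_.Value.Source } } |
    Sort-Object Application | Format-Table -AutoSize
```

Entries whose Source is a GPO variant are exactly the ones the GUI will not show, which is why the FAQ points to EMET_Conf --list instead.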
System Wide Mitigations – Notes and Cautions
• Different operating systems have different default settings. DEP + SEHOP, for example, are Opt-In by default on Windows 7, but Opt-Out on Windows Server 2008 R2
• On a BitLockered system, changing the DEP setting will cause a prompt for the recovery key at next boot
Suspending BitLocker prior to the reboot will prevent the prompt for the BitLocker recovery key.
Administrator privileges are required to perform the volume suspend action.
• Enabling ASLR as “Always On” can lead to system instability
There are known issues with certain video drivers that will cause a system to Blue Screen Of Death (BSOD) during the boot process.
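The procedure the cautions above describe, as an added PowerShell example that is not part of the deck: read the OS-level state behind EMET’s three system-wide mitigations, and change DEP on a BitLockered machine with protection suspended first so the next boot does not ask for the recovery key. The registry and bcdedit semantics are as I understand them for Windows 7 through 8.1; run it elevated.

```powershell
# Added example (not EMET's code). DEP lives in the boot configuration (bcdedit),
# SEHOP and ASLR in the Session Manager registry keys that EMET's GUI edits.

function Get-SystemWideMitigationState {
    # No "nx" line in the boot entry means the OS default is in force.
    $nxLine = bcdedit /enum "{current}" | Select-String '^nx\s+(\S+)'
    $dep = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'OS default' }

    # SEHOP: DisableExceptionChainValidation 0 = enabled, 1 = disabled, absent = OS default.
    $kernel = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
                  -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue
    $sehop = if ($null -eq $kernel) { 'OS default' } elseif ($kernel.DisableExceptionChainValidation -eq 0) { 'Enabled' } else { 'Disabled' }

    # ASLR: MoveImages 0 = disabled, 1 = opt-in (/DYNAMICBASE images), 0xFFFFFFFF = always on.
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
              -Name MoveImages -ErrorAction SilentlyContinue
    $aslr = if ($null -eq $mm) { 'Opt-In (OS default)' } else { switch ($mm.MoveImages) { 0 { 'Disabled' } 1 { 'Opt-In' } default { 'Always On' } } }

    [pscustomobject]@{ DEP = $dep; SEHOP = $sehop; ASLR = $aslr }
}

function Set-DepPolicySafely {
    param(
        [Parameter(Mandatory)][ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')][string]$Policy,
        [string]$OsDrive = 'C:'
    )
    # A DEP change alters the boot configuration BitLocker measures, so the next boot
    # would ask for the recovery key. Suspend protection first (needs admin rights).
    $protected = manage-bde -status $OsDrive | Select-String 'Protection Status:\s+Protection On'
    if ($protected) {
        manage-bde -protectors -disable $OsDrive | Out-Null
        Write-Warning "BitLocker suspended on $OsDrive. Windows 8+ resumes it after one reboot; on Windows 7 run 'manage-bde -protectors -enable $OsDrive' after rebooting."
    }
    bcdedit /set "{current}" nx $Policy | Out-Null
    Write-Host "DEP set to $Policy; reboot to apply."
}

Get-SystemWideMitigationState
```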
Question:
How many system developers do we have here?
EMET Mitigations
Data Execution Prevention
• Mitigates buffer overflow attempts.
• Memory areas are marked with the “No Execute” flag on the Page Table Entry.
• Requires hardware support.
• Supported by AMD64, and by x86 when running in PAE mode.
• Introduced by the OS in Windows XP SP2 and Server 2003 SP1.
Address Space Layout Randomization
• Randomizes the location of function entry points to make the location unreliable.
• Feature of the operating system since Windows Vista/2008.
• Can be enabled/disabled in the OS: Registry
• EMET allows the system-wide setting to be configured: Disabled or Application Opt-In
• Binaries and executables are randomized by ASLR when compiled with the /DYNAMICBASE flag.
EMET Mitigations
Structured Exception Handling Overwrite Protection
• Controlled by EMET as a per-application setting
• Supported in Vista and upward (http://support2.microsoft.com/kb/956607)
Export Address Filtering / EAF+
• The Export Address Table (EAT) publishes a module’s exported functions
• The EAF mitigation protects the EAT of the important modules NTDLL and KERNEL32
• Uses debug registers to breakpoint and control access to the EAT
• Can be incompatible with certain software, including: debuggers, anti-debugging techniques, DRM techniques…
• EAF+ – new in 5.0 – expands EAF protection to kernelbase.dll (in addition to ntdll and kernel32, which EAF protects)
Mandatory ASLR
• Enforces ASLR on modules which were not compiled for ASLR (/DYNAMICBASE)
• Randomizes dynamically linked modules, not the core process or static modules
• Does this by simulating a DLL address space collision
EMET Mitigations
Heap Spray
• Used by attackers to place shellcode at various locations in the heap
• Bad if DEP can be disabled/bypassed
• The HeapSpray mitigation pre-allocates some known heap spray targets
• Only breaks some heap spray attacks which were known at EMET release
• Does not protect against future heap spray targets
Null Page Allocation
• Like heap spray: allocates the first page in the process virtual address space
• Prevents potential null dereference issues in user mode
• There is no “known way” to exploit a null dereference
• Controlled as a per-application mitigation
Return-Oriented Programming (ROP) Overview
• Load Library Checks
• Memory Protection Checks
• Caller Checks
• Simulate Execution Flow
• Stack Pivot
ROP – Memory Protection Checks
• The VirtualProtect() function could be used to bypass DEP by changing the memory protection flag
• Could mark pages with PAGE_EXECUTE_READWRITE and execute a stack overflow
• This mitigation checks that VirtualProtect() is not changing the execution policy of the stack area
ROP – Load Library Checks
• ROP chains may be used to load shellcode from remote compromised locations
• Load Library Checks hooks the LoadLibrary() function and validates the library load
• Validates that the parameter is not a UNC path (e.g. \\server\share\badmodule.dll)
ROP – Caller Checks
• Generally a subroutine is entered with a call instruction, storing a return pointer on the stack for resumption of the caller code
• A ret instruction transfers execution back to the return point location
• Certain critical functions are protected by the Caller Checks mitigation
• Validates that the function was entered by a call and not a ret
ROP – Simulate Execution Flow
• Simulates the forward execution of code
• Validates that the return pointers on the stack are addresses which follow call instructions
• Aims to prevent chaining of ROP gadgets
ROP – Stack Pivot
• On entering critical functions, detects if the stack has been “pivoted”
• Determines that the stack pointer references a valid region
Advanced Mitigations Overview
Advanced Mitigations Overview
Banned Functions
• Presently blocks only the function LdrHotPatchRoutine
• This function could be misused as a DEP bypass
• LdrHotPatchRoutine could be leveraged to load arbitrary DLLs
• MS13-063 addresses an ASLR bypass which made it easier to exploit this function
• Banned Functions makes it impossible to use the function at all
Advanced Mitigations Overview
Deep Hooks
• Improves the effectiveness of the ROP mitigations
• Critical functions are hooked at the low level APIs
• Example:
• Without Deep Hooks, EMET only protects kernel32!VirtualAlloc
• With Deep Hooks, EMET also protects the lower level functions kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory, which manipulate the same memory but at a lower level
Advanced Mitigations Overview
Anti Detours*
• EMET hooks critical functions – knowledge of this could allow a bypass of the hook
• Anti Detours adds additional checks to prevent hook detour techniques
• The Anti Detours mitigation is not applied per-process, but to all protected apps
* http://research.microsoft.com/en-us/projects/detours/
[Figure: The Impact of Security Science in Protecting Customers – charts from the SIR Worldwide Threat Assessment, SIR Volume 16]
[Diagram: certificate chain – a Root CA holds the Root Certificate; Intermediate CAs hold Intermediate Certificates issued under it; each Subject holds an End Certificate issued by an Intermediate CA, so every End Certificate chains back to the root]
PKI Overview
HTTP over SSL/TLS (HTTPS) is designed to allow secure Internet communications, utilizing public key cryptography and PKI.
Web browsers perform certificate validation against the certificates presented by websites:
• Validity period
• Subject Name matches FQDN
• Not revoked
• Valid key usage
• Certificate trust path chains back to a trusted root certificate authority
Certificate trust settings
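The browser checks listed in the PKI overview, plus the extra step EMET’s Certificate Trust feature adds (pinning the root CA that a high-value site’s chain must end in), as an added PowerShell example that is not EMET code. $Hostname and $PinnedRootThumbprint are placeholders you supply; the function needs network access to the host and uses only .NET’s X509Chain, so it reports each check rather than re-implementing EMET’s rule engine.

```powershell
# Added example: fetch a site's certificate, run the slide's five checks, and
# compare the chain's root against a pinned thumbprint (EMET-style pin).
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [int]$Port = 443,
        [string]$PinnedRootThumbprint = ''   # placeholder: thumbprint of the expected root CA
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    # Accept any certificate at the transport layer; the explicit checks below do the work.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Hostname)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    # Build the chain with online revocation checking (CRL/OCSP).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Subject name: CN plus any DNS entries in the Subject Alternative Name extension (exact match only).
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] } }

    # Key usage: look for the serverAuth EKU; a certificate without an EKU is reported as false here.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    $now = Get-Date
    [pscustomobject]@{
        Subject         = $cert.Subject
        ValidityPeriod  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        SubjectMatches  = ($names -contains $Hostname)
        NotRevoked      = -not ($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked|RevocationStatusUnknown|OfflineRevocation' })
        ValidKeyUsage   = $serverAuth
        ChainsToTrusted = $chainOk
        RootThumbprint  = $root.Thumbprint
        PinMatches      = ($PinnedRootThumbprint -eq '') -or ($root.Thumbprint -eq $PinnedRootThumbprint)
    }
}

# Usage (placeholders): Test-ServerCertificate -Hostname 'www.example.com' -PinnedRootThumbprint '<EXPECTED_ROOT_THUMBPRINT>'
```

A PinMatches of $false with every other check $true is the case the Certificate Trust feature is there to catch: a chain that is technically valid but ends in a root other than the one you expect for that site.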
Other tricks to secure your environment
• 2012 R2 Core Server installation
• Plain text e-mail!!!
• Pass the hash whitepaper
• AppLocker
• Sysmon (Sysinternals)
• Security Compliance Manager
• Latest OS!!!
• Security Configuration Wizard
• Policies & commitment
• SLAM & ESAE (Microsoft Services)
• IPSec
• Attack Surface Analyzer
http://technet.microsoft.com/library/dn765472.aspx
http://technet.microsoft.com/en-us/library/hh546785.aspx
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
http://azure.microsoft.com/en-us/