Windows Vista Security Windows Vista Security TidbitsTidbits

Steve LambTechnical Security Evangelist @ Microsoft Ltd

Stephen.lamb@microsoft.comhttp://blogs.technet.com/steve_lamb

OverviewOverview

User And Group ChangesUser And Group ChangesAdmin accountAdmin accountNew/Missing SIDsNew/Missing SIDsNew/Missing Users and GroupsNew/Missing Users and GroupsCached credentialsCached credentials

Kernel ChangesKernel ChangesBuffer overflow protectionBuffer overflow protection

ACL ChangesACL ChangesEncryption changesEncryption changes

Suite BSuite BTS SSOTS SSOEFS with Smart CardsEFS with Smart Cards

Audit changesAudit changesUser rightsUser rightsNew and changed security optionsNew and changed security optionsFirewallFirewall

Auth IPAuth IP

SMBv2SMBv2

User and Group ChangesUser and Group Changes

Administrator Account StatusAdministrator Account Status

Administrator Account StatusAdministrator Account Status

Power Users Are Not AnymorePower Users Are Not Anymore

The Support and Help AccountsThe Support and Help Accounts

New GroupsNew Groups

Some Additional SIDsSome Additional SIDs

And A Few More SIDsAnd A Few More SIDs

The Trusted Installer

A Service

INTERNET USER

High integrity SID

Low integrity SIDMedium

integrity SID

System integrity SID

Integrity Levels in TokenIntegrity Levels in Token

ACL ChangesACL Changes

ACL ModificationsACL Modifications

Old ACL UIOld ACL UI

New ACL UINew ACL UI

Owner Needs Explicit PermsOwner Needs Explicit Perms

Kernel ChangesKernel Changes

Better Buffer Overflow ProtectionBetter Buffer Overflow Protection

Second cookie protects exception handlersSecond cookie protects exception handlers

Safer CRT exception handlersSafer CRT exception handlers

No more executable pages outside imagesNo more executable pages outside imagesEnforced by better development practices and Enforced by better development practices and code scanning toolscode scanning tools

/NXCOMPAT linker flag in build tools/NXCOMPAT linker flag in build toolsIf all binaries in a process are marked NX is If all binaries in a process are marked NX is automatically enabled for the processautomatically enabled for the process

Heap protectionHeap protection

Signed kernel code (x64 only)Signed kernel code (x64 only)

Crypto ChangesCrypto Changes

Offline Files Encrypted Per UserOffline Files Encrypted Per User

Encrypted PagefileEncrypted Pagefile

Suite-B CryptoSuite-B Crypto

Software and Smart Card Key Storage ProvidersSoftware and Smart Card Key Storage Providers

Cryptographic configurationCryptographic configuration

NIST ECC Prime Curves support (smart cards NIST ECC Prime Curves support (smart cards too)too)

AESAES

SHA-2SHA-2

IPsec support for AES and ECDHIPsec support for AES and ECDH

ECC cipher suites in SSLECC cipher suites in SSL

EFS with smart cardsEFS with smart cards

Cached Credentials Much TougherCached Credentials Much Tougher

Improved AuditingImproved Auditing

Granular Audit Granular Audit PolicyPolicy

Object Access AuditingObject Access Auditing

Object Access Attempt:Object Server: %1Handle ID: %2Object Type: %3Process ID: %4Image File Name: %5Access Mask: %6

Object Access AuditingObject Access Auditing

An operation was performed on an object.Subject :                                                                 Security ID: %1                Account Name: %2                         Account Domain: %3                Logon ID: %4          Object:                Object Server: %5                Object Type: %6                Object Name: %7                Handle ID: %9Operation:                Operation Type: %8                Accesses: %10                Access Mask: %11                Properties: %12                Additional Info: %13                Additional Info2: %14

Added Auditing ForAdded Auditing For

Registry value change audit events (old+new values)Registry value change audit events (old+new values)

AD change audit events (old+new values)AD change audit events (old+new values)

Improved operation-based auditImproved operation-based audit

Audit events for UACAudit events for UAC

Improved IPSec audit events including support for Improved IPSec audit events including support for AuthIPAuthIP

RPC Call audit eventsRPC Call audit events

Share Access audit eventsShare Access audit events

Share Management eventsShare Management events

Cryptographic function audit eventsCryptographic function audit events

NAP audit events (server only)NAP audit events (server only)

IAS (RADIUS) audit events (server only)IAS (RADIUS) audit events (server only)

More Info In Event Log UIMore Info In Event Log UI

XML EventsXML Events

New Event NumbersNew Event Numbers

New and Modified User New and Modified User RightsRights

Changes to User RightsChanges to User Rights

All rights for Power Users removedAll rights for Power Users removed

Create global objects does not have INTERACTIVECreate global objects does not have INTERACTIVE

SE_IMPERSONATE has added IIS_IUSRS and SE_IMPERSONATE has added IIS_IUSRS and removed ASPNETremoved ASPNET

Logon as a service is now empty by defaultLogon as a service is now empty by default

New User RightsNew User Rights

Access credential manager as a trusted caller Access credential manager as a trusted caller

Change time zone user right Change time zone user right

Create symbolic links Create symbolic links

Modify an object label Modify an object label

Synchronize directory service data Synchronize directory service data

Increase a process working setIncrease a process working set

Security Options With Modified Security Options With Modified DefaultsDefaults

Anonymous Named PipesAnonymous Named Pipes

Anonymous Named PipesAnonymous Named Pipes

Network access: remotely accessible Network access: remotely accessible registry pathsregistry paths

Network access: remotely accessible Network access: remotely accessible registry pathsregistry paths

Network access: shares that can be Network access: shares that can be accessed anonymouslyaccessed anonymously

Network access: shares that can be Network access: shares that can be accessed anonymouslyaccessed anonymously

Network Security: Do not store LAN Network Security: Do not store LAN Manager hash value on next password Manager hash value on next password changechange

Network Security: Do not store LAN Network Security: Do not store LAN Manager hash value on next password Manager hash value on next password changechange

Network security: LAN Manager Network security: LAN Manager authentication levelauthentication level

Network security: LAN Manager Network security: LAN Manager authentication levelauthentication level

Devices: Allowed to format and eject Devices: Allowed to format and eject removable mediaremovable media

Devices: Allowed to format and eject Devices: Allowed to format and eject removable mediaremovable media

Devices: Restrict CD-ROM/Floppy access Devices: Restrict CD-ROM/Floppy access to locally logged on user onlyto locally logged on user only

Devices: Restrict CD-ROM/Floppy access Devices: Restrict CD-ROM/Floppy access to locally logged on user onlyto locally logged on user only

Devices: Unsigned driver installation Devices: Unsigned driver installation behaviorbehavior

Devices: Unsigned driver installation Devices: Unsigned driver installation behaviorbehavior

Why Change It?Why Change It?

Interactive logon: Require smart cardInteractive logon: Require smart card

Interactive logon: Require smart cardInteractive logon: Require smart card

New Security OptionsNew Security Options

Network access: remotely accessible Network access: remotely accessible registry paths and sub-pathsregistry paths and sub-paths

Network access: Restrict anonymous Network access: Restrict anonymous access to named pipes and sharesaccess to named pipes and shares

System settings: Optional subsystemsSystem settings: Optional subsystems

System settings: Use certificate rules on System settings: Use certificate rules on windows executables for software windows executables for software restriction policiesrestriction policies

Lots and lots and lots of GP changesLots and lots and lots of GP changes

Last Logon DisplayLast Logon Display

Trusted Path Credential EntryTrusted Path Credential Entry

Smart Card PoliciesSmart Card Policies

SMBv2SMBv2

What’s New In SMBv2 What’s New In SMBv2 (in 30 seconds)(in 30 seconds)

Only 16 commands (80 in SMBv1)Only 16 commands (80 in SMBv1)

Implicit sequence number speeds up hashingImplicit sequence number speeds up hashing

SHA-256 signatures (MD-5 in SMBv1)SHA-256 signatures (MD-5 in SMBv1)

Handles reconnections more reliablyHandles reconnections more reliably

Client-side file encryption (yay!!!)Client-side file encryption (yay!!!)

Symbolic links across shares (disabled by Symbolic links across shares (disabled by default)default)

Better load balancing mitigates DOS attacksBetter load balancing mitigates DOS attacks

MiscellanyMiscellany

New RDP ControlNew RDP Control

New RDP ControlNew RDP Control

Timeless Security Advice!Timeless Security Advice!

Order online:Order online:http://www.protectyourwindowsnetwohttp://www.protectyourwindowsnetwork.comrk.com

© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Steve LambTechnical Security Evangelist @ Microsoft Ltd

Stephen.lamb@microsoft.comhttp://blogs.technet.com/steve_lamb

Thanks to Jesper M. Johansson, Ph.D. for creating the slidesThanks to Jesper M. Johansson, Ph.D. for creating the slides