8/3/2019 Application Compatibility Versus Security
Application Compatibility versus Security
Application Compatibility AND Security
Raphael (Raf) Cox
Senior Security Consultant, CISSP
Microsoft Consulting Services - BeLux
Objectives
- Understand what AppCompat technologies/solutions are available for Windows and how they work
- Understand what hardening tools are available
- Understand the impact of increasing security
Application Compatibility
Intro
App-compat and security: it's a challenge
Examples:
- "Don't apply the security baseline: it will break everything"
- "We just need to disable a couple of settings to get it working"
- "It's fixed: the app runs when the user is an admin"
- Increasing the security baseline: need to test
- Migration to a new OS: need to test all apps
So, why not increase security at the same time as rolling out the new OS?
The Application Compatibility process
Rationalization Planning: A Simple Three-Phase Approach
- Inventory: What do we have?
- Rationalize: What do we need?
- Test and Mitigate: How do ... (remaining label cut off in extraction)
Supporting Decisions from Budgeting Through Deployment
Decisions Made Now Drive the End-to-End Project
Reduced with a Strong Up-Front Triage Process
- List of commercial off-the-shelf software analyzed: over 20,000 applications
- Reviewing the list, there appeared an opportunity to reduce:
  - Multiple versions of the same application
  - Driver support applications
  - Redundant applications
- Investigated ~1,000 applications, one hour time limit
- Removed applications based on knowledge
- Significant cost savings: applications discovered, removed and passing review (figures cut off in extraction)
- Security: fewer apps, less patching required, fewer vulnerabilities
Process diagram (labels only): Discovered Applications -> Prioritize -> Categorize -> Rationalize -> Standardize -> Application inventory with assigned priority
Fixing the bad apps
3rd party applications:
- Get the latest version from the vendor
- Get an official support statement from the vendor
- Check alternatives
In-house developed applications:
- Have them fixed by the development team
- Designed for Windows 7 Logo guides (http://msdn.microsoft.com/en-us/windows/dd203105.aspx)
Some apps can not be properly fixed for various reasons: have to find secure work-arounds
AppCompat versus Security
User as admin
On XP:
- Perfect for AppCompat
- Security nightmare!
On Windows 7:
- Some legacy apps still break
- Default security is more strict
- Memory access management is more strict
- OS version changed
- Default folders changed
- Some APIs changed
Windows 7 XP-Mode
Why not have both? XP-Mode!
- VM with Windows XP SP3
- Seamless apps on the Win7 desktop
- USB redirection supported
Security???
- Twice the number of systems to maintain
- High risk that the virtual XP is not up-to-date with patches, signatures, etc.
- IE6 to be used in Virtual XP? Limit the use!
- Risk: Users can now install their own VMs (with
MED-V: the better Virtual XP?
Manageability? Use MED-V!
- MED-V is part of MDOP
- Extra management capabilities
Security of MED-V
- The MED-V workspace will wake up the VM regularly to install updates
- IE (by default) is configured to prevent browsing to other sites
- IE Internet Security Zone: highest level
- Still relies on Virtual PC: user can create VMs!
LUA enforced
LUA = Least-Privilege User Accounts (user no longer admin on the workstation)
- User can not install programs (and also no ma...)
- Change system configuration, etc.
- On XP, user can e.g. not change his time-zone (solved in W7)
Breaks several legacy apps on XP
- Apps want to write data or temporary files to e.g. c:\program files or the HKLM registry
- Auto-updaters are a security nightmare
The problem: LUA bugs
A LUA bug is:
- An application or feature that works with administrative (admin) privileges, and
- Fails as a normal (LUA) user, and
- Has no technical or business need for admin privileges
LUA bugs are often the #1 cause of app problems.
Some LUA bugs can be fixed using SHIMS
The Solution(s)?
Standard User Analyzer
Standard User Analyzer
- Based on AppVerifier LUAPriv
- Predicts whether API calls fail for standard users
  - Predictive (elevated)
  - Diagnostic (non-elevated)
- Offers mitigations for selected issues using SHIMS
Security? SHIMS are executed in the user context (no extra privileges can be granted through them)
Some fixes (e.g. the OpenDirectoryACL fix) can change ACLs on a directory during installation (elevated context)
SUA API Coverage
- File system access
- Registry access
- INI WriteProfile
- Token checking
- Privilege
- Namespace
- Other securable objects
- Process creation
SUA Architecture
Diagram (labels only): Application, Windows, AppVerifier, LuaPriv, Logs
SUA demo
Security hardening (the soft way)
"But that will break everything"
- Changing security hardening requires extra testing
- Difficult to change in a production environment
Build security into the system from day 1
- Create hardening policies before deploying a new OS
- Ensure that AppCompat testing includes the hardening policies
Relaxed security hardening on W7 = enforcing secure defaults, low risk on AppCompat
Security Compliance Manager
- Automatic security baseline updates
- Centralized baseline library: unified experience from security baseline deployment to compliance checking
- Baseline customization, exporting & management
- Monitor and report security baseline compliance with System Center DCM
Security Compliance Manager workflow (diagram reconstructed from its labels):
- Import MS Baselines (best-practice settings) and GPO backups from Active Directory into Microsoft Security Compliance Manager
- Customize baselines
- Create a DCM Pack and import it into System Center Configuration Manager
- Create SCAP content and import it into a SCAP scanner
- Create a GPO backup and import it into Active Directory
Security Compliance Manager demo
Security hardening (the strict way)
Use SCM!
Start strict, relax later
Attention points:
- Privileges: might break apps that use local services, e.g. SQL Express
- Network security: be aware of 3rd party SMB servers (e.g. SAMBA) or LDAP clients (e.g. VPN devices)
- AppLocker is a great functionality to block drive-by downloads and other malware
Security hardening
Top 7 settings that have impact on AppCompat:
- Log on as a service (set to no one in the W7 settings!)
- Do not process legacy run key (enabled in SSLF)
- Enable the computer to stop generating 8.3 style filenames (enabled in SSLF)
- Use FIPS compliant algorithms for encryption, hashing and signing (enabled in SSLF)
- Enable Admin Shares (set to not defined in SSLF)
- DCOM Permissions (set to not defined in SSLF)
- CD-ROM Access to locally logged-on user only
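To find out which of these seven settings are actually in force on a test workstation before blaming one for an app failure, here is an added PowerShell check (mine, not from the deck or from SCM). It reads the registry values that back the six machine policies and takes "Log on as a service" (the SeServiceLogonRight user right) from a secedit export; run it from an elevated prompt.

```powershell
# Added example, not from the deck: report the state of the hardening settings listed
# above so a tester can tie an AppCompat failure to the setting behind it.
# The registry paths are the backing values of the corresponding Group Policy settings.
$checks = @(
    @{ Name = 'Do not process legacy run key'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisableLocalMachineRun' },
    @{ Name = '8.3 filename generation disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Value = 'NtfsDisable8dot3NameCreation' },
    @{ Name = 'FIPS compliant algorithms only'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
       Value = 'Enabled' },
    @{ Name = 'Admin shares (AutoShareWks)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'AutoShareWks' },
    @{ Name = 'DCOM machine launch restriction'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
       Value = 'MachineLaunchRestriction' },
    @{ Name = 'CD-ROM restricted to logged-on user'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'AllocateCDRoms' }
)

function Get-HardeningSettingState {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $state = 'not defined'          # absent value = policy not configured (the SSLF meaning of "not defined")
        if ($null -ne $item) {
            $raw   = $item.($c.Value)
            $state = if ($raw -is [byte[]]) { 'defined (binary security descriptor)' } else { [string]$raw }
        }
        [pscustomobject]@{ Setting = $c.Name; State = $state }
    }
    # "Log on as a service" is a user right, so read it from a local security policy export.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    [pscustomobject]@{ Setting = 'Log on as a service'
                       State   = if ($right) { $right.Line } else { 'no one (right not listed)' } }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

Get-HardeningSettingState | Format-Table -AutoSize
```

Any setting that reports a value the app vendor did not test against is the first thing to toggle back in an isolated test, before relaxing the whole baseline.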
Advanced hardening
Use advanced tools to mitigate exploit techniques
- EMET = Enhanced Mitigation Experience Toolkit
- Adds an additional protection layer against 0-day exploits
- Relies on built-in security features: DEP, ASLR
- Extends these features, e.g. by making them mandatory (e.g. Mandatory ASLR)
- Adds other techniques such as EAF (Export Address Table Access Filtering)
- Blocks typical behavior of shellcode (exploit code)
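Mandatory ASLR is needed because a module only gets ASLR if it was linked with /DYNAMICBASE, and DEP opt-in likewise depends on /NXCOMPAT; legacy apps often have neither. The following PowerShell function is an added example (mine, not EMET's code) that reads the DllCharacteristics field of a PE optional header so a tester can list which binaries of an application did not opt in. The directory C:\Program Files\LegacyApp is a placeholder.

```powershell
# Added example, not from the deck: list PE files that were not linked with ASLR/DEP opt-in flags.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                  # e_lfanew -> "PE\0\0" signature
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$Path has no PE signature" }
    $opt   = $peOff + 24                                         # 4-byte signature + 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($b, $opt)                  # 0x10b = PE32, 0x20b = PE32+
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+
    $dll   = [BitConverter]::ToUInt16($b, $opt + 70)
    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Format        = if ($magic -eq 0x20b) { 'PE32+' } elseif ($magic -eq 0x10b) { 'PE32' } else { 'unknown' }
        DynamicBase   = [bool]($dll -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
        NxCompat      = [bool]($dll -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)
        NoSeh         = [bool]($dll -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
        HighEntropyVA = [bool]($dll -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit)
    }
}

# Placeholder application folder; modules without both opt-ins are the ones EMET's
# mandatory settings (and their AppCompat testing) matter for.
Get-ChildItem 'C:\Program Files\LegacyApp' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-PeMitigationFlags $_.FullName } |
    Where-Object { -not $_.DynamicBase -or -not $_.NxCompat } |
    Format-Table -AutoSize
```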
What are exploit mitigations?
Diagram (labels only): Attacker -> Exploit -> Software vulnerability -> Arbitrary code execution; countered by Software Update and Exploit Mitigation
Objective: Make it impossible or very costly to exploit vulnerabilities
Approach: Break or reduce the reliability of exploitation
EMET Demo
References
- Unintended Consequences of Security Lockdowns, Aaron Margosis, TechEd 2011: http://media.ch9.ms/teched/na/2011/ppt/SIM304.pptx
- The AppCompat Guy, Chris Jackson: http://blogs.msdn.com/b/cjacks/
- Security Compliance Manager: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
- Application Compatibility Toolkit (ACT): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7352
- EMET V2.1: http://www.microsoft.com/download/en/details.aspx?id=1677
2011 Microsoft Corporation. All rights reserved.