Date post: | 15-Jan-2016 |
Category: |
Documents |
View: | 219 times |
Download: | 0 times |
Security & Reliability with Windows Vista
Martin ParryDeveloper & Platform Group, Microsoft [email protected]://martinparry.com
Agenda
• Reliability– Restart and Recovery– Transactional NTFS and Registry
• Security– User Account Control– Windows CardSpace
Restart and Recovery
• Applications sometimes fail• Windows Vista can detect more
failures– Crash, hang, memory leak
• Windows Vista can: -– Restart your app automatically– Give the dying process a “last
chance” to save data
Restart and Recovery
Restart Manager
• Controlled restart during s/w installation
• Two sides…– Processes use Restart APIs as before– Setup scripts use new APIs
• Shutdown is more controlled: -– WM_QUERYENDSESSION
• Setup can use Windows Installer 4
Transactions
• System.Transactions• Transactional File System & Registry
– Isolation Level: Read Committed– Lock Granularity: File Handle, Registry
Key
• New APIs– CreateFileTransacted– RegCreateKeyTransacted– etc...
Transactional File System
Where are we?
• Reliability– Restart and Recovery– Transactional NTFS and Registry
• Security– User Account Control– Windows CardSpace
User Account Control
• We are at risk from malware when running as administrator
• TCO benefits with “standard user” managed desktops
• Running without admin privilege can be difficult
• UAC makes everyone a “standard user”• Explicit consent required for elevation
UAC Standard User RightsStandard User Rights
Administrative RightsAdministrative Rights
Admin logonAdmin logon
““Standard User” TokenStandard User” Token
Admin TokenAdmin Token
User ProcessUser Process
• Change Time Change Time
ZoneZone
• Run IT Run IT
Approved Approved
ApplicationsApplications
• Install FontsInstall Fonts
• Install PrintersInstall Printers
• ……
Admin PrivilegeAdmin Privilege
Admin PrivilegeAdmin Privilege
Admin PrivilegeAdmin Privilege
Standard User Standard User PrivilegePrivilege
UserUser
ComputerComputer
Shield UI
Consent Dialog - Windows
Consent Dialog – Signed App
Consent Dialog – Unsigned App
Elevation
• Starting a process with the “full” token
• Embed a manifest• Installer detection• Application-compatibility shim• Right-click...
User Account Control
Virtualization
• Some existing apps write to admin locations– HKLM\Software; %SystemDrive%\Program Files
…
• Virtualization removes need for elevation– Writes to system areas redirected to per-user
areas– Copy-on-write
• Avoids security exceptions, but…!• This is for apps that don’t know about
UAC…!
Windows CardSpace
• .NET Fx V3.0• V2.0 Compilers• V2.0 CLR• VS 2005
• Windows Vista,XP SP2, Server 2003 SP1
Identity on the Internet
• Identity on the Internet poses problems– Identity theft– I want multiple identities to choose from– Complexity of identity information
• We built an identity system a while ago– Microsoft Passport– Working very well for access to our sites– There were some trust issues
A New Approach
• www.identityblog.com– The seven laws of identity
• We have interoperable WS-* specs• We have standard format for
credentials– SAML tokens
• We have all the pieces for a cross-platform identity metasystem
Identity Metasystem
Relying PartiesRelying PartiesRequire identitiesRequire identities
SubjectsSubjectsIndividuals and other Individuals and other entities about whom entities about whom
claims are madeclaims are made
Identity ProvidersIdentity ProvidersIssue identitiesIssue identities
Windows CardSpace
• The Identity Selector for Windows• Grounded in real-world metaphor of
physical cards– Credit card, driving licence, etc.– Personal cards & managed cards
• Implemented as secure subsystem– Protected UI– Anti-spoofing techniques
Windows CardSpace
Requesting a Card
<form id="form1" method="post" action="login1.aspx"><div> <button type="submit">Click here to sign in</button> <object type="application/x-informationcard" name="xmlToken"> <param name="tokenType"
value="urn:oasis:names:tc:SAML:1.0:assertion"/> <param name="issuer"
value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"/>
<param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object></div></form>
Partner: Experian
Joe PygallIT Business Consultant
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
ExperianIdentity Management
Joe PygallIT Business Consultant
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does Experian do?
• Experian is a Global leader in providing information solutions• Headquartered in Nottingham and Costa Mesa, California• 12,500 employees worldwide• Global FTSE 100 company operating in over 60 countries
• One of our capabilities is validating that people are who they say they are:
– Identity Authentication• Millions of transactions per year• At the start of the new business relationship and throughout• Our UK Data Centres are secure; your identities are safe
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What did we decide to do?
• Objective – to reduce fraud through the introduction of trusted consumer identities
• How are we going to do this?
– By being involved in every transaction between a consumer and their chosen organisation we will be able to verify that users are who they say they are
– As a step towards this objective, we embarked on a Proof of Concept with Microsoft
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What did we do?
• Engaged with our customers to assess their identity issues
• Produced a working prototype with .Net 3.0, CardSpace and Vista
• Developed software in Visual Studio 2005, using C#
• Created applications based on web services, SOAP and XML
• Utilised the Microsoft Technology Centre (Reading)
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?
Identity Provider
1) Enrolment
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?What does it look like?`
Identity Identity ProviderProvider
1) Enrolment1) Enrolment
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?
Identity Provider
1) Enrolment
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
2) Accepting a Card
Relying Parties
3) Accessing a Website
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
2) Accepting a Card
Relying Parties
3) Accessing a Website
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
4) Successful Authentication & Logon
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
2) Accepting a Card
Relying Parties
3) Accessing a Website
4) Successful Authentication & Logon
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does it look like?`
Identity Provider
1) Enrolment
Relying Parties
3) Accessing a Website
4) Successful Authentication & Logon
2) Accepting a Card
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What does this mean for you?
Relying Parties (e.g. Banks, Retailers):• No longer need to manage user credentials• Do not need to provide a mechanism for authentication• No longer need to have authentication infrastructure• Can process identities from multiple ID providers in a standard way• Can be more confident in the identity of a customer
Consumers (i.e. all of us):• Will have the option to have a single trusted identity that can be
reused• Resulting in a consistent experience with every relying party
`
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
What needs to happen?
• Relying parties will need to partner with a reputable identity provider e.g. Experian
• Identity providers will need to be able to verify individuals identity effectively
Technically - what do CardSpace adopters have to do?
• Implement standards like WS-* and SAML• Implement card selector object tags• Concept can be applied through standards to non Microsoft
implementations e.g. Safari, Firefox
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
Summary
• Technology is proven – it works
• Experian is already a key player in the identity provider arena
• Experian can offer an Identity Management solution to businesses that need one
• The PoC forms part of a much bigger IDM solution within Experian
• We are looking at other methods to complement this e.g. biometrics and conventional authentication
Use the MomentUse the Moment ®®
Consumer intelligence that delivers results at the speed of lifeConsumer intelligence that delivers results at the speed of life
Summary
Experian and Microsoft are leading the way in providing
online digital identities to consumers, ensuring that the
internet is a safer place to transact business for both
consumers and retailers
Summary
• Confidence = Reliability + Security• Reliability
– Restart & Recovery– Transactional NTFS & Registry– Etc.
• Security– User Account Control– Windows CardSpace– Etc.
Useful Resources
•http://www.microsoft.com/uk/launch2007/dev/useful.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the
date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.