Operating System, Linux & Windows

Security
 Prevention Strategies
• The 2010 Australian Signals Directorate (ASD) lists the “Top 35 Mitigation Strategies”.

• The top four strategies for prevention are:

o White-list approved applications
o Patch third-party applications and operating system vulnerabilities
o Restrict administrative privileges
o Create a defense-in-depth system

• Possible for a system to be compromised

during the installation process before it can
install the latest patches The purpose of the system, the
type of information stored, the
Who will administer the
system, and how they will Any additional security
applications and services

• Building and deploying a system should be

manage the system (via local or measures required on the
provided, and their security system, including the use of
remote access)
requirements host firewalls, anti-virus or
other malware protection
mechanisms, and logging

a planned process designed to counter this What access the system has to

threat
The categories of users of the
information stored on other
system, the privileges they
hosts, such as file or database
have, and the types of
servers, and how this is
information they can access
managed

• Process must:
o Assess risks and plan the system deployment How the users are
How access to the information
stored on the system is
o
authenticated
Secure the underlying OS and then the key applications managed

o Ensure any critical content is secured

o Ensure appropriate network protection mechanisms are used
o Ensure appropriate processes used to maintain security
 Operating Systems Hardening
• First critical step in securing a system is to secure the base operating system
• Basic steps
o Install and patch the operating system
o Harden and configure the operating system to adequately address the indentified security needs of the system by:
• Removing unnecessary services, applications, and protocols
• Configuring users, groups, and permissions
• Configuring resource controls
o Install and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection
system (IDS)
o Test the security of the basic operating system to ensure that the steps taken adequately address its security needs

Should stage and

validate all
patches on the
System security Initial test systems
begins with the installation
should install
Overall boot before deploying
installation of the the minimum
process must
them in
operating system also be
necessary for secured production
the desired
system

Full installation and The integrity and Critical that the

Ideally new hardening process source of any system be kept up to
systems should be should occur before additional device date, with all critical
constructed on a the system is driver code must be security related
protected deployed to its carefully validated patches installed
network intended location
 Operating Systems Hardening
• Remove Unnecessary Services, Applications, Protocols as If fewer software packages
are available to run the risk is reduced

• When performing the initial installation the supplied defaults should not be
used
o Default configuration set to maximize ease of use & functionality rather than security

o If additional packages are needed later they can be installed when required
• System planning process should consider:
o Categories of users on the system

o Privileges they have

o Types of information they can access

o How and where they are defined and authenticated

• Default accounts included as part of the system installation should be secured

o Those that are not required should be either removed or disabled

o Policies that apply to authentication credentials configured

 Application Configuration
• May include:
o Creating and specifying appropriate data storage areas for application
o Making appropriate changes to the application or service default configuration details
• Some applications or services may include:
o Default data, Scripts and User accounts
• Of particular concern with remotely accessed services such as Web and file
transfer services
o Risk from this form of attack is reduced by ensuring that most of the files can only be read, but not
written, by the server

Encryption Technology
Is a key
enabling If secure network Cryptographic file
technology that services are systems are
Must be If secure network
may be used to provided using services are another use of
secure data both configured and
appropriate TLS or IPsec provided using SSH, encryption
in transit and suitable public and appropriate server
when stored cryptographic
private keys must and client keys must
keys created, be created
signed, and be generated for
secured each of them
 Security Maintenance
• Process of maintaining security is continuous
• Security maintenance includes:
o Monitoring and analyzing logging information
o Performing regular backups
o Recovering from security compromises
o Regularly testing system security
o Using appropriate software maintenance processes to patch and update all critical software,
and to monitor and revise configuration as needed

In the event of a system Key is to ensure you

Can only inform you breach or failure, system capture the correct data
about bad things that administrators can more and then appropriately
have already happened quickly identify what monitor and analyze Performing regular Backup Archive Needs and policy
backups of data is a relating to backup
happened this data critical control that and archive should
assists with be determined
maintaining the during the system
The process of making
integrity of the system copies of data at regular The process of retaining
copies of data over extended planning stage
and user data intervals
Generates significant periods of time in order to

Information can be Range of data acquired

meet legal and operational
requirements to access past
volumes of information data
generated by the system, should be determined
and it is important that
network and during the system
sufficient space is May be legal or Kept online or offline
applications planning stage operational requirements
allocated for them for the retention of data

Stored locally or
transported to a
Automated analysis is remote siite

Logging preferred
Backup & archive
 Linux/Unix Security
• Patch management
• Keeping security patches up to date is a widely recognized and critical control for maintaining security

• Application and service configuration

• Most commonly implemented using separate text files for each application and service
• Generally located either in the /etc directory or in the installation tree for a specific application
• Individual user configurations that can override the system defaults are located in hidden “dot” files in each user’s
home directory
• Most important changes needed to improve system security are to disable services and applications that are not
required

• Users, groups, and permissions

• Access is specified as granting read, write, and execute permissions to each of owner, group, and others for each
resource
• Guides recommend changing the access permissions for critical directories and files
• Local exploit - Software vulnerability that can be exploited by an attacker to gain elevated privileges
• Remote exploit - Software vulnerability in a network server that could be triggered by a remote attacker

• chroot jail
• Restricts the server’s view of the file system to just a specified portion
• Uses chroot system call to confine a process by mapping the root of the filesystem to some other
directory
• File directories outside the chroot jail aren’t visible or reachable
• Main disadvantage is added complexity
 Windows Security
Patch management
“Windows Update” and “Windows Server Update Service” assist with regular maintenance and should be
used
Third party applications also provide automatic update support

Users administration and access controls

Systems implement discretionary access controls resources
Vista and later systems include mandatory integrity controls
Objects are labeled as being of low, medium, high, or system integrity level
System ensures the subject’s integrity is equal or higher than the object’s level
Implements a form of the Biba Integrity model

Windows systems also define
privileges Combination of share and
NTFS permissions may be
• System wide and granted to user
used to provide additional
accounts
security and granularity when
accessing files on a shared
resource
User Account Control (UAC)
• Provided in Vista and later Assists
with ensuring users with admin
rights only use them when
required, otherwise accesses system
as normal user
Low Privilege Service
Accounts
• Used for long-lived service
processes such as file, print, and
DNS services
 Windows Security
Other security controls

• Essential that anti-virus, anti-spyware, personal firewall, and other malware and attack detection and
handling software packages are installed and configured
• Current generation Windows systems include basic firewall and malware countermeasure capabilities
• Important to ensure the set of products in use are compatible

Windows systems also support a range of cryptographic functions:

• Encrypting files and directories using the Encrypting File System (EFS)
• Full-disk encryption with AES using BitLocker

“Microsoft Baseline Security Analyzer”

• Free, easy to use tool that checks for compliance with Microsoft’s security recommendations

Much of the configuration information is centralized in the Registry

Forms a database of keys & values that may be queried and interpreted by applications

Registry keys can be directly modified using the “Registry Editor”

More useful for making bulk changes
 Virtualization
• A technology that provides an abstraction of the resources used by some software which runs in a
simulated environment called a virtual machine (VM)
• Benefits include better efficiency in the use of the physical system resources
• Provides support for multiple distinct operating systems and associated applications on one physical
system
• Raises additional security concerns

Application virtualization

Full virtualization

Allows
applications
written for
one Multiple Virtual machine monitor
environment
to execute on
full
operating
(VMM)
some other
operating system
system instances Coordinates access
execute in between each of the
Hypervisor guests and the actual
parallel physical hardware
resources
 Virtualization Security Issues
• Security concerns include:
o Guest OS isolation
• Ensuring that programs executing within a guest OS may only access & use resources allocated to it
o Guest OS monitoring by the hypervisor
• Which has privileged access to the programs and data in each guest OS
o Virtualized environment security
• Particularly image and snapshot management which attackers may attempt to view or modify
o Organizations using virtualization should:
• Carefully plan the security of the virtualized system
• Secure all elements of a full virtualization solution and maintain their security
• Ensure that the hypervisor is properly secured
• Restrict and protect administrator access to the virtualization solution

• Should be
o Secured using a process similar to securing an operating system, Installed in an isolated environment, Configured so that it is updated
automatically, Monitored for any signs of compromise & Accessed only by authorized administration

• May support both local and remote administration so must be configured appropriately

• Remote administration access should be considered and secured in the design of any network firewall and IDS
capability in use

• Ideally administration traffic should use a separate network with very limited access provided from outside the
organization
Linux Security
 Linux
• Created in 1991 by Linus Torvalds
• Has evolved into one of the world's most popular operating systems
o Free, Open-sourced
o Available in a wide variety of distributions targeted at almost every usage scenario imaginable

The traditional Linux security model can be summed up quite succinctly:

People or processes with “root” privileges can do anything; other accounts
can do much less

From the attacker’s perspective the challenge in cracking a Linux system is

gaining root privileges

Once an attacker gains root privileges they can:

• Erase or edit logs & hide their processes, files, and directories
• Basically redefine the reality of the system as experienced by its administrators and users

Thus, Linux security (and UNIX security in general) is a game of “root takes
all”
 Discretionary Access Controls (DAC)

In the Linux DAC Each object has three sets

system there are of permissions:
• Users: each of which Users read, write, and • User-owner Permissions are
belongs to one or more execute the objects • Group-owner
Linux’s security model enforced by the Linux
groups based on the object’s • Other (everyone else) kernel
• Objects: files and permissions
directories

Prior to being executed a program’s file-permissions restrict who can execute, access, or
change it

When running, a process normally runs as the identity of the user and group of the
person or process that executed it

If a running process attempts to read, write, or execute some other object the
kernel will first evaluate that object’s permissions against the process’s user and
group identity

Whoever owns an object can set or change its permissions

The system superuser account has the ability to both take ownership and change the
permissions of all objects in the system

Permissions
 DAC
Linux treats everything as a file.
Although we think of a directory as a container of files, in UNIX a directory is actually itself a file
containing a list of other files.

Similarly, the CD-ROM drive attached to your system seems tangible enough, but to the Linux kernel,
it too is a file: the "special" device-file /dev/cdrom.

To send data from or write data to the CD-ROM drive, the Linux kernel actually reads to and writes
from this special file.

Other special files, such as named pipes, act as input/output (I/O) "conduits," allowing one process or
program to pass data to another.

These examples illustrate how in Linux/UNIX, nearly everything is represented by a file. Once you
understand this, it's much easier to understand why file-system security is such a big deal (and how it
works).
 Users, Groups, and Permissions
• There are two things on a UNIX system that aren’t represented by files:
o User accounts
o Group accounts

• User account
o Represents someone or something capable of using files
o Can be associated with both actual human beings and processes
• Group account
o A list of user accounts
o Each user account is defined with a main group membership, but may belong to as many groups as you
need it to

• maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash

• Listing 25-1: An /etc/password Entry For the User "maestro”

• conductors:x:100:
• pianists:x:102:maestro,volodya

• Listing 25-2: Two /etc/group Entries

 Simple File Permissions
• Each file on a UNIX system has two owners (a user and a
group)
• Each user and group has its own set of permissions that
specify what the user or group may do with the file (read it,
write to it, delete it, execute it)
• Other
o User accounts that don’t own the file or belong to the group that owns it
• Listing 25-3 shows a long file-listing for the file
/home/maestro/baton_dealers.txt

-rw-rw-r-- 1 maestro conductors 35414 Mar 25 01:38 baton_dealers.txt

Listing 25-3: File-Listing Showing Permissions

 The Sticky Bit
• In older UNIX operating systems the sticky bit was used to write a file (program) to
memory so it would load more quickly when invoked
• The sticky bit is used to allow someone with “write” permissions to create new files in
the directory but not delete any files
• On Linux when you set the sticky bit on a directory, it limits users’ ability to delete
things in that directory
o To delete a given file in the directory you must either own that file or own the directory, even if you belong to the group that
owns the directory and group-write permissions are set on it
• To set the sticky bit, issue the command: chmod +t directory_name

Attempting Deletion With Sticky-bit Set

(user input in boldface)

crash@localhost:/extreme_casseroles> rm pineapple_mushroom_suprise.txt
rm: cannot remove `pineapple_mushroom_suprise.txt': Operation not permitted
 Setuid and Setgid

If set on an Setuid has no effect on

Two of the most executable binary file directories but setgid
dangerous the setuid bit causes does
permissions bits in that program to run as
UNIX its owner no matter
who executes it
• This is useful if users
Setting a directory’s on your system tend to
setgid bit causes any file belong to secondary
groups and routinely
created in that directory create files that need to
to inherit the directory’s be shared with other
group-owner members of those
If set on an groups
executable the setgid
Very dangerous if set
bit causes that
on any file owned by
program to run as a If the directory isn’t
root or any other group-writable the
member of the group
privileged account or setgid bit will have no
that owns it
group effect because group
regardless of who members won’t be able
executes it to create files inside it
 Numeric Modes
• Internally Linux uses numbers to represent permissions
• Consists of four digits
o As you read left to right these represent special permissions, user permissions, group permissions, and other permissions

• Each permission has a numeric value and the permissions in each digit-place are
additive
o The digit represents the sum of all permission-bits you wish to set

• Basic numeric values are 4 for read, 2 for write, and 1 for execute
o These values represent bits in a binary stream and are therefore all powers of 2
o If user permissions are set to “7” this represents 4(value for read) plus 2 (the value for write and 1 (the value for execute)

• 4 stands for setuid,

• 2 stands for setgid,
• 1 stands for sticky-bit

• For example, the numeric mode 3000

translates to

• "setgid set, sticky-bit set, no other

permissions set"
 Linux Vulnerabilities
• Some common vulnerabilities in default Linux installations (unpatched and
unsecured) have been:
o Buffer overflows
o Race conditions
o Abuse of programs run “setuid root”
o Denial of service (DoS)
o Web application vulnerabilities
o Rootkit attacks

• Kernel Space • User Space

• Refers to memory used by the Linux • Refers to memory
kernel and its loadable modules used by all other
o e.g., device drivers processes
• Because the kernel enforces the Linux
DAC it is extremely important to isolate
kernel space from user space
o For this reason kernel space is never swapped to hard disk
o It is also the reason that only root may load and unload
 Rootkit Attacks
Rootkits began as collections of “hacked
This attack, which allows an attacker A loadable kernel module (LKM) rootkit covers
replacements” for common UNIX commands that
to cover their tracks, typically occurs the tracks of attackers in kernel space ---
behaved like the legitimate commands they
after root compromise intercepting system calls pertaining to any user’s
replaced --- except for hiding an attacker’s files,
attempts to view the intruder’s resources
directories and processes

Besides operating at a lower, more global level, another advantage of

the LKM rootkit over traditional rootkits is that system integrity- Many traditional and LKM rootkits can be detected with the
checking tools such as Tripwire won’t generate alerts from system script chkrootkit
commands being replaced

Abuse of Programs Run “setuid root

A setuid root program is a root-owned program with its setuid bit set --- a program that runs as root no matter who executes it

If a setuid root program can be exploited or abused in some way, then otherwise unprivileged users may be able to use that program to
wield unauthorized root privileges --- possibly opening a root shell (a command-line session running with root privileges

Running setuid root is necessary for programs that need to be run by unprivileged users yet must provide such users with access to
privileged functions --- for example, changing their password, which requires changes to protected system files

A root-owned program should only have its setuid bit set if absolutely necessary
 OS Installation: Software Selection and Initial Setup

• Linux system security begins at operating system installation time

• Here is a list of software packages that should seldom, if ever, be installed on
hardened servers, especially Internet-facing servers:
o X Windows System, RPC Services, inetd, SMIP Daemons, Telnet & cleartext-logon services

There will always be

All the server
software
Carefully selecting applications you do
vulnerabilities that Unpatchable
what gets installed on install must be
attackers are able to vulnerabilities are
a Linux system is an configured securely
exploit for some know as zero-day
important first step in and they must also be
period of time before vulnerabilities
securing it kept up to date with
vendors issue patches
security patches
for them

Most Linux system

Historically Linux hasn’t
been nearly so vulnerable tended to rely on keeping
to viruses as other
operating systems
As Linux’s popularity
administrators have Worms have historically Viruses typically abuse
continues to grow we can
been a much bigger threat the privileges of whatever
expect Linux viruses to
up to date with security against Linux systems user unwittingly executes
become much more
patches for protection than viruses them
common
against malware
 User Management
• The guiding principles in Linux user account security are:
o Be very careful when setting file and directory permissions
o Use group memberships to differentiate between different roles on your system
o Be extremely careful in granting and using root privileges
• Command review:
o chmod command sets and changes permissions for objects belonging to existing user and groups
o useradd, usermod, and userdel are used to create, modify, and delete user accounts
o groupadd, groupmod, and groupdel commands are used to create, modify, and delete group accounts

Root Delegation: su and sudo

• The fundamental problem with Linux security is that permissions & authority on a given
system boil down to “root can do anything, users can’t do much of anything”
• su
o Provided you know the root password, you can use the su command to promote yourself to root from whatever user you logged
in as
• sudo
o Short for “superuser do”
o Standard package on most Linux distributions
o Allows users to execute specified commands as root without actually needing to know the root password
 Logging
• Logging is not a proactive control – it can only tell you about bad
things that have already happened

• Helps ensure that in the event of a system breach or failure, system

administrators can more quickly and accurately identify what
happened

• On Linux systems system logs are handled either by the Berkeley

Syslog daemon in conjunction with the kernel log daemon or by the
Syslog-NG

• System log daemons receive log data from a variety of sources, sort by
facility and severity, and then write the log messages to log files

• Both syslogd and Syslog-NG install with default settings for what gets logged and
where
o You should decide what combination of local and remote logging to perform
o If logs remain local to the system that generates them they may be tampered with by an attacker
o If some or all log data are transmitted over the network to some central log-server audit trails can be more
effectively preserved but log data may also be exposed to network eavesdroppers
 Other System Security Tools
Bastille Tripwire Snort Nessus
A utility that maintains
A powerful free A modular security
A comprehensive a database of
Intrusion Detection scanner that probes for
system-hardening characteristics of crucial
System (IDS) that common system and
utility that educates as system files and reports
detects common application
it secures all changes made to
network-based attacks vulnerabilities
them

Running as an Unprivileged User/Group

One of most important security features a daemon can have is the ability to run as a non-privileged user or group

It’s possible for a service’s parent process to run as root in order to bind to a privileged port and then spawn a new child process that
runs as an unprivileged user each time an incoming connection is made

Ideally the unprivileged users and groups used by a given network daemon should be dedicated for that purpose

Running in a chroot Jail

• The chroot system call confines a process to some subset of /
• It maps a virtual “/” to some other directory (e.g.,/srv/ftp/public)
• The directory to which we restrict the daemon is called a chroot jail
• To the chrooted daemon everything in the chroot jail appears to actually be in /
• Things in directories outside the chroot jail aren’t visible or reachable at all
 Mandatory Access Controls (MAC)
A user who creates a
file on a MAC
A computer with
system generally
MAC has a global superuser account is
may not set access
security policy that
controls on that file
all users of the
that are weaker than
system are subject
the controls dictated
to
by the system
security policy
Day-to-day system
The only thing the As a result it’s
administration is
impossible to
performed using
used for is compromise the
accounts that lack
maintaining the entire system by
the authority to
global security attacking any one
change the global
policy process
security policy

Case Study - Security Contexts: Users, Roles, Domains

• Every individual subject & object controlled by SELinux is governed by a security
context, each consisting of a user, a role & a domain (also called a type)
• User
o An individual user whether human or daemon
o SELinux maintains its own list of users separate from the Linux DAC system
• Role
o A role may be assumed by any of a number of preauthorized users, each of whom may be authorized to assume different roles at
different times
o In SELinux a user may only assume one role at a time and may only switch roles if and when authorized to do so
• Domain
o A combination of subjects and objects that may interact with each other. In SELinux domain and type are synonymous
Windows Security
Fundamental Security Architecture
The Security Reference Monitor (SRM)

• This kernel-mode component performs access checks, generates audit log entries, and manipulates user rights (also
called privileges)
• Ultimately every permission check is performed by the SRM
• Most modern Oss include SRM type functionality that performs privileged permission checks
• SRMs tend to be small in size so their correctness can be verified

The Local Security Authority (LSA)

• Resides in a user-mode process named lsass.exe and is responsible for enforcing local security policy
• It also issues security tokens to accounts so they log on to the system
• Security policy: Password & Auditing & Privilege settings - which accounts can perform privileged operations

The Security Account Manager (SAM)

• Is a database that stores accounts data and relevant security information about local principals and local groups
• When a user logs on to a computer using a local account the SAM process takes the logon information and performs a lookup against
the SAM database
• If the credentials match the user can log on to the system
• The SAM file is binary rather than text, and passwords are stored using the MD4 hash algorithm
• On Windows Vista and later, the SAM stores password information using a password-based key derivation function (PBKCS) which
is substantially more robust against password guessing attacks than MD4

Active Directory (AD)

• Microsoft’s LDAP directory included with Windows Server 2000 and later
• All currently supported client versions of Windows, including Windows XP and Windows 7, can communicate with AD to
perform security operations including account logon
• A Windows client will authenticate using AD when the user logs on to the computer using a domain account rather than a
local account
 Using PowerShell for Security Administration
Windows versions since 7 include an incredibly flexible scripting language named PowerShell. PowerShell provides
rich access to Windows computers, and that includes access to security settings. Using PowerShell it is possible to
create bespoke management tools for your organization.

1) PowerShell is based on .NET. If you can do it in C# or VB.NET, you can do it in a PowerShell.

2) Commands in PowerShell are called cmdlets, and have a consistent verb-noun syntax.

3) Like all scripting environments, PowerShell supports piping output from one command to another. But unlike other
scripting environments, PowerShell pipes objects not text. This allows for very rich data processing, filtering and
analysis.

Windows Security Basics – End-to-End Domain Example

After the administrator

Before a user can log on has entered this
SIDs are unique within a
to a Windows network a information Windows Each user account is
domain and every
domain admin must add creates an account for the uniquely represented by
account gets a different
the user’s account user in the domain a Security ID (SID)
SID
information to the system controller running Active
Directory
 Security ID (SID) & Usernames
A user account’s SID is of the following form: S-1-5-21-AAA-BBB-CCC-RRR.

• S simple means SID

• 1 is the SID version number
• 5 is the identifier authority (in this example, 5 is SECURITY_NT_AUTHORITY)
• 21 means “not unique,” which just means there is no guarantee of uniqueness, however, a SID is unique within a
domain
• AAA-BBB-CCC is a unique number representing the domain
• RRR is called a relative ID (RID) – it’s a number that increments by 1 as each new account is created. RIDs are
never repeated, thus making each SID unique

In Windows, a username can be in one of two formats. The first, named the SAM format, is supported by all versions of
Windows and is of the form DOMAIN\Username. The second is called User Principal Name (UPN) and looks more like
an RFC822 e-mail address: [email protected].

If the user enters just a username, then the domain in which the machine resides is pre-pended to the user name. So if
Blake’s PC is in the Development domain, and he enters ‘Blake’ as his logon account, he is actually logging on using
Development\Blake if SAM accounts are used, or [email protected] if UPN names are used.

Assuming the user logs on correctly, a token is generated by the operating system and assigned to the user. A token
contains the user’s SID, group membership information, and privileges. Groups are also represented using SIDs.

The user’s token is assigned to every process run by the user. It is used to perform access checks,
discussed subsequently.
 Privileges in Windows
• Privileges are system-wide permissions assigned to user accounts
• Some privileges are deemed “dangerous”, which means a malicious account that is granted
such a privilege can cause damage
• Examples of dangerous privileges include:
o Act as part of operating system privilege
• This is the most dangerous privilege in Windows and is granted only the Local System account; even administrators are not
granted this privilege
o Debug programs privilege
• This privilege basically means a user can run any code he or she wants in any running process
o Backup files and directories privilege
• Any process running with this privilege will bypass all access control list checks

Windows has two forms of ACL:

• Discretionary ACL (DACL)
• Usually what most people mean
when they say ACL
• Grants or denies access to protected
resources in Windows such as files,
shared memory, named pipes, etc.
• System ACL (SACL)
• Used for auditing
• In Windows Vista used to enforce
mandatory integrity policy
Two important things to keep in
mind about access control in
Windows:
• There is no implied access
• When a Windows application
accesses an object, it must request
the type of access the application
requires
Objects that require protection
are assigned a DACL (and
possibly a SACL) which includes
the SID of the object owner
(usually the object creator) as
well as a list of ACEs
ACEs
• Access control entries
• Each ACE in the DACL
determines access; and an ACE
can be an allow ACE or a deny
ACE
• Includes a SID and an access
mask (an access mask could
include the ability to read, write,
create, delete, modify)
 Windows Vulnerabilities
• After 2001 Microsoft decided to change its software development process to better
accommodate secure design, coding, testing, and maintenance requirements with the
goal of reducing the number of vulnerabilities in all Microsoft products
• Security Development Lifecycle core requirements
o Mandatory security education - Secure design requirements - Threat modeling - Attack surface analysis and reduction - Secure
coding requirements and tools -Secure testing requirements and tools - Security push - Final security review - Security
response

The process of
Account defenses One of the Windows
hardening is the
simplest and Server 2003 is a
The defenses process of 80/20 rule – if
effective ways server and not a
shoring up the feature is
with Windows Network defenses defenses, not used by 80%
to reduce attack client platform,
can be grouped This process is surface is to the Web
reducing the of the
called Attack replace browser
into four broad amount of
Surface
population then
anonymous Internet
categories Memory corruption functionality
Reduction
the feature
networking Explorer was
defenses exposed to should be
protocols with stripped of all
untrusted users, disabled by
authenticated mobile code
and disabling default
networking support by
Browser defenses less-used
protocols default
features

Windows Security Defenses

Windows Hardening
Account Defenses
Principle of least privilege dictates that users
should operate with just enough privilege to
get the tasks done, and no more
Windows XP and Windows Server 2003 add
a feature named “Secondary Logon” which
allows a user account to right click an
application, select “run as….”, and then enter
another user account and password to run
the application
Restricted token is a thread token with
privileges removed and/or SIDs marked as
deny-only SIDs
User Account Control (UAC)
• When a user wants to perform a privileged
operation, the user is prompted to enter an
administrator’s account name and password
• If the user is an administrator, the user is
prompted to consent to the operation
Low Privilege Accounts
• The Local Service account and the
Network service account allow a
service local or network access, but
processes running with these
accounts operate at a much lower
privilege level
o Neither of these accounts are members of the local
administrator's group
Another useful defense is to strip
privileges from an account when the
application starts and should be
performed very early in the
application startup code
(AdjustTokenPrivileges)
Windows Vista and later also add a
function to define the set of
privileges required by a service to
run correctly (ChangeServiceConfig2)
 Network Defenses – IPSec, IPv6 7 Firewalls
• The reason distributed denial-of-service (DDoS) attacks occur is because IPv4 is an
unauthenticated protocol
• UDP is one of the worst offenders because it’s a connectionless protocol
• Even with TCP the initial SYN packet is unauthenticated and a set of attack servers could
easily incapacitate a vulnerable server on the Internet by sending millions of bogus TCP
SYN packets
• IPSec and IPv6 both support authenticated network packets

• All versions of Windows since XP have included a built-in software firewall

• The version included with XP was limited in that:
o It was not enabled by default
o Its configuration was limited to blocking only inbound connections on specific ports
• Changes in XP SP2
o Option to open a port to the Internet --- but only on the local subnet --- in order for users with multiple
computers in the home to share files and print documents
o The firewall is enabled by default
• Changes in Vista and later
o The firewall is a fully integrated component of the rewritten TCP/IP networking stack
o The firewall supports optionally blocking outbound connections
 Memory Corruption Defenses
Normally a function’s stack looks like Figure 26.2a.

Note the stacks EBP (extended base pointer) and EIP (extended instruction
pointer). When the function returns, it must continue execution at the next
instruction after the instruction that called this function.

The CPU does this by taking the values off stack & populating the EBP &
EIP registers.

If the attacker can overflow the buffer on the stack, they can overrun the
data used to populate the EBP & EIP registers with values & change the
application’s execution flow.

The source code for Windows XP SP2 is compiled with a special compiler switch /GS, once the code is compiled with
this option, the stack is laid out as shown in Figure 26.2b

A cookie has been inserted between stack data and function return address. This random value is checked when the
function exits, and if the cookie is corrupted, the application is halted.

Buffers on the stack are placed in higher memory than nonbuffers, such as function pointers, C++ objects, and scalar
values to make it harder for some attacks to succeed.

By switching the order around, the attacker must take advantage of a buffer underrun, which is rarer, to successfully
corrupt the function pointer. There are variants of the buffer overrun that will still corrupt a function pointer, such as
corrupting a stack frame in higher memory.
 No EXecute
• Named NX by Advanced Micro Devices (AMD), Data Execution Prevention (DEP) by Microsoft,
and eXecution Disable (XD) by Intel,
• Requires CPU support that helps prevent code from executing in data segments. Most modern Intel
CPUs support this capability today, and all current AMD CPUs support NX. ARM-based CPUs also
support NX.
• DEP support was first introduced in Windows XP SP2 and is a critically important defense in
Windows, especially when used with address space layout randomization (ASLR).
• The goal of NX is to prevent data executing. Most buffer overrun exploits enter a computer system
as data, and then those data are executed.

• The stack randomization defense is where Windows randomizes the stack base address by 0-31
pages for a thread.
• Normally, a page is 4k bytes in size. Once the page is chosen, a random offset is chosen within the
page, and the stack starts from that spot.
• The purpose of randomization is to remove some of the predictability from the attacker.
• Attackers love predictability because it makes it more likely that an attack will be successful.
 Heap-Based Buffer Overrun Detection
• Heap-based buffer overruns are exploitable and can lead to code execution
• The first heap defense, added to XP SP2, is to add a random value to each heap block and
detect that this cookie has not been tampered with
o If the cookie has changed the heap has been corrupted and the application could be forced to crash
o Note: the application crash is not due to instability in the application caused by data corruption, rather the heap manager detects
the corruption and fails the application
o The process of shutting down an application in this manner is often called “failstop”
• The second defense is heap integrity checking
o When heap blocks are freed, metadata in the heap data structures are checked for validity, and if the data are compromised, either
the heap block is leaked or the application crashes

Heap Image Service restart

randomization
Designed to take some of the
predictability away from the attacker
When a heap is created the start of
the heap is offset by 0-4 MB
This feature is new to Windows Vista
randomization
When the operating system boots, it
starts up in one of 256 configurations
(in other words, the entire operating
system is shifted up or down in
memory when it is booted)
This makes the operating system less
predictable for attackers and makes
it less likely that an exploit will
succeed
policy
Microsoft set some of the critical
services to restart only twice, after
which the service will not restart
unless the administrator manually
restarts the service
This gives the attacker only two
attempts to get the attack to work
 Encrypting File System (EFS) & Bitlocker
• EFS allows files and directories to be encrypted and decrypted transparently for authorized users. All versions of
Windows since Windows 2000 support EFS. On the surface, EFS is very simple; a user or administrator marks a
directory to use EFS, and from that point on, any file created in that directory is encrypted. It is possible to
encrypt single files, but this is problematic because it is common for applications to create temporary files while
manipulating the file in question. But if the target file is marked for encryption, the temporary files are not
encrypted, and if the temporary files contain sensitive data, the data are not protected. The way to fix this is to
encrypt the entire directory.

• At a very high level, EFS works by generating a random file encryption Key (FEK) and storing that key,
encrypted using the user’s encryption key. This key is protected using the Data Protection API (DPAPI) in
Windows, and the key used by DPAPI is derived from the user’s password.

• BitLocker Drive Encryption helps mitigate is data disclosure on stolen laptops. BitLocker encrypts the entire
volume with using AES, and the encryption key is stored either on a USB drive or within a Trusted Platform
Module (TPM) chip on the computer motherboard.

• When booting a system that requires the USB device, the device must be present so the keys can be read by the
computer, after which BitLocker decrypts the hard drive on the fly, with no perceptible performance degradation.
The downside to using a USB device is that if the device is lost, the user loses the encryption keys and cannot
decrypt. Thankfully, BitLocker can integrate with Active Directory to store the encryption keys, and BitLocker
also supports key recovery.

• Perhaps the most important aspect of BitLocker is that, like most security settings in Windows, BitLocker policy
can be set as a policy for a single computer and that policy ‘pushed’ to computers that use Active Directory.
BitLocker is the first technology in Windows to use a TPM chip