Security and safety features new to Windows Vista, Part 2

Windows Service Hardening

A new security feature called Windows Service Hardening prevents Windows services from performing operations on the file system, registry or network[9] that they are not supposed to, thereby reducing the overall attack surface of the system and preventing malware from gaining entry by exploiting system services. Services are now assigned a per-service security identifier (SID), which allows access to the service to be controlled according to the access specified by that identifier. A per-service SID may be assigned during service installation via the ChangeServiceConfig2 API or by using the SC.EXE command with the sidtype verb. Services can also use access control lists (ACLs) to prevent external access to resources private to themselves.

Services in Windows Vista also run under less privileged accounts such as Local Service or Network Service, instead of the System account. Previous versions of Windows ran system services in the same login session as the locally logged-in user (Session 0). In Windows Vista, Session 0 is reserved for these services, and all interactive logons take place in other sessions.[10] This is intended to help mitigate a class of exploits of the Windows message-passing system known as Shatter attacks. The process hosting a service has only the privileges specified in the RequiredPrivileges registry value under HKLM\System\CurrentControlSet\Services.

Services also need explicit write permissions to write to resources, on a per-service basis. By using a write-restricted access token, only those resources that a service has to modify are given write access, so any attempt to modify another resource fails. Services also have a pre-configured firewall policy, which gives each service only as much access as it needs to function properly. Independent software vendors can also use Windows Service Hardening to harden their own services.
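The following PowerShell script is an added example, not part of the original article: it audits the hardening state of one service (account, per-service SID type, RequiredPrivileges) and then applies the controls described above with SC.EXE, which writes the same registry values that ChangeServiceConfig2 sets from code. The service name "MyService", the privilege list and the data directory C:\ProgramData\MyService are hypothetical placeholders.

```powershell
# Added example (not from the article): audit a service's Vista hardening state, then apply a
# restricted per-service SID, a minimal privilege set and a low-privilege account.
# "MyService" and C:\ProgramData\MyService are hypothetical. Run from an elevated PowerShell.
param([string]$ServiceName = "MyService")

function Get-ServiceHardeningState {
    param([string]$Name)
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction Stop
    # ServiceSidType holds the value sc.exe sidtype writes: 0 = none, 1 = unrestricted, 3 = restricted
    $sidType = "none"
    if ($key.ServiceSidType -eq 1) { $sidType = "unrestricted" }
    if ($key.ServiceSidType -eq 3) { $sidType = "restricted" }
    New-Object PSObject -Property @{
        Service            = $Name
        Account            = $key.ObjectName             # e.g. LocalSystem, NT AUTHORITY\LocalService
        ServiceSidType     = $sidType
        RequiredPrivileges = @($key.RequiredPrivileges)  # REG_MULTI_SZ; empty = account's full default set
    }
}

# 1. Before: account, SID type and privilege set as currently configured.
Get-ServiceHardeningState -Name $ServiceName | Format-List
sc.exe qsidtype $ServiceName
sc.exe qprivs   $ServiceName

# 2. Restricted per-service SID: the process gets a write-restricted token, so it can write only
#    to objects whose ACL explicitly grants NT SERVICE\<name>.
sc.exe sidtype $ServiceName restricted

# 3. Trim the token to the privileges the service actually needs (illustrative list; derive it
#    from what the service does). sc.exe privs takes a slash-separated list and replaces the
#    whole RequiredPrivileges value.
sc.exe privs $ServiceName SeChangeNotifyPrivilege/SeImpersonatePrivilege

# 4. Run as Local Service instead of LocalSystem (note the space after obj=, which sc.exe requires).
sc.exe config $ServiceName obj= "NT AUTHORITY\LocalService"

# 5. Grant the per-service SID modify rights on its own data directory only; everything else
#    stays unwritable for the restricted token.
icacls "C:\ProgramData\MyService" /grant "NT SERVICE\${ServiceName}:(OI)(CI)M"

# 6. The token is built at start-up, so restart and confirm the settings took effect.
Restart-Service -Name $ServiceName
Get-ServiceHardeningState -Name $ServiceName | Format-List
sc.exe qsidtype $ServiceName
```

Run the audit half (steps 1 and 6) on its own against existing services to find those still running as LocalSystem with an unrestricted SID and a full privilege set; those are the ones where a compromise yields the most.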

Authentication and logon

Graphical Identification and Authentication (GINA), used for secure authentication and interactive logon, has been replaced by Credential Providers. Combined with supporting hardware, Credential Providers can extend the operating system to enable users to log on through biometric devices (fingerprint, retinal, or voice recognition), passwords, PINs and smart card certificates, or any custom authentication package and schema third-party developers wish to create. Smart card authentication is flexible, as certificate requirements are relaxed. Enterprises may develop, deploy, and optionally enforce custom authentication mechanisms for all domain users. Credential Providers may be designed to support Single Sign-On (SSO), authenticating users to a secure network access point (leveraging RADIUS and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or providing administrator consent for User Account Control. Authentication is also supported using IPv6 or Web services. A new Security Support Provider, CredSSP, is available through SSPI that enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). CredSSP is also used by Terminal Services to provide single sign-on.

Windows Vista can authenticate user accounts using smart cards or a combination of passwords and smart cards (two-factor authentication). Windows Vista can also use smart cards to store EFS keys, which ensures that encrypted files are accessible only as long as the smart card is physically available. If smart cards are used for logon, EFS operates in a single sign-on mode, where it uses the logon smart card for file encryption without further prompting for the PIN.

Fast User Switching, which was limited to workgroup computers on Windows XP, can also be enabled for computers joined to a domain starting with Windows Vista. Windows Vista also includes authentication support for the Read-Only Domain Controllers introduced in Windows Server 2008.

Cryptography

Windows Vista features an update to the Crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user-mode and kernel-mode API that includes support for Elliptic Curve Cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging custom cryptographic providers into the CNG runtime. It also integrates with the smart card subsystem by including a Base CSP module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex CSPs. The Microsoft Certificate Authority can issue ECC certificates, and the certificate client can enroll and validate ECC and SHA-2 based certificates.

Revocation improvements include native support for the Online Certificate Status Protocol (OCSP), providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API, replaces the XEnroll library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in Stored User Names and Passwords within the network.
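As an added example that is not from the article, the PowerShell script below exercises CNG's ECC and SHA-2 support from the two paragraphs above through the .NET 3.5 wrappers (ECDsaCng and CngKey), which call into the CNG runtime: it generates an ephemeral P-256 key, signs constructed sample data with ECDSA over SHA-256, exports only the public half in CNG's ECC public blob format, and verifies both the original and a tampered message. Nothing here touches files, certificates or the network.

```powershell
# Added example (not from the article): exercise CNG's ECC and SHA-2 support through the .NET 3.5
# wrappers (ECDsaCng, CngKey). Needs .NET 3.5 or later; the message is constructed sample data.
Add-Type -AssemblyName System.Core    # ECDsaCng and CngKey live in System.Core.dll

function New-EcdsaSignedMessage {
    param([string]$Message)
    $data = [System.Text.Encoding]::UTF8.GetBytes($Message)
    # A 256-bit key selects NIST P-256, one of the Suite B curves; CNG backs an ephemeral key
    # like this one with the Microsoft Software Key Storage Provider.
    $signer = New-Object System.Security.Cryptography.ECDsaCng 256
    $signer.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $signature = $signer.SignData($data)
    # Hand out only the public half, in CNG's ECC public blob format, for verification.
    $publicBlob = $signer.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $signer.Clear()   # disposes the private key
    New-Object PSObject -Property @{ Data = $data; Signature = $signature; PublicKeyBlob = $publicBlob }
}

function Test-EcdsaSignedMessage {
    param([byte[]]$Data, [byte[]]$Signature, [byte[]]$PublicKeyBlob)
    # Rebuild a CNG key object from the public blob; the blob carries the curve, so the
    # resulting key is an ECDSA P-256 public key with no private component.
    $key = [System.Security.Cryptography.CngKey]::Import($PublicKeyBlob,
               [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $verifier = New-Object System.Security.Cryptography.ECDsaCng $key
    $verifier.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $ok = $verifier.VerifyData($Data, $Signature)
    $verifier.Clear()
    $ok
}

$signed = New-EcdsaSignedMessage -Message "constructed sample message"
"Untampered message verifies: " + (Test-EcdsaSignedMessage $signed.Data $signed.Signature $signed.PublicKeyBlob)

# Flip one bit of the message; the same signature must now be rejected.
$tampered = [byte[]]$signed.Data.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Tampered message verifies:   " + (Test-EcdsaSignedMessage $tampered $signed.Signature $signed.PublicKeyBlob)
```

The first line of output should read True and the second False. For the revocation side of the same paragraph, the built-in certutil tool performs the OCSP and CRL lookups that CAPI2 Diagnostics logs: `certutil -verify -urlfetch <certificate file>` walks the chain and reports each revocation check.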

Network Access Protection

Windows Vista introduces Network Access Protection (NAP), which ensures that computers connecting to or communicating over a network conform to a required level of system health set by the network administrator. Depending on the policy the administrator sets, computers that do not meet the requirements are either warned but granted access, allowed limited access to network resources, or denied access completely. NAP can also optionally provide software updates to a non-compliant computer so that it can upgrade itself to the level required to access the network, using a Remediation Server. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network.

A Network Policy Server running Windows Server 2008 acts as the health policy server, and clients need to run Windows Vista or newer. A VPN server, RADIUS server or DHCP server can also act as the health policy server.

Other TCP/IP stack security features

* The interfaces for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information have been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is integrated into the stack, making it easier for developers to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic.

* To provide better security when transferring data over a network, Windows Vista enhances the cryptographic algorithms used to protect data. Support for 256-bit and 384-bit Diffie-Hellman (DH) algorithms, as well as for 128-bit, 192-bit and 256-bit Advanced Encryption Standard (AES), is included in the network stack itself and in the Kerberos protocol and GSS messages. Direct support for SSL and TLS connections in the new Winsock API allows socket applications to directly control the security of their traffic over a network (such as providing security policy and requirements for traffic, or querying security settings) rather than having to add extra code to support a secure connection. Computers running Windows Vista can be part of logically isolated networks within an Active Directory domain. Only computers in the same logical network partition are able to access the resources in the domain. Even though other systems may be physically on the same network, unless they are in the same logical partition they won't be able to access partitioned resources. A system may be part of multiple network partitions. The Schannel SSP includes new cipher suites that support elliptic curve cryptography, so ECC cipher suites can be negotiated as part of the standard TLS handshake. The Schannel interface is pluggable, so advanced combinations of cipher suites can be substituted to provide a higher level of functionality.

* IPsec is now fully integrated with Windows Firewall and offers simplified configuration and improved authentication. IPsec supports IPv6, including support for Internet Key Exchange (IKE), AuthIP and data encryption, client-to-DC protection, integration with Network Access Protection, and Network Diagnostics Framework support. To increase the security and deployability of IPsec VPNs, Windows Vista includes AuthIP, which extends the IKE cryptographic protocol to add features such as authentication with multiple credentials, alternate method negotiation and asymmetric authentication.[11]

* Security for wireless networks is improved with support for newer wireless standards such as 802.11i (WPA2). EAP Transport Layer Security (EAP-TLS) is the default authentication mode. Connections are made at the most secure level supported by the wireless access point. WPA2 can be used even in ad-hoc mode. Windows Vista enhances security when joining a domain over a wireless network: it can use Single Sign-On to use the same credentials to join a wireless network as well as the domain housed within that network.[12] In this case, the same RADIUS server is used both for PEAP authentication to join the network and for MS-CHAP v2 authentication to log on to the domain. A bootstrap wireless profile can also be created on the wireless client, which first authenticates the computer to the wireless network and joins it. At this stage, the machine still does not have any access to domain resources. The machine then runs a script, stored either on the system or on a USB thumb drive, which authenticates it to the domain. Authentication can be done either with a username and password combination or with security certificates from a Public Key Infrastructure (PKI) vendor such as VeriSign.

* Windows Vista also includes an Extensible Authentication Protocol Host (EAPHost) framework that provides extensibility for authentication methods for commonly used protected network access technologies such as 802.1X and PPP.[13] It allows networking vendors to develop and easily install new authentication methods known as EAP methods.

* Windows Vista Service Pack 1 includes Secure Socket Tunneling Protocol, a new Microsoft proprietary VPN protocol which provides a mechanism to transport Point-to-Point Protocol (PPP) traffic (including IPv6 traffic) through an SSL channel.
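The logically isolated network and the IPsec/firewall integration described in the list above rest on connection security rules on each host. The commands below are an added example, not from the article, showing that configuration in the netsh advfirewall consec context that Vista introduced: a rule that requires Kerberos-authenticated IPsec for inbound connections, an exemption for infrastructure the host must reach before it can authenticate, and the review and cleanup commands. The rule names are illustrative; in a real deployment these rules are delivered by Group Policy rather than typed on each machine.

```powershell
# Added example (not from the article): host-side domain isolation with the IPsec rules that
# Vista folds into the firewall. Rule names are illustrative. Run from an elevated PowerShell on a
# domain-joined host; a non-domain host has no Kerberos credential and would lock itself out of
# inbound connections.

# Require IPsec authentication (computer Kerberos credentials, the default AuthIP/IKE method for
# domain members) for inbound connections and request it for outbound ones. A machine on the same
# wire but outside the domain cannot complete the authentication, so it cannot initiate
# connections to this host even though it can reach it at the IP layer.
netsh advfirewall consec add rule name=IsolationSample endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# Exempt infrastructure the host depends on before it holds a Kerberos ticket. DHCP is shown here;
# the dns and defaultgateway keywords cover the other usual candidates.
netsh advfirewall consec add rule name=IsolationSampleDhcpExempt endpoint1=any endpoint2=dhcp action=noauthentication

# Review every connection security rule currently in force on this host.
netsh advfirewall consec show rule name=all

# Cleanup once the test is finished (commented out so the script is safe to re-run).
# netsh advfirewall consec delete rule name=IsolationSample
# netsh advfirewall consec delete rule name=IsolationSampleDhcpExempt
```

The requireinrequestout action is the usual starting point because it never blocks the host's own outbound traffic to unmanaged systems; requireinrequireout is the stricter partition in which the host also refuses to talk to anything that cannot authenticate.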

x86-64-specific features

* 64-bit versions of Windows Vista enforce hardware-based Data Execution Prevention (DEP), with no fallback to software emulation. This ensures that the less effective software-enforced DEP (which provides only safe exception handling and is unrelated to the NX bit) is not used. DEP is enforced by default for all 64-bit applications and services on x86-64 versions, and for those 32-bit applications that opt in. In contrast, on 32-bit versions software-enforced DEP is an available option and is, by default, enabled only for essential system components.
* An upgraded Kernel Patch Protection, also referred to as PatchGuard, prevents third-party software, including kernel-mode drivers, from modifying the kernel, or any data structure used by the kernel, in any way; if a modification is detected, the system is shut down. This mitigates a common tactic used by rootkits to hide themselves from user-mode applications.[14] PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 Edition.
* Kernel-mode drivers on 64-bit versions of Windows Vista must be digitally signed; even administrators are not able to install unsigned kernel-mode drivers.[15] A boot-time option is available to disable this check for a single session of Windows. 64-bit user-mode drivers are not required to be digitally signed.
* Code Integrity checksums signed code. Before a system binary is loaded, it is verified against its checksum to ensure it has not been modified. The binaries are verified by looking up their signatures in the system catalogs. The Windows Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. Aside from the kernel memory space, Code Integrity verifies binaries loaded into a protected process and system-installed dynamic libraries that implement core cryptographic functions.
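The following PowerShell script is an added example, not from the article: a read-only report covering three of the items above on a Windows Vista or later host. It reads the DEP policy from WMI, scans the boot configuration for the boot-time overrides that weaken driver signature enforcement, and checks the embedded Authenticode signatures of the boot binaries that Code Integrity verifies. The file list is an assumption about which binaries matter most; the Yes/No strings bcdedit prints depend on the system locale.

```powershell
# Added example (not from the article): read-only report of the DEP policy, the boot-time
# signature-enforcement overrides and the embedded signatures of the boot binaries on a Windows
# Vista or later host. Run from an elevated PowerShell so bcdedit can read the boot store.

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (32-bit default:
    # system components only), 3 = OptOut. On x64 the expected value is 1 or 3, never 0.
    $names = @{ 0 = "AlwaysOff"; 1 = "AlwaysOn"; 2 = "OptIn"; 3 = "OptOut" }
    New-Object PSObject -Property @{
        Architecture         = $os.OSArchitecture
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-BootIntegritySettings {
    # bcdedit lists "testsigning Yes" or "nointegritychecks Yes" only when the override is set.
    # Either one weakens the signed-driver requirement and deserves an alert on a production host.
    # (The Yes/No strings follow the system locale; adjust the pattern on non-English systems.)
    $bcd = bcdedit /enum "{current}" | Out-String
    $nx = "(not listed)"
    if ($bcd -match "(?m)^nx\s+(\S+)") { $nx = $Matches[1] }
    New-Object PSObject -Property @{
        TestSigning       = [bool]($bcd -match "(?m)^testsigning\s+Yes")
        NoIntegrityChecks = [bool]($bcd -match "(?m)^nointegritychecks\s+Yes")
        NxSetting         = $nx
    }
}

function Get-BootFileSignatures {
    # Code Integrity verifies these at boot. Get-AuthenticodeSignature checks only embedded
    # Authenticode signatures: a file signed solely through a system catalog shows "NotSigned"
    # here even though Code Integrity accepts it, so treat NotSigned as "check the catalog", not
    # as proof of tampering. The file list is an assumption (boot loader, kernel, HAL, CI module).
    $files = "winload.exe", "ntoskrnl.exe", "hal.dll", "ci.dll"
    foreach ($f in $files) {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (-not (Test-Path $path)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{ File = $f; Status = $sig.Status; Signer = $signer }
    }
}

Get-DepPolicy             | Format-List
Get-BootIntegritySettings | Format-List
Get-BootFileSignatures    | Format-Table -AutoSize
```

On a 64-bit host the expected picture is Policy AlwaysOn or OptOut, both overrides False, and the boot files reporting Valid with a Microsoft signer; anything else is worth investigating, starting with how the boot store came to be changed.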

Other features and changes

A number of specific security and reliability changes have been made:

* Software Restriction Policies, introduced in Windows XP, have been improved in Windows Vista.[16] A new Basic User security level has been added. The default hash rule algorithm has been upgraded from MD5 to the stronger SHA-256. Certificate rules can now be enabled through the Enforcement Property dialog box from within the Software Restriction Policies snap-in extension.
* Additional EFS settings allow configuring when encryption policies are updated, whether files moved to encrypted folders are encrypted, whether Offline Files cache files are encrypted, and whether encrypted items can be indexed by Windows Search.
* The Stored User Names and Passwords (Credential Manager) feature includes a new wizard to back up user names and passwords to a file and restore them on systems running Windows Vista or later.
* A new Group Policy setting enables display of the date and time of the last successful interactive logon, and the number of failed logon attempts since the last successful logon with the same user name. This lets a user determine whether the account was used without their knowledge. The policy can be enabled for local users as well as computers joined to a functional-level domain.
* Windows Resource Protection prevents potentially damaging system configuration changes[17] by preventing changes to system files and settings by any process other than Windows Installer. Changes to the registry by unauthorized software are also blocked.
* Protected-Mode Internet Explorer: Internet Explorer 7 and later introduce several security changes such as the phishing filter, ActiveX opt-in, URL handling protection, and protection against cross-domain scripting attacks and status-bar spoofing. They run as a low-integrity process on Windows Vista, can write only to the Temporary Internet Files folder, and cannot gain write access to files and registry keys in a user's profile, protecting the user from malicious content and security vulnerabilities, even in ActiveX controls. Internet Explorer 7 and later also use the more secure Data Protection API (DPAPI) to store credentials such as passwords, instead of the less secure Protected Storage (PStore).
* Network Location Awareness is integrated with the Windows Firewall. All newly connected networks default to "Public Location", which locks down listening ports and services. If a network is marked as trusted, Windows remembers that setting for future connections to that network.
* The User-Mode Driver Framework prevents drivers from directly accessing the kernel; they access it through a dedicated API instead. This is important because a majority of system crashes can be traced to improperly installed third-party device drivers.[18]
* Windows Security Center has been upgraded to detect and report the presence of anti-malware software, as well as to monitor and restore several Internet Explorer security settings and User Account Control. For anti-virus software that integrates with the Security Center, it presents the solution to fix any problems in its own user interface. Some Windows API calls have also been added to let applications retrieve the aggregate health status from the Windows Security Center and receive notifications when the health status changes.
* Protected Storage (PStore) has been deprecated and therefore made read-only in Windows Vista. Microsoft recommends using DPAPI to add new PStore data items or manage existing ones.[19] Internet Explorer 7 and later also use DPAPI instead of PStore to store their credentials.
* The built-in administrator account is disabled by default on a clean installation of Windows Vista. It also cannot be accessed from safe mode, as long as there is at least one additional local administrator account.
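As an added example that is not from the article, the PowerShell script below checks four of the items in the list above on a Windows Vista or later host: the firewall state per network-location profile, whether the last-logon display policy is set, whether the built-in Administrator account is disabled, and the SHA-256 file hash that a Software Restriction Policy hash rule keys on. The registry value DisplayLastLogonInfo is the backing store of the Group Policy setting; notepad.exe is used only as a sample file, and the netsh output parsing assumes English headings.

```powershell
# Added example (not from the article): read-only checks for four of the items listed above on a
# Windows Vista or later host. Run from an elevated PowerShell.

function Get-FirewallProfileState {
    # Network Location Awareness assigns each network a profile; "Public" is the locked-down default.
    # Parse the "State ON/OFF" line under each profile heading of netsh advfirewall's output
    # (headings and state words follow the system locale; adjust on non-English systems).
    $text    = netsh advfirewall show allprofiles state | Out-String
    $result  = @{}
    $profile = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match "^(Domain|Private|Public) Profile Settings") { $profile = $Matches[1] }
        elseif ($profile -and $line -match "^State\s+(\w+)")        { $result[$profile] = $Matches[1] }
    }
    $result
}

function Get-LastLogonDisplayPolicy {
    # "Display information about previous logons during user logon" is stored as
    # DisplayLastLogonInfo (REG_DWORD, 1 = enabled) under the Policies\System key.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisplayLastLogonInfo
    if ($v -eq 1) { "Enabled" } else { "Not configured" }
}

function Get-BuiltinAdministratorState {
    # The built-in Administrator keeps RID 500 even if renamed, so match on the SID, not the name.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
             Where-Object { $_.SID -like "*-500" }
    New-Object PSObject -Property @{ Name = $admin.Name; Disabled = $admin.Disabled }
}

function Get-SrpFileHash {
    # Vista's SRP hash rules use SHA-256 of the file contents instead of MD5; this computes the
    # same digest so a rule's hash can be compared against the binary it is meant to match.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $stream.Close() }
}

Get-FirewallProfileState
Get-LastLogonDisplayPolicy
Get-BuiltinAdministratorState | Format-List
Get-SrpFileHash -Path (Join-Path $env:SystemRoot "System32\notepad.exe")   # sample file only
```

A clean Vista installation should show all three firewall profiles ON and the built-in Administrator disabled; the last-logon display is off unless policy enables it, which is worth doing on shared machines since it is the only built-in signal a user gets that someone else has used the account.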

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Copyright 2002-2012 AnVir Software