Microsoft Security Summit West, Day 1

I’m attending a Microsoft Security event in Redmond and actually finding that a lot of good, useful, unbiased information is being offered. For those who are interested, and for personal archival purposes, I’ve posted my notes here. Beware: it’s quite a lengthy tome.


Keynote by Dave “Awk” Aucsmith

  • MS believes the next hacking target after OS will be application services, e.g. SQL injection
  • Vulnerabilities: “early disclosure” vs. “responsible disclosure”
  • Most attacks occur between patch shipment and customer deployment
    • Disassembly of patches and targeting based on gleaned information
    • Easy to reverse-engineer individual patched DLLs (automated tools to do so now)
    • Changed patch release strategy to include more fixes at once and combat the above problem
  • Testing is the issue limiting speed of response
  • Days between patch availability and exploit
    • 331 (nimda) -> 180 (slammer) -> 151 (nachi) -> 25 (blaster) -> 14 (sasser)
    • 9 days until reverse-engineered
  • Internet provides criminals today with anonymity and mobility
  • Legacy compatibility creates security issues (open protocols leftover from Win95)
  • WinNT security kernel written before WWW and before TCP/IP was dominant protocol
  • 66% of all spam generated by backdoors on user PCs
    • Bots can be rented to spammers
    • Also used to scan for SSNs and CCs, DDOS and software piracy
  • Often, users consent to a bot/spyware license agreement without reading it
    • Makes removal “illegal”
  • Technology + deterrence

Windows XP SP2 Impacts

  • General approach to security
    • Old approach: patch specific services
    • New approach: isolate all services, i.e. block at “point of entry”
  • Release RC2 during June 2004, then final release later this summer
  • SP2 upgrades all editions of XP including Home, Professional, Tablet, Media Center
  • Also incorporated into Win2003 SP1, and later into Win2000
  • Vector #1: Network/Port-Based Attacks
    • ICF is on by default on all interfaces and on IPv4, IPv6
    • Stateful firewall restricts inbound traffic
    • By default, operate in “On” mode which allows users to create exceptions for apps
    • Other modes are “Don’t Allow Exceptions” and “Off”
    • Provides high level of security during boot until run-time policy is applied
    • Per machine configuration rather than per interface
    • Once SP2 is applied, file/folder sharing and similar features will automatically be opened in the firewall if needed
    • New log (separate from Event Log) for firewall activity
    • Can be deployed using netfw.inf or GPOs
    • RPC architecture improved, e.g. unauthenticated calls blocked
    • Third-party firewalls may break as ICF is enabled regardless of their presence
  • Vector #2: Email Attachments
    • New public API used by third-party software as well as MS OE, Messenger, IE
    • Static list of dangerous attachment types, including zip archives and the files within
    • Files are marked by AES API when saved by email client onto NTFS
    • Windows Explorer also reads these markings to further block/prompt
  • Vector #3: System Memory/Buffer Overruns
    • Visual C++ .NET compiler uses “/GS” switch, and binaries should be recompiled with this enabled
    • “/GS” adds random length to stack variable which makes it difficult to reliably exploit
    • Execution halts if “cookie” is overwritten
    • Also, NX (hardware no-execution) supported on 64-bit platforms; AMD supported already
    • Some DRM, JIT techniques are faulted but apps can be added to exception list
  • Vector #4: Web Browsing
    • IE Information Bar replaces dialog boxes (which can be easily faked)
    • More web control downloads are blocked by default, e.g. unsigned software
    • Option to block all controls from specific publisher
    • File extensions are renamed when they do not match MIME type
    • Pop-up blocker is on by default except for “trusted” sites
    • Script-initiated windows cannot be placed outside main IE window area or cover dialogs
  • Will prompt to enable Automatic Updates after installation of SP2
  • WUS (previously SUS) queries patch state on system
  • Bluetooth client, updated wireless support
  • To download preview versions of SP2, http://www.microsoft.com/sp2preview
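The attachment rule under Vector #2 (a static list of dangerous types, applied to zip archives and the files within them) is easy to misjudge without seeing the archive case worked through. The following is an added example written for these notes, not Microsoft's Attachment Execution Service code: the block list is a constructed subset for illustration (the real SP2 list is longer and not reproduced here), and `classify_attachment`, `scan_archive` and `build_zip` are names chosen for this example.

```python
"""Screen an e-mail attachment against a static list of dangerous extensions,
looking inside zip archives (including nested ones) as the SP2 notes describe.
Added example; not Microsoft's AES implementation."""
import io
import zipfile
from pathlib import PurePosixPath

# Constructed subset of blocked extensions; assumption for this example only.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                        ".vbs", ".js", ".lnk"}


def risky_name(name: str) -> bool:
    """True if the file's last extension is on the block list.

    Only the final suffix counts, so 'invoice.pdf.exe' is treated as an .exe.
    """
    return PurePosixPath(name).suffix.lower() in DANGEROUS_EXTENSIONS


def scan_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Return the names of risky members inside a zip held in memory.

    Nested zips are opened too, to a bounded depth so a malicious
    archive-in-archive chain cannot make the scanner recurse forever.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if risky_name(member):
                hits.append(member)
            elif member.lower().endswith(".zip") and depth < max_depth:
                inner = zf.read(member)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    hits.extend(f"{member}/{h}"
                                for h in scan_archive(inner, depth + 1, max_depth))
    return hits


def classify_attachment(name: str, data: bytes) -> tuple[str, list[str]]:
    """Return ('block' | 'allow', offending names) for one attachment."""
    if risky_name(name):
        return "block", [name]
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits = scan_archive(data)
        if hits:
            return "block", hits
    return "allow", []


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"readme.txt": b"hello",
                        "inner.zip": build_zip({"setup.scr": b"MZ"})})
    print(classify_attachment("photos.zip", sample))
```

The archive is inspected by member name rather than by extracting it to disk, which is the only safe way to screen content before it reaches NTFS and picks up the zone marking Explorer later relies on.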

IPv6

  • Includes various security features in IP stack, e.g. keys and IPSec
  • U.S. DoD announced migration to IPv6 by 2008
  • Network hardware currently available which supports IPv4 and IPv6
  • MS operating system support in Win2003, XP SP1 + Advanced Networking Support, Pocket, Embedded
  • Can use .NET development tools to migrate apps to IPv6

Patch Management Best Practices

  • Identify with MBSA 1.2
    • Run on admin system
    • Contacts client systems and checks DLL versions; produces report
  • Identify and deploy with Windows Update Services (new version of SUS)
    • Free
    • Administrative control is better than in Windows Update
    • Simple status reporting
    • Determines available bandwidth at NIC and scales patch download rate
    • Can restart failed or stopped downloads
  • Do everything with SMS 2003
    • SMS site server retrieves updates from Microsoft
    • SMS distribution points within organization
    • Uses SMC snap-in console
    • Can deploy packages using MSI, as well as target patch installs by OS, etc.
    • Complete patch management system: identify, deploy, report
    • Partnered with Dell for vendor-specific patches
    • To download the beta, http://www.microsoft.com/sms
    • Use of Vintela Management Extensions to patch Solaris, HP-UX, AIX, Mac OS X, Linux
  • MS goals for short term are 75% decrease in patch file sizes, 10% decrease in reboot frequency
  • Dynamic Systems Initiative = management built-in to apps

Domain Isolation at Microsoft Using IPSec

  • What is IPSec
    • IP-based packet filtering (permit vs. block)
    • Negotiated security between hosts (Kerberos, auth keys, encryption)
  • IPSec policies consist of rules each of which define a filter and an action
  • “Request security” allows incoming/outgoing requests in clear text but attempts encryption
  • IPSec administration privileges delegated to a group of admin users
  • To improve processing time, policies refresh every 60 minutes
  • “Me” filters vs. “Any” filters
    • “Any” filters behave the same on all Win versions
    • “Me” filters perform poorly on Win2000 because filter lists are expanded for all local IPs
  • Example of Microsoft base IPSec policy
    • Any <-> Secure Subnets, Negotiate (require Kerberos auth)
    • Any <-> Exempt Subnets, Permit (all traffic)
    • Any <-> NLB Virtual IPs, Permit (all traffic)
    • Any <-> DCs, Permit (all traffic)
    • Any <-> DNS, WINS, DHCP Servers, Permit (all traffic)
    • Me <-> Any, Permit (permit ICMP protocol)
    • Me <-> Any, Block (block port/protocol as needed)
  • Best practices
    • Permit the ICMP protocol to separate IPSec from network connectivity troubleshooting
    • Minimize securing by port/protocol for simplicity
    • Any <-> Any filters do not work on Win2000
    • Don’t use Default Response Rule for ICMP or security negotiation rules
  • For non-domain machines, use command-line utils (e.g. IPSECPOL) or VPN connections
    • Consider not supporting them
  • Issues
    • Memory consumption ~5KB per SA
    • Network overhead 1-3% increase in utilization from ESP headers
    • In MS tests, up to 1000 (500 mirrored) filters should not affect server performance
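The base policy and best practices above only make sense once you see which filter wins when several match a packet (why the DC and exempt-subnet permits override the "Secure Subnets" negotiate rule, and why a separate ICMP permit keeps ping working in the clear). The following model is an added example written for these notes, not Microsoft's IPSec engine: the ordering rule (more specific address match wins, then a protocol-specific filter beats a protocol wildcard) is an assumption made for this model, every subnet and address is constructed, and `Filter`, `weight` and `evaluate` are names chosen here.

```python
"""Model of mirrored IPSec filter evaluation for the base policy listed above.
Added example with constructed addresses; the specificity ordering is an
assumption for this model, not a statement of the Windows implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = ip_address("10.1.2.3")  # constructed: the domain member running the policy


@dataclass(frozen=True)
class Filter:
    src: str       # "Me", "Any", or a CIDR block
    dst: str
    protocol: str  # "any", "icmp", or "tcp/<port>" / "udp/<port>"
    action: str    # "permit", "block", or "negotiate"


# Constructed subnets standing in for the roles named in the base policy.
SECURE_SUBNETS = "10.1.0.0/16"
EXEMPT_SUBNETS = "10.9.0.0/24"
NLB_VIPS = "10.1.200.10/32"
DCS = "10.1.0.5/32"
INFRA_SERVERS = "10.1.0.16/28"   # DNS, WINS, DHCP

BASE_POLICY = [
    Filter("Any", SECURE_SUBNETS, "any", "negotiate"),
    Filter("Any", EXEMPT_SUBNETS, "any", "permit"),
    Filter("Any", NLB_VIPS, "any", "permit"),
    Filter("Any", DCS, "any", "permit"),
    Filter("Any", INFRA_SERVERS, "any", "permit"),
    Filter("Me", "Any", "icmp", "permit"),
    Filter("Me", "Any", "tcp/135", "block"),  # a port blocked "as needed"
]


def _addr_match(spec, addr):
    """(matched, specificity): Any = 0, subnet = prefix length, Me = host (32)."""
    if spec == "Any":
        return True, 0
    if spec == "Me":
        return addr == MY_IP, 32
    net = ip_network(spec)
    return addr in net, net.prefixlen


def _proto_match(spec, proto):
    if spec == "any":
        return True, 0
    return spec == proto, 1


def weight(f, src, dst, proto):
    """Specificity of a mirrored filter for this packet, or None if no match.

    Mirroring means the filter is tried in both directions, which is why a
    host inside the secure subnets also matches on traffic it sends out.
    """
    ok_p, w_p = _proto_match(f.protocol, proto)
    if not ok_p:
        return None
    for a, b in ((f.src, f.dst), (f.dst, f.src)):
        ok_a, w_a = _addr_match(a, src)
        ok_b, w_b = _addr_match(b, dst)
        if ok_a and ok_b:
            return (w_a + w_b, w_p)
    return None


def evaluate(policy, src, dst, proto):
    """Action for a packet; 'clear' when no filter matches at all."""
    src, dst = ip_address(src), ip_address(dst)
    best = None
    for f in policy:
        w = weight(f, src, dst, proto)
        if w is not None and (best is None or w > best[0]):
            best = (w, f)
    return best[1].action if best else "clear"


if __name__ == "__main__":
    for pkt in (("10.1.2.3", "10.1.0.5", "tcp/88"),
                ("10.1.2.3", "10.1.5.7", "tcp/445"),
                ("10.1.2.3", "10.1.5.7", "icmp"),
                ("10.1.2.3", "192.0.2.10", "tcp/80")):
        print(pkt, "->", evaluate(BASE_POLICY, *pkt))
```

Two things the model makes visible: the ICMP permit is more specific than the subnet-wide negotiate rule, so ping keeps working regardless of IPSec state, which is the troubleshooting point in the best practices; and because the "Any <-> Secure Subnets" filter is mirrored, a host inside those subnets matches it on everything it sends, including Internet-bound traffic, so anything that must leave in the clear needs its own exempt entry or a negotiate action that can fall back to clear text.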
