Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA


MVP Summit: Friday notes

OK, after a good night's rest it's time to get cracking again. We've got a full day of technical sessions: Rights Management System, MS Antispyware, IPSec, and other things.

First is the Windows Rights Management Services, and this is not quite what you think it is. Though everybody thinks about the RIAA or Disney telling what you can do with music you bought, that's not really what this is. Here we're talking about an enterprise preventing information leakage.

Example: you're an investment banking firm doing a big super-secret merger, and you really want to ensure that this information doesn't leak.

Example: You're the CEO of a company and send some highly sensitive information to other executives, and you include strict "DO NOT FORWARD" instructions. You have no real way to enforce that (and in practice it's often not honored).

RMS allows for definition of templates for varying policies, and it includes encryption and protects during delivery. Information can be tracked over its lifecycle, and it can even require smartcard authentication.

The server runs on Server 2003, uses SQL Server, and integrates into Active Directory for user/group permissions and membership.

To make this work, an author does a one-time request for a "client licensor certificate", which is used for future rights-management requests.

An author uses (say) PowerPoint and defines a set of usage rights for the file: who can do stuff ("All Security MVPs"), what they can do ("print but not forward"), and timelines on each.

PowerPoint takes this whole bundle of information, encrypts the data stream and creates a "Publish License" on the client. PowerPoint still owns the content, and saves everything into the .PPT file. The author distributes the file via email or fileserver or whatever.

Recipient tries to open the file, and the RMS-enabled application (PowerPoint) recognizes that it's a rights-protected file, and it sends the user credential and the Publish License up to the RMS server. The user is validated and a "Use License" is returned to the application. The app then renders (decrypts) the file and enforces rights ("view but not print", etc.).

It's up to the application to actually enforce this: if the user has no edit capability, it might disable the paste function - the app is in charge here.

The RMS client actually validates the application to make sure that I don't write my own application that pretends to be Powerpoint, get the Use License, and save the cleartext to the file. Apparently they go to some pretty good lengths to protect this from even determined attackers, though of course if you control everything on the machine, you can beat it eventually. Somehow I fixated on this part

We got a demo of do-not-forward as enforced by Outlook: you can set it so that a message can be read, but not printed or saved or forwarded or copy-to-clipboard. If some other mail client gets the message, it simply can't open the document at all (it's encrypted).

The RMS server uses SOAP, which is RPC/XML over HTTP, so this can work over the internet. If you want to send a CAD drawing to a manufacturer, you can define them in your Active Directory so *they* can work and play with the protected document and not forward it to a competitor.

This is not 100%, absolutely bulletproof: they disable printscreen, but they can't catch all third-party applications that do the same thing (SnagIT, SmartCapture, etc.)

You can't prevent somebody from taking a photograph of a monitor, from calling your buddy on the phone with the news ("Hey! Big supersecret merger next week"), or from printing to a non-printing printer (print to file). But it looks like they've done a pretty good job of really protecting content that an owner insists should be protected.

This is apparently quite popular with financial-services companies, or those in countries with very strict personal-information privacy laws. The post-Enron Sarbanes-Oxley laws drive this too.

Longhorn/Vista will have the RMS client built in, though of course it doesn't get in the way until it sees a rights-managed document. I think it's an add-on for XP now, and there are some add-ons for IE that allow read-only access (kinda like a standalone viewer).

The server itself is free with Windows Server, but you pay for client access licenses.

Info is available at »www.microsoft.com/RMS

This was a really excellent presentation by a guy who totally knew his stuff.

Some notes:

• Microsoft sells the software, but they are entirely out of the loop on any particular document. The enterprise sets up everything and manages all access: it's not like your desktop phones home to Microsoft every time you open a document.

• The author of content calls the shots on who gets to do what - it's perfectly possible to create "just a Word file" that has nothing to do with rights management (in fact, "no rights crap" is the default). If the boss is allowed to tell you "don't circulate a document", he's allowed to enforce it with software.

• None of this applies in any way if there is no rights management server in the enterprise, and it certainly doesn't apply to home users.


--

Previous notes:

Wednesday »Off to Microsoft MVP Summit

Thursday »MVP Summit Notes - Thursday
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Agenda for today:

- Rights Management Services (previous post)
- Security Features in IE7 (next)
- Windows AntiSpyware
- IPSec
- MVP Party

I think there's a gathering at the Hyatt in Bellevue for BBR folks - I'll go if I can stay awake.

Steve


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Security Features in IE7

Presenter: Program Manager of the Trustworthy Browsing team. He spoke *really* fast and this was a challenge to keep up.

Priority 0: "Ship the world's most trustworthy browser"
Priority 2: everything else

The threat environment ranges from an internal intranet where you want to enable a lot of stuff to support the enterprise, to visiting the seedier side of the internet where you want IE to have access to nearly nothing. This is a very wide panorama of threat models.

A goal is "Secure by default" - they did this with Server 2003, and believe it was absolutely the right thing to do. When features are disabled, they can't be exploited.

Another goal is "Defense in depth" - this sure seems like the only sane way to do this: if something fails or is exploited, something else can backstop it.

Third goal: Defend against current and future threats. It's straightforward enough to fix/patch things that were broken, but they want to build an infrastructure that resists future, unknown attacks.

Protected Mode - "User Account Protection" (run with least privilege) has been the case with Unix for years, but it only protects the *machine*, not *your account*. Malware can easily trash your login settings.

IE7 extends this even more: the main goal of the browser is to render content, and if we can (say) remove access to the filesystem other than temporary internet file

Writes to the user's profile will be automatically redirected to a subdirectory of Temporary Internet Files: this virtualizes the settings, and it applies to things like a Quicktime plugin. No way to delete My Documents from a bogus plugin.

They do allow exceptions (say, saving a Word Template to your templates directory), but it prompts the user. This is handled by brokers that do the elevated-priv stuff, and it guards access carefully.

There is a whole Integrity Control layer that sits between IE and the system, and it looks really well thought out - it's very comprehensive.

The Protected Mode requires Vista.

Consolidated URL (CURL) class -- they found that an awful lot of their security issues were due to parsing of URLs. These are complicated because they include so much information, and there are all kinds of games you can play.

Remember the old days when you saw www.good.com@bad.com? It was treated as going to bad.com because the part before the @ is a password. Then there are games with % encoding and the like.

The idea is that when they get a URL, they have one place where it's parsed into the various parts, and you avoid the whole area of passing strings around where they have to be re-parsed. If the security manager says that your URL is in the internet zone, but the download manager thinks that it's a different zone, you get security surprises.

This strikes me as a huge architectural win with no downside. It makes the code much more reliable because you don't have every plugin doing its own URL parsing (which it can't ever get right all the time), and it also makes the code smaller.

Big win in every conceivable way.

ActiveX Opt-In

I'm not very strong with the whole plugin control thing, but there are constantly surprises here. They make a distinction between controls that should run in a browser, and others that should not.

They now prompt for permission for ActiveX controls, and they had a lot more clever+sophisticated stuff than I can report here.

They have added a mode where IE starts with none of the extensions: no ActiveX, no BHO, etc. This lets you recover from a dorked configuration with some prayer of success. It will include the Windows Update control, though: otherwise you're in a chicken-and-egg situation.

They've done a lot to protect against cross-domain scripting and more secure zones. The Intranet zone is now off by default. I'm very weak with the whole zone thing, so I can't really describe this in better detail.

The above was about protecting the platform, which is actually the easier problem - it's strictly about technology.

Pointing the gun away from the foot

Now we're talking about protecting the users from doing something stupid, which is clearly harder. Ultimately, users have to make trust decisions because Microsoft can't call the shots.

They have a new anti-Phishing service which looks really promising. Yes, you have to send data to a server as you browse, but I'm not sure there are technical solutions that don't involve this.

They have heuristics, such as "post to an IP address" which suggests something is dodgy: there's confirmation for this and other issues. They don't tell about all the heuristics because they don't want the bad guys to know how to tailor their phishing sites.

Communication with the server is done over SSL (those in the middle can't figure out where you are going), and they pass the hostname and path only - not the query parameters. They have a whitelist of known-good sites (amazon, ebay, etc.) so we don't have to query an MS server for those popular sites. The client-side whitelist is heavily protected.

They're shuffling around the SSL lock location, and giving less geeky certificate information. Certificate errors will be shown in a much more end-user-friendly way. Generally speaking, they've removed most of the modal dialogs from the SSL experience and do the secure thing by default. I hate those damn SSL modal dialogs.

Clear My Tracks

This is the "FBI is at the door, clear my browser history" feature, and this time they claim it really really does it right. Clears history, temp files, cookies, etc. They claim you cannot find fragments after the fact.

International Domain Name support

When a domain name contains funky foreign characters that look just like Roman letters, people can get spoofed into going to the wrong site. They have a lot of support to mitigate this, though this is always going to be a hard problem.

Misc stuff

Just some tidbits:

• Prompt on scripted reads of the clipboard
• New search box permits non-binary extensibility
• Warnings for insecure Inet control panel settings
• Block status bar updates from script (avoids spoofing of hover-over-link)
• Dialogs show address bar


--

This was a very fast-paced presentation, but it sure looked like these guys have a handle on what's required to secure the browser. Being a developer, the consolidated URL class looks the most promising to me: avoiding the nightmare situation of everybody parsing a URL a different way is fantastic.

There was a question about why there's no way to turn off sending of referrers: they simply don't have this now. Referrers are sent by the browser to a website saying where the page was clicked from. This is great for the website to find out where traffic came from, but it's sometimes considered a privacy leak. Some sites won't work without them, and other products have them: I guess we'll have to use add-ons to manage this.

There was some complaining about how much work is required to change proxy settings - it's nothing like one-click as it is on other browsers. "We'll get to that sometime".

I think it's lunchtime!

Steve
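The "consolidated URL" point in the post above, as an added illustration that is not IE7 code: one strict parse at the boundary, with every consumer (zone decision, anti-phishing lookup key, local whitelist) reading the same parsed record. The host names, the `.corp.example` intranet suffix and the whitelist are constructed for the example; the `naive_host` function stands in for the kind of ad-hoc parser the post says plugins used to carry.

```python
"""Model of a consolidated URL parser and the checks that consume it.
Added illustration, not IE7 code: hosts, suffixes and the whitelist below
are constructed for the example."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed example data: an intranet DNS suffix and a small client-side
# whitelist of popular hosts that never need a server lookup.
INTRANET_SUFFIXES = (".corp.example",)
KNOWN_GOOD_HOSTS = frozenset({"www.amazon.com", "www.ebay.com"})


@dataclass(frozen=True)
class ParsedUrl:
    """The one structured record every component receives instead of a string."""
    scheme: str
    host: str
    path: str
    query: str


def parse_once(raw: str) -> ParsedUrl:
    """Parse the raw string exactly once, at the boundary, with strict rules:
    userinfo before '@' is NOT the host, and percent-escapes stay encoded so
    an encoded '@' cannot smuggle in a second authority."""
    parts = urlsplit(raw)
    return ParsedUrl(
        scheme=parts.scheme.lower(),
        host=parts.hostname or "",
        path=parts.path or "/",
        query=parts.query,
    )


def naive_host(raw: str) -> str:
    """The kind of ad-hoc parser a plugin might carry: percent-decode first,
    then take everything up to the first '@'.  Kept only to show the
    disagreement that a consolidated parser eliminates."""
    decoded = unquote(raw)
    authority = decoded.split("://", 1)[-1].split("/", 1)[0]
    return authority.split("@", 1)[0].lower()


def zone_for(url: ParsedUrl) -> str:
    """Security-zone decision made on the parsed record, never on the string."""
    host = url.host
    if host.endswith(INTRANET_SUFFIXES) or (host and "." not in host):
        return "intranet"
    return "internet"


def phishing_lookup_key(url: ParsedUrl) -> str:
    """What would go to the reputation service: host and path only; the query
    string (which may carry session tokens) is dropped."""
    return f"{url.host}{url.path}"


def needs_server_check(url: ParsedUrl) -> bool:
    """Skip the network round trip for hosts on the protected local whitelist."""
    return url.host not in KNOWN_GOOD_HOSTS


def components_agree(raw: str) -> bool:
    """True when the legacy parser and the consolidated parser name the same
    host; False marks exactly the 'security surprise' case."""
    return naive_host(raw) == parse_once(raw).host


if __name__ == "__main__":
    for raw in ("http://www.good.com@bad.com/login",
                "http://www.good.com%40bad.com/login",
                "http://wiki.corp.example/page"):
        p = parse_once(raw)
        print(raw, "->", p.host, zone_for(p), "agree:", components_agree(raw))
```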


justin
Australian
join:1999-05-28
Brooklyn, NY
reply to Steve
Re: MVP Summit: Friday notes

Does the rights management stuff encrypt the XLS, PPT, DOC files etc., or introduce a secret file format, so they can no longer be read (and possibly have the rights subverted) by OpenOffice or other non-Microsoft programs?

Tuulilapsi
Kenosis

join:2002-07-29
Finland

reply to Steve
Re: Security Features in IE7

said by Steve:

Protected Mode - "User Account Protection" (run with least privilege) has been the case with Unix for years, but it only protects the *machine*, not *your account*. Malware can easily trash your login settings.

IE7 extends this even more: the main goal of the browser is to render content, and if we can (say) remove access to the filesystem other than temporary internet file

Writes to the user's profile will be automatically redirected to a subdirectory of Temporary Internet Files: this virtualizes the settings, and it applies to things like a Quicktime plugin. No way to delete My Documents from a bogus plugin.

They do allow exceptions (say, saving a Word Template to your templates directory), but it prompts the user. This is handled by brokers that do the elevated-priv stuff, and it guards access carefully.

There is a whole Integrity Control layer that sits between IE and the system, and it looks really well thought out - it's very comprehensive.
Now this sounds interesting, and promising.

Thank you for posting this. Very, very interesting stuff.
--
And lead me not into temptation - for I can find my way there myself easily enough.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to justin
Re: MVP Summit: Friday notes

said by justin:

Does the rights management stuff encrypt the XLS, PPT, DOC files etc.
Rights Management itself doesn't know anything about file formats, it only knows about content streams - it's up to the application to deal with the file formats and save the crypted content how it likes.

My understanding is that it's put back in the XLS,PPT,DOC format, but since it's crypted nobody else will be able to do anything with it whether it's OpenOffice or Notepad.

One of the questions I asked was what stops me from writing my own app that "looks like" Word but doesn't enforce any of the restrictions (allowing me to save in cleartext, etc.). The answer is "a contract".

In order to get a certificate required to sign a manifest identifying an application, one has to promise not to do things like this.

It never occurred to me to ask about open-source type integrations (which would have been a killer good question), but since they use SOAP, it seems like it's probably possible to figure out how to make this kind of request via sniffing and/or reverse engineering.

Off the top of my head - and I have to be clear that I don't know anything about this beyond what I learned this morning - the certificate would be a sticking point. There's just no way any app could get an "I'm MS Word" cert because it would be a trivial tool for subversion of rights. But I dunno.

I've posted a question to our presenter and will report what I hear.

Steve

dave
Premium,MVM
join:2000-05-04
not in ohio
reply to Steve
RMS = Rights Management System.

An amusing choice of a three-letter abbreviation.

Let's hope it makes it into the product.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by dave:

An amusing choice of a three-letter abbreviation.
Well, I'm sure he thinks he's always right, so maybe it's a good fit after all.

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to Tuulilapsi
Re: Security Features in IE7

said by Tuulilapsi:

Now this sounds interesting, and promising.

Thank you for posting this. Very, very interesting stuff.
It is...in case anyone is interested in more overview words, here are several online:
»msdn.microsoft.com/library/en-us···ista.asp
--
Feedback? e-mail: stuff@lupwa.org


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Microsoft Antispyware

Well all of us have been waiting for this. Microsoft AntiSpyware was released in beta last December right after the acquisition, and it's been in beta since then. Apparently it's been one of the most popular downloads they've ever had.

There has been a large clamor for an enterprise version which would allow IT system admins to manage MSAS on the desktops throughout an enterprise. Right now I manage ~25 desktops at a customer, and it's an entirely manual process. They've said they're going to do a for-pay enterprise version, but every time we ask "when?", they start squirming like they have ants in their pants. It's really been frustrating: how hard could it be?

Well I guess it's hard: making something "from Microsoft" is a pretty high bar compared to something written by a small shop: think about the kinds of things you need. It has to run on language variants, everything has to be translated into 2^10 different languages, product support has to be trained, and they have to think about whatever enterprise features they have in mind. I'm sure that Microsoft-izing the EULA was its own effort.

Our speaker was the product manager for MS AntiSpyware, and we started with a good backgrounder. Antispyware is part of threat and vulnerability mitigation: antivirus, antispyware, firewalls, automatic updates, etc.

And the term "malware" is really poorly defined: maybe you think that iWon.com or Weatherbug is spyware, but maybe I'm totally happy to trade off whatever "bad behavior" they exhibit in return for what they offer. Only in the most extreme cases - CoolWebSearch - is there essentially universal agreement on what's bad.

Virus and spyware are getting linked: when viruses install badware, it's not so clear that antivirus or antispyware really ought to do just one job. Some AV cleans spyware, but most AS don't clean viruses.

All of this means you really have to spend a lot of time defining all the terms and behaviors - this is a lot of variables, and it's just not possible to categorize everything into (say) just four categories with the words "wanted software", "malware", "adware" and "spyware". It's naive to say that everything can fit one of those categories.

We saw a long list of definitions of different kinds of malware: "spyware", for instance, is "software that may subvert computer operations without appropriate consent or notification", but even this admits of many options.

So "what does Antivirus remove" and "what does AntiSpyware remove"? We see a huge spectrum of behavior, each of which has positive and negative aspects.

• innocuous: no potential harm (notepad)
• advertising: positive=ad-supported software; negative=unauthorized popups
• data collection: positive=authorized search toolbar; negative=surreptitious data collector
• configuration changes: positive=tweak tool; negative=browser hijacking
• monitoring: positive=parental controls; negative=keyloggers
• dialing: positive=ISP software; negative=porn dialer
• remote resource: positive=pcAnywhere; negative=remote-control trojan
and at the bottom there is clearly bad software with no upside. The key difference seems to be about consent and notification.

MS Antispyware doesn't detect innocuous software, but detects all the rest except the clearly bad stuff. The latter is handled by the Malicious Software Removal Tool, which you can get from Windows Update.

There are all kinds of issues about who is or is not detected by such and such a tool: I guess there was a brouhaha about Claria. The rationale here is that unless something is clearly malicious, what matters is that the behavior matches the consent and notification.

If an application does really sucky stuff, but the vendor is very clear: "We will do sucky stuff", then they have satisfied their disclosure requirements.

There seems to be some who believe that MSAS (and others) should actually forbid software that does sucky stuff whether they disclose or not, but I think this puts the vendor in a much trickier position.

There's a long list of criteria that goes into the evaluation process: consent, disclosure, even industry/consumer opinion counts. Details at »www.microsoft.com/athome/securit···sis.mspx

Malicious Software Removal

The Malicious Software Removal Tool keeps getting expanded to include more threats, and I learned that it's not realtime protection, so it runs really quickly. If it sees evidence of something in memory, it cleans it, but it doesn't scan the hard drive. This makes it really fast and easy to put in a login script.

I need to really look into this to deploy during login time for customers: if it's really that fast, I want it run all the time. There's gotta be a way to do all of this with Group Policy.

Anti-malware industry efforts

There was talk about industry efforts (anti-spyware coalition), both in terms of agreeing on common definitions for both terms and of naming the badware, as well as efforts towards information sharing of signatures and the like. I don't really follow this aspect very much.

Cookies

We talked about cookies too, and how there is so much hysteria by the tinfoil-hat crowd (my term). Mostly they are innocuous, and even in many cases helpful. Your BBR login information is referenced by a cookie, and most of us would prefer not to login every time.

Even if one thinks that cookies can be used for bad stuff - sure, why not? - there is no way they're in the same category as the real badware. When Ad-Aware says that something found "574 pieces of spyware", and they're all cookies, this waters down the term almost down to meaninglessness.

I guess there's a standard for websites to publish privacy policies in a machine-readable way:

»msdn.microsoft.com/library/defau···licy.asp

IE knows how to ask a website about this and can integrate it with policies and security zones. I need to look into this to publish policies on my own website if only to be compatible with "don't connect with sites that don't have a policy" settings. I have only looked at this superficially.

MS AntiSpyware Beta 2

Microsoft has said that they'll have a Beta 2 out by the end of the year, and I guess that means within the next 92 days we'll hear something about it. I hope so - there's lots of stuff that's really annoying about Beta 1 (so much so that I more or less gave up with it at a customer).

This was a good session, though I really wish that CalamityJane were here: I am not all that involved in this area, but she sure is. I'm looking forward to whatever they come up with.

Up next: IPSec.

Steve


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

said by Steve:

This was a good session, though I really wish that CalamityJane were here: I am not all that involved in this area, but she sure is. I'm looking forward to whatever they come up with.

Steve
While not there in person, I have been very much in contact with Microsoft on spyware issues throughout the entire year via email, Livemeeting, in person, and even telephone (Yes, they can call me at home or I can call them if they need my feedback, and they do!) I also had the opportunity to spend a week with the MSAS team and other Microsofties at Tech-Ed in Orlando in June. I "worked" the Antispyware booth all week (even have the MS-blue staff shirt to prove it). Indeed the enterprise version was a hot topic and the need for it quite evident. I'm well aware of the problems in getting a quality product out there, but they are determined to do it. So, yes, progress is slow, but you pointed out very well some of the logjam they have to overcome to make it useful for all enterprise environments, and I very much am active with Microsoft regarding spyware issues. I continue to be impressed with their commitment to wage war on spyware on both the enterprise level and for the home users.

I normally represent the home users, but the interaction with some of the IT folks in the enterprise environment at Tech-Ed was an eye opener as to how prevalent the problem is and the solutions needed. I worked with one IT Admin faced with 44,000 computers, most infected with the very difficult Look2me pest. The Boss likes their free-style working environment and thinks everybody should be allowed to download anything they want. Ack! Poor IT Admin.

I'm still convinced of how committed they are in this fight on all levels, and there are many others out here who are new Security MVPs helping in the antispyware effort. Did you find Suzi? suzi She's big on the enforcement front and at SpywareWarrior, and also now a very active MS MVP who is there at the Summit and probably working some of her new contacts now as we speak.

The MS Malicious Software Removal tool is becoming more and more useful. It is important to note that it now includes some rootkits detection/removal which the bad guys have decided to hit us with in a big way to hide their installs of Spyware/Adware.

P.S. Thank you again for your excellent reporting posts. We're eating this up. Great stuff! Keep it up!
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
IPsec

Well I was looking forward to this a lot: I've been working with IPsec of late, including my An Illustrated Guide to IPsec, though I haven't used it how they do (I only do regular old VPNs).

This presentation is about IPsec improvements in Vista, and I'm looking to educate myself on the non-VPN scenarios. IPsec has many great scenarios that I simply don't understand. Note that this is of essentially zero interest to the home user (our MVPs who deal only with spyware cleanup on end-user desktops could have taken a nap).

Right now, most networks achieve separation with physical means: VLANs, different segments, etc., but this doesn't really allow for the kind of fine-grained control that many enterprises could use. Instead, we'd rather see logical separation that provides better granularity.

IPsec focus of Windows Vista:
• Remote Access/VPN
• Server isolation
• Domain isolation
• Network Access Protection Enforcement


The latter was interesting because I had assumed that VLANs were used for NAP, but I guess it's done with IPsec. Very cool.

A lot of this doesn't involve, surprisingly enough, encryption. Using ESP (Encapsulating Security Payload) with NULL encryption, one can essentially authenticate the conversations on the network, rejecting connections from rogue, unauthorized devices.

No matter how good your VLANs and DMZs are, it's hard to keep J. Random Laptop from plugging into an Ethernet jack and running all over your network. This really points to the need for logical separation, not physical.

An ESP packet in tunnel mode puts a small ESP header, has a blank space for the encryption, and adds a small authentication spot at the end (a hash or digital signature), so the actual packet itself is sent in cleartext, but you know where it came from. When it arrives at the server, it can tell if it's part of a known, authorized connection or not.

Server & Domain Isolation

Server Isolation is meant to protect high-value servers, such as your HR database or financial systems. One must restrict connectivity to the server with IPsec, and it can be done based on user or device. Encryption is optional, but not uncommon to protect high-value data from sniffing and the like.

There is a non-trivial amount of overhead involved here: CPU usage for encryption, the packets get a little bigger to carry the IPsec headers & authentication data, plus handshaking for the key exchange required. But it's possible to get IPsec support in the NIC card to offload the crypto, but I think you need to be a lot bigger than I deal with to care about that.

Domain Isolation protects managed hosts from unmanaged clients. This keeps the random machine that wandered in the building from running all over the network, and this is the only way to really protect a large enterprise unless you post security guards by all the Ether jacks.

This is all very abstract until you see a real case:

Let's say that I want access to the Microsoft source code: obviously the server is physically protected, and there are ACLs all over the place, but a defense in depth seems prudent. When the sourcecode server requires an IPsec connection, all IP attempts must be encapsulated, and they permit only users who are in a "Developers" group.

This permit/deny is done at the IP connectivity level, not the filesystem or application ACL level, so the server never really sees a client who's not allowed. Nothing to brute-force, and you don't tie access to certain IP addresses. Mobile users who have valid credentials get to see the goodies. Nobody else does.

Apparently there were a lot of complaints that configuration was a nightmare, and from what I understand this was the case. I have never set this up, but everybody hated the UI. They say they've really fixed it.

Previously, the domain controller was exempt (partially?) from IPsec because it needed to allow initial setup of clients (say, joining a new machine to the domain), but this left a really important machine unprotected. They somehow figured it out, so IPsec can be in play from start to finish. I don't understand enough to really get the details, but the enterprise guys applauded.

There are a lot of other improvements, but mostly this is distant from my own experience and I can't really elaborate on it much.

There is a good doc on Microsoft.com about how Microsoft IT itself uses IPsec for domain isolation and the like.

»www.microsoft.com/technet/itsolu···lwp.mspx

This got very technical, very interesting, and I'm looking forward to digging into this.

Steve
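The ESP-with-NULL-encryption idea in the post above (payload in cleartext, but the receiver can still tell an authorized peer from J. Random Laptop), as an added toy model that is not Windows or Microsoft code. It follows the ESP wire layout from RFC 4303 (SPI, sequence number, payload, padding, pad length, next header, ICV) with HMAC-SHA-256 truncated to 128 bits as in RFC 4868; the SPI values, keys and the three sample packets are constructed for the example, and the anti-replay check is a simplified "highest sequence seen" rather than a real sliding window.

```python
"""Toy ESP with NULL encryption: authentication only.  Added illustration,
not Windows code.  SPIs, keys and packets are constructed for the example."""
import hmac
import hashlib
import struct

ICV_LEN = 16              # HMAC-SHA-256-128 (RFC 4868 truncation)
NEXT_HEADER_TCP = 6       # what the cleartext payload carries


def esp_null_encapsulate(spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: wrap a cleartext payload in an ESP packet with NULL
    encryption.  Only the trailing ICV ties the packet to the SA's key."""
    pad_len = (-(len(payload) + 2)) % 4           # 4-byte alignment of trailer
    body = struct.pack("!II", spi, seq) + payload + bytes(pad_len)
    body += struct.pack("!BB", pad_len, NEXT_HEADER_TCP)
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Receiver side: an inbound SA table keyed by SPI, plus a simplified
    anti-replay check (highest sequence number seen per SA)."""

    def __init__(self, sa_table: dict[int, bytes]):
        self.keys = sa_table
        self.last_seq = {spi: 0 for spi in sa_table}

    def accept(self, packet: bytes) -> tuple[bool, str, bytes]:
        """Return (accepted, reason, cleartext payload)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return False, "truncated packet", b""
        spi, seq = struct.unpack("!II", packet[:8])
        key = self.keys.get(spi)
        if key is None:
            # No SA for this SPI: the sender never negotiated with us.
            return False, "unknown SPI (rogue or unauthorized device)", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            # Right SPI, wrong key: not part of the authorized conversation.
            return False, "bad ICV (not authenticated by this SA)", b""
        if seq <= self.last_seq[spi]:
            return False, "replayed or stale sequence number", b""
        self.last_seq[spi] = seq
        pad_len, next_hdr = struct.unpack("!BB", body[-2:])
        payload = body[8:len(body) - 2 - pad_len]
        return True, f"ok next_header={next_hdr}", payload


def demo_exchange() -> list[tuple[bool, str, bytes]]:
    """Three packets reach the isolated server: one legitimate, one from a
    device that knows the SPI but not the key, and a replay of the first."""
    sa_key = b"constructed-32-byte-example-key!"        # constructed
    server = EspReceiver({0x1001: sa_key})
    good = esp_null_encapsulate(0x1001, 1, b"GET /payroll HTTP/1.1", sa_key)
    rogue = esp_null_encapsulate(0x1001, 2, b"GET /payroll HTTP/1.1", b"guess")
    return [server.accept(good), server.accept(rogue), server.accept(good)]


if __name__ == "__main__":
    for ok, reason, payload in demo_exchange():
        print(ok, reason, payload)
```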


MVPUser

@wabb.us

reply to Steve
Re: MVP Summit: Friday notes

Those of us in the Networking track get a pretty good IPSec session tomorrow.

Today was pretty good with plenty of information about NAP (Network Access Protection) and how it integrates with 802.1x and IPSEC...


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by MVPUser :

Those of us in the Networking track get a pretty good IPSec session tomorrow.
Those of you in the Networking track will see my smiling face tomorrow morning: I'm going to that session rather than the Antigen session as part of the security track. I'm just not that much of a desktop guy.

A few minutes ago I got in from the evening's festivities: we took over Paul Allen's Experience Music Project, which is a beautiful venue but entirely uninteresting to me. My interest in music is strictly superficial, and the Bob Dylan or Jimi Hendrix or whatever exhibits are just entirely lost on me.

And the visit to the Sci Fi Museum is four minutes I'll never get back. Just not my thing.

But the food was good, hospitality was professional, and the networking was fantastic. I come to Summits to meet my MVP and Microsoft colleagues, and this - my fifth trip to Redmond - I'm kinda getting it down.

It's late and I'm beat: gonna hit the sack now. We have technical sessions in the morning, then the MVP BBQ, then on the plane home. It's been a great trip.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Ok, I'm back home from Summit and can recap yesterday.

The first was on Antigen, but I'll be more use to the community by diving deeper into IPsec, so I headed off to building 40 for essentially the same IPsec presentation we had yesterday, but with a bit more detail. Let me note carefully that I still don't have my arms fully around it, so I'm doing lots of hand-waving and skipping stuff that's probably important. But I think the big picture is at least in the right direction.

IPSec

The more I look at IPsec, the more I'm intrigued by it. Previously I'd always thought to use VLANs or isolated segments to protect things, but this is not very granular.

Scenario: customer's whole enterprise is built around processing of sensitive data (say, a payroll service bureau), and you want to prevent a vendor or visitor from plugging in a laptop to an open RJ45 jack and being able to wander around the network (Of course, there is clearly a physical security issue here - let's put that aside for the moment: the larger the enterprise, the harder this is to get right).

A simple approach is to have separate networks -- internal and external -- on separate VLANs and with a separate set of Ether jacks. This probably works ok when you can physically isolate the network (e.g., waiting rooms, lobbies, cafeterias are all on the "external" network, everything else is internal), but this really falls apart when you deal with a conference room.

You want a vendor to be able to plug in and phone home to get a proposal or whatever, but you also do internal training there. What: two jacks, with a "only authorized users use the one on the left" sign?

IPsec solves this problem. When a computer who's authorized to join the domain signs on, it does the usual credentials dance, and users logging in are able to fetch policies from the domain controller. These policies include IPsec stuff, including the rules on how you talk with other members in the domain.

The payroll server, which has the most sensitive data around, is configured to accept only IPsec-protected connections, and the rules include which credentials it will accept (perhaps the receptionist is a valid domain user, but with no rights to the payroll server).

So if I at my workstation make a "regular" TCP connect() operation, the server sees no IPsec header and simply drops it: the machine is not on the network as far as I am concerned.

Note - I got conflicting information on this point: either the non-protected packet is dropped entirely, or some kind of "IPsec required" response is sent which tells the client to try again. I believe it's the former but am not certain.

This means that the vendor who's plugged into the network doesn't even see the highly secure server and gets nowhere even if he somehow had the Administrator password.

It doesn't have to be (and rarely will be) all-or-nothing. That highly secure server might say "it's IPsec or it's nothing", but other parts of the network will be configured to either not require IPsec at all, to allow it if presented, or to only require it for certain features.

I'd imagine that one would allow DHCP and DNS servers to use unprotected connections - how else would the vendor even get an IP address? - but the fileserver might require it.

Remember that using simple firewalls or hosts.allow doesn't solve this problem that well: if most of your enterprise uses DHCP, then everybody pulls from common pools unless you start doing reservations. This is hard to manage.

It seems clear to me that this requires a great deal of thought to set up in an enterprise, and though I have a payroll service bureau I'd like to do this with, there's no way to "just turn it on" - I'm sure I would just break everything.

An interesting tidbit: at Microsoft IT, they had apparently announced that they were going to use IPsec internally for most stuff, and would be turning it on as of a certain date. Just before this was to happen, the staff making it so got sidetracked on something unrelated, so they never pulled the trigger: but they still got tons of phone calls: "IPsec broke my blah blah blah".

Uh huh, sure it did

Some days later, when they actually turned it on quietly, they got no calls.

I think this is probably much more of a testament to the planning and testing ahead of time than it is to the underlying technology, but nevertheless it's encouraging.

IPsec in Vista has a lot of improvements, the most important of which (from my really limited experience) being much better configuration GUIs. I'd seen the IPsec dialogs before and it looked really daunting, but the new stuff is much better. What's particularly nice is that firewall and IPsec are integrated - this avoids having to do a lot of confusing duplicate configuration.

It looks like I have to deploy it at home first, which will give me experience not only with the non-VPN mode, but will let me learn something about interoperability: I have Linux machines in the mix and wonder how this all works and plays well together. It strikes me that Samba might have to get involved in order to fetch policy from the server.

Next: rootkits

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
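The two IPsec passages above (the source code server in the Friday notes and the payroll server scenario in this post) both describe the same decision: the destination's policy says require, request, or none; an unprotected packet to a "require" host is dropped at the IP layer; and even an authenticated peer is rejected at the connectivity layer when its group membership doesn't match. The following is an added example, not code from the post or from Microsoft: a small Python model of that decision so the scenario can be stepped through. Host names, group names, the three modes, and the Connection fields are all constructed for illustration; the silent drop (rather than an "IPsec required" response) follows the behaviour the author says he believes is correct.

```python
"""Toy model of IPsec domain isolation as described in the thread.

Added example, not from the post or from any Microsoft code. It simulates the
verdict a domain-isolated host reaches when a packet arrives, so the behaviour
the post describes (payroll server never 'sees' an unauthenticated client,
DHCP/DNS stay in the clear) can be traced. All names are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    REQUIRE = "require"   # "it's IPsec or it's nothing" (payroll, source code server)
    REQUEST = "request"   # negotiate IPsec if offered, otherwise fall back to clear
    NONE = "none"         # never negotiate (DHCP, DNS: the vendor needs an address)


@dataclass(frozen=True)
class HostPolicy:
    mode: Mode
    allowed_groups: frozenset = frozenset()   # empty = any authenticated identity


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    ipsec: bool                      # did the peer establish an IPsec SA?
    groups: frozenset = frozenset()  # groups asserted by the authenticated identity


# Constructed sample policy for the payroll-bureau scenario.
POLICY = {
    "dhcp": HostPolicy(Mode.NONE),
    "dns": HostPolicy(Mode.NONE),
    "fileserver": HostPolicy(Mode.REQUEST),
    "payroll": HostPolicy(Mode.REQUIRE, frozenset({"Payroll-Admins"})),
}


def evaluate(conn: Connection, policy=POLICY) -> str:
    """Return the destination's verdict on an incoming connection.

    'accept'      - passed up to the application / filesystem ACL layer
    'clear'       - accepted without protection (mode NONE, or REQUEST fallback)
    'drop-silent' - discarded at the IP layer: no handshake, nothing to brute force
    """
    host = policy[conn.dst]
    if host.mode is Mode.NONE:
        return "clear"
    if not conn.ipsec:
        # REQUIRE: no IPsec header, so the server never learns the client exists.
        # REQUEST: the peer didn't negotiate, so fall back to clear text.
        return "drop-silent" if host.mode is Mode.REQUIRE else "clear"
    # IPsec was negotiated: the group constraint is enforced here, at the
    # connectivity layer, before any filesystem or application ACL is consulted.
    if host.allowed_groups and not (host.allowed_groups & conn.groups):
        return "drop-silent"
    return "accept"


if __name__ == "__main__":
    # Constructed walkthrough of the scenario in the post.
    vendor = Connection("vendor-laptop", "payroll", ipsec=False)
    reception = Connection("reception-pc", "payroll", ipsec=True,
                           groups=frozenset({"Domain Users"}))
    hr = Connection("hr-pc", "payroll", ipsec=True,
                    groups=frozenset({"Domain Users", "Payroll-Admins"}))
    for c in (vendor, reception, hr):
        print(f"{c.src} -> {c.dst}: {evaluate(c)}")
```

The point the model makes is that the vendor laptop and the receptionist's machine get the identical verdict from the payroll server even though one is a domain member and the other isn't: the filter runs before the TCP handshake, so neither the filesystem ACL nor the Administrator password is ever in play.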


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Rootkits

I was looking for this, because Lee Yan is a fantastic presenter, and top-notch nice guy to boot. He's talked with us at the last three Summits, and each time it gets more interesting - what an arms race out there.

I didn't really take any notes because the material was highly detail-oriented, and I couldn't have possibly captured it all. It would have also been really hard to actually follow along had I been transcribing. I started coming down with a cold yesterday morning, and this has slowed (and is still slowing) me down some.

Bottom line: if the trusted computing base is no longer trusted, the game is over, and ultimately if people install rootkits, there won't ever be guaranteed reliable ways to find them (in spite of what has been claimed here in the past). But that doesn't mean that the rootkit-writers are the only smart guys around.

Like all malware, rootkits do "bad stuff", but take extra steps to cover their tracks: By diving into kernel mode, they can do some very effective hiding.

For instance, if rootkit.exe is the badware which injects the kit into the kernel, it can intercept the list-files API to simply omit itself from a listing. So doing a DIR won't show the file if the rootkit is running. Likewise, it can intercept requests to show all running processes to omit itself.

I believe that most rootkit detectors operate by finding cases where the rootkit performs incomplete hiding, and by asking for the same data in different ways, discrepancies point to suspicious behavior.

There are several ways to get file listings: at the Win32 API level, the NT API level, and others as well. One grabs the lists, does a diff, and it points to funny business. So the goal is to find as many sneaky ways to ask these questions in ways that the rootkits haven't figured out how to lie about. They get much better over time.

The approach taken by Rootkit Revealer is to walk the filesystem with all the usual API functions, and then to open the disk volume directly and decode the NTFS itself. Remember: the file has to actually be on the disk somewhere, so examining the volume directly is a sure way to see it, right?

Yes, but... The point is not so much seeing the file, but finding the diffs.

If the NTFS walk sees the file and the APIs don't agree, it points to a problem, but if they produce the same result then all appears well. This means that the rootkit can lie if DIR is asking but tell the truth if RootkitRevealer is asking. If you rename the scanner, the rootkits will figure it out by the file header or other signature.

Selective lying makes for some amusing circumstances. The rootkit's configuration file can be told which file patterns are to be excluded from a listing (the main exe, support files, the trojan, etc.), and once in a while a customer reports that they create a file which suddenly disappears.

This is because the customer filename just happens to match a hide-from-the-user pattern, and it's a dead giveaway that there's a rootkit on the system. Seeing this behavior would surely qualify as "very strange".

The discussion got pretty technical - which I really liked - and covered strategies for tracking them down.

It seems to me that this is the single biggest reason to run as a limited user - admin is required to install a rootkit - though there was sadly very little "walk the walk" at Microsoft on this front. I run as a non-admin user.

This ended the technical sessions, and next was the MVP barbecue. Due to rain it was held indoors, but it was a nice time to network with our fellow MVPs and Microsoft staff.

I felt a cold coming on so left early to catch an earlier flight, and thankfully got in last night before it got too late. I'm typing this with a very stuffy head (only slightly less coherent than usual).

MVP Summit was fantastic, and we got exceptionally relevant sessions. A little bit of marketing - that's to be expected - but hugely valuable takeaway.

Looking forward to next year already!

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
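The cross-view idea in the rootkit post (ask for the same data two ways, diff the answers) and its two caveats (selective lying to the scanner, and the customer file that vanishes because it matches a hide pattern) can be made concrete with a small simulation. The following is an added example, not code from the post and not RootkitRevealer's code: a hooked "list files" view that omits configured patterns, a raw-volume view that the hook cannot touch, and the diff between them. The file names, hide patterns and scanner names are constructed, and the "caller" parameter is a stand-in for however a real kit decides who is asking.

```python
"""Cross-view rootkit detection, in miniature.

Added example (not from the post, not RootkitRevealer's code). Two views of one
directory are simulated: the high-level listing a kernel hook can filter, and a
raw-volume walk the hook does not see. File names, hide patterns and scanner
names below are constructed.
"""
import fnmatch

# Constructed: what is really on disk (what decoding the NTFS volume would show).
ON_DISK = ["notepad.exe", "rootkit.exe", "rk_config.sys", "payroll_q3.xls", "report.doc"]

# Constructed: patterns the hooked list-files API omits from its answer.
HIDE_PATTERNS = ["rootkit*", "rk_*"]

# Constructed: callers the kit chooses to tell the truth to (the selective-lying caveat).
KNOWN_SCANNERS = {"rootkitrevealer.exe"}


def _matches_hide_pattern(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def hooked_dir_listing(files, caller, patterns=HIDE_PATTERNS):
    """The rootkit's filtered answer to the list-files API.

    The kit lies to ordinary callers (DIR, Explorer) but answers honestly when
    the caller looks like a known scanner, so the two views agree and the scanner
    sees nothing wrong. Renaming the scanner alone is not enough if the kit keys
    on a header or other signature, which this toy models only by name.
    """
    if caller.lower() in KNOWN_SCANNERS:
        return list(files)
    return [f for f in files if not _matches_hide_pattern(f, patterns)]


def raw_volume_listing(files):
    """Walk the volume directly: the hook is bypassed, nothing is omitted."""
    return list(files)


def cross_view_diff(files, caller="cmd.exe", patterns=HIDE_PATTERNS):
    """Names present on disk but missing from the API view, as seen by `caller`.

    A non-empty result is the discrepancy a detector reports. An empty result
    means either a clean system or a kit that told this particular caller the truth.
    """
    api_view = set(hooked_dir_listing(files, caller, patterns))
    raw_view = set(raw_volume_listing(files))
    return sorted(raw_view - api_view)


def vanishing_file_check(user_filename, patterns=HIDE_PATTERNS):
    """Would a file the user just created collide with a hide pattern?

    This is the 'I saved a file and it disappeared' report from the post: the
    name happens to match the kit's exclusion list, which is itself a giveaway.
    """
    return _matches_hide_pattern(user_filename, patterns)


if __name__ == "__main__":
    print("DIR view misses:      ", cross_view_diff(ON_DISK, caller="cmd.exe"))
    print("scanner view misses:  ", cross_view_diff(ON_DISK, caller="RootkitRevealer.exe"))
    print("rk_notes.txt vanishes:", vanishing_file_check("rk_notes.txt"))
```

Run from an ordinary caller the diff names the two hidden files; run as the "scanner" it comes back empty, which is exactly why the post says the value lies in asking the question in ways the kit hasn't learned to lie about rather than in any single view.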

Tuulilapsi
Kenosis

join:2002-07-29
Finland

This thread needs a huge thumbsup.

I believe MS should market limited user much more aggressively. That would be good for both their users' security and the reputation of NT as a secure operating system. It's bloody amazing how many "professionals" don't know about limited user on Windows.
--
And lead me not into temptation - for I can find my way there myself easily enough.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Tuulilapsi :

I believe MS should market limited user much more aggressively.
They should use it first.

I asked nearly every presenter about this, and nearly every one of them was admin on his or her own desktop. Personally, I get zero benefit from running as non-admin on my own system, and neither would these security-savvy users, but this is about "dogfooding" your own security best practices.

Apparently there is a large campaign to actually do this, but with the push to get Longhorn/Vista out the door (which is quite a bit better on this front), I dunno how far it's going to go.

I like to think of myself as walking the walk: not sure I can say the same for Microsoft.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site

Tuulilapsi
Kenosis

join:2002-07-29
Finland

Hell, I won't argue against you on that. Leading by example, that should be self-evident. Frankly, I don't know why so many people who know of limited user do not run as limited. I like to think of myself as a power user, yet I can do pretty much anything I need to do frequently without an admin account. If it takes two seconds to use Run As a couple of times a week, I can live with that. Maybe I'm just not busy enough.
--
And lead me not into temptation - for I can find my way there myself easily enough.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Tuulilapsi :

Frankly, I don't know why so many people who know of limited user do not run as limited.
Because the difficulty involved depends on the mix of programs you use, and RunAs doesn't always really deal with it properly. I run as non-admin and it positively sucks: too much software just doesn't do the right thing, and figuring out how to Make It Work can be a real challenge.

Quickbooks, for instance, requires opening up HKEY_CLASSES_ROOT at the very top level, which removes much of the benefit of running as non-admin.

Note: if you temporarily elevate yourself to admin so you can install software and then remove yourself from the Administrators group, you're not getting any real protection (hint: CREATOR/OWNER). Likewise with Power User - escalation to Admin is not really that difficult.

The only way this will ever happen is if users demand it from their vendors and vote with their wallets. I think this is a very tough row to hoe: "running as a limited user" is not even on the top 10 things that people care about when evaluating (say) an accounting package, so the folks at Intuit don't ever hear about this except from a couple of whiney Microsoft MVPs. We're not customers, so they could hardly care less.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site