Final day of this TechEd.
First-up a session with Mark Minasi on 2 of Vistas least understood security features, User Account Control (UAC) and Windows Integrity Levels (WIL)
Mark is another of the popular TechEd regulars and always gives a good show, he’s written many good books which I own 🙂
the key points for me were;
UAC – User Account Control
- much maligned but still a good protection tool, Mark did a good overview of how it works.
- Windows 95 is the root of all problems, the design principal that system/app configuration only went into HKEY_LOCAL_MACHINE and all per-user configuration should go into HKEY_CURRENT_USER was never adhered to by developers as there was no real requirements to do so, thus Windows has been lumbered with maintaining backward compatibility for generations so as not to upset the user experience.
- Interesting/geeky point for me was that when the screen grey’s for the UAC prompt it’s actually a terminal services based session that presents the UAC dialog and places a grey’d out screenshot of the users desktop as wallpaper.
- When running with UAC enabled, user accounts (even administrators) are run with least privelidge by splitting the authentication token in two, standard and administrative. this breaks some applications that need administrative access, so this is controlled by prompting for credentials (elevation) that run just that process with the required administrative credentials, this requires an application restart if it does not do it at start-up.
- you can manually specify which applications should run with Administrative rights, most built in Vista applications are provided with an compiled in manifest resource record that marks them as requiring UAC elevation.
- Your own or 3rd party apps that do not have this manifest available can be given the same functionality either by marking the file by looking at its compatability settings or using a corresponding .manifest file if you have to distribute the file (if you rename or move the .exe the former method stops applying).
- The built-in Administrator account never sees any UAC prompts regardless of how it’s configured.
WIL – Windows Integrity Levels (formerly Mandatory Integrity Controls)
- WIL was of much more interest to me – it is a core part of Vista protection and works on the basis of assigning integrity levels to files and processes, an integrity level overrides traditional ACL’s and permissions and is on the basis that you cannot change an integrity level unless you have an equal or higher integrity level.
- It was designed to prevent alteration of critical system components (and thus stability/security) even by inattentive administrators or malware that has tricked the user into running it with elevated permissions – it placed several hurdles that administrators must clear to make changes and discouraged casual/badly thought tinkering… which is one of my main bug-bears with Windows, the server OS looks too much like the desktop OS, familiarity breeds contempt in my book.
- It proved controversial/unpopular with the technical community during early betas and was removed at the RC stage; however as Mark put it “they took the sinks away but left the plumbing”, which means its still there and could be exploited by someone building root-kits/malware as it would be very hard to remove or detect without some expert knowledge.
- Mark hinted that he’s been flagging this with Microsoft security for a while and they’ve not made a satisfactory response or mitigation, so in the interest of no security through obscurity he’s giving an overview… positive sign that it made it onto the TechEd agenda I guess – but it’s “in the wild” now and Mark has already written a book covering this during the Vista beta phase.
- Process Explorer can show the Integrity level of a process and Mark Minasi’s tools here can manipulate & view settings
Next up was DS Geek notes from the field, this was a good technical session where Ulf ran through some interesting scenarios and issues he’s encountered working with Active Directory, I’ve seen a lot of these myself as well – but the key points for me were;
- 280 domain admins reduced to 3 with fully delegated model, always a difficult discussion to manage with customers and staff (I have scars to prove it!) his approach was to break each task out and ensure there is only 1 owner – this reduces ambiguity and ensures accountability – with the handy side-effect of demonstrating that 277 of those people didn’t really need to be domain admins to do their day-jobs
- If you accidentally change any properties of a site connection/replication object in AD Sites & Services it changes from being dynamically generated to static without a warning, 2008 now has a dialogue box warning of the change.
- You can change a static connection object back to dynamic by adjusting the “options” attribute for the object in ADSIEDIT from 0x4 (static) to 0x5 (dynamic) rather than deleting and re-creating.
- Virtual Machines are good for DS-Lag sites, where an AD site has one or more domain controllers but where the site replication connector is a day or so behind the rest of the AD, this allows for a simpler restore of deleted objects by marking the object as authorative on the lag site and forcing replication into the production AD – this will bring the object back.
- VM’s lend themselves to this as you can script enabling/disabling the NIC to avoid the situation where there is an accidental (or malicious) deletion followed by a forced replication across all sites.
- LDIFDE import/export can be used to bring back object attributes from a restored AD snapshot (nice functionality that Ulf discusses here).
- Ulf also had an interesting script based solution for a single site (and domain) DC restoration where there is a simple local PC infrastructure like a branch office; where rather than maintaining and copying over the WAN, large system state backups he leveraged LDIFDE in export mode to take a backup of AD and xcopy of files, restoring such a DC after failure can be end-end automated through an unattended OS onto new/replacement hardware and scripts to import and re-ACL the DS objects and file system and re-join machines to the new domain.
Next up was one of two further sessions with Mark Russinovitch, the case of the unexplained – as ever this was informative and he has good coverage of this on his blog which I’d encourage you to check out in hunting down bad/buggy 3rd party driver software which is at fault a large portion of the time, rather than core Windows itself – I have a number of thoughts on why this is the case and will blog those later.
- One useful tidbit that I didn’t know is that Process Monitor can show you what TCP/IP sessions a particular process is using – nice.
- and you can suspend individual threads whilst you investigate what they do or to see if that improves overall performance.
The 2nd of Marks sessions and the final session of TechEd 2008 was on Windows security boundaries; which Microsoft define as an access policy between code and data which describes what if anything is allowed to be shared between the two, anything that could allow access between the two is not a hard security boundary – it is capable of being exploited.
- Mark covered several of the technologies in Windows Vista and 2008 (PatchGuard, UAC, Protected mode IE etc.) and the conclusion is that the only real security boundaries are System & Java Virtual Machines, .NET Code Access Security (CAS) as they are deliberately architected not to allow communication between processes or users and data.
- Didn’t realise this but x64 PatchGuard can blacklist drivers from a list provided by Microsoft.
- As ever, it was an excellent technical session and Mark provided several demos of how the isolation technology works along with some exploits demonstrating why certain types of isolation technology are not hard security boundaries. There is a US version of his presentation which I would encourage you to check out here
All in, it was a good week at TechEd it does feel a bit scaled back from previous years but the technical content of sessions was better at the end of the week – I don’t know if that was deliberate.
One notable omission this year was an equivalent of Andrew Cheeseman’s session on how they built the TechEd infrastructure – this was always a fascinating and entertaining session, I note he has moved on since last year but an equivalent session would have got a good attendance.
As I’ve said many times over, it’s still excellent value for money and I would recommend it to anyone – if you want to know more about my experiences please comment away and I’ll try to answer whatever I can.
You may also want to visit Techhead as he has also been blogging extensively about the sessions this year as has Geert Baeke.
Hope you found these posts useful – feel free to feedback via the comments!