How NOT to piss off an ITPro aka
How to Build Better Software for Windows
Sami Laiho
Senior Technical Fellow, MVP
@samilaiho · [email protected] · #DevSum19
Sami Laiho
Senior Technical Fellow
adminize.com / Sulava
• IT Admin since 1996
• MCT since 2001
• MVP in Windows OS since 2011
• Specializes in and trains:
  • Troubleshooting
  • Windows Internals
  • Security, Social Engineering, Auditing
  • Centralized Management, Active Directory
• Trophies:
  • Ignite 2018 – Session #1 and #2 (out of 1708)!
  • Best Speaker at NIC, Oslo 2016, 2017 and 2019
  • Best External Speaker at Ignite 2017
  • TechDays Sweden 2016, 2018 – Best Speaker
  • TechEd Europe and North America 2014 - Best session, Best speaker
  • TechEd Australia 2013 - Best session, Best speaker
  • TechEd Europe 2013 - Best Session by an external speaker
I got Certs
1.2 kg of them
@samilaiho
If you are not on Twitter – get on Twitter!
70 Best hackers in the world invited (#36)
• Super proud to be included in this book
• All profits go to charity!
• https://www.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189
10 Deadly Sins of App Design
By the Book - RTFM
https://docs.microsoft.com/fi-fi/windows/desktop/win_cert/certification-requirements-for-windows-desktop-apps
#1 Wrong use of Filesystem
Executable code and user data should not be in the same location
Mandatory Integrity Control
[Diagram: Mandatory Integrity Control – write operations from a process at SYSTEM, HIGH, MEDIUM or LOW integrity to a resource (share, NTFS object) at SYSTEM, HIGH, MEDIUM or LOW integrity; MIC blocks writes to a resource whose integrity level is higher than that of the process]
Location for code and data
• Binary goes to:
  • 64-bit app → C:\Program Files
  • 32-bit app → C:\Program Files (x86)
• Data goes to:
  • All Users (Shared) → C:\ProgramData
  • Single user:
    • Roaming data → C:\Users\<UserName>\AppData\Roaming
    • Not roaming, Medium integrity data → C:\Users\<UserName>\AppData\Local
    • Not roaming, Low integrity data → C:\Users\<UserName>\AppData\Local\Low
Case of Windows Defender
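The reason code and data must not share a location is that a standard user who can write to the code directory can replace the binary. The following audit script is an added example (not from the deck): it walks an install root and reports every folder, executable or script that a standard-user principal is allowed to modify. The function name and the list of principals are my own choices.

```powershell
# Added example: find code under an install root that standard users can modify.
function Find-UserWritableCode {
    param(
        [Parameter(Mandatory)] [string] $InstallRoot,
        [string[]] $CodeExtensions = @('.exe', '.dll', '.ps1', '.cmd', '.bat')
    )
    # Principals that stand for "any standard user" on the machine (assumed list)
    $lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                           'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # Rights that let a user replace, append to or delete code, or change its ACL
    $writeMask = [System.Security.AccessControl.FileSystemRights] (
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')
    # The root itself, every sub-folder, and every file with a code extension
    $items = @(Get-Item -LiteralPath $InstallRoot) +
             @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force |
               Where-Object { $_.PSIsContainer -or $_.Extension -in $CodeExtensions })
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int] $ace.FileSystemRights -band [int] $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (the path is a placeholder for a real install directory):
Find-UserWritableCode -InstallRoot 'C:\Program Files\ExampleVendor\ExampleApp' | Format-Table -AutoSize
```

A correctly installed application under Program Files returns nothing; any row is a location where an installer has either put code in a user-writable place or loosened the ACL.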
#2 Wrong use of Registry
Registry
• Computer wide: HKLM\Software
• User specific: HKCU\Software
• NOT HKLM\System !
#3 Wrong use of Services
Service accounts and user rights
• A service can use one of the three built-in service accounts
Avoid custom service accounts
• Services have SIDs as well
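As an added example (not from the deck), the following script lists services that run under something other than the three built-in accounts (LocalSystem, LocalService, NetworkService) and, in the same pass, services whose binary sits outside Program Files or the Windows directory. Treating virtual accounts (NT SERVICE\...) and managed service accounts (names ending in $) as acceptable is my assumption, as is the function name.

```powershell
# Added example: find services with custom accounts or binaries in odd places.
function Find-CustomServiceAccounts {
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    # Assumed acceptable roots for service binaries: Program Files and the OS directory
    $allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                    Where-Object { $_ }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = if ($_.StartName) { $_.StartName } else { '' }
        # Per-service virtual accounts and (g)MSAs carry no stored password, so they are fine
        $isBuiltIn = $builtIn -contains $account -or
                     $account -like 'NT SERVICE\*' -or $account -like '*$'
        # Strip quotes and arguments from the image path to get the executable
        $exe = if ($_.PathName -match '^"([^"]+)"') { $matches[1] }
               elseif ($_.PathName) { ($_.PathName -split ' ')[0] }
               else { '' }
        $inAllowedRoot = $false
        foreach ($root in $allowedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inAllowedRoot = $true }
        }
        if (-not $isBuiltIn -or -not $inAllowedRoot) {
            [pscustomobject]@{
                Name           = $_.Name
                Account        = $account
                BuiltInAccount = $isBuiltIn
                Binary         = $exe
                InAllowedRoot  = $inAllowedRoot
            }
        }
    }
}

Find-CustomServiceAccounts | Sort-Object BuiltInAccount, Name | Format-Table -AutoSize
```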
#4 Software Requires Admin Rights – NO IT DOES NOT!
No excuses!
NT 3.1 Security Guide
• States that local admins have full access to the computer.
• It also says: “in Windows there is no security if you run as admin”
• Analysis of Microsoft “Patch Tuesday” Security Bulletins from 2015
  • 85% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights
  • 52% increase in the total volume of vulnerabilities compared to 2014
• Windows Server vulnerabilities
  • 429 vulnerabilities (304 in 2014)
  • 85% were found to be mitigated by the removal of admin rights
2016 Microsoft Vulnerabilities Study
Key findings
• Of the 189 vulnerabilities in 2016 with a Critical rating, 94% were concluded to be mitigated by removing administrator rights
• 66% of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights
• 100% of vulnerabilities impacting Microsoft’s latest browser Edge could be mitigated
• 100% of vulnerabilities in IE and Chrome could be mitigated by removing admin rights
• 99% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
• 93% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights
Microsoft Vulnerabilities Report 2017
The 2017 report highlights the following key findings:
• Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017.
• 95% of Critical vulnerabilities in Microsoft browsers can be mitigated by removing administrator rights.
• Almost two thirds of all Critical vulnerabilities in Microsoft Office products are mitigated by removing admin rights.
• Removing admin rights would mitigate almost 80% of Critical vulnerabilities in Windows 10 in 2017.
• 88% of all Critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.
Case of Shit-O-Meter
#5 Not having an MSI
We don’t care about anything but MSI or MSIX
#6 Bad Uninstaller
Not cleaning up properly
Visual Studio 2015 adds 110000 registry entries
#7 Incorrect use of Multimedia Processes
For maximum battery life the current timer interval (which can be changed with timeBeginPeriod or NtSetTimerResolution) should be 15.6 ms
Case of PDF Creator / Google
#8 Hating APPX / MSIX
Application Isolation
• Starting from Windows 8 the modern (later in Windows 10 called universal) apps are packaged in APPX-packages that allow the use of AppContainers
[Diagram: a LOW INTEGRITY AppContainer process reaches resources only through its declared CAPABILITIES and through ACL entries granted to the AppContainer]
Quote from Microsoft
• “As you folks know my team owns *all* the deployment technologies at Microsoft. We are being quite clear – all investments are going into MSIX. This is why you saw MSIX AppAttach announced this week to enable WVD/RDP/VDI scenarios. AppAttach is there to make app distribution in a VDI environment significantly better but it is also there to be the replacement for App-V streaming in a VDI environment. Our goal is for there to be no reason not to move to MSIX from your current deployment tech. Of course Rome wasn’t built in a day so it’s a journey but it’s very important to let your customers know that MSIX is the future of app deployment and while App-V provides them tremendous value today there is no roadmap for App-V that doesn’t end up in MSIX.”
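The isolation an APPX/MSIX package gets depends on what its manifest declares. As an added example (not from the deck), this script reads the AppxManifest.xml of each installed package and lists its capabilities, flagging packages that declare runFullTrust, since a full-trust package runs outside the AppContainer sandbox shown above. The function name is my own.

```powershell
# Added example: report declared capabilities per installed package.
function Get-PackageCapabilityReport {
    param([string] $Name = '*')   # wildcard package name filter
    Get-AppxPackage -Name $Name | ForEach-Object {
        if (-not $_.InstallLocation) { return }   # framework/resource packages may have none
        $manifestPath = Join-Path $_.InstallLocation 'AppxManifest.xml'
        if (-not (Test-Path -LiteralPath $manifestPath)) { return }
        [xml] $manifest = Get-Content -LiteralPath $manifestPath -Raw
        # Capability, uap:Capability, rescap:Capability and DeviceCapability all sit
        # under <Capabilities>; the Name attribute holds the capability itself
        $caps = @($manifest.Package.Capabilities.ChildNodes |
                  Where-Object { $_.NodeType -eq 'Element' } |
                  ForEach-Object { $_.GetAttribute('Name') })
        [pscustomobject]@{
            Package      = $_.Name
            Version      = $_.Version
            FullTrust    = ($caps -contains 'runFullTrust')
            Capabilities = (($caps | Sort-Object -Unique) -join ', ')
        }
    }
}

# Packages that do not get AppContainer isolation are the ones to review first
Get-PackageCapabilityReport | Where-Object FullTrust | Format-Table Package, Version, Capabilities -AutoSize
```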
#9 Management Tools misunderstood
https://cloudblogs.microsoft.com/windowsserver/2019/04/29/its-time-to-update-your-windows-management-strategy/
Future of Management
• Windows Admin Center https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview
  • No MMC
• No GUI on the server
  • Server 1809 →
  • Nano server
• PowerShell is the only required management interface
  • But it’s nice to have a GUI as well as long as it’s remote ☺
• Admins need to manage from Privileged Access Workstations (PAW)
  • RDP is for “emergency use only”
  • https://blog.win-fu.com/2014/07/why-you-need-to-manage-your-gpos-from.html
#10 Not Ready For Whitelisting
Whitelisting
• Do not change ACLs on Program Files and Windows – DO NOT!
• Don’t install in
  • the root of C:\
  • C:\Users
  • C:\ProgramData
  • Anywhere outside of Program Files and Program Files (x86)
• All binaries need to be signed, including DLLs
  • If you use scripts, those as well
  • Even more so if you update your own binaries
  • Signing with a trusted cert!
Whitelisting
• Case of Teams or Slack
  • It is not an excuse to say that the provider of the platform hasn’t signed – you are responsible!
• Don’t create binaries in Temp folders – especially if they are not signed!
Case of TeamViewer or Slack/Teams
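As an added example (not from the deck), the following script checks an installed application against the whitelisting rules above: the install root is under Program Files, every binary and script carries a valid Authenticode signature, and no executables have been dropped into the Temp folders. The function name and extension lists are my own choices.

```powershell
# Added example: whitelisting readiness check for one installed application.
function Test-WhitelistReadiness {
    param(
        [Parameter(Mandatory)] [string] $InstallRoot,
        [string[]] $Extensions = @('.exe', '.dll', '.sys', '.ocx', '.ps1', '.psm1', '.vbs', '.js', '.msi')
    )
    # Rule 1: code lives under Program Files / Program Files (x86), nowhere else
    $programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $underProgramFiles = @($programRoots | Where-Object {
        $InstallRoot.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    if (-not $underProgramFiles) {
        Write-Warning "$InstallRoot is outside Program Files; a path rule for Program Files will not cover it"
    }
    # Helper: emit a finding for a file whose signature is not Valid (or for any file when $Issue is given)
    $report = {
        param($File, $Issue)
        $sig = Get-AuthenticodeSignature -FilePath $File.FullName
        if ($sig.Status -eq 'Valid' -and -not $Issue) { return }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path   = $File.FullName
            Status = $sig.Status        # NotSigned, HashMismatch, NotTrusted, ...
            Signer = $signer
            Issue  = if ($Issue) { $Issue } else { 'Signature not valid' }
        }
    }
    # Rule 2: every binary and script in the install root is signed with a trusted cert
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Force |
        Where-Object { $_.Extension -in $Extensions } |
        ForEach-Object { & $report $_ $null }
    # Rule 3: no executables written to Temp folders (they cannot be whitelisted by path)
    foreach ($temp in (@($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $temp)) { continue }
        Get-ChildItem -LiteralPath $temp -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.exe', '.dll', '.ps1') } |
            ForEach-Object { & $report $_ 'Executable in Temp folder' }
    }
}

# Usage (placeholder path):
Test-WhitelistReadiness -InstallRoot 'C:\Program Files\ExampleVendor\ExampleApp' | Format-Table -AutoSize
```

A NotTrusted status means the file is signed but the chain is not trusted on this machine, which is exactly the “signing with a trusted cert” point above.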
KIITOS JA ANTEEKSI! (Thank you and I’m sorry)
And… last but not least – don’t forget to evaluate this session in the DevSum app!
#DevSum19
WANT MORE?
• Come to my courses https://win-fu.com/ilt/!
• Check out my videos at PluralSight!
  • Send me an email for a free pass!
• Check out my personal video library at https://win-fu.com/dojo
• Follow me on Twitter: @samilaiho
• Blog, Slack: https://win-fu.com/
• Consulting? Email me at [email protected]