Page 1: Windows 2000 PKI, Smart Cards and EFS - Research

Welcome!

This course is an overview of the larger security changes in Windows 7 and Windows Server 2008-R2. The goal of the talk is to give an executive summary of the security enhancements in Windows 7/2008-R2 to help IT engineers and managers make more-informed decisions about deployment, the relative value of Windows 7 over XP/Vista, and to help guide further independent research.

This talk will not be pro-Microsoft propaganda or a sales pitch, but it does discuss many new things in Windows 7 and Server 2008-R2 which are good. The author does not work for Microsoft, though the author does specialize in Windows security as a consultant, and, for the SANS Institute, is the author of the week-long Securing Windows track (SEC505) for the GCWN certification.

Windows Security at SANS

The six-day Securing Windows course at SANS (course number SEC505) is intended for those specializing in Microsoft Windows security and is fully updated for Windows 7 and Windows Server 2008-R2. The course author's blog is at http://blogs.sans.org/windows-security/, where you can also download the PowerShell scripts related to the course.

[Windows, Windows Server, Windows XP, Windows 7, Windows Vista, Internet Explorer, InPrivate, SmartFilter, DirectAccess, BitLocker, AppLocker, BranchCache and other terms in this document are products and/or trademarks of Microsoft Corporation in the United States and other countries.]

Page 2

If, like 90% of other organizations, you skipped over Vista entirely and kept XP, then "What's new for security in Windows 7?" includes a lot. For XP administrators, Windows 7 will be very different. Similarly, if your servers are running Windows Server 2000/2003, then moving to Server 2008-R2 will require some adjustment.

If you are migrating from Vista and Server 2008, on the other hand, then you'll find Windows 7 to be familiar (and a blessing) and 2008-R2 will be a breeze.

So this talk aims to make both groups happy. Since 90% of you skipped over Vista completely, the talk will include material which was first new in Vista, but today is still new to you. For the Vista administrators, special emphasis will be placed on changes that are new versus Vista. Similarly for the contrast between Server 2008-R2 and Server 2000/2003/2008.

Page 3

Windows 7 is what Vista was supposed to be. Windows 7 is really Vista-R2, but for marketing reasons Microsoft changed the name. There are few fundamentally new things in Windows 7 over Vista (unlike when we went from XP to Vista, which introduced many important changes), but what we do get is a noticeable overall improvement in speed, responsiveness, backwards compatibility, and device driver support. Windows 7 also reduces the number of User Account Control (UAC) prompts in comparison to Vista. And the minimum realistic hardware requirements to run Vista/7 are now just off-the-shelf typical desktop/laptop hardware, hence, even in a recession the good-enough hardware is easy to afford. None of these things are especially eye-popping or make you yell "Wow!", but they were also the main reasons some 90% of organizations skipped over Vista. Windows XP is getting quite old now, so the pent-up demand to migrate to Windows 7 should be substantial – at least, that's what Microsoft is betting.

But there are some things in 7 which might make you say "Wow", even if you don't yell it. New things like DirectAccess, BranchCache, Windows XP Mode, and booting from a VHD file are very interesting at least, and we'll talk about them here. You might even be surprised to find that 7 runs fairly well on Atom-based netbooks with only 1GB of RAM and, on the high end, scales up to 256 CPUs and can even harness the GPUs in some newer video cards.

In Server 2008-R2 the biggest changes are again in things like DirectAccess and BranchCache. But the same organizations which skipped over Vista might have also skipped over Server 2008, so, for them, the switch from 2003 to 2008-R2 will be dramatic. This presentation, however, assumes you've already got 2008-R1, so it only discusses what's new in 2008-R2.

Page 4

User Account Control (UAC) is the feature in Vista designed to annoy users to death with pop-up prompts. Actually, it's designed to motivate software developers to avoid writing applications which unnecessarily require UAC approval, which makes it easier for us to remove users from their local Administrators groups.

Nonetheless, UAC is still annoying, but now it's less annoying in Windows 7. There are fewer changes that require UAC prompt approval in Windows 7, and many of the changes which still require UAC approval now only pop up a single confirmation prompt instead of multiple prompts, e.g., reading a file's properties and moving it to another folder.

In Control Panel, you can go to either the Action Center or User Accounts applet to click a link to manage UAC settings. The new UAC management interface is more fine-grained and easier to understand, and the same options exist in Group Policy for distributed management too. UAC options range from 1) Always notify, 2) Notify only when programs try to make changes to the computer, but not to Windows settings, 3) Same as option number two, but don't dim the desktop when prompting, and 4) Never notify.

The distinction between "making changes to the computer" and "making changes to Windows settings" isn't completely clear cut, but at least Microsoft is trying to draw a line between settings that don't really matter for security and changes to the file system and other locations which are rare and potentially destructive. In any case, fewer prompts is usually better, especially if the alternative is to disable UAC entirely.
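The four slider levels above are stored as a handful of registry values that the Group Policy "User Account Control: ..." settings also write. The following script is an added example (not part of the talk) that reads those values and maps them back to the slide's four levels so the effective UAC configuration can be audited without opening the GUI. The value names and meanings in the comments are assumptions about what the control panel writes under Policies\System.

```powershell
# Added example (not from the talk): read the registry values behind the Windows 7
# UAC slider and map them back to the four levels listed on the slide.
# Assumption: the value names and meanings are those written under Policies\System
# by the UAC control panel and by the "User Account Control: ..." Group Policy settings:
#   EnableLUA                  1 = UAC on, 0 = off (Windows 7's "Never notify" sets 0, reboot needed)
#   ConsentPromptBehaviorAdmin 2 = prompt for consent, 5 = prompt only for non-Windows binaries,
#                              0 = elevate without prompting
#   PromptOnSecureDesktop      1 = prompt on the dimmed secure desktop, 0 = on the normal desktop

function Get-UacLevel {
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')

    $p = Get-ItemProperty -Path $Path
    # A missing value means "not configured", which Windows treats as the secure default
    $enableLua = if ($p.PSObject.Properties['EnableLUA'])                  { [int]$p.EnableLUA }                  else { 1 }
    $consent   = if ($p.PSObject.Properties['ConsentPromptBehaviorAdmin']) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($p.PSObject.Properties['PromptOnSecureDesktop'])      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    $level = if ($enableLua -eq 0)                      { 'UAC disabled (EnableLUA=0): admins run fully elevated, no prompts' }
             elseif ($consent -eq 2 -and $secure -eq 1) { '1) Always notify' }
             elseif ($consent -eq 5 -and $secure -eq 1) { '2) Notify only when programs try to make changes (default)' }
             elseif ($consent -eq 5 -and $secure -eq 0) { '3) Same as 2, but without dimming the desktop (no secure desktop)' }
             elseif ($consent -eq 0)                    { '4) Never notify: elevation happens silently' }
             else                                       { "Non-standard combination: Consent=$consent SecureDesktop=$secure" }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

Get-UacLevel | Format-List Level, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```

Level 3 is worth flagging in an audit: the prompt still appears, but it is drawn on the normal desktop rather than the isolated secure desktop, so other processes running as the user can interact with it.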

Page 5

Software Restriction Policies (SRP) have been around for a long time, ever since Windows XP first came out. SRP can be used to allow or block processes based on the MD5 hash of the binary, the code signing certificate of the binary, the local or network path of the binary, or IE zone. SRP settings are managed through Group Policy for mass distribution.

AppLocker is an updated version of SRP for Windows 7, Server 2008-R2 and later. AppLocker requires at least one domain controller in the forest to be running Server 2008-R2 or later too. AppLocker is more precise with respect to digitally-signed binaries, can be assigned to individual users or groups, and, most importantly, supports an audit-only mode which can be used for testing and debugging prior to flipping the switch (and triggering a flood of user complaints). In audit-only mode, nothing is blocked, but information about programs that would be blocked is written to the event logs for analysis and fine-tuning of rules.

For more information, Google on "site:microsoft.com applocker".
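Audit-only mode is only useful if someone actually reads the events it writes. The script below is an added example (not the talk's own code) that pulls the "would have been blocked" events from the AppLocker log and groups them by file path, which is the list you work through when fine-tuning rules before enforcement. It assumes the channel name and event IDs documented for Windows 7 (8002 allowed, 8003 would-block in audit-only mode, 8004 blocked) and that the event XML carries its details under UserData/RuleAndFileData.

```powershell
# Added example (not from the talk): summarize AppLocker audit-only events so rules can be
# tuned before enforcement. Assumptions: the channel name and event IDs are as documented
# for Windows 7 (8002 = allowed, 8003 = would have been blocked in audit-only mode,
# 8004 = blocked in enforce mode), and the event XML carries its details under
# UserData/RuleAndFileData (FilePath, Fqbn, TargetUser).

function Get-AppLockerAuditSummary {
    param(
        [string]$LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',   # also: '.../MSI and Script'
        [int]   $MaxEvents = 5000
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8003, 8004 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        $outcome = if ($_.Id -eq 8003) { 'WouldBlock (audit)' } else { 'Blocked' }
        New-Object PSObject -Property @{
            Outcome   = $outcome
            FilePath  = $d.FilePath       # uses %PROGRAMFILES% / %SYSTEM32% style variables
            Publisher = $d.Fqbn           # fully-qualified binary name from the signature, or '-'
            UserSid   = $d.TargetUser
            Time      = $_.TimeCreated
        }
    } | Group-Object Outcome, FilePath |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Outcome / FilePath'; e = { $_.Name } }
}

# Top offenders first: each row is a candidate for a new publisher or path rule
Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Prefer publisher rules over path rules for anything that shows a Publisher value: a path rule only holds as long as the user cannot write to that path, whereas a publisher rule follows the signature through updates.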

Page 6

To create a BitLocker To Go removable drive you must have Windows 7 Enterprise or Ultimate Edition (not Professional), but to read and write to that drive afterwards you can use any version of Windows 7 or later, even Starter Edition. You can also get read-only access to that drive on Windows XP/Vista using a special reader program automatically installed onto the BitLocker To Go removable drive when it is created. BitLocker To Go removable drives do not have to be formatted with NTFS anymore; you can use FAT, FAT32 or exFAT instead.

Enabling BitLocker To Go on a removable drive is easy: simply right-click that drive in Windows Explorer and select "Turn On BitLocker". Access to the BitLocker To Go drive is controlled either by a passphrase or a smart card. After you create the BitLocker USB drive you also have the option to enable auto-unlock for just that one drive on just that one computer, hence, you don't have to enter the passphrase again every single time you log onto that machine. Simply log on, insert the drive, and the drive is mounted and available immediately.

Once a removable drive is encrypted, if you right-click that drive again in Windows Explorer you'll have a new option to "Manage BitLocker".

BitLocker To Go has the same recovery key backup options as regular fixed-disk BitLocker, e.g., saving a recovery key to Active Directory, saving a recovery file, printing a recovery number, etc.

Page 7

A .VHD file is the virtual drive-in-a-file format used by Virtual PC, Virtual Server, Data Protection Manager and Windows Server Backup. Windows 7 and Server 2008-R2 can boot from a local VHD file without a host operating system, virtual machine software or a hypervisor (XP/2003/Vista are not supported; the VHD must be on a local non-removable drive; the VHD can be fixed, dynamic or differencing). This includes support for all the hardware on the computer since the device drivers are running from within the VHD. There are no special requirements for the BIOS of the computer: the VHD file is mounted by the Windows boot manager after the BIOS hands control of the computer to it, hence, the boot manager files must be installed on the host drive, but this is not the full OS.

The steps necessary to boot from VHD are too long to list here, but they involve using BCDEDIT.EXE to mark the VHD file as a bootable partition (Google on "windows 7 boot from vhd how to"). For mass deployment, obtain Microsoft's free Windows Automated Installation Kit (WAIK). Note that you cannot use hibernation with VHD boot.

Note that you can also create and/or mount a VHD file as a drive using either DISKPART.EXE or the Disk Management snap-in in Windows 7/2008-R2. In Windows 7, open the Computer Management console in Administrative Tools > Storage > right-click Disk Management > Create/Attach VHD.

You can also use BitLocker To Go to encrypt the interior contents of a VHD file: just mount the VHD, then right-click the new drive letter and select Encrypt With BitLocker. Note that you cannot boot from a VHD and also use BitLocker on the physical volume hosting the VHD file at the same time.
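The slide leaves the VHD-boot steps to a web search; the script below is an added example (not the talk's own procedure) that shows the two scriptable halves: creating an empty VHD with DISKPART, and adding a boot-manager entry with BCDEDIT for a VHD that already holds an installed Windows 7/2008-R2 image (applied separately, for instance with ImageX from WAIK). It assumes it runs elevated, that DISKPART accepts the script commands shown, and that BCDEDIT takes VHD locations in the documented "vhd=[C:]\path" form; the paths are placeholders.

```powershell
# Added example (not the talk's own steps): create an empty VHD with DISKPART, and add a
# boot-manager entry for a VHD that already contains an installed Windows 7/2008-R2 image.
# Assumptions: the script runs elevated, DISKPART accepts the "create vdisk" / "attach vdisk"
# script commands shown, and BCDEDIT takes VHD locations as "vhd=[C:]\path".
# Paths and the entry description are placeholders.

function New-EmptyVhd {
    param([string]$Path = 'C:\VHD\win7.vhd', [int]$MaximumMB = 30000)
    # DISKPART reads its commands from a script file; type=expandable creates a dynamic VHD.
    # The VHD stays attached with a drive letter so an image can be applied to it next.
    $script = @"
create vdisk file="$Path" maximum=$MaximumMB type=expandable
select vdisk file="$Path"
attach vdisk
create partition primary
format fs=ntfs quick label="VHDBOOT"
assign
"@
    $tmp = [IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $script -Encoding ASCII
    & diskpart.exe /s $tmp
    Remove-Item $tmp
}

function Add-VhdBootEntry {
    param([string]$Path = 'C:\VHD\win7.vhd', [string]$Description = 'Windows 7 (VHD boot)')
    # Clone the current boot entry, then point device and osdevice at the VHD file
    $out  = & bcdedit.exe /copy '{current}' /d $Description
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "bcdedit /copy did not return an entry GUID: $out" }
    $drive = [IO.Path]::GetPathRoot($Path).TrimEnd('\')   # e.g. C:
    $rel   = $Path.Substring($drive.Length)               # e.g. \VHD\win7.vhd
    & bcdedit.exe /set $guid device   "vhd=[$drive]$rel"
    & bcdedit.exe /set $guid osdevice "vhd=[$drive]$rel"
    & bcdedit.exe /set $guid detecthal on                 # re-detect the HAL on first boot
    $guid
}
```

Keep the two halves separate in practice: create and populate the VHD on a build machine, then add the boot entry only on the target host, where the VHD must live on a local non-removable volume that is not BitLocker-protected.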

Page 9

It's important to understand that BitLocker To Go is not intended to be used just by itself in isolation from other security policies. Virtually every type of interaction with removable drives can be regulated through various Group Policy settings. For example, you can deny write access to unencrypted drives, but allow read access; you can set the minimum length and complexity requirements for the passphrase used to secure access to BitLocker To Go drives; you can configure various recovery options for BitLocker drives of any type so that the data can always be recovered even if the passphrase/PIN is forgotten, the TPM chip is damaged or the user otherwise cannot access their keys.

The main BitLocker-related settings in a GPO are located under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.

You can find more GPO settings related to removable devices in general here: Computer Configuration > Policies > Administrative Templates > System > Device Installation.

To regulate users' read/write access to drives of various types, removable or not, open the GPO and go to User Configuration > Policies > Administrative Templates > System > Removable Storage Access.

Windows 7 and Server 2008-R2 also have built-in support for IEEE 1667 security for USB drives, and this too is Group Policy manageable.
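Both the BitLocker To Go slide and this policy slide come down to one operational question: which removable drives on a machine are actually protected, with which protectors, and does each have a recovery password that the GPO recovery options can back up? The script below is an added example (not from the talk) that answers it through the Win32_EncryptableVolume WMI class, which exists on Vista and later. The key-protector type codes in the table are assumptions taken from that class's documentation.

```powershell
# Added example (not from the talk): inventory removable drives and report BitLocker
# protection status, key protector types, and whether a recovery password exists.
# Uses Win32_EncryptableVolume (namespace root\CIMV2\Security\MicrosoftVolumeEncryption).
# Assumption: the KeyProtectorType codes below are as documented for that class.
$KeyProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey (startup/recovery key file)'
    3 = 'NumericalPassword (recovery password)'; 4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'
    6 = 'TPM+PIN+StartupKey'; 7 = 'PublicKey (certificate / smart card)'; 8 = 'Passphrase'
}

function Get-RemovableDriveBitLockerStatus {
    # DriveType 2 = removable disk in Win32_LogicalDisk
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID }
    foreach ($letter in $removable) {
        $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -Filter "DriveLetter = '$letter'"
        if (-not $vol) {
            New-Object PSObject -Property @{
                Drive = $letter; Protection = 'No BitLocker volume object'; Protectors = ''; HasRecoveryPassword = $false
            }
            continue
        }
        $status = switch ($vol.GetProtectionStatus().ProtectionStatus) { 0 { 'Off' } 1 { 'On' } 2 { 'Unknown/locked' } }
        $ids   = $vol.GetKeyProtectors(0).VolumeKeyProtectorID     # 0 = all protector types
        $types = @()
        foreach ($id in $ids) {
            $types += $KeyProtectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        New-Object PSObject -Property @{
            Drive               = $letter
            Protection          = $status
            Protectors          = ($types -join ', ')
            HasRecoveryPassword = ($types -contains $KeyProtectorNames[3])
        }
    }
}

Get-RemovableDriveBitLockerStatus | Format-Table Drive, Protection, HasRecoveryPassword, Protectors -AutoSize
```

A drive that shows Protection = On but HasRecoveryPassword = False is the case the recovery GPOs are meant to prevent: if the user forgets the passphrase or loses the smart card there is nothing to escrow in Active Directory.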

Page 10

With a Server 2008-R2 or later DirectAccess server, Windows 7 clients can use IPSec to tunnel IPv6 packets over the Internet in order to maintain continuous connectivity to corporate LAN servers and the rest of the Internet at the same time. To the end user, it doesn't matter if they are "inside" the corporate LAN or "outside" on the Internet since resources from either location will always be accessed in the same way.

The IPSec connection to the DirectAccess server is established even before the user logs on, assuming their computer is connected to the Internet, which allows single sign-on to Active Directory, Group Policy processing and Network Access Protection (NAP) enforcement. After logging on, the user does not have to initiate or manage any special DirectAccess connections or applications; it all just works in the background. The client will use IPv6-over-IPv4 tunneling, Teredo or IP-over-HTTPS as necessary in order to establish contact with the DirectAccess gateway.

In Server 2008-R2, the DirectAccess Management Console is installed as a Feature using Server Manager, but note that the server must be a domain member or domain controller first. This console is mainly a wizard for walking you through the configuration process. DirectAccess has many prerequisites which cannot be discussed here (for more information, see http://www.microsoft.com/directaccess/).

Though Microsoft goes to great pains to contrast DirectAccess with VPNs, DirectAccess is essentially the combination of an IPSec VPN with many other network security technologies to make it more secure and as transparent to the end user as possible. Much of this was available piecemeal in Vista/2008, but it wasn't packaged to simplify deployment.

Page 12

BranchCache is for peer-to-peer ("distributed") or central server ("hosted") cache acceleration of HTTP and SMB file requests, presumably at a branch office with slow WAN links to other offices. In distributed mode, clients use WS-Discovery (multicast UDP/3702 of SOAP messages) to locate each other and the desired file segments, then HTTP is used to download the file segments. In hosted mode, clients query a designated server over HTTPS for the desired file segments, then HTTP is used for file download.

Only Windows 7/2008-R2 are supported, but it's disabled by default. On IIS servers, install the "BranchCache" feature using Server Manager. On file servers, install the "BranchCache for Remote Files" role service using Server Manager when installing the File Services role, then use the "File and Storage Management" console in Administrative Tools to configure shared folders. Client configuration is done through Group Policy or NETSH.EXE commands. The use of BranchCache acceleration is transparent to users.

The downloaded files are encrypted using a "custom encryption scheme based on AES128" (??!) based on a random seed that can actually be set, exported or imported with NETSH.EXE. This same seed is also used (in HMAC fashion?) when BranchCache-enabled HTTP/SMB servers compute hash values for file segments. Timestamps and hashes are used together to identify the correct and most recent file segments.

For more information, download the BranchCache Early Adopters Guide from Microsoft.
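For the NETSH side of client configuration, the wrapper below is an added example (not from the talk or the Early Adopters Guide) that switches a Windows 7 client between the two modes the slide describes and then reads the service status back so the change can be verified from a script. It assumes the "netsh branchcache set service mode=..." and "netsh branchcache show status all" syntax as documented for Windows 7; the hosted cache server name is a placeholder, and the status parser simply splits each output line at its first ":" or "=".

```powershell
# Added example (not from the talk): configure a Windows 7 BranchCache client with
# NETSH and read the resulting status. Assumptions: the netsh branchcache syntax shown
# is as documented for Windows 7; HostedCacheServer is a placeholder.

function Set-BranchCacheMode {
    param(
        [ValidateSet('distributed', 'hostedclient', 'disabled')][string]$Mode,
        [string]$HostedCacheServer   # FQDN of the hosted cache server (hostedclient mode only)
    )
    switch ($Mode) {
        'distributed'  { & netsh.exe branchcache set service mode=distributed }
        'hostedclient' {
            if (-not $HostedCacheServer) { throw 'hostedclient mode requires -HostedCacheServer' }
            & netsh.exe branchcache set service mode=hostedclient location=$HostedCacheServer
        }
        'disabled'     { & netsh.exe branchcache set service mode=disabled }
    }
}

function Get-BranchCacheStatus {
    # Turn "netsh branchcache show status all" into a name/value table for scripting
    $result = @{}
    foreach ($line in (& netsh.exe branchcache show status all)) {
        if ($line -match '^\s*([^:=]+?)\s*[:=]\s*(.+?)\s*$') { $result[$matches[1]] = $matches[2] }
    }
    $result
}

# Example: distributed mode in a branch without a hosted cache server, then verify
Set-BranchCacheMode -Mode distributed
Get-BranchCacheStatus
```

Distributed mode also depends on the WS-Discovery (UDP/3702) and HTTP content-retrieval firewall rules being enabled on the clients, which is one reason to push the same settings through Group Policy rather than per-machine NETSH.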

Page 13

Windows Server 2008-R2 and later support Domain Name System Security Extensions (DNSSEC) as specified in RFC 4033, 4034 and 4035. DNSSEC allows authentication and integrity verification of DNS response data in order to combat spoofing and man-in-the-middle attacks against DNS traffic. This is accomplished, in part, by signing zone data (RSA public key encryption of SHA-1 hashes, using 512- to 4096-bit RSA keys) using the DNSCMD.EXE command-line tool.

Keep in mind, though, that DNSSEC and dynamic updates are incompatible.

Only Windows 7, Server 2008-R2 and later are DNSSEC-aware. Windows 2000/XP/2003/Vista/2008 systems ignore DNSSEC-related options.

Even when a Windows DNS client (i.e., a stub resolver, not a DNS server) is DNSSEC compatible, like Windows 7, the client does not itself validate any DNSSEC records or responses. DNS clients simply rely upon a flag being set in the response from the DNS server to indicate that the information was validated by the DNS server. To authenticate the DNS server and its responses, clients must use IPSec.

DNSSEC will most likely be deployed only on your public DNS servers which host the DNS records of your Internet-exposed servers and which handle forwarded queries from your internal DNS servers.

If you would like more information about DNSSEC, please download Microsoft's how-to whitepaper: Domain Name System Security Extensions (best to Google for it, the URL may have changed).
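The "flag being set in the response" is the AD (Authenticated Data) bit in the DNS message header (RFC 4035). The parser below is an added example (not from the talk) that decodes a DNS header and shows where that bit sits, using two constructed sample responses rather than captured traffic: one with AD set, one without. The point it makes is the slide's own: a stub resolver that trusts this bit is trusting whoever put the packet on the wire, which is why the server path has to be authenticated with IPsec.

```powershell
# Added example (not from the talk): decode a DNS message header and report the AD
# (Authenticated Data) flag that a validating DNS server sets and that a Windows 7
# stub resolver accepts without doing any validation itself.
# The two packets below are constructed samples (header plus counts only), not captures.

function Read-DnsHeader {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 12) { throw 'A DNS header is 12 bytes' }
    $flags = [int]$Packet[2] * 256 + [int]$Packet[3]
    New-Object PSObject -Property @{
        Id      = [int]$Packet[0] * 256 + [int]$Packet[1]
        QR      = [bool]($flags -band 0x8000)              # 1 = response
        Opcode  = [int][math]::Floor($flags / 2048) -band 0xF
        AA      = [bool]($flags -band 0x0400)              # authoritative answer
        TC      = [bool]($flags -band 0x0200)              # truncated
        RD      = [bool]($flags -band 0x0100)              # recursion desired
        RA      = [bool]($flags -band 0x0080)              # recursion available
        AD      = [bool]($flags -band 0x0020)              # Authenticated Data (RFC 4035)
        CD      = [bool]($flags -band 0x0010)              # Checking Disabled
        Rcode   = $flags -band 0xF
        QdCount = [int]$Packet[4] * 256 + [int]$Packet[5]
        AnCount = [int]$Packet[6] * 256 + [int]$Packet[7]
    }
}

# Constructed samples: ID 0x1234, one question, one answer.
# Flags 0x81A0 = QR, RD, RA, AD set (validated by the server); 0x8180 = QR, RD, RA only.
$validated   = [byte[]](0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 1, 0, 0, 0, 0)
$unvalidated = [byte[]](0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0)

foreach ($pkt in $validated, $unvalidated) {
    $h = Read-DnsHeader $pkt
    'ID 0x{0:X4}: QR={1} RA={2} AD={3} CD={4} RCODE={5}' -f $h.Id, $h.QR, $h.RA, $h.AD, $h.CD, $h.Rcode
}
```

Nothing in the header proves who set the AD bit; a forged response can carry it just as easily as a genuine one. The client-side defence the slide names, an IPsec-authenticated path to the validating server, is what gives the bit any meaning.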

Page 14

One of the best free releases from Microsoft in the past few years has been the PowerShell scripting language and interpretive command shell. PowerShell is the future of Windows scripting and replaces the old piece-o-junk CMD.EXE shell (don't worry, the CMD.EXE shell will still be included in Windows for many years for backwards compatibility).

PowerShell 1.0 is available for Windows XP/2003/Vista and is built into Server 2008. PowerShell 2.0 is built into Windows 7/2008-R2 and later by default.

PowerShell 2.0 includes important new enhancements, such as WS-Management remoting, which allows execution of PowerShell commands and scripts on remote systems without using telnet, ssh or Remote Desktop Protocol. Version 2.0 includes over 100 new cmdlets for managing Active Directory, Group Policy Objects, and many other things. Just as with bash on Linux, PowerShell 2.0 can launch background jobs, including jobs on multiple remote systems. A graphical editor and debugger is also included now, but it's still not as good as, for example, Sapien's PrimalCode or some other IDEs for PowerShell.

For more information, see http://www.microsoft.com/powershell/. PowerShell training is also a part of the SANS Securing Windows track (SEC505) and as a standalone course (SEC533). Get the instructor's scripts from http://blogs.sans.org/windows-security/.

Page 15

The IE SmartScreen Filter (previously known as the "Phishing Filter") compares each visited URL against a list of known-bad URLs maintained by Microsoft and is accessed via a web service. Bad sites include both known phishing sites and malware download URLs. SmartScreen also looks for phishy pheatures in web pages (what these characteristics are exactly is not well known) and is integrated into the IE9 Download Manager. Similarly, the Cross Site Scripting (XSS) Filter also examines the flow of data back-and-forth between browser and web server(s) to detect and thwart XSS attacks.

SmartScreen in IE8/IE9 can check each site automatically or can be invoked manually by the user by pulling down the Safety menu > SmartScreen Filter > Check This Website. Known-good or known-bad sites can be submitted to Microsoft for review and inclusion/exclusion from the list. You can suggest to Microsoft that they review a website for phishiness by pulling down the Safety menu > SmartScreen Filter > Report Unsafe Website.

IE8/IE9 also includes the InPrivate Filter, which is for maintaining privacy against attempts to track users across multiple sites. To manage InPrivate options, pull down the Safety menu > InPrivate Filtering Settings.

An architectural change is that each tab in IE8/IE9 corresponds to a separate IEXPLORE.EXE process, hence, if one tab locks up, it hopefully only affects that one process and does not cause other tabs or the browser as a whole to lock up. Each tab/process can also run at a different Protected Mode level for each zone (Tools menu > Internet Options > Security tab > (un)check the Protected Mode box for each zone as desired). You can see the Protected Mode state in the status bar for the current tab.

The most noticeable change in IE9 is GPU-assisted hardware acceleration and faster script execution. Much faster than in IE8! Time will tell how it stacks up against Firefox and Chrome…
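The per-zone Protected Mode checkbox and the SmartScreen on/off state both land in the current user's registry, which makes them easy to audit across a fleet. The script below is an added example (not the talk's own code) that reads them back. Its assumptions: in the Internet Settings zone keys, value 2500 is "Turn on Protected Mode" with 0 = enabled and 3 = disabled; zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites; and SmartScreen stores its state in PhishingFilter\EnabledV8 (IE8) or EnabledV9 (IE9) with 1 = on.

```powershell
# Added example (not from the talk): audit per-zone Protected Mode and the SmartScreen
# Filter state for the current user. Assumptions: value 2500 under each zone key is
# "Turn on Protected Mode" (0 = on, 3 = off); zones 1-4 are Intranet, Trusted, Internet,
# Restricted; SmartScreen stores 1 = on in PhishingFilter\EnabledV8 (IE8) / EnabledV9 (IE9).
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeProtectedModeState {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($z in 1..4) {
        $key = Get-ItemProperty -Path "$base\$z" -ErrorAction SilentlyContinue
        $raw = $null
        if ($key -and $key.PSObject.Properties['2500']) { $raw = [int]$key.'2500' }
        $state = if ($raw -eq $null) { 'Not set (zone default)' }
                 elseif ($raw -eq 0) { 'On' }
                 elseif ($raw -eq 3) { 'Off' }
                 else                { "Unknown ($raw)" }
        New-Object PSObject -Property @{ Zone = $ZoneNames[$z]; ProtectedMode = $state }
    }
}

function Get-IeSmartScreenState {
    $pf = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' -ErrorAction SilentlyContinue
    $v = $null
    foreach ($name in 'EnabledV9', 'EnabledV8') {          # prefer the IE9 value when both exist
        if ($pf -and $pf.PSObject.Properties[$name]) { $v = [int]$pf.$name; break }
    }
    if ($v -eq $null) { 'Not configured (user has not been asked yet)' }
    elseif ($v -eq 1) { 'On' } else { 'Off' }
}

Get-IeProtectedModeState | Format-Table Zone, ProtectedMode -AutoSize
'SmartScreen Filter: ' + (Get-IeSmartScreenState)
```

When these settings are enforced by Group Policy the effective value lives under the Policies hive instead, so a fleet audit should check the policy location first and fall back to the user keys shown here.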

Page 16

NTLMv1 and NTLMv2 authentication is slower, less scalable and less secure than Kerberos authentication. And while NTLM is faster than certificate-based authentication, the latter is much more secure, especially when combined with smart cards and HSMs. So, just as we are slowly giving up NetBIOS, WINS and LanManager, so in the long run we'll want to migrate away from NTLM in favor of Kerberos and certificate-based authentication too.

Starting with Windows 7 and Server 2008-R2, you can 1) audit which systems are using NTLM, 2) block inbound and/or outbound NTLM authentication, and 3) allow the inevitable exceptions which still require NTLM while you are in the 12-month process of eliminating it.

Exceptions to allow NTLM are defined by the NetBIOS name and/or fully-qualified domain name (FQDN) of the permitted systems. A wildcard ("*") may be used at the beginning or end of each name in the list of permitted exceptions.

You can find the options to audit and restrict NTLM in a GPO here: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Look for the options that begin with "Network Security: Restrict NTLM".

For more information, see: http://blogs.technet.com/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
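The audit step above produces events on every audited machine, and the PowerShell 2.0 remoting described two slides earlier is the natural way to collect them. The script below is an added example (not the talk's own code) serving both slides: it uses Invoke-Command as a background job to pull the NTLM audit events from several servers in parallel and summarizes which systems still authenticate with NTLM. It assumes PowerShell remoting is enabled on the targets (Enable-PSRemoting), that the "Network Security: Restrict NTLM: Audit ..." policies are on so the Microsoft-Windows-NTLM/Operational channel is populated, and that event IDs 8001 (outgoing NTLM), 8002 (incoming NTLM), 8003 (NTLM at a domain controller) and 8004 (NTLM blocked at a domain controller) carry the meanings documented for Windows 7/2008-R2. The server names are placeholders.

```powershell
# Added example (not from the talk): collect NTLM audit events from several servers with
# PowerShell 2.0 remoting (Invoke-Command -AsJob) and summarize who still uses NTLM.
# Assumptions: remoting is enabled on the targets, the Restrict NTLM audit policies are on,
# and the Microsoft-Windows-NTLM/Operational event IDs mean: 8001 outgoing NTLM,
# 8002 incoming NTLM, 8003 NTLM at a DC, 8004 NTLM blocked at a DC. Names are placeholders.
$Servers = 'server01', 'server02', 'dc01'

function Get-NtlmAuditSummary {
    param([string[]]$ComputerName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # One background job fans the query out to every server at once
    $job = Invoke-Command -ComputerName $ComputerName -AsJob -ArgumentList $since -ScriptBlock {
        param($since)
        $kinds = @{ 8001 = 'Outgoing NTLM'; 8002 = 'Incoming NTLM'; 8003 = 'NTLM at DC'; 8004 = 'NTLM blocked at DC' }
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                EventId = $_.Id
                Kind    = $kinds[[int]$_.Id]
                Detail  = ($_.Message -split "`n")[0]   # first message line names the peer/user
                Time    = $_.TimeCreated
            }
        }
    }
    Wait-Job $job | Out-Null

    # Receive-Job adds PSComputerName to each object, so the summary is per server and kind
    Receive-Job $job |
        Group-Object PSComputerName, Kind |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Server / Kind'; e = { $_.Name } }
}

Get-NtlmAuditSummary -ComputerName $Servers | Format-Table -AutoSize
```

Run this for the whole audit period before switching the policies to block: the Detail field of the 8001/8002 events is where the exception list for "Network Security: Restrict NTLM: Add remote server exceptions" comes from.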

Page 17

If you are migrating from IIS 6.0 on Server 2003 to IIS 7.5 on Server 2008-R2, you're in for a bit of a (good) shock. The metabase is gone, the management GUI has changed drastically, the architecture of the product is now extremely modular (right down to which DLLs are loaded into worker processes) and some very nice security enhancements have been added too.

For example, when hosting many sites on behalf of other groups, it was difficult in the past to allow secure over-the-Internet remote administration. You don't have to grant RDP access anymore. Over an SSL channel remote webmasters can use the IIS Manager console just like they would locally, and you can precisely define which configuration settings can be seen or edited in each site.

WebDAV allows users to map drive letters over HTTPS to folders on the IIS server, and if these folders have been mapped to the UNC paths of shared folders inside the LAN (such as to a user's home share), then users can always get authenticated and encrypted access to their files. Through NTFS permissions, share permissions and WebDAV authorization rules, you can precisely define who can access what.

The URL Rewrite module (similar to Apache's mod_rewrite) can examine incoming HTTP requests, search them for matches to one or more boolean-connected regular expression patterns, then allow or deny the request. In short, URL Rewrite can be used as a web application-layer firewall (similar to, but better than, URLSCAN). The URL Rewrite module can also perform on-the-fly search and replace within request bodies or server responses.

And FTP gets a second lease on life with support for SSL encryption. Just like with WebDAV, an SSL-encrypted FTP folder can be mapped to the UNC path of an internal shared folder. Rather humorously, though, Windows 7 does not include an FTPS client, so you'll have to get something like FileZilla in the meantime (filezilla-project.org).
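To make the "application-layer firewall" use of URL Rewrite concrete, the block below is an added example (not from the talk or from Microsoft) of a web.config rule set that aborts requests matching a few request-layer patterns, held in a PowerShell here-string so it can be written to a site, plus a function that applies the same regular expressions offline so a pattern change can be tested against sample URLs before it reaches a live site. The fragment uses the URL Rewrite module's documented schema (rule, match, conditions with logicalGrouping, action type="AbortRequest"); the patterns are constructed samples, not a complete or recommended blocklist.

```powershell
# Added example (not from the talk): a URL Rewrite rule set that aborts requests whose URI
# or query string matches any of a few patterns, and an offline tester for the same regexes.
# Assumption: the web.config fragment follows the URL Rewrite module's documented schema.
# The patterns are constructed samples for illustration, not a complete blocklist.
$RewriteRules = @"
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Abort suspicious requests" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAny">
            <add input="{REQUEST_URI}"  pattern="\.\./" />
            <add input="{REQUEST_URI}"  pattern="%2e%2e%2f" ignoreCase="true" />
            <add input="{QUERY_STRING}" pattern="(<|%3c)script" ignoreCase="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"@

# The same three conditions, so a change can be exercised here before deployment.
# PowerShell's -match is case-insensitive by default, matching ignoreCase="true" above.
$Patterns = @('\.\./', '%2e%2e%2f', '(<|%3c)script')

function Test-RequestBlocked {
    param([string]$RequestUri)
    foreach ($p in $Patterns) { if ($RequestUri -match $p) { return $true } }
    return $false
}

function Save-RewriteRules {
    # Writes the fragment as a new web.config; merge by hand if the site already has one
    param([string]$SiteRoot = 'C:\inetpub\wwwroot')
    Set-Content -Path (Join-Path $SiteRoot 'web.config') -Value $RewriteRules -Encoding UTF8
}

# Constructed sample requests: the first two should be aborted, the last allowed
foreach ($u in '/images/../../web.config', '/search?q=%3Cscript%3E', '/index.aspx?q=hello') {
    '{0,-32} blocked={1}' -f $u, (Test-RequestBlocked $u)
}
```

Test against the AbortRequest action on a staging site first: unlike a CustomResponse with a status code, AbortRequest drops the connection without a reply, which is deliberate for a firewall-style rule but confusing when a legitimate URL happens to match.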

Page 18

So little time, so many things to talk about…

PKU2U certificate-based authentication (and its SSP for SSPI): http://technet.microsoft.com/en-us/library/dd560634(WS.10).aspx

BitLocker Recovery Agent Certificate (similar to how EFS does it): http://technet.microsoft.com/en-us/library/dd630628(WS.10).aspx

Restricting NTLM Authentication Through Group Policy: http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx

Managed Service Accounts (using PowerShell): http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx

Enhanced Storage Access (IEEE 1667 security for USB drives): http://technet.microsoft.com/en-us/library/dd560657(WS.10).aspx

EFS Now Supports Elliptic Curve Cryptography (ECC) Public Keys: http://technet.microsoft.com/en-us/library/dd630631(WS.10).aspx

Authentication Mechanism Assurance (modify groups in SAT based on authentication type): http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx

Active Directory Recycle Bin (to undelete accidental deletions): http://technet.microsoft.com/en-us/library/dd391916(WS.10).aspx

And an improved Resource Monitor (launch from within Task Manager), but it's still not as good as Process Explorer.

Page 19

At this point, there is very little solid information about the version of desktop Windows to follow Windows 7. This next version is often called "Windows 8", but that is unlikely to be the name under which it ships.

One thing we know for sure, Steve Ballmer says Windows 8 will run on ARM hardware, including system-on-a-chip (SoC) platforms. This is clearly aimed at tablet/slate computers, but also low-power special-purpose computers, such as in cars, handheld devices, household appliances, entertainment consoles, etc. This also continues a trend in which Windows is becoming less monolithic and more modular or layered in its architecture; it's the payoff from projects like "MinWin", the "Vista reset" which teased out and simplified the dependency layers in the OS, Server Core, Windows Embedded, and so on.

We can also reasonably expect more cloud-integration features, especially with HotMail, SkyDrive, Live Mesh, Xbox and Windows Phone. This might go as far as something like roaming user profiles and data, but hosted on Internet-accessible servers, and may include roaming applications which are streamed to one's various computers as needed.

There will certainly be more optimization for solid state drive (SSD) technologies, USB 3.0 and probably Light Peak.

Page 20

When laptops come with hypervisors (tablets too?), Windows 8 may be designed to run primarily as a VM (Windows 7 can already boot and run from a VHD file), with the ability to switch to different concurrent VMs for different applications, or perhaps a "revert to factory default" option will restore the default VM while keeping the user's data and applications.

Just as Server 2008 was the last 32-bit server OS, so Windows 8 might be the first client OS to only come in a 64-bit flavor (except for ARM).

There is a rumor of an alternative desktop for tablets which has the look-and-feel of Windows Media Center or Windows Phone.

There is a rumor of Kinect integration features, similar to the GUI interface from the movie Minority Report, which would probably work best (or work only) with a desktop patterned after Windows Media Center or the tiles on Windows Phone.

Also rumored: a slimmed-down version of the .NET Framework (codenamed "Redhawk") optimized for low-power, multi-core devices. It may also represent a taste of a new OS or subsystem, similar to the "Midori" project.

Page 21

Thank You for attending!

For more information about Windows 7 and Server 2008-R2, begin at the following URLs or simply go to Google and add "site:microsoft.com" to your keywords:

http://www.microsoft.com/windows7/
http://www.microsoft.com/windowsserver2008/
http://www.microsoft.com/directaccess/
http://technet.microsoft.com

For the SANS Windows Security blog, please visit: http://blogs.sans.org/windows-security/