Application Compatibility Versus Security

Apr 07, 2018

RafCox
Transcript
  • 8/3/2019 Application Compatibility Versus Security

1/31

Application Compatibility versus Security / Application Compatibility AND Security

Raphael (Raf) Cox

Senior Security Consultant, CISSP
Microsoft Consulting Services - BeLux

2/31

Objectives

Understand what AppCompat technologies/solutions are available for Windows and how they work

Understand what hardening tools are available

Understand the impact of increasing security on Application Compatibility

3/31

Intro

App-compat and Security: it's a challenge

Examples:

"Don't apply the security baseline: it will break everything"

"We just need to disable a couple of settings to get it working"

"It's fixed: the app runs when the user is an admin"

Increasing the security baseline: need to test

Migration to a new OS: need to test all apps

So, why not increase security at the same time as rolling out the new OS?

4/31

The Application Compatibility process

5/31

Rationalization Planning: A Simple Three-Phase Approach

Inventory: What do we have?

Rationalize: What do we need?

TeM: How do …

6/31

Supporting Decisions from Budgeting Through Deployment

Decisions Made Now Drive the End-to-End Project

7/31

… Reduced with a Strong Up-Front Triage Process

List of commercial off-the-shelf software analyzed: over 20,000 applications

Reviewing the list, there appeared an opportunity to reduce:

Multiple versions of the same application

Driver support applications

Redundant applications

Investigated ~1,000 applications, one hour time limit

Removed applications based on knowledge

Significant cost savings: … applications discovered … removed … pass review

Security: fewer apps, less p… required, fewer vulnerabilities

(Diagram: Discovered Applications → Prioritize → Categorize → Rationalize → Standardize → Application inventory with assigned priority)

8/31

Fixing the bad apps

3rd party applications:

Get the latest version from the vendor

Get an official support statement from the vendor

Check alternatives

In-house developed applications:

Have them fixed by the development team

Designed for Windows 7 Logo guides (http://msdn.microsoft.com/en-us/windows/dd203105.aspx)

Some apps can not be properly fixed for various reasons: have to find secure work-arounds
9/31

AppCompat versus Security

10/31

User as admin

On XP: perfect for AppCompat, a security nightmare!

On Windows 7: some legacy apps still break

Default security is more strict

Memory access management is more strict

OS version changed

Default folders changed

Some APIs changed

11/31

Windows 7 XP-Mode

Why not have both? XP-Mode!

VM with Windows XP SP3

Seamless apps on the Win7 desktop

USB redirection supported

Security???

Twice the number of systems to maintain

High risk that the virtual XP is not up to date with patches, signatures, etc.

IE6 to be used in the virtual XP? Limit its use!

Risk: users can now install their own VMs (with …)

12/31

MED-V: the better Virtual XP? Manageability? Use MED-V!

MED-V is part of MDOP

Extra management capabilities

Security of MED-V:

The MED-V workspace will wake up the VM regularly to install updates

IE (by default) is configured to prevent browsing to other sites

IE Internet Security Zone: highest level

Still relies on Virtual PC: users can create VMs!

13/31

LUA enforced

LUA = Least-Privilege User Accounts (user no longer admin on the workstation)

Users can not install programs (and also can not change system configuration, etc.)

On XP, a user can e.g. not change his time zone (solved in W7)

Breaks several legacy apps on XP

Apps want to write data or temporary files to e.g. c:\program files or the HKLM registry

Auto-updaters are a security nightmare

14/31

The problem: LUA bugs

A LUA bug is:

An application or feature that works with administrator (admin) privileges, and

Fails as a normal (LUA) user, and

Has no technical or business need for admin privileges

LUA bugs are often the #1 cause of app problems.

Some LUA bugs can be fixed using SHIMS

15/31

The Solution(s)?

Standard User Analyzer

16/31

Standard User Analyzer

Based on AppVerifier LUAPriv

Predicts whether API calls fail for standard users

Predictive mode (elevated)

Diagnostic mode (non-elevated)

Offers mitigations for selected issues using SHIMS

Security? SHIMS are executed in the user context (no extra privileges can be granted through a shim)

Some fixes (e.g. the OpenDirectoryACL fix) can change ACLs on a directory during installation (elevated context)
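The ACL-changing fix mentioned above is the classic LUA-bug work-around: a directory under Program Files or a key under HKLM is opened up so that a standard user can write there. Once that is done, any user on the machine can alter code or settings that an administrator or a service later trusts, so such locations need to be found and reviewed. The following PowerShell is an added example (not part of the deck, not a Microsoft tool) that audits a machine for this kind of loosened ACL; the roots scanned, the set of principals treated as "every standard user" and the rights masks are the example's own choices, and `HKLM:\SOFTWARE\ExampleVendor` in the usage line is a placeholder.

```powershell
# Added example, not from the deck: find directories and HKLM keys where a
# broad principal (i.e. every standard user) was granted write-type rights,
# the typical residue of "fixing" a LUA bug by loosening an ACL.
# Requires PowerShell 3.0 or later; run elevated so every ACL can be read.

# Principals that include every standard user (example's own list).
$script:BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user change program code, data or the ACL itself.
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as raw bits
# on some inherited ACEs, so they are OR-ed into both masks.
$script:FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteDacl, WriteOwner' -bor 0x10000000 -bor 0x40000000
$script:RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Test-BroadWriteAce {
    # True when an Allow ACE gives a broad principal at least one masked right.
    param($Ace, [int]$Rights, [int]$Mask)
    ($Ace.AccessControlType -eq 'Allow') -and
    ($script:BroadPrincipals -contains $Ace.IdentityReference.Value) -and
    (($Rights -band $Mask) -ne 0)
}

function Find-WeakDirectoryAcl {
    # Walks the given roots (default: both Program Files trees) and reports
    # every directory ACE that lets standard users write.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                if (-not $acl) { return }
                foreach ($ace in $acl.Access) {
                    if (Test-BroadWriteAce $ace ([int]$ace.FileSystemRights) $script:FsWriteMask) {
                        [pscustomobject]@{
                            Path      = $_.FullName
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                            Inherited = $ace.IsInherited
                        }
                    }
                }
            }
    }
}

function Find-WeakRegistryAcl {
    # Same check for registry keys; HKLM:\SOFTWARE as a whole is large, so
    # point -Root at the vendor key you are reviewing.
    param([string]$Root = 'HKLM:\SOFTWARE')
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if (Test-BroadWriteAce $ace ([int]$ace.RegistryRights) $script:RegWriteMask) {
                    [pscustomobject]@{
                        Path      = $_.Name
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Usage:
#   Find-WeakDirectoryAcl | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
#   Find-WeakRegistryAcl -Root 'HKLM:\SOFTWARE\ExampleVendor' | Format-Table -AutoSize   # placeholder key
```

Filtering on `Inherited -eq $false` is the quickest way to see the ACEs that an installer or an AppCompat fix added explicitly, as opposed to rights inherited from the parent. Windows itself ships a few keys and folders that legitimately grant Users write access, so treat the output as a review list: the findings that matter are application directories containing executables or DLLs, because a standard user who can replace those gets the privileges of whoever runs them next.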

17/31

SUA API Coverage

File system access

Registry access

INI WriteProfile

Token checking

Privilege

Namespace

Other securable objects

Process creation

18/31

SUA Architecture

(Diagram: Application, Windows, AppVerifier, Logs, LuaPriv)

19/31

SUA demo

20/31

Security hardening (the soft way)

"But that will break everything": changing security hardening requires extra testing

Difficult to change in a production environment

Build security into the system from day 1

Create hardening policies before deploying a new OS

Ensure that AppCompat testing includes the hardening policies

Relaxed security hardening on W7 = enforce secure defaults, low risk on AppCompat

21/31

Security Compliance Manager

Automatic security baseline updates

Centralized baseline library: unified experience from security baseline deployment to compliance checking

Baseline customization, exporting & management

Monitor and report security baseline compliance with System Center DCM

22/31

Security Compliance Manager

(Diagram: MS Baselines, Best Practices and Settings are imported into MS Security Compliance Manager, where baselines are customized; SCM then creates a DCM Pack for import into System Center Config Manager, SCAP content for import into a SCAP scanner, and a GPO Backup for import into Active Directory)


24/31

Security Compliance Manager demo

25/31

Security hardening (the strict way)

Use SCM!

Start strict, relax later

Attention points:

Privileges: might break apps that use local services (e.g. SQL Express)

Network security: be aware of 3rd party SMB servers (e.g. SAMBA) or LDAP clients (e.g. VPN devices)

AppLocker is a great functionality to block drive-by downloads and other malware

26/31

Security hardening

Top 7 settings that have impact on AppCompat (SSLF = the Specialized Security - Limited Functionality baseline):

Log on as a service (set to "no one" in the W7 settings!)

Do not process legacy run key (enabled in SSLF)

Enable the computer to stop generating 8.3 style filenames (enabled in SSLF)

Use FIPS compliant algorithms for encryption, signing (enabled in SSLF)

Enable Admin Shares (set to not defined in SSLF)

DCOM Permissions (set to not defined in SSLF)

CD-ROM access to locally logged-on user only
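Before an AppCompat test run it helps to know which of these seven settings a machine actually has in effect. The following PowerShell is an added example, not from the deck or from SCM: it reads the registry values that the corresponding Group Policy settings write to, exports the local security policy with `secedit.exe` to read the "Log on as a service" user right, and prints one row per setting together with a short note on why the setting breaks applications. The registry locations are the standard ones for these policies; the impact notes are the example's own summary. Run it elevated, because the `secedit` export needs administrative rights.

```powershell
# Added example, not from the deck: report the local state of the seven
# AppCompat-sensitive hardening settings and what each one typically breaks.

function Get-PolicyValue {
    # Returns the registry value, or $null when the key/value does not exist
    # (which for a policy means "not defined").
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-ServiceLogonRightHolders {
    # Exports the local user-rights assignment and returns the principals that
    # hold SeServiceLogonRight (secedit lists them as *SID or as names).
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }        # no line at all: assigned to no one
        @(($line -replace '^SeServiceLogonRight\s*=', '') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    finally { Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue }
}

function New-SettingRow {
    param([string]$Setting, $Value, [string]$Impact)
    [pscustomobject]@{
        Setting = $Setting
        Value   = $(if ($null -eq $Value) { 'not defined' } else { $Value })
        Impact  = $Impact
    }
}

function Get-AppCompatHardeningState {
    $dcom = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $svc  = @(Get-ServiceLogonRightHolders)

    New-SettingRow 'Log on as a service' $(if ($svc.Count) { $svc -join ', ' } else { 'no one' }) `
        'services configured to run under a dedicated account (e.g. SQL Express) cannot start'
    New-SettingRow 'Do not process legacy run key (1 = enabled)' `
        (Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'DisableLocalMachineRun') `
        'programs registered under HKLM\...\CurrentVersion\Run no longer start at logon'
    New-SettingRow 'NtfsDisable8dot3NameCreation (1 = 8.3 names off on all volumes)' `
        (Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation') `
        'apps or installers that rely on short names (PROGRA~1) fail for newly created files'
    New-SettingRow 'FIPS algorithm policy (1 = enabled)' `
        (Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled') `
        '.NET apps throw on non-FIPS-validated algorithm classes; TLS/RDP limited to FIPS cipher suites'
    New-SettingRow 'AutoShareWks (0 = admin shares disabled)' `
        (Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareWks') `
        'remote management and deployment tools that copy to C$ or ADMIN$ fail'
    New-SettingRow 'DCOM MachineAccessRestriction / MachineLaunchRestriction (SDDL)' `
        ((Get-PolicyValue $dcom 'MachineAccessRestriction'), (Get-PolicyValue $dcom 'MachineLaunchRestriction') -join ' | ') `
        'remote DCOM access/activation denied for principals missing from the SDDL'
    New-SettingRow 'AllocateCDRoms ("1" = interactive user only)' `
        (Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AllocateCDRoms') `
        'services and remote sessions cannot read optical media'
}

# Usage (elevated):  Get-AppCompatHardeningState | Format-Table -Wrap -AutoSize
```

Reading the values directly, rather than the GPO, shows the effective state after local overrides and after any "we just disabled a couple of settings" interventions, which is exactly the drift a baseline rollout has to detect. The DCOM row joins the two SDDL strings with a pipe; an empty string on either side means the corresponding restriction is not defined.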

27/31

Advanced hardening

Use advanced tools to mitigate exploit techniques

EMET = Enhanced Mitigation Experience Toolkit: adds an additional protection layer against 0-day exploits

Relies on built-in security features: DEP, ASLR

Extends these features, e.g. by making them mandatory (e.g. Mandatory ASLR)

Adds other techniques such as EAF (Export Address Table Access Filtering)

Blocks typical behavior of shellcode (exploit code)

28/31

What are exploit mitigations?

(Diagram: a software vulnerability lets an attacker reach arbitrary code execution through an exploit; a software update removes the vulnerability, an exploit mitigation breaks the exploit)

Objective: make it impossible or very costly to exploit vulnerabilities

Approach: break or reduce the reliability of exploitation
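The built-in DEP and ASLR that EMET builds on (slide 27) are opt-in per image: the linker records the choice in the `DllCharacteristics` field of the PE optional header (`NX_COMPAT` 0x0100 for DEP, `DYNAMIC_BASE` 0x0040 for ASLR). Images that lack those flags are the ones EMET's "mandatory" settings force into the mitigation anyway, and they are also the ones most likely to show AppCompat problems under it, so listing them is a useful first step before a pilot. The following PowerShell is an added example, not from the deck and not an EMET component: it parses the PE header directly and reports the mitigation-related flags of an executable or DLL. Only the header layout documented in the PE format is assumed; the usage line scans Program Files as an example path.

```powershell
# Added example, not from the deck: report which exploit-mitigation opt-ins an
# image was linked with, by reading DllCharacteristics from the PE header.

function Get-ImageMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: "MZ" magic, e_lfanew (offset of the PE signature) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "${Path}: not an MZ image"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need signature (4) + file header (20) + at least 72 bytes of optional header.
    if ($peOffset -lt 0 -or $peOffset + 24 + 72 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "${Path}: no PE signature"
    }

    # Optional header follows the 20-byte file header; DllCharacteristics sits
    # at offset 70 in both the PE32 (0x10B) and PE32+ (0x20B) layouts.
    $optHeader = $peOffset + 24
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)
    $format = if ($magic -eq 0x10B) { 'PE32' } elseif ($magic -eq 0x20B) { 'PE32+' } else { 'unknown' }

    [pscustomobject]@{
        Path           = $Path
        Format         = $format
        NxCompat       = [bool]($dllChars -band 0x0100)   # DEP opt-in
        DynamicBase    = [bool]($dllChars -band 0x0040)   # ASLR opt-in
        HighEntropyVA  = [bool]($dllChars -band 0x0020)   # 64-bit ASLR entropy (PE32+ only)
        ForceIntegrity = [bool]($dllChars -band 0x0080)   # signature enforced at load
        NoSeh          = [bool]($dllChars -band 0x0400)   # image uses no SEH
        ControlFlowGuard = [bool]($dllChars -band 0x4000)
        DllCharacteristics = ('0x{0:X4}' -f $dllChars)
    }
}

# Usage: list images under Program Files that do not opt in to both DEP and ASLR.
#   Get-ChildItem $env:ProgramFiles -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
#     ForEach-Object { try { Get-ImageMitigationFlags $_.FullName } catch { } } |
#     Where-Object { -not ($_.NxCompat -and $_.DynamicBase) } | Format-Table -AutoSize
```

A process is only as randomized as its weakest module: one non-`DYNAMIC_BASE` DLL loaded at a fixed address gives an exploit a stable set of gadgets, which is why EMET's Mandatory ASLR relocates such modules regardless of the flag. The same report therefore doubles as the list of modules to watch when a pilot machine starts logging EMET mitigations for an application.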

29/31

EMET Demo

30/31

References

Unintended Consequences of Security Lockdowns, Aaron Margosis, TechEd 2011: http://media.ch9.ms/teched/na/2011/ppt/SIM304.pptx

The AppCompat Guy, Chris Jackson: http://blogs.msdn.com/b/cjacks/

Security Compliance Manager: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Application Compatibility Toolkit (ACT): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7352

EMET V2.1: http://www.microsoft.com/download/en/details.aspx?id=1677
31/31

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.