What's New for Operating System Hardening and Integrity for Windows Server 2008
Updated: March 12, 2010
Applies To: Windows Server 2008
Hardening and integrity enhancements are composed of various kernel and operating system features that provide a built-in level of safety and security in the Windows Server® 2008 operating system.
Windows Server 2008 and Windows Vista® include many kernel enhancements, including those to improve memory and heap management, management mechanisms, application support mechanisms, and power management. The following are security improvements to the kernel.
Kernel patch protection prevents unauthorized programs from patching the Windows kernel. Kernel patch protection detects changes to critical portions of kernel memory. If a change is made in an unsupported way (for example, if a user-mode application does not call the proper operating system functions), kernel patch protection creates a Stop error to halt the operating system. This prevents kernel-mode drivers from extending or replacing other kernel services and prevents non-Microsoft software from patching any part of the kernel.
Kernel patch protection prevents drivers from performing the following actions, except through authorized Microsoft updates:
Modifying the system services tables
Modifying the Interrupt Dispatch Table (IDT)
Modifying the Global Descriptor Table (GDT)
Using kernel stacks that are not allocated by the kernel
Patching any part of the kernel (detected on AMD64-based systems only)
Kernel patch protection was first implemented in x64–based versions of the Windows Server® 2003 Service Pack 1 (SP1) operating system and the Windows® XP Professional x64 Edition operating system. No significant changes have been made to kernel patch protection in the Windows Server 2008 and Windows Vista operating systems. However, because this security feature is still relatively new, it is discussed here to increase awareness of the feature and its potential impact on developers of drivers and applications.
Some of the security changes to the heap manager include block metadata encoding, integrity checks on block headers, and random head rebasing. In addition, the heap manager provides improved early detection of heap corruptions and the termination of applications when heap corruption occurs, thereby deterring brute-force attacks that exploit vulnerabilities.
Registry virtualization support enables applications that previously required administrator privileges to run in non-administrator accounts. Registry virtualization isolates write operations that have an impact on the entire registry to a per-user location. This redirection of write operations does not affect existing applications and is applicable only to operations on keys in the software hive (HKEY_LOCAL_MACHINE\Software). All other keys are unaffected by virtualization.
For Windows Server 2008 and Windows Vista, kernel-mode software must be digitally signed before it will run on x64-based computers. Certain configurations of x86 systems require kernel-mode software to have digital signatures to access high-definition content, such as HD-DVD and other formats protected under the Advanced Access Content System (AACS) standard, depending on content protection policy.
Code integrity enforces the mandatory code-signing policy for kernel-mode drivers on x64-based systems. Code integrity also verifies the integrity of all code that is loaded into a protected process. Images of the code that fail image validation are not loaded because such a failure indicates that they have been corrupted (either inadvertently or maliciously by a virus or intrusion). System catalogs are used to store image or page hashes that are used for validation.
The Windows Vista operating system introduces a new type of process, called a protected process. The protected process enhances support for digital rights management functionality in Windows Server 2008 and Windows Vista. These protected processes exist alongside typical processes.
The primary difference between a typical Windows process and a protected process is the level of access that other processes in the system can obtain to protected processes.
In versions of Windows operating systems earlier than Windows Vista, the process model allows a parent process to acquire a handle to and manipulate the state of any child process it creates. Similarly, processes that are created by users with sufficient privileges (that is, a system administrator) can access and manipulate the state of all processes on the system. This behavior remains unchanged for typical Windows processes. However, the level of access to protected processes and to threads within those processes is significantly more constrained in Windows Vista and Windows Server 2008.
With 64-bit versions of Windows Server 2008 and Windows Vista, digitally signed kernel-mode drivers are required.
Digital signatures allow an administrator or a user who is installing Windows-based software to know whether a legitimate publisher has provided the software package.
Drivers must be signed for devices that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands.
Unsigned kernel-mode software does not load and does not run on x64-based systems.
Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems. This applies for any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services.
The mandatory kernel-mode code signing policy applies to all kernel-mode software on x64-based systems that are running Windows Server 2008 and Windows Vista. Kernel-mode driver signatures are not mandatory for 32-bit systems. However, publishers should digitally sign all software, including device drivers for both 32-bit and 64-bit platforms. Windows Server 2008 and Windows Vista perform kernel-mode signature verification on x86-based systems to support protected media content.
Data Execution Prevention (DEP) can help protect your computer by monitoring your programs to ensure that they use system memory safely. If DEP detects a program on your computer using memory incorrectly, it closes the program and notifies you. The 32-bit versions of Windows Server 2008 and Windows Vista include a software implementation of DEP that can prevent memory that is not marked for execution from running. The 64-bit versions of Windows Server 2008 and Windows Vista work with the 64-bit processor's built-in DEP capabilities to enforce this security at the hardware layer, where it would be very difficult for an attacker to circumvent. DEP is enabled by default in both 32-bit and 64-bit versions of Windows Server 2008 and Windows Vista.
Address Space Layout Randomization (ASLR) is designed to restrict malicious code in exploiting a system function. When a computer running Windows Server 2008 and Windows Vista is started, ASLR randomly assigns executable images (which are the .dll and .exe files) included as part of the operating system to one of 256 possible locations in memory. This makes it more difficult for exploit code to locate and take advantage of functionality inside the executable images.
Windows Resource Protection (WRP) prevents the replacement of essential system files, folders, and registry keys that are installed as part of Windows Server 2008 and Windows Vista. Applications should not overwrite these resources because they are used by the system and other applications. Protecting these resources prevents application and operating system failures. WRP is the new name for Windows File Protection (WFP).
Windows service hardening restricts critical Windows services from performing abnormally, which would allow malware to install itself or attack other computers in the file system, registry, network, or other resources. For example, the remote procedure call (RPC) service can be restricted from replacing system files or modifying the registry.
Windows Server 2008 and Windows Vista limit the number of services that are running and operational by default. In Windows versions prior to Windows Server 2008 and Windows Vista, many system and non-Microsoft services run in the LocalSystem account, where any breach could cause damage to the local computer—including disk formatting, user data access, or driver installation.
Windows service hardening reduces the damage potential of a compromised service by:
Adding the per-service security identifier (SID). This enables per-service identity, which subsequently allows access control partitioning through the existing Windows access control model for all objects and resource managers that use access control lists (ACLs). Services can now apply explicit ACLs to resources that are private to the service, which prevents other services as well as the user from accessing the resource.
Moving services from LocalSystem to a lesser privileged account such as LocalService or NetworkService. This reduces the overall privilege level of the service, which is similar to the benefits derived from User Account Control (UAC).
Removing unnecessary Windows privileges on a per-service basis.
Applying a write-restricted access token to the service process. This access token can be used when the service that writes to the set of objects is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
Services are assigned network firewall policy, which prevents network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID.
In Windows Server 2003, Windows XP, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the computer. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are seeking to elevate their own privilege level.
The Windows Server 2008 and Windows Vista operating systems mitigate this security risk by isolating services in Session 0 and making Session 0 non-interactive. Only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users' applications and are therefore protected from attacks that originate in application code.
In Windows Server 2008 and Windows Vista, many services are running under accounts with privileges less than LocalSystem, such as NetworkService and LocalService. Service hardening improves the compartmentalization between the services so if one service is compromised, that service cannot be easily used to attack other services on the system. Windows Server 2008 and Windows Vista harden the named pipes used by RPC servers to prevent other processes from being able to take control of them.
The Windows Integrity Mechanism is the new security model in Windows Server 2008 and Windows Vista that provides a security barrier around elevated processes. Mandatory Integrity Control (MIC) and User Interface Privilege Isolation (UIPI) are part of this model. The most notable effect of MIC is the display of UAC when current privileges are insufficient to perform an operation.
MIC provides a mechanism for controlling access to securable objects. This mechanism is in addition to discretionary access control and evaluates access by using integrity levels before access checks against an object's discretionary access control list (DACL) are evaluated. Security principals and securable objects are assigned integrity levels that determine their level of protection or access. An example of this is Internet Explorer® 7 running in Internet Explorer protected mode.
UIPI is the process-isolation mechanism and is displayed as the Windows shield for window messages. Because a process is unable to send messages to a higher-integrity object, UIPI prevents privilege-escalation exploits based on code injection to different processes in the same session.
Windows Internet Explorer 7 includes the following security improvements from the previous version, which integrate into the security improvements in Windows Vista and Windows Server 2008.
Protected mode helps reduce the severity of threats to Internet Explorer 7 and its extensions by eliminating the silent installation of malicious software through software vulnerabilities. In Windows Server 2008, protected mode runs in isolation from other applications in the operating system. It restricts exploits and malicious software from writing to any location beyond Temporary Internet Files without explicit user consent. Protected mode uses the integrity mechanisms of Windows Server 2008 and Windows Vista, which restrict access to processes, files, and registry keys with higher integrity levels. Protected mode allows you to install ActiveX® controls or add-ons when you are logged on as an administrator. Protected mode is turned on by default in the Internet, Local intranet, and Restricted sites zones, and an icon appears on the status bar to indicate that it is running.
Internet Explorer 7 recognizes Extended Validation (EV) Secure Sockets Layer (SSL) certificates, which provide online users with an increased identity awareness and trust of Web sites. These new certificates require businesses to complete a thorough documentation process and verify current business licensing and incorporation paperwork, in addition to verifying that the entity named in the EV certificate has authorized the issuance of the EV SSL certificate. Internet Explorer 7 recognizes EV SSL certificates for businesses that have completed this process and visually represents the certificates in the Address Bar.
Internet Explorer Administration Kit (IEAK) 7 can be used to help deploy and manage Web sites. New features include:
The ability to use the Internet Explorer 7 Customization Wizard or Profile Manager to customize Web feeds, multiple home pages, search providers, and corporate installation options.
The ability to specify whether your users can manage the new anti-phishing filter in Internet Explorer.
Improved Internet Explorer 7 Customization Wizard pages and text.
Improved access to autocomplete and feeds discovery settings.
A simplified Automatic Version Synchronization page in the Internet Explorer 7 Customization Wizard.
With Windows Server 2008 and Windows Vista, developers can provide custom authentication methods by creating new credential providers. The new architecture also enables credential providers to be event-driven and integrated throughout the user experience. The Windows logon user interface can use multiple credential providers simultaneously, which provides more flexibility for environments that might have different authentication requirements for different users.
Cryptography Next Generation (CNG) in Windows Server 2008 provides a flexible cryptographic development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory® Certificate Services (AD CS), SSL, and Internet Protocol security (IPsec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.
The implementation of the Kerberos version 5 (v5) protocol in Windows Server 2008 and Windows Vista supports the Advanced Encryption Standard (AES) ciphers. Microsoft's implementation uses the CNG implementation of these ciphers, which is validated to the U.S. government's Federal Information Processing Standards (FIPS 140-2). For more information about Windows and FIPS 140 validation, see Microsoft's publication of FIPS 140 Evaluation.
|The FIPS certification module validation list for Microsoft is available on the National Institute of Standards and Technology Web site (http://go.microsoft.com/fwlink/?LinkID=116489).|
In addition, security for the Key Distribution Centers (KDCs) located on branch office domain controllers is improved.
The Kerberos protocol in Windows Server 2008 is compatible with earlier versions of Windows but adds improved cryptographic security only for computers that comply with the AES.
New Transport Layer Security (TLS) extensions have been added that enable support of both AES and new elliptic curve cryptography (ECC) cipher suites. In addition, cryptographic mechanisms can now be implemented and used with Schannel, which is the Windows implementation of TLS/SSL, as custom cipher suites.