SIM307 | Securing Your Windows Platform

Presentation Transcript
Securing Your Windows Platform

Mark Simos, William Dixon

Microsoft Consulting Services

Solomon Lukie

Trustworthy Computing

Securing your Windows Platform: Objectives
  • Demonstrate how to create a secure and usable administrative desktop using SCM, EMET, Applocker, and ASA
  • How to adapt the configuration to protect enterprise workstations
  • Awareness of Cybersecurity threats, motivations, and trends
Securing your Windows Platform: Agenda
  • Cybersecurity perspectives
  • Tools and technology
    • Enhanced Mitigation Experience Toolkit (EMET)
    • Applocker
    • Security Compliance Manager (SCM)
    • Attack Surface Analyzer (ASA)
    • Group Policy - User account least/lesser privilege
  • All technology in this presentation is a free download or included in Windows 7
Why lock down administrative desktops?
  • Active Directory compromise is bad!
    • 100% cleanup assurance is difficult
    • Rebuild is expensive, embarrassing for IT (& for Organization)
  • Malware is a profit driven industry, increasing sophistication
    • Sophisticated techniques getting more efficient (toolkits)
    • Compromise and obfuscation techniques constantly evolving
    • Symantec reported 286 million variants just in 2010
What Attackers Want
  • Ingress
  • Gain Beachhead
    • Install User Malware
    • Escalation of Privilege
  • Expand Presence
    • Redundant administrative access
  • Ongoing Surreptitious Remote Access
  • Implement Goals
    • Data Exfiltration
    • Other nefarious actions
Cybersecurity Economics

  • Goal: make defenses cheaper/easier to achieve
  • Threat: attacker tools always getting cheaper, more sophisticated
  • Goal: better defenses require attacks to be sophisticated (expensive and difficult) to be effective

[Chart: Defender Benefit (Db) plotted against Defender Cost (Dc), with the regions "Due Diligence" and "Commercial Reasonability" marked; the next two slides use those two headings.]
Fighting Back (Due Diligence)
  • Least Privilege
    • Limit Domain Admin privileges (use lesser admin roles!)
    • Limit Local Administrator (even on admin workstations!)
  • Reduce Risky Behavior
    • Don't allow email or Internet browsing from admin workstations!
  • Hardened Client
    • Run 64-bit version of latest operating systems
    • Patching, AV, anti-malware, and firewall
  • Security Compliance Manager (SCM) – Apply high security baseline for OS and Application security settings
Fighting Back (Commercial Reasonability)
  • Require 2 factor authentication for administrators
    • Smartcards
    • RSA Tokens
    • Other solutions
  • EMET – Protect against exploits by unknown malware
  • AppLocker – Whitelist applications that can launch
  • ASA – Identify and reduce attack surface
Microsoft Cybersecurity Team Approach

Trusted Virtual Machine Client
  • Goals:
    • Avoid/minimize risk
    • Prevent infection
    • Limiting damage
    • Easy to use !
  • Dedicated VM for management
    • Windows 7 running as Virtual PC (x32)
    • Windows 7 or Server 2008 R2 x64 running as Hyper V VM
  • Ease of use tradeoff: joined to domain which is being managed
  • Member of “hardened workstations” OU
  • SSLF - Specialized Security, Limited Functionality
Server Admin Accounts – Limit Risk
  • Server Admin accounts
    • Not domain admin
    • Not local admin of client
    • Log onto management client only, privileges to perform job
  • Administrative Workstations
    • Browser limited to intranet browsing only
    • Only server administrators can login to workstation
    • 2 factor authentication ideal
  • Regular User Workstations
    • Only regular users can login (no server or domain admins allowed)
Demo: SCM Getting Started

Demo: SCM Policy Edit, Informed decisions

Oops, did not realize a value of 0 disabled password history enforcement! Hmmmm…
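The surprise in this demo (a value of 0 turns password-history enforcement off) is the kind of thing a pre-import check can catch. The script below is an added example, not part of the deck: it parses the [System Access] section of the GptTmpl.inf security template that a GPO backup carries and flags zero or low values. The backup folder is a placeholder, and the floor values are assumptions for an administrative workstation.

```powershell
# Added example, not from the deck. Reviews the password/account settings in a GPO backup's
# security template before the backup is imported with GPMC.
$BackupRoot = 'C:\GPOBackups\{guid}'   # placeholder: one {guid} folder from your backup set
$Template   = Join-Path $BackupRoot 'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'

function Get-SystemAccessSettings([string]$Path) {
    # GptTmpl.inf is INI-style; collect "Key = Value" pairs that sit under [System Access].
    $section = $null
    $result  = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Floors are assumptions for an admin workstation; for each of these keys 0 means "not enforced".
$Minimums = @{
    PasswordHistorySize   = 24   # the setting the demo tripped over
    MinimumPasswordLength = 14
}

$settings = Get-SystemAccessSettings -Path $Template
foreach ($name in $Minimums.Keys) {
    if (-not $settings.ContainsKey($name)) {
        Write-Warning "$name is not defined in the template (value will be inherited or left as-is)"
        continue
    }
    $value = [int]$settings[$name]
    if ($value -eq 0) {
        Write-Warning "$name = 0 disables enforcement"
    } elseif ($value -lt $Minimums[$name]) {
        Write-Warning "$name = $value is below the chosen floor of $($Minimums[$name])"
    } else {
        "$name = $value (OK)"
    }
}
```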

Demo: Deployment Steps Summary
  • Duplicate, review, edit security baseline if needed
  • Create GPO backup of baseline
  • Duplicate, review, edit additional GP settings in “Settings Pack”
  • Create GPO backup of settings pack
  • Move GPO backup files to admin workstation 
  • Start GPMC
  • Create GPO in domain for Hardened Workstations OU
  • Import GPO from {guid} file location
  • Gpupdate on client to apply
  • Test !

NOTE: un-applying a registry policy does not reset the registry values it set
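A scripted form of the GPMC steps above (create the GPO, import from the {guid} backup, link it to the Hardened Workstations OU), added here as an example and not taken from the deck. It assumes the GroupPolicy PowerShell module (RSAT / Server 2008 R2); the backup folder, the GPO display names and the OU distinguished name are placeholders.

```powershell
# Added example, not from the deck. Imports the SCM-exported baseline and settings-pack
# backups into new GPOs and links them to the Hardened Workstations OU.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackups'                                 # folder holding the {guid} backup directories (placeholder)
$TargetOU   = 'OU=Hardened Workstations,DC=contoso,DC=com'    # placeholder distinguished name

# One entry per backup exported from SCM: the security baseline and the additional "Settings Pack".
# BackupGpoName is the display name recorded in the backup; TargetName is the GPO to create.
$Imports = @(
    @{ BackupGpoName = 'Win7 SSLF Baseline (placeholder)';      TargetName = 'Hardened WS - Baseline' },
    @{ BackupGpoName = 'Win7 SSLF Settings Pack (placeholder)'; TargetName = 'Hardened WS - Settings Pack' }
)

foreach ($i in $Imports) {
    # -CreateIfNeeded creates the target GPO when it does not exist yet (the "Create GPO" step).
    $gpo = Import-GPO -BackupGpoName $i.BackupGpoName -Path $BackupPath `
                      -TargetName $i.TargetName -CreateIfNeeded -ErrorAction Stop

    # Link the imported GPO to the OU that holds the administrative workstations.
    New-GPLink -Name $gpo.DisplayName -Target $TargetOU -LinkEnabled Yes -ErrorAction Stop | Out-Null
    "Imported '{0}' into '{1}' and linked it to {2}" -f $i.BackupGpoName, $gpo.DisplayName, $TargetOU
}

# Review the link order before running 'gpupdate /force' on a test client.
# Per the deck's note: unlinking later does not reset registry values the policy already set.
(Get-GPInheritance -Target $TargetOU).GpoLinks | Select-Object Order, DisplayName, Enabled
```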

Enhanced Mitigation Experience Toolkit (EMET)

Mitigate applications against exploit techniques

EMET Benefits
  • Protects against unknown vulnerabilities
  • Blocks exploit techniques against applications
    • New and old applications
    • Microsoft and third party software
    • Line of business applications
  • No source code requirements
    • GUI Configuration of OS Mitigation features
  • Free Download
EMET: Mitigating Vulnerabilities
  • Mar 17 - Blocking Exploit Attempts of the Recent Flash 0-Day
  • Mar 14 – Adobe Bulletin CVE-2011-0609
  • Dec 22 – New Internet Explorer vulnerability affecting all versions of IE
  • Nov 3 – DEP, EMET protect against attacks on the latest Internet Explorer vulnerability
  • Sep 10 – Adobe Reader/Acrobat 0-day exploit
EMET Notes
  • Limited info on what EMET did
    • Event 1001 in Application Log (EMET.DLL as faulting)
    • Some OS protections crash on STATUS_ACCESS_VIOLATION
    • Disable/Enable EMET to troubleshoot user issues
  • Enterprise Management Challenges
    • No centralized control or status of EMET
    • No native reporting of EMET actions/events
  • OS Mitigations support varies with pre-Windows 7 clients
EMET: Scenarios and Use Cases
  • Admin and Enterprise Workstations
    • Command-line installation & configuration
    • Test applications for compatibility first (issues are rare)
    • Configure Error Reporting to Desktop Error Monitoring (MDOP) or Application Exception Monitoring (SCOM)
  • Personal Laptop/Desktop (geeks like us!)
    • Add *.exe from C:\Program Files\ & C:\Program Files (x86)\
    • Set system settings to maximum
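A scripted version of the "personal desktop" step above (add every *.exe under both Program Files trees to EMET), added as an example and not taken from the deck. It assumes EMET 2.x's command-line tool EMET_Conf.exe with its --add <path> switch in the default install folder; the exclusion names are placeholders, and the system-wide mitigation settings are left to the GUI as the slide describes.

```powershell
# Added example, not from the deck. Opts every executable under Program Files (both trees on x64)
# into EMET's per-application mitigations. EMET_Conf.exe --add <path> is EMET 2.x syntax (assumption).
$EmetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET\EMET_Conf.exe'
if (-not (Test-Path $EmetConf)) { $EmetConf = Join-Path $env:ProgramFiles 'EMET\EMET_Conf.exe' }
if (-not (Test-Path $EmetConf)) { throw "EMET_Conf.exe not found; adjust the install path" }

# Both Program Files roots; ${env:ProgramFiles(x86)} is empty on 32-bit Windows, so filter it out.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }

# Binaries found incompatible during testing (the deck: test first, issues are rare). Placeholder names.
$Exclude = @('LegacyTool.exe', 'OldUpdater.exe')

$added = 0
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Exclude -notcontains $_.Name } |
        ForEach-Object {
            & $EmetConf --add "$($_.FullName)" | Out-Null
            if ($LASTEXITCODE -eq 0) { $added++ } else { Write-Warning "EMET_Conf failed for $($_.FullName)" }
        }
}

"Registered $added executables with EMET; review with: `"$EmetConf`" --list"
```

Run it from an elevated prompt, and re-run the deck's compatibility test for any application that starts crashing with STATUS_ACCESS_VIOLATION afterwards (EMET's event 1001 in the Application log is the only trace it leaves).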


AppLocker

Whitelist Launch of Windows Applications

AppLocker Benefits
  • Whitelisting of software launch
    • Only known-good applications can launch
    • Unknown applications blocked (Good and bad)
  • Publishing rules simplify use!
  • Windows 7 feature managed by Group Policy

Mark Simos

AppLocker: Scenarios and Use Cases
  • Administrative Workstations
    • Allow Administrative applications only
  • Enterprise Workstations
    • Basic - Allow all users to run any application in ruleset
    • Advanced - Restrict applications by user/group
      • Exceptions for Administrators & PC Techs
AppLocker Notes
  • AppLocker only controls application launch
  • Understand application portfolio (small for admin workstation)
  • Test your rule set prior to deployment
  • Plan how to handle ‘emergencies’
    • RDP to servers
    • Change GPO
  • Create a process to handle AppLocker policy maintenance
    • New tools/applications coming online
Attack Surface Analyzer

Identify the changes in system state, runtime parameters, and securable objects on the Windows operating system.

Useful for
  • IT Professionals / System Administrators
  • IT department development teams
  • Independent software vendors (ISVs)
  • IT Security Auditors
  • IT Security Incident Responders
Microsoft Security Development Lifecycle (SDL)

The industry-leading software security assurance process. Combining a holistic and practical approach, the SDL introduces security and privacy throughout all phases of the development process.

Download the Simplified Implementation of the Microsoft SDL to learn more about the Security Development Lifecycle process and practices.

Attack Surface

Code within a computer system that can be run by unauthenticated users.

Attack surface reduction reduces security risk by giving attackers less opportunity to exploit a potential weakness or vulnerability: defense in depth (DiD)

Attack Surface Analyzer

It’s FREE and a unique industry leading tool

  • Enables you to really improve security of systems
  • 5+ years of real world use within Microsoft
  • Trusted and robust: used on all Microsoft products
  • Saves you time – a manual attack surface audit would take hours and require numerous tools / utilities
Securable objects

An object is securable if it can have unique security permissions associated with it.

The security permissions of a securable object can be unique or can be inherited from a parent.

All non-securable objects inherit the security permissions of their parent.

Each securable object has its security permissions set by its ACL and other security metadata.

Security privileges

  • The right of a user to perform system-related operations, such as debugging the system. A user's authorization context specifies what privileges are held by that user.
  • The capability of a security principal to perform a type of operation on a computer system regardless of restrictions placed by discretionary access control.
ASA Supported Platforms
  • Windows 7 & Server 2008 R2
    • Collection and analysis (analysis requires .NET 3.5)
  • Windows Vista & Server 2008
    • Command line / collection only
  • Newer versions of Windows will require the next version
Using Attack Surface Analyzer
  • Snapshot (baseline)
  • Install product(s)
  • Snapshot (product)
  • Optionally, install additional components or features and take additional snapshots
  • Generate Attack Surface Report

Command-line capability to:

  • integrate with build environments
  • capitalize on existing system management tools (e.g. SCCM)
  • enable scheduled snapshots on high value assets
ASA For Incident Response
  • Initial “Known Good” baseline required
  • Scheduled task for periodic snapshots
Adding autorun collection
  • Download autorunsc.exe from
    • Copy it into the ASA lib folder: copy .\autorunsc.exe "c:\program files\attack surface analyzer\lib\*.*" /v
Your changes
  • Install your product(s) and customizations
Using the Attack Surface Report
  • Targets for additional testing
Getting Support
  • First: Check SDL Tools Forum
  • Second: Attack Surface Analyzer questions, feedback, suggestions
  • Third: establish internal security experts group, wiki
  • Microsoft Customer Support Services (AD, OS, Office, IE…)
  • Microsoft Consulting Services (how to…)
  • Report security bugs responsibly to Microsoft MSRC
    • Be patient, many reports to triage
Did we meet the objectives?
  • Demonstrate how to create a secure and usable administrative desktop using SCM, EMET, Applocker, and ASA
  • Discuss how to adapt the configuration to protect enterprise workstations
  • Discuss Cybersecurity threats, motivations, and trends
Tool download locations
  • SCM Download
  • EMET Download
  • ASA Download
More information on ASA
  • SDDLParse
  • SubinACLs
  • Microsoft Security Development Lifecycle
  • Getting help with Attack Surface Analyzer
  • Reporting security bugs to Microsoft: MSRC

Additional Resources
  • IT Threat Modeling Guide
  • Smart Card Logon Information
  • How to set up a smartcard enrollment station
Statistics References
Related Content (1)
  • SIM308 | The Enhanced Mitigation Experience Toolkit
  • SIM305 | Implementing a Security Baseline in Your Environment
  • SIM304 | Unintended Consequences of Security Lockdowns
  • SIM391-HOL | Windows 7 AppLocker
  • SIM306 | Unmasking Administrator's Evil
  • SIM303 | Conficker - "Taming the Threat"
Related Content (2)
  • SIM302 | Lessons from Hackwarts Vol 1: Defense against the Dark Arts 2011
  • SIM327 | Rethinking Cyber Threats: Experts Panel
  • SIM404 | Hey, You! Get Off My Network!
  • SIM471-INT | The Real World: Designing and Deploying a PKI

Trustworthy Computing
  • Safety and Security Center
  • Security Development Lifecycle
  • Security Intelligence Report
  • End to End Trust

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.


Newer is Better
  • From Microsoft SIR vol. 9
AppLocker Additional Info

Reference slides on Enterprise Deployment

AppLocker Notes
  • Publisher rules require files to be signed
  • Enabling AppLocker on Win7 disables SRP rules
  • Issue with running MSIs in system context (Pre-SP1)
    • Workaround is to add rule for system to run in all paths
  • Signed EXEs with unsigned DLLs - add rules for DLLs
  • Does not protect against process injection / takeover
  • Exceptions need to be made for all applicable rules
Identifying The Application Portfolio
  • AppLocker in audit mode
    • Event collection & event forwarding on AppLocker warnings
  • Application Compatibility Toolkit (ACT) 5.5
  • MDOP Asset Inventory Service
  • ConfigMgr 2007 hardware inventory
  • Identify Per-User Requirements
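The audit-mode approach above, carried through with the Windows 7 AppLocker cmdlets as an added example (not from the deck): collect what "Audit only" mode reports it would have blocked, draft publisher and hash rules from that, and test the draft against the admin toolset before anything is enforced. This also covers the "Test your rule set prior to deployment" point from the AppLocker Notes. The log name and cmdlets are real; the output path, rule prefix and tool folder are placeholders.

```powershell
# Added example, not from the deck. Turns AppLocker audit-mode events into a draft rule set
# and tests it before the policy moves from audit to enforce. Paths and names are placeholders.
Import-Module AppLocker

$AuditLog  = 'Microsoft-Windows-AppLocker/EXE and DLL'   # log written on the reference workstation
$DraftXml  = 'C:\AppLocker\AdminWS-draft.xml'            # placeholder output path
$ToolsPath = 'C:\AdminTools'                             # placeholder: folder holding the admin toolset

# 1. Application portfolio: executables that audit mode reported it would have blocked.
$Audited = Get-AppLockerFileInformation -EventLog -LogPath $AuditLog -EventType Audited
if (-not $Audited) { throw "No audited events in '$AuditLog'; run the workstation in audit mode first" }

# Summarise by publisher so unsigned binaries stand out: the deck's note says publisher rules
# require signed files, so unsigned ones can only get hash rules.
$Audited | Group-Object { if ($_.Publisher) { $_.Publisher.PublisherName } else { '<unsigned>' } } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 2. Draft policy: publisher rules where the file is signed, hash rules otherwise.
#    -Optimize merges rules that share publisher and product; -Xml returns the policy as XML.
New-Item -ItemType Directory -Path (Split-Path $DraftXml) -Force | Out-Null
$Audited | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                               -RuleNamePrefix 'AdminWS' -Optimize -Xml |
    Out-File -FilePath $DraftXml -Encoding UTF8

# 3. Test the draft against the admin toolset: anything listed here would be denied and needs
#    a rule (or a decision) before deployment. Evaluated for the current user.
Get-ChildItem -Path $ToolsPath -Filter *.exe -Recurse |
    Test-AppLockerPolicy -XmlPolicy $DraftXml -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule
```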
AppLocker Implementation

Phases: Application Portfolio; Planning & Process

  • Establish your 'Application Portfolio'
  • Select the rules to create and define policy structure
  • Create a process for managing rules
  • Test your rule-set and update as needed
  • Deploy to production environment
  • Maintain the policy and support processes

AppLocker - Sample Rule Management

  • End user calls into Helpdesk
  • Helpdesk responds to issue
  • Helpdesk escalates application to ITPro / Tier 3
  • ITPro / Tier 3 determines if a global rule is needed
    • If yes: ITPro escalates to Group Policy Admin, and the new rule is deployed globally via Group Policy
    • If no: rule remains local for that user only