Went to an awesome session today by Steve Riley. It was Windows Vista System Integrity Technologies and covered everything you need to know about Vista in security protection changes. Of course he will be doing it again at TechEd Australia and NZ!
Heres the summary:
Code Integrity: Each piece of code has a hash computed and stored in a secure central location. Each time the system boots it re-computes the hash and compares against whats in the store to ensure that the code hasnt changed. This protects against malicious component replacement.
BitLocker: Similar to my previous post on BitLocker, he also covered some similar content but had some more titbits on the TPM process.
Service Profiling and Hardening: Each system service has been profiled to understand where it writes to. Each service has a token now that ensures that it can only write to those places and the target areas ACL’d with those service’s token SID’s. The firewall also gets involved and blocks any outbound port request except what the service has been profiled to communicate on
Mandatory Integrity Control (MIC): For the first time the ACL is not the only thing that controls access to how you interact with a process or object! Think like Bell-LaPadula…no read-up and no write-down. Modify that thought though as Bell-LaPadula deals with confidentiality not integrity. This is actually the BIBA model which essentially says you cant write to a higher level and you cant read down. Its essentially the reverse of Bell-LaPadula.
How is this applied? Each “user” object has a SID and a collection of groups that its a member of. It also now has an “authority level”. Think integrity levels etc but put it into levels of low, medium, high and system.
In Vista now, irrespective of whether you have local admin access you receive a “split token”. That means that around 15 core system functions are filtered out of your “main” token like SESystemTime Privilege and SeSecurity Privilege and you are changed back from a “high” level to a “medium” level. That means in order to access these higher privilege functions that run at “high” level (like SeSecurity Privilege) you need to elevate your access. Hence the UAP consent prompts, which gives you access to the rest of your token and elevates you to “high” for that function only.
Interestingly Internet Explorer runs as “low” level. Yes untrusted! Do you trust the internet? 🙂 That means in order for you to copy and paste from IE into the clipboard you need to elevate it. The clipboard runs at medium level….after all IE is running lower than the shell!
Kinda get it? I love it!
Theres more to come!
Addendum: Made some edits to the levels to make it easier to understand.