Securing Windows Networks


Microsoft rewrote the TCP/IP stack from scratch and is increasingly focusing on domain isolation and more secure networking components. Windows Firewall has been more tightly integrated with IPsec and given the ability to block outbound connections. Microsoft also introduces many new features that are sure to come under scrutiny by attackers.

Enhanced Network Location Awareness

Windows Vista's networking is organized around three predefined network domain profiles:

  • Domain

  • Public

  • Private

The Domain profile refers to the network configuration settings that apply while the computer can reach an Active Directory domain controller.

All other network connections are automatically classified as Public until the user (if the user is an administrator) elects to change that classification. Public includes all networks that the computer might be connected to while traveling (such as airport, hotel, café WiFi, and so on), public access networks, open wireless access points at the neighbor's house, and so on.

Note 

There is a fourth network domain called Work, which only comes into play if a domain controller on the Domain network cannot be located.

A network can be configured as Private by the computer's operator or administrator. These three network profiles let Windows Vista users define different network and security policies for each domain, giving "switch-on-the-fly" flexibility as the computer moves between them.

The Network Location Awareness service attempts to notice when a Windows host changes network locations (for example, a roving laptop) or when a significant network topology change has occurred (for example, a failed router, a VPN coming up or down, and so on). Changes in network location can affect many Windows components, including group policy, DHCP settings, and routing tables. The algorithms used to detect a network change have been improved. Slow link detection, used in group policy and other features, no longer relies on ICMP alone.

Network Map

Microsoft has included a useful network mapping tool that graphically represents the physical and logical TCP/IP components between the Windows Vista host and a target destination, plus the other devices on the local network. It is a good network troubleshooting tool, and might prove useful when diagnosing a malicious redirection attack. To support it, Microsoft created a new network protocol, Link-Layer Topology Discovery, and a new service, Link-Layer Topology Discovery Responder.

The Rebuilt TCP/IP Stack with IPv6

Along with rebuilding the entire TCP/IP stack, Microsoft has added stronger support for the long-awaited IP version 6 (IPv6), performance self-tuning, new APIs for packet inspection (called the Windows Filtering Platform), and a bevy of diagnostic tools. IPv6 has significant security improvements built into the protocol. Finally, after a decade of waiting, IPv6 is starting to gain increased usage, with some countries running the Internet and their own infrastructures entirely on IPv6. Windows Vista can run the IPv4 and IPv6 protocols at the same time, and can also tunnel IPv6 traffic within IPv4 traffic.

Not everyone is happy that Microsoft rebuilt the Windows TCP/IP stack from the ground up. Windows Vista beta testers found simple, old network stack vulnerabilities in the beta code (http://www.securityresponse.symantec.com/avcenter/reference/ATR-VistaAttackSurface.pdf). Most of the vulnerabilities found were fixed before release, but critics, particularly those with a vested interest in Microsoft not entirely succeeding in security, pointed to the simple vulnerabilities found (for example, the LAND attack) as evidence of an overall lack of maturity in the Windows Vista TCP/IP stack.

Routing Compartmentalization

Host-based routing has become more compartmentalized. An administrator can define separate routing tables for different users or different network locations. For instance, if the PC connects to a VPN, one routing table can be created for all VPN-related traffic, and an entirely different routing table used for other network connections and locations.

Windows Firewall

Microsoft's enabling of Windows Firewall by default in XP SP2 led to an immediate and measurable decrease in the spread of malicious code. Windows Firewall in Windows Vista has been completely rewritten and includes outbound blocking. The improved Windows Firewall comes with pre-configured exceptions (predefined allowed connections) for many common applications, although the majority are not enabled by default. Exceptions can be scoped by source and destination IP address, by TCP and UDP port number, by interface, by group, by network domain, and by service account. For more information on the changes in Windows Firewall, see Chapter 11.

Domain Isolation

Microsoft is focusing on network domain isolation. A domain is any predefined network address scope that requires its own access control permissions. The traditional domains represented on a standard network firewall are the internal network, the DMZ, and the external network. Domain isolation simply extends the security domain concept to any set of hosts or network devices the administrator wants to define. For example, the marketing and IT computer resources can be kept from communicating with each other. Or the back-end database server can be configured to accept inbound connections only on TCP port 1433 (the SQL Server port) and only from the DMZ web server. This latter restriction is actually something called "server isolation," which is a variant of domain isolation. We will discuss domain isolation further in Chapter 12.
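The following script is an added example, not code from the book, that ties the three network profiles, the rewritten Windows Firewall's per-profile outbound blocking, and the "server isolation" case for the database server together using the netsh advfirewall context that shipped with Windows Vista. The DMZ web server address 192.0.2.10 and the rule name are constructed for the example; run it from an elevated prompt on the database host.

```powershell
# Added example (not from the book): per-profile Windows Firewall policy plus a
# "server isolation" rule for a back-end SQL Server, using netsh advfirewall.
# Assumptions (constructed for this example): the DMZ web server is 192.0.2.10
# and the rule is named SQL_from_DMZ_web. Requires an elevated prompt.

# 1. Enable the firewall for all three profiles (Domain, Private, Public).
netsh advfirewall set allprofiles state on

# 2. Default policy per profile. Inbound is blocked everywhere; on the Public
#    profile (airport, hotel, cafe WiFi) outbound traffic with no matching
#    allow rule is blocked too, which is the new outbound blocking ability.
netsh advfirewall set domainprofile  firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile  firewallpolicy blockinbound,blockoutbound

# 3. Server isolation: accept TCP 1433 only from the DMZ web server, only while
#    on the Domain profile, and only if the peer authenticated with IPsec.
netsh advfirewall firewall add rule name=SQL_from_DMZ_web `
    dir=in action=allow protocol=TCP localport=1433 `
    remoteip=192.0.2.10 profile=domain security=authenticate

# 4. Verify what was configured: the rule itself and the active profile.
netsh advfirewall firewall show rule name=SQL_from_DMZ_web
netsh advfirewall show currentprofile
```

The `security=authenticate` option is what turns a plain port filter into isolation: it is only satisfied when a connection security rule (the `netsh advfirewall consec` context) has negotiated IPsec between the two hosts, so a non-domain machine that spoofs the web server's address does not match the rule and falls through to the profile's `blockinbound` default.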

Microsoft is pushing administrators to better define their network domains using a least privilege policy, to prevent unauthorized access and malicious behavior. Administrators can use any Windows access control mechanism available, but in most cases Microsoft domain isolation refers to Windows Firewall, IPsec, and, optionally, Network Access Protection (NAP).

NAP requires one or more Windows servers and attempts to restrict newly attached network hosts to a limited subset of network resources until they are examined, queried, and approved (for example, is Windows Firewall turned on, are client patches up to date, is the client computer running an up-to-date antivirus scanner, and so on). Once approved, they can either be allowed onto the entire network or be isolated to particular domains. Microsoft has significantly improved domain isolation and NAP in Windows Vista, and in the forthcoming Longhorn server product.

Improved Wireless Security

Wireless connectivity has been moved into the main TCP/IP stack. Previously, wireless connectivity was a separate client and a separate stack, which meant that many normal networking features did not integrate well with wireless connections. Windows Vista supports the latest open wireless standards, including 802.1X, WPA, WPA2, PEAP-TLS, and 802.11i. Wireless connections can now receive logon scripts and GPO updates before the user logs in successfully (something that did not occur in XP). Wireless security is covered in detail in Chapter 13.

New Peer-to-Peer Networking

Windows Vista contains more peer-to-peer (P2P) and collaborative networking components, including a new Peer Name Resolution Protocol (PNRP). Windows Shared View is a new collaboration program that allows up to ten people to share sessions, applications, and data. From a security standpoint, P2P applications and components, especially the seamless type that Microsoft is promoting, are often avenues for malicious attack.

SMB 2.0

The Server Message Block (SMB) protocol is used for Windows networking. SMB is often associated with folder and printer sharing, but it is used throughout Windows for many things, including logging on to a domain, group policy distribution, and remote management. Windows Vista includes a new version of the SMB protocol, SMB 2.0, which improves on both the performance and the security of SMB 1.0.

SMB 2.0 is more resistant to many attacks, including anonymous connections and MitM attacks. Windows Vista and Longhorn Server will use SMB 2.0 when talking to Windows Vista and Longhorn servers and clients. When talking to down-level clients, they will use SMB 1.0.

One of my favorite new default settings is that Windows Vista no longer looks for and enumerates all local network shares when it boots up. By default, XP Pro, using the Browser service, enumerates all shares and printers on the local network when it starts. Although this feature could be turned off, because it is a default setting it leads to lots of shares being unnecessarily revealed to non-admin users.
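As an added example that is not part of the book, the following audit script makes the two points of this section visible on a running host: which SMB dialect each connection actually negotiated (so down-level fallbacks to SMB 1.0 stand out), whether the host still accepts SMB 1.0 as a server, and whether the Computer Browser service that drove XP's start-up share enumeration is running. It assumes the SmbShare cmdlets, which exist on Windows 8 / Server 2012 and later rather than on Vista itself.

```powershell
# Added example (not from the book). Assumes the SmbShare module
# (Get-SmbConnection, Get-SmbServerConfiguration), available on Windows 8 /
# Server 2012 and later; Windows Vista has no equivalent cmdlets.

function Get-SmbDialectReport {
    # One row per server this host is currently talking to, with the dialect
    # the two sides negotiated. A dialect starting with "1." means the peer
    # was down-level and the session fell back to SMB 1.0.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, UserName |
        Sort-Object Dialect
}

function Test-Smb1ServerEnabled {
    # $true when this host still answers SMB 1.0 requests as a server.
    [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Get-BrowserServiceState {
    # The Computer Browser service (short name "Browser") is what enumerated
    # every share and printer on the LAN at start-up on XP. Returns $null if
    # the service is not installed at all.
    Get-Service -Name Browser -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

# Report: connections that fell back to SMB 1.0 are the ones to investigate.
$report = Get-SmbDialectReport
$report | Format-Table -AutoSize
$downLevel = $report | Where-Object { $_.Dialect -like '1.*' }
if ($downLevel) {
    Write-Warning ("{0} connection(s) negotiated SMB 1.0 with a down-level peer." -f $downLevel.Count)
}

if (Test-Smb1ServerEnabled) {
    Write-Warning "SMB 1.0 is still enabled on the server side; down-level clients can negotiate it."
}

Get-BrowserServiceState | Format-Table -AutoSize
```

Run it on a file server during normal business hours: a peer that only ever shows up with a 1.x dialect is a host that cannot benefit from SMB 2.0's resistance to anonymous connections and MitM attacks, and is the first candidate for upgrade or isolation.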


Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
Year: 2004
Pages: 163