Security Improvements


In addition to networking enhancements, Windows Server 2008 also includes a number of security improvements beyond those included in the Windows Vista platform. Again, I won’t be able to describe all these in detail, so I’ll just let our experts at Microsoft fill us in.

Let’s start with BitLocker Drive Encryption, a data protection feature available in Windows Vista Enterprise and Windows Vista Ultimate for client computers and also available in Windows Server 2008. BitLocker provides enhanced protection against data theft and exposure for computers that are lost or stolen, and it provides more secure data deletion when BitLocker-protected computers are decommissioned. BitLocker helps mitigate such unauthorized data access on lost or stolen computers through two major data-protection features: by encrypting the entire Windows operating system volume on the hard disk (including the swap and hibernation files), and by checking the integrity of early boot components and boot configuration data on computers that support Trusted Platform Module (TPM) version 1.2.

The main difference between BitLocker on Windows Server 2008 and its implementation on Windows Vista is the inclusion of support for data volumes. Other changes include EFI support and a new multifactor authenticator. Let’s now hear from one of our experts at Microsoft concerning each of these improvements:

From the Experts: BitLocker Enhancements in Windows Server 2008

BitLocker Drive Encryption (BDE) on Windows Server 2008 is an optional component that needs to be installed using Server Manager. BDE on Windows Server 2008 now supports the following:

  • Data volumes: any number of volumes other than the OS or system volume

  • A new authenticator: TPM+USB+PIN

  • EFI support

    Data Volumes

    This new feature extends BitLocker encryption support to volumes other than bootable volumes in the Windows Vista client (Enterprise and Ultimate SKUs). These volumes are called data volumes. A data volume is any locally created internal volume exposed by Plug and Play in the context of a booted operating system that isn’t the volume that was booted. Any nonactive volume exposed by Plug and Play that contains only data or a different instance of an OS other than the currently booted/running OS is considered a data volume. An encrypted volume the user wants to access that is not already unlocked by the BitLocker code that is executed in the boot manager is considered a data volume.

    New Authenticator

    This authenticator was added in response to numerous requests from partners to improve the level of security. An additional multifactor authentication method is offered that combines a key protected by the TPM with a Startup Key (SK) stored on a USB storage device and a user-generated personal identification number (PIN). This allows customers to implement a simpler security policy and the development team believes that this will lead to a higher rate of adoption of BitLocker in governmental organizations.

    EFI

    Today most computers rely on the PC/AT (or INT 19 style) BIOS architecture. However, a replacement technology is under way: the Extensible Firmware Interface (EFI). The Trusted Computing Group (TCG, the industry-standard group defining the TPM and related technologies) and Intel are working to provide firmware feature parity with PC/AT trusted platform BIOSs. This new feature provides associated feature support in the Windows Vista loader to use this functionality and provide feature parity (including PPI) with BIOS-based machines.

    –Tony Ureche

    Program Manager, Windows Security, Core Operating Systems Division


Crypto Next Generation (CNG), which was first introduced in Windows Vista, has also been enhanced in Windows Server 2008. The CNG API is the long-term replacement for the CryptoAPI of previous Windows platforms and is designed to be extensible at many levels and cryptography-agnostic in its behavior. Let’s hear from another of our experts concerning the improvements to CNG in Windows Server 2008:

From the Experts: Enhancements to Crypto Next Generation in Windows Server 2008

Within Microsoft, specific support for the SSL protocol was first added to Internet Explorer 2.0 in 1995. Along with this, development began on a general-purpose application programming interface (API) for symmetric and public-key cryptography. This API, called CryptoAPI or CAPI1, provided a common interface abstraction, in user mode, for cryptographic algorithms (sometimes called the “pluggable” provider model) for Microsoft and third-party applications.

CNG is Microsoft’s new core cryptographic API, first shipping in Windows Vista. CNG is positioned to replace existing uses of CryptoAPI throughout the Microsoft software stack. Third-party developers will find lots of new features in CNG, including the following ones:

  • A new crypto configuration system, supporting better crypto agility

  • Finer-grained abstraction for key storage (and separation of storage from algorithm operations)

  • Process isolation for operations with long-term keys

  • Pluggable random number generators

  • Relief from export-signing restrictions

  • Thread safety throughout the stack

  • Kernel-mode cryptographic API

    In addition, CNG includes support for all required Suite-B algorithms, including ECC. The existing CAPI (CryptoAPI) programs will continue to work as CNG becomes available. CNG Microsoft-provider and legacy CAPI1 CSPs are in the FIPS 140-2 process at target level 1.

    –Tolga Acar

    Senior Program Manager, Cryptography, Windows Core Security


Another new Windows Vista feature that will see extended use in Windows Server 2008 deployments is called Owner Access Restriction. This is a new feature in the ACL model that helps in diverse scenarios, including compliance, service hardening, and Active Directory management. Let’s hear from another of our experts describing what this is all about:

From the Experts: Owner Access Restriction

In Windows Vista and Windows Server 2008, the ACL model provides a new mechanism that gives administrators more control over the rights of a resource’s owner. Administrators can use a new feature in the ACL model called Owner Access Restriction (OAR) for this purpose. Using a new well-known SID, OwnerRights (S-1-3-4), the DACL can now contain ACEs that limit the rights of the owner. There are several scenarios where OAR might be useful, and they span service hardening, file management, and system file protection. Here is a walkthrough of a typical scenario, the group removal scenario:

  1. A user, as a member of a group, has the right to create a resource within a container (for example, a file within a folder).

  2. He creates such a resource within the container.

  3. The application does not want him to be able to write to or delete the resource after he is removed from the group.

  4. But he can perform these functions because he is the owner of the resource, regardless of the ACL on the resource.

    Or in other words:

    ALLOW OWNER_RIGHTS READ_CONTROL CONTAINER_INHERIT, OBJECT_INHERIT

    In step 2, the inheritable ACE propagates to the newly created container. Consequently, step 4 is no longer possible–the owner cannot write the resource.

    This is an important scenario for Active Directory, where the user is the owner of the Computer object when he joins a machine to a domain. With OAR, Active Directory can ensure that the owner of the Computer object has a necessarily limited set of rights.

    –Satyajit Nath

    Program Manager, Windows Core Operating System Security

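The group removal scenario above, worked as an added PowerShell example (not from the book): the inheritable OwnerRights READ_CONTROL ACE is applied to a folder, a file is created inside it, and both ACLs are read back to confirm the ACE propagated. The folder path is a constructed value, and the script assumes it is run with rights to change the folder's DACL.

```powershell
# Added example, not from the book: apply the Owner Access Restriction ACE
# shown above (ALLOW OwnerRights READ_CONTROL, CONTAINER_INHERIT|OBJECT_INHERIT)
# to a folder and confirm it propagates to a newly created file.
# Assumes a local test folder; $Path is a constructed value.

$Path = 'C:\Shared\DropBox'
New-Item -Path $Path -ItemType Directory -Force | Out-Null

# S-1-3-4 is the well-known OwnerRights SID named in the text.
$OwnerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')

# READ_CONTROL corresponds to FileSystemRights.ReadPermissions. Once an
# OwnerRights ACE is present, the owner's implicit rights (including WRITE_DAC)
# are replaced by what that ACE grants, so the owner can no longer re-ACL the
# object to regain access after leaving the group.
$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $OwnerRights,
    [System.Security.AccessControl.FileSystemRights]::ReadPermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($ace)
Set-Acl -Path $Path -AclObject $acl

# Step 2 of the scenario: create a resource inside the container.
$probe = Join-Path $Path 'probe.txt'
New-Item -Path $probe -ItemType File -Force | Out-Null

function Get-OwnerRightsAce {
    param([string]$Item)
    # Ask for SID identities so the well-known SID can be matched directly.
    (Get-Acl -Path $Item).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' } |
        Select-Object @{n='Object';e={$Item}}, FileSystemRights, IsInherited, InheritanceFlags
}

# Expect one ACE on the folder (IsInherited=False) and one on the file
# (IsInherited=True), both with FileSystemRights = ReadPermissions.
Get-OwnerRightsAce $Path
Get-OwnerRightsAce $probe
```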

Windows Auditing is another area in which there have been significant improvements in Windows Server 2008. When auditing is enabled on a Windows computer, Success or Failure events can be logged in the Security log to provide a trail for forensic analysis and archival purposes. Implementing an audit policy is an important facet of overall security, as monitoring the creation or modification of objects gives you a way to track potential security problems. It also helps to ensure user accountability and provides evidence in the event of a security breach. Let’s hear about the auditing improvements in Windows Server 2008 from another of our experts at Microsoft:

From the Experts: Auditing Improvements in Windows Server 2008

In Windows Server 2008, the auditing feature has been improved to provide an audit trail that is both more comprehensive and easier to interpret. The event records in the security event log have been reformatted to make them easier to understand and to include more relevant information. Also, many new events have been added.

Some highlights of the enhancements are listed here:

  • New events have been added for Directory Service changes, indicating old and new values of changed attributes.

  • Registry changes now include old and new values.

  • There are events for changes to security descriptors (permissions) on objects.

  • There are new events for IPSec.

  • There are events for access to shares and RPC interfaces.

    Audit policy has been dramatically improved as well, and it now includes the ability to turn sets of events on and off at a very granular level. To use this feature, you have to use the command-line tool auditpol.exe.

    Here are a few examples:

    auditpol.exe -list -subcategory:*
    auditpol.exe -set -subcategory:"Account Lockout" -success:enable

    To use the new granular audit policy feature with Group Policy, you must use it in a script. Microsoft Knowledge Base article 921469 discusses how to accomplish this; the article can be found at http://support.microsoft.com/kb/921469.

    There are also many new Security events in Windows Server 2008; in fact, there are 340 such events in total. Here is the prototype for the new event when you move an AD object to a new place in the directory:

    A directory service object was moved.
    Subject User SID: <security ID of the user that moved the object>
    Subject User Name: <sAMAccountName of the user that moved the object>
    Subject Domain: <domain name of the user that moved the object>
    Subject Logon ID: <logon ID of the user that moved the object>
    Directory Service Name: <Active Directory domain name>
    Directory Service Type: <type of AD installation>
    Old Object DN: <original distinguished name of the object before the move>
    New Object DN: <new DN of the object after the move>
    Object Type: <schema class name of the object>

    Here is a sample registry value change audit:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/23/2007 5:49:06 PM
    Event ID:      4657
    Task Category: Registry
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      erics-workstation.microsoft.com
    Description:   A registry value was modified.

    Subject:
        Security ID:    MICROSOFT\ericf
        Account Name:   ericf
        Account Domain: MICROSOFT
        Logon ID:       0x2e454cd

    Object:
        Object Name:       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        Object Value Name: Malware
        Handle ID:         0x124
        Operation Type:    Existing registry value modified

    Process Information:
        Process ID:   0x550
        Process Name: C:\Windows\regedit.exe

    Change Information:
        Old Value Type: REG_SZ
        Old Value:
        New Value Type: REG_SZ
        New Value:      virus.exe

    In this case, Old Value is blank because there wasn’t originally a value; I created it.

    Events are also available to applications as XML. Here is the text of the second event written as XML:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="..." />
        <EventID>4657</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12801</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2007-03-24T00:49:06.763Z" />
        <EventRecordID>945778</EventRecordID>
        <Correlation />
        <Execution ProcessID="..." ThreadID="..." />
        <Channel>Security</Channel>
        <Computer>erics-workstation.microsoft.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-390000000-620000000-180000000-290000</Data>
        <Data Name="SubjectUserName">ericf</Data>
        <Data Name="SubjectDomainName">NTDEV</Data>
        <Data Name="SubjectLogonId">0x2e454cd</Data>
        <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
        <Data Name="ObjectValueName">Malware</Data>
        <Data Name="HandleId">0x124</Data>
        <Data Name="OperationType">%%1905</Data>
        <Data Name="OldValueType">%%1873</Data>
        <Data Name="OldValue"></Data>
        <Data Name="NewValueType">%%1873</Data>
        <Data Name="NewValue">virus.exe</Data>
        <Data Name="ProcessId">0x550</Data>
        <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
      </EventData>
    </Event>

    –Eric Fitzgerald

    Senior Program Manager, Windows Core Operating System Security

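A consumer of the XML event form shown above, as an added PowerShell example (not from the book): it parses a constructed 4657 event modelled on the page's sample, resolves the %%-tokens using the meanings the rendered description gives for them, and flags the write because the key is the CurrentVersion\Run autostart key. The function, the token table and the regex are assumptions of this example, not Windows APIs.

```powershell
# Added example, not from the book: parse a 4657 registry-value-change event in
# the XML form shown above and flag writes to autostart keys. The event below is
# a constructed sample modelled on the one on this page; the %%-token meanings
# come from the rendered description of that same event.

$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4657</EventID>
  </System>
  <EventData>
    <Data Name="SubjectUserName">ericf</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
    <Data Name="ObjectValueName">Malware</Data>
    <Data Name="OperationType">%%1905</Data>
    <Data Name="OldValueType">%%1873</Data>
    <Data Name="OldValue">    </Data>
    <Data Name="NewValueType">%%1873</Data>
    <Data Name="NewValue">virus.exe</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData>
</Event>
'@

# Message-table tokens as rendered on this page; unknown tokens are kept as-is.
$Tokens = @{ '%%1873' = 'REG_SZ'; '%%1905' = 'Existing registry value modified' }
$AutostartKeys = '\\CurrentVersion\\Run(Once)?$'   # key paths whose modification warrants review

function ConvertFrom-RegistryAuditEvent {
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    if ([int]$e.Event.System.EventID -ne 4657) { return $null }
    $d = @{}
    foreach ($item in $e.Event.EventData.Data) {
        # '#text' is the element text; it is absent for the whitespace-only OldValue.
        $v = ([string]($item.'#text')).Trim()
        $d[$item.Name] = if ($Tokens.ContainsKey($v)) { $Tokens[$v] } else { $v }
    }
    [pscustomobject]@{
        Subject   = $d['SubjectUserName']
        Key       = $d['ObjectName']
        ValueName = $d['ObjectValueName']
        Operation = $d['OperationType']
        OldValue  = '{0}: {1}' -f $d['OldValueType'], $d['OldValue']
        NewValue  = '{0}: {1}' -f $d['NewValueType'], $d['NewValue']
        Process   = $d['ProcessName']
        Autostart = [bool]($d['ObjectName'] -match $AutostartKeys)
    }
}

ConvertFrom-RegistryAuditEvent -Xml $SampleEvent | Format-List
```

For the sample, Operation resolves to "Existing registry value modified", both value types to REG_SZ, and Autostart is True.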

For additional information concerning security enhancements in Windows Vista and Windows Server 2008, see the “Security and Protection” section in the Windows Vista TechCenter Library found on Microsoft TechNet at http://technet.microsoft.com/en-us/windowsvista/aa905062.aspx.




Microsoft Windows Server Team - Introducing Windows Server 2008
Introducing Windows Server 2008
ISBN: 0735624216
Year: 2007
Pages: 138
