Windows-Vista-Security--West-Virginia-UniversityWindows-Vista的安全-PPT课件.ppt

1、Windows Vista SecurityBy:Chris ReberApril 22,2019AgendanVista Security OverviewnUser Account ControlnAuthenticationnFirewall EnhancementnWindows Service HardeningnData ProtectionVista Security EnhancementsnWindows Vista is hailed as the most secure Windows version yet.nMicrosoft utilized a secure de

2、velopmental lifecycle to create the system.nThey hardened the services and added enhancements for 64-bit computing.nThere are new User,Network,and Application Security Options.nNew Data Protection Options.nAdded security options in IE7.User Account ControlsnAllows users to be productive and change c

3、ommon settings while running as a standard user,without requiring administrative privileges.nPrevents users from making potentially dangerous changes to their computers,without limiting their ability to run applications.AuthenticationnIncludes new authentication architecture that is easier for third

4、-party developers to extend.nThis will lead to a wider choice of smart cards,fingerprint scanners,and other forms of strong authentication.Firewall EnhancementsnThe new outbound filtering in the firewall provides administrative control over peer-to-peer sharing applications and other similar applica

5、tions that businesses want to restrict.Windows Service HardeningnLimits the damage attackers can do in the unlikely event that they are able to successfully compromise a service.nIncreased to Six Service Accounts.nThe risk of attackers making permanent changes to the Windows Vista client or attackin

6、g other computers on the network is reduced.Data ProtectionnBitLocker nHelps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures.nEncrypting the entire Windows operating system volume on the hard disk.nVerifying the integrity of early boo

7、t components and boot configuration data.BitLocker RequirementsnTwo NTFS-formatted volumes:nA boot volume with a minimum size of 1.5GB,where the OS boots from.nAnd the system volume which contains the operating system.nTrusted Platform Module(TPM v1.2).nTrusted Computing Group(TCG)-compliant BIOS fo

8、r use with TPM.BitLocker ModesnTransparent Operation ModenUser Authentication ModenUSB Key ModeTransparent Operation ModenThis mode exploits the capabilities of the TPM 1.2 hardware to provide for a transparent user experience.nThe user logs onto Windows Vista as normal.nThe key used for the disk en

9、cryption is sealed(encrypted)by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified.User Authentication ModenThis mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS.nTwo authe

10、ntication modes are supported:na pre-boot PIN entered by the user nor a USB key.USB Key ModenThe user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS.nNote that this mode requires that the BIOS on the protected machine supports the reading o

11、f USB devices in the pre-OS environment.Combinations of ModesnThe following combination of the modes are supported:nTPM nTPM+PIN nTPM+PIN+USB Key nTPM+USB Key nUSB Key BitLocker Key RelationshipsBitLocker RelationshipsBitLocker RelationshipsBitLocker EncryptionnAES-CBC+Elephant DiffusernThere are fo

12、ur separate operations in each encryption.The plaintext is exclusive-orred(xorred)with a sector key,then run through two(unkeyed)diffusers,and finally encrypted with AES in CBC mode.AES-CBC+diffuserSector Key CreationnWhere E()is the AES encryption function,Ksec is the 128 or 256-bit key for this co

13、mponent.ne()is the encoding function used in the AES-CBC layer,and e(s)is the same as e(s)except that the last byte of the result has the value 128.nThe sector key Ks is repeated as many times as necessary to get a key the size of the block,and the result is xorred into the plaintext.Diffuser A(Encr

14、yption)nThe value i is a loop counter that goes around the data array Acycles=5 times.(Remember that all indices are modulo n,so the wrap-around is automatic.)The addition is modulo 232,is the rotate-left operator,and R(a):=9;0;13;0 is an array of 4 constants that specify the rotation amounts.Diffus

15、er B(Encryption)nDiffuser B is very similar to Diffuser A,however,the R(b):=0;10;0;25 and the Bcycles is only 3.AES-CBC nThe AES key KAES is either 128 bits or 256 bits,depending on the selected version.The block size is a always a multiple of 16 bytes,so no padding is necessary.nE()is the AES encry

16、ption function,and e()is an encoding function that maps each sector number s into a unique 16-byte value.nNote that IVs depends on the key and the sector number,but not on the data.AES-CBC+diffuserCurrent LimitationsnBitlocker only available on Windows Vista Ultimate,Enterprise and Server 2019.nVist

17、a can only encrypt the system volume,further capability to be added with SP1.Security ConcernsnNo Back Door for Law EnforcementnWhen operating in“Transparent Operation Mode”or“User Authentication Mode”the system is vulnerable to“Cold Boot Attacks”nWhen in USB Key-only mode a piece of software could

18、read and record the key for later use to exploit the machine.AgendanVista Security OverviewnUser Account ControlnAuthenticationnFirewall EnhancementnWindows Service HardeningnData ProtectionnQuestionsQuestionsReferencesntechnet2.microsoft/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51

19、033.mspx?mfr=truen207.46.196.114/windowsserver2019/en/library/2d130e11-a796-43b7-98ed-d389cad285f51033.mspx?mfr=truenen.wikipedia.org/wiki/BitLocker_Drive_Encryptionn“AES-CBC+Elephant diffuser A Disk Encryption Algorithm for Windows Vista”,Niels Ferguson,Microsoft,August 2019n“Security Enhancements in Windows Vista”,Microsoft Corp,May 2019.microsoft/presspass/newsroom/security/VistaSecurity.mspx