A Behind-the-Scenes Look at Windows Security
Over the years, the types of system attacks have risen and there is no ceiling in sight. Microsoft and others have attempted to counter these attacks by reducing the surface area of attacks (meaning they develop software with fewer attack points) and by hardening the areas of attack that must remain exposed. They have even strengthened the user OS itself by providing User Account Control settings which, although not always appreciated, prevent malicious software from executing on your system without your explicit permission to do so (and without you having the right as an administrator for that software to execute as well).
Under the hood, however, is where the real defense is being added. This article provides insight into some examples of security enhancements you might (or might not) be aware of.
Address Space Layout Randomization (ASLR)
A return-to-libc attack tries to run a system function based upon a standard location for that function in memory. These attackers need to locate the code to be executed while other attackers try to execute “shellcode” within a stack, but need to find that stack first.
ASLR provides defense against this type of attack by moving the system functions around in memory so that they cannot be predicted. So, attackers can only guess at the location and they aren't likely to find it. In the event of a false guess, the application usually crashes without hindering security. This type of randomization makes the attacker’s life harder.
This brings us to rootkits. Rootkits are processes that spoof their way into memory that is protected and then run in stealth with full privileges, communicating with a host system out on the Internet through unprotected ports. For a rootkits to work properly, they have to locate themselves in your memory. With ASLR, there is no longer a haphazard way of processes locating themselves in memory. There is a table of registers that keeps track of where things are located. A rootkit can't place itself in memory without registering on that list. Once the rootkit registers, it’s no longer a stealth process. You can see again that even though ASLR is a behind-the-scenes feature, it's one we should appreciate.
This is a feature that has been added to the Windows 7 kernel, the part that allocates and deallocates chunks of memory. Safe unlinking performs a series of checks before entries are removed to make sure attackers aren't trying to exploit the operating system using what's known as a pool overrun. That isn’t to say it blocks all pool overruns, but it does block the most common techniques.
Data Execution Prevention (DEP)
I can remember a few years back telling folks to turn this feature off! DEP is actually a security feature that helps prevent virus and other security attacks by monitoring programs to ensure memory is being used correctly. If a program attempts to use memory in an incorrect way, DEP closes the program. Learn more about it here: http://www.winvistaclub.com/f33.html.
This security feature's goal is to make sure many background processes are removed from direct access, are run with the lowest possible privileges, and are isolated from one another.
How does it try to stop these compromises? There is a per-service security ID that means each service has its own ID with permissions that can be specific between the service and the resources being accessed. In addition, services are given a network firewall policy that prevents that service from being accessed from outside the standard boundaries of the service.
The benefit is that attacks to the file system, registry, network, and other resources are hindered because malware cannot use system services to attack. In previous versions, a service would run with the Local System account (high privileges); now many run with the Local Service or Network Service, which reduces the overall authority of the service itself.
What Windows Service Hardening cannot do is prevent the attack if your system is vulnerable. There are other services, such as Windows Firewall, whose job is to take care of that. But Windows Service Hardening can limit damage by not allowing attackers to exploit services.
Kernel Patch Protection
This feature, also known as PatchGuard, is specific to the 64-bit versions of Windows and is designed to prevent all changes to the kernel, which is especially a protection against rootkits and other third-party intervention of the OS core.
Learn more about Kernel Patch Protection at http://windowsitpro.com/article/articleid/94219/what-you-need-to-know-about-kernel-patch-protection.html.
Integrity Levels (ILs)
With ILs, items such as files, folders, processes, threads, registry keys, and so forth not only have Access Control List (ACLs) settings, they have Integrity Levels as well.
There are four levels: low, medium, high, and system. Standard users receive medium ILs and elevated users receive high ILs. Processes that you (as a user) start receive the integrity you are running (medium or high). But this isn’t the case if the file already has a setting of low on it. System services receive the highest level System rating.
How does this work? Well, let’s say you are running IE8 in protected mode (so it’s running with a level of low integrity) and something from the Internet wants to interject a virus. When the virus attempts to execute, the attack fails because. The virus tried to access and harm an object with a higher integrity level, so it was stopped.
Objects that don’t have integrity codes are treated as medium so lower-level integrity processes cannot harm them.
It All Comes Together
It is important to know that while Microsoft has provided solid user tools for protecting the surface of a system (for example, Windows Defender, Windows Firewall, User Account Control, BitLocker, and BL2Go), you should be happy to know that things are also happening under the hood to protect you.