Windows Vista – Page 3 – Tales from the Crypto

Windows Vista

Vista’s Secret Windows Firewall hole

First, the good news – it’s not a flaw in the operation of Windows Firewall on Windows Vista. It’s a design feature, it makes sense, and it fits in with the principle that the firewall should keep out unsolicited traffic. It’s not really a hole, but I thought I’d grab your attention.


The symptom first came up in a Usenet posting (thanks, Jesper, for bringing me in) about Vista and a third-party FTP client:



When I do a directory listing, and a PORT command is issued, and the
server attempts to connect, it works, but at the same time a dialogue
appears telling me it’s blocked, and I can keep blocking or unblock.
I choose keep blocking but it doesn’t actually block it once.


Here’s how it looks.

First, if you haven’t got a third-party FTP client let’s fake it, by copying Microsoft’s command-line FTP client from the Windows System32 directory to another directory:


C:\users\MyMe> copy %windir%\system32\ftp.exe
1 file(s) copied.


The FTP client will not display prompts to you, but that’s a minor issue – if it upsets you, try downloading a third-party client and trying it.

Anyway, here we go – let’s try the issue in question:


  • Type ftp ftp.microsoft.com

  • After you see the “220” greeting message, enter ftp as the user – press enter.

  • Now you’re prompted for a password – enter anything and press enter.

  • Once you’re logged on, enter dir – again, press enter.

  • You’ll see the directory listing succeed, but you’ll also see a warning that a connection is being blocked:

image-0063


Wow – that’s freaky – at the same time you’re being told that the connection used for the file listing will be blocked, it allows the connection through!

What’s more, even if you specify Keep Blocking, and then go issue another dir command, that one succeeds.

Huh? And why on earth did you make me use a copy of FTP?

Let’s go look at the Windows Advanced Firewall Rules for Inbound, and see if this sheds any light:

[That means click the Start button, type Firewall into the search box, and right-click on Windows Firewall with Advanced Security – select Run as Administrator

and accept the elevation prompt from UAC. If you don’t have an elevation prompt, then you should really re-enable UAC. Now select Inbound Rules in the left-hand pane]


Me, I’ve got a few rules labeled File Transfer Program:


Image-0064


That first (and fourth) rule is set to block any listening ports opened by the File Transfer Program in C:\users\myme\ftp.exe, the second two seem to be allowing any listening ports created by the one in C:\windows\system32\ftp.exe.


Obviously, that’s why I asked you to copy ftp.exe to a new directory, so that any previous allowance by the firewall rules wouldn’t get in the way.


So what’s happening here? Is the “Allow” rule somehow overriding the “Block” rule, even though it’s not dealing with the same executable?


We can test that simply by deleting both sets of rules – go ahead and do that, I’ll wait for you.


Didn’t make a bit of difference, did it? It still allowed the traffic, then prompted you if you wanted to block it. Even if you selected to “Keep Blocking“, the next and subsequent transfers still worked, right?


Okay – let’s consult the Big Book of Knowledge (alright, what I can vaguely remember after mumbleteen years in the networking world). Some routers and firewalls use an Application Layer Gateway (ALG) to translate FTP commands, and open ports. Is that what’s going on here?


Let’s take a peek at the services on this machine (as an administrator, run services.msc):


Image-0065


Bingo – there it is, the Application Layer Gateway Service. And when you have Internet Connection Sharing running, that’s what translates IP addresses in FTP commands for you, and what opens up port mappings and holes in the NAT that ICS hosts.


Oh, but wait a moment – what’s that in the “Status” column?


That’s right, nothing. This service isn’t running.


Something must be happening to open this port up – it’s not just a case of “port left open”, nor is it an outbound port. Those ports are closed tight until the FTP client starts listening for incoming data connections, and then they’re opened up.


Here’s where I go into MVP-mode, and start searching in all the nooks and crannies of the web and whatever documentation it holds.


Net result – Windows Firewall in Windows Vista includes something called a “connection inspection engine”.


Sounds like something from “Schoolhouse Rock“.


No, seriously, there’s a “connection inspection engine” for FTP – if you connect to port 21, the firewall monitors your communications on that channel, looking for PORT commands. When it finds one, it opens up a hole in the firewall for the incoming data connection.


So why the scary dialog warning that something’s going to block traffic?


Probably because the dialog pops up whenever an application starts listening, whereas the connection inspection engine only opens a hole when it sees a PORT command. And an FTP client can’t actually give the PORT command until it’s started listening.


So, the process goes something like this:



  • Start the FTP client.

  • Connect to the FTP server on port 21, waking up the connection inspection engine.

  • Log on, then type dir

  • The FTP client knows that it needs to open a data connection.

  • To start the data connection, the FTP client binds to port 0, and starts listening.

  • The firewall says “Oh no, an unknown program has started listening – better warn them that they won’t get any traffic.”

  • The FTP client checks what port it actually got, and sends a matching PORT command.

  • The connection inspection engine says “PORT command? That’s my cue!” and opens a hole in the firewall to incoming data connections.

Well, that’s easy, but what if I don’t ever want to do an FTP connection? How do I stop this from becoming a potential hacker tool?


Okay, apart from the obvious – that if a hacker could connect out to a server on port 21, nothing’s stopping that hacker from transferring data in – you might want to cripple this functionality.


No problem – just set the following DWORD registry value to 1:


HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DisableStatefulFTP


The default setting for this value on Windows Vista is 0. [It remains to be seen what value will be the default on Windows Server 2008]


How could Microsoft make this better?



  • I’d really like to see this documented. Just so that it’s not a surprise to anyone.

  • I’d like to know how many other connection inspection engines there are (at least one, judging from the DisableStatefulPPTP value – but I don’t know enough about PPTP to know how that affects operation).

  • I’d like to know if I can add my own connection inspection engine to the firewall.

  • Above all, I’d like to do away with the rather confusing and clumsy “We’re going to block your incoming … wait, what just happened?” dialog. If the connection inspection engine is monitoring a command channel, and the process that owns the socket for that command channel starts listening, perhaps we could wait a quarter of a second for a PORT command before calling this a blocked connection?

Finally, is this a vulnerability, a hole, or anything outside the correct operation of a firewall?


No, because the firewall is documented as blocking unsolicited incoming connections – and by any reasonable definition, the data connection requested by a PORT command is solicited.

Waiting for Vista SP1?

In a previous article, I wrote about how to sound stupid by saying “let’s wait for Service Pack 1 before we deploy Windows Vista“.

Now here are a few ways to sound clever, by pointing to specific issues that will be fixed by Windows Vista SP1.

  • GPMC.MSC (the Group Policy Management Console) gets removed, and the Group Policy Editor will default to editing the local group policy only. Okay, that’s not really an advantage – but you will be able to download a newer group policy editor later.
  • Allows Remote Desktop Protocol (RDP) files to be signed. Complains when they aren’t (though this does cause a problem for Remote Web Workplace users in SBS land, because there’s no way to actually sign the RDP files!)
  • Improved cryptographic random number generator, leveraging the TPM if you have one on your computer. (Not sure there was that much wrong with the old one… but this one’s better, and more … cryptographicky)
  • BDE + TPM + USB + PIN – need I say more? Oh, okay then – for the truly security paranoid, you can use Bitlocker Drive Encryption with the Trusted Platform Module, and have it require a USB key and a PIN before the system will start.
  • Also with BitLocker, there is support for encryption of drives other than the main boot volume (which is the volume that has the system software on it, not the system drive, which is the one you boot from). Still can’t encrypt the system drive – because that would be just plain stupid.
  • Performance improvements – really, what’s not to like with an update that makes your computer go faster?
  • exFAT file system for flash memory storage – you probably haven’t exactly been drooling about this.
  • SSTP – allows VPN over HTTPS to Windows Server 2008 systems. Yeah, because if you’re holding off installing Vista until SP1 ships, you’ve got loads of those ready to use, right?

I don’t know – were any of those features worth waiting for? I know there’s performance and reliability improvements, but those are somewhat nebulous and indistinct.

My advice is still to test Vista as it shipped, test Vista with the Service Pack 1 Release Candidate – report bugs to Microsoft quickly, before they lock it down – and then when SP1 releases, and then test with Vista SP1 RTM when it comes out… and stop letting vendors get away with saying that “all you need to do to run our software on Vista is to disable UAC, or make all users administrator” – that’s just plain bad.

What do I wish was in SP1?

  • Some provision for solving the EFS incompatibility between XP and Vista (maybe XP SP3 will help, I don’t know)
  • The ability for a standard user to back up his own files, including EFS encrypted files, so that a user can export encrypted data to removable physical media (like a CD-R). Too much data still travels unencrypted, and it might help to have the ability to put encrypted files on CD-Rs using only what comes with the OS.
  • A server administration toolkit that allows me to administer Windows versions 2000, 2003 and 2008 from Vista.
  • An ability to switch sound output devices on already-running applications. When my wife comes into the office, I want to stop using the built-in speakers and start using the Bluetooth headset, so that she can’t hear me playing Halo.

So, tell me, what are you waiting for?

Why you don’t run as root

[… or administrator, or whatever]

I like Roger Grimes, he’s a nice guy, and he generally makes me think about what he has to say. That’s a good thing, because otherwise he’d either be part of the same choir as me, or he’d be the sort of guy whose ideas I dismiss with a wave of the paw and a barely audible “Pah.”

Today, though, I think he’s missing something fundamental – and perhaps you are too.

He writes in the InfoWorld Security Adviser column that “UAC will not work”, on the simple basis that malware can still do all the things it wants to do without having to execute under a privileged account.

That’s true, and it always will be – the day that a computer can see my attempt to “delete the Johnson account, and forward that instruction to the following addresses”, and determine whether it’s malicious or appropriate, is the day when the computer can do the whole job for me, by simply choosing all possible actions and seeing which are malicious and which are appropriate.

However, what I can rely on, if the malware has been held out of privileged accounts, is the integrity of the system, and (unless they were prone to activating the same malware) the other users on that system. [By system, I may mean one machine or several networked together to perform a function.]

So while it’s true that the old cross-platform virus “forward this message to everyone in your address book, then delete all your data” is still going to function if the user stays out of administrator roles, at least the operation of the system can be restored, as well as whatever data has been backed up.

You don’t run as a restricted user to prevent viruses from happening – you run as a restricted user to prevent viruses from happening to the people and systems with whom you work. You run as a restricted user, so that when some system falls over, you can say “it couldn’t possibly have been me”. You run as a restricted user because if there is a bug in the program you run, its effects will be limited to only that portion of the OS and its data to which you are restricted.

Sure, least privilege is somewhat of an artificial construct – but the alternative is that users get more privileges than they need. That quickly boils down to “everyone can do anything”.

I’ve been on that kind of a network before, and when we found one guy’s stash of truly offensive porn (this wasn’t the occasional Rubens painting) on the server, we had no way of finding out who it was, let alone punishing them by firing them. The company I worked for was fortunate that whoever found it didn’t sue for fostering the creation of a hostile workplace.

So, no, UAC won’t stop malware – but then that’s not its purpose. It’s purely a beneficial, incidental, and temporary side-effect that it will stop much of today’s malware.

Is a NAT a security device?

I’ve been working lately on a couple of IPv6-related projects. First, there’s a chapter for an upcoming book, and second, there’s the effort to make WFTPD and WFTPD Pro work on IPv6, since it’s enabled by default in Windows Vista and Windows Server 2008 [more on that in a future post].

A big argument to my mind, as an old-school Internet user, for enabling IPv6 is that every one of your hosts becomes a fully-fledged Internet participant, like it used to be with IPv4 back in the ’90s.

What do I mean by that?

I mean that every machine is reachable at its own address on every port that it chooses to open, rather than requiring someone to tinker with a NAT to open port mappings for specific applications.

IPv6 removes the need for a NAT at all.

Wow. To a security professional, that’s a shocking statement. It feels rather like saying that living in a tent removes the need for locks. How on earth do you protect your stuff without a NAT?

The answer is that a NAT was never intended to be a security device – it just happened, somewhat accidentally, that requiring address translation and port mapping to be statically configured created a security barrier.

Unfortunately, NATs also killed a lot of protocols (H.323 for webcams, FTP for file transfers – particularly when secured, IPsec) that quote IP addresses in their traffic.

To some extent this was fixed with ALGs – Application Layer Gateways – but never very satisfactorily (particularly in the case of secured FTP). What would be far better is to have a device that had the blocking advantages of a NAT, but didn’t require IP addresses and ports to be altered in transit.

There’s a name for such a device:

A firewall.

[Only if the firewall is configured by default to list all ports as “closed”. An open-by-default firewall is not a firewall, it’s a router.]

And a firewall is a far simpler program than a NAT (even if it’s in hardware, it’s the program’s simplicity that matters most). If it matches incoming traffic to ports that are opened, it allows that traffic in. If outgoing traffic occurs on a port that was closed, the firewall usually opens that port for the reverse traffic, so that clients on the inside of the firewall can get a response.

So, when the time comes that your network is required to transition to IPv6, don’t beg for an IPv6 NAT. I actually hope such a device doesn’t actually exist, and that nobody’s stupid enough to develop one. What you should insist on is an IPv6 firewall.

“But what about the problem that the layout of my network inside of the firewall will be revealed?” you might ask.

It won’t, because IPv6 addresses are sparsely allocated.

“How about machines that won’t ever need to be accessed by, or access out to, anything outside my company? What’s the IPv6 equivalent of an RFC 1918 address?”

No problem – there’s a standard for link-local and site-local (Unique Local Unicast, technically) addressing, which will never be routed outside of your site.

Any other reasons you’re clinging to the idea that a NAT is a security device?

Why complain about UAC prompts?

Jesper’s article in TechNet Magazine on the purpose and future of UAC in Windows Vista and beyond reminded me that there’s a whole slew of behaviours more annoying than UAC’s prompting (which, as Jesper points out, is only the most visible portion of a system-wide and company-wide approach to the future of Windows development), and which users apparently don’t hate enough for vendors and IT departments to cry for changes.


UAC elevation prompts from tools that shouldn’t need elevation.


Seriously, this is just a sign that the developer was an administrator, and the tester was an administrator, and nobody bothered to make the program work for non-administrators by removing requests for privileges that aren’t actually needed.


So, instead of fixing the product to remove the demands for administrative rights, the developers simply added a manifest to make the software insist on elevation.


If you’ve got non-administrative software that prompts for elevation as soon as it starts up, you should be asking your vendor whether this is their long-term fix, or whether this is just a temporary workaround while they engage in what can be a long process of removing elevation.


UAC elevation prompts for administrators running administrative tools


While performing their administration function, these users should be in an administrator session, and should have enabled silent elevation through Group Policy; while not performing their administration function, they should not be in an administrator session, and elevation should be disabled.


While that may have been awkward and cumbersome in Windows XP and before (although “runas” goes a long way towards providing this sort of separation), in Windows Vista, Fast User Switching is enabled for even domain-joined computers, allowing you to choose whether to be in a restricted user session or an administrative user session.


Spending most of your time as a non-admin means that when someone comes looking for the admin user who infected the company with an Outlook worm, you can point to the fact that your admin account isn’t set up to run Outlook, so it couldn’t possibly be you – phew!


Requests to re-identify myself


This is the big one for me, though – why aren’t people complaining the same way about applications that ask the users to authenticate themselves again?


Why haven’t these applications been fixed to use other methods of authentication?


When I fill in my time-sheet, I’m required to provide my user name and password. Again.


When I connect to the company training web page, I’m required to provide my user name and password. Again.


Every place I’ve worked, it’s the same thing – there’s a pile of applications that are necessary to, or related to your work – whether it’s training, time-sheets, benefits checking, prescription filling under the company-provided insurance plan, or whatever – they’ve all required that I identify myself to them – again – even though I’ve already identified myself to the domain on this computer.


Maybe this is acceptable and appropriate for those operations where you want to make sure that somebody hasn’t stepped in to the user’s cube while the user was away – but those operations should generally be limited to unlocking the locked workstation, changing the user’s password, starting up an elevated process – not routine operational work.


After all, if you start requiring the user to enter their password everywhere, you’re teaching the user that he should be blasĂ© about repeatedly entering his password several times during the work day – then when the phishing email comes along, with a request to log on to an external web site, that user will happily give up his user account and password (which will most likely be the same as his password on every other system he’s used).


There are good alternatives.


A couple of obvious approaches for web-based applications are Windows Integrated Authentication (which, admittedly, does require IE and IIS), and SSL client certificates.


Thick-client applications are also usable, as long as they aren’t against your company’s religion.

Let’s just wait for Service Pack 1

Every so often, I’ll hear it said, and frequently not in jest, “let’s wait until Service Pack 1 before we deploy Vista”, or sometimes “Server 2008”.

While it’s true that Microsoft has indeed announced plans to test, and then release, Windows Vista SP1 early in 2008, I have to say that I don’t find this thinking any smarter than the old “let’s buy IBM” idea, based on the “Nobody Ever Got Fired For Buying IBM” principle.

Even if it were true, someone’s eventually going to realise that if it’s your job to specify what the IT budget gets spent on, and you say things like “we’ll deploy it after Service Pack 1”, you’re just not acting as if you’re doing your job.

Somebody, one day, will call your bluff, and say “Why? What bug is a showstopper for deploying Vista RTM, and why do you believe it’s fixed by SP1? Why didn’t you find that bug out while you were beta testing the operating system? Weren’t you beta testing the operating system?”

And you’re going to look foolish, because you don’t have anything in particular to point to (UAC? That’s a bit generic – you have to say what you don’t like about UAC, and why you think SP1 will make it all better) in order to defend your mindless parroting of “let’s wait for SP1”.

For the record, there are reasons to anticipate SP1 – it adds an SSL-based VPN capability, through the SSTP, and it allows you to encrypt multiple drives using BitLocker through the UI (you can use manage-bde.wsf to encrypt multiple drives using BitLocker from the command prompt).

There are other features in SP1, and you should definitely consider whether you can use those features. But there really isn’t any break-fix that makes it important for you to stop testing and planning to deploy Vista RTM while you wait for SP1.

diskpart ‘shrink’ needs a little work…

I’m playing with BitLocker a little, and I need a small temporary partition to encrypt and decrypt on a frequent basis.

No problem, right? I can just open up Computer Management, select Storage, Disk Management, and then shrink a volume that has lots of space. [I can do the same with “diskpart” from the command line, if I choose to]

Apparently, I can't shrink my drive

Oh, now, that’s just perfect – I can’t shrink my partition, and even if I do, I’ll end up wiping out the existing partition?

Okay, so I realise that it’s not likely to be quite that severe, but there’s a little work needs to be put into the disk partition shrink mechanism in Windows Vista.

First, obviously, edge cases like the one above need to be handled properly.

Second, there needs to be an option that informs the administrator as specifically as possible what limited the shrink operation – which immovable file is sitting on the boundary of the maximum shrink area. That way, I can decide what the problem is – it’s not the hibernation file (because I’ve deleted that), and it’s not the pagefile (again, deleted); it’s not even volume shadow copies, because I’ve disabled System Restore.

Wireless PC Lock – part 2

Over the last several days, I’ve been getting more and more requests for my updated Wireless PC Lock software that I described way back last year.

Possibly, it’s because of stories like this one:

At New York-based Big Four accounting firm Ernst & Young, the security department confiscates laptops if they are unlocked when not in use, say employees (who wish to remain anonymous). To reclaim the confiscated PCs, workers must explain why they forgot to lock their machines and then they get a quick refresher course in security. These employees say they dread that walk to IT, so many have gotten better at remembering to lock them.

Well, that’s a really amusing story, and I will confess that at my workplace, any workstation found unlocked tends to be used to invite the rest of the team out for lunch – you don’t forget to lock your workstation too often [whether that’s because lunch for a whole team is expensive, or because you just don’t want to have to spend an hour with your colleagues, is beyond me].

I work in a physically-secured building, where RFID cards have to be used to get in and out, but the problem of locked workstations is still an important one to us – the data that I can access is quite different from the data that can be accessed by the people across the hall, or by the people in other buildings. And if any inappropriate data access occurs from my workstation under my account, it’ll be my job that’s on the line – nobody’s going to try dusting for fingerprints to check that it wasn’t me.

So, I like to have an ‘insurance policy’ against forgetting that simple Windows-L keystroke. My insurance policy is the Wireless PC Lock, which detects when I get up and walk out of range, locking my computer if I haven’t already done so.

The crap software that comes with the Wireless PC Lock is a problem, though. It requires to be installed, which I don’t want (because I’m a restricted user); it doesn’t really lock the workstation (it puts up a full-screen bitmap of dolphins); it unlocks the workstation when you get back in range (even when it’s on the other side of a wall); etc, etc.

So, I decided it would be handy to have some replacement software that could be installed / used on a per-user basis. For the first release, this is strictly personal software – there’s no install. You copy the EXE into place, and run it from startup.

Insert the USB stick into your system and away we go. Right-click the new icon in your system tray (it looks a little like the transmitter fob on my unit – yours may be different), and choose to register with your fob.

The program will ask you to turn the fob off and then on again, so that it knows whose fob to lock against; once you have this set, that may be all the configuration you need to do – but of course, I have added configuration for the timeouts.

And, if you go and visit your Windows sound schemes, you’ll find there are additional sounds for the Wireless PC Lock, allowing you to hear when you’re about to get locked out by an absence of wireless fob.

Obviously, this is a real lock of your workstation that’s going to happen, so you will, yes, have to type in your password every time you come back to your workstation – your fob carries a two-byte code, which is not nearly difficult enough to hack to make it a valid logon protector. Sorry.

If you lose your fob, or your fob loses batteries, don’t worry – you can use your password to unlock, as usual, and then once you’re unlocked, the Wireless PC Lock software won’t activate again until it registers the presence of your fob again. Just remember that the Wireless PC Lock is a convenience measure, and is a “backup” against you forgetting to press Windows-L to lock up your machine when you’re walking away from it.

I’ve attached a zip file containing the Wireless PC Lock application – please let me know what you think of it!

Context menus not working in Vista?

commandprompt I spent a while the other day trying to figure this one out.

Under “Start”, I have a ‘pinned’ Command Prompt item.

I can’t get a context menu (aka “right-click menu”) to appear when I right-click on this Command Prompt.

I can right-click on the Command Prompt choices that appear if I search for Command, or navigate under Accessories, so I know that right-clicking is available in general.

The answer is a simple setting, as it so often is, and certain people should feel ashamed that they didn’t think of suggesting it.

Right-click the “Start Orb”startorb, select “Properties”, and then on the “Start menu” tab, next to the “Start menu” radio button, click “Customize…”

Under “Customize Start Menu”, if you scroll down a page, you’ll see the setting “Enable context menus and dragging and dropping”. If this is unchecked, then the pinned items will not work with a right-click.

customizestart

Which raises the question … why was I able to right-click (context menu) on the items in the start menu when this feature was unchecked? It really doesn’t seem a terribly useful feature if I can get around it by navigating through the “All Programs” option in order to get to the Command Prompt and load up the context menus that you’ve told me I can’t have.

Technorati tags: , ,

Public, Home and Work networks

Here I am at TechEd, and I want to connect back home.

No problem – I can use a VPN, because I have one set up on my server back at home.

[Perhaps that’s not normal, but I’m a geek]

Now I want to browse my home network, partly because I want to see what’s on my Media Centre back at home.

Here’s what I get:

So, I want to turn on Network Discovery and File Sharing, yes?

No.

Although all of the traffic I initiate to my home network, and all of the traffic it sends back to me, is encrypted, the key to remember about turning on Network Discovery is that it not only allows you to browse other servers at home, to discover them, but it also allows you to browse other servers on the local network, and does not give you a way to distinguish between them.

So, if I browse looking for servers at home, I may accidentally locate someone’s laptop down the hall from me, which happens to be running a server OS, or simply sharing out its files.

I think, though, that it would be handy to be able to turn on network discovery and file sharing over the VPN connection, rather than for all connections at the same time.