Security boundaries in Windows
Cordoned Off
Security architects are familiar with breaking down infrastructure into different levels. The unauthorized transition of a user from one area to another is considered a security breach. Windows offers various protection mechanisms against remote and local attackers. Microsoft first differentiates between different border areas, or security boundaries, and defines separate protection goals for each of these areas. These protection goals not only determine the security of the rolled-out Windows instances but also how the criticality of security vulnerabilities is assessed.
Consider a simple real-world data center example in which a physical area outside the data center is an area for visitors, another area is for customers, and two different areas are for employees, depending on their tasks. If a person enters the visitor area, for example, a transition to the first security zone takes place. As long as this access takes place during normal visiting hours, this action is not problematic. Outside visiting hours (i.e., when the doors are locked), this is obviously a security incident.
If the person is a customer or employee, they can enter the customer area after successful authentication by the gatekeeper. Once in the customer area, access to other areas usually relies on technical security systems.
Customers and employees use a chip card with a PIN for authentication that allows them to enter individual rooms. Support staff can also enter the general staff area in addition to the customer areas. Network administrators are also allowed to enter the rooms with the switches and routers in the data center.
What works in the real world can also be applied to securing operating systems. Microsoft defines nine different security boundaries for its own operating systems, active services, and devices in use, although they are not all hierarchically structured like the security areas in the example above. An associated document in the Microsoft Security Response Center (MSRC) [1] is updated continuously.
Network
The transition from the network to a computer is the outermost boundary of that computer. Non-authorized network users cannot access or manipulate the code and data of users on the computer. A malfunction in the corresponding protection mechanisms, such that unauthorized access is possible, is considered a security breach. Of course, retrieving web pages from the Internet Information Services (IIS) or shared files from file and printer sharing is not a vulnerability as long as this unauthorized access is intentional. The component that separates the network from the computer is the firewall.
Kernel and Processes
Computers also have security zones. Programs and services that do not run under an administrator account cannot access data or code in the operating system kernel area. Even in this case, of course, explicitly intended paths, such as using the operating system functions to request memory and file reads and writes or to open network connections are not a security vulnerability. Microsoft considers any access by programs that were started with administrator rights to be basically unproblematic, even if they execute malware. The administrator kernel has no separate limit.
Processes can run in user mode or kernel mode (i.e., with administrator privileges). The processes started in user mode basically do not get access to the code or data of other running processes, even if the same user started them. Even this case has intended exceptions (e.g., shared memory allocated by the operating system) that are not considered to be security problems. Processes in kernel mode are not affected by this restriction.
AppContainer Sandbox
In Windows 8, Microsoft introduced a sandbox mechanism known as the AppContainer for applications from the Microsoft Store. Different types of isolation can be defined for each sandbox, such as device, filesystem, or network isolation. A sandbox implementation that has an error allowing access to the local network despite network isolation is a security vulnerability. However, if this network access is not restricted for a sandbox – and you can distinguish between intranet, Internet, and server functionality – the application can access the network as desired.
Buy this article as PDF
(incl. VAT)