Boot-Time Security

Boot-up is a dangerous time for your systems, a time before security policies to protect them may be active. Avoid danger with persistent policies.

Though each operating system’s instructions may vary, there’s an explicit start-up routine followed by all Windows computers, and in this routine there’s a vulnerability an attacker can take advantage of.

This vulnerability doesn’t lie within the startup code; I’m not going to be revealing some new buffer overflow or programming error. The nature of this vulnerability goes to the heart of several security principals. It has to do with threat modeling, risk evaluation, defense in depth and securing information systems by role. Before you implement my proposed mitigation, you’re going to need to think about whether or not you need it—something you should be doing for every security option.

The Threat
To protect sensitive communications, you may have opted to create IPSec policies for specific systems on your network. You may be blocking telnet, encrypting remote administration tasks, or limiting SQL Server access to communications from a Web application. IPSec’s ability to prevent unnecessary traffic from entering or leaving a Windows system, or to protect data traveling between two devices on the network is, I hope, a key strategy in your network security architecture.

But there is a problem. IPSec policies can’t be enforced until both the IPSec driver and the IPSec policy agent service starts. Since network access to the computer is possible before the IPSec policy agent service starts, there is a possibility of a successful attack during this time. Fooey, you claim? Remember, today’s attacks aren’t generated by some mad, long-haired, smelly criminal who’s targeted your systems for entertainment and who hacks by entering keyboard-based commands one after another. Many automated attacks strike during the brief time period between the startup of network drivers and the full awareness of services. If someone really wants to own a specific box, or simply destroy your carefully constructed Web or wired communications protection, the capability to launch an attack that takes advantage of this vulnerability already exists.

To put it simply, the problem exists because any protected system isn’t protected when the protection is not in effect. Just as locks on doors don’t prevent entry until they’re engaged, an IPSec policy, like any security measure, can’t protect a system if not in effect. This can happen during boot, and it can also happen if Group Policy is used to implement the policy and, for some reason, Group Policy is unable to distribute the policy. Remember too, that by default, when a computer is started in Safe Mode with networking, the IPSec service doesn’t start, so no policy is in effect.

When a Windows XP, Windows 2000 Server or Windows Server 2003 computer starts, three distinct periods need to be considered and protected.

 First, after power on and until the IPSec driver is started, no network access is available. This is because the TCP/IP driver and the IPSec driver are started at the same time. No network communication protection is necessary since no network communication can occur.

 Second, during the time between the start of the IPSec driver, but before the IPSec Policy agent service starts, network traffic can be both received and sent. Set the IPSec Driver Startup Mode to protect this period. “More on this later.”

 Third, after the IPSec Policy Driver starts, but before it can apply the local- or domain-configured IPSec policy, the system is vulnerable. Before you consider the application of a solution to this dilemma, consider your entire network communications protection policy. Before applying the following solution, know that the netsh ipsec commands are only applicable to Windows 2003. Before giving up on XP and Win2K, however, consider the need for some defense, and consider your alternatives; you may find there’s a solution that fits your requirements.

Mitigation: Defense in Depth
Defense in depth is a simple principal that requires more than one layer to be built in the security model. It also assumes that more than one protective device or activity may be present in each layer. Should one part of the defensive strategy fail, many others still stand between the attacker and his goal. For communications protection, the model might include:

 Keeping intruders segmented from the communications areas of the network:

—Using firewalls and/or packet-filtering routers.

— Inspecting communications allowed to transit borders, including anti-virus software, anti-spy-ware, attachment blocking and packet inspection for adherence to application requirements (is it really a URL issuing a legitimate page request, or a doubly-encoded hexadecimal expression that might allow an attacker access to system folders? Is it data entry for a SQL query or a SQL injection attack?)

— Requiring authentication for network access.

 Protecting the communication itself:

— Requiring mutual authentication between devices before any data can be accessed or shared.

— Implementing integrity checks to ensure packets haven’t been captured and altered somewhere on their journey.

— Enforcing encryption to provide confidentiality, so captured packets don’t reveal their contents without serious brute force attacks on the encryption.

— Requiring packet signing to ensure those received actually came from the indicated computer.

— Protecting from data replay. Checking for time, packet number and/or other data that allows the system to recognize the information has been seen before and drop it.

 Protecting the host:

— Blocking unnecessary communications at the host by blocking ports or refusing passage, preventing the egress (sending) and ingress (receipt) of packets.

— Requiring and providing host-level protection whenever network communications may be possible. If there are gaps, fill them.

Your threat modeling exercises should help identify weaknesses in all these layers, and you should seek mitigation. If you use IPSec, you must also consider the operating system boot process and layer protection for it, as well.

Group Policy Issues

Group Policy is an excellent way to distribute an IPSec policy to many computers in a standard and efficient manner. The security problem lies not with the design of Group Policy, but in the nature of things. If a Group Policy has been applied to a member computer, it doesn’t matter if the computer can’t access a domain controller and refresh policy during boot—the IPSec policies are cached in the local Registry and can be used when a DC isn’t available at boot. The problem is that any change to Group Policy can’t be implemented if there’s a problem with the distribution of Group Policy. If that change is a new IPSec policy, then the new policy won’t be in effect until the Group Policy problem is resolved. A similar problem might occur if for some reason the locally-cached Group Policy is corrupted or can’t be applied. The answer to this dilemma—how to ensure that Group Policy problems don’t interfere with IPSec-based protection—is the same as the solution to the boot issue explained in the article.

—Roberta Bragg

Use IPSec Driver Startup Mode
There are three IPSec driver modes: startup, operational and diagnostic. Implementation of the first two are straightforward: the driver is loaded in startup mode during boot and changes to operational mode at the direction of the IPSec Policy agent service. The netsh command can be used to invoke IPSec driver diagnostic mode (netsh ipsec commands are defined in the Windows 2003 product documentation).

During startup mode, three possible communication options are available:

 Permit. IPSec doesn’t process any IP packets. This is the default driver startup mode when no IPSec policy has been assigned, or if the IPSec policy agent is disabled or set to Manual.

 Block. Only DHCP packets or those that match filters configured to be used during Block mode are allowed. All other inbound and outbound packets are dropped.

 Stateful. Outbound traffic is permitted. Inbound traffic is dropped (including unicast, broadcast and multicast traffic) unless in response to outbound traffic. If IPSec policy is assigned, and the IPSec Policy Agent Service is set to automatic startup, the startup mode will be Stateful. Stateful mode can protect communications during startup, but only if startup mode filters are appropriately set.

To properly secure network communications during startup mode, set the startup mode to Block or Stateful and create startup mode filters. To set the startup mode:

 Modify the startup mode by assigning an IPSec policy and setting the IPSec Policy Agent Service to automatic. This will set the startup mode to Stateful.

 Modify the startup mode using the following netsh ipsec command:

Netsh ipsec dynamic set config bootmode value={stateful | block | permit}

 Modify the startup mode by adding and setting the DWORD value OperationMode under the key below. Use a value of 0 to set Permit mode, 1 for Block mode and 3 for Stateful mode.

HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\IPSEC

To set startup filters that can be used in block or stateful mode, use:

Netsh ipsec dynamic set config boot exemptions

Persistent Policies
Persistent IPSec policies can be used to add, modify and maintain IPSec policies permanently. Persistent polices, which are stored in the local machine’s Registry and loaded by the IPSec driver, are in effect whether or not Group Policy policies can be used. Persistent policies can be used to protect computers during startup, override local or Active Directory-based IPSec policies, and provide a smooth transition from startup to operational mode. Appropriate uses for persistent policies include providing unique protection for specific computers when a Group Policy-based policy provides blanket protection for a large number of computers, or providing protection for times when the Group Policy-based policy is not, or cannot, be applied. Persistent policies are the only type of additional policy that can be applied to a Windows computer that already has an IPSec policy assigned. Remember, in general only one IPSec policy can be assigned per computer; a persistent policy is the exception to this rule.

When the IPSec Policy Agent service starts, it sets the IPSec driver to operational mode. If startup mode filters are in use, they’re discarded. Operational mode can’t be modified through commands. Three operational modes exist:

 Secure. IPSec filters defined in the assigned IPSec policy are enforced. The IPSec Policy agent applies any persistent policies first, then any assigned Active Directory IPSec policy or assigned Local IPSec policy is applied. (If no persistent policy is applied, no protection from IPSec is available until the assigned policy can be applied. This means that even if the threat of an attack during the brief boot process isn’t considered a valid risk, a successful attack is possible if there’s a problem with Group Policy operation.)

 Permit. IPSec doesn’t process packets and therefore no IPSec protection is provided. If the IPSec Policy Agent service is manually stopped, the operational mode is Permit.

 Block. No inbound or outbound traffic is allowed. All packets are dropped. Any filters, even those applied for startup mode, are not applied. If a persistent policy is configured, but can’t be applied, Block mode is applied.

To use operational modes to protect communications, you can rely on the correct operation of the IPSec Policy Agent service and Group Policy to set the mode to Secure, or you can set a persistent policy. Not only will you gain protection while the system is loading the IPSec policy assigned by Group Policy, but if the persistent policy can’t be applied, no communications will occur. If an attacker, IPSec Group Policy misconfiguration, Group Policy failure or system error voids your carefully designed communication protection, there will be no communication.

To apply a persistent policy, use the netsh ipsec command to create a policy and assign the policy. Next, use the netsh store command to make the policy persistent. If, for example, you wish to ensure telnet is blocked, do the following:

1. Enter IPSec static mode with the command:

netsh ipsec static

2. Create the policy using netsh. The commands are listed in Table 1.

3. Assign the policy using netsh:

Set policy name="telnet" assign=yes

4. Make the policy persistent:

Set store location=persistent

Table 1. Commands to Create a Policy to Block Telnet
Step Code
Enter IPSec Static mode Netsh ipsec static
Add the policy name and description Add policy name=”telnet” description=”block all telnet”CSP Selection
Add the filter Add filter filterlist=”telnet block” scraddr=Any dstaddr=Me description =”block telnet” protocol= TCP mirrored=yes srcmask=24 dstmask=24 srcport=Any dstport=23
Add the filter action Add filteraction name=”block it” inpass=yes action=block
Add the rule Add rule name=”telnet” policy=”telnet” “telnet filterlist=block” filteraction=” block it” description= “this rule blocks telnet”

Determining if Threat=Risk
I can tell you the steps you’ll need to take to provide protection during startup. You’re going to have to decide whether or not to use them and on which computers to use them and carry out the implementation plan. My personal preference would be to apply this additional protection to any computer to which you’ve already applied an IPSec policy. I’d also recommend taking a couple of test machines and learning how to do so. The ease with which you can accomplish it may help in making the decision and in preventing an error in application—or omission—from occurring.

One of the best ways I know to determine the applicability of any security recommendation is to think about the risk. When communications are involved, it’s all about thinking differently about what you’re trying to protect and dividing computers into groups of high, medium and low risk of attack. In this case, you might decide that some startup protection is a good idea for two types of computers:

 All computers that exist on the edge of your network or in perimeter zones you’ve established. Your firewall, for example, is perimeter defense. What’s protecting it during boot? Computers within the DMZ are also at higher risk. Should an attacker compromise the firewall, or find a way around it, these systems are the next logical targets.

 Laptops are highly vulnerable to these types of attacks, as their users plug them into hotel, partner, conference or miscellaneous wireless hotspots.

Finally, are systems often moved out of, then back into, production use? A system not up to date with its patches may be more vulnerable to attack. Regardless of your policy requiring re-purposed or idle machines updating off the network, you may need to find some technical control to enforce that. Wouldn’t it be great if you could block their communications with your network until they were brought up to date?

I’m not advising you to implement the procedures above for every system—at least not without careful analysis of where the system risk lies and not before evaluating your options. But I’m also not suggesting that you ignore the implications of startup issues on your communications security defense. I’m simply asking you to:

 Follow proper procedures.

 Understand the threat.

 Evaluate the risk to your systems.

 Evaluate the cost of applying the solution.

 Determine which—if any—systems should be protected.

And apply the proper solution. Don’t forget to test the application of IPSec policies by using the IP Security Monitor, or by using the netsh ipsec dynamic show command.

Another, Simpler, Solution
Your network can benefit from a security policy that requires any systems needing protection from network communications during boot to get a persistent policy. Other at-risk systems, though, can be easily protected without using a scripting solution. The best approach for XP computers, especially those that connect directly to the Internet or other untrusted networks (hotels, partners, hotspots) is to enable the built-in Windows firewall. When the firewall’s enabled, it applies startup protection. There’s no difference between this protection and a persistent policy.

Featured