Win9X/ME
- No user or security infrastructure (largely obsolete)
WinNT
- Highly buggy RPC libraries make owning RPC services easy — RPC data structures are not verified by default the way they are in Win2K, so almost any bad data will make them crash.
- Doesn’t support some NTLMv2 and other authentication options, making sniffing nicer.
- IIS 4.0 runs entirely as system and doesn’t restart after it crashes.
Win2K
- NTLMv2 gains ground in installation bases that are entirely Win2K.
- RPC libraries much less buggy than NT 4.0 (which isn’t saying much).
- SP4 — Exception registers are cleared.
- IIS 5.0 runs as system, but most URL handlers don’t run as system (with the exception of FrontPage, WebDav, and the like).
WinXP
- Addition of Vectored Exception Handling makes things easier for heap overflows.
- SP1 — Exception registers are cleared.
- IIS 5.1 — URLs are limited to a reasonable size.
- SP2 introduces firewall, heavily modifies RPC, introduces Data Execution Prevention (DEP), SafeSEH makes exploiting exception handlers harder, various other miscellaneous security improvements.
Windows 2003 Server
- Entire OS compiled with stack canary, including kernel.
- Parts of IIS moved into the kernel.
- IIS 6.0 still written in C++, now runs under an entirely different setup with a management process and a bunch of managed processes, each of which can serve port 80/443 from particular URLs and virtual hosts.
- Can finally detach from a process without it crashing. In previous versions of Win32, if you attached to a process with the debugger, detaching would forcefully kill it. This was useful sometimes, but mostly just annoying.
Windows Vista
- Everything compiled with a modified, better version of the /GS stack canary.
- ASLR (Address Space Layout Randomisation) makes most exploits slightly harder; can be a serious difficulty when combined with DEP.
- Firewall now filters outbound traffic.
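DEP (XP SP2) and ASLR (Vista) only protect an image that opts in through two DllCharacteristics bits in its PE optional header, so auditing a build for those flags is a quick defender check. The parser below is an added example, not code from the book or the post; the flag values come from the PE/COFF specification, and the sample header it builds is constructed for the test, not a real binary.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from the PE/COFF spec)
DYNAMIC_BASE = 0x0040   # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100      # image declares itself DEP-compatible (no-execute pages)
NO_SEH = 0x0400         # image uses no structured exception handlers at all


def pe_mitigations(data: bytes) -> dict:
    """Report which DEP/ASLR-related opt-in bits a PE image sets.

    DllCharacteristics sits at offset 70 of the optional header for both
    PE32 (magic 0x10b) and PE32+ (magic 0x20b), so one offset serves both.
    Raises ValueError for input that is not a PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20                                   # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def make_sample_pe(magic: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header for testing; it is not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # PE header follows the DOS stub
    machine = 0x14C if magic == 0x10B else 0x8664               # i386 or x64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x102)
    opt = bytearray(96)                                         # enough to hold DllCharacteristics
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(pe_mitigations(make_sample_pe(0x10B, DYNAMIC_BASE | NX_COMPAT)))
```

SafeSEH and the /GS cookie are not visible in DllCharacteristics; they live in the Load Config directory, which this check does not parse.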
Source: The Shellcoder’s Handbook 2nd Edition.
0 Responses to “A Windows Family Tree: Security Profile”