Metasploit mailing list archives

Windows Server 2008 - Thoughts on security?


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 5 Nov 2007 23:48:58 +0900

Well with the first Release Candidate for Windows Server 2008 released, I
thought the builds were getting stable and close enough to a shipping
product to warrant some investigation.
Part of my poking and prodding so far has been in the security space, seeing
what changes have been made that would make reliable remote code execution
more difficult.

- Hardware DEP is on for all programs by default (and these days hardware
supporting NX is pretty ubiquitous).
- From MS comments, memory pages with DEP enabled are marked as inviolable
(MEM_EXECUTE_OPTION_PERMANENT); once it's set the kernel shouldn't let you do
a NtSetInformationProcess() again.
- ASLR is employed for every system library and executable I've seen.
- System components are compiled with stack canaries, and SafeSEH.

The Viridian technology (Microsoft's latest incarnation of virtualisation)
is also an area of relatively fresh code. Using Metasm to create hundreds of
executables with random opcodes should be fairly easy to do, and
Metasploit's psexec would let you start each executable on the target system
fairly efficiently.

I'm sure there are some on this list who've been "behind the wall" so to speak
at Microsoft helping secure Windows Server 2008, but have any who've taken
some time to look around the RC?

Rhys
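The DEP and ASLR properties Rhys lists are ultimately recorded per image in the PE optional header's DllCharacteristics field (NX_COMPAT for /NXCOMPAT, DYNAMIC_BASE for /DYNAMICBASE), so a defender auditing a build can check them directly from the file. The following parser is an added example, not code from the original post or from the Metasploit project; the flag values come from the PE/COFF specification, and the sample images are constructed in memory by the `build_test_pe` helper purely to exercise the parser. SafeSEH and stack canaries are not visible here (SafeSEH lives in the Load Config directory, and /GS leaves no header flag), so the check covers only what the header can prove.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR may use the full address space
    0x0040: "DYNAMIC_BASE",     # image can be relocated at load time (ASLR, /DYNAMICBASE)
    0x0100: "NX_COMPAT",        # image declares itself DEP-compatible (/NXCOMPAT)
    0x0400: "NO_SEH",           # image contains no SEH handlers at all
    0x4000: "GUARD_CF",         # Control Flow Guard metadata present
}

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_dll_characteristics(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    return the image format plus the decoded DllCharacteristics flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics is a 16-bit field at offset 70 in both PE32 and PE32+.
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    flags = {name: bool(dll_chars & bit) for bit, name in DLL_CHARACTERISTICS.items()}
    return {"format": fmt, "machine": machine,
            "dll_characteristics": dll_chars, "flags": flags}


def mitigation_findings(data: bytes) -> list:
    """Return human-readable findings for header-visible mitigations that are absent."""
    info = parse_dll_characteristics(data)
    f = info["flags"]
    findings = []
    if not f["DYNAMIC_BASE"]:
        findings.append("no DYNAMIC_BASE: image loads at its preferred base (no ASLR)")
    if not f["NX_COMPAT"]:
        findings.append("no NX_COMPAT: image does not opt in to DEP; depends on system policy")
    if info["format"] == "PE32+" and f["DYNAMIC_BASE"] and not f["HIGH_ENTROPY_VA"]:
        findings.append("no HIGH_ENTROPY_VA: 64-bit image limited to low-entropy ASLR")
    return findings


def build_test_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE image with the given DllCharacteristics.
    This is a constructed test sample for the parser, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_test_pe(0x0040 | 0x0100 | 0x0020, pe32plus=True)
    legacy = build_test_pe(0x0000)
    print("hardened:", mitigation_findings(hardened) or ["all header-visible mitigations present"])
    print("legacy:  ", mitigation_findings(legacy))
```

To run it against a real file, replace the constructed sample with `open(path, "rb").read()`; a system image from the RC should report DYNAMIC_BASE and NX_COMPAT set, which is the header-level evidence for the ASLR and DEP observations above.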