Monday, February 23, 2009

Windows server 2008 and Vista licensing model

Microsoft has made some major changes in how the enterprise can license its machines. In particular, the idea of using a Key Management Server to dynamically validate Windows licenses makes it much easier for IT staff to upgrade or replace faulty hardware without going through the hassle of re-licensing Windows because of hardware changes. There are two licensing models available for Windows Vista and Windows Server 2008 (w2k8). This is also known as Volume Licensing 2.0 by Microsoft.


These are:
1. Using a KMS (Key Management Server): this is automatic and requires minimal user intervention. However, network access is required between the KMS and the client host.

2. Using a MAK (Multiple Activation Key): this requires the key to be entered manually by the engineer. As MAK does not require any traffic to flow between networks, it is a more secure option than KMS. This option won’t be discussed further here.

The traffic flow for using a KMS is as follows:

1. The host that requires licensing contacts the DNS server for the KMS record to get the IP address of the KMS server.
2. After receiving the IP address of the KMS server, it sends an RPC request on port 1688/tcp (the default) to the KMS host to obtain the licensing keys.
3. The KMS host replies on a random port to the requesting server using the RPC protocol.

It should be noted that the KMS service is usually installed on the same server as the Domain Controller. The KMS service uses minimal resources, and especially if you want to authenticate your clients and make sure they are part of the domain before validating them, it makes sense to install it on top of the Domain Controller.

Security Considerations

There are four main security considerations associated with this:

1. The application layer protocol is Microsoft RPC: this protocol is very complex and has a history of vulnerabilities. There are active exploits for this protocol that target various services built on top of RPC, such as SMB, CIFS, etc. A recent prominent piece of malware that uses the RPC protocol is the Conficker/Downadup worm.


2. No mature MS-RPC proxies on firewalls: at present there is no MS-RPC traffic proxy on the current generation of firewalls. Only Microsoft ISA Server has an MS-RPC proxy. Therefore, a generic proxy will have to be used, which will only do basic application and TCP/IP layer checks but will not have the ability to inspect MS-RPC traffic.


3. Domain Controller vulnerability: if the KMS service is on a domain controller, then the DC (as well as the KMS) is exposed to malicious DMZ traffic. Moreover, the internal DNS server will also be exposed to the DMZs, as licensing traffic has to be initiated from the requesting host, i.e. from the DMZ.


4. Enumeration via anonymous connections: MS-RPC access to the servers might accept anonymous connections by default. Even if anonymous logons are not allowed, these connections might be able to enumerate user accounts and shares on the KMS host. This is an even greater risk if KMS is hosted on a domain controller.

It is probably best to use KMS for licensing workstations and servers on the secure internal LAN only. The MAK method should be used for w2k8 machines in firewalled zones.

Mitigations to be used:

If KMS has to be implemented across the network, the following can help reduce the associated risk:

1. Allow KMS only to zones that are considered equally secure or more secure than internal networks (e.g. out-of-band management networks). Use proxy MAK activation for less secure / internet-facing DMZs.
2. Have the KMS service on a separate virtual server so that a compromise of KMS will not compromise the Domain Controllers.
3. See if the IP address of the KMS server can be hardcoded in the initial install, so that access to the internal DNS server is not necessary to resolve the KMS server IP address.
4. Allow only authenticated hosts in the domain to request licenses. Disallow anonymous connections, as these can be used to enumerate shares and accounts. This might require additional traffic, such as Kerberos, to traverse the firewall.
5. Firewalls should allow only specific IPs in each network zone to access the KMS server. Where available, use the management interface of the server instead of production networks for licensing traffic.
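As an added example (not code from the original post), here is a small audit of firewall logs that checks what mitigations 1 and 5 ask of the policy: KMS on 1688/tcp is reached only from the internal LAN or the management network, and DMZ hosts never attempt it at all. The KMS address, the zone subnets and the log lines are all constructed placeholders.

```python
"""Audit constructed firewall log lines for KMS (1688/tcp) traffic.
Added example, not from the original post: it checks what mitigations 1 and
5 ask of the firewall policy (KMS reachable only from trusted zones, never
from the DMZ, whose hosts should be on MAK)."""
import ipaddress
import re
KMS_PORT = 1688
# Assumed network layout: placeholder addresses, not from the post.
KMS_HOST = ipaddress.ip_address("10.1.0.10")
ALLOWED_ZONES = [ipaddress.ip_network("10.1.0.0/16"),    # internal LAN
                 ipaddress.ip_network("10.250.0.0/24")]  # out-of-band mgmt
DMZ_ZONES = [ipaddress.ip_network("192.0.2.0/24")]       # internet-facing DMZ
# Constructed log format: "<date> <time> ALLOW|DENY src=... dst=... proto=tcp dport=..."
LOG_RE = re.compile(r"(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"proto=tcp dport=(?P<dport>\d+)")
SAMPLE_LOG = """\
2009-02-23 09:00:01 ALLOW src=10.1.20.5 dst=10.1.0.10 proto=tcp dport=1688
2009-02-23 09:00:07 ALLOW src=192.0.2.15 dst=10.1.0.10 proto=tcp dport=1688
2009-02-23 09:00:09 DENY src=192.0.2.16 dst=10.1.0.10 proto=tcp dport=1688
2009-02-23 09:00:12 ALLOW src=10.250.0.3 dst=10.1.0.10 proto=tcp dport=1688
2009-02-23 09:00:15 ALLOW src=10.1.20.5 dst=10.1.0.10 proto=tcp dport=445
2009-02-23 09:00:20 ALLOW src=172.16.9.9 dst=10.1.0.10 proto=tcp dport=1688
"""

def zone_of(ip):
    """Classify a source address as 'dmz', 'allowed' or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DMZ_ZONES):
        return "dmz"
    if any(addr in net for net in ALLOWED_ZONES):
        return "allowed"
    return "unknown"

def audit_kms_traffic(log_text):
    """Return (leaks, dmz_clients): permitted KMS connections from a zone not
    on the allow-list, and every DMZ host that attempted KMS at all."""
    leaks, dmz_clients = [], []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m["dport"]) != KMS_PORT:
            continue                       # not KMS traffic
        if ipaddress.ip_address(m["dst"]) != KMS_HOST:
            continue                       # 1688/tcp to some other host
        zone = zone_of(m["src"])
        if zone == "dmz" and m["src"] not in dmz_clients:
            dmz_clients.append(m["src"])   # candidate for moving to MAK
        if m["action"] == "ALLOW" and zone != "allowed":
            leaks.append((m["src"], zone)) # firewall policy is too loose
    return leaks, dmz_clients
```

A DMZ host that shows up even in DENY lines is still worth a look: it is configured for KMS and belongs on MAK, as the post recommends.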


Do you have any comments on how the new licensing model works? Let us know!
You can get more information from the Microsoft website here.
