Windows NT Security. Cunsheng Ding, HKUST, Hong Kong, CHINA. PowerPoint PPT Presentation.



SLIDE 1

Windows NT Security

Cunsheng Ding HKUST, Hong Kong, CHINA

C. Ding - COMP4631 - L20

SLIDE 2

Agenda

  • Brief information about Windows NT
  • Security architecture
  • Identification and authentication
  • Access control
  • Administration
SLIDE 3

Security Architecture

SLIDE 4

Security Architecture

  • The core operating system service is the Windows NT executive.
  • User programs make application program interface (API) calls to invoke operating system services.
  • Two modes: user mode and kernel mode

– User programs run in user mode.
– Operating system services (the executive, the kernel, the HAL and device drivers) run in kernel mode.

SLIDE 5

Windows NT: kernel vs user mode

[Figure: Windows NT, kernel mode vs user mode. User mode: user applications, subsystem DLLs, the Win32 and OS/2 subsystems, services and system processes (Alerter, WinLogon), all entering the executive through NTDLL.DLL (the NT layer DLL that controls NT system functions). Kernel mode: the Executive (object management, cache manager, virtual memory, processes and threads, security, PnP/power manager, I/O manager, file systems, device drivers, the runtime library RTL), system threads, the Kernel, and the Hardware Abstraction Layer (HAL) over the hardware interfaces (read/write port, timers, clocks, cache control, etc.).]

SLIDE 6

Security Subsystems

  • Security Reference Monitor (SRM):

– in charge of access control: it performs the access check whenever a process opens an object;
– an executive component running in kernel mode.

  • Local Security Authority (LSA):

– a user mode component involved at login: it checks the user account and creates the user's access token (the slides call it a system access token, SAT);
– the LSA is also responsible for auditing functions and for the local security policy.

SLIDE 7

Security Subsystems ctd.

  • Security Account Manager (SAM):

– a user mode component that maintains the user account database used by the LSA;
– it provides user authentication for the LSA.

[Figure: Winlogon passes the credentials to the LSA, which consults the SAM, which reads the account database.]

SLIDE 8

The Registry

  • It is the central database for Windows NT configuration data.
  • Entries in the registry are called keys (not to be confused with cryptographic keys).
  • It is a hierarchical database. At the top level, the registry is structured into a handful of sections the slides call hives (or root keys). Hives contain keys (directories), which in turn contain subkeys (subdirectories) or data items (values).
  • Caveat on the term: Microsoft's own documentation uses "hive" for the on-disk files backing parts of the tree (SAM, SECURITY, SOFTWARE, SYSTEM and the per-user profile), while root keys such as HKEY_LOCAL_MACHINE are the top-level views of the database. The slides use the two terms interchangeably.

SLIDE 9

Protection of the Registry

  • The registry is stored in a proprietary format.
  • Registry Editor (regedit / regedt32) is the operating system tool for viewing and modifying the registry by hand. It is not the only way in: any program with the right permissions can change keys through the Win32 registry API (RegSetValueEx and friends), so the tool is a convenience, not a control point.
  • Protection suggested in the slides: remove the Registry Editor from all machines NOT used for system management. This stops casual editing only; the real protection is the ACL on each key (next slides).

SLIDE 10

Registry File Permissions

  • Defining access permissions:

– use access control lists for hives and keys.

  • Possible access permissions (as offered by the permissions dialog):

– Read only: not allowed to make any changes.
– Full control: edit, create, delete, and take ownership of a key.
– Special access: users can be granted permissions according to a specified list, i.e., the individual entries of the discretionary ACL.

SLIDE 11

A List of Special Access (1)

  • Query value / Set value: read or write the data items held in the key.
  • Create subkey: create a new subkey within an existing key.
  • Enumerate subkeys: identify all subkeys within a key.
  • Notify: receive change notifications for the key and its subkeys (this is the KEY_NOTIFY right used by RegNotifyChangeKeyValue; despite the wording on the original slide it is not related to auditing).

SLIDE 12

A List of Special Access (2)

  • Delete: delete a key.
  • Write DAC: modify the access control list for the key.
  • Write owner: take ownership of the key.
  • Read control: read the security information (owner and ACL) of the key.
  • Caveat: Write DAC and Write owner are the dangerous ones. A principal holding either on a key can grant itself everything else, so treat them as equivalent to Full control when reviewing ACLs.

SLIDE 13

The Registry in Summary

  • Hardware configuration
  • Account data
  • Software, servers, services
  • Network configuration, host name, IP address
  • Description of user's desktop
  • Critical to security

– Repository for local security data
– Access control built in

SLIDE 14

Identification and Authentication

SLIDE 15

Identification and Authentication

  • Authentication: user name + password

– Windows NT 4.0 authenticates over the network with the LM/NTLM challenge-response protocol.
– Windows NT 5.0 (released as Windows 2000) uses Kerberos v5 for domain authentication.

  • Implementation: towards networks of servers and workstations.

SLIDE 16

Logging on to Windows NT 4.0

  • Security Attention Sequence (SAS) - CTRL+ALT+DEL

– Defeats logon-screen spoofing (Trojan horse login prompts): the key combination is intercepted at the keyboard driver level and delivered only to WinLogon, so an ordinary user-mode program can neither capture it nor fake the response. It does not help against a compromised kernel or a malicious GINA.
– Handled by WinLogon, which loads GINA to authenticate the user.
– Authentication against the local SAM or the domain controller's SAM.

  • GINA: the Graphical Identification and Authentication DLL, a replaceable user-mode library (msgina.dll by default) that WinLogon calls to display the logon dialog and collect credentials. The original slide describes it as a "remotely controllable Logon Graphical User Interface"; replaceable is the accurate term.
  • Caveat: because a replacement GINA receives the typed password in the clear, the registry value that names the GINA DLL (GinaDLL under the Winlogon key in HKEY_LOCAL_MACHINE) is a classic target for credential-stealing malware and belongs on the list of monitored keys.

SLIDE 17

Winlogon in Windows NT 4.0

Interactive logon to the machine

[Figure: interactive logon to the machine. Components shown: Winlogon, GINA, LSA, SAM and its account database, the Win32 shell, and the resulting access token. Step 1 is the user pressing CTRL+ALT+DEL; the figure numbers the remaining transitions 2 to 6: Winlogon hands the credentials collected by GINA to the LSA, the LSA verifies them against the SAM account database and returns an access token, and Winlogon starts the user's shell with that token attached.]

SLIDE 18

Windows NT Password Scheme

  • Passwords are stored as one-way hashes, not reversibly encrypted (the original slide says "encrypted"; the SAM further obfuscates the stored hashes, but what is stored is derived from the password, not the password itself).
  • Two hashes are computed for every password: one for Microsoft LAN Manager compatibility (the LM hash), the other for Windows NT (the NT hash).
  • To prevent users adopting weak passwords, a password filtering dynamically linked library (DLL) can be installed (Microsoft's own filter is passfilt.dll).
  • The password filter forces the password to have at least six characters.

SLIDE 19

Windows NT Password Scheme

  • Passwords must contain at least three of the following four character classes: upper case letter, lower case letter, Arabic numeral (digit), and non-alphanumeric character.
  • Passwords cannot contain parts of the username (nor of the user's full name).
  • The hashed passwords are stored in the user accounts, which are held in the SAM database. The SAM database is part of the registry (the SAM hive under HKEY_LOCAL_MACHINE); its key ACL keeps even Administrators out by default, although they can rewrite that ACL.

SLIDE 20

The LAN Manager Password

  • The LM hash is not an encryption of the password that can be decrypted back. It is derived from the password with DES (the password halves are used as keys to encrypt a fixed constant), so the stored value cannot be "retrieved" as the original slide says; it is recovered by brute force, which is cheap because of the weaknesses below.

– The detailed algorithm is not given here.

  • LM passwords can be up to 14 characters long. The password is converted to upper case and split into two independent 7-character halves, so an attacker searches two 7-character upper-case spaces instead of one 14-character mixed-case space.

SLIDE 21

The Windows NT Password

  • The NT hash is computed with a one-way function: MD4 over the password encoded as UTF-16LE (Unicode). The password can be longer than 14 characters and keeps its case.
  • It cannot be retrieved from the hash value stored in the SAM database except by guessing. There is no salt, so two users with the same password have the same NT hash and precomputed tables work against every account at once.
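The two hashes of slides 18 to 21, as an added example (this is not code from the lecture): a pure-Python MD4 so the NT hash can be computed without OpenSSL's legacy provider, the LAN Manager preprocessing that turns a password into two upper-case 7-byte DES key halves (the DES step itself is omitted), and a check that reads LM hashes from a SAM dump using only the well-known constant aad3b435b51404ee, which is the LM value of an empty half. The MD4 test vectors are the published ones and the NT hash of "password" is the widely cited value; the LM hashes given to lm_hash_findings are constructed inputs, and ASCII is assumed where the real LM code uses the OEM code page.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, s):
    x &= MASK32
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out so the NT hash works without OpenSSL's legacy provider."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Rotate the register roles so each step writes into "a" (the RFC's A, D, C, B pattern).
                a, b, c, d = d, _rol(a + func(b, c, d) + x[idx] + k, shifts[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding; case and length are preserved."""
    return md4(password.encode("utf-16-le"))


# Well-known LM value of an all-zero 7-byte half, i.e. DES of the constant "KGS!@#$%" under a NUL key.
LM_EMPTY_HALF = bytes.fromhex("aad3b435b51404ee")


def lm_halves(password: str):
    """The two 7-byte DES key inputs of the LAN Manager hash (the DES step itself is not shown).

    LM upper-cases the password (the real thing uses the OEM code page; ASCII is assumed here),
    truncates or NUL-pads it to 14 bytes and splits it into two independent halves.
    """
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def lm_hash_findings(lm_hex: str) -> list:
    """What a 16-byte LM hash from a SAM dump gives away before any cracking is attempted."""
    raw = bytes.fromhex(lm_hex)
    if len(raw) != 16:
        raise ValueError("LM hash must be 16 bytes")
    findings = []
    if raw == LM_EMPTY_HALF * 2:
        findings.append("empty LM hash: blank password, or LM hash storage disabled")
    elif raw[8:] == LM_EMPTY_HALF:
        findings.append("second half empty: password is at most 7 characters")
    return findings


if __name__ == "__main__":
    print(nt_hash("password").hex())    # 8846f7eaee8fb117ad06bdd830b7586c
    print(lm_halves("password"))        # (b'PASSWOR', b'D\x00\x00\x00\x00\x00\x00')
    print(lm_hash_findings("aad3b435b51404eeaad3b435b51404ee"))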

SLIDE 22

Access Control to Objects

SLIDE 23

Domain

  • Domain: a collection of machines sharing a common user accounts database and security policy.
  • Advantage: you do not need an account on every workstation.
  • Windows NT uses domains to facilitate single sign-on and coordinated security administration.

SLIDE 24

Domain Controller

  • A domain controller (DC) is a server computer that responds to security authentication requests within a computer domain.
  • It is a server on a network that is responsible for allowing host access to domain resources.
  • It authenticates users, stores user account information and enforces security policy for a domain.

SLIDE 25

User Accounts

  • Each user needs a user account in a domain.

– The master copy of the user accounts database for the domain is held on a server called the primary domain controller (PDC); it is the only writable copy.
– Read-only copies are replicated to one or more backup domain controllers (BDCs), which can also authenticate users and can be promoted if the PDC fails.

  • Access to any network resource is decided from the user account: the account's SID and its group SIDs make up the access token against which the resource's ACL is checked.

SLIDE 26

Fields in a User Account

  • user name (login)
  • full name
  • password:

– up to 14 characters long (the limit of the NT 4.0 user interface and of the LM hash).
– You can force users to change their password at the next login.
– You can prevent them from changing their passwords.
– You can set an expiry date on passwords.

SLIDE 27

Fields in a User Account ctd.

  • User profile path:

– the profile defines the user's desktop environment, i.e., program groups, network connections, screen colors, etc.

  • Home directory:

– you can specify whether the home directory is on the local machine or on a network server.

  • Expiration date:

– by default, accounts do not have an expiration date.

SLIDE 28

Security Identifiers

  • Every user, group, and machine account has a unique security identifier (SID), which is used for discretionary access control. ACLs and access tokens hold SIDs, never names.
  • The SID is constructed when the account is created and is fixed for the account's lifetime. Deleting an account and re-creating it with the same name yields a new SID, so the old ACL entries no longer apply to it.
  • When a workstation or server joins a domain, it receives a SID that includes the domain's SID as a prefix: account SIDs have the form domain SID plus a relative identifier (RID). Machines need their SID to check whether they are in the same domain.
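An added example (not from the lecture) of the SID structure described above: converting between the textual S-R-IA-SA... form and the binary layout stored in security descriptors and tokens (revision byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), splitting an account SID into its domain prefix and relative identifier (RID), and checking whether two accounts belong to the same domain. The domain SID and the two accounts below are constructed; the well-known RIDs (500 Administrator, 501 Guest, 512/513/514 Domain Admins/Users/Guests) and the SYSTEM SID S-1-5-18 are fixed values in Windows.

```python
import struct

# Fixed RIDs Windows assigns in every domain (the first is why renaming Administrator is cosmetic).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_sid(text: str):
    """'S-1-5-21-...-500' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text: str) -> bytes:
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated input rather than silently misreading it."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or oversized SID blob")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def split_account_sid(text: str):
    """An NT account SID is the domain SID (S-1-5-21-a-b-c) followed by the RID; split the two."""
    revision, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % text)
    domain = "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs[:4])
    return domain, subs[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    return split_account_sid(sid_a)[0] == split_account_sid(sid_b)[0]


def describe_rid(text: str) -> str:
    rid = split_account_sid(text)[1]
    return WELL_KNOWN_RIDS.get(rid, "RID %d (ordinary account or group)" % rid)


# Constructed example domain (not a real SID) and two accounts in it.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ADMIN = DOMAIN + "-500"
MICHAELW = DOMAIN + "-1105"
SYSTEM = "S-1-5-18"  # well-known SID of the operating system itself

if __name__ == "__main__":
    print(sid_to_bytes(ADMIN).hex())
    print(describe_rid(ADMIN), "|", describe_rid(MICHAELW))
    print(same_domain(ADMIN, MICHAELW))
```

The binary form is what actually sits in a security descriptor or token; the textual form is only a display convention, which is why tools that compare names rather than SIDs get renamed-Administrator and deleted-and-recreated accounts wrong.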

SLIDE 29

NT Executive – object oriented

  • An object is anything that needs naming, sharing, or protecting with respect to user-mode processes.
  • Object types (examples): process, file, access token, (registry) key, memory section, devices, network shares, NT services, printers, timers, events.

SLIDE 30

Security Descriptor of Each Object

It contains:

  • the security ID of the owner of the object
  • a group security ID
  • a discretionary access control list (DACL), whose entries are AccessAllowed or AccessDenied ACEs
  • a system access control list (SACL), whose SystemAudit entries say what to write to the security audit trail

Caveat: an object whose security descriptor has no DACL at all (a NULL DACL) is unprotected and grants everyone full access; an object with an empty DACL (zero entries) grants nobody access. The two look alike in a dump but mean opposite things.

SLIDE 31

Access to Windows NT Objects

[Figure: access to a Windows NT object. Left, the access token: Security ID S-1-5-21-146..., User Name MichaelW, Group IDs Employees, Scientists, EVERYONE, LOCAL, INTERACTIVE, other information. Right, the file object's security descriptor with its access control list: Deny MichaelW All; Allow Employees Read, Write; Allow Scientists Execute; ... The access being requested is Read. With the deny entry listed first, it is matched before the allow entries for MichaelW's groups, so the request is refused.]
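The check the SRM makes in the figure above, as an added example (not code from the lecture): a token carrying the user's SID and group SIDs, a security descriptor with an owner and a DACL, and the canonical evaluation order in which ACEs are walked top to bottom, a deny that overlaps any still-requested bit fails the request, and allows accumulate until everything requested is granted. It also covers the two cases practitioners get bitten by, a NULL DACL (no protection at all) versus an empty DACL (nobody gets in), and the owner's implicit right to rewrite the DACL, which is the take-ownership bypass of slide 41. The access bits, principals and ACLs are constructed to match the figure (group names stand in for group SIDs); applying the owner rule before the ACE walk is this model's simplification of the real SeAccessCheck.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed subset of the NT access mask, enough to express the slides' R/W/X/D/P/O permissions.
READ, WRITE, EXECUTE, DELETE = 0x01, 0x02, 0x04, 0x08
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10, 0x20, 0x40
ALL = READ | WRITE | EXECUTE | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
TAKE_OWNERSHIP_PRIV = "SeTakeOwnershipPrivilege"


@dataclass
class Ace:
    kind: str      # "allow" or "deny" (audit entries live in the SACL, not here)
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None = NULL DACL (unprotected); [] = empty DACL (no access for anyone)


@dataclass
class Token:
    user: str
    groups: Set[str]
    privileges: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user} | self.groups


def access_check(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """Return True if every requested bit is granted, following the SRM's evaluation order."""
    remaining = requested
    # The owner can always read and rewrite the DACL (model simplification: applied before the ACE walk).
    if sd.owner in token.sids():
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    # A user right, not an ACL entry: the take-ownership privilege bypasses the DACL for WRITE_OWNER.
    if TAKE_OWNERSHIP_PRIV in token.privileges:
        remaining &= ~WRITE_OWNER
    if remaining == 0:
        return True
    if sd.dacl is None:          # NULL DACL: the object is not protected at all
        return True
    for ace in sd.dacl:          # ACEs are evaluated in stored order; the GUI tools keep denies first
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False         # a matching deny that overlaps what is still wanted ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                 # empty DACL or nothing matched: denied


def take_ownership_then_grant(token: Token, sd: SecurityDescriptor) -> bool:
    """Slide 41's bypass: become owner, then use the owner's implicit WRITE_DAC to replace the DACL."""
    if not access_check(token, sd, WRITE_OWNER):
        return False
    sd.owner = token.user                       # this change is visible afterwards: audit it
    if not access_check(token, sd, WRITE_DAC):
        return False
    sd.dacl = [Ace("allow", token.user, ALL)]
    return True


def figure_descriptor() -> SecurityDescriptor:
    """The file object of the figure; Alice as owner is an assumption (the figure does not show one)."""
    return SecurityDescriptor(owner="Alice", dacl=[
        Ace("deny", "MichaelW", ALL),
        Ace("allow", "Employees", READ | WRITE),
        Ace("allow", "Scientists", EXECUTE),
    ])


MICHAELW = Token("MichaelW", {"Employees", "Scientists", "Everyone", "Local", "Interactive"})
ALICE = Token("Alice", {"Employees", "Everyone", "Interactive"})
ADMIN = Token("Admin", {"Administrators", "Everyone"}, {TAKE_OWNERSHIP_PRIV})

if __name__ == "__main__":
    sd = figure_descriptor()
    print("MichaelW read:", access_check(MICHAELW, sd, READ))          # False: the deny ACE is hit first
    print("Alice read+write:", access_check(ALICE, sd, READ | WRITE))  # True, via Employees
    print("Admin after take-ownership:", take_ownership_then_grant(ADMIN, sd), access_check(ADMIN, sd, ALL))
```

Two things to notice when reading real ACLs with this model in mind: the kernel honours the stored ACE order, and only the editing tools guarantee that denies come first, so an ACL written by a program can put an allow ahead of a deny; and the owner's implicit WRITE_DAC is why "take ownership" is listed among the rights that bypass access control on slide 36.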

SLIDE 32

Administration (Security Management)

SLIDE 33

Local and Global Groups

  • Group: a group is a collection of user accounts.
  • User rights and permissions: members inherit those given to the group.
  • Why do we need groups? They are an intermediate layer of control between users and objects: you administer the group, not each user.
  • How to deal with special cases? Permissions given to a group can be withdrawn from an individual member of the group with a deny entry for that user.

SLIDE 34

Local and Global Groups ctd.

  • Remark: Within a domain, groups can be defined globally for the entire domain or locally for an individual workstation.
  • Global groups: defined for the domain; contain only user accounts and no other group accounts.
  • Local groups: defined for a workstation (or for the domain controllers); contain both user accounts and global groups.
  • Why? Place two layers of control between subjects and objects: users go into global groups, global groups go into local groups, and permissions are given to local groups. See next slide!

SLIDE 35

Local and Global Groups ctd.

[Figure: two layers of groups between subjects and objects. Users shown: Bob, Alice, Adelie, Humboldt, Magellan, Bear, Elephant, Lion. Group names shown under the GLOBAL GROUPS and LOCAL GROUPS columns: North, Seals, South, Penguins. Permissions on the objects at the right: RWXD, RW, X, No access, RWX, RW, No access.]

SLIDE 36

User Rights

  • Definition: They specify what a user is allowed to do on the system.

– E.g., auditing, backup, shutting down the system

  • Remark: There exist user rights that allow the holder to bypass access control.

– E.g., the right to take ownership, and the backup and restore rights, which read and write files regardless of their ACLs. Assigning these rights is equivalent to handing out administrative access.

SLIDE 37

Built-in Groups

  • Definition: Built-in groups and accounts have predefined user rights and permissions.
  • Global built-in groups: Domain Admins, Domain Users, and Domain Guests.
  • Local built-in groups: Administrators, Backup Operators, Users, Guests (and, on workstations, Power Users).

SLIDE 38

Suggestions for System Manager

  • System managers are advised

– to stick to the built-in groups when implementing their security policies; and
– to define groups with different permission patterns ONLY IF there are strong reasons for doing so.

SLIDE 39

Setting up the Built-in Account “Administrator User Account”

  • This account is created when Windows NT is installed.
  • It is the account you use when you first set up a new domain controller, member server, or workstation.
  • You use this account before you create an account for yourself.
  • It is a member of the Administrators local group on a domain controller, workstation, or member server.
  • It cannot be removed or disabled from the Administrators local group, cannot be deleted, and is exempt from account lockout.
  • It can be renamed, and commonly is, but its RID is always 500, so renaming hides it only from attackers who look it up by name.

SLIDE 40

Who does the Systems Administration in Windows NT

  • It is performed by members of the built-in local groups Administrators, Server Operators, Backup Operators, Account Operators, and Print Operators.
  • The rights of these groups are limited to match their tasks.
  • The Power Users group on a workstation can manage local resources like printers or local accounts.

– On my PC I have a power user account, and I can manage local resources on my PC.

SLIDE 41

Administrator’s Power and Limitation

  • Unlike in Unix, Administrators do not automatically have a superuser privilege.
  • Permissions on files can be set so that Administrators do not have automatic access.
  • However, Administrators may be able to bypass access control.

– For example, an administrator may take ownership of a file and then, as its new owner, rewrite the access control list defined for the file.
– The difference from Unix root is procedural rather than absolute: the bypass takes an explicit, auditable step and leaves a trace (the file's owner has changed), but it cannot be prevented. The backup right is a second route, since it reads files regardless of their ACLs.

SLIDE 42

Further Built-in Groups

  • Everyone: contains all local and remote users, including Guest; this group can be used to grant or deny permissions to all users.

– Caveat: in Windows NT 4.0, Everyone also covers anonymous (null session) connections, so anything granted to Everyone on a share or registry key is reachable without credentials.

  • Interactive: contains all users logged on locally.
  • Network: contains all users logged on over the network.
  • System: the operating system.
  • Creator Owner: the creator or owner of a file or resource.

SLIDE 43

Auditing with audit log

  • Tracks success/failure of the following events:

– Logon and logoff
– File and object access
– Use of user rights
– User and group management
– Security policy changes
– Restart, shutdown, and system security
– Process tracking
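A detection pass over the logon and system-security categories listed above, as an added example (not from the lecture): a sliding-window count of failed logons per account, a separate alert when a success follows a burst of failures, and a tamper alert when the audit log is cleared. The event IDs are the ones the NT 4.0 security log uses for these events (528 successful logon, 529 logon failure with unknown user name or bad password, 517 audit log cleared); the record layout and every record in SAMPLE are constructed for this example, not real log data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT 4.0 security log event IDs used below (the pre-Vista numbering).
LOGON_SUCCESS = 528
LOGON_FAILURE_BAD_CREDENTIALS = 529
AUDIT_LOG_CLEARED = 517

# Constructed sample records: (timestamp, event id, account, workstation). Not real log data.
SAMPLE = [
    ("1999-03-01 09:00:00", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:00:20", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:00:40", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:01:00", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:01:20", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:01:40", 529, "MichaelW", "WS17"),
    ("1999-03-01 09:02:00", 528, "MichaelW", "WS17"),
    ("1999-03-01 09:05:00", 529, "Alice", "WS03"),
    ("1999-03-01 09:05:30", 528, "Alice", "WS03"),
    ("1999-03-01 09:30:00", 517, "Administrator", "PDC1"),
]


def _parse(records):
    for ts, event_id, account, workstation in records:
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, workstation


def _expire(window_start, timestamps):
    """Drop failure timestamps that fall outside the sliding window."""
    while timestamps and timestamps[0] < window_start:
        timestamps.popleft()


def detect(records, threshold=5, window=timedelta(minutes=5)):
    """Return (alert, account, workstation) tuples in the order the evidence appears."""
    alerts = []
    recent_failures = defaultdict(deque)   # account -> timestamps of 529 events inside the window
    for ts, event_id, account, workstation in _parse(records):
        if event_id == AUDIT_LOG_CLEARED:
            # Clearing the log is itself recorded as the first event of the new log; treat it as tampering.
            alerts.append(("audit log cleared", account, workstation))
            continue
        failures = recent_failures[account]
        _expire(ts - window, failures)
        if event_id == LOGON_FAILURE_BAD_CREDENTIALS:
            failures.append(ts)
            if len(failures) == threshold:          # fire once per burst, at the threshold
                alerts.append(("password guessing", account, workstation))
        elif event_id == LOGON_SUCCESS:
            if len(failures) >= threshold:          # the guesser got in, or the user finally typed it right
                alerts.append(("success after guessing burst", account, workstation))
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The "success after guessing burst" case is the one worth paging on: a burst of failures alone is noise from mistyped passwords and stale mapped drives, but a success at the end of one means either the guess worked or the account's owner should be asked whether the failures were theirs.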

SLIDE 44

Further Reading

  • D. Gollmann, Computer Security, Wiley, 1999.
  • S. A. Sutton, Windows NT Security Guide, Addison-Wesley Developers Press, 1996.
  • L. Hadfield, D. Hatter, and D. Bixler, Windows NT Server 4 Security Handbook, Que Corporation, 1997.
  • T. Sheldon, Windows NT Security Handbook, McGraw-Hill, 1997.

SLIDE 45

Index

  • SRM: Security Reference Monitor.
  • LSA: Local Security Authority.
  • SAM: Security Account Manager.
  • PDC: Primary Domain Controller.
  • BDC: Backup Domain Controller.
  • SID: security identifier.
  • A dynamic link library (DLL) is a collection of small programs, any of which can be called when needed by a larger program that is running in the computer.

SLIDE 46

Appendix

New Technology File System

SLIDE 47

New Technology File System (NTFS) Basic Permissions

  • Access permissions are defined by the owner of the file for

– other users, and
– groups.

  • The basic permissions are:

– Read (R)
– Write (W)
– Execute (X)
– Delete (D)
– Change access permission (P)
– Take ownership (O)

SLIDE 48

Access Permissions for Files

  • No Access: nothing allowed (No Access overrides any permission the user gets through a group).
  • Read (RX): read and execute access only.
  • Change (RWXD): read, write, execute, delete.
  • Full Control (all): R + W + X + D, change access permissions, take ownership.
  • Special Access: any combination of the 6 permissions in Full Control.

SLIDE 49

Access Permission for Directory (1)

  • No Access: nothing allowed.
  • List (RX): list the files in a directory and its subdirectories.
  • Read (RX): list and open the files in a directory and its subdirectories, move into a subdirectory, and execute files.

SLIDE 50

Access Permission for Directory (2)

  • Add (WX): add files to a directory, but cannot view the contents of the directory.
  • Add and Read (RWX): view and open files, execute application files, add files and subdirectories.
  • Change (RWXD): read, write, execute, delete, add files and subdirectories.

SLIDE 51

Access Permission for Directory (3)

  • Full Control (all): full access over the directory, including the permission to delete files and empty subdirectories regardless of their ACLs.
  • Special Directory Access: any combination of the directory permissions.

SLIDE 52

Access Permission for Files ctd

  • When a new file is created and NTFS permissions apply to the parent directory, the file inherits the access permissions from the parent directory.
  • When a file is moved between directories on the same NTFS volume, it keeps its NTFS permissions (the move is a rename; only the name changes, not the security descriptor).
  • If a file is copied, or moved to a different volume (which is a copy followed by a delete), it receives the permissions of the destination directory.
  • Practical consequence: moving a sensitive file into a locked-down directory does not lock it down, and moving a file out of a restricted directory does not open it up; check the resulting ACL rather than assuming it from the destination.
  • The administrator can decide to audit any subset of the events: R, W, X, D, change access permission, and take ownership.