Windows security
- Security features
- ACLs and capabilities
- Distributed access control management (domains)
- Audit
- Still poor security in practice: why?
Parts
- SRM - security reference monitor (access control; kernel mode)
- LSA - local security authority (authentication, creates capabilities; user mode)
- SAM - security account manager (account database, authentication; user mode)
- Login process
- Device drivers (including third-party ones) run in kernel mode
Central database: the Registry, which stores the user/group database, local security policy, etc.
- Tree-structured:
- HKEY_CLASSES_ROOT - file extension mappings (e.g. ".doc" -> "Word document", run MSWord)
- HKEY_CURRENT_USER - config info for the currently logged on user
- HKEY_LOCAL_MACHINE - config for the local machine
- HKEY_LOCAL_MACHINE\SAM - account database
- HKEY_LOCAL_MACHINE\Security - security config
- HKEY_LOCAL_MACHINE\Software - software config
- HKEY_USERS - all actively loaded user profiles on the system
- HKEY_USERS\DEFAULT - default settings
- HKEY_CURRENT_CONFIG - config for the hardware profile currently used by the local computer
Identification and authentication
Local: one- or two-way encrypted; possible strength checking; MD4 hashing
Distributed: two-way encrypted, DES block mode (two blocks) - consequences
Uses an incompatible proprietary version of Kerberos (orig. Unix). Specs available under the condition that you're not making a compatible implementation.
LSA calls SAM, gets SID: Security ID; returns SAT: System Access Token.
The SAT is a capability containing the user id (SID), rights, group SIDs, etc.
Users and groups defined locally and/or in domain servers (cf Unix/NIS).
Login/password controls definable e.g. for
- password expiration
- login hours
- etc
Access control
SAT can contain rights (privileges) or restrictions
ACLs can specify positive (Access Allowed) and negative permissions (No Access), and in addition SystemAudit (to log the access).
Subject (user) wants a set of permissions, e.g. read+write:
- Traverse the ACL entries:
- First check for negative permissions,
- then collect positive permissions until you have all you need.
- No ACL: access granted
- Empty ACL: access denied
- Owner can always change ACL
To see the ACLs, disable "Simple sharing" (under Folder properties(?))
Directory/File permissions:
- traverse folder/execute file
- list folder/read data
- create file/write data
- create folder/append data
- read attributes
- read extended attributes
- write attributes
- write extended attributes
- delete subfolder + files
- delete
- read permissions
- change permissions
- take ownership
Abstractions:
- full control (all permissions)
- modify
- read and execute
- list contents
- read
- write
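As an added example (not from the notes and not Windows' own code), the two-pass ACL check described above, together with the specific permissions and their abstractions, modelled in Python; it also covers the no-ACL, empty-ACL and owner cases. The bit values, the grouping of rights into abstractions and the SIDs used are assumptions; real Windows ACCESS_MASK values and generic mappings differ.

```python
from collections import namedtuple
from enum import IntFlag

# Specific permissions from the notes; bit values are constructed, not real ACCESS_MASK bits.
class Right(IntFlag):
    TRAVERSE = 1 << 0      # traverse folder / execute file
    LIST = 1 << 1          # list folder / read data
    CREATE_FILE = 1 << 2   # create file / write data
    CREATE_DIR = 1 << 3    # create folder / append data
    READ_ATTR = 1 << 4
    READ_EA = 1 << 5       # read extended attributes
    WRITE_ATTR = 1 << 6
    WRITE_EA = 1 << 7      # write extended attributes
    DELETE_CHILD = 1 << 8  # delete subfolders and files
    DELETE = 1 << 9
    READ_PERMS = 1 << 10
    CHANGE_PERMS = 1 << 11
    TAKE_OWNER = 1 << 12

# Abstractions as bundles of specific rights (grouping assumed, modelled on the notes' list).
READ = Right.LIST | Right.READ_ATTR | Right.READ_EA | Right.READ_PERMS
WRITE = Right.CREATE_FILE | Right.CREATE_DIR | Right.WRITE_ATTR | Right.WRITE_EA
READ_EXECUTE = READ | Right.TRAVERSE
MODIFY = READ_EXECUTE | WRITE | Right.DELETE
FULL_CONTROL = Right((1 << 13) - 1)
OWNER_IMPLICIT = Right.READ_PERMS | Right.CHANGE_PERMS  # owner can always change the ACL

# ACL entry: kind is "allow", "deny" or "audit" (SystemAudit); sid names the user/group.
Ace = namedtuple("Ace", "kind sid mask")

def check_access(acl, token_sids, wanted, owner, audit_log=None):
    """True if a token holding token_sids is granted every right in wanted.
    acl=None: object has no ACL, everything granted; acl=[]: empty ACL, nothing granted."""
    if acl is None:
        return True
    if owner in token_sids:  # owner's implicit rights never depend on the entries
        wanted = Right(int(wanted) & ~int(OWNER_IMPLICIT))
    applicable = [a for a in acl if a.sid in token_sids]
    # Pass 1: any applicable negative entry touching a wanted right ends the check.
    if any(a.kind == "deny" and a.mask & wanted for a in applicable):
        return False
    if audit_log is not None:  # SystemAudit entries log the attempt, they do not decide it
        audit_log.extend((a.sid, a.mask & wanted) for a in applicable if a.kind == "audit" and a.mask & wanted)
    # Pass 2: collect positive entries until every wanted right is covered.
    granted = Right(0)
    for a in applicable:
        if a.kind == "allow":
            granted |= a.mask & wanted
    return granted == wanted
```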
Permissions are normally inherited (copied) from the parent directory, unless there is no ACL, in which case everyone gets Full Control. Inheritance can also be specified for only container objects, only non-container objects, only the first level under a container...
Privileges are special rights which control access to system resources, e.g.
- backup files and directories (bypassing normal access control)
- generate security audits, manage audit logs
- take ownership of files/objects
- bypass traverse checking
- Note: traverse folder permission required to go "down" the hierarchy, unless the user has bypass traverse checking (default: everyone has)
- shut down system
Access Control Management
Global groups: defined centrally for the domain, contain users and global groups; basis for ACLs at domain level
Local groups: defined for the workstation, contain local users and groups (local or global)
[figure 7.2 p 115]
Groups used both for file and resource access.
- Administrators: special rights, can install programs, modify registry etc
- Backup operators
- Account operators
- Print operators
- Server operators
- Users: normal users, cannot install programs, run "legacy programs", etc.
- Power users: like users, but can also run "legacy programs"
- Everyone: all users (incl Guest)
- Interactive: local interactive logons (cf. role)
- Network: users logged in over network
- System: OS processes
(latter ones "dynamic", role-like)
Audit
Audit logs can be enabled, logging e.g.
- login (attempts or valid),
- accessing resources (e.g. creating/deleting/opening file)
Viewed by Event Viewer (Admin. tool), settings in Local Policies.
Interesting setting: audit log size. Note relevance to auditing (keeping a trail of security events)
- overwrite as needed
- overwrite older than N days
- don't overwrite
If the log is full: halt the system or keep running (configurable).
Attacks
DLL spoofing: In Windows NT/2000, DLLs (dynamically linked libraries) were searched for in the following order:
- program directory
- system directory
- current directory
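An added example, not from the notes: a small resolver that applies the search order listed above to constructed directory contents and reports, for each DLL a program needs, where it would be loaded from and whether that deserves a look (a copy hiding the system DLL, or a load satisfied only by the current directory). The paths and file names are made up.

```python
# Constructed directory contents standing in for the file system: directory -> file names.
FS = {
    r"C:\Program Files\App": {"app.exe", "helper.dll"},
    r"C:\WINNT\System32": {"kernel32.dll", "user32.dll", "helper.dll"},
    r"D:\Downloads": {"report.doc", "plugin.dll"},
}

def search_order(program_dir, system_dir, current_dir):
    """Search order from the notes for Windows NT/2000: program, then system, then current directory."""
    return [program_dir, system_dir, current_dir]

def resolve_dll(name, order, fs):
    """Return the first directory in `order` holding `name` (case-insensitive), or None."""
    for d in order:
        if name.lower() in {f.lower() for f in fs.get(d, ())}:
            return d
    return None

def audit_loads(needed, program_dir, system_dir, current_dir, fs):
    """For every DLL name in `needed`, return (name, directory it resolves to, finding).
    Findings: "ok"; "shadows-system" when a copy earlier in the order hides the system
    DLL; "from-current-dir" when only the current directory satisfies the load (what
    opening a document from an untrusted folder exposes); "missing" when nothing matches."""
    order = search_order(program_dir, system_dir, current_dir)
    report = []
    for name in needed:
        src = resolve_dll(name, order, fs)
        if src is None:
            finding = "missing"
        elif src == current_dir:
            finding = "from-current-dir"
        elif src != system_dir and resolve_dll(name, [system_dir], fs) is not None:
            finding = "shadows-system"
        else:
            finding = "ok"
        report.append((name, src, finding))
    return report
```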
DLL hooks: attach a user/program-specified function to handle an event, e.g. when the user presses a key, moves the mouse, etc.
This makes things easier for trojans, spyware and viruses.
Why security is still poor in practice:
- Poor defaults (e.g. all users are Admins, no file protection)
- Legacy needs (e.g. copy protection of games) require Admin rights
- Complexity, "creeping featurism", feature interactions
- e.g. executable emails, opened by default
- Security is difficult to manage
- Security by obscurity: proprietary formats, possibly patented