Department of Information Technology

Windows security

  • Security features
    • ACLs and capabilities
    • Distributed access control management (domains)
    • Audit
  • Still poor security in practice: why?

Parts

  • SRM - security reference monitor (access control; kernel mode)
  • LSA - local security authority (authentication, creates capabilities; user mode)
  • SAM - security account manager (account database, authentication; user mode)
  • Login process
  • Device drivers (also third-party) are running in kernel mode

Central database: the Registry, which stores the user/group database, the local security policy, etc.

  • Tree-structured:
    • HKEY_CLASSES_ROOT - file extension mappings (e.g. ".doc" -> "Word document", run MSWord)
    • HKEY_CURRENT_USER - config info for the currently logged on user
    • HKEY_LOCAL_MACHINE - config for the local machine
      • HKEY_LOCAL_MACHINE\SAM - account database
      • HKEY_LOCAL_MACHINE\Security - security config
      • HKEY_LOCAL_MACHINE\Software - software config
    • HKEY_USERS - all actively loaded user profiles on the system
      • HKEY_USERS\DEFAULT - default settings
    • HKEY_CURRENT_CONFIG - config for the hardware profile currently used by the local computer

Identification and authentication

2.1. Passwords

Local: one- or two-way encrypted; possible strength checking; MD4 hashing
Distributed: two-way encrypted, DES block mode (two blocks) - consequences

Uses an incompatible proprietary version of Kerberos (orig. Unix). Specs available under the condition that you're not making a compatible implementation.

2.2. Login

LSA calls SAM, gets the SID (Security ID) and returns a SAT (System Access Token).
The SAT is a capability containing the user id (SID), rights, group SIDs, etc.

Users and groups defined locally and/or in domain servers (cf Unix/NIS).

Login/password controls definable e.g. for

  • password expiration
  • login hours
  • etc

Access control

The SAT can contain rights (privileges) or restrictions.

ACLs can specify positive (Access Allowed) and negative permissions (No Access), and in addition SystemAudit (to log the access).

Subject (user) wants a set of permissions, e.g. read+write:

  • Traverse the ACL entries:
    • First check for negative permissions,
    • then collect positive permissions until you have all you need.
  • No ACL: access granted
  • Empty ACL: access denied
  • Owner can always change ACL
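
A runnable model of the decision rule above, added here as an illustration (constructed example, not Windows code; the group names and the sample ACL are made up, and rights are named as in the NTFS list further down):

```python
# Model of the ACL decision rule: deny entries first, then collect allow
# entries until the whole request is covered; no ACL grants, empty ACL denies.
from typing import Iterable, Optional, Set, Tuple

# ACE = (kind, sid, rights); kind is "deny", "allow" or "audit" (SystemAudit).
Ace = Tuple[str, str, Set[str]]

OWNER_IMPLICIT = {"read permissions", "change permissions"}  # owner can always change ACL


def check_access(token_sids: Set[str], requested: Set[str],
                 acl: Optional[Iterable[Ace]], owner_sid: str = "") -> Tuple[bool, bool]:
    """Return (granted, audited) for a subject whose SAT holds token_sids."""
    if acl is None:                   # no ACL at all: access granted
        return True, False
    aces = list(acl)
    if not aces:                      # empty ACL: access denied
        return False, False
    # SystemAudit ACEs log the attempt whether or not it succeeds.
    audited = any(kind == "audit" and sid in token_sids and rights & requested
                  for kind, sid, rights in aces)
    needed = set(requested)
    if owner_sid in token_sids:
        needed -= OWNER_IMPLICIT      # the owner never needs an ACE for these
    for kind, sid, rights in aces:    # 1. any matching negative entry denies
        if kind == "deny" and sid in token_sids and rights & needed:
            return False, audited
    collected: Set[str] = set()
    for kind, sid, rights in aces:    # 2. collect positive entries
        if kind == "allow" and sid in token_sids:
            collected |= rights
        if needed <= collected:       # all requested rights covered
            return True, audited
    return False, audited             # ran out of entries before it was covered


# Constructed sample ACL for a report file in a shared folder (hypothetical SIDs).
REPORT_ACL = [
    ("deny",  "G-contractors", {"create file/write data", "delete"}),
    ("allow", "G-users",       {"list folder/read data", "read attributes", "read permissions"}),
    ("allow", "G-editors",     {"create file/write data", "write attributes"}),
    ("audit", "Everyone",      {"delete"}),
]
READ_WRITE = {"list folder/read data", "create file/write data"}
```

Note that a contractor who is also an editor is refused read+write because the deny entry is hit before the allow entries are collected, but is still granted read alone.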

3.1. ACLs: NTFS

To see, disable "Simple sharing" (under Folder properties(?))

Directory/File permissions:

  • traverse folder/execute file
  • list folder/read data
  • create file/write data
  • create folder/append data
  • read attributes
  • read extended attributes
  • write attributes
  • write extended attributes
  • delete subfolder + files
  • delete
  • read permissions
  • change permissions
  • take ownership

Abstractions:

  • full control (all permissions)
  • modify
  • read and execute
  • list contents
  • read
  • write

Permissions are normally inherited (copied) from the parent directory, unless there is no ACL: then everyone gets Full Control. Inheritance can also be specified for only container objects, only non-container objects, only the first level under a container, etc.

3.2. Privileges

Privileges are special rights which control access to system resources, e.g.

  • backup files and directories (bypassing normal access control)
  • generate security audits, manage audit logs
  • take ownership of files/objects
  • bypass traverse checking
    Note: the traverse folder permission is required to go "down" the hierarchy, unless the user has bypass traverse checking (default: everyone has it)
  • shut down system

Access Control Management

Global groups: defined centrally for the domain, contain users and global groups; basis for ACLs on domain level
Local groups: defined for the workstation, contain local users and groups (local or global)

[figure 7.2 p 115]

Groups used both for file and resource access.

4.1. Examples

  • Administrators: special rights, can install programs, modify the registry, etc.
    • Backup operators
    • Account operators
    • Print operators
    • Server operators
  • Users: normal users, cannot install programs, run "legacy programs", etc.
  • Power users: like Users, but can also run "legacy programs"
  • Everyone: all users (incl Guest)
  • Interactive: local interactive logons (cf. role)
  • Network: users logged in over network
  • System: OS processes

(latter ones "dynamic", role-like)

Audit

Audit logs can be enabled, logging e.g.

  • login (attempts or valid),
  • accessing resources (e.g. creating/deleting/opening file)

Viewed by Event Viewer (Admin. tool), settings in Local Policies.

Interesting setting: audit log size. Note relevance to auditing (keeping a trail of security events)

  • overwrite as needed
  • overwrite older than N days
  • don't overwrite

When the log is full: halt (crash) the system, or not.

Attacks

DLL spoofing: In Windows 2000/NT, DLLs (dynamically linked libraries) were searched in

  • program directory
  • system directory
  • current directory

DLL hooks: attach a user/program-specified function to handle an event, e.g. when the user presses a key, moves the mouse, etc.

This makes life easier for trojans, spyware and viruses.

6.1. General problems

  • Poor defaults (e.g. all users are Admins, no file protection)
  • Legacy needs (e.g. copy protection of games) require Admin rights
  • Complexity, "creeping featurism", feature interactions
    • e.g. executable emails, opening by default
  • Security difficult to manage
  • Security by obscurity: proprietary formats, possibly patented

Updated 2006-10-03 11:46:34 by Björn Victor.