© Neeraj Suri
EU-NSF ICT March 2006
Budapest University of Technology and Economics
Department of Measurement and Information Systems
Zoltán Micskei
http://www.mit.bme.hu/~micskeiz
SECURITY SUBSYSTEM IN WINDOWS
Operating Systems
Copyright Notice
These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze
Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use)
http://www.academicresourcecenter.net/curriculum/pfv.aspx?ID=6191
© 2000-2005 David A. Solomon and Mark Russinovich
Questions
SID
BSOD
HKLM
Security tasks in Windows
Authentication
− Has / Knows / Is
− E.g. logon screen, password popup
Authorization
− Principle: Role based access control
− E.g. access control lists
Auditing
− Audit logging
Security entities in Windows
Security Identifier (SID)
Unique identifier
E.g. SID of a machine: S-1-5-21-2052111302-1677128483-839522115
Users, groups:
− <Machine SID>-<RID>
− RID: relative identifier
Well-known SIDs
− Everyone: S-1-1-0
− Administrator: S-1-5-domain-500
Vista: services also get their own SIDs
DEMO: Security identifier (SID)
psgetsid.exe machineName
psgetsid.exe administrator
psgetsid.exe <user>
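Added example, written for this transcript and not code from the slides or from the Sysinternals tools used in the demo: a small Python parser for the textual SID form shown on the SID slide. It splits a SID into revision, identifier authority and sub-authorities, recognises the <machine SID>-<RID> pattern, and names the well-known Everyone and Administrator SIDs, which is the kind of check one does when reading raw SIDs out of a security log. The machine SID and the well-known SIDs are the slide's; the user RID 1001 and the function names are assumptions of this example, and the 15 sub-authority limit follows SID_MAX_SUB_AUTHORITIES from the Windows headers.

```python
"""Parse and classify Windows SID strings of the form S-R-A-s1-s2-...
Added illustration; the machine SID, Everyone and the Administrator RID
come from the slide, the user RID 1001 is constructed."""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
WELL_KNOWN = {"S-1-1-0": "Everyone"}   # from the slide; Windows defines many more
ADMINISTRATOR_RID = 500                # built-in Administrator: <machine/domain SID>-500
MAX_SUB_AUTHORITIES = 15               # SID_MAX_SUB_AUTHORITIES in the Windows headers


def parse_sid(text):
    """Split 'S-R-A-s1-s2-...' into (revision, authority, [sub-authorities])."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).lstrip("-").split("-")]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    return revision, authority, subs


def is_machine_or_domain_sid(text):
    """True for S-1-5-21-<a>-<b>-<c>: the identifier of a machine or a domain."""
    _, authority, subs = parse_sid(text)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def split_machine_rid(text):
    """For an account SID <machine SID>-<RID> return (machine SID, RID), else None."""
    _, authority, subs = parse_sid(text)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        machine = "S-1-5-" + "-".join(str(s) for s in subs[:4])
        return machine, subs[4]
    return None


def describe(text):
    """Human-readable classification, e.g. for SIDs found in event log records."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if is_machine_or_domain_sid(text):
        return "machine/domain SID"
    split = split_machine_rid(text)
    if split:
        machine, rid = split
        if rid == ADMINISTRATOR_RID:
            return f"Administrator (RID 500) of {machine}"
        return f"account RID {rid} of {machine}"
    return "other SID"


if __name__ == "__main__":
    machine = "S-1-5-21-2052111302-1677128483-839522115"   # machine SID from the slide
    for sid in ("S-1-1-0", machine, machine + "-500", machine + "-1001"):
        print(sid, "->", describe(sid))
```

Running the block prints the classification of the slide's machine SID, its Administrator account (RID 500), a constructed user account (RID 1001) and Everyone.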
Authentication
Login
− Through Winlogon’s own desktop
− Secure Attention Sequence: Ctrl + Alt + Del
− Windows 8: Microsoft account, picture password
Storing passwords:
− Hash in the registry
Network authentication
− NTLM: NT LAN Manager
− Kerberos: since Windows 2000, in domain environment
Authentication – Access token
Impersonation
Security tasks in Windows
Authentication
− Has / Knows / Is
− E.g. logon screen, password popup
Authorization
− Principle: Role based access control
− E.g. access control lists
Auditing
− Audit logging
Categorizing authorization (see prev. lecture)
Authorization categories
− Compulsoriness: mandatory, discretionary
− Level: system level, resource level
− Types: integrity control, access control lists
Authorization methods in Windows
Mandatory Integrity Control
System level privileges and rights
Discretionary Access Control
DEMO: Mandatory Integrity Control
Vista feature
icacls /setintegritylevel H|M|L
Trying "No write up"
− psexec -l cmd.exe: starts with low integrity
E.g. Internet Explorer uses MIC
Authorization methods in Windows
Mandatory Integrity Control
System level privileges and rights
Discretionary Access Control
System level authorization
Privilege
− operating system level
− E.g.: shutdown machine, load device driver
− Name: SeShutdownPrivilege, SeLoadDriverPrivilege
Account right
− who can or cannot log on, and how
− E.g.: interactive, network logon…
DEMO: Privileges, Local Security Policy
Privileges
− whoami /priv
− Local Policy: User rights
Local Security Policy
− Password policy
− Account lockout
− Security options
Authorization methods in Windows
Mandatory Integrity Control
System level privileges and rights
Discretionary Access Control
Access control lists
Access control lists
Windows object: e.g. file, registry key, pipe…
Access control lists
High level structure
Access control lists
Owner: can change the object’s permissions even if no access is defined for it in the DACL
Access control lists
Discretionary Access Control List (DACL): access control
Access control lists
System Access Control List (SACL): security auditing
Access control lists
Access control entry (ACE) fields:
− Type: allow, deny, audit
− Flag: e.g. inheritance
− SID: who it applies to
− Mask: execute | delete | write owner…
Access control lists - Example
Object: C:\temp
Descriptor
− Owner: Administrator
− DACL
  ACE1: allow, inherits, Administrators, list folders | create files
  ACE2: allow, not inherited, Users, list folders | read attributes
− SACL
Access control lists
Inheritance flag
− For container type objects (e.g. folder)
− Child objects inherit the ACE
Evaluation method
− Several ACEs can apply to a given SID
− UNION of all the permissions from the ACEs
− Exception: a deny ACE overrides everything
DEMO: Authorization – Access control lists
Basic permissions
Inheritance
− Limiting inheritance
Take ownership
Effective permissions
− Union, except
− Deny ACE
Debugging: Process Monitor
Security tasks in Windows
Authentication
− Has / Knows / Is
− E.g. logon screen, password popup
Authorization
− Principle: Role based access control
− E.g. access control lists
Auditing
− Audit logging
Event log
System, application, security events
Event:
− Type, time, source, ID, description
Overwrite events:
− Never, only events older than x days, circular
DEMO: Auditing
Auditing policy
Content of the security log
Use of permissions
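Added example (not code from the slides or from the Windows event log service): a Python model of the three overwrite policies listed on the Event log slide, so their effect on the security log can be seen. Once the log is full, "never" and a retention window longer than the log actually covers both discard new events silently, while "circular" keeps the newest ones at the cost of the oldest. The class, its field names and the five events in demo() are constructed for this illustration.

```python
"""Bounded event log with the overwrite policies named on the slide:
'never' (stop logging when full), 'days' (overwrite only records older
than x days) and 'circular' (overwrite the oldest record). Added
illustration of the retention behaviour; the events are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    kind: str            # e.g. Information, Warning, Error, Audit Failure
    time: datetime
    source: str
    event_id: int
    description: str


class EventLog:
    def __init__(self, capacity, policy, days=None):
        if policy not in ("never", "days", "circular"):
            raise ValueError(f"unknown overwrite policy {policy!r}")
        if policy == "days" and days is None:
            raise ValueError("'days' policy needs an age threshold")
        self.capacity, self.policy, self.days = capacity, policy, days
        self.records = deque()
        self.dropped = 0     # events that could not be recorded

    def write(self, event):
        """Store `event`; return False if the policy forced it to be discarded."""
        if len(self.records) >= self.capacity:
            if self.policy == "never":
                self.dropped += 1
                return False
            if self.policy == "days":
                oldest = self.records[0]
                if oldest.time >= event.time - timedelta(days=self.days):
                    self.dropped += 1        # nothing old enough to overwrite
                    return False
            self.records.popleft()           # overwrite the oldest record
        self.records.append(event)
        return True

    def ids(self):
        return [e.event_id for e in self.records]


def demo():
    """Five constructed audit-failure events one day apart, written to a
    three-record log under each policy; returns (kept IDs, dropped count)."""
    start = datetime(2006, 3, 1)
    events = [Event("Audit Failure", start + timedelta(days=i), "Security", i,
                    f"constructed event {i}") for i in range(5)]
    logs = {
        "never": EventLog(3, "never"),
        "older_than_2_days": EventLog(3, "days", days=2),
        "older_than_10_days": EventLog(3, "days", days=10),
        "circular": EventLog(3, "circular"),
    }
    out = {}
    for name, log in logs.items():
        for e in events:
            log.write(e)
        out[name] = (log.ids(), log.dropped)
    return out


if __name__ == "__main__":
    for name, (kept, dropped) in demo().items():
        print(f"{name}: kept {kept}, dropped {dropped}")
```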
DEMO: User Account Control, Runas
Dangers of running as Administrator
Working as a limited user
− Windows XP: Run as… and the runas command
− Showing Run as…: left Shift + right-click
Vista solution: UAC
DEMO: Group Policy
Computer settings
− Security options
− System components, e.g. Windows Update
User settings
− Applications
− Windows interface
Templates
Administrative templates
~2500 settings
Troubleshooting
DEMO: Blue Screen of Death (BSOD)
If there is no other choice…
Don’t hate the messenger
KeBugCheckEx function, Bugcheck.h
Error reporting
Creating memory dump
Analyzing minidump in WinDbg
DEMO: Problem solving
Event log errors:
− Help & Support
− EventID.net
− Knowledge Base articles
Special startup modes
Hit F8 before the Windows logo