Florida State University
Windows servers: The NT security model
Breno de Medeiros, Florida State University, Fall 2005
NT networks
Networked NT machines can be:
- Primary Domain Controller: centralizes the user database/authentication
- Backup Domain Controller
- Domain member
- Non-domain member
Trusted domains / trusting resources: large networks may be segmented into multiple domains for administrative reasons. The existence of trust relationships enables users in one domain to access resources in a different domain.
Architecture
Modular OS: interfaces (system calls) are available at:
- Integral subsystems
- Environment subsystems
Both run in the "user mode" protection space.
An important feature is the use of two modes of operation, user mode and kernel mode. Important functions related to the OS behavior and interface are located in the user mode space. The part of the operating system related to the operation of system resources, and the Security Reference Monitor, which makes access control decisions, run in the protected kernel mode.
The Object Manager intermediates all access to system resources. All resources are therefore abstracted as objects.
- I/O Manager: manages the I/O system calls of applications and services in user space, intermediating between them and the I/O device drivers.
- IPC Manager (Interprocess Communication Manager): manages communication between the environment subsystems and servers running in the Executive.
- Virtual Memory Manager: as in other operating systems, enables the use of disk space as backing store for system memory.
- Process Manager: handles process and thread creation and termination.
- PnP Manager: handles plug-and-play features, i.e., hardware support, mostly at boot time or when a new device is added to the system.
- Power Manager: controls power-related events and interrupts.
Source: http://en.wikipedia.org/wiki/Image:Windows_2000_architecture.PNG
Security viewpoint
Four main components:
- Executive (kernel mode)
- Protected servers (user mode)
- Network subsystem (both kernel and user modes)
- Administrator tools (user mode)
Windows NT comes in both server and workstation configurations. The server has more administrative tools and more services installed by default.
Handle tables
- Each process has a table of "object handles" which enable the process to access those resources
- Maintained by the Object Manager
- Each handle describes the type of access the process has to the object (read, write, etc.)
- The Object Manager ensures that access is only granted if compatible with the handle
When a process requests a new resource for the first time, the Object Manager asks the Security Reference Monitor to decide whether the process may acquire the handle. Subsequent accesses to the same resource will not involve the Security Reference Monitor, because a handle granting the access type will already be available in the process's handle table.
Processes are themselves objects in the system. A process essentially contains a handle table listing all objects it has access to, a virtual, private address space, an associated space in physical memory, and a list of threads. Processes, being objects, can be accessed directly (if a handle to them is available). A process can have no threads, in which case it cannot run. Each thread has an execution context, including registers and stack pointers.
File system protection
Windows NT systems support many file systems, including:
- File Allocation Table (FAT) FS
- NTFS
- CD-ROM FS (CDFS)
- Named Pipe File System (NPFS)
- Mailslot File System (MSFS)
Only NTFS is protected by the access control system. Use FAT only on diskettes.
The reason for so many file system types is that NT uses abstraction layers for device drivers, and the highest-level view of a storage or network device is a file system.
Configuration Manager
- Keeps the configuration registry
- Stores system configuration information, including the password database (SAM), hardware and initialization information, and OS configuration information
- Entries in the registry are called keys
Security-related servers
- Winlogon
- Session Manager
- Local Security Authority
- Security Accounts Manager (SAM)
- Service Controller
- Event Logger
Local Security Authority
- Local Security Authority Subsystem Service (LSASS)
- Invoked at login time, it verifies the user authentication and grants the system access token (SAT), which is used to start the initial shell and is inherited by all programs spawned during this login session
- Performs audit functions
- Operates in user mode
Is it safe to have a process that performs critical security checks run in user mode? It can be, provided that executive-level privileges are required to edit it or change its functionality. In other words, the operational integrity of this program must be guaranteed by executive-level access control over it.
Security Account Manager (SAM)
- User mode component
- Maintains the user account database required by the LSA
Therefore the login sequence requires the following intermediation by security-related services: Winlogon, LSA, SAM.
SAM and authentication
- It is possible to configure a special computer called a domain controller to consolidate the SAM database in a single server.
- Secure Attention Sequence: <CTRL> + <ALT> + <DEL> cannot be captured by user-level programs.
- The system invokes Winlogon, which starts a graphical application (GINA), to handle local and remote connection requests (via the LSA and SAM).
Protection (Access Control)
Windows NT and later provide discretionary access control (DAC). The unit of control is called an ACE (access control entry). The format of an ACE is as follows:
ACE field / description:
- Inheritance control flags (Boolean flags): OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE
- ACE type: ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, SYSTEM_AUDIT_ACE
- ACE type-specific flags: SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG
- Access mask
- SID
First, note that the Windows operating system assumes that objects are of one of two types:
1) Containers, e.g. directories, may contain other objects.
2) Non-containers, such as files, cannot contain other objects.
If certain ACE flags for a container are set, the masks are inherited by the contained objects. Since Windows has both 'grant' and 'deny' access entries, it also becomes important to understand the algorithm that evaluates the final, effective rights. (By contrast, in UNIX there are only 'grant' access permissions, so the algorithm for evaluating access privileges is immediate.)
Boolean flags used to control the inheritance characteristics of the ACE:
- OBJECT_INHERIT_ACE: inherited by sub-objects of a container object.
- CONTAINER_INHERIT_ACE: inherited by sub-containers of a container object.
- NO_PROPAGATE_INHERIT_ACE: inheritance control flags are not propagated in ACEs inherited by sub-containers.
- INHERIT_ONLY_ACE: the ACE is not to be used in validating access attempts to the corresponding object, but will be applied to sub-objects as they are created.
The following flags apply if this ACE is of type SYSTEM_AUDIT_ACE:
- SUCCESSFUL_ACCESS_ACE_FLAG: audit messages should be generated for successful accesses.
- FAILED_ACCESS_ACE_FLAG: audit messages should be generated for failed accesses.
The masks have different meanings according to the type:
- ACCESS_ALLOWED_ACE: access mask indicating which accesses are granted to the specified SID.
- ACCESS_DENIED_ACE: access mask indicating which accesses are denied to the specified SID.
SID: System ID to which this ACE applies. Each subject in Windows has an associated SID.
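To make the inheritance flags and the grant/deny evaluation concrete, here is an added example (not part of the slides) that models both in a few lines: the flag values, access-mask bits, SID strings and the directory DACL are all constructed for illustration, and the inheritance rules are a simplified rendering of the NT behaviour the slide describes.

```python
# Added example (not from the slides): toy model of NT ACE inheritance and in-order DACL evaluation.
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x1, 0x2
NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE = 0x4, 0x8
ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE = "allow", "deny"
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4        # toy access-mask bits
# Constructed DACL on a directory: (type, inheritance flags, mask, SID).
# Canonical order puts explicit deny entries before allow entries.
DIR_DACL = [
    (ACCESS_DENIED_ACE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, WRITE, "S-Guests"),
    (ACCESS_ALLOWED_ACE, OBJECT_INHERIT_ACE, READ | WRITE, "S-Users"),
    (ACCESS_ALLOWED_ACE, CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE,
     READ | WRITE | EXECUTE, "S-Admins"),
]

def inherit(parent_dacl, child_is_container):
    """ACEs a newly created child receives from its container (simplified rules)."""
    out = []
    for ace_type, flags, mask, sid in parent_dacl:
        if child_is_container:
            if not flags & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE):
                continue
            # CONTAINER_INHERIT makes the ACE effective on the sub-container; OBJECT_INHERIT
            # alone is carried as inherit-only so it still reaches files created below.
            if flags & CONTAINER_INHERIT_ACE:
                new_flags = flags & ~INHERIT_ONLY_ACE
            else:
                new_flags = flags | INHERIT_ONLY_ACE
        else:
            if not flags & OBJECT_INHERIT_ACE:
                continue
            new_flags = 0                   # non-containers pass nothing on
        if flags & NO_PROPAGATE_INHERIT_ACE:
            new_flags = 0                   # inheritance stops one level down
        out.append((ace_type, new_flags, mask, sid))
    return out

def access_check(dacl, token_sids, requested):
    """Walk the DACL in order; True only if every requested bit gets granted."""
    granted = 0
    for ace_type, flags, mask, sid in dacl:
        if flags & INHERIT_ONLY_ACE or sid not in token_sids:
            continue                        # not effective here, or not our SID
        if ace_type == ACCESS_DENIED_ACE and mask & requested:
            return False                    # explicit deny ends the walk
        if ace_type == ACCESS_ALLOWED_ACE:
            granted |= mask & requested
            if granted == requested:
                return True
    return False                            # end of list: implicit deny
```

A user who is in both Users and Guests can read but not write a file created under the directory, the Users ACE is inherit-only on a sub-directory, and the NO_PROPAGATE flag keeps the Admins entry from reaching files two levels down.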
Overview of the security infrastructure
Windows has support for a centralized policy database, audit log, and SAM database. The various user mode services are conceptually protected because changes to them are managed through the Security Reference Monitor.
Picture from "Final Evaluation of Windows NT Workstations" by Science Applications International Corp. / Ctr. for Information Security.
Windows passwords
Password policies can be established using the User Manager administration tool, which supports the following:
- Password aging
- Minimum password length
- Password uniqueness
- Account lockout features: number of failed logon attempts; how long to lock out an account
Better password protection is offered through passfilt.dll:
- Passwords must be at least six characters long
- Passwords must contain at least three of the following four classes of characters: upper case letters, lower case letters, numbers, non-alphanumeric characters (punctuation symbols)
- Passwords cannot match your username or any part of the full name listed for the account
Windows passwords
The original Windows password hashing scheme (LM):
- Up to 14-character passwords (all uppercase)
- Computed as two independent hashes over 7-character halves
- Highly vulnerable to dictionary-based attacks, such as L0phtCrack
NTLM uses all 14 characters for a single hash.
- The LM hash is still exported by default for compatibility with older machines on the same network (i.e., placed in the SAM)
- NTLMv2 accepts passwords longer than 14 characters, and in that case the exported LanManager values are incorrect (backward incompatibility)
- Encrypts password hashes before storing them in the SAM
- Enforce 15 characters as the minimum password length and disable LM authentication
For instance, if the system had a minimum 8-character password length and a user chose a 9-character password, one LM hash would correspond to the first 7 characters and the second to the last two characters.
Much of Windows secure configuration involves editing registry files to enforce various settings.
Password hash challenge-and-response
- Windows machines use hash-based challenge-and-response mechanisms
- This implies that while passwords are required for local login, password hashes can be used for remote authentication
- It also means that, by eavesdropping on the network and capturing challenge/response pairs, an adversary can collect information to perform dictionary and/or brute-force attacks on the password