© Neeraj Suri EU-NSF ICT March 2006 Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Zoltán Micskei

Slides:



Advertisements
Similar presentations
Managing User, Computer and Group Accounts
Advertisements

Chapter Five Users, Groups, Profiles, and Policies.
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
© Neeraj Suri EU-NSF ICT March 2006 Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Zoltán Micskei
Windows Vista Security model and vulnerabilities.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Scheduling in Windows Zoltan Micskei
Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.
Windows Security Mechanisms Al Bento - University of Baltimore.
Access Control Lists and NTFS Permissions INFO333 – Lecture Mariusz Nowostawski Noria Foukia.
Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.
Security features of Windows What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored.
Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Unit OS4: Scheduling and Dispatch 4.6. Demos.
W INDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING Alex Mclean Amy Valley Derek Visch.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
®® Microsoft Windows 7 for Power Users Tutorial 8 Troubleshooting Windows 7.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.
Operating System Security CS460 Cyber Security Spring 2010.
Hands-On Microsoft Windows Server 2008
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Chapter Six Windows XP Security and Access Controls.
With Windows XP, you can share files and documents with other users on your computer and with other users on a network. There is a new user interface.
7.3. Windows Security Descriptors
C HAPTER 6 NTFS PERMISSIONS & SECURITY SETTING. INTRODUCTION NTFS provides performance, security, reliability & advanced features that are not found in.
Section 7: Implementing Security Using Group Policy Exploring the Windows Security Architecture Securing User Accounts Exploring Security Policies Hardening.
Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.
Module 7: Fundamentals of Administering Windows Server 2008.
Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.
Module 4 Managing Access to Resources in Active Directory ® Domain Services.
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
1 Chapter Overview Configuring Account Policies Configuring User Rights Configuring Security Options Configuring Internet Options.
Windows Vista Inside Out Chapter 22 - Monitoring System Activities with Event Viewer Last modified am.
Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.
© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Implementing Group Policy. Overview What is Group Policy Introduction to Group Policy Group Policy Structure How Group Policy Settings Are Applied in.
Network Security. Need for security  Connecting to the Internet is quickly becoming a necessity for companies/ individuals  Understand the security.
Module 3 Configuring File Access and Printers on Windows ® 7 Clients.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Unit OS11: Performance Evaluation Lab Manual.
Unit OS A: Windows Networking A.4. Lab Manual. 2 Copyright Notice © David A. Solomon and Mark Russinovich These materials are part of the Windows.
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.
Unit OS12: Scripting Lab Manual. 2 Copyright Notice © David A. Solomon and Mark Russinovich These materials are part of the Windows Operating.
WCL310-R. Disabled by Default in Windows 7 and Vista Most Secure – Best Choice for IT Windows 7 and Vista - Default XP Default The Administrator The.
Page 1 User Accounts Lecture 3 Hassan Shuja 09/21/2004.
Managing Local Users & Groups. OVERVIEW Configure and manage user accounts Manage user account properties Manage user and group rights Configure user.
Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Unit OS7: Security 7.1. The Security Problem.
MA194Using WindowsNT1 Topics for the day… WindowsNT Security WindowsNT File System (NTFS) Viewing/Setting Document and Folder Permissions Access Control.
NetTech Solutions Supporting Local Users and Groups Lesson Three.
NetTech Solutions Security and Security Permissions Lesson Nine.
Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Unit OS7: Security 7.4. Lab Manual.
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Chapter Objectives In this chapter, you will learn:
Unit OS7: Security 7.4. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze.
Unit OSC: Interoperability
Unit OS11: Performance Evaluation
Unit OS A: Windows Networking
Unit OS2: Operating System Principles
Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools
Florida State University
Unit OS5: Memory Management
Windows Vista Inside Out
Access Control and Audit
Presentation transcript:

© Neeraj Suri EU-NSF ICT March 2006 Budapesti Műszaki és Gazdaságtudományi Egyetem Méréstechnika és Információs Rendszerek Tanszék Zoltán Micskei S ECURITY S UBSYSTEM IN W INDOWS Operating Systems

Copyright Notice  These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze  Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use)   © David A. Solomon and Mark Russinovich 2

Questions SID BSOD HKLM 3

Security tasks in Windows  Authentication − Has / Knows / Is − E.g. logon screen, password popup  Authorization − Principle: Role based access control − E.g. access control lists  Auditing − Audit logging 4

Security tasks in Windows  Authentication − Has / Knows / Is − E.g. logon screen, password popup  Authorization − Principle: Role based access control − E.g. access control lists  Auditing − Audit logging 5

Security entities in Windows 6

Security Identifier (SID)  Unique identifier  E.g. SID of a machine: S  Users, groups: − - − RID: relative identifier  Well-known SIDs − Everyone: S − Administrator: S-1-5-domain-500  Vista: services also get their own SIDs 7

DEMO  psgetsid.exe machineName  psgetsid.exe administrator  psgetsid.exe Security identifier (SID)

Authentication  Login − Through Winlogon’s own desktop − Secure Attention Sequence: Ctrl + Alt + Del − Windows 8: Microsoft account, picture password  Storing passwords: − Hash in the registry  Network authentication − NTLM: NT LAN Manager − Kerberos: since Windows 2000, in domain environment 9

Authentication – Access token  Impersonation 10

DEMO  registry − HKEY_LOCAL_MACHINE\SAM  viewing: psexec –s –i regedit.exe Security Account Manager DB

Security tasks in Windows  Authentication − Has / Knows / Is − E.g. logon screen, password popup  Authorization − Principle: Role based access control − E.g. access control lists  Auditing − Audit logging 12

Categorizing authorization (see prev. lecture) 13 Authorization categories CompulsorinessMandatoryDiscretionaryLevelSystem levelResource levelTypes Integrity control Access control lists

Authorization - Compulsoriness  Classical concepts (US DoD standard)  Mandatory − Only central access control − Users cannot change the policy  Discretionary − authorized users can change policies 14

Authorization – Level  System level − Privilege − Account right  Resource level − Integrity level − Access control list 15

Authorization – Types  Integrity control − Labeling objects ● low, medium, high… − Check: ● user with a lower integrity label cannot read up/write up  Access control list − Object → ( SID, permissions) ● Permission: write data, read attribute… 16

Authorization methods in Windows  Mandatory Integrity Control  System level privileges and rights  Discretionary Access Control 17

DEMO  Vista feature  icacls /setintegritylevel H|M|L  Trying „No write up” − psexec –l cmd.exe : starts with low integrity  e.g. Internet Explorer uses MIC Mandatory Integrity Control

Authorization methods in Windows  Mandatory Integrity Control  System level privileges and rights  Discretionary Access Control 19

System level authorization  Privilege − operating system level − E.g.: shutdown machine, load device driver − Name: SeShutdownPrivilege, SeLoadDriverPrivilege  Account right − who / how can or cannot login − E.g.: interactive, network logon… 20

DEMO  Privileges − whomai /priv − Local Policy: User rights  Local Security Policy − Password policy − Account locking − Security options Privileges Local Security Policy

Authorization methods in Windows  Mandatory Integrity Control  System level privileges and rights  Discretionary Access Control 22

Access control lists 23

Access control lists Windows object E.g. file, registry key, pipe… Windows object E.g. file, registry key, pipe… 24

Access control lists High level structure 25

Access control lists Can change the object’s permissions even if no access is defined 26

Access control lists Discretionary Access Control List Access control Discretionary Access Control List Access control 27

Access control lists System Access Control List Security auditing System Access Control List Security auditing 28

Access control lists Type allow, deny, audit Flag E.g. inheritance SID who to apply Mask execute | delete | write owner… Type allow, deny, audit Flag E.g. inheritance SID who to apply Mask execute | delete | write owner… 29

Access control lists - Example Object C:\temp Descriptor Owner: Administrator DACL ACE1: allow, inherits, Administrators, list folders | create files ACE2: allow, not inherited, Users, list folders | read attributes SACL 30

Access control lists  Inheritance flag − For container type objects (e.g. folder) − Child object inherits the ACE  Evaluation method − Several ACE can apply to a given SID − UNION of all the permission from the ACEs − Exception: deny ACE, it overcomes everything 31

DEMO  Basic permissions  Inheritance − Limiting inheritance  Take ownership  Effective permissions − Union, except − Deny ACE  Debugging: Process Monitor Authorization – Access control lists

Security tasks in Windows  Authentication − Has / Knows / Is − E.g. logon screen, password popup  Authorization − Principle: Role based access control − E.g. access control lists  Auditing − Audit logging 33

Eventlog  System, application, security events  Event: − Type, time, source, ID, description  Overwrite events: − Never, x day older, circular 34

DEMO  Auditing policy  Content of the security log  Use of permissions Auditing

DEMO  Dangers of running as Administrator  Working limited user − Windows XP: Run as… and runas command − Showing Run as..: left SHIFT + right click  Vista solution: UAC User Account Control, Runas

DEMO  Computer settings − Security options − System componets, e.g. Windows Update  User settings − Applications − Windows interface  Templates  Administrative templates  ~2500 settings Group Policy

Troubleshooting

DEMO  If there is no other choice…  Don’t hate the messenger  KeBugCheckEx function, Bugcheck.h  Error reporting  Creating memory dump  Analyzing minidump in WinDgb Blue Screen of Death (BSOD)

DEMO  Event log errors: − Help & Support − EventID.net − Knowledge Base articles Problem solving

Special startup modes  Hit F8 before the Windows logo 41

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.