
1 JMH Associates © 2004, All rights reserved Chapter 15 Windows System Security.

2 OBJECTIVES
Upon completion of this chapter, you will be able to:
- Describe Windows NT/2000 security and its components
  - Access Control Lists
  - Security Descriptors
  - Security Identifiers, and more
- Describe the differences between privileges and rights
- Create programs to manage security for NTFS files
- Be ready to apply security to other NT objects

3 OVERVIEW (1 of 2)
- Windows NT/2000 supports security; Windows 9x does not
- Every (sharable) NT object is securable
- Security applies to NTFS files
  - Not to FAT or other file systems
- NT security is C2 compliant
  - (NSA “Orange Book” for single systems)

4 OVERVIEW (2 of 2)
- NT security supports the required Discretionary Access Control Lists (DACLs) and System ACLs (SACLs, for auditing)
  - Specific allow and deny entries for users and groups for different types of access
- Security programming is difficult
  - Probably the most difficult in the Windows API

5 CONSTRUCTING A SECURITY DESCRIPTOR

6 [Diagram: constructing a security descriptor]
1) InitializeSecurityDescriptor
2) SetSecurityDescriptorOwner
3) SetSecurityDescriptorGroup
4) InitializeAcl
5) AddAccessDeniedAce · · ·
6) AddAccessAllowedAce · · ·
7) SetSecurityDescriptorDacl
Diagram labels: Process, Access Token (User SID, Group SID), Object, Security Descriptor (Owner SID, Group SID, Discretionary ACL), Access Control Entry (Denied) · · ·, Access Control Entry (Allowed) · · ·

7 SECURITY ATTRIBUTES
    typedef struct _SECURITY_ATTRIBUTES {
        DWORD nLength;
        LPVOID lpSecurityDescriptor;
        BOOL bInheritHandle;
    } SECURITY_ATTRIBUTES;
nLength
- Should be set to sizeof (SECURITY_ATTRIBUTES)
bInheritHandle
- Should be FALSE for now

8 SECURITY DESCRIPTOR (1 of 2)
    BOOL InitializeSecurityDescriptor (
        PSECURITY_DESCRIPTOR psd,
        DWORD dwRevision)
psd
- Should be set to address of a SECURITY_DESCRIPTOR
dwRevision
- Set to SECURITY_DESCRIPTOR_REVISION
The security descriptor contains:
- Owner Security Identifier (SID)
- Group SID
- Discretionary Access Control List (DACL)
- System ACL (SACL)

9 SECURITY DESCRIPTOR (2 of 2)
SetSecurityDescriptorOwner and SetSecurityDescriptorGroup
- Associate SIDs with descriptors
ACLs
- Initialized using InitializeAcl
- Associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl
Security descriptors
- Classified as either absolute or self-relative

10 ACCESS CONTROL LISTS
- Each ACL is a set of Access Control Entries (ACEs)
- Two types of ACE:
  - Access allowed and access denied
- Initialize an ACL with InitializeAcl
- Then add ACEs to discretionary ACLs:
  - AddAccessAllowedAce
  - AddAccessDeniedAce
- AddAuditAccessAce is for adding to a SACL
- Remove ACEs with DeleteAce
- Retrieve them with GetAce

11 SECURITY IDENTIFIERS (1 of 7)
    BOOL LookupAccountName (
        LPCTSTR lpSystem,
        LPCTSTR lpAccount,
        PSID psid,
        LPDWORD lpcbSid,
        LPTSTR lpReferencedDomain,
        LPDWORD lpcchReferencedDomain,
        PSID_NAME_USE psnu)
lpSystem
- Points to the system name (is often NULL)
lpAccount
- Points to the account name

12 SECURITY IDENTIFIERS (2 of 7)
psid
- Returned information of size *lpcbSid
lpcbSid
- The DWORD should be initialized to the size of your SID structure (psid)
- On return, you get the actual size
lpReferencedDomain
- String of length *lpcchReferencedDomain
- Should be initialized to the buffer size

13 SECURITY IDENTIFIERS (3 of 7)
psnu
- Points to a SID_NAME_USE (enumerated type) variable
- Can be tested for values such as:
  - SidTypeUser
  - SidTypeGroup
  - SidTypeWellKnownGroup

14 SECURITY IDENTIFIERS (4 of 7)
To convert a SID to an account name:
    BOOL LookupAccountSid (
        LPCTSTR lpSystem,
        PSID psid,
        LPTSTR lpAccount,
        LPDWORD lpcchName,
        LPTSTR lpReferencedDomain,
        LPDWORD lpcchReferencedDomain,
        PSID_NAME_USE psnu)

15 SECURITY IDENTIFIERS (5 of 7)
    BOOL GetUserName (
        LPTSTR lpBuffer,
        LPDWORD lpcchBuffer)
Other functions:
- InitializeSid
- AllocateAndInitializeSid

16 SECURITY IDENTIFIERS (6 of 7)
    BOOL SetSecurityDescriptorOwner (
        PSECURITY_DESCRIPTOR psd,
        PSID psidOwner,
        BOOL fOwnerDefaulted)
    BOOL SetSecurityDescriptorGroup (
        PSECURITY_DESCRIPTOR psd,
        PSID psidGroup,
        BOOL fGroupDefaulted)
Return: The SID from a security descriptor
- Owner or group

17 SECURITY IDENTIFIERS (7 of 7)
Parameters
psd
- Points to the appropriate security descriptor
psidOwner or psidGroup
- The address of the owner’s (group’s) SID
fOwnerDefaulted or fGroupDefaulted
- Use default information

18 INITIALIZING ACLs
    BOOL InitializeAcl (
        PACL pAcl,
        DWORD cbAcl,
        DWORD dwAclRevision)
pAcl
- Address of a programmer-supplied buffer of cbAcl bytes
dwAclRevision
- Should be ACL_REVISION

19 ADDING ACEs (1 of 2)
    BOOL AddAccessAllowedAce (
        PACL pAcl,
        DWORD dwAclRevision,
        DWORD dwAccessMask,
        PSID pSid)
    BOOL AddAccessDeniedAce (
        PACL pAcl,
        DWORD dwAclRevision,
        DWORD dwAccessMask,
        PSID pSid)
pAcl
- Points to ACL structure initialized with InitializeAcl

20 ADDING ACEs (2 of 2)
dwAclRevision
- Use ACL_REVISION
pSid
- Points to a SID
- Might be obtained from LookupAccountName
Access Mask typical values:
- GENERIC_READ
- GENERIC_WRITE
- GENERIC_EXECUTE
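The construction order on slide 6 (denied ACEs added before allowed ACEs) matters because the add functions append to the ACL and the access check walks the entries in stored order. The block below is an added example, not code from the presentation or from Windows: a simplified, portable C model of that walk. The `ModelAce` struct, the string SIDs and the function names are hypothetical; only the ACE-type and GENERIC_* constants carry their winnt.h values, and the real check first maps generic rights to object-specific rights.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* winnt.h values; everything else is a simplified, hypothetical model. */
#define ACCESS_ALLOWED_ACE_TYPE 0x0
#define ACCESS_DENIED_ACE_TYPE  0x1
#define GENERIC_READ  0x80000000u
#define GENERIC_WRITE 0x40000000u
typedef struct { uint8_t type; uint32_t mask; const char *sid; } ModelAce;

/* Constructed access token: one user SID and one group SID (placeholder strings). */
static const char *TOKEN[2] = { "SID-USER-ALICE", "SID-GROUP-STAFF" };

static int token_has(const char *sid) {
    return strcmp(TOKEN[0], sid) == 0 || strcmp(TOKEN[1], sid) == 0;
}

/* Walk the ACEs in stored order. A matching denied ACE covering a bit that is
   still requested fails the check at once; a matching allowed ACE clears the
   bits it grants. Access is granted only when no requested bit remains. */
int model_access_check(const ModelAce *dacl, size_t count, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < count && remaining != 0; i++) {
        if (!token_has(dacl[i].sid)) continue;
        if (dacl[i].type == ACCESS_DENIED_ACE_TYPE && (dacl[i].mask & remaining))
            return 0;                    /* deny reached before a full grant */
        if (dacl[i].type == ACCESS_ALLOWED_ACE_TYPE)
            remaining &= ~dacl[i].mask;  /* these bits are now granted */
    }
    return remaining == 0;
}

/* Same two ACEs, added in slide 6 order (denied first) or reversed. */
int check_order(int deny_first, uint32_t desired) {
    const ModelAce deny  = { ACCESS_DENIED_ACE_TYPE,  GENERIC_WRITE, "SID-USER-ALICE" };
    const ModelAce allow = { ACCESS_ALLOWED_ACE_TYPE, GENERIC_READ | GENERIC_WRITE, "SID-GROUP-STAFF" };
    ModelAce dacl[2];
    dacl[0] = deny_first ? deny : allow;
    dacl[1] = deny_first ? allow : deny;
    return model_access_check(dacl, 2, desired);
}

int main(void) {
    printf("denied ACE first,  write granted: %d\n", check_order(1, GENERIC_WRITE));
    printf("allowed ACE first, write granted: %d\n", check_order(0, GENERIC_WRITE));
    return 0;
}
```

With the denied ACE added last, the group's allowed ACE satisfies the write request before the user's deny is ever examined, which is why step 5 precedes step 6.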

21 ACL WITH SECURITY DESCRIPTOR
    BOOL SetSecurityDescriptorDacl (
        PSECURITY_DESCRIPTOR psd,
        BOOL fDaclPresent,
        PACL pAcl,
        BOOL fDaclDefaulted)
fDaclPresent
- If TRUE, you have an ACL in the pAcl structure
- If FALSE, the function ignores anything already in pAcl
fDaclDefaulted
- If FALSE, indicates an ACL generated by the programmer
- If TRUE, it was obtained by a default mechanism

22 SECURITY DESCRIPTOR
    BOOL GetFileSecurity (
        LPCTSTR lpFileName,
        SECURITY_INFORMATION secInfo,
        PSECURITY_DESCRIPTOR psd,
        DWORD cbSd,
        LPDWORD lpcbLengthNeeded)
    BOOL SetFileSecurity (
        LPCTSTR lpFileName,
        SECURITY_INFORMATION secInfo,
        PSECURITY_DESCRIPTOR psd)

23 SECURITY DESCRIPTOR
secInfo
- An enumerated type
- Takes on values such as:
  - OWNER_SECURITY_INFORMATION
  - GROUP_SECURITY_INFORMATION
  - DACL_SECURITY_INFORMATION
  - SACL_SECURITY_INFORMATION
  (which can be combined with the bitwise OR)

24 SECURITY DESCRIPTOR
To find the GetFileSecurity return buffer size
- Call it twice
- The first call uses 0 as the cbSd value
- After allocating a buffer, call the function a second time
- You must have the correct permissions on the file

25 OBTAIN AN ACL
    BOOL GetSecurityDescriptorDacl (
        PSECURITY_DESCRIPTOR psd,
        LPBOOL fDaclPresent,
        PACL *pAcl,
        LPBOOL lpfDaclDefaulted)
The parameters are nearly identical to SetSecurityDescriptorDacl

26 HOW MANY ACEs IN AN ACL (1 of 2)
    BOOL GetAclInformation (
        PACL pAcl,
        LPVOID pAclInformation,
        DWORD cbAclInfo,
        ACL_INFORMATION_CLASS dwAclInfoClass)
dwAclInfoClass
- Use AclSizeInformation in most cases

27 HOW MANY ACEs IN AN ACL (2 of 2)
pAclInformation
- A structure of type ACL_SIZE_INFORMATION
- Has three members:
  - AceCount: How many entries are on the list
  - AclBytesInUse
  - AclBytesFree

28 OBTAIN ACEs
    BOOL GetAce (
        PACL pAcl,
        DWORD dwAceIndex,
        LPVOID *pAce)
pAce
- Points to an ACE structure
- ACE structure has a member called “Header”
- Header has an AceType member which can be tested for:
  - ACCESS_ALLOWED_ACE_TYPE
  - ACCESS_DENIED_ACE_TYPE

29 SECURITY SUMMARY
- Remove ACEs with DeleteAce function
- For kernel security descriptors, use:
  - GetKernelObjectSecurity
  - SetKernelObjectSecurity
- Associate security descriptors with programmer-generated objects:
  - GetUserObjectSecurity
  - SetUserObjectSecurity
- Note difference between absolute and self-relative security descriptors
- System administrators can manage system ACLs

30 LAB D–A (1 of 2)
The functions in InitUnFp.c create and manage a SECURITY_ATTRIBUTES structure
- With (Read, Write, and Execute) permissions
- For (User, Group, and Other)
- Similar to UNIX file permissions
- You will need these functions in the two lab exercises

31 LAB D–A (2 of 2)
1. Write a program, chmod, to create a new file with specified permissions
   - Expressed as a 9-bit UNIX-style file permission
2. Write an enhancement of the ls program, lsFP, to find the existing permissions on a specified file
   - Assume that the permissions were created with chmod

