20771: Computer Security Lecture 9: Windows 2000 II


1
20-771 Computer Security Lecture 9: Windows 2000 II
  • Robert Thibadeau
  • School of Computer Science
  • Carnegie Mellon University
  • Institute for eCommerce, Fall 2002

2
Today's lecture
  • Windows 2000 Access II

3
Whitehead-Russell Principia Mathematica, Turing
Machine, Von Neumann Machine
  • Russell bio: http://www-groups.dcs.st-and.ac.uk/history/Mathematicians/Russell.html
  • Whitehead bio: http://www-groups.dcs.st-and.ac.uk/history/Mathematicians/Whitehead.html
  • Turing bio: http://www.turing.org.uk/turing/bio/part3.html
  • Original Turing Paper: http://www.abelard.org/turpap2/tp2-ie.asp#section-1
  • Von Neumann Bio: http://ei.cs.vt.edu/history/VonNeumann.html
  • Great demos: http://cgi.student.nada.kth.se/cgi-bin/d95-aeh/get/umeng

4
W-R 1910 (vol1 1913 vol2-3)
  •   WHITEHEAD RUSSELL Principia Mathematica. Vol
    1
  • Cambridge University Press, 1910 Large 8vo, pp.
    xiii, 3, 666. Inner margin cracked at pp.
    432-433. Publisher's blue cloth, blind ruled
    sides, gilt on spine. Closed tear at top of
    spine. Ex libris bookplate of Cheltenham Ladies
    College. An excellent copy of a rare book. FIRST
    EDITION of a book that DNB claims is the
    'greatest single contribution to logic that has
    appeared in the two thousand years since
    Aristotle.' On a trip to Paris, Russell and
    Whitehead heard an account of the work of
    Giuseppe Peano of Turin who introduced the use of
    symbols to represent logical notions. Russell and
    Whitehead saw the potential this ideography had
    to settle questions relating to the foundations
    of mathematics, which Russell had attempted, but
    not completed in his earlier Principles of
    Mathematics. The Principia was the result of
    their investigations. Russell wrote most of this
    first volume and most of the explanatory
    philosophical material in the introduction. There
    were 750 copies printed of this first volume;
    volumes II and III were not published until 1913
    and in editions of 500 copies each when the
    potential readership for such abstruse material
    was more realistically estimated. 'The
    publication of the Principia gave a marked
    impulse to the study of mathematical logic. The
    deft handling of complicated but precise
    symbolism encouraged workers to use this powerful
    technique and thus avoid the ambiguities lurking
    in the earlier employment of ordinary language'
    (DSB). Bookseller Inventory 81950
  • Price  1500.00 (approx. United Kingdom
    US 2337.58)
  • Presented by Simon Finch Rare Books, London

5
This Week
  • Read WS 8,9
  • Windows Homework
  • Next two weeks.

6
Windows C-2 Security Model
  • It must be possible to control access to a
    resource by granting or denying access to
    individual users or named groups of users.
  • Memory must be protected so that its contents
    cannot be read after a process frees it.
    Similarly, a secure file system, such as NTFS,
    must protect deleted files from being read.
  • Users must identify themselves in a unique
    manner, such as by password, when they log on.
    All auditable actions must identify the user
    performing the action.
  • System administrators must be able to audit
    security-related events. However, access to the
    security-related events audit data must be
    limited to authorized administrators.
  • The system must be protected from external
    interference or tampering, such as modification
    of the running system or of system files stored
    on disk.

7
Windows 2000 IPAAAA Model
8
Learning Windows 2000
  • MSDN Subscription (Universal)
  • Documentation Free at http://msdn.microsoft.com
  • CMU Student about 700 yr. (all OSs SDKs)
  • Corporate about 2500 yr.
  • Check into the MSDN Library
  • Infinitely better than TechNet which is
    generally worthless for learning how things work.
  • Books
  • MS Very useless for the manager
  • Pop Press Not good at telling you what actually
    happens
  • MSDN Library
  • The RFCs of Microsoftland!
  • A Better Understanding of what is really going on

9
Windows 2000 Access/Authorization
  • Much richer (more complicated) model
  • Grown out of Unix
  • Much more complicated ACL system, 32 Bit, not 12
    Bit
  • Many more special user types with magic
    capabilities
  • Intention more fine grained control
  • Faulty Intention? less subject to error

[Chart: Complexity Wins, comparing Windows and Unix]
10
Domain Security
  • Each domain is a security boundary.
  • This means that security policies and settings
    (such as administrative rights, security
    policies, and ACLs) do not cross from one domain
    to another.
  • The administrator of a domain has absolute rights
    to set policies within that domain only.
  • Trust is a magic MS word that means an explicit
    trust relation between a pair of Domains (Access
    Privilege for a Trusted Domain).

11
NT/2000 Domains
  • Introduced with NT (Win 2000 essentially NT)
  • Organizes Access Control across Local Machines
  • Centralized User Accounts
  • Centralized Group Accounts
  • Primary Domain Controller (PDC)
  • Multiple Backup Domain Controllers (BDCs)
  • Because access is centrally controlled
    everything is controlled -> software
    configuration
  • W2000 Server can be a Domain Controller
  • W2000 Professional can be only when Local Domain

12
Universe domain trees
  • You can combine multiple domains into structures
    called domain trees.
  • The first domain in a tree is called the root of
    the tree, and
  • additional domains in the same tree are called
    child domains.
  • A domain immediately above another domain in the
    same tree is referred to as the parent of the
    child domain.
  • All domains within a single domain tree share a
    hierarchical naming structure.
  • Domains that share a common root share a
    contiguous namespace.
  • Domains in a tree are joined together through
    two-way, transitive trust relationships.
  • These trust relationships are two-way and
    transitive, therefore, a domain joining a tree
    immediately has trust relationships established
    with every domain in the tree.
  • A set of domain trees can be also managed as a
    single forest in an active directory

13
Domain Trees
[Diagram: a tree of Domain Controller nodes, each with
attached Prof machines, and User Accounts]
14
What Is the Active Directory?
  • The Active Directory is THE directory service
    included with Windows Server (like the File
    System on Unix or Andrew).
  • It extends the features of previous Windows-based
    directory services and adds entirely new
    features.
  • The Active Directory is secure, distributed,
    partitioned, and replicated.
  • It is designed to work well in any size
    installation, from a single server with a few
    hundred objects to thousands of servers and
    millions of objects.
  • The Active Directory adds many new features that
    make it easy to navigate and manage large amounts
    of information, generating time savings for both
    administrators and end users.

15
Objects, Containers, Trees
  • Object
  • An object is a distinct, named set of attributes
    that represents something concrete, such as a
    file, user, a printer, or an application. The
    attributes hold data describing the subject that
    is identified by the directory object. Attributes
    of a user might include the user's given name,
    surname, and e-mail address.
  • Container
  • A container is like an object in that it has
    attributes and is part of the Active Directory
    namespace. However, unlike an object, it does not
    represent something concrete. It is a container
    for a group of objects and other containers.
  • A simple directory is a container.
  • A computer network or domain is also a container.
  • Tree
  • Tree is used to describe a hierarchy of objects
    and containers. Endpoints on the tree are usually
    objects. Nodes in the tree (points at which the
    tree branches) are containers. A tree shows how
    objects are connected or the path from one object
    to another.
  • A contiguous subtree is any unbroken path in the
    tree, including all members of any container in
    that path.

16
Example AD for company reskit.com
17
Some Hierarchies
18
Object Naming
  • An object has exactly one name, the distinguished
    name (DN).
  • The DN uniquely identifies the object and
    contains sufficient information for a client to
    retrieve the object from the directory. The DN of
    an object may be quite long and difficult to
    remember. Moreover, the DN of an object may
    change. Since the DN of an object is composed of
    the RDN of the object and its ancestors, a rename
    of the object itself or any ancestor will change
    the DN.
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adschema/w2k/A_name.asp
  • Object globally unique identifier (GUID)
  • A 128-bit number, guaranteed to be unique.
    Objects have a GUID assigned when they are
    created. The GUID is never changed, even if the
    object is moved or renamed. Applications can
    store the GUID of an object and be assured of
    retrieving that object no matter what the current
    DN is.
  • User Principal Name: Security Principals (users
    and groups) each have a "friendly" name, the User
    Principal Name (UPN), which is shorter than the
    DN and easier to remember.
  • The User Principal Name is composed of a
    "shorthand" name for the user and the DNS name of
    the domain tree where the user object resides.
    For example, user James Smith in the
    microsoft.com tree might have a UPN of
    "JamesS@Microsoft.com."

19
More on Names
  • Uniqueness of Names
  • Distinguished names are guaranteed to be unique.
    The Active Directory does not permit two objects
    with the same RDN under the same parent. DNs are
    composed of RDNs and are therefore unique. GUIDs
    are unique by definition; an algorithm that
    ensures uniqueness generates GUIDs. Uniqueness is
    not enforced for any other attributes.
  • Access to the Active Directory
  • Access to the Active Directory is via wire
    protocols. Wire protocols define the formats of
    messages and interactions of client and server.
    Various application-programming interfaces (APIs)
    give developers access to these protocols.
  • Protocol Support
  • LDAP: The Active Directory core protocol is the
    Lightweight Directory Access Protocol (LDAP).
    LDAP version 2 and version 3 are supported.
  • Also MAPI (homework if you want to find out..)
  • NOT OSI!

20
Registry Lingo
  • registry
  • A database in which Windows NT internal
    configuration information and computer- and
    user-specific settings are stored.
  • It is a tree
  • registry hive
  • A section of the registry that is saved as a
    file. The registry subtree is divided into hives.
    A hive is a discrete body of keys, subkeys, and
    values.

21
Object Protection
  • All objects in the Active Directory are protected
    by Access Control Lists (ACLs).
  • ACLs determine who can see the object and what
    actions each user can perform on the object. The
    existence of an object is never revealed to a
    user who is not allowed to see it.
  • An ACL is a list of Access Control Entries
    (ACEs) stored with the object it protects.
  • In Windows, an ACL is stored as a binary value
    called a Security Descriptor. Each ACE contains a
    Security Identifier (SID), which identifies the
    principal (user or group) to whom the ACE applies
    and information on what type of access the ACE
    grants or denies.
  • ACLs on directory objects contain ACEs that apply
    to the object as a whole and ACEs that apply to
    the individual attributes of the object.
  • This allows an administrator to control not just
    which users can see an object, but what
    properties those users can see. For example, all
    users might be granted read access to the e-mail
    and telephone number attributes for all other
    users, but security properties of users might be
    denied to all but members of a special security
    administrators group. Individual users might be
    granted write access to personal attributes such
    as the telephone and mailing addresses on their
    own user objects.

22
Windows Access Control Model: Compares SID to
Security Descriptor
[Diagram: YOU, identified by a SID (Security ID), are
compared against the OBJECT's Security Descriptor. Its
Access Control List (ACL) holds MANY ACEs (User a: user
permissions; Group a: group permissions; Group b ..;
more ACEs ...), each carrying 32 bits of RIGHTS.
Rights: User, Group, Local (System), Domain, Universe.
Object permissions differ by object type.]
23
Object Security Descriptor
OBJECT (or Container) -- Just a set of attributes
including the content
  • Discretionary Access Control List (DACL): ACE, ACE,
    ACE, ACE -- Who can do what?
  • System Access Control List (SACL): ACE, ACE, ACE,
    ACE -- Audit Trail
ACE => Access Control Entry (sic)
24
security descriptor
  • A set of access control information attached to
    every container and object on the network.
  • A security descriptor controls the type of
    access allowed to users and groups.
  • Administrators assign security descriptors to
    objects stored in the Active Directory to control
    access to resources or objects on the network.
  • A security descriptor
  • lists the users and groups that are granted
    access to an object (a file, printer, or service,
    for example), and
  • the specific permissions assigned to those users
    and groups.
  • See also discretionary access control list (DACL)
    and system access (audit) control list (SACL).

25
discretionary access control list (DACL)
  • A part of the security descriptor that specifies
    the groups or users that can access an object,
  • as well as the types of access (permissions)
    granted to those groups or users.
  • With Explicit ACCESS ALLOWED and DENIAL
  • Order of ACEs is IMPORTANT

26
Windows Authorization
27
Windows Default ACE order
  • Denial ACEs first then Allow ACEs
  • Within this, Specific to Object then non Specific

28
First Time Manager Mistake
  • Something doesn't work
  • You make yourself everything
  • Still doesn't work.
  • Problem: NT/2000 Security looks at you and makes
    you the MINIMUM capable of your groups
  • A Users group is pretty powerless
  • Select your groups very carefully to have the
    power you need
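
The order dependence on the last few slides, as an added example that is not from the lecture: a simplified model of DACL evaluation that walks the ACEs in stored order. The trustee names, the three-bit rights and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed three-bit rights; real Windows access masks are 32 bits wide.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # name standing in for a user or group SID
    mask: int      # rights this ACE denies or allows


def access_check(token_sids, dacl, desired):
    """Walk the ACEs in stored order, as the DACL slides describe.

    A matching deny ACE ends the walk if it covers a right that is still
    outstanding; allow ACEs accumulate until every desired right is granted.
    """
    outstanding = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                      # ACE is for somebody else
        if ace.kind == "deny":
            if ace.mask & outstanding:
                return False              # explicit denial
        else:
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True               # everything asked for is granted
    return False                          # never fully granted: implicit denial


def default_order(dacl):
    """Deny ACEs first, then allow ACEs; sorted() keeps ties in place."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")


# Constructed scenario: alice was added to every group to "fix" a problem.
ALICE = {"alice", "Users", "Administrators"}
AS_WRITTEN = [
    Ace("allow", "Administrators", READ | WRITE),
    Ace("deny", "Users", WRITE),
]


def scenario():
    """Same ACEs and same token; only the ACE order and the request vary."""
    ordered = default_order(AS_WRITTEN)
    return {
        "write, allow ACE stored first": access_check(ALICE, AS_WRITTEN, WRITE),
        "write, default order": access_check(ALICE, ordered, WRITE),
        "read, default order": access_check(ALICE, ordered, READ),
        "execute, default order": access_check(ALICE, ordered, EXECUTE),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

In default order the deny ACE on Users decides the write request even though alice is also in Administrators, so adding more groups to an account does not undo a denial.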

29
Remember in Unix the Special Bits?
  • 4: Set User ID causes an executable file (a
    program) to go into the access permissions of the
    owner of the file (note, group or OTHER could
    execute it!) not the person executing it.
  • 2: Set Group ID causes a new file that is being
    created in a directory to have the group ID of
    the directory, not the person (User) that is
    creating the file.
  • 1: Sticky Bit causes a new file that is being
    created in a directory to not be deletable by
    just anybody in that directory but by the user
    who created the file. The file is sticky
    because not-just-anybody can delete it.

30
Permissions: Think a LOT OF SPECIAL BITS
  • 32 to be precise
  • Meaning depends on kind of Object
  • E.g., are you a file or a directory?
  • ACL (Every Object has an Access Control List)
  • Every ACL has many ACEs
  • Typical Access Control Entries
  • Read
  • Write
  • Execute

31
Permissions
  • For a directory
  • Allow (User Or Group Member) What Apply-To
    Where
  • What
  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write
  • Where
  • This folder
  • Subfolders
  • Files

32
Fine Grained Permissions
  • Give meaning to full, modify, etc.
  • Built-ins
  • Traverse folder/ execute file
  • List folder/ read data
  • Read attributes
  • Read extended attributes
  • Create files/ write data
  • Create folders/ append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Read permissions
  • Change permissions
  • Take ownership

33
Special Identities
  • System (only the OS of Local) restricted root
    for SUID type actions.
  • Creator Owner (like self group in unix only a
    directory!)
  • Users get permissions of CreatorOwner (like
    Special Bits)
  • Everyone (an automatic group assignment for all
    users including guests)
  • Network (an automatic group assignment for
    users/guests that are not Local and who have been
    granted remote access)
  • Interactive (Local users/guests who have been
    granted access)

34
Example of Rights Complexity: Power User
  • rwdx his own files/directories
  • rwdx new system applications but not system
    services (rx)
  • rm system settings such as shares, printers,
    system time, and power management
  • rwd new user accounts (except administrators)
  • rwd new group accounts
  • W98/2000 Prof: By default any user is a power
    user

35
Standard 2000 Groups
  • Local (incl. Local Domain)
  • Global (Domain)
  • Universal (Nesting Domains)
  • Local
  • Administrators (same as root in unix)
  • Backup Operators
  • Replicator
  • Power Users
  • Users
  • Domain (adds)
  • Account Operators
  • Server Operators
  • Print Operators

36
Types of ACEs
  • Access-denied ACE: Used in a DACL to deny access
    rights to a trustee.
  • Access-allowed ACE: Used in a DACL to allow access
    rights to a trustee.
  • System-audit ACE: Used in a SACL to generate an
    audit record when the trustee attempts to exercise
    the specified access rights.
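
The pieces from the last several slides (what, where, trustee, ACE type) are what one ACE encodes in Windows' SDDL string form; the decoder below is an added example, not from the lecture. The sample string and the folder it describes are constructed; the hex masks and two-letter codes are the standard Windows values.

```python
import re

# File/directory bits of the 32-bit access mask, in the slide's order.
# Synchronize is not on the slide but is part of the composite masks.
FILE_BITS = [
    (0x000020, "Traverse folder / execute file"),
    (0x000001, "List folder / read data"),
    (0x000080, "Read attributes"),
    (0x000008, "Read extended attributes"),
    (0x000002, "Create files / write data"),
    (0x000004, "Create folders / append data"),
    (0x000100, "Write attributes"),
    (0x000010, "Write extended attributes"),
    (0x000040, "Delete subfolders and files"),
    (0x010000, "Delete"),
    (0x020000, "Read permissions"),
    (0x040000, "Change permissions"),
    (0x080000, "Take ownership"),
    (0x100000, "Synchronize"),
]
# SDDL rights aliases, and the composite masks behind the UI names.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000}
FULL_CONTROL, MODIFY, READ_EXECUTE = 0x1F01FF, 0x1301BF, 0x1200A9
ACE_TYPES = {"A": "Access-allowed ACE", "D": "Access-denied ACE",
             "AU": "System-audit ACE"}
TRUSTEES = {"BA": "Administrators", "BU": "Users", "PU": "Power Users",
            "BO": "Backup Operators", "SY": "System", "CO": "Creator Owner",
            "WD": "Everyone", "NU": "Network", "IU": "Interactive"}

# Constructed sample: a DACL and a SACL for a hypothetical folder.
SAMPLE = ("D:(D;;SDWDWO;;;PU)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;PU)"
          "(A;OICIIO;FA;;;CO)(A;CI;0x1200a9;;;WD)S:(AU;SAFA;WDWO;;;WD)")


def parse_rights(field):
    """Rights are either a hex mask or concatenated two-letter aliases."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for alias in re.findall("..", field):
        mask |= RIGHTS[alias]
    return mask


def decode_mask(mask):
    """Names of the fine-grained permissions set in a mask."""
    return [name for bit, name in FILE_BITS if mask & bit]


def parse_aces(sddl):
    """Decode every ACE in an SDDL string into the slides' vocabulary."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")[:6]
        flagset = set(re.findall("..", flags))
        where = [label for label, applies in (
            ("This folder", "IO" not in flagset),    # IO: inherit only
            ("Subfolders", "CI" in flagset),         # CI: container inherit
            ("Files", "OI" in flagset),              # OI: object inherit
        ) if applies]
        audit = [label for flag, label in (("SA", "Success"), ("FA", "Failure"))
                 if flag in flagset]
        aces.append({"type": ACE_TYPES[ace_type],
                     "trustee": TRUSTEES.get(sid, sid),
                     "where": where, "audit": audit,
                     "rights": decode_mask(parse_rights(rights))})
    return aces


if __name__ == "__main__":
    for ace in parse_aces(SAMPLE):
        print(ace)
    print("Full Control minus Modify:", decode_mask(FULL_CONTROL & ~MODIFY))
```

The last line shows what separates Modify from Full Control: deleting children, changing permissions and taking ownership.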
37
Group Policy Settings (special bits)
  • Registry-based policies
  • Includes Group Policy for the Windows operating
    system and its components and for applications.
    To manage these settings, use the Administrative
    Templates node of the Group Policy snap-in.
  • Security options
  • Includes options for local computer, domain, and
    network security settings.
  • Software installation and maintenance options
  • Used to centrally manage application
    installation, updates, and removal.
  • Script options
  • Includes scripts for computer startup and
    shutdown and user logon and logoff.
  • Folder redirection options
  • Allows administrators to redirect users' special
    folders to the network.

38
system access (audit) control list (SACL)
  • Part of a security descriptor that specifies
    which user accounts or groups to audit when
    accessing an object,
  • the access events to be audited for each group or
    user, and
  • a Success or Failure attribute for each access
    event, based on the permissions granted in the
    object's DACL
  • ACEs success or failure

39
Default Auditing Policy
What policy settings are in the Default Domain
Controllers Policy GPO? The following tables list
the policy settings in the Default Domain
Controllers Policy GPO.
 
40
Demonstration
  • run -> mmc /a
  • control -> administration tools, system
    management security policy
  • right click on object and go advanced
  • Event viewer

41
Break!
42
MSDN Links
  • How DACLs work: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/how_dacls_control_access_to_an_object.asp
  • File & Directory: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/file_security_and_access_rights.asp
  • String for ACE: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/ace_strings.asp
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/access_mask.asp

43
Features of Win 2000
  • Multiple methods of authenticating internal and
    external users
  • Protection of files through easy to use
    encryption
  • Protection across network through transparent
    encryption
  • Per-property access control for objects (many
    more detailed uses than read, write, and execute)
  • Smart card support for authentication and hiding
    private keys
  • Transitive trust relationships between domains
  • Public Key Infrastructure (PKI Certs handled
    transparently).
  • Code itself is routinely authenticated as to its
    source using PKI.

44
Bad News Good News
  • Complex
  • Many Hierarchies
  • Lots of How-To
  • Learn only MS
  • Use only MS 2000
  • Simple underlying model
  • MMC/ Active Directory / ACLs
  • Hierarchies are easy to browse/search
  • Only ONE way to configure
  • Good online docs, good HCI

45
What is your recommendation?
  • Machines have to be 128 megabytes
  • Think domain trees.
  • Inheritance
  • Build a root
  • Build a department
  • Add in other departments
  • Web Servers
  • Build a root
  • Build a web server
  • Add in other departments

46
Build a root?
  • The root should include
  • A top-level domain controller
  • A top-level certificate server
  • A top-level kerberos server
  • Possibly, a top-level SQL Server
  • Possibly, an exchange server (mail)
  • Possibly, a DNS server
  • If Intranetting an IIS server
  • These servers don't have to be big-time machines
    but do have to be reliable
  • Disk mirroring is built into NT/2000
  • Offsite backup replication (IPSec)
  • These machines should be under major lock and
    key.
  • Entry should be local console although remote is
    supported in Windows 2000.

47
Windows 2000 IPAAA Model
File Encrypt
48
Encrypting File
  • Think like SSL and others: uses RSA for
    authentication/authorization and Private Session
    Key for actual encryption/decryption
  • This means system has private key that it can use
    for decryption
  • Encrypted Data Recovery Policy (EDRP)
  • Workgroup (LOCAL Domain) this is local
  • In Domain, it is only with the Domain
    Administrator

49
One DESX Key, Many Certs
FILE OR DIRECTORY
  • Administrator CERT / Public Key M:
    Symmetric/Private/DESX/Encrypt/Decrypt Key A
  • UserQ CERT / Public Key Q:
    Symmetric/Private/DESX/Encrypt/Decrypt Key A
  • UserR CERT / Public Key R:
    Symmetric/Private/DESX/Encrypt/Decrypt Key A
Some can be certs in Data Decryption Field or
Data Recovery Field
50
File Encryption / Recovery Certificate
  • The symmetric encrypting key is encrypted using
    the public key derived from your EFS certificate.
  • The resulting encrypted data, along with your
    display name and a hash of the certificate, is
    stored in a named stream in the file that
    contains EFS metadata.
  • When EFS decrypts a file, it uses your private
    key to decrypt the symmetric encrypting key. EFS
    then uses the symmetric key to decrypt the data.
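
The key wrapping on these two slides, as an added example that is not from the lecture: one file encryption key (FEK) encrypts the data and is stored once per certificate in the Data Decryption Field or Data Recovery Field. Textbook RSA over Mersenne primes and a SHA-256 keystream stand in for the RSA certificates and DESX; every name is constructed and none of this is usable cryptography.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key


def keypair(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes (illustration only, not secure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def cert_hash(key):
    """Stand-in for the certificate hash stored beside each wrapped FEK."""
    return hashlib.sha256(str(key["n"]).encode()).hexdigest()[:16]


def wrap(fek, key):
    """Encrypt the FEK under a public key (textbook RSA, no padding)."""
    return pow(int.from_bytes(fek, "big"), E, key["n"])


def unwrap(wrapped, key):
    """Recover the 16-byte FEK with the matching private key."""
    return pow(wrapped, key["d"], key["n"]).to_bytes(16, "big")


def bulk_cipher(fek, data):
    """Stand-in for DESX: XOR with a SHA-256 counter keystream.

    The same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(fek + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def efs_encrypt(plaintext, users, recovery_agents):
    """One random FEK encrypts the data; each cert gets its own wrapped copy."""
    fek = secrets.token_bytes(16)
    return {
        "ddf": {cert_hash(k): wrap(fek, k) for k in users},        # decryption field
        "drf": {cert_hash(k): wrap(fek, k) for k in recovery_agents},  # recovery field
        "data": bulk_cipher(fek, plaintext),
    }


def recover_fek(efile, key):
    """Find this certificate's entry in either field and unwrap the FEK."""
    entries = {**efile["drf"], **efile["ddf"]}
    wrapped = entries.get(cert_hash(key))
    if wrapped is None:
        raise PermissionError("no DDF or DRF entry for this certificate")
    return unwrap(wrapped, key)


def efs_decrypt(efile, key):
    return bulk_cipher(recover_fek(efile, key), efile["data"])


def add_user(efile, authorised_key, new_key):
    """Share the file: wrap the same FEK for a new cert; the data is untouched."""
    fek = recover_fek(efile, authorised_key)
    efile["ddf"][cert_hash(new_key)] = wrap(fek, new_key)


if __name__ == "__main__":
    user_q, user_r, admin = keypair(61, 89), keypair(107, 127), keypair(521, 607)
    efile = efs_encrypt(b"constructed sample file contents", [user_q], [admin])
    add_user(efile, user_q, user_r)
    for name, key in (("UserQ", user_q), ("UserR", user_r), ("Administrator", admin)):
        print(name, efs_decrypt(efile, key))
```

Every holder of a listed private key recovers the same FEK, which is why the recovery agent can read a file it never encrypted.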

51
File Encryption is DES
  • Actually DESX, but the idea is the same: it
    operates like XOR; the number of bits is the
    number of tries needed to guess the key by brute
    force (without studied cryptanalysis).
  • 40 bits for International
  • 56 bits for US
  • 128 bits can be downloaded from MS Support
  • File Encryption Key Uses a Random (40, 56 or 128
    bit) Number (randomness is probably very good,
    but not cypher quality)
  • You can bet somebody somewhere has characterized
    the non-randomness already (haven't seen a
    publication)
  • This means WHAT? You should know the answer to
    this!

52
Sidebar: 3000 bit encryption
  • Answer: Yes, but.
  • It won't hurt but it probably doesn't matter.
    128 bit is
  • 1.70141183460469e38
  • 1 in 170,141,834,604,690,000,000,000,000,000,000,000,000
    tries
  • Slightly better than 6 in 9999 (your PIN on your
    bank account)
  • 86,400 seconds in a day, 31,500,000 in a year.
    3,150,000,000 in 100 years.
  • Need 54,000,000,000,000,000,000,000,000,000
    Guesses a Second (div by 2)
  • 54 billion trillion operations per second with
    the expectation that in 50 years you'll get it.
  • On the other hand, feel free.

53
Process
  • You right click and set property to encrypt a
    file/directory
  • If you don't have a user public/private keypair
    one is automatically generated in the
    background in your domain
  • Done once, you are done forever.
  • You can have others need management
  • The private/public key pair gains access to the
    session key for the file.

54
When it won't work
  • System bit set (system files can't be encrypted)
  • Compressed files (files marked compressed).
  • Read-Only files (this is because the file has to
    be written, temporarily, to be read).
  • FAT32 or any other FS than NTFS
  • Copy should be checked
  • Works because the file owner is always the file
    owner.

55
Cipher utility
  • Why would you want to encrypt an encrypted file?
    Try being administrator and user.
  • Data Decryption Field (certs), and Data Recovery
    Field (certs)
  • Encrypt a file as a user, and see if you can
    decrypt it as somebody else (who is the default
    recovery manager).
  • Note efsrecvr.exe as the Encrypted File System
    RECoVeR program you can use. You can also do this
    by right clicking and the security properties,
    owner.

56
Cert (X.509) EFS Solution
  • Many certs can hide the SAME private/ symmetric/
    session FEK (file encryption/decryption key) for
    a file.
  • These certs are SPECIAL FILE ENCRYPTION CERTS
    (using the user's private/public key)
  • http://support.microsoft.com/support/kb/articles/Q273/8/56.ASP
  • The file can have several depending on the CERT
    which is user Data Decryption Field
  • The file can have several recovery agents can
    have several depending on the CERT which is the
    recovery agent user.

57
User and Kernel Mode
  • MS has decided to keep encryption/decryption in
    Kernel Mode
  • This requires careful user Mode handling (NTFS
    calls EFS in complete privacy)
  • Cryptographic Provider (right now, the Microsoft
    Base defined for cryptoAPI. Could be smart
    card or external code/box).
  • There is another secret mode (SMI) that MS
    doesn't use.

58
CryptoAPI EFS Components
[Diagram: User Mode: USER APPLICATION, CryptoAPI,
CryptoProvider (RSA Private Key STORE). Kernel Mode:
NTFS, EFS. Label: Encrypts Communication.]
Msdn.microsoft.com search: KSecDD, Inside
Encrypting File System
59
CryptoAPI EFS Components
[Diagram: User Mode: USER APPLICATION, CryptoAPI,
CryptoProvider (RSA Private Key STORE). Kernel (Real)
Mode: NTFS, EFS. Labels: Encrypts Communication; BIOS
Real Mode, Phoenix Technologies, Device Responsibility.]
Msdn.microsoft.com search: KSecDD, Inside
Encrypting File System
60
Problems with File Encryption System
  • There is no integrity checking on files (PAAA
    only)?
  • WRONG There is, I, but only for the encryption
    header not the files themselves
  • The symmetric key is not necessarily just yours
  • You and anybody else allowed
  • Recovery cert owner.
  • Note, the EFS symmetric key in your local X.509
    is not yours but is the file or directory's,
    the container's. (Uses special hidden certs)
  • But! A private key is used to open the certs
    encrypted with the public key. You have to steal
    a private key of an RSA pair.
  • Many attacks
  • Clear text file may exist (not deleted)
  • Crypto-API is in the clear (NOT kernel)
  • You can't revoke the File Encryption Certificate

61
File Encryption Experience
  • Ease of use
  • Is there a way to have truly private files here?

62
Encrypting File System (EFS)
  • Think like SSL and others: uses RSA for
    authentication/authorization and Private Session
    Key for actual encryption/decryption

63
Features of Win 2000
  • Multiple methods of authenticating internal and
    external users
  • Protection of files through easy to use
    encryption
  • Protection across network through transparent
    encryption
  • Per-property access control for objects (many
    more detailed uses than read, write, and execute)
  • Smart card support for authentication and hiding
    private keys
  • Transitive trust relationships between domains
  • Public Key Infrastructure (PKI Certs handled
    transparently).
  • Code itself is routinely authenticated as to its
    source using PKI.

64
Windows Core Security