NT2k Security Overview - PowerPoint PPT Presentation

Slides: 54
Provided by: johnmc1
Transcript and Presenter's Notes

1
NT/2k Security Overview
  • TSM 352

2
Introduction
  • This series of lectures is intended to supplement
    the coverage by Cole, which
      • Doesn't go beyond NT 4.0
      • Is very limited in terms of principles
      • Is outdated

3
W2k Security Sub-system
  • Security Reference Monitor (SRM)
  • Security Accounts Manager (SAM)
  • Local Security Authority (LSA)
  • Active Directory Service
  • Kerberos
  • MSV1_0: the authentication package for WinNT
    authentication, used for backward compatibility
  • Netlogon Service

4
Security Sub-System

5
Security Reference Monitor (SRM)
  • A kernel-mode component that prevents direct
    access to objects by a user or process.
  • Validates all access to objects.
  • Generates appropriate auditing messages.

6
Security Accounts Manager (SAM)
  • A database of local users and groups.
  • Used for login authentication of local users.
  • Stored locally on all non-domain controller W2k
    machines.
  • In a network environment, this database may exist
    on a number of machines known as Domain
    Controllers which share and update account
    information.

7
Local Security Authority (LSA)
  • The central authentication and authorization
    component of each machine
  • Generates access tokens
  • Manages security policies on the local computer
  • Provides authentication for user logons.

8
Active Directory Service
  • Provides a database of user accounts and policies
    for the domain
  • Replaces the SAM for Domains
  • Can be distributed over several machines
  • Is often duplicated to a number of servers

9
Kerberos
  • Default authentication protocol.
  • Used for all authentication between W2k machines
    that support Kerberos.
  • Also provides the Kerberos Key Distribution
    Center (KDC) service, which provides
    ticket-granting services to the clients.

10
Backward-Compatibility
  • MSV1_0: the authentication package for WinNT
    authentication, used for backward compatibility
  • Netlogon Service: used to pass user credentials
    to the domain controller and return the domain
    security identifiers for the user. It is for
    backward compatibility with NTLM.

11
Default W2k Security Features
  • There are a number of security features that are
    automatically installed with W2k. These features
    are what distinguish the W2k OS from Win9x and
    even NT4.0.
  • It is important that you do a clean install,
    however, not an upgrade of NT4.0.

12
Windows 2000 Default Security
  • There are a number of security features that are
    automatically installed with W2k.
  • These features are what distinguish the W2k OS
    from Win9x and even NT4.0.
  • It is important that you do a clean install,
    however, not an upgrade of NT4.0.

13
Protected Memory
  • W2k takes advantage of features in the Intel
    Pentium (and later) to implement some of its
    security features.
  • Protected-memory features prevent any program
    from accessing the code or data used by another
    program or by the OS.
  • Every program runs in its own protected memory.
  • Unauthorized attempts by one program or process
    to access the memory of another program are
    denied by the OS.

14
User and Group Accounts

15
User Accounts
  • Any user who wants to access a Win2k system must
    have a user account on that system.
  • When a new user is created, Win2k assigns it a
    unique security identifier (SID).
  • All internal processes use the SID to identify
    the user.
  • The SID is unique for each account.
  • When first installed, Win2k Server or Pro will
    create two accounts:
      • Administrator
      • Guest
  • If other services are installed, other user
    accounts may be found also.
  • User accounts contain information about users,
    such as name and password, location of home
    directory, information about when and how users
    can log on, personal desktop settings, etc.

16
The Guest Account
  • Allows very restricted access to a system for
    people who do not have an account.
  • Generally used for accessing information on
    public systems; it should never have the ability
    to write or delete.
  • Disabled by default on Win2k.
  • If the guest account is enabled, unknown users
    can access any resource on a computer to which
    Guests and the Everyone group have access.
  • Keep in mind that users who log on as Guest do
    not need to specify a username, so you have no
    idea who is using the Guest account.

17
Kerberos Account
  • On Win2k DCs, an additional account is created:
    krbtgt.
  • This account is used for Kerberos authentication.
  • It cannot be deleted or renamed.
  • The password is automatically managed and should
    never be changed manually.

18
Some User Account Notes
  • All code executes in the context of a user
    account. Even code that runs automatically before
    anyone logs on runs in the context of an account
    (usually referred to as a SYSTEM account).
  • Obviously, a hacker's goal is to elevate himself
    to the highest user privilege possible in order
    to be able to execute code at the highest
    privilege level.
  • In Windows, the highest account is the Local
    Administrator or System account.
  • All other accounts are very limited, relatively
    speaking.
  • Attaining the status of Administrator is the
    ultimate goal of a hacker.
  • This has historically been dubbed 'attaining
    root' (from UNIX terminology, where the
    administrative account is known as the 'root
    account').

19
W2k Built-in Accounts

20
Groups
  • Groups are collections of users.
  • They exist to make user management easier.
  • Whereas the concept of users and user accounts is
    prevalent in all security-conscious operating
    systems, groups are not.
  • They are 'containers' for user accounts, and
    provide a convenient way to assign privileges to
    a group of users, rather than assigning these
    privileges individually.
  • As already mentioned, the hacker can achieve
    elevated status by advancing his user rights. One
    way this can be achieved is by adding his user
    account to a group with elevated rights.

21
W2K Built-in Groups

22
Authentication

23
The Logon Process
  • Anyone wanting to gain access to W2k resources
    must type a username and password.
  • This information is checked against a user
    account database, usually using Kerberos and the
    AD.
  • If the information matches the user is
    authenticated.
  • The authentication can also happen locally, by
    comparing the entered information to the local
    database.

24
Local versus Remote
  • Local logons are fairly straightforward. Network
    logons are a bit more complex.
  • When you access a remote Windows-based resource
    from the computer you have logged on to, you are
    not required to provide any additional
    authentication information (unless your current
    credentials do not match those necessary for
    access).
  • Instead, the LSA on your workstation requests a
    Kerberos session ticket for the desired server
    from a domain controller in the server's domain.
  • Once the LSA gets the session ticket, it will
    establish a session with the server.

25
Logon Components
  • There are two vital components in the logon
    process that are not part of the security
    sub-system:
      • Winlogon
      • Graphical Identification and Authentication
        (GINA)
  • The logon process uses the security sub-system,
    the GINA, and Winlogon to authenticate the user.

26
Authentication Protocols
  • Win2k has considerable flexibility in the way it
    can authenticate.
  • It uses Kerberos by default for authenticating
    other Win2k machines (and other machines that are
    Kerberos-capable).
  • However, this default will not cover all
    situations, and in many cases, even more security
    is required. Win2k comes with support for:
      • Smartcard authentication
      • Public key authentication
      • Backward-compatible NTLM

27
The Security ID (SID)
  • A SID is a globally unique value that identifies
    a user, group, or computer account.
  • Each user, group and computer is assigned a
    unique SID when the account is first created
  • The SID is used for all authorization decisions.

28
Authorization

29
Authorization
  • Authorization is the process by which the OS
    gives access to an object. This is done via two
    methods:
      • User Rights
      • Discretionary Access Control Lists (DACLs)
  • Every object can be secured individually or as a
    group.
  • The groups of objects can have different types of
    rights and permissions that are used to grant or
    deny access to them.
  • For example, file objects can have Read, Write,
    and Execute permissions, while print queues have
    permissions such as Manage Documents and Print.

30
The Security Descriptor
  • All objects have a security descriptor that
    describes their security attributes. These
    descriptors include:
      • The SID of the user who owns the object
        (usually the one who created it)
      • The DACL, which holds information about which
        users and groups can access the object
      • A System Access Control List (SACL), which
        defines the auditing on an object
      • A group security ID that is used by the POSIX
        sub-system. This is to allow inter-compatibility
        with *nix-type systems.

31
Rights versus Access
  • Keep in mind that there are two different aspects
    of the Win2k security system:
      • Rights
          • Rights deal with general types of actions,
            such as debugging a process.
          • Associated with users and groups
          • Used to control access at the local level
          • Can be grouped into
              • Logon Rights
              • Privileges
      • Access
          • Access deals with how a user can access an
            object. This will become more clear as we
            look at specifics.
          • Associated with objects

32
Some Logon Rights and Privileges
  • Logon Rights
      • Access this computer from the network
      • Log on locally
      • Deny access to this computer from the network
  • Privileges
      • Back up files and directories
      • Change the system time
      • Debug programs
      • Force shutdown from a remote system
      • Manage auditing and security log
      • Shut down the system
      • Take ownership of objects

33
Authorization Notes
  • Win2k has some predefined groups that have
    specific sets of rights.
  • Users added to groups obtain all the rights and
    permissions of the group. For example, a member
    of the Backup Operators group has rights to log
    on locally, shut down the system, back up files
    and directories, and restore files and
    directories.
  • Be careful: some privileges override object
    permissions.
  • For example, the Backup right will take
    precedence over all file and directory
    permissions.
  • The Debug Program right is very powerful; it can
    be used to attach to any system process and
    examine or modify its state. This right can
    easily be used to elevate to administrative
    privileges.

34
Group Policies

35
Group Policies Defined
  • Group policies are used to define configurations
    for users and computers.
  • You can configure things such as desktop
    settings, registry-based policies, security
    settings, software installation, scripts, and
    folder redirection.

36
Group Policy Categories
  • Accounts
      • Includes Kerberos policy, password policy, and
        account lockout policy. These are especially
        relevant. You set account policies for all user
        accounts at the same time on individual
        computers or in domains.
  • Local Computer
      • Includes audit policy, user rights policy, and
        security options (registry settings)
  • Event Log
      • Sets log size, rotation methods, and length of
        time logs are kept
  • Restricted Groups
      • Tracks and manages membership of groups
  • System Services
      • Specifies startup options, service rights and
        permissions, and service auditing
  • Registry
      • Sets access options and auditing
  • File System
      • Sets access options and auditing
  • Active Directory Objects
      • Sets access options and auditing

37
File Systems

38
About NTFS
  • NTFS is carried forward from previous NT systems,
    and is the recommended file system for Windows
    2k.
  • While NTFS provides a high level of security, it
    is important to understand that this security is
    available only when the Win2k OS is up and
    running.
  • Someone who steals your system or hard drive
    could use low-level byte editors to scan the
    drive and read or change its contents.
  • NTFS provides a way to control access to files
    and directories with permissions, but those
    permissions do no good if the OS is not available
    to control access.
  • Your security must also include physical security
    measures.
  • You might want to install encryption utilities to
    protect the stored data.

39
Encrypting File System
  • The EFS is an add-on package that has been
    integrated as a feature in W2k NTFS (NTFSv5).
  • Provides an integrated method of encrypting NTFS
    data on disk.
  • Uses public key technology and is an integrated
    service in Win2k.
  • Fairly transparent to the user, other than the
    performance hit which is experienced in all
    encryption.

40
Sharing Resources
  • There are two aspects to file system security:
      • Restricting access to information on a local
        computer
      • Restricting access to remote users
  • To make information on a Windows system available
    to other users on a network, you share the
    folder.
  • When you share the folder, all the files and the
    subfolders in it are shared as well.
  • You can then change the access permissions on any
    file or folder if you need to control them more
    granularly.

41
Setting Permissions
  • Permissions are set by administrators or owners
    of an object.
  • There are standard permissions and individual
    permissions. The individual permissions are used
    in combination to make up the standard
    permissions.
  • The standard permissions are designed to provide
    a set of permissions appropriate for the most
    common user requirements.
  • Of course, you can create your own special
    access permissions at any time to fit a custom
    need.

42
Getting Permissions
  • Users may get permission to access objects from a
    number of sources.
  • For example, they might have Read permissions
    through their user account and Change permissions
    because they are a member of a group.
  • The highest-level permission applies and the
    permissions are cumulative, so that permission
    assignments from different sources are combined.
  • However, a No Access permission from any source
    denies access to the object, no matter what other
    permissions are granted.
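
The security descriptor fields from slide 30 and the permission rules from slides 33 and 42, as an added Python example (not part of the original slides). It assumes the descriptor is written in SDDL string form, reduces file rights to read/write/execute, compares SIDs as strings, and uses a constructed descriptor and user SID.

```python
import re

# SDDL file-rights codes, reduced to three generic rights for this model.
RIGHTS = {"FR": {"read"}, "FW": {"write"}, "FX": {"execute"},
          "FA": {"read", "write", "execute"}}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_aces(acl):
    """Return (ace_type, rights, sid) for each ACE in a DACL or SACL string."""
    aces = []
    for ace_type, codes, sid in ACE_RE.findall(acl):
        rights = set().union(*(RIGHTS[c] for c in re.findall("..", codes)))
        aces.append((ace_type, rights, sid))
    return aces

def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner, primary group, DACL and SACL."""
    parts = re.split(r"([OGDS]):", sddl)[1:]
    fields = dict(zip(parts[0::2], parts[1::2]))
    return {"owner": fields.get("O"), "group": fields.get("G"),
            "dacl": parse_aces(fields.get("D", "")),
            "sacl": parse_aces(fields.get("S", ""))}

def effective_access(sd, token_sids, privileges=()):
    """Slide model: allows accumulate across sources, any deny wins, and
    the backup privilege grants read regardless of the DACL. (Simplified:
    the real access check walks the ACEs in order.)"""
    granted, denied = set(), set()
    for ace_type, rights, sid in sd["dacl"]:
        if sid not in token_sids:
            continue
        if ace_type == "A":        # access-allowed ACE
            granted |= rights
        elif ace_type == "D":      # access-denied ACE
            denied |= rights
    effective = granted - denied
    if "SeBackupPrivilege" in privileges:
        effective |= {"read"}
    return effective

# Constructed sample: owner Administrators (BA), group SYSTEM (SY), Guests (BG)
# denied everything, audit failed access by Everyone (WD).
ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SDDL = ("O:BAG:SYD:(D;;FA;;;BG)(A;;FR;;;" + ALICE + ")(A;;FRFW;;;BU)"
        "(A;;FA;;;BA)S:(AU;FA;FA;;;WD)")
SD = parse_sddl(SDDL)

if __name__ == "__main__":
    print(SD["owner"], SD["group"], SD["sacl"])
    print(effective_access(SD, {ALICE, "BU"}))        # read via user, write via group
    print(effective_access(SD, {ALICE, "BU", "BG"}))  # deny from Guests wins
    print(effective_access(SD, {"BO"}, ["SeBackupPrivilege"]))  # privilege override
```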

43
Auditing

44
W2K Auditing
  • The Win2k auditing system collects information
    about how objects are used, stores the
    information in log files, and lets you review
    those events to identify security breaches or
    performance problems.
  • If a security breach is discovered, the audit
    logs help you determine the extent of the damage
    so you can restore your system and lock out
    future intrusions.

45
Auditing Setup
  • You control the extent to which the auditing
    system tracks events.
  • Too much auditing can slow a system and use
    tremendous amounts of disk space.
  • Determining how much (and what type of) auditing
    to perform is an issue that must be carefully
    considered.
  • When you suspect unauthorized activities,
    probably the best approach is to audit these
    types of events:
      • Failed logon attempts
      • Attempts to access sensitive data
      • Changes to security settings

46
Using Event Viewer
  • You can use the Event Viewer to view the
    following security events:
      • User and group management events, such as
        creating a new user or changing the membership
        of a group
      • Subject tracking, which tracks the activities of
        users, such as when they start a program or
        access objects
      • Logon and logoff events on the local system or
        for the network
      • Object access, both successful and unsuccessful
      • Changes to security policies, such as changes to
        privileges and logon capabilities
      • Attempts to use privileges
      • System events that affect the security of the
        entire system or audit log
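
The three event types slide 45 recommends auditing, applied to a small log as an added Python example (not part of the original slides). The pipe-delimited export format, account names and timestamps are constructed; the numbers are the Windows 2000 Security log event IDs for these events.

```python
from collections import Counter, defaultdict

# Windows 2000 Security log event IDs mapped to the slide 45 categories.
CATEGORIES = {
    529: "failed_logon",      # logon failure: unknown user name or bad password
    560: "sensitive_access",  # object open (kept only when audited as Failure)
    608: "security_change",   # user right assigned
    612: "security_change",   # audit policy change
    636: "security_change",   # member added to a security-enabled local group
}

# Constructed sample export: time|event id|audit type|account|detail
SAMPLE = """\
2001-03-05 02:11:07|529|Failure|jsmith|workstation WS12
2001-03-05 02:11:09|529|Failure|jsmith|workstation WS12
2001-03-05 02:11:12|529|Failure|jsmith|workstation WS12
2001-03-05 02:11:40|528|Success|jsmith|workstation WS12
2001-03-05 02:13:02|560|Failure|jsmith|payroll.xls
2001-03-05 02:14:30|636|Success|jsmith|added to Administrators
2001-03-05 08:00:01|528|Success|mlee|workstation WS03
2001-03-05 08:02:10|560|Success|mlee|menu.txt
"""

def triage(text, threshold=3):
    """Group events by category and list the accounts worth a closer look."""
    by_category = defaultdict(list)
    failures = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, audit_type, account, detail = line.split("|", 4)
        category = CATEGORIES.get(int(event_id))
        if category is None:
            continue  # e.g. 528, a successful logon
        if category == "sensitive_access" and audit_type != "Failure":
            continue  # successful opens are too noisy for a first pass
        by_category[category].append((when, account, detail))
        if category == "failed_logon":
            failures[account] += 1
    repeated = {a for a, n in failures.items() if n >= threshold}
    # Accounts with repeated failed logons that also show a security change.
    changed = {a for _, a, _ in by_category.get("security_change", [])}
    return dict(by_category), sorted(repeated), sorted(repeated & changed)

if __name__ == "__main__":
    events, repeated, suspects = triage(SAMPLE)
    for category, items in events.items():
        print(category, len(items))
    print("repeated failures:", repeated, "plus security change:", suspects)
```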

47
Win2k Cryptography Features

48
W2k Cryptography
  • A CryptoAPI which provides access to a number of
    cryptographic algorithms for programs, so that
    they do not need to re-invent the wheel.
  • Built-in VPN capabilities
  • Public Key Infrastructure support for both the
    server and the client
  • Device Driver signing
  • Windows File protection

49
Security Tools

50
Win2k Security Tools
  • There are two primary tools that are used
    extensively for security-related operations of a
    W2k system:
      • The Microsoft Management Console (MMC)
      • The Security Configuration Tool Set

51
The MMC
  • The MMC is an extensible framework for managing
    applications.
  • It allows you to design modules, called
    snap-ins, which perform some type of management
    function.
  • The overall purpose of the MMC is to provide a
    single location from which all management occurs.
  • The idea is that the vendors will provide
    snap-ins for the MMC to manage their
    applications.
  • Win2k comes with a number of pre-built snap-ins.

52
The Security Configuration Tool Set
  • This tool set is actually a whole suite of MMC
    snap-ins, designed to provide a central location
    for all security-related tasks. It allows you to
    configure and analyze all of the following:
      • Account Policies: Set access, password, account
        lockout, and domain Kerberos policy
      • Local Policies: Set audit, user rights
        assignment, and other security options
      • Restricted Group: Assign group memberships for
        built-in groups. This should be used to
        validate/control membership of groups that have
        elevated privileges
      • System Services: Set startup options and access
        control on these services
      • File or Folder Sharing: Configure settings for
        NTFS and file sharing
      • System Registry: Set security on registry keys
      • System Store: Set the security for local file
        volumes and directory trees
      • Directory Security: Manage the security on
        objects in the AD

53
Win2k Security Features Summary
  • Protected Memory
  • User/Group Accounts
  • Authentication
  • Authorization
  • Group Policies
  • File Systems
  • Auditing
  • Cryptography
  • Security Tools