Windows Security Mechanisms

1
Windows Security Mechanisms
Al Bento - University of Baltimore
2
Authentication

• Challenge/response authentication protocol (CHAP)
• LAN Manager saves passwords as hashes
• as a 128-bit number, with passwords up to14
  digits, but with two 7 digits parts, not case
  sensitive, easier to break
• change possible combinations from 284 to 2 37
• uses old, easy to break DES encryption
• saved on SAM (Windows Security Accounts Manager)
  at systemroot\system32\config\SAM
• NTLM and NTLM2 improved LAN Manager
• NTLM -- MD4 encryption, case sensitive, password
  up to 127 characters, supports up 56 bit
  encryption.
• NTLM2 -- improves NTLM to authenticate by
  session, and supports up to 128-bit encryption
• Kerberos uses AES encryption and very secure.

3
Authentication (2)

• Defaults
• XP by default uses both LM NTLM
• Vista, Windows 7 defaults to NTML2
• Active Directory defaults to Kerberos, drops back
  as needed
• Security options
• See Microsoft long note on options
• Many different options store LAN Manager, Lan
  Manager authentication level, etc.
• Compatibility issues
• example of Windows 7 and Win 2k server
• example of Windows 7 and Win 2003 server
• of course all sort of issues with XP, 98, and
  other settings in NT, 2K, etc.
• More on authentication a black hat presentation.

4
Tokens

• What are tokens?
• A data structure that contains authentication and
  authorization information for a user.
• Windows creates the access token when the user
  logs on and the user's identity is confirmed.
• The access token contains the user's security ID
  (SID), the list of groups that the user is a
  member of, and the list of privileges held by
  that user.
• Each process or thread started for the user
  inherits a copy of the access token. In some
  cases a user may have more than one access token,
  with different levels of authority.
• What do they do?
• Provide the security context for processes and
  threads when accessing objects in the system
• Securable objects include files, directories,
  devices, registry keys, etc, and have specific
  user and group permissions.
• Some risks token kidnapping.

5
Access Control List

• What is an ACL?
• is a list of access control entries (ACE). Each
  ACE in an ACL identifies a trustee and specifies
  the access rights allowed, denied, or audited for
  that trustee. The security descriptor for a
  securable object can contain two types of ACLs a
  DACL and a SACL.
• DACL discretionary access control list (DACL)
  identifies the trustees that are allowed or
  denied access to a securable object. When a
  process tries to access a securable object, the
  system checks the ACEs in the object's DACL to
  determine whether to grant access to it.
• SACL A system access control list (SACL) enables
  administrators to log attempts to access a
  secured object. Each ACE specifies the types of
  access attempts by a specified trustee that cause
  the system to generate a record in the security
  event log.
• Tokens and ACL
• When a user logs in he/she is assigned a access
  token and securable objects have ACLs. When an
  user attempts to access a securable object the
  Windows security subsystem compare the
  information in the token access with the
  securable object and grant or deny access.