Windows Security
By Omkar Sravan Kasinadhuni

Agenda
• Security Context & Security Principal
• What is an Access Token?
• How to secure accounts in Windows
• Rights and Permissions
• How and where does Windows store passwords?
• Trade-off in Windows Security
• Duties of a Developer
• Countermeasure (Auditing)
Security Context
• One of the basic tenets of Windows security is that each process runs on behalf of a user.
• So each running process is associated with a security context.
• A security context is a bit of cached data about a user, including her SID, group SIDs and privileges.

Security Principal
• A security principal is an entity that can be positively identified and verified via a technique known as authentication.
• Security principals in Windows are assigned on a process-by-process basis, via a little kernel object called a token.
• Each user, computer or group account is a security principal on a system running Windows Server 2003, Windows 2000 or Windows XP.
• Security principals receive permissions to access resources such as files and folders. User rights, such as the right to log on interactively, are granted or denied to accounts directly or by membership in a group. The accumulation of these permissions and rights defines what a security principal can and cannot do.

There are three types of security principals:
1) User principals
2) Machine principals
3) Service principals
Security Identifier (SID)
• Users reference their accounts by usernames, but the operating system internally references accounts by their security identifier.
• SIDs are unique in their scope (domain or local) and are never reused, so they uniquely identify user and group accounts in Windows.
• By default the operating system
• A SID consists of several parts: S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>

• Revision: this value indicates the version of the SID structure used in a particular SID. For Windows Server 2003, Windows 2000 and Windows XP it is currently 1.
• Identifier authority: this value identifies the authority that can issue SIDs for this particular type of security principal.
• Subauthority: the most important information in a SID is contained in a series of one or more subauthority values. All values except the last one collectively identify the domain and are called the Domain Identifier; the last value is the Relative Identifier (RID).
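An added example, not code from the slides: it splits a textual SID into the fields just described (revision, identifier authority, domain identifier, RID) and names the well-known RIDs in the S-1-5-21 account family. The well-known-RID table and the 15-sub-authority limit come from the published SID format, not from the slides.

```python
# Added example (not from the original slides): parse a textual SID into the
# parts the slide names: revision, identifier authority, sub-authorities,
# domain identifier and relative identifier (RID).
import re
from dataclasses import dataclass, field
from typing import Optional

# Well-known RIDs of accounts under a domain/local SID (S-1-5-21-...); RID 500
# is the built-in Administrator, as in the sample SID ending in -500 above.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: list = field(default_factory=list)

    @property
    def domain_identifier(self) -> tuple:
        # every sub-authority except the last one identifies the domain
        return tuple(self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    def domain_sid(self) -> str:
        parts = [self.revision, self.identifier_authority, *self.domain_identifier]
        return "S-" + "-".join(str(p) for p in parts)

    def well_known_name(self) -> Optional[str]:
        # NT authority (5) with a leading 21 marks a domain or local account SID
        if self.identifier_authority == 5 and self.subauthorities[:1] == [21]:
            return WELL_KNOWN_RIDS.get(self.rid)
        return None


def parse_sid(text: str) -> Sid:
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {text!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    subs = [int(v) for v in m.group(3).split("-")[1:]]
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES in the Windows SDK
        raise ValueError("SID has more than 15 sub-authorities")
    return Sid(revision, int(m.group(2)), subs)
```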
Where is the SID located?
• When a user logs in for the first time, the operating system makes chuckling sounds, and explorer.exe starts running only after some time. This is because the operating system is creating a user profile.
• The operating system dynamically loads the subkeys under HKEY_USERS as users log on and off interactively.
• To see this, open the registry (type "regedit" at Start > Run), then type "runas /u:user-account cmd" at the command prompt and give the password. A new window will open. Refresh the registry (F5) at HKEY_USERS to see the dynamically loaded SIDs.
• The files NTUSER.DAT and NTUSER.DAT.LOG (present in the account profile, C:\Documents and Settings\your-account) make up the registry hive for the user profile.

Access Token
• A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs and privileges.
• A token is created whenever a user successfully logs on to the network, and a copy of this token is assigned to every process and thread that executes on the user's behalf.
• A token consists of the following components: account ID, group IDs, rights, owner, primary group, source, type, impersonation level, statistics, restricted SIDs, session ID.
Account Security
• User accounts are the core unit of network security.
• In Windows Server 2003 and Windows 2000, domain accounts are stored in the Active Directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database.
• The passwords for the accounts are stored and protected by the System Key.
• Though the accounts are secured by default, we can secure them even further.
• Go to Administrative Tools in Control Panel (only when you are logged in as an admin) and click "Local Security Settings".
• There you will find the Account Policies.
• They contain the password policies and the account lockout policies.

Account lockout policies:
• Account lockout duration: how long a locked-out account stays locked (1-99,999 minutes).
• Account lockout threshold: locks out the account after a particular number of failed attempts (1-999 attempts).
• Reset account lockout counter after: resets the failed-attempt counter after the given time (1-99,999 minutes).
• These three settings are present in Windows Server 2003 and Windows 2000 but not in Windows XP.

Password policies:
• Enforce password history: remembers previous passwords so they cannot be reused (0-24 passwords).
• Maximum password age: sets the maximum password age (0-999 days).
• Minimum password age: sets the minimum password age (0-999 days).
• Minimum password length: sets the minimum password length (0-14 characters).
• Password must meet complexity requirements: forces users to set complex alphanumeric passwords.
• Store passwords using reversible encryption for all users in the domain: enable this only if the password must be decrypted and compared to plain text by methods such as the Challenge Handshake Authentication Protocol (CHAP) or the Shiva Password Authentication Protocol (SPAP).
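An added example covering both the lockout and the password policy settings above; it is not from the slides. It reads the [System Access] section of a security-template export (the INF-style file that `secedit /export /cfg <file>` writes, an assumption about that tool, which the slides do not mention) and reports settings that leave accounts weakly protected. The sample export is constructed, and the thresholds used for the findings (for example an 8-character minimum) are assumptions.

```python
# Added example, not from the original slides: audit the account policy values
# in the [System Access] section of a security-template export (the INF-style
# format written by "secedit /export /cfg <file>", assumed here).
# SAMPLE_EXPORT is constructed; real exports are UTF-16 files with more sections.
import configparser

SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""


def _value(raw: str):
    # numeric settings become ints; string settings (quoted names) keep their text
    try:
        return int(raw)
    except ValueError:
        return raw.strip('"')


def parse_system_access(text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as exported
    cp.read_string(text)
    return {k: _value(v) for k, v in cp["System Access"].items()}


def audit_account_policy(policy: dict) -> list:
    """Return findings for settings that leave accounts weakly protected."""
    findings = []
    if policy.get("PasswordHistorySize", 0) < 1:
        findings.append("password history disabled: old passwords can be reused")
    if policy.get("MinimumPasswordLength", 0) < 8:      # 8 is an assumed floor
        findings.append("minimum password length below 8 characters")
    if policy.get("PasswordComplexity", 0) != 1:
        findings.append("complexity requirement not enforced")
    if policy.get("MaximumPasswordAge", 0) <= 0:         # 0 in the GUI, -1 in exports
        findings.append("passwords never expire")
    if policy.get("LockoutBadCount", 0) == 0:
        findings.append("lockout threshold 0: unlimited failed logon attempts")
    if policy.get("ClearTextPassword", 0) == 1:
        findings.append("reversible encryption enabled: only needed for CHAP/SPAP")
    return findings
```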
Rights
Rights are actions or operations that an account can or cannot perform.
• User rights are of two types:
  - Privileges: a right assigned to an account specifying allowable actions on the network. Example: Back up files and directories.
  - Logon rights: a right assigned to an account specifying the ways in which the account can log on to a system locally. Example: Access this computer from the network.
• Permissions define which resources accounts can access and the level of access they have.
• Right-click any file, open Properties, go to the Security tab and set the permissions.
Where are the passwords stored on the system?
• The system stores the passwords in the machine's password stash, i.e. under HKLM\Security\Policy\Secrets.
• Type "at 9:23am /interactive regedit.exe", substituting whatever time is appropriate (make it one minute in the future). Once regedit fires up, carefully look at the subkeys under HKLM\Security\Policy\Secrets. You are looking at the machine's password stash, more formally known as the LSA private data store.
• The operating system also, by default, caches (stores locally) the last 10 logon passwords.

There are registry settings to turn this feature off or restrict the number of accounts cached.
• For the following registry entry, change the default value:
  Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
  Type: REG_SZ
  Key: CachedLogonsCount
  Default value: 10
  Recommended value: 0-50, depending on your security needs.

But how secret is the LSA secret data store?
• There is a tool available on the net named LSADUMP2.exe which, when run, retrieves the admin passwords of the system.
• LSAdump2 uses DLL injection to bypass the normal access control on security information stored by the Local Security Authority (LSA).
D:\dnload\lsadump2>lsadump2
RasCredentials!S-1-5-21-459157917-1707938598-1849977318-500#0
39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00 9.9.0.6.2...1.6.
30 00 30 00 00 00 35 00 00 00 00 00 00 00 77 00 0.0...5.......w.
6D 00 61 00 70 00 6C 00 65 00 73 00 00 00 00 00 m.a.p.l.e.s.....
00 00 30 00 00 00 00 00 ..0.....
RasDialParams!S-1-5-21-459157917-1707938598-1849977318-500#0
39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00 9.9.0.6.2...1.6.
30 00 30 00 00 00 36 00 33 00 00 00 00 00 2A 00 0.0...6.3.....*.
00 00 77 00 6D 00 61 00 70 00 6C 00 65 00 73 00 ..w.m.a.p.l.e.s.
00 00 77 00 77 00 77 00 77 00 77 00 77 00 77 00 ..w.w.w.w.w.w.w.
31 00 00 00 00 00 31 00 00 00 00 00 1.....1.....
SAC
02 00 00 00 ....
SAI
02 00 00 00 ....
_SC_ClipSrv
74 00 65 00 73 00 74 00 t.e.s.t.
There is another tool named Cain & Abel.
• It is recommended not to use it with Service Pack 2 installed. It is prone to cause serious damage to the system.

The System Key is a machine key which encrypts the passwords so that they cannot be retrieved in clear text.
• Type "syskey" at the command prompt and press OK to enable the System Key.
Trade-off
• There is always a trade-off between countermeasures and convenience.
• Security and ease of use are like the two ends of a long scale.
• Users other than admins are prevented from installing software because they do not have access to Program Files.
[Figure: satisfaction plotted along the scale from Security to Ease of use]

Developer's Duty
• That is because trojans could otherwise take control of winword.exe in Program Files.
• A good programmer is one who develops applications that can be run by all the users of the system.
• The applications should run smoothly even with all the security features of Windows enabled.

Countermeasure (Auditing)
• Windows is getting better and better at protection, but it is weak in countermeasures.
• The only countermeasure it provides is auditing.
• We can audit every file on the system.
• Right-click the file, open Properties, go to Auditing and set up auditing.