Audit-Enhanced Authentication in Kerberos (PowerPoint presentation)

Transcript and Presenter's Notes
1
Audit-Enhanced Authentication in Kerberos
  • Shuo Chen, Daniel R. Simon (mentor) (Shuo's
    Internship Project in Microsoft Research)
  • 9/15/2003 CRHC UIUC

2
Authentication Protocols of Windows
  • Before Windows 2000, NTLM was the only
    authentication protocol Windows provided.
  • Starting from Windows 2000 (including Windows XP
    and Windows Server 2003), both NTLM and Kerberos
    are provided, and Kerberos is the default.
  • We use Kerberos almost every day.

3
Kerberos
[Diagram: the Client sends a request to the Key
Distribution Center (KDC), which runs on the Windows
Domain Controller, and receives a Service ticket; the
Client then presents the Service ticket to the Server.]
4
What's the Problem?
[Diagram: User 1, User 2, ..., User n each authenticate
to Internet Information Service (IIS) as themselves
("I'm User 1", "I'm User 2", ..., "I'm User n"); for
every one of their requests IIS authenticates to SQL
Server as itself ("I'm IIS"), so SQL Server sees only
IIS.]
  • SQL Server is not able to make decisions (e.g.,
    accept or reject) for individual users.
  • It is hard to audit security events, because
    each machine maintains its event log
    independently; there is no easy way to correlate
    events across machines.

5
Audit-Enhanced Authentication
[Diagram: User 1, User 2, ..., User n authenticate to
Internet Information Service (IIS) as themselves, each
carrying a transaction ID ("I'm User 1. TID 312",
"I'm User 2. TID 23", ..., "I'm User n. TID 59"); IIS
then authenticates to SQL Server as "I'm IIS servicing
transaction 312 on behalf of User 1", and likewise for
every other transaction.]
  • Key technique: provide a channel that lets the
    extra info pass through multiple tiers, so that
    all processes and threads involved in handling
    the transaction are aware of it.
  • The technique is transparent to applications:
    all work is done at the authentication level
    and the kernel level, with no modifications to
    application source code.

6
Design and Implementation
  • Modification of the WinNT kernel
    • In WinNT, each process/thread is associated
      with an access token. We extend this data
      structure to store the extra info. (A token is
      duplicated when a thread/process is created, so
      the extra info is inherited by the child.)
    • Provide kernel services that allow a
      thread/process to set and query the extra info
      on its own token.
  • Modifications of Kerberos.dll
    • When the client marshals a service ticket, get
      the extra info from the token and embed it in
      the ticket.
    • When the server unmarshals a service ticket,
      get the extra info from the ticket and set it
      in the token.

7
Modified Procedure of Kerberos
[Diagram: an eleven-step exchange among the Client
Process, the Server Process, the Kerberos library on
each side, the NT Kernel Security Subsystem on each
side and the KDC; the client's Primary Token and the
server's Impersonation Token are shown as the places
where the extra info is read and set.]
8
A Demo in COTS Applications
  • After validating the technique with our toy
    application, we built a demo in a real setting.

[Diagram: Client Machine (front end): IE_Launcher.exe
starts Internet Explorer (IE). Internet Information
Service (IIS) hosts an ASP.NET web app. SQL Server
(back end) runs the stored procedure GetTokenInfo,
which executes QueryMyToken.exe.]

Stored procedure on SQL Server (as written on the slide):

    CREATE PROCEDURE dbo.GetTokenInfo AS
        exec QueryMyToken.exe
    GO

QueryMyToken.exe reads the extra info from its own
token and prints it (pseudocode from the slide):

    QueryMyToken()
    {
        QueryTokenInfo(TokenExtraInfo, msg);
        printf("%s", msg);
    }

IE_Launcher.exe sets the extra info on its own token
and then starts IE, which inherits it (pseudocode from
the slide):

    IE_Launcher(char *msg)
    {
        SetTokenInfo(TokenExtraInfo, msg);
        CreateProcess(IEXPLORER);
    }
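To make slides 5 through 8 concrete, here is an added Python model of one transaction passing client -> IIS -> SQL Server with and without the extra-info channel. It is written for this page and is not code from the slides or from Microsoft Research: the Token, Ticket and Kerberos classes, the run_transaction, correlate and seen_by functions, the host names CLIENT/IIS/SQL and the ID "TID312" are all assumptions standing in for the real NT token structure and Kerberos.dll, and the per-machine event logs are constructed in memory.

```python
"""Three-tier model of audit-enhanced Kerberos authentication.

Added example for this page, not code from the slides or from Microsoft
Research.  Token, Ticket, Kerberos, run_transaction, correlate and seen_by,
the host names CLIENT/IIS/SQL and the ID "TID312" are assumed names standing
in for the real NT token structure and Kerberos.dll; all logs are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Token:
    """Access token extended with the extra-info field described on slide 6."""
    user: str
    extra_info: Optional[str] = None   # e.g. a transaction ID

    def duplicate(self) -> "Token":
        # A token is duplicated when a thread/process is created, so a child
        # process (IE started by IE_Launcher) inherits the extra info.
        return replace(self)


@dataclass
class Ticket:
    """Service ticket; extra_info models the field embedded at marshal time."""
    client: str                        # principal presenting the ticket
    service: str
    extra_info: Optional[str] = None


class Kerberos:
    """Client and server halves of Kerberos.dll, stock or modified."""

    def __init__(self, audit_enhanced: bool) -> None:
        self.audit_enhanced = audit_enhanced

    def marshal(self, principal: str, thread_token: Token, service: str) -> Ticket:
        # Client side: the caller authenticates as `principal`; the modified
        # library copies the extra info from the calling thread's token.
        extra = thread_token.extra_info if self.audit_enhanced else None
        return Ticket(client=principal, service=service, extra_info=extra)

    def unmarshal(self, ticket: Ticket) -> Token:
        # Server side: the impersonation token built for this request gets
        # the extra info taken out of the ticket.
        extra = ticket.extra_info if self.audit_enhanced else None
        return Token(user=ticket.client, extra_info=extra)


# One event-log entry: (host, principal that host saw, extra info, event).
LogEntry = Tuple[str, str, Optional[str], str]


def run_transaction(kerb: Kerberos, user: str, tid: str) -> List[LogEntry]:
    """Drive one request CLIENT -> IIS -> SQL and return the combined logs."""
    log: List[LogEntry] = []

    def audit(host: str, token: Token, event: str) -> None:
        log.append((host, token.user, token.extra_info, event))

    # Tier 0, client machine (slide 8): the launcher sets the extra info on
    # its primary token (SetTokenInfo) and starts IE, which gets a duplicate.
    launcher = Token(user=user, extra_info=tid)
    ie = launcher.duplicate()                        # CreateProcess(IEXPLORER)
    audit("CLIENT", ie, "IE sends request")

    # Tier 1, IIS: the user's ticket carries the TID and the worker thread's
    # impersonation token receives it.
    iis_thread = kerb.unmarshal(kerb.marshal(ie.user, ie, "HTTP/iis"))
    audit("IIS", iis_thread, "ASP.NET app handles request")

    # Tier 2, SQL Server: IIS authenticates as itself, but its ticket is
    # marshalled from the worker thread's token, so the TID travels on.
    sql_thread = kerb.unmarshal(kerb.marshal("IIS", iis_thread, "MSSQLSvc/sql"))
    audit("SQL", sql_thread, "GetTokenInfo runs QueryMyToken.exe")
    return log


def correlate(log: List[LogEntry], tid: str) -> Dict[str, str]:
    """Map each host whose log carries this TID to the principal it recorded."""
    return {host: principal for host, principal, extra, _ in log if extra == tid}


def seen_by(log: List[LogEntry], host: str) -> Tuple[str, Optional[str]]:
    """(principal, extra info) as recorded in one host's own event log."""
    return next((p, extra) for h, p, extra, _ in log if h == host)


if __name__ == "__main__":
    for enhanced in (False, True):
        log = run_transaction(Kerberos(audit_enhanced=enhanced), "User1", "TID312")
        print(f"audit_enhanced={enhanced}: SQL Server sees {seen_by(log, 'SQL')}, "
              f"TID312 correlates across {correlate(log, 'TID312')}")
```

With audit_enhanced=False the SQL Server log records only "IIS" and the TID appears in the client's log alone, which is the correlation problem of slide 4. With audit_enhanced=True every tier's entry carries TID312, so the three independent logs line up and SQL Server's "IIS" entry resolves to User1, which is the "I'm IIS servicing transaction 312 on behalf of User 1" of slide 5.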
9
It works!
10
Other Impacts
  • Besides audit-enhanced authentication, our
    technique may be useful in other areas, such as
    event tracing for performance evaluation and
    troubleshooting of distributed applications.
  • The research team of the Strider troubleshooting
    tool is using our technique to pass a transaction
    ID that correlates event log entries for
    troubleshooting purposes.
  • A product team (the NT Base Performance Team)
    asked me to give a demo; they are working on
    event tracing.