Windows - PowerPoint PPT Presentation

Slides: 92
Provided by: marks9
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

Title: Windows


1
Windows
2
Introduction
  • Old black-and-white Western movie
  • Gunslinger wants to quit fighting
  • Some new young upstart wants to fight
  • So the old guy fights one more time
  • Target-ability
  • Depends on popularity and reputation
  • Windows is most hackers' favorite target

3
Introduction
  • Windows is the most popular OS
  • May 2005: 390M Windows machines
  • Over half of those running XP
  • Windows is the obvious target
  • From attacker's point of view
  • Attacker's cost-benefit analysis
  • Attacker wants most bang for the buck

4
This Chapter
  • Brief history of Windows
  • Consider core NT security features
  • Consider security in Windows 2000
  • That is, Windows 2000, XP, Server 2003
  • Book does not cover Vista

5
History
  • History began in April 1993
  • Release of Windows NT
  • NT = New Technology / No Technology
  • Before NT
  • Microsoft Windows 3.0, 95, 98, Me
  • No authentication, program isolation, logging,
    etc.
  • No security prior to NT

6
Modern Windows OSs
  • NT, Windows 2000, XP, Server 2003
  • And Vista, but not covered in book
  • Windows NT
  • Based on technology developed at DEC for their
    VMS operating system
  • 1988: Microsoft hired David N. Cutler
  • He came from DEC, with 20 others

7
Windows NT
  • Originally, Cutler was to build successor to
    OS/2, called OS/2 NT
  • Microsoft/IBM collaboration
  • With success of Windows 3.0 in 1990
  • Microsoft changed its mind
  • Windows NT to be their UNIX-beater

8
Backwards Compatibility
  • What is backward compatibility?
  • New-and-improved works with bad/old versions
  • NT tried to be backwards compatible
  • Users complain if not backwards compatible
  • But, creates many security compromises
  • Continues to plague Windows (and others) today
  • Damned if you do, damned if you don't

9
Windows History
  • After introduction of NT
  • Incremental changes: NT 3.1, 3.5, 3.51, 4.0
  • Major overhaul: Windows 2000
  • In essence, Windows NT 5.0
  • Windows XP (eXPerience)
  • Released in October 2001
  • Refers to itself as Windows 2002
  • Windows Server 2003

10
Windows History
  • 1993 to 2001, dual Windows lines
  • Home users: Windows 3.0/3.1/95/98/Me
  • Professional: NT 3.1/3.5/3.51/4.0/2000
  • Windows XP
  • Evolved from NT (professional) line
  • For home and professional users
  • Ended the dual Windows approach

11
BAD Old Days
  • Before Active Directory (BAD)
  • Windows 2000: Active Directory
  • Major shift in security
  • Active Directory: all-in-one service for locating
    stuff
  • Find printer in next cubicle
  • Change pwd policy on machines in branch office

12
Active Directory
  • Active Directory
  • Native mode --- all Windows 2000 environment
  • Mixed mode --- some pre-2k machines
  • Which is more common?
  • Backwards compatibility
  • Necessary to understand what came before Active
    Directory
  • More on Active Directory later

13
BAD Basics
  • Before Active Directory
  • Domains (currently deprecated)
  • Networked Windows computers that share an
    authentication database
  • Single sign-on for domain
  • Must have a domain controller
  • For authentication to the domain
  • Usually more than one controller

14
BAD Basics
  • Primary Domain Controller (PDC)
  • First server in domain
  • Updates authentication info in Security Accounts
    Manager (SAM) database
  • Backup Domain Controller (BDC)
  • Can access SAM, but not update
  • Admin can temporarily promote BDC
  • Active Directory: all controllers authoritative
  • More robust, but possibly less secure

15
BAD Basics
  • Domain sets critical parameters
  • Min pwd length
  • Pwd expiration policy
  • Restrictions on users, etc.
  • Workgroup --- like domain but worse
  • No control mechanisms

16
Shares
  • Share
  • Connection to network devices
  • Used with domains and Active Directory
  • Similar to NFS mounts in UNIX
  • Windows Explorer: My Network Places
  • Convenient, transparent way for users to reach
    across the network

17
Windows Architecture
  • NT architecture based on layers
  • Layers important to security
  • Each layer restricts layer above
  • Security issues are nearly always a result of
    some sort of compromise of this layering.
  • Two modes: user mode, kernel mode

18
Windows Architecture
19
User Mode
  • Part of OS that the user interacts with
  • User mode is the go-between
  • Between user and kernel
  • Strict communication rules
  • Application Program Interfaces (APIs)
  • User mode: 2 types of services
  • Integral subsystem: native to Windows
  • Environment services: support for other OSs

20
User Mode
  • Integral subsystem
  • Provide APIs used by Win32 apps
  • For OS functions such as files, windows, process
    mgmt, virtual memory, I/O, etc.
  • DLLs translate (documented) API calls into
    (undocumented) calls into kernel
  • User mode → Kernel Executive subsystem

21
LSASS
  • Local Security Authority Subsystem Service
  • User mode subsystem
  • Determines if login is valid
  • Sends login data to SAM database
  • For each account, SAM has 2 entries
  • NT pwd hash, LM/LanMan pwd hash --- Why???
  • Backwards compatibility, of course!

22
Windows Passwords
  • NT hash used in NT and beyond
  • LM hash used in Windows 95, 98
  • SAM entries not stored in ASCII
  • Different from UNIX
  • Pwdump3 converts to readable form
  • How are pwd hashes derived?

23
Windows Passwords
  • LM pwd hashes
  • Assume pwd is 14 characters or less
  • Pad password to 14 characters
  • Split into two 7-char strings
  • Convert to lower-case
  • Hash each half independently
  • Use DES block cipher (string is the key)
  • No salt is used

24
Windows Passwords
  • NT password hash
  • Hash entire pwd using MD4, no salt used
  • Note MD4 not a strong hash
  • Which is better, NT or LM?
  • Suppose 64 choices/character, 14-char pwd
  • NT: try 2^83, LM: try 2^42
  • LM is 2,000,000,000,000 times easier
  • LM is even worse than that

25
Windows Password
  • By default, both LM and NT hashes
  • What will attacker do?
  • Attack LM pwd, of course
  • May need to convert to upper case
  • Still much easier than NT pwd
  • Both types unsalted (dictionary attacks)
  • Disable LM if possible

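The LM construction on slides 23 to 25 and the work-factor arithmetic on slide 24, as an added example in Go (not code from the slides or from Microsoft). One correction the example relies on: the LM algorithm as actually specified upper-cases the password before hashing, which is what slide 25's "may need to convert to upper case" refers to. The fixed plaintext `KGS!@#$%` and the 7-byte-to-8-byte DES key expansion are part of the LM definition; the function names, the 14-byte limit as a hard error, and the sample passwords are this example's choices.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that the LM algorithm encrypts under
// each password half; the constant is part of the LM hash definition.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 7 password bytes (56 key bits) over 8 DES key bytes,
// leaving the low bit of each byte for parity, which DES ignores.
func desKeyFrom7(k []byte) []byte {
	key := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// LMHash computes the LAN Manager hash: upper-case the password, zero-pad to
// 14 bytes, split into two 7-byte halves, DES-encrypt lmMagic with each half
// as the key, and concatenate. No salt is involved. Passwords longer than 14
// bytes are rejected, since the slides assume 14 characters or fewer; only
// ASCII is handled (real LM used the OEM code page).
func LMHash(password string) (string, error) {
	upper := strings.ToUpper(password)
	if len(upper) > 14 {
		return "", errors.New("LM hash is only defined here for passwords of at most 14 bytes")
	}
	padded := make([]byte, 14) // zero padding
	copy(padded, upper)
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(desKeyFrom7(half))
		if err != nil {
			return "", err
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// ExpectedGuessesLog2 is the slide 24 arithmetic: log2 of the average number
// of guesses to recover a password of `length` characters drawn from
// `alphabet` symbols when the search splits into `parts` independent pieces
// (1 for NT, 2 for LM). Each piece costs half its space on average and the
// pieces add. The alphabet of 64 is the slide's assumption; LM's case folding
// shrinks it further, which is the "even worse than that" remark.
func ExpectedGuessesLog2(alphabet, length, parts int) float64 {
	bitsPerPart := float64(length) / float64(parts) * math.Log2(float64(alphabet))
	return bitsPerPart - 1 + math.Log2(float64(parts))
}

func main() {
	// Constructed sample passwords; the two spellings of "password" hash alike.
	for _, pw := range []string{"", "password", "PASSWORD", "PassWord"} {
		h, err := LMHash(pw)
		fmt.Printf("%-10q -> %s %v\n", pw, h, err)
	}
	nt, lm := ExpectedGuessesLog2(64, 14, 1), ExpectedGuessesLog2(64, 14, 2)
	fmt.Printf("NT ~2^%.0f guesses, LM ~2^%.0f guesses, ratio 2^%.0f\n", nt, lm, nt-lm)
}
```

Two things the output makes visible that the bullets only assert: every password of 7 characters or fewer produces the same second half (the DES encryption of the constant under an all-zero key), so the hash itself announces a short password, and the 2^83 versus 2^42 figures differ by 2^41, which is the "2,000,000,000,000 times easier" on slide 24.
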
26
Kernel Mode
  • Fundamental OS issues
  • Memory mgmt, deal with hardware, etc.
  • More secure than user mode
  • Security Reference Monitor
  • Part of Executive subsystem
  • Checks attempts to access kernel mode
  • Checks attempts to access files, etc.
  • Checks permissions, gather audit data, etc.

27
Kernel Mode
  • Object Manager
  • Manages info about files, directories, etc.
  • Objects get Object Identifier (OID)
  • OIDs used by Object Manager
  • Object Manager aware of some inheritance
    relationships (e.g., subfolders)

28
Kernel Mode
  • Hardware Abstraction Layer (HAL)
  • Deals with hardware in a high-level way
  • Low level details left to device drivers
  • Makes life easier for Windows
  • but not for hardware manufacturers
  • Bad drivers can cause serious problems like
    crashing the whole system
  • HAL also lets Windows support multiple processors

29
Service Packs and Updates
  • When bugs and problems are found
  • Patches come in 2 flavors
  • Hotfixes/patches --- specific issue
  • Service packs --- major bundle of fixes, once per
    6 months to year
  • Delivered automatically (Windows Update service)
  • Fixes to OS and to other MS products
  • Patching is a big deal for companies

30
Accounts
  • Default accounts: Administrator, Guest
  • Administrator account
  • Administrator has highest privilege
  • Administrator acct cannot be locked or deleted
  • Can only be disabled if another admin exists
  • If one Admin acct, unlimited pwd guessing
  • Good idea to have more than one Admin acct

31
Accounts
  • Guest account
  • Anyone can log on to guest acct
  • Limited in what it can do, but still
  • Guest is generally a bad idea
  • Disabled by default on modern Windows

32
Accounts
  • User accts, application accts, etc.
  • How to secure accounts?
  • Give all admin accts neutral names
  • Change acct description(s) too
  • Create decoy acct named Administrator
  • Disable Guest, give it a strong pwd
  • Belt and suspenders principle
  • Security by obscurity? Is it worth it?

33
Groups
  • Used to control access/privilege
  • Why not user accounts?
  • Easier to manage (fewer) groups instead of (many)
    users
  • Before Active Directory (Win 2K)
  • Two types of groups
  • Global groups, local groups

34
Groups
  • Local groups give access to resources
  • Global groups cannot grant access
  • Typically, users included in global groups
  • Global groups then included in local groups
  • Access given to those in local group (including
    those in included global groups)
  • Global groups cannot be included in global groups
  • Local groups cannot be included in local groups

35
Groups
  • Huh?
  • For example, suppose a new hire
  • Include user in global groups
  • Then automatically included in appropriate local
    groups
  • Otherwise, have to make config changes to
    individual local machines

36
Default Groups
  • Local: Administrators, Account Operators, Power
    Users, Server Operators, Backup Operators, Print
    Operators, Replicator, Users, Guests
  • Global: Domain Administrators, Domain Users

37
Special Groups
  • Special since cannot add or delete users
  • But can change group rights/privileges
  • Special groups are local groups
  • EVERYONE --- for just about anything
  • SYSTEM --- holy grail
  • Nothing has higher privilege
  • Not a login ID
  • Some processes run with SYSTEM privilege
  • Compromise one of these and you own system

38
Special Groups
  • Other special groups
  • INTERACTIVE --- currently logged in locally
  • NETWORK --- currently logged in non-locally
  • CREATOR OWNER --- owner of a given object
    (confusing name)
  • These are not as special as SYSTEM

39
Privilege
  • Privilege --- capacity to access and manipulate
    things
  • Rights --- things users can do; can be
    added/modified (accts and groups)
  • Abilities --- built-in capabilities
  • Administrator --- highest privilege
  • Operator groups --- like bits and pieces of admin
  • Power user --- next highest
  • Then users followed by guest

40
Privilege Control
  • Advanced rights control internal functions
    within Windows system
  • Example: Act as Part of Operating System
  • Gives right to reach into kernel mode
  • Attacker has got to love this
  • Principle of least privilege
  • Give least privilege needed to do job
  • Putting this into practice is one of the most
    fundamental steps to making Windows (or any
    operating system, for that matter) more secure.

41
User Rights Assignments
42
Policies
  • Admin can create policies
  • Can affect local machine
  • Or entire domain
  • Account Policy --- most basic policy
  • Applies to all accounts in a domain
  • Max pwd age, pwd history, lockout, etc.
  • See next 2 slides

43
Account Policies Passwords
44
Account Policies Lockout
45
User Properties Settings
  • User Properties
  • Technically, not Policies, but serve similar
    purpose
  • Like Policies, but set for individual accts
  • E.g., User Must Change Password at Next Login,
    User Cannot Change Password, etc.

46
User Property Settings
47
Trust
  • Extends login across domains
  • Like single sign-on to trusting domains
  • One (or more) global group in trusted domain must
    be included in one (or more) local groups in
    trusting domain
  • Can limit access via local group(s)

48
Windows Trust Models
  • No trust --- most secure, most inconvenient
  • Complete trust --- every domain trusts every
    other domain
  • Master domain --- user accounts in central
    account domain
  • Gives central control for mapping users to
    resources (via groups)
  • Multiple master domains --- like a distributed
    master domain

49
Windows Trust
  • Based on password authentication
  • Better than UNIX r-commands
  • Btw, what is authentication based on in UNIX
    r-commands?
  • Active Directory uses Kerberos (Windows 2000)

50
Auditing
  • Can only audit what you log
  • Types of logging/audit
  • System
  • Security (or just auditing) --- logons,
    logoffs, file access, use of rights, etc.
  • Application

51
Auditing
  • By default, detailed auditing is off
  • And not available in XP home edition
  • Not easy to decide what to log
  • Some important data not logged
  • Source/destination IP address, whether system
    reinstall occurred, etc.

52
Audit Settings
53
Access Control and Permissions
  • How to control access to objects
  • Ownership
  • Each object has owner (CREATOR OWNER)
  • Owner can always change permissions
  • File Allocation Table (FAT)
  • No access control --- the reason why Windows 95,
    98, Me cannot be secure

54
Access Control and Permissions
  • NTFS (NT File System)
  • Good performance, recoverability, etc.
  • Reasonable set of permissions
  • One of the most effective parts of Windows
    security
  • Number of permissions is bewildering

55
Example NTFS Permissions
  • No access --- what it says
  • Read --- read and execute
  • Change --- read, execute, write, delete
  • Full Control --- Change plus change permissions
    and take ownership
  • These are actually combinations of more granular
    permissions

56
Share Permissions
  • Recall shares are kind of like NFS mounts
  • Permissions on components of file system
  • For example, a shared folder
  • Remote access depends on both NTFS and share
    permissions
  • Least access wins
  • Local login --- only NTFS permissions apply
  • Potentially a security issue

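The group scheme of slides 34 and 35 (users into global groups, global groups into local groups, access granted only to local groups), the slide 55 permission bundles, and the slide 56 rule that remote access is the lesser of share and NTFS permissions, as one added Go example. It is not code from the slides or from Windows; the type and function names, the bit layout, and the sample directory and ACLs are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Perm is a bit set of granular permissions. The named sets below are the
// slide 55 bundles built from these bits; "No access" is the empty set.
type Perm uint8

const (
	PermRead Perm = 1 << iota
	PermExecute
	PermWrite
	PermDelete
	PermChangePerms
	PermTakeOwnership
)

const (
	NoAccess    Perm = 0
	Read             = PermRead | PermExecute
	Change           = Read | PermWrite | PermDelete
	FullControl      = Change | PermChangePerms | PermTakeOwnership
)

var permNames = [...]string{"read", "execute", "write", "delete", "change-permissions", "take-ownership"}

func (p Perm) String() string {
	if p == NoAccess {
		return "NoAccess"
	}
	var names []string
	for i, n := range permNames {
		if p&(1<<i) != 0 {
			names = append(names, n)
		}
	}
	return strings.Join(names, "|")
}

// Directory models the pre-Active Directory scheme: users sit in global
// groups, global groups sit in local groups, and only local groups carry
// access. Global-in-global and local-in-local nesting cannot be expressed.
type Directory struct {
	GlobalMembers map[string][]string // global group -> member users
	LocalMembers  map[string][]string // local group -> member global groups
}

// LocalGroupsOf returns, sorted, the local groups a user reaches via its global groups.
func (d Directory) LocalGroupsOf(user string) []string {
	var out []string
	for local, globals := range d.LocalMembers {
		for _, g := range globals {
			if containsString(d.GlobalMembers[g], user) {
				out = append(out, local)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func containsString(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// ACL maps local group names to the permission set granted to that group.
type ACL map[string]Perm

// Granted unions the grants of every local group the user belongs to.
func (a ACL) Granted(d Directory, user string) Perm {
	var p Perm
	for _, g := range d.LocalGroupsOf(user) {
		p |= a[g]
	}
	return p
}

// Effective applies the slide 56 rule: a local logon sees NTFS permissions
// alone, while access through a share must pass both the share ACL and the
// NTFS ACL, so "least access wins" is the bitwise intersection.
func Effective(ntfs, share Perm, viaShare bool) Perm {
	if !viaShare {
		return ntfs
	}
	return ntfs & share
}

// Constructed sample data: a folder shared read-only to Users while NTFS lets
// Users change it, and Administrators holding Full Control on both.
var (
	Dir = Directory{
		GlobalMembers: map[string][]string{"Domain Users": {"alice", "bob"}, "Domain Admins": {"bob"}},
		LocalMembers:  map[string][]string{"Users": {"Domain Users"}, "Administrators": {"Domain Admins"}},
	}
	NTFSACL  = ACL{"Users": Change, "Administrators": FullControl}
	ShareACL = ACL{"Users": Read, "Administrators": FullControl}
)

func main() {
	for _, user := range []string{"alice", "bob", "carol"} {
		ntfs, share := NTFSACL.Granted(Dir, user), ShareACL.Granted(Dir, user)
		fmt.Printf("%-6s local=%v  remote=%v\n", user, Effective(ntfs, share, false), Effective(ntfs, share, true))
	}
}
```

Running it shows the slide 56 point concretely: alice can write and delete when logged on at the console but only read over the share, while a user in no global group reaches no local group and gets nothing either way. Real NTFS additionally has explicit Deny entries that override Allow entries; the model above deals only with grants, as the slides do.
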
57
Weak Default Permissions
  • Many default permissions faulty
  • E.g., default permission on \Windows (\winnt)
    directory allows Power Users to get copy of SAM
    database
  • System should be hardened
  • Entire books written on this subject

58
Network Security
  • Protocols and APIs
  • SMB/CIFS
  • Server Message Block protocol --- MS
    implementation is called Common Internet File
    System
  • Weak authentication --- many attacks
  • No details at this point in book

59
Network Security
  • NetBEUI/NetBIOS --- older (deprecated) network
    environment
  • DoS and other attacks
  • Microsoft Internet Information Service (IIS) ---
    built-in Web server
  • Attackers love IIS

60
Summary of BAD Old Days
  • Before Active Directory (BAD)
  • That is, before Windows 2000
  • We discussed
  • History
  • Windows 3.0/95/98 (no security)
  • Windows NT
  • Backwards compatibility

61
Summary of BAD Old Days
  • Domains --- SSO to networked machines
  • Shares --- analogous to NFS mounts
  • Modes --- User Mode, Kernel Mode
  • Service packs/updates
  • Accounts
  • Groups --- local and global
  • Privilege --- rights and abilities

62
Summary of BAD Old Days
  • Policies --- apply to all accts in domain
  • Properties --- individual accounts
  • Trust --- across domains
  • Auditing/Logging
  • Access control/permissions
  • FAT --- no security
  • NTFS --- good level of security
  • Network security/protocols

63
Windows 2000
  • What is Windows 2000?
  • Windows 2000, XP, Server 2003
  • Vista not covered in text
  • Much of BAD stuff lives on
  • But some important changes
  • Including many new security features

64
Windows 2000
  • Windows 2000 offers a multitude of features and
    represents a huge increase in the growth of
    operating system size, resource consumption, and
    complexity
  • According to Paul Kocher, complexity is the
    enemy of security

65
Windows 2000
  • New non-security features
  • Power management, built-in terminal services,
    Microsoft Management Console, Microsoft Recovery
    Console, Plug-and-Play (Plug-and-Pray?)
  • But we're interested in security

66
Windows 2000
  • New security features
  • MS implementation of Kerberos
  • SSPI --- supports new authentication mechanisms
  • MS implementation of IPSec
  • L2TP --- Layer Two Tunneling Protocol, for
    security on the LAN
  • Active Directory --- central nervous system
  • Support for smart cards
  • Encrypting File System (EFS)

67
Native vs Mixed Mode
  • Native Mode --- all domain controllers Windows 2000
  • Backward compatibility issues go away
  • Can take full advantage of 2k security
  • Remainder of chapter deals with Native mode
  • Mixed Mode --- some older domain controllers
  • 1st part of chapter applies to Mixed mode

68
Domains Deemphasized
  • NT domains got in the way
  • Boundary between resources and services
  • NT browsing services costly
  • Domains exist in 2000
  • But not as important as in NT
  • Active Directory --- simplifies way to find and
    administer resources

69
Domains in Windows 2000
  • Not for network organization
  • Instead, for common policy settings
  • Domains deployed in trees or forests
  • Link trusted domains together
  • Trees: contiguous name space (easier to
    find resources)
  • Forests: noncontiguous name space

70
Domains
  • In tree form

71
Domains
  • In Win 2000
  • No distinction between PDCs and BDCs
  • All domain controllers authoritative
  • I.e., all can propagate pwd changes
  • Good for robustness
  • Questionable for security
  • Multiple single points of failure

72
Active Directory
  • Active Directory
  • All of your eggs in one basket
  • Based on LDAP
  • Find resources on network
  • Security-wise
  • Acts as a massive data repository
  • Accounts, security policies, files, etc., etc.
  • Depends heavily on DNS
  • Uses Dynamic DNS (DDNS) to find stuff

73
Security in Windows 2000
  • Greater complexity requires more careful
    configuration
  • Protect Active Directory by
  • Limiting admin privilege
  • Being aware of mixed mode attacks
  • Installing it in its own partition (out of the
    way of IIS and other dangerous stuff)

74
Physical Security
  • Kerberos
  • Recall Key Distribution Center (KDC)
  • Access to KDC gives access to tickets
  • KDC lives on a server
  • Client machines cache important info
  • Credentials encrypted with KDC key
  • So, access to client credentials not a big deal
  • But, access to KDC key breaks entire system

75
Templates
  • For setting security parameters
  • Include many pre-packaged recommended settings
  • Easy to develop custom templates
  • Center for Internet Security provides security
    templates

76
Windows 2000 Architecture
  • As before, user mode, kernel mode
  • Kernel mode now includes
  • Plug and Play Manager
  • Power Manager
  • Window Manager, etc.

77
Accounts and Groups
  • Accounts almost same as pre-2000
  • Power Users group is potential problem
  • Reducing privilege may break things
  • Three security groups: domain local, global,
    universal
  • Universal: every domain in a forest
  • In native mode, global can include global groups

78
Organizational Units
  • OUs are hierarchical groups of users
  • Can inherit properties (within domain)
  • Important for privilege control
  • Supports delegation of privilege
  • Child OUs can never have more rights than
    parent OU
  • Good way to limit privilege

79
Organizational Units
  • Downside to OUs
  • Only recognized within domain
  • 3 levels is practical max (performance)

80
Privilege Control
  • Rights more granular than in NT
  • Multiple ways to accomplish same thing
  • No abilities

81
RunAs
  • Run with different privilege
  • E.g., Admin execute with lower privilege

82
Policies
  • Group Policy Objects (GPOs)
  • Password policy, IPSec, Kerberos, etc.
  • Granularity! (e.g., the appearance of IE)
  • GPOs allow for different policies for
  • Different users
  • Different OUs
  • Different computers, domains, etc.

83
GPOs
84
Trust
  • In NT, MS-specific authentication
  • In 2000, Kerberos
  • Plug a domain into tree (or forest)
  • Automatically trusts (and trusted by) all other
    domains in tree (or forest)
  • Any domain can trust any other
  • Problem, if not managed carefully
  • Attackers like orphan domains

85
Auditing
  • Similar to NT
  • Security Log
  • 9 (instead of 7) categories
  • Account Logon Events, Account Management,
    Directory Service Access, Logon Events, Object
    Access, Policy Change, Privilege Use, Process
    Tracking, System Events

86
Access Control
  • Similar to NT
  • NT uses NTFS-4
  • Windows 2000 uses NTFS-5
  • Standard permissions
  • Full Control
  • Modify
  • Read and Execute
  • Read
  • Write

87
Access Control
  • NTFS-5 basic permissions
  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes (e.g., encryption)
  • Create Files/Write Data
  • Create Folders/Append Data
  • Write Attributes
  • Write Extended Attributes
  • Read Permissions
  • Change Permissions
  • Delete Subfolders and Files
  • Delete
  • Take Ownership
  • Synchronize (make contents of one file identical
    to another)

88
Encrypting File System
  • EFS automatically and transparently
    encrypts/decrypts files
  • DES, 3DES, or AES
  • Does not encrypt files on network
  • Only one user per file allowed
  • Slight performance issue
  • Critical to back up EFS key!

89
Conclusion
  • Securing Windows not a trivial matter
  • Windows a target-rich environment
  • Weak default settings
  • Backward compatibility
  • Complexity

90
Summary
  • History
  • Pre-2000
  • Domains, service packs, user mode, kernel mode,
    SAM passwords, Security Reference Monitor,
    accounts, groups, rights, abilities, trust,
    logging/audit, NTFS/access control/permissions,
    shares, network security

91
Summary
  • 2000
  • Active Directory
  • Kerberos, IPSec, etc.
  • Lesser modifications: domains deemphasized,
    accounts/groups, OUs, rights, RunAs,
    Policies/GPOs, Trust, Access control/NTFS-5, EFS