Title: 20771: Computer Security Lecture 9: Windows 2000 II
1 20-771 Computer Security, Lecture 9: Windows 2000 II
- Robert Thibadeau
- School of Computer Science
- Carnegie Mellon University
- Institute for eCommerce, Fall 2002
2 Today's lecture
3 Whitehead-Russell Principia Mathematica / Turing Machine / Von Neumann Machine
- Russell bio: http://www-groups.dcs.st-and.ac.uk/history/Mathematicians/Russell.html
- Whitehead bio: http://www-groups.dcs.st-and.ac.uk/history/Mathematicians/Whitehead.html
- Turing bio: http://www.turing.org.uk/turing/bio/part3.html
- Original Turing Paper: http://www.abelard.org/turpap2/tp2-ie.asp#section-1
- Von Neumann bio: http://ei.cs.vt.edu/history/VonNeumann.html
- Great demos: http://cgi.student.nada.kth.se/cgi-bin/d95-aeh/get/umeng
4 W-R 1910 (vol 1; 1913 vols 2-3)
- WHITEHEAD, RUSSELL: Principia Mathematica. Vol 1. Cambridge University Press, 1910. Large 8vo, pp. xiii, 3, 666. Inner margin cracked at pp. 432-433. Publisher's blue cloth, blind ruled sides, gilt on spine. Closed tear at top of spine. Ex libris bookplate of Cheltenham Ladies College. An excellent copy of a rare book. FIRST EDITION of a book that DNB claims is the 'greatest single contribution to logic that has appeared in the two thousand years since Aristotle.' On a trip to Paris, Russell and Whitehead heard an account of the work of Giuseppe Peano of Turin, who introduced the use of symbols to represent logical notions. Russell and Whitehead saw the potential this ideography had to settle questions relating to the foundations of mathematics, which Russell had attempted, but not completed, in his earlier Principles of Mathematics. The Principia was the result of their investigations. Russell wrote most of this first volume and most of the explanatory philosophical material in the introduction. There were 750 copies printed of this first volume; volumes II and III were not published until 1913, and in editions of 500 copies each, when the potential readership for such abstruse material was more realistically estimated. 'The publication of the Principia gave a marked impulse to the study of mathematical logic. The deft handling of complicated but precise symbolism encouraged workers to use this powerful technique and thus avoid the ambiguities lurking in the earlier employment of ordinary language' (DSB). Bookseller Inventory 81950.
- Price 1500.00 (approx. United Kingdom; US 2337.58)
- Presented by Simon Finch Rare Books, London
5 This Week
- Read WS 8,9
- Windows Homework
- Next two weeks.
6 Windows C-2 Security Model
- It must be possible to control access to a resource by granting or denying access to individual users or named groups of users.
- Memory must be protected so that its contents cannot be read after a process frees it. Similarly, a secure file system, such as NTFS, must protect deleted files from being read.
- Users must identify themselves in a unique manner, such as by password, when they log on. All auditable actions must identify the user performing the action.
- System administrators must be able to audit security-related events. However, access to the security-related events audit data must be limited to authorized administrators.
- The system must be protected from external interference or tampering, such as modification of the running system or of system files stored on disk.
7 Windows 2000 IPAAAA Model
8 Learning Windows 2000
- MSDN Subscription (Universal)
  - Documentation free at http://msdn.microsoft.com
  - CMU Student: about 700/yr (all OSs, SDKs)
  - Corporate: about 2500/yr
- Check into the MSDN Library
  - Infinitely better than TechNet, which is generally worthless for learning how things work.
- Books
  - MS: very useless for the manager
  - Pop Press: not good at telling you what actually happens
- MSDN Library
  - The RFCs of Microsoftland!
  - A better understanding of what is really going on
9 Windows 2000 Access/Authorization
- Much richer (more complicated) model
- Grown out of Unix
- Much more complicated ACL system: 32 bit, not 12 bit
- Many more special user types with magic capabilities
- Intention: more fine grained control
- Faulty intention? Less subject to error
- (Diagram: "Complexity Wins", Windows vs. Unix)
10 Domain Security
- Each domain is a security boundary.
- This means that security policies and settings (such as administrative rights, security policies, and ACLs) do not cross from one domain to another.
- The administrator of a domain has absolute rights to set policies within that domain only.
- Trust is a magic MS word that means an explicit trust relation between a pair of domains (access privilege for a trusted domain).
11 NT/2000 Domains
- Introduced with NT (Win 2000 is essentially NT)
- Organizes access control across local machines
- Centralized user accounts
- Centralized group accounts
- Primary Domain Controller (PDC)
- Multiple Backup Domain Controllers (BDCs)
- Because access is centrally controlled, everything is controlled -> software configuration
- W2000 Server can be a Domain Controller
- W2000 Professional can be only when Local Domain
12 Universe: domain trees
- You can combine multiple domains into structures called domain trees.
- The first domain in a tree is called the root of the tree, and additional domains in the same tree are called child domains.
- A domain immediately above another domain in the same tree is referred to as the parent of the child domain.
- All domains within a single domain tree share a hierarchical naming structure.
- Domains that share a common root share a contiguous namespace.
- Domains in a tree are joined together through two-way, transitive trust relationships.
- These trust relationships are two-way and transitive; therefore, a domain joining a tree immediately has trust relationships established with every domain in the tree.
- A set of domain trees can also be managed as a single forest in an Active Directory.
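The trust rules on slides 10 and 12, as an added example that is not part of the lecture or of Windows itself: a small model of a forest in which tree trusts are two-way and transitive, explicit trusts between trees cover only the named pair, and an administrator's right to set policy never crosses a domain boundary no matter what is trusted. The domain names (reskit.com from a later slide, eng, lab, partner.example), the Forest class and the explicit-trust set are constructed for illustration; real Windows 2000 trusts carry more state (direction, transitivity) than this model.

```python
# Added example (not from the lecture): a toy model of the domain-tree trust
# rules on slides 10 and 12.  Domain names, the Forest class and the
# "explicit trust" set are constructed for illustration.


class Forest:
    """Domains keyed by DNS name, with parent links forming one tree per root."""

    def __init__(self):
        self.parent = {}       # domain -> parent domain, or None for a tree root
        self.explicit = set()  # frozenset({a, b}): explicit pairwise trusts (slide 10)

    def add_root(self, name):
        self.parent[name] = None
        return name

    def add_child(self, rdn, parent):
        # Slide 12: domains sharing a root share a contiguous namespace, so a
        # child's DNS name is its label under the parent's name.
        if parent not in self.parent:
            raise KeyError(f"unknown parent domain {parent}")
        name = f"{rdn}.{parent}"
        self.parent[name] = parent
        return name

    def root_of(self, name):
        while self.parent[name] is not None:
            name = self.parent[name]
        return name

    def add_explicit_trust(self, a, b):
        self.explicit.add(frozenset({a, b}))

    def trusts(self, a, b):
        """True if principals from b can be granted access in a.

        Tree trusts are two-way and transitive: any two domains under the same
        root trust each other as soon as they join the tree.  An explicit trust
        between domains of different trees covers that pair only (in this
        model it is two-way but not transitive).
        """
        if a == b or self.root_of(a) == self.root_of(b):
            return True
        return frozenset({a, b}) in self.explicit

    def trust_chain(self, a, b):
        """The parent/child path through which a tree trust between a and b is
        transitively established, or None when the domains are in different trees."""
        if self.root_of(a) != self.root_of(b):
            return None
        up_a, up_b = self._ancestors(a), self._ancestors(b)
        common = next(d for d in up_a if d in up_b)
        return up_a[: up_a.index(common)] + up_b[: up_b.index(common) + 1][::-1]

    def _ancestors(self, name):
        chain = [name]
        while self.parent[chain[-1]] is not None:
            chain.append(self.parent[chain[-1]])
        return chain


def can_set_policy(admin_domain, target_domain):
    """Slide 10: each domain is a security boundary.  Trust lets a domain grant
    access to the other domain's principals; it never lets the other domain's
    administrator set policy here."""
    return admin_domain == target_domain


def demo():
    """Constructed forest: reskit.com -> eng.reskit.com -> lab.eng.reskit.com,
    plus an unrelated tree partner.example."""
    f = Forest()
    root = f.add_root("reskit.com")
    eng = f.add_child("eng", root)
    lab = f.add_child("lab", eng)
    partner = f.add_root("partner.example")
    out = {
        "lab_trusts_root": f.trusts(lab, root),     # transitive via eng
        "chain": f.trust_chain(lab, root),
        "partner_before": f.trusts(lab, partner),   # different tree, no trust
    }
    f.add_explicit_trust(root, partner)
    out["partner_after"] = f.trusts(root, partner)           # explicit pair only
    out["explicit_not_transitive"] = f.trusts(lab, partner)  # lab is not in the pair
    out["root_admin_sets_lab_policy"] = can_set_policy(root, lab)
    return out
```

The last entry is the point the slides make about boundaries: the root administrator is trusted by lab.eng.reskit.com, so lab can grant rights to principals from the root, but only lab's own administrator sets lab's policy.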
13 Domain Trees (diagram: five Domain Controllers, Prof workstations, User Accounts)
14 What Is the Active Directory?
- The Active Directory is THE directory service included with Windows Server (like the file system on Unix or Andrew).
- It extends the features of previous Windows-based directory services and adds entirely new features.
- The Active Directory is secure, distributed, partitioned, and replicated.
- It is designed to work well in any size installation, from a single server with a few hundred objects to thousands of servers and millions of objects.
- The Active Directory adds many new features that make it easy to navigate and manage large amounts of information, generating time savings for both administrators and end users.
15 Objects, Containers, Trees
- Object
  - An object is a distinct, named set of attributes that represents something concrete, such as a file, user, a printer, or an application. The attributes hold data describing the subject that is identified by the directory object. Attributes of a user might include the user's given name, surname, and e-mail address.
- Container
  - A container is like an object in that it has attributes and is part of the Active Directory namespace. However, unlike an object, it does not represent something concrete. It is a container for a group of objects and other containers.
  - A simple directory is a container.
  - A computer network or domain is also a container.
- Tree
  - Tree is used to describe a hierarchy of objects and containers. Endpoints on the tree are usually objects. Nodes in the tree (points at which the tree branches) are containers. A tree shows how objects are connected or the path from one object to another.
  - A contiguous subtree is any unbroken path in the tree, including all members of any container in that path.
16 Example AD for company reskit.com
17 Some Hierarchies
18 Object Naming
- An object has exactly one name, the distinguished name (DN).
- The DN uniquely identifies the object and contains sufficient information for a client to retrieve the object from the directory. The DN of an object may be quite long and difficult to remember. Moreover, the DN of an object may change. Since the DN of an object is composed of the RDN of the object and its ancestors, a rename of the object itself or any ancestor will change the DN.
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adschema/w2k/A_name.asp
- Object globally unique identifier (GUID)
  - A 128-bit number, guaranteed to be unique. Objects have a GUID assigned when they are created. The GUID is never changed, even if the object is moved or renamed. Applications can store the GUID of an object and be assured of retrieving that object no matter what the current DN is.
- User Principal Name
  - Security principals (users and groups) each have a "friendly" name, the User Principal Name (UPN), which is shorter than the DN and easier to remember.
  - The User Principal Name is composed of a "shorthand" name for the user and the DNS name of the domain tree where the user object resides. For example, user James Smith in the microsoft.com tree might have a UPN of "JamesS@Microsoft.com".
19 More on Names
- Uniqueness of Names
  - Distinguished names are guaranteed to be unique. The Active Directory does not permit two objects with the same RDN under the same parent. DNs are composed of RDNs and are therefore unique. GUIDs are unique by definition: an algorithm that ensures uniqueness generates GUIDs. Uniqueness is not enforced for any other attributes.
- Access to the Active Directory
  - Access to the Active Directory is via wire protocols. Wire protocols define the formats of messages and interactions of client and server. Various application-programming interfaces (APIs) give developers access to these protocols.
- Protocol Support
  - LDAP: The Active Directory core protocol is the Lightweight Directory Access Protocol (LDAP). LDAP version 2 and version 3 are supported.
  - Also MAPI (homework if you want to find out..)
  - NOT OSI!
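The naming rules of slides 18 and 19, as an added example that is not part of the lecture or of the Active Directory code: an in-memory directory in which the DN is recomputed from the RDN chain (so renaming an ancestor changes it), the GUID is assigned once and stays valid across renames, and a second object with the same RDN under the same parent is refused. The container names (DC=com, DC=microsoft, OU=Sales) and the shorthand "JamesS" are constructed for the demo; the MSDN example UPN on slide 18 is the only value taken from the text.

```python
# Added example (not from the lecture or Microsoft): an in-memory directory
# that reproduces the naming rules on slides 18 and 19.  The container names
# and the shorthand "JamesS" are constructed.
import uuid


class Directory:
    def __init__(self):
        self.objects = {}   # guid -> {"rdn", "parent", "attrs"}
        self.children = {}  # parent guid (None at the top) -> {rdn.lower(): guid}

    def add(self, rdn, parent=None, **attrs):
        siblings = self.children.setdefault(parent, {})
        # Slide 19: two objects may not share an RDN under the same parent.
        if rdn.lower() in siblings:
            raise ValueError(f"{rdn!r} already exists under this parent")
        guid = uuid.uuid4()  # slide 18: 128-bit id, fixed for the object's lifetime
        self.objects[guid] = {"rdn": rdn, "parent": parent, "attrs": attrs}
        siblings[rdn.lower()] = guid
        return guid

    def dn(self, guid):
        # Slide 18: the DN is the object's RDN followed by its ancestors' RDNs,
        # so it is recomputed from the tree each time rather than stored.
        parts = []
        while guid is not None:
            obj = self.objects[guid]
            parts.append(obj["rdn"])
            guid = obj["parent"]
        return ",".join(parts)

    def rename(self, guid, new_rdn):
        obj = self.objects[guid]
        siblings = self.children[obj["parent"]]
        if new_rdn.lower() in siblings:
            raise ValueError(f"{new_rdn!r} already exists under this parent")
        del siblings[obj["rdn"].lower()]
        siblings[new_rdn.lower()] = guid
        obj["rdn"] = new_rdn

    def find_by_dn(self, dn):
        """Walk the DN right-to-left through the containers; None if absent."""
        parent = guid = None
        for rdn in reversed(dn.split(",")):
            guid = self.children.get(parent, {}).get(rdn.lower())
            if guid is None:
                return None
            parent = guid
        return guid

    def upn(self, guid, tree_dns_name):
        # Slide 18: shorthand name plus the DNS name of the domain tree.
        return f"{self.objects[guid]['attrs']['shorthand']}@{tree_dns_name}"


def demo():
    d = Directory()
    com = d.add("DC=com")
    ms = d.add("DC=microsoft", com)
    sales = d.add("OU=Sales", ms)
    james = d.add("CN=James Smith", sales, shorthand="JamesS")
    out = {"dn_before": d.dn(james), "upn": d.upn(james, "microsoft.com")}
    try:
        d.add("CN=james smith", sales)  # same RDN (case-insensitive) under the same parent
        out["duplicate_rejected"] = False
    except ValueError:
        out["duplicate_rejected"] = True
    d.rename(sales, "OU=Field Sales")   # renaming an ancestor changes the child's DN ...
    out["dn_after"] = d.dn(james)
    out["old_dn_resolves"] = d.find_by_dn(out["dn_before"]) is not None
    # ... but the stored GUID still reaches the same object.
    out["guid_still_valid"] = d.objects[james]["attrs"]["shorthand"] == "JamesS"
    return out
```

A client that caches DNs therefore breaks on any rename up the tree, while one that caches GUIDs does not; that is the practical reason the slide recommends storing the GUID.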
20 Registry Lingo
- registry
  - A database in which Windows NT internal configuration information and computer- and user-specific settings are stored.
  - It is a tree
- registry hive
  - A section of the registry that is saved as a file. The registry subtree is divided into hives. A hive is a discrete body of keys, subkeys, and values.
21 Object Protection
- All objects in the Active Directory are protected by Access Control Lists (ACLs).
- ACLs determine who can see the object and what actions each user can perform on the object. The existence of an object is never revealed to a user who is not allowed to see it.
- An ACL is a list of Access Control Entries (ACEs) stored with the object it protects.
- In Windows, an ACL is stored as a binary value called a Security Descriptor. Each ACE contains a Security Identifier (SID), which identifies the principal (user or group) to whom the ACE applies, and information on what type of access the ACE grants or denies.
- ACLs on directory objects contain ACEs that apply to the object as a whole and ACEs that apply to the individual attributes of the object.
- This allows an administrator to control not just which users can see an object, but what properties those users can see. For example, all users might be granted read access to the e-mail and telephone number attributes for all other users, but security properties of users might be denied to all but members of a special security administrators group. Individual users might be granted write access to personal attributes such as the telephone and mailing addresses on their own user objects.
22 Windows Access Control Model: Compares SID to Security Descriptor
(Diagram: OBJECT -> Security Descriptor -> Access Control List (ACL), MANY 32-bit RIGHTS. YOU! -> SID (Security ID). ACEs: User a / User permissions; Group a / Group permissions; Group b ...; More ACEs ... Rights scopes: User, Group, Local (System), Local Domain, Universe. Object permissions differ by object type.)
23 Object Security Descriptor
(Diagram: OBJECT (or Container) is just a set of attributes, including the content. Discretionary Access Control List (DACL): ACE, ACE, ACE, ACE; answers "Who can do what?". System Access Control List (SACL): ACE, ACE, ACE, ACE; the audit trail. ACE = Access Control Entry (sic).)
24 security descriptor
- A set of access control information attached to every container and object on the network.
- A security descriptor controls the type of access allowed to users and groups.
- Administrators assign security descriptors to objects stored in the Active Directory to control access to resources or objects on the network.
- A security descriptor
  - lists the users and groups that are granted access to an object (a file, printer, or service, for example), and
  - the specific permissions assigned to those users and groups.
- See also discretionary access control list (DACL) and system access (audit) control list (SACL).
25 discretionary access control list (DACL)
- A part of the security descriptor that specifies the groups or users that can access an object,
- as well as the types of access (permissions) granted to those groups or users.
- With explicit ACCESS ALLOWED and DENIAL
- Order of ACEs is IMPORTANT
26 Windows Authorization
27 Windows Default ACE order
- Denial ACEs first then Allow ACEs
- Within this, Specific to Object then non Specific
28 First Time Manager Mistake
- Something doesn't work
- You make yourself everything
- Still doesn't work.
- Problem: NT/2000 Security looks at you and makes you the MINIMUM capable of your groups
- A Users group is pretty powerless
- Select your groups very carefully to have the power you need
29 Remember in Unix the Special Bits?
- 4 Set User ID: causes an executable file (a program) to go into the access permissions of the owner of the file (note, group or OTHER could execute it!), not the person executing it.
- 2 Set Group ID: causes a new file that is being created in a directory to have the group ID of the directory, not the person (User) that is creating the file.
- 1 Sticky Bit: causes a new file that is being created in a directory to not be deletable by just anybody in that directory but by the user who created the file. The file is sticky because not-just-anybody can delete it.
30 Permissions: Think a LOT OF SPECIAL BITS
- 32 to be precise
- Meaning depends on kind of Object
- E.g., are you a file or a directory?
- ACL (Every Object has an Access Control List)
- Every ACL has many ACEs
- Typical Access Control Entries
- Read
- Write
- Execute
31 Permissions
- For a directory
- Allow (User or Group Member) What, Apply-To Where
- What
  - Full Control
  - Modify
  - Read & Execute
  - List Folder Contents
  - Read
  - Write
- Where
  - This folder
  - Subfolders
  - Files
32 Fine Grained Permissions
- Give meaning to full, modify, etc.
- Built-ins
- Traverse folder/ execute file
- List folder/ read data
- Read attributes
- Read extended attributes
- Create files/ write data
- Create folders/ append data
- Write attributes
- Write extended attributes
- Delete subfolders and files
- Delete
- Read permissions
- Change permissions
- Take ownership
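The 32 "special bits" of slide 30, the fine-grained names of slide 32 and the standard buckets of slide 31 side by side, as an added example that is not part of the lecture or of Windows: a decoder that turns a 32-bit access mask into the slide 32 right names, accepts the two-letter rights tokens of the SDDL "ACE string" notation (FR, FW, FX, FA, GR, GA and so on), and reports the tightest slide 31 bucket that covers a mask. The bit values and the FA/FR/FW/FX constants are the Win32 file-security values; the exact composition of the Modify and Read & Execute buckets is this example's assumption.

```python
# Added example (not from the lecture or Microsoft): decoding the 32-bit access
# mask of slide 30 into the slide 32 rights and the slide 31 buckets.  Bit
# values are the Win32 file-security constants; the bucket composition in
# STANDARD is this example's assumption.

FILE_RIGHTS = {  # slide 32 names -> access mask bits
    0x00000001: "List folder / read data",
    0x00000002: "Create files / write data",
    0x00000004: "Create folders / append data",
    0x00000008: "Read extended attributes",
    0x00000010: "Write extended attributes",
    0x00000020: "Traverse folder / execute file",
    0x00000040: "Delete subfolders and files",
    0x00000080: "Read attributes",
    0x00000100: "Write attributes",
    0x00010000: "Delete",
    0x00020000: "Read permissions",
    0x00040000: "Change permissions",
    0x00080000: "Take ownership",
    0x00100000: "Synchronize",
}
GENERIC_RIGHTS = {
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# SDDL rights tokens ("ACE strings"): generic, standard and file-specific aliases.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Slide 31 buckets, smallest first, so the first bucket covering a mask is the tightest.
STANDARD = [
    ("Read", 0x00120089),
    ("Write", 0x00120116),
    ("Read & Execute", 0x001200A9),
    ("Modify", 0x001301BF),
    ("Full Control", 0x001F01FF),
]
ALL_KNOWN = sum(FILE_RIGHTS) | sum(GENERIC_RIGHTS)


def parse_rights(text):
    """Accept a hex mask ("0x1200A9") or a run of SDDL tokens ("FRFX")."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16) & 0xFFFFFFFF
    if len(text) % 2:
        raise ValueError(f"odd-length rights string {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        token = text[i:i + 2].upper()
        if token not in SDDL_RIGHTS:
            raise ValueError(f"unknown rights token {token!r}")
        mask |= SDDL_RIGHTS[token]
    return mask


def decode_mask(mask):
    """Names of every set bit; unknown bits are reported rather than silently dropped."""
    names = [n for bit, n in FILE_RIGHTS.items() if mask & bit]
    names += [n for bit, n in GENERIC_RIGHTS.items() if mask & bit]
    leftover = mask & ~ALL_KNOWN & 0xFFFFFFFF
    if leftover:
        names.append(f"unknown bits 0x{leftover:08X}")
    return names


def standard_bucket(mask):
    """Tightest slide-31 bucket that covers every bit in mask, or None."""
    for name, bucket in STANDARD:
        if mask & ~bucket == 0:
            return name
    return None


def demo():
    return {
        "FRFX": parse_rights("FRFX"),                  # 0x1200A9
        "rx_bucket": standard_bucket(parse_rights("FRFX")),
        "modify": decode_mask(0x001301BF),
        "change_perms": standard_bucket(0x00040000),   # only Full Control includes it
        "generic_read": decode_mask(parse_rights("GR")),
    }
```

Two things the decoder makes visible: Modify contains Delete but not "Delete subfolders and files", "Change permissions" or "Take ownership", so granting Modify is a much smaller step than Full Control; and a generic bit such as GR maps to no bucket here, because Windows first translates generic rights into object-specific ones (for files, GR becomes FR) before it compares them with the ACEs.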
33 Special Identities
- System (only the OS of Local): restricted root for SUID type actions.
- Creator Owner (like self group in unix, only a directory!)
- Users get permissions of Creator Owner (like Special Bits)
- Everyone (an automatic group assignment for all users including guests)
- Network (an automatic group assignment for users/guests that are not Local and who have been granted remote access)
- Interactive (Local users/guests who have been granted access)
34 Example of Rights Complexity: Power User
- rwdx his own files/directories
- rwdx new system applications but not system services (rx)
- rm system settings such as shares, printers, system time, and power management
- rwd new user accounts (except administrators)
- rwd new group accounts
- W98/2000 Prof: by default any user is a power user
35 Standard 2000 Groups
- Local (incl. Local Domain)
- Global (Domain)
- Universal (Nesting Domains)
- Local
  - Administrators (same as root in unix)
  - Backup Operators
  - Replicator
  - Power Users
  - Users
- Domain (adds)
  - Account Operators
  - Server Operators
  - Print Operators
36 Types of ACEs
- Access-denied ACE: used in a DACL to deny access rights to a trustee.
- Access-allowed ACE: used in a DACL to allow access rights to a trustee.
- System-audit ACE: used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights.
37 Group Policy Settings (special bits)
- Registry-based policies
  - Includes Group Policy for the Windows operating system and its components and for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.
- Security options
  - Includes options for local computer, domain, and network security settings.
- Software installation and maintenance options
  - Used to centrally manage application installation, updates, and removal.
- Script options
  - Includes scripts for computer startup and shutdown and user logon and logoff.
- Folder redirection options
  - Allows administrators to redirect users' special folders to the network.
38 system access (audit) control list (SACL)
- Part of a security descriptor that specifies which user accounts or groups to audit when accessing an object,
- the access events to be audited for each group or user, and
- a Success or Failure attribute for each access event, based on the permissions granted in the object's DACL
- ACEs: success or failure
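How the DACL walk of slides 25, 27 and 28 and the SACL of slides 36 and 38 fit together, as an added example that is not part of the lecture or of the Windows access check: the DACL is read top to bottom, a matching deny ACE that overlaps a right still being requested ends the check with denial, allow ACEs accumulate until every requested right is covered, and audit ACEs then turn the outcome into success or failure records. The SIDs, the Contractors group, the three rights bits and the record format are constructed; real Windows also applies generic-right mapping, owner rights, inheritance flags and privileges, which this model leaves out.

```python
# Added example (not from the lecture or Windows source): a simulation of the
# ordered DACL walk (slides 25, 27, 28) and SACL audit records (slides 36, 38).
# SIDs, groups, rights bits and the record format are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

DENY, ALLOW, AUDIT = "access-denied", "access-allowed", "system-audit"  # slide 36
SUCCESS, FAILURE = "success", "failure"                                   # slide 38 flags
READ, WRITE, DELETE = 0x1, 0x2, 0x10000   # constructed subset of the 32-bit mask

EVERYONE = "S-1-1-0"          # slide 33: automatic group for all users
ADMINISTRATORS = "S-1-5-32-544"


@dataclass
class Ace:
    kind: str
    sid: str                              # trustee the ACE applies to (slide 21)
    mask: int
    audit: FrozenSet[str] = frozenset()   # AUDIT ACEs: SUCCESS and/or FAILURE


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]             # None = no DACL at all = everyone gets everything
    sacl: List[Ace] = field(default_factory=list)


@dataclass
class Token:
    user: str
    groups: FrozenSet[str]

    def sids(self):
        return self.groups | {self.user}


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> Tuple[bool, int]:
    """Walk the DACL in stored order.  A matching deny ACE that overlaps any
    right still wanted ends the walk with denial; allow ACEs accumulate until
    every wanted right is granted.  Returns (granted, rights granted so far)."""
    if sd.dacl is None:
        return True, desired
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False, desired & ~remaining
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, desired
    return False, desired & ~remaining      # an empty DACL lands here: nobody gets in


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Slide 27 default: deny ACEs before allow ACEs (stable sort keeps the rest)."""
    return sorted(dacl, key=lambda a: 0 if a.kind == DENY else 1)


def audit_records(sd: SecurityDescriptor, token: Token, desired: int, granted: bool) -> List[str]:
    """One record per audit ACE whose trustee, rights and success/failure flag
    match the attempt (slide 38)."""
    outcome = SUCCESS if granted else FAILURE
    return [
        f"{outcome}: {token.user} requested 0x{desired:X} on object owned by {sd.owner} "
        f"(audit ACE for {ace.sid})"
        for ace in sd.sacl
        if ace.kind == AUDIT and ace.sid in token.sids()
        and ace.mask & desired and outcome in ace.audit
    ]


def demo():
    contractors = "S-1-5-21-1-2-3-2001"   # constructed domain group
    alice = Token("S-1-5-21-1-2-3-1105", frozenset({ADMINISTRATORS, contractors, EVERYONE}))
    sd = SecurityDescriptor(
        owner=ADMINISTRATORS,
        dacl=[Ace(ALLOW, ADMINISTRATORS, READ | WRITE | DELETE),  # allow stored first ...
              Ace(DENY, contractors, WRITE)],                     # ... deny second (non-canonical)
        sacl=[Ace(AUDIT, EVERYONE, WRITE, frozenset({FAILURE}))],
    )
    as_stored, _ = access_check(sd, alice, WRITE)   # the admin allow is reached first
    sd.dacl = canonical_order(sd.dacl)
    canonical, _ = access_check(sd, alice, WRITE)   # slide 28: a deny on any of your groups wins
    return {
        "write_noncanonical": as_stored,
        "write_canonical": canonical,
        "read_canonical": access_check(sd, alice, READ)[0],
        "audit": audit_records(sd, alice, WRITE, canonical),
        "empty_dacl": access_check(SecurityDescriptor(ADMINISTRATORS, []), alice, READ)[0],
        "null_dacl": access_check(SecurityDescriptor(ADMINISTRATORS, None), alice, READ)[0],
    }
```

The two WRITE results are the slide 25 point in miniature: the same ACEs give opposite answers depending on their order, which is why the tools keep denies first. The empty and null DACL cases are worth remembering when reading a security descriptor by hand: an empty list denies everyone, while no list at all grants everyone.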
39 Default Auditing Policy
What policy settings are in the Default Domain Controllers Policy GPO? The following tables list the policy settings in the Default Domain Controllers Policy GPO.
40 Demonstration
- run -> mmc /a
- control -> administration tools, system management, security policy
- right click on object and go advanced
- Event viewer
41 Break!
42 MSDN Links
- How DACLs work: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/how_dacls_control_access_to_an_object.asp
- File Directory: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/file_security_and_access_rights.asp
- String for ACE: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/ace_strings.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/access_mask.asp
43 Features of Win 2000
- Multiple methods of authenticating internal and external users
- Protection of files through easy to use encryption
- Protection across network through transparent encryption
- Per-property access control for objects (many more detailed uses than read, write, and execute)
- Smart card support for authentication and hiding private keys
- Transitive trust relationships between domains
- Public Key Infrastructure (PKI certs handled transparently).
- Code itself is routinely authenticated as to its source using PKI.
44 Bad News, Good News
- Complex
- Many Hierarchies
- Lots of How-To
- Learn only MS
- Use only MS 2000
- Simple underlying model
- MMC/ Active Directory / ACLs
- Hierarchies are easy to browse/search
- Only ONE way to configure
- Good online docs, good HCI
45 What is your recommendation?
- Machines have to be 128 megabytes
- Think domain trees.
- Inheritance
  - Build a root
  - Build a department
  - Add in other departments
- Web Servers
  - Build a root
  - Build a web server
  - Add in other departments
46 Build a root?
- The root should include
  - A top-level domain controller
  - A top-level certificate server
  - A top-level Kerberos server
  - Possibly, a top-level SQL Server
  - Possibly, an Exchange server (mail)
  - Possibly, a DNS server
  - If intranetting, an IIS server
- These servers don't have to be big-time machines but do have to be reliable
- Disk mirroring is built into NT/2000
- Offsite backup replication (IPSec)
- These machines should be under major lock and key.
- Entry should be local console, although remote is supported in Windows 2000.
47 Windows 2000 IPAAA Model: File Encrypt
48 Encrypting File
- Think like SSL and others: uses RSA for authentication/authorization and a private session key for actual encryption/decryption
- This means the system has a private key that it can use for decryption
- Encrypted Data Recovery Policy (EDRP)
  - Workgroup (LOCAL Domain): this is local
  - In Domain, it is only with the Domain Administrator
49 One DESX Key, Many Certs
(Diagram: FILE OR DIRECTORY. Administrator CERT / Public Key M -> Symmetric/Private/DESX Encrypt/Decrypt Key A. UserQ CERT / Public Key Q -> Symmetric/Private/DESX Encrypt/Decrypt Key A. UserR CERT / Public Key R -> Symmetric/Private/DESX Encrypt/Decrypt Key A. Some can be certs in the Data Decryption Field or the Data Recovery Field.)
50 File Encryption / Recovery Certificate
- The symmetric encrypting key is encrypted using the public key derived from your EFS certificate.
- The resulting encrypted data, along with your display name and a hash of the certificate, is stored in a named stream in the file that contains EFS metadata.
- When EFS decrypts a file, it uses your private key to decrypt the symmetric encrypting key. EFS then uses the symmetric key to decrypt the data.
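The "one key, many certs" layout of slides 49 and 50, as an added example that is neither the lecture's nor Microsoft's EFS code: one random file encryption key (FEK) encrypts the data, and that same FEK is wrapped once per certificate into a Data Decryption Field entry (users) or a Data Recovery Field entry (recovery agents), each stored beside a hash of the certificate; decryption unwraps the FEK with the private key first and only then touches the data. Toy RSA on fixed Mersenne primes and a SHA-256 keystream stand in for real RSA certificates and DESX; neither is secure and both exist only to show the structure. The key pairs, the field names as Python dictionaries and the sample plaintext are constructed.

```python
# Added example (not the lecture's or Microsoft's EFS code): the slide 49/50
# envelope.  Toy RSA on fixed Mersenne primes and a SHA-256 keystream stand in
# for real certificates and DESX; neither is secure.
import hashlib
import secrets

FEK_BYTES = 16  # the "128 bit" key size of slide 51


class ToyRsaKey:
    """Textbook RSA on two fixed primes: fine for showing the envelope, not for use."""

    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+

    def public(self):
        return self.n, self.e

    def cert_hash(self):
        # Stand-in for the certificate hash stored next to the wrapped FEK (slide 50).
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()[:16]


def wrap_fek(fek, public):
    n, e = public
    m = int.from_bytes(fek, "big")
    assert m < n, "toy key too small for this FEK"
    return pow(m, e, n)


def unwrap_fek(wrapped, key):
    return pow(wrapped, key.d, key.n).to_bytes(FEK_BYTES, "big")


def keystream_xor(fek, data):
    """XOR with a SHA-256 counter keystream: the "operates like XOR" stand-in for DESX."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(fek + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def efs_encrypt(plaintext, user_keys, recovery_keys):
    fek = secrets.token_bytes(FEK_BYTES)
    metadata = {  # the EFS named stream of slide 50
        "DDF": {k.cert_hash(): wrap_fek(fek, k.public()) for k in user_keys},
        "DRF": {k.cert_hash(): wrap_fek(fek, k.public()) for k in recovery_keys},
    }
    return {"data": keystream_xor(fek, plaintext), "efs": metadata}


def efs_decrypt(blob, key):
    """Find this certificate's entry in the DDF or the DRF, unwrap the FEK with
    the private key, then decrypt the data (the two steps on slide 50)."""
    for field_name in ("DDF", "DRF"):
        wrapped = blob["efs"][field_name].get(key.cert_hash())
        if wrapped is not None:
            return keystream_xor(unwrap_fek(wrapped, key), blob["data"])
    raise PermissionError("no DDF/DRF entry for this certificate")


# Constructed key pairs from Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1).
USER_Q = ToyRsaKey(2**61 - 1, 2**127 - 1)
RECOVERY_AGENT = ToyRsaKey(2**89 - 1, 2**107 - 1)
OUTSIDER = ToyRsaKey(2**61 - 1, 2**89 - 1)


def demo():
    plaintext = b"quarterly numbers (constructed)"
    blob = efs_encrypt(plaintext, [USER_Q], [RECOVERY_AGENT])
    out = {
        "user_reads": efs_decrypt(blob, USER_Q),
        "agent_reads": efs_decrypt(blob, RECOVERY_AGENT),
        # The DDF and DRF entries wrap the very same FEK (slide 49: one key, many certs).
        "same_fek": unwrap_fek(blob["efs"]["DDF"][USER_Q.cert_hash()], USER_Q)
        == unwrap_fek(blob["efs"]["DRF"][RECOVERY_AGENT.cert_hash()], RECOVERY_AGENT),
        "ciphertext_differs": blob["data"] != plaintext,
    }
    try:
        efs_decrypt(blob, OUTSIDER)
        out["outsider_blocked"] = False
    except PermissionError:
        out["outsider_blocked"] = True
    return out
```

The structure is what matters for the later "problems" discussion: anyone holding a private key that matches a DDF or DRF entry recovers the same FEK, so the recovery agent's private key is as sensitive as the user's, and adding a second user means adding a wrapping, not re-encrypting the data.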
51 File Encryption is DES
- Actually DESX, but the idea is the same: it operates like XOR; the number of bits is the number of tries needed to guess the key by brute force (without studied cryptanalysis).
- 40 bits for International
- 56 bits for US
- 128 bits can be downloaded from MS Support
- File Encryption Key uses a random (40, 56 or 128 bit) number (randomness is probably very good, but not cipher quality)
- You can bet somebody somewhere has characterized the non-randomness already (haven't seen a publication)
- This means WHAT? You should know the answer to this!
52 Sidebar: 3000 bit encryption
- Answer: Yes, but.
- It won't hurt but it probably doesn't matter. 128 bit is
  - 1.70141183460469e38
  - 1 in 170,141,834,604,690,000,000,000,000,000,000,000,000 tries
  - Slightly better than 6 in 9999 (your PIN on your bank account)
- 86,400 seconds in a day, 31,500,000 in a year, 3,150,000,000 in 100 years.
- Need 54,000,000,000,000,000,000,000,000,000,000 guesses a second (div by 2)
- 54 billion trillion operations per second with the expectation that in 50 years you'll get it.
- On the other hand, feel free.
53 Process
- You right click and set property to encrypt a file/directory
- If you don't have a user public/private keypair, one is automatically generated in the background in your domain
- Done once, you are done forever.
- You can have others: need management
- The private/public key pair gains access to the session key for the file.
54 When it won't work
- System bit set (system files can't be encrypted)
- Compressed files (files marked compressed).
- Read-Only files (this is because the file has to be written, temporarily, to be read).
- FAT32 or any other FS than NTFS
- Copy should be checked
- Works because the file owner is always the file owner.
55 Cipher utility
- Why would you want to encrypt an encrypted file? Try being administrator and user.
- Data Decryption Field (certs), and Data Recovery Field (certs)
- Encrypt a file as a user, and see if you can decrypt it as somebody else (who is the default recovery manager).
- Note efsrecvr.exe as the Encrypted File System RECoVeR program you can use. You can also do this by right clicking and the security properties, owner.
56 Cert (X.509) EFS Solution
- Many certs can hide the SAME private/symmetric/session FEK (file encryption/decryption key) for a file.
- These certs are SPECIAL FILE ENCRYPTION CERTS (using the user's private/public key)
- http://support.microsoft.com/support/kb/articles/Q273/8/56.ASP
- The file can have several, depending on the CERT, which is the user Data Decryption Field
- The file can have several recovery agents, depending on the CERT, which is the recovery agent user.
57 User and Kernel Mode
- MS has decided to keep encryption/decryption in Kernel Mode
- This requires careful user Mode handling (NTFS calls EFS in complete privacy)
- Cryptographic Provider (right now, the Microsoft Base defined for CryptoAPI. Could be smart card or external code/box).
- There is another secret mode (SMI) that MS doesn't use.
58 CryptoAPI EFS Components
(Diagram. User Mode: USER APPLICATION; CryptoAPI; CryptoProvider (RSA Private Key STORE). Kernel Mode: NTFS; EFS. "Encrypts Communication" between the layers. See msdn.microsoft.com, search "KSecDD Inside Encrypting File System".)
59 CryptoAPI EFS Components
(Same diagram as slide 58 with an added layer: BIOS Real Mode, Phoenix Technologies, device responsibility; the bottom layer is labelled Kernel (Real) Mode.)
60 Problems with File Encryption System
- There is no integrity checking on files (PAAA only)?
  - WRONG: There is (I), but only for the encryption header, not the files themselves
- The symmetric key is not necessarily just yours
  - You and anybody else allowed
  - Recovery cert owner.
- Note: the EFS symmetric key in your local X.509 is not yours but is the file's or directory's (the container's). (Uses special hidden certs)
- But! A private key is used to open the certs encrypted with the public key. You have to steal a private key of an RSA pair.
- Many attacks
  - Clear text file may exist (not deleted)
  - Crypto-API is in the clear (NOT kernel)
  - You can't revoke the File Encryption Certificate
61 File Encryption Experience
- Ease of use
- Is there a way to have truly private files here?
62 Encrypting File System (EFS)
- Think like SSL and others: uses RSA for authentication/authorization and a private session key for actual encryption/decryption
63 Features of Win 2000
- Multiple methods of authenticating internal and external users
- Protection of files through easy to use encryption
- Protection across network through transparent encryption
- Per-property access control for objects (many more detailed uses than read, write, and execute)
- Smart card support for authentication and hiding private keys
- Transitive trust relationships between domains
- Public Key Infrastructure (PKI certs handled transparently).
- Code itself is routinely authenticated as to its source using PKI.
64 Windows Core Security