2020-01-30

Windows Security

• Windows XP evolved from Windows 2000 (Datasäkerhet) EITA25 • Windows 10, 8, 7 and Vista evolved from XP Windows Security • Similar security solution

PAUL STANKOVSKI WAGNER, EIT, 2020-01-30 – Things have been added, but ideas are the same

• Standalone computers administered locally Rich support for • Domains used for centralized administration managing security – Domain controller (DC) has information about users » Acts as a trusted third party

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 2

Design Motivation Networked Computers, Domains and Workgroups

• Security was designed to meet requirements for C2 rating in Orange Book Workgroup – Secure logon – users must be uniquely identified • All accounts are local – Discretionary access control – Owner determines access • Resources can be shared but are managed locally • Peer-to-peer – Auditing – Record security related events in a logfile • No computer in charge – Object reuse protection – Initialize all objects before giving access to users • Typically at most 20 computers – Trusted path – Functionality to detect spoofing attacks at authentication time (called SAS in Windows) – Trusted facility management – Separate accounts for users and administrators Domain Domain Controller • Windows NT 3.5 SP3 was the first Windows version to earn C2 rating (1995) • Both local and domain accounts – Windows NT 4 SP6a earned C2 rating in 1999 • Login to domain account from any computer • Centralized administration • Can be thousands of computers

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 3 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 4

1 2020-01-30

Windows Logon (somewhat simplified) Security Accounts Manager (SAM)

• Winlogon.exe handles logon and responds to the Secure Attention Sequence (SAS) • Stores user account information – CTRL+ALT+DEL – Username • Winlogon uses libraries that authenticate the user – Full name – Can be libraries for passwords, smartcards, biometric data, etc. – Expiration date • Local Security Authority (LSA) creates an – Password dates (date of last change, expiry, when it can be changed next time, if – LSA is responsible for the local security policy (who can log in, password policies, privileges, what should be audited, etc.) it can be changed) – Logon hours and workstations (thrown out a certain time or continue) • Password hashes are stored in SAM Client Server – Security Accounts Manager Winlogon LSA AD – Profile path and logon script name

NTLM NTLM/Kerberos – Home directory Library SAM – Groups

Local logon • Locked while machine is running Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 5 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 6

Local Accounts vs. Domain Accounts NTLM Hash and Protocol Can you find problems here? • Local accounts • Challenge response • Server sends 8 byte random challenge – NTLM used as authentication protocol • Response calculated as: – MD4(password) gives 16 byte result (NTLM hash stored in SAM database) • Domain accounts – Pad with 5 zero bytes → 21 bytes – Kerberos V5 used as authentication protocol – Split into 3 DES keys and encrypt challenge with each key NTLM hash – 24 byte response »Mutual authentication password MD4 920a3bdfe12e5fa537d7e8b8c6a064fe »This will be covered in detail later in the course 920a3bdfe12e5f DES – NTLM used in some cases challenge a5ef3810bf7aced4

a537d7e8b8c6a0 DES 910af3418cd8e9af response »Unilateral authentication challenge

64fe0000000000 DES challenge 72ad34ev019baf2d Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 7 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 8

2 2020-01-30

NTLM Hash, Problems LM Hash Can you find problems here? • Problem 1: MD4 is a very fast hash function • If wanted, both NTLM and LM response are used – This was default before Windows Vista • LM hash calculated as • Problem 2: No salt is used so time-memory tradeoff attacks (rainbow – Convert password to uppercase and pad to 14 bytes tables) can be used – Split into two parts of 7 byte each → two DES keys – Encrypt ”KGS!@#$%” with the two keys to get 16 bytes LM hash stored in the SAM database • LM response calculated same way as NTLM response

53454352455457 DES KGS!@#$% 82745f14a56579af SecreTWoRd SECRETWORD LM hash 4f524400000000 DES fe52438160a64e6c KGS!@#$%

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 9 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 10

LM Hash, Problems Access Control

• Problem 1: DES is a fast block cipher • Security Reference Monitor (SRM) responsible for access control • Three parameters are considered • Problem 2: No salt here either… – Identity of subject (SID) – Type of access – Object security settings (Security Descriptor) • Problem 3: Passwords up to 14 characters are never better than passwords of 7 characters SID Access type Yes/No SRM • Problem 4: No lowercase characters in the effective character set Security Descriptor

Generate Audit Message

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 11 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 12

3 2020-01-30

SID Known SIDs

• SID = • Generic groups and users • Unique for each user or group • S-1-1-0 Everyone, a group that includes all users • Format: • S-1-5-20 Network Service S-R-I-SA-SA-SA-N • S-1-5-18 SYSTEM, local operating system • S: The letter S (just means that the string is a SID) • S-1-5-SA-SA-SA-500 Administrator • R: revision number (1) • S-1-5-SA-SA-SA-501 Guest account (no password required) • I: Identifier authority (5 for user accounts) • S-1-5-SA-SA-SA-512 Domain Admins (global group) • SA: subauthority (specifies domain or computer) – Can be up to 14 groups, but 3 is typical • N: relative identifier, incremented for each new principal

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 13 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 14

Access Token Privileges

• After successful authentication LSA builds an access token • The right to perform system related operations • Processes which run as the user has a copy of the token – Shutting down – Change system time • When a process interacts with a securable object, token determines authorization level – Backup files – Generate audit • Applies only to local computer. A user can have different privileges on different machines in a domain. • Privileges can be assigned to both users and groups • Access token is checked when user tries to perform privileged operation • Differs from access rights – Access to resources and tasks, not objects – Stored with subject – Admin assigns privileges e.g., restricting SIDs • Stored in access token produced at logon

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 15 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 16

4 2020-01-30

Two Kinds of Access Tokens Objects

• Token is either a • All resources are objects – primary access token or an – Files, folders, printers, registry keys, processes, threads, access tokens, etc.. – impersonation access token • Containers can hold other objects, e.g., folders • Primary access token – access token of the user account associated with the process. • Non-containers can not hold other objects, e.g., files – Every process has this • Impersonation access token – allows a thread to execute in a different security context than • Securable object – Any object that can be shared

the process owner. primary primary • All securable objects can have a security descriptor – A thread may additionally have an impersonation access token Token Token – But it is not necessary • Example: File server runs with high privileges and can access any files Object – Threads handle concurrent user requests Service – Thread gets token of user → access based on user’s token • Ability to create access token is a privilege impersonation Token Security Descriptor – SeImpersonatePrivilege

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 17 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 18

Security Descriptor DACL

• Contains security information associated with an object • Identifies who is allowed or denied access to an object Owner SID Object • If an object has no DACL, everyone has full control Primary group SID • SID for the owner • An empty DACL results in everyone is denied access DACL • A SID can be allowed or denied access. SACL • SID for the primary group Security Descriptor • All ”deny” entries are stored in the beginning of the DACL Security descriptor Owner SID • Contains a list of access control entries (ACEs) • DACL (Discretionary Access Control List) specifying access rights Primary group SID User SID: Alice ACE 1 Deny: write • SACL (System Access Control List) DACL User SID: Alice specifying types of events that should ACE 2 Allow: read, write generate audit records SACL

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 19 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 20

5 2020-01-30

Searching the DACL Example: Accessing Object

• Rule: • Two processes (subjects) wants read access to an object – Go through list of ACEs until all access requests are allowed or any request is denied Process 1 Object – Otherwise deny access

• Consequences Access Token Security Descriptor User SID: Alice – Deny has higher precedence than allow Group SIDs: G1, G2 Owner SID: Charlie Privileges: Access allowed – If user SID has read only access and user is member of group which SID has read + Other info: Primary Group SID: G3 write, then user has read + write access (Different from Unix/Linux) DACL

• Example, Alice is member of group ”Students” ACE 1 Process 2 Deny, Bob, Read User SID: Alice ACE 1 ACE 2 Deny: write Result Allow, Alice, Read + Write Access Token • Read access allowed User SID: Bob ACE 3 Allow, Group 3, Read → • Write access denied Group SIDs: G3 Access denied User SID: Students Privileges: • Read+Write access denied ACE 2 Allow: read, write Other info: SACL Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 21 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 22

Access Control, Network Shares Access Control Matrix Implementation

• Users must go through two ACL’s to access a file via a share • Recall the two variants – ACL on the share – In Windows a combination is used – ACL on the file itself Two alternatives – User’s effective permission through a file share is determined by masking both sets of ACL’s together.

• Example 1: Access Control List Capability tickets Store access rights with – Client sets share permission to read only for everyone and file permission to read+write for Store access rights objects everyone with subjects – Result: Users on client machine get read+write, network users get read • Example 2: Access rights to objects Privileges However, – Client sets share permission to full control for everyone and file permission to read for everyone privileges do not – Result: Users on client machine get read access, network users get read access control access to objects.

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 26 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 27

6 2020-01-30

SACL Compare with Context

• System Access Control List Owner SID Authorization • Controls which events should be audited Primary group SID database • Contains a set of ACEs that define DACL Administrator – Who it applies to SACL – What type of access should be logged Security Security descriptor Descriptor – Which access result should be logged Access Authentication Control User SID: Everyone Function ACE Failure: read, write User Reference monitor

Based on SACL • Also holds mandatory label (more later) Auditing

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 28 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 29

The Registry The Registry

• Central database for Windows configuration data 5 root keys (none is a hive) Merge of • Just files on the hard disk HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES HKEY_CLASSES_ROOT and HKEY_USERS\’SID’_Classes • Entries are called keys and values Contains file extension associations. Symbolic link to key under HKEY_USERS that HKEY_CURRENT_USER • A registry Hive is a group of keys, subkeys, and values in the registry stored in a file represents the user that is logged in Not symbolic Contains several hives that store information HKEY_LOCAL_MACHINE – “Registreringsdatafil” in swedish links about the local computer Contains all active user profiles on the system. • Protecting the integrity of registry data is important { HKEY_USERS Symbolic link to – Example: The search path is set in registry, if an attacker can modify it, malicious software can be HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont HKEY_CURRENT_CONFIG rolSet\Hardware Profiles\Current. inserted/executed. Information about the hardware profile. Used when system starts up. • Proprietary format: registry editor (Regedit.exe) Some hives • Can be used by applications to store configurations Path to registry hive Path to file hive HKEY_LOCAL_MACHINE\SYSTEM \WINDOWS\system32\config\system HKEY_LOCAL_MACHINE\SAM \WINDOWS\system32\config\sam HKEY_LOCAL_MACHINE\SECURITY \WINDOWS\system32\config\security HKEY_LOCAL_MACHINE\SOFTWARE \WINDOWS\system32\config\software

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 30 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 31

7 2020-01-30

Temporary Hives Restricted Context

• HKEY_LOCAL_MACHINE\hardware • Application can start process with restricted token – Hardware is detected when system starts • Process can start process or thread with restricted token • HKEY_LOCAL_MACHINE\system\clone – Can be either primary token or impersonation token – Built during startup, saved as • Example 1: Untrusted webpages can be displayed with restrictions HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood Control Set if startup is • Example 2: Email attachments can be opened with restrictions successful • Restrict by (one or more of): – If there is a problem to start (e.g., if an installed driver has damaged the system), then 1. Remove privileges LastKnownGood configuration can be used by copying this to CurrentControlSet 2. Set deny-only attribute to SIDs 3. Specify restricting SID

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 32 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 33

How To Restrict a Token User Account Control (UAC)

1. Let group SIDs be used for deny only Restricted Token • Introduced in Windows Vista User SID Alice 2. Add restricted SID • Administrators get two access tokens when logging in Group SIDs Admin (deny only) → Two access checks are done Users – One administrator token Both must allow access, otherwise Restricted SIDs SID_Restr – One standard user token access is denied Privileges none ... • Standard user token used unless administrator privileges are needed – User has to actively acknowledge use of administrator token Example: Process with restricted token require read access

a) Principal SID: Alice b) Principal SID: Admin • Windows 7+ uses UAC, but not all programs ask for explicit permission Allow: read, write Allow: read

Principal SID: Principal SID: c) Principal SID: Alice SID_Restr SID_Restr Allow: read, write Allow: read Allow: read Access granted Access denied Access denied

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 34 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 35

8 2020-01-30

Mandatory Access Control Mandatory Access Control

• Windows Vista and later include Mandatory Access Control (MAC) • Each object can also have an integrity level stored in the Security Decriptor’s SACL – Called Integrity Control System • Default for newly created objects: • Access tokens have an integrity level – If access token is lower than medium, integrity level of object is same as in access token High – If access token is medium or higher, integrity level of object is medium – Untrusted (Processes started by group Anonymous) – Low integrity (e.g., IE in protected mode) Medium • Subject has label S, object has label O – Medium integrity (Used by normal applications when UAC is enabled) • Policy defined by (total) ordering: – High integrity (Admin applications started through UAC, normal applications Object Low – Write access granted if O ≤ S if UAC is disabled) Read Write – System integrity (Used by some system processes) • Subjects integrity level must dominate object’s integrity level in write Untrusted Subject operations Read – Checked before DACL Write Object

Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 36 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 37

Example, Use of MAC (or MIC) Secure Boot in Windows 8 and 10

• Internet Explorer 7 can run in Protected Mode • UEFI (Unified Extensible Firmware Interface) provides support for Secure Boot – Will run with ”low integrity” access token – OEMs providing Windows 8 must support it • Can not be forced to make changes to operating system files, registry, etc • Only trusted boot loader can be loaded – However, it can read all this data • db is a database with known good CAs, hashed  Can write to history, cookies etc. – Includes Microsoft Windows CA Boot Loader • This can be compared to the Biba security model • dbx is a database with known bad high CAs and hashes Measure/check db • Databases are signed Regular files medium with a Microsoft key Verify UEFI Read dbx Write

IE Read History, cookies low Write Idea: It will not be possible to install other Boot loaders than those trusted untrusted Protects against certain rootkits Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 38 Paul Stankovski Wagner EITA25 Computer Security 2020-01-30 39

9 2020-01-30

10