2017-01-28
Local and Domain Logon Windows XP evolved from Windows 2000 User accounts and groups Windows 10, 8, 7 and Vista evolved from XP Access tokens Similar security solution Objects and security descriptors Rich support for managing security The Register Standalone computers administered locally Some features in Windows 7 and Windows 8 Domains used for centralized administration Domain controller (DC) has information about users Acts as a trusted third party
EIT060 - Computer Security 1 EIT060 - Computer Security 2
Security was designed to meet requirements for C2 rating in Winlogon.exe handles the logon and responds to the Secure Attention Sequence Orange Book (SAS) ◦ CTRL+ALT+DEL ◦ Secure logon – users must be uniquely identified Winlogon uses libraries that authenticates the user ◦ Discretionary access control – Owner determines access ◦ Can be libraries for passwords, smartcards, biometric data etc ◦ Auditing – Record security related events in a logfile Local Security Authority (LSA) creates an access token ◦ Object reuse protection – Initialize all objects before giving access ◦ LSA is responsible for the local security policy (who can log in, password policies, to users privileges, what should be audited etc) ◦ Trusted path – Functionality to detect trojan horses at authentication Password hashes are stored in SAM time (called SAS in Windows) ◦ Security Accounts Manager ◦ Trusted facility management – Separate accounts for users and administrators Client Server Windows NT 3.5 SP3 was the first Windows version to earn Winlogon LSA LSA
C2 rating (1995) NTLM NTLM/Kerberos ◦ Windows NT 4 SP6a earned C2 rating in 1999 Library SAM SAM
Local logon
EIT060 - Computer Security 3 EIT060 - Computer Security 4
1 2017-01-28
Stores user account information Local accounts ◦ Username ◦ NTLM used as authentication protocol ◦ Full name Domain accounts ◦ Expiration date ◦ Password dates (date of last change, expiry, when it can be changed next ◦ Kerberos V5 used as authentication protocol time, if it can be changed) Mutual authentication ◦ Logon hours and workstations (thrown out a certain time or continue) This will be covered in detail later in the course ◦ Profile path and logon script name ◦ NTLM used in some cases ◦ Home directory Unilateral authentication ◦ Groups Locked while machine is running
EIT060 - Computer Security 5 EIT060 - Computer Security 6
Can you find problems here? Can you find problems here? Challenge response If wanted, both NTLM and LM response are used Server sends 8 byte random challenge ◦ This was default before Windows Vista Response calculated as: LM hash calculated as ◦ MD4(password) gives 16 byte result (NTLM hash stored in SAM database) ◦ Convert password to uppercase and pad to 14 bytes ◦ Pad with 5 zero bytes → 21 bytes ◦ Split into two parts of 7 byte each → two DES keys ◦ Split into 3 DES keys and encrypt challenge with each key ◦ Encrypt ”KGS!@#$%” with the two keys to get 16 bytes LM hash ◦ 24 byte response NTLM hash which is stored in the SAM database
password MD4 920a3bdfe12e5fa537d7e8b8c6a064fe LM response calculated same way as NTLM response
920a3bdfe12e5f 53454352455457 a5ef3810bf7aced4 KGS!@#$% DES 82745f14a56579af challenge DES SecreTWoRd SECRETWORD LM hash a537d7e8b8c6a0 910af3418cd8e9af response challenge DES 4f524400000000 fe52438160a64e6c KGS!@#$% DES 64fe0000000000 DES 72ad34ev019baf2d challenge
EIT060 - Computer Security 7 EIT060 - Computer Security 8
2 2017-01-28
NTLM hash is stored in the SAM file (local accounts) Security Reference Monitor (SRM) is responsible for ◦ Problem 1: MD4 is a very fast hash function determining access control ◦ Problem 2: No salt is used so time-memory tradeoff attacks Three parameters are considered (rainbow tables) can be used ◦ Identity of subject (SID) Possibly, also the LM hash is stored in the SAM file ◦ Type of access ◦ Problem 3: DES is a fast block cipher ◦ Object security settings (Security Descriptor) ◦ Problem 4: No salt here either… ◦ Problem 5: Passwords up to 14 characters are never better SID than passwords of 7 characters Access type Yes/No ◦ Problem 6: There are no lowercase characters in the effective SRM character set Security Descriptor
Generate Audit Message
EIT060 - Computer Security 9 EIT060 - Computer Security 10
After successful authentication LSA builds an access Token is either a primary access token or an token impersonation access token Processes which run as the user has a copy of the token Primary access token – access token of the user account associated with the process. When a process interacts with a securable object, token ◦ Every process has this determines authorization level Impersonation access token – allows a thread to execute in a different security context than the process owner. ◦ A thread may additionally have an impersonation access token Example: Database server runs with high privileges ◦ Threads handle concurrent user requests ◦ Thread get token of user → restricted access e.g., restricting SIDs
EIT060 - Computer Security 11 EIT060 - Computer Security 12
3 2017-01-28
Security Identifier Generic groups and users Unique for each user or group S-1-1-0 Everyone, a group that includes all users Format: S-1-5-20 Network Service S-R-I-SA-SA-SA-N S-1-5-18 SYSTEM, local operating system S: The letter S (just means that the string is a SID) S-1-5-SA-SA-SA-500 Administrator R: revision number (1) S-1-5-SA-SA-SA-501 Guest account (no password I: Identifier authority (5 for user accounts) required) SA: subauthority (specifies domain or computer) S-1-5-SA-SA-SA-512 Domain Admins (global group) ◦ Can be up to 14 groups, but 3 is typical N: relative identifier, incremented for each new principal
EIT060 - Computer Security 13 EIT060 - Computer Security 14
The right to perform system related operations All resources are objects ◦ Shutting down ◦ Files, folders, printers, registry keys, processes, threads, access ◦ Change system time ◦ Backup files tokens, etc.. ◦ Generate audit Containers can hold other objects, e.g., folders Applies only to local computer. A user can have different privileges on Noncontainers can not hold other objects, e.g., files different machines in a domain. Privileges can be assigned to both users and groups Securable object – Any object that can be shared Access token is checked when user tries to perform privileged operation All securable objects can have a security descriptor Differs from access rights ◦ But it is not necessary ◦ Access to resources and tasks, not objects ◦ Stored with subject Object ◦ Admin assigns privileges Stored in access token produced at logon Security Descriptor
EIT060 - Computer Security 15 EIT060 - Computer Security 16
4 2017-01-28
Contains security information associated with an object Identifies who is allowed or denied access to an object If an object has no DACL, everyone has full control SID for the owner Object An empty DACL results in everyone is denied access A SID can be allowed or denied access. SID for the primary group Security Descriptor All ”deny” entries are stored in the beginning of the DACL Owner SID Contains a list of access control entries DACL (Discretionary Access Primary group SID Control List) specifying access rights (ACEs) DACL Owner SID SACL Principal SID: Alice SACL (System Access Control List) Primary group SID ACE 1 Deny: write specifying types of events that should DACL generate audit records Principal SID: Alice SACL ACE 2 Allow: read, write Security descriptor
EIT060 - Computer Security 17 EIT060 - Computer Security 18
Go through list of ACEs until all access requests are allowed Two processes (subjects) wants read access to an object or any access request is denied Process 1 Object Otherwise deny access Consequences Access Token Security Descriptor ◦ Deny has higher precedence than allow User SID: Alice Group SIDs: G1, G2 Owner SID: Charlie Privileges: Access allowed ◦ If user SID has read only access and user is member of group which SID Other info: Primary Group SID: G3 has read + write, then user has read + write access (Different from DACL Unix/Linux) ACE 1 Example, Alice is member of group ”Students” Process 2 Deny, Bob, Read Principal SID: Alice ACE 2 ACE 1 Allow, Alice, Read + Write Deny: write Result Access Token User SID: Bob ACE 3 • Read access allowed Allow, Group 3, Read Group SIDs: G3 Access denied → • Write access denied Privileges: Principal SID: Students Other info: ACE 2 • Read+Write access denied Allow: read, write SACL
EIT060 - Computer Security 19 EIT060 - Computer Security 20
5 2017-01-28
Since there are so many different types of objects Since there are many different types of objects, access rights look different for different types there are very many different types of access rights Standard access rights apply to (almost) all objects Generic access rights FILE_EXECUTE FILE_READ_ATTRIBUTES gives a mapping to GENERIC_EXECUTE ◦ DELETE – delete the object STANDARD_RIGHTS_EXECUTE ◦ READ_CONTROL – read info in security descriptor (owner, specific access rights SYNCHRONIZE group and DACL) for a type of objects FILE_READ_ATTRIBUTES FILE_READ_DATA ◦ WRITE_DAC – write access to the DACL GENERIC_READ FILE_READ_EA ◦ WRITE_OWNER – write access to the field ”owner” in the STANDARD_RIGHTS_READ SYNCHRONIZE security descriptor Example – Files and directories FILE_APPEND_DATA ◦ SYNCHRONIZE – The right to synchronize with the object FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA GENERIC_WRITE FILE_WRITE_EA STANDARD_RIGHTS_WRITE SYNCHRONIZE
EIT060 - Computer Security 21 EIT060 - Computer Security 22
The access rights are given by a 32-bit integer Users must go through two ACL’s to access a file via a share ◦ ACL on the share Bits Access Right ◦ ACL on the file itself 0-15 Specific rights for the current object type ◦ User’s effective permission through a file share is determined by 16-22 Standard rights masking both sets of ACL’s together. 23 Access system security (e.g., SACL) Example 1: 24-27 reserved ◦ Client sets share permission to read only for everyone and file permission to 28 generic all read+write for everyone 29 generic execute ◦ Result: Users on client machine get read+write, network users get read 30 generic write Example 2: 31 generic read ◦ Client sets share permission to full control for everyone and file permission to read for everyone ◦ Result: Users on client machine get read access, network users get read access
EIT060 - Computer Security 23 EIT060 - Computer Security 24
6 2017-01-28
Recall the two variants Central database for Windows configuration data ◦ In Windows a combination is used Just files on the harddisk Entries are called keys and values Two alternatives A registry Hive is a group of keys, subkeys, and values in the registry stored in a file Capabilities Access Control List ◦ “Registreringsdatafil” in swedish Store access rights Store access rights with with subjects objects Protecting the integrity of registry data is important ◦ Example: The search path is set in registry, if an attacker can modify it, malicious software can be inserted/executed. Privileges Access rights to objects Proprietary format: registry editor (Regedit.exe)
EIT060 - Computer Security 25 EIT060 - Computer Security 26
5 root keys (none is a hive) HKEY_LOCAL_MACHINE\hardware Merge of HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES ◦ Hardware is detected when system starts HKEY_CLASSES_ROOT and HKEY_USERS\’SID’_Classes Contains file extension associations. HKEY_LOCAL_MACHINE\system\clone HKEY_CURRENT_USER Symbolic link to key under HKEY_USERS that represents the user that is logged in ◦ Built during startup, saved as Not symbolic Contains several hives that store information HKEY_LOCAL_MACHINE links about the local computer HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood { HKEY_USERS Contains all active user profiles on the system. Control Set if startup is successful Symbolic link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont ◦ If there is a problem to start (e.g., if an installed driver has HKEY_CURRENT_CONFIG rolSet\Hardware Profiles\Current. damaged the system), then LastKnownGood configuration can be Information about the hardware profile. Used when system starts up. used by copying this to CurrentControlSet Some hives Path to registry hive Path to file hive HKEY_LOCAL_MACHINE\SYSTEM \WINDOWS\system32\config\system HKEY_LOCAL_MACHINE\SAM \WINDOWS\system32\config\sam HKEY_LOCAL_MACHINE\SECURITY \WINDOWS\system32\config\security HKEY_LOCAL_MACHINE\SOFTWARE \WINDOWS\system32\config\software
EIT060 - Computer Security 27 EIT060 - Computer Security 28
7 2017-01-28
Application can start process with restricted token 1. Let group SIDs be used for deny only Restricted Token Process can start process or thread with restricted token 2. Add restricted SID User SID Alice ◦ Can be either primary token or impersonation token → Two access checks are done Group SIDs Admin (deny only) Both must allow access, otherwise Users Example 1: Untrusted webpages can be displayed with Restricted SIDs SID_Restr access is denied restrictions Privileges none ... Example 2: Email attachments can be opened with restrictions Example: Process with restricted token require read access Restrict by (one or more of): a) Principal SID: Alice b) Principal SID: Admin Allow: read, write Allow: read 1. Remove privileges 2. Set deny-only attribute to SIDs Principal SID: SID_Restr Principal SID: SID_Restr c) Principal SID: Alice Allow: read Allow: read Allow: read, write 3. Specify restricting SID Access granted Access denied Access denied
EIT060 - Computer Security 29 EIT060 - Computer Security 30
Introduced in Windows Vista Windows Vista and later include mandatory access Administrators get two access tokens when logging in control ◦ One administrator token ◦ Called Integrity Control ◦ One standard user token Access tokens have an integrity level Standard user token used unless administrator ◦ Untrusted (Processes started by group Anonymous) privileges are needed ◦ Low integrity (e.g., IE in protected mode) ◦ User has to actively acknowledge use of administrator token ◦ Medium integrity (Used by normal applications when UAC is enabled) ◦ High integrity (Admin applications started through UAC, normal Windows 7+ uses UAC, but not all programs ask for applications if UAC is disabled) explicit permission ◦ System integrity (Used by some system processes)
EIT060 - Computer Security 31 EIT060 - Computer Security 32
8 2017-01-28
Each object can also have an integrity level stored in the Internet Explorer 7 can run in Protected Mode SACL ◦ Will run with ”low integrity” access token Default for newly created objects: Can not be forced to make changes to operating system ◦ If access token is lower than medium, integrity level of object is same as in access token files, registry, etc ◦ If access token is medium or higher, integrity level of object is medium ◦ However, it can read all this data Can write to history, cookies etc. Partial ordering: Subject has label S, object has label O ◦ Write access granted if O ≤ S
This can be compared to the Biba security model Subjects integrity level must dominate object’s integrity level in write operations ◦ Checked before DACL
EIT060 - Computer Security 33 EIT060 - Computer Security 34
UEFI (Unified Extensible Firmware Interface) provides support for Secure Complex solution with many options Boot ◦ OEMs providing Windows 8 must support it Users can easily get the exact functionality they want Only trusted boot loader can be loaded Relatively difficult to get high assurance db is a database with known good CAs, hashed ◦ Includes Microsoft Windows CA Boot Loader dbx is a database with known bad specific generic CAs and hashes Measure/check db complex simple Databases are signed focus on users focus on data with a Microsoft key Verify UEFI dbx
man machine Idea: It will not be possible to install other Boot loaders than those trusted oriented oriented
Protects against certain rootkits
EIT060 - Computer Security 35 EIT060 - Computer Security 36
9