Local Security and Permissions

Local Security and Permissions

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com | LOCAL SECURITY AND PERMISSIONS Outline . Generic Terminology . NTFS Permissions . Registry Permissions . LDAP Permissions . File Sharing . Disk Quotas . Windows Management Instrumentation . Other Permission Settings . Windows Firewall . Service Accounts and Impersonation . Physical Security . BitLocker . Dynamic Access Control Advanced Windows Security GENERIC TERMINOLOGY Security Descriptor . Objects are protected with permissions files, folders, registry keys, LDAP objects, printers, windows, desktops, ... ACE – Access Control Entry one item in the permissions list Deny, Allow . ACL – Access Control List permission list . SACL – System Access Control List auditing ACL . Owner Object Owner . Members of Administrators group owner is Administrators group instead of the user . Can always change permissions even if explicitly denied . Take Ownership user right that allows taking ownership . CREATOR OWNER identity used as a placeholder to express the current owner of the file ACL Processing vs. ACE Order . ACEs are ordered Note: it is contrary to a common statement that Deny ACEs are always stronger the correct order must be maintained by applications when they modify ACL . ACEs are evaluated in the order present like with firewall rules Lab: Investigate Incorrect ACE Order . Log on to GPS-WKS as Kamil . Start REGEDIT . Right-click on SYSTEM/CurrentControlSet/Services/{anyGUID}/ Parametes/Tcpip and select Permissions . Note the text: The permissions on the object are incorrectly ordered, which may cause some entries to be ineffective . Click Cancel to see the incorrect order, click Advanced note that the Full Control permissions are lower than expected Auditing . Object Access auditing category general switch to turn auditing on/off . ACEs in SACL of objects be carefull to audit only preciselly required ACEs applications generate extreme number of access attempts Advanced Windows Security NTFS PERMISSIONS NTFS Permissions Common Permissions Common permission Real permissions Read data Read attributes Read Read extended attributes Read permissions (Read control) List folder Read + Write Modify Delete (not Delete subfolders) Modify Full Control Change permissions (Write DAC) Take ownership NTFS Permissions Dynamic Access Control (DAC) NTFS Inheritance . Newly created folders and files inherit from parent by default . Explicit permissions can be granted in addition . Inheritance can be blocked NTFS Copying vs. Moving Single Volume Between Volumes Move keeps inherits new keeps inherited! Copy inherits new inherits new . note: moving of a file/folder keeps inherited permissions although they may not be inherited from the new parent (displayed also in gray) Lab: Common Documents . Log on to server GPS-DATA . Create F:\FS folder permissions inheritance: disable (remove all) Allow, Administrators, Full Control, All objects . Create F:\FS\Doc permissions inheritance: inheriting from parent Allow, Employees, Read&Ex+CreateFolders, This folder only Allow, Employees, Modify, Subfolders and files only Allow, BIKES\Bikers, Read&Execute, All objects Lab: User Home Folders . Log on to server GPS-DATA . Create F:\FS\Homes permissions inheritance: inheriting from parent Allow, Employees, Read&Execute, This folder only Allow, Employees, Create folders, This folder only Allow, Domain Computers, Read&Execute, This folder only Roaming Profiles GPOs Default Volume Permissions . SYSTEM, full control to be able to create page file . Administrators, full control . Users, read and execute . Users, create subfolders . CREATOR OWNER, full control users can create subfolders, in them, they can do anything Lab: Default Volume Root and Profile Permissions . Log on to server GPS-DATA . Verify C:\ root folder permissions . Log on to GPS-WKS as GPS\Kamil . Verify C:\Users\Jitka folder permissions Lab: Inherited Deny Can be Overridden . Log on to server GPS-DATA . Create a new file F:\FS\Doc\people.txt . Add the following ACE onto the F:\FS\Doc folder Deny, Kamil, Delete . Open properties of the file F:\FS\Doc\people.txt and add the following ACE onto the file Allow, Kamil, Full control . Navigate into the Advanced Security properites and verify that the Allow ACE is higher in the list than the inherited Deny ACE Tools for NTFS Permissions . CACLS limited, built into Windows XP . XCACLS limited, built into Windows Resource Kit . ICACLS full functionality, Windows Vista/2008+ . PowerShell Get-Acl, Set-Acl . ROBOCOPY /COPYALL . AccessEnum NTFS auditing subcategories Auditing DELETE (open only) Auditing DELETE (another open) Auditing DELETE (final delete) Note: Permissions and size metering . Incorrect folder sizes as a result of inaccessible sub-items Note: Alternative NTFS streams . ECHO ahoj > test.txt:SevecekHiddenData . MORE < test.txt:SevecekHiddenData . Summary Informtation on Windows XP/2003 only . .URL link favicon . .EXE files downloaded from internet/network . DIR /R (since 8/2012) Advanced Windows Security REGISTRY PERMISSIONS Registry Permissions . Mainly like NTFS permissions . Applies permissions to keys only values cannot be secured Registry Permissions User Profile Permissions User Profiles and Registry . User profiles C:\Documents and Settings\%username% C:\Users\%username% . User registry hive %USERPROFILE%\NTUSER.DAT . Copying profiles use System – Advanced – User Profiles tool for Default User USMT!!! Lab: Copying User Profiles . Log on to GPS-DC and start ADUC . Create a new user account name: Klara options: Password never expires . Log on to GPS-WKS as Kamil start control panel System – Advanced – User Profiles copy Judit’s profile to C:\Users\Klara and prepare it for Klara . Start REGEDIT – File – Load Hive and load C:\Users\Klara\NTUSER.DAT hive into HKLM\Klara . Verify registry permissions on the user’s registry hive Advanced Windows Security LDAP PERMISSIONS Active Directory Permissions . Enable Security tab in ADUC –View – Advanced Features . Inheritance same as with NTFS . Some other differences against NTFS moving objects newly created objects . SELF identity Default Security Descriptor . Newly created objects inherit from parent (the same as with NTFS) receive explicit ACEs from Default Security Descriptor . Default Security Descriptor defined in AD Schema modified occasionally by schema extensions Lab: Default Security Descriptor . Log on to GPS-DC and start ADUC . Open Properties of Kamil user account . Open Security – Advanced and verify that it contains number of non-inherited ACEs . Run REGSVR32 SCHMMGMT.DLL . Run MMC and import Active Directory Schema snap-in . Find user class and open its properties . Verify the Default Security is in order with the previously seen Kamil’s ACEs Lab: Join computer permissions $ou = 'OU=Workstations,OU=Computers,OU=Company,DC=gopas,DC=virtual' $who = 'GPS\WKS Admins' dsacls $ou /T /S dsacls $ou /Grant "$($who):CC;computer" dsacls $ou /I:S /Grant "$($who):CA;Reset Password;computer" dsacls $ou /I:S /Grant "$($who):RPWP;pwdLastSet;computer" dsacls $ou /I:S /Grant "$($who):RPWP;servicePrincipalName;computer" dsacls $ou /I:S /Grant "$($who):RPWP;dNSHostName;computer" dsacls $ou /I:S /Grant "$($who):RPWP;msDS- AdditionalDnsHostName;computer" dsacls $ou /I:S /Grant "$($who):RPWP;Account Restrictions;computer“ # really needed on top of userAccountControl in order to disable the account when dis-joining the domain dsacls $ou /I:S /Grant "$($who):RPWP;member;group" NETDOM JOIN script must use Kerberos UPN @gopas.virtual because of Protected Users group Lab: Move computer permissions $ouSrc = 'OU=Computers,OU=Company,DC=gopas,DC=virtual' $ouTgt = 'OU=Workstations,OU=Company,DC=gopas,DC=virtual' $who = 'GPS\WKS Admins' # on the target OU dsacls $ouTgt /Grant "$($who):CC;computer" # on the objects in the source OU dsacls $ouSrc /I:S /Grant "$($who):SD;;computer" dsacls $ouSrc /I:S /Grant "$($who):WP;distinguishedName;computer" dsacls $ouSrc /I:S /Grant "$($who):WP;name;computer" dsacls $ouSrc /I:S /Grant "$($who):WP;cn;computer" Inheritance and Moving Objects . Contrary to NTFS, inherited permissions are lost after move . Moved objects inherit new permissions from their target parent Tools for LDAP Permissions . DSACLS very recommended to use instead of GUI . Delegation of Control Wizard can be modified in order to add new permission templates LDAP Auditing . Directory Services Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication Directory Service Access . DS Changes auditing records individual attribute values before and after the change AD Console Custom Views Lab: LDAP Permissions . Start CMD on GPS-DC a domain-admin . Grant Kamil permissions to modify users mail address in the People OU dsacls ou=people,ou=company,dc=gopas,dc=virtual /I:S /G “gps\kamil:RPWP;mail;user” . Start MMC on GPS-WKS and add and customize Active Directory Users and Computers console . Verify that Kamil can modify only user’s email address Advanced Windows Security FILE SHARING File Sharing . SMB – Server Message Block protocol sometimes refered to as CIFS (Common Internet File System) TCP 445, or NetBIOS for backward compatibility with NT4.0/98- . SMB versions v1 - uninstall since 2012 (required only by XP/2003-) v2 - since Vista/2008 v3 - since 2012/8 . Its own level of permissions by default Read only not usually used – Everyone = Full Control used in the past with FAT or on Terminal Servers

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    98 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us