Transcript 4_Windows

Windows
Windows
1
Introduction
• Old black-and-white “Western” movie
  o Gunslinger wants to quit fighting
  o Some new young upstart wants to fight
  o So the old guy fights one more time…
• “Target-ability”
  o Depends on popularity and reputation
  o Windows is most hackers’ favorite target

Introduction
• Windows is the most popular OS
  o May 2005: 390M Windows machines
  o Over half of those running XP
• Windows is the obvious target
• From attacker’s point of view
  o Attacker’s “cost-benefit” analysis
  o Attacker wants most “bang for the buck”

This Chapter
• Brief history of Windows
• Consider core NT security features
• Consider security in Windows 2000+
  o That is, Windows 2000, XP, Server 2003
  o Book does not cover Vista

History
• History began in April 1993…
  o Release of Windows NT
  o NT == “New Technology”/“No Technology”
• Before NT
  o Microsoft Windows 3.0, 95, 98, Me
  o No authentication, program isolation, logging, etc.
  o “No security” prior to NT

Modern Windows OSs
• NT, Windows 2000, XP, Server 2003
  o And Vista, but not covered in book
• Windows NT
  o Based on technology developed at DEC for their VMS operating system
  o 1988: Microsoft hired David N. Cutler
  o He came from DEC, with 20+ others

Windows NT
• Originally, Cutler was to build successor to OS/2, called OS/2 NT
  o Microsoft/IBM collaboration
• With success of Windows 3.0 in 1990
  o Microsoft changed its mind
  o Windows NT to be their UNIX-beater

Backwards Compatibility
• What is backward compatibility?
  o New-and-improved works with bad/old versions
• NT tried to be backwards compatible
  o Users complain if not backwards compatible
  o But, creates many security compromises
  o Continues to plague Windows (& others) today
  o Damned if you do, damned if you don’t…

Windows History
• After introduction of NT…
  o Incremental changes: NT 3.1, 3.5, 3.51, 4.0
• Major overhaul: Windows 2000
  o In essence, Windows NT 5.0
• Windows XP (“eXPerience”)
  o Released in October 2001
  o Refers to itself as “Windows 2002”
• Windows Server 2003

Windows History
• 1993 to 2001, dual Windows lines
  o Home users: Windows 3.0/3.1/95/98/Me
  o Professional: NT 3.1/3.5/3.51/4.0/2000
• Windows XP
  o Evolved from NT (“professional”) line
  o For home and professional users
  o Ended the dual Windows approach

BAD Old Days
• Before Active Directory (BAD)…
• Windows 2000: Active Directory
  o Major shift in security
• Active Directory: all-in-one service for locating stuff
  o Find printer in next cubicle
  o Change pwd policy on machines in branch office

Active Directory
• Active Directory
  o “Native mode” --- all Windows 2000+ environment
  o “Mixed mode” --- some pre-2k machines
  o Which is more common?
  o Backwards compatibility…
• Necessary to understand what came before Active Directory
• More on Active Directory later

BAD Basics
• Before Active Directory…
• Domains (currently deprecated)
  o Networked Windows computers that share an authentication database
  o Single sign-on for domain
• Must have a “domain controller”
  o For authentication to the domain
  o Usually more than one controller

BAD Basics
• Primary Domain Controller (PDC)
  o First server in domain
  o Updates authentication info in Security Accounts Manager (SAM) database
• Backup Domain Controller (BDC)
  o Can access SAM, but not update
  o Admin can temporarily “promote” BDC
• Active Directory: all controllers authoritative
  o More robust, but possibly less secure

BAD Basics
• Domain sets critical parameters
  o Min pwd length
  o Pwd expiration policy
  o Restrictions on users, etc.
• Workgroup --- like domain but worse
  o No control mechanisms

Shares
• Share
  o Connection to network devices
  o Used with domains and Active Directory
  o Similar to NFS mounts in UNIX
  o Windows Explorer: My Network Places
• Convenient transparent way for users to “reach across the network”

Windows Architecture
• NT architecture based on layers
• Layers important to security
  o Each layer restricts layer above
  o “Security issues are nearly always a result of some sort of compromise of this layering.”
• Two Windows “modes”: user mode, kernel mode

Windows Architecture
[diagram slide]

User Mode
• Part of OS that users interact with
• User mode is “go between”
  o Between user and kernel
  o Strict communication rules…
  o …Application Program Interfaces (APIs)
• User mode: 2 types of services
  o Integral subsystem: native to Windows
  o Environment services: support for other OSs

User Mode
• Integral subsystem
  o Provide APIs used by Win32 apps
  o For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.
• DLLs translate (documented) API calls into (undocumented) calls into kernel
  o User mode → Kernel Executive subsystem

LSASS
• Local Security Authority Subsystem Service
  o User mode subsystem
  o Determines if login is valid
  o Sends login data to SAM database
• For each account, SAM has 2 entries
  o NT pwd hash, LM/LanMan pwd hash --- Why???
  o Backwards compatibility, of course!

Windows Passwords
• NT hash used in NT and beyond
• LM hash used in Windows 95 & 98
• SAM entries not stored in ASCII
  o Different from UNIX
  o Pwdump3 converts to readable form
• How are pwd hashes derived?

Windows Passwords
• LM pwd hashes
  o Assume pwd is 14 characters or less
  o Pad password to 14 characters
  o Split into two 7-char strings
  o Convert to lower-case
  o Hash each half independently
  o Use DES block cipher (string is the key)
  o No salt is used

Windows Passwords
• NT password hash
  o Hash entire pwd using MD4, no salt used
  o Note: MD4 not a strong hash
• Which is better, NT or LM?
  o Suppose 64 choices/character, 14 char pwd
  o NT: try 2^83, LM: try 2^42
  o LM is 2,000,000,000,000+ times easier
  o LM is even worse than that…

Windows Password
• By default, both LM and NT hashes
• What will attacker do?
  o Attack LM pwd, of course
  o May need to convert to upper case
  o Still much easier than NT pwd
  o Both types unsalted (dictionary attacks)
• Disable LM if possible

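The two password-hash slides above, worked through in code. This is an added example, not code from the slides or the book: `md4` is a pure-Python MD4 (RFC 1320) so the script does not depend on OpenSSL still shipping MD4; `nt_hash` applies it to the UTF-16LE password with no salt, exactly the NT hash construction the slide describes; `expected_guesses` reproduces the slide's 2^83 versus 2^42 comparison by modelling LM as two independently attacked 7-character halves (the 14-character pad means a half that holds only padding is a known constant and costs nothing). The test vectors used are the published MD4 ones and the well-known NT hash of "password".

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _F(x, y, z):
    return (x & y) | (~x & z)


def _G(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):
    return x ^ y ^ z


# One entry per MD4 round: (mixing function, additive constant,
# order in which the 16 message words are consumed, per-step left-rotate amounts)
_ROUNDS = (
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (little-endian words, 64-byte blocks)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    # Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for func, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                p = (-i) % 4  # update a, d, c, b, a, ... in turn
                t = (v[p] + func(v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]) + x[k] + const) & MASK
                v[p] = _rotl(t, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def expected_guesses(alphabet: int, length: int = 14) -> dict:
    """Expected brute-force trials under the slide's model (on average half the space).

    NT: the whole password is one hash, so alphabet**length / 2.
    LM: each 7-character half is hashed on its own, so the halves are attacked
    independently; a half that contains only padding is a known constant (cost 0).
    """
    nt = alphabet ** length // 2
    first = alphabet ** min(length, 7) // 2
    second = alphabet ** (length - 7) // 2 if length > 7 else 0
    lm = first + second
    return {"nt": nt, "lm": lm, "ratio": nt // lm}


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    # Constructed accounts with the same password: identical hashes because nothing is salted.
    print("alice == bob:", nt_hash("Summer2005") == nt_hash("Summer2005"))
    r = expected_guesses(64, 14)
    print(f"NT ~2^{r['nt'].bit_length() - 1}, LM ~2^{r['lm'].bit_length() - 1}, "
          f"LM is {r['ratio']:,} times easier")
```

The unsalted construction is the point of the "dictionary attacks" bullet: a precomputed table of hashes works against every account and every machine, which is why the slide's advice to disable LM (and, today, to prefer long passphrases) matters.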
Kernel Mode
• Fundamental OS issues
  o Memory mgmt, deal with hardware, etc.
• More secure than user mode
• Security Reference Monitor
  o Part of Executive subsystem
  o Checks attempts to access kernel mode
  o Checks attempts to access files, etc.
  o Checks permissions, gathers audit data, etc.

Kernel Mode
• Object Manager
  o Manages info about files, directories, etc.
  o Objects get Object Identifier (OID)
  o OIDs used by Object Manager
  o Object Manager aware of some inheritance relationships (e.g., subfolders)

Kernel Mode
• Hardware Abstraction Layer (HAL)
  o Deals with hardware in a high-level way
  o Low level details left to device drivers
  o Makes life easier for Windows…
  o …but not for hardware manufacturers
  o Bad drivers can cause serious problems like crashing the whole system
  o Windows used to support multiple processors

Service Packs and Updates
• When bugs and problems are found…
• Patches come in 2 flavors
  o Hotfixes/patches --- specific issue
  o Service packs --- major bundle of fixes, once per 6 months to year
  o Automatically (Windows Update service)
  o Fixes to OS and to other MS products
• Patching is a big deal for companies

Accounts
• Default accounts: Administrator, Guest
• Administrator account
  o Administrator has highest privilege
  o Administrator acct cannot be locked or deleted
  o Can only be disabled if another admin exists
  o If one Admin acct, unlimited pwd guessing
  o Good idea to have more than one Admin acct

Accounts
• Guest account
  o Anyone can log on to guest acct
  o Limited in what it can do, but still…
  o Guest is generally a bad idea
  o Disabled by default on modern Windows

Accounts
• User accts, application accts, etc.
• How to secure accounts?
  o Give all admin accts “neutral” names
  o Change acct description(s) too
  o Create decoy acct named “Administrator”
  o Disable Guest, give it a strong pwd
• “Belt and suspenders principle”
• Security by obscurity? Is it worth it?

Groups
• Used to control access/privilege
• Why not user accounts?
• Easier to manage (fewer) groups instead of (many) users
• Before Active Directory (Win 2K)
  o Two types of groups
  o Global groups, local groups

Groups
• Local groups give access to resources
  o Global groups cannot grant access
• Typically, users included in global groups
  o Global groups then included in local groups
  o Access given to those in local group (including those in included global groups)
  o Global groups cannot be included in global groups
  o Local groups cannot be included in local groups

Groups
• Huh?
• For example, suppose a new hire
  o Include user in global groups
  o Then automatically included in appropriate local groups
  o Otherwise, have to make config changes to individual local machines

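The nesting rules on the last three slides, as a small model that enforces them and walks through the new-hire example. This is an added illustration, not code from the slides or the book. The group names, resource names and user names are constructed; the `native_mode` switch models the relaxation mentioned later in the deck (in native mode a global group may contain global groups). One rule not spelled out on the slides but stated here as an assumption from the NT model: a local group cannot be placed inside a global group either.

```python
from collections import defaultdict


class GroupModel:
    """Pre-Active-Directory NT group model (illustration, not from the slides).

    Users go into global groups, global groups go into local groups, and only
    local groups grant access to resources.
    """

    def __init__(self, native_mode: bool = False):
        self.native_mode = native_mode
        self.kind = {}                        # group name -> "global" | "local"
        self.members = defaultdict(set)       # group -> direct members (users or groups)
        self.resource_acl = defaultdict(set)  # resource -> local groups granted access

    def add_group(self, name: str, kind: str) -> None:
        if kind not in ("global", "local"):
            raise ValueError("kind must be 'global' or 'local'")
        self.kind[name] = kind

    def add_user_to_global(self, user: str, group: str) -> None:
        if self.kind.get(group) != "global":
            raise ValueError(f"{group} is not a global group")
        self.members[group].add(user)

    def nest(self, inner: str, outer: str) -> None:
        """Place group `inner` inside group `outer`, enforcing the NT nesting rules."""
        ki, ko = self.kind[inner], self.kind[outer]
        if ko == "local" and ki == "local":
            raise ValueError("local groups cannot be included in local groups")
        if ko == "global" and ki == "local":
            raise ValueError("local groups cannot be included in global groups (assumed NT rule)")
        if ko == "global" and ki == "global" and not self.native_mode:
            raise ValueError("global groups cannot be included in global groups (pre-AD)")
        self.members[outer].add(inner)

    def grant(self, resource: str, local_group: str) -> None:
        """Only local groups can appear on a resource's access list."""
        if self.kind.get(local_group) != "local":
            raise ValueError(f"{local_group} is not a local group; global groups cannot grant access")
        self.resource_acl[resource].add(local_group)

    def effective_members(self, group: str) -> set:
        """Users reachable through any chain of nesting (transitive closure)."""
        users, stack, seen = set(), [group], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self.members[g]:
                (stack if m in self.kind else users).append(m) if False else None
                if m in self.kind:
                    stack.append(m)
                else:
                    users.add(m)
        return users

    def can_access(self, user: str, resource: str) -> bool:
        return any(user in self.effective_members(g) for g in self.resource_acl[resource])


def new_hire_scenario() -> GroupModel:
    """Constructed example: one file server, one printer server, one new engineer."""
    m = GroupModel()
    m.add_group("Engineers", "global")
    m.add_group("FS1 Project Readers", "local")
    m.add_group("PRN1 Printer Users", "local")
    m.nest("Engineers", "FS1 Project Readers")
    m.nest("Engineers", "PRN1 Printer Users")
    m.grant(r"\\FS1\projects", "FS1 Project Readers")
    m.grant(r"\\PRN1\laser2", "PRN1 Printer Users")
    # The only per-user step: put the new hire in the global group.
    m.add_user_to_global("new_hire", "Engineers")
    return m


if __name__ == "__main__":
    m = new_hire_scenario()
    for res in (r"\\FS1\projects", r"\\PRN1\laser2"):
        print(res, "->", m.can_access("new_hire", res))
```

Because every local group on every server already contains the global group, adding the hire to one global group is enough; without that indirection each local machine would need its own configuration change, which is the slide's point.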
Default Groups
• Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests
• Global: Domain Administrators, Domain Users

Special Groups
• Special since cannot add or delete users
  o But can change group rights/privileges
• Special groups are local groups
• EVERYONE --- for about anything
• SYSTEM --- “holy grail”
  o Nothing has higher privilege
  o Not a login ID
  o Some processes run with SYSTEM privilege
  o Compromise one of these and you “own” system

Special Groups
• Other special groups
  o INTERACTIVE --- currently logged in locally
  o NETWORK --- currently logged in non-locally
  o CREATOR OWNER --- owner of a given object (confusing name…)
• These are not as special as SYSTEM…

Privilege
• Privilege --- capacity to access and manipulate things
• Rights --- things users can do; can be added/modified (accts and groups)
• Abilities --- built-in capabilities
• Administrator --- highest privilege
  o Operator groups --- like bits and pieces of admin
• Power user --- next highest
  o Then users followed by guest

Privilege Control
• “…advanced rights control internal functions within Windows system”
  o Example: “Act as Part of Operating System”
  o Gives right to reach into kernel mode
  o Attacker has got to love this…
• Principle of least privilege
  o Give least privilege needed to do job
  o “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”

User Rights Assignments
[screenshot slide]

Policies
• Admin can create “policies”
  o Can affect local machine
  o Or entire domain
• Account Policy --- most basic policy
  o Applies to all accounts in a domain
  o Max pwd age, pwd history, lockout, etc.
  o See next 2 slides…

Account Policies: Passwords
[screenshot slide]

Account Policies: Lockout
[screenshot slide]

User Properties Settings
• User Properties
  o Technically, not Policies, but serve similar purpose
• Like Policies, but set for individual accts
  o E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.

User Property Settings
[screenshot slide]

Trust
• Extends “login” across domains
  o Like single sign-on to trusting domains
  o One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain
  o Can limit access via local group(s)

Windows Trust Models
• No trust --- most secure, most inconvenient
• Complete trust --- every domain trusts every other domain
• Master domain --- user accounts in central account domain
  o Gives central control for mapping users to resources (via groups)
• Multiple master domains --- like a distributed master domain

Windows Trust
• Based on password authentication
• Better than UNIX r-commands
  o Btw, what is authentication based on in UNIX r-commands?
• Active Directory uses Kerberos (Windows 2000+)

Auditing
• Can only audit what you log
• Types of logging/audit
  o System
  o Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.
  o Application

Auditing
• By default, detailed auditing is off
  o And not available in XP home edition
• Not easy to decide what to log
• Some important data not logged
  o Source/destination IP address, whether system reinstall occurred, etc.

Audit Settings
[screenshot slide]

Access Control and Permissions
• How to control access to objects
• Ownership
  o Each object has owner (CREATOR OWNER)
  o Owner can always change permissions
• File Allocation Table (FAT)
  o No access control --- the reason why Windows 95, 98, Me cannot be secure

Access Control and Permissions
• NTFS (NT File System)
  o Good performance, recoverability, etc.
  o Reasonable set of permissions
  o “One of the most effective parts of Windows security”
• Number of permissions is “bewildering”

Example NTFS Permissions
• No access --- what it says
• Read --- read and execute
• Change --- read, execute, write, delete
• Full Control --- Change plus change permissions and take ownership
• These are actually combinations of more granular permissions

Share Permissions
• Recall shares are kind of like NFS mounts
• Permissions on components of file system
  o For example, a shared folder
• Remote access depends on both NTFS and share permissions
  o Least access wins
• Local login --- only NTFS permissions apply
  o Potentially a security issue

Weak Default Permissions
• Many default permissions “faulty”
  o E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database
• System should be hardened
  o Entire books written on this subject

Network Security
• Protocols and APIs
• SMB/CIFS
  o Server Message Block protocol --- MS implementation is called Common Internet File System
  o “Weak authentication” --- many attacks
  o No details at this point in book…

Network Security
• NetBEUI/NetBIOS --- older (deprecated) network environment
  o DoS and other attacks
• Microsoft Internet Information Service (IIS) --- built-in Web server
  o Attackers love IIS

Summary of BAD Old Days
• Before Active Directory (BAD)
  o That is, before Windows 2000+
• We discussed…
• History
  o Windows 3.0/95/98 (no security)
  o Windows NT
• Backwards compatibility

Summary of BAD Old Days
• Domains --- SSO to networked machines
• Shares --- analogous to NFS mounts
• Modes --- User Mode, Kernel Mode
• Service packs/updates
• Accounts
• Groups --- local and global
• Privilege --- rights and abilities

Summary of BAD Old Days
• Policies --- apply to all accts in domain
• Properties --- individual accounts
• Trust --- across domains
• Auditing/Logging
• Access control/permissions
  o FAT --- no security
  o NTFS --- good level of security
• Network security/protocols

Windows 2000+
• What is Windows 2000+?
  o Windows 2000, XP, Server 2003
  o Vista not covered in text
• Much of BAD stuff lives on…
• But some important changes
  o Including many new security features

Windows 2000+
• “Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”
• According to Paul Kocher, “complexity is the enemy of security”

Windows 2000+
• New non-security features
  o Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)
• But we’re interested in security…

Windows 2000+
• New security features
  o MS implementation of Kerberos
  o SSPI --- supports new authentication mechanisms
  o MS implementation of IPSec
  o L2TP --- Layer Two Tunneling Protocol, for security on the LAN
  o Active Directory --- “central nervous system”
  o Support for smart cards
  o Encrypting File System (EFS)

Native vs Mixed Mode
• Native Mode --- all domain controllers 2000+
  o Backward compatibility issues go away
  o Can take full advantage of 2k+ security
  o Remainder of chapter deals with Native mode
• Mixed Mode --- some older domain controllers
  o 1st part of chapter applies to Mixed mode

Domains Deemphasized
• NT domains “got in the way”
  o Boundary between resources & services
  o NT browsing services costly
• Domains exist in 2000+…
  o But not as important as in NT
• Active Directory --- simplifies way to find and administer resources

Domains in Windows 2000+
• Not for network organization…
• Instead, for common policy settings
• Domains deployed in trees or forests
  o Link trusted domains together
  o Trees have “contiguous” name space (easier to find resources)
  o Forests: “noncontiguous” name space

Domains
• In tree form
[diagram slide]

Domains
• In Win 2000+
  o No distinction between PDCs and BDCs
  o All domain controllers authoritative
  o I.e., all can propagate pwd changes
  o Good for robustness…
  o …questionable for security
  o Multiple single points of failure

Active Directory
• Active Directory
  o “All of your eggs in one basket”
  o Based on LDAP
  o Find resources on network
• Security-wise…
  o Acts as “massive data repository”
  o Accounts, security policies, files, etc., etc.
• Depends heavily on DNS
  o Uses Dynamic DNS (DDNS) to find stuff

Security in Windows 2000+
• Greater complexity requires more careful configuration
• Protect Active Directory by…
  o Limited admin privilege
  o Beware of “mixed mode” attacks
  o Install in its own partition (out of the way of IIS, other dangerous stuff)

Physical Security
• Kerberos
  o Recall Key Distribution Center (KDC)
  o Access to KDC gives access to “tickets”
  o KDC lives on a server
  o Client machines cache important info
• “Credentials” encrypted with KDC key
  o So, access to client credentials not a big deal
  o But, access to KDC key breaks entire system

Templates
• For setting security parameters
• Include many pre-packaged recommended settings
• Easy to develop custom templates
• Center for Internet Security provides security templates

Windows 2000+ Architecture
• As before, user mode, kernel mode
• Kernel mode now includes
  o Plug and Play Manager
  o Power Manager
  o Window Manager, etc.

Accounts and Groups
• Accounts almost same as pre-2000
• Power Users group is potential problem
  o Reducing privilege may break things
• Three security groups
  o Domain local, global, universal
  o Universal == every domain in a forest
  o In native mode, global can include global groups

Organizational Units
• OUs are hierarchical groups of users
  o Can inherit properties (within domain)
  o Important for privilege control
  o Supports delegation of privilege
  o “Children” OU can never have more rights than “parent” OU
  o Good way to limit privilege

Organizational Units
• Downside to OUs
  o Only recognized within domain
  o 3 levels is practical max (performance)

Privilege Control
• “Rights” more granular than in NT
  o Multiple ways to accomplish same thing
• No “abilities”

RunAs
• Run with different privilege
  o E.g., Admin execute with lower privilege

Policies
• Group Policy Objects (GPOs)
  o Password policy, IPSec, Kerberos, etc.
  o Granularity! (e.g., the appearance of IE)
• GPOs allow for different policies for…
  o Different users
  o Different OUs
  o Different computers, domains, etc.

GPOs
[screenshot slide]

Trust
• In NT, MS-specific authentication
• In 2000+, Kerberos
• Plug a domain into tree (or forest)
  o Automatically trusts (and trusted by) all other domains in tree (or forest)
• Any domain can trust any other
  o Problem, if not managed carefully
  o Attackers like “orphan domains”

Auditing
• Similar to NT
• Security Log
  o 9 (instead of 7) categories
  o Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Access Control
• Similar to NT
• NT uses NTFS-4
• Windows 2000+ uses NTFS-5
• Standard permissions
  o Full Control
  o Modify
  o Read and Execute
  o Read
  o Write

Access Control
• NTFS-5 basic permissions
  o Traverse Folder/Execute File
  o List Folder/Read Data
  o Read Attributes
  o Read Extended Attributes (e.g., encryption)
  o Create Files/Write Data
  o Create Folders/Append Data
  o Write Attributes
  o Write Extended Attributes
  o Read Permissions
  o Change Permissions
  o Delete Subfolders and Files
  o Delete
  o Take Ownership
  o Synchronize (make contents of one file identical to another)

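A worked model of the two access-control slides above together with the earlier Share Permissions slide ("least access wins" remotely, NTFS only for a local logon). This is an added example, not code from the slides or the book. The 14 basic permissions are the ones listed on the slide; the way the five standard permissions are built from them is the grouping Windows uses as I recall it and is stated here as an assumption (the slide only says they are combinations). Mapping the classic share permissions Read/Change/Full Control onto the same flags is likewise an assumption made so the intersection can be computed.

```python
from enum import Flag, auto
from typing import Optional


class Basic(Flag):
    """NTFS-5 basic (granular) permissions from the slide, as bit flags."""
    TRAVERSE_EXECUTE = auto()
    LIST_READ_DATA = auto()
    READ_ATTRS = auto()
    READ_EXT_ATTRS = auto()
    CREATE_FILES_WRITE = auto()
    CREATE_FOLDERS_APPEND = auto()
    WRITE_ATTRS = auto()
    WRITE_EXT_ATTRS = auto()
    READ_PERMS = auto()
    CHANGE_PERMS = auto()
    DELETE_SUBFOLDERS_FILES = auto()
    DELETE = auto()
    TAKE_OWNERSHIP = auto()
    SYNCHRONIZE = auto()


# Standard permissions as combinations of basic ones (assumed grouping, see lead-in).
READ = (Basic.LIST_READ_DATA | Basic.READ_ATTRS | Basic.READ_EXT_ATTRS
        | Basic.READ_PERMS | Basic.SYNCHRONIZE)
READ_EXECUTE = READ | Basic.TRAVERSE_EXECUTE
WRITE = (Basic.CREATE_FILES_WRITE | Basic.CREATE_FOLDERS_APPEND | Basic.WRITE_ATTRS
         | Basic.WRITE_EXT_ATTRS | Basic.READ_PERMS | Basic.SYNCHRONIZE)
MODIFY = READ_EXECUTE | WRITE | Basic.DELETE
FULL_CONTROL = MODIFY | Basic.CHANGE_PERMS | Basic.DELETE_SUBFOLDERS_FILES | Basic.TAKE_OWNERSHIP

# Most specific first, so name_of() reports "Read" rather than "Special" for a plain read set.
STANDARD = {
    "Full Control": FULL_CONTROL,
    "Modify": MODIFY,
    "Read and Execute": READ_EXECUTE,
    "Read": READ,
    "Write": WRITE,
}

# Classic share-level permissions expressed in the same flag vocabulary (assumption).
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


def effective_access(ntfs: Basic, share: Optional[Basic], remote: bool) -> Basic:
    """Over the network the share ACL and the NTFS ACL both apply and the least
    access wins (set intersection). For a local logon the share ACL is never
    consulted, so the NTFS permissions alone decide."""
    if not remote:
        return ntfs
    if share is None:
        return Basic(0)  # not on the share ACL at all: nothing over the network
    return ntfs & share


def name_of(perm: Basic) -> str:
    """Map a flag set back to the standard permission it matches exactly, else 'Special'."""
    for name, combo in STANDARD.items():
        if perm == combo:
            return name
    return "Special"


if __name__ == "__main__":
    # Constructed scenario: a folder shared read-only, while the NTFS ACL grants Full Control.
    ntfs, share = FULL_CONTROL, SHARE["Read"]
    print("remote :", name_of(effective_access(ntfs, share, remote=True)))   # Read and Execute
    print("console:", name_of(effective_access(ntfs, share, remote=False)))  # Full Control
```

The second line of output is the "potentially a security issue" from the Share Permissions slide: an administrator who only ever tightened the share ACL has left anyone who can log on at the console with Full Control, so the NTFS ACL must be restricted in its own right.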
Encrypting File System
• EFS automatically and transparently encrypts/decrypts files
  o DES, 3DES, or AES
• Does not encrypt files on network
• Only one user per file allowed
• Slight performance issue
• Critical to back up EFS key!

Conclusion
• Securing Windows not a trivial matter
• Windows a target-rich environment
• Weak default settings
• Backward compatibility
• Complexity

Summary
• History
• Pre-2000
  o Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Summary
• 2000+
  o Active Directory
  o Kerberos, IPSec, etc.
  o Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS