Transcript 4_Windows
Windows
Windows
1
Introduction
Old black-and-white “Western” movie
o Gunslinger wants to quit fighting
o Some new young upstart wants to fight
o So the old guy fights one more time…
“Target-ability”
o Depends on popularity and reputation
o Windows is most hackers’ favorite target
Introduction
Windows is the most popular OS
o May 2005: 390M Windows machines
o Over half of those running XP
Windows is the obvious target
From attacker’s point of view
o Attacker’s “cost-benefit” analysis
o Attacker wants most “bang for the buck”
This Chapter
Brief history of Windows
Consider core NT security features
Consider security in Windows 2000+
o That is, Windows 2000, XP, Server 2003
o Book does not cover Vista
History
History began in July 1993…
o Release of Windows NT
o NT == “New Technology”/“No Technology”
Before NT
o Microsoft Windows 3.0, 95, 98, Me
o No authentication, program isolation, logging, etc.
o “No security” prior to NT
Modern Windows OSs
NT, Windows 2000, XP, Server 2003
o And Vista, but not covered in book
Windows NT
o Based on technology developed at DEC for their VMS operating system
o 1988: Microsoft hired David N. Cutler
o He came from DEC, with 20+ others
Windows NT
Originally, Cutler was to build successor to OS/2, called OS/2 NT
o Microsoft/IBM collaboration
With success of Windows 3.0 in 1990
o Microsoft changed its mind
o Windows NT to be their UNIX-beater
Backwards Compatibility
What is backward compatibility?
o New-and-improved works with bad/old versions
NT tried to be backwards compatible
o Users complain if not backwards compatible
o But, creates many security compromises
o Continues to plague Windows (& others) today
o Damned if you do, damned if you don’t…
Windows History
After introduction of NT…
o Incremental changes: NT 3.1, 3.5, 3.51, 4.0
Major overhaul: Windows 2000
o In essence, Windows NT 5.0
Windows XP (“eXPerience”)
o Released in October 2001
o Refers to itself as “Windows 2002”
Windows Server 2003
Windows History
1993 to 2001, dual Windows lines
o Home users: Windows 3.0/3.1/95/98/Me
o Professional: NT 3.1/3.5/3.51/4.0/2000
Windows XP
o Evolved from NT (“professional”) line
o For home and professional users
o Ended the dual Windows approach
BAD Old Days
Before Active Directory (BAD)…
Windows 2000: Active Directory
o Major shift in security
Active Directory: all-in-one service for locating stuff
o Find printer in next cubicle
o Change pwd policy on machines in branch office
Active Directory
Active Directory
o “Native mode” --- all domain controllers run Windows 2000+ (no NT 4 BDCs left)
o “Mixed mode” --- some pre-2000 (NT) domain controllers remain
o Which is more common?
o Backwards compatibility…
Necessary to understand what came before Active Directory
More on Active Directory later
BAD Basics
Before Active Directory…
NT-style domains (superseded by Active Directory domains in 2000+)
o Networked Windows computers that share an authentication database
o Single sign-on for domain
Must have a “domain controller”
o For authentication to the domain
o Usually more than one controller
BAD Basics
Primary Domain Controller (PDC)
o First server in domain
o Updates authentication info in Security Accounts Manager (SAM) database
Backup Domain Controller (BDC)
o Can access SAM, but not update
o Admin can temporarily “promote” BDC
Active Directory: all controllers authoritative
o More robust, but possibly less secure
BAD Basics
Domain sets critical parameters
o Min pwd length
o Pwd expiration policy
o Restrictions on users, etc.
Workgroup --- like domain but worse
o No central authentication or policy: each machine keeps its own local accounts
Shares
Share
o Connection to network resources (shared folders, printers)
o Used with domains and Active Directory
o Similar to NFS mounts in UNIX
o Windows Explorer: My Network Places
Convenient transparent way for users to “reach across the network”
Windows Architecture
NT architecture based on layers
Layers important to security
o Each layer restricts layer above
o “Security issues are nearly always a result of some sort of compromise of this layering.”
Two “modes”: user mode, kernel mode
Windows Architecture (diagram)
User Mode
Part of OS that users interact with
User mode is “go between”
o Between user and kernel
o Strict communication rules: Application Programming Interfaces (APIs)
User mode: 2 types of subsystems
o Integral subsystems: native to Windows (e.g., the security subsystem)
o Environment subsystems: support for the APIs of other OSs (POSIX, OS/2)
User Mode
Integral subsystem
o Provide APIs used by Win32 apps
o For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.
DLLs translate (documented) API calls into (undocumented) calls into kernel
o User mode -> kernel mode (Executive subsystem)
LSASS
Local Security Authority Subsystem Service
o User mode subsystem
o Determines if login is valid
o Checks login data against the SAM database
For each account, SAM stores 2 hashes
o NT pwd hash, LM/LanMan pwd hash --- Why???
o Backwards compatibility, of course!
Windows Passwords
NT hash used in NT and beyond
LM hash kept for Windows 95 & 98 (LAN Manager) compatibility
SAM entries not stored in ASCII
o Different from UNIX /etc/passwd or /etc/shadow
o Pwdump3 converts to readable form
How are pwd hashes derived?
Windows Passwords
LM pwd hashes
o Assume pwd is 14 characters or less (longer passwords are truncated)
o Convert to upper-case
o Pad password to 14 characters (with nulls)
o Split into two 7-char strings
o Hash each half independently
o Use DES block cipher: each 7-char half is the key, encrypting a fixed constant
o No salt is used
Windows Passwords
NT password hash
o Hash entire pwd (encoded as UTF-16LE) using MD4, no salt used
o Note: MD4 not a strong hash
Which is better, NT or LM?
o Spse 64 choices/character, 14 char pwd
o NT: try 2^83 on average, LM: try 2^42 on average
o LM is 2^41 (2,000,000,000,000+) times easier
o LM is even worse than that…
Windows Password
By default, both LM and NT hashes are stored
What will attacker do?
o Attack LM pwd, of course
o Recover the upper-cased LM password, then try its case variants against the NT hash
o Still much easier than NT pwd
o Both types unsalted (dictionary and precomputed-table attacks)
Disable LM hash storage if possible (NoLMHash policy, or passwords longer than 14 characters)
Kernel Mode
Fundamental OS issues
o Memory mgmt, deal with hardware, etc.
More privileged than user mode (kernel code is subject to no access checks)
Security Reference Monitor
o Part of Executive subsystem
o Mediates every object access request that reaches the kernel from user mode
o Checks attempts to access files, registry keys, processes, etc.
o Checks permissions, gathers audit data, etc.
Kernel Mode
Object Manager
o Manages info about files, directories, etc.
o Objects get Object Identifier (OID)
o OIDs used by Object Manager
o Object Manager aware of some inheritance relationships (e.g., subfolders)
Kernel Mode
Hardware Abstraction Layer (HAL)
o Deals with hardware in a high-level way
o Low level details left to device drivers
o Makes life easier for Windows…
o …but not for hardware manufacturers
o Bad drivers run in kernel mode, so they can crash (or compromise) the whole system
o HAL is what let NT run on several processor architectures (x86, MIPS, Alpha, PowerPC)
Service Packs and Updates
When bugs and problems are found…
Patches come in 2 flavors
o Hotfixes/patches --- specific issue
o Service packs --- major bundle of fixes, once per 6 months to year
o Delivered automatically (Windows Update service)
o Fixes to OS and to other MS products
Patching is a big deal for companies
Accounts
Default accounts: Administrator, Guest
Administrator account
o Administrator has highest privilege
o Administrator acct cannot be locked out or deleted (but can be renamed)
o Can only be disabled if another admin exists
o Since it cannot be locked out, attacker gets unlimited pwd guessing against it
o Good idea to have more than one Admin acct
Accounts
Guest account
o Anyone can log on to guest acct
o Limited in what it can do, but still…
o Guest is generally a bad idea
o Disabled by default on modern Windows
Accounts
User accts, application accts, etc.
How to secure accounts?
o Give all admin accts “neutral” names
o Change acct description(s) too
o Create decoy acct named “Administrator” (no privileges; audit logon attempts to it)
o Disable Guest, give it a strong pwd
“Belt and suspenders principle”
Security by obscurity? Is it worth it? (Renaming does not change the real account’s SID, which always ends in 500)
Groups
Used to control access/privilege
Why not user accounts?
Easier to manage (fewer) groups instead of (many) users
Before Active Directory (i.e., before Windows 2000)
o Two types of groups
o Global groups, local groups
Groups
Local groups give access to resources
o Global groups cannot grant access
Typically, users included in global groups
o Global groups then included in local groups
o Access given to those in local group (including those in included global groups)
o Global groups cannot be included in global groups
o Local groups cannot be included in local groups
Groups
Huh?
For example, suppose a new hire
o Include user in global groups
o Then automatically included in appropriate local groups
o Otherwise, have to make config changes to individual local machines
Default Groups
Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests
Global: Domain Admins, Domain Users, Domain Guests
Special Groups
Special since cannot add or delete users
o But can change group rights/privileges
Special groups are local groups (built-in identities; membership is assigned by the system)
EVERYONE --- for about anything
SYSTEM --- “holy grail”
o Nothing has higher privilege
o Not a login ID
o Some processes (most services) run with SYSTEM privilege
o Compromise one of these and you “own” system
Special Groups
Other special groups
o INTERACTIVE --- currently logged in locally
o NETWORK --- currently logged in non-locally
o CREATOR OWNER --- owner of a given object (confusing name…)
These are not as special as SYSTEM…
Privilege
Privilege --- capacity to access and manipulate things
Rights --- things users can do; can be added/modified (accts and groups)
Abilities --- built-in capabilities
Administrator --- highest privilege
o Operator groups --- like bits and pieces of admin
Power user --- next highest
o Then users followed by guest
Privilege Control
“…advanced rights control internal functions within Windows system”
o Example: “Act as Part of Operating System”
o Lets a process act as a trusted part of the OS (e.g., create arbitrary logon tokens)
o Attacker has got to love this…
Principle of least privilege
o Give least privilege needed to do job
o “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”
User Rights Assignments (screenshot)
Policies
Admin can create “policies”
o Can affect local machine
o Or entire domain
Account Policy --- most basic policy
o Applies to all accounts in a domain
o Max pwd age, pwd history, lockout, etc.
o See next 2 slides…
Account Policies: Passwords (screenshot)
Account Policies: Lockout (screenshot)
User Properties Settings
User Properties
o Technically, not Policies, but serve similar purpose
Like Policies, but set for individual accts
o E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.
User Property Settings (screenshot)
Trust
Extends “login” across domains
o Like single sign-on to trusting domains
o One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain
o Can limit access via local group(s)
o NT trusts are one-way and non-transitive: A trusting B and B trusting C does not make A trust C
Windows Trust Models
No trust --- most secure, most inconvenient
Complete trust --- every domain trusts
every other domain
Master domain --- user accounts in central account domain
o Gives central control for mapping users to resources (via groups)
Multiple master domains --- like a distributed master domain
Windows Trust
Based on password authentication (NTLM challenge-response between domain controllers)
Better than UNIX r-commands
o Btw, what is authentication based on in UNIX r-commands?
Active Directory uses Kerberos (Windows 2000+)
Auditing
Can only audit what you log
Types of logging/audit
o System
o Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.
o Application
Auditing
By default, detailed auditing is off
o And not available in XP Home edition
Not easy to decide what to log
Some important data not logged
o Source/destination IP address, whether system reinstall occurred, etc.
Audit Settings (screenshot)
Access Control and Permissions
How to control access to objects
Ownership
o Each object has owner (CREATOR OWNER)
o Owner can always change permissions
File Allocation Table (FAT)
o No access control --- the reason why Windows 95, 98, Me cannot be secure
Access Control and Permissions
NTFS (NT File System)
o Good performance, recoverability, etc.
o Reasonable set of permissions
o “One of the most effective parts of Windows security”
Number of permissions is “bewildering”
Example NTFS Permissions
No Access --- what it says (overrides any other permission the user holds)
Read --- read and execute
Change --- read, execute, write, delete
Full Control --- Change plus change permissions and take ownership
These are actually combinations of more granular permissions
Share Permissions
Recall shares are kind of like NFS mounts
Permissions on components of file system
o For example, a shared folder
Remote access depends on both NTFS and share permissions
o Most restrictive wins: effective rights are the intersection of the two
Local login --- only NTFS permissions apply
o Potentially a security issue: a share locked down to Read does nothing for someone who logs on at the console
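Added example (not from the slides or the book) of the “most restrictive wins” rule: effective rights over a share are the intersection of share and NTFS rights, while a local logon sees NTFS alone. The right sets are a model of the NT-style levels listed on the previous slide, and the users and settings in the demo are constructed.

```python
# Model of NT-style permission levels as right sets (constructed for this example).
RIGHTS = {
    "No Access":    frozenset(),
    "Read":         frozenset({"read", "execute"}),
    "Change":       frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete",
                               "change permissions", "take ownership"}),
}


def effective_rights(ntfs_level, share_level=None, remote=True):
    """Rights a principal actually gets on a file under a shared folder.

    Remote (through the share): intersection of share and NTFS rights, so the
    more restrictive side wins and 'No Access' on either side blocks everything.
    Local logon: the share is not involved; only NTFS permissions apply.
    """
    ntfs = RIGHTS[ntfs_level]
    if not remote or share_level is None:
        return ntfs
    return ntfs & RIGHTS[share_level]


def level_name(rights):
    """Name of the coarse level that exactly matches a right set."""
    for name, rs in RIGHTS.items():
        if rs == rights:
            return name
    return "custom"


def local_only_exposure(ntfs_level, share_level):
    """Rights available at the console that the share blocks remotely.
    Non-empty means the share permission is doing work NTFS does not."""
    return RIGHTS[ntfs_level] - effective_rights(ntfs_level, share_level, remote=True)


if __name__ == "__main__":
    # Constructed scenario: folder shared read-only, NTFS still grants Change.
    for user, ntfs, share in [("alice", "Change", "Read"),
                              ("bob", "Full Control", "No Access"),
                              ("carol", "Read", "Full Control")]:
        print(user,
              "remote:", level_name(effective_rights(ntfs, share)),
              "local:", level_name(effective_rights(ntfs, share, remote=False)),
              "local-only exposure:", sorted(local_only_exposure(ntfs, share)))
```

The usual hardening advice follows from local_only_exposure: put the real restriction in NTFS (which applies everywhere) and treat the share permission as a second fence, not the only one.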
Weak Default Permissions
Many default permissions “faulty”
o E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database
System should be hardened
o Entire books written on this subject
Network Security
Protocols and APIs
SMB/CIFS
o Server Message Block protocol --- MS implementation is called Common Internet File System
o “Weak authentication” --- many attacks
o No details at this point in book…
Network Security
NetBEUI/NetBIOS --- older (deprecated) network environment
o DoS and other attacks
Microsoft Internet Information Service (IIS) --- built-in Web server
o Attackers love IIS
Summary of BAD Old Days
Before Active Directory (BAD)
o That is, before Windows 2000+
We discussed…
History
o Windows 3.0/95/98 (no security)
o Windows NT
Backwards compatibility
Summary of BAD Old Days
Domains --- SSO to networked machines
Shares --- analogous to NFS mounts
Modes --- User Mode, Kernel Mode
Service packs/updates
Accounts
Groups --- local and global
Privilege --- rights and abilities
Summary of BAD Old Days
Policies --- apply to all accts in domain
Properties --- individual accounts
Trust --- across domains
Auditing/Logging
Access control/permissions
o FAT --- no security
o NTFS --- good level of security
Network security/protocols
Windows 2000+
What is Windows 2000+?
o Windows 2000, XP, Server 2003
o Vista not covered in text
Much of BAD stuff lives on…
But some important changes
o Including many new security features
Windows 2000+
“Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”
According to Paul Kocher, “complexity is the enemy of security”
Windows 2000+
New non-security features
o Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)
But we’re interested in security…
Windows 2000+
New security features
o Active Directory --- “central nervous system”
o MS implementation of Kerberos
o SSPI --- Security Support Provider Interface, pluggable authentication mechanisms
o MS implementation of IPSec
o L2TP --- Layer Two Tunneling Protocol, for VPN tunnels (used together with IPSec)
o Support for smart cards
o Encrypting File System (EFS)
Native vs Mixed Mode
Native Mode --- all domain controllers 2000+
o Backward compatibility issues go away
o Can take full advantage of 2k+ security
o Remainder of chapter deals with Native mode
Mixed Mode --- some older domain controllers
o 1st part of chapter applies to Mixed mode
Domains Deemphasized
NT domains “got in the way”
o Boundary between resources & services
o NT browsing services costly
Domains exist in 2000+…
o But not as important as in NT
Active Directory --- simplifies way to find and administer resources
Domains in Windows 2000+
Not for network organization…
Instead, for common policy settings
Domains deployed in trees or forests
o Link trusted domains together
o Trees have “contiguous” name space (easier to find resources)
o Forests: “noncontiguous” name space
Domains in tree form (diagram)
Domains
In Win 2000+
o No distinction between PDCs and BDCs
o All domain controllers authoritative
o I.e., all can accept and replicate pwd changes (multi-master replication)
o Good for robustness…
o …questionable for security
o Every domain controller holds a full, writable copy of the domain: compromise any one and the whole domain is compromised
Active Directory
Active Directory
o “All of your eggs in one basket”
o Based on LDAP
o Find resources on network
Security-wise…
o Acts as “massive data repository”
o Accounts, security policies, files, etc., etc.
Depends heavily on DNS
o Uses Dynamic DNS (DDNS) and SRV records to find domain controllers and services
Security in Windows 2000+
Greater complexity requires more careful configuration
Protect Active Directory by…
o Limiting admin privilege
o Beware of “mixed mode” attacks (NT 4 BDCs keep the weaker NT-style authentication and SAM replication alive)
o Install in its own partition (out of the way of IIS and other dangerous stuff)
Physical Security
Kerberos
o Recall Key Distribution Center (KDC)
o Access to KDC gives access to “tickets”
o KDC lives on a server (every domain controller runs the KDC service)
o Client machines cache important info
“Credentials” encrypted with KDC key (the krbtgt account’s key)
o So, access to client credentials not a big deal
o But, access to KDC key breaks entire system
Templates
For setting security parameters
Include many pre-packaged recommended settings
Easy to develop custom templates
Center for Internet Security provides security templates
Windows 2000+ Architecture
As before, user mode, kernel mode
Kernel mode now includes
o Plug and Play Manager
o Power Manager
o Window Manager, etc.
Accounts and Groups
Accounts almost same as pre-2000
Power Users group is potential problem
o Reducing privilege may break things
Three group scopes
o Domain local, global, universal
o Universal == membership and access can span every domain in a forest
o In native mode, global can include global groups
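Added example (not from the slides or the book) serving both the NT group-nesting rules and “new hire” case earlier and the native-mode relaxation above: a validator for which scopes may nest in which, and a small directory model that resolves a user’s effective group membership. Group and user names are constructed.

```python
# Group nesting rules: NT (pre-2000) versus native-mode Active Directory.
NT_MODE, NATIVE_MODE = "nt", "native"


def can_nest(member_scope, container_scope, mode=NT_MODE):
    """May a member of `member_scope` be placed in a group of `container_scope`?
    NT rule: users go in global groups, global groups go in local groups,
    nothing else nests. Native-mode AD (2000+) adds global-in-global,
    universal groups, and local-in-local within one domain."""
    native = mode == NATIVE_MODE
    if container_scope == "global":
        return member_scope == "user" or (native and member_scope == "global")
    if container_scope == "universal":
        return native and member_scope in ("user", "global", "universal")
    if container_scope == "local":
        return member_scope in ("user", "global") or (native and member_scope in ("universal", "local"))
    raise ValueError(f"unknown scope {container_scope!r}")


class Directory:
    """Minimal model: group scopes plus membership edges."""

    def __init__(self, mode=NT_MODE):
        self.mode = mode
        self.scope = {}     # group name -> scope
        self.members = {}   # group name -> set of members (users or groups)

    def add_group(self, name, scope):
        self.scope[name] = scope
        self.members[name] = set()

    def add_member(self, member, group):
        mscope = self.scope.get(member, "user")   # anything not a group is a user
        if not can_nest(mscope, self.scope[group], self.mode):
            raise ValueError(f"{self.mode} mode: cannot put {mscope} {member!r} "
                             f"into {self.scope[group]} group {group!r}")
        self.members[group].add(member)

    def effective_groups(self, principal):
        """Every group the principal ends up in, following nesting."""
        found, stack = set(), [principal]
        while stack:
            cur = stack.pop()
            for group, members in self.members.items():
                if cur in members and group not in found:
                    found.add(group)
                    stack.append(group)
        return found


def build_example(mode):
    """Constructed directory: the slides' new-hire case. Engineers (global) is
    placed in a file server's local group; in native mode a second global group
    is nested inside Engineers, which NT mode would reject."""
    d = Directory(mode)
    d.add_group("Engineers", "global")
    d.add_group("FILESRV\\Project-RW", "local")
    d.add_member("alice", "Engineers")                   # new hire
    d.add_member("Engineers", "FILESRV\\Project-RW")     # done once per resource
    if mode == NATIVE_MODE:
        d.add_group("Contractors", "global")
        d.add_member("bob", "Contractors")
        d.add_member("Contractors", "Engineers")         # global in global
    return d


if __name__ == "__main__":
    print("NT mode, alice ->", sorted(build_example(NT_MODE).effective_groups("alice")))
    print("native, bob ->", sorted(build_example(NATIVE_MODE).effective_groups("bob")))
    print("global in global, NT:", can_nest("global", "global"),
          "native:", can_nest("global", "global", NATIVE_MODE))
```

Adding alice to one global group is all it takes for her to inherit the file server’s local-group access; in NT mode the Contractors-into-Engineers step raises, which is exactly the limitation native mode removes.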
Organizational Units
OUs are hierarchical groups of users
o Can inherit properties (within domain)
o Important for privilege control
o Supports delegation of privilege
o “Children” OU can never have more rights than “parent” OU
o Good way to limit privilege
Organizational Units
Downside to OUs
o Only recognized within domain
o 3 levels is practical max (performance)
Privilege Control
“Rights” more granular than in NT
o Multiple ways to accomplish same thing
No “abilities”
RunAs
Run with different privilege
o E.g., log on as a normal user and launch an admin tool with admin credentials (or an admin runs a program with lower privilege)
Policies
Group Policy Objects (GPOs)
o Password policy, IPSec, Kerberos, etc.
o Granularity! (e.g., the appearance of IE)
GPOs allow for different policies for…
o Different users
o Different OUs
o Different computers, domains, etc.
GPOs (screenshot)
Trust
In NT, MS-specific authentication (NTLM)
In 2000+, Kerberos
Plug a domain into tree (or forest)
o Automatically trusts (and trusted by) all other domains in tree (or forest): trusts are two-way and transitive
Any domain can trust any other
o Problem, if not managed carefully
o Attackers like “orphan domains”: a forgotten domain is still trusted by every other domain in the forest
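Added example (not from the slides or the book) covering both the NT trust models earlier and the forest trusts above: given a set of one-way trusts, compute which account domains can reach a resource domain, once under NT’s non-transitive rule and once under the transitive rule of a 2000+ forest. Domain names are constructed.

```python
# Trust reachability: NT one-way non-transitive vs 2000+ transitive forest trusts.
def reachable_account_domains(trusts, resource_domain, transitive):
    """trusts: set of (trusting, trusted) pairs; the trusting domain accepts
    accounts from the trusted domain. Returns every domain whose accounts can
    be granted access to resources in `resource_domain`."""
    direct = {trusted for trusting, trusted in trusts if trusting == resource_domain}
    if not transitive:                     # NT: only what was set up explicitly
        return direct
    seen, stack = set(), list(direct)      # 2000+/Kerberos: follow the chain
    while stack:
        dom = stack.pop()
        if dom in seen:
            continue
        seen.add(dom)
        stack.extend(t for tr, t in trusts if tr == dom)
    return seen - {resource_domain}


def complete_trust(domains):
    """NT 'complete trust' model: n*(n-1) one-way trusts to maintain."""
    return {(a, b) for a in domains for b in domains if a != b}


def master_domain(account_domain, resource_domains):
    """NT 'master domain' model: every resource domain trusts one account domain."""
    return {(r, account_domain) for r in resource_domains}


def forest_trusts(parent_of):
    """2000+: joining a tree creates a two-way trust between child and parent."""
    trusts = set()
    for child, parent in parent_of.items():
        trusts.add((child, parent))
        trusts.add((parent, child))
    return trusts


if __name__ == "__main__":
    # Constructed forest: three child domains under corp.example, one of them
    # an old lab domain nobody administers any more (the "orphan").
    forest = forest_trusts({"sales.corp.example": "corp.example",
                            "eng.corp.example": "corp.example",
                            "oldlab.corp.example": "corp.example"})
    nt = master_domain("ACCOUNTS", ["SALES", "ENG"])
    print("NT master domain, SALES reaches:", reachable_account_domains(nt, "SALES", False))
    print("Forest, sales reaches:", sorted(reachable_account_domains(forest, "sales.corp.example", True)))
    print("Complete trust among 4 NT domains:", len(complete_trust(["A", "B", "C", "D"])), "trusts")
```

In the forest case the orphaned lab domain shows up in every resource domain’s reachable set without anyone having configured a trust to it, which is why an unmanaged domain in a forest is as dangerous as an unmanaged domain controller.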
Auditing
Similar to NT
Security Log
o 9 (instead of 7) categories
o Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events
Access Control
Similar to NT
NT uses NTFS-4
Windows 2000+ uses NTFS-5
Standard permissions
o Full Control
o Modify
o Read and Execute
o Read
o Write
Access Control
NTFS-5 basic permissions
o Traverse Folder/Execute File
o List Folder/Read Data
o Read Attributes
o Read Extended Attributes (e.g., encryption)
o Create Files/Write Data
o Create Folders/Append Data
o Write Attributes
o Write Extended Attributes
o Read Permissions
o Change Permissions
o Delete Subfolders and Files
o Delete
o Take Ownership
o Synchronize (wait on the file handle for I/O; needed by nearly all access, so part of every standard permission)
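Added example (not from the slides or the book): the 14 basic permissions as bit flags, the standard permissions composed from them the way Windows does, and an ordered ACE walk of the kind the Security Reference Monitor performs (deny ACEs checked first, allow ACEs accumulated until the request is satisfied, owner implicitly able to read and change permissions). The DACL and the SID labels are constructed, not real SIDs.

```python
from enum import IntFlag


class Perm(IntFlag):
    TRAVERSE_EXECUTE = 1 << 0
    LIST_READ_DATA = 1 << 1
    READ_ATTRS = 1 << 2
    READ_EA = 1 << 3
    CREATE_FILES_WRITE_DATA = 1 << 4
    CREATE_DIRS_APPEND_DATA = 1 << 5
    WRITE_ATTRS = 1 << 6
    WRITE_EA = 1 << 7
    READ_PERMS = 1 << 8
    CHANGE_PERMS = 1 << 9
    DELETE_SUBTREE = 1 << 10
    DELETE = 1 << 11
    TAKE_OWNERSHIP = 1 << 12
    SYNCHRONIZE = 1 << 13


ALL_BITS = (1 << 14) - 1
# Standard permissions as Windows composes them from the basic bits.
READ = Perm.LIST_READ_DATA | Perm.READ_ATTRS | Perm.READ_EA | Perm.READ_PERMS | Perm.SYNCHRONIZE
WRITE = (Perm.CREATE_FILES_WRITE_DATA | Perm.CREATE_DIRS_APPEND_DATA | Perm.WRITE_ATTRS
         | Perm.WRITE_EA | Perm.READ_PERMS | Perm.SYNCHRONIZE)
READ_EXECUTE = READ | Perm.TRAVERSE_EXECUTE
MODIFY = READ_EXECUTE | WRITE | Perm.DELETE
FULL_CONTROL = Perm(ALL_BITS)
STANDARD = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
            ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)]


def standard_name(mask):
    """Name the simple permissions UI shows for an exact standard mask."""
    for name, std in STANDARD:
        if int(mask) == int(std):
            return name
    return "Special"


def access_check(dacl, principal_sids, requested, owner_sid=None):
    """Walk the DACL in order (canonical order puts explicit deny ACEs first).

    dacl: list of (kind, sid, mask) with kind 'allow' or 'deny'.
    A deny ACE for one of the principal's SIDs covering a still-needed bit
    fails the check; allow ACEs accumulate until every requested bit is
    granted. The owner implicitly holds Read Permissions/Change Permissions.
    """
    want = int(requested) & ALL_BITS
    granted = 0
    if owner_sid is not None and owner_sid in principal_sids:
        granted |= int(Perm.READ_PERMS | Perm.CHANGE_PERMS) & want
    for kind, sid, mask in dacl:
        if sid not in principal_sids:
            continue
        if kind == "deny" and (want & ~granted & int(mask)):
            return False
        if kind == "allow":
            granted |= int(mask) & want
        if granted == want:
            return True
    return granted == want          # empty or non-matching DACL: denied


# Constructed DACL for a project folder owned by alice (labels, not real SIDs).
PROJECT_DACL = [
    ("deny", "S-contractors", Perm.CREATE_FILES_WRITE_DATA | Perm.CREATE_DIRS_APPEND_DATA | Perm.DELETE),
    ("allow", "S-users", READ_EXECUTE),
    ("allow", "S-alice", FULL_CONTROL),
]


if __name__ == "__main__":
    for who, sids in [("bob", {"S-bob", "S-users"}),
                      ("carol (contractor)", {"S-carol", "S-users", "S-contractors"}),
                      ("alice (owner)", {"S-alice", "S-users"})]:
        for name, mask in [("Read & Execute", READ_EXECUTE), ("Modify", MODIFY)]:
            ok = access_check(PROJECT_DACL, sids, mask, owner_sid="S-alice")
            print(f"{who:20} {name:15} {'granted' if ok else 'denied'}")
```

Note that carol still gets Read & Execute despite the deny ACE: the deny only covers write/append/delete bits, so it fires for Modify but not for a read-only request. That is the behaviour the “bewildering” granularity buys.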
Encrypting File System
EFS automatically and transparently encrypts/decrypts files
o DESX (Windows 2000), 3DES, or AES (XP SP1+)
Does not encrypt files in transit on the network
Only one user per file allowed (Windows 2000; XP lets additional users be added)
Slight performance issue
Critical to back up EFS key (and configure a data recovery agent)!
Conclusion
Securing Windows not a trivial matter
Windows a target-rich environment
Weak default settings
Backward compatibility
Complexity
Summary
History
Pre-2000
o Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security
Summary
2000+
o Active Directory
o Kerberos, IPSec, etc.
o Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS