Lecture5-Windows Security (1)

The document provides an overview of Windows Security, focusing on key concepts such as security context, access tokens, and account security. It details how Windows manages user accounts, passwords, rights, and permissions, as well as the importance of auditing and the responsibilities of developers in maintaining security. Additionally, it discusses the trade-offs between security measures and user convenience.

Uploaded by ramuody5

Windows Security

Operating System Security (CYB 0204)

Lecture #5
Outline
1. Security Context & Security Principal
2. What is Access Token?
3. How to secure Accounts in Windows?
4. Rights and Permissions
5. How & where does Windows store passwords?
6. Trade Off in Windows Security
7. Duties of a Developer!
8. Countermeasure (Auditing)
Security Context

• One of the basic tenets of Windows security is that each process runs on behalf of a user.
• So, each running process is associated with a security context.
• A security context is a bit of cached data about a user, including her SID, group SIDs and privileges.
Security Principal

• A security principal is an entity that can be positively identified and verified via a technique known as authentication.
• Security principals in Windows are assigned on a process-by-process basis, via a little kernel object called a token.
• Each user, computer or group account is a security principal on a system running Windows Server 2003, Windows 2000 or Windows XP.
• Security principals receive permissions to access resources such as files and folders. User rights, such as interactive logon, are granted or denied to accounts directly or by membership in a group. The accumulation of these permissions and rights defines what a security principal can and cannot do.
• There are 3 types of security principals:
1) User principals
2) Machine principals
3) Service principals
Security Identifier (SID)

• Users reference their accounts by usernames, but the operating system internally references accounts by their security identifier.
• SIDs are unique in their scope (domain or local) and are never reused, so they uniquely identify user and group accounts in Windows.
• By default, the operating system
• A SID consists of several parts:
S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>
Security Identifier (SID) cont.

• Revision: This value indicates the version of the SID structure used in a particular SID. For Windows Server 2003, Windows 2000 and Windows XP, it is currently 1.
• Identifier authority: This value identifies the authority that can issue SIDs for this type of security principal.
• Subauthority: The most important information in a SID is contained in a series of one or more subauthority values. All values except the last one collectively identify the domain and are called the domain identifier; the last value is the relative identifier (RID).
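As an added example (not part of the lecture), a small Python parser that splits a SID string into the parts just listed, validates them, and names a few well-known RIDs; the RID table is assumed reference data.

```python
# Added example (not from the lecture): parse a SID string into the parts the
# slides describe: revision, identifier authority, domain identifier and RID.
from dataclasses import dataclass
from typing import List

# Assumed reference data: a few well-known RIDs (500 = built-in Administrator).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

@dataclass
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: List[int]

    @property
    def domain_identifier(self) -> List[int]:
        # All subauthority values except the last one identify the domain.
        return self.subauthorities[:-1]

    @property
    def rid(self) -> int:
        # The last subauthority value is the relative identifier.
        return self.subauthorities[-1]

    @property
    def domain_sid(self) -> str:
        base = "S-%d-%d" % (self.revision, self.identifier_authority)
        return base + "".join("-%d" % s for s in self.domain_identifier)

def parse_sid(text: str) -> Sid:
    """Parse 'S-<revision>-<identifier authority>-<subauthority>-...' and validate it."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    # The identifier authority is written in hex (0x...) when it exceeds 32 bits.
    authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("subauthorities must be 1..15 values, each 32-bit")
    return Sid(revision, authority, subs)

def describe(text: str) -> str:
    """Split a SID into its domain identifier and RID, naming well-known RIDs."""
    sid = parse_sid(text)
    return "domain=%s rid=%d (%s)" % (sid.domain_sid, sid.rid, WELL_KNOWN_RIDS.get(sid.rid, "unknown"))
```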
Where is the SID located?

• When a user logs in for the first time, the operating system churns away audibly for a while and explorer.exe starts only after some delay. This is because the operating system is creating a user profile.
• The operating system dynamically loads the subkeys under HKEY_USERS as users log on and off interactively.
Access Token

• A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs and privileges.
• A token is created whenever a user successfully logs on to the network, and a copy of this token is assigned to every process and thread that executes on the user's behalf.
• A token consists of the following components: account ID, group IDs, rights, owner, primary group, source, type, impersonation level, statistics, restricted SIDs, session ID.
Account Security

• User accounts are the core unit of network security.
• In Windows Server 2003 and Windows 2000, domain accounts are stored in the Active Directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database.
• The passwords for the accounts are stored and maintained by the System Key.
• Though the accounts are secured by default, we can secure them even further.
• Go to Administrative Tools in Control Panel (only when you are logged in as an admin) and click on "Local Security Settings". There you will find the Account Policies.
• It contains password policies and account lockout policies.
Account Lockout Policies

• Account lockout duration: Locks out the account for a particular duration (1-99,999 minutes).
• Account lockout threshold: Locks out the account after a particular number of failed attempts (1-999 attempts).
• Reset account lockout counter after: Resets the failed-attempt counter after a set time (1-99,999 minutes).
• These three settings are only present in Windows Server 2003 and Windows 2000, but not in Windows XP.
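As an added example (not from the lecture), a Python model of how these three settings combine for one account: the threshold counts failures, the reset window clears the counter after a quiet gap, and the duration decides when a locked account opens again. The policy values and user names are constructed.

```python
# Added example (not from the lecture): model of the slide's three lockout settings; times in minutes.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold: failed attempts before lockout (1-999)
    duration_min: int     # Account lockout duration: minutes the account stays locked
    reset_after_min: int  # Reset account lockout counter after: quiet minutes that clear the counter

@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            return True
        if st.locked_until is not None:
            st.locked_until, st.failures = None, 0  # duration elapsed: unlock, clear counter
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a wrong-password attempt; True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        st = self.accounts[user]
        # A quiet gap of at least reset_after_min since the last failure clears the counter.
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after_min:
            st.failures = 0
        st.failures, st.last_failure = st.failures + 1, now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_min
            return True
        return False

    def logon_with_correct_password(self, user: str, now: float) -> bool:
        """Correct credentials are still refused while locked; a success clears the counter."""
        if self.is_locked(user, now):
            return False
        self.accounts[user].failures = 0
        return True
```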
Password Policies

• Enforce password history: Enforces password history (0-24 passwords remembered).
• Maximum password age: Sets the maximum password age (0-999 days).
• Minimum password age: Sets the minimum password age (0-999 days).
• Minimum password length: Sets the minimum password length (0-14 characters).
• Password must meet complexity requirements: Forces users to set complex alphanumeric passwords.
• Store password using reversible encryption for users in the domain: We enable this if we want the password to be decrypted and compared to plain text using methods like Challenge Handshake Authentication Protocol (CHAP) or Shiva Password Authentication Protocol (SPAP).
Rights

• Rights are actions or operations that an account can or cannot perform.
• User rights are of two types:
  Privileges: A right assigned to an account that specifies allowable actions on the network. Example: Back up files and directories.
  Logon rights: A right assigned to an account that specifies the ways in which the account can log on to a system, locally or from the network. Example: Access this computer from the network.
• Permissions define which resources accounts can access and the level of access they have.
• Right-click on any file, and under Properties, go to the Security tab to set permissions.
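As an added example (not from the lecture), a Python model of the access check these slides describe: the token's user and group SIDs are matched against a file's ACEs in order, with deny ACEs refusing and allow ACEs granting the requested rights. The SIDs other than BUILTIN\Users and the access-right bits are constructed for the example.

```python
# Added example (not from the lecture): a token (user SID plus group SIDs) checked
# against a file's DACL the way Windows walks ACEs in order. SIDs are constructed
# except BUILTIN\Users, and the access-right bits are a constructed subset.
from dataclasses import dataclass
from typing import List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass
class Token:
    user_sid: str
    group_sids: List[str]

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

@dataclass
class Ace:
    allow: bool  # True for an access-allowed ACE, False for an access-denied ACE
    sid: str     # the trustee the ACE applies to
    mask: int    # the rights it allows or denies

def access_check(token: Token, dacl: Optional[List[Ace]], requested: int) -> bool:
    """True if every requested right is granted. A NULL DACL grants everything, an
    empty DACL nothing. ACEs are walked in order until all rights are satisfied: a
    matching deny ACE covering an outstanding right refuses, a matching allow ACE
    removes its rights from the outstanding set."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0

# Constructed scenario: bob is a member of Users; the DACL allows Users read and delete
# but denies bob delete. The deny only works when it precedes the allow (canonical
# order); placed after it, the allow has already satisfied the request.
USERS = "S-1-5-32-545"       # BUILTIN\Users, a well-known SID
BOB = "S-1-5-21-1-2-3-1001"  # constructed user SID
bob = Token(BOB, [USERS])
CANONICAL = [Ace(False, BOB, DELETE), Ace(True, USERS, READ | DELETE)]
NON_CANONICAL = [Ace(True, USERS, READ | DELETE), Ace(False, BOB, DELETE)]
```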
Where are the passwords stored on the system?

• The system stores the passwords in the machine's password stash, i.e., under HKLM\Security\Policy\Secrets.
• Type "at 9:23am /interactive regedit.exe", substituting whatever time is appropriate (make it one minute in the future). Once regedit fires up, carefully look at the subkeys under HKLM\Security\Policy\Secrets. You're looking at the machine's password stash, more formally known as the LSA private data store.
• The operating system also, by default, caches (stores locally) the last 10 passwords.
• There are registry settings to turn this feature off or restrict the number of accounts cached.
• For the following registry entry, change the default value:
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Type: REG_SZ
Key: CachedLogonsCount
Default value: 10
Recommended value: 0-50 depending on your security needs.
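As an added example (not from the lecture), a Python check that reads CachedLogonsCount from a .reg export of the Winlogon key above and flags it against a limit of your choosing; the export text is constructed.

```python
# Added example (not from the lecture): read CachedLogonsCount from a .reg export
# of the Winlogon key and flag it against a limit. The export text is constructed.
import re
from typing import Optional

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_CACHED_LOGONS = 10  # the default the slide gives, used when the value is absent

# Constructed sample in the format regedit's "Export" writes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="EXAMPLE"
"CachedLogonsCount"="25"
"AutoAdminLogon"="0"
"""

def read_cached_logons_count(reg_text: str) -> int:
    """Return the REG_SZ CachedLogonsCount under the Winlogon key, or the default if absent."""
    in_winlogon = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # A [key] line starts a new section; only the Winlogon key is of interest.
            in_winlogon = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        if not in_winlogon:
            continue
        m = re.match(r'^"CachedLogonsCount"="(\d+)"$', line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return DEFAULT_CACHED_LOGONS

def cached_logons_finding(reg_text: str, limit: int) -> Optional[str]:
    """A finding when more logons are cached than the limit allows, else None."""
    count = read_cached_logons_count(reg_text)
    if count > limit:
        return "CachedLogonsCount=%d exceeds limit %d; lower it (0 disables caching)" % (count, limit)
    return None
```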
But how secret is the LSA secret data store?

• There is a tool available on the net named LSADUMP2.exe which, when run, retrieves the admin passwords of the system.
• LSAdump2 uses DLL injection to bypass the normal access control on security information stored by the Local Security Authority (LSA).
• There is another tool named Cain & Abel.
• It is recommended not to use it with Service Pack 2 installed. It is prone to cause serious damage to the system.
• The System Key is a machine key which encrypts the passwords, so that they cannot be retrieved in clear text.
• Type "syskey" at the command prompt and press OK to enable the System Key.
Trade Off

• There is always a tradeoff between countermeasures and convenience.
• Security and ease of use are like two ends of a long scale.

[Slide diagram: a scale with "Security" at one end, "Ease of use" at the other, and "satisfaction" in between.]

• Users other than admins are prevented from installing software because they don't have access to Program Files.
Developer's Duty

• That is because there may be trojans taking control of winword.exe in Program Files.
• A good programmer is one who develops applications which can be run by all the users of the system.
• The applications should run smoothly even with all the security features of Windows enabled.
Countermeasure (Auditing)

• Windows is getting better and better in protection, but it is weak in countermeasures.
• The only countermeasure it provides is auditing.
• We can audit every file on the system.
• Right-click the file and in Properties, go to Auditing and set auditing.