Windows 1: Windows

Windows 2: Introduction
Old black-and-white "Western" movie
o Gunslinger wants to quit fighting
o Some new young upstart wants to fight
o So the old guy fights one more time...
"Target-ability"
o Depends on popularity and reputation
o Windows is most hackers' favorite target

Windows 3: Introduction
Windows is the most popular OS
o May 2005: 390M Windows machines
o Over half of those running XP
Windows is the obvious target from the attacker's point of view
o Attacker's "cost-benefit" analysis
o Attacker wants the most "bang for the buck"

Windows 4: This Chapter
Brief history of Windows
Consider core NT security features
Consider security in Windows 2000+
o That is, Windows 2000, XP, Server 2003
o Book does not cover Vista

Windows 5: History
History began in April 1993...
o Release of Windows NT
o NT == "New Technology" (or "No Technology")
Before NT
o Microsoft Windows 3.0, 95, 98, Me
o No authentication, program isolation, logging, etc.
o "No security" prior to NT

Windows 6: Modern Windows OSs
NT, Windows 2000, XP, Server 2003
o And Vista, but not covered in the book
Windows NT
o Based on technology developed at DEC for their VMS operating system
o 1988: Microsoft hired David N. Cutler
o He came from DEC, with 20+ others

Windows 7: Windows NT
Originally, Cutler was to build the successor to OS/2, called OS/2 NT
o Microsoft/IBM collaboration
With the success of Windows 3.0 in 1990
o Microsoft changed its mind
o Windows NT was to be their UNIX-beater

Windows 8: Backwards Compatibility
What is backward compatibility?
o New-and-improved works with bad/old versions
NT tried to be backwards compatible
o Users complain if not backwards compatible
o But it creates many security compromises
o Continues to plague Windows (and others) today
o Damned if you do, damned if you don't...

Windows 9: Windows History
After the introduction of NT...
o Incremental changes: NT 3.1, 3.5, 3.51, 4.0
Major overhaul: Windows 2000
o In essence, Windows NT 5.0
Windows XP ("eXPerience")
o Released in October 2001
o Refers to itself as "Windows 2002"
Windows Server 2003

Windows 10: Windows History
1993 to 2001, dual Windows lines
o Home users: Windows 3.0/3.1/95/98/Me
o Professional: NT 3.1/3.5/3.51/4.0/2000
Windows XP
o Evolved from the NT ("professional") line
o For home and professional users
o Ended the dual Windows approach

Windows 11: BAD Old Days
Before Active Directory (BAD)...
Windows 2000: Active Directory
o Major shift in security
Active Directory: all-in-one service for locating stuff
o Find the printer in the next cubicle
o Change pwd policy on machines in a branch office

Windows 12: Active Directory
Active Directory
o "Native mode" --- all-Windows 2000+ environment
o "Mixed mode" --- some pre-2k machines
o Which is more common?
o Backwards compatibility...
Necessary to understand what came before Active Directory
More on Active Directory later

Windows 13: BAD Basics
Before Active Directory...
NT-style domains (now deprecated)
o Networked Windows computers that share an authentication database
o Single sign-on for the domain
Must have a "domain controller"
o For authentication to the domain
o Usually more than one controller

Windows 14: BAD Basics
Primary Domain Controller (PDC)
o First server in the domain
o Holds the writable copy of the Security Accounts Manager (SAM) database and makes all updates to authentication info
Backup Domain Controller (BDC)
o Holds a read-only replica of the SAM: can authenticate users, but cannot update the database
o Admin can "promote" a BDC to PDC if the PDC goes down
Active Directory: all controllers authoritative
o More robust, but possibly less secure

Windows 15: BAD Basics
Domain sets critical parameters
o Min pwd length
o Pwd expiration policy
o Restrictions on users, etc.
Workgroup --- like a domain but worse
o No central control mechanisms; each machine keeps its own accounts

Windows 16: Shares
Share
o Connection to network resources (folders, printers)
o Used with domains and Active Directory
o Similar to NFS mounts in UNIX
o Windows Explorer: My Network Places
Convenient, transparent way for users to "reach across the network"

Windows 17: Windows Architecture
NT architecture based on layers
Layers important to security
o Each layer restricts the layer above
o "Security issues are nearly always a result of some sort of compromise of this layering."
Two "modes": user mode, kernel mode

Windows 18: Windows Architecture
(diagram slide; no transcribed text)

Windows 19: User Mode
Part of the OS that users interact with
User mode is the "go-between"
o Between user and kernel
o Strict communication rules...
o ...Application Programming Interfaces (APIs)
User mode: 2 types of services
o Integral subsystem: native to Windows
o Environment subsystems: support for other OS personalities (e.g., POSIX, OS/2)

Windows 20: User Mode
Integral subsystem
o Provides the APIs used by Win32 apps
o For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.
DLLs translate (documented) API calls into (undocumented) calls into the kernel
o Path of a call: user-mode application -> Win32 DLLs -> kernel -> Executive subsystem

Windows 21: LSASS
Local Security Authority Subsystem Service
o User-mode subsystem
o Determines if a login is valid
o Checks the login data against the SAM database
For each account, SAM stores 2 password hashes
o NT pwd hash and LM/LanMan pwd hash --- Why???
o Backwards compatibility, of course!

Windows 22: Windows Passwords
NT hash used in NT and beyond
LM hash kept so that Windows 95 & 98 clients (which only speak LM authentication) can log on
SAM entries not stored as ASCII text
o Different from UNIX (/etc/passwd, /etc/shadow)
o Tools such as pwdump3 extract the hashes in readable form
How are pwd hashes derived?

Windows 23: Windows Passwords
LM pwd hashes
o Assume pwd is 14 characters or less (in 2000+, longer passwords get no LM hash at all)
o Pad the password to 14 characters with null bytes
o Convert to UPPER case (LM is case-insensitive)
o Split into two 7-char strings
o Hash each half independently
o Each 7-byte half is used as a DES key to encrypt the fixed string "KGS!@#$%"; the two 8-byte results are concatenated
o No salt is used

Windows 24: Windows Passwords
NT password hash
o Hash the entire pwd (as Unicode, UTF-16LE) with MD4, no salt used
o Note: MD4 is not a strong hash
Which is better, NT or LM?
o Suppose 64 choices/character, 14-char pwd
o NT: try about 2^83 guesses (half of 64^14 = 2^84)
o LM: try about 2^42 guesses (half of 2 x 64^7 = 2^43, since each half is cracked separately)
o LM is 2,000,000,000,000+ (2^41) times easier
o LM is even worse than that (case folding shrinks the alphabet; a pwd of 7 or fewer chars leaves the second half empty)

Windows 25: Windows Passwords
By default, both LM and NT hashes are stored
What will the attacker do?
o Attack the LM pwd, of course
o LM yields the pwd with case folded away; recover the exact case by trying case variants against the NT hash
o Still much easier than attacking the NT pwd directly
o Both types unsalted (dictionary and precomputed-table attacks work)
Disable LM if possible
Windows 26: Kernel Mode
Fundamental OS issues
o Memory mgmt, dealing with hardware, etc.
More protected than user mode
Security Reference Monitor
o Part of the Executive subsystem
o Checks attempts to access kernel mode
o Checks attempts to access files and other objects
o Checks permissions, gathers audit data, etc.

Windows 27: Kernel Mode
Object Manager
o Manages info about files, directories, etc.
o Objects get an Object Identifier (OID)
o OIDs are used by the Object Manager
o Object Manager is aware of some inheritance relationships (e.g., subfolders)

Windows 28: Kernel Mode
Hardware Abstraction Layer (HAL)
o Deals with hardware in a high-level way
o Low-level details left to device drivers
o Makes life easier for Windows...
o ...but not for hardware manufacturers
o Drivers run in kernel mode, so a bad driver can crash the whole system
o The HAL is how Windows used to support multiple processor architectures (Alpha, MIPS and PowerPC as well as x86)

Windows 29: Service Packs and Updates
When bugs and problems are found...
Patches come in 2 flavors
o Hotfixes/patches --- specific issue
o Service packs --- major bundle of fixes, once every 6 months to a year
o Delivered automatically (Windows Update service)
o Fixes to the OS and to other MS products
Patching is a big deal for companies

Windows 30: Accounts
Default accounts: Administrator, Guest
Administrator account
o Administrator has the highest privilege
o Administrator acct cannot be locked out or deleted
o Can only be disabled if another admin exists
o Since it cannot be locked out, an attacker gets unlimited pwd guessing against it
o Good idea to have more than one Admin acct

Windows 31: Accounts
Guest account
o Anyone can log on to the Guest acct (no password)
o Limited in what it can do, but still...
o Guest is generally a bad idea
o Disabled by default on modern Windows

Windows 32: Accounts
User accts, application accts, etc.
How to secure accounts?
o Give all admin accts "neutral" names
o Change the acct description(s) too
o Create a decoy acct named "Administrator"
o Disable Guest, and give it a strong pwd anyway
"Belt and suspenders" principle
Security by obscurity? Is it worth it?

Windows 33: Groups
Used to control access/privilege
Why not user accounts? Easier to manage (fewer) groups instead of (many) users
Before Active Directory (Win 2K)
o Two types of groups
o Global groups, local groups

Windows 34: Groups
Local groups give access to resources
o Global groups are not used to grant access
Typically, users are included in global groups
o Global groups are then included in local groups
o Access is given to those in the local group (including members of the included global groups)
o Global groups cannot contain global groups
o Local groups cannot contain local groups

Windows 35: Groups
Huh? For example, suppose a new hire
o Include the user in the right global groups
o Then automatically included in the appropriate local groups
o Otherwise, have to make config changes on individual local machines
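As an added example (not part of the slides), here is a small Python model of the NT nesting rules on the two previous slides and of the new-hire workflow: users go into global groups, global groups go into local groups on the machines that hold resources, and effective membership follows the nesting. The `native_mode` switch models the one rule that the later Accounts and Groups slide says Windows 2000 native mode relaxes (global groups may then contain global groups). Group and user names are made up for the example.

```python
from collections import deque
from typing import Optional

def nesting_error(group_scope: str, member_scope: str, native_mode: bool = False) -> Optional[str]:
    """Why a `member_scope` group may not be nested in a `group_scope` group, or None."""
    if group_scope == "global" and member_scope == "local":
        return "a global group cannot contain a local group"
    if group_scope == "global" and member_scope == "global" and not native_mode:
        return "in NT (and mixed mode) a global group cannot contain a global group"
    if group_scope == "local" and member_scope == "local":
        return "a local group cannot contain a local group"
    return None

class NTGroupModel:
    """Toy directory: users, global groups (domain-wide roles) and local groups
    (per-machine, where resource permissions are granted)."""

    def __init__(self, native_mode: bool = False):
        self.native_mode = native_mode
        self.users = set()
        self.scope = {}     # group name -> "global" | "local"
        self.members = {}   # group name -> set of user / group names

    def add_user(self, name: str) -> None:
        self.users.add(name)

    def add_group(self, name: str, scope: str) -> None:
        if scope not in ("global", "local"):
            raise ValueError("scope must be 'global' or 'local'")
        self.scope[name] = scope
        self.members[name] = set()

    def add_member(self, group: str, member: str) -> None:
        # users may go in either kind of group; groups are subject to the nesting rules
        if member not in self.users:
            err = nesting_error(self.scope[group], self.scope[member], self.native_mode)
            if err:
                raise ValueError(err)
        self.members[group].add(member)

    def effective_groups(self, user: str) -> set:
        """Every group `user` ends up in, following nesting transitively."""
        found = set()
        queue = deque([user])
        while queue:
            name = queue.popleft()
            for group, mem in self.members.items():
                if name in mem and group not in found:
                    found.add(group)
                    queue.append(group)
        return found

def new_hire_demo(native_mode: bool = False) -> set:
    """Constructed scenario: a local group on file server FS1 already holds the
    global 'Engineers' group, so one global-group change is all a new hire needs."""
    d = NTGroupModel(native_mode)
    d.add_group("Engineers", "global")               # domain-wide role
    d.add_group("FS1\\Source Readers", "local")      # per-server group that is on the ACL
    d.add_member("FS1\\Source Readers", "Engineers")
    d.add_user("alice")
    d.add_member("Engineers", "alice")               # the only per-hire step
    return d.effective_groups("alice")

if __name__ == "__main__":
    print(sorted(new_hire_demo()))
```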
Windows 36: Default Groups
Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests
Global: Domain Admins, Domain Users (and Domain Guests)

Windows 37: Special Groups
Special since you cannot add or delete users
o But you can change the group's rights/privileges
Special groups are local groups
EVERYONE --- for just about anything
SYSTEM --- the "holy grail"
o Nothing has higher privilege
o Not a login ID
o Some processes (services) run with SYSTEM privilege
o Compromise one of these and you "own" the system

Windows 38: Special Groups
Other special groups
o INTERACTIVE --- currently logged in locally
o NETWORK --- currently logged in over the network
o CREATOR OWNER --- owner of a given object (confusing name...)
These are not as special as SYSTEM...

Windows 39: Privilege
Privilege --- capacity to access and manipulate things
Rights --- things users can do; can be added/modified (for accts and groups)
Abilities --- built-in capabilities (cannot be changed)
Administrator --- highest privilege
o Operator groups --- like bits and pieces of admin
Power User --- next highest
o Then Users, followed by Guests

Windows 40: Privilege Control
"...advanced rights control internal functions within the Windows system"
o Example: "Act as Part of the Operating System"
o Gives the right to reach into kernel mode
o An attacker has got to love this...
Principle of least privilege
o Give the least privilege needed to do the job
o "Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure."

Windows 41: User Rights Assignments
(screenshot slide; no transcribed text)

Windows 42: Policies
Admin can create "policies"
o Can affect the local machine
o Or the entire domain
Account Policy --- the most basic policy
o Applies to all accounts in a domain
o Max pwd age, pwd history, lockout, etc.
o See next 2 slides...

Windows 43: Account Policies: Passwords
(screenshot slide; no transcribed text)

Windows 44: Account Policies: Lockout
(screenshot slide; no transcribed text)
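The lockout slide above survives only as a screenshot, so as an added example (not from the slides) the following Python models the three account-lockout settings the policy carries (threshold, counter reset window, lockout duration) and the exception stated earlier in the Accounts slide: the built-in Administrator, always RID 500, is never locked out, which is what makes unlimited guessing against it possible. The policy values and account names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

BUILTIN_ADMIN_RID = 500   # the built-in Administrator account always has RID 500

@dataclass
class LockoutPolicy:
    threshold: int = 5                                       # Account lockout threshold (0 = never lock)
    reset_after: timedelta = timedelta(minutes=30)           # Reset account lockout counter after
    duration: Optional[timedelta] = timedelta(minutes=30)    # Account lockout duration (None = until admin unlocks)

@dataclass
class Account:
    name: str
    rid: int
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # datetime.max when locked until an admin unlocks

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy

    def is_locked(self, acct: Account, now: datetime) -> bool:
        return acct.locked_until is not None and now < acct.locked_until

    def failed_logon(self, acct: Account, now: datetime) -> str:
        """Record a bad password and report what the policy did about it."""
        if acct.rid == BUILTIN_ADMIN_RID:
            return "exempt"                     # never locked out: guess as often as you like
        if self.is_locked(acct, now):
            return "already-locked"
        if acct.locked_until is not None:       # a previous lockout has expired
            acct.bad_count, acct.locked_until = 0, None
        if self.policy.threshold == 0:
            return "counted"                    # counted, but lockout never triggers
        if acct.last_bad is not None and now - acct.last_bad > self.policy.reset_after:
            acct.bad_count = 0                  # observation window expired: start over
        acct.bad_count += 1
        acct.last_bad = now
        if acct.bad_count >= self.policy.threshold:
            acct.locked_until = now + self.policy.duration if self.policy.duration else datetime.max
            return "locked"
        return "counted"

    def successful_logon(self, acct: Account, now: datetime) -> bool:
        """The right password does not help while the account is locked."""
        if self.is_locked(acct, now):
            return False
        acct.bad_count, acct.last_bad, acct.locked_until = 0, None, None
        return True

if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3))
    t0 = datetime(2005, 5, 1, 9, 0, 0)
    alice, admin = Account("alice", 1105), Account("Administrator", BUILTIN_ADMIN_RID)
    for i in range(4):
        print("alice:", tracker.failed_logon(alice, t0 + timedelta(seconds=10 * i)))
    print("Administrator after 100 failures:", tracker.failed_logon(admin, t0 + timedelta(minutes=1)))
```

The observation window matters for attackers as much as for policy: a guessing tool that stays one attempt under the threshold per reset window never locks anybody out, and against the built-in Administrator the threshold is irrelevant, which is the argument for renaming it and watching failed logons in the Security log.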
Windows 45: User Properties Settings
User Properties
o Technically not Policies, but serve a similar purpose
Like Policies, but set for individual accts
o E.g., User Must Change Password at Next Logon, User Cannot Change Password, etc.

Windows 46: User Property Settings
(screenshot slide; no transcribed text)

Windows 47: Trust
Extends "login" across domains
o Like single sign-on to trusting domains
o One (or more) global group in the trusted domain must be included in one (or more) local groups in the trusting domain
o Can limit access via the local group(s)

Windows 48: Windows Trust Models
No trust --- most secure, most inconvenient
Complete trust --- every domain trusts every other domain
Master domain --- user accounts in a central account domain
o Gives central control for mapping users to resources (via groups)
Multiple master domains --- like a distributed master domain

Windows 49: Windows Trust
Based on password authentication
Better than UNIX r-commands
o Btw, what is authentication based on in UNIX r-commands?
Active Directory uses Kerberos (Windows 2000+)

Windows 50: Auditing
Can only audit what you log
Types of logging/audit
o System
o Security (or just "auditing") --- logons, logoffs, file access, use of rights, etc.
o Application

Windows 51: Auditing
By default, detailed auditing is off
o And not available in XP Home Edition
Not easy to decide what to log
Some important data not logged
o Source/destination IP address, whether a system reinstall occurred, etc.

Windows 52: Audit Settings
(screenshot slide; no transcribed text)

Windows 53: Access Control and Permissions
How to control access to objects
Ownership
o Each object has an owner (the CREATOR OWNER special group stands for it)
o The owner can always change permissions
File Allocation Table (FAT)
o No access control --- the reason why Windows 95, 98, Me cannot be secured

Windows 54: Access Control and Permissions
NTFS (NT File System)
o Good performance, recoverability, etc.
o Reasonable set of permissions
o "One of the most effective parts of Windows security"
Number of permissions is "bewildering"

Windows 55: Example NTFS Permissions
No Access --- what it says
Read --- read and execute
Change --- read, execute, write, delete
Full Control --- Change plus change permissions and take ownership
These are actually combinations of more granular permissions

Windows 56: Share Permissions
Recall shares are kind of like NFS mounts
Permissions on components of the file system
o For example, a shared folder
Remote access depends on both NTFS and share permissions
o Least access wins (the effective access is the intersection of the two)
Local login --- only NTFS permissions apply
o Potentially a security issue: share restrictions do nothing for anyone who can log on to the box itself

Windows 57: Weak Default Permissions
Many default permissions "faulty"
o E.g., the default permission on the \Windows (\winnt) directory allows Power Users to get a copy of the SAM database
System should be hardened
o Entire books written on this subject
Windows 58: Network Security
Protocols and APIs
SMB/CIFS
o Server Message Block protocol --- the MS implementation is called Common Internet File System
o "Weak authentication" --- many attacks
o No details at this point in the book...

Windows 59: Network Security
NetBEUI/NetBIOS --- older (deprecated) network environment
o DoS and other attacks
Microsoft Internet Information Services (IIS) --- built-in Web server
o Attackers love IIS

Windows 60: Summary of BAD Old Days
Before Active Directory (BAD)
o That is, before Windows 2000+
We discussed...
History
o Windows 3.0/95/98 (no security)
o Windows NT
Backwards compatibility

Windows 61: Summary of BAD Old Days
Domains --- SSO to networked machines
Shares --- analogous to NFS mounts
Modes --- User Mode, Kernel Mode
Service packs/updates
Accounts
Groups --- local and global
Privilege --- rights and abilities

Windows 62: Summary of BAD Old Days
Policies --- apply to all accts in a domain
Properties --- individual accounts
Trust --- across domains
Auditing/Logging
Access control/permissions
o FAT --- no security
o NTFS --- good level of security
Network security/protocols

Windows 63: Windows 2000+
What is Windows 2000+?
o Windows 2000, XP, Server 2003
o Vista not covered in the text
Much of the BAD stuff lives on...
But some important changes
o Including many new security features

Windows 64: Windows 2000+
"Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity..."
According to Paul Kocher, "complexity is the enemy of security"

Windows 65: Windows 2000+
New non-security features
o Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)
But we're interested in security...

Windows 66: Windows 2000+
New security features
o MS implementation of Kerberos
o SSPI --- Security Support Provider Interface, supports new authentication mechanisms
o MS implementation of IPSec
o L2TP --- Layer Two Tunneling Protocol, for VPN tunnels; L2TP itself provides no confidentiality, so it is paired with IPSec
o Active Directory --- "central nervous system"
o Support for smart cards
o Encrypting File System (EFS)

Windows 67: Native vs Mixed Mode
Native Mode --- all domain controllers are 2000+
o Backward compatibility issues go away
o Can take full advantage of 2k+ security
o Remainder of the chapter deals with Native mode
Mixed Mode --- some older (NT) domain controllers
o 1st part of the chapter applies to Mixed mode

Windows 68: Domains Deemphasized
NT domains "got in the way"
o Boundary between resources and services
o NT browsing services costly
Domains exist in 2000+...
o But not as important as in NT
Active Directory --- simplifies the way to find and administer resources

Windows 69: Domains in Windows 2000+
Not for network organization...
Instead, for common policy settings
Domains deployed in trees or forests
o Link trusted domains together
o Trees have a "contiguous" name space (easier to find resources)
o Forests: "noncontiguous" name space

Windows 70: Domains
(diagram slide: domains in tree form; no transcribed text)

Windows 71: Domains
In Win 2000+
o No distinction between PDCs and BDCs
o All domain controllers are authoritative
o I.e., all can accept and propagate pwd changes (multi-master replication)
o Good for robustness...
o ...questionable for security
o Every domain controller is a point of compromise: take over any one of them and your changes replicate everywhere

Windows 72: Active Directory
Active Directory
o "All of your eggs in one basket"
o Based on LDAP
o Find resources on the network
Security-wise...
o Acts as a "massive data repository"
o Accounts, security policies, files, etc., etc.
Depends heavily on DNS
o Uses Dynamic DNS (DDNS) to find stuff (domain controllers register themselves as SRV records)
Windows 73: Security in Windows 2000+
Greater complexity requires more careful configuration
Protect Active Directory by...
o Limiting admin privilege
o Being aware of "mixed mode" attacks (downgrades to the weaker NT-era protocols)
o Installing it on its own partition (out of the way of IIS and other dangerous stuff)

Windows 74: Physical Security
Kerberos
o Recall the Key Distribution Center (KDC)
o Access to the KDC gives access to "tickets"
o The KDC lives on a server (every domain controller runs one)
o Client machines cache important info
Tickets are encrypted with keys only the KDC (and the target service) hold
o So a ticket taken from a client cache can be replayed until it expires, but cannot be forged or altered
o But access to the KDC key breaks the entire system (anyone holding it can mint tickets for anybody)

Windows 75: Templates
For setting security parameters
Include many pre-packaged recommended settings
Easy to develop custom templates
Center for Internet Security provides security templates (benchmarks)

Windows 76: Windows 2000+ Architecture
As before, user mode and kernel mode
Kernel mode now includes
o Plug and Play Manager
o Power Manager
o Window Manager, etc.

Windows 77: Accounts and Groups
Accounts almost the same as pre-2000
Power Users group is a potential problem
o Reducing its privilege may break things
Three group scopes
o Domain local, global, universal
o Universal == usable in every domain in a forest
o In native mode, global groups can include global groups

Windows 78: Organizational Units
OUs are hierarchical containers of users (and computers, groups)
o Can inherit properties (within a domain)
o Important for privilege control
o Supports delegation of privilege
o "Child" OUs can never have more rights than the "parent" OU
o Good way to limit privilege

Windows 79: Organizational Units
Downside to OUs
o Only recognized within a domain
o 3 levels is the practical max (performance)

Windows 80: Privilege Control
"Rights" more granular than in NT
o Multiple ways to accomplish the same thing
No "abilities"

Windows 81: RunAs
Run a program with different credentials/privilege
o E.g., an admin logged in as a normal user runs one tool as Administrator, or an admin runs a risky program with lower privilege

Windows 82: Policies
Group Policy Objects (GPOs)
o Password policy, IPSec, Kerberos, etc.
o Granularity! (e.g., the appearance of IE)
GPOs allow for different policies for...
o Different users
o Different OUs
o Different computers, domains, etc.

Windows 83: GPOs
(screenshot slide; no transcribed text)

Windows 84: Trust
In NT, MS-specific authentication (NTLM)
In 2000+, Kerberos
Plug a domain into a tree (or forest)
o Automatically trusts (and is trusted by) all other domains in the tree (or forest): two-way, transitive trust
Any domain can trust any other
o Problem, if not managed carefully
o Attackers like "orphan domains" (forgotten, unpatched, still trusted)

Windows 85: Auditing
Similar to NT
Security Log
o 9 (instead of 7) categories
o Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Windows 86: Access Control
Similar to NT
NT uses NTFS-4; Windows 2000+ uses NTFS-5
Standard permissions
o Full Control
o Modify
o Read and Execute
o Read
o Write
o (List Folder Contents, for folders)

Windows 87: Access Control
NTFS-5 basic (granular) permissions
o Traverse Folder/Execute File
o List Folder/Read Data
o Read Attributes
o Read Extended Attributes
o Create Files/Write Data
o Create Folders/Append Data
o Write Attributes
o Write Extended Attributes
o Read Permissions
o Change Permissions
o Delete Subfolders and Files
o Delete
o Take Ownership
o Synchronize (use a handle to the object for synchronization, i.e. wait on it; not "make files identical")
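As an added example (not from the slides or the book), the Python below ties together the three access-control slides: the standard permissions are built as the documented combinations of the granular NTFS-5 bits listed above, a DACL is evaluated the way the Security Reference Monitor walks it (ordered, deny ACEs first in a canonical DACL, stop once every requested bit is allowed), and the earlier share-permission rule is applied on top for remote access, with "least access wins" meaning intersection, while a local logon sees NTFS alone. Bit positions, ACL contents and principal names are this example's own; real Windows uses FILE_* access-mask constants and SIDs.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Granular NTFS-5 permissions, one bit each (bit positions are an example choice)
GRANULAR = [
    "TRAVERSE_FOLDER_EXECUTE_FILE", "LIST_FOLDER_READ_DATA", "READ_ATTRIBUTES",
    "READ_EXTENDED_ATTRIBUTES", "CREATE_FILES_WRITE_DATA", "CREATE_FOLDERS_APPEND_DATA",
    "WRITE_ATTRIBUTES", "WRITE_EXTENDED_ATTRIBUTES", "READ_PERMISSIONS",
    "CHANGE_PERMISSIONS", "DELETE_SUBFOLDERS_AND_FILES", "DELETE", "TAKE_OWNERSHIP",
    "SYNCHRONIZE",
]
BIT = {name: 1 << i for i, name in enumerate(GRANULAR)}

def mask(*names: str) -> int:
    return sum(BIT[n] for n in names)

# Standard permissions as the combinations of granular bits that Windows documents
READ = mask("LIST_FOLDER_READ_DATA", "READ_ATTRIBUTES", "READ_EXTENDED_ATTRIBUTES",
            "READ_PERMISSIONS", "SYNCHRONIZE")
READ_EXECUTE = READ | BIT["TRAVERSE_FOLDER_EXECUTE_FILE"]
WRITE = mask("CREATE_FILES_WRITE_DATA", "CREATE_FOLDERS_APPEND_DATA", "WRITE_ATTRIBUTES",
             "WRITE_EXTENDED_ATTRIBUTES", "READ_PERMISSIONS", "SYNCHRONIZE")
MODIFY = READ_EXECUTE | WRITE | BIT["DELETE"]
FULL_CONTROL = (1 << len(GRANULAR)) - 1

# Share-level permissions: Read, Change (read/execute/write/delete), Full Control
SHARE_READ, SHARE_CHANGE, SHARE_FULL = READ_EXECUTE, MODIFY, FULL_CONTROL

@dataclass(frozen=True)
class ACE:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    trustee: str     # user or group name (a SID in real Windows)
    mask: int

def access_check(token: FrozenSet[str], dacl: Optional[List[ACE]], requested: int) -> bool:
    """Ordered DACL walk. A NULL DACL (None) grants everything, an empty DACL
    grants nothing. A deny ACE that covers any still-ungranted requested bit
    denies; the walk stops as soon as every requested bit has been allowed."""
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue
        remaining = requested & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return (requested & ~granted) == 0

def effective_mask(token: FrozenSet[str], dacl: Optional[List[ACE]]) -> int:
    """Every granular bit the token would get, under the same first-match-wins rule."""
    if dacl is None:
        return FULL_CONTROL
    granted = denied = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def remote_effective(share_mask: int, token: FrozenSet[str], dacl: Optional[List[ACE]]) -> int:
    """Over a share, least access wins: share permission AND NTFS permission."""
    return share_mask & effective_mask(token, dacl)

def local_effective(token: FrozenSet[str], dacl: Optional[List[ACE]]) -> int:
    """Logged on locally, only NTFS applies; share restrictions never enter the picture."""
    return effective_mask(token, dacl)

def names(m: int) -> list:
    return [n for n in GRANULAR if m & BIT[n]]

# Constructed DACL for a folder: Guests explicitly denied write/delete, Users Modify, admins Full
DACL = [
    ACE(False, "Guests", mask("CREATE_FILES_WRITE_DATA", "CREATE_FOLDERS_APPEND_DATA", "DELETE")),
    ACE(True, "Users", MODIFY),
    ACE(True, "Administrators", FULL_CONTROL),
]
ALICE = frozenset({"alice", "Users", "INTERACTIVE"})        # token = user plus groups
GUEST = frozenset({"Guest", "Guests", "Users", "NETWORK"})

if __name__ == "__main__":
    print("alice over a Read share:", names(remote_effective(SHARE_READ, ALICE, DACL)))
    print("alice logged on locally:", names(local_effective(ALICE, DACL)))
    print("guest may write?", access_check(GUEST, DACL, mask("CREATE_FILES_WRITE_DATA")))
```

The ordering rule is the part worth remembering: if the same DACL had the allow ACE ahead of the deny ACE (a non-canonical ACL, which tools other than the Explorer GUI can produce), the walk would grant the write bits before it ever saw the deny, and `access_check` reflects that.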
Windows 88: Encrypting File System
EFS automatically and transparently encrypts/decrypts files
o DESX (the Windows 2000 default), 3DES, or AES (XP SP1 and later)
Does not protect files on the network: they are decrypted before they leave the machine
Only one user per file allowed (in Windows 2000; XP lets additional users be added)
Slight performance cost
Critical to back up the EFS key (the user's certificate/private key and the recovery agent's key)!

Windows 89: Conclusion
Securing Windows is not a trivial matter
Windows is a target-rich environment
Weak default settings
Backward compatibility
Complexity

Windows 90: Summary
History
Pre-2000
o Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Windows 91: Summary
2000+
o Active Directory
o Kerberos, IPSec, etc.
o Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS