
Slide 1: Windows (title slide)

Slide 2: Introduction
- Old black-and-white “Western” movie
  - Gunslinger wants to quit fighting
  - Some new young upstart wants to fight
  - So the old guy fights one more time…
- “Target-ability”
  - Depends on popularity and reputation
  - Windows is most hackers’ favorite target

Slide 3: Introduction
- Windows is the most popular OS
  - May 2005: 390M Windows machines
  - Over half of those running XP
- Windows is the obvious target
- From attacker’s point of view
  - Attacker’s “cost-benefit” analysis
  - Attacker wants most “bang for the buck”

Slide 4: This Chapter
- Brief history of Windows
- Consider core NT security features
- Consider security in Windows 2000+
  - That is, Windows 2000, XP, Server 2003
  - Book does not cover Vista

Slide 5: History
- History began in April 1993…
  - Release of Windows NT
  - NT == “New Technology”/“No Technology”
- Before NT
  - Microsoft Windows 3.0, 95, 98, Me
  - No authentication, program isolation, logging, etc.
  - “No security” prior to NT

Slide 6: Modern Windows OSs
- NT, Windows 2000, XP, Server 2003
  - And Vista, but not covered in book
- Windows NT
  - Based on technology developed at DEC for their VMS operating system
  - 1988: Microsoft hired David N. Cutler
  - He came from DEC, with 20+ others

Slide 7: Windows NT
- Originally, Cutler was to build successor to OS/2, called OS/2 NT
  - Microsoft/IBM collaboration
- With success of Windows 3.0 in 1990
  - Microsoft changed its mind
  - Windows NT to be their UNIX-beater

Slide 8: Backwards Compatibility
- What is backward compatibility?
  - New-and-improved works with bad/old versions
- NT tried to be backwards compatible
  - Users complain if not backwards compatible
  - But, creates many security compromises
  - Continues to plague Windows (& others) today
  - Damned if you do, damned if you don’t…

Slide 9: Windows History
- After introduction of NT…
  - Incremental changes: NT 3.1, 3.5, 3.51, 4.0
- Major overhaul: Windows 2000
  - In essence, Windows NT 5.0
- Windows XP (“eXPerience”)
  - Released in October 2001
  - Refers to itself as “Windows 2002”
- Windows Server 2003

Slide 10: Windows History
- 1993 to 2001, dual Windows lines
  - Home users: Windows 3.0/3.1/95/98/Me
  - Professional: NT 3.1/3.5/3.51/4.0/2000
- Windows XP
  - Evolved from NT (“professional”) line
  - For home and professional users
  - Ended the dual Windows approach

Slide 11: BAD Old Days
- Before Active Directory (BAD)…
- Windows 2000: Active Directory
  - Major shift in security
- Active Directory: all-in-one service for locating stuff
  - Find printer in next cubicle
  - Change pwd policy on machines in branch office

Slide 12: Active Directory
- Active Directory
  - “Native mode” --- all Windows 2000+ environment
  - “Mixed mode” --- some pre-2k machines
  - Which is more common?
  - Backwards compatibility…
- Necessary to understand what came before Active Directory
- More on Active Directory later

Slide 13: BAD Basics
- Before Active Directory…
- Domains (currently deprecated)
  - Networked Windows computers that share an authentication database
  - Single sign-on for domain
- Must have a “domain controller”
  - For authentication to the domain
  - Usually more than one controller

Slide 14: BAD Basics
- Primary Domain Controller (PDC)
  - First server in domain
  - Updates authentication info in Security Accounts Manager (SAM) database
- Backup Domain Controller (BDC)
  - Can access SAM, but not update
  - Admin can temporarily “promote” BDC
- Active Directory: all controllers authoritative
  - More robust, but possibly less secure

Slide 15: BAD Basics
- Domain sets critical parameters
  - Min pwd length
  - Pwd expiration policy
  - Restrictions on users, etc.
- Workgroup --- like domain but worse
  - No control mechanisms

Slide 16: Shares
- Share
  - Connection to network devices
  - Used with domains and Active Directory
  - Similar to NFS mounts in UNIX
  - Windows Explorer: My Network Places
- Convenient, transparent way for users to “reach across the network”

Slide 17: Windows Architecture
- NT architecture based on layers
- Layers important to security
  - Each layer restricts layer above
  - “Security issues are nearly always a result of some sort of compromise of this layering.”
- Two “modes”: user mode, kernel mode

Slide 18: Windows Architecture (diagram slide; no text extracted)

Slide 19: User Mode
- Part of OS that users interact with
- User mode is “go between”
  - Between user and kernel
  - Strict communication rules…
  - …Application Program Interfaces (APIs)
- User mode: 2 types of services
  - Integral subsystem: native to Windows
  - Environment services: support for other OSs

Slide 20: User Mode
- Integral subsystem
  - Provide APIs used by Win32 apps
  - For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.
- DLLs translate (documented) API calls into (undocumented) calls into kernel
  - User mode -> Kernel Executive subsystem

Slide 21: LSASS
- Local Security Authority Subsystem Service
  - User mode subsystem
  - Determines if login is valid
  - Sends login data to SAM database
- For each account, SAM has 2 entries
  - NT pwd hash, LM/LanMan pwd hash --- Why???
  - Backwards compatibility, of course!

Slide 22: Windows Passwords
- NT hash used in NT and beyond
- LM hash used in Windows 95 & 98
- SAM entries not stored in ASCII
  - Different from UNIX
  - Pwdump3 converts to readable form
- How are pwd hashes derived?

Slide 23: Windows Passwords
- LM pwd hashes
  - Assume pwd is 14 characters or less
  - Pad password to 14 characters
  - Split into two 7-char strings
  - Convert to lower-case
  - Hash each half independently
  - Use DES block cipher (string is the key)
  - No salt is used

Slide 24: Windows Passwords
- NT password hash
  - Hash entire pwd using MD4, no salt used
  - Note: MD4 not a strong hash
- Which is better, NT or LM?
  - Suppose 64 choices/character, 14-char pwd
  - NT: try 2^83, LM: try 2^42
  - LM is 2,000,000,000,000+ times easier
  - LM is even worse than that…

Slide 25: Windows Password
- By default, both LM and NT hashes
- What will attacker do?
  - Attack LM pwd, of course
  - May need to convert to upper case
  - Still much easier than NT pwd
  - Both types unsalted (dictionary attacks)
- Disable LM if possible

Slide 26: Kernel Mode
- Fundamental OS issues
  - Memory mgmt, deal with hardware, etc.
- More secure than user mode
- Security Reference Monitor
  - Part of Executive subsystem
  - Checks attempts to access kernel mode
  - Checks attempts to access files, etc.
  - Checks permissions, gathers audit data, etc.

Slide 27: Kernel Mode
- Object Manager
  - Manages info about files, directories, etc.
  - Objects get Object Identifier (OID)
  - OIDs used by Object Manager
  - Object Manager aware of some inheritance relationships (e.g., subfolders)

Slide 28: Kernel Mode
- Hardware Abstraction Layer (HAL)
  - Deals with hardware in a high-level way
  - Low-level details left to device drivers
  - Makes life easier for Windows…
  - …but not for hardware manufacturers
  - Bad drivers can cause serious problems, like crashing the whole system
  - Windows used to support multiple processors

Slide 29: Service Packs and Updates
- When bugs and problems are found…
- Patches come in 2 flavors
  - Hotfixes/patches --- specific issue
  - Service packs --- major bundle of fixes, once every 6 months to a year
  - Automatic (Windows Update service)
  - Fixes to OS and to other MS products
- Patching is a big deal for companies

Slide 30: Accounts
- Default accounts: Administrator, Guest
- Administrator account
  - Administrator has highest privilege
  - Administrator acct cannot be locked or deleted
  - Can only be disabled if another admin exists
  - If one Admin acct, unlimited pwd guessing
  - Good idea to have more than one Admin acct

Slide 31: Accounts
- Guest account
  - Anyone can log on to guest acct
  - Limited in what it can do, but still…
  - Guest is generally a bad idea
  - Disabled by default on modern Windows

Slide 32: Accounts
- User accts, application accts, etc.
- How to secure accounts?
  - Give all admin accts “neutral” names
  - Change acct description(s) too
  - Create decoy acct named “Administrator”
  - Disable Guest, give it a strong pwd
- “Belt and suspenders principle”
- Security by obscurity? Is it worth it?

Slide 33: Groups
- Used to control access/privilege
- Why not user accounts?
- Easier to manage (fewer) groups instead of (many) users
- Before Active Directory (Win 2K)
  - Two types of groups
  - Global groups, local groups

Slide 34: Groups
- Local groups give access to resources
  - Global groups cannot grant access
- Typically, users included in global groups
  - Global groups then included in local groups
  - Access given to those in local group (including those in included global groups)
  - Global groups cannot be included in global groups
  - Local groups cannot be included in local groups

Slide 35: Groups
- Huh?
- For example, suppose a new hire
  - Include user in global groups
  - Then automatically included in appropriate local groups
  - Otherwise, have to make config changes to individual local machines
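The nesting rules from slide 34 and the new-hire scenario from slide 35, as an added example that is not code from the slides or the textbook: a toy directory model enforces that only local groups grant access, that global groups nest only inside local groups, and that neither kind nests inside its own kind; new_hire_example() then shows onboarding touching only the user’s global group. The native_mode flag goes beyond these slides to the one relaxation the deck mentions later for Windows 2000 native mode (global groups may contain global groups). Group, user and share names are constructed.

```python
from dataclasses import dataclass, field


class GroupPolicyError(ValueError):
    """A nesting or grant rule from the slides was violated."""


@dataclass
class Directory:
    """Toy model of NT-era groups: users -> global groups -> local groups -> resources.
    native_mode=True adds the Windows 2000 native-mode rule: global can contain global."""
    native_mode: bool = False
    global_groups: dict = field(default_factory=dict)  # name -> members (users / global groups)
    local_groups: dict = field(default_factory=dict)   # name -> members (users / global groups)
    acl: dict = field(default_factory=dict)            # resource -> set of local group names

    def new_group(self, name: str, kind: str) -> None:
        table = self.global_groups if kind == "global" else self.local_groups
        table.setdefault(name, set())

    def add_to_global(self, group: str, member: str) -> None:
        if member in self.local_groups:
            raise GroupPolicyError("a global group cannot contain a local group")
        if member in self.global_groups and not self.native_mode:
            raise GroupPolicyError("NT: a global group cannot contain a global group")
        self.global_groups[group].add(member)

    def add_to_local(self, group: str, member: str) -> None:
        if member in self.local_groups:
            raise GroupPolicyError("a local group cannot contain a local group")
        self.local_groups[group].add(member)

    def grant(self, resource: str, group: str) -> None:
        if group not in self.local_groups:
            raise GroupPolicyError("only local groups can be granted access to a resource")
        self.acl.setdefault(resource, set()).add(group)

    def _expand(self, member: str) -> set:
        """Users reachable from a member name (a user, or a global group, recursively)."""
        if member not in self.global_groups:
            return {member}
        return set().union(*(self._expand(m) for m in self.global_groups[member]))

    def users_with_access(self, resource: str) -> set:
        members = [m for g in self.acl.get(resource, ()) for m in self.local_groups[g]]
        return set().union(*(self._expand(m) for m in members))

    def can_access(self, user: str, resource: str) -> bool:
        return user in self.users_with_access(resource)


def violates_rule(action, *args) -> bool:
    """True if the action raises GroupPolicyError (probes the nesting rules)."""
    try:
        action(*args)
    except GroupPolicyError:
        return True
    return False


def new_hire_example(native_mode: bool = False) -> Directory:
    """Constructed scenario: onboarding 'alice' touches only her global group."""
    d = Directory(native_mode=native_mode)
    d.new_group("Engineering", "global")
    d.new_group("SRV1 Share Users", "local")
    d.add_to_local("SRV1 Share Users", "Engineering")  # set up once per machine
    d.grant(r"\\SRV1\src", "SRV1 Share Users")
    d.add_to_global("Engineering", "alice")             # the only per-user step
    return d
```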

Slide 36: Default Groups
- Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests
- Global: Domain Administrators, Domain Users

Slide 37: Special Groups
- Special since you cannot add or delete users
  - But can change group rights/privileges
- Special groups are local groups
- EVERYONE --- for just about anything
- SYSTEM --- “holy grail”
  - Nothing has higher privilege
  - Not a login ID
  - Some processes run with SYSTEM privilege
  - Compromise one of these and you “own” the system

Slide 38: Special Groups
- Other special groups
  - INTERACTIVE --- currently logged in locally
  - NETWORK --- currently logged in non-locally
  - CREATOR OWNER --- owner of a given object (confusing name…)
- These are not as special as SYSTEM…

Slide 39: Privilege
- Privilege --- capacity to access and manipulate things
- Rights --- things users can do; can be added/modified (accts and groups)
- Abilities --- built-in capabilities
- Administrator --- highest privilege
  - Operator groups --- like bits and pieces of admin
- Power user --- next highest
  - Then users, followed by guest

Slide 40: Privilege Control
- “…advanced rights control internal functions within Windows system”
  - Example: “Act as Part of Operating System”
  - Gives right to reach into kernel mode
  - Attacker has got to love this…
- Principle of least privilege
  - Give least privilege needed to do job
  - “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”

Slide 41: User Rights Assignments (screenshot slide; no text extracted)

Slide 42: Policies
- Admin can create “policies”
  - Can affect local machine
  - Or entire domain
- Account Policy --- most basic policy
  - Applies to all accounts in a domain
  - Max pwd age, pwd history, lockout, etc.
  - See next 2 slides…

Slide 43: Account Policies: Passwords (screenshot slide; no text extracted)

Slide 44: Account Policies: Lockout (screenshot slide; no text extracted)

Slide 45: User Properties Settings
- User Properties
  - Technically not Policies, but serve a similar purpose
- Like Policies, but set for individual accts
  - E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.

Slide 46: User Property Settings (screenshot slide; no text extracted)

Slide 47: Trust
- Extends “login” across domains
  - Like single sign-on to trusting domains
  - One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain
  - Can limit access via local group(s)

Slide 48: Windows Trust Models
- No trust --- most secure, most inconvenient
- Complete trust --- every domain trusts every other domain
- Master domain --- user accounts in central account domain
  - Gives central control for mapping users to resources (via groups)
- Multiple master domains --- like a distributed master domain

Slide 49: Windows Trust
- Based on password authentication
- Better than UNIX r-commands
  - Btw, what is authentication based on in UNIX r-commands?
- Active Directory uses Kerberos (Windows 2000+)

Slide 50: Auditing
- Can only audit what you log
- Types of logging/audit
  - System
  - Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.
  - Application

Slide 51: Auditing
- By default, detailed auditing is off
  - And not available in XP Home edition
- Not easy to decide what to log
- Some important data not logged
  - Source/destination IP address, whether system reinstall occurred, etc.

Slide 52: Audit Settings (screenshot slide; no text extracted)

Slide 53: Access Control and Permissions
- How to control access to objects
- Ownership
  - Each object has owner (CREATOR OWNER)
  - Owner can always change permissions
- File Allocation Table (FAT)
  - No access control --- the reason why Windows 95, 98, Me cannot be secure

Slide 54: Access Control and Permissions
- NTFS (NT File System)
  - Good performance, recoverability, etc.
  - Reasonable set of permissions
  - “One of the most effective parts of Windows security”
- Number of permissions is “bewildering”

Slide 55: Example NTFS Permissions
- No Access --- what it says
- Read --- read and execute
- Change --- read, execute, write, delete
- Full Control --- Change plus change permissions and take ownership
- These are actually combinations of more granular permissions

Slide 56: Share Permissions
- Recall shares are kind of like NFS mounts
- Permissions on components of file system
  - For example, a shared folder
- Remote access depends on both NTFS and share permissions
  - Least access wins
- Local login --- only NTFS permissions apply
  - Potentially a security issue
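Slide 55’s NTFS levels and the two rules on slide 56, as an added example that is not code from the slides or the textbook: remote access is the intersection of NTFS and share permissions (least access wins), local login uses NTFS alone, and audit_shares() flags folders where a local login therefore gets more than the share exposes, which is the gap the slide calls a potential security issue. The granular permission names and the SAMPLE_SHARES configuration are constructed for illustration, not the exact NTFS names.

```python
from typing import Dict, FrozenSet, List, Tuple

# The slide's example NTFS levels, built from the granular permissions they bundle.
# The granular names are constructed labels, not the exact NTFS-5 permission names.
NO_ACCESS: FrozenSet[str] = frozenset()
READ = frozenset({"read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL_CONTROL = CHANGE | {"change permissions", "take ownership"}
LEVELS: Dict[str, FrozenSet[str]] = {
    "No Access": NO_ACCESS,
    "Read": READ,
    "Change": CHANGE,
    "Full Control": FULL_CONTROL,
}


def level_name(perms: FrozenSet[str]) -> str:
    """Map a permission set back to a named level, or 'custom' if it matches none."""
    for name, level in LEVELS.items():
        if perms == level:
            return name
    return "custom"


def effective_permissions(ntfs: str, share: str, remote: bool) -> FrozenSet[str]:
    """Remote access: NTFS and share permissions both apply and the least access
    wins, i.e. the intersection. Local login: only the NTFS permissions apply."""
    ntfs_perms = LEVELS[ntfs]
    if not remote:
        return ntfs_perms
    return ntfs_perms & LEVELS[share]


def audit_shares(shares: Dict[str, Tuple[str, str]]) -> List[str]:
    """Flag folders where a local login gets strictly more than remote users do,
    so a share level that looks restrictive is not protecting local users.
    shares maps folder -> (NTFS level, share level)."""
    findings = []
    for folder, (ntfs, share) in shares.items():
        remote = effective_permissions(ntfs, share, remote=True)
        local = effective_permissions(ntfs, share, remote=False)
        if local > remote:  # strict superset: local login gains permissions
            findings.append(
                f"{folder}: share grants {level_name(remote)} "
                f"but local login grants {level_name(local)}"
            )
    return findings


# Constructed sample configuration: folder -> (NTFS level, share level).
SAMPLE_SHARES = {
    r"\\SRV1\public": ("Full Control", "Read"),
    r"\\SRV1\projects": ("Change", "Change"),
    r"\\SRV1\archive": ("Read", "Full Control"),
}

if __name__ == "__main__":
    for finding in audit_shares(SAMPLE_SHARES):
        print(finding)
```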

Slide 57: Weak Default Permissions
- Many default permissions “faulty”
  - E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database
- System should be hardened
  - Entire books written on this subject

Slide 58: Network Security
- Protocols and APIs
- SMB/CIFS
  - Server Message Block protocol --- MS implementation is called Common Internet File System
  - “Weak authentication” --- many attacks
  - No details at this point in book…

Slide 59: Network Security
- NetBEUI/NetBIOS --- older (deprecated) network environment
  - DoS and other attacks
- Microsoft Internet Information Service (IIS) --- built-in Web server
  - Attackers love IIS

Slide 60: Summary of BAD Old Days
- Before Active Directory (BAD)
  - That is, before Windows 2000+
- We discussed…
- History
  - Windows 3.0/95/98 (no security)
  - Windows NT
- Backwards compatibility

Slide 61: Summary of BAD Old Days
- Domains --- SSO to networked machines
- Shares --- analogous to NFS mounts
- Modes --- User Mode, Kernel Mode
- Service packs/updates
- Accounts
- Groups --- local and global
- Privilege --- rights and abilities

Slide 62: Summary of BAD Old Days
- Policies --- apply to all accts in domain
- Properties --- individual accounts
- Trust --- across domains
- Auditing/Logging
- Access control/permissions
  - FAT --- no security
  - NTFS --- good level of security
- Network security/protocols

Slide 63: Windows 2000+
- What is Windows 2000+?
  - Windows 2000, XP, Server 2003
  - Vista not covered in text
- Much of BAD stuff lives on…
- But some important changes
  - Including many new security features

Slide 64: Windows 2000+
- “Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”
- According to Paul Kocher, “complexity is the enemy of security”

Slide 65: Windows 2000+
- New non-security features
  - Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)
- But we’re interested in security…

Slide 66: Windows 2000+
- New security features
  - MS implementation of Kerberos
  - SSPI --- supports new authentication mechanisms
  - MS implementation of IPSec
  - L2TP --- Layer Two Tunneling Protocol, for security on the LAN
  - Active Directory --- “central nervous system”
  - Support for smart cards
  - Encrypting File System (EFS)

Slide 67: Native vs Mixed Mode
- Native Mode --- all domain controllers 2000+
  - Backward compatibility issues go away
  - Can take full advantage of 2k+ security
  - Remainder of chapter deals with Native mode
- Mixed Mode --- some older domain controllers
  - 1st part of chapter applies to Mixed mode

Slide 68: Domains Deemphasized
- NT domains “got in the way”
  - Boundary between resources & services
  - NT browsing services costly
- Domains exist in 2000+…
  - But not as important as in NT
- Active Directory --- simplifies way to find and administer resources

Slide 69: Domains in Windows 2000+
- Not for network organization…
- Instead, for common policy settings
- Domains deployed in trees or forests
  - Link trusted domains together
  - Trees have “contiguous” name space (easier to find resources)
  - Forests: “noncontiguous” name space

Slide 70: Domains (diagram slide: domains in tree form; no further text extracted)

Slide 71: Domains
- In Win 2000+
  - No distinction between PDCs and BDCs
  - All domain controllers authoritative
  - I.e., all can propagate pwd changes
  - Good for robustness…
  - …questionable for security
  - Multiple single points of failure

Slide 72: Active Directory
- Active Directory
  - “All of your eggs in one basket”
  - Based on LDAP
  - Find resources on network
- Security-wise…
  - Acts as a “massive data repository”
  - Accounts, security policies, files, etc., etc.
- Depends heavily on DNS
  - Uses Dynamic DNS (DDNS) to find stuff

Slide 73: Security in Windows 2000+
- Greater complexity requires more careful configuration
- Protect Active Directory by…
  - Limited admin privilege
  - Beware of “mixed mode” attacks
  - Install in its own partition (out of the way of IIS and other dangerous stuff)

Slide 74: Physical Security
- Kerberos
  - Recall Key Distribution Center (KDC)
  - Access to KDC gives access to “tickets”
  - KDC lives on a server
  - Client machines cache important info
- “Credentials” encrypted with KDC key
  - So, access to client credentials not a big deal
  - But, access to KDC key breaks entire system

Slide 75: Templates
- For setting security parameters
- Include many pre-packaged recommended settings
- Easy to develop custom templates
- Center for Internet Security provides security templates

Slide 76: Windows 2000+ Architecture
- As before, user mode, kernel mode
- Kernel mode now includes
  - Plug and Play Manager
  - Power Manager
  - Window Manager, etc.

Slide 77: Accounts and Groups
- Accounts almost same as pre-2000
- Power Users group is potential problem
  - Reducing privilege may break things
- Three security groups
  - Domain local, global, universal
  - Universal == every domain in a forest
  - In native mode, global can include global groups

Slide 78: Organizational Units
- OUs are hierarchical groups of users
  - Can inherit properties (within domain)
  - Important for privilege control
  - Supports delegation of privilege
  - “Child” OUs can never have more rights than “parent” OU
  - Good way to limit privilege

Slide 79: Organizational Units
- Downside to OUs
  - Only recognized within domain
  - 3 levels is practical max (performance)

Slide 80: Privilege Control
- “Rights” more granular than in NT
  - Multiple ways to accomplish same thing
- No “abilities”

Slide 81: RunAs
- Run with different privilege
  - E.g., Admin executes with lower privilege

Slide 82: Policies
- Group Policy Objects (GPOs)
  - Password policy, IPSec, Kerberos, etc.
  - Granularity! (e.g., the appearance of IE)
- GPOs allow for different policies for…
  - Different users
  - Different OUs
  - Different computers, domains, etc.

Slide 83: GPOs (screenshot slide; no text extracted)

Slide 84: Trust
- In NT, MS-specific authentication
- In 2000+, Kerberos
- Plug a domain into tree (or forest)
  - Automatically trusts (and trusted by) all other domains in tree (or forest)
- Any domain can trust any other
  - Problem, if not managed carefully
  - Attackers like “orphan domains”

Slide 85: Auditing
- Similar to NT
- Security Log
  - 9 (instead of 7) categories
  - Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Slide 86: Access Control
- Similar to NT
- NT uses NTFS-4
- Windows 2000+ uses NTFS-5
- Standard permissions
  - Full Control
  - Modify
  - Read and Execute
  - Read
  - Write

Slide 87: Access Control
- NTFS-5 basic permissions
  - Traverse Folder/Execute File
  - List Folder/Read Data
  - Read Attributes
  - Read Extended Attributes (e.g., encryption)
  - Create Files/Write Data
  - Create Folders/Append Data
  - Write Attributes
  - Write Extended Attributes
  - Read Permissions
  - Change Permissions
  - Delete Subfolders and Files
  - Delete
  - Take Ownership
  - Synchronize (make contents of one file identical to another)

Slide 88: Encrypting File System
- EFS automatically and transparently encrypts/decrypts files
  - DES, 3DES, or AES
- Does not encrypt files on network
- Only one user per file allowed
- Slight performance issue
- Critical to back up EFS key!

Slide 89: Conclusion
- Securing Windows not a trivial matter
- Windows a target-rich environment
- Weak default settings
- Backward compatibility
- Complexity

Slide 90: Summary
- History
- Pre-2000
  - Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Slide 91: Summary
- 2000+
  - Active Directory
  - Kerberos, IPSec, etc.
  - Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS
