1 JMH Associates © 2004, All rights reserved Chapter 15 Windows System Security.

Presentation transcript:


2 OBJECTIVES
Upon completion of this chapter, you will be able to:
- Describe Windows NT/2000 security and its components
  - Access Control Lists
  - Security Descriptors
  - Security Identifiers, and more
- Describe the differences between privileges and rights
- Create programs to manage security for NTFS files
- Be ready to apply security to other NT objects

3 OVERVIEW (1 of 2)
- Windows NT/2000 supports security; Windows 9x does not
- Every (sharable) NT object is securable
- Security applies to NTFS files
  - Not to FAT or other file systems
- NT security is C2 compliant
  - (NSA “Orange Book” for single systems)

4 OVERVIEW (2 of 2)
- NT security supports the required Discretionary Access Control Lists (DACLs) and System ACLs (SACLs, for auditing)
  - Specific allow and deny entries for users and groups for different types of access
- Security programming is difficult
  - Probably the most difficult in the Windows API

5 CONSTRUCTING A SECURITY DESCRIPTOR

6
1) InitializeSecurityDescriptor
2) SetSecurityDescriptorOwner
3) SetSecurityDescriptorGroup
4) InitializeAcl
5) AddAccessDeniedAce · · ·
6) AddAccessAllowedAce · · ·
7) SetSecurityDescriptorDacl
[Diagram: a process's access token (user SID, group SID) beside an object's security descriptor (owner SID, group SID, discretionary ACL of access control entries, denied entries then allowed entries)]

7 SECURITY ATTRIBUTES
    typedef struct _SECURITY_ATTRIBUTES {
        DWORD nLength;
        LPVOID lpSecurityDescriptor;
        BOOL bInheritHandle;
    } SECURITY_ATTRIBUTES;
nLength: Should be set to sizeof (SECURITY_ATTRIBUTES)
bInheritHandle: Should be FALSE for now

8 SECURITY DESCRIPTOR (1 of 2)
    BOOL InitializeSecurityDescriptor (
        PSECURITY_DESCRIPTOR psd,
        DWORD dwRevision)
psd: Should be set to address of a SECURITY_DESCRIPTOR
dwRevision: Set to SECURITY_DESCRIPTOR_REVISION
The SECURITY_DESCRIPTOR contains:
- Owner Security Identifier (SID)
- Group SID
- Discretionary Access Control List (DACL)
- System ACL (SACL)

9 SECURITY DESCRIPTOR (2 of 2)
SetSecurityDescriptorOwner and SetSecurityDescriptorGroup
- Associate SIDs with descriptors
ACLs
- Initialized using InitializeAcl
- Associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl
Security descriptors
- Classified as either absolute or self relative

10 ACCESS CONTROL LISTS
- Each ACL is a set of Access Control Entries (ACE)
- Two types of ACE:
  - Access allowed and access denied
- Initialize an ACL with InitializeAcl
- Then add ACEs to discretionary ACLs:
  - AddAccessAllowedAce
  - AddAccessDeniedAce
- AddAuditAccessAce is for adding to a SACL
- Remove ACEs with DeleteAce
- Retrieve them with GetAce

11 SECURITY IDENTIFIERS (1 of 7)
    BOOL LookupAccountName (
        LPCTSTR lpSystem,
        LPCTSTR lpAccount,
        PSID psid,
        LPDWORD lpcbSid,
        LPTSTR lpReferencedDomain,
        LPDWORD lpcchReferencedDomain,
        PSID_NAME_USE psnu)
lpSystem: Points to the system name (is often NULL)
lpAccount: Points to the account name

12 SECURITY IDENTIFIERS (2 of 7)
psid: Returned information of size *lpcbSid
lpcbSid
- The DWORD should be initialized to the size of your SID structure (psid)
- On return, you get the actual size
lpReferencedDomain
- String of length *lpcchReferencedDomain
- Should be initialized to the buffer size

13 SECURITY IDENTIFIERS (3 of 7)
psnu
- Points to a SID_NAME_USE (enumerated type) variable
- Can be tested for values such as:
  - SidTypeUser
  - SidTypeGroup
  - SidTypeWellKnownGroup

14 SECURITY IDENTIFIERS (4 of 7)
To convert a SID to an account name:
    BOOL LookupAccountSid (
        LPCTSTR lpSystem,
        PSID psid,
        LPTSTR lpAccount,
        LPDWORD lpcchName,
        LPTSTR lpReferencedDomain,
        LPDWORD lpcchReferencedDomain,
        PSID_NAME_USE psnu)

15 SECURITY IDENTIFIERS (5 of 7)
    BOOL GetUserName (
        LPTSTR lpBuffer,
        LPDWORD lpcchBuffer)
Other functions:
- InitializeSid
- AllocateAndInitializeSid

16 SECURITY IDENTIFIERS (6 of 7)
    BOOL SetSecurityDescriptorOwner (
        PSECURITY_DESCRIPTOR psd,
        PSID psidOwner,
        BOOL fOwnerDefaulted)
    BOOL SetSecurityDescriptorGroup (
        PSECURITY_DESCRIPTOR psd,
        PSID psidGroup,
        BOOL fGroupDefaulted)
Return: The SID from a security descriptor
- Owner or group

17 SECURITY IDENTIFIERS (7 of 7)
Parameters
psd: Points to the appropriate security descriptor
psidOwner or psidGroup: The address of the owner’s (group’s) SID
fOwnerDefaulted or fGroupDefaulted: Use default information

18 INITIALIZING ACLs
    BOOL InitializeAcl (
        PACL pAcl,
        DWORD cbAcl,
        DWORD dwAclRevision)
pAcl: Address of a programmer-supplied buffer of cbAcl bytes
dwAclRevision: Should be ACL_REVISION

19 ADDING ACEs (1 of 2)
    BOOL AddAccessAllowedAce (
        PACL pAcl,
        DWORD dwAclRevision,
        DWORD dwAccessMask,
        PSID pSid)
    BOOL AddAccessDeniedAce (
        PACL pAcl,
        DWORD dwAclRevision,
        DWORD dwAccessMask,
        PSID pSid)
pAcl: Points to ACL structure initialized with InitializeAcl

20 ADDING ACEs (2 of 2)
dwAclRevision: Use ACL_REVISION
pSid
- Points to a SID
- Might be obtained from LookupAccountName
Access Mask typical values:
- GENERIC_READ
- GENERIC_WRITE
- GENERIC_EXECUTE

21 ACL WITH SECURITY DESCRIPTOR
    BOOL SetSecurityDescriptorDacl (
        PSECURITY_DESCRIPTOR psd,
        BOOL fDaclPresent,
        PACL pAcl,
        BOOL fDaclDefaulted)
fDaclPresent
- If TRUE, you have an ACL in the pAcl structure
- If FALSE, the function ignores anything already in pAcl
fDaclDefaulted
- If FALSE, indicates an ACL generated by the programmer
- If TRUE, it was obtained by a default mechanism

22 SECURITY DESCRIPTOR
    BOOL GetFileSecurity (
        LPCTSTR lpFileName,
        SECURITY_INFORMATION secInfo,
        PSECURITY_DESCRIPTOR psd,
        DWORD cbSd,
        LPDWORD lpcbLengthNeeded)
    BOOL SetFileSecurity (
        LPCTSTR lpFileName,
        SECURITY_INFORMATION secInfo,
        PSECURITY_DESCRIPTOR psd)

23 SECURITY DESCRIPTOR
secInfo
- An enumerated type
- Takes on values such as:
  - OWNER_SECURITY_INFORMATION
  - GROUP_SECURITY_INFORMATION
  - DACL_SECURITY_INFORMATION
  - SACL_SECURITY_INFORMATION
  (which can be combined with the bitwise OR)

24 SECURITY DESCRIPTOR
To find the GetFileSecurity return buffer size
- Call it twice
- The first call uses 0 as the cbSd value
- After allocating a buffer, call the function a second time
- You must have the correct permissions on the file

25 OBTAIN AN ACL
    BOOL GetSecurityDescriptorDacl (
        PSECURITY_DESCRIPTOR psd,
        LPBOOL fDaclPresent,
        PACL *pAcl,
        LPBOOL lpfDaclDefaulted)
The parameters are nearly identical to SetSecurityDescriptorDacl

26 HOW MANY ACEs IN AN ACL (1 of 2)
    BOOL GetAclInformation (
        PACL pAcl,
        LPVOID pAclInformation,
        DWORD cbAclInfo,
        ACL_INFORMATION_CLASS dwAclInfoClass)
dwAclInfoClass: Use AclSizeInformation in most cases

27 HOW MANY ACEs IN AN ACL (2 of 2)
pAclInformation
- A structure of type ACL_SIZE_INFORMATION
- Has three members:
  - AceCount — How many entries are on the list
  - AclBytesInUse
  - AclBytesFree

28 OBTAIN ACEs
    BOOL GetAce (
        PACL pAcl,
        DWORD dwAceIndex,
        LPVOID *pAce)
pAce
- Points to an ACE structure
- The ACE structure has a member called “Header”
- Header has an AceType member which can be tested for:
  - ACCESS_ALLOWED_ACE_TYPE
  - ACCESS_DENIED_ACE_TYPE

29 SECURITY SUMMARY
- Remove ACEs with DeleteAce function
- For kernel security descriptors, use:
  - GetKernelObjectSecurity
  - SetKernelObjectSecurity
- Associate security descriptors with programmer-generated objects:
  - GetUserObjectSecurity
  - SetUserObjectSecurity
- Note difference between absolute and self-relative security descriptors
- System administrators can manage system ACLs

30 LAB D–A (1 of 2)
The functions in InitUnFp.c create and manage a SECURITY_ATTRIBUTES structure
- With (Read, Write, and Execute) permissions
- For (User, Group, and Other)
- Similar to UNIX file permissions
You will need these functions in the two lab exercises

31 LAB D–A (2 of 2)
1. Write a program, chmod, to create a new file with specified permissions
   - Expressed as a 9-bit UNIX-style file permission
2. Write an enhancement of the ls program, lsFP, to find the existing permissions on a specified file
   - Assume that the permissions were created with chmod
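
Added example (not from the slides and not the code in InitUnFp.c): a portable C model of the lab's idea, mapping a 9-bit UNIX mode to deny and allow ACEs and evaluating them in list order, to show why the construction sequence on slide 6 includes AddAccessDeniedAce. The `Ace` record, the three constants standing in for SIDs, and every function name are hypothetical; no Win32 call is made.

```c
/* Added example: a portable model of DACL evaluation, not Win32 API code. */
#include <stdio.h>

enum { P_X = 1, P_W = 2, P_R = 4 };      /* rights, using the UNIX bit layout */
enum { OWNER, GROUP, EVERYONE };         /* stand-ins for three SIDs */
typedef struct { int deny, who, mask; } Ace;   /* hypothetical ACE record */

/* 9-bit mode -> ordered ACEs. For each class the deny ACE (unset bits) is
 * added before the allow ACE (set bits): owner first, Everyone last.
 * with_denies = 0 builds the allow-only variant for comparison. */
int mode_to_dacl(unsigned mode, int with_denies, Ace acl[6]) {
    int n = 0;
    for (int who = OWNER; who <= EVERYONE; who++) {
        int bits = (int)(mode >> (6 - 3 * who)) & 7;
        if (with_denies && bits != 7) acl[n++] = (Ace){1, who, ~bits & 7};
        if (bits != 0) acl[n++] = (Ace){0, who, bits};
    }
    return n;
}

/* Ordered evaluation: stop with "denied" at the first deny ACE that names a
 * right still being requested; grant once every requested right is allowed. */
int access_check(const Ace *acl, int n, unsigned token, int desired) {
    int remaining = desired;
    for (int i = 0; i < n && remaining; i++) {
        if (!(token & (1u << acl[i].who))) continue;   /* SID not in token */
        if (acl[i].deny) { if (acl[i].mask & remaining) return 0; }
        else remaining &= ~acl[i].mask;
    }
    return remaining == 0;   /* rights never granted are implicitly denied */
}

/* Build the DACL for a mode and check one request against one token. */
int check_mode(unsigned mode, int with_denies, unsigned token, int desired) {
    Ace acl[6];
    int n = mode_to_dacl(mode, with_denies, acl);
    return access_check(acl, n, token, desired);
}

int main(void) {
    unsigned owner = (1u << OWNER) | (1u << EVERYONE);  /* owner is in Everyone too */
    /* Constructed case: mode 0466 gives the owner r-- but everyone else rw-. */
    printf("owner write, deny+allow ACEs: %d\n", check_mode(0466, 1, owner, P_W));
    printf("owner write, allow ACEs only: %d\n", check_mode(0466, 0, owner, P_W));
    return 0;
}
```

With allow ACEs alone, the owner regains write access through the Everyone entry, so the UNIX meaning of the mode is lost; the deny ACE placed ahead of it is what preserves it.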