Windows Security Mechanisms Al Bento - University of Baltimore.


1 Windows Security Mechanisms Al Bento - University of Baltimore

2 Authentication
- Challenge/response authentication protocol (CHAP)
- LAN Manager:
  - saves passwords as hashes: as a 128-bit number, with passwords up to 14 digits, but with two 7-digit parts, not case sensitive, easier to break
  - changes the possible combinations from 2^84 to 2^37
  - uses old, easy-to-break DES encryption
  - saved on SAM (Windows Security Accounts Manager) at %systemroot%\system32\config\SAM
- NTLM and NTLM2: improved LAN Manager
  - NTLM -- MD4 encryption, case sensitive, password up to 127 characters, supports up to 56-bit encryption
  - NTLM2 -- improves NTLM to authenticate by session, and supports up to 128-bit encryption
- Kerberos: uses AES encryption and is very secure.

3 Authentication (2)
- Defaults
  - XP by default uses both LM & NTLM
  - Vista and Windows 7 default to NTLM2
  - Active Directory defaults to Kerberos, drops back as needed
- Security options
  - See Microsoft's long note on options
  - Many different options: store LAN Manager, LAN Manager authentication level, etc.
- Compatibility issues:
  - example of Windows 7 and Win 2k server
  - example of Windows 7 and Win 2003 server
  - of course all sorts of issues with XP, 98, and other settings in NT, 2K, etc.
- More on authentication: a Black Hat presentation.

4 Tokens
- What are tokens?
  - A data structure that contains authentication and authorization information for a user.
  - Windows creates the access token when the user logs on and the user's identity is confirmed.
  - The access token contains the user's security ID (SID), the list of groups that the user is a member of, and the list of privileges held by that user.
  - Each process or thread started for the user inherits a copy of the access token.
  - In some cases a user may have more than one access token, with different levels of authority.
- What do they do?
  - Provide the security context for processes and threads when accessing objects in the system.
  - Securable objects include files, directories, devices, registry keys, etc., and have specific user and group permissions.
- Some risks: token kidnapping.

5 Access Control List
- What is an ACL?
  - An ACL is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee.
  - The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
  - DACL: a discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it.
  - SACL: a system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.
- Tokens and ACL
  - When a user logs in, he/she is assigned an access token, and securable objects have ACLs.
  - When a user attempts to access a securable object, the Windows security subsystem compares the information in the access token with the securable object's ACL and grants or denies access.
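
The token-versus-DACL check from slide 5, as an added simplified model in Python (not from the presentation and not Windows' own code). The right bits, the SIDs and the names `access_check` and `demo` are constructed for illustration; it goes beyond the slide by showing that ACEs are evaluated in order and how a missing DACL differs from an empty one.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified right bits, constructed (not Win32 mask values)

@dataclass(frozen=True)
class Token:
    sids: frozenset  # the user's SID plus the SIDs of every group the user is in

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # SID this entry applies to
    mask: int     # rights allowed or denied

def access_check(token, dacl, desired):
    """Return True if every right in `desired` is granted to the token."""
    if dacl is None:          # no DACL at all: object is unprotected, full access
        return True
    remaining = desired       # rights still waiting for an allow ACE
    for ace in dacl:          # evaluated in list order; an empty DACL denies all
        if ace.trustee not in token.sids:
            continue          # ACE is for some other trustee
        if ace.kind == "deny" and ace.mask & remaining:
            return False      # a requested, not-yet-granted right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True       # everything requested is granted, stop walking
    return False              # ran out of ACEs: implicit deny

# Constructed sample: a user who is in BUILTIN\Users and a local "Contractors" group.
CONTRACTORS = "S-1-5-21-1111-2222-3333-2001"
ALICE = Token(frozenset({"S-1-5-21-1111-2222-3333-1001", "S-1-5-32-545", CONTRACTORS}))
CANONICAL = [Ace("deny", CONTRACTORS, WRITE),
             Ace("allow", "S-1-5-32-545", READ | WRITE)]
MISORDERED = list(reversed(CANONICAL))  # allow precedes deny: the deny never fires

def demo():
    return {
        "read": access_check(ALICE, CANONICAL, READ),
        "write_canonical": access_check(ALICE, CANONICAL, WRITE),
        "write_misordered": access_check(ALICE, MISORDERED, WRITE),
        "null_dacl": access_check(ALICE, None, WRITE),
        "empty_dacl": access_check(ALICE, [], READ),
    }

if __name__ == "__main__":
    print(demo())
```

When auditing permissions, the two cases to look for are deny ACEs placed after allow ACEs and objects with no DACL at all, since both grant access that the entries appear to forbid.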

