
Windows - PowerPoint PPT Presentation



Presentation Transcript
Windows

Windows 1

Introduction

  • Old black-and-white “Western” movie

    • Gunslinger wants to quit fighting

    • Some new young upstart wants to fight

    • So the old guy fights one more time…

  • “Target-ability”

    • Depends on popularity and reputation

    • Windows is most hackers’ favorite target

Windows 2

Introduction

  • Windows is the most popular OS

    • May 2005: 390M Windows machines

    • Over half of those running XP

  • Windows is the obvious target

  • From attacker’s point of view

    • Attacker’s “cost-benefit” analysis

    • Attacker wants most “bang for the buck”

Windows 3

This Chapter

  • Brief history of Windows

  • Consider core NT security features

  • Consider security in Windows 2000+

    • That is, Windows 2000, XP, Server 2003

    • Book does not cover Vista

Windows 4

History

  • History began in April 1993…

    • Release of Windows NT

    • NT == “New Technology”/“No Technology”

  • Before NT

    • Microsoft Windows 3.0, 95, 98, Me

    • No authentication, program isolation, logging, etc.

    • “No security” prior to NT

Windows 5

Modern Windows OSs

  • NT, Windows 2000, XP, Server 2003

    • And Vista, but not covered in book

  • Windows NT

    • Based on technology developed at DEC for their VMS operating system

    • 1988: Microsoft hired David N. Cutler

    • He came from DEC, with 20+ others

Windows 6

Windows NT

  • Originally, Cutler was to build successor to OS/2, called OS/2 NT

    • Microsoft/IBM collaboration

  • With success of Windows 3.0 in 1990

    • Microsoft changed its mind

    • Windows NT to be their UNIX-beater

Windows 7

Backwards Compatibility

  • What is backward compatibility?

    • New-and-improved works with bad/old versions

  • NT tried to be backwards compatible

    • Users complain if not backwards compatible

    • But, creates many security compromises

    • Continues to plague Windows (& others) today

    • Damned if you do, damned if you don’t…

Windows 8

Windows History

  • After introduction of NT…

    • Incremental changes: NT 3.1, 3.5, 3.51, 4.0

  • Major overhaul: Windows 2000

    • In essence, Windows NT 5.0

  • Windows XP (“eXPerience”)

    • Released in October 2001

    • Refers to itself as “Windows 2002”

  • Windows Server 2003

Windows 9

Windows History

  • 1993 to 2001, dual Windows lines

    • Home users: Windows 3.0/3.1/95/98/Me

    • Professional: NT 3.1/3.5/3.51/4.0/2000

  • Windows XP

    • Evolved from NT (“professional”) line

    • For home and professional users

    • Ended the dual Windows approach

Windows 10

BAD Old Days

  • Before Active Directory (BAD)…

  • Windows 2000: Active Directory

    • Major shift in security

  • Active Directory: all-in-one service for locating stuff

    • Find printer in next cubicle

    • Change pwd policy on machines in branch office

Windows 11

Active Directory

  • Active Directory

    • “Native mode” --- all Windows 2000+ environment

    • “Mixed mode” --- some pre-2k machines

    • Which is more common?

    • Backwards compatibility…

  • Necessary to understand what came before Active Directory

  • More on Active Directory later

Windows 12

BAD Basics

  • Before Active Directory…

  • Domains (currently deprecated)

    • Networked Windows computers that share an authentication database

    • Single sign-on for domain

  • Must have a “domain controller”

    • For authentication to the domain

    • Usually more than one controller

Windows 13

BAD Basics

  • Primary Domain Controller (PDC)

    • First server in domain

    • Updates authentication info in Security Accounts Manager (SAM) database

  • Backup Domain Controller (BDC)

    • Can access SAM, but not update

    • Admin can temporarily “promote” BDC

  • Active Directory: all controllers authoritative

    • More robust, but possibly less secure

Windows 14

BAD Basics

  • Domain sets critical parameters

    • Min pwd length

    • Pwd expiration policy

    • Restrictions on users, etc.

  • Workgroup --- like domain but worse

    • No control mechanisms

Windows 15

Shares

  • Share

    • Connection to network devices

    • Used with domains and Active Directory

    • Similar to NFS mounts in UNIX

    • Windows Explorer: My Network Places

  • Convenient transparent way for users to “reach across the network”

Windows 16

Windows Architecture

  • NT architecture based on layers

  • Layers important to security

    • Each layer restricts layer above

    • “Security issues are nearly always a result of some sort of compromise of this layering.”

  • Two “modes”: user mode, kernel mode

Windows 17

User Mode

  • Part of OS that users interact with

  • User mode is “go between”

    • Between user and kernel

    • Strict communication rules…

    • …Application Program Interfaces (APIs)

  • User mode: 2 types of services

    • Integral subsystem: native to Windows

    • Environment services: support for other OSs

Windows 19

User Mode

  • Integral subsystem

    • Provide APIs used by Win32 apps

    • For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.

  • DLLs translate (documented) API calls into (undocumented) calls into kernel

    • User mode → Kernel Executive subsystem

Windows 20

LSASS

  • Local Security Authority Subsystem Service

    • User mode subsystem

    • Determines if login is valid

    • Sends login data to SAM database

  • For each account, SAM has 2 entries

    • NT pwd hash, LM/LanMan pwd hash --- Why???

    • Backwards compatibility, of course!

Windows 21

Windows Passwords

  • NT hash used in NT and beyond

  • LM hash used in Windows 95 & 98

  • SAM entries not stored in ASCII

    • Different from UNIX

    • Pwdump3 converts to readable form

  • How are pwd hashes derived?

Windows 22

Windows Passwords

  • LM pwd hashes

    • Assume pwd is 14 characters or less

    • Pad password to 14 characters

    • Split into two 7-char strings

    • Convert to lower-case

    • Hash each half independently

    • Use DES block cipher (string is the key)

    • No salt is used

Windows 23

Windows Passwords

  • NT password hash

    • Hash entire pwd using MD4, no salt used

    • Note: MD4 not a strong hash

  • Which is better, NT or LM?

    • Suppose 64 choices/character, 14-char pwd

    • NT: try 2^83, LM: try 2^42

    • LM is 2,000,000,000,000+ times easier

    • LM is even worse than that…

Windows 24

Windows Password

  • By default, both LM and NT hashes

  • What will attacker do?

    • Attack LM pwd, of course

    • May need to convert to upper case

    • Still much easier than NT pwd

    • Both types unsalted (dictionary attacks)

  • Disable LM if possible

Windows 25
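The two hash constructions on the preceding slides, as an added example that is not code from the slides or from the book they follow. The MD4 routine follows RFC 1320; `nt_hash`, `lm_key_halves`, `unsalted_hashes_collide` and `salted_digest` are names chosen for this example. LM case-folds the password (it upper-cases), null-pads to 14 bytes and splits it into two 7-byte DES keys; DES is not in the Python standard library, so only that key derivation is shown, not the DES step that follows it. The last two functions show the point of the "no salt" remark: two accounts with the same password store the same NT hash, whereas a per-account salt breaks that equality.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z

# (boolean function, message-word order, per-step rotations, round constant) per RFC 1320
_ROUNDS = (
    (_f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320). MD4 is a broken hash; it is implemented here only because NT hashes require it."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, order, shifts, const in _ROUNDS:
            for i in range(16):
                idx = (-i) % 4                           # update a, d, c, b, a, ... in turn
                t = v[idx] + func(v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]) + x[order[i]] + const
                v[idx] = _lrot(t & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()

def lm_key_halves(password: str):
    """LM pre-processing: upper-case, null-pad to 14 bytes, split into two 7-byte DES keys.
    The real LM hash then DES-encrypts a fixed constant under each half (not shown)."""
    if len(password) > 14:
        raise ValueError("LM hashes only cover passwords of 14 characters or less")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def unsalted_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """Without a salt, two accounts with the same password store identical hashes."""
    return nt_hash(pw_a) == nt_hash(pw_b)

def salted_digest(password: str, salt=None):
    """Contrast: a per-account random salt makes equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("LM DES key halves:", lm_key_halves("password"))
    print("same password, same NT hash:", unsalted_hashes_collide("password", "password"))
```

The empty-password NT hash (`nt_hash("")`) is simply MD4 of the empty string, which is why it is recognisable on sight in any SAM dump; with a salt that constant would not exist.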

Kernel Mode

  • Fundamental OS issues

    • Memory mgmt, deal with hardware, etc.

  • More secure than user mode

  • Security Reference Monitor

    • Part of Executive subsystem

    • Checks attempts to access kernel mode

    • Checks attempts to access files, etc.

    • Checks permissions, gather audit data, etc.

Windows 26

Kernel Mode

  • Object Manager

    • Manages info about files, directories, etc.

    • Objects get Object Identifier (OID)

    • OIDs used by Object Manager

    • Object Manager aware of some inheritance relationships (e.g., subfolders)

Windows 27

Kernel Mode

  • Hardware Abstraction Layer (HAL)

    • Deals with hardware in a high-level way

    • Low level details left to device drivers

    • Makes life easier for Windows…

    • …but not for hardware manufacturers

    • Bad drivers can cause serious problems like crashing the whole system

    • Windows used to support multiple processors

Windows 28

Service Packs and Updates

  • When bugs and problems are found…

  • Patches come in 2 flavors

    • Hotfixes/patches --- specific issue

    • Service packs --- major bundle of fixes, once per 6 months to year

    • Automatically (Windows Update service)

    • Fixes to OS and to other MS products

  • Patching is a big deal for companies

Windows 29

Accounts

  • Default accounts: Administrator, Guest

  • Administrator account

    • Administrator has highest privilege

    • Administrator acct cannot be locked or deleted

    • Can only be disabled if another admin exists

    • If one Admin acct, unlimited pwd guessing

    • Good idea to have more than one Admin acct

Windows 30

Accounts

  • Guest account

    • Anyone can log on to guest acct

    • Limited in what it can do, but still…

    • Guest is generally a bad idea

    • Disabled by default on modern Windows

Windows 31

Accounts

  • User accts, application accts, etc.

  • How to secure accounts?

    • Give all admin accts “neutral” names

    • Change acct description(s) too

    • Create decoy acct named “Administrator”

    • Disable Guest, give it a strong pwd

      • “Belt and suspenders principle”

  • Security by obscurity? Is it worth it?

Windows 32

Groups

  • Used to control access/privilege

  • Why not users accounts?

  • Easier to manage (fewer) groups instead of (many) users

  • Before Active Directory (Win 2K)

    • Two types of groups

    • Global groups, local groups

Windows 33

Groups

  • Local groups give access to resources

    • Global groups cannot grant access

  • Typically, users included in global groups

    • Global groups then included in local groups

    • Access given to those in local group (including those in included global groups)

    • Global groups cannot be included in global groups

    • Local groups cannot be included in local groups

Windows 34

Groups

  • Huh?

  • For example, suppose a new hire

    • Include user in global groups

    • Then automatically included in appropriate local groups

    • Otherwise, have to make config changes to individual local machines

Windows 35

Default Groups

  • Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests

  • Global: Domain Administrators, Domain Users

Windows 36

Special Groups

  • Special since cannot add or delete users

    • But can change group rights/privileges

  • Special groups are local groups

  • EVERYONE --- for about anything

  • SYSTEM --- “holy grail”

    • Nothing has higher privilege

    • Not a login ID

    • Some processes run with SYSTEM privilege

    • Compromise one of these and you “own” system

Windows 37

Special Groups

  • Other special groups

    • INTERACTIVE --- currently logged in locally

    • NETWORK --- currently logged in non-locally

    • CREATOR OWNER --- owner of a given object (confusing name…)

  • These are not as special as SYSTEM…

Windows 38

Privilege

  • Privilege --- capacity to access and manipulate things

  • Rights --- things users can do; can be added/modified (accts and groups)

  • Abilities --- built-in capabilities

  • Administrator --- highest privilege

    • Operator groups --- like bits and pieces of admin

  • Power user --- next highest

    • Then users followed by guest

Windows 39

Privilege Control

  • “…advanced rights control internal functions within Windows system”

    • Example: “Act as Part of Operating System”

    • Gives right to reach into kernel mode

    • Attacker has got to love this…

  • Principle of least privilege

    • Give least privilege needed to do job

    • “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”

Windows 40

Policies

  • Admin can create “policies”

    • Can affect local machine

    • Or entire domain

  • Account Policy --- most basic policy

    • Applies to all accounts in a domain

    • Max pwd age, pwd history, lockout, etc.

    • See next 2 slides…

Windows 42

User Properties Settings

  • User Properties

    • Technically, not Policies, but serve similar purpose

  • Like Policies, but set for individual accts

    • E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.

Windows 45
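The Account Policy settings above (minimum length, password history, lockout), together with the earlier point that the built-in Administrator account cannot be locked out, as an added example; this is a constructed model, not code from the slides or the book. Names such as `AccountPolicy`, `Domain.logon` and the sample accounts are assumptions made for the example, and passwords are kept in the clear only to keep the model short (a real SAM stores hashes).

```python
from dataclasses import dataclass, field

@dataclass
class AccountPolicy:
    min_length: int = 8
    history_depth: int = 5        # previous passwords remembered, besides the current one
    lockout_threshold: int = 3    # failed logons before lockout; 0 disables lockout

@dataclass
class Account:
    name: str
    password: str
    history: list = field(default_factory=list)   # older passwords, most recent last
    failed_logons: int = 0
    locked: bool = False

class Domain:
    """One policy applies to every account in the domain."""
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def add(self, name, password):
        self.accounts[name] = Account(name, password)

    def change_password(self, name, new_password):
        """Apply the domain-wide policy to a password change; returns (accepted, reason)."""
        acct = self.accounts[name]
        if len(new_password) < self.policy.min_length:
            return False, "too short"
        remembered = [acct.password] + acct.history[-self.policy.history_depth:]
        if new_password in remembered:
            return False, "reused"
        acct.history.append(acct.password)
        acct.password = new_password
        return True, "changed"

    def logon(self, name, password):
        """Returns 'ok', 'bad password' or 'locked'. The built-in Administrator is never
        locked out, which is why a lone Admin account invites unlimited guessing."""
        acct = self.accounts[name]
        if acct.locked:
            return "locked"
        if password == acct.password:
            acct.failed_logons = 0
            return "ok"
        acct.failed_logons += 1
        threshold = self.policy.lockout_threshold
        if threshold and acct.failed_logons >= threshold and name != "Administrator":
            acct.locked = True
        return "bad password"

def demo():
    """Constructed scenario: one ordinary user and the built-in Administrator under one policy."""
    dom = Domain(AccountPolicy(min_length=8, history_depth=3, lockout_threshold=3))
    dom.add("Administrator", "Adm1nPassw0rd")
    dom.add("bob", "bobsPassw0rd")
    out = {}
    out["short"] = dom.change_password("bob", "short1")
    out["reuse_current"] = dom.change_password("bob", "bobsPassw0rd")
    out["ok"] = dom.change_password("bob", "bobsNewPassw0rd")
    out["reuse_old"] = dom.change_password("bob", "bobsPassw0rd")
    out["bob"] = [dom.logon("bob", "guess") for _ in range(4)]
    out["admin"] = [dom.logon("Administrator", "guess") for _ in range(4)]
    out["bob_locked"] = dom.accounts["bob"].locked
    out["admin_locked"] = dom.accounts["Administrator"].locked
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows bob locked after the third bad guess while the Administrator account keeps answering "bad password" indefinitely; the slides' advice to keep more than one Admin account (so the built-in one can be disabled) is the mitigation for exactly that gap.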

Trust

  • Extends “login” across domains

    • Like single sign-on to trusting domains

    • One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain

    • Can limit access via local group(s)

Windows 47

Windows Trust Models

  • No trust --- most secure, most inconvenient

  • Complete trust --- every domain trusts every other domain

  • Master domain --- user accounts in central account domain

    • Gives central control for mapping users to resources (via groups)

  • Multiple master domains --- like a distributed master domain

Windows 48

Windows Trust

  • Based on password authentication

  • Better than UNIX r-commands

    • Btw, what is authentication based on in UNIX r-commands?

  • Active Directory uses Kerberos (Windows 2000+)

Windows 49

Auditing

  • Can only audit what you log

  • Types of logging/audit

    • System

    • Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.

    • Application

Windows 50

Auditing

  • By default, detailed auditing is off

    • And not available in XP home edition

  • Not easy to decide what to log

  • Some important data not logged

    • Source/destination IP address, whether system reinstall occurred, etc.

Windows 51

Audit Settings

Windows 52

Access Control and Permissions

  • How to control access to objects

  • Ownership

    • Each object has owner (CREATOR OWNER)

    • Owner can always change permissions

  • File Allocation Table (FAT)

    • No access control --- the reason why Windows 95, 98, Me cannot be secure

Windows 53

Access Control and Permissions

  • NTFS (NT File System)

    • Good performance, recoverability, etc.

    • Reasonable set of permissions

    • “One of the most effective parts of Windows security”

  • Number of permissions is “bewildering”

Windows 54

Example NTFS Permissions

  • No access --- what it says

  • Read --- read and execute

  • Change --- read, execute, write, delete

  • Full Control --- Change plus change permissions and take ownership

  • These are actually combinations of more granular permissions

Windows 55

Share Permissions

  • Recall shares are kind of like NFS mounts

  • Permissions on components of file system

    • For example, a shared folder

  • Remote access depends on both NTFS and share permissions

    • Least access wins

  • Local login --- only NTFS permissions apply

    • Potentially a security issue

Windows 56
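An added example (not code from the slides or the book) that ties together the two passages above: the global/local group nesting rules and the new-hire workflow from the Groups slides, and the NTFS standard permission sets and "least access wins" rule from the Share Permissions slide. `NTDomain`, `effective`, `access_for` and the user, group and folder names are all constructed for this example; NT "No Access" is modelled as overriding any other grant.

```python
NO_ACCESS = "No Access"
STANDARD = {
    NO_ACCESS: frozenset(),
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete",
                               "change permissions", "take ownership"}),
}

class NTDomain:
    def __init__(self):
        self.global_groups = {}   # name -> set of user names (users only)
        self.local_groups = {}    # name -> set of users and global group names

    def add_global(self, group, *users):
        for u in users:
            if u in self.global_groups:
                raise ValueError(f"{u}: global groups cannot be nested in global groups")
        self.global_groups.setdefault(group, set()).update(users)

    def add_local(self, group, *members):
        for m in members:
            if m in self.local_groups:
                raise ValueError(f"{m}: local groups cannot be nested in local groups")
        self.local_groups.setdefault(group, set()).update(members)

    def local_groups_of(self, user):
        """Local groups the user is in, directly or through a nested global group."""
        result = set()
        for group, members in self.local_groups.items():
            if user in members or any(user in self.global_groups.get(m, ()) for m in members):
                result.add(group)
        return result

def effective(acl, groups):
    """Union of the standard grants for the given groups; a 'No Access' entry overrides all."""
    entries = [acl[g] for g in groups if g in acl]
    if NO_ACCESS in entries:
        return frozenset()
    rights = set()
    for entry in entries:
        rights |= STANDARD[entry]
    return frozenset(rights)

def access_for(domain, user, ntfs_acl, share_acl, remote):
    """Local logon: only NTFS permissions apply. Remote: NTFS AND share, so least access wins."""
    groups = domain.local_groups_of(user)
    rights = effective(ntfs_acl, groups)
    if remote:
        rights &= effective(share_acl, groups)
    return rights

def new_hire_example():
    """Only global memberships are touched for the new hire; local groups pick her up automatically."""
    d = NTDomain()
    d.add_local("Users", "Domain Users")          # local group contains a global group
    d.add_local("Engineers", "Engineering")
    d.add_global("Domain Users", "alice")
    d.add_global("Engineering", "alice")
    ntfs = {"Engineers": "Change", "Users": "Read"}   # NTFS ACL on a shared folder (constructed)
    share = {"Users": "Read"}                         # share permissions on the same folder
    return {
        "groups": d.local_groups_of("alice"),
        "local": access_for(d, "alice", ntfs, share, remote=False),
        "remote": access_for(d, "alice", ntfs, share, remote=True),
    }

if __name__ == "__main__":
    for key, value in new_hire_example().items():
        print(f"{key}: {sorted(value)}")
```

The same user ends up with Change rights when logged on at the console but only Read rights over the share, which is the "potentially a security issue" the slide points at: share permissions are no substitute for correct NTFS permissions on machines people can log on to locally.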

Weak Default Permissions

  • Many default permissions “faulty”

    • E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database

  • System should be hardened

    • Entire books written on this subject

Windows 57

Network Security

  • Protocols and APIs

    • Server Message Block protocol --- MS implementation is called Common Internet File System

    • “Weak authentication” --- many attacks

    • No details at this point in book…

Windows 58

Network Security

  • NetBEUI/NetBIOS --- older (deprecated) network environment

    • DoS and other attacks

  • Microsoft Internet Information Service (IIS) --- built-in Web server

    • Attackers love IIS

Windows 59

Summary of BAD Old Days

  • Before Active Directory (BAD)

    • That is, before Windows 2000+

  • We discussed…

  • History

    • Windows 3.0/95/98 (no security)

    • Windows NT

  • Backwards compatibility

Windows 60

Summary of BAD Old Days

  • Domains --- SSO to networked machines

  • Shares --- analogous to NFS mounts

  • Modes --- User Mode, Kernel Mode

  • Service packs/updates

  • Accounts

  • Groups --- local and global

  • Privilege --- rights and abilities

Windows 61

Summary of BAD Old Days

  • Policies --- apply to all accts in domain

  • Properties --- individual accounts

  • Trust --- across domains

  • Auditing/Logging

  • Access control/permissions

    • FAT --- no security

    • NTFS --- good level of security

  • Network security/protocols

Windows 62

Windows 2000+

  • What is Windows 2000+?

    • Windows 2000, XP, Server 2003

    • Vista not covered in text

  • Much of BAD stuff lives on…

  • But some important changes

    • Including many new security features

Windows 63

Windows 2000+

  • “Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”

  • According to Paul Kocher, “complexity is the enemy of security”

Windows 64

Windows 2000+

  • New non-security features

    • Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)

  • But we’re interested in security…

Windows 65

Windows 2000+

  • New security features

    • MS implementation of Kerberos

    • SSPI --- supports new authentication mechanisms

    • MS implementation of IPSec

    • L2TP --- Layer Two Tunneling Protocol, for security on the LAN

    • Active Directory --- “central nervous system”

    • Support for smart cards

    • Encrypting File System (EFS)

Windows 66

Native vs Mixed Mode

  • Native Mode --- all domain controllers 2000+

    • Backward compatibility issues go away

    • Can take full advantage of 2k+ security

    • Remainder of chapter deals with Native mode

  • Mixed Mode --- some older domain controllers

    • 1st part of chapter applies to Mixed mode

Windows 67

Domains Deemphasized

  • NT domains “got in the way”

    • Boundary between resources & services

    • NT browsing services costly

  • Domains exist in 2000+…

    • But not as important as in NT

  • Active Directory --- simplifies way to find and administer resources

Windows 68

Domains in Windows 2000+

  • Not for network organization…

  • Instead, for common policy settings

  • Domains deployed in trees or forests

    • Link trusted domains together

    • Trees have “contiguous” name space (easier to find resources)

    • Forests: “noncontiguous” name space

Windows 69

Domains

  • In tree form

Windows 70

Domains

  • In Win 2000+

    • No distinction between PDCs and BDCs

    • All domain controllers authoritative

    • I.e., all can propagate pwd changes

    • Good for robustness…

    • …questionable for security

    • Multiple single points of failure

Windows 71

Active Directory

  • Active Directory

    • “All of your eggs in one basket”

    • Based on LDAP

    • Find resources on network

  • Security-wise…

    • Acts as “massive data repository”

    • Accounts, security policies, files, etc., etc.

  • Depends heavily on DNS

    • Uses Dynamic DNS (DDNS) to find stuff

Windows 72

Security in Windows 2000+

  • Greater complexity requires more careful configuration

  • Protect Active Directory by…

    • Limited admin privilege

    • Beware of “mixed mode” attacks

    • Install in its own partition (out of the way of IIS, other dangerous stuff)

Windows 73

Physical Security

  • Kerberos

    • Recall Key Distribution Center (KDC)

    • Access to KDC gives access to “tickets”

    • KDC lives on a server

    • Client machines cache important info

  • “Credentials” encrypted with KDC key

    • So, access to client credentials not a big deal

    • But, access to KDC key breaks entire system

Windows 74
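The trust argument on the Physical Security slide, as an added example that is not code from the slides or the book: tickets are sealed under a key that lives only on the KDC, so a client's cached ticket is opaque and cannot be altered, while loss of the KDC key lets anyone mint tickets that the KDC itself accepts. The cipher here is a demonstration-only construction (SHA-256 keystream plus HMAC, encrypt-then-MAC), not Kerberos' real encryption types, and `KDC`, `issue_tgt`, `validate` and the principal names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

def _keystream(key, nonce, length):
    """Toy stream cipher: SHA-256 in counter mode. Illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key, blob):
    """Verify the tag first; only an untampered ticket is decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: bad authenticator")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self):
        self.key = os.urandom(32)     # the secret that lives only on the KDC server

    def issue_tgt(self, principal, lifetime=3600):
        return _seal(self.key, json.dumps({"principal": principal, "lifetime": lifetime}).encode())

    def validate(self, tgt):
        return json.loads(_open(self.key, tgt))

def client_cache_is_opaque(tgt, principal):
    """Reading a client's cached ticket reveals nothing in the clear, not even the principal."""
    return principal.encode() not in tgt

def tampering_is_detected(kdc, tgt):
    """Flipping one ciphertext bit (e.g. trying to edit the lifetime) fails the tag check."""
    altered = bytearray(tgt)
    altered[20] ^= 0x01
    try:
        kdc.validate(bytes(altered))
        return False
    except ValueError:
        return True

def kdc_key_compromise_breaks_system(kdc):
    """With the KDC key, a ticket for any principal is indistinguishable from a genuine one."""
    minted = _seal(kdc.key, json.dumps({"principal": "Administrator", "lifetime": 10**9}).encode())
    return kdc.validate(minted)["principal"] == "Administrator"

if __name__ == "__main__":
    kdc = KDC()
    tgt = kdc.issue_tgt("alice@EXAMPLE.COM")
    print("client cache opaque:", client_cache_is_opaque(tgt, "alice@EXAMPLE.COM"))
    print("tampering detected:", tampering_is_detected(kdc, tgt))
    print("KDC key compromise fatal:", kdc_key_compromise_breaks_system(kdc))
```

The asymmetry is the whole point of the slide: client machines can be treated as semi-trusted because what they cache is useless without the server-side key, so physical and administrative protection should concentrate on the machine holding `KDC.key`.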

Templates

  • For setting security parameters

  • Include many pre-packaged recommended settings

  • Easy to develop custom templates

  • Center for Internet Security provides security templates

Windows 75

Windows 2000+ Architecture

  • As before, user mode, kernel mode

  • Kernel mode now includes

    • Plug and Play Manager

    • Power Manager

    • Window Manager, etc.

Windows 76

Accounts and Groups

  • Accounts almost same as pre-2000

  • Power Users group is potential problem

    • Reducing privilege may break things

  • Three security groups

    • Domain local, global, universal

    • Universal == every domain in a forest

    • In native mode, global can include global groups

Windows 77

Organizational Units

  • OUs are hierarchical groups of users

    • Can inherit properties (within domain)

    • Important for privilege control

    • Supports delegation of privilege

    • “Children” OU can never have more rights than “parent” OU

    • Good way to limit privilege

Windows 78

Organizational Units

  • Downside to OUs

    • Only recognized within domain

    • 3 levels is practical max (performance)

Windows 79

Privilege Control

  • “Rights” more granular than in NT

    • Multiple ways to accomplish same thing

  • No “abilities”

Windows 80

RunAs

  • Run with different privilege

    • E.g., Admin execute with lower privilege

Windows 81

Policies

  • Group Policy Objects (GPOs)

    • Password policy, IPSec, Kerberos, etc.

    • Granularity! (e.g., the appearance of IE)

  • GPOs allow for different policies for…

    • Different users

    • Different OUs

    • Different computers, domains, etc.

Windows 82


Trust

  • In NT, MS-specific authentication

  • In 2000+, Kerberos

  • Plug a domain into tree (or forest)

    • Automatically trusts (and trusted by) all other domains in tree (or forest)

  • Any domain can trust any other

    • Problem, if not managed carefully

    • Attackers like “orphan domains”

Windows 84

Auditing

  • Similar to NT

  • Security Log

    • 9 (instead of 7) categories

    • Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Windows 85

Access Control

  • Similar to NT

  • NT uses NTFS-4

  • Windows 2000+ uses NTFS-5

  • Standard permissions

    • Full Control

    • Modify

    • Read and Execute

    • Read

    • Write

Windows 86

Access Control

  • NTFS-5 basic permissions

    • Traverse Folder/Execute File

    • List Folder/Read Data

    • Read Attributes

    • Read Extended Attributes (e.g., encryption)

    • Create Files/Write Data

    • Create Folders/Append Data

    • Write Attributes

    • Write Extended Attributes

    • Read Permissions

    • Change Permissions

    • Delete Subfolders and Files

    • Delete

    • Take Ownership

    • Synchronize (make contents of one file identical to another)

Windows 87

Encrypting File System

  • EFS automatically and transparently encrypts/decrypts files

    • DES, 3DES, or AES

  • Does not encrypt files on network

  • Only one user per file allowed

  • Slight performance issue

  • Critical to back up EFS key!

Windows 88

Conclusion

  • Securing Windows not a trivial matter

  • Windows a target-rich environment

  • Weak default settings

  • Backward compatibility

  • Complexity

Windows 89

Summary

  • History

  • Pre-2000

    • Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Windows 90

Summary

  • 2000+

    • Active Directory

    • Kerberos, IPSec, etc.

    • Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS

Windows 91