Windows - PowerPoint PPT Presentation
Presentation Transcript


Windows

Windows 1


Introduction

  • Old black-and-white “Western” movie

    • Gunslinger wants to quit fighting

    • Some new young upstart wants to fight

    • So the old guy fights one more time…

  • “Target-ability”

    • Depends on popularity and reputation

    • Windows is most hackers' favorite target

Windows 2


Introduction

  • Windows is the most popular OS

    • May 2005: 390M Windows machines

    • Over half of those running XP

  • Windows is the obvious target

  • From attacker’s point of view

    • Attacker’s “cost-benefit” analysis

    • Attacker wants most “bang for the buck”

Windows 3


This Chapter

  • Brief history of Windows

  • Consider core NT security features

  • Consider security in Windows 2000+

    • That is, Windows 2000, XP, Server 2003

    • Book does not cover Vista

Windows 4


History

  • History began in April 1993…

    • Release of Windows NT

    • NT == “New Technology”/“No Technology”

  • Before NT

    • Microsoft Windows 3.0, 95, 98, Me

    • No authentication, program isolation, logging, etc.

    • “No security” prior to NT

Windows 5


Modern Windows OSs

  • NT, Windows 2000, XP, Server 2003

    • And Vista, but not covered in book

  • Windows NT

    • Based on technology developed at DEC for their VMS operating system

    • 1988: Microsoft hired David N. Cutler

    • He came from DEC, with 20+ others

Windows 6


Windows NT

  • Originally, Cutler was to build successor to OS/2, called OS/2 NT

    • Microsoft/IBM collaboration

  • With success of Windows 3.0 in 1990

    • Microsoft changed its mind

    • Windows NT to be their UNIX-beater

Windows 7


Backwards Compatibility

  • What is backward compatibility?

    • New-and-improved works with bad/old versions

  • NT tried to be backwards compatible

    • Users complain if not backwards compatible

    • But, creates many security compromises

    • Continues to plague Windows (& others) today

    • Damned if you do, damned if you don’t…

Windows 8


Windows History

  • After introduction of NT…

    • Incremental changes: NT 3.1, 3.5, 3.51, 4.0

  • Major overhaul: Windows 2000

    • In essence, Windows NT 5.0

  • Windows XP (“eXPerience”)

    • Released in October 2001

    • Refers to itself as “Windows 2002”

  • Windows Server 2003

Windows 9


Windows History

  • 1993 to 2001, dual Windows lines

    • Home users: Windows 3.0/3.1/95/98/Me

    • Professional: NT 3.1/3.5/3.51/4.0/2000

  • Windows XP

    • Evolved from NT (“professional”) line

    • For home and professional users

    • Ended the dual Windows approach

Windows 10


BAD Old Days

  • Before Active Directory (BAD)…

  • Windows 2000: Active Directory

    • Major shift in security

  • Active Directory: all-in-one service for locating stuff

    • Find printer in next cubicle

    • Change pwd policy on machines in branch office

Windows 11


Active Directory

  • Active Directory

    • “Native mode” --- all Windows 2000+ environment

    • “Mixed mode” --- some pre-2k machines

    • Which is more common?

    • Backwards compatibility…

  • Necessary to understand what came before Active Directory

  • More on Active Directory later

Windows 12


BAD Basics

  • Before Active Directory…

  • Domains (currently deprecated)

    • Networked Windows computers that share an authentication database

    • Single sign-on for domain

  • Must have a “domain controller”

    • For authentication to the domain

    • Usually more than one controller

Windows 13


BAD Basics

  • Primary Domain Controller (PDC)

    • First server in domain

    • Updates authentication info in Security Accounts Manager (SAM) database

  • Backup Domain Controller (BDC)

    • Can access SAM, but not update

    • Admin can temporarily “promote” BDC

  • Active Directory: all controllers authoritative

    • More robust, but possibly less secure

Windows 14


BAD Basics

  • Domain sets critical parameters

    • Min pwd length

    • Pwd expiration policy

    • Restrictions on users, etc.

  • Workgroup --- like domain but worse

    • No control mechanisms

Windows 15


Shares

  • Share

    • Connection to network devices

    • Used with domains and Active Directory

    • Similar to NFS mounts in UNIX

    • Windows Explorer: My Network Places

  • Convenient transparent way for users to “reach across the network”

Windows 16


Windows Architecture

  • NT architecture based on layers

  • Layers important to security

    • Each layer restricts layer above

    • “Security issues are nearly always a result of some sort of compromise of this layering.”

  • Two “modes”: user mode, kernel mode

Windows 17


Windows Architecture

Windows 18


User Mode

  • Part of OS that users interact with

  • User mode is “go between”

    • Between user and kernel

    • Strict communication rules…

    • …Application Program Interfaces (APIs)

  • User mode: 2 types of services

    • Integral subsystem: native to Windows

    • Environment services: support for other OSs

Windows 19


User Mode

  • Integral subsystem

    • Provide APIs used by Win32 apps

    • For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.

  • DLLs translate (documented) API calls into (undocumented) calls into kernel

    • User mode  Kernel Executive subsystem

Windows 20


LSASS

  • Local Security Authority Subsystem Service

    • User mode subsystem

    • Determines if login is valid

    • Sends login data to SAM database

  • For each account, SAM has 2 entries

    • NT pwd hash, LM/LanMan pwd hash --- Why???

    • Backwards compatibility, of course!

Windows 21


Windows Passwords

  • NT hash used in NT and beyond

  • LM hash used in Windows 95 & 98

  • SAM entries not stored in ASCII

    • Different from UNIX

    • Pwdump3 converts to readable form

  • How are pwd hashes derived?

Windows 22


Windows Passwords

  • LM pwd hashes

    • Assume pwd is 14 characters or less

    • Pad password to 14 characters

    • Split into two 7-char strings

    • Convert to lower-case

    • Hash each half independently

    • Use DES block cipher (string is the key)

    • No salt is used

Windows 23


Windows Passwords

  • NT password hash

    • Hash entire pwd using MD4, no salt used

    • Note: MD4 not a strong hash

  • Which is better, NT or LM?

    • Suppose 64 choices/character, 14 char pwd

    • NT: try 2^83, LM: try 2^42

    • LM is 2,000,000,000,000+ times easier

    • LM is even worse than that…

Windows 24


Windows Password

  • By default, both LM and NT hashes

  • What will attacker do?

    • Attack LM pwd, of course

    • May need to convert to upper case

    • Still much easier than NT pwd

    • Both types unsalted (dictionary attacks)

  • Disable LM if possible

Windows 25


Kernel Mode

  • Fundamental OS issues

    • Memory mgmt, deal with hardware, etc.

  • More secure than user mode

  • Security Reference Monitor

    • Part of Executive subsystem

    • Checks attempts to access kernel mode

    • Checks attempts to access files, etc.

    • Checks permissions, gather audit data, etc.

Windows 26


Kernel Mode

  • Object Manager

    • Manages info about files, directories, etc.

    • Objects get Object Identifier (OID)

    • OIDs used by Object Manager

    • Object Manager aware of some inheritance relationships (e.g., subfolders)

Windows 27


Kernel Mode

  • Hardware Abstraction Layer (HAL)

    • Deals with hardware in a high-level way

    • Low level details left to device drivers

    • Makes life easier for Windows…

    • …but not for hardware manufacturers

    • Bad drivers can cause serious problems like crashing the whole system

    • Windows used to support multiple processors

Windows 28


Service Packs and Updates

  • When bugs and problems are found…

  • Patches come in 2 flavors

    • Hotfixes/patches --- specific issue

    • Service packs --- major bundle of fixes, once per 6 months to year

    • Automatically (Windows Update service)

    • Fixes to OS and to other MS products

  • Patching is a big deal for companies

Windows 29


Accounts

  • Default accounts: Administrator, Guest

  • Administrator account

    • Administrator has highest privilege

    • Administrator acct cannot be locked or deleted

    • Can only be disabled if another admin exists

    • If one Admin acct, unlimited pwd guessing

    • Good idea to have more than one Admin acct

Windows 30


Accounts

  • Guest account

    • Anyone can log on to guest acct

    • Limited in what it can do, but still…

    • Guest is generally a bad idea

    • Disabled by default on modern Windows

Windows 31


Accounts

  • User accts, application accts, etc.

  • How to secure accounts?

    • Give all admin accts “neutral” names

    • Change acct description(s) too

    • Create decoy acct named “Administrator”

    • Disable Guest, give it a strong pwd

      • “Belt and suspenders principle”

  • Security by obscurity? Is it worth it?

Windows 32


Groups

  • Used to control access/privilege

  • Why not user accounts?

  • Easier to manage (fewer) groups instead of (many) users

  • Before Active Directory (Win 2K)

    • Two types of groups

    • Global groups, local groups

Windows 33


Groups

  • Local groups give access to resources

    • Global groups cannot grant access

  • Typically, users included in global groups

    • Global groups then included in local groups

    • Access given to those in local group (including those in included global groups)

    • Global groups cannot be included in global groups

    • Local groups cannot be included in local groups

Windows 34


Groups

  • Huh?

  • For example, suppose a new hire

    • Include user in global groups

    • Then automatically included in appropriate local groups

    • Otherwise, have to make config changes to individual local machines

Windows 35


Default Groups

  • Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests

  • Global: Domain Administrators, Domain Users

Windows 36


Special Groups

  • Special since cannot add or delete users

    • But can change group rights/privileges

  • Special groups are local groups

  • EVERYONE --- for about anything

  • SYSTEM --- “holy grail”

    • Nothing has higher privilege

    • Not a login ID

    • Some processes run with SYSTEM privilege

    • Compromise one of these and you “own” system

Windows 37


Special Groups

  • Other special groups

    • INTERACTIVE --- currently logged in locally

    • NETWORK --- currently logged in non-locally

    • CREATOR OWNER --- owner of a given object (confusing name…)

  • These are not as special as SYSTEM…

Windows 38


Privilege

  • Privilege --- capacity to access and manipulate things

  • Rights --- things users can do; can be added/modified (accts and groups)

  • Abilities --- built-in capabilities

  • Administrator --- highest privilege

    • Operator groups --- like bits and pieces of admin

  • Power user --- next highest

    • Then users followed by guest

Windows 39


Privilege Control

  • “…advanced rights control internal functions within Windows system”

    • Example: “Act as Part of Operating System”

    • Gives right to reach into kernel mode

    • Attacker has got to love this…

  • Principle of least privilege

    • Give least privilege needed to do job

    • “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”

Windows 40


User Rights Assignments

Windows 41


Policies

  • Admin can create “policies”

    • Can affect local machine

    • Or entire domain

  • Account Policy --- most basic policy

    • Applies to all accounts in a domain

    • Max pwd age, pwd history, lockout, etc.

    • See next 2 slides…

Windows 42


Account Policies: Passwords

Windows 43


Account Policies: Lockout

Windows 44


User Properties Settings

  • User Properties

    • Technically, not Policies, but serve similar purpose

  • Like Policies, but set for individual accts

    • E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.

Windows 45


User Property Settings

Windows 46


Trust

  • Extends “login” across domains

    • Like single sign-on to trusting domains

    • One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain

    • Can limit access via local group(s)

Windows 47
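The group-nesting rules of slides 34 and 35 and the cross-domain rule of slide 47 fit together in one small model, given here as an added example (not code from the slides or the textbook). Local groups are the only ones that grant access; global groups collect users and are placed inside local groups; a local group in a trusting domain may include a global group from a trusted domain. The `native_mode` flag covers the relaxation noted later in the deck (in native mode, global groups may include global groups). The rule that a global group cannot contain a local group is the NT rule and is not stated on the slides. Domain names, group names and users are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    domain: str
    scope: str                 # "local" grants access to resources; "global" only collects users
    users: set = field(default_factory=set)
    nested: set = field(default_factory=set)   # names of groups included in this one


class NTDirectory:
    """Toy model of NT-style groups and one-way domain trust (constructed for this example)."""

    def __init__(self, native_mode=False):
        self.groups = {}
        self.trusts = set()               # (trusting_domain, trusted_domain) pairs
        self.native_mode = native_mode    # Windows 2000 native mode: global-in-global allowed

    def add_group(self, name, domain, scope):
        if scope not in ("local", "global"):
            raise ValueError("scope must be 'local' or 'global'")
        self.groups[name] = Group(name, domain, scope)

    def add_trust(self, trusting, trusted):
        self.trusts.add((trusting, trusted))

    def add_user(self, group, user):
        self.groups[group].users.add(user)

    def _nesting_error(self, outer, inner):
        o, i = self.groups[outer], self.groups[inner]
        if o.scope == "local" and i.scope == "local":
            return "local groups cannot be included in local groups"
        if o.scope == "global" and i.scope == "local":
            return "global groups cannot contain local groups (NT rule; not on the slides)"
        if o.scope == "global" and i.scope == "global" and not self.native_mode:
            return "global groups cannot be included in global groups (pre-native mode)"
        if o.domain != i.domain and (o.domain, i.domain) not in self.trusts:
            return f"domain {o.domain} does not trust domain {i.domain}"
        return None

    def nesting_allowed(self, outer, inner):
        """Dry run of nest(): True if the rules would permit it; nothing is changed."""
        return self._nesting_error(outer, inner) is None

    def nest(self, outer, inner):
        """Include group `inner` in group `outer`, enforcing the nesting and trust rules."""
        err = self._nesting_error(outer, inner)
        if err:
            raise ValueError(err)
        self.groups[outer].nested.add(inner)

    def members(self, group):
        """Every user reachable through nesting (transitive closure)."""
        seen, todo, users = set(), [group], set()
        while todo:
            g = todo.pop()
            if g in seen:
                continue
            seen.add(g)
            users |= self.groups[g].users
            todo.extend(self.groups[g].nested)
        return users

    def can_access(self, user, acl):
        """acl: group names granted on a resource. Only local groups confer access;
        a global group placed directly on an ACL grants nothing in this model."""
        return any(self.groups[g].scope == "local" and user in self.members(g) for g in acl)


def build_demo(native_mode=False):
    """Constructed scenario: CORP owns a file server; CORP trusts PARTNER; OUTSIDE is untrusted."""
    d = NTDirectory(native_mode)
    d.add_group("Engineers", "CORP", "global")
    d.add_group("All_Staff", "CORP", "global")
    d.add_group("Src_Readers", "CORP", "local")        # local group on the CORP file server
    d.add_group("Contractors", "PARTNER", "global")
    d.add_group("Vendors", "OUTSIDE", "global")
    d.add_trust("CORP", "PARTNER")                      # CORP (trusting) trusts PARTNER (trusted)
    d.add_user("Engineers", "alice")
    d.add_user("Contractors", "pat")
    d.nest("Src_Readers", "Engineers")                  # global into local: the normal pattern
    d.nest("Src_Readers", "Contractors")                # trusted-domain global into trusting-domain local
    return d


def new_hire_access(directory, user):
    """Slide 35's new hire: add to the global group and access follows through the
    local groups that already include it, with no change on individual machines."""
    directory.add_user("Engineers", user)
    return directory.can_access(user, ["Src_Readers"])
```

Trying the forbidden cases (`nesting_allowed("Src_Readers", "Vendors")`, `nesting_allowed("All_Staff", "Engineers")` outside native mode) returns False, while the trusting-domain local group is where access from the trusted domain is actually limited, as the slide says.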


Windows Trust Models

  • No trust --- most secure, most inconvenient

  • Complete trust --- every domain trusts every other domain

  • Master domain --- user accounts in central account domain

    • Gives central control for mapping users to resources (via groups)

  • Multiple master domains --- like a distributed master domain

Windows 48


Windows Trust

  • Based on password authentication

  • Better than UNIX r-commands

    • Btw, what is authentication based on in UNIX r-commands?

  • Active Directory uses Kerberos (Windows 2000+)

Windows 49


Auditing

  • Can only audit what you log

  • Types of logging/audit

    • System

    • Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.

    • Application

Windows 50


Auditing

  • By default, detailed auditing is off

    • And not available in XP home edition

  • Not easy to decide what to log

  • Some important data not logged

    • Source/destination IP address, whether system reinstall occurred, etc.

Windows 51


Audit Settings

Windows 52


Access Control and Permissions

  • How to control access to objects

  • Ownership

    • Each object has owner (CREATOR OWNER)

    • Owner can always change permissions

  • File Allocation Table (FAT)

    • No access control --- the reason why Windows 95, 98, Me cannot be secure

Windows 53


Access Control and Permissions

  • NTFS (NT File System)

    • Good performance, recoverability, etc.

    • Reasonable set of permissions

    • “One of the most effective parts of Windows security”

  • Number of permissions is “bewildering”

Windows 54


Example NTFS Permissions

  • No access --- what it says

  • Read --- read and execute

  • Change --- read, execute, write, delete

  • Full Control --- Change plus change permissions and take ownership

  • These are actually combinations of more granular permissions

Windows 55


Share Permissions

  • Recall shares are kind of like NFS mounts

  • Permissions on components of file system

    • For example, a shared folder

  • Remote access depends on both NTFS and share permissions

    • Least access wins

  • Local login --- only NTFS permissions apply

    • Potentially a security issue

Windows 56
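The "least access wins" rule and the local-logon caveat from this slide, as an added example (not code from the slides or the textbook). The permission levels are the ones from slide 55; the user list and ACL entries are constructed, and the report flags every entry whose restriction comes from the share permission alone, since that restriction disappears for anyone who can log on locally.

```python
# Permission levels from slide 55, ordered from least to most access.
LEVELS = ("No Access", "Read", "Change", "Full Control")


def effective_access(ntfs, share, remote):
    """Effective permission on an object reached through a shared folder.
    Remote access: the lesser of the NTFS and share permissions.
    Local logon: share permissions never apply, so NTFS alone decides."""
    for level in (ntfs, share):
        if level not in LEVELS:
            raise ValueError(f"unknown permission level: {level!r}")
    if not remote:
        return ntfs
    return LEVELS[min(LEVELS.index(ntfs), LEVELS.index(share))]


def local_bypass_risk(ntfs, share):
    """True when the share is tighter than NTFS: that restriction binds only
    remote users, so a local logon receives the wider NTFS grant."""
    return LEVELS.index(ntfs) > LEVELS.index(share)


# Constructed sample: one shared folder with per-user NTFS and share entries.
SAMPLE_ACL = [
    # (user, NTFS permission, share permission)
    ("alice", "Full Control", "Read"),
    ("bob", "Read", "Change"),
    ("carol", "Change", "Change"),
    ("dave", "Full Control", "No Access"),
]


def access_report(acl):
    """Effective remote and local access per user, flagging share-only restrictions."""
    rows = []
    for user, ntfs, share in acl:
        rows.append({
            "user": user,
            "remote": effective_access(ntfs, share, remote=True),
            "local": effective_access(ntfs, share, remote=False),
            "share_only_restriction": local_bypass_risk(ntfs, share),
        })
    return rows


if __name__ == "__main__":
    for row in access_report(SAMPLE_ACL):
        flag = "  <-- restriction relies on share permission alone" if row["share_only_restriction"] else ""
        print(f"{row['user']:6} remote={row['remote']:13} local={row['local']:13}{flag}")
```

Entries flagged by the report are the ones to fix at the NTFS level: a share permission is a network-edge control, not a substitute for the file system ACL.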


Weak Default Permissions

  • Many default permissions “faulty”

    • E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database

  • System should be hardened

    • Entire books written on this subject

Windows 57


Network Security

  • Protocols and APIs

  • SMB/CIFS

    • Server Message Block protocol --- MS implementation is called Common Internet File System

    • “Weak authentication” --- many attacks

    • No details at this point in book…

Windows 58


Network Security

  • NetBEUI/NetBIOS --- older (deprecated) network environment

    • DoS and other attacks

  • Microsoft Internet Information Service (IIS) --- built-in Web server

    • Attackers love IIS

Windows 59


Summary of BAD Old Days

  • Before Active Directory (BAD)

    • That is, before Windows 2000+

  • We discussed…

  • History

    • Windows 3.0/95/98 (no security)

    • Windows NT

  • Backwards compatibility

Windows 60


Summary of BAD Old Days

  • Domains --- SSO to networked machines

  • Shares --- analogous to NFS mounts

  • Modes --- User Mode, Kernel Mode

  • Service packs/updates

  • Accounts

  • Groups --- local and global

  • Privilege --- rights and abilities

Windows 61


Summary of BAD Old Days

  • Policies --- apply to all accts in domain

  • Properties --- individual accounts

  • Trust --- across domains

  • Auditing/Logging

  • Access control/permissions

    • FAT --- no security

    • NTFS --- good level of security

  • Network security/protocols

Windows 62


Windows 2000+

  • What is Windows 2000+?

    • Windows 2000, XP, Server 2003

    • Vista not covered in text

  • Much of BAD stuff lives on…

  • But some important changes

    • Including many new security features

Windows 63


Windows 2000+

  • “Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”

  • According to Paul Kocher, “complexity is the enemy of security”

Windows 64


Windows 2000+

  • New non-security features

    • Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)

  • But we’re interested in security…

Windows 65


Windows 2000+

  • New security features

    • MS implementation of Kerberos

    • SSPI --- supports new authentication mechanisms

    • MS implementation of IPSec

    • L2TP --- Layer Two Tunneling Protocol, for security on the LAN

    • Active Directory --- “central nervous system”

    • Support for smart cards

    • Encrypting File System (EFS)

Windows 66


Native vs Mixed Mode

  • Native Mode --- all domain controllers 2000+

    • Backward compatibility issues go away

    • Can take full advantage of 2k+ security

    • Remainder of chapter deals with Native mode

  • Mixed Mode --- some older domain controllers

    • 1st part of chapter applies to Mixed mode

Windows 67


Domains Deemphasized

  • NT domains “got in the way”

    • Boundary between resources & services

    • NT browsing services costly

  • Domains exist in 2000+…

    • But not as important as in NT

  • Active Directory --- simplifies way to find and administer resources

Windows 68


Domains in Windows 2000+

  • Not for network organization…

  • Instead, for common policy settings

  • Domains deployed in trees or forests

    • Link trusted domains together

    • Trees have “contiguous” name space (easier to find resources)

    • Forests: “noncontiguous” name space

Windows 69


Domains

  • In tree form

Windows 70


Domains

  • In Win 2000+

    • No distinction between PDCs and BDCs

    • All domain controllers authoritative

    • I.e., all can propagate pwd changes

    • Good for robustness…

    • …questionable for security

    • Multiple single points of failure

Windows 71


Active Directory

  • Active Directory

    • “All of your eggs in one basket”

    • Based on LDAP

    • Find resources on network

  • Security-wise…

    • Acts as “massive data repository”

    • Accounts, security policies, files, etc., etc.

  • Depends heavily on DNS

    • Uses Dynamic DNS (DDNS) to find stuff

Windows 72


Security in Windows 2000+

  • Greater complexity requires more careful configuration

  • Protect Active Directory by…

    • Limited admin privilege

    • Beware of “mixed mode” attacks

    • Install in its own partition (out of the way of IIS, other dangerous stuff)

Windows 73


Physical Security

  • Kerberos

    • Recall Key Distribution Center (KDC)

    • Access to KDC gives access to “tickets”

    • KDC lives on a server

    • Client machines cache important info

  • “Credentials” encrypted with KDC key

    • So, access to client credentials not a big deal

    • But, access to KDC key breaks entire system

Windows 74


Templates

  • For setting security parameters

  • Include many pre-packaged recommended settings

  • Easy to develop custom templates

  • Center for Internet Security provides security templates

Windows 75


Windows 2000+ Architecture

  • As before, user mode, kernel mode

  • Kernel mode now includes

    • Plug and Play Manager

    • Power Manager

    • Window Manager, etc.

Windows 76


Accounts and Groups

  • Accounts almost same as pre-2000

  • Power Users group is potential problem

    • Reducing privilege may break things

  • Three security groups

    • Domain local, global, universal

    • Universal == every domain in a forest

    • In native mode, global can include global groups

Windows 77


Organizational Units

  • OUs are hierarchical groups of users

    • Can inherit properties (within domain)

    • Important for privilege control

    • Supports delegation of privilege

    • “Children” OU can never have more rights than “parent” OU

    • Good way to limit privilege

Windows 78


Organizational Units

  • Downside to OUs

    • Only recognized within domain

    • 3 levels is practical max (performance)

Windows 79


Privilege Control

  • “Rights” more granular than in NT

    • Multiple ways to accomplish same thing

  • No “abilities”

Windows 80


RunAs

  • Run with different privilege

    • E.g., admin executes with lower privilege

Windows 81


Policies

  • Group Policy Objects (GPOs)

    • Password policy, IPSec, Kerberos, etc.

    • Granularity! (e.g., the appearance of IE)

  • GPOs allow for different policies for…

    • Different users

    • Different OUs

    • Different computers, domains, etc.

Windows 82


GPOs

Windows 83


Trust

  • In NT, MS-specific authentication

  • In 2000+, Kerberos

  • Plug a domain into tree (or forest)

    • Automatically trusts (and trusted by) all other domains in tree (or forest)

  • Any domain can trust any other

    • Problem, if not managed carefully

    • Attackers like “orphan domains”

Windows 84


Auditing

  • Similar to NT

  • Security Log

    • 9 (instead of 7) categories

    • Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Windows 85


Access Control

  • Similar to NT

  • NT uses NTFS-4

  • Windows 2000+ uses NTFS-5

  • Standard permissions

    • Full Control

    • Modify

    • Read and Execute

    • Read

    • Write

Windows 86


Access Control

  • NTFS-5 basic permissions

    • Traverse Folder/Execute File

    • List Folder/Read Data

    • Read Attributes

    • Read Extended Attributes (e.g., encryption)

    • Create Files/Write Data

    • Create Folders/Append Data

    • Write Attributes

    • Write Extended Attributes

    • Read Permissions

    • Change Permissions

    • Delete Subfolders and Files

    • Delete

    • Take Ownership

    • Synchronize (make contents of one file identical to another)

Windows 87


Encrypting File System

  • EFS automatically and transparently encrypts/decrypts files

    • DES, 3DES, or AES

  • Does not encrypt files on network

  • Only one user per file allowed

  • Slight performance issue

  • Critical to back up EFS key!

Windows 88


Conclusion

  • Securing Windows not a trivial matter

  • Windows a target-rich environment

  • Weak default settings

  • Backward compatibility

  • Complexity

Windows 89


Summary

  • History

  • Pre-2000

    • Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Windows 90


Summary

  • 2000+

    • Active Directory

    • Kerberos, IPSec, etc.

    • Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS

Windows 91

