
Users and Groups


lucien

Presentation Transcript


  1. Intro to Windows 7 Security
     • Users and Groups
     • Security Architecture
     • Editing Security Policies
     • The Registry
     • File Security
     • Auditing/Logging
     • Network Issues (client firewall, IPSec, Active Directory, etc.)

  2. Security Features
     • Users have accounts protected by password.
     • Ctrl+Alt+Del guards logon.
     • Each user has a profile and personal files/folders.
     • NTFS used.
     • Users have security rights/permissions.
     • Permissions can be assigned to groups of users.
     • Resources (objects) protected by ACLs.

  3. Users and SIDs
     SID - Security IDentifier
     • each user has a unique SID
     • each group has a unique SID
     S-1-5-807522115-735419003- ... -1204
     Predefined SIDs (diagram)
     SIDs: S-1-5-3, S-1-5-544, S-1-5-500, S-1-5-2, S-1-5-4, S-1-5-545
     Labels: Interactive group, Network group, Users group, Authenticated Users group, Administrator, Administrators group

  4. Terminology
     Local vs. Domain
     • Local refers to the local computer.
     • Domains are a means for implementing global (non-local) access.
     Groups
     • Users with common security privileges are grouped.
     • One user can be assigned to multiple groups.
     • Users can log in, but groups cannot.
     Access Tokens
     • When a user logs in, an access token is created.
     • An access token includes
     • An access token must be presented whenever a resource is requested.

  5. Main Account Types (Groups)
     Computer Administrator
     • Created at setup/install.
     • Complete control (create users & groups, install programs, backup/restore, load/unload device drivers, manage security/auditing, set permissions, access all files, take ownership of objects).
     Limited
     • Created by Administrator.
     • Limited control (change personal account (password, picture, etc.), use installed programs, view permissions, create/change/delete owned files/folders).
     Guest
     • Automatically created at setup/install.
     • Limited control (use installed programs, view permissions, create/change/delete owned files/folders).
     Unknown
     • Exists if the system is upgraded.

  6. Groups and Permissions
     • Right-click Computer > Manage > Local Users and Groups.
     • Right-click file/folder > Properties > Security tab.

  7. File/Folder Permissions

  8. NT Security Architecture
     (diagram components: Win login, Active Directory, LSA, SAM database, SAM, SRM)

  9. SAM Database
     User IDs and passwords
     Passwords are hashed:
     • older versions of Windows use LM (DES) hash
     • post-NT versions of Windows use NTLM (MD4 & MD5) hash
     • salt?

  10. Access Control Lists
     ACL = a list of Access Control Entries (SID, right)
     An ACL is bound to an object.
     • the object's creator can specify an ACL.
     • the O.S. can find an ACL from a parent object.
     To validate an operation:
     1) The LSA must be presented with an access token.
     2) The SRM supplies the ACL for the appropriate object.
     3) The LSA validates that the SID from the token matches the ACL.

  11. The Registry
     Registry = central database for configuration settings
     The individual settings are called keys.
     The entire registry consists of five hives.
     • HKEY_LOCAL_MACHINE
     • HKEY_CLASSES_ROOT
     • HKEY_USERS
     • HKEY_CURRENT_USER
     • HKEY_CURRENT_CONFIG
     Keys can be edited with WINDOWS\System32\regedt32.exe.

  12. The Registry - cont'd
     • HKEY_LOCAL_MACHINE: information about currently installed hardware and software; includes SAM access and various important security keys
     • HKEY_CLASSES_ROOT: maintains file-application associations etc.
     • HKEY_USERS: contains default local user profiles (screen color, wallpaper, screen savers, etc.)
     • HKEY_CURRENT_USER: stores profile for currently logged in user
     • HKEY_CURRENT_CONFIG: holds information for the hardware configuration that was booted
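
The validation steps on slide 10 (access token, ACL, SID match), as an added Python example that is not part of the original presentation. It goes beyond the slide by modelling allow and deny entries evaluated in order, as Windows DACLs are; the SIDs, group names and right values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4  # simplified rights, not real access masks

@dataclass(frozen=True)
class Ace:              # one Access Control Entry: (kind, SID, rights)
    kind: str           # "allow" or "deny"
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:            # access token built at logon
    user_sid: str
    group_sids: frozenset

def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Walk the ACL in order and decide whether `desired` rights are granted."""
    if dacl is None:                    # object has no ACL at all: unprotected
        return True
    sids = {token.user_sid} | token.group_sids
    remaining = desired                 # rights not yet granted
    for ace in dacl:
        if ace.sid not in sids:         # entry is for someone else
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                # explicit deny hit before a grant
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                        # nothing (or not everything) granted

# Constructed SIDs (hypothetical machine, staff/interns groups, two users)
BASE = "S-1-5-21-1000-2000-3000"
STAFF, INTERNS = BASE + "-1301", BASE + "-1302"
alice = Token(BASE + "-1204", frozenset({STAFF, INTERNS}))
bob = Token(BASE + "-1205", frozenset({STAFF}))

# Deny entries first, then allows
ordered = [Ace("deny", INTERNS, WRITE | DELETE), Ace("allow", STAFF, READ | WRITE)]
# Same entries, allow first: the deny is never reached for WRITE
misordered = list(reversed(ordered))

if __name__ == "__main__":
    for name, tok in (("alice", alice), ("bob", bob)):
        for label, acl in (("ordered", ordered), ("misordered", misordered)):
            print(name, label, "WRITE ->", access_check(tok, acl, WRITE))
    print("empty ACL:", access_check(bob, [], READ), "| no ACL:", access_check(bob, None, READ))
```

The misordered list grants alice WRITE even though a deny entry names her group, which is why an ACL review checks that deny entries precede allow entries. An empty ACL denies everyone, while a missing ACL leaves the object open.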
