Windows - PowerPoint PPT Presentation
Presentation Transcript

Windows 1

  • Old black-and-white “Western” movie
    • Gunslinger wants to quit fighting
    • Some new young upstart wants to fight
    • So the old guy fights one more time…
  • “Target-ability”
    • Depends on popularity and reputation
    • Windows is most hackers’ favorite target

Windows 2

  • Windows is the most popular OS
    • May 2005: 390M Windows machines
    • Over half of those running XP
  • Windows is the obvious target
  • From attacker’s point of view
    • Attacker’s “cost-benefit” analysis
    • Attacker wants most “bang for the buck”

Windows 3

This Chapter
  • Brief history of Windows
  • Consider core NT security features
  • Consider security in Windows 2000+
    • That is, Windows 2000, XP, Server 2003
    • Book does not cover Vista

Windows 4

  • History began in April 1993…
    • Release of Windows NT
    • NT == “New Technology”/“No Technology”
  • Before NT
    • Microsoft Windows 3.0, 95, 98, Me
    • No authentication, program isolation, logging, etc.
    • “No security” prior to NT

Windows 5

Modern Windows OSs
  • NT, Windows 2000, XP, Server 2003
    • And Vista, but not covered in book
  • Windows NT
    • Based on technology developed at DEC for their VMS operating system
    • 1988: Microsoft hired David N. Cutler
    • He came from DEC, with 20+ others

Windows 6

Windows NT
  • Originally, Cutler was to build successor to OS/2, called OS/2 NT
    • Microsoft/IBM collaboration
  • With success of Windows 3.0 in 1990
    • Microsoft changed its mind
    • Windows NT to be their UNIX-beater

Windows 7

Backwards Compatibility
  • What is backward compatibility?
    • New-and-improved works with bad/old versions
  • NT tried to be backwards compatible
    • Users complain if not backwards compatible
    • But, creates many security compromises
    • Continues to plague Windows (& others) today
    • Damned if you do, damned if you don’t…

Windows 8

Windows History
  • After introduction of NT…
    • Incremental changes: NT 3.1, 3.5, 3.51, 4.0
  • Major overhaul: Windows 2000
    • In essence, Windows NT 5.0
  • Windows XP (“eXPerience”)
    • Released in October 2001
    • Refers to itself as “Windows 2002”
  • Windows Server 2003

Windows 9

Windows History
  • 1993 to 2001, dual Windows lines
    • Home users: Windows 3.0/3.1/95/98/Me
    • Professional: NT 3.1/3.5/3.51/4.0/2000
  • Windows XP
    • Evolved from NT (“professional”) line
    • For home and professional users
    • Ended the dual Windows approach

Windows 10

BAD Old Days
  • Before Active Directory (BAD)…
  • Windows 2000: Active Directory
    • Major shift in security
  • Active Directory: all-in-one service for locating stuff
    • Find printer in next cubicle
    • Change pwd policy on machines in branch office

Windows 11

Active Directory
  • Active Directory
    • “Native mode” --- all Windows 2000+ environment
    • “Mixed mode” --- some pre-2k machines
    • Which is more common?
    • Backwards compatibility…
  • Necessary to understand what came before Active Directory
  • More on Active Directory later

Windows 12

BAD Basics
  • Before Active Directory…
  • Domains (currently deprecated)
    • Networked Windows computers that share an authentication database
    • Single sign-on for domain
  • Must have a “domain controller”
    • For authentication to the domain
    • Usually more than one controller

Windows 13

BAD Basics
  • Primary Domain Controller (PDC)
    • First server in domain
    • Updates authentication info in Security Accounts Manager (SAM) database
  • Backup Domain Controller (BDC)
    • Can access SAM, but not update
    • Admin can temporarily “promote” BDC
  • Active Directory: all controllers authoritative
    • More robust, but possibly less secure

Windows 14

BAD Basics
  • Domain sets critical parameters
    • Min pwd length
    • Pwd expiration policy
    • Restrictions on users, etc.
  • Workgroup --- like domain but worse
    • No control mechanisms

Windows 15

  • Share
    • Connection to network devices
    • Used with domains and Active Directory
    • Similar to NFS mounts in UNIX
    • Windows Explorer: My Network Places
  • Convenient transparent way for users to “reach across the network”

Windows 16

Windows Architecture
  • NT architecture based on layers
  • Layers important to security
    • Each layer restricts layer above
    • “Security issues are nearly always a result of some sort of compromise of this layering.”
  • Two “modes”: user mode, kernel mode

Windows 17

User Mode
  • Part of OS that users interact with
  • User mode is “go between”
    • Between user and kernel
    • Strict communication rules…
    • …Application Program Interfaces (APIs)
  • User mode: 2 types of services
    • Integral subsystem: native to Windows
    • Environment services: support for other OSs

Windows 19

User Mode
  • Integral subsystem
    • Provide APIs used by Win32 apps
    • For OS functions such as files, windows, process mgmt, virtual memory, I/O, etc.
  • DLLs translate (documented) API calls into (undocumented) calls into kernel
    • User mode  Kernel Executive subsystem

Windows 20

  • Local Security Authority Subsystem Service
    • User mode subsystem
    • Determines if login is valid
    • Sends login data to SAM database
  • For each account, SAM has 2 entries
    • NT pwd hash, LM/LanMan pwd hash --- Why???
    • Backwards compatibility, of course!

Windows 21

Windows Passwords
  • NT hash used in NT and beyond
  • LM hash used in Windows 95 & 98
  • SAM entries not stored in ASCII
    • Different from UNIX
    • Pwdump3 converts to readable form
  • How are pwd hashes derived?

Windows 22

Windows Passwords
  • LM pwd hashes
    • Assume pwd is 14 characters or less
    • Pad password to 14 characters
    • Split into two 7-char strings
    • Convert to lower-case
    • Hash each half independently
    • Use DES block cipher (string is the key)
    • No salt is used

Windows 23

Windows Passwords
  • NT password hash
    • Hash entire pwd using MD4, no salt used
    • Note: MD4 not a strong hash
  • Which is better, NT or LM?
    • Spse 64 choices/character, 14 char pwd
    • NT: try 2^83, LM: try 2^42
    • LM is 2,000,000,000,000+ times easier
    • LM is even worse than that…

Windows 24

Windows Password
  • By default, both LM and NT hashes
  • What will attacker do?
    • Attack LM pwd, of course
    • May need to convert to upper case
    • Still much easier than NT pwd
    • Both types unsalted (dictionary attacks)
  • Disable LM if possible

Windows 25

Kernel Mode
  • Fundamental OS issues
    • Memory mgmt, deal with hardware, etc.
  • More secure than user mode
  • Security Reference Monitor
    • Part of Executive subsystem
    • Checks attempts to access kernel mode
    • Checks attempts to access files, etc.
    • Checks permissions, gathers audit data, etc.

Windows 26

Kernel Mode
  • Object Manager
    • Manages info about files, directories, etc.
    • Objects get Object Identifier (OID)
    • OIDs used by Object Manager
    • Object Manager aware of some inheritance relationships (e.g., subfolders)

Windows 27

Kernel Mode
  • Hardware Abstraction Layer (HAL)
    • Deals with hardware in a high-level way
    • Low level details left to device drivers
    • Makes life easier for Windows…
    • …but not for hardware manufacturers
    • Bad drivers can cause serious problems like crashing the whole system
    • HAL also used by Windows to support multiple processors

Windows 28

Service Packs and Updates
  • When bugs and problems are found…
  • Patches come in 2 flavors
    • Hotfixes/patches --- specific issue
    • Service packs --- major bundle of fixes, once every 6 months to a year
    • Automatically (Windows Update service)
    • Fixes to OS and to other MS products
  • Patching is a big deal for companies

Windows 29

  • Default accounts: Administrator, Guest
  • Administrator account
    • Administrator has highest privilege
    • Administrator acct cannot be locked or deleted
    • Can only be disabled if another admin exists
    • If one Admin acct, unlimited pwd guessing
    • Good idea to have more than one Admin acct

Windows 30

  • Guest account
    • Anyone can log on to guest acct
    • Limited in what it can do, but still…
    • Guest is generally a bad idea
    • Disabled by default on modern Windows

Windows 31

  • User accts, application accts, etc.
  • How to secure accounts?
    • Give all admin accts “neutral” names
    • Change acct description(s) too
    • Create decoy acct named “Administrator”
    • Disable Guest, give it a strong pwd
      • “Belt and suspenders principle”
  • Security by obscurity? Is it worth it?

Windows 32

  • Used to control access/privilege
  • Why not user accounts?
  • Easier to manage (fewer) groups instead of (many) users
  • Before Active Directory (Win 2K)
    • Two types of groups
    • Global groups, local groups

Windows 33

  • Local groups give access to resources
    • Global groups cannot grant access
  • Typically, users included in global groups
    • Global groups then included in local groups
    • Access given to those in local group (including those in included global groups)
    • Global groups cannot be included in global groups
    • Local groups cannot be included in local groups

Windows 34

  • Huh?
  • For example, suppose a new hire
    • Include user in global groups
    • Then automatically included in appropriate local groups
    • Otherwise, have to make config changes to individual local machines

Windows 35

Default Groups
  • Local: Administrators, Account Operators, Power Users, Server Operators, Backup Operators, Print Operators, Replicator, Users, Guests
  • Global: Domain Administrators, Domain Users

Windows 36

Special Groups
  • Special since cannot add or delete users
    • But can change group rights/privileges
  • Special groups are local groups
  • EVERYONE --- for just about anything
  • SYSTEM --- “holy grail”
    • Nothing has higher privilege
    • Not a login ID
    • Some processes run with SYSTEM privilege
    • Compromise one of these and you “own” system

Windows 37

Special Groups
  • Other special groups
    • INTERACTIVE --- currently logged in locally
    • NETWORK --- currently logged in non-locally
    • CREATOR OWNER --- owner of a given object (confusing name…)
  • These are not as special as SYSTEM…

Windows 38

  • Privilege --- capacity to access and manipulate things
  • Rights --- things users can do; can be added/modified (accts and groups)
  • Abilities --- built-in capabilities
  • Administrator --- highest privilege
    • Operator groups --- like bits and pieces of admin
  • Power user --- next highest
    • Then users followed by guest

Windows 39

Privilege Control
  • “…advanced rights control internal functions within Windows system”
    • Example: “Act as Part of Operating System”
    • Gives right to reach into kernel mode
    • Attacker has got to love this…
  • Principle of least privilege
    • Give least privilege needed to do job
    • “Putting this into practice is one of the most fundamental steps to making Windows (or any operating system, for that matter) more secure.”

Windows 40

  • Admin can create “policies”
    • Can affect local machine
    • Or entire domain
  • Account Policy --- most basic policy
    • Applies to all accounts in a domain
    • Max pwd age, pwd history, lockout, etc.
    • See next 2 slides…

Windows 42

User Properties Settings
  • User Properties
    • Technically, not Policies, but serve similar purpose
  • Like Policies, but set for individual accts
    • E.g., User Must Change Password at Next Login, User Cannot Change Password, etc.

Windows 45

  • Extends “login” across domains
    • Like single sign-on to trusting domains
    • One (or more) global group in trusted domain must be included in one (or more) local groups in trusting domain
    • Can limit access via local group(s)
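The group-nesting rules from the "Huh?" new-hire slides and the cross-domain trust rule above, as an added toy model (not from the slides or from any Microsoft code; domain, group, user and share names are constructed):

```python
"""Toy model of NT-style (pre-Active Directory) group nesting and one-way domain trust."""
from dataclasses import dataclass, field


class GroupRuleError(ValueError):
    """A membership that the NT group rules on the slides forbid."""


@dataclass
class Domain:
    name: str
    trusts: set = field(default_factory=set)           # names of domains this domain trusts
    global_groups: dict = field(default_factory=dict)  # group -> set of user names
    local_groups: dict = field(default_factory=dict)   # group -> set of (domain name, global group)
    resources: dict = field(default_factory=dict)      # resource -> set of local group names


def kind_of(domain: Domain, group: str) -> str:
    if group in domain.global_groups:
        return "global"
    if group in domain.local_groups:
        return "local"
    raise GroupRuleError(f"no group {domain.name}\\{group}")


def nest(trusting: Domain, container: str, member_dom: Domain, member: str) -> None:
    """Put `member` (from member_dom) inside `container` (in trusting): only global -> local is legal."""
    if kind_of(trusting, container) == "global":
        raise GroupRuleError("global groups cannot include other groups")
    if kind_of(member_dom, member) == "local":
        raise GroupRuleError("local groups cannot be included in local groups")
    if member_dom is not trusting and member_dom.name not in trusting.trusts:
        raise GroupRuleError(f"{trusting.name} does not trust {member_dom.name}")
    trusting.local_groups[container].add((member_dom.name, member))


def nesting_allowed(trusting, container, member_dom, member) -> bool:
    """True if the nesting was accepted, False if a rule rejected it."""
    try:
        nest(trusting, container, member_dom, member)
        return True
    except GroupRuleError:
        return False


def members(domains: dict, domain: Domain, local_group: str) -> set:
    """Effective users of a local group: everyone in its nested global groups."""
    users = set()
    for dom_name, glob in domain.local_groups[local_group]:
        users |= {f"{dom_name}\\{u}" for u in domains[dom_name].global_groups[glob]}
    return users


def can_access(domains: dict, domain: Domain, resource: str, user: str) -> bool:
    """Only local groups grant access; the user must be in one attached to the resource."""
    return any(user in members(domains, domain, lg) for lg in domain.resources[resource])


def demo() -> dict:
    """New hire 'bob' in HQ gains a BRANCH share through one global-group change."""
    hq = Domain("HQ")                     # account domain (trusted)
    br = Domain("BRANCH", trusts={"HQ"})  # resource domain (trusting)
    domains = {"HQ": hq, "BRANCH": br}
    hq.global_groups["Engineers"] = {"alice"}
    br.local_groups["Branch-Share"] = set()
    br.resources[r"\\BR-FS\reports"] = {"Branch-Share"}
    # trusted domain's global group goes into the trusting domain's local group
    nest(br, "Branch-Share", hq, "Engineers")
    before = can_access(domains, br, r"\\BR-FS\reports", "HQ\\bob")
    hq.global_groups["Engineers"].add("bob")   # the only change the admin makes
    after = can_access(domains, br, r"\\BR-FS\reports", "HQ\\bob")
    return {"bob_before": before, "bob_after": after}
```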

Windows 47

Windows Trust Models
  • No trust --- most secure, most inconvenient
  • Complete trust --- every domain trusts every other domain
  • Master domain --- user accounts in central account domain
    • Gives central control for mapping users to resources (via groups)
  • Multiple master domains --- like a distributed master domain

Windows 48

Windows Trust
  • Based on password authentication
  • Better than UNIX r-commands
    • Btw, what is authentication based on in UNIX r-commands?
  • Active Directory uses Kerberos (Windows 2000+)

Windows 49

  • Can only audit what you log
  • Types of logging/audit
    • System
    • Security (or just “auditing”) --- logons, logoffs, file access, use of rights, etc.
    • Application

Windows 50

  • By default, detailed auditing is off
    • And not available in XP home edition
  • Not easy to decide what to log
  • Some important data not logged
    • Source/destination IP address, whether system reinstall occurred, etc.

Windows 51

Audit Settings

Windows 52

Access Control and Permissions
  • How to control access to objects
  • Ownership
    • Each object has owner (CREATOR OWNER)
    • Owner can always change permissions
  • File Allocation Table (FAT)
    • No access control --- the reason why Windows 95, 98, Me cannot be secure

Windows 53

Access Control and Permissions
  • NTFS (NT File System)
    • Good performance, recoverability, etc.
    • Reasonable set of permissions
    • “One of the most effective parts of Windows security”
  • Number of permissions is “bewildering”

Windows 54

Example NTFS Permissions
  • No access --- what it says
  • Read --- read and execute
  • Change --- read, execute, write, delete
  • Full Control --- Change plus change permissions and take ownership
  • These are actually combinations of more granular permissions

Windows 55

Share Permissions
  • Recall shares are kind of like NFS mounts
  • Permissions on components of file system
    • For example, a shared folder
  • Remote access depends on both NTFS and share permissions
    • Least access wins
  • Local login --- only NTFS permissions apply
    • Potentially a security issue
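The "least access wins" rule and the local-logon caveat from the slide above, as an added illustration (not from the slides; the granular right names behind the composite permissions and the sample ACLs are constructed):

```python
"""Effective access to a shared folder: remote = NTFS AND share (least access wins),
local logon = NTFS only, which is the gap the slide flags as a potential issue."""

# Composite permissions from the slides, expanded into simplified granular rights.
RIGHTS = {
    "No Access": frozenset(),
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete",
                               "change permissions", "take ownership"}),
}


def effective_rights(ntfs: str, share, remote: bool) -> frozenset:
    """Rights a principal actually gets on a folder.

    remote=True  -> intersection of NTFS and share permission
    remote=False -> NTFS permission only; share permissions are never consulted
    share=None   -> folder not shared, so there is no remote path at all
    """
    if not remote:
        return RIGHTS[ntfs]
    if share is None:
        return frozenset()
    return RIGHTS[ntfs] & RIGHTS[share]


def composite_name(rights: frozenset) -> str:
    """Smallest composite permission that covers the given right set."""
    for name in ("No Access", "Read", "Change", "Full Control"):
        if rights <= RIGHTS[name]:
            return name
    return "custom"


def local_exposure(acl: dict) -> dict:
    """Per folder, the rights a console logon gets beyond what the share path allows.

    A tight share permission is often mistaken for a lock on the data; this
    lists what is reachable by anyone who can log on locally.
    """
    gaps = {}
    for folder, (ntfs, share) in acl.items():
        extra = (effective_rights(ntfs, share, remote=False)
                 - effective_rights(ntfs, share, remote=True))
        if extra:
            gaps[folder] = sorted(extra)
    return gaps


# Constructed sample ACLs: folder -> (NTFS permission, share permission or None)
SAMPLE_ACL = {
    r"D:\payroll": ("Full Control", "Read"),  # share caps remote users at Read
    r"D:\public": ("Read", "Full Control"),   # NTFS is the limiting factor
    r"D:\scratch": ("Change", None),          # not shared at all
}
```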

Windows 56

Weak Default Permissions
  • Many default permissions “faulty”
    • E.g., default permission on \Windows (\winnt) directory allows Power Users to get copy of SAM database
  • System should be hardened
    • Entire books written on this subject

Windows 57

Network Security
  • Protocols and APIs
    • Server Message Block protocol --- MS implementation is called Common Internet File System
    • “Weak authentication” --- many attacks
    • No details at this point in book…

Windows 58

Network Security
  • NetBEUI/NetBIOS --- older (deprecated) network environment
    • DoS and other attacks
  • Microsoft Internet Information Service (IIS) --- built-in Web server
    • Attackers love IIS

Windows 59

Summary of BAD Old Days
  • Before Active Directory (BAD)
    • That is, before Windows 2000+
  • We discussed…
  • History
    • Windows 3.0/95/98 (no security)
    • Windows NT
  • Backwards compatibility

Windows 60

Summary of BAD Old Days
  • Domains --- SSO to networked machines
  • Shares --- analogous to NFS mounts
  • Modes --- User Mode, Kernel Mode
  • Service packs/updates
  • Accounts
  • Groups --- local and global
  • Privilege --- rights and abilities

Windows 61

Summary of BAD Old Days
  • Policies --- apply to all accts in domain
  • Properties --- individual accounts
  • Trust --- across domains
  • Auditing/Logging
  • Access control/permissions
    • FAT --- no security
    • NTFS --- good level of security
  • Network security/protocols

Windows 62

Windows 2000+
  • What is Windows 2000+?
    • Windows 2000, XP, Server 2003
    • Vista not covered in text
  • Much of BAD stuff lives on…
  • But some important changes
    • Including many new security features

Windows 63

Windows 2000+
  • “Windows 2000+ offers a multitude of features and represents a huge increase in the growth of operating system size, resource consumption, and complexity…”
  • According to Paul Kocher, “complexity is the enemy of security”

Windows 64

Windows 2000+
  • New non-security features
    • Power management, built-in terminal services, Microsoft Management Console, Microsoft Recovery Console, Plug-and-Play (Plug-and-Pray?)
  • But we’re interested in security…

Windows 65

Windows 2000+
  • New security features
    • MS implementation of Kerberos
    • SSPI --- supports new authentication mechanisms
    • MS implementation of IPSec
    • L2TP --- Layer Two Tunneling Protocol, for security on the LAN
    • Active Directory --- “central nervous system”
    • Support for smart cards
    • Encrypting File System (EFS)

Windows 66

Native vs Mixed Mode
  • Native Mode --- all domain controllers 2000+
    • Backward compatibility issues go away
    • Can take full advantage of 2k+ security
    • Remainder of chapter deals with Native mode
  • Mixed Mode --- some older domain controllers
    • 1st part of chapter applies to Mixed mode

Windows 67

Domains Deemphasized
  • NT domains “got in the way”
    • Boundary between resources & services
    • NT browsing services costly
  • Domains exist in 2000+…
    • But not as important as in NT
  • Active Directory --- simplifies way to find and administer resources

Windows 68

Domains in Windows 2000+
  • Not for network organization…
  • Instead, for common policy settings
  • Domains deployed in trees or forests
    • Link trusted domains together
    • Trees have “contiguous” name space (easier to find resources)
    • Forests: “noncontiguous” name space

Windows 69

  • In tree form

Windows 70

  • In Win 2000+
    • No distinction between PDCs and BDCs
    • All domain controllers authoritative
    • I.e., all can propagate pwd changes
    • Good for robustness…
    • …questionable for security
    • Multiple single points of failure

Windows 71

Active Directory
  • Active Directory
    • “All of your eggs in one basket”
    • Based on LDAP
    • Find resources on network
  • Security-wise…
    • Acts as “massive data repository”
    • Accounts, security policies, files, etc., etc.
  • Depends heavily on DNS
    • Uses Dynamic DNS (DDNS) to find stuff

Windows 72

Security in Windows 2000+
  • Greater complexity requires more careful configuration
  • Protect Active Directory by…
    • Limited admin privilege
    • Beware of “mixed mode” attacks
    • Install in its own partition (out of the way of IIS, other dangerous stuff)

Windows 73

Physical Security
  • Kerberos
    • Recall Key Distribution Center (KDC)
    • Access to KDC gives access to “tickets”
    • KDC lives on a server
    • Client machines cache important info
  • “Credentials” encrypted with KDC key
    • So, access to client credentials not a big deal
    • But, access to KDC key breaks entire system

Windows 74

  • For setting security parameters
  • Include many pre-packaged recommended settings
  • Easy to develop custom templates
  • Center for Internet Security provides security templates

Windows 75

Windows 2000+ Architecture
  • As before, user mode, kernel mode
  • Kernel mode now includes
    • Plug and Play Manager
    • Power Manager
    • Window Manager, etc.

Windows 76

Accounts and Groups
  • Accounts almost same as pre-2000
  • Power Users group is potential problem
    • Reducing privilege may break things
  • Three security groups
    • Domain local, global, universal
    • Universal == every domain in a forest
    • In native mode, global can include global groups

Windows 77

Organizational Units
  • OUs are hierarchical groups of users
    • Can inherit properties (within domain)
    • Important for privilege control
    • Supports delegation of privilege
    • “Children” OU can never have more rights than “parent” OU
    • Good way to limit privilege

Windows 78

Organizational Units
  • Downside to OUs
    • Only recognized within domain
    • 3 levels is practical max (performance)

Windows 79

Privilege Control
  • “Rights” more granular than in NT
    • Multiple ways to accomplish same thing
  • No “abilities”

Windows 80

  • Run with different privilege
    • E.g., Admin execute with lower privilege

Windows 81

  • Group Policy Objects (GPOs)
    • Password policy, IPSec, Kerberos, etc.
    • Granularity! (e.g., the appearance of IE)
  • GPOs allow for different policies for…
    • Different users
    • Different OUs
    • Different computers, domains, etc.

Windows 82


Windows 83

  • In NT, MS-specific authentication
  • In 2000+, Kerberos
  • Plug a domain into tree (or forest)
    • Automatically trusts (and trusted by) all other domains in tree (or forest)
  • Any domain can trust any other
    • Problem, if not managed carefully
    • Attackers like “orphan domains”

Windows 84

  • Similar to NT
  • Security Log
    • 9 (instead of 7) categories
    • Account Logon Events, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, System Events

Windows 85

Access Control
  • Similar to NT
  • NT uses NTFS-4
  • Windows 2000+ uses NTFS-5
  • Standard permissions
    • Full Control
    • Modify
    • Read and Execute
    • Read
    • Write

Windows 86

Access Control
  • NTFS-5 basic permissions
    • Traverse Folder/Execute File
    • List Folder/Read Data
    • Read Attributes
    • Read Extended Attributes (e.g., encryption)
    • Create Files/Write Data
    • Create Folders/Append Data
    • Write Attributes
    • Write Extended Attributes
    • Read Permissions
    • Change Permissions
    • Delete Subfolders and Files
    • Delete
    • Take Ownership
    • Synchronize (make contents of one file identical to another)

Windows 87

Encrypting File System
  • EFS automatically and transparently encrypts/decrypts files
    • DES, 3DES, or AES
  • Does not encrypt files on network
  • Only one user per file allowed
  • Slight performance issue
  • Critical to back up EFS key!

Windows 88

  • Securing Windows not a trivial matter
  • Windows a target-rich environment
  • Weak default settings
  • Backward compatibility
  • Complexity

Windows 89

  • History
  • Pre-2000
    • Domains, service packs, user mode, kernel mode, SAM & passwords, Security Reference Monitor, accounts, groups, rights, abilities, trust, logging/audit, NTFS/access control/permissions, shares, network security

Windows 90

  • 2000+
    • Active Directory
    • Kerberos, IPSec, etc.
    • Lesser modifications: domains deemphasized, accounts/groups, OUs, rights, RunAs, Policies/GPOs, Trust, Access control/NTFS-5, EFS

Windows 91