
Chapter 15

Chapter 15. Windows System Security. OBJECTIVES. Upon completion of this chapter, you will be able to: describe Windows NT/2000 security and its components (Access Control Lists, Security Descriptors, Security Identifiers, and more); describe the differences between privileges and rights.



Presentation Transcript


  1. Chapter 15 Windows System Security

  2. OBJECTIVES • Upon completion of this chapter, you will be able to: • Describe Windows NT/2000 security and its components • Access Control Lists • Security Descriptors • Security Identifiers, and more • Describe the differences between privileges and rights • Create programs to manage security for NTFS files • Be ready to apply security to other NT objects

  3. OVERVIEW (1 of 2) • Windows NT/2000 supports security; Windows 9x does not • Every (sharable) NT object is securable • Security applies to NTFS files • Not to FAT or other file systems, which store no security descriptors • NT security was evaluated as C2 compliant • (DoD TCSEC, the “Orange Book”; the rating applies to a single, stand-alone system, not to a networked deployment)

  4. OVERVIEW (2 of 2) • NT security supports the required Discretionary Access Control Lists (DACLs) and System ACLs (SACLs, for auditing) • Specific allow and deny entries for users and groups for different types of access • Security programming is difficult • Probably the most difficult in the Windows API

  5. CONSTRUCTING A SECURITY DESCRIPTOR

  6. Process, Object and Security Descriptor (diagram). A process carries an access token holding the user SID and the group SIDs. The object carries a security descriptor holding the owner SID, the group SID and a discretionary ACL made of access control entries (denied entries followed by allowed entries). The descriptor is built in this order: 1) InitializeSecurityDescriptor 2) SetSecurityDescriptorOwner 3) SetSecurityDescriptorGroup 4) InitializeAcl 5) AddAccessDeniedAce (once per denied entry) 6) AddAccessAllowedAce (once per allowed entry) 7) SetSecurityDescriptorDacl. Note that the denied entries are added before the allowed ones.

  7. SECURITY ATTRIBUTES • typedef struct _SECURITY_ATTRIBUTES { • DWORD nLength; • LPVOID lpSecurityDescriptor; • BOOL bInheritHandle; • } SECURITY_ATTRIBUTES; • nLength • Should be set to sizeof (SECURITY_ATTRIBUTES) • lpSecurityDescriptor • Points to the security descriptor you build in the following slides; if NULL, the object receives the default security taken from the creator’s access token • bInheritHandle • Should be FALSE for now

  8. SECURITY DESCRIPTOR (1 of 2) • BOOL InitializeSecurityDescriptor( • PSECURITY_DESCRIPTOR psd, • DWORD dwRevision) • psd • Should be set to the address of a SECURITY_DESCRIPTOR • dwRevision • Set to SECURITY_DESCRIPTOR_REVISION • The initialized descriptor is empty; the following calls fill in its four parts: • Owner Security Identifier (SID) • Group SID • Discretionary Access Control List (DACL) • System ACL (SACL)

  9. SECURITY DESCRIPTOR (2 of 2) • SetSecurityDescriptorOwner and SetSecurityDescriptorGroup • Associate SIDs with descriptors • ACLs • Initialized using InitializeAcl • Associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl • Security descriptors • Classified as either absolute or self-relative • An absolute descriptor holds pointers to its SIDs and ACLs (what you build in memory); a self-relative descriptor stores all parts in one contiguous block (what GetFileSecurity returns, and the only form that can be stored or transmitted) • Convert between them with MakeSelfRelativeSD and MakeAbsoluteSD

  10. ACCESS CONTROL LISTS • Each ACL is a set of Access Control Entries (ACEs) • Two types of ACE in a DACL: • Access allowed and access denied • Initialize an ACL with InitializeAcl • Then add ACEs to discretionary ACLs: • AddAccessAllowedAce • AddAccessDeniedAce • Both append the new ACE at the end and never reorder the list; the access check walks the ACEs in order and stops at the first one that settles the request, so access-denied ACEs must be added before access-allowed ACEs (canonical order) or the denial is silently ineffective • AddAuditAccessAce is for adding to a SACL • Remove ACEs with DeleteAce • Retrieve them with GetAce

  11. SECURITY IDENTIFIERS (1 of 7) • BOOL LookupAccountName (LPCTSTR lpSystem, • LPCTSTR lpAccount, PSID psid, • LPDWORD lpcbSid, • LPTSTR lpReferencedDomain, • LPDWORD lpcchReferencedDomain, • PSID_NAME_USE psnu) • lpSystem • Points to the system name (is often NULL) • lpAccount • Points to the account name

  12. SECURITY IDENTIFIERS (2 of 7) • psid • Returned information of size *lpcbSid • lpcbSid • The DWORD should be initialized to the size of your SID structure (psid) • On return, you get the actual size • lpReferencedDomain • String of length *lpcchReferencedDomain • Should be initialized to the buffer size

  13. SECURITY IDENTIFIERS (3 of 7) • psnu • Points to a SID_NAME_USE (enumerated type) variable • Can be tested for values such as: SidTypeUser SidTypeGroup SidTypeWellKnownGroup

  14. SECURITY IDENTIFIERS (4 of 7) • To convert a SID to an account name: • BOOL LookupAccountSid ( • LPCTSTR lpSystem, • PSID psid, • LPTSTR lpAccount, • LPDWORD lpcchName, • LPTSTR lpReferencedDomain, • LPDWORD lpcchReferencedDomain, • PSID_NAME_USE psnu)

  15. SECURITY IDENTIFIERS (5 of 7) • BOOL GetUserName (LPTSTR lpBuffer, • LPDWORD lpcchBuffer) • Other functions: • InitializeSid • AllocateAndInitializeSid (release the result with FreeSid)

  16. SECURITY IDENTIFIERS (6 of 7) • BOOL SetSecurityDescriptorOwner ( • PSECURITY_DESCRIPTOR psd, PSID psidOwner, • BOOL fOwnerDefaulted) • BOOL SetSecurityDescriptorGroup ( • PSECURITY_DESCRIPTOR psd, PSID psidGroup, • BOOL fGroupDefaulted) • These store the SID in the descriptor; the counterparts GetSecurityDescriptorOwner and GetSecurityDescriptorGroup return the SID from a security descriptor • Owner or group

  17. SECURITY IDENTIFIERS (7 of 7) • Parameters • psd • Points to the appropriate security descriptor • psidOwner or psidGroup • The address of the owner’s (group’s) SID • fOwnerDefaulted or fGroupDefaulted • Use default information

  18. INITIALIZING ACLs • BOOL InitializeAcl (PACL pAcl, DWORD cbAcl, • DWORD dwAclRevision) • pAcl • Address of a programmer-supplied buffer of cbAcl bytes • dwAclRevision • Should be ACL_REVISION

  19. ADDING ACEs (1 of 2) • BOOL AddAccessAllowedAce (PACL pAcl, • DWORD dwAclRevision, • DWORD dwAccessMask, PSID pSid) • BOOL AddAccessDeniedAce (PACL pAcl, • DWORD dwAclRevision, • DWORD dwAccessMask, PSID pSid) • pAcl • Points to ACL structure initialized with InitializeAcl

  20. ADDING ACEs (2 of 2) • dwAclRevision • Use ACL_REVISION • pSid • Points to a SID • Might be obtained from LookupAccountName • Access Mask typical values: GENERIC_READ GENERIC_WRITE GENERIC_EXECUTE

  21. ACL WITH SECURITY DESCRIPTOR • BOOL SetSecurityDescriptorDacl ( • PSECURITY_DESCRIPTOR psd, • BOOL fDaclPresent, • PACL pAcl, BOOL fDaclDefaulted) • fDaclPresent • If TRUE, you have an ACL in the pAcl structure • If FALSE, the function ignores pAcl and the descriptor has no DACL • fDaclDefaulted • If FALSE, indicates an ACL generated by the programmer • If TRUE, it was obtained by a default mechanism • Caution: fDaclPresent TRUE with pAcl NULL gives the object a NULL DACL, which grants every caller full access; an empty DACL (present, but with zero ACEs) grants nothing at all. Passing fDaclPresent FALSE has the same effect as a NULL DACL. Do not confuse the two

  22. SECURITY DESCRIPTOR • BOOL GetFileSecurity (LPCTSTR lpFileName, • SECURITY_INFORMATION secInfo, • PSECURITY_DESCRIPTOR psd, • DWORD cbSd, • LPDWORD lpcbLengthNeeded) • BOOL SetFileSecurity (LPCTSTR lpFileName, • SECURITY_INFORMATION secInfo, • PSECURITY_DESCRIPTOR psd)

  23. SECURITY DESCRIPTOR • secInfo • A set of bit flags (a SECURITY_INFORMATION DWORD, not an enumerated type) • Takes on values such as: OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION SACL_SECURITY_INFORMATION (which can be combined with the bitwise OR)

  24. SECURITY DESCRIPTOR • To find the GetFileSecurity return buffer size • Call it twice • The first call uses 0 as the cbSd value; it fails with ERROR_INSUFFICIENT_BUFFER and stores the required size in *lpcbLengthNeeded • After allocating a buffer of that size, call the function a second time • You must have the correct permissions on the file: READ_CONTROL to read the owner, group and DACL, and WRITE_DAC or WRITE_OWNER to change them • Reading or writing the SACL additionally requires the SE_SECURITY_NAME privilege to be enabled in your access token; without it the call fails even for the file’s owner

  25. OBTAIN AN ACL • BOOL GetSecurityDescriptorDacl ( • PSECURITY_DESCRIPTOR psd, • LPBOOL fDaclPresent, • PACL *pAcl, • LPBOOL lpfDaclDefaulted) • The parameters are nearly identical to SetSecurityDescriptorDacl • *pAcl points into the descriptor, not to a copy, so it is valid only as long as psd is • *fDaclPresent TRUE with *pAcl NULL means the object has a NULL DACL (unrestricted access)

  26. HOW MANY ACEs IN AN ACL (1 of 2) • BOOL GetAclInformation (PACL pAcl, • LPVOID pAclInformation, • DWORD cbAclInfo, • ACL_INFORMATION_CLASS dwAclInfoClass) • dwAclInfoClass • Use AclSizeInformation in most cases

  27. HOW MANY ACEs IN AN ACL (2 of 2) • pAclInformation • A structure of type ACL_SIZE_INFORMATION • Has three members: AceCount — How many entries are on the list AclBytesInUse AclBytesFree

  28. OBTAIN ACEs • BOOL GetAce (PACL pAcl, • DWORD dwAceIndex, LPVOID *pAce) • pAce • Receives a pointer to the ACE inside the ACL (not a copy) • Every ACE structure begins with an ACE_HEADER member called “Header” • Header has an AceType member which can be tested for: ACCESS_ALLOWED_ACE_TYPE ACCESS_DENIED_ACE_TYPE • Once the type is known, cast pAce to ACCESS_ALLOWED_ACE or ACCESS_DENIED_ACE to reach the Mask member and the SID that starts at SidStart

  29. SECURITY SUMMARY • Remove ACEs with DeleteAce function • For kernel objects (processes, threads, mutexes, and so on), use: GetKernelObjectSecurity SetKernelObjectSecurity • For user objects (window stations and desktops), use: GetUserObjectSecurity SetUserObjectSecurity • Note difference between absolute and self-relative security descriptors • System administrators can manage system ACLs: reading or writing a SACL requires the SE_SECURITY_NAME privilege (SeSecurityPrivilege) to be enabled in the caller’s token • This is the distinction from the chapter objectives: a privilege is a property of the access token that applies system-wide, whereas an access right is granted per object by that object’s DACL

  30. LAB D–A (1 of 2) • The functions in InitUnFp.c create and manage a SECURITY_ATTRIBUTES structure • With (Read, Write, and Execute) permissions • For (User, Group, and Other) • Similar to UNIX file permissions • You will need these functions in the two lab exercises

  31. LAB D–A (2 of 2) • 1. Write a program, chmod, to create a new file with specified permissions • Expressed as a 9-bit UNIX-style file permission • 2. Write an enhancement of the ls program, lsFP, to find the existing permissions on a specified file • Assume that the permissions were created with chmod
