Windows

1
Windows
2
Introduction

• Old black-and-white Western movie
• Gunslinger wants to quit fighting
• Some new young upstart wants to fight
• So the old guy fights one more time
• Target-ability
• Depends on popularity and reputation
• Windows is most hackers favorite target

3
Introduction

• Windows is the most popular OS
• May 2005 390M Windows machines
• Over half of those running XP
• Windows is the obvious target
• From attackers point of view
• Attackers cost-benefit analysis
• Attacker wants most bang for the buck

4
This Chapter

• Brief history of Windows
• Consider core NT security features
• Consider security in Windows 2000
• That is, Windows 2000, XP, Server 2003
• Book does not cover Vista

5
History

• History began in April 1993
• Release of Windows NT
• NT New Technology/No Technology
• Before NT
• Microsoft Windows 3.0, 95, 98, Me
• No authentication, program isolation, logging,
  etc.
• No security prior to NT

6
Modern Windows OSs

• NT, Windows 2000, XP, Server 2003
• And Vista, but not covered in book
• Windows NT
• Based on technology developed at DEC for their
  VMS operating system
• 1988 Microsoft hired David N. Cutler
• He came from DEC, with 20 others

7
Windows NT

• Originally, Cutler was to build successor to
  OS/2, called OS/2 NT
• Microsoft/IBM collaboration
• With success of Windows 3.0 in 1990
• Microsoft changed its mind
• Windows NT to be their UNIX-beater

8
Backwards Compatibility

• What is backward compatibility?
• New-and-improved works with bad/old versions
• NT tried to be backwards compatible
• Users complain if not backwards compatible
• But, creates many security compromises
• Continues to plague Windows ( others) today
• Damned if you do, damned if you dont

9
Windows History

• After introduction of NT
• Incremental changes NT 3.1, 3.5, 3.51, 4.0
• Major overhaul Windows 2000
• In essence, Windows NT 5.0
• Windows XP (eXPerience)
• Released in October 2001
• Refers to itself as Windows 2002
• Windows Server 2003

10
Windows History

• 1993 to 2001, dual Windows lines
• Home users Windows 3.0/3.1/95/98/Me
• Professional NT 3.1/3.5/3.51/4.0/2000
• Windows XP
• Evolved from NT (professional) line
• For home and professional users
• Ended the dual Windows approach

11
BAD Old Days

• Before Active Directory (BAD)
• Windows 2000 Active Directory
• Major shift in security
• Active Directory all-in-one service for locating
  stuff
• Find printer in next cubicle
• Change pwd policy on machines in branch office

12
Active Directory

• Active Directory
• Native mode --- all Windows 2000 environment
• Mixed mode --- some pre-2k machines
• Which is more common?
• Backwards compatibility
• Necessary to understand what came before Active
  Directory
• More on Active Directory later

13
BAD Basics

• Before Active Directory
• Domains (currently deprecated)
• Networked Windows computers that share an
  authentication database
• Single sign-on for domain
• Must have a domain controller
• For authentication to the domain
• Usually more than one controller

14
BAD Basics

• Primary Domain Controller (PDC)
• First server in domain
• Updates authentication info in Security Accounts
  Manager (SAM) database
• Backup Domain Controller (BDC)
• Can access SAM, but not update
• Admin can temporarily promote BDC
• Active Directory all controllers authoritative
• More robust, but possibly less secure

15
BAD Basics

• Domain sets critical parameters
• Min pwd length
• Pwd expiration policy
• Restrictions on users, etc.
• Workgroup --- like domain but worse
• No control mechanisms

16
Shares

• Share
• Connection to network devices
• Used with domains and Active Directory
• Similar to NFS mounts in UNIX
• Windows Explorer My Network Places
• Convenient transparent way for users to reach
  across the network

17
Windows Architecture

• NT architecture based on layers
• Layers important to security
• Each layer restricts layer above
• Security issues are nearly always a result of
  some sort of compromise of this layering.
• Two modes user mode, kernel mode

18
Windows Architecture
19
User Mode

• Part of OS that users interacts with
• User mode is go between
• Between user and kernel
• Strict communication rules
• Application Program Interfaces (APIs)
• User mode 2 types of services
• Integral subsystem native to Windows
• Environment services support for other OSs

20
User Mode

• Integral subsystem
• Provide APIs used by Win32 apps
• For OS functions such as files, windows, process
  mgmt, virtual memory, I/O, etc.
• DLLs translate (documented) API calls into
  (undocumented) calls into kernel
• User mode ? Kernel Executive subsystem

21
LSASS

• Local Security Authority Subsystem Service
• User mode subsystem
• Determines if login is valid
• Sends login data to SAM database
• For each account, SAM has 2 entries
• NT pwd hash, LM/LanMan pwd hash --- Why???
• Backwards compatibility, of course!

22
Windows Passwords

• NT hash used in NT and beyond
• LM hash used in Windows 95 98
• SAM entries not stored in ASCII
• Different from UNIX
• Pwdump3 converts to readable form
• How are pwd hashes derived?

23
Windows Passwords

• LM pwd hashes
• Assume pwd is 14 characters or less
• Pad password to 14 characters
• Split into two 7-char strings
• Convert to lower-case
• Hash each half independently
• Use DES block cipher (string is the key)
• No salt is used

24
Windows Passwords

• NT password hash
• Hash entire pwd using MD4, no salt used
• Note MD4 not a strong hash
• Which is better, NT or LM?
• Spse 64 choices/character, 14 char pwd
• NT try 283, LM try 242
• LM is 2,000,000,000,000 times easier
• LM is even worse than that

25
Windows Password

• By default, both LM and NT hashes
• What will attacker do?
• Attack LM pwd, of course
• May need to convert to upper case
• Still much easier than NT pwd
• Both types unsalted (dictionary attacks)
• Disable LM if possible

26
Kernel Mode

• Fundamental OS issues
• Memory mgmt, deal with hardware, etc.
• More secure than user mode
• Security Reference Monitor
• Part of Executive subsystem
• Checks attempts to access kernel mode
• Checks attempts to access files, etc.
• Checks permissions, gather audit data, etc.

27
Kernel Mode

• Object Manager
• Manages info about files, directories, etc.
• Objects get Object Identifier (OID)
• OIDs used by Object Manager
• Object Manager aware of some inheritance
  relationships (e.g., subfolders)

28
Kernel Mode

• Hardware Abstraction Layer (HAL)
• Deals with hardware in a high-level way
• Low level details left to device drivers
• Makes life easier for Windows
• but not for hardware manufacturers
• Bad drivers can cause serious problems like
  crashing the whole system
• Windows used to support multiple processors

29
Service Packs and Updates

• When bugs and problems are found
• Patches come in 2 flavors
• Hotfixes/patches --- specific issue
• Service packs --- major bundle of fixes, once per
  6 months to year
• Automatically (Windows Update service)
• Fixes to OS and to other MS products
• Patching is a big deal for companies

30
Accounts

• Default accounts Administrator, Guest
• Administrator account
• Administrator has highest privilege
• Administrator acct cannot be locked or deleted
• Can only be disabled if another admin exists
• If one Admin acct, unlimited pwd guessing
• Good idea to have more than one Admin acct

31
Accounts

• Guest account
• Anyone can log on to guest acct
• Limited in what it can do, but still
• Guest is generally a bad idea
• Disabled by default on modern Windows

32
Accounts

• User accts, application accts, etc.
• How to secure accounts?
• Give all admin accts neutral names
• Change acct description(s) too
• Create decoy acct named Administrator
• Disable Guest, give it a strong pwd
• Belt and suspenders principle
• Security by obscurity? Is it worth it?

33
Groups

• Used to control access/privilege
• Why not users accounts?
• Easier to manage (fewer) groups instead of (many)
  users
• Before Active Directory (Win 2K)
• Two types of groups
• Global groups, local groups

34
Groups

• Local groups give access to resources
• Global groups cannot grant access
• Typically, users included in global groups
• Global groups then included in local groups
• Access given to those in local group (including
  those in included global groups)
• Global groups cannot be included in global groups
• Local groups cannot be included in local groups

35
Groups

• Huh?
• For example, suppose a new hire
• Include user in global groups
• Then automatically included in appropriate local
  groups
• Otherwise, have to make config changes to
  individual local machines

36
Default Groups

• Local Administrators, Account Operators, Power
  Users, Server Operators, Backup Operators, Print
  Operators, Replicator, Users, Guests
• Global Domain Administrators, Domain Users

37
Special Groups

• Special since cannot add or delete users
• But can change group rights/privileges
• Special groups are local groups
• EVERYONE --- for about anything
• SYSTEM --- holy grail
• Nothing has higher privilege
• Not a login ID
• Some processes run with SYSTEM privilege
• Compromise one of these and you own system

38
Special Groups

• Other special groups
• INTERACTIVE --- currently logged in locally
• NETWORK --- currently logged in non-locally
• CREATOR OWNER --- owner of a given object
  (confusing name)
• These are not as special as SYSTEM

39
Privilege

• Privilege --- capacity to access and manipulate
  things
• Rights --- things users can do can be
  added/modified (accts and groups)
• Abilities --- built-in capabilities
• Administrator --- highest privilege
• Operator groups --- like bits and pieces of admin
• Power user --- next highest
• Then users followed by guest

40
Privilege Control

• advanced rights control internal functions
  within Windows system
• Example Act as Part of Operating System
• Gives right to reach into kernel mode
• Attacker has got to love this
• Principle of least privilege
• Give least privilege needed to do job
• Putting this into practice is one of the most
  fundamental steps to making Windows (or any
  operating system, for that matter) more secure.

41
User Rights Assignments
42
Policies

• Admin can create policies
• Can affect local machine
• Or entire domain
• Account Policy --- most basic policy
• Applies to all accounts in a domain
• Max pwd age, pwd history, lockout, etc.
• See next 2 slides

43
Account Policies Passwords
44
Account Policies Lockout
45
User Properties Settings

• User Properties
• Technically, not Policies, but serve similar
  purpose
• Like Policies, but set for individual accts
• E.g., User Must Change Password at Next Login,
  User Cannot Change Password, etc.

46
User Property Settings
47
Trust

• Extends login across domains
• Like single sign-on to trusting domains
• One (or more) global group in trusted domain must
  be included in one (or more) local groups in
  trusting domain
• Can limit access via local group(s)

48
Windows Trust Models

• No trust --- most secure, most inconvenient
• Complete trust --- every domain trusts every
  other domain
• Master domain --- user accounts in central
  account domain
• Gives central control for mapping users to
  resources (via groups)
• Multiple master domains --- like a distributed
  master domain

49
Windows Trust

• Based on password authentication
• Better than UNIX r-commands
• Btw, what is authentication based on in UNIX
  r-commands?
• Active Directory uses Kerberos (Windows 2000)

50
Auditing

• Can only audit what you log
• Types of logging/audit
• System
• Security (or just auditing) --- logons,
  logoffs, file access, use of rights, etc.
• Application

51
Auditing

• By default, detailed auditing is off
• And not available in XP home edition
• Not easy to decide what to log
• Some important data not logged
• Source/destination IP address, whether system
  reinstall occurred, etc.

52
Audit Settings
53
Access Control and Permissions

• How to control access to objects
• Ownership
• Each object has owner (OWNER CREATOR)
• Owner can always change permissions
• File Allocation Table (FAT)
• No access control --- the reason why Windows 95,
  98, Me cannot be secure

54
Access Control and Permissions

• NTFS (NT File System)
• Good performance, recoverability, etc.
• Reasonable set of permissions
• One of the most effective parts of Windows
  security
• Number of permissions is bewildering

55
Example NTFS Permissions

• No access --- what it says
• Read --- read and execute
• Change --- read, execute, write, delete
• Full Control --- Change plus change permissions
  and take ownership
• These are actually combinations of more granular
  permissions

56
Share Permissions

• Recall shares are kind of like NFS mounts
• Permissions on components of file system
• For example, a shared folder
• Remote access depends on both NTFS and share
  permissions
• Least access wins
• Local login --- only NTFS permissions apply
• Potentially a security issue

57
Weak Default Permissions

• Many default permissions faulty
• E.g., default permission on \Windows (\winnt)
  directory allows Power Users to get copy of SAM
  database
• System should be hardened
• Entire books written on this subject

58
Network Security

• Protocols and APIs
• SMB/CIFS
• Server Message Block protocol --- MS
  implementation is called Common Internet File
  System
• Weak authentication --- many attacks
• No details at this point in book

59
Network Security

• NetBEUI/NetBIOS --- older (deprecated) network
  environment
• DoS and other attacks
• Microsoft Internet Information Service (IIS) ---
  built-in Web server
• Attackers love IIS

60
Summary of BAD Old Days

• Before Active Directory (BAD)
• That is, before Windows 2000
• We discussed
• History
• Windows 3.0/95/98 (no security)
• Windows NT
• Backwards compatibility

61
Summary of BAD Old Days

• Domains --- SSO to networked machines
• Shares --- analogous to NFS mounts
• Modes --- User Mode, Kernel Mode
• Service packs/updates
• Accounts
• Groups --- local and global
• Privilege --- rights and abilities

62
Summary of BAD Old Days

• Policies --- apply to all accts in domain
• Properties --- individual accounts
• Trust --- across domains
• Auditing/Logging
• Access control/permissions
• FAT --- no security
• NTFS --- good level of security
• Network security/protocols

63
Windows 2000

• What is Windows 2000?
• Windows 2000, XP, Server 2003
• Vista not covered in text
• Much of BAD stuff lives on
• But some important changes
• Including many new security features

64
Windows 2000

• Windows 2000 offers a multitude of features and
  represents a huge increase in the growth of
  operating system size, resource consumption, and
  complexity
• According to Paul Kocher, complexity is the
  enemy of security

65
Windows 2000

• New non-security features
• Power management, built-in terminal services,
  Microsoft Management Console, Microsoft Recovery
  Console, Plug-and-Play (Plug-and-Pray?)
• But were interested in security

66
Windows 2000

• New security features
• MS implementation of Kerberos
• SSPI --- supports new authentication mechanisms
• MS implementation of IPSec
• L2TP --- Layer Two Tunneling Protocol, for
  security on the LAN
• Active Directory --- central nervous system
• Support for smart cards
• Encrypting File System (EFS)

67
Native vs Mixed Mode

• Native Mode --- all domain controllers 2000
• Backward compatibility issues go away
• Can take full advantage of 2k security
• Remainder of chapter deals with Native mode
• Mixed Mode --- some older domain controllers
• 1st part of chapter applies to Mixed mode

68
Domains Deemphasized

• NT domains got in the way
• Boundary between resources services
• NT browsing services costly
• Domains exist in 2000
• But not as important as in NT
• Active Directory --- simplifies way to find and
  administer resources

69
Domains in Windows 2000

• Not for network organization
• Instead, for common policy settings
• Domains deployed in trees or forests
• Link trusted domains together
• Trees have contiguous name space (easier to
  find resources)
• Forests noncontiguous name space

70
Domains

• In tree form

71
Domains

• In Win 2000
• No distinction between PDCs and BDCs
• All domain controllers authoritative
• I.e., all can propagate pwd changes
• Good for robustness
• questionable for security
• Multiple single points of failure

72
Active Directory

• Active Directory
• All of your eggs in one basket
• Based on LDAP
• Find resources on network
• Security-wise
• Acts a s massive data repository
• Accounts, security policies, files, etc., etc.
• Depends heavily on DNS
• Uses Dynamic DNS (DDNS) to find stuff

73
Security in Windows 2000

• Greater complexity requires more careful
  configuration
• Protect Active Directory by
• Limited admin privilege
• Beware of mixed mode attacks
• Install in its own partition (out of the way of
  way of IIS, other dangerous stuff)

74
Physical Security

• Kerberos
• Recall Key Distribution Center (KDC)
• Access to KDC gives access to tickets
• KDC lives on a server
• Client machines cache important info
• Credentials encrypted with KDC key
• So, access to client credentials not a big deal
• But, access to KDC key breaks entire system

75
Templates

• For setting security parameters
• Include many pre-packaged recommended settings
• Easy to develop custom templates
• Center for Internet Security provides security
  templates

76
Windows 2000 Architecture

• As before, user mode, kernel mode
• Kernel mode now includes
• Plug and Play Manager
• Power Manager
• Window Manager, etc.

77
Accounts and Groups

• Accounts almost same as pre-2000
• Power Users group is potential problem
• Reducing privilege may break things
• Three security groups
• Domain local, global, universal
• Universal every domain in a forest
• In native mode, global can include global groups

78
Organizational Units

• OUs are hierarchical groups of users
• Can inherit properties (within domain)
• Important for privilege control
• Supports delegation of privilege
• Children OU can never have more rights than
  parent OU
• Good way to limit privilege

79
Organizational Units

• Downside to OUs
• Only recognized within domain
• 3 levels is practical max (performance)

80
Privilege Control

• Rights more granular than in NT
• Multiple ways to accomplish same thing
• No abilities

81
RunAs

• Run with different privilege
• E.g., Admin execute with lower privilege

82
Policies

• Group Policy Objects (GPOs)
• Password policy, IPSec, Kerberos, etc.
• Granularity! (e.g., the appearance of IE)
• GPOs allow for different polices for
• Different users
• Different OUs
• Different computers, domains, etc.

83
GPOs
84
Trust

• In NT, MS-specific authentication
• In 2000, Kerberos
• Plug a domain into tree (or forest)
• Automatically trusts (and trusted by) all other
  domains in tree (or forest)
• Any domain can trust any other
• Problem, if not managed carefully
• Attackers like orphan domains

85
Auditing

• Similar to NT
• Security Log
• 9 (instead of 7) categories
• Account Logon Events, Account Management,
  Directory Service Access, Logon Events, Object
  Access, Policy Change, Privilege Use, Process
  Tracking, System Events

86
Access Control

• Similar to NT
• NT uses NTFS-4
• Windows 2000 uses NTFS-5
• Standard permissions
• Full Control
• Modify
• Read and Execute
• Read
• Write

87
Access Control

• NTFS-5 basic permissions
• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes (e.g., encryption)
• Create Files/Write Data
• Create Folders/Append Data
• Write Attributes
• Write Extended Attributes
• Read Permissions
• Change Permissions
• Delete Subfolders and Files
• Delete
• Take Ownership
• Synchronize (make contents of one file identical
  to another)

88
Encrypting File System

• EFS automatically and transparently
  encrypts/decrypts files
• DES, 3DES, or AES
• Does not encrypt files on network
• Only one user per file allowed
• Slight performance issue
• Critical to back up EFS key!

89
Conclusion

• Securing Windows not a trivial matter
• Windows a target-rich environment
• Weak default settings
• Backward compatibility
• Complexity

90
Summary

• History
• Pre-2000
• Domains, service packs, user mode, kernel mode,
  SAM passwords, Security Reference Monitor,
  accounts, groups, rights, abilities, trust,
  logging/audit, NTFS/access control/permissions,
  shares, network security

91
Summary

• 2000
• Active Directory
• Kerberos, IPSec, etc.
• Lesser modifications domains deemphasized,
  accounts/groups, OUs, rights, RunAs,
  Policies/GPOs, Trust, Access control/NTFS-5, EFS