
• Description: whether you are for or against it, the Windows NT OS leaves no IT engineer or researcher indifferent. We first introduce some basics of the OS structure, then cover authentication, recalling the relevant attacks each time.

• Lecturer: Fabien Duchene

Windows security for n00bs | part 1

Security architecture & Access Control

SecurIMAG

2011-05-12

WARNING: SecurIMAG is a security club at Ensimag. Thoughts,

ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP

(2)

Summary

• 0. Introduction
• 1. Security components
• 2. Access control

==next session==

• Memory (Guillaume & Karim)

==next next session==

• 3. Authentication (Fabien)
• 4. Network (Fabien)

(3)

0. Introduction

SecurIMAG - Windows security for n00bs | part 1 - Fabien Duchene - 2011-05-12

• What Windows is
• What else … not?
• Windows NT brief history
• Talk perimeter

(4)

0. Introduction – What Windows is

• A major OS in the market

• … # numbers

• Windows XP SP3 is still the dominant corporate client OS at the time of this talk

(5)

0. Introduction – What else … not?

• NOT the most secure system ever built

  o Large attack surface

  o … but it can be hardened

• NOT the most configurable OS

• Source code « normally » not available

  o Governments, security agencies … you know where ;)

(6)

0. Windows NT brief history

• NT 4.0 (1996)
• NT 5.0 (1999/2000): Windows 2000 – SSPI
• NT 5.1 (2001): Windows XP – DEP (SP2), MSGINA
• NT 6.0 (2006/2008): Windows Vista, Server 2008 – ASLR, Integrity Levels, NLA, firewall, UAC, BitLocker, Credential Providers (replacing GINA)
• NT 6.1 (2009): Windows 7, Server 2008 R2 – more granular UAC (the slides call this "NT 7", but the kernel version is 6.1)

(7)

0. Talk perimeter


• Security mechanisms regarding:

• Windows XP

• Vista

• And 7

• Not necessarily presented per version, but more per

(8)

1. Windows NT 6.0 & 6.1 (Vista & 7) security components

• Security components (Windows Vista, i.e. NT 6.0)
• Windows XP vs Vista & 7 process hierarchy
• Security Reference Monitor (SRM)
• Local Security Authority SubSystem (LSASS)
• Session Manager SubSystem (SMSS)
• Wininit
• Services
• SAM

(9)

1.1. Security components (Windows Vista)

[Figure: Windows Vista architecture, after Windows Internals, 5th Edition – Windows Vista & Server 2008, Mark Russinovich, David Solomon]

User mode
• System support processes: Session Manager (smss), Wininit, Winlogon, LSA (lsass), Service Host (svchost), Print spooler
• User processes: Task Manager, Explorer, user applications; Windows and POSIX subsystem DLLs
• Windows DLLs over NTDLL.DLL (system call stubs)
• System threads

Kernel mode
• System service dispatcher (kernel-mode callable interfaces)
• Executive: Cache Manager, Object Manager, PnP Manager, Power Manager, Security Reference Monitor, Virtual Memory, Process Manager, Configuration Manager (Registry), Local Procedure Call, I/O Manager with the device & file system drivers
• Kernel and Hardware Abstraction Layer (HAL)
• Win32k: USER, GDI and the graphics drivers

(10)

1.2. Windows XP process hierarchy

System Idle Process (0)
+-- System (4)
    +-- Interrupts
    +-- smss.exe
        +-- csrss.exe
        +-- winlogon.exe
            +-- services.exe
            |   +-- Service1 (identity1)
            +-- lsass.exe
explorer.exe
+-- notepad.exe
+-- cmd.exe

(11)

1.2. Windows Vista & 7 process hierarchy

• Thanks to Process Explorer ;)

System Idle Process (0)
+-- System (4)
    +-- Interrupts
    +-- smss.exe
        +-- csrss.exe (session 0)
        +-- wininit.exe (session 0)
        |   +-- services.exe
        |   |   +-- Service1 (identity1) …
        |   +-- lsass.exe
        +-- csrss.exe (session 1)
        +-- winlogon.exe (session 1)
explorer.exe
+-- notepad.exe
+-- cmd.exe

(12)

1.2. Security Reference Monitor (SRM)

• Kernel-mode executive component

• Performs the access check each time a securable object is opened: the caller's access token against the object's security descriptor

  • Privileges held by the token

  • Access rights granted or denied by the object's DACL

• Generates audit entries (handed to LSASS for the Security event log)

(13)

1.3. Local Security Authority SubSystem (LSASS)

• User-mode process (lsass.exe)

• Running under the SYSTEM identity, SID S-1-5-18

• Authentication

  o Local accounts, and trusted domains through Netlogon

• Builds the access token after a successful logon

• Privileges (assigned from the local security policy)

• Audit entries (Security event log)

• Policy stored under HKLM\SECURITY (local account database under HKLM\SAM)

Mécanismes internes de la sécurité Windows, Pascal Saulière, 2010, Microsoft

[Figure: LSASS components – authentication packages Msv1_0.dll and Kerberos.dll, Netlogon, LSA Server, SAM Server, Active Directory, Event Logger – backed by the SAM, Active Directory and the LSA Policy database]

(14)

1.3. LSASS enforces password policy

(15)

Session Manager SubSystem (SMSS)


(16)
(17)

Services


(18)

2. Access Control

• Access control?
• Securable Windows NT objects
• SID
• Privileges
• Security Descriptor
• Access Control Lists
• Token
• Impersonation
• Mandatory Integrity Levels
• Auditing

(19)

Access Control?

• Several models:

  Mandatory Access Control

    o Several "levels"

    o Eg (Windows NT): Mandatory Integrity Level (Vista and later)

  Discretionary Access Control:

    o Eg (Windows NT): file ACLs (the owner decides who gets access)

  Role-Based Access Control

(20)

Securable Windows NT Objects

• Mailslots
• Peripherals
• Files
• Jobs
• Shared memory sections
• I/O completion ports
• Pipes (named & anonymous)
• LPC ports
• Events
• Mutexes
• Timers
• Semaphores
• Access tokens
• Window stations
• Desktops
• SMB shares
• Services
• Registry keys
• Printers

(21)

Security Identifier (SID)

• Statistically unique worldwide (the S-1-5-21-x-y-z machine/domain identifier is three 32-bit values generated at installation or domain promotion)

• Not all AD objects own a SID; ONLY the following do:

  o Computer accounts (assigned when the computer joins the domain)

  o Domain controllers (computer accounts, same as above)

  o User/service accounts (assigned when the account is created)

  o Security groups (a security group can contain security groups, users and computers)

• These objects are called "security principals". Each of them:

  o owns one SID: the account SID

  o is a member of [0..n] security groups: the group SIDs

Technical overview of the Microsoft PKI ADCS 2008 R2

(22)

Brief SID summary

S-1-5-21-1679959503-1445791782-2229217306-1109

• S: literal prefix of the string form
• Revision level: value 1 (stored in one byte, not 4 bits; always 1 so far)
• Identifier authority (48 bits): 0 = Null, 1 = World, 2 = Local, 3 = Creator Owner, 4 = Non-unique, 5 = NT Authority
• Sub-authorities (32 bits each, up to 15); the last one is the RID. Examples: S-1-0-0 = Null, S-1-1-0 = World, and under authority 3: 0 = Creator Owner, 1 = Creator Group, 2 = Creator Owner Server, 3 = Creator Group Server
• Under NT Authority, 21-x-y-z identifies the machine or domain and the trailing sub-authority is the account RID

Well-known SID examples:

S-1-0-0: Null
S-1-1-0: Everyone
S-1-2-0: Local
S-1-3-0: Creator Owner
S-1-3-1: Creator Group
S-1-5-1: Dialup
S-1-5-2: Network
S-1-5-3: Batch
S-1-5-4: Interactive
S-1-5-5-X-Y: Logon Session
S-1-5-6: Service
S-1-5-7: Anonymous Logon
S-1-5-9: Enterprise Domain Controllers
S-1-5-10: Self
S-1-5-11: Authenticated Users
S-1-5-12: Restricted
S-1-5-13: Terminal Server User
S-1-5-14: Remote Interactive Logon
S-1-5-18: Local System

Account RID:

500 = Administrator

(23)

Well-known SIDs for the « built-in » groups (BUILTIN, S-1-5-32-*)

SID            Name
S-1-5-32-544   Administrators
S-1-5-32-545   Users
S-1-5-32-546   Guests
S-1-5-32-547   Power Users
S-1-5-32-548   Account Operators
S-1-5-32-549   Server Operators
S-1-5-32-550   Print Operators
S-1-5-32-551   Backup Operators
S-1-5-32-552   Replicator
S-1-5-32-554   Pre-Windows 2000 Compatible Access
S-1-5-32-555   Remote Desktop Users

(24)

RID examples for domain accounts and groups

SID                  Name
S-1-5-<domain>-500   Administrator
S-1-5-<domain>-501   Guest
S-1-5-<domain>-502   krbtgt
S-1-5-<domain>-512   Domain Admins
S-1-5-<domain>-513   Domain Users
S-1-5-<domain>-514   Domain Guests
S-1-5-<domain>-515   Domain Computers
S-1-5-<domain>-516   Domain Controllers
S-1-5-<domain>-517   Cert Publishers

(25)

Know your SID!

• whoami /all


(26)

Storing SID?

https://secure.wikimedia.org/wikipedia/en/wiki/Security_Identifier
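The binary layout behind the string form (one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) is what the kernel and the registry actually store. The following Python is an added example, not code from the slides: it converts between the two forms, validates the size limits, and names a SID using the well-known tables above (plus S-1-5-18 and a few BUILTIN groups). The sample SIDs fed to it are constructed.

```python
import struct

# Identifier-authority values (the third field of S-1-<authority>-...).
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator",
               4: "Non-unique", 5: "NT Authority"}

# Well-known SIDs from the tables above, plus a few BUILTIN groups (S-1-5-32-*).
WELL_KNOWN = {
    "S-1-0-0": "Null", "S-1-1-0": "Everyone", "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup", "S-1-5-2": "Network", "S-1-5-3": "Batch",
    "S-1-5-4": "Interactive", "S-1-5-6": "Service", "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers", "S-1-5-10": "Self",
    "S-1-5-11": "Authenticated Users", "S-1-5-12": "Restricted",
    "S-1-5-13": "Terminal Server User", "S-1-5-14": "Remote Interactive Logon",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests", "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# RIDs that are fixed in every domain (S-1-5-21-<domain>-<rid>).
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
               512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
               515: "Domain Computers", 516: "Domain Controllers", 517: "Cert Publishers"}


def parse_sid(text):
    """Split 'S-1-5-21-...' into (revision, identifier_authority, [sub_authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15 or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("at most 15 sub-authorities of 32 bits each")
    return revision, authority, subs


def sid_to_binary(text):
    """Encode as the SID structure: Revision (1 byte) | SubAuthorityCount (1 byte) |
    IdentifierAuthority (6 bytes, big-endian) | SubAuthority[count] (4 bytes each, little-endian)."""
    revision, authority, subs = parse_sid(text)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def binary_to_sid(data):
    """Decode the structure back into its string form, refusing truncated input."""
    if len(data) < 8:
        raise ValueError("SID header truncated")
    revision, count = data[0], data[1]
    end = 8 + 4 * count
    if len(data) < end:
        raise ValueError("SID truncated: %d sub-authorities announced" % count)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:end])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe_sid(text):
    """Name a SID the way the tables above do: well-known, logon session, or domain RID."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    _, authority, subs = parse_sid(text)
    if authority == 5 and len(subs) == 3 and subs[0] == 5:
        return "Logon Session"                                  # S-1-5-5-X-Y
    if authority == 5 and len(subs) >= 4 and subs[0] == 21:
        domain = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])        # machine or domain identifier
        if len(subs) == 4:
            return "Domain/machine SID %s" % domain
        rid = subs[4]
        return "%s (RID %d) in %s" % (DOMAIN_RIDS.get(rid, "Account"), rid, domain)
    return "Unknown SID under authority %s" % AUTHORITIES.get(authority, authority)
```

Note that the machine SID of a standalone workstation has the same S-1-5-21 shape as a domain SID, so `describe_sid` cannot tell a local RID 500 from a domain Administrator without knowing which identifier belongs to the domain.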

(27)

Privileges

• Right to perform a specific system-wide action, not tied to one particular object (unlike an ACE). Eg:

  • Shut down the computer (SeShutdownPrivilege)

  • Load and unload device drivers (SeLoadDriverPrivilege)

  • Create a pagefile (SeCreatePagefilePrivilege)

  • Adjust memory quotas for processes (SeIncreaseQuotaPrivilege)

• "Allow logon locally" is a logon right rather than a privilege; both are assigned through the local security policy ("User Rights Assignment")

(28)
(29)

Privileges - Know yours!


• whoami /all

(30)

Security descriptor

• attached to a securable object S; contains:

  • Owner SID and primary group SID

  • DACL: 0…n ACEs

    o ACE: type (allow or deny), a security principal (SID), an access mask, inheritance flags

    o No DACL at all (NULL) = everyone has full access; an empty DACL = nobody has access

  • SACL: audit ACEs recording who attempted which actions on S (on Vista and later it also carries the mandatory integrity label)

(31)

Access Control Lists

• a list of ACEs (Access Control Entries)

• ACE: "a right/permission given to (or denied for) a specific SID on a specific object/resource"

• Resource examples:

  – Shared folder

  – LDAP object

Technical overview of the Microsoft PKI ADCS 2008 R2

(32)

[Figure: a file object, its security descriptor, and the ACEs held in the descriptor's DACL]

(33)

ACL – application order

• Inheritance flows from the most "generic" scope to the most precise one: a container's inheritable ACEs propagate to its children, where the child's own (explicit) ACEs are placed in front of them

• Evaluation then walks the DACL in canonical order: explicit deny, explicit allow, inherited deny, inherited allow; it stops at the first ACE that settles the request, i.e. a deny ACE covering a requested right, or enough allow ACEs to cover all of them

(34)

Exercise – is Sophie able to …?

(35)

SMB Share ACL

• The share ACL is applied first
• Then the file system (NTFS) ACL of the folder and files
• Both must grant the access: the effective permission over the network is the most restrictive of the two

(36)

Token

• Security context of a process or thread (a thread may carry its own impersonation token)

• Contains the user SID, the group SIDs, the privileges (enabled or disabled) and, since Vista, the integrity level

• Logon process: LSASS creates the token once the user is authenticated; Winlogon/Userinit then start the shell with it

• Inheritance: a child process gets a copy of its parent's primary token by default (CreateProcessAsUser can supply another one)

• Most token fields are immutable once created: privileges can be enabled or disabled, and a token can be copied into a more restricted one, never into a more powerful one

Token fields:

• Token source, impersonation type, token ID, authentication ID (logon session), modified ID, expiration time
• Default primary group, default DACL (applied to objects the token creates)
• User account SID, group SIDs (Group 1 … Group n), restricting SIDs (Restricted SID 1 … Restricted SID n)

(37)

Token – kernel structure on Windows 7


(38)

Token - administrator

• "Complete"/"normal" token: Administrators group enabled, administrative privileges present
• Restricted (filtered) token: with UAC (Vista/7) an administrator logon produces both; the filtered one (Administrators marked deny-only, privileges stripped, medium integrity) is what the shell and its children run with

(39)

Restricted token

• runas /trustlevel:0x20000 cmd.exe ("Basic User" trust level; 0x40000 is unrestricted)
• SRP (Software Restriction Policies)

(40)
(41)

Software Restriction Policy

• Enforce a restricted token ("Basic User" security level) or block execution altogether ("Disallowed") via Group Policy, for executables matched by path, hash, certificate or zone

(42)

Mandatory Integrity Level

• Enforced by the SRM (Vista and later)
• Process isolation: a lower-integrity process cannot open a higher-integrity one for writing
• Mandatory Access Control, checked before the DACL is consulted
• Depends on the "integrity" label of the process token and of the object (an object without a label counts as Medium)

(43)

Mandatory Integrity Level - example

Level       Value    Eg
System      0x4000   WININIT.EXE
High        0x3000   admin processes
Medium      0x2000   OUTLOOK.EXE
Low         0x1000   IEXPLORE.EXE (Protected Mode)
Untrusted   0x0000

[Figure: Mandatory Access Control (Wikipedia): processes at System, High, Medium and Low integrity versus objects at the same levels; an object may itself be a process, or e.g. kernel variables at System level]
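To make the mandatory check concrete, here is an added Python example, not code from the slides. It models the label SIDs (S-1-16-<level>, where the RID is the level value from the table above), the label policy bits of the mandatory-label ACE (NO_WRITE_UP is the default, NO_READ_UP is used on process objects), the check the SRM runs before looking at the DACL, and the UIPI rule that blocks shatter attacks. The UIPI exceptions that Windows grants (a handful of messages, uiAccess applications) are assumed away.

```python
from enum import IntEnum, IntFlag


class Integrity(IntEnum):
    """Mandatory integrity levels; the value is the RID of the label SID S-1-16-<value>."""
    UNTRUSTED = 0x0000
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


class LabelPolicy(IntFlag):
    """Mandatory-label ACE mask: what a lower-integrity subject may NOT do to the object."""
    NO_WRITE_UP = 0x1      # default on Vista/7 objects
    NO_READ_UP = 0x2       # e.g. process address spaces
    NO_EXECUTE_UP = 0x4


class Op(IntFlag):
    READ = 0x1
    WRITE = 0x2
    EXECUTE = 0x4


def label_sid_to_level(sid):
    """'S-1-16-8192' -> Integrity.MEDIUM (16 is the mandatory-label identifier authority)."""
    parts = sid.split("-")
    if parts[:3] != ["S", "1", "16"] or len(parts) != 4:
        raise ValueError("not a mandatory label SID: %r" % sid)
    return Integrity(int(parts[3]))   # ValueError for a value that is not a defined level


def mandatory_check(subject_level, object_level, op, policy=LabelPolicy.NO_WRITE_UP):
    """The SRM's mandatory check, performed BEFORE the DACL is consulted.

    A subject at or above the object's level passes; a lower subject is refused every
    operation the object's label policy forbids.  An object carrying no label is
    treated as MEDIUM.
    """
    if object_level is None:
        object_level = Integrity.MEDIUM
    if subject_level >= object_level:
        return True
    blocked = Op(0)
    if policy & LabelPolicy.NO_WRITE_UP:
        blocked |= Op.WRITE
    if policy & LabelPolicy.NO_READ_UP:
        blocked |= Op.READ
    if policy & LabelPolicy.NO_EXECUTE_UP:
        blocked |= Op.EXECUTE
    return not (op & blocked)


def can_send_window_message(sender_level, target_level):
    """UIPI: a lower-integrity process may not post/send messages to a higher-integrity window.

    This is what turns a classic shatter attack (a Low-IL process driving the message
    handlers of a High-IL window) into a refused call.
    """
    return sender_level >= target_level
```

The asymmetry matters in practice: with the default NO_WRITE_UP label, Protected Mode Internet Explorer (Low) can still read the user's Medium-labelled documents, it just cannot modify them, which is why the model is about integrity rather than confidentiality.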

(44)
(45)

Shatter attack


(46)

DLL injection

(47)

Privilege SeDebugPrivilege (SE_DEBUG_NAME)

• Debug programs

  o This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

• Caution

  • Assigning this user right can be a security risk. Only assign this user right to trusted users.

(48)

Mandatory Integrity Level - advantages

• Consequences:

  • Blocks shatter attacks: UIPI (User Interface Privilege Isolation) refuses window messages sent from a lower-integrity process to a higher-integrity window

  • Blocks DLL injection into higher-integrity processes: the process object cannot be opened for writing from a lower integrity level, whatever its DACL says

(49)

Impersonation


(50)
(51)

UAC granularity (Windows 7)


(52)

UAC – autoelevation?

• Frequent question: when you change the UAC alert level, which executables will Windows 7 allow to auto-elevate?

• Marker in the executable's manifest:

  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
    <autoElevate>true</autoElevate>
  </asmv3:windowsSettings>

(53)

UAC – autoelevate markers / whitelist


(54)

UAC – attack?

• How to auto-elevate without the user being prompted? Add that marker to your executable!

• Additional requirements: the executable must be signed by Microsoft (the Windows publisher certificate) and live in a secure location such as %SystemRoot%\System32

• Thus preventing EXTERNAL executables from auto-elevating

• … unless one injects a DLL into an executable that is allowed to auto-elevate. Problems:

(55)

Auditing
