Security
Agenda
1. Security Context & Security Principal
2. What is an Access Token?
3. How to secure accounts in Windows?
4. Rights and Permissions
5. How & where does Windows store passwords?
6. Trade-offs in Windows Security
7. Duties of a Developer!
Security Context
One of the basic tenets of Windows security is that each process runs on behalf of a user. So, each running process is associated with a security context.
A security context is a bit of cached data about a user, including her SID, group SIDs and privileges.
Security Principal
A security principal is an entity that can be positively identified and verified via a technique known as authentication.
Security principals in Windows are assigned on a process-by-process basis, via a little kernel object called a token.
Each user, computer or group account is a security principal on a system running Windows Server 2003, Windows 2000 or Windows XP.
Security principals receive permissions to access resources such as files and folders. User rights, such as interactive logon, are granted or denied to accounts directly or by membership in a group.
There are 3 types of security principals:
1) User principals
2) Machine principals
3) Service principals
Security Identifier (SID)
Users reference their accounts by usernames, but the operating system internally references accounts by their security identifier.
SIDs are unique in their scope (domain or local) and are never reused. So, they are used to uniquely identify user and group accounts in Windows.
By default the operating system
A SID consists of various parts:
S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>
Revision: This value indicates the version of the SID structure used in a particular SID. For Windows Server 2003, Windows 2000 and Windows XP, it is currently 1.
Identifier authority: This value identifies the authority that can issue SIDs for this particular type of security principal.
Subauthority: The most important information in a SID is contained in a series of one or more subauthority values. All values except the last one collectively identify the domain and are called the Domain Identifier; the last value is the Relative Identifier (RID).
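The SID layout described above, as an added example that is not part of the original slides: a small Python parser that decodes the binary SID structure (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) into the S-1-... string form, encodes a string back to bytes, and splits a string SID into the Domain Identifier and the RID exactly as the slide defines them. S-1-5-32-544 is the real well-known SID of the local Administrators group and 15 is the Windows limit on sub-authorities; the domain-user SID is a constructed sample value.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # Windows limit on the number of sub-authorities in a SID


def parse_sid(blob: bytes) -> str:
    """Decode the binary SID layout into S-<revision>-<authority>-<subauthorities>.

    Byte 0 is the revision, byte 1 the sub-authority count, bytes 2..7 the
    48-bit big-endian identifier authority, followed by `count` 32-bit
    little-endian sub-authorities, the last of which is the RID.
    """
    if len(blob) < 8:
        raise ValueError("SID header is too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subauthorities = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subauthorities)])


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back into the binary layout parse_sid() reads."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauthorities) > MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError(f"SID fields out of range: {sid!r}")
    return (bytes([revision, len(subauthorities)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subauthorities)}I", *subauthorities))


def split_sid(sid: str) -> tuple:
    """Split a string SID into (Domain Identifier, RID): every sub-authority
    but the last identifies the domain, the last one is the RID."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID has no sub-authority, so it carries no RID")
    return "-".join(parts[:-1]), int(parts[-1])


# Constructed samples: the well-known local Administrators group and a made-up
# domain account whose three middle values form the Domain Identifier.
ADMINISTRATORS_GROUP = "S-1-5-32-544"
SAMPLE_DOMAIN_USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    raw = sid_to_bytes(SAMPLE_DOMAIN_USER)
    print(raw.hex(), "->", parse_sid(raw))
    print(split_sid(SAMPLE_DOMAIN_USER))
```

The round trip makes the layout concrete: the revision byte is always 1 on the systems the slides cover, the identifier authority is 5 (NT Authority) for both samples, and only the final sub-authority changes between two accounts in the same domain.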
Where is the SID located?
When a user logs in for the first time, the operating system makes chuckling sounds, and explorer.exe starts running only after some time. This is because the operating system is creating a user profile.
The operating system dynamically loads the subkeys under HKEY_USERS as users log on and off interactively.
To see this, open the registry (type regedit at Start menu > Run), type runas /u:user-account cmd at the command prompt and give the password. A new window will open. Refresh the registry (F5) at HKEY_USERS to see the dynamically loaded SIDs.
The files NTUSER.DAT and
Access Token
A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs and privileges.
A token is created whenever a user successfully logs on to the network, and a copy of this token is assigned to every process and thread that executes on the user's behalf.
A token consists of the following components.
Account Security
User accounts are the core unit of network security. In Windows Server 2003 and Windows 2000, domain accounts are stored in the Active Directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database. The passwords for the accounts are stored and maintained by the System Key.
Though the accounts are secured by default, we can secure them even further.
Go to Administrative Tools in Control Panel (only when you are logged in as an admin) and click on Local Security Settings. There you will find the Account Policies. They contain password policies and account lockout policies.
Account Lockout Policies:
Account lockout duration: Locks out the account after a particular duration (1-99,999 minutes). This feature is only present in Windows Server 2003 and Windows 2000, not in Windows XP.
Account lockout threshold: Locks out the account after a particular number of failed attempts (1-999 attempts). This feature is only present in Windows Server 2003 and Windows 2000, not in Windows XP.
Reset account lockout counter after: Resets the account lockout counter after 1-99,999 minutes. This feature is
Password Policies:
Enforce password history: Enforces password history (0-24).
Maximum password age: Sets the maximum password age (0-999).
Minimum password age: Sets the minimum password age (0-999).
Minimum password length: Sets the minimum password length (0-14).
Password must meet complexity requirements: Forces users to set complex alphanumeric passwords.
Store passwords using reversible encryption for users in the domain: We enable this if we want the
Rights: Rights are actions or operations that an account can or cannot perform.
User rights are of two types:
Privileges: A right assigned to an account, specifying allowable actions on the network. Ex: Back up files and directories.
Logon rights: A right assigned to an account, specifying the ways in which the account can log on to a system locally. Ex: Access this computer from the network.
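The account policies and user rights described in the last two slides, as an added example that is not from the original presentation: a Python audit script that parses a security template in the INI style written by `secedit /export /cfg <file>` and reports settings that leave a control switched off (lockout threshold 0, blank passwords allowed, complexity off, reversible encryption on, an inconsistent lockout window) or that grant a sensitive privilege such as Back up files and directories to a broad group. The sample template is constructed; the [System Access] and [Privilege Rights] key names and the `*SID` grantee syntax are the ones secedit uses, and the note that a real export is a UTF-16 file is an assumption recorded in the comments.

```python
import re

# Constructed sample in the shape of a `secedit /export /cfg <file>` template.
# Assumption: a real export is a UTF-16 file with extra [Unicode]/[Version]
# sections; open it with encoding="utf-16" and pass the text to parse_inf().
SAMPLE_INF = """
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-1-0
SeDebugPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""


def parse_inf(text: str) -> dict:
    """Parse [Section] / Key = Value text into a dict of dicts."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


# Well-known broad groups that should not hold powerful privileges.
BROAD_GROUPS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                "S-1-5-32-545": "Users"}
# Privileges whose holders can read or replace any file or control any process.
SENSITIVE_PRIVILEGES = ("SeBackupPrivilege", "SeRestorePrivilege",
                        "SeDebugPrivilege", "SeTcbPrivilege")


def audit(sections: dict) -> list:
    """Return findings for settings that switch a control off or over-grant a privilege."""
    access = sections.get("System Access", {})
    rights = sections.get("Privilege Rights", {})

    def value(key: str) -> int:
        return int(access.get(key, 0))

    findings = []
    if value("PasswordHistorySize") == 0:
        findings.append("PasswordHistorySize=0: old passwords can be reused immediately")
    if value("MaximumPasswordAge") <= 0:
        findings.append("MaximumPasswordAge: passwords never expire")
    if value("MinimumPasswordLength") == 0:
        findings.append("MinimumPasswordLength=0: blank passwords allowed")
    if value("PasswordComplexity") == 0:
        findings.append("PasswordComplexity=0: complexity requirement off")
    if value("ClearTextPassword") == 1:
        findings.append("ClearTextPassword=1: passwords stored with reversible encryption")
    if value("LockoutBadCount") == 0:
        findings.append("LockoutBadCount=0: account lockout disabled")
    elif 0 < value("LockoutDuration") < value("ResetLockoutCount"):
        findings.append("ResetLockoutCount exceeds LockoutDuration: inconsistent lockout window")
    for privilege in SENSITIVE_PRIVILEGES:
        holders = [h.lstrip("*") for h in rights.get(privilege, "").split(",") if h]
        for sid in holders:
            if sid in BROAD_GROUPS:
                findings.append(f"{privilege} granted to {BROAD_GROUPS[sid]} ({sid})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_inf(SAMPLE_INF)):
        print(finding)
```

On a Windows Server 2003 or Windows 2000 machine the same checks run against the live policy by exporting it with `secedit /export /cfg policy.inf` and passing the decoded file contents to parse_inf(); the constructed sample above produces five findings, including the backup privilege granted to Everyone.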