
Windows Security
Agenda
1. Security Context & Security Principal
2. What is an Access Token?
3. How to secure accounts in Windows
4. Rights and Permissions
5. How and where does Windows store passwords?
6. Trade-off in Windows Security
7. Duties of a Developer
Security Context
One of the basic tenets of Windows security is that each process runs on behalf of a user.
So each running process is associated with a security context.
A security context is a bit of cached data about a user, including her SID, group SIDs and privileges.

Security Principal
A security principal is an entity that can be positively identified and verified via a technique known as authentication.
Security principals in Windows are attached to processes on a process-by-process basis, via a small kernel object called a token.
Each user, computer or group account is a security principal on a system running Windows Server 2003, Windows 2000 or Windows XP.
Security principals receive permissions to access resources such as files and folders. User rights, such as the right to log on interactively, are granted or denied to accounts directly or through membership in a group.
There are three types of security principals:
1) User principals
2) Machine principals
3) Service principals
Security Identifier (SID)
Users refer to their accounts by user name, but the operating system internally references accounts by their security identifier (SID).
SIDs are unique within their scope (domain or local machine) and are never reused, so they uniquely identify user and group accounts in Windows.
By default the operating system
A SID is made up of several parts:
S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>
Revision: the version of the SID structure used in a particular SID. For Windows Server 2003, Windows 2000 and Windows XP it is 1.
Identifier authority: identifies the authority that can issue SIDs for this type of security principal. Authority 5 (NT AUTHORITY) issues all account SIDs.
Subauthorities: the most important information in a SID is carried in a series of one or more subauthority values. For account SIDs (those beginning S-1-5-21), all values except the last one collectively identify the domain or local machine and are called the domain identifier; the last value is the relative identifier (RID) of the account within that domain. Some RIDs are fixed, for example 500 is always the built-in Administrator account of that domain or machine.
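The layout above, decoded from a SID's binary form, as an added example (PowerShell; this is not code from the original slides). It relies only on .NET's SecurityIdentifier class and on the documented binary layout of a SID: one revision byte, one subauthority-count byte, a 6-byte big-endian identifier authority, then 32-bit little-endian subauthorities. The two sample SIDs are the account SID that appears in the lsadump2 output later on this page and the well-known BUILTIN\Administrators group.

```powershell
# Added example, not from the original slides: decode the fields of a SID from
# its binary form and compare the "all but the last subauthority = domain"
# rule with .NET's own AccountDomainSid.
function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    $revision  = [int]$bytes[0]          # byte 0: structure revision (1)
    $count     = [int]$bytes[1]          # byte 1: number of subauthorities
    $authority = [int64]0                # bytes 2..7: identifier authority, big-endian
    for ($i = 2; $i -le 7; $i++) { $authority = $authority * 256 + $bytes[$i] }

    $subs = @()                          # bytes 8..: 32-bit little-endian subauthorities
    for ($i = 0; $i -lt $count; $i++) {
        $subs += [BitConverter]::ToUInt32($bytes, 8 + 4 * $i)
    }

    # All subauthorities but the last identify the issuing domain or machine;
    # the last one is the RID of the principal within it.
    $domain = $null
    if ($count -gt 1) {
        $domain = 'S-{0}-{1}-{2}' -f $revision, $authority, ($subs[0..($count - 2)] -join '-')
    }

    # .NET only regards S-1-5-21-... SIDs as "account SIDs" with a domain part.
    $dotNetDomain = $null
    if ($sid.IsAccountSid()) { $dotNetDomain = $sid.AccountDomainSid.Value }

    [pscustomobject]@{
        Sid                 = $SidString
        Revision            = $revision
        IdentifierAuthority = $authority
        SubAuthorities      = $subs
        DomainIdentifier    = $domain
        Rid                 = $subs[-1]
        DotNetDomainSid     = $dotNetDomain
    }
}

# Account SID from the lsadump2 output on this page: RID 500 is the built-in
# Administrator of that domain/machine, DomainIdentifier matches DotNetDomainSid.
ConvertFrom-Sid 'S-1-5-21-459157917-1707938598-1849977318-500' | Format-List

# BUILTIN\Administrators: the "domain" part is S-1-5-32, which .NET does not
# treat as an account domain, so DotNetDomainSid stays empty.
ConvertFrom-Sid 'S-1-5-32-544' | Format-List
```

The second call shows why the "everything but the last value is the domain" rule is a rule for account SIDs: well-known and built-in SIDs use the same structure but their leading subauthorities name a fixed authority, not a domain.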
Where is the SID located?
When a user logs on for the first time, the disk churns for a while and explorer.exe only starts after some delay. This is because the operating system is creating a user profile.
The operating system dynamically loads the subkeys under HKEY_USERS, one per SID, as users log on and off interactively.
To see this, open the registry editor (Start, Run, regedit), then at a command prompt type runas /user:<account> cmd and give that account's password. A new window opens for the second user. Refresh the registry view (F5) at HKEY_USERS to see the newly loaded SID.
The files NTUSER.DAT and
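The check described above, as an added PowerShell example (not code from the original slides): it lists the hives currently loaded under HKEY_USERS, resolves each SID to an account name, and reads the profile directory from the ProfileList key that Windows keeps for every profile it has created, which is where that user's NTUSER.DAT lives. The `_Classes` filter and the `(cannot resolve)` fallback are this example's choices.

```powershell
# Added example, not from the original slides: show which per-user hives are
# loaded right now and where each user's NTUSER.DAT comes from.
function Get-LoadedUserHive {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -like 'S-1-5-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sidText = $_.PSChildName
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = '(cannot resolve)' }   # deleted account or unreachable domain

            # ProfileList\<SID> exists once Windows has created a profile for that SID.
            $entry = Get-ItemProperty -Path (Join-Path $profileList $sidText) -ErrorAction SilentlyContinue
            $hiveFile = $null
            if ($entry) { $hiveFile = Join-Path $entry.ProfileImagePath 'NTUSER.DAT' }

            [pscustomobject]@{
                Sid         = $sidText
                Account     = $account
                Rid         = $sidText.Split('-')[-1]
                ProfilePath = $entry.ProfileImagePath
                HiveFile    = $hiveFile
            }
        }
}

# Run once, then in another window type  runas /user:<account> cmd  and run it
# again: the second user's SID shows up as a newly loaded hive.
Get-LoadedUserHive | Format-Table -AutoSize
```

Besides interactive users you will see S-1-5-18, S-1-5-19 and S-1-5-20 (SYSTEM, LOCAL SERVICE and NETWORK SERVICE): service accounts get profiles and loaded hives exactly like users do.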
Access Token
A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs and privileges.
A token is created whenever a user successfully logs on, to the local machine or to the network. A copy of this token is then assigned to every process that executes on the user's behalf (the process's primary token); a thread can additionally carry an impersonation token when it acts for another client.
A token consists of the following components.
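The components of the current process's token, read back as an added PowerShell example (not code from the original slides): user SID, group SIDs and privileges. User and group data come from .NET's WindowsIdentity; the privileges and their Enabled/Disabled state come from `whoami.exe /priv`, whose CSV output is parsed. Property names in the returned object are this example's choices.

```powershell
# Added example, not from the original slides: dump the token of the current
# process, i.e. the "security context" every process carries.
function Get-CurrentTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $groups = foreach ($g in $id.Groups) {
        try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }

    # One row per privilege held in the token. A privilege that is present but
    # Disabled must be enabled by the process before it can be exercised.
    $privs = whoami.exe /priv /fo csv | ConvertFrom-Csv

    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        OwnerSid           = $id.Owner.Value          # default owner for objects this token creates
        ImpersonationLevel = $id.ImpersonationLevel
        IsElevatedAdmin    = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        GroupCount         = @($groups).Count
        Groups             = $groups
        Privileges         = $privs
    }
}

$token = Get-CurrentTokenSummary
$token | Select-Object User, UserSid, OwnerSid, ImpersonationLevel, IsElevatedAdmin, GroupCount
$token.Groups     | Format-Table -AutoSize
$token.Privileges | Format-Table -AutoSize
```

On Windows Vista and later with UAC, an administrator's ordinary shell runs with a filtered token: IsElevatedAdmin is False, `whoami /groups` marks Administrators as "Group used for deny only", and most privileges are absent. Run the same function from an elevated shell to see the full token.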
Account Security
User accounts are the core unit of network security.
In Windows Server 2003 and Windows 2000, domain accounts are stored in the Active Directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database.
Passwords themselves are not stored: the system keeps password hashes, and those hashes are encrypted with the System Key (syskey).
Although accounts are reasonably secure by default, we can secure them further.
Go to Administrative Tools in Control Panel (while logged on as an administrator) and open Local Security Policy.
There you will find Account Policies, which contain the password policy and the account lockout policy.
Account lockout policy:
Account lockout threshold: locks the account after this many failed logon attempts (1-999; 0 means the account is never locked out).
Account lockout duration: how long a locked-out account stays locked (1-99,999 minutes; 0 means it stays locked until an administrator unlocks it).
Reset account lockout counter after: how long after the last failed attempt the failed-attempt counter is cleared (1-99,999 minutes).
These settings exist on Windows Server 2003, Windows 2000 and Windows XP Professional (Windows XP Home has no Local Security Policy console).
Password policy:
Enforce password history: number of previous passwords remembered so they cannot be reused (0-24).
Maximum password age: days before a password must be changed (0-999; 0 means it never expires).
Minimum password age: days a password must be kept before it can be changed again (0-999, and less than the maximum; with 0 a user can cycle straight through the history back to the old password).
Minimum password length: 0-14 characters (0 allows blank passwords).
Password must meet complexity requirements: forces users to choose passwords that are at least six characters long, do not contain the user name, and use characters from at least three of the classes upper case, lower case, digits and symbols.
Store passwords using reversible encryption for users in the domain: keeps passwords in a form equivalent to clear text, so it should stay disabled unless an application needs it. We enable this if we want the
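The account policies above, checked and applied from the command line, as an added PowerShell example (not code from the original slides). `secedit.exe` exports the local security policy as a template whose `[System Access]` section holds the same settings the Local Security Policy console shows; the threshold values used as a baseline here are this example's assumptions, not values from the slides. Both functions need an elevated shell.

```powershell
# Added example, not from the original slides: audit the local account policy
# against a baseline, and apply a corrected template with secedit.exe.
function Test-LocalAccountPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (run as administrator)' }

    # Parse the numeric "Key = Value" lines of the [System Access] section.
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # Baseline (example values). LockoutBadCount 0 = never lock out;
    # ClearTextPassword 1 = "store passwords using reversible encryption".
    $baseline = @(
        @{ Name = 'PasswordHistorySize';   Want = '>= 24';          Test = { param($v) $v -ge 24 } }
        @{ Name = 'MaximumPasswordAge';    Want = '1..90 days';     Test = { param($v) $v -ge 1 -and $v -le 90 } }
        @{ Name = 'MinimumPasswordAge';    Want = '>= 1 day';       Test = { param($v) $v -ge 1 } }
        @{ Name = 'MinimumPasswordLength'; Want = '>= 14';          Test = { param($v) $v -ge 14 } }
        @{ Name = 'PasswordComplexity';    Want = '1 (enabled)';    Test = { param($v) $v -eq 1 } }
        @{ Name = 'ClearTextPassword';     Want = '0 (disabled)';   Test = { param($v) $v -eq 0 } }
        @{ Name = 'LockoutBadCount';       Want = '1..10 attempts'; Test = { param($v) $v -ge 1 -and $v -le 10 } }
        @{ Name = 'LockoutDuration';       Want = '>= 15 minutes';  Test = { param($v) $v -ge 15 } }
        @{ Name = 'ResetLockoutCount';     Want = '>= 15 minutes';  Test = { param($v) $v -ge 15 } }
    )
    foreach ($b in $baseline) {
        $have = $policy[$b.Name]     # absent when lockout is disabled, for example
        [pscustomobject]@{
            Setting  = $b.Name
            Current  = $have
            Expected = $b.Want
            Pass     = ($null -ne $have) -and (& $b.Test $have)
        }
    }
}

function Set-LocalAccountPolicyBaseline {
    # Write a minimal security template with the baseline values and apply it.
    $inf = Join-Path $env:TEMP 'secpol-baseline.inf'
    $db  = Join-Path $env:TEMP 'secpol-baseline.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
}

Test-LocalAccountPolicy | Format-Table -AutoSize
```

Run `Test-LocalAccountPolicy` first; a freshly installed machine typically fails LockoutBadCount (0) and MinimumPasswordLength (0). After `Set-LocalAccountPolicyBaseline`, rerun the test; on a domain member the domain policy takes precedence and the local values you set are overridden on the next policy refresh.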
Rights
Rights are actions or operations that an account can or cannot perform.
User rights are of two types:
Privileges: a right assigned to an account that specifies allowable actions on the system. Example: Back up files and directories.
Logon rights: a right assigned to an account that specifies the ways in which the account can log on to a system (interactively, from the network, as a service, and so on). Example: Access this computer from the network.

Permissions
Permissions define which resources accounts can access and the level of access they have.
Right-click any file, open Properties, go to the Security tab and set permissions.
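The Security-tab operation above done from PowerShell, as an added example (not code from the original slides): create a test file, capture its inherited permissions, add an explicit Deny-Write entry for BUILTIN\Users, and show the resulting DACL. The file name and the choice of group are this example's assumptions.

```powershell
# Added example, not from the original slides: edit a file's DACL and observe
# how an explicit Deny entry sits in front of inherited Allow entries.
function Set-DenyWriteForUsers {
    param([string]$Path = (Join-Path $env:TEMP 'perm-demo.txt'))

    Set-Content -Path $Path -Value 'permission demo'
    $acl    = Get-Acl -Path $Path
    $before = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

    # Well-known SID S-1-5-32-545 = BUILTIN\Users; using the SID avoids localized names.
    $users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $users,
        [System.Security.AccessControl.FileSystemRights]::Write,
        [System.Security.AccessControl.AccessControlType]::Deny)

    # Deny entries are evaluated before Allow entries. AddAccessRule keeps the
    # DACL in canonical order, so the new deny wins over the inherited allow.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    $after = (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    [pscustomobject]@{ Path = $Path; Before = $before; After = $after; Sddl = (Get-Acl -Path $Path).Sddl }
}

$result = Set-DenyWriteForUsers
$result.Before | Format-Table -AutoSize
$result.After  | Format-Table -AutoSize
$result.Sddl      # the same DACL in SDDL form
```

Because the shell's user created the file it owns it, so no administrator rights are needed to change the DACL. Note that an administrator who is also a member of Users is denied writes too: access checks stop at the first matching Deny entry, regardless of later Allow entries.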
Where are the passwords stored on the system?
Account password hashes are kept in the SAM hive (HKLM\SAM). Passwords the machine itself must be able to use, such as service account and dial-up credentials, are kept in the machine's password stash under HKLM\SECURITY\Policy\Secrets, more formally known as the LSA private data store.
Both keys are readable only by the SYSTEM account, not by administrators, so to look at them regedit has to run as SYSTEM. On Windows 2000, XP and Server 2003 the scheduler service can do that: type at 9:23am /interactive regedit.exe, substituting a time one minute in the future. Once regedit starts, look carefully at the subkeys under HKLM\SECURITY\Policy\Secrets: you are looking at the machine's password stash.
(On Windows Vista and later, /interactive no longer works because services run in session 0 and the at command itself has since been removed; PsExec -s -i regedit.exe from Sysinternals gives the same SYSTEM-context view.)
Cached domain logons
Windows also caches the credentials of the last domain users who logged on, so they can still log on when no domain controller is reachable; the cache lives under HKLM\SECURITY\Cache. There is a registry setting to turn this feature off or to restrict the number of accounts cached.
For the following registry entry, change the default value:
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Type: REG_SZ (the number is stored as a string)
Value name: CachedLogonsCount
Default value: 10
Recommended value: 0-50 depending on your security needs (0 disables caching; 50 is the maximum Windows accepts).
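The registry change above, as an added PowerShell example (not code from the original slides). The function is this example's own; the key path, value name, REG_SZ type and the 0-50 range are the ones stated above. Run it from an elevated shell; the new count only takes effect for subsequent logons.

```powershell
# Added example, not from the original slides: read and set CachedLogonsCount,
# writing it with the correct REG_SZ type and refusing values outside 0..50.
function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $old = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # The value is REG_SZ, so the number must be written as a string: writing a
    # DWORD here would be ignored by Winlogon.
    Set-ItemProperty -Path $key -Name CachedLogonsCount -Value ([string]$Count) -Type String

    $new  = (Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
    $kind = (Get-Item -Path $key).GetValueKind('CachedLogonsCount')
    [pscustomobject]@{ Previous = $old; Current = $new; RegistryType = $kind }
}

# Stationary machines that are always on the network can do without the cache;
# laptops usually keep a small number so their owner can log on while travelling.
Set-CachedLogonsCount -Count 0
```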
But how secret is the LSA secrets data store?
A tool available on the net named lsadump2.exe, when run by a local administrator, retrieves the LSA secrets of the system, which frequently include service account passwords and other stored credentials.
lsadump2 uses DLL injection into the lsass.exe process to bypass the normal access control on security information stored by the Local Security Authority (LSA).
Sample output (the right-hand column decodes the UTF-16 strings, showing a RAS user name and a dial-up password in the clear):
D:\dnload\lsadump2>lsadump2
RasCredentials!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 35 00 00 00 00 00 00 00 77 00  0.0...5.......w.
 6D 00 61 00 70 00 6C 00 65 00 73 00 00 00 00 00  m.a.p.l.e.s.....
 00 00 30 00 00 00 00 00                          ..0.....
RasDialParams!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 36 00 33 00 00 00 00 00 2A 00  0.0...6.3.....*.
 00 00 77 00 6D 00 61 00 70 00 6C 00 65 00 73 00  ..w.m.a.p.l.e.s.
 00 00 77 00 77 00 77 00 77 00 77 00 77 00 77 00  ..w.w.w.w.w.w.w.
 31 00 00 00 00 00 31 00 00 00 00 00              1.....1.....
SAC
 02 00 00 00                                      ....
SAI
 02 00 00 00                                      ....
Another tool is Cain & Abel. It is recommended not to use it on a system with Service Pack 2 installed, as it is prone to cause serious damage to the system.
The System Key (syskey) is a machine key that encrypts the password hashes held in the SAM, so they cannot be retrieved directly from the registry or from a copied SAM file.
It is enabled by default from Windows 2000 onwards. Type syskey at a command prompt and press OK to confirm it is enabled, or use the dialog to choose where the key is kept (on the machine, derived from a password typed at startup, or on a floppy disk). The syskey utility was removed in Windows 10 version 1709 and Windows Server 2016 version 1709.
Note that syskey protects the hashes at rest only: it does not stop lsadump2, which reads the secrets after the LSA has already decrypted them.
Trade Off
There is always a trade-off between countermeasures and convenience.
Security and ease of use are the two ends of one long scale: moving towards one means moving away from the other.
[Figure: a scale with Security at one end, Ease of use at the other, and user satisfaction in between]
Users other than administrators are denied from installing software because they have no write access to Program Files.
That restriction exists because otherwise a Trojan running as an ordinary user could replace or take control of winword.exe in Program Files.
Developer's Duty
A good programmer develops applications that can be run by all users of the system, not only by administrators.
The applications should run smoothly even with all the security features of Windows enabled. In practice this means not writing to Program Files or HKEY_LOCAL_MACHINE at run time, but to locations the user can write, such as her own profile.
Windows is getting better and better at protection, but it is weak in countermeasures once a protection has failed.
The only countermeasure it provides out of the box is auditing.
We can audit every file on the system: right-click the file, open Properties, go to the Security tab, click Advanced, open the Auditing tab and add an audit entry.
Audit entries on files only produce events if object access auditing is also enabled in the audit policy (Local Security Policy, Audit Policy, Audit object access); the events then appear in the Security log in Event Viewer.
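The auditing setup above from the command line, as an added PowerShell example (not code from the original slides): enable the File System audit subcategory, add a SACL entry that records successful and failed write attempts on one file, then read back the resulting Security events. Auditing "Everyone" and event ID 4663 (an attempt was made to access an object) are this example's choices; both functions need an elevated shell, since reading or writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example, not from the original slides: add a file audit (SACL) entry
# and collect the events it generates.
function Enable-FileWriteAudit {
    param([Parameter(Mandatory)][string]$Path)

    # The SACL entry is only evaluated if object-access auditing is switched on
    # system-wide; on Vista and later this is the "File System" subcategory.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    $acl = Get-Acl -Path $Path -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # well-known SID: Everyone
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::Write,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    (Get-Acl -Path $Path -Audit).Audit     # show the SACL as now stored
}

function Get-FileWriteAuditEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Newest = 20)

    # 4663 = "An attempt was made to access an object"; the object name is in the message.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object -First $Newest -Property TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Usage: the file path is a placeholder for this example.
$target = Join-Path $env:TEMP 'audited.txt'
Set-Content -Path $target -Value 'watch me'
Enable-FileWriteAudit -Path $target
Add-Content -Path $target -Value 'one more line'   # generates a Success 4663 event
Get-FileWriteAuditEvents -Path $target | Format-Table -AutoSize
```

A SACL entry costs a Security-log event on every matching access, so audit a few sensitive files with Write, not entire directory trees with Full Control: otherwise the log fills and the useful events are rolled out before anyone reads them.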
