
Windows Security

By Omkar Sravan Kasinadh

Agenda
1. Security Context & Security Principal
2. What is an Access Token?
3. How to secure accounts in Windows?
4. Rights and Permissions
5. How & where does Windows store passwords?
6. Trade-off in Windows Security
7. Duties of a Developer
8. Countermeasure (Auditing)

Security Context

One of the basic tenets of Windows security is that each process runs on behalf of a user.
So each running process is associated with a security context.
A security context is a bit of cached data about a user, including her SID, group SIDs and privileges.

Security Principal

A security principal is an entity that can be positively identified and verified via a technique known as authentication.
Security principals in Windows are assigned on a process-by-process basis, via a little kernel object called a token.
Each user, computer or group account is a security principal on a system running Windows Server 2003, Windows 2000 or Windows XP.
Security principals receive permissions to access resources such as files and folders. User rights, such as interactive logon, are granted or denied to accounts directly or by membership in a group. The accumulation of these permissions and rights defines what a security principal can and cannot do.

There are 3 types of security principals:
1) User principals
2) Machine principals
3) Service principals

Security Identifier (SID)

Users reference their accounts by usernames, but the operating system internally references accounts by their security identifier.
SIDs are unique in their scope (domain or local) and are never reused, so they are used to uniquely identify user and group accounts in Windows.

By default the operating system


A SID consists of various parts:

S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>

Revision: This value indicates the version of the SID structure used in a particular SID. For Windows Server 2003, Windows 2000 and Windows XP it is currently 1.
Identifier authority: This value identifies the authority that can issue SIDs for this particular type of security principal.
Subauthority: The most important information in a SID is contained in a series of one or more subauthority values. All values except the last one collectively identify the domain and are called the domain identifier; the last value represents the relative identifier (RID).
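The following Python is an added example, not code from the original slides: it splits the textual SID form described above into revision, identifier authority, domain identifier and RID, and converts it to and from the binary layout Windows stores (one revision byte, one subauthority-count byte, a 48-bit big-endian identifier authority, then little-endian 32-bit subauthorities). The well-known RID table is a small constructed lookup, and the sample SID is the one that appears in the lsadump2 output later on these slides.

```python
# Added example (not from the original slides): parse the textual SID form
# into its components and convert it to and from the binary layout Windows
# uses internally. WELL_KNOWN_RIDS is a small constructed lookup table.
import struct

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 544: "Administrators (built-in alias)"}
MAX_SUBAUTHORITIES = 15


def parse_sid(text):
    """Split 'S-1-5-21-...-500' into revision, identifier authority,
    domain identifier and RID, rejecting malformed input."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if not 1 <= len(subauths) <= MAX_SUBAUTHORITIES:
        raise ValueError("bad subauthority count in %r" % text)
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subauths):
        raise ValueError("value out of range in %r" % text)
    # everything except the last subauthority identifies the issuing domain
    domain = "S-%d-%d" % (revision, authority)
    if len(subauths) > 1:
        domain += "-" + "-".join(str(s) for s in subauths[:-1])
    return {"revision": revision, "authority": authority,
            "subauthorities": subauths, "domain_identifier": domain,
            "rid": subauths[-1], "rid_name": WELL_KNOWN_RIDS.get(subauths[-1])}


def sid_to_bytes(text):
    """Encode a SID string as the binary SID structure."""
    sid = parse_sid(text)
    subs = sid["subauthorities"]
    return (bytes([sid["revision"], len(subs)])
            + sid["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Decode a binary SID structure back to its textual form."""
    if len(data) < 8:
        raise ValueError("SID blob too short")
    revision, count = data[0], data[1]
    if count < 1 or len(data) != 8 + 4 * count:
        raise ValueError("SID blob length does not match subauthority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # sample SID taken from the lsadump2 output shown on these slides
    sample = "S-1-5-21-459157917-1707938598-1849977318-500"
    info = parse_sid(sample)
    print(info["domain_identifier"], info["rid"], info["rid_name"])
    print(sid_to_bytes(sample).hex())
```

Running it on the sample SID shows the domain identifier S-1-5-21-459157917-1707938598-1849977318 and RID 500, i.e. the built-in Administrator account of that domain, which is the account whose secrets the lsadump2 listing later on these slides belongs to.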

Where is the SID located?

When a user logs in for the first time, the operating system makes chuckling sounds and explorer.exe starts running only after some time. This is because the operating system is creating a user profile.
The operating system dynamically loads the subkeys under HKEY_USERS as users log on and off interactively.
To see this, open the registry (type regedit at Start menu > Run), then type runas /u:user-account cmd at the command prompt and give the password. A new window will open. Refresh the registry (F5) at HKEY_USERS to see the dynamically loaded SIDs.
The files NTUSER.DAT and NTUSER.DAT.LOG (which are present in the account profile, C:\Documents and Settings\your-account) make up the registry hive for the user profile.

Access Token
A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs and privileges.
A token is created whenever a user successfully logs on to the network, and a copy of this token is assigned to every process and thread that executes on the user's behalf.
A token consists of the following components: account ID, group IDs, rights, owner, primary group, source, type, impersonation level, statistics, restricted.

Account Security
User accounts are the core unit of network security.
In Windows Server 2003 and Windows 2000, domain accounts are stored in the Active Directory directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database.
The passwords for the accounts are stored and maintained under the System Key.
Though the accounts are secured by default, we can secure them even further.
Go to Administrative Tools in Control Panel (only when you are logged in as an admin) and click on Local Security Settings.
There you will find the Account Policies.
They contain the password policies and the account lockout policies.

Account lockout policies:

Account lockout duration: locks out the account for a particular duration (1 to 99,999 minutes). This feature is only present in Windows Server 2003 and Windows 2000, but not in Windows XP.
Account lockout threshold: locks out the account after a particular number of failed attempts (1 to 999 attempts). This feature is only present in Windows Server 2003 and Windows 2000, but not in Windows XP.
Reset account lockout counter after: resets the account lockout counter after a given time (1 to 99,999 minutes). This feature is only present in Windows Server 2003 and Windows 2000, but not in Windows XP.

Password policies:
Enforce password history: enforces password history (0 to 24 passwords remembered)
Maximum password age: sets the maximum password age (0 to 999 days)
Minimum password age: sets the minimum password age (0 to 999 days)
Minimum password length: sets the minimum password length (0 to 14 characters)
Password must meet complexity requirements: forces users to set complex alphanumeric passwords.
Store passwords using reversible encryption for all users in the domain: we enable this if we want the password to be decrypted and compared to plain text using methods like Challenge Handshake Authentication Protocol (CHAP) or Shiva Password Authentication Protocol (SPAP).
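The following Python is an added example, not code from the original slides: it models how the three account lockout settings above (threshold, reset counter after, lockout duration) interact over a sequence of failed logons, and approximates the "password must meet complexity requirements" check. The clock is a constructed minute counter, the policy values and account names are constructed samples, and the complexity rule (three of four character classes, no account name inside the password) is a simplification of the real filter rather than Windows' own code.

```python
# Added example (not from the original slides): a small model of Windows
# account lockout and password policies. Timestamps are constructed minute
# counters; the complexity rule is an approximation of Windows' filter.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failed attempts before lockout (0 disables lockout)
    reset_after_min: int = 30   # "Reset account lockout counter after" (minutes)
    duration_min: int = 30      # "Account lockout duration" (minutes; 0 = until an admin unlocks)
    min_length: int = 8         # "Minimum password length"


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_time: Optional[float] = None
    locked_until: Optional[float] = None   # float("inf") when an admin must unlock


def is_locked(state, now):
    """True while the lockout duration has not yet elapsed."""
    return state.locked_until is not None and now < state.locked_until


def record_failed_logon(state, policy, now):
    """Apply one failed logon at minute `now`; return True if the account is now locked."""
    if policy.threshold == 0:
        return False
    # an expired lockout clears both the lock and the bad-password counter
    if state.locked_until is not None and not is_locked(state, now):
        state.locked_until = None
        state.bad_count = 0
    # the counter also resets once the reset window passes with no bad attempt
    if (state.last_bad_time is not None
            and now - state.last_bad_time >= policy.reset_after_min):
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad_time = now
    if state.bad_count >= policy.threshold:
        state.locked_until = (float("inf") if policy.duration_min == 0
                              else now + policy.duration_min)
        return True
    return False


def record_successful_logon(state):
    """A good logon on an unlocked account clears the counter."""
    state.bad_count = 0
    state.last_bad_time = None


def meets_complexity(password, account_name, policy=LockoutPolicy()):
    """Approximation of 'Password must meet complexity requirements':
    minimum length, at least three of four character classes, and the
    account name must not appear inside the password."""
    if len(password) < policy.min_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_after_min=30, duration_min=30)
    state = AccountState()
    for minute in (0, 1, 2):   # constructed burst of three bad passwords
        print("minute", minute, "locked:", record_failed_logon(state, policy, minute))
    print("still locked at minute 10:", is_locked(state, 10))
    print("complexity ok:", meets_complexity("Tr0ub4dor&3", "alice"))
```

The reset window and the lockout duration are separate timers: the first decides whether old failures still count toward the threshold, the second decides how long a lockout lasts once triggered, and setting the duration to 0 means only an administrator can unlock the account.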

Rights: rights are actions or operations that an account can or cannot perform.
User rights are of two types:
Privileges: a right assigned to an account specifying allowable actions on the network. Ex: back up files and directories.
Logon rights: a right assigned to an account specifying the ways in which the account can log on to a system locally. Ex: access this computer from the network.

Permissions: define which resources accounts can access and the level of access they have.
Right-click on any file, open Properties, go to the Security tab and set permissions.
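The following Python is an added example, not code from the original slides, serving both the Access Token section and the Permissions section above: it shows how the SIDs cached in a token and the permissions set on a file (its DACL) combine in an access check. The ordered walk over ACEs, where a deny that touches any still-needed bit ends the check and allows accumulate until every requested bit is granted, follows the documented Windows algorithm; the access-mask bits are simplified, the domain SIDs and ACEs are constructed samples, and only the two well-known group SIDs (Users S-1-5-32-545, Administrators S-1-5-32-544) are real.

```python
# Added example (not from the original slides): token + DACL access check.
# Mask bits are simplified; the SIDs ending in 1104/1105 and the ACEs are
# constructed sample data. S-1-5-32-545 / -544 are the real Users and
# Administrators well-known groups.
FILE_READ = 0x1
FILE_WRITE = 0x2
FILE_EXEC = 0x4
READ_CONTROL = 0x20000   # read the object's security descriptor
WRITE_DAC = 0x40000      # change the object's DACL

ALLOW, DENY = "allow", "deny"


def access_check(token, owner_sid, dacl, desired):
    """Return True if every bit of `desired` is granted to `token` by `dacl`.

    token: {"user": sid, "groups": set_of_sids}   (what the access token caches)
    dacl:  ordered list of (ace_type, sid, mask); None means the object has no
           DACL at all (everything allowed), [] means nobody is allowed.
    """
    if dacl is None or desired == 0:
        return True
    granted = 0
    # the owner always gets to read and rewrite the security descriptor
    if token["user"] == owner_sid:
        granted |= READ_CONTROL | WRITE_DAC
    remaining = desired & ~granted
    principals = {token["user"]} | set(token["groups"])
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid not in principals:
            continue            # ACE does not apply to this token
        if ace_type == DENY and mask & remaining:
            return False        # a deny on any still-needed bit ends the check
        if ace_type == ALLOW:
            granted |= mask
            remaining = desired & ~granted
    return remaining == 0


# constructed sample principals (the last number is the RID, as on the SID slide)
ALICE = "S-1-5-21-1000-2000-3000-1104"
BOB = "S-1-5-21-1000-2000-3000-1105"
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"

alice_token = {"user": ALICE, "groups": {USERS}}
bob_token = {"user": BOB, "groups": {USERS, ADMINS}}

# canonical ordering: explicit denies before explicit allows
report_dacl = [
    (DENY, BOB, FILE_WRITE),
    (ALLOW, USERS, FILE_READ),
    (ALLOW, ADMINS, FILE_READ | FILE_WRITE | FILE_EXEC),
]


def demo():
    """Evaluate a few requests against the sample DACL (Alice owns the file)."""
    return {
        "alice_read": access_check(alice_token, ALICE, report_dacl, FILE_READ),
        "alice_write": access_check(alice_token, ALICE, report_dacl, FILE_WRITE),
        "alice_write_dac": access_check(alice_token, ALICE, report_dacl, WRITE_DAC),
        "bob_write": access_check(bob_token, ALICE, report_dacl, FILE_WRITE),
        "bob_exec": access_check(bob_token, ALICE, report_dacl, FILE_EXEC),
        "bob_read_write": access_check(bob_token, ALICE, report_dacl, FILE_READ | FILE_WRITE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "allowed" if result else "denied")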

Where are the passwords stored on the system?
The system stores the passwords in the machine's password stash, i.e. under HKLM\Security\Policy\Secrets.
Type at 9:23am /interactive regedit.exe at the command prompt, substituting whatever time is appropriate (make it one minute in the future). Once regedit fires up, carefully look at the subkeys under HKLM\Security\Policy\Secrets. You're looking at the machine's password stash, more formally known as the LSA private data store.
The operating system also, by default, caches (stores locally) the last 10 passwords.

There are registry settings to turn this feature off or restrict the number of accounts cached.
For the following registry entry, change the default value:
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Type: REG_SZ
Key: CachedLogonsCount
Default value: 10
Recommended value: 0-50 depending on your security needs.

But how secret is the LSA secret data store?

There is a tool available on the net named LSADUMP2.exe which, when run, retrieves the admin passwords of the system.
LSAdump2 uses DLL injection to bypass the normal access control on security information stored by the Local Security Authority (LSA).

D:\dnload\lsadump2>lsadump2
RasCredentials!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 35 00 00 00 00 00 00 00 77 00  0.0...5.......w.
 6D 00 61 00 70 00 6C 00 65 00 73 00 00 00 00 00  m.a.p.l.e.s.....
 00 00 30 00 00 00 00 00                          ..0.....
RasDialParams!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 36 00 33 00 00 00 00 00 2A 00  0.0...6.3.....*.
 00 00 77 00 6D 00 61 00 70 00 6C 00 65 00 73 00  ..w.m.a.p.l.e.s.
 00 00 77 00 77 00 77 00 77 00 77 00 77 00 77 00  ..w.w.w.w.w.w.w.
 31 00 00 00 00 00 31 00 00 00 00 00              1.....1.....
SAC
 02 00 00 00                                      ....
SAI
 02 00 00 00                                      ....
_SC_ClipSrv
 74 00 65 00 73 00 74 00                          t.e.s.t.

There is another tool named Cain & Abel.
It is recommended not to use it with Service Pack 2 installed. It is prone to cause serious damage to the system.

The System Key is a machine key which encrypts the passwords, so that afterwards the passwords cannot be retrieved in clear text.
Type syskey at the command prompt and press OK to enable the System Key.

Trade-off
There is always a trade-off between countermeasures and convenience.
Security and ease of use are like two corners of a long scale.
[Figure: a scale with Security at one end and Ease of use at the other, with user satisfaction plotted between them]

Users other than admins are prevented from installing software because they don't have access to Program Files.

Developer's Duty

That is because there may be trojans taking control of winword.exe in Program Files.
A good programmer is one who develops applications which can be run by all the users of the system.
The applications should run smoothly even with all the security features of Windows enabled.

Windows is getting better and better at protection, but it is weak in countermeasures.
The only countermeasure it provides is auditing.
We can audit every file on the system.
Right-click the file and in Properties, go to Auditing and set auditing.

