User Rights vjj 1

Transcription

1 User Rights vjj 1

2 User Rights některá oprávnění nelze (snadno) vyjádřit pomocí přístupových práv k objektům user rights vjj 2

3 vjj 3 User Rights User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system-wide resources on a computer and can override the permissions that are set on particular objects.

4 vjj 4 Logon Rights control how security principals are allowed access to the computer ano nebo ne allow logging on to the computer deny logging on to the computer. Use a deny logon right as you would use a deny permission to exclude a subset of a group that has been assigned an allow logon right. odkud from the keyboard through a network connection speciální způsob as a service as a batch job

5 privilegia privilege assignment prostřednictvím Group Policy Ntrights.exe from command prompt (W2K3 Resource Kit) protože v existujícím Security Tokenu nelze provádět zásadní změny, projeví se změna v přidělených privilegiích až po novém přilogování přidělená privilegia nebývají rovnou i aktivní - před použitím je nutné je explicitně aktivovat vjj 5

6 vjj 6 aktivace privilegia Win32 API HANDLE htok = 0; TOKEN_PRIVILEGES tp, tpold; tp.privilegecount = 1; tp.privileges[0].attributes = SE_PRIVILEGE_ENABLED; DWORD cb = sizeof tp; OpenProcessToken( GetCurrentProcess( ), TOKEN_QUERY TOKEN_ADJUST_PRIVILEGES, &htok ); LookupPrivilegeValue( 0, SE_BACKUP_NAME, &tp.privileges[0].luid ); LUID (locally unique identifier) A 64-bit value that is guaranteed to be unique on the operating system that generated it until the system is restarted. AdjustTokenPrivileges( htok, FALSE, &tp, cb, &tpold, &cb );

7 aktivace privilegia.net API funkce OpenProcessToken GetCurrentProcess LookupPrivilegeValueW AdjustTokenPrivileges dvě možnosti: prostřednictvím P/Invoke volat všechny funkce z.netu komplikované předávání parametrů nekompatibilních s.netem vlastní obalující C++ funkce (v DLL) volaná prostřednictvím P/Invoke z.netu vjj 7

8 vjj 8 myadjusttokenprivileges (C++) BOOL WINAPI myadjusttokenprivilege ( LPCWSTR lpprivilegename, BOOL benable) { TOKEN_PRIVILEGES Privileges; HANDLE htoken; BOOL bresult; OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &htoken) Privileges.PrivilegeCount = 1; Privileges.Privileges[0].Attributes = (benable)? SE_PRIVILEGE_ENABLED : 0;

9 myadjusttokenprivileges (C++) LookupPrivilegeValueW( NULL, lpprivilegename, &Privileges.Privileges[0].Luid ) bresult = AdjustTokenPrivileges ( htoken, FALSE, &Privileges, 0, NULL, NULL ); CloseHandle( htoken ); return TRUE; } vjj 9

10 vjj 10 P/Invoke: API ->.NET (C#) [DllImport ( "myapi.dll", CharSet = CharSet.Auto, EntryPoint = "myadjusttokenprivilege", ExactSpelling = false, BestFitMapping = true, CallingConvention = CallingConvention.Winapi )] public static extern System.Boolean myadjusttokenprivilege ( string lpprivilegename, System.Boolean benable );

11 vjj 11 aktivace privilegia TCB (C#) myadjusttokenprivilege ( (string) "SeTcbPrivilege", (bool) true ) ;

12 nepřehledný přehled vjj 12

13 Access this computer from the network Allow logon through Terminal Services Log on as a batch job Log on locally SeNetworkLogonRig ht SeRemoteInteractive LogonRight SeBatchLogonRight SeInteractiveLogonR ight Allows a user to connect to the computer from the network Allows a user to log on to the computer by using a Remote Desktop connection Allows a user to log on by using a batchqueue facility such as the Task Scheduler service Allows a user to start an interactive session on the computer Log on as a service SeServiceLogonRight Allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in Administrators Power Users Users Everyone Backup Operators Administrators Remote Desktop Users Administrator System Support_xxxxxxxx Administrators Power Users Users, Guest Backup Operators Network Service When an administrator uses t task to run under a particular automatically assigned the "L scheduled time arrives, the Ta batch job rather than as an in security context. The Support Remote Assistance. Users who do not have this rig the computer if they have the vjj 13

14 Privileges Table B.2 Privileges Privilege Description Act as part of the operating system (SeTcbPrivilege) Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege. Default setting: Not assigned. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it. Add workstations to domain (SeMachineAccountPrivilege) Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain. Default setting: Not assigned. Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the "Add workstations to a domain" privilege. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) Allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial-of-service attack. Default setting: Administrators, Local Service, and Network Service. Back up files and directories (SeBackupPrivilege) Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. Default setting: Administrators and Backup Operators See also "Restore files and directories" in this table. vjj 14

15 vjj 15 standard privilegies Friendly Name Programmatic Name Admin System Act as part of the operating system SE_TCB_NAME S Add workstations to domain SE_MACHINE_ACCOUNT_NAME Back up files and directories SE_BACKUP_NAME A S Bypass traverse checking SE_CHANGE_NOTIFY_NAME U S Change the system time SE_SYSTEMTIME_NAME A S Create a page file SE_CREATE_PAGEFILE_NAME A S Create a token object SE_CREATE_TOKEN_NAME S Create permanent shared object SE_CREATE_PERMANENT_NAME S Debug programs SE_DEBUG_NAME A S Enable computer and user account to be trusted for delegation SE_ENABLE_DELEGATION_NAME Force shutdown from a remote system SE_REMOTE_SHUTDOWN_NAME A Generate security audits SE_AUDIT_NAME S

16 vjj 16 Friendly Name Programmatic Name Admin System Increase quotas SE_INCREASE_QUOTA_NAME A o Increase scheduling priority SE_INC_BASE_PRIORITY_NAME o o Load and unload device drivers SE_LOAD_DRIVER_NAME o o Lock pages in memory SE_LOCK_MEMORY_NAME o Manage auditing and security log SE_SECURITY_NAME o o Modify firmware environment values SE_SYSTEM_ENVIRONMENT_NAME o o Profile single process SE_PROF_SINGLE_PROCESS_NAME o o Profile system performance SE_SYSTEM_PROFILE_NAME o Remove computer from docking station SE_UNDOCK_NAME U o Replace a process-level token SE_ASSIGNPRIMARYTOKEN_NAME o Restore files and directories SE_RESTORE_NAME o o Shut down the system SE_SHUTDOWN_NAME U o Synchronize directory service data SE_SYNC_AGENT_NAME Take ownership of files or other objects SE_TAKE_OWNERSHIP_NAME o o

17 vjj 17 user run as admin SeBackupPrivilege SeChangeNotifyPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeCreatePagefilePrivilege SeCreateSymbolicLinkPrivilege SeDebugPrivilege SeImpersonatePrivilege SeIncreaseBasePriorityPivilege SeIncreaseQuotaPrivilege SeIncreaseWorkingSetPrivilege SeIncreaseWorkingSetPrivilege SeLoadDrivePrivilege SeManageVolumePrivilege

18 vjj 18 user run as admin SeProfileSingleProcessPrivilege SeRemoteShutdownPrivilege SeRestorePrivilege SeSecurityPrivilege SeShutdownPrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeSystemTimePrivilege SeTakeOwnershipPrivilege SeTimeZonePrivilege SeTimeZonePrivilege SeUndockPrivilege SeUndockPrivilege

19 vjj 19 Bypass traverse checking This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories On workstations and servers: Administrators Backup Operators Power Users Users Everyone On domain controllers: Administrators Authenticated Users

20 SeEnableDelegationPrivilege dovoluje nastavit v Active Directory pro počítače vlastnost Trusted for Delegation. ta dovoluje zastupovat uživatele i při komunikaci s dalšími servery vjj 20

21 vjj 21 Act as part of the operating system SeTcbPrivilege (Tcb = Trusted Computing Base) Allows a process to perform as a secure, trusted part of the operating system This user right allows a process to impersonate any user without authentication Some subsystems are granted this right required to call LogonUser SeImpersonatePrivilege Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels

22 Act as part of the operating system This privilege allows a process to authenticate as, and therefore gain access to the same resources as any user, by calling the LogonUser APIs to create an access token. Only low-level authentication services should require this privilege. The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, this token does not provide a primary identity for tracking events in the audit log. It is recommended that processes requiring this privilege are run using the LocalSystem account, which already includes this privilege. This is preferable to using a separate user account with this privilege specially assigned. Because running as LocalSystem makes use of this privilege unnecessary, this privilege might be made obsolete in a future version of Windows vjj 22

23 Trusted Computing Base Federal Standard 1037C, Telecommunications, Glossary of Terms totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. Note: The ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy vjj 23

24 TCB Trusted Computing Base Group Policy : (Start Control Panel Administrative Tools Group Policy Management Local Security Policy) Windows Security Settings Local Policies User Rights Assignment Act as part of the operating system vjj 24