Windows security for n00bs part 1 Security architecture & Access Control




Grenoble INP Ensimag, SecurIMAG ("(in)security we trust"), 2011-05-12
Windows security for n00bs part 1: Security architecture & Access Control
Description: whether you are for it or against it, the Windows NT OS leaves no IT engineer or researcher indifferent. We will first introduce some basics regarding the OS structure, then talk about authentication, and recall related attacks along the way.
Lecturer: Fabien Duchene
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability, including for errors and omissions.

Summary
0. Introduction
1. Security components
2. Access control
== next session == Memory (Guillaume & Karim)
== next next session ==
3. Authentication (Fabien)
4. Network (Fabien)

0. Introduction
- What Windows is
- What else is it not?
- Windows NT brief history
- Talk perimeter

0. Introduction: what is Windows?
- A major OS on the market (market share numbers)
- Windows XP SP3 is the major corporate client OS, and it is about 10 years old

0. Introduction: what else is it not?
- NOT the most secure system ever built: an important attack surface, but the ability to harden it
- NOT the most configurable OS: the source code is «normally» not available (exceptions: governments, security agencies, and you know where ;))

0. Windows NT brief history
NT 4.0 (1996); NT 5.0 (1999): Windows 2000; NT 5.1 (2001): Windows XP; NT 6.0 (2008): Vista, Server 2008; NT 7 (2009): Windows 7, Server 2008 R2
Security mechanisms listed across these versions (slide table): SSPI, MSGINA, DEP, firewall, ASLR, Integrity Levels, UAC, BitLocker, Credential Providers, NLA, more granular UAC

0. Talk perimeter: security mechanisms of Windows XP, Vista and 7, not necessarily presented per version, but rather per functionality.

1. Windows NT6 & NT7 security components
- Security components (Windows Vista, i.e. NT6)
- Windows XP vs Vista & 7 process hierarchy
- Security Reference Monitor (SRM)
- Local Security Authority SubSystem (LSASS)
- Session Manager SubSystem (SMSS)
- Wininit
- Services
- SAM

1.1. Security components (Windows Vista)
[Figure: Windows Vista architecture, user mode above kernel mode. User mode: system threads, Session Manager, LSA, Winlogon, Wininit, Service Host, Print spooler, Task Manager, Explorer, user applications, their Windows DLLs and subsystem DLLs, NTDLL.DLL, POSIX and Windows subsystems. Kernel mode: System service dispatcher (kernel-mode callable interfaces), Object Manager, PnP Manager, Power Manager, Security Reference Monitor, Virtual Memory, Process Manager, Configuration Manager (Registry), Local Procedure Call, I/O Manager, Device & File System Drivers, Cache manager, Win32 USER/GDI, Graphics Drivers, Kernel, Hardware Abstraction Layer (HAL). Source: Windows Internals, 5th Edition (Windows Vista & Server 2008), Mark Russinovich, David Solomon]

1.2. Windows XP process hierarchy
System Idle Process (0)
  Interrupts
  System (4)
    SMSS
      CSRSS
      Winlogon
        Services
          Service1 (identity1)
        LSASS
Explorer.exe
  Notepad.exe
  cmd.exe

1.2. Windows Vista & 7 process hierarchy (thanks to Process Explorer ;))
System Idle Process (0)
  Interrupts
  System (4)
    SMSS
      CSRSS (session 0)
      Wininit
        Services
          Service1 (identity1)
        LSASS
CSRSS (session 1) and winlogon (their session-specific SMSS has already exited)
Explorer.exe
  Notepad.exe
  cmd.exe

1.2. Security Reference Monitor (SRM)
- Performs the access checks on objects: access is allowed or restricted according to privileges and user rights (ACLs)
- Generates audit entries

1.3. Local Security Authority SubSystem (LSASS)
- User-mode process running under the SYSTEM identity (SID = S-1-5-18)
- Authentication (including trusted domains), token creation, LSA policy, privileges
- Audit entries (security event log)
- Parameters stored under HKLM\security
[Figure: LSASS components: Netlogon, LSA Server, Msv1_0.dll, Kerberos.dll, SAM Server, Active Directory, Event Logger. Source: Mécanismes internes de la sécurité Windows, Pascal Saulière, Microsoft, 2010]

1.3. LSASS enforces the password policy, which is configurable locally or via GPO.

Session Manager SubSystem (SMSS)

WinInit.exe

Services

2. Access Control
- Access control?
- Securable Windows NT objects
- SID
- Privileges
- Security Descriptor
- Access Control Lists
- Token
- Impersonation
- Mandatory Integrity Levels
- Auditing

Access Control? Several models:
- Mandatory Access Control: several levels; e.g. (Windows NT) Mandatory Integrity Level
- Discretionary Access Control: e.g. (Windows NT) file ACLs
- Role-Based Access Control: when ACL permissions are only defined on security groups

Securable Windows NT objects: Files, Peripherals, Mailslots, Timers, Semaphores, Access tokens, Jobs, Window stations, Desktops, Shared memory sections, I/O completion ports, SMB shares, Pipes (named & anonymous), Services, LPC ports, Registry keys, Events, Printers, Mutexes
Source: Windows Internals, 5th Edition (Windows Vista & Server 2008). SecurIMAG - Windows security for n00bs part 1 - Fabien

Security Identifier (SID)
- Statistically unique worldwide
- Not all AD objects own a SID; ONLY the following AD objects do:
  o Computer (when the computer joins the domain)
  o Domain controllers (same as above)
  o User/service account (when the account is created)
  o Security group (a security group can contain security groups, users and computers)
- These objects are called security principals. Each of them:
  o owns a SID: the user account SID
  o is a member of [0..n] security groups: the group SIDs
Source: Technical overview of the Microsoft PKI ADCS 2008 R2

Brief SID summary
Example: S-1-5-21-1679959503-1445791782-2229217306-1109
- S: SID prefix
- 1: revision level (4 bits, value: 1)
- 5: identifier authority (48 bits): 0 = null, 1 = world, 2 = local, 3 = creator owner, 4 = non unique, 5 = NT domain / computer
- 21-1679959503-1445791782-2229217306: sub-authorities (domain / computer identifier)
- 1109: the account RID (relative identifier): 500 = Administrator, 501 = Guest, 1000 = user1, 1001 = user2
Sub-authority (= RID) examples for the other authorities: 0 = null (S-1-0), 0 = world (S-1-1), 0 = creator owner, 1 = creator group, 2 = creator owner server, 3 = creator group server (S-1-3)
Well-known SID examples:
S-1-0-0: Null
S-1-1-0: Everyone
S-1-2-0: Local
S-1-3-0: Creator Owner
S-1-3-1: Creator Group
S-1-5-1: Dialup
S-1-5-2: Network
S-1-5-3: Batch
S-1-5-4: Interactive
S-1-5-5-X-Y: Logon Session
S-1-5-6: Service
S-1-5-7: Anonymous Logon
S-1-5-9: Enterprise Domain Controllers
S-1-5-10: Self
S-1-5-11: Authenticated Users
S-1-5-12: Restricted
S-1-5-13: Terminal Server User
S-1-5-14: Remote Interactive Logon
S-1-5-18: System (LocalSystem)
S-1-5-19: Local Service
S-1-5-20: Network Service

Well-known SIDs of the «built-in» groups:
S-1-5-32-544: Administrators
S-1-5-32-545: Users
S-1-5-32-546: Guests
S-1-5-32-547: Power Users
S-1-5-32-548: Account Operators
S-1-5-32-549: Server Operators
S-1-5-32-550: Print Operators
S-1-5-32-551: Backup Operators
S-1-5-32-552: Replicator
S-1-5-32-554: Pre-Windows 2000 Compatible Access
S-1-5-32-555: Remote Desktop Users
S-1-5-32-556: Network Configuration Operators

RID examples for domain SIDs:
S-1-5-domain-500: Administrator
S-1-5-domain-501: Guest
S-1-5-domain-502: krbtgt
S-1-5-domain-512: Domain Admins
S-1-5-domain-513: Domain Users
S-1-5-domain-514: Domain Guests
S-1-5-domain-515: Domain Computers
S-1-5-domain-516: Domain Controllers
S-1-5-domain-517: Cert Publishers
S-1-5-root domain-518: Schema Admins
S-1-5-root domain-519: Enterprise Admins
S-1-5-domain-520: Group Policy Creator Owners
S-1-5-domain-553: RAS and IAS Servers
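An added example (not from the SecurIMAG slides): a parser for the SID layout just described, which names the identifier authorities, the built-in group RIDs and the domain RIDs from the tables above. The lookup dictionaries hold only a subset of the tables, and the sample SIDs in the comments are constructed.

```python
import re

# "S-" revision "-" identifier authority, then one or more sub-authorities.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

AUTHORITIES = {0: "null", 1: "world", 2: "local", 3: "creator owner",
               4: "non unique", 5: "NT"}
WELL_KNOWN = {"S-1-0-0": "Null", "S-1-1-0": "Everyone", "S-1-2-0": "Local",
              "S-1-3-0": "Creator Owner", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "System", "S-1-5-19": "Local Service",
              "S-1-5-20": "Network Service"}
BUILTIN = {544: "Administrators", 545: "Users", 546: "Guests",
           551: "Backup Operators", 555: "Remote Desktop Users"}
DOMAIN_RID = {500: "Administrator", 501: "Guest", 502: "krbtgt",
              512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Split a SID string into revision, identifier authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    rev, auth = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    return {"revision": rev, "authority": auth, "subauthorities": subs}


def describe_sid(sid):
    """Name the principal a SID denotes, as far as the tables above allow."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    # S-1-5-32-<rid>: built-in local groups
    if p["authority"] == 5 and subs[:1] == [32] and len(subs) == 2:
        return "BUILTIN\\" + BUILTIN.get(subs[1], "RID %d" % subs[1])
    # S-1-5-21-<3 sub-authorities>-<rid>: an account in a domain or computer
    if p["authority"] == 5 and subs[:1] == [21] and len(subs) == 5:
        domain = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        rid = subs[4]
        name = DOMAIN_RID.get(rid)
        if name is None:  # RIDs >= 1000 are allocated to created accounts
            name = "user/group RID %d (%s)" % (rid, "custom" if rid >= 1000 else "reserved")
        return "%s in domain %s" % (name, domain)
    return "%s authority, sub-authorities %s" % (AUTHORITIES.get(p["authority"], "unknown"), subs)
```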

Know your SID! whoami /all

Storing SIDs? https://secure.wikimedia.org/wikipedia/en/wiki/security_identifier (source: Technical overview of the Microsoft PKI ADCS 2008 R2)

Privileges: the right to perform a specific action on several Windows NT objects. E.g.: shut down the computer, allow logon locally, load and unload device drivers, create a pagefile, adjust memory quotas for processes.

Privileges: changing them graphically. Windows Server 2008 and WS 2008 R2 user rights: http://technet.microsoft.com/en-us/library/dd349804%28ws.10%29.aspx

Privileges - know yours! whoami /all, useful once more!

Security descriptor: for a securable object S, it contains ACLs:
- DACL: contains 0..n ACEs; each ACE names a security principal (SID) and the access it is granted or denied
- SACL: logs who attempted to perform specific actions on S

Access Control Lists: a list of ACEs (Access Control Entries). ACE: right/privilege/permission given to a specific SID on a specific object/resource. Resource examples: shared folder, LDAP object, certificate template. (Source: Technical overview of the Microsoft PKI ADCS 2008 R2)

[Figure: a file object with its security descriptor, whose DACL holds a list of ACEs. Sources: Windows Internals, 5th Edition (Windows Vista & Server 2008), Mark Russinovich, David Solomon; Technical overview of the Microsoft PKI ADCS 2008 R2]

ACL application order: from the most "generic" scope to the most precise one. (Source: Technical overview of the Microsoft PKI ADCS 2008 R2)
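An added example, not from the slides: a model of the access check the SRM performs over a DACL, walking the ACEs in list order against the SIDs in the caller's token. Sophie, her Users membership and the "Interns" group are constructed for the example; the point it shows is that ACE order, with denies placed first, decides the outcome.

```python
from collections import namedtuple

READ, WRITE, EXECUTE = 1, 2, 4             # simplified access mask bits
ACE = namedtuple("ACE", "kind sid mask")   # kind is "allow" or "deny"


def access_check(dacl, token_sids, requested):
    """Return (granted, reason) for the rights requested.
    dacl=None means the object has no DACL: everything is allowed.
    An empty DACL grants nothing. ACEs are evaluated in list order: an allow
    ACE accumulates rights, a deny ACE that covers a still-ungranted requested
    right ends the check immediately."""
    if dacl is None:
        return True, "no DACL: full access"
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                                   # ACE is for another principal
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False, "denied by ACE for %s" % ace.sid
        if ace.kind == "allow":
            granted |= ace.mask & requested
        if granted == requested:
            return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights"


# Constructed token: Sophie's own SID, the built-in Users group and a
# hypothetical domain group "Interns" (RID 2001) in a made-up domain.
SOPHIE = "S-1-5-21-1-2-3-1109"
USERS, INTERNS = "S-1-5-32-545", "S-1-5-21-1-2-3-2001"
SOPHIE_TOKEN = {SOPHIE, USERS, INTERNS}

# Constructed DACL in canonical order: explicit deny before explicit allow.
FILE_DACL = [
    ACE("deny", INTERNS, WRITE),            # Interns may not write
    ACE("allow", USERS, READ | EXECUTE),    # Users may read and execute
    ACE("allow", SOPHIE, WRITE),            # Sophie personally may write
]


def sophie_can(requested, dacl=FILE_DACL):
    """Is Sophie able to? The exercise question, answered by the model."""
    return access_check(dacl, SOPHIE_TOKEN, requested)[0]
```

Reversing FILE_DACL (allow before deny, a non-canonical order) lets Sophie's personal allow win before the group deny is reached, which is why tools that edit ACLs re-order ACEs canonically.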

Exercise: is Sophie able to? (Source: Technical overview of the Microsoft PKI ADCS 2008 R2; https://ensiwiki.ensimag.fr/index.php/fichier:4mmsr-ensimag-telecom-2a-Network_Security-Examination-2011-EN_US.pdf)

SMB share ACLs: the share ACL is applied first, then the system ACL.

Token
- Security context of a thread or process: privileges, SPN (user SID, group SIDs)
- Logon process: Winlogon creates a token related to the user
- Inheritance: a child process automatically inherits the token of its parent
- Token fields are immutable (located in kernel memory)
Token fields: Token Source, Impersonation type, Token ID, Authentication ID, Modified ID, Expiration time, Default Primary Group, Default DACL, User Account SID, Group 1 SID ... Group n SID, Restricted SID 1 ... Restricted SID n, Privilege 1 ... Privilege n

Token kernel structure on Windows 7

Token: administrator "complete"/"normal" token vs restricted token

Restricted token: runas /trustlevel:0x20000 cmd.exe (SRP)

Software Restriction Policy: enforces a restricted token via group policy for specific executables. http://blog.didierstevens.com/page/2/?s=bpmtk

Mandatory Integrity Level
- Ensured by the SRM
- Process isolation: Mandatory Access Control
- Depending on the process "integrity", the ability to interact with "lower integrity objects" only
(Source: Mandatory Access Control, Wikipedia)

Mandatory Integrity Level - example
Level      Value    Process example     Object example (an object could itself be a process)
System     0x4000   WININIT.EXE         kernel variables
High       0x3000   admin processes
Medium     0x2000   OUTLOOK.EXE
Low        0x1000   IEXPLORE.EXE
Untrusted  0x0000
(Source: Mandatory Access Control, Wikipedia)

Mandatory Integrity Level

Shatter attack

DLL injection: requires the SE_DEBUG privilege (by default only Administrators)

Privilege SE_DEBUG ("Debug programs"): This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution: assigning this user right can be a security risk. Only assign this user right to trusted users. Default: Administrators.

Mandatory Integrity Level - advantages. Consequences: blocks SHATTER attacks; blocks DLL injection into a higher integrity process!
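An added example, not from the slides, for the integrity check introduced above and its consequences on this slide: a model of the mandatory integrity check the SRM applies before the DACL check, using the level values from the example table. The policy flags mirror the Windows mandatory-label policies NO_WRITE_UP (the default, which is what "interact with lower integrity objects only" describes) and NO_READ_UP; treating injection and window messages as a write to the target process is an assumption of the model.

```python
LEVELS = {"untrusted": 0x0000, "low": 0x1000, "medium": 0x2000,
          "high": 0x3000, "system": 0x4000}
NO_WRITE_UP, NO_READ_UP = 1, 2          # mandatory label policy flags
READ, WRITE = "read", "write"


def mandatory_check(subject_level, object_level, access, policy=NO_WRITE_UP):
    """True if the integrity policy lets a subject at subject_level perform
    `access` on an object labelled object_level. A subject at an equal or
    higher level is never restricted by the label; the DACL check still
    follows and may deny on its own."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if s >= o:
        return True
    if access == WRITE and policy & NO_WRITE_UP:
        return False
    if access == READ and policy & NO_READ_UP:
        return False
    return True


def injection_blocked(injector_level, target_level):
    """DLL injection needs write access to the target process (assumed model
    of the slide's claim), so NO_WRITE_UP blocks it from a lower level."""
    return not mandatory_check(injector_level, target_level, WRITE)


def shatter_blocked(sender_level, target_level):
    """Sending window messages upward is treated as a write to the higher
    integrity process (assumed model of UIPI): blocked from a lower level."""
    return not mandatory_check(sender_level, target_level, WRITE)
```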

Impersonation

User Access Control

UAC granularity (Windows 7) Inside Windows 7 UAC

UAC autoelevation? Frequent question: when you change the UAC alert level, which executables will Windows 7 allow to autoelevate? A marker in the executable's manifest:
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/smi/2005/windowssettings">
    <autoElevate>true</autoElevate>
  </asmv3:windowsSettings>

UAC autoelevate markers / whitelist

UAC attack? How to auto-elevate without the user being prompted? Add that marker to your executable! Additional requirement: the executable has to be signed by Microsoft, thus preventing EXTERNAL executables from autoelevating. Alternative: injecting a DLL into an executable allowed to autoelevate. Problems: mandatory integrity levels:

Auditing