Practical Connection
Security Strategies in Windows Platforms and Applications
Lesson 3
Access Controls in Microsoft Windows
© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Implement security controls to protect Microsoft Windows systems and networks.
Key Concepts
Principle of least privilege
Access models
Microsoft Windows objects and access controls
Forms of identification
Windows access permissions and access management tools
Security Control Process
Think
Plan
Design
Implement
Evaluate
Principle of Least Privilege
Definition per the Orange Book:
Grant each subject in a system the most restrictive set of privileges (or lowest clearance) needed to perform authorized tasks
Limits the damage that can result from accident, error, or unauthorized use
The United States Department of Defense Trusted Computer System Evaluation Criteria, DOD-5200.28-STD, also known as the Orange Book because of its orange-colored cover, was one of the first generally accepted standards for computer security.
The Orange Book defines least privilege to be a principle that “requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”
The Orange Book has since been replaced by the Common Criteria for Information Technology Security Evaluation—an international standard. The Common Criteria extend the concepts stated in the Orange Book.
Least Privilege and LUAs
In Windows, the principle of least privilege is implemented at the user account level
Microsoft refers to user accounts defined using this principle as least privilege user accounts (LUAs)
Recommended: To implement least privilege, create user groups that represent roles in the organization
Sample Default Active Directory Security Groups
Account Operators
Administrators
IIS_IUSRS
Users
Guests
Backup Operators
Remote Desktop Users
Rights and Permissions
Each group in Windows has the ability to apply rights and permissions to sets of users
User rights are defined and maintained through group security policy objects
Permissions:
Apply to specific objects
Are maintained through each object’s security settings
Rights and Permissions (Cont.)
Each object has a set of access control rules, called the object’s access control list (ACL)
ACLs in Active Directory are made up of lists of access control entries (ACEs)
The ACLs that Windows uses implement discretionary access control, so the list of access control rules is a discretionary access control list (DACL)
Each entry in a DACL is an access control entry (ACE)
Windows Object DACL
Access Models: User Validation
User enters ID and authentication credentials
Windows compares supplied info to stored info
If a match, user is authenticated
Windows records user SID, SID of each group, and user privileges in a token
SAT (contains user and group SIDs) is attached to each process the user runs
Windows prompts the user to enter identification and authentication credentials.
Windows looks up the defined user and the associated authentication information. If the supplied information matches the stored information, the user is authenticated.
The operating system records the user account’s security identifier (SID), the SID of each group to which the user is assigned, and the current user’s privileges in a token, the security access token (SAT).
The SAT, with all the user and group SIDs, is attached to each process the user runs.
Windows Security Access Token (SAT)
Windows Server 2012-2019 Dynamic Access Control (DAC)
A collection of features for describing user and data attributes
Attributes help Windows protect files using policies that provide finer-grained access control
DAC used to:
Identify and classify data
Control file access
Audit file access
Apply encryption to sensitive documents
Identify and classify data—You can tag data either automatically or manually to tell Windows how to secure different types of data. Automatic tagging can look for special types of data, such as Social Security numbers.
Control file access—Central access policies allow organizations to set global rules on who can access different types of data.
Audit file access—DAC includes central audit policies that provide the ability for auditors and forensic investigators to find out who accessed sensitive information.
Apply encryption to sensitive documents—Automatic Rights Management Services (RMS) can encrypt files that contain tagged sensitive data without requiring user interaction.
User Account Control (UAC)
Members of the Administrators group have a split SAT
One part has full privileges
The other part is limited, like a normal user’s token
Processes initially run using the limited SAT
If a process requires a privilege that is allowed for administrators and the process also holds an administrator SAT, Windows prompts the user for an escalation confirmation
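The split token is easier to reason about in code. The following is an added example, not part of the slides or of any Microsoft code: a toy model of the two halves of an administrator's SAT and of the UAC decision a new process goes through. The SID strings for the user are constructed; the two BUILTIN group SIDs are the real well-known values. The model also shows one detail the slide leaves out: in the limited token Windows keeps the Administrators group SID but marks it "deny-only", so a deny ACE aimed at administrators still applies while allow ACEs for administrators grant nothing. The list of privileges kept in the limited token is an abbreviated stand-in (assumption), and the names Token, split_token, filter_token and start_process are this example's own.

```python
from dataclasses import dataclass, replace

# Well-known SIDs (real values) for the two built-in groups used below.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"

# Privileges the limited token is allowed to keep. Assumption: an abbreviated
# stand-in for the short list Windows actually leaves in a filtered token.
KEPT_IN_FILTERED = frozenset({"SeChangeNotifyPrivilege", "SeShutdownPrivilege",
                              "SeUndockPrivilege"})


@dataclass(frozen=True)
class Token:
    user_sid: str
    groups: frozenset            # group SIDs that can satisfy allow and deny ACEs
    deny_only_groups: frozenset  # group SIDs that can only ever match deny ACEs
    privileges: frozenset
    elevated: bool


def filter_token(full: Token) -> Token:
    """Build the limited half of the split SAT. The Administrators SID is kept
    but demoted to deny-only, so a deny ACE aimed at administrators still
    applies while allow ACEs for administrators no longer grant anything;
    high privileges are stripped."""
    groups = set(full.groups)
    deny_only = set(full.deny_only_groups)
    if BUILTIN_ADMINISTRATORS in groups:
        groups.remove(BUILTIN_ADMINISTRATORS)
        deny_only.add(BUILTIN_ADMINISTRATORS)
    return Token(full.user_sid, frozenset(groups), frozenset(deny_only),
                 full.privileges & KEPT_IN_FILTERED, elevated=False)


def split_token(user_sid: str, group_sids, privileges) -> tuple:
    """Return (full, limited). Only members of Administrators get two different
    tokens; everyone else runs with a single, never-elevated token."""
    full = Token(user_sid, frozenset(group_sids), frozenset(),
                 frozenset(privileges), elevated=True)
    if BUILTIN_ADMINISTRATORS not in full.groups:
        plain = replace(full, elevated=False)
        return plain, plain
    return full, filter_token(full)


def start_process(full: Token, limited: Token, needed_privilege: str, consent: bool) -> tuple:
    """Model the UAC decision. A new process starts with the limited token; if
    it needs a privilege only the full token has, Windows asks the user for
    confirmation (the UAC prompt), modelled here by `consent`."""
    if needed_privilege in limited.privileges:
        return limited, "ran with limited token"
    if needed_privilege in full.privileges:
        if consent:
            return full, "elevated after UAC confirmation"
        return None, "user declined elevation"
    return None, "privilege not held even when elevated"


if __name__ == "__main__":
    # Constructed sample: a domain user who is also a local administrator.
    full, limited = split_token("S-1-5-21-1111-2222-3333-1104",
                                {BUILTIN_ADMINISTRATORS, BUILTIN_USERS},
                                {"SeDebugPrivilege", "SeChangeNotifyPrivilege"})
    print("limited privileges:", sorted(limited.privileges))
    print("deny-only groups:", sorted(limited.deny_only_groups))
    print(start_process(full, limited, "SeDebugPrivilege", consent=True)[1])
```

The point for a defender is the last function: nothing in the limited token can obtain SeDebugPrivilege without the confirmation step, which is exactly the window in which UAC's "comfort level" setting (next slides) decides whether the user is asked at all.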
User Account Control (UAC)
Windows feature of prompting users before escalating to administrator privileges is called User Account Control (UAC).
Once Windows builds the SAT and attaches it to each process, the SAT becomes the subject part of the authorization process.
Before granting access to an object, Windows must first authorize the request. Windows uses the DACL defined for an object to decide whether the access request will be granted or denied.
Each time a process needs access to an object, Windows refers to the process’s SAT and the object’s DACL to see if the access request is allowed.
If the access request is allowed, the process accesses the object.
If the access request is not allowed, Windows returns an error and the process cannot complete the requested object access.
User Account Control Settings
In previous Windows versions, UAC was often seen as annoying and intrusive. The only options were to turn UAC on or off.
Starting with Windows 7 and Windows Server 2008 R2, users can choose one of four “comfort levels” of UAC, from “Never Notify” to “Always Notify.”
Sharing SIDs and SATs
SAT for each process built from user’s SID and group SIDs
Active Directory stores shared information to construct SATs
Domain controller sends security information to computer where a user logs on
Windows extends concept of authentication to computer level when constructing SATs
Complete SATs are never shared across a network—only the parts necessary to construct the SAT
Distributed SAT
The domain controller stores the domain user’s SID and the SIDs for all of the domain groups to which the user is assigned.
The target server, the server that holds the requested resource, already has the list of local groups to which the user belongs and the local user rights definitions.
The domain controller sends the domain user and group SIDs to the target server using one of two Windows authentication protocols.
Managed Service Accounts
In Windows Server 2012 and newer
Can be shared across systems
Administrators create these accounts as managed domain accounts that provide automatic password management
Allows Windows Server 2012 and newer domain controllers to manage passwords automatically at the domain level
Kerberos
Kerberos is a fast and scalable protocol that allows for secure exchange of information.
Each domain controller functions as a Kerberos key distribution center (KDC). The KDC stores all user and computer Kerberos master keys.
When a subject requests access to an object, the subject asks the domain controller for an access ticket.
The domain controller authenticates the subject.
If successful, the domain controller issues the access ticket. The access ticket contains all of the subject’s SIDs and is encrypted with the target server’s public key. The subject then presents the access ticket to the server where the desired object resides.
Since the access ticket was encrypted with the server’s public key, the server can decrypt it with its private key.
Successful decryption means the ticket is valid, and the server evaluates the SIDs for access permission.
Windows Objects and Access Controls
Common Securable Objects
NTFS files and folders
Pipes, named or unnamed
Processes and threads
Registry keys
Windows services
Printers, local and remote
Network shares
Job objects
Windows DACLs
Securable object requires a DACL for Windows to control access to the object
A DACL is a collection of individual ACEs and can be modified in the object’s Properties dialog box
Full Control: Provides no restrictions on access to the object
Modify: Allows all modifications to files and folders; cannot delete files or folders, change permissions, or take ownership
Read and Execute: Traverses folders; executes files; lists folders; reads data, basic and extended attributes, and permissions
Read: Lists folders; reads data, basic and extended attributes, and permissions
Write: Creates files and folders; writes data and basic and extended attributes; reads permissions
Special Permissions: Indicates the ACE for this user or group is defined on the Advanced page
DACL Advanced Permissions
The Advanced page provides access to individual object permissions, as opposed to the predefined groups of permissions in the general Security page. The Advanced page lists every individual permission for the selected user or group.
SIDs, GUIDs, and CLSIDs
Security identifier (SID)
In Windows, all users, groups, and computers have unique SIDs
Globally unique identifier (GUID)
Distinguishes objects that may originate from different computers
Used to identify many different types of objects: computers, web browsers, database records, files, and application components
SIDs, GUIDs, and CLSIDs (Cont.)
Class identifier (CLSID)
Windows Registry uses GUIDs to identify objects and record attributes
GUIDs are stored as CLSIDs
Example
My Computer
CLSID: ::{20d04fe0-3aea-1069-a2d8-08002b30309d}
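The two identifier formats on these slides are easy to tell apart once you know their shape. The following is an added example, not from the slides: a small parser for the textual SID format S-revision-authority-subauthorities, a lookup of a few well-known built-in group SIDs and domain RIDs (the values in the two tables are real, documented constants), and a format check for a CLSID like the My Computer value above. The domain SID used in the sample is constructed, and the names Sid, parse_sid, describe and is_clsid are this example's own.

```python
import re
from dataclasses import dataclass

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
# A CLSID/GUID as the Registry writes it; the optional leading "::" is the
# shell namespace prefix seen in the My Computer example on the slide.
CLSID_RE = re.compile(r"^(?:::)?\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Real well-known values: built-in local groups keyed by full SID, and domain
# RIDs that have the same meaning in every domain.
BUILTIN_GROUPS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-32-568": "BUILTIN\\IIS_IUSRS",
}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities))

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority, unique within its domain."""
        return self.sub_authorities[-1]

    @property
    def domain(self) -> str:
        """The issuing domain or machine (everything but the RID); only
        meaningful for domain SIDs."""
        return str(Sid(self.revision, self.authority, self.sub_authorities[:-1]))

    @property
    def is_domain_sid(self) -> bool:
        # Domain and local-machine SIDs live under authority 5, first sub-authority 21.
        return self.authority == 5 and self.sub_authorities[:1] == (21,)


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe(text: str) -> str:
    """Name what a SID refers to, using the well-known tables above."""
    sid = parse_sid(text)
    if str(sid) in BUILTIN_GROUPS:
        return BUILTIN_GROUPS[str(sid)]
    if sid.is_domain_sid:
        return DOMAIN_RIDS.get(sid.rid, f"domain principal RID {sid.rid} in {sid.domain}")
    return "other well-known or service SID"


def is_clsid(text: str) -> bool:
    return CLSID_RE.match(text) is not None


if __name__ == "__main__":
    DOM = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
    for s in (DOM + "-500", DOM + "-1104", "S-1-5-32-544", "S-1-1-0"):
        print(s, "->", describe(s))
    print(is_clsid("::{20d04fe0-3aea-1069-a2d8-08002b30309d}"))
```

A practical use of the RID lookup: in event logs and ACLs a renamed built-in Administrator account still carries RID 500, so matching on the SID rather than on the account name survives renaming.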
Calculating Microsoft Windows Access Permissions
Windows resolves object access requests by following this procedure:
Retrieves user and group SIDs from the process’s SAT.
Examines all ACEs in the object’s DACL for requested permission.
If no DACL or ACE is defined for the requested access, Windows allows the access.
Calculating Microsoft Windows Access Permissions (Cont.)
If only one ACE exists for the requested access, access is based on whether the ACE is defined as “allow” or “deny.”
If multiple ACEs exist for the same requested access, all ACEs must be defined as “allow” for Windows to allow the access.
Returns an access approval or denial based on permissions.
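The procedure on these two slides, together with the earlier point that the process's SAT is the subject and the object's DACL is the rule set, can be run end to end. The following is an added example, not code from the slides or from Windows: a simulation of the access check with a SAT of user and group SIDs, a DACL of allow and deny ACEs, and an "effective permissions" view that asks for each right in turn. The right bits, the user and group SIDs and the sample DACL are constructed; the two BUILTIN SIDs are real. Two points are worth noting against the slide text. The deny-wins rule is implemented by walking the DACL in order, which gives that result under Windows' canonical ACE ordering (deny entries before allow entries). The slide's "no DACL or ACE defined" case is modelled as the null-DACL case; a DACL that exists but contains no ACE matching the request is treated as a denial, which is how Windows actually behaves and the safer assumption for a defender. The names Ace, Sat, access_check and effective_rights are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified right bits. Assumption: these values stand in for the real Windows
# ACCESS_MASK layout; only the combination logic matters here.
READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute",
               DELETE: "Delete", WRITE_DAC: "ChangePermissions"}


@dataclass(frozen=True)
class Ace:
    sid: str      # the trustee (user or group SID) this entry applies to
    mask: int     # the rights it allows or denies
    allow: bool   # True for an access-allowed ACE, False for access-denied


@dataclass(frozen=True)
class Sat:
    user_sid: str
    group_sids: frozenset
    deny_only_sids: frozenset = frozenset()  # e.g. Administrators in a UAC-limited token


def access_check(sat: Sat, dacl: Optional[List[Ace]], requested: int) -> tuple:
    """Resolve one access request: take the SIDs out of the process's SAT, walk
    the object's DACL, and grant only if every requested right is allowed and
    none of them is denied. A NULL DACL (None) protects nothing and grants
    everyone; a DACL with no matching ACE grants nothing."""
    if dacl is None:
        return True, "null DACL: object is unprotected, access granted"
    allow_sids = {sat.user_sid} | sat.group_sids
    deny_sids = allow_sids | sat.deny_only_sids   # deny-only groups count here only
    remaining = requested
    for ace in dacl:
        if not ace.allow and ace.sid in deny_sids and ace.mask & remaining:
            return False, f"denied by deny ACE for {ace.sid}"
        if ace.allow and ace.sid in allow_sids:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights: access denied"


def effective_rights(sat: Sat, dacl: Optional[List[Ace]]) -> list:
    """The 'Effective Permissions' view: which individual rights this SAT holds."""
    return sorted(name for bit, name in RIGHT_NAMES.items()
                  if access_check(sat, dacl, bit)[0])


# Constructed sample: a domain user, a domain group, and two real well-known SIDs.
ALICE = "S-1-5-21-1111-2222-3333-1104"
FINANCE = "S-1-5-21-1111-2222-3333-2201"
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"

SAMPLE_SAT = Sat(ALICE, frozenset({FINANCE, USERS}))
SAMPLE_DACL = [
    Ace(FINANCE, WRITE, allow=False),           # deny Write to the Finance group
    Ace(USERS, READ | EXECUTE, allow=True),     # Read & Execute for Users
    Ace(ALICE, FULL_CONTROL, allow=True),       # Full Control granted to Alice directly
]

if __name__ == "__main__":
    for right in (READ, WRITE, READ | WRITE, DELETE):
        print(RIGHT_NAMES.get(right, "Read+Write"), access_check(SAMPLE_SAT, SAMPLE_DACL, right))
    print("effective:", effective_rights(SAMPLE_SAT, SAMPLE_DACL))
```

The sample DACL shows the slide's "all ACEs must be allow" rule in action: Alice has Full Control in her own name, yet Write is refused because a deny ACE on one of her groups covers it, and a request for Read and Write together fails as a whole.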
Windows Object Effective Permissions
Auditing and Tracking Windows Access
Auditing: The process of collecting performance information on which actions were taken and storing that information for later analysis
First step: enable auditing
Tells Windows to record the events that are defined for later analysis
Windows stores audit event records in event logs
Local Audit Policy
Expression-Based Security Audit Policy
In Windows Server 2012 and newer
DAC in Windows Server enables administrators to create targeted audit policies using expressions based on user, computer, and resource claims
Example:
Audit everyone who does not have a high security clearance and who attempts to access highly sensitive documents
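Two of the DAC features on these slides fit together: automatic classification produces a resource property, and an expression-based audit policy tests that property against a user claim. The following is an added example, not from the slides or from Windows; it is a toy of both steps in one place. The classification rule (one regular expression for a Social Security number in the 3-2-4 layout), the "Sensitivity" and "Clearance" names, the file contents and the access attempts are all constructed. Real DAC takes claims from Active Directory attributes and properties from the File Classification Infrastructure; this model simply feeds dictionaries in their place.

```python
import re
from dataclasses import dataclass

# Pattern for a U.S. Social Security number written in the usual 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify(content: str) -> dict:
    """Automatic tagging: derive resource properties from the file's content.
    Assumption: a single regex stands in for the classification rules an
    administrator would configure."""
    return {"Sensitivity": "High" if SSN_RE.search(content) else "Low"}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    user_claims: dict     # claims taken from the user's directory attributes
    resource: str
    resource_props: dict  # properties produced by classification
    access: str


def audit_rule(ev: AccessEvent) -> bool:
    """The slide's expression: audit everyone without a high security clearance
    who attempts to access a highly sensitive document. A user with no
    Clearance claim at all counts as not having a high one."""
    return (ev.resource_props.get("Sensitivity") == "High"
            and ev.user_claims.get("Clearance") != "High")


def select_for_audit(files: dict, attempts: list) -> list:
    """Classify every file, attach the resulting properties to each access
    attempt (user, claims, resource, access), and return the audit records."""
    props = {name: classify(content) for name, content in files.items()}
    records = []
    for user, claims, resource, access in attempts:
        ev = AccessEvent(user, claims, resource,
                         props.get(resource, {"Sensitivity": "Low"}), access)
        if audit_rule(ev):
            records.append(f"AUDIT {user} {access} {resource} "
                           f"(clearance={claims.get('Clearance', 'none')})")
    return records


# Constructed sample data: two files and four access attempts.
SAMPLE_FILES = {
    "payroll.txt": "employee 4471, SSN 123-45-6789, salary 72000",
    "lunch-menu.txt": "Tuesday: soup and sandwiches",
}
SAMPLE_ATTEMPTS = [
    ("alice", {"Clearance": "High"}, "payroll.txt", "Read"),
    ("bob", {"Clearance": "Low"}, "payroll.txt", "Read"),
    ("bob", {"Clearance": "Low"}, "lunch-menu.txt", "Read"),
    ("carol", {}, "payroll.txt", "Write"),   # no clearance claim at all
]

if __name__ == "__main__":
    for line in select_for_audit(SAMPLE_FILES, SAMPLE_ATTEMPTS):
        print(line)
```

Note the third attempt in the sample: a missing claim is treated as "not high", so an account that was never assigned a clearance attribute is audited rather than silently passed over. That default is the one to keep when writing the real expression.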
Access Management Tools
Tools
Cacls.exe
Icacls.exe
Robocopy
Best Practices for Microsoft Windows Access Control
AGULP
Accounts
Global groups
Access controls
Local groups
Permissions
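AGULP is a structural rule, so it can be checked mechanically against a snapshot of group memberships and ACEs. The following is an added example, not from the slides: a strict reading of the chain (accounts go into global groups, global groups are nested into domain local groups, permissions are granted only to domain local groups) applied to a constructed snapshot of two accounts, three groups and one share. Universal groups are left out of this model (assumption), and the group names, account names, share path and the function agulp_violations are this example's own.

```python
ACCOUNT, GLOBAL, LOCAL = "account", "global group", "domain local group"


def agulp_violations(principals: dict, members: dict, grants: list) -> list:
    """Check a directory snapshot against a strict reading of AGULP.
    principals: name -> kind; members: group -> set of direct member names;
    grants: (resource, principal) pairs taken from the resources' ACEs.
    Returns human-readable descriptions of every entry that breaks the rule."""
    problems = []
    for group, direct_members in members.items():
        for member in direct_members:
            g_kind, m_kind = principals[group], principals[member]
            if g_kind == GLOBAL and m_kind != ACCOUNT:
                problems.append(f"{group}: global group contains {m_kind} {member}; "
                                "global groups should hold accounts")
            elif g_kind == LOCAL and m_kind != GLOBAL:
                problems.append(f"{group}: domain local group contains {m_kind} {member}; "
                                "nest a global group instead")
    for resource, principal in grants:
        if principals[principal] != LOCAL:
            problems.append(f"{resource}: permission granted to {principals[principal]} "
                            f"{principal}; grant it to a domain local group")
    return problems


# Constructed sample: two accounts, one global group, two domain local groups,
# and the grants on one share. Two of the entries break the rule.
SAMPLE_PRINCIPALS = {
    "alice": ACCOUNT, "bob": ACCOUNT,
    "G-Finance": GLOBAL,
    "DL-Finance-Modify": LOCAL, "DL-Finance-Read": LOCAL,
}
SAMPLE_MEMBERS = {
    "G-Finance": {"alice"},
    "DL-Finance-Modify": {"G-Finance"},
    "DL-Finance-Read": {"bob"},          # account placed directly in a local group
}
SAMPLE_GRANTS = [
    (r"\\fs01\finance", "DL-Finance-Modify"),
    (r"\\fs01\finance", "alice"),        # permission granted straight to an account
]

if __name__ == "__main__":
    for problem in agulp_violations(SAMPLE_PRINCIPALS, SAMPLE_MEMBERS, SAMPLE_GRANTS):
        print(problem)
```

The two findings the sample produces are the two ways AGULP is usually broken in practice: a user dropped straight into the local group "just this once", and a permission granted to a named account that then survives every later role change.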
Summary
Principle of least privilege
Access models
Microsoft Windows objects and access controls
Forms of identification
Windows access permissions and access management tools