JMH Associates © 2004, All rights reserved
Chapter 15
Windows System Security
OBJECTIVES
Upon completion of this chapter, you will be able to:
Describe Windows NT/2000 security and its components
  Access Control Lists, Security Descriptors, Security Identifiers, and more
Describe the differences between privileges and rights
Create programs to manage security for NTFS files
Be ready to apply security to other NT objects
OVERVIEW (1 of 2)
Windows NT/2000 supports security; Windows 9x does not
Every (sharable) NT object is securable
Security applies to NTFS files
  Not to FAT or other file systems
NT security is C2 compliant
  (NSA “Orange Book” for single systems)
OVERVIEW (2 of 2)
NT security supports the required Discretionary Access Control Lists (DACLs) and System ACLs (SACLs, for auditing)
  Specific allow and deny entries for users and groups for different types of access
Security programming is difficult
  Probably the most difficult in the Windows API
CONSTRUCTING A SECURITY DESCRIPTOR
1) InitializeSecurityDescriptor
2) SetSecurityDescriptorOwner
3) SetSecurityDescriptorGroup
4) InitializeAcl
5) AddAccessDeniedAce
   · · ·
6) AddAccessAllowedAce
   · · ·
7) SetSecurityDescriptorDacl
[Figure: a process object's access token (User SID, Group SIDs) is checked against the object's Security Descriptor, which holds an Owner SID, a Group SID and a Discretionary ACL made up of Access Control Entries (Denied entries, then Allowed entries, · · ·)]
SECURITY ATTRIBUTES
  typedef struct _SECURITY_ATTRIBUTES {
      DWORD nLength;
      LPVOID lpSecurityDescriptor;
      BOOL bInheritHandle;
  } SECURITY_ATTRIBUTES;
nLength: Should be set to sizeof (SECURITY_ATTRIBUTES)
bInheritHandle: Should be FALSE for now
SECURITY DESCRIPTOR (1 of 2)
  BOOL InitializeSecurityDescriptor (
      PSECURITY_DESCRIPTOR psd,
      DWORD dwRevision)
psd: Should be set to the address of a SECURITY_DESCRIPTOR
dwRevision: Set to SECURITY_DESCRIPTOR_REVISION
A security descriptor contains:
  Owner Security Identifier (SID)
  Group SID
  Discretionary Access Control List (DACL)
  System ACL (SACL)
SECURITY DESCRIPTOR (2 of 2)
SetSecurityDescriptorOwner and SetSecurityDescriptorGroup
  Associate SIDs with descriptors
ACLs
  Initialized using InitializeAcl
  Associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl
Security descriptors
  Classified as either absolute or self-relative
ACCESS CONTROL LISTS
Each ACL is a set of Access Control Entries (ACEs)
Two types of ACE: access allowed and access denied
Initialize an ACL with InitializeAcl
Then add ACEs to discretionary ACLs:
  AddAccessAllowedAce
  AddAccessDeniedAce
AddAuditAccessAce is for adding to a SACL
Remove ACEs with DeleteAce
Retrieve them with GetAce
SECURITY IDENTIFIERS (1 of 7)
  BOOL LookupAccountName (
      LPCTSTR lpSystem,
      LPCTSTR lpAccount,
      PSID psid,
      LPDWORD lpcbSid,
      LPTSTR lpReferencedDomain,
      LPDWORD lpcchReferencedDomain,
      PSID_NAME_USE psnu)
lpSystem: Points to the system name (is often NULL)
lpAccount: Points to the account name
SECURITY IDENTIFIERS (2 of 7)
psid: Returned information of size *lpcbSid
lpcbSid: The DWORD should be initialized to the size of your SID structure (psid); on return, you get the actual size
lpReferencedDomain: String of length *lpcchReferencedDomain
  *lpcchReferencedDomain should be initialized to the buffer size
SECURITY IDENTIFIERS (3 of 7)
psnu: Points to a SID_NAME_USE (enumerated type) variable; can be tested for values such as:
  SidTypeUser
  SidTypeGroup
  SidTypeWellKnownGroup
SECURITY IDENTIFIERS (4 of 7)
To convert a SID to an account name:
  BOOL LookupAccountSid (
      LPCTSTR lpSystem,
      PSID psid,
      LPTSTR lpAccount,
      LPDWORD lpcchName,
      LPTSTR lpReferencedDomain,
      LPDWORD lpcchReferencedDomain,
      PSID_NAME_USE psnu)
SECURITY IDENTIFIERS (5 of 7)
  BOOL GetUserName (
      LPTSTR lpBuffer,
      LPDWORD lpcchBuffer)
Other functions:
  InitializeSid
  AllocateAndInitializeSid
SECURITY IDENTIFIERS (6 of 7)
  BOOL SetSecurityDescriptorOwner (
      PSECURITY_DESCRIPTOR psd,
      PSID psidOwner,
      BOOL fOwnerDefaulted)
  BOOL SetSecurityDescriptorGroup (
      PSECURITY_DESCRIPTOR psd,
      PSID psidGroup,
      BOOL fGroupDefaulted)
Return: The SID from a security descriptor (owner or group)
SECURITY IDENTIFIERS (7 of 7)
Parameters
psd: Points to the appropriate security descriptor
psidOwner or psidGroup: The address of the owner’s (group’s) SID
fOwnerDefaulted or fGroupDefaulted: Use default information
INITIALIZING ACLs
  BOOL InitializeAcl (
      PACL pAcl,
      DWORD cbAcl,
      DWORD dwAclRevision)
pAcl: Address of a programmer-supplied buffer of cbAcl bytes
dwAclRevision: Should be ACL_REVISION
ADDING ACEs (1 of 2)
  BOOL AddAccessAllowedAce (
      PACL pAcl,
      DWORD dwAclRevision,
      DWORD dwAccessMask,
      PSID pSid)
  BOOL AddAccessDeniedAce (
      PACL pAcl,
      DWORD dwAclRevision,
      DWORD dwAccessMask,
      PSID pSid)
pAcl: Points to an ACL structure initialized with InitializeAcl
ADDING ACEs (2 of 2)
dwAclRevision: Use ACL_REVISION
pSid: Points to a SID; might be obtained from LookupAccountName
dwAccessMask: Typical values are
  GENERIC_READ
  GENERIC_WRITE
  GENERIC_EXECUTE
ACL WITH SECURITY DESCRIPTOR
  BOOL SetSecurityDescriptorDacl (
      PSECURITY_DESCRIPTOR psd,
      BOOL fDaclPresent,
      PACL pAcl,
      BOOL fDaclDefaulted)
fDaclPresent: If TRUE, you have an ACL in the pAcl structure; if FALSE, the function ignores anything already in pAcl
fDaclDefaulted: If FALSE, indicates an ACL generated by the programmer; if TRUE, it was obtained by a default mechanism
SECURITY DESCRIPTOR
  BOOL GetFileSecurity (
      LPCTSTR lpFileName,
      SECURITY_INFORMATION secInfo,
      PSECURITY_DESCRIPTOR psd,
      DWORD cbSd,
      LPDWORD lpcbLengthNeeded)
  BOOL SetFileSecurity (
      LPCTSTR lpFileName,
      SECURITY_INFORMATION secInfo,
      PSECURITY_DESCRIPTOR psd)
secInfo: An enumerated type; takes on values such as:
  OWNER_SECURITY_INFORMATION
  GROUP_SECURITY_INFORMATION
  DACL_SECURITY_INFORMATION
  SACL_SECURITY_INFORMATION
  (which can be combined with the bitwise OR)
To find the GetFileSecurity return buffer size, call it twice
  The first call uses 0 as the cbSd value
  After allocating a buffer, call the function a second time
You must have the correct permissions on the file
OBTAIN AN ACL
  BOOL GetSecurityDescriptorDacl (
      PSECURITY_DESCRIPTOR psd,
      LPBOOL lpfDaclPresent,
      PACL *pAcl,
      LPBOOL lpfDaclDefaulted)
The parameters are nearly identical to SetSecurityDescriptorDacl
HOW MANY ACEs IN AN ACL (1 of 2)
  BOOL GetAclInformation (
      PACL pAcl,
      LPVOID pAclInformation,
      DWORD cbAclInfo,
      ACL_INFORMATION_CLASS dwAclInfoClass)
dwAclInfoClass: Use AclSizeInformation in most cases
HOW MANY ACEs IN AN ACL (2 of 2)
pAclInformation: A structure of type ACL_SIZE_INFORMATION; has three members:
  AceCount (how many entries are on the list)
  AclBytesInUse
  AclBytesFree
OBTAIN ACEs
  BOOL GetAce (
      PACL pAcl,
      DWORD dwAceIndex,
      LPVOID *pAce)
pAce: Points to an ACE structure
  The ACE structure has a member called “Header”
  Header has an AceType member, which can be tested for:
    ACCESS_ALLOWED_ACE_TYPE
    ACCESS_DENIED_ACE_TYPE
SECURITY SUMMARY
Remove ACEs with the DeleteAce function
For kernel security descriptors, use:
  GetKernelObjectSecurity
  SetKernelObjectSecurity
Associate security descriptors with programmer-generated objects:
  GetUserObjectSecurity
  SetUserObjectSecurity
Note the difference between absolute and self-relative security descriptors
System administrators can manage system ACLs
LAB D–A (1 of 2)
The functions in InitUnFp.c create and manage a SECURITY_ATTRIBUTES structure
  With (Read, Write, and Execute) permissions
  For (User, Group, and Other)
  Similar to UNIX file permissions
You will need these functions in the two lab exercises
LAB D–A (2 of 2)
1. Write a program, chmod, to create a new file with specified permissions
   Expressed as a 9-bit UNIX-style file permission
2. Write an enhancement of the ls program, lsFP, to find the existing permissions on a specified file
   Assume that the permissions were created with chmod
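A runnable model of the construction order shown under CONSTRUCTING A SECURITY DESCRIPTOR and of the Lab D-A permission mapping, added here as an example and not taken from the course or its InitUnFp.c: it replaces the Win32 calls with portable C so the first-match ACE semantics can be exercised on any platform. The SID strings used with it are constructed placeholders, and the deny-then-allow ordering per class is my assumption.

```c
/* Added example (not the course's code or InitUnFp.c): a portable C model of a
 * DACL and the first-match access check, so ACE ordering runs on any platform.
 * SIDs are strings here; the real API uses PSIDs with InitializeAcl and AddAccess*Ace. */
#include <string.h>
#define PERM_READ    4   /* stand-ins for GENERIC_READ/WRITE/EXECUTE, numbered */
#define PERM_WRITE   2   /* like the UNIX rwx bits so the lab mapping is a shift */
#define PERM_EXECUTE 1

typedef enum { ACE_DENIED, ACE_ALLOWED } AceType;
typedef struct { AceType type; unsigned mask; const char *sid; } Ace;
typedef struct { int count; Ace ace[8]; } Dacl;
typedef struct { int n; const char *sid[4]; } Token;  /* user SID, then groups */

static int token_has(const Token *t, const char *sid) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->sid[i], sid) == 0) return 1;
    return 0;
}

/* Walk the ACEs in order: a denied ACE for a token SID that overlaps the request
 * ends the check; allowed ACEs accumulate bits until all requested bits are
 * granted. No DACL (fDaclPresent FALSE) grants everything; an empty one, nothing. */
int access_check(const Token *t, const Dacl *d, unsigned requested) {
    unsigned granted = 0;
    if (d == NULL) return 1;
    for (int i = 0; i < d->count && (requested & ~granted); i++) {
        const Ace *a = &d->ace[i];
        if (!token_has(t, a->sid)) continue;
        if (a->type == ACE_DENIED && (a->mask & requested)) return 0;
        if (a->type == ACE_ALLOWED) granted |= a->mask;
    }
    return (requested & ~granted) == 0;
}

/* Lab D-A: map a 9-bit UNIX mode to ACEs for owner, group and Everyone. The order
 * is my assumption, not necessarily InitUnFp.c's: per class, a denied ACE for the
 * rwx bits the class lacks, then an allowed ACE for the bits it has. The check
 * stops once the owner's bits are granted, giving UNIX first-matching-class rules. */
void dacl_from_mode(Dacl *d, unsigned mode, const char *owner,
                    const char *group, const char *everyone) {
    const char *sid[3] = { owner, group, everyone };
    d->count = 0;
    for (int c = 0; c < 3; c++) {
        unsigned bits = (mode >> (6 - 3 * c)) & 7;      /* owner, group, other */
        if (bits != 7) d->ace[d->count++] = (Ace){ ACE_DENIED, 7 & ~bits, sid[c] };
        if (bits != 0) d->ace[d->count++] = (Ace){ ACE_ALLOWED, bits, sid[c] };
    }
}
```

Calling dacl_from_mode with mode 0640 yields five ACEs; with that DACL a token holding the owner SID gets read and write but not execute, a group member gets read only, and a token holding only Everyone gets nothing. Swapping an allowed ACE in front of a denied one for the same right lets the check succeed before the denial is ever reached, which is why denied ACEs are added first on the construction slide.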