JMH Associates © 2004, All rights reserved. Chapter 15: Windows System Security (transcript of a 31-slide deck, posted 20-Dec-2015).

Slide 1: Chapter 15, Windows System Security

Slide 2: OBJECTIVES

Upon completion of this chapter, you will be able to:
- Describe Windows NT/2000 security and its components: access control lists, security descriptors, security identifiers, and more
- Describe the differences between privileges and rights
- Create programs to manage security for NTFS files
- Be ready to apply security to other NT objects

Slide 3: OVERVIEW (1 of 2)

- Windows NT/2000 supports security; Windows 9x does not
- Every (sharable) NT object is securable, that is, it can carry a security descriptor
- Security applies to NTFS files, not to FAT or other file systems (FAT stores no ACLs, so copying a file to a FAT volume discards its permissions)
- NT security is C2 compliant (the DoD/NSA "Orange Book" rating for single systems); the rating covers only the specific evaluated configuration, not every installation

Slide 4: OVERVIEW (2 of 2)

- NT security supports the required Discretionary Access Control Lists (DACLs) and System ACLs (SACLs, for auditing)
- Specific allow and deny entries for users and groups, for different types of access
- Security programming is difficult, probably the most difficult in the Windows API

Slide 5: CONSTRUCTING A SECURITY DESCRIPTOR

Slide 6: (diagram) The construction sequence and the structures it produces

1) InitializeSecurityDescriptor
2) SetSecurityDescriptorOwner
3) SetSecurityDescriptorGroup
4) InitializeAcl
5) AddAccessDeniedAce ···
6) AddAccessAllowedAce ···
7) SetSecurityDescriptorDacl

Diagram: a Process carries an Access Token (User SID, Group SIDs). The Object carries a Security Descriptor (Owner SID, Group SID, Discretionary ACL). The Discretionary ACL is an ordered list of Access Control Entries: the (Denied) entries, then the (Allowed) entries ···. An access check matches the token's SIDs against the ACEs in list order, so the order in which steps 5 and 6 add entries is the order in which they are evaluated.

Slide 7: SECURITY ATTRIBUTES

typedef struct _SECURITY_ATTRIBUTES {
    DWORD  nLength;
    LPVOID lpSecurityDescriptor;
    BOOL   bInheritHandle;
} SECURITY_ATTRIBUTES;

- nLength: should be set to sizeof (SECURITY_ATTRIBUTES)
- lpSecurityDescriptor: the descriptor built by the sequence above; if it is NULL (or the whole SECURITY_ATTRIBUTES pointer is NULL) the object receives the default security descriptor from the caller's access token
- bInheritHandle: should be FALSE for now; it controls whether child processes inherit the handle and has nothing to do with ACE inheritance

Slide 8: SECURITY DESCRIPTOR (1 of 2)

BOOL InitializeSecurityDescriptor (PSECURITY_DESCRIPTOR psd, DWORD dwRevision)

- psd: should be set to the address of a SECURITY_DESCRIPTOR
- dwRevision: set to SECURITY_DESCRIPTOR_REVISION

The security descriptor contains: Owner Security Identifier (SID), Group SID, Discretionary Access Control List (DACL), System ACL (SACL). After initialization all four are absent (NULL); the later calls fill them in.

Slide 9: SECURITY DESCRIPTOR (2 of 2)

- SetSecurityDescriptorOwner and SetSecurityDescriptorGroup associate SIDs with descriptors
- ACLs are initialized using InitializeAcl and associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl
- Security descriptors are classified as either absolute or self-relative: an absolute descriptor (what these calls build) holds pointers to separately allocated SIDs and ACLs, which must stay valid for as long as the descriptor is used; a self-relative descriptor (what GetFileSecurity returns) is one contiguous block

Slide 10: ACCESS CONTROL LISTS

- Each ACL is a set of Access Control Entries (ACEs)
- Two types of ACE in a DACL: access allowed and access denied
- Initialize an ACL with InitializeAcl, then add ACEs to discretionary ACLs with AddAccessAllowedAce and AddAccessDeniedAce; each call appends to the end of the list, so the order of the calls is the order of the ACEs
- AddAuditAccessAce is for adding to a SACL
- Remove ACEs with DeleteAce; retrieve them with GetAce
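Because AddAccessAllowedAce and AddAccessDeniedAce append, the sequence of calls fixes the sequence in which an access check reads the ACEs. The following is an added example, not code from the slides or from JMH Associates: a small C model of the walk Windows performs over a DACL, applied to two orderings of the same five ACEs for a UNIX-style mode 0640 (owner rw-, group r--, other ---). It models only the DACL walk (the owner's implicit READ_CONTROL and WRITE_DAC, privileges and generic-to-specific mapping are left out) and its principal names and rights bits are constructed. The point it makes: placing every denied ACE ahead of every allowed ACE, as steps 5 and 6 of the construction sequence might suggest, locks out the owner, who is also a member of the group and of Everyone; ordering the ACEs per principal gives the intended result.

```c
/* Added example: a host-independent model of the rule Windows applies when it
 * evaluates a DACL. It does not call the Win32 API; it exists so the effect of
 * ACE order can be checked on any machine before the real AddAccess*Ace calls
 * are written. Principal names and the rights bits are constructed for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t mask_t;
enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2, RIGHT_EXEC = 0x4 };  /* abstract rights */
enum ace_type { ACE_ALLOWED, ACE_DENIED };

struct ace   { enum ace_type type; mask_t mask; const char *sid; }; /* SIDs modelled as names */
struct token { const char *sids[8]; int count; };                   /* user SID plus group SIDs */

static bool token_has_sid(const struct token *t, const char *sid) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Evaluation rule for a non-NULL DACL:
 *  - walk the ACEs in list order, skipping ACEs whose SID is not in the token;
 *  - an access-denied ACE that covers any right still wanted ends the walk: denied;
 *  - an access-allowed ACE removes the rights it grants from the wanted set;
 *  - granted as soon as nothing is still wanted, denied if the list ends first.
 * An empty ACL therefore grants nothing. A NULL DACL (everything granted) is a
 * separate case and is not modelled here. */
static bool access_check(const struct ace *acl, int n, const struct token *t, mask_t wanted) {
    mask_t remaining = wanted;
    for (int i = 0; i < n && remaining != 0; i++) {
        if (!token_has_sid(t, acl[i].sid)) continue;
        if (acl[i].type == ACE_DENIED) {
            if (acl[i].mask & remaining) return false;
        } else {
            remaining &= ~acl[i].mask;
        }
    }
    return remaining == 0;
}

/* Constructed principals: the owner is also a member of "group" and of "everyone". */
static const struct token owner_tok    = { { "owner",    "group", "everyone" }, 3 };
static const struct token member_tok   = { { "member",   "group", "everyone" }, 3 };
static const struct token stranger_tok = { { "stranger", "everyone" }, 2 };

/* Both lists intend UNIX mode 0640: owner rw-, group r--, other ---. */

/* Naive order: every denied ACE before every allowed ACE, as if all the
 * AddAccessDeniedAce calls were made before any AddAccessAllowedAce call. */
static const struct ace naive[] = {
    { ACE_DENIED,  RIGHT_EXEC,                            "owner"    },
    { ACE_DENIED,  RIGHT_WRITE | RIGHT_EXEC,              "group"    },
    { ACE_DENIED,  RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC, "everyone" },
    { ACE_ALLOWED, RIGHT_READ | RIGHT_WRITE,              "owner"    },
    { ACE_ALLOWED, RIGHT_READ,                            "group"    },
};

/* Per-principal order: each principal's allowed ACE, then its denied ACE,
 * owner first, then group, then everyone. */
static const struct ace grouped[] = {
    { ACE_ALLOWED, RIGHT_READ | RIGHT_WRITE,              "owner"    },
    { ACE_DENIED,  RIGHT_EXEC,                            "owner"    },
    { ACE_ALLOWED, RIGHT_READ,                            "group"    },
    { ACE_DENIED,  RIGHT_WRITE | RIGHT_EXEC,              "group"    },
    { ACE_DENIED,  RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC, "everyone" },
};

#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))
static bool check_naive  (const struct token *t, mask_t m) { return access_check(naive,   COUNT(naive),   t, m); }
static bool check_grouped(const struct token *t, mask_t m) { return access_check(grouped, COUNT(grouped), t, m); }

int main(void) {
    struct { const char *label; const struct token *t; mask_t m; } q[] = {
        { "owner    write", &owner_tok,    RIGHT_WRITE },
        { "owner    exec ", &owner_tok,    RIGHT_EXEC  },
        { "member   read ", &member_tok,   RIGHT_READ  },
        { "member   write", &member_tok,   RIGHT_WRITE },
        { "stranger read ", &stranger_tok, RIGHT_READ  },
    };
    puts("request          naive  grouped   (1 = granted)");
    for (int i = 0; i < COUNT(q); i++)
        printf("%s    %d      %d\n", q[i].label, check_naive(q[i].t, q[i].m), check_grouped(q[i].t, q[i].m));
    return 0;
}
```

With the naive list the owner is granted nothing at all (the group deny covers write and the Everyone deny covers read before any allowed ACE is reached), while the per-principal list grants exactly rw-/r--/---. Note that the per-principal list is not in Windows' canonical order (explicit denies, then explicit allows, then inherited ACEs); it works because evaluation is purely positional, but the Explorer security dialog will report such permissions as incorrectly ordered.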

Slide 11: SECURITY IDENTIFIERS (1 of 7)

BOOL LookupAccountName (LPCTSTR lpSystem, LPCTSTR lpAccount, PSID psid, LPDWORD lpcbSid, LPTSTR lpReferencedDomain, LPDWORD lpcchReferencedDomain, PSID_NAME_USE psnu)

- lpSystem: points to the system name (is often NULL, meaning the local system)
- lpAccount: points to the account name

Slide 12: SECURITY IDENTIFIERS (2 of 7)

- psid: returned information of size *lpcbSid
- lpcbSid: the DWORD should be initialized to the size of your SID buffer (psid); on return you get the actual size. Calling with *lpcbSid = 0 fails with ERROR_INSUFFICIENT_BUFFER and stores the required size, which is the usual way to size the buffer
- lpReferencedDomain: string of length *lpcchReferencedDomain, which should be initialized to the buffer size in characters; it is sized the same way

Slide 13: SECURITY IDENTIFIERS (3 of 7)

- psnu: points to a SID_NAME_USE (enumerated type) variable, which can be tested for values such as:
  - SidTypeUser
  - SidTypeGroup
  - SidTypeWellKnownGroup

Slide 14: SECURITY IDENTIFIERS (4 of 7)

To convert a SID to an account name:

BOOL LookupAccountSid (LPCTSTR lpSystem, PSID psid, LPTSTR lpAccount, LPDWORD lpcchName, LPTSTR lpReferencedDomain, LPDWORD lpcchReferencedDomain, PSID_NAME_USE psnu)

Slide 15: SECURITY IDENTIFIERS (5 of 7)

BOOL GetUserName (LPTSTR lpBuffer, LPDWORD lpcchBuffer)

Other functions: InitializeSid, AllocateAndInitializeSid (builds well-known SIDs such as Everyone directly; free the result with FreeSid)

Slide 16: SECURITY IDENTIFIERS (6 of 7)

BOOL SetSecurityDescriptorOwner (PSECURITY_DESCRIPTOR psd, PSID psidOwner, BOOL fOwnerDefaulted)

BOOL SetSecurityDescriptorGroup (PSECURITY_DESCRIPTOR psd, PSID psidGroup, BOOL fGroupDefaulted)

The matching GetSecurityDescriptorOwner and GetSecurityDescriptorGroup return the owner or group SID from a security descriptor.

Slide 17: SECURITY IDENTIFIERS (7 of 7)

Parameters:
- psd: points to the appropriate security descriptor
- psidOwner or psidGroup: the address of the owner's (group's) SID. The owner can only be the caller's own user SID (or a group the token marks as an eligible owner) unless the caller holds SeRestorePrivilege; otherwise creating the object fails with ERROR_INVALID_OWNER
- fOwnerDefaulted or fGroupDefaulted: TRUE marks the SID as supplied by a default mechanism rather than set explicitly; a program that sets the SID itself passes FALSE

Slide 18: INITIALIZING ACLs

BOOL InitializeAcl (PACL pAcl, DWORD cbAcl, DWORD dwAclRevision)

- pAcl: address of a programmer-supplied buffer of cbAcl bytes
- cbAcl: must hold the ACL header and every ACE that will be added: sizeof (ACL) plus, for each ACE, sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid (pSid); the later AddAccess*Ace calls fail with ERROR_ALLOTTED_SPACE_EXCEEDED if it is too small
- dwAclRevision: should be ACL_REVISION

Slide 19: ADDING ACEs (1 of 2)

BOOL AddAccessAllowedAce (PACL pAcl, DWORD dwAclRevision, DWORD dwAccessMask, PSID pSid)

BOOL AddAccessDeniedAce (PACL pAcl, DWORD dwAclRevision, DWORD dwAccessMask, PSID pSid)

- pAcl: points to an ACL structure initialized with InitializeAcl

Slide 20: ADDING ACEs (2 of 2)

- dwAclRevision: use ACL_REVISION
- pSid: points to a SID, which might be obtained from LookupAccountName
- dwAccessMask: typical values are GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE (and GENERIC_ALL), combined with the bitwise OR. A file ACE read back later may show the file-specific rights (FILE_GENERIC_READ and so on) rather than these generic bits, because the system can map generic rights to specific rights when it assigns the descriptor

Slide 21: ACL WITH SECURITY DESCRIPTOR

BOOL SetSecurityDescriptorDacl (PSECURITY_DESCRIPTOR psd, BOOL fDaclPresent, PACL pAcl, BOOL fDaclDefaulted)

- fDaclPresent: if TRUE, you have an ACL in the pAcl structure; if FALSE, the function ignores anything already in pAcl and the descriptor has no DACL
- fDaclDefaulted: if FALSE, indicates an ACL generated by the programmer; if TRUE, it was obtained by a default mechanism

Caution: fDaclPresent = TRUE with pAcl = NULL is a NULL DACL, which grants everyone full access to the object. That is the opposite of an empty DACL (an initialized ACL with no ACEs), which grants no one any access. Pass the ACL you built, and never try to "clear" a DACL by passing NULL.

Slide 22: SECURITY DESCRIPTOR

BOOL GetFileSecurity (LPCTSTR lpFileName, SECURITY_INFORMATION secInfo, PSECURITY_DESCRIPTOR psd, DWORD cbSd, LPDWORD lpcbLengthNeeded)

BOOL SetFileSecurity (LPCTSTR lpFileName, SECURITY_INFORMATION secInfo,  PSECURITY_DESCRIPTOR psd)

Slide 23: SECURITY DESCRIPTOR

- secInfo: a SECURITY_INFORMATION bit mask (not an enumerated type) that takes on values such as:
  - OWNER_SECURITY_INFORMATION
  - GROUP_SECURITY_INFORMATION
  - DACL_SECURITY_INFORMATION
  - SACL_SECURITY_INFORMATION
  (which can be combined with the bitwise OR; only the parts selected are read or written)

Slide 24: SECURITY DESCRIPTOR

To find the GetFileSecurity return buffer size, call it twice:
- The first call uses 0 as the cbSd value (and NULL for psd); it fails with ERROR_INSUFFICIENT_BUFFER and stores the required size in *lpcbLengthNeeded
- After allocating a buffer of that size, call the function a second time; the result is a self-relative descriptor
- You must have the correct permissions on the file: READ_CONTROL to read the owner, group and DACL; reading or writing the SACL requires SeSecurityPrivilege; changing the owner requires WRITE_OWNER access or SeTakeOwnershipPrivilege

Slide 25: OBTAIN AN ACL

BOOL GetSecurityDescriptorDacl (PSECURITY_DESCRIPTOR psd, LPBOOL lpfDaclPresent, PACL *pAcl, LPBOOL lpfDaclDefaulted)

The parameters are nearly identical to SetSecurityDescriptorDacl. *pAcl receives a pointer into the descriptor, not a copy: with the self-relative descriptor returned by GetFileSecurity it stays valid only as long as that buffer does, and it must not be freed separately. Check *lpfDaclPresent and *pAcl together; present with a NULL pointer means a NULL DACL, that is, everyone has full access.

Slide 26: HOW MANY ACEs IN AN ACL (1 of 2)

BOOL GetAclInformation (PACL pAcl, LPVOID pAclInformation, DWORD cbAclInfo, ACL_INFORMATION_CLASS dwAclInfoClass)

- dwAclInfoClass: use AclSizeInformation in most cases

Slide 27: HOW MANY ACEs IN AN ACL (2 of 2)

- pAclInformation: a structure of type ACL_SIZE_INFORMATION, which has three members:
  - AceCount: how many entries are on the list
  - AclBytesInUse
  - AclBytesFree: space still available for further AddAccess*Ace calls

Slide 28: OBTAIN ACEs

BOOL GetAce (PACL pAcl, DWORD dwAceIndex, LPVOID *pAce)

- pAce: receives a pointer to an ACE structure (ACCESS_ALLOWED_ACE or ACCESS_DENIED_ACE, which share the layout Header, Mask, SidStart). The Header has an AceType member which can be tested for:
  - ACCESS_ALLOWED_ACE_TYPE
  - ACCESS_DENIED_ACE_TYPE
  The ACE's SID begins at the SidStart member, (PSID) &pAce->SidStart. Indexes run from 0 to AceCount - 1, in evaluation order.
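As an added example, not the lab's lsFP or code from the slides: the read-back sequence GetFileSecurity (called twice for sizing), GetSecurityDescriptorDacl, GetAclInformation and GetAce, followed by an interpreter that turns the ACEs back into a 9-bit mode. The interpreter decides each right by the first ACE in list order that mentions it for that principal, so it agrees with the way the ACL would actually be evaluated. It accepts both the GENERIC_* bit originally added and the FILE_* right the system may have mapped it to, reports a NULL DACL as 0777 rather than as "no permissions", and ignores ACEs for unrelated SIDs. The Everyone SID standing for "other", the 64-ACE limit and the sample ACE lists are assumptions.

```c
/* Added example (not the lab's lsFP): read a DACL back and recover the 9-bit mode a
 * chmod-style program stored. The interpreter and its constructed samples run on any
 * host; the Win32 read-back compiles only under _WIN32. Assumptions: Everyone stands
 * for "other", ACEs for any other SID (inherited ones, say) are ignored, and at most
 * 64 ACEs are examined. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
#define GENERIC_READ    0x80000000u   /* access-mask values from winnt.h */
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define FILE_READ_DATA  0x0001u
#define FILE_WRITE_DATA 0x0002u
#define FILE_EXECUTE    0x0020u
#endif

typedef uint32_t mask_t;
enum who { WHO_OWNER, WHO_GROUP, WHO_EVERYONE, WHO_OTHER_SID };
struct seen_ace { enum who who; int allowed; mask_t mask; };

/* A stored ACE may still carry the GENERIC_* bit that was added, or the file-specific
 * right the system mapped it to when it assigned the descriptor; accept both. */
static unsigned mask_to_rwx(mask_t m) {
    if (m & GENERIC_ALL) return 7;
    return (m & (GENERIC_READ | FILE_READ_DATA) ? 4u : 0u)
         | (m & (GENERIC_WRITE | FILE_WRITE_DATA) ? 2u : 0u)
         | (m & (GENERIC_EXECUTE | FILE_EXECUTE) ? 1u : 0u);
}

/* Walks the ACEs in list order, as an access check would: for each principal the first
 * ACE that mentions a right decides it (allowed sets the bit, denied clears it); rights
 * never mentioned stay clear. */
static unsigned mode_from_aces(const struct seen_ace *a, int n) {
    unsigned mode = 0, decided = 0;
    for (int i = 0; i < n; i++) {
        if (a[i].who == WHO_OTHER_SID) continue;
        unsigned fresh = (mask_to_rwx(a[i].mask) << (6 - 3 * a[i].who)) & ~decided;
        if (a[i].allowed) mode |= fresh;
        decided |= fresh;
    }
    return mode;
}

/* Constructed sample: a 0640 chmod-style DACL as read back, with the owner's ACEs
 * already translated to FILE_GENERIC_* bits, the group's still generic, and one
 * unrelated inherited full-control ACE at the end. */
static const struct seen_ace sample[] = {
    { WHO_OWNER,     1, 0x12019Fu },                 /* FILE_GENERIC_READ | FILE_GENERIC_WRITE */
    { WHO_OWNER,     0, 0x1200A0u },                 /* FILE_GENERIC_EXECUTE */
    { WHO_GROUP,     1, GENERIC_READ },
    { WHO_GROUP,     0, GENERIC_WRITE | GENERIC_EXECUTE },
    { WHO_EVERYONE,  0, GENERIC_ALL },
    { WHO_OTHER_SID, 1, 0x1F01FFu },                 /* FILE_ALL_ACCESS for some other SID */
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))
/* Order matters: a denied ACE ahead of the allowed ACE for the same principal wins. */
static const struct seen_ace deny_first[] = {
    { WHO_OWNER, 0, GENERIC_WRITE }, { WHO_OWNER, 1, GENERIC_READ | GENERIC_WRITE },
};

#ifdef _WIN32
/* GetFileSecurity twice (size, then data), then GetSecurityDescriptorDacl,
 * GetAclInformation and GetAce. Each ACE's SID is compared with the descriptor's
 * owner and group SIDs and with Everyone. Returns (unsigned)-1 on failure. */
static unsigned mode_of_file(const char *path) {
    SECURITY_INFORMATION si = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
    DWORD need = 0; PSECURITY_DESCRIPTOR sd; BOOL present, defaulted; PACL acl = NULL;
    PSID owner = NULL, group = NULL, world = NULL; ACL_SIZE_INFORMATION info;
    SID_IDENTIFIER_AUTHORITY wa = SECURITY_WORLD_SID_AUTHORITY;
    struct seen_ace seen[64]; int n = 0; unsigned mode = (unsigned)-1;

    GetFileSecurityA(path, si, NULL, 0, &need);      /* fails with ERROR_INSUFFICIENT_BUFFER, sets need */
    if (!(sd = malloc(need)) || !GetFileSecurityA(path, si, sd, need, &need)) { free(sd); return mode; }
    if (!AllocateAndInitializeSid(&wa, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &world)) { free(sd); return mode; }
    if (GetSecurityDescriptorOwner(sd, &owner, &defaulted) && GetSecurityDescriptorGroup(sd, &group, &defaulted) &&
        GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted) && present) {
        if (acl == NULL) {
            mode = 0777;                             /* NULL DACL: everyone has full access */
        } else if (GetAclInformation(acl, &info, sizeof info, AclSizeInformation)) {
            for (DWORD i = 0; i < info.AceCount && n < 64; i++) {
                ACCESS_ALLOWED_ACE *ace;             /* ACCESS_DENIED_ACE has the same layout */
                if (!GetAce(acl, i, (LPVOID *)&ace)) break;
                if ((ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE && ace->Header.AceType != ACCESS_DENIED_ACE_TYPE)
                    || (ace->Header.AceFlags & INHERIT_ONLY_ACE))
                    continue;                        /* other ACE types, or ACEs that do not apply to this object */
                PSID s = (PSID)&ace->SidStart;
                enum who w = (owner && EqualSid(s, owner)) ? WHO_OWNER
                           : (group && EqualSid(s, group)) ? WHO_GROUP
                           : EqualSid(s, world) ? WHO_EVERYONE : WHO_OTHER_SID;
                seen[n++] = (struct seen_ace){ w, ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, ace->Mask };
            }
            mode = mode_from_aces(seen, n);
        }
    }
    FreeSid(world);
    free(sd);   /* owner, group and acl pointed into this self-relative buffer; nothing else to free */
    return mode;
}
#endif

int main(int argc, char **argv) {   /* usage: lsFP <file>  (the file argument is used only on Windows) */
    printf("constructed sample -> %04o, deny-first sample -> %04o\n",
           mode_from_aces(sample, SAMPLE_N), mode_from_aces(deny_first, 2));
#ifdef _WIN32
    if (argc > 1) {
        unsigned m = mode_of_file(argv[1]);
        if (m == (unsigned)-1) printf("%s: error %lu\n", argv[1], GetLastError());
        else printf("%s -> %04o\n", argv[1], m);
    }
#endif
    return 0;
}
```

The constructed sample decodes to 0640 and the deny-first pair to 0400, which is what an access check of those lists would grant. On a real file the result also reflects any ACEs inherited from the directory and any SIDs the program does not recognize, which is why the unknown-SID entries are reported as ignored rather than folded into the mode.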

Slide 29: SECURITY SUMMARY

- Remove ACEs with the DeleteAce function
- For kernel object security descriptors, use GetKernelObjectSecurity and SetKernelObjectSecurity
- For user objects (window stations, desktops), use GetUserObjectSecurity and SetUserObjectSecurity; for objects a program defines itself, the descriptor is created with CreatePrivateObjectSecurity and enforced by calling AccessCheck
- Note the difference between absolute and self-relative security descriptors
- System administrators can manage system ACLs (SACLs)

Slide 30: LAB D–A (1 of 2)

- The functions in InitUnFp.c create and manage a SECURITY_ATTRIBUTES structure with (Read, Write, and Execute) permissions for (User, Group, and Other), similar to UNIX file permissions
- You will need these functions in the two lab exercises

Slide 31: LAB D–A (2 of 2)

1. Write a program, chmod, to create a new file with specified permissions, expressed as a 9-bit UNIX-style file permission
2. Write an enhancement of the ls program, lsFP, to find the existing permissions on a specified file; assume that the permissions were created with chmod
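As an added example, not the lab's InitUnFp.c or any code from the slides: one way to carry out exercise 1. The portable part turns a 9-bit mode into an ordered ACE plan (an allowed ACE then a denied ACE for the owner, then for the group, then for Everyone) and renders it for inspection; under _WIN32 the plan is realized with the chapter's steps 1 to 7 and passed to CreateFile. The account names on the command line, the output file name lab.txt and the use of Everyone for "other" are assumptions. Two things to keep in mind when running it on Windows: the owner SID must be the caller's own account unless the process holds SeRestorePrivilege, and the file may also pick up ACEs inherited from its directory, so read the result back (icacls lab.txt, or the GetFileSecurity sequence) rather than trusting the plan.

```c
/* Added example (not the lab's InitUnFp.c): a 9-bit UNIX mode becomes an ordered ACE
 * plan, which the Win32 part (compiled only under _WIN32) realizes with the chapter's
 * steps 1-7 and hands to CreateFile. The account names, the file name lab.txt and the
 * use of Everyone for "other" are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#define GENERIC_READ    0x80000000u   /* values from winnt.h, so the plan is the same on any host */
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#endif

typedef uint32_t mask_t;
enum who  { WHO_OWNER, WHO_GROUP, WHO_EVERYONE };
enum kind { PLAN_ALLOW, PLAN_DENY };
struct plan_ace { enum who who; enum kind kind; mask_t mask; };

static mask_t rwx_to_mask(unsigned rwx) {            /* rwx bits 4,2,1 -> GENERIC_* */
    return (rwx & 4 ? GENERIC_READ : 0) | (rwx & 2 ? GENERIC_WRITE : 0) | (rwx & 1 ? GENERIC_EXECUTE : 0);
}

/* Writes up to six ACEs to `out` in evaluation order and returns the count: for the
 * owner, then the group, then Everyone, an allowed ACE for the bits set followed by a
 * denied ACE for the bits clear. The owner is normally also in the group and in
 * Everyone, so this per-principal order (not "all denies first") is what gives UNIX
 * semantics: the owner's own ACEs settle an owner request before any group deny. */
static int mode_to_plan(unsigned mode, struct plan_ace *out) {
    int n = 0;
    for (int w = WHO_OWNER; w <= WHO_EVERYONE; w++) {
        unsigned rwx = (mode >> (6 - 3 * w)) & 7;
        if (rwx)      out[n++] = (struct plan_ace){ (enum who)w, PLAN_ALLOW, rwx_to_mask(rwx) };
        if (rwx != 7) out[n++] = (struct plan_ace){ (enum who)w, PLAN_DENY,  rwx_to_mask(7 & ~rwx) };
    }
    return n;
}

/* Renders a plan, e.g. "O+rw O-x G+r G-wx E-rwx" (O owner, G group, E Everyone). */
static const char *plan_string(unsigned mode) {
    static char buf[64];
    struct plan_ace p[6];
    int n = mode_to_plan(mode, p), len = 0;
    for (int i = 0; i < n; i++)
        len += snprintf(buf + len, sizeof buf - len, "%s%c%c%s%s%s", i ? " " : "",
                        "OGE"[p[i].who], p[i].kind == PLAN_ALLOW ? '+' : '-',
                        p[i].mask & GENERIC_READ ? "r" : "", p[i].mask & GENERIC_WRITE ? "w" : "",
                        p[i].mask & GENERIC_EXECUTE ? "x" : "");
    return buf;
}

#ifdef _WIN32
/* Steps 1-7 plus CreateFile. The owner must be the caller's own account unless the
 * process holds SeRestorePrivilege. Returns INVALID_HANDLE_VALUE on failure. */
static HANDLE create_with_mode(const char *path, unsigned mode, const char *owner, const char *group) {
    struct plan_ace plan[6];
    int n = mode_to_plan(mode, plan);
    BYTE ownerBuf[SECURITY_MAX_SID_SIZE], groupBuf[SECURITY_MAX_SID_SIZE];
    PSID sids[3] = { ownerBuf, groupBuf, NULL };       /* indexed by enum who */
    DWORD cb[2] = { sizeof ownerBuf, sizeof groupBuf }, cchDom = 256, cbAcl = sizeof (ACL);
    char dom[256]; SID_NAME_USE use;
    SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;
    SECURITY_DESCRIPTOR sd; SECURITY_ATTRIBUTES sa;
    HANDLE h = INVALID_HANDLE_VALUE; PACL acl = NULL;

    if (!LookupAccountNameA(NULL, owner, sids[0], &cb[0], dom, &cchDom, &use)) return h;
    cchDom = 256;
    if (!LookupAccountNameA(NULL, group, sids[1], &cb[1], dom, &cchDom, &use)) return h;
    if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &sids[2])) return h;
    /* ACL size: header plus, per ACE, the ACE struct minus its SidStart placeholder plus the SID */
    for (int i = 0; i < n; i++)
        cbAcl += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid(sids[plan[i].who]);
    acl = (PACL)malloc(cbAcl);
    if (!acl || !InitializeAcl(acl, cbAcl, ACL_REVISION)) goto done;
    for (int i = 0; i < n; i++) {                     /* appended in plan order = evaluation order */
        PSID s = sids[plan[i].who];
        if (!(plan[i].kind == PLAN_ALLOW ? AddAccessAllowedAce(acl, ACL_REVISION, plan[i].mask, s)
                                         : AddAccessDeniedAce (acl, ACL_REVISION, plan[i].mask, s)))
            goto done;
    }
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) ||
        !SetSecurityDescriptorOwner(&sd, sids[0], FALSE) ||
        !SetSecurityDescriptorGroup(&sd, sids[1], FALSE) ||
        !SetSecurityDescriptorDacl(&sd, TRUE, acl, FALSE))   /* TRUE with a real ACL: never a NULL DACL */
        goto done;
    sa.nLength = sizeof sa; sa.lpSecurityDescriptor = &sd; sa.bInheritHandle = FALSE;
    h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, &sa, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
done:
    free(acl);
    FreeSid(sids[2]);
    return h;
}
#endif

int main(int argc, char **argv) {   /* usage: chmod <octal mode> [<owner account> <group account>] */
    unsigned mode = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 8) : 0640;
    printf("mode %04o -> %s\n", mode, plan_string(mode));
#ifdef _WIN32
    if (argc > 3) {
        HANDLE h = create_with_mode("lab.txt", mode, argv[2], argv[3]);
        if (h == INVALID_HANDLE_VALUE) printf("CreateFile failed, error %lu\n", GetLastError());
        else { CloseHandle(h); puts("created lab.txt"); }
    }
#endif
    return 0;
}
```

For mode 0640 the plan is "O+rw O-x G+r G-wx E-rwx", five ACEs in that order; 0777 produces three allowed ACEs and no denies, and 0000 three denies. The SID buffers are sized with SECURITY_MAX_SID_SIZE instead of the two-call pattern from slide 12, which is adequate here because that constant is the largest SID the API can return.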