Unit OS7: Security Unit OS7: Security
7.1. 7.1. The Security Problem The Security Problem
Copyright Notice Copyright Notice
© 2000-2005 David A. Solomon and Mark Russinovich
© 2000-2005 David A. Solomon and Mark Russinovich
These materials are part of the
These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,
System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E.
developed by David A. Solomon and Mark E.
Russinovich with Andreas Polze Russinovich with Andreas Polze
Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)
environments (and not for commercial use)
Roadmap for Section 7.1 Roadmap for Section 7.1
The Security Problem - a Definition The Security Problem - a Definition
Program & System Threats Program & System Threats
Security Ratings
Security Ratings
The Security Problem The Security Problem
System is secure if its resources are utilized and access System is secure if its resources are utilized and access is as intended under all circumstances is as intended under all circumstances
Security violations:
Security violations:
Unauthorized reading of data (theft of information) Unauthorized reading of data (theft of information)
Unauthorized modification of data Unauthorized modification of data
Unauthorized destruction of data Unauthorized destruction of data
Security measures:
Security measures:
Physical Physical
User authorization User authorization
Weakness at high-level security may circumvent low- Weakness at high-level security may circumvent low- level (operating system) measures
level (operating system) measures
Solving the Security Problem Solving the Security Problem
Access to a system (1) vs.
Access to a system (1) vs.
access to resources on a system (2) access to resources on a system (2)
(1) is solved through (1) is solved through
Authentication Authentication
Local or networked database of users Local or networked database of users
(2) is solved through (2) is solved through
Permissions Permissions
Mandatory vs. discretionary access control Mandatory vs. discretionary access control Capabilities vs. access control lists
Capabilities vs. access control lists
Authentication Authentication
Username/password, biometric ID, smartcards Username/password, biometric ID, smartcards
Special case of keys/capabilities Special case of keys/capabilities
System generated vs. User generated passwords System generated vs. User generated passwords (hard to remember/easy to guess)
(hard to remember/easy to guess)
Paired passwords: system selects one/user responds Paired passwords: system selects one/user responds appropriately
appropriately
How to store passwords securely How to store passwords securely
one-way functions executed on passwords one-way functions executed on passwords
easy to calculate but hard to invert easy to calculate but hard to invert
Shadow passwords Shadow passwords
restricted access to password files restricted access to password files
Security Ratings & Windows NT Security Ratings & Windows NT
Windows NT was designed to be secure from the start, which meant Windows NT was designed to be secure from the start, which meant aiming at achieving a security rating from a recognized rating
aiming at achieving a security rating from a recognized rating system
system
In 1981 the National Computer Security Center (NCSC In 1981 the National Computer Security Center (NCSC www.radium.
www.radium.nscnsc.mil/.mil/tpeptpep) was established as part of the US DoD’s ) was established as part of the US DoD’s NSA to help government, corporations and home users protect
NSA to help government, corporations and home users protect proprietary, confidential information
proprietary, confidential information
Part of the goal was to create security ratings, also known as the Part of the goal was to create security ratings, also known as the
“Orange Book”, which were defined in 1983
“Orange Book”, which were defined in 1983
A1A1 Verified DesignVerified Design B3B3 Security DomainsSecurity Domains
B2B2 Structured Protection (Trusted XENIX)Structured Protection (Trusted XENIX)
B1B1 Labeled Security Protection (HP-UX, Trusted Labeled Security Protection (HP-UX, Trusted IRIX, Tru64 UNIX)
IRIX, Tru64 UNIX)
C2C2 Controlled Access Protection (highest level Controlled Access Protection (highest level considered practical for general purpose OS) considered practical for general purpose OS) C1C1 Discretionary Access Protection (obsolete)Discretionary Access Protection (obsolete) DD Minimal Protection (e.g. DOS)Minimal Protection (e.g. DOS)
Security Ratings
Security Ratings
Windows Security Support Windows Security Support
Microsoft’s goal was to achieve C2, which Microsoft’s goal was to achieve C2, which
requires:
requires:
Secure Logon: NT provides this by requiring user name and Secure Logon: NT provides this by requiring user name and
password password
Discretionary Access Control: fine grained protection over Discretionary Access Control: fine grained protection over
resources by user/group resources by user/group
Security Auditing: ability to save a trail of important security Security Auditing: ability to save a trail of important security
events, such as access or attempted access of a resource events, such as access or attempted access of a resource
Object reuse protection: must initialize physical resources that Object reuse protection: must initialize physical resources that
are reused e.g. memory, files are reused e.g. memory, files
Windows Certification Windows Certification
Certifications achieved:
Certifications achieved:
Windows NT 3.5 (workstation and server) with SP3 earned C2 in Windows NT 3.5 (workstation and server) with SP3 earned C2 in
July 1995 July 1995
In March 1999 Windows NT 4 with SP3 earned e3 rating from In March 1999 Windows NT 4 with SP3 earned e3 rating from
UK’s Information Technology Security (ITSEC) – equivalent to C2 UK’s Information Technology Security (ITSEC) – equivalent to C2 In November 1999 NT4 with SP6a earned C2 in stand-alone and In November 1999 NT4 with SP6a earned C2 in stand-alone and
networked environments networked environments
Windows meets two B-level requirements:
Windows meets two B-level requirements:
Trusted Path Functionality: way to prevent trojan horses with Trusted Path Functionality: way to prevent trojan horses with
“secure attention sequence” (SAS) - Ctrl-Alt-Del
“secure attention sequence” (SAS) - Ctrl-Alt-Del
Trusted Facility Management: ability to assign different roles to Trusted Facility Management: ability to assign different roles to
different accounts different accounts
Common Criteria Common Criteria
New standard, called Common Criteria (CC), is the new standard for New standard, called Common Criteria (CC), is the new standard for software and OS ratings
software and OS ratings
Consortium of US, UK, Germany, France, Canada, and the Netherlands Consortium of US, UK, Germany, France, Canada, and the Netherlands in 1996
in 1996
Became ISO standard 15408 in 1999 Became ISO standard 15408 in 1999 For more information, see
For more information, see http://http://www.commoncriteriaportal.orgwww.commoncriteriaportal.org// and and http://
http://csrc.nist.govcsrc.nist.gov/cc/cc
CC is more flexible than TCSEC trust ratings, and includes concept of CC is more flexible than TCSEC trust ratings, and includes concept of Protection Profile to collect security requirements into easily specified Protection Profile to collect security requirements into easily specified and compared sets, and the concept of Security Target (ST) that
and compared sets, and the concept of Security Target (ST) that
contains a set of security requirements that can be made by reference contains a set of security requirements that can be made by reference to a PP
to a PP
Windows 2000 was certified as compliant with the CC Controlled Windows 2000 was certified as compliant with the CC Controlled Access Protection Profile (CAPP) in October 2002
Access Protection Profile (CAPP) in October 2002
Windows XP and Server 2003 are undergoing evaluation Windows XP and Server 2003 are undergoing evaluation
A Note About Physical Security A Note About Physical Security
Windows is definitely
Windows is definitely not secure if someone has physical access:not secure if someone has physical access:
At the minimum they can destroy data At the minimum they can destroy data
They can easily gain access to FAT/FAT32 files (by booting DOS) They can easily gain access to FAT/FAT32 files (by booting DOS) They can gain access to NTFS files with NTFSDOS or ERD
They can gain access to NTFS files with NTFSDOS or ERD Commander (or free Linux-based tools)
Commander (or free Linux-based tools)
Encryption (like EFS) is the only way to secure data on systems that can Encryption (like EFS) is the only way to secure data on systems that can have compromised physical security (like laptops)
have compromised physical security (like laptops)
On Windows 2000, must encrypt with domain credentials On Windows 2000, must encrypt with domain credentials
On Windows XP & higher, the local administrator account is no longer a recovery On Windows XP & higher, the local administrator account is no longer a recovery agent
agent
Since credentials are cached and can be cracked, must remove SAM's Since credentials are cached and can be cracked, must remove SAM's encryption key from system (use syskey level 1 or 2)
encryption key from system (use syskey level 1 or 2)
Further Reading Further Reading
Mark E. Russinovich and David A. Solomon, Mark E. Russinovich and David A. Solomon, Microsoft Windows Internals,
Microsoft Windows Internals,
4th Edition, Microsoft Press, 2004.
4th Edition, Microsoft Press, 2004.
Security (from pp. 485) Security (from pp. 485)
Ken Thompson, Reflections on Trusting Trust, Communication of Ken Thompson, Reflections on Trusting Trust, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.
the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.