Windows is the world’s most popular operating system and as such has a number of interesting security-related advantages and challenges. The major advantage is any security advancement made to Windows can protect hundreds of millions of nontechnical users, and advances in security technologies can be used by thousands of corporations to secure their assets. The challenges for Microsoft are many, including the fact that security vulnerabilities in Windows can affect millions of users. Of course, there is nothing unique about Windows having security vulnerabilities; all software products have security bugs. However, Windows is used by so many non-technical users that Microsoft has some interesting engineering challenges.
This chapter begins with a description the overall security architecture of Windows 2000 and later (Section 26.1). It is important to point out that versions of Windows based on the Windows 95 code base, including Windows 98, Windows 98 SE, and Windows Me, had no security model, in contrast to the Windows NT code base, on which all current versions of Windows are based. The Windows 9x codebase is no longer supported.
The remainder of the chapter covers the security defenses built into Windows, most notably the security defenses in Windows Vista and later.
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE
Anyone who wants to understand Windows security must have knowledge of the basic fundamental security blocks in the operating system. There are many important components in Windows that make up the fundamental security infrastructure, among them the following:
The Security Reference Monitor (SRM)
The Local Security Authority (LSA)
The Security Account Manager (SAM)
Active Directory (AD)
WinLogon and NetLogon
Let’s look at each in detail.
The Security Reference Monitor
This kernel-mode component performs access checks, generates audit log entries, and manipulates user rights, also called privileges. Ultimately, every permission check is performed by the SRM. Most modern operating systems include Security Reference Monitor type functionality that performs privileged permission checks. SRMs tend to be small in size so their correctness can be verified because no-one needs a bypass-able SRM!
The Local Security Authority
The Local Security Authority resides in a user-mode process named lsass.exe and is responsible for enforcing local security policy in Windows. It also issues security tokens to accounts as they log on to the system. Security policy includes:
Password policy, such as complexity rules and expiration times
Auditing policy, or which operations on what objects to audit
Privilege settings, or which accounts on a computer can perform privileged operations.
The Security Account Manager
The SAM is a database that stores accounts data and relevant security information about local principals and local groups. Note the term local. Windows has the notion of local and domain accounts. We will explain more about this later, but for now, note that Windows users can log on to a computer using either accounts that are known only on that particular computer or accounts that are managed centrally. When a user logs on to a computer using a local account, the SAM process (SamSrv) takes the logon information and performs a lookup against the SAM database, which resides in the Windows System32\config directory. If you’re familiar with UNIX, think /etc/passwd (or similar). If the credentials match, then the user can log on to the system, assuming there are no other factors preventing logon, such as logon time restrictions or privilege issues, which we discuss later in this chapter. Note that the SAM does not perform the logon; that is the job of the LSA. The SAM file is binary rather than text, and passwords are stored using the MD4 hash algorithm. On Windows Vista and later, the SAM stores password information using a password-based key derivation function (PBKCS), which is substantially more robust against password guessing attacks than MD4.
Note that WinLogon handles local logons at the keyboard and NetLogon handles logons across the network.
Active Directory (AD) is Microsoft’s LDAP directory included with Windows Server 2000 and later. All currently supported client versions of Windows, including Windows XP and Windows 7, can communicate with AD to perform security operations including account logon. A Windows client will authenticate using AD when the user logs on to the computer using a domain account rather than a local account. Like the SAM scenario, the user’s credential information is sent securely across the network, verified by AD, and then, if the information is correct, the user can log on at the computer. Note we say “credential” and not “password” because a credential might take some other form, such as a public and private key pair bound to an X.509 certificate on a smart card. This is why most corporate laptops include smartcard readers.
Local versus Domain Accounts
We used the terms local and domain. A networked Windows computer can be in one of two configurations, either domain joined or in a workgroup. When a computer is domain joined, users can gain access to that computer using domain accounts, which are centrally managed in Active Directory. They can, if they wish, also log on using local accounts, but local accounts may not have access to domain resources such as networked printers, Web servers, e-mail servers, and so on. When a computer is in a workgroup, only local accounts can be used, held in the SAM. There are pros and cons to each scenario. A domain has the major advantage of being centrally managed and as such is much more secure. If an environment has 1000 Windows computers and an employee leaves, the user’s account can be disabled centrally rather than on 1000 individual computers. Security policies, such as which applications are allowed to run, or who can debug applications, are also centrally managed when using AD. This is not only more secure, it saves time and effort as the number of ancillary computers rises.
The only advantage of using local accounts is that a computer does not need the infrastructure required to support a domain using AD.
As mentioned, Windows has the notion of a workgroup, which is simply a collection of computers connected to one another using a network; but rather than using a central database of accounts in AD, the machines use only local accounts. The difference between a workgroup and a domain is simply where accounts are authenticated. A workgroup has no domain controllers; authentication is performed on each computer, and a domain authenticates accounts at domain controllers running AD.
SIDEBAR: Using PowerShell for Security Administration
Windows 7 and Windows Server 2008 and later include an incredibly flexible scripting language named PowerShell. PowerShell provides rich access to Windows computers, and that includes access to security settings. Using PowerShell it is possible to create bespoke management tools for your organization. Throughout this chapter, we will give examples of using PowerShell to investigate or manipulate security related details. Note, in some cases, it might need to run an elevated PowerShell instance, one that runs as a privileged account, such as a domain or local administrator.
If you are new to PowerShell, there are three core things you need to know. They are:
PowerShell is based on .NET. If you can do it in C# or VB.NET, you can do it in a PowerShell environment.
Commands in PowerShell are called cmdlets, and have a consistent verb-noun syntax.
Like all scripting environments, PowerShell supports piping output from one command to another. But unlike other scripting environments, PowerShell pipes objects not text. This allows for very rich data processing, filtering and analysis. For example, the following pipes Process objects from get-process to format-table:
Get-Process | Format-Table
Or, you can stop all running Google Chrome (chrome.exe) processes by running:
Get-Process –name chrome | Stop-Process
This only works because Process objects, one for each Chrome instance, are sent to a cmdlet that calls the Stop method on a Process object.
You can get a list of object methods and properties by piping to the Get-Member cmdlet. For example, the following displays all the methods and properties associated with objects representing Windows: