Windows NT Workstation Security
Windows NT security features:
- Logon Characteristics:
- Mandatory Logon
- Restricted user mode - No user mode program can run during logon, so none can capture the name and password being typed.
- Physical logon - The CTRL-ALT-DEL sequence (the secure attention sequence) is trapped by the operating system and cannot be generated or intercepted by a user mode program, so it forces a genuine logon at the local keyboard.
- Memory protection
- Limited Network Access
NT security is enforced by the Security Reference Monitor, a component of the NT executive. When a user attempts to access a file, it checks that the user has permission before the access is allowed; when a user tries to run a program, and thus perform a function, it checks that the user has the right to do so. The term right refers to a user's ability to perform a function (such as backing up files or shutting down the system) and the term permission refers to a user's ability to access a resource such as a file or printer, but the two terms are sometimes used interchangeably.
The NT Logon process
Pressing CTRL-ALT-DEL in NT suspends the user mode desktop so that a trojan program cannot present a fake prompt and intercept the user's name and password during the logon process. No user mode program can run in the session until a valid logon has occurred; this is called restricted user mode. Because the key sequence is trapped by the keyboard driver and delivered only to the Winlogon process, software cannot simulate it, which is why it indicates that the keystrokes come from a physically connected keyboard. During logon, Winlogon collects the user's name, password and logon domain (the authority that will verify them) and passes them to the Local Security Authority (LSA) subsystem. The LSA checks the credentials against the Security Accounts Manager (SAM) database to see if the user is authentic. If so, the executive builds an access token for the user, which is returned to Winlogon and attached to every process the user starts.
Objects contain functions (services) and attributes (data). Every object has a type. Every resource or program is an object. Object types include:
- symbolic links
- Network shares
Each object has an Access Control List (ACL) that defines which users and groups have which permissions on the object. Each entry in the ACL (an ACE, Access Control Entry) names one user or group and the permissions it is allowed or denied. When the object is opened, the SIDs in the caller's access token are compared against the ACEs to decide whether the requested permissions are granted. The permissions granted at open time are fixed for the life of that handle: a handle opened for read and write cannot be used to delete the object; the object must be closed and reopened with delete permission requested.
The Security Access Token
The access token carries the attributes the system uses to verify a user's access to resources and programs and how much access is allowed. Attributes of the access token include:
- Security ID (SID) - the unique identifier of the user
- Group IDs - the SIDs of the groups the user belongs to
- User rights (privileges) - the system functions the user is allowed to perform
Account types and where they can be used:
                    Workgroup model    Domain model
  Account location  Local registry     SAM database on domain controller
  Account type      Local account      Global account
Local accounts are only used to access local resources on one machine. Global accounts may be used to access any resource in a domain where permission has been granted. In the workgroup model, when a user has an account on a local machine and an account on a remote machine, the user has a separate SID at each machine, so the SID from one machine cannot be used to log onto another. The user must log on separately to each remote machine and receives an access token for each machine they log on to.
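The access check described in the ACL, ACE and access token paragraphs above, together with the point just made about a separate SID per machine, as an added example in Python (not code from the original page): the token's SIDs are matched against the object's DACL in order, a matching deny entry refuses the request, and the access granted when an object is opened is all that handle ever has. The account names, the machine SIDs S-1-5-21-1-2-3 and S-1-5-21-9-9-9, the sample DACL and the access-mask bit values are constructed for illustration; only the BUILTIN group SIDs are real well-known values, and the check is a simplified model of what the Security Reference Monitor does, not its implementation.

```python
"""Toy model of the NT access check: an access token carrying the user's SID
and group SIDs is compared against an object's DACL, and the access granted
at open time is fixed for the life of the handle.  Added example, not code
from the original page.  Machine SIDs, account names, the sample DACL and the
mask bit values are constructed; only the BUILTIN group SIDs are real."""

from dataclasses import dataclass

# Illustrative access-mask bits; not the real Win32 constants.
READ = 0x1
WRITE = 0x2
DELETE = 0x4
ALL = READ | WRITE | DELETE

ADMINISTRATORS = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
USERS = "S-1-5-32-545"            # BUILTIN\Users
GUESTS = "S-1-5-32-546"           # BUILTIN\Guests


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee (user or group SID) this entry applies to
    mask: int   # access bits granted or denied


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def access_check(token, dacl, desired):
    """Walk the DACL in order.  A deny ACE matching a SID in the token refuses
    the request if it covers any still-ungranted bit; allow ACEs accumulate
    granted bits; the walk stops once every desired bit is granted.
    An empty DACL grants nothing."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


class Handle:
    """An open object: the access granted at open time is all it ever has."""
    def __init__(self, name, granted):
        self.name, self.granted = name, granted

    def can(self, op):
        return self.granted & op == op


def open_object(token, name, dacl, desired):
    """Request `desired` access; raise PermissionError if the DACL denies it."""
    if not access_check(token, dacl, desired):
        raise PermissionError(f"{name}: access denied (requested {desired:#x})")
    return Handle(name, desired)


# Constructed sample.  S-1-5-21-1-2-3 and S-1-5-21-9-9-9 stand in for the
# SIDs of two different machines; alice's local account exists only on the first.
ALICE = Token("S-1-5-21-1-2-3-1001", frozenset({USERS}))
GUEST = Token("S-1-5-21-1-2-3-501", frozenset({USERS, GUESTS}))
ALICE_ELSEWHERE = Token("S-1-5-21-9-9-9-1001", frozenset({USERS}))  # same name, other machine
REPORT_DACL = [
    Ace("deny", GUESTS, WRITE | DELETE),
    Ace("allow", ADMINISTRATORS, ALL),
    Ace("allow", USERS, READ | WRITE),
    Ace("allow", ALICE.user_sid, DELETE),   # granted to alice's local SID only
]


def delete_after_read_only_open(token=ALICE):
    """Open for READ, then ask the same handle for DELETE: it lacks DELETE even
    though a fresh open requesting DELETE would succeed for alice."""
    h = open_object(token, "report.doc", REPORT_DACL, READ)
    return h.can(READ), h.can(DELETE)


if __name__ == "__main__":
    print("alice read+write:", access_check(ALICE, REPORT_DACL, READ | WRITE))
    print("alice delete:", access_check(ALICE, REPORT_DACL, DELETE))
    print("guest write:", access_check(GUEST, REPORT_DACL, WRITE))
    print("alice's SID from the other machine, delete:",
          access_check(ALICE_ELSEWHERE, REPORT_DACL, DELETE))
    print("read-only handle (can read, can delete):", delete_after_read_only_open())
```

Run the file directly to print the results. The last case is the handle point from the text: alice can delete report.doc by opening it with DELETE requested, but not through a handle that was opened for READ; and the entry granting DELETE matches only the SID issued by the first machine, so the same user name on the other machine does not get it.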
Passwords and User Names
Passwords are case sensitive and can be up to 14 characters long. User names are not case sensitive and can be up to 20 characters long. User names cannot contain any of the following characters:
" \ / [ ] ; : = | . + ? * < >
- Access Permissions
- File level - The user must be authenticated with a user name and password before permissions on individual files are applied.
- User-level - The most secure, since it requires both a user name and password. I believe this type of security refers to user-level domain security, where all users are authenticated by the primary domain controller before being allowed access to network resources.
Another type of security often mentioned is share-level security. This is normally used for peer-to-peer resource sharing (as in Windows for Workgroups and Windows 95), where only a password is required to use the share. It is less secure than user- or file-level security.
Administrators can view the administrative shares from the Control Panel Server applet by selecting the "Shares" button; on NT Server, Server Manager can be used. Adding a $ to the end of a share name hides the share from browse lists, so anyone wishing to use it must know the share name.
- Admin$ - The directory where the system files were installed, usually C:\WINNT. Only administrators, backup operators and server operators can use this share remotely.
- drive$ - The root directory of every partition, shared as C$, D$ and so on. Only administrators, backup operators and server operators can use these shares remotely.
- IPC$ - The named-pipe share used for communication between systems and programs; it is connected whenever resources on another computer are accessed or administered.
- Netlogon - Present on domain controllers; used by the Net Logon service when authenticating domain users and holds logon scripts.
- Print$ - Provides shared printer support (the printer driver files).
- REPL$ - Used on NT Server for directory replication.