Chapter Six Windows XP Security and Access Controls

Chapter SixChapter Six

Windows XP Windows XP Security and Security and

Access ControlsAccess Controls

ObjectivesObjectives

Describe the Windows XP security Describe the Windows XP security model, and the key role of logon model, and the key role of logon authenticationauthentication

Customize the logon processCustomize the logon process Discuss domain security conceptsDiscuss domain security concepts Understand the Local Computer Understand the Local Computer

PolicyPolicy

ObjectivesObjectives

Enable and use auditingEnable and use auditing Encrypt NTFS files, folders, or Encrypt NTFS files, folders, or

drives using the Encrypted File drives using the Encrypted File System (EFS)System (EFS)

Understand and implement Internet Understand and implement Internet securitysecurity

The Windows XP Security The Windows XP Security ModelModel

Windows XP Professional can establish Windows XP Professional can establish local security when used as a standalone local security when used as a standalone system, or participate in system, or participate in domain domain securitysecurity

Domain securityDomain security Control of user accounts, group memberships, Control of user accounts, group memberships,

and resource access for all members of a and resource access for all members of a networknetwork

PasswordPassword Unique string of characters that must be Unique string of characters that must be

provided before logon or an access is provided before logon or an access is authorizedauthorized

The Windows XP Security The Windows XP Security ModelModel

A user who successfully logs on A user who successfully logs on receives and receives and access tokenaccess token

ProcessProcess Primary unit of execution in the Windows Primary unit of execution in the Windows

XP operating system environmentXP operating system environment Access control list (ACL)Access control list (ACL)

List of security identifiers that are List of security identifiers that are contained by a resource objectcontained by a resource object

Logon AuthenticationLogon Authentication

The logon process has two The logon process has two components:components: IdentificationIdentification

Requires that a use supply a valid account Requires that a use supply a valid account name (and in a domain environment, the name (and in a domain environment, the name of the domain to which that name of the domain to which that user user accountaccount belongs) belongs)

AuthenticationAuthentication Means that a user must use some method to Means that a user must use some method to

verify his or her identityverify his or her identity


An access token includes all security An access token includes all security information pertaining to that user, including information pertaining to that user, including the user’s the user’s security ID (SID)security ID (SID) and SIDs for and SIDs for each of the groups to which the user belongseach of the groups to which the user belongs

An access token includes the following An access token includes the following components:components: Unique SID for the accountUnique SID for the account List of groups to which the user belongsList of groups to which the user belongs List of rights and privileges associated with the List of rights and privileges associated with the

specific user’s accountspecific user’s account


Access to the system is allowed only Access to the system is allowed only after the user receives the access tokenafter the user receives the access token

Each access token is created for one-Each access token is created for one-time use during the logon processtime use during the logon process

Once constructed, the access token is Once constructed, the access token is attached to the user’s attached to the user’s shellshell process process

ObjectsObjects

In Windows XP, access to individual In Windows XP, access to individual resources is controlled at the object resources is controlled at the object levellevel

ObjectObject Everything within the Windows XP Everything within the Windows XP

operating environment is an objectoperating environment is an object Objects include files, folders, shares, Objects include files, folders, shares,

printers, processes, etc.printers, processes, etc.

Access ControlAccess Control

The Windows XP logon procedure The Windows XP logon procedure provides security through the use of provides security through the use of the following:the following: Mandatory logonMandatory logon Restricted user modeRestricted user mode Physical logonPhysical logon User profilesUser profiles

Customizing the Logon Customizing the Logon ProcessProcess

The The WinLogonWinLogon process can be process can be customized to display some or all of the customized to display some or all of the following characteristics:following characteristics: Retain or disable the last logon name enteredRetain or disable the last logon name entered Add a logon security warningAdd a logon security warning Change the default shellChange the default shell Enable/Disable the WinLogon Shutdown Enable/Disable the WinLogon Shutdown

buttonbutton Enable automated logonEnable automated logon

Customizing the Logon Customizing the Logon ProcessProcess

Figure 6-1: The WinLogon key viewed through Regedit

Disabling the Default Disabling the Default UsernameUsername

By default, the logon window displays By default, the logon window displays the name of the last user to log onthe name of the last user to log on

It is possible to change the default by It is possible to change the default by altering the value of its associated altering the value of its associated Registry key or Local Security Policy Registry key or Local Security Policy valuevalue

Disabling the default username option Disabling the default username option presents a blank username field at the presents a blank username field at the logon promptlogon prompt

Adding a Security Adding a Security Warning MessageWarning Message

Depending on your organization’s security Depending on your organization’s security policy, you might be legally obligated to policy, you might be legally obligated to add a warning message that appears add a warning message that appears before the logon prompt is displayedbefore the logon prompt is displayed

Two Registry or Local Security Policy Two Registry or Local Security Policy values are involved in this effort:values are involved in this effort: LegalNoticeCaptionLegalNoticeCaption LegalNoticeTextLegalNoticeText

Changing the ShellChanging the Shell

The default shell is Windows The default shell is Windows ExplorerExplorer

You can change the shell to a custom You can change the shell to a custom or third-party application depending or third-party application depending on the needs or security policy of on the needs or security policy of your organizationyour organization

Disabling the Shutdown Disabling the Shutdown ButtonButton

By default, the Windows XP logon By default, the Windows XP logon window includes a Shutdown buttonwindow includes a Shutdown button

However, in an environment in which However, in an environment in which users have access to the keyboard and users have access to the keyboard and mouse on a Windows XP machine, this mouse on a Windows XP machine, this option has the potential for unwanted option has the potential for unwanted system shutdownssystem shutdowns Fortunately, this option can be disabledFortunately, this option can be disabled

Automating LogonsAutomating Logons

To set up an automated logon, the To set up an automated logon, the following Registry value entries must be following Registry value entries must be defined and set within the defined and set within the HKEY_LOCAL_MACHINE\SOFTWARE\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Microsoft\Windows NT\CurrentVersion\Winlogon key:Winlogon key: DefaultDomainNameDefaultDomainName DefaultUserNameDefaultUserName DefaultPasswordDefaultPassword AutoAdminLogonAutoAdminLogon

Automatic Account Automatic Account LockoutLockout

Disables a user account if a predetermined Disables a user account if a predetermined number of failed logon attempts occur within a number of failed logon attempts occur within a specified time limitspecified time limit

This feature is intended to prevent intrusion by This feature is intended to prevent intrusion by unauthorized users attempting to gain access unauthorized users attempting to gain access by guessing a password or launching a by guessing a password or launching a dictionary attackdictionary attack

The default setting in Windows XP is to allow The default setting in Windows XP is to allow an unlimited number of failed access attempts an unlimited number of failed access attempts to a user account without locking out that to a user account without locking out that accountaccount

Domain Security Domain Security Concepts and SystemsConcepts and Systems

A A domaindomain is a collection of computers is a collection of computers with centrally managed security and with centrally managed security and activitiesactivities

Domain securityDomain security Control of user accounts, group memberships, Control of user accounts, group memberships,

and resource access for all members of a and resource access for all members of a networknetwork

Domain controllerDomain controller Windows 2000 .NET Server system with the Windows 2000 .NET Server system with the

Active Directory support services installed and Active Directory support services installed and configuredconfigured

Kerberos and Kerberos and Authentication ServicesAuthentication Services

Kerberos version 5Kerberos version 5 An authentication encryption protocol An authentication encryption protocol

employed by Windows XP to protect employed by Windows XP to protect logon credentialslogon credentials

Network authenticationNetwork authentication Act of connecting to or accessing Act of connecting to or accessing

resources from some other member of resources from some other member of the domain networkthe domain network


The communications that occur The communications that occur during network authentication are during network authentication are protected by one of several methods, protected by one of several methods, including:including: Kerberos v5Kerberos v5 Secure Socket Layer/Transport Layer Secure Socket Layer/Transport Layer

Security (SSL/TLS)Security (SSL/TLS) NTLM (NT LAN Manager) authentication NTLM (NT LAN Manager) authentication

for compatibility with Windows NT 4.0for compatibility with Windows NT 4.0


Kerberos version 5 authenticationKerberos version 5 authentication Windows XP uses Kerberos version 5 as Windows XP uses Kerberos version 5 as

the primary protocol for authentication the primary protocol for authentication securitysecurity

Secure Socket Layer/Transport LayerSecure Socket Layer/Transport Layer Authentication scheme often used by Authentication scheme often used by

Web-based applications and is supported Web-based applications and is supported on Windows XP through IISon Windows XP through IIS

SSL functions by issuing an identity SSL functions by issuing an identity certificatecertificate to both the client and serverto both the client and server


NTLM (NT LAN Manager) NTLM (NT LAN Manager) authenticationauthentication Mechanism used by Windows NT 4.0Mechanism used by Windows NT 4.0 Windows XP supports this authentication Windows XP supports this authentication

method solely for backward compatibility method solely for backward compatibility with Windows NT Servers and Windows with Windows NT Servers and Windows NT Workstation clientsNT Workstation clients

NTLM is significantly less secure than NTLM is significantly less secure than Kerberos version 5Kerberos version 5

Local Computer PolicyLocal Computer Policy

Combination of controls that in Windows Combination of controls that in Windows NT existed only in the Registry, through NT existed only in the Registry, through system policies, or as Control Panel applet system policies, or as Control Panel applet controlscontrols

Sometimes the local computer policy is Sometimes the local computer policy is called a software policy or an called a software policy or an environmental policy or even a Windows XP environmental policy or even a Windows XP policypolicy No matter what name is actually used, the local No matter what name is actually used, the local

computer policy is simply the local system’s computer policy is simply the local system’s group policygroup policy

Local Computer PolicyLocal Computer Policy

Figure 6-2: MMC with Group Policy snap-in displaying Local Computer Policy with Security Settings selected on

a Windows XP Professional System

Computer ConfigurationComputer Configuration

There are three purposes for using the There are three purposes for using the public key policiespublic key policies:: To offer additional controls over the EFSTo offer additional controls over the EFS To enable the issuing of certificatesTo enable the issuing of certificates To allow you to establish trust in a To allow you to establish trust in a

certificate authoritycertificate authority


IP Security (IPSec)IP Security (IPSec) Security measure added to TCP/IP to Security measure added to TCP/IP to

protect communications between two protect communications between two systems using that protocolsystems using that protocol

Negotiates a secure encrypted Negotiates a secure encrypted communications link between a client and communications link between a client and server through public and private server through public and private encryption key managementencryption key management

Can be used over a RAS or WAN link Can be used over a RAS or WAN link (through L2TP) or within a LAN(through L2TP) or within a LAN


The controls available through the The controls available through the Administrative Templates folder Administrative Templates folder include:include: Controlling security and software Controlling security and software

updates for Internet Explorerupdates for Internet Explorer Controlling access and use of the Task Controlling access and use of the Task

Scheduler and Windows InstallerScheduler and Windows Installer Controlling logon security features and Controlling logon security features and

operationsoperations Controlling disk quotasControlling disk quotas


The controls available through the The controls available through the Administrative Templates folder Administrative Templates folder include (cont.):include (cont.): Managing how group policies are Managing how group policies are

processedprocessed Managing system file protectionManaging system file protection Managing offline access of network Managing offline access of network

resourcesresources Controlling printer use and functionControlling printer use and function

User ConfigurationUser Configuration

The items contained in the User The items contained in the User Configuration’s Administrative Configuration’s Administrative Templates section include:Templates section include: Internet Explorer configuration, interface, Internet Explorer configuration, interface,

features, and function controlsfeatures, and function controls Windows Explorer management (interface, Windows Explorer management (interface,

available commands, features)available commands, features) MMC ManagementMMC Management Task Scheduler and Windows Installer Task Scheduler and Windows Installer

controlscontrols


The items contained in the User The items contained in the User Configuration’s Administrative Configuration’s Administrative Templates section include (cont.):Templates section include (cont.): Start menu and Taskbar features Start menu and Taskbar features

managementmanagement Desktop environment managementDesktop environment management Control Panel applet managementControl Panel applet management Offline network access controlOffline network access control


The items contained in the User The items contained in the User Configuration’s Administrative Configuration’s Administrative Templates section include (cont.):Templates section include (cont.): Network connection managementNetwork connection management Logon and logoff script managementLogon and logoff script management Group Policy applicationGroup Policy application


Figure 6-3: The Explain tab of a Local Computer Policy control dialog box


The Policy tab on the Properties The Policy tab on the Properties dialog box for each control offers dialog box for each control offers three settings:three settings: Not configuredNot configured EnabledEnabled DisabledDisabled

AuditingAuditing

AuditingAuditing Security process that records the Security process that records the

occurrence of specific operating system occurrence of specific operating system eventsevents in a Security log in a Security log

Event ViewerEvent Viewer Utility that maintains application, Utility that maintains application,

security, and system event logs on your security, and system event logs on your computercomputer

AuditingAuditing

Figure 6-4: The Security Log viewed through the Event Viewer

AuditingAuditing

Figure 6-5: The security log event detail

Encrypted File System Encrypted File System (EFS)(EFS)

Allows you to encrypt data stored on Allows you to encrypt data stored on NTFS driveNTFS drive

When EFS is enabled on a file, When EFS is enabled on a file, folder, or drive, only the enabling folder, or drive, only the enabling user can gain access to the user can gain access to the encrypted objectencrypted object

EFS uses a public and private key EFS uses a public and private key encryption methodencryption method

Internet SecurityInternet Security

Connecting to the Internet requires that Connecting to the Internet requires that you accept some riskyou accept some risk

Most of the security features used to Most of the security features used to protect data within a LAN or even on a protect data within a LAN or even on a standalone system can also be leveraged standalone system can also be leveraged to protect against Internet attacksto protect against Internet attacks

As well, Microsoft has added the As well, Microsoft has added the Internet Connection Firewall (ICF) to Internet Connection Firewall (ICF) to Windows XPWindows XP

Chapter SummaryChapter Summary

Windows XP has object-level access controls Windows XP has object-level access controls that provide the foundation on which all that provide the foundation on which all resource access restresource access rest

The Windows XP logon process strictly The Windows XP logon process strictly controls how users identify themselves and controls how users identify themselves and log onto a Windows XP machinelog onto a Windows XP machine

Likewise, WinLogon’s protected memory Likewise, WinLogon’s protected memory structures keep this all-important gatekeeper structures keep this all-important gatekeeper function from being replaced by would-be function from being replaced by would-be system crackerssystem crackers

Chapter SummaryChapter Summary

WinLogon also supports a number of WinLogon also supports a number of logon controlslogon controls

Key Local Computer Policy settings can Key Local Computer Policy settings can be used to block unauthorized break-in be used to block unauthorized break-in attemptsattempts

The local computer policy controls many The local computer policy controls many aspects of the security system as well as aspects of the security system as well as enabling or restricting specific functions enabling or restricting specific functions and features of the operating systemand features of the operating system

Documents

Chapter Six Windows XP Security and Access Controls