Microsoft Windows Security Architecture Flashcards
Security Architecture - Security Reference Monitor:
The SRM defines the access token data structure, performs access control on objects, manipulates privileges and emits audit records
Security Architecture - Local Security Authority:
The LSA subsystem is a user-mode process and maintains the local system security policy
Security Architecture - LSASS Policy Database:
Loaded from the registry, includes Active Directory and server trust settings and access rights, will also contain domain logon keys
Security Architecture - Security Accounts Manager:
The SAM service manages local user and group names
Security Architecture - Active Directory:
When running, operates in the LSASS process alongside the SAM and LSA
Security Architecture - Authentication Packages:
Extensions to basic authentication mechanisms, will run in the LSASS context and act as an authentication provider to the remainder of LSASS
Security Architecture - Winlogon:
The interactive login user-mode component responding to the System Attention Sequence (SAS) and creating a user’s first process
Security Architecture - LogonUI:
The Logon User Interface is a user-mode process presenting a visual interface for authentication, but interfaces with different credential providers
Security Architecture - Credential Providers:
COM objects running within the LogonUI process once Winlogon has triggered LogonUI after a SAS event
Security Architecture - Netlogon:
Sets up a secure channel to an Active Directory or legacy Domain Controller for interactive authentication
Security Architecture - KSecDD:
The Kernel Security Device Driver is a library of components implementing local procedure call interfaces to other kernel-mode security components, e.g. the Encrypting File System
The object-based design of Windows allows handling of most entities within the operating system as objects…
This includes all system resources exposed to user mode. Objects are accessed via the Object Manager, which maintains namespaces and handles, the latter on a per-process basis. Any access requires the specification of the desired access rights when the handle is created.
Windows Security Identifiers (SIDs) are unique…
On installation each machine is issued with a SID. Accounts and other entities then derive their SIDs from this machine SID. In the case of domain accounts, the relative identifiers (RIDs) are based on the SID of the domain controller. Some RIDs are pre-defined for special roles and groups; these are the well-known SIDs
Machines can be cloned, although for proper operations…
The SID will need to be adjusted after cloning
Winlogon creates a unique ephemeral SID for each interactive login session, called a logon SID…
This can be used to generate a unique access token, which is then tied to the interactive window station and desktop. The SID for a logon session is fixed, but the RID is randomly generated
SIDs are also used to specify integrity levels. These range from…
Untrusted via Low, Medium to High and System
Tokens exist to identify the security contexts of processes and threads and also include session identifiers, privileges, group accounts, integrity levels and the UAC virtualisation state…
Initial tokens are created on logon and are inherited but can be modified or filtered. In addition to inheritance, Windows frequently uses Impersonation to temporarily change security contexts
Auditing Mechanism - The Object Manager:
May generate audit records
Auditing Mechanism - Kernel-Level Code:
Can always generate audit records
Auditing Mechanism - User-Level Code:
Can generate audit records, but must have the appropriate privilege set in an object’s SACL
Audit behaviour is then controlled by the Local Security Policy maintained by the LSASS and executed by the SRM, the SRM…
Generates audit events and sends them to LSASS via ALPC
Auditing Mechanism - The LSASS receives…
Audit records, formats and amends them and forwards them to the Event Logger
Virtualisation can be considered as the…
Construction of an isomorphism from guest to host state
Hardware must assist VM monitor in insulating virtual machines…
Any direct VM access to physical hardware would allow the VM to violate isolation boundaries
Virtualisation Requirements:
- All guest access to the virtual system's instruction set architecture must be emulated by a monitor in software
- Guest system state must be kept in memory
- Guest system instructions must be implemented as functions within the VM monitor
Virtualisation Approaches - Objective of CPU Virtualisation:
- Process all unprivileged instructions unchanged
- Emulate all privileged instructions
Virtualisation Approaches - Trap and Emulate:
- Privileged instructions from guest VM cause privileged state trap
- A processor is only virtualisable if all instructions either execute normally or if privileged, trap.
Virtualisation Approaches - Problems with Trap and Emulate:
- Not every instruction set architecture supports this
- Cost of traps can be high, particularly in ISAs requiring “deep” pipelines
- The VM monitor requires use of a privileged level for trapping
Virtualisation Approaches - Binary Translation:
- Code is analysed a priori or on the fly and translated
- Privileged instructions are substituted with code causing the desired effect in the mapped state: This does not affect the state of the physical hardware
Virtualisation Approaches - Challenges for Binary Translation:
- Complex ISAs have internal state which needs to be maintained: Particularly problematic for viewing translation cache indices not normally visible to software
- Synchronisation of the program counter (PC) upon interrupts
- Handling of self-modifying code
Virtualisation generally provides the guest system with:
- Virtual memory environment
- Device drivers or virtual devices, multiplexing physical hardware or emulating devices
- Images of one or more file systems
Interactions among the host system, the virtualised system and device drivers may result in behaviour that is substantially different from that of a direct instantiation. Counter-forensics mechanisms make use of this to…
Detect if they are running inside a sandbox. Similar problems also arise for forensics of cloud-based systems, including modern PaaS environments
Microsoft Hyper-V…
- Virtualisation requires adaptation to the given hardware implementation via the HAL layer as access is now directed via Hyper-V
- Support is provided for operating efficiently as a hypervisor - in this case a Windows instance will operate as a parent partition, offering virtualisation services (VSP) to clients (VSC)
- The VMbus allows efficient inter-VM communication, but this can also be misused
- Optimisations allow a guest to detect that it is running in a client partition and adapt its behaviour accordingly, to avoid forcing the hypervisor to emulate inefficient behaviour
- This has been the major construction site for the server code
VMWare:
A common example of direct virtualisation supporting a number of client operating systems and running on a number of different host platforms. Some problems arise, e.g. from non-persistent virtual machines or branches of other machines
Xen:
An example of a paravirtualised environment: as this has explicit client-side support, it is trivial for anti-forensics software to detect. Can also run on top of a regular operating system with appropriate hardware support