Microsoft Windows Security Architecture Flashcards

1
Q

Security Architecture - Security Reference Monitor:

A

The SRM defines the access token data structure, performs access control on objects, manipulates privileges and emits audit records

2
Q

Security Architecture - Local Security Authority:

A

The LSA subsystem is a user-mode process and maintains the local system security policy

3
Q

Security Architecture - LSASS Policy Database:

A

Loaded from the registry; it includes Active Directory and server trust settings and access rights, and also contains the domain logon keys

4
Q

Security Architecture - Security Accounts Manager:

A

The SAM service manages local user and group names

5
Q

Security Architecture - Active Directory:

A

When running, operates in the LSASS process alongside the SAM and LSA

6
Q

Security Architecture - Authentication Packages:

A

Extensions to the basic authentication mechanisms; they run in the LSASS context and act as an authentication provider to the remainder of LSASS

7
Q

Security Architecture - Winlogon:

A

The interactive login user-mode component responding to the System Attention Sequence (SAS) and creating a user’s first process

8
Q

Security Architecture - LogonUI:

A

The Logon User Interface is a user-mode process that presents the visual interface for authentication and interfaces with the different credential providers

9
Q

Security Architecture - Credential Providers:

A

COM objects running within the LogonUI process once Winlogon has triggered LogonUI after a SAS event

10
Q

Security Architecture - Netlogon:

A

Sets up a secure channel to an Active Directory or legacy Domain Controller for interactive authentication

11
Q

Security Architecture - KSecDD:

A

The Kernel Security Device Driver is a library of components implementing local procedure call interfaces to other kernel-mode security components, e.g. the Encrypting File System

12
Q

The object-based design of Windows allows handling of most entities within the operating system as objects…

A

This includes all system resources exposed to user mode. Objects are accessed via the Object Manager, which maintains namespaces and handles, the latter on a per-process basis. Any access requires the desired access rights to be specified when the handle is created.

13
Q

Windows Security Identifiers (SIDs) are unique…

A

On installation each machine is issued with a SID. Accounts and other derivative entities are then derived from this source SID. In the case of domain accounts, the relative identifiers (RIDs) are based on that of the domain controller. Some RIDs are pre-defined for special roles and groups; these are the well-known SIDs

14
Q

Machines can be cloned, although for proper operations…

A

The SID will need to be adjusted after cloning

15
Q

Winlogon creates a unique ephemeral SID for each interactive login session, called a logon SID…

A

This can be used to generate a unique access token, which is then tied to the interactive window station and desktop. The SID prefix for a logon session is fixed, but the RID is randomly generated

16
Q

SIDs are also used to specify integrity levels. These range from…

A

Untrusted, via Low and Medium, to High and System

17
Q

Tokens exist to identify the security contexts of processes and threads and also include session identifiers, privileges, groups, accounts, integrity levels and the UAC virtualisation state…

A

Initial tokens are created on logon and are inherited, but can be modified or filtered. In addition to inheritance, Windows frequently uses impersonation to temporarily change security contexts

18
Q

Auditing Mechanism - The Object Manager:

A

May generate audit records

19
Q

Auditing Mechanism - Kernel-Level Code:

A

Can always generate audit records

20
Q

Auditing Mechanism - User-Level Code:

A

Can generate audit records, but must have the appropriate privilege set in an object’s SACL

21
Q

Audit behaviour is then controlled by the Local Security Policy, which is maintained by LSASS and executed by the SRM. The SRM…

A

Generates audit events and sends them to LSASS via ALPC

22
Q

Auditing Mechanism - The LSASS receives…

A

Audit records; it formats and amends them and forwards them to the Event Logger

23
Q

Virtualisation can be considered as the…

A

Construction of an isomorphism from guest to host state

24
Q

Hardware must assist the VM monitor in insulating virtual machines…

A

Any direct VM access to physical hardware would allow the VM to violate isolation boundaries

25
Q

Virtualisation Requirements:

A
  • All access to the virtual system's instruction set architecture by the guest must be emulated by the monitor in software
  • Guest system state must be kept in memory
  • Guest system instructions must be implemented as functions within the VM monitor

26
Q

Virtualisation Approaches - Objective of CPU Virtualisation:

A
  • Process all unprivileged instructions unchanged
  • Emulate all privileged instructions

27
Q

Virtualisation Approaches - Trap and Emulate:

A
  • Privileged instructions from the guest VM cause a trap into the privileged state
  • A processor is only virtualisable if every instruction either executes normally or, if privileged, traps

28
Q

Virtualisation Approaches - Problems with Trap and Emulate:

A
  • Not every instruction set architecture supports this
  • The cost of traps can be high, particularly in ISAs with “deep” pipelines
  • The VM monitor requires use of a privileged level for trapping

29
Q

Virtualisation Approaches - Binary Translation:

A
  • Code is analysed a priori or on the fly and translated
  • Privileged instructions are substituted with code causing the desired effect in the mapped state; this does not affect the state of the physical hardware

30
Q

Virtualisation Approaches - Challenges for Binary Translation:

A
  • Complex ISAs have internal state which needs to be maintained; this is particularly problematic for translation cache indices that are not normally visible to software
  • Synchronisation of the program counter (PC) upon interrupts
  • Handling of self-modifying code

31
Q

Virtualisation generally provides the guest system with:

A
  • A virtual memory environment
  • Device drivers or virtual devices, multiplexing physical hardware or emulating devices
  • Images of one or more file systems

32
Q

Interactions among the host system, the virtualised system and device drivers may result in behaviour that differs substantially from that of a direct (non-virtualised) instantiation. Counter-forensics mechanisms make use of this to…

A

Detect whether they are running inside a sandbox. Similar problems also arise in the forensics of cloud-based systems, including modern PaaS environments

33
Q

Microsoft Hyper-V…

A
  • Virtualisation requires adaptation to the given hardware implementation via the HAL layer, as access is now directed via Hyper-V
  • Support is provided for operating efficiently as a hypervisor; in this case a Windows instance operates as the parent partition, offering virtualisation service providers (VSP) to virtualisation service clients (VSC)
  • The VMBus allows efficient inter-VM communication, but this can also be misused
  • Optimisations allow a guest to detect that it is running in a client partition and adapt its behaviour accordingly, to avoid forcing the hypervisor to emulate inefficient behaviour
  • This has been the major construction site for the server code

33
Q

VMWare:

A

A common example of direct virtualisation supporting a number of client operating systems and running on a number of different host platforms. Some problems arise, e.g. from non-persistent virtual machines or branches (snapshots) of other machines

35
Q

Xen:

A

An example of a paravirtualised environment: as this has explicit client-side support, it is trivial for anti-forensics software to detect. It can also run on top of a regular operating system with appropriate hardware support