S23U14438 - Lecture 15 - OS Security

The document provides an overview of operating system security architectures for Windows and Linux. It discusses Windows security principles such as access control lists and access tokens. It also covers Linux security topics like discretionary access control and the security module. The document outlines password security vulnerabilities and best practices for policies. It defines host hardening as securing systems beyond out of the box configurations through actions like patching, service removal, and permission management.

Uploaded by sara hashemi

Operating System Security

Outline
- Windows OS security architecture
- Linux OS security architecture
- Password security
- Hardening hosts
WINDOWS SECURITY
High level review of Windows security architecture
Windows security

[Diagram: "Who accesses what?" The concepts shown are Principal, Object and SID; Access Token; ACE/ACL; Kerberos; and the problem of duplicate names.]
ACE / ACL
- Access Control List (just a list of ACEs)

[Diagram: an ACL on an object with ACEs for Bob Smith (SID), Domain Users, System and Admin; two entries are named Bob Smith, each with its own SID.]

See https://www.youtube.com/watch?v=Ed_2BKn3QR8
Unauthorised access
- How do we prevent unauthorised access?

[Diagram: an attacker claims "I'm Bob Smith, give me access" to a system whose ACL has entries for Bob Smith (SID), Domain Users, System and Admin.]

Access Token
- Preventing unauthorized access

[Diagram: the Domain Controller issues Bob Smith an access token containing his user SID and his group SIDs (Group 1 to Group 4); Bob Smith presents that token to the File Server.]
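A small model of the access check the two diagrams above describe, added here as an example (it is not code from the lecture): a token carries the user's SID and group SIDs, a DACL is an ordered list of ACEs, and the decision is made on SIDs, never on display names. The SIDs, rights and the "payroll" scenario are constructed for the example.

```python
# Added example, not from the lecture. Models the Windows access check:
# ACEs are evaluated in order; a matching deny on a still-wanted right stops
# the check, allows accumulate until every requested right is granted.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

class Ace:
    def __init__(self, kind, sid, mask):
        self.kind, self.sid, self.mask = kind, sid, mask   # kind: "allow" or "deny"

def access_check(token_sids, dacl, requested):
    """True if the token is granted every bit in `requested` by the DACL."""
    if dacl is None:                 # no DACL at all: Windows grants full access
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                 # matched on SID, never on the display name
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False             # a requested, not-yet-granted right is denied
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False                     # empty DACL, or no ACE covers the right

# Constructed scenario: two principals named "Bob Smith" with different SIDs.
BOB_HR = "S-1-5-21-1-1-1-1105"           # the Bob Smith in the diagram
BOB_CONTRACT = "S-1-5-21-1-1-1-2203"     # a different Bob Smith, same name
DOMAIN_USERS = "S-1-5-21-1-1-1-513"
ADMINS = "S-1-5-32-544"

PAYROLL_DACL = [
    Ace("deny", BOB_CONTRACT, WRITE),            # explicit denies come first
    Ace("allow", ADMINS, READ | WRITE | EXECUTE),
    Ace("allow", BOB_HR, READ | WRITE),
    Ace("allow", DOMAIN_USERS, READ),
]
token_bob_hr = {BOB_HR, DOMAIN_USERS}            # user SID plus group SIDs
token_bob_contract = {BOB_CONTRACT, DOMAIN_USERS}

if __name__ == "__main__":
    print("HR Bob read+write:", access_check(token_bob_hr, PAYROLL_DACL, READ | WRITE))
    print("Contract Bob write:", access_check(token_bob_contract, PAYROLL_DACL, WRITE))
```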
Kerberos
- Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.
- TGT (Ticket Granting Ticket): the ticket presented to the KDC to obtain the TGS. Encrypted with the KDC key.
- TGS (Ticket Granting Service): presented to the service in order to access the resources. Encrypted with the service key.
- PAC (Privilege Attribute Certificate): structure included in the TGS tickets that contains the user privileges.
Kerberos attacks
- Brute force attacks
  - Only requires visibility of the KDC.
- Pass the hash:
  - Reuse the user's hash to impersonate the user to the KDC.
  - Hashes can be dumped from SAM files, NTDS.DIT (on a DC) or LSASS.
- Pass the ticket:
  - Steal Kerberos tickets (TGS) by dumping them from the system.
  - Common tools used by attackers are Mimikatz and Rubeus.
  - High privileges are needed to dump all tickets on the system from the LSASS process.
Kerberos attacks II
- Golden ticket:
  - An attacker gains control over the Directory Key Distribution Service Account (KRBTGT), which allows forging valid TGTs.
- Kerberoasting:
  - TGS tickets come encrypted with the service key, which is derived from the NTLM hash of the account that runs the service, so offline password cracking is possible.
- ASREPRoast:
  - Its main goal is also offline password cracking. It leverages user accounts with the DONT_REQ_PREAUTH attribute: a KRB_AS_REQ can be created without knowing the user's credentials, and an attacker can obtain the KRB_AS_REP and crack it.
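Detection logic for the two offline-cracking techniques above, added here as an example (not code from the lecture): Kerberoasting shows up as one user obtaining RC4 service tickets (keyed from the NTLM hash, as described) for many service accounts, and ASREPRoast as TGTs issued without pre-authentication. The records are constructed; their field names follow the Windows Security log events 4769 (TGS request) and 4768 (TGT request), and the threshold of three services is an assumption.

```python
# Added example, not from the lecture. Runs over constructed 4768/4769 records.
from collections import defaultdict

RC4_HMAC = "0x17"      # Ticket Encryption Type for RC4-HMAC (key derived from NTLM hash)
PREAUTH_NONE = "0"     # 4768 Pre-Authentication Type 0: logon without pre-authentication

# Constructed sample records; field names follow the Security log, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sql01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def kerberoast_candidates(events, min_services=3):
    """Users that obtained RC4 service tickets for many distinct service accounts.
    The threshold is an assumption for this example; tune it per environment."""
    rc4_services = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e.get("Status") == "0x0"
                and e.get("TicketEncryptionType") == RC4_HMAC
                and not e["ServiceName"].endswith("$")):   # computer accounts: skip
            rc4_services[e["TargetUserName"]].add(e["ServiceName"])
    return {u: sorted(s) for u, s in rc4_services.items() if len(s) >= min_services}

def asreproast_candidates(events):
    """Accounts issued a TGT with no pre-authentication (the DONT_REQ_PREAUTH case)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("Status") == "0x0"
                   and e.get("PreAuthType") == PREAUTH_NONE})

if __name__ == "__main__":
    print("Kerberoasting candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("ASREPRoast candidates:", asreproast_candidates(SAMPLE_EVENTS))
```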
Active Directory
- Central database of usernames and passwords
- Similar to W10 'HomeGroup' (for small networks)
- Can be distributed globally
- Stores credentials and resources, e.g. printers, shares
- Stores Group Policy settings
- AD stores everything as an object
Active Directory
- Domain
  - A logical group sharing the same AD database
  - Contains AD objects
  - There can be trust between domains
  - Each domain has a Domain Controller
- Domain Controller
  - Holds a copy of the AD DB
  - The DC replicates changes to the other DCs on the network

See https://www.youtube.com/watch?v=OTpbQkW3kj4
LINUX SECURITY
High level review of Linux security architecture
Linux Security Transactions
Linux and DAC
- Typical Linux distributions use DAC (discretionary access control)
  - Examples: chmod, chown, chattr, setfacl
- System security is at the discretion of users and daemons
  - File permissions are set by the user
  - Directory access is defined by the application
- Compromised account = compromised security
  - System intrusion can lead to malware being installed and executed
Kernel Space and User Space
- Kernel space
  - Memory for the Linux kernel and its modules (e.g. device drivers)
- User space
  - Memory used by all other processes
- Since the kernel enforces Linux DAC [1] and security, it is extremely critical to isolate the kernel from user space
  - So kernel space is never swapped to disk
  - Only root may load and unload kernel modules

1 - A loadable module known as Security Enhanced Linux (SELinux) provides MAC support
Linux Security Module (LSM)
- The Linux kernel has LSM capability (since v2.6)
- LSM checks are enforced after the regular DAC checks
- LSM implements MAC
- Some examples are SELinux (label based) and AppArmor (path based)
PASSWORD SECURITY
Vulnerabilities, good practice and password policies
Password Locations
- Windows
  - Security Account Manager (SAM) file: C:\Windows\System32\Config\SAM
  - LSA (Local Security Authority) secrets: \HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
- Linux
  - Password and shadow files:
    - /etc/passwd: contains basic account details
    - /etc/shadow: contains the encrypted password
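An audit over the two Linux files just listed, added here as an example (not code from the lecture): it parses /etc/passwd and /etc/shadow records and reports the conditions a hardening review looks for, such as a second UID 0 account, an empty password field, or a legacy hash algorithm. The account lines and hash values are constructed placeholders.

```python
# Added example, not from the lecture. Audits constructed passwd/shadow lines.
# passwd fields: name:x:uid:gid:gecos:home:shell
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backdoor:x:0:0:helper:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:x:1001:1001:Old app:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
backdoor::19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
"""
STRONG_PREFIXES = ("$5$", "$6$", "$7$", "$y$")   # sha256, sha512, scrypt, yescrypt

def parse_colon_file(text):
    """Map account name -> list of fields, skipping blank and comment lines."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for the weaknesses a hardening review checks."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, f in passwd.items():
        if f[2] == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if f[1] != "x":
            findings.append((user, "password hash kept in world-readable /etc/passwd"))
        h = shadow[user][1] if user in shadow else "!"   # no shadow entry: treat as locked
        if h == "":
            findings.append((user, "empty password field: login without a password"))
        elif not (h.startswith(("*", "!")) or h.startswith(STRONG_PREFIXES)):
            findings.append((user, "weak or legacy hash algorithm"))   # e.g. $1$ (MD5)
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```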
Password Vulnerabilities
- Dictionary attack
- Brute force attack
- Rainbow table attack
- Social engineering
- Malware
- Offline cracking
- Offline forensics
- Guess
Password Vulnerabilities
Offline cracking
Popular cracking tools include:
- Brutus
- Rainbow Crack
- Medusa
- Cain & Abel
- John the Ripper
- THC Hydra
- AirCrack-NG
- 0phCrack
- L0phtcrack [1]
- Pwdump
- Tableau Password Recovery
- PRTK

1 - Just like 0phtcrack, but has brute force and dictionary capability too
Password Policies
- Best practices:
  - Aging
  - Reuse
  - History
  - Encryption
  - Length
  - Storage and protection
  - Complexity
  - Logon retries
  - Single sign-on
  - Blacklist, e.g. DOB

1 - https://www.dglegacy.com/
HARDENING HOSTS
Going beyond out of the box security
What is Hardening Host Computers?
- Out of the box, OSs such as Windows provide good security, but there are also many vulnerabilities!
- Hardening
  - Actions taken to make it hard for an attacker to successfully attack a host
- Organisations typically adopt a standard hardening methodology or a standard security baseline
- Different security baselines for different kinds of host, i.e.
  - Different OSs and versions
  - Different types of servers, e.g. web servers, mail servers
Security Baseline
- Different standards available:
  - OS vendors' baselines and tools
    - Microsoft Baseline Security Analyzer (MBSA) [1]
    - SCCM
  - Standards agencies' baselines
    - COBIT [2] Security Baseline [3]
    - CIS Benchmarks
  - Company's own security baselines

1. https://www.microsoft.com/en-gb/download/details.aspx?id=7558
2. Control Objectives for Information and Related Technology
3. http://www.isaca.org/COBIT/Pages/default.aspx
Elements of Hardening
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions
  - For individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly

(On the slide, the items from "Secure installation and configuration" to "Manage access permissions" are bracketed with the vertical label "According to baseline".)
OS Vulnerability test 2020
- Tools used to test vulnerabilities:
  - Scanning tools (Nessus [1])
  - Network mapping (Nmap [2])
  - National Vulnerability Database [3]
- Results
  - Microsoft's Windows, Oracle, IBM, Google and Apple's systems are rife with remotely accessible vulnerabilities and allow for executing malicious code
  - The UNIX and Linux variants present a much more robust exterior to the outside
  - Once patched and correctly configured, all systems were secure from the outside

1 - https://www.tenable.com/products/nessus-vulnerability-scanner
2 - https://nmap.org/
3 - https://web.nvd.nist.gov/view/vuln/statistics
4 - https://www.comparitech.com/blog/vpn-privacy/vendor-vulnerabilities/
Security Baseline for Win 10 Clients (Example)
- OS Installation
  - Single partition / NTFS file system / Win 7 Pro SP1
- Fixing OS vulnerabilities
  - Download and install the latest patches, enable Automatic Updates
- Configure Windows Firewall
  - Block incoming connections except Remote Assistance
- Turn off unnecessary services
  - Turn off FTP, telnet, USB (secure/sensitive data usage)
- Application Installation
  - Centrally assign applications using group policies
- Fixing applications' vulnerabilities
  - Enable application's automatics
UNIX / Linux Hardening
- Three ways to start services
  - inetd / systemd: a program used to start services when requests come in from users
  - rc scripts, to start services automatically at boot-up
  - Start a service manually by typing its name or executing a batch file that does so

inetd = Internet daemon, i.e. a computer program that runs in the background
UNIX / Linux Hardening
- Starting services upon client requests
  - Services not frequently used are dormant
  - Requests do not go directly to the service
  - Requests are sent to the inetd / systemd program, which is started at server boot-up

[Diagram: 1. Client request to port 123; 2. port 123 is handled by inetd; 3. inetd looks up Program C for that port; 4. inetd starts Program C to process this request.]

/etc/inetd.config (or /etc/systemd/) maps ports to programs:
  Port 23    Program A
  Port 80    Program B
  Port 123   Program C
  Port 1510  Program D
UNIX / Linux Hardening
- Turning on/off unnecessary services in UNIX
  - Identifying services running at any moment
    - ps lists running programs (incl. PID), e.g. ps -aux
    - netstat lists which services are running and on what ports
  - Turning off services in UNIX
    - The kill PID command is used to kill a particular process, e.g. kill 47 (if PID=47)
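The inetd configuration described in the last three slides, worked through as an added example (not code from the lecture): the parser reads constructed /etc/inetd.conf lines, distinguishes enabled entries from ones disabled by a leading "#", maps the service name to its port, and reports which enabled services are on the baseline's "turn off" list. The port table and the unnecessary-service list are assumptions embedded so it runs offline.

```python
# Added example, not from the lecture. Parses constructed /etc/inetd.conf lines.
# Entry layout: service socket_type protocol wait/nowait user server_program [args]
# inetd services are disabled by commenting the entry out with a leading '#'.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
daytime stream  tcp  nowait  root    internal
"""
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
# Port numbers as in /etc/services, embedded here so the example runs offline.
SERVICE_PORTS = {"daytime": 13, "ftp": 21, "ssh": 22, "telnet": 23, "finger": 79}
# Plaintext or legacy services the baseline above says to turn off (assumed list).
UNNECESSARY = {"ftp", "telnet", "finger", "daytime"}

def parse_inetd_conf(text):
    """Return one dict per service entry, including entries disabled with '#'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue                      # plain comment or malformed line
        entries.append({"service": fields[0], "port": SERVICE_PORTS.get(fields[0]),
                        "enabled": enabled, "program": " ".join(fields[5:])})
    return entries

def services_to_disable(text):
    """Enabled entries on the 'turn off' list, ordered by port."""
    flagged = [e for e in parse_inetd_conf(text)
               if e["enabled"] and e["service"] in UNNECESSARY]
    return sorted(flagged, key=lambda e: e["port"] or 0)

if __name__ == "__main__":
    for e in services_to_disable(SAMPLE_INETD_CONF):
        print(f"disable {e['service']} (port {e['port']}): {e['program']}")
```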
Review
- Windows OS security architecture
- Linux OS security architecture
- Password security
- Hardening hosts