
CH 15-Securing Windows Objects

Windows implements a comprehensive security model that allows fine-grained access control over objects like files, processes, and pipes. It uses security descriptors containing owner and group SIDs plus discretionary and system ACLs to specify access permissions. Programs can secure newly created objects by initializing security attributes and associating the appropriate security descriptor.

Uploaded by

Henra
Copyright
© Attribution Non-Commercial (BY-NC)

Ch 15 - Securing Windows Objects
• Security Attributes
• Security Overview: The Security Descriptor
– Access Control Lists
• Security Descriptor Control Flags
• Security Identifiers
• Managing ACLs
• Example: UNIX-Style Permission for NTFS Files
• Example: Initializing Security Attributes
• Reading and Changing Security Descriptors
• Example: Reading File Permissions
• Example: Changing File Permissions
• Securing Kernel and Communication Objects
• Example: Securing a Process and Its Threads
• Overview of Additional Security Features
• Windows supports a comprehensive security model that prevents unauthorized access to objects such as files, processes, and file mappings.
• Nearly all sharable objects can be protected, and the programmer has fine-grained control over access rights.
• Windows holds Common Criteria certification at Evaluation Assurance Level 4 (EAL-4), an internationally recognized evaluation standard.
Security Attributes
• This chapter explores Windows access control from the top down, showing how to construct an object’s security.
• In the case of files, it is also possible to use Windows
Explorer to examine and manage some file security
attributes.
• Any object created with a system call has a security
attributes parameter.
• Therefore, programs can secure files, processes,
threads, events, semaphores, named pipes, and so on.
• The first step is to include a SECURITY_ATTRIBUTES structure in the Create call.
• To implement security, the important element in the SECURITY_ATTRIBUTES structure is lpSecurityDescriptor, the pointer to a security descriptor, which describes the object’s owner and determines which users are allowed or denied various rights.
• An individual process is identified by its access
token, which specifies the owning user and
group membership.
• When a process attempts to access an object,
the Windows kernel can determine the
process’s identity using the token and can then
decide from the information in the security
descriptor whether or not the process has the
required rights to access the object.
• Set nLength to sizeof (SECURITY_ATTRIBUTES).
• bInheritHandle indicates whether or not the handle is inheritable by other processes.
Notes
• Using a standard install on a clean system,
inspect the permissions and access controls
placed on all resources owned by the system,
including files and registry keys.
• The permissions granted by the system's
default install should exactly match those put
forth by the resource specifier in the security
requirements, or from the global security
policy.
Security Overview: The Security Descriptor
• Analyzing the security descriptor gives a good overview of
essential Windows security elements.
• A security descriptor is initialized with the function InitializeSecurityDescriptor and contains the following:
– The owner security identifier (SID)
– The group SID
– A discretionary access control list (DACL), a list of entries explicitly granting and denying access rights
– A system ACL (SACL), sometimes called an “audit access ACL,” which controls audit message generation when programs access securable objects; you need system administrator rights to set the SACL
• SetSecurityDescriptorOwner and SetSecurityDescriptorGroup associate SIDs with the security descriptor.
• ACLs are initialized using the InitializeAcl function and are then associated with the security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl.
The Security Descriptor: Access Control Lists
• Each ACL is a set (list) of access control entries (ACEs). There are two types of ACEs: one for access allowed and one for access denied.
• Using Windows Object Security
• Object Rights and Object Access
– An object, such as a file, gets its security descriptor at creation time,
although the program can change the security descriptor at a later
time.
• Security Descriptor Initialization
– The first step is to initialize the security descriptor using the
InitializeSecurityDescriptor function. Set the pSecurityDescriptor
parameter to the address of a valid SECURITY_DESCRIPTOR structure.
Security Identifiers
• Windows uses SIDs to identify users and
groups.
• The program can look up a SID from the
account name, which can be a user, group,
domain, and so on. The account can be on a
remote system.
Managing ACLs
• This section shows how to manage ACLs, how
to associate an ACL with a security descriptor,
and how to add ACEs. Figure 15–1 shows the
relationships between these objects and
functions.
Example: UNIX-Style Permission for NTFS Files
• UNIX file permissions provide a convenient way to illustrate Windows security, even though Windows security is much more general than standard UNIX security.
• Quick review of UNIX file permissions:
– Every file has 9 permission bits, which are specified as
3 octal (base 8) digits.
• The 3 bits in each octal digit grant, or deny, read (high-
order bit), write, and execute (low-order bit) permission.
Read, write, and execute permissions are displayed as r,
w and x respectively. Execute rights are meaningful for
.exe and .bat files but not for .txt files.
• The 3 octal digits, from left to right, represent
rights given to the owner, the group, and to
everyone else.
• If you set the permissions to 640, the permissions are displayed as rw-r-----. The file owner can read and write the file, group members can read it, and everyone else has no access.
• The implementation creates nine ACEs to grant or deny read, write, and execute permissions to the owner, group, and everyone. There are two commands:
1. chmodW, which sets the permissions and is modeled after the UNIX chmod command.
2. lsfp, which displays the permissions along with other file information and is an extension of the lsW command.
Example: Initializing Security Attributes
• Program 15–3 shows the utility function InitializeUnixSA, which creates a security attributes structure with ACEs that emulate UNIX file permissions.
• Comments on Program 15–3:
– Several memory allocations are required to hold information such
as the SIDs.
– The security attribute structure in this example is for files, but it is
also used with other objects such as named pipes (Chapter 11).
– To emulate UNIX behavior, the ACE entry order is critical. Notice that access-denied and access-allowed ACEs are added to the ACL as the permission bits are processed from left (Owner/Read) to right (Everyone/Execute).
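The following is an added example, not code from the slides or from the book’s InitializeUnixSA program. It models, in portable C that runs without the Win32 API, the two points made in the UNIX-style permission example and in the comments on Program 15–3: how nine ACEs are generated from a 3-digit octal mode, left to right, and why that order matters once the DACL is walked. The TRUSTEE_* and RIGHT_* constants are constructed stand-ins for SIDs and FILE_GENERIC_* masks, and access_check is a small model of the documented AccessCheck walk (first matching denied ACE covering an ungranted right denies; allowed ACEs accumulate rights), not a call to the real function.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: real Windows uses SIDs and FILE_GENERIC_* masks. */
enum { RIGHT_READ = 4, RIGHT_WRITE = 2, RIGHT_EXEC = 1 };
enum { TRUSTEE_OWNER = 1, TRUSTEE_GROUP = 2, TRUSTEE_EVERYONE = 4 };
enum { ACE_ALLOWED = 0, ACE_DENIED = 1 };

typedef struct {
    int type;       /* ACE_ALLOWED or ACE_DENIED */
    int trustee;    /* one TRUSTEE_* value, standing in for a SID */
    unsigned mask;  /* one RIGHT_* bit */
} Ace;

#define UNIX_ACE_COUNT 9

/* Builds the nine ACEs in the order the slides describe: Owner/Read first,
   Everyone/Execute last. A set permission bit becomes an access-allowed ACE,
   a clear bit becomes an access-denied ACE. Returns the number of ACEs. */
int build_unix_acl(unsigned mode, Ace acl[UNIX_ACE_COUNT])
{
    static const int trustees[3] = { TRUSTEE_OWNER, TRUSTEE_GROUP, TRUSTEE_EVERYONE };
    static const unsigned rights[3] = { RIGHT_READ, RIGHT_WRITE, RIGHT_EXEC };
    int n = 0;
    for (int t = 0; t < 3; t++) {
        unsigned digit = (mode >> (3 * (2 - t))) & 7;   /* owner, group, everyone */
        for (int r = 0; r < 3; r++) {
            acl[n].trustee = trustees[t];
            acl[n].mask = rights[r];
            acl[n].type = (digit & rights[r]) ? ACE_ALLOWED : ACE_DENIED;
            n++;
        }
    }
    return n;
}

/* Same ACEs in reverse order (Everyone/Execute first); used below to show
   that the emulation breaks when the order is not preserved. */
int build_reversed_unix_acl(unsigned mode, Ace acl[UNIX_ACE_COUNT])
{
    Ace tmp[UNIX_ACE_COUNT];
    int n = build_unix_acl(mode, tmp);
    for (int i = 0; i < n; i++) acl[i] = tmp[n - 1 - i];
    return n;
}

/* Renders a mode such as 0640 as "rw-r-----", the form lsfp displays. */
const char *mode_string(unsigned mode)
{
    static char buf[10];
    const char symbols[3] = { 'r', 'w', 'x' };
    for (int i = 0; i < 9; i++)
        buf[i] = (mode & (1u << (8 - i))) ? symbols[i % 3] : '-';
    buf[9] = '\0';
    return buf;
}

/* Model of the DACL walk: ACEs are examined in order and only those whose
   trustee is in the token count. A denied ACE covering any right not yet
   granted ends the check with denial; allowed ACEs accumulate rights until
   every requested right is granted. Returns 1 if access is granted. */
int access_check(const Ace *acl, int count, int token_trustees, unsigned desired)
{
    unsigned granted = 0;
    for (int i = 0; i < count; i++) {
        if (!(acl[i].trustee & token_trustees)) continue;
        unsigned remaining = desired & ~granted;
        if (acl[i].type == ACE_DENIED) {
            if (acl[i].mask & remaining) return 0;
        } else {
            granted |= acl[i].mask & desired;
            if (granted == desired) return 1;
        }
    }
    return granted == desired;
}

/* Convenience wrappers: would a token holding these trustees get these
   rights under this mode, with the ACEs in the correct / reversed order? */
int unix_access_check(unsigned mode, int token_trustees, unsigned desired)
{
    Ace acl[UNIX_ACE_COUNT];
    return access_check(acl, build_unix_acl(mode, acl), token_trustees, desired);
}

int reversed_unix_access_check(unsigned mode, int token_trustees, unsigned desired)
{
    Ace acl[UNIX_ACE_COUNT];
    return access_check(acl, build_reversed_unix_acl(mode, acl), token_trustees, desired);
}

int main(void)
{
    unsigned mode = 0640;
    int owner = TRUSTEE_OWNER | TRUSTEE_GROUP | TRUSTEE_EVERYONE;  /* owner is also in group */
    int member = TRUSTEE_GROUP | TRUSTEE_EVERYONE;
    int other = TRUSTEE_EVERYONE;
    printf("mode %o -> %s\n", mode, mode_string(mode));
    printf("owner  read+write: %d  exec: %d\n",
           unix_access_check(mode, owner, RIGHT_READ | RIGHT_WRITE),
           unix_access_check(mode, owner, RIGHT_EXEC));
    printf("member read: %d  write: %d\n",
           unix_access_check(mode, member, RIGHT_READ),
           unix_access_check(mode, member, RIGHT_WRITE));
    printf("other  read: %d\n", unix_access_check(mode, other, RIGHT_READ));
    printf("owner read with reversed ACE order: %d\n",
           reversed_unix_access_check(mode, owner, RIGHT_READ));
    return 0;
}
```

With the ACEs in the slide’s order, the owner of a 640 file is granted read and write and denied execute, a group member is granted read only, and everyone else is denied. With the order reversed, the Everyone/Read denied ACE is reached before the Owner/Read allowed ACE, so even the owner is denied read: this is why the comment on Program 15–3 calls the entry order critical.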
Example: Reading File Permissions
• Program 15–4 is the function ReadFilePermission.
• This program methodically uses the preceding functions to extract the information.
Example: Changing File Permissions

• Program 15–5 is the function ChangeFilePermissions, which replaces the existing security descriptor with a new one, preserving the user and group SIDs but creating a new discretionary ACL.
Securing Kernel and Communication Objects
• This chapter is concerned mostly with file security, and the same techniques apply to other file-like objects, such as named pipes (Chapter 11), and to kernel objects.
Securing Named Pipes
• Optional command line parameters specify
the user and group name.
Server [UserName GroupName]
• If the user and group names are omitted,
default security is used.
Example: Securing a Process and Its Threads
• The OpenProcess documentation shows a fine-grained collection of access rights, which is appropriate considering the various functions that can be performed on a process handle.
• For example, PROCESS_TERMINATE access is required to terminate the process.
Overview of Additional Security Features
• There is much more to Windows security, but this chapter is an introduction, showing how to secure Windows objects using the security API. The following sections give a brief overview of additional security subjects that some readers will want to explore.
Summary
• Windows implements an extensive security model
that goes beyond the one offered by standard UNIX.
• Programs can secure all objects, not just files. The
example programs have shown how to emulate the
UNIX permissions and ownership that are set with the
umask, chmod, and chown functions.
• Programs can also set the owner (group and user). The
emulation is not easy, but the functionality is much
more powerful. The complexity reflects the complexity
of the requirements.
• That’s all.