
Windows Security

Date post: 19-Jan-2016
Upload: nami
Description:
Windows Security, by Archana Galipalli (PowerPoint presentation). Agenda: Windows Security; Windows Security and CLR; Implementing Windows Security for IIS; Configuring Security settings; DEMO: Bypass traverse checking; Token, Principal and Identity objects; DEMO: Accessing Token; DEMO: User Roles.
Transcript
Page 1: Windows Security

Windows Security

-- Archana Galipalli

Page 2: Windows Security

Agenda

• Windows Security
• Windows Security and CLR
• Implementing Windows Security for IIS
• Configuring Security settings
• DEMO: Bypass traverse checking
• Token, Principal and Identity objects
• DEMO: Accessing Token
• DEMO: User Roles
• Runtime security through Windows

Page 3: Windows Security

Why Windows security?

• To make applications more secure
• Configuring the system-level settings along with application-level settings

Page 4: Windows Security

Vulnerability Trends

[Figure: vulnerability trends. Layers shown: Physical, Network, OS, Application, Data, Browser, Logic/WebSvcs, Web Server. Labels: Vertical, Horizontal, "Decreasing – Leveling out", "Increasing".]

Page 5: Windows Security

Windows security and CLR

[Diagram labels: Administrator, User, Windows, .NET CLR, Protected resources, MMC Snap-ins, Database of accounts, Security Policy, Security Monitor, Logon authentication, .NET Configuration, Authorization, Authentication, .NET Application.]

Page 6: Windows Security

Implementing Windows Security

• Minimize services
• Define the user account for anonymous access
• Secure the file system
• Apply specific registry settings

Page 7: Windows Security

Securing file system

[Diagram: web content folders: wwwRoot, Executables, Scripts, Include, Static, Images.]

Page 8: Windows Security

Specific registry settings

• SynAttackProtect registry value: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
• TcpMaxPortsExhausted
• TcpMaxHalfOpen
• TcpMaxHalfOpenRetried

Page 9: Windows Security

Configuring Security settings

Configuring account policies
• Password policy
• Account lockout policy

Configuring Local Policies
• Audit policy
• User Rights Assignment
• Security Options

Page 10: Windows Security

Walkthrough to configure the Account policies and Local policies….

Page 11: Windows Security

Bypass traverse checking: will it work?

[Diagram: DirA, DirB, DirC, File.txt; User A.]

• User A has no rights to access folder A
• User A has full access to file file.txt

Page 12: Windows Security

Here goes the answer!

Page 13: Windows Security

Bypass traverse checking

Is the user checked for permissions???

Page 14: Windows Security

Token

Token unifies data about identity:
• User's SID
• Group SID
• Privileges

Every process has its own token representing the principal.

The first processes run on behalf of the SYSTEM account when the computer is started.

When a user logs on, the shell runs in user mode under a specific principal.
• WinLogon.exe (SYSTEM) starts the user's shell with the CreateProcessAsUser method => the user's token is then propagated to other processes

Page 15: Windows Security

What are Principal and Identity objects?

• WindowsIdentity: This object encapsulates the Windows login user name and the type of protocol adopted for authentication by Windows.
• GenericIdentity: also stores information about a user, but is used when an application needs to implement custom logon.
• GenericPrincipal: This object encapsulates the identity object and the role.
• WindowsPrincipal: also stores identity and the Windows group membership of the user.

Page 16: Windows Security

User Roles

• Acquiring the user's name.
• Displaying all the roles in which the user is a member.

Page 17: Windows Security

Accessing token

• Is the token in WindowsIdentity?
• Acquiring the token from a running process
• User's name and SID from GetTokenInformation
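
Added example, not part of the original slides or the presenter's demos: a C# console program that reads the current token through the managed WindowsIdentity and WindowsPrincipal classes described on the Token, Principal/Identity, User Roles and Accessing token slides. The names TokenInspector and Resolve are illustrative; privileges are not exposed by these classes and need the native GetTokenInformation call.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the slides). Windows only.
static class TokenInspector
{
    static void Main()
    {
        // GetCurrent() wraps the calling thread's impersonation token if one
        // is set, otherwise the token of the process.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("Name:           {0}", identity.Name);
            Console.WriteLine("Authentication: {0}", identity.AuthenticationType);
            Console.WriteLine("User SID:       {0}", identity.User);
            Console.WriteLine("Token handle:   0x{0:X}", identity.Token.ToInt64());
            Console.WriteLine("Impersonation:  {0}", identity.ImpersonationLevel);

            // Group SIDs carried in the token, resolved to account names.
            Console.WriteLine("Groups:");
            foreach (IdentityReference group in identity.Groups)
            {
                Console.WriteLine("  {0,-48} {1}", group.Value, Resolve(group));
            }

            // WindowsPrincipal answers role questions from the token's groups.
            // Under UAC a non-elevated process holds a filtered token, so
            // IsInRole(Administrator) is False even for an admin account.
            var principal = new WindowsPrincipal(identity);
            foreach (WindowsBuiltInRole role in Enum.GetValues(typeof(WindowsBuiltInRole)))
            {
                Console.WriteLine("IsInRole({0}): {1}", role, principal.IsInRole(role));
            }
        }
    }

    // SID -> DOMAIN\name; some SIDs (for example logon or capability SIDs)
    // have no account name, and a lookup can fail when no DC is reachable.
    static string Resolve(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return "(unmapped)"; }
        catch (SystemException) { return "(lookup failed)"; }
    }
}
```

Running it once from a normal prompt and once from an elevated prompt shows how the same account yields two different tokens and therefore different role answers.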

Page 18: Windows Security

Runtime security through Windows

• Increase Assembly Trust
• Adjust Zone Security
• Evaluate Assembly
• Create Deployment Package
• Reset All Policy Levels

Page 19: Windows Security

Walkthrough to configure the runtime security policies….


Page 21: Windows Security

Questions?

