Advanced Windows Security: User Identity
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker |
CHFI: Computer Hacking Forensic Investigator
[email protected] | www.sevecek.com |
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Courses at the GOPAS computer school
http://www.gopas.cz
GOC175 - Advanced Windows Security
GOC171 - Active Directory Internals and Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC169 - ISO 2700x in Windows Environment
CHFI - Computer Hacking Forensic Investigator
User identity, SID and access token
Advanced Windows Security
Windows Processes
Everything runs as a process
• some code runs in kernel mode, but mostly under the identity of the calling process
• interrupts, DPCs and the file cache execute without a user context
Every process runs under a user identity
• SYSTEM, Network Service, Local Service, local user, domain user
Access permissions are always checked
• there is no root superuser as in Unix
User Identity
User identity is represented as a SID
• NT Authority\SYSTEM = S-1-5-18
• NT Authority\Local Service = S-1-5-19
• NT Authority\Network Service = S-1-5-20
• BUILTIN\Administrators = S-1-5-32-544
• BUILTIN\Users = S-1-5-32-545
• local user = S-1-5-21-LocalSID-RID
• domain user = S-1-5-21-DomainSID-RID
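The SID string format above is regular enough to parse and classify. The following Python is an added example, not code from the slides: it splits a SID into revision, identifier authority and sub-authorities, encodes it into the binary layout a token stores, and tells a well-known SID, a BUILTIN group and an S-1-5-21 account apart. Since local and domain accounts share the S-1-5-21 prefix, the classifier takes the machine's own SID as a parameter (a constructed sample value here); the lookup tables are built from the SIDs on the slides plus the documented well-known RIDs 500/501/512/513.

```python
import re

# Lookup table constructed for this example from the SIDs named on the slides
# (the values are the documented well-known SIDs).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs with a fixed meaning under an S-1-5-21-... authority
# (500/501 exist on every machine and domain, 512/513 only in domains).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> dict:
    """Split 'S-R-A-X-Y-...' into revision, identifier authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > 15:  # Windows allows at most 15 sub-authorities
        raise ValueError("SID has more than 15 sub-authorities")
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def sid_to_binary(sid: str) -> bytes:
    """Encode the string form into the binary layout used inside a token:
    revision (1 byte), sub-authority count (1 byte), authority (6 bytes,
    big-endian), then each sub-authority as a 32-bit little-endian integer."""
    p = parse_sid(sid)
    out = bytes([p["revision"], len(p["subauthorities"])])
    out += p["authority"].to_bytes(6, "big")
    for sub in p["subauthorities"]:
        out += sub.to_bytes(4, "little")
    return out


def classify_sid(sid: str, local_machine_sid: str) -> dict:
    """Say what kind of principal a SID denotes. local_machine_sid is the
    machine's own S-1-5-21-... identifier (an assumed input; on a real host it is
    the local Administrator SID with the trailing RID removed)."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    result = {"sid": sid, "kind": "other", "name": WELL_KNOWN_SIDS.get(sid), "rid": None}
    if p["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21-<three 32-bit identifiers>-<RID>: a local or domain account
        issuer = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
        result["issuer"] = issuer
        result["rid"] = subs[4]
        result["kind"] = "local account" if issuer == local_machine_sid else "domain account"
        result["name"] = WELL_KNOWN_RIDS.get(subs[4])
    elif p["authority"] == 5 and len(subs) == 2 and subs[0] == 32:
        result["kind"] = "builtin group"
        result["rid"] = subs[1]
    elif result["name"] is not None:
        result["kind"] = "well-known"
    return result


if __name__ == "__main__":
    MACHINE = "S-1-5-21-1111-2222-3333"  # constructed sample machine SID
    for s in ["S-1-5-18", "S-1-5-32-544", MACHINE + "-500", "S-1-5-21-4444-5555-6666-512"]:
        print(s, classify_sid(s, MACHINE), sid_to_binary(s).hex())
```

The binary encoding is what PROCEXP and WHOAMI decode back to the S-1-... form; the RID table shows why an account's SID, not its display name, is what access checks compare.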
Every process gets its own copy of an Access Token
• list of the user's SID and the SIDs of the user's groups
• created by LSASS.exe (Local Security Authority)
Access Token
Memory structure that contains the user's SID and the SIDs of the user's groups
• identified by its Logon Session ID
Inherited by child processes
Cached in the registry after a successful interactive logon
• HKLM\Security\Cache
• Policy: Number of Previous Logons to Cache
Limited to 1025 SIDs
Access Token Cache Limit
Tools for Access Token
WHOAMI /ALL
• built into Vista/2008 and newer
• part of the Support Tools for 2003/XP and older
PROCEXP
• Process Explorer
• download from http://live.sysinternals.com
PSEXEC
• download from http://live.sysinternals.com
ADUC Attribute Editor
• Active Directory Users and Computers console
• Select View – Advanced Features
• Can show user and group SIDs in AD
System SIDs
Some SIDs are added automatically
• INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON
• Everyone, Authenticated Users, This Organization, NTLM Authentication
Everyone vs. Authenticated Users
Windows 2000
• Everyone = Authenticated Users + Anonymous Logon
Windows XP+
• Everyone = Authenticated Users
• can be changed back in security policy: Let Everyone permissions apply to Anonymous Users
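To make the effect of the automatic SIDs and of the Everyone policy concrete, here is an added Python model (not code from the slides): it builds the group list of a token the way the slides describe, enforces the 1025-SID limit, and runs a simplified canonical DACL walk against a constructed ACL that grants Read to Everyone. The logon-type SID values are the documented well-known ones; treating an RDP logon as carrying both INTERACTIVE and REMOTE INTERACTIVE LOGON, the toy access mask bits and all principals are assumptions of the example.

```python
from typing import Iterable, Sequence

# Well-known SIDs the slides say LSASS adds automatically
# (constructed table; values are the documented well-known SIDs).
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"
AUTHENTICATED_USERS = "S-1-5-11"
LOGON_TYPE_SIDS = {
    "interactive": ["S-1-5-4"],                      # INTERACTIVE
    "network": ["S-1-5-2"],                          # NETWORK
    "batch": ["S-1-5-3"],                            # BATCH
    "remote_interactive": ["S-1-5-4", "S-1-5-14"],   # modeled: RDP gets INTERACTIVE too
}
MAX_TOKEN_SIDS = 1025   # limit stated on the slide

READ, WRITE = 0x1, 0x2  # toy access-mask bits for the example


def build_token(user_sid: str, group_sids: Iterable[str], logon_type: str,
                everyone_includes_anonymous: bool = False) -> frozenset:
    """Simplified model of the SID list LSASS places in an access token.
    everyone_includes_anonymous=True models Windows 2000, or XP+ with the
    'Let Everyone permissions apply to anonymous users' policy enabled."""
    sids = {user_sid, *group_sids, *LOGON_TYPE_SIDS[logon_type]}
    anonymous = user_sid == ANONYMOUS_LOGON
    if not anonymous:
        sids.add(AUTHENTICATED_USERS)
    if not anonymous or everyone_includes_anonymous:
        sids.add(EVERYONE)
    if len(sids) > MAX_TOKEN_SIDS:
        raise ValueError(f"token would hold {len(sids)} SIDs, above the {MAX_TOKEN_SIDS} limit")
    return frozenset(sids)


def access_check(token: frozenset, dacl: Sequence[tuple], desired: int) -> bool:
    """Canonical DACL walk. ACEs are (type, sid, mask): a matching deny ACE that
    covers any desired bit fails the check, matching allow ACEs accumulate
    until every desired bit is granted. An empty DACL grants nothing here
    (a real NULL DACL would grant everything; not modeled)."""
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & desired:
            return False
        if ace_type == "allow":
            granted |= mask & desired
            if granted == desired:
                return True
    return granted == desired


def share_readable_by(user_sid: str, groups: Iterable[str], logon_type: str,
                      everyone_includes_anonymous: bool = False) -> bool:
    """Evaluate a constructed 'Everyone: Read' DACL for the given principal."""
    dacl = [("allow", EVERYONE, READ)]
    token = build_token(user_sid, groups, logon_type, everyone_includes_anonymous)
    return access_check(token, dacl, READ)


if __name__ == "__main__":
    user = "S-1-5-21-1-2-3-1105"  # constructed domain user SID
    print("domain user over the network:", share_readable_by(user, ["S-1-5-21-1-2-3-513"], "network"))
    print("anonymous, XP+ default:", share_readable_by(ANONYMOUS_LOGON, [], "network"))
    print("anonymous, 2000-style policy:",
          share_readable_by(ANONYMOUS_LOGON, [], "network", everyone_includes_anonymous=True))
```

The same "Everyone: Read" ACE thus admits an anonymous session only when the policy puts Anonymous Logon back under Everyone, which is the practical reason the XP+ default is the safer one; the logon-type SIDs in the token are also what let an ACL distinguish a console logon from a network one.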
Thank you for your attention