

Windows NT — Remote Access

Report highlights

the privileged operating system code. The two components, which ultimately control access to all system resources, the Security Reference Monitor and Object Manager, reside in Kernel Mode.

It is a fundamental security requirement for a Trusted Computer Security Evaluation Criteria (TCSEC) C2 evaluated system that access to the system is enforced by means of a mandatory logon (Identification and Authentication). In Windows NT, the logon process differs slightly depending on whether the user is attempting to log on to a local system (interactively) or to a remote system.

When attempting to log on to a local system, the following summarizes the main sequence of events:

• The user presses Ctrl+Alt+Delete and then provides a user name and password.

• The logon process hashes the password, using a LAN Manager One Way Function (OWF) and Windows NT OWF, and sends both to the Local Security Authority (LSA).

• The LSA runs the appropriate authentication package, which checks the Security Accounts Manager (SAM) database. If the user account details are found, and the hashed passwords match, the SAM returns the user's Security Identifier (SID) together with any group SIDs of which the user is a member.

• The authentication package then creates a logon session, and passes the SIDs to the LSA.

• The LSA creates a Security Access Token (SAT) using the SIDs returned by the authentication package and other built-in group SIDs.

In the case of a network logon, as would occur if the user was attempting to access a domain, the following summarizes the main sequence of events:

• The user presses Ctrl+Alt+Delete then provides a user name and password, together with the name of a domain against which the user wishes to be authenticated.

• The logon process hashes the password (as in the local logon) and sends both to the LSA.

• The LSA causes the NETLOGON process to establish a secure Remote Procedure Call (RPC) session with the chosen domain controller. The user details, but not the password, are forwarded to the domain controller.

• The domain controller and the client workstation then take part in an encrypted nonce-based authentication protocol.

• If the authentication is successful, the domain controller's authentication package returns the user's SID, and global group SIDs to the client workstation.

• The LSA creates a SAT, using the SIDs returned by the domain controller's authentication package.

The Local Security Authority (LSA) is one of the central components of the security subsystem. It is responsible for validating all local and remote user logons, generating security access tokens, managing the local security policy, including controlling the audit policy. It also has responsibility for writing any audit messages produced by the Security Reference Monitor to the event logs.

The Security Reference Monitor (SRM), which runs within the kernel, is responsible for enforcing all access validation and audit policies within the local security policy. As such it prevents direct access to objects by any user or process, and thereby ensures that any protection is provided uniformly to objects within the system.

The Object Manager is responsible for the naming, security, allocating and disposal of objects on the system. Objects include Directories, Symbolic links, Printers, Processes, Network shares, Ports, Devices, Windows, Files, and Threads.

The Security Account Manager is responsible for the control and maintenance of the SAM Database. The SAM Database is located in a part of the Registry which is not accessible to users during normal system operation. The SAM Database contains account information for all user and group accounts. The SAM database is unique to each Windows NT system, except in the case of all domain controllers within a particular domain. In this instance, the SAM database from the Primary Domain Controller (PDC) is replicated to all Backup Domain Controllers (BDCs). This allows any DC to respond to authentication requests.

Whilst access to the area of the Registry containing the SAM Database is still restricted to administrators, a copy of the relevant area is stored in the repair directory and is not sufficiently protected by default.

Discretionary Access Controls (DAC) provide object owners with the ability to control access to the object. It is a principle of DAC that, by default, the owner of an object (CREATOR/OWNER in NT terms) is the only person able to set access controls. Therefore, it is possible for a user to exclude the administrator from access to certain objects. The administrator always has the ability to take ownership of an object, but having done so, he cannot easily give it back to the original owner. Thus the act of taking ownership should be visible to the original owner. The administrator can of course always read the contents of a file by backing up the file first. This would leave no trace on the original file.

Windows NT uses Security Identifiers (SIDs) to uniquely identify users, groups, machines and domains within the system.

A Security Access Token (SAT), which is created by the LSA as part of the logon process, remains with the user for the length of their current logon session. When a user initiates a process during the course of the session, a copy of that token is attached to the process.

Windows NT — Remote Access, John Hayday.

All versions of Windows NT have shipped with an option to install Microsoft Remote Access Service (RAS). An extension to this service, including Multi-Protocol Routing support, was made available as the Routing and Remote Access Service (RRAS) in 1997. This article provides an overview of these two remote access options for Windows NT, together with an associated security protocol, the Point-to-Point Tunnelling Protocol (PPTP).

RAS permits the remote connection of two computers using the Public Switched Telephone Network (PSTN), X.25 or the Integrated Services Digital Network (ISDN). Connection using an RS-232C null modem cable is also possible. Connecting two Windows NT systems using one of these methods permits the use of all networked services available to a LAN connected user (including file and print sharing, database access and messaging), using standard tools.

In addition to the standard Windows NT logon and domain security measures, RAS supports the following additional security features:

• Authentication to the RAS Server.

• Call back.

• Data encryption.

• The ability to restrict RAS users to accessing the RAS server only.

• Support for third-party security hosts.

A high degree of security can only be obtained if clients are restricted to Windows NT systems, or additional third-party authentication and encryption products are used.

Information Security Technical Report. Prospectus

In the context of dial-up, if both client and server support Microsoft encrypted authentication, the Challenge Handshake Authentication Protocol (CHAP) will be used. This is the most secure form of authentication supported by RAS, and can be mandated by selecting "Require Microsoft encrypted authentication" if required. CHAP uses a challenge-response mechanism with one-way encryption. If the client does not support CHAP, the Shiva Password Authentication Protocol (SPAP) or Password Authentication Protocol (PAP) will be used. Requiring encrypted authentication will force the use of either CHAP or SPAP.
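The nonce-based challenge-response described for the domain logon above and for CHAP here, modelled as an added example that is not from the article: the password never crosses the link, the verifier holds only a one-way hash, and a fresh server nonce makes a captured response useless. The hash and proof functions (SHA-256, HMAC) are stand-ins for the real NT OWF and MS-CHAP arithmetic, the `SAM` store, user name and password are constructed, and the block also contrasts a one-way exchange with a mutual one to show what mutual authentication adds.

```python
import hashlib
import hmac
import os

def owf(password: str) -> bytes:
    """Stand-in one-way function. (The real NT OWF is MD4 over the UTF-16LE
    password; SHA-256 is used here so the example runs on the stdlib alone.)"""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def prove(secret: bytes, *parts: bytes) -> bytes:
    """Keyed one-way transform of challenge material under the OWF."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()

# Constructed SAM-style store: the verifier holds OWFs, never plaintext passwords.
SAM = {"alice": owf("correct horse battery")}

def honest_server(user: str, s_chal: bytes, c_chal: bytes, resp: bytes):
    """Checks the client's response against the stored OWF; on success it also
    returns its own proof of knowing that OWF (the mutual-authentication step)."""
    stored = SAM.get(user)
    if stored is None:
        return False, b""
    expected = prove(stored, s_chal, c_chal, user.encode())
    if not hmac.compare_digest(expected, resp):
        return False, b""
    return True, prove(stored, b"server", c_chal, resp)

def rogue_server(user: str, s_chal: bytes, c_chal: bytes, resp: bytes):
    """Accepts any response but, lacking the OWF, can produce no valid proof."""
    return True, b""

def logon(user: str, password: str, server, mutual: bool):
    """One exchange. Returns (server_accepted, client_satisfied)."""
    s_chal = os.urandom(16)   # server -> client: fresh nonce, so a replayed response fails
    c_chal = os.urandom(16)   # client -> server: the client's own nonce
    client_owf = owf(password)
    # client -> server: response bound to both nonces; the password never leaves the client
    resp = prove(client_owf, s_chal, c_chal, user.encode())
    accepted, s_proof = server(user, s_chal, c_chal, resp)
    if not mutual:
        # One-way (MS-CHAP v1 style): nothing for the client to check, so any
        # "accepted" is trusted, even from a server that knows no secret.
        return accepted, accepted
    # Mutual: the client verifies that the server also knows the OWF.
    want = prove(client_owf, b"server", c_chal, resp)
    return accepted, hmac.compare_digest(want, s_proof)
```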

Users can be granted dial-in permission and call back set on a per-user basis. Three options are available for call back:

• No callback. RAS will establish a connection as soon as the user's name and password are authenticated.

• Set by Caller. This offers no security, but is often used to minimize telephone charges for the caller.

• Preset to. RAS will establish a connection as soon as the user's name and password are authenticated by dropping the line and calling the user back on a pre-set number entered by the RAS Administrator. This offers the highest level of security and should be used where possible.

User accounts with administrative rights should not be given dial-in permission. Remember, even if dial-in users are restricted to accessing the RAS Server, users with administrative rights can change this. If administrative access is necessary via RAS, additional security measures, such as the use of a third-party one-time password system, should be considered.

The Point-to-Point Tunnelling Protocol (PPTP) serves to extend the authentication and encryption available under RAS to PPTP clients on the Internet. It allows a remote RAS client to dial a local Internet service provider and establish an Internet link to their corporate PPTP RAS server, thereby creating a Virtual Private Network (VPN) between the remote client and a PPTP server.

PPTP uses Microsoft's RAS or RRAS and the Point-to-Point Protocol (PPP) to establish connections with remote computers or networks. The PPP provides remote user authentication and data encryption between the PPTP client and server.

PPTP utilizes standard RAS data encryption methods. These use a symmetric 'shared secret' encryption process based on a 'secret' known to both client and server. The encryption key is derived from the user's hashed password, and the RSA RC4 algorithm is used to create a 40-bit session key. This key is used to encrypt all data in the PPTP packets, which are subsequently encapsulated in IP datagrams.

Following some concerns over the strength of the Microsoft implementation of PPTP, Microsoft has recently released an upgrade to both RRAS and PPTP. These address several security issues including: provision of mutual authentication (lacking in MS-CHAP v1), stronger data encryption keys, and different encryption keys for the transmit and receive paths. Version 2 will also not transmit the user's LAN Manager hashed password.
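Why separate transmit and receive keys matter, as an added illustration that is not from the article: a toy session derives one 40-bit RC4 key from a hashed password and uses it in both directions, so the two keystreams are identical and the XOR of the two ciphertexts equals the XOR of the two plaintexts, letting a known message in one direction expose the other. The RC4 routine is standard; `session_key` is a stand-in derivation (not the real MPPE one), and the hashed password and plaintexts are constructed.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by keystream generation (standard algorithm)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def session_key(password_owf: bytes, direction: bytes = b"") -> bytes:
    """40-bit (5-byte) session key derived from the user's hashed password.
    Stand-in derivation, not the actual MPPE one. An empty direction label
    models the original behaviour of one key for both transmit and receive."""
    return hashlib.sha256(password_owf + direction).digest()[:5]

def encrypt_session(owf: bytes, pt_client: bytes, pt_server: bytes, per_direction: bool):
    """Encrypt the opening bytes of each direction; returns (ct_client, ct_server)."""
    k_send = session_key(owf, b"send" if per_direction else b"")
    k_recv = session_key(owf, b"recv" if per_direction else b"")
    return (xor_bytes(rc4_keystream(k_send, len(pt_client)), pt_client),
            xor_bytes(rc4_keystream(k_recv, len(pt_server)), pt_server))

def ciphertexts_cancel(owf: bytes, pt_client: bytes, pt_server: bytes, per_direction: bool) -> bool:
    """True when ct_client XOR ct_server == pt_client XOR pt_server, i.e. the
    shared keystream cancels out and one known plaintext reveals the other."""
    ct_c, ct_s = encrypt_session(owf, pt_client, pt_server, per_direction)
    return xor_bytes(ct_c, ct_s) == xor_bytes(pt_client, pt_server)

# Constructed sample: a hashed-password stand-in and two equal-length plaintexts.
SAMPLE_OWF = hashlib.sha256(b"constructed password").digest()
CLIENT_PT = b"client hello message"
SERVER_PT = b"server reply message"
```

With `per_direction=False` the check returns True (the v1-style weakness); with distinct per-direction keys it returns False.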

Developing a Windows NT Security Policy, Ian White.

The choice of Windows NT as the strategic platform for the desktop and shared application server is becoming more widespread. A challenge for the security team is to provide guidelines on the minimum level of security controls that should be implemented on these systems. This article discusses some of the controls that might be expected to be included within such a Windows NT Security Policy (the policy).

Probably the most important consideration when developing a Windows NT Security Policy is to decide who the intended audience is and what they are expected to do with the policy. The level of detail that should be provided will change significantly between a policy supplied to all users and one that is targeted primarily at system administrators and other technical personnel. In many organizations the Windows NT Security Policy is itself treated as a restricted document, the concern being that the level of detail provided may highlight which security controls are implemented and which are not. As such the policy may prove a valuable source of information to any potential attacker.

An underlying assumption of the NT security model is that access to disks will only be through the Windows NT operating system. The physical protection of the Windows NT environment is an essential requirement to ensure that the security model may not be subverted or bypassed. Until the release of Windows NT 5.0 and the planned encrypted version of NTFS, all application and system data held on disk is unencrypted. Use of another operating system with a driver capable of understanding NTFS, for instance NTFSDOS, enables the user to bypass all NTFS permissions and read/copy any or all files and thereby gain access to the information. The policy should therefore provide for physical protection of all Windows NT systems, especially where the data held upon them is confidential or critical.

Windows NT supports the provision of smart-UPS. The UPS service is able to execute a small number of commands prior to complete power failure. The UPS service may be used to attempt to introduce commands to perform unauthorized actions under the system account upon a power failure, for example installing a Trojan horse to monitor and record password entry. The policy should ensure that this and other similar services running under a system account may only execute known and authorized command scripts. This may require changes to the associated registry key and command file permissions.

All Windows NT systems have a local account called administrator. This account has a number of special properties that make it the first target for any attacker. Use of this special account should be restricted as much as possible. In fact many organizations rename the account, give it a complex password (14 random letters, special characters and numbers) and keep the details locked away for use only in an emergency. The policy should provide guidelines on usage of the administrator account, both to protect the account from external attack and to provide accountability for its use.

Windows NT uses the standard Server Message Block (SMB) protocol when exchanging information through a network share. This protocol provides little protection against unauthorized modification or disclosure of the transmitted information. Where Windows NT is sharing information with another Windows NT system, providing they are both at a minimum service level of NT 4.0 SP3, the packets of information may be digitally signed to ensure they have not been altered and that they are genuine.

The circumstances under which usage of the Point to Point Tunnelling Protocol (PPTP) is permitted should be specified. Designed as an Internet tunnelling protocol that allows a user to remotely connect to their Windows NT domain, PPTP has been subject to numerous studies that have in the past highlighted a number of potential security vulnerabilities. The policy should highlight required patches and perhaps limit the information that can be transmitted across such a link by classification category.

Some privileges, such as the ability to change the system time, may be acceptable on a workstation but not on a shared server, whilst others, such as debug or act as part of the operating system, enable a user to bypass normal Windows NT security mechanisms and should not be assigned to any user by default. The policy should provide guidance on the default user rights setting at the workstation, at a server and at a domain controller.

Trust relationships provide the mechanism through which a user in one domain may access resources in another domain without relying upon 'guest access'. The trusting domain trusts that the trusted domain performs user account management and authentication in an acceptable manner. Any decision concerning setting up a trust relationship with an external organization should take into account both their account policy settings and any relevant procedures associated with user account management (adding, changing, removing).

Implementation of a standard desktop is possible through the use of both user profiles and the more recently introduced System Policy. The Windows NT policy should detail the default settings to be used for different types of users. Through the use of multiple policies a number
