Windows Object Security - Univerzita Karlova (dac.pdf)
Windows Object Security
DAC
logon -> SID -> Access Token -> ACL
14.3.19 vjj 1
logon security
• local account
• Microsoft Account
• domain account - Ctrl+Alt+Del
• password, certificate, PIN, biometrics, draw pattern, ...
Windows Kernel Object Security
• files, directories
• Registry
• processes, threads
• semaphores, events
• Active Directory
• Group Policy objects
Windows Object Security
• local: Properties dialog (F10) -> Properties option -> Security tab
• API functions for Security Descriptor, ACL, ACE
• .NET Framework objects: Security Descriptor, ACL, ACE
• Group Policy: Computer Configuration | Policies | Security Settings | File System
[Figure: THREAD OBJECT holding the SUBJECT's Access Token (User SID, User Group SIDs, Logon SID, Privileges, Owner SID, Primary Group SID, Default DACL, Access Token Source, Primary or Impersonation, Restricting SIDs, Impersonation Level: Identify, Impersonate, Delegate) and the OBJECT holding its Security Descriptor (Owner SID, Group SID, ACL list of ACE entries).]
access verification algorithm
• get object's ACL
• compare SIDs and requirements with ACEs
• deny ACE encountered -> access denied
• permit ACEs found for all requirements -> access allowed
• end of ACL encountered -> access denied
• no ACL -> no restrictions
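The walk above as an added model in plain C (not Windows code and not from the slides): SIDs are strings, rights are a small bit mask, ACEs are checked in order against the rights still outstanding, and the model also covers the later slides' cases of no DACL at all and an empty DACL. The sample ACEs and tokens are constructed; the user SID S-1-5-21-0-0-0-1103 is a placeholder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the DACL walk from the slides (added example, not Windows code): SIDs are strings,
 * rights are a small bit mask, and ACEs are checked in order against the rights still outstanding. */
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; size_t count; bool present; } Dacl; /* present == false: no DACL */

enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4, RIGHT_ALL = 7 };

static bool token_has_sid(const char *const *token_sids, size_t n, const char *sid) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(token_sids[i], sid) == 0) return true;
    return false;
}

/* True when every bit of 'requested' is granted by allow ACEs before a matching
 * deny ACE or the end of the list is reached. */
bool access_check(const Dacl *dacl, const char *const *token_sids, size_t n, unsigned requested) {
    if (!dacl->present) return true;                          /* no ACL -> no restrictions */
    unsigned remaining = requested;
    for (size_t i = 0; i < dacl->count && remaining; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!token_has_sid(token_sids, n, ace->sid)) continue; /* ACE names a SID not in the token */
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining) return false;          /* deny hits an outstanding right */
        } else {
            remaining &= ~ace->mask;                          /* allow grants part of the request */
        }
    }
    return remaining == 0; /* end of ACL with rights outstanding -> denied; an empty DACL ends here */
}

/* Constructed sample DACL using well-known SIDs: Guests (BG), Users (BU), Administrators (BA). */
static const Ace sample_aces[] = {
    { ACE_DENY,  "S-1-5-32-546", RIGHT_ALL },               /* deny Built-in Guests everything */
    { ACE_ALLOW, "S-1-5-32-545", RIGHT_READ | RIGHT_EXEC }, /* Built-in Users: read + execute */
    { ACE_ALLOW, "S-1-5-32-544", RIGHT_ALL },               /* Built-in Administrators: all */
};
const Dacl sample_dacl = { sample_aces, 3, true };
const Dacl null_dacl   = { NULL, 0, false }; /* like SetSecurityDescriptorDacl(pSD, FALSE, NULL, FALSE) */
const Dacl empty_dacl  = { NULL, 0, true };  /* like an InitializeAcl'd list with no ACEs */

/* Constructed tokens (placeholder user SID): a member of Users, and a guest who is also in Users. */
const char *const user_token[]  = { "S-1-5-21-0-0-0-1103", "S-1-5-32-545" };
const char *const guest_token[] = { "S-1-5-32-546", "S-1-5-32-545" };
```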
Access Token
• User SID - Security ID of the user under which the process/thread runs
• User Group SIDs - Security IDs of all groups the user is a member of
• Primary Group SID
• Restricting SIDs - list of restricting SIDs added by CreateRestrictedToken
• Logon SID - identifies the logon session
• Access Token Source
• Primary or Impersonation
• Impersonation Level (Identify, Impersonate, Delegate) - full impersonation requires the process to enable the user's privilege "Act as part of the operating system" (SE_TCB_NAME, "SeImpersonatePrivilege")
• Security Settings / Local Policies / User Rights Assignment / Act as part of the operating system
• Privileges - all privileges granted to the user, either individually or through the groups the user is a member of
• Owner SID - Security ID of the user who will be set as the owner of newly created objects
• Default DACL - the protection applied to newly created objects when none is given explicitly by the Security Descriptor parameter (what is the relationship to the DACL of, e.g., the directory in which the new file is created?)
Access Token
• two kinds:
• "primary" token - bound to a process, the default for every thread of the process
• "impersonation" token - bound to a thread that is currently impersonating
• in a token one can change:
• the permissions granted to the impersonated user
• the enabling of granted privileges
• the default owner and DACL for kernel objects that a process with this token will create
owner's permissions
• READ_CONTROL
• WRITE_DAC
API
• OpenProcessToken - retrieves a handle to the primary access token for a process.
• OpenThreadToken - retrieves a handle to the impersonation access token for a thread.
• CreateRestrictedToken - creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricted SIDs.
• DuplicateToken - creates a new impersonation token that duplicates an existing token.
• DuplicateTokenEx - creates a new primary token or impersonation token that duplicates an existing token.
• AdjustTokenGroups - changes the group information in an access token.
• AdjustTokenPrivileges - enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones.
• SetTokenInformation - changes a token's owner, primary group, or default DACL.
API
    BOOL WINAPI GetTokenInformation(
        _In_      HANDLE                  TokenHandle,
        _In_      TOKEN_INFORMATION_CLASS TokenInformationClass,
        _Out_opt_ LPVOID                  TokenInformation,
        _In_      DWORD                   TokenInformationLength,
        _Out_     PDWORD                  ReturnLength
    );
• TOKEN_INFORMATION_CLASS: TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber, TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes, TokenDeviceGroups, TokenRestrictedDeviceGroups, TokenSecurityAttributes, TokenIsRestricted, MaxTokenInfoClass
Access Token in .NET
• IIdentity - authentication
• IPrincipal - authorization
• .NET: WindowsIdentity and WindowsPrincipal
• the WindowsPrincipal and WindowsIdentity objects are linked to each other
• token of the current thread: WindowsIdentity.GetCurrent() wraps the token that represents the thread's security context (for a non-impersonating thread)
Identity <-> Principal
    WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
    WindowsPrincipal myPrincipal = new WindowsPrincipal(myIdentity);
    // IPrincipal.Identity is typed IIdentity, so a cast is needed to get the WindowsIdentity back
    myIdentity = (WindowsIdentity)myPrincipal.Identity;
WindowsIdentity
    WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
    WindowsIdentity nullIdentity = WindowsIdentity.GetAnonymous();
    myIdentity.Name
    myIdentity.IsAuthenticated
    myIdentity.IsAnonymous
    myIdentity.IsGuest
    myIdentity.IsSystem
    myIdentity.AuthenticationType == "NTLM"
    IntPtr myToken = myIdentity.Token;
WindowsPrincipal
    myPrincipal.IsInRole(WindowsBuiltInRole.Administrator)
• Determines whether the current principal belongs to the specified Windows user group.
Roles
• how to create new application-dependent roles?
Roles
• System.Web.Security.Roles
• CreateRole(string roleName)
• AddUserToRole(string username, string roleName)
• AddUsersToRole(string[] usernames, string roleName)
• AddUserToRoles(string username, string[] roleNames)
imperative role-based security
    // demand a specific user in a specific role
    PrincipalPermission p = new PrincipalPermission("novak", "admins");
    // or: any user, as long as the current principal is in the role "admins"
    PrincipalPermission p2 = new PrincipalPermission(null, "admins");
    try {
        p.Demand();
    }
    catch (SecurityException e) {
        // the current principal does not satisfy the demanded name/role
    }
declarative role-based security
    [PrincipalPermission(SecurityAction.Demand, Name = "novak")]
    [PrincipalPermission(SecurityAction.Demand, Name = "novak", Role = "admins")]
    [PrincipalPermission(SecurityAction.Demand, Role = "admins")]
ACL
PowerShell
get-acl
> dir | get-acl | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents\WindowsPowerShell\Active Directory
Owner : WIN\vjj
Group :
Access :
    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : None
Audit :
Sddl (Security Descriptor Definition Language) :
get-acl
> get-acl C:\Users\vjj\Documents | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents
Owner : WIN\vjj
Group : WIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
WIN\vjj Allow FullControl
Audit :
Sddl : O:S-1-5-21-2378754280-655980599-3492758231-1103
G:DU
D:
(A;OICIID;FA;;;SY)
(A;OICIID;FA;;;BA)
(A;OICIID;FA;;;S-1-5-21-2378754280-655980599-3492758231-1103)
SDDL
• Allow full control (Access) to Built-in Administrators
(A;OICI;GA;;;BA)
• Deny Access to Built-in Guests
(D;OICI;GA;;;BG)
• Deny Access to Anonymous logon
(D;OICI;GA;;;AN)
• Allow Read/Write/eXecute to Authenticated Users
(A;OICI;GRGWGX;;;AU)
Security Descriptor Definition Language
• D - SDDL_ACCESS_DENIED
• A - SDDL_ACCESS_ALLOWED
• CI - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE
• OI - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE
• ID - ACE IS INHERITED
• GA - GENERIC ALL
• FA - FILE ALL ACCESS
• .....
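An added parser for the ACE strings shown above (example code, not from the slides): it splits one SDDL ACE into its type, flags, rights and trustee fields and tests the inheritance flags. The three sample ACE strings in main() are the ones from this page; the object-GUID fields are skipped.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: parse one SDDL ACE string "(type;flags;rights;;;trustee)"
 * into its fields and query its inheritance flags. The two object-GUID fields are skipped. */
typedef struct {
    char type[3];     /* "A" allow, "D" deny, ... */
    char flags[16];   /* e.g. "OICIID" */
    char rights[32];  /* e.g. "FA" or "GRGWGX" */
    char trustee[48]; /* "BA", "SY" or a full "S-1-5-..." string */
} SddlAce;
/* Copies [s, e) into dst; false if it does not fit. */
static bool copy_field(char *dst, size_t cap, const char *s, const char *e) {
    size_t n = (size_t)(e - s);
    if (n >= cap) return false;
    memcpy(dst, s, n); dst[n] = '\0';
    return true;
}

/* Parses "(A;OICIID;FA;;;SY)"; false on malformed input (missing parens or field count != 6). */
bool sddl_parse_ace(const char *text, SddlAce *out) {
    size_t len = strlen(text);
    if (len < 2 || text[0] != '(' || text[len - 1] != ')') return false;
    const char *f[6]; size_t n = 1; f[0] = text + 1;   /* start of each ';'-separated field */
    for (const char *p = text + 1; p < text + len - 1; p++)
        if (*p == ';') { if (n == 6) return false; f[n++] = p + 1; }
    if (n != 6) return false;
    return copy_field(out->type,    sizeof out->type,    f[0], f[1] - 1)
        && copy_field(out->flags,   sizeof out->flags,   f[1], f[2] - 1)
        && copy_field(out->rights,  sizeof out->rights,  f[2], f[3] - 1)
        && copy_field(out->trustee, sizeof out->trustee, f[5], text + len - 1);
}

/* True if the flags field contains the two-letter flag, e.g. "ID" (inherited), "CI", "OI". */
bool sddl_has_flag(const SddlAce *ace, const char *flag) {
    for (size_t i = 0; ace->flags[i] && ace->flags[i + 1]; i += 2)
        if (strncmp(&ace->flags[i], flag, 2) == 0) return true;
    return false;
}
int main(void) {
    const char *samples[] = { "(A;OICIID;FA;;;SY)", "(D;OICI;GA;;;BG)", "(A;OICI;GRGWGX;;;AU)" };
    SddlAce ace;
    for (size_t i = 0; i < 3; i++)
        if (sddl_parse_ace(samples[i], &ace))
            printf("%-22s %s %s -> %s%s\n", samples[i], ace.type, ace.rights, ace.trustee,
                   sddl_has_flag(&ace, "ID") ? " (inherited)" : "");
    return 0;
}
```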
GetAccessRules
    $sd = get-acl C:\users\vjj\Documents
    $accessrules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $accessrules | fl
copy ACL
    $myACL = Get-Acl myTest1.txt
    Set-Acl myTest2.txt -AclObject $myACL
    dir -Path c:\temp -Recurse -Include *.txt -Force | Set-Acl -AclObject $myACL
.NET
    // account: account name (string), rights: a FileSystemRights value, type: an AccessControlType value
    FileSecurity fSecurity = File.GetAccessControl(fileName);
    fSecurity.AddAccessRule(new FileSystemAccessRule(account, rights, type));
    File.SetAccessControl(fileName, fSecurity);
.NET
    // FileName: path of the directory; account, rights, type as above
    DirectoryInfo dInfo = new DirectoryInfo(FileName);
    DirectorySecurity dSecurity = dInfo.GetAccessControl();
    dSecurity.AddAccessRule(new FileSystemAccessRule(account, rights, type));
    dInfo.SetAccessControl(dSecurity);
.NET and ACE in AD
    using ActiveDs;                 // ADSI COM interop (SecurityDescriptor, AccessControlList, AccessControlEntry)
    using System.Collections;
    using System.DirectoryServices; // DirectoryEntry
    DirectoryEntry DirEnt = new DirectoryEntry("LDAP://CN=vjj, DC=WIN, DC=MS, DC=MFF, DC=CUNI, DC=CZ");
    SecurityDescriptor sd = (SecurityDescriptor)DirEnt.Properties["ntSecurityDescriptor"].Value;
    AccessControlList acl = (AccessControlList)sd.DiscretionaryAcl;
    foreach (AccessControlEntry ace in (IEnumerable)acl) {
        Console.WriteLine("Trustee: {0}", ace.Trustee);
        Console.WriteLine("AccessMask: {0}", ace.AccessMask);
        Console.WriteLine("Access Type: {0}", ace.AceType);
    }
ACL
API
Allowing any access
    PSECURITY_DESCRIPTOR pSD;
    pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(pSD, FALSE, NULL, FALSE);   // bDaclPresent = FALSE: the descriptor carries no DACL
    SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
FALSE => the SE_DACL_PRESENT flag is cleared in the security descriptor
[Figure: thread of execution with the SUBJECT's Access Token (user SID, group SIDs, ..., privileges) and the Object with its Security Descriptor (owner SID, group SID) and no ACL.]
???
    PSECURITY_DESCRIPTOR pSD;
    pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(pSD, TRUE, NULL, TRUE);   // bDaclPresent = TRUE, pDacl = NULL, bDaclDefaulted = TRUE
    SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
default
    PSECURITY_DESCRIPTOR pSD;
    pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE);   // bDaclPresent = TRUE, pDacl = NULL, bDaclDefaulted = FALSE
    SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
FALSE => DACL set to default
Denying any access
    PSECURITY_DESCRIPTOR pSD;
    PACL pAcl;
    pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    pAcl = (PACL) HeapAlloc(hHeap, 0, 1024);
    InitializeAcl(pAcl, 1024, ACL_REVISION2);            // an ACL with no ACEs: nothing is granted to anyone
    SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE);   // DACL present, pointing at the empty ACL
    SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
[Figure: thread of execution with the SUBJECT's Access Token (user SID, group SIDs, ..., privileges) and the Object with its Security Descriptor (owner SID, group SID, empty ACL list).]
Specific permission 1/3
    PSECURITY_DESCRIPTOR pSD;
    PACL pAcl;
    PSID pSid;
    DWORD dwSidLength = 1024;
    DWORD dwDomainLength = 80;
    LPSTR lpszAccount = "vjj";
    LPSTR lpszDomain;
    PSID_NAME_USE pSidNameUse;
Specific permission 2/3
    pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    pAcl = (PACL) HeapAlloc(hHeap, 0, 1024);
    InitializeAcl(pAcl, 1024, ACL_REVISION2);
    pSid = (PSID) HeapAlloc(hHeap, 0, dwSidLength);             // buffer for the SID looked up below
    pSidNameUse = (PSID_NAME_USE) HeapAlloc(hHeap, 0, 1024);
    lpszDomain = (LPSTR) HeapAlloc(hHeap, 0, dwDomainLength);  // buffer for the account's domain name
Specific permission 3/3
    LookupAccountName(NULL,   // NULL = the local system
                      lpszAccount, pSid, &dwSidLength, lpszDomain, &dwDomainLength, pSidNameUse);
    if (IsValidSid(pSid)) {
        AddAccessAllowedAce(pAcl, ACL_REVISION2, GENERIC_READ, pSid);   // one allow ACE: read for "vjj"
        SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE);
        SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
    }
[Figure: thread of execution with the SUBJECT's Access Token (user SID, group SIDs, ..., privileges) and the Object with its Security Descriptor (owner SID, group SID, ACL list with one ACE entry).]
PowerShell and ACL
    $objUser = New-Object System.Security.Principal.NTAccount("win\vjj")
    $fsRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $fsRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACL = Get-ACL "C:\testFolder\Test1.txt"
    $objACL.AddAccessRule($objACE)
    Set-ACL "C:\testFolder\Test1.txt" $objACL
Mandatory Integrity Control
• Integrity Level checks before ACL
• implemented through a new type of ACE on a security descriptor