windows object security - univerzita karlova dac.pdf · api • openprocesstoken retrieves a handle...

Windows Object Security

DAC

logon -> SID -> Access Token -> ACL

14.3.19 vjj 1

logon security• local account

• Microsoft Account

• domain account - Ctrl+Alt+Del

• heslo, certificate, PIN, biometrics, draw pattern, ...

14.3.19 vjj 2

Windows Kernel Object Security

• soubory, adresáře

• Registry

• procesy, vlákna

• semafory, události

• Active Directory

• objekty Group Policy

14.3.19 vjj 3

Windows Object Security

• local Properties dialog (F10)Properties optionSecurity tab

• API funkce proSecurity Descriptor, ACL, ACE

• .NET Framework objectsSecurity Descriptor, ACL, ACE

• Group PolicyComputer Configuration | Policies | Security Settings | File System

14.3.19 vjj 4

THREAD OBJECT

SUBJECT's Access Token

User SIDUser Group SIDs

Logon SID

PrivilegesOwner SID

Primary Group SIDDefault DACL

Access Token SourcePrimary or Impersonation

Restricting SIDsImpersonation Level

(Identify, Impersonate, Delegate)

Security Descriptor

Owner SIDGroup SID

ACL seznam

ACE záznam

ACE záznam

ACE záznam

ACE záznam

ACE záznam

14.3.19 vjj 5

access verification algorithm

• get object's ACL

• compare SIDs and requirements with ACEs

• deny ACE encountered -> access denied

• permit ACEs found for all requirements -> access allowed

• end of ACL encountered -> access denied

• no ACL -> no restrictions14.3.19 vjj 6

Access Token• User SID - Security ID uživatele, pod kterým proces/vlákno běží

• User Group SIDs - Security ID všech skupin, jejichž je uživatel členem

• Primary Group SID

• Restricting SIDs - list of restricting SIDs added by CreateRestrictedToken

• Logon SID - identifies the logon session

• Access Token Source

• Primary or Impersonation

• Impersonation Level (Identify, Impersonate, Delegate) – k plnému zastupování je zapotřebí aby proces aktivoval uživatelovo privilegium "Act as part of the operating system" (SE_TCB_NAME, "SeImpersonatePrivilege")

• Security Settings / Local Policies / User Rights Assignment / Act as part of the operating system

• Privileges - všechna privilegia přidělená uživateli buď individuálně, nebo prostřednictvím skupin, kterých je členem

• Owner SID - Security ID uživatele, který bude nastaven jako vlastník nově vytvářených objektů

• Default DACL - zabezpečení, které bude nastaveno u nově vytvářených objektů, pokud není

explicitně určeno parametrem Security Decriptor(jaký je vztah k DACL např. adresáře, ve kterém je vytvářen nový soubor?)

14.3.19 vjj 7

Access Token• dva druhy:

• "primary" token – je svázán s procesem, default pro každé vlákno procesu

• "impersonation" token – je svázán s vláknem, které je právě v režimu zastupování

• v tokenu lze změnit:

• oprávnění přidělená zastupovanému uživatel

• aktivaci přidělených privilegií

• defaultního vlastníka a DACL pro kernel objekty, které bude proces s tímto tokenem dále vytvářet

14.3.19 vjj 8

owner's permissions

• READ_CONTROL

• WRITE_DAC

14.3.19 vjj 9

API• OpenProcessToken Retrieves a handle to the primary access token for

a process.

• OpenThreadToken Retrieves a handle to the impersonation access tokenfor a thread.

• CreateRestrictedToken Creates a new token that is a restricted versionof an existing token. The restricted token canhave disabled SIDs, deleted privileges, and a listof restricted SIDs.

• DuplicateToken Creates a new impersonation token thatduplicates an existing token.

• DuplicateTokenEx Creates a new primary token or impersonation tokenthat duplicates an existing token.

• AdjustTokenGroups Changes the group information in an access token.

• AdjustTokenPrivileges Enables or disables the privileges in an accesstoken. It does not grant new privileges or revokeexisting ones.

• SetTokenInformation Changes a token's owner,primary group, ordefault DACL

14.3.19 vjj 10

APIBOOL WINAPI GetTokenInformation(

_In_ HANDLE TokenHandle,

_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,

_Out_opt_ LPVOID TokenInformation,

_In_ DWORD TokenInformationLength,

_Out_ PDWORD ReturnLength

);

• TokenUse = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber, TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes, TokenDeviceGroups, TokenRestrictedDeviceGroups, TokenSecurityAttributes, TokenIsRestricted, MaxTokenInfoClass

14.3.19 vjj 11

Access Token in .NET

• IIdentity – autentizace

• IPrincipal – autorizace

• .NET: WindowsIdentity a WindowsPrincipal

• objekty WindowsPrincipal a WindowsIdentityjsou navzájem provázány

• token of the current thread: WindowsIdentity.GetCurrent( )wraps the token that represents the thread's security context (for non impersonating thread)

14.3.19 vjj 12

Identity <-> PrincipalWindowsIdentity myIdentity =

WindowsIdentity.GetCurrent();

WindowsPrincipal myPrincipal =new WindowsPrincipal (myIdentity) ;

myIdentity = myPrincipal.Identity ;

14.3.19 vjj 13

WindowsIdentityWindowsIdentity myIdentity =

WindowsIdentity.GetCurrent () ;

WindowsIdentity nullIdentity =WindowsIdentity.GetAnonymous () ;

myIdentity.NamemyIdentity.IsAuthenticatedmyIdentity.IsAnonymousmyIdentity.IsGuestmyIdentity.IsSystemmyIdentity.AuthenticationType == "NTLM"

IntPtr myToken = myIdentity.Token ;14.3.19 vjj 14

WindowsPrincipalmyPrincipal.IsInRole (

WindowsBuiltInRole.Administrator )

• Determines whether the (current) principal belongs to the Windows user group.

14.3.19 vjj 15

Roles

• how to create new application dependent roles?

14.3.19 vjj 16

Roles

• System.Web.Security.Roles

• CreateRole( string roleName )

• AddUserToRole( string username,string roleName )

• AddUsersToRole( string[] usernames,string roleName )

• AddUserToRoles( string username,string[] roleNames )

14.3.19 vjj 17

imperative role-based securityPrincipalPermission p =new PrincipalPermission ("novak","admins");

PrincipalPermission p =new PrincipalPermission (null, "admins") ;

try {

p.Demand () ;

}

catch( SecurityException e )

{

}14.3.19 vjj 18

declarative role-based security[PrincipalPermission (SecurityAction.Demand,

Name = "novak")]

[PrincipalPermission (SecurityAction.Demand,Name = "novak",Role = "admins")]

[PrincipalPermission (SecurityAction.Demand,Role = "admins")]

14.3.19 vjj 19

ACL

PowerShell

14.3.19 vjj 20

get-acldir | get-acl | fl

• Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents\WindowsPo

• werShell\Active Directory

• Owner : WIN\vjj

• Group :

• Access :

• FileSystemRights : FullControl

• AccessControlType : Allow

• IdentityReference : BUILTIN\Administrators

• IsInherited : True

• InheritanceFlags : ContainerInherit, ObjectInherit

• PropagationFlags : None

• Audit :

• Sddl (Security Descriptor Definition Language):

14.3.19 vjj 21

get-acl> get-acl C:\Users\vjj\Documents | fl

Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents

Owner : WIN\vjj

Group : WIN\Domain Users

Access : NT AUTHORITY\SYSTEM Allow FullControl

BUILTIN\Administrators Allow FullControl

WIN\vjj Allow FullControl

Audit :

Sddl : O:S-1-5-21-2378754280-655980599-3492758231-1103

G:DU

D:

(A;OICIID;FA;;;SY)

(A;OICIID;FA;;;BA)

(A;OICIID;FA;;;S-1-5-21-2378754280-655980599-3492758231-1103)

14.3.19 vjj 22

SDDL

(D;OICI;GA;;;BG)

• Deny Access to ANonymous logon

(D;OICI;GA;;;AN)

• Allow Read/Write/eXecute to Authenticated Users

(A;OICI;GRGWGX;;;AU)

14.3.19 vjj 23

• Allow full control (Access) to Built-in Administrators

(A;OICI;GA;;;BA)

• Deny Access to Built-in Guests

Security Descriptor Definition Language

• D - SDDL_ACCESS_DENIED

• A - SDDL_ACCESS_ALLOWED

• CI - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE

• OI - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.

• ID - ACE IS INHERITED

• GA - GENERIC ALL

• FA - FILE ALL ACCESS

• .....14.3.19 vjj 24

GetAccessRules$sd = get-acl C:\users\vjj\Documents

$accessrules =

$sd.GetAccessRules($true, $true,

[System.Security.Principal.NTAccount])

$accessrules | fl

14.3.19 vjj 25

copy ACL$myACL = Get-Acl myTest1.txt

Set-Acl myTest2.txt -aclobject $myACL

dir –Path c:\temp -recurse -include *.txt -force |

Set-Acl -aclobject $myACL14.3.19 vjj 26

.NETFileSecurity fSecurity =

File.GetAccessControl(fileName);

fSecurity.AddAccessRule(

new FileSystemAccessRule(

stringAccount,

FileSystemRights,

AccessControlType));

File.SetAccessControl(

fileName, fSecurity);14.3.19 vjj 27

.NETDirectoryInfo dInfo =

new DirectoryInfo(FileName);

DirectorySecurity dSecurity =

dInfo.GetAccessControl();

dSecurity.AddAccessRule(

new FileSystemAccessRule(

stringAccount,

FileSystemRights,

AccessControlType));

dInfo.SetAccessControl(dSecurity);14.3.19 vjj 28

.NET and ACE in ADusing ActiveDs;using System.Collections;

DirectoryEntry DirEnt = new DirectoryEntry( "LDAP://CN=vjj, DC=WIN, DC=MS, DC=MFF, DC=CUNI, DC=CZ") ;

SecurityDescriptor sd = (SecurityDescriptor)DirEnt.Properties["ntSecurityDescriptor"].Value ;

AccessControlList acl= (AccessControlList)sd.DiscretionaryAcl;

foreach ( AccessControlEntry ace in (IEnumerable) acl ){

Console.WriteLine ("Trustee: {0}", ace.Trustee);Console.WriteLine ("AccessMask: {0}", ace.AccessMask);Console.WriteLine ("Access Type: {0}", ace.AceType);

}

14.3.19 vjj 29

ACL

API

14.3.19 vjj 30

THREAD OBJECT


User SIDUser Group SIDs

Logon SID

PrivilegesOwner SID

Primary Group SIDDefault DACL

Access Token SourcePrimary or Impersonation

Restricting SIDsImpersonation Level

(Identify, Impersonate, Delegate)

Security Descriptor

Owner SIDGroup SID

ACL seznam

ACE záznam

ACE záznam

ACE záznam

ACE záznam

ACE záznam

14.3.19 vjj 31

Povolení libovolného přístupuPSECURITY_DESCRIPTOR pSD ;

pSD = (PSECURITY_DESCRIPTOR) HeapAlloc (hHeap, 0,SECURITY_DESCRIPTOR_MIN_LENGTH) ;

InitializeSecurityDescriptor (pSD,SECURITY_DESCRIPTOR_REVISION) ;

SetSecurityDescriptorDacl(pSD, FALSE, NULL, FALSE) ;

SetFileSecurity (lpszFileName,DACL_SECURITY_INFORMATION, pSD) ;

14.3.19 vjj 32

FALSE =>

v bezpečnostním deskriptoru je zrušeno nastavení příznaku SE_DACL_PRESENT

vlákno výpočtu Objekt

SID uživatele

SID skupinySID skupiny

.

.

.Privilegia

Security Descriptor

SID vlastníka

SID skupiny

14.3.19 vjj 33


???PSECURITY_DESCRIPTOR pSD ;



SetSecurityDescriptorDacl(pSD, TRUE, NULL, TRUE) ;


14.3.19 vjj 34

defaultPSECURITY_DESCRIPTOR pSD ;



SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE) ;


14.3.19 vjj 35

FALSE => DACL set to default

Zákaz jakéhokoliv přístupuPSECURITY_DESCRIPTOR pSD ;PACL pAcl ;

pSD = (PSECURITY_DESCRIPTOR) HeapAlloc (hHeap, 0, SECURITYDESCRIPTOR_MIN_LENGTH) ;InitializeSecurityDescriptor

(pSD, SECURITY_DESCRIPTOR_REVISION) ;

pACL = (PACL) HeapAlloc (hHeap, 0, 1024) ;InitializeAcl (pAcl, 1024, ACL_REVISION2) ;

SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE) ;


14.3.19 vjj 36


Access Token

SID uživatele


.

.

.Privilegia

Security Descriptor

SID vlastníka

SID skupiny

ACL seznam

14.3.19 vjj 37


Konkrétní oprávnění 1/3PSECURITY_DESCRIPTOR pSD; PACL pAcl;

PSID pSid;

DWORD dwSidLength = 1024;

DWORD dwDomainLength = 80;

LPSTR lpszAccount = "vjj";

LPSTR lpszDomain;

PSID_NAME_USE pSidNameUse ;

14.3.19 vjj 38

Konkrétní oprávnění 2/3pSD = (PSECURITY_DESCRIPTOR)

HeapAlloc (hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH) ;InitializeSecurityDescriptor (pSD, SECURITY_DESCRIPTOR_REVISION) ;pACL = (PACL) HeapAlloc (hHeap, 0, 1024) ;InitializeAcl (pAcl, 1024, ACL_REVISION2) ;

pSid = (PSID) HeapAlloc (hHeap, 0, dwSidLength) ;

pSidNameUse = (PSID_NAME_USE)HeapAlloc (hHeap, 0, 1024);

lpszDomain =HeapAlloc (hHeap, 0, 80) ;

14.3.19 vjj 39

Konkrétní oprávnění 3/3LookupAccountName( NULL, // = Local System

lpszAccount, pSid, & dwSidLength,lpszDomain,& dwDomainLength,pSidNameUse ) ;

if ( IsValidSid( pSid ) ){

AddAccessAllowedAce ( pAcl, ACL_REVISION2,GENERIC_READ, pSid ) ;

SetSecurityDescriptorDacl( pSD, TRUE, pAcl, FALSE ) ;SetFileSecurity

( lpszFileName, DACL_SECURITY_INFORMATION, pSD ) ;}

14.3.19 vjj 40


Access Token

SID uživatele


.

.

.Privilegia

Security Descriptor

SID vlastníka

SID skupiny

ACL seznam

ACE záznam

14.3.19 vjj 41


PowerShell and ACL$objUser = New-Object System.Security.Principal.NTAccount("win\vjj")

$fsRights = [System.Security.AccessControl.FileSystemRights]"FullControl"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None

$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow

$objACE = New-Object

System.Security.AccessControl.FileSystemAccessRule(

$objUser, $fsRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACL = Get-ACL "C:\testFolder\Test1.txt"

$objACL.AddAccessRule($objACE)

Set-ACL "C:\testFolder\Test1.txt" $objACL

14.3.19 vjj 42

Mandatory Integrity Control

• Integrity Level checks before ACL

• implemented through a new type of ACE on a security descriptor

14.3.19 vjj 43