1.Security Subsystem Components

Transcript of 1.Security Subsystem Components

Page 1: 1.Security Subsystem Components

Microsoft Windows Security Services Overview

How are security services integrated into the Windows Server architecture?

Page 2: 1.Security Subsystem Components

[Architecture diagram: the layers of the Windows Server architecture, top to bottom]

User Mode: Win32 Application, Win32 Subsystem, Security Subsystem, Plug & Play Manager

Kernel Mode: Executive Services, made up of the I/O Manager, Memory Manager, P & P Manager, Power Manager, Process Manager, Security Reference Monitor, Windows Manager, IPC Manager, File System, Graphics Device Driver and Object Manager; below them the Device Drivers and Microkernel, then the Hardware Abstraction Layer, then the Hardware

Page 3: 1.Security Subsystem Components

Windows is a two access mode system, and security is split between the two modes.

User Mode
It is made up of a set of components referred to as subsystems. A subsystem passes I/O requests to the appropriate kernel mode driver. The subsystems focus on end users and applications.

Kernel Mode
Kernel mode has access to system data and hardware. Kernel mode provides direct access to memory.

This split ensures that a user level process is unable to corrupt the lower level system drivers that are located at kernel level.

The Active Directory service runs in the Security subsystem, but the actual enforcement of security takes place at the Security Reference Monitor in kernel mode.

Page 4: 1.Security Subsystem Components

Integration of A.D. with the security subsystem ensures that security can exist in Windows Server.

You can protect all access by combining authentication, a security principal, and the necessary permission to perform the task.

The security subsystem performs the authorization task.

Page 5: 1.Security Subsystem Components

[Diagram: the Security Subsystem passes a request for authorization to the Security Reference Monitor, which evaluates the object's DACL (Discretionary Access Control List) and its ACEs (Access Control Entries)]

The DACL is checked for the object being connected to; each ACE defines the permissions that are assigned to a given security principal for that object.

Pass Request for Authorization
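The following is an added example, not code from the original slides, that models the DACL walk the Security Reference Monitor performs for a request like the one in the diagram. The Ace, SecurityDescriptor and Token structures, the access-right bit values, the user and administrator SIDs and the sample DACLs are all constructed for illustration; the evaluation order (entries examined in order, a matching deny on a still-wanted right refuses the request, a matching allow strips the rights it grants, stop when nothing is left to grant) is the documented Windows access check. Owner-implied rights and privileges are left out of the model.

```python
"""Model of the DACL/ACE walk performed by the Security Reference Monitor.

Added example, not code from the original slides. Structures, bit values
and the user/admin SIDs are constructed; the NULL-DACL versus empty-DACL
distinction and the in-order evaluation follow the documented Windows
access check. Owner-implied rights and privileges are omitted.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Access-right bits for the toy model (constructed values, not the real FILE_* masks).
FILE_READ = 0x1
FILE_WRITE = 0x2
FILE_EXECUTE = 0x4
DELETE = 0x8

# Two well-known SIDs plus constructed domain SIDs for a user and an administrator.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
ALICE = "S-1-5-21-0-0-0-1001"       # constructed user SID
ADMIN_USER = "S-1-5-21-0-0-0-500"   # constructed administrator SID


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the entry applies to
    mask: int   # rights this entry grants or denies


@dataclass
class SecurityDescriptor:
    # None models a NULL DACL (no protection: every access is granted);
    # [] models an empty DACL (no entries: every access is denied).
    dacl: Optional[List[Ace]]


@dataclass
class Token:
    # SIDs the LSA placed in the access token: the user SID plus group SIDs.
    sids: FrozenSet[str]


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Return True when the token is granted every bit in `desired`."""
    if sd.dacl is None:
        return True                     # NULL DACL: no access control at all
    remaining = desired
    if remaining == 0:
        return True
    for ace in sd.dacl:
        if ace.sid not in token.sids:
            continue                    # entry is for another principal
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False            # explicit deny on a wanted right
        elif ace.kind == "allow":
            remaining &= ~ace.mask      # strip the rights this entry grants
            if remaining == 0:
                return True             # everything wanted has been granted
    return False                        # DACL exhausted with rights still unmet


# Canonical order: explicit deny entries before explicit allow entries.
CANONICAL_DACL = SecurityDescriptor(dacl=[
    Ace("deny", ALICE, FILE_WRITE),
    Ace("allow", EVERYONE, FILE_READ | FILE_EXECUTE),
    Ace("allow", ADMINISTRATORS, FILE_READ | FILE_WRITE | FILE_EXECUTE | DELETE),
])

# Same deny placed after an allow covering the same right: the walk stops
# at the allow, so the deny is never reached and has no effect.
NON_CANONICAL_DACL = SecurityDescriptor(dacl=[
    Ace("allow", EVERYONE, FILE_WRITE),
    Ace("deny", ALICE, FILE_WRITE),
])

ALICE_TOKEN = Token(sids=frozenset({ALICE, EVERYONE}))
ADMIN_TOKEN = Token(sids=frozenset({ADMIN_USER, EVERYONE, ADMINISTRATORS}))


def demo() -> dict:
    """Run the checks worth seeing; returns check name -> granted?"""
    return {
        "alice_read": access_check(CANONICAL_DACL, ALICE_TOKEN, FILE_READ),
        "alice_read_write": access_check(CANONICAL_DACL, ALICE_TOKEN, FILE_READ | FILE_WRITE),
        "admin_full": access_check(CANONICAL_DACL, ADMIN_TOKEN, FILE_READ | FILE_WRITE | DELETE),
        "empty_dacl_read": access_check(SecurityDescriptor(dacl=[]), ALICE_TOKEN, FILE_READ),
        "null_dacl_delete": access_check(SecurityDescriptor(dacl=None), ALICE_TOKEN, DELETE),
        "noncanonical_alice_write": access_check(NON_CANONICAL_DACL, ALICE_TOKEN, FILE_WRITE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Two results are worth a second look when reviewing real ACLs: an empty DACL denies everyone while a NULL DACL protects nothing, and a deny entry placed after an allow that already covers the right is silently ineffective, which is why Windows tools write DACLs in canonical order.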

Page 6: 1.Security Subsystem Components

Hardware Abstraction Layer (HAL)

It hides the hardware interface details, making Windows Server more portable across different hardware architectures.

The HAL is implemented as a dynamic-link library (.dll).

It is responsible for all hardware-level, platform-specific support needed by every component in the system.

Page 7: 1.Security Subsystem Components
Page 8: 1.Security Subsystem Components

Security Subsystem Components

Security subsystem components run within the Local Security Authority process, which includes:

Netlogon service (Netlogon.dll)
NTLM authentication protocol (Msv1_0.dll)
SSL authentication protocol (Schannel.dll)
Kerberos v5 authentication protocol (Kerberos.dll)
Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
LSA server service (Lsasrv.dll)
Security Accounts Manager (SAM) (Samsrv.dll)
Directory Service module (Ntdsa.dll)
Multiple authentication provider (Secur32.dll)

Page 9: 1.Security Subsystem Components

Netlogon service (Netlogon.dll)

It maintains the computer's secure channel to a domain controller in its domain.

It passes credentials to the domain controller through the secure channel and returns an access token with security identifiers and user rights.

It is also responsible for replication of Active Directory data to Windows NT backup domain controllers (in mixed mode only).

Page 10: 1.Security Subsystem Components

NTLM authentication protocol (Msv1_0.dll)

Used to authenticate clients that are unable to use Kerberos authentication.

This includes the Windows 95, Windows 98 and Windows NT operating systems.

Page 11: 1.Security Subsystem Components

SSL authentication protocol (Schannel.dll)

Secure Sockets Layer provides encryption services at the application layer.

To use SSL, an application must be coded to recognize and implement SSL.

Page 12: 1.Security Subsystem Components

Kerberos v5 authentication protocol (Kerberos.dll)

Default authentication protocol used by Windows Server.

It is based on TGTs (ticket-granting tickets) and service tickets.

Page 13: 1.Security Subsystem Components

Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)

Responsible for issuing a TGT to the client when it initially authenticates with the network.

The Kerberos security provider uses the KDC service on a domain controller, together with Active Directory, for obtaining TGTs.

Page 14: 1.Security Subsystem Components

LSA server service (Lsasrv.dll)

The Local Security Authority enforces all defined policies within Active Directory.

Page 15: 1.Security Subsystem Components

Security Accounts Manager (SAM) (Samsrv.dll)

It is used on non-domain controllers for storage of local security accounts.

It also enforces all locally stored policies.

Page 16: 1.Security Subsystem Components

Directory Service module (Ntdsa.dll)

It supports replication between Windows Server domain controllers.

It provides LDAP (Lightweight Directory Access Protocol) access to Active Directory and management of the data stored in Active Directory.

Page 17: 1.Security Subsystem Components

Multiple authentication provider (Secur32.dll)

This SSP (Security Support Provider) supports all security packages available on the system.

Security packages include Kerberos, NT LAN Manager (NTLM), Secure Channel and Distributed Password Authentication.

Page 18: 1.Security Subsystem Components

LSA Functionality

Maintains all local security information for a Windows Server based computer
Allows users to authenticate interactively with a Windows Server based computer
Generates the access token, which contains the security identifiers (SIDs) for the user and all of the user's groups
Manages local policy, which is overridden if any domain, OU or forest level policy is defined
Maintains the audit policy (logs and alerts for security references by the kernel)
Builds the list of trusted domains shown at the interactive logon screen
Determines which users have been assigned privileges
Manages memory quotas
Reads the System Access Control List (SACL) for each object to determine what security auditing has been defined for the object

Page 19: 1.Security Subsystem Components

Windows Server security protocols

[Diagram: the layers an application passes through when it authenticates, top to bottom]

Application: Remote file, DCOM application, IE and IIS, Directory-enabled application, Mail, chat and news

Application Interface: SMB, Secure RPC, HTTP, LDAP, POP3

Security Support Provider Interface (SSPI)

Security Protocol: NTLM, Kerberos, SChannel (SSL/TLS), Distributed Password Authentication

Windows Server supports multiple security protocols

Page 20: 1.Security Subsystem Components

NTLM

Windows NT LAN Manager (NTLM) is used to authenticate clients that are unable to use Kerberos authentication.

This includes the Windows 95, Windows 98 and Windows NT operating systems.

Page 21: 1.Security Subsystem Components

Kerberos

Default authentication protocol used by Windows Server.

It is based on TGTs (ticket-granting tickets) and service tickets.

The Kerberos security provider uses the KDC service on a domain controller, together with Active Directory, for obtaining TGTs.
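The TGT and service ticket flow described on pages 12, 13 and 21, as an added example that is not code from the original slides: a client obtains a TGT from the KDC (AS exchange), trades it for a service ticket (TGS exchange) and presents that ticket to the service (AP exchange). The realm EXAMPLE.LOCAL, the user alice with her password, the service principal cifs/fileserver and the lifetimes are constructed assumptions, and the encryption is a stdlib-only stand-in (SHA-256 keystream with an HMAC tag) for the real Kerberos encryption types. Pre-authentication, ticket renewal and cross-realm referrals are omitted.

```python
"""Toy Kerberos v5 ticket flow: AS exchange, TGS exchange, AP exchange.

Added example, not code from the original slides. Realm, principals,
password and service name are constructed; seal/unseal is a stand-in for
the real Kerberos encryption types. No pre-authentication, no renewals.
"""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"       # constructed realm
TICKET_LIFETIME = 10 * 3600   # seconds a ticket stays valid
CLOCK_SKEW = 300              # tolerated authenticator timestamp drift (seconds)


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (real etypes define their own KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; a wrong key fails here."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self):
        self.keys = {
            "krbtgt": os.urandom(32),                               # protects TGTs
            "cifs/fileserver": os.urandom(32),                      # constructed service
            "alice": derive_key("correct horse", REALM + "alice"),  # constructed user
        }

    def as_exchange(self, cname: str, now: int):
        """AS-REQ/AS-REP: TGT under the krbtgt key, session key under the client's key."""
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session_key, "exp": now + TICKET_LIFETIME})
        enc_part = seal(self.keys[cname], {"key": session_key, "exp": now + TICKET_LIFETIME})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"] or abs(now - auth["ts"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT")
        service_key = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": service_key, "exp": now + TICKET_LIFETIME})
        enc_part = seal(bytes.fromhex(t["key"]), {"key": service_key, "sname": sname})
        return ticket, enc_part


def client_login(kdc: KDC, cname: str, password: str, now: int):
    """Client side of the AS exchange: the password never leaves the client."""
    tgt, enc_part = kdc.as_exchange(cname, now)
    session_key = bytes.fromhex(unseal(derive_key(password, REALM + cname), enc_part)["key"])
    return tgt, session_key      # the client holds the TGT but cannot read it


def client_get_service_ticket(kdc: KDC, cname: str, tgt: bytes, session_key: bytes, sname: str, now: int):
    """Client side of the TGS exchange."""
    ticket, enc_part = kdc.tgs_exchange(tgt, seal(session_key, {"cname": cname, "ts": now}), sname, now)
    return ticket, bytes.fromhex(unseal(session_key, enc_part)["key"])


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """AP-REQ on the service side: the authenticated client name, or None."""
    try:
        t = unseal(service_key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return None
    if auth["cname"] != t["cname"] or abs(now - auth["ts"]) > CLOCK_SKEW or now > t["exp"]:
        return None
    return t["cname"]


def run_flow(password: str = "correct horse", now=None):
    """Login, get a service ticket, present it; returns the name the service saw."""
    kdc, now = KDC(), now if now is not None else int(time.time())
    tgt, session_key = client_login(kdc, "alice", password, now)
    ticket, svc_session = client_get_service_ticket(kdc, "alice", tgt, session_key, "cifs/fileserver", now)
    ap_authenticator = seal(svc_session, {"cname": "alice", "ts": now})
    return service_accept(kdc.keys["cifs/fileserver"], ticket, ap_authenticator, now)


if __name__ == "__main__":
    print("service authenticated:", run_flow())
```

The point to take from the flow is who can open what: the client never decrypts the TGT, the service only decrypts tickets sealed under its own key, and a wrong password surfaces as a failed unseal of the AS-REP on the client, which is why a KDC without pre-authentication hands material to anyone who asks.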

Page 22: 1.Security Subsystem Components

Distributed Password Authentication (DPA)

Shared secret authentication protocol used by MSN.

Provides you with a single account and password to connect to all Internet sites that are members of the same Internet membership organization.

Page 23: 1.Security Subsystem Components

Secure Channel (Schannel) Service

Provides the ability to authenticate users by using protocols such as SSL and Transport Layer Security (TLS).

If you use PKI (Public Key Infrastructure), this protocol provides authentication of both client and server.

Page 24: 1.Security Subsystem Components

Security Support Provider Interface (SSPI)

It isolates applications from the details of which Windows Server security protocol is used to authenticate the security principal.

Page 25: 1.Security Subsystem Components