Understanding User Identity and Access Tokens in Windows Security
Delve into the intricate world of user identity and access tokens in Windows security. Explore how user identities are represented, the structure of access tokens, and the significance of processes running under different user contexts. Gain insights into advanced Windows security principles and learn about tools for security enhancements.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Bezpenost Windows pro pokro il : identita u ivatele Ing. Ond ej eve ek | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com | www.sevecek.com | GOPAS: info@gopas,cz| www.gopas.cz| www.facebook.com/P.S.GOPAS
Kurzy v potaov kole GOPAS http://www.gopas.cz GOC175 - Advanced Windows Security GOC171 - Active Directory Internals and Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI Deployment GOC169 - ISO 2700x in Windows Environment CHFI - Computer Hacking Forensic Investigator
User identity, SID and access token Advanced Windows Security
Windows Processes Everything runs as a process some code runs in Kernel mode, but mostly under identity of the calling process interrupts, DPCs and file cache are executing without user context Every process runs under a user identity SYSTEM, Network Service, Local Service, local user, domain user Access permissions are always checked there is no root superuser as in unix
User Identity User identity is represented as a SID NT Authority\SYSTEM = S-1-5-18 NT Authority\Local Service = S-1-5-19 NT Authority\Network Service = S-1-5-20 BUILTIN\Administrators = S-1-5-32-544 BUILTIN\Users = S-1-5-32-545 local user = S-1-5-21-LocalSID-RID domain user = S-1-5-21-DomainSID-RID Every process gets its own copy of an Access Token list of user s SID and SIDs of his groups created by LSASS.exe (Local Security Authority)
Access Token Memory structure that contains user SID and the SIDs of his groups identified by its Logon Session ID Inherited by child processes Cached after a successful interactive logon in registry HKLM\Security\Cache Policy: Number of Previous Logons to Cache Limitted to 1025 SIDs
Tools for Access Token WHOAMI /ALL built into Vista/2008 and newer member of Support Tools for 2003/xp and older PROCEXP Process Explorer download from http://live.sysinternals.com PSEXEC download from http://live.sysinternals.com ADUC Attribute Editor Active Directory Users and Computers console Select View Advanced Features Can show user and group SIDs in AD
System SIDs Some SIDs are added automatically INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON Everyone, Authenticated Users, This Organization, NTLM Authentication
Everyone vs. Authenticated Users Windows 2000- Everyone = Authenticated Users + Anonymous Logon Windows XP+ Everyone = Authenticated Users can be changed back in security policy Let Everyone permissions apply to Anonymous Users
Dkuji za pozornost Ing. Ond ej eve ek | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com | www.sevecek.com | GOPAS: info@gopas,cz| www.gopas.cz| www.facebook.com/P.S.GOPAS
Kurzy v potaov kole GOPAS http://www.gopas.cz GOC175 - Advanced Windows Security GOC171 - Active Directory Internals and Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI Deployment GOC169 - ISO 2700x in Windows Environment CHFI - Computer Hacking Forensic Investigator
