User Identity and Access Tokens in Windows Security

Advanced Windows Security: User Identity
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator
ondrej@sevecek.com | www.sevecek.com
 
Courses at the GOPAS computer school (http://www.gopas.cz)
GOC175 - Advanced Windows Security
GOC171 - Active Directory Internals and Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC169 - ISO 2700x in Windows Environment
CHFI - Computer Hacking Forensic Investigator
User identity, SID and access token
Advanced Windows Security
 
Windows Processes
Everything runs as a process
  some code runs in kernel mode, but mostly under the identity of the calling process
  interrupts, DPCs and the file cache execute without a user context
Every process runs under a user identity
  SYSTEM, Network Service, Local Service, local user, domain user
Access permissions are always checked
  there is no root superuser as in Unix
 
User Identity
User identity is represented as a SID
  NT Authority\SYSTEM = S-1-5-18
  NT Authority\Local Service = S-1-5-19
  NT Authority\Network Service = S-1-5-20
  BUILTIN\Administrators = S-1-5-32-544
  BUILTIN\Users = S-1-5-32-545
  local user = S-1-5-21-LocalSID-RID
  domain user = S-1-5-21-DomainSID-RID
Every process gets its own copy of an Access Token
  list of the user's SID and the SIDs of his groups
  created by LSASS.exe (Local Security Authority)
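As an added example (not part of the slides), the following Python decodes the binary SID layout that AD stores in objectSid and that tools such as the ADUC Attribute Editor display, and classifies the result against the SIDs listed above. The logon-type and system SIDs in the table (S-1-1-0, S-1-5-4 and so on) are taken from Microsoft's well-known SID list rather than from the slide; the domain SID used in the comments is constructed.

```python
import struct

# Well-known SIDs: names as used on the slides, values from Microsoft's
# well-known SID list (only the NT AUTHORITY and BUILTIN ones are on the slide).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-3": "BATCH",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-14": "REMOTE INTERACTIVE LOGON",
    "S-1-5-15": "This Organization",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-64-10": "NTLM Authentication",
}

def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary SID layout: revision (1), sub-authority count,
    48-bit big-endian identifier authority, then little-endian uint32 sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes, for the string form shown on the slide."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def classify(sid: str) -> str:
    """Name a well-known SID, or split an S-1-5-21-<machine/domain>-RID account SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if parts[1:4] == ["1", "5", "21"] and len(parts) == 7:
        return "local machine or domain SID"
    if parts[1:4] == ["1", "5", "21"] and len(parts) == 8:
        domain, rid = "-".join(parts[:7]), int(parts[7])
        kind = "built-in" if rid < 1000 else "created"   # RIDs below 1000 are reserved
        return "%s account RID %d in %s" % (kind, rid, domain)
    return "unknown SID"
```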
 
Access Token
Memory structure that contains the user SID and the SIDs of his groups
  identified by its Logon Session ID
Inherited by child processes
Cached after a successful interactive logon in the registry
  HKLM\Security\Cache
  Policy: Number of Previous Logons to Cache
Limited to 1025 SIDs

Access Token Cache Limit
Tools for Access Token
WHOAMI /ALL
  built into Vista/2008 and newer
  member of Support Tools for 2003/XP and older
PROCEXP
  Process Explorer
  download from http://live.sysinternals.com
PSEXEC
  download from http://live.sysinternals.com
ADUC Attribute Editor
  Active Directory Users and Computers console
  Select View – Advanced Features
  Can show user and group SIDs in AD
 
System SIDs
Some SIDs are added automatically
  INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON
  Everyone, Authenticated Users, This Organization, NTLM Authentication
 
Everyone vs. Authenticated Users
Windows 2000 and earlier
  Everyone = Authenticated Users + Anonymous Logon
Windows XP and later
  Everyone = Authenticated Users
  can be changed back in security policy: Let Everyone permissions apply to Anonymous Users
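An added toy model (not Windows code and not from the slides) of what that policy changes: the SID set an anonymous and an authenticated logon receive in their token, and a first-match DACL walk over it. The model ignores access-mask accumulation; the SID values for Everyone, Authenticated Users, ANONYMOUS LOGON and the logon types are Microsoft's well-known SIDs, and the account SIDs in the test are constructed.

```python
# Simplified model of token membership and DACL evaluation, for illustration only.
EVERYONE, AUTH_USERS, ANONYMOUS = "S-1-1-0", "S-1-5-11", "S-1-5-7"
LOGON_SIDS = {"interactive": "S-1-5-4", "network": "S-1-5-2",
              "batch": "S-1-5-3", "remote interactive": "S-1-5-14"}

def build_token(user_sid, groups, logon_type, anonymous=False,
                everyone_applies_to_anonymous=False):
    """SID set a token would carry: the user, its groups, the logon-type SID and
    the automatically added system SIDs. Windows 2000 behaviour corresponds to
    everyone_applies_to_anonymous=True; XP and later default to False and can be
    switched back with the security policy named on the slide."""
    sids = {user_sid, *groups, LOGON_SIDS[logon_type]}
    if anonymous:
        sids.add(ANONYMOUS)
        if everyone_applies_to_anonymous:
            sids.add(EVERYONE)
    else:
        sids.update({AUTH_USERS, EVERYONE})
    return frozenset(sids)

def is_allowed(token, dacl):
    """First-match walk over (ace_type, sid) pairs with ace_type 'allow' or 'deny'.
    In a canonically ordered DACL deny ACEs come first, so a matching deny wins."""
    for ace_type, sid in dacl:
        if sid in token:
            return ace_type == "allow"
    return False   # an empty or non-matching DACL grants nothing
```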
 
Everyone vs. Authenticated Users
 
Thank you for your attention
 
 
 
Slide Note

The module covers the principles by which the identity of user accounts is represented on the Windows platform. It goes through the details of how the access token memory structure is created, in which the SIDs (security IDs) of the user account, of all its groups (including nested ones) and of further system SIDs are stored. The access token serves as the identity of the processes through which the user communicates with the system and accesses its resources, such as files and registry keys, or SQL databases. Running processes under local and domain user accounts is compared with running them under the system accounts (NT AUTHORITY) such as SYSTEM, Network Service and Local Service. It explains how process identity is inherited from the parent process into the processes the parent spawns. The differences between system SIDs such as Authenticated Users and Everyone are defined precisely.


Delve into the intricate world of user identity and access tokens in Windows security. Explore how user identities are represented, the structure of access tokens, and the significance of processes running under different user contexts. Gain insights into advanced Windows security principles and learn about tools for security enhancements.

Uploaded on Sep 20, 2024


