Windows Security Architecture

The document discusses the key components of the Windows security architecture: Local Security Authority (LSA), Security Account Manager (SAM), and Security Reference Monitor (SRM). LSA authenticates users and maintains security policies. SAM stores user names and passwords. SRM controls access to objects by validating requests. The document also covers other security aspects like Kerberos, certificates, Encrypting File System (EFS), digital signatures, and Active Directory. It concludes with recommendations for strong user passwords and other security best practices.

Uploaded by

Akash Boaz
Copyright
© Attribution Non-Commercial (BY-NC)
Windows Security Architecture

Akash Boaz (11030241147), Anshul R Mathur (11030241101), ManojKumar (11030241046), Smruti Priyadarsini (11030241047)

Components of Windows Security Architecture

There are three components of Windows Security:

LSA (Local Security Authority)
SAM (Security Account Manager)
SRM (Security Reference Monitor)

LSA (Local Security Authority)

LSA is the central part of NT security.

It is also known as the Security Subsystem.

The Local Security Authority, or LSA, is a key component of the logon process in both Windows NT and Windows 2000.

In Windows 2000, the LSA is responsible for validating users for both local and remote logons.

The LSA also maintains the local security policy.

How LSA Works

During a local logon to a machine, a person enters his name and password in the logon dialog.

This information is passed to the LSA, which then calls the appropriate authentication package.

The password is converted to a non-reversible form using a one-way hash function, so the clear-text password itself is never stored or compared.

The LSA then queries the SAM database for the user's account information.

If the hashed password provided matches the one stored in the SAM, the SAM returns the user's SID and the SIDs of any groups the user belongs to.

The LSA then uses these SIDs to generate the security access token.

Windows 2000/2003/XP Professional can use various technologies to authenticate a network user's logon request: Kerberos and certificates.

Kerberos

Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity.

Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric-key cryptography and requires a trusted third party; optionally it may use public-key cryptography, employing asymmetric keys during certain phases of authentication.

Kerberos uses port 88 by default.

Certificates

A certificate is a statement verifying the identity of a person or the security of a Web site.

Internet Explorer uses two different types of certificates:

A "personal certificate" is a verification that you are who you say you are. This information is used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity. You control the use of your own identity by holding a private key, known only to you, on your own computer. When used with e-mail programs, security certificates with private keys are also known as "digital IDs."

A "Web site certificate" states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site. When you are sending personal information over the Internet, it is a good idea to check the certificate of the Web site you are using to ensure that it will protect your personally identifiable information.

SAM (Security Account Manager)

The Security Accounts Manager is a database in the Windows operating system (OS) that contains user names and passwords.

The SAM is part of the registry and is stored on the hard disk. The SAM service is responsible for making the connection to the SAM database (which contains the available user accounts and groups).

The SAM database can be placed either in the local registry or in Active Directory (if available).

When the service has made the connection, it announces to the system that the SAM database is available, so other services can start accessing it.

SAM (Security Account Manager)

In the SAM, each user account can be assigned a Windows password, which is stored in a hashed (non-reversible) form rather than as clear text.

If someone attempts to log on to the system and the user name and associated password match an entry in the SAM, a sequence of events takes place that ultimately allows that person access to the system.

If the user name or password does not match any entry in the SAM, an error message is returned requesting that the information be entered again.

When you create a new user account with a password, it is stored in the SAM file.

The Windows security files are located at C:\Windows\System32\Config\SAM

From the moment the operating system starts, the SAM file is locked and becomes inaccessible to users and programs.
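The logon sequence from the "How LSA Works" slide together with the SAM matching described above, as an added Python example that is not part of the original presentation. The SAM is a constructed dictionary, salted SHA-256 stands in for the real NT hash, and the lockout threshold is an assumed policy value included to show the "block the account on repeated wrong passwords" recommendation from the final slides.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5     # constructed policy value: lock after this many consecutive failures
_DUMMY_SALT = os.urandom(16)

@dataclass
class SamEntry:
    salt: bytes
    pw_hash: bytes
    sid: str
    group_sids: list
    failed_logons: int = 0
    locked: bool = False

def one_way(password: str, salt: bytes) -> bytes:
    # Stand-in for the non-reversible form on the slides. The real SAM keeps an unsalted
    # NT hash (MD4 over the UTF-16LE password); salted SHA-256 is used here only to show
    # that the stored value cannot be turned back into the password.
    return hashlib.sha256(salt + password.encode("utf-16-le")).digest()

def add_account(sam: dict, name: str, password: str, sid: str, groups) -> None:
    salt = os.urandom(16)
    sam[name.lower()] = SamEntry(salt, one_way(password, salt), sid, list(groups))

def lsa_logon(sam: dict, name: str, password: str):
    """Logon flow from the slides: hash the supplied password, query the SAM for the
    account, compare, and on success build an access token from the user and group SIDs
    the SAM returns. Unknown name, wrong password or a locked account all yield None."""
    entry = sam.get(name.lower())
    # Hash even for unknown names so response timing does not reveal which accounts exist.
    supplied = one_way(password, entry.salt if entry else _DUMMY_SALT)
    if entry is None or entry.locked:
        return None
    if not hmac.compare_digest(supplied, entry.pw_hash):
        entry.failed_logons += 1
        if entry.failed_logons >= LOCKOUT_THRESHOLD:
            entry.locked = True   # the lockout the recommendations slide asks for
        return None
    entry.failed_logons = 0
    return {"user": entry.sid, "groups": list(entry.group_sids)}

if __name__ == "__main__":
    sam = {}
    add_account(sam, "alice", "Correct-Horse-7", "S-1-5-21-1-2-3-1001", ["S-1-5-32-545"])
    print(lsa_logon(sam, "Alice", "Correct-Horse-7"))   # token with the user and group SIDs
    print(lsa_logon(sam, "alice", "wrong"))             # None
```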

SRM (Security Reference Monitor)

The Security Reference Monitor is a security architecture component that is used to control user requests to access objects in the system.

The SRM enforces access validation and audit generation.

Windows NT forbids direct access to objects.

Any access to an object must first be validated by the SRM.

For example, if a user wants to access a specific file, the SRM will be used to validate the request.

SRM (Security Reference Monitor)

The reference monitor verifies the nature of the request against a table of allowable access types for each process on the system.

By contrast, the Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed with an entirely different architecture and does contain a reference monitor.
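The access validation the SRM performs on a file request, as an added Python example (not from the presentation): a token built from SIDs is checked against a constructed DACL, the "table of allowable access types" of the slide, using real Windows file access-mask bits and well-known group SIDs. The audit list stands in for the SRM's audit generation.

```python
from dataclasses import dataclass

# Real Windows file access-mask bits, used for the requests in this example.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020

@dataclass
class Ace:
    allow: bool   # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str
    mask: int

def srm_access_check(token: dict, dacl, requested: int, audit: list) -> bool:
    """Simplified form of the SRM's DACL walk. ACEs are evaluated in order: a matching
    deny ACE that covers any still-ungranted bit fails the request, allow ACEs accumulate
    granted bits, and the request passes only once every requested bit has been granted.
    Owner-implied rights and SACL-driven audit policy are left out."""
    if dacl is None:
        granted = True                # NULL DACL: the object is unprotected
    else:
        principals = {token["user"], *token["groups"]}
        remaining = requested
        for ace in dacl:
            if ace.sid not in principals:
                continue
            if not ace.allow and ace.mask & remaining:
                break                 # an explicit deny wins
            if ace.allow:
                remaining &= ~ace.mask
            if remaining == 0:
                break
        granted = remaining == 0      # an empty DACL grants nothing
    audit.append({"user": token["user"], "requested": hex(requested), "granted": granted})
    return granted

# Constructed DACL for a file. Well-known group SIDs: Administrators S-1-5-32-544,
# Users S-1-5-32-545, Guests S-1-5-32-546.
SAMPLE_DACL = [
    Ace(False, "S-1-5-32-546", FILE_WRITE_DATA),                                # deny Guests write
    Ace(True, "S-1-5-32-545", FILE_READ_DATA | FILE_EXECUTE),                    # allow Users read, execute
    Ace(True, "S-1-5-32-544", FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE),  # allow Administrators all
]
```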

Windows User Account Architecture

User account passwords are stored in the SAM in hexadecimal form, as hashes.

Once a password has been converted to a hash, it cannot be converted back to clear text.

Security for stored data

Digital Signatures and Driver Signing
Windows File Protection
Encrypting File System (EFS)

Digital Signatures and Driver Signing

A digital signature is an electronic security mark that can be added to files. It allows you to verify the publisher of a file and helps verify that the file has not changed since it was digitally signed.

Microsoft applies a digital signature to the core operating system files and the drivers that it ships with Windows, and to files and drivers released subsequently.

Driver signing has three behaviours, Ignore, Warn and Fail, which take effect upon an attempt to install a new driver.

Windows File Protection

The Guardian Angel

The Windows 2000/2003/XP approach is to run a file system "guardian angel" in the background. The guardian angel watches over system files that live in the system root folder and have the extensions DLL, EXE, FON, OCX, SYS, and TTF.

When this guardian angel detects that a program has updated (or, in some cases, backdated!) one of these files, it tries to automatically restore the original version of the file, typically from the hip-pocket folder %systemroot%\SYSTEM32\DLLCACHE. If the file is not in DLLCACHE or in the driver archive %systemroot%\Driver Cache\I386\DRIVER.CAB, then the guardian angel pops up a window asking you to supply the original installation media.
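A minimal model of the guardian angel, added here as a Python example rather than taken from the presentation. It runs in a temporary directory with constructed files, and it uses a recorded hash baseline where the real Windows File Protection verifies files against signed catalogs; the check that the DLLCACHE copy itself matches the baseline is the part a tampered cache would otherwise defeat.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

PROTECTED_EXT = {".dll", ".exe", ".fon", ".ocx", ".sys", ".ttf"}   # extensions named on the slide

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def take_baseline(system_root: Path) -> dict:
    """Record the known-good hash of every protected file in the system folder."""
    return {p.name: digest(p) for p in system_root.iterdir() if p.suffix.lower() in PROTECTED_EXT}

def guardian_angel(system_root: Path, dllcache: Path, baseline: dict) -> dict:
    """One pass of the watcher. For each protected file: 'ok' if unchanged, 'restored' if
    it was put back from DLLCACHE, 'needs_media' if no pristine copy was available."""
    outcome = {}
    for name, good in baseline.items():
        target = system_root / name
        if target.exists() and digest(target) == good:
            outcome[name] = "ok"
            continue
        cached = dllcache / name
        if cached.exists() and digest(cached) == good:   # the cached copy must itself be pristine
            shutil.copy2(cached, target)
            outcome[name] = "restored"
        else:
            outcome[name] = "needs_media"                # where Windows prompts for install media
    return outcome

def demo():
    """Constructed scenario: one modified file with a cache copy, one deleted file with
    no cache copy, one untouched file. Returns the outcome of two successive passes."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "system32"            # stands in for %systemroot%\SYSTEM32
    cache = system32 / "dllcache"           # stands in for %systemroot%\SYSTEM32\DLLCACHE
    cache.mkdir(parents=True)
    for name in ("kernel32.dll", "notepad.exe", "ntfs.sys"):
        (system32 / name).write_bytes(b"original " + name.encode())
    (cache / "kernel32.dll").write_bytes(b"original kernel32.dll")
    baseline = take_baseline(system32)
    (system32 / "kernel32.dll").write_bytes(b"replaced by some installer")   # updated behind WFP's back
    (system32 / "notepad.exe").unlink()                                      # removed, not cached
    first = guardian_angel(system32, cache, baseline)
    second = guardian_angel(system32, cache, baseline)
    return first, second
```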

Encrypting File System (EFS)

EFS is a public key encryption method, meaning that a public key is used to encrypt a file and a private key is used to decrypt it.

Encrypt a folder by right-clicking it in Windows Explorer, choosing Properties, clicking the Advanced button, and checking the Encrypt Contents to Secure Data box.

After you encrypt a folder, you can only access that folder and its contents when you log on with the same user account and password that you used when you originally encrypted the folder.

A user may forget an account password after having created encrypted files under that account. If that happens, the recovery agent has a private key that will unlock an encrypted file.

Active Directory

Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.

Server computers on which Active Directory is running are called domain controllers.

Active Directory serves as a central location for network administration and security.

It is responsible for authenticating and authorizing all users and computers within a Windows domain network, assigning and enforcing security policies for all computers in the network, and installing or updating software on network computers.

Active Directory uses Kerberos and DNS.

Recommendation

Users must use a strong password:
Must not contain any part of the user's account name
Must have a minimum of eight characters
Must contain characters from at least three of the following categories:
Non-alphanumeric symbols ($,:%@!#)
Numbers
Uppercase letters
Lowercase letters
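An added Python check for the password rules listed above (example code, not part of the presentation). Splitting the account name into parts of three or more characters is the tokenisation Windows applies in its complexity check, and is assumed here to be the intended reading of "any part of the account name".

```python
import re

# Delimiters Windows uses when splitting a name into parts for the complexity check.
ACCOUNT_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")

def password_failures(account_name: str, password: str) -> list:
    """Check a candidate password against the rules on the slide and return the rules
    it fails (an empty list means the password is acceptable)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    # "Must not contain any part of the user's account name": the whole name plus each
    # delimiter-separated part, only parts of three or more characters, case-insensitively.
    tokens = [account_name] + ACCOUNT_NAME_DELIMS.split(account_name)
    parts = {t.lower() for t in tokens if len(t) >= 3}
    hits = sorted(p for p in parts if p in password.lower())
    if hits:
        failures.append("contains account name part(s): " + ", ".join(hits))
    categories = {
        "uppercase letters": re.search(r"[A-Z]", password) is not None,
        "lowercase letters": re.search(r"[a-z]", password) is not None,
        "numbers": re.search(r"[0-9]", password) is not None,
        "non-alphanumeric symbols": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    if sum(categories.values()) < 3:
        present = ", ".join(name for name, found in categories.items() if found)
        failures.append("fewer than three character categories (has: " + present + ")")
    return failures
```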

Recommendation (Contd.)

Disable all guest accounts and system accounts.
Enable auditing (to track log-in and log-out events).
Remove all shared folders; worms spread through them.
Depending on requirements, disable mass storage devices on systems, as viruses spread through them.
Lock the account if a wrong password is entered repeatedly.
Require passwords to be changed at short, regular intervals.
Always use an account with least privileges instead of the administrator account.
