Windows NT Security Theory and Practice


Release date:2002-06-11

Ruediger R. Asche

Microsoft Developer Network Technology Group

Summary

This is the first article in a series of technical papers that describe the implementation and programming of a C++ class layer encapsulating the Windows NT security application programming interface (API). The series consists of:

"Windows NT Security in theory and practice" (Introduction)

"The guts of security" (security class level implementation)

"Security bits and pieces" (sample program structure)

"A homegrown RPC mechanic" (describes the remote communication used by the sample program)

In this article, we discuss Windows NT security at a very high level.

Introduction

Security ought to be easy to implement in an operating system, right? All that should be needed to specify a security level for any object is a simple function call such as GrantAccessTo or DenyAccessTo, right?

Unfortunately, the Windows NT security application programming interface (API) is not that simple. It contains a great many security-related functions, and the work involved in opening an object on behalf of a user is quite complicated.

To use the security API correctly, you need to understand it on several levels:

The first level is the data structures: access control lists (ACLs), access control entries (ACEs), security descriptors (SDs) and security IDs (SIDs).

The second level is the semantics of ACLs (though not necessarily how they work internally). An ACL built from the same ACEs in a different order may allow or deny access to the same user.

The third level is how the operating system uses security. The security API can be understood as a set of services that a server application uses to protect objects from access by unauthorized users and to have access attempts recorded, and the way an application asks for either service is the same.

When these services are used only by third-party applications, it is fairly easy to see how security works. Windows NT, however, is itself a secure operating system, and Windows NT-based networks depend heavily on security. As a result, the way security is woven into the system can be hard to see.

Who needs security?

Before going into any detail, it is worth clarifying why security is needed at all. Unless the following applies to you, you do not need to worry about security:

You are writing a server application, that is, an application that can be accessed by several users, and the application should make some of its data structures available to only a subset of those users.

Note that this is a fairly broad definition. The following are examples of programs that meet it.

On a single machine (a computer without a network connection), a service is written that runs continuously from the time Windows NT starts, while multiple users log on to and off the computer. The information the service provides is visible to only a few users; for example, collected usage patterns or logon data might be restricted to administrators.

Many privileges are restricted at the system level. For example, the system registry is protected so that only users with special privileges can add a device driver to the system. One reason is security: a malicious user could exploit a device driver's ability to monitor user input to steal other users' work. Security also helps system stability. Imagine an unauthorized user installing a crude device driver; while other users are working, that driver may crash the system. By limiting the right to register a new device driver to trusted users, Windows NT computers are protected from this situation.

Many server programs that work on a network, as well as standalone servers, benefit from some sort of hook-up with the security system. For example, a database server may serve several users at the same time, and some users must not be allowed to view certain data. Suppose everyone in a company can query the employee database: administrators need access to all employee information, while everyone else should see only job titles and office numbers. If the sensitive fields are restricted to access by administrators, everyone in the company can use the same database without compromising security and confidentiality.

Security micro view

One problem with security is that using the security API is nothing new or exciting. Other people's code can rotate teapots, display animations in a window, bring up the cool Windows 95 controls, send data back and forth through MAPI, and so on; security programming, by contrast, is always a chore.

Although the Windows NT security implementation is very complex, at the micro level it is relatively simple. Each Windows NT domain (or domain group) stores a database of the users the domain knows about. A user who wants to work in a Windows NT domain must first prove his or her identity with a user name and password. Once the security system has verified the password, the user is associated with an access token, an internal data structure that identifies the user.

The first thing to know about Windows NT security is that it is user-centered. Every line of code that accesses a protected object must be associated with a particular user, and that user must have proved his or her identity with a password. Every security check depends on user authentication. For example, it is impossible to write code that prevents Microsoft Excel from accessing an object; what you can do is protect an object from being accessed by Joe Blow running Microsoft Excel. If Carla VIP is allowed to access the object, she can do so from Microsoft Excel or from any other client, as long as Carla has proved her identity to the client with a password known only to her.

Although the security API looks complicated, it performs only two tasks:

Auditing: a log entry is generated every time a specific operation is attempted on a specific object.

Restricting object access: a function called by the client program may succeed, fail with error code 5 (access denied), or fail for some other reason, depending on how the server has assigned privileges.

The user may never see the error code directly, only a dialog box that says, "You do not have the privilege to remove the eggs from the carton." The program behind that dialog box might contain code such as:

    if (!RemoveEggsFromCarton() && GetLastError() == ERROR_ACCESS_DENIED)
        AfxMessageBox("You do not have the privilege to remove the eggs from the carton");

Security Mechanism

Windows NT uses two mechanisms that can cause an access to fail with error 5: checking permissions and checking privileges. A permission is the right to perform an action on an object, such as the permission to suspend a thread or to read a file. Permissions are always associated with a specific object and a known user. For example, the permission to read a file must be associated both with a file (the permission applies to this file) and with a user who has or does not have it. Similarly, the permission to suspend a thread is meaningless unless it is associated with a specific thread and user.

Privileges are predefined permissions for system operations. Examples of privileged operations are debugging programs, backing up and restoring storage devices, and loading drivers. Privileges are user-centered, not object-centered.

To make the distinction clearer, look at the data structures that implement permissions and privileges. Permissions are specified in a data structure called an access control list (ACL). An ACL is usually associated with an object, whereas a user is represented by an access token. When a user tries to access a protected object, the access token is checked against the object's ACL. The access token contains a unique identifier for the user (the security ID, or SID), and each permission in the ACL refers to a SID; this is how the security subsystem knows which permissions belong to which user.

Privileges, on the other hand, are encoded in the access token, so there is no associated object. To determine whether a user may perform a privileged operation, the security subsystem checks only the access token.

Furthermore, a permission requires a description of the action (what is the permission for? reading a file, say, or suspending a thread), which a privilege does not (the user either holds the privilege or does not). The action a privilege covers is implied by the privilege itself.

The reason privileges are encoded in the access token is that most privileges are not tied to any particular object's security. For example, a backup user must be able to bypass file security; adding a new ACE to every file on the hard disk to let that user read it is not feasible. Instead, the backup code first checks whether the user attempting the backup holds the backup privilege; if so, the security of individual files is ignored.

The set of privileges associated with access tokens is hard-coded into the security system and cannot be extended by applications. Server programs can implement custom security rules using specific permissions and generic mapping.

There are two types of ACL: the discretionary ACL (DACL) and the system ACL (SACL). The DACL controls access to the object; the SACL controls auditing.

Access Control

In most cases, error 5 is generated internally by a Win32 function unique to Windows NT called AccessCheck. Its inputs include the user's access token, the requested access rights, and the ACL. An ACL is essentially a list of small data structures (called access control entries, or ACEs), each of which names a user or a group of users, a set of permissions, and whether those permissions are allowed or denied. For example, one ACE in an ACL may say, "the permission to take eggs from the carton is explicitly denied to the users Elephant and Bozo," and the following ACE may say, "the permission to take eggs from the carton is explicitly granted to the user Betty Crocker and all users in the Chefs group."

An ACL is associated with an object and can be created dynamically by a server program. For example, if a file object has an ACL, then when an application tries to open the object, the ACL is consulted to determine whether the user running the application is allowed to open the file.
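The ordering rule described at the second level above, applied to the egg-carton ACEs just quoted, can be made concrete with a small model of the DACL walk. This is an added example, not code from the article or from the Windows NT security API: it uses string SIDs and constructed right bits instead of real SID structures and Win32 calls, and the SID names and Bozo's membership of the Chefs group are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Rights for the article's egg-carton object (constructed bit values). */
#define RIGHT_REMOVE_EGGS 0x1u
#define RIGHT_COUNT_EGGS  0x2u
typedef enum { ACE_ALLOW, ACE_DENY } ace_type_t;
typedef struct { ace_type_t type; const char *sid; uint32_t mask; } ace_t; /* one ACE */
typedef struct { const ace_t *aces; size_t count; } acl_t;                   /* ordered ACEs */
/* Access token: the user's SID and the group SIDs it carries. */
typedef struct { const char *user; const char **groups; size_t ngroups; } token_t;

static bool token_holds_sid(const token_t *t, const char *sid) {
    if (strcmp(t->user, sid) == 0) return true;
    for (size_t i = 0; i < t->ngroups; i++)
        if (strcmp(t->groups[i], sid) == 0) return true;
    return false;
}

/* Model of the DACL walk: matching ACEs are read in order; a deny covering any requested
 * bit refuses access, an allow contributes its bits; the walk stops when all are granted. */
bool access_check(const acl_t *dacl, const token_t *tok, uint32_t desired) {
    uint32_t granted = 0;
    for (size_t i = 0; i < dacl->count && granted != desired; i++) {
        const ace_t *ace = &dacl->aces[i];
        if (!token_holds_sid(tok, ace->sid)) continue;      /* ACE names someone else */
        if (ace->type == ACE_DENY && (ace->mask & desired)) return false;
        if (ace->type == ACE_ALLOW) granted |= ace->mask & desired;
    }
    return granted == desired;   /* reaching the end without every bit means denied */
}

/* The article's ACL (Bozo and Elephant denied, then Betty and the Chefs group allowed),
 * and the same ACEs with the Chefs allow moved in front of the denies. */
static const ace_t deny_first[] = {
    { ACE_DENY,  "S-bozo",     RIGHT_REMOVE_EGGS },
    { ACE_DENY,  "S-elephant", RIGHT_REMOVE_EGGS },
    { ACE_ALLOW, "S-betty",    RIGHT_REMOVE_EGGS | RIGHT_COUNT_EGGS },
    { ACE_ALLOW, "S-chefs",    RIGHT_REMOVE_EGGS },
};
static const ace_t allow_first[] = {
    { ACE_ALLOW, "S-chefs",    RIGHT_REMOVE_EGGS },
    { ACE_DENY,  "S-bozo",     RIGHT_REMOVE_EGGS },
    { ACE_DENY,  "S-elephant", RIGHT_REMOVE_EGGS },
    { ACE_ALLOW, "S-betty",    RIGHT_REMOVE_EGGS | RIGHT_COUNT_EGGS },
};

/* Bozo, who is also a member of Chefs, asks to remove eggs under each ordering. */
bool bozo_may_remove_eggs(bool chefs_allow_first) {
    const char *groups[] = { "S-chefs" };
    token_t bozo = { "S-bozo", groups, 1 };
    acl_t dacl = { chefs_allow_first ? allow_first : deny_first, 4 };
    return access_check(&dacl, &bozo, RIGHT_REMOVE_EGGS);
}
```

With the denies first Bozo is refused; with the Chefs allow first the walk grants the bit and stops before his deny ACE is ever read.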

The AccessCheck function is called internally by many system functions, such as CreateFile (when a file or a named pipe is opened) and OpenFileMapping. A Win32 server program can also call AccessCheck directly to protect any object it wants to protect.

Note that the security API functions are called only by server programs. Clients do not need, and never directly use, the security API; the only thing a client ever sees of Windows NT security is error 5. This means Windows NT security does not have to consider the software the client is running. The server must identify the client against the domain's security database and translate the requests it receives from the client into calls to server-side functions, each of which either calls AccessCheck implicitly or decides, based on the output of a server-side AccessCheck, whether to return its results.

The confusing part of Windows NT security is that the calls to AccessCheck can be quite hidden. For example, the way Windows NT controls the installation of device drivers is a rather vague concept: when a user tries to add a device driver, which object is the user accessing? Where does the system call AccessCheck, and where does the error message shown to the user come from?

In the device driver example, the answer is not too difficult. Device drivers are loaded through the registry (Windows NT walks a registry subtree, interprets each entry, and tries to start the driver specified by each individual registry key), so the protected object is the registry key, which in Windows NT is a securable object. At the Win32 API layer, every attempt to operate on the registry is translated into a registry call such as RegOpenKey, which internally calls AccessCheck.

Besides registry protection, the driver's binary file also raises a security issue. A hacker who has been denied access to the registry could still replace the original driver executable with a copy that has extra features added. That does not require access to the registry, so how does Windows NT prevent it? Quite simply: the driver binary is stored on an NTFS partition and access to it is restricted. Any attempt to replace the driver binary is therefore an attempt to call DeleteFile or CreateFile at the Win32 API layer, which AccessCheck inevitably catches, and the malicious hacker is out of luck.

Other securable objects provided by the system may be harder to describe. For example, how are users prevented from accessing a protected network share? How is the Service Control Manager on a remote computer prevented from being opened? How does the system layer make Windows NT impregnable, so that even calls to the security functions themselves can fail with error 5, access denied? Imagine what would happen if an application could freely manipulate an object's ACL or an access token, or call any security function at will: it could simply modify entries in the ACL or the token to bypass security. There must therefore be some "meta-security", a mechanism that protects the security features themselves from misuse. How is it implemented?

One consequence of an AccessCheck-based security implementation is that security depends heavily on an architecture in which securable objects can be reached only through well-known entry points. For example, the file system in the Windows 3.1 family of operating systems had many different entry points: interrupt 21h (interaction with the file system), interrupt 13h (interaction with the disk device driver), and several C runtime library and Windows API functions (such as OpenFile and _fopen) that provide file system access. From a security point of view, it is useless to call a function such as AccessCheck inside the implementation of OpenFile when an application can call _fopen to bypass file security. Only if all the different ways of opening a file are funnelled through one "secure" call can the check work; if one path performs the security check and another does not, there is a security hole.

In 16-bit Windows, this "open file system" architecture was the main headache for companies selling encryption software and hardware.

When writing a secure server program, the design of the program is absolutely critical: every path by which a client could reach the key data must be blocked. One of the challenges of a secure system is making the key data impregnable. This can be a very complex task; as the preceding example shows, protecting the device drivers alone is not enough to protect the entire computer.

Access permission types

Using the security API, the system can help control access to almost any type of object. But what does "access" mean? Is it the kind of access that occurs when a database field is read, or something completely different, such as access to another window's message loop?

This is why "access" is used so broadly in the security API. Rather than hard-coding access types such as "open", "close" and "read", Windows NT defines access as a mask, a set of bits. The security subsystem matches the bits in the user's access mask against the bits in the object's access mask. For example, this lets us design an employee database in which administrators can read and write the salary and bonus information, managers can read it but not write it, and everyone else can neither read nor write it.

In the same way, applications can define their own access types. For example, a program that wants to protect an OpenGL object (in the sense that several users can call a function to operate on the object on the screen) can define a unique access right for each operation the object supports (such as rotate, stretch, bounce and move) and grant each user who needs to work on the image a unique subset of those rights.

The security API works with three groups of rights:

Standard rights, which provide the same operations for every object type.

Specific rights, which are particular to each object type. Two different object types may have the same bit set in their access masks but interpret it differently.

Generic rights, coarse placeholders (such as GENERIC_READ and GENERIC_WRITE) that apply to almost all object types but mean something different for each. Generic rights are mapped onto standard and specific rights. This mechanism lets a server establish the notions of "read" and "write" without actually defining the operations: the server program can work with generic rights whether it is reading or writing a file or a database object, and the object type determines how the access rights are translated into specific rights.
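The generic mapping just described, as an added example that is not part of the article or of Win32: the generic, standard and file bit values match winnt.h, while the employee-record object type and its REC_* rights are constructed to model the article's employee database, and the grants for each role are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Generic, standard and file-specific right bits, with the values winnt.h uses. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define READ_CONTROL    0x00020000u
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define SYNCHRONIZE     0x00100000u
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define FILE_ALL_ACCESS      0x001F01FFu

/* Constructed specific rights for a hypothetical employee-record object type. */
#define REC_READ_TITLE   0x0001u   /* job title and office number */
#define REC_READ_SALARY  0x0002u   /* salary and bonus information */
#define REC_WRITE_SALARY 0x0004u
#define REC_ALL_ACCESS   (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x0007u)

/* Same shape as Win32's GENERIC_MAPPING: what each generic bit means for one object type. */
typedef struct { uint32_t read, write, execute, all; } generic_mapping_t;

static const generic_mapping_t file_mapping   = { FILE_GENERIC_READ, FILE_GENERIC_WRITE,
                                                  FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS };
static const generic_mapping_t record_mapping = { READ_CONTROL | REC_READ_TITLE | REC_READ_SALARY,
                                                  READ_CONTROL | REC_WRITE_SALARY,
                                                  READ_CONTROL, REC_ALL_ACCESS };

/* What MapGenericMask does: replace each generic bit by the object type's own bits. */
uint32_t map_generic_mask(uint32_t mask, const generic_mapping_t *m) {
    if (mask & GENERIC_READ)    mask = (mask & ~GENERIC_READ)    | m->read;
    if (mask & GENERIC_WRITE)   mask = (mask & ~GENERIC_WRITE)   | m->write;
    if (mask & GENERIC_EXECUTE) mask = (mask & ~GENERIC_EXECUTE) | m->execute;
    if (mask & GENERIC_ALL)     mask = (mask & ~GENERIC_ALL)     | m->all;
    return mask;
}

/* A server-side check: map the caller's request, then require every mapped bit to be
 * present in the mask the ACL grants this caller. Generic bits are never compared directly. */
bool request_satisfied(uint32_t requested, uint32_t granted_by_acl, const generic_mapping_t *m) {
    uint32_t wanted = map_generic_mask(requested, m);
    return (granted_by_acl & wanted) == wanted;
}

/* The article's employee database: administrators get everything, managers may read but
 * not write salary data, everyone else sees only the title and office number. */
#define ADMIN_GRANT   REC_ALL_ACCESS
#define MANAGER_GRANT (READ_CONTROL | REC_READ_TITLE | REC_READ_SALARY)
#define OTHERS_GRANT  (READ_CONTROL | REC_READ_TITLE)
```

The same GENERIC_READ request resolves to 0x120089 on a file and to READ_CONTROL plus the two REC_READ_* bits on a record, which is why the server can speak of "read" without knowing the object type.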
