Microsoft Windows Security Services Overview
How are security services integrated into the Windows Server architecture?
[Diagram: Windows Server architecture]
User mode: Win32 application, Win32 subsystem, Security subsystem, Plug & Play manager
Kernel mode: Executive services (I/O Manager, Memory Manager, P&P Manager, Power Manager, Process Manager, Security Reference Monitor, Windows Manager, IPC Manager, File System, Graphics Device Driver, Object Manager), Device Driver, Microkernel, Hardware Abstraction Layer, Hardware
Two access mode system: security is split between user mode and kernel mode.
- User mode is made up of a set of components referred to as subsystems. A subsystem passes I/O requests to the appropriate kernel mode driver. The subsystems focus on end users and applications.
- Kernel mode has access to system data and hardware. Kernel mode provides direct access to memory.
- This split ensures that a user-level process is unable to corrupt the lower-level system drivers that are located at kernel level.
- The Active Directory service runs in the Security subsystem.
- But actual enforcement of security takes place at the Security Reference Monitor in kernel mode.
- Integration of A.D. with the Security subsystem ensures that security can exist in Windows Server.
- You can protect all access by combining: authentication, the security principal, and the necessary permission to perform the task.
- The Security subsystem performs the authorization task.
[Diagram: the Security subsystem passes the request for authorization to the Security Reference Monitor; the DACL (Discretionary Access Control List) identifies the object being accessed, and each ACE (Access Control Entry) defines the permissions that are assigned to a security principal for that object]
Hardware Abstraction Layer (HAL)
- It hides the hardware interface details, making Windows Server more portable across different hardware architectures.
- The HAL is implemented as a dynamic-link library (.dll).
- It is responsible for all hardware-level, platform-specific support needed by every component in the system.
Security Subsystem Components
Security subsystem components run within the Local Security Authority process, which includes:
- Netlogon service (Netlogon.dll)
- NTLM authentication protocol (Msv1_0.dll)
- SSL authentication protocol (Schannel.dll)
- Kerberos v5 authentication protocol (Kerberos.dll)
- Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
- LSA server service (Lsasrv.dll)
- Security Account Manager (SAM) (Samsrv.dll)
- Directory Service module (Ntdsa.dll)
- Multiple authentication provider (Secur32.dll)
Netlogon service (Netlogon.dll)
- It maintains the computer's secure channel to a domain controller in its domain.
- It passes credentials to the domain controller through the secure channel and returns an access token with security identifiers and user rights.
- It is also responsible for replication of Active Directory data to Windows NT backup domain controllers (in mixed mode only).
NTLM authentication protocol (Msv1_0.dll)
- Used to authenticate clients that are unable to use Kerberos authentication.
- This includes the Windows 95, Windows 98 and Windows NT operating systems.
SSL authentication protocol (Schannel.dll)
- Secure Sockets Layer provides an encryption service at the application layer.
- To use SSL, an application must be coded to recognize and implement SSL.
Kerberos v5 authentication protocol (Kerberos.dll)
- Default authentication protocol used by Windows Server.
- It is based on TGTs (ticket-granting tickets) and service tickets.
Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
- Responsible for issuing a TGT to the client when it initially authenticates with the network.
- The Kerberos security provider uses the KDC service on a domain controller and Active Directory for obtaining TGTs.
LSA server service (Lsasrv.dll)
- The Local Security Authority enforces all defined policies within Active Directory.
Security Account Manager (SAM) (Samsrv.dll)
- It is used on non-domain controllers for storage of local security accounts.
- It also enforces all locally stored policies.
Directory Service module (Ntdsa.dll)
- It supports replication between Windows Server domain controllers.
- It provides LDAP (Lightweight Directory Access Protocol) access to Active Directory and management of the context stored in Active Directory.
Multiple authentication provider (Secur32.dll)
- This SSP (Security Support Provider) supports all security packages available on the system.
- Security packages include Kerberos, NT LAN Manager (NTLM), Secure Channel and Distributed Password Authentication.
LSA Functionality
- Maintains all local security information for a Windows Server based computer.
- It allows users to authenticate interactively with a Windows Server based computer.
- Generates the access token, which contains the security identifiers (SIDs) for the user and all groups.
- It manages local policy, which is overridden if any domain, OU or forest level policy is defined.
- It maintains the audit policy (log and alert for security references by the kernel).
- It builds the list of trusted domains at the interactive logon screen.
- It determines which users have assigned privileges.
- It manages memory quotas.
- It reads the System Access Control List (SACL) for each object to determine what security auditing has been defined for the object.
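The two decisions described on the DACL/ACE slide and in the SACL bullet above, as an added Python model (not Windows code): the Security Reference Monitor's ordered walk of an object's DACL against the caller's token, and the LSA's reading of the SACL to decide whether an audit record is due. The access-mask bits, the user SID and the sample ACLs are constructed for the example; S-1-1-0 (Everyone) and S-1-5-32-545 (Users) are real well-known SIDs.

```python
"""Toy model of the access check made by the Security Reference Monitor (walking
an object's DACL against the caller's token) and of the SACL audit decision.
Added illustration, not Windows code: access-mask bits, the user SID and the
sample ACLs are constructed; S-1-1-0 (Everyone) and S-1-5-32-545 (Users) are
real well-known SIDs."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed access-mask bits (real Windows masks carry many more rights)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass
class Ace:
    kind: str                    # "allow" or "deny" (DACL), "audit" (SACL)
    sid: str                     # trustee this entry applies to
    mask: int                    # rights covered by this entry
    audit_success: bool = False  # SACL only: log granted access
    audit_failure: bool = False  # SACL only: log refused access


@dataclass
class Token:
    """Access token built by the LSA at logon: user SID plus all group SIDs."""
    user_sid: str
    group_sids: Set[str]

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Walk the DACL in order. A missing (null) DACL grants everything and an
    empty DACL grants nothing. A deny ACE for one of the caller's SIDs that
    covers any still-ungranted desired right refuses access; allow ACEs
    accumulate rights until every desired right has been granted."""
    if dacl is None:
        return True
    granted = 0
    callers = token.sids()
    for ace in dacl:
        if ace.kind == "audit" or ace.sid not in callers:
            continue
        remaining = desired & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def audit_matches(token: Token, sacl: Optional[List[Ace]], desired: int, success: bool) -> List[str]:
    """Return the trustee SIDs of SACL entries that fire for this outcome, i.e.
    the audit records the LSA would write."""
    fired = []
    for ace in sacl or []:
        if ace.kind != "audit" or ace.sid not in token.sids() or not ace.mask & desired:
            continue
        if (success and ace.audit_success) or (not success and ace.audit_failure):
            fired.append(ace.sid)
    return fired


def check_and_audit(token: Token, dacl, sacl, desired: int) -> Tuple[bool, List[str]]:
    """Authorization decision first, then the audit decision that depends on it."""
    allowed = access_check(token, dacl, desired)
    return allowed, audit_matches(token, sacl, desired, allowed)


# Constructed sample: a domain user who is a member of Users and Everyone
TOKEN = Token("S-1-5-21-1111-2222-3333-1001", {"S-1-5-32-545", "S-1-1-0"})
# Canonical order puts the deny ACE first so it wins over the broader allow
SAMPLE_DACL = [Ace("deny", "S-1-5-32-545", WRITE),
               Ace("allow", "S-1-1-0", READ | WRITE | EXECUTE)]
# Audit failed write attempts by anyone
SAMPLE_SACL = [Ace("audit", "S-1-1-0", WRITE, audit_failure=True)]

if __name__ == "__main__":
    for want, name in ((READ, "read"), (WRITE, "write"), (READ | WRITE, "read+write")):
        allowed, audits = check_and_audit(TOKEN, SAMPLE_DACL, SAMPLE_SACL, want)
        print(f"{name:10s} allowed={allowed} audit_records_for={audits}")
```

ACE order is the point to notice: with the sample DACL reversed (allow before deny), `access_check(TOKEN, list(reversed(SAMPLE_DACL)), WRITE)` grants the write because every desired right is satisfied before the deny entry is ever reached, which is why Windows keeps DACLs in canonical order with explicit deny entries ahead of allow entries.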
Windows Server security protocols
[Diagram: Windows Server security protocol stack]
Application: Remote file, DCOM app., IE/IIS, Directory-enabled application, Mail/chat/news
Application interface: SMB, Secure RPC, HTTP, LDAP, POP3
Security Support Provider Interface (SSPI)
Security protocol: NTLM, Kerberos, SChannel (SSL/TLS), Distributed Password Authentication
Windows Server supports multiple security protocols.
NTLM
- Windows NT LAN Manager (NTLM) is used to authenticate clients that are unable to use Kerberos authentication.
- This includes the Windows 95, Windows 98 and Windows NT operating systems.
Kerberos
- Default authentication protocol used by Windows Server.
- It is based on TGTs (ticket-granting tickets) and service tickets.
- The Kerberos security provider uses the KDC service on a domain controller and Active Directory for obtaining TGTs.
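The TGT and service-ticket flow named on the Kerberos slides (here and in the Kerberos.dll/KDC slides earlier), as an added Python walk-through that is not Microsoft's Kerberos.dll or Kdcsvc.dll code: an AS exchange that issues a TGT, a TGS exchange that turns the TGT into a service ticket, and the AP exchange in which the service validates the ticket with its own key and no KDC round trip. The sealing construction, realm, principal names, lifetimes and secrets are constructed for the example; pre-authentication, ticket flags and the PAC are left out.

```python
"""Toy walk-through of the Kerberos v5 ticket flow: AS exchange (TGT), TGS
exchange (service ticket) and the AP exchange at the service. Added
illustration, not Microsoft's Kerberos.dll or Kdcsvc.dll: the 'seal'
construction, realm, names, lifetimes and secrets are constructed, and
pre-authentication, ticket flags and the PAC are omitted."""
import hashlib, hmac, json, os, time


def derive_key(secret: str) -> bytes:
    # Constructed stand-in for Kerberos string-to-key (real one uses salted, iterated AES)
    return hashlib.sha256(secret.encode()).digest()


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream (toy, illustrative only)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under this key before looking at the contents."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))


class KDC:
    """Holds the krbtgt key and every principal's long-term key, as the KDC
    service does by reading them from Active Directory."""
    def __init__(self, principals: dict):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.krbtgt = os.urandom(32)

    def as_exchange(self, cname: str, nonce: int, now: float):
        """AS-REQ -> AS-REP: TGT sealed under the krbtgt key, plus the session key
        sealed under the client's own key so only the password holder can read it."""
        skey = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"cname": cname, "skey": skey, "exp": now + 600})
        return tgt, seal(self.keys[cname], {"skey": skey, "nonce": nonce})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        """TGS-REQ -> TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.krbtgt, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["cname"] != t["cname"] or abs(now - a["ts"]) > 300:
            raise PermissionError("authenticator does not match TGT or is stale")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "skey": svc_key, "exp": now + 600})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": svc_key, "sname": sname})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """AP-REQ at the service: the service's own long-term key opens the ticket and
    the session key inside opens the authenticator; the KDC is not contacted."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if now > t["exp"] or a["cname"] != t["cname"]:
        raise PermissionError("service ticket rejected")
    return t["cname"]


def full_logon(password: str) -> str:
    """Run the three exchanges for a constructed client and service; the KDC knows
    the real password, the client tries `password`. Returns the authenticated name."""
    kdc = KDC({"alice@EXAMPLE.COM": "correct horse", "host/files.example.com": "svc-secret"})
    now = time.time()
    tgt, enc_part = kdc.as_exchange("alice@EXAMPLE.COM", nonce=42, now=now)
    reply = unseal(derive_key(password), enc_part)      # fails if the password is wrong
    if reply["nonce"] != 42:
        raise ValueError("AS-REP nonce mismatch (replayed reply)")
    skey = bytes.fromhex(reply["skey"])
    ticket, enc_svc = kdc.tgs_exchange(tgt, seal(skey, {"cname": "alice@EXAMPLE.COM", "ts": now}),
                                       "host/files.example.com", now)
    svc_skey = bytes.fromhex(unseal(skey, enc_svc)["skey"])
    return service_accepts(derive_key("svc-secret"), ticket,
                           seal(svc_skey, {"cname": "alice@EXAMPLE.COM", "ts": now}), now)


def logon_succeeds(password: str) -> bool:
    try:
        return full_logon(password) == "alice@EXAMPLE.COM"
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    print("correct password:", logon_succeeds("correct horse"))
    print("wrong password:  ", logon_succeeds("guess"))
```

Two things the model makes visible: the client never sends its password, it only proves knowledge of the derived key by being able to open the AS-REP, and the file service authenticates the ticket entirely with its own key, which is what lets Kerberos scale without a KDC round trip per connection.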
Distributed Password Authentication (DPA)
- Shared-secret authentication protocol used by MSN.
- Provides you a single account and password to connect to all internet sites that are members of the same internet membership organization.
Secure Channel (Schannel) service
- Provides the ability to authenticate users by using protocols such as SSL and Transport Layer Security (TLS).
- If you use PKI (Public Key Infrastructure), this protocol provides authentication of both client and server.
Security Support Provider Interface (SSPI)
- It isolates applications from having to determine which Windows Server security protocol is used to authenticate the security principal.