5.4.17 vjj 1
Windows Object Security
DAC: logon -> SID -> Access Token -> ACL
Logon security
  local account, Microsoft Account, domain account
  Ctrl+Alt+Del: password, certificate, PIN, biometrics, draw pattern, ...
Windows Kernel Object Security
  files, directories
  Registry
  processes, threads
  semaphores, events
  Active Directory objects
  Group Policy
Windows Object Security
  local: Properties dialog (F10 -> Properties -> Security tab)
  API: functions for Security Descriptor, ACL, ACE
  .NET Framework objects: Security Descriptor, ACL, ACE
  Group Policy: Computer Configuration -> Policies -> Security Settings -> File System
[Diagram] THREAD (SUBJECT's Access Token) -> OBJECT (Security Descriptor)
  Access Token: User SID, User Group SIDs, Logon SID, Privileges, Owner SID, Primary Group SID, Default DACL, Access Token Source, Primary or Impersonation, Restricting SIDs, Impersonation Level (Identify, Impersonate, Delegate)
  Security Descriptor: Owner SID, Group SID, ACL (a list of ACE entries)
Access verification algorithm
  get the object's ACL
  compare the subject's SIDs and the requested access with the ACEs, in order:
    deny ACE encountered -> access denied
    permit ACEs found for all requirements -> access allowed
    end of ACL encountered -> access denied
  no ACL -> no restrictions
Access Token
  User SID - Security ID of the user the process/thread runs as
  User Group SIDs - Security IDs of all groups the user is a member of
  Primary Group SID
  Restricting SIDs - list of restricting SIDs added by CreateRestrictedToken
  Logon SID - identifies the logon session
  Access Token Source
  Primary or Impersonation
  Impersonation Level (Identify, Impersonate, Delegate)
    full delegation requires that the process enables the user's privilege "Act as part of the operating system" (SE_TCB_NAME, "SeImpersonatePrivilege")
    Security Settings / Local Policies / User Rights Assignment / Act as part of the operating system
  Privileges - all privileges granted to the user, either individually or through the groups the user is a member of
  Owner SID - Security ID of the user who will be set as the owner of newly created objects
  Default DACL - the protection applied to newly created objects when none is given explicitly via the Security Descriptor parameter (what is the relationship to the DACL of, e.g., the directory in which a new file is created?)
Access Token: two kinds
  a "primary" token is bound to a process and is the default for every thread of that process
  an "impersonation" token is bound to a thread that is currently impersonating
  in a token you can change:
    the permissions granted to the impersonated user
    the activation of the granted privileges
    the default owner and DACL for kernel objects that a process with this token will create
Owner's permissions: READ_CONTROL, WRITE_DAC
API
  OpenProcessToken - Retrieves a handle to the primary access token for a process.
  OpenThreadToken - Retrieves a handle to the impersonation access token for a thread.
  CreateRestrictedToken - Creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricted SIDs.
  DuplicateToken - Creates a new impersonation token that duplicates an existing token.
  DuplicateTokenEx - Creates a new primary token or impersonation token that duplicates an existing token.
  AdjustTokenGroups - Changes the group information in an access token.
  AdjustTokenPrivileges - Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones.
  SetTokenInformation - Changes a token's owner, primary group, or default DACL.
API
  BOOL WINAPI GetTokenInformation(
    _In_      HANDLE                  TokenHandle,
    _In_      TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_opt_ LPVOID                  TokenInformation,
    _In_      DWORD                   TokenInformationLength,
    _Out_     PDWORD                  ReturnLength
  );
  TOKEN_INFORMATION_CLASS values:
    TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber, TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes, TokenDeviceGroups, TokenRestrictedDeviceGroups, TokenSecurityAttributes, TokenIsRestricted, MaxTokenInfoClass
Access Token in .NET
  IIdentity - authentication
  IPrincipal - authorization
  .NET: WindowsIdentity and WindowsPrincipal objects
  WindowsPrincipal and WindowsIdentity are linked to each other
  token of the current thread: WindowsIdentity.GetCurrent() wraps the token that represents the thread's security context (for a non-impersonating thread)
Identity <-> Principal
  WindowsIdentity myidentity = WindowsIdentity.GetCurrent();
  WindowsPrincipal myprincipal = new WindowsPrincipal(myidentity);
  // Identity returns IIdentity, so cast back to WindowsIdentity
  myidentity = (WindowsIdentity) myprincipal.Identity;
WindowsIdentity
  WindowsIdentity myidentity = WindowsIdentity.GetCurrent();
  WindowsIdentity nullidentity = WindowsIdentity.GetAnonymous();
  myidentity.Name
  myidentity.IsAuthenticated
  myidentity.IsAnonymous
  myidentity.IsGuest
  myidentity.IsSystem
  myidentity.AuthenticationType == "NTLM"
  IntPtr mytoken = myidentity.Token;
WindowsPrincipal
  myprincipal.IsInRole(WindowsBuiltInRole.Administrator)
  Determines whether the (current) principal belongs to the given Windows user group.
Roles: how to create new application-dependent roles?
Roles: System.Web.Security.Roles
  CreateRole(string rolename)
  AddUserToRole(string username, string rolename)
  AddUsersToRole(string[] usernames, string rolename)
  AddUserToRoles(string username, string[] rolenames)
Imperative role-based security
  PrincipalPermission p = new PrincipalPermission("novak", "admins");   // user and role
  PrincipalPermission p = new PrincipalPermission(null, "admins");      // any user in the role
  try {
    p.Demand();   // throws when the current principal does not satisfy the permission
  } catch (SecurityException e) {
  }
Declarative role-based security
  [PrincipalPermission(SecurityAction.Demand, Name = "novak")]
  [PrincipalPermission(SecurityAction.Demand, Name = "novak", Role = "admins")]
  [PrincipalPermission(SecurityAction.Demand, Role = "admins")]
ACL: PowerShell
dir | get-acl | fl
get-acl output fields:
  Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents\WindowsPowershell\active Directory
  Owner  : WIN\vjj
  Group  :
  Access : FileSystemRights  : FullControl
           AccessControlType : Allow
           IdentityReference : BUILTIN\Administrators
           IsInherited       : True
           InheritanceFlags  : ContainerInherit, ObjectInherit
           PropagationFlags  : None
  Audit  :
  Sddl   : (Security Descriptor Definition Language)
get-acl
  > get-acl C:\Users\vjj\Documents | fl
  Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents
  Owner  : WIN\vjj
  Group  : WIN\Domain Users
  Access : NT AUTHORITY\SYSTEM Allow FullControl
           BUILTIN\Administrators Allow FullControl
           WIN\vjj Allow FullControl
  Audit  :
  Sddl   : O:S-1-5-21-2378754280-655980599-3492758231-1103G:DUD:(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-2378754280-655980599-3492758231-1103)
SDDL
  (D;OICI;GA;;;BG)       Deny access to Built-in Guests
  (D;OICI;GA;;;AN)       Deny access to ANonymous logon
  (A;OICI;GRGWGX;;;AU)   Allow Read/Write/eXecute to Authenticated Users
  (A;OICI;GA;;;BA)       Allow full control (Access) to Built-in Administrators
Security Descriptor Definition Language
  D  - SDDL_ACCESS_DENIED
  A  - SDDL_ACCESS_ALLOWED
  CI - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
  OI - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
  ID - ACE IS INHERITED
  GA - GENERIC ALL
  FA - FILE ALL ACCESS
  ...
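An added example, not from these slides: a small Python model of the access verification algorithm described earlier, run over the DACL part of an SDDL string like the ones above. The SID aliases and the mapping of GA/FA/GR/GW/GX onto a few named rights are a constructed subset for the demo; it also covers the NULL-DACL (no restrictions) and empty-DACL (deny everyone) cases that the ACL API slides later set up.

```python
import re

# Constructed subset of SDDL aliases and rights used on these slides (not the full table).
SID_ALIAS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
             "BG": "BUILTIN\\Guests", "AN": "NT AUTHORITY\\ANONYMOUS LOGON",
             "AU": "NT AUTHORITY\\Authenticated Users", "DU": "WIN\\Domain Users"}
RIGHTS = {"GA": {"read", "write", "execute", "delete"},
          "FA": {"read", "write", "execute", "delete"},
          "GR": {"read"}, "GW": {"write"}, "GX": {"execute"}}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;([^)]+)\)")

def parse_dacl(sddl):
    """Return the D: part of an SDDL string as a list of (type, flags, rights, trustee).
    Returns None when the descriptor carries no DACL at all (a NULL DACL)."""
    if "D:" not in sddl:
        return None
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, flags, rights, sid in ACE_RE.findall(dacl):
        perms = set()
        for i in range(0, len(rights), 2):        # rights come as two-letter codes, e.g. GRGWGX
            perms |= RIGHTS.get(rights[i:i + 2], set())
        aces.append((ace_type, flags, perms, SID_ALIAS.get(sid, sid)))
    return aces

def access_check(aces, token_sids, requested):
    """Walk the ACL in order. A deny ACE for one of the subject's SIDs that covers any
    requested right ends the check with 'denied'; allow ACEs accumulate until every
    requested right is granted; reaching the end of the ACL means 'denied';
    a NULL DACL means no restrictions, so an empty DACL denies everyone."""
    if aces is None:
        return True
    granted = set()
    for ace_type, _flags, perms, trustee in aces:
        if trustee not in token_sids:
            continue                                # ACE is about someone else
        if ace_type == "D" and perms & requested:
            return False                            # first matching deny wins
        if ace_type == "A":
            granted |= perms & requested
            if granted >= requested:
                return True
    return False

if __name__ == "__main__":
    # Constructed DACL in the order of the SDDL slide: denies first, then allows.
    sddl = "O:BAG:DUD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)"
    user = {"WIN\\vjj", "NT AUTHORITY\\Authenticated Users"}
    guest = {"BUILTIN\\Guests", "NT AUTHORITY\\Authenticated Users"}
    print(access_check(parse_dacl(sddl), user, {"read", "write"}))   # True
    print(access_check(parse_dacl(sddl), user, {"delete"}))          # False: end of ACL
    print(access_check(parse_dacl(sddl), guest, {"read"}))           # False: deny ACE hit first
```

Swapping the guest deny ACE behind the Authenticated Users allow ACE lets the guest read, which is why the canonical order puts explicit denies first.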
GetAccessRules
  $sd = get-acl C:\users\vjj\Documents
  $accessrules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
  $accessrules | fl
Copy an ACL
  $myacl = Get-Acl mytest1.txt
  Set-Acl mytest2.txt -AclObject $myacl
  dir -Path c:\temp -Recurse -Include *.txt -Force | Set-Acl -AclObject $myacl
.NET
  FileSecurity fsecurity = File.GetAccessControl(fileName);
  fsecurity.AddAccessRule(new FileSystemAccessRule(
      account,   // string, e.g. "WIN\\vjj"
      rights,    // FileSystemRights
      type));    // AccessControlType
  File.SetAccessControl(fileName, fsecurity);
.NET
  DirectoryInfo dinfo = new DirectoryInfo(directoryName);
  DirectorySecurity dsecurity = dinfo.GetAccessControl();
  dsecurity.AddAccessRule(new FileSystemAccessRule(
      account,   // string
      rights,    // FileSystemRights
      type));    // AccessControlType
  dinfo.SetAccessControl(dsecurity);
.NET and ACE in AD
  using ActiveDs;
  using System.Collections;
  using System.DirectoryServices;   // DirectoryEntry
  DirectoryEntry dirEnt = new DirectoryEntry("LDAP://CN=vjj, DC=WIN, DC=MS, DC=MFF, DC=CUNI, DC=CZ");
  SecurityDescriptor sd = (SecurityDescriptor) dirEnt.Properties["ntSecurityDescriptor"].Value;
  AccessControlList acl = (AccessControlList) sd.DiscretionaryAcl;
  foreach (AccessControlEntry ace in (IEnumerable) acl) {
    Console.WriteLine("Trustee: {0}", ace.Trustee);
    Console.WriteLine("AccessMask: {0}", ace.AccessMask);
    Console.WriteLine("Access Type: {0}", ace.AceType);
  }
ACL API
Allowing any access (NULL DACL)
  PSECURITY_DESCRIPTOR psd;
  psd = (PSECURITY_DESCRIPTOR) HeapAlloc(hheap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
  InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
  SetSecurityDescriptorDacl(psd, FALSE, NULL, FALSE);
    // FALSE => the SE_DACL_PRESENT flag is cleared in the security descriptor
  SetFileSecurity(lpszfilename, DACL_SECURITY_INFORMATION, psd);
[Diagram] thread -> object: SUBJECT's Access Token (user SID, group SIDs ..., privileges) -> Security Descriptor (owner SID, group SID, no ACL)
???
  PSECURITY_DESCRIPTOR psd;
  psd = (PSECURITY_DESCRIPTOR) HeapAlloc(hheap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
  InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
  SetSecurityDescriptorDacl(psd, TRUE, NULL, TRUE);
  SetFileSecurity(lpszfilename, DACL_SECURITY_INFORMATION, psd);
default
  PSECURITY_DESCRIPTOR psd;
  psd = (PSECURITY_DESCRIPTOR) HeapAlloc(hheap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
  InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
  SetSecurityDescriptorDacl(psd, TRUE, NULL, FALSE);
    // FALSE => DACL set to default
  SetFileSecurity(lpszfilename, DACL_SECURITY_INFORMATION, psd);
Denying all access (empty DACL)
  PSECURITY_DESCRIPTOR psd;
  PACL pacl;
  psd = (PSECURITY_DESCRIPTOR) HeapAlloc(hheap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
  InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
  pacl = (PACL) HeapAlloc(hheap, 0, 1024);
  InitializeAcl(pacl, 1024, ACL_REVISION2);   // an ACL with no ACEs: nobody matches, everyone is denied
  SetSecurityDescriptorDacl(psd, TRUE, pacl, FALSE);
  SetFileSecurity(lpszfilename, DACL_SECURITY_INFORMATION, psd);
[Diagram] thread -> object: SUBJECT's Access Token (user SID, group SIDs ..., privileges) -> Security Descriptor (owner SID, group SID, ACL list with no entries)
Specific permissions 1/3
  PSECURITY_DESCRIPTOR psd;
  PACL pacl;
  PSID psid;
  DWORD dwsidlength = 1024;
  DWORD dwdomainlength = 80;
  LPSTR lpszaccount = "vjj";
  LPSTR lpszdomain;
  PSID_NAME_USE psidnameuse;
Specific permissions 2/3
  psd = (PSECURITY_DESCRIPTOR) HeapAlloc(hheap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
  InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
  pacl = (PACL) HeapAlloc(hheap, 0, 1024);
  InitializeAcl(pacl, 1024, ACL_REVISION2);
  psid = (PSID) HeapAlloc(hheap, 0, dwsidlength);
  psidnameuse = (PSID_NAME_USE) HeapAlloc(hheap, 0, 1024);
  lpszdomain = (LPSTR) HeapAlloc(hheap, 0, dwdomainlength);
Specific permissions 3/3
  // resolve the account name to a SID; dwsidlength/dwdomainlength are in/out buffer sizes
  LookupAccountName(NULL,   // = local system
                    lpszaccount, psid, &dwsidlength,
                    lpszdomain, &dwdomainlength, psidnameuse);
  if (IsValidSid(psid)) {
    AddAccessAllowedAce(pacl, ACL_REVISION2, GENERIC_READ, psid);   // one allow ACE: read for "vjj"
    SetSecurityDescriptorDacl(psd, TRUE, pacl, FALSE);
    SetFileSecurity(lpszfilename, DACL_SECURITY_INFORMATION, psd);
  }
[Diagram] thread -> object: SUBJECT's Access Token (user SID, group SIDs ..., privileges) -> Security Descriptor (owner SID, group SID, ACL list with one ACE entry)
PowerShell and ACL
  $objuser = New-Object System.Security.Principal.NTAccount("win\vjj")
  $fsrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  $objtype = [System.Security.AccessControl.AccessControlType]::Allow
  $objace = New-Object System.Security.AccessControl.FileSystemAccessRule($objuser, $fsrights, $InheritanceFlag, $PropagationFlag, $objtype)
  $objacl = Get-ACL "C:\testFolder\Test1.txt"
  $objacl.AddAccessRule($objace)
  Set-ACL "C:\testFolder\Test1.txt" $objacl
Mandatory Integrity Control
  Integrity Level checks come before the ACL check
  implemented through a new type of ACE on the security descriptor