SID Security Identifiers
Security principals (users, groups, computers, services) are identified by a Security Identifier (SID). The structure of a SID:
- A-B-C-D
- A is always S, which marks the string as a security identifier.
- B is the revision; it is 1 on all current Windows versions.
- C is the identifier authority that issued the SID, followed by that authority's sub-authority values.
- When it is 5, it is the NT Authority, which issues the SIDs of local and domain accounts as well as of built-in principals. The sub-authority values that follow it identify the issuing machine or domain.
- D is the relative identifier (RID), the last sub-authority. It is unique within the machine or domain that issued it.
Example:
- S-1-5-21-466546139-763938477-1796994327-1001
- A = S (security identifier)
- B = 1 (revision)
- C = 5 (NT Authority), followed by the sub-authorities 21-466546139-763938477-1796994327
- D = 1001 (relative identifier of this account)
The domain identifier is the SID without the last RID part, here S-1-5-21-466546139-763938477-1796994327. Every account and group created in that domain (or on that machine) carries this prefix and differs only in its RID.
Examples of well-known SIDs:
- S-1-0-0 Nobody (null SID)
- S-1-1-0 Everyone
- S-1-5-11 Authenticated Users
- S-1-5-18 Local System
- S-1-5-21-<domain identifier>-500 Administrator (the built-in administrator account; the RID 500 stays fixed even if the account is renamed)
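The following PowerShell function is an added example and not code from the original post. It splits a SID string into the A-B-C-D parts described above, computes the domain identifier for S-1-5-21-… SIDs, and cross-checks the result against the .NET SecurityIdentifier class (IsWellKnown, AccountDomainSid). The sample SIDs are the ones used in the post; the account translation only works on a Windows machine that can resolve the SID.

```powershell
# Added example, not code from the original post: split a SID string into the
# A-B-C-D parts and cross-check the result against .NET's SecurityIdentifier.
$WellKnownTypes = @{
    NullSid                 = 'Nobody'
    WorldSid                = 'Everyone'
    AuthenticatedUserSid    = 'Authenticated Users'
    LocalSystemSid          = 'Local System'
    AccountAdministratorSid = 'Administrator (RID 500)'
}

function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    # Copy/paste often turns the hyphens into en dashes or non-breaking hyphens; normalise them first.
    $clean = $Sid -replace '[\u2010\u2011\u2013\u2014]', '-'
    if ($clean -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a valid SID string: $Sid" }

    $revision  = [int]$Matches[1]                          # B
    $authority = [int]$Matches[2]                          # C: identifier authority
    $subAuths  = @($Matches[3].TrimStart('-') -split '-' | ForEach-Object { [uint32]$_ })
    $rid       = $subAuths[-1]                             # D: the last sub-authority is the RID

    # Only machine/domain SIDs (S-1-5-21-X-Y-Z-RID) carry a domain identifier;
    # built-in SIDs such as S-1-5-18 do not, and .NET's AccountDomainSid agrees.
    $domain = $null
    if ($authority -eq 5 -and $subAuths.Count -eq 5 -and $subAuths[0] -eq 21) {
        $domain = "S-$revision-$authority-" + ($subAuths[0..3] -join '-')
    }

    $net = [System.Security.Principal.SecurityIdentifier]::new($clean)
    $wellKnownName = $null
    foreach ($type in $WellKnownTypes.Keys) {
        if ($net.IsWellKnown([System.Security.Principal.WellKnownSidType]::$type)) {
            $wellKnownName = $WellKnownTypes[$type]; break
        }
    }

    # Translate() asks the local SAM or the domain for the account name;
    # it only succeeds on Windows and only for SIDs the machine can resolve.
    $account = $null
    try { $account = $net.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    [pscustomobject]@{
        Sid                 = $net.Value
        Revision            = $revision
        IdentifierAuthority = $authority
        SubAuthorities      = $subAuths
        Rid                 = $rid
        DomainIdentifier    = $domain
        NetDomainSid        = if ($net.AccountDomainSid) { $net.AccountDomainSid.Value } else { $null }
        WellKnown           = $wellKnownName
        Account             = $account
    }
}

# Usage: the post's example SID and two of the well-known SIDs listed above.
ConvertFrom-SidString 'S-1-5-21-466546139-763938477-1796994327-1001'
ConvertFrom-SidString 'S-1-5-18'
ConvertFrom-SidString 'S-1-1-0'
```

For the first call DomainIdentifier and NetDomainSid both come out as S-1-5-21-466546139-763938477-1796994327 and Rid as 1001; for S-1-5-18 there is no domain identifier and WellKnown reports Local System.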
Basic Windows security access control
Security context
- When a user logs on, Windows creates an access token for that logon session.
- This token defines the security context, i.e. what the user can do. It consists of the user's SID, the SIDs of the groups the user is a member of, and the user's privileges.
- Every process and thread Windows creates is assigned a token, which defines what that process or thread may do, in particular when it accesses other processes, threads or system resources. A new process receives a copy of its parent's token unless it is explicitly started with a different one.
- A thread can also carry an impersonation token, a token with a different security context than the process's primary token. This happens, for example, when a process is started or a request is served on behalf of another user: the process owner may still be user1, but access checks are then made against user2's security context.
Mandatory Integrity Control and integrity levels
Windows (from Vista on) has five main integrity levels, ordered from highest to lowest:
- System (SYSTEM)
- High (elevated users)
- Medium (normal users)
- Low
- Untrusted
For each process, Windows assigns an integrity level based on the caller's token. If a user with integrity level Medium starts a process, the process runs at Medium as well, unless the executable file is labelled with a lower integrity level; in that case the process gets the lower of the two. A process cannot modify objects of a higher integrity level (no-write-up), and it cannot open a process of a higher integrity level to read or write its memory.
Note: The integrity levels can be shown in the Task Manager; whoami /groups shows the mandatory label of the current token.
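The PowerShell below is an added example (not code from the original post) that ties the two previous sections together: it dumps the parts of the current access token that form the security context (user SID, group SIDs, privileges, impersonation level) and decodes the integrity level from the token's mandatory label SID. It assumes a Windows host with whoami.exe; the integrity levels are encoded as S-1-16-<level> where the level values are the fixed ones listed in the hashtable.

```powershell
# Added example, not code from the original post: inspect the current token
# and decode its integrity level. Requires Windows (whoami.exe).
$IntegrityLevels = @{
    0     = 'Untrusted'          # S-1-16-0
    4096  = 'Low'                # S-1-16-4096  (0x1000)
    8192  = 'Medium'             # S-1-16-8192  (0x2000)
    8448  = 'Medium Plus'        # S-1-16-8448  (0x2100)
    12288 = 'High'               # S-1-16-12288 (0x3000)
    16384 = 'System'             # S-1-16-16384 (0x4000)
    20480 = 'Protected Process'  # S-1-16-20480 (0x5000)
}

function Get-IntegrityLevelName {
    param([Parameter(Mandatory)][string]$LabelSid)   # e.g. S-1-16-8192
    if ($LabelSid -notmatch '^S-1-16-(\d+)$') { throw "Not a mandatory label SID: $LabelSid" }
    $level = [int]$Matches[1]
    $name = $IntegrityLevels[$level]
    if (-not $name) { $name = "Custom ($level)" }
    return $name
}

function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # whoami prints the token as the kernel holds it; its CSV output is easy to parse.
    # Columns: "Group Name","Type","SID","Attributes" and "Privilege Name","Description","State".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The mandatory label is listed among the groups with Type "Label".
    $label = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1

    [pscustomobject]@{
        User           = $id.Name
        UserSid        = $id.User.Value
        Impersonation  = $id.ImpersonationLevel     # None for a primary token
        GroupSids      = @($groups | Where-Object { $_.Type -ne 'Label' } | ForEach-Object { $_.SID })
        IntegrityLevel = Get-IntegrityLevelName $label.SID
        EnabledPrivs   = @($privs | Where-Object { $_.State -eq 'Enabled' }  | ForEach-Object { $_.'Privilege Name' })
        DisabledPrivs  = @($privs | Where-Object { $_.State -eq 'Disabled' } | ForEach-Object { $_.'Privilege Name' })
    }
}

# Usage: run once in a normal shell (Medium) and once in an elevated one (High)
# and compare IntegrityLevel, GroupSids and the privilege lists.
Get-TokenSummary | Format-List
```

To see the "lower of the two" rule from the text in action, copy a harmless executable, label it with icacls <copy.exe> /setintegritylevel Low, start it from a Medium shell and check its integrity level (for example in Process Explorer): the process runs at Low although the caller is Medium.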
UAC User Account Control
- UAC was introduced in Vista and Server 2008.
- It requires the user to confirm tasks that can affect the whole system.
- Standard users have to confirm the action by entering an administrator's credentials, administrators with a confirmation (consent) dialog.
- Even as administrator, some system commands do not work without UAC confirmation: an administrator's logon session has two tokens, a filtered token at Medium integrity that is used by default, and the full token at High integrity, which is handed out only after the UAC prompt.
- Example:
- Try to change the password as administrator:
net user admin Ev!lpass
- It doesn't work: "Access is denied"
- Switch to a higher integrity level with
powershell.exe Start-Process cmd.exe -Verb runAs
- Repeat the command in the new window. Now it will work.
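The PowerShell below is an added example (not code from the original post) of the procedure above: it tests whether the current shell already runs with the full administrator token and, if not, relaunches PowerShell through the UAC prompt (-Verb RunAs) to run the command at High integrity. The account name admin and the password are the post's own example values; the function names are assumptions for this example.

```powershell
# Added example, not code from the original post: elevate through UAC when
# the current shell only holds the filtered (Medium) administrator token.
function Test-Elevated {
    $principal = [System.Security.Principal.WindowsPrincipal]::new(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    # With UAC on, the filtered token has the Administrators group marked
    # "used for deny only", so IsInRole() returns $false until elevation.
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    # $Command is executed as PowerShell code; pass only commands you control.
    param([Parameter(Mandatory)][string]$Command)

    if (Test-Elevated) {
        # Already running with the full token: run inline.
        Invoke-Expression $Command
        return
    }
    # -Verb RunAs triggers the UAC consent (admin) or credential (standard user) dialog.
    # -NoExit keeps the elevated window open so the output can be read; -Wait blocks until it closes.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoExit', '-Command', $Command
}

# Usage: show the mandatory label of the elevated token (High Mandatory Level).
Invoke-Elevated 'whoami /groups | findstr /i Mandatory'

# The post's command, which fails with "Access is denied" in the non-elevated shell
# and succeeds in the elevated one (changes the password of the account named admin):
# Invoke-Elevated 'net user admin Ev!lpass'
```

Test-Elevated is the check scripts should use instead of looking at group membership by name: membership in Administrators is the same before and after elevation, what changes is whether the group is enabled in the token.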
Separation of Kernel space
There are two access modes in Windows:
- Kernel mode runs in ring 0 and has access to the core OS components, drivers and all of memory.
- User mode runs in ring 3 and is the default mode in which applications run.
From user mode, applications reach functions in kernel mode only through system calls. The user-mode side of these gates is implemented in ntdll.dll: its Nt*/Zw* functions are thin stubs that load the system call number and execute the syscall instruction, so ntdll is the single entry point from userland into the kernel. The normal way for an application is to use the exposed and documented OS APIs (the Win32 functions in kernel32.dll and related DLLs). When an application calls one, the call typically passes through several layers until it reaches a function in ntdll; CreateFileW, for example, ends in NtCreateFile. The ntdll functions usually require more, and lower-level, parameters than the easy-to-use high-level API functions. A developer can also call the exported ntdll functions directly, bypassing the Win32 layer; malware does the same, since the Nt* functions expose options and information the documented APIs do not, which gives an attacker more possibilities.
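As an added example (not code from the original post), the PowerShell below fetches the same fact, the parent process id of the current process, once through a documented management API and once by calling ntdll!NtQueryInformationProcess directly. It shows what the text describes: the raw Nt* call needs a process handle, an information class, a caller-supplied buffer, its size and a return-length pointer, and answers with an NTSTATUS. The namespace Demo and the function names are assumptions for this example; the struct layout (all fields pointer-sized) is the usual way to declare PROCESS_BASIC_INFORMATION so that it matches on both 32- and 64-bit Windows.

```powershell
# Added example, not code from the original post: call an ntdll function
# directly and compare it with the documented route. Windows only.
if (-not ('Demo.NtDll' -as [type])) {
    Add-Type -Namespace Demo -Name NtDll -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_BASIC_INFORMATION {
    public IntPtr ExitStatus;
    public IntPtr PebBaseAddress;
    public IntPtr AffinityMask;
    public IntPtr BasePriority;
    public IntPtr UniqueProcessId;
    public IntPtr InheritedFromUniqueProcessId;   // the parent PID
}

// Information class 0 = ProcessBasicInformation. Returns an NTSTATUS (0 = STATUS_SUCCESS).
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(
    IntPtr ProcessHandle,
    int ProcessInformationClass,
    ref PROCESS_BASIC_INFORMATION ProcessInformation,
    int ProcessInformationLength,
    out int ReturnLength);
'@
}

function Get-ParentPidViaNtdll {
    param([int]$ProcessId = $PID)
    $proc = Get-Process -Id $ProcessId
    $pbi  = [Demo.NtDll+PROCESS_BASIC_INFORMATION]::new()
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf([type][Demo.NtDll+PROCESS_BASIC_INFORMATION])
    $ret  = 0
    # Five parameters and an NTSTATUS to check, versus a one-liner in the documented API.
    $status = [Demo.NtDll]::NtQueryInformationProcess($proc.Handle, 0, [ref]$pbi, $size, [ref]$ret)
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    return $pbi.InheritedFromUniqueProcessId.ToInt64()
}

function Get-ParentPidViaWmi {
    # The documented route: the management layer ends up in the same kernel data.
    param([int]$ProcessId = $PID)
    (Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId").ParentProcessId
}

# Usage: both lines print the same parent PID.
"ntdll : $(Get-ParentPidViaNtdll)"
"Win32 : $(Get-ParentPidViaWmi)"
```

The direct call also hands back the PEB base address, something no documented Win32 function returns, which is one concrete instance of the "more possibilities" the text refers to.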
Linking and loading
Compared to Linux, Windows uses different terms for the same linking and loading concepts.
| Linux | Windows | Purpose |
|---|---|---|
| GOT/PLT (Global Offset Table/Procedure Linkage Table) | IAT/EAT (Import Address Table/Export Address Table) | Tables holding the addresses of imported (and, on Windows, exported) functions, which the loader resolves at load time; overwriting an entry redirects every call that goes through it. |
| ELF (Executable and Linkable Format) | PE/COFF (Portable Executable/Common Object File Format) | Structure of executable files, shared libraries and object files. |
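To make the IAT and PE entries of the table concrete, the following PowerShell is an added example (not code from the original post) that walks the import directory of a PE file on disk: it lists the DLLs the file imports and the RVA and file offset of the IAT slots the loader fills in at load time. It reads only the headers and section table and follows the PE/COFF layout for both PE32 and PE32+; the path to notepad.exe at the end is an assumption and can be any PE file.

```powershell
# Added example, not code from the original post: list the imported DLLs and
# the IAT location of a PE file by parsing its headers.
function Get-PeImports {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $u16 = { param($o) [System.BitConverter]::ToUInt16($b, $o) }
    $u32 = { param($o) [System.BitConverter]::ToUInt32($b, $o) }

    if ((& $u16 0) -ne 0x5A4D) { throw 'Missing MZ signature' }
    $pe = & $u32 0x3C                                  # e_lfanew: offset of the PE header
    if ((& $u32 $pe) -ne 0x4550) { throw 'Missing PE signature' }

    $numSections = & $u16 ($pe + 6)                    # IMAGE_FILE_HEADER.NumberOfSections
    $optSize     = & $u16 ($pe + 20)                   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $opt         = $pe + 24                            # start of IMAGE_OPTIONAL_HEADER
    $magic       = & $u16 $opt
    # The data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    $ddOffset = if ($magic -eq 0x20B) { 112 } elseif ($magic -eq 0x10B) { 96 } else { throw "Unknown magic 0x$('{0:X}' -f $magic)" }
    $importRva = & $u32 ($opt + $ddOffset + 8)         # DataDirectory[1] = import table (8 bytes per entry)
    if ($importRva -eq 0) { return @() }

    # Section table (40 bytes per entry) follows the optional header; it maps RVAs to file offsets.
    $secStart = $opt + $optSize
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secStart + $i * 40
        [pscustomobject]@{
            Name     = [System.Text.Encoding]::ASCII.GetString($b, $s, 8).TrimEnd([char]0)
            VirtSize = & $u32 ($s + 8)
            VirtAddr = & $u32 ($s + 12)
            RawSize  = & $u32 ($s + 16)
            RawPtr   = & $u32 ($s + 20)
        }
    }
    function RvaToOffset([uint32]$rva) {
        foreach ($s in $sections) {
            $span = [Math]::Max($s.VirtSize, $s.RawSize)
            if ($rva -ge $s.VirtAddr -and $rva -lt ($s.VirtAddr + $span)) { return $s.RawPtr + ($rva - $s.VirtAddr) }
        }
        throw "RVA 0x$('{0:X}' -f $rva) is not inside any section"
    }

    # IMAGE_IMPORT_DESCRIPTOR is 20 bytes: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk.
    # The array ends with an all-zero descriptor.
    $desc = RvaToOffset $importRva
    while ((& $u32 ($desc + 12)) -ne 0) {
        $nameOff = RvaToOffset (& $u32 ($desc + 12))
        $end = $nameOff; while ($b[$end] -ne 0) { $end++ }
        [pscustomobject]@{
            Dll       = [System.Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff)
            IatRva    = & $u32 ($desc + 16)            # FirstThunk: the IAT slots for this DLL
            IatOffset = RvaToOffset (& $u32 ($desc + 16))
        }
        $desc += 20
    }
}

# Usage (path is an assumption; any PE file works):
Get-PeImports "$env:SystemRoot\System32\notepad.exe" | Format-Table -AutoSize
```

On disk the IAT slots still hold names or ordinals; after the loader resolves them they hold function addresses, which is exactly what the GOT holds on Linux after relocation, and why both are the classic place for hooks.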