{"id":3383,"date":"2021-08-03T07:37:32","date_gmt":"2021-08-03T05:37:32","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3383"},"modified":"2024-08-18T17:02:45","modified_gmt":"2024-08-18T15:02:45","slug":"windows-security-fundamentals","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3383","title":{"rendered":"Windows security fundamentals"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"caps\">SID<\/span> Security Identifiers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">All ele\u00adments have attrib\u00adut\u00ades. They are iden\u00adti\u00adfied via a <strong>Secu\u00adri\u00adty Iden\u00adti\u00adfi\u00ader <span class=\"caps\">SID<\/span><\/strong>. The struc\u00adture of a&nbsp;<span class=\"caps\">SID<\/span>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A\u2011B-C\u2011D\n<ul class=\"wp-block-list\">\n<li>A is always S, which here indi\u00adcates a secu\u00adri\u00adty identifier.<\/li>\n\n\n\n<li>B is the revision\/version. It is 1 on most&nbsp;cases.<\/li>\n\n\n\n<li>C is the <span class=\"caps\">ID<\/span> of the author\u00adi\u00adty who cre\u00adat\u00aded the <span class=\"caps\">ID<\/span> with all sub authorities.&nbsp;<ul class=\"wp-block-list\">\n<li>When it is 5, it is the <span class=\"caps\">NT<\/span> Author\u00adi\u00adty, which indi\u00adcates that this is an <span class=\"caps\">ID<\/span> of the local sys\u00adtem. Behind that are fol\u00adlow\u00ading fur\u00adther <em>rel\u00ada\u00adtive iden\u00adti\u00adfiers<\/em>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>D is the rel\u00ada\u00adtive identifier.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>S\u20111\u20135\u201121\u2013466546139-763938477\u20131796994327-1001\n<ul class=\"wp-block-list\">\n<li>A = S (secu\u00adrit identifier)<\/li>\n\n\n\n<li>B = 1 (ver\u00adsion)<\/li>\n\n\n\n<li>C = <strong>5<\/strong> (domain identifier)<\/li>\n\n\n\n<li>D = 21\u2013466546139-763938477\u20131796994327-1001 (rel\u00ada\u00adtive identifier)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The <em>Domain Iden\u00adti\u00adfi\u00ader<\/em> ist the <span class=\"caps\">SID<\/span> with\u00adout the last <span class=\"caps\">RID<\/span>&nbsp;part.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adples for well-known SIDs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>S\u20111\u20130\u20110 Nobody<\/li>\n\n\n\n<li>S\u20111\u20131\u20110 Every\u00adbody<\/li>\n\n\n\n<li>S\u20111\u20135\u201111 Authen\u00adti\u00adcat\u00aded&nbsp;Users<\/li>\n\n\n\n<li>S\u20111\u20135\u201118 Local System<\/li>\n\n\n\n<li>S\u20111\u20135-$domainidentifier-500 Admin\u00adis\u00adtra\u00adtor<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Basic Windows security access control<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Security context<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>When a user logs in, Win\u00addows cre\u00adates an access token for the&nbsp;user.&nbsp;<ul class=\"wp-block-list\">\n<li>This token defines the secu\u00adri\u00adty con\u00adtext. The secu\u00adri\u00adty con\u00adtext defines what a user can do. It con\u00adsists of the user\u2019s <span class=\"caps\">SID<\/span> and the groups of which the user is a mem\u00adber of and it\u2019s privileges.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>When Win\u00addows cre\u00adates a new process \/ thread, it is assigned to a token, which defines the capa\u00adbil\u00adi\u00adties of this process \/ thread, espe\u00adcial\u00adly regard\u00ading access\u00ading oth\u00ader process\u00ades \/ threats or sys\u00adtem ressources.&nbsp;<ul class=\"wp-block-list\">\n<li>This token can also be an <strong>imper\u00adson\u00adation token<\/strong>. This is a token with dif\u00adfer\u00adent secu\u00adri\u00adty capa\u00adbil\u00adi\u00adties, e.g. when a user exe\u00adcutes a process under anoth\u00ader user, the own\u00ader of a process may be user1, but the secu\u00adri\u00adty con\u00adtext is then from&nbsp;user2.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Mandatory Integrity Control and integrity levels<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Win\u00addows (from Vista on) has five integri\u00adty levels:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sys\u00adtem (<span class=\"caps\">SYSTEM<\/span>)<\/li>\n\n\n\n<li>High (ele\u00advat\u00aded&nbsp;users)<\/li>\n\n\n\n<li>Medi\u00adum (nor\u00admal&nbsp;users)<\/li>\n\n\n\n<li>Low<\/li>\n\n\n\n<li>Untrust\u00aded<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">For each process, Win\u00addows assignes a integri\u00adty lev\u00adel depend\u00ading of the caller. If a user with integri\u00adty lev\u00adel <em>Medi\u00adum<\/em> starts a process, the process has the lev\u00adel <em>Medi\u00adum<\/em> as well, <strong>except<\/strong> the exe\u00adcute\u00adable file has a low\u00ader integri\u00adty lev\u00adel. In this case, the process has the low\u00ader secu\u00adri\u00adty lev\u00adel. A process has can\u00adnot access process\u00ades with high\u00ader secu\u00adri\u00adty levels.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Note: The integri\u00adty lev\u00adels can be shown in the TaskManager.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">UAC<\/span> User Account Control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">UAC<\/span> was intro\u00adduced in Vista and Serv\u00ader&nbsp;2008.<\/li>\n\n\n\n<li>It requires to con\u00adfirm tasks which can affect the system.<\/li>\n\n\n\n<li>Users has to con\u00adfirm the action with their pass\u00adword, admins with a con\u00adfir\u00adma\u00adtion dialog.<\/li>\n\n\n\n<li>Even as admin\u00adis\u00adtra\u00adtor, some sys\u00adtem com\u00admands does not work with\u00adout <span class=\"caps\">UAC<\/span> confirmation.<\/li>\n\n\n\n<li>Exam\u00adple:<ul><li>Try to change the pass\u00adword as admin\u00adis\u00adtra\u00adtor<br><code>net user admin Ev!lpass<\/code><\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>It doesn\u2019t work \u201cAccess is denied\u201d<\/li>\n\n\n\n<li>Switch to a high\u00ader integri\u00adty lev\u00adel&nbsp;with<br><code>powershell.exe Start-Process cmd.exe -Verb runAs<\/code><\/li>\n\n\n\n<li>Repeat the com\u00admand. Now it will&nbsp;work.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Separation of Kernel space<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are two access modes in Windows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ker\u00adnel mode<\/strong> runs in ring 0 and allows access to core os ele\u00adments or drivers<\/li>\n\n\n\n<li><strong>User mode <\/strong>runs in ring 3 and is the default mode where appli\u00adca\u00adtions&nbsp;run.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">From the user mode, appli\u00adca\u00adtions can go to functions\/components in the ker\u00adnel mode <strong>via secu\u00adri\u00adty gates<\/strong>. These gates are imple\u00adment\u00aded <strong>in ntdll.dll<\/strong>. This is the glob\u00adal entry point for appli\u00adca\u00adtions from the user\u00adland to access ker\u00adnel func\u00adtions. The nor\u00admal way is via exposed OS-APIs. These APIs are exposed and doc\u00adu\u00adment\u00aded. When an appli\u00adca\u00adtion calls one, then these APIs will prob\u00ada\u00adbly go through oth\u00ader func\u00adtions until they call some\u00adthing in ntdll. The calls in ntdll usu\u00adal\u00adly require more para\u00adme\u00adters than the easy-to-use high-lev\u00adel <span class=\"caps\">API<\/span> func\u00adtions. A devel\u00adop\u00ader can also access the exposed func\u00adtions in ntdll direct\u00adly which could pro\u00advide more pos\u00adsi\u00adbil\u00adi\u00adties for attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Linking and loading<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In com\u00adpar\u00adi\u00adson to Lin\u00adux, Win\u00addows uses oth\u00ader&nbsp;terms.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Lin\u00adux<\/th><th>Win\u00addows<\/th><th>Pur\u00adpose<\/th><\/tr><\/thead><tbody><tr><td><span class=\"caps\">GOT<\/span>\/<span class=\"caps\">PLT<\/span> (Glob\u00adal Off\u00adset Table\/Procedure Link\u00ading&nbsp;Table)<\/td><td><span class=\"caps\">IAT<\/span>\/<span class=\"caps\">EAT<\/span> (Import Address Table\/Export Address Table)<\/td><td>Ref\u00ader\u00adenc\u00ading the posi\u00adtion of func\u00adtions in the memory.<\/td><\/tr><tr><td><span class=\"caps\">ELF<\/span> (Exe\u00adcutable and Link\u00ading Format)<\/td><td><span class=\"caps\">PE<\/span>\/<span class=\"caps\">COFF<\/span> (Portable Executeable\/Common Object File Format)<\/td><td>Struc\u00adture for exe\u00adcute\u00adable&nbsp;files.<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"caps\">SID<\/span> Secu\u00adri\u00adty Iden\u00adti\u00adfiers All ele\u00adments have attrib\u00adut\u00ades. They are iden\u00adti\u00adfied via a Secu\u00adri\u00adty Iden\u00adti\u00adfi\u00ader <span class=\"caps\">SID<\/span>. The struc\u00adture of a&nbsp;<span class=\"caps\">SID<\/span>: Exam\u00adple: The Domain Iden\u00adti\u00adfi\u00ader ist the <span class=\"caps\">SID<\/span> with\u00adout the last <span class=\"caps\">RID<\/span>&nbsp;part. Exam\u00adples for well-known SIDs: Basic Win\u00addows secu\u00adri\u00adty access con\u00adtrol Secu\u00adri\u00adty con\u00adtext Manda\u00adto\u00adry Integri\u00adty Con\u00adtrol and integri\u00adty lev\u00adels Win\u00addows (from Vista on) has five integri\u00adty levels:&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[438,437,435,436,499,498,24],"class_list":["post-3383","post","type-post","status-publish","format-standard","hentry","category-general","tag-kernel","tag-ntdll","tag-ring-0","tag-ring-3","tag-security-identifier","tag-sid","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3383"}],"version-history":[{"count":10,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3383\/revisions"}],"predecessor-version":[{"id":4075,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3383\/revisions\/4075"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}