
Microsoft Windows Security Services Overview

How security services are integrated into the Windows server architecture

Figure: Windows server architecture (user mode above, kernel mode below).
User mode: Win32 application -> Win32 subsystem; Security subsystem; Plug & Play manager.
Kernel mode: Executive services (Security Reference Monitor, I/O Manager, IPC Manager, Memory Manager, Plug & Play Manager, Power Manager, Process Manager, Windows Manager, file system), Object Manager, device drivers (including the graphics device driver), Microkernel, Hardware Abstraction Layer, hardware.

Windows is a two-access-mode system, and security is split between the two modes.

User Mode
Applications generally run in user mode. User mode is made up of a set of components referred to as subsystems. A subsystem passes I/O requests to the appropriate kernel-mode driver; the subsystems focus on end users and applications.

Kernel Mode
Operating system functions run in kernel mode. Kernel mode has access to system data and hardware and provides direct access to memory. All access to kernel mode is protected because of this separation, which ensures that a user-level process is unable to corrupt the lower-level system drivers located at the kernel level. User applications send requests for system services located in kernel mode through APIs (system calls).

The Active Directory service runs in the security subsystem, in user mode (inside the Local Security Authority process), but the actual enforcement of security takes place in the Security Reference Monitor in kernel mode.

Active Directory
Definition: Active Directory is a hierarchical, tree-like structure. Information about network resources is stored in the Active Directory database, a centralized database that is replicated to every domain controller.

When you design Active Directory for your organization you will have to decide whether you want a single forest or multiple forests.

This decision has a major effect on how the administration of your Active Directory is performed and on whether you have to duplicate any effort to ensure that consistent security is deployed across the enterprise network.

Active Directory Design Basics (Active Directory Components)

Forest
Domain Tree
Domain
Organizational Unit (OU)
Sites

Domain: a domain is a logical grouping of networked computers in which one or more computers (the domain controllers) store the database of network resources.
Network resources: users, groups, computers, clients, workstations, policies, shared files and folders, printers and OUs are examples of network resources.

Domain Controller: the server that holds the domain. It maintains and manages the database of all of the domain's network resources. A domain is a logical entity, while a domain controller is a physical entity.
Active Directory Service (ADS): the directory service built into Microsoft's server operating systems from Windows 2000 Server onward (Windows NT used the older, flat NT domain model instead).

Root domain: when ADS is installed for the first time on a server in the network, it creates the root domain, e.g. nu.com.
Tree: in Active Directory terminology, a domain tree is a hierarchical grouping of one or more domains that must contain a single root domain and may have one or more child domains, all sharing a contiguous DNS namespace.

Designing your Forest Structure

Figure: a forest containing two domain trees.
Tree 1: ids.com, with child domains ce.ids.com and it.ids.com
Tree 2: it.com, with child domains ce.it.com and it.it.com

Forest: a collection of one or more domain trees is known as a forest. It is a collection of domains that share a common schema, configuration and global catalog.

Schema: the basic structure of objects (the definitions of the object classes and attributes the directory can hold).
Configuration: maintains a listing of all domains and sites within the forest, thus ensuring that no duplicate domain names are created.
Global Catalog: a fully searchable database of network resources. It maintains a partial set of attributes for every object that exists within the forest.

Designing Forests

Deploying a Single Forest
Deploying Multiple Forests

Deploying a Single Forest

This is the most common configuration for deploying a forest in an organization. The main reason to deploy a single forest is that it shares common information across each of its component domains. The information shared includes the schema, the configuration and the global catalog.

The domains within a forest are joined together by Kerberos v5 transitive trusts.
Trust relationship: an agreement between two domains so that one domain can access the resources of another domain. It is mainly established to manage the interaction between multiple domains.

In a trust relationship there are two kinds of domain:
Trusting domain (the resource domain: it has resources to share)
Trusted domain (the account domain: its users want to access the shared resources)
Trust relationships fall into several categories:
One-way trust: one domain is trusting and the other is trusted.
Two-way trust: each domain is both trusting and trusted.
Transitive trust: the trust extends through the trusted domain to every domain that it in turn trusts (the default for trusts inside a forest).
Non-transitive trust: the trust is confined to the two domains that share it and does not extend to any other domain (Windows NT trusts and external trusts are non-transitive).

The domains within a forest are joined together by Kerberos v5 transitive trust relationships: if a domain trusts another domain, it also trusts all other domains trusted by that domain. This differs from Windows NT trust relationships, which were one-way and non-transitive and had to be created manually between each pair of domains.

Most organizations that have more than one domain have a legitimate need for users to access shared resources located in a different domain. Controlling this access requires that users in one domain can also be authenticated and authorized to use resources in another domain.

To provide authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains. Trusts are the underlying technology by which secured Active Directory communications occur, and they are an integral security component of the Windows Server 2003 network architecture.

When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain.

Trusts help provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.

Implicit trusts are internal, automatically created trust relationships, such as the two-way transitive trusts created automatically between parent and child domains and between tree-root domains. Explicit trusts are created manually; a forest trust between two different forests or an external trust to a single domain outside the forest are examples of explicit trusts.
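The trust categories above (one-way and two-way, transitive and non-transitive, implicit and explicit) decide whether a user in one domain can be authenticated to a resource in another. The following is an added example, not code from the slides, that builds the implicit trusts of the forest in the figure (ids.com and it.com trees) from their DNS names, adds one assumed explicit external trust to a made-up domain partner.example, and then answers "can this account domain reach this resource domain?" by following trusts in the correct direction. It assumes that a child domain's parent is its name with the first label removed and that the first tree root listed is the forest root.

```python
"""Trust paths inside and beyond an Active Directory forest.

Added example, not from the slides. Assumptions: domains are named by DNS
name, a child domain's parent is its name with the first label removed,
a forest is described by its list of tree-root domains (first = forest
root), and a trust is a triple (trusting, trusted, transitive).
"""
from collections import deque


def implicit_forest_trusts(domains, tree_roots):
    """Automatic (implicit) trusts of one forest: two-way transitive
    parent-child trusts, plus two-way transitive tree-root trusts between
    the forest root and every other tree root."""
    domains = set(domains)
    forest_root = tree_roots[0]
    trusts = set()
    for d in domains:
        if d in tree_roots:
            if d != forest_root:
                trusts.add((forest_root, d, True))
                trusts.add((d, forest_root, True))
            continue
        parent = d.split(".", 1)[1]  # strip the leftmost DNS label
        if parent not in domains:
            raise ValueError(f"{d}: parent {parent} is not in this forest")
        trusts.add((parent, d, True))
        trusts.add((d, parent, True))
    return trusts


def can_authenticate(trusts, account_domain, resource_domain):
    """True when a user from account_domain can be authenticated to a
    resource in resource_domain.

    Direction matters: a trust (R, A, _) lets A's users into R, never the
    reverse. A non-transitive trust is honoured only when it directly
    joins the two domains; transitive trusts may be chained."""
    if account_domain == resource_domain:
        return True
    if (resource_domain, account_domain, False) in trusts:
        return True
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        cur = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == cur and transitive and trusted not in seen:
                if trusted == account_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
    return False


def demo():
    """Forest from the slides' figure plus one assumed explicit external trust."""
    forest = ["ids.com", "ce.ids.com", "it.ids.com",
              "it.com", "ce.it.com", "it.it.com"]
    trusts = implicit_forest_trusts(forest, ["ids.com", "it.com"])
    # Explicit one-way, non-transitive external trust (made up for the example):
    # it.com trusts accounts from partner.example, which is outside the forest.
    trusts.add(("it.com", "partner.example", False))
    return {
        # user in one tree, resource in the other: chained transitive trusts
        "ce.ids->it.it": can_authenticate(trusts, "ce.ids.com", "it.it.com"),
        # external user reaches the domain that trusts it directly ...
        "partner->it.com": can_authenticate(trusts, "partner.example", "it.com"),
        # ... but not its child, because the external trust is non-transitive
        "partner->ce.it": can_authenticate(trusts, "partner.example", "ce.it.com"),
        # and the trust is one-way: it.com users get nothing in the partner domain
        "it.com->partner": can_authenticate(trusts, "it.com", "partner.example"),
    }


if __name__ == "__main__":
    for name, reachable in demo().items():
        print(f"{name}: {reachable}")
```

The search starts at the resource domain and walks only trusts that the current domain holds as the trusting side, which is why the one-way external trust never lets it.com users into partner.example; widening that trust to two-way or transitive is a design decision that should be made deliberately, since it extends who the resource domain will accept authentications from.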

Making the Decision
The same software is used across the organization.
Maintaining a single forest reduces the number of administrative tasks globally.
Within a forest the transitive trust relationships are maintained automatically, so there is no need to maintain relationships manually.

Deploying Multiple Forests

There are limited scenarios in which you need to implement multiple forests. These scenarios involve decentralized organizations that perform much of their network operations within each individual sector. Another scenario is an ISP that does not want a common directory for all of its clients. In this case, create a separate forest for each client to prevent clients from browsing the directory of another client.

Site: a physical location (one or more well-connected IP subnets) where network resources reside.
Replication: the process of copying directory information between domain controllers.
OU (Organizational Unit): a container which logically stores network resources, e.g. an OU for the accounts department that contains all of the PCs, users and printers of the accounts department. It resembles a group, but an OU is used for delegation of administration and for applying policy, not for granting access to resources.


Integration of Active Directory with the security subsystem ensures that security can be enforced consistently in Windows Server. You can protect all access by combining:
Authentication (proving who the caller is)
Security principals (the user, group or computer identity that was authenticated)
The necessary permissions to perform the task (authorization)

The security subsystem performs the authorization task.

Figure: authorization path.
Security subsystem -> passes the request for authorization -> Security Reference Monitor -> DACL (Discretionary Access Control List) -> ACEs (Access Control Entries)

The DACL is checked for the object being accessed; each ACE defines the permissions that are assigned to a security principal for that object.
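What the Security Reference Monitor actually does with a DACL is an ordered walk over its ACEs against the SIDs in the caller's access token. The following is an added example, not code from the slides: it parses the DACL portion of an SDDL string into ACEs and runs a simplified version of that check. The DACL, the domain SIDs and the token contents are constructed for the example; the access-mask constants and the SDDL aliases BA, BU, WD and SY are the real Windows values. Owner rights, privileges, MAXIMUM_ALLOWED and inheritance flags are deliberately left out.

```python
"""Simplified Security Reference Monitor access check over a DACL.
Added example, not from the slides. It parses the DACL part of an SDDL
string into ACEs and evaluates a requested access mask against an access
token (the SIDs the LSA put in it) the way AccessCheck does: ACEs are
walked in order, a matching deny on any still-wanted bit fails the check,
matching allows accumulate until every requested bit is granted. Owner
rights, privileges, MAXIMUM_ALLOWED and inheritance flags are left out."""
import re

# Windows file access masks (values as defined in the Win32 SDK).
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
FILE_GENERIC_READ, FILE_GENERIC_WRITE = 0x120089, 0x120116
FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS = 0x1200A0, 0x1F01FF
SDDL_RIGHTS = {"FR": FILE_GENERIC_READ, "FW": FILE_GENERIC_WRITE,
               "FX": FILE_GENERIC_EXECUTE, "FA": FILE_ALL_ACCESS}
# Well-known SDDL SID aliases (subset).
SDDL_SIDS = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
             "WD": "S-1-1-0", "SY": "S-1-5-18"}
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid), ...] from 'D:(ace)(ace)...'.
    Only A (access allowed) and D (access denied) ACEs are handled."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with D:")
    aces = []
    for body in _ACE_RE.findall(sddl[2:]):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:  # two-letter right tokens, e.g. "FR" or "FRFX"
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SDDL_RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, mask, SDDL_SIDS.get(sid, sid)))
    return aces


def is_canonical(aces):
    """Explicit deny ACEs must come before explicit allow ACEs; otherwise an
    earlier allow can grant bits a later deny was meant to block."""
    seen_allow = False
    for ace_type, _, _ in aces:
        if ace_type == "A":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(aces, token_sids, desired):
    """True if the token is granted every bit of `desired`.
    aces=None means no DACL at all (everything allowed); [] denies everyone."""
    if aces is None:
        return True
    token, granted = set(token_sids), 0
    for ace_type, mask, sid in aces:
        if sid not in token:
            continue                      # this ACE is not about the caller
        if ace_type == "D" and mask & desired & ~granted:
            return False                  # deny on a still-wanted bit: stop
        if ace_type == "A":
            granted |= mask & desired
            if granted == desired:
                return True               # everything wanted is now granted
    return granted == desired


def demo():
    """Constructed DACL: deny write to one user SID, full control to
    Administrators (BA), read to Users (BU). All token SIDs are made up."""
    dacl = parse_dacl("D:(D;;FW;;;S-1-5-21-1-2-3-1105)(A;;FA;;;BA)(A;;FR;;;BU)")
    user = ["S-1-5-21-1-2-3-1105", "S-1-5-32-545", "S-1-1-0"]   # user, Users, Everyone
    admin = ["S-1-5-21-1-2-3-500", "S-1-5-32-544"]               # admin, Administrators
    return {
        "canonical": is_canonical(dacl),
        "user_read": access_check(dacl, user, FILE_READ_DATA),
        "user_write": access_check(dacl, user, FILE_WRITE_DATA),     # stopped by the deny ACE
        "admin_all": access_check(dacl, admin, FILE_ALL_ACCESS),
        "stranger_read": access_check(dacl, ["S-1-5-21-9-9-9-1001"], FILE_READ_DATA),
        "empty_dacl": access_check([], admin, FILE_READ_DATA),
        "no_dacl": access_check(None, ["S-1-5-21-9-9-9-1001"], FILE_ALL_ACCESS),
    }
```

Two details matter in practice: an empty DACL and a missing DACL are opposites (nothing allowed versus everything allowed), and the order of ACEs is part of the policy, which is why tools write DACLs in canonical deny-before-allow order and why a hand-built non-canonical DACL can silently grant more than intended.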

Hardware Abstraction Layer (HAL)
The HAL hides the hardware interface details, making Windows Server more portable across different hardware architectures. It is implemented as a dynamic-link library (hal.dll) and is responsible for all of the hardware-level, platform-specific support needed by every component in the system.

Security Subsystem Components
The security subsystem components run within the Local Security Authority process (lsass.exe), which includes:
Netlogon service (Netlogon.dll)
NTLM authentication protocol (Msv1_0.dll)
SSL authentication protocol (Schannel.dll)
Kerberos v5 authentication protocol (Kerberos.dll)
Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
LSA server service (Lsasrv.dll)
Security Accounts Manager (SAM) (Samsrv.dll)
Directory Service module (Ntdsa.dll)
Multiple Authentication Provider (Secur32.dll)

Netlogon service (Netlogon.dll)
Maintains the computer's secure channel to a domain controller in its domain. It passes credentials to the domain controller through that secure channel and returns the security identifiers and user rights from which the LSA builds the access token. It is also responsible for replicating Active Directory account data to Windows NT backup domain controllers (in mixed mode only).

NTLM authentication protocol (Msv1_0.dll)
Used to authenticate clients that are unable to use Kerberos authentication. This includes Windows 95, Windows 98 and Windows NT operating systems.

SSL authentication protocol (Schannel.dll)
Secure Sockets Layer provides encryption services to applications above the transport layer. To use SSL, an application must be coded to recognize and implement SSL.

Kerberos v5 authentication protocol (Kerberos.dll)
The default authentication protocol used by Windows Server. It is based on TGTs (ticket-granting tickets) and service tickets.

Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
Responsible for issuing a TGT to a client when it initially authenticates to the network. The Kerberos security provider uses the KDC service on a domain controller, and Active Directory, for obtaining TGTs.

LSA server service (Lsasrv.dll)
The Local Security Authority enforces all of the security policies defined in Active Directory, as well as those defined locally.

Security Accounts Manager (SAM) (Samsrv.dll)
Used on non-domain controllers for storage of local security accounts. It also enforces all locally stored policies.

Directory Service module (Ntdsa.dll)
Supports replication between Windows Server domain controllers, LDAP (Lightweight Directory Access Protocol) access to Active Directory, and management of the naming contexts (directory partitions) stored in Active Directory.

Multiple Authentication Provider (Secur32.dll)
This SSP (Security Support Provider) layer supports all of the security packages available on the system. The security packages include Kerberos, NT LAN Manager (NTLM), Secure Channel and Distributed Password Authentication.

LSA Functionality
Maintains all local security information for a Windows Server based computer.
Allows users to authenticate interactively with the Windows Server based computer.
Generates the access token, which contains the security identifiers (SIDs) of the user and of all of the user's groups.
Manages local policy. Local policy is applied first and is overridden by any site, domain or OU policy defined in Active Directory (local, site, domain, OU order of precedence).
Maintains the audit policy (logging and alerting for the security reference monitor audits generated by the kernel).
Builds the list of trusted domains shown at the interactive logon screen.
Determines which users have been assigned privileges.
Manages memory quotas for usage.
Reads the System Access Control List (SACL) of each object to determine what security auditing has been defined for the object.

Windows Server security protocols

Figure: the security protocol stack.
Applications: remote file access (SMB), DCOM applications (secure RPC), IE and IIS (HTTP), directory-enabled applications (LDAP), mail, chat and news clients (POP3 and similar)
Application interface
Security Support Provider Interface (SSPI)
Security protocols: NTLM, Kerberos, SChannel (SSL/TLS), Distributed Password Authentication

Windows Server supports multiple security protocols.

NTLM
Windows NT LAN Manager (NTLM) is used for pass-through network authentication and for local account authentication on Windows 2000 Professional and member servers. It is used to authenticate clients that are unable to use Kerberos authentication, which includes Windows 95, Windows 98 and Windows NT operating systems.

Kerberos
The default authentication protocol used by Windows Server. It provides mutual authentication of client and server and better performance than NTLM, because a server can validate a ticket with its own key instead of passing each request through to a domain controller. It is based on TGTs (ticket-granting tickets) and service tickets. The Kerberos security provider uses the KDC service on a domain controller, and Active Directory, for obtaining TGTs and service tickets.
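The two Kerberos passages (the KDC service above and the protocol summary here) describe three exchanges: the client obtains a TGT from the KDC, presents the TGT to obtain a service ticket, and presents the service ticket to the service, which replies so that the client can authenticate the server as well. The following is an added example, not code from the slides, that plays all three exchanges between a client, a KDC and a service in one process. It is a toy: a simplified HMAC-SHA256 construction stands in for the Kerberos encryption types, tickets are JSON, and the realm NU.COM, the principal alice@NU.COM, the SPN cifs/fs1.nu.com and the password are made up. What it keeps faithful is the key separation, which is the security-relevant point: the krbtgt key never leaves the KDC, each ticket can be opened only by the party whose key sealed it, and every request carries a timestamped authenticator encrypted under a session key.

```python
"""Toy Kerberos v5 exchange (AS, TGS, AP). Added example, not from the slides.
A simplified cipher (HMAC-SHA256 keystream + tag) stands in for the Kerberos
encryption types, tickets are JSON, and realm/principal/SPN names are made up.
Key separation mirrors the real protocol: the krbtgt key never leaves the KDC,
each ticket is sealed with the key of the party that must read it, and the
client proves it holds a session key with a timestamped authenticator."""
import hashlib, hmac, json, os, time

TICKET_LIFE = 10 * 3600  # assumed lifetime (Windows default is 10 hours)
MAX_SKEW = 300           # Kerberos default clock-skew tolerance (5 minutes)

def string_to_key(password):  # stand-in for the real string-to-key function
    return hashlib.sha256(password.encode()).digest()

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _check(auth, ticket):
    """Authenticator must be fresh and name the same client as the ticket."""
    if abs(time.time() - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")
    if auth["client"] != ticket["client"] or ticket["expires"] < time.time():
        raise PermissionError("KRB_AP_ERR_BADMATCH")

class KDC:
    """Key Distribution Center: the AS and TGS services on a domain controller."""
    def __init__(self, realm, user_keys, service_keys):
        self.realm, self.user_keys, self.service_keys = realm, user_keys, service_keys
        self.krbtgt_key = os.urandom(32)  # secret behind every TGT; never leaves the KDC

    def as_exchange(self, principal, pa_enc_timestamp):
        """AS-REQ -> AS-REP: verify pre-authentication, issue the TGT."""
        ukey = self.user_keys[principal]
        if abs(time.time() - unseal(ukey, pa_enc_timestamp)["timestamp"]) > MAX_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")  # a wrong password already raised ValueError
        skey = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": principal, "session_key": skey.hex(),
                                     "expires": time.time() + TICKET_LIFE})
        return tgt, seal(ukey, {"session_key": skey.hex(), "service": f"krbtgt/{self.realm}"})

    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS-REQ -> TGS-REP: check TGT + authenticator, issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        skey = bytes.fromhex(t["session_key"])
        _check(unseal(skey, authenticator), t)  # requester must hold the TGT session key
        ssk = os.urandom(32)
        ticket = seal(self.service_keys[spn], {"client": t["client"], "session_key": ssk.hex(),
                                               "expires": time.time() + TICKET_LIFE})
        return ticket, seal(skey, {"session_key": ssk.hex(), "service": spn})

def client_logon(kdc, principal, password):
    """Client side of the AS exchange; returns the TGT and its session key."""
    ukey = string_to_key(password)
    tgt, enc = kdc.as_exchange(principal, seal(ukey, {"timestamp": time.time()}))
    return tgt, bytes.fromhex(unseal(ukey, enc)["session_key"])

def client_service_ticket(kdc, principal, tgt, tgt_skey, spn):
    """Client side of the TGS exchange; returns the service ticket and its session key."""
    auth = seal(tgt_skey, {"client": principal, "timestamp": time.time()})
    ticket, enc = kdc.tgs_exchange(tgt, auth, spn)
    return ticket, bytes.fromhex(unseal(tgt_skey, enc)["session_key"])

def service_accept(service_key, ticket, authenticator):
    """AP-REQ on the server: open the ticket with our own key, check the authenticator,
    return (client, AP-REP) so the client can verify us as well (mutual authentication)."""
    t = unseal(service_key, ticket)
    ssk = bytes.fromhex(t["session_key"])
    auth = unseal(ssk, authenticator)
    _check(auth, t)
    return t["client"], seal(ssk, {"timestamp": auth["timestamp"]})

def demo(password="correct horse"):
    """Full logon AS -> TGS -> AP in a constructed realm; returns (client, mutual_auth_ok)."""
    cifs_key = os.urandom(32)
    kdc = KDC("NU.COM", {"alice@NU.COM": string_to_key("correct horse")},
              {"cifs/fs1.nu.com": cifs_key})
    tgt, tgt_skey = client_logon(kdc, "alice@NU.COM", password)
    ticket, ssk = client_service_ticket(kdc, "alice@NU.COM", tgt, tgt_skey, "cifs/fs1.nu.com")
    ts = time.time()
    who, ap_rep = service_accept(cifs_key, ticket, seal(ssk, {"client": "alice@NU.COM", "timestamp": ts}))
    return who, unseal(ssk, ap_rep)["timestamp"] == ts  # only a holder of ssk could build the AP-REP
```

Note what the service never sees: the user's long-term key, the krbtgt key, and the KDC itself. It validates the ticket with its own key, which is the performance point made above. The same structure also shows why the krbtgt key and the service keys are the high-value secrets in a domain: whoever holds them can mint tickets that every check here will accept.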

Distributed Password Authentication (DPA)
A shared-secret authentication protocol used by MSN. DPA is part of the Microsoft Commercial Internet System (MCIS) services. It lets you use a single account and password to connect to all Internet sites that are members of the same Internet membership organization.

Secure Channel (Schannel) Service
Provides the ability to authenticate using public key-based protocols such as SSL and Transport Layer Security (TLS). If you use a PKI (Public Key Infrastructure), this protocol provides authentication of both client and server in a distributed network.

Security Support Provider Interface (SSPI)
SSPI is the common interface between applications and the security packages. It relieves applications of having to determine which Windows Server security protocol (Kerberos, NTLM, SChannel or another package) is used to authenticate the security principal: the application calls SSPI, and the selected security support provider does the work.
