Securing Windows NT

WINDOWS NT SECURITY is a combination of techniques that ensure aconsistent level of protection against unwanted access. To implement security,you must protect your network, the operating system, and your data. You do so byusing NT's logon authentication, object security, and user rights. To takeadvantage of NT's highest security capabilities, C2-level security, you need thecorrect software and hardware in the specified configuration. NT providesauditing tools to help you assess your NT security situation, but you also needto be aware of the security issues involved with communications over theInternet. So to ensure that you're protected on all fronts, you need to knowabout all the issues and techniques involved with NT security.

The Security Spectrum
Security breaks down into three main functional areas: over-the-wire networksecurity, OS security, and data encryption.

Network security provides authentication (making sure the dataserver and the recipient are correct and secure) and ensures data integrity(making sure the data received is the same as the data sent). Achieving networksecurity means implementing a network protocol, such as NetBEUI and TCP/IP,tailored to the data you're transmitting (for more information about networksecurity, see John Enck, "Confronting Your Network Security Nightmares,"page 81). On the Internet, security protocols, such as Kerberos, are mostlyservices that run on top of TCP/IP.

These protocols offer various levels of security, performance (mostlyachieved by minimizing security protocol overhead), flexibility, andavailability across multiple platforms. After the network infrastructure is inplace, adding and extending a security protocol is theoreticallystraightforward. All you need is a consensus among the members of the networkingcommunity--a process like herding cats.

OS security must be integrated from the start. If basic securityfeatures aren't present, adding them later is almost impossible. For example,Microsoft was unable to add meaningful security to 16-bit versions of Windowsafter development. A new 32-bit OS, Windows NT, and a new programming model (theWin32 API) were necessary. NT has robust security features to control useraccess to objects such as files and directories, the system Registry, andprinters.

NT also includes a security auditing system that lets administrators trackaccess to files or other objects, logon attempts, system shutdowns or restarts,and so on (for more on security auditing, see Mike Reilly, "Find Holes inYour NT Security," page 87). In contrast, Windows 95 has only rudimentarylogon security, no object security, and only limited logging capabilities.

Data encryption can work in several ways. Many applications haveencryption built-in. Some protocols, such as Secure Simple Mail TransferProtocol (SSMTP), support automatic encryption. Third-party encryption, such asPretty Good Privacy (PGP), is also available. Microsoft has even added a basicencryption system, the Cryptography API (CAPI), to the Win32 API.

CAPI is a set of functions that let application and systems softwaredevelopers access independent cryptographic services. NT has a basecryptographic service provider that lets you encode data for secure storage andtransmission with a combination of public and private keys. The method ofencryption is similar to PGP's method. (For more on data encryption, seeLawrence Hughes, "Secure Enterprise Email," May 1996, "DigitalEnvelopes and Signatures," September 1996, and "Exchange Email:Signed, Sealed, Delivered," page 103.)

The Facets of NT Security
NT provides security in three fundamental areas. These areas are logonauthentication, object security, and user rights.

NT's Local Security Authority validates interactive and remote (via RemoteAccess Service--RAS) logons to both local and global (domain) accounts, checkingthem against the Security Account Manager (SAM) database of account names andpasswords. The Local Security Authority also manages audit messages.

The Security Reference Monitor checks whether a user has permission toaccess an object and perform the requested action. It's also responsible forgenerating audit messages. With the Permissions dialog in NT's File Manager (orExplorer under NT 4.0), you can secure most objects. For example, NT 4.0'sDistributed Component Object Module (DCOM) object server activation and accesssecurity is fully integrated into the NT security model (for more on DCOM, seemy article, "NT 4.0's Distributed Component Object Model," September1996).

Besides object security, NT lets you control an account's ability toperform system-related functions. With NT's User Manager (or User Manager forDomains), you can control which account or group can, for example, addworkstations to a domain (for information about domains, see Mark Minasi, "Domainsand Workgroups," April 1996, and Ed Tittel and Mary Madden, "Domains,Trust Relationships, and Groups," June 1996), back up or restore files anddirectories, change the system time, log on locally, manage auditing andsecurity logs, and shut down the system. The Local Security Authority maintainsthe Account Policy.

Administering Accounts: Logon Authentication
NT manages both machines and users. So it must validate authorizedusers and provide them with the means to access the system.

At the highest level, an NT domain is a collection of machines thatdomain controllers administer as one and that share a security database.That database maintains information for all users with accounts in that domainand for groups (collections of users). An NT domain account--a globalaccount--has the form domainuser. If you log on to an NT machine, youcan use this style of reference in the Connect As option of the MapNetwork Drive dialog to connect to a resource as a different user--even in adifferent domain. (The system will prompt you for that user's password.)

Besides domain accounts, each machine can have a local securitydatabase containing information about users--and groups--that only that machineknows about. Local machines behave like standalone domains. Accounts on localmachines have the form machineuser, but these accounts or groups arenot available on other machines.

The primary tool for administering users and groups on a domain isusrmgr.exe, or User Manager for Domains, which ships with NT Server. Areduced-functionality version, musrmgr. exe or User Manager, ships with NTWorkstation and displays information only for the local system. Screen 1 showsusrmgr.exe, which can display both domain and local information, depending onthe commands you use to start it: usrmgr manages the domain the user iscurrently logged on to, usrmgr domainname manages a specific domain, andusrmgr \machinename manages a specific machine.

Loading domains in organizations with thousands of domain users can takeseveral minutes. The ability to start with a particular machine or domain cansave an administrator time. usrmgr also lets administrators manage trustrelationships with domains, so users in domain A can access resources in domainB as if those users were part of domain B.

A permanent unique value, a Security Identifier (SID), identifiesindividual users and groups. After the system assigns the SID, the system won'tuse that ID again. If you delete a user or group and then re-create it, thatgroup or user must receive a new SID, and you have to reestablish any objectaccess rights for the new SID.

Access Through APIs: Object Security
NT enforces object security by ensuring all object-related requests gothrough its built-in security mechanism. Many Win32 API functions have optionalsecurity-related parameters, and all programs running under NT mustuse these APIs to access objects. If you could shell out to a DOS prompt andcopy, rename, or delete a file without using these functions, security would bepointless. In fact, the ability to directly manipulate hardware in 16-bitWindows and DOS--and the fact that Windows 95 provides complete 16-bit Windowsand DOS support--is a major problem in trying to provide a secure system forthose environments.

The security parameters in the Win32 API are optional, but NT usuallyrequires them when a program accesses a systemwide resource (e.g., setting thesystem time). Some applications can implement security when working with userfiles or directories--the impact on performance is negligible--but most APIcalls don't specify security information.

Win95 doesn't know anything about security and ignores all securityparameters. This blind spot can lead to some subtle differences in how a programthat runs under both NT and Win95 behaves. (This is just one reason why testingsoftware on both platforms is important.)

Implementing security at the API level has another subtle implication. Inclient/server applications, the server application usually controls objectaccess. Because the client usually doesn't access security directly, the serveroften needs to act as the client's proxy. The server can either impersonate theclient using the Impersonate...() APIs or log on as the client (if the serverhas the client's username and password).

Securing Objects
Besides files and directories, NT secures many other objects. The Win32 APIimplements five function groups that work with security descriptors andcorrespond to five kinds of objects.

A security descriptor (SD) describes the security attributes of eachsecurable object. These attributes identify the object's owner and two accesscontrol lists (ACLs), one for object access and the other for auditing. The ACLfor object access is the discretionary access control list (DACL). Itcontains several access-control entries (ACEs). Each ACE identifies an SID andits access permission (allowed or disallowed). The other ACL is the systemaccess control list (SACL), which controls event auditing.

Very Important Privileges: User Rights
In addition to access rights, which are associated with objects, NTimplements privileges. To assign object rights, you use File Manager orExplorer; to assign privileges, you use User Manager. Privileges become part ofthe access token that a user receives when successfully logged on to the system.The OS determines the set of privileges available; applications can't definetheir own. Table 1 shows the privileges NT 4.0 understands.

Privileges are a source of frustration. Have you ever added an account to asystem, tried to log on to that account, and received the message, "Thelocal policy of this system does not permit you to log on interactively?"By default, NT assigns new users to the group Users, but this group, also bydefault, doesn't have permission to log on locally.

With Microsoft's Internet Information Server (IIS), you can run into asimilar problem. The pre-established Internet user account, iusr_machine,is a local account with few privileges, so you can't use it as the IISanonymous-logon account if the user specifies Hypertext Transfer Protocol (HTTP)basic authentication.

If you explore usrmgr.exe, you find the Everyone group under Access thiscomputer from the network, although the system doesn't appear to have thisgroup. NT defines a few well-known SIDs, such as Everyone and Interactive, tohelp you work with common access rights.

In general, privileges override individual object security. An example ofneeding to override security is when a backup administrator must change thearchive flag on every file on a volume. Without the corresponding privilege, theadministrator has to add another ACE to each file to let the backup programtouch the flag. If you add the SID for Everyone to a privilege or access right,NT security doesn't have to check any further, so some operations go faster.

C2 Security
According to the Trusted Computer System Evaluation Criteria (TCSEC)published by the National Computer Security Center (NCSC)--C2 security requiresa specific combination and configuration of software and hardware. NT isnot a C2-secure OS, but you can make it C2-secure. Microsoft designed thiscapability into NT's security model from the beginning. Here are somerequirements of C2-level security.

The Windows NT Resource Kit includes the c2config.exe (C2 ConfigurationManager) utility, which tests a system for compliance with each C2 requirementas you see in Screens 2 and 3. (For more information about C2 security on NT,see Anne Fischer Lent, "C2 Clearance," and Roger Tachuk, "What IsC2 Security?" November 1995.)

Auditing Events
Auditing can disclose unauthorized access attempts. You have to balance thecosts against the benefits of auditing. The costs include the impact on systemperformance and disk space and the effort required to sift through potentiallylarge volumes of transactions, searching for meaningful information.

The primary auditing tool in NT is the Event Log. It lets you auditsuccessful and failed object access and user rights events. The Auditing dialogin NT's Explorer, for instance, lets you audit Read, Write, Execute, Delete,Change Permissions, and Take Ownership file and directory events. Screen 4 showsthe information the Event Log provides.

With usrmgr.exe, you can turn auditing on or off for logon and logoff, fileand object access, use of user rights, user and group management, securitypolicy changes, and restart, shutdown, and system-process tracking. Of course,if you don't enable the user rights to Manage auditing and security log(see Table 1 for a list of rights), you can't change anything.

Internet Security Framework
In contrast to NT's well-established security model, Microsoft's Internetsecurity model is an evolving process that became apparent only with thecompany's major Internet push. The Internet Security Framework (ISF) is more acollection of related network protocols than a framework.

ISF provides several specialized network protocols on top of the CAPI andMicrosoft's code-signing effort, Authenticode, which uses third-party certifyingauthorities to ensure that no one tampers with downloaded code and that the codehas a known publisher. (For information on Authenticode, see www.microsoft.com/intdev/signcode.)

ISF's network protocols include:

ISF encrypts all network packets. However, applications can have additionalencryption. For instance, with code that Microsoft licensed from NorTel and RSA,Microsoft Exchange can protect email with end-to-end message signing/encryption.The North American version of Exchange can use either 56-bit Data EncryptionStandard (DES) or 64-bit CAST encryption. Export restrictions limit othernational versions to the 40-bit CAST encryption.

Accidents Waiting to Happen
NT uses a variety of technologies to handle security. The increasinglydistributed nature of today's applications and the rapid rise of communicationsoutside the organization--most important, over the Internet--complicatesdrawing a line around something and calling it secure. Although only a fewsecurity technologies are appropriate in any situation, you need to understandall that's available to ensure that systems do not become accidents waiting tohappen.