2. 황인균
Logon & access permission check
[Diagram: logon flow and access check; the boxes and arrow labels are listed below]
- User → logon → Winlogon
- Winlogon → Windows LSASS* (Lsass.exe)
  1) Creates the logon session
  2) Creates the user's initialization process
- Logon Session
  - Access Token (includes SIDs)
- Userinit.exe process
  - Access Token
  1) The top-level parent process that holds the user's token
  2) Every process running in the same user session inherits a copy of the token from this process
- Process (created by the Process Manager)
  - Access Token (duplicate of the access token)
- Securable Object (e.g., file)
  - Security Descriptor (ACL, includes SIDs)
- Security Subsystem
  1) Check permissions
  2) Compare the token information against the ACL information
  3) Allow access
* LSASS – Local Security Authority Subsystem Service
3. 황인균
What is a SID (Security Identifier)?
■ SID
In Windows, Security Identifiers (SIDs) uniquely identify users, groups, computers, and other entities.
SIDs are what are stored in access tokens and in security descriptors, and they are what are used in access checks.
SID = (revision number, authority value, subauthority values, RID (relative identifier))
Authority value: the agent that issued the SID (the Windows local system or a domain)
Subauthority values: trustees relative to the issuing authority.
RID: a way for Windows to create unique SIDs based on a common base SID
S-1-5-21-211353117-160xx-83xx
- 1: revision, 5: authority, 21~83xxx: subauthority values
S-1-1-0
- Everyone group (fixed SID; it has the same value on every Windows system)
■ SID name
The names that are associated with SIDs are only for user interface purposes, and because of localization they can change from system to system.
US English systems - Administrators group with the SID S-1-5-32-544
German systems - Administratoren, Italian systems - Gruppo Administrators, Finnish systems - Järjestelmänvalvojat
■ Local SID (Machine SID)
Each Windows computer has a local SID, also known as a machine SID, which is created during setup.
Each local group and user account on the computer has a SID based on the machine SID with a relative ID (RID) appended to it.
■ Domain SID
Likewise, each Active Directory domain has a SID, and entities within the domain (including domain groups, user accounts, and member computers) have SIDs based on that SID with a RID appended. In addition to these machine-specific and domain-specific SIDs, Windows defines a set of well-known SIDs in the NT AUTHORITY and BUILTIN domains.
Reference: Windows Sysinternals Administrator's Reference
Author: Mark Russinovich
- p. 185
Each entity's SID = Base SID (local SID or domain SID) + RID (Relative ID)
p. 390: In Windows Vista and newer, services are assigned security identifiers (SIDs), and it becomes possible to grant or deny access to specific services.
5. 황인균
Permission objects #1
[Diagram: relationships among logon session, access token, process and securable object; the boxes and arrow labels are listed below]
- LSASS (Lsass.exe) creates the Logon Session.
- Logon Session has an Access Token, which includes SIDs.
- Process has an Access Token, a duplicate of the logon session's token; the Process Manager creates the process.
- LUID of the logon session:
  - System: 0x3e7 (999)
  - Local Service: 0x3e5 (997)
  - Network Service: 0x3e4 (996)
- Securable Object (e.g., file) has a Security Descriptor, which includes an ACL*, which includes ACEs*, each of which includes a SID and permissions.
- Access: the process's token is checked against the securable object's ACL (next slide >>).
* ACL, ACE – next slide
6. 황인균
Permission objects #2
• Logon Session
  - is an LSA Logon Session
  - is a TS Session
• Security Descriptor contains an ACL
  - DACL (Discretionary Access Control List)
  - SACL (System Access Control List ≒ system AUDIT control list)
• ACE (Access Control Entries)
  - SID
  - permissions
• ACL - http://clintboessen.blogspot.kr/2011/04/whats-difference-between-acl-ace-dacl.html
Reference: Windows Sysinternals Administrator's Reference
- Author: Mark Russinovich
- Publisher: Microsoft
SID: p. 185~186, 390
LSA Logon Session: p. 18, 30, 280
Process: p. 21
* ACE (Access Control Entry)
- An entry in an access control list (ACL)
- Applies to files, folders, registry keys, processes, and the objects defined by the Windows object manager (directories, sections, semaphores)
- An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee
  access rights: allowed, denied, or audited.
- https://msdn.microsoft.com/en-us/library/windows/desktop/aa374868(v=vs.85).aspx
7. 황인균
UAC
UAC creates two LSA Logon Sessions for the user:
- Standard User Session: contains a FILTERED TOKEN with powerful groups disabled and powerful privileges removed
- Administrator Session: contains a TOKEN representing the user's full rights.
Elevation prompts:
- OTS (Over The Shoulder) elevation – displays a window asking for account credentials
- AAM (Admin Approval Mode) elevation – displays an approval window