Windows security context
•Download as PPTX, PDF•
0 likes•1,005 views
This document discusses Windows security context and concepts such as logon, access checks, and User Access Control (UAC). It covers how Windows uses Logon Sessions and Access Tokens to manage a user's security context after logon. It also explains key concepts like Security Identifiers (SIDs) and how they are used to identify users and grant permissions to securable objects through Access Control Lists (ACLs). The document notes that UAC creates separate standard user and administrator logon sessions to filter administrator privileges for non-administrative tasks.
Recommended
Recommended
More Related Content
What's hot
What's hot (10)
Viewers also liked
Viewers also liked (11)
Similar to Windows security context
Similar to Windows security context (20)
More from InGuen Hwang
More from InGuen Hwang (20)
Recently uploaded
Recently uploaded (20)
Windows security context
- 1. Windows Security Context 로그온, 권한접근 체크, UAC 2015. 06. 11 기술지원팀 황인균
- 2. 황인균 로그온 & 접근권한 체크 사용자 Windows LSASS*( Lsass.exe) Login Session - Access Token( SID포함) Winlogon Userinit.exe 프로세스 - Access Token 프로세스 - Access Token create 로그온 Create Securable Object( 예, file ) - Security Descriptor( ACL SID 포함 ) Duplicate Access Token Security Subsystem 1) Check permissions 2) Token 정보,ACL 정보 비교 1) 세션 생성 2) 사용자의 초기화 프로세스 생성 1) 사용자 Token을 갖는 최상위 부모 프로세스 2) 사용자의 동일 Session에서 실행되는 모든 프로세스들은 이 프로세스에서 Token의 복사본을 상속받는다. create 3) 접근 허용Process Manager * LASS – Local Security Authority Subsystem Service
- 3. 황인균 SID( Security Identifier ) 란? ■ SID In Windows, Security Identifiers(SIDs) uniquely identify users, groups, computers, and other entities. SIDs are what are stored in access tokens and in security descriptors, and they are what are used in access checks. SID =( revision number, authority value, subauthority value, RID( relative identifier ) Authority value : the agent that issued the SID( Windows local System 또는 domain ) Subauthority value : trustees relative to the issuing authority. RID : a way for windows to create unique SIDs based on a common base SID S-1-5-21-211353117-160xx-83xx - 1 : revision, 5 : authority, 21~83xxx : subauthority values S-1-1-0 - everyone 그룹( 고정된 SID – 모든 Windows에서 동일한 값을 가짐) ■ SID name The names that are associated with SIDs are only for userinterface purposes, and because of localization they can change from system to system. US English systems - Administrators group with the SID S-1-5-32-544 German systems – Administratoren, Italian systems - Gruppo Administrators, Finnish systems - Järjestelmänvalvojat ■ Local SID( Machine SID ) Each Windows computer has a local SID, also known as a machine SID, which is created during setup. Each local group and user account on the computer has a SID based on the machine SID with a relative ID (RID) appended to it. ■ Domain SID Likewise, each Active Directory domain has a SID, and entities within the domain (including domain groups, user accounts, and member computers) have SIDs based on that SID with a RID appended. In addition to these machine-specific and domain-specific SIDs, Windows defines a set of well-known SIDs in the NT AUTHORITY and BUILTIN domains. Windows Sysinternals Adminitrator’s Reference 저자 : Mark Russinovich - p. 185 각 엔터티의 SID = Base SID ( local SID, domain SID ) + RID( Relative ID ) p.390 In Windows Vista and newer, services are assigned security identifiers(SIDs), and it becomes possible to grant or deny access to specific services.
- 4. 황인균 SID( Security Identifier ) 란? ※ PsGetSid - SID SID 명령 psgetsid S-1-5-21-1699876237-… 출력결과 Account for 로컬컴퓨터명S-1-5-21-1699876237-…: User: 도메인명dalbong2
- 5. 황인균 권한 객체 #1 Logon Session Access Token SID includehas Process Access Token has duplicate LUID System : 0x3e7( 999 ) Local Service : 0x3e5( 997) Network Service : 0x3e4( 996 ) has LSASS( Lsass.exe) Security Descriptor ACL * SID includeincludeinclude Access Securable Object 예) file ACE * Permissions 다음 슬라이드 >> create Process Manager * ACL, ACE – 다음 슬라이드
- 6. 황인균 권한 객체 #2 • Logon Session • Security Descriptor ACL DACL( Discretionary Access Control List) SACL( System Access Control List ≒ system AUDIT control list ) LSA Logon Session TS Session is is contains • ACE( Access Control Entries) SID permissions • ACL - http://clintboessen.blogspot.kr/2011/04/whats-difference-between-acl-ace-dacl.html Windows Sysinternals Adminitrator’s Reference - 저자 : Mark Russinovich - 출판사 : Microsoft SID : p.185~186, 390 LSA Logon Session : p.18, 30, 280 Process : p.21 * ACE( Access Control Entries ) - An entry in an access control list (ACL) - files, folders, registry keys, process , Windows object manager에서 정의한 객체들( directory, sections, semaphores) - An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee access rights : allowed, denied, or audited. - https://msdn.microsoft.com/en-us/library/windows/desktop/aa374868(v=vs.85).aspx
- 7. 황인균 UAC UAC on Two LSA Logon Session create Standard User Session Administrator Session OTS( Over The Shoulder) elevation – Account Credentials 입력 창 출력 AAM (Admin Approval Mode) elevation – Approval 창 출력 Standard User Session : contains FILTERED TOKEN with powerful groups disabled and powerful privileges removed Administrator Session : contains TOKEN representing the user’s full rights.
- 8. 황인균 Security Context Security Context object Configuration manager Key object, … Memory manager Section object( Shared memory), …. Executive Semaphore, Mutant, … I/O manager File, … Process manager Thread, process, …