The document provides information about Windows security concepts such as security contexts, security identifiers (SIDs), access tokens, account security, passwords, rights, permissions, and the latest security features in Windows 10. It explains that each running process is associated with a security context that includes the user's SID and group SIDs. It also describes what a SID contains and how SIDs are used to uniquely identify users and groups. The document outlines where tokens and SIDs are located in Windows and what components make up an access token. It discusses various account security and password policies that can be configured in Windows.
Windows Security in Operating System
1. Birla Institute Of Technology
Mesra, Jaipur
Topic: Windows Security
PRESENTED BY:
YASH SOGANI
MCA/25025/18
2. Security Context
One of the basic tenets of Windows security is that each process runs on behalf of a user.
So, each running process is associated with a security context.
A security context is a bit of cached data about a user, including his/her SID, group SIDs, and privileges.
3. Security Identifier (SID)
Users reference their accounts by usernames, but the operating system internally references accounts by their security identifier.
SIDs are unique in their scope (domain or local) and are never reused, so they are used to uniquely identify user and group accounts in Windows.
By default the operating system
A SID contains various parts:
S-<revision>-<identifier authority>-<subauthorities>-<relative identifier>
4. Revision: this value indicates the version of the SID structure used in a particular SID.
Identifier authority: this value identifies the authority that can issue SIDs for this particular type of security principal.
5. Subauthority: the most important information in a SID is contained in a series of one or more subauthority values. All values except the last one collectively identify the domain and are called the domain identifier; the last value is the relative identifier (RID).
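The SID layout described on slides 3 to 5, as an added example that is not part of the original slides: a small parser that splits a textual SID into revision, identifier authority, domain identifier and RID, rejects values that would not fit the binary SID fields, and compares two SIDs by domain. The sample SID values are constructed for illustration, not taken from any real system.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Textual SID layout from the slides: S-<revision>-<identifier authority>-<subauthorities...>
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: Tuple[int, ...]

    @property
    def domain_identifier(self) -> Tuple[int, ...]:
        # All subauthority values except the last collectively identify the domain
        # (empty for well-known SIDs with a single subauthority such as S-1-5-18).
        return self.subauthorities[:-1]

    @property
    def rid(self) -> int:
        # The last subauthority value is the Relative Identifier.
        return self.subauthorities[-1]


def parse_sid(text: str) -> Sid:
    """Split a SID string into its parts, rejecting values outside the binary field widths."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(p) for p in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError("only SID revision 1 is defined")
    if authority >= 1 << 48:  # the identifier authority is a 48-bit field
        raise ValueError("identifier authority out of range")
    if len(subs) > 15 or any(s >= 1 << 32 for s in subs):  # at most 15 32-bit subauthorities
        raise ValueError("subauthority list out of range")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def same_domain(a: Sid, b: Sid) -> bool:
    """True when two SIDs share the same domain identifier and differ only in their RID."""
    return a.identifier_authority == b.identifier_authority and a.domain_identifier == b.domain_identifier


if __name__ == "__main__":
    s = parse_sid("S-1-5-21-1004336348-1177238915-682003330-500")  # constructed sample value
    print(s.domain_identifier, s.rid)
```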
6. Where is the SID located?
When a user logs in for the first time, the system makes chuckling sounds, and explorer.exe starts running after some time. This is because the operating system is creating a user profile.
The operating system dynamically loads the user's registry hive under HKEY_USERS as users log on and off interactively.
7. To see this, open the registry (type "regedit" at Start > Run), then type "runas /user:<user-account> cmd" at the command prompt and give the password. A new window will open. Refresh the registry (F5) at HKEY_USERS to see the dynamically loaded SIDs.
The files NTUSER.DAT and NTUSER.DAT.LOG (present in the account profile, C:\Documents and Settings\<your-account>) make up the registry hive for the user profile.
8. Access Token
A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs, and privileges.
A token is created whenever a user successfully logs on to the network, and a copy of this token is assigned to every process and thread that executes on the user's behalf.
A token consists of the following components: account ID, group IDs, rights, owner, primary group, type, impersonation level, statistics, restricted SIDs, and session ID.
9. Account Security
User accounts are the core unit of network security.
Domain accounts are stored in the Active Directory database, whereas local accounts are stored in the Security Accounts Manager (SAM) database.
The passwords for the accounts are stored and maintained by the System Key.
Though the accounts are secured by default, we can secure them even further.
10. Password storage
The system stores the passwords in the machine's password stash, i.e., under HKLM\Security\Policy\Secrets.
Type "at 9:23am /interactive regedit.exe", substituting whatever time is appropriate (make it one minute in the future). Once regedit fires up, carefully look at the subkeys under HKLM\Security\Policy\Secrets. You're looking at the machine's password stash, more formally known as the LSA private data store.
The operating system also, by default, caches (stores locally) the last 10 passwords.
11. Account lockout policies:
Account lockout duration: locks the account out for a particular duration (1 to 99,999 minutes).
Account lockout threshold: locks out the account after a particular number of failed logon attempts (starting from 1 attempt).
Reset account lockout counter after: resets the account lockout counter after a certain period (1 to 99,999 minutes).
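How the three lockout settings above interact, as an added example that is not part of the original slides: a simulator that replays a constructed timeline of logon attempts (minute, password correct?) against a policy and reports whether each attempt is a failure, a success, or rejected because the account is locked. The policy names and value ranges follow the slide; the rule that the reset window may not exceed the lockout duration is an assumption based on how Windows validates these settings.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int            # failed logons before lockout; 0 disables lockout
    duration_minutes: int     # 1-99,999 minutes; 0 = locked until an administrator unlocks
    reset_after_minutes: int  # 1-99,999 minutes; failure counter is cleared after this window

    def validate(self) -> None:
        if not 0 <= self.duration_minutes <= 99_999 or not 1 <= self.reset_after_minutes <= 99_999:
            raise ValueError("minute values must be within the policy ranges")
        if self.duration_minutes and self.reset_after_minutes > self.duration_minutes:
            raise ValueError("reset window must not exceed the lockout duration")  # assumed rule


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None  # minutes since an arbitrary epoch
    locked_until: Optional[float] = None  # math.inf when the duration is 0


def attempt(policy: LockoutPolicy, state: AccountState, now: float, password_ok: bool) -> str:
    """Apply one logon attempt at time `now` (minutes); returns 'locked', 'failure' or 'success'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"           # still inside the account lockout duration
        state.locked_until = None     # duration elapsed: the account unlocks itself
        state.failures = 0
    # "Reset account lockout counter after": forget failures older than the window
    if state.last_failure is not None and now - state.last_failure >= policy.reset_after_minutes:
        state.failures = 0
    if password_ok:
        state.failures = 0
        return "success"
    state.failures += 1
    state.last_failure = now
    if policy.threshold and state.failures >= policy.threshold:
        state.locked_until = now + policy.duration_minutes if policy.duration_minutes else math.inf
        return "locked"
    return "failure"


def run(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Replay a constructed timeline of (minute, password_ok) attempts from a fresh account state."""
    policy.validate()
    state = AccountState()
    return [attempt(policy, state, t, ok) for t, ok in events]


if __name__ == "__main__":
    p = LockoutPolicy(threshold=3, duration_minutes=30, reset_after_minutes=30)
    print(run(p, [(0, False), (1, False), (2, False), (3, True), (33, False), (40, True)]))
```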
12. Password policies:
Enforce password history: enforces password history (0 to 24 passwords remembered).
Maximum password age: sets the maximum password age (0 to 999 days).
Minimum password age: sets the minimum password age (0 to 999 days).
Minimum password length: sets the minimum password length (0 to 14 characters).
Password must meet complexity requirements: forces the user to set complex alphanumeric passwords.
13. Storing passwords using reversible encryption for users in the domain:
We enable this if we want the password to be decrypted and compared to plain text using methods like Challenge Handshake Authentication Protocol (CHAP) or Shiva Password Authentication Protocol (SPAP).
14. Rights: rights are actions or operations that an account can or cannot perform.
User rights are of two types:
Privileges: a right assigned to an account specifying allowable actions on the network. Ex: Back up files and directories.
Logon rights: a right assigned to an account specifying the ways in which the account can log on to a system locally. Ex: Access this computer from the network.
15. Permissions: define which resources accounts can access and the level of access they have.
Right-click on any file, open Properties, go to the Security tab, and set permissions.
16. Latest security features
Windows 10 provides the latest antivirus protection with Windows Security. Your device will be actively protected from the moment you start Windows 10. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.
If you have another antivirus app installed, Windows Security will turn off automatically.
In previous versions of Windows 10, Windows Security is called Windows Defender Security Center.
17. Run a scan manually
When you're concerned about risks to a specific file or folder, you can right-click the file or folder in File Explorer, then select Scan with Windows Defender.
If you suspect there's malware or a virus on your device, you should immediately run a quick scan. This is much faster than running a full scan on all your files and folders.
18. To run a quick scan in Windows Security:
Select Virus & threat protection.
Under Current threats, select Quick scan (or in previous versions of Windows 10, under Threat history, select Scan now).
If you don't find any urgent issues, you may want to check your device more thoroughly.
19. To run an advanced scan in Windows Security:
Select Virus & threat protection.
Under Current threats, select Scan options (or in previous versions of Windows 10, under Threat history, select Run a new advanced scan).
Select one of the scan options: Full scan (check files and programs currently running on your device), Custom scan (scan specific files or folders), or Windows Defender Offline scan (run this scan if your device has been, or could potentially be, infected by a virus or malware).
Click Scan now.
20. Turn Windows Defender Antivirus real-time protection on or off
Sometimes you may need to briefly stop running real-time protection. While real-time protection is off, files you open or download won't be scanned for threats. However, real-time protection will soon turn on automatically again to protect your device.
21. To turn real-time protection off temporarily:
Select the Start button, then select Settings > Update & Security > Windows Security > Virus & threat protection > Manage settings. (In previous versions of Windows 10, select Virus & threat protection > Virus & threat protection settings.)
Switch the Real-time protection setting to Off and choose Yes to verify.