In the Windows architecture, you can see that there are two basic modes – user mode (ring 3) and kernel mode (ring 0). User mode has restrictions, whereas kernel mode allows full access to all resources. This is an important concept for the ethical hacker to contemplate, as hacking tools or code that run in user mode can be detected by antivirus and analysis tools. However, if code can be deployed on a Windows system to run in kernel mode, it can hide itself from user mode detection and will be harder to detect and eradicate. All the code that runs on a Windows computer must run in the context of an account. The system account has the capability to perform kernel mode activities. The level of the account you hold determines your ability to execute code on a system. Hackers always want to run code at the highest possible privilege. Two of the items that Windows uses to help keep track of a user’s security rights and identity are
- Security Identifiers (SID)
- Relative Identifiers (RID)
SIDs are a data structure of variable length that identifies user, group, and computer accounts. For example, a SID of S-1-1-0 indicates a group that includes all users. Closely tied to SIDs are RIDs. A RID is a portion of the SID that identifies a user or group in relation to the authority that user has.
Windows stores user information and passwords in the SAM database. If the system is part of a domain, the domain controller stores the critical information. On standalone systems not functioning as domain controllers, SAM contains the defined local users and groups, along with their passwords and other attributes. The SAM database is stored in a protected area of the registry under HKLM\SAM.
Another important Windows security mechanism is Local security authority subsystem (Lsass). It might sound familiar to you, as Lsass is what the Sasser worm exploited by buffer overflow. Lsass is a user-mode process that is responsible for the local system security policy. This includes controlling access, managing password policies, user authentication, and sending security audit messages to the Event Log.
Network Authentication
Active Directory (AD) introduced with Windows 2000, changed the old NT trust model. AD is a directory service, similar to a database storing information about objects in a domain which includes password information and privileges for domain users and groups which were earlier kept in the domain SAM. A domain is a collection of computers and their associated security groups that are managed as a single entity. AD is compatible with LDAP.
NetBIOS enables applications on different systems to communicate through the LAN. NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. NetBIOS systems identify themselves by a 15-character unique name. As NetBIOS is non-routable by default, it runs over TCP/IP. NetBIOS provides three distinct services:
- Name service (NetBIOS-NS) for name registration and resolution.
- Datagram distribution service (NetBIOS-DGM) for connectionless communication.
- Session service (NetBIOS-SSN) for connection-oriented communication.
Server Message Blocks (SMB) allows for the remote access of shared directories and files. SMB, an upper layer, is a service that runs on top of the Session Service and the Datagram service of NetBIOS, and is not to be confused as a necessary and integral part of NetBIOS itself. SMB, whose another version is also known as Common Internet File System (CIFS). SMB operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is mostly used with Microsoft Windows, where it was known as “Microsoft Windows Network” before the subsequent introduction of Active Directory.
Key ports and protocols used by Microsoft are listed in the table
| Port | Protocol | Service |
| 135 | TCP | MS-RPC endpoint mapper |
| 137 | UDP | NetBIOS name service |
| 138 | UDP | NetBIOS datagram service |
| 139 | TCP | NetBIOS session service |
| 445 | TCP | SMB over TCP |
LAN Manager saves passwords as hashes, as a 128-bit number, with passwords up to 14 digits, but with two 7 digits parts which are not case sensitive hence, easier to break. It also change possible combinations from 284 to 237. It uses old and easy to break DES encryption. It is saved on SAM (Windows Security Accounts Manager) at %systemroot%\system32\config\SAM
NTLM and NTLM2 are improved LAN Manager. NTLM uses MD4 encryption and is case sensitive. NTLM can have password up to 127 characters with support for 56 bit encryption. NTLM2 improves NTLM to authenticate by session, and supports up to 128-bit encryption. Kerberos also used in Windows, uses AES encryption and is very secure as compared to others.
NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider (“NTLMSSP”). Originally used for authentication and negotiation of secure DCE/RPC, NTLM is also used throughout Microsoft’s systems as an integrated single sign-on mechanism. It is probably best recognized as part of the “Integrated Windows Authentication” stack for HTTP authentication; however, it is also used in Microsoft implementations of SMTP, POP3, IMAP (all part of Exchange), CIFS/SMB, Telnet, SIP, and possibly others.
The NTLM Security Support Provider provides authentication, integrity, and confidentiality services within the Window Security Support Provider Interface (SSPI) framework. SSPI specifies a core set of security functionality that is implemented by supporting providers; the NTLMSSP is such a provider. The SSPI specifies, and the NTLMSSP implements, the following core operations:
- Authentication — NTLM provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server.
- Signing — The NTLMSSP provides a means of applying a digital “signature” to a message. This ensures that the signed message has not been modified (either accidentally or intentionally) and that that signing party has knowledge of a shared secret. NTLM implements a symmetric signature scheme (Message Authentication Code, or MAC); that is, a valid signature can only be generated and verified by parties that possess the common shared key.
- Sealing — The NTLMSSP implements a symmetric-key encryption mechanism, which provides message confidentiality. In the case of NTLM, sealing also implies signing (a signed message is not necessarily sealed, but all sealed messages are signed).
NTLM has been largely supplanted by Kerberos as the authentication protocol of choice for domain-based scenarios. However, Kerberos is a trusted-third-party scheme, and cannot be used in situations where no trusted third party exists; for example, member servers (servers that are not part of a domain), local accounts, and authentication to resources in an untrusted domain. In such scenarios, NTLM continues to be the primary authentication mechanism (and likely will be for a long time).
Windows XP by default uses both LM & NTLM. Windows Vista and Windows 7 defaults to NTML2. Active Directory defaults to Kerberos, drops back as needed
Windows Token – It is a data structure that contains authentication and authorization information for a user. Windows creates the access token when the user logs on and the user’s identity is confirmed. The access token contains the user’s security ID (SID), the list of groups that the user is a member of, and the list of privileges held by that user. Each process or thread started for the user inherits a copy of the access token. In some cases a user may have more than one access token, with different levels of authority.
Token kidnapping refers to impersonation of authenticated token and could allow elevation of privilege. If an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.
ACL – It is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs, which are
- DACL – Discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access to it.
- SACL – A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.
When a user logs in he/she is assigned a access token; and securable objects have ACLs. When an user attempts to access a securable object the Windows security subsystem compare the information in the token access with the securable object and grant or deny access.
Windows Firewall
Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers.
This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.
Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.
Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.
Identical sets of policy settings, are available for two profiles:
- Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.
- Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
