Page 397 - DCAP103_Principle of operating system
Principles of Operating Systems
13.3 Security in Windows 2000
Having just looked at encryption in the file system, this is a good time to examine security in
general. NT was designed to meet the U.S. Department of Defense's C2 security requirements
(DoD 5200.28-STD, the "Orange Book"). This standard requires operating systems to have certain
properties in order to be classified as secure enough for certain kinds of military work. Although
Windows 2000 was not specifically designed for C2 compliance, it inherits many security
properties from NT, including the following:
1. Secure login with antispoofing measures.
2. Discretionary access controls.
3. Privileged access controls.
4. Address space protection per process.
5. New pages must be zeroed before being mapped in.
6. Security auditing.
Let us review these items briefly (none of which are met by Windows 98, incidentally).
Secure login means that the system administrator can require all users to have a password in
order to log in. Spoofing is when a malicious user writes a program that displays the login
prompt or screen and then walks away from the computer in the hope that an innocent user
will sit down and enter a name and password. The name and password are then written to disk
and the user is told that login has failed. Windows 2000 prevents this attack by instructing users
to hit CTRL-ALT-DEL to log in. This key sequence is always captured by the keyboard driver,
which then invokes a system program that puts up the genuine login screen. This procedure
works because there is no way for user processes to disable CTRL-ALT-DEL processing in the
keyboard driver.
Discretionary access controls allow the owner of a file or other object to say who can use it
and in what way. Privileged access controls allow the system administrator (superuser) to
override them when needed. Address space protection simply means that each process has its
own protected virtual address space not accessible by any unauthorized process. The next item
means that when a stack grows, the pages mapped in are initialized to zero so processes cannot
find any old information put there by the previous owner. Finally, security auditing allows the
administrator to produce a log of certain security-related events.
In the next section we will describe the basic concepts behind Windows 2000 security. After
that we will look at the security system calls. Finally, we will conclude by seeing how security
is implemented.
13.3.1 Fundamental Concepts of Security in Windows 2000
Every Windows 2000 user (and group) is identified by a SID (Security ID). SIDs are binary
numbers with a short header followed by a long random component. Each SID is intended to
be unique worldwide. When a user starts up a process, the process and its threads run under
the user’s SID. Most of the security system is designed to make sure that each object can be
accessed only by threads with authorized SIDs.
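The following PowerShell script is an added example, not code from the textbook: it reads the access token of the current process through the .NET WindowsIdentity and SecurityIdentifier types (the managed counterpart of the GetTokenInformation call described below), prints the user SID and group SIDs, and decodes the binary SID layout to show the short header and the sub-authority values that follow it. It assumes it is run on Windows under PowerShell 5.1 or later; the function name ConvertFrom-BinarySid is our own.

```powershell
# Added example (not from the textbook): inspect the access token of the current
# process and decode the binary layout of its user SID.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The user SID the process (and all its threads) run under.
"User  : {0}  ({1})" -f $identity.User.Value, $identity.Name

# The Groups field of the token: every SID the user is a member of, including
# well-known ones such as BUILTIN\Users and Everyone.
"Groups:"
foreach ($sid in $identity.Groups) {
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
    "  {0,-45} {1}" -f $sid.Value, $name
}

# Decode the binary form of a SID. Layout of the Windows SID structure:
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities
#   bytes 2-7   identifier authority, 48-bit big-endian (5 = NT Authority)
#   then N x 4  sub-authorities, 32-bit little-endian; for a machine or domain
#               account SID the three values after 21 are the random component
#               and the final value is the RID of the user or group.
function ConvertFrom-BinarySid {
    param([byte[]]$Bytes)
    $revision = $Bytes[0]
    $count    = $Bytes[1]
    [uint64]$authority = 0
    for ($i = 2; $i -le 7; $i++) {
        $authority = ($authority -shl 8) -bor [uint64]$Bytes[$i]
    }
    $subs = @()
    for ($i = 0; $i -lt $count; $i++) {
        $subs += [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    [pscustomobject]@{
        Revision       = $revision
        Authority      = $authority
        SubAuthorities = $subs
        StringForm     = "S-$revision-$authority-" + ($subs -join '-')
    }
}

$raw = New-Object byte[] $identity.User.BinaryLength
$identity.User.GetBinaryForm($raw, 0)
$decoded = ConvertFrom-BinarySid $raw
$decoded | Format-List

# Sanity check: the decoded header and sub-authorities must round-trip to the
# string form the operating system reports for the same SID.
if ($decoded.StringForm -ne $identity.User.Value) { throw "SID decode mismatch" }
```

Running this as an ordinary user shows that the token carries not just the user's own SID but every group SID the access check may match against an object's ACL, which is why a process started from a restricted account cannot gain rights simply by asking for them later: the token is fixed at logon.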
Each process has an access token that specifies its SID and other properties. It is normally
assigned at login time by winlogon and is shown in Figure 13.13, although processes should call
GetTokenInformation to acquire this information since it may change in the future. The header
contains some administrative information. The expiration time field could tell when the token
ceases to be valid, but it is currently not used. The Groups fields specify the groups to which the
process belongs: this is needed for POSIX conformance. The default DACL (Discretionary ACL) is