Understand the mechanisms of NT's robust security system
Preventing unauthorized access to sensitive data is essential in environments in which multiple users share the same physical or network resources. Operating systems (OSs) and individual users must be able to protect files, memory, and configuration settings from unauthorized viewing and modification. OS security includes obvious mechanisms such as accounts and passwords. However, OS security also includes less-obvious mechanisms for protecting the OS itself from corruption, preventing less-privileged users from performing actions such as rebooting the computer, and preventing the programs of less-privileged users from adversely affecting the programs of other users or the OS.
The stringent requirements of providing robust security influenced the design of Windows NT, which has earned a C2 security rating. This security rating puts NT on par with most UNIX systems. Although you're probably familiar with user accounts, groups, and NT's file and Registry security editors, you might find the way NT implements its logon validation, object protection, and privilege checking a mystery. Yet if you have a basic knowledge of what goes on behind the scenes in NT security, you'll know which security policies you need to install, and you can better protect your systems.
To help you gain a basic knowledge of NT security, I'm beginning a two-part look at NT security this month. I'll review what a C2 security rating is and what facilities an OS must include to earn a C2 rating. I'll discuss NT's security identifiers (SIDs), which NT uses to identify users, groups, computers, and domains. Next, I'll present an overview of NT's logon procedure, and I'll discuss local and network (domain) logon. Finally, I'll discuss access tokens. Next month, I'll conclude with a detailed description of object security access validation, client/server impersonation, privileges, and policies.
C2 Security
The US Department of Defense (DoD) National Security Agency (NSA) established the National Computer Security Center (NCSC, at http://www.radium.ncsc.mil) in 1981 to help the government, corporations, and home users protect proprietary and personal data stored in computer systems. The NCSC evaluates commercial OSs, network components, and trusted applications against a range of security ratings, which Table 1 shows. The ratings are defined by DoD's Trusted Computer System Evaluation Criteria (TCSEC), first published in 1983; the TCSEC document itself is commonly known as the "Orange Book."
The TCSEC defines a hierarchy of trust ratings, from D at the bottom through C1, C2, B1, B2, and B3 to A1 at the top, in which each higher level builds on the requirements of the level below it and adds more rigorous protection requirements. No OS has earned the A1 rating. A few OSs have earned B1, B2, and B3 ratings, including variants of HP's HP-UX (a UNIX system), Digital's Ultrix and SEVMS, Unisys' OS 1100, and Silicon Graphics' IRIX.
OSs that have earned the C2 rating include versions of IBM's OS/400 and Digital's OpenVMS. NT 3.5 (Workstation and Server) with Service Pack 3 (SP3) earned the C2 rating in July 1995. Microsoft reportedly submitted NT 4.0 for NCSC evaluation, but the evaluation process usually takes several years and is not complete at press time (Microsoft first submitted NT for evaluation in 1991). Because the security-related components in NT 4.0's architecture are virtually identical to those in NT 3.5's architecture, NT 4.0 will probably meet the C2 requirements.
To earn a C2 security rating, an OS must implement the following features: a secure logon facility, discretionary access control, auditing, and object reuse protection. A secure logon facility requires users to enter a unique identifier and password to identify themselves before it will grant them access to the computer. NT uses accounts for user identification and password-based logon for its default authentication mechanism.
When an OS implements discretionary access control, every shareable resource can carry a block of information that specifies which users can perform which operations on that resource, and the resource's owner decides what goes in it (hence "discretionary"). If you've viewed or set NTFS file or directory permissions or you've modified the security settings on Registry keys, you've seen a representation of NT's discretionary access control, which NT organizes as an ordered list (the discretionary access control list, or DACL). Each list element names a user or group and describes the actions that user or group can or cannot perform on the object.
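To make the "list of what a user can and cannot do" concrete, here is a small model of how NT walks a DACL to decide one access request. This is an added example written for this article, not NT's code and not part of the original text; the SIDs, the group, the access-mask bits and the ACLs are all constructed for illustration and are not real NT values. The rules it encodes (deny entries are checked against the rights still outstanding, allow entries accumulate until the whole request is satisfied, an empty list grants nothing, a missing list grants everything) are NT's, which is also why NT stores deny entries ahead of allow entries.

```python
"""Simplified model of how NT evaluates a discretionary access control
list (DACL). Constructed example: the SIDs, group, access-mask bits and
the ACLs below are made up for illustration; they are not real NT
values and this is not NT's own code."""
from dataclasses import dataclass

# Access-mask bits (hypothetical; NT's real masks are object-specific).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# Made-up SIDs standing in for two user accounts and one group.
BOB = "S-1-5-21-1000-2000-3000-1005"
ALICE = "S-1-5-21-1000-2000-3000-1006"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny 'mask' to 'sid'."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(dacl, user_sid, group_sids, requested):
    """Walk the DACL in order and decide one access request.

    Rules modelled on NT's access check:
      * dacl is None  -> object is unprotected, everything is granted
      * dacl is []    -> nothing is granted to anyone
      * an ACE naming neither the user nor one of the groups is skipped
      * a deny ACE whose mask overlaps any still-outstanding requested
        right refuses the whole request immediately
      * allow ACEs remove their bits from the outstanding rights; the
        request succeeds as soon as nothing is outstanding
    """
    if dacl is None:
        return True
    principals = {user_sid, *group_sids}
    outstanding = requested
    for ace in dacl:
        if ace.sid not in principals:
            continue
        if ace.kind == "deny":
            if ace.mask & outstanding:
                return False
        elif ace.kind == "allow":
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return outstanding == 0


# A DACL in NT's canonical order: deny entries ahead of allow entries.
CANONICAL = [
    Ace("deny", BOB, DELETE),            # Bob may never delete
    Ace("allow", DOMAIN_USERS, READ),    # every domain user may read
    Ace("allow", BOB, WRITE),            # Bob may additionally write
]

# The same intent with the deny entry placed last: NOT canonical.
BAD_ORDER = [
    Ace("allow", DOMAIN_USERS, READ | DELETE),
    Ace("deny", BOB, DELETE),
]


def order_matters():
    """Return (deny_first_result, deny_last_result) for Bob asking to
    read and delete. With the deny first the request is refused; with
    the deny last, the allow ACE satisfies the request before the deny
    is reached, so the deny is silently ineffective."""
    deny_first = [Ace("deny", BOB, DELETE),
                  Ace("allow", DOMAIN_USERS, READ | DELETE)]
    first = access_check(deny_first, BOB, [DOMAIN_USERS], READ | DELETE)
    last = access_check(BAD_ORDER, BOB, [DOMAIN_USERS], READ | DELETE)
    return first, last


if __name__ == "__main__":
    for who, name in ((BOB, "Bob"), (ALICE, "Alice")):
        for right, label in ((READ, "read"), (WRITE, "write"), (DELETE, "delete")):
            ok = access_check(CANONICAL, who, [DOMAIN_USERS], right)
            print(f"{name:5} {label:6} -> {'granted' if ok else 'denied'}")
    print("deny-first vs deny-last:", order_matters())
```

Run it and Bob gets read and write but not delete, Alice gets read only, and `order_matters()` shows why the permission editors insist on putting deny entries first: a deny placed after an allow that already covers the request never gets a vote.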
Auditing capability lets authorized users place watchdogs on resources that monitor and record users' failed or successful attempts to access those resources. The NTFS permission editor and the Registry editor expose NT's implementation of file system and Registry object auditing. All shareable objects in NT can have auditing enabled. But auditing introduces overhead, so NT disables it systemwide by default; you must turn it on (and choose which events to record) before any audit records are written.
To have object reuse protection, an OS must prevent users from seeing data that another user has deleted and from reading memory that another user previously used and released. For example, in some OSs you can create a new file of a certain length and then examine the file's contents to see whatever data previously occupied the disk blocks allocated to the new file. This data might be sensitive information that another user stored in a file and then deleted. NT prevents this type of breach by initializing file data, memory, and other objects before handing them out. If you create a file and extend it without writing to it, NT returns zeros when you read it, so you never see data that existed previously at that location on the disk. Note that this is a guarantee about what the file API returns, not secure deletion: the old bytes can remain on the disk until the blocks are rewritten.
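The check a practitioner would run to confirm this behaviour follows. It is an added example, not code from the article: it writes constructed "sensitive" content to a file, deletes the file, allocates a fresh file of the same size without writing a byte, and confirms that the fresh file reads back as zeros. It uses only the standard file API, so it runs on NT or any other OS; it does not (and cannot, without administrative rights to open the raw volume) tell you whether the old bytes are still physically on the disk.

```python
"""Check that a freshly allocated file never exposes the contents of a
file deleted earlier. Added example, not code from the article; the
'payroll' text is a constructed stand-in for sensitive data."""
import os
import tempfile

SECRET = b"payroll: alice 120000\n" * 64   # constructed sample content


def object_reuse_check(directory):
    """Write SECRET to a file, delete it, then create a new file and
    extend it to the same size without writing anything. Return
    (all_zero, leaked): all_zero is True if the new file read back as
    zeros, leaked counts occurrences of the old content in it."""
    victim = os.path.join(directory, "victim.dat")
    with open(victim, "wb") as f:
        f.write(SECRET)
    os.remove(victim)

    fresh = os.path.join(directory, "fresh.dat")
    fd = os.open(fresh, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.ftruncate(fd, len(SECRET))       # allocate, but do not write
        os.lseek(fd, 0, os.SEEK_SET)
        data = os.read(fd, len(SECRET))
    finally:
        os.close(fd)
        os.remove(fresh)

    return data == bytes(len(SECRET)), data.count(b"payroll")


def run_check():
    """Run the check in a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as d:
        return object_reuse_check(d)


if __name__ == "__main__":
    all_zero, leaked = run_check()
    print("object reuse protection:",
          "OK" if all_zero else f"FAILED ({leaked} leaks)")
```

On an OS that meets the object reuse requirement the result is `(True, 0)`. If you want to know whether the deleted data is still recoverable from the raw disk, that is a separate question about secure deletion, and answering it requires the kind of privileged raw-device access that the C2 requirements exist to keep away from ordinary users.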
When NT earned its C2 security rating, NCSC also recognized NT as meeting two requirements of B-level security: Trusted Path functionality and Trusted Facility Management functionality. Trusted Path functionality prevents Trojan horse programs from intercepting a user's name and password as the user logs on. NT's Trusted Path functionality exists in the form of its Ctrl+Alt+Del logon-attention sequence. This sequence of keystrokes, the Secure Attention Sequence (SAS), is delivered only to NT's logon process (Winlogon); no ordinary program can intercept it or suppress it. So when you press Ctrl+Alt+Del, the logon dialog that appears is guaranteed to be NT's own, and any Trojan horse that is displaying a fake logon dialog is simply bypassed. This is why you should never type your password into a logon dialog that you did not summon with the attention sequence.
NT meets the Trusted Facility Management requirement by supporting separate account roles for administrative functions. For instance, NT provides separate accounts for administration (Administrators), user accounts charged with backing up the computer (Backup Operators), and standard users (Users). Microsoft is reportedly working on a B-level version of NT, but the company has not made a public statement about when it might release this version.
If you rely on NT's C2 security rating in your security decisions, you must keep in mind two important considerations. First, a C2 security rating is different from a C2 security certification. OSs and programs earn ratings; individual installations must be certified. This distinction means that most NT installations are not C2 certified, nor would they necessarily want to be: security needs vary, and too much security can hamper productivity. You can use the Microsoft Windows NT Server 4.0 Resource Kit tool C2Config to help your NT systems meet the requirements for a C2 certification.
Second, NT earned its C2 rating as a standalone system, with no networking enabled. If you take a system that C2Config has configured to meet the C2 requirements and attach it to your LAN, the system no longer matches the evaluated configuration and loses its C2 certification. Securing a networked system is harder than securing a standalone machine, but if you keep up to date with service packs and security alerts, you can remain close to a C2 certification level.