Practical Connection
Course Description:
Course: Fall 2020 – Application Security (ISOL-534)
This course covers techniques and strategies for securing computers running Microsoft Windows operating systems, and their applications. Focusing on Windows Server 2012 and newer versions, and Windows 10 for clients, the course introduces the Windows operating system platforms and major areas of security vulnerabilities. Students will learn how to assess Windows computers for security vulnerabilities and how to make them more secure.
Course Activities and Experiences:
Students are expected to:
• Review any assigned reading material and prepare responses to homework assigned.
• Actively participate in activities, assignments, and discussions.
• Evaluate and react to each other’s work in a supportive, constructive manner.
• Complete specific assignments and exams when specified and in a professional manner.
• Utilize learned technologies for class assignments.
• Connect content knowledge from core courses to practical training placement and activities.
Security Strategies in Windows Platforms and Applications
Lesson 1
Microsoft Windows and the Threat Landscape
© 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Describe information systems security and the inherent security features of the Microsoft Windows operating system.
Describe threats to Microsoft Windows and applications.
Key Concepts
Information systems security and the C-I-A triad
Microsoft Windows and a typical IT infrastructure
Vulnerabilities of Microsoft Windows systems and their applications
Information Systems Security
Defense in depth
Layering multiple independent controls so that the failure or bypass of any one control does not by itself expose the environment
Information security
Main goal is to prevent loss (of confidentiality, integrity, or availability)
Most decisions require a balance between security and usability
Security controls are the mechanisms (administrative, technical, or physical) used to protect information
Security Controls
Type of control: Administrative, Technical, Physical
Type of function: Preventive, Detective, Corrective
Every control is classified on both axes: a written password policy is administrative and preventive, reviewing audit logs is administrative and detective, and restoring a system from backup is technical and corrective.
C-I-A Triad
The practice of securing information involves ensuring three tenets of information security: confidentiality, integrity, and availability
Known as the C-I-A triad
Also known as the availability, integrity, and confidentiality (A-I-C) triad
Each tenet interacts with the other two and, in some cases, may conflict
Confidentiality
The assurance that the information cannot be accessed or viewed by unauthorized users
Examples of confidential information:
Financial information
Medical information
Secret military plans
A successful attack against confidential information enables the attacker to use the information to gain an inappropriate advantage or to extort compensation through threats to divulge the information.
Integrity
The assurance that the information cannot be changed by unauthorized users
Ensuring integrity means applying controls that prohibit unauthorized changes to information
Examples of integrity controls:
Security classification
User clearance
Availability
The assurance that information is available to authorized users in an acceptable time frame when it is requested
Examples of attacks that affect availability:
Denial of service (DoS)
Hacktivist campaigns (DoS or defacement carried out to disrupt a target’s service)
Microsoft Windows and Applications in a Typical IT Infrastructure
IT infrastructure
Collection of computers, devices, and network components that make up an IT environment
Microsoft Windows and Applications in a Typical IT Infrastructure
Common infrastructure components:
Client platforms
Network segments
Network devices
Server instances (often listed by function)
Cloud-based offerings, such as Microsoft Office 365 and Microsoft Azure
A Sample IT Infrastructure (diagram not reproduced in this text)
Windows Clients
Client systems provide functionality to end users; customer-facing systems
Include desktops, laptops, and mobile devices
Each application can be deployed on client systems as either a thin or a thick client
Windows 10
Newest and most widely deployed Windows client operating system at the time of this (2020) edition
Windows Servers
Server computers provide services to client applications
Common server applications:
Web servers, application servers, and database servers
Windows Server 2019
Essentials, for small businesses
Standard, for most server functions
Datacenter, for large-scale deployments
Microsoft’s End-User License Agreement (EULA)
Software license agreement that contains the Microsoft Software License Terms
Must be accepted prior to installation of any Microsoft Windows product
Located in the Windows install folder or on the Microsoft website
Microsoft EULA Sections
Updates
Additional Notices—Networks, Data, and Internet Usage
Limited Warranty
Exclusions from Limited Warranty
Windows Threats and Vulnerabilities
Successful attack: One that realizes, or carries out, a threat against vulnerabilities
Risk
Exposure to a threat: the likelihood that a threat exploits a vulnerability, combined with the loss that would result
Threat
Any action or event that could lead to damage, disruption, or loss
Vulnerability
A weakness in an operating system, application software, or configuration that a threat could exploit
Windows Threats and Vulnerabilities
A threat is not necessarily dangerous
Fire in fireplace = desirable
Fire in data center = dangerous
For damage to occur, a threat must meet a vulnerability it can exploit; a threat with no matching weakness, or a weakness no threat reaches, causes no loss
Attackers look for vulnerabilities, then devise an attack that will exploit the weakness
Anatomy of Microsoft Windows Vulnerabilities
Ransomware
Malicious software that renders files or volumes inaccessible by encrypting them
Attacker demands payment, usually in cryptocurrency, for the decryption key
Well-known ransomware attacks
CryptoLocker
Locky
WannaCry (2017; spread between Windows hosts with no user interaction by exploiting an SMBv1 flaw that Microsoft had already patched in MS17-010, which is why patch currency and disabling SMBv1 matter)
Discovery-Analysis-Remediation Cycle
A recurring three-step process for addressing attacks
Discovery
Once an attack starts, attackers try to remain as inconspicuous as possible
Detection depends on comparing suspect activity against a baseline of normal activity and flagging the anomalies
The most common way to do this is to collect activity and monitoring logs (on Windows, the Security, System, and Application event logs) and review them against the baseline
Analysis
Security information and event management (SIEM) tools
Collect and aggregate security-related information from multiple sources and devices
Help prepare data for correlation and analysis
Current vulnerability and security bulletin databases
Help you determine if others are experiencing same activity
SIEM tools can often cross-reference known vulnerability databases to help identify suspect behavior.
The analysis phase includes validating suspect activity as abnormal and then figuring out what is causing it.
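The Discovery and Analysis steps above, as an added example that is not part of the textbook and not a Microsoft tool: a small SIEM-style pipeline that collects records from two hosts, compares per-account failed-logon counts with a baseline, and correlates a burst of failures from one address followed by a success. Event IDs 4624 (successful logon) and 4625 (failed logon) are the real Windows Security log IDs; the hosts, accounts, addresses and baseline figures are constructed for the example.

```python
"""Added example (not from the textbook or any Microsoft tool): a SIEM-style
collect / baseline / correlate pass over constructed Windows Security log
records. Event IDs 4624 and 4625 are the real Windows IDs; everything else
(hosts, accounts, addresses, baseline numbers) is made up for the example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records from two sources, "timestamp host eventid account source_ip".
FS01_LOG = """\
2020-09-14T08:00:01 FS01 4624 alice 10.0.0.5
2020-09-14T08:02:10 FS01 4625 alice 10.0.0.5
2020-09-14T08:02:20 FS01 4624 alice 10.0.0.5
2020-09-14T22:15:00 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:05 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:10 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:15 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:20 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:25 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:30 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:35 FS01 4625 bob 192.0.2.77
2020-09-14T22:15:40 FS01 4624 bob 192.0.2.77
"""
WEB01_LOG = """\
2020-09-14T09:10:00 WEB01 4625 svc_backup 10.0.0.9
2020-09-14T09:40:00 WEB01 4625 svc_backup 10.0.0.9
2020-09-14T10:10:00 WEB01 4625 svc_backup 10.0.0.9
2020-09-14T10:40:00 WEB01 4625 svc_backup 10.0.0.9
"""

# Assumed baseline: failed logons per account on a normal day, derived from prior weeks.
BASELINE_FAILURES_PER_DAY = {"alice": 1, "bob": 2, "svc_backup": 0}


def aggregate(*sources):
    """Collect step: parse records from several sources into one time-ordered list."""
    events = []
    for text in sources:
        for line in text.strip().splitlines():
            ts, host, eid, account, ip = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "eid": int(eid), "account": account, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def anomalous_failures(events, baseline, factor=3, floor=3):
    """Baseline step: accounts whose failed-logon count exceeds both
    `factor` x their baseline and an absolute `floor` (so a baseline of 0
    does not make a single failure an alert)."""
    counts = Counter(e["account"] for e in events if e["eid"] == 4625)
    return {acct: n for acct, n in counts.items()
            if n > max(factor * baseline.get(acct, 0), floor)}


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Correlate step: a source IP with >= threshold failures inside `window`
    followed by a successful logon is reported as (ip, account, host, failures)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            # Drop failures that have aged out of the window.
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["eid"] == 4625:
                recent_failures.append(e["ts"])
            elif e["eid"] == 4624 and len(recent_failures) >= threshold:
                alerts.append((ip, e["account"], e["host"], len(recent_failures)))
                recent_failures = []
    return alerts


if __name__ == "__main__":
    evs = aggregate(FS01_LOG, WEB01_LOG)
    print("above baseline:", anomalous_failures(evs, BASELINE_FAILURES_PER_DAY))
    print("failures then success:", correlate_bruteforce(evs))
```

The baseline rule alone flags both bob and the backup service account, but only the correlation rule separates the interesting case (eight failures from one external address followed by a success, i.e. a likely compromised password) from the noisy one (a service account failing slowly all morning, more likely a stale stored credential). Validating which anomalies are real is the analysis step.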
Remediation
Contain any damage that has occurred, recover from any loss, and implement controls to prevent a recurrence
Common Forms of Attack
Threat: Description
Phishing: Generally starts with a message that contains a link or image to click, or a file to open; taking the action delivers malware or captures credentials
Malware: Malicious software designed to carry out tasks that the user would not normally allow
Denial of service (DoS): Any action that dramatically slows down or blocks access to one or more resources
Injection attack: Depends on the ability to send input to an application that the application interprets as instructions, causing it to carry out unintended actions; SQL injection is the most common form
Common Forms of Attack (Cont.)
Threat: Description
Unprotected Windows share: A file share exposed with no or overly broad permissions, which lets attackers read data and drop tools, including malicious software, onto the host
Session hijacking and credential reuse: Attempts by attackers to take over valid sessions (by stealing session tokens or cookies) or to capture credentials and replay them to impersonate valid users
Cross-site scripting (XSS): Injecting malicious script into a web application’s pages so that it runs in other users’ browsers with that site’s privileges
Common Forms of Attack (Cont.)
Threat: Description
Packet sniffing: Collecting network messages as they travel across a network in the hope of capturing sensitive information, such as passwords sent in the clear
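The injection row of the tables above, as an added example that is not from the textbook: a login query built by string formatting beside its parameterized form, run against an in-memory SQLite table. The table, the two accounts and the payloads are constructed for the example; storing plaintext passwords is a deliberate simplification so that the query itself stays the focus.

```python
"""Added example (not from the textbook): SQL injection in a login check,
vulnerable version beside the parameterized fix. Uses Python's built-in
sqlite3 with an in-memory database; accounts and payloads are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL by string formatting, so user input becomes part of
    the query's grammar rather than a value compared by the query."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the driver sends the input as data, never as SQL,
    so quotes and comment markers in it have no special meaning."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


# Two classic payloads: a comment marker that truncates the password check,
# and a tautology that makes the WHERE clause true for every row.
COMMENT_PAYLOAD = "bob' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both payloads through both versions and report who got in."""
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "safe_comment": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "safe_real": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the comment payload the vulnerable query becomes `... WHERE name = 'bob' --' AND password = 'wrong'`, and everything after `--` is ignored, so the password is never checked; with the tautology the clause is true for every row and the first account comes back. The parameterized version returns nothing for either payload and still works for a genuine login.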
Summary
Information systems security and the C-I-A triad
Microsoft Windows and a typical IT infrastructure
Vulnerabilities of Microsoft Windows systems and their applications
Security Strategies in Windows Platforms and Applications
Lesson 2
Security in the Microsoft Windows Operating System
© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Describe information systems security and the inherent security features of the Microsoft Windows operating system.
Key Concepts
Basic Microsoft Windows operating system architecture
Windows systems and application vulnerabilities
Purpose of access controls, authentication, and permissions
Windows attack surfaces and mitigation
Operating System Components and Architecture
Operating system
A collection of many programs working together, along with data, to provide access to physical resources
Goal of secure information
All required information is available to authorized users
No information is available to unauthorized users
Operating System Components and Architecture
First step in planning how to secure operating system is to understand purpose of:
Kernel
Operating system components
Operating System Kernel
Kernel
The part of the operating system that resides (at least partially) in memory and provides the backbone of the operating system’s services
The classic definition of a kernel states that the entire kernel resides in memory
Today’s operating system kernels are made up of both the main memory-resident components and external loadable modules
Loadable modules reduce the kernel’s memory footprint
The kernel provides access to physical resources and often runs other operating system programs to complete a task
Memory-resident kernel code directly handles access to the CPU, where efficiency is crucial
Microkernel
Many current operating systems implement a microkernel architecture
Implements only the minimal required functionality in the memory-resident portion of the operating system, such as memory management, interprocess communication, and process scheduling
Other necessary functionality is supported by external programs
The main difference between internal and external programs is the privilege level at which each runs. A pure microkernel allows only the memory-resident components to run in kernel, or maximum privilege, mode; everything else runs with user privileges, so a bug in an external component cannot directly corrupt the kernel.
Windows Process Table Contents
Kernel
The kernel includes areas of memory reserved for the operating system data structures.
One example of an operating system data structure is the process, or task table.
The process table contains one entry for each running process. Each operating system stores different process properties, but the basic information in the process table is consistent.
Processes generally run in either user mode or supervisor mode. You may also see supervisor mode referred to as kernel mode.
Processes run in supervisor mode can perform more tasks and access more restricted parts of the computer system.
One way for an attacker to access a protected resource is to modify the process table entry and change a user mode process to supervisor mode.
Operating System Components
Kernel provides core services of the operating system and calls external programs to provide many more operating system services
Operating system is the collection of programs that control access to the physical hardware
Information is stored and transmitted on physical hardware
Ensuring security of protected information starts with ensuring security of the operating system
Operating System Components
Operating system service: Description
Program/process management: The OS manages locating, loading, and executing programs; handles memory allocation and CPU scheduling; and provides the environment in which programs run
Input and output: The OS hides the details of physical hardware and gives programs the ability to process input and output
File system: The OS provides access to long-term storage and helps to organize information to make it easily and efficiently accessible
Communication: The OS provides support for exchanging information between programs locally and on other computers
Error detection and alerts: The OS monitors activities that occur within the computer and responds when errors occur
Basic Windows Operating System Architecture
Current versions of client and server Windows operating systems:
Are based on the Windows NT code base
Use a modified (hybrid) microkernel architecture: the design is modular like a microkernel, but for performance many services that a pure microkernel would run in user mode (the executive, drivers, the HAL) run in kernel mode
Because of the modular nature of Windows, major components can be removed, replaced, or enhanced without rewriting the entire operating system
Windows Run Modes
Windows architecture consists of two main layered components:
Kernel (or supervisor) mode programs
User mode programs
Kernel mode programs:
Run in privileged mode, also called kernel or supervisor mode
Interact closely with physical hardware
User mode programs interact with both users and kernel mode programs, and reach hardware only through the kernel mode layer
Windows Operating System Components
Kernel Mode
Programs running in kernel mode have complete access to the computer’s hardware and system services
The operating system needs this level of access, but it also makes kernel mode an attractive target for attackers: code that reaches kernel mode bypasses every user mode protection
Windows kernel mode components:
Hardware Abstraction Layer (HAL)
Kernel mode drivers
Microkernel
Executive
Hardware Abstraction Layer (HAL)
The HAL provides the actual access to physical hardware. All other kernel mode programs interact with hardware through the HAL. This allows Microsoft to support multiple hardware platforms by writing different HAL modules instead of rewriting all operating system programs.
Kernel mode drivers
Kernel mode drivers give user programs and other kernel mode programs access to individual hardware devices, through the HAL. These drivers provide the translation that allows other programs to access devices as file objects. Because drivers run in kernel mode, a flaw in a third-party driver carries the same risk as a flaw in the kernel itself.
Microkernel
The microkernel is the memory-resident portion of the operating system that provides its core functionality, including CPU synchronization, process thread/interrupt scheduling, and exception handling.
Executive
The executive is at the “highest level” of the kernel mode programs. It provides services such as managing objects, I/O, security, and process management. User mode programs interact with the operating system via the executive.
User Mode
Nonkernel mode programs run under user mode
Includes application programs and the user mode layer of Windows
Windows user mode layer programs:
Handle user interaction and processing requests
Pass I/O requests to the necessary kernel mode drivers, using the executive
Main User Mode Program Components
Environment subsystem
Provides ability to run programs written for different operating systems, including previous Windows versions and Linux
Integral subsystem
Handles user mode functions on behalf of environment subsystem, including logon and access control, network access, and providing network services
Access Controls and Authentication
Access control
Process of providing and denying access
Multistep process, starting with identification and authentication
Regardless of methods used, operating system needs to identify user asking for access to a resource
Most often, user provides a username (or user ID)
Authentication Methods
Authentication system
Collects identification credentials, such as a username
Collects authentication credentials, such as a password
Finds stored information that corresponds to supplied credentials in user list, often in an authentication database
Compares stored credentials with supplied credentials; if they match, user is authenticated
Strongest authentication: multifactor authentication, which combines two or more of the authentication types below (two-factor authentication is the common case)
Authentication Types
Type I–What you know
Examples: Passwords and personal identification number (PINs)
Type II–What you have
Examples: Token, smart card
Type III–What you are
Examples: Fingerprint, hand print, or retina characteristic
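The steps of the authentication system above, combined with two of the authentication types just listed, as an added example that is not from the textbook and not Windows code: a Type I factor (a password, stored as a salted PBKDF2 hash and compared in constant time) and a Type II factor (a time-based one-time code of the kind a hardware token or phone app produces, RFC 6238 TOTP built on RFC 4226 HOTP). The user record is constructed for the example and the one-time-code secret is the RFC 4226 test key.

```python
"""Added example (not from the textbook or from Windows): identification,
credential lookup and comparison for a password (Type I) plus a one-time
code (Type II). The user record is constructed; DEMO_SECRET is the RFC 4226
test-vector key, so the expected codes are the published ones."""
import hashlib
import hmac
import os
import struct
import time

USER_DB = {}  # username -> stored credentials; filled by register()
DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test vector secret
ITERATIONS = 200_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash: what gets stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(username, password, otp_secret):
    salt = os.urandom(16)
    USER_DB[username] = {"salt": salt, "iterations": ITERATIONS,
                         "digest": hash_password(password, salt),
                         "otp_secret": otp_secret}


def verify_password(username, password):
    """Look up the record for the identity, recompute, compare in constant time."""
    rec = USER_DB.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users: no timing leak
        return False
    digest = hash_password(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["digest"])


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


def authenticate(username, password, otp_code, now=None):
    """Both factors must pass; a wrong password never reaches the OTP check."""
    if not verify_password(username, password):
        return False
    secret = USER_DB[username]["otp_secret"]
    now = time.time() if now is None else now
    # Accept the current code and one step either side to tolerate clock skew.
    return any(hmac.compare_digest(totp(secret, now + skew * 30), otp_code)
               for skew in (-1, 0, 1))


register("alice", "correct horse battery staple", DEMO_SECRET)

if __name__ == "__main__":
    print("code now:", totp(DEMO_SECRET, time.time()))
    print("login:", authenticate("alice", "correct horse battery staple",
                                 totp(DEMO_SECRET, time.time())))
```

Two details matter for security rather than function: the comparison uses `hmac.compare_digest` so the time taken does not depend on how many bytes match, and an unknown username still costs a full hash so an attacker cannot enumerate accounts by timing. Note that the one-time code only raises the bar for credential reuse; it does not help if the attacker controls the session after login.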
Access Control Methods
Mandatory access control (MAC)
Role-based access control (RBAC)
Discretionary access control (DAC)
Tokens, Rights, and Permissions
Each local user and group in Windows has a unique security identifier (SID)
When a Windows user logs on, the operating system:
Fetches the user’s SID, and the SIDs for the groups to which the user is assigned
Looks up the user’s rights on the local computer
Writes all the SIDs and local rights to an ID object called the Security Access Token (SAT); Microsoft documentation calls this the access token, and every process the user starts carries a copy of it
Computer Management Tool
In a Windows environment, each local system defines local users and groups during the installation process. You can add more local users and groups at any time using the Computer Management tool.
The Local Users and Groups section of the Computer Management tool allows you to add, remove, and manage local users and groups. This tool is most commonly used to create new users and groups, and to associate users with groups.
Access Rules, Rights, and Permissions
User rights
Actions a user is permitted to carry out
Permissions
Define what a user can do to a specific object, such as read or delete
Access control list (ACL)
Stores access rules, or permissions, for resources (objects)
Each object has an associated ACL and can be used to allow or deny access to the object by user or group.
Users, Groups, and Active Directory
Computing environments are becoming more diverse and geographically separated, but remain integrated through networks
Windows environments are becoming more dependent on internally and externally shared resources
Workgroups
Peer-to-peer networks that allow Windows computers to share resources
Users and groups must be defined on each computer
Every change to security permissions must be applied to every computer
Administration of workgroups with more than a half dozen computers becomes difficult
Active Directory
Allows users and groups to be defined in a central location and shared among multiple computers
Limits how many computers share a set of users and groups by defining domains
Domain
A group of computers and users that share one directory database and one security boundary, administered as a unit
Active Directory (Cont.)
Provides the ability to define identities and authorization permissions that can be shared among multiple computers within one or more domains
Reduces redundant administrative effort
Requires more up-front administration and infrastructure (at least one domain controller) than a workgroup
Windows Attack Surfaces and Mitigation
Operating system services expose part of the computer to external access, and every exposed service carries risk
Vulnerabilities
Weaknesses that can allow unauthorized access if successfully exploited
Attack surface
Total collection of vulnerabilities that could provide unauthorized access to computer resources
Multilayered Defense
Mitigation
Remove vulnerabilities
Stop attacks from exploiting vulnerabilities
Fundamentals of Windows Security Monitoring and Maintenance
Points in a system’s life cycle that serve as milestones for security management:
Install the operating system or application software
Monitor the operation of the computer system
Make any configuration changes to the computer system
Security Monitoring and Identifying Vulnerabilities
Security Monitoring
Define security goals
Describe secure behavior as a baseline
Sample performance information and compare with the baseline
Report anomalies
Vulnerabilities
Identify vulnerabilities
Make a plan to address each vulnerability
Summary
Basic Microsoft Windows operating system architecture
Windows systems and application vulnerabilities
Purpose of access controls, authentication, and permissions
Windows attack surfaces and mitigation
Security Strategies in Windows Platforms and Applications
Lesson 3
Access Controls in Microsoft Windows
© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Implement security controls to protect Microsoft Windows systems and networks.
Key Concepts
Principle of least privilege
Access models
Microsoft Windows objects and access controls
Forms of identification
Windows access permissions and access management tools
Security Control Process
Think
Plan
Design
Implement
Evaluate
Principle of Least Privilege
Definition per the Orange Book:
Grant each subject in a system the most restrictive set of privileges (or lowest clearance) needed to perform authorized tasks
Limits the damage that can result from accident, error, or unauthorized use
The United States Department of Defense Trusted Computer System Evaluation Criteria, DOD-5200.28-STD, also known as the Orange Book because of its orange colored cover, was one of the first generally accepted standards for computer security.
The Orange Book defines least privilege to be a principle that “requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”
The Orange Book has since been replaced by the Common Criteria for Information Technology Security Evaluation—an international standard. The Common Criteria extend the concepts stated in the Orange Book.
Least Privilege and LUAs
In Windows, the principle of least privilege is implemented at the user account level
Microsoft refers to user accounts defined using this principle as least privilege user accounts (LUAs)
Recommended: To implement least privilege, create user groups that represent roles in the organization
Sample Default Active Directory Security Groups
Account operators
Administrators
IIS_IUSRS
Users
Guests
Backup operators
Remote desktop users
Rights and Permissions
Each group in Windows has the ability to apply rights and permissions to sets of users
User rights are defined and maintained through group security policy objects
Permissions:
Apply to specific objects
Are maintained through each object’s security settings
Rights and Permissions (Cont.)
Each object has access control rules, collected in an access control list (ACL) for the object
ACLs in Active Directory are made up of lists of access control entries (ACEs)
ACLs that Windows uses are implemented as discretionary access control, so list of access control rules is a discretionary access control list (DACL)
Each entry in DACL is an access control entry (ACE)
Windows Object DACL
Access Models: User Validation
Windows prompts the user to enter identification and authentication credentials.
Windows looks up the defined user and the associated authentication information. If the supplied information matches the stored information, the user is authenticated.
The operating system records the user account’s security identifier (SID), the SID of each group to which the user is assigned, and the current user’s privileges in a security access token (SAT).
The SAT, with all the user and group SIDs, is attached to each process the user runs.
Windows Security Access Token (SAT)
User enters ID and authentication credentials
Windows compares supplied info to stored info
If a match, user authenticated
Windows records user SID, SID of each group, and user privileges in a token
SAT (contains user and group SIDs) is attached to each process user runs
Windows Server 2012-2019 Dynamic Access Control (DAC)
A collection of features that describe user and data attributes
Attributes help Windows protect files using policies that provide more access control
DAC used to:
Identify and classify data
Control file access
Audit file access
Apply encryption to sensitive documents
Identify and classify data—You can tag data either automatically or manually to tell Windows how to secure different types of data. Automatic tagging can look for special types of data, such as Social Security numbers.
Control file access—Central access policies allow organizations to set global rules on who can access different types of data.
Audit file access—DAC includes central audit policies that provide the ability for auditors and forensic investigators to find out who accessed sensitive information.
Apply encryption to sensitive documents—Automatic Rights Management Services (RMS) can encrypt files that contain tagged sensitive data without requiring user interaction.
User Account Control
Administrators group has split SAT
One part has full privileges
Other part is more limited like a normal user
Processes initially run using limited SAT
If a process requires a privilege that is allowed for administrators and the process also contains an administrator SAT, Windows prompts user for an escalation confirmation
User Account Control
The Windows feature of prompting users before escalating to administrator privileges is called User Account Control (UAC).
Once Windows builds the SAT and attaches it to each process, the SAT becomes the subject part of the authorization process.
Before granting access to an object, Windows must first authorize the request. Windows uses the DACL defined for an object to decide whether the access request will be granted or denied.
Each time a process needs access to an object, Windows refers to the process’s SAT and the object’s DACL to see if the access request is allowed.
If the access request is allowed, the process accesses the object.
If the access request is not allowed, Windows returns an error and the process cannot complete the requested object access.
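As an added example that is not part of the text, a PowerShell function that reads the current process's SAT, reports its user SID, group SIDs and enabled privileges, and shows whether it is the limited half of an administrator's split token; it relies only on the .NET WindowsIdentity class and whoami.exe.

```powershell
# Added example, not from the text. Summarises the SAT of the current process and whether
# it is the limited (non-elevated) half of an administrator's split token.
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id
    # True only when the process runs with the full-privilege half of the token.
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists each group SID in the token with its attributes. In the limited token the
    # Administrators group is still present but marked "Group used for deny only": it can
    # match Deny ACEs but never Allow ACEs.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $denyOnly = $groups | Where-Object { $_.Attributes -like '*deny only*' } |
                Select-Object -ExpandProperty 'Group Name'

    # Privileges are carried in the token as well; the limited token holds far fewer of them.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User              = $id.Name
        UserSid           = $id.User.Value
        GroupSidCount     = $id.Groups.Count
        Elevated          = $elevated
        DenyOnlyGroups    = $denyOnly
        EnabledPrivileges = ($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name'
    }
}

Get-TokenSummary | Format-List
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" to see the same account's two SATs side by side.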
User Account Control Settings
In previous Windows versions, UAC was often seen as annoying and intrusive. The only options were to turn UAC on or off.
Starting with Windows 7 and Windows Server 2008 R2, users can choose one of four “comfort levels” of UAC, from “Never Notify” to “Always Notify.”
Sharing SIDs and SATs
SAT for each process built from user’s SID and group SIDs
Active Directory stores shared information to construct SATs
Domain controller sends security information to computer where a user logs on
Windows extends concept of authentication to computer level when constructing SATs
Complete SATs are never shared across a network—only the parts necessary to construct the SAT
Distributed SAT
The domain controller stores the domain user’s SID and the SIDs for all of the domain groups to which the user is assigned.
The target server (the server where the requested resource resides) already has the local group memberships defined for the user and the local user rights definitions.
The domain controller sends the domain user and group SIDs to the target server using one of two Windows authentication protocols.
Managed Service Accounts
In Windows Server 2012 and newer
Can be shared across systems
Administrators create these accounts as managed domain accounts that provide automatic password management
Allows Windows Server 2012 and newer domain controllers to manage passwords automatically at the domain level
Kerberos
Kerberos is a fast and scalable protocol that allows for secure exchange of information.
Each domain controller functions as a Kerberos key distribution center (KDC). The KDC stores all user and computer Kerberos master keys.
When a subject requests access to an object, the subject asks the domain controller for an access ticket.
The domain controller authenticates the subject.
If successful, the domain controller issues the access ticket. The access ticket contains all of the subject’s SIDs and is encrypted with the target server’s public key. The subject then presents the access ticket to the server where the desired object resides.
Since the access ticket was encrypted with the server’s public key, the server can decrypt it with its private key.
Successful decryption means the ticket is valid, and the server then evaluates the SIDs in the ticket for access permission.
Windows Objects and Access Controls
Common Securable Objects
NTFS files and folders
Pipes, named or unnamed
Processes and threads
Registry keys
Windows services
Printers, local and remote
Network shares
Job objects
Windows DACLs
Securable object requires a DACL for Windows to control access to the object
A DACL is a collection of individual ACEs and can be modified in the object’s Properties dialog box
Full Control: Provides no restrictions on access to the object
Modify: Allows all modifications to files and folders; cannot delete files or folders, change permissions, or take ownership
Read and Execute: Traverses folders; executes files; lists folders; reads data, basic and extended attributes, and permissions
Read: Lists folders; reads data, basic and extended attributes, and permissions
Write: Creates files and folders; writes data and basic and extended attributes; reads permissions
Special Permissions: Indicates the ACE for this user or group is defined on the Advanced page
DACL Advanced Permissions
The Advanced page provides access to individual object permissions, as opposed to the predefined groups of permissions in the general Security page. The Advanced page lists every individual permission for the selected user or group.
SIDs, GUIDs, and CLSIDs
Security identifier (SID)
In Windows, all users, groups, and computers have unique SIDs
Globally unique identifier (GUID)
Distinguishes objects that may originate from different computers
Used to identify many different types of objects: Computers, web browsers, database records, files, and application components
SIDs, GUIDs, and CLSIDs (Cont.)
Class identifier (CLSID)
Windows Registry uses GUIDs to identify objects and record attributes
GUIDs are stored as CLSIDs
Example
My Computer
CLSID: ::{20d04fe0-3aea-1069-a2d8-08002b30309d}
Calculating Microsoft Windows Access Permissions
Windows resolves object access requests by following this procedure:
Retrieves user and group SIDs from the process’s SAT.
Examines all ACEs in the object’s DACL for requested permission.
If no DACL or ACE is defined for the requested access, Windows allows the access.
Calculating Microsoft Windows Access Permissions (Cont.)
If only one ACE exists for the requested access, access is based on whether the ACE is defined as “allow” or “deny.”
If multiple ACEs exist for the same requested access, all ACEs must be defined as “allow” for Windows to allow the access.
Returns an access approval or denial based on permissions.
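The steps above, as an added PowerShell example that is not part of the text. The token SIDs and the DACL are constructed in-line so it runs without a domain; it treats a missing (null) DACL as allow, as step 3 states, and, as Windows' AccessCheck does, treats a DACL that exists but contains no matching allow ACE as a denial.

```powershell
# Added example, not from the text: one access request evaluated the way the slides describe,
# over a constructed DACL. Windows reads the real DACL from the object's security descriptor.

# Subject side: the SIDs a process's SAT would carry (constructed values, not a real machine's).
$TokenSids = @(
    'S-1-5-21-1000-2000-3000-1105',   # the user's own SID (constructed)
    'S-1-5-21-1000-2000-3000-513',    # Domain Users (constructed domain part)
    'S-1-5-21-1000-2000-3000-1201'    # a global role group such as Sales-Staff (constructed)
)

# Object side: the DACL, one ACE per entry. Rights use FileSystemRights flag names.
$Dacl = @(
    @{ Sid = 'S-1-5-21-1000-2000-3000-513';  Type = 'Allow'; Rights = 'ReadAndExecute' },
    @{ Sid = 'S-1-5-21-1000-2000-3000-1201'; Type = 'Allow'; Rights = 'Modify' },
    @{ Sid = 'S-1-5-21-1000-2000-3000-1105'; Type = 'Deny';  Rights = 'Delete' }
)

function Test-Access {
    param([string[]]$Sids, $Dacl, [System.Security.AccessControl.FileSystemRights]$Requested)

    # Step 3: no DACL at all (a "null DACL") places no restriction on the object.
    if ($null -eq $Dacl) { return 'Allow' }

    # Steps 1 and 2: keep the ACEs whose trustee is in the SAT and whose rights overlap the request.
    $matching = $Dacl | Where-Object {
        ($Sids -contains $_.Sid) -and
        ([int](([System.Security.AccessControl.FileSystemRights]($_.Rights)) -band $Requested) -ne 0)
    }

    # A canonical DACL orders Deny ACEs before Allow ACEs, so any matching Deny settles it.
    # This is the slide's rule that every matching ACE must be "allow".
    if ($matching | Where-Object { $_.Type -eq 'Deny' }) { return 'Deny' }

    # Allow ACEs accumulate: every requested right must be covered by some matching Allow ACE.
    $granted = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in ($matching | Where-Object { $_.Type -eq 'Allow' })) {
        $granted = $granted -bor ([System.Security.AccessControl.FileSystemRights]($ace.Rights))
    }
    if (($granted -band $Requested) -eq $Requested) { return 'Allow' }

    # A DACL that exists but grants nothing matching is an implicit deny (an empty DACL denies everyone).
    return 'Deny'
}

Test-Access -Sids $TokenSids -Dacl $Dacl -Requested 'ReadData'   # decided by the Domain Users ACE
Test-Access -Sids $TokenSids -Dacl $Dacl -Requested 'WriteData'  # decided by the role group's Modify ACE
Test-Access -Sids $TokenSids -Dacl $Dacl -Requested 'Delete'     # Modify includes Delete, but a Deny ACE also matches
Test-Access -Sids $TokenSids -Dacl $null -Requested 'Delete'     # null DACL
```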
Windows Object Effective Permissions
Auditing and Tracking Windows Access
Auditing: The process of collecting performance information on which actions were taken and storing that information for later analysis
First step — enable auditing
Tells Windows to record the events that will be defined for later analysis
Windows stores audit event notes in event logs
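The two steps, enable auditing and then read the recorded events back, as an added PowerShell example that is not part of the text; the folder path is hypothetical and the session must be elevated.

```powershell
# Added example, not from the text: object-access auditing for one folder, end to end.
$Folder = 'D:\Shares\Sales\Contracts'   # hypothetical path on the file server

# Step 1: enable auditing. Without the "File System" subcategory of Object Access turned on,
# SACL entries on files and folders record nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: tell Windows which accesses to record by adding a SACL entry to the object:
# every principal, read or delete, successful and failed attempts, inherited to files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl = Get-Acl -Path $Folder -Audit      # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: the audit entries land in the Security event log. Event 4663 records an access that
# was granted; a failed handle request is recorded as a failure audit of event 4656.
function Get-FolderAccessEvents {
    param([string]$Path, [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4656, 4663) } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event's named fields are easier to read from its XML than by property index.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object  = $data.ObjectName
                    Access  = $data.AccessList     # access-right codes, e.g. %%4416 for ReadData
                    Process = $data.ProcessName
                }
            }
        }
}

Get-FolderAccessEvents -Path $Folder | Format-Table -AutoSize
```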
Local Audit Policy
Expression-Based Security Audit Policy
In Windows Server 2012 and newer
DAC in Windows Server enables administrators to create targeted audit policies using expressions based on user, computer, and resource claims
Example:
Audit everyone without a high security clearance and who attempts to access highly sensitive documents
Access Management Tools
Tools
Cacls.exe
Icacls.exe
Robocopy
Best Practices for Microsoft Windows Access Control
AGULP
Accounts
Global groups
Access controls
Local groups
Permissions
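AGULP applied to one file share with the tools named above, as an added PowerShell example that is not the text's own; the domain, OU paths, group and user names and the share path are all hypothetical.

```powershell
# Added example, not from the text. Requires the ActiveDirectory module (RSAT) and rights to
# create groups in the named OUs and to change the share's DACL. All names are hypothetical.
Import-Module ActiveDirectory

$RoleGroup   = 'Sales-Staff'             # G: a global group that represents a job role
$ResourceGrp = 'ACL-SalesShare-Modify'   # L: a domain local group that stands for one permission on one resource
$Share       = 'D:\Shares\Sales'         # the folder the resource group controls

# A -> G: accounts are placed in the role group, never directly into a DACL.
New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path 'OU=Roles,DC=corp,DC=example'
Add-ADGroupMember -Identity $RoleGroup -Members 'asmith', 'bjones'   # hypothetical user accounts

# G -> L: the role group is nested into the resource's access group.
New-ADGroup -Name $ResourceGrp -GroupScope DomainLocal -GroupCategory Security -Path 'OU=Resource Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity $ResourceGrp -Members $RoleGroup

# L -> P: only the domain local group (plus the usual administrative identities) appears in the DACL.
# /inheritance:r removes inherited ACEs first, so the share does not silently keep a broad
# "Users: Read" entry inherited from the drive root. (OI)(CI) make each ACE inherit to files and
# subfolders; M = Modify, F = Full Control.
icacls $Share /inheritance:r
icacls $Share /grant:r "CORP\${ResourceGrp}:(OI)(CI)M"
icacls $Share /grant:r "CORP\Domain Admins:(OI)(CI)F"
icacls $Share /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# Check the result: the DACL should list groups only, with no individual user accounts.
icacls $Share
```

Because permissions are granted through the domain local group, moving a person into or out of a role is a group-membership change and the share's DACL never has to be edited again.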
Summary
Principle of least privilege
Access models
Microsoft Windows objects and access controls
Forms of identification
Windows access permissions and access management tools