Access Controls in Microsoft Windows - Detailed Notes

Learning Objectives

  • Implement security controls to protect Microsoft Windows systems and networks.

Key Concepts

  • Principle of Least Privilege
  • Access Models
  • Microsoft Windows Objects, Access Controls, and Access Permissions
  • Forms of Identification
  • Windows Access Management Tools: cacls, xcacls, and Robocopy

Security Control Process

  • Stages:
    • Think
    • Plan
    • Implement
    • Design
    • Evaluate

Principle of Least Privilege

  • Definition: Ensures authorized users can access the information they require while denying access to unauthorized users.
  • Origin:
    • The Orange Book: U.S. Department of Defense Trusted Computer System Evaluation Criteria (DOD-5200.28-STD) - defines least privilege as granting the most restrictive privileges necessary.
    • Now superseded by Common Criteria for Information Technology Security Evaluation, an international standard extending concepts from the Orange Book.

Least Privilege Implementation in Windows

  • In Windows, implementation is at the user account level.
  • Least Privilege User Accounts (LUAs): Recommended practice includes creating user groups that represent organizational roles.

Sample Default Active Directory Security Groups

Group Descriptions:

  • Account Operators: Create and modify most types of accounts, can log in to domain controllers.
  • Administrators: Unrestricted access to the computer/domain.
  • IIS_IUSRS: Built-in group used by Internet Information Services.
  • Users: Allows general user operations (run applications, access resources).
  • Guests: Provides basic privileges for one-time users; profile deleted on log out.
  • Backup Operators: Back up and restore all files regardless of the permissions set on them.
  • Remote Desktop Users: Establish remote connections to Remote Desktop Session Host servers.

Rights and Permissions

  • Each group can be assigned rights and permissions, which are maintained through Group Policy objects.
  • ACL (Access Control List):
    • A list defining which principals have which permissions on a specific object.
    • In Windows, it is implemented as a Discretionary Access Control List (DACL).
    • Individual access control entries (ACEs) make up the DACL.

Access Control Models

  • Steps for validation:
    1. The user enters identification and authentication credentials.
    2. The system looks up the user's data and authenticates the user.
    3. The system records the user account's security identifier (SID) and the SIDs of its groups in a token.
    4. That Security Access Token (SAT) is attached to each process the user starts.

Dynamic Access Control (DAC)

  • A collection of features for describing user and data attributes to secure files:
    • Tagging and classification of data.
    • Control over file access and central access policies.
    • Auditing access and applying encryption automatically to sensitive data.

User Account Control (UAC)

  • Members of the Administrators group receive a split SAT; using elevated privileges requires confirmation.
  • UAC settings allow notifications on changes to the system.

Security Identifiers (SIDs), GUIDs, and CLSIDs

  • Security Identifier (SID): Identifies a security subject or group.
  • Globally Unique Identifier (GUID): Distinguishes objects; GUIDs that identify classes are stored as CLSIDs in the Windows Registry.

Common CLSIDs

  • Examples:
    • My Computer: ::{20d04fe0-3aea-1069-a2d8-08002b30309d}
    • My Documents: ::{450d8fba-ad25-11d0-98a8-0800361b1103}

Calculating Microsoft Windows Access Permissions

  • Procedure:
    1. Retrieve the SIDs from the SAT.
    2. Examine the ACEs in the object's DACL.
    3. Determine access from the DACL and the ACEs present.
    4. Return approval or denial.
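
  • Added example (not part of these notes): a Python simulation of the access check above. Everyone (S-1-1-0) and Users (S-1-5-32-545) are real well-known SIDs; the user SID, the token and the access-mask bits are constructed stand-ins, and owner implicit rights and generic-right mapping are left out.

```python
from dataclasses import dataclass

# Constructed, simplified access-mask bits standing in for file rights.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

EVERYONE = "S-1-1-0"            # well-known SID: Everyone
USERS = "S-1-5-32-545"          # well-known SID: BUILTIN\Users
ALICE = "S-1-5-21-1-2-3-1001"   # constructed user SID

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID the entry applies to
    mask: int   # rights covered by this entry

def access_check(token_sids, dacl, requested):
    """Return True only if every requested bit is granted.

    Rules mirrored from the Windows access check: a NULL (None) DACL
    grants everyone full access; an empty DACL grants nothing; ACEs are
    examined in order; a matching deny ACE that overlaps any still-
    ungranted requested bit denies at once; matching allow ACEs
    accumulate bits until the whole request is satisfied.
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE trustee not in the token
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # deny wins on first overlap
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True               # stop once everything is granted
    return granted == requested

# Constructed token: Alice's own SID plus the SIDs of her groups.
ALICE_TOKEN = {ALICE, USERS, EVERYONE}

# Canonical DACL (deny ACEs first): Users may not write; Everyone may read/write/execute.
CANONICAL = [Ace("deny", USERS, WRITE), Ace("allow", EVERYONE, READ | WRITE | EXECUTE)]
# Same ACEs in non-canonical order: the allow ACE is reached before the deny ACE.
NON_CANONICAL = list(reversed(CANONICAL))

if __name__ == "__main__":
    print(access_check(ALICE_TOKEN, CANONICAL, WRITE))      # False
    print(access_check(ALICE_TOKEN, NON_CANONICAL, WRITE))  # True: deny ACE never reached
```

  The non-canonical case shows why ACE ordering matters: the same deny entry is ineffective once an earlier allow entry has satisfied the request.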

Auditing and Tracking Windows Access

  • Auditing: Collects performance data on access actions, enabling analysis.
  • Local Audit Policy: Defines which access events are tracked.

Microsoft Windows Access Management Tools

  • Cacls.exe: Displays/modifies file or folder ACLs.
  • Icacls.exe: Modern command-line tool that replaces cacls for managing ACLs.
  • Robocopy.exe: Robust tool for copying files and folders with ACLs.

Best Practices for Microsoft Windows Access Control

  • AGULP Method: Accounts, Global Groups, Universal Groups, Local Groups, Permissions.
    • Helps manage a large number of users predictably.
    • Systematic nesting of accounts in groups enhances security.

AGULP Variations

  • AGDLP: Accounts/Global Groups/Domain Local Groups/Permissions.
  • AGUDLP: Accounts/Global Groups/Universal Groups/Domain Local Groups/Permissions.
  • AGLP: Pre-AD WinNT domains.