Access Controls in Microsoft Windows
Modes of Learning
For this module, the following modes of learning will be used:
• Interactive Module
• Hands-on Exercises
• Self-Quizzes
Introduction
In this module we will look at the access models used by Windows. We will also contrast the access
models of a standalone workstation and the domain through Active Directory. The Kerberos protocol is
particularly important for maintaining security in a distributed resource environment. We will also look
at how security is maintained on files and folders through permissions.
As you begin this module, please refer to the timeline and make note of any assessments or important
dates. If you have any questions, ask your instructor.
Learning Outcomes
Upon completion of this interactive module, you will be able to:
1. Identify Windows objects and access controls.
2. Describe access models in Microsoft Windows.
3. Demonstrate best practices for Microsoft Windows access control.
4. Analyze Microsoft SIDs and GUIDs.
5. Examine the use of security in Active Directory.
6. Analyze how security access tokens enforce object access.
7. Assess the use of auditing, tracking, and Microsoft access management tools.
Key Terms and Concepts
Listed below are some important key terms and concepts within this module.
• Active Directory
• WinLogon
• Local Security Authority
• Kerberos
• Key Distribution Center
• Ticket Granting Service
• SID & GUID
• Relative Identifier
• Discretionary Access Control List
• Access Control Entry
• Access token
• Ntds.dit
• Inheritance
• Effective permissions
Access Models in Microsoft Windows
When a user logs on to a Windows device they authenticate either to the local machine or to a domain.
Authenticating to the local machine is simple because the database of local account information, the
Security Accounts Manager (SAM), is on the same machine. You can also log on to one machine and access
the resources of another machine in your workgroup, for example shared files or printers.
This is marginally more complicated: the remote machine knows nothing about your local logon, so it
authenticates you again against its own SAM. You therefore need an account on the remote machine as
well (with the same user name and password if the connection is to be seamless). Managing multiple
accounts on multiple machines is feasible only while the numbers are small.
Large organizations, with hundreds to tens of thousands of users, are different. Managing user accounts
on each workstation separately is not possible, so security in a domain is provided by the Active
Directory (AD) service. The purpose of Active Directory is easy to describe. If you already have hands-on
experience with managing users on a Windows workstation, you can appreciate how much work is
involved in securing the machine and user access to it and its data.
Now multiply this effort by the number of users in the large company network and the need for
centralized management becomes apparent. The basic concept of Active Directory is that once a user
has authenticated to AD they will have access to all of the domain resources that they have been
authorized for. In addition, the administrator can manage multiple users and multiple machines from a
central location.
Components of the Authentication System
The components of the Windows logon service are shown in this figure. Note that this procedure is
performed on the local workstation and accepts both local and domain credentials. Domain credentials
are passed over the network to a domain controller.
The following components are important to know:
MSGINA – The Microsoft Graphical Identification and Authentication DLL provides the logon dialog box that
accepts the user name and password. (The figure shows the Windows XP/Server 2003 design; from Windows
Vista onwards GINA was replaced by Credential Providers hosted in LogonUI.exe, but the division of
labour between the logon UI, WinLogon and the LSA is the same.)
WinLogon – This process coordinates the logon/logoff process. It calls on the MSGINA DLL to collect the
user's credentials and then passes them to the LSA for verification.
Local Security Authority (LSA) – Accepts the credentials from WinLogon and decides whether the logon will
be authenticated locally or across the network. If locally, the LSA (through its MSV1_0 authentication
package) checks the password against the hash stored in the SAM. Otherwise it forwards the authentication
to a domain controller, using Kerberos for a domain account.
Security Accounts Manager (SAM) – The database that holds the local user information including the
password hashes. It lives in the registry (the SAM hive under C:\Windows\System32\config) and is held
open by the system while Windows runs.
Authentication Components of the Domain
All of the following components are housed on domain controllers and are installed when Active
Directory is installed.
• Active Directory - AD is the database of objects, including users and groups, that are defined in
the domain.
• Kerberos - Kerberos V5 is the authentication system used for the domain. It is very secure and
provides single sign-on: once authenticated, the user can use every resource in the domain that she
has been authorized to use without entering the password again.
Its components include:
o Key Distribution Centre
The KDC is the Kerberos service that runs on every domain controller. It hosts the other two
components and shares a secret key with every principal in the domain (derived from the
account's password); the KDC's own key is that of the krbtgt account.
o Authentication Service
The AS is the component of the KDC that handles the initial logon. It verifies the user
against the account data in AD and issues the ticket granting ticket.
o Ticket Granting Service
The TGS is the component of the KDC that issues service tickets when the user attempts to
access a resource on the domain.
Step 1 and 2
When the logon request is forwarded from the workstation to a domain controller, Kerberos takes over
and refers to AD's database for the user's account data. The workstation sends an AS request carrying
the user name and a timestamp encrypted with the user's key (pre-authentication). If the AS can decrypt
it, it sends back a ticket granting ticket (TGT), encrypted with the KDC's (krbtgt) key so the client can
neither read nor alter it, together with a session key for the client, and the logon proceeds. This is
illustrated as steps 1 and 2.
Step 3 and 4
When the user at the workstation wants to access a network resource such as a server, file share or
network printer, the client presents its TGT to the Ticket Granting Service (TGS) on the KDC and names
the service it wants. The TGS validates the TGT and sends back a service ticket for that resource (not
another TGT). This is illustrated in steps 3 and 4.
* Note: each service the client contacts needs its own service ticket, but all of them are obtained
with the same TGT. By default a TGT is valid for 10 hours (renewable for up to 7 days) and a service
ticket for 10 hours, so the client does not go back to the KDC for every request during that period.
The lifetimes are set in the domain's Kerberos policy.
Step 5 and 6
The client now sends the service ticket to the service. The ticket has been encrypted by the KDC with
the service's long-term secret key (the key derived from the service account's password, known only to
that account and the KDC), so only the service can decrypt it. Kerberos uses symmetric keys throughout;
no public/private key pair is involved in this exchange. The service reads the user's identity and
group SIDs from the ticket and builds an access token for the session. The secure connection is now in
place; this is illustrated in steps 5 and 6.
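As an added illustration (not part of the original module), the following PowerShell lists the tickets in the current logon session's cache so that the TGT from steps 1 and 2 can be told apart from the service tickets of steps 3 to 6. It assumes a domain-joined Windows host with English klist output; the share name \\fileserver\share is a placeholder to replace with a real share in your domain.

```powershell
# Added example: parse "klist tickets" into objects and separate the TGT from
# service tickets. Assumes English klist output; \\fileserver\share is a placeholder.
function Get-KerberosTicket {
    # klist prints one block per ticket, each starting with "#n> Client:";
    # the TGT is the one whose Server is krbtgt/<REALM>.
    $tickets = @()
    $current = $null
    foreach ($line in (klist tickets)) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{
                Client = $Matches[1].Trim(); Server = $null; IsTgt = $false; Start = $null; End = $null
            }
        }
        elseif ($current -and $line -match '^\s+Server:\s+(.+)$') {
            $current.Server = $Matches[1].Trim()
            $current.IsTgt  = $current.Server -like 'krbtgt/*'
        }
        elseif ($current -and $line -match '^\s+Start Time:\s+(.+)$') { $current.Start = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s+End Time:\s+(.+)$')   { $current.End   = $Matches[1].Trim() }
    }
    if ($current) { $tickets += $current }
    return $tickets
}

# Steps 1 and 2 happened at logon, so the TGT is already in the cache.
Get-KerberosTicket | Where-Object { $_.IsTgt } | Format-Table Client, Server, Start, End

# Steps 3 to 6: touching a share makes the client ask the TGS for a service
# ticket for that host's cifs/ SPN. The TGT is unchanged; a new ticket appears.
Get-ChildItem '\\fileserver\share' -ErrorAction SilentlyContinue | Out-Null
Get-KerberosTicket | Where-Object { -not $_.IsTgt } | Format-Table Server, Start, End
```

Running `klist purge` first and then repeating the two listings shows the other half of the story: after the purge the next resource access silently obtains a fresh TGT (the LSA still holds the logon credentials) before it obtains the service ticket.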
Active Directory
Active Directory is installed on a Windows Server, and the server is then promoted to a domain
controller. It controls security in the large organizational network, and understanding it is essential
if you expect to implement robust security.
Active Directory is basically a large database with the following characteristics:
• It contains objects that need to be managed centrally. There are many types of objects including
users, groups, computers, servers, and printers. Objects are defined by the attributes that they
have. For example, users have an e-mail attribute while printers don't.
• It uses a multi-master model for fault tolerance. Multiple copies of Active Directory can be
installed on multiple domain controllers and they will synchronize with each other to provide
fault tolerance to the system in case a domain controller goes offline.
• AD is hierarchical: at the top of the AD tree is the parent domain. If child domains are
created they sit below the parent.
• AD is very flexible and can be designed to meet the needs of the organization. Multiple
domains can be created, and different naming schemes are supported if this is useful.
• All the domains in a forest trust each other through automatic two-way transitive trusts. If a
user is authenticated by one domain, the other domains in the forest accept that authentication
and grant access to their resources in keeping with the permissions that have been defined.
Objects and Attributes
An object is defined by its class, which controls the required and optional attributes it can have.
For example, you want to create a new user named John Smith. There is a class for User objects. The
user class has required attributes such as the name and security identifier (SID) and optional
attributes such as the e-mail address. This is how the class User is defined. Different sets of
attributes define other objects such as groups, computers, printers, and so on.
The rules for the different classes found in AD are codified in the schema. The schema is the structure
of AD and is the same across every domain in the forest. The schema may be changed if, say, a new class
needs to be created or the attributes of a class need to be modified. Because a schema change affects
the whole AD forest it is deliberately difficult to do: only members of the Schema Admins group have the
permission, and the change is made on the one domain controller that holds the schema master role.
SID
Each security principal in Windows, including users, groups, and computers, has a unique security
identifier, usually shortened to SID. A SID identifies an object created locally in the SAM, or in AD if
created in a domain. The SID must be unique and stays with the object permanently. If an object is
renamed only the display name is affected; the SID does not change.
A SID has the form S-1-5-21-<machine or domain identifier>-<RID>. The middle part, three 32-bit
numbers, is provided by the computer or domain, so all objects in that computer or domain share the
identical middle part. The last number is the Relative Identifier (RID), which must be unique within
that machine or domain. The first object created by an administrator gets a RID of 1000 and the RID
increments by one for each object created thereafter. RIDs are never reused, even after the object is
deleted.
Accounts and groups created by the system have standard, well-known RIDs. The Administrator account
always has the RID of 500 (Guest is 501; in a domain, Domain Admins is 512, Domain Users 513, Schema
Admins 518 and Enterprise Admins 519). Renaming the Administrator account is good practice, but the RID
does not change, so anyone who can look up SIDs (through the normal name-to-SID lookup interfaces, or by
reading the SID from a logon session) can identify the real Administrator account whatever it is called.
The SID was created for Windows NT and, although that makes it very old, it is still used in AD. There
is, however, one occasion when it changes. Recall that the middle part of the number is assigned by the
domain. If a user is moved to another domain it must acquire a new SID generated by the new domain.
Nevertheless, permissions granted to the old SID may still need to apply in the new domain, and
therefore the old SID is carried in an object attribute called sIDHistory. Because every SID in
sIDHistory is added to the user's access token, that attribute deserves the same scrutiny as group
membership.
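The following PowerShell is an added example, not part of the original module. It breaks a SID into the parts described above, flags well-known RIDs so that a renamed built-in Administrator is still recognised, and then does the same lookup against the real local accounts. The long domain SID is constructed sample data; the Get-LocalUser call needs Windows 10 / Server 2016 or later.

```powershell
# Added example: decompose a SID and recognise well-known RIDs. The sample
# domain SID below is made up; the well-known RIDs are the standard ones.
$WellKnownRid = @{
    500 = 'Administrator (built-in)'; 501 = 'Guest (built-in)'
    512 = 'Domain Admins';           513 = 'Domain Users'
    518 = 'Schema Admins';           519 = 'Enterprise Admins'
}

function Get-SidInfo {
    param([Parameter(Mandatory)][string]$Sid)
    $s     = [System.Security.Principal.SecurityIdentifier]$Sid
    $parts = $Sid.Split('-')                  # 'S', revision, authority, sub-authorities...
    $rid   = [int]$parts[-1]                  # last sub-authority is the RID

    # AccountDomainSid is the "middle part" shared by everything in the domain;
    # it is $null for SIDs that are not domain accounts (e.g. BUILTIN S-1-5-32-*).
    $domain = $null
    if ($s.AccountDomainSid) { $domain = $s.AccountDomainSid.Value }

    # Name resolution only works for SIDs this machine can look up.
    $name = '(not resolvable from this machine)'
    try { $name = $s.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    [pscustomobject]@{
        Sid              = $s.Value
        Revision         = [int]$parts[1]
        Authority        = [int]$parts[2]     # 5 = NT Authority
        DomainIdentifier = $domain
        Rid              = $rid
        WellKnown        = $WellKnownRid[$rid]
        Name             = $name
    }
}

# Constructed sample: the Administrator of an imaginary domain. Whatever the
# account has been renamed to, RID 500 identifies it.
Get-SidInfo 'S-1-5-21-1004336348-1177238915-682003330-500'

# On the local machine: find the built-in Administrator regardless of its name.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object Name, SID, Enabled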
GUID
A Globally Unique Identifier (GUID) is another number assigned to each object by the system. It is a
128-bit number (stored in the objectGUID attribute) that is unique across the forest and never changes,
even when the object is moved to another domain. Because of this property it is used to identify
objects in the Global Catalog, which tracks every object in the forest, whereas a domain tracks only
the objects created in it. This figure shows the properties of a user object, including the SID:
Accessing Objects in the Windows OS
Accessing objects in the Windows operating system has two facets.
First, the object side:
• Who has what rights to do what to this object?
Second, the user side:
• What can this user do to a particular object?
• How does the system mesh the two together so that security is maintained?
Access Control Lists: Every securable object (file, folder, registry key, printer, process, AD object
and so on) carries a security descriptor holding its owner and its Access Control Lists (ACLs). There
are two ACLs. The Discretionary ACL (DACL) controls access; it is "discretionary" because the owner of
the object decides what goes in it. The System ACL (SACL) defines which access attempts are audited for
the object.
An ACL is composed of Access Control Entries (ACEs). Each ACE holds the SID of a user or group, an access
mask listing the permissions, flags recording whether the ACE was inherited from a parent, and a type:
allow or deny.
Access Tokens: An access token identifies a logged-on user and her privileges. When a user logs on and
successfully authenticates, the LSA issues a token containing the user's SID, the SIDs of the groups she
belongs to, and her privileges (user rights). Every process she starts carries a copy of this token.
Whenever the user tries to access an object such as a file, folder, printer or other system object, the
system compares the access token with the object's DACL. It walks the DACL ACE by ACE, skipping any ACE
whose SID is not in the token. A matching deny ACE that covers any of the requested rights ends the
check with access denied; a matching allow ACE grants the rights it lists, and the check ends with
access granted as soon as every requested right has been granted. Because Windows stores ACEs in
canonical order (explicit deny, explicit allow, inherited deny, inherited allow), a deny at the same
level is always reached before the corresponding allow. If the end of the DACL is reached with rights
still outstanding, access is denied (implicit deny). An object with no DACL at all grants everyone full
access, which is why a null DACL is a finding and never a default.
This figure illustrates how access is granted. The object has the DACL attached while the user has the
access token attached. The system compares the two and takes the appropriate action, which is either an
allow or a deny.
Active Directory Structure
The domain is the basic unit which holds the user, group, and computer objects. Domains are
independent administrative units which have their own security policies and administration. In a larger
organization, multiple domains can be created but they are separate and independent from each other
and allow the organization to set up their AD structure to follow the organizational structure.
A child domain is created below a parent domain. The domains are still separate from each other but
the child domain will have the parent’s name included at the root. To illustrate, if the parent domain is
called abc.com and the child domain will be accounting, then the child domain’s name will be
accounting.abc.com.
A tree in AD is the parent domain along with all of the child domains. All of the domains in the tree will
have the parent domain’s name incorporated in the child domain’s names.
Multiple trees can be created in AD, but each additional tree must use a different name for its root
domain. A forest is the complete set of domains that share one schema, one configuration and one Global
Catalog; it contains one or more trees, and even a single domain is a forest.
ABC.COM is the first domain created. It has several roles. It is the forest root domain as well as the root
domain for the tree ABC.COM. Many organizations only have a single domain and it is sufficient for their
needs. However, if another domain is required it becomes the child domain to the parent.
Therefore, both NAMERICA.ABC.COM and EUROPE.ABC.COM are the child domains to ABC.COM. Notice
that the naming of the child domain always includes the parent’s name as its root. The creation of
additional domains can continue as the requirements of the organization require. Therefore,
NAMERICA.ABC.COM is the parent to the child domain SALES.NAMERICA.ABC.COM.
Occasionally it is important to have domains with different root names. For example, if ABC corp went
out and bought XYZ corp then the two AD structures could be amalgamated. However, if it was also
important for XYZ to keep its own identity then a new tree could be created with XYZ.COM as the tree
root domain. Both ABC and XYZ are trees in the same forest but maintain their own root names.
Within a domain there is usually a need for further subdivision. This can be accomplished by using
Organizational Units or OUs. This allows the administrator to group objects together for management
purposes, especially delegation of rights and applying GPOs. For example, you might create OUs based
on geography, say city locations, or on departments such as marketing and finance.
Security is an important issue with domains, particularly administrator rights. The domain is often
described as the security boundary, but it is not leak proof: Microsoft's guidance is that the forest is
the true security boundary, because the domains in a forest trust each other and a Domain Admin in any
domain can, in practice, gain control of the forest. A domain is better thought of as an administrative
boundary.
Domain Admins - The Domain Admins group has all rights within the domain. Not only does this group
have all rights in AD for the domain but it also has all rights on any workstation or member server that
has been joined to the domain. The mechanism is that the Domain Admins group is added to the local
Administrators group on the computer when it joins the domain.
Enterprise Admins - The Enterprise Admins group is another group to be aware of. Its capabilities span
the entire forest, not just one domain. The group exists only in the forest root domain and is made a
member of the built-in Administrators group of every domain in the forest (not of each domain's Domain
Admins group). In an extremely high-security environment it may be required that no account has rights
outside its own domain; in that case Enterprise Admins must be removed from the Administrators group of
that domain, and the group's membership kept empty except while forest-level changes (adding a domain,
for example) are being made.
Schema Admins - One final group to make note of is the Schema Admins group, which can make changes
to the schema of AD. This group exists only in the forest root domain. Neither Enterprise Admins nor
Domain Admins can change the schema. Because of the power of Schema Admins, the recommended practice is
to keep it empty: by default its only member is the forest root domain's Administrator account, and
that should be removed. An administrator adds an account to the group temporarily to make the required
schema change and removes it again afterwards.
Exercise 3-1
Test your knowledge of the AD structure by filling in the blanks:
1. In Figure 3-6 the forest root domain is ________.
2. In Figure 3-6 the tree root domains are __________ and ___________.
3. In Figure 3-6 there are ___________ parent domains.
4. In Figure 3-6 there are ___________ child domains.
5. From Figure 3-6 the Enterprise Admins are found in the__________ domain.
6. From Figure 3-6 the Schema Admins are found in the ___________ domain.
7. From Figure 3-6 the Domain Admins are found in ___________ domain.
Answers:
1. ABC.COM
2. ABC.COM and XYZ.COM
3. 3
4. 4
5. ABC.COM
6. ABC.COM
7. Every
Managing Users in AD
In order for a user to log in to AD they must have a domain account. Be aware that this is not the same
as a local account on a workstation. Domain accounts are managed in AD; you need administrative
privileges in AD and must be able to reach a domain controller to do so. Appreciate that in most large
organizations the domain controllers are locked in the server room and are usually rack mounted without
a keyboard or monitor.
The workstation the administrator is sitting at must have the Remote Server Administration Tools (RSAT)
installed, or the administrator must reach the server's console through Remote Desktop. The management
tool is Active Directory Users and Computers (dsa.msc); the ActiveDirectory PowerShell module that RSAT
installs covers the same tasks from the command line. RSAT is specific to the version of the Windows
desktop OS: up to Windows 10 version 1803 it is a download from Microsoft's website, and from Windows
10 version 1809 onwards it is installed as a Feature on Demand from Settings.
The AD Database
Active Directory has multiple parts. The directory database itself is the file ntds.dit, located by
default in C:\Windows\NTDS. AD also includes Group Policy Objects, logon scripts and other files
replicated among domain controllers; these are located in C:\Windows\SYSVOL.
To attack the AD database you need the ntds.dit file, which is held open by the directory service while
the domain controller runs, so it cannot simply be copied. This is the same issue as with the SAM file.
Actually it is easier to get an offline copy of ntds.dit than of the SAM, because Microsoft ships a
utility that makes a consistent backup: ntdsutil, which is included with the server. It is a management
and troubleshooting utility for AD, and its Install From Media (IFM) function conveniently gives us a
copy of the file.
On the domain controller you must be an administrator and open a command prompt. (On the defending
side, ntdsutil.exe running on a domain controller outside a planned domain controller build is a strong
indicator and worth alerting on.)
The commands are as follows:
1. C:\>ntdsutil
2. ntdsutil: activate instance ntds
3. ntdsutil: ifm
4. ifm: create full c:\pentest
5. ifm: quit
6. ntdsutil: quit
The figure below shows ntdsutil in action. After the utility has finished, the folder specified in the
command (C:\pentest) will contain the following folders and files:
• \Active Directory\ntds.dit
• \registry\SECURITY
• \registry\SYSTEM
Similar to extracting the password hashes from the SAM file, the hashes must be extracted from ntds.dit
with third-party utilities (Impacket's secretsdump.py and the DSInternals PowerShell module are common
choices). The hashes in ntds.dit are encrypted with a key that is itself protected by the boot key held
in the SYSTEM hive, which is why the IFM set includes that hive and why the extraction tools need both
files.
More Security Issues
When hardening Active Directory you need to be aware of other possible attacks.
Pass the Hash or Hash Injection - The point of cracking a hash is to obtain the clear-text password so
that the attacker can log on as the user. But what if the hash can be used as the password? NTLM
authentication proves possession of the NT hash, not of the password, so an attacker who has obtained a
hash can authenticate with it directly and skip cracking altogether. No patch removes this from NTLM;
the protections Microsoft has added reduce how many reusable hashes sit in memory and where an
administrator's hash can end up (for example the 2014 update that backported the Windows 8.1 credential
protections to Windows 7 and Server 2008 R2, the Protected Users group, and Credential Guard on Windows
10). Older operating systems have none of these and remain at risk, and every Windows version remains
exposed for as long as NTLM is accepted.
Cached Password - If a domain user logs on at a workstation, a verifier derived from her password is
stored in the registry (under HKLM\SECURITY\Cache, readable only by SYSTEM). If she logs on later while
the domain is unavailable, the workstation checks the password against the cached entry and lets her in.
Notice that the domain user does not have an account on the workstation, so nothing about her is stored
in the SAM. This scenario is common: think of a user with a laptop who logs on to the domain in the
office but cannot when working at home.
A user who has local administrative rights can retrieve all cached domain credentials with the
appropriate tool and attempt to crack them. The cached entries are not in the NTLM hash format used by
the SAM; the format is Domain Cached Credentials 2 (DCC2, also called mscash2), which is a salted and
iterated hash and so far harder to crack than an NTLM hash. Nevertheless, with weak passwords it can be
done.
To mitigate attacks on cached credentials here are some guidelines:
1. All operating systems must have the latest patches and fixes applied.
2. Do not give users local administrative privileges on their workstations.
3. Do not log on to workstations with domain administrator privileges. Use such accounts only on
domain controllers, reached over Remote Desktop from a dedicated administrative workstation. Limiting
the number of cached logons (the "Interactive logon: Number of previous logons to cache" policy) also
reduces what an attacker can recover from a stolen laptop.
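Two checks for the guidelines above, as an added example that is not part of the original module. The registry path and value name are the documented ones behind the "Interactive logon: Number of previous logons to cache" policy; run the script from an elevated PowerShell on the workstation.

```powershell
# Added example: inspect and tighten cached domain logons (guideline 3) and
# warn when a tier-0 group is present in the current token. The registry
# location is the documented backing store for the cached-logons policy.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonCount {
    # CachedLogonsCount is a REG_SZ; when the value is absent Windows uses 10.
    $value = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Set-CachedLogonCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 disables caching (no domain controller, no logon); 1 or 2 keeps laptops
    # usable offline while leaving at most a couple of verifiers on the disk.
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value "$Count" -Type String
}

function Get-PrivilegedGroupsInToken {
    # A token carrying RID 512 (Domain Admins) or 519 (Enterprise Admins) on a
    # workstation means a tier-0 verifier has just been written into its cache.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    @($groups | Where-Object { $_.Value -match '-(512|519)$' } | ForEach-Object { $_.Value })
}

"Cached logons allowed: $(Get-CachedLogonCount)"
$flagged = Get-PrivilegedGroupsInToken
if ($flagged.Count -gt 0) {
    "WARNING: privileged domain group(s) in this logon session: $($flagged -join ', ')"
}
# Set-CachedLogonCount -Count 2    # tighten once laptop users know they need a DC for first logon
```

The same setting can be pushed to every workstation through Group Policy; the script is useful for verifying what actually landed on a machine.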
Windows File and Folder Security
Authorization is the concept that users can only access the parts of the system that we give them
access to. For files and folders this means giving them permissions on the files or folders. For
anything else in the system, this means giving them rights.
Permissions
What can you do to a file or a folder? Caution is in order here. A file is the ultimate object that you
manipulate. A folder is a container that holds files and more folders. Although what you can do is mostly
similar, not everything is. For example, you can execute (run) an executable file but you can't do that for
a folder. You can list the contents of a folder (the DIR command) but you can't do that for a file.
The basic actions that you can do for a file and a folder, and hence their permissions, are as follows:
Read - You can view and list a file or folder. When viewing a folder you see the files and folders it
contains. When reading a file you can "open" it up, that is if it is a text file you can view it in a word
processing program, if it is an image, you can see it in an image viewer, etc.
Write - You can create a file and put content in it. If a folder, you can create files and folders in it.
Read & Execute - For a file this adds the right to run it, and applies to executables such as those with
the extension .exe, .com, .dll or .cmd. On a folder the same permission is Traverse Folder, the right to
pass through the folder to reach something below it.
Modify - Includes reading, writing and executing, and also allows deletion, renaming and changing
attributes.
List Folder Contents - This only applies to a folder. You can list the contents of the folder and
traverse it; unlike Read & Execute, it is inherited only by subfolders, not by files.
Full Control - This permission includes all of the others and adds the ability to change the permissions
and to take ownership of the file or folder.
Managing permissions is done through the Security tab of the properties of the file or folder. Appreciate
that the permissions are stored with the file or folder on the volume, and only the NTFS file system
(and its successor ReFS) has this capability. Do not use the older file systems such as FAT or FAT32
because they do not support permissions. Also be aware that CDs and DVDs cannot carry permissions. USB
memory sticks are formatted with FAT32 or exFAT by default but can be reformatted to NTFS. Losing the
protection of permissions can be an issue if you use these other media. Finally, permissions do not
automatically travel with a file: a copied file takes the permissions of its destination folder (a move
within the same NTFS volume keeps them), so copying to a network share or to a non-NTFS disk loses any
explicit permissions unless a tool such as robocopy /COPYALL is used to copy the DACL as well.
Managing permissions is a complex task if you consider the number of files and folders on a typical
computer. Next we will examine some of the methods used to simplify this task.
Groups
The job of setting up each user with a distinct set of permissions increases with the number of users. If
only one individual uses one computer, the job might be manageable, but on a network with thousands
of users the job would be impossible.
Permissions are usually assigned to groups instead of individuals, although there are always exceptions.
The rule is create a group and add all the users who need the same access to the group and then assign
the permissions to the group.
Folders Not Files
There are fewer folders than files. Assign the permissions to the folder and let the files inherit the
permissions from the folder.
If a file must have different permissions than the other files in the folder, make an exception and edit
its permissions individually (an explicit ACE on the file).
Any file or folder created in a parent folder inherits the parent's permissions, unless inheritance has
been disabled on the object ("protected" in the Advanced Security Settings dialog), in which case it
keeps only its explicit ACEs.
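The following PowerShell is an added example (not from the original module) that puts the "groups and folders, not users and files" advice into practice on a scratch folder under $env:TEMP. It uses BUILTIN\Users (S-1-5-32-545) as a stand-in for a department group so it runs on any Windows machine with an NTFS temp volume; the folder and file names are made up for the demonstration.

```powershell
# Added example: one inheritable ACE on the folder for a group, one explicit
# exception on a single file, then show which ACEs are inherited and which
# are explicit. Paths and the group choice are just for the demonstration.
$root = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'report.txt'), (Join-Path $root 'readonly.txt') -Force | Out-Null

$group     = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
$groupName = $group.Translate([System.Security.Principal.NTAccount]).Value

# Grant the group Modify on the folder; ContainerInherit flows the ACE to
# subfolders and ObjectInherit to files, so every child inherits it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# The exception: stop inheritance on one file, keeping copies of the inherited
# ACEs as explicit ones so that nothing else changes. Persist first, because
# the copies only become editable (non-inherited) once written to disk.
$file = Join-Path $root 'readonly.txt'
$facl = Get-Acl $file
$facl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $file -AclObject $facl

# Re-read, swap the group's copied Modify for an explicit Read, and persist.
$facl = Get-Acl $file
$facl.RemoveAccessRuleAll((New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'Modify', 'Allow')))
$facl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'Read', 'Allow')))
Set-Acl -Path $file -AclObject $facl

function Show-GroupAce($Path) {
    # IsInherited tells you whether the ACE came from the parent or was set here.
    (Get-Acl $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $groupName } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, AccessControlType, IsInherited
}
Show-GroupAce $root                              # explicit Modify on the folder
Show-GroupAce (Join-Path $root 'report.txt')     # the same Modify, inherited
Show-GroupAce $file                              # explicit Read only, nothing inherited
```

Deleting the scratch folder afterwards (Remove-Item $root -Recurse) is enough to clean up; the ACEs live in the files' security descriptors and disappear with them.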
Rules That Impact Effective Permissions
Permissions for files and folders are complex and all too easy to get wrong if lock-down security is the
goal.
Here are the rules that impact permissions:
1. A person's permissions are the combination of the permissions assigned to the user directly
plus any permissions assigned to groups that the person belongs to. The permissions are
additive, that is, they are added together.
2. A file or folder receives its permissions by default from the folder in which it is created.
Therefore, permissions are inherited from the parent folder.
3. Permissions set directly on the file or folder, called explicit permissions, take precedence
over inherited permissions.
4. As a consequence, permissions set on a file take precedence over the permissions it inherits
from the folder that it is in.
5. If a user does not have an allow permission on a file or folder they do not have access. You
do not need to create an explicit deny permission. This is called an implicit deny.
6. At the same level (explicit against explicit, or inherited against inherited) a deny permission
always overrides an allow permission. An explicit allow on a file does, by rule 3, override a
deny inherited from the folder.
Two things sit outside these rules: the owner of a file or folder can always change its permissions,
and members of Administrators can take ownership even when the DACL denies them everything.
From the list of rules it is clear that a combination of these affects what a user can actually do to a
file or folder, and this is called the effective permissions. It is important to be able to examine the
effective permissions, which the Effective Access tab of the Advanced Security Settings dialog does for
a chosen user or group; the following exercise will illustrate the procedure.
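As an added example that is not part of the original module, the following PowerShell simulates the DACL walk described in the access token discussion earlier and exercises the six rules above against it. The SIDs, ACEs and token are constructed sample data, and the rights mask is a cut-down stand-in for the real FileSystemRights flags so the bit arithmetic stays readable; the function names are my own.

```powershell
# Added example: simulate how the DACL is walked against an access token.
# All SIDs, ACEs and the rights mask are constructed for the demonstration.
$Right = @{ Read = 1; Write = 2; Execute = 4; Delete = 8 }
$Right.Modify = $Right.Read -bor $Right.Write -bor $Right.Execute -bor $Right.Delete

function New-Ace([string]$Sid, [string]$Type, [int]$Rights, [bool]$Inherited = $false) {
    [pscustomobject]@{ Sid = $Sid; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

# Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
# Windows writes DACLs in this order; the evaluation below relies on it.
function Sort-Canonical($Dacl) {
    $Dacl | Sort-Object { [int]$_.Inherited * 2 + [int]($_.Type -eq 'Allow') }
}

function Test-Access {
    param([string[]]$Token, [object[]]$Dacl, [int]$Requested)
    # A null DACL (no DACL at all) means no protection: everyone gets everything.
    if ($null -eq $Dacl) { return [pscustomobject]@{ Granted = $true; Reason = 'null DACL' } }
    $granted = 0
    foreach ($ace in Sort-Canonical $Dacl) {
        if ($Token -notcontains $ace.Sid) { continue }       # ACE is for nobody in this token
        $remaining = $Requested -band (-bnot $granted)        # rights still to be granted
        if ($ace.Type -eq 'Deny') {
            # A matching deny covering an outstanding right ends the check.
            if ($remaining -band $ace.Rights) {
                return [pscustomobject]@{ Granted = $false; Reason = "denied by ACE for $($ace.Sid)" }
            }
        } else {
            $granted = $granted -bor ($ace.Rights -band $Requested)   # rule 1: allows accumulate
            if ($granted -eq $Requested) {
                return [pscustomobject]@{ Granted = $true; Reason = 'all requested rights allowed' }
            }
        }
    }
    # End of DACL with rights outstanding: rule 5, implicit deny (an empty DACL lands here too).
    [pscustomobject]@{ Granted = $false; Reason = 'implicit deny' }
}

# Constructed token: the user plus two groups (a real token carries SIDs, not names).
$Alice   = 'S-1-5-21-1-1-1-1105'
$Finance = 'S-1-5-21-1-1-1-2001'
$Users   = 'S-1-5-32-545'
$token   = @($Alice, $Finance, $Users)

# Rule 1: Read from the user's own ACE and Write from a group ACE add up.
$dacl1 = @( (New-Ace $Alice 'Allow' $Right.Read), (New-Ace $Finance 'Allow' $Right.Write -Inherited $true) )
Test-Access $token $dacl1 ($Right.Read -bor $Right.Write)

# Rules 3 and 4: an explicit Allow on the file beats a Deny inherited from its folder.
$dacl2 = @( (New-Ace $Finance 'Deny' $Right.Read -Inherited $true), (New-Ace $Alice 'Allow' $Right.Read) )
Test-Access $token $dacl2 $Right.Read

# Rule 6: at the same level a Deny on a group wins even against Modify on the user.
$dacl3 = @( (New-Ace $Alice 'Allow' $Right.Modify), (New-Ace $Finance 'Deny' $Right.Write) )
Test-Access $token $dacl3 $Right.Write

# Rule 5: no ACE names anyone in the token, so nothing is granted.
Test-Access $token @( (New-Ace 'S-1-5-21-1-1-1-9999' 'Allow' $Right.Modify) ) $Right.Read
```

The first two checks come back Granted = True and the last two Granted = False, with the Reason column naming the ACE responsible. Real Windows differs from the simulation in two documented ways worth remembering: the owner is always granted the rights to read and change the DACL, and rights such as Take Ownership held in the token are applied before the DACL is consulted.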
Managing User Rights
Rights and permissions are often used interchangeably in the Windows world. In this course we want to
distinguish between the two for practical reasons. Permissions are the actions that are allowed on files
and folders; they are stored with the NTFS file system and are easy to find in the properties of the file
or folder.
Rights are also actions that are allowed to be performed, but on objects other than files and folders,
or on the system as a whole. These include user objects, groups, parts of the operating system, domains
and objects in Active Directory, to name just a few. In Microsoft's own terminology these are user
rights (logon rights such as "Allow log on locally" and privileges such as "Back up files and
directories"), and each is granted to users or groups rather than attached to an object.
Rights are stored in various places: user rights live in the local security policy database (the LSA
policy held in the SECURITY registry hive) on each machine, or are delivered to it by Group Policy,
while rights on AD objects are stored as ACLs on the objects themselves. Modifying rights is more
difficult because the controls are well hidden from standard users. The Local Security Policy console
(secpol.msc, under User Rights Assignment) is one place to look; Group Policy and Active Directory are
others. The easiest way to change at least some of them is through membership of the local groups
predefined in the Windows operating system, such as Backup Operators, each of which carries a fixed set
of rights.
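Because user rights are not visible in any object's properties, the practical way to see who holds them is to export the local security policy. The following is an added example, not from the original module: it runs secedit, parses the [Privilege Rights] section of the resulting INF (where secedit writes each right as a privilege name followed by the SIDs that hold it, prefixed with an asterisk), and resolves the SIDs to names. It needs an elevated prompt; the temporary file name is my own choice.

```powershell
# Added example: list who holds each user right on this machine by exporting
# the local security policy with secedit and parsing its [Privilege Rights]
# section. The temporary INF path is arbitrary.
function Get-UserRightsAssignment {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $inSection = $false
    foreach ($line in (Get-Content $inf)) {
        # Section headers look like [Privilege Rights]; we only care about that one.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        # Entries look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $priv = $Matches[1]
            foreach ($h in ($Matches[2] -split ',' | Where-Object { $_ })) {
                $holder = $h.Trim()
                $name   = $holder
                if ($holder.StartsWith('*')) {
                    # Leading '*' marks a SID; resolve it to an account name where possible.
                    $sid = $holder.TrimStart('*')
                    try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid }
                }
                [pscustomobject]@{ Privilege = $priv; Holder = $name; Raw = $holder }
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# The rights that matter most to an attacker: debugging any process, reading
# any file for backup, and acting as part of the operating system.
Get-UserRightsAssignment |
    Where-Object { $_.Privilege -in 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeTcbPrivilege' } |
    Format-Table Privilege, Holder, Raw
```

Dropping the Where-Object filter prints the complete assignment, which is a useful baseline to diff after a Group Policy change or during an incident review.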
Module Summary
In this module we have explored:
1. How the Active Directory provides security and centralized management for large organizations.
2. How the WinLogon process decides whether a logon request is for the local workstation or for
the domain.
3. How Kerberos uses Active Directory for user authentication information and then provides the
Ticket Granting Ticket, which the client exchanges for service tickets to the other resources of the
domain.
4. That the attributes that identify an object are its Security Identifier (SID) and Globally Unique
Identifier (GUID).
5. That the Active Directory is organized along a tree structure with parent domains having child
domains below it. The child domain’s name includes the parent name in its root.
6. How multiple trees with different root names make up a forest.
7. How security on files and folders is controlled by permissions.
8. That there are many rules for permissions on files and folders, and that what a user can actually do
is given by the effective permissions.
Knowledge Check
The following questions provide an opportunity for you to see what you remember and understand so
far. Answer the questions to the best of your ability.
1. Which component of the Windows logon process decides if the authentication request is for the
local workstation or the domain?
a. MSGINA.dll.
b. WinLogon.
c. LSA.
d. SAM.
2. Kerberos is _________.
a. The AD database.
b. The authentication system of the domain.
c. The database of resource permissions.
d. Used by SAM to authenticate users.
3. Which of the following statements about Kerberos is true?
a. A service decrypts the ticket presented to it with its own long-term key, which it shares only with the KDC.
b. An Authentication Service request is made each time a user tries to access a resource.
c. Kerberos uses the SAM to find a user's credentials.
d. A separate TGT is issued for each resource the user accesses.
4. Active Directory uses a multimaster model. What does this mean?
a. Multiple domain roots are supported.
b. All domains in the forest trust each other.
c. Multiple forest roots are supported.
d. Multiple domain controllers hold copies of AD in case one goes offline.
5. When can the SID of an object change?
a. When the object is renamed.
b. It can’t be changed.
c. When the object is moved to another domain.
d. When the object is moved to another OU.
6. The Discretionary Access Control List is made up of _______.
a. Access Control Entries.
b. SACLs.
c. ACLs.
d. Tokens.
7. In order to delete a file which permission do you need?
a. Erase.
b. Write.
c. Modify.
d. Full Control.
8. You need to give a user permission to read a file but not delete it. When you go to the file’s
properties you can’t find the security tab. What explains this behaviour?
a. You do not have administrator rights.
b. The file is on a FAT32 partition.
c. The file is on a workstation instead of a file server.
d. You do not have the Full Control permission to the file.
9. A user needs a configuration file for his application to be modified but it is in a Read-Only folder.
What should you do?
a. Give the user explicit Modify permission to the file.
b. Move the file to another folder.
c. Give the folder Modify permission.
d. Give the user administrator rights.
10. Which group has rights in every domain in the forest?
a. Domain Admins.
b. Schema Admins.
c. Forest Admins.
d. Enterprise Admins.
Answers:
1. C) LSA.
2. B) The authentication system of the domain.
3. A) A service decrypts the ticket presented to it with its own long-term key.
4. D) Multiple domain controllers hold copies of AD in case one goes offline.
5. C) When the object is moved to another domain.
6. A) Access Control Entries.
7. C) Modify.
8. B) The file is on a FAT32 partition.
9. A) Give the user explicit Modify permission to the file.
10. D) Enterprise Admins.
You have completed Access Controls in Microsoft Windows
Remember to check the timeline before you proceed to the next module to ensure you have completed
any assignments as required. Check with your instructor if you have any questions.