Unit OS7: Windows Security Components and Concepts

More documents

Recommendations

Info

20 Access Check ACEs in the DACL are examined in order Does the ACE have a SID matching a SID in the token If so, do any of the access bits match any remaining desired accesses If so, what type of ACE is it Deny: return ACCESS_DENIED Allow: grant the specified accesses and if there are no remaining accesses to grant, return ACCESS_ALLOWED If we get to the end of the DACL and there are remaining desired accesses, return ACCESS_DENIED The Security Reference Monitor (SRM) implements an explicit allow model Exposed to apps through Windows API AccessCheck(), AccessCheckByType(), TrusteeAccessToObject())
21 Example: Access granted Security Token Used ID: FredMgr Group Ids: Users Mgrs Everyone Privileges: None Desired access read/write File object Security descriptor AccessAllowed FredMgr Read (RX) AccessAllowed Mgrs Special Access(RW) AccessAllowed Everyone Special Access(X) ACE ACE ACE Discretionary Access Control List
Page 1 and 2: Windows Security
Page 3 and 4: 3 Windows Security Mechanisms Permi
Page 5 and 6: User Mode Security Components WinLo
Page 7 and 8: 7 LSASS Components SAM Service A se
Page 9 and 10: 9 LSASS Components Net Logon servic
Page 11 and 12: 11 Security Reference Monitor Perfo
Page 13 and 14: 13 Protecting Objects Access to an
Page 15 and 16: 15 Tokens The main components of a
Page 17 and 18: 17 Security Descriptors Descriptors
Page 19: 19 Discretionary Access Control Lis
Page 23 and 24: 23 Access Check Quiz Token Mark Aut
Page 25 and 26: 25 Access Special Cases An object
Page 27 and 28: 27 Controllable Inheritance In NT 4
Page 29 and 30: Impersonation Lets an application a
Page 31 and 32: 31 Privileges Specify which system
Page 33 and 34: 33 What Makes Logon Secure Before a
Page 35 and 36: 35 Logon LSASS creates a token for
Page 37 and 38: 37 Remote Logon - Active Directory
Page 39 and 40: 39 Cross-platform Strategy Common K
Page 41 and 42: 41 Kerberos principles Kerberos req
Page 43 and 44: 43 Tickets and Authentication info
Page 45 and 46: 45 Ticket Characteristics KDC retur
Page 47 and 48: 47 Further Reading Mark E. Russinov

Unit OS7: Windows Security Components and Concepts

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?