Understanding Windows Security on System Objects: Pros and Cons Explained

  • Thread starter: h0dgey84bc
  • Tags: Interview

Discussion Overview

The discussion revolves around the security mechanisms employed by Windows for system objects such as processes and threads, specifically focusing on access tokens and Access Control Lists (ACLs). Participants explore the advantages and disadvantages of these security measures, as well as related concepts like Windows services.

Discussion Character

  • Technical explanation
  • Conceptual clarification
  • Debate/contested

Main Points Raised

  • One participant explains that access tokens contain security information related to the user and are crucial for determining access to system objects.
  • Another participant notes that ACLs define which users or groups have access to specific resources and the types of access they are granted.
  • Concerns are raised about the delay in propagating changes to group memberships, which can affect access rights until the user logs off and back on.
  • Impersonation is highlighted as an advantage, allowing processes to temporarily adopt the identity of another user, which can enhance security in multi-user environments.
  • Discussion shifts to Windows services, with one participant describing their characteristics and the reasons for using them, including their ability to run without an interactive user session.
  • Another participant expresses a personal opinion against the trend of breaking functionalities into multiple services, citing complexity and dependency issues.
  • Participants discuss the special considerations required for services, such as their inability to interact directly with users and the need for careful design to avoid security vulnerabilities.

Areas of Agreement / Disagreement

Participants present various viewpoints on the security mechanisms and services in Windows, with no clear consensus reached on the advantages and disadvantages of the approaches discussed.

Contextual Notes

Some limitations are noted regarding the dynamic propagation of group membership changes and the complexities involved in managing multiple services and their dependencies.

Who May Find This Useful

This discussion may be useful for individuals interested in Windows security mechanisms, system architecture, and the management of services within the Windows operating system.

h0dgey84bc
Hi, I was asked this at an interview recently, "How does Windows impose security on system objects such as processes and threads? What are the pros and cons of this approach?"

Anyone have any ideas?

thanks.
 
Starting with Windows NT, Microsoft uses the concept of "access tokens" and ACL (Access Control Lists).

An access token contains all the security information related to the user who has started a session. This token is created when the user logs on and destroyed upon logoff. The access token contains the SID (Security IDentifier) of the user and of each group it belongs to. It also contains special privileges that the user may use (like the ability to shut down the computer, debug programs, ...). Each process and thread executed by the user contains a copy of this token.

An ACL is associated with every protected object or resource. It contains the list of SIDs that have access to it and which type of access (Full Control, Read/Write, Read Only, ...). Normally ACLs define allowed rights, but they may also contain explicit denies.

When a thread tries to access any kernel object (mutex, semaphore, event, process, thread, ...) or resource (file, registry key, ...) the system compares the ACL of the object with the token associated with the thread requesting access. If a match is found, the access is allowed, otherwise denied (somewhat simplified).

The main problem is that any change in the group membership of the user is not dynamically propagated. This means that the user can't get instant access to new resources, but even worse, the administrator can't immediately deny access to some resource by removing the user from the appropriate group. The user must log off and log on again to get an updated token with the new list of SIDs.

One of the advantages is impersonation (the ability of a process or thread to temporarily take on the identity of another user if it has the right to do so). The access token is duplicated on every process and thread, so one thread might impersonate another user without modifying the rights of other threads or processes. This is especially important in services that handle requests from many users. Using impersonation, the service can use the rights of each user instead of the user who started the service (normally SYSTEM or Administrator). This increases security against bugs or malicious users.

It's a little simplified, but I think you can see the concept.
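The access check, the stale-token problem and the impersonation point in the answer above, as an added example for this page written in Python (it is a model of the documented behaviour, not Windows code, and not part of the original post). The access-mask bits, the user and group names, the "directory" of group memberships and the payroll DACL are all constructed for the illustration. It also shows the one detail the answer glosses over: ACEs are evaluated in order, so a deny ACE only wins if it comes before the allow ACE that would have granted the access.

```python
"""Added illustration for this page: a model of the Windows access check
described above (token SIDs vs. an object's DACL), plus the two consequences
the post mentions: a token is a snapshot taken at logon, and a service can
impersonate its client.  This is not Windows code; all names, the directory
and the ACLs are constructed for the example."""
from dataclasses import dataclass

# Constructed access-mask bits (Windows uses a 32-bit ACCESS_MASK).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Token:
    """Snapshot of who the caller is: user SID plus group SIDs."""
    user: str
    groups: frozenset

    def sids(self):
        return {self.user} | set(self.groups)


@dataclass(frozen=True)
class Ace:
    """One access control entry: 'allow' or 'deny' for one SID."""
    kind: str
    sid: str
    mask: int


def access_check(token, dacl, desired):
    """Evaluate an ordered DACL the way the post describes, with the
    ordering rule that matters in practice: ACEs are walked in order, a
    matching deny that overlaps the not-yet-granted bits denies the whole
    request, allows accumulate bits, and the walk stops once every desired
    bit is granted.  dacl=None models a NULL DACL (no protection, so all
    access is granted); an empty list grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    caller = token.sids()
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in caller:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


# Constructed "directory": group membership as the administrator sees it.
DIRECTORY = {
    "alice": {"Users", "Finance"},
    "bob": {"Users"},
}


def logon(user):
    """Build the token once, at logon; later directory edits are not seen."""
    return Token(user, frozenset(DIRECTORY[user]))


# Constructed DACL on a payroll file: Finance may read and write, Users may
# read, and an explicit deny for bob is placed first so it wins even though
# bob is also a member of Users.
PAYROLL_DACL = [
    Ace("deny", "bob", FULL_CONTROL),
    Ace("allow", "Finance", READ | WRITE),
    Ace("allow", "Users", READ),
    Ace("allow", "SYSTEM", FULL_CONTROL),
]


def demo_stale_token():
    """Remove alice from Finance after she logged on.  Her existing token
    still grants WRITE; only a fresh logon picks up the change."""
    old_token = logon("alice")
    DIRECTORY["alice"] = {"Users"}              # administrator edits the group
    still_allowed = access_check(old_token, PAYROLL_DACL, WRITE)
    after_relogon = access_check(logon("alice"), PAYROLL_DACL, WRITE)
    DIRECTORY["alice"] = {"Users", "Finance"}   # restore so the demo reruns
    return still_allowed, after_relogon


def demo_impersonation(client):
    """A service running as SYSTEM handles a request from `client`.  Without
    impersonation the check runs against the service's own token, so a
    denied user gets write access through the service; with impersonation
    the client's own token is used and the deny ACE applies."""
    service_token = Token("SYSTEM", frozenset())
    client_token = logon(client)
    as_service = access_check(service_token, PAYROLL_DACL, WRITE)
    as_client = access_check(client_token, PAYROLL_DACL, WRITE)
    return as_service, as_client


if __name__ == "__main__":
    print("stale token (old token, after re-logon):", demo_stale_token())
    print("bob via service (no impersonation, impersonating):",
          demo_impersonation("bob"))
```

Running the file prints `(True, False)` for both demos: alice's old token keeps the write right after the administrator removes her from Finance, and bob gets the write through a non-impersonating SYSTEM service but is denied once the service impersonates him. Swap the order of the first two ACEs in `PAYROLL_DACL` and bob's deny stops working for reads granted by the earlier `Users` ACE, which is why Windows places explicit denies ahead of allows when it canonicalizes a DACL.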
 
Dude, you got the job!

What would you have said to this one: "What is a Windows Service and when might you use one? What special consideration do Services require?"

I think I got this one correct, although my answer was probably a little rough around the edges, especially on the second part of the question.
 
It's me who is taking the interview?

Services are a big topic in Windows. There are many types of services and many reasons to create one. For example, internally Windows also treats device drivers as services (although with some special characteristics).

A service in Windows is a process that runs in the background in the context of a preconfigured account. It is not associated with any interactive user session (although it can run with the credentials of any user) and it can be running even if there isn't any user authenticated to the server or workstation. Windows allows multiple services to be running inside one process to save resources (this is the case of svchost.exe that hosts multiple Windows services at once).

Basically you use a service when you need to offer access to shared resources (files, databases, web resources, printers, ...), but there are other reasons not always so obvious. When you design a new program you should evaluate its needs and decide how it should run.

Microsoft is tending to move some management functions to services and even to break some functionalities into different services (especially in Windows Vista). Personally I don't like this approach because it forces you to have many services running. There are many dependencies between services, so it's very difficult to stop some of them without breaking the functionalities you really want.

What special considerations do services require? A lot. Probably the most obvious is that they cannot interact with any interactive user directly (before Windows Vista this possibility existed). If it needs to interact, you also need to develop some kind of client. The internal structure of a service is quite different from a normal user process. Also, it runs with a fixed set of credentials that generally have elevated privileges, so extreme care must be taken while designing and implementing the service to avoid security holes.

Well, I think this is enough as an introduction. Services are too extensive a topic to talk about generally.
 
I think you should apply for this job, haha, you definitely are more qualified than me anyway... I am just a lowly physics grad, no idea why the recruitment guy sent me for this, seems definitely more suited to a comp sci grad.
 
If you get the job, doesn't he get the commission?! :)
 