Tuesday, December 24, 2013

Microsoft Windows Security Principals

In Windows, actions are taken by subjects on objects. Subjects are the entities that need access; objects are the things that are accessed in different ways (read, write, etc.).

There are three types of security principals:
1 - The 'user' and, by extension, its more complicated relative, the 'group'.
2 - The 'computer'.
3 - The 'process', or more precisely the service.
Every security principal is represented by a SID (security identifier) within a particular scope, and the SID is unique within that scope. The above mentioned security principals are explained below:
1- The User
The user is the most basic type of security principal, the most basic entity to which permissions can be assigned.
The default users on a Windows machine are the Administrator and the Guest. On a stand-alone machine users are managed by the SAM: the local SAM contains all the users on that system. By default a Windows domain has a Domain Administrator, and the Guest account is also present, but in Windows 2003 and later it is disabled by default.
The other type of user is the domain user, which is created on the domain and is created and maintained by Active Directory instead of the local SAM. Once a computer becomes an Active Directory server the SAM does not cease to exist or cease to function; it remains and maintains the local system users, which may be used for recovery operations.
The concept of users is pretty straightforward, so in this article we will be talking about groups in MS Windows 2008 and later.
Groups (Security Groups)
According to Microsoft itself, a 'user group' is a collection of user accounts that all have the same security rights. User groups are also sometimes referred to as security groups.
There are 6 different types of security groups, the first three being:
a - Local Group
b - Global Group
c - Universal Group
These are explained below according to the permissions they can be assigned and the members they can contain.
a - Local Group
Permissions Scope: can be assigned permissions to resources in the same domain they are defined in.
Possible Members: users, universal and global groups from any trusting domain, or other domain local groups.
b - Global Group
Permissions Scope: resources in any domain in the forest the domain is part of, or in any trusting forest.
Possible Members: users and global groups from the domain the group was defined in.
c - Universal Group
Permissions Scope: resources in any trusting domain.
Possible Members: users, universal and global groups from any domain.
A fresh Active Directory installation will contain default groups of all three types above. As we mentioned, there are 6 different types of security groups; the remaining three are user-defined versions of the above three, i.e.
d - User Defined Local Groups
e - User Defined Global Groups
f - User Defined Universal Groups
In a freshly installed default installation of Active Directory there are no less than 63 groups. A large number of these groups abstract concepts called Special Identities.

Special Identities
These groups represent dynamic aspects of a security principal; for example, the following dynamic groups (special identities):
INTERACTIVE: contains users that have logged on at a terminal or via Terminal Services.
NETWORK: contains users that have logged on over the network. Given the purposes of the INTERACTIVE and NETWORK groups, a user can be a member of only one of them and not the other.

AUTHENTICATED USERS: this group contains all users that have been authenticated and given remote or terminal sessions on the machine. This is the same as saying all users.
EVERYONE: as the name implies, this group includes all users.
The difference between the Authenticated Users group and the Everyone group is that Everyone can contain a user which does not need authentication, viz. the Guest user. Do note that from Windows 2003 onwards the Guest user has been disabled, so for all practical purposes the groups Authenticated Users and Everyone have the same component users.
2- Computers
The second security principal type is 'Computers'. Computers are, for all practical purposes, just another user in Active Directory.
3- Services
The last type of security principal is a service. Since Microsoft Windows 2008, services are security principals to the extent that they have their own security identifiers. The security identifier of a service can be used to assign permissions on resources.
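To make the SID representation concrete, here is an added Python example (not code from the original post) that decodes the binary SID layout into the familiar S-1-... string and labels the special identities and service SIDs discussed above. The well-known SID values are the standard Microsoft ones; the sample bytes are constructed for illustration.

```python
import struct

# Well-known SIDs of the special identities described in the article
# (standard Microsoft well-known SID values).
SPECIAL_IDENTITIES = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
}
# Service SIDs live under S-1-5-80-; the sub-authorities are derived from the
# service name, so any SID with this prefix denotes a service principal.
SERVICE_SID_PREFIX = "S-1-5-80-"

def parse_binary_sid(raw: bytes) -> str:
    """Decode the binary SID layout: revision (1 byte), sub-authority count
    (1 byte), identifier authority (6 bytes, big-endian), then N 32-bit
    little-endian sub-authorities. Rejects malformed input."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify_sid(sid: str) -> str:
    """Name the kind of principal a string SID denotes."""
    if sid in SPECIAL_IDENTITIES:
        return f"special identity: {SPECIAL_IDENTITIES[sid]}"
    if sid.startswith(SERVICE_SID_PREFIX):
        return "service (NT SERVICE\\...)"
    if sid.startswith("S-1-5-21-"):
        # Domain or local-SAM principal: the last sub-authority is the RID,
        # and the well-known RIDs 500/501 are Administrator and Guest.
        rid = int(sid.rsplit("-", 1)[1])
        if rid == 500:
            return "built-in Administrator account"
        if rid == 501:
            return "built-in Guest account"
        return f"domain/local account or group (RID {rid})"
    return "other"

# Constructed sample: the binary form of S-1-5-11 (Authenticated Users).
SAMPLE_AUTH_USERS = bytes([1, 1, 0, 0, 0, 0, 0, 5, 11, 0, 0, 0])
```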

About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes in Vulnerability Assessment and Penetration Testing, and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.
