One of the most fascinating parts of Windows NT is its security system. If you don't care about security, you can completely ignore this part of the Win32 API. However, in many cases, NT built-in security features can help solve some interesting questions. In this article, you will understand the intention of the NT security system, which will help you know its use, and how to operate it.
It should be noted that some of the code after this article can log in as an administrator to run. Only administrators have permissions to perform some of the system security tasks discussed here.
Things that NT security can do
In most people, NT is a quite complete and complex security system. Experienced UNIX programmers are familiar with the UNIX operating system file security system and understand the meaning of root privileges. However, these systems are relatively simple compared to NT. The next example will let you know the NT security system.
In the Security Menu and Security Editor of the Document Manager, we can see the security features of the NT. You can write your own code to modify the security information on the NT file system volume, and you can do it in detail as it. In the program you wrote, you can control who has some type of permissions to access files on the NTFS volume, just like the work of the file manager.
You can create a named pipe on the system that only other systems can access. When the user tries to connect to the server, the security system will check to ensure that only users with the corresponding access rights can be accessed, but the user who does not have administrator privileges. You can make the administrators on different machines can communicate with each other, while ensuring security. You can write code to select a user or user group that allows access or denial.
You can create a MUTEX with secure tags that only allow some users or groups to access it. This process can be applied to any object in the system: including files, semaphores, threads, events, shared memory in file mapping, etc. For Mutex, you can use this processing to prevent illegal access to a synchronization mechanism for an application;
You can create a project in an event log when an object (such as a thread, Mutex, Pipe, File, or Registration Key) is accessed. You can specify the type and user of the access, and generate an event log item. For example, for a file, you can set an event log item when you successfully read the file successfully by the user Smith.
From the above example, we can know that NT allows you to set exact secure access to objects in the system and allow you how to monitor and log objects.
NT safety system terms and concepts
The NT security system has a large number of new concepts and the vocabulary describing these concepts, which will express these concepts in a simple word to facilitate you understand.
You should be very familiar with the most common part of the security system: this is the password. You can see the password system as a lock of a building front door. The function of the cryptographic system is like a lock to isolate things inside and outside the building. Your password is equivalent to the key to open the door, let you enter the NT system.
If your hard drive is formatted with NT file system, you know that the NT security system has a second layer. You can see this layer as a lock in the buildings in the building. Some rooms are open, anyone can go in, but some are locking. The locks in each room are a bit different. For example, in a volume formatted using the NT file, if you have created a file above, you can set a variety of access rights for it:
Only the owner of the file can access it
Only a certain user can access it
Some users can access it
You can set a member of a group to access it
You can set a member of a group to access it, but also reject some users in the group to access it.
Can be set to a member of multiple groups to access it
Anyone can visit
Each protected file can be regarded as a room. Your security settings to files are like a lock of the room, used to determine who allows access to the room. You can also control what he does when a person enters the room. For example, for a file, you can read the permissions read by the user and write permissions written by another user. Open the security menu of the File Manager and see the permissions dialog box, you can try to do different settings. NT is like a building with many rooms. Your password is equivalent to a key, let you enter the building. Once you have entered the building, you can use your own key to enter different rooms. Some rooms are unlocked, some are locked, but you can go in, and some are to refuse you into. The room is equivalent to each object in the NT system: file, registration sub-key, thread, and Mutex object, and more.
You can also join a post in the door of the room, the mission of the post is to monitor who uses the room and how he is using. This is called an audit in NT. When you add an audit on a NT object, when some users have access to the object in some way, the object will write related items in the event log. For example, if you can access a NT file system volume, and managed permissions, open the file manager and select a file you own, and then select the review option in the Security menu. For each independent user or group, you can set when you have successful (or fail, or both) open the file, write file, execute file, etc.
To understand these security features, the most convenient is in the NT file system. Through the security editor in the file manager, you can set a variety of different security features in a graphical and easy form. The division of these security details is suitable for many objects in NT. For example, you can protect the project in the registry in the same way, in fact, the Registry Editor contains a visual security editor similar to the file manager. You can also set security properties for many internal system objects. For example, you can use this way to limit access to a named pipe.
The following is a brief summary of the concepts discussed above:
A NT system is like a building. Your password is equivalent to a key, allowing you to enter the building.
After entering the building, you will find thousands of rooms. A file is similar to a room, registry project, named pipes, and threads.
The security of each room is set by the owner, which can be set to only use someone to use, a group of users, a group or anyone who is accessible;
Each room can also join a post. Responsible for checking and documenting anyone who enters the room and everyone has made after each person;
Now you have some basic concepts, and then talk about some of the special terms of NT in security.
NT's security terminology
When you log in into a NT system, the system will give you an access sign. This access marker is the key you use to open the lock in the NT system. Your key can open some locks, but there are some it can't open. Each handles you do include a copy of your access tag.
This visited tag is used to do two different things. First, it is used to identify your identity. For example, when you log in as a user "Smith", your access marker contains the user's identity. Access marks are also used to identify all groups you belong to. For example, in the User Manager, you may be a Power User group, a BACKUP Operator group, and a member of a custom group called Programmers. Your access marker can identify you for these different groups of members.
Your access marker also contains all permissions of the user. Each group you belong has some related user permissions. If you open the User Manager, you will be able to see a list of permissions in the User Permissions menu. For example, the Power Users user group has the permissions of setting the system time, while the ordinary users don't. Some users can turn off the system, some can't. By combining all permissions you belong to, get your permissions list and place it in your access mark. Administrators can also assign some special permissions for each user through the User Manager. ************** Figure 1 ****************
An access marker includes a user ID, the user belongs to the user permission list by all of these groups.
Most of the objects in the system can have their own locks. In NT, a lock is called a security descriptor. If the creation function of an object contains a secure parameter, you can join a lock. The following objects can be locked:
. Document (if they store in a NT file system volume)
. Directory (if they are stored in a NT file system volume)
. Register
. process
. Thread
. Mutexes
. Semaphores
. event
. Named pipe (on system or network)
. Anonymous pipeline (only in the system)
. Mailslots (only in the system)
. Console screen buffer
. File mapping
. service
. Private object
To lock an object, you have to create a security descriptor and transfer it to the object when you create an object. If the value of the security attribute parameter is set to 0, the system creates a default security descriptor for the object, allowing you to access the object.
A security descriptor contains four aspects:
. One owner identifier, used to identify who is the current owner?
. A major group identifier
. A system access control list (SACL, SYSTEM Access Control List), contains audited information
. A Free Access Control List (DACL, Discretionary Access Control List), is used to determine those users and groups and accessible, those can't
The owner of the NT object can change the security information of the object at any time. For example, if you have a file, and set it to no one can access it, you can also change its security information because you are its owner. This is like a hint to enter your room, although the lock is damaged, but you can change a new lock because you are the owner of the room.
*************Figure II******************
Any subject's security descriptor contains IDs of users and groups, free access control lists for access, and system access control lists for control auditing information.
DACL is the core of this lock. It is used to control who can access it, prohibit who access to this object. It is an access control list, or referred to as ACL, which contains access control items (ACE). Each ACE illustrates a user or group, as well as their permissions. For example, if the object is a file, the user "smith" allows the file to be read, which will have an ACE indicating that the user "Smith" has the permissions of the read. This is also known as an access to ACE because it allows a user or group to do something. Similarly, there is an access denial of ACE for disabling an user or group access. For example, you allow the Power User group to access an object, but for the "Smith" user, although he belongs to Power User, you don't want him to access the object, you can use a refusal to access ACE. SACL (System Access Control List, system access control list) also includes ACE, but these ACEs are used to determine why they will be reviewed and reviewed. An ACE in SACL is called an audit Access ACE. For example, when you want to create an audit item when the "Smith" user has successfully opened a file? This is specified by an ACE project in SACL.
************* Figure three ***************
An Access Control Project (ACE) specifies a user (or group) and the allowed access is similar. ACE is stored in the ACL.
Each ACD in an ACL consists of three parts: a security identifier (SID, Security Identifier), an access mask and an ACE header. The SID is a value stored in the registry (also available to the function call), and can uniquely identify each user or group in the User Manager. The ACE header is used to determine the type of ACE: access control, access rejection, etc. A mask has 32 bits to determine how the user can operate on an object. Some standard permissions apply to all objects in the system, and some objects have special access, which can be applied to these objects. For example, the following is a special and standard access to a file object:
specific: FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES FILE_ALL_ACCESS standard: DELETE READ_CONTROL STANDARD_RIGHTS_ALL STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_READ STANDARD_RIGHTS_REQUIRED STANDARD_RIGHTS_WRITE SYNCHRONIZE WRITE_DAC WRITE_OWNER generic: GENERIC_ALL GENERIC_EXECUTE GENERIC_READ GENERIC_WRITE
Generic Permissions is a mixture of predefined standards (SPECitive) permissions, which are different for various objects.
Access mask is a 32-bit bit mask. In the mask, each Standard, Specific and Generic permissions are related to it. The 16-bit of the beginning is SPECific's permissions, and the key to the object referred to as the access mask (for example, the File_ Constants above). The next 8-bit saved is Standard authority. High 4-bit saved generic permissions.
************ Figure 4 **************** NT security features use a lot of new terms, but through the code in the example You will gradually be familiar with all of these nouns, and it is more likely to understand all of these concepts. The following is a brief summary:
. After the user is logged in, they will get an access marker. An access marker contains user permissions obtained by the user's ID, user group, and user parties.
. Each object has a security descriptor, just like its lock. A security descriptor contains a user and group identifier, a system ACL and a DiscretionAr.
. A DACL control Who allows access and what to do with objects?
. A SACL Control To review some of an object of an object
. The ACL consists of ACE. Each ACE contains a SID that identifies the user or group, an access mask, which is used to determine how it is allowed or group, and an ACE header determines the type of ACD.
The following sections provide two simple examples, combining all of these terms, and how these security settings are operated.
Simple example
This part of the focus is to discuss the creation and application of a security descriptor of a file object. The reason for selecting the file object here is that it is easy to view the code of the code through the security editor in the File Manager because it is common and easy to understand. However, if your hard drive is not formatted with the NT file system, these code will be useless, and the security editor is not available. You can use the following three ways:
1. Re-use NTFS to format your hard drive, and reinstall NT, or use the control command to convert your hard drive to NT file system;
2. Load a new hard drive and use the NT file system to format
3. Dividing a small portion (about 10m) in your hard drive, and use NTFS to format, which means you will have to reformat and reload the original partition
Or, you can wait first, we will apply the same code to a registration key. No matter which file system you use, you will be able to see the security editor in the Registry Editor.
The following code contains a program that creates a new file. The security descriptor created for the new file is set to only "guest" users can use this file, and the user only reads permissions. This program does not have any error detection, so you can easily see it. When you run the code, it will be in C: / create a TestFile file. Select this file in the file manager and select the security menu. You will see that there is only one item in the list: only "guest" can read the file. When you run these code, you can change the name or user's name.
#include #include SECURITY_ATTRIBUTES sa; SECURITY_DESCRIPTOR sd; BYTE aclBuffer [1024]; PACL pacl = (PACL) & aclBuffer; BYTE sidBuffer [100]; PSID psid = (PSID) & sidBuffer; DWORD sidBufferSize = 100; char domainBuffer [80]; DWORD domainBufferSize = 80; SID_NAME_USE snu; HANDLE file; void main (void) {InitializeSecurityDescriptor (& sd, SECURITY_DESCRIPTOR_REVISION); InitializeAcl (pacl, 1024, ACL_REVISION); LookupAccountName (0, "guest", psid, & sidBufferSize, domainBuffer, & domainBufferSize, & snu) ; AddAccessAllowedAce (pacl, ACL_REVISION, GENERIC_READ, psid); SetSecurityDescriptorDacl (& sd, TRUE, pacl, FALSE); sa.nLength = sizeof (SECURITY_ATTRIBUTES); sa.bInheritHandle = FALSE; sa.lpSecurityDescriptor = & sd; file = CreateFile ( "c : // Testfile ", generic_read | generic_write, 0, & sa, create_new, file_attribute_normal, 0); CloseHandle (File);} First look at the end of the program, you will find a call to createfile, the call creates a name File for C: / Testfile. However, this call has a secure parameter, which is located 4th in the parameter list. You may see this parameter in a lot of NT code usually uses a default security descriptor when you create an object when you create an object. 0 values will also prohibit inheritance. The above code uses a security_attributes instead, which contains a valid security descriptor.
The security descriptor first creates in the first line by calling the InitializationDescriptor function. (For the functions used herein, you can see the WIN32 Help file in the SDK or the Visual C help file get more information). This step creates a security descriptor using the absolute (Absolute) format (there is also a second type of format). The new security descriptor is in addition to the information of the modified level, there is no other information: there is no identifier of the owner, no group definition, no SACL, no DACL.
The next line calls InitializeAcl to create an ACL, which will become the DACL of the security descriptor. When the initializeaacl function returns, PACL points to an empty ACL. That is to say, there is no ACE in the ADL. If you comment out of the next two lines, this empty ACL will be placed in the security descriptor, and this security descriptor will apply to the file, then no one can access this file. This is because there is no ACE in the Discretionary ACL. If you don't create DACL, you will pass a NULL in the DACL security step, so everyone can access the file.
The next two lines create an ACE and add it to the ACL. For the specified account name, the lookupaccountname function returns a SID. The lookupaccountname function will find a specific account in the system or local system. If you can't find locally, it will be found in the domain controller or trusted domain controller. This function returns the SID account, if the SID is derived from the domain controller, it will return a domain name, and an enumeration value that is used to indicate the type of account: SidTypeUser SidTypeGroup SidTypeDomain SidTypeAlias SidTypeWellKnownGroup SidTypeDeletedAccount SidTypeInvalid SidTypeUnknown
The SID is a security identifier that uniquely identifies a user or a group in the system.
The SID returned by the lookupaccountname function is used in a call to the addAccessAlloWedAce function, which is used to create an access allowable (relatively relative to access), and add it to the current empty ACL.
The AddaccessAllowedAce function creates the ACE of the SID and the specified access mask and adds it to the specified ACL. Generic_Read Access Mask Adds the read permissions for the file.
An ACE is now included in the ACL and specifies the "Guest" user to read the file. This ACL needs to use the SetSecurityDescriptORDACL function to place it into the DISCRETITIONARY ACL of the Security Descriptor.
A valid DACL is now included in the safety descriptor, with an ACE. The program places this security descriptor in a secure property structure and transmits it to the CreateFile function.
If you comment out the front three-line code and when you call SetSecurityDescriptORDACL, replace the DACL's PACL with null, then anyone can access the file. No DACL means that anyone can access the file.
Compile and run the code above. Before you run, you have to make sure that the file name specified in the program does not exist in the system. When you view the new file via the Security Editor of the File Manager, you will find that its permissions are set to the code.
You can easily modify these code to deepen your understanding of the security descriptor. For example, you can try to give a group of permissions, or add a few ACEs to DACL, or create an access denied ACE using AddaccessDeniedAce. Make sure the access rejection ACE is placed in front of the access allows the ACE. Use the SetSecurityDescriptorowner function to modify the owners in the Security Descriptor.
another example
The same security descriptor code can be applied to other protected NT objects because the security system is the same for all objects. For example, you can use it to create a key value in the registry, see the following code. If you compare the following code and the above, you will find that they are almost exactly the same, except that here is using RegReateKeyex to create a registry key instead of a file.
#include #include SECURITY_ATTRIBUTES sa; SECURITY_DESCRIPTOR sd; BYTE aclBuffer [1024]; PACL pacl = (PACL) & aclBuffer; BYTE sidBuffer [100]; PSID psid = (PSID) & sidBuffer; DWORD sidBufferSize = 100; char domainBuffer [80]; DWORD domainBufferSize = 80; SID_NAME_USE snu; LONG result; HKEY regKey; DWORD disposition; void main (void) {InitializeSecurityDescriptor (& sd, SECURITY_DESCRIPTOR_REVISION); InitializeAcl (pacl, 1024, ACL_REVISION); LookupAccountName (0, "guest", psid, & sidBufferSize, domainBuffer, & domainBufferSize, & snu); AddAccessAllowedAce (pacl, ACL_REVISION, GENERIC_READ, psid); SetSecurityDescriptorDacl (& sd, TRUE, pacl, FALSE); sa.nLength = sizeof (SECURITY_ATTRIBUTES); sa.bInheritHandle = FALSE; sa.lpSecurityDescriptor = & sd; Result = regreateKeyex (HKEY_CURRENT_USER, "JUNK", 0, 0, REG_OPTION_VOLATILE, Key_AC_Access, & Sa,? Key, & Disposition; cout << result << Endl; regclosekey (regkey);} Before running the above code, run the registry first Editor (regedit32.exe), view HKEY_CURRENT_USER, and confirm that there is no name "JUNK" in HKEY_CURRENT_USER. If there is, delete it, or modify the code to create a different key.
You can now run the code. If you are not set to automatically refresh, refresh the Registry Editor's display, you will see a new key name "JUNK". With the permissions in the security menu, check its permissions, you will find that the owner of the key is you or administrator, and "guest" is the only user who can access it. You can change the name of the key or the user, continue to try it, because the above code creates a volatile button, so the key will disappear when you log out or restart the system.
