s development to achieve C2-level security status for the OS, to meet the requirements of certain Defense markets.
Security Architecture
Microsoft engineers designed Windows NT to be a portable OS with minimal dependence on a processor's unique hardware features. However, all NT implementations rely on the processor to provide two execution modes: kernel and user. Kernel mode, as its name implies, is used by the privileged OS code, including the kernel, to protect system data. Code running in this mode communicates directly with the hardware. Code executing in user mode must use OS calls to modify system data and access the hardware.
Windows NT consists of an executive and several protected subsystems (also called servers). The executive lies atop the hardware abstraction layer (HAL) and operates in the kernel mode. Above the executive lie the subsystems that interact with users and execute in user mode. User processes execute only in user mode and must make requests to the subsystems in order to obtain access to the computer's facilities.
The security components of NT consist of two parts that execute in user mode: WinLogon and a protected server called the Local Security Authority (LSA). The LSA relies on the Security Accounts Manager (SAM) and two executive components, the Object Manager and the Security Reference Monitor (SRM), to determine access privileges and obtain system resources (see the figure "Windows NT Security Architecture").
Although NT is not object-oriented in the broadest sense, it treats all of a computer's resources as objects, and access to all objects is handled by the Object Manager. Files, memory, processes, and more specialized resources like semaphores and I/O completion ports are all objects. This uniform approach simplifies the implementation of security features and provides greater assurance that they work properly. The Win32 environment subsystem must ask the Object Manager on behalf of a user to create, open, close, delete, or perform whatever operation is appropriate to the particular type of object.
NT associates a security ID with every user, and every object has an access control list (which may be empty) that specifies which users or groups of users are allowed to work with the object. Before NT performs any operation, the Object Manager checks with the SRM to determine if the user has the permissions or rights required to perform the operation on the object.
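The access decision described above (a security ID per user, an ACL per object, and a reference monitor that compares the two before any operation proceeds) is easy to see in a small model. The following Python is an added illustration, not code from the article or from Windows NT: the access-mask bits, the SID names, the group memberships and the ACL contents are all constructed, and the check is a simplified version of the ACL walk (deny entries listed first, allow entries accumulating until every requested bit is covered, an empty ACL granting nothing).

```python
from dataclasses import dataclass, field

# Access-mask bits for this model (constructed; not NT's real ACCESS_MASK values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class SID:
    """Security identifier for a user or group (a name stands in for the binary SID)."""
    name: str


@dataclass
class Token:
    """Security context of a process: the user's SID plus the SIDs of every group
    the user belongs to. Group membership is how most rights arrive."""
    user: SID
    groups: frozenset = frozenset()

    def sids(self) -> set:
        return {self.user} | set(self.groups)


@dataclass
class ACE:
    """One access control entry: grant or deny a set of access bits to one SID."""
    sid: SID
    mask: int
    allow: bool = True


@dataclass
class SecuredObject:
    """Any NT resource (file, process, semaphore ...) together with its ACL.
    An empty ACL grants nobody anything."""
    name: str
    acl: list = field(default_factory=list)


def access_check(token: Token, obj: SecuredObject, requested: int) -> bool:
    """Reference-monitor style check. Walk the ACL in order, considering only ACEs
    whose SID appears in the caller's token. A deny ACE that covers any requested
    bit fails the check; allow ACEs accumulate until every requested bit is granted."""
    granted = 0
    for ace in obj.acl:
        if ace.sid not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
            continue
        granted |= ace.mask
        if granted & requested == requested:
            return True
    return granted & requested == requested


def demo() -> dict:
    """Constructed scenario: alice is an ordinary user; bob is also an Administrator
    but carries an explicit deny for read/write on one file."""
    alice, bob = SID("alice"), SID("bob")
    users, admins = SID("Users"), SID("Administrators")
    alice_token = Token(alice, frozenset({users}))
    bob_token = Token(bob, frozenset({users, admins}))

    report = SecuredObject("report.txt", acl=[
        ACE(bob, READ | WRITE, allow=False),      # deny ACEs come first
        ACE(users, READ),
        ACE(admins, READ | WRITE | DELETE),
    ])
    locked = SecuredObject("locked.dat")          # empty ACL: no access for anyone

    return {
        "alice_read": access_check(alice_token, report, READ),
        "alice_write": access_check(alice_token, report, WRITE),
        "bob_read": access_check(bob_token, report, READ),
        "bob_delete": access_check(bob_token, report, DELETE),
        "bob_locked": access_check(bob_token, locked, READ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

The point the model makes is that the subsystem never decides anything itself: every open or delete is a request to the Object Manager, and the answer depends only on the token presented and the ACL stored with the object. Note that bob's group membership still lets him delete the file, because the deny entry names only read and write; an administrator who wants to shut a user out completely has to deny every relevant bit.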
Authentication
Identification and authentication are the most fundamental security features of an OS. To log onto NT, you press a familiar key combination: Ctrl-Alt-Del. This actually implements a feature--called Trusted Path--required by the Orange Book. This requirement assures the user that if she presses the so-called Secure Attention Sequence first, the resulting prompt for username and password is from the OS and not from some spoofing program written by a malicious user. The user must identify herself with a username and authenticate herself, typically with a password. NT is sufficiently modular that a more sophisticated authentication mechanism can be implemented; for example, the administrator could substitute a retinal scanner. (See "Authorizing a User" for a summary of the log-on sequence.)
Every user belongs to one or more groups, and a few special groups are built in. Each group has a name and a set of user rights. Users have the rights of all the groups they belong to, plus any special rights granted to that particular individual. These rights are assigned collectively when the administrator makes a user a member of a defined group.
There are roughly two dozen user rights, including the ability to define printers, add hardware (such as Ethernet cards) to the system, and shut down the computer. Each user acquires a set of rights, either from the groups she belongs to or by the administrator specifically granting them.
Auditing for Attacks
Because no system is absolutely secure, administrators need to be able to determine if their system has been the target of an attack, or has been vulnerable to the misadventures of a nonmalicious user. In the case of NT, auditing policy is set and controlled with the User Manager.
The User Manager provides an easy interface to specify the level of auditing. Because the auditing process contributes to system overhead, the amount of audit information to be captured has to be weighed carefully against overall system requirements. NT divides audited user actions into seven categories, including file and object access, logging on and off, and exercise of user rights. Actions within each category can be audited for success, failure, or both. For example, you may not want NT to produce an audit record every time a user logs on, but you'd want to record unsuccessful attempts to log on. Similarly, you'd probably record unsuccessful attempts to access files or directories--such activities indicate malicious snooping.
You use the Event Viewer to examine audit records. It allows examination of three different logs: system events, application events, and security events. Each event record is time-stamped, and both the process and the user attempting the operation are identified. A log is an object just like every other resource controlled by NT, and therefore it has an access control list associated with it. By default, only members of the Administrators group can examine the security log. With the Event Viewer, an authorized user can control important aspects of the logs. Particularly important from a security point of view and required for C2-level rating is the ability to guarantee that no security event records can be lost. Logs, naturally, are limited to a certain length, and by default are overwritten when full. In special situations, the administrator can prevent overwriting the log by forcing a system shutdown when the log is full.
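The two auditing decisions the article describes, which categories and outcomes to record, and what happens when the fixed-length log fills, can be exercised on a handful of records. The Python below is an added example and not code from the article or from NT's own tools: the policy table, the category names beyond the three the article lists, the event records and the user and process names are all constructed, and the `SecurityLog` class models the overwrite-when-full default and the no-record-may-be-lost setting with an exception standing in for NT's forced shutdown.

```python
from collections import Counter
from dataclasses import dataclass

# Audit policy in the spirit of the User Manager settings: per category, whether
# successes and failures are recorded. (Constructed values for three of the categories.)
POLICY = {
    "Logon/Logoff":           {"success": False, "failure": True},
    "File and Object Access": {"success": False, "failure": True},
    "Use of User Rights":     {"success": True,  "failure": True},
}


@dataclass(frozen=True)
class AuditEvent:
    time: str        # time stamp of the record
    category: str
    outcome: str     # "success" or "failure"
    user: str        # who attempted the operation
    process: str     # which process did it on their behalf
    detail: str


# Constructed sample records, not real NT security-log output.
SAMPLE_EVENTS = [
    AuditEvent("1996-03-01 08:00:01", "Logon/Logoff", "success", "alice", "WINLOGON", "interactive logon"),
    AuditEvent("1996-03-01 08:02:10", "Logon/Logoff", "failure", "mallory", "WINLOGON", "bad password"),
    AuditEvent("1996-03-01 08:02:25", "Logon/Logoff", "failure", "mallory", "WINLOGON", "bad password"),
    AuditEvent("1996-03-01 08:02:41", "Logon/Logoff", "failure", "mallory", "WINLOGON", "bad password"),
    AuditEvent("1996-03-01 08:15:00", "File and Object Access", "failure", "bob", "EXPLORER", r"\payroll\salaries.xls"),
    AuditEvent("1996-03-01 08:16:30", "File and Object Access", "success", "alice", "WINWORD", r"\users\alice\memo.doc"),
    AuditEvent("1996-03-01 09:00:00", "Use of User Rights", "success", "admin", "USRMGR", "shut down the system"),
]


def apply_policy(events, policy=POLICY):
    """Keep only the records the audit policy says to write."""
    return [e for e in events if policy.get(e.category, {}).get(e.outcome, False)]


def repeated_logon_failures(events, threshold=3):
    """Users with at least `threshold` failed logons: the pattern worth recording
    even when successful logons are not."""
    counts = Counter(e.user for e in events
                     if e.category == "Logon/Logoff" and e.outcome == "failure")
    return {u: n for u, n in counts.items() if n >= threshold}


def failed_object_access(events):
    """(time, user, object) for every refused file or object access."""
    return [(e.time, e.user, e.detail) for e in events
            if e.category == "File and Object Access" and e.outcome == "failure"]


class LogFullError(Exception):
    """Stands in for the forced shutdown NT uses when the log may not be overwritten."""


class SecurityLog:
    """Fixed-length log. With overwrite=True the oldest record is discarded when the
    log is full (the default); with overwrite=False no record may be lost, so a full
    log refuses further records instead."""
    def __init__(self, capacity, overwrite=True):
        self.capacity, self.overwrite, self.records = capacity, overwrite, []

    def append(self, event):
        if len(self.records) >= self.capacity:
            if not self.overwrite:
                raise LogFullError("security log full; no records may be lost")
            del self.records[0]
        self.records.append(event)
        return len(self.records)


if __name__ == "__main__":
    kept = apply_policy(SAMPLE_EVENTS)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events recorded under policy")
    print("repeated logon failures:", repeated_logon_failures(kept))
    print("refused object access:", failed_object_access(kept))
```

Run as written, the policy drops the two successful logon and file-access records and keeps the rest, the three failed logons by one account are flagged, and the refused access to the payroll file is listed with its time and user. The `SecurityLog` class makes the trade-off in the last sentences above concrete: with overwriting enabled the oldest records silently disappear, which is exactly what the C2 requirement forbids for a system configured to halt when the log is full.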
Object Reuse
Underlying all of NT's logical objects are physical RAM and disk space, both of which are continually being recycled for new processes and files. Object reuse is a security requirement that prevents a user from accessing the remains of another user's work, particularly when the OS creates new objects from previously used resources.
Long-time DOS users are well aware that "erasing" a disk file doesn't clear the file's contents from the hard disk: It simply marks the region on the disk as unused. Other users can examine this region's contents, provided another process hasn't already written over the same area of the disk. Secure systems require that such a scenario isn't possible. When NT creates a new object (either memory or file) for a user, it is empty of data. That is, the OS clears the object of its previous data or assigns it a zero-length size.
For file objects, NT prohibits you from reading past a file's logical end-of-file marker and thus possibly peeking at data from an erased file. Also, if you have the right to extend the file, NT overwrites that area on disk before granting access to it.
When a program allocates memory, NT first clears the section of RAM that a newly created memory object will occupy. This prevents a user from probing random locations in RAM, searching for the vestiges of documents or file buffers that might contain confidential information. Of course, because of NT's security mechanisms, processes can access only blocks of memory granted to them.
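The three object-reuse rules in this section (memory is zeroed when allocated, reads stop at the logical end-of-file, and extending a file zero-fills the new area before it becomes readable) can be shown against a shared pool of bytes whose freed regions are recycled without being cleared, which is the DOS-style "erase" the article contrasts them with. The Python below is an added example, not code from the article or from NT: the `BackingStore`, `MemoryObject` and `FileObject` classes, the `secure` switch and the 16-byte secret are all constructed for the illustration, and `secure=False` simply turns each rule off so the leak is visible side by side with the protected behaviour.

```python
class BackingStore:
    """A pool of bytes standing in for RAM pages or disk sectors. Releasing a region
    only puts it back on the free list (like a DOS erase): nothing is cleared.
    Constructed model, not NT's allocator."""
    def __init__(self, size: int):
        self.data = bytearray(size)
        self.free = [(0, size)]              # (offset, length) free regions

    def allocate(self, n: int) -> int:
        """First fit; returns the offset of the region handed to the new owner."""
        for i, (off, length) in enumerate(self.free):
            if length >= n:
                rest = (off + n, length - n)
                self.free[i:i + 1] = [rest] if rest[1] else []
                return off
        raise MemoryError("out of space")

    def release(self, off: int, n: int) -> None:
        self.free.insert(0, (off, n))        # a freed region is reused first


class MemoryObject:
    """A block of RAM. With secure=True it is zeroed before the owner can read it."""
    def __init__(self, store: BackingStore, size: int, secure: bool = True):
        self.store, self.size = store, size
        self.base = store.allocate(size)
        if secure:
            store.data[self.base:self.base + size] = bytes(size)

    def write(self, data: bytes) -> None:
        self.store.data[self.base:self.base + len(data)] = data

    def read(self) -> bytes:
        return bytes(self.store.data[self.base:self.base + self.size])

    def free(self) -> None:
        self.store.release(self.base, self.size)


class FileObject:
    """A file with an allocated region and a logical end-of-file. Reads never pass
    EOF; with secure=True, extending the file zero-fills the newly exposed bytes."""
    def __init__(self, store: BackingStore, alloc: int, secure: bool = True):
        self.store, self.alloc, self.secure = store, alloc, secure
        self.base = store.allocate(alloc)    # disk is not pre-cleared on allocation
        self.eof = 0

    def write(self, data: bytes) -> None:
        end = self.eof + len(data)
        if end > self.alloc:
            raise ValueError("write exceeds allocation")
        self.store.data[self.base + self.eof:self.base + end] = data
        self.eof = end

    def read(self, start: int, n: int) -> bytes:
        stop = min(start + n, self.eof)      # clamp to the logical EOF
        if start >= stop:
            return b""
        return bytes(self.store.data[self.base + start:self.base + stop])

    def set_size(self, new_eof: int) -> None:
        """Extend (or truncate) the file. The secure path overwrites the bytes between
        the old and new EOF before they become readable."""
        if new_eof > self.alloc:
            raise ValueError("beyond allocation")
        if self.secure and new_eof > self.eof:
            self.store.data[self.base + self.eof:self.base + new_eof] = bytes(new_eof - self.eof)
        self.eof = new_eof

    def delete(self) -> None:
        self.store.release(self.base, self.alloc)


SECRET = b"PAYROLL SECRET!!"   # 16 bytes, constructed


def memory_reuse(secure: bool) -> bytes:
    """One process writes a secret and frees the block; the next allocation gets
    the same RAM. Returns what the second process sees."""
    ram = BackingStore(64)
    victim = MemoryObject(ram, 16, secure)
    victim.write(SECRET)
    victim.free()
    return MemoryObject(ram, 16, secure).read()


def file_reuse(secure: bool) -> tuple:
    """A deleted file's sectors are handed to a new file. Returns what a read shows
    before extending the file and after extending it over the old data."""
    disk = BackingStore(64)
    victim = FileObject(disk, 16, secure)
    victim.write(SECRET)
    victim.delete()
    snoop = FileObject(disk, 16, secure)
    before = snoop.read(0, 16)           # EOF is 0: nothing is readable yet
    snoop.set_size(16)                   # exercise the right to extend
    return before, snoop.read(0, 16)
```

With `secure=False` both functions hand the second owner the first owner's secret, which is the situation the article describes for DOS. With `secure=True` the memory block comes back as zeros, the new file shows nothing until it is extended, and extending it yields zeros rather than the old sectors. The EOF clamp holds in both modes, so a reader can never look past the logical end of a file even when the allocated region is larger.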
NT is a reasonably secure general-purpose OS. As an indication of this, in August 1995, the National Security Agency granted Windows NT 3.5 C2-level approval. Its security features make it comparable to Digital Equipment's VMS and superior to Unix. NT provides a unique combination of security and convenience that is long overdue in the personal computer world.
Figure: The Object Manager and the Security Reference Monitor protect system resources.

Figure: NT's log-on process prevents an unauthorized user from entering the system.
Jim Reynolds was a member of the National Security Agency's Windows NT evaluation team. He also participated in the evaluation of three other commercial OS products for the "Orange Book" program. You can reach him at reynolds@mitre.org.