WINDOWS NT SECURE ADMINISTRATION CONCEPT.
Most concepts of secure administration of the Microsoft Windows NT OS assign a special role to numerous inconsistent parameters of the OS, paying insufficient attention to the issues of defining the roles of the administrator and other privileged users of the OS. Thus, the fact that even some standard actions of users can pose a threat to the security of the entire OS is not taken into account, not to mention administrative errors or malicious actions aimed at hacking individual elements of the security system.
Introduction
As is known, the order of functioning of the security system of the Microsoft Windows NT OS (hereinafter, except for specially specified cases, we are talking about version 4.0 with an arbitrary Service Pack) is determined by a large number of settings of parameters and elements of its structure. During installation of the OS these are set by default in such a way that the task of protecting information in the OS is given a secondary role. This circumstance forces the OS user to independently choose one or another way to solve the problem of protecting information. An important role in this is played by the security policy adopted by the user and, looking at the problem more broadly, by the concept of increasing the effectiveness of protection of the Microsoft Windows NT OS.
It should be noted that most of the concepts known to the author (some of them will be described below) pay special attention to numerous settings of OS parameters in order to bring the order of its functioning in line with certain formal requirements, as well as to check the correctness of individual protective mechanisms. At the same time, in the author's opinion, insufficient attention is paid to the issues of defining the roles of the administrator and other privileged users of the OS, the rules of secure administration, the order of interaction of distributed components of the security system. Thus, the fact that even some standard actions of users can pose a threat to the security of the entire OS, not to mention administrative errors or malicious actions, is not taken into account.
This article will present a concept of secure OS administration, built taking into account the described shortcomings.
Some known attacks on Microsoft Windows NT OS
Let's consider attacks on Microsoft Windows NT OS, the purpose of which is to implement threats to confidentiality or integrity of information. They can be divided into several groups.
• Attacks implemented through impact on the authentication subsystem, using the following capabilities [1,11]:
1. The ability to obtain access, directly or by loading another OS (for example, MS-DOS) on the computer, to the SAM or SECURITY sections of the registry in order to subsequently modify the user authentication data stored in them.
2. The ability to obtain access, directly or by loading another OS on the computer, to the SAM or SECURITY sections of the registry in order to subsequently crack (guess) the user authentication data stored in them.
3. The ability to modify the system software in order to replace the authentication procedure.
4. The ability to intercept and analyze network information exchange packets in order to crack user authentication data transmitted over LAN channels.
• Attacks implemented by illegally seizing privileges. They can be divided into two groups based on the exploited vulnerability.
1. Using the lack of a check for the privilege to debug system processes in some OS functions. The well-known GetAdmin program [4] operates on this principle. Although this problem was solved in Microsoft Windows NT 4.0 Service Pack 4, as experience shows, there is no guarantee that similar vulnerabilities will not exist.
2. Using the ability of an intruder to replace system named pipes and thereby obtain the privileges of the users who access them. This approach is implemented in the AdminTrap program [3]. Privilege seizure occurs during remote editing of the OS registry, reading of the audit log, network printer administration, and in some other cases.
• Attacks implemented by introducing software implants (backdoors) or Trojan horses into the OS. In most cases, introducing an implant requires obtaining OS administrator rights or loading an operating system other than Microsoft Windows NT on the computer. According to the level at which the implant is introduced into the OS, they can be divided into two groups.
1. Implants introduced at the OS kernel level (kernel mode). These implants allow dynamic modification of the OS kernel code in the computer's memory and access to objects (files) without regard to the requirements of the access control system.
2. Implants introduced at the user level of the OS (user mode). These implants allow modification of the user authentication procedure or access to objects (files) on behalf of a user with maximum rights (the rights of the SYSTEM user).
Since it is further assumed that the domain architecture of the OS will be considered as the base for constructing an information security system and taking into account the attacks described above, the following most vulnerable elements and data of the security system in the Microsoft Windows NT OS domain can be identified:
• authentication data of workstation users stored in their registries;
• authentication data of domain users stored in the registries of the workstations from which they logged on to the domain;
• system software of workstations;
• authentication data of users and workstations transmitted over LAN channels;
• some standard actions of the Domain Administrator for direct or remote administration of workstations;
• some calls to each other by distributed OS components.
Model of a security intruder
Before we begin to consider the known concepts of increasing the effectiveness of protection of the Microsoft Windows NT OS and present the concept of secure administration, we will define the model of the intruder. The reference point here will be the classification of the intruder according to his capabilities in the automated system, described in the guidelines of the State Technical Commission of Russia [6].
Since computers in a Microsoft Windows NT domain have different roles (domain controller, server, workstation), it is inappropriate to classify an intruder into one specific class. We will assume that on workstations, the number of which can be large and, therefore, control over their security is complicated, the capabilities of an intruder correspond to the third class (the ability to influence the order of operation and parameters of the security system). On domain controllers, the protection of which from direct access by an intruder and the launch of his applications on them is quite realistic, we will consider the capabilities of an intruder to correspond to the second class (the ability to remotely access using programs containing non-standard functions).
In addition, it should be noted that in a specific situation the intruder model can be specified.
Analysis of known concepts for increasing the effectiveness of Microsoft Windows OS protection
In 1996, the concept of increasing the effectiveness of protection was first proposed by Microsoft Corporation itself. It chose the requirements of the C2 TCSEC protection class as the main guideline [9]. However, in addition to these requirements, it was proposed to impose a significant restriction on the procedure for configuring the OS, namely: computers running Microsoft Windows NT OS must be isolated, that is, disconnected from local or global computer networks.
Certification of the Microsoft Windows NT Workstation, Server version 3.5 U.S. Service Pack 3 OS for the C2 TCSEC protection class was successfully completed in 1996 [9]. At the same time, the necessary OS settings and requirements for its configuration were presented [9]. Analyzing these settings, we can conclude that Microsoft Corporation used the following concept of increasing the effectiveness of protection of the Microsoft Windows NT OS.
Ensuring security of the Microsoft Windows NT operating system in accordance with the requirements of class C2 TCSEC is possible:
• without installing additional software or hardware,
• using appropriate settings of parameters and the order of configuration of the operating system [9],
• only if the computer on which the operating system is running is isolated.
When implementing this concept, the main problem is to ensure that the computer is protected from loading another OS other than Microsoft Windows NT. To solve this problem, it is proposed to use password protection for the program for modifying the computer's operating parameters (password for BIOS Setup) in order to prevent the possibility of loading from a floppy disk.
This concept can be implemented in practice, but the required isolation of computers from computer networks significantly narrows the scope of its practical application. Therefore, certification of the Microsoft Windows NT 3.5 SP3 OS for the C2 TCSEC protection class, although it was important for further improvement of the protection system of this OS, was mainly of an advertising nature.
The isolation of computers from the LAN, necessary to bring the settings and configuration of the Microsoft Windows NT 3.5 SP3 OS into compliance with the requirements of the C2 TCSEC protection class, could not satisfy the majority of users of this OS. In this regard, the next step of Microsoft Corporation was to develop requirements for setting up the parameters and configuration of the OS in accordance with the requirements of the F-C2 class and the E3 ITSEC assurance level, while the OS can function on computers connected to each other in a single LAN. Certification for this protection class of the Microsoft Windows NT Workstation, Server version 4.0 (build 1381) Service Pack 3 OS was carried out in 1999 [10]. Thus, Microsoft Corporation proposed a new concept for increasing the effectiveness of protection of the Microsoft Windows NT OS.
Ensuring the security of the Microsoft Windows NT OS in accordance with the requirements of class F-C2 and the adequacy level of E3 ITSEC is possible:
• without installing additional software or hardware,
• using the appropriate settings of parameters and the order of configuring the OS [10].
This concept allows increasing the efficiency of OS protection, but at the same time has a number of shortcomings.
1. The necessary OS settings related to ensuring safe operation on computers connected to the LAN are not fully specified:
• disabling the ability to remotely authenticate via the LANManager protocol;
• prohibiting the issuance of a list of network resources for an anonymous user;
• allowing remote access to the resource registry only for users specifically authorized for this;
• prohibiting the use of the remote task launch service (Schedule).
2. Protecting data transmitted over LAN communication channels from interception without the use of additional (primarily cryptographic) modules is, as a rule, a complex and difficult task to implement in practice.
3. The procedure for the domain administrator to prevent or reduce damage from the attacks described above, which implement the illegal seizure of privileges, is not provided.
4. The structure of the domain protection system is presented in the concept as a single line, it does not provide requirements for setting up and configuring the OS, the purpose of which is to reduce damage to the overall security of the domain when an intruder overcomes the protection of one of the workstations, compromises the authentication data of one of the users, etc.
To eliminate the shortcomings of the first group, you can use special OS settings [1,5]. When eliminating the shortcomings of the next three groups, it is advisable to keep in mind the following circumstances:
• The main reason for the listed shortcomings of the above concept is that the requirements of class F-C2 and the adequacy level of the ITSEC E3 were chosen as a guideline for its development, which are quite general, since they are intended to assess the security of a wide class of protection systems. Therefore, the necessary settings for ensuring security, structure elements, requirements for the order of functioning and administration of the OS, specified in the shortcomings for ensuring security, were left outside the scope of consideration during the development of the concept. Thus, it is necessary to choose a new concept that takes into account the specifics of the Microsoft Windows NT OS as a network multi-user OS.
• The new concept cannot be built on the basis of the requirements of any other functional class of ITSEC protection: the requirements of the functional class F-B1, which follows F-C2, are not feasible, since they contain a condition for implementing a mandatory security policy, which is practically impossible without a complete study of the OS, and the implementation of the requirements of functional classes F-AV, F-DI, F-DX does not eliminate the shortcomings of groups 3 and 4.
• When developing a new concept, it is necessary to keep in mind the fact that the source code of executable modules and complete documentation of the Microsoft Windows NT OS are not available for independent examination, and therefore, sufficient guarantees of the correct operation of all OS protection mechanisms cannot be obtained.
• Using the requirements of the automated systems protection classes presented in the guidelines of the State Technical Commission of Russia [7] as a guide will not lead to the desired result. Due to the requirement to implement a mandatory security policy in classes of groups 1 and 2, only classes of group 3 remain possible for use, the requirements of which in turn do not eliminate the shortcomings listed above.
• The concept of secure administration of the Microsoft Windows NT operating system cannot fail to take into account the latest achievements in the development of criteria for assessing protected computer systems, as set out in the “Unified Criteria for Information Technology Security” [8]. It is advisable to take into account security profiles that describe, for example, the requirement for a precise definition of the role of security administrators and the requirement for allocating the necessary number of domains in accordance with the security policy [1].
Thus, the elimination of the shortcomings of the above-described concept of bringing the settings of the Microsoft Windows NT OS protection system in accordance with the requirements of class F-C2 of the ITSEC E3 adequacy level is possible through the development and implementation of the provisions of a new concept of secure administration. This new concept must take into account the circumstances listed above and be specific to foreign-made OSs, inaccessible for full analysis and study.
Provisions of the concept of secure administration of the Microsoft Windows NT OS
We will describe the concept of secure administration, the purpose of which is to provide a set of recommendations for increasing the effectiveness of protecting information processing systems built on the basis of this OS from threats to confidentiality and integrity of information. The measures and recommendations presented in the concept are aimed primarily at preventing the threats described earlier.
There is no doubt that the large volume of code of the Microsoft Windows NT OS modules and the lack of full documentation (including the source code of the executable modules) do not allow for a detailed study and independent examination of this OS and its protection system. Thus, to increase the effectiveness of OS protection, it is desirable to configure it in such a way that an intruder is forced to sequentially overcome several lines of defense built on the basis of distributed independent elements that are difficult for an intruder to access. For this reason, the domain architecture of the Microsoft Windows NT OS should be selected, since in this case user authentication is performed on domain controllers, direct access to which should be limited.
When operating large distributed LANs, the task of ensuring the protection of each workstation is extremely complex and difficult to implement. Given the above, it is difficult to provide sufficient guarantees of the integrity of data and software for all workstations, and there can be no complete trust in the standard mechanisms for protecting user authentication data. Therefore, authentication data should not be left on workstations, since by modifying or using it an intruder could carry out unauthorized access to the resources of other workstations. This can be achieved by prohibiting the storage of hashed user passwords in the workstation registry, prohibiting the registration of local user accounts on workstations, and removing the workstation administrator from the group of its administrators.
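The settings listed above (refusing LAN Manager authentication, restricting anonymous enumeration, restricting remote registry access, disabling the Schedule service) and the requirement that domain logon credentials not be cached on workstations can all be verified from a registry export. The following audit script is an added example, not part of the article: it parses a REGEDIT4-style export and reports every setting still in its weak state. The registry paths and value names (LmCompatibilityLevel, RestrictAnonymous, the SecurePipeServers\winreg key, the Schedule service Start value, CachedLogonsCount) are the standard NT 4.0 locations as the editor knows them, not values taken from the article, and the two exports are constructed sample input.

```python
"""Audit an exported Windows NT 4.0 registry file for the hardening settings
the concept calls for. Added example; the .reg text below is constructed."""
import re

# Registry locations (editor's knowledge of NT 4.0, not from the article).
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINREG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
SCHEDULE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name, predicate that is True in the hardened state, finding text)
CHECKS = [
    (LSA, "LmCompatibilityLevel", lambda v: isinstance(v, int) and v >= 2,
     "LAN Manager authentication still accepted (LmCompatibilityLevel < 2)"),
    (LSA, "RestrictAnonymous", lambda v: v == 1,
     "anonymous users may enumerate accounts and shares (RestrictAnonymous != 1)"),
    (SCHEDULE, "Start", lambda v: v == 4,
     "Schedule service not disabled (Start != 4)"),
    (WINLOGON, "CachedLogonsCount", lambda v: v == "0",
     "domain logon credentials are cached on the workstation (CachedLogonsCount != \"0\")"),
]

# Matches  "Name"=dword:XXXXXXXX  or  "Name"="string"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse a REGEDIT4-style export into {key: {name: value}}.
    Only DWORD and string values are needed for these checks."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def audit(text):
    """Return the findings for an export; an empty list means every checked
    setting is in its hardened state."""
    keys = parse_reg(text)
    findings = []
    for key, name, hardened, msg in CHECKS:
        value = keys.get(key, {}).get(name)
        # An absent value means the NT default applies, which is the weak state.
        if value is None or not hardened(value):
            findings.append(f"{msg} [{key}\\{name} = {value!r}]")
    # Remote registry access is governed by the ACL on the winreg key, which a
    # .reg export cannot show. Its absence means no restriction exists at all;
    # when it is present, the ACL still has to be reviewed separately.
    if WINREG not in keys:
        findings.append("remote registry access not restricted (winreg key missing)")
    return findings


# Constructed export of a workstation in its default (weak) state.
WEAK_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"""

# Constructed export of the same workstation after hardening.
HARDENED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label}")
        for finding in audit(export) or ["no findings"]:
            print("  -", finding)
```

The script deliberately treats a missing value as a finding: NT 4.0 defaults are the weak state, so silence in the export is not evidence of hardening. Run it against `regedit /e` output from the workstation being checked.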
When administering workstations remotely (reading audit logs, resource registries, managing a network printer, etc.), an attack can be carried out using the AdminTrap program. Thus, it is obvious that even some standard actions of a domain administrator pose a threat to the security of the entire domain, and interactive (direct) login of a domain administrator to a workstation poses a threat of:
• interception of his authentication data by a software backdoor that replaces the login procedure, or when transmitting them over LAN channels,
• use of software backdoors such as «Trojan horses» launched on his behalf and with his privileges.
In this regard, the domain administrator should perform his functions only on the domain controller and only using the standard software, and he should not remotely access the domain workstations. It is advisable to limit the functions of the domain administrator to managing the accounts of users and domain workstations (creation, deletion, changing parameters), as well as direct management of the resources of the domain controllers. The functions of administering the workstations should then be performed by a user other than the domain administrator, and it is desirable to reduce the damage from a possible compromise of that user's authentication data. To achieve this, the administrative functions on a given workstation can be assigned to a dedicated user registered in the domain who has the right to log on to the domain only from this workstation.
Like some regular actions of the domain administrator, calls of distributed OS components to each other can also pose a security threat. When determining the order of calls of some OS components to others, especially when equipping the OS with additional security subsystems, it is advisable to use the «safe calls» policy, built by analogy with the mandatory security policy. The essence of the «safe calls» policy is that the OS components are distributed according to trust levels, for example, the domain controller has a high trust level, the workstation — low. Then the call is considered safe if it is directed from components with a low trust level to components with a higher trust level. For example, if it is necessary to maintain a unified audit log on a certain security server, workstations must transmit data from their audit logs to the security server, and not the security server collect them from the workstations.
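The two rules above, the role split between the domain administrator and a per-workstation administrator with a restricted logon location, and the «safe calls» policy, can be written down as a small checkable policy. The model below is an added example by the editor, not code from the article: hosts, accounts and trust levels are constructed, and the logon restriction is modelled as the set of hosts an account may log on at (the NT "Log On To" list). It also goes slightly beyond the article's single audit-log example by evaluating an arbitrary list of component calls against the trust ordering.

```python
"""Model of the concept's administration rules as a checkable policy.
Added example; hosts, accounts and calls are constructed."""
from dataclasses import dataclass

# Trust levels in the concept's ordering: a higher number is more trusted.
TRUST = {"workstation": 1, "security_server": 2, "domain_controller": 3}


@dataclass(frozen=True)
class Host:
    name: str
    role: str  # key into TRUST


@dataclass(frozen=True)
class Account:
    name: str
    role: str               # "domain_admin" or "workstation_admin"
    logon_hosts: frozenset  # hosts the account may log on at ("Log On To")


def safe_call(src, dst):
    """A call is safe only from lower (or equal) trust to higher trust."""
    return TRUST[src.role] <= TRUST[dst.role]


def unsafe_calls(calls):
    """Return the (src, dst) pairs in a call graph that violate the policy."""
    return [(s.name, d.name) for s, d in calls if not safe_call(s, d)]


def admin_action_allowed(actor, logged_on_at, target):
    """Decide whether an administrative action on `target`, performed by
    `actor` logged on at `logged_on_at`, is permitted under the concept."""
    if logged_on_at.name not in actor.logon_hosts:
        return False, f"{actor.name} may not log on at {logged_on_at.name}"
    if actor.role == "domain_admin":
        if logged_on_at.role != "domain_controller":
            return False, "domain administrator works only on a domain controller"
        if target != logged_on_at:
            # Remote administration of workstations is exactly the situation
            # the article describes as exploitable (AdminTrap).
            return False, "domain administrator must not administer hosts remotely"
        return True, "ok"
    if actor.role == "workstation_admin":
        if target != logged_on_at:
            return False, "workstation administrator acts only on his own workstation"
        return True, "ok"
    return False, f"unknown role {actor.role}"


# Constructed domain: one controller, one security server, two workstations.
DC1 = Host("DC1", "domain_controller")
SEC1 = Host("SEC1", "security_server")
WS1 = Host("WS1", "workstation")
WS2 = Host("WS2", "workstation")

DOM_ADMIN = Account("DomAdmin", "domain_admin", frozenset({"DC1"}))
WS1_ADMIN = Account("ws1-admin", "workstation_admin", frozenset({"WS1"}))


def scenario_results():
    """Evaluate the representative cases; returns {label: allowed}."""
    cases = {
        "dom admin on DC manages DC": (DOM_ADMIN, DC1, DC1),
        "dom admin on DC reads WS1 audit log remotely": (DOM_ADMIN, DC1, WS1),
        "dom admin logs on at WS1": (DOM_ADMIN, WS1, WS1),
        "ws1-admin on WS1 manages WS1": (WS1_ADMIN, WS1, WS1),
        "ws1-admin logs on at WS2": (WS1_ADMIN, WS2, WS2),
    }
    return {label: admin_action_allowed(*args)[0] for label, args in cases.items()}


# Audit-log transfer: workstations push to the security server (safe);
# the server pulling from workstations, or the DC calling into a
# workstation, goes from high to low trust and is unsafe.
CALL_GRAPH = [(WS1, SEC1), (WS2, SEC1), (SEC1, WS1), (DC1, WS2), (SEC1, DC1)]

if __name__ == "__main__":
    for label, allowed in scenario_results().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {label}")
    print("unsafe calls:", unsafe_calls(CALL_GRAPH))
```

The decision function returns the reason alongside the verdict so that a denied action can be logged with the rule it violated, which is what an audit reviewer needs when these rules are later enforced by additional mechanisms.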
In some cases, data, including authentication data, transmitted over LAN channels may become vulnerable to interception and analysis. In such a situation, it is advisable to take measures to physically protect communications, and, if possible, use cryptographic means.
Considering the above, there can be no complete trust in the standard access control system of the Microsoft Windows NT OS, therefore, it is advisable to limit the list of resources to which users can gain write access, and it is better to protect these resources themselves using additional mechanisms. In addition, when organizing the protection of this OS, it is advisable to use special settings [1,5,9, 10], if they do not contradict the previous provisions.
The described concept of secure administration can be used to increase the effectiveness of protection of a wide range of information processing systems built on the basis of the Microsoft Windows NT OS. In this case, the provisions of the concept can be clarified in each specific case.
In conclusion, it should be noted that the concept of secure administration:
• does not exclude the use of additional protection mechanisms in the OS, such as environment integrity control. The main thing is that the procedure for configuring additional protection mechanisms does not contradict the provisions of the concept;
• can be applied not only to the Microsoft Windows NT 4.0 SPx OS. Taking into account the circumstances noted above concerning the impossibility of fully verifying the correct functioning of the protection mechanisms, after the necessary adaptation the concept can also be applied to the Microsoft Windows 2000 OS.
Literature:
1. Zegzhda D. P., Ivashko A. M. How to Build a Protected Information System / Ed. by D. P. Zegzhda and V. V. Platonov. St. Petersburg: Mir i semya 95, 1997. 312 p.: ill.
2. Lyutsarev V. S., Ermakov K. V., Rudny E. B., Ermakov I. V. Security of Computer Networks Based on Windows NT. Moscow: Publishing department «Russian edition» TOO «Channel Trading Ltd.», 1998. 304 p.: ill.
3. Proskurin V. G. Problems of Protecting Network Connections in Windows NT. http://hackzone.ru/articles/admintrap.html, 1999.
4. Sobolev K. Research of the Security System in Windows NT. http://h