Windows Security and Access Control

Summary

This document from Conestoga College provides an overview of Windows security and access control. It discusses various authentication methods, including basic authentication, the NTLM protocol, and more advanced techniques such as Kerberos and multi-factor authentication. The document also covers Credential Guard, certificate-based authentication, and OAuth/OpenID Connect.

Full Transcript


Operating System 2 PROG 1235
Windows Security And Access Control

Introduction
- Types of authentication
- Basic authentication
- NTLM protocol
- Advanced authentication techniques

Types of Authentication: Basic Authentication
- The simplest and most straightforward authentication mechanism
- The user provides a username and password to gain access to a system or service
- Does not require additional infrastructure or complex setups
- Widely supported across various protocols, including HTTP, FTP, and APIs
- Credentials are included with every request, making it stateless
- No session tracking is required on the server side

Basic Authentication
Advantages
- Ease of Use: Simple setup and operation.
- Compatibility: Works with most HTTP clients and APIs.
- Stateless Nature: Reduces server-side complexity.
Disadvantages
- Lack of Security - Vulnerable to interception if transmitted over unencrypted channels
- No Expiry - Credentials are valid indefinitely unless explicitly revoked
- No Multifactor Support - Does not inherently support multifactor authentication
- Replay Attacks - Attackers can reuse intercepted credentials unless protected by HTTPS

Types of Authentication: NTLM protocol - 1
- NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity and confidentiality to users
- It is primarily used in legacy systems and is often replaced by Kerberos in modern setups
- Primarily used in Windows environments for authenticating users and computers, based on a challenge/response mechanism
- This mechanism consists of three messages:
  - Negotiation message from the client
  - Challenge message from the server
  - Authentication message from the client

Types of Authentication: NTLM protocol - 2
Limitations of the NTLM protocol
- Single Authentication - NTLM offers a single authentication method: it relies on a challenge-response protocol to establish the user's identity
- Security Vulnerabilities - A relatively simplistic form of password hashing makes NTLM systems vulnerable to several modes of attack
- Outdated Cryptography - It does not leverage the latest advances in algorithmic thinking or encryption to make passwords more secure

NTLM protocol
Advantages
- No Plaintext Passwords - Passwords are not sent over the network in plaintext form
- Compatibility - Works with older Windows systems and legacy applications
- Ease of Use - Automatic when using Windows-integrated authentication
Disadvantages
- Security Vulnerabilities
- No Mutual Authentication - NTLM does not authenticate the server to the client
- Performance - NTLM is less efficient than modern authentication protocols

Advanced Authentication Techniques
- Microsoft recommends passwordless authentication methods because they provide the most secure sign-in experience
- Users can still sign in using other common methods such as username and password
- Passwords should be replaced with more secure authentication methods
- Multifactor authentication adds another layer of security over only using a password
- A few of the advanced authentication techniques are Credential Guard, Kerberos authentication, MFA (multi-factor authentication), certificate-based authentication (CBA), pass-through authentication (PTA), and OAuth and OpenID Connect (OIDC)

Credential Guard
- CG is a security feature in the Microsoft Windows OS
- It isolates user credentials, i.e. login information, from the rest of the OS
- Its purpose is to prevent common credential theft attacks
- Credential Guard was introduced in Windows 10 Enterprise and Windows Server 2016
- It is enabled by default on all systems running Windows 11, version 22H2 and later
- Credential Guard uses hardware-backed, virtualization-based security (VBS) and a Local Security Authority (LSA) to store "secrets," i.e. credentials, in protected containers
- Containers are isolated environments separate from the OS; "separate" means that the containers, and the credentials stored in them, are not accessible to the rest of the OS

Credential Guard - 1 (screenshot: Local Group Policy Editor)
Credential Guard - 2 (screenshot: Local Group Policy Editor)
Credential Guard - 3 (screenshot: Windows key + R, msinfo32.exe; System Information -> System Summary)

Kerberos Authentication - 1
- Kerberos is a system that provides a gateway between users and the internet
- It helps prevent cyber attackers from entering a private network
- The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet
- Kerberos is already integrated into popular operating systems
- It is the default authorization technology in Microsoft Windows

Kerberos Authentication - 2
How it works
- Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities
- A KDC involves three aspects:
  - A ticket-granting server (TGS) that connects the user with the service server (SS)
  - A Kerberos database that stores the password and identification of all verified users
  - An authentication server (AS) that performs the initial authentication
- During authentication, Kerberos stores the specific ticket for each session on the end-user's device
- A Kerberos-aware service looks for this ticket

Kerberos Authentication - 3
Kerberos consists of the following components:
- The client, who initiates the need for a service request on the user's behalf
- The server, which hosts the service that the user needs access to
- The AS, which performs client authentication. If authentication is successful, the client is issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the client has been authenticated.
- The KDC and its three components: the AS, the TGS, and the Kerberos database
- The TGS application that issues service tickets

Kerberos Authentication - 4
Advantages
- Access control - A single point for keeping track of all logins and the enforcement of security policies
- Mutual authentication - Allows service systems and users to authenticate each other
- Limited ticket lifetime - Each ticket in Kerberos has timestamps and lifetime data, and the duration of authentication is controlled by admins
- Reusable authentication - Throughout the lifetime of the ticket, the user can authenticate without the need to re-enter personal information
- Security - Passwords are not sent over the network, and secret keys are encrypted
Disadvantages
- Single point of failure - If the KDC goes down, no one can access needed resources
- Strict time requirements - The date and time configurations of the hosts need to be synchronized within predefined limits

Multi-Factor Authentication - 1
- It is a security mechanism that requires users to provide two or more verification factors to gain access to a system
- In Windows environments, MFA is typically implemented through integration with Azure Active Directory (Azure AD), Windows Hello for Business, or third-party tools
Steps Involved
- User Sign-In - The user enters their username and password
- Second Factor Prompt - The system prompts the user for a second factor, such as a mobile app notification, OTP (one-time password), or biometric verification
- Verification and Access - The second factor is verified, and access is granted if both factors are validated

Multi-Factor Authentication - 2
Different MFA methods in Windows
- Microsoft Authenticator App - A mobile app that generates OTPs or approves sign-ins via notifications
- Hardware Tokens - Devices like FIDO2 security keys (e.g., YubiKey) or smart cards
- Biometric Authentication - Using Windows Hello for Business, which supports facial recognition, fingerprint, or PIN
- SMS or Email OTP - One-time codes sent via text message or email
- Push Notifications - Prompts sent to a registered device for approval

Multi-Factor Authentication - 3
Advantages
- Enhanced Security - Reduces reliance on passwords, mitigating risks from phishing and brute-force attacks
- User Flexibility - Offers multiple methods (e.g., biometrics, hardware keys) for diverse user needs
- Compliance - Helps meet regulatory requirements
- Integration - Seamlessly integrates with Azure AD and other Microsoft services
Disadvantages (with mitigations)
- User resistance - Provide training and emphasize benefits
- Device availability - Offer multiple MFA options to accommodate all users
- Lost second-factor devices - Implement fallback mechanisms like backup codes

Certificate-Based Authentication - 1
- It uses digital certificates to authenticate users, devices or services
- In Windows environments, certificates issued by a trusted Certificate Authority (CA) are used to verify identity without relying on traditional username/password combinations
Steps Involved
- Certificate Issuance - A trusted CA issues a digital certificate containing the user's or device's identity and a public key
- Authentication Request - The client presents the certificate to the server during the authentication process
- Certificate Validation - The server verifies the certificate against its trusted CA list and checks its validity (e.g., expiration date, revocation status)
- Access Granted - If the certificate is valid, the server authenticates the user or device and grants access

Certificate-Based Authentication - 2
Use cases for certificate-based authentication
- User Authentication - Replacing passwords with certificate-based smart cards or virtual smart cards
- Device Authentication - Verifying devices accessing corporate resources via VPN or Wi-Fi
- Web Server Authentication - Using client certificates for secure access to web applications or services
- Email Encryption - Enabling secure email communication using certificates with S/MIME

Certificate-Based Authentication - 3
Advantages
- High Security - Certificates are resistant to password-related attacks
- Mutual Authentication - Both client and server authenticate each other, ensuring secure communication
- Scalability - Easily manage large-scale deployments using PKI and Group Policy
- Compliance - Meets regulatory requirements for strong authentication
Disadvantages (with mitigations)
- Certificate management - Use automated tools for issuance, renewal, and revocation
- Device dependency - Implement virtual smart cards to reduce hardware reliance
- Revocation of certificates - Regularly update CRLs (Certificate Revocation Lists)

OAuth and OpenID Connect - 1
- Both are modern authentication and authorization protocols
- OAuth 2.0 - An open standard that allows a user to grant limited access to their resources on one system to another system without sharing credentials
Key components of OAuth 2.0
- Resource Owner: The user who owns the data or resources.
- Client: The application requesting access to the resource.
- Authorization Server: Handles user authentication and issues tokens.
- Resource Server: Hosts the user's data and validates tokens.

OAuth and OpenID Connect - 2
How OAuth 2.0 works
1. The client requests authorization from the resource owner.
2. The resource owner grants authorization, typically via a browser-based flow.
3. The client exchanges the authorization code for an access token.
4. The client uses the token to access protected resources on the resource server.

OAuth and OpenID Connect - 3
- OIDC extends OAuth 2.0 by adding an identity layer. It allows clients to verify the identity of the end-user and obtain basic profile information via ID Tokens
Key components
- ID Token: A JWT (JSON Web Token) that contains user identity information.
- Standard Scopes: Includes openid, profile, and email for fetching user details.
- Authentication Context: Adds login-related information, such as time of authentication and authentication methods.

OAuth and OpenID Connect - 4
OIDC - How it works
1. The client sends an authorization request, including the openid scope.
2. The authorization server authenticates the user.
3. An ID token (along with an access token) is issued.
4. The client uses the ID token to verify user identity and the access token for resource access.

OAuth and OpenID Connect - 5
Use cases for OAuth / OIDC authentication
- Securing APIs - Use OAuth 2.0 for token-based API authentication
- Single Sign-On (SSO) - Enable seamless user authentication using OIDC
- Hybrid Environments - Bridge on-premises Active Directory with Azure AD for modern authentication
- Third-Party App Integration - Allow secure access to third-party services using OAuth/OIDC

OAuth and OpenID Connect - 6
Advantages
- Security - Eliminates the need to share credentials across applications
- Scalability - Easily integrates with on-premises and cloud applications
- User Experience - Enables Single Sign-On (SSO) for seamless user access
- Standardization - Widely adopted and supported across platforms and services
Disadvantages (with mitigations)
- Token Management - Use libraries like MSAL to simplify handling
- Integration Complexity - Leverage Azure AD or AD FS for easier setup
- Token Revocation - Use short-lived tokens and refresh tokens
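The Basic Authentication and NTLM slides above contrast a credential that is sent with every request against a challenge/response exchange. The following Python example, added here and not part of the deck, makes that contrast concrete: it builds and decodes an Authorization: Basic header, then runs a simplified three-message challenge/response between a client and a server and shows why a captured response cannot be reused. The challenge/response side uses HMAC-SHA256 as a stand-in for NTLM's real MD4/HMAC-MD5 computations, and the account alice/S3cret! is a constructed sample.

```python
import base64
import hashlib
import hmac
import secrets

# ---- Basic authentication ------------------------------------------------
# The Authorization header carries "username:password" in base64. Base64 is an
# encoding, not encryption, so anyone who observes the request over plain HTTP
# recovers the password, and the same header stays valid indefinitely (no expiry).


def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic_header(header: str) -> tuple[str, str]:
    """What an observer of an unencrypted request learns from the header."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- Challenge/response (simplified model of the three NTLM messages) -----
# Constructed for this example: HMAC-SHA256 stands in for NTLM's real MD4 and
# HMAC-MD5 computations. The password hash never crosses the wire; the client
# proves knowledge of it by keying a MAC over a fresh, server-chosen challenge.


def derive_key(password: str) -> bytes:
    """Stand-in for the stored password hash (real NTLM stores MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class ChallengeResponseServer:
    def __init__(self, users: dict[str, str]):
        self._keys = {user: derive_key(pw) for user, pw in users.items()}
        self._pending: dict[str, bytes] = {}

    def negotiate(self, username: str) -> bytes:
        """Message 1 (NEGOTIATE) arrives from the client; the reply is message 2 (CHALLENGE)."""
        challenge = secrets.token_bytes(8)
        self._pending[username] = challenge
        return challenge

    def authenticate(self, username: str, response: bytes) -> bool:
        """Message 3 (AUTHENTICATE): check the MAC against the one-time challenge."""
        challenge = self._pending.pop(username, None)  # consumed: a challenge is answered once
        key = self._keys.get(username)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        # Note the gap the slides point out: nothing in this exchange lets the
        # client verify that it is talking to the genuine server (no mutual auth).
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def compare_replay_behaviour() -> dict:
    """Replay a captured credential against both schemes and report what happens."""
    users = {"alice": "S3cret!"}  # constructed sample account

    # Basic: the captured header is a valid credential for every later request
    captured_header = basic_auth_header("alice", users["alice"])
    user, password = decode_basic_header(captured_header)
    basic_replay = users.get(user) == password

    # Challenge/response: a captured message 3 answers only the challenge it was made for
    server = ChallengeResponseServer(users)
    challenge = server.negotiate("alice")
    captured_response = client_response("S3cret!", challenge)
    first_attempt = server.authenticate("alice", captured_response)
    server.negotiate("alice")  # a new session gets a fresh challenge
    replay_attempt = server.authenticate("alice", captured_response)

    return {
        "basic_password_recovered": password,
        "basic_replay_succeeds": basic_replay,
        "challenge_response_first_attempt": first_attempt,
        "challenge_response_replay_succeeds": replay_attempt,
    }
```

The server consumes each challenge on first use, which is what defeats the replay; without that one line the captured response would be accepted again, which is the defect the slides' "replay attacks" bullet describes for Basic authentication.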
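The Kerberos Authentication slides describe the AS, the TGS, the Kerberos database, the TGT, service tickets, limited ticket lifetimes and strict time requirements. The example below, added here and not part of the deck, simulates that flow in Python so the lifetime and clock-skew checks can be exercised. It is a constructed model: the seal/unseal routines are a toy HMAC-based authenticated cipher standing in for Kerberos' real encryption types, password_key stands in for the string-to-key derivation, the message formats are simplified JSON, and the principals alice and host/fileserver are invented.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300  # seconds; Kerberos deployments commonly tolerate about 5 minutes of clock drift


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (constructed stand-in for Kerberos' real ciphers)."""
    plaintext = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def password_key(password: str) -> bytes:
    """Stand-in for deriving a principal's long-term key from its password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class KDC:
    """Authentication server (AS), ticket-granting server (TGS) and Kerberos database in one object."""

    def __init__(self, principals: dict[str, str], ticket_lifetime: int = 600):
        self.db = {name: password_key(pw) for name, pw in principals.items()}  # the Kerberos database
        self.tgs_key = secrets.token_bytes(32)  # long-term key of the ticket-granting service
        self.lifetime = ticket_lifetime  # ticket lifetime in seconds, set by the admin

    def as_exchange(self, client: str, now: float) -> tuple[bytes, bytes]:
        """AS-REQ/AS-REP: a TGT sealed for the TGS plus the session key sealed for the client."""
        session_key = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session_key.hex(), "exp": now + self.lifetime})
        reply = seal(self.db[client], {"key": session_key.hex(), "exp": now + self.lifetime})
        return tgt, reply  # the password itself is never sent

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> tuple[bytes, bytes]:
        """TGS-REQ/TGS-REP: validate the TGT and authenticator, then issue a service ticket."""
        ticket = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
        if now > ticket["exp"]:
            raise PermissionError("TGT expired")
        if abs(now - auth["ts"]) > MAX_SKEW:
            raise PermissionError("clock skew too large")
        if auth["client"] != ticket["client"]:
            raise PermissionError("authenticator does not match ticket")
        service_key = secrets.token_bytes(32)
        service_ticket = seal(self.db[service],
                              {"client": ticket["client"], "key": service_key.hex(), "exp": now + self.lifetime})
        reply = seal(bytes.fromhex(ticket["key"]), {"key": service_key.hex(), "service": service})
        return service_ticket, reply


def client_login(kdc: KDC, user: str, password: str, service: str, now: float) -> tuple[bytes, bytes]:
    """Client side: obtain a TGT, then a service ticket; returns (service ticket, service session key)."""
    tgt, reply = kdc.as_exchange(user, now)
    session_key = bytes.fromhex(unseal(password_key(password), reply)["key"])  # a wrong password fails here
    authenticator = seal(session_key, {"client": user, "ts": now})
    service_ticket, reply2 = kdc.tgs_exchange(tgt, authenticator, service, now)
    return service_ticket, bytes.fromhex(unseal(session_key, reply2)["key"])


def service_accepts(service_key: bytes, service_ticket: bytes, authenticator: bytes, now: float) -> bool:
    """AP-REQ check on the service server: the same lifetime and clock-skew rules apply."""
    try:
        ticket = unseal(service_key, service_ticket)
        auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    except ValueError:
        return False
    return now <= ticket["exp"] and abs(now - auth["ts"]) <= MAX_SKEW and auth["client"] == ticket["client"]
```

Two of the deck's points fall out of the model directly: a ticket is rejected once its lifetime has passed (limited ticket lifetime, reusable until then), and a valid ticket is still refused when the presenting host's clock is more than MAX_SKEW seconds away from the service's (strict time requirements).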
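The OAuth and OpenID Connect slides say the client uses the ID token, a JWT, to verify the user's identity, and list the steps of the OIDC flow. The following Python example, added here and not part of the deck, shows what that verification has to check before the identity in the token can be trusted: the signature, the pinned algorithm, the issuer, the audience, the expiry, and the nonce that ties the token to the login attempt that requested it. It uses HS256 (HMAC with the client secret) so it runs offline; the authorization server, its accounts, and the issuer https://idp.example are constructed stand-ins, and the user authentication inside it is a plain password lookup for illustration only.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(client_secret: bytes, claims: dict) -> str:
    """Authorization server side: sign the ID token as a compact JWT (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def validate_id_token(token: str, client_secret: bytes, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """Client side: every check that must pass before the identity the token asserts is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose (e.g. "none")
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    audience = claims.get("aud")
    if client_id not in (audience if isinstance(audience, list) else [audience]):
        raise ValueError("token was not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims


class AuthorizationServer:
    """Issues ID tokens (the OIDC identity layer) and access tokens (OAuth 2.0 resource access)."""

    def __init__(self, issuer: str, clients: dict[str, bytes], accounts: dict[str, str]):
        self.issuer, self.clients, self.accounts = issuer, clients, accounts

    def authorize(self, client_id: str, scope: str, nonce: str, username: str, password: str, now: int) -> dict:
        if self.accounts.get(username) != password:  # constructed stand-in for real user authentication
            raise PermissionError("authentication failed")
        response = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
        if "openid" in scope.split():  # the openid scope is what turns an OAuth request into OIDC
            subject = "user-" + hashlib.sha256(username.encode()).hexdigest()[:12]
            claims = {"iss": self.issuer, "sub": subject, "aud": client_id,
                      "iat": now, "exp": now + 300, "nonce": nonce}
            response["id_token"] = issue_id_token(self.clients[client_id], claims)
        return response


def oidc_login(server: AuthorizationServer, client_id: str, client_secret: bytes,
               username: str, password: str, now: int) -> str:
    """The four OIDC steps from the slides, from the relying party's point of view."""
    nonce = secrets.token_urlsafe(16)  # generated per login attempt and checked on the way back
    tokens = server.authorize(client_id, "openid profile email", nonce, username, password, now)
    claims = validate_id_token(tokens["id_token"], client_secret, server.issuer, client_id, nonce, now)
    return claims["sub"]  # the access token would go to the resource server separately
```

Each rejected case in the checks corresponds to a token that is cryptographically valid but meant for someone else: issued by a different issuer, to a different client, for a different login attempt, or before it expired. Production code would normally use the provider's published keys (RS256/ES256) and a maintained library such as MSAL, which the slides recommend, but the set of claims that must be checked is the same.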
