Analysis of the Security of Windows NT
1 March 1999
2. Introduction
Computer security is traditionally defined by three attributes: (1) confidentiality (or
secrecy), (2) integrity, and (3) availability [19], collectively known as CIA. Secrecy is the
aspect of keeping information protected from unauthorized users. Integrity implies
that data can only be modified by authorized parties. Finally, availability means that
the services are provided to any authorized user. A violation of any of these attributes is
considered to be a successful attack.
Windows NT was designed with security in mind. In fact, it has been classified as a C2
level operating system (OS) by the National Security Agency (NSA) [43]. There were
two major goals with this study: first, to find as many vulnerabilities as possible in NT,
within a limited time. Second, to gather information about NT and its flaws.
A common method to evaluate the security of a system is to use a so-called Tiger Team.
For example, see [7], which describes a Tiger Team analysis of the VM/370 operating system
from the mid-seventies. Such a team is very skilled and has deep knowledge about
the system and its potential vulnerabilities. In our case, however, there is a difference:
we were novice NT users.
There is not much in-depth literature on NT or its security design. Lately, a number of
security handbooks have been published, see for example [64], [58], [44] and [18], but
most of them lack technical depth. However, there is one evaluation performed by the
NSA, and the corresponding report has been issued by the National Computer Security
Center (NCSC) [43]. The evaluation is mostly based on the design of the system as
defined in the Orange Book [65]. We have, on the other hand, studied the operational
security of NT using penetration experiments. These may reveal vulnerabilities in the
design and implementation as well as in the installation.
Other penetration experiments have been carried out at our department, the most similar
being a security analysis of a secure database [68]. However, most of our previous
studies differ from the present one. Firstly, the object systems were different: a networked
UNIX operating system [62], [63] and a PC network [66]. Secondly, the attackers
were final-year university students. Thirdly, the attackers had to follow some rules,
since the results of these studies were used for mathematical modelling purposes.
Section 3 provides a detailed system overview of NT, while section 4 describes the networking
part of the system. Section 5 concentrates on the security features, whereas
section 6 focuses on utility programs for NT and UNIX. Section 7 presents our intrusion
experiments and section 8 is a comparison between the weaknesses found in NT and
known UNIX weaknesses. In section 9 we discuss the lessons learned during this study
and section 10 concludes. Appendix A presents some of the cryptography used in NT
and in appendix B we explain the domain logon process. The SMB data structure as
well as a detailed description of the flag fields used in SMB is the topic of appendix C.
Appendix D gives examples of utility programs for NT. A list of useful web sites is
presented in appendix E. In appendix F, there is a list of security-related newsgroups.
Appendix G is a list of abbreviations.