Analysis of the Security of Windows NT
1 March 1999
trust account on the trusted domain. This logon attempt will not succeed, since this
type of account does not allow interactive logons. Instead an error message is returned
stating that this is an illegal operation. The error message will, however, tell the system
that the account exists and that a trust relationship should be established between the
two domain controllers. The events that take place now are somewhat similar to the
events taking place when a client is first started and a user logs on to a domain, see sec-
tion 5.4.1. First a discovery process is carried out by the trusting PDC to locate the
trusted PDC. The trusting PDC then establishes a secure channel to the trusted PDC.
This channel is then used in the same way as the secure channel in a normal logon, and
any attempt, remote or interactive, to log on to a machine in the trusting domain will be
handled as a pass-through logon.
4.4 Shares
A share is basically an exported resource, e.g. a printer or a file system tree. A folder, a
drive or a printer can be shared by an administrator, power user or server operator.
There are two types of security on shares: user-level security and share-level security. In
user-level security users are given access to a share depending on their user name and
password. This type of share is the one used in NT and optionally in Windows 95. Every
share has an ACL attached to it. Depending on the rights given in this ACL to the user, or to
a group of which s/he is a member, s/he can do different things in this share. If the
share is an NTFS file system tree, the more restrictive of the two ACLs, the ACL of the
share and the ACL of the manipulated file or directory, decides which rights the user is
granted to that object. When a share is created it will by default have Everyone: Full
Control as its permissions. The shares that a computer exports can be seen in the
Network Neighborhood or by typing net view \\computername at the command prompt.
If the name of a share ends with a $ sign, it will not show up in either of the previously
mentioned methods. In share-level security users are given access depending on whether
they can supply the correct password for a particular share or not. Every share has an
optional password for reading and one for writing. This type of security is used in
Windows for Workgroups and Windows 95.
In NT, there exists a special kind of share called administrative shares or system
shares. They all have a $ sign at the end of their names and are created by the system
when it is booted. Some of the shares that are created in this way are C$ through Z$ (one
for each local drive), IPC$, PRINT$ and ADMIN$. The shares with volume names are the
local drives of the exporting computer. IPC$ is the interprocess communication share, which
is used among other things for establishing secure channels to domain controllers (DCs).
PRINT$ is the local spooler service and ADMIN$ is the root of the local system directory,
e.g. c:\winnt. The rights on these shares cannot be set, and the access rights on the drive
shares are limited to administrators. These shares can be removed or stopped from
being created at boot time. However, if IPC$ is removed from a PDC or a BDC, no user
will be able to log on to that domain using that DC. This might even take some time to
discover, since the last ten logons on a workstation are cached by default to enable logon
if a DC should fail.
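The two rules described in this section, that the effective rights on a file reached through a share are the more restrictive of the share ACL and the NTFS ACL, and that administrative shares and other shares ending in $ are hidden from net view, are modelled in the following added example. It is not code from the report; the permission sets, the ACE representation and the assumption that a "No Access" entry overrides any grant (NT 4 behaviour as commonly documented) are simplifications chosen for illustration, and the sample ACLs are constructed.

```python
"""Model of NT 4 share access evaluation and a share audit (added example).

Assumptions (simplified model, not taken from the report):
- An ACL is an ordered list of ACEs (trustee, rights); rights is a frozenset of
  permission names or the special marker NO_ACCESS.
- A user's rights from an ACL are the union of all ACEs matching the user or one
  of the user's groups; a matching NO_ACCESS ACE overrides everything.
- Rights on an NTFS object reached through a share are the intersection of the
  share ACL result and the object ACL result (the more restrictive wins).
"""
from dataclasses import dataclass

FULL_CONTROL = frozenset({"read", "write", "execute", "delete",
                          "change_permissions", "take_ownership"})
CHANGE = frozenset({"read", "write", "execute", "delete"})
READ = frozenset({"read", "execute"})
NO_ACCESS = "NO_ACCESS"          # NT 4 "No Access" entry

DEFAULT_ADMIN_SHARES = {"IPC$", "ADMIN$", "PRINT$"}


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group name
    rights: object    # frozenset of permission names, or NO_ACCESS


def evaluate_acl(acl, user, groups):
    """Rights an ACL grants to `user`, who is a member of `groups`."""
    principals = {user, *groups}
    granted = set()
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.rights == NO_ACCESS:   # No Access overrides any other ACE
            return frozenset()
        granted |= ace.rights
    return frozenset(granted)


def effective_access(share_acl, object_acl, user, groups):
    """Rights on an NTFS object accessed through a share: intersection of both ACLs."""
    return evaluate_acl(share_acl, user, groups) & evaluate_acl(object_acl, user, groups)


def is_hidden_share(name):
    """Shares whose name ends in $ are not listed by net view / Network Neighborhood."""
    return name.endswith("$")


def is_administrative_share(name):
    """C$ .. Z$ drive shares plus IPC$, ADMIN$ and PRINT$, created by the system at boot."""
    if name in DEFAULT_ADMIN_SHARES:
        return True
    return len(name) == 2 and name[0].isalpha() and name[1] == "$"


def audit_shares(shares):
    """Return user-created shares that still carry the default Everyone: Full Control ACE."""
    findings = []
    for name, acl in shares.items():
        if is_administrative_share(name):
            continue                   # rights on system shares cannot be set anyway
        if any(a.trustee == "Everyone" and a.rights == FULL_CONTROL for a in acl):
            findings.append(name)
    return findings


# Constructed sample ACLs (not from the report)
DOCS_SHARE_ACL = [Ace("Domain Users", READ), Ace("Project", CHANGE)]
REPORT_FILE_ACL = [Ace("Project", FULL_CONTROL), Ace("Guests", NO_ACCESS)]
SAMPLE_SHARES = {
    "Public": [Ace("Everyone", FULL_CONTROL)],   # the default ACL of a new share
    "Docs": DOCS_SHARE_ACL,
    "C$": [Ace("Administrators", FULL_CONTROL)],
}


def demo():
    """Three users reaching report.doc through the Docs share."""
    alice = effective_access(DOCS_SHARE_ACL, REPORT_FILE_ACL, "alice", {"Domain Users", "Project"})
    bob = effective_access(DOCS_SHARE_ACL, REPORT_FILE_ACL, "bob", {"Domain Users"})
    guest = effective_access(DOCS_SHARE_ACL, REPORT_FILE_ACL, "guest", {"Project", "Guests"})
    return alice, bob, guest


if __name__ == "__main__":
    print(demo())                       # alice: CHANGE; bob and guest: no rights
    print(audit_shares(SAMPLE_SHARES))  # ['Public']
```

alice gets Change rather than Full Control because the share ACL is the more restrictive of the two; bob has read rights on the share but no ACE on the file, so the intersection is empty; guest is in Project but the Guests No Access entry on the file overrides the grant. The audit reports only Public, which still carries the default Everyone: Full Control entry, and skips C$ because administrative shares cannot have their rights changed.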
4.5 Server Message Block (SMB)
SMB is an application level protocol used by Microsoft for a number of things. Among
those are authentication, RPC and the Common Internet File System protocol (CIFS).