
Analysis of the Security of Windows NT, 1 March 1999

FIGURE 14. Schematic view of the login procedure: step 3 (Numbers state chain of events)

The parameters passed to LSA in the call are those collected and created above and the Authentication package that WinLogon wants to use. Since it is possible to use more than one Authentication package, this information is important. Before the password is passed to LSA it is once again encrypted with an encryption known only to WinLogon and the Authentication package.

Once LSA has been called, it calls the Authentication package. This is done because LSA cannot use some of the parameters, since they are encrypted. It is instead the Authentication package that verifies the username and the password. This is done by retrieving some information from the SAM database, including the hashed password, the user SID and the group SIDs that are associated with this user, see Figure 15. The authentication is done by comparing the two hashed passwords with each other. The hashed clear-text password, the username and the hashed case-sensitive password are then stored in a variable supplied by LSA.

FIGURE 15. Schematic view of the login procedure: step 4 (Numbers state chain of events)

If the authentication package part of the login process succeeds, the LSA will check the privileges held by the user and the groups of which s/he is a member and determine if the user is allowed to perform this type of login (there are three types available: interactive, network and service logons). If s/he has the right privileges the logon SID men-

Labels in Figure 14 (components: WinLogon, Win32, Window Station, Logon Desktop):
1. Send Password, Username and Domain
2. Send Password, Username and Domain
3. Send Password, Username and Domain

Labels in Figure 15 (components: WinLogon, LSA, SAM, Auth. Package, Suspended Process):
1. Create and suspend new process
2. Send Ey(Password), Username, Domain and Auth. Package
3. Send Ey(Password), Username and Domain
4. Request Info
5. Send Hashed Passwd, User SID, and Group SID
6. Supply Password and Username
7. Supply newly created access token
8. Change access token
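
The exchange between WinLogon, LSA, the Authentication package and SAM described on this page, as an added Python model that is not code from the paper or from Windows NT. Assumptions: SHA-256 stands in for the password hash, an XOR keystream stands in for the encryption Ey, only one hash is compared, and every account, SID, package name and logon right is a constructed sample value.

```python
import hashlib, hmac, os

# Stand-ins, not NT's algorithms: SHA-256 for the password hash and an XOR
# keystream for Ey. All accounts, SIDs and rights are constructed samples.
SHARED_KEY = os.urandom(32)   # known to WinLogon and the package, not to LSA

def ey(data: bytes, nonce: bytes) -> bytes:
    """Toy symmetric transform (its own inverse) modelling Ey(Password)."""
    stream = hashlib.shake_256(SHARED_KEY + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

SAM = {("LAB", "alice"): {"hash": pw_hash("Sample-Pw-1"),
                          "user_sid": "S-1-5-21-1-1001",
                          "group_sids": ["S-1-5-21-1-513"]}}
LOGON_RIGHTS = {"S-1-5-21-1-513": {"interactive"}}  # SID -> allowed logon types

def auth_package(blob, nonce, user, domain):
    """Figure 15, steps 3-6: decrypt, query SAM, compare the two hashes."""
    rec = SAM.get((domain, user))
    supplied = pw_hash(ey(blob, nonce).decode("utf-8", "replace"))
    stored = rec["hash"] if rec else bytes(32)   # dummy for unknown accounts
    if rec is None or not hmac.compare_digest(supplied, stored):
        return None
    return rec["user_sid"], rec["group_sids"]

PACKAGES = {"sample_pkg": auth_package}   # LSA may host several packages

def lsa_logon(blob, nonce, user, domain, package, logon_type):
    """LSA only forwards the encrypted blob, then checks the logon type."""
    result = PACKAGES[package](blob, nonce, user, domain)
    if result is None:
        return None
    user_sid, group_sids = result
    allowed = set().union(*(LOGON_RIGHTS.get(s, set())
                            for s in [user_sid, *group_sids]))
    if logon_type not in allowed:
        return None
    # Simplified stand-in for the access token supplied in step 7.
    return {"user": user_sid, "groups": group_sids, "logon_type": logon_type}

def winlogon(user, domain, password, logon_type="interactive"):
    """Step 2: WinLogon names the package and sends Ey(Password) to LSA."""
    nonce = os.urandom(16)
    blob = ey(password.encode("utf-8"), nonce)
    return lsa_logon(blob, nonce, user, domain, "sample_pkg", logon_type)
```

A correct password with a logon type the account is not granted is rejected by LSA, not by the package, which is the split of responsibilities the text describes.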