Analysis of the Security of Windows NT
1 March 1999
FIGURE 14. Schematic view of the login procedure: step 3 (Numbers state chain of events)
The parameters passed to LSA in the call are those collected and created above, together
with the Authentication package that WinLogon wants to use. Since it is possible to use
more than one Authentication package, this information is important. Before the password
is passed to LSA, it is once again encrypted with an encryption known only to WinLogon
and the Authentication package.
Once LSA has been called, it calls the Authentication package. This is done because LSA
cannot use some of the parameters, since they are encrypted. It is instead the
Authentication package that verifies the username and the password. This is done by
retrieving some information from the SAM database, including the hashed password,
the user SID and the group SIDs that are associated with this user (see Figure 15).
The authentication is done by comparing the two hashed passwords with each other.
The hashed clear-text password, the username and the hashed case-sensitive password
are then stored in a variable supplied by LSA.
FIGURE 15. Schematic view of the login procedure: step 4 (Numbers state chain of events)
If the authentication package part of the login process succeeds, the LSA will check the
privileges held by the user and the groups of which s/he is a member and determine if
the user is allowed to perform this type of login (there are three types available:
interactive, network and service logons). If s/he has the right privileges the logon SID men-
[Figure labels, first diagram. Components: WinLogon, Win32, Window Station, Logon Desktop. Steps: 1. Send Password, Username and Domain; 2. Send Password, Username and Domain; 3. Send Password, Username and Domain.]
[Figure labels, second diagram. Components: WinLogon, LSA, SAM, Auth. Package, Suspended Process. Steps: 1. Create and suspend new process; 2. Send Ey(Password), Username, Domain and Auth.Package; 3. Send Ey(Password), Username and Domain; 4. Request Info; 5. Send Hashed Passwd, User SID, and Group SID; 6. Supply Password and Username; 7. Supply newly created access token; 8. Change access token.]
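The chain of events described above, modelled as an added example (not code from the report or from Windows NT): WinLogon encrypts the password, the LSA forwards it unread, the Authentication package checks it against SAM, and the LSA then checks the logon type. The SHA-256 hash, the XOR keystream cipher, the shared key, the SIDs and the rights table are all assumptions standing in for details the report does not give.

```python
import hashlib
import hmac

SHARED_KEY = b"winlogon-authpkg-demo-key"   # assumption: known to WinLogon and the package only

def pw_hash(password: bytes) -> bytes:
    """Stand-in for the password hash stored in SAM (assumption: SHA-256)."""
    return hashlib.sha256(password).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample SAM records and logon rights; all SIDs are made up.
SAM = {
    "alice": {"hash": pw_hash(b"Tr1cky!pw"), "user_sid": "S-1-5-21-0-1001",
              "group_sids": ["S-1-5-21-0-513"]},
    "backup": {"hash": pw_hash(b"svc-secret"), "user_sid": "S-1-5-21-0-1002",
               "group_sids": ["S-1-5-21-0-2001"]},
}
LOGON_RIGHTS = {
    "interactive": {"S-1-5-21-0-513"},
    "network": {"S-1-5-21-0-513", "S-1-5-21-0-2001"},
    "service": {"S-1-5-21-0-1002"},
}

def winlogon_encrypt(password: str) -> bytes:
    return xor_stream(password.encode(), SHARED_KEY)

def auth_package(enc_password: bytes, username: str):
    """Decrypt, hash, and compare with the SAM record; return SIDs or None."""
    record = SAM.get(username)
    candidate = pw_hash(xor_stream(enc_password, SHARED_KEY))
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["user_sid"], list(record["group_sids"])

def lsa_logon(enc_password: bytes, username: str, logon_type: str):
    """LSA forwards the opaque blob, then checks the right for this logon type."""
    verified = auth_package(enc_password, username)
    if verified is None:
        return None                      # authentication failed
    user_sid, group_sids = verified
    if not LOGON_RIGHTS.get(logon_type, set()) & {user_sid, *group_sids}:
        return None                      # authenticated, but logon type not allowed
    return {"user_sid": user_sid, "group_sids": group_sids, "logon_type": logon_type}
```

A correct password is not sufficient in this model: the second check in `lsa_logon` rejects a verified user whose SIDs do not carry the right for the requested logon type.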