Analysis of the Security of Windows NT
1 March 1999
the advent of networked computing had made many of these data structures rather large.

To combat this problem, again Sun Microsystems developed a client-server structure for answering queries from individual workstations. Sun originally named this service the Sun Yellow Pages, but when it became apparent that the name was already registered, Sun changed the name to NIS, or Network Information System. NIS consists of a number of primary and secondary servers that answer individual questions from workstations about user accounts, hostname-to-IP-address resolution, Ethernet network addresses, etc. For an in-depth treatment of UNIX internals see for instance [58] or [59].
8.1 Security
Neither of the systems above was designed with security as one of the design goals. They all stem from a time when "first make it work" was the order of the day. However, even though UNIX eliminated many of the advanced security features available in Multics, it must still be considered a workable platform on which to build secure systems. Some basic security mechanisms are present: different processes have different memory spaces, and they cannot read or write memory belonging to another process. Calls into the kernel are checked against the user owning the process, and only the super user (an all-powerful administrative account) can perform certain security-critical operations. Processes can inherit super user privileges to perform some security-critical function (such as logging in another user) in a limited and secure manner. The filesystem keeps a record of the ownership of all files and objects, and the permissible operations (read/write/execute) can be determined on an individual basis for each file.
The security mechanisms above, while they are the very building blocks that can make a UNIX system secure, also leave a lot to be desired. The introduction of an all-powerful administrative account introduces a single point of failure into the system. Once an intruder has gained super user privileges, little can be done to trace his actions or to eject him from the system.
The process privilege inheritance mechanism, the set-UID (SUID) mechanism, is in many respects too coarse-grained a mechanism: it is all or nothing. Many security flaws are introduced into UNIX systems because a SUID program is tricked into doing something other than what it was originally intended to do. Since all its actions are performed with maximum privilege, it can affect the system in any way the intruder sees fit, especially in areas that have no connection with the original privileged operation the program was designed to mediate access to.
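The all-or-nothing nature of SUID described above is usually mitigated in practice by having the program perform its one privileged operation first and then permanently give up root before touching any untrusted input. The following is an added example of that defensive pattern (not code from the paper); it assumes Linux/glibc, where setresuid/setresgid are available, and the function drop_privileges is a name chosen here.

```c
/* Added example: permanently dropping SUID root privileges.  After a SUID
 * program has done its single privileged operation, it should drop to the
 * invoking user's identity and verify the drop, so that any later flaw
 * (such as being tricked by malformed input) runs with user privileges only. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root for the given uid/gid.  Returns 0 on success and
 * -1 on any failure; a caller must abort rather than continue on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root; they would
     * otherwise keep granting group-based file access after the drop. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: once the uid has been dropped, setresgid would fail. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Real, effective and saved uid are set together, so there is no saved
     * root identity left for a later seteuid(0) to restore. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the drop: for an unprivileged target, regaining root must fail. */
    if (uid != 0 && (seteuid(0) == 0 || setresuid(0, 0, 0) == 0))
        return -1;
    /* Final check that every identity now matches the target. */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    /* In a SUID program the real uid/gid are those of the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the verification step confirms that root cannot be regained; run as root with uid 0 as the target, the function simply keeps the current identity.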
The file permission system was originally somewhat coarse-grained and did not facilitate the enforcement of many reasonable security policies. Permissions could be set to allow read, write, and execute access according to the criteria owner, group, and others. However, today all major manufacturers of UNIX support some kind of ACL (Access Control List) feature similar to that of NT. The various systems do not follow any standard for how to accomplish this, and perhaps as a result, the majority of UNIX installations do not activate the ACL feature provided to them.