Windows Security - Windows NT/2000 Login Security
Introduction
As more and more businesses launch e-commerce initiatives, the Internet is fast becoming a vault of critical business data. Smart cards, retinal scans, and an array of digital-age technologies are all set to replace the currently prevalent password authentication systems. How flexible are operating systems in allowing the use of these technologies? It is not enough for an operating system to support a smart card or a retinal scan. It must be able to accommodate newer devices as they come, without any modifications to its architecture.
Therefore, it becomes essential for an operating system to provide both effective and extendable security for its resources. Two of the forerunners in this area are Microsoft Windows NT® and Microsoft Windows 2000®. What features of Windows NT/2000 make it possible to have flexible and extendable security? What should be done to make a Windows NT/2000 system use a different access mechanism in place of the default password authentication method? This paper addresses these questions.
How the security in a Windows NT/2000 system works

Windows NT Security Components
The security in Microsoft Windows NT/2000 is handled by the security subsystem. The subsystem is designed as a set of components, each of which can be replaced without affecting the others. Access to the resources in a Windows NT machine is controlled by a security ID (SID). Every resource carries an access mask that is checked against the SID to determine whether the holder of that SID is allowed to access the resource in question. Every user of Windows NT is given an access token containing the user's SID. The user's access token is compared with the access mask of the resource, and the user is granted access only if the SID is allowed to access the resource.
Logon is performed through the interactive logon process (Winlogon). Winlogon is a trusted process for managing security-related user interaction. Winlogon is the first process to run on a system. It performs the following tasks on the system:
- It creates a window station to represent keyboard, mouse and monitor.
- It creates three desktops: an application desktop (used by the user), a winlogon desktop (used by Winlogon to display the logon UI) and a screensaver desktop (to run the screensavers). Only the Winlogon process has access to the winlogon desktop. This means that whenever the winlogon desktop is active, no other process has access to the data associated with that desktop. This prevents any other process from obtaining the password that is used for logging on and for unlocking the desktop. The screensaver is run on a separate desktop so that if the screensaver is marked secure, Winlogon switches to the winlogon desktop when the screensaver terminates, thus locking the system.
- It registers a Secure Attention Sequence (SAS), a hot-key sequence, so that Winlogon's keyboard hook handler is called whenever the SAS is entered. This makes sure that no other program gains control of the station when the SAS is entered. Since Winlogon is the first process started, no other program can hook the same key combination.
- Once the user enters the password, Winlogon sends the information to the Local Security Authority Server (LSA), which authenticates the password. It then generates the access token of the user. Winlogon uses this access token to create the user's shell.
The identification and authentication aspects of the winlogon are implemented as a replaceable DLL called GINA (Graphical Identification and Authentication). A new GINA DLL can replace the standard msgina.dll, when the system needs to use another method of authentication in place of the Windows NT default username/password mechanism.
What does the GINA do?
Replacing the entire logon process means that the GINA needs to take care of all the services, from displaying the logon UI right through to creating a shell for the user to work in. This includes the following functions:
SAS Recognition
The GINA can have its own SAS and then carries the responsibility of recognizing it. This is not required if the GINA uses the standard SAS of Winlogon (Ctrl+Alt+Del). The GINA needs to call WlxSasNotify whenever it recognizes a SAS; Winlogon in turn calls the appropriate routine in the GINA, depending on the current state of the station. If the GINA uses the standard SAS, Winlogon automatically calls the appropriate routine, without the GINA having to call WlxSasNotify.
User Interface
Since the GINA can provide an alternative identification mechanism, it is the responsibility of the GINA to display the entire user interface needed to perform the logon authentication. The GINA has to display the user interface that collects the data needed to perform the authentication, and all other user interfaces appropriate to the state of the station at the time.
Shell Creation
When a user performs a successful logon, the GINA needs to create the initial process and assign it the user's access token obtained from Winlogon. This process must start the default shell for the user. Normally userinit.exe is started as the initial process. This program runs in the user's context and on the user's desktop. It sets up the user environment, for example restoring network connections, loading the user's profile (colors, fonts, screensavers, etc.) and running logon scripts. It then activates the shell program with the same environment as itself. The standard shell for Windows NT is Explorer.exe, which manages the desktop, taskbar, etc. Once the shell is created with the user's access token, all other processes created by the user automatically inherit it, thus securing the resources.
How does the Winlogon interact with GINA?
Winlogon and the GINA have a protocol for interaction. Winlogon calls the GINA whenever it needs to perform an operation; the GINA performs the requested duty and sends back the appropriate response to Winlogon. The possible requests from Winlogon and the GINA's responses are given below:
On system boot, Winlogon calls WlxNegotiate with the version of Winlogon. It then passes the GINA the addresses of the helper functions and obtains the GINA context by calling WlxInitialize.
Once the initialization is complete, the station is in a "No user logged on" state. In this state, the GINA has to monitor the station for a SAS. Once a SAS is detected, the GINA calls WlxSasNotify to register the SAS with Winlogon. Winlogon in turn calls the WlxLoggedOutSAS routine of the GINA. When the logged-on user generates a SAS, Winlogon calls the WlxLoggedOnSAS routine. This routine returns to Winlogon the type of operation that the user wishes to perform: a Lock, a Logoff or a Shutdown.
When a user issues a SAS on a locked station, Winlogon calls the WlxWkstaLockedSAS routine. The GINA routines WlxLogoff and WlxShutdown are called when the user wants to log off or shut down respectively.
When the screensaver is to be activated, Winlogon calls WlxScreenSaverNotify. The GINA can stop the screensaver from running.
Apart from the routines mentioned above the GINA needs to export some more functions.
WlxActivateUserShell
This function is called by Winlogon on successful logon. The GINA needs to activate the user shell. The GINA can use CreateProcess or CreateProcessAsUser to do this.
WlxIsLockOk
This function is called to verify a lock attempt. It returns TRUE if locking the workstation is acceptable, FALSE otherwise.
WlxStartApplication
This function of the GINA is called when an application needs to be started in the user's context. This can occur when Explorer crashes or when an extended task manager needs to run.
WlxLogoff & WlxShutdown
These functions are called to perform logoff and shutdown respectively.
WlxDisplayLockedNotice
This is called to display a "Station Locked" notice.
WlxDisplaySASNotice
This is called to display a notice prompting the user to press the SAS to start the logon process.
A GINA DLL needs to export all these functions. If the author of the GINA is interested in only part of the functionality, the DLL can forward to the functions exported by msgina.dll for the functionality it does not need to override.
What's new in Windows 2000?
The Windows 2000 GINA is the same as that of Windows NT 4.0, except that the new GINA DLL needs to export the following functions in addition to the previous ones.
WlxDisplayStatusMessage & WlxGetStatusMessage
Winlogon calls these GINA functions whenever a status message needs to be displayed to the user or the currently displayed status message needs to be retrieved, respectively.
WlxRemoveStatusMessage
This routine is called to tell the GINA to stop displaying the status message.
WlxNetworkProviderLoad
This function is called to collect valid authentication and identification information from the GINA so that it can be passed to the network providers.
What changes do I need to make to use a different GINA?
In order for Windows NT/2000 to use a GINA other than msgina.dll, the following registry value must be set and the system restarted.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: GinaDLL
Value data: name of the GINA DLL (REG_SZ)
Note: If this value name is present, it must contain the name of a valid GINA DLL. If it is absent, Winlogon uses msgina.dll.
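Because whatever DLL the GinaDLL value names is loaded by Winlogon and handles the credentials the user types, the value is worth auditing. The following PowerShell script is an added example, not part of the original article: it reports whether the value is set, which file it resolves to, whether that file exists, and whether it carries a valid Authenticode signature. It assumes a PowerShell host with read access to HKLM and the Get-AuthenticodeSignature cmdlet; the function name Get-GinaDllAudit and the "Microsoft" subject check are the example's own choices, and the key path is the standard Winlogon key (with the space in "Windows NT").

```powershell
# Added example (not from the original article): audit the Winlogon GinaDLL value.
# Assumes a PowerShell host with read access to HKLM; function name is hypothetical.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-GinaDllAudit {
    param([string]$KeyPath = $winlogonKey)

    $result = [ordered]@{
        KeyPath      = $KeyPath
        ValuePresent = $false
        GinaDLL      = $null
        ResolvedPath = $null
        FileExists   = $false
        IsDefault    = $true      # no value, or msgina.dll, means the built-in GINA
        Signature    = $null
        Findings     = @()
    }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        $result.Findings += "Winlogon key not readable: $KeyPath"
        return [pscustomobject]$result
    }

    $ginaValue = $props.PSObject.Properties['GinaDLL']
    if ($null -eq $ginaValue) {
        # No GinaDLL value: Winlogon falls back to msgina.dll, nothing to flag.
        return [pscustomobject]$result
    }

    $result.ValuePresent = $true
    $result.GinaDLL      = [string]$ginaValue.Value

    # A bare file name is found through the normal DLL search order, which starts
    # with the system directory; resolve against it so the file can be inspected.
    $systemDir = [Environment]::SystemDirectory
    $candidate = $result.GinaDLL
    if (-not [IO.Path]::IsPathRooted($candidate)) {
        $candidate = Join-Path $systemDir $candidate
    }
    $result.ResolvedPath = $candidate
    $result.FileExists   = Test-Path -LiteralPath $candidate -PathType Leaf
    $result.IsDefault    = ($result.GinaDLL -ieq 'msgina.dll') -or
                           ($result.ResolvedPath -ieq (Join-Path $systemDir 'msgina.dll'))

    if (-not $result.FileExists) {
        $result.Findings += "GinaDLL names a file that does not exist: $candidate"
        return [pscustomobject]$result
    }
    if (-not $result.IsDefault) {
        $result.Findings += "Non-default GinaDLL configured: $($result.GinaDLL)"
    }

    # Signature check: a replacement GINA should at least be validly signed by a
    # publisher you recognize; anything else goes on the review list.
    $sig = Get-AuthenticodeSignature -FilePath $candidate
    $result.Signature = $sig.Status.ToString()
    if ($sig.Status -ne 'Valid') {
        $result.Findings += "GinaDLL signature status is $($sig.Status); confirm before trusting"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $result.Findings += "GinaDLL signed by non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
    }

    return [pscustomobject]$result
}

# Usage: print the audit for the local machine.
Get-GinaDllAudit | Format-List
```

An empty Findings list with IsDefault set means the machine uses the stock msgina.dll. A value that names a file outside the system directory, a file that is missing, or a file not signed by Microsoft is the case to investigate, because that DLL runs inside Winlogon on the winlogon desktop and sees every password entered. Windows versions after 2000/XP no longer load GINA DLLs at all, so on those an unexpected GinaDLL value is inert but still indicates that someone wrote to this key.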
Is there any technology that can be used to replace the password?
One of the commonly used alternate authentication mechanisms is the smart card. A Windows NT/2000 station can be customized to perform authentication based on smart cards. In a typical scenario, the Windows station can treat the insertion of the smart card as the SAS. When the PIN entered by the user matches the one on the smart card, the user shell is activated. The station can be locked once the user removes the smart card. Such alternate systems will soon start to prevail. In the future, it may not be surprising to see a computer that uses a retinal scan to authenticate the user.
Conclusion
In this age of e-business, the data residing in a computer is more valuable than ever before. It is the responsibility of an operating system to provide highly secure access to its data. An extendable and customizable security system is one of the best ways to achieve that goal. Windows NT/2000, with its replaceable GINA, has a head start in the race to provide systems with enhanced security.