What is the Windows NT logon process?
The Windows NT logon process is the process by which operating systems belonging to the Windows NT family start up and log users on.
Operating systems Microsoft has released since Windows Vista use a slightly different logon architecture, but many of the steps of the Windows NT process are carried over.
The Windows NT logon process involves many steps; this blog post summarizes the most important steps and definitions.
The basic architecture of this process can be summarized as follows:
[Figure: A simplified Windows NT logon process]
Now let us look at what each section of the above flow diagram does in the Windows NT logon process.
Main sections of the logon process-
Security reference monitor-
The security reference monitor decides which subjects are authorized to access which objects. To do so it applies the operating system's access control policy.
A security reference monitor has four main parts:
1. Authorization database (the store of the security authorization policies that define what subjects may do to objects. For example, consider two users A and B, and suppose it has been predetermined that A can only read files, whereas B can both read and write files.)
2. Subject (the user or users of the system. In the above example, A and B are the users, or subjects.)
3. Object (a resource that is accessed through the operating system. For example, files such as MS Office documents are objects.)
4. Audit trail (the store of security-related events. For example, when user/subject A accesses a file, a record of that access is created. These records are appended to maintain the database of audit events.)
Two important properties of the security reference monitor are:
1. The security reference monitor should always be invoked (every access passes through it).
2. The security reference monitor should be tamper-proof.
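To make the four parts and the two properties concrete, here is a small model of a reference monitor with the post's example policy (A may only read, B may read and write). This is an added example written for this post, not Windows code: `ReferenceMonitor`, `FileObject`, `Access` and `run_scenario` are hypothetical names, and the file name and contents are constructed sample data. The authorization database is wrapped in a read-only view so it cannot be edited through the monitor, and every access, granted or denied, is written to the audit trail.

```python
from dataclasses import dataclass
from enum import Flag, auto
from types import MappingProxyType

# Hypothetical model of the four parts of a reference monitor (added example).


class Access(Flag):
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class AuditEvent:
    subject: str
    obj: str
    requested: Access
    granted: bool


class ReferenceMonitor:
    """Authorization database + audit trail behind a single check_access entry point."""

    def __init__(self, policy: dict) -> None:
        # Read-only view: the policy cannot be edited through the monitor (tamper resistance).
        self._authorization_db = MappingProxyType(dict(policy))
        self.audit_trail: list[AuditEvent] = []

    def check_access(self, subject: str, obj: str, requested: Access) -> bool:
        # Missing entry means no rights at all.
        allowed = self._authorization_db.get((subject, obj), Access(0))
        granted = (requested & allowed) == requested
        # Every decision, granted or denied, is recorded in the audit trail.
        self.audit_trail.append(AuditEvent(subject, obj, requested, granted))
        return granted


class FileObject:
    """An object whose every operation goes through the monitor (complete mediation)."""

    def __init__(self, name: str, monitor: ReferenceMonitor, content: str = "") -> None:
        self.name = name
        self._monitor = monitor
        self._content = content

    def read(self, subject: str) -> str:
        if not self._monitor.check_access(subject, self.name, Access.READ):
            raise PermissionError(f"{subject} may not read {self.name}")
        return self._content

    def write(self, subject: str, data: str) -> None:
        if not self._monitor.check_access(subject, self.name, Access.WRITE):
            raise PermissionError(f"{subject} may not write {self.name}")
        self._content = data


def run_scenario():
    """The post's example: A may only read, B may read and write (constructed data)."""
    monitor = ReferenceMonitor({
        ("A", "report.docx"): Access.READ,
        ("B", "report.docx"): Access.READ | Access.WRITE,
    })
    doc = FileObject("report.docx", monitor, "draft")
    outcomes = {}
    outcomes["A reads"] = doc.read("A")
    try:
        doc.write("A", "tampered")
        outcomes["A writes"] = "granted"
    except PermissionError:
        outcomes["A writes"] = "denied"
    doc.write("B", "final")
    outcomes["B writes"] = doc.read("B")
    return outcomes, monitor.audit_trail


if __name__ == "__main__":
    results, trail = run_scenario()
    print(results)
    for event in trail:
        print(event)
```

Note that the "always invoked" property is only as strong as the object's code: `FileObject` honours it because both of its operations call `check_access` before touching the data, and a new method that skipped that call would silently bypass the policy. That is why, in a real operating system, the monitor sits in the kernel rather than in each object.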
Security accounts manager-
When a user types a password at logon, whether an initial login or a subsequent one, the local security authority calls the security accounts manager.
The security accounts manager is a database that stores users' password hashes. It is used to authenticate local and remote users. Passwords are hashed when they are initially set, so the passwords themselves stay confidential and the integrity of the stored data is preserved.
Neither the operating system nor the security accounts manager needs to remember the plaintext password. On subsequent logins, when the user types a password, that password is hashed and the new hash value is compared with the stored hash value. The stored hash value lives in the password policy database; the security accounts manager is the component that consults the password policy database and applies the hash function to the subsequently entered password.
Depending on whether the password is valid, the login result is sent back to the local security authority.
Local Security Authority-
The Local Security Authority is a protected subsystem that authenticates and logs users on to a local system. The local security authority calls the different authentication packages stored within the system as needed. For example, the audit log is updated whenever a user logon succeeds or fails, and the user account database is consulted to check the validity of users trying to log on to the system.
Local security authentication can be of two types:
1. Interactive authentication
2. Non-interactive authentication
Interactive authentication
Interactive authentication happens when a user is prompted to supply logon information.
First, when a user presses the CTRL + ALT + DEL sequence (commonly referred to as the secure attention sequence, or SAS), Winlogon receives the SAS and calls a component of Winlogon called the GINA (Graphical Identification and Authentication, the logon GUI).
The user then types a username and password, and the GINA sends this data to the local security authority.
Here the GINA calls LsaLogonUser (which creates a new logon session if authentication succeeds) and specifies the authentication package that should evaluate the logon data. As shown in the figure, logon data is generally stored in authentication databases, and the two-way arrows show information being requested from and returned to the LSA.
Finally, the result travels back along the same path up to the GINA.
Put simply, this is what the user sees.
Non-interactive authentication
Non-interactive authentication occurs after an interactive authentication. It typically happens when a user who has already logged on to the local machine tries to connect to other machines on the network.
A special interface called the Security Support Provider Interface (SSPI) is used, and a secure network connection is established using a security package.
The basic flow diagram for non-interactive authentication is as follows:
This is what happens when a client or user wants to connect to another machine over the network.
First, the user (or the client application acting for the user) calls the SSPI to obtain an authenticated network connection.
The SSPI then passes this request to the SSP, or security package.
The SSP in turn calls the LSA and its authentication packages, which authenticate the user using the user's credentials.
The result travels back along the same path, and a success message or a logon screen is displayed to the user.
Therefore, both types of authentication are similar in structure, but the former authenticates a user to a single machine while the latter authenticates a user over a network.
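The following model ties the three sections above together: the security accounts manager that keeps only hashes and compares a freshly hashed password against the stored one, the local security authority that selects the authentication package, writes an audit event for every success or failure and creates a logon session, and the two entry points (the interactive SAS/Winlogon/GINA path and the non-interactive SSPI/SSP path) that both end at the same LSA call. This is an added example written for this post, not Windows code: `SecurityAccountsManager`, `LocalSecurityAuthority`, `interactive_logon`, `network_logon` and `demo` are hypothetical names, and the account "alice" and its password are constructed. One deliberate difference from the real SAM: the NT hash is an unsalted MD4 of the UTF-16LE password, whereas this model stores a salted PBKDF2-HMAC-SHA256 hash, so a stolen database cannot be reversed with a precomputed table.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the SAM / LSA logon path (added example, not Windows code).


@dataclass(frozen=True)
class SamRecord:
    salt: bytes
    pw_hash: bytes


class SecurityAccountsManager:
    """Stores only password hashes; the plaintext password is never retained."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._records: dict = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 instead of the real SAM's unsalted NT hash (a hardening choice).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt,
                                   SecurityAccountsManager.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = SamRecord(salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Hash anyway so an unknown user name costs the same time as a wrong password.
            self._hash(password, bytes(16))
            return False
        # Constant-time comparison of the new hash against the stored hash.
        return hmac.compare_digest(self._hash(password, record.salt), record.pw_hash)


@dataclass(frozen=True)
class LogonSession:
    user: str
    logon_id: str
    logon_type: str


class LocalSecurityAuthority:
    """Models LsaLogonUser: invokes the authentication package, records an audit
    event for every attempt, and creates a logon session on success."""

    def __init__(self, sam: SecurityAccountsManager) -> None:
        self._sam = sam
        self.audit_log: list = []

    def logon_user(self, user: str, password: str, logon_type: str) -> Optional[LogonSession]:
        ok = self._sam.verify(user, password)          # the authentication package
        self.audit_log.append({"event": "logon_success" if ok else "logon_failure",
                               "user": user, "logon_type": logon_type})
        if not ok:
            return None
        return LogonSession(user, secrets.token_hex(8), logon_type)


def interactive_logon(lsa: LocalSecurityAuthority, user: str, password: str):
    """Interactive path: SAS -> Winlogon -> GINA collects credentials -> LsaLogonUser."""
    return lsa.logon_user(user, password, "interactive")


def network_logon(lsa: LocalSecurityAuthority, user: str, password: str):
    """Non-interactive path: client -> SSPI -> SSP -> LSA and its authentication package."""
    return lsa.logon_user(user, password, "network")


def demo():
    sam = SecurityAccountsManager()
    sam.set_password("alice", "correct horse battery staple")   # constructed sample account
    lsa = LocalSecurityAuthority(sam)
    good = interactive_logon(lsa, "alice", "correct horse battery staple")
    bad = interactive_logon(lsa, "alice", "wrong password")
    net = network_logon(lsa, "alice", "correct horse battery staple")
    unknown = network_logon(lsa, "mallory", "anything")
    return good, bad, net, unknown, lsa.audit_log


if __name__ == "__main__":
    for item in demo()[:4]:
        print(item)
    for event in demo()[4]:
        print(event)
```

The audit log is the part a defender cares about most: a failed interactive logon and a failed network logon are both recorded with their logon type, which is exactly the distinction needed to tell a mistyped password at the console from a password-guessing attempt arriving over the network.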