To understand the Windows security vulnerability Secure Logins, we need to be well informed about the basic security building blocks of this operating system. Several components are interlinked to form the Windows security architecture. We are going to explain each of these components, and the part it plays in the security system, in depth.
Security Reference Monitor-SRM
This is a component that runs in kernel mode and is responsible for access checks, generating audit log entries and managing the privileges of users. Any task in the operating system that involves permissions is checked by the Security Reference Monitor, so that the security checks cannot be bypassed.
Local Security Authority-LSA
This component of the Windows security architecture runs as a user-mode process, usually named lsass.exe. Its main task is to enforce the local security policy in Windows; besides that, it is also tasked with issuing security tokens to users as they log in to the system. The policy that this component helps enforce includes:
- Password complexity and password expiration.
- Auditing: recording suspicious actions and analysing them in depth for any vulnerability.
- Setting privileges: assigning rights to accounts and the level of access they are allowed to operate within.
Security Account Manager-SAM
The Security Account Manager is a database that stores the account data and security details for local users and groups; by local we mean accounts that are not domain accounts. A Windows user can log on to their own computer with a local account or, with a domain account, to accounts managed centrally. During the login process the Security Account Manager service (SamSrv) takes the credentials the user entered and compares them with the values held in the SAM database, located under the Windows System32\config directory (much as /etc/passwd is used on Linux systems). Once the check is done and the credentials match, the system authenticates the user and lets them log on, assuming no other factor prevents it, such as a time restriction or the privileges set for the user. The function of the SAM is only to store the user credentials for comparison as a user logs in; the SAM does not perform the logon itself, which is the job of the LSA. In the SAM, passwords are stored in hashed form using the MD4 hash algorithm.
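To make the SAM comparison step concrete, here is an added example (not code from the original article or from Windows) that models it in Python. It computes the NT hash the way the SAM stores it, as MD4 over the UTF-16LE encoding of the password with no salt, keeps a constructed dictionary standing in for the SAM database, and checks an entered password by hashing it and comparing the hashes. The names `build_sam_store`, `verify_logon` and `same_hash_users` are illustrative helpers, not Windows APIs, and MD4 is implemented inline because the md4 digest is often missing from hashlib on modern OpenSSL builds.

```python
"""Illustrative model of how the SAM stores and checks password hashes.

Added example, not part of the original article. The user store is a plain
dict standing in for the SAM database; verify_logon and the other helpers
are constructed for this example, not real Windows APIs.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included because hashlib's md4 digest is
    frequently unavailable on current OpenSSL builds."""
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the bit length as a
    # 64-bit little-endian integer.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def F(x, y, z):
        return (x & y) | ((~x & MASK32) & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # (mixing function, additive constant, per-step shifts, message word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the register roles for the next step
        a0 = (a0 + a) & MASK32
        b0 = (b0 + b) & MASK32
        c0 = (c0 + c) & MASK32
        d0 = (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM: MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16le"))


def build_sam_store(accounts: dict) -> dict:
    """Constructed stand-in for the SAM database: username -> stored NT hash."""
    return {user: nt_hash(pw) for user, pw in accounts.items()}


def verify_logon(store: dict, user: str, password: str) -> bool:
    """Hash the entered password and compare it with the stored hash. The
    comparison is constant-time so timing does not reveal how many bytes matched."""
    stored = store.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, nt_hash(password))


def same_hash_users(store: dict) -> list:
    """Because NT hashes are unsalted, users who share a password share a hash.
    Listing such groups is a simple audit of weak password practice."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts for the demonstration (not real data).
SAMPLE_STORE = build_sam_store({"alice": "password", "bob": "password", "carol": "Winter2024!"})

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("alice, correct password:", verify_logon(SAMPLE_STORE, "alice", "password"))
    print("alice, wrong password:  ", verify_logon(SAMPLE_STORE, "alice", "Password"))
    print("accounts sharing a hash:", same_hash_users(SAMPLE_STORE))
```

The `same_hash_users` audit illustrates the practical consequence of the storage scheme described above: with no salt, two accounts with the same password produce byte-identical hashes, which is one reason the SAM database and lsass.exe memory are treated as highly sensitive and why their access is audited.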
Active Directory-AD
Active Directory refers to the Microsoft directory service included in Windows Server since 2000. A Windows client authenticates against Active Directory (AD) when the user logs in to a computer with a domain account rather than a local account; by domain account we mean an account hosted in the server environment, for which credentials and certain access levels have been provided to the user. As in the SAM case, the credentials entered by the user are sent securely across the network and authenticated, or approved, by the AD, and if the information is correct the login takes place. We use the term credential here rather than password because a user may have been given a different form of authentication to the Active Directory, such as a public and private key pair bound to a smart card; this is why many companies give their employees a card to use as a means of authenticating to the system.
WinLogon and NetLogon
WinLogon and NetLogon sound alike, but the difference is that WinLogon is responsible for handling the logon process at the keyboard, while NetLogon is responsible for handling logons across the network, that is, against the Active Directory.