Most concepts for administering Microsoft Windows NT assign a special role to the numerous configuration parameters of the OS while paying insufficient attention to defining the roles of the administrator and other privileged users. As a result, they do not take into account that even some routine user actions can threaten the security of the entire OS, not to mention administration errors or malicious actions aimed at breaking individual elements of the protection system.
Introduction
As is known, the way the Microsoft Windows NT security system functions (from here on, except where specified separately, this refers to version 4.0 with any Service Pack) is determined by a large number of settings and structural elements. When the OS is installed, these are set by default in such a way that protecting information is given a secondary role. This forces the user of the OS to choose independently one method or another of solving the information protection problem. The security policy adopted by the user plays an important role here, as does, if we look at the problem more broadly, the concept for increasing the effectiveness of Microsoft Windows NT protection.
It should be noted that most of the concepts known to the author (some of them are presented below) pay special attention to tuning the numerous OS parameters in order to bring its operation into line with certain formal requirements, and to testing that individual protection mechanisms work correctly. At the same time, in the author's view, insufficient attention is given to defining the roles of the administrator and other privileged users of the OS, to the rules of safe administration, and to the way the distributed components of the protection system interact. As a result, they do not take into account that even some routine user actions can threaten the security of the entire OS, not to mention administration errors or malicious actions.
This article presents a concept of safe administration of the OS, built with the described deficiencies in mind.
Some known attacks on Microsoft Windows NT
Let us examine attacks on Microsoft Windows NT whose purpose is to realize threats to the confidentiality or integrity of information. They can be divided into several groups.
* Attacks carried out against the authorization subsystem, using the following possibilities:
1. The possibility of obtaining access, directly or by booting another OS on the computer (for example, MS-DOS), to the SAM or SECURITY registry hives in order to subsequently modify the user authorization data stored in them.
2. The possibility of obtaining access, directly or by booting another OS on the computer, to the SAM or SECURITY registry hives in order to subsequently recover the user authorization data stored in them.
3. The possibility of modifying system software in order to substitute the authorization procedure.
4. The possibility of intercepting and analyzing network packets in order to recover user authorization data transmitted over LAN channels.
* Attacks carried out by illegally seizing privileges. By the breach in the protection system that they exploit, they can be divided into two groups.
1. Those that exploit the absence, in some OS functions, of a check for the privilege to debug system processes. The well-known program GetAdmin works on this principle. Although this problem is solved in Microsoft Windows NT 4.0 Service Pack 4, experience shows that there is no guarantee that similar breaches are absent.
2. Those that exploit the intruder's ability to substitute system communication channels (pipes) and thereby obtain the privileges of the users who access them. This approach is implemented in the program AdminTrap. The seizure of privileges occurs during remote editing of the OS registry or the audit log, during administration of a network printer, and in some other cases.
* Attacks carried out by introducing software implants or Trojan horses into the OS. In most cases, introducing an implant requires obtaining OS administrator rights or booting an operating system other than Microsoft Windows NT on the computer. By the level at which the implant is introduced into the OS, they can be divided into two groups.
1. Implants injected at the level of the OS kernel (kernel mode). These implants make it possible to modify the OS kernel code dynamically in the computer's memory and to access objects (files) without regard to the requirements of the access control system.
2. Implants injected at the user level of the OS (user mode). These implants make it possible to modify the user authorization procedure or to access objects (files) on behalf of the user with maximum rights (the rights of the SYSTEM user).
Since the domain architecture of the OS is taken below as the basis for building the information protection system, and taking into account the attacks described above, the following most vulnerable elements and data of the protection system in a Microsoft Windows NT domain can be identified:
* authorization data of workstation users, stored in the workstations' registries;
* authorization data of domain users, retained in the registries of the workstations from which they logged on to the domain;
* system software of workstations;
* authorization data of workstation users, transmitted over LAN channels;
* some routine actions of the domain administrator during direct or remote administration of workstations;
* some calls made to one another by the distributed components of the OS.
Model of the intruder
Before proceeding to examine the known concepts for increasing the effectiveness of Microsoft Windows NT protection and to present the concept of safe administration, let us define the model of the intruder.
Since computers in a Microsoft Windows NT domain have different roles (domain controller, server, workstation), it is inexpedient to assign the attacker to a single defined class. We will assume that on workstations, whose number can be large and whose security is therefore difficult to control, the intruder's capabilities correspond to the third class (the ability to influence how the protection system functions and its parameters). On domain controllers, which can realistically be fully protected from direct access by the attacker and from the attacker launching applications on them, we will assume that the attacker's capabilities correspond to the second class (the ability to access them remotely using programs that contain nonstandard functions).
Furthermore, it should be noted that in a concrete situation the intruder model can be refined.
Analysis of the known concepts for increasing the effectiveness of Microsoft Windows protection
The first concept for increasing the effectiveness of protection was proposed in 1996 by Microsoft itself. However, in addition to these requirements it was proposed to impose a substantial limitation on how the OS is configured, namely: computers running Microsoft Windows NT must be isolated, i.e., disconnected from local or global computer networks.
Certification of Microsoft Windows NT Workstation, Server version 3.5 U.S. Service Analyzing the settings indicated, one can conclude that Microsoft used the following concept for increasing the effectiveness of Microsoft Windows NT protection.
Providing security of Microsoft Windows NT in accordance with the requirements of TCSEC class C2 is possible: