A Comparison of the Security of Windows NT

and UNIX

Hans Hedbom, Stefan Lindskog,Stefan Axelsson and Erland Jonsson

Originally presented at the Third Nordic Workshop on Secure IT Systems, November 1998

http://www.ce.chalmers.se/staff/sax/nt-vs-unix.pdf

Presented by Clare West

Outline

• Introduction• Security Comparison

– Identification– Authentication– Networking

• Man-in-the-Middle Authentication Attacks on both Windows NT and UNIX

• Conclusion

Introduction

• “It has been claimed that the security of Windows NT is far better than that of previous commercial operating systems.”

• Compare NT with UNIX– Networked Windows NT 4.0– UNIX with NFS (Network File System)

and NIS (Network Information System)

Introduction cont.

• Windows NT– Released in 1992– Processes– Threads– Symmetric

multiprocessing– Distributed

computing– Object model to

manage resources

• UNIX– Released in ~1974– Processes– Threads– Symmetric

multiprocessing– Distributed

computing– File model to

manage resources

Identification

• Windows NT– Usernames– Numeric SID

(Security IDentifier)

– SID is unique to a Domain

– SIDs are never reused

• UNIX– Usernames– Numeric UID (User

IDentifier)– UID may not be

unique within an NIS domain

– UID may be reused

Authentication

• Windows NT– Passwords– Stored encrypted in

SAM (Security Account Manager). Only accessible to Domain Administrators

– Encrypted by DES and MD4

• UNIX– Passwords– Stored encrypted

in /etc/passwd or NIS (Network Information System). Accessible to any user.

– Encrypted by DES

Authenticating with a UNIX NIS Domain

Client yp_match response Server

Alice

alice:23:20:sCFNq7Qf8/kwg:Alice Cooper:/home/alice:/bin/tcsh

Client

Alice

Serveryp_match request

for alice’s passwd entry

The password supplied by Alice is encrypted and compared with the encrypted password in the passwd entry supplied by the NIS Server

Authenticating with a Windows NT Domain

Alice ServerRequest for Service

ServerAliceChallenge - random string

Alice ServerResponse - encrypted string

Alice encrypts her password and then uses this to encrypt the random string sent by the server.

The server encrypts the random string it sent with Alice’s encrypted password and compares this with her response.

Networking

• Windows NT– Logging by

computer name not IP address

– Trust placed in clients not acting maliciously

• UNIX– Address based

authentication– Trust placed in

clients not acting maliciously

A Man-in-the-middle Attack vs UNIX

Goal: Mallory impersonates Alice to the Client

Mallory prepares a yp_match response with the encrypted password of his choice

MalloryClient yp_match response

Mallory

alice:23:20:FdFNq7Qf85twg:Alice Cooper:/home/alice:/bin/tcsh

Client Server

yp_match request

Mallory

Mallory

for alice’s passwd entry

A Man-in-the-middle Attack vs NT

Goal: Mallory impersonates Alice to the Server

Challenge - random string (A)Mallory Server

AliceRequest for Service

Server

Mallory

Challenge - random string (A)MalloryAlice

Response - encrypted string (A)

Mallory

ServerAlice

Response - encrypted string (A)Mallory Server

Mallory ServerRequest for Service as Alice

Mallory waits for Alice to attempt to use the Server

Man-in-the-Middle AttacksResults

• Windows NT– Allows access to

the server as Alice– Mallory must wait

for Alice– Mallory can only

impersonate active users he can spy on

• UNIX– Allows access to

the client as Alice– Mallory can

attack at any time– Mallory can

impersonate any user

– Combined with NFS (Network File System) allows access to any file systems exported to the client as any user

Conclusions

• “…the security mechanisms of Windows NT are slightly better than those of UNIX”

• “…the two systems display a similar set of vulnerabilities”

• “…with the present way of installing and using the systems there seems to be no significant difference between their security level”

Question

• What System Security Threats are posed by the Man-in-the-middle attacks presented earlier?

Interception

Interruption

Modification

Fabrication