Windows -NT Logon Process.ppt.ppt

Security System Components Security Reference Monitor(SRM) -Component of the Windows NT executive (NTOSKRNL.EXE). Local Security Authority ( LSA) server - User-mode process responsible for the local system security policy. LSA policy Database - Database that contains the system security policy settings. Security Accounts Manager (SAM) server - Set of subroutines responsible for managing the database that contains the usernames and groups defined on the local machine or for a domain. SAM runs in the context of the LSASS process. SAM Database - Database that contains the defined users and groups along with their passwords and other attributes. Default Authentication package - A dynamic Link Library (DLL) named MSV1_0.DLL that runs in the context of the LSASS process. Logon Process - A user mode process running WINLOGON.EXE. Logon Process Local Machine Logon (1)Press ctrl+alt+delete keys together to display a logon dialog box Type the userid and password Press enter (2,3)The password is hashed and sent to the Local Security Authority (LSA) (4,5)The LSA makes a call to the MSV1_0 authentication package and compares the hash to the hash stored in the local SAM database . (6,7)The LSA creates an access token using the user’s account SID and group SIDs returned from the MSV1_0 authentication package (8,9)The NT Explorer Shell opens with the user’s access token attached Components involved in Logon Logon occurs through the interaction of the logon process (WinLogon), the LSA, one or more authentication packages, and the SAM. MSV1_0 is the Windows NT authentication package for interactive logon. WinLogon makes a call to the LSA to authenticate the user attempting to log on. If the user is authenticated , the logon process activates a logon shell on behalf of the user. Steps involved in Logon Logon begins when a user presses the Secure Attention Sequence(SAS) - Ctrl - Alt - Delete. Winlogon prompts for a username and password. Winlogon now calls the LSA,