Operating systems are the software that runs computer systems. Without operating systems, computer systems would not work effectively, and humans would find no use in them. Put simply, an operating system is a collection of software applications that facilitates the management of computer resources and gives computer applications an interface for interacting with hardware. Despite the importance of these systems in bridging the relationship between the user and the hardware, most commercial OSs have buggy code that is susceptible to security threats. Thus, building a trusted OS that can withstand all the security threats in the computing environment has been the goal of many vendors. This paper focuses on the distinctions and similarities between two of the most widely used operating systems, Linux and Microsoft Windows, from a security perspective. The security features, components and designs of the two systems are investigated in detail, pinpointing the major characteristics of each through a head-to-head comparison.
SECURITY MODEL
Security Reference Monitor (SRM)
Local Security Authority Subsystem
Lsass Policy Database
Authentication Packages
Graphical Identification and Authentication
Active Directory
Security Accounts Manager
Network Logon Service (Netlogon)
PAM Configuration File
Authentication module
Account Management Module
Password management module
Session management module
ACCESS TOKENS
PRIVILEGES AND USER RIGHTS
Operating systems are collections of applications, utilities and tools that manage computer hardware and provide common services for client application software. The operating system plays a crucial role among system software because it is the first to execute at boot time. Further, the OS runs all user application programs, giving them an interface for interaction with the hardware. Other uses of operating systems include, but are not limited to, the creation of threads, allocation of primary memory to applications, management of data storage and retrieval, control of I/O peripherals, hosting device drivers and provision of a multi-level safe execution environment.
One popular operating system is Microsoft Windows. It is a proprietary OS that is compatible with Intel-based PC architectures. Together, all the Windows versions make up 92% of the total net market share, making Windows the dominant operating system for PCs. Microsoft Corporation designs Windows, and its flagship products were originally add-ons for MS-DOS, which was the standard OS shipped on most Intel-based computers after 1985. Microsoft has experienced tremendous growth and expansion, with the most recent version for personal computers being Windows 8.1 and that for servers being Microsoft Server 2012.
Linux is an operating system that is based on a kernel component. It was designed by Linus Torvalds, and later extended and improved by a vast number of developers all over the world. It is accompanied by GNU, a software collection comprising software parts, utility tools and programs originally envisioned by Richard Stallman to develop a completely free and open OS from the Linux kernel. Hence the general name GNU/Linux for the combined product of the Linux kernel and the GNU software applications. GNU is open-source, and its use has resulted in the development of software known as Linux distributions, which include Debian, Red Hat, SuSE, Google Android and Ubuntu.
In the course of their use, operating systems such as Linux and Windows are faced with security vulnerabilities, flaws and bugs that impede their operations. To that effect, operating system manufacturers endeavor to eliminate the majority of the security challenges associated with the OS in order to deliver the most reliable and stable computing environment for users and application programs.
The focus of this paper is an analysis of the two operating systems, Windows and Linux, through their internal security models. This can only be achieved if the differences and similarities between their architectures, security designs, processes and algorithms are analyzed.
The differences in the way security parameters are handled in Windows and Linux can be analyzed in terms of identification, security model, access tokens, impersonation, access control lists, privileges and user rights, auditing, file system security and login or authentication.
SECURITY MODEL
The Windows security model combines user-mode and kernel-mode processes that work in unison to deliver, monitor and manage different OS security components. These components comprise:
Security Reference Monitor (SRM)
SRM is a kernel-mode component that implements security policies on the local computer by performing various functions that guard the operating system resources. These include run-time object protection and auditing, and manipulation of user rights and privileges.
Local Security Authority Subsystem
Lsass is a user-mode process (c:\Windows\System32\Lsass.exe) that is responsible for local security policy, user authentication and forwarding security audit messages to the log. Lsass implements most of its functionality in a dynamic-link library (Lsasrv.dll). Another Lsass-related security component is the policy database.
Lsass Policy Database
It is a collection of local security policy settings that are stored in the registry under HKLM\SECURITY. It includes such information as the access rights and permissions accorded to users, the domains entrusted to authenticate logins, the security audits to be performed and the nature of interactions with networks and logins.
Authentication Packages
These are the DLLs that run in the context of Lsass and enforce Windows authentication policies. An authentication DLL is responsible for checking whether the supplied username and password match and, if so, returning the security identity of the user to Lsass. Authentication packages in Windows include Kerberos and MSV1-1.
Graphical Identification and Authentication
GINA is a user-mode DLL that executes in the Winlogon process; Winlogon uses it to obtain a username and password or a smart card Personal Identification Number. The standard GINA is \Winnt\System32\Msgina.dll.
Winlogon is a user-mode process that responds to Lsass and is used for maintaining interactive logon instances. It creates the user's GUI shell process when a user logs on.
Active Directory
AD is a directory service comprising a database used to store object information in a domain. A domain can be viewed as a collection of computers and associated security groups that are managed as a single entity. AD records information about the objects in the domain, such as privileges, passwords, computers, users and groups. The Active Directory server is implemented as \Windows\System32\Ntdsa.dll and executes in the Lsass process.
Security Accounts Manager
SAM comprises services and databases and can be defined as a set of subroutines used to manage the usernames and groups contained in the database. The implementation is in a dynamic-link library (\Windows\System32\Samsrv.dll) and executes in the Lsass process. On systems that are not functioning as domain controllers, the SAM database is used to store the defined local users, together with their passwords and attributes. The SAM database is stored in the registry under HKLM\SAM.
Network Logon Service (Netlogon)
Netlogon, located at \Windows\System32\Netlogon.dll, performs authentication of account logon events, verifies logon requests and registers events in the domain. It also discovers domain controllers.
The Linux security model differs from that of Windows and comprises a collection of active processes, libraries and daemon services that secure the operating environment of the Linux kernel.
Pluggable Authentication Modules
The PAM library is the interface on which the functions for developing PAM-aware applications are based. It allows for authentication of users in the Linux OS.
PAM Configuration File
It is a text file used by system administrators to specify the authentication scheme for a specific application. The configuration information is saved either as a file in the /etc/pam directory or as a line in the /etc/conf configuration file.
Authentication module
It is a module made up of various authentication procedures, primarily used for creating authentication credentials, authenticating users and giving privileges to authenticated users.
Account Management Module
It is used to manage user accounts and determines whether a certain user has the privileges to enter the system. It creates a login session after successful authentication and is responsible for validating the expiry dates of the username or password.
Password management module
The module is responsible for password creation and related features, including resetting and changing passwords.
Session management module
A session has a beginning and an end. The session management module (SMM) manages the session's duration and is responsible for creating appropriate log entries for every session.
Windows and Linux exhibit different standards and designs, but in both the security features operate as independent components spread across kernel mode and user mode. The independent services and processes employed in each case are used by the OS to accomplish a number of activities such as logging, authentication, auditing and account management. This modularization yields more stability and makes the system easier to extend and update.
Identification is a method of uniquely classifying entities in the system. In this case, entities can be resources, processes, domains or users, among others.
In Windows, a SID is used for identification. It is a variable-length numeric value made up of a structure revision number, a 48-bit authority ID, a variable number of 32-bit sub-authority values that become the actual identity of the entity, and a relative identification value.
The SID number can be illustrated as follows:
The SID string marker indicates that the string is a SID, while the authority ID refers to who created the SID. The RID is the relative ID, an ID for the SID or an index. A RID of 1128 implies that the system has already created 1128 SIDs.
A SID is assigned to each user, network device or group during a login session. The Winlogon process is responsible for creating a unique SID for each interactive login instance.
In Linux, a user is identified by the username that is supplied when the user logs on to the system. Internally, the user is given a User Identification Number (UID) selected by the administrator at the time of account creation. In most instances, selecting a unique UID for each user is advised, though not compulsory. The mapping of usernames to UIDs is kept in the file /etc/passwd and managed by NIS. The root user is assigned UID 0 while other users are assigned incremental numbers. Each user should belong to one or more groups, each identified by a group identification number (GID).
The two operating systems use different naming systems, but both apply the concept of an ID to uniquely represent an identity. Both OSs generate IDs for login sessions, groups and individual users. One difference is the location of the IDs in the system. While Windows stores its SIDs in the registry under HKLM\Security, Linux stores its IDs in the /etc/passwd file.
ACCESS TOKENS
Access tokens are data structures that describe the security context of a given thread.
The information contained in a token in Windows includes the SID, the group SIDs and the default DACL of the user account associated with the process. When the user logs in successfully, the Winlogon process creates an initial token that represents the user and attaches it to the initial process, which by default is Userinit.exe. Every child process inherits a copy of the access token from its creator, so the whole user session runs under the same token. In other words, a copy of the access token is attached to every process and thread that executes on the user's behalf. A Windows access token has the following elements: the user's security identifier, SIDs for the groups to which the user belongs, an authentication SID that identifies the current logon session, the list of privileges held by the user, the SID of the primary group, the source of the access token, a flag specifying whether the token is primary or impersonation, restricted SIDs (optional) and the default DACL, among other characteristics.
Linux has a different token mechanism. Access tokens are data objects that are stored in memory. A token is attached each time a new process is spawned. Session management components take care of creating and attaching access tokens whenever a new process is initiated. The components of a Linux access token include the UID of the user account, the group ID of the primary group, the IDs of the groups to which the user belongs, and DACL entries that determine who is allowed access.
The similarity is that both OSs use the concept of access tokens. However, each adopts a different approach to implementing them. Linux uses DAC and MAC to restrict a particular process while Windows stores the restrictions in the access tokens. Linux access tokens are not restricted to entries as in the case of Windows. Further, Linux does not record inside the token itself whether it is a primary or an impersonation token; rather, the system automatically deduces which it is.
Impersonation is a security concept that allows a server application to temporarily play the role of the client with respect to access to secured objects.
On the Windows platform, impersonation is ingrained in the client-server programming model. Through impersonation, a server notifies the SRM that it intends to adopt the security profile of the client making a request for a resource. The server then continues to access the resources on behalf of the client while the SRM carries out the access validations.
For instance, in the figure below, client 1 obtains the right to access file X. The server, upon receiving a request to impersonate client 1, goes ahead and impersonates it. This impersonation involves substituting the server's access token with that of client 1. The impersonated access token tells the server that it has the right to access file X, and the server acquires permission to access it.
Impersonation in Linux is handled by two mechanisms, namely set-UID and set-GID. The executable files are marked for SUID or SGID execution. Execution is then conducted with the permissions of the file owner and not those of the current user.
Impersonation is designed differently on the Windows and Linux platforms. In Windows, the ability of the client to access a particular file is dictated by the ability of the server to substitute its access tokens. In Linux, the client executes with respect to the server's security irrespective of whether it has the right to perform the operation or not. Linux does not have the ability to access the disk but is linked to a server that possesses full privileges; the client can therefore easily access the disk via the server, leading to massive security breaches.
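Because a set-UID or set-GID file runs with its owner's identity rather than the caller's, administrators routinely inventory such files. The sketch below is an added example, not from the original paper; the function names are hypothetical and it only reads file metadata.

```python
import os
import stat


def set_id_bits(mode: int):
    """Return which set-ID bits are present in an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def assess(mode: int, owner_uid: int, owner_gid: int):
    """Describe the identity a file would run with; None if no set-ID bit."""
    bits = set_id_bits(mode)
    if not stat.S_ISREG(mode) or not bits:
        return None          # directories and plain files are out of scope
    return {
        "bits": bits,
        # Effective IDs come from the file's owner, not from the caller.
        "runs_as_uid": owner_uid if "setuid" in bits else None,
        "runs_as_gid": owner_gid if "setgid" in bits else None,
        "root_equivalent": "setuid" in bits and owner_uid == 0,
    }


def scan(root: str):
    """Walk a directory tree and list every set-UID/set-GID regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue                 # unreadable entry, skip it
            result = assess(st.st_mode, st.st_uid, st.st_gid)
            if result:
                findings.append((path, result))
    return findings


if __name__ == "__main__":
    for path, info in scan("/usr/bin"):
        print(path, info)
```

Comparing successive inventories highlights newly added set-UID files, which deserve review before they stay on the system.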
PRIVILEGES AND USER RIGHTS
A privilege is defined as the authority to execute an operation that leads to computer-wide changes rather than changes to a single component. User rights are privileges assigned to administrators and users in an OS security setting.
A privilege in Windows is a right to perform a particular activity, while a right manages the permissions on the account to which it has been assigned. User rights are always validated via logon requests. The LSA policy database contains the user and administrator rights, which are retrieved when a user attempts to log on to the system. The Windows local security editor lists all the privileges and rights available to a particular user account.
Another form of privilege in Windows is called Software Restrictions Policies. It allows administrators to exercise control and management of which features to enable and disable in their systems.
Linux uses Mandatory Access Control to implement privileges. MAC specifies the details that the user cannot control or is not permitted to control. In Linux, objects are labelled to show the sensitivity of their information. Access to objects is restricted based on this sensitivity.
Linux does not implement the concept of privileges independently, as Windows does via the LSA. Linux uses MAC to restrict access to objects. Further, Linux does not use software restrictions; rather, it uses separate daemons to perform security configuration for some applications.
Logon is a process of validating the user’s identity and is always done via username and password combinations.
In Windows, logon takes place via Winlogon, Lsass, SAM or other authentication packages. An example of a Windows authentication package is Kerberos for a domain. Winlogon relies on GINA to obtain the user's account name and password. The default GINA in Windows is Msgina. The NTLM2 protocol is the default standard for authentication. The default authentication package that executes this protocol is referred to as MSV1-0. The process of logon in Windows involves:
1. A user accesses a client computer and supplies the domain name, user name and password.
2. The computer computes the MD5 cryptographic hash of the password.
3. The client forwards the username to the server, and the server generates a 16-byte random number known as a challenge.
4. The client encrypts the challenge using DES with the hash of the user's password and returns the result to the server.
5. The server sends the username, the challenge and the client's response to the SAM.
6. The SAM server uses the username to retrieve the hash of the password from the SAM database. The decryption of the challenge is achieved through the use of the password hash. The SAM server compares the encrypted challenge with the client's response and grants access if they are identical.
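A simplified model of the challenge-response exchange in the steps above, added here as an illustration and not taken from the original paper or from Windows itself. It follows the steps as listed (MD5 of the password, a 16-byte challenge), substitutes HMAC-MD5 for the DES step because Python's standard library has no DES, and uses hypothetical names (Server, client_response); it is not wire-compatible with NTLM.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Step 2 as the text describes it: MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).digest()


def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Step 4: key the challenge with the password hash.
    HMAC-MD5 stands in for the DES encryption named in the text."""
    return hmac.new(pw_hash, challenge, hashlib.md5).digest()


class Server:
    def __init__(self, accounts):
        self.sam = dict(accounts)   # username -> password hash (SAM stand-in)
        self.pending = {}           # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        # Step 3: a fresh 16-byte random challenge per attempt, issued even
        # for unknown users so the reply does not reveal valid account names.
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        # Steps 5-6: recompute the response from the stored hash and compare.
        challenge = self.pending.pop(username, None)   # each challenge is single use
        stored = self.sam.get(username)
        if challenge is None or stored is None:
            return False
        expected = client_response(stored, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = Server({"alice": password_hash("correct horse")})  # constructed account
    c1 = server.issue_challenge("alice")
    r1 = client_response(password_hash("correct horse"), c1)
    valid = server.verify("alice", r1)
    server.issue_challenge("alice")            # new logon attempt, new challenge
    replayed = server.verify("alice", r1)      # old response no longer matches
    c3 = server.issue_challenge("alice")
    wrong = server.verify("alice", client_response(password_hash("guess"), c3))
    return {"valid": valid, "replayed": replayed, "wrong_password": wrong}


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire, but the stored hash is all a client needs to answer a challenge, so the hash database has to be protected as carefully as the passwords.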
In almost all Linux distributions, user information, including passwords, is stored in /etc/passwd. Because the /etc/passwd file is readable by all users, shadow passwords are used. With shadow passwords, the password field in /etc/passwd is replaced by an x while the user's real encrypted password is saved in /etc/shadow, which is readable only by the root user. Password encryption in Linux has shifted from the traditional crypt() to the MD5 hash algorithm to make things more difficult for password cracking software.
The Windows implementation of authentication is more secure but much more complicated. Windows uses HMAC-MD5, a stronger hashing function than MD5. Further, Windows uses the Advanced Encryption Standard in some instances. It is superior to Linux, which does not use any symmetric encryption algorithm. Finally, hashed elements are stored in SAM in Windows but in the /etc/passwd file in Linux.
This paper has explored the similarities and differences between the two common operating systems, Windows and Linux, with respect to security. Both OSs have been shown to have similar security concepts and mechanisms but different implementation approaches. The main differences are file system encryption and software privileges, which are available in Windows but absent in Linux. The analysis also revealed that Windows incorporates more security features within its kernel, the opposite of Linux, which concentrates more on user-mode processes.
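The UID mapping described earlier and the shadow-password arrangement described above can both be checked mechanically. The audit below is an added example, not from the original paper: the account data is constructed, the hash strings are placeholders rather than real digests, and the function and finding names are hypothetical.

```python
from collections import defaultdict

# crypt(3) scheme identifiers found between the first two "$" of a hash field
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

# Constructed sample files
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
toor:x:0:0::/root:/bin/sh
legacy:$1$saltsalt$PLACEHOLDERHASH:1001:1001::/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
toor:abPLACEHOLDER1:19000:0:99999:7:::
"""


def parse_passwd(text: str):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append({"name": fields[0], "pw": fields[1],
                        "uid": int(fields[2]), "gid": int(fields[3])})
    return entries


def audit_passwd(entries):
    findings, by_uid = [], defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("uid0-not-root", e["name"]))
        if e["pw"] != "x":   # credential material sits in the world-readable file
            findings.append(("password-field-not-x", e["name"]))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:   # accounts sharing a UID are the same user to the kernel
            findings.append(("shared-uid", ",".join(names)))
    return findings


def hash_scheme(field: str) -> str:
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "DES crypt"       # traditional crypt() output has no "$" prefix


def shadow_schemes(text: str):
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {row[0]: hash_scheme(row[1]) for row in rows}
```

Accounts still on MD5 or traditional DES crypt are candidates for a forced password change once a stronger scheme is configured.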