- The [Windows client authentication process](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication) involves multiple modules responsible for logon, credential retrieval, and verification
- LSA (Local Security Authority) is a protected subsystem that authenticates users, manages local logons, oversees all aspects of local security, and provides services for translating between user names and SIDs (security identifiers)
- Local interactive logon is handled by: the logon process (WinLogon), the logon UI process (LogonUI), credential providers, LSASS (Local Security Authority Subsystem Service), one or more authentication packages (DLLs responsible for performing authentication checks), and either the SAM (Security Accounts Manager) or Active Directory

![[images/Pasted image 20251007105700.png]]

## LSASS (local security authority subsystem service)

- Comprised of multiple modules and governs all authentication processes
- Located at `%SystemRoot%\System32\Lsass.exe` in the file system, it is responsible for enforcing the local security policy, authenticating users, and forwarding security audit events to the `Event Log`
- LSASS serves as the gatekeeper in Windows-based operating systems. Because it keeps credential material for logged-on sessions in memory, it is the classic target of credential-dumping tools; LSA Protection (`RunAsPPL` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) runs it as a protected process so that unsigned code cannot open a handle to read its memory

|**Authentication Packages**|**Description**|
|---|---|
|`Lsasrv.dll`|The LSA Server service both enforces security policies and acts as the security package manager for the LSA. It contains the Negotiate package, which selects either NTLM or Kerberos depending on which protocol the client and target can successfully use (Kerberos is preferred when a domain account and a reachable KDC are available, NTLM otherwise).|
|`Msv1_0.dll`|Authentication package for local machine logons that don't require custom authentication (NTLM and logons validated against the local SAM).|
|`Samsrv.dll`|The Security Accounts Manager (SAM) server: stores local security accounts, enforces locally stored policies, and exposes the SAM APIs.|
|`Kerberos.dll`|Security package loaded by the LSA for Kerberos-based authentication on a machine.|
|`Netlogon.dll`|Network-based logon service; on domain members it maintains the secure channel to a domain controller that is used for pass-through authentication.|
|`Ntdsa.dll`|The Directory System Agent (DSA). On domain controllers it is the core Active Directory Domain Services component that services directory requests against the `NTDS.dit` database.|

## SAM (security accounts manager)

- Database file in Windows that stores local user account credentials
- SAM is used to authenticate both local and remote (NTLM) users and uses cryptographic protections to prevent unauthorized access. User passwords are not stored in cleartext but as hashes in the registry, as `LM` and/or `NTLM` hashes. `LM` hash storage has been disabled by default since Windows Vista / Server 2008 (`NoLMHash` policy), so a modern system typically holds only the NT hash, which is an unsalted MD4 digest of the UTF-16LE encoded password
- SAM is located at `%SystemRoot%\system32\config\SAM` and is mounted under `HKLM\SAM`
- Viewing or accessing this hive requires `SYSTEM` level privileges: the file is held open while Windows runs and the registry ACL grants access only to `SYSTEM`. Local administrators reach it indirectly, for example by exercising `SeBackupPrivilege` (`reg save HKLM\SAM`) or by reading the file from a volume shadow copy
- To prevent offline cracking of the SAM, Microsoft introduced a feature in Windows NT 4.0 called `SYSKEY` (`syskey.exe`), which partially encrypts the SAM on disk: the password hashes of all local accounts are encrypted with a system-generated boot key. That boot key is derived from values in the `SYSTEM` hive, which is why offline hash extraction needs both the `SAM` and `SYSTEM` hives (and the `SECURITY` hive for LSA secrets and cached domain credentials)
- A Windows machine can be assigned to either a workgroup or a domain
    - If assigned to a workgroup, it handles the SAM database locally and stores all existing users in this database
    - If assigned to a domain, a domain controller validates domain credentials against the Active Directory database (`NTDS.dit`), which is stored at `%SystemRoot%\NTDS\ntds.dit`; the member's own SAM still exists and holds its local accounts

## Credential Manager

- Built-in Windows feature that allows users to store and manage credentials used to access network resources, websites, and apps
- These saved credentials are stored per user profile in the user's `Credential Locker` at
  `C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\` (domain and roaming credentials also land under `AppData\Roaming\Microsoft\Credentials\`). The blobs are DPAPI-protected with the user's master key, so they are decryptable in that user's context or with the recovered master key; `cmdkey /list` enumerates what is stored for the current user

![[images/Pasted image 20251007110815.png]]

## NTDS (new technology directory services)

- AD simplifies centralized management, allowing administrators to efficiently oversee all systems within their organization
- With AD, logon requests are sent to DCs within the same AD forest
- Each DC hosts a file called `NTDS.dit`, which is replicated between all writable DCs; [Read-Only Domain Controllers (RODCs)](https://docs.microsoft.com/en-us/windows/win32/ad/rodc-and-active-directory-schema) hold a read-only copy that by default does not contain account password hashes (only those permitted by the RODC's password replication policy are cached)
- Typically stored at `%SystemRoot%\NTDS\` on a DC
- `NTDS.dit` is a database file that stores AD info, including at least:
    - User accounts (username & password hash)
    - Group accounts
    - Computer accounts
    - Group policy objects
- As with the SAM, the hashes inside `NTDS.dit` are encrypted with a key derived from the boot key, so an offline extraction needs the `SYSTEM` hive from the same DC alongside `NTDS.dit`
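The SAM and NTDS sections above both say that what is stored is a password hash; the block below makes that concrete. It is an added example, not code from the page or from Microsoft: it computes the NT hash (unsalted MD4 over the UTF-16LE password) with a small RFC 1320 MD4 implementation, because `hashlib` on most modern builds no longer exposes MD4, renders an account in the `user:RID:LM:NT:::` shape that offline dumping tools print, and goes one step beyond the text by grouping accounts that share an NT hash, which is only possible because the hash is unsalted. The helper names (`nt_hash`, `sam_dump_line`, `shared_hashes`) and the sample accounts are constructed for the example; the `aad3b435b51404eeaad3b435b51404ee` constant is the LM hash of the empty password that appears in the LM field when `NoLMHash` is in effect.

```python
"""Worked example: what a Windows password hash in SAM / NTDS.dit actually is.

Added illustration, not code from the page. The NT hash is MD4 over the
UTF-16LE encoding of the password, with no salt. Python's hashlib usually
lacks MD4 (an OpenSSL "legacy" algorithm), so RFC 1320 is implemented here.
"""
import struct

_MASK = 0xFFFFFFFF
# Printed in the LM field by dumping tools when no LM hash is stored
# (NoLMHash policy): it is the LM hash of the empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_compress(state, block: bytes):
    """Process one 64-byte MD4 block (RFC 1320 rounds 1-3)."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):  # round 1, F = (b & c) | (~b & d)
        a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):  # round 2, G = majority(b, c, d), word order 0,4,8,12,1,...
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):  # round 3, H = b ^ c ^ d
        a = _rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & _MASK,
                  (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad to 56 mod 64, append little-endian bit length, compress."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored (after SYSKEY/PEK decryption) in SAM and NTDS.dit."""
    return md4(password.encode("utf-16-le")).hex()


def sam_dump_line(user: str, rid: int, password: str) -> str:
    """Render an account the way offline dumpers print it: user:RID:LM:NT:::"""
    return f"{user}:{rid}:{EMPTY_LM_HASH}:{nt_hash(password)}:::"


def shared_hashes(accounts):
    """Group usernames by NT hash. Because the hash is unsalted, password
    reuse across accounts is visible without cracking anything."""
    groups = {}
    for user, password in accounts:
        groups.setdefault(nt_hash(password), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = [("Administrator", "Password1"), ("svc_backup", "Password1"), ("guest", "")]
    for user, pw in sample:
        print(sam_dump_line(user, 500 if user == "Administrator" else 1001, pw))
    print("password reuse:", shared_hashes(sample))
```

Two things worth noticing when running it: the NT hash of an empty password is the well-known `31d6cfe0d16ae931b73c59d7e0c089c0`, so that value in a dump means "no password set", and two accounts with the same password produce byte-identical hashes, which is why one cracked hash or one pass-the-hash primitive often unlocks several accounts.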