Operating systems incorporating unix and windows pdf
In other words, it sets or changes the user's authentication data.

6. It also deals with creating the appropriate log entries for every initialized session.

[...] value selected by the system administrator at the time the [...] In most cases, selecting unique UIDs for each user is a good idea, though not strictly required. The [...] and is centrally managed by NIS. The super user, also known as root, has a UID equal to 0. Every user belongs to one or [...]
A group is identified with a group identification number or GID for short [11].

Head-to-Head Comparison
Although both systems have their own standards and design, they are both modularized in a way that their security components are sort of independent services and processes working in the kernel mode and in the user mode. These processes are used by the operating system to accomplish a specific task such as authentication, logging, enforcing policies, and account management.

Head-to-Head Comparison
Despite the difference in naming, both operating systems apply the concept of ID to uniquely identify an entity in terms of security context. Both systems generate IDs for the login session, users, and groups. The major difference resides in where each system stores its IDs. In Windows, SIDs are [...]

Entities can be users, resources, Windows processes, domains, LAN, etc. SID structure [...] revision number, a bit authority ID, and a variable number of bit sub-authority that compose the actual unique ID of the entity and a relative identifier RID value [13].

When a user logs on successfully, the Winlogon process creates an initial token representing the user, and attaches the token to the initial processes it starts, by default, the [...]
Figure 3 is an SID sample.

[Figure 3]

Because child processes by default inherit a copy of the access token from their creator, all processes in the user's session run under the same token. In other words, a copy of the access token is attached to every process and thread that executes on the user's behalf. Figure 4 depicts the access token data structure in Windows operating system [14].

The distinct difference is that unlike Windows which stores restrictions in the access token, Linux uses DAC and MAC to impose restrictions on a particular process. Linux's access token has no restrictions entries as for the case of Windows. Moreover, Linux does not store the type of the access token primary or impersonate inside the token itself; rather, according to the UID, the system can deduce if this token is primary or impersonate type.

[Figure 4. Windows access token]
[...] user creates a securable object without specifying a [...]

Linux
In the Linux operating system, access tokens are data objects stored in memory and attached whenever a new process is spawned. The session management component handles the creation and attachment of access token when a new process [...] Figure 5 represents the different elements of an access token in Linux-based systems.

Clients wanting to access a resource send a request to the server. Impersonation lets a server notify the SRM that the server is temporarily adopting the security profile of a client making a resource request. The server can then access resources on behalf of the client, and the SRM can carry out the access validations. Figure 6 illustrates the impersonation mechanism in Windows. First client 1 has the right to access file x. Therefore the server upon receiving request from client 1 [...] Now the server through its impersonated access token can recognize that client 1 has the right to access file x and thus permission is granted and server accesses file x.
[Figure 5. Linux access token]

[Figure 6]

Typically, certain services that require super user privileges are wrapped in a SUID-super user program, and the users of the system are given permission to execute this program. If the program can be subverted into performing some action that it was not originally intended to perform, serious breaches of security can result [13].

Head-to-Head Comparison
The design of impersonation in both systems is totally different. In Windows, a server can substitute its own access token by the access token of the client, then the server can decide whether the client has the right to access a particular file or not. However, in Linux, a client executes in the security context of the server whether or not that client has the right to perform a given operation.

[Figure 8. Windows DACL]

Each file or directory has a number of attributes, [...] breaches in security.
The UID of a file specifies its owner. Whenever a process attempts to access a file, the operations should be logged in the security audit log [7]. An object's owner, who is usually also the object's creator, has discretionary authority over who else may access that object. In other words, access rights are administered by the owner.

[Figure 7. Windows DACL]

Four types of ACEs can appear in a DACL: access allowed, access denied, allowed-object, and denied-object. The access-allowed ACE grants access to a user and the access-denied ACE denies the access rights specified in the access [...]

These ACEs specify which operations performed on the object by specific users or groups should be audited. Audit information is stored in the system Audit Log. Both successful and unsuccessful attempts can be audited. Figure 8 is an example of access validation.

Objects are tagged with labels representing the sensitivity of the information contained within. MAC restricts access to objects based on their sensitivity. Subjects need formal clearance or authorization to access objects [15].

Both Windows and Linux implement the concept of Access Control List; nevertheless, some differences exist between the two designs. Windows uses privileges and restrictions in order to enforce system policies such as denying a user from deleting or reading a system file; whereas, Linux uses [...]
Logging under Linux is done by an independent separate component.

User rights, also known as privileges, are assigned by administrators to individual users or groups as part of the security settings of the operating system.

Windows
In Windows, a privilege is the right of an account to perform a particular system-related operation, such as shutting down the computer or changing the system time or accessing the registry. An account right grants or denies the account to which it is assigned. User rights are always validated in response to logon requests. For this purpose, the Local Security Authority LSA retrieves account rights assigned to a given user from the LSA policy database at the time the user attempts to log on to the system [14]. Figure 9 shows [...]

[Figure: Windows software restrictions policy editor]

Linux
Linux uses Mandatory Access Control MAC to enforce privileges. MAC involves aspects that the user cannot control or is not usually allowed to control. Objects are tagged with labels representing the sensitivity of the information contained within. MAC restricts access to objects based on their sensitivity. Subjects need formal clearance authorization to access objects [12]. Additionally, Linux does not provide the concept of software restrictions; rather, it uses a separate daemon to perform sort of security configuration for specified applications.
It shows who accessed what, when, and how [18].

Windows
The Windows object manager can generate audit events as a result of an access check. Lsass maintains audit information on the local system, and it is configured with the local security policy editor secpol. In effect, Lsass sends messages to the SRM Storage Resource Management to inform it of the auditing policy at system initialization time and when the policy changes. Lsass is responsible for receiving the generated audit records, editing the audit records, and sending them to the event logger. The event logger then writes the audit record to the security event log.

[Figure 9. Windows local security policy editor]

Another form of privileges exist in Windows, they are called Software Restrictions Policies which enable administrators to control, manage, and disable features of the installed applications on their systems. Figure 10 shows the software [...]
Basically, audit records are put on a queue to be sent to the LSA as they are received; they are not submitted in batches. The audit records are moved from the SRM to the security subsystem in one of two ways. The audit records are copied from the address space of the SRM to the address space of the Lsass process. If the audit record is large, the SRM uses shared memory to make the message available to Lsass and simply passes a pointer in an LPC message [14].
Figure 11 illustrates the Windows audit complete mechanism.

[Figure: Windows audit mechanism]

[...] systems support a more comprehensive type of auditing known as C2 audit.

Head-to-Head Comparison
Both operating systems provide some auditing and logging features through different mechanisms and services. Conversely, Windows provides the System Access Control List or SACL which states what operation over what object should be logged.

Below is a list of steps involved in the Windows logon process:
1. A user accesses a client computer and provides a domain name, user name, and password.
2. The client computes a cryptographic hash HMAC-MD5 of the password and discards the plain text
3. The client sends the user name to the server in plaintext
4. The server generates a byte random number, called [...]