Security Support Provider Interface Explained

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSPs).[1] A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages (authentication protocols such as Kerberos or NTLM) available to applications through the same set of SSPI calls, so an application written against SSPI does not need protocol-specific code.

Providers

The following SSPs are included in Windows:

Comparison

SSPI is a proprietary variant of the Generic Security Services Application Program Interface (GSSAPI) with extensions and heavily Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NTLMSSP. For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix. Whether it works depends mainly on the mechanism negotiated: Kerberos tokens follow RFC 1964 and interoperate, whereas NTLM tokens are a Microsoft protocol that the Unix side must explicitly support.

One significant shortcoming of SSPI has historically been its lack of channel bindings, which made some GSSAPI interoperability impossible. Later Windows versions added channel binding support (the SEC_CHANNEL_BINDINGS buffer passed to InitializeSecurityContext and AcceptSecurityContext, used by Extended Protection for Authentication), so this gap is largely closed for modern Windows, but peers on older versions still cannot participate in channel-bound exchanges.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server thread can temporarily take on the security context of the authenticated client, so that the operating system performs all access control checks (for example when opening files) against the client's token rather than the service's own. Whether that is less or more privilege than the original service account has depends entirely on the client. In the traditional (GSSAPI) model, a server running under a service account cannot change its privileges and has to perform access control itself, in a client-specific and application-specific fashion. The obvious negative security implication of impersonation, namely that a compromised service which privileged clients connect to can act as those clients, is mitigated rather than eliminated: Windows restricts impersonation to accounts holding the SeImpersonatePrivilege (by default services and administrators), with further service hardening in Windows Vista.[11] A client can also limit its exposure by requesting a lower impersonation level (Identification lets the server learn who the client is without being able to act as them). Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run in the context of the root user account.
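The following is an added example, not code from the original page or from Microsoft: it runs a complete SSPI handshake over a loopback TCP connection using .NET's NegotiateStream (which wraps the Negotiate SSP, so Kerberos or NTLM is chosen for you), then shows the impersonation model described above by having the server act under the client's token. Both ends run in one PowerShell process; the empty target name is an assumption that forces NTLM on a standalone machine, and replacing it with a registered SPN (for example HOST/<server>) on a domain-joined machine makes AuthenticationType report Kerberos instead.

```powershell
# Added example: loopback SSPI (Negotiate) handshake plus server-side impersonation.
# Requires Windows and PowerShell 5.1 or 7; NegotiateStream is available by default.

# --- transport: a loopback TCP listener on an ephemeral port --------------------
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
$acceptTask = $listener.AcceptTcpClientAsync()   # server waits on a pool thread

$client = [System.Net.Sockets.TcpClient]::new()
$client.Connect([System.Net.IPAddress]::Loopback, $port)
$serverSocket = $acceptTask.Result

# --- SSPI: both sides wrap their raw stream in a NegotiateStream ----------------
$clientStream = [System.Net.Security.NegotiateStream]::new($client.GetStream(), $false)
$serverStream = [System.Net.Security.NegotiateStream]::new($serverSocket.GetStream(), $false)

# Assumption: empty target name -> Negotiate picks NTLM. Supply an SPN for Kerberos.
$targetName = ''
$creds = [System.Net.CredentialCache]::DefaultNetworkCredentials

# The client states the *maximum* impersonation level it will allow the server;
# the server states the *minimum* it requires. Lowering the client side to
# Identification is how a client refuses to let the server act on its behalf.
$clientTask = $clientStream.AuthenticateAsClientAsync(
    $creds, $targetName,
    [System.Net.Security.ProtectionLevel]::EncryptAndSign,
    [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$serverTask = $serverStream.AuthenticateAsServerAsync(
    $creds,
    [System.Net.Security.ProtectionLevel]::EncryptAndSign,
    [System.Security.Principal.TokenImpersonationLevel]::Impersonation)

# Drive the token exchange (InitializeSecurityContext/AcceptSecurityContext loop
# inside SSPI) to completion for both parties.
[System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]@($clientTask, $serverTask))

# --- what the server learned from the handshake ---------------------------------
$identity = [System.Security.Principal.WindowsIdentity]$serverStream.RemoteIdentity
"Client authenticated as : $($identity.Name)"
"Mechanism negotiated    : $($identity.AuthenticationType)"   # NTLM or Kerberos
"Impersonation level     : $($identity.ImpersonationLevel)"
"Signed+sealed channel   : $($serverStream.IsEncrypted -and $serverStream.IsSigned)"

# --- data flows through the SSPI-protected channel -------------------------------
$msg = [System.Text.Encoding]::UTF8.GetBytes('constructed message over a sealed SSPI channel')
$clientStream.Write($msg, 0, $msg.Length)
$clientStream.Flush()
$buf = New-Object byte[] 1024
$n = $serverStream.Read($buf, 0, $buf.Length)
"Server received         : $([System.Text.Encoding]::UTF8.GetString($buf, 0, $n))"

# --- impersonation: access checks now use the client's token --------------------
# Anything the server opens inside this block is checked against the client's
# rights, not the service's. Always revert in a finally block so a later request
# is never served under the wrong identity.
$ctx = $identity.Impersonate()
try {
    "Server thread now runs as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
} finally {
    $ctx.Undo()
}
"Server thread reverted to: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# --- cleanup --------------------------------------------------------------------
$clientStream.Dispose(); $serverStream.Dispose()
$client.Dispose(); $serverSocket.Dispose(); $listener.Stop()
```

Because client and server run as the same user here, the impersonated name will equal the original one; the point is the mechanism. Run the server half under a service account and the client half as a different user to see the access checks change, and note that the server can only call Impersonate() because the client allowed TokenImpersonationLevel.Impersonation; a client that passes Identification instead still authenticates, but Impersonate() then fails, which is the practical defence against the risk described above.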

Notes and References

  1. https://msdn.microsoft.com/en-us/library/aa380502.aspx SSP Packages Provided by Microsoft
  2. https://technet.microsoft.com/en-us/library/cc938854.aspx User Authentication - Security (Windows 2000 Resource Kit Documentation) : MSDN
  3. https://technet.microsoft.com/en-us/library/cc749438.aspx Kerberos Enhancements in Windows Vista: MSDN
  4. https://technet.microsoft.com/en-us/library/bb742431.aspx Windows 2000 Kerberos Authentication
  5. Windows Authentication. Windows Server 2008 R2 and Windows Server 2008 Documentation, Microsoft Docs, 2 July 2012 (retrieved 2020-08-05).
  6. https://technet.microsoft.com/en-us/library/cc766285.aspx TLS/SSL Cryptographic Enhancements in Windows Vista
  7. https://msdn.microsoft.com/en-us/library/aa380123.aspx Secure Channel: SSP Packages Provided by Microsoft
  8. https://msdn.microsoft.com/en-us/library/aa378745.aspx Microsoft Digest SSP: SSP Packages provided by Microsoft
  9. https://technet.microsoft.com/en-us/library/cc749211.aspx Credential Security Service Provider and SSO for Terminal Services Logon
  10. http://msdn.microsoft.com/en-us/library/ms809340.aspx#dcomtec_sec DCOM Technical Overview: Security on the Internet
  11. https://web.archive.org/web/20100402072054/http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx Windows Service Hardening: AskPerf blog, 2009-12-22 (archived 2010-04-02; original link dead)