in PowerPoint format
Download
Report
Transcript in PowerPoint format
Windows 2000 Security
Tom Bahnck
Active Directory
Kerberos Authentication Protocol
Encrypting File System
Access Token
Security Descriptors
Registry
5/4/2004
Active Directory
Organizes network resources into
directory-like heirarchy in order to
propogate access rights
Integrates Kerberos authentication
protocol
Domains, organizational units, groups,
objects, access tokens
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Ex. objects: user acct, cpu, printer, app, thread, semaphore
Consistent internal security policies
propogate from parent child
Policy settings assigned (1) at boot
time, (2) at sign-on time
Clearance checks done in kernel mode,
within security subsystem of Win2000
5/4/2004
Kerberos Authentication Protocol
At logon – Win2000 active directory
server sends ticket with client’s
credentials to Kerberos server
Kerberos server responds issuing
ticket-granting ticket (TGT), or key, to
user. Used to identify the client when
requesting network resources.
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Shared-secret authentication – only
client and Kerberos server know key
5/4/2004
Kerberos Authentication Protocol
Kerberos authentication process illustrated
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
5/4/2004
Source: Microsoft Corp. Windows 2000 Security Technical Overview.
Access Token
Security ID (SID) – guaranteed unique
for all users
Group SIDs – SIDs for groups to which
user belongs
Privileges – Access control entries
(ACEs) for secure services, e.g. backup
(ability to backup encrypted files),
create new token
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Access Control List (ACL) – key
Win2000 security entity for controlling
object access. Contains list of ACEs.
Propogates to all children processes
Win2000 clearance results cached
5/4/2004
Security Descriptors
Flags – descriptor metadata, verify SD
validity, origins of ACLs
Owner – group or user
System Access Control List (SACL) –
identifies which type of operations on
object should generate audits.
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Discretionary Access Control List
(DACL) – identifies users and actions
cleared for object. List of ACEs.
Access Control Entry (ACE) – SID &
access mask
5/4/2004
Security Descriptors
Access Mask
32 bits, describes security descriptor
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Source: Stallings, William. Operating Systems.
5/4/2004
Encrypting File System
NTFS dependent, encrypts selected files
and directories. Restricts access to
owner and admin.
Uses CryptoAPI public key and
symmetric encryption algorithms.
More info:
http://msdn.microsoft.com/library/default.asp?url=/library/enus/security/security/cryptoapi_system_architecture.asp
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
Encryption automatic on save,
decryption automatic on open. Built
into file system.
Low-level disk reading utility cannot
not rip information
Encryption/decryption key not issued
until user logon
5/4/2004
Registry
All registry keys have an ACL. Can
generate audits.
Contain many security keys
Example SID value:
Active Directory
Kerberos
Access Token
Descriptors
EFS
Registry
always begins with S
version
identifier authority (5 = NT Authority)
domain identifier (500 chars max)
relative identifier (acct or group)
5/4/2004
S-1-5-21-2857422465-1465058494-1690550294-500-0462
Sources
Honeycutt, Jerry. Microsoft Windows XP Registry Guide.
Redmond: Microsoft Press, 2003.
Note: WinXP built on code base of Win2000 – IP Security, Kerberos, EFS. See:
http://www.microsoft.com/windowsxp/pro/evaluation/whyupgrade/featurecomp.asp
Microsoft Corp. Windows 2000 Security Technical Overview.
Redmond: Microsoft Corporation, 2000.
Stallings, William. Operating Systems. 4th ed.
Upper Saddle River: Prentice-Hall, 2001.
5/4/2004
This presentation available at:
http://www.csc.villanova.edu/~tbahnck/w2k_security_prez.ppt