
Windows 2000 Security
Tom Bahnck
- Active Directory
- Kerberos Authentication Protocol
- Encrypting File System
- Access Token
- Security Descriptors
- Registry
5/4/2004
Active Directory
- Organizes network resources into a directory-like hierarchy in order to propagate access rights
- Integrates the Kerberos authentication protocol
- Domains, organizational units, groups, objects, access tokens
Ex. objects: user acct, cpu, printer, app, thread, semaphore
- Consistent internal security policies propagate from parent to child
- Policy settings assigned (1) at boot time, (2) at sign-on time
- Clearance checks done in kernel mode, within the security subsystem of Win2000
Kerberos Authentication Protocol
- At logon – Win2000 Active Directory server sends a ticket with the client's credentials to the Kerberos server
- Kerberos server responds by issuing a ticket-granting ticket (TGT), or key, to the user. Used to identify the client when requesting network resources.
- Shared-secret authentication – only the client and the Kerberos server know the key
Kerberos Authentication Protocol
Kerberos authentication process illustrated
Source: Microsoft Corp. Windows 2000 Security Technical Overview.
Access Token
- Security ID (SID) – guaranteed unique for all users
- Group SIDs – SIDs for the groups to which the user belongs
- Privileges – access control entries (ACEs) for secure services, e.g. backup (ability to back up encrypted files), create new token
- Access Control List (ACL) – key Win2000 security entity for controlling object access. Contains a list of ACEs.
- Propagates to all child processes
- Win2000 clearance results cached
Security Descriptors
- Flags – descriptor metadata; verify SD validity, origins of ACLs
- Owner – group or user
- System Access Control List (SACL) – identifies which types of operations on the object should generate audits.
- Discretionary Access Control List (DACL) – identifies the users and actions cleared for the object. List of ACEs.
- Access Control Entry (ACE) – SID & access mask
Security Descriptors
Access Mask (figure) – 32 bits, describes security descriptor
Source: Stallings, William. Operating Systems.
Encrypting File System
- NTFS dependent; encrypts selected files and directories. Restricts access to owner and admin.
- Uses CryptoAPI public key and symmetric encryption algorithms. More info:
http://msdn.microsoft.com/library/default.asp?url=/library/enus/security/security/cryptoapi_system_architecture.asp
- Encryption automatic on save, decryption automatic on open. Built into the file system.
- A low-level disk reading utility cannot rip information
- Encryption/decryption key not issued until user logon
Registry
- All registry keys have an ACL. Can generate audits.
- Contains many security keys
- Example SID value: S-1-5-21-2857422465-1465058494-1690550294-500-0462, read left to right:
  - always begins with S
  - version
  - identifier authority (5 = NT Authority)
  - domain identifier (500 chars max)
  - relative identifier (acct or group)
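The Access Token, Security Descriptors and Registry slides worked through together, as an added example that is not part of the original presentation: it parses a SID of the form shown above into revision, identifier authority, domain identifier and relative identifier, then runs a simplified NT-style DACL walk (deny ACEs reject on first match, allow ACEs accumulate rights) and a SACL audit check. The Win32 access-mask bit values are standard; the domain SID, RIDs and ACEs are constructed samples.

```python
"""Model of the slides' access check: a token (user SID + group SIDs) against
a security descriptor's DACL (ordered ACEs of SID + access mask) and SACL.
All SIDs and ACEs below are constructed samples, not real principals."""
from dataclasses import dataclass
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x1, 0x2, 0x10000  # Win32 mask bits
@dataclass
class Ace:
    kind: str  # "allow" / "deny" (DACL) or "audit" (SACL)
    sid: str
    mask: int
def parse_sid(sid):
    """Split 'S-<revision>-<authority>-<sub-authorities...>'; the last
    sub-authority is the relative identifier (account or group)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"malformed SID: {sid}")
    nums = [int(p) for p in parts[1:]]
    return {"revision": nums[0], "authority": nums[1],
            "domain": nums[2:-1], "rid": nums[-1]}

def access_check(token_sids, dacl, requested):
    """Walk the DACL in order: a deny ACE for a token SID that overlaps the
    request rejects it; allow ACEs accumulate rights until every requested
    bit is granted. A missing DACL (None) grants everything."""
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & requested == requested:
                return True
    return False

def audit_needed(token_sids, sacl, requested):
    """True when a SACL audit ACE names a token SID and covers a requested
    operation, i.e. this access attempt should produce an audit record."""
    return any(a.kind == "audit" and a.sid in token_sids and a.mask & requested
               for a in sacl)

# Constructed sample: a user in the domain shown on the Registry slide
DOMAIN = "S-1-5-21-2857422465-1465058494-1690550294"
TOKEN = {DOMAIN + "-1105", DOMAIN + "-513"}  # user SID + Domain Users group
DACL = [Ace("deny", DOMAIN + "-513", DELETE),
        Ace("allow", DOMAIN + "-513", FILE_READ_DATA)]
SACL = [Ace("audit", DOMAIN + "-513", DELETE)]
```

An empty DACL list denies everyone while `None` grants everyone, which is why a descriptor with no DACL at all is the setting to watch for when reviewing object permissions.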
Sources
Honeycutt, Jerry. Microsoft Windows XP Registry Guide. Redmond: Microsoft Press, 2003.
Note: WinXP is built on the code base of Win2000 – IP Security, Kerberos, EFS. See:
http://www.microsoft.com/windowsxp/pro/evaluation/whyupgrade/featurecomp.asp
Microsoft Corp. Windows 2000 Security Technical Overview. Redmond: Microsoft Corporation, 2000.
Stallings, William. Operating Systems. 4th ed. Upper Saddle River: Prentice-Hall, 2001.
This presentation available at:
http://www.csc.villanova.edu/~tbahnck/w2k_security_prez.ppt