Lektion 4 - TFE
Download
Report
Transcript Lektion 4 - TFE
5 Windows-Security Provisions 5
• User memory
– User programs and applications
User mode memory
LSA
Win32 Subsystem
Kernel mode memory
Device drivers
Hardware
• LSA Local Security Authority
– Security validation
• Win32 Subsystem
– Access to hardware
• Kernel mode memory
– Windows kernel (OS)
– Device drivers
Windows Security Features
•
Internet Connection Firewall
ICF
– Personal Firewall. Secures a single system. Loggs
•
Session Initiation Protocol
SIP
– Provides a secure pathway for real time applications.
•
•
Blank password restrictions
Software restriction policies
– Software can be isolated using
•
•
•
•
Users and Groups as in W2K
Access Control List as in W2K
Auditing for all objects
User rights
GPO
ACL
SACL
– Permission to perform an action.
•
Group Policy Object
–
–
–
–
Are used to control security features
There are templates
GPMC (Group Policy Management Console from MS)
Gpupdate /?
GPO
Security Features Cont.
•
•
•
•
New technology File System as in W2K
Encrypting File System
Kerberos authentication
Virtual Private Network
NTFS
EFS
VPN
– PPTP, L2TP, IPSec
•
•
•
•
•
•
Public Key Infrastructure and Certificate service
Delegation per OU-basis
External Authentication
C2-security
Active Directory
CryptoAPI
PKI & CA
• Microsoft Internet Security and Acceleration Server
ISA-server
– Firewall
– Cache
AD
Securing applications
IIS ‘problem’
• Web-server (‘Stand-alone’)
– HTML
– Server-side processing
– Scripting Languages
– Database connectivity
– Other dynamic contents
• FTP-server (‘Stand-alone’)
– Clear text password
Securing applications: Web
• Use Patches and fixes
• Remove the default site
• Remove all the extension mappings that
you don’t need.
• Change the ODBC settings in registry
HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode to a value
of 3 (Default is 2)
• Move the wwwroot directory to another drive
then OS
Securing applications:
FTP
• Work as you do with the Web security
Mail
• Use Cryptography if it’s possibly (SSL, VPN, IPSec, …)
• Use SPAM-filter
DNS
• Use External & Internal DNS if possible.
• Lookout for Record poisoning.
– Dynamic updates
– Cache poisoning
• Lookout for Zone transfers.
Limit Zone transfer and DNS updates.
Securing Web & E-mail Using SSL & TSL
• SSL (Secure Sockets Layer)
– CPU-intensive (2-100 times slower)
– Only TCP
• TSL (Transport Layer Security)
– Makes a tunnel for communication
• HTTPS (port 443)
– MS IIS (Web-server) with SSL
• Windows SMTP service with SSL
Certificate Service Windows
•
Two types:
1. Enterprise (require AD)
Computers in the AD will trust the root CA
2. Stand-alone (basic type)
Does not support logon certificates.
Certificate requests are set to pending and
admin has to issue the certificate.
For use in a Stand-alone server.
Certificate Service Windows
1. Install Certificate service.
2. Configurate CA (Certificate
Authority).
3. Set up the policy (CRL and so on).
4. Create Certificate templates.
5. Enable Certificate templates.
6. Certificate enrollment.
IPSec
IPSec ’works’ on layer 3. =>
under TCP, UDP, ICMP,… =>
Transparent for applications! =>
Will protect every application as:
Remote login, Client/server, email, FTP,
Web and so on.
There is special hardware from Intel, 3com,
Cisco, and other, just to unload the IPSec
processing from the CPU.
IPSec
Two protocols:
– AH
– ESP
Authentication Header
Encapsulated Security Payload
Two modes:
– Transport mode
– Tunnel mode
IKE – Protocol for connecting
Creates SA Security Association
(Key, Used protocol, Destination IP…)
If you want duplex you need two SA’s
SPI – Holds used SA (SPI=32bit value in every IP-header)
Anti-replay service 0-(32bitar-1) window=64
Intrusion Detecting System IDS
Tar vid där FW slutar på “insidan” och
övervakar trafiken innanför.
• I samma dator som känsliga data
• Nätverksbaserat – Ett antal agenter som
samlar data till en central som analyserar.
Två Principer:
1. Anomali-detektion.
2. Missbruks-detektion.
(IDS kan fungera enligt båda men vanligast bara som en av
principerna)
I
P
http://www.snort.org/
Intrusion Detecting System IDS
1. Noggrann statistik över “normalt” beteende.
•
Larm om något ovanligt inträffar.
•
•
Sällan använda anrop.
Extremt mycket trafik.
- Risk för falsklarm
+ Angreppsmetod behöver inte var känd.
2. Larmar på kända typer av attacker
- Stor ‘databas’ krävs, måste uppdateras ofta.
+ Falsklarm ovanligt.
Time
• W2K*, W2K, XP uses Windows Time
Service, the time comes from the ADserver and the KDC (Kerberos Key
Distribution Center) there.
(KDC also includes Authentication Server and Ticket Granting Server)
• Kerberos uses SNTP (Simple Network
Time Protocol) for synchronization.
Stratum
http://www.sp.se/metrology/timefreq/eng/tandf.htm
~100
Stratum1
Stratum1
Stratum1
Stratum1
~100 Stratum2
Stratum2
Stratum2
Stratum2
Vanlig
server
• net time /setsntp: serverlist
”ntp1.sp.se ntp1.sth.netnod.se”
• net time /querysntp
• Justera den egna
klockan
• Beräkna driften av
den egna klockan
The end !
*VPN Virtual Private Network
L2TP, PPTP
*Microsoft ISA
(Internet Security and Acceleration Server)
Firewall/Cache
Mer
• Vulnerability
(Sårbarheter,säkerhetshål/Svagheter)?