
Windows 2000 Security

Windows 2000 Security. Tom Bahnck. Active Directory Kerberos Authentication Protocol Encrypting File System Access Token Security Descriptors Registry. 5/4/2004. Active Directory. Active Directory Kerberos Access Token Descriptors EFS Registry.


Presentation Transcript


  1. Windows 2000 Security
  Tom Bahnck
  • Active Directory
  • Kerberos Authentication Protocol
  • Encrypting File System
  • Access Token
  • Security Descriptors
  • Registry
  5/4/2004

  2. Active Directory
  • Organizes network resources into a directory-like hierarchy in order to propagate access rights
  • Integrates the Kerberos authentication protocol
  • Domains, organizational units, groups, objects, access tokens. Ex. objects: user acct, cpu, printer, app, thread, semaphore
  • Consistent internal security policies propagate from parent to child
  • Policy settings assigned (1) at boot time, (2) at sign-on time
  • Clearance checks done in kernel mode, within the security subsystem of Win2000

  3. Kerberos Authentication Protocol
  • At logon – the Win2000 Active Directory server sends a ticket with the client’s credentials to the Kerberos server
  • The Kerberos server responds by issuing a ticket-granting ticket (TGT), or key, to the user. Used to identify the client when requesting network resources.
  • Shared-secret authentication – only the client and the Kerberos server know the key

  4. Kerberos Authentication Protocol
  [Figure: Kerberos authentication process illustrated. Source: Microsoft Corp. Windows 2000 Security Technical Overview.]
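The shared-secret logon exchange from slide 3, as an added example that is not part of the presentation or of Microsoft's code: a toy HMAC-based sealing stands in for Kerberos encryption, and the message layouts, principal names and timestamp are constructed for the model, not Kerberos 5 formats.

```python
# Added example (not from the slides or Microsoft): a simplified model of the
# shared-secret logon exchange. Toy HMAC-based sealing stands in for Kerberos
# encryption; message formats are constructed, not Kerberos 5.
import hashlib, hmac, json, os

def derive_key(password):
    # Long-term client key: both the client and the KDC can compute it from
    # the password, so a message sealed under it proves knowledge of the secret.
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication service: holds every principal's key plus its own TGS key."""
    def __init__(self, principals):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)   # never leaves the KDC

    def as_exchange(self, principal, preauth):
        # Pre-authentication: only a holder of the shared key could have sealed this.
        unseal(self.keys[principal], preauth)["timestamp"]
        session = os.urandom(32).hex()
        # The TGT is opaque to the client: it is sealed under the KDC's own key.
        tgt = seal(self.tgs_key, {"client": principal, "session": session})
        return tgt, seal(self.keys[principal], {"session": session})

def client_logon(kdc, principal, password):
    """Client side: prove the password, receive the TGT and the session key."""
    key = derive_key(password)
    tgt, enc = kdc.as_exchange(principal, seal(key, {"timestamp": 1083628800}))
    session = unseal(key, enc)["session"]   # raises ValueError on a wrong password
    return tgt, session
```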

  5. Access Token
  • Security ID (SID) – guaranteed unique for all users
  • Group SIDs – SIDs for groups to which the user belongs
  • Privileges – access control entries (ACEs) for secure services, e.g. backup (ability to back up encrypted files), create new token
  • Access Control List (ACL) – key Win2000 security entity for controlling object access. Contains a list of ACEs.
  • Propagates to all child processes
  • Win2000 clearance results cached

  6. Security Descriptors
  • Flags – descriptor metadata, verify SD validity, origins of ACLs
  • Owner – group or user
  • System Access Control List (SACL) – identifies which types of operations on the object should generate audits.
  • Discretionary Access Control List (DACL) – identifies users and actions cleared for the object. List of ACEs.
  • Access Control Entry (ACE) – SID & access mask

  7. Security Descriptors
  [Figure: Access Mask – 32 bits, describes security descriptor. Source: Stallings, William. Operating Systems.]
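How the access token of slide 5 is evaluated against the security descriptor of slides 6 and 7, as an added example that is not from the presentation: the ordered DACL walk, the role of the access mask, and why a deny ACE listed before an allow ACE wins. The access-mask bit values and every SID are constructed for the model.

```python
# Added example (not from the slides): a model of how an access token is checked
# against a security descriptor's DACL. The access-mask bit values and all SIDs
# below are constructed for the model, not real Windows constants.
from dataclasses import dataclass

FILE_READ, FILE_WRITE, FILE_EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000

@dataclass
class ACE:
    kind: str    # "allow" or "deny"
    sid: str     # trustee: user or group SID
    mask: int    # access mask: the rights this ACE grants or denies

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: "list | None"   # ordered ACEs; None means the object is unprotected
    # (the SACL drives auditing only, so it plays no part in this check)

@dataclass
class AccessToken:
    user_sid: str
    group_sids: frozenset

def access_check(token, sd, desired):
    """Walk the DACL in order against every SID in the token.

    A deny ACE matching the token that covers a still-outstanding right refuses
    the request at once, so ACE order matters; allow ACEs accumulate rights.
    """
    if sd.dacl is None:          # missing DACL: nothing to enforce
        return True
    sids = {token.user_sid} | set(token.group_sids)
    remaining = desired          # bits not yet granted
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0        # empty DACL grants nothing

# Constructed sample: Domain Users may read and execute, but a deny ACE listed
# first blocks writes and deletes for the same group.
USERS, ALICE = "S-1-5-21-1000-2000-3000-513", "S-1-5-21-1000-2000-3000-1104"
SAMPLE_SD = SecurityDescriptor(owner=ALICE, dacl=[
    ACE("deny", USERS, FILE_WRITE | DELETE),
    ACE("allow", USERS, FILE_READ | FILE_WRITE | FILE_EXECUTE),
])
SAMPLE_TOKEN = AccessToken(ALICE, frozenset({USERS}))
```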

  8. Encrypting File System
  • NTFS dependent, encrypts selected files and directories. Restricts access to owner and admin.
  • Uses CryptoAPI public key and symmetric encryption algorithms. More info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptoapi_system_architecture.asp
  • Encryption automatic on save, decryption automatic on open. Built into the file system.
  • Low-level disk reading utility cannot rip information
  • Encryption/decryption key not issued until user logon

  9. Registry
  • All registry keys have an ACL. Can generate audits.
  • Contain many security keys
  • Example SID value: S-1-5-21-2857422465-1465058494-1690550294-500-0462
    – always begins with S
    – version identifier
    – authority (5 = NT Authority)
    – domain identifier (500 chars max)
    – relative identifier (acct or group)
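A parser for the textual SID layout the slide breaks down (S, revision, authority, domain sub-authorities, relative identifier), as an added example that is not from the presentation. The well-known names are documented Windows values; the SID in the test data is constructed, and the parser follows the canonical string form (decimal fields without leading zeros).

```python
# Added example (not from the slides): parse the textual SID layout
# S-<revision>-<authority>-<sub-authorities...>-<RID>. Well-known names are
# documented Windows values; any SID fed to this code is the caller's sample.
import re

# Canonical form: decimal fields, no leading zeros.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-(?:0|[1-9]\d*))+)$")
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System",
              "S-1-5-32-544": "BUILTIN\\Administrators"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users"}

def parse_sid(text):
    """Split a SID string into its fields; raises ValueError if malformed."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > 15:             # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities")
    # Domain (and local machine) account SIDs: S-1-5-21-<3 x 32-bit>-<RID>
    is_domain = authority == 5 and subs[0] == 21 and len(subs) == 5
    rid = subs[-1]
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": AUTHORITIES.get(authority, "unknown"),
        "domain": subs[:-1] if is_domain else [],
        "rid": rid,
        "name": WELL_KNOWN.get(text) or (DOMAIN_RIDS.get(rid) if is_domain else None),
    }

def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False
```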

  10. Sources
  Honeycutt, Jerry. Microsoft Windows XP Registry Guide. Redmond: Microsoft Press, 2003. Note: WinXP built on code base of Win2000 – IP Security, Kerberos, EFS. See: http://www.microsoft.com/windowsxp/pro/evaluation/whyupgrade/featurecomp.asp
  Microsoft Corp. Windows 2000 Security Technical Overview. Redmond: Microsoft Corporation, 2000.
  Stallings, William. Operating Systems. 4th ed. Upper Saddle River: Prentice-Hall, 2001.
  This presentation available at: http://www.csc.villanova.edu/~tbahnck/w2k_security_prez.ppt
