
Windows 2000 Security


Presentation Transcript


  1. Windows 2000 Security
  Yingzi Jin

  2. Introduction
  • Active Directory
  • Group Policy
  • Encrypting File System

  3. What is a Directory Service
  • A directory is an information source used to store information about objects.
  • Users want to find and use these objects.
  • A directory service makes the information available and usable to the users.

  4. What is Active Directory
  • Essential and inseparable part of the Windows 2000 network architecture.
  • Provides a directory service for a distributed networking environment.

  5. Active Directory - Structure
  • Tree structure made up of objects and containers.
  • Objects represent network resources:
    • users, groups, devices, applications
  • Containers represent organizations or collections of related objects:
    • marketing department, printers

  6. Active Directory Security
  • An access-control list (ACL) protects all objects in AD.
  • An ACL is stored as a binary value, called a security descriptor.
  • Every object in AD is protected by its own security descriptor.

  7. Active Directory - Authentication
  • Several options for user authentication:
    • Kerberos: verifies the client's right to access the network and authenticates the server to the client.
    • Public Key Infrastructure (PKI): normally used to authenticate external users.

  8. Group Policy
  • New capability in Win2K.
  • Defines, manages, and enforces the environment settings for both computer and user objects.
  • Integrates with AD and can be assigned to AD sites, domains, and organizational units (OUs).
  • Settings are contained in Group Policy Objects (GPOs).

  9. Security-related Policies
  • Account policies - password policies
  • Local policies - audit policy
  • File system - permissions for folders and files
  • System services - permissions for system services

  10. Group Policy Objects (GPOs)
  • Contain a set of "rules".
  • Used to specify account and password settings, audit capabilities, etc.
  • Can be applied to Windows 2000 sites, domains, or OUs.

  11. Active Directory and Group Policy
  • Group Policy Objects are created to set the rules that govern the domain.
  • A Default Domain Policy GPO sits at the highest level.
  • Additional GPOs can be created and applied for each "child OU".

  12. Implement Group Policy
  • Account policies are domain-wide.
  • GPOs for account settings defined on lower-level OUs will not apply to domain users.
  • No Override and Block Inheritance settings.
  • Policy is processed in a hierarchy:
    • Local GPOs
    • GPOs applied to sites
    • GPOs applied to the domain
    • GPOs applied to OUs

  13. Encrypting File System
  • Integral part of the new NTFS file system.
  • Users can encrypt/decrypt files on the fly to protect sensitive data from unauthorized access.
  • Uses a combination of symmetric-key and public-key encryption.

  14. Encrypting File System
  • A random file encryption key (FEK) is generated for each file.
  • The file is encrypted with the FEK using DESX.
  • The FEK is encrypted with the user's public key.
  • Decryption uses the user's or the recovery agent's private key to recover the FEK.

  15. Encrypting File System
  • Protects sensitive files and folders.
  • Encrypting a directory/folder encrypts all files subsequently created in it.
  • EFS does not cache any of the keys on the hard disk.
  • EFS does not encrypt required system files and folders.

  16. Encrypting File System
  • EFS needs a strong password policy.
  • A Windows 2000 user can delete files encrypted by another user.
