180 likes | 387 Vues
FORE SEC Academy Security Essentials (V). Windows Security. Agenda. Chapter 25 : The Windows Security Infrastructure Chapter 26 : Permissions and User Rights Chapter 27 : Security Templates and Group Policy Chapter 28 : Service Packs, Hotfixes, and Backups
E N D
FORESEC AcademySecurity Essentials (V) Windows Security
Agenda • Chapter 25: The Windows Security Infrastructure • Chapter 26: Permissions and User Rights • Chapter 27: Security Templates and Group Policy • Chapter 28: Service Packs, Hotfixes, and Backups • Chapter 29: Securing Windows Network Services • Chapter 30: Automation and Auditing
FORESEC AcademySecurity Essentials (V) The Windows Security Infrastructure
Windows Operating Systems • Windows 9x/Me • Windows NT • Windows 2000 • Windows XP • Windows 2003
Windows 9x/Me (1 of 2) • Not designed for security and cannot be secured, period. - No filesystem security - Can't really require initial logon - Weak authentication protocol (LM) - Extremely vulnerable to DoS attacks - Virtually no logging capabilities - Prone to lock-ups and crashes - Boot into other OS to circumvent everything
Windows 9x/Me (2 of 2) But if you’re stuck with 9x/Me, then: - Use them as “thin clients” to Terminal Services or Citrix servers - Keep all mail on Exchange Server, not in local personal storage files (.PST) - Store all documents on servers - Install ADCE for NTLMv2 support
Windows NT 4.0 • Windows NT is dead, Dead, DEAD. • Service Pack 6a is the last one. • Was at least intendedto be secure: -User-based access control - Domain controllers, trusts, and single sign-on - NTFS and NTLM - Detailed logging - Protected memory spaces in OS - VMS pedigree
Windows 2000 (1 of 2) It's more like Windows NT version 9.0: - Active Directory - Group Policy - Kerberos - IPSec - PKI & Smart Cards - EFS - Scriptability & CMD Tools
Windows XP • A better Windows 2000 Professional... • XP Professional vs. Home Edition • Only with XP Professional: - Ability to join a domain - Encrypting File System - Editable file ACLs - Remote Desktop support - Roaming user profiles - Dual CPU support
Windows Server 2003 (1 of 3) • Successor to Windows 2000 Server - Not intended for desktops. - Mostly an incremental upgrade to Win2000. - Scalability and fault-tolerance enhancements. • Cross-forest trusts. • You can mix-and-match your Windows 2000and 2003 Servers fairly easily.
Windows Server 2003 (3 of 3) • Windows Server 2003 Web Edition - Dedicated-purpose operating system - Not available through retail channels. - Intended for ISP.s and ASP.s. - Intended for turn-key hardware appliances. • Only supports two 32-bit CPUs and no more than 2 GB of RAM. (Why???) • Probably better off with Standard Server...
Workgroups (1 of 3) • Users are typically local administrators of • their own machines. • A “workgroup administrator” simply has • a separate administrative account on • every machine. • Workgroups tend to be small, e.g., less • than 100 boxes. • You can have stand-alones or entire • workgroups in the midst of domain • members, e.g., IIS servers on a service • subnet. • No domain controllers! • Stand-alone computers only. • Local accounts and local accounts • databases only. - Permissions can be assigned • to local users and groups only. - Local groups cannot have • users from other machines. - User names may be identical • across machines, but their • SIDs are different (more on • this in just a moment).
Workgroups (2 of 3) • Benefits of workgroups: - Conceptual simplicity. - Lower initial cost. - Each computer protects itself. - Each user is typically an administrator of his or her own machine, allowing personal creative expression and joy.
Workgroups (3 of 3) • Drawbacks of workgroups: - Users are insane. - Workgroup = Anarchy Very difficult to manage a large number of stand-alones (no scalability). - No single sign-on without great effort. - No consistent permissions or rights.
Manage Local Accounts • Windows NT - User Manager • Windows 2000/XP/2003 - User Accounts applet in control Panel. - Computer Management snap-in in Administrative Tools folder. - NET.EXE