Windows 2000 Security
Tom Bahnck
• Active Directory
• Kerberos Authentication Protocol
• Encrypting File System
• Access Token
• Security Descriptors
• Registry
5/4/2004
Active Directory
Active Directory Kerberos Access Token Descriptors EFS Registry
• Organizes network resources into a directory-like hierarchy in order to propagate access rights
• Integrates the Kerberos authentication protocol
• Domains, organizational units, groups, objects, access tokens. Example objects: user account, CPU, printer, application, thread, semaphore
• Consistent internal security policies propagate from parent to child
• Policy settings assigned (1) at boot time, (2) at sign-on time
• Clearance checks done in kernel mode, within the security subsystem of Win2000
Kerberos Authentication Protocol
• At logon, the Win2000 Active Directory server sends a ticket with the client's credentials to the Kerberos server
• The Kerberos server responds by issuing a ticket-granting ticket (TGT), or key, to the user. The TGT is used to identify the client when requesting network resources.
• Shared-secret authentication: only the client and the Kerberos server know the key
Kerberos Authentication Protocol
[Figure: Kerberos authentication process illustrated. Source: Microsoft Corp. Windows 2000 Security Technical Overview.]
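The two slides above summarize the logon exchange: the client proves it holds the shared secret, and the KDC answers with a session key the client can read and a TGT it cannot. The following is an added example written for this page, not code from the slide deck or from Microsoft; it models the standard Kerberos AS-REQ/AS-REP exchange with pre-authentication (as Windows 2000 uses by default) in stdlib-only Python. The realm name, the principal "alice", the password, and the timestamp values are constructed, and the cipher (a SHA-256 counter-mode keystream with an HMAC tag) is a stand-in for the real Kerberos encryption types.

```python
"""Toy model of the Kerberos logon (AS-REQ / AS-REP) exchange.
Added example, not taken from the slide deck. The symmetric cipher is a SHA-256
counter-mode keystream plus HMAC so the script runs with only the standard
library; real Kerberos uses AES (or RC4 on Windows 2000) encryption types."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key: the user derives it from the password, the KDC stores it."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError when the key is wrong or data tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Authentication Service side: holds every principal's key plus the krbtgt key."""
    CLOCK_SKEW = 300          # seconds; stale pre-authentication timestamps are rejected
    TGT_LIFETIME = 10 * 3600  # Windows default of 10 hours

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}
        self.tgs_key = os.urandom(32)  # known only to the KDC, never sent to clients

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, self.realm, principal)

    def as_exchange(self, principal: str, preauth: bytes, now: float):
        """AS-REQ handler: verify pre-authentication, return (enc_part, tgt)."""
        key = self.keys.get(principal)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            ts = unseal(key, preauth)["timestamp"]
        except ValueError:
            raise PermissionError("pre-authentication failed")  # wrong password
        if abs(now - ts) > self.CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside clock skew")
        session_key = os.urandom(32).hex()
        expires = now + self.TGT_LIFETIME
        # The TGT is sealed under the krbtgt key: the client carries it but cannot read it.
        tgt = seal(self.tgs_key, {"client": principal, "session_key": session_key, "expires": expires})
        # The client's copy of the session key is sealed under its own long-term key.
        enc_part = seal(key, {"session_key": session_key, "expires": expires})
        return enc_part, tgt


def client_logon(kdc: KDC, principal: str, password: str, now=None):
    """Client side: send pre-auth, recover the session key, keep the opaque TGT."""
    now = time.time() if now is None else now
    key = derive_key(password, kdc.realm, principal)
    preauth = seal(key, {"timestamp": now})
    enc_part, tgt = kdc.as_exchange(principal, preauth, now)
    session_key = unseal(key, enc_part)["session_key"]
    return session_key, tgt


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.LOCAL")                      # constructed realm
    kdc.enroll("alice", "correct horse battery staple")  # constructed principal
    sk, tgt = client_logon(kdc, "alice", "correct horse battery staple")
    print("session key:", sk[:8] + "...", "opaque TGT bytes:", len(tgt))
```

Two properties of the slide's "shared secret" claim are visible here: a wrong password fails at the pre-authentication step before any ticket is issued, and the client holding the TGT cannot open it because only the KDC knows the krbtgt key.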
Access Token
• Security ID (SID): guaranteed unique for all users
• Group SIDs: SIDs for the groups to which the user belongs
• Privileges: access control entries (ACEs) for secure services, e.g. backup (ability to back up encrypted files), create new token
• Access Control List (ACL): key Win2000 security entity for controlling object access. Contains a list of ACEs.
• Propagates to all child processes
• Win2000 clearance results cached
Security Descriptors
• Flags: descriptor metadata; verify SD validity, origins of ACLs
• Owner: group or user
• System Access Control List (SACL): identifies which types of operations on the object should generate audits.
• Discretionary Access Control List (DACL): identifies users and the actions cleared for the object. List of ACEs.
• Access Control Entry (ACE): SID and access mask
Security Descriptors
[Figure: Access Mask, 32 bits, describes security descriptor. Source: Stallings, William. Operating Systems.]
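The Access Token and Security Descriptors slides describe the pieces (token SIDs, DACL of ACEs with SID and access mask, SACL for audits) but not how a clearance check combines them. The following is an added example, not code from the slide deck or from Windows, that implements the simplified AccessCheck rules in Python: the DACL is walked in order, a matching deny ACE ends the check, allow ACEs accumulate bits until nothing desired remains, a missing DACL grants everything and an empty DACL grants nothing, and the SACL decides which attempts produce an audit record. The user SIDs are constructed; the well-known Everyone and Administrators SIDs and the access-mask constants are the real Windows values. The backup-privilege shortcut is a deliberate simplification of the real rule.

```python
"""Simplified Windows access check over a security descriptor.
Added example, not from the slide deck. User SIDs below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Windows access-mask bit values for the rights used here.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

EVERYONE = "S-1-1-0"          # well-known World SID
ADMINS = "S-1-5-32-544"       # well-known BUILTIN\Administrators SID
ALICE = "S-1-5-21-1111-2222-3333-1001"   # constructed
BOB = "S-1-5-21-1111-2222-3333-1002"     # constructed


@dataclass
class ACE:
    kind: str                  # "allow" / "deny" in a DACL, "audit" in a SACL
    sid: str                   # trustee the entry applies to
    mask: int                  # 32-bit access mask
    on_success: bool = False   # audit ACEs only
    on_failure: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[ACE]]            # None = no DACL at all: everyone gets everything
    sacl: List[ACE] = field(default_factory=list)


@dataclass
class Token:
    user_sid: str
    group_sids: List[str]
    privileges: Set[str] = field(default_factory=set)

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """True if every bit of `desired` is granted to the token."""
    granted = 0
    # The owner may always read and rewrite the descriptor itself.
    if token.user_sid == sd.owner:
        granted |= READ_CONTROL | WRITE_DAC
    # Backup privilege bypasses the DACL for read-type access (simplified rule).
    if "SeBackupPrivilege" in token.privileges and desired & ~(FILE_READ_DATA | READ_CONTROL) == 0:
        return True
    if sd.dacl is None:
        return True
    remaining = desired & ~granted
    for ace in sd.dacl:                  # order matters: denies should come first
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                 # a matching deny ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask       # allow ACEs accumulate
    return remaining == 0                # empty DACL: nothing removed, so denied


def audit_events(token: Token, sd: SecurityDescriptor, desired: int, granted: bool) -> List[str]:
    """SACL: one record per audit ACE covering this trustee, mask and outcome."""
    events = []
    for ace in sd.sacl:
        if ace.kind != "audit" or not token.holds(ace.sid) or not ace.mask & desired:
            continue
        if (granted and ace.on_success) or (not granted and ace.on_failure):
            outcome = "granted" if granted else "denied"
            events.append(f"audit: {token.user_sid} {outcome} 0x{desired:08x} on object owned by {sd.owner}")
    return events


def check_and_audit(token: Token, sd: SecurityDescriptor, desired: int) -> Tuple[bool, List[str]]:
    ok = access_check(token, sd, desired)
    return ok, audit_events(token, sd, desired, ok)


# Constructed sample descriptor in canonical order: deny ACEs before allow ACEs.
SAMPLE_SD = SecurityDescriptor(
    owner=ALICE,
    dacl=[
        ACE("deny", BOB, FILE_WRITE_DATA | DELETE),
        ACE("allow", ADMINS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE | READ_CONTROL | WRITE_DAC),
        ACE("allow", EVERYONE, FILE_READ_DATA | READ_CONTROL),
    ],
    sacl=[ACE("audit", EVERYONE, FILE_WRITE_DATA | DELETE, on_success=True, on_failure=True)],
)

if __name__ == "__main__":
    bob = Token(BOB, [EVERYONE, ADMINS])
    print(check_and_audit(bob, SAMPLE_SD, FILE_WRITE_DATA))   # denied, one audit record
    print(check_and_audit(bob, SAMPLE_SD, FILE_READ_DATA))    # granted, no audit record
```

Note that Bob is an administrator yet is refused write access because the deny ACE naming him is reached first; the same ACE placed after the allow would never be consulted, which is why the slides' "list of ACEs" is ordered and why Windows warns about non-canonical DACLs.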
Encrypting File System
• NTFS dependent; encrypts selected files and directories. Restricts access to owner and admin.
• Uses CryptoAPI public key and symmetric encryption algorithms. More info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptoapi_system_architecture.asp
• Encryption automatic on save, decryption automatic on open. Built into the file system.
• A low-level disk reading utility cannot rip information
• Encryption/decryption key not issued until user logon
Registry
• All registry keys have an ACL. Can generate audits.
• Contain many security keys
• Example SID value: S-1-5-21-2857422465-1465058494-1690550294-500-0462
  – always begins with S
  – version identifier
  – authority (5 = NT Authority)
  – domain identifier (500 chars max)
  – relative identifier (account or group)
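The slide breaks a SID string into its fields but leaves out how those fields are checked and how the same SID is laid out in the binary form stored in the registry and in security descriptors. The following is an added example, not code from the slide deck or from Windows, that parses and validates the string form, converts to and from the binary layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities), and labels the well-known relative identifiers. The domain sub-authority values in the sample SID are constructed; the authority names and RID meanings are the documented Windows ones.

```python
"""Parse, validate and re-encode Windows security identifiers (SIDs).
Added example, not from the slide deck; sample SID values are constructed."""
import re
import struct
from dataclasses import dataclass

AUTHORITY_NAMES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "SID":
        """Parse the S-R-I-S... string form with the limits the binary form imposes."""
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).split("-") if s)
        if revision != 1:
            raise ValueError("only SID revision 1 exists")
        if authority >= 1 << 48:
            raise ValueError("identifier authority must fit in 48 bits")
        if len(subs) > 15:
            raise ValueError("at most 15 sub-authorities are allowed")
        if any(s >= 1 << 32 for s in subs):
            raise ValueError("sub-authorities are 32-bit values")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        fields = (self.revision, self.authority, *self.sub_authorities)
        return "S-" + "-".join(str(x) for x in fields)

    def to_bytes(self) -> bytes:
        """Binary layout: revision(1) | count(1) | authority(6, big-endian) | subs (LE uint32)."""
        return (bytes([self.revision, len(self.sub_authorities)])
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.sub_authorities))

    @classmethod
    def from_bytes(cls, data: bytes) -> "SID":
        if len(data) < 8:
            raise ValueError("truncated SID")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match its sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:])
        return cls(revision, authority, tuple(subs))

    @property
    def rid(self):
        """Relative identifier: the last sub-authority, naming the account or group."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain(self):
        """Domain identifier (everything but the RID) for NT-authority S-1-5-21 SIDs."""
        if self.authority == 5 and self.sub_authorities[:1] == (21,) and len(self.sub_authorities) == 5:
            return SID(self.revision, self.authority, self.sub_authorities[:-1])
        return None


def describe(text: str) -> str:
    """Human-readable breakdown of a SID string, in the slide's field order."""
    sid = SID.parse(text)
    parts = [f"authority={AUTHORITY_NAMES.get(sid.authority, sid.authority)}"]
    if sid.domain:
        parts.append(f"domain={sid.domain}")
        parts.append(f"rid={sid.rid} ({WELL_KNOWN_RIDS.get(sid.rid, 'ordinary account or group')})")
    return ", ".join(parts)


if __name__ == "__main__":
    sample = "S-1-5-21-1111-2222-3333-500"   # constructed domain, well-known RID 500
    print(describe(sample))
    print(SID.parse(sample).to_bytes().hex())
```

The round trip through to_bytes and from_bytes is the check worth keeping in tooling that reads SIDs out of raw registry values or descriptor blobs: a length that disagrees with the sub-authority count is the usual sign of a truncated or mis-parsed value.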
Sources
• Honeycutt, Jerry. Microsoft Windows XP Registry Guide. Redmond: Microsoft Press, 2003. Note: WinXP built on code base of Win2000 (IP Security, Kerberos, EFS). See: http://www.microsoft.com/windowsxp/pro/evaluation/whyupgrade/featurecomp.asp
• Microsoft Corp. Windows 2000 Security Technical Overview. Redmond: Microsoft Corporation, 2000.
• Stallings, William. Operating Systems. 4th ed. Upper Saddle River: Prentice-Hall, 2001.
This presentation available at: http://www.csc.villanova.edu/~tbahnck/w2k_security_prez.ppt