1 / 41

Chapter Six

Chapter Six. Windows XP Security and Access Controls. Objectives. Describe the Windows XP security model, and the key role of logon authentication Customize the logon process Discuss domain security concepts Understand the Local Computer Policy. Objectives. Enable and use auditing

robertneal
Télécharger la présentation

Chapter Six

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter Six Windows XP Security and Access Controls

  2. Objectives • Describe the Windows XP security model, and the key role of logon authentication • Customize the logon process • Discuss domain security concepts • Understand the Local Computer Policy

  3. Objectives • Enable and use auditing • Encrypt NTFS files, folders, or drives using the Encrypted File System (EFS) • Understand and implement Internet security

  4. The Windows XP Security Model • Windows XP Professional can establish local security when used as a standalone system, or participate in domain security • Domain security • Control of user accounts, group memberships, and resource access for all members of a network • Password • Unique string of characters that must be provided before logon or an access is authorized

  5. The Windows XP Security Model • A user who successfully logs on receives and access token • Process • Primary unit of execution in the Windows XP operating system environment • Access control list (ACL) • List of security identifiers that are contained by a resource object

  6. Logon Authentication • The logon process has two components: • Identification • Requires that a use supply a valid account name (and in a domain environment, the name of the domain to which that user account belongs) • Authentication • Means that a user must use some method to verify his or her identity

  7. Logon Authentication • An access token includes all security information pertaining to that user, including the user’s security ID (SID) and SIDs for each of the groups to which the user belongs • An access token includes the following components: • Unique SID for the account • List of groups to which the user belongs • List of rights and privileges associated with the specific user’s account

  8. Logon Authentication • Access to the system is allowed only after the user receives the access token • Each access token is created for one-time use during the logon process • Once constructed, the access token is attached to the user’s shell process

  9. Objects • In Windows XP, access to individual resources is controlled at the object level • Object • Everything within the Windows XP operating environment is an object • Objects include files, folders, shares, printers, processes, etc.

  10. Access Control • The Windows XP logon procedure provides security through the use of the following: • Mandatory logon • Restricted user mode • Physical logon • User profiles

  11. Customizing the Logon Process • The WinLogon process can be customized to display some or all of the following characteristics: • Retain or disable the last logon name entered • Add a logon security warning • Change the default shell • Enable/Disable the WinLogon Shutdown button • Enable automated logon

  12. Customizing the Logon Process Figure 6-1: The WinLogon key viewed through Regedit

  13. Disabling the Default Username • By default, the logon window displays the name of the last user to log on • It is possible to change the default by altering the value of its associated Registry key or Local Security Policy value • Disabling the default username option presents a blank username field at the logon prompt

  14. Adding a Security Warning Message • Depending on your organization’s security policy, you might be legally obligated to add a warning message that appears before the logon prompt is displayed • Two Registry or Local Security Policy values are involved in this effort: • LegalNoticeCaption • LegalNoticeText

  15. Changing the Shell • The default shell is Windows Explorer • You can change the shell to a custom or third-party application depending on the needs or security policy of your organization

  16. Disabling the Shutdown Button • By default, the Windows XP logon window includes a Shutdown button • However, in an environment in which users have access to the keyboard and mouse on a Windows XP machine, this option has the potential for unwanted system shutdowns • Fortunately, this option can be disabled

  17. Automating Logons • To set up an automated logon, the following Registry value entries must be defined and set within the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key: • DefaultDomainName • DefaultUserName • DefaultPassword • AutoAdminLogon

  18. Automatic Account Lockout • Disables a user account if a predetermined number of failed logon attempts occur within a specified time limit • This feature is intended to prevent intrusion by unauthorized users attempting to gain access by guessing a password or launching a dictionary attack • The default setting in Windows XP is to allow an unlimited number of failed access attempts to a user account without locking out that account

  19. Domain Security Concepts and Systems • A domain is a collection of computers with centrally managed security and activities • Domain security • Control of user accounts, group memberships, and resource access for all members of a network • Domain controller • Windows 2000 .NET Server system with the Active Directory support services installed and configured

  20. Kerberos and Authentication Services • Kerberos version 5 • An authentication encryption protocol employed by Windows XP to protect logon credentials • Network authentication • Act of connecting to or accessing resources from some other member of the domain network

  21. Kerberos and Authentication Services • The communications that occur during network authentication are protected by one of several methods, including: • Kerberos v5 • Secure Socket Layer/Transport Layer Security (SSL/TLS) • NTLM (NT LAN Manager) authentication for compatibility with Windows NT 4.0

  22. Kerberos and Authentication Services • Kerberos version 5 authentication • Windows XP uses Kerberos version 5 as the primary protocol for authentication security • Secure Socket Layer/Transport Layer • Authentication scheme often used by Web-based applications and is supported on Windows XP through IIS • SSL functions by issuing an identity certificateto both the client and server

  23. Kerberos and Authentication Services • NTLM (NT LAN Manager) authentication • Mechanism used by Windows NT 4.0 • Windows XP supports this authentication method solely for backward compatibility with Windows NT Servers and Windows NT Workstation clients • NTLM is significantly less secure than Kerberos version 5

  24. Local Computer Policy • Combination of controls that in Windows NT existed only in the Registry, through system policies, or as Control Panel applet controls • Sometimes the local computer policy is called a software policy or an environmental policy or even a Windows XP policy • No matter what name is actually used, the local computer policy is simply the local system’s group policy

  25. Local Computer Policy Figure 6-2: MMC with Group Policy snap-in displaying Local Computer Policy with Security Settings selected on a Windows XP Professional System

  26. Computer Configuration • There are three purposes for using the public key policies: • To offer additional controls over the EFS • To enable the issuing of certificates • To allow you to establish trust in a certificate authority

  27. Computer Configuration • IP Security (IPSec) • Security measure added to TCP/IP to protect communications between two systems using that protocol • Negotiates a secure encrypted communications link between a client and server through public and private encryption key management • Can be used over a RAS or WAN link (through L2TP) or within a LAN

  28. Computer Configuration • The controls available through the Administrative Templates folder include: • Controlling security and software updates for Internet Explorer • Controlling access and use of the Task Scheduler and Windows Installer • Controlling logon security features and operations • Controlling disk quotas

  29. Computer Configuration • The controls available through the Administrative Templates folder include (cont.): • Managing how group policies are processed • Managing system file protection • Managing offline access of network resources • Controlling printer use and function

  30. User Configuration • The items contained in the User Configuration’s Administrative Templates section include: • Internet Explorer configuration, interface, features, and function controls • Windows Explorer management (interface, available commands, features) • MMC Management • Task Scheduler and Windows Installer controls

  31. User Configuration • The items contained in the User Configuration’s Administrative Templates section include (cont.): • Start menu and Taskbar features management • Desktop environment management • Control Panel applet management • Offline network access control

  32. User Configuration • The items contained in the User Configuration’s Administrative Templates section include (cont.): • Network connection management • Logon and logoff script management • Group Policy application

  33. User Configuration Figure 6-3: The Explain tab of a Local Computer Policy control dialog box

  34. User Configuration • The Policy tab on the Properties dialog box for each control offers three settings: • Not configured • Enabled • Disabled

  35. Auditing • Auditing • Security process that records the occurrence of specific operating system events in a Security log • Event Viewer • Utility that maintains application, security, and system event logs on your computer

  36. Auditing Figure 6-4: The Security Log viewed through the Event Viewer

  37. Auditing Figure 6-5: The security log event detail

  38. Encrypted File System (EFS) • Allows you to encrypt data stored on NTFS drive • When EFS is enabled on a file, folder, or drive, only the enabling user can gain access to the encrypted object • EFS uses a public and private key encryption method

  39. Internet Security • Connecting to the Internet requires that you accept some risk • Most of the security features used to protect data within a LAN or even on a standalone system can also be leveraged to protect against Internet attacks • As well, Microsoft has added the Internet Connection Firewall (ICF) to Windows XP

  40. Chapter Summary • Windows XP has object-level access controls that provide the foundation on which all resource access rest • The Windows XP logon process strictly controls how users identify themselves and log onto a Windows XP machine • Likewise, WinLogon’s protected memory structures keep this all-important gatekeeper function from being replaced by would-be system crackers

  41. Chapter Summary • WinLogon also supports a number of logon controls • Key Local Computer Policy settings can be used to block unauthorized break-in attempts • The local computer policy controls many aspects of the security system as well as enabling or restricting specific functions and features of the operating system

More Related