Chapter Six
Windows XP Security and Access Controls
Objectives
  Describe the Windows XP security model, and the key role of logon authentication
  Customize the logon process
  Discuss domain security concepts
  Understand the Local Computer Policy
Objectives
  Enable and use auditing
  Encrypt NTFS files, folders, or drives using the Encrypted File System (EFS)
  Understand and implement Internet security
The Windows XP Security Model
  Windows XP Professional can establish local security when used as a standalone system, or participate in domain security
  Domain security
    Control of user accounts, group memberships, and resource access for all members of a network
  Password
    Unique string of characters that must be provided before logon or an access is authorized
The Windows XP Security Model
  A user who successfully logs on receives an access token
  Process
    Primary unit of execution in the Windows XP operating system environment
  Access control list (ACL)
    List of security identifiers that are contained by a resource object
Logon Authentication
  The logon process has two components:
    Identification
      Requires that a user supply a valid account name (and in a domain environment, the name of the domain to which that user account belongs)
    Authentication
      Means that a user must use some method to verify his or her identity
Logon Authentication
  An access token includes all security information pertaining to that user, including the user’s security ID (SID) and SIDs for each of the groups to which the user belongs
  An access token includes the following components:
    Unique SID for the account
    List of groups to which the user belongs
    List of rights and privileges associated with the specific user’s account
Logon Authentication
  Access to the system is allowed only after the user receives the access token
  Each access token is created for one-time use during the logon process
  Once constructed, the access token is attached to the user’s shell process
Objects
  In Windows XP, access to individual resources is controlled at the object level
  Object
    Everything within the Windows XP operating environment is an object
    Objects include files, folders, shares, printers, processes, etc.
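An added example, not from the original slides, of how the SIDs carried in an access token are matched against the ACL on an object. It goes beyond the slides by modelling allow and deny entries with access-right bits; the account SID, the right bits, and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # simplified right bits (assumed, not real masks)

@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # SID the entry applies to
    mask: int    # rights the entry allows or denies

@dataclass(frozen=True)
class Token:
    user_sid: str       # unique SID for the account
    group_sids: tuple   # SIDs of the groups the user belongs to

def access_check(token, dacl, desired):
    """Return True if every right in `desired` is granted to the token."""
    if dacl is None:                 # object has no ACL at all: access is not restricted
        return True
    sids = {token.user_sid, *token.group_sids}
    remaining = desired
    for ace in dacl:                 # entries are evaluated strictly in list order
        if ace.sid not in sids:
            continue                 # entry names a SID this token does not carry
        if ace.kind == "deny" and ace.mask & remaining:
            return False             # a still-needed right is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask   # these rights are now granted
        if remaining == 0:
            return True
    return remaining == 0            # an empty ACL grants nothing

# Constructed sample data: one user in the built-in Users group.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed account SID
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"            # well-known built-in group SIDs
SAMPLE_TOKEN = Token(USER, (USERS,))
SAMPLE_DACL = [
    Ace("deny", USER, WRITE),                       # deny entries are listed first
    Ace("allow", USERS, READ | WRITE),
    Ace("allow", ADMINS, READ | WRITE | DELETE),
]

if __name__ == "__main__":
    for name, right in (("read", READ), ("write", WRITE), ("delete", DELETE)):
        print(name, access_check(SAMPLE_TOKEN, SAMPLE_DACL, right))
```

The group SID in the token is what grants read access here; the per-user deny entry still blocks write even though the group entry allows it.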
Access Control
  The Windows XP logon procedure provides security through the use of the following:
    Mandatory logon
    Restricted user mode
    Physical logon
    User profiles
Customizing the Logon Process
  The WinLogon process can be customized to display some or all of the following characteristics:
    Retain or disable the last logon name entered
    Add a logon security warning
    Change the default shell
    Enable/Disable the WinLogon Shutdown button
    Enable automated logon
Customizing the Logon Process
  Figure 6-1: The WinLogon key viewed through Regedit
Disabling the Default Username
  By default, the logon window displays the name of the last user to log on
  It is possible to change the default by altering the value of its associated Registry key or Local Security Policy value
  Disabling the default username option presents a blank username field at the logon prompt
Adding a Security Warning Message
  Depending on your organization’s security policy, you might be legally obligated to add a warning message that appears before the logon prompt is displayed
  Two Registry or Local Security Policy values are involved in this effort:
    LegalNoticeCaption
    LegalNoticeText
Changing the Shell
  The default shell is Windows Explorer
  You can change the shell to a custom or third-party application depending on the needs or security policy of your organization
Disabling the Shutdown Button
  By default, the Windows XP logon window includes a Shutdown button
  However, in an environment in which users have access to the keyboard and mouse on a Windows XP machine, this option has the potential for unwanted system shutdowns
    Fortunately, this option can be disabled
Automating Logons
  To set up an automated logon, the following Registry value entries must be defined and set within the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key:
    DefaultDomainName
    DefaultUserName
    DefaultPassword
    AutoAdminLogon
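An added example (not from the original slides) that audits the Winlogon values covered in the preceding slides from a Regedit export of the key. The export text is constructed, and the value names DontDisplayLastUserName, Shell and ShutdownWithoutLogon do not appear on the slides; they are the Winlogon string values behind the last-username, shell and Shutdown-button settings.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample in Regedit export format (already decoded to text); not from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="LAB"
"DefaultUserName"="kiosk"
"DefaultPassword"="constructed-example"
"DontDisplayLastUserName"="0"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Shell"="ignored.exe"
'''

def parse_reg_strings(text, key):
    """Return the string values stored directly under `key` (names lower-cased)."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                      # start of a new key section
        elif current is not None and current.lower() == key.lower():
            m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:                                     # undo .reg escaping (\\ and \")
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                values[name.lower()] = data
    return values

def audit_winlogon(text):
    """Return a sorted list of findings for the Winlogon key in a .reg export."""
    v = parse_reg_strings(text, WINLOGON)
    findings = []
    if v.get("autoadminlogon") == "1":
        findings.append("auto-logon-enabled")
    if v.get("defaultpassword"):                      # stored as a readable string value
        findings.append("cleartext-password-in-registry")
    if v.get("dontdisplaylastusername", "0") != "1":  # default shows the last user name
        findings.append("last-username-displayed")
    if not (v.get("legalnoticecaption") and v.get("legalnoticetext")):
        findings.append("no-logon-warning")
    if v.get("shell", "explorer.exe").lower() != "explorer.exe":
        findings.append("non-default-shell")
    if v.get("shutdownwithoutlogon", "1") != "0":     # default shows the Shutdown button
        findings.append("shutdown-button-enabled")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_winlogon(SAMPLE_EXPORT)))
```

Which findings matter depends on the organization's policy; a kiosk may use automated logon on purpose, but the DefaultPassword value is then readable by anyone who can read the key.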
Automatic Account Lockout
  Disables a user account if a predetermined number of failed logon attempts occur within a specified time limit
  This feature is intended to prevent intrusion by unauthorized users attempting to gain access by guessing a password or launching a dictionary attack
  The default setting in Windows XP is to allow an unlimited number of failed access attempts to a user account without locking out that account
Domain Security Concepts and Systems
  A domain is a collection of computers with centrally managed security and activities
  Domain security
    Control of user accounts, group memberships, and resource access for all members of a network
  Domain controller
    Windows 2000 .NET Server system with the Active Directory support services installed and configured
Kerberos and Authentication Services
  Kerberos version 5
    An authentication encryption protocol employed by Windows XP to protect logon credentials
  Network authentication
    Act of connecting to or accessing resources from some other member of the domain network
Kerberos and Authentication Services
  The communications that occur during network authentication are protected by one of several methods, including:
    Kerberos v5
    Secure Socket Layer/Transport Layer Security (SSL/TLS)
    NTLM (NT LAN Manager) authentication for compatibility with Windows NT 4.0
Kerberos and Authentication Services
  Kerberos version 5 authentication
    Windows XP uses Kerberos version 5 as the primary protocol for authentication security
  Secure Socket Layer/Transport Layer Security
    Authentication scheme often used by Web-based applications; supported on Windows XP through IIS
    SSL functions by issuing an identity certificate to both the client and server
Kerberos and Authentication Services
  NTLM (NT LAN Manager) authentication
    Mechanism used by Windows NT 4.0
    Windows XP supports this authentication method solely for backward compatibility with Windows NT Servers and Windows NT Workstation clients
    NTLM is significantly less secure than Kerberos version 5
Local Computer Policy
  Combination of controls that in Windows NT existed only in the Registry, through system policies, or as Control Panel applet controls
  Sometimes the local computer policy is called a software policy or an environmental policy or even a Windows XP policy
    No matter what name is actually used, the local computer policy is simply the local system’s group policy
Local Computer Policy
  Figure 6-2: MMC with Group Policy snap-in displaying Local Computer Policy with Security Settings selected on a Windows XP Professional System
Computer Configuration
  There are three purposes for using the public key policies:
    To offer additional controls over the EFS
    To enable the issuing of certificates
    To allow you to establish trust in a certificate authority
Computer Configuration
  IP Security (IPSec)
    Security measure added to TCP/IP to protect communications between two systems using that protocol
    Negotiates a secure encrypted communications link between a client and server through public and private encryption key management
    Can be used over a RAS or WAN link (through L2TP) or within a LAN
Computer Configuration
  The controls available through the Administrative Templates folder include:
    Controlling security and software updates for Internet Explorer
    Controlling access and use of the Task Scheduler and Windows Installer
    Controlling logon security features and operations
    Controlling disk quotas
Computer Configuration
  The controls available through the Administrative Templates folder include (cont.):
    Managing how group policies are processed
    Managing system file protection
    Managing offline access of network resources
    Controlling printer use and function
User Configuration
  The items contained in the User Configuration’s Administrative Templates section include:
    Internet Explorer configuration, interface, features, and function controls
    Windows Explorer management (interface, available commands, features)
    MMC Management
    Task Scheduler and Windows Installer controls
User Configuration
  The items contained in the User Configuration’s Administrative Templates section include (cont.):
    Start menu and Taskbar features management
    Desktop environment management
    Control Panel applet management
    Offline network access control
User Configuration
  The items contained in the User Configuration’s Administrative Templates section include (cont.):
    Network connection management
    Logon and logoff script management
    Group Policy application
User Configuration
  Figure 6-3: The Explain tab of a Local Computer Policy control dialog box
User Configuration
  The Policy tab on the Properties dialog box for each control offers three settings:
    Not configured
    Enabled
    Disabled
Auditing
  Auditing
    Security process that records the occurrence of specific operating system events in a Security log
  Event Viewer
    Utility that maintains application, security, and system event logs on your computer
Auditing
  Figure 6-4: The Security Log viewed through the Event Viewer
Auditing
  Figure 6-5: The security log event detail
Encrypted File System (EFS)
  Allows you to encrypt data stored on an NTFS drive
  When EFS is enabled on a file, folder, or drive, only the enabling user can gain access to the encrypted object
  EFS uses a public and private key encryption method
Internet Security
  Connecting to the Internet requires that you accept some risk
  Most of the security features used to protect data within a LAN or even on a standalone system can also be leveraged to protect against Internet attacks
  As well, Microsoft has added the Internet Connection Firewall (ICF) to Windows XP
Chapter Summary
  Windows XP has object-level access controls that provide the foundation on which all resource access rests
  The Windows XP logon process strictly controls how users identify themselves and log onto a Windows XP machine
  Likewise, WinLogon’s protected memory structures keep this all-important gatekeeper function from being replaced by would-be system crackers
Chapter Summary
  WinLogon also supports a number of logon controls
  Key Local Computer Policy settings can be used to block unauthorized break-in attempts
  The local computer policy controls many aspects of the security system as well as enabling or restricting specific functions and features of the operating system