Corso referenti s i r a modulo 2
Download
1 / 24

Corso referenti S.I.R.A. – Modulo 2 - PowerPoint PPT Presentation


  • 63 Views
  • Uploaded on

Corso referenti S.I.R.A. – Modulo 2. Windows Client & Server Security 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano Viola (CSIA). Agenda – Security by product. Client Windows 2000 PRO Windows XP PRO Server Windows 2000 SRV

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Corso referenti S.I.R.A. – Modulo 2' - tadeo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Corso referenti s i r a modulo 2
Corso referenti S.I.R.A. – Modulo 2

Windows Client & Server Security

20/11 – 27/11 – 05/12

11/12 – 13/12 (gruppo 1)

12/12 – 15/12 (gruppo 2)

Cristiano Gentili, Massimiliano Viola (CSIA)


Agenda security by product
Agenda – Security by product

Client

Windows 2000 PRO

Windows XP PRO

Server

Windows 2000 SRV

Windows 2003 SRV


Agenda security by scenario

Domain

OU1

OU2

User1

Computer1

User2

Printer1

Agenda – Security by Scenario

Domain Model – Active Directory

WorkGroup Model


Agenda security by topic
Agenda – Security by Topic

  • Windows Security Model

  • Active Directory

  • Access Control

  • Auditing and Monitoring

  • Service Pack & Patch Management (MBSA, WSUS)

  • Windows Firewall

  • Disaster Recovery

  • Server Security (by service)

  • Desktop Security

  • Group Policy

    Security Guidance http://www.microsoft.com/technet/security/guidance/default.mspx


And not security by someone else fault
…and NOT security by “someone else fault”

User

Hacker

xe Microsoft

Sys Admin


Prerequisiti
Prerequisiti

  • conoscenza gestione sistemi Windows NT

  • conoscenza dei principali servizi e protocolli di rete


Documentazione
Documentazione

  • http://www.microsoft.com/technet/security/guidance/default.mspx (Security Guidance)

  • http://www.microsoft.com/security/default.mspx (security updates)

  • http://technet.microsoft.com/en-us/default.aspx


Architecture of windows nt
Architecture of Windows NT

USER MODE: Programs and subsystems in user mode are limited in terms of what system resources they have access to

KERNEL MODE: has unrestricted access to the system memory and devices. Stops user mode services and applications from accessing critical areas of the operating system

http://en.wikipedia.org/wiki/Architecture_of_Windows_NT


Trusted software and drivers
Trusted Software and Drivers

Designed for Microsoft Windows XP Logo

Hardware and software products displaying the Designed for Microsoft Windows XP logo have been tested for compatibility with Microsoft Windows operating systems through use of Microsoft-provided testing procedures.

Software for hardware products with the Designed for Microsoft Windows XP logo has a digital signature from Microsoft, indicating that the product was tested for compatibility with Windows and has not been altered since testing.


Windows workgroup
Windows WorkGroup

Il workgroup è composto da uno o più sistemi peer-to-peer ciascuno dei quali gestisce in maniera individuale ed autonoma i propri utenti, gruppi e l’accesso alle risorse

La configurazione di un workgroup si presta unicamente per piccoli gruppi di sistemi (<10) ed in presenza di pochi utenti


Windows workgroup esempio

User1

User1

User2

User2

Windows WorkGroup - esempio

User1 = Print

A

B

SAM

SAM

Oggetti diversi

Sono oggetti (account utente) apparentemente uguali ma diversi: diverso Security IDentifier (SID)


Windows domain active directory
Windows Domain – Active Directory

  • Sostituisce il database SAM come deposito primario di utenti, gruppi, security policies …

  • È il centro della flessibilità e scalabilità del modello di sicurezza di Windows

  • È un servizio di directory gerarchico distribuito, scalabile e sicuro

  • Consente una gestione organizzata, centralizzata e granularmente delegabile


Windows domain esempio

User1

User2

Windows Domain - Esempio

DC

ACL

A

B

SAM

SAM


Windows security model introduzione
Windows Security Model - Introduzione

  • Relazione fondamentale tra Active Directory service e Windows Security Model

  • Object-based security - controllo di accesso estremamente granulare (attributes)

  • Securable objects (files, AD, registry, …)

  • Security Descriptor (Owner, DACL, SACL)


Windows security model security principals
Windows Security Model – Security Principals

  • User, Group and Computer accounts

  • Security IDentifier (SID) for authentication and Access Control to domain resources

  • Located in AD Domain Controllers


Security principals naming
Security Principals - Naming

  • Il nome di un account utente, computer o gruppo DEVE essere univoco nel dominio

  • Non si possono i seguenti caratteri /\[]:;|=,+*?><

  • User accounts up to 20 char

  • Computer accounts up to 15 char

  • Group accounts up to 63 char


Security identifier sid
Security IDentifier (SID)

[email protected]

S-1-5-21-436374069-1659004503-1417001333-34813

  • S indica che la stringa è un SID

  • 1 = revision level (versione della struttura del SID)

  • 5 = authority identifier (1 = World Authority, 5 = NT Authority)

  • 21-436374069-1659004503-1417001333 = domain identifier (ds.units.it)

  • 34813 = relative identifier (security principal identifier)


Well known sids in windows
Well-known SIDs in Windows

Identificano utenti o gruppi generici

  • S-1-1-0 Everyone

  • S-1-3-0 Creator Owner

  • S-1-5-4 Interactive

  • S-1-5-domain-500 Administrator

  • S-1-5-32-544 Administrators

    Il primo account creato parte dal RID=1000

    http://support.microsoft.com/kb/243330


Globally unique identifier guid
Globally Unique Identifier (GUID)

Valore di 128-bit assegnato a qualsiasi oggetto creato in Active Directory (non solo security principals)

Il GUID di un oggetto non cambia mai; i SID a volte possono cambiare (es. Utente spostato tra domini della stessa foresta)

I SID precedenti vengono copiati in un attributo dell’oggetto chiamato SID-History (motivo = mantenere l’accesso alle risorse)


Access control

Header

Owner SID

DACL

ACE 1

SACL

ACE 2

ACE 3

ACE 4

ACE 5

ACE 6

Access Control

SD

  • Security Descriptor (SD): definisce i permessi di accesso ad un oggetto

  • Owner SID

  • DACL (Discretionary Access Control List) for permissions

  • SACL (System Access Control List) for auditing

ACL

  • Access control lists (ACL) for protecting each object

    • Each entry is an Access Control Entry (ACE)

    • Each ACE provide a certain level of access permissions (e.g. read, write, change) to one or multiple SIDs



Access control caratteristiche
Access Control: caratteristiche

  • Allow/deny

  • Sono cumulative (ACE multiple)

  • Ereditarietà (default)

  • Ownership


The logon process
The Logon Process

Domain Controller

Local Security

Subsystem

1

2

Ticket

Kerberos Service

3

Ticket

Access Token

Constructs Access Token

4

Ticket

6

5

User Logs On

Kerberos Service Sends a Workstation Ticket

1

4

Local Security Subsystem Obtains a Ticket for the User

Local Security Subsystem Constructs an Access Token

2

5

Local Security Subsystem Requests a Workstation Ticket

Access Token Is Attached to the User’s Process

3

6


Access tokens
Access Tokens

Security ID: S-1-5-21-146...

Group IDs: Employees

EVERYONE

LOCAL

User Rights:

SeChangeNotifyPrivilege

SeDenyInteractiveLogonRight

AccessToken

Access Tokens:

  • Are created during the logon process and used whenever a user attempts to gain access to an object

  • Contain a SID, a unique identifier used to represent a user or a group

  • Contain Group ID, a list of the groups to which a user belongs

  • Contain user rights, the privileges of a User


ad