Course for S.I.R.A. referents – Module 2: Windows Client & Server Security
20/11 – 27/11 – 05/12; 11/12 – 13/12 (group 1); 12/12 – 15/12 (group 2)
Cristiano Gentili, Massimiliano Viola (CSIA)
Agenda – Security by product
• Client: Windows 2000 PRO, Windows XP PRO
• Server: Windows 2000 SRV, Windows 2003 SRV
Agenda – Security by Scenario
• Domain Model – Active Directory
• WorkGroup Model
[Diagram: a Domain with OU1 and OU2 containing User1, Computer1, User2, Printer1]
Agenda – Security by Topic
• Windows Security Model
• Active Directory
• Access Control
• Auditing and Monitoring
• Service Pack & Patch Management (MBSA, WSUS)
• Windows Firewall
• Disaster Recovery
• Server Security (by service)
• Desktop Security
• Group Policy
Security Guidance: http://www.microsoft.com/technet/security/guidance/default.mspx
…and NOT security by “someone else’s fault”
[Cartoon labels: User, Hacker, Microsoft, Sys Admin]
Prerequisites
• familiarity with Windows NT system administration
• knowledge of the main network services and protocols
Documentation
• http://www.microsoft.com/technet/security/guidance/default.mspx (Security Guidance)
• http://www.microsoft.com/security/default.mspx (security updates)
• http://technet.microsoft.com/en-us/default.aspx
Architecture of Windows NT
• USER MODE: programs and subsystems running in user mode are limited in which system resources they can access
• KERNEL MODE: has unrestricted access to system memory and devices; it stops user-mode services and applications from accessing critical areas of the operating system
http://en.wikipedia.org/wiki/Architecture_of_Windows_NT
Trusted Software and Drivers – Designed for Microsoft Windows XP Logo
Hardware and software products displaying the Designed for Microsoft Windows XP logo have been tested for compatibility with Microsoft Windows operating systems through use of Microsoft-provided testing procedures.
Software for hardware products with the Designed for Microsoft Windows XP logo has a digital signature from Microsoft, indicating that the product was tested for compatibility with Windows and has not been altered since testing.
Windows WorkGroup
A workgroup consists of one or more peer-to-peer systems, each of which manages its own users, groups and resource access individually and autonomously.
A workgroup configuration is suitable only for small groups of systems (<10) and for a small number of users.
Windows WorkGroup – example
[Diagram: machines A and B, each with its own SAM, both holding accounts User1 and User2; User1 = Print]
Different objects: they are objects (user accounts) that look identical but are different, because each has a different Security IDentifier (SID).
Windows Domain – Active Directory
• Replaces the SAM database as the primary repository of users, groups, security policies, …
• Is the centre of the flexibility and scalability of the Windows security model
• Is a hierarchical, distributed, scalable and secure directory service
• Allows organised, centralised management that can be delegated at a granular level
Windows Domain – Example
[Diagram: DC, ACL, User1, User2, machines A and B each with a SAM]
Windows Security Model – Introduction
• Fundamental relationship between the Active Directory service and the Windows Security Model
• Object-based security: extremely granular access control (down to individual attributes)
• Securable objects (files, AD objects, registry, …)
• Security Descriptor (Owner, DACL, SACL)
Windows Security Model – Security Principals
• User, Group and Computer accounts
• Security IDentifier (SID) for authentication and Access Control to domain resources
• Located in AD Domain Controllers
Security Principals – Naming
• The name of a user, computer or group account MUST be unique within the domain
• The following characters cannot be used: /\[]:;|=,+*?><
• User accounts: up to 20 characters
• Computer accounts: up to 15 characters
• Group accounts: up to 63 characters
Security IDentifier (SID)
Example: 5137@ds.units.it → S-1-5-21-436374069-1659004503-1417001333-34813
• S indicates that the string is a SID
• 1 = revision level (version of the SID structure)
• 5 = authority identifier (1 = World Authority, 5 = NT Authority)
• 21-436374069-1659004503-1417001333 = domain identifier (ds.units.it)
• 34813 = relative identifier (identifies the security principal within the domain)
Well-known SIDs in Windows
They identify generic users or groups
• S-1-1-0 Everyone
• S-1-3-0 Creator Owner
• S-1-5-4 Interactive
• S-1-5-domain-500 Administrator
• S-1-5-32-544 Administrators
The first account created in a domain starts from RID=1000
http://support.microsoft.com/kb/243330
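The two slides above describe the SID string layout and a few well-known values. The following parser is an added example, not course material: it splits a SID into revision, authority, domain identifier and RID, flags the well-known SIDs listed on the slide, and converts to and from the binary layout Windows actually stores (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities), which the slides do not cover. The lookup tables and the threshold for "built-in" RIDs are assumptions taken from the slide text.

```python
import struct

# Well-known SIDs exactly as listed on the slide (lookup table constructed for this example)
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner",
              "S-1-5-4": "Interactive", "S-1-5-32-544": "Administrators"}
AUTHORITY_NAMES = {1: "World Authority", 3: "Creator Authority", 5: "NT Authority"}


def parse_sid(sid: str) -> dict:
    """Split a textual SID into its components and classify it."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info = {"revision": revision, "authority": authority,
            "authority_name": AUTHORITY_NAMES.get(authority, "unknown"),
            "subauthorities": subs, "well_known": WELL_KNOWN.get(sid),
            "domain_sid": None, "rid": None}
    # Domain SIDs have the form S-1-5-21-<a>-<b>-<c>[-RID]
    if authority == 5 and subs[:1] == [21] and len(subs) >= 4:
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 5:
            info["rid"] = subs[4]
            # Per the slide, user-created accounts start at RID 1000;
            # lower RIDs (e.g. 500 = Administrator) are built-in accounts.
            info["builtin_account"] = subs[4] < 1000
    elif subs:
        info["rid"] = subs[-1]
    return info


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary form stored in security descriptors."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return (bytes([p["revision"], len(subs)])
            + p["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes) -> str:
    """Decode the binary form back into the S-R-A-S... string."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
```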
Globally Unique Identifier (GUID)
A 128-bit value assigned to every object created in Active Directory (not only security principals).
An object’s GUID never changes; SIDs can sometimes change (e.g. a user moved between domains of the same forest).
Previous SIDs are copied into an attribute of the object called SID-History (reason: to preserve access to resources).
Access Control
[Diagram: Security Descriptor = Header, Owner SID, DACL and SACL, each a list of ACEs (ACE 1 … ACE 6)]
SD
• Security Descriptor (SD): defines the access permissions of an object
• Owner SID
• DACL (Discretionary Access Control List) for permissions
• SACL (System Access Control List) for auditing
ACL
• Access control lists (ACL) protect each object
• Each entry is an Access Control Entry (ACE)
• Each ACE grants a certain level of access permissions (e.g. read, write, change) to one or more SIDs
Access Control: characteristics
• Allow/deny
• Cumulative (multiple ACEs)
• Inheritance (by default)
• Ownership
The Logon Process
[Diagram: the workstation’s Local Security Subsystem exchanging tickets with the Kerberos Service on the Domain Controller, ending with an Access Token]
1. User logs on
2. Local Security Subsystem obtains a ticket for the user
3. Local Security Subsystem requests a workstation ticket
4. Kerberos Service sends a workstation ticket
5. Local Security Subsystem constructs an access token
6. Access token is attached to the user’s process
Access Tokens
[Example token: Security ID: S-1-5-21-146...; Group IDs: Employees, EVERYONE, LOCAL; User Rights: SeChangeNotifyPrivilege, SeDenyInteractiveLogonRight]
Access tokens:
• Are created during the logon process and used whenever a user attempts to gain access to an object
• Contain a SID, a unique identifier that represents a user or a group
• Contain group IDs, a list of the groups to which the user belongs
• Contain user rights, the privileges of the user
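The Access Control and Access Tokens slides above describe how the DACL's allow/deny ACEs are matched against the SIDs in a token and why multiple ACEs are cumulative. This added example (not from the course) models that walk: a NULL DACL protects nothing, an empty DACL grants nothing, a matching deny stops evaluation, and allows accumulate until every requested bit is granted. It also shows why ACE order matters by canonicalizing (explicit deny before allow, inherited entries last). The access-mask bits, the group RID and the sample DACL are constructed for the example.

```python
from dataclasses import dataclass

# Access-mask bits for the example (constructed; real code uses Windows ACCESS_MASK values)
READ, WRITE, CHANGE = 0x1, 0x2, 0x4


@dataclass
class ACE:
    sid: str                 # trustee the entry applies to
    mask: int                # permission bits granted or denied
    allow: bool              # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    inherited: bool = False  # set on ACEs inherited from the parent object


@dataclass
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self) -> frozenset:
        return self.group_sids | {self.user_sid}


def canonicalize(dacl):
    """Windows canonical order: explicit deny, explicit allow, then inherited
    deny and inherited allow. sorted() is stable, so order within a class holds."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def check_access(token, dacl, requested):
    """Return True if the token is granted every bit in `requested`."""
    if dacl is None:          # NULL DACL: no protection at all
        return True
    remaining = requested
    for ace in dacl:          # empty DACL: loop never grants anything
        if ace.sid not in token.sids():
            continue
        if not ace.allow and ace.mask & remaining:
            return False      # a deny covering an outstanding bit ends the walk
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True   # allows from several ACEs added up
    return remaining == 0


# Constructed sample: the slide's domain SID with its user RID and a made-up group RID
DOMAIN = "S-1-5-21-436374069-1659004503-1417001333"
USER, EMPLOYEES, EVERYONE = DOMAIN + "-34813", DOMAIN + "-1105", "S-1-1-0"
TOKEN = Token(USER, frozenset({EMPLOYEES, EVERYONE}))
DACL = [ACE(EVERYONE, READ, True), ACE(EMPLOYEES, READ | WRITE, True),
        ACE(USER, WRITE, False)]   # deny listed last: non-canonical order
```

With the DACL as listed, the write request is granted before the deny is ever reached; after canonicalize() the same request is refused, which is why the ACL editor always stores explicit denies first.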