Windows 2000 Security. Yingzi Jin. Introduction. Active Directory Group Policy Encrypting File System. What is a Directory Service. A directory is an information source used to store information about objects. Users want to find and use these objects
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Windows 2000 Security Yingzi Jin
Introduction • Active Directory • Group Policy • Encrypting File System
What is a Directory Service • A directory is an information source used to store information about objects. • Users want to find and use these objects • Directory Service makes the information available and usable to the users.
What is Active Directory • Essential and inseparable part of the Windows 2000 network architecture • Provide a directory service for distributed networking environment
Active Directory - Structure • Tree structure make up of objects and containers • Objects represent network resources • users, groups, devices, applications • Containers represent organizations or collections of related objects • marketing department, printers
Active Directory Security • An access-control list(ACL) protects all objects in AD. • An ACL is stored as a binary value, called a security descriptor. • Every object in AD is protected by its own security descriptor.
Active Directory - Authentication • Several options for user authentication: • Kerberos: verifies the clients right to access the network and authenticates the server to the client. • Public Key Infrastructure(PKI): normally done to authenticate external users.
Group Policy • New Capability in Win2K • Defines, manages, and enforces the environment settings for both computer and user objects. • Integrates with AD and can be assigned to AD sites, domains, and organizational units(OUs) • contained in Group Policy Objects(GPO)
Security-related Policies • Account policies - password policies • Local policies - audit policy • File system - permissions for folders and files • System services - permission for system services
Group Policy Objects(GPO’s) • Contain a set of “rules”. • To specify account and password setting, audit capabilities, etc. • Can be applied to Windows 2000 sites, domains, or OU’s.
Active Directory and Group Policy • Group Policy Objects are created to set the rules that govern the domain. • A Default Domain Policy GPO at the highest lever. • Additional GPO’s can be created and applied for each “child OU”
Implement Group Policy • Account policies are domain-wide • GPO’s for account settings defined for lower level OU’s will not work for domain users. • No Override and Block Inheritance Settings • Policy Processed in a hierarchy: • Local GPO’s • GPO’s applied to Sites • GPO’s applied to domain • GPO’s applied to OU’s
Encrypting File System • Integral part of the new NTFS file system. • Users can encrypt/decrypt files on the fly to protect sensitive data from unauthorized access. • Uses a combination of symmetric key and public key encryption.
Encrypting File System • A random file encryption key (FEK) is generated for each file. • Using the FEK, the file is encrypted using DESX • The FEK is encrypted with the user’s public key • Decryption uses the user’s or recovery agent’s private key to get the FEK
Encrypting File System • Protect sensitive files and folders. • Encrypting a directory/folder encrypts all subsequent files • EFS does not cache any of the keys onto the hard disk • EFS does not encrypt required system files and folders
Encrypting File System • EFS need a strong password policy • A Windows 2000 user can delete files encrypted by another user