Windows 2000 Security - PowerPoint PPT Presentation
Presentation Transcript
slide1

Windows 2000 Security

Tom Bahnck

  • Active Directory
  • Kerberos Authentication Protocol
  • Encrypting File System
  • Access Token
  • Security Descriptors
  • Registry

5/4/2004

slide2

Active Directory

Active Directory

Kerberos

Access Token

Descriptors

EFS

Registry

  • Organizes network resources into a directory-like hierarchy in order to propagate access rights
  • Integrates Kerberos authentication protocol
  • Domains, organizational units, groups, objects, access tokens. Ex. objects: user acct, cpu, printer, app, thread, semaphore
  • Consistent internal security policies propagate from parent → child
  • Policy settings assigned (1) at boot time, (2) at sign-on time
  • Clearance checks done in kernel mode, within security subsystem of Win2000


slide3

Kerberos Authentication Protocol


  • At logon – Win2000 Active Directory server sends ticket with client's credentials to Kerberos server
  • Kerberos server responds issuing ticket-granting ticket (TGT), or key, to user. Used to identify the client when requesting network resources.
  • Shared-secret authentication – only client and Kerberos server know key


slide4

Kerberos Authentication Protocol


Kerberos authentication process illustrated


Source: Microsoft Corp. Windows 2000 Security Technical Overview.

slide5

Access Token


  • Security ID (SID) – guaranteed unique for all users
  • Group SIDs – SIDs for groups to which user belongs
  • Privileges – Access control entries (ACEs) for secure services, e.g. backup (ability to back up encrypted files), create new token
  • Access Control List (ACL) – key Win2000 security entity for controlling object access. Contains list of ACEs.
  • Propagates to all child processes
  • Win2000 clearance results cached


slide6

Security Descriptors


  • Flags – descriptor metadata, verify SD validity, origins of ACLs
  • Owner – group or user
  • System Access Control List (SACL) – identifies which type of operations on object should generate audits.
  • Discretionary Access Control List (DACL) – identifies users and actions cleared for object. List of ACEs.
  • Access Control Entry (ACE) – SID & access mask
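The Access Token and Security Descriptors slides describe the pieces (token SIDs, owner, DACL, SACL, ACEs carrying a SID and a 32-bit access mask) but not how the kernel combines them. The following model is an added example written for this page, not code from the presentation or from Windows itself; it reproduces the order-sensitive DACL walk (a matching deny ACE fails the request, matching allow ACEs peel rights off until none remain), the owner's implicit right to read and rewrite the DACL, and the SACL's role in deciding which accesses are audited. The access-mask bit values are the real Win32 constants; the domain SIDs and the object being checked are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Access-mask bits (Win32 values). The low bits are object-specific rights
# (file rights shown here); 0x00010000 and up are the standard rights that
# every securable object shares.
FILE_READ_DATA  = 0x00000001
FILE_WRITE_DATA = 0x00000002
FILE_EXECUTE    = 0x00000020
DELETE          = 0x00010000
READ_CONTROL    = 0x00020000   # read the object's security descriptor
WRITE_DAC       = 0x00040000   # rewrite the object's DACL
FILE_ALL_ACCESS = 0x001F01FF


@dataclass
class Ace:
    sid: str            # SID the entry applies to (user or group)
    mask: int           # 32-bit access mask
    allow: bool = True  # True: access-allowed ACE, False: access-denied ACE


@dataclass
class SecurityDescriptor:
    owner: str
    # None models "no DACL" (everyone is granted everything);
    # an empty list models an empty DACL (nobody is granted anything).
    dacl: Optional[List[Ace]]
    sacl: List[Ace] = field(default_factory=list)   # which accesses to audit


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> Tuple[bool, int]:
    """Return (granted, rights_still_outstanding) for the requested mask."""
    remaining = desired
    # The owner may always read and change the DACL, whatever the ACEs say.
    if token.holds(sd.owner):
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0 or sd.dacl is None:
        return True, 0
    for ace in sd.dacl:                 # ACE order matters: first match wins
        if not token.holds(ace.sid):
            continue
        if not ace.allow:
            if ace.mask & remaining:    # a deny covering any outstanding right ends the check
                return False, remaining
        else:
            remaining &= ~ace.mask      # allow ACEs satisfy rights bit by bit
            if remaining == 0:
                return True, 0
    return False, remaining             # rights left over and no ACE granted them


def audit_events(token: Token, sd: SecurityDescriptor, desired: int, granted: bool):
    """SACL walk: each matching entry whose mask overlaps the request yields an audit record."""
    return [("success" if granted else "failure", ace.sid, ace.mask & desired)
            for ace in sd.sacl if token.holds(ace.sid) and (ace.mask & desired)]


# Well-known SIDs for BUILTIN\Administrators and BUILTIN\Users.
BUILTIN_ADMINS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"
# Constructed domain SIDs for this example (assumption, not real accounts).
ALICE = "S-1-5-21-1004336348-1177238915-682003330-1001"
ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"

# Constructed security descriptor for a report file: deny ACEs sit first
# (canonical order), so Alice's DELETE denial wins over the Users allow ACE.
REPORT_SD = SecurityDescriptor(
    owner=BUILTIN_ADMINS,
    dacl=[
        Ace(ALICE, DELETE, allow=False),
        Ace(BUILTIN_ADMINS, FILE_ALL_ACCESS),
        Ace(BUILTIN_USERS, FILE_READ_DATA | FILE_EXECUTE),
    ],
    sacl=[Ace(BUILTIN_USERS, DELETE | FILE_WRITE_DATA)],   # audit writes/deletes by Users
)
ALICE_TOKEN = Token(ALICE, frozenset({BUILTIN_USERS}))
ADMIN_TOKEN = Token(ADMIN, frozenset({BUILTIN_ADMINS}))


def demo():
    """Run the four checks a practitioner would try and collect the audit records."""
    results = {}
    for name, desired in [("read", FILE_READ_DATA), ("write", FILE_WRITE_DATA),
                          ("delete", DELETE), ("read_sd", READ_CONTROL)]:
        granted, _ = access_check(ALICE_TOKEN, REPORT_SD, desired)
        results[name] = (granted, audit_events(ALICE_TOKEN, REPORT_SD, desired, granted))
    return results


if __name__ == "__main__":
    for name, (granted, events) in demo().items():
        print(f"{name:8s} granted={granted} audits={events}")
```

Alice can read the file through her Users membership, her write is refused because no ACE grants it, and her delete is refused by the explicit deny ACE before the Users allow ACE is even reached; the last two requests also produce failure audit records because the SACL names Users for those rights. The administrator token gets READ_CONTROL and WRITE_DAC from ownership alone, without any ACE being consulted.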


slide7

Security Descriptors


Access Mask: 32 bits, describes security descriptor

Source: Stallings, William. Operating Systems.

slide8

Encrypting File System


  • NTFS dependent, encrypts selected files and directories. Restricts access to owner and admin.
  • Uses CryptoAPI public key and symmetric encryption algorithms. More info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptoapi_system_architecture.asp
  • Encryption automatic on save, decryption automatic on open. Built into file system.
  • Low-level disk reading utility cannot rip information
  • Encryption/decryption key not issued until user logon

slide9

Registry


  • All registry keys have an ACL. Can generate audits.
  • Contain many security keys
  • Example SID value: S-1-5-21-2857422465-1465058494-1690550294-500-0462
  • Components, left to right: always begins with S; version; identifier authority (5 = NT Authority); domain identifier (500 chars max); relative identifier (acct or group)
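A small parser makes the SID layout on this slide concrete: the leading S, the revision, the identifier authority, the sub-authorities that identify the issuing domain, and the trailing relative identifier (RID) naming the account or group. This is an added example for this page, not the presentation's or Microsoft's code; the identifier-authority and well-known RID names are real Windows values, the limit of 15 sub-authorities is the documented SID_MAX_SUB_AUTHORITIES, and the sample SIDs are constructed.

```python
import re
from typing import Dict

# "S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]"
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Identifier authority values named on the slide (5) plus other well-known ones.
IDENTIFIER_AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}

# Well-known RIDs inside an NT Authority domain or the BUILTIN pseudo-domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 544: "Administrators", 545: "Users"}

SID_MAX_SUB_AUTHORITIES = 15   # documented Windows limit
SID_REVISION = 1               # the only revision defined


def parse_sid(text: str) -> Dict[str, object]:
    """Split a textual SID into its fields, rejecting malformed input."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(m.group(1))
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int(m.group(2))
    subs = [int(part) for part in m.group(3).split("-")[1:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return {
        "revision": revision,
        "identifier_authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "sub_authorities": subs[:-1],   # the domain identifier
        "rid": subs[-1],                # the account or group within it
        "rid_name": WELL_KNOWN_RIDS.get(subs[-1], "user-defined"),
    }


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two principals come from one domain when everything but the RID matches."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return (a["identifier_authority"] == b["identifier_authority"]
            and a["sub_authorities"] == b["sub_authorities"])


# Constructed sample SIDs (the domain part is made up for this example).
SAMPLE_ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"
SAMPLE_USER = "S-1-5-21-1004336348-1177238915-682003330-1001"
BUILTIN_ADMINS = "S-1-5-32-544"   # well-known SID

if __name__ == "__main__":
    for sid in (SAMPLE_ADMIN, SAMPLE_USER, BUILTIN_ADMINS):
        print(sid, parse_sid(sid))
    print("same domain:", same_domain(SAMPLE_ADMIN, SAMPLE_USER))
    print("same domain:", same_domain(SAMPLE_ADMIN, BUILTIN_ADMINS))
```

Comparing the domain part rather than the whole string is what lets a registry or file ACL written on one machine be interpreted correctly on another member of the same domain, and why a RID of 500 on its own says nothing about who the principal is until the domain identifier in front of it is checked.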

slide10

Sources

Honeycutt, Jerry. Microsoft Windows XP Registry Guide. Redmond: Microsoft Press, 2003. Note: WinXP built on code base of Win2000 – IP Security, Kerberos, EFS. See: http://www.microsoft.com/windowsxp/pro/evaluation/whyupgrade/featurecomp.asp

Microsoft Corp. Windows 2000 Security Technical Overview. Redmond: Microsoft Corporation, 2000.

Stallings, William. Operating Systems. 4th ed. Upper Saddle River: Prentice-Hall, 2001.

This presentation available at: http://www.csc.villanova.edu/~tbahnck/w2k_security_prez.ppt