A Comparison of the Security of Windows NT and UNIX
Hans Hedbom, Stefan Lindskog, Stefan Axelsson and Erland Jonsson
Originally presented at the Third Nordic Workshop on Secure IT Systems, November
Presented by Clare West

Outline
–Introduction
–Security Comparison
  –Identification
  –Authentication
  –Networking
–Man-in-the-Middle Authentication Attacks on both Windows NT and UNIX
–Conclusion

Introduction
“It has been claimed that the security of Windows NT is far better than that of previous commercial operating systems.”
Compare NT with UNIX:
–Networked Windows NT 4.0
–UNIX with NFS (Network File System) and NIS (Network Information System)

Introduction cont.
Windows NT
–Released in 1992
–Processes
–Threads
–Symmetric multiprocessing
–Distributed computing
–Object model to manage resources
UNIX
–Released in ~1974
–Processes
–Threads
–Symmetric multiprocessing
–Distributed computing
–File model to manage resources

Identification
Windows NT
–Usernames
–Numeric SID (Security IDentifier)
–SID is unique to a Domain
–SIDs are never reused
UNIX
–Usernames
–Numeric UID (User IDentifier)
–UID may not be unique within an NIS domain
–UID may be reused

Authentication
Windows NT
–Passwords
–Stored encrypted in SAM (Security Account Manager); only accessible to Domain Administrators
–Encrypted by DES and MD4
UNIX
–Passwords
–Stored encrypted in /etc/passwd or NIS (Network Information System); accessible to any user
–Encrypted by DES

Authenticating with a UNIX NIS Domain
–Client → Server: yp_match request for alice’s passwd entry
–Server → Client: yp_match response: alice:23:20:sCFNq7Qf8/kwg:Alice Cooper:/home/alice:/bin/tcsh
The password supplied by Alice is encrypted and compared with the encrypted password in the passwd entry supplied by the NIS Server.

Authenticating with a Windows NT Domain
–Alice → Server: Request for Service
–Server → Alice: Challenge - random string
–Alice → Server: Response - encrypted string
Alice encrypts her password and then uses this to encrypt the random string sent by the server. The server encrypts the random string it sent with Alice’s encrypted password and compares this with her response.

Networking
Windows NT
–Logging by computer name, not IP address
–Trust placed in clients not acting maliciously
UNIX
–Address-based authentication
–Trust placed in clients not acting maliciously

A Man-in-the-middle Attack vs UNIX
Goal: Mallory impersonates Alice to the Client
–Client → Server: yp_match request for alice’s passwd entry (Mallory answers in place of the Server)
–Mallory → Client: yp_match response: alice:23:20:FdFNq7Qf85twg:Alice Cooper:/home/alice:/bin/tcsh
Mallory prepares a yp_match response with the encrypted password of his choice.
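The two NIS exchanges above, simulated as an added example (this is not code from the slides or from the paper). The point it makes concrete is where the trust decision sits: the client compares hashes locally against whatever passwd entry came back from yp_match, with no check of who sent it. The hash function, the passwd map, the passwords and the field layout are all constructed for the example; unix_crypt is a hypothetical stand-in for the DES-based crypt(3) of classic passwd entries (two-character salt prefix, as in "sCFNq7Qf8/kwg"), and the entries use the standard passwd(5) field order name:hash:uid:gid:gecos:home:shell.

```python
import hashlib
import hmac


# Hypothetical stand-in for DES crypt(3): the stored field begins with a
# two-character salt, followed by a salted digest (constructed, not real crypt).
def unix_crypt(password, salt):
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


# Constructed NIS passwd.byname map held by the legitimate NIS server.
# Alice's real password is "correct horse" (constructed).
NIS_PASSWD_MAP = {
    "alice": "alice:%s:23:20:Alice Cooper:/home/alice:/bin/tcsh"
             % unix_crypt("correct horse", "sC"),
}


def yp_match_server(key):
    """The legitimate NIS server answering a yp_match request for passwd.byname."""
    return NIS_PASSWD_MAP.get(key)


def mallory_yp_match(key):
    """A forged yp_match response: Mallory answers the client's request instead of
    the real server and supplies the hash of a password he chose ("letmein")."""
    if key == "alice":
        return "alice:%s:23:20:Alice Cooper:/home/alice:/bin/tcsh" % unix_crypt("letmein", "Fd")
    return None


def client_login(username, password, yp_match):
    """Client-side NIS login as on the slide: fetch the entry, hash the supplied
    password with the entry's salt, compare locally. Nothing here authenticates
    the origin of the entry, which is what the forged response exploits."""
    entry = yp_match(username)
    if entry is None:
        return False
    stored = entry.split(":")[1]
    salt = stored[:2]
    return hmac.compare_digest(unix_crypt(password, salt), stored)


def demo():
    """Honest lookup vs. forged response; returns the three outcomes."""
    return {
        "alice_real_server": client_login("alice", "correct horse", yp_match_server),
        "mallory_real_server": client_login("alice", "letmein", yp_match_server),
        "mallory_forged_response": client_login("alice", "letmein", mallory_yp_match),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-26s %s" % (name, ok))
```

Against the real server Mallory's chosen password is rejected; against his own forged response it is accepted, which is why the results slide says the attack gives access to the client at any time and for any user: the attacker controls the only input the client's decision depends on.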

A Man-in-the-middle Attack vs NT
Goal: Mallory impersonates Alice to the Server
–Mallory → Server: Request for Service as Alice
–Server → Mallory: Challenge - random string (A)
–Mallory waits for Alice to attempt to use the Server
–Alice → Mallory: Request for Service
–Mallory → Alice: Challenge - random string (A)
–Alice → Mallory: Response - encrypted string (A)
–Mallory → Server: Response - encrypted string (A)

Man-in-the-Middle Attacks Results
Windows NT
–Allows access to the server as Alice
–Mallory must wait for Alice
–Mallory can only impersonate active users he can spy on
UNIX
–Allows access to the client as Alice
–Mallory can attack at any time
–Mallory can impersonate any user
–Combined with NFS (Network File System), allows access to any file systems exported to the client as any user
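The NT challenge-response exchange and the man-in-the-middle sequence from the two NT slides, simulated as an added example (not code from the slides or the paper). It shows with both sides' messages why the results slide draws the distinction it does: a recorded response cannot simply be reused, because the server issues a fresh random challenge for every request, so Mallory has to be in the path while Alice is actively logging on and hand her the server's challenge. The cryptographic stand-ins are assumptions: password_hash plays the role of NT's MD4 password hash and compute_response the role of DES-encrypting the challenge under it; the account, password and 8-byte challenge length are constructed for the example.

```python
import hashlib
import hmac
import os


def password_hash(password):
    """Stand-in for the stored password hash (NT uses MD4; constructed here)."""
    return hashlib.sha256(password.encode()).digest()


def compute_response(pw_hash, challenge):
    """Stand-in for encrypting the server's challenge under the password hash
    (NT uses DES; a keyed MAC is used here as the constructed equivalent)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """Domain server: issues a fresh random challenge per Request for Service and
    checks the Response against the stored hash for that user."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> password hash (constructed)
        self.pending = {}         # username -> outstanding challenge

    def request_for_service(self, username):
        challenge = os.urandom(8)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, response):
        challenge = self.pending.pop(username, None)
        if challenge is None or username not in self.accounts:
            return False
        expected = compute_response(self.accounts[username], challenge)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, username, password):
        self.username = username
        self.pw_hash = password_hash(password)

    def answer(self, challenge):
        # The Response depends only on the hash and the challenge the client was
        # handed; nothing in it identifies who actually supplied that challenge.
        return compute_response(self.pw_hash, challenge)


def honest_logon(server, alice):
    """Alice → Server: Request; Server → Alice: Challenge; Alice → Server: Response."""
    challenge = server.request_for_service(alice.username)
    return server.verify(alice.username, alice.answer(challenge))


def replay_of_recorded_response(server, alice):
    """Mallory records one of Alice's Responses and sends it again later."""
    challenge = server.request_for_service(alice.username)
    recorded = alice.answer(challenge)
    server.verify(alice.username, recorded)        # Alice's own logon completes
    server.request_for_service(alice.username)     # the server issues a new challenge...
    return server.verify(alice.username, recorded)  # ...so the stale Response is rejected


def relay_as_on_the_slides(server, alice):
    """The sequence from the slide: Mallory asks for service as Alice and receives
    challenge (A); he waits until Alice tries to use the Server (really Mallory),
    gives her (A), and forwards her Response (A) to the Server."""
    challenge_a = server.request_for_service(alice.username)
    response_a = alice.answer(challenge_a)
    return server.verify(alice.username, response_a)


def demo():
    server = Server({"alice": password_hash("correct horse")})
    alice = Client("alice", "correct horse")
    return {
        "honest": honest_logon(server, alice),
        "replay": replay_of_recorded_response(server, alice),
        "relay": relay_as_on_the_slides(server, alice),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-7s %s" % (name, ok))
```

The honest logon succeeds, the replayed Response fails, and the relayed Response succeeds. For a defender this is the property to watch: the server checks only that the Response matches the challenge it issued, so the same Response is equally valid whether Alice or an intermediary delivers it, and the window of exposure is exactly the time Alice is logging on through that intermediary.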

Conclusions
“…the security mechanisms of Windows NT are slightly better than those of UNIX”
“…the two systems display a similar set of vulnerabilities”
“…with the present way of installing and using the systems there seems to be no significant difference between their security level”

Question
What System Security Threats are posed by the Man-in-the-middle attacks presented earlier?
–Interception
–Interruption
–Modification
–Fabrication