Breno de Medeiros, Florida State University, Fall 2005. Windows servers: The NT security model.

Presentation transcript:

Windows servers: The NT security model

NT networks
Networked NT machines can be:
– Primary Domain Controller (centralizes the user database/authentication)
– Backup Domain Controller
– Domain member
– Non-domain member
Trusted domains; trusting resources

Architecture
Modular OS; interfaces (system calls) are available at:
– Integral subsystems
– Environment subsystems
Both run in the "user mode" protection space.

Security viewpoint
Four main components:
– Executive (kernel mode)
– Protected servers (user mode)
– Network subsystem (both kernel and user modes)
– Administrator tools (user mode)

Handle tables
Each process has a table of "object handles" that enable the process to access those resources.
– Maintained by the Object Manager
– Each handle describes the type of access the process has to the object (read, write, etc.)
– The Object Manager ensures that access is granted only if it is compatible with the handle
When a process requests a resource for the first time, the Object Manager asks the Security Reference Monitor to decide whether the process may acquire the handle.

File system protection
Windows NT systems support many file systems, including:
– File Allocation Table (FAT)
– NTFS
– CD-ROM File System (CDFS)
– Named Pipe File System (NPFS)
– Mailslot File System (MSFS)
Only NTFS is protected by the access control system. Use FAT only on diskettes.

Configuration Manager
Keeps the configuration registry.
Stores system configuration information, including the password database (SAM), hardware and initialization information, and OS configuration information.
Entries in the registry are called keys.

Security-related servers
– Winlogon
– Session Manager
– Local Security Authority
– Security Accounts Manager (SAM)
– Service Controller
– Event Logger

Local Security Authority
Local Security Authority Subsystem Service (LSASS):
– Invoked at login time, it verifies the user's authentication and grants the system access token (SAT), which is used to start the initial shell and is inherited by all programs spawned during this login session
– Performs audit functions
– Operates in user mode

Security Account Manager (SAM)
User-mode component.
Maintains the user account database required by the LSA.
Therefore the login sequence requires the following intermediation by security-related services:
– Winlogon → LSA → SAM

SAM and authentication
It is possible to configure a special computer, called a domain controller, to consolidate the SAM database on a single server.
Secure Attention Sequence: a key combination that cannot be captured by user-level programs.
– The system invokes Winlogon, which starts a graphical application (GINA) to handle local and remote connection requests (via the LSA and SAM)

Protection (access control)
Windows NT and later provide discretionary access control (DAC). The unit of control is called an ACE (access control entry). The format of an ACE is as follows:
ACE field: description
– Inheritance control flags (Boolean flags): OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE
– ACE type: ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, SYSTEM_AUDIT_ACE
– ACE type-specific flags: SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG
– Access mask
– SID
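To show how the ACE fields above are actually consumed, here is an added example (not from the slides or from Windows itself) of a simplified DACL access check and ACE inheritance model in Python. The flag and type names follow the Windows SDK; the SIDs in the sample DACL are constructed, and the evaluation rules are a deliberately reduced version of the real algorithm (no SYSTEM_AUDIT_ACE handling, no generic-right mapping).

```python
from dataclasses import dataclass
# Flag and type names/values follow the Windows SDK (winnt.h); the checking
# and inheritance logic is an added, simplified model, not the OS code.
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x01, 0x02
NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE = 0x04, 0x08
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0, 1
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002  # two access-mask bits

@dataclass
class Ace:
    ace_type: int
    flags: int
    mask: int   # access mask: the rights this ACE allows or denies
    sid: str    # trustee SID, e.g. "S-1-5-32-545" (Users)

def access_check(dacl, token_sids, desired):
    """First-match walk of a DACL (deny ACEs are expected to come first):
    access is granted only if every desired bit is allowed before a deny matches."""
    granted = 0
    for ace in dacl:
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token_sids:
            continue  # inherit-only ACEs never apply to the object itself
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE and ace.mask & desired:
            return False
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return False  # an empty DACL, or no matching allow ACE, grants nothing

def inherited_aces(parent_dacl, child_is_container):
    """ACEs a newly created child object receives, per the inheritance flags."""
    inh = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    out = []
    for ace in parent_dacl:
        f = ace.flags
        if child_is_container:
            if not f & inh:
                continue
            # a subfolder keeps the ACE to pass on; it applies to itself only with CONTAINER_INHERIT_ACE
            f = f & ~INHERIT_ONLY_ACE if f & CONTAINER_INHERIT_ACE else f | INHERIT_ONLY_ACE
            if f & NO_PROPAGATE_INHERIT_ACE:
                f &= ~(inh | NO_PROPAGATE_INHERIT_ACE)
        elif not f & OBJECT_INHERIT_ACE:
            continue
        else:  # a file is a leaf: nothing further to propagate
            f &= ~(inh | NO_PROPAGATE_INHERIT_ACE | INHERIT_ONLY_ACE)
        out.append(Ace(ace.ace_type, f, ace.mask, ace.sid))
    return out

USER, USERS = "S-1-5-21-1000-1001", "S-1-5-32-545"  # constructed user SID; Users group
SAMPLE_DACL = [Ace(ACCESS_DENIED_ACE_TYPE, 0, FILE_WRITE_DATA, USER),  # constructed sample
               Ace(ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, FILE_READ_DATA | FILE_WRITE_DATA, USERS)]
```

Note that the non-inheritable deny ACE in SAMPLE_DACL does not reach a child file, so a user denied write on the folder can still write a new file inside it; that is the kind of inheritance gap a permissions review has to look for.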

[Figure] Picture from Final Evaluation of Windows NT Workstations by Science Applications International Corp./Ctr. for Information Security

Windows passwords
Password policies can be established using the User Manager administration tool, which supports the following:
– Password aging
– Minimum password length
– Password uniqueness
– Account lockout features: number of failed logon attempts; how long to lock out an account
Better password protection is offered through passfilt.dll:
– Passwords must be at least six characters long
– Passwords must contain at least three of the following four classes of characters: upper-case letters, lower-case letters, numbers, non-alphanumeric characters (punctuation symbols)
– Passwords cannot match your username or part of your full name listed for the account

Windows passwords
The original Windows password hashing scheme (LM):
– Passwords up to 14 characters long (all upper-cased)
– Computed as two independent hashes on 7-character values
– Highly vulnerable to dictionary-based attacks, with tools such as L0phtCrack
NTLM uses 14 characters for a single hash.
The LM hash is still exported by default for compatibility with older machines on the same network (i.e., placed in the SAM).
NTLMv2 accepts passwords longer than 14 characters; in that case the exported LanManager values are incorrect (backward incompatibility).
– Encrypts password hashes before storing them in the SAM
Recommendation: enforce 15 characters as the minimum password length and disable LM authentication.

Password hash challenge-and-response
Windows machines use hash-based challenge-and-response mechanisms.
This implies that while passwords are required for local login, password hashes can be used for remote authentication.
It also means that, by eavesdropping on the network and capturing challenge/response pairs, an adversary can collect information to perform dictionary and/or brute-force attacks on the password.
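As an added illustration of the slide's point (example code, not the Windows protocol itself), the exchange below models a hash-based challenge and response with both sides' messages. The client's response is computed from the stored hash, so the hash alone authenticates; and since the challenge and response both cross the network in the clear, a captured pair is enough to check password guesses offline with the same verify function the server uses. The hash function is an assumption: SHA-256 over the UTF-16LE password stands in for the real NT hash, and HMAC stands in for the real response computation.

```python
import hashlib
import hmac
import os

def stored_hash(password):
    """Stand-in for the hash the SAM keeps. Assumption: SHA-256 over the UTF-16LE
    password replaces the real NT hash function for this illustration."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def make_challenge():
    return os.urandom(8)  # server's random nonce, sent to the client in the clear

def make_response(pw_hash, challenge):
    """Client side. Note the input: the hash, not the password. Anyone holding the
    hash can answer, which is why SAM contents are password-equivalent."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def verify_response(pw_hash, challenge, response):
    """Server side: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(make_response(pw_hash, challenge), response)

def login(password, server_hash):
    """One full exchange. Returns the (challenge, response) pair an eavesdropper
    would see, plus the server's verdict; a fresh challenge defeats simple replay."""
    challenge = make_challenge()
    response = make_response(stored_hash(password), challenge)
    return challenge, response, verify_response(server_hash, challenge, response)
```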