Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security features of Windows 2000. What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored.

Published bySolomon Shelton Modified over 8 years ago

Similar presentations

Presentation on theme: "Security features of Windows 2000. What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored."— Presentation transcript:

1 Security features of Windows 2000

2 What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored data—of a computer or a group of computers from damage, theft, or unauthorized use. A computer security plan that is well thought out, implemented, and monitored makes authorized computer use easy and unauthorized use or accidental damage difficult or impossible.

3 The security features inherited from Windows NT Secure login with antispoofing measures. Discretionary access controls. Privileged access controls. Address space protection per process. New pages must be zeroed before being mapped in. Security auditing.

4 Secure login with antispoofing measures. Means that the system administrator can require all users to have a password in order to log in. Spoofing is when a malicious user writes a program that displays the login prompt or screen, an innocent user enter a name and password The name and password are then written to disk

5 Secure login with antispoofing measures. Windows 2000 instructs users to hit CTRLALT- DEL to log in. This key sequence is.always captured by the keyboard driver - invokes a system program that puts up the genuine login screen Works because there is no way for user processes to disable CTRL-ALT-DEL

6 Discretionary access controls. – ▫allow the owner of a file or other object to say who can use it and in what way. Privileged access controls ▫allow the system administrator to override them Address space protection ▫each process has its own protected virtual space unaccessible by an unauthorized process Security auditing ▫allows the administrator to produce a log of certain security related events

7 Fundamental concepts Every Windows 2000 user (and group) is identified by a SID (Security ID).

8 Security ID SIDs are binary numbers with a short header followed by a long random component intended to be unique worldwide When a user starts up a process, the process and its threads run under the user‘s SID Makes sure that each object can be accessed only by threads with authorized SIDs

9 Access token Each process has an access token that specifies its SID and other properties assigned at login time by winlogon processes should call GetTokeninformation to acquire this information

10 Header ▫contains some administrative information Expiration time field ▫tells when the token ceases to be valid ▫Not currently used Groups fields ▫specify the groups to which the process belongs DACL (Discretionary ACE) ▫access control list assigned to objects created by the process if no other ACL is specified

11 user SID ▫tells who owns the process restricted SIDS ▫to allow untrustworthy processes to take part in jobs with trustworthy processes but with less power to do damage Privileges ▫give the process special powers, such as the right to shut the machine down or access files to which access would otherwise be denied

12 The privileges split up the power of the superuser into several rights that can be assigned to processes individually. Thus a user can be given a part of superuser power The access token tells who owns the process and which defaults and powers are associated with it.

13 A client thread can pass its access token to a server thread to allow the server to access the client‘s protected files and other objects This mechanism is called impersonation.

14 Security descriptor Every object has a security descriptor Tells who can perform which operations on it Consists of a header followed by a DACL with one or more ACEs (Access Control Elements) two main kinds of elements (Specifies SIDs) ▫Allow ▫Deny

15

16 A security descriptor also has a SACL (System Access Control list) ▫Specifies which operations on the object are recorded in the system-wide security event log.

17 Security API calls

18 Most of the Windows 2000 access control mechanism is based on security descriptors InitializeSecurityDescriptor ▫To create a security descriptor storage for it is first allocated and then initialized using LookupAccountSid ▫If the owner SID is not known, it can be looked up AddAccessAllowedAce, AddAccessDeniedAce ▫ACL entries can be added..etc

19 Other security features

20 Windows 2000 Active Directory Key Distribution Center (KDC) Windows 2000 Domain Controller 1. Insert smart card to reader, activate card with PIN 2. Private key and certificate on card authenticates user to KDC 3. KDC returns TGT response protected by User’s public key certificate TGT 4. Account control option requiring smart card logon per user Smart Card Logon

21 Secure Distributed Services Model Secure Distributed Service Client request Impersonate Client Get object’s security descriptor Get client’s access token Private Data Store Return response Authenticate Client Kernel access check

22 Windows 2000 Active Directory Domain hierarchy: domain tree ▫Organizational Unit (OU) hierarchy within a domain  Users, groups, machines  Domain configuration OU OU Users

23 Active Directory Authentication and Access Control LDAP v3 is core directory access protocol ▫Authenticate using SASL and Kerberos protocol ▫LDAP with SSL/TLS support OU OU Users Bind Request Every object has a unique ACL Every object has a unique ACL Like NTFS folders and files Like NTFS folders and files Security Descriptor

24 Active Directory Security administration Delegation of administration ▫Grant permissions at organizational unit (OU) level ▫Who creates OUs, users, groups, etc. Fine-grain access control ▫Grant or deny permissions on per-property level, or a group of properties  Read property  Write property Per-property auditing

25 Example: Delegation in Action

26 Interoperability Cross Platform Secure 3-Tier App Windows 2000 Professional Smart Card Logon Windows 2000 Server Web Server Solaris UNIX Server Oracle DB Application IIS ISAPI Extension SSPI/Krb AppService GSS/Krb IE5 SSPI/Krb HTTPTCP

27 CryptoAPI (CAPI) Microsoft’s application programming interface allows the developer to access encryption services within the operating system also allows developers to provide their own encryption provider services known as cryptographic service providers (CSPs)

28 Encrypting File System Privacy of data that goes beyond access control ▫Protect confidential data on laptops ▫Configurable approach to data recovery Integrated with core operating system components ▫Windows NT File System - NTFS ▫Crypto API key management Transparent and very high performance

29 EFS Architecture I/O manager EFSEFS NTFSNTFS User mode Kernel mode Win32 layer Applications Encrypted on-disk data storage All key management support Crypto API EFSserviceEFSservice

30 Application Server (target) Windows 2000 Active Directory Key Distribution Center (KDC) Windows 2000 domain controller 4.Present service ticket at connection setup Target 2.Lookup Service, Compose SPN 1.Publish Service Connection Point and SPN TGT 3.Request service ticket for 3.Request service ticket for 5.Mutual auth using unique session key Kerberos Authentication Mutual Authentication

31 Single Sign-On (SSO) Key feature to Windows 2000 authentication User to log on just once to the domain using a single password and then authenticate to any computer within the domain.

32 Managing Security Policy Security settings in local or group policy Local computer policy ▫Audit policy, rights, security options Group Policy in the directory ▫Common computer policies Domain level policies ▫Account policies ▫Public key trust policies

33 Enterprise Framework Integrated with Group Policy management ▫Security settings in group policy ▫Settings applied as part of policy enforcement on each computer

34 Administrators vs. Users Administrators ▫Full control of the operating system ▫Install system components, drivers ▫Upgrade or repair the system Users ▫Cannot compromise system integrity ▫Read-only access to system resources ▫Interactive and network logon rights ▫Can shutdown desktop system

35 Security Features Summary Single sign on with standard protocols ▫Kerberos V5 and X.509 V3 certificates Public key certificate management ▫Enterprise services for PKI rollout Distributed security for applications ▫Authentication, authorization, auditing Active Directory integration ▫Scalable, extensible user account directory

36 THANK YOU

Download ppt "Security features of Windows 2000. What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored."

Similar presentations

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.

Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Understanding Active Directory

Understanding Active Directory
Authentication, Authorization and Accounting

Authentication, Authorization and Accounting
Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation.

Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
OV 11 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

Similar presentations

Ads by Google