Chapter Six Windows XP Security and Access Controls.


1 Chapter Six Windows XP Security and Access Controls

2 Objectives
- Describe the Windows XP security model, and the key role of logon authentication
- Customize the logon process
- Discuss domain security concepts
- Understand the Local Computer Policy

3 Objectives
- Enable and use auditing
- Encrypt NTFS files, folders, or drives using the Encrypted File System (EFS)
- Understand and implement Internet security

4 The Windows XP Security Model
- Windows XP Professional can establish local security when used as a standalone system, or participate in domain security
- Domain security
  - Control of user accounts, group memberships, and resource access for all members of a network
- Password
  - Unique string of characters that must be provided before logon or an access is authorized

5 The Windows XP Security Model
- A user who successfully logs on receives an access token
- Process
  - Primary unit of execution in the Windows XP operating system environment
- Access control list (ACL)
  - List of security identifiers that are contained by a resource object

6 Logon Authentication
- The logon process has two components:
- Identification
  - Requires that a user supply a valid account name (and in a domain environment, the name of the domain to which that user account belongs)
- Authentication
  - Means that a user must use some method to verify his or her identity

7 Logon Authentication
- An access token includes all security information pertaining to that user, including the user’s security ID (SID) and SIDs for each of the groups to which the user belongs
- An access token includes the following components:
  - Unique SID for the account
  - List of groups to which the user belongs
  - List of rights and privileges associated with the specific user’s account

8 Logon Authentication
- Access to the system is allowed only after the user receives the access token
- Each access token is created for one-time use during the logon process
- Once constructed, the access token is attached to the user’s shell process

9 Objects
- In Windows XP, access to individual resources is controlled at the object level
- Object
  - Everything within the Windows XP operating environment is an object
  - Objects include files, folders, shares, printers, processes, etc.

10 Access Control
- The Windows XP logon procedure provides security through the use of the following:
  - Mandatory logon
  - Restricted user mode
  - Physical logon
  - User profiles

11 Customizing the Logon Process
- The WinLogon process can be customized to display some or all of the following characteristics:
  - Retain or disable the last logon name entered
  - Add a logon security warning
  - Change the default shell
  - Enable/Disable the WinLogon Shutdown button
  - Enable automated logon

12 Customizing the Logon Process Figure 6-1: The WinLogon key viewed through Regedit

13 Disabling the Default Username
- By default, the logon window displays the name of the last user to log on
- It is possible to change the default by altering the value of its associated Registry key or Local Security Policy value
- Disabling the default username option presents a blank username field at the logon prompt

14 Adding a Security Warning Message
- Depending on your organization’s security policy, you might be legally obligated to add a warning message that appears before the logon prompt is displayed
- Two Registry or Local Security Policy values are involved in this effort:
  - LegalNoticeCaption
  - LegalNoticeText

15 Changing the Shell
- The default shell is Windows Explorer
- You can change the shell to a custom or third-party application depending on the needs or security policy of your organization

16 Disabling the Shutdown Button
- By default, the Windows XP logon window includes a Shutdown button
- However, in an environment in which users have access to the keyboard and mouse on a Windows XP machine, this option has the potential for unwanted system shutdowns
- Fortunately, this option can be disabled

17 Automating Logons
- To set up an automated logon, the following Registry value entries must be defined and set within the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key:
  - DefaultDomainName
  - DefaultUserName
  - DefaultPassword
  - AutoAdminLogon
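
A defender's check of the Winlogon settings covered in slides 13 to 17, as an added example that is not part of the original presentation: it parses the text of a `reg export` of the Winlogon key and reports values that weaken the logon process. The sample export is constructed; `DontDisplayLastUserName`, `ShutdownWithoutLogon` and `Shell` are the Winlogon value names for the last-username, Shutdown-button and shell settings, which the slides describe without naming.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg export` output for the Winlogon key (not real data).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="LAB"
"DefaultUserName"="kiosk"
"DefaultPassword"="example-only"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"Shell"="C:\\Kiosk\\menu.exe"
'''

def parse_reg_key(text, key_path):
    """Return {lowercased value name: string data} for one key of a .reg export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key_path.lower()
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line) if in_key else None
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name.lower()] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # REG_SZ
        elif raw.startswith("dword:"):
            values[name.lower()] = str(int(raw[6:], 16))               # REG_DWORD
    return values

def audit_winlogon(values):
    """List logon-hardening findings for parsed Winlogon values."""
    findings = []
    if values.get("autoadminlogon") == "1":
        findings.append("automated logon is enabled")
    if values.get("defaultpassword"):
        findings.append("DefaultPassword holds a cleartext password")
    if values.get("dontdisplaylastusername") != "1":
        findings.append("last logon name is displayed")
    if not (values.get("legalnoticecaption") and values.get("legalnoticetext")):
        findings.append("no logon warning message is set")
    if values.get("shutdownwithoutlogon", "1") != "0":
        findings.append("Shutdown button is available before logon")
    shell = values.get("shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append("shell is not Explorer.exe: " + shell)
    return findings

if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_key(SAMPLE_EXPORT, WINLOGON)):
        print("FINDING:", finding)
```

A changed shell is reported for review rather than as a fault, since a custom shell can be a deliberate policy choice.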

18 Automatic Account Lockout
- Disables a user account if a predetermined number of failed logon attempts occur within a specified time limit
- This feature is intended to prevent intrusion by unauthorized users attempting to gain access by guessing a password or launching a dictionary attack
- The default setting in Windows XP is to allow an unlimited number of failed access attempts to a user account without locking out that account
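
The lockout rule on this slide, modelled as an added example that is not part of the original presentation: failed logons are counted per account inside a time limit, and the account is disabled when the count reaches the threshold. The events are constructed, `simulate_lockout` and its parameters are hypothetical names, and clearing the count on a successful logon is an assumption of this model.

```python
from collections import defaultdict, deque

# Constructed logon events: (seconds since start, account, logon succeeded?)
EVENTS = [
    (0, "alice", False), (60, "alice", False), (120, "alice", False),
    (0, "bob", False), (400, "bob", False), (800, "bob", False),
    (0, "carol", False), (10, "carol", False), (20, "carol", True),
    (30, "carol", False), (40, "carol", False),
]

def simulate_lockout(events, threshold, window_s):
    """Return {account: time at which it was locked out}.

    threshold: failed attempts that trigger lockout; 0 models the Windows XP
               default described on the slide (unlimited attempts, never locks).
    window_s:  time limit in seconds within which the failures must occur.
    """
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked = {}
    if threshold <= 0:
        return locked
    for ts, account, ok in sorted(events):
        if account in locked:
            continue                    # account is already disabled
        if ok:
            failures[account].clear()   # assumption: success resets the count
            continue
        recent = failures[account]
        recent.append(ts)
        while ts - recent[0] > window_s:
            recent.popleft()            # drop failures outside the time limit
        if len(recent) >= threshold:
            locked[account] = ts
    return locked

if __name__ == "__main__":
    print(simulate_lockout(EVENTS, threshold=3, window_s=300))
```

With the default of no threshold, the slow guessing against `bob` and the rapid guessing against `alice` both continue indefinitely; with a threshold of 3 in 300 seconds only the rapid run is stopped.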

19 Domain Security Concepts and Systems
- A domain is a collection of computers with centrally managed security and activities
- Domain security
  - Control of user accounts, group memberships, and resource access for all members of a network
- Domain controller
  - Windows 2000.NET Server system with the Active Directory support services installed and configured

20 Kerberos and Authentication Services
- Kerberos version 5
  - An authentication encryption protocol employed by Windows XP to protect logon credentials
- Network authentication
  - Act of connecting to or accessing resources from some other member of the domain network

21 Kerberos and Authentication Services
- The communications that occur during network authentication are protected by one of several methods, including:
  - Kerberos v5
  - Secure Socket Layer/Transport Layer Security (SSL/TLS)
  - NTLM (NT LAN Manager) authentication for compatibility with Windows NT 4.0

22 Kerberos and Authentication Services
- Kerberos version 5 authentication
  - Windows XP uses Kerberos version 5 as the primary protocol for authentication security
- Secure Socket Layer/Transport Layer Security
  - Authentication scheme that is often used by Web-based applications and is supported on Windows XP through IIS
  - SSL functions by issuing an identity certificate to both the client and server

23 Kerberos and Authentication Services
- NTLM (NT LAN Manager) authentication
  - Mechanism used by Windows NT 4.0
  - Windows XP supports this authentication method solely for backward compatibility with Windows NT Servers and Windows NT Workstation clients
  - NTLM is significantly less secure than Kerberos version 5

24 Local Computer Policy
- Combination of controls that in Windows NT existed only in the Registry, through system policies, or as Control Panel applet controls
- Sometimes the local computer policy is called a software policy or an environmental policy or even a Windows XP policy
- No matter what name is actually used, the local computer policy is simply the local system’s group policy

25 Local Computer Policy Figure 6-2: MMC with Group Policy snap-in displaying Local Computer Policy with Security Settings selected on a Windows XP Professional System

26 Computer Configuration
- There are three purposes for using the public key policies:
  - To offer additional controls over the EFS
  - To enable the issuing of certificates
  - To allow you to establish trust in a certificate authority

27 Computer Configuration
- IP Security (IPSec)
  - Security measure added to TCP/IP to protect communications between two systems using that protocol
  - Negotiates a secure encrypted communications link between a client and server through public and private encryption key management
  - Can be used over a RAS or WAN link (through L2TP) or within a LAN

28 Computer Configuration
- The controls available through the Administrative Templates folder include:
  - Controlling security and software updates for Internet Explorer
  - Controlling access and use of the Task Scheduler and Windows Installer
  - Controlling logon security features and operations
  - Controlling disk quotas

29 Computer Configuration
- The controls available through the Administrative Templates folder include (cont.):
  - Managing how group policies are processed
  - Managing system file protection
  - Managing offline access of network resources
  - Controlling printer use and function

30 User Configuration
- The items contained in the User Configuration’s Administrative Templates section include:
  - Internet Explorer configuration, interface, features, and function controls
  - Windows Explorer management (interface, available commands, features)
  - MMC Management
  - Task Scheduler and Windows Installer controls

31 User Configuration
- The items contained in the User Configuration’s Administrative Templates section include (cont.):
  - Start menu and Taskbar features management
  - Desktop environment management
  - Control Panel applet management
  - Offline network access control

32 User Configuration
- The items contained in the User Configuration’s Administrative Templates section include (cont.):
  - Network connection management
  - Logon and logoff script management
  - Group Policy application

33 User Configuration Figure 6-3: The Explain tab of a Local Computer Policy control dialog box

34 User Configuration
- The Policy tab on the Properties dialog box for each control offers three settings:
  - Not configured
  - Enabled
  - Disabled

35 Auditing
- Auditing
  - Security process that records the occurrence of specific operating system events in a Security log
- Event Viewer
  - Utility that maintains application, security, and system event logs on your computer

36 Auditing Figure 6-4: The Security Log viewed through the Event Viewer

37 Auditing Figure 6-5: The security log event detail

38 Encrypted File System (EFS)
- Allows you to encrypt data stored on an NTFS drive
- When EFS is enabled on a file, folder, or drive, only the enabling user can gain access to the encrypted object
- EFS uses a public and private key encryption method

39 Internet Security
- Connecting to the Internet requires that you accept some risk
- Most of the security features used to protect data within a LAN or even on a standalone system can also be leveraged to protect against Internet attacks
- As well, Microsoft has added the Internet Connection Firewall (ICF) to Windows XP

40 Chapter Summary
- Windows XP has object-level access controls that provide the foundation on which all resource access rests
- The Windows XP logon process strictly controls how users identify themselves and log onto a Windows XP machine
- Likewise, WinLogon’s protected memory structures keep this all-important gatekeeper function from being replaced by would-be system crackers

41 Chapter Summary
- WinLogon also supports a number of logon controls
- Key Local Computer Policy settings can be used to block unauthorized break-in attempts
- The local computer policy controls many aspects of the security system as well as enabling or restricting specific functions and features of the operating system

