70-270 MCSE Guide to Microsoft Windows XP Professional Chapter 6

Document Sample
70-270 MCSE Guide to Microsoft Windows XP Professional Chapter 6 Powered By Docstoc
					   70-270: MCSE Guide to
   Microsoft Windows XP
        Professional

      Chapter 6:
Windows XP Security and
    Access Controls
                Objectives
• Describe the Windows XP security model, and the
  key role of logon authentication
• Work with access control and customize the logon
  process
• Disable the default username
• Discuss domain security concepts
• Understand the local computer policy


                70-270: MCSE Guide to Microsoft   2
                    Windows XP Professional
       Objectives (continued)
• Enable and use auditing
• Encrypt NTFS files, folders, or drives using the
  Encrypting File System (EFS)
• Understand and implement Internet security




                 70-270: MCSE Guide to Microsoft     3
                     Windows XP Professional
    The Windows XP Security
            Model

• User must logon with:
   • Valid user ID
   • Password
• User receives access token
• Access token
   • String of bits representing user
   • Attached to processes

                     70-270: MCSE Guide to Microsoft   4
                         Windows XP Professional
    The Windows XP Security
       Model (continued)

• Access token
  • Compared with ACL (Access Control List)
• Domain security
  • Centered on Active Directory




                  70-270: MCSE Guide to Microsoft   5
                      Windows XP Professional
             Active Directory
• Centralized database containing:
   • Security
   • Configuration
   • Communication information
• Manages:
   • Information about domain
   • Resources shared by network



                  70-270: MCSE Guide to Microsoft   6
                      Windows XP Professional
        Logon Authentication
• Logon is mandatory
• Logon process components:
   • Identification
   • Authentication
• Password authentication typically used
• Access token attached to shell process



                  70-270: MCSE Guide to Microsoft   7
                      Windows XP Professional
                            Shell
• Defines environment inside which user executes
  programs or spawns other processes
• Default:
   • Windows Explorer
   • Defines desktop, start menu, etc.




                    70-270: MCSE Guide to Microsoft   8
                        Windows XP Professional
         Resources as Objects
• Access to individual resources controlled at object
  level
• Everything in environment is an object
• Identified by type
• Type determines
   • Permitted range of contents
   • Kinds of operations



                   70-270: MCSE Guide to Microsoft   9
                       Windows XP Professional
         Resources as Objects
             (continued)

• Service
   • How object can be manipulated
• Attributes
   • Named characteristics




                   70-270: MCSE Guide to Microsoft   10
                       Windows XP Professional
                Access Control
• Logon process
    • Initiated with Ctrl+Alt+Delete
    • Hardware interrupt cannot be imitated
•   Mandatory logon
•   Restricted user mode
•   Physical logon
•   User profiles


                    70-270: MCSE Guide to Microsoft   11
                        Windows XP Professional
Customizing the Logon Process
• Administrator can alter default process
• Winlogon process:
   •   Produces logon dialog box
   •   Controls automated logon
   •   Warning text
   •   Display of Shutdown button
   •   Display of last user to log onto system



                      70-270: MCSE Guide to Microsoft   12
                          Windows XP Professional
        Disabling the Default
             Username

• Logon window
  • Displays name of the last user to logon
• Can be unsecure
• DontDisplayLastUserName Regisry setting
• Edit with:
  • Local Computer Policy utility


                   70-270: MCSE Guide to Microsoft   13
                       Windows XP Professional
   Adding a Security Warning
            Message

• Might be legally obligated to add a warning
  message
• Settings in Registry:
   • LegalNoticeCaption
   • LegalNoticeText




                  70-270: MCSE Guide to Microsoft   14
                      Windows XP Professional
          Changing the Shell
• Default shell
   • Windows Explorer
• Change Registry setting




                  70-270: MCSE Guide to Microsoft   15
                      Windows XP Professional
Disabling the Shutdown Button
• Windows XP logon window includes Shutdown
  button
• Potential for unwanted system shutdowns
• ShutdownWithoutLogon Registry setting
• Users can still physically power-off machine
• Winlogon settings for:
  • Laptop Sleep mode
  • Other advanced shutdown settings

                 70-270: MCSE Guide to Microsoft   16
                     Windows XP Professional
          Automating Logons
• Values for username and password can be coded
  into Registry to automate logons
• Registry settings:
  •   DefaultDomainName
  •   DefaultUserName
  •   DefaultPassword
  •   AutoAdminLogon



                 70-270: MCSE Guide to Microsoft   17
                     Windows XP Professional
  Automatic Account Lockout
• Disables account
   • Predetermined number of failed logins
   • Predetermined amount of time
• Default:
   • Unlimited number of attempts




                   70-270: MCSE Guide to Microsoft   18
                       Windows XP Professional
Domain Security Concepts and
          Systems

• Domain
   • Collection of computers with centrally managed
     security and activities
• Offers:
   • Increased security
   • Centralized control
   • Broader access to resources


                   70-270: MCSE Guide to Microsoft    19
                       Windows XP Professional
   Domain Security Overview
• Control of:
   • User accounts
   • Group memberships
   • Resource access
  for all members of a network instead of only a
  single computer




                 70-270: MCSE Guide to Microsoft   20
                     Windows XP Professional
          Domain Controller
• Windows 2000 Server
• Windows Server 2003 system
• Active Directory support services installed and
  configured




                 70-270: MCSE Guide to Microsoft    21
                     Windows XP Professional
  Kerberos and Authentication
            Services

• Authentication conditions:
   • Interactive logon
      • Press attention sequence
      • Enter username and password
   • Network authentication
      • Attempt to connect to or access resources from some other
        member of the domain network




                     70-270: MCSE Guide to Microsoft                22
                         Windows XP Professional
  Kerberos and Authentication
     Services (continued)
• Kerberos version 5:
   • Used for communication between local system and
     domain controller
   • May be used in network authentication
   • Primary protocol for authentication security
   • Verifies identify of client and server
   • Designed to allow two parties to exchange private
     information across an open network
   • Assigns unique key to each user that logs on to network

                   70-270: MCSE Guide to Microsoft        23
                       Windows XP Professional
 Kerberos and Authentication
    Services (continued)
• Secure Socket Layer/Transport Layer Security
  (SSL/TLS)
   • Authentication scheme often used by Web-based
     applications
   • Supported on Windows XP through IIS (Internet
     Information Server).
   • Uses third-party Certificate Authority
   • Client sends its certificate to the server
   • Uses encrypted communication link

                  70-270: MCSE Guide to Microsoft    24
                      Windows XP Professional
 Kerberos and Authentication
    Services (continued)

• NTLM (NT LAN Manager) authentication
  • Used by Windows NT 4.0
  • Supported by XP for backwards compatibility
  • Uses static encryption level (40-bit or 128-bit) to
    encrypt traffic between a client and server
  • Less secure than Kerberos



                   70-270: MCSE Guide to Microsoft        25
                       Windows XP Professional
       Local Computer Policy
• Combination of controls
   • System policies
   • Control panel applets
   • Registry settings
• Other names:
   • Software policy
   • Environmental policy
   • Windows XP policy


                   70-270: MCSE Guide to Microsoft   26
                       Windows XP Professional
       Local Computer Policy
            (continued)

• Local system’s group policy
• Effective policy:
   • Result of combination of all group policies applicable
     to system
• Controlled on a domain basis on a Windows
  domain controller
• Add Global Policy snap-in to MMC

                    70-270: MCSE Guide to Microsoft           27
                        Windows XP Professional
       Local Computer Policy
            (continued)
• Local Group Policy tool
   • Also called Local Security Policy tool
   • Accessed from Administrative Tools
• Local computer policy contents:
   • Determined during installation
   • Based on:
      • System configuration
      • Existing devices
      • Selected options and components

                    70-270: MCSE Guide to Microsoft   28
                        Windows XP Professional
       Local Computer Policy
            (continued)
• Custom policies:
   • Created through the use of .adm files
• Local group policy:
   • System.adm file
• Local Computer Policy snap-in
   • Divided into two sections:
      • User Configuration
      • Computer Configuration
   • Contains over 300 individual controls
                  70-270: MCSE Guide to Microsoft   29
                      Windows XP Professional
    Computer Configuration
• Subnodes:
  • Software Settings
  • The Windows Settings folder:
     • Scripts
     • Security Settings
  • Administrative Templates folder




                   70-270: MCSE Guide to Microsoft   30
                       Windows XP Professional
           Public Key Policies
• Three purposes
  • Offers additional controls over the Encrypting File
    System (EFS)
  • Enables the issuing of certificates
  • Allows you to establish trust in a certificate authority




                   70-270: MCSE Guide to Microsoft             31
                       Windows XP Professional
          IP Security Policies
• Security measure added to TCP/IP
• Protects communications between two systems
  using that protocol
• Can be used over a RAS or WAN link
• Creates a secured point-to-point link between two
  systems
• Configured and enabled with Advanced TCP/IP
  Settings dialog box

                 70-270: MCSE Guide to Microsoft   32
                     Windows XP Professional
IP Security Policies (continued)
• Modes:
   • Transport
   • Tunneling
• Predefined IPSec policies:
   • Client (Respond Only)
   • Server (Request Security)
   • Secure Server (Require Security)



                   70-270: MCSE Guide to Microsoft   33
                       Windows XP Professional
IP Security Policies (continued)
• Authentication methods:
  • Kerberos version 5
     • Default and preferred
  • Public key certificate authentication
  • Preshared key
     • Less secure




                     70-270: MCSE Guide to Microsoft   34
                         Windows XP Professional
    Administrative Templates
• Offer controls on a wide range of environmental
  functions and features
• Registry based group policy information
• Used to overwrite Registry to force compliance
  with group policy




                 70-270: MCSE Guide to Microsoft    35
                     Windows XP Professional
         User Configuration
• Subfolders:
  • Software Settings
  • Windows Settings folder
  • Administrative Templates folder




                  70-270: MCSE Guide to Microsoft   36
                      Windows XP Professional
   Security Configuration and
          Analysis Tool
• MMC snap-in
• Used to:
   •   Analyze
   •   Configure
   •   Export
   •   Validate
  system security based on a security template
• Seven predefined security templates

                   70-270: MCSE Guide to Microsoft   37
                       Windows XP Professional
   Security Configuration and
    Analysis Tool (continued)

• Checks system’s current configuration against
  selected security template
• Produces a report of discrepancies
• Apply security templates to system




                 70-270: MCSE Guide to Microsoft   38
                     Windows XP Professional
                      Secedit
• Command-line version of Security Configuration
  and Analysis tool
• Favored by administrators
• Can be scripted
• Four functions:
  •   Analyze
  •   Configure
  •   Export
  •   Validate
                  70-270: MCSE Guide to Microsoft   39
                      Windows XP Professional
                     Auditing
• Security process
• Records occurrence of specific operating system
  events inSecurity log
• Every object has audit events related to it
• Event Viewer
   • Maintains logs about:
      • Application events
      • Security events
      • System events



                   70-270: MCSE Guide to Microsoft   40
                       Windows XP Professional
Event Properties Dialog Box




        70-270: MCSE Guide to Microsoft   41
            Windows XP Professional
      Encrypting File System
• Allows you to encrypt data stored on an NTFS
  drive
• Only enabling user can gain access to encrypted
  object
• Enabled using Properties dialog
• Uses public and private key encryption method
• Encryption process is invisible to user


                 70-270: MCSE Guide to Microsoft    42
                     Windows XP Professional
      Encrypting File System
           (continued)

• Recovery Agent
  • Used to recover encrypted files
  • Required for EFS to function
• CIPHER
  • Command-line tool for batch processing of encryption




                  70-270: MCSE Guide to Microsoft          43
                      Windows XP Professional
             Internet Security
• Risks
   • Unwittingly downloading Trojan horses or viruses,
   • Accepting malicious e-mail
   • Allowing a remote cracker to take complete control of
     your computer
• Protection:
   • Security features for standalone or LAN system
   • Internet Connection Firewall


                   70-270: MCSE Guide to Microsoft           44
                       Windows XP Professional
                  Summary
• Object-level access controls
• Winlogon controls how users logon
• Local computer policy controls many aspects of
  the security system as well as enabling or
  restricting specific functions and features of the
  operating system
• Encrypting File System (EFS) protects data with
  an encryption system

                  70-270: MCSE Guide to Microsoft      45
                      Windows XP Professional