Presentation on theme: "TNQ400-05."— Presentation transcript:

1 TNQ400-05

2 Understanding Windows® 2000 Security  <Name>  <Title>  Microsoft Corporation

3 Session Prerequisites. This session assumes you already have a basic knowledge of: Windows 2000 Active Directory™; Windows security. Difficulty level: 200.
To get the most from this session, you should have a basic understanding of these topics: Windows 2000 Active Directory and Windows security. This is a level 200 session that covers a fairly wide range of topics in a short time-frame.

4 What You Will Learn Today. The Kerberos authentication protocol; Active Directory group policy; public key infrastructure; using PKI for secure Web access; using PKI for secure S/MIME e-mail; hardening your environment against common intrusions.
We have a lot to show you today. We will present the techniques you need to plan and implement security in your Windows 2000 environment. The topics we will cover are: the Kerberos authentication protocol; Active Directory and group policies; public key infrastructure, including the Certificate Authority, certificate management, and smart card enrollment and logon; using PKI for secure Web access; using PKI for secure S/MIME e-mail; securing your environment against common threats.

5 One Security Model. Shared-secret protocols: Windows NTLM authentication (compatibility in mixed domains); Kerberos V5 for enterprise networks. Public-key protocols: Secure Sockets Layer (SSL) / Transport Layer Security (TLS); IP security. Multiple ways to authenticate to Active Directory.
Windows 2000 supports one security model by providing both Windows NTLM and Kerberos authentication. Kerberos version 5 is the default for network authentication on computers with Windows 2000, while NTLM is retained in Windows 2000 for compatibility with downlevel clients and servers. NTLM is also used to authenticate logons to standalone computers with Windows 2000. Computers with Windows 3.11, Windows 95, Windows 98, or Windows NT 4.0 will use the NTLM protocol for network authentication in Windows 2000 domains. Additionally, public key certificate protocols such as SSL (Secure Sockets Layer), TLS (Transport Layer Security) and IPSec (IP Security) are supported by Windows 2000.

6 Architecture for Multiple Authentication Protocols. Diagram: directory-enabled applications using ADSI; mail, chat, news; Internet Explorer, Internet Information Server; DCOM applications; remote file access. Protocols: CIFS/SMB, secure RPC, HTTP, LDAP, POP3/NNTP. SSPI. Providers: NTLM (MSV1_0/SAM), Kerberos (KDC/DS), SChannel SSL/TLS, DPA (membership services).
The architecture for multiple providers is hinged on SSPI (Security Support Provider Interface). The security providers are: NTLM, which interacts with the SAM database; Kerberos, which interacts with the KDC (Key Distribution Center) and Directory Services; SSL/TLS, which interacts with the CA (Certification Authority); and DPA (Distributed Password Authentication), which interacts with membership services such as Site Server. These security providers support a variety of services: CIFS/SMB for remote file access (CIFS = Common Internet File System, SMB = Server Message Block); secure RPC for COM/DCOM; HTTP for IIS and IE; LDAP for directory-enabled applications that use ADSI (Active Directory Services Interface); POP3 and NNTP for mail, chat and news.

7 Kerberos Quiz. Why does Windows 2000 use Kerberos for security? It is standards-based; better network performance; mutual authentication; delegated authentication.
Standards: The implementation of the Kerberos protocol in Windows 2000 closely follows the specification defined in the Kerberos V5 Internet RFC. In addition, the mechanism and format for passing security tokens in Kerberos messages follows the specification defined in Internet RFC 1964. Windows 2000 implements extensions to the Kerberos protocol that permit initial authentication using public key certificates rather than conventional shared secret keys. The extensions for public key authentication are based on a draft specification submitted to the IETF (Internet Engineering Task Force). Better network performance: With NTLM authentication, an application server must connect to a domain controller in order to authenticate each client. With Kerberos authentication, the server does not need to go to a domain controller. It can authenticate the client by examining credentials presented by the client. Clients can obtain credentials for a particular server once and reuse them throughout a network logon session. Mutual authentication: NTLM allows servers to verify the identities of their clients. It does not allow clients to verify a server's identity, or one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption. Parties at both ends of a network connection can know that the party on the other end is who it claims to be. Delegated authentication: The Kerberos protocol has a proxy mechanism that allows a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.

8 Kerberos Authentication: Logon. Diagram: Key Distribution Center (KDC) on a Windows 2000 domain controller; Windows 2000 Active Directory; TGT. 1. Locate the Active Directory and the Kerberos KDC for the domain using a DNS lookup. 2. Authenticate the user and obtain a ticket-granting ticket (TGT) from the KDC. 3. Use the TGT to request session tickets, carrying the user's authorization data, for the workstation.
In Kerberos, rather than sharing a password, communication partners share a cryptographic key, and they use knowledge of this key to verify one another's identity. For the technique to work, the shared key must be symmetric: a single key must be capable of both encryption and decryption. One party proves knowledge of the key by encrypting a piece of information, the other by decrypting it. Kerberos was a figure in classical Greek mythology, a fierce, three-headed dog who guarded the gates of the Underworld. Like Kerberos the guard, Kerberos the protocol has three heads: a client, a server, and a trusted third party to mediate between them. The trusted intermediary in the protocol is known as the Key Distribution Center (KDC). Kerberos authenticates the user by locating the Active Directory and Key Distribution Center (KDC) for the domain using a DNS lookup. The workstation runs the user's password through a hashing algorithm and uses the result to request a Ticket Granting Ticket from the KDC. The KDC determines the user from the Active Directory, validates the user and returns the TGT to the workstation. The TGT is sent only once for the logged-on user (until the TGT expires or the user logs off). The TGT is cached by the LSA (Local Security Authority).

9 Ticket-Granting Ticket. The first ticket is a ticket-granting ticket. It is used by the client to obtain tickets for other services. It contains authorization data based on group membership and privileges. The TGT is encrypted in a user key that the KDC recognizes; decrypting it requires knowledge of the password or the smart card PIN. Tickets are held in a ticket cache managed by the Local Security Authority (LSA).
Initial logon results in the user obtaining a TGT. The TGT can be used to obtain additional tickets to communicate with other domain services. To use the TGT, the user must prove knowledge of a password or a smart card PIN in order to decrypt the KDC's response. Tickets are managed by the Local Security Authority in a secure cache that does not persist beyond the logon session.

10 Kerberos Authentication: Network Server Connection. Diagram: application server (target); Key Distribution Center (KDC) on a Windows 2000 domain controller; Windows 2000 Active Directory; TGT; ticket. 1. Send the TGT to the KDC and request a session ticket for the target server. 2. Present the session ticket during connection setup. 3. Verify the session ticket issued by the KDC.
1. When a client program attempts to access a network service, the Kerberos run-time checks the ticket cache for a valid session ticket to the server. If a ticket is not available, the TGT is sent in a request to the KDC for a session ticket that allows access to the server. 2. The Kerberos session ticket is presented to the remote service during the initial connection message. 3. The server can quickly authenticate the client by verifying the session ticket without going to the authentication service, because the Kerberos run time for the server has a cached copy of the server's secret key. The session ticket is added to the ticket cache and may be reused for future connections to the same server until the ticket expires. The ticket expiration period is defined by domain security policy and is usually set for about eight hours. If the session ticket expires during the middle of an active session, the Kerberos security provider returns appropriate error values that allow the client and server to refresh the ticket, generate a new session key, and resume the connection.
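The three slides above (logon, the TGT, and the server connection) describe one round trip: the KDC answers a logon with a TGT that only the password holder can open, the TGT is later traded for a session ticket, and the server checks that ticket against its own long-term key without contacting the KDC. The following toy model is an added illustration, not Microsoft's code or the real protocol encoding: seal()/unseal() stand in for Kerberos's symmetric encryption, and every principal name and password is constructed.

```python
"""Toy model of the Kerberos flow on slides 8-10: logon yields a TGT, the TGT buys a
session ticket, and the server checks that ticket with its own key. Added illustration,
not Microsoft's code; seal()/unseal() stand in for the protocol's symmetric encryption."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600  # slide 10: set by domain policy, usually about eight hours


def derive_key(password):
    # Slide 8: the workstation hashes the password to obtain the user's key.
    return hashlib.sha256(password.encode()).digest()


def seal(key, payload):
    """Toy authenticated encryption (SHAKE keystream + HMAC tag); illustrative only."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Recovers the payload only for the exact key it was sealed with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self):
        self.krbtgt_key = os.urandom(32)  # TGTs are sealed with this; only the KDC reads them
        self.principals = {}

    def register(self, name, password):
        self.principals[name] = derive_key(password)

    def authenticate(self, user):
        """Slide 8, step 2: issue a TGT; the reply is sealed with the user's key."""
        tgt_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": user, "key": tgt_key.hex(),
                                     "expires": time.time() + TICKET_LIFETIME})
        return seal(self.principals[user], {"tgt": tgt.hex(), "tgt_key": tgt_key.hex()})

    def service_ticket(self, tgt, service):
        """Slide 10, step 1: trade a TGT for a session ticket to `service`."""
        body = unseal(self.krbtgt_key, tgt)
        if body["expires"] < time.time():
            raise ValueError("TGT expired")
        svc_key = os.urandom(32)
        ticket = seal(self.principals[service], {"client": body["client"], "key": svc_key.hex(),
                                                 "expires": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(body["key"]), {"ticket": ticket.hex(), "svc_key": svc_key.hex()})


def workstation_logon(kdc, user, password):
    """Slide 9: only someone who can decrypt the KDC reply can use the TGT."""
    reply = unseal(derive_key(password), kdc.authenticate(user))
    return {"user": user, "tgt": bytes.fromhex(reply["tgt"]), "tgt_key": bytes.fromhex(reply["tgt_key"])}


def workstation_connect(kdc, creds, service):
    """Slide 10, steps 1-2: get a session ticket and the authenticator presented with it."""
    reply = unseal(creds["tgt_key"], kdc.service_ticket(creds["tgt"], service))
    authenticator = seal(bytes.fromhex(reply["svc_key"]), {"client": creds["user"], "time": time.time()})
    return bytes.fromhex(reply["ticket"]), authenticator


def server_accept(service_key, ticket, authenticator):
    """Slide 10, step 3: the server validates the ticket with its cached key; no KDC round trip."""
    body = unseal(service_key, ticket)
    if body["expires"] < time.time():
        raise ValueError("session ticket expired")
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    if auth["client"] != body["client"] or abs(time.time() - auth["time"]) > 300:
        raise ValueError("authenticator does not match the ticket")
    return body["client"]


def rejects(action):
    # True if `action` raises ValueError: a wrong password, a forged ticket, an expired one.
    try:
        action()
    except ValueError:
        return True
    return False


def demo():
    kdc = KDC()
    kdc.register("alice", "correct horse battery")          # constructed user
    kdc.register("cifs/fileserver", "svc-long-random-pw")  # constructed service principal
    creds = workstation_logon(kdc, "alice", "correct horse battery")
    ticket, authenticator = workstation_connect(kdc, creds, "cifs/fileserver")
    # The file server holds its own long-term key locally and never calls the KDC here.
    return server_accept(derive_key("svc-long-random-pw"), ticket, authenticator)
```

Two properties worth noticing when running demo(): a wrong password never produces an error message from the KDC, the reply simply cannot be opened on the workstation (so an attacker learns nothing from the KDC reply beyond what the password unlocks), and the file server authenticates the client using only the key it already holds, which is the performance point made in the slide 7 notes.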

11 Delegation with Kerberos. Diagram: Server 1; Server 2; Key Distribution Center (KDC) on a Windows NT domain controller; Windows NT directory server. 1. Request a session ticket for Server 1 from the KDC with the proxy flag set. 2. Present the session ticket. 3. Impersonate the user and request a ticket for Server 2. 4. Session ticket for Server 2.
The difference in this scenario from the previous example of a network server connection is that the session ticket is requested with the Proxy flag enabled. The session ticket is presented to the server upon connection. Server 1 impersonates the user that presented the session ticket and requests a session ticket for connecting to Server 2.

12 Uses of Kerberos Authentication. LDAP to Active Directory; CIFS/SMB remote file access; secure dynamic DNS update; Distributed File System management; host-to-host IP security using IKE; secure intranet Web services in IIS; authenticating certificate requests to an enterprise CA; DCOM/RPC security provider.

13 Kerberos Interoperability with UNIX. Based on the Kerberos V5 protocol, RFC 1510 and RFC 1964 formats. Windows NT® DS manages the KDC. UNIX clients to UNIX servers; UNIX clients to Windows NT servers; Windows NT clients to UNIX servers. Simple cross-realm authentication from a UNIX realm to a Windows NT domain.
A trust relationship can be established between a domain and an MIT-based Kerberos realm. This means that a client in a Kerberos realm can authenticate to an Active Directory domain to access network resources in that domain. Within a domain, UNIX clients and servers can have Active Directory accounts, and therefore obtain authentication from a domain controller. Interoperability issues: domestic and international cryptography. 56-bit DES and 3DES are not exportable for bulk data encryption; 56-bit DES is used for exportable authentication, and a 40-bit session key is used for bulk data. Kerberos interoperability for message integrity and encryption requires the North American version of Windows NT.

14 Cross-Platform Strategy: Kerberos v5 Interoperability. Diagram: Windows NT workstation (application protocol, SSPI, Kerberos SSP); UNIX server (application protocol, GSS-API, GSS Kerberos mechanism); Windows NT KDC; UNIX KDC.

15 Cross-Platform Strategy: Public Key Interoperability and Client Authentication. Diagram: UNIX client (HTTPS application, SSL API?, SSL 3.0 or TLS); Windows NT server (ISAPI application, SSPI, SChannel SSP, SSL 3.0 or TLS); trusted CA.

16 Using UNIX KDCs with Windows NT Authorization. Diagram: COMPANY.REALM (UNIX KDC); nt.company.com (Windows NT KDC); UNIX workstation; Windows NT Server. 1. TGT. 2. TGT, name mapped to an NT account. 3. Ticket carrying NT authorization data.

17 Mainframe Single Sign-On. Diagram: PDC of the master domain; host accounts cache; PDC of the resource domain; SNA Server; Windows NT Workstation; attach (MC_Allocate, MS$SAME, CPROD32, *****).
The previously discussed methods of providing SSO did so by means of open-industry standards like the Kerberos and SSL protocols. However, a member of the Microsoft BackOffice family of products, SNA Server, works in conjunction with proprietary security protocols implemented by packages such as RACF, ACF2, and Top Secret to provide SSO between Windows NT-based networks and MVS/ESA and AS/400 mainframe systems. SNA Server is packaged with Proginet SecurePass, and the two products work in tandem. SecurePass provides password synchronization services that ensure that a user's security credentials are always identical on both systems. This allows SNA Server to perform password stuffing. When the mainframe's security provider requires authentication, SNA Server supplies the user's Windows NT password (which is identical to his mainframe password because of the password synchronization) via an automated 3270 or 5250 logon.

18 Kerberos Demo. Kerberos configuration; the default security provider for IPSec. Demo…

19 Active Directory Security Features. Organizational units (OUs) organize the directory namespace: users, groups and computers in different containers. Directory object security: per-attribute access control; per-attribute auditing. Delegation of administration: delegate responsibility to an OU; manage objects by type. Authenticated directory queries.

20 Active Directory Security Features. Domain hierarchy: the domain tree. Organizational unit (OU) hierarchy within a domain: users, groups, computers. Diagram: domain configuration; OU; OU; user.

21 Active Directory Demo. Create an OU and a user; delegate administration. Demo…

22 Distributed Security Policy. Centrally managed security policy, globally available: domain-wide policy; local computer policy. Local policy is implemented on the computers in the domain. Manageability; scalability; distributed control.

23 Hierarchical Policy Settings. Domain-level policy (1); OU-level policy (2); OU-level policy (3). Policy applied to a computer combines multiple policy objects.
Hierarchical set of group policy objects: Domain Policy Objects (GPOs); Organizational Unit Policy Objects (GPOs). Computers in the same OU have the same security policy settings, for example DCs, desktops, application servers. Policy applied to a computer combines multiple policy objects.

24 Implementing Enterprise Policy. On each computer, policy is applied as part of GPO processing. Policy propagation default intervals: Workstation/Server: 90 minutes; Domain Controller: 5 minutes. Triggered automatically at machine boot (before Ctrl+Alt+Del), or manually with Secedit /refreshPolicy machine_policy. Policy is applied only if it has changed.

25 Security Configuration. Covers the security areas: account policies (password, lockout, Kerberos); local policies (auditing, user rights, …); restricted groups (Administrators, Power Users, …); registry and file system (security descriptors); services (startup mode and security descriptors).

26 Security Configuration Tool Set. Security Configuration Editor: define security configurations; predefined configurations included. Security Configuration Manager: apply configurations and perform analysis. Security extension of the Group Policy Editor: push a configuration to many systems. SecEdit.exe: command-line tool.
Security configuration is part of Group Policy. Group Policy for a computer includes the security configuration. The security configuration is applied at startup.

27 Policy Demo. Group Policy Editor: security policy; policy levels. Defining a security configuration: predefined configurations; security templates; security analysis. Demo…
Available policies for the Group Policy Editor on a DC: Default Domain Controllers Policy; Default Domain Policy; Local Policy. Predefined configurations: Default Configuration (workstation, server and domain controllers); Application-Compatible Configuration (workstation and server); Secure Configuration (workstation and server); Highly Secure Configuration (workstation, server and DCs).

28 Policy Best Practices. Carefully design the directory and apply policy at the OU level. Define a security configuration once and apply it many times. Periodically analyze security against a baseline configuration chosen by the administrator. For Windows NT 4.0 (SP4) security configuration, use the command-line tool (secedit.exe) with Scheduled Tasks so the job runs off-hours. Tip: use Secedit /refreshpolicy machine_policy /enforce to force a refresh of the policy settings.

29 Policy Quiz. How do you give a specified set of users high security? Use OUs in the DS; use the supplied high-security workstation template; use security analysis.

30 Public Key Architecture. Windows 2000 diagram: applications; Authenticode; certificate management services; message standards (PKCS); secure channel; network APIs; SSPI; CryptoAPI; software CSPs; hardware; smart card; reader.
CryptoAPI encompasses both algorithm support such as RSA and DES as well as certificate management such as storage and revocation checking. Authenticode is really a toolset for developers to support software publishing both internally on an intranet and externally on the Internet. Smart card support includes both cards and readers and is intended to provide a consistent model for how these devices interface to the PC.

31 PKI Components. Active Directory; Certificate Services; trust management services; policy management services; CryptoAPI APIs and protected storage.
Infrastructure has minimal value without applications. The Windows 2000 public key infrastructure is self-supporting: it provides functions used by other core infrastructure services, e.g. trust support.

32 PK Applications. Windows 2000 includes many PK applications: client authentication (SSL/TLS); Web server authentication and encryption; encrypted and signed e-mail (S/MIME); digitally signed content; driver code signing; file-system-level disk encryption (EFS); smart card logon; network-level authentication and encryption (IPSec); remote access (dial-up and VPN); authenticated directory access (LDAP over SSL); a development framework for other applications.

33 Certificate Authority. Issues certificates for server authentication, client authentication, secure e-mail, …. Integrated with Active Directory: publishes certificates, CRLs and CA information. Certificate enrollment via an ActiveX® control, a Win32® wizard, or HTTP.
When a CA is installed, information about it is automatically published in the Active Directory, if present. The information published includes the CA root certificate, certificate templates and the Certificate Revocation List. The types of CAs to install and the types of certificates to issue are the major deployment considerations that customers need to deal with. Types of CAs are distinguished by their policy module: Enterprise, Standalone, Exchange.

34 Smart Card Logon. Diagram: LSA; Kerberos; KDC; smart card reader. 1. Inserting the smart card causes Winlogon to display the GINA. 2. The user enters the PIN. 3. The GINA passes the PIN to the LSA. 4. The LSA accesses the smart card and receives the certificate information from it. 5. Kerberos sends the certificate to the KDC in a PKINIT logon request. 6. The KDC verifies the certificate against the policy it finds in the DS. 7. The KDC returns a TGT encrypted with a session key, which in turn is encrypted with the user's public key. 8. The smart card uses the private key to decrypt the TGT, allowing the LSA to log the user on.
Talk to the slide at each build point. Additional information: the private key and certificate are on the card; public key domain authentication.

35 PKI Demo. Requesting and managing certificates; certificate revocation list; certificate policy; smart card enrollment; smart card logon. Demo…

36 PKI Best Practices. Plan the physical security of the CA and the CPS. Build a three-tier CA hierarchy; the root should be offline and in storage. Publish externally (certificates, CRLs, CPS statement). Start with the simple elements: IPSEC, EFS, then S/MIME. Don't be afraid to experiment; you can always revoke the CA and try again. Back up!

37 PKI Quiz. Is the Windows 2000 PKI implementation proprietary? It is based on a set of standards, the key to interoperability: ITU X.509; RSA PKCS; IETF: PKIX, SSL/TLS, S/MIME; PC/SC.
Interoperability. Windows 2000 PKI supports: rooted CA hierarchies; PKCS#10 and PKCS#7 message formats for certificate enrollment; X.509 certificate formats and IETF PKIX Part 1; RSA cryptographic smart cards. Windows 2000 PKI works with Netscape and other commercial CAs. Federal FIPS 140-1 Level 1 crypto module certification: DSS, RSA. Key applications: Web and certificate services. Fortezza: Web services; Spyrus CSP; Litronic reader. Netscape Communicator: SSL-based authentication; S/MIME; signed forms. Certificate Server: issues certificates and CRLs; integrated with an LDAP-based directory. Entrust PKI: key lifecycle management; requires application plug-ins; Enterprise Toolkit (scenario-oriented kits); client software: Entrust Entelligence, Entrust Express, Web Connector; just issues certificates.

38 Secure IP. Host-to-host authentication and encryption. IP security policy distributed through domain policy. Diagram: policy agent (PA); IP security policy; network layer; user to user; negotiate policy, IP filters; download IPSEC policy. Filter fields: source address, destination address, any protocol.

39 Secure IP: Security Association. Kerberos authentication used to set up SMB data encryption. Diagram: KDC on a Windows NT directory server; hosts 157.55.20.100 and 147.20.10.200; SA; Oakley; TCP; IP.

40 Secure Web Access. Diagram: secure Web server; client; certificate authority; HTTP with SSL/TLS; certificate enrollment; trust relationship.
Let's look at the components of a secure intranet application. The user needs to get a certificate before he/she can use PK, so there needs to be a CA available to accept and process requests. Once the user has the certificate, he/she will need to connect to the secure Web server configured to require SSL/TLS authentication and certificates. Once authenticated, access to resources can be controlled by Windows 2000 security and the access control privileges of the user account that the Subject lookup matched. The ability to use PK certificates to authenticate users and to map certificates to user accounts is a very powerful feature of Windows 2000 and PK.

41 SSL Client Authentication. Strong authentication using X.509 certificates; a single user ID across many protocols. Secure account management: uses the existing infrastructure for account management and access control. Accepts third-party X.509 certificates from trusted certificate authorities; business-to-business authentication.

42 SSL Client Authentication. Diagram: client certificate; SChannel SSP; server; access token; server resource ACL; authentication service; organizational unit (OU); user; trusted CA certificate store. 1. Verify the user's certificate against the trusted CAs and the CRL. 2. Locate the user object in the directory by user name. 3. Build a Windows NT access token based on group membership. 4. Impersonate the client and check object access.

43 Certificate Mapping. Authentication; authorization. An alternate security identity: public key and Active Directory. Access control based on account group membership. One-to-one: subject + issuer, a single certificate. Many-to-one: issuer, many certificates.
Active Directory is where the user account is stored. Access control is how access to network resources is determined based on group membership. 1:1 mapping means that you are matching the Subject name in the certificate to an account, meaning that two different users cannot use the same account. Many:1 mapping means that you are matching the Issuer name in the certificate to an account, where there can be many different certificates that meet this match criteria.
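The two slides above put the certificate check first (trusted issuer, not on the CRL) and the account lookup second, with two mapping styles. The following is an added illustration of that decision logic, not IIS or Windows 2000 code: the CA names, serial numbers and account names are constructed, and the CRL is modelled as a set of (issuer, serial) pairs.

```python
"""Certificate-to-account mapping as described on slides 42-43. Added illustration,
not IIS or Windows 2000 code; CA names, serials and accounts are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name of the holder
    issuer: str   # distinguished name of the issuing CA
    serial: int   # serial number, the value a CRL lists


class CertMapper:
    def __init__(self, trusted_issuers, revoked):
        self.trusted = set(trusted_issuers)
        self.revoked = set(revoked)  # (issuer, serial) pairs taken from the CRL
        self.one_to_one = {}         # (issuer, subject) -> account
        self.many_to_one = {}        # issuer -> shared account

    def add_one_to_one(self, cert, account):
        """Slide 43: 1:1 matches subject + issuer, so one certificate maps to one account."""
        self.one_to_one[(cert.issuer, cert.subject)] = account

    def add_many_to_one(self, issuer, account):
        """Slide 43: many:1 matches the issuer, so every certificate from that CA shares an account."""
        self.many_to_one[issuer] = account

    def validate(self, cert):
        """Slide 42, step 1: issued by a trusted CA and not listed on its CRL."""
        return cert.issuer in self.trusted and (cert.issuer, cert.serial) not in self.revoked

    def map_to_account(self, cert):
        """Slide 42, step 2: find the account; a 1:1 rule wins over a many:1 rule."""
        if not self.validate(cert):
            return None  # untrusted or revoked: no account, so no access token is built
        account = self.one_to_one.get((cert.issuer, cert.subject))
        return account if account is not None else self.many_to_one.get(cert.issuer)


def build_demo_mapper():
    """Constructed configuration: an enterprise CA with a per-user rule, a partner CA pooled."""
    mapper = CertMapper(
        trusted_issuers=["CN=Contoso Enterprise CA", "CN=Fabrikam Partner CA"],
        revoked=[("CN=Contoso Enterprise CA", 0x1002)],
    )
    mapper.add_one_to_one(Cert("CN=Alice", "CN=Contoso Enterprise CA", 0x1001), "CONTOSO\\alice")
    mapper.add_many_to_one("CN=Fabrikam Partner CA", "CONTOSO\\FabrikamUsers")
    return mapper
```

The many:1 branch is convenient for partner access, but it means the server's audit log records the shared account for every partner user; where individual accountability matters, the 1:1 style is the one to use.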

44 Secure Web Access Demo. Install a certificate in IIS; secure a Web site with SSL; access the site with a certificate; map a user certificate for impersonation. Demo…

45 Secure Web Access Best Practices. Install the minimum set of services. Set appropriate authentication. Set appropriate virtual directory permissions and partition the Web. Set IP restrictions. Install SSL. Remove untrusted root CAs. Enable logging and set ACLs. Manage Index Server strictly. Disable RDS support.

46 Secure Web Access Quiz. How can you tell that the RDS vulnerability is being attacked? Make sure you are always logging HTTP requests, and analyze the log files for the signature containing msadcs.dll:
:38:12 - POST /msadc/msadcs.dll …
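The quiz answer is a log search, and the detail that matters in practice is matching the signature robustly: IIS writes W3C extended logs with a #Fields: directive that names the columns, and a request path can vary in case or carry %xx escapes. The following detection routine is an added example, not part of the original deck; the log excerpt is constructed in the W3C extended format and the addresses in it are documentation ranges.

```python
"""Flag requests for the RDS component (msadcs.dll) in IIS W3C extended logs, slide 46.
Added example, not from the original deck; the sample log lines are constructed."""
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-11-03 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-11-03 10:37:58 192.0.2.10 GET /default.asp - 200
1999-11-03 10:38:12 198.51.100.7 POST /msadc/msadcs.dll - 200
1999-11-03 10:38:15 198.51.100.7 POST /MSADC/msadcs.dll - 200
1999-11-03 10:38:31 198.51.100.7 POST /msadc/%6dsadcs.dll - 500
1999-11-03 10:40:02 192.0.2.10 GET /images/logo.gif - 304
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can reappear when logging options change
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("record before any #Fields: directive")
        yield dict(zip(fields, line.split()))


def find_rds_requests(text, signature="msadcs.dll"):
    """Return (timestamp, client, method, raw path, status) for every hit on the signature."""
    hits = []
    for rec in parse_w3c(text):
        # Decode %xx escapes and fold case so /MSADC/ and %6dsadcs.dll are not missed.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if signature in stem:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def clients_by_hits(hits):
    """Count hits per client address, which is the first thing to look at when triaging."""
    return Counter(client for _, client, *_ in hits)
```

A 500 status on the third hit is not a reason to skip it: the request still reached the component, so every match is worth reviewing regardless of the status code, and the per-client count shows whether the requests came from one source.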

47 Secure E-Mail: Core Components. Transport based on Internet standards. Public key infrastructure: establishes and verifies user identity; issues and revokes certificates. Certificates (X.509, PKIX Part I): an identity bound to a public key. S/MIME-capable mail clients: sign, encrypt and decrypt messages; verify digital certificates and signatures.

48 Secure E-Mail: S/MIME. Diagram: Internet; Active Directory; Outlook™ Express; Exchange 5.5 SP1; retrieve the user's certificate (LDAP); smart card reader; certificate; Outlook 98.
One of the challenges to sending secure e-mail is getting the recipient's certificate so that one can send encrypted e-mail. Without a directory this is a tenuous process. Certificates issued by a Windows 2000 CA can be published in the Active Directory on a user's object so that other users can retrieve it in the same manner they look up a phone number, address, etc. Exchange 5.5 SP1 works with the Certificate Server 1.0 that shipped as part of Option Pack 4.0 using the Exchange policy module (not the default policy module). Going forward we plan to integrate the Exchange policy module with the Windows 2000 policy module so that organizations can have the same CA issue certificates for e-mail and Web. Some organizations may want to separate their e-mail CAs from their Web CAs, and this will also be supported.

49 Digital Signature. You want to send plaintext data to someone and let them verify its source. Hash the text and encrypt the hash; this provides a signature for the plaintext: Encrypt(Hash(plaintext)), where the hash is encrypted with the private key. The recipient hashes the plaintext, H(pt), decrypts the signature with the public key, D(E(H(pt))) = H(pt), and compares the results!

50 Secure E-Mail Demo. Define the Exchange certificate policy; request an Exchange certificate; sign and encrypt in Outlook. Demo…

51 Secure E-Mail Best Practices. Counter Office viruses (macro security). Run antivirus software and keep the signature files current. Use PPTP or L2TP/IPSec when accessing e-mail remotely. Sign messages to authenticate users. Encrypt sensitive messages. When a virus is detected in your environment, notify all recipients. Back up your private key (nobody but you has a copy of it!). Recover keys so that e-mail can be read on multiple computers.

52 Secure S/MIME E-Mail Quiz. Where are certificates and keys stored? My certificates are in the registry (accessed through the MMC). My keys are in protected storage (pstore). Other people's certificates are in the address book.

53 Common Threats. Attack types (S.T.R.I.D.E.): Spoofing user identity; Tampering with data; Repudiation; Information disclosure; Denial of service; Elevation of privilege.
Spoofing User Identity: In this case, the hacker has obtained the user's personal information or something that enables him to replay the authentication procedure. Spoofing threats are associated with a hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security. Tampering with Data: An unauthorized change to stored or in-transit information, formatting of a hard disk, a malicious intruder introducing an undetectable network packet in a communication, and making an undetectable change to a sensitive file are all tampering threats. Repudiability: A user performing an illegal operation without the ability to be traced is called "repudiability". Repudiability threats are associated with users (malicious or otherwise) who can deny a wrongdoing without any way to prove otherwise. Information Disclosure: Compromising private or business-critical information. Information disclosure threats expose information to individuals who are not supposed to see it. A user's ability to read a file that she or he was not granted access to, as well as an intruder's ability to read the data while in transit between two computers, are both disclosure threats. Note that this threat differs from a spoofing threat in that here the perpetrator gets access to the information directly rather than by having to spoof a legitimate user. Denial of Service: A "Denial of Service" (DoS) attack prevents legitimate users from using a service. The effectiveness of a DoS attack is measured three ways. Effort: a measure of the effort required for the attack to be successful. The least effort is a single packet that crashes a computer. The greatest effort is a lot of large packets, possibly sent by multiple attackers. Severity: a measure of how much the service has been degraded. A severe attack will prevent all legitimate users from accessing the service. A mild attack may slow down access, but not shut it down completely.
Persistence: an attack is persistent if its effects continue after the attack stops. The strongest attacks persist even if the attacker is blocked from accessing the service. Some attacks persist until the server is rebooted. The effects of a weak attack end as soon as the attack does. Denial of Service attacks range from mildly annoying to true security risks. In general, a good firewall should prevent them from happening. Elevation of Privilege: An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system. The more dangerous aspect of such threats is compromising the system in undetectable ways whereby the user is able to take advantage of the privileges without the knowledge of system administrators. Elevation of privilege threats include those situations where an attacker is allowed more privilege than should properly be granted, completely compromising the security of the entire system and causing extreme system damage. Here the attacker has effectively penetrated all system defenses and become part of the trusted system itself and can do anything.

54 NTFSDOS. Type: information disclosure. Allows access to NTFS shares from DOS and Windows 98. Bypasses NTFS ACL checks (the SAM becomes accessible). Defenses: EFS; physical access control.
NTFSDOS. Attack Type: Information Disclosure. Source: Current Version: 3.03. Related Tools: NTFS for Windows 98, NTFSDOS Pro. Description: Allows access to NTFS shares from DOS and Windows 98. Attack: Bypasses NTFS ACL checking. Files such as the SAM, that are normally unavailable, become accessible. Defenses: EFS. Windows 2000 Effect: System Internals has updated this tool to work on Windows 2000. Notes: Physical access is usually required for this tool to work.

55 NTFS Encryption (EFS). Native to NTFS v5. Encrypts with a unique per-file key. Uses public key technology for enterprise data recovery: the individual file's encryption key is recovered, not the user's key. Transparent to users and applications. Very fast operation.

56 EFS Architecture. Diagram: applications; Win32 layer; user mode / kernel mode; EFS service; Crypto API; LPC communication for all keys and management support; I/O manager; EFS.sys; NTFS; FSRTL callouts; encrypted data storage on disk.

57 File Encryption. Diagram: plaintext ("A quick brown fox jumps…"); RNG produces a randomly generated file key; file encryption (e.g., DES) yields the ciphertext *#$fjda^j u539!3t t389E *&. Data decryption field generation (e.g., RSA) with the user's public key produces the DDF. Data recovery field generation (e.g., RSA) with the recovery agent's public key, taken from the recovery policy, produces the DRF.

58 File Decryption. Demo… Diagram: ciphertext *#$fjda^j u539!3t t389E *&; file decryption (e.g., DES) yields "A quick brown fox jumps…"; file key; user's private key; DDF extraction (e.g., RSA). The DDF contains the file key encrypted with the user's public key; it is decrypted with the user's private key to obtain the file key.
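Slide 49 (hash-then-sign) and slides 57-58 (a random file key wrapped once for the user in the DDF and once for the recovery agent in the DRF) both rest on the same public-key operation, so one worked example covers both. It is an added illustration, not Windows 2000 or EFS code: it uses unpadded textbook RSA with keys generated on the spot, a SHAKE keystream stands in for the DES step, and the sample plaintext is constructed.

```python
"""Hash-then-sign (slide 49) and EFS-style key wrapping with DDF/DRF (slides 57-58),
worked with textbook RSA. Added illustration, not Windows 2000 code: unpadded RSA,
a SHAKE keystream in place of DES, and demonstration-only keys."""
import hashlib
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Returns (public, private), each an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_apply(key, m):
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("value too large for the modulus")
    return pow(m, exponent, n)


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, plaintext):
    """Slide 49, sender: E_private(H(pt))."""
    return rsa_apply(private_key, digest_int(plaintext))


def verify(public_key, plaintext, signature):
    """Slide 49, recipient: D_public(E(H(pt))) must equal the freshly computed H(pt)."""
    return rsa_apply(public_key, signature) == digest_int(plaintext)


def stream_xor(key, data):
    # Stand-in for the per-file symmetric cipher (slide 57 says e.g. DES).
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def efs_encrypt(plaintext, user_public, recovery_public):
    """Slide 57: random file key; the DDF wraps it for the user, the DRF for the recovery agent."""
    file_key = secrets.token_bytes(16)  # RNG -> randomly generated file key
    k = int.from_bytes(file_key, "big")
    return {"ciphertext": stream_xor(file_key, plaintext),
            "DDF": rsa_apply(user_public, k),
            "DRF": rsa_apply(recovery_public, k)}


def efs_decrypt(blob, private_key, field):
    """Slide 58: unwrap the file key from the chosen field ("DDF" or "DRF"), then decrypt.
    A recovery agent working from the DRF learns this file's key only, never the user's key."""
    k = rsa_apply(private_key, blob[field])
    if k >= 1 << 128:
        raise ValueError("this private key does not open the chosen field")
    return stream_xor(k.to_bytes(16, "big"), blob["ciphertext"])
```

The recovery property from slide 55 falls out of the structure: the recovery agent's private key opens the DRF of any file encrypted under the recovery policy, but it never sees the user's private key, so it cannot forge the user's signatures or read files whose DRF was wrapped for a different agent.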

59 L0phtcrack. Demo… Type: information disclosure. Exploits weaknesses in NTLM password hashing to crack Windows NT passwords. Used in combination with an elevation of privilege attack. Defenses: use complex passwords longer than 14 characters; use NTLM v2.
L0phtcrack. Attack Type: Information Disclosure. Source: Current Version: 2.52. Related Tools: pwdump, pwdump2. Description: L0phtcrack uses weaknesses in the NTLM cryptographic hashes to crack NT passwords. Depending on the complexity of the passwords it may take minutes or weeks to crack a password. The hashes are obtained from the registry, file system, or the network. Attack: The tool compromises passwords. It can be used for undetectable attacks after an Elevation of Privilege attack. The attacker gets a copy of the hashes, erases all evidence of the entry, and then goes home to crack the passwords. Defenses: Use passwords that are longer than 14 characters, contain a mix of numbers, letters, and punctuation characters, and do not contain any words. Avoid passwords created from concatenating words, or a word followed by a couple of non-alphabet characters. Set the "LAN Manager Authentication Level" value to "Send NTLMv2 response only\refuse LM & NTLM". Windows 9x machines will require the DS Client upgrade package. NT4 clients should have SP4, DCs should have SP6. Windows 2000 Effect: If all of the systems can use NTLMv2, they should.

60 Msadc.pl. Type: elevation of privilege. A PERL script that exploits MS ADC RDS. Defenses: remove the RDS files or put MSADC into "safe" mode (Windows 2000 ships in "safe" mode); use ACLs.
Msadc.pl. Attack Type: Elevation of Privilege. Source: .rain.forest.puppy. Current Version: 2. Related Tools: RFPoison.exe, whisker. Description: This is a PERL script that exploits the MSADC RDS vulnerability. Attack: It uses a poorly designed feature of RDS that allows a command to be executed on a remote machine as Local System. Defenses: Remove the RDS files or put MSADC into "safe" mode. Windows 2000 Effect: By default Windows 2000 is shipped in "safe" mode. Notes: Hundreds, perhaps thousands, of web sites have been hacked because of this exploit. It points out two problems: shipped software is around for a LONG time, and lots of system administrators either do not keep up with security updates or they ignore them. Some sites have been hacked multiple times with this same attack. Code: msadc2.pl.

61 Malformed Spooler Request. Type: elevation of privilege. A buffer overflow in the print spooler allows an attacker to run arbitrary code. Defenses: fixed in Windows 2000; block all input to the service; install the available patch.
"Malformed Spooler Request". Attack Type: Elevation of Privilege. Source: eEye, Luke Kenneth Casson Leighton, .rain.forest.puppy. Description: A buffer overflow in the print spooler service may cause the service to crash or allow the attacker to run arbitrary code. Attack: Certain APIs in the Windows NT 4.0 print spooler subsystem have unchecked buffers. If an affected API were provided with random data as input, it could crash the print spooler service. If it were provided with a specially malformed argument, it could be used to run arbitrary code on the server via a classic buffer overrun attack. The majority of the affected APIs require the caller to be a member of the Power Users or Administrators group; however, at least one is callable by normal users. None of the calls could be made by anonymous users, but the calls could be made remotely. Defenses: Block all input to the service, or install the available patch. Windows 2000 Effect: Fixed.

62 Trin00/TFN/TFN2k/stacheldraht. Type: distributed denial of service. Sophisticated tools: automatically search for vulnerable computers; automatically exploit the vulnerabilities found; use a hierarchy of tools to carry out denial of service attacks; use cryptography to hide communication between components; use clients, handlers and agents.
Trin00/TFN/TFN2k/stacheldraht. Attack Type: Distributed Denial of Service. Source: trin00, unknown; TFN, Mixter; TFN2K, Mixter; stacheldraht, unknown. Related Tools: Lots. Description: These are sophisticated tools that use a variety of technologies: 1) automated tools to find machines with known vulnerabilities; 2) automated tools to exploit the vulnerabilities found in step 1, and to install the actual distributed denial of service tools; 3) a hierarchy of tools that perform the denial of service attacks; 4) cryptographic and other techniques to hide the communication between the components. Attack: There are three parts to this attack: clients, handlers, and agents. Handlers and agents are installed on compromised systems. Agents register themselves with handlers. Clients tell handlers to initiate attacks, and the handlers contact the agents to perform the attacks. The attacks themselves are a variety of known DoS attacks. Because the number of clients may be very large (there are reports of networks having over 2000 agents), the victim may easily be overwhelmed. Since the attack is broadly distributed, it is difficult to defend against. Defenses: Prevent steps 1 and 2 from happening by blocking exploits. Communication between handlers and agents may be detected in older versions. Newer versions are using a variety of techniques to obscure this communication. Windows 2000 Effect: SFP may make it marginally harder for these Trojans to be installed. However, there is no reason to believe that Windows 2000 machines are immune. Notes: These tools are derived from some tools used to disrupt IRC networks. They are a synthesis of a lot of well-known techniques. The attackers create a network of "handlers" and "agents" on exploited machines. Handlers keep a list of known agents. The client sends a signal to the handler to initiate an attack.
The handlers then send messages to the agents and the agents start attacking.

63 Trin00/TFN/TFN2k/stacheldraht. Attack steps: reconnaissance; installation; registration; client > handler; handler > agent; agents attack. Defenses: block exploits to prevent steps 1 and 2; SFP, secure boot, intrusion detection.

64 Audit Examples. Attack and the audit action that detects it.
Random password attack: failure audit for logon/logoff. Break-in with a stolen password: success audit for logon/logoff. Misuse of privilege: success audit for user rights, user and group management, security policy changes, restart, shutdown, and system events. Improper file access: success and failure audit for file access and object access events; using File Manager, success and failure audit of read/write access to sensitive files by suspected users and groups.

65 Discussion

66 Resources. Policies white paper. Microsoft Official Curriculum: Advanced Administration for Microsoft Windows, Course 1558; Updating Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows 2000, Course 1560. White papers.

67 More Information. See the TechNet Web site: www.microsoft.com/technet/. Microsoft® Official Curriculum. Visit our Windows 2000 technology center. IT professional user groups in your area.

68 Acknowledgments. Author: Mauro Torres. Producer/Director: Dave Rhoades. Thanks to the following people in Microsoft's technical groups for reviewing this session:
Shanen Boettcher, Manish Patel, Shawn Travers, Manish Bhatt

69

70 Glossary. SSPI – Security Support Provider Interface. NTLM – Windows NT LAN Manager. KDC – Key Distribution Center.
Realm – the Kerberos equivalent of a domain. TGT – Ticket-Granting Ticket (a Kerberos ticket). SSL – Secure Sockets Layer. TLS – Transport Layer Security. DPA – Distributed Password Authentication. OU – Organizational Unit, in Active Directory.

71 Glossary. ACL – Access Control List. LDAP – Lightweight Directory Access Protocol. CA – Certificate Authority. PDC – Primary Domain Controller.
BDC – Backup Domain Controller. PCT – Private Communication Technology. EPAC – Extended Privilege Attribute Certificate. LSA – Local Security Authority. AH – Authentication Header. ESP – Encapsulating Security Payload.

