SEC310: Windows Network Security


Transcripts
Slide 1

SEC310: Windows® Network Security
Rui Hu (ruihu@microsoft.com), Software Design Engineer, Windows Clustering, Scale Out & Enterprise Servers Group, Windows Division, Microsoft Corporation

Slide 3

Agenda
Four components of Windows security: Authentication, Authorization, Cryptography (encryption/decryption), Auditing
Windows Security Push

Slide 4

Network Authentication
Microsoft-provided Security Support Provider (SSP) packages:
Microsoft NTLM, for Windows NT version 3.51 and later, Windows 2000, and Windows XP
Microsoft Kerberos, for Windows 2000 and Windows XP
Microsoft Digest SSP, for Windows 2000 and Windows XP
Secure Channel (Schannel)

Slide 5

Microsoft NTLM
Non-interactive authentication (diagram): the client sends the user name (in plaintext) to the server; the server returns a challenge to the client.

Slide 6

Microsoft NTLM
Non-interactive authentication (diagram): the client sends the response to the server. Response: the challenge encrypted with the hash of the user's password.

Slide 7

Microsoft NTLM
Non-interactive authentication (diagram): the server forwards a message to the DC. Msg: the user name, the challenge, and the response. DC: domain controller. SAM: Security Account Manager database.

Slide 8

Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 0: A user logs on to a client machine and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only.)
Step 1: The client sends the user name to the server (in plaintext).
Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

Slide 9

Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.

Slide 10

Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication succeeds.
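The six steps above, as an added illustration that is not Microsoft's code. It keeps the division of roles from the slides (client, server, domain controller holding the SAM) but substitutes SHA-256 for the MD4-based NT hash and an HMAC for "encrypt the challenge with the hash", so it runs on any Python; the user "alice" and her password are constructed sample data.

```python
import hashlib
import hmac
import os

# Stand-ins for the real primitives (NT hash = MD4; response = DES over the
# challenge with keys derived from the hash). Only the protocol shape matters here.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def keyed_response(pw_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Client:
    def __init__(self, user: str, password: str):
        # Step 0: hash the password and discard the plaintext.
        self.user = user
        self._pw_hash = password_hash(password)

    def respond(self, challenge: bytes) -> bytes:
        # Step 3: the client answers whatever challenge it is handed; nothing in
        # the exchange lets it verify who issued it (no mutual authentication).
        return keyed_response(self._pw_hash, challenge)

class DomainController:
    def __init__(self, sam: dict):
        self.sam = sam  # user name -> password hash (the SAM database)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Steps 5-6: recompute from the stored hash and compare in constant time.
        stored = self.sam.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(keyed_response(stored, challenge), response)

class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc

    def authenticate(self, client: Client) -> bool:
        user = client.user                    # step 1: user name in plaintext
        challenge = os.urandom(16)            # step 2: fresh 16-byte nonce per attempt
        response = client.respond(challenge)  # step 3
        # Step 4: the server never sees the password or its hash; it forwards
        # (user, challenge, response) and lets the DC decide.
        return self.dc.verify(user, challenge, response)

# Constructed sample SAM for the example
SAM = {"alice": password_hash("correct horse battery staple")}
```

Note that the DC's check needs only the stored hash, which is why the SAM must be protected as carefully as the passwords themselves.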

Slide 11

Microsoft NTLM (Cont.)
No mutual authentication: the server authenticates the client, but the client cannot authenticate the server.

Slide 12

Microsoft Kerberos
Mutual authentication: the server authenticates the client, and the client authenticates the server.

Slide 13

Microsoft Kerberos (Cont.)
Diagram: the client and the server each hold a copy of the session key; the client sends an authenticator message to the server.

Slide 14

Microsoft Kerberos (Cont.)
Kerberos (or Cerberus) was a figure in classical Greek mythology: a fierce three-headed dog who kept living intruders from entering the Underworld.
The Kerberos protocol also has three heads: a client, a server, and a trusted third party that mediates between them. The trusted intermediary in this protocol is the Key Distribution Center (KDC).

Slide 15

Microsoft Kerberos (Cont.)
KDC (Key Distribution Center): holds the client's and the server's master keys.
Msg1 (KDC to client): the client's copy of the session key, encrypted with the client's master key.
Ticket: the server's copy of the session key plus authorization data for the client, encrypted with the server's master key.

Slide 16

Microsoft Kerberos (Cont.)
KDC: holds the client's and the server's master keys.
Credentials (client to server): the ticket, plus an authenticator message encrypted with the session key.

Slide 17

Microsoft Kerberos (Cont.)
KDC: holds the client's and the server's master keys.
Mutual authentication (server to client): the timestamp from the authenticator message, encrypted with the session key.

Slide 18

Microsoft Kerberos (cont.)
Assumptions: an open network where most clients and many servers are not physically secure. Packets traveling on the network can be monitored and modified at will.

Slide 19

Microsoft Kerberos (cont.)
The KDC (Key Distribution Center) only provides a ticket-granting service. The client and the server are each responsible for keeping their own master keys secure.

Slide 20

Microsoft Kerberos (cont.)
A client does not need to contact the KDC every time it wants to access a particular server: tickets can be reused. Tickets have an expiration time.
Ticket-granting ticket (TGT).
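The KDC, ticket, authenticator and timestamp reply from slides 15 through 20, as an added example that is neither Microsoft's nor MIT's code. It assumes a toy authenticated cipher (SHA-256 keystream plus HMAC tag) in place of Kerberos' real encryption types, JSON for message bodies, and constructed principals "alice" and "fileserver" with random master keys.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption so the example runs offline. Not a Kerberos
# cipher: XOR with a SHA-256 keystream under a random nonce, then an HMAC tag.
def _ks(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    body = ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _ks(key, ct[:16], len(body)))))

class KDC:
    """Holds every principal's master key; issues session keys and tickets."""
    def __init__(self, master_keys): self.keys = master_keys
    def issue(self, client, server, lifetime=300):
        skey = os.urandom(32)
        # Ticket: server's copy of the session key + client authorization data,
        # sealed with the server's master key (the client cannot read it).
        ticket = seal(self.keys[server], {"client": client, "skey": skey.hex(),
                                          "expires": time.time() + lifetime})
        # Msg1: client's copy of the session key, sealed with the client's master key.
        return seal(self.keys[client], {"skey": skey.hex(), "ticket": ticket.hex()})

class Server:
    def __init__(self, master_key): self.key = master_key
    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)              # only the real server can open this
        if t["expires"] < time.time(): raise ValueError("ticket expired")
        skey = bytes.fromhex(t["skey"])
        a = unseal(skey, authenticator)           # proves the client knows the session key
        if a["client"] != t["client"]: raise ValueError("authenticator does not match ticket")
        return seal(skey, {"ts": a["ts"]})        # mutual auth: timestamp back under the session key

def client_authenticates(kdc, client_key, name, server_name, server):
    m = unseal(client_key, kdc.issue(name, server_name))
    skey, ts = bytes.fromhex(m["skey"]), time.time()
    reply = server.accept(bytes.fromhex(m["ticket"]), seal(skey, {"client": name, "ts": ts}))
    return unseal(skey, reply)["ts"] == ts        # True only if the server had the session key

# Constructed sample principals and master keys
KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
```

A server that does not hold the real master key cannot open the ticket, so it never learns the session key and cannot produce the timestamp reply; that is the property NTLM lacks.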

Slide 21

Authentication: Cluster Service Account Password Change
The Cluster service on all cluster nodes uses the same cluster service account, which is a domain account. (Diagram: cluster nodes.)

Slide 22

Authentication: Cluster Service Account Password Change
Different DCs. (Diagram: DC, cluster nodes.)

Slide 23

Authentication: Cluster Service Account Password Change
Change the password on: the DC; the SCM and LSA on each cluster node. (Diagram: DC, cluster nodes.)

Slide 24

Authentication: Cluster Service Account Password Change
(Diagram: DC, client, cluster nodes.)

Slide 25

Authentication: Cluster Service Account Password Change
(Diagram: DC, client, cluster nodes N3 and N4.)

Slide 26

Authentication: Cluster Service Account Password Change
(Diagram: DC, client, cluster nodes N1 through N9.) GUM: Global Update Manager.

Slide 27

Authentication: Global Update Manager
Propagates updates to all nodes in the cluster. Updates are atomic and totally ordered. Tolerates all benign failures. Depends on the membership engine.

Slide 28

Authorization
ACL (Access Control List)

Slide 29

Cryptography (encryption/decryption)
Cluster Service Account Password Change. (Diagram: DC, client, cluster nodes N3 and N4.)

Slide 30

Cryptography (Cont.)
General information about using the Crypto API: agreed base data, MAC, salt.

Slide 31

Auditing
Security audit records

Slide 32

Windows Security Push
Entire Windows team: ~7000 people. February and March 2002.
Process: threat analysis (PM, Dev, Tester), fixing security holes, testing, sign-off.

Slide 33

Windows Security Push (cont.)
Extracluster communication: data transfer across the cluster boundary. Examples include clusapi, the extracluster RPC interface, the join-version RPC interface, and so on.
MSCS (Microsoft Cluster Service): 30 to 40 components.

Slide 34

Windows Security Push (cont.)
Intracluster communication: data transfer within the cluster but across node boundaries. Examples include ClusNet traffic, regroup traffic, the intracluster RPC interface, SMB traffic to MNS shares, and so on.

Slide 35

Windows Security Push (cont.)
Intranode communication: data transfer within a node. Examples include resapi, ClusNet ioctls, the event log, the MNS named pipe, the NetCon API, and so on.

Slide 36

Windows Security Push (cont.)
Internal data: data objects local to a node that are accessed by the component. Examples include registry keys, named objects, the quorum disk, MNS shares, and so on.
External data: data objects located outside the cluster that are accessed by the component. Examples include computer objects in Active Directory.

Slide 37

Windows Security Push (cont.)
All uses of cryptography.
All operations that require membership in the local Administrators group.
All operations that require elevated privilege (e.g. TCB, a.k.a. "Act as part of the operating system").

Slide 38

Windows Security Push (Cont.)
Security holes: buffer overrun; client spoofing; server spoofing; security by obscurity; home-grown cryptography; storing secrets in memory (DPAPI); access checks (who can issue the password change command?).

Slide 39

If you have any questions, please continue the discussion on the Microsoft Chinese newsgroups. Join the Microsoft Chinese newsgroups: http://www.microsoft.com/china/group

Slide 40

For More Information
Microsoft resources:
IPSec and PKI step-by-step walkthroughs: http://www.microsoft.com/windows2000/library/advancements/security
IPSec protection for AD site replication through firewalls: http://www.microsoft.com/ISN/Columnists/P63623.asp
"Lockdown" IPSec protection for servers: http://www.microsoft.com/ISN/journalists/p66703.asp
Using IPSec to build trusted computing infrastructures: "Ask Us About Security 12/15/2001" on TechNet
Security center site: http://www.microsoft.com/security
Networking center site: http://www.microsoft.com/interchanges
ISA: http://www.microsoft.com/isa, http://www.isaserver.org, http://www.aspelle.com (few details; a contact in MPSC has customer-ready demos)
Other Internet resources:
IETF IPSec standards: http://www.ietf.org/html.charters/ipsec-charter.html
IETF L2TP standard: http://www.ietf.org/html.charters/pppext-charter.html
IETF L2TP working group: http://www.ietf.org/html.charters/l2tpext-charter.html
Technology books: Doraswamy, Harkins, "IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks"

Slide 41

© 2002 Microsoft Corporation. All rights
