SEC310: Windows® Network Security. Rui Hu (firstname.lastname@example.org), Software Design Engineer, Windows Clustering, Scale Out & Enterprise Servers Group, Windows Division, Microsoft Corporation. Slide 3
Agenda: the four components of Windows security: Authentication, Authorization, Cryptography, Auditing. Then: the Windows Security Push. Slide 4
Network Authentication. Microsoft-provided Security Support Provider (SSP) packages: Microsoft NTLM, for Windows NT version 3.51 and later, Windows 2000 and Windows XP; Microsoft Kerberos, for Windows 2000 and Windows XP; Microsoft Digest SSP, for Windows 2000 and Windows XP; Secure Channel (Schannel). Slide 5
Microsoft NTLM non-interactive authentication: Client -> Server: user name (in plaintext). Server -> Client: challenge. Slide 6
Microsoft NTLM non-interactive authentication: Client -> Server: response, i.e. the challenge encrypted with the hash of the client's password. Slide 7
Microsoft NTLM non-interactive authentication: Server -> DC: a message carrying the client name, the challenge and the response. DC: domain controller, holding the SAM (Security Account Manager database). Slide 8
Microsoft NTLM (cont.) NTLM non-interactive authentication: Step 0: A user logs on to a client machine and supplies a domain name, user name and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only.) Step 1: The client sends the user name to the server (in plaintext). Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client. Slide 9
Microsoft NTLM (cont.) NTLM non-interactive authentication: Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is known as the response. Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client. Slide 10
Microsoft NTLM (cont.) NTLM non-interactive authentication: Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge. Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication is successful. Slide 11
Microsoft NTLM (cont.) No mutual authentication: the server authenticates the client, but not the other way around; the client has no way to verify which server it is talking to. Slide 12
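The seven steps above, and the missing mutual authentication, as an added example (not code from the deck). Assumptions: real NTLM hashes the UTF-16LE password with MD4 and encrypts the challenge with DES-based operations; SHA-256 and HMAC-SHA256 stand in for those here so the exchange runs with the standard library only. The user name "alice", the passwords and the SAM contents are constructed sample data.

```python
import hashlib
import hmac
import os

# Added example, not code from the SEC310 deck. Assumptions: real NTLM hashes
# the UTF-16LE password with MD4 and answers the challenge with DES-based
# operations; SHA-256 and HMAC-SHA256 stand in here so the flow runs with the
# standard library only. The 16-byte challenge follows the slide.


def password_hash(password: str) -> bytes:
    """Step 0: the client keeps only a hash of the password and discards the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Steps 3 and 5: 'encrypt' the challenge under the password hash.
    Only the hash is needed; the password itself never takes part."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Holds the SAM: user name -> password hash."""

    def __init__(self, sam: dict):
        self.sam = sam

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Steps 5-6: recompute from the stored hash and compare to the client's response."""
        pw_hash = self.sam.get(user)
        if pw_hash is None:
            return False
        return hmac.compare_digest(compute_response(pw_hash, challenge), response)


class Server:
    """Has no password material; it only relays (user, challenge, response) to the DC."""

    def __init__(self, dc: DomainController):
        self.dc, self.pending = dc, {}

    def challenge(self, user: str) -> bytes:
        """Step 2: a fresh 16-byte nonce, remembered so a reply can only answer it."""
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def check(self, user: str, response: bytes) -> bool:
        """Step 4: forward the triple to the DC and return its verdict."""
        challenge = self.pending.pop(user, None)
        return challenge is not None and self.dc.verify(user, challenge, response)


class Client:
    def __init__(self, user: str, password: str):
        self.user, self.pw_hash = user, password_hash(password)   # step 0

    def authenticate(self, server: Server) -> bool:
        challenge = server.challenge(self.user)                   # steps 1-2
        response = compute_response(self.pw_hash, challenge)      # step 3
        return server.check(self.user, response)                  # steps 4-6


def run_ntlm(password_in_sam: str, password_typed: str) -> bool:
    """Full exchange: the DC knows one password, the user types another (or the same)."""
    dc = DomainController({"alice": password_hash(password_in_sam)})   # constructed SAM
    return Client("alice", password_typed).authenticate(Server(dc))


def client_cannot_tell_rogue_server(password: str) -> bool:
    """No mutual authentication: the client answers whatever challenge it is sent.
    Returns True if the rogue ends up holding a response the real DC accepts
    for the challenge the rogue itself chose."""
    rogue = Server(DomainController({}))          # backed by no SAM at all
    client = Client("alice", password)
    challenge = rogue.challenge("alice")
    response = compute_response(client.pw_hash, challenge)   # client step 3, as always
    real_dc = DomainController({"alice": password_hash(password)})
    return real_dc.verify("alice", challenge, response)
```

Two things the slides state become visible in the code: `compute_response` takes only the hash, which is exactly what step 0 leaves on the client; and nothing in `Client.authenticate` ever checks anything the server says, which is why `client_cannot_tell_rogue_server` returns True.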
Microsoft Kerberos. Mutual authentication: the server authenticates the client, and the client authenticates the server. Slide 13
Microsoft Kerberos (cont.) Client -> Server: authenticator message, encrypted with the session key that both client and server hold. Slide 14
Microsoft Kerberos (cont.) Kerberos (or Cerberus) was a figure in classical Greek mythology: a fierce, three-headed dog that kept living intruders from entering the Underworld. The Kerberos protocol also has three heads: a client, a server, and a trusted third party that mediates between them. The trusted intermediary in this protocol is the Key Distribution Center (KDC). Slide 15
Microsoft Kerberos (cont.) The KDC (Key Distribution Center) holds the client's and the server's master keys. KDC -> Client: Msg1, the client's copy of the session key, encrypted with the client's master key; plus a ticket, the server's copy of the session key together with the client's authorization data, encrypted with the server's master key. Slide 16
Microsoft Kerberos (cont.) KDC holds the client's and the server's master keys. Client -> Server: credentials, consisting of the ticket and an authenticator message encrypted with the session key. Slide 17
Microsoft Kerberos (cont.) KDC holds the client's and the server's master keys. Server -> Client: the timestamp from the authenticator message, encrypted with the session key. This is what gives mutual authentication: only a server holding the right master key could have opened the ticket, recovered the session key and read the timestamp. Slide 18
Microsoft Kerberos (cont.) Assumptions: an open network where most clients and many servers are not physically secure. Packets travelling across the network can be monitored and modified at will. Slide 19
Microsoft Kerberos (cont.) The KDC (Key Distribution Center) only provides a ticket-granting service. The client and the server are each responsible for keeping their own master key secure. Slide 20
Microsoft Kerberos (cont.) A client does not have to contact the KDC each time it wants to access a particular server: tickets can be reused. Tickets have an expiry time. Ticket-granting ticket (TGT). Slide 21
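The three-party exchange from slides 16 to 21, as an added example (not code from the deck): the KDC hands out a session key and a ticket, the client presents the ticket plus an authenticator, the server echoes the timestamp, and the cached ticket is reused until it expires. Assumptions: Kerberos uses its own encryption types; the toy encrypt-then-MAC below (SHA-256 keystream plus HMAC-SHA256 tag) stands in for them so the code runs with the standard library only. Principal names ("alice", "fileserver"), the "Domain Users" authorization data and the integer clock are constructed.

```python
import hashlib
import hmac
import json
import os

# Added example, not code from the SEC310 deck. The toy cipher below is an
# assumption standing in for Kerberos' real encryption types; times are plain
# integers (seconds) so the run is deterministic apart from key generation.


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, msg: dict) -> bytes:
    """Encrypt a small JSON message under key; only the key holder can open it."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Knows every principal's master key; only hands out session keys and tickets."""

    def __init__(self, master_keys: dict, ticket_life: int = 600):
        self.master_keys, self.ticket_life = master_keys, ticket_life

    def issue(self, client: str, server: str, now: int):
        session_key, expiry = os.urandom(32).hex(), now + self.ticket_life
        msg1 = encrypt(self.master_keys[client],            # client's copy of the key
                       {"session_key": session_key, "server": server, "expiry": expiry})
        ticket = encrypt(self.master_keys[server],          # server's copy + authz data
                         {"session_key": session_key, "client": client,
                          "authz": ["Domain Users"], "expiry": expiry})
        return msg1, ticket                                 # KDC never contacts the server


class Server:
    def __init__(self, name: str, master_key: bytes):
        self.name, self.master_key = name, master_key

    def accept(self, ticket: bytes, authenticator: bytes, now: int, skew: int = 300) -> bytes:
        t = decrypt(self.master_key, ticket)                 # needs the server master key
        if now > t["expiry"]:
            raise PermissionError("ticket expired")
        sk = bytes.fromhex(t["session_key"])
        a = decrypt(sk, authenticator)                       # client proved it holds sk
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > skew:
            raise PermissionError("authenticator does not match ticket or is stale")
        return encrypt(sk, {"timestamp": a["timestamp"]})   # mutual auth: echo timestamp


class ImpostorServer:
    """Claims the server's name but lacks its master key, so it can only guess."""
    name = "fileserver"

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        return encrypt(os.urandom(32), {"timestamp": now})


class Client:
    def __init__(self, name: str, master_key: bytes):
        self.name, self.master_key, self.creds = name, master_key, {}

    def get_credentials(self, kdc: KDC, server: str, now: int) -> None:
        msg1, ticket = kdc.issue(self.name, server, now)
        sk = bytes.fromhex(decrypt(self.master_key, msg1)["session_key"])
        self.creds[server] = (sk, ticket)                    # cached; reusable until expiry

    def authenticate(self, server, now: int) -> bool:
        sk, ticket = self.creds[server.name]
        authenticator = encrypt(sk, {"client": self.name, "timestamp": now})
        try:
            return decrypt(sk, server.accept(ticket, authenticator, now))["timestamp"] == now
        except ValueError:
            return False                                     # reply not under our session key


def demo() -> dict:
    k_alice, k_srv = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": k_alice, "fileserver": k_srv}, ticket_life=600)
    alice, srv, t0 = Client("alice", k_alice), Server("fileserver", k_srv), 1_000_000
    alice.get_credentials(kdc, "fileserver", t0)             # one trip to the KDC
    result = {"first": alice.authenticate(srv, t0 + 1),
              "reused": alice.authenticate(srv, t0 + 300),  # same ticket, new authenticator
              "impostor_rejected": not alice.authenticate(ImpostorServer(), t0 + 2)}
    try:
        alice.authenticate(srv, t0 + 601)                    # past the 600 s ticket lifetime
        result["expired"] = False
    except PermissionError:
        result["expired"] = True
    return result
```

The server never talks to the KDC and never sees the client's master key; everything it needs arrives inside the ticket, which is why the ticket can be cached and replayed to the same server with a fresh authenticator until its expiry.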
Authentication: Cluster Service Account Password Change. The cluster service on every cluster node runs under the same cluster service account, which is a domain account. Cluster nodes: Slide 22
Authentication: Cluster Service Account Password Change. The cluster nodes may be authenticating against different DCs. (Diagram: DC, cluster nodes.) Slide 23
Authentication: Cluster Service Account Password Change. The password has to be changed on: the DC; the SCM and the LSA on each cluster node. Slide 24
Authentication: Cluster Service Account Password Change. (Slides 25 to 27: diagrams of the change propagating from the DC and the client to cluster nodes N1 through N9 via the GUM, Global Update Manager.) Slide 27
Authentication: Global Update Manager. Propagates updates to all nodes in the cluster. Updates are atomic and totally ordered. Tolerates all benign failures. Depends on the membership engine. Slide 28
Authorization: ACL (Access Control List). Slide 29
Cryptography: Cluster Service Account Password Change. (Diagram: DC, N3, N4, client, cluster nodes.) Slide 30
Cryptography (cont.) General notes on using the Crypto API: agreed base data, MAC, salt. Slide 31
Auditing: security audit logs. Slide 32
Windows Security Push. Entire Windows team: ~7000 people. February and March 2002. Process: threat analysis (PM, Dev, Tester); fixing security holes; testing; sign-off. Slide 33
Windows Security Push (cont.) Extracluster communication: data transfer across the cluster boundary. Examples include clusapi, the extracluster RPC interface, the join-version RPC interface, and so on. MSCS (Microsoft Cluster Service): 30 to 40 components. Slide 34
Windows Security Push (cont.) Intracluster communication: data transfer within the cluster but across node boundaries. Examples include ClusNet traffic, regroup traffic, the intracluster RPC interface, SMB traffic to MNS shares, and so on. Slide 35
Windows Security Push (cont.) Intranode communication: data transfer within a node. Examples include resapi, ClusNet ioctls, the event log, the MNS named pipe, the NetCon API, and so on. Slide 36
Windows Security Push (cont.) Internal data: data objects local to a node that are accessed by the component. Examples include registry keys, named objects, the quorum disk, MNS shares, and so on. External data: data objects located outside the cluster that are accessed by the component. Examples include computer objects in Active Directory. Slide 37
Windows Security Push (cont.) Also reviewed: all uses of cryptography; all operations that require membership in the local Administrators group; all operations that require elevated privilege (e.g. TCB, a.k.a. "Act as part of the operating system"). Slide 38
Windows Security Push (cont.) Security holes: buffer overruns; client spoofing; server spoofing; encryption by obscurity; home-grown cryptography; storing secrets in memory (DPAPI); access checks: who is allowed to issue the password change command? Slide 39
If you have any questions, please continue the discussion on the Microsoft Chinese newsgroups. Join the Microsoft Chinese newsgroups: http://www.microsoft.com/china/group Slide 40
For More Information. Microsoft resources: IPSec and PKI step-by-step walkthroughs, http://www.microsoft.com/windows2000/library/advancements/security; IPSec protection for AD site replication through firewalls, http://www.microsoft.com/ISN/Columnists/P63623.asp; "Lockdown" IPSec protection for servers, http://www.microsoft.com/ISN/journalists/p66703.asp; Using IPSec to build trusted computing infrastructures, "Ask about Security 12/15/2001" on TechNet; Security center site: http://www.microsoft.com/security; Networking center site: http://www.microsoft.com/interchanges; ISA: http://www.microsoft.com/isa, http://www.isaserver.org, http://www.aspelle.com (few details; a contact in MPSC has customer-ready demos). Other Internet resources: IETF IPSec standards, http://www.ietf.org/html.charters/ipsec-charter.html; IETF L2TP standard, http://www.ietf.org/html.charters/pppext-charter.html; IETF L2TP Working Group, http://www.ietf.org/html.charters/l2tpext-charter.html. Technology books: Doraswamy, Harkins, "IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks". Slide 41
© 2002 Microsoft Corporation. All rights