SEC310: Windows® Network Security (Windows 的网络安全性) Rui Hu (email@example.com) Software Design Engineer Windows ClusteringScale Out & Enterprise Servers Group Windows Division Microsoft Corporation
Agenda • Four Components of Windows Security • Authentication (验证) • Authorization (授权) • Cryptography (加密/解密) • Auditing (审计) • Windows Security Push
Network Authentication(验证) • Microsoft Provided Security Support Provider (SSP) Packages • Microsoft NTLM for Windows NT version 3.51 and later, Windows 2000, and Windows XP • Microsoft Kerberos for Windows 2000/Windows XP • Microsoft Digest SSP for Windows 2000/Windows XP. • Secure Channel (Schannel)
Microsoft NTLM NTLM non-interactive authentication: User name (in plaintext) Client Server Challenge Client Server
Microsoft NTLM NTLM non-interactive authentication: Response Client Server Response: challenge encrypted with the hash of the user’s password.
Microsoft NTLM NTLM non-interactive authentication: Msg Server DC Msg: the user name the challenge the response DC: domain controller SAM (Security Account Manager Database)
Microsoft NTLM (Cont.) NTLM non-interactive authentication: • Step 0: A user accesses a client machine and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only) • Step 1: The client sends the user name to the server (in plaintext). • Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
Microsoft NTLM (Cont.) NTLM non-interactive authentication: • Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response. • Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.
Microsoft NTLM (Cont.) NTLM non-interactive authentication: • Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge. • Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication is successful.
Microsoft NTLM (Cont.) • No mutual authentication: server authenticates the client, but not vice versa. (没有相互验证：server 验证 client, client 无法验证 server.)
Microsoft Kerberos • Mutual authentication: server authenticates client, and client authenticates server. (相互验证：server 验证 client, client 验证 server.)
Microsoft Kerberos (Cont.) Server Client Authenticator Message Session Key Session Key
Microsoft Kerberos (Cont.) • Kerberos (or Cerberus) was a figure in classical Greek mythology—a fierce, three-headed dog who kept living intruders from entering the Underworld. (Kerberos: 希腊神话中的三头怪物) • Kerberos protocol has three heads: a client, a server, and a trusted third party to mediate between them. The trusted intermediary in this protocol is the Key Distribution Center (KDC). (Key 发布中心)
Microsoft Kerberos (Cont.) KDC: client’s and server’s master keys. (Key Distribution Center) KDC Msg1 Client Server Msg1: client’s copy of session key encrypted by client’s master key. ticket: (server’s copy of session key + authorization data of the client) – encrypted by server’s master key
Microsoft Kerberos (Cont.) KDC: client’s and server’s master keys. KDC Msg1 Credentials Client Server Credentials: Ticket Authenticator message encrypted with session key.
Microsoft Kerberos (Cont.) KDC: client’s and server’s master keys. KDC Msg1 Credentials Client Server Timestamp Mutual Authentication: timestamp of authenticator message encrypted by session key.
Microsoft Kerberos (cont.) • Assumptions: • An open network where most clients and many servers are not physically secure. (开放的网络) • Packets traveling along the network can be monitored and modified at will. (Packets 可以被监视和修改)
Microsoft Kerberos (cont.) • The KDC (Key Distribution Center) only provides a ticket-granting service. • The client and server are responsible for keeping their respective master keys secure. (Client and server 各自保存它们的 master key)
Microsoft Kerberos (cont.) • A client does not need to access the KDC each time it wants to access this particular server. Tickets can be reused. Tickets have an expiration time. (Ticket 的有效期) • Ticket-granting ticket (TGT).
Authentication • Cluster Service Account Password Change: Cluster service on all cluster nodes are using the same cluster service account, which is a domain account. Cluster nodes:
Authentication • Cluster Service Account Password Change: different DCs. DC DC DC Cluster nodes Cluster nodes Cluster nodes
Authentication • Cluster Service Account Password Change. DC DC DC Cluster nodes Cluster nodes Cluster nodes Change password on: DC SCM and LSA on each cluster node.
Authentication • Cluster Service Account Password Change. DC DC DC Client Cluster nodes Cluster nodes Cluster nodes
Authentication • Cluster Service Account Password Change. DC DC DC N3 N4 Client Cluster nodes Cluster nodes Cluster nodes
Authentication • Cluster Service Account Password Change. N1 N2 N6 N8 N3 N7 N5 N4 N9 Client Cluster nodes Cluster nodes Cluster nodes GUM: Global Update Manager
Authentication • Global Update Manager • Propagates updates to all nodes in cluster • Updates are atomic and totally ordered • Tolerates all benign failures • Depends on membership engine
Authorization (授权) • ACL (Access Control List)
Cryptography(加密/解密) • Cluster Service Account Password Change. DC DC DC N3 N4 Client Cluster nodes Cluster nodes Cluster nodes
Cryptography (Cont.) • General information about using theCrypto API • Agreed base data • MAC • Salt
Auditing (审计) • Security audit records
Windows Security Push • Entire Windows Team: ~7000 people. • February and March 2002. • Process • Threat Analysis (PM, Dev, Tester) • Fixing Security Holes • Testing • Sign off
Windows Security Push (cont.) • Extrocluster communication: Extrocluster Communication refers to data transfer across the cluster boundary. Examples include clusapi, the extrocluster RPC interface, the join-version RPC interface, etc. MSCS (Microsoft Cluster Service): 30 to 40 components
Windows Security Push (cont.) • Intracluster communication: Intracluster communication refers to data transfer within the cluster but across node boundaries. Examples include ClusNet traffic, regroup traffic, the intracluster RPC interface, SMB traffic to MNS shares, etc.
Windows Security Push (cont.) • Intranode communication: Intranode communication refers to data transfer within a node. Examples include resapi, ClusNet ioctls, the event log, the MNS named pipe, the NetCon API, etc.
Windows Security Push (cont.) • Internal data: Internal data refers to data objects local to a node that are accessed by the component. Examples include registry keys, named objects, the quorum disk, MNS shares, etc. • External data: External data refers to data objects located outside of the cluster that are accessed by the component. Examples include computer objects in Active Directory.
Windows Security Push (cont.) • All uses of cryptography • All operations that require the membership in the local admin group • All operations that require elevated privilege (e.g. TCB a.k.a. “Act as part of the operating system”)
Windows Security Push (Cont.) • Security Holes: • Buffer overrun • Client spoofing • Server spoofing • Encryption by obfuscation • Home-grown cryptography • Storing secret in memory: DPAPI • Access check: Who can issue password-change command?
如果您有任何问题，请上微软中文新闻组继续讨论如果您有任何问题，请上微软中文新闻组继续讨论 • 加入微软中文新闻组 • http://www.microsoft.com/china/community
For More Information • Microsoft resources • IPSec, PKI step-by-step walkthroughs • http://www.microsoft.com/windows2000/library/technologies/security • IPSec protection for AD site replication through firewalls • http://www.microsoft.com/ISN/Columnists/P63623.asp • “Lockdown” IPSec protection for server • http://www.microsoft.com/ISN/columnists/p66703.asp • Using IPSec to build trusted computing infrastructures • “Ask Us About Security 12/15/2001” on TechNet • Security focus site: http://www.microsoft.com/security • Networking focus site: http://www.microsoft.com/communications • ISA: http://www.microsoft.com/isa • http://www.isaserver.org • http://www.aspelle.com (few details; dude lives in MPSC with customer-ready demos) • Other Internet resources • IETF IPSec Standards - http://www.ietf.org/html.charters/ipsec-charter.html • IETF L2TP Standard - http://www.ietf.org/html.charters/pppext-charter.html • IETF L2TP Working Group: http://www.ietf.org/html.charters/l2tpext-charter.html • Technology books: • Doraswamy, Harkins – “IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks”
© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.