Windows Security Architecture

8/7/2019 Windows Security Architecture

1/28

Windows Security Architecture

Presented by:

Mousumi Ray (9030241120)Reshma Wawhal (9030241129)Samreen Ansari (9030241131)Shubhangini (9030241133)


2/28

Pre-Logon Security: ComputerAccounts

2


3/28

Pre-Logon Security: ComputerAccounts

3


4/28

The second line of defense, after computeraccounts, against both intentional and

unintentional harm Default behavior is to require a user name

and password before you can log on Windows 2000/2003/XP can use various

technologies to authenticate a network userslogon request: Kerberos, Certificates and Smart cards

Logon Security: Getting in the door

4


5/28

User Name

Passwords and Passwords Policies

Ctrl+Alt+Delx %windir%\system32\rundll32.exe

user32.dll,LockWorkStation

RunAs service lets you run any program under

any security contextx The major benefit is that even network

administrators and IT support personnel neednot perform routine daily work with theiradministrative account


5


6/28

Account Lockout

The policies, which can be viewed in the

Domain Security Policy consolex Account lockout duration

x Account lockout threshold

x Reset account lockout counter

Remote Access Security I: RRAS, IAS, and AD Authentication Protocols

AD Authentication

RRAS and IAS


6


7/28

Remote Access Security II: Securing SystemSoftware

Windows Update Software Update Server

Proxy Servers and Firewalls

Antivirus Software


7


8/28

User and Group Rights

Rights are

privileges.

Groups :collection of

useraccounts.

8


9/28

User and Group Rights

9


10/28

User and Group Accounts Built-In Local User and Group Accounts

Local User Accountsx Administrator

x System management & configuration tasksx Rename & dont delete

x Guestx Limited accessx Disable by defaultx Rename.

Local Group Accountsx Administratorsx Backup Operatorsx Guests:x Usersx Power Usersx

Replicators

10


11/28

User and Group Accounts

System Groups Everyone AuthenticatedUsers Terminal Server Users Creator/Owner Network

Anonymous Logon Dialup Interactive

11


12/28

User and Group Accounts

Built-InDomain User and Group Accounts

Domain

User Accounts

Domain Admin

External User

Guest

TsInternetUser (used byTerminal Services only)

Domain User Accounts

12


13/28

Object Permissions

Share permissions

read, change, and full control File and folder (NTFS) permissions

read, read+execute, write, modify, list foldercontents (for folders only), and full control

Registry permissions Printer permissions

13


14/28

Security for stored data

Digital Signatures and Driver Signing

Windows File Protection

Encrypting File System (EFS)

14


15/28

Digital Signatures and Driver

Signing Microsoft brands a digital signature

Into core operating system files Drivers that it ships with Windows Into files Drivers released subsequently

Computer Configuration\Windows

Settings\Security Settings\LocalPolicies\Security Options.

The three behaviours Ignore, Warn, Failwhichactivate upon an attempt to install a new driver.

15


16/28

Windows File Protection

The Guardian Angel

The Windows 2000/2003/XP approach is to run a file system guardian angelin the background.

Guardian angel watching over system files that live in the system root folder andhave the extensions DLL, EXE, FON, OCX, SYS, and TTF

When this guardian angel detects that a program has updated (or, in somecases, backdated!) one of these files, it tries to automatically restore the original

version of the file, typically from the hip pocket folder%systemroot%\SYSTEM32\DLLCACHE.

If the file is not in DLLCACHE or in the driver archive%systemroot%\Driver Cache\I386\DRIVER.CAB, then theguardian angel pops up awindow asking you to supply the originalinstallation media.

16


17/28

Command-Line Utilities

User may run into occasions when he would like to perform asignature scan yourself. Two utilities are available for thispurpose: SIGVERIF and SFC .

The SIGVERIF.EXE command-line utility, a.k.a. SignatureVerification Tool, scans protected system files and verifiestheir digital signatures.

The program creates the log file SIGVERIF.

TXT

to provide arecord of the scan.

Microsoft also provides a command-line program calledSFC.EXE, for System File Checker. SFC to scan system filesfor digital signatures.

17


18/28

Encrypting File System (EFS)

EFS is a public key encryption method, meaning that a public keyis used to encrypt a file and a private key is used to decrypt it.

Encrypt a folder by right-clicking it in Windows Explorer, choosingProperties, clicking the Advanced button, and checking the EncryptContents to Secure Data box.

After you encrypt a folder, you can only have access to that folder

and its contents when you log on with the same user account andpassword that you used when you encrypted the folder originally.

A user may forget an account password and have created encryptedfiles under that account. If that happens, the recovery agent has a

private key that will unlock an encrypted file.

18


19/28

Security for Transmitted Data

IPSec for secure authentication, confidentiality

Key features: IPSec operates at Layer 3 IPSec works between workstations, between

workstations and servers, and between servers. IPSec in Windows 2003/2000/XP permits configuration

through Group Policy and Active Directory utilities. Users do not have to be in the same domain to use IPSec Simple routers do not need any special configuration to

work with IPSec.

19


20/28


Packet filtering is a technique for restricting traffic

or activating a security policy depending on apackets source address, destination address,and/or traffic type.

20


21/28


Wired Equivalent Privacy, known as WEP, arises

from the IEEE standards for wireless networks( 8 0 2 . 11b) and encrypts the data flow betweenthe wireless client and access point.

21


22/28

Local and Group Policy

Policies are really more of a mechanism forimplementing and controlling the various other

types of Windows 2003/2000/XP security than a newtype of security themselves.

Hierarchical Structure :In Active Directory, anenterprise network has different levels, as follows:

Forests Sites Trees Domains Organizational Units

22


23/28


Local Security Policy and Domain Security PolicyWindows provides the Local Security Policy console in

the AdministrativeT

ools folder of a workstationmachine, and the Domain Security Policy console in theAdministrative Tools folder of a server, to enable you towork only with security-related policies.

Local Security Policy console is simply a subset of the

entire set of policies, open GPEDIT.MSC via the Start >Run dialog box, and navigate to\Local Computer Policy\ComputerConfiguration\Windows Settings\SecuritySettings. Now, open the Local Security Policy console

via AdministrativeT

ools > Local Security Policy

23


24/28


SecurityTemplates : The company has provided

a way to set a whole bunch of policies in one fellswoop and a whole bunch of file system andRegistry access permissions, too.

Security templates preconfigured for you by

Microsoft have the suffix INF and live in%systemroot%\security\templates.

e.g. BASICDC, BASICSV, BASICWK,HISECDC,HISECWK,SECUREDC etc.

24


25/28


Security Configuration and Analysis It lets you compare a machines present setup

against a specific security template. apply a template to a local PC, or to a Group Policy

object such as a domain or organizational unit.

Steps:

Duild the console Run MMC.EXE Add the security Configuration and Analysis snap-

n.

25


26/28

Auditing

Auditing is keeping track of events that may reflect onsystem security. (COMPMGMT.MSC)

Activate Logon Auditing : Windows can monitor logons, both

successful and unsuccessful, and record them in theSecurity event log.

Object Auditing : Windows 2000 can also monitorsuccessful and unsuccessful accesses to objects namely files, folders, the Registry, and printers and record those accesses into the Security eventlog.

26


27/28

References

http://hakindia007.blogspot.com/2009/11/win

dows-security-architecture.html http://images.globalknowledge.com/wwwimages/whitepaperpdf/WindowsSecurity.pdf

27


28/28

Thank You !

28

Windows Security Architecture

Documents

Transcript of Windows Security Architecture