Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Logon Process


To access most resources on Windows computers based on NT technologies, a user must know a valid account name in the account database of the computer or domain and the password for that account. Then she must use this information to log on. Users are not the only security principals (objects that can be granted rights and permissions on Windows systems). In a Windows domain, those computers (Windows NT 4.0, Windows 2000, Windows XP Professional, and Windows Server 2003) that can become domain members are also considered security principals and, like users, must be provided a domain computer account.

Both users and computers use the logon process to authenticate. The details of the logon process may vary based on operating systems, account type, logon type, and credentials, but the basic steps are similar. The process includes three steps:

The security principal (user or computer) must present a user ID or other identity symbol such as a smart card.

When requested, the security principal must present credentials. Credentials may be a password, biometric, token, or PIN.

The combination of identity symbol and credentials are validated or rejected. The validation process consists of identifying the account as legitimate, satisfying account restrictions (logon hours, for example), and evaluating the proof of identity (password or other factor) provided. If the logon is not local, (based on an account database on the same computer), a network authentication protocol is used.



Password Storage


Passwords are not stored in the Windows password database in clear text. Instead, a hash of each password is stored. A hash is the result of taking a variable-length binary input and processing it to produce a fixed-length binary output. When a good hashing algorithm is used, it is statistically infeasible that two different inputs will produce the same output. This also means that the same input will always produce the same output. A cryptographic hash uses a secret key to protect the results of the process. Cryptographic hashing is a one-way function (OWF); that is, the process is irreversible. Unlike the results of secret key encryption, the cryptographic hash cannot be decrypted.

The hash used in Windows is a cryptographic hash, and thus the process is irreversible. This is why a comparison process is used during authentication. A sound hash algorithm will never reduce different bits of data to the same result, so if the result of hashing the entered password matches the stored password hash, then the password has been validated, and the user has proved his or her identity to the system.

NOTE: Reality Check

In reality, no existing hashing algorithm is perfectly sound. That is, mathematically there is the possibility that two different passwords might hash to the same result or produce a collision. The question to ask here is not whether we should throw out hashing algorithms as security tools for password storage, but rather how likely the collision is and how easy it would be for someone to use this possibility to crack passwords. At this point, the possibility of collision is considered slight enough and the difficulty of exploiting this flaw is high enough to justify continuing to use current hashing algorithms while seeking better ones and alternative mechanisms. (Current password cracking tools do not crack passwords by using this flaw.)

Password hashes for local accounts are stored in the local account database, the security accounts manager (SAM), on the local computer, or, when accounts are domain accounts, in the domain password database in the Active Directory. During local logon, when a user presents a password, the hash cannot be decrypted, so the same cryptographic hashing process is used on the entered password, and the results are compared to the stored hash. If both hashes match, then the passwords match, and the user is authenticated.

Logon Types


The exact process used during authentication is dependent on the logon type. Logon types are as follows:

Interactive
In most cases, the user provides credentials at a console. Exceptions are some types of remote logon such as web server access that require interactive logon permissions but for which the user does not have to log on from the console. The user's credentials are checked against the user account database either in the SAM if the account is local or in the Active Directory if it is the domain account. If the account is a domain account, Kerberos is used by default. In an Active Directory forest, a user's domain account can be used for approved access to resources in any domain in the forest. Cross-forest trusts can extend this access to other external domains. The ability to use a single account for such wide-reaching access is known as single sign-on.

Network
Provides proof of the user's identity to a network service or resource that the user is attempting to access. Many types of network authentication are available, such as Kerberos V5, Secure Socket Layer/Transport Layer Security (SSL/TLS), and, for compatibility with Windows NT 4, NTLM. Network authentication occurs when a domain account (an account stored in a domain database) is used or when a remote resource is accessed.

Anonymous
No user account or credentials are required.


NOTE: Variations on Logon Types

Microsoft extends these definitions with additional types of logon, including batch (executing on behalf of a user), service (a service starts), unlock (a locked computer was unlocked), network clear text (password passed in clear text across the network), new credentials (new credentials are used for other network connections), remote interactive (Terminal services or Remote desktop), and cached interactive (locally cached credentials are used and no domain controller was contacted.) However, these are only slight variations of the following explanations.

Interactive Logon Process Details


When the logon process is interactive (a user is sitting at a Windows computer), the following steps are used:


1.

The user provides an attention signal, such as the CTRL+ALT+DEL key combination, the insertion of a smart card, or the presentation of a biometric.

2.

The Winlogon service calls the Graphical Identification and Authentication (GINA) dynamic link library (dll), and the logon screen is presented. (When the logon process involves something other than passwords, the GINA may be altered or replaced and a different screen may appear.)

3.

The user provides credentials in the form of a user ID and password or, in the case of a smart card, a PIN. After entering the data, the user may need to click an OK button.

4.

The Local Security Authority (LSA) processes the credentials.

5.

If a user ID and password are used, the LSA user function converts the credentials into the same form in which they are stored in the account database (either the local SAM or domain controller resident Active Directory). In an unmodified Windows Server 2003 server, two storage forms are prepared and storedan LM hash and an NTLM hash. If a smart card is used, the LSA uses the entered PIN (if it is valid) to obtain the private key of the user's smart card certificate from the smart card.

6.

Account restrictions are checked. Account restrictions are things such as Account is disabled or Smart card is required for interactive logon.

7.

User logon rights, such as the right to log on locally, are checked and the credentials are validated.

8.

If the logon is local, the LSA compares the result of step 5 with the hashed password data stored in the local SAM. If the result is a match, the user is authenticated and access is provided.

9.

If the logon is to a domain, the authentication package MSV_0, which includes Kerberos, LM, and NTLM, is used to validate the credentials.



Smart Card Processing


Native Windows Server 2003 smart card processing is integrated into Windows Server 2003 certificate services and is available only in an Active Directory domain. Smart card authentication also uses certificates for the initial Kerberos processing. More information is provided in the "Certificates, Smart Cards, Tokens, and Biometrics" section later in this chapter and in Chapter 13, "Implementing a Secure PKI."

Domain and Network Authentication


Local interactive logon simply compares a password hash to the hash stored in the local account database, the SAM.

When a domain account is used, the process is different. A network authentication protocol, such as Kerberos, LAN Manager (LM), NT LAN Manager (NTLM), or NTLM version 2 (NTLMv2), is used. A network authentication protocol is also used when a user requests access to a network resource. For example, if a user attempts to access files on a network file server, he must first authenticate to the file server. The remote authentication process is transparent to the user when the process is able to use currently cached logon credentials (password hash or Kerberos tickets). If the ticket has expired and cannot be renewed, or if the credentials for the account on the remote system do not match those used by the logged-on user, a prompt for new credentials may appear.


/ 194