Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







EFS Architecture


To troubleshoot EFS, or to be able to design proper EFS recovery and EFS policy for the organization, you must understand how EFS works.

EFS is a component of the NTFS file system of Windows 2000 and above. Thus, its operations are mostly transparent to the user and to the application that needs to open and close the files. If the user has the ability to encrypt and decrypt the files, when the file is opened, it is decrypted, and when it is saved, it is encrypted. The setup of shared EFS files is not transparent.

File System Operations


Several operating system components both in user space and in the kernel participate in the operation of the EFS. These components are listed and described in Table 6-2.

Table 6-2. Components of EFS

Component

Description

Local Security Authority (LSA)

Responsible for a number of EFS operations and provides the interfaces for other EFS components such as feclient and efsadue. LSA creates the file encryption key (FEK) and then encrypts it using the public key of the user and separately with the public key of the recovery agent if one is present. LSA also checks to see if the file can be encrypted. During decryption, LSA checks for changes in user encryption and recovery agent encryption keys. LSA exports interfaces for use via RPC with feclient and LPC with ksecdd.

Feclient

Receives Win32 API calls and calls the EFS remote procedure call (RPC) or local procedure call (LPC) interfaces in the LSA. Feclient determines where the file resides (locally or on some remote server) and calls the LSA of the appropriate server.

Efsadu

Provides the EFS user interface (the Advanced sub-dialog of file Properties and the Details button).

The shell

Displays the filenames in Windows Explorer in green.

Winlogon

Creates the domain controller default recovery policy when a domain administrator logs on for the first time to a domain controller. On a domain member computer, Winlogon calls the security configuration engine to process EFS recovery policy from the domain.

NTFS driver

Contains most of the EFS code in the kernel and responds to requests from the LSA to encrypt or decrypt. The NTFS driver passes the encrypted FEK to ksecdd for passing to LSA for decryption. NTFS then decrypts the data. NTFS functions also include reading and writing encrypted file functions in raw mode so that NTBACKUP can be used to back up and restore encrypted files.

The WebDAV redirector

Used to handle encrypted files in WebDAV folders.

Ksecdd

Used to communicate NTFS LPC calls to LSA.

When a request to encrypt an existing file is received by the file system, the following steps occur:


1.

The NTFS driver passes the request to feclient.

2.

Feclient determines if the file will be located locally or on a remote server and then passes the request to either the local or remote Local Security Authority (LSA).

3.

LSA verifies the following:

The file may be encrypted.

There is enough disk space to do so.

4.

LSA then generates the file encryption key (FEK).

5.

The LSA encrypts a copy of the FEK using the user's public key.

6.

If a recovery policy is in effect, the FEK is also encrypted with the recovery agent's public key.

7.

The EFS metadata is created. This consists of the EFS information such as version and encryption algorithm and the Data Decryption Fields (DDF) and Data Recovery Fields (DRF). Each DDF is the FEK encrypted with the public key of a user who is authorized to encrypt the file. Each DRF is the FEK encrypted with the public key of a recovery agent.

8.

A temporary file is created in the current directory.

9.

Each data stream in the file is copied into the temporary files in the directory for backup, and the original file is emptied.

10.

EFS reads the streams from the temporary files, encrypts the file using the FEK passed to the kernel by the LSA, and writes encrypted data into the original file.

11.

When all the data is written back into the file, EFS verifies that it is encrypted and then deletes the temporary file.


NOTE: Role of the User's Master Key in EFS

The user's certificate and private key are stored in the user's profile and protected by the user's master key. The master key is based on the user's password. When the master key is not in use, it is encrypted and stored in the user's profile. Knowledge of the user's password at the time the master key was encrypted is necessary to decrypt the master key. This is why a normal password change instituted by the user will not affect EFS-encrypted files, but a password reset done by an administrator will. It is also why even though encryption keys can be found on the disk, EFS-encrypted files cannot be decrypted without knowledge of the user's password at the time of the encryption. Without the password, the master key cannot be decrypted, and the encryption keys cannot be used.

Encrypting, Decrypting, and Recovery Algorithms


EFS uses two types of encryption: symmetric (single key) and asymmetric or public key encryption. Files are encrypted using symmetric algorithms, which are very fast. The symmetric key is protected with public key encryption.

Symmetric key encryption uses the same key both to encrypt and decrypt. This is similar to using a physical key to lock the door to a house. The security of the data, or of the house, depends on keeping tabs on the symmetric key. The house key should not be left in the lock, and it should not be stored nearby and easily found. Likewise, the symmetric key used in encryption must be protected. It is typically stored separately from the data. When it is necessary to decrypt the data, the symmetric key (or a copy of it) must be produced and used. For two parties to share encrypted data, the symmetric key must be securely provided to both parties and therefore cannot merely accompany the encrypted data. The problem of key distribution can be difficult to solve.

Asymmetric key encryption, also known as public key/private key encryption, can be used to solve the key distribution problem. Asymmetric key encryption uses an associated key pair approach. If one of the keys is used to encrypt, only the other associated key can be used to decrypt. Therefore, one key can be made public (the public key) and widely available as long as the other (the private key) is kept private. Public key encryption is used for key distribution in many email encryption schemes. In the typical email encryption scheme, a symmetric key is used to encrypt the message, and the recipient's public key is used to encrypt the symmetric key. The protected symmetric key can therefore be sent with the encrypted email. The recipient can use his private key to decrypt the encrypted symmetric key, and the symmetric key can be used to decrypt the message.

EFS uses a similar approach. An asymmetric key pair is used to protect the file encryption key. In EFS, each user who is allowed to encrypt files is provided a public key/private key pair to do so. The public key is placed in a certificate and bound to the user account. The private key is stored separately. A symmetric key, the FEK, is used to encrypt the file, and the user's public key is used to encrypt the file encryption key. The public key cannot be used to decrypt the FEK. Instead, the associated private key must be used.

NOTE: Why Are Both Algorithms Used?

Both email and EFS schemes might have been developed to only use public key encryption. Instead of first using a symmetric key to encrypt the data, the public key could be used. The observed result would be the sameonly the holder of the private key would be able to decrypt the data. However, asymmetric key encryption is very slow. The difference might not be noticed when small amounts of data are encrypted, but it would be very noticeable if larger amounts of data were encrypted.

If multiple users are authorized to encrypt the file, or there is a designated File Recovery Agent, the FEK is also separately encrypted with these public keys. All encrypted copies of the FEK are stored in the files properties. Decryption and recovery work the algorithm in reverse. First, the appropriate private key is used to decrypt the encrypted FEK, and then the FEK is used to decrypt the file.

File Encryption

The file encryption process is illustrated in Figure 6-13 and described in the following steps.


1.

A file marked for encryption is saved, or a file is saved to a folder marked for encryption.

2.

A random encryption key (the FEK) is generated and used to encrypt the file. A different key is used for each file encrypted.

3.

The public key of the user is used to encrypt the FEK and stored in the file's Data Decryption Field (DDF).

4.

If other users are authorized to share the encrypted file, their public keys are used to encrypt the FEK, and the result is stored in the file properties.

5.

If a recovery agent exists, his public key is used to encrypt the FEK, and the results are stored in the Data Recovery Field (DRF) of the file properties.

6.

If additional recovery agents exist, their public keys are used to encrypt the FEK and are stored with the file properties.


Figure 6-13. The file encryption key is protected by encryption using the user's public key.

File Decryption

File decryption is illustrated in Figure 6-14 and described in the following steps.


1.

A user attempts to open a file or to use cipher or the file system to decrypt the file.

2.

If her public key is one that encrypted the FEK, then the associated private key related to her public keys used to encrypt the FEK is used to decrypt the FEK.

3.

The FEK is used to decrypt the file.


Figure 6-14. The encrypted file encryption key can be decrypted using the associated private key.

File Recovery

File recovery is also illustrated in Figure 6-14.


1.

A recovery agent attempts to open a file or to decrypt the file using cipher or the file properties.

2.

If her public key is one that encrypted the FEK, then the associated private key related to her public keys used to encrypt the FEK is used to decrypt the FEK.

3.

The FEK is used to decrypt the file.


Encryption Types and Strengt


The symmetric and asymmetric algorithms used for EFS are industry standards. A Windows Server 2003 computer may be configured to use DESX, 3DES, or AES symmetric encryption algorithms. RC4 is used for asymmetric encryption. Earlier versions of the operating system may not be able to use all of the encryption algorithms. Windows 2000 uses DESX. XP Professional pre-service pack 1 uses DESX by default, but it can be modified to use 3DES. Post-service pack 1, Windows XP Professional defaults to AES but can be modified to use DESX or 3DES. This can mean problems if users attempt to move encrypted files to different OS-based machines and decrypt the files. Caution should be used to select the algorithm that will work in your environment and prevent potential damage by setting all versions of the OS that are capable of doing EFS to use the same encryption algorithm. Instructions for configuring the symmetric key algorithm using the registry are located in the section "Changing Encryption Algorithm," later in this chapter.

Another way to manage the file encryption strength for EFS is to modify the Security Option System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing. This setting manages the encryption strength for all operations, including the use of SHA-1 for hashing, 3DES for Transport Layer Security (TLS) traffic and EFS, and RSA for TLS public key exchange.

NOTE: FIPS

The Federal Information Processing Standard (FIPS) 140-1 is required by the U.S. government certification of cryptographic software.

On Windows Server 2003, the default encryption key strength can also be modified. To do so, you must add the value RSAKeyLength to the EFS registry key and set it to a value between 1024 and 16384. The entered value will be rounded to the next multiple of 8. While the Microsoft Base Provider Cryptographic Service Provider (CSP) is used for encryption, if the key strength is greater than 1024, the Microsoft Enhanced Provider CSP will be used.


/ 194