4 Securing

Secure the hardware
–Lock the server room and control the other ways of getting physical access to the hardware.
–Password-protect the BIOS setup (otherwise the boot order can be changed and the machine booted from removable media, bypassing the OS).
Secure the NOS (network operating system)
Windows EFS (Encrypting File System)
–Files on NTFS can be encrypted with EFS. Each file is encrypted with its own random File Encryption Key (FEK).
–The FEK is stored with the file, encrypted to the user's EFS key and, separately, to the key of each Recovery Agent.
–Recovery Agents (selected users) are therefore able to recover the FEK, and with it the file, if the user's key is lost.
–Additional recovery agents are added by editing the EFS recovery policy.
Windows authentication
Two functions:
–Verify a user's credentials (username and password).
–Build the access token that is then used to grant access to resources.
Components covered below:
–GINA (Graphical Identification and Authentication)
–Basic authentication (LM / NTLM challenge/response)
–External authentication: biometrics, smartcards, token-based
–Kerberos
GINA (Graphical Identification and Authentication)
Interactive logon path:
1. The Winlogon process owns the logon desktop. Ctrl+Alt+Del is the Secure Attention Sequence (SAS); it is intercepted by the kernel and makes Winlogon load GINA, which collects the username and password. Because only the kernel can deliver the SAS, a user-mode program cannot fake the logon dialog.
2. GINA passes the credentials to the LSA (Local Security Authority) over LPC (Local Procedure Call).
3. The LSA hands them to a Security Support Provider (SSP) through SSPI (Security Support Provider Interface). The default SSP in a Windows 2000/2003 domain is Kerberos; if Kerberos cannot be used, the next SSP, NTLM (NT LAN Manager), is tried.
4. For local accounts NTLM checks the credentials against the SAM (Security Accounts Manager) database. The result goes back to the LSA, which builds the access token on success.
Basic authentication: LanManager (LM) and NTLM challenge/response
Used by DOS, Windows 3.11, Windows 95/98 and Windows NT up to NT4 SP3.
–The password is never sent. Client and server both hold a one-way hash of it: the LM hash (password truncated to 14 characters, upper-cased, split into two 7-byte halves, each used as a DES key to encrypt a fixed constant) and/or the NT hash (MD4 of the Unicode password).
–The server sends an 8-byte random string (the challenge).
–The client encrypts the challenge with DES keys derived from the hash (the 16-byte hash padded to 21 bytes gives three 7-byte DES keys) and returns the 24-byte LM response and/or NTLM response.
–The server performs the same computation with its stored hash and compares the two values (=?).
–Weaknesses: the two LM halves can be attacked independently (effective strength of a 7-character upper-case password), there is no mutual authentication, and a captured challenge/response pair can be guessed offline.
Basic authentication: NTLMv2 challenge/response (NT4 SP4 and later)
–Still a challenge/response: the server sends an 8-byte random string; the client additionally contributes its own random nonce and a timestamp.
–The response is an HMAC-MD5 (keyed hash with a 128-bit key and a 128-bit result) instead of DES: the key is derived from the NT hash together with the username and domain, and the MAC covers the server challenge plus the client's data.
–The server recomputes the MAC with the stored hash and compares (=?). Because the client's nonce and timestamp are included, a captured response cannot be replayed against a new challenge; offline guessing of weak passwords from a captured exchange remains possible.
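The NTLMv2 exchange above, worked end to end in Python, as an added example that is not part of the slides. It also stands in for the LM/NTLM slide, since the shape of the exchange (stored one-way hash, random server challenge, keyed response, server-side recomputation) is the same; only the DES step of v1 is replaced by HMAC-MD5. MD4 is implemented inline because `hashlib` builds on OpenSSL 3 often lack it; the user/domain/password values and the simplified client blob are constructed test data.

```python
# NTLMv2 challenge/response worked end to end (added example, not from the slides).
# MD4 is implemented inline; the account data and client blob below are constructed.
import hashlib, hmac, os, struct

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4; needed for the NT hash (NTOWFv1 = MD4(UTF-16LE(password)))
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rol((a + F(b, c, d) + X[k]) & 0xFFFFFFFF, s); a, b, c, d = d, a, b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, s); a, b, c, d = d, a, b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, s); a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    # the one-way hash the SAM / domain controller stores instead of the password
    return md4(password.encode("utf-16le"))

def ntowf_v2_from_hash(nt: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain case preserved)
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    return ntowf_v2_from_hash(nt_hash(password), user, domain)

def ntlmv2_response(v2key: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(key, server challenge || blob); the blob (timestamp, client nonce,
    # target info) travels with it so the server can recompute the proof
    return hmac.new(v2key, server_challenge + client_blob, hashlib.md5).digest() + client_blob

def verify_ntlmv2(v2key: bytes, server_challenge: bytes, response: bytes) -> bool:
    # server side: recompute with the stored hash and compare (the "=?" of the slide)
    proof, blob = response[:16], response[16:]
    expect = hmac.new(v2key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expect)

def demo_exchange() -> dict:
    # constructed account; the server keeps only the NT hash, never the password
    user, domain, password = "User", "Domain", "Password"
    server_key = ntowf_v2_from_hash(nt_hash(password), user, domain)
    server_challenge = os.urandom(8)                     # the "random string" of the slide
    # simplified client blob: type bytes, reserved, timestamp, client nonce, reserved (AV pairs omitted)
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 4
    resp = ntlmv2_response(ntowf_v2(password, user, domain), server_challenge, blob)
    wrong = ntlmv2_response(ntowf_v2("password", user, domain), server_challenge, blob)
    return {
        "accepted": verify_ntlmv2(server_key, server_challenge, resp),
        "replay_accepted": verify_ntlmv2(server_key, os.urandom(8), resp),  # old response, new challenge
        "wrong_password_accepted": verify_ntlmv2(server_key, server_challenge, wrong),
    }
```

Note that `ntowf_v2_from_hash` needs only the NT hash, not the password: anyone holding the hash can produce a valid response, which is why a stolen NT hash is as good as the password (pass-the-hash) under both NTLM and NTLMv2.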
External authentication
–Biometrics (fingerprint, eye/iris scan)
–Smartcard (requires a smartcard reader on the client)
–RSA SecurID tokens (one-time codes; used for example in Internet payment)
Kerberos
–Developed at MIT (Massachusetts Institute of Technology) in the 1980s.
–Secure authentication protocol based on symmetric (secret-key) encryption: every principal shares a secret key with the key distribution center, and the client's key is derived from its password. The base protocol does not use public-key encryption.
–Ticket granting: only one authentication (the initial login) is needed; afterwards the client presents tickets.
–Kerberos supports proxy and forwarding of credentials (delegation).
–Requires synchronized clocks, since tickets and authenticators carry timestamps; NTP (Network Time Protocol) is used for synchronization.
Used in:
–Windows Server 2003
–Windows 2000 environments
–Active Directory
–Windows XP
–Keys are stored in AD and generated automatically from the account password.
–Compatible with the MIT Kerberos implementation for Unix.
Authorization (overview)
1. Network login: the client authenticates to the authentication server.
2. Call to server: the client calls the server, and authorization of the call is based on the result of step 1.
Kerberos ticket flow
Parties: Client, Authentication server (AS), Ticket server (ticket-granting server), Privilege server (PS) and Server (the service being called). All keys are symmetric: the client's key is derived from its password and is known to the client and the AS; each server's key is shared with the ticket server. (The diagram labels the AS "Public key" and the client "Private-key"; Kerberos does not use public-key cryptography, so read these as the KDC's copy and the client's copy of the same secret key.)
1. Network login: the client sends its name to the AS.
2. The AS returns a TGT (Ticket Granting Ticket), encrypted with the ticket server's key so the client cannot read or alter it, together with a session key encrypted with the client's key. Only a client that knows the password can recover the session key.
3. The client presents the TGT to the ticket server and asks for a ticket to the PS.
4. The ticket server returns a ticket for the PS, TGT(PS).
5. The client presents TGT(PS) to the PS.
6, 7. The PS verifies the ticket and looks up the client's identity and group memberships.
8. The PS returns a Privilege TGT (PTGT) carrying the user id and group ids. It is kept for the entire session, so the lookup is done only once.
9. The client presents the PTGT to the ticket server and asks for a ticket to the Server.
10. The ticket server returns a ticket for the Server, encrypted with the Server's key and carrying the privilege data.
11. Call: the client sends the ticket to the Server. The Server decrypts it with its own key, reads the user and group ids and decides on access; no further contact with the AS is needed.
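The eleven-step flow above, simulated in Python with the parties of the diagram (AS, ticket server, PS, client, server), as an added example that is not part of the slides. Every key is symmetric, each ticket is sealed under the key of the service that will consume it, and the server validates tickets without contacting the KDC. `seal`/`open_` are a SHA-256-keystream plus HMAC stand-in for the real Kerberos encryption types; the realm, account, group data, ticket lifetime and clock-skew window are assumed values.

```python
# Toy Kerberos-style exchange (added example, not from the slides): authentication server,
# ticket server, privilege server, client and server share only symmetric keys.
# seal/open_ are a SHA-256-keystream + HMAC stand-in for the real encryption types.
import hashlib, hmac, json, os, time

SKEW = 300             # seconds of clock skew tolerated for authenticators (Kerberos default: 5 minutes)
LIFETIME = 8 * 3600    # ticket lifetime in seconds (assumed value)
REALM = "EXAMPLE.NET"  # constructed realm name, used as key-derivation salt

def derive_key(password, principal):
    # string-to-key: the client's long-term key comes from its password; only client and KDC know it
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    # encrypt-then-MAC of a JSON object; without `key` the result can be neither read nor forged
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_key, client):
    # sent next to a ticket (steps 3, 5, 9, 11): proves possession of the session key and freshness
    return seal(session_key, {"client": client, "ts": time.time()})

def check(ticket, auth_blob):
    # receiver-side validation of ticket + authenticator; returns the session key on success
    if time.time() > ticket["expires"]:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(ticket["key"])
    auth = open_(sk, auth_blob)
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is outside the clock-skew window")
    return sk

class KDC:
    """AS (as_login), ticket server (tgs_request) and privilege server (ps_request) on one key store."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32), "ps": os.urandom(32), "fileserver": os.urandom(32)}
        self.users = {"alice": derive_key("correct horse", "alice")}   # constructed account
        self.groups = {"alice": ["Users", "Engineering"]}              # constructed group membership
    def _issue(self, service, client, pac=None):
        # a ticket is sealed under the *service's* key: the client carries it but cannot read or alter it
        sk = os.urandom(32)
        body = {"client": client, "service": service, "key": sk.hex(), "expires": time.time() + LIFETIME, "pac": pac}
        return sk, seal(self.keys[service], body)
    def as_login(self, client):                           # steps 1-2
        sk, tgt = self._issue("krbtgt", client)
        return seal(self.users[client], {"key": sk.hex()}), tgt   # session key readable only with the password
    def tgs_request(self, tgt_blob, auth_blob, service):  # steps 3-4 and 9-10
        t = open_(self.keys["krbtgt"], tgt_blob)
        cur = check(t, auth_blob)
        sk, ticket = self._issue(service, t["client"], t["pac"])
        return seal(cur, {"key": sk.hex()}), ticket
    def ps_request(self, ps_ticket_blob, auth_blob):      # steps 5-8: PTGT carries user id + group ids
        t = open_(self.keys["ps"], ps_ticket_blob)
        cur = check(t, auth_blob)
        sk, ptgt = self._issue("krbtgt", t["client"], {"user": t["client"], "groups": self.groups[t["client"]]})
        return seal(cur, {"key": sk.hex()}), ptgt

def service_accept(service_key, ticket_blob, auth_blob):  # step 11: the server never contacts the KDC
    t = open_(service_key, ticket_blob)
    check(t, auth_blob)
    return t["pac"]

def full_login(kdc, user, password):
    # client side of steps 1-11; each reply's session key is unwrapped with the previous one
    enc, tgt = kdc.as_login(user)
    sk = bytes.fromhex(open_(derive_key(password, user), enc)["key"])  # wrong password -> ValueError
    enc, t_ps = kdc.tgs_request(tgt, authenticator(sk, user), "ps")
    sk = bytes.fromhex(open_(sk, enc)["key"])
    enc, ptgt = kdc.ps_request(t_ps, authenticator(sk, user))
    sk = bytes.fromhex(open_(sk, enc)["key"])
    enc, t_fs = kdc.tgs_request(ptgt, authenticator(sk, user), "fileserver")
    sk = bytes.fromhex(open_(sk, enc)["key"])
    return t_fs, sk, service_accept(kdc.keys["fileserver"], t_fs, authenticator(sk, user))

def demo():
    # happy path plus the three cases a server must reject: wrong password, tampered ticket, stale authenticator
    kdc = KDC()
    t_fs, sk, pac = full_login(kdc, "alice", "correct horse")
    out = {"groups": pac["groups"], "wrong_password": False, "tampered": False, "stale": False}
    try: full_login(kdc, "alice", "wrong")
    except ValueError: out["wrong_password"] = True
    try: service_accept(kdc.keys["fileserver"], t_fs[:-1] + bytes([t_fs[-1] ^ 1]), authenticator(sk, "alice"))
    except ValueError: out["tampered"] = True
    try: service_accept(kdc.keys["fileserver"], t_fs, seal(sk, {"client": "alice", "ts": time.time() - 3600}))
    except ValueError: out["stale"] = True
    return out
```

The password is used exactly once, in step 2, to unwrap the first session key; everything after that is tickets and session keys, which is the "only one authentication needed" property of the slide. The stale-authenticator case is why the slide lists NTP: a client whose clock drifts more than the skew window is rejected even with a valid ticket.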