Chapter Six Windows XP Security and Access Controls.

Objectives
- Describe the Windows XP security model, and the key role of logon authentication
- Customize the logon process
- Discuss domain security concepts
- Understand the Local Computer Policy

Objectives (cont.)
- Enable and use auditing
- Encrypt NTFS files, folders, or drives using the Encrypted File System (EFS)
- Understand and implement Internet security

The Windows XP Security Model
- Windows XP Professional can establish local security when used as a standalone system, or participate in domain security
- Domain security
  - Control of user accounts, group memberships, and resource access for all members of a network
- Password
  - Unique string of characters that must be provided before logon or access is authorized

The Windows XP Security Model (cont.)
- A user who successfully logs on receives an access token
- Process
  - Primary unit of execution in the Windows XP operating system environment
- Access control list (ACL)
  - List of security identifiers, with their permissions, attached to a resource object

Logon Authentication
- The logon process has two components:
- Identification
  - Requires that a user supply a valid account name (and, in a domain environment, the name of the domain to which that user account belongs)
- Authentication
  - Means that a user must use some method to verify his or her identity

Logon Authentication (cont.)
- An access token includes all security information pertaining to that user, including the user's security ID (SID) and SIDs for each of the groups to which the user belongs
- An access token includes the following components:
  - Unique SID for the account
  - List of groups to which the user belongs
  - List of rights and privileges associated with the specific user's account

Logon Authentication (cont.)
- Access to the system is allowed only after the user receives the access token
- Each access token is created for one-time use during the logon process
- Once constructed, the access token is attached to the user's shell process

Objects
- In Windows XP, access to individual resources is controlled at the object level
- Object
  - Everything within the Windows XP operating environment is an object
  - Objects include files, folders, shares, printers, processes, etc.

Access Control
- The Windows XP logon procedure provides security through the use of the following:
  - Mandatory logon
  - Restricted user mode
  - Physical logon
  - User profiles
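The token-versus-ACL check the preceding slides describe, as an added example (not from the textbook): a simplified model of how Windows evaluates a DACL against the SIDs carried in an access token, including why the order of deny and allow entries matters. The well-known group SIDs are real; the account SIDs, the rights bits and the ACLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Generic access rights as bit flags. Constructed subset for illustration; the real
# Windows ACCESS_MASK has many more bits, but the evaluation rule is the same.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

# Well-known SIDs (real, fixed values); the two account SIDs are constructed.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
ALICE_SID = "S-1-5-21-1000000000-2000000000-3000000000-1001"  # constructed
BOB_SID = "S-1-5-21-1000000000-2000000000-3000000000-1002"    # constructed


@dataclass(frozen=True)
class Ace:
    """One access control entry: a SID plus the rights it is allowed or denied."""
    allow: bool      # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    """The parts of an access token the slides describe: user SID and group SIDs."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, dacl: Optional[Sequence[Ace]], desired: int) -> bool:
    """Simplified Windows DACL evaluation.

    - A missing (None) DACL grants every right to everyone.
    - An empty DACL grants nothing.
    - ACEs are walked in order. An allow ACE for a SID in the token adds its rights
      to the granted set; a deny ACE for such a SID fails the check if it covers any
      desired right not yet granted. The walk stops as soon as all desired rights
      are granted, which is why ACE order matters.
    """
    if desired == 0:
        raise ValueError("desired access must name at least one right")
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if not token.holds(ace.sid):
            continue
        if ace.allow:
            granted |= ace.mask & desired
            if granted == desired:
                return True
        elif ace.mask & desired & ~granted:
            return False
    return False


# Tokens as built at logon: the user's own SID plus the SIDs of its groups.
ALICE_TOKEN = Token(ALICE_SID, frozenset({EVERYONE, USERS}))
BOB_TOKEN = Token(BOB_SID, frozenset({EVERYONE, ADMINISTRATORS}))

# Canonical order: explicit deny ACEs first, then allow ACEs.
REPORT_DACL = [
    Ace(False, USERS, WRITE | DELETE),      # ordinary users may not modify the file
    Ace(True, EVERYONE, READ | EXECUTE),
    Ace(True, ADMINISTRATORS, FULL),
]

# A deny placed after an allow: the Everyone allow is reached first, so a check
# for WRITE succeeds before the deny is ever examined.
MISORDERED_DACL = [
    Ace(True, EVERYONE, READ | WRITE),
    Ace(False, USERS, WRITE | DELETE),
]
```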

Customizing the Logon Process
- The WinLogon process can be customized to display some or all of the following characteristics:
  - Retain or disable the last logon name entered
  - Add a logon security warning
  - Change the default shell
  - Enable/Disable the WinLogon Shutdown button
  - Enable automated logon

Customizing the Logon Process (cont.)
Figure 6-1: The WinLogon key viewed through Regedit

Disabling the Default Username
- By default, the logon window displays the name of the last user to log on
- It is possible to change the default by altering the value of its associated Registry key or Local Security Policy value
- Disabling the default username option presents a blank username field at the logon prompt

Adding a Security Warning Message
- Depending on your organization's security policy, you might be legally obligated to add a warning message that appears before the logon prompt is displayed
- Two Registry or Local Security Policy values are involved in this effort:
  - LegalNoticeCaption
  - LegalNoticeText

Changing the Shell
- The default shell is Windows Explorer
- You can change the shell to a custom or third-party application depending on the needs or security policy of your organization

Disabling the Shutdown Button
- By default, the Windows XP logon window includes a Shutdown button
- However, in an environment in which users have access to the keyboard and mouse on a Windows XP machine, this option has the potential for unwanted system shutdowns
- Fortunately, this option can be disabled

Automating Logons
- To set up an automated logon, the following Registry value entries must be defined and set within the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key:
  - DefaultDomainName
  - DefaultUserName
  - DefaultPassword
  - AutoAdminLogon
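The Winlogon values these slides walk through, brought together in an added example (not from the textbook) that parses a `reg export` of the key, flags the settings that weaken the logon prompt, and renders a corrected `.reg` fragment. DontDisplayLastUserName and ShutdownWithoutLogon are the real Registry value names behind the two slides that do not name them; the exported sample, the account and the password in it are constructed.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg export` output for the Winlogon key (not from a real
# machine). It shows the weak configuration the slides warn about: automatic
# logon with a stored password, last user name displayed, no legal notice,
# Shutdown button available at the logon prompt.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="LAB"
"DefaultUserName"="kiosk"
"DefaultPassword"="sample-only"
"DontDisplayLastUserName"="0"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="1"
'''

# Values to apply instead; None renders as "Name"=- which deletes the value.
HARDENED_VALUES = {
    "AutoAdminLogon": "0",
    "DefaultPassword": None,
    "DontDisplayLastUserName": "1",
    "LegalNoticeCaption": "Authorized use only",
    "LegalNoticeText": "This system is for authorized users. Activity may be monitored.",
    "ShutdownWithoutLogon": "0",
}

# Matches  "Name"="string"  or  "Name"=dword:00000001
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_key(export_text: str, key_path: str) -> dict:
    """Return {value_name: value} for one key of a .reg export.

    REG_SZ values are kept as strings; REG_DWORD values become decimal strings so
    that "1" and dword:00000001 compare equal. (A real `reg export` file is
    UTF-16; decode it before calling this.)
    """
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            name, sz, dword = m.groups()
            values[name] = sz if dword is None else str(int(dword, 16))
    return values


def audit_winlogon(values: dict) -> list:
    """Return (value_name, finding) pairs for settings that weaken the logon prompt."""
    findings = []
    if values.get("AutoAdminLogon") == "1":
        findings.append(("AutoAdminLogon", "automatic logon enabled: whoever reaches the console is logged on"))
        if "DefaultPassword" in values:
            findings.append(("DefaultPassword", "logon password stored in cleartext in the Registry"))
    if values.get("DontDisplayLastUserName", "0") != "1":
        findings.append(("DontDisplayLastUserName", "logon window pre-fills the last user name"))
    if not values.get("LegalNoticeCaption") or not values.get("LegalNoticeText"):
        findings.append(("LegalNoticeText", "no logon warning banner configured"))
    if values.get("ShutdownWithoutLogon") == "1":
        findings.append(("ShutdownWithoutLogon", "Shutdown button available before logon"))
    shell = values.get("Shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(("Shell", f"non-default shell {shell!r}: confirm it is the one policy requires"))
    return findings


def hardened_reg() -> str:
    """Render a .reg fragment that applies HARDENED_VALUES to the Winlogon key."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{WINLOGON_KEY}]"]
    for name, value in HARDENED_VALUES.items():
        lines.append(f'"{name}"=-' if value is None else f'"{name}"="{value}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, finding in audit_winlogon(parse_reg_key(SAMPLE_EXPORT, WINLOGON_KEY)):
        print(f"{name}: {finding}")
    print(hardened_reg())
```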

Automatic Account Lockout
- Disables a user account if a predetermined number of failed logon attempts occur within a specified time limit
- This feature is intended to prevent intrusion by unauthorized users attempting to gain access by guessing a password or launching a dictionary attack
- The default setting in Windows XP is to allow an unlimited number of failed access attempts to a user account without locking out that account

Domain Security Concepts and Systems
- A domain is a collection of computers with centrally managed security and activities
- Domain security
  - Control of user accounts, group memberships, and resource access for all members of a network
- Domain controller
  - Windows 2000/.NET Server system with the Active Directory support services installed and configured

Kerberos and Authentication Services
- Kerberos version 5
  - An authentication encryption protocol employed by Windows XP to protect logon credentials
- Network authentication
  - Act of connecting to or accessing resources from some other member of the domain network

Kerberos and Authentication Services (cont.)
- The communications that occur during network authentication are protected by one of several methods, including:
  - Kerberos v5
  - Secure Socket Layer/Transport Layer Security (SSL/TLS)
  - NTLM (NT LAN Manager) authentication for compatibility with Windows NT 4.0

Kerberos and Authentication Services (cont.)
- Kerberos version 5 authentication
  - Windows XP uses Kerberos version 5 as the primary protocol for authentication security
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
  - Authentication scheme often used by Web-based applications; supported on Windows XP through IIS
  - SSL functions by issuing an identity certificate to both the client and server

Kerberos and Authentication Services (cont.)
- NTLM (NT LAN Manager) authentication
  - Mechanism used by Windows NT 4.0
  - Windows XP supports this authentication method solely for backward compatibility with Windows NT Servers and Windows NT Workstation clients
  - NTLM is significantly less secure than Kerberos version 5

Local Computer Policy
- Combination of controls that in Windows NT existed only in the Registry, through system policies, or as Control Panel applet controls
- Sometimes the local computer policy is called a software policy, an environmental policy, or even a Windows XP policy
- No matter what name is actually used, the local computer policy is simply the local system's group policy

Local Computer Policy (cont.)
Figure 6-2: MMC with Group Policy snap-in displaying Local Computer Policy with Security Settings selected on a Windows XP Professional system

Computer Configuration
- There are three purposes for using the public key policies:
  - To offer additional controls over the EFS
  - To enable the issuing of certificates
  - To allow you to establish trust in a certificate authority

Computer Configuration (cont.)
- IP Security (IPSec)
  - Security measure added to TCP/IP to protect communications between two systems using that protocol
  - Negotiates a secure encrypted communications link between a client and server through public and private encryption key management
  - Can be used over a RAS or WAN link (through L2TP) or within a LAN

Computer Configuration (cont.)
- The controls available through the Administrative Templates folder include:
  - Controlling security and software updates for Internet Explorer
  - Controlling access and use of the Task Scheduler and Windows Installer
  - Controlling logon security features and operations
  - Controlling disk quotas

Computer Configuration (cont.)
- The controls available through the Administrative Templates folder include (cont.):
  - Managing how group policies are processed
  - Managing system file protection
  - Managing offline access of network resources
  - Controlling printer use and function

User Configuration
- The items contained in the User Configuration's Administrative Templates section include:
  - Internet Explorer configuration, interface, features, and function controls
  - Windows Explorer management (interface, available commands, features)
  - MMC management
  - Task Scheduler and Windows Installer controls

User Configuration (cont.)
- The items contained in the User Configuration's Administrative Templates section include (cont.):
  - Start menu and Taskbar features management
  - Desktop environment management
  - Control Panel applet management
  - Offline network access control

User Configuration (cont.)
- The items contained in the User Configuration's Administrative Templates section include (cont.):
  - Network connection management
  - Logon and logoff script management
  - Group Policy application

User Configuration (cont.)
Figure 6-3: The Explain tab of a Local Computer Policy control dialog box

User Configuration (cont.)
- The Policy tab on the Properties dialog box for each control offers three settings:
  - Not configured
  - Enabled
  - Disabled

Auditing
- Auditing
  - Security process that records the occurrence of specific operating system events in a Security log
- Event Viewer
  - Utility that maintains application, security, and system event logs on your computer

Auditing (cont.)
Figure 6-4: The Security Log viewed through the Event Viewer

Auditing (cont.)
Figure 6-5: The security log event detail
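The lockout counters described under Automatic Account Lockout, replayed over Security log records of the kind Event Viewer displays: an added example, not from the textbook, that ties the two slides together. Event IDs 528 and 529 are the Windows XP logon success and logon failure audit events; the log lines and their column layout are constructed, and the threshold/reset parameters mirror the Account Lockout Policy settings.

```python
from datetime import datetime, timedelta

# Windows XP / 2000 Security log event IDs for logon auditing.
LOGON_SUCCESS = 528
LOGON_FAILURE = 529   # unknown user name or bad password

# Constructed Security log export (comma-separated: date time, type, source,
# event ID, account). Not from a real system.
SAMPLE_LOG = r"""
2003-05-14 09:00:05,Failure Audit,Security,529,LAB\jsmith
2003-05-14 09:00:41,Failure Audit,Security,529,LAB\jsmith
2003-05-14 09:01:12,Failure Audit,Security,529,LAB\jsmith
2003-05-14 09:01:50,Failure Audit,Security,529,LAB\jsmith
2003-05-14 09:02:33,Failure Audit,Security,529,LAB\jsmith
2003-05-14 09:03:10,Success Audit,Security,528,LAB\jsmith
2003-05-14 10:00:00,Failure Audit,Security,529,LAB\mjones
2003-05-14 11:00:00,Failure Audit,Security,529,LAB\mjones
2003-05-14 12:00:00,Failure Audit,Security,529,LAB\mjones
2003-05-14 12:30:00,Failure Audit,Security,529,LAB\svc_backup
2003-05-14 12:30:08,Failure Audit,Security,529,LAB\svc_backup
2003-05-14 12:30:15,Failure Audit,Security,529,LAB\svc_backup
2003-05-14 12:30:21,Failure Audit,Security,529,LAB\svc_backup
2003-05-14 12:30:30,Failure Audit,Security,529,LAB\svc_backup
2003-05-14 12:30:37,Failure Audit,Security,529,LAB\svc_backup
"""


def parse_events(text: str) -> list:
    """Turn the export into (timestamp, event_id, account) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        stamp, _type, _source, event_id, account = line.split(",", 4)
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id), account))
    return sorted(events)


def lockout_candidates(events: list, threshold: int, reset_minutes: int) -> dict:
    """Replay the Account Lockout Policy counters over audited logon events.

    threshold      - 'Account lockout threshold' (number of bad attempts); 0, the
                     Windows XP default, means the account is never locked out.
    reset_minutes  - 'Reset account lockout counter after': the bad-password count
                     returns to zero once this long has passed since the last failure.
    A successful logon also clears the count. Returns {account: time_of_lockout}.
    """
    if threshold <= 0:
        return {}
    reset = timedelta(minutes=reset_minutes)
    counters = {}   # account -> (bad_count, time_of_last_failure)
    locked = {}
    for stamp, event_id, account in events:
        if event_id == LOGON_SUCCESS:
            counters.pop(account, None)
            continue
        if event_id != LOGON_FAILURE:
            continue
        count, last = counters.get(account, (0, None))
        if last is not None and stamp - last >= reset:
            count = 0
        count += 1
        counters[account] = (count, stamp)
        if count >= threshold and account not in locked:
            locked[account] = stamp
    return locked


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("XP default (threshold 0):", lockout_candidates(events, 0, 30))
    for account, when in lockout_candidates(events, 5, 30).items():
        print(f"{account} would have been locked out at {when}")
```

Running it with the XP default threshold of 0 flags nothing, which is the gap the slide points out; with a threshold of 5 and a 30-minute reset window, jsmith's burst and the svc_backup run are caught while mjones's hourly failures reset the counter each time.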

Encrypted File System (EFS)
- Allows you to encrypt data stored on an NTFS drive
- When EFS is enabled on a file, folder, or drive, only the enabling user can gain access to the encrypted object
- EFS uses a public and private key encryption method

Internet Security
- Connecting to the Internet requires that you accept some risk
- Most of the security features used to protect data within a LAN or even on a standalone system can also be leveraged to protect against Internet attacks
- As well, Microsoft has added the Internet Connection Firewall (ICF) to Windows XP

Chapter Summary
- Windows XP has object-level access controls that provide the foundation on which all resource access rests
- The Windows XP logon process strictly controls how users identify themselves and log onto a Windows XP machine
- Likewise, WinLogon's protected memory structures keep this all-important gatekeeper function from being replaced by would-be system crackers

Chapter Summary (cont.)
- WinLogon also supports a number of logon controls
- Key Local Computer Policy settings can be used to block unauthorized break-in attempts
- The local computer policy controls many aspects of the security system as well as enabling or restricting specific functions and features of the operating system