Published by Brianne Joseph. Modified over 8 years ago.
Securing
Secure the hardware
– Lock the server room and close every other route to physical access to the hardware (a machine an attacker can touch, boot from removable media or open up is not protected by any OS setting).
– Password-protect the BIOS setup, so the boot order and other firmware settings cannot be changed.
Secure the NOS (network operating system)
Windows EFS
– Files on NTFS volumes can be encrypted with EFS (Encrypting File System). Each file is encrypted with its own File Encryption Key (FEK); the FEK is stored with the file, encrypted to the user's EFS public key and to the public key of each Data Recovery Agent.
– Data Recovery Agents (selected users) are therefore able to recover the FEK, and so the file, without the owner's key.
– Additional recovery agents are added by editing the EFS recovery policy (Group Policy, Public Key Policies > Encrypting File System).
– Caveat: the user's EFS private key is itself protected by DPAPI, that is, by the logon password, so EFS is only as strong as that password and as the protection of the recovery agents' private keys.
Windows Authentication
Two functions:
– Verify a user's credentials (username and password).
– Grant the authenticated user access to resources.
Mechanisms covered:
– GINA (Graphical Identification and Authentication)
– Basic authentication (LM, NTLM and NTLMv2 challenge/response)
– External authentication: biometrics, smart card, token-based
– Kerberos
GINA (Graphical Identification and Authentication)
Interactive logon flow (the slide's diagram, read from the user to the result):
– The Winlogon process owns the logon desktop. The user presses Ctrl+Alt+Del, the Secure Attention Sequence (SAS), which is delivered only to Winlogon, so a fake logon screen cannot intercept it.
– Winlogon loads the GINA DLL, which collects the username and password.
– The credentials are passed over LPC (Local Procedure Call) to the LSA (Local Security Authority).
– The LSA calls the installed security packages through SSPI (Security Support Provider Interface). The default SSP (Security Support Provider) is Kerberos (Windows 2000/2003 domains); when Kerberos cannot be used, the next SSP, NTLM (NT LAN Manager), is tried.
– Local accounts are checked against the SAM (Security Account Manager) database; the result is returned to Winlogon.
Basic Authentication: LanManager (LM) and NTLM challenge/response
Used by DOS / Windows 3.11 / 95 / 98 and by NT 4 up to SP3.
– Hash (one-way): the LM hash uppercases the password (max 14 characters), pads it to 14 bytes and splits it into two 7-byte DES keys; each half encrypts a fixed constant, giving a 16-byte hash. The NT hash is MD4 over the Unicode (UTF-16LE) password.
– Challenge/response: the server sends an 8-byte random string (the challenge). The client derives three DES keys from its 16-byte hash, encrypts the challenge with each and returns the 24-byte LM response; the NTLM response is computed the same way from the NT hash.
– The server repeats the computation with the hash it has stored and compares: response =? expected. The password never crosses the wire, but the hash alone is enough to produce a valid response.
– Weaknesses: LM is case-insensitive and its two 7-byte halves are independent, so each half is cracked on its own (a password of 7 characters or fewer leaves the second half as the constant aad3b435b51404ee). A captured challenge/response of either type can be cracked offline, and the exchange can be relayed to another server.
Basic Authentication: NTLMv2 challenge/response
Available from NT 4 SP4 onward.
– Key: the 128-bit NT hash (MD4 of the Unicode password) is used as an HMAC-MD5 key over the uppercased username and the domain name to derive the NTLMv2 key.
– Challenge/response: the server sends an 8-byte random string; the client adds its own 8-byte random string (client challenge), a timestamp and the server's target information, and returns HMAC-MD5 over the server challenge and this blob, followed by the blob itself.
– The server repeats the HMAC with the stored NT hash and compares: response =? expected. The client nonce and timestamp are bound into the MAC, which defeats precomputed (rainbow-table) attacks against a server that sends a fixed challenge and lets the server reject stale responses; there is no 7-byte DES key split to attack. Offline cracking of a captured exchange is still possible when the password is weak, and the NT hash remains a password-equivalent.
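The two challenge/response slides above describe the computation in words. The following is an added example, not part of the original presentation, that carries it out for NTLMv2 in Python with the standard library only (the LM/NTLMv1 DES step is left out). The username, domain, both challenges and the target information are constructed values; MD4 is implemented inline because many hashlib builds no longer ship it.

```python
# Added example (not from the slides): the NT hash and an NTLMv2 challenge/response as described on
# the two slides above, standard library only. MD4 is implemented here because hashlib often lacks it
# under OpenSSL 3. Username, domain, challenges and target info are constructed values.
import hashlib, hmac, struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320): 3 rounds of 16 steps over 64-byte blocks, little-endian words."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [(F, list(range(16)), (3, 7, 11, 19), 0),
              (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
              (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1)]
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X, r = struct.unpack("<16I", msg[off:off + 64]), list(state)
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                r[0] = _rol((r[0] + f(r[1], r[2], r[3]) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                r.insert(0, r.pop())                 # registers (a, b, c, d) -> (d, a, b, c)
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password: the stored secret, and a password-equivalent."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt_hash_value: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash_value, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def av_pairs(**names) -> bytes:
    """Minimal target info: MsvAvNbDomainName (2) / MsvAvNbComputerName (1) pairs plus MsvAvEOL."""
    ids = {"domain": 2, "computer": 1}
    body = b"".join(struct.pack("<HH", ids[k], 2 * len(v)) + v.encode("utf-16-le") for k, v in names.items())
    return body + struct.pack("<HH", 0, 0)

def client_blob(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: version bytes, reserved, FILETIME, 8-byte client nonce, reserved,
    the server's AV pairs, reserved. Everything in here is covered by the HMAC."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr (16 bytes) || blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob

def server_verify(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """The server recomputes from the stored NT hash; it never sees the password."""
    nt_proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(ntowf_v2(stored_nt_hash, user, domain), server_challenge, blob)[:16]
    return hmac.compare_digest(nt_proof, expected)

def exchange(client_password: str, client_nonce: bytes = b"\xaa" * 8,
             stored_password: str = "password", user: str = "alice", domain: str = "CORP"):
    """One NTLMv2 round trip with constructed challenges; returns (response, accepted)."""
    server_challenge = bytes.fromhex("0102030405060708")    # random per authentication in reality
    blob = client_blob(client_nonce, 0, av_pairs(domain=domain, computer="FILESRV"))  # real clients use the current FILETIME
    response = ntlmv2_response(ntowf_v2(nt_hash(client_password), user, domain), server_challenge, blob)
    return response, server_verify(nt_hash(stored_password), user, domain, server_challenge, response)
```

exchange("password") returns an accepted response; exchange("Password") is refused, showing that NTLMv2 is case-sensitive where LM was not; and the same password with a different client nonce yields a different NTProofStr, which is what defeats precomputation against a server that always sends the same challenge. Because server_verify works from the stored NT hash alone, anyone who obtains that hash can authenticate without the password (pass-the-hash), so protecting the SAM and LSASS memory matters as much as password strength.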
External Authentication
– Biometrics: fingerprint, eye (iris or retina) scan.
– Smart card: requires a smart-card reader; the card holds the user's private key and certificate, and the PIN unlocks the card rather than being sent anywhere.
– RSA SecurID tokens: time-based one-time codes, used for example for internet payment and remote access.
Kerberos
– Developed at MIT (Massachusetts Institute of Technology) in the 1980s, as part of Project Athena.
– Secure authentication protocol based on symmetric (shared secret) keys: every user and service shares a long-term key with the KDC, and tickets are encrypted with those keys. Public-key cryptography is used only by the PKINIT extension for the initial smart-card logon.
– Ticket granting: only one authentication (the login) is needed; afterwards the client presents tickets instead of credentials.
– Supports proxiable and forwardable tickets (delegation of credentials).
– Requires synchronized clocks, normally via NTP (Network Time Protocol): tickets and authenticators carry timestamps and are rejected outside the allowed skew (5 minutes by default in Windows).
– Used in: Windows 2000 Server and Windows Server 2003, Windows 2000 and Windows XP domain members, Active Directory. Account keys are stored in AD and generated automatically from the password. Compatible with the MIT Kerberos implementation for Unix.
Authorization
The basic picture: (1) network login against the authentication server, then (2) a call to the server, which authorizes the request on the basis of the identity established in step 1.
Kerberos ticket flow (authentication server, ticket server, privilege server PS, client, application server)
1. Network login: the client sends its login request to the authentication server.
2. TGT: the authentication server returns a Ticket Granting Ticket. The TGT is encrypted with the ticket server's secret key, so the client cannot read or alter it; the session key that goes with it is encrypted with the client's own secret key, derived from the password, so only the real user can use the reply.
3. The client presents the TGT to the ticket server and asks for a ticket to the privilege server (PS).
4. The ticket server returns TGT(PS), a ticket for the PS.
5. The client presents TGT(PS) to the PS.
6-7. The PS establishes the user's identity and group memberships (these two arrows are unlabeled in the diagram).
8. The PS returns a Privilege TGT (PTGT) carrying 'user id' + 'group id'; the client keeps it for the entire session. (In Windows the same information travels as the PAC inside the TGT, and the authentication server, ticket server and PS roles are all performed by the domain controller's KDC.)
9. The client presents the PTGT to the ticket server and asks for a ticket to the application server.
10. The ticket server returns the service ticket, encrypted with the application server's key.
11. The client sends the ticket to the server along with its call; the server decrypts it with its own key and reads the user and group identities for authorization, without contacting the KDC.
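The eleven steps above, as an added example that is not part of the original presentation: a toy model of the exchange in Python using only the standard library. It collapses the authentication server, ticket server and privilege server into one KDC object, as Windows does, and the ticket carries the user's group list the way the PTGT (or the PAC) does. The realm, principal names, passwords and group IDs are constructed; seal()/unseal() is a toy cipher standing in for Kerberos' real encryption types and must not be reused for anything else.

```python
# Added example (not from the slides): a toy model of the ticket flow above, standard library only.
# All keys are symmetric: the KDC (authentication server plus ticket server) shares a long-term key
# with each principal; no public-key cryptography is involved. The group list carried inside the
# ticket plays the role of the slides' PTGT (the PAC in Windows). seal()/unseal() is a toy
# authenticated cipher (HMAC-SHA256 keystream XOR plus HMAC tag) standing in for real AES etypes.
import hashlib, hmac, json, os

SKEW = 300              # allowed clock skew in seconds (Windows default: 5 minutes)
NOW = 1_700_000_000     # constructed "current time" so the example is deterministic

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag. Not for real use."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    # Simplified string2key; the real AES string2key is also PBKDF2, salted with realm + principal.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), b"EXAMPLE.LOCAL" + principal.encode(), 4096, 32)

def check_authenticator(auth, cname, now):
    # The authenticator must name the ticket's owner and be fresh: this is why Kerberos needs NTP.
    if auth["cname"] != cname or abs(now - auth["ctime"]) > SKEW:
        raise ValueError("authenticator mismatch or clock skew too large")

class KDC:
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}   # principal -> long-term key
        self.groups = {}                          # principal -> group ids (PTGT / PAC content)

    def _issue(self, sname, cname, groups):
        # A ticket is sealed with the *target's* key; the matching session key goes back to the client.
        session = os.urandom(32).hex()
        return seal(self.keys[sname], {"cname": cname, "key": session, "groups": groups}), session

    def as_exchange(self, cname):                            # steps 1-2: login -> TGT
        # The client cannot read the TGT; the session key is sealed with the client's own key, so only
        # the holder of the password can use the reply (real KDCs also demand pre-authentication).
        tgt, session = self._issue("krbtgt", cname, self.groups[cname])
        return tgt, seal(self.keys[cname], {"key": session})

    def tgs_exchange(self, tgt, authenticator, sname, now):  # steps 9-10: (P)TGT -> service ticket
        t = unseal(self.keys["krbtgt"], tgt)
        tgs_key = bytes.fromhex(t["key"])
        check_authenticator(unseal(tgs_key, authenticator), t["cname"], now)
        ticket, session = self._issue(sname, t["cname"], t["groups"])
        return ticket, seal(tgs_key, {"key": session})

def service_accept(service_key, replay_cache, ticket, authenticator, now):   # step 11: ticket + call
    t = unseal(service_key, ticket)                          # only the service's own key opens it
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    check_authenticator(a, t["cname"], now)
    if (a["cname"], a["ctime"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["cname"], a["ctime"]))
    return {"user": t["cname"], "groups": t["groups"]}      # what the server authorizes on

def client_login(kdc, name, password):
    """Client side of steps 1-2: returns the TGT and the session key for the ticket server."""
    tgt, enc = kdc.as_exchange(name)
    return tgt, bytes.fromhex(unseal(string_to_key(password, name), enc)["key"])

def demo():
    """Constructed realm: one user, one service, one authenticated call. Returns the pieces
    (kdc, replay cache, ticket, service session key, what the server learned)."""
    kdc, cache = KDC(), set()
    kdc.keys["alice"], kdc.groups["alice"] = string_to_key("correct horse battery", "alice"), [513, 1105]
    kdc.keys["fileserver"] = os.urandom(32)                  # service key, also held by the service
    tgt, tgs_key = client_login(kdc, "alice", "correct horse battery")
    auth = seal(tgs_key, {"cname": "alice", "ctime": NOW})
    ticket, enc = kdc.tgs_exchange(tgt, auth, "fileserver", NOW)
    svc_key = bytes.fromhex(unseal(tgs_key, enc)["key"])
    result = service_accept(kdc.keys["fileserver"], cache, ticket,
                            seal(svc_key, {"cname": "alice", "ctime": NOW}), NOW)
    return kdc, cache, ticket, svc_key, result

def rejected(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def failure_modes():
    """Wrong password, a replayed authenticator and excessive clock skew are all refused."""
    kdc, cache, ticket, svc_key, _ = demo()
    fs_key = kdc.keys["fileserver"]
    return {
        "wrong_password": rejected(lambda: client_login(kdc, "alice", "wrong")),
        "replay": rejected(lambda: service_accept(
            fs_key, cache, ticket, seal(svc_key, {"cname": "alice", "ctime": NOW}), NOW)),
        "clock_skew": rejected(lambda: service_accept(
            fs_key, cache, ticket, seal(svc_key, {"cname": "alice", "ctime": NOW - 2 * SKEW}), NOW)),
    }
```

demo()[-1] is what the file server learns from the ticket, {'user': 'alice', 'groups': [513, 1105]}, without the server ever contacting the KDC. failure_modes() shows a wrong password failing at login (the KDC answered, but the reply is unusable without the right key), a replayed authenticator caught by the service's replay cache, and a client whose clock is off by more than SKEW, which is the failure seen in practice when NTP is broken.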