
Lecture 8 Copyright © 2015 Stuart Jacobs.


1 Lecture 8 Copyright © 2015 Stuart Jacobs

2 Unix Login and User Accounts
Users and Superusers
  User names (up to 8 characters long)
  Internally represented by a 16-bit number (user ID, or UID)
  User ID 0 (superuser): the root user
    Unrestricted access to the entire system; all security checks are turned off
    Can create and delete other user accounts; can access any file in the system
    Can become another user; can change the system clock
    Cannot decrypt passwords
Unix Password Encryption (Version 2)
  Moved encrypted password entries out of /etc/passwd
  Placed them in /etc/shadow and made /etc/shadow secure
  Increased the length of passwords to more than 8 characters
  MD-5 hash function now used instead of DES: any length input, 128-bit output
Contents of /etc/shadow (9 fields)
  Username:Password Hash:Date of last password change:Date until change allowed:Days before change required:Days warning for expiration:Days before account inactive:Date when account expires:Reserved Field
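A parser for the nine-field /etc/shadow format listed above, with the checks a reviewer of that file would want (empty password fields, legacy DES hashes, overdue changes, expired accounts). This is an added example, not code from the lecture; the records and hash strings are constructed.

```python
"""Parse /etc/shadow into the nine fields the slide lists and flag entries
worth a reviewer's attention.  Added illustration; the sample records and
hash strings below are constructed, not copied from any real system."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample.  Day fields count days since 1970-01-01, as in /etc/shadow.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedsha512hash:16500:0:99999:7:::
alice:$1$ab$constructedmd5hash:16000:0:90:7:::
bob::16400:0:99999:7:::
carol:!!:15000:0:99999:7::16200:
dave:*:15000:0:99999:7:::
erin:abCDefGHijKLM:16550:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    username: str
    password_hash: str
    last_change: Optional[int]      # date of last password change
    min_days: Optional[int]         # date until change allowed
    max_days: Optional[int]         # days before change required
    warn_days: Optional[int]        # days warning for expiration
    inactive_days: Optional[int]    # days before account inactive
    expire_date: Optional[int]      # date when account expires
    reserved: str

def _day_field(value: str) -> Optional[int]:
    """Numeric day fields may be empty, meaning 'not set'."""
    return int(value) if value else None

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    return ShadowEntry(fields[0], fields[1],
                       *(_day_field(f) for f in fields[2:8]), fields[8])

def password_state(entry: ShadowEntry) -> str:
    """Classify the password field: empty, locked, or which hash scheme."""
    h = entry.password_hash
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"            # '!', '!!' or '*' disable password login
    if h.startswith("$1$"):
        return "md5"               # the MD5 scheme the slide mentions
    if h.startswith("$"):
        return "modular"           # other $id$salt$hash schemes, e.g. $6$ SHA-512
    if len(h) == 13:
        return "des"               # classic 13-character crypt(3), 8-char passwords
    return "unknown"

def audit_shadow(text: str, today: int) -> Dict[str, List[str]]:
    """Per user, the issues found; today is a day count like the file's own."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        state = password_state(e)
        issues: List[str] = []
        if state == "empty":
            issues.append("empty password field: login without a password")
        elif state == "des":
            issues.append("legacy DES crypt hash: passwords truncated to 8 characters")
        if (state not in ("empty", "locked") and e.last_change is not None
                and e.max_days is not None and today - e.last_change > e.max_days):
            issues.append("password change overdue (older than max_days)")
        if e.expire_date is not None and today >= e.expire_date:
            issues.append("account expired")
        findings[e.username] = issues
    return findings
```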

3 Unix Security - Groups
Users belong to one or more groups
  Convenient for access control decisions
  Example: keep all operators in a group operator; keep all users with a mail account in a group mail
Each user belongs to a primary group
  This group ID (gid) is stored in /etc/passwd
The file /etc/group contains a list of all groups in the format:
  Group name:Group password:GID:list of users
In System V Unix, a user can only belong to one group at a time
In Berkeley Unix, a user can reside in more than one group

4 Setting UserID and Set GroupID
For controlled invocation
  Certain OS functions require superuser privilege, but users should not be given superuser status
SUID and SGID programs
  Normally, root is the owner of a SUID program
  A user who is executing this program will get superuser status during execution
  Examples:
    /bin/passwd   change password
    /bin/login    login program
    /bin/at       job submission
    /bin/su       change UID program
Pitfalls
  Could be the source of attacks if they can be interrupted while the user has root access

5 Unix Security - Access Control
Based on attributes of users and resources
  Discretionary access control with a granularity of owner, group, world
  Superusers are not subject to this access control
Unix treats all resources in a uniform manner
  No distinction between files and devices
Unix File Structure
  Files are arranged in a tree-like structure containing files and directories
  Each file entry in a directory is a pointer to a data structure called an inode. Some relevant fields in that data structure are:
    mode (type of file and access rights)
    uid (user who owns the file)
    gid (group which owns the file)
    time (access time)
    mtime (modification time)
    block count (size of file), physical location, etc.

6 Unix Security – Files & File Systems
Deleting Files
  What happens when we delete a file from the filesystem? Does it still exist in some form?
  When links are used, removing the original file will not remove the links
Mounting Filesystems
  The Unix filesystem is built by linking together filesystems resident on different physical devices under a single root (‘/’)
  The mount command is used to mount the filesystems
  If a mounted filesystem has been compromised, an attacker could obtain superuser status by running SUID programs from it
  The mount command has options to mount as read only

7 Typical unix/linux File System Logical Structure

8 Unix File Security
Each directory contains a pointer to itself (the file ‘.’) and a pointer to its parent directory (the file ‘..’)
Every file has an owner and each file belongs to a group
  Depending on the version of Unix, the group is either the creator’s group or its directory’s group
Doing an ls -l shows the details about the contents of the directory
File permissions
  Permission bits are grouped in three triples that define read, write and execute access for owner, group, and other, respectively
  A ‘-’ indicates that the right is not granted
  Examples:
    rw-r--r-- gives read and write access to the owner and read access to group and other
    rwx------ gives read, write, and execute access to the owner and no rights to group and other

9 Example unix Directory Listing
Columns shown in the listing: permissions, uid (owner account name), gid, size, creation date, file or directory name

10 Unix Security – Access Rules and Changing Permissions
Access rules
  If your uid indicates that you are the owner of the file, the permission bits for the owner decide whether you can get access
  If you are not the owner of the file but your gid indicates that your group owns the file, the permission bits for the group decide whether you can get access
  If you are neither the owner of the file nor a member of the group that owns the file, the permission bits for other decide whether you can get access
  So, it is possible to set permission bits so that the owner has less access than other users
Changing Permissions
  The chmod command
    Can be run only by the owner of the file or the superuser
    chmod [-fR] absolute file               absolute specifies all permission bits
    chmod [-fR] [who]+permission file       adds permissions
    chmod [-fR] [who]-permission file       deletes permissions
    chmod [-fR] [who]=permission file       resets permissions as specified

11 Unix Security
In absolute mode, permissions are directly specified by an octal number
In symbolic mode
  the who parameter takes the values u, g, o, a (user, group, other, all)
  the permission parameter takes the values r, w, x, s (read, write, execute, set UID or set GID)
The chown command changes the owner of a file
The chgrp command changes the group of a file
Unix Access Control Mechanisms
  Unix does not use Access Control Lists
  Almost all Unix security is built around file (and device) permissions
  The root user, with UID=0, can do anything; attackers often want to get root
  The Unix kernel enforces file permissions
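The access rule of slide 10 and the chmod modes of slide 11 as a small simulation, so the rules can be exercised without touching a real file. This is an added example, not lecture code; it goes slightly beyond the slides by rendering modes as ls -l does and handling the set-UID/set-GID ‘s’ bits, and its ‘=’ clause resets only the rwx triples (a simplification of the real command).

```python
"""Unix permission decision (slide 10) and chmod modes (slide 11), simulated in
pure Python.  Added illustration; uids, gids and modes used are constructed."""
import re

R, W, X = 4, 2, 1                      # permission bits within one triple
SETUID, SETGID = 0o4000, 0o2000        # the 's' bits
TRIPLE_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_BITS = {"r": R, "w": W, "x": X}


def check_access(mode, owner_uid, owner_gid, uid, gids, wanted):
    """Decide access from the bits exactly as the slide describes.
    gids: every group the caller is in (System V: one; Berkeley: several).
    wanted: bitmask built from R, W, X."""
    if uid == 0:
        return True                    # superuser: the bits are not consulted
    if uid == owner_uid:
        triple = (mode >> 6) & 7       # owner bits decide, even if others have more
    elif owner_gid in gids:
        triple = (mode >> 3) & 7
    else:
        triple = mode & 7
    return triple & wanted == wanted


def chmod_absolute(octal_text):
    """chmod 4755 file: the octal number specifies all permission bits."""
    return int(octal_text, 8)


def chmod_symbolic(mode, spec):
    """Apply comma-separated [who]op[perms] clauses, e.g. 'u+x,go-w' or 'a=r'.
    who: u, g, o, a (default a); op: + - =; perms: r, w, x, s."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxs]*)", clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        targets = "ugo" if (not who or "a" in who) else who
        bits = 0
        for t in targets:
            for p in perms:
                if p == "s":           # set-UID only applies to u, set-GID only to g
                    bits |= SETUID if t == "u" else SETGID if t == "g" else 0
                else:
                    bits |= PERM_BITS[p] << TRIPLE_SHIFT[t]
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                          # '=': reset the targets' rwx triples, then set
            clear = 0
            for t in targets:
                clear |= 7 << TRIPLE_SHIFT[t]
            mode = (mode & ~clear) | bits
    return mode


def format_mode(mode):
    """Render as ls -l does: rwxr-xr-x, with 's' in the x position for SUID/SGID."""
    out = []
    for who in "ugo":
        t = (mode >> TRIPLE_SHIFT[who]) & 7
        out.append("r" if t & R else "-")
        out.append("w" if t & W else "-")
        special = (who == "u" and mode & SETUID) or (who == "g" and mode & SETGID)
        if special:
            out.append("s" if t & X else "S")
        else:
            out.append("x" if t & X else "-")
    return "".join(out)
```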

12 Unix Security
Unprivileged applications (those with UID, GID > 0) cannot access privileged data
Privileged applications can access privileged data
  May be persuaded to display it, transmit it, copy it, etc.
    Buffer overflow exploits
    Application insecurities (e.g., sendmail)
Principle of Least Privilege
  Applications should have only sufficient privilege for their needs at the time
Instances of General Security Principles: Controlled Invocation
  A sensitive resource (e.g., the password file) accessed by many users can be protected by controlled invocation schemes that combine the concepts of ownership, permission bits, and SUID programs
  In such cases:
    Create a new UID that owns the resource and all the programs that need access to that resource
    Give access permissions to the resource only to the owner
    Define all programs that access the resource as SUID programs

13 Unix Security Audit Logs and Intrusion Detection
The purpose of the security mechanisms is to prevent illegal user actions
  However, they may be inadequate or flawed
  Further mechanisms to detect security violations are useful
Auditing
  Record security relevant events in an audit log (audit trail) for later analysis
Intrusion Detection
  Detect suspicious events when they happen and inform the system manager
Automatic Retaliation (Intrusion Response)
  React immediately to security alarms by taking appropriate actions
The audit log should be kept secure
  Only privileged users should have write access to the audit log
  Send the audit log to a dedicated audit machine
  Send the audit log to a secure printer

14 Unix Security – Log files
The following log files automatically record security related events:
  /var/adm/lastlog   records the last time a user has logged in (the finger command can be used to display this)
  /var/adm/utmp      records accounting information used by the who command
  /var/adm/wtmp      records every time a user logs in or out (the last command can be used to display this)
  /var/adm/acct      records all executed commands
What should happen when the audit log exceeds its allocated space?
  If the /var directory is in the same disk partition as /, then the system freezes
  Always create a separate disk partition (out of the 4 allowed partitions per disk) for the /var directory

15 Unix Security Checklist - Network Services
The inetd daemon listens for incoming network connections
  When a connection is made, inetd starts the appropriate server program and then returns to listening for further connections
  Also known as the super-server, as it handles work for many server programs
  Has a configuration file (inetd.conf) that maps services (port numbers) to server programs
  The entries in inetd.conf have the following format:
    service type protocol waitflag userid executable command_line
  Example for telnet:
    telnet stream tcp nowait root /usr/bin/in.telnetd in.telnet
/etc/inetd.conf
  ENSURE that the permissions on this file are set to 600
  ENSURE that the owner is root
  Disable any services which you do not require
  Enable access controls and logging for inetd

16 Unix Security – More Network Services
fingerd
  Disable the finger service if it is not considered essential. Fingerd can provide a would-be intruder with a lot of information about your host.
  CONSIDER the finger information you provide and think about reducing the content by disabling finger or by replacing it with a version that only offers restricted information.
  ENSURE that you configure fingerd to deny indirect finger requests (i.e. finger
“r” commands
  If you don't NEED to use the "r" commands (e.g. rlogin, rsh, rcp)...
    Disable all "r" commands unless specifically required, as they may increase your risk of password exposure in network sniffer attacks. "r" commands have been a regular source of insecurities and attacks.
  If you must run the "r" commands...
    Replace the "r" command functionality with more secure utilities, for example ssh and scp.
    DO NOT allow the use of $HOME/.rhosts

17 Unix Security – TCP Wrappers
The inetd daemon listens for incoming network connections
  When a connection is made, inetd starts the appropriate server program and then returns to listening for further connections
  Also known as the super-server, as it handles work for many server programs
  Has a configuration file that maps services (port numbers) to programs
  The entries in the file have the following format:
    service type protocol waitflag userid executable command_line
  Example for telnet:
    telnet stream tcp nowait root /usr/bin/in.telnetd in.telnet
The executable can now be pointed to a wrapper program instead of the original executable:
    telnet stream tcp nowait root /usr/bin/tcpd in.telnet
With the wrapper, access control or logging can be done
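An auditor for inetd.conf in the entry format shown on this slide and on slide 15, applying that checklist: which services are still enabled, which run as root, which are routed through the tcpd wrapper, and whether the file itself is mode 600 and root-owned. This is an added example, not lecture code; the configuration is constructed, and the tcpd program name and the r-command service names (shell, login, exec) are the conventional ones, assumed here.

```python
"""Audit an inetd.conf in the format shown on the slides:
service type protocol waitflag userid executable command_line
Added illustration; the configuration text is constructed sample input."""
import stat
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
telnet  stream  tcp  nowait  root    /usr/bin/in.telnetd   in.telnetd
ftp     stream  tcp  nowait  root    /usr/bin/tcpd         in.ftpd -l
finger  stream  tcp  nowait  nobody  /usr/bin/tcpd         in.fingerd
#shell  stream  tcp  nowait  root    /usr/bin/in.rshd      in.rshd
login   stream  tcp  nowait  root    /usr/bin/in.rlogind   in.rlogind
daytime stream  tcp  nowait  root    internal
"""

WRAPPER_PROGRAMS = {"tcpd"}                      # TCP Wrappers front end (assumed name)
R_COMMAND_SERVICES = {"shell", "login", "exec"}  # rsh, rlogin, rexec
CLEARTEXT_SERVICES = {"telnet", "ftp"}           # send passwords in clear text


@dataclass
class InetdEntry:
    service: str
    sock_type: str
    protocol: str
    wait_flag: str
    user: str
    executable: str
    command_line: str


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return the enabled entries; commented-out lines are disabled services."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 6)   # command_line keeps its own spaces
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf entry: {raw!r}")
        if len(fields) == 6:
            fields.append("")          # 'internal' services carry no command line
        entries.append(InetdEntry(*fields))
    return entries


def is_wrapped(entry: InetdEntry) -> bool:
    """True when the executable field points at the wrapper instead of the server."""
    return entry.executable.rsplit("/", 1)[-1] in WRAPPER_PROGRAMS


def audit_inetd(text: str) -> Dict[str, List[str]]:
    """Per enabled service, the findings a reviewer would raise."""
    report: Dict[str, List[str]] = {}
    for e in parse_inetd_conf(text):
        notes = []
        if e.user == "root":
            notes.append("runs as root")
        if e.executable != "internal" and not is_wrapped(e):
            notes.append("not routed through tcpd: no wrapper access control or logging")
        if e.service in R_COMMAND_SERVICES:
            notes.append("r-command service: disable or replace with ssh")
        if e.service in CLEARTEXT_SERVICES:
            notes.append("sends passwords in clear text")
        report[e.service] = notes
    return report


def inetd_conf_file_ok(st_uid: int, st_mode: int) -> bool:
    """The slide's requirement for /etc/inetd.conf: mode 600, owner root."""
    return st_uid == 0 and stat.S_IMODE(st_mode) == 0o600
```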

18 Unix Security – Best Practices
Account Security Policy
  ENSURE that you have a password policy for your site.
  ENSURE you have a User Registration Form for each user on each system. Make sure that this form includes a section that the intending applicant signs, stating that they have read your account usage policy and what the consequences are if they misuse their account.
  DO use anlpasswd or a similar utility to proactively screen passwords as they are entered. This program runs a series of checks on passwords when they are set, which assists in avoiding poor passwords.
  CONSIDER checking passwords periodically with Crack, "John the Ripper" or another password cracking program.
  CONSIDER implementing a Role Based Access Control mechanism such as RBAC
Administration
  ENSURE that you regularly audit your system for dormant accounts and disable any that have not been used for a specified period of time, in accordance with your site's security policy.

19 Unix Security – Best Practices
  ENSURE that any user area is adequately backed up and archived.
  DO regularly monitor logs for successful and unsuccessful su(1) attempts.
  DO regularly check for repeated login failures.
  DO regularly check for LOGIN REFUSED messages.
  Consider quotas on user accounts if you do not have them.
  Consider requiring that users physically identify themselves before granting any requests regarding accounts
Special Accounts
  ENSURE that there are no shared accounts other than root, in accordance with site security policy (i.e. more than one person should not know the password to an account).
  Disable guest accounts. Better yet, do not create guest accounts! [NOTE: Some systems come preconfigured with guest accounts.]
  DO use special groups (such as the "wheel" group under FreeBSD) to restrict which users can use su to become root.
  DISABLE ALL default vendor accounts shipped with the Operating System. This should be checked after each upgrade or installation.

20 Unix Security – Best Practices
Root account
  DO restrict the number of people who know the root password. These should be the same users registered with groupid 0. Typically this is limited to at most 3 or 4 people.
  DO NOT log in as root over the network, in accordance with site security policy.
  DO su from user accounts rather than logging in as root. This provides greater accountability.
  ENSURE root does not have a ~/.rhosts file.
  ENSURE "." is not in root's search path.
  ENSURE root's login files do not source any other files that are not owned by root or that are group or world writable.
  DO use absolute path names when root (e.g. /bin/su, /bin/find, /bin/passwd). This is to stop the possibility of root accidentally executing a trojan horse. To execute commands in the current directory, root should prefix the command with "./" (e.g. ./command)
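Two of these checks in code: an inventory of SUID/SGID programs (the programs slide 4 introduces, which this slide says to keep to a minimum) and a check of root's search path and login-file ownership as listed above. This is an added example, not lecture material; the path strings and mode values used in the checks are constructed.

```python
"""Checks from the best-practice list: find SUID/SGID programs, and validate
root's search path and the files root's login shell sources.
Added illustration; the PATH strings and modes used for testing are constructed."""
import os
import stat
from typing import List, Tuple


def is_setuid_or_setgid(st_mode: int) -> bool:
    return bool(st_mode & (stat.S_ISUID | stat.S_ISGID))


def scan_suid(root_dir: str) -> List[Tuple[str, int, int]]:
    """(path, owner uid, permission bits) of every regular SUID/SGID file under
    root_dir.  Symlinks are not followed (lstat), so a link cannot make the scan
    report a file that lives outside the tree."""
    found = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue               # vanished or unreadable: skip, do not abort
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found


def suid_not_owned_by_root(findings):
    """Set-UID programs whose owner is not root deserve a closer look."""
    return [f for f in findings if f[1] != 0 and f[2] & stat.S_ISUID]


def path_problems(path_value: str) -> List[str]:
    """Entries that make the shell search the current directory (the '.' rule);
    an empty entry (leading, trailing or '::') means the same thing."""
    problems = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            problems.append(f"{entry!r}: current directory is searched")
        elif not entry.startswith("/"):
            problems.append(f"{entry!r}: relative entry, resolved against the current directory")
    return problems


def login_file_safe_for_root(st_uid: int, st_mode: int) -> bool:
    """A file sourced by root's login shell must be owned by root and must not
    be group- or world-writable."""
    return st_uid == 0 and not st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def self_check() -> bool:
    """Build a throwaway directory holding one SUID file and confirm the scan
    reports exactly what lstat says about that file."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "prog")
        open(path, "w").close()
        try:
            os.chmod(path, 0o4755)     # may be refused on some filesystems
        except OSError:
            pass
        expected = 1 if is_setuid_or_setgid(os.lstat(path).st_mode) else 0
        return len(scan_suid(d)) == expected
```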

21 Unix Security – Best Practices
System Monitoring
Account Security
  DO regularly expire user passwords.
  CONSIDER performing periodic checks of password security by running a cracking tool, for example Crack or "John the Ripper", against your password file.
  CONSIDER enabling auditing capabilities if available for your system; Solaris, for example, has a C2 auditing facility.
  DO actively monitor processes on your machines; tools are available that make it possible to do this remotely, like Big Brother
  DO run process accounting.
  CONSIDER logging all login attempts, both successful and unsuccessful.
  DO examine accounting logfiles for activity, for example for su attempts.
  CONSIDER disabling accounts after a number of failed login attempts.

22 Unix/Linux Security (The Seven Most Deadly Sins)
Bob Toxen, Linux Security: The Seven Most Deadly Sins, June
(1) Weak and Default Passwords
  Use the cracklib capability in the Pluggable Authentication Modules (PAM) enhancements to the passwd program
(2) Open Network Ports
  Disable unnecessary services which get installed by the default installation
  Comment them out in the /etc/inetd.conf file
(3) Old Software Versions
(4) Insecure and Badly Configured Programs
  Example: telnet and ftp send passwords in clear text; use ssh or sftp
  Never run a Web server as a privileged user
  Know the data that is supplied by Web clients
  Analyze CGIs for vulnerabilities
  Avoid creating set-UID and set-GID programs to the maximum extent possible
  Do not keep clients’ confidential data on the web server
(5) Insufficient Resources and Misplaced Priorities
(6) Stale and Unnecessary Accounts
  If for some reason an ex-user’s account is still needed, disable the account by putting a ‘*’ or ‘!!’ in the ex-user’s password field in the /etc/passwd file
(7) Procrastination
  Consider setting aside some time weekly to upgrade security

23 Windows Security – Security Architecture
Kernel mode (protection ring 0)
User mode (protection ring 3)
  Core OS services (the Windows executive) run in kernel mode
  User programs make API calls to invoke OS services
  The context switch and transition from ring 3 to ring 0 are handled by the Local Procedure Call facility
  In contrast to Unix, DAC in Windows may vary between object types
Windows Security Components
  Security Reference Monitor (SRM)
    In charge of access control
    An executive component, running in kernel mode
  Local Security Authority (LSA)
    A user mode component
    At login time checks the user account and creates a System Access Token (SAT), which includes an account-unique Security Identifier (SID)
  Security Account Manager (SAM)
    A user mode component that maintains the user account database used by the LSA
    Provides user authentication for the LSA
  Login Process
    The process which authenticates user login
    Runs in user mode

24 Windows Security - Registry
Central database for Windows configuration data
  A hierarchical database
  Entries in the registry are called keys
  Structured into four sections (hives) at the top level
  Hives contain keys (directories), which in turn contain subkeys (subdirectories) or values (data items)
  The top level keys in the four hives are also called root keys
Registry File Permissions
  Access Control Lists can be set for hives and keys
  Access permissions:
    Read only: the user is only allowed to read the key
    Full control: the user may edit, create, delete, or take away ownership of the key
    Special access: users can be granted permissions according to a specified list (query value, set value, create subkey, enumerate keys, etc.)

25 Windows Security – Root Keys
Default permissions for the root keys:
  HKEY_LOCAL_MACHINE
    Contains information about the local computer, hardware, and operating system
    Administrators: Full control; System: Full control; Everyone: Read
  HKEY_CLASSES_ROOT
    Contains file associations, OLE (object linking and embedding), and DDE (dynamic data interchange) class definitions
  HKEY_CURRENT_USER
    Contains user profiles for users currently logged on
    User: Full control
  HKEY_USERS
    Contains user profiles for all users installed on the system

26 Windows Security – Local Machine Keys
HKEY_LOCAL_MACHINE holds security relevant subkeys:
  HKEY_LOCAL_MACHINE\SAM   database of user and group accounts
  HKEY_LOCAL_MACHINE\SECURE   information about the local security policy used by the security subsystem
  HKEY_LOCAL_MACHINE\Software\Microsoft\RPC   remote procedure calls
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
By modifying these keys, an attacker can modify the behavior of the OS
Permissions for these keys:
  Administrators: Full Control
  System: Full Control
  Creator/Owner: Full Control
  Everyone: Special Access (query value, enumerate subkeys, notify, and read control)

27 Windows Security - Identity
Identification and Authentication
  Username and password for authentication
  NT 5.0 uses Kerberos for authentication
Windows Password Scheme
  Passwords are stored in encrypted form
  Two encrypted passwords are used: one for Microsoft LAN Manager and one for the Windows OS
  A password filtering DLL can be installed to prevent users from selecting weak passwords
  Encrypted passwords are stored in user accounts, which are held in the SAM database
    Part of the registry (binary file)
    The OS makes a SAM API call to extract an enciphered password; it has to be in privileged state
  The Windows OS password
    Is hashed using a one-way function
    Cannot be retrieved from the hash value stored in the SAM database

28 Windows Security - Login
Username and password are gathered by the login process and passed on to the Local Security Authority (LSA)
The LSA calls an authentication package, which compares the username and password against those stored in the SAM database
When a match is found, the SAM returns the user’s security ID (SID) and the security ID of the group the user belongs to
The authentication package creates a login session and passes this session together with all the SIDs back to the LSA
The LSA creates a System Access Token (SAT) containing the user’s SID and the user rights
The SAT is then attached by the login process to a process created by the Win32 subsystem
This process is the subject for access control purposes

29 Windows Security - Authorization
Access Control Features
  First line of defense: control access to the system
  Second line of defense: access control within the system
Microsoft Domains
  Facilitate single sign-on and coordinated security administration
  Domain: a collection of machines sharing a common user accounts database and security policy (the user only needs an account with the domain)
  Primary Domain Controller (PDC): a server that holds the master copy of the user accounts database for the domain
  Backup Domain Controller (BDC): copies of the above database
  Users can be authenticated by the PDC or by a BDC
  Individual workstations can also maintain their own local accounts database and be members of a domain at the same time
    Users can then log on as local users, taking permissions from the local database, or as global users, taking permissions from the domain database
    Users, in that case, will have two different security identifiers

30 Windows Security – User Accounts & IDs
The user accounts database in the SAM keeps security-related information about users
The following fields can be defined in a user account:
  Security Identifiers: Security Identification Number (SID)
    Every user, group, and account has a unique SID, which is used for Discretionary Access Control
    When an account is created, a SID is created and fixed for the lifetime of the account
    When a domain is created, a unique SID is created for the domain
    When a workstation or a server joins a domain, it receives a SID that includes the domain’s SID
  User name
  Passwords
  Account type (global or local)
  Login hours and workstations
  Full Name
  Home directory
  Expiration date (by default, no expiration date)
  User profile path and login script name

31 Windows Security – Access Controls
Access to Windows Objects
  Access to objects is controlled through permissions given to subjects
  Each object has a security descriptor which has:
    the security ID of the owner of the object
    a group security ID
    an Access Control List (ACL)
    a system access control list, controlling the audit messages to be generated
  The ACL contains access control and auditing permissions; an access control list entry (ACE) for a subject or group can be:
    AccessDenied (listed first)
    AccessAllowed (a list of access permissions)
    SystemAudit
  Standard access masks that apply to all types of objects:
    Write_DAC (change the discretionary ACL)
    Read_Control (grant or deny access to the security descriptor)
    Delete (grant, deny, or delete access permissions to the object)

32 Windows Security - Access Control list Entry
When a subject requests access to an object:
  The Security Reference Monitor takes the subject’s security token (SAT) and the object’s ACL to determine whether the requested access should be granted
  If no ACL exists, no checks are performed and access is granted
  If an ACL exists, then for each ACE the subject’s SID in the SAT is compared with the SIDs in the ACE and action is taken as follows:
    The ACE does not contain a matching SID: the ACE is skipped
    The ACE contains a matching SID specifying ‘AccessDenied’: if the desired access mask contains a Read_Control or Write_DAC request and the subject is the owner of the object, access is granted; otherwise, access is denied
    The ACE contains a matching SID specifying ‘AccessAllowed’: if the access masks allow the permission, access is granted
  Access is denied if the search reaches the end of the ACL without access having been granted
So, access will always be denied if there is an empty ACL, and access will always be granted if there exists no ACL
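A simulation of the walk described above, using the ACE kinds and standard masks of slide 31: no ACL grants, an empty ACL denies, a matching AccessDenied entry denies except for the owner asking for Read_Control or Write_DAC, and AccessAllowed entries grant. This is an added example in simplified Python structures, not the Windows API or lecture code; the SID strings and the mask bit values are constructed. It generalizes the slide in one way: allowed bits accumulate across several matching AccessAllowed entries before the request is compared.

```python
"""Simulation of the slide's access check: the reference monitor walks the
object's ACL with the SIDs carried in the subject's token.  Added illustration;
SID strings and mask bit values are constructed, not the real Windows constants."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4          # constructed mask bits
READ_CONTROL, WRITE_DAC = 0x10, 0x20         # the standard masks named on slide 31


@dataclass
class ACE:
    kind: str        # "AccessDenied", "AccessAllowed" or "SystemAudit"
    sid: str
    mask: int


@dataclass
class Token:         # the SAT: the user's SID plus the SIDs of its groups
    user_sid: str
    group_sids: FrozenSet[str]


@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    acl: Optional[List[ACE]]   # None: no ACL at all; []: an empty ACL


def canonical_order(acl: List[ACE]) -> List[ACE]:
    """AccessDenied entries are listed first, as slide 31 states (stable sort)."""
    return sorted(acl, key=lambda a: 0 if a.kind == "AccessDenied" else 1)


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    if sd.acl is None:
        return True                      # no ACL: no checks, access granted
    subject_sids = {token.user_sid, *token.group_sids}
    granted = 0
    for ace in sd.acl:
        if ace.kind == "SystemAudit" or ace.sid not in subject_sids:
            continue                     # audit entries and non-matching SIDs are skipped
        if ace.kind == "AccessDenied":
            if desired & (READ_CONTROL | WRITE_DAC) and token.user_sid == sd.owner_sid:
                return True              # the owner may still read or change the DACL
            return False
        granted |= ace.mask              # AccessAllowed: collect the permitted bits
        if granted & desired == desired:
            return True
    return False                         # end of ACL without a grant: denied
```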

33 Windows Security - NTFS File System
Access permissions are defined by the file owner for other users and groups: read (R), write (W), execute (X), delete (D), change access permissions (P), take ownership (O)
The following access permissions apply to files:
  NoAccess: prevents any access and overrules any other access a user may have
  Read (RX): read and execute access only
  Change (RWXD): read, write, execute, and delete access
  Full Control (all): permits reading, writing, executing, and deleting the file, changing access permissions, and taking ownership
  Special Access: any combination of the above
The access permissions for a user are derived from permissions set individually for the user and from the permissions of all groups the user is a member of

34 Windows Security – File Creation
When a new file is created, the file inherits access permissions from the parent directory. Permissions for directories are:
  Read (RX)
  Add (WX)
  Add and Read (RWX)
  Change (RWXD)
  Full Control (all)
  Special Directory Access
  Special File Access
When a file is moved between directories, it keeps its NTFS permissions
If a file is copied, it receives the permissions of the destination directory
A user who has delete permission for a directory can delete any file within the directory and does not require delete permission for the file itself

35 Windows Security - Groups
Local and Global Groups (actually roles)
Group: a collection of user accounts
  Members of the group inherit the user rights and permissions given to the group
  Permissions for an object are given to a group
    Can be selectively withdrawn from individual members of this group: the system administrator can set the NoAccess permission for that user on the file
Global Groups
  Defined for the domain
  Contain only user accounts and no other group accounts
Local Groups
  Defined for a workstation
  Contain both user accounts and global groups
These two types of groups provide a means to place two layers of control between subjects and objects
  The global groups collect users who should have the same access rights
  Permissions for objects held on a particular machine are given to local resource groups
    They contain the global groups who should have access to the resource, rather than individual user accounts

36 Windows User Rights & Groups
User Rights (privileges)
  User rights do not control access to individual objects; rather, they specify what a user is allowed to do on the system
  Access to a computer is also controlled through user rights
  User rights do allow the holder to bypass access control (e.g., owner of objects)
    E.g. if user access to a directory is denied, files within the directory are not accessible; if users have the right "bypass traverse checking", ACLs on the directory path are not checked
Built-in Groups
  Built-in accounts and groups have predefined user rights and permissions
  Unlike Unix, Administrators do not automatically have a superuser privilege
  Normal system management activities should be carried out from accounts assigned to built-in local groups (Server Operators, Backup Operators, Account Operators, and Print Operators)
  More built-in groups exist that can be used to define access permissions efficiently:
    Everyone: contains all local and remote users; this group can be used to grant or deny permissions to all users
    Interactive: contains all users logged on locally
    Network: contains all users logged on over the network
    System: the operating system
    Creator Owner: the creator or owner of a file or a resource

37 Questions???

