
Introduction To Windows NT ® Server And Internet Information Server.


2 Agenda
Basic security principles
Basics of Windows NT ® security
Basics of Internet Information Server security
How the two relate
Top tips

3 Basic Security Principles
Security covers:
  Authentication
  Access control
  Privacy
  Data integrity
  Monitoring
  Non-repudiation
(The slide marks each of these as either provided by Windows NT or added by Internet Information Server.)

4 Basics Of Windows NT Security

5 A Simple Fact
To understand Internet Information Server security you must understand Windows NT security!

6 Authentication
Windows NT requires "authenticated" users
  A user must present his/her "credentials" (user name/password)
  There is no notion of an anonymous user; an unauthenticated user would be insecure
Each user has a unique security ID (SID)

7 How Applications Work
Windows NT applications must run in the "context" of a user
  When an application runs, the user's security information is tagged onto the application
  This is called a "token"
  A token identifies the user by their SID and by their group memberships (the group SIDs)

8 How Applications Work
When an application attempts to use a resource, the token is used to determine whether that user has access
  All secure resources have "access control lists" (ACLs)
  An ACL is a list of SIDs and their associated access rights
Windows NT is very pessimistic
  Access denies are performed first (deny entries are evaluated before allow entries)
  Do not set Everyone (No Access)! Every token carries the Everyone SID, so that deny locks out administrators too

9 A Side Bar: What does a SID look like?
S-1-5-21-2127521184-1604012920-1887927527-1001
  S-1-5: Windows NT (the NT authority)
  21-2127521184-1604012920-1887927527: the Windows NT domain
  1001: the user ID (relative ID) on this domain
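The following is an added example and not code from the original slides: a small model of the objects slides 7 to 9 describe. It parses a textual SID into revision, authority, domain and relative ID, builds a token from a user SID plus group SIDs, and walks an ACL the way the Windows NT access check does, so that a deny entry evaluated before an allow wins. Only the S-1-5-21-... SID comes from the slide; the other SIDs, the access-mask bit values and the account names are constructed for illustration (the well-known RIDs 500, 513 and 544 are real, the domain part is the slide's).

```python
import re
from dataclasses import dataclass

# Toy access bits for the resource being checked (illustrative values, not NT's).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE

EVERYONE = "S-1-1-0"                                   # every token carries this
ADMINISTRATORS = "S-1-5-32-544"                        # built-in Administrators group
DOMAIN = "S-1-5-21-2127521184-1604012920-1887927527"   # domain part of the slide's SID
JANE = DOMAIN + "-1001"                                # the SID shown on the slide
DOMAIN_USERS = DOMAIN + "-513"                         # well-known RID 513
ADMIN = DOMAIN + "-500"                                # well-known RID 500 (Administrator)

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid: str) -> dict:
    """Split 'S-<rev>-<authority>-<sub>-...-<rid>' into its fields. The last
    sub-authority is the relative ID naming the principal; everything before
    it identifies the issuing domain (or built-in scope)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    domain = None
    if len(subs) > 1:
        domain = f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs[:-1])
    return {"revision": revision, "authority": authority,   # 5 == Windows NT authority
            "sub_authorities": subs, "domain": domain, "rid": subs[-1]}

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

def build_token(user_sid: str, group_sids) -> frozenset:
    """A token is the user's SID plus the SIDs of every group the user is in."""
    return frozenset([user_sid, *group_sids, EVERYONE])

def canonicalize(acl):
    """NT canonical order: explicit denies before explicit allows. This ordering
    is what makes 'access denies are performed first' true."""
    return sorted(acl, key=lambda a: 0 if a.kind == "deny" else 1)

def access_check(token, acl, requested: int) -> bool:
    """Walk the ACL in stored order. ACEs whose SID is not in the token are
    skipped. A deny covering any still-outstanding requested bit fails the
    check at once; allows accumulate granted bits until the request is met."""
    if requested == 0:
        return False
    granted = 0
    for ace in acl:
        if ace.sid not in token:
            continue
        outstanding = requested & ~granted
        if ace.kind == "deny":
            if ace.mask & outstanding:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested

def demo() -> dict:
    jane = build_token(JANE, [DOMAIN_USERS])
    admin = build_token(ADMIN, [DOMAIN_USERS, ADMINISTRATORS])
    # A sensible ACL: users read, administrators get everything.
    normal = canonicalize([Ace("allow", DOMAIN_USERS, READ),
                           Ace("allow", ADMINISTRATORS, FULL)])
    # Jane explicitly denied WRITE, stored behind a group allow that grants it.
    jane_denied = [Ace("allow", DOMAIN_USERS, READ | WRITE), Ace("deny", JANE, WRITE)]
    # The classic mistake from the slide: Everyone (No Access) locks out admins too.
    no_access = canonicalize([Ace("deny", EVERYONE, FULL),
                              Ace("allow", ADMINISTRATORS, FULL)])
    return {
        "jane_reads": access_check(jane, normal, READ),
        "jane_writes": access_check(jane, normal, WRITE),
        "admin_full": access_check(admin, normal, FULL),
        "jane_write_noncanonical": access_check(jane, jane_denied, WRITE),
        "jane_write_canonical": access_check(jane, canonicalize(jane_denied), WRITE),
        "admin_after_everyone_noaccess": access_check(admin, no_access, READ),
    }

if __name__ == "__main__":
    print(parse_sid(JANE))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that `access_check` deliberately walks the ACL as stored: the non-canonical case in `demo` shows that an allow placed ahead of a deny grants write to Jane, while the same two entries in canonical (deny-first) order refuse it. The last case is the slide's warning in miniature: because the Administrator token contains the Everyone SID, a deny on Everyone is matched before the Administrators allow is ever reached.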

10 Services Are Applications
Windows NT has special applications called "services"
  Start when Windows NT starts
  Run in the background
  No UI
  Similar to UNIX daemons
  Examples: Internet Information Server, SQL Server ™, Event Log

11 Services Are Applications
Because they are applications, they must run in a user context
But they run before anyone logs on!
You can configure a service to run as an account
  Usually LocalSystem
  No password
  Limited access beyond the current server

12 Principle Of Least Privilege
A process always runs in the context of a user account
If the account is privileged then the application has those privileges too
  Always run a process in the lowest-possible user context
  Remember the famous UNIX sendmail bug?

13 Impersonation
Most services run as LocalSystem, hence they access resources as LocalSystem
  Not as the user account
  Impersonation lets the service impersonate the user before accessing the resource
  In fact it swaps out the LocalSystem token for the user's token
  On a thread-by-thread basis

14 Impersonation
All servers must impersonate before accessing a resource on a user's behalf; otherwise the access check is made against the service's own (usually far more privileged) account
Impersonation also reduces the number of times a user needs to enter their credentials

15 Basics Of Internet Information Server Security

16 Internet Information Server Authentication
Internet Information Server is a Windows NT service
  Hence it must run as a user account
  By default LocalSystem
  Don't change!
Every user request must be authenticated and then impersonated

17 WWW Service Security
Authentication
  Anonymous
  Basic
  Password-authenticated Windows NT user access (Windows NT Challenge/Response, NTLM)
  SSL 3.0 client certificates
  Custom

18 Authentication Models
Anonymous
  Maps onto the IUSR_machinename account
  A guest-level account
Basic
  User name and password are sent Base64-encoded; this is encoding, not encryption, so anyone on the wire can read them
NTLM
  Uses Windows NT network authentication (challenge/response)
  The password itself is never sent over the wire
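The following is an added example, not code from the original slides, showing what an eavesdropper on a cleartext connection gets from the Basic and NTLM models described above. Basic authentication carries "user:password" in the Authorization header, Base64-encoded but not encrypted, so it is recovered with one decode; an NTLM exchange carries only challenge/response blobs and no password. The two captured requests below are constructed for illustration (the NTLM blob is truncated and not a real message); the header names and the Basic format are standard HTTP.

```python
import base64

def parse_authorization(header_value: str):
    """Return ('Basic', (user, password)) for Basic credentials, or
    (scheme, None) for any other scheme or an undecodable payload. Only the
    first colon separates user from password, so passwords may contain colons."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return scheme, None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return scheme, None
    user, sep, password = decoded.partition(":")
    if not sep:
        return scheme, None
    return "Basic", (user, password)

def make_basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token

def sniff_credentials(raw_request: str):
    """Given one HTTP request as captured off the wire (no SSL), return the
    Basic credentials it leaks as (user, password), or None if it leaks none."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            _, creds = parse_authorization(value)
            return creds
    return None

# Constructed captures: a Basic request and an NTLM request (blob shortened).
BASIC_REQUEST = ("GET /secure/report.asp HTTP/1.0\r\n"
                 "Host: intranet\r\n"
                 "Authorization: Basic amFuZTpzM2NyZXQ=\r\n"
                 "\r\n")
NTLM_REQUEST = ("GET /secure/report.asp HTTP/1.0\r\n"
                "Host: intranet\r\n"
                "Authorization: NTLM TlRMTVNTUAADAAAA...\r\n"
                "\r\n")

if __name__ == "__main__":
    print("Basic request leaks:", sniff_credentials(BASIC_REQUEST))
    print("NTLM request leaks:", sniff_credentials(NTLM_REQUEST))
    print("Header for svc / pa:ss ->", make_basic_header("svc", "pa:ss"))
```

This is the reason behind tip 9 on the closing slides: Basic authentication is only acceptable inside an SSL channel, because the channel, not the header encoding, is what keeps the password private.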

19 WWW Service Security
Privacy/data integrity
  Channel encryption (SSL)
  Message authentication codes

20 WWW Service Security
Access control can be restricted by:
  Client TCP/IP address (or range)
  Client domain name
  Mapping client authentication certificates to Windows NT accounts
  Publishing point access permissions
  Designated site operators
  NTFS access control
  Custom ISAPI/CGI/ASP/component logic

21 WWW Service Security

22 WWW Service Security
System integrity
  Process isolation
  Bandwidth limiting
  Application mapping
  CGI/script time-outs
  Connection time-out

23 Custom Security
Custom:
  Authentication
  Access control
Implement via:
  ISAPI and CGI
  ASP and Perl scripts
  Server-side components
Requires understanding of:
  HTTP protocol
  Authentication methods

24 Using Certificates On The Web
Authenticated access
  Servers
  Clients
Secure access using SSL/TLS
Examples
  Departmental access control
  Inter-enterprise access via the Internet
  Certificate authority operation, e.g., software publishing

25 What Is A Certificate?
Signed document
  Signed by a "trusted" certifying authority
  Binds a subject to a public key
Fields shown in the slide's sample certificate:
  Subject name: "Internet, Organization, Jane Doe" (the credential ties a name or identity to a public key)
  Expires: 6/18/98 (credential expiration)
  Serial #: 29483756
  Public key (the matching private key stays with the subject)
  Other data: 10236283025273 (usage-specific attributes)
  Signed: CA's signature

26 Using Certificates On The Web
Why do it?
  Better security than passwords
  Better scalability than passwords
  No need to distribute password databases
  Use emerging technologies: smart cards, crypto accelerators

27 Top Tips And Rules Of Thumb

28 Top Tips
10. NTFS is the last bastion
9. If you must use Basic authentication then use SSL!
8. Seriously consider certificates
7. Create a company security policy
6. Use the Windows NT Option Pack Resource Kit (shameless plug!)

29 Top Tips
5. Lock down your server
4. Lock away your server!
3. Restrict components at the server
2. Do not allow Execute permission!
1. Use the Windows NT audit log!

