Slide 1: Windows 2000 Security Architecture
Peter Brundrett, Program Manager, Windows 2000 Security, Microsoft Corporation
Slide 2: Topics
- Single Sign-on
- Kerberos v5 integration
- Active Directory security
- Delegation of authentication
- Public key infrastructure
- Encrypting file system
- Network security
- Security policy
- Secure Windows
Slide 3: Platform Security Requirements
- Single enterprise logon
- Strong authentication
- Authorization
- Secure communications
- Mandatory policy
- Auditing
- Interoperability
- Extensible architecture
Goal: Deliver Windows 2000 as the most secure high volume OS
Slide 4: Windows 2000 Single Sign On
- Single account store in Active Directory
- Integrated Kerberos v5 logon
  - Key Distribution Center (KDC)
- Protected store for public key credentials
- Industry standard network security protocols
  - Kerberos, SSL/TLS, others
Slide 5: Smart Card Logon
[Diagram: Windows 2000 Active Directory with the Key Distribution Center (KDC) on a Windows 2000 Domain Controller]
1. Insert smart card into reader, activate card with PIN
2. Private key and certificate on card authenticate user to KDC
3. KDC returns TGT response protected by user's public key certificate
4. Account control option requiring smart card logon per user
Slide 6: Kerberos V5 Integration
- KDC relies on the Active Directory as the store for security principals and policy
- Kerberos SSPI provider manages credentials and security contexts
- Service ticket authorization data supports NT access control model
[Diagram: Client, Server, and the Windows 2000 Active Directory / KDC on a Windows 2000 Domain Controller]
Slide 7: Kerberos Authentication: Mutual Authentication
[Diagram: Application Server (target), Client holding a TGT, and the Windows 2000 Active Directory / KDC on a Windows 2000 domain controller]
1. Publish Service Connection Point and SPN
2. Lookup service, compose SPN
3. Request service ticket for target
4. Present service ticket at connection setup
5. Mutual auth using unique session key
Slide 8: Secure Distributed Services Model
[Diagram: Secure Distributed Service in front of a Private Data Store. Flow: Client request -> Authenticate client -> Impersonate client -> Get client's access token -> Get object's security descriptor -> Kernel access check -> Return response]
Slide 9: Remote File Access Check
[Diagram: Client side: file application, SSPI, Kerberos SSP, KDC (ticket), redirector (Rdr), SMB protocol to \\infosrv\share. Server side: Server, token, NTFS, file with security descriptor (SD), access check]
Slide 10: Windows 2000 Integration: Kerberos Authentication Use
- LDAP to Active Directory
- CIFS/SMB remote file access
- Secure dynamic DNS update
- System management tools
- Host-host IP security using IKE
- Secure Intranet web services in IIS
- Authenticate certificate request to Enterprise CA
- COM+/RPC security provider
Slide 11: Cross-platform Interoperability
- Based on Kerberos V5 Protocol
  - RFC 1510 and RFC 1964 token format
- Testing with MIT Kerb V5
  - Windows 2000 hosts the KDC
  - UNIX clients to UNIX servers
  - UNIX clients to Windows servers
  - NT clients to UNIX servers
- Cross-realm authentication
  - UNIX realm to Windows domain
Slide 12: Architecture For Multiple Authentication Services
[Diagram: applications call SSPI: Secure RPC / COM+ application; HTTP (Internet Explorer, Internet Information Server); POP3, NNTP (Mail, Chat, News); CIFS/SMB (remote file); LDAP (directory enabled apps using ADSI). Security packages under SSPI: NTLM/NTLMv2 (MSV1_0/SAM), Kerberos (KDC/DS), SChannel (SSL/TLS)]
Slide 13: Windows 2000 Active Directory
- Domain hierarchy: domain tree
- Organizational Unit (OU) hierarchy within a domain
- Users, groups, machines
- Domain configuration
[Diagram: domain containing OUs and users]
Slide 14: Active Directory Authentication and Access Control
- LDAP v3 is core directory access protocol
- Authenticate using SASL and Kerberos protocol
- LDAP with SSL/TLS support
- Every object has a unique ACL
  - Like NTFS folders and files
[Diagram: Bind Request to a domain with OUs and users; each object carries a Security Descriptor]
Slide 15: Active Directory Security Administration
- Delegation of administration
  - Grant permissions at organizational unit (OU) level
  - Who creates OUs, users, groups, etc.
- Fine-grain access control
  - Grant or deny permissions on per-property level, or a group of properties
  - Read property
  - Write property
  - Per-property auditing
Slide 16: Secure Applications
- Connection Authentication
  - Establish credentials
  - Mutual authentication of client and server
- Secure Communication
  - Message privacy and integrity
- Impersonation and Delegation
  - Assuming client's identity
- Authorization and Auditing
  - Using security descriptors
Slide 17: Example: Delegation in Action
[Diagram: browser client, IIS with an ISAPI extension on Server-A, SQL Server on Server-B, KDC]
1. 401 Access Denied, WWW-Authenticate: Negotiate
2. Ticket request to KDC
3. WWW-Authenticate: Negotiate
4. IIS impersonates client, invokes ISAPI extension
5. ASP uses ADO to query SQL; integrated security requests ticket
6. SQL Server impersonates original client, then data access
Slide 18: Interoperability: Cross Platform Secure 3-Tier App
[Diagram: Windows 2000 Professional (IE5, SSPI/Krb, smart card logon) -> HTTP -> Windows 2000 Server web server (IIS, ISAPI extension, SSPI/Krb) -> TCP -> Solaris UNIX server (AppService, GSS/Krb, Oracle DB application)]
Slide 19: Public Key Components
[Diagram: Windows 2000 Active Directory and Certificate Server]
- For clients: user key and certificate management, secure channel, secure storage, CA enrollment
- For servers: key and certificate management, secure channel with client authentication, auto enrollment
- Enterprise certificate services, trust policy
Slide 20: SSL Client Authentication
[Diagram: client certificate presented to the server through the SChannel SSP; server certificate, store of trusted CAs, authentication service; directory (domain, org/OU, users); access token; server resources with ACL]
1. Verify user certificate based on trusted CA, CRL
2. Locate user object in directory by subject name
3. Build NT access token based on group membership
4. Impersonate client, object access verification
Slide 21: Crypto API Architecture
[Diagram: Application on top of Crypto API 1.0 with Cryptographic Service Providers (RSA base CSP, Fortezza CSP, SmartCard CSP); services: certificate management services, secure channel, key database, certificate store]
Slide 22: Encrypting File System
- Privacy of data that goes beyond access control
  - Protect confidential data on laptops
- Configurable approach to data recovery
- Integrated with core operating system components
  - Windows NT File System (NTFS)
  - Crypto API key management
  - LSA security policy
- Transparent and very high performance
Slide 23: EFS Architecture
[Diagram: user mode: Applications, Win32 layer, Crypto API, EFS service; kernel mode: I/O manager, EFS, NTFS, encrypted on-disk data storage; LPC communication for all key management support]
Slide 24: File Encryption
[Diagram: RNG produces a randomly-generated file encryption key. File encryption (DESX) turns "A quick brown fox jumped..." into "*#$fjda^ju539!3t t389E *&". Data decryption field generation (RSA) with the user's public key produces the DDF; data recovery field generation (RSA) with the recovery agent's public key in recovery policy produces the DRF]
Slide 25: File Decryption
[Diagram: DDF extraction (e.g., RSA) with the user's private key yields the file encryption key; file decryption (DESX) turns "*#$fjda^ju539!3t" back into "A quick brown fox jumped..."]
- DDF contains file encryption key encrypted under user's public key
- DDF is decrypted using the private key to get to the file encryption key
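The key hierarchy behind slides 24 and 25, as an added illustration that is not part of the presentation: one random file encryption key is wrapped twice, once under the user's public key (DDF) and once under the recovery agent's (DRF), so either private key opens the file and nobody else's does. Textbook RSA over fixed Mersenne primes stands in for the CryptoAPI RSA keys and a SHA-256 counter keystream for DESX; both substitutions, the key names and the sample plaintext are assumptions for illustration, not the real algorithms.

```python
import hashlib
import secrets

# Toy textbook RSA over fixed Mersenne primes stands in for the CryptoAPI RSA
# keys on the slides (no padding, fixed primes: illustration only, never real use).
E = 65537
USER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
RECOVERY_PRIMES = ((1 << 61) - 1, (1 << 127) - 1)
OUTSIDER_PRIMES = ((1 << 31) - 1, (1 << 521) - 1)   # held by neither party

def toy_keypair(p, q):
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def wrap_fek(fek, pub):
    """Build a DDF or DRF entry: the FEK encrypted under one public key."""
    return pow(int.from_bytes(fek, "big"), pub[1], pub[0])

def unwrap_fek(field, priv):
    """Recover the 128-bit FEK from a field with the matching private key."""
    m = pow(field, priv[1], priv[0])
    if m >= 1 << 128:
        raise ValueError("field was not wrapped under this key")
    return m.to_bytes(16, "big")

def keystream_xor(key, data):
    """Stand-in for DESX: SHA-256 counter-mode keystream XORed over the data."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(b ^ k for b, k in zip(data, ks))

def efs_encrypt(plaintext, user_pub, recovery_pub):
    fek = secrets.token_bytes(16)                 # RNG: random file key
    return {"data": keystream_xor(fek, plaintext),
            "ddf": wrap_fek(fek, user_pub),       # data decryption field
            "drf": wrap_fek(fek, recovery_pub)}   # data recovery field

def efs_decrypt(blob, priv, field):
    return keystream_xor(unwrap_fek(blob[field], priv), blob["data"])

def demo(plaintext=b"A quick brown fox jumped..."):
    user_pub, user_priv = toy_keypair(*USER_PRIMES)
    rec_pub, rec_priv = toy_keypair(*RECOVERY_PRIMES)
    blob = efs_encrypt(plaintext, user_pub, rec_pub)
    try:   # a key in neither field gets garbage or a rejected unwrap
        outsider = efs_decrypt(blob, toy_keypair(*OUTSIDER_PRIMES)[1], "ddf") == plaintext
    except ValueError:
        outsider = False
    return {"user_can_read": efs_decrypt(blob, user_priv, "ddf") == plaintext,
            "agent_can_recover": efs_decrypt(blob, rec_priv, "drf") == plaintext,
            "outsider_can_read": outsider, "fields_differ": blob["ddf"] != blob["drf"]}
```

The recovery path never exposes the user's private key: the agent only unwraps its own DRF copy of the file key, which is what the slide's "configurable approach to data recovery" rests on.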
Slide 26: Secure Networking
- Internet Protocol Security (IPSec)
- Extended Authentication Protocol/PPP
  - Token and SmartCard support
- Remote Authentication Dial In User Service (RADIUS)
- Kerberos security package
- Public key (SSL/TLS) security package
Slide 27: Windows 2000 IPSec Target Scenarios: Remote Access User to Corporate Network
- Dial up from laptop or home
- Using existing network connectivity to Internet
[Diagram: laptop or home PC (Host A) via modems to an Internet Service Provider, across the Internet through an IP tunnel to a router or tunnel server on the corporate network (hosts B, C)]
Slide 28: Windows 2000 IPSec Target Scenarios: LAN Edge Gateway to Edge Gateway of Another LAN
- Across Internet or private network with Windows 2000 routers using IP tunnels
- IPSec tunnel mode
- L2TP/IPSec integrated tunneling
[Diagram: Corporate Net in DC (Host A, Router C) and Corporate Net in LA (Router D, host B) joined by an IP tunnel across the Internet]
Slide 29: IP Security
- Host-to-host authentication and encryption
- Network layer
- IP security policy with domain policy
  - Negotiation policies, IP filters
[Diagram: IP Security Policy example: Source 157.55.00.00, Dest 147.20.00.00, any protocol. A Policy Agent (PA) on each host downloads the IPSEC policy]
Slide 30: IP Security Association using Kerberos Authentication
[Diagram: Windows NT Directory Server with KDC; hosts 157.55.20.100 and 147.20.10.200 each run IKE over TCP/IP and establish a security association (SA) used for SMB data encryption]
Slide 31: Managing Security Policy
- Security settings in local or group policy
- Local computer policy
  - Audit policy, rights, security options
- Group Policy in the directory
  - Common computer policies
  - Domain level policies
  - Account policies
  - Public key trust policies
Slide 32: Hierarchical Policy Settings
- Applied policy for a computer combines multiple policy objects
[Diagram: 1. Domain level policy, 2. OU level policy, 3. OU level policy]
Slide 33: Enterprise Framework
- Integrated with Group Policy management
- Security settings in group policy
- Settings applied as part of policy enforcement on each computer
Slide 34: Secure Windows
- Goals
  - Secure out-of-the-box
  - Definition of secure system settings
  - Backward compatible user experience
- Clean install of Windows 2000
  - Upgrade can apply security configuration
- Who can do what?
  - Administrators, Power Users, Users
  - Group membership defines access
Slide 35: Administrators vs. Users
- Administrators
  - Full control of the operating system
  - Install system components, drivers
  - Upgrade or repair the system
- Users
  - Cannot compromise system integrity
  - Read-only access to system resources
  - Interactive and network logon rights
  - Can shut down desktop system
  - Legacy application issues
Slide 36: Security Features Summary
- Single sign on with standard protocols
  - Kerberos V5 and X.509 V3 certificates
- Public key certificate management
  - Enterprise services for PKI rollout
- Distributed security for applications
  - Authentication, authorization, auditing
- Active Directory integration
  - Scalable, extensible user account directory
Slide 37: For More Information
- White papers: http://www.microsoft.com/windows2000/library
  - Active Directory
  - Security Services
- Windows 2000 Resource Kit
  - Deployment Guide
  - Detailed technical material
- Microsoft Security Advisor: http://www.microsoft.com/security