
3 TNQ200-13

4 Deploying Windows® 2000 Security in Corporate Networks
 Brent Lane, OakRidge Consulting Group

5 Session Prerequisites
 - Familiarity with Windows 2000, beta 3 or later
 - General knowledge of Windows security and administration principles

6 Topics Covered
 - Windows® 2000 default security
 - Single Sign On
 - Network authentication
   - Kerberos v5
   - NTLM v2
 - Security Interoperability
 - Network data protection

7 Windows 2000 Default Security Settings

8 Administrators Versus Users
 - Administrators
   - Full control of the operating system
   - Install system components, drivers
   - Upgrade or repair the system
 - Users
   - Cannot compromise system integrity
   - Read-only access to system resources
   - Interactive and network logon rights
   - Can shut down desktop system
   - Legacy application issues

9 Power Users
 - Have sufficient access to run legacy applications
 - Can add files to system directory
 - Cannot modify existing system files
 - Create, manage non-admin resources:
   - Users and groups, file and print shares

10 Default Group Membership
 Local Group     | Default Workstation Members | Default Server Members
 Administrators  | Administrator               |
 Power Users     | Interactive Users           |
 Users           | Authenticated Users         |

11 Secondary Logon
 - Run commands as another user without logoff/logon
 - RunAs
   - Command line: runas /user:MyDomain\Admin cmd
   - Shell support
   - Optional support for user profile
 - Terminal Server: separate console for admin

12 Windows Single Sign On
 - Single account store in Active Directory
 - Easier to administer user accounts
 - Single user id and password
 - Application integration

13 Kerberos Basic Concepts
 - Authentication
 - Key Distribution
 - Session Tickets
   - Requested for each network connection
   - Contains authorization data
 - Ticket Granting Ticket
   - Protected by user's secret key
   - Contains session key for KDC

14 Kerberos Authentication: Interactive domain logon
 (Diagram: workstation and the Active Directory Key Distribution Center (KDC) on the Windows domain controller; tickets shown: TGT, Ticket - NTW)
 1. Locate KDC for domain by DNS lookup for Active Directory service
 2. Use hash(pwd) to sign pre-auth data in AS request
 3. Group membership expanded by KDC, added to TGT auth data
 4. Send TGS request for service ticket to workstation

15 Kerberos Authentication: Network server connection
 (Diagram: client, Application Server (target), Active Directory KDC on the Windows domain controller)
 1. Send TGT and request session ticket from KDC for target server
 2. Present session ticket at connection setup
 3. Server verifies session ticket issued by KDC
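The two Kerberos slides above (interactive domain logon, then the network server connection) as one runnable walk-through. This is an added illustration, not code from the presentation or from Windows 2000: it models the AS exchange (pre-auth data signed with hash(pwd); the TGT sealed under a key only the KDC holds, with the client's copy of the KDC session key protected by the user's secret key), the TGS exchange that copies the group authorization data from the TGT into the session ticket, and the target server verifying that ticket with its own key and no round trip to the KDC. The cipher is a toy SHA-256/HMAC construction standing in for the real etype, and the principal names (alice, cifs/fs1.corp.example), password and groups are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, length):
    """Toy keystream (assumption: stands in for the real Kerberos etype, e.g. RC4-HMAC)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, fields):
    """Encrypt-then-MAC a ticket or enc-part so it is opaque to anyone without `key`."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(key, principal, now):
    """Pre-auth data or authenticator: proves possession of `key` at time `now`."""
    mac = hmac.new(key, f"{principal}|{now}".encode(), hashlib.sha256).hexdigest()
    return {"principal": principal, "ts": now, "mac": mac}

def check_authenticator(key, auth, principal, now, skew=300):
    mac = hmac.new(key, f"{auth['principal']}|{auth['ts']}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, auth["mac"]) and auth["principal"] == principal
            and abs(now - auth["ts"]) <= skew)

class KDC:
    """Active Directory KDC on the domain controller: holds each principal's long-term
    key (for users, hash(pwd)) and expands group membership into ticket auth data."""
    def __init__(self, users, services, groups):
        self.user_keys = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.service_keys = services
        self.groups = groups
        self.krbtgt_key = os.urandom(32)   # protects TGTs; never leaves the KDC

    def as_exchange(self, user, preauth, now):
        """AS request: pre-auth signed with hash(pwd) -> TGT plus the KDC session key."""
        key = self.user_keys.get(user)
        if key is None or not check_authenticator(key, preauth, user, now):
            raise PermissionError("pre-authentication failed")
        kdc_session = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"user": user, "groups": self.groups.get(user, []),
                                     "session": kdc_session.hex(), "expires": now + 36000})
        # The client's copy of the session key is protected by the user's secret key.
        return tgt, seal(key, {"session": kdc_session.hex()})

    def tgs_exchange(self, tgt, auth, target, now):
        """TGS request: TGT + authenticator -> session ticket for `target`, carrying
        the authorization data (groups) copied from the TGT."""
        t = unseal(self.krbtgt_key, tgt)
        kdc_session = bytes.fromhex(t["session"])
        if now > t["expires"] or not check_authenticator(kdc_session, auth, t["user"], now):
            raise PermissionError("TGS request rejected")
        svc_session = os.urandom(32)
        ticket = seal(self.service_keys[target], {"user": t["user"], "groups": t["groups"],
                                                  "session": svc_session.hex(), "expires": now + 36000})
        return ticket, seal(kdc_session, {"session": svc_session.hex()})

class AppServer:
    """Target server: verifies the session ticket with its own key, no KDC round trip."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, auth, now):
        t = unseal(self.key, ticket)
        session = bytes.fromhex(t["session"])
        if now > t["expires"] or not check_authenticator(session, auth, t["user"], now):
            raise PermissionError("session ticket rejected")
        return t["user"], t["groups"]   # identity and groups the server impersonates

def logon_and_connect(kdc, server, user, password, now=None):
    """Client side: AS (interactive logon), TGS (service ticket), AP (connection setup)."""
    now = int(time.time() if now is None else now)
    user_key = hashlib.sha256(password.encode()).digest()           # hash(pwd)
    tgt, enc = kdc.as_exchange(user, authenticator(user_key, user, now), now)
    kdc_session = bytes.fromhex(unseal(user_key, enc)["session"])   # needs the real password
    ticket, enc = kdc.tgs_exchange(tgt, authenticator(kdc_session, user, now), server.name, now)
    svc_session = bytes.fromhex(unseal(kdc_session, enc)["session"])
    return server.accept(ticket, authenticator(svc_session, user, now), now)

def build_demo_domain():
    """Constructed sample domain with hypothetical names: one user, one file server."""
    fs_key = os.urandom(32)
    kdc = KDC(users={"alice": "correct horse battery"},
              services={"cifs/fs1.corp.example": fs_key},
              groups={"alice": ["Domain Users", "Finance"]})
    return kdc, AppServer("cifs/fs1.corp.example", fs_key)

def logon_succeeds(kdc, server, user, password):
    try:
        return logon_and_connect(kdc, server, user, password) is not None
    except (PermissionError, ValueError, KeyError):
        return False
```

Run `logon_and_connect(*build_demo_domain(), "alice", "correct horse battery")` to see the identity and group list the file server receives; a wrong password fails at the AS step because the pre-auth MAC and the enc-part both depend on hash(pwd), and a ticket altered in transit fails the integrity check at whichever party opens it.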

16 Cross-realm Authorization Referral

17 Kerberos Authentication Use
 - LDAP to Active Directory
 - CIFS/SMB remote file access
 - Secure dynamic DNS update
 - Distributed file system management
 - Host-host authentication for IP security
 - Secure Intranet web services in IIS
 - Authenticate certificate request to Enterprise CA
 - DCOM/RPC security provider

18 Secure Dynamic DNS Update
 (Diagram: Active Directory KDC, Microsoft DNS Server and DHCP; host.domain.company.com registered in DNS with address 157.55.20.10)

19 Cross-platform Interoperability
 - Based on Kerberos V5 Protocol
 - Windows 2000 hosts the KDC
   - UNIX clients to UNIX Servers
   - UNIX clients to Windows Servers
   - Windows NT clients to UNIX Servers
 - Simple cross-realm authentication
   - UNIX realm to Windows domain

20 Cross-platform Strategy: Common Kerberos Domain
 (Diagram: Windows Desktop [SSPI, Kerberos SSP] obtains a TICKET from the Windows KDC and runs the application protocol against a Unix Server [GSS-API, GSS Kerberos mechanism])

21 Interoperability: Cross platform secure 3-tier app
 (Diagram: Windows 2000 Professional with Smart Card Logon [IE5, SSPI/Krb] --HTTP--> Windows 2000 Server Web Server [IIS, ISAPI Extension, SSPI/Krb] --TCP--> Solaris UNIX Server [Oracle Application, AppService, GSS/Krb])

22 NTLM Authentication Version 2
 (Diagram: client, application server [MSV1_0, Netlogon], Windows NT domain controller [Windows NT Directory Service])
 1. NTLM challenge/response
 2. Uses LSA to log on to domain
 3. Netlogon service returns user and group SIDs from domain controller
 4. SP4 Netlogon secure channel is protected
 5. Server impersonates client

23 NTLMv2
 - Unique session key per connection
 - Key exchange key protects session key
 - Generate unique keys for integrity and encryption of session data
   - Client -> Server, Server -> Client
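The key hierarchy on the NTLMv2 slide, as an added example that is not the presentation's or Microsoft's code: a per-connection key exchange key is derived from the NTLMv2 response, the client's freshly chosen session key travels wrapped under that key, and four direction-specific signing and sealing keys are derived from the session key. The structure and the label strings follow MS-NLMP as recalled for this example (check the specification before depending on the exact bytes); the NTLMv2 hash, the client blob and the signature format are simplified, constructed stand-ins.

```python
import hashlib
import hmac
import os

def rc4(key, data):
    """Minimal RC4, the cipher NTLM uses for key exchange and sealing (illustration only)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Direction-specific labels. Assumption: these are the MS-NLMP SIGNKEY/SEALKEY
# constants as recalled for this example; verify against the spec before relying on them.
MAGIC = {
    ("client->server", "sign"): b"session key to client-to-server signing key magic constant\x00",
    ("server->client", "sign"): b"session key to server-to-client signing key magic constant\x00",
    ("client->server", "seal"): b"session key to client-to-server sealing key magic constant\x00",
    ("server->client", "seal"): b"session key to server-to-client sealing key magic constant\x00",
}

def directional_keys(exported_session_key):
    """Four distinct keys from one session key: integrity and encryption, per direction."""
    return {k: hashlib.md5(exported_session_key + label).digest() for k, label in MAGIC.items()}

def key_exchange_key(response_key, server_challenge, client_challenge):
    """NTLMv2: NTProofStr binds both challenges, SessionBaseKey = HMAC_MD5(key, NTProofStr),
    and the key exchange key is that SessionBaseKey. `response_key` stands in for the
    NTLMv2 hash; the client blob is reduced to the client challenge (simplification)."""
    nt_proof = hmac.new(response_key, server_challenge + client_challenge, hashlib.md5).digest()
    return hmac.new(response_key, nt_proof, hashlib.md5).digest()

def sign(sign_key, seq, message):
    """Simplified NTLM signature: HMAC_MD5 over sequence number and message, first 8 bytes."""
    return hmac.new(sign_key, seq.to_bytes(4, "little") + message, hashlib.md5).digest()[:8]

# Constructed stand-in for the user's NTLMv2 hash (not derived from a real password).
CONSTRUCTED_RESPONSE_KEY = hashlib.sha256(b"example NTLMv2 response key").digest()[:16]

class NtlmV2Connection:
    """One authenticated connection; both sides end with identical per-connection keys."""
    def __init__(self, response_key):
        server_challenge, client_challenge = os.urandom(8), os.urandom(8)
        # Client: derive the KEK, pick a fresh session key, send it wrapped under the KEK.
        kek = key_exchange_key(response_key, server_challenge, client_challenge)
        exported = os.urandom(16)
        wrapped = rc4(kek, exported)
        self.client_keys = directional_keys(exported)
        # Server: recompute the KEK from the same challenges and unwrap the session key.
        server_kek = key_exchange_key(response_key, server_challenge, client_challenge)
        self.server_keys = directional_keys(rc4(server_kek, wrapped))

    def client_to_server(self, seq, message):
        return sign(self.client_keys[("client->server", "sign")], seq, message)

    def server_verifies(self, seq, message, signature):
        expected = sign(self.server_keys[("client->server", "sign")], seq, message)
        return hmac.compare_digest(expected, signature)
```

Two connections opened with the same response key end up with unrelated session keys, so a signature computed on one connection does not verify on the other, and the sequence number in the signature ties each signed message to its position in the stream.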

24 NTLMv2 Deployment
 - LMCompatibilityLevel = {0..5}
 - Upgrade DCs for user account domains
 - Upgrade clients and servers
 - Use Level 1 to negotiate NTLMv2
 - Use Level 3 to eliminate LM support
   - If users never need to connect to pre-SP4 servers
 - Use Level 4 at the DC to refuse LM clients
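A deployment checker for the LMCompatibilityLevel plan on this slide, added here as an example and not part of the presentation. It models which responses a client at each level sends and which a domain controller at each level accepts (the 0..5 meanings are the documented Windows ones), then reports every client/server pair that would stop authenticating before the DC level is raised. The `None` legacy-client level, the pre-SP4 server flag and the host inventory are this example's constructed assumptions.

```python
# Strength order used to pick the best mutually acceptable response.
STRENGTH = {"LM": 0, "NTLM": 1, "NTLMv2": 2}

def client_sends(level):
    """Responses a client at this LMCompatibilityLevel puts on the wire.
    `None` is this example's label for a legacy client that can only send LM."""
    if level is None:
        return {"LM"}
    if level in (0, 1):          # level 1 additionally negotiates NTLMv2 session security
        return {"LM", "NTLM"}
    if level == 2:
        return {"NTLM"}
    return {"NTLMv2"}            # levels 3, 4 and 5 send NTLMv2 only

def dc_accepts(level):
    """Responses a domain controller at this level will validate."""
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    if level == 4:
        return {"NTLM", "NTLMv2"}   # refuses LM clients
    return {"NTLMv2"}               # level 5 refuses LM and NTLM

def negotiate(client_level, dc_level, server_pre_sp4=False):
    """Strongest response accepted end to end, or None if the logon fails.
    `server_pre_sp4` models the slide's caveat: a pre-SP4 server cannot handle NTLMv2."""
    understood = {"LM", "NTLM"} if server_pre_sp4 else {"LM", "NTLM", "NTLMv2"}
    usable = client_sends(client_level) & dc_accepts(dc_level) & understood
    return max(usable, key=STRENGTH.get) if usable else None

# Constructed inventory: client -> LMCompatibilityLevel, server -> pre-SP4 flag.
CLIENTS = {"ws-finance-01": 3, "ws-default": 0, "ws-legacy-9x": None}
SERVERS = {"fs1 (NT4 SP6a)": False, "print-old (NT4 SP3)": True}

def deployment_report(clients, servers, dc_level):
    """Client/server pairs that would stop authenticating once the DC runs at `dc_level`."""
    return [(c, s) for c, cl in clients.items() for s, pre in servers.items()
            if negotiate(cl, dc_level, pre) is None]
```

Running `deployment_report(CLIENTS, SERVERS, 4)` shows the slide's ordering in practice: the level-3 workstation already fails against the pre-SP4 print server whatever the DC level, while raising the DC to level 4 additionally cuts off the LM-only legacy client.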

25 Network Data Protection
 - Options to enable data integrity and privacy
 - File Protection
 - Protect systems and applications from network attacks
 - Strong network encryption available
   - 56-bit encryption world-wide
 - IPSec

26 File Server Encryption
 - Changed through Browser
 - Can easily let Administrator lock files or folders with encryption

27 IP Security
 - Host-to-host authentication and encryption
 - Network layer
 - IP security policy with domain policy
 - Negotiation policies, IP filters

28 Summary
 - Windows® 2000 default security
 - Single Sign On
 - Network authentication
 - Security Interoperability
 - Network data protection

29 For More Information
 - Refer to the TechNet website at www.microsoft.com/technet
 - Web Pages
   - http://www.microsoft.com/ntserver/security/default.asp
   - http://www.microsoft.com/security

30 For More Information
 - http://www.microsoft.com/ntserver/security/default.asp
 - http://www.microsoft.com/security
 - http://www.microsoft.com/technet
 - http://msdn.microsoft.com/winlogo/win2000.asp

31 Session Credits
 - Author: Brent Lane
 - Producer/Editor: Alan Maier
