Published by Shanon Phebe Whitehead. Modified over 9 years ago.
1
70-270: MCSE Guide to Microsoft Windows XP Professional, Second Edition, Enhanced
Chapter 6: Windows XP Security and Access Controls
2
Guide to MCSE 70-270, Second Edition, Enhanced
Objectives
- Describe the Windows XP security model, and the key role of logon authentication
- Work with access control and customize the logon process
- Disable the default username
- Discuss domain security concepts
- Understand the local computer policy
3
Objectives (continued)
- Enable and use auditing
- Encrypt NTFS files, folders, or drives using the Encrypting File System (EFS)
- Understand and implement Internet security
4
The Windows XP Security Model
- User must log on with:
  - Valid user ID
  - Password
- User receives access token
- Access token
  - String of bits representing user
  - Attached to processes
5
The Windows XP Security Model (continued)
- Access token
  - Compared with ACL (Access Control List)
- Domain security
  - Centered on Active Directory
6
Active Directory
- Centralized database containing:
  - Security
  - Configuration
  - Communication information
- Manages:
  - Information about domain
  - Resources shared by network
7
Logon Authentication
- Logon is mandatory
- Logon process components:
  - Identification
  - Authentication
- Password authentication typically used
- Access token attached to shell process
8
Shell
- Defines environment inside which user executes programs or spawns other processes
- Default: Windows Explorer
  - Defines desktop, Start menu, etc.
9
Resources as Objects
- Access to individual resources controlled at object level
- Everything in environment is an object
- Identified by type
- Type determines:
  - Permitted range of contents
  - Kinds of operations
10
Resources as Objects (continued)
- Service
  - How object can be manipulated
- Attributes
  - Named characteristics
11
Access Control
- Logon process
  - Initiated with Ctrl+Alt+Delete
  - Hardware interrupt cannot be imitated
- Mandatory logon
- Restricted user mode
- Physical logon
- User profiles
12
Customizing the Logon Process
- Administrator can alter default process
- Winlogon process:
  - Produces logon dialog box
  - Controls automated logon
  - Warning text
  - Display of Shutdown button
  - Display of last user to log on to system
13
Disabling the Default Username
- Logon window
  - Displays name of the last user to log on
  - Can be insecure
- DontDisplayLastUserName Registry setting
- Edit with:
  - Local Computer Policy utility
14
Adding a Security Warning Message
- Might be legally obligated to add a warning message
- Settings in Registry:
  - LegalNoticeCaption
  - LegalNoticeText
15
Changing the Shell
- Default shell
  - Windows Explorer
- Change Registry setting
16
Disabling the Shutdown Button
- Windows XP logon window includes Shutdown button
- Potential for unwanted system shutdowns
- ShutdownWithoutLogon Registry setting
- Users can still physically power off machine
- Winlogon settings for:
  - Laptop
  - Sleep mode
  - Other advanced shutdown settings
17
Automating Logons
- Values for username and password can be coded into Registry to automate logons
- Registry settings:
  - DefaultDomainName
  - DefaultUserName
  - DefaultPassword
  - AutoAdminLogon
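An added example, not part of the original slides: a Python audit of the logon Registry settings named on the preceding slides (default username, warning message, shell, Shutdown button, automated logon), run over a regedit text export. The export text, its key path and the `Shell` value name are assumptions made for illustration; the other value names are the ones on the slides.

```python
import re

# Constructed sample: regedit text export; key path and all values are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="kiosk"
"DefaultPassword"="Example-Passw0rd"
"AutoAdminLogon"="1"
"Shell"="Explorer.exe"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"ShutdownWithoutLogon"=dword:00000001
"DontDisplayLastUserName"="0"
'''

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Return {lower-cased value name: data as string} for a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue  # file header, [key] line or blank line
        data = m.group("data")
        if data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        else:
            data = data.strip('"').replace("\\\\", "\\")
        values[m.group("name").lower()] = data
    return values

def audit_logon(values):
    """Return (setting, finding) pairs; a missing value counts as not hardened."""
    get = lambda name: values.get(name.lower(), "")
    checks = [
        ("AutoAdminLogon", get("AutoAdminLogon") == "1", "automatic logon is enabled"),
        ("DefaultPassword", get("DefaultPassword") != "", "password stored in clear text in the Registry"),
        ("DontDisplayLastUserName", get("DontDisplayLastUserName") != "1", "last user name shown in logon window"),
        ("ShutdownWithoutLogon", get("ShutdownWithoutLogon") != "0", "Shutdown button usable before logon"),
        ("LegalNotice", not (get("LegalNoticeCaption") and get("LegalNoticeText")), "no warning message configured"),
        ("Shell", get("Shell").lower() not in ("", "explorer.exe"), "shell is not Windows Explorer"),
    ]
    return [(name, text) for name, hit, text in checks if hit]

if __name__ == "__main__":
    for setting, finding in audit_logon(parse_reg(SAMPLE_EXPORT)):
        print(f"{setting}: {finding}")
```

The checks match values by name wherever they appear in the export, so the same audit works if a setting is exported from a different key.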
18
Automatic Account Lockout
- Disables account
  - Predetermined number of failed logins
  - Predetermined amount of time
- Default: Unlimited number of attempts
19
Domain Security Concepts and Systems
- Domain
  - Collection of computers with centrally managed security and activities
- Offers:
  - Increased security
  - Centralized control
  - Broader access to resources
20
Domain Security Overview
- Control of:
  - User accounts
  - Group memberships
  - Resource access
- For all members of a network instead of only a single computer
21
Domain Controller
- Windows 2000 Server
- Windows Server 2003 system
- Active Directory support services installed and configured
22
Kerberos and Authentication Services
- Authentication conditions:
  - Interactive logon
    - Press attention sequence
    - Enter username and password
  - Network authentication
    - Attempt to connect to or access resources from some other member of the domain network
23
Kerberos and Authentication Services (continued)
- Kerberos version 5:
  - Used for communication between local system and domain controller
  - May be used in network authentication
  - Primary protocol for authentication security
  - Verifies identity of client and server
  - Designed to allow two parties to exchange private information across an open network
  - Assigns unique key to each user that logs on to network
24
Kerberos and Authentication Services (continued)
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
  - Authentication scheme often used by Web-based applications
  - Supported on Windows XP through IIS (Internet Information Server)
  - Uses third-party Certificate Authority
  - Client sends its certificate to the server
  - Uses encrypted communication link
25
Kerberos and Authentication Services (continued)
- NTLM (NT LAN Manager) authentication
  - Used by Windows NT 4.0
  - Supported by XP for backwards compatibility
  - Uses static encryption level (40-bit or 128-bit) to encrypt traffic between a client and server
  - Less secure than Kerberos
26
Local Computer Policy
- Combination of controls
  - System policies
  - Control Panel applets
  - Registry settings
- Other names:
  - Software policy
  - Environmental policy
  - Windows XP policy
27
Local Computer Policy (continued)
- Local system's group policy
- Effective policy:
  - Result of combination of all group policies applicable to system
- Controlled on a domain basis on a Windows domain controller
- Add Global Policy snap-in to MMC
28
Local Computer Policy (continued)
- Local Group Policy tool
  - Also called Local Security Policy tool
  - Accessed from Administrative Tools
- Local computer policy contents:
  - Determined during installation
  - Based on:
    - System configuration
    - Existing devices
    - Selected options and components
29
Local Computer Policy (continued)
- Custom policies:
  - Created through the use of .adm files
- Local group policy:
  - System.adm file
- Local Computer Policy snap-in
  - Divided into two sections:
    - User Configuration
    - Computer Configuration
  - Contains over 300 individual controls
30
Computer Configuration
- Subnodes:
  - Software Settings
  - The Windows Settings folder:
    - Scripts
    - Security Settings
  - Administrative Templates folder
31
Public Key Policies
- Three purposes
  - Offers additional controls over the Encrypting File System (EFS)
  - Enables the issuing of certificates
  - Allows you to establish trust in a certificate authority
32
IP Security Policies
- Security measure added to TCP/IP
- Protects communications between two systems using that protocol
- Can be used over a RAS or WAN link
- Creates a secured point-to-point link between two systems
- Configured and enabled with Advanced TCP/IP Settings dialog box
33
IP Security Policies (continued)
- Modes:
  - Transport
  - Tunneling
- Predefined IPSec policies:
  - Client (Respond Only)
  - Server (Request Security)
  - Secure Server (Require Security)
34
IP Security Policies (continued)
- Authentication methods:
  - Kerberos version 5
    - Default and preferred
  - Public key certificate authentication
  - Preshared key
    - Less secure
35
Administrative Templates
- Offer controls on a wide range of environmental functions and features
- Registry-based group policy information
- Used to overwrite Registry to force compliance with group policy
36
User Configuration
- Subfolders:
  - Software Settings
  - Windows Settings folder
  - Administrative Templates folder
37
Security Configuration and Analysis Tool
- MMC snap-in
- Used to analyze, configure, export, and validate system security based on a security template
- Seven predefined security templates
38
Security Configuration and Analysis Tool (continued)
- Checks system's current configuration against selected security template
- Produces a report of discrepancies
- Apply security templates to system
39
Secedit
- Command-line version of Security Configuration and Analysis tool
- Favored by administrators
  - Can be scripted
- Four functions:
  - Analyze
  - Configure
  - Export
  - Validate
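An added example, not part of the original slides: a Python sketch of the comparison the Security Configuration and Analysis tool and secedit perform, checking an exported configuration against a security template and listing the discrepancies. Both templates are constructed for illustration and the function names are hypothetical; `LockoutBadCount = 0` in the exported sample corresponds to the account lockout default of unlimited attempts noted on the earlier slide.

```python
import configparser

# Constructed samples in the INF layout of a security template. Section and
# setting names are those written by a secedit export; the values are made up.
BASELINE = """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""
CURRENT = """
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
"""

def decode_export(raw):
    """Decode template bytes: UTF-16 if a byte-order mark is present, else cp1252."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")

def load_template(text):
    """Parse template text into {section: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}

def discrepancies(baseline, current):
    """List (section, setting, expected, actual); actual is None if undefined."""
    report = []
    for section, settings in baseline.items():
        for name, expected in settings.items():
            actual = current.get(section, {}).get(name)
            if actual != expected:
                report.append((section, name, expected, actual))
    return report

if __name__ == "__main__":
    for row in discrepancies(load_template(BASELINE), load_template(CURRENT)):
        print("%s / %s: expected %s, found %s" % row)
```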
40
Auditing
- Security process
  - Records occurrence of specific operating system events in Security log
- Every object has audit events related to it
- Event Viewer
  - Maintains logs about:
    - Application events
    - Security events
    - System events
41
Event Properties Dialog Box
42
Encrypting File System
- Allows you to encrypt data stored on an NTFS drive
- Only enabling user can gain access to encrypted object
- Enabled using Properties dialog
- Uses public and private key encryption method
- Encryption process is invisible to user
43
Encrypting File System (continued)
- Recovery Agent
  - Used to recover encrypted files
  - Required for EFS to function
- CIPHER
  - Command-line tool for batch processing of encryption
44
Internet Security
- Risks
  - Unwittingly downloading Trojan horses or viruses
  - Accepting malicious e-mail
  - Allowing a remote cracker to take complete control of your computer
- Protection:
  - Security features for standalone or LAN system
  - Internet Connection Firewall
45
Summary
- Object-level access controls
- Winlogon controls how users log on
- Local computer policy controls many aspects of the security system as well as enabling or restricting specific functions and features of the operating system
- Encrypting File System (EFS) protects data with an encryption system