Advanced Windows Security: User Accounts | Ing. Ondřej Ševeček | GOPAS a.s.


1 Advanced Windows Security: User Accounts GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com | www.sevecek.com |

2 Local and domain user accounts Advanced Windows Security

3 Local User Accounts
- Stored in local registry
  - HKLM\SAM\Domains\Account
- Password hashed (MD4)
  - can be stored in full
    - Policy: Store passwords using reversible encryption
- Can enforce password complexity and history
  - Policy: Password complexity requirements
  - Policy: Enforce password history
- Single login: COMPUTER\username

4 Domain User Accounts
- Stored in Active Directory database
- Password
  - Hashes (MD4) stored
  - Digest (MD5) stored since Windows 2003
  - AES (SHA-1) since Windows 2008
- Two logins
  - user principal name (kamil@gopas.virtual)
  - SAM account name (GPS\kamil)
- Can enforce password policies
  - Domain-wide using Group Policy
  - Per users/groups using Granular Password Policies

5 Logins
- User Principal Name (kamil@gopas.virtual)
  - userPrincipalName attribute
  - up to 64 characters
  - configurable UPN suffixes
  - must be unique forest-wide
- SAM Account Name (GPS\kamil)
  - sAMAccountName attribute
  - up to 20 characters
  - always bound to NetBIOS domain name

6 Alternative UPN Suffixes

7 Account vs. Password Expiration
- Password expiration
  - after policy configured time
  - User Must Change Password at Next Logon
  - Cannot log on in fact, so the user may not be able to change the password remotely over VPN or web applications
  - Does not affect smart cards
- Account expiration
  - Cannot log on after a specific time regardless of password validity
  - Affects smart cards

8 Account vs. Password Expiration
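
The following PowerShell is an added example, not part of the presentation: it evaluates account expiration and password expiration separately from the raw directory attributes accountExpires, pwdLastSet and userAccountControl, and reports which logon types each one blocks as described on slide 7. The function name Get-ExpirationState, the sample accounts and the 90-day maximum password age are assumptions made for illustration.

```powershell
# Added example. The sample accounts below are constructed; in a domain the same raw
# attributes come from Get-ADUser -Properties accountExpires,pwdLastSet,userAccountControl.
$Never     = [Int64]::MaxValue       # accountExpires sentinel for "never" (0 means the same)
$PwdExempt = 0x10000 -bor 0x40000    # DONT_EXPIRE_PASSWORD | SMARTCARD_REQUIRED

function Get-ExpirationState {       # hypothetical helper name
    param(
        [Parameter(Mandatory)] $User,
        [TimeSpan] $MaxPasswordAge = [TimeSpan]::FromDays(90),   # assumed policy value
        [DateTime] $Now = [DateTime]::UtcNow
    )
    # Account expiration: an absolute cut-off, independent of the password.
    $accountExpired = $User.accountExpires -ne 0 -and
        $User.accountExpires -ne $Never -and
        [DateTime]::FromFileTimeUtc($User.accountExpires) -le $Now

    # Password expiration: pwdLastSet = 0 means "must change at next logon";
    # otherwise the password expires MaxPasswordAge after it was last set.
    $exempt = ($User.userAccountControl -band $PwdExempt) -ne 0
    $passwordExpired = -not $exempt -and ($User.pwdLastSet -eq 0 -or
        ([DateTime]::FromFileTimeUtc($User.pwdLastSet) + $MaxPasswordAge) -le $Now)

    [pscustomobject]@{
        Name                 = $User.Name
        AccountExpired       = $accountExpired
        PasswordExpired      = $passwordExpired
        PasswordLogonBlocked = $accountExpired -or $passwordExpired
        SmartCardBlocked     = $accountExpired   # password expiry does not affect smart cards
    }
}

# Constructed sample accounts (FILETIME values relative to the current time).
$now = [DateTime]::UtcNow
$ago = { param($days) $now.AddDays(-$days).ToFileTimeUtc() }
$users = @(
    [pscustomobject]@{ Name='kamil'; accountExpires=$Never;     pwdLastSet=(& $ago 10);  userAccountControl=0x200 }
    [pscustomobject]@{ Name='bob';   accountExpires=0;          pwdLastSet=(& $ago 120); userAccountControl=0x200 }
    [pscustomobject]@{ Name='carol'; accountExpires=(& $ago 1); pwdLastSet=(& $ago 10);  userAccountControl=0x200 }
    [pscustomobject]@{ Name='dave';  accountExpires=$Never;     pwdLastSet=0;            userAccountControl=0x200 }
    [pscustomobject]@{ Name='svc';   accountExpires=$Never;     pwdLastSet=(& $ago 400); userAccountControl=0x10200 }
)
$users | ForEach-Object { Get-ExpirationState -User $_ -Now $now } | Format-Table -AutoSize
```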

9 Thank you for your attention

