COMP1321 Digital Infrastructure Richard Henson February 2016.


1 COMP1321 Digital Infrastructure Richard Henson February 2016

2 Week 17: Network Operating Systems and Active Directory
- Objectives:
  - Explain a (network) operating system architecture in terms of a multi-layered model
  - Explain how platforms provide client-end stability for apps (or otherwise…)
  - Explain how Active Directory is used to control login and access to network resources
  - Explain how Active Directory can provide trust across multiple domains

3 Reminder: Software Layers and Operating Systems (OS)
[Diagram labels: os kernel; CPU, motherboard; os functions & user interface; Applications]

4 What if the Operating System has software faults?
- The platform becomes “unstable”!!
  - Could be errors in…
    - hardware control?
    - user interface?
    - utilities?

5 On a client-server network?
- Client platform unstable?
- What would happen to:
  - applications running on a poorly designed platform?
  - the rest of the local network?
  - businesses depending on such apps?

6 Software Faults & CWE
- A lot of recent interest in why software (even some operating systems…) is so unreliable
- Mitre Corporation (US) with govt backing…
  - tested software very thoroughly!
  - classified software fault types into a Common Weakness Enumeration (CWE)
    - community developed, formal list of software weakness types
[TSI/2012/183] © Copyright 2003-2012

7 What is CWE?
- Essentially… a list!
- CWE provides:
  - standard measuring stick for software tools targeting software weaknesses
  - common baseline standard for efforts to identify, mitigate, and prevent software weaknesses

8 More about Mitre and the CWE list
- Currently (12/2015) 998 distinct CWE entries identified by Mitre!! (version 2.9)
  - http://cwe.mitre.org/data
  - more commonly encountered weaknesses usually “repeat offenders”
- New vulnerabilities found on a regular basis

9 Example of an operating system flaw
- Apple:
  - “dangerous flaw revealed in iOS 7 and X” (21/2/14)
  - http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

10 CWE Top 25 faults (part 1)
Rank | ID | Name
1 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting')
2 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 | CWE-352 | Cross-Site Request Forgery (CSRF)
5 | CWE-285 | Improper Access Control (Authorization)
6 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision
7 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8 | CWE-434 | Unrestricted Upload of File with Dangerous Type
9 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10 | CWE-311 | Missing Encryption of Sensitive Data
11 | CWE-798 | Use of Hard-coded Credentials
12 | CWE-805 | Buffer Access with Incorrect Length Value
13 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

11 CWE Top 25 faults (part 2)
Rank | ID | Name
14 | CWE-129 | Improper Validation of Array Index
15 | CWE-754 | Improper Check for Unusual or Exceptional Conditions
16 | CWE-209 | Information Exposure Through an Error Message
17 | CWE-190 | Integer Overflow or Wraparound
18 | CWE-131 | Incorrect Calculation of Buffer Size
19 | CWE-306 | Missing Authentication for Critical Function
20 | CWE-494 | Download of Code Without Integrity Check
21 | CWE-732 | Incorrect Permission Assignment for Critical Resource
22 | CWE-770 | Allocation of Resources Without Limits or Throttling
23 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect')
24 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm
25 | CWE-362 | Race Condition

12 Susceptibilities
- The confirmed presence of one or more vulnerabilities within an implemented system, such as the presence of an operating system with a buffer overflow defect
- Susceptibilities in systems stem from:
  - a. initial implementation
  - b. changes to software, such as from adding new facilities or the correction of detected errors (‘patching’)
  - c. use of utility programs, which may be capable of circumventing security measures in the controlling or application software
[TSI/2013/306 | Draft 0.B | 2014-02-10]

13 Vulnerabilities
- Vulnerabilities can be:
  - The existence of a generic weakness in a particular platform, such as a buffer overflow occurring in a specific operating system or application
  - Interactions between multiple software elements that bypass intended controls
  - Accidental actions of software developers that result in defects and deviations
  - Deliberate actions of software developers that bypass intended controls, such as trap doors that permit unauthorised access to the system

14 Vulnerabilities from Major Vendors (2011 figures)

15 Software Weakness Mitigation
- What to do about all these faults….?
- Many concepts and practices needed for Trustworthy development of software have existed for many years…
  - “Due Diligence”
  - Pareto 80:20

16 Due Diligence
- Implies software should be reasonably trustworthy….
  - what does “reasonably” mean?
- Implementations vary with Audiences and Assurance Requirements

17 Pareto 80:20 (favoured by TSI)
- Practice improved iteratively using existing experience
- Example:
  - switching on and acting on Compiler Warning Flags…
    - would obviate many common “repeat offender” weaknesses
- If only this was normal practice!!! It could be….
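
An added example (not from the slides) of the compiler-warning point on slide 17: a length-prefixed record reader in C whose weak form is reported by -Wconversion, next to the corrected form. The record layout, function names and sample bytes are constructed for illustration.

```c
/* Build with warnings switched on and treated as errors:
 *   cc -Wall -Wextra -Wconversion -Werror example.c
 * Record layout (constructed for this example): [1-byte length][payload]. */
#include <stddef.h>
#include <string.h>

/* Weak form, kept for comparison and never called. Where plain char is
 * signed, a length byte of 0xFF reads as -1, passes the bounds check and
 * becomes a huge size_t inside memcpy (CWE-805). -Wconversion reports the
 * int -> size_t conversion on the memcpy line, so the build above fails. */
int read_payload_weak(char *dst, int dst_size, const char *rec)
{
    int len = rec[0];
    if (len > dst_size)
        return -1;
    memcpy(dst, rec + 1, len);
    return len;
}

/* Corrected form: unsigned types throughout, so it compiles cleanly with the
 * flags above, and the length is checked against both the input received
 * and the destination. Returns the payload length, or -1 if rejected. */
int read_payload(unsigned char *dst, size_t dst_size,
                 const unsigned char *rec, size_t rec_size)
{
    if (dst == NULL || rec == NULL || rec_size < 1)
        return -1;
    size_t len = rec[0];
    if (len > rec_size - 1 || len > dst_size)
        return -1;
    memcpy(dst, rec + 1, len);
    return (int)len;
}

/* Constructed sample records and output buffer. */
const unsigned char SAMPLE_OK[]    = { 3, 'a', 'b', 'c' };
const unsigned char SAMPLE_NEG[]   = { 0xFF, 'a', 'b', 'c' };
const unsigned char SAMPLE_SHORT[] = { 5, 'a' };
unsigned char OUT[16];

int main(void)
{
    int ok  = read_payload(OUT, sizeof OUT, SAMPLE_OK, sizeof SAMPLE_OK);
    int neg = read_payload(OUT, sizeof OUT, SAMPLE_NEG, sizeof SAMPLE_NEG);
    int cut = read_payload(OUT, sizeof OUT, SAMPLE_SHORT, sizeof SAMPLE_SHORT);
    return (ok == 3 && neg == -1 && cut == -1) ? 0 : 1;
}
```

Deleting read_payload_weak lets the file build cleanly with the flags in the header comment.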

18 Apps and Operating Systems
- Applications need a platform…
  - better designed platform…?
    - easier to design trustworthy apps
- Mobile phone app vulnerabilities by malware for platform (F-Secure, 2012):
  - http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q3%202012.pdf
  - Apple iOS: 1.1
  - Symbian: 29.8
  - Android: 62.8
  - Windows mobile: 0.6

19 Why the differences?
- Apps written to use operating system (os) platform appropriately…
  - well designed os restricts/prevents inappropriate use
  - poorly designed os allows sloppy habits
    - but may have performance advantages… (!)
    - e.g. Android top 25 vulnerabilities (CWE):
      - http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

20 Logon & protecting the client end
- When a networked client is turned on…
  - operating system loaded…
  - user logon screen presented
- Rapid local boot is fine…
  - but most organisational computers are on networks…
    - why?
  - why does network logon take so long?

21 “Policies”: Controlling User and System Settings
- The Windows user’s desktop is controlled with policies
  - user policies
  - system policies
- Configuring and using policies - essential part of any network administrator’s job!
  - could be 100s or 1000s of systems, & users

22 Storage of User/System Settings: Windows Registry
- Early Windows extended DOS text files of system & user settings:
  - SYSTEM.INI enhanced CONFIG.SYS
  - WIN.INI enhanced AUTOEXEC.BAT
- Windows 95: two dimensional structure… known as The Registry
  - principles later extended in Windows NT v4 to allow system and user settings to be downloaded to local registry across the network

23 Viewing/Editing the Registry
- REGEDT32 from command prompt…
  - look but don’t touch!
  - contents should not be changed manually unless you really know what you are doing!!!
- Registry data that is loaded into memory can also be overwritten by data:
  - from local profiles
  - downloaded across the network…

24 System Settings
- For configuration of hardware and software
  - different types of system need different settings
  - system settings for a given computer may need to be changed for particular users, e.g. to change screen refresh rate for epileptics

25 User Settings
- More a matter of convenience for the user
  - mandatory profiles
    - users all get the same desktop settings!
    - anything added is lost during logoff!
  - roaming profiles - desktop settings preserved between user sessions
    - saved across the network…

26 What is The Registry?
- A hierarchical store of system and user settings
- Five basic subtrees:
  - HKEY_LOCAL_MACHINE: local computer info. Does not change no matter which user is logged on
  - HKEY_USERS: default user settings
  - HKEY_CURRENT_USER: current user settings
  - HKEY_CLASSES_ROOT: software config data
  - HKEY_CURRENT_CONFIG: “active” hardware profile
- Each subtree contains one or more subkeys…

27 Location of the Windows Registry
- In XP…
  - c:\windows\system32\config folder
- Six files (no extensions):
  - Software
  - System – hardware settings
  - Sam, Security
    - not viewable through regedt32
  - Default – default user
  - Sysdiff – HKEY_USERS subkeys
  - Also to be considered: ntuser.dat
    - user settings that override default user

28 Registry Files in Windows 7
- HKEY_LOCAL_MACHINE\SYSTEM:
  - \system32\config\system
- HKEY_LOCAL_MACHINE\SAM:
  - \system32\config\sam
- HKEY_LOCAL_MACHINE\SECURITY
  - \system32\config\security
- HKEY_LOCAL_MACHINE\SOFTWARE
  - \system32\config\software
- HKEY_USERS\UserProfile
  - \winnt\profiles\username
- HKEY_USERS\.DEFAULT
  - \system32\config\default

29 Emergency Recovery if Registry lost or badly damaged
- Backup registry files created during text-based part of windows installation
  - also stored in:
    - c:\windows\system32\config
    - have .sav suffix
  - only updated if “R” option is chosen during a windows recovery/reinstall
- NEVER UPDATED backup is saved to
  - C:\windows\repair folder
  - no user and software settings
  - reboots back to “Windows is now setting up”

30 Backing up the Registry
- Much forgotten… an oversight that may later be much regretted!!!
  - can copy to tape, USB stick, CD/DVD, or disk
  - rarely more than 100 Mb
- Two options:
  - Use third-party backup tool
    - e.g. http://www.acronis.co.uk
  - Use windows “backup”
    - not recommended by experts!
    - but already there & does work!
    - to copy the registry if this tool is chosen, a “system state” backup option should be selected

31 System Policy File
- A collection of registry settings downloaded from the domain controller during logon
- Can apply different system settings to a computer, depending on the user or group logging on
- Can overwrite:
  - local machine registry settings
  - current user registry settings
- Should therefore only be used by those who know what they are doing!!!

32 System Policy File
- Saved as NTCONFIG.POL
- Normally held on Domain Controllers
  - read by local machine during logon procedure
  - provides desktop settings, and therefore used to control aspects of appearance of the desktop
- Different NTCONFIG.POL settings can be applied according to:
  - User
  - Group
  - Computer
- Users with roaming profiles additionally save desktop settings to their profile folders

33 Active Directory
- Microsoft equivalent of Novell’s NDS (Network Directory Structure)
  - An LDAP network-wide directory service for providing paths to files and services
- Available from Windows 2000 onwards
  - of limited use on earlier Windows networks

34 Windows Workgroups and Domains...
- Workgroup = peer-peer
- Domain = client-server
- Client machines can logon
  - Locally (i.e. peer-peer)
  - To domain (client in a client-server network)

35 Servers and Domain Controllers
- Client server networks use clients only for users
  - clients need to log on to the domain to access network resources
  - domain access managed by domain controllers
- Member servers used to provide and manage services

36 What is Active Directory?
- An object-oriented database (Internet-approved x500 standard)
  - a hierarchy of data objects (& their properties)
    - domain controllers
    - computers
    - users & groups of users
    - network resources

37 Domain Controllers and Active Directory
- Good practice to have backups
  - domain controller should have a backup….
  - managed as part of the Active Directory system
  - data on network resources, services & users all stored in a single file
    - ntds.dit
  - tools available for AD system management
    - e.g. ntdsutil

38 Backing up the Database
- Goes without saying that the loss of Active Directory will be very bad for the network (!)
  - people won’t even be able to log on/off!
- AD should be backed up…
  - regularly!
  - preferably on another computer…
  - in another location…

39 Microsoft approach to “Scalable” Networks
- Domain = Unit of a Microsoft LAN
  - data store needed that will cover all network users and resources
  - replicated across domain controllers
- Criticised for not being “scalable” beyond a local LAN…
  - Next week: how Microsoft addressed this

