Windows 2000 Security - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

Windows 2000 Security

Description:

Only FEK is available to agent (not the user's private key) Local Administrator default recovery agent on stand alone workstations ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 35
Provided by: tomd9
Category:

less

Transcript and Presenter's Notes

Title: Windows 2000 Security


1
Windows 2000 Security
Tom Davis University IT Security Office Office
of the Vice President for Information Technology
2
Key Areas
  • Group Policy
  • Encrypting File System (EFS)
  • Security Configuration Tool Set
  • Kerberos
  • Internet Protocol Security (IPSec)
  • Certificate Services

3
Key Areas
  • Group Policy
  • Encrypting File System (EFS)
  • Security Configuration Tool Set
  • Kerberos
  • Internet Protocol Security (IPSec)
  • Certificate Services

4
Group Policy
  • Overview
  • Active Directory Objects
  • Other Issues
  • Demo

5
Group Policy - Overview
  • Used to define user and computer configurations
  • Group Policy settings contained in Group Policy
    Object (GPO)
  • GPOs associated with Active Directory objects
    (sites, domains, and organization units)

6
Group Policy Active Directory Objects
  • Tree
  • set of one or more domains with contiguous names

7
Group Policy Active Directory Objects
(continued)
  • Forrest
  • set of one or more trees

IUAsia.edu
japan.IUAsia.edu
8
Group Policy Active Directory Objects
(continued)
  • Site
  • set of one or more IP subnets
  • used to direct requests to other computers at
    same site
  • can have group policy applied to it
  • Domain
  • grouping of servers and network objects under a
    single name
  • can have group policy applied to it

9
Group Policy Active Directory Objects
(continued)
  • Organizational Unit (OU)
  • directory object contained within domains
  • logical groupings for users, computers, and other
    OUs
  • can have group policy applied to it
  • Container
  • intended for generic containment
  • cannot have group policy applied to it
  • Users and Computers contained used in NT4 upgrade

10
Group Policy Inheritance Rules
  • Local
  • Site
  • Domain
  • Organization Unit

11
Group Policy Inheritance Rules (continued)
  • Any GPO (except local) may be enforced
  • If more than one enforced, highest in hierarchy
    takes precedence
  • GPO inheritance may be blocked
  • Blocking does not prevent enforced GPOs from
    being applied

12
Group Policy Other Issues
  • Password, lockout, and kerberos policies are
    applied at the domain level only (ignored at OU
    or LGPO level)
  • Access Control Lists can be applied to GPO to
    modify scope of policy
  • Loopback processing to enforce computer settings
    for use (student lab environment)

13
Group Policy - Demo
14
Key Areas
  • Group Policy
  • Encrypting File System (EFS)
  • Security Configuration Tool Set
  • Kerberos
  • Internet Protocol Security (IPSec)
  • Certificate Services

15
Encrypting File System (EFS)
  • Overview
  • Data Recovery Agents
  • Microsoft Recommendations
  • Vulnerabilities?
  • Demo

16
EFS - Overview
  • File Encryption Key (FEK)
  • Encrypts objects with DESX using FEK
  • FEK encrypted with users public key
  • FEK can only be decrypted with users private key
  • Each file has its own FEK
  • Data Decryption Field (DDF) holds FEK encrypted
    with users public key

17
EFS Overview (continued)
  • No need to decrypt file before use (transparent)
  • Resides in kernel mode
  • Uses non-paged pool to store FEKs
  • Supports remote file server encrypting of files
  • Data in transit is not encrypted
  • File sharing not exposed (in current release)
  • Objects can be encrypted via Explorer or cipher
    command line tool

18
EFS Overview (continued)
  • Encrypted directory does not encrypt file lists
    contained within directory
  • Flag tells EFS to encrypt all files placed in
    that directory
  • Copying file to non Win2k NTFS partition makes it
    unencrypted

19
EFS - Data Recovery Agents
  • Can decrypt files encrypted by users
  • Only FEK is available to agent (not the users
    private key)
  • Local Administrator default recovery agent on
    stand alone workstations
  • Domain Administrator default recovery agent for
    domain

20
EFS - Data Recovery Agents (continued)
  • Encrypted Data Recovery Agent policy defined at
    domain controller
  • Policy applies to computers (not users)
  • No accumulation of this policy (the one applied
    last gets enforced)
  • Data Recovery Field (DRF) holds FEK encrypted
    with Data Recovery Agents public key

21
EFS - MS Recommendations
  • Encrypt folders rather than individual files
  • Encrypt the My Documents folder
  • Encrypt the Temp folder
  • Backup Recovery Agent certificates and private
    keys, then delete certificate from certificate
    store

22
EFS Vulnerabilities?
  • Cracking Win2000 EFS whitepaper
  • Relies on Data Recovery Agent certificate being
    present (which is against Microsofts
    recommendation)

23
EFS - Demo
24
Key Areas
  • Group Policy
  • Encrypting File System (EFS)
  • Security Configuration Tool Set
  • Kerberos
  • Internet Protocol Security (IPSec)
  • Certificate Services

25
Security Configuration (SC) Tool Set
  • Overview
  • Security Settings (GPO)
  • Templates (MMC snap-in)
  • Configuration and Analysis (MMC snap-in)
  • Configuration and Analysis (Secedit.exe command
    line tool)

26
SC Tool Set - Overview
  • Account Policies
  • password, lockout, and kerberos settings
  • Local Policies
  • audit, user rights, and security options
  • Event Log
  • log size, restricting guest access, retention,
    etc.
  • Restricted Groups
  • enforcing group membership

27
SC Tool Set Overview (continued)
  • System Services
  • service startup modes and access controls
  • Registry
  • access control for registry keys
  • File System
  • access control for folders and files

28
SC Tool Set Security Settings (GPO)
  • Described earlier under Group Policy

29
SC Tool Set Templates
  • Text based security template file
  • Security Templates MMC Snap-in
  • Contains security settings for all security areas
    of the tool set
  • Can be
  • imported into Security Settings (GPO)
  • used via Security Configuration and Analysis
    Snap-in
  • used via Secedit.exe command line tool

30
SC Tool Set - Configuration and Analysis (MMC
snap-in)
  • Identify security holes
  • Identify changes that potential policy might make
    to system
  • Identify deviations from policy

31
SC Tool Set - Configuration and Analysis
(Secedit.exe)
  • Identify security holes
  • Identify changes that potential policy might make
    to system
  • Identify deviations from policy
  • Can be scripted
  • Allows verbose logging
  • Can specify particular area(s) to be configured

32
SC Tool Set - Demo
33
Key Areas
  • Group Policy
  • Encrypting File System (EFS)
  • Security Configuration Tool Set
  • Kerberos
  • Internet Protocol Security (IPSec)
  • Certificate Services

34
Questions?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Windows 2000 Security" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!