COMP 2221 Networks in Organisations Richard Henson March

  • Slides: 51
Download presentation
COMP 2221 Networks in Organisations Richard Henson March 2014

COMP 2221 Networks in Organisations Richard Henson March 2014

Week 5: The Windows Registry, Principles of Network Security n Objectives: Ø Explain confidentiality,

Week 5: The Windows Registry, Principles of Network Security n Objectives: Ø Explain confidentiality, integrity, and availability principles for networks Ø Explain why user and system settings need to be controlled on networked machines Ø Explain the role of the registry in Windows desktop and network configuration, user settings, and security Ø Select appropriate software tools for backup and fault tolerance

What is a “platform” n Hardware that will support a CPU Ø motherboard (or

What is a “platform” n Hardware that will support a CPU Ø motherboard (or eq 1 uiv) Ø ROM and RAM Ø hard disk and controller n Software that executes through the CPU to provide a stable user environment Ø low-level operating system functions Ø utilities Ø user interface

Connectivity between platforms OSI: Seven Layer model n As far as the user is

Connectivity between platforms OSI: Seven Layer model n As far as the user is concerned… n Ølayer 7 is all that matters n But there should be access control… Øuser needs to log on (via level 5) Øachieved through level 7 pop up and input coupled to interrogation of local or LAN database

BIOS Developments n Earlier motherboards had a single chip containing the BIOS on ROM

BIOS Developments n Earlier motherboards had a single chip containing the BIOS on ROM and a writeable CMOS area Ø the command line interface invoked was 16 -bit n More recent motherboards use EFI (Extensible Firmware Interface) Ø uses a 32 -bit command line Ø only really exploited with Windows 7, and 2008 Server…

Why “access control”? n Organisations have responsibilities, and confidentiality Ønowadays, these are delivered through

Why “access control”? n Organisations have responsibilities, and confidentiality Ønowadays, these are delivered through the network n /Confidentiality. Integrity: Øe. g. Personal data held under the Data Protection Act n Availability: Øthose who need access to files & services must have it…

Platforms: booting to an Intel/Windows platform n BIOS should “point” to selected medium that

Platforms: booting to an Intel/Windows platform n BIOS should “point” to selected medium that contains a “boot loader” program » contains “master boot record” (MBR) » points to the boot partition n n containing the operating system Different media prepared in different ways » hard disk still the conventional boot medium n number of partitions so potential choice of bootable media » CDs & USBs only have one partition

Partitions, Hard Disks and Multiple Operating Systems n n MBR must be on the

Partitions, Hard Disks and Multiple Operating Systems n n MBR must be on the first (C: ) partition Possible to have different operating systems on the same hard disk… Ø varieties of Windows Ø varieties of Unix… n BUT… Ø Master Boot Record systems different on Unix and Windows Ø still possible to have ONE Unix partition…

Logon n Once the operating system has been loaded… Øuser logon screen presented n

Logon n Once the operating system has been loaded… Øuser logon screen presented n Rapid local boot is fine… Øbut most organisational computers are on networks… » why? Øwhy does network logon take so long?

“Policies”: Controlling User and System Settings n The Windows user’s desktop is controlled with

“Policies”: Controlling User and System Settings n The Windows user’s desktop is controlled with policies Ø user policies Ø system policies n Configuring and using policies - essential part of any network administrator’s job! Ø could be 100 s or 1000 s of systems, & users

Storage of User/System Settings: Windows Registry n Early Windows extended DOS text files of

Storage of User/System Settings: Windows Registry n Early Windows extended DOS text files of system & user settings: Ø SYSTEM. INI enhanced CONFIG. SYS Ø WIN. INI enhanced AUTOEXEC. BAT n Windows 95 created a two dimensional structure… known as The Registry Ø principles later extended in Windows NT v 4 to allow system and user settings to be downloaded to local registry across the network

Viewing/Editing the Registry n REGEDT 32 from command prompt… Ølook but don’t touch! Ø

Viewing/Editing the Registry n REGEDT 32 from command prompt… Ølook but don’t touch! Ø contents should not be changed manually unless you really know what you are doing!!! n Registry data that is loaded into memory can also be overwritten by data: Øfrom local profiles Ødownloaded across the network…

System Settings n For configuration of hardware and software Ødifferent types of system need

System Settings n For configuration of hardware and software Ødifferent types of system need different settings Øsystem settings for a given computer may need to be changed for particular users e. g. to change screen refresh rate for epileptics

User Settings n More a matter of convenience for the user Ø mandatory profiles

User Settings n More a matter of convenience for the user Ø mandatory profiles » users all get the same desktop settings! » anything added is lost during logoff! Ø roaming profiles - desktop settings preserved between user sessions » saved across the network…

What is The Registry? n n A hierarchical store of system and user settings

What is The Registry? n n A hierarchical store of system and user settings Five basic subtrees: Ø HKEY_LOCAL_MACHINE : local computer info. Does not change no matter which user is logged on Ø HKEY_USERS : default user settings Ø HKEY_CURRENT_USER : current user settings Ø HKEY_CLASSES_ROOT : software config data Ø HKEY_CURRENT_CONFIG : “active” hardware profile n Each subtree contains one or more subkeys…

Location of the Windows Registry n In XP… Ø c: windowssystem 32config folder n

Location of the Windows Registry n In XP… Ø c: windowssystem 32config folder n Six files (no extensions): Ø Software Ø System – hardware settings Ø Sam, Security » not viewable through regedt 32 Ø Default – default user Ø Sysdiff – HKEY USERS subkeys Ø Also to be considered: ntuser. dat » user settings that override default user

Registry Files in Windows 7 n n n HKEY_LOCAL_MACHINE SYSTEM: Ø system 32configsystem HKEY_LOCAL_MACHINE

Registry Files in Windows 7 n n n HKEY_LOCAL_MACHINE SYSTEM: Ø system 32configsystem HKEY_LOCAL_MACHINE SAM: Ø system 32configsam HKEY_LOCAL_MACHINE SECURITY Ø system 32configsecurity HKEY_LOCAL_MACHINE SOFTWARE Ø system 32configsoftware HKEY_USERS User. Profile Ø winntprofilesusername HKEY_USERS. DEFAULT Ø system 32configdefault

Emergency Recovery if Registry lost or badly damaged n Backup registry files created during

Emergency Recovery if Registry lost or badly damaged n Backup registry files created during text-based part of windows installation Ø also stored in: » c: windowssystem 32config » have. sav suffix Ø only updated if “R” option is chosen during a windows recovery/reinstall n NEVER UPDATED backup is saved to Ø C: windowsrepair folder Ø no user and software settings Ø reboots back to “Windows is now setting up”

Backing up the Registry n Much forgotten… an oversight that may later be much

Backing up the Registry n Much forgotten… an oversight that may later be much regretted!!! Ø can copy to tape, USB stick CD/DVD, or disk Ø rarely more than 100 Mb n Two options; Ø Use third-party backup tool » e. g http: //www. acronis. co. uk Ø Use windows “backup” » not recommended by experts! » but already there & does work! » to copy the registry if this tool is chosen, a “system state” backup option should be selected

System Policy File n n n A collection of registry settings downloaded from the

System Policy File n n n A collection of registry settings downloaded from the domain controller during logon Can apply different system settings to a computer, depending on the user or group logging on Can overwrite: Ø local machine registry settings Ø current user registry settings n Should therefore only be used by those who know what they are doing!!!

System Policy File n n Saved as NTCONFIG. POL Normally held on Domain Controllers

System Policy File n n Saved as NTCONFIG. POL Normally held on Domain Controllers Ø read by local machine during logon procedure Ø provides desktop settings, and therefore used to control aspects of appearance of the desktop n Different NTCONFIG. POL settings can be applied according to: Ø User Ø Group Ø Computer n Users with roaming profiles additionally save desktop settings to their profile folders

Active Directory n Microsoft equivalent of Novell’s NDS (Network Directory Structure) Ø An LDAP

Active Directory n Microsoft equivalent of Novell’s NDS (Network Directory Structure) Ø An LDAP network-wide directory service for providing paths to files and services n Available from Windows 2000 onwards Ø of limited use on earlier Windows networks

Windows Workgroups and Domains. . . Workgroup = peer-peer n Domain = client-server n

Windows Workgroups and Domains. . . Workgroup = peer-peer n Domain = client-server n Client machines can logon n ØLocally (i. e. peer-peer) ØTo domain (client in a client-server network

Servers and Domain Controllers n Client server networks use clients only for users Øclients

Servers and Domain Controllers n Client server networks use clients only for users Øclients need to log on to the domain to access network resources Ødomain access managed by domain controllers n Member servers used to provide and manage services

What is Active Directory? n A object-oriented database (Internetapproved x 500 standard) Øa hierarchy

What is Active Directory? n A object-oriented database (Internetapproved x 500 standard) Øa hierarchy of data objects (& their properties) » domain controllers » computers » users & groups of users » network resources

Domain Controllers and Active Directory n Good practice to have backups Ødomain controller should

Domain Controllers and Active Directory n Good practice to have backups Ødomain controller should have a backup…. Ømanaged as part of the Active Directory system Ø data on network resources, services & users all stored in a single file » ntds. dit Ø tools available for AD system management » e. g. ntdsutil

Backing up the Database n Goes without saying that the loss of Active Directory

Backing up the Database n Goes without saying that the loss of Active Directory will be very bad for the network (!) Øpeople won’t even be able to log on/off! n AD should be backed up… Øregularly! Øpreferably on another computer… ØIn another location…

Managing Risks… TSI approach predicated on whole-life view (ISO/IEC 12207 & 15288), covering Specification,

Managing Risks… TSI approach predicated on whole-life view (ISO/IEC 12207 & 15288), covering Specification, Realisation and Use 28 [TSI/2012/253] © Copyright 2003 -2012

Trustworthiness: Trustworthiness Definition 29 [TSI/2012/183] © Copyright 2003 -2012

Trustworthiness: Trustworthiness Definition 29 [TSI/2012/183] © Copyright 2003 -2012

Trustworthy Software Audiences Ø Mainstream » “The Industry” (e. g. Microsoft, Oracle, . .

Trustworthy Software Audiences Ø Mainstream » “The Industry” (e. g. Microsoft, Oracle, . . . ) Ø Niche » Specialist Industries (e. g. Aviation, “Security”) Ø Disbursed » Small scale developers (e. g. Smart. Phone Apps) Ø Collateral » developers don’t consider themselves as such (e. g. embedded components, website CMS users, spreadsheets, …) 30 [TSI/2012/183] © Copyright 2003 -2012

Fault Tolerance and Availability n General engineering principle… Øif it can go wrong… it

Fault Tolerance and Availability n General engineering principle… Øif it can go wrong… it will! Trustworthy software should detect failure and trigger a backup n Essential for Business Continuity n

Managing Fault Tolerance n Whole domain controller should be backed up! Øactive directory designed

Managing Fault Tolerance n Whole domain controller should be backed up! Øactive directory designed as a distributed database that backs up all domain controllers to each other Øbackup domain controller software set up using same active directory wizard

Fault Tolerance (data storage fault) e. g. Hard disk crash n System needed for

Fault Tolerance (data storage fault) e. g. Hard disk crash n System needed for a backup to take over “seamlessly” n Øi. e. without the user even noticing… n Trustworthy software system: Ødisk mirroring Øexact copy available to take over at a moment’s notice

“Trust” About people! n In this case: n Ønetwork users on different domains n

“Trust” About people! n In this case: n Ønetwork users on different domains n By default: do not trust strangers with your data!

Domain Trust This allows users on one domain to log onto resources on another

Domain Trust This allows users on one domain to log onto resources on another domain n Trusts can be one or two-way n Domain A Domain B

Enterprise Structure of Active Directory n A hierarchical system of organisational data objects Øi.

Enterprise Structure of Active Directory n A hierarchical system of organisational data objects Øi. e. domains, n A Tree can be » a single domain » group of domains

Domain Trees & Forests n n n Active Directory provides “trust” between the databases

Domain Trees & Forests n n n Active Directory provides “trust” between the databases of domains that are linked in this way A “Tree” is the domains and links between them A “Forest” contains data needed to connect all objects in the tree: Ø domain objects in the tree are logically linked together in the forest and their users can “trust” each other

Active Directory and Users Active directory allows set up and management of domain users

Active Directory and Users Active directory allows set up and management of domain users n Can also define domain groups, and allow domain users to become part of domain groups n Øaids administration Øpolicy file can be set up » interacts with user machines registry during login » controls user desktop

Organisations, Organisational Units, and Domains n An organisation may: Ø have several locations Ø

Organisations, Organisational Units, and Domains n An organisation may: Ø have several locations Ø have several functions in same location n Alternative to multiple domains… Øorganisational units Øgroup policy can be applied selectively

Domain Name System & Active Directory n Active Directory structures designed to be able

Domain Name System & Active Directory n Active Directory structures designed to be able to mirror naming of servers that are part of the Internet n Systematic Internet server naming already available for some time as DNS (Domain Name System)

Active Directory and DNS n In Active directory, each domain in the tree has

Active Directory and DNS n In Active directory, each domain in the tree has a unique DNS identity Øtherefore a unique IP address… Øcan cause confusion when setting up domain structure!! n Also, each device within a domain can also made use of DNS, via its IP address… ØWindows-based naming (WINS) obsolete

Microsoft TCP/IP stack n n n Differs from UNIX TCP/IP (e. g. no FTP,

Microsoft TCP/IP stack n n n Differs from UNIX TCP/IP (e. g. no FTP, SMTP or Telnet) DNS is available as a network service Application layer components: Ø Windows sockets - to interface with sockets-based applications Ø Net. BT - to interface with Net. BIOS applications n SNMP, TCP, UDP, IP as with Unix protocol stack

Tips for Configuring TCP/IP on Windows clients Make sure network card is active n

Tips for Configuring TCP/IP on Windows clients Make sure network card is active n Requires local administrator access!! n Access via “properties” after rightclicking “LAN connection” n TCP/IP settings then easily changed n

Manual Setting of IP address n Subnet mask: Ø 255. 0 for small networks

Manual Setting of IP address n Subnet mask: Ø 255. 0 for small networks Ø 255. x. 0 for larger networks Øx -> 0 as the network gets larger » About optimisation of network performance… n Default gateway is the IP address of the LAN-Internet interface computer…

TCP/IP Configuration via DHCP Dynamic Host Configuration Protocol n Network management of IP addresses…

TCP/IP Configuration via DHCP Dynamic Host Configuration Protocol n Network management of IP addresses… n Øautomatically assign IP addresses from a Windows 2000 server machine running DHCP server Øintegrates with active directory

Windows TCP/IP utilities n n Not available from the GUI… Only accessible via cmd

Windows TCP/IP utilities n n Not available from the GUI… Only accessible via cmd prompt Ø Ping (packet internet groper): Ø FTP Ø Telnet Ø Finger (retrieval of system information from a computer running TCP/IP & finger Ø ARP (displays local IP addresses according to equivalent MAC or “physical” addresses) Ø ipconfig (displays local IP configuration) Ø tracert (checks route to a remote IP address)

Terminal Services (“thin client”) n Allows any PC running a version of Windows to

Terminal Services (“thin client”) n Allows any PC running a version of Windows to remotely run an NT series server Øuses a copy of the server’s desktop on the client machine n Client tools must be installed first, but the link can run with very little bandwidth Øpossible to remotely manage a server thousands of miles away using a phone connection…

Remote Access Service (RAS) n Allows access to an external network through public/other networks

Remote Access Service (RAS) n Allows access to an external network through public/other networks Ø uses Point to Point protocol (PPP): remember that? Ø standard username/password authentication Ø also PPP Multilink protocol, which allows a combination of communications links and multiple links to be used n Capability for VPNs (Virtual Private Networks) using secure Internet access Ø using L 2 TP (point-point “tunnelling” protocol)

RAS & Secure Remote Login n n To login remotely, user must have a

RAS & Secure Remote Login n n To login remotely, user must have a valid username/password and RAS dial-in permission RAS can use “call back” security: Ø Server receives a remote request for access Ø Server makes a note of the telephone number Ø Server calls the remote client back, guaranteeing that the connection is made from a trusted site n n Login information encrypted by default All remote connections can be audited

Internet Information Server (IIS) n Microsoft’s Web Server Ø can also provide ftp or

Internet Information Server (IIS) n Microsoft’s Web Server Ø can also provide ftp or smtp publishing service n Purpose: Ø make html pages available: » as a local www service » across the network as an Intranet » across trusted external users/domains as an Extranet Ø run server-scripts in communication with client browsers n n Sets up its own directory structure for developing Intranets, Extranets, etc. Access to any IIS service can be restricted using username/password security

Internet Information Server (2) n Can allow anonymous remote login: Ø Uses a “guest”

Internet Information Server (2) n Can allow anonymous remote login: Ø Uses a “guest” account – access only to files that make up the Intranet Ø Anonymous login prevents trying to hack in through guessing passwords of existing users n Provides the software connectivity for a server -side interface that can connect client-server Internet applications to online databases e. g. . aspx or. php