FORESEC Academy Security Essentials V WINDOWS SECURITY FORESEC

FORESEC Academy Security Essentials (V) WINDOWS SECURITY

Agenda
- Chapter 25: The Windows Security Infrastructure
- Chapter 26: Permissions and User Rights
- Chapter 27: Security Templates and Group Policy
- Chapter 28: Service Packs, Hotfixes, and Backups
- Chapter 29: Securing Windows Network Services
- Chapter 30: Automation and Auditing

FORESEC Academy Security Essentials (V) The Windows Security Infrastructure

Windows Operating Systems
- Windows 9x/Me
- Windows NT
- Windows 2000
- Windows XP
- Windows 2003

Windows 9x/Me (1 of 2)
Not designed for security and cannot be secured, period.
- No filesystem security
- Can't really require initial logon
- Weak authentication protocol (LM)
- Extremely vulnerable to DoS attacks
- Virtually no logging capabilities
- Prone to lock-ups and crashes
- Boot into other OS to circumvent everything

Windows 9x/Me (2 of 2)
But if you’re stuck with 9x/Me, then:
- Use them as “thin clients” to Terminal Services or Citrix servers
- Keep all mail on Exchange Server, not in local personal storage files (.PST)
- Store all documents on servers
- Install ADCE for NTLMv2 support

Windows NT 4.0
Windows NT is dead, DEAD. Service Pack 6a is the last one.
Was at least intended to be secure:
- User-based access control
- Domain controllers, trusts, and single sign-on
- NTFS and NTLM
- Detailed logging
- Protected memory spaces in OS
- VMS pedigree

Windows 2000 (1 of 2)
It's more like Windows NT version 9.0:
- Active Directory
- Group Policy
- Kerberos
- IPSec
- PKI & Smart Cards
- EFS
- Scriptability & CMD Tools

Windows 2000 (2 of 2)
Columns: Standard Server | Advanced Server | Datacenter Server
- Max CPUs: 4 | 8 | 32
- Max RAM: 4 GB | 8 GB | 32 GB
- Load Balancing: n/a | 32-Node
- Cluster Nodes: n/a | 2-Node | 4-Node

Windows XP
A better Windows 2000 Professional...
XP Professional vs. Home Edition
Only with XP Professional:
- Ability to join a domain
- Encrypting File System
- Editable file ACLs
- Remote Desktop support
- Roaming user profiles
- Dual CPU support

Windows Server 2003 (1 of 3)
Successor to Windows 2000 Server
- Not intended for desktops.
- Mostly an incremental upgrade to Win 2000.
- Scalability and fault-tolerance enhancements.
- Cross-forest trusts.
You can mix-and-match your Windows 2000 and 2003 Servers fairly easily.

Windows Server 2003 (2 of 3)
Columns: Standard Server | Advanced Server | Datacenter Server
- Max CPUs: 4 | 8 | 32
- Max RAM: 4 GB | 8 GB | 32 GB
- Load Balancing: n/a | 32-Node
- Cluster Nodes: n/a | 8-Node
- 64-bit CPU: No | Yes

Windows Server 2003 (3 of 3)
Windows Server 2003 Web Edition
- Dedicated-purpose operating system
- Not available through retail channels.
- Intended for ISPs and ASPs.
- Intended for turn-key hardware appliances.
Only supports two 32-bit CPUs and no more than 2 GB of RAM. (Why???)
Probably better off with Standard Server...

Workgroups (1 of 3)
- No domain controllers!
- Stand-alone computers only.
- Local accounts and local accounts databases only.
- Permissions can be assigned to local users and groups only.
- Local groups cannot have users from other machines.
- User names may be identical across machines, but their SIDs are different (more on this in just a moment).
- Users are typically local administrators of their own machines.
- A “workgroup administrator” simply has a separate administrative account on every machine.
- Workgroups tend to be small, e.g., less than 100 boxes.
- You can have stand-alones or entire workgroups in the midst of domain members, e.g., IIS servers on a service subnet.
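The point that identical user names on different workgroup machines carry different SIDs, as an added Python example that is not part of the original slides: it decodes the binary SID layout and compares two same-named local accounts. The host names, the `alice` account and the machine identifier values are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_account_sid(sid: str):
    """Split an account SID (S-1-5-21-x-y-z-RID) into (issuing machine/domain, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not an account SID issued by a machine or domain")
    return "-".join(parts[:7]), int(parts[7])

def build_sid(machine_ids, rid) -> bytes:
    """Constructed helper: pack S-1-5-21-<three machine ids>-<rid> into binary."""
    subs = (21, *machine_ids, rid)
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample: "alice" created separately on two workgroup PCs.
PC1 = (1004336348, 1177238915, 682003330)
PC2 = (2052111302, 436374069, 1343024091)
accounts = {
    ("PC1", "alice"): build_sid(PC1, 1003),
    ("PC2", "alice"): build_sid(PC2, 1003),
}

def same_principal(a: bytes, b: bytes) -> bool:
    """Permissions are matched on the SID, not on the user name."""
    return sid_to_string(a) == sid_to_string(b)

if __name__ == "__main__":
    for (host, name), raw in accounts.items():
        issuer, rid = split_account_sid(sid_to_string(raw))
        print(f"{host}\\{name}: issuer={issuer} rid={rid}")
    print("same principal:", same_principal(*accounts.values()))
```

Both accounts share the name and even the RID, yet the issuing-machine portion differs, so a permission granted to `alice` on one machine does not name the `alice` on the other.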

Workgroups (2 of 3)
Benefits of workgroups:
- Conceptual simplicity.
- Lower initial cost.
- Each computer protects itself.
- Each user is typically an administrator of his or her own machine, allowing personal creative expression and joy.

Workgroups (3 of 3)
Drawbacks of workgroups:
- Users are insane.
- Workgroup = Anarchy
- Very difficult to manage a large number of stand-alones (no scalability).
- No single sign-on without great effort.
- No consistent permissions or rights.

Manage Local Accounts
Windows NT
- User Manager
Windows 2000/XP/2003
- User Accounts applet in Control Panel.
- Computer Management snap-in in Administrative Tools folder.
- NET.EXE