Post on 18-Jan-2016

Module 2: Introducing Windows 2000 Security

Overview

Introducing Security Features in Active Directory

Authenticating User Accounts

Securing Access to Resources

Introducing Encryption Technologies

Encrypting Stored and Transmitted Data

Introducing Public Key Infrastructure Technology

Introducing Security Features in Active Directory

Active Directory Hierarchical Structure

Trust Relationships

Administration Using Group Policy

Active Directory Hierarchical Structure

[Diagram: the Active Directory hierarchy. Objects are grouped into organizational units (OUs), OUs into domains, domains into trees, and trees into a forest.]

Defining Security Boundaries Using Domains

Supporting Security Settings Using OUs

Providing Delegation of Administration

Trust Relationships

[Diagram: trust relationships within and between Forest 1 and Forest 2]

Transitive (Two Way)

Shortcut (Two Way)

External (One Way)

Administration Using Group Policy

[Diagram: Group Policy applied to a domain and to the OUs within it]

Security Policies with Domain-wide Scope

Security Policies with OU-wide Scope

Authenticating User Accounts

Using Kerberos V5 Authentication

Using Certificate-based Authentication

Using NTLM Protocol for Authentication

Using Kerberos V5 Authentication

[Diagram: Kerberos V5 authentication between a Windows 2000–based computer, the KDC, and a target server. Initial logon: the computer authenticates to the KDC and receives a ticket-granting ticket (TGT), which is cached locally. Service request: the computer presents the TGT to the KDC and receives a service ticket (ST), presents the ST to the target server, and the session is established.]

Using Certificate-based Authentication

[Diagram: a Certification Authority, a user, and a Windows 2000–based server (configured for client certificate authentication) communicating over the SSL protocol]

Map Certificates to Active Directory Accounts

Implement Smart Card Authentication

Using NTLM Protocol for Authentication

[Diagram: scenarios that fall back to NTLM: a Windows 2000–based computer authenticating to a Windows 2000 stand-alone server, a Windows 2000–based computer authenticating to a Windows NT–based server, and a Directory Services Client authenticating to a Windows 2000 domain controller]

Securing Access to Resources

Describing Security Identifiers

Controlling Access to Resources

Defining Security Groups for Resource Access

Discussion: Authentication and Access Control

Describing Security Identifiers

Example SID: S-1-5-21-212721301…

Automatically Created When an Object Is Added

Identify Users, Groups, or Computers

Used to Grant Access Rights and Permissions to Resources

[Diagram: users, groups, and computers each carry their own SID]
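The slide abbreviates the SID string and does not show its structure. The following is an added example, not part of the course material, that parses a textual SID, converts it to and from the binary layout used in security descriptors and on the wire (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and splits a domain SID from the relative identifier (RID) that names the principal. The sample SID is constructed, and the authority and well-known-RID tables are small subsets.

```python
import struct

# Identifier authorities (constructed subset of the standard values).
AUTHORITY_NAMES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}

# RIDs with a fixed meaning in every domain (constructed subset).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample, not a SID from any real directory.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-512"


def parse_sid(sid: str) -> dict:
    """Split a textual SID "S-<revision>-<authority>-<sub>-<sub>..." into its parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if len(subauthorities) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return {"revision": revision, "authority": authority, "subauthorities": subauthorities}


def sid_to_binary(sid: str) -> bytes:
    """Serialize to the binary SID layout: 1-byte revision, 1-byte sub-authority
    count, 6-byte big-endian identifier authority, then 4-byte little-endian
    sub-authorities."""
    s = parse_sid(sid)
    out = struct.pack("<BB", s["revision"], len(s["subauthorities"]))
    out += s["authority"].to_bytes(6, "big")
    for sub in s["subauthorities"]:
        out += struct.pack("<I", sub)
    return out


def binary_to_sid(data: bytes) -> str:
    """Inverse of sid_to_binary; rejects buffers whose length disagrees with the count."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated or padded SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe(sid: str) -> dict:
    """Name the authority and, for S-1-5-21-... SIDs, separate the domain SID from the RID."""
    s = parse_sid(sid)
    info = {"authority": AUTHORITY_NAMES.get(s["authority"], "unknown")}
    subs = s["subauthorities"]
    if s["authority"] == 5 and len(subs) >= 5 and subs[0] == 21:
        # S-1-5-21-<three 32-bit values> identifies the domain (or stand-alone computer);
        # the trailing sub-authority is the RID of the user, group, or computer.
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


if __name__ == "__main__":
    print(describe(SAMPLE_SID))
    print(sid_to_binary(SAMPLE_SID).hex())
```

Two SIDs that share the first four sub-authorities belong to the same domain and differ only in the RID; that is why access is granted to the SID, and why renaming an account changes nothing about its permissions.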

Controlling Access to Resources

DACL Specifies Access Permissions for a Resource

ACEs List Actions That Users or Groups Can Perform

SACL Specifies Users or Groups to Be Audited

ACEs List Events to Be Audited Based on Successes or Failures
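The DACL and SACL described above can be modelled to show how an access check actually walks the ACEs. This is an added example, not code from the course, using a simplified access mask of three rights and placeholder SIDs; it assumes the canonical ordering in which deny ACEs precede allow ACEs, and it also covers the two edge cases an administrator most often gets wrong: an empty DACL (nobody has access) versus a missing DACL (everybody has full access).

```python
from dataclasses import dataclass, field

# Constructed access mask: three rights. A real Windows ACCESS_MASK has many more bits.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class ACE:
    kind: str                 # "allow" or "deny" (DACL), "audit" (SACL)
    trustee: str              # SID of the user or group the entry names
    mask: int                 # rights granted, denied, or audited
    on_success: bool = True   # SACL only: record successful access
    on_failure: bool = True   # SACL only: record failed access


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                 # None means "no DACL", [] means "empty DACL"
    sacl: list = field(default_factory=list)


def access_check(sd, token_sids, desired):
    """Walk the DACL in order. A matching deny ACE that overlaps a still-needed
    right fails the check; allow ACEs strip rights from what is still needed,
    and the check passes once nothing is left. Anything not granted is denied."""
    if sd.dacl is None:
        return True, "no DACL present: everyone has full access"
    remaining = desired
    for ace in sd.dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights (implicit deny)"


def audit_events(sd, token_sids, desired, granted):
    """Return the (outcome, trustee) audit records the SACL calls for."""
    events = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.trustee not in token_sids or not (ace.mask & desired):
            continue
        if (granted and ace.on_success) or (not granted and ace.on_failure):
            events.append(("Success" if granted else "Failure", ace.trustee))
    return events


def check_and_audit(sd, token_sids, desired):
    granted, reason = access_check(sd, token_sids, desired)
    return granted, reason, audit_events(sd, token_sids, desired, granted)


# Constructed sample: placeholder SIDs, not values from any real directory.
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-1-2-3-1105"
BOB = "S-1-5-21-1-2-3-1300"
CONTRACTORS = "S-1-5-21-1-2-3-1200"

PAYROLL_SD = SecurityDescriptor(
    owner=ALICE,
    dacl=[
        ACE("deny", CONTRACTORS, WRITE),          # deny entries come first
        ACE("allow", ALICE, READ | WRITE),
        ACE("allow", EVERYONE, READ),
    ],
    sacl=[ACE("audit", EVERYONE, WRITE, on_success=True, on_failure=True)],
)

if __name__ == "__main__":
    print(check_and_audit(PAYROLL_SD, {ALICE, EVERYONE}, READ | WRITE))
    print(check_and_audit(PAYROLL_SD, {BOB, CONTRACTORS, EVERYONE}, WRITE))
```

Bob's token carries the Contractors group SID, so his write attempt is stopped by the deny ACE before the Everyone allow ACE is ever reached, and the SACL turns that failed attempt into an audit record; his read succeeds through the Everyone entry.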

Defining Security Groups for Resource Access

[Diagram: resources within the OUs and domains of a tree, alongside the three security group scopes]

Domain Local Groups

Global Groups

Universal Groups

Discussion: Authentication and Access Control

[Diagram: discussion scenario with Windows 2000 domain controllers in Houston, a Windows NT 4.0 domain in New York, and Windows NT and Windows 98 client computers]

Introducing Encryption Technologies

Using Symmetric Key Encryption

Using Public Key Encryption

Using Digital Signatures

Using Symmetric Key Encryption

Encrypting Application Data: EFS, S/MIME

Encrypting Communication Protocols: IPSec, TLS

[Diagram: User1 encrypts with an encryption algorithm and a shared secret key; User2 decrypts with the decryption algorithm and the same shared secret key]

Using Public Key Encryption

[Diagram: User1 encrypts plaintext into ciphertext with User2's public key, obtained from a Certification Authority; User2 recovers the plaintext with User2's private key]

Using Digital Signatures

[Diagram: User1 (Sender) runs the plaintext through a digest function to produce a digest, encrypts the digest with User1's private key, and sends the plaintext together with the encrypted digest. User2 (Receiver) decrypts the encrypted digest with User1's public key, runs the received plaintext through the same digest function, and compares the two digests.]
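The sender/receiver flow shown on the slide, carried through in code as an added example (not from the course). It uses a constructed RSA key pair built from two Mersenne primes so that it runs with the Python standard library alone; the key is far too small to be secure, and the SHA-256 digest is truncated to 128 bits only so that it fits under this toy modulus (a real scheme pads the full digest, as in PKCS#1). The plaintext messages are constructed.

```python
import hashlib

# Constructed toy RSA key pair. 2^61-1 and 2^89-1 are Mersenne primes, which lets the
# arithmetic run on plain integers; a real key is 2048+ bits and randomly generated.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                              # public modulus (~150 bits)
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the sender


def digest(data: bytes) -> int:
    """The digest function from the slide. SHA-256 truncated to 128 bits so the
    value is smaller than the toy modulus N; never truncate in a real system."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, private_exponent: int = D) -> int:
    """Sender side: digest the plaintext, then encrypt the digest with the private key."""
    return pow(digest(data), private_exponent, N)


def verify(data: bytes, signature: int, public_exponent: int = E) -> bool:
    """Receiver side: decrypt the encrypted digest with the sender's public key,
    recompute the digest over the plaintext actually received, and compare."""
    recovered = pow(signature, public_exponent, N)
    return recovered == digest(data)


def demo():
    """Sign a constructed message, then verify it intact and after tampering."""
    message = b"Transfer 100 to account 42"          # constructed plaintext
    encrypted_digest = sign(message)
    intact = verify(message, encrypted_digest)
    tampered = verify(b"Transfer 900 to account 42", encrypted_digest)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Only the holder of the private exponent can produce a value that the public exponent turns back into the digest, so a changed amount in transit makes the recomputed digest differ from the recovered one and the compare step fails.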

Encrypting Stored and Transmitted Data

Encrypting Stored Data Using EFS

Encrypting Transmitted Data

Discussion: Encrypting Data

Encrypting Stored Data Using EFS

EFS Protects Stored Data

The File Encryption Key Encrypts the Data

The File Encryption Key Is Encrypted By:

The user's public key

The EFS recovery agent's public key

Encrypting Transmitted Data

IPSec Encrypts Data at the IP Layer

SSL Encrypts Data at the Application Layer

TLS Encrypts Data at the Application Layer

[Diagram: encrypted IP packet]

Discussion: Encrypting Data

[Diagram: discussion scenario with Windows 2000 Professional computers and Windows 2000 domain controllers in Houston, a Windows NT 4.0 domain in New York, and Windows 2000, Windows NT, and Windows 95 client computers]

Introducing Public Key Infrastructure Technology

Describing PKI Components

Using Digital Certificates for Authentication

Describing Certification Authorities

Describing PKI Components

Key and Certificate Management Tools

Certification Authority

Certificate Publication Point

Digital Certificate

Public Key–Enabled Applications and Services

Certificate Revocation List

Using Digital Certificates for Authentication

Fields of a digital certificate:

Issuer's identity

Subject's identity

CA–issued ID number

Subject's public key value

Validity period

Extensions

CA's digital signature

Sample certificate shown on the slide:

Subject: Scott Culp
Issuer: CA1
Subject's Public Key:
Serial Number: 29483756
Not Before: 6/18/99
Not After: 6/18/06
Extensions: Secure E-mail, Client Authentication
Signed: Cg6&^78

Describing Certification Authorities

[Diagram: CA hierarchy, from the Root CA through Intermediate CAs to public key–enabled applications and services]

Review

Introducing Security Features in Active Directory

Authenticating User Accounts

Securing Access to Resources

Introducing Encryption Technologies

Encrypting Stored and Transmitted Data

Introducing Public Key Infrastructure Technology