Introduction To Windows NT ® Server And Internet Information Server.
Posted 15-Jan-2016, Category: Documents
Transcript of Introduction To Windows NT ® Server And Internet Information Server.
Page 1: Introduction To Windows NT® Server And Internet Information Server
Page 2: Agenda
- Basic security principles
- Basics of Windows NT® security
- Basics of Internet Information Server security
- How the two relate
- Top tips
Page 3: Basic Security Principles
Security covers:
- Authentication
- Access control
- Privacy
- Data integrity
- Monitoring
- Non-repudiation
(Diagram callouts: "Provided by Windows NT" and "Added by Internet Information Server".)
Page 4: Basics Of Windows NT Security
Page 5: A Simple Fact
To understand Internet Information Server security you must understand Windows NT security!
Page 6: Authentication
- Windows NT requires "authenticated" users
- A user must present his/her "credentials": user name/password
- No notion of an anonymous user (that would be insecure)
- Each user has a unique security ID (SID)
Page 7: How Applications Work
- Windows NT applications must run in the "context" of a user
- When an application runs, the user's security information is tagged onto the application; this is called a "token"
- A token identifies the user by their SID and group membership (group SIDs)
Page 8: How Applications Work
- When an application attempts to use a resource, the token is used to determine if that user has access
- All secure resources have "access control lists" (ACLs)
- ACLs are a list of SIDs and associated access rights
- Windows NT is very pessimistic: access denies are performed first
- Do not set Everyone (No Access)!
Page 9: A Side Bar: What does a SID look like?
S-1-5-21-2127521184-1604012920-1887927527-1001
(Diagram callouts: "S-1-5-21" is the Windows NT part, "2127521184-1604012920-1887927527" identifies the Windows NT domain, and "1001" is the user ID on this domain.)
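The SID layout on this slide, the deny-first ACL check from the previous slide and the impersonation point made later (a service that does not impersonate checks access as LocalSystem), as an added Python model that is not from the presentation. The access-right bits, the IUSR SID and the tokens are constructed, and the check is simplified relative to the real Win32 algorithm.

```python
import re

# Access-right bits for this simplified model (constructed, not the real Win32 masks)
READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE

# The SID from the slide plus well-known SIDs: S-1-1-0 Everyone, S-1-5-18 LocalSystem,
# S-1-5-32-544 BUILTIN\Administrators. The IUSR SID is constructed for this example.
USER_SID = "S-1-5-21-2127521184-1604012920-1887927527-1001"
IUSR_SID = "S-1-5-21-2127521184-1604012920-1887927527-1005"
EVERYONE, LOCAL_SYSTEM, ADMINS = "S-1-1-0", "S-1-5-18", "S-1-5-32-544"
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a textual SID into revision, identifier authority, sub-authorities and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),  # 5 = NT
            "subauthorities": subs[:-1],   # 21-x-y-z identifies the NT domain
            "rid": subs[-1]}               # relative ID of the account in that domain

def access_check(token_sids, acl, requested):
    """NT-style check. A token is the user SID plus group SIDs; ACL entries are
    (kind, sid, rights). Denies are evaluated first, then allows accumulate."""
    for kind, sid, rights in acl:
        if kind == "deny" and sid in token_sids and rights & requested:
            return False                   # a matching deny wins, even for Administrators
    granted = 0
    for kind, sid, rights in acl:
        if kind == "allow" and sid in token_sids:
            granted |= rights
    return (requested & ~granted) == 0

# Tokens: every logged-on account also carries the Everyone group SID
SERVICE_TOKEN = {LOCAL_SYSTEM, EVERYONE}          # what the IIS service itself runs as
ADMIN_TOKEN = {USER_SID, ADMINS, EVERYONE}
IUSR_TOKEN = {IUSR_SID, EVERYONE}

# A sensible ACL: LocalSystem and Administrators full control, anonymous web users read only
GOOD_ACL = [("allow", LOCAL_SYSTEM, FULL), ("allow", ADMINS, FULL), ("allow", IUSR_SID, READ)]
# The mistake the slide warns about: Everyone / No Access locks out everybody
BAD_ACL = [("deny", EVERYONE, FULL), ("allow", ADMINS, FULL)]

def handle_request(user_token, acl, requested, impersonate=True):
    """Service thread deciding a request: with impersonation the user's token is
    checked; without it the check silently runs as LocalSystem."""
    return access_check(user_token if impersonate else SERVICE_TOKEN, acl, requested)
```

Note that `handle_request(IUSR_TOKEN, GOOD_ACL, WRITE, impersonate=False)` succeeds: a service that forgets to impersonate hands the anonymous web user LocalSystem's access.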
Page 10: Services Are Applications
- Windows NT has special applications called "services"
- Start when Windows NT starts
- Run in the background
- No UI
- Similar to UNIX daemons
- Examples: Internet Information Server, SQL Server™, Event log
Page 11: Services Are Applications
- Because they are applications, they must run in a user context
- But they run before anyone logs on!
- You can configure a service to run as an account
- Usually LocalSystem: no password, limited access beyond the current server
Page 12: Principle Of Least Privilege
- A process always runs in the context of a user account
- If the account is privileged then the application has those privileges too
- Always run a process in the lowest-possible user context
- Remember the famous UNIX sendmail bug?
Page 13: Impersonation
- Most services run as LocalSystem, hence they access resources as LocalSystem, not as the user account
- Impersonation lets the service impersonate the user before accessing the resource
- In fact it swaps out the LocalSystem token for the user's token, on a thread-by-thread basis
Page 14: Impersonation
- All servers must impersonate before accessing a resource
- Also, impersonation reduces the number of times a user needs to enter their credentials
Page 15: Basics Of Internet Information Server Security
Page 16: Internet Information Server Authentication
- Internet Information Server is a Windows NT service
- Hence it must run as a user account; by default LocalSystem. Don't change!
- Every user request must be authenticated and then impersonated
Page 17: WWW Service Security
Authentication:
- Anonymous
- Basic
- Password-authenticated Windows NT user access
- SSL 3.0 client certificates
- Custom
Page 18: Authentication Models
- Anonymous: mapped onto the IUSR_machinename account (a Guest account)
- Basic: Base64-encoded user name/password
- NTLM: uses Windows NT network authentication; the password itself is not sent
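The three models above as an added Python example (not from the presentation) that classifies constructed request records and flags Basic logons that did not use SSL, which is what tip 9 of the deck is about. The "jsmith:hunter2" credential and the NTLM blob are made-up sample values.

```python
import base64
import binascii

# Constructed request records as the WWW service would see them:
# (connection uses SSL?, Authorization header or None). The Basic value
# is Base64 of the made-up pair "jsmith:hunter2"; the NTLM blob is made up too.
SAMPLE_REQUESTS = [
    (False, None),                                # anonymous -> IUSR_machinename
    (False, "Basic anNtaXRoOmh1bnRlcjI="),        # Basic over plain HTTP
    (True, "Basic anNtaXRoOmh1bnRlcjI="),         # Basic over SSL
    (False, "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),  # NTLM type 1
]

def classify(is_ssl, authorization):
    """Return (model, user, exposed) for one request; exposed is True when a
    reusable password travels across the network in readable form."""
    if authorization is None:
        return ("anonymous", None, False)
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: anyone on the wire can reverse it
        try:
            decoded = base64.b64decode(param, validate=True).decode("latin-1")
        except binascii.Error:
            return ("basic-malformed", None, not is_ssl)
        user, _, _password = decoded.partition(":")
        return ("basic", user, not is_ssl)
    if scheme.lower() == "ntlm":
        # Challenge/response: the password itself is never placed in the exchange
        return ("ntlm", None, False)
    return ("unknown", None, False)

def exposed_basic_logons(requests):
    """Count Basic logons without SSL (tip 9: if you must use Basic, use SSL!)."""
    return sum(1 for is_ssl, auth in requests if classify(is_ssl, auth)[2])
```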
Page 19: WWW Service Security
Privacy/data integrity:
- Channel encryption
- Message authentication codes
Page 20: WWW Service Security
Access control restricted by:
- Client TCP/IP address (or range)
- Client domain name
- Mapping client authentication certificates
- Publishing point access permissions
- Designated site operators
- NTFS access control
- Custom ISAPI/CGI/ASP/component
Page 21: WWW Service Security
Page 22: WWW Service Security
System integrity:
- Process isolation
- Bandwidth limiting
- Application mapping
- CGI/script time-outs
- Connection time-out
Page 23: Custom Security
- Custom: authentication, access control
- Implement via: ISAPI and CGI; ASP and Perl scripts; server-side components
- Requires understanding of: HTTP protocol; authentication methods
Page 24: Using Certificates On The Web
- Authenticated access: servers, clients
- Secure access using SSL/TLS
- Examples: departmental access control; inter-enterprise access via Internet; certificate authority operation, e.g., software publishing
Page 25: What Is A Certificate?
- Signed document
- Signed by a "trusted" certifying authority
- Binds subject to a public key
(Diagram of a certificate: Subject Name: "Internet, Organization, Jane Doe"; Expires: 6/18/98; Signed: CA's signature; Serial #: 29483756; Public key; Other data: 10236283025273; Usage-specific attributes. Callouts: "Credential ties a name or identity to a public key", "Credential expiration", "Private".)
Page 26: Using Certificates On The Web
Why do it?
- Better security than passwords
- Better scalability than passwords: no need to distribute password databases
- Use emerging technologies: smart cards, crypto accelerators
Page 27: Top Tips And Rules Of Thumb
Page 28: Top Tips
10. NTFS is the last bastion
9. If you must use Basic authentication then use SSL!
8. Seriously consider certificates
7. Create a company security policy
6. Use the Windows NT Option Pack Resource Kit (shameless plug!)
Page 29: Top Tips
5. Lock down your server
4. Lock away your server!
3. Restrict components at the server
2. Do not allow Execute permission!
1. Use the Windows NT Audit Log!