Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active...

Module 2: Introducing Windows 2000 Security


Page 1: Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.

Module 2: Introducing Windows 2000 Security

Page 2

Overview

Introducing Security Features in Active Directory

Authenticating User Accounts

Securing Access to Resources

Introducing Encryption Technologies

Encrypting Stored and Transmitted Data

Introducing Public Key Infrastructure Technology

Page 3

Introducing Security Features in Active Directory

Active Directory Hierarchical Structure

Trust Relationships

Administration Using Group Policy

Page 4

Active Directory Hierarchical Structure

(Diagram: Active Directory hierarchy of a Forest containing Trees of Domains, each Domain containing OUs and Objects)

Defining Security Boundaries Using Domains

Supporting Security Settings Using OUs

Providing Delegation of Administration

Page 5

Trust Relationships

(Diagram: trust relationships between the domains of Forest 1 and Forest 2)

Transitive (Two Way)

Shortcut (Two Way)

External (One Way)

Page 6

Administration Using Group Policy

(Diagram: Group Policy applied to a Domain and to the OUs within it)

Security Policies with Domain-wide Scope

Security Policies with OU-wide Scope

Page 7

Authenticating User Accounts

Using Kerberos V5 Authentication

Using Certificate-based Authentication

Using NTLM Protocol for Authentication

Page 8

Using Kerberos V5 Authentication

(Diagram: Kerberos V5 exchange between a Windows 2000-based Computer, the KDC and the Target Server)

Initial Logon: the computer authenticates to the KDC and receives a Ticket-Granting Ticket (TGT), which is cached locally

Service Request: the computer presents the TGT to the KDC and receives a Service Ticket (ST) for the target server

Session Established: the computer presents the ST to the target server

Page 9

Using Certificate-based Authentication

(Diagram: a User presents a certificate issued by a Certification Authority, over the SSL Protocol, to a Windows 2000-based Server configured for client certificate authentication)

Map Certificates to Active Directory Accounts

Implement Smart Card Authentication

Page 10

Using NTLM Protocol for Authentication

(Diagram: NTLM authentication paths: a Windows 2000-based Computer to a Windows 2000 Stand-alone Server; a Windows 2000-based Computer to a Windows NT-based Server; a Directory Services Client to a Windows 2000 Domain Controller)

Page 11

Securing Access to Resources

Describing Security Identifiers

Controlling Access to Resources

Defining Security Groups for Resource Access

Discussion: Authentication and Access Control

Page 12

Describing Security Identifiers

(Diagram: a SID such as S-1-5-21-212721301… assigned to Users, Groups and Computers)

Automatically Created When an Object Is Added

Identify Users, Groups, or Computers

Used to Grant Access Rights and Permissions to Resources

Page 13

Controlling Access to Resources

DACL Specifies Access Permissions for a Resource

ACEs List Actions That Users or Groups Can Perform

SACL Specifies Users or Groups to Be Audited

ACEs List Events to Be Audited Based on Successes or Failures

Page 14

Defining Security Groups for Resource Access

(Diagram: Domain Local Groups, Global Groups and Universal Groups across the Domains and OUs of a Tree, granting access to Resources)

Domain Local Groups

Global Groups

Universal Groups

Page 15

Discussion: Authentication and Access Control

(Diagram: Houston site with Windows 2000 Domain Controllers; New York site with a Windows NT 4.0 Domain and Windows NT and Windows 98 computers)

Page 16

Introducing Encryption Technologies

Using Symmetric Key Encryption

Using Public Key Encryption

Using Digital Signatures

Page 17

Using Symmetric Key Encryption

Encrypting Application Data: EFS, S/MIME

Encrypting Communication Protocols: IPSec, TLS

(Diagram: User1 encrypts with the Shared Secret Key and the Encryption Algorithm; User2 decrypts with the same Shared Secret Key and the Decryption Algorithm)

Page 18

Using Public Key Encryption

(Diagram: User1 turns Plaintext into Ciphertext with User2’s Public Key, certified by the Certification Authority; User2 recovers the Plaintext with User2’s Private Key)

Page 19

Using Digital Signatures

(Diagram: User1 (Sender) passes the Plaintext through the Digest Function, encrypts the Digest with User1’s Private Key and sends the Plaintext together with the Encrypted Digest (steps 1-3); User2 (Receiver) decrypts the Encrypted Digest with User1’s Public Key, passes the received Plaintext through the Digest Function and compares the two digests (steps 4-6))

Page 20

Encrypting Stored and Transmitted Data

Encrypting Stored Data Using EFS

Encrypting Transmitted Data

Discussion: Encrypting Data

Page 21

Encrypting Stored Data Using EFS

EFS Protects Stored Data

The File Encryption Key Encrypts the Data

The File Encryption Key Is Encrypted By:

The user’s public key

The EFS recovery agent’s public key
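The FEK scheme on this slide, as an added example written for this page in Go (not Microsoft's EFS code): the file body is encrypted with a random FEK, and the FEK is stored twice, wrapped under the user's public key and under the recovery agent's public key, so the recovery agent can recover the file without the user's private key. AES-GCM, RSA-OAEP, the key sizes and the EncryptedFile layout are assumptions of the example, not the algorithms or on-disk format EFS used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile mirrors the EFS scheme on the slide: the data is encrypted with a random
// File Encryption Key (FEK), and the FEK is stored twice, wrapped under the user's public
// key and under the recovery agent's. AES-GCM, RSA-OAEP and this layout are example choices.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	UserWrapped       []byte // FEK encrypted with the user's public key
	AgentWrapped      []byte // FEK encrypted with the recovery agent's public key
}

// NewKeyPair makes the RSA key pair of one party (the user or the recovery agent).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func fekCipher(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek) // rejects a wrongly sized (e.g. tampered) FEK
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptFile generates a fresh FEK and nonce, seals the plaintext, then wraps the
// FEK for both the user and the recovery agent; the clear FEK is never stored.
func EncryptFile(plain []byte, user, agent *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	fek, nonce := buf[:32], buf[32:]
	gcm, err := fekCipher(fek)
	if err != nil { return nil, err }
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	if ef.UserWrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, user, fek, nil); err != nil { return nil, err }
	if ef.AgentWrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil); err != nil { return nil, err }
	return ef, nil
}

// DecryptFile unwraps one stored FEK copy (the user's or the recovery agent's) with
// the matching private key, then decrypts the data; a mismatched key fails at unwrap.
func DecryptFile(ef *EncryptedFile, wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil { return nil, err }
	gcm, err := fekCipher(fek)
	if err != nil { return nil, err }
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
```

Losing the user's private key therefore does not lose the file, but it also means the recovery agent's private key must be guarded as carefully as any user key, since it opens every file it is wrapped into.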

Page 22

Encrypting Transmitted Data

IPSec Encrypts Data at the IP Layer

SSL Encrypts Data at the Application Layer

TLS Encrypts Data at the Application Layer

(Diagram: Encrypted IP Packet)

Page 23

Discussion: Encrypting Data

(Diagram: Houston site with Windows 2000 Professional computers and Windows 2000 Domain Controllers; New York site with a Windows NT 4.0 Domain and Windows 2000, Windows NT and Windows 95 computers)

Page 24

Introducing Public Key Infrastructure Technology

Describing PKI Components

Using Digital Certificates for Authentication

Describing Certification Authorities

Page 25

Describing PKI Components

Key and Certificate Management Tools

Certification Authority

Certificate Publication Point

Digital Certificate

Public Key–Enabled Applications and Services

Certificate Revocation List

Page 26

Using Digital Certificates for Authentication

(Diagram: the fields of a digital certificate)

Subject: Scott Culp (subject’s identity)

Issuer: CA1 (issuer’s identity)

Subject’s Public Key: (subject’s public key value)

Serial Number: 29483756 (CA-issued ID number)

Not Before: 6/18/99

Not After: 6/18/06 (validity period)

Extensions: Secure E-mail, Client Authentication

Signed: Cg6&^78 (CA’s digital signature)

Page 27

Describing Certification Authorities

(Diagram: CA hierarchy with a Root CA above Intermediate CAs, which issue certificates to Public Key–enabled Applications and Services)

Page 28

Review

Introducing Security Features in Active Directory

Authenticating User Accounts

Securing Access to Resources

Introducing Encryption Technologies

Encrypting Stored and Transmitted Data

Introducing Public Key Infrastructure Technology