《第十三讲系统安全【讲座》由会员分享,可在线阅读,更多相关《第十三讲系统安全【讲座(60页珍藏版)》请在金锄头文库上搜索。
1、网络与信息安全 系统安全:Windows系统安全,潘爱民,北京大学计算机研究所http:/ 容,Windows安全结构 Windows的网络结构 Windows攻防技术 一次针对Windows 2000的入侵过程,Windows安全性,设计目标 一致的、健壮的、基于对象的安全模型 满足商业用户的安全需求 一台机器上多个用户之间安全地共享资源 进程,内存,设备,文件,网络 安全模型 服务器管理和保护各种对象 客户通过服务器访问对象 服务器扮演客户,访问对象 访问的结果返回给服务器,Windows 2000 Architecture,用户管理:帐户(accounts)和组(groups),帐户(u
2、ser accounts) 定义了Windows中一个用户所必要的信息,包括口令、安全ID(SID)、组成员关系、登录限制, 组:universal groups、global groups、local groups Account Identifier: Security identifier(SID) 时间和空间唯一 S-1-N-Y1-Y2-Y3-Y4 Some well-known SIDs 字符串形式和二进制形式的SID,Windows NT安全组件(TCB),Reference monitor,Access validation requests,Audit generation r
3、equests,Kernel mode,user mode,Local security policy database,Local Security Authority,Audit Log file,Authentication Service,Account directory Services,User Account Database,Winlogon,Administratice Tools,Audit messages,security policy,Local Security Authority,Local Security Authority: A protected sub
4、system of Microsoft Windows NT/Windows 2000 that authenticates and logs users onto the local system. In addition, LSA maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. 两个概念 LSA Authentication Model LSA Logon Sessions
5、:从logon成功到logoff,Security Access Token,是对一个进程或者线程的安全环境的完整描述 包括以下主要信息 用户帐户的SID 所有包含该用户的安全组的SIDs 特权:该用户和用户组所拥有的权利 Owner Default Discretionary Access Control List (DACL) 这是一个基本的安全单元,每个进程一个,Object Security,所有对对象的访问都要通过安全子系统的检查 系统中的所有对象都被保护起来 文件、目录、注册表键 内核对象 同步对象 私有对象(如打印机等) 管道、内存、通讯,等 对象的安全描述符(security
6、descriptor) Owner SID Group SIDs Discretionary ACL Audit System ACL,Object Security,Access Control List manipulation Access Check Audit Generation,Security token,User,Groups,Privileges,User Y process,Access object X,Security Reference monitor,Security descriptor,Owner,DACL,SACL,User Y,User X,ACL,ACE
7、,ACE,Access maskUser Y ,Access mask,Access determination,NTFS file object security,Windows Explorer File, Properties, Security File Access,基于policy的安全性,Auditing Categories: Success/Failure events Logon and Logoff、File and Object Access、Use of User rights、User and Group Management、Security Policy Cha
8、nges、Restart, Shutdown system、Process Tracking Privileges Allow special abilities over and above access rights Fine grained: One Privilege = one Ability Windows NT has 23 defined privileges, such as: Backup files and directories, change the system time Logon Rights Logon on Locally (For interactive
9、logon) Access this computer from network(for remote logon) Logon as a service(start service processes under specific service account) Logon as a batch job(submit jobs to batch queues),Authentication: Winlogon Processing,Winlogon Model Distinct desktops Every system is authenticated (window station)
10、Winlogon Architecture Winlogon GINA DLL Multiple network providers,一些跟Winlogon有关的概念,Initializing Winlogon 首先注册CTRL+ALT+DEL SAS(secure attention sequence) 然后在WinSta0 window station内创建三个desktops Winlogon desktop Application desktop Screen-saver desktop Winlogon的状态 Logged-Out State Logged-On State Work
11、station-Locked State,Winlogon和GINA的职责,Services provided by Winlogon Administrative: 保护Window station and desktop Event notification: SAS Recognition User interface Notify network providers (of password change) Services provided by GINA SAS monitoring Shell activation and display messages Authorizati
12、on: determine if lock workstation is allowed,Winlogon图示,Winlogon,LSA,Auth Pkg,用户登录界面,Account DB,GINA,Netlogon,Win32,Shell,Netlogon,Auth Pkg,Account DB,AD/DC,CTRL+ALT+DEL,LSA(Local Security Authority):Interactive Authentication & Noninteractive Authentication,Domain Credentials,Domain Credentials Dom
13、ain credentials are used by operating system components and authenticated by the Local Security Authority (LSA). Typically, domain credentials are established for a user when a registered security package authenticates logon data provided by the user. The logon credentials are cached by the operatin
14、g system so that a single sign-on gives the user access to a variety of resources. The secret part of domain credentials, the password, is protected by the operating system. Only components running in-process with the LSA can read and write domain credentials. Applications are limited to writing dom
15、ain credentials.,Windows安全性的其他方面,Network connection security Authentication、integrity、privacy Secure distributed applications Authenticated RPC DCOM security,Client,Server,RPC run time,SSP,SSP,RPC run time,Windows Registry(注册表),注册表是一个很大的层次结构数据库,包含了大量的Windows配置信息,对于Windows的安全也是至关重要。一旦攻击者能够修改注册表信息,则系统
16、安全会受到严重的威胁 Windows NT/2000中的每个注册表键都是受保护的对象 用RegEdt32可以远程访问注册表 Windows 2000中,注册表和活动目录(active directory)的关系 注册表是活动目录的一个部分写照 兼容性,Windows 2000中的活动目录(Active Directory),Windows 2000支持两个目录服务 DNS,扩展 找到域控制器 活动目录 访问域中对象的信息 活动目录 一个数据库 访问协议 LDAP 信息的命名和组织方式 LDAP:/CN=smith, OU=users, OU=receivables, DC=us, DC=qwickbank, DC=com 活动目录的安全性 客户的身份认证 默认使用Kerberos作为认证协议 对信息的访问 每个对象和对象的属性都有自己单独的ACL表,从而实现精细的访问控制 活动目录的维护 实现快速的数据库搜索 索引和全局目录(GC, global catalog) 复制机制 站点的概念,基于USN(更新序列号)的复制机制 一组管理工具,
