Windows 2000 Security Architecture

Peter Brundrett
Program Manager, Windows 2000 Security
Microsoft Corporation

Upload: oswin-simpson

Post on 23-Dec-2015



Topics

- Single sign-on
- Kerberos v5 integration
- Active Directory security
- Delegation of authentication
- Public key infrastructure
- Encrypting file system
- Network security
- Security policy
- Secure Windows

Platform Security Requirements

- Single enterprise logon
- Strong authentication
- Authorization
- Secure communications
- Mandatory policy
- Auditing
- Interoperability
- Extensible architecture

Goal: Deliver Windows 2000 as the most secure high-volume OS

Windows 2000 Single Sign On

- Single account store in Active Directory
- Integrated Kerberos v5 logon
- Key Distribution Center (KDC)
- Protected store for public key credentials
- Industry standard network security protocols: Kerberos, SSL/TLS, others

Smart Card Logon

(Diagram: client workstation and a Windows 2000 Domain Controller hosting Active Directory and the Key Distribution Center (KDC); the KDC returns a TGT to the client)

1. Insert smart card to reader, activate card with PIN
2. Private key and certificate on card authenticates user to KDC
3. KDC returns TGT response protected by user's public key certificate
4. Account control option requiring smart card logon per user

Kerberos V5 Integration

- KDC relies on the Active Directory as the store for security principals and policy
- Kerberos SSPI provider manages credentials and security contexts
- Service ticket authorization data supports NT access control model

(Diagram: Client, Server, and a Windows 2000 Domain Controller hosting Active Directory and the Key Distribution Center (KDC))

Kerberos Authentication: Mutual Authentication

(Diagram: client holding a TGT, a Windows 2000 domain controller hosting Active Directory and the Key Distribution Center (KDC), and the application server (target))

1. Publish Service Connection Point and SPN
2. Lookup service, compose SPN
3. Request service ticket for <spn>
4. Present service ticket at connection setup
5. Mutual auth using unique session key
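
The five steps above as a runnable toy exchange. This is an added example, not code from the deck, Microsoft or MIT: the KDC's key table stands in for Active Directory, the initial logon uses the client's long-term key rather than a smart card, and seal/unseal is an HMAC-SHA256 keystream with a tag standing in for a Kerberos encryption type. Principal names, the SPN cifs/infosrv and the lifetimes are constructed.

```python
"""Toy model of the five mutual-authentication steps (constructed example)."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 600  # seconds (constructed)
MAX_CLOCK_SKEW = 300   # seconds; authenticators outside this window are rejected

def _stream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for a Kerberos encryption type."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key; in Windows 2000 that store is Active Directory."""
    def __init__(self):
        self.keys, self.spns = {"krbtgt": os.urandom(32)}, {}
    def register(self, principal, spn=None):
        self.keys[principal] = os.urandom(32)
        if spn:                              # step 1: the service publishes its SPN
            self.spns[spn] = principal
        return self.keys[principal]
    def as_exchange(self, cname):
        """Logon: return a TGT and its session key sealed under the client's own key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[cname], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, spn):
        """Step 3: issue a service ticket for <spn> to a client that proves it holds a valid TGT."""
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"] or t["exp"] < time.time():
            raise ValueError("TGT invalid")
        ssk = os.urandom(32).hex()           # unique session key for this client/service pair
        ticket = seal(self.keys[self.spns[spn]],
                      {"cname": t["cname"], "sk": ssk, "exp": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"spn": spn, "sk": ssk})

class Server:
    """Application server (target); it shares only its own long-term key with the KDC."""
    def __init__(self, key):
        self.key, self.seen, self.client = key, set(), None
    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)         # step 4: ticket presented at connection setup
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if a["cname"] != t["cname"] or abs(a["ts"] - time.time()) > MAX_CLOCK_SKEW:
            raise ValueError("authenticator rejected")
        if (a["cname"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["cname"], a["ts"]))
        self.client = t["cname"]             # identity the server will later impersonate
        return seal(sk, {"ts": a["ts"]})     # step 5: proves the server holds the session key

class Client:
    def __init__(self, cname, key, kdc):
        self.cname, self.kdc = cname, kdc
        self.tgt, blob = kdc.as_exchange(cname)
        self.tgt_sk = bytes.fromhex(unseal(key, blob)["sk"])
    def connect(self, server, service_class, host):
        spn = f"{service_class}/{host}"      # step 2: compose the SPN of the looked-up service
        auth = seal(self.tgt_sk, {"cname": self.cname, "ts": time.time()})
        ticket, blob = self.kdc.tgs_exchange(self.tgt, auth, spn)
        reply = unseal(self.tgt_sk, blob)
        if reply["spn"] != spn:
            raise ValueError("KDC reply is for a different service")
        sk, ts = bytes.fromhex(reply["sk"]), time.time()
        ap_rep = server.accept(ticket, seal(sk, {"cname": self.cname, "ts": ts}))
        if unseal(sk, ap_rep)["ts"] != ts:   # step 5, client side: the server authenticated too
            raise ValueError("server failed to prove possession of the session key")
        return sk

def demo():
    kdc = KDC()
    alice_key = kdc.register("alice@CORP.EXAMPLE")                       # constructed principals
    server = Server(kdc.register("INFOSRV$@CORP.EXAMPLE", spn="cifs/infosrv"))
    sk = Client("alice@CORP.EXAMPLE", alice_key, kdc).connect(server, "cifs", "infosrv")
    return server.client, len(sk)

def wrong_key_ticket_rejected():
    """A ticket not sealed under the server's key never yields a session key."""
    server = Server(os.urandom(32))
    try:
        server.accept(seal(os.urandom(32), {"cname": "x", "sk": "00" * 32, "exp": time.time() + 60}), b"")
    except ValueError:
        return True
    return False
```

The point the slide makes about the unique session key is visible in the last two checks: the server can only produce the AP reply if it decrypted the ticket, which requires the key it shares with the KDC, and the client only accepts the reply if it echoes the timestamp under the session key the KDC handed out for this service.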

Secure Distributed Services Model

(Diagram: a secure distributed service in front of a private data store)

1. Client request
2. Authenticate client
3. Impersonate client
4. Get client's access token
5. Get object's security descriptor
6. Kernel access check
7. Return response

Remote File Access Check

(Diagram: a file application on the client opens \\infosrv\share; the redirector (Rdr) and the server each use the Kerberos SSP through SSPI and talk over the SMB protocol; the KDC issues a ticket, the server builds an access token from it, and NTFS performs the access check of that token against the file's security descriptor (SD))

Components: Client, File application, Rdr, SMB protocol, Server, SSPI, Kerberos SSP, KDC, Ticket, Token, NTFS, File, SD, Access check
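
The "kernel access check" box in the two diagrams above, as an added example in Python rather than Windows code: a token (user SID plus group SIDs, the data a service ticket's authorization data supplies) is checked against a security descriptor's DACL in the NT way, with deny ACEs consulted in order, allow ACEs accumulating rights, and the walk stopping as soon as every requested right is granted. Access-mask values and the well-known SIDs are real; the domain SIDs, the share path and the descriptor are constructed.

```python
"""NT-style discretionary access check (constructed example, not Windows source)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Access-mask bits used below (file-specific and standard rights)
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20
DELETE, READ_CONTROL, WRITE_DAC = 0x10000, 0x20000, 0x40000

# Well-known SIDs; the S-1-5-21-... domain SIDs are constructed for this example
EVERYONE, ADMINISTRATORS, USERS = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545"
ALICE, BOB, FINANCE = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-2001"

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None (no DACL at all) grants everyone full access

@dataclass
class Token:
    user: str
    groups: Set[str]
    def holds(self, sid):
        return sid == self.user or sid in self.groups

def access_check(sd, token, desired):
    """Return (access granted?, rights granted so far) for the desired mask."""
    if sd.dacl is None:
        return True, desired
    granted = 0
    if token.holds(sd.owner):            # the owner may always read and rewrite the descriptor
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    remaining = desired & ~granted
    for ace in sd.dacl:                  # ACEs are evaluated strictly in DACL order
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, granted        # a deny covering an outstanding right ends the check
        if ace.kind == "allow":
            granted |= ace.mask & remaining
            remaining = desired & ~granted
    return remaining == 0, granted

# Constructed descriptor for \\infosrv\share\budget.xls; canonical order puts the deny first
BUDGET_SD = SecurityDescriptor(owner=FINANCE, dacl=[
    Ace("deny", USERS, FILE_WRITE_DATA | DELETE),
    Ace("allow", FINANCE, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
    Ace("allow", EVERYONE, FILE_READ_DATA),
])

def demo():
    alice = Token(ALICE, {EVERYONE, USERS, FINANCE})   # groups as carried in her service ticket
    bob = Token(BOB, {EVERYONE, USERS})
    return {
        "alice_read": access_check(BUDGET_SD, alice, FILE_READ_DATA)[0],
        "alice_write": access_check(BUDGET_SD, alice, FILE_WRITE_DATA)[0],   # Users deny wins
        "alice_write_dac": access_check(BUDGET_SD, alice, WRITE_DAC)[0],     # owner right
        "bob_read": access_check(BUDGET_SD, bob, FILE_READ_DATA)[0],
        "bob_delete": access_check(BUDGET_SD, bob, DELETE)[0],
        "no_dacl": access_check(SecurityDescriptor(BOB, None), bob, DELETE)[0],
    }
```

Alice is in Finance, yet the deny ACE on Users still blocks her write: that is why canonical DACL ordering (explicit denies before explicit allows) matters, and why the deck's "grant or deny" wording is not symmetric in effect.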

Windows 2000 Integration: Kerberos Authentication Use

- LDAP to Active Directory
- CIFS/SMB remote file access
- Secure dynamic DNS update
- System management tools
- Host-host IP security using IKE
- Secure Intranet web services in IIS
- Authenticate certificate request to Enterprise CA
- COM+/RPC security provider

Cross-platform Interoperability: Based on Kerberos V5 Protocol

- RFC 1510 and RFC 1964 token format
- Testing with MIT Kerb V5
  - Windows 2000 hosts the KDC
  - UNIX clients to UNIX servers
  - UNIX clients to Windows servers
  - NT clients to UNIX servers
- Cross-realm authentication
  - UNIX realm to Windows domain

Architecture For Multiple Authentication Services

(Diagram: applications call SSPI; SSPI dispatches to a security package; each package relies on its own authority)

Applications and protocols above SSPI:
- Internet Explorer, Internet Information Server: HTTP
- COM+ application: Secure RPC
- Mail, Chat, News: POP3, NNTP
- Remote file: CIFS/SMB
- Directory-enabled apps using ADSI: LDAP

Security packages below SSPI:
- NTLM/NTLMv2, backed by MSV1_0/SAM
- Kerberos, backed by KDC/DS
- SChannel, providing SSL/TLS

Windows 2000 Active Directory

- Domain hierarchy: domain tree
- Organizational Unit (OU) hierarchy within a domain
- Users, groups, machines
- Domain configuration

(Diagram: a domain containing OUs, which in turn contain users)

Active Directory Authentication and Access Control

- LDAP v3 is core directory access protocol
- Authenticate using SASL and Kerberos protocol
- LDAP with SSL/TLS support
- Every object has a unique ACL, like NTFS folders and files

(Diagram: an LDAP bind request to the directory; OUs and users, each object carrying its own security descriptor)

Active Directory Security Administration

- Delegation of administration
  - Grant permissions at organizational unit (OU) level
  - Who creates OUs, users, groups, etc.
- Fine-grain access control
  - Grant or deny permissions on per-property level, or a group of properties
  - Read property, write property
- Per-property auditing

Secure Applications

- Connection authentication: establish credentials, mutual authentication of client and server
- Secure communication: message privacy and integrity
- Impersonation and delegation: assuming client's identity
- Authorization and auditing: using security descriptors

Example: Delegation in Action

(Diagram: browser client, IIS on Server-A, SQL Server on Server-B, and the KDC)

1. 401 Access Denied, WWW-Authenticate: Negotiate
2. Ticket request to KDC
3. WWW-Authenticate: Negotiate <blob>
4. IIS impersonates client, invokes ISAPI extension
5. ASP uses ADO to query SQL; integrated security requests ticket
6. SQL Server impersonates original client, then data access

Interoperability: Cross Platform Secure 3-Tier App

(Diagram, left to right)

- Windows 2000 Professional: smart card logon; IE5 using SSPI/Krb; HTTP to the web server
- Windows 2000 Server: web server; IIS ISAPI extension using SSPI/Krb; TCP to the UNIX server
- Solaris UNIX server: Oracle DB application; app service using GSS/Krb

Public Key Components

(Diagram: Windows 2000 Active Directory and Certificate Server)

- For clients
  - User key and certificate management
  - Secure channel
  - Secure storage
  - CA enrollment
- For servers
  - Key and certificate management
  - Secure channel with client authentication
  - Auto enrollment
- Enterprise certificate services
  - Trust policy

SSL Client Authentication

(Diagram: the client certificate is presented to the server's SChannel SSP, which checks it against the certificate store of trusted CAs; the authentication service maps it to a user object in the directory (domain, org (OU), users) and builds an access token, which is then checked against the ACLs on server resources)

1. Verify user certificate based on trusted CA, CRL
2. Locate user object in directory by subject name
3. Build NT access token based on group membership
4. Impersonate client, object access verification

Crypto API Architecture

(Diagram: applications call Crypto API 1.0, certificate management services and secure channel; Crypto API dispatches to the installed Cryptographic Service Providers)

- Crypto API 1.0
- Cryptographic Service Providers: RSA base CSP, Fortezza CSP, SmartCard CSP
- Certificate management services
- Secure channel
- Key database
- Certificate store

Encrypting File System

- Privacy of data that goes beyond access control
  - Protect confidential data on laptops
  - Configurable approach to data recovery
- Integrated with core operating system components
  - Windows NT File System (NTFS)
  - Crypto API key management
  - LSA security policy
- Transparent and very high performance

EFS Architecture

(Diagram, layered: applications and the Win32 layer in user mode; the I/O manager, the EFS driver and NTFS in kernel mode, writing encrypted on-disk data storage; the EFS service, which uses Crypto API and the RNG, is reached over LPC communication for all key management support)

- Applications
- Win32 layer
- I/O manager
- EFS driver and NTFS
- Encrypted on-disk data storage
- EFS service: Crypto API, RNG
- LPC communication for all key management support

File Encryption

(Diagram) The file contents are encrypted under a randomly generated file encryption key:
  "A quick brown fox jumped..." -> "*#$fjda^ju539!3tt389E *&"

- File encryption (DESX) under the randomly generated file encryption key
- Data decryption field generation (RSA): the file encryption key encrypted under the user's public key gives the DDF
- Data recovery field generation (RSA): the file encryption key encrypted under the recovery agent's public key from the recovery policy gives the DRF
- The DDF and DRF are kept with the encrypted file

File Decryption

- DDF contains the file encryption key encrypted under the user's public key
- DDF extraction (e.g., RSA): the DDF is decrypted using the user's private key to get to the file encryption key
- File decryption (DESX) with the file encryption key recovers "A quick brown fox jumped..."
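
The two slides above as one runnable model. This is an added example, not Microsoft's EFS code: a random file encryption key (FEK) encrypts the data, and the same FEK is wrapped under the user's public key (the DDF) and under the recovery agent's public key (the DRF), so either private key recovers the file while a third key cannot. The RSA keys are textbook RSA over fixed Mersenne primes with no padding, and the bulk cipher is a SHA-256 keystream standing in for DESX; both are for illustration only, and the key sizes and plaintext are constructed.

```python
"""EFS-style file protection with a per-file key wrapped for two parties (constructed example)."""
import hashlib, os

E = 65537

def toy_rsa_keypair(p, q):
    """Textbook RSA over two fixed primes: no padding, for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))       # (public, private)

def wrap_key(pub, fek):
    """RSA-encrypt the file encryption key: this is what a DDF or DRF holds."""
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap_key(priv, wrapped, fek_len=16):
    n, d = priv
    m = pow(wrapped, d, n)
    if m >= 1 << (8 * fek_len):               # a wrong private key yields a value that is no FEK
        raise ValueError("this private key cannot open the field")
    return m.to_bytes(fek_len, "big")

def bulk_cipher(fek, data):
    """SHA-256 keystream XOR; stands in for DESX and, like DESX in this role, is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(fek + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt_file(plaintext, user_pub, recovery_pub):
    fek = os.urandom(16)                      # randomly generated file encryption key (from the RNG)
    return {"data": bulk_cipher(fek, plaintext),
            "DDF": wrap_key(user_pub, fek),       # data decryption field: user's public key
            "DRF": wrap_key(recovery_pub, fek)}   # data recovery field: agent's key from recovery policy

def decrypt_file(efs_file, priv, field):
    """Open the named field with the matching private key, then decrypt the data."""
    return bulk_cipher(unwrap_key(priv, efs_file[field]), efs_file["data"])

USER_PRIMES = (2**61 - 1, 2**89 - 1)          # constructed key material (Mersenne primes)
RECOVERY_PRIMES = (2**107 - 1, 2**127 - 1)
PLAINTEXT = b"A quick brown fox jumped..."

def demo():
    user_pub, user_priv = toy_rsa_keypair(*USER_PRIMES)
    agent_pub, agent_priv = toy_rsa_keypair(*RECOVERY_PRIMES)
    f = encrypt_file(PLAINTEXT, user_pub, agent_pub)
    return {"user": decrypt_file(f, user_priv, "DDF"),        # normal access through the DDF
            "recovery": decrypt_file(f, agent_priv, "DRF"),   # recovery agent, e.g. user key lost
            "on_disk_is_plaintext": f["data"] == PLAINTEXT}

def wrong_key_cannot_open_ddf():
    """The recovery agent's private key does not open the DDF; only the DRF is wrapped for it."""
    user_pub, _ = toy_rsa_keypair(*USER_PRIMES)
    agent_pub, agent_priv = toy_rsa_keypair(*RECOVERY_PRIMES)
    f = encrypt_file(PLAINTEXT, user_pub, agent_pub)
    try:
        unwrap_key(agent_priv, f["DDF"])
    except ValueError:
        return True
    return False
```

Two design points carry over to the real system: the file data is encrypted exactly once regardless of how many parties can open it, because only the small FEK is wrapped per recipient; and recovery policy is enforced at encryption time, since a file written without a DRF has no recovery path at all.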

Secure Networking

- Internet Protocol Security (IPSec)
- Extended Authentication Protocol/PPP
- Token and SmartCard support
- Remote Authentication Dial In User Service (RADIUS)
- Kerberos security package
- Public key (SSL/TLS) security package

Windows 2000 IPSec Target Scenarios

- Remote access user to corporate network
  - Dial up from laptop or home PC
  - Using existing network connectivity to Internet

(Diagram: a laptop or home PC dials into an Internet Service Provider over modems; an IP tunnel crosses the Internet to a router or tunnel server at the corporate network, behind which sit Host A, Host B and Host C)

Windows 2000 IPSec Target Scenarios

- LAN edge gateway to edge gateway of another LAN
  - Across Internet or private network with Windows 2000 <-> Windows 2000 routers using IP tunnels
  - IPSec tunnel mode
  - L2TP/IPSec integrated tunneling

(Diagram: corporate net in DC with Host A behind Router C; an IP tunnel across the Internet to Router D; corporate net in LA with Host B)

IP Security

- Host-to-host authentication and encryption
  - Network layer
- IP security policy with domain policy
  - Negotiation policies, IP filters

(Diagram: the Policy Agent (PA) on each host downloads IPSEC policy from the Windows NT Directory Server/KDC; IKE on each side negotiates an IP Security Association (SA) using Kerberos authentication; the TCP/IP stacks of hosts 157.55.20.100 and 147.20.10.200 then carry traffic under the SA, used for SMB data encryption)

IP Security Policy filter shown:
- Source: 157.55.00.00
- Dest: 147.20.00.00
- Any protocol
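
How a policy made of IP filters decides what the stack does with a packet, as an added example that is not the Windows IPSec policy agent. It treats the slide's filter as the /16 networks 157.55.0.0/16 -> 147.20.0.0/16 (the masks are an assumption, the slide gives none), maps each filter to a negotiate/permit/block action, and assumes the most specific matching filter wins, the rule used here to let a narrow ICMP exception coexist with the broad negotiate filter. The extra filters and the sample packets are constructed.

```python
"""IPSec-style filter list evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Filter:
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    protocol: str   # "tcp", "udp", "icmp" or ANY
    action: str     # "negotiate" (set up an SA via IKE), "permit" (clear text) or "block"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.protocol in (ANY, pkt["protocol"]))

    def specificity(self):
        """Longer prefixes and an explicit protocol make a filter more specific."""
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + (0 if self.protocol == ANY else 1))

def decide(policy, pkt, default="permit"):
    """Action for one packet: most specific matching filter, else the default."""
    candidates = [f for f in policy if f.matches(pkt)]
    if not candidates:
        return default
    return max(candidates, key=lambda f: f.specificity()).action

# Constructed policy: the slide's filter plus two narrower ones
POLICY = [
    Filter("157.55.0.0/16", "147.20.0.0/16", ANY, "negotiate"),        # as on the slide
    Filter("157.55.0.0/16", "147.20.10.200/32", "icmp", "permit"),     # ping that host in the clear
    Filter("0.0.0.0/0", "147.20.10.0/24", "tcp", "block"),             # hypothetical: outside TCP
]

def demo():
    packets = [   # constructed packets
        {"src": "157.55.20.100", "dst": "147.20.10.200", "protocol": "tcp"},   # SMB: negotiate an SA
        {"src": "157.55.20.100", "dst": "147.20.10.200", "protocol": "icmp"},  # ping: permitted
        {"src": "10.1.1.1", "dst": "147.20.10.7", "protocol": "tcp"},          # from outside: blocked
        {"src": "10.1.1.1", "dst": "10.2.2.2", "protocol": "udp"},             # unmatched: default
    ]
    return [decide(POLICY, p) for p in packets]
```

The last packet shows the property worth checking in any real filter list: traffic that matches nothing gets the default action, so a policy meant to protect SMB must either match every path to the file server or make the default block.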

Managing Security Policy

- Security settings in local or group policy
- Local computer policy
  - Audit policy, rights, security options
- Group Policy in the directory
  - Common computer policies
- Domain level policies
  - Account policies
  - Public key trust policies
- OU level policy

Hierarchical Policy Settings

- Applied policy for a computer combines multiple policy objects

(Diagram, in order of application)
1. Domain level policy
2. OU level policy
3. OU level policy

Enterprise Framework

- Integrated with Group Policy management
- Security settings in group policy
- Settings applied as part of policy enforcement on each computer
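
How the applied policy for a computer is combined from the domain and OU policy objects on the two slides above, as an added example that is not Microsoft code. Objects apply in order from the domain down, a setting not configured in a lower object inherits the value from above, and later objects override earlier ones. It goes beyond the slides in modelling two Windows 2000 Group Policy options, "No Override" on a policy object (lower levels cannot change its settings) and "Block Policy Inheritance" on an OU (inherited settings are dropped except those marked No Override); the hierarchy, object names and setting names are constructed.

```python
"""Combining layered policy objects into one effective policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class PolicyObject:
    name: str
    settings: Dict[str, object]   # a setting absent here is "not configured" and inherits
    no_override: bool = False     # "No Override": lower levels cannot change these settings

@dataclass
class Container:
    """A domain or OU with the policy objects linked to it, in link order."""
    name: str
    policies: List[PolicyObject]
    block_inheritance: bool = False   # "Block Policy Inheritance": drop inherited settings

def effective_policy(chain):
    """chain runs from the domain down to the OU that contains the computer."""
    effective, locked = {}, {}        # locked: settings fixed by a No Override object higher up
    for container in chain:
        if container.block_inheritance:
            effective = dict(locked)  # only No Override settings survive the block
        for gpo in container.policies:
            for key, value in gpo.settings.items():
                if key in locked:
                    continue          # a higher No Override object already decided this
                effective[key] = value
                if gpo.no_override:
                    locked[key] = value
    return effective

# Constructed hierarchy: domain -> Finance OU -> Finance/Laptops OU
DOMAIN = Container("corp.example", [PolicyObject("Default Domain Policy", {
    "MinimumPasswordLength": 8, "AuditLogonEvents": "success,failure", "LockoutThreshold": 5},
    no_override=True)])
FINANCE = Container("Finance", [PolicyObject("Finance Baseline", {
    "MinimumPasswordLength": 6,       # ignored: the domain object is marked No Override
    "AuditObjectAccess": "failure", "ScreenSaverTimeout": 900})])

def demo(block_laptop_inheritance=True):
    laptops = Container("Finance/Laptops", [PolicyObject("Laptop EFS", {
        "RequireEFS": True, "AuditObjectAccess": "success,failure"})],
        block_inheritance=block_laptop_inheritance)
    return effective_policy([DOMAIN, FINANCE, laptops])
```

With the block in place the laptops keep the domain's account policy (it is No Override) but lose the Finance screen-saver setting; without it they inherit everything and the laptop object's own audit setting still wins because it applies last. Account policy in particular is worth marking No Override, since an OU-level object that relaxes it would otherwise take effect silently.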

Secure Windows

- Goals
  - Secure out-of-the-box
  - Definition of secure system settings
  - Backward compatible user experience
- Clean install of Windows 2000
  - Upgrade can apply security configuration
- Who can do what?
  - Administrators, Power Users, Users
  - Group membership defines access

Administrators vs. Users

- Administrators
  - Full control of the operating system
  - Install system components, drivers
  - Upgrade or repair the system
- Users
  - Cannot compromise system integrity
  - Read-only access to system resources
  - Interactive and network logon rights
  - Can shutdown desktop system
  - Legacy application issues

Security Features Summary

- Single sign on with standard protocols
  - Kerberos V5 and X.509 V3 certificates
- Public key certificate management
  - Enterprise services for PKI rollout
- Distributed security for applications
  - Authentication, authorization, auditing
- Active Directory integration
  - Scalable, extensible user account directory

For More Information

- White papers: http://www.microsoft.com/windows2000/library
  - Active Directory
  - Security Services
- Windows 2000 Resource Kit
  - Deployment Guide
  - Detailed technical material
- Microsoft Security Advisor: http://www.microsoft.com/security