SEC310: Windows® Network Security

Rui Hu (ruihu@microsoft.com)
Software Design Engineer
Windows Clustering
Scale Out & Enterprise Servers Group
Windows Division
Microsoft Corporation

Page 3: Agenda

Four Components of Windows Security
  • Authentication
  • Authorization
  • Cryptography (encryption/decryption)
  • Auditing

Windows Security Push

Page 4: Network Authentication

Microsoft Provided Security Support Provider (SSP) Packages
  • Microsoft NTLM for Windows NT version 3.51 and later, Windows 2000, and Windows XP
  • Microsoft Kerberos for Windows 2000/Windows XP
  • Microsoft Digest SSP for Windows 2000/Windows XP
  • Secure Channel (Schannel)

Page 5: Microsoft NTLM

NTLM non-interactive authentication:

Client -> Server: User name (in plaintext)
Server -> Client: Challenge

Page 6: Microsoft NTLM

NTLM non-interactive authentication:

Client -> Server: Response

Response: challenge encrypted with the hash of the user's password.

Page 7: Microsoft NTLM

NTLM non-interactive authentication:

Server -> DC: Msg

Msg:
  • the user name
  • the challenge
  • the response

DC: domain controller
SAM (Security Account Manager Database)

Page 8: Microsoft NTLM (Cont.)

NTLM non-interactive authentication:
  • Step 0: A user accesses a client machine and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only)
  • Step 1: The client sends the user name to the server (in plaintext).
  • Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

Page 9: Microsoft NTLM (Cont.)

NTLM non-interactive authentication:
  • Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
  • Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.

Page 10: Microsoft NTLM (Cont.)

NTLM non-interactive authentication:
  • Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
  • Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication is successful.
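Steps 0 to 6 above as a runnable sketch, added here as an illustration and not taken from the original slides or from Windows. SHA-256 and HMAC stand in for NTLM's real password hash and challenge encryption, and the class names, function names and sample account are hypothetical.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    # Stand-in for the NTLM password hash (assumption: SHA-256, not the real algorithm).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash, challenge):
    # Stand-in for "encrypt the challenge with the password hash": HMAC keyed by the hash.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self, sam):
        self.sam = dict(sam)  # user name -> password hash, the SAM's role in step 5

    def verify(self, user, challenge, response):
        stored = self.sam.get(user)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)       # step 5
        return hmac.compare_digest(expected, response)       # step 6


class Server:
    def __init__(self, dc):
        self.dc = dc
        self.pending = {}  # user name -> outstanding challenge

    def begin(self, user):
        challenge = secrets.token_bytes(16)                  # step 2: 16-byte nonce
        self.pending[user] = challenge
        return challenge

    def finish(self, user, response):
        challenge = self.pending.pop(user, None)             # each challenge is single-use
        if challenge is None:
            return False
        return self.dc.verify(user, challenge, response)     # step 4: forward to the DC


class Client:
    def __init__(self, user, password):
        self.user = user
        self.pw_hash = password_hash(password)               # step 0: keep only the hash

    def respond(self, challenge):
        return compute_response(self.pw_hash, challenge)     # step 3


def demo():
    dc = DomainController({"alice": password_hash("correct horse")})  # constructed account
    server = Server(dc)
    alice = Client("alice", "correct horse")
    mallory = Client("alice", "wrong guess")

    first = server.begin(alice.user)                         # step 1 carries the user name
    captured = alice.respond(first)
    good = server.finish(alice.user, captured)
    bad = server.finish(mallory.user, mallory.respond(server.begin(mallory.user)))
    server.begin(alice.user)                                 # fresh challenge for a new login
    replayed = server.finish(alice.user, captured)           # old response, new challenge
    return {"valid_login": good, "wrong_password": bad, "replayed_response": replayed}


if __name__ == "__main__":
    print(demo())
```

The server never handles the password or its hash; it only relays the challenge and response, and a response recorded for one challenge fails against the next.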

Page 11: Microsoft NTLM (Cont.)

No mutual authentication: server authenticates the client, but not vice versa. (The client cannot authenticate the server.)

Page 12: Microsoft Kerberos

Mutual authentication: server authenticates client, and client authenticates server.

Page 13: Microsoft Kerberos (Cont.)

[Diagram: Client and Server, each with a Session Key; Authenticator Message between them]

Page 14: Microsoft Kerberos (Cont.)

  • Kerberos (or Cerberus) was a figure in classical Greek mythology: a fierce, three-headed dog who kept living intruders from entering the Underworld.
  • Kerberos protocol has three heads: a client, a server, and a trusted third party to mediate between them. The trusted intermediary in this protocol is the Key Distribution Center (KDC).

Page 15: Microsoft Kerberos (Cont.)

KDC (Key Distribution Center): client's and server's master keys.

[Diagram: KDC, Client, Server; message Msg1]

Msg1:
  • client's copy of session key, encrypted by client's master key
  • ticket: (server's copy of session key + authorization data of the client), encrypted by server's master key

Page 16: Microsoft Kerberos (Cont.)

KDC: client's and server's master keys.

[Diagram: KDC, Client, Server; messages Msg1 and Credentials]

Credentials:
  • Ticket
  • Authenticator message encrypted with session key

Page 17: Microsoft Kerberos (Cont.)

KDC: client's and server's master keys.

[Diagram: KDC, Client, Server; messages Msg1, Credentials and Timestamp]

Mutual Authentication: timestamp of authenticator message encrypted by session key.

Page 18: Microsoft Kerberos (cont.)

Assumptions:
  • An open network where most clients and many servers are not physically secure.
  • Packets traveling along the network can be monitored and modified at will.

Page 19: Microsoft Kerberos (cont.)

  • The KDC (Key Distribution Center) only provides a ticket-granting service.
  • The client and server are responsible for keeping their respective master keys secure.

Page 20: Microsoft Kerberos (cont.)

  • A client does not need to access the KDC each time it wants to access this particular server. Tickets can be reused. Tickets have an expiration time.
  • Ticket-granting ticket (TGT).
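The exchange on pages 15 to 17, with the ticket reuse and expiry from page 20, as an added sketch that is not from the original slides or from Windows. It assumes the usual Kerberos message directions (KDC to client, client to server, server back to client); `seal` is a toy stand-in cipher, and all names, the clock-skew tolerance and the sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

def seal(key, obj):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC tag): a stand-in cipher.
    plain, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plain))
    body = bytes(a ^ b for a, b in zip(plain, stream))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))

def kdc_issue(master_keys, client, server, now, lifetime=3600):
    # KDC: Msg1 under the client's master key, ticket under the server's master key.
    session_key = secrets.token_hex(16)
    msg1 = seal(master_keys[client], {"session_key": session_key})
    ticket = seal(master_keys[server], {"session_key": session_key, "client": client,
                  "authz": ["Domain Users"], "expires": now + lifetime})  # constructed authz data
    return msg1, ticket

def client_credentials(client, client_key, msg1, ticket, now):
    # Client: recover the session key, then send ticket + fresh authenticator.
    session_key = bytes.fromhex(unseal(client_key, msg1)["session_key"])
    authenticator = seal(session_key, {"role": "client", "client": client, "timestamp": now})
    return session_key, (ticket, authenticator)

def server_accept(server_key, credentials, now, max_skew=300):
    # Server: open the ticket with its master key, then check the authenticator.
    ticket = unseal(server_key, credentials[0])
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, credentials[1])
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if auth.get("role") != "client" or auth.get("client") != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["timestamp"]) > max_skew:   # max_skew is an assumed tolerance
        raise ValueError("stale authenticator")
    reply = seal(session_key, {"role": "server", "timestamp": auth["timestamp"]})
    return ticket["client"], reply

def client_verify_server(session_key, reply, sent_timestamp):
    # Mutual authentication: only the real server could read the session key.
    return unseal(session_key, reply) == {"role": "server", "timestamp": sent_timestamp}

def rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def demo():
    keys = {"alice": secrets.token_bytes(32), "fileserver": secrets.token_bytes(32)}
    t0 = 1_000_000  # constructed clock value, in seconds
    msg1, ticket = kdc_issue(keys, "alice", "fileserver", t0)
    sk, creds = client_credentials("alice", keys["alice"], msg1, ticket, t0)
    who, reply = server_accept(keys["fileserver"], creds, t0 + 2)
    again = client_credentials("alice", keys["alice"], msg1, ticket, t0 + 600)[1]
    late = client_credentials("alice", keys["alice"], msg1, ticket, t0 + 7200)[1]
    return {
        "client_identity": who,
        "mutual_auth": client_verify_server(sk, reply, t0),
        "ticket_reused": server_accept(keys["fileserver"], again, t0 + 600)[0] == "alice",
        "impostor_server_rejected": rejected(server_accept, secrets.token_bytes(32), creds, t0),
        "stale_authenticator_rejected": rejected(server_accept, keys["fileserver"], creds, t0 + 900),
        "expired_ticket_rejected": rejected(server_accept, keys["fileserver"], late, t0 + 7200),
    }
```

Calling `demo()` returns the outcome of each case: the genuine exchange, a second use of the same ticket without contacting the KDC, a server that lacks the master key, an old authenticator, and an expired ticket.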

Page 21: Authentication

Cluster Service Account Password Change: The Cluster service on all cluster nodes uses the same cluster service account, which is a domain account.

[Diagram: cluster nodes]

Page 22: Authentication

Cluster Service Account Password Change: different DCs.

[Diagram: three DCs; three groups of cluster nodes]

Page 23: Authentication

Cluster Service Account Password Change.

[Diagram: three DCs; three groups of cluster nodes]

Change password on:
  • DC
  • SCM and LSA on each cluster node

Page 24: Authentication

Cluster Service Account Password Change.

[Diagram: Client; three DCs; three groups of cluster nodes]

Page 25: Authentication

Cluster Service Account Password Change.

[Diagram: Client; three DCs; three groups of cluster nodes; nodes N3 and N4]

Page 26: Authentication

Cluster Service Account Password Change.

[Diagram: Client; three groups of cluster nodes; nodes N1 to N9]

GUM: Global Update Manager

Page 27: Authentication

Global Update Manager
  • Propagates updates to all nodes in cluster
  • Updates are atomic and totally ordered
  • Tolerates all benign failures
  • Depends on membership engine

Page 28: Authorization

ACL (Access Control List)

Page 29: Cryptography (encryption/decryption)

Cluster Service Account Password Change.

[Diagram: Client; three DCs; three groups of cluster nodes; nodes N3 and N4]

Page 30: Cryptography (Cont.)

General information about using the Crypto API
  • Agreed base data
  • MAC
  • Salt

Page 31: Auditing

Security audit records

Page 32: Windows Security Push

  • Entire Windows Team: ~7000 people.
  • February and March 2002.
  • Process
      • Threat Analysis (PM, Dev, Tester)
      • Fixing Security Holes
      • Testing
      • Sign off

Page 33: Windows Security Push (cont.)

  • Extrocluster communication: Extrocluster communication refers to data transfer across the cluster boundary. Examples include clusapi, the extrocluster RPC interface, the join-version RPC interface, etc.
  • MSCS (Microsoft Cluster Service): 30 to 40 components

Page 34: Windows Security Push (cont.)

  • Intracluster communication: Intracluster communication refers to data transfer within the cluster but across node boundaries. Examples include ClusNet traffic, regroup traffic, the intracluster RPC interface, SMB traffic to MNS shares, etc.

Page 35: Windows Security Push (cont.)

  • Intranode communication: Intranode communication refers to data transfer within a node. Examples include resapi, ClusNet ioctls, the event log, the MNS named pipe, the NetCon API, etc.

Page 36: Windows Security Push (cont.)

  • Internal data: Internal data refers to data objects local to a node that are accessed by the component. Examples include registry keys, named objects, the quorum disk, MNS shares, etc.
  • External data: External data refers to data objects located outside of the cluster that are accessed by the component. Examples include computer objects in Active Directory.

Page 37: Windows Security Push (cont.)

  • All uses of cryptography
  • All operations that require membership in the local admin group
  • All operations that require elevated privilege (e.g. TCB a.k.a. "Act as part of the operating system")

Page 38: Windows Security Push (Cont.)

Security Holes:
  • Buffer overrun
  • Client spoofing
  • Server spoofing
  • Encryption by obfuscation
  • Home-grown cryptography
  • Storing secret in memory: DPAPI
  • Access check: Who can issue password-change command?

Page 39:

If you have any questions, please continue the discussion in the Microsoft Chinese newsgroups.

Join the Microsoft Chinese newsgroups: http://www.microsoft.com/china/community


Page 41:

© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.