reyna
DESCRIPTION
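Windows Server Security Issues. Within Local Security Policy Settings and System Configuration Settings. Configuration issues specific to Windows 2003. Local security policy settings. Windows uses a graphical (GUI) local policy editor. Click "Control Panel" / "Administrative Tools" / "Local Security Policy" (see Figure 15-1) to open the local policy editor window. Besides letting administrators set account policies, the tool also allows them to set local security policies. - PowerPoint PPT Presentation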
Citation preview
Windows
Windows Local Security Policy SettingsSystem Configuration Settings Windows 2003
Windows GUI15-1
15-1 GUI
GUIRegistryregeditregedit32Windows 2000
15-2
Windows
Windows 2000
LAN Manager LAN ManagerWindows 2000Windows 9598WindowsLAN ManagerWindows NTWindows 2000NTLM v2
NTLM v21.LAN Manager2. LMNTLMLMNTLMNTLM v2
LMNTLMNTLMv2NTLMNTLM v2NTLM v2LMNTLM v2LMNTLM
Windows95Windows98LAN Manager
SAM
Windows 2003 Windows 2003Windows 2000Software Restriction PoliciesSRP15-3SRP
15-3
Service pack
Windows 2000NTFSFATNTFSFATCONVERTNTFS
Windows 2000 NTFS NTFS-5NTFS-5
Windows 2000
Encrypting File SystemDOSWindows 2000Windows NTNTFSDOSNTFSWindows NTWindows 2000NTFSWindows 2000Encrypting File SystemEFS
EFS EFS EFSAdministratorEFSEncrypting File System
EFSNTFS 5.0 Encrypting File System
Share Windows NT Windows 2000 C$ D$ IPC$ ADMIN$ NETLOGON 15-4 Administrator
15-4
Windows 135 137 139 Windows 2000 Kerberos 88 SMB over IP 445 Kerberos kpasswd 464 Key Exchange IKE 500 UDP
NetBIOS Windows 2000 NetBIOS File and Printer Sharing for Microsoft Networks 15-5
NetBIOS15-5 NetBIOS
Windows 2000AdministratorGuestGuestGuestWindows 2000Administrator
15-6Active Directory
PASSFILT.DLL
15-6
15-7AdministratorAdministratorconsole
15-7
Service packUpdate
Windows 2003Windows 2000.NET framework
Windows 2003Windows 2000sessionProperties15-8
15-8
56128FIPS140-1
15-9
15-9
.NET Framework .NET framework15-10.NET framework 1.1
.NET Framework 15-10 .NET
.NET Framework
15-2 Windows 200015-2-1 15-2-2 15-2-3
15-2-1 15-11
Windows NTID
15-11
15-1215-13Administrators
15-12
15-2-2 GuestsGuestGuest
15-2-3
30EFS30
15-13
15-3 Windows 2000
15-3-1 secedit15-3-2 15-3-3 15-3-4
15-3-1 secedit
Windows 2000 secedit.exe secedit
secedit Windows 2000
secedit /analyze [/DB filename] [/CFG filename] [/log filename] [/verbose] [/quiet]
/DB filename filename
/CFG filename
/CFG filename
/log filename
/verbose secedit
/quiet secedit
secedit
secedit /configure [/DB filename] [/CFG filename] [/overwrite] [/areas area1 area2] [/log filename] [/verbose] [/quiet]
/DB filename
/CFG filename
/overwrite /CFG
/areas Securitypolicy Group_mgmt User_rights Regkeys Filestore Services
/log filename
/verbose secedit
/quiet secedit
secedit
secedit /validate filename
secedit:
secedit /refreshpolicy [machine_policy or user_policy] [/enforce]
machine_policy
user_policy
/enforce
secedit
secedit /export [/MergedPolicy] [/DB filename] [/CFG filename] [/areas area1 area2] [/log filename] [/verbose] [/quiet]
/MergedPolicy secedit
/DB filename
/CFG filename
/areas Securitypolicy Group_mgmt User_rights Regkeys Filestore Services
/log filename
/verbose secedit
/quiet secedit
15-3-2 Windows 200015-14
15-14 Windows 2000
15-3-3 Windows 2000\%systemroot%\system32\config
*.txtCSV
15-3-4 Windows 2000
Windows 2000
Windows 200015-15CPU
15-15 Windows 2000
CMDCMDDOSCMDCMD
Windows 2000Windows 2003Group PolicyGPOUADGP
GP
Group PolicyGPUser ConfigurationscriptGP
Computer ConfigurationGPbootGPGPOU
GPOUGP
GPO Default Domain PolicyDefault Domain Controller Policydomain container
GPOGroup Policy ObjecttreeGroup Policy Object Editor
SMBLAN40
IPWindows Explorer AuthenticodeWindows
Windows Windows Windows Installer
Windows Update Active DesktopActive Desktop
ADM
Windows 2003 Windows 2003ADSoftware Restriction PoliciesIEEE 802.11OU
IEEE 802.11802.1XOUGPOWindows XPWindows
802.11802.1x15-17EAPPEAPPEAPEAP-MSCHAP v2
15-17 IEEE 802.1x
1.2.3.4.OUOUOU
1.2.3.4.OU
Loopback GPMicrosoftLoopbackGPGP
mergeGPreplace
ACLGPOUblock policy inheritanceGPOUGPOUGPstart fresh from here, and work down
child containerGPGPOOU
Group Policy Management Console GPMC Microsoft Microsoft Management Console MMC GP 15-18 jiloa.com GPMC Microsoft Windows 2003 http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=C355B04F-50CE-42C7-A401-30BE1EF647EA
15-18
15-19
15-20 Administratorjiloa.comIHS
15-20 IHS Administrator
Resultant Set of PolicyRSoPOU
15-21IHSRSoPRSoPMMC MicrosoftActive DirectoryActive Directory
15-21 IHS RSoP
15-4-4 AD
Active Directory
Active Directory Active Directory Active Directory 15-22 OU DC
MMC