SEC310: Windows® Network Security (Windows network security)
Rui Hu ([email protected])
Software Design Engineer, Windows Clustering
Scale Out & Enterprise Servers Group, Windows Division, Microsoft Corporation
NTLM non-interactive authentication:
Step 0: A user accesses a client machine and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only)
Step 1: The client sends the user name to the server (in plaintext).
Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.
Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication is successful.
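The six NTLM steps above, played through end to end as an added example (this is not code from the deck and not Microsoft's implementation): a client, a server and a domain controller with a constructed account. Two stand-ins are assumptions so that the script runs with the standard library only: SHA-256 instead of the real MD4 password hash, and HMAC-SHA256 instead of the DES-based "encrypt the challenge with the hash" step. The last function shows why step 2 uses a fresh random nonce: a response captured for one challenge is worthless against the next.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Step 0: the client keeps only a hash of the password and discards the password.
    Real NTLM uses MD4 over UTF-16LE; SHA-256 is used here (assumption) so the example
    runs on Python builds where MD4 is unavailable."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Steps 3 and 5: 'encrypt' the challenge with the password hash. Real NTLM derives
    DES keys from the hash; HMAC-SHA256 is a stand-in (assumption) for that step."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self, sam: dict):
        self.sam = sam  # user name -> password hash, standing in for the SAM database

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Step 5: look up the stored hash and recompute the expected response.
        stored = self.sam.get(user)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        # Step 6: constant-time comparison of the DC's value with the client's response.
        return hmac.compare_digest(expected, response)


class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # Step 2: fresh 16-byte nonce per authentication attempt

    def authenticate(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Step 4: forward user name, challenge and response to the domain controller.
        return self.dc.verify(user, challenge, response)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user  # Step 1: sent to the server in plaintext
        self.pw_hash = password_hash(password)

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.pw_hash, challenge)  # Step 3


def run_ntlm(client: Client, server: Server) -> bool:
    challenge = server.new_challenge()
    response = client.respond(challenge)
    return server.authenticate(client.user, challenge, response)


def demo() -> tuple:
    """Constructed account 'alice'; returns (good password accepted, wrong password accepted)."""
    dc = DomainController({"alice": password_hash("correct horse battery")})
    server = Server(dc)
    good = run_ntlm(Client("alice", "correct horse battery"), server)
    bad = run_ntlm(Client("alice", "not the password"), server)
    return good, bad


def stale_response_rejected() -> bool:
    """Why the challenge is a fresh random nonce: a response computed for one
    challenge does not verify against the next one, even for the right user."""
    dc = DomainController({"alice": password_hash("correct horse battery")})
    server = Server(dc)
    client = Client("alice", "correct horse battery")
    old_response = client.respond(server.new_challenge())
    return not server.authenticate("alice", server.new_challenge(), old_response)


if __name__ == "__main__":
    print(demo(), stale_response_rejected())
```

Note what the server never does in this exchange: it proves nothing about itself to the client, which is the "no mutual authentication" property the next slide calls out.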
Microsoft NTLM (Cont.)
No mutual authentication: the server authenticates the client, but not vice versa. (The server verifies the client; the client cannot verify the server.)
Microsoft Kerberos
Mutual authentication: the server authenticates the client, and the client authenticates the server. (The server verifies the client, and the client verifies the server.)
Microsoft Kerberos (Cont.)
[Diagram: Client and Server each hold the Session Key; the Client sends an Authenticator Message to the Server.]
Microsoft Kerberos (Cont.)
Kerberos (or Cerberus) was a figure in classical Greek mythology—a fierce, three-headed dog who kept living intruders from entering the Underworld. (Kerberos: the three-headed monster of Greek mythology)
The Kerberos protocol has three heads: a client, a server, and a trusted third party to mediate between them. The trusted intermediary in this protocol is the Key Distribution Center (KDC). (Key distribution center)
Microsoft Kerberos (Cont.)
KDC (Key Distribution Center): holds the client's and server's master keys.
[Diagram: Client, Server and KDC; the KDC sends Msg1 to the Client.]
Msg1: the client's copy of the session key, encrypted by the client's master key.
Ticket: (the server's copy of the session key + the authorization data of the client), encrypted by the server's master key.
Microsoft Kerberos (Cont.)
KDC: holds the client's and server's master keys.
[Diagram: the KDC sends Msg1 to the Client; the Client presents Credentials to the Server.]
Credentials: the Ticket, plus an Authenticator message encrypted with the session key.
Microsoft Kerberos (Cont.)
KDC: holds the client's and server's master keys.
[Diagram: the KDC sends Msg1 to the Client; the Client presents Credentials to the Server; the Server returns the Timestamp to the Client.]
Mutual authentication: the timestamp of the authenticator message, encrypted by the session key.
Microsoft Kerberos (cont.)
Assumptions:
An open network where most clients and many servers are not physically secure. (An open network)
Packets traveling along the network can be monitored and modified at will. (Packets can be monitored and modified)
Microsoft Kerberos (cont.)
The KDC (Key Distribution Center) only provides a ticket-granting service.
The client and server are responsible for keeping their respective master keys secure. (The client and the server each keep their own master key.)
Microsoft Kerberos (cont.)
A client does not need to access the KDC each time it wants to access this particular server. Tickets can be reused. Tickets have an expiration time. (Ticket validity period)
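The Kerberos slides (Msg1, the ticket, the credentials and the timestamp reply) together with the ticket-reuse and expiry rules above, as one added example that is not code from the deck and not Microsoft's implementation. The KDC holds both master keys and only issues tickets; the ticket carries an expiry so the server can reject it without asking the KDC. `seal`/`open_` is an assumed toy authenticated cipher (HMAC-SHA256 keystream plus tag), standing in for Kerberos' real encryption types, and the principals "alice" and "fileserver" are constructed.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption (assumption, not a Kerberos encryption type)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's master key and only hands out tickets."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def ticket_granting(self, client: str, server: str, authz: list, lifetime: float, now: float):
        session_key = os.urandom(32).hex()
        # Msg1: the client's copy of the session key under the client's master key.
        msg1 = seal(self.master_keys[client], {"session_key": session_key, "server": server})
        # Ticket: the server's copy of the session key + the client's authorization data,
        # plus an expiry, under the server's master key. The client cannot read it.
        ticket = seal(self.master_keys[server], {"session_key": session_key, "client": client,
                                                 "authz": authz, "expires": now + lifetime})
        return msg1, ticket


class Server:
    def __init__(self, master_key: bytes, max_skew: float = 300.0):
        self.master_key, self.max_skew = master_key, max_skew

    def accept(self, ticket: bytes, authenticator: bytes, now: float):
        t = open_(self.master_key, ticket)
        if now > t["expires"]:
            raise PermissionError("ticket expired")
        session_key = bytes.fromhex(t["session_key"])
        a = open_(session_key, authenticator)  # only the ticket's rightful holder has this key
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > self.max_skew:
            raise PermissionError("authenticator does not match ticket or is stale")
        # Mutual authentication: echo the timestamp under the session key, which the server
        # could only recover by owning the master key the ticket was sealed with.
        return seal(session_key, {"timestamp": a["timestamp"]}), t["authz"]


class Client:
    def __init__(self, name: str, master_key: bytes):
        self.name, self.master_key, self.session_key = name, master_key, None

    def receive_msg1(self, msg1: bytes) -> None:
        self.session_key = bytes.fromhex(open_(self.master_key, msg1)["session_key"])

    def authenticator(self, now: float) -> bytes:
        return seal(self.session_key, {"client": self.name, "timestamp": now})

    def server_proved_itself(self, reply: bytes, sent_ts: float) -> bool:
        return open_(self.session_key, reply)["timestamp"] == sent_ts


def demo(now: float = 1_000_000.0) -> dict:
    """Constructed principals 'alice' and 'fileserver'; ticket lifetime 3600 s."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, client, server = KDC(keys), Client("alice", keys["alice"]), Server(keys["fileserver"])
    msg1, ticket = kdc.ticket_granting("alice", "fileserver", ["users"], 3600, now)
    client.receive_msg1(msg1)
    result = {}
    for label, t in (("first_use", now + 10), ("reuse_no_kdc", now + 600)):
        reply, authz = server.accept(ticket, client.authenticator(t), t)  # KDC not contacted again
        result[label] = client.server_proved_itself(reply, t) and authz == ["users"]
    try:  # the same ticket after its expiry time
        server.accept(ticket, client.authenticator(now + 4000), now + 4000)
        result["expired_rejected"] = False
    except PermissionError:
        result["expired_rejected"] = True
    try:  # a host without fileserver's master key cannot open the ticket at all
        Server(os.urandom(32)).accept(ticket, client.authenticator(now + 20), now + 20)
        result["impostor_detected"] = False
    except ValueError:
        result["impostor_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The `max_skew` check on the authenticator timestamp is what limits replay of a captured credential; the expiry inside the ticket is what bounds how long a reused ticket stays valid without the KDC being involved.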
Cluster Service Account Password Change: the Cluster service on all cluster nodes uses the same cluster service account, which is a domain account.
Cluster nodes:
Authentication
Cluster Service Account Password Change: different DCs.
GUM: Global Update Manager
Authentication
Global Update Manager
Propagates updates to all nodes in cluster
Updates are atomic and totally ordered
Tolerates all benign failures
Depends on membership engine
Authorization
ACL (Access Control List)
Cryptography (encryption / decryption)
Cluster Service Account Password Change.
Windows Security Push (cont.)
Extrocluster communication: Extrocluster communication refers to data transfer across the cluster boundary. Examples include clusapi, the extrocluster RPC interface, the join-version RPC interface, etc.
MSCS (Microsoft Cluster Service): 30 to 40 components
Windows Security Push (cont.)
Intracluster communication: Intracluster communication refers to data transfer within the cluster but across node boundaries. Examples include ClusNet traffic, regroup traffic, the intracluster RPC interface, SMB traffic to MNS shares, etc.
Windows Security Push (cont.)
Intranode communication: Intranode communication refers to data transfer within a node. Examples include resapi, ClusNet ioctls, the event log, the MNS named pipe, the NetCon API, etc.
Windows Security Push (cont.)
Internal data: Internal data refers to data objects local to a node that are accessed by the component. Examples include registry keys, named objects, the quorum disk, MNS shares, etc.
External data: External data refers to data objects located outside of the cluster that are accessed by the component. Examples include computer objects in Active Directory.
Windows Security Push (cont.)
All uses of cryptography
All operations that require membership in the local admin group
All operations that require elevated privilege (e.g. TCB a.k.a. “Act as part of the operating system”)
Windows Security Push (Cont.)
Security Holes:
Buffer overrun
Client spoofing
Server spoofing
Encryption by obfuscation
Home-grown cryptography
Storing secret in memory: DPAPI
Access check: Who can issue password-
IPSec protection for AD site replication through firewalls: http://www.microsoft.com/ISN/Columnists/P63623.asp
“Lockdown” IPSec protection for server: http://www.microsoft.com/ISN/columnists/p66703.asp
Using IPSec to build trusted computing infrastructures: “Ask Us About Security 12/15/2001” on TechNet
http://www.isaserver.org
http://www.aspelle.com (few details; dude lives in MPSC with customer-ready demos)
Other Internet resources:
IETF IPSec Standards - http://www.ietf.org/html.charters/ipsec-charter.html
IETF L2TP Standard - http://www.ietf.org/html.charters/pppext-charter.html
IETF L2TP Working Group: http://www.ietf.org/html.charters/l2tpext-charter.html
Technology books:
Doraswamy, Harkins – “IPSec: The New Security Standard for the Internet, Intranets and