安全协议与标准08-Windows安全

《安全协议与标准08-Windows安全》由会员分享，可在线阅读，更多相关《安全协议与标准08-Windows安全（110页珍藏版）》请在装配图网上搜索。

1、 安全协议与标准2011, 10 Windows安全 Windows体系结构 用户与登录 文件与NTFS 系统文件保护 事件与审计 防火墙ICF IIS 漏洞与补丁 Vista安全 域安全 ISA Office安全 Apix: DDK/WDK Windows体系结构 Windows 2000 architecture Windows 2008 with Hyper-V Windows安全性 设计目标 一致的、健壮的、基于对象的安全模型 满足商业用户的安全需求 一台机器上多个用户之间安全地共享资源 进程，内存，设备，文件，网络 安全模型 服务器管理和保护各种对象 客户通过服务器访问对象 服务器扮

2、演客户，访问对象 访问的结果返回给服务器 用户与登录 商业系统的最高安全等级一般是C2兼顾易用性和安全性 Windows NT具有C2级安全等级认证 C2权限控制保护： 用户对自己的行为负责； 系统可以跟踪所有过程和记录某个用户的行为。防止对象重引用，并保证系统安全性监视器的效力。 用户可以设定别人对自己数据的权限。* Trusted Computer System Evaluation Criteria The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Ser

3、ies publications. TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005. 帐户与组 帐户 user accounts 定义一个用户所必要的信息，包括口令、组成员关系、登录限制、安全ID(SID)、 组 groups Administrators、guests、backup operators、remote desktop users、users、power users、 Account Identifi

4、er: Security identifier (SID) 时间和空间唯一 S-1-N-Y1-Y2-Y3-Y4 字符串形式和二进制形式的SID “sysprep.exe” 用户组 用户密码 口令、通行字（password/passwd） 选择合适的口令 要便于记忆，但是不能让别人猜到 不要使用常用单词、短语、缩写、生日、证件号码、默认口令等等 要足够长，否则容易被穷举攻击 8位字符以上 不要不同的帐号使用一个口令 关于空白口令，以及自动登录 智能卡 USB token 一种口令攻击方法：利用Google MD5 CTL-ALT-DEL 为了安全 为了方便，可以从策略中禁止 其他安全策略 in

5、“本地安全设置” 输入法漏洞 第一次 Windows 2000 系列 标准输入法 远程桌面登录时亦存在 第二次 Vista Google输入法 锁定状态时 远程桌面连接 RDP - remote desktop protocol 连接到XP 只能单用户 连接到Windows Server 用户权限：组Remote Desktop Users 支持多用户 速度和颜色 可以调整到32位颜色(gpedit.msc) 可以从Linux中连接到Windows桌面 文件与NTFS FAT：FAT16，FAT32，VFAT NTFS 长文件名、加密与压缩、安全性、能力与性能 stream 扩展名 查看扩展名

6、 隐藏文件 查看隐藏文件 图标 文件安全属性 用户之间文件访问隔离 实验验证 管理员的全能权限 日常使用不应该以管理员权限 系统文件保护 系统文件 windows/system32 *.sys/.dll/.ocx/.ttf/.fon/.exe等 文件校验机制(签名) sigverif.exe 监控 恢复 D:WINDOWSsystem32dllcache 光盘 使用 SignTool 对安装文件进行签名为 Windows Installer 文件 (.msi) 签名 在开发计算机上，安装您希望用于对文件进行签名的证书。 打开 Visual Studio 命令提示。 转到包含 .msi 文件的目

7、录。 利用以下命令为 .msi 文件签名： signtool sign /sha1 CertificateHash SetupFile.msi FinalData 1. Improve Data Protection and Integrity by Pre-Installing FINALDATA Delete Protection : Protects against the deletion of important files and directories File Delete Manager : Automatic Backup of files being deleted 2.

8、 Easy and Useful Recovery Tools File Preview : Check the contents of Images files, MS Office documents, or HTML files before recovering File Viewer : Extract the text contained in a damaged file 3. Damaged CD-ROM Recovery Recover data from damaged sectors of CD-RW and CD-R media Support CDFS, UDF 4.

9、 Fully Compatible with Microsoft Windows OS Fully compatible with Windows 9x/ME/NT4.0/2000/XP Support for FAT 12/16/32 and NTFS EFS - Encrypting File System EFS的机制 在磁盘上密文存储（而不仅仅靠访问限制） EFS的证书和私钥管理 创建、备份、恢复 EFS文件加密的教训 加密的文件和分区在系统重装后将不可用，除非恢复先前的证书和私钥 EFS中的关系：用户、管理员、备份员 Windows Defender Windows Defender

10、，曾用名Microsoft AntiSpyware，是一个用来移除、隔离和预防间谍软件的程序，可以运行在Windows 2000、Windows XP和Windows Server 2003操作系统上，并已内置在Windows Vista。它的测试版于2005年1月6日发布，在2005年6月23日、2006年2月17日微软又发布了更新的测试版本。Windows Defender的定义库更新很频繁。 Windows Defender不像其他同类免费产品一样只能扫描系统，它还可以对系统进行实时监控，移除已安装的ActiveX插件，清除大多数微软的程序和其他常用程序的历史纪录。 Advanced f

11、eatures Real-time protection Internet Explorer integration Software Explorer Windows Vista-specific functionality blocks all startup items that require administrator privileges Windows Live OneCare Windows Live OneCare（或onecare、LIVE ONECARE。中文名称未定，Onecare意一份关心）是微软Windows Live旗下的杀毒软件，也是微软进入安全防护领域的第一个

12、杀毒软件。 其功能包括ProtectionPlus (杀毒，防间谍，防火墙，自动更新)，PerformancePlus(硬盘整理，垃圾清理，自动备份)，Backup and Restore(备份+回复)。同时OneCare也与Windows Update 合作，以提供自动视窗系统更新。OneCare也备有即时帮助(24小时/7天)。 discontinued Microsoft Security Essentials Microsoft Security Essentials (MSE) is a free antivirus software product for Microsoft Wi

13、ndows operating systems that provides protection against different types of malware such as computer virus, spyware, rootkits and trojan horses. Unlike the Microsoft Forefront family of enterprise-oriented security products, Microsoft Security Essentials is geared for consumer use. Microsoft Securit

14、y Essentials received positive reviews upon its release. In September 2011, it was the most popular antivirus software product in North America and the second most popular in the world. Autorun 自动播放机制 autorun.inf 自动播放的安全问题 关闭自动播放 事件与审计 日志服务 启动 Windows 时，EventLog 服务会自动启动。 所有用户都可以查看应用程序和系统日志。只有管理员才能访问

15、安全日志。 在默认情况下，安全日志是关闭的。可以使用组策略来启用安全日志。管理员也可在注册表中设置审核策略，以便当安全日志满出时使系统停止响应。 事件查看器 留意特殊的事件，如登录、登录失败。 定制要记录的安全事件 “本地安全设置” 三类事件/日志 应用程序日志 由应用程序或系统程序记录的事件。例如，数据库程序可在应用日志中记录文件错误。程序开发员决定记录哪一个事件。 系统日志 包含 Windows的系统组件记录的事件。例如，在启动过程将加载的驱动程序或其他系统组件的失败记录在系统日志中。Windows预先确定由系统组件记录的事件类型。 安全日志 记录安全事件，如有效的和无效的登录尝试，以及与

16、创建、打开或删除文件等资源使用相关联的事件。管理器可以指定在安全日志中记录什么事件。例如，如果您已启用登录审核，登录系统的尝试将记录在安全日志里。 四种类型 错误 重要的问题，如数据丢失或功能丧失。例如，如果在启动过程中某个服务加载失败，这个错误将会被记录下来。 警告 并不是非常重要，但有可能说明将来的潜在问题的事件。例如，当磁盘空间不足时，将会记录警告。 信息 描述了应用程序、驱动程序或服务的成功操作的事件。例如，当网络驱动程序加载成功时，将会记录一个信息事件。 成功审核 成功的审核安全访问尝试。例如，用户试图登录系统成功会被作为成功审核事件记录下来。 失败审核 失败的审核安全登录尝试。例如

17、，如果用户试图访问网络驱动器并失败了，则该尝试将会作为失败审核事件记录下来。 任务管理器 留意异常进程 svch0st.exe wsript.exe taskmgr / tasklist / taskkill tasklist /m 注册表 Register C:WindowsSystem32Config Users home dir Regedit.exe 对注册表的修改 手工修改 hack/crack方式 优化调整 自动运行的程序启动点Documents and Settings“开始”菜单程序启动 Documents and SettingsAll Users“开始”菜单程序启动 HKE

18、Y_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWindowsload HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun*HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonUserinit HKEY_LOCAL_MACHINESOFTWAR

19、EMicrosoftWindowsCurrentVersionPoliciesExplorerRun HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun*HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks 其他工具: Winternals several freeware tools t

20、o administer and monitor computers running Microsoft Windows. Sysinternal，Microsoft acquired Sysinternals in July, 2006. procexp regmon filemon diskmom tcpview portmon RootkitRevealer Sysinternals The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their adva

21、nced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006. Whether youre an IT Pro or a developer, youll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. Sony, Gone Too Far “Sony, Rootkits and Digita

22、l Rights Management Gone Too Far” Mark Russinovich Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from

23、 diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from thre June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, seve

24、ral hidden device drivers, and a hidden application: FileMon This monitoring tool lets you see all file system activity in real-time. RegMon This monitoring tool lets you see all Registry activity in real-time. TCPView Active socket command-line viewer. netstat.exe DiskMon This utility captures all

25、hard disk activity or acts like a software disk activity light in your system tray. PsFile See what files are opened remotely. Process Monitor Monitor file system, Registry, process, thread and DLL activity in real-time. Process Explorer Find out what files, registry keys and other objects processes

26、 have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process. ListDLLs List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded modules. PsLis

27、t Show information about processes and threads. tasklist / taskkill Autoruns See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings. Hand

28、le This handy command-line utility will show you what files are open by which processes, and much more. RootkitRevealer Scan your system for rootkit-based malware EFSDump View information for encrypted files. SDelete Securely overwrite your sensitive files and cleanse your free space of previously d

29、eleted files using this DoD-compliant secure delete program. Streams Reveal NTFS alternate streams. Sigcheck Dump file version information and verify that images on your system are digitally signed. sigverif.exe File and Disk Utilities Junction Create Win2K NTFS symbolic links. linkd.exe MoveFile Sc

30、hedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files. PendMoves See what files are scheduled for delete or rename the next time the system boots. Streams Reveal NTFS alternate streams. The PsTools suite PsExec - execute processe

31、s remotely PsFile - shows files opened remotely PsGetSid - display the SID of a computer or a user PsInfo - list information about a system PsKill - kill processes by name or process ID PsList - list detailed information about processes PsLoggedOn - see whos logged on locally and via resource sharin

32、g (full source is included) PsLogList - dump event log records PsPasswd - changes account passwords PsService - view and control services PsShutdown - shuts down and optionally reboots a computer PsSuspend - suspends processes Desktops This new utility enables you to create up to four virtual deskto

33、ps and to use a tray interface or hotkeys to preview whats on each desktop and easily switch between them. 防火墙ICF ICF Internet Connection Firewall ICS Internet Connection Sharing 其他防火墙 个人防火墙 金山网镖 天网个人防火墙 商业产品 硬件 vs. 软件 Netfliter/Iptable in Linux N-ByteN-Byte 网络守望者,NBFW.zip NDIS Network Driver Interf

34、ace Specification by MS and 3Com, in Windows and also in Linux and FreeBSD (NdisWrapper) “wrapper”功能，即隐藏了2层LLC的差异，服务于3层网络层（另一个抽象LLC是ODI - Open Data-Link Interface） hook IIS IIS 7.0, in Vista and Windows Server 2008 The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS. behind Apache HTTP Ser

35、ver the infamous Code Red worm IIS日志 Logs in C:WINDOWSsystem32Logfiles IIS支持的认证机制 IIS 5.0 and higher support the following authentication mechanisms: Basic access authentication: 明文口令 Digest access authentication: 使用HASH Integrated Windows Authentication refers to the SPNEGO, Kerberos, and NTLMSSP a

36、uthentication protocols with respect to SSPI functionality introduced with the Microsoft Windows 2000 operating system. .NET Passport Authentication Windows Live ID IIS认证配置界面 HTTPS实验演示 HTTPS CA，Certificate，IE，SSL+HTTP 配置CA 个人证书给IE 服务器证书给IIS 证书的其他应用 漏洞与补丁 update 功能性更新 vs. 安全性更新 IE7 / WMPlayer 11 patc

37、hes hotfix service packs incoming xp sp3 / vista sp1 patches for Linux/Unix 这就是不装补丁的后果发信人: at2011518 (win7坏了，用回xp，顿觉天地间豁然开朗), 信区: ITExpress 标 题: 靠，昨晚4点多有人黑了我的电脑 发信站: 水木社区 (Fri May 4 11:02:51 2012), 站内 这就是不装补丁的后果啊 昨晚在下载东西，把我电脑的ip映射到了公网，结果就中招了。 黑客在我电脑搞了个s扫描器的东西，但好像老是被我的诺顿杀毒软件删掉，于是它竟然把我的诺顿给卸载了！ 早上我想给刚下

38、载的东西扫描一下病毒，才发现诺顿没了。于是看事件记录，才发现这些事。 WUS Win9x共享漏洞分析 Vredir.vxd.doc Vista安全 UAC - User Account Control It aims to improve the security of the operating system by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applic

39、ations that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to compromise the operating system. UAC Tasks that will trigger a UAC prompt * Right-clicking and clicking Run as administrator * Changes to files in %SystemRoot% or %ProgramFiles% * In

40、stalling and uninstalling applications * Installing device drivers * Installing ActiveX controls * Changing settings for Windows Firewall * Changing UAC settings * Configuring Windows Update * Adding or removing user accounts * Changing a users account type * Configuring Parental Controls * Running

41、Task Scheduler * Restoring backed-up system files * Viewing or changing another users folders and files BitLocker Another significant new feature is BitLocker Drive Encryption, a data protection technology included in the Enterprise and Ultimate editions of Vista that provides encryption for the ent

42、ire operating system volume. Bitlocker can work in conjunction with a Trusted Platform Module chip (version 1.2) that is on a computers motherboard, or with a USB key. BitLocker provides three modes of operation The first two modes require a cryptographic hardware chip called a Trusted Platform Modu

43、le (version 1.2 or later) and a compatible BIOS:* Transparent operation mode: This mode exploits the capabilities of the TPM 1.2 hardware to provide for a transparent user experiencethe user logs onto Windows Vista as normal.* User authentication mode: This mode requires that the user provide some a

44、uthentication to the pre-boot environment in order to be able to boot the OS. The final mode does not require a TPM chip:* USB Key: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the p

45、rotected machine supports the reading of USB devices in the pre-OS environment. Trusted Platform Module The TPM specification is the work of the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 103, published on July 9, 2007 TCG - Trusted Computing Group successo

46、r to the Trusted Computing Platform Alliance (TCPA), is an initiative started by AMD, Hewlett-Packard, IBM, Infineon, Intel, Microsoft, and Sun Microsystems to implement Trusted Computing. TC - Trusted Computing Digital rights management Protection from viruses and spyware Identity theft protection

47、IE 7 IE7s new security and safety features include a phishing filter, IDN with anti-spoofing capabilities, and integration with system-wide parental controls. cipher strength: 256-bit (Only for Vista, for XP only supports 128-bit) support for Extended Validation Certificates (EV) Protected Mode (ava

48、ilable in Vista only), whereby the browser runs in a sandbox with even lower rights than a limited user account. IE 8 IE9 Internet Explorer 9 Security Part 1: Enhanced Memory Protections Security Part 2: Protection from Socially Engineered Attacks Security Part 3: Browse More Securely with Pinned Si

49、tes Security Part 4: Protecting Consumers from Malicious Mixed Content IE10的安全特性 DEP/NX，IE8+ /GS编译选项，在运行时向应用程序的堆栈边界添加安全标记 ASLR地址空间布局随机化技术在Vista 中初次引入，并在 Windows 8 中得到增强。 ASLR在应用程序载入内存时为其分配随机的内存基地址。进程环境块 (PEB)、线程环境块 (TEB)、堆栈和堆等其他内存结构也将分配到内存中的随机位置。 ForceASLR IE 11 IE11 Reduces Use of Vulnerable RC4 Ci

50、pher Suite Turning on TLS 1.2 by Default interesting new security feature: support for the WebCryptoAPI, a JavaScript API for performing basic cryptographic functions. FW in Vista As part of the redesign of the network stack, Windows Firewall has been upgraded with new support for filtering both inc

51、oming and outgoing traffic. Advanced packet filter rules can be created which can grant or deny communications to specific services. Before 域安全 Domain的元素：资源组织方式 对象：主题 subject 对象：客体 object 对象间的逻辑关系 访问access：读、写、执行、 管理员和用户 记录和日志 登录和凭证 对象标识 安全token 口令、口令衍生密钥、指纹、智能卡、usb key、公钥/证书/私钥、 资源和认证服务分开 跨域认证和资源访问

52、 Domain alike 文件共享smb 文件共享samba 文件共享NFS 本机OS：Windows，注册表/sam，kerberos 本机OS：linux，/etc/passwd 网络域：AD，kerberos+ldap+dns 网络域：Linux/kerberos 集群和云平台 Linux集群 Windows集群 云计算 GAE、AWS、Azure SAE BAE Web Service中的域机制 WSDL UDDI SAML XML Sig/Sec 群件Groupware（Collaborative software） Office OneNoteSharePointGroove L

53、otus Domino/Notes Exchange server / outlook OA (Windows)域安全 域控制器：active directory 域成员(计算机/用户) 域用户 域用户：配置漫游，(网络)主目录 进阶：集群 做好网管，从使用Windows域开始 某电力公司的信息主管打电话过来问：“有没有好一点的网管软件？现在机子多了，人手一机，问题越来越多了，相互猜密码的、丢资料的、丢账号的、系统整天崩溃的、在工位上玩游戏的、乱用打印机的总之很乱，也不好管理。就算自己看见了，因为平时关系不错，也不好意思说，就是说了也起不到多大作用。我这个信息主管实在是有名无实啊。”我听完以后

54、十分感慨，微软的桌面系统进入中国市场这么久，竟然还有这么多人不知道Windows域服务才是管理桌面的利器。 http:/ 域控制器Active Directory 建议使用“配置您的服务器向导”，自动使用.local域名后缀 或者使用“管理您的服务器”，自己定义域名 DNS & IP 假设本机的名字叫ad，域是，则这个地方貌似应该输入“”。 该图中有误导。 另外，建议在本机上安装dns服务 工作站(xp或win7)加入域 把xp的dns ip修改成域服务器的ip 需要域管理员授权 不需要改/etc/hosts文件 域用户 从域控制器上添加域用户 初始口令必须符合复杂性要求，否则会有莫名其妙的错

55、误 登录到域 从任何一台域工作站都可以登录 默认配置不能漫游 home（） 桌面文件 收藏夹 我的文档 等 登录到域 漫游配置 serverdhomezhang3 共享文件路径serverdhome，注意目录zhang3赋予zhang3完全权限。有本地副本，登录/注销时同步，但是同步是很慢的(大文件时)。 主文件夹 避免同步操作(大文件时提高了效率) / 也可以自行影射 域管理与安全 备份域控制器 域控制器（PDC） 备份域控制器（BDC） 集群 一个是AD，其他的加入域 准备共享磁盘(仲裁磁盘q和工作数据磁盘z) 如果是多节点集群，应该不需要 在AD上配置集群，设立集群IP地址 在其他节点上

56、加入集群 配置IIS，使其网页目录位于z上 测试IIS的工作状态 停掉一个节点，看IIS是否仍可用 仲裁磁盘(Quorum) 说明 A机，域控制器 外192.168.1.83/24 内192.168.8.83/24 B机，域成员 外192.168.1.84/24 内192.168.8.84/24 A机和B机共享磁盘 Q盘(q.vmdk at scsi1:0)，仲裁盘 Z盘(z.vmdk at scsi1:1)，工作数据盘 注意“disk.locking = FALSE” in vmx config 集群 外192.168.1.38 IIS Cluster 配置IIS 在刷新之间，一个节点挂掉了

57、 (由于vmware快照，所以内容不一致) ISA ISA Server Microsoft Internet Security and Acceleration Server, originating as Microsoft Proxy Server ISA is a Firewalling & Security product based on Microsoft Windows primarily designed to securely publish webservers and other server systems, provide Stateful, Application

58、-Layer Firewalling, act as a VPN endpoint, and provide Internet Access for client systems in a Business Networking environment. VPN 服务端：RRAS 客户端：建立VPN拨号连接 修正路由 Bridged LAN vs. NAT Office安全 Service pack Office 2003 sp2 Office 2007 宏安全，宏病毒 Visual Basic for Applications normal.dot Office文档的口令 office pa

59、ssword recovery 其他文件口令 zip/rar/pdf文件口令 zip password recovery rar password recovery pdf password recovery 演示 Advanced ZIP Password Recovery IPv6安全 其他网络安全相关 BT 校园网 ISP宽带 交换机/路由器/NAT网关 违规、限速、封杀、 无线安全 信号辐射 访问控制 Apix: DDK/WDK Windows XP/2003/Vista Visual Studio.NET 2003/2005/2008 Windows DDK/WDK 6000.16386.061101-2205-LRMWDK.A.ISO C:WinDDK6000src* 一个例子: google(”filedisk”) Bookmark Q & A