Class 11: Security and Access Controls I

1
Class 11 Security and Access Controls I
2
Objectives

• Describe the Windows XP security model, and the
  key role of logon authentication
• Work with access control and customize the logon
  process
• Disable the default username
• Discuss domain security concepts

3
The Windows XP Security Model

• User must logon with
• Valid user ID
• Password
• User receives access token
• Access token
• String of bits representing user
• Attached to processes

4
The Windows XP Security Model (continued)

• Access token
• Compared with ACL (Access Control List)
• Domain security
• Centered on Active Directory

5
Active Directory

• Centralized database containing
• Security
• Configuration
• Communication information
• Manages
• Information about domain
• Resources shared by network

6
Logon Authentication

• Logon is mandatory
• Logon process components
• Identification
• Authentication
• Password authentication typically used
• Access token attached to shell process

7
Shell

• Defines environment inside which user executes
  programs or spawns other processes
• Default
• Windows Explorer
• Defines desktop, start menu, etc.

8
Resources as Objects

• Access to individual resources controlled at
  object level
• Everything in environment is an object
• Identified by type
• Type determines
• Permitted range of contents
• Kinds of operations

9
Resources as Objects (continued)

• Service
• How object can be manipulated
• Attributes
• Named characteristics

10
Access Control

• Logon process
• Initiated with CtrlAltDelete
• Hardware interrupt cannot be imitated
• Mandatory logon
• Restricted user mode
• Physical logon
• User profiles

11
Customizing the Logon Process

• Administrator can alter default process
• Winlogon process
• Produces logon dialog box
• Controls automated logon
• Warning text
• Display of Shutdown button
• Display of last user to log onto system

12
Disabling the Default Username

• Logon window
• Displays name of the last user to logon
• Can be unsecure
• DontDisplayLastUserName Regisry setting
• Edit with
• Local Computer Policy utility

13
Adding a Security Warning Message

• Might be legally obligated to add a warning
  message
• Settings in Registry
• LegalNoticeCaption
• LegalNoticeText

14
Changing the Shell

• Default shell
• Windows Explorer
• Change Registry setting

15
Disabling the Shutdown Button

• Windows XP logon window includes Shutdown button
• Potential for unwanted system shutdowns
• ShutdownWithoutLogon Registry setting
• Users can still physically power-off machine
• Winlogon settings for
• Laptop Sleep mode
• Other advanced shutdown settings

16
Automating Logons

• Values for username and password can be coded
  into Registry to automate logons
• Registry settings
• DefaultDomainName
• DefaultUserName
• DefaultPassword
• AutoAdminLogon

17
Automatic Account Lockout

• Disables account
• Predetermined number of failed logins
• Predetermined amount of time
• Default
• Unlimited number of attempts

18
Domain Security Concepts and Systems

• Domain
• Collection of computers with centrally managed
  security and activities
• Offers
• Increased security
• Centralized control
• Broader access to resources

19
Domain Security Overview

• Control of
• User accounts
• Group memberships
• Resource access
• for all members of a network instead of only a
  single computer

20
Domain Controller

• Windows 2000 Server
• Windows Server 2003 system
• Active Directory support services installed and
  configured