Security Protocols and Standards: Lecture Notes

Uploader: 唐****1   Document ID: 240755962   Uploaded: 2024-05-05   Format: PPT   Pages: 110   Size: 2.78MB
Security Protocols and Standards, October 2011
Windows Security

Outline
- Windows architecture
- Users and logon
- Files and NTFS
- System file protection
- Events and auditing
- Firewall: ICF
- IIS
- Vulnerabilities and patches
- Vista security
- Domain security
- ISA
- Office security
- Appendix: DDK/WDK

Windows architecture
- Windows 2000 architecture
- Windows 2008 with Hyper-V

Windows security design goals
- A consistent, robust, object-based security model
- Meets the security needs of business users
- Multiple users on one machine share resources securely: processes, memory, devices, files, network

Security model
- Servers manage and protect all kinds of objects
- Clients access objects through servers
- The server impersonates the client to access the object
- The result of the access is returned to the server

Users and logon
- The highest security level for commercial systems is generally C2, balancing usability and security
- Windows NT holds C2-level security certification
- C2 access-control protection: users are accountable for their own actions; the system can track all processes and record a given user's actions. Object reuse is prevented and the effectiveness of the security reference monitor is guaranteed. Users can set other people's permissions on their own data.
* Trusted Computer System Evaluation Criteria: The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. TCSEC was replaced with the development of the Common Criteria international standard, originally published in 2005.

Accounts and groups
- User accounts define the information a user needs, including password, group membership, logon restrictions and security ID (SID)
- Groups: Administrators, Guests, Backup Operators, Remote Desktop Users, Users, Power Users
- Account identifier: security identifier (SID), unique in time and space: S-1-N-Y1-Y2-Y3-Y4
- SIDs in string form and in binary form
- "sysprep.exe"
- User groups

User passwords
- Password / passphrase (password/passwd)
- Choosing a suitable password: easy to remember, but not guessable by others
- Do not use common words, phrases, abbreviations, birthdays, ID numbers, default passwords, etc.
- Long enough, otherwise it is easily brute-forced: 8 characters or more
- Do not use one password for different accounts
- On blank passwords and automatic logon
- Smart cards, USB tokens
- One password-attack method: looking up MD5 hashes with Google
- Ctrl-Alt-Del: for security; for convenience it can be disabled through policy
- Other security policies in "Local Security Settings"
- Input method editor (IME) vulnerabilities: the first in the Windows 2000 family's standard IMEs, also present at remote desktop logon; the second in Google IME on Vista, while the screen is locked

Remote Desktop Connection
- RDP: Remote Desktop Protocol
- Connecting to XP: single user only
- Connecting to Windows Server: user right granted through the Remote Desktop Users group; supports multiple users
- Speed and colour depth adjustable, up to 32-bit colour (gpedit.msc)
- A Windows desktop can be reached from Linux

Files and NTFS
- FAT: FAT16, FAT32, VFAT
- NTFS: long file names, encryption and compression, security, capacity and performance, streams
- Extensions: showing extensions
- Hidden files: showing hidden files
- Icons

File security attributes
- File access isolation between users
- Lab: verify the administrator's all-powerful rights
- Daily use should not run with administrator privileges

System file protection
- System files: windows\system32, *.sys/.dll/.ocx/.ttf/.fon/.exe, etc.
- File verification mechanism (signatures): sigverif.exe
- Monitoring
- Restoration: D:\WINDOWS\system32\dllcache, installation CD

Signing installation files with SignTool (Windows Installer .msi files)
1. On the development computer, install the certificate you want to sign files with.
2. Open the Visual Studio command prompt.
3. Change to the directory containing the .msi file.
4. Sign the .msi file with the following command:
   signtool sign /sha1 CertificateHash SetupFile.msi

FinalData
1. Improve Data Protection and Integrity by Pre-Installing FINALDATA. Delete Protection: protects against the deletion of important files and directories. File Delete Manager: automatic backup of files being deleted.
2. Easy and Useful Recovery Tools. File Preview: check the contents of image files, MS Office documents or HTML files before recovering. File Viewer: extract the text contained in a damaged file.
3. Damaged CD-ROM Recovery: recover data from damaged sectors of CD-RW and CD-R media; supports CDFS, UDF.
4. Fully Compatible with Microsoft Windows OS: fully compatible with Windows 9x/ME/NT4.0/2000/XP; support for FAT 12/16/32 and NTFS.

EFS: Encrypting File System
- Mechanism: ciphertext is stored on disk (rather than relying on access restrictions alone)
- EFS certificate and private key management: creation, backup, recovery
- Lesson from EFS file encryption: encrypted files and partitions become unusable after the system is reinstalled, unless the previous certificate and private key are restored
- Relationships in EFS: user, administrator, backup operator

Windows Defender
Windows Defender, formerly Microsoft AntiSpyware, is a program for removing, quarantining and preventing spyware. It runs on Windows 2000, Windows XP and Windows Server 2003 and is built into Windows Vista. Its beta was released on 6 January 2005, and Microsoft released updated betas on 23 June 2005 and 17 February 2006. Windows Defender's definition library is updated frequently. Unlike other free products of its kind, which can only scan the system, it also monitors the system in real time, removes installed ActiveX plug-ins, and clears the history records of most Microsoft programs and other commonly used programs.
- Advanced features: real-time protection; Internet Explorer integration; Software Explorer
- Windows Vista-specific functionality: blocks all startup items that require administrator privileges

Windows Live OneCare
Windows Live OneCare (also OneCare, LIVE ONECARE; no Chinese name was fixed, OneCare meaning "one care") was the antivirus software under Microsoft's Windows Live brand and Microsoft's first antivirus product in the security protection field. Its functions included ProtectionPlus (antivirus, anti-spyware, firewall, automatic updates), PerformancePlus (disk defragmentation, junk cleanup, automatic backup) and Backup and Restore. OneCare also worked with Windows Update to provide automatic Windows system updates, and offered live help (24 hours, 7 days). Discontinued.

Microsoft Security Essentials
Microsoft Security Essentials (MSE) is a free antivirus software product for Microsoft Windows operating systems that provides protection against different types of malware such as computer viruses, spyware, rootkits and trojan horses. Unlike the Microsoft Forefront family of enterprise-oriented security products, Microsoft Security Essentials is geared for consumer use. Microsoft Security Essentials received positive reviews upon its release. In September 2011 it was the most popular antivirus software product in North America and the second most popular in the world.

Autorun
- The AutoPlay mechanism: autorun.inf
- Security problems of AutoPlay
- Disabling AutoPlay

Events and auditing
- Log service: when Windows starts, the EventLog service starts automatically. All users can view the application and system logs; only administrators can access the security log. By default the security log is off; it can be enabled with Group Policy. Administrators can also set an audit policy in the registry so that the system stops responding when the security log is full.
- Event Viewer: watch for notable events such as logons and failed logons
- Customize which security events are recorded: "Local Security Settings"
- Three kinds of events/logs:
  - Application log: events recorded by applications or system programs. For example, a database program may record a file error in the application log. The program developer decides which events to record.
  - System log: events recorded by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. Windows predetermines the event types recorded by system components.
  - Security log: security events such as valid and invalid logon attempts, and events associated with resource use such as creating, opening or deleting files. The administrator specifies which events are recorded in the security log. For example, if logon auditing is enabled, attempts to log on to the system are recorded in the security log.
- Four types of events:
  - Error: a significant problem such as loss of data or functionality. For example, if a service fails to load during startup, the error is recorded.
  - Warning: an event that is not very significant but may indicate a future problem. For example, a warning is recorded when disk space is low.
  - Information: an event describing the successful operation of an application, driver or service. For example, an information event is recorded when a network driver loads successfully.
  - Success audit: an audited security access attempt that succeeded. For example, a user's successful attempt to log on to the system is recorded as a success audit event.
  - Failure audit: an audited security attempt that failed. For example, if a user tries to access a network drive and fails, the attempt is recorded as a failure audit event.

Task Manager
- Watch for abnormal processes: svch0st.exe, wsript.exe
- taskmgr / tasklist / taskkill
- tasklist /m

Registry
- C:\Windows\System32\Config, users' home directories
- Regedit.exe
- Modifying the registry: by hand; hack/crack methods; optimization tweaks

Auto-start programs (startup points)
- Documents and Settings, per-user "Start Menu\Programs\Startup"
- Documents and Settings\All Users\"Start Menu\Programs\Startup"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Other tools: Winternals / Sysinternals
- Several freeware tools to administer and monitor computers running Microsoft Windows. Microsoft acquired Sysinternals in July 2006.
- procexp, regmon, filemon, diskmon, tcpview, portmon, RootkitRevealer
- The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July 2006. Whether you're an IT Pro or a developer, you'll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.

Sony, Gone Too Far
"Sony, Rootkits and Digital Rights Management Gone Too Far", Mark Russinovich:
"Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my "Unearthing Rootkits" article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:"

Sysinternals utilities
- FileMon: this monitoring tool lets you see all file system activity in real time.
- RegMon: this monitoring tool lets you see all Registry activity in real time.
- TCPView: active socket command-line viewer; stat.exe
- DiskMon: captures all hard disk activity or acts like a software disk activity light in your system tray.
- PsFile: see what files are opened remotely.
- Process Monitor: monitor file system, Registry, process, thread and DLL activity in real time.
- Process Explorer: find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
- ListDLLs: list all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded modules.
- PsList: show information about processes and threads. (tasklist/taskkill)
- Autoruns: see what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
- Handle: this handy command-line utility will show you what files are open by which processes, and much more.
- RootkitRevealer: scan your system for rootkit-based malware.
- EFSDump: view information for encrypted files.
- SDelete: securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
- Streams: reveal NTFS alternate streams.
- Sigcheck: dump file version information and verify that images on your system are digitally signed. (sigverif.exe)
- File and disk utilities: Junction: create Win2K NTFS symbolic links (linkd.exe). MoveFile: schedule file rename and delete commands for the next reboot; this can be useful for cleaning stubborn or in-use malware files. PendMoves: see what files are scheduled for delete or rename the next time the system boots. Streams: reveal NTFS alternate streams.
- The PsTools suite: PsExec: execute processes remotely; PsFile: shows files opened remotely; PsGetSid: display the SID of a computer or a user; PsInfo: list information about a system; PsKill: kill processes by name or process ID; PsList: list detailed information about processes; PsLoggedOn: see who's logged on locally and via resource sharing (full source is included); PsLogList: dump event log records; PsPasswd: changes account passwords; PsService: view and control services; PsShutdown: shuts down and optionally reboots a computer; PsSuspend: suspends processes.
- Desktops: this new utility enables you to create up to four virtual desktops and to use a tray interface or hotkeys to preview what's on each desktop and easily switch between them.

Firewall: ICF
- ICF: Internet Connection Firewall
- ICS: Internet Connection Sharing
- Other firewalls: personal firewalls: 金山网镖 (Kingsoft), 天网 personal firewall; commercial products; hardware vs. software; Netfilter/iptables in Linux
- N-Byte: Google "N-Byte, 网络守望者"; http:/
- NDIS, Network Driver Interface Specification, by MS and 3Com; in Windows and also in Linux and FreeBSD (NdisWrapper). A "wrapper" that hides the differences at layer 2 (LLC) and serves layer 3, the network layer (another LLC abstraction is ODI, Open Data-Link Interface). Hook.

IIS
- IIS 7.0, in Vista and Windows Server 2008
- The servers currently include FTP, SMTP, NNTP and HTTP/HTTPS
- Behind Apache HTTP Server
- The infamous Code Red worm
- IIS logs: in C:\WINDOWS\system32\Logfiles
- Authentication mechanisms supported by IIS 5.0 and higher: Basic access authentication: plaintext password; Digest access authentication: uses a hash; Integrated Windows Authentication, which refers to the SPNEGO, Kerberos and NTLMSSP authentication protocols with respect to SSPI functionality introduced with the Microsoft Windows 2000 operating system; .NET Passport Authentication; Windows Live ID
- IIS authentication configuration interface

HTTPS lab demonstration
- HTTPS: CA, certificate, IE, SSL+HTTP
- Configure a CA
- Personal certificate for IE
- Server certificate for IIS
- Other uses of certificates

Vulnerabilities and patches
- Update: functional updates vs. security updates; IE7 / WMPlayer 11
- Patches: hotfix, service packs; incoming XP SP3 / Vista SP1
- Patches for Linux/Unix

This is what happens when you don't install patches (forum post):
Sender: at2011518 (Win7 broke, went back to XP, and suddenly the whole world looks bright), board: ITExpress. Subject: Damn, someone hacked my computer at about 4 a.m. last night. Posted from: 水木社区 (Fri May 4 11:02:51 2012), on-site.
"This is what happens when you don't install patches. Last night I was downloading something and had mapped my computer's IP to the public network, and I got hit. The hacker put something called an S scanner on my computer, but it seemed to keep getting deleted by my Norton antivirus, so it actually uninstalled my Norton! This morning I wanted to scan what I had just downloaded for viruses and found that Norton was gone. Then I looked at the event log and discovered all of this."
- WUS
- Win9x share vulnerability analysis: Vredir.vxd.doc

Vista security: UAC, User Account Control
UAC aims to improve the security of the operating system by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to compromise the operating system.
Tasks that will trigger a UAC prompt:
- Right-clicking and clicking Run as administrator
- Changes to files in %SystemRoot% or %ProgramFiles%
- Installing and uninstalling applications
- Installing device drivers
- Installing ActiveX controls
- Changing settings for Windows Firewall
- Changing UAC settings
- Configuring Windows Update
- Adding or removing user accounts
- Changing a user's account type
- Configuring Parental Controls
- Running Task Scheduler
- Restoring backed-up system files
- Viewing or changing another user's folders and files

BitLocker
Another significant new feature is BitLocker Drive Encryption, a data protection technology included in the Enterprise and Ultimate editions of Vista that provides encryption for the entire operating system volume. BitLocker can work in conjunction with a Trusted Platform Module chip (version 1.2) that is on a computer's motherboard, or with a USB key.
BitLocker provides three modes of operation. The first two modes require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:
- Transparent operation mode: this mode exploits the capabilities of the TPM 1.2 hardware to provide a transparent user experience; the user logs on to Windows Vista as normal.
- User authentication mode: this mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS.
The final mode does not require a TPM chip:
- USB key: the user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment.

Trusted Platform Module
- The TPM specification is the work of the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 103, published on July 9, 2007.
- TCG, Trusted Computing Group, successor to the Trusted Computing Platform Alliance (TCPA), is an initiative started by AMD, Hewlett-Packard, IBM, Infineon, Intel, Microsoft and Sun Microsystems to implement Trusted Computing.
- TC, Trusted Computing: digital rights management; protection from viruses and spyware; identity theft protection

IE 7
- IE7's new security and safety features include a phishing filter, IDN with anti-spoofing capabilities, and integration with system-wide parental controls.
- Cipher strength: 256-bit (only for Vista; XP only supports 128-bit)
- Support for Extended Validation Certificates (EV)
- Protected Mode (available in Vista only), whereby the browser runs in a sandbox with even lower rights than a limited user account.

IE 8

IE 9
- Internet Explorer 9 Security Part 1: Enhanced Memory Protections
- Security Part 2: Protection from Socially Engineered Attacks
- Security Part 3: Browse More Securely with Pinned Sites
- Security Part 4: Protecting Consumers from Malicious Mixed Content

IE 10 security features
- DEP/NX, IE8+
- /GS compiler option: adds security markers to the application's stack boundaries at run time
- ASLR, address space layout randomization: first introduced in Vista and enhanced in Windows 8. ASLR assigns a random base address to an application when it is loaded into memory. Other memory structures such as the process environment block (PEB), thread environment block (TEB), stack and heap are also placed at random locations in memory.
- ForceASLR

IE 11
- IE11 reduces use of the vulnerable RC4 cipher suite
- Turns on TLS 1.2 by default
- Interesting new security feature: support for the WebCryptoAPI, a JavaScript API for performing basic cryptographic functions.

Firewall in Vista
As part of the redesign of the network stack, Windows Firewall has been upgraded with new support for filtering both incoming and outgoing traffic. Advanced packet filter rules can be created which can grant or deny communications to specific services.
Before

Domain security
Elements of a domain:
- How resources are organized
- Objects: subjects
- Objects: objects
- Logical relationships between objects
- Access: read, write, execute
- Administrators and users
- Records and logs
Logon and credentials:
- Object identifiers; security tokens
- Passwords, password-derived keys, fingerprints, smart cards, USB keys, public key / certificate / private key
- Separation of resources and authentication services
- Cross-domain authentication and resource access
Domain-like systems:
- SMB file sharing, Samba file sharing, NFS
- Local OS: Windows: registry / SAM, Kerberos
- Local OS: Linux: /etc/passwd
- Network domain: AD: Kerberos + LDAP + DNS
- Network domain: Linux / Kerberos
Clusters and cloud platforms:
- Linux clusters, Windows clusters
- Cloud computing: GAE, AWS, Azure, SAE, BAE
Domain mechanisms in Web Services: WSDL, UDDI, SAML, XML Sig/Sec
Groupware (collaborative software): Office OneNote, SharePoint, Groove, Lotus Domino/Notes, Exchange Server / Outlook, OA

(Windows) domain security
- Domain controller: Active Directory
- Domain members (computers/users)
- Domain users: roaming profiles, (network) home directory
- Advanced: clusters

Good network administration starts with using a Windows domain (quoted article):
"The information supervisor of a certain power company called and asked: 'Is there any decent network management software? Now that there are more machines, one per person, the problems keep growing: people guessing each other's passwords, losing files, losing accounts, systems crashing all day long, playing games at their desks, misusing the printers... in short it is a mess and hard to manage. Even when I see it myself, since we get along well I am embarrassed to say anything, and saying it would not help much anyway. My position as information supervisor really is in name only.' After listening, I was struck that, after Microsoft's desktop systems have been in the Chinese market for so long, so many people still do not know that the Windows domain service is the real tool for managing desktops." http:/

Domain controller: Active Directory
- Recommended: use the "Configure Your Server Wizard", which automatically uses the .local domain suffix
- Or use "Manage Your Server" and define the domain name yourself
- DNS & IP: suppose this machine is named ad and the domain is (as in the figure); then this field apparently should contain the corresponding name. The figure is misleading. It is also recommended to install the DNS service on this machine.

Joining a workstation (XP or Win7) to the domain
- Change XP's DNS IP to the domain server's IP
- Requires domain administrator authorization
- No need to change the /etc/hosts file

Domain users
- Add domain users on the domain controller
- The initial password must meet the complexity requirements, otherwise obscure errors occur

Logging on to the domain
- Possible from any domain workstation
- Default configuration does not roam: home(), desktop, files, favourites, My Documents, etc.
- Roaming configuration: \\server\d\home\zhang3; the shared path is \\server\d\home; note that the directory zhang3 grants zhang3 full control. A local copy exists and is synchronized at logon/logoff, but synchronization is slow (with large files).
- Home folder: avoids the synchronization (more efficient with large files); it can also be mapped manually.

Domain management and security
- Backup domain controller: primary domain controller (PDC), backup domain controller (BDC)
- Cluster: one node is the AD, the others join the domain; prepare shared disks (quorum disk Q and working data disk Z); with a multi-node cluster the cluster should not need to be configured on the AD; set the cluster IP address; join the cluster from the other nodes; configure IIS with its web directory on Z; test that IIS works; stop one node and check whether IIS is still available.
Quorum disk explained
- Machine A, domain controller: external 192.168.1.83/24, internal 192.168.8.83/24
- Machine B, domain member: external 192.168.1.84/24, internal 192.168.8.84/24
- A and B share the disks: Q: (q.vmdk at scsi1:0), the quorum disk; Z: (z.vmdk at scsi1:1), the working data disk. Note "disk.locking=FALSE" in the vmx config.
- Cluster external address: 192.168.1.38

IIS cluster
- Configure IIS
- Between refreshes, one node went down (because of VMware snapshots, the content is inconsistent)

ISA
ISA Server, Microsoft Internet Security and Acceleration Server, originating as Microsoft Proxy Server. ISA is a firewalling and security product based on Microsoft Windows, primarily designed to securely publish web servers and other server systems, provide stateful, application-layer firewalling, act as a VPN endpoint, and provide Internet access for client systems in a business networking environment.

VPN
- Server side: RRAS
- Client side: create a VPN dial-up connection; fix the routes
- Bridged LAN vs. NAT

Office security
- Service packs: Office 2003 SP2, Office 2007
- Macro security, macro viruses: Visual Basic for Applications, normal.dot
- Office document passwords: office password recovery
- Other file passwords: zip/rar/pdf file passwords; zip password recovery, rar password recovery, pdf password recovery
- Demonstration: Advanced ZIP Password Recovery

IPv6 security
- In Windows 2000/XP/2003/Vista/2008
- See the security section of "IPv6,IPSec导引1-概念.doc"
- http://www.ipv6ready.org/frames.html

Other network security topics
- BT, campus networks, ISP broadband
- Switches / routers / NAT gateways; violations, rate limiting, blocking
- Wireless security: signal radiation, access control

Appendix: DDK/WDK
- Windows XP/2003/Vista
- Visual Studio .NET 2003/2005/2008
- Windows DDK/WDK 6000.16386.061101-2205-LRMWDK.A.ISO
- C:\WinDDK\6000\src\*
- An example: google("filedisk")

Bookmark: MS Security http:/

Q&A
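The accounts-and-groups slides above mention that a SID has a string form S-1-N-Y1-Y2-... and a binary form without spelling out the layout. The following added example (not part of the lecture materials) converts between the two forms and adds the checks a defender would run on an account's SID: rejecting malformed input and recognising the built-in Administrator by its RID even after the account has been renamed. The binary layout it assumes is the documented Windows SID structure: revision byte, sub-authority count byte, a 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer.

```python
import struct

# Added example, not from the lecture slides. Binary SID layout (documented
# Windows structure): revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), sub-authorities (32-bit LE each).
MAX_SUB_AUTHORITIES = 15


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-N-Y1-...' into the binary layout; rejects malformed input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("SID field out of range: %r" % sid)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % sid)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Decode the binary layout; the count byte must agree with the blob length."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob header inconsistent with its length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority, naming the account in its domain."""
    return int(sid.rsplit("-", 1)[1])


def is_builtin_administrator(sid: str) -> bool:
    """True for the built-in Administrator of a domain or local SAM: RID 500 under
    an S-1-5-21-<three domain sub-authorities> prefix, whatever the account is named."""
    parts = sid.split("-")
    return len(parts) == 8 and parts[1:4] == ["1", "5", "21"] and rid(sid) == 500


if __name__ == "__main__":
    # Constructed sample: BUILTIN\Administrators and a made-up domain Administrator.
    for s in ("S-1-5-32-544", "S-1-5-21-1004336348-1177238915-682003330-500"):
        blob = sid_to_bytes(s)
        print(s, blob.hex(), bytes_to_sid(blob), is_builtin_administrator(s))
```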