Security Overview
The object of security is to protect data and it’s availability being compromised by malice or by accident. In Windows there are two main strands to security – specific access permissions and authentication. Specific permissions can be applied to users, groups, or resources. Authentication confirms to the machine or network that a user has an account with permissions to log on.
Use the buttons below to navigate through the lesson
Individual servers and workstations need protection. As do the connections between them – especially if the connection is over the internet. In addition to making organisational precautions through software settings, attention should be given to the physical security of the system. The items illustrated can all be physically removed from a machine or indeed a building and therefore may require physical security.
A last theme of security is that of Auditing. This allows the administrator to view the history of who has attempted to access a resource and whether they succeeded. Security can be set at the level of the individual machine or across a wider unit such as a domain. In each case the principles of securing the hardware, software and user access apply.
Security Considerations
Passwords are a principal device for restricting access to a machine or network. However, passwords can be guessed or stolen. To guard against theft or discovery, passwords should be changed frequently. Windows can enforce a password changing policy upon its users. To counter guessing, quite simply, the passwords need to be made as long and as complex as is practicable.
A single letter password chosen from a…z might be guessed after 26 attempts. A two – letter password has 26 times more possibilities (676). The following table shows this sequence of increasing complexity:
1 – 26 possibilities
2 – 676 possibilities
4 – 456976 possibilities
8 – 208827064576 possibilities
For passwords using a…z
Windows permits passwords of up to 127 characters, but recommends at least 7 for a password.
A single letter password chosen from a to z gives a base of 26 elements, but if the choice of elements includes upper-case letters and other symbols, thus the complexity level is increased significantly, and the password integrity is strengthened. The length and the composition of a user’s password can be specified in a security policy, either for an individual machine or for a domain. The lifetime of a password can also be set by this policy and the reuse of old passwords may also be prevented.
In summary, for a password to be strong and difficult to crack, it should:
- Be at least seven characters long.
- Be significantly different from your previous passwords.
- Not contain your own name or user name. (Nor the name of spouse, children, pets etc.)
- Not be a common word or name.
- Have at least one symbol character in the second through sixth positions.
- Contain Letters a-z, A-Z, Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 and Symbols` ~ ! @ # $ % ^ & * ( ) _ + – = { } | [ ] \ : ” ; ‘ < > ? , . /
There are many facets of computer operation which need protection from unwarranted interference.
Files
Files need to be read by some users, modified by other users, backed up by yet other users, encrypted by owners and hidden from most! This is apart from needing to create files, delete files and share them across a network. Each of these is possible simultaneously in Windows because of the facility to set individual detailed permissions.
Granting Permissions
There is a permission for viewing and changing permissions on files and folders. When new resources are created, this permission needs to be configured carefully.
Domains And Sites
Permissions for access to larger units such as a domain are separate from those granted for local resources. Changes to one aren’t reflected in the other. For example if a user’s account is disabled for a local resource, the domain account may still be active.
Configuration
Settings for users or sites can be made so that such things as Control Panel and Administrative Tools are not available to a user or range of users. This is used to enhance security, but it can also be used to enforce corporate themes and identities across users’ desktops.
Installing Applications
The facility to install applications should not be distributed lightly. Non-standard, unsupported or defective applications can be a drain upon available technical support time, and interfere with multi-layer processes. This facility can be controlled quite closely with Windows.
Network Access
Rogue servers and users can attach themselves to a network, pretending to be something they’re not and gain access to private data. Long cable runs and internet links are weak points for the monitoring of traffic – hence a need for encryption.
Kerberos v5
Kerberos V5 is the primary security protocol for authentication within a domain. (Windows can use others such as SSL, TLS & NTLM.) The Kerberos V5 protocol verifies both the identity of the user to the network services and the service to the user. This form of verification is known as mutual authentication. Kerberos is named after the legendary 3-headed hound which guarded the gateway to Hades, the ancient Greek version of Hell.
The Kerberos V5 authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including a users encrypted password and unique SID that confirms the user’s identity to the requested service. Except for possibly entering an additional password or smart card credentials, the entire authentication process is invisible to the user. Kerberos v5 authentication is automatically enabled when you install Windows 2000/XP and Server 2003. For Kerberos to work, both the client and the machine the resource resides upon must be running Windows 2000 or later.
Tickets that are successfully Authenticated against the records in Active Directory grants the user access to the various resources in the domain for which he has permission without him having to identify himself with a user name and password each time. All this is invisible to the user and also largely, to the administrator. However, it is useful to be able to understand the authentication procedure Kerberos uses.
NTLM Authentication
Pre-Windows 2000 clients use a protocol called NTLM (NT LAN Manager) to authenticate on the network. For backward compatibility Windows Server 2003 continues to support NTLM authentication. NTLM uses less secure authentication and is not as preferable as Kerberos however for NT 4.0 and Windows 9x/Me it is the only available authentication protocol.
