Lecture notes: Security Protocols and Standards

Windows Security

Outline: Windows architecture; users and logon; files and NTFS; system file protection; events and auditing; firewall (ICF); IIS; vulnerabilities and patches; Vista security; domain security; ISA; Office security; appendix: DDK/WDK

Windows architecture
- Windows 2000 architecture
- Windows 2008 with Hyper-V

Windows security design goals
- A consistent, robust, object-based security model
- Meets the security needs of commercial users
- Lets several users on one machine share resources securely: processes, memory, devices, files, network

Security model
- Servers manage and protect objects of every kind
- Clients access objects through servers
- The server impersonates the client to access the object, and the result is returned to the client

Users and logon
- The highest security level used by commercial systems is generally C2, which balances usability and security; Windows NT was certified at C2
- C2 access control and protection: users are accountable for their own actions, and the system can track every process and record what a given user did; object reuse is prevented, and the security (reference) monitor is guaranteed to be effective; users can set other users' permissions on their own data
- Trusted Computer System Evaluation Criteria: the TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. It has been superseded by the Common Criteria, an international standard (ISO/IEC 15408).

Accounts and groups
- User accounts: the information needed to define a user, including password, group memberships, logon restrictions and security identifier (SID)
- Groups: Administrators, Guests, Backup Operators, Remote Desktop Users, Users, Power Users
- Account identifier: the security identifier (SID), unique in time and space; written S-1-N-Y1-Y2-Y3-Y4; has a string form and a binary form; sysprep.exe (regenerates the machine SID of a cloned installation)

Users, groups and passwords
- Password / passphrase (password/passwd)
- Choose a password that is easy to remember but hard for others to guess; avoid common words, phrases, abbreviations, birthdays, ID numbers and default passwords; make it long enough that exhaustive search is impractical (8 characters or more); do not reuse one password across accounts
- Blank passwords and automatic logon
- Smart cards, USB tokens
- One password attack: search Google for the MD5 hash of the password
- CTRL-ALT-DEL: the secure attention sequence exists for security; for convenience it can be disabled through policy
- Other security policies are set in "Local Security Settings"
- Input method editor (IME) vulnerability: the first, in the Windows 2000 standard IME, was also exploitable at the remote desktop logon screen; the second, in Vista with the Google IME, was reachable over a remote desktop connection while the session was locked

Remote desktop (RDP - remote desktop protocol)
- Connecting to XP allows a single user; connecting to Windows Server allows multiple users
- User right: membership in the Remote Desktop Users group
- Speed and color depth are adjustable, up to 32-bit color (gpedit.msc)
- A Windows desktop can also be reached from a Linux client

Files and NTFS
- FAT: FAT16, FAT32, VFAT
- NTFS: long file names, encryption and compression, security, capacity and performance, streams
- Extensions: show file extensions; hidden files: show hidden files; file icons (an executable can carry a document icon)
- File security attributes; access isolation between users (lab exercise)
- The administrator's all-powerful rights: daily work should not be done with administrator privileges

System file protection
- System files: windows\system32 *.sys/.dll/.ocx/.ttf/.fon/.exe and so on
- File verification mechanism (signatures): sigverif.exe
- Monitoring and recovery: D:\WINDOWS\system32\dllcache, the installation CD
- Signing installation files with SignTool (Windows Installer .msi files): on the development computer, install the certificate you want to sign with; open the Visual Studio command prompt; change to the directory containing the .msi; sign it with

  signtool sign /sha1 CertificateHash SetupFile.msi

FinalData (a data recovery product; the lesson for security is that deleted files remain recoverable)
1. Improve data protection and integrity by pre-installing FINALDATA: Delete Protection protects important files and directories against deletion; File Delete Manager automatically backs up files being deleted
2. Easy and useful recovery tools: File Preview checks the contents of image files, MS Office documents or HTML files before recovering; File Viewer extracts the text contained in a damaged file
3. Damaged CD-ROM recovery: recovers data from damaged sectors of CD-RW and CD-R media; supports CDFS, UDF
4. Fully compatible with Windows 9x/ME/NT4.0/2000/XP; supports FAT12/16/32 and NTFS

EFS - Encrypting File System
- How EFS works: files are stored encrypted on disk (rather than relying on access restrictions alone)
- Certificate and private key management: create, back up, restore
- Lesson from EFS: encrypted files and partitions become unusable after the system is reinstalled unless the previous certificate and private key are restored
- Parties in EFS: user, administrator, data recovery agent

Windows Defender
- Windows Defender, formerly Microsoft AntiSpyware, removes, quarantines and prevents spyware. It runs on Windows 2000, Windows XP and Windows Server 2003 and is built into Windows Vista. A beta was released on January 6, 2005, with updated betas on June 23, 2005 and February 17, 2006. Its definition updates are frequent. Unlike other free products of its kind, which can only scan the system, it also monitors the system in real time, removes installed ActiveX controls, and clears the history kept by most Microsoft programs and other common programs.
- Advanced features: real-time protection; Internet Explorer integration; Software Explorer; Vista-specific: blocks all startup items that require administrator privileges

Windows Live OneCare
- Windows Live OneCare (also written onecare or LIVE ONECARE; it had no official Chinese name) was the antivirus product of Microsoft's Windows Live family and Microsoft's first antivirus product. Its functions: ProtectionPlus (antivirus, anti-spyware, firewall, automatic updates), PerformancePlus (disk defragmentation, junk cleanup, automatic backup), Backup and Restore. OneCare also worked with Windows Update to deliver automatic Windows updates and offered live help (24 hours / 7 days). Discontinued.

Microsoft Security Essentials
- Microsoft Security Essentials (MSE) is a free antivirus software product for Microsoft Windows operating systems that provides protection against different types of malware such as computer viruses, spyware, rootkits and trojan horses. Unlike the Microsoft Forefront family of enterprise-oriented security products, Microsoft Security Essentials is geared for consumer use. It received positive reviews upon its release; in September 2011 it was the most popular antivirus product in North America and the second most popular in the world.

Autorun
- AutoPlay mechanism: autorun.inf; the security problems of AutoPlay; disable AutoPlay

Events and auditing
- Log service: the EventLog service starts automatically when Windows starts. All users can view the application and system logs; only administrators can access the security log. By default the security log is not enabled (no audit policy is set); it can be enabled through group policy. Administrators can also set the audit policy in the registry (the CrashOnAuditFail value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) so that the system halts when the security log is full.
- Event Viewer: watch for particular events such as logons and logon failures. Which security events are recorded is configured in "Local Security Settings".
- Three kinds of events / logs:
  - Application log: events recorded by applications or system programs; for example, a database program may record file errors in the application log. The program's developer decides which events to record.
  - System log: events recorded by Windows system components; for example, a driver or other system component that fails to load during startup is recorded in the system log. Windows predetermines which event types system components record.
  - Security log: security events such as valid and invalid logon attempts, and events tied to resource use such as creating, opening or deleting files. The administrator specifies what is recorded in the security log; for example, if logon auditing is enabled, attempts to log on to the system are recorded there.
- Four event types:
  - Error: a significant problem such as loss of data or functionality; for example, a service that fails to load during startup is logged as an error.
  - Warning: not necessarily serious, but possibly indicating a future problem; for example, low disk space produces a warning.
  - Information: a successful operation of an application, driver or service; for example, a network driver that loads successfully logs an information event.
  - Success audit: an audited security access that succeeded; for example, a user's successful logon is recorded as a success audit.
  - Failure audit: an audited security access that failed; for example, a user's failed attempt to access a network drive is recorded as a failure audit.

Task Manager
- Watch for abnormal processes, including look-alike names such as svch0st.exe and wsript.exe (mimicking svchost.exe and wscript.exe)
- taskmgr / tasklist / taskkill; tasklist /m lists the modules loaded in each process

Registry
- Hive files: C:\Windows\System32\Config; the user's hive lives in the user's home directory
- Regedit.exe
- Modifying the registry: by hand; hack/crack tools; optimization and tuning tools

Auto-start programs (startup points)
- Documents and Settings\<user>\Start Menu\Programs\Startup
- Documents and Settings\All Users\Start Menu\Programs\Startup
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Other tools
- Sysinternals (formerly the freeware of Winternals): several free tools to administer and monitor computers running Microsoft Windows; Microsoft acquired Sysinternals in July 2006: procexp, regmon, filemon, diskmon, tcpview, portmon, RootkitRevealer
- The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. "Whether you're an IT Pro or a developer, you'll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications."

Sony, Gone Too Far
- "Sony, Rootkits and Digital Rights Management Gone Too Far", Mark Russinovich: "Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my 'Unearthing Rootkits' article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application."

Sysinternals tools
- FileMon: see all file system activity in real time
- RegMon: see all Registry activity in real time
- TCPView: active socket viewer (command-line counterpart: netstat.exe)
- DiskMon: captures all hard disk activity, or acts as a software disk activity light in the system tray
- PsFile: see what files are opened remotely
- Process Monitor: monitor file system, Registry, process, thread and DLL activity in real time
- Process Explorer: find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more; it even shows who owns each process
- ListDLLs: list all currently loaded DLLs, where they are loaded and their version numbers; version 2.0 prints the full path names of loaded modules
- PsList: information about processes and threads (cf. tasklist / taskkill)
- Autoruns: see what programs are configured to start automatically when the system boots and you log in; it also shows the full list of Registry and file locations where applications can configure auto-start settings
- Handle: shows which files are open by which processes, and much more
- RootkitRevealer: scan the system for rootkit-based malware
- EFSDump: view information for encrypted files
- SDelete: securely overwrite sensitive files and cleanse free space of previously deleted files (DoD-compliant secure delete)
- Streams: reveal NTFS alternate streams
- Sigcheck: dump file version information and verify that images are digitally signed (cf. sigverif.exe)
- File and disk utilities: Junction creates NTFS symbolic links on Windows 2000 (cf. linkd.exe); MoveFile schedules file rename and delete commands for the next reboot, useful for cleaning stubborn or in-use malware files; PendMoves shows which files are scheduled for delete or rename at the next boot
- The PsTools suite: PsExec - execute processes remotely; PsFile - shows files opened remotely; PsGetSid - display the SID of a computer or a user; PsInfo - list information about a system; PsKill - kill processes by name or process ID; PsList - list detailed information about processes; PsLoggedOn - see who's logged on locally and via resource sharing (full source is included); PsLogList - dump event log records; PsPasswd - changes account passwords; PsService - view and control services; PsShutdown - shuts down and optionally reboots a computer; PsSuspend - suspends processes
- Desktops: create up to four virtual desktops, with a tray interface or hotkeys to preview what is on each desktop and switch between them

Firewall: ICF
- ICF: Internet Connection Firewall; ICS: Internet Connection Sharing
- Other firewalls: personal firewalls (金山网镖, 天网个人防火墙), commercial products, hardware vs. software; Netfilter/iptables in Linux; N-Byte (网络守望者) /soft/23149.htm/
- NDIS: Network Driver Interface Specification, by Microsoft and 3Com; used in Windows and also in Linux and FreeBSD (NdisWrapper). It is a "wrapper" that hides the differences of the layer-2 LLC and serves the layer-3 network layer (the other LLC abstraction is ODI - Open Data-Link Interface). NDIS hooking is how packet filters intercept traffic.

IIS
- IIS 7.0 ships in Vista and Windows Server 2008. The servers currently include FTP, SMTP, NNTP and HTTP/HTTPS. Second in usage behind the Apache HTTP Server. The infamous Code Red worm.
- IIS logs: in C:\WINDOWS\system32\Logfiles
- Authentication mechanisms supported by IIS 5.0 and higher: Basic access authentication (cleartext password); Digest access authentication (uses a hash); Integrated Windows Authentication, which refers to the SPNEGO, Kerberos and NTLMSSP authentication protocols with respect to the SSPI functionality introduced with Windows 2000; .NET Passport Authentication / Windows Live ID
- IIS authentication configuration dialog
- HTTPS lab demo: CA, certificate, IE, SSL+HTTP; configure a CA; issue a personal certificate to IE and a server certificate to IIS; other uses of certificates

Vulnerabilities and patches
- Update: functional updates vs. security updates (IE7 / WMPlayer 11); patches, hotfixes, service packs; upcoming XP SP3 / Vista SP1; patches for Linux/Unix
- "This is what happens when you don't install patches", a forum post:
  From: at2011518 (Win7 broke, went back to XP, and suddenly the world looks bright again), board: ITExpress, subject: Damn, someone hacked my computer at around 4 this morning, site: 水木社区 (Fri May 4 11:02:51 2012), on-site. "This is what happens when you don't install patches. Last night I was downloading something and had mapped my computer's IP to the public network, and I got hit. The hacker put some 's scanner' thing on my computer, but it seemed to keep getting deleted by my Norton antivirus, so they actually uninstalled my Norton! This morning I wanted to scan what I had just downloaded for viruses and found Norton was gone. Then I looked at the event log and found all this."
- WUS; Win9x share vulnerability analysis: Vredir.vxd.doc

Vista security
- UAC - User Account Control: aims to improve the security of the operating system by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to compromise the operating system.
- Tasks that trigger a UAC prompt: right-clicking and choosing Run as administrator; changes to files in %SystemRoot% or %ProgramFiles%; installing and uninstalling applications; installing device drivers; installing ActiveX controls; changing Windows Firewall settings; changing UAC settings; configuring Windows Update; adding or removing user accounts; changing a user's account type; configuring Parental Controls; running Task Scheduler; restoring backed-up system files; viewing or changing another user's folders and files
- BitLocker: another significant new feature is BitLocker Drive Encryption, a data protection technology included in the Enterprise and Ultimate editions of Vista that encrypts the entire operating system volume. BitLocker can work in conjunction with a Trusted Platform Module (version 1.2) chip on the motherboard, or with a USB key. It has three modes of operation; the first two require a TPM (version 1.2 or later) and a compatible BIOS:
  - Transparent operation mode: uses the TPM 1.2 hardware to give a transparent user experience; the user logs on to Vista as normal
  - User authentication mode: the user must authenticate to the pre-boot environment before the OS will boot
  - USB key mode (no TPM needed): the user must insert a USB device containing a startup key to boot the protected OS; the BIOS must be able to read USB devices in the pre-OS environment
- Trusted Platform Module: the TPM specification is the work of the Trusted Computing Group; the current version is 1.2 Revision 103, published on July 9, 2007
- TCG - Trusted Computing Group: successor to the Trusted Computing Platform Alliance (TCPA), an initiative started by AMD, Hewlett-Packard, IBM, Infineon, Intel, Microsoft and Sun Microsystems to implement Trusted Computing
- TC - Trusted Computing: digital rights management; protection from viruses and spyware; identity theft protection
- IE 7: its new security and safety features include a phishing filter, IDN with anti-spoofing capabilities, and integration with system-wide parental controls; cipher strength 256-bit (Vista only; XP supports only 128-bit); support for Extended Validation (EV) certificates; Protected Mode (Vista only), in which the browser runs in a sandbox with even lower rights than a limited user account
- IE 8, IE 9: Internet Explorer 9 Security Part 1: Enhanced Memory Protections; Part 2: Protection from Socially Engineered Attacks; Part 3: Browse More Securely with Pinned Sites; Part 4: Protecting Consumers from Malicious Mixed Content
- IE10 security features: DEP/NX; IE8 and later are built with the /GS compiler option, which inserts a security cookie at the stack frame boundary at run time; ASLR (address space layout randomization), introduced in Vista and strengthened in Windows 8, loads an application at a random base address and also places the process environment block (PEB), thread environment block (TEB), stacks and heaps at random locations; ForceASLR
- IE 11: reduces use of the vulnerable RC4 cipher suite; turns on TLS 1.2 by default; an interesting new security feature is support for the WebCryptoAPI, a JavaScript API for performing basic cryptographic functions
- Firewall in Vista: as part of the redesign of the network stack, Windows Firewall was upgraded with support for filtering both incoming and outgoing traffic; advanced packet filter rules can grant or deny communications to specific services

Before domain security
- Elements of a domain: how resources are organized; objects: subjects and objects; logical relationships between objects; access: read, write, execute; administrators and users; records and logs; logon and credentials; object identities; security tokens: passwords, password-derived keys, fingerprints, smart cards, USB keys, public key/certificate/private key; separating resources from the authentication service; cross-domain authentication and resource access
- Domain-like systems: file sharing with SMB, Samba, NFS; local OS: Windows (registry/SAM, Kerberos), Linux (/etc/passwd); network domains: AD (Kerberos + LDAP + DNS), Linux/Kerberos; clusters and cloud platforms: Linux clusters, Windows clusters, cloud computing (GAE, AWS, Azure, SAE, BAE); domain mechanisms in Web Services: WSDL, UDDI, SAML, XML Sig/Sec; groupware (collaborative software): Office, OneNote, SharePoint, Groove, Lotus Domino/Notes, Exchange server / Outlook, OA

(Windows) domain security
- Domain controller: Active Directory; domain members (computers/users); domain users: roaming profile configuration, (network) home directories; advanced: clusters
- "Good network management starts with using Windows domains": the IT manager of a power company called and asked, "Is there any decent network management software? Now that there are more machines, one per person, there are more and more problems: people guessing each other's passwords, losing data, losing accounts, systems crashing all day, playing games at their desks, misusing the printers... in short it's chaotic and hard to manage. Even when I see it myself, since we get on well I feel awkward saying anything, and saying it wouldn't help much anyway. My title of IT manager really is in name only." Hearing this I was struck: Microsoft's desktop systems have been in the Chinese market for so long, yet so many people still don't know that the Windows domain service is the tool for managing desktops. /cio22/20080421113506.shtml
- Domain controller: Active Directory: it is recommended to use the "Configure Your Server Wizard", which automatically uses .lo
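Worked example for the SID passage in the "Accounts and groups" section, added here and not part of the lecture: it takes a SID apart to show the string form S-1-N-Y1-...-Yn next to the binary form Windows keeps in tokens and ACLs, and shows why a RID check is more reliable than an account name. It assumes Windows PowerShell 3.0 or later; the function names are this example's own.

```powershell
# Added example, not from the lecture: SID string form versus binary form.
# Assumes Windows PowerShell 3.0 or later; everything here runs offline.
function Get-SidLayout {
    param([Parameter(Mandatory = $true)][string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    # Binary layout: [0] revision, [1] sub-authority count, [2..7] 48-bit identifier
    # authority (big-endian), then one 32-bit little-endian word per sub-authority.
    $authority = [long]0
    for ($i = 2; $i -le 7; $i++) { $authority = ($authority -shl 8) -bor [long]$bytes[$i] }
    $subs = @(for ($i = 0; $i -lt $bytes[1]; $i++) { [BitConverter]::ToUInt32($bytes, 8 + 4 * $i) })

    [pscustomobject]@{
        Sid            = $SidString
        Revision       = $bytes[0]        # the "1" in S-1-...
        Authority      = $authority       # the N: 5 is NT Authority
        SubAuthorities = $subs            # Y1..Yn
        Rid            = $subs[-1]        # relative identifier: the last sub-authority
        HexBytes       = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
    }
}

# The built-in Administrator keeps RID 500 even after being renamed, so decide
# by RID rather than by name. Local machine and domain SIDs both start S-1-5-21.
function Test-BuiltinAdministratorSid {
    param([Parameter(Mandatory = $true)][string]$SidString)
    $l = Get-SidLayout $SidString
    ($l.Authority -eq 5) -and ($l.SubAuthorities.Count -eq 5) -and
        ($l.SubAuthorities[0] -eq 21) -and ($l.Rid -eq 500)
}

# Current account (the same information "whoami /user" prints), then the
# well-known BUILTIN\Administrators group S-1-5-32-544 resolved back to a name.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-SidLayout $me | Format-List
Test-BuiltinAdministratorSid $me
Get-SidLayout 'S-1-5-32-544' | Format-List
(New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544').Translate(
    [System.Security.Principal.NTAccount]).Value
```

In the hex dump of S-1-5-32-544 the authority appears as the big-endian bytes 00 00 00 00 00 05 and the sub-authority 544 (0x220) as the little-endian word 20 02 00 00; reading the two byte orders wrongly is the usual mistake when parsing SIDs out of raw security descriptors.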
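Worked example for the "streams" item under "Files and NTFS", added here and not part of the lecture: it writes data into a named NTFS alternate data stream, shows that the file's visible size does not change, sweeps a directory for files carrying named streams, and removes one. It assumes PowerShell 3.0 or later on an NTFS volume; the file and stream names are invented for the demo.

```powershell
# Added example, not from the lecture: NTFS alternate data streams.
# Assumes PowerShell 3.0+ on an NTFS volume; the file and stream names are invented.
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible data in the unnamed :$DATA stream'
Set-Content -Path $file -Stream 'hidden' -Value 'data that dir, Explorer and Length do not show'

(Get-Item $file).Length                     # size of the main stream only
Get-Item -Path $file -Stream *              # lists :$DATA and hidden, with sizes
Get-Content -Path $file -Stream 'hidden'

# Sweep a tree for named streams. Zone.Identifier is the legitimate "mark of the
# web" that Explorer and IE attach to downloads; anything else deserves a look.
function Find-AlternateStreams {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length,
                @{ n = 'Suspicious'; e = { $_.Stream -ne 'Zone.Identifier' } }
    }
}
Find-AlternateStreams -Path $env:TEMP | Format-Table -AutoSize

# Streams are dropped silently when the file is copied to FAT or attached to
# mail; on NTFS they have to be removed explicitly.
Remove-Item -Path $file -Stream 'hidden'
Get-Item -Path $file -Stream *
```

The same listing is available as `dir /r` in cmd on Vista and later and from the Sysinternals Streams tool named in the tool list; the classic abuse is `type payload.exe > notes.txt:payload.exe`, which leaves notes.txt looking like an ordinary text file of its original size.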
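Worked example for the "System file protection" section, added here and not part of the lecture: it checks Authenticode signatures over the system directory the way sigverif.exe does, reports the signer so a valid signature from the wrong publisher is noticed too, and verifies an installer signed with the lecture's signtool step. It assumes PowerShell 3.0 or later; the .msi name is the placeholder from the lecture.

```powershell
# Added example, not from the lecture: signature checks on system binaries and on a
# signed installer. Assumes PowerShell 3.0+; SetupFile.msi is a placeholder name.
function Get-SignatureReport {
    param([string]$Folder = "$env:SystemRoot\System32")
    Get-ChildItem -Path "$Folder\*" -Include *.exe, *.dll, *.sys, *.ocx -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } },
                      Status,
                      @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Everything that is not 'Valid': NotSigned, HashMismatch (the file was altered
# after signing) or UnknownError (the chain does not reach a trusted root).
Get-SignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize -Wrap

# One file, with the signer's subject: a "Valid" signature is only meaningful
# together with the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\svchost.exe"
$sig.Status
$sig.SignerCertificate.Subject

# Verify the .msi produced by the lecture's "signtool sign" step. /pa selects the
# default Authenticode policy instead of the kernel-mode driver policy; /v prints
# the certificate chain.
signtool verify /pa /v SetupFile.msi
```

Caveat: most files shipped with Windows are catalog-signed rather than carrying an embedded signature. Recent Windows versions resolve the catalog in Get-AuthenticodeSignature (SignatureType shows Catalog); older ones report such files as NotSigned, which is why sigverif.exe and Sysinternals Sigcheck, both catalog-aware, remain the tools to trust for a system-wide verdict.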
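Worked example for the "Auto-start programs (startup points)" list, added here and not part of the lecture: it reads the Run keys, startup folders, Winlogon values, the `load` value and ShellExecuteHooks named in that list and flags commands that run from outside the Windows and Program Files trees. It assumes PowerShell 3.0 or later; the "trusted roots" heuristic and the function name are this example's own choices, not a Windows convention.

```powershell
# Added example, not from the lecture: enumerate the lecture's start-up points and
# flag commands outside the Windows / Program Files trees (a heuristic of this
# example). Assumes PowerShell 3.0+.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-AutoStartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            $inside = $false
            foreach ($root in $trustedRoots) { if ($cmd -like "*$root*") { $inside = $true } }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd; Suspicious = -not $inside }
        }
    }
    # Startup folders: every shortcut or executable here runs at logon.
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in Get-ChildItem -Path $folders -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Location = $f.DirectoryName; Name = $f.Name; Command = $f.FullName; Suspicious = $false }
    }
}
Get-AutoStartEntries | Format-Table -AutoSize -Wrap

# Winlogon values run before the desktop appears; malware appends its own binary
# after the comma in Userinit or replaces Shell.
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Userinit = $($wl.Userinit)"     # expected: C:\Windows\system32\userinit.exe,
"Shell    = $($wl.Shell)"        # expected: explorer.exe

# The 'load' value (the old win.ini load= line) is normally empty or absent.
(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).load

# ShellExecuteHooks: each subkey is the CLSID of a COM object Explorer loads
# whenever it launches something.
Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' -ErrorAction SilentlyContinue |
    Select-Object PSChildName
```

The path heuristic is deliberately crude: C:\Windows\Temp sits under the Windows tree and would pass, so treat "Suspicious = False" as "not obviously wrong" and compare the full list against Sysinternals Autoruns, which covers far more locations than the lecture's list.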
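Worked example for the "Events and auditing" section, added here and not part of the lecture: it enables logon auditing, then summarises failed logons from the Security log by source address and account, which is the "watch for logon failures" advice turned into a query. It assumes an elevated prompt on Vista or later, where failed logons are event ID 4625 (Windows 2000/XP used ID 529); the function name is this example's own.

```powershell
# Added example, not from the lecture: enable logon auditing and summarise failed
# logons. Assumes an elevated prompt on Vista or later (event ID 4625).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"

function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in EventData as <Data Name="...">value</Data>.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']      # 3 = network (SMB), 10 = remote desktop
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                SubStatus   = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such account
            }
        } |
        Group-Object Source, User |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize

# The "halt when the security log is full" setting mentioned in the lecture:
# 1 = stop the system instead of silently losing audit records.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').CrashOnAuditFail
```

A long run of 0xC0000064 sub-statuses from one address is a username-guessing sweep; many 0xC000006A against one account is password guessing, and a logon type of 10 means it arrived over RDP, which ties back to the remote desktop notes above.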
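Worked example for the "Vista security" section, added here and not part of the lecture: it reads the state of UAC, of the TPM and BitLocker, and of the firewall, and adds the kind of per-program outbound rule the Vista firewall introduced. It assumes an elevated prompt on Vista or later; the firewall rule name and the choice of ftp.exe as the blocked program are this example's own.

```powershell
# Added example, not from the lecture: state of UAC, TPM/BitLocker and the firewall.
# Assumes an elevated prompt on Vista or later; rule name and program are invented.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA                   # 1 = UAC on; 0 = admins always run with a full token
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 2 = consent on the secure desktop
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop       # 1 = prompt on the dimmed desktop other processes cannot draw on
}

# TPM presence and state through WMI (Win32_Tpm exists on Vista and later).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    [pscustomobject]@{
        SpecVersion = $tpm.SpecVersion
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    }
} else { 'No TPM exposed to the OS (absent, or disabled in the BIOS)' }

# BitLocker per volume: ProtectionStatus 0 = off, 1 = on, 2 = unknown.
Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Drive = $_.DriveLetter; ProtectionStatus = $_.GetProtectionStatus().ProtectionStatus } }
manage-bde -status      # Windows 7+; on Vista: cscript manage-bde.wsf -status. Also lists key protectors (TPM, PIN, startup key, recovery password)

# Firewall: profile state, default inbound/outbound policy, and a per-program
# outbound block of the kind the Vista firewall added.
netsh advfirewall show allprofiles state
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Block ftp.exe outbound" dir=out action=block program="$env:SystemRoot\System32\ftp.exe" enable=yes
netsh advfirewall firewall show rule name="Block ftp.exe outbound"
```

EnableLUA = 0 with an administrator account reproduces the XP situation the "daily work should not be done with administrator privileges" note warns about; a TPM that is present but not activated, or a volume with ProtectionStatus 0, means BitLocker's transparent mode cannot be relied on even though the edition supports it.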
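Worked example for the IIS authentication list, added here and not part of the lecture: it decodes a Basic authentication header to make the "cleartext password" point concrete, then uses appcmd on IIS 7 to turn Basic off server-wide, enable Integrated Windows Authentication, and require SSL on a site where Basic must stay. It assumes IIS 7 with the default site name "Default Web Site"; the header value is the well-known example credential from RFC 2617 (user Aladdin, password "open sesame"), and the function name is this example's own.

```powershell
# Added example, not from the lecture: Basic authentication is only base64, and
# how to keep it off or behind SSL in IIS 7. Site name is IIS's default one.
function ConvertFrom-BasicAuthHeader {
    param([Parameter(Mandatory = $true)][string]$HeaderValue)   # e.g. 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='
    $b64  = $HeaderValue -replace '^\s*Basic\s+', ''
    $pair = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $user, $pass = $pair -split ':', 2           # password may itself contain ':'
    [pscustomobject]@{ User = $user; Password = $pass }
}
# The RFC 2617 example header: anyone on the path reads Aladdin / open sesame.
ConvertFrom-BasicAuthHeader 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='

$appcmd = "$env:SystemRoot\System32\inetsrv\appcmd.exe"

# Server-wide: Basic off, Integrated Windows Authentication (Kerberos/NTLM via SPNEGO) on.
& $appcmd set config /section:system.webServer/security/authentication/basicAuthentication /enabled:false
& $appcmd set config /section:system.webServer/security/authentication/windowsAuthentication /enabled:true

# If Basic must stay for non-Windows clients, require SSL on the site so the
# Authorization header never travels in the clear. The access section is locked at
# server level, so the site setting is committed into applicationHost.config.
& $appcmd set config "Default Web Site" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

# Confirm what is actually enabled; anonymous access is on by default.
& $appcmd list config "Default Web Site" /section:system.webServer/security/authentication/anonymousAuthentication
& $appcmd list config "Default Web Site" /section:system.webServer/security/authentication/basicAuthentication
```

Digest authentication, the next item in the lecture's list, avoids the cleartext problem but still requires the server to hold a reversible or MD5-based form of the password, which is why Integrated Windows Authentication over the domain's Kerberos is the preferred choice inside a Windows domain.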