Windows2000WindowsXP网络安全

SEC400:Windows®2000/WindowsXP网络安全张执玉系统工程师微软（中国）有限公司大纲企业网络客户端威胁和防范InternetconnectionfirewallIPsecurity企业网络客户端LargegroupsoftrustedusersandcomputersTypically…InsecuresystemsUsedbytrustedusersUsersarelocaladministratorsLittlecentralcontroloversecurityUsersinstalluntrusted,possiblyinfectedsoftwareMobile–connecttomanypublicnetworks,thenbacktobusinessnetwork企业网络客户端“Ourfirewallwillprotectus”Wrong!NoprotectionfrominternalsystemsWhere’sthedefenseindepth?Infectede-mailspreadseasilywithinBack-doorTrojansleapfrommachinetomachineOftenconnectedtopublicnetworksdirectlyTrojansAndViriiDeliveredthroughe-mailorinfectedprogramsRunasloggedonuserVerybadifit’sacorp-trusteduser!DeadlyifuserislocaladminSendpersonaldatatoattackersIdentitytheftofuserIDandpasswordSensitivedatatheftSendmaliciousdatatoattackothersOpenholesforaccessfromInternetEnableattackertocontrolyourPCEnableyourmachinetostoreandserve“bad”data系统安全危机AttackeraccessfromInternetPortscanisn’tanattack,butprobingforweaknesses,oncein:RunscriptsscanningforknownweaknessesStealyourdata,passwordsInfectyourcomputerwithtrojanstospreadinfectionBackupswon’thelpifnot“clean”NetworktrafficisvisibleNetworkaddresses,e-mail,WebpageURLs,Webpagecontent,datafiles,passwordformsPassivecollectionleadstodatabasetrackingPortScan防范DefenseindepthNetworkPlatformApplicationUsersDefinepoliciesWithoutthese,everythingelseisuselessTestenforcementMonitoradherence防范Principleofleastprivilege(POLP)Usersaren’tlocaladministratorsTrustthosewhoareadmins,thoughConfiguretrustrelationshipsonlywherethereisabusinessneedAppropriateaccesslistsandrights,againfollowingbusinessneeds防范TrustedplatformfortrustedusersAnti-virusprogramsUp-to-datepatchesandservicespacksAdministrator-managedandsecuredClientmachinesjoinedtoWindows2000orWindowsXPDomainmakesclientadminscalableUsersarepowerusersandmaybenetworkoperators(WindowsXP),don’tloginwithadministratorrights防范防止不必要的网络访问Perimeterprotection(firewalls,routers)End-systemfirewallAuthenticated,authorizednetworkconnectionsTousenetwork–802.1x(seewirelesstalk)IPsecurityOutboundrestrictions,tooEndsystemfilteringwithIPSecPerimeterfiltering防范经过保护的通信DigitallysignandencryptApp:SSL/TLSconnectionsAdmin:IPSectransportmodeAdmin/User:VPNTunnels–PPTP,L2TP/IPSecMaylimitabilitytoinspect,butcanyoureally?AnonymousaccessisfineforpublicinformationConsiderwhat’struly“public”Ifyouhavetologontogetinfo,thenit’snot“public”WindowsXPInternetConnectionFirewallAddressesthreatofun-solicitednetworkaccessInternetConnectionFirewallInWindowsXPHome,WindowsProfessional,WindowsServerEnabledonaper-interfacebasisDropsallIPunicasttrafficinboundExemptsmulticast,broadcastUnlessamappingexistsNo“danger”dialogsUsersdon’tunderstandUsersunabletotakeactionInternetConnectionFirewallStatefulper-connectionflowentryUsessourceanddestinationportsonoutboundconnectiontocreateflowentryConnectionsclosedbyTCP:ACK-FINandRSTUDP:Time-outICF激活要点Outofboxexperience(OOBE)WizardOnfirst-bootonHomeEditionNetworksetupwizardSetsuphomeandsmallofficenetworksAvailableonHomeandProfessionalNewconnectionwizardEnabledbydefaultforDUN,PPPoEOptiontoenableonVPNNetworkconnectionsfolderPropertiessheetofnetworkconnectionICF使用场景HomeEnableonsinglePCdirectlyconnectedtotheInternetviabroadbandEnabledwhenInternetConnectionSharingusedforhomenetworkingBusinessandmobileGrouppolicyflagcandisableforenterpriseLocationawarenessallowsusertotakelaptopandprotectitwhileoutsidetheofficeICF服务选项AllowsuserswhorunservicesonlocalPCorhomenetworktocreateportmappingsProvidesetofpre-definedservicesUsercancreatenewmappingsICF日志选项NologgingbydefaultOptiontologunsuccessfulconnectionsOptiontologsuccessfulconnectionsOptionforlogfilename,location,andsizeICFICMP选项DisabledICMPoptionsType3Type4Type5Type8Type10Type11Type12Type13Type17ICFProtectionWindows2000和WindowsXPInternet协议安全Addressesthreats:Un-solicitednetworkaccessPassiveinterceptionofsensitivenetworktrafficTrustedusershavingtoomuchnetworkaccessIPSec功能IPPacketFilteringPermit,block,negotiatesecuritySecurecommunicationMutualauthenticationSenderandreceiverknoweachother,trustPacketconfidentiality=EncryptionOnlysenderandreceiverknowcontentsPacketintegrity=CryptographicChecksumTamperedpacketsarediscardedAdministrativelyappliedbelowapplicationsNochangeinapplicationsneededNochangeinnetworkneeded,exceptportfilters如何应用IPSecNetworkadministratordesignsagroupofconfigurationsettingsCalledan“ipsecpolicy”NeedtounderstandIPtrafficrequiredbyapplications,bysystemLikeafirewallorrouterACLUsetheIPSecpolicymanagementMMCsnapinUse“LocalSecurityPolicy”tocreatestaticpoliciesstoredinregistryUseActiveDirectory™grouppoliciesforcentralizedmanagementUseIPSECPOL.EXE(Windows2000)orIPSECCMD.EXE(WindowsXP)tocreatestaticanddynamicpoliciesatcommandlineWindowsXPTCP/IP架构IPPacketFilterdriverIPHOOKDriver(DDK)TCPRawICMPUDPWinSockWinsockLayeredServiceProvidersIPSecFilters,TransportandTunnelOffload:TCPchecksum,largesend,IPSecIPFrag/ReassemblyPPTPL2T