1、 安全協(xié)議與標準 2022, 10 W i n d o w s 安 全 Windows體系結構 用戶與登錄 文件與NTFS 系統(tǒng)文件保護 事件與審計 防火墻ICF IIS 漏洞與補丁 Vista安全 域安全 ISA Office安全 Apix: DDK/WDK Windows體系結構 Windows 2000 architecture Windows 2022 with Hyper-V Windows安全性 設計目標 一致的、健壯的、基于對象的安全模型 滿足商業(yè)用戶的安全需求 一臺機器上多個用戶之間安全地共享資源 進程，內存，設備，文件，網(wǎng)絡 安全模型 服務器管理和保護各種對象 客戶通過服務器

2、訪問對象 服務器扮演客戶，訪問對象 訪問的結果返回給服務器 用戶與登錄 商業(yè)系統(tǒng)的最高安全等級一般是C2兼顧易用性和安全性 Windows NT具有C2級安全等級認證 C2權限控制保護： 用戶對自己的行為負責； 系統(tǒng)可以跟蹤所有過程和記錄某個用戶的行為。防止對象 重引用，并保證系統(tǒng)安全性監(jiān)視器的效力。 用戶可以設定別人對自己數(shù)據(jù)的權限。 *Trusted Computer System Evaluation Criteria The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD R

3、ainbow Series publications. TCSEC was replaced with the development of the Common Criteria international standard originally published in 2022. 帳戶與組 帳戶 user accounts 定義一個用戶所必要的信息，包括口令、組成 員關系、登錄限制、安全ID(SID)、 組 groups Administrators、guests、backup operators、 remote desktop users、users、power users、 Acco

4、unt Identifier: Security identifier (SID) 時間和空間唯一 S-1-N-Y1-Y2-Y3-Y4 字符串形式和二進制形式的SID “sysprep.exe” 用戶組 用戶密碼 口令、通行字（password/passwd） 選擇合適的口令 要便于記憶，但是不能讓別人猜到 不要使用常用單詞、短語、縮寫、生日、證件號碼、默認口令 等等 要足夠長，否則容易被窮舉攻擊 8位字符以上 不要不同的帳號使用一個口令 關于空白口令，以及自動登錄 智能卡 USB token 9、 人的價值，在招收誘惑的一瞬間被決定。21.7.1921.7.19Monday, July 19

5、, 2021 10、低頭要有勇氣，抬頭要有低氣。21:24:3521:24:3521:247/19/2021 9:24:35 PM 11、人總是珍惜為得到。21.7.1921:24:3521:24Jul-2119-Jul-21 12、人亂于心，不寬余請。21:24:3521:24:3521:24Monday, July 19, 2021 13、生氣是拿別人做錯的事來懲罰自己。21.7.1921.7.1921:24:3521:24:35July 19, 2021 14、抱最大的希望，作最大的努力。2021年7月19日星期一下午9時24分35秒21:24:3521.7.19 15、一個人炫耀什么，

6、說明他內心缺少什么。2021年7月下午9時24分21.7.1921:24July 19, 2021 16、業(yè)余生活要有意義，不要越軌。2021年7月19日星期一21時24分35秒21:24:3519 July 2021 17、一個人即使已登上頂峰，也仍要自強不息。下午9時24分35秒下午9時24分21:24:3521.7.19 9、 人的價值，在招收誘惑的一瞬間被決定。21.7.1921.7.19Monday, July 19, 2021 10、低頭要有勇氣，抬頭要有低氣。21:24:3521:24:3521:247/19/2021 9:24:35 PM 11、人總是珍惜為得到。21.7.19

7、21:24:3521:24Jul-2119-Jul-21 12、人亂于心，不寬余請。21:24:3521:24:3521:24Monday, July 19, 2021 13、生氣是拿別人做錯的事來懲罰自己。21.7.1921.7.1921:24:3521:24:35July 19, 2021 14、抱最大的希望，作最大的努力。2021年7月19日星期一下午9時24分35秒21:24:3521.7.19 15、一個人炫耀什么，說明他內心缺少什么。2021年7月下午9時24分21.7.1921:24July 19, 2021 16、業(yè)余生活要有意義，不要越軌。2021年7月19日星期一21時24

8、分35秒21:24:3519 July 2021 17、一個人即使已登上頂峰，也仍要自強不息。下午9時24分35秒下午9時24分21:24:3521.7.19 一種口令攻擊方法：利用Google MD5 CTL-ALT-DEL 為了安全 為了方便，可以從策略中禁止 其他安全策略 in “本地安全設置” 輸入法漏洞 第一次 Windows 2000 系列 標準輸入法 遠程桌面登錄時亦存在 第二次 Vista Google輸入法 鎖定狀態(tài)時 遠程桌面連接 RDP - remote desktop protocol 連接到XP 只能單用戶 連接到Windows Server 用戶權限：組Remote

9、 Desktop Users 支持多用戶 速度和顏色 可以調整到32位顏色(gpedit.msc) 可以從Linux中連接到Windows桌面 文件與NTFS FAT：FAT16，F(xiàn)AT32，VFAT NTFS 長文件名、加密與壓縮、安全性、能力與性能 stream 擴展名 查看擴展名 隱藏文件 查看隱藏文件 圖標 文件安全屬性 用戶之間文件訪問隔離 實驗驗證 管理員的全能權限 日常使用不應該以管理員權限 系統(tǒng)文件保護 系統(tǒng)文件 windows/system32 *.sys/.dll/.ocx/.ttf/.fon/.exe等 文件校驗機制(簽名) sigverif.exe 監(jiān)控 恢復 D:WI

10、NDOWSsystem32dllcache 光盤 使用 SignTool 對安裝文件進行簽名 為 Windows Installer 文件 (.msi) 簽名 在開發(fā)計算機上，安裝您希望用于對文件 進行簽名的證書。 打開 Visual Studio 命令提示。 轉到包含 .msi 文件的目錄。 利用以下命令為 .msi 文件簽名： signtool sign /sha1 CertificateHash SetupFile.msi FinalData 1. Improve Data Protection and Integrity by Pre-Installing FINALDATA Dele

11、te Protection : Protects against the deletion of important files and directories File Delete Manager : Automatic Backup of files being deleted 2. Easy and Useful Recovery Tools File Preview : Check the contents of Images files, MS Office documents, or HTML files before recovering File Viewer : Extra

12、ct the text contained in a damaged file 3. Damaged CD-ROM Recovery Recover data from damaged sectors of CD-RW and CD-R media Support CDFS, UDF 4. Fully Compatible with Microsoft Windows OS Fully compatible with Windows 9x/ME/NT4.0/2000/XP Support for FAT 12/16/32 and NTFS EFS - Encrypting File Syste

13、m EFS的機制 在磁盤上密文存儲（而不僅僅靠訪問限制） EFS的證書和私鑰管理 創(chuàng)建、備份、恢復 EFS文件加密的教訓 加密的文件和分區(qū)在系統(tǒng)重裝后將不可用， 除非恢復先前的證書和私鑰 EFS中的關系：用戶、管理員、備份員 Windows Defender Windows Defender，曾用名Microsoft AntiSpyware， 是一個用來移除、隔離和預防間諜軟件的程序， 可以運行在Windows 2000、Windows XP和 Windows Server 2021操作系統(tǒng)上，并已內置在 Windows Vista。它的測試版于2022年1月6日發(fā)布， 在2022年6月23日

14、、2022年2月17日微軟又發(fā)布了 更新的測試版本。Windows Defender的定義庫更 新很頻繁。 Windows Defender不像其他同類免費產品一樣只 能掃描系統(tǒng)，它還可以對系統(tǒng)進行實時監(jiān)控，移 除已安裝的ActiveX插件，清除大多數(shù)微軟的程序 和其他常用程序的歷史紀錄。 Advanced features Real-time protection Internet Explorer integration Software Explorer Windows Vista-specific functionality blocks all startup items that

15、require administrator privileges Windows Live OneCare Windows Live OneCare（或onecare、LIVE ONECARE。中文名稱未定，Onecare意一份關心） 是微軟Windows Live旗下的殺毒軟件，也是微軟 進入安全防護領域的第一個殺毒軟件。 其功能包括ProtectionPlus (殺毒，防間諜，防火墻， 自動更新)，PerformancePlus(硬盤整理，垃圾清理， 自動備份)，Backup and Restore(備份+回復)。同 時OneCare也與Windows Update 合作，以提供自 動視窗

16、系統(tǒng)更新。OneCare也備有即時幫助(24小 時/7天)。 discontinued Microsoft Security Essentials Microsoft Security Essentials (MSE) is a free antivirus software product for Microsoft Windows operating systems that provides protection against different types of malware such as computer virus, spyware, rootkits and trojan

17、horses. Unlike the Microsoft Forefront family of enterprise- oriented security products, Microsoft Security Essentials is geared for consumer use. Microsoft Security Essentials received positive reviews upon its release. In September 2022, it was the most popular antivirus software product in North

18、America and the second most popular in the world. Autorun 自動播放機制 autorun.inf 自動播放的安全問題 關閉自動播放 事件與審計 日志服務 啟動 Windows 時，EventLog 服務會自動啟動。 所有用戶都可以查看應用程序和系統(tǒng)日志。只 有管理員才能訪問安全日志。 在默認情況下，安全日志是關閉的?？梢允褂?組策略來啟用安全日志。管理員也可在注冊表 中設置審核策略，以便當安全日志滿出時使系 統(tǒng)停止響應。 事件查看器 留意特殊的事件，如登錄、登錄失敗。 定制要記錄的安全事件 “本地安全設置” 三類事件/日志 應用程序日志

19、由應用程序或系統(tǒng)程序記錄的事件。例如，數(shù)據(jù)庫程序可在應用 日志中記錄文件錯誤。程序開發(fā)員決定記錄哪一個事件。 系統(tǒng)日志 包含 Windows的系統(tǒng)組件記錄的事件。例如，在啟動過程將加載 的驅動程序或其他系統(tǒng)組件的失敗記錄在系統(tǒng)日志中。Windows 預先確定由系統(tǒng)組件記錄的事件類型。 安全日志 記錄安全事件，如有效的和無效的登錄嘗試，以及與創(chuàng)建、打開 或刪除文件等資源使用相關聯(lián)的事件。管理器可以指定在安全日 志中記錄什么事件。例如，如果您已啟用登錄審核，登錄系統(tǒng)的 嘗試將記錄在安全日志里。 四種類型 錯誤 重要的問題，如數(shù)據(jù)丟失或功能喪失。例如，如果在啟動過程中 某個服務加載失敗，這個錯誤將會

20、被記錄下來。 警告 并不是非常重要，但有可能說明將來的潛在問題的事件。例如， 當磁盤空間不足時，將會記錄警告。 信息 描述了應用程序、驅動程序或服務的成功操作的事件。例如，當 網(wǎng)絡驅動程序加載成功時，將會記錄一個信息事件。 成功審核 成功的審核安全訪問嘗試。例如，用戶試圖登錄系統(tǒng)成功會被作 為成功審核事件記錄下來。 失敗審核 失敗的審核安全登錄嘗試。例如，如果用戶試圖訪問網(wǎng)絡驅動器 并失敗了，則該嘗試將會作為失敗審核事件記錄下來。 任務管理器 留意異常進程 svch0st.exe wsript.exe taskmgr / tasklist / taskkill tasklist /m 注冊表

21、Register C:WindowsSystem32Config Users home dir Regedit.exe 對注冊表的修改 手工修改 hack/crack方式 優(yōu)化調整 自動運行的程序啟動點 Documents and Settings“開始”菜單程序啟動 Documents and SettingsAll Users“開始”菜單程序啟動 HKEY_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWind owsload HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersi

22、onPolicies ExplorerRun HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersion WinlogonUserinit HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPol iciesExplorerRun HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRu n* HK

23、EY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionE xplorerShellExecuteHooks 其他工具: Winternals several freeware tools to administer and monitor computers running Microsoft Windows. Sysinternal，Microsoft acquired Sysinternals in Ju

24、ly, 2022. procexp regmon filemon diskmom tcpview portmon RootkitRevealer Sysinternals The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2022. Whether youre a

25、n IT Pro or a developer, youll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. Sony, Gone Too Far “Sony, Rootkits and Digital Rights Management Gone Too Far” Mark Russinovich Last week when I was testing the latest version of RootkitRe

26、vealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementa

27、tion hidden (see my “Unearthing Rootkits” article from thre June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application: FileMon This monitoring tool lets you see all file system

28、activity in real-time. RegMon This monitoring tool lets you see all Registry activity in real-time. TCPView Active socket command-line viewer. netstat.exe DiskMon This utility captures all hard disk activity or acts like a software disk activity light in your system tray. PsFile See what files are o

29、pened remotely. Process Monitor Monitor file system, Registry, process, thread and DLL activity in real-time. Process Explorer Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns e

30、ach process. ListDLLs List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded modules. PsList Show information about processes and threads. tasklist / taskkill Autoruns See what programs are configured t

31、o startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings. Handle This handy command-line utility will show you what files are open by which processes, and much more. Rootkit

32、Revealer Scan your system for rootkit-based malware EFSDump View information for encrypted files. SDelete Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program. Streams Reveal NTFS alternate streams. Sigcheck Du

33、mp file version information and verify that images on your system are digitally signed. sigverif.exe File and Disk Utilities Junction Create Win2K NTFS symbolic links. linkd.exe MoveFile Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use

34、malware files. PendMoves See what files are scheduled for delete or rename the next time the system boots. Streams Reveal NTFS alternate streams. The PsTools suite PsExec - execute processes remotely PsFile - shows files opened remotely PsGetSid - display the SID of a computer or a user PsInfo - lis

35、t information about a system PsKill - kill processes by name or process ID PsList - list detailed information about processes PsLoggedOn - see whos logged on locally and via resource sharing (full source is included) PsLogList - dump event log records PsPasswd - changes account passwords PsService -

36、 view and control services PsShutdown - shuts down and optionally reboots a computer PsSuspend - suspends processes Desktops This new utility enables you to create up to four virtual desktops and to use a tray interface or hotkeys to preview whats on each desktop and easily switch between them. 防火墻I

37、CF ICF Internet Connection Firewall ICS Internet Connection Sharing 其他防火墻 個人防火墻 金山網(wǎng)鏢 天網(wǎng)個人防火墻 商業(yè)產品 硬件 vs. 軟件 Netfliter/Iptable in Linux N-Byte N-Byte 網(wǎng)絡守望者,NBFW.zip NDIS Network Driver Interface Specification by MS and 3Com, in Windows and also in Linux and FreeBSD (NdisWrapper) “wrapper”功能，即隱藏了2層LLC

38、的差異，服務于3層網(wǎng) 絡層（另一個抽象LLC是ODI - Open Data-Link Interface） hook IIS IIS 7.0, in Vista and Windows Server 2022 The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS. behind Apache HTTP Server the infamous Code Red worm IIS日志 Logs in C:WINDOWSsystem32Logfiles IIS支持的認證機制 IIS 5.0 and higher support

39、the following authentication mechanisms: Basic access authentication: 明文口令 Digest access authentication: 使用HASH Integrated Windows Authentication refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with the Microsoft Windows 2000 operati

40、ng system. .NET Passport Authentication Windows Live ID IIS認證配置界面 HTTPS實驗演示 HTTPS CA，Certificate，IE，SSL+HTTP 配置CA 個人證書給IE 服務器證書給IIS 證書的其他應用 漏洞與補丁 update 功能性更新 vs. 安全性更新 IE7 / WMPlayer 11 patches hotfix service packs incoming xp sp3 / vista sp1 patches for Linux/Unix 這就是不裝補丁的后果 發(fā)信人: at2022518 (win7壞了

41、，用回xp，頓覺天地間豁然開朗), 信區(qū): ITExpress 標 題: 靠，昨晚4點多有人黑了我的電腦 發(fā)信站: 水木社區(qū) (Fri May 4 11:02:51 2022), 站內 這就是不裝補丁的后果啊 昨晚在下載東西，把我電腦的ip映射到了公網(wǎng)，結果就中招了。 黑客在我電腦搞了個s掃描器的東西，但好像老是被我的諾頓殺毒軟件刪掉 ，于是它竟然把我的諾頓給卸載了！ 早上我想給剛下載的東西掃描一下病毒，才發(fā)現(xiàn)諾頓沒了。于是看事件記錄 ，才發(fā)現(xiàn)這些事。 WUS Win9x共享漏洞分析 Vista安全 UAC - User Account Control It aims to improve t

42、he security of the operating system by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to com

43、promise the operating system. UAC Tasks that will trigger a UAC prompt * Right-clicking and clicking Run as administrator * Changes to files in %SystemRoot% or %ProgramFiles% * Installing and uninstalling applications * Installing device drivers * Installing ActiveX controls * Changing settings for

44、Windows Firewall * Changing UAC settings * Configuring Windows Update * Adding or removing user accounts * Changing a users account type * Configuring Parental Controls * Running Task Scheduler * Restoring backed-up system files * Viewing or changing another users folders and files BitLocker Another

45、 significant new feature is BitLocker Drive Encryption, a data protection technology included in the Enterprise and Ultimate editions of Vista that provides encryption for the entire operating system volume. Bitlocker can work in conjunction with a Trusted Platform Module chip (version 1.2) that is

46、on a computers motherboard, or with a USB key. BitLocker provides three modes of operation The first two modes require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS: * Transparent operation mode: This mode exploits the capabilities of the

47、 TPM 1.2 hardware to provide for a transparent user experiencethe user logs onto Windows Vista as normal. * User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS. The final mode does not require a TPM chi

48、p: * USB Key: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. Trusted Platform Module The TPM specif

49、ication is the work of the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 103, published on July 9, 2022 TCG - Trusted Computing Group successor to the Trusted Computing Platform Alliance (TCPA), is an initiative started by AMD, Hewlett-Packard, IBM, Infineon,

50、Intel, Microsoft, and Sun Microsystems to implement Trusted Computing. TC - Trusted Computing Digital rights management Protection from viruses and spyware Identity theft protection IE 7 IE7s new security and safety features include a phishing filter, IDN with anti-spoofing capabilities, and integra

51、tion with system-wide parental controls. cipher strength: 256-bit (Only for Vista, for XP only supports 128-bit) support for Extended Validation Certificates (EV) Protected Mode (available in Vista only), whereby the browser runs in a sandbox with even lower rights than a limited user account. IE 8

52、IE9 Internet Explorer 9 Security Part 1: Enhanced Memory Protections Security Part 2: Protection from Socially Engineered Attacks Security Part 3: Browse More Securely with Pinned Sites Security Part 4: Protecting Consumers from Malicious Mixed Content IE10的安全特性 DEP/NX，IE8+ /GS編譯選項，在運行時向應用程序的堆棧 邊界添加

53、安全標記 ASLR地址空間布局隨機化技術在Vista 中 初次引入，并在 Windows 8 中得到增強。 ASLR在應用程序載入內存時為其分配隨機 的內存基地址。進程環(huán)境塊 (PEB)、線程環(huán) 境塊 (TEB)、堆棧和堆等其他內存結構也將 分配到內存中的隨機位置。 ForceASLR IE 11 IE11 Reduces Use of Vulnerable RC4 Cipher Suite Turning on TLS 1.2 by Default interesting new security feature: support for the WebCryptoAPI, a JavaSc

54、ript API for performing basic cryptographic functions. FW in Vista As part of the redesign of the network stack, Windows Firewall has been upgraded with new support for filtering both incoming and outgoing traffic. Advanced packet filter rules can be created which can grant or deny communications to

55、 specific services. Before 域安全 Domain的元素：資源組織方式 對象：主題 subject 對象：客體 object 對象間的邏輯關系 訪問access：讀、寫、執(zhí)行、 管理員和用戶 記錄和日志 登錄和憑證 對象標識 安全token 口令、口令衍生密鑰、指紋、智能卡、usb key 、公鑰/證書/私鑰、 資源和認證服務分開 跨域認證和資源訪問 Domain alike 文件共享smb 文件共享samba 文件共享NFS 本機OS：Windows，注冊表/sam，kerberos 本機OS：linux，/etc/passwd 網(wǎng)絡域：AD，kerberos+lda

56、p+dns 網(wǎng)絡域：Linux/kerberos 集群和云平臺 Linux集群 Windows集群 云計算 GAE、AWS、Azure SAE BAE Web Service中的域機制 WSDL UDDI SAML XML Sig/Sec 群件Groupware（Collaborative software） Office OneNoteSharePointGroove Lotus Domino/Notes Exchange server / outlook OA (Windows)域安全 域控制器：active directory 域成員(計算機/用戶) 域用戶 域用戶：配置漫游，(網(wǎng)絡)主目錄 進階：集群 做好網(wǎng)管，從使用Windows域開始 某電力公司的信息主管打電話過來問：“有沒有好 一點的網(wǎng)管軟件？現(xiàn)在機子多了，人手一機，問題 越來越多了，相互猜密碼的、丟資料的、丟賬號