
Chapter 7:

Physical Computer Access


Control Access to Your Computer Itself

Only authorized people should be able to get to the machine. Remember, if someone can get physical access to the machine they can get administrative access to it. Machines that are public workstations should have a trusted person watching them.

1.  Protect your file directories

Passwords can be used to protect directories within your PC; just make sure to follow the standard guidelines in creating and using passwords. To do this in Windows, right-click the directory name in Windows Explorer and select Properties. Then click the Security tab and look at the permissions granted. Check the boxes under Deny to deny access to the folder.

2. Put machines behind doors that are locked when the machine is unattended

3.  Require logins and passwords for all access to the machine.

4.  Put as many parts of the machine in locked cabinets as possible.

Secure the machines to non-movable furniture (such as nearby desks). Many computers can be locked so that they cannot be opened up. Security is as much about preventing computers from being stolen as it is about preventing access to the operating system.

5.  Keep the systems and peripherals in a secure area accessible by only those who must access them for administration.

Adequate security for the hardware and data can be provided by restricting access to the equipment to those who need it. In the case of servers, it is important that only a system administrator or the technical staff be allowed access. Furthermore, servers can be kept in a separate locked room, with only technical personnel having access to the keys. Most corporations maintain very strict control over who can enter their datacenters and who can't. They use card key or keypad systems, log books and human security to limit unauthorized access.

6.  Lock workstation when not in use.

It's a good idea to restrict physical access and limit potential damage, but someone has to be able to use the computers, so the next level of a security plan is limiting the chances of a workstation being used by an unauthorized person. Systems like Windows NT, Windows 2000, and Windows XP have a useful security feature for locking the computer. Users should make a practice of locking their workstations when they are away from their seats. This can be done by simply pressing Ctrl+Alt+Delete and clicking Lock Computer. An expert, fast-typing attacker can get to a machine and share its disk drives with no passwords in under 10 seconds, but not if the machine is locked.

7.  Don't put machines behind glass walls where people can watch passwords being typed in.

If machines are behind glass walls, avoid having the monitor or keyboard in a location where they can be seen from the outside.

8.  Have a way to detect penetration of the physical area (e.g. swipe cards that log who comes and goes or video cameras).

Remote Access Security

Remote access means using any of the resources of a network (file server, printers, workstations) from a remote location, that is, a location not directly attached to the network. Remote access presents particular security risks of unauthorized system access. In remote access, the remote computer takes over a computer connected to the network and operates that computer remotely. Actual data traffic remains on the network between the PC that is being controlled and the rest of the network. Only screen images, keystrokes, and mouse motion are sent across the remote link. Because the remote user is invisible, any formal or informal security measures operating at the workplace are not effective. The remote user has access not only to network resources, but also to local resources on the controlled workstation.

Simple password protection is not at all reliable for remote access systems. Over the modem, all users are equally unknown. Remote access also typically occurs during off hours, when the intruder has plenty of time to experiment and try multiple passwords and avenues of access, all unnoticed. Some systems erect extensive barriers to penetration, including limiting modem access to a restricted set of programs and files. A system with external access is, however, never fully secure against smart intruders. External access can be restricted by means of automatic callback systems. With such systems, users must provide the system with pre-authorized telephone numbers from which they can call the system. Under this mechanism, when a user calls and identifies himself to the system, the system calls him back at one of the pre-authorized numbers before access is allowed.

User Specific IDs

This is used in the situation where there are several users with the same name and similar information. In such a situation Windows uses a Security ID (SID) for each account. A SID is a unique key that is generated when an account is created. When an account is deleted and recreated, a new account with a new SID is created, and all rights and permissions have to be re-established.
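The Deny permissions from step 1 and the SID behaviour described above can both be checked from PowerShell. This added example (not part of the original tutorial) lists each permission entry on a folder with the SID it is stored under, and flags Deny entries and entries whose SID no longer maps to an account; the helper name `Get-AceReport` and the scratch folder are assumptions made for the illustration.

```powershell
# Added example. Get-AceReport is a hypothetical helper name; Windows only.
function Get-AceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request the entries keyed by SID, which is how NTFS stores them.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null    # no account maps to this SID any more
        }
        [pscustomobject]@{
            Sid       = $sid.Value
            Account   = $account
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Orphaned  = ($null -eq $account)
        }
    }
}

# Constructed demo: a scratch folder with an explicit Deny entry for the
# built-in Guests group (well-known SID S-1-5-32-546).
$dir = Join-Path $env:TEMP 'ace-report-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$guests = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $guests, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl = Get-Acl -LiteralPath $dir
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $dir -AclObject $acl

# Entries worth reviewing: explicit denials and SIDs left by deleted accounts.
Get-AceReport -Path $dir |
    Where-Object { $_.Type -eq 'Deny' -or $_.Orphaned } |
    Format-Table Account, Sid, Type, Rights, Inherited -AutoSize
```

An entry marked as orphaned belongs to an account that no longer exists; a recreated account with the same name has a different SID and does not inherit it.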


Physical access to a computer or network can give unauthorized persons access to sensitive data. To protect certain data from being released inappropriately, it should be encrypted before transmission. Encryption means translating the data into a secret code reversible only by an authorized user with the required key (or password). The process of recovering the encrypted data is known as decryption. Unencrypted data is called plain text and encrypted data is referred to as cipher text. However, it should be noted that data encryption is a compute-intensive process and should be used only when necessary.

Encryption can limit disclosure of sensitive information, but distribution of encryption keys can be a burden and the data may be compromised if key distribution is not handled appropriately. An encryption or decryption key may be distributed via a user authentication system. When a program provides inadequate security or extra protection is needed for some data or documents, an encryption/decryption program may be a useful tool.

Encrypting File System

Windows 2000 Encrypting File System (EFS) allows users to encrypt designated files or folders, so that unauthorized users can't access those files. EFS is useful for protecting data on a computer that can be physically stolen. When the user enables EFS for a file or folder on an NTFS file system, Windows encrypts the files using the public key and symmetric encryption algorithms available through the CryptoAPI. EFS encrypts the files when they are saved and decrypts them when the user opens them.



A randomly generated file encryption key (FEK) is used to encrypt data stored within the file system. An asymmetric cryptosystem is used to encrypt the FEK using the user's public key component. The user's private key component is used to decrypt the FEK so that it can be unlocked to decrypt the data. NTFS stores a list of encrypted FEKs with the encrypted file in special EFS attributes known as Data Decryption Fields (DDFs) and Data Recovery Fields (DRFs).

EFS encrypts a file using a symmetric encryption key unique to each file. Then it encrypts the encryption key as well, using the public key from the file owner's EFS certificate. Since the file owner is the only person with access to the private key, that person is the only one who can decrypt the key. The file cannot be decrypted without first logging on to the network as the appropriate user.
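The key layout described above, as an added PowerShell model that is not part of the original tutorial and does not call EFS itself: a random per-file FEK encrypts the data, and the FEK is stored wrapped under the owner's public key (DDF) and a recovery agent's public key (DRF). The function names, AES-CBC and RSA-OAEP are assumptions chosen for the illustration, not the algorithms any particular Windows version uses.

```powershell
# Added model of the EFS key layout. Protect-File / Unprotect-File are
# hypothetical names; AES-CBC and RSA-OAEP are illustrative choices.
function Protect-File {
    param([byte[]]$Data, $OwnerKey, $RecoveryKey)
    $aes = [System.Security.Cryptography.Aes]::Create()   # fresh random FEK and IV
    try {
        $enc = $aes.CreateEncryptor()
        [pscustomobject]@{
            IV         = $aes.IV
            Ciphertext = $enc.TransformFinalBlock($Data, 0, $Data.Length)
            DDF        = $OwnerKey.Encrypt($aes.Key, $true)      # FEK for the owner
            DRF        = $RecoveryKey.Encrypt($aes.Key, $true)   # FEK for recovery
        }
    } finally { $aes.Dispose() }
}

function Unprotect-File {
    param($File, [byte[]]$WrappedFek, $PrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        # Only the matching private key can unwrap the FEK.
        $aes.Key = $PrivateKey.Decrypt($WrappedFek, $true)
        $aes.IV  = $File.IV
        $dec = $aes.CreateDecryptor()
        # Leading comma keeps the byte[] intact on the pipeline.
        ,$dec.TransformFinalBlock($File.Ciphertext, 0, $File.Ciphertext.Length)
    } finally { $aes.Dispose() }
}

# Constructed key pairs standing in for the owner, a recovery agent and
# an unrelated user.
$owner    = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$recovery = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$stranger = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$file  = Protect-File -Data $plain -OwnerKey $owner -RecoveryKey $recovery

# The owner reads the file through the DDF, the recovery agent through the DRF.
[System.Text.Encoding]::UTF8.GetString((Unprotect-File $file $file.DDF $owner))
[System.Text.Encoding]::UTF8.GetString((Unprotect-File $file $file.DRF $recovery))

# A key pair that is in neither field cannot unwrap the FEK.
try { Unprotect-File $file $file.DDF $stranger | Out-Null }
catch { 'FEK unwrap failed for a key that is not in the DDF/DRF' }
```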


Larger organizations should perform security audits periodically to ensure that the organization and its users are following the security policy and preparing adequately for disaster recovery. A security audit also identifies issues such as risk to the business and breaches in information security. Through an in-depth series of interviews and configuration checks, it determines whether the computer or network is vulnerable to intruders (both insiders and outsiders). If the audit identifies any weaknesses in the company's security status, it recommends pragmatic ways of implementing a security policy that would help protect personnel and vital data.



Active Directory

Active Directory provides a directory service designed for distributed computing environments. It allows an organization to act as the central authority for security and to centrally manage resources and share information with users. It also includes transitive trusts, which allow user account authentication to be distributed across organizations.

Some of the features of Active Directory service are as follows:

Centralized Management

Active Directory manages clients and servers through a single consistent management interface. This reduces redundancy and maintenance costs. It allows for delegation of rights in such a way that some of the administrative tasks can be delegated but the security is not compromised.

Group Policy

With the help of Group Policy, administrators define and control the rules that manage groups of computers and users. They can set Group Policy for any of the sites or domains in Active Directory. Group Policy, once defined, is retained by the system.

Active Directory Service Interfaces (ADSI)

ADSI simplifies the development of directory-enabled applications and the administration of distributed systems. This is very popular amongst developers and administrators. ADSI supports interfaces for ActiveX/COM, LDAP, MAPI and JADSI.

Native LDAP

Active Directory is implemented as a native LDAP server that doesn't require request translation to ensure interoperability in extranet environments and e-commerce applications.


LDAP enables cross-network operating system interoperability between directory services that support it, and it can run over Secure Sockets Layer (SSL) for secure directory transactions in extranet and e-commerce applications.

LDAP ACL Support

Consistent interpretation of access control lists through LDAP ensures interoperability for secure extranets and e-commerce applications.

Active Directory Connectors (ADC)

ADC provides directory synchronization and import/export tools. It lets administrators replicate a hierarchy of directory objects between a Microsoft Exchange Server 5.5 directory and Active Directory. It also lets Active Directory connect to Novell Directory Services.

Open APIs

All Active Directory functions are available through LDAP, ADSI and MAPI for extending and integrating with other applications, directories, and devices.

Public Key Infrastructure

PKI uses a combination of software, encryption technologies, and services to protect the security of organizations when they communicate on the Internet.

PKI helps to protect information in several ways:

Support for Non-repudiation

Digital certificates validate their users' identities, making it nearly impossible to deny a digitally signed transaction.

Authorize Access

PKI digital certificates replace user IDs and passwords to streamline Intranet login security.

Authenticate Identity

Digital certificates issued allow validation of the identity of each party in an Internet transaction.

Verify Integrity

A digital certificate ensures that the message or document the certificate signs has not been corrupted in online transportation.

Ensure Privacy

Digital certificates protect information from interception during Internet transmission.

Authorize Transactions

Enterprises can control access to privileges for specified online transactions.

PKI Certificate

A public-key certificate binds a public-key value to a set of information that identifies the entity associated with use of the corresponding private key.

A PKI enables users to use an unsecured public network to securely and privately exchange data and money through the use of a key. The public key infrastructure assumes the use of public key cryptography for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted.

A digital signature is created using a secret key. A corresponding public key can be used to authenticate the signature and relate it to the private key. The algorithm used to generate the signature must be such that, without knowing the secret key, it is impossible to create a signature that is accepted as valid.



Digital signatures are used to verify the authenticity of a message. They can also be used to timestamp documents. Digital signatures can also be used to testify that a public key belongs to a particular person. This is done by signing the combination of the key and the information about its owner with a trusted key. The digital signature by a third party (the owner of the trusted key), the public key and the information about the owner of the public key are often called certificates.
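The binding described above, as an added PowerShell sketch that is not part of the original tutorial: a trusted key signs the combination of owner information and public key, and verification fails once either part is changed. The function names and the simple `owner|modulus|exponent` encoding are assumptions for illustration; real certificates use the X.509 format.

```powershell
# Added example. New-ToyCertificate / Test-ToyCertificate and the text
# encoding of the signed data are hypothetical, not X.509.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Get-ToBeSigned {
    param([string]$Owner, [byte[]]$Modulus, [byte[]]$Exponent)
    # Owner information and public key, combined into one byte string.
    $text = '{0}|{1}|{2}' -f $Owner,
        [Convert]::ToBase64String($Modulus),
        [Convert]::ToBase64String($Exponent)
    ,[System.Text.Encoding]::UTF8.GetBytes($text)
}

function New-ToyCertificate {
    param([string]$Owner, $SubjectKey, $IssuerKey)
    $pub = $SubjectKey.ExportParameters($false)    # public half only
    [byte[]]$tbs = Get-ToBeSigned $Owner $pub.Modulus $pub.Exponent
    [pscustomobject]@{
        Owner     = $Owner
        Modulus   = $pub.Modulus
        Exponent  = $pub.Exponent
        Signature = $IssuerKey.SignData($tbs, $sha256, $pkcs1)
    }
}

function Test-ToyCertificate {
    param($Certificate, $IssuerKey)
    # Verification uses only the public half of the issuer's key.
    [byte[]]$tbs = Get-ToBeSigned $Certificate.Owner $Certificate.Modulus $Certificate.Exponent
    $IssuerKey.VerifyData($tbs, $Certificate.Signature, $sha256, $pkcs1)
}

# Constructed key pairs: a trusted issuer, a certificate owner, and a
# third party whose key is substituted below.
$issuer = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$alice  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$other  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

$cert = New-ToyCertificate 'alice@example.test' $alice $issuer
"Issued certificate verifies: $(Test-ToyCertificate $cert $issuer)"

# Same owner name, different public key: the issuer's signature does not
# cover this combination.
$swapped = $cert.PSObject.Copy()
$swapped.Modulus = $other.ExportParameters($false).Modulus
"Certificate with substituted key verifies: $(Test-ToyCertificate $swapped $issuer)"
```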

Windows 2000 PKI provides the framework of services, technology, protocols and standards that enable the deployment and management of a secured information system. Windows 2000 PKI is fully integrated with Active Directory and with the operating system's distributed security services.

In Windows NT, Microsoft Certificate Server provides the basic functionality of a Certificate Authority for requesting, issuing, publishing and managing certificates. In Windows 2000, Certificate Server's name changes slightly to Certificate Services. Certificate Services is more powerful and better integrated into the rest of the operating system. The MMC snap-ins provide GUI tools for both the client side and the server side. Active Directory (AD) is used to store and publish certificates. Common security functions that use public key technology include:

Smart Cards

Smart cards provide tamper-proof storage for a user's certificates and private keys. The smart card contains a chip that stores the user's private key, logon information, and public key certificate used for various purposes, such as digital signatures and data encryption. Instead of entering a password, the user inserts a card into a reader attached to the PC and enters the card's PIN. Windows 2000 uses the private key and certificate that are stored on the card to authenticate the user to the KDC (Kerberos Key Distribution Center) on a Windows 2000 domain controller. After authenticating the user, the KDC returns a ticket-granting ticket. Smart cards are more secure than passwords for several reasons:

Windows 2000 Certificate Services has support built in to perform smart card enrolment with the certificate template that is stored in the Active Directory. This allows the user's smart card to be used for interactive logon and other services. Smart card support has been added to Windows 2000 to provide support for Client Authentication and Smart Card Logon.

Client Authentication

Client authentication is the process of verifying a user's identity. Windows 2000 uses this for verification of secure communications channels such as SSL and TLS. The smart card is used to enhance the public key authentication and session key exchange process for establishing the secure session. The user's private key is stored on the smart card and is only accessible to the holder of the card and the PIN.

Public-Key Interactive Logon

A Windows 2000 user has an X.509v3 certificate on the smart card along with the private key. The user doesn't enter a username and password, but instead puts the smart card into a smart card reader and then enters a user PIN. The user is then authenticated to the card.



© 2012 by DeepSearcher Inc. - All rights reserved