.NET
SSL PKI EFS STPP
Windows: NTLM, KDC (Kerberos), SSL/TLS
Active Directory, PKI, CRL (NTLM, PKI), DNS, Windows ACL
Active Directory (AD)
AD: GUI, LDAP
OU (organizational units)
AD and PKI: CA, ACL, CRL, CTL
NTLM Kerberos Version 5
[Figure: Windows 2000 security architecture. Applications (COM+, ADSI, IIS) speak CIFS/SMB, Secure RPC, HTTP, LDAP, POP3 and NNTP; authentication goes through SSPI to the NTLM and SChannel (SSL/TLS) providers, backed by MSV1_0/SAM and KDC/DS.]
SSPI (Security Support Provider Interface): applications and protocols call SSPI, and each authentication package plugs in beneath it as a Security Support Provider (SSP).
[Figure: Windows 2000 Key Distribution Center (KDC). The KDC runs on the Windows 2000 domain controller and uses Active Directory as its account database.]
[Figure: Kerberos authentication and authorization in Windows 2000. The client machine authenticates to the KDC (Active Directory on the Windows 2000 domain controller), requests a ticket, and presents the ticket to the Windows 2000 server(s); the resource (files, devices, applications) is then authorized against its ACL.]
[Figure: Server 1, Server 2 and a Windows NT Directory Server; the Key Distribution Center (KDC) on the Windows NT domain controller.]
[Figure: cross-domain Kerberos in a Windows 2000 forest (company.com, est.company.com, east.company.com). A Windows 2000 Professional client obtains TGT 1 from its own KDC, TGT 2 and TGT 3 from the KDCs along the trust path, and finally TICKET 4 for srv1.east.company.com (Windows 2000 Server).]
[Figure: Unix and Windows 2000 Kerberos interoperability between the Unix realm OMPANY.REALM (Unix KDC) and nt.company.com (Windows 2K KDC). A Unix workstation obtains TGT 1 and TGT 2 from the two KDCs, then TICKET 3 for a Windows 2K server; name mapping to a 2K account supplies the workstation with 2K auth data.]
CryptoAPI: Authenticode, SSPI, PKCS; Cryptographic Service Providers (CSPs); smart card reader
[Figure: smart card architecture. Applications use the common UI (GetOpenCardName), the SCard* COM interfaces and CryptoAPI; below them sit the service providers (SCSP, SCCP) from the SDK, the system services and device drivers from the DDK, and the hardware.]
Windows 2000 smart card logon:
1. Card insertion causes Winlogon to display GINA
2. User inputs PIN
3. GINA passes PIN to LSA
4. LSA accesses smart card and retrieves cert from card
5. Kerberos sends certificate in a PKINIT login request to the KDC
6. KDC verifies certificate then looks up principal in DS
7. KDC returns TGT, encrypted with a session key which is in turn encrypted using user's public key
8. Smart card decrypts the TGT using private key allowing LSA to log user on
SSL
IIS client-certificate mapping to Windows accounts: DS (Active Directory) mapping using the UPN in the certificate, mapping by issuing CA, and one-to-one (1:1) mapping
[Figure: a web client presents its certificate over SSL/TLS; the web server maps it to an account through the DS (Active Directory).]
PKI
Windows 2000 PKI
Windows 2000 PKI management: MMC snap-ins and IE; CRLs are managed through the MMC
Windows 2000 PKI components: CryptoAPI 1.0, CryptoAPI 2.0, SSPI
[Figure: Windows 2000 PKI enrollment. A client with a smart card and reader sends a certificate request, is authenticated, and is issued a certificate by a subordinate CA chained to the root CA; the certificate may then be published to Active Directory.]
[Figure: Windows 2000 PKI and SSL. The client certificate (on a smart card) authenticates the client to a secure web server over HTTP with SSL/TLS; the certificate comes from certificate enrollment at the Certification Authority, and the server performs a subject lookup in Active Directory.]
[Figure: Windows 2000 PKI and secure mail (S/MIME). Outlook and Outlook Express with Exchange retrieve the user's certificate from Active Directory over LDAP; the sender's S/MIME certificate is on a smart card; mail crosses the Internet.]
[Figure: Windows 2000 PKI (SSL). The client and the Certification Authority have a trust relationship; the client enrolls for a certificate and connects to the secure web server over HTTP with SSL/TLS.]
[Figure: Windows 2000 PKI and Authenticode. A developer signs code with a code signing certificate (on a smart card) through the code signing process and publishes it to a web server; the user downloads the signed code over HTTP.]
EFS
EFS: the Encrypting File System on NTFS
EFS encryption (figure): the plaintext ("Launch key for nuclear missile RedHeat is...") is encrypted with a randomly generated file encryption key (FEK) from the RNG using a symmetric cipher (e.g., DES), giving the ciphertext ("*#$fjda^j u539!3t t389e *& @ 5e%32 ^kd"). The FEK is then encrypted (e.g., RSA) under the user's public key (from the user's certificate) to produce the Data Decryption Field (DDF), and under the recovery agent's public key (from the certificate named in the recovery policy) to produce the Data Recovery Field (DRF).
EFS decryption by the user (figure): the DDF contains the FEK encrypted under the user's public key. DDF extraction (e.g., RSA) with the user's private key recovers the FEK, and file decryption (e.g., DES) with the FEK turns the ciphertext back into the plaintext.
EFS recovery (figure): the DRF contains the FEK encrypted under the recovery agent's public key. DRF extraction (e.g., RSA) with the recovery agent's private key recovers the same FEK, which decrypts the file.
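The smart card logon steps above and the EFS DDF/DRF scheme rest on the same primitive: a symmetric key is wrapped under the public key in a certificate, so only the matching private key (on the card, or the recovery agent's) can recover it. The Python below is an added example and is not code from the slides or from Windows; it uses a toy textbook RSA and an HMAC-SHA256 keystream in place of the CSP's RSA and the diagram's DES, and the principal name alice@EAST.COMPANY.COM and krbtgt key are constructed. It follows the slide's wording of step 7 literally (TGT sealed with a session key, session key sealed under the user's public key). One caveat: in PKINIT as standardized in RFC 4556 the public-key-encrypted value is a reply key protecting the AS-REP encrypted part, and the TGT itself is always sealed under the KDC's own krbtgt key, which the example also keeps, so the client never sees inside it.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA (no padding) standing in for the CSP's RSA; key sizes are far below
# production (2048 bits or more) and exist only to make the key flow executable.
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)): the certificate carries (e, n), the card or agent holds (d, n)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_wrap(key16, pub):
    """Encrypt a 16-byte symmetric key under a public key (the diagram's 'e.g., RSA')."""
    e, n = pub
    return pow(int.from_bytes(key16, "big"), e, n)

def rsa_unwrap(wrapped, priv):
    d, n = priv
    m = pow(wrapped, d, n)
    if m.bit_length() > 128:                     # wrong key: result is not a 128-bit key
        raise ValueError("private key does not match the wrapping public key")
    return m.to_bytes(16, "big")

def stream_xor(key, nonce, data):
    """HMAC-SHA256 keystream XOR, a stand-in for the diagram's 'e.g., DES' file cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# EFS: one FEK, two wrapped copies (DDF for the user, DRF for the recovery agent).
def efs_encrypt(plaintext, user_pub, agent_pub):
    fek = secrets.token_bytes(16)                # randomly generated file encryption key
    nonce = secrets.token_bytes(8)
    return {"ciphertext": stream_xor(fek, nonce, plaintext), "nonce": nonce,
            "DDF": rsa_wrap(fek, user_pub),      # FEK under the user's public key
            "DRF": rsa_wrap(fek, agent_pub)}     # FEK under the recovery agent's public key

def efs_decrypt(blob, priv, field):
    """field is 'DDF' (user's private key) or 'DRF' (recovery agent's private key)."""
    fek = rsa_unwrap(blob[field], priv)
    return stream_xor(fek, blob["nonce"], blob["ciphertext"])

# PKINIT-style smart card logon, following the slide's steps 6-8.
def kdc_pkinit_reply(krbtgt_key, user_pub, principal):
    """Steps 6-7: certificate verified and principal found in the DS; the KDC mints a
    session key, seals the TGT with it, and seals the session key under the user's
    public key so that only the card's private key can open the reply."""
    session_key = secrets.token_bytes(16)
    tgt = stream_xor(krbtgt_key, b"tgt", f"{principal}|{session_key.hex()}".encode())
    nonce = secrets.token_bytes(8)
    return {"enc_session_key": rsa_wrap(session_key, user_pub), "nonce": nonce,
            "enc_tgt": stream_xor(session_key, nonce, tgt)}

def client_pkinit_finish(reply, card_priv):
    """Step 8: the card unwraps the session key; the LSA can now present the TGT."""
    session_key = rsa_unwrap(reply["enc_session_key"], card_priv)
    return session_key, stream_xor(session_key, reply["nonce"], reply["enc_tgt"])

def kdc_open_tgt(krbtgt_key, tgt):
    """The TGT stays sealed under the KDC's krbtgt key; only the KDC reads it."""
    principal, key_hex = stream_xor(krbtgt_key, b"tgt", tgt).decode().split("|")
    return principal, bytes.fromhex(key_hex)

if __name__ == "__main__":
    user_pub, user_priv = rsa_keygen()
    agent_pub, agent_priv = rsa_keygen()
    blob = efs_encrypt(b"Launch key for nuclear missile RedHeat is...", user_pub, agent_pub)
    assert efs_decrypt(blob, user_priv, "DDF") == efs_decrypt(blob, agent_priv, "DRF")
    print("DDF and DRF both recover the file; the FEK was never stored in the clear")
```

The DDF and DRF are two independent wrappings of one FEK, which is why the recovery agent's private key opens the file without ever touching the user's key, and why losing the user's private key is survivable only if a DRF was written. The size check in rsa_unwrap stands in for the padding check a real PKCS#1 or OAEP unwrap performs: a wrong private key must fail loudly rather than yield a garbage FEK.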
CA-issued certificates for EFS and smart card logon
KB JP273856: an EFS certificate carries the Encrypting File System EKU (1.3.6.1.4.1.311.10.3.4)
KB JP281245: a CA-issued smart card logon certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2)
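The three OIDs above live in the certificate's extKeyUsage extension, whose DER value is a SEQUENCE OF OBJECT IDENTIFIER. The Python below is an added example, not code from the slides or from Windows: it encodes and decodes that value with the standard library alone and checks whether a certificate's purposes cover EFS or smart card logon. The purpose names "efs" and "smartcard_logon" and the sample extension values are constructed; in a real deployment the DER bytes come from the certificate in the OS store or from an X.509 library.

```python
# Constructed example: DER encode/decode of the extKeyUsage value and a purpose check
# against the EKU OIDs named on this page. Standard library only.
EKU_EFS = "1.3.6.1.4.1.311.10.3.4"             # Encrypting File System
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Smart Card Logon

# Purpose names are this example's own; a smart card logon cert needs both OIDs.
REQUIRED_EKUS = {"efs": {EKU_EFS},
                 "smartcard_logon": {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON}}

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:                              # high bit set on all but the last byte
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return b"\x06" + _der_length(len(body)) + bytes(body)

def encode_eku(oids):
    """extKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(inner)) + inner

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(der):
    """Return the list of dotted OIDs in an extKeyUsage value, rejecting anything else."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(decode_oid(body))
    return oids

def usable_for(eku_der, purpose):
    """True if every EKU OID required for the purpose is present in the extension."""
    return REQUIRED_EKUS[purpose] <= set(decode_eku(eku_der))
```

The check is deliberately a superset test: a certificate that carries only Client Authentication is a perfectly good SSL client certificate but is not a smart card logon certificate, and a CA that omits the Smart Card Logon OID from its template produces exactly that failure.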
STPP: Strategic Technology Protection Program (1. / 2. / 3.). Get Secure. Stay Secure.
STPP components: MCS, the e-mail rating system, the Microsoft Security Tool Kit
Secure Windows Initiative (SWI)
Security Tool Kit contents:
Guide: step-by-step guides for Windows 2000, Windows NT 4.0 and Windows NT 4.0 TSE
Software Updates: Windows 2000 Service Pack 2, Windows NT 4.0 SRP
Deployment and Management Tools: HFNetChk, IIS Lockdown Wizard
Online Resources: TechNet
Security Tool Kit summary: software updates, IIS Lockdown Tool, HFNetChk Tool, rating system, security rollup patches
Windows Update: service packs and security rollups delivered over the Internet; Windows Update Corporate Edition from the Microsoft Windows Update site
Windows Update and Windows 3rd
Security Tool Kit support line: 0120-69-0196 (9:30-12:00, 13:00-19:00)
www.microsoft.com/japan/security: e-mail, Microsoft Security Tool Kit, SWI, MCS
Windows, VS.NET CD (9000); Windows, ISA, .NET
Security measures in default settings: Office: receipt of .exe files, access to script disabled; XP: firewall configured for Internet connections; Windows .NET Server: IIS6 disabled in the default configuration, unnecessary services disabled through a wizard
Get Secure. Stay Secure.: STPP, MSRC, Windows 2000 Security Rollup Package, Windows 2000 SP3, VS.NET, Windows Update
Privacy: TRUSTe, BBBOnline, Deloitte, Price Waterhouse, Foundstone; 1997; GLB; MSN; XP; Kids Passport; pre-COPPA and COPPA; .NET My Services
Get Secure. Stay Secure.