SSL PKI EFS STPP - PDF Free Download

.NET

SSL PKI EFS STPP

Windows NTLM (KDC) SSL/TLS, NTLM, SSL/TLS,

Active Active Directory Directory PKI PKI CRL CRL ( NTLM, NTLM,, PKI, PKI, ) DNS DNS Windows Windows ACL ACL

Active Directory (AD)

AD GUI LDAP

OU OU

AD PKI CA ACL CRL CTL

NTLM Kerberos Version 5

COM+ ADSI,,, IIS CIFS/SMB Secure RPC NTLM HTTP LDAP SChannel SSL/TLS POP3, NNTP SSPI MSV1_0/ SAM KDC/DS

SSPI( Security Support Provider Interface ) SSPI SSPI SSP

3. 4. KDC 1. KDC Windows 2000 Active Directory Key Distribution Center (KDC) 2. KDC Windows 2000

Windows 2000 (Authentication) KDC Active Directory Ticket (Authorization) Request Windows 2000 Domain Controller Ticket ACL Files Devices ACL Application ACL 4. Resource Client Machine Windows 2000 Server(s)

Server 1 Server 2 Windows NT Directory Server Key Distribution Center (KDC) Windows NT domain controller

Windows 2000 - company.com est.company.com east.company.com KDC TGT 2 TGT 3 KDC TGT 1 TICKET 4 srv1.east.company.com Windows 2000 Professional Windows 2000 Server

Windows 2000 Unix KDC OMPANY.REALM nt.company.com Unix KDC TGT 2 Windows 2K KDC TGT 1 TICKET 3 Name Mapping to 2K account Unix Workstation With 2K Auth Data Windows 2K Server

CryptoAPI Authenticode CryptoAPI API Reader SSPI (PKCS) Crypto CSP CSP

Applications GetOpenCardName Common UI SCard* COM SCSP CryptoAPI SCCP Service Providers S D K System Services Device Drivers Driver Driver Driver D D K Hardware

Windows 2000 Reader Reader SC 1 Card insertion causes Winlogon to display GINA 4 LSA accesses smart card and retrieves cert from card 2 User inputs PIN 8 Smart card decrypts the TGT using private key allowing LSA to log user on 3 GINA passes PIN to LSA LSA Kerberos 5 Kerberos sends certificate in a PKINIT login request to the KDC 7 KDC returns TGT, encrypted with a session key which is in turn encrypted using user s public key Kerberos 6 KDC verifies certificate then looks up principal in DS KDC

Windows

API Windows

SSL

IIS Windows DS [ ] UPN CA 1 1

DS Web Cert SSL/TLS Active Directory

PKI

Windows 2000 PKI PKI PKI

Windows 2000 PKI MMC IE MMC CRL

Windows 2000 PKI CryptoAPI 1.0 CryptoAPI 2.0 SSPI

Cert Reader SC Windows 2000 PKI Root CA Client Certificate Request and Authentication Active Directory Subordinate CA Publish Certificate?

Reader Cert SC Client Windows 2000 PKI SSL Secure Web Server HTTP with SSL/TLS Certificate Enrollment Subject Lookup Certification Authority Active Directory

Windows 2000 PKI (S/MIME) Active Directory Outlook Express Retrieve user s certificate (LDAP) Internet S/MIME Cert Reader SC Outlook Exchange

Windows 2000 PKI E (SSL ) HTTP with SSL/TLS Secure Web Server Client Trust Relationship Certification Authority Certificate Enrollment

Windows 2000 PKI (Authenticode) HTTP Web Server User Code Signing Process Code Signing Cert Reader SC Code Publishing Developer

EFS

NTFS EFS

Launch key for nuclear missile RedHeat is... User s public key (in certificate) Randomly- generated file encryption key (FEK) File encryption (e.g., DES) RNG Data Decryption Field generation (e.g., RSA) Data Recovery Field generation (e.g., RSA) *#$fjda^j u539!3t t389e *& @ 5e%32 ^kd DDF DRF Recovery agent s public key (in certificate) in recovery policy

*#$fjda^j u539!3t t389e *& @ 5e%32 ^kd User s private key DDF contains file encryption key (FEK) encrypted under user s public key File decryption (e.g., DES) DDF extraction (e.g., RSA) DDF File encryption key (FEK) Launch key for nuclear missile RedHeat is... DDF is decrypted using the private key to get to the file encryption key (FEK)

*#$fjda^j u539!3t t389e *& @ 5e%32 ^kd Recovery agent s private key DRF contains file encryption key (FEK) encrypted under recovery agent s public key File decryption (e.g., DES) DRF extraction (e.g., RSA) DRF File encryption key (FEK) Launch key for nuclear missile RedHeat is... DRF is decrypted using the private key of recovery agent to get to the file encryption key (FEK)

CA PKI

JP273856 [ ] [ ] EFS (1.3.6.1.4.1.311.10.3.4)

JP281245 CA [ ] [ ] (1.3.6.1.5.5.7.3.2) (1.3.6.1.4.1.311.20.2.2)

SSL PKI EFS STPP

STPP Strategic Technology Protection Program 1. 2. 3. Get Secure. Stay Secure.

STPP MCS E-mail Rating System Microsoft Security Tool Kit

Secure Windows Initiative SWI

Security Tool Kit Guide Windows Windows 2000, Windows NT 4.0, Windows NT 4.0 TSE, Step by Step Guide Software Updates Service Pack Windows 2000 Service Pack 2, Windows NT 4.0 SRP Deployment and Management Tools Windows HFNetChk,, IIS Lockdown Wizard Online Resources TechNet

Security Tool Kit Software Update IIS Lockdown Tool HFNetChk Tool Rating System Security Rollup Patches

Windows Update- - Service Pack Security Rollup Internet Windows Update Corporate Edition Microsoft Windows Update Site

Windows Update Windows 3 rd

0120-69 69-0196 ( 9:30-12:00,13:00 12:00,13:00-19:00) 19:00) Security Tool Kit

www.microsoft.com/japan japan/security E-mail Microsoft Security Tool Kit SWI MCS

Windows, VS.NET CD 9000 Windows,ISA,.NET Windows, ISA,.NET

初期設定におけるセキュリティ対策 Office.exeの受取 scriptへのアクセス無効 XP インターネット接続にファイアウォールを設定 Windows.NET Server 初期設定でIIS6を無効化ウィザードによる不要なサービスの無効化

Get Secure. Stay Secure. STPP MSRC Windows 2000 Security Rollup Package Windows 2000 SP3 VS.NET Windows Update

TRUSTe BBBOnline Deloitte Price Waterhouse Foundstone 1997 GLB MSN XP Kids Passport pre-coppa COPPA.NET My Services

IT IT

Get Secure. Stay Secure.