COMP2221 Networks in Organisations, Richard Henson, March 2014


Page 1: COMP2221 Networks in Organisations Richard Henson March 2014

COMP2221
Networks in Organisations
Richard Henson
March 2014

Page 2:

Week 5: The Windows Registry, Principles of Network Security

Objectives:
- Explain confidentiality, integrity, and availability principles for networks
- Explain why user and system settings need to be controlled on networked machines
- Explain the role of the registry in Windows desktop and network configuration, user settings, and security
- Select appropriate software tools for backup and fault tolerance

Page 3:

What is a “platform”?
- Hardware that will support a CPU
  » motherboard (or equivalent)
  » ROM and RAM
  » hard disk and controller
- Software that executes through the CPU to provide a stable user environment
  » low-level operating system functions
  » utilities
  » user interface

Page 4:

Connectivity between platforms
- OSI: Seven Layer model
- As far as the user is concerned… layer 7 is all that matters
- But there should be access control…
  » user needs to log on (via level 5)
  » achieved through a level 7 pop-up, with the input coupled to interrogation of a local or LAN database

Page 5:

BIOS Developments
- Earlier motherboards had a single chip containing the BIOS on ROM and a writeable CMOS area
  » the command line interface invoked was 16-bit
- More recent motherboards use EFI (Extensible Firmware Interface)
  » uses a 32-bit command line
  » only really exploited with Windows 7, and 2008 Server…

Page 6:

Why “access control”?
- Organisations have responsibilities, and nowadays these are delivered through the network
- Confidentiality / Integrity:
  » e.g. personal data held under the Data Protection Act
- Availability:
  » those who need access to files & services must have it…

Page 7:

Platforms: booting to an Intel/Windows platform
- BIOS should “point” to the selected medium that contains a “boot loader” program
  » contains the “master boot record” (MBR)
  » points to the boot partition containing the operating system
- Different media prepared in different ways
  » hard disk still the conventional boot medium: a number of partitions, so a potential choice of bootable media
  » CDs & USBs only have one partition

Page 8:

Partitions, Hard Disks and Multiple Operating Systems
- MBR must be on the first (C:) partition
- Possible to have different operating systems on the same hard disk…
  » varieties of Windows
  » varieties of Unix…
- BUT… Master Boot Record systems are different on Unix and Windows
  » still possible to have ONE Unix partition…
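The firmware type from page 5 and the partition/boot-flag layout from pages 7 and 8 can be checked on a live machine. The following is an added example, not part of the lecture slides; it uses the Storage module cmdlets that ship with Windows 8 / Server 2012 and later and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the slides): report the firmware type (BIOS or UEFI)
# and, for each disk, the partition style (MBR or GPT) plus which partitions
# carry the boot and "active" flags that the boot code looks for.

function Get-BootLayoutReport {
    # PowerShell sets $env:firmware_type on Windows 8+ to "UEFI" or "Legacy"
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = 'Unknown (pre-Windows 8 host)' }

    foreach ($disk in Get-Disk) {
        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue
        foreach ($p in $parts) {
            [pscustomobject]@{
                Firmware       = $firmware
                Disk           = $disk.Number
                PartitionStyle = $disk.PartitionStyle   # MBR or GPT
                Partition      = $p.PartitionNumber
                DriveLetter    = $p.DriveLetter
                Type           = $p.Type
                IsBoot         = $p.IsBoot              # partition holding the running OS
                IsActive       = $p.IsActive            # MBR "active" flag the boot loader follows
                SizeGB         = [math]::Round($p.Size / 1GB, 1)
            }
        }
    }
}

# Consistency check for the MBR case on the slides: the BIOS hands off to the
# active partition, so an MBR disk with no active partition cannot boot.
function Test-MbrHasActivePartition {
    param([Parameter(Mandatory)]$Report)
    $mbrDisks = $Report | Where-Object { $_.PartitionStyle -eq 'MBR' } | Group-Object Disk
    foreach ($d in $mbrDisks) {
        $hasActive = @($d.Group | Where-Object { $_.IsActive }).Count -gt 0
        [pscustomobject]@{ Disk = $d.Name; HasActivePartition = $hasActive }
    }
}

$layout = Get-BootLayoutReport
$layout | Format-Table -AutoSize
Test-MbrHasActivePartition -Report $layout | Format-Table -AutoSize
```

On a UEFI/GPT machine the report shows no active flag at all (GPT has no such bit; the firmware boots from the EFI System Partition instead), which is exactly the difference between the two boot schemes the slides describe.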

Page 9:

Logon
- Once the operating system has been loaded… user logon screen presented
- Rapid local boot is fine… but most organisational computers are on networks…
  » why?
  » why does network logon take so long?

Page 10:

“Policies”: Controlling User and System Settings
- The Windows user’s desktop is controlled with policies
  » user policies
  » system policies
- Configuring and using policies - essential part of any network administrator’s job!
  » could be 100s or 1000s of systems, & users

Page 11:

Storage of User/System Settings: Windows Registry
- Early Windows extended DOS text files of system & user settings:
  » SYSTEM.INI enhanced CONFIG.SYS
  » WIN.INI enhanced AUTOEXEC.BAT
- Windows 95 created a two-dimensional structure… known as The Registry
  » principles later extended in Windows NT v4 to allow system and user settings to be downloaded to the local registry across the network

Page 12:

Viewing/Editing the Registry
- REGEDT32 from command prompt… look but don’t touch!
  » contents should not be changed manually unless you really know what you are doing!!!
- Registry data that is loaded into memory can also be overwritten by data:
  » from local profiles
  » downloaded across the network…

Page 13:

System Settings
- For configuration of hardware and software
  » different types of system need different settings
  » system settings for a given computer may need to be changed for particular users, e.g. to change the screen refresh rate for epileptics

Page 14:

User Settings
- More a matter of convenience for the user
- mandatory profiles
  » users all get the same desktop settings!
  » anything added is lost during logoff!
- roaming profiles - desktop settings preserved between user sessions
  » saved across the network…

Page 15:

What is The Registry?
- A hierarchical store of system and user settings
- Five basic subtrees:
  » HKEY_LOCAL_MACHINE: local computer info. Does not change no matter which user is logged on
  » HKEY_USERS: default user settings
  » HKEY_CURRENT_USER: current user settings
  » HKEY_CLASSES_ROOT: software config data
  » HKEY_CURRENT_CONFIG: “active” hardware profile
- Each subtree contains one or more subkeys…

Page 16:

Location of the Windows Registry
- In XP… c:\windows\system32\config folder
- Six files (no extensions):
  » Software
  » System – hardware settings
  » Sam, Security
    » not viewable through regedt32
  » Default – default user
  » Sysdiff – HKEY_USERS subkeys
- Also to be considered: ntuser.dat
  » user settings that override the default user

Page 17:

Registry Files in Windows 7
- HKEY_LOCAL_MACHINE\SYSTEM: \system32\config\system
- HKEY_LOCAL_MACHINE\SAM: \system32\config\sam
- HKEY_LOCAL_MACHINE\SECURITY: \system32\config\security
- HKEY_LOCAL_MACHINE\SOFTWARE: \system32\config\software
- HKEY_USERS\UserProfile: \winnt\profiles\username
- HKEY_USERS\.DEFAULT: \system32\config\default
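The subtree-to-file mapping on pages 15 to 17 can be read from a running system rather than memorised: the kernel keeps the list of loaded hives and their backing files under a well-known key, and HKEY_CURRENT_USER is just a view of the logged-on user’s subtree under HKEY_USERS. The following is an added example, not part of the slides; it only reads the registry (in the “look but don’t touch” spirit of page 12) and needs no special rights beyond an ordinary logon.

```powershell
# Added example (not from the slides): list the registry hives Windows has
# loaded and the file on disk that backs each one, then confirm that HKCU is
# the current user's SID subtree under HKEY_USERS. Read-only throughout.

function Get-LoadedHiveFiles {
    # Maintained by the kernel at boot; each value maps a hive to its file, e.g.
    #   \REGISTRY\MACHINE\SAM -> \Device\HarddiskVolume2\Windows\System32\config\SAM
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $item = Get-ItemProperty -Path $key
    foreach ($name in $item.PSObject.Properties.Name) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those
        if ($name -like 'PS*') { continue }
        [pscustomobject]@{
            Hive = $name          # registry-namespace path of the hive
            File = $item.$name    # device path of the backing file (blank for volatile hives)
        }
    }
}

function Test-CurrentUserIsHkuSubtree {
    # HKEY_CURRENT_USER is an alias for HKEY_USERS\<SID of the logged-on user>
    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $viaHkcu = (Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper
    $viaHku  = (Get-ItemProperty "Registry::HKEY_USERS\$sid\Control Panel\Desktop").Wallpaper
    [pscustomobject]@{
        SID        = $sid
        HkuPath    = "HKEY_USERS\$sid"
        SameValue  = ($viaHkcu -eq $viaHku)   # expected: True
    }
}

Get-LoadedHiveFiles | Format-Table -AutoSize
Test-CurrentUserIsHkuSubtree | Format-List
```

The hive list shows the same SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT files as page 17, plus the per-user ntuser.dat entries from page 16, under their modern paths; comparing it against the expected set is a cheap way to notice an unexpected hive that has been loaded on a machine.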

Page 18:

Emergency Recovery if Registry lost or badly damaged
- Backup registry files created during the text-based part of Windows installation
  » also stored in: c:\windows\system32\config
  » have .sav suffix
  » only updated if the “R” option is chosen during a Windows recovery/reinstall
- NEVER UPDATED backup is saved to the C:\windows\repair folder
  » no user and software settings
  » reboots back to “Windows is now setting up”

Page 19:

Backing up the Registry
- Much forgotten… an oversight that may later be much regretted!!!
  » can copy to tape, USB stick, CD/DVD, or disk
  » rarely more than 100 Mb
- Two options:
- Use a third-party backup tool
  » e.g. http://www.acronis.co.uk
- Use Windows “backup”
  » not recommended by experts!
  » but already there & does work!
  » to copy the registry if this tool is chosen, a “system state” backup option should be selected
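A third option between the two on this page is a scripted export of the hives that user mode can read, which is enough to recover SOFTWARE, SYSTEM and a user’s own settings. The following is an added example, not part of the slides; it uses the built-in reg.exe and Get-FileHash (PowerShell 4 and later), must run elevated, and the destination path is an assumption. SAM and SECURITY cannot be exported this way (page 16), which is why a “system state” backup is still needed for a full recovery.

```powershell
# Added example (not from the slides): export readable registry hives with
# reg.exe, record a SHA-256 for each file in a manifest so a later restore can
# be checked for tampering or truncation, and verify the manifest before use.

function Backup-RegistryHives {
    param(
        [string]$Destination = "D:\RegBackup\$(Get-Date -Format yyyyMMdd-HHmm)",   # assumed path
        [string[]]$Hives = @('HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU')
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest = foreach ($hive in $Hives) {
        $file = Join-Path $Destination (($hive -replace '[\\:]', '_') + '.reg')
        # /y overwrites without prompting; reg.exe leaves a non-zero $LASTEXITCODE on failure
        & reg.exe export $hive $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export of $hive failed (exit code $LASTEXITCODE)"
            continue
        }
        [pscustomobject]@{
            Hive   = $hive
            File   = $file
            SizeMB = [math]::Round((Get-Item $file).Length / 1MB, 1)   # slide: rarely over 100 Mb
            Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
    return $manifest
}

# Before a restore (reg.exe import), confirm every export still matches the manifest.
function Test-RegistryBackupIntegrity {
    param([Parameter(Mandatory)][string]$Destination)
    $manifest = Import-Csv (Join-Path $Destination 'manifest.csv')
    foreach ($entry in $manifest) {
        $now = (Get-FileHash -Path $entry.File -Algorithm SHA256).Hash
        [pscustomobject]@{ Hive = $entry.Hive; File = $entry.File; Intact = ($now -eq $entry.Sha256) }
    }
}

$result = Backup-RegistryHives
if ($result) {
    $result | Format-Table -AutoSize
    Test-RegistryBackupIntegrity -Destination (Split-Path $result[0].File) | Format-Table -AutoSize
}
```

Keep the manifest on different media from the exports (the slide’s tape/USB/DVD advice applies), otherwise whoever can alter a .reg file can alter the hash beside it.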

Page 20:

System Policy File
- A collection of registry settings downloaded from the domain controller during logon
- Can apply different system settings to a computer, depending on the user or group logging on
- Can overwrite:
  » local machine registry settings
  » current user registry settings
- Should therefore only be used by those who know what they are doing!!!

Page 21:

System Policy File
- Saved as NTCONFIG.POL
- Normally held on Domain Controllers
  » read by the local machine during the logon procedure
  » provides desktop settings, and therefore used to control aspects of the appearance of the desktop
- Different NTCONFIG.POL settings can be applied according to:
  » User
  » Group
  » Computer
- Users with roaming profiles additionally save desktop settings to their profile folders

Page 22:

Active Directory
- Microsoft equivalent of Novell’s NDS (Network Directory Structure)
- An LDAP network-wide directory service for providing paths to files and services
- Available from Windows 2000 onwards
  » of limited use on earlier Windows networks

Page 23:

Windows Workgroups and Domains...
- Workgroup = peer-peer
- Domain = client-server
- Client machines can log on
  » Locally (i.e. peer-peer)
  » To the domain (client in a client-server network)

Page 24:

Servers and Domain Controllers
- Client-server networks use clients only for users
  » clients need to log on to the domain to access network resources
  » domain access managed by domain controllers
- Member servers used to provide and manage services

Page 25:

What is Active Directory?
- An object-oriented database (Internet-approved X.500 standard)
  » a hierarchy of data objects (& their properties):
    » domain controllers
    » computers
    » users & groups of users
    » network resources

Page 26:

Domain Controllers and Active Directory
- Good practice to have backups
  » domain controller should have a backup….
  » managed as part of the Active Directory system
- data on network resources, services & users all stored in a single file
  » ntds.dit
- tools available for AD system management
  » e.g. ntdsutil

Page 27:

Backing up the Database
- Goes without saying that the loss of Active Directory will be very bad for the network (!)
  » people won’t even be able to log on/off!
- AD should be backed up…
  » regularly!
  » preferably on another computer…
  » in another location…
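Pages 26 and 27 together amount to a checklist for a domain controller: know where ntds.dit is, know when AD was last backed up, and take a system state backup that contains it. The following is an added example, not part of the slides; it runs elevated on a domain controller, uses repadmin and wbadmin (the latter needs the Windows Server Backup feature), and the target volume E: is an assumption. wbadmin writes system state to a local volume only, so the slide’s “another computer, another location” still means copying the result off the DC afterwards.

```powershell
# Added example (not from the slides): locate the AD database files, read the
# last-backup time stamp that a system state backup leaves in the directory,
# alert if it is stale, and start a fresh system state backup.

function Get-NtdsLocation {
    # Value names written by the AD DS installation wizard
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DatabaseFile = $p.'DSA Database file'          # usually C:\Windows\NTDS\ntds.dit
        LogPath      = $p.'Database log files path'
        WorkingDir   = $p.'DSA Working Directory'
    }
}

function Get-LastAdBackupDate {
    # repadmin /showbackup prints, per directory partition, the time a system
    # state backup stamped into the dsaSignature attribute. The "yyyy-MM-dd
    # HH:mm:ss" form parsed here is what repadmin prints on English systems
    # (an assumption worth checking on other locales).
    $text  = & repadmin.exe /showbackup 2>&1
    $dates = foreach ($line in $text) {
        if ("$line" -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { [datetime]$Matches[1] }
    }
    if (-not $dates) { return $null }
    $dates | Sort-Object | Select-Object -Last 1
}

function Test-AdBackupFresh {
    param([int]$MaxAgeDays = 1)
    $last = Get-LastAdBackupDate
    [pscustomobject]@{
        LastBackup = $last
        Fresh      = ($null -ne $last) -and (((Get-Date) - $last).TotalDays -le $MaxAgeDays)
    }
}

function Start-AdSystemStateBackup {
    param([string]$TargetVolume = 'E:')   # assumed local volume
    # -quiet runs without the confirmation prompt; includes ntds.dit, SYSVOL and the registry
    & wbadmin.exe start systemstatebackup -backupTarget:$TargetVolume -quiet
    return $LASTEXITCODE   # 0 on success
}

Get-NtdsLocation | Format-List
$state = Test-AdBackupFresh
$state | Format-List
if (-not $state.Fresh) { Start-AdSystemStateBackup }
```

A backup older than the tombstone lifetime of the forest cannot be restored at all, so the freshness check is not only about losing recent changes; the one-day threshold here is a placeholder for whatever the organisation’s continuity plan requires.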

Page 28:

Managing Risks…
- TSI approach predicated on whole-life view (ISO/IEC 12207 & 15288), covering Specification, Realisation and Use

[TSI/2012/253] © Copyright 2003-2012

Page 29:

Trustworthiness: Definition

[TSI/2012/183] © Copyright 2003-2012

Page 30:

Trustworthy Software Audiences
- Mainstream
  » “The Industry” (e.g. Microsoft, Oracle, ...)
- Niche
  » Specialist Industries (e.g. Aviation, “Security”)
- Disbursed
  » Small-scale developers (e.g. SmartPhone Apps)
- Collateral
  » developers who don’t consider themselves as such (e.g. embedded components, website CMS users, spreadsheets, …)

[Diagram labels: Corpus; Supply; Demand; Produce - Niche; Produce - Mainstream; Produce - Collateral; Produce - Disbursed; Educate; Research; Professionalise; Specify; Respond; Assure; Configure; Operate; Use]

[TSI/2012/183] © Copyright 2003-2012

Page 31:

Fault Tolerance and Availability
- General engineering principle… if it can go wrong… it will!
- Trustworthy software should detect failure and trigger a backup
- Essential for Business Continuity

Page 32:

Managing Fault Tolerance
- Whole domain controller should be backed up!
  » Active Directory designed as a distributed database that backs up all domain controllers to each other
  » backup domain controller software set up using the same Active Directory wizard

Page 33:

Fault Tolerance (data storage fault)
- e.g. Hard disk crash
- System needed for a backup to take over “seamlessly”
  » i.e. without the user even noticing…
- Trustworthy software system: disk mirroring
  » exact copy available to take over at a moment’s notice

Page 34:

“Trust”
- About people!
- In this case: network users on different domains
- By default: do not trust strangers with your data!

Page 35:

Domain Trust
- This allows users on one domain to log onto resources on another domain
- Trusts can be one- or two-way

[Diagram: Domain A and Domain B linked by a trust]
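Whether a trust is one-way or two-way, and in which direction, is the first thing to establish before granting anyone from Domain B access to resources in Domain A. The following is an added example, not part of the slides; it needs the ActiveDirectory module (RSAT) and a domain-joined session, and uses whatever trusts the queried domain actually has.

```powershell
# Added example (not from the slides): enumerate the trusts of a domain and
# flag two-way and non-selective ones, since those widen who can be granted
# access to local resources.

Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Domain = $env:USERDNSDOMAIN)   # current user's domain by default
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        [pscustomobject]@{
            Partner          = $_.Target                          # the other domain ("Domain B")
            Direction        = $_.Direction                       # Inbound, Outbound or BiDirectional
            TwoWay           = ($_.Direction -eq 'BiDirectional')
            ForestTransitive = $_.ForestTransitive                # trust extends to the partner's whole forest
            SelectiveAuth    = $_.SelectiveAuthentication         # $false = every partner user is authenticated here
            TrustType        = $_.TrustType                       # e.g. Uplevel (AD) or Downlevel (NT4)
        }
    }
}

function Get-WideOpenTrusts {
    # Trusts where any user of the partner domain can authenticate here and
    # the relationship also runs the other way: review these first.
    Get-TrustSummary | Where-Object { $_.TwoWay -and -not $_.SelectiveAuth }
}

Get-TrustSummary | Format-Table -AutoSize
Get-WideOpenTrusts | Format-Table -AutoSize
```

Direction is reported from the queried domain’s point of view: Inbound means users of the partner can be granted access here, which is the page’s “log onto resources on another domain” seen from the resource side.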

Page 36:

Enterprise Structure of Active Directory
- A hierarchical system of organisational data objects, i.e. domains
- A Tree can be
  » a single domain
  » a group of domains

Page 37:

Domain Trees & Forests
- Active Directory provides “trust” between the databases of domains that are linked in this way
- A “Tree” is the domains and the links between them
- A “Forest” contains the data needed to connect all objects in the tree:
  » domain objects in the tree are logically linked together in the forest and their users can “trust” each other

Page 38:

Active Directory and Users
- Active Directory allows set-up and management of domain users
- Can also define domain groups, and allow domain users to become part of domain groups
  » aids administration
  » policy file can be set up
    » interacts with the user machine’s registry during login
    » controls the user desktop

Page 39:

Organisations, Organisational Units, and Domains
- An organisation may:
  » have several locations
  » have several functions in the same location
- Alternative to multiple domains… organisational units
  » group policy can be applied selectively

Page 40:

Domain Name System & Active Directory
- Active Directory structures designed to be able to mirror the naming of servers that are part of the Internet
- Systematic Internet server naming already available for some time as DNS (Domain Name System)

Page 41:

Active Directory and DNS
- In Active Directory, each domain in the tree has a unique DNS identity
  » therefore a unique IP address…
  » can cause confusion when setting up the domain structure!!
- Also, each device within a domain can make use of DNS, via its IP address…
  » Windows-based naming (WINS) obsolete

Page 42:

Microsoft TCP/IP stack
- Differs from UNIX TCP/IP (e.g. no FTP, SMTP or Telnet)
- DNS is available as a network service
- Application layer components:
  » Windows sockets - to interface with sockets-based applications
  » NetBT - to interface with NetBIOS applications
- SNMP, TCP, UDP, IP as with the Unix protocol stack

Page 43:

Tips for Configuring TCP/IP on Windows clients
- Make sure the network card is active
- Requires local administrator access!!
- Access via “properties” after right-clicking “LAN connection”
- TCP/IP settings then easily changed

Page 44:

Manual Setting of IP address
- Subnet mask:
  » 255.255.255.0 for small networks
  » 255.255.x.0 for larger networks
    » x -> 0 as the network gets larger
  » About optimisation of network performance…
- Default gateway is the IP address of the LAN-Internet interface computer…
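The “x -> 0 as the network gets larger” rule is just the mask’s bit count falling, and a mask that is not a contiguous run of ones is a common typing error that Windows will reject. The following is an added example, not part of the slides: Get-SubnetInfo is pure arithmetic and runs anywhere, while Set-StaticIPv4 uses the NetTCPIP module (Windows 8 / Server 2012 and later), needs local administrator rights as page 43 says, and its adapter alias, address and gateway values are assumptions.

```powershell
# Added example (not from the slides): validate a dotted subnet mask, convert it
# to a prefix length and host count, and apply a static IPv4 address with it.

function Get-SubnetInfo {
    param([Parameter(Mandatory)][string]$Mask)
    $octets = $Mask.Split('.')
    if ($octets.Count -ne 4) { throw "'$Mask' must have four octets" }
    # Concatenate the 32 bits; a valid mask is a run of 1s followed by a run of 0s
    $bits = ($octets | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "'$Mask' is not a contiguous subnet mask" }
    $prefix = ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
    [pscustomobject]@{
        Mask         = $Mask
        PrefixLength = $prefix                             # the /N form
        ThirdOctet   = [int]$octets[2]                     # the slide's "x"
        UsableHosts  = [math]::Pow(2, 32 - $prefix) - 2    # minus network and broadcast addresses
    }
}

function Set-StaticIPv4 {
    param(
        [string]$Alias = 'Ethernet',                       # assumed adapter name
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Mask,
        [Parameter(Mandatory)][string]$Gateway
    )
    $prefix = (Get-SubnetInfo -Mask $Mask).PrefixLength   # throws on a malformed mask
    # Clear any existing IPv4 address and default route on the adapter first
    Remove-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IPAddress -PrefixLength $prefix -DefaultGateway $Gateway
}

# Smaller x in the third octet -> fewer mask bits -> more hosts per network
'255.255.255.0', '255.255.240.0', '255.255.0.0' |
    ForEach-Object { Get-SubnetInfo -Mask $_ } | Format-Table -AutoSize

# Uncomment to apply (this changes the machine's network configuration):
# Set-StaticIPv4 -Alias 'Ethernet' -IPAddress 192.168.10.20 -Mask 255.255.255.0 -Gateway 192.168.10.1
```

For the three masks listed the table shows /24 with 254 hosts, /20 with 4094 and /16 with 65534, which is the slide’s rule made concrete.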

Page 45:

TCP/IP Configuration via DHCP
- Dynamic Host Configuration Protocol
- Network management of IP addresses…
  » automatically assign IP addresses from a Windows 2000 server machine running a DHCP server
  » integrates with Active Directory

Page 46:

Windows TCP/IP utilities
- Not available from the GUI…
- Only accessible via the cmd prompt:
  » Ping (packet internet groper)
  » FTP
  » Telnet
  » Finger (retrieval of system information from a computer running TCP/IP & finger)
  » ARP (displays local IP addresses according to equivalent MAC or “physical” addresses)
  » ipconfig (displays local IP configuration)
  » tracert (checks route to a remote IP address)
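The cmd-prompt utilities on this page each answer one question; in practice they are run in order, from the local configuration outwards. The following is an added example, not part of the slides, that chains the PowerShell equivalents of ipconfig, arp, ping and tracert (NetTCPIP module, Windows 8 / Server 2012 and later) into one diagnostic; the target name is an assumption.

```powershell
# Added example (not from the slides): check local IP configuration, the
# gateway's ARP entry and reachability, then the remote target, and only run a
# trace route when the gateway answers but the target does not.

function Test-HostReachability {
    param([Parameter(Mandatory)][string]$Target)

    # ipconfig: first interface that has an IPv4 default gateway
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    if (-not $cfg) { throw 'No interface with an IPv4 default gateway' }
    $gateway = $cfg.IPv4DefaultGateway.NextHop

    # arp: the neighbour cache maps the gateway IP to its MAC address
    $neighbour = Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress -eq $gateway }

    # ping: -Quiet returns $true/$false instead of per-reply objects
    $gatewayUp = Test-Connection -ComputerName $gateway -Count 1 -Quiet -ErrorAction SilentlyContinue
    $targetUp  = Test-Connection -ComputerName $Target  -Count 2 -Quiet -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Interface  = $cfg.InterfaceAlias
        LocalIP    = ($cfg.IPv4Address | Select-Object -First 1).IPAddress
        Gateway    = $gateway
        GatewayMAC = $neighbour.LinkLayerAddress   # empty if no ARP entry: local link problem
        GatewayUp  = [bool]$gatewayUp
        TargetUp   = [bool]$targetUp
    }
}

# tracert equivalent: list of hops toward the target
function Get-RouteToTarget {
    param([Parameter(Mandatory)][string]$Target)
    (Test-NetConnection -ComputerName $Target -TraceRoute -WarningAction SilentlyContinue).TraceRoute
}

$target = 'www.example.com'   # assumed target
$result = Test-HostReachability -Target $target
$result | Format-List
if ($result.GatewayUp -and -not $result.TargetUp) {
    Get-RouteToTarget -Target $target
}
```

Reading the result top-down mirrors the page’s tool list: no IP or no gateway is an ipconfig problem, no MAC is an ARP/link problem, gateway down is local routing, and only a target that fails with the gateway up justifies the trace.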

Page 47:

Terminal Services (“thin client”)
- Allows any PC running a version of Windows to remotely run an NT-series server
  » uses a copy of the server’s desktop on the client machine
- Client tools must be installed first, but the link can run with very little bandwidth
  » possible to remotely manage a server thousands of miles away using a phone connection…

Page 48:

Remote Access Service (RAS)
- Allows access to an external network through public/other networks
  » uses Point-to-Point Protocol (PPP): remember that?
  » standard username/password authentication
  » also PPP Multilink protocol, which allows a combination of communications links and multiple links to be used
- Capability for VPNs (Virtual Private Networks) using secure Internet access
  » using L2TP (point-point “tunnelling” protocol)

Page 49:

RAS & Secure Remote Login
- To log in remotely, the user must have a valid username/password and RAS dial-in permission
- RAS can use “call back” security:
  » Server receives a remote request for access
  » Server makes a note of the telephone number
  » Server calls the remote client back, guaranteeing that the connection is made from a trusted site
- Login information encrypted by default
- All remote connections can be audited

Page 50:

Internet Information Server (IIS)
- Microsoft’s Web Server
  » can also provide an ftp or smtp publishing service
- Purpose:
  » make html pages available:
    » as a local www service
    » across the network as an Intranet
    » across trusted external users/domains as an Extranet
  » run server scripts in communication with client browsers
- Sets up its own directory structure for developing Intranets, Extranets, etc.
- Access to any IIS service can be restricted using username/password security

Page 51:

Internet Information Server (2)
- Can allow anonymous remote login:
  » Uses a “guest” account – access only to the files that make up the Intranet
  » Anonymous login prevents trying to hack in through guessing the passwords of existing users
- Provides the software connectivity for a server-side interface that can connect client-server Internet applications to online databases, e.g. .aspx or .php
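Pages 50 and 51 describe two choices per site: anonymous access through a restricted guest account, or username/password restriction. Which of these is actually in force, and under what account anonymous requests run, can be read straight from the IIS configuration. The following is an added example, not part of the slides; it uses the WebAdministration module that ships with IIS 7 and later, runs elevated on the web server, and reports whatever sites exist on that machine.

```powershell
# Added example (not from the slides): for every IIS site, list which
# authentication methods are enabled and the account used for anonymous
# access, and flag sites that take username/password (Basic) logins without an
# https binding, since Basic sends the password in the clear.

Import-Module WebAdministration

function Get-AuthSetting {
    param([string]$SitePath, [string]$Method, [string]$Attribute = 'enabled')
    $filter = "/system.webServer/security/authentication/$Method"
    (Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name $Attribute).Value
}

function Get-SiteAuthenticationReport {
    foreach ($site in Get-Website) {
        $path     = "IIS:\Sites\$($site.Name)"
        $hasHttps = @($site.bindings.Collection | Where-Object { $_.protocol -eq 'https' }).Count -gt 0
        $basic    = [bool](Get-AuthSetting $path 'basicAuthentication')
        [pscustomobject]@{
            Site            = $site.Name
            Anonymous       = [bool](Get-AuthSetting $path 'anonymousAuthentication')
            AnonymousUser   = Get-AuthSetting $path 'anonymousAuthentication' 'userName'   # blank = app pool identity
            Basic           = $basic
            Windows         = [bool](Get-AuthSetting $path 'windowsAuthentication')
            HasHttps        = $hasHttps
            BasicWithoutTLS = ($basic -and -not $hasHttps)   # review these first
        }
    }
}

Get-SiteAuthenticationReport | Format-Table -AutoSize
```

The AnonymousUser column is the “guest” account of page 51; its NTFS permissions on the site folder are what actually limit anonymous visitors to the Intranet files, so the report is the place to start when checking that an anonymous site exposes nothing else.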