3 系统安全

••cui_bj@sina.com.cn13611330827•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••Windows•1.ˆˆˆˆadministratorˆguestˆsyskey••Windows•1.ˆ€Guest€administrator€••Windows•1.ˆ€815€€€€123••AccountIdentifier:Securityidentifier(SID)•(useraccounts)ˆWindowsID(SID)…ˆuniversalgroupsglobalgroupslocalgroups•AccountIdentifier:Securityidentifier(SID)ˆ,48ˆS-1-5-21-1507001333-1204550764-1011284298-500ˆSIDSˆ(1)ˆ(Windows20005)ˆ4(213)(RelativeIdentifierRID500)••RID•RIDˆRID500AdministratorˆRID501Guest•1000RID(RID101514)•Windows2000()RID500••SID•C:\user2sidAdministratorS-1-5-21-1507001333-1204550764-1011284298-500Numberofsubauthoritiesis5DomainisCORP•C:\sid2user521150700133312045507641011284298500NameisAdministratorDomainisCORPTypeofSIDisSidTypeUser••SAM(SecurityAccountsManager)•Windows•()•SAM5%systemroot%\system32\config\sam•Windows2000(%systemroot%\ntds\ntds.dit)••.WindowsWinlogonGINALSASecurityAccountManagementNetlogonAuthenticationPackagesSecuritySupportProviderSSPIGINA••.WindowsˆWinlogonˆGINAˆLSAˆAuthenticationPackagesˆNetlogonˆSAM••LanManNTLM•Windows•WindowsNTLMNTLM20002000KerberosKerberosNTLMNTLMNT4/2000NT4/2000NT4+SP4NT4+SP420002000NTLMv2NTLMv2LANManLANManNT4NT420002000NTLMNTLMWFWWFWWin9xWin9xLANManLANMan•••LanManager--LMwin9X•NTLM--NTwinNTSP3•NTLMv2–winNTSP4•KerberosV5–win2K••LM•LMˆ14014ˆˆ7ˆ78DESKEYˆ8DESKEY64ˆ64128••LanMan•ˆ8-1377•••NTLM•NTLMWindowsNT4.0•Windows3.11Windows95/98WindowsNT4.0Windows2000NTLM•WindowsNT4.0NT4.0Windows2000NTLM••NTLM-NT•NTLM(NT)unicodeMD4ˆLANmanagerˆNTLMNTLMv2••NTLM128hash1SAM(SecurityAccountManager)hashchallenge2challengechallenge••Windows•1.ˆ€815€€€€123••Windows•1.ˆadministrator€€€administratorguest™1™2€••Windows•1.ˆguest€€guestguest••Windows•1.ˆsyskey€SAMSAM:SecurityAccountsManager,™samsam™••Windows•1.ˆ€Winternalslocksmith€Elcomsoftadancedntsecurityexplorer€L0phtcrack5€OffineNTpassword®istryeditor€WindowsXP/2000/NTkey€Johntheripper••Windows•1.ˆsyskey€syskey€••128bitHASHsam••SYSKEYNT4sp3128syskeySAMSAM•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••Windows•2.NTFSEFSˆNTFS€NTFS€€€€Everyone••Windows•2.NTFSEFSˆNTFS€€SpecialNTFS€™everyone€cacls.exe€programfiles€cmd.exe••Windows•2.NTFSEFSˆEFS€™NTFS™™™™™••WindowsCryptoAPICryptoAPII/OI/OEFSDriverEFSDriverNTFSNTFSKernelKernelWin32Win32EFSEFSEFSEFSNTFSNTFSEFSEFSEFSEFSEFS••Windows•2.NTFSEFSˆEFS€™™cipher.exe€€€•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••Windows•3.ˆˆ€ˆ€€€DWORD••Windows•3.ˆHKEY_CLASSES_ROOTˆHKEY_CURRENT_USERˆHKEY_LOCAL_MACHINEˆHKEY_USERSˆHKEY_CURRENT_CONFIG••Windows•3.ˆˆ€FileMon/RegMon™™€ActiveRegistryMonitor™™•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••Windows•4.ˆ€••Windows•4.ˆ€€EventCombMT••Windows•/•/•••R/W‹‹‹‹‹‹‹‹•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••.Windows•5.ˆˆˆˆ••.Windows•5.ˆ€IANA(internetassignednumbersauthority)™1~1023™102449151™4915265535FTP21telnet23Smtp25http80Pop31103NNTP119SNMP161HTTPS443HTTPRDP3389Pcanywhere5631/5632PCanywhere7.52••.Windows•5.ˆ€€tasklist™tasklist/svc™tasklist/v™tasklist/mdll€Tlist™Tlist–s™Tlist–t™Tlistpid™Tlist–mdll€netstat–aon••.Windows•5.ˆ€TCP/IP™//€InternetConnectionFirewall™™€IPSecurity™••.Windows•5.ˆ€€Services.msc€™Clipbooksever,..™Computerbrowser,..™NetworkDDEandDDEDSDEdde™TelephonyTAPILANIP™Indexingservicerpc,,™telnet™TCP/IPNetBIOSHelper“TCP/IPNetBIOS(NetBT)”NetBIOS™TaskScheduler™RemoteRegistry™PrintSpooler™MessengerNETSENDAlerter•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows•••6.Webˆ(1)ˆ(2)Webˆ(3)Web•••(2)WEBˆWeb€€€€ˆWeb€Nikto€Whisker•••(2)Webˆ€aspˆ€ˆ€€IISFTP€ˆIIS€IIS••ˆIISWeb€.idq.ida,.htwHTML.shtml.shtm.stmssiinc.dllWeb.IdcURL.htrASP.printerIIS€IISSamples\IISSamplesIISDocumentation\IISHelpDataAccess\MSADC404.dllC:\WINNT\system32\inetsrv\filename.dll••ˆIISWeb€Web,“Everyone”€(“€IISMetaBase.binAdministratorsLocalSystemEveryone///€IISIISACLeveryone€GuestAdministratorIUSR_ComputerNameIUSR_ComputerNameInternetIISComputerNameIISNetBIOS€€(TCP)SMBNetBIOS(hostenumeration)WebInternet€UrlScanISAPIUrlScanInternet(ISAPI)HTTPWebC:\WINNT\system32\inetsrv\urlscan\UrlScan.ini•••(3)WEBˆWeb€€SQL€€HTTP•••(3)WEBˆWeb€Achilles€ParosProxy€WebSleuth€SPIKEProxy€WebProxy€FormScalpel€FSMax€WASAT•••(3)WEBˆWeb€SPIDynamics™WebInspect™SPITookit€Sanctum/Watchfire™AppSec/WebMX•••1.•2.NTFSEFS•3.•4.•5.•6.Web•7.Windows••.Windows•MBSAˆMBSA(MicrosoftBaselineSecurityAnalyzer)•Windows2000WindowsXP•,ˆWindowsˆInternetInformationServer4.0andInternetInformationServer5.0ˆSQL7.0andSQL2000ˆ€InternetExplorer€Office€Outlook™••.Windows•MBSAˆMBSA••.Windows•MBSAMBSAMBSA••.Windows•SUS(softwareupdateservices)ˆˆˆ••ADMIIS••••••Antigen•ˆExchange/sharepoint/instantmessaging/SMTP•••••SMS2003•ˆˆ•ˆˆˆ••MOM2005•ˆˆ•ˆˆ•ˆ••Q&A