操作系統(tǒng)安全

NT的安全性UNIX的安全性1 23二、NT1、NT包括：文件（夾，打印機，I/OSIDRID。創(chuàng)建時根據(jù)計算機明、系統(tǒng)時間、進CPU的時間進行創(chuàng)建。S-1-5-<domain>-500S-1-5-<domain>-501S-1-5-32- S-1-5-32-

Auseraccountforthesystemadministrator.Thisaccountisthefirstaccountcreatedduringoperatingsysteminstallation.Theaccountcannotbedeletedorlockedout.ItisamemberoftheAdministratorsgroupandcannotberemovedfromthatgroup.Auseraccountforpeoplewhodonothaveindividualaccounts.Thisuseraccountdoesnotrequireapassword.Bydefault,theGuestaccountisdisabled.Abuilt-ingroup.Aftertheinitialinstallationoftheoperatingsystem,theonlymemberofthegroupistheAdministratoraccount.Whenacomputerjoinsadomain,theDomainAdminsgroupisaddedtotheAdministratorsgroup.Whenaserverbecomesadomaincontroller,theEnterpriseAdminsgroupalsoisaddedtotheAdministratorsgroup.TheAdministratorsgrouphasbuilt-incapabiltiesthatgiveitsmembersfullcontroloverthesystem.Thegroupisthedefaultownerofanyobjectthatiscreatedbyamemberofthegroup.Abuilt-ingroup.Aftertheinitialinstallationoftheoperatingsystem,theonlymemberistheAuthenticatedUsersgroup.Whenacomputerjoinsadomain,theDomainUsersgroupisaddedtotheUsersgroupontheUserscanperformtaskssuchasapplications,usinglocalandnetworkprinters,shuttingdownthecomputer,andlockingthecomputer.Userscaninstallapplicationsthatonlytheyareallowedtouseiftheinstallationprogramoftheapplicationsupportsper-userinstallation.訪問控制列表：ACEACEFigure WindowsNTSecurity三、UNIX12crond,wu-ftp,3、/etc/passwd和/etc/shadow4、non-rootuseraccesstosensitivecommands:poweroff,reboot,Pluggableauthenticationmodules:PAMs,createadditionalauthenticationparameterswithoutaffectingexistingauthenticationsystemsPAMdirectory: determinewhatmustoccurbeforeausercanlogged setlimitsconcerningusersanddaemonsoncetheyhaveloggedontothesystem theactuallocationofthePAMmodulesPAMentryformat:Moduletype Moduletype:determineauthenticationtypeFlags:determinemoduletypePath:determinemodulelocationinthesystemArgs:optional,customizePAMbehavior/etc/securityaccess.conf:determineswhocanaccessthemachineandfromwheregroup.conf:determineswhichgroupcanlogintime.conf:setlogontimelimits.conf:setlimitsbaseduponpercentageofprocessorusageornumberofprocessesausercanrunsimultaneouslyNT賬號的安全性UNIX賬號的安全性12二、NT122000中賬號策略必須在域的級別來進行設(shè)置Kerberos區(qū)別：2000127位密碼，NT147位為單位，所7的整數(shù)倍NT缺省不禁用管理員賬戶，2000可以遠程禁用34567SYSKEYSAM三、UNIX1/etc/passwd：everyonecanread,butonlyrootcanownitandchange/etc/shadow：onlyrootcanreadandwrite23Solaris: console=Linux:/etc/securitylistthedevicenamewhererootcanloginLog:/etc/default/sucanincludesulog=/var/adm/sulog4shell:rkshWindows2000:looksincurrentdirectoryforapplicationlooksatpathstatementUnix:onlylooksatpathDonotsetthecurrentdirectoryinthefirstplaceoftheDonotallowwritepermissionfornormalusersaboutdirectoryinPATHofroot7syslogd:使用/etc/syslog.confinetd:使用-t選項激活日志功能，可以記錄相應(yīng)服務(wù)的運行情況第三章文件系統(tǒng)安全性概述：windowsLinux一、windows1FAT16,FAT32,NTFS4.0,NTFS5.0,2、NTFS權(quán)限：權(quán)限的繼承：ACL列表的拷貝erveryoneauthenticateduserseveryonefullread3、IPSecNTFS外,45Administrators、ServerOperators、PowerUsersgroup有權(quán)利設(shè)置共享新建共享后，EveryonegroupFC所能接受的最大用戶數(shù)：Win2kProfessional Win2kServe DenyAllowsharesecurity取并集FAT、FAT32、NTFS上設(shè)置共享6NTFS安全性和共享安全性：NTFSattrib+HNTFS文件分流：不需要重新共建文件系統(tǒng)就能夠給一個文件添加屬性和信息的機制，Macintosh的文件兼容特性。NTRKPOSIXcpcpnc.exeoso001.009:nc.execposo001.009:nc.exeoso001.009大小沒有變化，但修改日期可能會有變化分流后不能直接執(zhí)行：startoso001.009:nc.exeFATNTFS分區(qū)ISSStreamfinder.二、linuxfilesystemsecurity:ls–loutput:drwxrwxrwx5james james120Mar2117:22accountd:directory-:normalfile5:link120:fileordirectoryfileeachfilehasitseveryfilebelongstoonegroup,primaryonlyonepermissionissuitableforyouifyouhavethreekindsofpermissionsownermayhavenoanypermissiontothefilethatheownsdirectoryumaskfiledefault:rw-rw-rw-directorydefault:rwxrwxrwx w-rwxchangeumask:umaskchangepermissions:chmodabsolutemode:chmod666filenamesymbolicmode:chmodogw+/-/=rwxsetbits:changeshellduringexecutethecommandsticky:usercancontrolandmanagementthewholedirectoryifuserhaswritepermissionaboutthedirectory,itmeanstheusercandeleteotherusers’files.Youmaysetstickysothatyouassignwritepermissionbutnoadministrativepermissiontothedirectory.Chmodu=rwx,og=wxtdirectory查看危險的setuid和setgid許可權(quán)限： /-perm-4000–print>diff.oldChangefileowner:chownnewownerfilenameChangefilegroup:chgrpnewgroupfilename第四章評估風(fēng)險12二、windows123HKLM\System\CCS\services\lanmanagerserver\parameters\autoshareserver(autosharewks)=04三、UNIX1R*Rps-、采用/etc/hosts.equiv和用戶主目錄下的.rhosts600644的權(quán)限ip、偽造DNSmountdNFS服務(wù)器相關(guān)的緩沖區(qū)溢出條件已被發(fā)現(xiàn)RPC服務(wù)，可以輕易的安裝遠程系統(tǒng)上的文件NFS和相關(guān)服務(wù)實現(xiàn)客戶機和用戶的訪問控制，/etc/exports和/etc/dfs/dfstab能夠控制進行訪在允許安裝某個文件系統(tǒng)的客戶機列表中決不要加上相應(yīng)服務(wù)器的本地iplocalhost.portmapper會打開代理中轉(zhuǎn)，會代理供給者中轉(zhuǎn)連接請Windows1servicespackhotfixes，如果系統(tǒng)沒有相關(guān)服務(wù)，不2win.ini5個配置單元（hivekey）4個存放于winnt\system32\config目錄下：SAM,SYSTEM,SECURITY,SOFTWARE4system賬號訪問。HARDWARE進行硬件檢測，HKEY_LOCAL_MACHINE(HKLM的配置單元。實際上，HKLM保存著注冊表中的大部分信息，因為另外四個配置單元都是HKEY_CURRENT_USER(HKCU配置單元包含著當(dāng)前登錄到由這個注網(wǎng)絡(luò)連接、打印機和應(yīng)用程序首選項(環(huán)境變量在s2000中被用來允許腳本、注冊表條目，以及其它應(yīng)用程序使用通配符來代替可能會發(fā)生改變的重要的系統(tǒng)信息)，存儲于用戶配置文件的ntuser.dat中。優(yōu)先于HKL中相同關(guān)鍵字。這些信息是SS配置單元當(dāng)前登錄用戶的SecurityD(SID)子項的映射。HKEY_USERSHKU置文件。其中一個子項總是映射為HKEY_CURRENT_USER通過用戶的SID值)。另一個子項HKEY_USERS\DEFAULT包含用戶登錄前使用的信息。HKEY_CLASSES_ROOT(HKCR)配置單元包含的子項列出了當(dāng)前已在計算機上注冊的所有COM服務(wù)器和與應(yīng)用程序相關(guān)聯(lián)的所有文件擴展名。這些信息是HKEY_LOCAL_MACHINE\SOFTWARE\Classes子項的映射。HKEY_CURRENT_CONFIG(HKCC)配置單元包含的子項列出了計算機器某個指定的會話中支持哪些設(shè)備驅(qū)動程序。這些信息是HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet子項的映射。HKEY_LOCAL_MACHINE(HKLMWindowsNT：使用C2Config和C2regacl.infWindows2000：使用組策略在web服務(wù)器上禁止serverSMBconnectionEstablishaTCPconnectionnegotiatedialectsetupSMBsessionaccessPcnetworkprogram1.0MicrosoftnetworksLanman1.0LMLanMan2.1WindowsNTLM禁止匿名連接：HKLM\服務(wù)器控制驗證方法：lmcompatibilitylevel0激活SMBHKLM