1. Methods and ways of secure authentication in Windows 7
Krzysztof Bińkowski
MCT Security/Forensics Trainer
28.04.2011
2. Agenda
• a few words about me
• Authentication = Uwierzytelnienie (the Polish term)
• Authentication / Authorization
• Authentication methods 1FA/2FA/3FA
• SmartCard Authentication
• SmartCard + Biometric Authentication
• Biometric Authentication
• Face Authentication
• Online Identity Integration
3. A few words about me
I hold several certificates:
• MCT
• MCSA/MCSE+Security
• MCITP SA/EA
• ACE (Accessdata Certified Examiner)
• ACI (Accessdata Certified Instructor)
• Novell CNA/CNE
Day to day:
• Microsoft / security / forensics technology trainer at COMPENDIUM Centrum Edukacyjne
• Specialisation: Windows systems / Security / PKI / Forensics
• I specialise in computer forensics
• Community notary for CAcert / StartSSL
• Member of: ISSA Polska, SIIS (Stowarzyszenie Instytut Informatyki Śledczej), SEClub
• Co-leader of the MSSUG group
5. Authentication / Authorization?
Who are you? Authentication: are you who you claim to be?
Are you on the list? Authorization: do you have permissions granted to the resources you are trying to access, e.g. an ACL?
What does the list say you can do? Access: what actions your granted permissions allow.
(Diagram: User → Resource)
6. Authentication and Authorization Process
Windows authentication methods include:
• Kerberos version 5 protocol: used by Windows 7 clients and servers running Microsoft Windows Server 2000 or later
• NTLM: used for backward compatibility with computers running pre-Windows 2000 operating systems and some applications
• Certificate mapping: certificates are used as authentication credentials
7. SECURE AUTHENTICATION
(Diagram of the three authentication factors, arranged from Convenient to Most Secure)
• What You Know: Passwords & PINs
• What You Have: Smart cards & Tokens
• What You Are: Biometrics
One factor alone is Traditional Authentication; two factors combined is Two-Factor Authentication (2FA); all three is Three-Factor Authentication (3FA), the most secure.
8. New Authentication Features in Windows 7
• Smart cards: several new authentication features are available for use with smart cards, including Kerberos support for smart card logon; encrypting removable media using BitLocker and using the smart card option to unlock the drive; document and e-mail signing
• Biometrics: Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components
• Online Identity Integration: a new Group Policy setting is available that controls the ability of online IDs to authenticate to a computer
9. Smart Card in Polish
Karta inteligentna? (intelligent card)
Karta elektroniczna? (electronic card)
Karta chipowa? (chip card)
Karta kryptograficzna? (cryptographic card)
Karta mikroprocesorowa? (microprocessor card)
10. Smart Card design
- Has an embedded processor
- Is programmable
- Provides secure storage for private keys
- Separates security-critical operations from the computer
The card stores:
Private key
Public key
Associated certificate
14. Smart Cards
Smart card-related Plug and Play
Kerberos support for Smart card logon
Encrypt removable media using BitLocker and using the Smart card option to unlock the drive
Document and e-mail signing
Used with line-of-business applications to enable certificate use with no additional middleware
17. 4 Modes – 4 ways to authenticate
(Screenshots of the Biometric Verification dialogs; the prompts shown are:)
Fingerprint Authentication: "Please swipe your finger on the biometric reader."
PIN or Fingerprint Authentication: "Please swipe your finger OR enter your PIN"
PIN and Fingerprint Authentication: "Please swipe your finger first, then enter your PIN"
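The logon modes on this slide differ in how many of the factors from slide 7 they actually enforce: "PIN or fingerprint" accepts whichever single credential verifies, while "PIN and fingerprint" requires both. The following policy model, an added example and not code from the presentation, makes that visible; the PIN value, matcher threshold and the verifiers themselves are constructed stand-ins for the real Windows components.

```python
# Policy model of the logon modes from slide 17 and the number of distinct
# factor categories from slide 7 (know / have / are) each mode really enforces.
# Added example, not code from the presentation; the PIN and fingerprint
# checks are constructed stand-ins for the real Windows components.
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Mode(Enum):
    FINGERPRINT = "fingerprint"
    PIN = "pin"
    PIN_OR_FINGERPRINT = "pin_or_fingerprint"
    PIN_AND_FINGERPRINT = "pin_and_fingerprint"

# Each mode lists the credential combinations that satisfy it.
ACCEPTS = {
    Mode.FINGERPRINT: [{"fingerprint"}],
    Mode.PIN: [{"pin"}],
    Mode.PIN_OR_FINGERPRINT: [{"pin"}, {"fingerprint"}],
    Mode.PIN_AND_FINGERPRINT: [{"pin", "fingerprint"}],
}
# Factor category per credential type: PIN is "what you know", fingerprint "what you are".
FACTOR = {"pin": "know", "fingerprint": "are"}
ENROLLED_PIN = "4831"    # constructed enrolment data
MATCH_THRESHOLD = 0.90   # constructed matcher threshold

@dataclass
class Presented:
    pin: Optional[str] = None                  # typed PIN, None if not offered
    fingerprint_score: Optional[float] = None  # matcher similarity 0..1, None if no swipe

def verified_credentials(p: Presented) -> set:
    """Credential types that verified on their own."""
    ok = set()
    if p.pin is not None and hmac.compare_digest(p.pin.encode(), ENROLLED_PIN.encode()):
        ok.add("pin")
    if p.fingerprint_score is not None and p.fingerprint_score >= MATCH_THRESHOLD:
        ok.add("fingerprint")
    return ok

def authenticate(mode: Mode, p: Presented) -> bool:
    """Accept when some combination required by the mode is a subset of what verified."""
    return any(combo <= verified_credentials(p) for combo in ACCEPTS[mode])

def factors_enforced(mode: Mode) -> int:
    """Factor categories an attacker must defeat: the weakest accepted combination
    decides, so 'PIN or fingerprint' is still single-factor."""
    return min(len({FACTOR[c] for c in combo}) for combo in ACCEPTS[mode])
```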
19. Biometric
Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components
A common API facilitates development of applications using biometrics
Through a new Control Panel item, users can control the availability and use of biometric devices
Device Manager support for managing drivers for biometric devices
Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain
23. Online Identity Integration
A new Group Policy setting is available that controls the ability of online IDs to authenticate to a computer
Online IDs can be used to identify individuals within a network
Users must link their Windows user account to an online ID to facilitate authentication
Authentication occurs through the use of certificates
Does not prevent domain accounts or local user accounts from logging on to the computer
24. Online Identity Integration
• What's the benefit of linking my online IDs with my Windows user account?
• If you have an online account, such as an e-mail account, you can link that
account with your Windows user account. Linking these accounts provides
the following benefits:
• People can share files with you on a homegroup using your online ID
instead of having to create a Windows user account for you on their
computer.
• You can use your online ID to access your information on other computers
on a network, such as accessing files on a home computer from your work
computer.
• Linking your account is a two-part process. First, you need to add your
online ID provider, and then you need to link your online ID with your
Windows user account.