17/90 LSA
❖ Local Security Authority
❖ a process
➢ the Local Security Authority Subsystem Service
➢ lsass.exe
❖ The primary security gateway into Windows
Embedded System Laboratory (嵌入式系统实验室), Suzhou Institute for Advanced Study of USTC
18/90 The SAM and Active Directory
❖ On all Windows computers, the SAM contains user account name and password information.
➢ Passwords are not stored in the clear; the SAM holds a scrambled value
➢ The scrambling procedure is a one-way function
➢ A hash algorithm is used, so the stored "ciphertext" is simply a hash value
❖ On Windows 2000 Server and later domain controllers, user account/hash data for the domain is kept in the Active Directory
19/90 Active Directory (AD)
❖ Introduced with Windows 2000 Server
❖ Provides a variety of network services, including:
➢ LDAP directory services
➢ Kerberos-based authentication
➢ DNS-based naming and other network information
❖ Objects are organized in a hierarchical structure
❖ Three kinds of objects:
➢ resources (e.g., printers)
➢ services (e.g., email)
➢ users (user accounts and groups)
20/90
❖ The AD
➢ provides information on the objects
➢ organizes the objects
➢ controls access and sets security
❖ Forests, trees, and domains
➢ the logical parts in an AD network
21/90
[Figure 2-4 The structure of Windows forests: the forest root corp.com (the first domain in the forest) with child domains branch.corp.com and secure.corp.com; a second tree rooted at division.com with child domain branch.division.com; two-way transitive trusts throughout the forest]
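What "two-way transitive trusts throughout the forest" means in practice, as an added example that is not part of the lecture slides: a small model of the domains in Figure 2-4 (the parent/child links are read off the drawing; partner.example is a constructed domain outside the forest) derives the trust path between any two domains. The security-relevant reading is that a trust path is also a reachability path for an attacker who has compromised one domain, which is why the forest, not the domain, is the security boundary.

```python
# Added example (not from the lecture slides): model the forest of Figure 2-4 and
# derive which domains trust each other through automatic, transitive, two-way
# trusts. Domain names are those in the figure; "partner.example" is a
# constructed outsider with no trust relationship.
from collections import deque

# Child -> parent domain links, as drawn in Figure 2-4 (assumed from the figure).
PARENT = {
    "branch.corp.com": "corp.com",
    "secure.corp.com": "corp.com",
    "branch.division.com": "division.com",
}
FOREST_ROOT = "corp.com"
# Each additional tree root gets a two-way transitive trust with the forest root.
TREE_ROOTS = ["division.com"]


def forest_trusts():
    """Undirected trust graph that AD creates automatically inside one forest:
    parent<->child trusts plus tree-root<->forest-root trusts, all transitive."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for child, parent in PARENT.items():
        link(child, parent)
    for root in TREE_ROOTS:
        link(root, FOREST_ROOT)
    return graph


def trust_path(graph, src, dst):
    """Breadth-first search over transitive trusts. Returns the list of domains
    traversed from src to dst, or None when no trust path exists."""
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def all_pairs_trust(graph):
    """True iff every domain in the forest can reach every other one via trusts."""
    domains = list(graph)
    return all(trust_path(graph, a, b) is not None for a in domains for b in domains)


if __name__ == "__main__":
    g = forest_trusts()
    print(trust_path(g, "branch.division.com", "secure.corp.com"))
    print(trust_path(g, "branch.division.com", "partner.example"))
    print("every domain trusts every other:", all_pairs_trust(g))
```

The path from branch.division.com to secure.corp.com runs through both roots: child to tree root, tree root to forest root, forest root to child. No explicit trust between the two leaf domains is ever configured; transitivity supplies it, which is exactly what an attacker in the least-protected domain relies on.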