MOF SMFSecurity Administration.docx
《MOF SMFSecurity Administration.docx》由会员分享,可在线阅读,更多相关《MOF SMFSecurity Administration.docx(36页珍藏版)》请在冰豆网上搜索。
MOFSMFSecurityAdministration
SecurityAdministration
ServiceManagementFunction
Published:
October2002
Reformatted:
January2005
Forthelatestinformation,pleasesee
TheinformationcontainedinthisdocumentrepresentsthecurrentviewofMicrosoftCorporationontheissuesdiscussedasofthedateofpublication.BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationpresentedafterthedateofpublication.
Thisdocumentisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISDOCUMENT.
Complyingwithallapplicablecopyrightlawsistheresponsibilityoftheuser. Withoutlimitingtherightsundercopyright,thisdocumentmaybereproduced,storedinorintroducedintoaretrievalsystem,ortransmittedinanyformorbyanymeans(electronic,mechanical,photocopying,recording,orotherwise),butonlyforthepurposesprovidedintheexpresswrittenpermissionofMicrosoftCorporation.
Microsoftmayhavepatents,patentapplications,trademarks,copyrights,orotherintellectualpropertyrightscoveringsubjectmatterinthisdocument.ExceptasexpresslyprovidedinanywrittenlicenseagreementfromMicrosoft,thefurnishingofthisdocumentdoesnotgiveyouanylicensetothesepatents,trademarks,copyrights,orotherintellectualproperty.
Unlessotherwisenoted,theexamplecompanies,organizations,products,domainnames,e-mailaddresses,logos,people,places,andeventsdepictedhereinarefictitious,andnoassociationwithanyrealcompany,organization,product,domainname,emailaddress,logo,person,place,oreventisintendedorshouldbeinferred.
©2005MicrosoftCorporation.Allrightsreserved.
MicrosoftandWindowsareeitherregisteredtrademarksortrademarksofMicrosoftCorporationintheUnitedStatesand/orothercountries.
Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.
Contents
ExecutiveSummary1
Introduction3
SecurityAdministrationOverview5
GoalsandObjectives5
Scope6
KeyDefinitions6
ProcessesandActivities9
ProcessFlowSummary9
Identification10
Authentication11
BiometricAuthenticationSystems11
SmartCardAuthenticationSystems11
PasswordAuthenticationSystems12
WebAccessAuthentication13
AccessControl14
AuthorizedUsageWarning14
AccountabilityandSharedUserIDs14
AccountLockout15
SettingstoLimitUnauthorizedSessionUseandSystemsAccess15
SettingPrivilegesandPermissiononObjects15
Role-basedAccessControlandDelegationofAuthority15
Confidentiality17
PrivateKeyEncryption17
PublicKeyEncryptionandPKI19
VirtualPrivateNetworks21
FileSystemConfidentiality26
Integrity26
Nonrepudiation26
Auditing27
PlanningAuditing28
ImplementingAuditing28
TestingAuditing28
RolesandResponsibilities29
SecurityManager29
PersonnelSecurityTechnician30
AntivirusTechnician30
ApplicationSecurityTechnician30
DatabaseSecurityTechnician30
MessagingSecurityTechnician30
OperatingSystemSecurityTechnician30
HardwareSecurityTechnician30
NetworkSecurityTechnician31
FacilitiesSecurityTechnician31
EgressSecurityTechnician31
OutsourcingManager31
SecurityComplianceAuditor31
RelationshiptoOtherSMFs33
SystemAdministration33
ServiceMonitoringandControl33
JobScheduling34
NetworkAdministration34
DirectoryServicesAdministration34
StorageManagement34
ConfigurationManagement35
AvailabilityManagement35
CapacityManagement35
ReleaseManagement35
ChangeManagement35
ProblemManagement36
ServiceDesk36
ITServiceContinuityManagement36
WorkforceManagement36
FinancialManagement37
1
ExecutiveSummary
Securityadministrationistheprocessofmaintainingasafecomputingenvironment.Securityisanimportantpartofenterpriseinfrastructure:
Aninformationsystemwithaweaksecurityfoundationwilleventuallyexperienceasecuritybreach.
Securitycanbedividedintosixbasicrequirements,ortenets,thathelpensuredataconfidentiality,integrity,andavailability.Thesixsecuritytenetsare:
∙Identification.Thisdealswithusernamesandhowusersidentifythemselvestothesystem.
∙Authentication.Thisdealswithpasswords,smartcards,biometrics,andsoon.Authenticationishowusersprovetothesystemthattheyarewhotheyclaimtobe.
∙Accesscontrol(alsocalledauthorization).Thisdealswithaccessandtheprivilegesgrantedtouserssothattheymayperformcertainfunctionsonthesystem.
∙Confidentiality.Thisdealswithencryption.Confidentialitymechanismsensurethatonlyauthorizedpeoplecanseedatastoredonortravelingacrossthenetwork.
∙Integrity.Thisdealswithchecksumsanddigitalsignatures.Integritymechanismsensurethatdataisnotgarbled,lost,orchangedwhentravelingacrossthenetwork.
∙Nonrepudiation.Thisisameansofprovidingproofofdatatransmissionorreceiptsothattheoccurrenceofatransactioncannotlaterbedenied.
2
Introduction
ThisguideprovidesdetailedinformationabouttheSecurityAdministrationservicemanagementfunction(SMF)fororganizationsthathavedeployed,orareconsideringdeploying,Microsoft®technologiesinadatacenterorothertypeofenterprisecomputingenvironment.Thisisoneofthemorethan20SMFsdefinedanddescribedinMicrosoftOperationsFramework(MOF).Theguideassumesthatthereaderisfamiliarwiththeintent,background,andfundamentalconceptsofMOFaswellastheMicrosofttechnologiesdiscussed.
AnoverviewofMOFanditscompanion,MicrosoftSolutionsFramework(MSF),isavailableintheMOFServiceManagementFunctionOverviewguide.ThisguidealsoprovidesabstractsofeachoftheservicemanagementfunctionsdefinedwithinMOF.Detailedinformationabouttheconceptsandprinciplesofeachoftheframeworksiscontainedintechnicalpapersavailableat
3
SecurityAdministrationOverview
Securityisanimportantpartofsysteminfrastructure.Aninformationsystemwithaweaksecurityfoundationwilleventuallyexperienceasecuritybreach.Examplesofsecuritybreachesincludedataloss,datadisclosure,lossofsystemavailability,corruptionofdata,andsoforth.Dependingontheinformationsystemandtheseverityofthebreach,theresultscouldvaryfromembarrassment,tolossofrevenue,tolossoflife.
Securitycanbebrokenupintosixrequirements,ortenets.Allofthetenetsareequallyimportantforhelpingtoensuretheconfidentiality,integrity,andavailabilityofdata.Thetenetsarelistedasfollows:
Identification.Identificationisconcernedwithusernamesandhowusersidentifythemselvestoacomputersystem.
Authentication.Authenticationisconcernedwithpasswords,smartcards,biometrics,andsoforth.Authenticationishowusersdemonstratetothesystemthattheyarewhotheyclaimtobe.
Accesscontrol(alsocalledauthorization).Accesscontrolisconcernedwithaccessandprivilegesgrantedtouserssothattheymayperformcertainfunctionsonacomputersystem.
Confidentiality.Confidentialityisconcernedwithencryption.Confidentialitymechanismshelpensurethatonlyauthorizedpeoplecanseedatastoredonortravelingacrossthenetwork.
Integrity.Integrityisconcernedwithchecksumsanddigitalsignatures.Integritymechanismshelpensurethatdataisnotgarbled,lost,orchangedwhentravelingacrossthenetwork.
Nonrepudiation.Nonrepudiationisameansofprovidingproofofdatatransmissionorreceiptsothattheoccurrenceofatransactioncannotlaterbedenied.
Anotherveryimportantaspectofsecurityisauditing.Auditlogsmaygivetheonlyindicationthatasecuritybreachhasoccurred.Or,ifthebreachisdiscoveredsomeotherway,properauditsettingsgenerateanauditlogthatcanhelpadministratorspinpointthelocationandtheperpetratorofthebreach.
GoalsandObjectives
Theprimarygoalsandobjectivesofsecurityadministrationaretoensure:
∙Dataconfidentiality.Nooneshouldbeabletoviewanorganization’sdatawithoutauthorization.
∙Dataintegrity.Allauthorizedusersshouldfeelconfidentthatthedatapresentedtothemisaccurateandnotimproperlymodified.
∙Dataavailability.Authorizedusersshouldbeabletoaccessthedatatheyneed,whentheyneedit.
Scope
Securityadministrationisconcernedwiththoseaspectsofsecuritynecessaryforhelpingtocreateandmaintainasafercomputingenvironment:
∙Personnelsecurity.Determiningwhetheremployeesareproperlyclearedtohandlethedatathattheyaccessandthatadequatecheckshavebeencompletedbeforeemployeesaregrantedaccesstoasystem.
∙Applicationsecurity.Determiningwhetherbusiness-criticalapplicationsaresecurefromunauthorizedaccess.Thisincludesameansofidentifyingandauthorizingusersofthesystem.
∙Middlewaresecurity.Middlewareincludesmessagesthatpassbetweenpartsofaserviceanddatathatisstoredindatabases.Thesemustbesecuredtoensurethatdataisnotviewed,garbled,ormodifiedinanyway.
∙Operatingsystemsecurity.Theoperatingsystemcontrolsaccesstohardwareandprovidesaccesstohigher-levelservicessuchasdatabases.Iftheoperatingsystemisnotsecure,thenallthesystemsandservicesdependentontheoperatingsystemcanbecompromised.
∙Hardwaresecurity.Securityofthecomputinghardware,storagemedia,andprintoutputmustbeensured.Morethanever,hardwaresuchasportablecomputers(forexample,laptopsornotebooks),backuptapes,andsmartcardscontainorprovideaccesstobusine