MOF SMFSecurity Administration.docx

1、MOF SMF Security AdministrationSecurity AdministrationService Management FunctionPublished: October 2002Reformatted: January 2005For the latest information, please see The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the da

2、te of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.This document is for informational purpose

3、s only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this document may be reproduced, stored in or introduced into a re

4、trieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), but only for the purposes provided in the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other

5、 intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.Unless otherwis

6、e noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should

7、be inferred. 2005 Microsoft Corporation. All rights reserved.Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective

8、 owners.ContentsExecutive Summary 1Introduction 3Security Administration Overview 5Goals and Objectives 5Scope 6Key Definitions 6Processes and Activities 9Process Flow Summary 9Identification 10Authentication 11Biometric Authentication Systems 11Smart Card Authentication Systems 11Password Authentic

9、ation Systems 12Web Access Authentication 13Access Control 14Authorized Usage Warning 14Accountability and Shared User IDs 14Account Lockout 15Settings to Limit Unauthorized Session Use and Systems Access 15Setting Privileges and Permission on Objects 15Role-based Access Control and Delegation of Au

10、thority 15Confidentiality 17Private Key Encryption 17Public Key Encryption and PKI 19Virtual Private Networks 21File System Confidentiality 26Integrity 26Nonrepudiation 26Auditing 27Planning Auditing 28Implementing Auditing 28Testing Auditing 28Roles and Responsibilities 29Security Manager 29Personn

11、el Security Technician 30Antivirus Technician 30Application Security Technician 30Database Security Technician 30Messaging Security Technician 30Operating System Security Technician 30Hardware Security Technician 30Network Security Technician 31Facilities Security Technician 31Egress Security Techni

12、cian 31Outsourcing Manager 31Security Compliance Auditor 31Relationship to Other SMFs 33System Administration 33Service Monitoring and Control 33Job Scheduling 34Network Administration 34Directory Services Administration 34Storage Management 34Configuration Management 35Availability Management 35Cap

13、acity Management 35Release Management 35Change Management 35Problem Management 36Service Desk 36IT Service Continuity Management 36Workforce Management 36Financial Management 371Executive SummarySecurity administration is the process of maintaining a safe computing environment. Security is an import

14、ant part of enterprise infrastructure: An information system with a weak security foundation will eventually experience a security breach.Security can be divided into six basic requirements, or tenets, that help ensure data confidentiality, integrity, and availability. The six security tenets are: I

15、dentification. This deals with user names and how users identify themselves to the system. Authentication. This deals with passwords, smart cards, biometrics, and so on. Authentication is how users prove to the system that they are who they claim to be. Access control (also called authorization). Th

16、is deals with access and the privileges granted to users so that they may perform certain functions on the system. Confidentiality. This deals with encryption. Confidentiality mechanisms ensure that only authorized people can see data stored on or traveling across the network. Integrity. This deals

17、with checksums and digital signatures. Integrity mechanisms ensure that data is not garbled, lost, or changed when traveling across the network. Nonrepudiation. This is a means of providing proof of data transmission or receipt so that the occurrence of a transaction cannot later be denied.2Introduc

18、tionThis guide provides detailed information about the Security Administration service management function (SMF) for organizations that have deployed, or are considering deploying, Microsoft technologies in a data center or other type of enterprise computing environment. This is one of the more than

19、 20 SMFs defined and described in Microsoft Operations Framework (MOF). The guide assumes that the reader is familiar with the intent, background, and fundamental concepts of MOF as well as the Microsoft technologies discussed.An overview of MOF and its companion, Microsoft Solutions Framework (MSF)

20、, is available in the MOF Service Management Function Overview guide. This guide also provides abstracts of each of the service management functions defined within MOF. Detailed information about the concepts and principles of each of the frameworks is contained in technical papers available at 3Sec

21、urity Administration OverviewSecurity is an important part of system infrastructure. An information system with a weak security foundation will eventually experience a security breach. Examples of security breaches include data loss, data disclosure, loss of system availability, corruption of data,

22、and so forth. Depending on the information system and the severity of the breach, the results could vary from embarrassment, to loss of revenue, to loss of life.Security can be broken up into six requirements, or tenets. All of the tenets are equally important for helping to ensure the confidentiali

23、ty, integrity, and availability of data. The tenets are listed as follows:Identification. Identification is concerned with user names and how users identify themselves to a computer system.Authentication. Authentication is concerned with passwords, smart cards, biometrics, and so forth. Authenticati

24、on is how users demonstrate to the system that they are who they claim to be.Access control (also called authorization). Access control is concerned with access and privileges granted to users so that they may perform certain functions on a computer system.Confidentiality. Confidentiality is concern

25、ed with encryption. Confidentiality mechanisms help ensure that only authorized people can see data stored on or traveling across the network.Integrity. Integrity is concerned with checksums and digital signatures. Integrity mechanisms help ensure that data is not garbled, lost, or changed when trav

26、eling across the network.Nonrepudiation. Nonrepudiation is a means of providing proof of data transmission or receipt so that the occurrence of a transaction cannot later be denied.Another very important aspect of security is auditing. Audit logs may give the only indication that a security breach h

27、as occurred. Or, if the breach is discovered some other way, proper audit settings generate an audit log that can help administrators pinpoint the location and the perpetrator of the breach.Goals and ObjectivesThe primary goals and objectives of security administration are to ensure: Data confidenti

28、ality. No one should be able to view an organizations data without authorization. Data integrity. All authorized users should feel confident that the data presented to them is accurate and not improperly modified. Data availability. Authorized users should be able to access the data they need, when

29、they need it.ScopeSecurity administration is concerned with those aspects of security necessary for helping to create and maintain a safer computing environment: Personnel security. Determining whether employees are properly cleared to handle the data that they access and that adequate checks have b

30、een completed before employees are granted access to a system. Application security. Determining whether business-critical applications are secure from unauthorized access. This includes a means of identifying and authorizing users of the system. Middleware security. Middleware includes messages tha

31、t pass between parts of a service and data that is stored in databases. These must be secured to ensure that data is not viewed, garbled, or modified in any way. Operating system security. The operating system controls access to hardware and provides access to higher-level services such as databases

32、. If the operating system is not secure, then all the systems and services dependent on the operating system can be compromised. Hardware security. Security of the computing hardware, storage media, and print output must be ensured. More than ever, hardware such as portable computers (for example, laptops or notebooks), backup tapes, and smart cards contain or provide access to busine