Q. 1
Why is password lockout an effective deterrent to cracking attempts? B
A. Passwords cannot be changed through brute-force methods
B. A limited number of login attempts before lockout reduces the number of guesses the potential
cracker can make
C. Passwords protected in this manner are impossible to find because they are locked out of the main
flow of information on the WAN
D. Password lockout provides no real improvement over traditional locking methods.
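From our network security coursework we have learned how important passwords are. For an attacker to gain full administrative control of a system, he needs to crack the password (there are other ways to obtain administrator privileges, but for now we discuss only passwords). The password-cracking methods hackers commonly use are dictionary and brute-force attacks, and the best-known, most commonly used tool is John the Ripper (free download from www.openwall.com/john/), which can crack Linux shadow passwords and Windows NT/2000 passwords. Once the SAM or shadow file has been obtained, cracking the passwords is only a matter of time. Therefore, to keep hackers from cracking passwords easily, we need to increase password strength (length, complexity) and, more importantly, set a password policy that prevents password guessing. In Windows 2000 we use the account lockout policy to prevent password guessing (mmc --> Add/Remove Snap-in --> Account Policies --> Account Lockout Policy; a locked account is unlocked through the Computer Management tool. Note that after changing the security policy we must run secedit /refreshpolicy machine_policy and secedit /refreshpolicy user_policy for the policy change to take effect!)
Remember: test the strength of the passwords on your system with John before a hacker does.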
Q. 2
Which of the following choices best defines the Windows NT security account manager? B
A. It is the portion of the GINA DLL that controls security
B. It is the database containing the identity of the users and their credentials
C. It is the name of the machine responsible for the management of all the security of the LAN
D. It is the interface that is responsible for logging on and user IDs
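The term security account manager may look unfamiliar, but if you take the trouble to look up what SAM stands for in SAM and SAM.log under C:\WINNT\system32\config, this question is not hard. In fact, Windows authenticates as follows:
Example: the user mytheory wants to log on to the system
Authenticates with account name/password (compared against the SAM database)
mytheory ==========================================================>> WinLogon
| success
|
Receives a token
user: mytheory's SID=S-1-5-21-1229272821-651377827-725345543-1004
Group=Everyone S-1-1-0
|
Allowed
|
File to be viewed ----------------->> ACL (the entries in the access control list are compared to see whether mytheory has permission to view the file)
READ=mytheory S-1-5-21-1229272821-651377827-725345543-1004
WRITE=Administrators S-1-5-32-544
Note: the SAM database serves a function similar to the passwd (or shadow) file in Linux.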
Q. 3
Under the level C2 security classification, what does “discretionary (freely decided) access control” mean? A
A. Discretionary access control means that the owner of a resource must be able to use that resource
B. Discretionary access control is the ability of the system administrator to limit the time any user
spends on a computer
C. Discretionary access control is a policy that limits the use of any resource to a group or a security
profile
D. Discretionary access control is a rule set by the security auditor to prevent others from downloading
unauthorized scripts or programs.
Q. 4
Michel wants to write a computer virus that will cripple UNIX systems. What is going to be the main
obstacle (barrier) preventing him from success? B
A. UNIX computers are extremely difficult to access illicitly over the internet, and therefore computer
viruses are not an issue with UNIX systems
B. Due to the file permission structure and the number of variations in the UNIX hardware architectures, a
virus would have to gain root privileges as well as identify the hardware and UNIX flavor in use.
C. Due to availability of effective free anti-virus tools, computer viruses are caught early and often.
Michel’s virus would have to evade detection for it to succeed.
D. Due to the extensive use of ANSI “C” in the programming of UNIX, the virus would have to mimic
some of the source code used in the infected iteration of the UNIX operating system
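UNIX and UNIX-like systems define users, groups and file ownership clearly. On such systems a program affects only the user who runs it. This differs from Windows, where any program that is run has complete control of the machine and can even read and write the machine's boot sector (MBR). This makes developing viruses for UNIX systems quite difficult. Some proof-of-concept viruses have nevertheless appeared, but they can spread only when run as root (so log in as root only when root privileges are required, and otherwise do not use root). The best-known Internet worm was created in November 1988 by Robert Morris, the son of a US security official.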
Q. 5
Which of the following best describes the problem with share permissions and share points in Windows
NT? D
A. Share points must be the same value as the directory that serves the share point
B. Share points contain permissions; and any file under the share point must possess the same permissions
C. Share permissions are exclusive to root directories and files; they do not involve share points, which
define user permissions
D. Share points are set when connection is established, therefore the static nature of file permissions can
conflict with share points if they are not set with read and write permissions for everyone.
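In Windows NT/2000, when share permissions and NTFS permissions conflict, the most restrictive permission applies. For example, if the share permission on a shared folder is read/write and the NTFS permission is read, the user ends up with read-only access.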
Q. 6
What do the discretionary ACL (access control list) and the system ACL in Windows NT have in
common? A
A. Both share properties for storing object identifiers
B. Both can grant or deny permissions to parts of the system
C. Both are installed by default on the system in different sections of the client/server model
D. Both are responsible for creation of the master access control list
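The Windows NT security subsystem consists of five key components: security identifiers, access tokens, security descriptors, access control lists, and access control entries. These components interact to control what users can do.
Security identifiers
A security identifier (SID) is a statistically unique number assigned to every user, group and computer. Statistically unique means that the chance of two such numbers being identical is extremely small. Each time a new user or group is created, it receives a unique SID. Each time Windows NT finishes installing and starts up, a new SID is also assigned to that computer. A SID identifies a user, group or computer uniquely, not only on one particular computer but also when interacting with other computers. To ensure that SIDs are unique, they are built from a combination of the computer name, the current time, and the CPU time spent by the current user-mode thread. A SID looks like this: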
S-1-5-163499331-18283675290-12989372637-500
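The SID is the foundation of the Windows NT security structure.
Access tokens
Part of the main purpose of the logon process is to assign users an access token after they have been authenticated. An access token consists of the user's SID, the SIDs of the groups the user belongs to, the user name, and the names of the groups the user belongs to. The access token is like an admission ticket that lets the user access computer resources. Whenever a user attempts access, the access token must be presented to Windows NT. Windows NT checks the access token against the access control list of the requested object. If the user is authorized for the object, access is granted with the corresponding permissions. Access tokens are issued only during logon, so once a user's access rights have been changed, the user must log on again to receive an updated access token.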
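Added example, not part of the original notes: a simplified Python model of the checks described above, covering the token issued at logon, the comparison against the ACL, and the rule from Q. 5 that the most restrictive of share and NTFS permissions applies. The function names, the READ/WRITE bit values and the sample SAM entry are assumptions made for illustration; the SIDs are the ones in the diagram for Q. 2.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # simplified rights bits (assumed values for this model)
EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"
MYTHEORY = "S-1-5-21-1229272821-651377827-725345543-1004"

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = allow entry, False = deny entry
    sid: str
    mask: int

def logon(sam, user):
    """Build the access token: a snapshot of the user's SID and group SIDs at logon."""
    entry = sam[user]
    return frozenset({entry["sid"], EVERYONE, *entry["groups"]})

def granted(token, acl, wanted):
    """Walk the entries in order; return the bits of `wanted` the ACL grants this token."""
    got = denied = 0
    for ace in acl:
        if ace.sid not in token:
            continue                      # entry is for a SID the token does not hold
        if ace.allow:
            got |= ace.mask & wanted & ~denied
        else:
            denied |= ace.mask & ~got     # an earlier allow for the same bit wins
    return got                            # bits never allowed are implicitly denied

def effective(token, share_acl, ntfs_acl, wanted=READ | WRITE):
    """Access through a share must pass both checks, so the result is the intersection."""
    return granted(token, share_acl, wanted) & granted(token, ntfs_acl, wanted)

def demo():
    # Constructed sample data modelled on the notes' diagram.
    sam = {"mytheory": {"sid": MYTHEORY, "groups": set()}}
    ntfs = [Ace(True, MYTHEORY, READ), Ace(True, ADMINS, WRITE)]
    share = [Ace(True, EVERYONE, READ | WRITE)]
    old = logon(sam, "mytheory")
    before = effective(old, share, ntfs)        # share read/write, NTFS read
    sam["mytheory"]["groups"].add(ADMINS)       # membership changes after logon
    stale = effective(old, share, ntfs)         # the issued token is unchanged
    fresh = effective(logon(sam, "mytheory"), share, ntfs)
    return before, stale, fresh

if __name__ == "__main__":
    print(demo())
```

The three values returned by demo() are the rights before the group change, with the already-issued token after the change, and after a fresh logon.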