Alternative UPN Suffixes


Advanced Windows Security:
User Accounts
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker |
CHFI: Computer Hacking Forensic Investigator
[email protected] | www.sevecek.com |
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Local and domain user accounts
Advanced Windows Security
Local User Accounts
 Stored in the local registry (the SAM hive)
• HKLM\SAM\SAM\Domains\Account\Users
 Password stored as an unsalted MD4 hash (the NT hash: MD4 over the UTF-16LE password)
• can additionally be stored in a recoverable (cleartext-equivalent) form
• Policy: Store passwords using reversible encryption
 Can enforce password complexity and history
• Policy: Password must meet complexity requirements
• Policy: Enforce password history
 Single logon name: COMPUTER\username
Domain User Accounts
 Stored in the Active Directory database (NTDS.dit)
 Password stored as an unsalted MD4 (NT) hash
• additionally an MD5 Digest (WDigest) hash since Windows Server 2003
• additionally AES Kerberos keys (derived with PBKDF2-HMAC-SHA-1) since Windows Server 2008
 Two logon names
• user principal name ([email protected])
• SAM account name (GPS\kamil)
 Can enforce password policies
• domain-wide using Group Policy (Default Domain Policy)
• per user/group using fine-grained (granular) password policies (Windows Server 2008 and later)
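The following is an added example, not a slide from the original deck: it audits the three places the two slides above name where a domain may end up keeping recoverable passwords or weak policy, namely the domain default, fine-grained policies (PSOs), and the per-account userAccountControl bit. It assumes the ActiveDirectory RSAT module and a domain-joined session; the user name `kamil` is taken from the slides' sample logon name and is an assumption.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module (RSAT) and credentials that can read the domain. 'kamil' is the
# slides' sample user and is only an assumed value here.
Import-Module ActiveDirectory

# 1) Domain-wide policy: what the Default Domain Policy actually applies.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    Scope                = 'Domain default'
    ReversibleEncryption = $domainPolicy.ReversibleEncryptionEnabled
    ComplexityEnabled    = $domainPolicy.ComplexityEnabled
    HistoryCount         = $domainPolicy.PasswordHistoryCount
    MinLength            = $domainPolicy.MinPasswordLength
    MaxAge               = $domainPolicy.MaxPasswordAge
    AppliesTo            = '(everyone without a PSO)'
}

# 2) Fine-grained (granular) password policies: one PSO per user/group set.
#    The lowest Precedence wins when several PSOs apply to the same user.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Scope                = "PSO '$($_.Name)' (precedence $($_.Precedence))"
        ReversibleEncryption = $_.ReversibleEncryptionEnabled
        ComplexityEnabled    = $_.ComplexityEnabled
        HistoryCount         = $_.PasswordHistoryCount
        MinLength            = $_.MinPasswordLength
        MaxAge               = $_.MaxPasswordAge
        AppliesTo            = ($_.AppliesTo -join '; ')
    }
}

# 3) The policy that wins for one specific user (null means the domain default).
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'kamil'
if ($resultant) { "kamil gets PSO '$($resultant.Name)'" } else { 'kamil gets the domain default' }

# 4) Per-account override: userAccountControl bit 0x80
#    (ENCRYPTED_TEXT_PWD_ALLOWED) makes the DC keep the password in recoverable
#    form from the next password change on, regardless of the policies above.
#    Every hit here should have a documented reason (typically CHAP/Digest).
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl, PasswordLastSet |
    Select-Object SamAccountName, UserPrincipalName, PasswordLastSet,
        @{ n = 'ReversibleAllowed'; e = { ($_.userAccountControl -band 0x80) -ne 0 } }
```

The per-account check matters because the attribute flag is what the DC honours on the next password change; clearing the policy alone does not clear the flag on accounts where it was set directly, and neither change removes an already stored recoverable password until that user changes it.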
Logon Names
 User Principal Name ([email protected])
• userPrincipalName attribute
• up to 64 characters
• configurable UPN suffixes
• must be unique forest-wide
 SAM Account Name (GPS\kamil)
• sAMAccountName attribute
• up to 20 characters
• always bound to the NetBIOS domain name
Alternative UPN Suffixes
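As an added example (not the original demo), the script below registers an alternative UPN suffix on the forest, checks forest-wide uniqueness of the resulting UPN against a global catalog before writing it, and shows the two logon names the user then has. The suffix `gopas.cz` and the user `kamil` are assumed values taken from the slides' sample logon names; it needs the ActiveDirectory module and rights to modify the forest Partitions container.

```powershell
# Added example (not from the original slides). 'gopas.cz' and 'kamil' are
# assumed values; replace them with your own suffix and user.
Import-Module ActiveDirectory

$suffix = 'gopas.cz'
$user   = 'kamil'

# 1) Alternative UPN suffixes are a forest-level setting (stored on the
#    Partitions container), so one registration serves every domain.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $suffix }
}

# 2) The UPN must be unique across the whole forest, but Get-ADUser searches
#    only the current domain. A global catalog (port 3268) carries
#    userPrincipalName for every domain, so check there before writing.
$adUser = Get-ADUser -Identity $user
$upn    = "$user@$suffix"
$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$clash  = Get-ADObject -Server "$($gcHost):3268" -LDAPFilter "(userPrincipalName=$upn)" |
              Where-Object DistinguishedName -ne $adUser.DistinguishedName
if ($clash) {
    throw "UPN $upn is already used by $($clash.DistinguishedName -join ', ')"
}

# 3) Write the new UPN. The sAMAccountName is untouched: it stays bound to the
#    NetBIOS domain name and its 20-character limit is independent of the UPN.
Set-ADUser -Identity $adUser -UserPrincipalName $upn
$adUser = Get-ADUser -Identity $user
if ($adUser.SamAccountName.Length -gt 20) { throw 'sAMAccountName longer than 20 characters' }

# 4) Both names now log the same account on.
[pscustomobject]@{
    UserPrincipalName = $adUser.UserPrincipalName
    SamAccountLogon   = "$((Get-ADDomain).NetBIOSName)\$($adUser.SamAccountName)"
}
```

Run the uniqueness query against the GC rather than a domain DC: a duplicate UPN in a sibling domain is exactly the case a domain-local search misses, and a user with a duplicated UPN cannot log on with it.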
Account vs. Password Expiration
 Password expiration
• after the time configured by policy (maximum password age)
• or when "User must change password at next logon" is set
• in fact the user cannot log on until the password is changed
 and may not be able to change it remotely over VPN or from web applications that offer no password-change dialog
• does not affect smart card logon
 Account expiration
• cannot log on after a specific time regardless of password validity
• affects smart card logon as well
Account vs. Password Expiration
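As an added example (not the original demo), this report lists every enabled user with the two expirations the slide contrasts side by side, and from them derives whether a password logon and a smart card logon would still succeed. It assumes the ActiveDirectory module; the password expiry is read from the DC-computed attribute so that fine-grained policies are honoured without re-implementing the policy lookup.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module; run on a domain-joined machine with read access to user objects.
Import-Module ActiveDirectory

$now   = Get-Date
$props = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed',
         'AccountExpirationDate', 'SmartcardLogonRequired', 'PasswordNeverExpires'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    # pwdLastSet = 0 is the "User must change password at next logon" checkbox:
    # any password logon is forced into a change first, so it is effectively expired.
    $mustChange = ($_.pwdLastSet -eq 0)

    # The DC computes this FILETIME from pwdLastSet and whichever policy applies
    # to this user (domain default or PSO). Int64.MaxValue means "never";
    # 0 accompanies pwdLastSet = 0 and is treated as "expired now".
    $raw        = $_.'msDS-UserPasswordExpiryTimeComputed'
    $pwdExpires = if ($raw -and $raw -ne [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    $pwdExpired  = $mustChange -or ($pwdExpires -and $pwdExpires -lt $now)
    $acctExpired = [bool]($_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now)

    [pscustomobject]@{
        User              = $_.SamAccountName
        MustChangePwd     = $mustChange
        PasswordExpires   = $pwdExpires
        PasswordExpired   = $pwdExpired
        AccountExpires    = $_.AccountExpirationDate
        AccountExpired    = $acctExpired
        SmartcardRequired = $_.SmartcardLogonRequired
        # Password expiry blocks only password logons; account expiry blocks both.
        PasswordLogonOK   = -not ($pwdExpired -or $acctExpired)
        SmartcardLogonOK  = -not $acctExpired
    }
} | Sort-Object AccountExpires, PasswordExpires | Format-Table -AutoSize
```

Reading `msDS-UserPasswordExpiryTimeComputed` instead of adding the domain maximum age to `pwdLastSet` is deliberate: a user covered by a PSO would otherwise be reported with the wrong expiry, which is exactly the mistake a VPN or web front end makes when it cannot offer a password change and simply rejects the logon.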
Thank you for your attention