Security Management Tools
Tools in this category are used to manage the following Windows features:
➢ Access control
➢ Authentication
➢ Encrypting File System
➢ Public Key Infrastructure
➢ Software restriction policies
➢ Windows Time service
Access Control
Access control is the ability to permit or deny the use of a particular resource
by a particular entity. Access control mechanisms can be used in managing physical
resources (such as a movie theater, to which only ticketholders should be admitted),
logical resources (a bank account, with a limited number of people authorized to
make a withdrawal), or digital resources (for example, a private text document on a
computer, which only certain users should be able to read).
Item control or electronic key management is an
area within (and possibly integrated with) an access control system which
concerns the managing of possession and location of small assets or physical
(mechanical) keys.
Access control models used by current systems
tend to fall into one of two classes: those based on capabilities and those
based on access control lists (ACLs). In a capability-based model, holding an
unforgeable reference or capability
to an object provides access to the object (roughly analogous to how possession
of your house key grants you access to your house); access is conveyed to
another party by transmitting such a capability over a secure channel. In an
ACL-based model, a subject’s access to an object depends on whether its
identity is on a list associated with the object (roughly analogous to how a
bouncer at a private party would check your ID to see if your name is on the
guest list); access is conveyed by editing the list. (Different ACL systems
have a variety of different conventions regarding who or what is responsible
for editing the list and how it is edited.)
Both capability-based and ACL-based models have
mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is
itself modeled as a subject).
Access control systems provide the essential
services of identification and authentication (I&A), authorization,
and accountability, where:
➢ Identification and authentication determine who can log on to a system, and
the association of users with the software subjects that they are able to
control as a result of logging in;
➢ Authorization determines what a subject can do;
➢ Accountability identifies what a subject (or all subjects associated with a
user) did.
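The two models described above, together with the authorization and accountability services, as an added Python example that is not code from the original page: the ACL class, the HMAC-backed capability issuer, and the Finance group and spreadsheet names are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

class AclResource:
    """ACL-based model: access depends on whether the subject (or one of its groups) is listed."""
    def __init__(self, groups):
        self.groups = groups  # group -> set of member users; the group is itself a subject
        self.acl = {}         # subject (user or group) -> set of rights
        self.audit = []       # accountability: (user, right, decision) for every check
    def grant(self, subject, right):
        self.acl.setdefault(subject, set()).add(right)
    def revoke(self, subject, right):
        self.acl.get(subject, set()).discard(right)
    def subjects_for(self, user):
        return {user} | {g for g, m in self.groups.items() if user in m}  # user plus its groups
    def check(self, user, right):
        allowed = any(right in self.acl.get(s, ()) for s in self.subjects_for(user))
        self.audit.append((user, right, allowed))
        return allowed

class CapabilityIssuer:
    """Capability-based model: an unforgeable token naming object and right grants access
    to whoever holds it; access is conveyed by handing the token on, not by editing a list."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer secret that makes tokens unforgeable
    def mint(self, obj, right):
        msg = f"{obj}:{right}".encode()
        return msg + hmac.new(self._key, msg, hashlib.sha256).digest()
    def check(self, cap, obj, right):
        msg, tag = cap[:-32], cap[-32:]  # SHA-256 tag is the last 32 bytes
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        # constant-time tag check, then confirm the token is for this object and right
        return hmac.compare_digest(tag, expected) and msg == f"{obj}:{right}".encode()

def demo():
    # Constructed sample data: one Finance group and one spreadsheet.
    payroll = AclResource({"Finance": {"alice", "bob"}})
    payroll.grant("Finance", "read")
    payroll.grant("alice", "write")
    issuer = CapabilityIssuer()
    cap = issuer.mint("payroll.xlsx", "read")  # whoever holds this can read
    forged = cap[:-1] + bytes([cap[-1] ^ 1])   # tampered copy: tag no longer matches
    return {"bob_read": payroll.check("bob", "read"),
            "bob_write": payroll.check("bob", "write"),
            "carol_read": payroll.check("carol", "read"),
            "cap_read": issuer.check(cap, "payroll.xlsx", "read"),
            "cap_write": issuer.check(cap, "payroll.xlsx", "write"),
            "forged": issuer.check(forged, "payroll.xlsx", "read"),
            "audit": payroll.audit}
```

The audit list is the accountability record: it names the user, not the group, even when access was granted through group membership.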
Authentication
Authenticators are commonly based on at least
one of these four factors:
➢ Something one knows, such as a password or a personal identification number
(PIN). This assumes that only the owner of the account knows the password or
PIN needed to access the account.
➢ Something one has, such as a smart card or security token. This assumes that
only the owner of the account has the necessary smart card or token needed to
unlock the account.
➢ Something one is, such as fingerprint, voice, retina, or iris
characteristics.
➢ Where one is, for example inside or outside a company firewall, or proximity
of the login location to a personal GPS device.
Encrypting File System
The Encrypting File System (EFS) is a file
system driver that provides file system-level encryption in Microsoft Windows
(2000 and later) operating systems, except Windows XP Home Edition, Windows
Vista Basic, and Windows Vista Home Premium. The technology enables files to be
transparently encrypted on NTFS file systems to protect confidential data from
attackers with physical access to the computer.
User authentication and access control lists
can protect files from unauthorized access while the operating system is running,
but are easily circumvented if an attacker gains physical access to the
computer. One solution is to store the files encrypted on the disks of the
computer. EFS does this using public key cryptography, and aims to ensure that
decrypting the files is extremely difficult without the correct key. However,
EFS is in practice susceptible to brute force attacks against the user account
passwords. In other words, encryption of files is only as strong as the
password to unlock the decryption key.