📄 8-1.htm
字号:
lang=EN-US><span style='mso-spacerun:yes'> </span>1. 安全特性</span></span></h4>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>为用户提供了一套广泛的安全性防卫措施,以确保系统能够阻止非法访问、故意破坏和错误操作等的侵害。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>(1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>安全区域</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>在计算机领域,网络操作系统的安全性定义为用来阻止未授权用户的使用、访问、修改或毁坏,也就是对客户的信息进行保密,以防止他人的窥视和破坏。通常所说的数据安全大部分是指数据在网络上的安全。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>如果将网络按区域划分,可分为</span><span lang=EN-US>4</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>大区域。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>本地企业网区域:该区域包括不需要代理服务器的地址,其中包含的地址由系统管理员用</span><span
lang=EN-US>Internet Explorer</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>管理工具包定义。本地企业网区域的默认安全级为中级。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>可信站点区域:该区域包含可信的站点,即可以直接从该站点下载或运行文件而不用担心会危害到用户的计算机或数据的安全,因此用户可以将某些站点分配到该区域。可信站点区域的默认安全级为低级。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>3) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>受限站点区域:该区域包括不可信站点,即不能确认下载或运行程序是否会危害到用户的计算机或数据,用户也可以将某些站点分配到该区域。受限站点区域的默认安全级别为高级。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>4) Internet</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>区域:在默认情况下,该区域包括用户的计算机或</span><span lang=EN-US>Internet</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>上的全部站点,</span><span
lang=EN-US>Internet</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>区域的默认安全级别为中级。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>另外,本地计算机上所有文件都认为是安全的,不需进行安全设置。这样,打开和运行本机上的文件和程序时不会出现任何提示,而且用户也无法将本机上的文件夹或驱动器分配到所谓安全区域。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>(2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>安全模型</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>安全模型的主要特性是用户验证和访问控制。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>用户验证:它检查尝试登录到域或访问网络资源的所有用户的身份。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>基于对象的访问控制:允许管理员控制对网络中资源或对象的访问。管理员通过对存储在活动目录中的对象指定安全描述符的方式来执行访问控制。安全描述符将列出获得访问许可权限的用户和组以及指定给这些用户和组的特殊权限。安全描述符还指定了针对对象审核的各类访问事件,对象实例包括文件、打印机和服务等。通过管理对象属性,管理员可以设置权限、指定所有权和监视用户访问。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>3) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>活动目录和安全性:活动目录通过使用对象的访问控制和用户凭据提供用户账户和组信息的保护存储。由于活动目录不仅存储用户凭据,还包括访问控制信息,所以登录到网络的用户可同时获得访问系统资源的验证和授权。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>(3) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>公用密钥</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>公用密钥加密技术是保证认证和完整性的安全质量最高的加密方法,是用来确定某一特定电子文档,确认其是否来自于某一特定客户机的最佳系统。公用密钥基本系统简称</span><span
lang=EN-US>DKI</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>,是一个进行数字认证、证书授权和其他注册授权的系统。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>通过公用系统密钥基本体系,管理员验证访问信息人员的身份,并在验证身份的前提下控制其访问信息的范围,在组织中方便安全地分配和管理识别凭据等安全问题。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>公用密钥基本体系的组件包括:</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>证书:一个由权威部门颁布的电子声明,其作用在于担保证书持有者的身份,证书将公用密码与持有相应私有密钥的个人、机器或服务的身份绑定在一起,供各种公用密钥安全服务和应用程序使用,并在诸如</span><span
lang=EN-US> Internet</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>等非安全网上提供验证数据完整性和安全通信的程序。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>智能卡支持:</span><span lang=EN-US>Windows</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>支持智能卡上的证书登录,同时还支持使用智能卡存储用户上网证书、安全</span><span
lang=EN-US>E-Mail</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>和其他与公用密钥密码活动相关的证书。智能卡是一种为一系列任务提供安全解决方案的方法,其中包括了客户机验证、登录到</span><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>域、代码签名和保护</span><span lang=EN-US>E-Mail</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>等安全机制。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>3) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>公用密钥策略:公用密钥策略可使用</span><span lang=EN-US>Windows</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>的组策略向计算机自动颁发证书,建立证书信任列表和公用委托证书颁发机构,此外还可以管理加密文件系统的恢复策略。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>(4) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>数据保护</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>数据的保密性和完整性从网络验证开始,用户可以使用正确的凭据登录到网络,并在该过程中获得访问存储数据的权限。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>支持两种数据保护类型——存储数据和网络数据:</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>存储数据保护:用户可以使用加密文件系统</span><span lang=EN-US> (EFS) </span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>和数字签名方法存储数据。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>网络数据保护:站点内的网络数据由验证协议保护。用户可以用来保护传入和传出站点网络数据的实用工具包括:</span><span
lang=EN-US style='color:black'>IP Security</span></span><span style='mso-bookmark:
_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:"Times New Roman";
mso-hansi-font-family:"Times New Roman";color:black'>、路由和远程访问、代理服务器。</span><span
lang=EN-US style='color:black'><o:p></o:p></span></span></p>
<h4><span style='mso-bookmark:_Toc16587483'><a name="_2._账户和组的安全性"></a><span
lang=EN-US><span style='mso-spacerun:yes'> </span>2. 账户和组的安全性</span></span></h4>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>在</span><span lang=EN-US>Windows</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>计算机上建立安全体系需要一个管理员。管理员为访问</span><span
lang=EN-US>Windows</span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>计算机的用户建立账户,否则此用户将无法对网络进行访问。建立了账户的用户其使用权限和特权都由他所在的组决定。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>在域内建立安全体系需要域管理员。域管理员首先需要为用户和计算机建立账户,然后把用户和计算机进行分组并放入账户数据库中。域管理员还可以选择哪一个组被包括进哪一个安全策略之中,并将这些操作的结果放进安全策略数据库。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>在</span><span lang=EN-US>Windows 2000</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>中,组内可以包含任何用户、计算机和组账户,而不用顾及这些用户和账户在域目录中的什么位置。另外,动态目录服务把域详细地划分成组织单元</span><span
lang=EN-US> (OU) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>,分别管理域中的一些用户、计算机、组、文件和打印机等资源对象。</span></span></p>
<h4><span style='mso-bookmark:_Toc16587483'><a name="_3._域的安全性"></a><span
lang=EN-US><span style='mso-spacerun:yes'> </span>3. 域的安全性</span></span></h4>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>域在活动目录中是用来定义安全边界的。活动目录由一个或多个域组成。每个域均拥有与其他域相关的安全策略和安全关系。域提供以下便利:</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>1) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>两个不同域的安全策略和设置</span><span lang=EN-US> (</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>诸如管理权限和访问控制列表</span><span
lang=EN-US>) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>不能相互交叉。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>2) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>分派管理权限消除了需要大量具有广泛管理权限的管理员的必要。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>3) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>将对象分成不同的组放入域中有助于在网络中反映公司的组织结构。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
lang=EN-US>4) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>每个域只存储有关该域中对象的信息。活动目录可通过拆分目录信息的存储组织扩展成数量庞大的对象。</span></span></p>
<p class=MsoNormal style='text-indent:21.0pt'><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>域通常分为两种类型:主域</span><span lang=EN-US> (</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
"Times New Roman";mso-hansi-font-family:"Times New Roman"'>存储用户和组账户</span><span
lang=EN-US>) </span></span><span style='mso-bookmark:_Toc16587483'><span
style='font-family:宋体;mso-ascii-font-family:"Times New Roman";mso-hansi-font-family:
"Times New Roman"'>和资源域</span><span lang=EN-US> (</span></span><span
style='mso-bookmark:_Toc16587483'><span style='font-family:宋体;mso-ascii-font-family:
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -