Larry Lieberman
NT Support Engineer
Premier Enterprise Support
Microsoft Corporation





Active Directory
Microsoft DNS
Distributed Security
System Management




Architecture
Components
Planning AD Design






X.500 derived data model
Directory stored schema
Windows 2000 Trusted Computing
Base security model
Delegated Administration Model
DNS integration







Objects
Organizational Units (OUs)
Domains
Sites
Trees & Forests
Global Catalog

Objects
Attributes
Object
Class
An object instance is created in the
Directory
Defined in the schema
Directory
Object
Data storage is allocated as necessary

Object Access ACEs can apply to specific attributes
ACE
ACL
Directory
Object
Sales Managers read access
 Access to directory objects is controlled via Access Control Lists
(ACLs)
 Fine granularity is provided by Access
Control Entries (ACEs) that apply to specific attributes

Organizing the Directory
 A hierarchy of objects can be created using Organizational Units (OUs)
 Although OUs are the primary containers used to create the hierarchy, all directory objects are potential containers ou ou ou ou ou ou ou ou
Deep or flat structure?
ou ou

OUs
Sales Managers read access UK Users
Read Volume objects
ACL
UK User Admins
Create Users
OU
ACL
ACL
ACL
Location1 Admins
Reset passwords
Inheritable ACLs
 OU security provides the mechanism for controlling object visibility and delegating administration

Domains
Directory hosted on all DCs
Sites
Schema
Configuration
Domain directory


One or more domain controllers
Multi-master replication
 One or more sites

Intra-site replication
Sites automatically configured
Schedule Inter-site replication
One or more subnets
One or more subnets


Controls Active Directory replication
Site knowledge used



Logon locator
Printer locator and pruner
Dfs and more

Trees And Forests


Configuration and schema common to all domains
Transitive trusts link domains

Boundaries




Replication
Administration
Security Policy
Group Policy

Global Catalog
GC
Partial replica of all domain objects
Hosted on one or more DCs


Enterprise wide searches
Resolves enterprise queries

Considerations
 Defining a logical hierarchy of resources






Administrative architectures
Allocation of physical resources and budget
Current infrastructure and upgrade strategies
Data availability requirements
Network bandwidth
Politics

One Or More Forests
 All domains in a forest share a common schema and global catalog
 Create multiple forests if:



Separate schemas are required
One or more domains are required to be isolated from the spanning tree of transitive trusts
Total administrative autonomy is required

Domain Structure
 Where possible use a single domain


Use OUs to delegate administration
Use sites to tune replication
 Use multiple domains when there is a requirement for



Scalability across WANs
Autonomous administrative entities
Different security account policies
 password, lockout and Kerberos ticket

Multiple Domains(1/3)


Containment of network traffic


Directory replication
Policies (FRS)
In-place upgrades from
Windows NT domains



Autonomous divisions with separate names
No technical reasons, only politics
Names are not important

Multiple Domains(2/3)
 Each domain has an incremental overhead


Increased administration
Increased hardware
 Separate DCs are required for each domain
 Try to avoid creating divisional or departmental domains for purely political reasons
 Change is inevitable, they are easy to create and hard to retire

Multiple Domains(3/3)


Separate the production forest from development and testing
 Prevents unwanted schema changes propagating through the enterprise
Create a separate forest to restrict access for business partners




Windows 2000 DNS Requirements
MS DNS Features
DNS Design



A DNS server that is authoritative for a
Windows 2000 domain MUST support
SRV records (RFC 2052)
It also should support dynamic updates (RFC 2136)
 The NETLOGON service on the domain controller automatically registers all of the domain services and the site that it supports






Active Directory integration
Dynamic Update
Aging
Administrative tools
Caching resolver

Active Directory Integration
 AD-integrated DNS zone is multi-master

Active Directory integration
1) Receive update
2) Write to ADS
4) Read from
ADS
ADS
DNS
3) ADS replicates
ADS
DNS
“Primary” zones

Active Directory integration
 AD-integrated DNS zone is multi-master


High availability of write, as well as read
Doesn’t require separate from
AD replication

Active Directory integration



ADS replication is loosely consistent
Name-level collision
 Two hosts create same name simultaneously (first writer wins)
Attribute-level collision
 Two hosts modify A RRset for microsoft.com simultaneously (lastwriter wins)

Dynamic Update




Based on RFC 2136
Client discovers primary server for the zone where the record should be added/deleted
Client sends a dynamic update package to the primary server
Primary server processes the update

Dynamic Update
 Windows 2000 computer registers


A RR with:


Hostname.PrimaryDnsSuffix (default) and
Hostname.AdapterSpecificDnsSuffix
(if configured)
PTR RR if adapter is not DHCP configured or DHCP server doesn’t support DNS RR registration

Dynamic Update


Windows 2000 DHCP server registers
(based on draft-ietf-dhc-dhcp-dns-*.txt)
 PTR records on behalf of upgraded clients (default)


A and PTR records on behalf of downlevel clients (default)
A and PTR records on behalf of upgraded clients (if configured)
Windows 2000 DHCP server removes records that it registered upon lease expiration

Secure Dynamic Update




Based on draft-skwan-gss-tsig-04.txt
Available only on AD-integrated zones
Per -zone and -name granularity
ACL on each zone and name

Aging/Scavenging


Enables deletion of the stale records in AD-integrated zones
Requires periodic refreshes of the records

Caching Resolver


Windows 2000 service




Caches RRs according to TTL
Negative caching
Tracks transient/PnP adapters
Reorders servers according to responsiveness
Fewer round-trips, fewer timeouts, faster response time

To support DC locator


DNS server authoritative for the DC records MUST support SRV RRs
Support for Dynamic Updates is recommended

 Delegate a DNS zone for each AD domain to the DNS servers running on the DCs in that AD domain

corp.example.com
Zones:
Primary ADint “corp.example.com”

corp.example.com
Zones:
Primary ADint “corp.example.com”
Domain1.corp.example.com
Zones:
Primary ADint “Domain1.corp.example.com”



Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
Install a DNS server on at least two
DCs in each AD domain and one DC in each site

corp.example.com
Zones:
Primary ADint “corp.example.com”
Domain1.corp.example.com
Site1 Site2 Site3
Zones:
Primary ADint “Domain1.corp.example.com”




Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
Install a DNS server on at least two
DCs in each AD domain and one DC in each site
If different sites in the forest are connected over slow link, delegate the zone “_msdcs.<ForestName>” and make at least one DNS server in every site secondary for this zone

corp.example.com
Zones:
Primary ADint “corp.example.com”
Primary ADint “_msdcs.corp.example.com.”
Domain1.corp.example.com
Site1 Site2 Site3
Zones:
Primary ADint “Domain1.corp.example.com”
Secondary “_msdcs.corp.example.com.”





Install a DNS server on at least two DCs in each AD domain and one DC in each site
Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that
AD domain
If different domains of the forest are connected over slow links, delegate the zone _msdcs.<ForestName> and make at least one DNS server in every site secondary for this zone
Each client should be configured to query at least two DNS servers one of which is in the same site

corp.example.com
Zones:
Primary ADint “corp.example.com”
Primary ADint “_msdcs.corp.example.com.”
Domain1.corp.example.com
Site1 Site2 Site3
Zones:
Primary ADint “Domain1.corp.example.com”
Secondary “_msdcs.corp.example.com.”

Hardware planning


Memory usage


No zones loaded
Each record requires
~4 MB
~100 bytes
Performance


Alpha 533 MHz dual-processor with 25%
Processor utilization
 1600 queries and 200 dynupd/second
Intel P-II 400 MHz dual-processor with
30% Processor utilization
 900 queries and 100 dynupd/second








Kerberos Integration with Windows NT
Security Provider Architecture
Public Key Security Components
Smart card logon and authentication
Encrypting File System
Security Policies and Domain Trust
Secure Windows NT Configuration






Single enterprise logon
Integrated security services with
Windows NT Directory Service
Delegated administration and scalability for large domains
Strong network authentication protocols
Standard protocols for interoperability of authentication

 Authenticate using domain credentials
 User account defined in Active Directory
 Authorization based on group membership
 Centralize management of access rights
 Distributed security tied to the
Windows NT Security Model


Network services use impersonation
Object-based access control lists

Multiple Security Protocols
 Shared key protocols


Windows NTLM authentication: compatibility in mixed domains
Kerberos V5 for enterprise networks
 Public key certificate protocols


Secure Sockets Layer (SSL) /
Transport Layer Security (TLS)
IP Security
 Multiple forms of credentials in the
Active Directory

Application server
1. NTLM challenge/response
Netlogon
Windows NT
Directory Service
2. Uses LSA to log on to domain
4. Server impersonates client
3. Netlogon service returns user and group
SIDs from domain controller
MSV1_0
Windows NT domain controller

Client
Kerberos SSPI provider manages credentials and security context;
LSA manages ticket cache
Server
Session ticket authorization data supports
NT access control model
Windows NT
Directory Server
KDC relies on the
Active Directory as the store for security principals and policy
Key Distribution
Center (KDC)
Windows NT Domain Controller

 Faster connection authentication
 Server scalability for high-volume connections
 Reuse session tickets from cache




Mutual authentication of both client, server
Delegation of authentication
 Impersonation in three-tier client/server architectures
Transitive trust between domains
 Simplify inter-domain trust management
Mature IETF standard for interoperability
 Testing with MIT Kerberos V5 Release

 Based on Kerberos V5 Protocol


RFC 1510 and RFC 1964 token format
Testing with MIT Kerb V5 Release
 Windows NT DS hosts the KDC



UNIX clients to Unix Servers
UNIX clients to NT Servers
NT clients to UNIX Servers
 Simple cross-realm authentication
 UNIX realm to NT domain

Network Server connection
Application Server (target)
2. Present session ticket at connection setup 3. Verifies session ticket issued by KDC Target
1. Send TGT and request session
TGT ticket from KDC for target server
Windows NT
Directory Server
Key Distribution
Center (KDC)
Windows NT domain controller




Kerberos package gets auth data from session ticket
LSA
Server application
Token LSA builds access token for security context
Server thread impersonates client context
Kerberos
Target
Session ticket
Impersonation token
Auth data:
 User SID


Group SIDs
Privileges

Client
File application
Token
SMB protocol
Rdr
SSPI
Kerberos
SSP
Ticket
\\infosrv\share
Server
Kerberos
SSP
NTFS
Token
Access check
SD
File
KDC

Remote file
DCOM application
Internet Explorer,
Internet Information
Server
Directory enabled apps using ADSI
Mail,
Chat,
News
CIFS/SMB Secure RPC
NTLM
HTTP
Kerberos
LDAP
SChannel
SSL/TLS
POP3, NNTP
SSPI
DPA
MSV1_0/
SAM
KDC/DS
Membership services




Windows NT 4.0 clients and servers
 Use NTLM authentication
Windows NT 5.0 clients



Locate NT 5.0 Active Directory and KDC
Support smart card logon
Use Kerberos or NTLM protocol
Windows NT 5.0 Servers
 Accept both NTLM or Kerberos protocol

X.509 and PKCS Standards
For clients
 User key and certificate mgmt



Secure channel
Secure storage
Auto enrollment
For servers
 Key and certificate management
 Secure channel


Client authentication
Auto enrollment
Windows NT
Directory Server
Enterprise


Certificate services
Trust policy
Certificate
Server

Application
Secure channel
Certificate management services
Certificate store
Crypto API 1.0
RSA base
CSP
Fortezza
CSP
SmartCard
CSP
Key database
 Cryptographic
Service Providers

Integrated Security Administration




Strong authentication using X.509 certificates
 Single user ID for multiple protocols
Security account management
 Use existing infrastructure: ccount admin and access control
Accept third-party X.509 certificates from trusted Certificate Authorities
Inter-business authentication

Server
Client certificate

SChannel SSP
Certificate Store of Trusted CAs

Authentication service

Server resources
ACL
Access token

Domain
Org (OU)
Users
1. Verify user certificate based on trusted CA, CRL
2. Locate user object in directory by subject name
3. Build NT access token based on group membership
4. Impersonate client, object access verification




Secure channel between
Internet Explorer and
Internet Information
Server
Keys and certificates managed by
Crypto API
SmartCard CSP gets certificate and protocol signature from card
Internet Explorer 4.0
SSPI
Secure channel
Crypto API
SmartCard
CSP
Reader driver
Reader
ICC



Private key and certificate on card
Public key domain authentication



Obtain Kerberos
TGT and NTLM credentials
User profile for other keys and certificates
RAS support
PK Kerberos
TGT
Domain credentials
Profile
Internet Explorer
Certs Keys




Trust policy decisions


What CAs are trusted?
What are they trusted for?
 Client Authentication,


Server Authentication,
Authenticode
Trust determination made locally
 Certificate path verification
Configure trust policy centrally
 Define trust policy in Policy Editor
 Signed by an authorized user




Privacy of data that goes beyond access control


Protect confidential data on laptops
Configurable approach to data recovery
Integrated with core operating system components



Windows NT File System - NTFS
Crypto API key management
LSA security policy
Transparent and very high performance

Applications
Win32 layer
Crypto API
EFS service
User mode
Kernel mode I/O manager
EFS.sys
LPC communication for all key management support
NTFS FSRTL callouts
Encrypted on-disk data storage

A quick brown fox jumped...
User’s public key
Randomlygenerated file encryption key
File decryption
(e.g., DES)
RNG
*#$fjda^j u539!3t
t389E *&
Data decryption field generation
(e.g., RSA)
Data recovery field generation
(e.g., RSA)
DDF
DRF
Recovery agent’s public key in recovery policy

*#$fjda^j u539!3t
t389E *&
File decryption
(e.g., DES)
A quick brown fox jumped...
User’s private key
DDF contains file encryption key encrypted under user’s public key
File encryption key
DDF extraction
(e.g., RSA)
DDF is decrypted using the private key to get to the file encryption key
DDF

Security Features
 Organization Units (OU) to organize the directory name space
 Users, groups, computers in separate containers


Directory object security


Per property access control
Per property auditing
Delegation of administration
 Who can create, manage users, groups, computer accounts, other objects

microsoft.com
Downlevel domain europe. microsoft. com
Domain fareast. microsoft. com
Explicit Windows NT 4.0-style trusts
Domain Domain
Kerberos trust
Domain
Domain




Security Configuration Editor (SCE)
 Defines security configuration templates
Group Policy Editor
 Defines hierarchy of user or computer policy templates for OUs up to the
Domain
Security configuration is part of Group
Policy


Group Policy for a computer includes the security configuration
Security configuration applied at startup

 Covers various security areas





Account Policies -- password, lockout, kerberos
Local Policies -- auditing, user rights,...
Restricted Groups --
Administrators, Power Users,…
Registry & File System -- security descriptors
Services -- startup mode and security descriptors




Kerberos for domain authentication for the Enterprise
 Mutual authentication, transitive trust
Public key security components



Certificate Services to issue organization certificates
Personal key and certificate management
Public key credentials for servers
Directory-based SSL/TLS client authentication using X.509 certificates









Crypto API enhancements
Smart card logon and dialup access
Message encryption using SSPI
SMB data encryption using IPsec
Encrypting File System
DS Security Administration and Policy
Security Configuration Editor
Cross-platform authentication interoperability


“The ability for the administrator to state a wish about the state of their users’ environment once, and then rely on the system to enforce that wish!”



Policies Are Not Profiles
 A profile is a collection of user environment settings that the user may change
 Group Policy is a collection of user environment settings, specified by the administrator
Group Policy is more than simple “lockdown”

Group Policy enhances the “Follow Me!” experience by enabling organizations to:
 Set registry settings securely and without fear of tattooing (Administrative Templates)




Specify security oriented settings (Security Settings)
Install software (Software Installation)
Redirect “My Documents,” “Desktop,” etc. to the network (Folder redirection)
Implement tiered scripts (Scripts)

Group Policy And The Active Directory
GPO’s Sites are described by
Subnet address’s and
A1
Domain
A
A2 would not


GPOs are per Domain
GPOs are per Domain
A3
Site
A4 A1
OU’s
A2
A5
Multiple SDOUs may use a single GPO
Domain
B
Group Policy is NOT inherited across Domains
B1
GPO’s
Any SDOU may be associated with any GPO, even across Domains
(slower - maybe very slow) membership (ACLs)
B1
B3
B2
OU’s
B2
What is my policy?




The OU structure is your administrative structure
Group Policy configuration must be tuned to fit your OUs structure
Design for the most stable and maintainable solution




Security Groups may be used to filter the effect of Group Policy

Any Group Policy may have it’s scope modified by setting ACL permissions
Read and Apply Group Policy (AGP)
ACEs are required for Group Policy to be applied
Only filter if necessary
 Keep simple if possible

ou ou ou ou ou ou ou
GP
ACL
GP applied to virtual group
 Filtering can be inclusionary or using
“deny” exclusionary
Read &
APG
Read &
APG





Active Directory
DNS
Security Features
Group Policy