COMP2221 Networks in Organisations
Richard Henson
March 2014

Week 8: Active Directory and Security

Objectives
– Apply active directory group policies across one/more domain using active directory
– Explain security features associated with active directory
– Apply secure file system principles and active directory to controlling access for groups of network users

Security Features of Active Directory (1)
SSL (secure OSI level 5)
– emerged thanks to Netscape and IETF
– made e-commerce possible…
– Internet Information Server (IIS) soon supported creation of websites accessible only via https/SSL
LDAP over SSL
– LDAP important for internet lookup
– used with secure sockets layer (SSL) for checking server credentials for extranet and e-commerce applications

Security Features of Active Directory (2)
Transitive Domain Trust
– default trust between contiguous Windows domains in a domain tree
– greatly reduces management overhead
– attempt to mirror DNS on Windows networks

Security Features of Active Directory (3)
Support for Kerberos Authentication
– authentication of users on remote domains not part of the same DNS zone
Smart Card Support
– logon via smart card for strong authentication to sensitive resources

Protecting Local Passwords
Early Microsoft systems didn’t bother with usernames/passwords
– still true with Windows 8… sold by vendors with one “open” user/administrator (i.e. no password)
Client-end systems using username/password login saved passwords quite primitively in the early days
– Strong password protection only started with Windows 2000

Strengthening Windows Passwords
“Challenge-response” encryption (NTLMv2) was available to all systems from Windows 2000 on…
– until Vista arrived this was turned off by default
» for “compatibility reasons”
– unless NTLMv2 enabled, passwords on XP systems, for example, easy to “hack” with right tools (!)
Any client network user should make sure this password protection feature is turned on…
– can be added for domain users through group policy

Active Directory and “controlling” Users
“Groups” already well established for managing network users
Active directory centrally organised resources including all computers
– allowed groups to become more powerful for user management
– exploited by enabling the organisation of users and groups of users into:
» organisational units
» sites
» domains

Managing Domain Users with Active Directory
Same user information stored on all domain controllers
Users can be administered at, or by secure access to administrator on, any domain controller for that domain
– flexibility but potential danger!

Making Sure Users don’t get the Administrator Password!
File security assumes that only the network manager can log on as administrator
– but if a user can guess the password… (!)
Strategies:
– rename the administrator account to something more obscure
– only give administrator password to one other person
– change administrator password regularly

How AD Provides Security
Manages which “security principal(s)” have access to each specific resource
– i.e. users, computers, groups, or services (via service accounts)
» each has a unique identifier (SID)
Validates the authentication process…
– for computers, at startup
– for users, at logon

More about the SID
The SID (Security ID) comprises:
– domain ID
» common to all security principals within the domain
– unique relative identifier (RID)

Access Tokens
Generated when a user logs on to the network
Contains:
– user’s SID
– SIDs for each group to which the user is a member
– assigned user rights or privileges as a result of processing the IDs in the specified order

ACE (Access Control Entries)
Each object or resource has an access control list (ACL), e.g.
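The SID structure and access-token contents described on the last two slides can be seen directly on a Windows host. This is an added example, not part of the lecture material; it assumes a domain-joined machine and the built-in .NET security classes plus the standard whoami tool.

```powershell
# Added example (not from the lecture): inspect the current logon session's
# access token to see the pieces the slides describe.
# Assumes a domain-joined Windows host; the values printed are illustrative.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# --- The user's SID: domain identifier + relative identifier (RID) ---
$userSid = $identity.User
$rid     = [int]($userSid.Value.Split('-')[-1])
[pscustomobject]@{
    Account   = $identity.Name
    SID       = $userSid.Value
    DomainSID = $userSid.AccountDomainSid   # shared by every principal in the domain
    RID       = $rid                        # well-known RIDs < 1000 (500 = built-in Administrator)
}

# --- Group SIDs carried in the token (these are what ACL checks are matched against) ---
$identity.Groups | ForEach-Object {
    $name = '<unresolvable>'
    try { $name = $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{ SID = $_.Value; Name = $name }
} | Format-Table -AutoSize

# Membership checks resolve against the token, not the directory: a group the
# user was added to after logon is not seen until the next logon.
$principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# --- User rights / privileges assigned to the token ---
whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.State -eq 'Enabled' } |
    Select-Object 'Privilege Name', Description
```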
– objects and their properties
– shared folders and printer shares
– folders and files within the NTFS file system
ACEs contained within ACL
– protects resource against unauthorised users

More on ACLs
Two distinct ACLs for each object or resource:
– discretionary access control list (DACL)
» list of the SIDs that are either granted or denied access and the degree of access that is allowed
– system access control list (SACL)
» list of all the SIDs whose access or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed

Mechanism of AD security
Users are usually assigned to several groups
When a user attempts to access a directory object or network resource…
– the security subsystem…
» looks at the SID for the user and the SIDs of the security groups to which the user is a member
» checks to see whether it/they match the security descriptors assigned to the resource
If there is a match…
– user is granted the degree of access to the resource that is specified in the ACL

Power of Group IDs in Policy-based Security
Group Policy…
– allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources
– allows security & usage policies to be established separately for:
» computer accounts
» user accounts
– can be applied at multiple levels:
» users or computers residing in a specific OU
» computers or users in a specific AD site
» an entire AD domain

Active Directory and Group Policy
Power of Group Policy:
– allows network administrators to define and control the policies governing:
» groups of computers
» groups of users
– administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory Domain Tree

Monitoring Group Policy
Policies, like permissions, are ADDITIVE
– watch simulation… (AGAIN!)
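The DACL/SACL distinction and the SID-to-SID matching described above can be checked on a real share. This is an added example, not from the lecture; the folder path and group names are assumed placeholders, and reading the SACL (-Audit) needs an elevated administrator session.

```powershell
# Added example (not from the lecture): review the DACL and SACL of a shared
# folder and report the things a defender would want to know.
# $path and $expectedGroup are assumed placeholder values.
$path          = 'C:\Shares\Finance'
$expectedGroup = 'CORP\Finance-Users'
$broadGroups   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

$acl = Get-Acl -Path $path -Audit     # -Audit also loads the SACL (needs SeSecurityPrivilege)

# DACL, one ACE per row, shown as SIDs because that is what the security
# subsystem compares against the SIDs in the caller's access token.
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object @{n='SID'; e={ $_.IdentityReference.Value }},
                  FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Findings to raise on the DACL
$findings = foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $broadGroups -contains $who -and
        $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') {
        "Broad write access: $who has $($ace.FileSystemRights)"
    }
    if ($who -match '^S-1-5-21-') {        # name did not resolve: account was deleted
        "Orphaned SID still in ACL: $who"
    }
}
if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $expectedGroup })) {
    $findings += "Expected group $expectedGroup has no ACE on $path"
}
if ($acl.AreAccessRulesProtected) { $findings += 'Inheritance is disabled on this folder' }

# SACL: without entries here, successful/failed access is never audited,
# whatever the "Audit object access" policy says.
if ($acl.Audit.Count -eq 0) {
    $findings += 'No SACL entries: access to this folder is not audited'
} else {
    $acl.Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
        Format-Table -AutoSize
}
$findings
```

With a SACL entry in place and object-access auditing enabled, each matching access produces Security event 4663 on the file server, which is where the "type of auditing" chosen in the SACL becomes visible.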
Windows 2000 policies
– need to assess which specific cumulative set of policies were controlling the environment for a specific user or computer
Windows 2003 GPMC
– tracking and reporting the Resultant Set of Policy (RSoP):
» net effect of each of the overlapping policies on a specific user or computer within the domain

Extending User/Group Permissions beyond a domain
Possible for user permissions to be safely applied beyond the local domain
– so users on one network can gain access to files on another network
– authentication controlled between servers on the local and trusted domains
Normally achieved through “adding” groups from a trusted domain
NOT the same as “remote logon”
– needs special username/password authorisation…

Enterprise Networks
Multiple Domains in a tree
– Transitive Domain Trust
Single enterprise administrator (“enterprise admin”)
– greatly reduces management overhead

Managing Users & Their Profiles
Once they get the hang of it, users save all sorts of rubbish to their user areas
– may well include lots of downloaded web pages and images
Problem!
– 5000 users
– each user takes 1 Gb of space...
– total disk space required is 5000 Gbytes!

Managing User Profiles
Windows 2003 Server “Disk Quotas”:
– allows administrators to track and control user NTFS disk usage
» coupled with Group Policy and Active Directory technology
» easy to manage user space
» even enterprise-wide…
– users find this irritating but stops them keeping data they’re never likely to use again…

User Rights
Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
– operating system can enforce this
Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the software could be misused…
» c.f. no-one is allowed to drive a car because some drivers cause accidents!
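Two earlier slides fit together here: the NTLMv2 setting that "can be added for domain users through group policy", and RSoP as the way to see the net effect of overlapping policies. This added example (not from the lecture) does both with the GroupPolicy module; the GPO name, OU path and computer name are assumed placeholders.

```powershell
# Added example (not from the lecture): deliver the NTLMv2-only setting to an
# OU via Group Policy, then check the resultant set of policy on one machine.
# Requires the GroupPolicy module (RSAT or a domain controller) and a
# domain-admin session. $gpoName, $targetOU and $computer are placeholders.
Import-Module GroupPolicy

$gpoName  = 'Security - NTLMv2 only'
$targetOU = 'OU=Workstations,DC=corp,DC=example'
$computer = 'WS-001.corp.example'
$lsaKey   = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Refuse LM/NTLMv1; stop storing LM hashes' }

# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
# Same registry value that the Security Options entry
# "Network security: LAN Manager authentication level" sets; written this way
# it appears under "Extra Registry Settings" in GPMC reports.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName 'LmCompatibilityLevel' `
    -Type DWord -Value 5 | Out-Null
# NoLMHash 1 = do not store the weak LM hash at the next password change.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName 'NoLMHash' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU once. Policies are additive, so link order and
# enforcement on the OU/domain decide the outcome where settings overlap.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# RSoP: the net effect of every GPO that applies to this computer, as a report.
Get-GPResultantSetOfPolicy -Computer $computer -ReportType Html `
    -Path "$env:TEMP\rsop-$($computer.Split('.')[0]).html" | Out-Null

# Confirm the effective values on the endpoint itself (after it has refreshed policy).
Invoke-Command -ComputerName $computer -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel, NoLMHash -ErrorAction SilentlyContinue
}
```

A value other than 5 on the endpoint after a policy refresh points to a higher-priority GPO or a local override, which is exactly what the RSoP report is for.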
Controlling/Monitoring Group Policy across Domains
AD across a distributed enterprise…
– “enterprise” administrators have the authority to implement and alter Group Policies anywhere
– important to manage and restrict their number...
Enterprise admins need to inform domain admins:
– what has changed
– when it changed
– the implications of the change for directory and network operations…
Otherwise…
– a change to Group Policies affecting a domain might occur with disastrous consequences

More on Secure Development of Software
Main problem…
– Functional requirements explained at planning/analysis/design phases
– Non-functional requirements less well discussed
» may be left out altogether
» big mistake
» system won’t meet users’ needs

NFR Example: Possible Security Features
Information labelling and handling
Equipment siting and protection
Supporting utilities
Cabling security
Maintenance
Secure disposal or re-use
Separation of development, test and operational facilities
Controls against malicious code
Controls against mobile code
Information back-up
Network controls
Security of network services
Electronic messaging
On-line transactions
Publicly available information
Audit logging
Auditing system use
Protection of log information
Clock synchronisation
Privilege management
Equipment identification in networks
Remote diagnostic and configuration port protection
Segregation in networks
Network connection control
Network routing control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Information access restriction
Sensitive system isolation
Input data verification
Control of internal processing, including least privilege
Message integrity
Output data verification
Cryptographic controls
Key management
Technical vulnerability management (patches and updates)
Collection of evidence
A checklist of areas to consider, abstracted from ISO/IEC 27001 / 27002 control sets
[TSI/2012/183] © Copyright 2003-2012