
COMP3371 Cyber Security

COMP3371 Cyber Security. Richard Henson University of Worcester October 2015. Week 5: Access Control using Active Directory. Objectives: Explain the components of a network directory service Analyse Windows active directory and compare it with an x500 standard service





Presentation Transcript


  1. COMP3371 Cyber Security
     Richard Henson, University of Worcester, October 2015

  2. Week 5: Access Control using Active Directory
     • Objectives:
       • Explain the components of a network directory service
       • Analyse Windows Active Directory and compare it with an X500 standard service
       • Explain how the use of security policies can help prevent network internal security breaches
       • Apply security policies to a Windows Server setup

  3. “Network Directories” & the PKI
     • Directories not to be confused with “folders”…
       • the former is generally a data store that changes only infrequently…
       • e.g. a telephone directory
       • to avoid confusion, computer-based directories are also called “repositories”
     • Lots of different “network databases” have evolved on the web
       • not a good idea!
       • often contain the same info... if one is updated (e.g. someone’s address), all should be updated, but this is unlikely to be the case in practice

  4. A Directory for the whole Internet?
     • Total solution:
       • use just one repository (meta directory) for that type of info (e.g. global telephone directory)
       • provide it on the web as a “directory service”
       • use LDAP applications to directly access that info
     • Achieved through Distributed Directory…

  5. Distributed Directory
     • Paper-based equivalent – series of telephone directories, each covering a clearly defined area
       • collectively cover a wide geographical region
       • serve a variety of purposes
       • all part of the same system for communication
     • Distributed directory on a computer network
       • entry for an entity may appear in multiple directories
         • for example, one for each email system (if more than one)
         • for example, one for gaining access to the network by logging on
       • directory synchronisation essential for tying the distributed directories together

  6. Development of Internet Protocols: roles of IETF and IESG
     • IESG provides technical management of IETF activities
       • power to translate RFC proposals into RFC standards
     • Procedure:
       • draft RFC submitted
       • if accepted: IESG elevates it to RFC “draft” status
       • RFC then given consideration as a standard…
       • draft RFC eventually may become a true Internet standard
     • LDAP -> x509 good e.g. of successful evolution

  7. X500 Architecture
     • Based on the OSI model
     • X500 agreed database spec: RFC 1006
       • allows OSI applications to run over IP network
     • Full X500 Architecture:
       • DMD (directory management domain)
       • DUA (directory user agents)
       • DIB (directory information base – object oriented!)
         • e.g. a directory service database
       • DIT (directory information tree)
         • a hierarchical organization of entries which are distributed across one or more servers
       • DSA (directory system agent[s])
         • works with DIT across servers

  8. X500 Protocols
     • DAP (Directory Access Protocol)
     • DSP (Directory System Protocol)
     • DISP (Directory Information Shadowing Protocol)
     • DOP (Directory Operational Binding Management Protocol)
     • Collectively:
       • wide range of functionality
       • structure cumbersome

  9. Simplifying X500 - LDAP
     • Developed by University of Michigan researchers, early 1990s
       • gave up on the complexities of X.500
       • came up with a scheme that:
         • retained the X.500 directory structure
         • gave it a streamlined access protocol based on standard TCP/IP instead of ISO
     • Other improvements:
       • pared-down referral mechanism
       • more flexible security model
       • no fixed replication protocol

  10. Microsoft and LDAP
      • Microsoft wanted to get into the database server market, and realised that Internet compatibility was needed
        • needed X500 in its directory service planned for the next version of NT
        • adapted Michigan Uni LDAP…
      • Microsoft helped build the original PKI service provider (Verisign) using the LDAP protocol
      • Also ODSI (Open Directory Services Interface):
        • allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces

  11. Microsoft and x500
      • 1996: launched Exchange v4
        • email server
        • provided the infrastructure to enable DAP clients to access its directory service information…
      • Client-end X.500 DAP-compliant
        • Outlook as network client
        • Outlook Express as Internet client
        • client for US gov defence messaging

  12. Database for Exchange Server
      • Microsoft adopted/devised ESENT (Extensible Storage Engine… NT) database
        • arranged as a single file organised in a balanced B-tree hierarchical structure
      • Also used a new db engine ESE (JET Blue)
        • uses ISAM (Indexed and Sequential Access)
        • manages data efficiently; crash recovery mechanism ensures data consistency is maintained even in the event of a system crash
        • in Windows as ESENT.DLL

  13. X509 (Digital Certificates)
      • Digital Certificate store had to follow X500 standard to be “Internet compatible”
        • original X509 specification: RFC1422 (1993)
        • LDAP protocol for the “look up”
      • Refined many times…
        • current version RFC5280 (2008)

  14. LDAP, ESE, and Active Directory
      • According to Microsoft…
        • “Active Directory incorporates decades of communication technologies into the overarching Active Directory concept…”
      • Certainly a very successful commercial roll-out of an X500 compliant directory service
        • also used (uses) ESE to manage data
        • and DNS to integrate with www locations
        • and LDAP to manage PKI requests…

  15. Continuous Development of AD
      • Continued to work with IETF
      • Exchange v5 also used the ESE/LDAP/DNS enhancement…
      • each version of Windows Server extended the Active Directory services further…
        • even Group Policies managed through AD
      • Development continues…

  16. Directory Services and AD
      • Active Directory has just one data store, known as the directory
        • stored as NTDS.DIT
        • where does “.dit” originate from?
        • distributed across ALL the domain controllers
        • links to objects on/controlled by each of the DCs
        • changes automatically replicated to all DCs
      • Contains details of:
        • stored objects
        • shared resources
        • network user and computer accounts

  17. AD, DNS, and Domain Trees
      • One great thing about being Internet-compatible is that Active Directory can also logically link domains together
        • very useful for networks using more than one domain
        • each domain in the directory is identified by a DNS domain name and requires one or more domain controllers
      • Multiple domains with contiguous DNS domain names make up a parent-child structure known as a domain tree
      • If domain names are non-contiguous, they form separate domain trees

  18. “Trust Relationships” between Windows Domains & using DNS
      • System of account authentication between domains was established in the Windows NT architecture
        • but Windows NT trust relationships were isolated and individual
      • Active Directory enables trust relationships through DNS naming
        • users and computers can be authenticated between any domains

  19. Active Directory Trust Relationships
      • Extends the principle…
        • domains can link together in a schematic way to form “domain trees”
      • Trust relationships are automatically created between adjacent domains (parent and child domains) in the tree
        • users and computers can now be authenticated between ANY domains in the domain tree
      • So how does this all work securely in practice, across an entire enterprise?

  20. Access Controls
      • Set of security mechanisms used to control what a user can do as a result of logging on to a secured environment
        • enforce “authorisation”
        • “identification” and “authentication” may also be associated with logging on
      • Effect includes:
        • access to systems, services & resources
        • interactions users can perform

  21. Remote Logon and Kerberos Authentication
      • Another university: MIT
      • Series of KDC (Kerberos Distribution Centres)
        • each a secure database of authorised users, passwords & domain names
        • maintained using Kerberos V5 security protocol
          • uses strong encryption
          • freely available…
      • Active Directory + Kerberos = very powerful combination
        • even used to authenticate across mobile & wireless networks

  22. Components of “Enterprise-wide” Login with Kerberos authentication
      • Active Directory tree logically connects and “trusts” servers throughout the enterprise
      • Servers in their turn control access to users within domains
      • Group(s) selected during the user authentication process
      • Group Policy Objects invoked which rewrite registry settings and control client desktops
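The ticket flow behind slides 21 and 22 (client asks the KDC for a ticket-granting ticket, exchanges it for a service ticket, and presents that ticket to a server that never has to contact the KDC itself) as a runnable illustration added here; it is not code from the lecture, from MIT Kerberos or from Microsoft. The realm `WORC.LOCAL`, the principals, passwords, ticket lifetime and the HMAC-SHA256 stream "cipher" used for sealing are all constructed stand-ins for the real Kerberos encryption types.

```python
"""Toy Kerberos V5-style logon: client <-> KDC (AS and TGS) <-> service.

Added illustration, not from the lecture or from MIT/Microsoft code. A constructed
HMAC-SHA256 stream cipher with a MAC stands in for Kerberos encryption types; the
realm, principals and passwords are made up.
"""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600  # ticket lifetime in seconds (constructed value)

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password; the principal name acts as the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC before decrypting; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The secure database of principals and keys that slide 21 describes."""
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.tgs_key = self.keys["krbtgt/" + realm]   # key the TGS uses to seal TGTs

    def as_exchange(self, user: str, now: int):
        """AS-REQ/AS-REP: a TGT (sealed for the TGS) plus its session key sealed under the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "key": session, "expires": now + LIFETIME})
        return tgt, seal(self.keys[user], {"key": session, "expires": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: check the TGT and authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or now > t["expires"] or abs(now - a["time"]) > 300:
            raise PermissionError("TGT/authenticator mismatch, expired, or clock skew")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})

def client_logon(kdc: KDC, user: str, password: str, service: str, now: int = None):
    """Client side: AS then TGS exchange; returns the AP-REQ (ticket + authenticator) for the service."""
    now = int(time.time()) if now is None else now
    tgt, enc = kdc.as_exchange(user, now)
    tgt_key = bytes.fromhex(unseal(derive_key(password, user), enc)["key"])  # wrong password fails here
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "time": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgt_key, enc2)["key"])
    return ticket, seal(svc_key, {"client": user, "time": now})

def service_accept(service_key: bytes, ap_req, now: int) -> str:
    """Service side: no call to the KDC is needed; its own long-term key validates the ticket."""
    ticket, authenticator = ap_req
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or now > t["expires"]:
        raise PermissionError("service ticket rejected")
    return t["client"]

# Constructed realm: one user, one file service, and the TGS principal
PRINCIPALS = {"alice": "correct horse", "cifs/fileserver": "svc-secret", "krbtgt/WORC.LOCAL": "kdc-master"}

def demo(now: int = 1000) -> str:
    kdc = KDC("WORC.LOCAL", PRINCIPALS)
    ap_req = client_logon(kdc, "alice", "correct horse", "cifs/fileserver", now)
    return service_accept(derive_key("svc-secret", "cifs/fileserver"), ap_req, now)

if __name__ == "__main__":
    print("service accepted client:", demo())
```

The points worth noticing for the slides' argument are that the user's password never crosses the network (only material sealed under the key derived from it does), that the file server validates the ticket with nothing but its own key, and that an expired ticket or a tampered one is rejected before any name in it is trusted.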

  23. Users, Groups, Security, and NTFS partitions
      • Any file or folder on an NTFS partition will have file permissions imposed
      • Typical permissions:
        • No Access
        • Read only
        • Read and Execute
        • Write
        • Modify
        • Ownership/Full Control
      • Much wider range of permissions available

  24. Point for debate: is “read only” access dangerous?
      • If information is held on a server and accessed by dumb terminals…
        • secure enough!
        • this was the case in the days of centralised networks with no distributed processing
      • With client-server networking, read only means “the user can take a copy”
        • is this dangerous, from an organisational security point of view?

  25. Principle of Least Privilege
      • Providing users with sufficient access to do their work…
        • but no more than that!
      • Privileges can also be applied temporarily to provide controlled flexibility
      • Even individual administrators can have the principle applied to them
        • if they have responsibility for particular resources…
        • they shouldn’t have privileges relating to other resources not within their work remit

  26. Groups and Group Policy
      • May be convenient for managers and administrators to put users into groups
      • Settings for a group provide particular access to data & services
      • Problems…
        • user in wrong group(s)
        • group has wrong settings
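Slides 23, 25 and 26 together describe NTFS permissions, the least-privilege principle and the two ways groups go wrong. The following added example (not code from the lecture or from Windows) computes a user's effective rights on an object the way a Windows DACL is evaluated, with Deny entries overriding Allow entries and Allow rights accumulating across all the user's groups, and then audits each user against what their role needs. The users, groups, ACL and role requirements are constructed.

```python
"""Effective NTFS-style permissions for a user, plus a least-privilege audit.

Added illustration, not from the lecture; users, groups, ACL and role requirements
are constructed. Models the Windows DACL rule that an explicit Deny entry beats an
Allow, while Allow rights accumulate across the user and every group it belongs to.
"""
from dataclasses import dataclass

# Bit flags standing in for the NTFS rights listed on slide 23
READ, EXECUTE, WRITE, MODIFY, FULL_CONTROL = 1, 2, 4, 8, 16
NAMES = {READ: "Read", EXECUTE: "Execute", WRITE: "Write",
         MODIFY: "Modify", FULL_CONTROL: "Full Control"}

@dataclass(frozen=True)
class ACE:
    """One access control entry: who, which rights, Allow (True) or Deny (False)."""
    trustee: str
    rights: int
    allow: bool = True

def effective_rights(acl, user, groups):
    """Rights `user` really gets, given its group memberships."""
    principals = {user, *groups.get(user, ())}
    allowed = denied = 0
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied          # a Deny anywhere overrides an Allow anywhere

def rights_names(mask):
    return sorted(name for bit, name in NAMES.items() if mask & bit)

def least_privilege_audit(acl, groups, required):
    """Compare each user's effective rights with what its job needs (slide 25).
    Returns {user: (excess rights, missing rights)} for every mismatch found."""
    findings = {}
    for user, needed in required.items():
        have = effective_rights(acl, user, groups)
        excess, missing = have & ~needed, needed & ~have
        if excess or missing:
            findings[user] = (rights_names(excess), rights_names(missing))
    return findings

# Constructed sample: a payroll share. Carol is an intern who was also dropped into
# Payroll (slide 26's "user in wrong group"); the Deny on Interns limits the damage.
GROUPS = {
    "alice": {"Payroll", "Domain Users"},
    "bob":   {"Domain Users"},
    "carol": {"Payroll", "Interns", "Domain Users"},
}
PAYROLL_ACL = [
    ACE("Domain Users", READ | EXECUTE),
    ACE("Payroll", READ | EXECUTE | WRITE | MODIFY),
    ACE("Interns", WRITE | MODIFY, allow=False),
]
# What each role actually needs: bob has no business on the share at all
REQUIRED = {"alice": READ | EXECUTE | WRITE | MODIFY, "bob": 0, "carol": READ | EXECUTE}

if __name__ == "__main__":
    for u in GROUPS:
        print(u, rights_names(effective_rights(PAYROLL_ACL, u, GROUPS)))
    print("audit:", least_privilege_audit(PAYROLL_ACL, GROUPS, REQUIRED))
```

The audit flags Bob: the broad "Domain Users" Allow entry (slide 26's "group has wrong settings") gives him Read and Execute on a share his role does not need, which is exactly the "read only means the user can take a copy" risk from slide 24.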

  27. The Registry and User Control
      • The Registry - a simple data store
        • has many user settings
      • Settings uploaded into memory on boot-up
        • easily overwritten by settings from policy files
        • policies can be used for groups of users
        • resultant policy controls the desktop

  28. What is The Registry?
      • A hierarchical and “active” store of system and user settings, viewable using REGEDT32.exe
      • Five basic subtrees:
        • HKEY_LOCAL_MACHINE: local computer info; does not change no matter which user is logged on
        • HKEY_USERS: default user settings
        • HKEY_CURRENT_USER: current user settings
        • HKEY_CLASSES_ROOT: software config data
        • HKEY_CURRENT_CONFIG: “active” hardware profile
      • Each subtree contains one or more subkeys

  29. Location of the Windows Registry
      • c:\windows\system32\config
        • “users” may be denied access
      • Six files (no extensions):
        • Software
        • System – hardware settings
        • Sam, Security
          • not viewable through regedt32
        • Default – default user
        • Sysdiff – HKEY_USERS subkeys
      • Also: ntuser.dat file
        • user settings that override default user

  30. Structure of an Active Directory Tree
      • A hierarchical system of organisational data objects
      • A Tree can be
        • a single domain with org. units
        • a group of domains

  31. Domains, Trees & Forests
      • Domain objects divide into organisational units (OUs)
      • Microsoft recommend using OUs in preference to domains for imposing structure for admin purposes
        • flexibility to use either one domain or several…
      • “Forest” contains data needed to connect all objects in the tree, and can even connect different trees
        • logical linking creates “trusts” for remote users
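Slides 17, 19 and 31 give three rules: contiguous DNS names form a parent-child domain tree, adjacent domains in a tree trust each other automatically and transitively, and a forest can link separate trees. The added example below (not from the lecture or any Microsoft tool) derives the trees from a list of DNS domain names and answers the question slide 19 ends on, namely which domains a logon crosses between any two domains, or that no trust path exists. The domain names and the forest's tree-root trust are constructed.

```python
"""Domain trees from DNS names, and transitive trust paths between domains.

Added illustration, not from the lecture; the domain names are constructed. It models
the rules on slides 17, 19 and 31: domains whose DNS names are contiguous form a
parent-child tree with automatic two-way trusts between adjacent domains; trusts are
transitive across the tree; non-contiguous names are separate trees, which a forest
joins through a trust between the tree roots (passed in here as `forest_root_trusts`).
"""
from collections import deque

def parent_of(domain, domains):
    """Nearest ancestor present in `domains` by DNS suffix, or None for a tree root."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def build_trees(domains):
    """Group domains into trees: {tree_root: {child_domain: parent_domain}}."""
    domains = set(domains)
    parents = {d: parent_of(d, domains) for d in domains}

    def root_of(d):
        while parents[d] is not None:
            d = parents[d]
        return d

    trees = {d: {} for d, p in parents.items() if p is None}
    for d, p in parents.items():
        if p is not None:
            trees[root_of(d)][d] = p
    return trees

def trust_path(src, dst, domains, forest_root_trusts=()):
    """Domains crossed when `src` authenticates a principal to `dst`, or None if no trust chain exists."""
    domains = set(domains)
    if src not in domains or dst not in domains:
        return None
    adjacent = {d: set() for d in domains}
    for d in domains:                                  # automatic parent-child trusts
        p = parent_of(d, domains)
        if p is not None:
            adjacent[d].add(p)
            adjacent[p].add(d)
    for a, b in forest_root_trusts:                    # tree-root trusts within a forest
        adjacent[a].add(b)
        adjacent[b].add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:                                       # breadth-first search over trusts
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = previous[cur]
            return path[::-1]
        for nxt in sorted(adjacent[cur]):
            if nxt not in previous:
                previous[nxt] = cur
                queue.append(nxt)
    return None

# Constructed directory: one tree under worc.ac.uk, a second tree with a non-contiguous name
DOMAINS = ["worc.ac.uk", "cs.worc.ac.uk", "lab.cs.worc.ac.uk", "admin.worc.ac.uk",
           "worcester-partner.org", "hr.worcester-partner.org"]
FOREST_ROOT_TRUSTS = [("worc.ac.uk", "worcester-partner.org")]

if __name__ == "__main__":
    print(build_trees(DOMAINS))
    print(trust_path("lab.cs.worc.ac.uk", "admin.worc.ac.uk", DOMAINS))
    print(trust_path("lab.cs.worc.ac.uk", "hr.worcester-partner.org", DOMAINS))
    print(trust_path("lab.cs.worc.ac.uk", "hr.worcester-partner.org", DOMAINS, FOREST_ROOT_TRUSTS))
```

Without the tree-root trust the two trees are islands and the cross-tree lookup returns None; with it, the path runs up one tree, across the roots and down the other, which is the "same forest" case slide 36 refers to. Every hop on the returned path is a domain whose controllers take part in that logon, so the path is also the list of places an administrator has to look when tracing a cross-domain authentication.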

  32. Active Directory and DNS
      • DNS (Domain Name System)
        • Internet-based system for naming host computers
      • In Active Directory
        • each server in the tree has a unique IP address
        • but only domains can have a unique DNS identity
        • potential confusion when setting up domain structure!

  33. Managing Security Across a Directory Tree
      • Different admin levels:
        • domain admin: looks after a domain
        • enterprise admin: controls all domains in the organisation!
          • justification of those large salaries?
      • Achieved through Group Policies…
        • users with different needs
        • but they had better be right!

  34. Group Policy in Windows Networks
      • Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage:
        • programs that are available to users
        • programs that appear on the user's desktop
        • Start menu options
      • Group Policy Objects – used with authenticated users to enhance flexibility and scalability of security beyond “domains” and “trusted domains”
      • Required level of trust achieved through:
        • Active Directory “trees” based on DNS
        • Kerberos authentication

  35. Implementation of Group Policy Objects
      • Group Policy Objects (GPOs) are EXTREMELY POWERFUL…
        • contain all specified settings to give a group of users their desktop with agreed security levels applied
        • template editing tool available as a “snap-in” with Windows Servers
      • Policy provides a specific desktop configuration for a particular group of users
      • The GPO is in turn associated with selected Active Directory objects:
        • Sites, Domains, Organizational Units
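Slides 27 and 35 describe GPOs linked to sites, domains and OUs whose settings overwrite each other to give the "resultant policy" that controls the desktop. The added example below (not code from the lecture or from Microsoft's Group Policy tooling) computes that resultant set for a user from the chain of containers above them, applying site, then domain, then OUs from parent to child with the last GPO winning, and handling the two link options that change the outcome in practice: an OU that blocks inheritance and a GPO link that is enforced. The containers, GPO names and setting names are constructed.

```python
"""Resultant Set of Policy for a user from GPOs linked to a site, a domain and nested OUs.

Added illustration, not from the lecture or Microsoft tooling; the containers, GPOs and
setting names are constructed. It models the Windows processing order the slides refer to
(site, then domain, then OUs from parent to child, the last GPO applied winning a conflict),
plus two link options: an OU with "Block Inheritance" drops GPOs linked above it, and a
GPO link marked "Enforced" is applied last and ignores the block.
"""
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value (constructed names)
    enforced: bool = False    # link marked Enforced

@dataclass
class Container:
    """A site, domain or organisational unit with the GPOs linked to it."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain: containers from the site down to the user's innermost OU.
    Returns (settings, provenance); provenance maps each setting to the GPO that won it."""
    # Lowest container that blocks inheritance: non-enforced GPOs above it are discarded
    cut = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            cut = i
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.enforced:
                enforced.append(g)
            elif i >= cut:
                normal.append(g)
    # Normal GPOs in site -> domain -> OU order, then enforced ones; among enforced
    # links the one linked higher in the hierarchy wins, hence it is applied last
    order = normal + list(reversed(enforced))
    settings, provenance = {}, {}
    for g in order:
        for key, value in g.settings.items():
            settings[key] = value
            provenance[key] = g.name
    return settings, provenance

# Constructed directory: site -> domain -> OU=Staff -> OU=Lab
SITE = Container("Site-Worcester", [GPO("Site-Proxy", {"proxy": "proxy.worc.local:8080"})])
DOMAIN = Container("worc.local", [
    GPO("Default Domain Policy", {"wallpaper": "corporate.jpg", "screensaver_timeout": 900}),
    GPO("Security Baseline", {"usb_storage": "disabled", "screensaver_timeout": 600}, enforced=True),
])
OU_STAFF = Container("OU=Staff", [GPO("Staff-Desktop", {"screensaver_timeout": 1800, "start_menu": "staff"})])
OU_LAB = Container("OU=Lab", [GPO("Lab-Kiosk", {"usb_storage": "enabled", "start_menu": "kiosk", "proxy": "none"})],
                   block_inheritance=True)

STAFF_CHAIN = [SITE, DOMAIN, OU_STAFF]
LAB_CHAIN = [SITE, DOMAIN, OU_STAFF, OU_LAB]

if __name__ == "__main__":
    for label, chain in (("staff", STAFF_CHAIN), ("lab", LAB_CHAIN)):
        settings, why = resultant_policy(chain)
        for k in sorted(settings):
            print(f"{label:5} {k:20} = {settings[k]!s:25} (from {why[k]})")
```

The provenance map is the part worth keeping when troubleshooting: a user in OU=Lab ends up with USB storage disabled even though the Lab-Kiosk GPO enables it, because the domain's Security Baseline is enforced, while the Lab's block on inheritance silently drops the wallpaper and proxy settings from above. Slide 33's "they had better be right" is about exactly this kind of interaction.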

  36. Combined Power of Group Policies and Active Directory
      • Enables written user/group policies to be easily implemented in software
      • Enables policies to be applied across whole domains:
        • and beyond, in trusted contiguous domains in the domain tree
        • or, using Kerberos, even across any non-contiguous domains in the same forest
