COMP3122 Network Management
Richard Henson, February 2012

Week 5 – Active Directory & Domain Security
• Objectives
  • Explain the essential features of a secure networked system
  • Use W2K3 group policies to implement network-wide security
  • Identify the weak links in a networked system and take steps to reduce/eliminate the possibility of unauthorised access
The Nature of Security within Networks
• Data held on a single workstation in an open office is unlikely to be truly secure
  • operating system itself may be secure…
  • still possible for the hard disk to be removed and the data extracted in a different environment!!
• Two protection issues to be addressed:
  • unauthorised system access
    • network configuration & monitoring
  • undesirable physical access
    • keeping people away… & locking it down…

Physical Security of the Network
• What to do with sensitive data
  • hold in an encrypted form
  • on a computer in a secure room
    • only network administrators can gain access
    • no chance of an outsider physically getting hold of the hard disk containing the data
  • in the highly unlikely event that an outsider/rogue insider did get hold of the data, they wouldn’t be able to make sense of it
• Data should also be backed up in another location in case of fire, earthquakes, etc.

Physical Security of Copied Data
• Typically on CD or memory stick
  • could also be removable hard disk
• Simple way to keep copied data secure:
  • password protection not enough…
  • use strong encryption over all files
  • previous, deleted data might still be accessible

Accessing Data on a Secure Computer
• Users should only be able to access organisational data via the network from the server
• Even then, potential physical & system vulnerabilities:
  • physical security of data as it travels along a cable
  • unauthorised access to downloaded data
    • at rest on the client machine
    • whilst being accessed by an authorised user
Vodafone (and how not to do network security…)
• On the first Monday of March 2011, 100,000 people couldn’t use the Vodafone network
  • thieves broke into the operator's Basingstoke exchange and stole their switches (i.e. routers)
  • the police were quickly notified
• Vodafone noticed its own network collapsing
  • assembled its "War Room", which is supposed to deal with network outages
• It took 12 hours to fix the problem…
  • why was such critical kit so vulnerable?

User Responsibility
• Fundamental rule of any network:
  • all users MUST bear responsibility for data they access
  • should enter a signed agreement when they get their logon
• To support this, network software should make sure that:
  • users have appropriate access through allocation to groups
  • user activities can be monitored and logged
  • sufficient auditing is undertaken to scrutinise the activity of individual users…

Accessing Data on a Secure Computer
• Typical user errors:
  • giving other employees/outsiders their password
  • using an easily guessed password
• Typical administrator errors:
  • leaving username on display after log off
  • not enforcing long (8 character min, inc. caps/lower, number, punct. mark) passwords
  • not ensuring that the downloaded data is physically no longer available once that user has logged off
Accessing Data on a Secure Computer
• Client machine MUST use an operating system that allows file/folder level security
• Suitable secure desktop file systems:
  • UNIX file system
  • NTFS
• Alternative is to use dumb terminals
  • no local storage
  • impossible to get at the electronic data from the client end

Accessing Data on a Secure Computer
• BUT even with a secure file system, other users could still see the screen!
• Even with no local storage:
  • the data will be displayed on a screen
  • with poor user technique:
    • data could even be left on the screen
    • the screen contents could be photographed by someone…
• Answer:
  • use screen savers that cut in very quickly when a mouse button is not being clicked

Printing or Emailing Accessed Data
• If someone has security rights to access the data, they will also be able to:
  • print it out
  • email it to someone else
• Anyone with such rights must therefore be completely trustworthy…

How File Systems Manage Security (revision?)
• Several different levels of permissions
• Particular folder permissions allocated to groups of users, starting from the root, e.g.:
  • managers may have read, execute, and write
  • students may have read and execute only
• Files inherit the permissions of the folder that contains them
• Subfolders inherit the characteristics of the parent folder
• Inheritance can be overridden
Security Policy
• Responsibilities of network users and administrators need to be clearly defined as a matter of organisational policy
  • objective: ensure that AT ALL TIMES company data is only being accessed by an authorised user

Security Policies
• Define expectations for:
  • proper computer usage
  • procedures for preventing and responding to security incidents
• Can be imposed in two ways:
  • Local system policy
    • security policy file held on individual computers
  • Group policy
    • uses Active Directory to impose policy across the domain
    • not possible for computers running NT
    • not possible if partitions are formatted using FAT or FAT-32

Enforcement of Policy on Windows Networks
• Local system policy
  • security policy file held on individual computers
• Group policy
  • uses Active Directory to impose policy across the domain
  • not possible for pre-Windows 2000 operating systems
  • not possible if partitions are formatted using FAT or FAT-32
Security Template Files
• “one I prepared earlier…”
  • quicker to customise to needs than start over…
• Implementation of security policy on
  • individuals & groups on Windows networks
  • 600+ settings in Windows 2000, now many more…
• Stored as a text file (.inf)
  • predefined templates are “ready to use”, e.g.:
    • basic (default)
    • compatible (all applications still run)
    • secure
    • high (testing high security applications only)

Using Security Templates
• SAM (Security Accounts Manager) crucial to setting up user security:
  • controls security during logon process
• During logon, security templates imported into the relevant SAM of:
  • each individual computer (system policy)
  • the domain controller of a Windows domain (group policy)

Analysing/Changing Local Security
• Templates & SAM combine:
  • default security configuration of the local computer compared with a configuration imported from a template
  • configuration then changed to become like the template
• Changes to template settings achieved by:
  • GUI: Security Configuration and Analysis “snap-in”
  • or: command line tool (secedit.exe)

Implementing Policy
• Group Policy settings are really powerful
  • only administrators have access to manage these on a system or domain
• As with computer policy…
  • usually more convenient to edit an existing policy template than create a new one from scratch
Auditing Access to System/Network Resources
• Auditing: the process of tracking predefined events
• Many events can be tracked on a computer and computer network…
  • a record of each event is written to an “event file”
• Contents of a Windows network audit record:
  • Action
  • User
  • Success or failure
  • Additional info
    • e.g. computer ID where event occurred/failed

Access to Audit Entries
• All recent Windows systems are capable of recording a wide range of events
  • saved in Security Event Log
    • as a structured text file
• Contents easily viewed
  • service called Event Viewer
    • available from menus

The Importance of Audit
• Essential in the case of:
  • network failure
  • server failure
  • breach of security
• Extremely useful for troubleshooting:
  • what failed
  • what went wrong
  • finding whose username was used to hack into the system

What to Audit
• Audit files can grow very large, very quickly
  • only essential information should be stored
• Examples:
  • Account logon
  • Account management
  • Active Directory object access
  • Logon
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
Audit Policy
• Part of Information Security Policy
• Again, implemented through Group Policy
• Planning:
  • which computers need events auditing?
  • which events to audit?
  • whether to audit success or failure (or both!)
  • whether to track trends of system usage?
  • when to schedule review of security logs?
• Set up:
  • security template for Group Policy

“File object” resources that can usefully be audited
• “failure for read” operations
• success and failure for delete
• success and failure for:
  • change permissions
  • take ownership
• success and failure of all operations attempted by “guests” group
• file and folder access on shares

Auditing Access to Windows “print object” resources
• Reminder from last year…
  • Windows “printer” = printing management system
  • Print device = physical printer
• Auditing specified printers:
  • failure events for print operations on restricted printers
  • success and failure for full control operations
  • success events for delete so incomplete print jobs can be tracked
  • success and failure for change permissions and take control on restricted printers

Implementing an Audit Policy on a System
• Typical Policy Settings:
  • Password policy
  • Account Lockout policy
  • Audit policy
  • IP Security policy
  • user rights assignment
  • recovery agents for encrypted data
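The analyse-then-configure cycle with secedit.exe described earlier, combined with the password, lockout and audit settings just listed, as an added worked example (not from the lecture): a constructed security template is written to disk, the local machine is compared against it, and the template is then applied and re-exported for checking. Folder names and template values are assumptions for a lab machine; run from an elevated prompt.

```powershell
# Added example: build a minimal security template, compare the local machine
# against it with secedit /analyze, then apply it with secedit /configure.
# Paths and the template contents below are constructed for this example.

$work = Join-Path $env:TEMP 'comp3122-week5'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'lab-baseline.inf'
$db  = Join-Path $work 'lab-baseline.sdb'
$log = Join-Path $work 'secedit.log'

# Template sections: [System Access] carries password/lockout policy,
# [Event Audit] the audit policy. Audit values: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2
AuditProcessTracking = 0
'@ | Set-Content -Path $inf -Encoding Unicode

# 1. Analyse: import the template into a fresh database and report where the
#    live settings differ (mismatches go to the log; nothing is changed yet).
secedit /analyze /db $db /cfg $inf /overwrite /log $log /quiet
Get-Content $log | Select-String -Pattern 'Mismatch|Not Configured'

# 2. Configure: apply the security-policy area from the database to the machine.
secedit /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY /log $log /quiet

# 3. Verify: export the now-effective local policy and check a few settings.
$export = Join-Path $work 'effective.inf'
secedit /export /cfg $export /areas SECURITYPOLICY /quiet
Get-Content $export | Select-String -Pattern '^(MinimumPasswordLength|LockoutBadCount|AuditLogonEvents)'
```

On a domain member the exported values may differ from the template even after step 2, because group policy received from the domain controller overrides local policy, which is exactly the precedence the later slides describe.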
Local/Domain Security Policy
• Local:
  • available for all Windows 2000/XP/Vista/7 computers that are not domain controllers
• Domain:
  • local security settings still apply when users logged on locally
  • but may well be overridden by (typically) group policies received from domain controller(s), when logging on to the domain

Where IS Active Directory?
• On each domain controller…
  • Schema (database…)
    • replicated/updated frequently
  • exact directory used set during installation:
    • By default: <drive letter>\SYSVOL
    • group policy container (GPC) found here
• Group policy settings (known as GPT)
  • the list (a long one…) of settings for a particular group policy, saved as a text file (also in \SYSVOL, by default)

Policy Files & Tools for Editing Them
• Most important:
  • MMC (Microsoft Management Console)
    • control/administration of local policy/settings
  • GPMC (Group Policy Management Console)
    • control/administration of group policy objects

MMC
• Available via command line (type mmc)
• Create “console” files for system admin
  • user mode:
    • access existing MMC consoles to administer a system
  • author mode:
    • creation of new consoles or modifying existing MMC consoles
MMC “Security Configuration and Analysis” options
• “Analyse computer now”
  • full run-down of the current settings (i.e. settings for the local machine)
  • way of checking the “local policy”
• “Select local policies”
  • lists of settings in categories
    • e.g. security settings
      • large number of settings
      • control security aspects of local policy
      • each setting can be set to either enabled, disabled, or not configured

AD Group Policies
• Combine GPC and GPT
  • resultant settings that can be applied to users across a whole domain…
  • very powerful, so settings need to be appropriate
• Goes beyond “merely” controlling local registry settings…
  • can include file settings
  • and application settings…

Effects of Combining Policies on the User…
• Policies applied during logon
  • combined effect of e.g. groupA, groupB, and groupC for particular users will depend on the order in which they are applied to the local registry…
  • computer settings applied as well
• CAN GET VERY COMPLICATED!!!

Exploiting the Power of AD…
• The AD database covers all resources for the domain
• What about “enterprise networks”?
  • i.e. multiple domains in a “domain zone”
• Can group policies help control users across a domain zone?
  • each domain has its own AD “schema”/database
  • how can AD schemas interact to deliver user control across multiple domains?
Windows 2003 Server and Group Policy
• Administrators spent a lot of time setting up group policies for networks…
  • e.g. story of “Barking Eddie”
    • spent a whole two weeks manually documenting all the Group Policies for one company to fulfil their requirements
• Main improvement with Windows 2003…
  • Microsoft tried to make life easier for administrators
  • introduced tools and wizards to ease management

“Megatool”: GPMC (Group Policy Management Console)
• One of 2003’s best features…
  • “contains a rich variety of tools for creating, editing, observing, modelling and reporting on all aspects of Group Policy”
    • ref: Anas (2009) “Getting started with GPMC”
• Also unifies Group Policy management so a policy can be applied to domains across an AD forest

GPMC Integration of User Management Tools
• Administrators of earlier Windows networks needed multiple tools to do this:
  • Microsoft Active Directory Users and Computers
  • Delegation Wizard
  • ACL Editor
• Story of “Barking Eddie” (continued…)
  • overlooked the availability of GPMC with W2K3
  • when told what it could do…
    • he appeared crestfallen…
    • later said that with GPMC he could have set up those same group policies that took him two weeks… in half an hour…
GPMC Features
• WMI filtering mechanism allows application of policies:
  • to a particular machine (assuming enough disk space)
• Options to back up, restore, import, and copy Group Policy Objects
• Simplified management of Group Policy-related security
• Reporting for GPO settings and Resultant Set of Policy (RSoP) data

Using GPMC, Once Installed
• Available from MMC
  • Standalone Snap-in dialog box
• Creating a custom console including GPMC:
  • select the Group Policy Management option and click Add, then Close, then OK
• Several sample scripts available
  • found in the %ProgramFiles%\GPMC\Scripts folder
  • use cscript.exe to execute
  • ScriptingReadMe.rtf file in the scripts folder

Rolling Out a Group Policy
• Plan the managed network environment:
  • consider various common desktop management scenarios
  • try them out using Group Policy Management Console
• Design a Group Policy infrastructure
  • if domain tree, policies from one domain can be applied to another…
• Deploy Group Policy, including Security Policy
  • is that what was anticipated?
  • rework as necessary…
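The GPMC backup and reporting features from the previous slide, driven through the same scripting interface the sample scripts use, as an added example that is not one of Microsoft's scripts: every GPO in a domain is backed up with a comment and an HTML settings report is written next to it. The COM member names (GPMgmt.GPM, GetDomain, SearchGPOs, Backup, GenerateReportToFile) are taken from the GPMC scripting interface as I know it and the domain name and folder are placeholders; the ScriptingReadMe.rtf mentioned above documents the same calls.

```powershell
# Added example: use the GPMC scripting object (GPMgmt.GPM, installed with
# GPMC) to enumerate, back up and report on all GPOs in one domain.
# Assumptions: GPMC is installed and the caller can read the GPOs.

$domainName = 'lab.example'                  # placeholder domain name
$backupDir  = 'C:\GPOBackups\' + (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$gpm    = New-Object -ComObject 'GPMgmt.GPM'
$consts = $gpm.GetConstants()
# Third argument selects the domain controller; UseAnyDC lets GPMC choose.
$domain = $gpm.GetDomain($domainName, '', $consts.UseAnyDC)

# An empty search-criteria object matches every GPO in the domain.
$gpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())

foreach ($gpo in $gpos) {
    $stamp = "{0} ({1}) modified {2}" -f $gpo.DisplayName, $gpo.ID, $gpo.ModificationTime
    Write-Host "Backing up $stamp"

    # Backup returns a GPMResult; its Status collection holds any non-fatal problems.
    $result = $gpo.Backup($backupDir, "Week 5 lab baseline: $stamp")
    foreach ($s in $result.Status) { Write-Warning $s.Message }

    # The settings report is the same data GPMC shows on a GPO's Settings tab.
    $reportFile = Join-Path $backupDir "$($gpo.ID).html"
    $gpo.GenerateReportToFile($consts.ReportHTML, $reportFile) | Out-Null
}
Write-Host "Backups and reports written to $backupDir"
```

Keeping dated backups like this is what makes the "rework as necessary" step of a rollout safe: a GPO whose combined effect turns out wrong can be restored from the backup folder through GPMC.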