1 / 42

COMP3123 Internet Security

COMP3123 Internet Security. Richard Henson University of Worcester October 2011. Week 4 Access Controls: Network Directories & the PKI. Objectives: Explain the components of a network directory service

naasir
Download Presentation

COMP3123 Internet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COMP3123 Internet Security Richard Henson University of Worcester October2011

  2. Week 4 Access Controls: Network Directories & the PKI • Objectives: • Explain the components of a network directory service • Explain how the use of security policies can help prevent network internal security breaches • Analyse Windows active directory and compare it with an x500 standard service • Prepare a Windows active directory tree with two contiguously named domain controllers

  3. “Network Directories” • Directories not to be confused with “folders”… • generally a data store that changes only infrequently… • e.g. a telephone directory • to avoid confusion, computer-based directories also called “repositories” • Lots of different “network databases” have evolved on the web • not a good idea! • often contain approx. the same info... • Problem: one updated, all should be • but unlikely in practice unless a managed solution

  4. Meta-Directory • Simple idea of putting all information about any one entity or object in one place… • information about those entities and objects can then be presented in a consistent way • simplifies collection and distribution of info on an Intranet covering the whole organisation • Examples of Directory-enabled applications • enforce network policies! • across the network • between networks • digital signature verification • remote dial-in access authorization • signing in to a network

  5. Network Directories & the PKI • Needs to avoid multiple-directories problem… • Solution: • use the meta directory approach • provide digital certificate information on the web as a “directory service” • use LDAP applications to directly access that info

  6. Distributed Directory • Another way of keeping entity information consistent if it does need to appear in multiple locations • entry may appear in multiple directories • e.g. one for each email system (if more than one) • e.g. one for gaining access to the network by logging on • Paper-based equivalent – series of telephone directories each covering a clearly define area • collectively cover a wide geographical region • serve a variety of purposes • all part of the same system for communication • Regular directory synchronisation essential for maintaining consistency of information

  7. Development of Internet Directories and IESG • IESG (Internet Engineering Steering Group) provides technical management of IETF activities • As approp, translate RFC proposals into RFC standards • Procedure: • draft RFC submitted • if accepted: IESG elevates it to RFC “draft” status • RFC then given consideration as a standard… • draft RFC eventually may become a true Internet standard • Example of successful evolution: x500 -> LDAP

  8. X500 Architecture • Internet database based on the OSI model • RFC 1006 • allows OSI applications to run over an IP network • Full X500 Architecture: • DMD (directory management domain) • DSA (directory system agent) • DUA (directory user agents) • DIB (directory information base – object oriented!) • e.g.: a directory service database • DIT (directory information tree) • e.g.: Windows 2000 Active Directory

  9. X500 Protocols • DAP (Directory Access protocol) • DSP (Directory System protocol) • DISP (Directory Information Shadowing Protocol) • DOP (Directory operational binding management protocol) • Collectively, these protocols give X500 a wide range of functionality, but the structure is cumbersome…

  10. Simplifying X500 - LDAP • Known as Lightweight Directory Access Protocol • Thanks to University of Michigan Researchers, early 1990s • gave up on the complexities of X.500 • came up with a scheme that: • retained the X.500 directory structure • gave it a streamlined access protocol based on standard TCP/IP instead of ISO • Other improvements: • pared-down referral mechanism • more flexible security model • no fixed replication protocol

  11. Microsoft and x500 • In 1996, Microsoft launched version 4 of its mailserver software, Exchange • Designed also to provide the infrastructure to enable DAP clients to access Microsoft Exchange directory service information… • client served as an X.500 DAP client to DAP-compliant directories • e.g. U.S. Government Defense Messaging System (DMS) • Also designed to manage table entries efficiently using a new obj oriented database engine called ESE (Extensible Storage engine)

  12. Microsoft and LDAP • Microsoft wanted to use X500 in its directory service planned for next version of NT • Like Michigan Uni, found X500 cumbersome, and adapted LDAP • Supporting the Open Directory Services Interface (ODSI), Microsoft helped build a PKI service provider (Verisign) that supports the LDAP protocol • allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces • Microsoft Exchange Server 4 supported LDAP • Internet Explorer supported LDAP from v4 onwards

  13. LDAP, ESE, and Active directory • Windows 2000 “active directory” service was a successful commercial roll out of an X500 compliant directory service • used LDAP… • also used (uses) ESE to manage data tables • and DNS to integrate with www locations • Next version of Microsoft Exchange also used the ESE/LDAP/DNS combination…

  14. Directory Services and “Active Directory” • Active Directory has just one data store, known as the directory • Stored as NTFS.DIT • where does “.dit” originate from? • distributed across ALL domain controllers (dcs) • links to objects on/controlled by each dc • changes automatically replicated to all dcs • Contains details of: • stored objects • shared resources • network user and computer accounts

  15. Directory Services and Domain Trees • Active Directory logically links domains together • very useful for networks with more than one domain • each domain is identified in the directory by a DNS domain name • Multiple domains with contiguous DNS domain names, make up adomain tree • if domain names are non-contiguous, structures form separate domain trees

  16. “Trust Relationships” between (legacy) NT Domains • Account authentication between domains was first established in the Windows NT architecture • Allowed users and computers can be authenticated between any domains • Problem: Windows NT trust relationships were isolated and individual

  17. Active Directory Trust Relationships • Automatically created between adjacent domains (parent and child domains) in the tree • users and computers can be authenticated between ANY domains in the domain tree • So how does this all work securely in practice, across an entire enterprise????

  18. Access to Network Resources and Security Controls • The set of security mechanisms used to define what a user can access after logging on to a secured environment • enforce “authorisation” • “identification” and “authentication” may also be associated with logging on • Effect includes: • access to systems & resources • interactions users can perform

  19. Mechanism of Access ControlIn Windows • User management level: • pre-defined Groups for Users to belong to • control of file and service access permissions • trusted relationships across domains • Translated down to system level by… • System Policies and Group Policies • Control of user and system desktop settings

  20. Control of End User and System Settings • In Windows, ultimately, controls user access through the local Windows registry • first made available to simplify configuration in Windows 95 • effectively replaced CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI and WIN.INI by a single structure • all settings saved into a hierarchical data file called SYSTEM.DAT • Principles later extended to networks…

  21. The local registry and Windows networks • Like Windows 95, Windows NT v4 allowed system and user settings to be configured locally by registry overwrite files • However, it also made it possible for files within a network to overwrite the local registry as well… • facility available on any Windows client machine that used a Windows registry

  22. What is The Registry? • Five basic subtrees: • HKEY_LOCAL_MACHINE : local computer info. Does not change no matter which user is logged on • HKEY_USERS : default user settings • HKEY_CURRENT_USER : current user settings • HKEY_CLASSES_ROOT : software config data • HKEY_CURRENT_CONFIG : “active” hardware profile • Each subtree contains one or more subkeys

  23. Editing Registry Settings • Generally…. DON’T!!! Contents of the registry should not be changed in any way unless you really know what you are doing!!! • Special tools available e.g. REGEDT32 for those with experience: • used to edit local registry settings on Windows NT systems • Bearing in mind, however, that registry settings can also be overwritten in memory by data downloaded across the network…

  24. System Policy File • Consists of a collection of registry settings • Can apply different system settings to a computer, depending on the user or group logging on • Can overwrite: • local machine registry settings • current user registry settings • Should therefore only be used by those who know what they are doing!!!

  25. System Policy File • NTCONFIG.POL • provides a list of desktop settings, and therefore can be used to control aspects of appearance of the desktop • held on Domain Controllers • read during logon procedure • Different NTCONFIG.POL files can be applied to: • groups • users • computers

  26. What is a Security Policy? • A set of rules and procedures that state the access rights and privileges of a particular user/group of users • Should also: • confirm the identity of the people that are attempting to access the network • prevent imposters from accessing, stealing, or damaging system resources

  27. Implementation of Security Policy • Intention: • create a computing environment that provides users with all of the information and resources they need to be successful • protect the information and resources on the network from damage and unauthorized access

  28. Group Policy in Windows 2000 (and subsequent) Networks • Group Policy settings • define access to local and network resources from the user's desktop environment: • e.g. Startmenu options • provide access to programs/resources that user needs to use • Group Policy Objects • used with authenticated users to enhance flexibility and scalability of security beyond “domains”, and “NT trusted domains” • trust achieved through: • Active directory – establishment of “trees” • Kerberos authentication

  29. Implementation of Group Policy Objects • Group Policy objects are EXTREMELY POWERFUL… • contain all specified settings to give a group of users their desktop with agreed security levels applied • template editing tool available as a “snap-in” with Windows 2000 • creates a specific desktop configuration for a particular group of users • The GPO is in turn associated with selected Active Directory objects: • Sites • Domains • organizational units

  30. Combined Power of Group Policies and Active Directory • Enables written user/group policies to be easily implemented in software • Enables policies to be applied across whole domains: • beyond in trusted contiguous domains in the domain tree • or even across any non-contiguous domains in the same forest • Because Active directory is x500 compliant, all the principles of directory services apply

  31. Authentication Factors • Classified as type 1, type 2, or type 3: • Type 1: Knowledge based (what user knows) • information provided based on unique knowledge of the individual being authenticated • Type 2: Token based (what user has/does) • information comes from a token generated by a particular system • token is tied in some way to the user logging on • generally not considered a good idea on its own because someone else could have stolen/copied it • Type 3: Characteristic based (what user is) • biometric data from the person logging in

  32. One time Passwords (OTP) • Can only be used once… • If user gets it wrong, becomes invalid… • locked out • has to contact administrator to reset • Implemented as a type 2 factor • password characters randomly generated • If used properly… • very secure indeed • problem: degree of randomness…

  33. Single Sign On (SSO) • Logon once… • authenticated for all servers in that environment • More a convenience matter than a security issue • only one set of authentication factors needed • single username/authentication factor database covering all servers • SOME very secure environments have dropped SSO in favour of separate logon for each server • arguable whether this is necessary but avoids the “all eggs in one basket” argument

  34. Password Administration • Three aspects: • Selection • should be a company IS policy that includes choice of password • generally no. of characters is a good match with strength – the higher the better • Management • selection & expiration period must comply with policy • Control • policy should be enforced by the network itself • usually achieved through use of “group policies”

  35. Access Control Techniques • Discretionary (DAC) • access to files/resources controlled by administrator • Achieved through ACLs (Access Control Lists) • consist of ACEs (Access Control Entries) • the granting of access can be audited • Mandatory (MAC) • access dependent on rules/classifications • classification dependent on security clearance levels • hierarchical or compartmentalised, or hybrids

  36. Remote Logon and Kerberos Authentication • KDC can maintain a secure database of authorised users,passwords & domain names maintained throughout an active directory domain tree using Kerberos V5 security protocol • uses strong encryption • freely available from its inventor, MIT • Active Directory + Kerberos = Very Powerful combination • can even be used to authenticate across mobile & wireless networks

  37. Components of “Enterprise wide” Login with kerberos authentication • Active Directory tree logical connects and “trusts” servers throughout the enterprise • Servers in their turn control access to users within domains • Group(s) selected during the user authentication process • Group Policy Objects invoked which rewrite registry settings and control client desktops

  38. How much security should be applied to domain users? • General rule: don’t give a user more rights than they actually need • Think carefully… • identify security privileges appropriate to different types of user • create a group based on each type of user • Allocate each new user to an appropriate group • automatically will have appropriate access rights…

  39. Users, Groups, Security, and NTFS partitions • Any file or folder on an NTFS partition will have file permissions imposed • Typical permissions: • No Access • Read only • Read and Execute • Write • Modify • Ownership/Full Control • Much wider range of permissions available

  40. Point for debate: is “read only” access dangerous? • If information held on server, and accessed by dumb terminals… • secure enough! • this was the case in the days of centralised networks with no distributed processing • With client-server networking, read only means “the user can take a copy” • is this dangerous, from an organisational security point of view?

  41. What if the network goes wrong? Accountability • The broad security concept of being able to hold a human to account for their actions using … • a strong authentication environment so one user cannot masquerade as another • strict imposition of “least privilege” • regular monitoring of the network environment • rigorous inspection of audit logs

  42. What if the network goes wrong? Auditing • Essential component of security monitoring • A network can generate lots of data on a wide variety of network functions and results they return • this is readily customisable to focus on, for example, the behaviour of particular users or resources • data normally saved as timestamped .log files • audit files help to ensure accountability for user behaviour

More Related