450 likes | 533 Views
COMP2221 Networks in Organisations. Richard Henson April 2013. Week 9: Closer look at Active Directory. Objectives Explain new security features brought in with active directory Apply secure file system principles and active directory to controlling access for groups of network users
E N D
COMP2221Networks in Organisations Richard Henson April 2013
Week 9: Closer look at Active Directory • Objectives • Explain new security features brought in with active directory • Apply secure file system principles and active directory to controlling access for groups of network users • Apply active directory group policies across one/more domain using active directory
The Active Directory “store” • Global Catalog • stored as file NTFS.DIT when the first domain controller is created • distributed across alldomain controllers • covers all “objects” on domain controllers • e.g. shared resources such as servers, files, printers; network user and computer accounts • directory changes automatically replicated to all domain controllers
Group Policies and Network Access • Active directory controls access to all network resources • Achieved through giving the right users the right group policies • How can the network administrator know what policies to allocate to which user(s)… • groups must have appropriate settings
Managing Group Policy • Group Policy Management Console (Windows 2003 onwards…) • Applies principles of MMC (Microsoft Management Console) to managing group profiles • particularly useful for testing/viewing the resultant profile of interaction between several group profiles in a particular order
Security Features of Active Directory (1) • SSL (secure OSI level 5) • for e-commerce… • Internet Information Server (IIS) supports websites accessible only via https/SSL • LDAP over SSL • LDAP important for internet lookup • used with secure sockets layer (SSL) for checking server credentials for extranet and e-commerce applications
Security Features of Active Directory (2) • Transitive Domain Trust • default trust between contiguous Windows domains in a domain tree • greatly reduces management overhead
Security Features of Active Directory (3) • Kerberos Authentication • authentication of users on remote domains not part of the same DNS zone • Smart Card Support • logon via smart card for strong authentication to sensitive resources
Protecting Local Passwords • More sophisticated challenge-response encryption (NTLMv2) was available to all systems from Windows 2000 on… • until Vista arrived this was turned off by default • for “compatibility reasons” • nnless NTLMv2 enabled, passwords on XP systems easy to “hack” with right tools (!) • Any client network user should make sure this password protection feature is turned on… • can be added for domain users through group policy
Active Directory and “controlling” Users • “Groups” already well established for managing network users • Active directory centrally organised resources including all computers • allowed groups to become more powerful for user management • exploited by enabling the organisation of users and groups of users into: • organisational units • sites • domains
Managing Domain Users with Active Directory • Same user information stored on all domain controllers • Users can be administered at or by secure access to administrator on any domain controller for that domain • flexibility but potential danger!
Making Sure Users don’t get the Administrator Password! • File security assumes that only the network manager can log on as administrator • but if a user can guess the password… (!) • Strategies: • rename the administrator account to something more obscure • only give administrator password to one other person • change administrator password regularly
How AD Provides Security • Manages which “security principal(s)” have access to each specific resource • i.e. users, computers, groups, or services (via service accounts) • each has a unique identifier (SID) • Validates the authentication process… • for computers, at startup • for users, at logon
More about the SID • The SID (Security ID) comprises: • domain ID • common to all security principals within the domain • unique relative identifier (RID)
Access Tokens • Generated when a user logs on to the network • Contains: • user’s SID • SIDs for each group to which the user is a member • assigned user rights or privileges as a result of processing the IDs in the specified order
ACE (Access Control Entries) • Each object or resource has an access control list (ACL) e.g. • objects and their properties • shared folders and printer shares • folders and files within the NTFS file system • ACEs contained within ACL • protects resource against unauthorised users
More on ACLs • Two distinct ACLs each object or resource: • discretionary access control list (DACL) • list of the SIDs that are either granted or denied access and the degree of access that is allowed • systems access control list (SACL) • list of all the SIDs whose access or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed
Mechanism of AD security • Users are usually assigned to several groups • When a user attempts to access a directory object or network resource… • the security subsystem… • looks at the SID for the user and the SIDs of the security groups to which the user is a member • checks to see whether it/they match the security descriptors assigned to the resource • If there is a match… • user is granted the degree of access to the resource that is specified in the ACL
Power of Group IDs in Policy-based Security • Group Policy… • allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources • allows security & usage policies to be established separately for: • computer accounts • user accounts • can be applied at multiple levels: • users or computers residing in a specific OU • computers or users in a specific AD site • an entire AD domain
Active Directory and Group Policy • Power of Group Policy: • allows network administrators to define and control the policies governing: • groups of computers • groups of users • administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory Domain Tree
Monitoring Group Policy • Policies, like permissions, are ADDITIVE • watch simulation… (AGAIN!) • Windows 2000 policies • need to assess which specific cumulative set of policies were controlling the environment for a specific user or computer • Windows 2003 GPMC • tracking and reporting the Resultant Set of Policy (RSoP): • net effect of each of the overlapping policies on a specific user or computer within the domain
Extending User/Group Permissions beyond a domain • Possible for user permissions to be safely applied beyond the local domain • so users on one network can gain access to files on another network • authentication controlled between servers on the local and trusted domains • Normally achieved through “adding” groups from a trusted domain • NOT the same as “remote logon” • needs special username/password authorisation…
Enterprise Networks • Multiple Domains in a tree • Transitive Domain Trust • Single enterprise administrator • “enterprise admin” • greatly reduces management overhead
Managing Users & Their Profiles • Once they get the hang of it, users save all sorts of rubbish to their user areas • may well include lots of downloaded web pages and images • Problem! • 5000 users • each user takes 1 Gb of space... • total disk space required is 5000 Gbytes!
Managing User Profiles • Windows 2003 Server “Disk Quotas”: • allows administrators to track and control user NTFS disk usage • coupled with Group Policy and Active Directory technology • easy to manage user space • even enterprise-wide… • users find this irritating but stops them keeping data they’re never likely to use again…
User Rights • Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software) • operating system can enforce this • Users SHOULD: • have access to basic software tools • NOT be denied on the grounds that the software could be misused… • c.f. no-one is allowed to drive a car because some drivers cause accidents!
Controlling/Monitoring Group Policy across Domains • AD across a distributed enterprise… • “enterprise” administrators have the authority to implement and alter Group Policies anywhere • important to manage and restrict their number... • Enterprise admins need to inform domain admins: • what has changed • when it changed • the implications of the change for directory and network operations… • Otherwise… • a change to Group Policies affecting a domain might occur with distastrous consequences
Network Threats, Vulnerabilities, and Attacks • Protection implemented should relate to the IMPACT if the threat became a reality • i.e. the value to the enterprise of the information or operation that would be compromised • Example: • most networks probably wouldn’t need or want to implement fingerprint and retinal scanning to control access to the average user’s workstation • might, however, want to implement smart cards to control access to critical domain controllers
Threat • Someone or something that has the capability or potential to compromise the security of a directory, network, or information • Three factors involved: • Motive • Method • Opportunity • Threats do not involve people and do not have motive e.g. : • fire • flood
Threat (2) • ANY action by a user, condition, or process that has the potential to disclose, damage, or disrupt operations or information: • attempted unauthorized entry into your network • fire that breaks out in the building that houses the network servers • virus that attempts to corrupt or delete needed information are all examples of viable threats to the security of the directory and the network • people internal to the organization! • internal threats more threatening than external ones!!!
Vulnerability • Any weakness in security that provides an opportunity for an attack and that, by its utilization, can allow an attack to succeed • Could be: • software • hardware • social or physical environment • Requires constant vigilance on many fronts • e.g.: if running Windows on servers, the latest service pack and patches needed • requires monitoring Microsoft Web site for updates
Attack • Any action by a user or software process that, if successful, results in the disruption, disclosure, or damage to enterprise information, services, or operations • Shares the characteristics of motive, method, and opportunity: • assume the intent on the part of the attacker to deliberately be: • attempting to damage or steal information • disrupt operations • uses or exploits the directory to gain access to or deny service from the directory or network resource
User-Based Attacks • Most common source of attacks are those initiated by people: • anonymous users attempting external penetration of the enterprise network • an authenticated user working from inside the network • Can be either of: • physical attacks on the equipment supporting the directory or network • e.g. stealing/damaging equipment or physical network itself • based on using the network or directory environment • anonymous users, authenticated users, or even administrators
Threat: Anonymous Users • Usually attempts to use vulnerabilities in the network, service, or application software • e.g. via scanning tools • e.g exploiting a well-known but not patched error condition • when a known vulnerability is patched, the software update usually provides a description of the weakness, providing all the information needed to hack • therefore critical to stay on top of released patches and security updates…
Exploitation of LDAP • LDAP spec known at all • defined through RFC • An anonymous user might be able to use LDAP to: • flood domain controllers with lookup queries • read domain information • identify user account security policies • find account names and SIDs • identify shares on domain computers
Thwarting DoS attacks • SOME anonymous attacks can be mitigated by tightening security settings • Further action against anonymous DoS attacks: • monitoring domain controllers for unreasonably high levels of LDAP queries • renaming default file shares such C$, D$, etc. and renaming the administrator account
Threat: Authenticated Users • Examples: • spoofed-account access (via hacking/cracking tools) • illicit use of a valid account (obtained through some social engineering scheme) • valid user who has decided to attack information, services, or operations for some personal or professional reason
Headache for administrators: • Accounts have legitimate access to a range of resources and information • More difficult to detect the attacks • Can validly start processes that will have the effect of creating DoS conditions by consuming inordinate amounts of service resources • flood of LDAP queries or connections • filling disk space (for example, storing many extremely large objects in the directory)
Threats: Administrators • Network Administrators themselves…. • potentially HUGE threats to the directory, network, & enterprise information accessible via the network…. • must always be a highly responsible/accountable job • Threat could be • “spoofing” an administers account • an account with invalidly elevated privileges • a trusted administrator who has for some reason decided to attack the directory or network…
Administrators & associated personnel… • Not just administrators… • Accounts with some administrative rights can: • modify permissions on objects within their scope • enable accounts to be trusted for delegation • change passwords on other user accounts to be used for further (spoofing & repudiation) attacks • change security settings causing DoS conditions
Security Precautions (1) • Monitoring, analysis, responsiveness to anomalies in authenticated users permissions allocated by default • a massive amount to monitor… • need to prioritise • and/or use SIEM tools • analysis will detect anomalies • quick response will minimise the damage…
Security Precautions (2) • What to monitor… • members of sensitive security groups & determine sensitive account information (names, addresses, phone numbers, password, etc…) • How to analyse… • discover linkage of Group Policies • identify sites • identify the OSs of the domain controllers • discover and disclose much additional information stored in the directory • read most objects in the directory
Software-Based Attacks • The whole AD forest and domain directory structure are based on the schema • any software application that corrupts the schema could: • compromise the entire directory • make the enterprise network inoperative • Automated attacks via viruses or worms that might “accidentally” affect the schema could have a damaging or disruptive effect on AD
Email attachments • HUGE risk • user education doesn’t seem to stop people from opening every attachment that shows up in their inboxes • Can users be trusted? If not • a whole messaging system can be configured to block, or at least scan, all attachments • additional measures can be adopted, such as: • turning off preview panes that automatically display messages • converting HTML mail to plain text • blocking email clients from accessing the Internet
Environment-Based Attacks • Damage or destruction to the server hardware (via fire, flood, tornado, hurricane, lightning, etc) • could potentially render the AD environment inoperative (strict backup and restoration procedures are vital) • Consistent threat across platforms • disaster preparedness and recovery plans MUST include provisions for offsite data backups • make sure that the backups are actually taken offsite • consider a secondary physical site that is ready to go in case the worst happens