ACTIVE DIRECTORY AUTHENTICATION AND SECURITY
Part Four
Prepared by Computer Engineering Technology Dept.
References: http://www.pbcc.edu/faculty/horvathe/AD/
Security Principals
  User object
  inetOrgPerson object
  Computer object
  Security group object
  Each has an SID:
    Windows security subsystem uses it to identify security principals
Security Identifiers
  Stored as an attribute with a binary value
  Specifies the SID of the user object
  Unique value used to identify the user as a security principal
  Number of formats:
    Hexadecimal notation
    Security Descriptor Definition Language (SDDL)

Security Descriptor Definition Language (SDDL)
  Begins with S
  Followed by three to seven numbers:
    Separated by hyphens
    First number is the revision level of the SDDL format
    Next is the identifier authority
    Next is the subauthority identifier
  Well-known SIDs:
    Identify certain users or groups
    Recognized by the OS
Domain and Relative Identifiers
  Domain identifier
    Calculated when the domain is created
    Three 32-bit numbers
    Guaranteed to be unique
  Relative Identifier (RID)
    32 bits
    Identifies the object within the domain
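The SDDL string, binary and hexadecimal forms of a SID, and the split into domain identifier and RID, worked as an added example (not part of the original slides). The sample SID, the layout of the binary form and the small RID table are my assumptions; the domain value is constructed.

```python
import struct

# Constructed sample: a domain account SID. RID 512 is the Domain Admins group.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-512"
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

def parse_sid(text):
    """Split an SDDL SID string into (revision, identifier authority, [subauthorities])."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not an SDDL SID string: %r" % text)
    nums = [int(p) for p in parts[1:]]
    return nums[0], nums[1], nums[2:]

def sid_to_binary(text):
    """Binary form the directory stores: revision (1 byte), subauthority count (1 byte),
    48-bit big-endian identifier authority, then each subauthority as little-endian 32 bits."""
    rev, auth, subs = parse_sid(text)
    if len(subs) > 15:
        raise ValueError("too many subauthorities")
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def binary_to_sid(blob):
    """Inverse of sid_to_binary: what you apply to the raw attribute bytes to get the S-... string."""
    rev, count = blob[0], blob[1]
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])

def split_domain_and_rid(text):
    """Domain accounts look like S-1-5-21-<a>-<b>-<c>-<RID>: the three 32-bit numbers
    after 21 are the domain identifier, the final subauthority is the RID."""
    rev, auth, subs = parse_sid(text)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % text)
    domain = "S-%d-%d-21-%d-%d-%d" % (rev, auth, subs[1], subs[2], subs[3])
    return domain, subs[4]

def describe(text):
    """Summary of a domain SID: the domain it belongs to and what its RID denotes."""
    domain, rid = split_domain_and_rid(text)
    return {"domain": domain, "rid": rid, "name": WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)}

if __name__ == "__main__":
    raw = sid_to_binary(SAMPLE_SID)
    print(raw.hex())                      # the same SID in hexadecimal notation
    print(binary_to_sid(raw), describe(SAMPLE_SID))
```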
Access Tokens
  Contains several important pieces of information:
    User's SID
    SID for every group of which the user is a member
  Security subsystem:
    Examines the user's access token
    Determines if the user, or one of the groups of which the user is a member, has access to the resource
  Generated based on the authentication protocol used
  Use the whoami command to view the access token
Permissions and Rights
  Used to control access on a system
  Permissions
    Rules associated with an object
    Define which users can gain access to the object
    Define what actions users can perform on the object
  Rights
    Define what tasks or operations a user can perform on a computer system or domain
Active Directory Authentication
  Authentication methods used in Windows Server 2003:
    NT LAN Manager (NTLM)
    Kerberos
NTLM Authentication
  Supported for backward compatibility
    For Windows NT 4.0 client computers
  Not the primary means of authentication in Windows Server 2003
  Based on an older authentication protocol called LAN Manager

NTLM Authentication Example
NTLM Issues
  Each time a user wants to access a resource, the user must be reauthenticated by a domain controller
  Only provides client authentication
  Easy to capture the NTLM challenge and use hacking tools to discover the password
Kerberos Authentication
  Default protocol for network authentication for all Windows Server 2003 computers
  Components:
    Security principal requesting access
    Key Distribution Center (KDC)
    Server holding the resource or service being requested
Kerberos Authentication (continued)
  KDC services:
    Authentication Service
    Ticket-granting Service
  Authentication Service
    Ticket-granting ticket (TGT)
      Issued to the user when first authenticated during a successful logon
      Allows the user to request session tickets

Kerberos Authentication (continued)
  Authentication Service
    Ticket-granting ticket (TGT) is valid for 10 hours
  Ticket-granting Service
    TGT is submitted to the Ticket-granting Service on the KDC
    Sends two copies of the session ticket back to the user's machine
Kerberos in Action
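The exchange the Kerberos slides describe (AS issues a TGT at logon, TGT valid 10 hours, TGS returns two copies of the session ticket), as an added simulation that is not part of the original deck. The sealing scheme is a toy stand-in for Kerberos encryption types, and the user, password and service names are constructed; the KDC's copy of the service key is used to play the server's side.

```python
import hashlib, hmac, json, os

TGT_LIFETIME = 10 * 3600  # the deck: a TGT is valid for 10 hours

def _xor_stream(key, nonce, data):
    # Toy counter-mode keystream from SHA-256; stands in for Kerberos' real encryption types.
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest(); ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # Encrypt-then-MAC: a ticket is unreadable and unforgeable without the key it was sealed under.
    nonce = os.urandom(16); ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("not sealed under this key")
    return json.loads(_xor_stream(key, nonce, ct))

class KDC:
    def __init__(self, passwords):
        self.keys = {p: hashlib.sha256(pw.encode()).digest() for p, pw in passwords.items()}  # long-term keys
        self.krbtgt = os.urandom(32)  # known only to the KDC; every TGT is sealed under it
    def authentication_service(self, user, now):
        # AS: at logon, issue the TGT plus its session key readable only with the user's key.
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": now + TGT_LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk})
    def ticket_granting_service(self, tgt, authenticator, service, now):
        # TGS: check the TGT and authenticator, then return two copies of the session ticket.
        t = unseal(self.krbtgt, tgt)
        if now > t["exp"] or unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise PermissionError("expired TGT or bad authenticator")
        svc_sk = os.urandom(32).hex()
        for_server = seal(self.keys[service], {"user": t["user"], "sk": svc_sk})       # copy 1
        for_client = seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "service": service})  # copy 2
        return for_server, for_client

def logon_and_access(kdc, user, password, service, now):
    # Client: one AS exchange at logon, then a TGS exchange per service (password never resent).
    user_key = hashlib.sha256(password.encode()).digest()
    tgt, enc_sk = kdc.authentication_service(user, now)
    sk = bytes.fromhex(unseal(user_key, enc_sk)["sk"])  # wrong password -> PermissionError
    for_server, for_client = kdc.ticket_granting_service(tgt, seal(sk, {"user": user}), service, now)
    svc_sk = unseal(sk, for_client)["sk"]
    ticket = unseal(kdc.keys[service], for_server)  # server opens its copy with its own key
    return ticket["user"], ticket["sk"] == svc_sk
```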
Down-level Client Authentication
  Older clients referred to as down-level clients
    Pre-Windows 2000
    Create a security concern
  Directory Services Client
    Available as an add-on component for Windows 95/98
    Enables these clients to use NTLMv2 on a Windows 2000/2003 network
Two-factor Authentication
  Factors that help identify you for authentication:
    Something you know
    Something you have
    Something you are
  The more of these factors used, the more secure the resource is
  Increase the security of a network or computer system by introducing a second factor
    Called two-factor authentication
Public Key Infrastructure for Authentication with Smart Cards
  Active Directory supports the use of smart cards
    Part of a Public Key Infrastructure (PKI)
  Cryptography terms:
    Symmetric keys
    Public key cryptography
    Private/public key pair
    X.509 digital certificate
Public Key Infrastructure for Authentication with Smart Cards (continued)
  Use Active Directory as a repository for X.509 certificates
  Smart card:
    Provides nonvolatile memory
    Stores the owner's certificate and private key
    Small amount of computing power to perform the encryption and decryption requiring the private key on the card itself
Public Key Infrastructure for Authentication with Smart Cards (continued)
  Use smart cards and certificates to increase the security of the Windows authentication process
    System uses the user's private key
    KDC employs the public key of the user to decrypt it
  Can configure the domain to require smart cards for logons:
    Can make them optional
    Require them for some users, but not others
Active Directory Authorization
  Used to determine what actions a user can or cannot do
  Discretionary access control list (DACL)
    Defined as: an access control list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object
Discretionary Access Control List (DACL)
  Associated with resources
  List of access control entries (ACEs)
    Each specifies a "who" and a permission
    Can be very specific
    Allow or deny access
  If no match is found between the access token and the DACL
    Access is not permitted
Discretionary Access Control List (DACL) (continued)
  Most access control entries allow access
  Deny ACEs are used to change the effect of permissions that a user would otherwise have as a member of a group
  Owner of an object can always gain access to the object by resetting its permissions
    Owner of most Active Directory objects is the Domain Admins group
Inheritance
  Permissions can be inherited from parent objects
    Referred to as inheritance
  Each ACE is marked to indicate whether it is directly applied or inherited
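How the access token is matched against a DACL, covering the three DACL and inheritance slides above (ACE ordering, deny overriding a group allow, implicit deny when nothing matches, the owner resetting permissions, and the inherited flag), as an added example that is not part of the original deck. The access-mask bits, the SIDs and the sample OU are constructed; only WRITE_DAC is modelled as the owner's implicit right.

```python
# Access-mask bits (constructed subset; real Windows masks carry more bits).
READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8

def ace(kind, sid, mask, inherited=False):
    """One ACE: allow or deny, a 'who' (SID), a permission mask, and the inherited flag."""
    assert kind in ("allow", "deny")
    return {"type": kind, "sid": sid, "mask": mask, "inherited": inherited}

def canonical_order(dacl):
    """Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    Evaluating in this order is what lets a deny trim a group-derived allow, while an explicit
    allow set on the object itself still wins over a deny that was merely inherited."""
    return sorted(dacl, key=lambda a: (a["inherited"], a["type"] != "deny"))

def access_check(token, obj, requested):
    """token = {'user': sid, 'groups': [sid, ...]}; obj = {'owner': sid, 'dacl': [...]}.
    True only if every requested bit is granted before a matching deny ACE is reached."""
    sids = {token["user"], *token["groups"]}
    # The owner (user or one of its groups) can always reset permissions, with no ACE needed.
    if obj["owner"] in sids and (requested & ~WRITE_DAC) == 0:
        return True
    remaining = requested
    for a in canonical_order(obj["dacl"]):
        if a["sid"] not in sids:
            continue
        if a["type"] == "deny" and a["mask"] & remaining:
            return False                           # a needed bit is denied: stop here
        if a["type"] == "allow":
            remaining &= ~a["mask"]                # accumulate granted bits
            if remaining == 0:
                return True
    return False                                   # no match for what is left: implicit deny

# Constructed sample: one domain, the well-known Domain Admins (512) and Domain Users (513)
# RIDs, and two user accounts with arbitrary RIDs.
DOM = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_ADMINS, DOMAIN_USERS = DOM + "-512", DOM + "-513"
ALICE, BOB = DOM + "-1105", DOM + "-1106"

OU_PAYROLL = {
    "owner": DOMAIN_ADMINS,
    "dacl": [
        ace("allow", DOMAIN_USERS, READ | WRITE, inherited=True),  # inherited from the parent
        ace("deny", BOB, WRITE),          # explicit deny trims Bob's group-derived WRITE
        ace("allow", ALICE, DELETE),
    ],
}
TOKEN_ALICE = {"user": ALICE, "groups": [DOMAIN_USERS]}
TOKEN_BOB = {"user": BOB, "groups": [DOMAIN_USERS]}
TOKEN_ADMIN = {"user": DOM + "-500", "groups": [DOMAIN_ADMINS]}
TOKEN_OUTSIDER = {"user": DOM + "-1200", "groups": []}
```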
Groups in Security
  Security group
    Container object used to organize a collection into a single security principal
    Can contain:
      Users
      Computers
      Other groups
  Simplify administration by assigning rights and permissions to the group rather than to individual users
Groups in Security (continued)
  No good reason to grant rights and permissions explicitly to individual users
Delegation of Control
  Giving data owners the ability to manage their own objects
  To delegate control:
    Organize the directory so that all objects in an organizational unit have the same data owner
    Use the Delegation of Control Wizard to create the appropriate ACEs in the DACL on the organizational unit
    Allow them to be inherited by objects in the organizational unit
Granular Control
  Can delegate control with precision
    Important part of the flexibility of Active Directory
  Advanced Security Settings dialog box
    In Active Directory Users and Computers
    Tab to display effective permissions
Permission Types
  Standard
    Used for everyday tasks
    Found on the main Security tab of an object
  Special permissions
    Represent the exact and granular permissions available
    Can be very specific
Active Directory Auditing
  System access control list (SACL)
    Used for auditing object access
    Very similar to DACLs

System Access Control List (SACL)
  Same basic structure as a DACL
  Determines if access is audited
Auditing Event Categories
  Audit account logon events
  Audit account management
  Audit directory service access
  Audit logon events
  Audit object access
  Audit policy change
  Audit privilege use
  Audit process tracking
  Audit system events
Protecting Network Resources
  A number of other resources on the network also rely on Active Directory for security
    Use DACLs
  Objects:
    NTFS
    Printers
    Shares
    Registry keys
NT File System (NTFS)
  Assigns a security descriptor to each object
    Each object in the file system has:
      Owner
      DACL
      SACL
  NTFS DACL permissions relate to what users can do with the files and folders

Standard File Permissions in NTFS
Printers
  Have a security descriptor with:
    Owner
    DACL
    SACL
  Standard permissions:
    Who can print to the printer
    Who can change printer settings
    Who can manage documents
File Shares
  User must first be allowed access to the share, and then access to the file
  Very few choices
    Allow or deny
    Full control
    Change
    Read access
  Use NTFS permissions to further restrict access to the folder
Registry Keys
  Values stored in the registry control how the computer system operates
  Each registry key has a typical Windows 2003 security descriptor with:
    SACL
    DACL
    Specified owner
Other Applications
  Many applications do not perform any authentication or authorization
    Can be given access control by setting NTFS permissions on the executable files or directory
  Some applications perform authentication and authorization internally
    Can also gain added protection using NTFS permissions
Other Applications (continued)
  More sophisticated applications often use Active Directory for authentication
    But provide their own authorization
  A few applications use Active Directory for both authentication and authorization