COMP2221
Networks in Organisations
Richard Henson
March 2014
Week 8: Active Directory
and Security

Objectives
– Apply Active Directory group policies across
one or more domains
– Explain the security features associated with
Active Directory
– Apply secure file system principles and
Active Directory to controlling access for
groups of network users
Security Features of
Active Directory (1)

SSL/TLS
– SSL was developed by Netscape; the IETF later standardised it
as TLS. It sits between the application protocol and TCP and gives
server authentication (by certificate) plus encryption
– made e-commerce possible…
– Internet Information Server (IIS) soon supported
creation of websites accessible only via https (HTTP over SSL/TLS)

LDAP over SSL (LDAPS)
– LDAP is the lookup protocol for directories, Active Directory included
– wrapping it in SSL/TLS lets the client check the server's certificate
(so it is really talking to a domain controller) and encrypts binds and
queries; without it a simple bind sends the password in clear
– this is what makes directory lookups usable from extranet and
e-commerce applications
Security Features of
Active Directory (2)

Transitive Domain Trust
– two-way, transitive trusts are created automatically between a
parent domain and each child domain in a domain tree (and between
the tree roots of a forest), so every domain in the forest trusts
every other
– greatly reduces management overhead: no explicit one-way trust
has to be created and maintained for each pair of domains
– the domain tree namespace mirrors the DNS hierarchy: a child
domain is a DNS subdomain of its parent
Security Features of
Active Directory (3)

Support for Kerberos Authentication
– the default authentication protocol for domain logon since Windows 2000
– authentication of users to resources in other domains of the forest,
including domains in a different DNS zone: the ticket obtained in the
user's home domain is honoured, via referrals along the trust path,
rather than the user re-entering a password

Smart Card Support
– logon via smart card (certificate on the card plus PIN) for strong,
two-factor authentication to sensitive resources
Protecting Local Passwords

Early Microsoft systems (MS-DOS, Windows 3.x) didn't
bother with usernames/passwords
Still an issue with Windows 8… OEM machines are often
sold with a single "open" user who is also an
administrator (i.e. no password)
Client-end systems using username/password login
saved passwords quite primitively in the early days
– Windows 95/98 kept cached credentials in .PWL files
whose encryption was quickly broken
– stronger protection only reached the desktop with the
NT line (Windows 2000 onwards): only password hashes are stored,
in the SAM, readable only with SYSTEM privileges
» even then, the LM hash kept alongside the NT hash
remained weak (next slide)
Strengthening Windows
Passwords

"Challenge-response" authentication with NTLMv2 has
been available since Windows NT 4.0 SP4, so on all systems from
Windows 2000 on…
– until Vista arrived it was not required by default
» for "compatibility reasons" clients kept storing the LM hash
and would still answer with LM/NTLMv1 responses
– unless NTLMv2 is enforced (and LM hash storage disabled),
passwords on XP systems, for example, are easy to "hack"
with the right tools (!)
» the LM hash is case-insensitive, unsalted and split into two
7-character halves, so it falls to brute force or rainbow tables
in minutes

Any client network user should make sure this
password protection feature is turned on…
– for domain members it is set through Group Policy, under
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options:
» "Network security: LAN Manager authentication level"
(send NTLMv2 response only, refuse LM & NTLM)
» "Network security: Do not store LAN Manager hash value
on next password change"
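The check and the Group Policy rollout described above, as an added example in PowerShell written for this page (it is not code from the original slides). It reads and sets the registry values that the two Security Options policies control. The GPO name "NTLM Hardening" and linking it at the domain root are assumptions; the GroupPolicy and ActiveDirectory modules (RSAT) and a domain administrator session are required for the GPO part.

```powershell
# Added example, not from the original slides. GPO name, OU target and the
# "run as Domain Admin" requirement are assumptions made for this page.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-NtlmHardening {
    # The values are absent until the policy has been set at least once;
    # treat "absent" as the XP/2003 default (0 = send LM & NTLM, LM hash stored).
    $p        = Get-ItemProperty -Path $lsa
    $level    = if ($null -ne $p.LmCompatibilityLevel) { $p.LmCompatibilityLevel } else { 0 }
    $noLmHash = if ($null -ne $p.NoLMHash)             { $p.NoLMHash }             else { 0 }

    # LmCompatibilityLevel ("Network security: LAN Manager authentication level"):
    #   0 = send LM & NTLM responses        3 = send NTLMv2 response only
    #   1 = LM & NTLM, NTLMv2 session sec.  4 = NTLMv2 only, refuse LM
    #   2 = send NTLM response only         5 = NTLMv2 only, refuse LM & NTLM
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        NoLMHash             = $noLmHash
        Hardened             = ($level -ge 3 -and $noLmHash -eq 1)
    }
}

function Set-NtlmHardeningLocal {
    # Immediate fix for a stand-alone machine. Domain members should get it
    # from the GPO below; a local change would be overwritten by policy anyway.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
    Set-ItemProperty -Path $lsa -Name NoLMHash             -Type DWord -Value 1
}

function Publish-NtlmHardeningGpo {
    param(
        [string]$GpoName = 'NTLM Hardening',                     # assumption
        [string]$Target  = (Get-ADDomain).DistinguishedName      # domain root
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # Same two values, delivered as Computer Configuration policy.
    $key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName LmCompatibilityLevel -Type DWord -Value 5 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName NoLMHash             -Type DWord -Value 1 | Out-Null

    # New-GPLink throws if the link already exists, so look first.
    $linked = (Get-GPInheritance -Target $Target).GpoLinks |
              Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null }
    $gpo
}

Test-NtlmHardening
```

Level 5 also makes the machine refuse LM and NTLMv1 from clients that connect to it, so link the GPO to a pilot OU before the domain root: old printers, NAS boxes and scanners that only speak LM/NTLMv1 will stop authenticating. NoLMHash only stops new LM hashes being written; the ones already in the SAM or directory vanish as each user next changes their password.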
Active Directory and
"controlling" Users

"Groups" were already well established for
managing network users (Windows NT domains)
Active Directory centrally organises resources,
including all computers
– allowed groups to become more powerful for user
management
– exploited by organising users, groups and computers into:
» organisational units (OUs), for delegation and policy
» sites, which group computers by network location
» domains
Managing Domain Users with
Active Directory
Same user information stored on all
domain controllers (multi-master replication:
a change made on one DC is copied to all the others)
– users can be administered by anyone with
administrative access to any domain controller
for that domain

– flexibility but potential danger! compromising one
domain controller compromises the whole domain, so every
DC needs the same physical and administrative protection
Making Sure Users don't get
the Administrator Password!

File security assumes that only the
network manager can log on as
administrator
– but if a user can guess the password… (!)

Strategies:
– rename the administrator account to something
more obscure
» only a minor obstacle: the account keeps its well-known
relative identifier (RID 500) and can be found by that
– only give the administrator password to one other
person
» better still, give each administrator a named account and
keep the built-in one for emergencies only, so actions are
attributable
– change the administrator password regularly, and make it
long: "guessing" is usually a tool trying thousands of
candidates, not a person at the keyboard
How AD Provides Security

Manages which "security principal(s)"
have access to each specific resource
– i.e. users, computers, groups, or services
(via service accounts)
» each has a unique identifier (SID)

Authenticates each security principal…
– for computers, at startup (the computer account)
– for users, at logon
More about the SID

The SID (Security ID) comprises:
– domain ID
» common to all security principals
within the domain
– unique relative identifier (RID)
» e.g. S-1-5-21-<domain part>-500; RIDs below 1000 are
well known (500 = Administrator, 512 = Domain Admins) and
never change, even when the account is renamed
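To make the two slides above concrete (the structure of a SID, and why renaming the administrator account hides little), here is an added PowerShell example written for this page; it is not code from the original slides. The SID string it takes apart is a constructed sample, and the domain lookup assumes the ActiveDirectory module is available.

```powershell
# Added example, not from the original slides. The sample SID below is
# constructed; the domain lookup assumes RSAT's ActiveDirectory module.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # AccountDomainSid is $null for SIDs that do not belong to a domain,
    # e.g. S-1-5-18 (SYSTEM) or the BUILTIN family S-1-5-32-*.
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

    # The RID is simply the last sub-authority.
    $parts = $SidString -split '-'
    $rid   = [int]$parts[-1]

    # A few of the fixed RIDs; ordinary accounts get RIDs from 1000 upwards.
    $wellKnownRid = @{
        500 = 'Administrator'; 501 = 'Guest';       502 = 'krbtgt'
        512 = 'Domain Admins'; 513 = 'Domain Users'; 519 = 'Enterprise Admins'
    }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = $wellKnownRid[$rid]    # $null for ordinary accounts
    }
}

# Constructed sample: some domain's SID with the Administrator RID appended.
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-500'
# DomainSid S-1-5-21-3623811015-3361044348-30300820, Rid 500, WellKnown Administrator

function Find-BuiltinAdministrator {
    # Get-ADUser accepts a SID as -Identity, so the built-in account is
    # reachable by "<domain SID>-500" whatever it has been renamed to.
    Import-Module ActiveDirectory
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}
```

Any authenticated domain user can read the directory, so Find-BuiltinAdministrator works for an ordinary user too: renaming buys no secrecy, only a little friction against tools that hard-code the name "Administrator".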
Access Tokens

Generated when a user logs on to the
network
Contains:
– user's SID
– SIDs for each group to which the user
belongs (including groups nested in those groups)
– the privileges ("user rights") assigned to the user
or to any of those groups, e.g. "Back up files and directories"
» the token is built once, at logon: a change of group
membership takes effect only at the next logon
ACE (Access Control Entries)

Each object or resource has an access
control list (ACL) in its security descriptor, e.g.
– directory objects and their properties
– shared folders and printer shares
– folders and files within the NTFS file system

ACEs contained within the ACL
– each ACE names a SID, a set of rights, and whether
those rights are allowed or denied
– together they protect the resource against unauthorised users
More on ACLs

Two distinct ACLs for each object or
resource:
– discretionary access control list (DACL)
» list of the SIDs that are either granted or denied
access and the degree of access that is allowed
– system access control list (SACL)
» list of all the SIDs whose access to or manipulation of
the object or resource needs to be audited, and the
type of auditing (success, failure, or both) to be performed
Mechanism of AD security

Users are usually assigned to several groups
When a user attempts to access a directory
object or network resource…
– the security subsystem…
» takes the SID of the user and the SIDs of the security
groups from the user's access token
» walks the DACL in the resource's security descriptor in order,
considering only ACEs whose SID appears in the token

Outcome…
– a Deny ACE covering any of the requested rights stops the
check: access is denied
– Allow ACEs accumulate rights; once every requested right is
covered, the user is granted that degree of access to the resource
– if the end of the DACL is reached with rights still uncovered,
access is denied (no matching ACE means no access)
» explicit Deny ACEs are stored ahead of Allow ACEs ("canonical
order"), which is why a Deny always wins over an Allow
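The token, DACL and SACL of the last four slides, and the access check that ties them together, as an added PowerShell example written for this page (not code from the original slides). The first half is a small model of the check itself, run over constructed SIDs and ACEs so the deny-before-allow behaviour can be seen; the second half writes and reads back a real DACL and SACL on a folder under %TEMP%. The toy rights mask, the SIDs and the folder name are all assumptions made for the example.

```powershell
# Added example, not from the original slides. SIDs, rights mask and the
# demo folder are constructed for this page.

# Toy rights mask; real NTFS masks have many more bits but the logic is the same.
$READ = 1; $WRITE = 2; $EXEC = 4

function New-Ace([string]$Type, [string]$Sid, [int]$Rights) {
    [pscustomobject]@{ Type = $Type; Sid = $Sid; Rights = $Rights }
}

function Test-Access {
    param([string[]]$TokenSids, [object[]]$Dacl, [int]$Requested)
    # A NULL DACL (no ACL at all) means everyone has full access; an empty
    # DACL means nobody does. The loop below gives the empty case naturally.
    if ($null -eq $Dacl) { return $true }

    $remaining = $Requested
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }        # ACE not about us
        if ($ace.Type -eq 'Deny' -and ($ace.Rights -band $remaining)) { return $false }
        if ($ace.Type -eq 'Allow') { $remaining = $remaining -band (-bnot $ace.Rights) }
        if ($remaining -eq 0) { return $true }                      # everything granted
    }
    return ($remaining -eq 0)   # rights still outstanding: denied
}

# Constructed token: the user's own SID, the Finance group, Domain Users (RID 513).
$token = 'S-1-5-21-1-2-3-1105', 'S-1-5-21-1-2-3-2201', 'S-1-5-21-1-2-3-513'
# Constructed DACL in canonical order: explicit Deny first, then Allows.
$dacl = @(
    New-Ace Deny  'S-1-5-21-1-2-3-2202' $WRITE                # Contractors: no write
    New-Ace Allow 'S-1-5-21-1-2-3-2201' ($READ -bor $WRITE)   # Finance: read + write
    New-Ace Allow 'S-1-5-21-1-2-3-513'  $READ                 # Domain Users: read
)
Test-Access $token $dacl ($READ -bor $WRITE)   # True: Finance covers both rights
$token += 'S-1-5-21-1-2-3-2202'                # now also a member of Contractors
Test-Access $token $dacl ($READ -bor $WRITE)   # False: the Deny covers write
Test-Access $token $dacl $READ                 # True: the Deny does not touch read

# The same structures on a real folder. DACL entries come back as .Access;
# SACL entries only with -Audit, which needs the "Manage auditing and
# security log" privilege (administrators have it), so run this elevated.
$dir = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$acl = Get-Acl -Path $dir -Audit
$inherit = 'ContainerInherit,ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Guests', 'Write', $inherit, 'None', 'Deny')))
# SACL entry: record every failed access attempt by anyone.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'FullControl', $inherit, 'None', 'Failure')))
Set-Acl -Path $dir -AclObject $acl

(Get-Acl -Path $dir -Audit).Access | Select-Object IdentityReference, AccessControlType, FileSystemRights
(Get-Acl -Path $dir -Audit).Audit  | Select-Object IdentityReference, AuditFlags, FileSystemRights
```

Two things worth noticing when running it. The .NET ACL classes keep the DACL in canonical order, so the Guests Deny is listed before the Users Allow in the output whatever order they were added in. And because the token is built at logon, adding a user to Contractors in the directory does not change the result of Test-Access for a session that is already open; the real check behaves the same way until the user logs on again.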
Power of Group IDs in
Policy-based Security

Group Policy…
– allows groups of users to be granted or denied
access to or control over entire classes of objects
and sets of resources
– allows security & usage policies to be established
separately for:
» computer accounts
» user accounts
– can be applied at multiple levels:
» users or computers residing in a specific OU
» computers or users in a specific AD site
» an entire AD domain
Active Directory and
Group Policy

Power of Group Policy:
– allows network administrators to define and
control the policies governing:
» groups of computers
» groups of users
– administrators can set group policy for any
of the sites, domains, or organizational units
in the Active Directory Domain Tree
Monitoring Group Policy

Policies, like permissions, are ADDITIVE
– applied in the order local, site, domain, OU (then
child OUs); where two GPOs set the same setting, the
one applied last wins, unless a link higher up is
marked "Enforced"
– watch simulation… (AGAIN!)

Windows 2000 policies
– the administrator had to work out by hand which
cumulative set of policies was controlling the environment
for a specific user or computer

GPMC (Windows Server 2003 onwards)
– tracks and reports the Resultant Set of Policy
(RSoP):
» net effect of each of the overlapping policies on a specific user
or computer within the domain
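How the cumulative effect is inspected from the command line, as an added PowerShell example written for this page (not code from the original slides). It shows the link order and inheritance for an OU, then generates the RSoP report that GPMC shows, for one user on one machine. The OU, computer and user names are assumptions; the GroupPolicy module from RSAT is required.

```powershell
# Added example, not from the original slides. OU path, computer name and
# user name are assumptions.
Import-Module GroupPolicy

# 1. Where does policy come from for this OU? InheritedGpoLinks lists every
#    link that reaches it, from the OU up to site, in precedence order:
#    Order 1 is applied last and therefore wins on a conflicting setting.
#    Enforced links cannot be overridden further down; GpoInheritanceBlocked
#    shows whether this OU blocks what is linked above it (Enforced still wins).
$ou  = 'OU=Finance,DC=corp,DC=example'     # assumption
$inh = Get-GPInheritance -Target $ou
$inh | Select-Object Path, GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target

# 2. The net effect for one user on one machine: every setting with the
#    "winning GPO" beside it. Same data as gpresult /h on the client.
$report = Join-Path $env:TEMP 'rsop-jsmith.html'
Get-GPResultantSetOfPolicy -Computer 'FIN-PC01' -User 'corp\jsmith' `
    -ReportType Html -Path $report
Invoke-Item $report

# 3. From the client itself, no RSAT needed:
#    gpresult /r /scope:user   lists applied GPOs and those filtered out, with the reason
#    gpupdate /force           re-applies policy now instead of waiting for the refresh
```

Step 1 is the one to run before changing anything: an Enforced link at the domain, or a child OU with inheritance blocked, explains most "the policy is linked but nothing happened" puzzles.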
Extending User/Group
Permissions beyond a domain

Possible for user permissions to be safely
applied beyond the local domain
– so users on one network can gain access to files on another
network
– authentication is handled between the domain controllers of the
local (trusting) domain and the trusted domain

Normally achieved through "adding" groups from
a trusted domain
– global groups from the trusted domain are nested in domain
local groups of the trusting domain, and it is the domain local
group that is named in the ACL
NOT the same as "remote logon"
– the user logs on once, to their own domain, and is then
accepted by the trusting domain on the strength of that logon;
remote logon would instead need a separate username/password
authorised on the remote system…
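The group nesting described above, as an added PowerShell example written for this page (not code from the original slides): it lists the domain's trusts, then gives a global group from a trusted domain read access to a local share by placing it in a domain local group that holds the share's permission. The trusted domain, group and share names are assumptions, as is the note on external trusts in the comments; the ActiveDirectory module is required.

```powershell
# Added example, not from the original slides. Domain, group and share
# names are assumptions.
Import-Module ActiveDirectory

# Direction is seen from this domain: Outbound = we trust them, so their
# principals can be granted access here; Inbound = they trust us.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest

$trusted   = 'partner.example'                  # assumption: a trusted domain
$localGrp  = 'FinanceShare-Readers'             # domain local group, this domain
$share     = 'D:\Shares\Finance'                # assumption
$remoteGrp = Get-ADGroup -Identity 'Finance' -Server $trusted   # global group over there

# Only domain local groups may contain principals from other domains, which
# is why the group that sits in the ACL must have DomainLocal scope.
if (-not (Get-ADGroup -Filter "Name -eq '$localGrp'")) {
    New-ADGroup -Name $localGrp -GroupScope DomainLocal -GroupCategory Security | Out-Null
}
# -Members accepts a SID. Within a forest the group object itself also works;
# across an external trust passing the SID is the safe form, since the
# directory then records the member as a foreign security principal
# (assumption for this example: verify against your own trust type).
Add-ADGroupMember -Identity $localGrp -Members $remoteGrp.SID

# The share's ACL only ever names the local group. No account, password or
# logon right is created here for the remote users: their own domain
# authenticates them and the trust lets this domain accept that.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$((Get-ADDomain).NetBIOSName)\$localGrp", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Removing the partner's access later is one Remove-ADGroupMember on the domain local group; nothing on the file system has to change, which is the point of never putting the remote group in the ACL directly.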
Enterprise Networks

Multiple Domains in a tree (or forest)
– Transitive Domain Trust
– a single enterprise-wide administrative group
» "Enterprise Admins", with authority in every
domain of the forest
– greatly reduces
management overhead
Managing Users
& Their Profiles

Once they get the hang of it, users save
all sorts of rubbish to their user areas
– may well include lots of downloaded web
pages and images

Problem!
– 5000 users
– each user takes 1 GB of space...
– total disk space required is 5000 GB (5 TB)!
Managing User Profiles

Windows Server "Disk Quotas" (NTFS volumes; present since
Windows 2000, policy-managed from Windows Server 2003):
– allow administrators to track and control user
NTFS disk usage
» quotas are per user, per volume, and are charged by file
ownership: a file counts against whoever owns it, wherever
it sits on the volume
» coupled with Group Policy and Active Directory
technology
» easy to manage user space
» even enterprise-wide…
– users find this irritating but it stops them keeping
data they're never likely to use again…
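Turning quotas on for the volume that holds the user areas, and listing who is over the line, as an added PowerShell example written for this page (not code from the original slides). It uses the WMI quota classes rather than the GUI. The drive letter, the 1 GB limit and 800 MB warning level are assumptions, as is the shape of the reference properties returned by Get-CimInstance; run it elevated on the file server.

```powershell
# Added example, not from the original slides. Volume, limits and the
# reference-property shape used in Get-QuotaReport are assumptions.

$vol = 'D:'     # assumption: the volume holding user home areas

# Volume-wide defaults apply to every user who has no explicit quota entry.
# State: 0 = quotas off, 1 = track usage only, 2 = track and enforce.
$qs = Get-CimInstance -ClassName Win32_QuotaSetting |
      Where-Object { $_.VolumePath.TrimEnd('\') -eq $vol }
$qs | Set-CimInstance -Property @{
    State                      = 2
    DefaultLimit               = 1GB        # hard limit (bytes)
    DefaultWarningLimit        = 800MB      # warning level (bytes)
    ExceededNotification       = $true      # event log entry when a user hits the limit
    WarningExceededNotification = $true
}

function Get-QuotaReport {
    param([string]$Volume = 'D:')
    # One Win32_DiskQuota row per (user, volume). Status: 0 = OK,
    # 1 = warning level reached, 2 = limit reached. The User and QuotaVolume
    # references are assumed to come back as CIM instances with their keys.
    Get-CimInstance -ClassName Win32_DiskQuota |
        Where-Object { $_.QuotaVolume.DeviceID -eq $Volume -and $_.Status -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                User    = "$($_.User.Domain)\$($_.User.Name)"
                UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB)
                LimitMB = [math]::Round($_.Limit / 1MB)
                Status  = @('OK', 'Warning', 'Exceeded')[$_.Status]
            }
        } | Sort-Object UsedMB -Descending
}

Get-QuotaReport -Volume $vol
```

The same defaults can be pushed to every file server at once through Group Policy (Computer Configuration > Administrative Templates > System > Disk Quotas), which is the "enterprise-wide" option the slide refers to. Because NTFS charges by ownership, a user who is "over quota" with a nearly empty home folder usually owns large files somewhere else on the same volume.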
User Rights

Users MUST NOT have access to
sensitive parts of the system (e.g.
network servers, local system software)
– the operating system enforces this through
file permissions and user rights assignment

Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the
software could be misused…
» cf. no-one is allowed to drive a car because some
drivers cause accidents!
Controlling/Monitoring Group
Policy across Domains

AD across a distributed enterprise…
– “enterprise” administrators have the authority to
implement and alter Group Policies anywhere
– important to manage and restrict their number...

Enterprise admins need to inform domain admins:
– what has changed
– when it changed
– the implications of the change for directory and network
operations…

Otherwise…
– a change to Group Policies affecting a domain might
occur with disastrous consequences
More on Secure Development
of software

Main problem…
– functional requirements are explained at the
planning/analysis/design phases
– non-functional requirements (security among them) are
less well discussed
» may be left out altogether
» big mistake
» system won't meet users' needs
NFR Example:
Possible Security Features

A checklist of areas to consider, abstracted from the ISO/IEC 27001 / 27002 control sets [TSI/2012/183] © Copyright 2003-2012

– Information labelling and handling
– Equipment siting and protection
– Supporting utilities
– Cabling security
– Maintenance
– Secure disposal or re-use
– Separation of development, test and operational facilities
– Controls against malicious code
– Controls against mobile code
– Information back-up
– Network controls
– Security of network services
– Electronic messaging
– On-line transactions
– Publicly available information
– Audit logging
– Auditing system use
– Protection of log information
– Clock synchronisation
– Privilege management
– Equipment identification in networks
– Remote diagnostic and configuration port protection
– Segregation in networks
– Network connection control
– Network routing control
– Secure log-on procedures
– User identification and authentication
– Password management system
– Use of system utilities
– Session time-out
– Limitation of connection time
– Information access restriction
– Sensitive system isolation
– Input data verification
– Control of internal processing, including least privilege
– Message integrity
– Output data verification
– Cryptographic controls
– Key management
– Technical vulnerability management (patches and updates)
– Collection of evidence