Windows 2000: Concepts

1
Windows 2000 Concepts DeploymentLarry
LiebermanNT Support EngineerPremier Enterprise
SupportMicrosoft Corporation
2
Agenda

• Active Directory
• Microsoft DNS
• Distributed Security
• System Management

3
Active Directory

• Architecture
• Components
• Planning AD Design

4
AD Architecture

• X.500 derived data model
• Directory stored schema
• Windows 2000 Trusted Computing Base security
  model
• Delegated Administration Model
• DNS integration

5
AD Components (1/10)

• Objects
• Organizational Units (OUs)
• Domains
• Sites
• Trees Forests
• Global Catalog

6
AD Components (2/10)Objects
ObjectClass
Defined in the schema
Data storage is allocated as necessary
7
AD Components (3/10)Object Access
DirectoryObject

• Access to directory objects is controlled via
  Access Control Lists (ACLs)

• Fine granularity is provided by Access Control
  Entries (ACEs) that apply to specific attributes

8
AD Components (4/10)Organizing the Directory

• A hierarchy of objects can be created using
  Organizational Units (OUs)
• Although OUs are the primary containers used to
  create the hierarchy, all directory objects are
  potential containers

9
AD Components (5/10)OUs
OU

• OU security provides the mechanism for
  controlling object visibility and delegating
  administration

10
AD Components (6/10)Domains
Configuration

• One or more domain controllers

• Multi-master replication
• One or more sites

11
AD Components (7/10)Sites

• Controls Active Directory replication

• Site knowledge used
• Logon locator
• Printer locator and pruner
• Dfs and more

12
AD Components (8/10)Trees And Forests

• Configuration and schema common to all domains

• Transitive trusts link domains

13
AD Components (9/10)Boundaries

• Replication

• Administration

• Security Policy

• Group Policy

14
AD Components (10/10)Global Catalog

• Enterprise wide searches
• Resolves enterprise queries

15
Planning AD Design (1/6)Considerations

• Defining a logical hierarchy of resources
• Administrative architectures
• Allocation of physical resources and budget
• Current infrastructure and upgrade strategies
• Data availability requirements
• Network bandwidth
• Politics

16
Planning AD Design (2/6) One Or More Forests

• All domains in a forest share a common schema and
  global catalog
• Create multiple forests if
• Separate schemas are required
• One or more domains are required to be isolated
  from the spanning tree of transitive trusts
• Total administrative autonomy is required

17
Planning AD Design (3/6)Domain Structure

• Where possible use a single domain
• Use OUs to delegate administration
• Use sites to tune replication
• Use multiple domains when there is a requirement
  for
• Scalability across WANs
• Autonomous administrative entities
• Different security account policies
• password, lockout and Kerberos ticket

18
Planning AD Design (4/6)Multiple Domains(1/3)

• Containment of network traffic
• Directory replication
• Policies (FRS)
• In-place upgrades from Windows NT domains
• Autonomous divisions with separate names
• No technical reasons, only politics
• Names are not important

19
Planning AD Design (5/6)Multiple Domains(2/3)

• Each domain has an incremental overhead
• Increased administration
• Increased hardware
• Separate DCs are required for each domain
• Try to avoid creating divisional or departmental
  domains for purely political reasons
• Change is inevitable, they are easy to create
  and hard to retire

20
Planning AD Design (6/6)Multiple Domains(3/3)

• Separate the production forest from development
  and testing
• Prevents unwanted schema changes propagating
  through the enterprise
• Create a separate forest to restrict access for
  business partners

21
Microsoft DNS

• Windows 2000 DNS Requirements
• MS DNS Features
• DNS Design

22
DNS Requirements

• A DNS server that is authoritative for a Windows
  2000 domain MUST support SRV records (RFC 2052)
• It also should support dynamic updates (RFC 2136)
• The NETLOGON service on the domain controller
  automatically registers all of the domain
  services and the site that it supports

23
MS DNS Features (1/12)

• Active Directory integration
• Dynamic Update
• Aging
• Administrative tools
• Caching resolver

24
MS DNS Features (2/12) Active Directory
Integration

• AD-integrated DNS zone is multi-master

25
MS DNS Features (3/12) Active Directory
integration
Primary zones
26
MS DNS Features (4/12) Active Directory
integration

• AD-integrated DNS zone is multi-master
• High availability of write, as well as read
• Doesnt require separate from AD replication

27
MS DNS Features (5/12) Active Directory
integration

• ADS replication is loosely consistent
• Name-level collision
• Two hosts create same name simultaneously (first
  writer wins)
• Attribute-level collision
• Two hosts modify A RRset for microsoft.com
  simultaneously (last-writer wins)

28
MS DNS Features (6/12) Dynamic Update

• Based on RFC 2136
• Client discovers primary server for the zone
  where the record should be added/deleted
• Client sends a dynamic update package to the
  primary server
• Primary server processes the update

29
MS DNS Features (7/12) Dynamic Update

• Windows 2000 computer registers
• A RR with
• Hostname.PrimaryDnsSuffix (default)
• and Hostname.AdapterSpecificDnsSuffix (if
  configured)
• PTR RR if adapter is not DHCP configured or DHCP
  server doesnt support DNS RR registration

30
MS DNS Features (8/12) Dynamic Update

• Windows 2000 DHCP server registers (based on
  draft-ietf-dhc-dhcp-dns-.txt)
• PTR records on behalf of upgraded
  clients (default)
• A and PTR records on behalf of downlevel clients
  (default)
• A and PTR records on behalf of upgraded clients
  (if configured)
• Windows 2000 DHCP server removes records that it
  registered upon lease expiration

31
MS DNS Features (9/12) Secure Dynamic Update

• Based on draft-skwan-gss-tsig-04.txt
• Available only on AD-integrated zones
• Per -zone and -name granularity
• ACL on each zone and name

32
MS DNS Features (10/12) Aging/Scavenging

• Enables deletion of the stale records in
  AD-integrated zones
• Requires periodic refreshes of the records

33
MS DNS Features (12/12) Caching Resolver

• Windows 2000 service
• Caches RRs according to TTL
• Negative caching
• Tracks transient/PnP adapters
• Reorders servers according to responsiveness
• Fewer round-trips, fewer timeouts, faster
  response time

34
DNS Design (1/11)To support DC locator

• DNS server authoritative for the DC records MUST
  support SRV RRs
• Support for Dynamic Updates is recommended

35
DNS Design (2/11)

• Delegate a DNS zone for each AD domain to the DNS
  servers running on the DCs in that AD domain

36
DNS Design (3/11)
corp.example.com
Zones Primary AD-int corp.example.com
37
DNS Design (4/11)
corp.example.com
Zones Primary AD-int corp.example.com
Domain1.corp.example.com
Zones Primary AD-int Domain1.corp.example.com
38
DNS Design (5/11)

• Delegate a DNS zone for each AD domain to the DNS
  servers running on a DC in that AD domain
• Install a DNS server on at least two DCs in each
  AD domain and one DC in each site

39
DNS Design (6/11)
corp.example.com
Zones Primary AD-int corp.example.com
Domain1.corp.example.com
Site3
Site2
Site1
Zones Primary AD-int Domain1.corp.example.com
40
DNS Design (7/11)

• Delegate a DNS zone for each AD domain to the DNS
  servers running on a DC in that AD domain
• Install a DNS server on at least two DCs in each
  AD domain and one DC in each site
• If different sites in the forest are connected
  over slow link, delegate the zone
  _msdcs.ltForestNamegt and make at least one DNS
  server in every site secondary for this zone

41
DNS Design (8/11)
corp.example.com
Zones Primary AD-int corp.example.com Primary
AD-int _msdcs.corp.example.com.
Domain1.corp.example.com
Site3
Site2
Site1
Zones Primary AD-int Domain1.corp.example.com S
econdary _msdcs.corp.example.com.
42
DNS Design (9/11)

• Install a DNS server on at least two DCs in each
  AD domain and one DC in each site
• Delegate a DNS zone for each AD domain to the DNS
  servers running on a DC in that AD domain
• If different domains of the forest are connected
  over slow links, delegate the zone
  _msdcs.ltForestNamegt and make at least one DNS
  server in every site secondary for this zone
• Each client should be configured to query at
  least two DNS servers one of which is in the same
  site

43
DNS Design (10/11)
corp.example.com
Zones Primary AD-int corp.example.com Primary
AD-int _msdcs.corp.example.com.
Domain1.corp.example.com
Site3
Site2
Site1
Zones Primary AD-int Domain1.corp.example.com S
econdary _msdcs.corp.example.com.
44
DNS Design (11/11)Hardware planning

• Memory usage
• No zones loaded 4 MB
• Each record requires 100 bytes
• Performance
• Alpha 533 MHz dual-processor with 25 Processor
  utilization
• 1600 queries and 200 dynupd/second
• Intel P-II 400 MHz dual-processor with 30
  Processor utilization
• 900 queries and 100 dynupd/second

45
Security Topics

• Kerberos Integration with Windows NT
• Security Provider Architecture
• Public Key Security Components
• Smart card logon and authentication
• Encrypting File System
• Security Policies and Domain Trust
• Secure Windows NT Configuration

46
Security Goals

• Single enterprise logon
• Integrated security services with Windows NT
  Directory Service
• Delegated administrationand scalability for
  large domains
• Strong networkauthentication protocols
• Standard protocols for interoperability of
  authentication

47
Authentication/ Authorization

• Authenticate using domain credentials
• User account defined in Active Directory
• Authorization based on group membership
• Centralize management of access rights
• Distributed security tied to the Windows NT
  Security Model
• Network services use impersonation
• Object-based access control lists

48
One Security Model Multiple Security Protocols

• Shared key protocols
• Windows NTLM authentication compatibility in
  mixed domains
• Kerberos V5 for enterprise networks
• Public key certificate protocols
• Secure Sockets Layer (SSL) / Transport Layer
  Security (TLS)
• IP Security
• Multiple forms of credentials in the Active
  Directory

49
NTLM Authentication
Application server
1. NTLM challenge/response
4. Server impersonates client
Windows NTDirectory Service
Netlogon
MSV1_0
Windows NT domain controller
50
Kerberos Integration
Client
Server
Kerberos SSPI providermanages credentials
andsecurity contextLSA manages ticket cache
Session ticket authorization data supports NT
access control model
Windows NTDirectory Server
KDC relies on the Active Directory as the store
for security principals and policy
Key DistributionCenter (KDC)
Windows NT Domain Controller
51
Kerberos Protocol Advantages

• Faster connection authentication
• Server scalability for high-volume connections
• Reuse session tickets from cache
• Mutual authentication of both client, server
• Delegation of authentication
• Impersonation in three-tier client/server
  architectures
• Transitive trust between domains
• Simplify inter-domain trust management
• Mature IETF standard for interoperability
• Testing with MIT Kerberos V5 Release

52
Kerberos Unix Interoperability

• Based on Kerberos V5 Protocol
• RFC 1510 and RFC 1964 token format
• Testing with MIT Kerb V5 Release
• Windows NT DS hosts the KDC
• UNIX clients to Unix Servers
• UNIX clients to NT Servers
• NT clients to UNIX Servers
• Simple cross-realm authentication
• UNIX realm to NT domain

53
Kerberos AuthNetwork Server connection
Application Server (target)
3. Verifies session ticket issuedby KDC
1. Send TGTand request session ticket from KDC
for target server
Windows NTDirectory Server
TGT
Key DistributionCenter (KDC)
Windows NT domain controller
54
Building An Access Token with Kv5

• Kerberos package gets auth data from session
  ticket

Server application
LSA
Kerberos

• Auth data
• User SID
• Group SIDs
• Privileges

Target
Session ticket
55
Remote File Access Check
Client
File application
\\infosrv\share
SMB protocol
Server
Rdr
SSPI
Kerberos SSP
Kerberos SSP
NTFS
File
56
Architecture For Multiple Authentication Services
Internet Explorer, Internet InformationServer
Directoryenabled appsusing ADSI
Mail, Chat, News
DCOM application
Remote file
LDAP
HTTP
POP3, NNTP
Secure RPC
CIFS/SMB
SSPI
NTLM
Kerberos
DPA
SChannelSSL/TLS
MSV1_0/ SAM
KDC/DS
Membershipservices
57
Windows NT 4.0 - 5.0 Interoperability

• Windows NT 4.0 clients and servers
• Use NTLM authentication
• Windows NT 5.0 clients
• Locate NT 5.0 Active Directory and KDC
• Support smart card logon
• Use Kerberos or NTLM protocol
• Windows NT 5.0 Servers
• Accept both NTLM or Kerberos protocol

58
Public Key ComponentsX.509 and PKCS Standards

• For servers
• Key and certificate management
• Secure channel
• Client authentication
• Auto enrollment

• For clients
• User key and certificate mgmt
• Secure channel
• Secure storage
• Auto enrollment

Windows NT Directory Server
Certificate Server

• Enterprise
• Certificate services
• Trust policy

59
Crypto API Architecture
Application
Secure channel
Certificate management services
Crypto API 1.0
Certificatestore
SmartCard CSP
RSA base CSP
Fortezza CSP
Keydatabase

• CryptographicService Providers

60
SSL Client AuthenticationIntegrated Security
Administration

• Strong authentication using X.509 certificates
• Single user ID for multiple protocols
• Security account management
• Use existing infrastructure ccount admin and
  access control
• Accept third-party X.509 certificates from
  trusted Certificate Authorities
• Inter-business authentication

61
SSL Client Authentication
Server
Client certificate
SChannel SSP
Œ
Certificate Storeof Trusted CAs
1. Verify user certificate based on trusted CA,
CRL
62
Client AuthenticationUsing SmartCards

• Secure channel between Internet Explorer and
  Internet Information Server
• Keys and certificates managed by Crypto API
• SmartCard CSP gets certificate and protocol
  signature from card

Internet Explorer 4.0
SSPI
Secure channel
Crypto API
SmartCard CSP
Readerdriver
Reader
ICC
63
Smart Card Logon

• Private key and certificate on card
• Public key domain authentication

PK Kerberos
64
Management Of Trust

• Trust policy decisions
• What CAs are trusted?
• What are they trusted for?
• Client Authentication,
• Server Authentication,
• Authenticode
• Trust determination made locally
• Certificate path verification
• Configure trust policy centrally
• Define trust policy in Policy Editor
• Signed by an authorized user

65
Encrypting File System

• Privacy of data that goes beyond access control
• Protect confidential data on laptops
• Configurable approach to data recovery
• Integrated with core operating system components
  
• Windows NT File System - NTFS
• Crypto API key management
• LSA security policy
• Transparent and very high performance

66
EFS Architecture
Applications
EFS service
Win32 layer
Crypto API
User mode
Kernel mode
I/O manager
LPC communication for all key management support
EFS.sys
NTFS
FSRTL callouts
Encrypted on-disk data storage
67
File Encryption
File decryption (e.g., DES)
A quick brown foxjumped...
fjdaj u539!3t t389E
Data decryption field generation (e.g., RSA)
DDF
Users public key
Data recovery field generation (e.g., RSA)
DRF
Randomly- generated file encryption key
Recovery agents public key in recovery policy
RNG
68
File Decryption
fjdaj u539!3t t389E
A quick brown fox jumped...
File decryption (e.g., DES)
File encryption key
Users privatekey
DDF is decrypted using the private key to get to
the file encryption key
DDF extraction (e.g., RSA)
DDF contains file encryption key encrypted under
users public key
DDF
69
Active Directory Security Features

• Organization Units (OU) to organize the
  directory name space
• Users, groups, computers in separate containers
• Directory object security
• Per property access control
• Per property auditing
• Delegation of administration
• Who can create, manage users, groups, computer
  accounts, other objects

70
Domain Trust
microsoft.com
Downleveldomain
Domain
fareast. microsoft. com
europe. microsoft. com
Explicit Windows NT 4.0-style trusts
Domain
Domain
Kerberos trust
Domain
71
Managing Security

• Security Configuration Editor (SCE)
• Defines security configuration templates
• Group Policy Editor
• Defines hierarchy of user or computer policy
  templates for OUs up to the Domain
• Security configuration is part of Group Policy
• Group Policy for a computer includes the security
  configuration
• Security configuration applied at startup

72
A Security Configuration

• Covers various security areas
• Account Policies -- password, lockout, kerberos
• Local Policies -- auditing, user rights,...
• Restricted Groups -- Administrators, Power
  Users,
• Registry File System -- security descriptors
• Services -- startup mode and security descriptors

73
Summary (1/2)

• Kerberos for domain authentication for the
  Enterprise
• Mutual authentication, transitive trust
• Public key security components
• Certificate Services to issue organization
  certificates
• Personal key and certificate management
• Public key credentials for servers
• Directory-based SSL/TLS client authentication
  using X.509 certificates

74
Summary

• Crypto API enhancements
• Smart card logon and dialup access
• Message encryption using SSPI
• SMB data encryption using IPsec
• Encrypting File System
• DS Security Administration and Policy
• Security Configuration Editor
• Cross-platform authentication interoperability

75
Group Policy Objects
76
Group Policy Definition

• The ability for the administrator to state a
  wish about the state of their users environment
  once, and then rely on the system to enforce that
  wish!

77
Group Policy Review

• Policies Are Not Profiles
• A profile is a collection of user environment
  settings that the user may change
• Group Policy is a collection of user environment
  settings, specified by the administrator
• Group Policy is more than simple lockdown
• Group Policy enhances the Follow Me! experience
  by enabling organizations to
• Set registry settings securely and without fear
  of tattooing (Administrative Templates)
• Specify security oriented settings (Security
  Settings)
• Install software (Software Installation)
• Re-direct My Documents, Desktop, etc. to the
  network (Folder redirection)
• Implement tiered scripts (Scripts)

78
Group Policy And The Active Directory

• Sites are described by Subnet addresss and may
  cross Domain boundaries, normally they would not
• GPOs are per Domain
• Multiple GPOs may be associated with a single
  SDOU
• Multiple SDOUs may use a single GPO
• Any SDOU may be associated with any GPO, even
  across Domains (slower - maybe very slow)
• The affect of a GPO may be filtered based on
  security group membership (ACLs)

• Sites are described by Subnet addresss and may
  cross Domain boundaries, normally they would not

• GPOs are per Domain

• Multiple GPOs may be associated with a single
  SDOU

• Multiple SDOUs may use a single GPO

• Any SDOU may be associated with any GPO, even
  across Domains (slower - maybe very slow)

• The affect of a GPO may be filtered based on
  security group membership (ACLs)

What is my policy?
79
Group Policy Linked To OUs

• The OU structure is your administrative structure
• Group Policy configuration must be tuned to fit
  your OUs structure
• Design for the most stable and maintainable
  solution

80
Filtering

• Security Groups may be used to filter the effect
  of Group Policy
• Any Group Policy may have its scope modified by
  setting ACL permissions
• Read and Apply Group Policy (AGP) ACEs are
  required for Group Policy to be applied
• Only filter if necessary
• Keep simple if possible

81
Example
GP
ou
ou
ou
ou
ou
ou
ou

• Filtering can be inclusionary or using deny
  exclusionary

82
Conclusion

• Active Directory
• DNS
• Security Features
• Group Policy

83
(No Transcript)