Active Directory Authentication and Security - PowerPoint PPT Presentation

1 / 40
About This Presentation
Title:

Active Directory Authentication and Security

Description:

Specifies the SID of user object. Unique value used to identify user as ... Owner of object can always gain access to object by resetting its permissions ... – PowerPoint PPT presentation

Number of Views:241
Avg rating:3.0/5.0
Slides: 41
Provided by: pbcc
Category:

less

Transcript and Presenter's Notes

Title: Active Directory Authentication and Security


1
Active Directory Authentication and Security
  • Chapter Nine

2
Security Principles
  • User object
  • inetOrgPerson object
  • Computer object
  • Security group object
  • Have an SID
  • Windows security subsystem uses to identify
    security principals

3
Security Identifiers
  • Attribute as binary value
  • Specifies the SID of user object
  • Unique value used to identify user as security
    principal
  • Number of formats
  • Hexadecimal notation
  • Security Descriptor Definition Language (SDDL)

4
Security Descriptor Definition Language (SDDL)
  • Begins with S
  • Followed by three to seven numbers
  • Separated by hyphens
  • First number is revision level of SDDL format
  • Next identifier authority
  • Next subauthority identifier
  • Well-known SIDs
  • Identify certain users or groups
  • Recognized by OS

5
Domain and Relative Identifiers
  • Domain identifier
  • Calculated when domain created
  • 3 32-bit numbers
  • Guaranteed to be unique
  • Relative Identifier (RID)
  • 32 bits
  • Identifies object within domain

6
Access Tokens
  • Contains several important pieces of information
  • Users SID
  • SID for every group of which user is member
  • Security subsystem
  • Examines users access token
  • Determines if user or one of groups of which user
    is member has access to resource
  • Generated based on authentication protocol used
  • Use whoami command to view access token

7
Permissions and Rights
  • Used to control access on system
  • Permissions
  • Rules associated with object
  • Define which users can gain access to object
  • What actions users can perform on object
  • Rights
  • Define what tasks or operations user can perform
    on computer system or domain

8
Active Directory Authentication
  • Authentication methods used in Windows Server
    2003
  • NT LAN Manager (NTLM)
  • Kerberos

9
NTLM Authentication
  • Supported for backward compatibility
  • For Windows NT 4.0 client computers
  • Not primary means of authentication in Windows
    Server 2003
  • Based on older authentication protocol called LAN
    Manager

10
NTLM Authentication Example
11
NTLM Issues
  • Each time user wants to access resource user must
    be reauthenticated by domain controller
  • Only provides client authentication
  • Easy to capture NTLM challenge and use hacking
    tools to discover password

12
Kerberos Authentication
  • Default protocol for network authentication for
    all Windows Server 2003 computers
  • Components
  • Security principal requesting access
  • Key Distribution Center (KDC)
  • Server holding resource or service being requested

13
Kerberos Authentication (continued)
  • KDC services
  • Authentication
  • Ticket-granting Service
  • Authentication Service
  • Ticket-granting ticket (TGT)
  • Issued to user when first authenticated during
    successful logon
  • Allows user to request session tickets

14
Kerberos Authentication (continued)
  • Authentication Service
  • Ticket-granting ticket (TGT)
  • Valid for 10 hours
  • Ticket-granting Service
  • TGT is submitted to Ticket-granting Service on
    KDC
  • Sends two copies of session ticket back to users
    machine

15
Kerberos in Action
16
Down-level Client Authentication
  • Older clients referred to as down-level clients
  • Pre-Windows 2000
  • Create security concern
  • Directory Services Client
  • Available as add-on component to Windows 95/98
  • Enables these clients to use NTLMv2 on Windows
    2000/2003 network

17
Two-factor Authentication
  • Factors that help identify you for
    authentication
  • Something you know
  • Something you have
  • Something you are
  • More of these factors used, more secure resource
    is
  • Increase security of network or computer system
    by introducing second factor
  • Called two-factor authentication

18
Public Key Infrastructure for Authentication with
Smart Cards
  • Active Directory supports use of smart cards
  • Part of Public Key Infrastructure (PKI)
  • Cryptography terms
  • Symmetric keys
  • Public key cryptography
  • Private/public key pair
  • X.509 digital certificate

19
Public Key Infrastructure for Authentication with
Smart Cards (continued)
  • Use Active Directory as repository for X.509
    certificates
  • Smart card
  • Provides nonvolatile memory
  • Stores owners certificate and private key
  • Small amount of computing power to perform
    encryption and decryption requiring private key
    on card itself

20
Public Key Infrastructure for Authentication with
Smart Cards (continued)
  • Use smart cards and certificates to increase
    security of the Windows-authentication process
  • System uses users private key
  • KDC employs public key of user to decrypt it
  • Can configure domain to require smart cards for
    logons
  • Can make them optional
  • Require them for some users, but not others

21
Active Directory Authorization
  • Used to determine what actions user can or cannot
    do
  • Discretionary access control list (DACL)
  • Defined as an access control list that is
    controlled by the owner of an object and that
    specifies the access that particular users or
    groups can have to the object

22
Discretionary Access Control List (DACL)
  • Associated with resources
  • List of access control entries (ACEs)
  • Specifies a who and a permission
  • Can be very specific
  • Allow or deny access
  • If no match is found between access token and
    DACL
  • Access is not permitted

23
Discretionary Access Control List (DACL)
(continued)
  • Most access control entries allow access
  • Deny ACEs used to change effect of permissions
    that user would otherwise have as member of group
  • Owner of object can always gain access to object
    by resetting its permissions
  • Owner of most Active Directory objects is Domain
    Admins Group

24
Inheritance
  • Permissions can be inherited from parent objects
  • Referred to as inheritance
  • Each ACE marked to indicate whether it is
    directly applied or inherited

25
Groups in Security
  • Security group
  • Container object used to organize collection into
    single security principal
  • Can contain
  • Users
  • Computers
  • Other groups
  • Simplify administration by assigning rights and
    permissions to group rather than to individual
    users

26
Groups in Security (continued)
  • No good reason to grant rights and permissions
    explicitly to individual users

27
Delegation of Control
  • Giving data owners ability to manage their own
    objects
  • To delegate control
  • Organize directory so that all objects in
    organizational unit have same data owner
  • Use Delegation of Control Wizard to create
    appropriate ACEs in DACL on the organizational
    unit
  • Allow them to be inherited to objects in
    organizational unit

28
Granular Control
  • Can delegate control with precision
  • Important part of flexibility of Active Directory
  • Advanced Security Settings dialog box
  • In Active Directory Users and Computers
  • Tab to display effective permissions

29
Permission Types
  • Standard
  • Used for everyday tasks
  • Found on main Security tab of object
  • Special permissions
  • Represent exact and granular permissions
    available
  • Can be very specific

30
Active Directory Auditing
  • System access control list (SACL)
  • Used for auditing object access
  • Very similar to DACLs

31
System Access Control List (SACL)
  • Same basic structure as DACL
  • Determines if access is audited

32
Auditing Event Categories
  • Audit account logon events
  • Audit account management
  • Audit directory service access
  • Audit logon events
  • Audit object access
  • Audit policy change
  • Audit privilege use
  • Audit process tracking
  • Audit system events

33
Protecting Network Resources
  • Number of other resources on network also rely on
    Active Directory for security
  • Use DACLs
  • Objects
  • NTFS
  • Printers
  • Shares
  • Registry keys

34
NT File System (NTFS)
  • Assigns security descriptor to each object
  • Object in file system has
  • Owner
  • DACL
  • SACL
  • NTFS DACL permissions relate to what users can do
    with the files and folders

35
Standard File Permissions in NTFS
36
Printers
  • Have security descriptor with
  • Owner
  • DACL
  • SACL
  • Standard permissions
  • Who can print to printer
  • Who can change printer settings
  • Who can manage documents

37
File Shares
  • User must first be allowed access to share, and
    then access to file
  • Very few choices
  • Allow or deny
  • Full control
  • Change
  • Read access
  • Use NTFS permissions to further restrict access
    to folder

38
Registry Keys
  • Values stored in registry control how computer
    system operates
  • Each registry key has typical Windows 2003
    security descriptor with
  • SACL
  • DACL
  • Specified owner

39
Other Applications
  • Many applications do not perform any
    authentication or authorization
  • Can be given access control by setting NTFS
    permissions on executable files or directory
  • Some applications perform authentication and
    authorization internally
  • Can also gain added protection using NTFS
    permissions

40
Other Applications (continued)
  • More sophisticated applications often use Active
    Directory for authentication
  • But provide own authorization
  • A few applications use Active Directory for
    authentication and authorization
Write a Comment
User Comments (0)
About PowerShow.com