Directory Services Account Provisioning - PowerPoint PPT Presentation

1
Directory Services Account Provisioning
  • June 12th, 2007
  • Bill Claycomb
  • Computer Systems Analyst
  • Infrastructure Computing Systems Department

Sandia is a multiprogram laboratory operated by
Sandia Corporation, a Lockheed Martin
Company, for the United States Department of
Energy's National Nuclear Security
Administration under contract DE-AC04-94AL85000.
2
Agenda
  • Introduction
  • Motivation
  • Implementation
  • Challenges faced
  • Additional capabilities
  • Future work
  • Questions

3
Introduction
  • Directory Services
    • "A directory service is a software application
      or a set of applications that stores and
      organizes information about a computer network's
      users and network resources" - Wikipedia
  • Popular Varieties
    • Microsoft Active Directory
    • Apple Open Directory
    • Novell eDirectory
    • OpenLDAP
    • Fedora Directory Server
    • Sun Directory Services

4
Our Implementation
  • Infrastructure Computing Systems/Services
    • Manages corporate Windows domains
    • User accounts
    • Corporate Windows-based services
      • Web services
      • Corporate storage system (SDSS)
      • Email (Microsoft Exchange)
      • Database (Microsoft SQL)
      • Application Servers
      • Miscellaneous Services
  • Migrated from NTDS to Active Directory in 2003

5
Motivation
  • Provide user account provisioning and
    de-provisioning in a timely, reliable manner.
  • Manage account changes in a way that reduces the
    impact on the user
  • Monitor for and react to unauthorized accounts
    within the directory.

6
Account Provisioning
  • Process of creating a new user account
  • Seems simple, but is actually quite complex
    • System of interconnected services
      • Exchange
      • Corporate Storage System
      • Terminal Services
      • Other account restrictions
    • Some systems are Microsoft-based, some are not

7
Infrastructure
  • Authoritative data source for user accounts
    • Network Information System (NWIS)
    • Populated from various sources based on
      information gathered during
      employee/contractor/visitor account creation
      • Badge office
      • HR
      • Etc.
  • Authoritative repository for user accounts
    • Active Directory
    • All user accounts are managed by a single process
    • Unauthorized accounts are not permitted

8
Process
  • Compare users from NWIS to users in AD
    • Every 5 minutes
    • Add new users
    • Disable old users
    • Modify existing users
  • Perform other administrative tasks as required
    • Administrative reporting
    • Rename processing

9
Implementation
  • Custom application
    • Developed using Microsoft .NET (C#)
    • Interoperability with Active Directory
    • Portable to Microsoft user management
      applications
  • Other options considered
    • Microsoft MIIS
      • Not flexible enough to meet non-Microsoft
        interoperability needs
    • Radiant Logic RadiantOne
      • Did not provide enforcement capability
      • Difficult to configure and maintain

10
Challenges Faced
  • Time constraints
    • Goal: New user accounts created in AD within 5
      minutes of population in NWIS

11
Challenges Faced
  • Enforcement
    • Detect, disable, and notify administrators of
      unauthorized accounts found in the directory
    • Allow for accounts to be manually disabled by
      system administrators
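The Process slide (compare NWIS to AD every 5 minutes; add, modify, disable) and the Enforcement slide (detect and disable unauthorized accounts, but let administrators disable accounts by hand) describe one reconciliation pass. The following is an added Python example of that pass, not the presenter's .NET application; the record shapes, the `uid` stamp, the `admin_disabled` marker, the notification categories and the sample users are all constructed for the demonstration.

```python
"""One pass of the NWIS -> AD reconciliation cycle (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class NwisUser:
    """Authoritative record (constructed shape, not the real NWIS schema)."""
    uid: str            # stable identifier assigned by NWIS
    username: str
    display_name: str


@dataclass
class AdAccount:
    """Directory record (constructed shape)."""
    username: str
    display_name: str
    enabled: bool = True
    uid: Optional[str] = None      # identifier stamped by the provisioning process
    admin_disabled: bool = False   # assumed marker: an administrator disabled this by hand


def reconcile(nwis, ad):
    """Return the actions for this pass, keyed by action type. Nothing is applied here."""
    plan = {"add": [], "modify": [], "disable": [], "unauthorized": [], "left_disabled": []}
    nwis_by_uid = {u.uid: u for u in nwis}
    ad_by_uid = {a.uid: a for a in ad if a.uid is not None}

    # Source -> directory: create, update, or re-enable managed accounts.
    for u in nwis:
        a = ad_by_uid.get(u.uid)
        if a is None:
            plan["add"].append(u.username)
            continue
        if a.admin_disabled:
            # Administrators may disable accounts manually; the process never undoes that.
            plan["left_disabled"].append(a.username)
            continue
        changes = {}
        if a.username != u.username:
            changes["username"] = (a.username, u.username)   # handed to rename processing
        if a.display_name != u.display_name:
            changes["display_name"] = (a.display_name, u.display_name)
        if not a.enabled:
            changes["enabled"] = (False, True)
        if changes:
            plan["modify"].append((a.username, changes))

    # Directory -> source: de-provision departed users, flag accounts nobody provisioned.
    for a in ad:
        if a.uid is None:
            plan["unauthorized"].append(a.username)   # no stamp: created outside the process
        elif a.uid not in nwis_by_uid and a.enabled:
            plan["disable"].append(a.username)        # no longer in the authoritative source
    return plan


def notifications(plan):
    """Administrator notifications grouped by category (constructed categories)."""
    notes = []
    for name in plan["unauthorized"]:
        notes.append(("security", f"unauthorized account {name}: disabling and reporting"))
    for name in plan["disable"]:
        notes.append(("deprovision", f"{name} not in NWIS: disabling"))
    for name, changes in plan["modify"]:
        if "username" in changes:
            notes.append(("rename", f"{name} -> {changes['username'][1]}: pending rename"))
    return notes


# Constructed sample data: one new hire, one display-name drift, one manual disable,
# one departed user, and one account with no provisioning stamp at all.
SAMPLE_NWIS = [
    NwisUser("n1001", "jdoe", "Doe, Jane"),
    NwisUser("n1002", "rsmith", "Smith, Robert"),
    NwisUser("n1003", "alee", "Lee, Ann"),
    NwisUser("n1004", "tnguyen", "Nguyen, Tom"),
]
SAMPLE_AD = [
    AdAccount("jdoe", "Doe, Jane", uid="n1001"),
    AdAccount("rsmith", "Smith, Bob", uid="n1002"),
    AdAccount("alee", "Lee, Ann", enabled=False, uid="n1003", admin_disabled=True),
    AdAccount("bjones", "Jones, Bill", uid="n0999"),
    AdAccount("testacct", "Test Account"),
]

if __name__ == "__main__":
    p = reconcile(SAMPLE_NWIS, SAMPLE_AD)
    for kind, items in p.items():
        print(kind, items)
    for category, message in notifications(p):
        print(category, message)
```

The plan is computed first and applied afterwards so that a single pass can be logged and reported on as a unit; the `left_disabled` bucket is what keeps the enforcement loop from fighting an administrator's deliberate disable.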

12
Challenges Faced
  • Account identification
    • Unique identifier
    • How to prevent tampering

13
Challenges Faced
  • Preventing account tampering
    • Enforce certain attributes
    • Encode sensitive account information
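The two slides above ask for a unique identifier that resists tampering and for enforced attributes. One way to meet both is for the provisioning process to stamp each account it creates with the NWIS identifier plus a keyed hash (HMAC) over the identifier and the attributes it owns, and to re-apply those attributes from the authoritative record whenever the hash no longer verifies. This is an added Python example of that approach, not the presenter's code; HMAC is an assumed technique (the slides do not say how tampering was prevented or how sensitive information was encoded), and the attribute names and demo key are constructed.

```python
"""Tamper-evident account stamp and attribute enforcement (added example, assumed design)."""
import hashlib
import hmac

# Attributes the provisioning process owns on every account it creates
# (constructed names; the real attribute set is not on the slides).
ENFORCED = ("nwisId", "sAMAccountName", "accountRestriction")

# Demo key only. In practice the key is a persisted secret held solely by the
# provisioning service, so nothing else in the directory can produce a valid seal.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def seal(attrs, key):
    """HMAC-SHA256 over the enforced attributes in a fixed order.

    Binding the NWIS identifier to the account name and restriction means none of
    them can be edited, or the identifier moved to another account, without the
    seal failing on the next provisioning pass.
    """
    canonical = "\x1f".join(f"{k}={attrs[k]}" for k in ENFORCED).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def provision(nwis_id, username, restriction, key):
    """Attribute set the process writes to a newly created account."""
    attrs = {"nwisId": nwis_id, "sAMAccountName": username, "accountRestriction": restriction}
    attrs["provSeal"] = seal(attrs, key)
    return attrs


def check(attrs, key):
    """Findings for an account read back from the directory (empty list = clean)."""
    if "provSeal" not in attrs or "nwisId" not in attrs:
        return ["unmanaged: no provisioning identifier/seal (created outside the process)"]
    if not hmac.compare_digest(attrs["provSeal"], seal(attrs, key)):
        return ["tampered: enforced attribute or identifier changed outside the process"]
    return []


def enforce(attrs, expected, key):
    """Re-apply enforced attributes from the authoritative record and re-seal.

    Returns (corrected_attrs, names of attributes that had to be restored).
    """
    corrected = dict(attrs)
    restored = [k for k in ENFORCED if corrected.get(k) != expected[k]]
    for k in restored:
        corrected[k] = expected[k]
    corrected["provSeal"] = seal(corrected, key)
    return corrected, restored


if __name__ == "__main__":
    # Constructed scenario: a restricted account has its restriction lifted by hand.
    authoritative = {"nwisId": "n1001", "sAMAccountName": "jdoe",
                     "accountRestriction": "foreign-national"}
    acct = provision("n1001", "jdoe", "foreign-national", DEMO_KEY)
    print("fresh account:", check(acct, DEMO_KEY))
    edited = dict(acct, accountRestriction="none")
    print("after manual edit:", check(edited, DEMO_KEY))
    fixed, restored = enforce(edited, authoritative, DEMO_KEY)
    print("restored:", restored, "->", check(fixed, DEMO_KEY))
```

Verification is relative to the key, so the process can detect edits without knowing what the attacker changed; restoring the correct values still comes from the authoritative source, which is why `enforce` takes the NWIS record rather than trusting anything on the account.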

14
Challenges Faced
  • Administrative notification
    • Different categories of notification
    • Different notification recipients
  • Metrics
    • Gathering provisioning metrics
    • Distributing metrics reports to appropriate users
    • Exception process for accounts created outside
      acceptable limits

15
Challenges Faced
  • Account Restrictions
    • Foreign National Accounts
    • Email-only Accounts
    • Visitor Accounts

16
Challenges Faced
  • Account Maintenance
    • User renames are tricky
      • Corporate storage system is based on usernames
      • Usernames are based on actual names
      • Email addresses are based on username
    • Properly notifying users of pending changes
    • Account removal does not happen immediately

17
Challenges Faced
  • Entity accounts
    • Accounts used for administrative purposes,
      automated tasks, etc.
    • Associated with a regular user account
    • Some attributes are handled differently
    • Must inherit restrictions from associated account

18
Challenges Faced
  • Attribute application issues
    • Some attributes need to be applied after accounts
      are created
    • Some attributes only need to be applied once
    • Some attributes need to be enforced under certain
      circumstances only

19
Challenges Faced
  • Cross-Domain Services
    • Authoritative data source exists on one domain
    • Provisioning service runs on multiple domains

20
Challenges Faced
  • Interfacing with non-Microsoft products
    • Quota management application
      • Related but separate provisioning needs
    • Applying new folder permissions on corporate file
      share directory

21
Challenges Faced
  • Finicky users
    • Information from AD is used in other applications
      • Web portal
      • Email
    • Name formatting issues
      • Display name issues
      • Nickname issues

22
Challenges Faced
  • Evolving security structure
    • User account control is necessary to
      implement/enforce two-factor authentication
      • Requires enforcement of two-factor authentication
        requirements, as specified by NWIS
    • Account restrictions change as services either
      change or are migrated to new systems

23
Other Applications
  • Easily portable across domains
    • Open network, Classified network, external
      networks (DMZ, YMP)
    • Requires secure data transfer mechanism
  • Applies to other initiatives as well
    • LOFTS
      • Automatically restrict accounts to access only
        required resources
    • Computer account management
      • Enforce computer account membership, based on
        corporate business rules

24
Future Work
  • Enhance secure transfer mechanism for
    cross-domain use
  • Implement encryption techniques to protect
    sensitive data
  • Update to .NET Framework 3.0 to fully utilize
    improved features such as object security
  • Computer account management

25
Questions