70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory
Chapter 9: Active Directory Authentication and Security
Guide to MCSE 70-294, Enhanced 2
Objectives
• Describe security principals and how they are identified
• Describe the user authentication process in an Active Directory domain using the NTLM and Kerberos authentication protocols
• Demonstrate the use of DACLs to control access to objects in Active Directory
Objectives (continued)
• Demonstrate the use of SACLs to control auditing of objects in Active Directory
• Describe how network resources can be protected using security based on Active Directory
Security Principals
• User object
• inetOrgPerson object
• Computer object
• Security group object
• Each has an SID, which the Windows security subsystem uses to identify security principals
Security Identifiers
• Stored as an attribute with a binary value that specifies the SID of the user object
• Unique value used to identify the user as a security principal
• Can be written in a number of formats:
• Hexadecimal notation
• Security Descriptor Definition Language (SDDL)
Security Descriptor Definition Language (SDDL)
• Begins with S
• Followed by three to seven numbers, separated by hyphens
• First number is the revision level of the SDDL format
• Next is the identifier authority
• Next is the subauthority identifier
• “Well-known” SIDs identify certain users or groups
• Recognized by the OS
Domain and Relative Identifiers
• Domain identifier
• Calculated when the domain is created
• Three 32-bit numbers
• Guaranteed to be unique
• Relative Identifier (RID)
• 32 bits
• Identifies the object within the domain
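As an added illustration (not from the textbook), the following Python handles the SID formats described on these slides: it parses the SDDL string form, converts it to and from the binary form stored as an attribute value, and separates the domain identifier (three 32-bit numbers) from the RID. The SID values used in the comments and test are constructed samples.

```python
import re
import struct
from typing import NamedTuple, Optional, Tuple

class SID(NamedTuple):
    revision: int
    identifier_authority: int
    subauthorities: Tuple[int, ...]   # each one is a 32-bit number

# S, revision, identifier authority, then one or more hyphen-separated subauthorities
SDDL_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+){1,15})$")

def parse_sddl(text: str) -> SID:
    """Parse the SDDL string form of a SID (for example S-1-5-32-544)."""
    m = SDDL_RE.match(text)
    if not m:
        raise ValueError(f"not an SDDL SID: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("subauthority does not fit in 32 bits")
    return SID(int(m.group(1)), int(m.group(2)), subs)

def to_sddl(sid: SID) -> str:
    parts = [sid.revision, sid.identifier_authority, *sid.subauthorities]
    return "S-" + "-".join(str(p) for p in parts)

def to_binary(sid: SID) -> bytes:
    """Binary layout used where a SID is stored as an attribute value: revision byte,
    subauthority count byte, 6-byte big-endian authority, little-endian 32-bit subauthorities."""
    head = struct.pack("<BB", sid.revision, len(sid.subauthorities))
    auth = sid.identifier_authority.to_bytes(6, "big")
    return head + auth + struct.pack("<%dI" % len(sid.subauthorities), *sid.subauthorities)

def from_binary(blob: bytes) -> SID:
    rev, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its subauthority count")
    auth = int.from_bytes(blob[2:8], "big")
    return SID(rev, auth, struct.unpack_from("<%dI" % count, blob, 8))

def split_domain_rid(sid: SID) -> Optional[Tuple[str, int]]:
    """Domain account SIDs look like S-1-5-21-a-b-c-RID: the domain identifier is the
    three 32-bit numbers a, b, c and the RID is the last 32-bit number.
    Returns None for SIDs that are not domain-relative (well-known or built-in SIDs)."""
    subs = sid.subauthorities
    if sid.identifier_authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = to_sddl(SID(sid.revision, 5, subs[:4]))
        return domain, subs[4]
    return None
```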
Access Tokens
• Contains several important pieces of information:
• User’s SID
• SID for every group of which the user is a member
• Security subsystem examines the user’s access token
• Determines whether the user, or one of the groups of which the user is a member, has access to the resource
• Generated based on the authentication protocol used
Activity 9-1: Access Tokens
• Objective: View the contents of an access token
• Use the whoami command to view the access token
Permissions and Rights
• Used to control access on the system
• Permissions
• Rules associated with an object
• Define which users can gain access to the object
• Define what actions users can perform on the object
• Rights
• Define what tasks or operations a user can perform on the computer system or domain
Active Directory Authentication
• Authentication methods used in Windows Server 2003:
• NT LAN Manager (NTLM)
• Kerberos
NTLM Authentication
• Supported for backward compatibility with Windows NT 4.0 client computers
• Not the primary means of authentication in Windows Server 2003
• Based on the older authentication protocol called LAN Manager
NTLM Authentication Example
NTLM Issues
• Each time the user wants to access a resource, the user must be reauthenticated by a domain controller
• Only provides client authentication
• Easy to capture the NTLM challenge and use hacking tools to discover the password
Kerberos Authentication
• Default protocol for network authentication for all Windows Server 2003 computers
• Components:
• Security principal requesting access
• Key Distribution Center (KDC)
• Server holding resource or service being requested
Kerberos Authentication (continued)
• KDC services:
• Authentication Service
• Ticket-granting Service
• Authentication Service
• Ticket-granting ticket (TGT)
• Issued to the user when first authenticated during a successful logon
• Allows the user to request session tickets
Kerberos Authentication (continued)
• Authentication Service
• Ticket-granting ticket (TGT)
• Valid for 10 hours
• Ticket-granting Service
• TGT is submitted to the Ticket-granting Service on the KDC
• Sends two copies of the session ticket back to the user’s machine
Kerberos in Action
Down-level Client Authentication
• Older (pre-Windows 2000) clients are referred to as down-level clients
• Create a security concern
• Directory Services Client
• Available as an add-on component for Windows 95/98
• Enables these clients to use NTLMv2 on a Windows 2000/2003 network
Two-factor Authentication
• Factors that help identify you for authentication:
• Something you know
• Something you have
• Something you are
• The more of these factors used, the more secure the resource is
• Increase the security of a network or computer system by introducing a second factor
• Called two-factor authentication
Public Key Infrastructure for Authentication with Smart Cards
• Active Directory supports the use of smart cards
• Part of a Public Key Infrastructure (PKI)
• Cryptography terms:
• Symmetric keys
• Public key cryptography
• Private/public key pair
• X.509 digital certificate
Public Key Infrastructure for Authentication with Smart Cards (continued)
• Use Active Directory as a repository for X.509 certificates
• Smart card:
• Provides nonvolatile memory
• Stores the owner’s certificate and private key
• Small amount of computing power to perform the encryption and decryption requiring the private key on the card itself
Public Key Infrastructure for Authentication with Smart Cards (continued)
• Use smart cards and certificates to increase the security of the Windows authentication process
• System uses the user’s private key
• KDC employs the public key of the user to decrypt it
• Can configure the domain to require smart cards for logons:
• Can make them optional
• Require them for some users, but not others
Active Directory Authorization
• Used to determine what actions a user can or cannot do
• Discretionary access control list (DACL)
• Defined as “an access control list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object”
Discretionary Access Control List (DACL)
• Associated with resources
• List of access control entries (ACEs)
• Each ACE specifies a “who” and a permission
• Can be very specific
• Allow or deny access
• If no match is found between the access token and the DACL, access is not permitted
Discretionary Access Control List (DACL) (continued)
• Most access control entries allow access
• Deny ACEs are used to change the effect of permissions that the user would otherwise have as a member of a group
• Owner of an object can always gain access to the object by resetting its permissions
• Owner of most Active Directory objects is the Domain Admins group
Inheritance
• Permissions can be inherited from parent objects, which is referred to as inheritance
• Each ACE is marked to indicate whether it is directly applied or inherited
Groups in Security
• Security group
• Container object used to organize a collection of objects into a single security principal
• Can contain:
• Users
• Computers
• Other groups
• Simplifies administration by assigning rights and permissions to the group rather than to individual users
Groups in Security (continued)
• No good reason to grant rights and permissions explicitly to individual users
Delegation of Control
• Giving data owners the ability to manage their own objects
• To delegate control:
• Organize the directory so that all objects in an organizational unit have the same data owner
• Use the Delegation of Control Wizard to create the appropriate ACEs in the DACL on the organizational unit
• Allow them to be inherited by objects in the organizational unit
Activity 9-4: Using the Delegation of Control Wizard
• Objective: Set the permissions on an organizational unit using the Delegation of Control Wizard
• Follow instructions to delegate control
Granular Control
• Can delegate control with precision
• Important part of the flexibility of Active Directory
• Advanced Security Settings dialog box
• In Active Directory Users and Computers
• Has a tab to display effective permissions
Permission Types
• Standard
• Used for everyday tasks
• Found on the main Security tab of the object
• Special permissions
• Represent the exact and granular permissions available
• Can be very specific
Active Directory Auditing
• System access control list (SACL)
• Used for auditing object access
• Very similar to DACLs
System Access Control List (SACL)
• Same basic structure as a DACL
• Determines whether access is audited
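The access-token, DACL, inheritance and SACL rules from the preceding slides, as an added Python example that is not from the textbook: it orders ACEs (explicit before inherited, deny before allow), evaluates a token (user SID plus group SIDs) against a DACL, and reuses the same ACE structure as a SACL to decide whether an access is audited. The SIDs and access-mask bits are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple
READ, WRITE, DELETE = 0x1, 0x2, 0x4   # constructed access-mask bits for this example

@dataclass(frozen=True)
class ACE:
    trustee: str             # the "who": a user or group SID
    mask: int                # the permission bits this entry covers
    allow: bool = True       # DACL: allow (True) or deny (False); SACL: audit success (True) or failure (False)
    inherited: bool = False  # marked when the ACE was inherited from a parent object

@dataclass
class AccessToken:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)   # one SID per group membership
    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids

def canonical_order(acl: List[ACE]) -> List[ACE]:
    """Explicit ACEs precede inherited ones; within each group, deny precedes allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def check_access(token: AccessToken, dacl: List[ACE], requested: int) -> bool:
    """Evaluate a DACL against an access token (user SID plus group SIDs)."""
    sids, granted = token.sids(), 0
    for ace in canonical_order(dacl):
        if ace.trustee not in sids:
            continue                          # entry applies to somebody else
        if not ace.allow and ace.mask & requested & ~granted:
            return False                      # deny on a still-needed bit wins outright
        if ace.allow:
            granted |= ace.mask & requested
        if granted == requested:
            return True                       # every requested bit is now allowed
    return False                              # no match for some requested bit: not permitted

def audit_events(token: AccessToken, sacl: List[ACE], requested: int, granted: bool) -> List[str]:
    """A SACL has the DACL's structure but decides whether the access is audited."""
    sids, outcome = token.sids(), "success" if granted else "failure"
    return [f"{outcome}:{token.user_sid}" for ace in sacl
            if ace.trustee in sids and ace.mask & requested and ace.allow == granted]

def sample_decision() -> Tuple[bool, bool, List[str]]:
    """Constructed scenario: the user is in Everyone (S-1-1-0), which is allowed Read and Write, but an explicit deny ACE for the user removes Write."""
    alice = AccessToken("S-1-5-21-1-2-3-1105", {"S-1-1-0"})
    dacl = [ACE("S-1-1-0", READ | WRITE), ACE(alice.user_sid, WRITE, allow=False)]
    sacl = [ACE("S-1-1-0", WRITE, allow=False)]    # audit failed write attempts by Everyone
    can_write = check_access(alice, dacl, WRITE)
    return check_access(alice, dacl, READ), can_write, audit_events(alice, sacl, WRITE, can_write)
```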
Activity 9-7: Auditing Object Access
• Objective: Create a SACL on an Active Directory object so that access to the object can be monitored. Part of this activity requires you to work with a partner
• Follow instructions to create a SACL
Auditing Event Categories
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events
Protecting Network Resources
• A number of other resources on the network also rely on Active Directory for security
• Use DACLs
• Objects:
• NTFS
• Printers
• Shares
• Registry keys
NT File System (NTFS)
• Assigns a security descriptor to each object
• Each object in the file system has:
• Owner
• DACL
• SACL
• NTFS DACL permissions define what users can do with the files and folders
Standard File Permissions in NTFS
Printers
• Have a security descriptor with:
• Owner
• DACL
• SACL
• Standard permissions:
• Who can print to the printer
• Who can change printer settings
• Who can manage documents
File Shares
• User must first be allowed access to the share, and then access to the file
• Very few choices
• Allow or deny
• Full control
• Change
• Read access
• Use NTFS permissions to further restrict access to the folder
Registry Keys
• Values stored in the registry control how the computer system operates
• Each registry key has a typical Windows 2003 security descriptor with:
• SACL
• DACL
• Specified owner
Other Applications
• Many applications do not perform any authentication or authorization
• Can be given access control by setting NTFS permissions on the executable files or directory
• Some applications perform authentication and authorization internally
• Can also gain added protection using NTFS permissions
Other Applications (continued)
• More sophisticated applications often use Active Directory for authentication but provide their own authorization
• A few applications use Active Directory for both authentication and authorization
Summary
• SIDs work with ACEs in DACLs to control access to resources or objects, and with ACEs in SACLs to control auditing of resource use
• DACLs are lists of ACEs used to define permissions
• SACLs are lists of ACEs used to define auditing
• Delegation of control refers to assigning permissions on Active Directory objects so that data owners can manage their own objects
Summary (continued)
• The two primary user authentication methods in a Windows Server 2003 network are NTLM and Kerberos
• Active Directory supports smart cards and X.509 certificates with extensions to the Kerberos protocol, enabling asymmetric encryption during the exchange
• Other applications may use Active Directory for authentication, authorization, both, or neither