Transcript of on Microsoft Based Platforms - GSE Young …
on Microsoft Based Platforms
Agenda:
• The problem description
• Some Windows security terminology: Security Descriptor, Security Identifier, Discretionary Access Control List / System ACL, Access Control List Entries, Mandatory Integrity Control, Security boundaries, User Account Control, Managed Service Accounts, Security Groups
• Privileges, Access & Authorization
• Active directory
• Forefront Identity Manager 2010
Security descriptor of BDEvent.doc (figure):
Header
Owner SID: REDMOND\BillB
DACL, three ACEs in this order:
  ACE 1: REDMOND\DavidJo, Access Denied, RWX
  ACE 2: REDMOND\MSTE, Access Allowed, RX
  ACE 3: REDMOND\BillB, Access Allowed, WD
SACL
Access token for … (its user and group SIDs are compared against the DACL's ACEs, in order, during the access check)
Interactive logon (figure):
1. CAD: the secure attention sequence (Ctrl+Alt+Del) is handled by Winlogon (code, data).
2. Collect Credential: Winlogon invokes the Credential Providers.
3. Enter Credentials: the user supplies them through the credential provider UI.
4. LsaLogonUser: Winlogon passes the credentials to LSASS.EXE (code, data, policy), which hands them to an authentication package: NTLM, Kerberos, or Negotiate (which selects between the two). Kerberos talks to the KDC + AD on the domain controller; NTLM pass-through goes over the Netlogon secure channel; the LSA Secrets Store holds the machine's own secrets.
User Account Control: Admin Process or Standard User Process?
Which of these need an admin process, and which can run in a standard user process?
• Change Time Zone
• Run Standard User Compliant Applications
• Install Fonts
• Run MSN Messenger
• IE
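As an added example (not code from the slides), the access check that the BDEvent.doc security descriptor illustrates, simulated in Python and extended to the UAC token split: an administrator's filtered standard-user token carries the Administrators group as "use for deny only", so that SID still matches Access Denied ACEs but never collects rights from Access Allowed ACEs. The access bit values (not the real Win32 masks), the accounts REDMOND\Alice and REDMOND\Admin1, and the two extra descriptors are constructed for the example; the three ACEs on BDEvent.doc are the ones from the slide.

```python
"""Windows DACL access check, simulated (added example, not code from the slides).

Walks a DACL the way the security reference monitor does: owner rights first,
then the ACEs in the order they appear, stopping at the first Access Denied
ACE that covers a still-outstanding right, or as soon as every requested
right has been collected from Access Allowed ACEs.  Also models the UAC
token split: the filtered standard-user token lists Administrators as
"use for deny only".

Constructed for the example: the access bit values (not the real Win32
masks), the accounts REDMOND\\Alice and REDMOND\\Admin1, and the two extra
security descriptors.  The BDEvent.doc descriptor is the one on the slide.
"""
from dataclasses import dataclass, field

R, W, X = 1, 2, 4        # read / write / execute (constructed bit values)
WRITE_DAC = 8            # right to rewrite the DACL ("WD" on the slide)
READ_CONTROL = 16        # right to read the security descriptor


@dataclass
class ACE:
    sid: str
    allowed: bool        # True = Access Allowed ACE, False = Access Denied ACE
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list           # ordered ACEs; None means "no DACL", i.e. everyone gets everything
    sacl: list = field(default_factory=list)   # audit ACEs, never consulted for access


@dataclass
class Token:
    user: str
    groups: set
    deny_only: set = field(default_factory=set)   # SE_GROUP_USE_FOR_DENY_ONLY groups

    def matches_allow(self, sid):
        return sid == self.user or sid in self.groups

    def matches_deny(self, sid):
        return self.matches_allow(sid) or sid in self.deny_only


def access_check(sd, token, desired):
    """Return (granted, reason) for the requested access mask `desired`."""
    if sd.dacl is None:
        return True, "no DACL: unrestricted access"
    # The owner implicitly holds READ_CONTROL and WRITE_DAC before any ACE is read.
    granted = (READ_CONTROL | WRITE_DAC) & desired if token.matches_allow(sd.owner) else 0
    if granted == desired:
        return True, "granted by ownership"
    for n, ace in enumerate(sd.dacl, start=1):
        remaining = desired & ~granted
        if ace.allowed:
            if token.matches_allow(ace.sid):
                granted |= ace.mask & desired
        elif token.matches_deny(ace.sid) and (ace.mask & remaining):
            # The first deny that covers an outstanding right ends the check,
            # regardless of any allow ACE that follows it.
            return False, f"denied by ACE {n} ({ace.sid})"
        if granted == desired:
            return True, f"granted after ACE {n}"
    return False, "end of DACL reached with access still outstanding"


# The descriptor from the slide: owner BillB, three ACEs in the listed order.
BDEVENT = SecurityDescriptor(
    owner="REDMOND\\BillB",
    dacl=[
        ACE("REDMOND\\DavidJo", allowed=False, mask=R | W | X),
        ACE("REDMOND\\MSTE", allowed=True, mask=R | X),
        ACE("REDMOND\\BillB", allowed=True, mask=WRITE_DAC),
    ],
)

# Constructed descriptors for the UAC part.
ADMIN_TOOL = SecurityDescriptor(
    owner="BUILTIN\\Administrators",
    dacl=[ACE("BUILTIN\\Administrators", allowed=True, mask=R | X)],
)
NO_ADMIN_WRITES = SecurityDescriptor(
    owner="REDMOND\\BillB",
    dacl=[
        ACE("BUILTIN\\Administrators", allowed=False, mask=W),
        ACE("BUILTIN\\Users", allowed=True, mask=R | W),
    ],
)


def uac_tokens(user):
    """The two tokens UAC creates for an administrator at logon (modelled)."""
    elevated = Token(user, {"BUILTIN\\Administrators", "BUILTIN\\Users"})
    filtered = Token(user, {"BUILTIN\\Users"}, deny_only={"BUILTIN\\Administrators"})
    return elevated, filtered


if __name__ == "__main__":
    elevated, filtered = uac_tokens("REDMOND\\Admin1")
    cases = [
        ("MSTE member reads BDEvent.doc", BDEVENT, Token("REDMOND\\Alice", {"REDMOND\\MSTE"}), R | X),
        ("DavidJo, also in MSTE, reads it", BDEVENT, Token("REDMOND\\DavidJo", {"REDMOND\\MSTE"}), R),
        ("owner BillB rewrites the DACL", BDEVENT, Token("REDMOND\\BillB", set()), WRITE_DAC),
        ("owner BillB reads the file", BDEVENT, Token("REDMOND\\BillB", set()), R),
        ("elevated admin runs the tool", ADMIN_TOOL, elevated, R | X),
        ("filtered admin runs the tool", ADMIN_TOOL, filtered, R | X),
        ("filtered admin writes a doc", NO_ADMIN_WRITES, filtered, R | W),
    ]
    for label, sd, token, desired in cases:
        print(f"{label:36} -> {access_check(sd, token, desired)}")
```

Two things the run makes visible that the figure alone does not: DavidJo is refused read even though his MSTE membership would allow it, because his deny ACE is listed first and the walk stops there (this is why ACL editors keep DACLs canonical, explicit denies before explicit allows; a DACL written with the raw APIs in a different order would grant first); and the owner, BillB, can rewrite the DACL without any ACE saying so, but gets no implicit read. The filtered UAC token is refused by the admin-only tool because its Administrators SID cannot match an allow ACE, yet it is still caught by the deny ACE on the document, which is exactly the "deny only" semantics.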
Impersonation
Separation of duties with Microsoft Authorization Manager
Microsoft Authorization Manager (AzMan) is part of Windows Server and provides role-based access control (operations grouped into tasks and roles) that can be used to enforce separation of duties.
New auditing categories:
• Directory Service Access
• Directory Service Changes (records the old and new attribute values, not just that an object was touched)
• Directory Service Replication
• Detailed Directory Service Replication
FIM group management provides the ability to perform the following:
• Create and manage Security Groups
• Add and remove members from Groups
• Join and leave Groups
• Perform extensive searches on groups
• View a history of actions taken on specific groups
• Workflows (delegation, escalation…)
• View request status as the requestor, or group owner
• Assign co-owners to assist in managing your Groups
• Dynamic (calculated) groups based on attributes (query builder or XPath)
Manage the Identity Lifecycle