Staying Secure During an NT to Windows 2000 Migration

Paul Hinsberg, MCSE, MBA, CEO, CRSD Inc, http://www.crsdinc.com


Transcript of Staying Secure During an NT to Windows 2000 Migration

Page 1: Staying Secure During an NT to Windows 2000 Migration

Staying Secure During an NT to Windows 2000 Migration

Paul Hinsberg, MCSE, MBA

CEO, CRSD Inc

http://www.crsdinc.com

Page 2: Staying Secure During an NT to Windows 2000 Migration

Questions! Look to the lower left to submit a question.

Staying Secure During an NT to Windows 2000 Migration [email protected]

Introduction

Sources of Risk

Points of Risk During Migration

Understanding the Tools

Risks related to Services

Page 3: Staying Secure During an NT to Windows 2000 Migration


Sources of Risk

Lack of Direction

Lack of Planning/Testing

Lack of Knowledge

Page 4: Staying Secure During an NT to Windows 2000 Migration


Points of Risk During Migration

Planning Phase

Preparation

Implementation

Post-Implementation

Page 5: Staying Secure During an NT to Windows 2000 Migration


Planning Phase

Clear understanding of direction

Knowing what the Domain and OU structure will look like in the end

Established Group Policies

Understand the Business Objectives

Page 6: Staying Secure During an NT to Windows 2000 Migration


Preparation

Evaluation of Systems: review of the types of Services in your enterprise; separation of client facing and internal

Evaluation of Security: review of the Permissions, roles, and measures

Page 7: Staying Secure During an NT to Windows 2000 Migration


Evaluation of Systems

Identify all Servers and services: RAS, DHCP, Exchange, IIS, Terminal Services…

RAS will often require Windows 2000 security to be relaxed in order to accommodate users.

DHCP servers will need to be authorized in order to function correctly and, depending on configuration, carry risks.

Exchange 5.5 has its own directory and will need special care in order to migrate to Exchange 2000.

IIS implies outside access. Security should already be a focus here.

Terminal Services/Citrix will need some attention to maintain user access.

Page 8: Staying Secure During an NT to Windows 2000 Migration


Evaluation of Security

Understand the current security model completely

User group memberships: understanding SID History will be paramount

File Server DACL: cleaning this up will be tedious, but there are tools to help!

System Policies: you’ve created your own personal nightmare.

Page 9: Staying Secure During an NT to Windows 2000 Migration


Security Evaluation Tools

SCM – Security Configuration Manager (NT 4.0 SP4+). Careful! Q195509

AddUsers.exe – Resource Kit

ADMT for DACL Cleanup. Timing is important on this one!

Page 10: Staying Secure During an NT to Windows 2000 Migration


Implementation

Migration Types have different Risks

Groups/User Accounts

How other services influence security

Page 11: Staying Secure During an NT to Windows 2000 Migration


Migration Types

In-place

Restructure-migration combination

Moving to a pristine environment

Page 12: Staying Secure During an NT to Windows 2000 Migration


In-place

PDC/BDC is upgraded “as is”

Offers benefits of reduced migration time

Carries all of the old infrastructure baggage from the old NT domain

Operation and security are different than in a new build!

Page 13: Staying Secure During an NT to Windows 2000 Migration


In-place Security Issues

NT 4.0 User groups are moved as is.

Everyone group exists and allows unauthenticated users

Physical security of DCs is often missed

Page 14: Staying Secure During an NT to Windows 2000 Migration


Restructure-migration combination

Reorganization of Domains/Users/Groups is done before or after migration

Preparation of the NT 4.0 domain is required, or reorganization of domains afterward

Multiple phases can lead to disorganization

Best when building a pristine environment is not an option

Page 15: Staying Secure During an NT to Windows 2000 Migration


Restructure Security Issues

From a security standpoint requires the most diligence

Inadvertent access to Administrative level accounts is often missed

Frustration levels can be high, leading to relaxed security

Switch to Native Mode can cause operation issues.

Page 16: Staying Secure During an NT to Windows 2000 Migration


Pristine

Building a Windows 2000 AD and then migrating users

Allows for the least impact on users and reduces outage risks

Takes longer!

User Migration opens security risks

Page 17: Staying Secure During an NT to Windows 2000 Migration


Pristine Security Issues

Planning is a big key, and may often be rushed through

ADMT and Cloning of user accounts carries inherent security issues

Post-Migration cleanup is critical

Page 18: Staying Secure During an NT to Windows 2000 Migration


Groups/User Accounts

Clean up the groups and user accounts on DCs prior to any migration (ADDUSERS/NET USERS). Must be done before AND after migration

Special Attention to Administrators and Domain Admins groups

SID History

Page 19: Staying Secure During an NT to Windows 2000 Migration


SID History: Windows 2000 eases migration by allowing a SID History to exist

Pre-Migration: PaulHins

User SID: 1-5-46-4562654-23423523-33..

Groups: 1-5-46-243623-346234626-44.. ; 1-5-46-454982-132423423-43..

Post-Migration: PaulHins

User SID: 1-5-46-4326256-45236356-44…

Old User SID: 1-5-46-4562654-23423523-33.. (treated as a group)

Groups: 1-5-46-243623-346234626-44.. ; 1-5-46-454982-132423423-43.. (old NT 4.0 groups); 1-5-46-456456-234123421-86.. ; 1-5-46-346456-53453453-99.. (win2k groups)

Page 20: Staying Secure During an NT to Windows 2000 Migration


SID History Issues

ADMT/Clone can allow a properly authorized user to insert the SID of one account into the username of another.

Objects can only have 1,024 SIDs associated. Companies with many nested groups could run into a problem.

Post-Migration Cleanup is required
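The token picture from the SID History slide and the two issues above (old SIDs keep granting access; the 1,024-SID ceiling), worked through as an added example that is not part of the presentation. All SIDs, names, group nesting and the file-server DACL are constructed, and the access check is a simplified model of the Windows algorithm (no access mask, inheritance or well-known SIDs), so it shows the shape of the problem rather than a real ACL walk.

```python
"""Added illustration (not from the slides): how an access token grows when
sIDHistory is present, where the 1,024-SID ceiling bites for deeply nested
groups, and why an old-domain ACE keeps granting access until BOTH the
sIDHistory attribute and the resource DACL are cleaned up.  Every SID and
name here is constructed; the DACL walk is a simplified model."""

from dataclasses import dataclass, field

MAX_TOKEN_SIDS = 1024  # ceiling cited on the slide

# Constructed SIDs: "old" NT 4.0 domain (111-222-333) and "new" W2K domain.
OLD_USER_SID = "S-1-5-21-111-222-333-1210"
OLD_FINANCE_SID = "S-1-5-21-111-222-333-1105"
NEW_USER_SID = "S-1-5-21-444-555-666-2001"
NEW_FINANCE_SID = "S-1-5-21-444-555-666-2101"


@dataclass
class Principal:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)  # old-domain SIDs
    member_of: list = field(default_factory=list)    # names of groups


@dataclass
class Ace:
    sid: str
    allow: bool  # True = access-allowed ACE, False = access-denied ACE


def effective_sids(user, groups):
    """SIDs the token carries: user SID + its sIDHistory, then every group's
    SID + that group's sIDHistory.  A historical SID behaves exactly like an
    extra group membership, which is what the slide's diagram shows."""
    sids = [user.sid, *user.sid_history]
    for name in user.member_of:
        group = groups[name]
        sids.append(group.sid)
        sids.extend(group.sid_history)
    return list(dict.fromkeys(sids))  # dedupe, keep order


def token_fits(sids):
    """False when the token would exceed the 1,024-SID limit."""
    return len(sids) <= MAX_TOKEN_SIDS


def access_granted(token_sids, dacl):
    """Simplified DACL walk: the first ACE naming a SID in the token decides;
    no matching ACE means access is denied."""
    for ace in dacl:
        if ace.sid in token_sids:
            return ace.allow
    return False


def orphaned_aces(dacl, live_sids):
    """ACEs naming a SID no current principal carries: the clutter the
    post-migration DACL cleanup has to remove."""
    return [ace for ace in dacl if ace.sid not in live_sids]


def migration_walkthrough():
    """Before/after picture for one migrated user and one migrated group."""
    groups = {"Finance": Principal("Finance", NEW_FINANCE_SID, [OLD_FINANCE_SID])}
    paul = Principal("PaulHins", NEW_USER_SID, [OLD_USER_SID], ["Finance"])
    dacl = [Ace(OLD_FINANCE_SID, allow=True)]  # share never re-ACLed
    before = access_granted(effective_sids(paul, groups), dacl)
    # Cleanup step 1: clear sIDHistory on users AND groups.
    paul.sid_history = []
    groups["Finance"].sid_history = []
    token_after = effective_sids(paul, groups)
    after = access_granted(token_after, dacl)
    # Cleanup step 2: the DACL cleanup this report feeds.
    orphans = [ace.sid for ace in orphaned_aces(dacl, set(token_after))]
    return {"before": before, "after": after, "orphaned": orphans}


def deep_nesting_token(group_count):
    """Token size for a user in `group_count` migrated groups that each carry
    one historical SID: 2 + 2 * group_count."""
    groups = {
        f"G{i}": Principal(f"G{i}", f"S-1-5-21-444-555-666-{3000 + i}",
                           [f"S-1-5-21-111-222-333-{3000 + i}"])
        for i in range(group_count)
    }
    user = Principal("Nested", NEW_USER_SID, [OLD_USER_SID], list(groups))
    return len(effective_sids(user, groups))


if __name__ == "__main__":
    print(migration_walkthrough())
    for n in (200, 600):
        print(n, "groups ->", deep_nesting_token(n), "SIDs")
```

The walkthrough returns access granted before cleanup and denied after, with the old Finance SID reported as an orphaned ACE: clearing sIDHistory alone closes the path through the token, but the ACE stays as clutter until the DACL is re-written, which is why the slides treat both as required post-migration work. Note that migrating a user with sIDHistory through 600 history-carrying groups already doubles past the 1,024 limit.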

Page 21: Staying Secure During an NT to Windows 2000 Migration


Other Services

Services sometimes need administrative access (more often they are given the access although not required)

Service accounts will need to be treated separately during migration

Some systems that will need special attention: SMS, RAS, Exchange

Page 22: Staying Secure During an NT to Windows 2000 Migration


RAS

RAS (including VPN, Dialup, etc) may require some relaxed security on Windows 2000 in order to operate during the migration (Mixed Mode)

The general solution is to allow the EVERYONE group to read user attributes. Thus, unauthenticated users can see user accounts.

Upgrading RAS systems to Windows 2000 as soon as possible is best

Page 23: Staying Secure During an NT to Windows 2000 Migration


DHCP

Has the ability to dynamically update machine records

If installed on a Domain Controller can lead to security holes – Q255134, Q309625

Requires authorization to operate correctly.

Page 24: Staying Secure During an NT to Windows 2000 Migration


DNS

Windows 2000 DNS allows for Dynamic Updates.

Until the Domain is in Native Mode, Dynamic Updates may not be an option

This can permit unauthorized updates to the DNS or force you to perform manual entries.

Understanding this vulnerability and monitoring the changes is key

Page 25: Staying Secure During an NT to Windows 2000 Migration


Post Implementation

DACL Cleanup: Access Control Lists are the most tedious task, but a required one. The SIDs from the previous domains may still exist and need to be cleared.

SID History: Old SIDs represent clutter and a security issue. The ADSI Edit Tool can find these and clean them out.

Native Mode Transition

Page 26: Staying Secure During an NT to Windows 2000 Migration


Tools of the Trade

Active Directory Migration Tool (ADMT)

ClonePrincipal

ADSI

NT Resource Kit

Windows 2000 Support Tools

Page 27: Staying Secure During an NT to Windows 2000 Migration


ADMT/Clone

In a migration the Active Directory Migration Tool is going to be one of the main weapons

https://www.microsoft.com/windows2000/downloads/tools/default.asp

Page 28: Staying Secure During an NT to Windows 2000 Migration


ADMT Reports

Migrated Users and Groups Report: This report summarizes the results of the user and group migration operations.

Migrated Computers Report: This report summarizes the results of the computer migration operations.

Expired Computers Report: This report lists the computer accounts with expired passwords.

Impact Analysis Report: This report lists the user accounts and groups that will be affected by computer migration operations.

Name Conflicts Report: This report lists the user accounts and groups that exist in both the source and target domains.

Page 29: Staying Secure During an NT to Windows 2000 Migration


ADMT Use

Only local Administrators on the DCs will be able to use the tool

Only install the tool on the Windows 2000 DC that will be used to migrate the users.

Use NTFS permissions to further restrict the running of the tool on the system.

Page 30: Staying Secure During an NT to Windows 2000 Migration


ADSI Edit

An MMC Snap-in that is used to search for the SID History for the users. To perform the search: connect to a domain, create a query, and cut and paste this…

(&(objectCategory=user)(SIDhistory=*))

Then run it.

ADSI Scripting allows for the removal of SID History (the GUI does NOT).
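An added example, not part of the presentation, that serves both the ADSI Edit slide above and the post-implementation SID History cleanup slide: a small evaluator for the exact filter the slide gives, run over a constructed LDIF export, followed by the LDIF change records a scripted cleanup would import to clear sIDHistory. Assumptions: the export stores objectCategory as the short class name (a real AD export shows the schema DN the directory resolves that name to), sIDHistory is a plain string attribute, and the generated records are reviewed and then imported with a tool such as ldifde by an account allowed to write sIDHistory. It also runs the broader filter (sIDHistory=*), because the slide's user-only query does not catch migrated groups, which carry history too.

```python
"""Added example (not from the slides): LDAP-filter evaluation over a
constructed LDIF export, then LDIF change records to clear sIDHistory.
Directory contents, DNs and SIDs are constructed for illustration."""

SAMPLE_LDIF = """\
dn: CN=Paul Hins,OU=Migrated,DC=corp,DC=example
objectCategory: user
sAMAccountName: PaulHins
objectSid: S-1-5-21-444-555-666-2001
sIDHistory: S-1-5-21-111-222-333-1210

dn: CN=Finance,OU=Migrated,DC=corp,DC=example
objectCategory: group
sAMAccountName: Finance
objectSid: S-1-5-21-444-555-666-2101
sIDHistory: S-1-5-21-111-222-333-1105

dn: CN=New Hire,OU=Users,DC=corp,DC=example
objectCategory: user
sAMAccountName: NewHire
objectSid: S-1-5-21-444-555-666-2002
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, attribute names lower-cased,
    every attribute a list of values (sIDHistory is multi-valued in AD)."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def parse_filter(text):
    """Recursive-descent parser for the filter subset the slide uses:
    &, |, !, presence (attr=*) and equality (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed {op} at {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one record."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD string match is case-insensitive


def search(entries, filter_text):
    """DNs of the records the filter selects, in export order."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


def ldif_clear_sid_history(entries, dns):
    """LDIF 'modify' records that delete every sIDHistory value on the named
    objects; review, then import (assumption: via ldifde or an ADSI script)."""
    out = [f"dn: {e['dn'][0]}\nchangetype: modify\ndelete: sIDHistory\n-\n"
           for e in entries if e["dn"][0] in dns and e.get("sidhistory")]
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("users:", search(entries, "(&(objectCategory=user)(SIDhistory=*))"))
    with_history = search(entries, "(sIDHistory=*)")  # catches groups too
    print(ldif_clear_sid_history(entries, with_history))
```

The slide's filter returns only the migrated user; the presence-only filter also returns the migrated group, and the cleanup records are generated for both. The attribute-name comparison is case-insensitive on purpose, matching how the directory treats the `SIDhistory` spelling on the slide.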

Page 31: Staying Secure During an NT to Windows 2000 Migration


Don’t Let Frustration Rule You!

Planning, Testing and Patience will be your best defense against the pressure and complexities of the migration!

Page 32: Staying Secure During an NT to Windows 2000 Migration


Questions!

Please click the Ask a Question link in the lower left part of the screen to submit a question.