presentation4
COMP3122
Network Management
Richard Henson
February 2012
Week 4 – Managing
Network/Domain Users using
Active Directory
Objectives
– Explain architecture and administrative
roles of active directory
– Apply secure file system principles and
active directory to controlling access for
groups of network users
– Apply active directory group policies across
one/more domain using active directory
Windows Networks pre-2000
Before active directory:
– Novell & Unix had network directory systems
» all network devices on the LAN (or WAN) categorised and
centrally listed
– Microsoft networks just had categorisation of
devices at the server level
» each domain controller had an independent configuration
» user database saved separately on each domain controller
Consequence: Microsoft networks not
considered to be sufficiently scalable to be
used by large organisations…
Windows Naming
Prior to Active Directory
(AD)
One-dimensional system called WINS
named the components of a Windows
network
– used NETBIOS names
– mapped to IP addresses of components
AD allowed Microsoft to progressively
embrace DNS naming for network
components
AD, Network Naming, and DNS
Network Names based on DNS names
– 2 dimensional structure
– DNS is hierarchical…
AD Creates a DNS zone, which should fit
into the Internet’s DNS
Naming of each component added to AD
carefully planned to fit with DNS zones
rules
More Wonders of
Active Directory…
Gave Windows networks…. “credibility”
– “global catalog” (central database)
» all network users, groups of users, devices, services
centrally controlled by domain controller cluster
and “kudos…”
– distributed database, means to access it, and
security features all developed with RFCs
» stark contrast with Novell’s NDS - proprietary
protocols; not in compliance with standards
The Active Directory store
Global Catalog
– stored as the file NTDS.DIT when the first
domain controller is created
– distributed across all domain controllers
» covers all “objects” on domain controllers
e.g. shared resources such as servers, files, printers;
network user and computer accounts
– directory changes automatically replicated
to all domain controllers
More about Active Directory
Global Catalog (hierarchical/tree)
– not only holds DNS names for all objects in the
domain
» also stores each object's “properties”
» allows network users to search by selected attributes to find
an object easily, regardless of where it is in the tree
Centralised Management of everything to do
with the network…
– Microsoft Management Console (MMC) interface
centrally manages users, clients, and servers
through a single consistent screen display
Active Directory and
Domain Trees
AD naming easily and logically links domains
– very useful for organisation networks that
may require more than one domain (e.g.
old campus and new campus?)
– each domain identified by its DNS domain
name
» hierarchy needs careful planning
» allocate names within DNS zone
Domain Trees and
DNS naming
Advantage of a single DNS zone…
– multiple domains can make up a parent-child structure
» domain tree
Separate DNS zones…
– logically non-contiguous
– form separate domain trees
– user/resource management across
trees/zones more difficult
Security and Active Directory
Some features (first two already covered in
COMP3123)
– Kerberos Authentication
– Smart Card Support
» Supports logon via smart cards for strong authentication to
sensitive resources
– LDAP over SSL
» Support for LDAP over secure sockets layer (SSL) for secure
directory transactions for extranet and e-commerce applications
– Transitive Domain Trust
» Transitive trust agreements greatly reduce the number of
trust relationships to manage between Windows domains
Active Directory and
“controlling” Users
“Groups” already well established for
managing network users
Active directory centrally organised resources
including all computers
– allowed groups to become more powerful for user
management
– exploited by enabling the organisation of users
and groups of users into:
» organisational units
» sites
» domains
Managing Domain Users with
Active Directory
Only administrators can set up and
manage user accounts
Should use a standard naming
system when setting up usernames
– e.g. first three-six letters of surname
followed by one or more initials
– each username must be unique!
Storage Needs of Users
Windows NT option to generate user
space with username as folder name
– easy automation of multiple user area
creation…
– the %username% variable could be used
AD uses/enhances this facility
“Intermediate” Users (but
NOT administrators)
Greater access to aspects of the
network, to perform particular
tasks:
– manage services (e.g. printing)
– manage particular files and
directories (e.g. dept matters)
– manage cluster housekeeping (e.g.
backups of server data)
Protecting Passwords
Earlier versions of Windows used a relatively
weak method of password protection, which
could be hacked with the right equipment
From Windows 2000 onwards (in fact, NT 4
SP2), more sophisticated encryption was used…
– until Vista arrived this was turned off by default for
“compatibility reasons”
Any network user on a pre-Vista client system
should make sure this password feature,
offered in group policy, is turned on…
– “passwords must meet complexity requirements”
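What that group policy setting actually tests is rarely spelt out, so here is the classic Windows 2000/2003 complexity rule as an added example (not part of the lecture): at least six characters, three of four character classes, and no fragment of the account or display name. The account names and passwords used are constructed.

```python
# Added example (not from the lecture): the check a domain controller applies when
# "Passwords must meet complexity requirements" is enabled, in its classic
# Windows 2000/2003 form, usable to screen a proposed password before a change.
# Account names and passwords below are constructed sample values.
import re
import string

# Three of the four classes are required; the fourth (non-alphanumeric) is
# everything not in these three.
ALNUM_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def name_fragments(sam_account_name: str, display_name: str) -> set:
    """Name parts the password must not contain: the whole account name (when it
    is 3+ characters) and every display-name token of 3+ characters, split on the
    delimiters Windows uses (space, comma, period, hyphen, underscore, #, tab)."""
    frags = set()
    if len(sam_account_name) >= 3:
        frags.add(sam_account_name.lower())
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3:
            frags.add(token.lower())
    return frags


def meets_complexity(password: str, sam_account_name: str = "",
                     display_name: str = "") -> tuple:
    """Return (ok, reasons); an empty reasons list means the password passes."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    lowered = password.lower()
    for frag in sorted(name_fragments(sam_account_name, display_name)):
        if frag in lowered:
            reasons.append(f"contains name fragment '{frag}'")
    classes = sum(any(c in cls for c in password) for cls in ALNUM_CLASSES)
    classes += any(c not in string.ascii_letters + string.digits for c in password)
    if classes < 3:
        reasons.append(f"uses only {classes} of the 4 character classes")
    return not reasons, reasons


if __name__ == "__main__":
    for pw in ("Summer2012!", "Smith123", "password"):
        print(pw, meets_complexity(pw, "jsmith", "John Smith"))
```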
Making Sure Users don’t get
the Administrator Password!
File security assumes that only the
network manager can log on as
administrator
– but if a user can guess the password…
Strategies:
– rename the administrator account to something
more obscure
– only give administrator password to one other
person
– change administrator password regularly
How AD Provides Security
Manages which security principals have
access to each specific resource
– security principals can be users,
computers, groups, or services (via service
accounts)
– each has a unique identifier (SID),
validated by the authentication process
» for users, at logon
» for computers, at startup
More about the SID
The SID (Security ID) is assigned to a
security principal when that object is created
in the directory
It comprises:
– domain identifier
» common to all security principals
within the domain
– unique relative identifier (RID)
Access Tokens
Created when a user logs on to the
network
Consists of:
– the user’s SID
– the SIDs for each group to which the user
is a member
– the assigned user rights or privileges
ACE (Access Control Entries)
Protect all resources within AD
– objects and their properties
– network folder and printer shares
– folders and files within the NTFS file
system
Contained within access control lists
(ACLs)
– associated with each object or resource
Security Descriptors
Made up of two distinct ACLs assigned
to each object or resource:
– discretionary access control list (DACL)
» list of the SIDs that are either granted or denied
access and the degree of access that is allowed
– system access control list (SACL)
» list of all the SIDs whose access or manipulation of
the object or resource needs to be audited, and the
type of auditing that needs to be performed
Mechanism
When a user attempts to access a directory
object or network resource
– the security subsystem checks to see whether the
SIDs for the user (or security groups to which the
user is a member) match the security descriptors
assigned to the resource
– match: user is granted the degree of access to the
resource that is specified in the ACL
Most commonly, users are assigned to
security groups within AD
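The SID, access token, DACL/SACL and access-check slides above fit together as one mechanism; the following added example (not part of the lecture) models it end to end, so the effect of a deny ACE and of group membership can be seen on a constructed scenario. All SIDs, RIDs and group names are invented for the example.

```python
# Added example (not from the lecture): a model of the access check described on
# these slides. SIDs are a domain identifier plus RID, the access token holds the
# user's and group SIDs, and a security descriptor splits into a DACL (allow/deny
# ACEs) and a SACL (audit ACEs). Every SID and name below is constructed.
from collections import namedtuple

READ, WRITE, DELETE = 1, 2, 4                  # access-mask bits (constructed)
DOMAIN_ID = "S-1-5-21-1000-2000-3000"          # constructed domain identifier

AccessToken = namedtuple("AccessToken", "user_sid group_sids")   # built at logon
ACE = namedtuple("ACE", "sid mask allow")                        # allow=False: deny
SecurityDescriptor = namedtuple("SecurityDescriptor", "dacl sacl")


def sid(rid: int) -> str:
    """SID = identifier common to every principal in the domain + unique RID."""
    return f"{DOMAIN_ID}-{rid}"


def access_check(token: AccessToken, sd: SecurityDescriptor, wanted: int) -> tuple:
    """Return (granted, audit_events). The DACL is walked in order, as Windows
    does: an explicit deny covering any requested bit ends the check, allow ACEs
    accumulate until every requested bit is granted, and running out of ACEs
    means denial. The SACL never affects the decision; it only yields audits."""
    sids = {token.user_sid} | set(token.group_sids)
    granted, ok = 0, False
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue                            # ACE is about someone else
        if not ace.allow and ace.mask & wanted:
            break                               # explicit deny wins
        if ace.allow:
            granted |= ace.mask
            if (granted & wanted) == wanted:    # parentheses: & binds looser than ==
                ok = True
                break
    outcome = "SUCCESS" if ok else "FAILURE"
    audits = [f"{outcome} sid={a.sid} mask={wanted}" for a in sd.sacl if a.sid in sids]
    return ok, audits


def demo() -> dict:
    """Constructed scenario: alice is in Staff (read/write allowed) and in
    Contractors (write/delete denied and audited) on a departmental folder."""
    alice = AccessToken(sid(1105), {sid(513), sid(1200), sid(1300)})
    folder = SecurityDescriptor(
        dacl=[ACE(sid(1300), WRITE | DELETE, allow=False),   # denies first (canonical order)
              ACE(sid(1200), READ | WRITE, allow=True)],
        sacl=[ACE(sid(1300), WRITE | DELETE, allow=True)])
    return {"read": access_check(alice, folder, READ),
            "write": access_check(alice, folder, WRITE)}
```

Running demo() grants the read (Staff allows it) but refuses the write, because the deny ACE for Contractors is met before the Staff allow ACE, and the SACL entry produces an audit record either way.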
Power of Group IDs in
Policy-based Security
Groups of users can be granted or denied
access to or control over entire classes of
objects and sets of resources
Group Policy feature allows security & usage
policies to be established separately for:
– computer accounts
– user accounts
Group Policy can be applied at multiple levels:
– users or computers residing in a specific OU
– computers or users in a specific AD site
– an entire AD domain
Active Directory and
Group Policy
Power of Group Policy:
– allows network administrators to define and
control the policies governing:
» groups of computers
» groups of users
– administrators can set group policy for any
of the sites, domains, or organizational units
in the Active Directory Domain Tree
Monitoring Group Policy
Policies are ADDITIVE
– watch simulation…
With Windows 2000 policies it was a
headache assessing which specific
cumulative set of policies was controlling the
environment for a specific user or computer
Windows 2003 allows tracking and reporting
the Resultant Set of Policy (RSoP):
– net effect of each of the overlapping policies on a
specific user or computer within the domain
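To make "policies are additive" and the RSoP idea concrete, the following added example (not part of the lecture) merges a constructed set of GPO links in application order and records which GPO supplied each effective setting. GPO names, settings and the Enforced flag on the domain link are all invented for the example.

```python
# Added example (not from the lecture): why "policies are additive" and what RSoP
# reports. GPOs apply in the order site, domain, then each OU from the top down
# (local policy omitted), so the last GPO to set a value normally wins; a link
# marked Enforced is the exception and cannot be overridden lower down. GPO names
# and settings are constructed sample values.


def applied_order(site, domain, ou_chain):
    """GPOs in application order for an object in the last OU of ou_chain.
    Each GPO is a tuple (name, enforced, {setting: value})."""
    return list(site) + list(domain) + [g for ou in ou_chain for g in ou]


def resultant_set_of_policy(gpos):
    """Merge settings in application order; later GPOs override earlier ones
    unless the setting came from an Enforced GPO. Returns
    {setting: (effective value, GPO that supplied it)}, i.e. an RSoP report."""
    rsop, locked = {}, set()
    for name, enforced, settings in gpos:
        for key, value in settings.items():
            if key in locked:          # fixed by an Enforced GPO applied earlier
                continue
            rsop[key] = (value, name)
            if enforced:
                locked.add(key)
    return rsop


def demo():
    """Constructed hierarchy: Site-Campus -> uni.local -> Staff OU -> Finance OU."""
    site = [("Site-Campus", False, {"ScreenSaverTimeout": 900})]
    domain = [("Default Domain Policy", True,
               {"ScreenSaverTimeout": 600, "DisableRegistryTools": True})]
    ou_chain = [[("Staff Baseline", False,
                  {"DisableCMD": False, "ProxyServer": "proxy.uni.local:8080"})],
                [("Finance Lockdown", False,
                  {"DisableCMD": True, "ScreenSaverTimeout": 300,
                   "DisableRegistryTools": False})]]
    return resultant_set_of_policy(applied_order(site, domain, ou_chain))


if __name__ == "__main__":
    for setting, (value, source) in sorted(demo().items()):
        print(f"{setting:22} = {value!s:24} (from {source})")
```

Block Inheritance on an OU is not modelled; only the override order and the Enforced exception are.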
User/Group Permissions
and Trusted Domains
Possible for user permissions to be safely
applied beyond the local domain
– so users on one network can gain access to files on another
network
– authentication controlled between servers on the local
and trusted domains
Normally achieved through “adding” groups from
a trusted domain
This is NOT the same as “remote logon”
– which needs special username/password authorisation…
Managing Users
& Their Profiles
Once they get the hang of it, users save
all sorts of rubbish to their user areas
– may well include lots of downloaded web
pages and images
Problem!
– 5000 users
– each user takes 1 GB of space...
– total disk space required is 5000 GB!
Managing User Profiles
Back to the issue of “information pollution”
discussed last week…
Windows 2000 Disk Quotas:
– allowed administrators to track and control user NTFS
disk usage
» coupled with Group Policy and Active Directory technology
» only problem: not easy to manage disk quotas
needed scripting, reporting and remote usage methods
Windows 2003 Disk Quotas:
– better all round functionality and easier enterprise-wide
disk quota manageability
Third Party User
Space for Administrators
Plenty of third party software available to
manage user quotas
– e.g. Quota Manager
One strategy:
– set max disk space per user to 100 Mbytes
– send warning message at 100 Mbytes
– disable user’s home area at 105 Mbytes
Also - software to automatically delete stored
web pages in user folders
User Rights
Users MUST NOT have access to
sensitive parts of the system (e.g.
network servers, local system software)
– all NOSs can enforce this
Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the
software could be misused…
» cf. no-one is allowed to drive a car because some
drivers cause accidents!
Monitoring Group Policy
across Domains
When AD is managed across a distributed
enterprise:
– multiple administrators have the authority to
implement and alter Group Policies
– important to restrict the number of administrators…
Without such control, changes to Group
Policies might well occur without all
administrators being aware of:
– what has changed
– when it changed
– the implications of the change for directory and
network operations…
Network Threats, Vulnerabilities,
and Attacks
Degree of protection implemented against
such things should be related to the value of
the enterprise information or operations
Example:
– most networks probably wouldn’t need or want to
implement fingerprint and retinal scanning to
control access to the average user’s workstation
– might, however, want to implement smart cards to
control access to critical domain controllers
Threat (1)
Someone or something that has the capability
or potential to compromise the security of a
directory, network, or information
Three factors involved:
– Motive
– Method
– Opportunity
Threats that do not involve people do not
have motive:
– fire
– flood
Threat (2)
Any action by a user, condition, or process
that has the potential to disclose, damage, or
disrupt operations or information, e.g.:
– a user attempting unauthorized entry into your
network
– a fire that breaks out in the building that houses
the network servers
– a virus that attempts to corrupt or delete needed
information
– people internal to the organization!
All are examples of viable threats to the security
of the directory and the network
Internal threats more prevalent than external
ones!!!
Vulnerability
Can be defined as any weakness in security
that provides an opportunity for
an attack and that, if exploited, can allow
an attack to succeed
Can occur in many different aspects of the
network:
– software
– hardware
– social or physical environment
Requires constant vigilance on many fronts
– e.g.: if running Windows on servers, the latest
service pack and patches needed
– requires monitoring Microsoft Web site for updates
Attack
Any action by a user or software process that,
if successful, results in the disruption,
disclosure, or damage to enterprise
information, services, or operations
Shares the characteristics of motive, method,
and opportunity:
– assumes deliberate intent on the part of the
attacker to:
» damage or steal information
» disrupt operations
» use or exploit the directory to gain access to, or
deny service from, the directory or network resources
User-Based Attacks
The most common attacks are those
initiated by people:
– anonymous users attempting external
penetration of the enterprise network
– an authenticated user working
from inside the network
Can either be:
– physical attacks on the equipment supporting the
directory or network
» e.g. stealing/damaging equipment or physical network itself
– based on using the network or directory
environment
» anonymous users, authenticated users, or even administrators
Threat: Anonymous Users
Usually attempts to use vulnerabilities in the
network, service, or application software
– might gain access via scanning tools or by
exploiting a well-known but not patched error
condition in operating software
Also, when a known vulnerability is patched,
the software update usually provides a
description of the weakness, often providing
all the information needed to hack an
unpatched system
– therefore critical to stay on top of released
patches and security updates…
Exploitation of LDAP
LDAP spec is known to all (it is an RFC)
An anonymous user might be able to use
LDAP to:
– flood domain controllers with lookup queries
– read domain information
– identify user account security policies
– find account names and SIDs
– identify shares on domain computers
Thwarting DoS attacks
SOME anonymous attacks can be
mitigated by tightening security settings
Further action against anonymous DoS
attacks:
– monitoring domain controllers for
unreasonably high levels of LDAP queries
– renaming default file shares such as C$, D$,
etc. and renaming the administrator
account
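The monitoring suggested above needs a concrete test for "unreasonably high"; the following added example (not part of the lecture) applies a per-client sliding-window count to a constructed LDAP operation log and raises an alert when one client crosses the limit. The log line format, addresses and threshold are invented; domain controllers do not emit this layout by default.

```python
# Added example (not from the lecture): a detector for the "unreasonably high
# level of LDAP queries" the slide says to watch for on domain controllers. The
# log layout, client addresses and threshold are constructed for the example;
# a real deployment would feed it from whatever LDAP/directory logging is on.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per LDAP operation received by a DC.
SAMPLE_LOG = """\
2012-02-20T09:00:00 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
2012-02-20T09:00:05 client=10.0.0.9 bind=CN=jsmith op=search base=CN=Users,DC=uni,DC=local
2012-02-20T09:00:10 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
2012-02-20T09:00:20 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
2012-02-20T09:00:30 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
2012-02-20T09:00:40 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
2012-02-20T09:02:00 client=10.0.0.9 bind=CN=jsmith op=search base=CN=Users,DC=uni,DC=local
2012-02-20T09:05:00 client=10.0.0.5 bind=anonymous op=search base=DC=uni,DC=local
"""


def parse(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; values may contain '='."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_query_floods(lines, limit=5, window=timedelta(seconds=60)) -> list:
    """Sliding-window count of operations per client. Returns one alert
    (client, bind identity, time) each time a client's count within `window`
    reaches `limit`; a burst that stays above the limit alerts only once."""
    recent = defaultdict(deque)                 # client -> timestamps in window
    alerts = []
    for rec in (parse(l) for l in lines if l.strip()):
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:        # drop timestamps older than window
            q.popleft()
        if len(q) == limit:
            alerts.append((rec["client"], rec["bind"], rec["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for client, bind, when in detect_query_floods(SAMPLE_LOG.splitlines()):
        print(f"{when}: {client} ({bind}) exceeded query limit")
```

On the sample log only the anonymous client 10.0.0.5 trips the limit, at 09:00:40; its later isolated query at 09:05:00 falls outside the window and is not flagged.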
Threat: Authenticated Users
Examples:
– spoofed-account access (via
hacking/cracking tools)
– illicit use of a valid account (obtained
through some social engineering scheme)
– valid user who has decided to attack
information, services, or operations for
some personal or professional reason
Headache for administrators:
Accounts have legitimate access to a range
of resources and information
More difficult to detect the attacks
Can validly start processes that will have the
effect of creating DoS conditions by
consuming inordinate amounts of service
resources
– flood of LDAP queries or connections
– filling disk space (for example, storing many
extremely large objects in the directory)
Security Precautions
A lot of monitoring, analysis, responsiveness
to anomalies occurring in the directory…
Permissions allocated to authenticated users by
default allow them to:
– identify members of sensitive security groups &
determine sensitive account information (names,
addresses, phone numbers, password, etc…)
– discover linkage of Group Policies
– identify sites
– identify the OSs of the domain controllers
– discover and disclose much additional information
stored in the directory
– read most objects in the directory
Threats: Administrators
Network Administrators themselves….
– potentially HUGE threats to the directory, network, &
enterprise information accessible via the network….
– must always be a highly responsible/accountable
job
Threat could be
– “spoofing” an administrator’s account
– an account with invalidly elevated privileges
– a trusted administrator who has for some reason
decided to attack the directory or network…
Administrators & associated
personnel…
Not just administrators…
Accounts with some administrative rights can:
– modify permissions on objects within their scope
– enable accounts to be trusted for delegation
– change passwords on other user accounts to be
used for further (spoofing & repudiation) attacks
– change security settings causing DoS
conditions
Software-Based Attacks
The AD forest and domain directory structure
are based on a correctly specified schema
– therefore any software application that
corrupts the schema could:
» compromise the entire directory
» make the enterprise network inoperative
– likewise, automated attacks via viruses or worms
that are not necessarily directed against your
company, but that happen to affect the schema, could
nevertheless have a damaging or disruptive effect
Email attachments
Present a huge risk
– user education doesn’t seem to stop people from
opening every attachment that shows up in their
inboxes
Can users be trusted? If not
– a whole messaging system can be configured to
block, or at least scan, all attachments
– additional measures can be adopted, such as:
» turning off preview panes that automatically display messages
» converting HTML mail to plain text
» blocking email clients from accessing the Internet
Environment-Based Attacks
Any condition that damages or destroys the
server hardware (fire, flood, tornado, hurricane,
lightning, etc) could also render the AD
environment inoperative
Consistent threat across platforms
– usually well addressed by IT management in
planning and implementing strict backup and
restoration procedures
– disaster preparedness and recovery plans MUST
include provisions for offsite data backups
» make sure that the backups are actually taken offsite
» consider a secondary physical site that is ready to go in case the
worst happens
Network: Service to Self or
Service to Others?
Two huge responsibilities for the network
manager…
– Provide facilities and services that users need
– Protect the network against abuse by naïve or malign
users
General perception (of users!) is that network
managers regard “protecting the network” as
more important than servicing the needs of
users