Presentation5 - University Of Worcester


COMP3371
Cyber Security
Richard Henson
University of Worcester
October 2015
Week 5: Access Control
using Active Directory

Objectives:
• Explain the components of a network directory service
• Analyse Windows Active Directory and compare it with an X.500 standard directory service
• Explain how the use of security policies can help prevent internal network security breaches
• Apply security policies to a Windows Server setup
“Network Directories” & the PKI

Directories are not to be confused with “folders”…
• the former is generally a data store that changes only infrequently
» e.g. a telephone directory
• to avoid confusion, computer-based directories are also called “repositories”

Lots of different “network databases” have evolved on the web
• not a good idea!
• they often contain the same information: when one copy is updated (e.g. someone’s address) all the copies should be updated, but that is unlikely to happen in practice
A Directory for the whole Internet?

Total solution:
• use just one repository (a meta-directory) for each type of information (e.g. a global telephone directory)
• provide it on the web as a “directory service”
• use LDAP applications to access that information directly

Achieved through a Distributed Directory…
Distributed Directory

Paper-based equivalent: a series of telephone directories, each covering a clearly defined area
• collectively they cover a wide geographical region
• they serve a variety of purposes
• all are part of the same system for communication

Distributed directory on a computer network
• an entry for an entity may appear in multiple directories
• for example, one for each email system (if there is more than one)
• for example, one for gaining access to the network by logging on

Directory synchronisation is essential for tying the distributed directories together
Development of Internet Protocols: roles of the IETF and IESG

The IESG provides technical management of IETF activities
• has the power to approve Internet-Drafts for publication as standards-track RFCs

Procedure:
• an Internet-Draft is submitted (usually through a working group)
• if accepted, the IESG approves it and it is published as an RFC, initially at “Proposed Standard” level
• the RFC is then given consideration as a standard…
• a Proposed Standard may eventually become a full Internet Standard
• X.500 DAP -> LDAP (LDAPv3, now the RFC 4510 series) is a good example of successful evolution
X.500 Architecture

Based on the OSI model
• X.500 DAP was specified over the OSI transport; RFC 1006 (ISO transport service on top of TCP) allows OSI applications such as X.500 to run over an IP network

Full X.500 architecture:
» DMD (directory management domain)
» DUA (directory user agent): the client side
» DIB (directory information base, object-oriented!)
  - i.e. the directory service database itself
» DIT (directory information tree)
  - the hierarchical organisation of entries, which may be distributed across one or more servers
» DSA (directory system agent[s])
  - the server(s) that hold and serve the DIT, cooperating with each other across servers
X.500 Protocols

• DAP (Directory Access Protocol): DUA to DSA
• DSP (Directory System Protocol): DSA to DSA, for chaining a request on to the server that holds the entry
• DISP (Directory Information Shadowing Protocol): replication of entries between DSAs
• DOP (Directory Operational Binding Management Protocol): manages the agreements between DSAs

Collectively:
• a wide range of functionality
• but a cumbersome structure
Simplifying X.500 - LDAP

Developed by University of Michigan researchers in the early 1990s
• gave up on the complexities of X.500
• came up with a scheme that:
» retained the X.500 directory structure (the DIT, distinguished names, object classes and attributes)
» gave it a streamlined access protocol running over standard TCP/IP instead of the ISO stack
• Other improvements:
» pared-down referral mechanism
» more flexible security model
» no fixed replication protocol
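As an added example (not part of the lecture slides), this is what an LDAP search against the DIT looks like from PowerShell using the built-in System.DirectoryServices classes: a search base (an entry in the tree), a scope, and an RFC 4515 filter. The domain DC=example,DC=com, the OU name and the user names are assumptions. The escaping function is the part a practitioner wants: LDAP filters have metacharacters just as SQL does, and an unescaped value from a web form is an LDAP injection.

```powershell
# Added example, not code from the lecture. Assumes a domain DC=example,DC=com
# with an OU named Staff; adjust the search base to your own directory.

# RFC 4515: these characters must be hex-escaped inside a filter value.
# Without this, input such as "*)(objectClass=*" rewrites the whole filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Search base = a node of the DIT; scope Subtree walks everything beneath it.
$root   = [ADSI]"LDAP://OU=Staff,DC=example,DC=com"
$search = New-Object System.DirectoryServices.DirectorySearcher($root)
$search.SearchScope = 'Subtree'
$search.PageSize    = 500    # server-side paging avoids the default 1000-entry result limit

# Constructed hostile input: a surname that tries to widen the query to every user.
$wanted = 'Smith)(objectClass=*'
$search.Filter = "(&(objectCategory=person)(objectClass=user)(sn=$(ConvertTo-LdapFilterValue $wanted)))"
"Filter sent to the DSA: $($search.Filter)"    # the ) and ( arrive as \29 and \28, so it matches nothing
[void]$search.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'memberOf'))

foreach ($r in $search.FindAll()) {
    # distinguishedName shows the entry's position in the tree, most specific RDN first
    "{0}  ->  {1}" -f $r.Properties['samaccountname'][0], $r.Properties['distinguishedname'][0]
    foreach ($g in $r.Properties['memberof']) { "    member of $g" }
}
```

Run it from a domain-joined machine; the search binds with the current user's credentials, which is why LDAP enumeration is available to any authenticated user and why the directory's own ACLs, not the application, decide what is visible.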
Microsoft and LDAP

Microsoft wanted to get into the directory/database server market and realised that Internet compatibility was needed
• needed an X.500-style directory in the directory service planned for the next version of NT
• adapted the Michigan LDAP…

Microsoft also helped the original commercial PKI service provider (VeriSign) build its service around the LDAP protocol

Also ODSI (Open Directory Services Interface), later renamed ADSI (Active Directory Service Interfaces):
• allowed developers to build applications that register with, access and manage multiple directory services through a single set of well-defined interfaces
Microsoft and X.500

1996: launched Exchange v4
• email server
• its directory was X.500-based, and it provided the infrastructure to let DAP clients access its directory service information…
• client end: X.500 DAP-compliant
» Outlook as the network client
» Outlook Express as the Internet client
» a client for US government defence messaging (DMS)
Database for Exchange Server

Microsoft devised a new database engine, ESE (Extensible Storage Engine, code-named JET Blue), which ships in Windows as ESENT.DLL
• the database is a single file organised as a balanced B-tree
• uses ISAM (Indexed Sequential Access Method)
• manages data efficiently; a transaction log and crash-recovery mechanism ensure data consistency is maintained even in the event of a system crash
X.509 (Digital Certificates)

The digital certificate store had to follow the X.500 standard to be “Internet compatible”
• X.509 is the certificate standard from the ITU-T X.500 series (first version 1988); a certificate’s subject and issuer names are X.500 distinguished names
• first Internet profile of X.509: RFC 1422 (1993, part of Privacy Enhanced Mail)
• LDAP protocol used for the “look up” of certificates and revocation lists

Refined many times…
• current Internet profile: RFC 5280 (2008)
LDAP, ESE, and Active Directory

According to Microsoft…
• “Active Directory incorporates decades of communication technologies into the overarching Active Directory concept…”

Certainly a very successful commercial roll-out of an X.500-compatible directory service
• uses ESE to manage its data store
• uses DNS for naming and for clients to locate domain controllers
• uses LDAP as its access protocol, including for the PKI: enterprise CA certificates, templates and CRLs are published in the directory and read over LDAP
Continuous Development of AD

Microsoft continued to work with the IETF
• Exchange v5 also used the ESE/LDAP/DNS enhancements…
• each version of Windows Server has extended the Active Directory services further…
• even Group Policies are managed through AD

Development continues…
Directory Services and AD

Active Directory has just one data store, known as the directory
• stored as the file NTDS.DIT (by default in %SystemRoot%\NTDS on each domain controller)
» where does “.dit” come from? the X.500 Directory Information Tree
• distributed across ALL the domain controllers, each holding a writable copy of its domain partition
• links to objects on/controlled by each DC
• changes are automatically replicated to all DCs
• contains details of:
» stored objects
» shared resources
» network user and computer accounts, including the password hashes for every account in the domain, so the file, its backups and any shadow copy of it must be protected as carefully as the DC itself
AD, DNS, and Domain Trees

One great thing about being Internet-compatible is that Active Directory can also logically link domains together
• very useful for networks using more than one domain
• each domain in the directory is identified by a DNS domain name and requires one or more domain controllers

Multiple domains with contiguous DNS domain names (e.g. example.com and sales.example.com) make up a parent-child structure known as a domain tree
If domain names are non-contiguous, they form separate domain trees
“Trust Relationships” between Windows Domains & using DNS

A system of account authentication between domains was established in the Windows NT architecture
• but Windows NT trust relationships were one-way, non-transitive and had to be created individually

Active Directory establishes trust relationships using DNS naming and Kerberos
• users and computers can be authenticated between any domains joined by a chain of trusts
Active Directory Trust Relationships

Extends the principle…
• domains can link together in a schematic way
• to form “domain trees”

Trust relationships are automatically created between adjacent domains (parent and child domains) in the tree
• they are two-way and transitive, so users and computers can be authenticated between ANY domains in the domain tree (and, through the tree-root trusts, anywhere in the forest)
• a trust permits authentication across the boundary; it does not by itself grant access, which is still decided by the ACLs on the target resources

So how does this all work securely in practice, across an entire enterprise????
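An added example (not from the lecture) of the first thing to check when answering that question: which trusts a domain actually has, in which direction, and whether SID filtering is on. It uses the ActiveDirectory PowerShell module (RSAT) from a domain-joined session; the domain and partner names printed are whatever your own forest contains.

```powershell
# Added example, not lecture code. Requires the ActiveDirectory module and a domain account.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root: {0}   domains: {1}" -f $forest.RootDomain, ($forest.Domains -join ', ')

Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Partner          = $_.Name
        Direction        = $_.Direction            # Inbound / Outbound / BiDirectional
        IntraForest      = $_.IntraForest          # parent-child and tree-root trusts
        ForestTransitive = $_.ForestTransitive     # true for a forest trust
        TrustType        = $_.TrustType
        # SID filtering discards SIDs in the partner's ticket (PAC) that do not belong to
        # the partner domain. With it off, a compromised partner could inject one of OUR
        # privileged group SIDs into a ticket and be treated as a member here.
        SIDFilteringOn   = $_.SIDFilteringQuarantined
        SelectiveAuth    = $_.SelectiveAuthentication   # only explicitly allowed users may cross
    }
} | Format-Table -AutoSize

# External (non-forest, non-intraforest) trusts without SID filtering deserve a ticket.
Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined } |
    ForEach-Object { Write-Warning "External trust to $($_.Name) has SID filtering disabled" }
```

Intra-forest trusts are always transitive and cannot be quarantined, which is why the forest, not the domain, is the real security boundary: an administrator of any domain in the forest can reach the others.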
Access Controls

A set of security mechanisms used to control what a user can do as a result of logging on to a secured environment
• enforce “authorisation”
• “identification” and “authentication” are also associated with logging on: who is asking, and can they prove it?

Effect includes:
• access to systems, services & resources
• which interactions users can perform
Remote Logon and Kerberos Authentication

Another university: MIT
• a series of KDCs (Key Distribution Centres)
• each holds a secure database of authorised principals (users and services), the secret keys derived from their passwords, and the realm (domain) name
• maintained using the Kerberos V5 security protocol (RFC 4120)
• uses strong symmetric encryption: AES in current versions; RC4 and DES are legacy and should be disabled
• freely available…

Active Directory + Kerberos = a very powerful combination
• in AD every domain controller is a KDC and the DNS domain name is the Kerberos realm
• even used to authenticate across mobile & wireless networks
Components of “Enterprise-wide” Login with Kerberos authentication

• The Active Directory tree logically connects and “trusts” servers throughout the enterprise
• Servers in their turn control access to users within domains
• The user’s group memberships are collected during authentication (in AD they travel in the PAC inside the Kerberos ticket) and become the access token used for every authorisation decision in that session
• Group Policy Objects are invoked, which rewrite registry settings and control client desktops
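As an added example (not from the lecture), this shows the Kerberos side of that login from a domain-joined Windows client, and then queries the directory for the account settings that undo the “strong encryption” and proof-of-password properties of Kerberos V5. It needs the ActiveDirectory module; the account names it prints are whatever your domain contains, and the krbtgt exclusion is the only name assumed.

```powershell
# Added example, not lecture code. Run on a domain-joined client with RSAT installed.

# 1. The tickets this logon session holds. The krbtgt/REALM entry is the TGT obtained
#    in the AS exchange; each further entry is a service ticket from a TGS exchange.
klist

# 2. Throw them away; the next resource access repeats the exchanges with the KDC.
klist purge

# 3. Every domain controller runs a KDC; these are the servers clients will ask.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# 4. Accounts configured in ways that weaken Kerberos.
$weak = @(
    # No pre-authentication: anyone can request this account's AS-REP and crack it offline.
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth |
        Select-Object SamAccountName, @{ n = 'Issue'; e = { 'Kerberos pre-authentication disabled' } }

    # DES-only keys: 56-bit, long broken.
    Get-ADUser -Filter { UseDESKeyOnly -eq $true } -Properties UseDESKeyOnly |
        Select-Object SamAccountName, @{ n = 'Issue'; e = { 'DES-only Kerberos keys' } }

    # A user (not computer) account with an SPN: its service tickets are encrypted with a
    # key derived from its password, and any domain user may request one and crack it
    # offline, so such accounts need long random passwords (or a gMSA instead).
    Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, @{ n = 'Issue'; e = { 'User account with SPN: ' + ($_.ServicePrincipalName -join ' ') } }
)
$weak | Format-Table -AutoSize
```

The checks in step 4 are read-only LDAP queries, so they are also exactly what an attacker with an ordinary domain account runs first; finding them yourself is cheaper.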
Users, Groups, Security, and NTFS partitions

Any file or folder on an NTFS partition has permissions imposed through its ACL
Typical permissions (each an Allow or Deny entry for a user or group):
• Read
• Read and Execute
• List folder contents
• Write
• Modify
• Full Control (which includes changing permissions and taking ownership)
• (“No Access” of NT 4 is now expressed as an explicit Deny entry)

A much wider range of granular permissions is available underneath these; an explicit Deny always wins over an Allow, and entries are normally inherited from the parent folder unless inheritance is broken
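An added example (not from the lecture) of setting those permissions with Get-Acl and Set-Acl, then checking them. The share path and the group names EXAMPLE\Finance-RW and EXAMPLE\Finance-RO are assumptions; the rest uses the standard .NET FileSystemAccessRule API.

```powershell
# Added example, not lecture code. Path and EXAMPLE\* groups are hypothetical.
$Path = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from D:\Shares so a permissive parent cannot leak in.
# ($true = break inheritance, $false = discard inherited entries rather than copy them)
$acl.SetAccessRuleProtection($true, $false)

# Each rule: identity, rights, inheritance to subfolders/files, propagation, Allow/Deny.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, $prop, 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, $prop, 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('EXAMPLE\Finance-RW',     'Modify',         $inherit, $prop, 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('EXAMPLE\Finance-RO',     'ReadAndExecute', $inherit, $prop, 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Path -AclObject $acl

# Review the result: who has more than read, and any Deny entries (Deny beats Allow).
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Audit the whole share tree for the classic mistake: Everyone / Authenticated Users with write.
Get-ChildItem -Path 'D:\Shares' -Directory -Recurse | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "{0}: {1} has {2}" -f $p, $_.IdentityReference, $_.FileSystemRights }
}
```

Note that Modify is granted to a group, never to individual users; membership of the group is then the only thing that has to be maintained when people join or leave.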
Point for debate: is “read only” access dangerous?

If information is held on a server and accessed by dumb terminals…
• secure enough!
• this was the case in the days of centralised networks with no distributed processing

With client-server networking, read only means “the user can take a copy”
• is this dangerous, from an organisational security point of view?
• an NTFS read permission cannot prevent the copy; only auditing of reads and data-loss-prevention controls can detect or block it
Principle of Least Privilege

Providing users with sufficient access to do their work…
• but no more than that!

Privileges can also be applied temporarily, to provide controlled flexibility
Even individual administrators can have the principle applied to them
• if they have responsibility for particular resources…
• they shouldn’t have privileges relating to other resources outside their work remit
• in AD this means delegating specific rights on a specific OU, rather than adding people to Domain Admins
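An added example (not from the lecture) of both forms of least privilege in Active Directory: delegating a single right (reset password) on user objects beneath one OU, and granting a privileged group membership that expires. The OU, group and user names are assumptions; the two schema GUIDs are the real ones from the AD schema. It requires the ActiveDirectory module.

```powershell
# Added example, not lecture code. OU, group and user names are hypothetical.
Import-Module ActiveDirectory

$ou       = 'OU=Helpdesk Managed,DC=example,DC=com'
$helpdesk = Get-ADGroup 'Helpdesk Operators'
$sid      = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# Well-known schema GUIDs (not hypothetical):
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

# Allow the helpdesk to reset passwords on user objects under this OU, and nothing else:
# no write to group membership, no rights on computers, nothing outside the OU.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Temporary privilege instead of a permanent membership. -MemberTimeToLive needs the
# Privileged Access Management optional feature (Windows Server 2016 forest functional level):
#   Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target 'example.com'
Add-ADGroupMember -Identity 'Server Operators' -Members 'jsmith' -MemberTimeToLive (New-TimeSpan -Hours 4)

# Verify: the explicit (non-inherited) entries on the OU. Anything beyond the rule above
# is a delegation someone should be able to explain.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

Delegations on OUs accumulate silently over years, so the final query is worth scheduling: an old “reset password” delegation that was later widened to GenericAll on an OU containing administrators is a privilege-escalation path, not a convenience.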
Groups and Group Policy

It may be convenient for managers and administrators to put users into groups
• the settings for a group provide particular access to data & services

Problems…
• a user in the wrong group(s), or left in a group after changing role
• a group with the wrong settings
• nested groups, so that a membership grants more than it appears to
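An added example (not from the lecture) of detecting the “user in the wrong group” problem for the groups where it matters most. The approved-membership list is a constructed sample; in practice it comes from a change-controlled file. Requires the ActiveDirectory module.

```powershell
# Added example, not lecture code. The $approved baseline is constructed sample data.
Import-Module ActiveDirectory

# Who is supposed to be in each privileged group (constructed; usually an empty or tiny list).
$approved = @{
    'Domain Admins'     = @('da-alice', 'da-bob')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Account Operators' = @()
}

foreach ($group in $approved.Keys) {
    # -Recursive expands nested groups, which is where surprise members usually hide
    # (a group inside a group inside Domain Admins).
    $actual = @(Get-ADGroupMember -Identity $group -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName)
    $expected = @($approved[$group])

    foreach ($m in $actual)   { if ($m -notin $expected) { Write-Warning "${group}: unexpected member '$m'" } }
    foreach ($m in $expected) { if ($m -notin $actual)   { Write-Warning "${group}: approved member '$m' is missing" } }

    # "Group has the wrong settings": list every group-typed direct member, because nesting
    # makes the effective membership larger than the direct one admins normally look at.
    Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { Write-Warning "${group}: contains nested group '$($_.SamAccountName)'" }
}
```

Run it on a schedule and alert on any warning; the same comparison against a baseline works for any group that gates sensitive data, not only the built-in administrative ones.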
The Registry and User Control

The Registry is a simple hierarchical data store
• holds many user and system settings

Settings are loaded into memory at boot-up (and the user’s own hive at logon)
• easily overwritten by settings from policy files
• policies can be applied to groups of users
• the resultant policy controls the desktop
What is The Registry?

A hierarchical and “active” store of system and user settings, viewable using regedit.exe (REGEDT32.exe on older versions; on current Windows it simply launches regedit)
Five basic subtrees:
• HKEY_LOCAL_MACHINE: local computer information; does not change no matter which user is logged on
• HKEY_USERS: one subkey per loaded user profile, named by the user’s SID, plus .DEFAULT
• HKEY_CURRENT_USER: the settings of the currently logged-on user (a link to that user’s SID subkey under HKEY_USERS)
• HKEY_CLASSES_ROOT: file association and COM registration data (a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes)
• HKEY_CURRENT_CONFIG: the “active” hardware profile (a link into HKEY_LOCAL_MACHINE\SYSTEM)

Each subtree contains one or more subkeys, and each key holds named values
Location of the Windows Registry

C:\Windows\System32\config

• ordinary “users” are denied access to this folder
• the main hive files (no extensions):
» SOFTWARE: installed software settings (HKLM\SOFTWARE)
» SYSTEM: hardware, driver and service settings (HKLM\SYSTEM)
» SAM and SECURITY: the local account database (with password hashes) and LSA secrets
  - not viewable through regedit by default, because their keys are readable only by SYSTEM
  - a copy of these two files is enough to recover the local password hashes, so backups and shadow copies need the same protection as the live files
» DEFAULT: the default user profile (HKEY_USERS\.DEFAULT)
» newer Windows versions add further hives here, such as COMPONENTS and DRIVERS

Also: NTUSER.DAT, one in each user’s profile folder
• user settings that override the default user, loaded under HKEY_USERS\<SID> at logon
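An added example (not from the lecture) tying the three slides above together: the hive files on disk and who may read them, the HKCU-to-HKU\<SID> link, and the Policies keys where Group Policy writes its overrides. Run it in an elevated PowerShell; the policy key paths are real Windows locations, and what they contain depends on the machine.

```powershell
# Added example, not lecture code. Run elevated; output depends on your machine.

# 1. The hive files and their ACLs. SAM and SECURITY should list only SYSTEM and
#    Administrators; any broader read access is a serious finding.
$hives = 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT'
Get-ChildItem -Path "$env:SystemRoot\System32\config" -File |
    Where-Object { $_.Name -in $hives } |
    ForEach-Object {
        $who = (Get-Acl $_.FullName).Access | ForEach-Object { "{0}:{1}" -f $_.IdentityReference, $_.FileSystemRights }
        "{0,-10} {1,12:N0} bytes  {2}" -f $_.Name, $_.Length, ($who -join '; ')
    }

# 2. HKCU is an alias for HKU\<SID of the logged-on user>, loaded from that user's NTUSER.DAT.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$viaHKCU = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHKU  = (Get-ItemProperty -Path "HKU:\$sid\Environment").TEMP
"HKCU TEMP = $viaHKCU ; HKU\$sid TEMP = $viaHKU ; same key: $($viaHKCU -eq $viaHKU)"

# 3. Where Group Policy writes its overrides. A value under a ...\Policies key wins over
#    the user's own preference elsewhere in HKCU\Software, and the user cannot change it
#    back: the key is ACL'd to administrators and rewritten at each policy refresh.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($k in $policyKeys) {
    if (Test-Path -Path $k) {
        "Policy-managed settings in ${k}:"
        Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* | Format-List
    } else {
        "No policy values under $k (no GPO has set anything there)"
    }
}
```

Part 1 is the check that matters for the SAM/SECURITY point above: the live files are locked by the kernel, but their ACL, the ACL on backups, and who can create volume shadow copies together decide whether the local hashes can be read.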
Structure of an Active Directory Tree

A hierarchical system of organisational data objects
• a tree can be
» a single domain with organisational units
» a group of domains
Domains, Trees & Forests

Domain objects divide into organisational units (OUs)
• Microsoft recommend using OUs in preference to domains for imposing structure for admin purposes
» flexibility to use either one domain or several…
» an OU is the boundary for delegation and for Group Policy; a domain is the boundary for account policy and replication

The “forest” contains the data needed to connect all objects in the tree, and even to connect different trees (a shared schema, configuration partition and global catalog)
• the forest, not the domain, is the security boundary

Logical linking creates “trusts” for remote users
Active Directory and DNS

DNS (Domain Name System)
• Internet-based system for naming host computers

In Active Directory
• each domain is a DNS domain name, and every computer joined to it has a DNS host name inside that namespace (e.g. dc1.example.com)
• domain controllers register SRV records (under _msdcs.<domain> and the domain itself) so that clients can locate the LDAP and Kerberos services without knowing any server name
» the AD domain name must fit the organisation’s existing DNS namespace: potential confusion when setting up the domain structure!!
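An added example (not from the lecture) of the DNS records Active Directory depends on, using the built-in Resolve-DnsName cmdlet and the nltest locator. Replace example.com with your own AD domain name; the record names themselves are the standard ones.

```powershell
# Added example, not lecture code. example.com is a placeholder for your AD domain.
$domain = 'example.com'

# Domain controllers (LDAP) and KDCs (Kerberos) are found through SRV records, never by
# guessing host names. Each answer carries target, port, priority and weight (RFC 2782).
foreach ($svc in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.$domain") {
    "== $svc"
    Resolve-DnsName -Name $svc -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}

# The SRV target is a host name inside the domain's namespace; it must resolve too.
$dc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
Resolve-DnsName -Name $dc -Type A | Select-Object Name, IPAddress

# The built-in locator does the same lookup (plus an LDAP ping of the DC) in one call.
nltest "/dsgetdc:$domain"
```

Because every client trusts these answers to find its KDC, the DNS zone holding them is part of the authentication system: dynamic updates to it should be secure-only, and the zone should be AD-integrated so that its ACLs come from the directory.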
Managing Security Across a Directory Tree

Different admin levels:
• domain admins: look after one domain
• enterprise admins: control all domains in the forest!
» justification of those large salaries?
» also the group an attacker most wants to join: keep its membership near-empty and audited

Achieved through Group Policies…
• users with different needs
• but they had better be right!
Group Policy in Windows Networks

Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage:
• programs that are available to users
• programs that appear on the user's desktop
• Start menu options
• and, on the security side, password and lockout policy, audit policy, user rights assignment and restricted groups

Group Policy Objects are used with authenticated users to extend the flexibility and scalability of security beyond “domains” and “trusted domains”

The required level of trust is achieved through:
• Active Directory “trees” based on DNS
• Kerberos authentication
Implementation of Group Policy Objects

Group Policy Objects (GPOs) are EXTREMELY POWERFUL…
• contain all the specified settings to give a group of users their desktop with the agreed security levels applied
• template editing tool available as a “snap-in” with Windows Servers (the Group Policy Management Console and its editor)
» a policy provides a specific desktop configuration for a particular group of users
• a GPO is stored in the domain (a container in AD plus a folder in SYSVOL), so whoever can edit it can run code on every computer it applies to

The GPO is in turn linked to selected Active Directory containers:
• Sites, Domains, Organizational Units
• processed in the order Local, Site, Domain, OU, with later links overriding earlier ones unless a link is marked Enforced
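An added example (not from the lecture) of the full GPO life-cycle from the GroupPolicy PowerShell module: create the object, set a registry-based policy, link it to an OU, scope it with security filtering, see who can edit it, and check the resultant policy on one workstation. The GPO, OU, group, computer and user names are assumptions; the cmdlets and the NoRun value are real.

```powershell
# Added example, not lecture code. GPO, OU, group, computer and user names are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Sec - Finance Workstations'
$ou      = 'OU=Finance Workstations,OU=Workstations,DC=example,DC=com'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Added example: desktop lockdown for Finance' }

# A registry-based setting written under a Policies key, so the user cannot undo it:
# disable the Run dialog (User Configuration > Administrative Templates > Start Menu and Taskbar).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Link it to the OU. Processing order is Local, Site, Domain, OU, later links winning;
# -Enforced Yes would stop a child OU from blocking or overriding this one.
$links = (Get-GPInheritance -Target $ou).GpoLinks.DisplayName
if ($links -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced No | Out-Null
}

# Security filtering: only principals with Read + Apply receive the GPO. Swap the default
# "Authenticated Users: Apply" for Read only (computers must still be able to READ the GPO
# since MS16-072, or user settings silently stop applying), and grant Apply to one group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Finance Staff' -TargetType Group -PermissionLevel GpoApply | Out-Null

# Who can edit this GPO? Each of these can push settings, scripts and scheduled tasks to every target.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Resultant Set of Policy for one machine and user, to prove the setting actually arrived.
Get-GPResultantSetOfPolicy -Computer 'FIN-WS01' -User 'EXAMPLE\jsmith' -ReportType Html -Path "$env:TEMP\rsop-finance.html"
```

The permission query is the part to keep running: GPO edit rights are a quieter route to code execution on every targeted machine than Domain Admins membership, and they are rarely reviewed.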
Combined Power of Group Policies and Active Directory

Enables written user/group policies to be easily implemented in software

Enables policies to be applied across whole domains:
• a GPO is linked to sites, domains and OUs, and its settings reach every user and computer object in those containers
• trusts (including the Kerberos trusts between non-contiguous domains in the same forest) let users authenticate anywhere, but policy is applied according to the domain and OU in which the user or computer object lives, not according to the trust