the directory - University Of Worcester


COMP3123
Internet Security
Richard Henson
University of Worcester
October 2010
Week 4 Access Controls:
Network Directories & the PKI

Objectives:
• Explain the components of a network directory service
• Explain how the use of security policies can help prevent network internal security breaches
• Analyse Windows Active Directory and compare it with an X.500 standard service
• Apply security policies to a Windows 2000 setup
• Identify and use secure username/password protocols based on the TCP/IP stack
“Network Directories” & the PKI

Directories not to be confused with “folders”…
• the former is generally a data store that changes only infrequently…
  » e.g. a telephone directory
• to avoid confusion, computer-based directories are also called “repositories”

Lots of different “network databases” have evolved on the web
• not a good idea!
• they often contain the same info… when one is updated (e.g. someone’s address), all should be updated – but this is unlikely to be the case in practice

Total solution:
• use just one repository (meta-directory) for that type of info (e.g. a global telephone directory)
• provide it on the web as a “directory service”
• use LDAP applications to directly access that info

Meta-directory

Popular approach resulting from the simple idea of putting all information about any one entity or object in one place…
• information about those entities and objects can then be presented in a consistent way
• simplifies collection and distribution of info on an intranet covering the whole organisation

Directory Services
• provide access protocols that allow software tools to access directory info

Examples of directory-enabled applications
• enforce network policies!
  » across the network
  » between networks
• digital signature verification
• remote dial-in access authorization
• signing in to a network

Distributed Directory

Paper-based equivalent – a series of telephone directories, each covering a clearly defined area
• collectively cover a wide geographical region
• serve a variety of purposes
• all part of the same system for communication

Distributed directory on a computer network
• an entry for an entity may appear in multiple directories
• for example, one for each email system (if more than one)
• for example, one for gaining access to the network by logging on

Directory synchronisation is essential for tying the distributed directories together

Development of Internet Directories and the roles of IETF and IESG

IESG (Internet Engineering Steering Group) provides technical management of IETF activities
• power to translate RFC proposals into RFC standards

Procedure:
• draft RFC submitted
• if accepted: IESG elevates it to RFC “draft” status
• RFC then given consideration as a standard…
• draft RFC eventually may become a true Internet standard

Example of successful evolution: X.500 to LDAP

X.500 Architecture

Based on the OSI model & became RFC 1006
• allows OSI applications to run over an IP network

Full X.500 Architecture:
• DMD (directory management domain)
• DSA (directory system agent)
• DUA (directory user agent)
• DIB (directory information base – object oriented!)
  » Example: a directory service database
• DIT (directory information tree)
  » Example: Windows 2000 Active Directory

X.500 Protocols
• DAP (Directory Access Protocol)
• DSP (Directory System Protocol)
• DISP (Directory Information Shadowing Protocol)
• DOP (Directory Operational Binding Management Protocol)

Collectively, these protocols give X.500 a wide range of functionality, but the structure is cumbersome…

Simplifying X.500 – LDAP

Known as Lightweight Directory Access Protocol
Thanks to University of Michigan researchers, early 1990s
• gave up on the complexities of X.500
• came up with a scheme that:
  » retained the X.500 directory structure
  » gave it a streamlined access protocol based on standard TCP/IP instead of ISO
• other improvements:
  » pared-down referral mechanism
  » more flexible security model
  » no fixed replication protocol
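To make the “retained the X.500 directory structure” point concrete, here is an added example (not part of the lecture slides, and not code from any LDAP product): a small in-memory Directory Information Tree populated from LDAP distinguished names, with a base/one-level/subtree search of the kind a directory-enabled application issues. The organisation, entry names and attribute values are constructed, and the example assumes every attribute matches case-insensitively when DNs are compared.

```python
"""Added example (not from the lecture slides): a small in-memory Directory
Information Tree of the kind X.500 defined and LDAP retained, populated from
LDAP distinguished names (DNs). Organisation, entry names and attribute
values below are constructed for illustration."""

from collections import defaultdict


def parse_dn(dn):
    """Split 'cn=alice,ou=staff,dc=example,dc=ac,dc=uk' into (attr, value)
    RDNs, most specific first. Handles backslash-escaped characters such as
    '\\,' (RFC 4514) but not the full escaping grammar."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


class DIT:
    """Tree of entries keyed by a normalised DN. A parent must exist before a
    child is added, as a real DSA would insist (LDAP 'noSuchObject')."""

    def __init__(self):
        self.entries = {}                    # normalised DN -> attributes
        self.children = defaultdict(list)    # normalised DN -> child DNs

    @staticmethod
    def normalise(rdns):
        # Assumption for this example: every attribute matches case-insensitively.
        return ",".join(f"{a}={v.lower()}" for a, v in rdns)

    def add(self, dn, **attrs):
        rdns = parse_dn(dn)
        key = self.normalise(rdns)
        parent = self.normalise(rdns[1:]) if len(rdns) > 1 else ""
        if parent and parent not in self.entries:
            raise LookupError(f"noSuchObject: parent {parent!r} missing")
        entry = {k.lower(): v for k, v in attrs.items()}
        entry.setdefault(rdns[0][0], rdns[0][1])   # the RDN attribute is part of the entry
        self.entries[key] = entry
        self.children[parent].append(key)

    def search(self, base, scope="subtree", **equality_filter):
        """Equality-filter search under `base`; scope is 'base', 'one' or 'subtree'."""
        base_key = self.normalise(parse_dn(base))
        if base_key not in self.entries:
            raise LookupError(f"noSuchObject: {base_key!r}")
        if scope == "base":
            candidates = [base_key]
        elif scope == "one":
            candidates = list(self.children[base_key])
        else:
            candidates, stack = [], [base_key]
            while stack:
                key = stack.pop()
                candidates.append(key)
                stack.extend(self.children[key])
        return [key for key in candidates
                if all(self.entries[key].get(k.lower()) == v
                       for k, v in equality_filter.items())]


def build_sample_dit():
    """Constructed sample directory for a fictional institution."""
    d = DIT()
    d.add("dc=uk", objectClass="domain")
    d.add("dc=ac,dc=uk", objectClass="domain")
    d.add("dc=example,dc=ac,dc=uk", objectClass="domain")
    d.add("ou=staff,dc=example,dc=ac,dc=uk", objectClass="organizationalUnit")
    d.add("ou=students,dc=example,dc=ac,dc=uk", objectClass="organizationalUnit")
    d.add("cn=alice,ou=staff,dc=example,dc=ac,dc=uk", objectClass="person",
          mail="alice@example.ac.uk", telephoneNumber="01234 000001")
    d.add("cn=bob,ou=students,dc=example,dc=ac,dc=uk", objectClass="person",
          mail="bob@example.ac.uk")
    return d


if __name__ == "__main__":
    directory = build_sample_dit()
    # The single "telephone directory" lookup the slides argue for:
    for dn in directory.search("dc=example,dc=ac,dc=uk", objectClass="person"):
        print(dn, directory.entries[dn].get("telephonenumber", "-"))
```

The parent-before-child rule in `add` is the property that makes the DIT a tree rather than a flat table: every entry’s position is given by its DN, so the hierarchy X.500 defined survives unchanged even though the access protocol on top of it (LDAP over TCP/IP) is much simpler.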

Microsoft and X.500

In 1996, Microsoft launched version 4 of its mail server software, Exchange
Designed also to provide the infrastructure to enable DAP clients to access Microsoft Exchange directory service information…
• client served as an X.500 DAP client to DAP-compliant directories
  » e.g. U.S. Government Defense Messaging System (DMS)

Also designed to manage table entries efficiently using a new object-oriented database engine called ESE (Extensible Storage Engine)

Microsoft and LDAP

Microsoft wanted to use X.500 in the directory service planned for the next version of NT
• like Michigan University, found X.500 cumbersome, and adapted LDAP

Supporting the Open Directory Services Interface (ODSI), Microsoft helped build a PKI service provider (Verisign) that supports the LDAP protocol
• allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces
• Microsoft Exchange Server 4 supported LDAP
• Internet Explorer supported LDAP from v4 onwards

LDAP, ESE, and Active Directory

The Windows 2000 “Active Directory” service was a successful commercial roll-out of an X.500-compliant directory service
• used LDAP…
• also used (uses) ESE to manage data tables
• and DNS to integrate with www locations

The next version of Microsoft Exchange also used the ESE/LDAP/DNS combination…

Directory Services and “Active Directory”

With Active Directory, there is just one data store, known as the directory
• stored as NTDS.DIT
  » where does “.dit” originate from?
• distributed across ALL the domain controllers
• links to objects on/controlled by each of the DCs
• changes automatically replicated to all DCs
• contains details of:
  » stored objects
  » shared resources
  » network user and computer accounts

Directory Services and Domain Trees

Active Directory can also logically link domains together
• very useful for networks requiring more than one domain
• each domain in the directory is identified by a DNS domain name and requires one or more domain controllers

Multiple domains with contiguous DNS domain names make up a parent-child structure known as a domain tree
If domain names are non-contiguous, they form separate domain trees

“Trust Relationships” between NT Domains

This system of account authentication between domains was established in the Windows NT architecture
• trust relationships are transitive
  » users and computers can be authenticated between any domains

However, Windows NT trust relationships were isolated and individual

Active Directory Trust Relationships

Extends the principle…
• domains can link together in a schematic way
• to form “domain trees”

Trust relationships are automatically created between adjacent domains (parent and child domains) in the tree
• users and computers can now be authenticated between ANY domains in the domain tree

So how does this all work securely in practice, across an entire enterprise?
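The two slides above (contiguous DNS names forming a tree, and automatic parent-child trusts chaining transitively across that tree) can be worked through in code. The following is an added example, not part of the lecture and not Microsoft’s implementation: it groups constructed domain names into trees, then finds the chain of trusts that a referral would follow between two domains, and shows that two separate trees have no chain until tree-root trusts link them into a forest. It assumes “contiguous” means a child’s DNS name is its parent’s name with one extra leading label.

```python
"""Added example (not from the slides): grouping Active Directory domains
into domain trees by DNS-name contiguity and walking the automatic
parent-child trusts transitively to decide whether a principal in one
domain can be authenticated in another. Domain names are constructed."""

from collections import deque


def build_trees(domain_names):
    """A domain whose name with its leftmost label removed is itself a domain
    is that domain's child (contiguous namespace); anything else is the root
    of its own tree. Returns (roots, trusts) where trusts is an undirected
    adjacency map of the automatic two-way parent-child trusts."""
    domains = {d.lower().strip(".") for d in domain_names}
    trusts = {d: set() for d in domains}
    roots = []
    for d in sorted(domains):
        parent = d.partition(".")[2]
        if parent in domains:
            trusts[d].add(parent)
            trusts[parent].add(d)
        else:
            roots.append(d)
    return roots, trusts


def tree_members(root, trusts):
    """Every domain reachable from `root` through parent-child trusts."""
    seen, queue = {root}, deque([root])
    while queue:
        d = queue.popleft()
        for neighbour in trusts[d]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def trust_path(src, dst, trusts):
    """Chain of trusts a referral would follow from src to dst, or None when
    no chain exists (separate trees with no link between them)."""
    src, dst = src.lower(), dst.lower()
    previous = {src: None}
    queue = deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            path = []
            while d is not None:
                path.append(d)
                d = previous[d]
            return path[::-1]
        for neighbour in trusts[d]:
            if neighbour not in previous:
                previous[neighbour] = d
                queue.append(neighbour)
    return None


def join_forest(roots, trusts):
    """Model the tree-root trusts that link separate trees into one forest:
    every other tree root is trusted two-way by the forest root (roots[0])."""
    for other in roots[1:]:
        trusts[roots[0]].add(other)
        trusts[other].add(roots[0])


# Constructed forest: one tree under corp.example, a second under lab.test.
DOMAINS = ["corp.example", "eu.corp.example", "sales.eu.corp.example",
           "us.corp.example", "lab.test", "dev.lab.test"]

if __name__ == "__main__":
    roots, trusts = build_trees(DOMAINS)
    print("trees:", {r: sorted(tree_members(r, trusts)) for r in roots})
    print(trust_path("sales.eu.corp.example", "us.corp.example", trusts))
    print(trust_path("sales.eu.corp.example", "dev.lab.test", trusts))   # None: separate trees
    join_forest(roots, trusts)
    print(trust_path("sales.eu.corp.example", "dev.lab.test", trusts))   # now routed via the roots
```

The security point the path makes visible: a user in `sales.eu.corp.example` is never authenticated directly by `us.corp.example`; the request is referred up through every domain on the chain, so each of those domains’ controllers is implicitly relied upon.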

Access Controls

The set of security mechanisms used to define and control what a user can do as a result of logging on to a secured environment
• enforce “authorisation”
• “identification” and “authentication” may also be associated with logging on

Effect includes:
• access to systems & resources
• interactions users can perform

Accountability

The broad security concept of being able to hold a human to account for their actions, using…
• a strong authentication environment so one user cannot masquerade as another
• strict imposition of “least privilege”
• regular monitoring of the network environment
• rigorous inspection of audit logs

Auditing

Essential component of security monitoring
A network can generate lots of data on a wide variety of network functions and the results they return
• this is readily customisable to focus on, for example, the behaviour of particular users or resources
• data normally saved as timestamped .log files
• audit files help to ensure accountability for user behaviour
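The accountability and auditing slides describe inspecting timestamped logs; what that inspection looks like in practice is shown by the added example below (not from the lecture). It parses constructed log lines, flags accounts with repeated logon failures inside a short window, checks privilege use against a constructed policy, and narrows the review to a single user as the slide suggests. The log format, host and user names and the policy are all constructed for this example.

```python
"""Added example (not from the slides): reviewing timestamped audit log
lines for accountability. The log format, hosts, users and the privilege
policy are constructed for this example; a real audit source (for instance
the Windows Security event log) carries the same fields under other names."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2010-10-04T09:15:02Z host=fs01 event=logon_failure user=alice src=10.0.0.5 reason=bad_password
2010-10-04T09:15:09Z host=fs01 event=logon_failure user=alice src=10.0.0.5 reason=bad_password
2010-10-04T09:15:20Z host=fs01 event=logon_failure user=alice src=10.0.0.5 reason=bad_password
2010-10-04T09:15:31Z host=fs01 event=logon_success user=alice src=10.0.0.5
2010-10-04T09:40:00Z host=fs01 event=logon_success user=bob src=10.0.0.9
2010-10-04T09:41:12Z host=fs01 event=privilege_use user=bob privilege=SeBackupPrivilege object=payroll
2010-10-04T10:02:45Z host=dc01 event=logon_failure user=carol src=192.0.2.77 reason=bad_password
2010-10-04T11:30:00Z host=dc01 event=logon_success user=carol src=10.0.0.12
"""

# Constructed policy: which accounts are permitted to exercise each privilege.
ALLOWED_PRIVILEGES = {"SeBackupPrivilege": {"backupsvc"}}


def parse_line(line):
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` logon failures inside any `window`.
    A per-user deque keeps only failures newer than (current - window)."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev.get("event") != "logon_failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = (q[0], ev["ts"], len(q))
    return flagged


def unauthorised_privilege_use(events, allowed=ALLOWED_PRIVILEGES):
    """Privilege use by an account the policy does not list for that privilege."""
    return [(ev["user"], ev["privilege"], ev.get("object"))
            for ev in events
            if ev.get("event") == "privilege_use"
            and ev["user"] not in allowed.get(ev["privilege"], set())]


def activity_of(events, user):
    """Focus the review on one user, as the slide suggests."""
    return [ev for ev in events if ev.get("user") == user]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, (first, last, n) in repeated_failures(events).items():
        print(f"{user}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for user, priv, obj in unauthorised_privilege_use(events):
        print(f"{user} used {priv} on {obj} without authorisation")
```

Two design points worth noting: the failure check is a sliding window, so a single stale failure hours earlier (carol’s) does not raise an alert, and the privilege check compares what was exercised against what policy says the account should hold, which is the audit-side half of “least privilege”.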

Authentication Factors

Classified as type 1, type 2, or type 3:

Type 1: Knowledge based (what the user knows)
• information provided based on unique knowledge of the individual being authenticated

Type 2: Token based (what the user has/does)
• information comes from a token generated by a particular system
• token is tied in some way to the user logging on
• generally not considered a good idea on its own because someone else could have stolen/copied it

Type 3: Characteristic based (what the user is)
• biometric data from the person logging in

One-time Passwords (OTP)

Can only be used once…
• if the user gets it wrong, it becomes invalid…
  » locked out
  » has to contact administrator to reset

Implemented as a type 2 factor
• password characters randomly generated

If used properly…
• very secure indeed
• problem: degree of randomness…
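The OTP behaviour described on this slide (single use, a wrong attempt invalidates the code and locks the account until an administrator resets it) and the “degree of randomness” problem are worked through in the added example below, which is not from the lecture. It draws codes from the operating system’s cryptographic random source via Python’s `secrets` module, stores only a keyed hash of each outstanding code, and reports the entropy of a given code length and alphabet so that two formats can be compared. The class, its method names and the key are this example’s own.

```python
"""Added example (not from the slides): server-side handling of one-time
passwords as the slide describes (single use; a wrong guess invalidates the
code and locks the account until an administrator resets it), plus the
'degree of randomness' point. Codes come from the OS CSPRNG via `secrets`,
and the entropy of a code format is computed for comparison. Names and
interfaces are this example's own."""

import hashlib
import hmac
import math
import secrets
import string

DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits


def generate_otp(length=8, alphabet=ALNUM):
    """Each character chosen by the CSPRNG; `random.choice` would be predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def otp_entropy_bits(length, alphabet):
    """Bits of entropy in a uniformly random code of this length/alphabet."""
    return length * math.log2(len(alphabet))


class OtpServer:
    def __init__(self, secret_key):
        self._key = secret_key   # constructed key; hashes issued codes at rest
        self._issued = {}        # user -> keyed hash of the outstanding code
        self._locked = set()

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, length=8, alphabet=ALNUM):
        """Hand out a fresh code, or None while the account is locked."""
        if user in self._locked:
            return None
        code = generate_otp(length, alphabet)
        self._issued[user] = self._digest(user, code)
        return code

    def verify(self, user, code):
        """Consume the outstanding code: right or wrong it is gone, and a
        wrong guess locks the account (the slide's 'locked out' case)."""
        expected = self._issued.pop(user, None)
        if expected is None or user in self._locked:
            return False
        if hmac.compare_digest(expected, self._digest(user, code)):
            return True
        self._locked.add(user)
        return False

    def is_locked(self, user):
        return user in self._locked

    def admin_reset(self, user):
        """The administrator action the slide says the user must request."""
        self._locked.discard(user)
        self._issued.pop(user, None)


if __name__ == "__main__":
    server = OtpServer(b"constructed-demo-key")
    code = server.issue("alice")
    print("first use:", server.verify("alice", code))    # True
    print("replay:", server.verify("alice", code))       # False: already consumed
    print(f"6 digits: {otp_entropy_bits(6, DIGITS):.1f} bits, "
          f"8 alphanumerics: {otp_entropy_bits(8, ALNUM):.1f} bits")
```

The entropy figures are the quantitative form of the slide’s “degree of randomness” caveat: a six-digit code has under 20 bits, which is only safe because each code is consumed on first use and a wrong guess locks the account, so an attacker gets one attempt per issued code.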

Single Sign-On (SSO)

Log on once…
• authenticated for all servers in that environment

More a convenience matter than a security issue
• only one set of authentication factors needed
• single username/authentication factor database covering all servers

SOME very secure environments have dropped SSO in favour of separate logon for each server
• arguable whether this is necessary, but it avoids the “all eggs in one basket” argument

Password Administration

Three aspects:
• Selection
  » should be a company IS policy that includes choice of password
  » generally the number of characters is a good match with strength – the more the better
• Management
  » selection & expiration period must comply with policy
• Control
  » policy should be enforced by the network itself
  » usually achieved through use of “group policies”

Access Control Techniques

Discretionary (DAC)
• access to files/resources controlled by the administrator
• achieved through ACLs (Access Control Lists)
  » consist of ACEs (Access Control Entries)
• the granting of access can be audited

Mandatory (MAC)
• access dependent on rules/classifications
• classification dependent on security clearance levels
• hierarchical or compartmentalised, or hybrids
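The DAC and MAC models on this slide are easiest to compare side by side in code. The added example below is not from the lecture and not Windows’ own implementation: the DAC half is an ACL of ACEs evaluated the way Windows orders them (explicit deny before allow, rights from the user’s groups accumulating, every decision audited); the MAC half is a Bell-LaPadula style check combining a hierarchical level with a set of compartments, the “hybrid” the slide mentions. The users, groups, labels and the payroll object are constructed.

```python
"""Added example (not from the slides): the two access-control techniques
side by side. DAC: an ACL made of ACEs, evaluated as Windows does (an
explicit deny beats an allow; rights granted to the user or any of their
groups accumulate), with each decision audited. MAC: a Bell-LaPadula style
check with a hierarchical level and a set of compartments. The users,
groups, labels and objects are constructed for illustration."""

from dataclasses import dataclass, field

# ---- Discretionary access control ------------------------------------
READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE


@dataclass
class ACE:
    principal: str      # a user or a group name
    rights: int         # bitmask of READ/WRITE/EXECUTE
    allow: bool = True  # False makes this a deny ACE


@dataclass
class ACL:
    object_name: str
    owner: str
    aces: list = field(default_factory=list)


# Constructed group membership (user -> groups).
GROUPS = {"alice": {"staff", "payroll"}, "bob": {"staff"}, "eve": set()}
AUDIT = []   # (user, object, wanted, decision) for every access decision


def dac_check(acl, user, wanted):
    """True only if every bit in `wanted` is allowed and none is denied.
    Deny ACEs are considered before allow ACEs (canonical ACL order)."""
    principals = {user} | GROUPS.get(user, set())
    allowed = denied = 0
    for ace in sorted(acl.aces, key=lambda a: a.allow):   # denies (False) first
        if ace.principal in principals:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    decision = not (wanted & denied) and (wanted & allowed) == wanted
    AUDIT.append((user, acl.object_name, wanted, decision))
    return decision


# ---- Mandatory access control ----------------------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: int                              # hierarchical classification
    compartments: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other):
        return (self.level >= other.level
                and other.compartments <= self.compartments)


def mac_check(clearance, classification, mode):
    """Bell-LaPadula: reading needs the subject's clearance to dominate the
    object (no read up); writing needs the object to dominate the subject
    (no write down). These rules apply regardless of any ACL."""
    if mode == "read":
        return clearance.dominates(classification)
    if mode == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown mode {mode!r}")


def build_sample_acl():
    """Constructed ACL on a payroll share: staff may read, payroll may
    read and write, and bob is explicitly denied."""
    return ACL("payroll", owner="alice", aces=[
        ACE("staff", READ),
        ACE("payroll", READ | WRITE),
        ACE("bob", READ, allow=False),
    ])


if __name__ == "__main__":
    acl = build_sample_acl()
    print("alice read+write:", dac_check(acl, "alice", READ | WRITE))  # True
    print("bob read:", dac_check(acl, "bob", READ))                    # False: explicit deny
    hr_secret = Label(LEVELS["secret"], frozenset({"hr"}))
    analyst = Label(LEVELS["top_secret"], frozenset({"hr"}))
    print("read down:", mac_check(analyst, hr_secret, "read"))         # True
    print("write down:", mac_check(analyst, hr_secret, "write"))       # False
    print("audit trail:", AUDIT)
```

Note the asymmetry the example exposes: under DAC, bob loses access because a single deny ACE outranks the allow his group carries; under MAC, a top-secret analyst can read the secret HR object but cannot write to it, and a top-secret subject without the `hr` compartment cannot read it at all, whatever the ACL says.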

Remote Logon and Kerberos Authentication

The KDC can maintain a secure database of authorised users, passwords & domain names, maintained throughout an Active Directory domain tree using the Kerberos V5 security protocol
• uses strong encryption
• freely available from its inventor, MIT

Active Directory + Kerberos = a very powerful combination
• can even be used to authenticate across mobile & wireless networks

Components of “Enterprise-wide” Login with Kerberos Authentication
• Active Directory tree logically connects and “trusts” servers throughout the enterprise
• servers in their turn control access to users within domains
• group(s) selected during the user authentication process
• Group Policy Objects invoked which rewrite registry settings and control client desktops

How much security should be applied to domain users?

General rule: don’t give a user more rights than they actually need
Think carefully…
• identify security privileges appropriate to different types of user
• create a group based on each type of user

Allocate each new user to an appropriate group
• they will automatically have the appropriate access rights…

Users, Groups, Security, and NTFS Partitions

Any file or folder on an NTFS partition will have file permissions imposed
Typical permissions:
• No Access
• Read only
• Read and Execute
• Write
• Modify
• Ownership/Full Control

A much wider range of permissions is available

Point for debate: is “read only” access dangerous?

If information is held on a server and accessed by dumb terminals…
• secure enough!
• this was the case in the days of centralised networks with no distributed processing

With client-server networking, read-only means “the user can take a copy”
• is this dangerous, from an organisational security point of view?

Mechanism of Windows “access control”

User management level:
• pre-defined groups for users to belong to (prev. slides)
• control of file and service access permissions (prev.)
• trusted relationships across domains (prev.)

Translated down to system level by…
• System Policies and Group Policies
• control of user and system desktop settings

Control of End User and System Settings

Ultimately, happens through the Windows registry
• first made available to simplify configuration in Windows 95
  » effectively replaced CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI and WIN.INI by a single structure
• all settings saved into a hierarchical data file called SYSTEM.DAT

Principles extended in Windows NT v4 to allow system and user settings to be configured within a network

What is the Registry?

Five basic subtrees:
• HKEY_LOCAL_MACHINE : local computer info. Does not change no matter which user is logged on
• HKEY_USERS : default user settings
• HKEY_CURRENT_USER : current user settings
• HKEY_CLASSES_ROOT : software config data
• HKEY_CURRENT_CONFIG : “active” hardware profile

Each subtree contains one or more subkeys

Editing Registry Settings

Contents of the registry should not be changed in any way unless you really know what you are doing!!!
Special tools available for editing individual system settings:
• REGEDT32 is used to edit registry settings on Windows NT systems

Registry settings can also be overwritten in memory by data downloaded across the network…

System Policy File

Consists of a collection of registry settings
Can apply different system settings to a computer, depending on the user or group logging on
Can overwrite:
• local machine registry settings
• current user registry settings

Should therefore only be used by those who know what they are doing!!!

System Policy File

Known as NTCONFIG.POL
Normally held on Domain Controllers
Read during the logon procedure
Provides desktop settings, and therefore can be used to control aspects of the appearance of the desktop
Different NTCONFIG.POL settings can be applied according to:
• user/group
• computer

Users can still save their own desktop settings, such as shortcuts

What is a Security Policy?

A set of rules and procedures that lay down the access rights and privileges of a particular user/group of users
• should confirm the identity of the people that are attempting to access the network
• should prevent imposters from accessing, stealing, or damaging system resources

Proper implementation of system security:
• creates a computing environment that provides your users with all of the information and resources they need to be successful
• protects the information and resources from damage and unauthorized access

Principle of Least Privilege

Providing users with sufficient access to do their work…
• but no more than that!

Privileges can also be applied temporarily to provide controlled flexibility
Even individual administrators can have the principle applied to them
• if they have responsibility for particular resources…
• they shouldn’t have privileges relating to other resources not within their work remit

Group Policy in Windows 2000 (and subsequent) Networks

Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage:
• programs that are available to users
• programs that appear on the user's desktop
• Start menu options

Group Policy Objects – used with authenticated users to enhance flexibility and scalability of security beyond “domains” and “trusted domains”
Required level of trust achieved through:
• Active Directory – establishment of “trees”
• Kerberos authentication

Implementation of Group Policy Objects

Group Policy Objects are EXTREMELY POWERFUL…
• contain all specified settings to give a group of users their desktop with agreed security levels applied
• template editing tool available as a “snap-in” with Windows 2000
• creates a specific desktop configuration for a particular group of users

The GPO is in turn associated with selected Active Directory objects:
• sites
• domains
• organizational units
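The System Policy File slides say a policy is a collection of registry settings that overwrites local machine and current user settings, and this slide links GPOs to sites, domains and organizational units. The added example below (not from the lecture, and not Microsoft’s policy engine) puts the two together: it applies policy objects in the standard Group Policy order, local settings first, then site, domain and OU, so that a later layer overwrites an earlier one, and it records which policy set each effective value, the question an administrator asks when a desktop does not look as expected. The policy names, hive contents and value paths are constructed for illustration and are not the real registry locations.

```python
"""Added example (not from the slides): how layered policy becomes effective
registry settings. Each policy object is a collection of registry settings;
the standard Group Policy order (local, site, domain, organisational unit)
is applied so a later layer overwrites an earlier one, and the result
records which policy set each value. Policy names, value paths and data
are constructed for illustration, not the real registry locations."""

LAYER_ORDER = ["local", "site", "domain", "ou"]

# Constructed starting registry: two of the subtrees from the registry slide,
# with illustrative value paths.
BASE_REGISTRY = {
    "HKEY_LOCAL_MACHINE": {
        r"Software\Example\Policies\MinimumPasswordLength": "0",
    },
    "HKEY_CURRENT_USER": {
        r"Software\Example\Desktop\ScreenSaveTimeOut": "0",
        r"Software\Example\Desktop\NoControlPanel": "0",
    },
}

# Constructed policy objects: (name, layer, {hive: {value path: data}}).
# Within the "ou" layer, list parent OUs before child OUs.
POLICIES = [
    ("Site policy", "site", {
        "HKEY_CURRENT_USER": {r"Software\Example\Desktop\ScreenSaveTimeOut": "900"}}),
    ("Domain password policy", "domain", {
        "HKEY_LOCAL_MACHINE": {r"Software\Example\Policies\MinimumPasswordLength": "8"}}),
    ("Students OU policy", "ou", {
        "HKEY_CURRENT_USER": {r"Software\Example\Desktop\ScreenSaveTimeOut": "300",
                              r"Software\Example\Desktop\NoControlPanel": "1"}}),
]


def apply_policies(base_registry, policies, order=LAYER_ORDER):
    """Return (effective_registry, provenance); provenance maps
    (hive, value path) -> name of the policy that last wrote it."""
    effective = {hive: dict(values) for hive, values in base_registry.items()}
    provenance = {}
    for layer in order:
        for name, policy_layer, settings in policies:
            if policy_layer != layer:
                continue
            for hive, values in settings.items():
                effective.setdefault(hive, {}).update(values)   # later layer wins
                for path in values:
                    provenance[(hive, path)] = name
    return effective, provenance


def overwritten(base_registry, effective):
    """Settings the policy layers changed from their local value."""
    changes = []
    for hive, values in effective.items():
        for path, data in values.items():
            before = base_registry.get(hive, {}).get(path)
            if before != data:
                changes.append((hive, path, before, data))
    return sorted(changes)


if __name__ == "__main__":
    effective, provenance = apply_policies(BASE_REGISTRY, POLICIES)
    for hive, path, before, after in overwritten(BASE_REGISTRY, effective):
        print(f"{hive}\\{path}: {before!r} -> {after!r}  (set by {provenance[(hive, path)]})")
```

Running it shows the screen-saver timeout set to 900 by the site policy and then to 300 by the OU policy, which is why the provenance map matters: the effective value alone does not tell an administrator which of several GPOs to edit.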

Combined Power of Group Policies and Active Directory

Enables written user/group policies to be easily implemented in software
Enables policies to be applied across whole domains:
• beyond, in trusted contiguous domains in the domain tree
• or even across any non-contiguous domains in the same forest

Because Active Directory is X.500-compliant, all the principles of directory services apply