Presentation5 - University Of Worcester
COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2016
Week 6: A Closer look at Client-Server, Backup, & Active Directory Security
Objectives
– Client-Server, Peer-Peer & Domains
– Analyse Windows active directory as an
x500 standard & explain security features
associated with active directory
– Investigate actual security policies and how
they can be applied to Windows Server
domain(s) to protect an organisation’s data
Peer-Peer or Client-Server?
Depends on number of devices
– in theory, 8-10…realistic limit for peer-peer
– for an organisation with data management
responsibilities… 5 is the tipping point
Transition to client-server may be a
major change from being a “start up” to
a growing SME
– also means systematic data management
– but a bigger financial outlay
Peer-Peer or Client-Server?
Which is best?
– single user?
– home network?
– organisation?
Logon: Local/Remote
OSI 7 layer connectivity software!
Local boot (peer-peer)
– logon at layer 5
» session layer
» allocated a session ID
Remote boot (client-server)
– logon also at layer 5
» redirector seeks resources from the network
» check Active Directory database to find resources…
The Redirector (OSI Level 5)
Client-server service
Provides file and print connectivity between computers
– one end must be “server”
– provides the service…
[Diagram: a logged-on client process, via the redirector, requests the service; the server process provides the service.]
Client Service, Server Service
Client service works with redirector to allow access to remote objects
[Diagram: client process – TCP/IP connection – server process – filestore]
Server end of redirector:
– implemented as a file system driver
– supplies the network connections requested by the client redirector
– receives requests via adapter card drivers and TCP/IP
Network Resource Sharing
Easy! Requires use of
– UNC names, redirector & server service…
– Multiple Provider Router supports multiple redirectors (!)
Theoretically possible to connect to any
resource on any computer that supports UNC
(Universal Naming Convention) names
– Files: \\server\shared folder[\sub-folder]\filename
– Printers: \\server\shared printer
Access needs to be controlled… (!)
Access Controls
Set of security mechanisms used to control
what a user (or group of users) can do as a
result of logging on to a secured
environment
– enforce “authorisation”
– “identification” and “authentication” may also be
associated with logging on
Effect includes:
– access to systems, services & resources
– interactions users can perform
Web Apps & Service Sharing
Client-Server Web Apps executed as
services (on TCP ports):
– e.g. FTP, HTTP, SNMP
On Windows networks, services
implemented through Active Directory
– e.g. Terminal, www service, DHCP (IP addressing
to clients)
Terminal Services
Allows any PC running a version of
Windows to remotely run a Windows
server
– uses a copy of the server’s desktop on the
client machine
Client tools must be installed first, but the
link can run with very little bandwidth
– possible to remotely manage a server
thousands of miles away using a phone
connection…
www service
Provided by Microsoft’s Web Server (IIS)
– links to TCP port 80
– can also provide:
» ftp service (port 21)
» smtp service (port 25)
Purpose of www service:
– Works with http protocol to make html pages
available:
» across the network as an Intranet
» across trusted external users/domains as an Extranet
Data Storage/Backup?
“Network Directories”… & the PKI
Windows Active Directory defined as a “network
directory”
– “directories” not to be confused with “folders”…
» former generally a data store that changes only infrequently…
e.g. a telephone directory
» to avoid confusion, computer-based directories also called
“repositories”
Lots of different “network databases” on the web
– often contain same info... (but not linked!)
» if one is updated (e.g. someone’s address) all should be updated – but unlikely to be
the case with separate databases…
– Single DISTRIBUTED database a more effective solution!
A Distributed Directory for
the whole Internet?
Public Key “look up” provides…:
– use just one repository (meta directory) for all of that
category of info (like a global telephone directory!)
– on the web as a “directory service”
– Applications directly access that info using LDAP
Can same principles be applied to other
information?
– Yes… e.g. Active Directory!
» used for organizational information
Internet Development via
(RFCs)
Method of applying new software to the
Internet (including PKI)
– RFC = Requests for Comments
– similar in practice to “de jure” standards
New protocol idea?
– proposal sent to IESG (who?)
» rejected or becomes draft protocol
» draft protocol implemented in appropriate language
(usually C, C++ or C#)
RFCs and X509
(Digital Certificate Lookup)
Repository had to follow X500 standard
to be “Internet compatible”
– original X509 specification: RFC1422 (1993)
– first draft of LDAP interface protocol
submitted to RFC1823 (1995)
Refined through new RFCs many
times…
– current version RFC5280 (2008)
Who are IESG
(and IETF?)
IETF: representatives of the super geek technical
wizards who create and update Internet software
IESG provides technical management (via RFCs) of
IETF activities
– power to translate RFC proposals into RFC standards
– RFC then given consideration as a standard…
– draft RFC eventually may become a true Internet standard
LDAP protocol & x509 database standard
– good example of successful evolution
X500 Architecture
Implementation of data management adhering
to the OSI model…
– X500 agreed database spec: RFC 1006
– universal standard for apps using TCP/IP networks
Full X500 Architecture:
Many protocols: DMD, DUA, DIB, DIT, DSA,
DAP, DSP, DISP, DOP
» DIT… implemented as Active Directory (directory information
base – object oriented!)
» DSA… works with DIT to distribute data across servers
Microsoft Exchange and x500
Exchange v4
X500 compliant email server
enabled DAP clients to access its directory
service information…
Client-end X500 DAP-compliant
– Outlook as network client
– Outlook Express as Internet client
– client for US gov. defence messaging
Database for Exchange Server
ESENT (Extensible Storage
Engine… NT)
» single file organised in a balanced B-tree
hierarchical structure
db engine ESE (JET blue)
» uses ISAM (Indexed and Sequential Access)
» manages data efficiently
crash recovery mechanism ensures data consistency
maintained even in the event of a system crash
– Available in Windows as ESENT.DLL
LDAP, ESE, and Active Directory
According to Microsoft…
– “Active Directory incorporates decades of
communication technologies…”
Commercial (as opposed to open source)
roll out of X500 compliant directory service
using
– ESE to manage data
– DNS to integrate with www locations
– LDAP to manage PKI requests…
Continuous Development of AD
Windows 2000 only the beginning…
Continued work with IETF
– Group Policies managed through AD
– Exchange v5 also used the ESE/LDAP/DNS
enhancement…
Each new version of Windows Server
extends AD resources, services, and
access control further…
Directory Services and AD
Active Directory… one data store
– stored as NTDS.DIT
Distributed across ALL domain controllers
– links to objects on/controlled by each dc
– changes automatically replicated to all dcs
– details of:
» stored objects
» shared resources
» network user and computer accounts
AD, DNS, and Domain Trees
AD perfectly Internet-compatible (designed
that way!)
Can logically link multiple domain systems
together
– domains with contiguous DNS domain names,
make up a parent-child structure known as a
domain tree
– each domain in the directory is identified by that
DNS domain name
But if Domain Names are non-contiguous, they
would form separate domain trees
“Trust Relationships” between
Windows Domains
AD enables trust relationships through
DNS naming of domains within a tree (i.e.
contiguous domains)
– users and computers can be authenticated
between any contiguous domains
Active Directory
Trust Relationships
Trust relationships automatically created
between adjacent domains (parent and child
domains) in the tree by AD
– users and computers can be authenticated
between ANY domains in the domain tree
So how does this all work securely in
practice, across an entire enterprise????
– use of DNS, of course!
Active Directory
and IP addresses
DNS (Domain Name System)
– Internet-based system for naming host
computers, linked to IP addresses
Active Directory
– each server has a unique IP address
– only domains have unique DNS identity
Managing Security Across a
Directory Tree
Different admin levels:
– domain admin: look after domain
– enterprise admin: control all domains
in the organisation!
» justification of those large salaries?
Implemented through Group Policies…
– users have different needs
– policies need to be right (!)
Structure of an Active Directory Tree
Hierarchical system of organisational data objects
A Tree can be
» single domain with org. units
» group of domains
Domain, Trees & Forests
Domain objects divide into organisational units
(OUs)
– Microsoft recommend using OUs in preference to
domains for imposing structure for admin purposes
» flexibility to use either one domain or several…
“Forest” contains data needed to connect all
objects in the tree, and even to connect different trees
Logical linking creates “trusts” for remote
users
Remote Logon
(outside the tree)
MIT (remember them?) Developed Kerberos
authentication
– Series of KDC (Kerberos Distribution Centres)
– each a secure database of authorised users,
passwords
– uses strong encryption & freely available…
Active Directory + Kerberos = Very
Powerful combination
– Even used to authenticate across mobile &
wireless networks
Components of “Enterprise wide”
Login with Kerberos authentication
Active Directory tree logically connects and
“trusts” servers throughout the enterprise
Servers in their turn control access to users
within domains
Group(s) selected during the user
authentication process
Group Policy Objects invoked which rewrite
registry settings and control client desktops
Groups and Group Policy
May be convenient for managers and
administrators to put users into groups
– settings for the group provide particular
access to data & services
Problems…
– user in wrong group(s)
– group has wrong settings
Group Policy in practice on
Windows Networks
Group Policy settings
– define components of the user's desktop environment
that a system administrator needs to manage:
» programs that are available to users
» programs that appear on the user's desktop
» Start menu options
Group Policy Objects
– used with authenticated users to enhance flexibility and scalability of
security beyond “domains”, and “trusted domains”
Required level of trust to share policy achieved through:
– Active directory “trees” based on DNS
– Kerberos authentication
Implementation of Group
Policy Objects
Group Policy Objects (GPO) are EXTREMELY
POWERFUL…
– contain all specified settings to give a group of users
their desktop with agreed security levels applied
– template editing tool available as a “snap-in” with
Windows Servers
» Policy provides a specific desktop configuration for a particular
group of users
The GPO is in turn associated with selected
Active Directory objects:
– Sites, Domains, organizational units
Combined Power of Group
Policies and Active Directory
Enables written user/group policies to be
easily implemented in software
Enables policies to be applied across whole
domains:
– beyond in trusted contiguous domains in the
domain tree
– Or, using Kerberos, even across any non-contiguous domains in the same forest
The Registry and User Control
Simple data store…
– very many user settings
Settings uploaded into memory on bootup
– easily overwritten by settings from group
policy files
– resultant policy controls user’s desktop
What is The Registry?
A hierarchical and “active” store of system and
user settings viewable using REGEDT32.exe
Five basic subtrees:
– HKEY_LOCAL_MACHINE : local computer info.
Does not change no matter which user is logged on
– HKEY_USERS : default user settings
– HKEY_CURRENT_USER : current user settings
– HKEY_CLASSES_ROOT : software config data
– HKEY_CURRENT_CONFIG : “active” hardware
profile
Each subtree contains one or more subkeys
Location of the Windows Registry
c:\windows\system32\config
– “users” may be denied access
Six files (no extensions):
– Software
– System – hardware settings
– Sam, Security
» not viewable through regedt32
– Default – default user
– Sysdiff – HKEY USERS subkeys
Also: ntuser.dat file
– user settings that override default user
Web Server: IIS (or Apache…)
Provides server end program execution
environment:
– runs server-scripts
Sets up its own directory structure on the
Server for developing Intranets, Extranets,
etc.
Sets up http communication via TCP port 80
in response to client request
Client end:
– browser HTML display environment on client
“Static” web page service
client (browser) requests information (HTML page)
server (IIS, web server) processes the request, sends
HTML page back to the client…
[Diagram: CLIENT – client program sends request, reads results; SERVER – server program processes request, sends back results.]
How a Static Web Page gets displayed
First of all, the relevant HTML document must be retrieved:
1. user types the URL into a one-line text window in browser
2. browser passes the text to the remote web server (via default Internet gateway)
How a Static Web Page gets displayed (2)
3. Web server locates the file for that web page in its own storage folders
4. File containing HTML etc. code copied back to default gateway
5. then routed to the IP address of the local computer
How a Static Web Page gets displayed (3)
6. File suffix checked by browser…
7. If .htm or .html suffix:
– HTML etc. code is read & processed by local CPU using a program called an interpreter
How a Static Web Page gets displayed (4)
8. Results of processing passed to graphics card CPU
– converted into binary display signals by the CPU and graphics card
9. Signals transmitted to screen; web page displayed…
More Features of Web Servers
Access to any client-server service can
be restricted using username/password
security at the server end
– or could bypass security with “anonymous
login”
» uses a “guest” account – access granted only
to files that make up the Intranet
» prevents worries about hacking in through
guessing passwords of existing users
Client-Server Web
Applications
Associated with “dynamic” web pages
Web servers provide a server-side
environment that can allow browser data to
query remote online databases using
SQL…
– processing takes place at the server end…
» usually .aspx or .php
– centralised and secure!
Secure Web Pages &
Applications
SSL (Secure Sockets Layer)
– layer 5 protocol, sandwiched between
Transport Layer and screen
– provides functionality for secure viewing of
a web page e.g. via username/password
Some recent challenges to
client-server applications
apps (especially phone apps…) using
local processing, even storage (!)
– open to wireless retrieval?
– issue of availability v security
Server with logically attached database
can be wide open to attack by SQL
injection…(e.g. Talktalk website, 2015!)
The Active Directory “store”
Global Catalog
– stored as file NTDS.DIT when the first
domain controller is created
– distributed across all domain controllers
» covers all “objects” on domain controllers
e.g. shared resources such as servers, files, printers;
network user and computer accounts
– directory changes automatically replicated
to all domain controllers
Group Policies and
Network Access
Active directory controls access to all
network resources
Achieved through giving the right users
the right group policies
How can the network administrator
know what policies to allocate to which
user(s)…
– groups must have appropriate settings
Managing Group Policy
Group Policy Management Console
(Windows 2003 onwards…)
– used to create group policies and upload
them into Active Directory
– particularly useful for testing/viewing the
resultant profile of interaction between
several group profiles in a particular order
Security Features of
Active Directory (1)
SSL (secure OSI level 5)
for e-commerce…
Internet Information Server (IIS) supports
websites accessible only via https/SSL
LDAP over SSL
LDAP important for internet lookup
used with secure sockets layer (SSL) for
checking server credentials for extranet and e-commerce applications
Security Features of
Active Directory (2)
Transitive Domain Trust
default trust between
contiguous Windows
domains in a domain tree
greatly reduces
management overhead
Security Features of
Active Directory (3)
Kerberos Authentication
authentication of users on remote domains
not part of the same DNS zone
Smart Card Support
logon via smart card for strong
authentication to sensitive resources
Active Directory and
“controlling” Users
“Groups” already well established for
managing network users
Active directory centrally organised resources
including all computers
– allowed groups to become more powerful for user
management
– exploited by enabling the organisation of users
and groups of users into:
» organisational units
» sites
» domains
Managing Domain Users with
Active Directory
Same user information stored on all
domain controllers
Users can be administered at, or by secure
access to an administrator on, any
domain controller for that domain
– flexibility but potential danger!
How AD Provides Security
Arranged through “security principal(s)”
– i.e. users, computers, groups, or services
(via service accounts)
» each has a unique identifier (SID)
» Manage which SIDs have access to what through
“access tokens”
Validates the authentication process…
– for computers, at startup
– for users, at logon
Access Tokens
Generated when a user logs on to the
network
Contents:
– user’s SID
– SIDs for each group to which the user is a
member
– assigned user rights or privileges as a result of
processing the IDs in the specified order
ACE (Access Control Entries)
Each object or resource has an access
control list (ACL) e.g.
– objects and their properties
– shared folders and printer shares
– folders and files within the NTFS file system
ACEs contained within ACL
– protects resource against unauthorised users
More on ACLs
Two distinct ACLs for each object or
resource:
– discretionary access control list (DACL)
» list of the SIDs that are either granted or denied
access and the degree of access that is allowed
– system access control list (SACL)
» list of all the SIDs whose access or manipulation of
the object or resource needs to be audited, and the
type of auditing that needs to be performed
Mechanism of AD security
Users are usually assigned to several groups
When a user attempts to access a directory
object or network resource…
– the security subsystem…
» looks at the SID for the user and the SIDs of the security
groups to which the user is a member
» checks to see whether it/they match the security descriptors
assigned to the resource
If there is a match…
– user is granted the degree of access to the
resource that is specified in the ACL
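The slides above describe the pieces (a logon-time access token holding the user's SID and group SIDs, a DACL of allow/deny ACEs, a SACL saying what to audit) and the matching walk the security subsystem performs. The following added example, written for this page and not part of the lecture or of Windows itself, simulates that evaluation order in Python. The SIDs, the access-right bits, the finance share and the three users are all constructed for the example; only S-1-1-0 (Everyone) is a real well-known SID.

```python
from dataclasses import dataclass, field

# Access-right bits, constructed for this example (Windows' real mask is richer,
# but the DACL walk is the same). SIDs are constructed too; S-1-1-0 is Everyone.
READ, WRITE = 0x1, 0x2
EVERYONE = "S-1-1-0"
ALICE, BOB, CAROL = "S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-1002", "S-1-5-21-EXAMPLE-1003"
DOMAIN_USERS, FINANCE, INTERNS = "S-1-5-21-EXAMPLE-513", "S-1-5-21-EXAMPLE-2001", "S-1-5-21-EXAMPLE-2002"

@dataclass
class Ace:
    """One DACL entry: grant (allow=True) or deny the rights in `mask` to `sid`."""
    sid: str
    mask: int
    allow: bool

@dataclass
class AuditAce:
    """One SACL entry: audit successful and/or failed use of `mask` by `sid`."""
    sid: str
    mask: int
    on_success: bool = True
    on_failure: bool = True

@dataclass
class SecurityDescriptor:
    dacl: list                                # canonical order: denies before allows
    sacl: list = field(default_factory=list)

@dataclass
class AccessToken:
    """Generated at logon: the user's SID plus the SID of every group they are in."""
    user_sid: str
    group_sids: list

    def sids(self):
        return {self.user_sid, EVERYONE, *self.group_sids}

def check_access(token, sd, requested, audit_log):
    """Walk the DACL in order as the security subsystem does: a matching deny ACE
    covering a still-ungranted requested right ends the walk (denied), allow ACEs
    accumulate rights until all requested bits are granted, and reaching the end
    of the DACL is an implicit deny. The SACL then decides what gets audited."""
    sids = token.sids()
    granted, allowed = 0, False
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & requested & ~granted:
                break                                  # explicit deny wins
        else:
            granted |= ace.mask
            if granted & requested == requested:
                allowed = True
                break
    for entry in sd.sacl:                              # SACL says what to audit, not who may
        if entry.sid in sids and entry.mask & requested:
            if (allowed and entry.on_success) or (not allowed and entry.on_failure):
                audit_log.append((token.user_sid, requested, "success" if allowed else "failure"))
                break                                  # one audit event per attempt
    return allowed

# Constructed resource: security descriptor of a shared finance folder.
FINANCE_SHARE = SecurityDescriptor(
    dacl=[Ace(INTERNS, WRITE, allow=False),            # explicit deny, listed first
          Ace(FINANCE, READ | WRITE, allow=True),
          Ace(DOMAIN_USERS, READ, allow=True)],
    sacl=[AuditAce(EVERYONE, WRITE, on_success=False, on_failure=True)])

ALICE_TOKEN = AccessToken(ALICE, [DOMAIN_USERS, FINANCE])        # constructed logon tokens
BOB_TOKEN = AccessToken(BOB, [DOMAIN_USERS, INTERNS, FINANCE])  # intern who is also in Finance
CAROL_TOKEN = AccessToken(CAROL, [])                            # no group membership at all

if __name__ == "__main__":
    log = []
    print(check_access(ALICE_TOKEN, FINANCE_SHARE, WRITE, log))  # True
    print(check_access(BOB_TOKEN, FINANCE_SHARE, WRITE, log))    # False: the deny ACE wins
    print(check_access(BOB_TOKEN, FINANCE_SHARE, READ, log))     # True
    print(log)                                                   # one failure event for Bob
```

Bob is in Finance, which would grant write, but the deny ACE for Interns is listed first and matches one of his token SIDs, so the write is refused and audited; his read still succeeds through Domain Users.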
Power of Group IDs in
Policy-based Security
Group Policy…
allows groups of users to be granted or denied
access to or control over entire classes of objects
and sets of resources
allows security & usage policies to be established
separately for:
» computer accounts
» user accounts
can be applied at multiple levels:
» users or computers residing in a specific OU
» computers or users in a specific AD site
» an entire AD domain
Active Directory and
Group Policy
Power of Group Policy:
– allows network administrators to define and
control the policies governing:
» groups of computers
» groups of users
– administrators can set group policy for any
of the sites, domains, or organizational units
in the Active Directory Domain Tree
Monitoring Group Policy
Policies, like permissions, are ADDITIVE
– watch simulation… (AGAIN!)
Windows Network client logon
– need to assess which specific cumulative set of
policies were controlling the environment for a
specific user or computer
Windows 2003 GPMC
– tracking and reporting the Resultant Set of Policy
(RSoP):
» net effect of each of the overlapping policies on a specific user
or computer within the domain
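The slides on the combined power of Group Policy, its levels of application and the Resultant Set of Policy say that policies are additive and that GPMC reports the net effect. The added example below, written for this page rather than taken from the lecture or from GPMC, computes that net effect in Python for a chain of containers: site, domain, then OUs, with security filtering, Block Inheritance and Enforced links. The SIDs, containers and GPO settings are constructed; S-1-5-11 (Authenticated Users) is the only real well-known SID used.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict                  # policy setting name -> value
    security_filter: set = None     # group SIDs the GPO is filtered to; None = Authenticated Users
    enforced: bool = False          # "Enforced" link: survives Block Inheritance and wins conflicts

@dataclass
class Container:
    """A scope that GPOs are linked to: site, domain or organisational unit."""
    name: str
    gpos: list = field(default_factory=list)   # in link order, first applied first
    block_inheritance: bool = False

def resultant_set_of_policy(chain, token_sids):
    """RSoP for a principal whose access token carries the group SIDs `token_sids`.

    `chain` lists the containers top-down: site, domain, then OUs from the domain
    root to the OU that holds the user or computer (the local GPO is omitted here).
    GPOs apply in that order and are additive: a later GPO overrides an earlier one
    only for the settings it defines. Block Inheritance drops the non-enforced GPOs
    linked above that container; enforced GPOs apply last, parent after child, so
    the highest enforced link wins any conflict. Returns the effective settings and
    the winning GPO for each one, as the GPMC RSoP report does.
    """
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []                          # discard inherited, non-enforced links
        for gpo in container.gpos:
            if gpo.security_filter is not None and not (gpo.security_filter & token_sids):
                continue                         # security filtering: GPO not for this principal
            (enforced if gpo.enforced else normal).append(gpo)
    effective, winner = {}, {}
    for gpo in normal + list(reversed(enforced)):
        for setting, value in gpo.settings.items():
            effective[setting] = value           # last writer wins
            winner[setting] = gpo.name
    return effective, winner

# Constructed forest: SIDs, containers and GPOs are examples, not from a real domain.
# S-1-5-11 is the well-known Authenticated Users SID.
AUTH_USERS, FINANCE_ADMINS = "S-1-5-11", "S-1-5-21-EXAMPLE-3001"
SITE = Container("HQ-Site", [Gpo("HQ Site Desktop", {"ScreenSaverTimeout": 300})])
DOMAIN = Container("example.local", [
    Gpo("Default Domain Policy", {"MinPasswordLength": 8, "LockoutThreshold": 5}, enforced=True),
    Gpo("Corp Desktop", {"Wallpaper": "corp.jpg", "ScreenSaverTimeout": 600}),
])
SALES_OU = Container("OU=Sales", [Gpo("Sales Desktop", {"Wallpaper": "sales.jpg"})])
FINANCE_OU = Container("OU=Finance", [
    # tries to weaken the password policy: loses to the enforced domain GPO
    Gpo("Finance Lockdown", {"Wallpaper": "finance.jpg", "RemovableStorage": "deny", "MinPasswordLength": 4}),
    Gpo("Finance Admin Exception", {"RemovableStorage": "allow"}, security_filter={FINANCE_ADMINS}),
], block_inheritance=True)

if __name__ == "__main__":
    for label, chain, sids in [("sales user", [SITE, DOMAIN, SALES_OU], {AUTH_USERS}),
                               ("finance user", [SITE, DOMAIN, FINANCE_OU], {AUTH_USERS}),
                               ("finance admin", [SITE, DOMAIN, FINANCE_OU], {AUTH_USERS, FINANCE_ADMINS})]:
        effective, winner = resultant_set_of_policy(chain, sids)
        print(label, {k: (v, winner[k]) for k, v in effective.items()})
```

The Finance OU blocks inheritance, so its users lose the corporate desktop settings, yet the enforced Default Domain Policy still reaches them and overrides the OU's weaker password length; only members of the filtered group get the removable-storage exception.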
Protecting the network
administrator password!
File security assumes that only the
network manager can log on as
administrator
– but if a user can guess the password… (!)
Strategies:
– rename the administrator account to something
more obscure
– only give administrator password to one other
person
– change administrator password regularly
Extending User/Group
Permissions beyond a domain
Possible for user permissions to be safely
applied beyond the local domain
– so users on one network can gain access to files on another
network
– authentication controlled between servers on the local
and trusted domains
Normally achieved through “adding” groups from
a trusted domain
NOT the same as “remote logon”
– needs special username/password authorisation…
Controlling/Monitoring Group
Policy across Domains
AD across a distributed enterprise…
– “enterprise” administrators have the authority to
implement and alter Group Policies anywhere
– important to manage and restrict their number...
Enterprise admins need to inform domain admins:
– what has changed
– when it changed
– the implications of the change for directory and network
operations…
Otherwise…
– a change to Group Policies affecting a domain might
occur with disastrous consequences
Server-side scripts
& dynamic Web pages
This time, the programming code is sent to
and runs at the web server end…
– creates a web page for the client end
– if database data being returned, needs a table to
display the data
How does this all work?
Server-side scripts etc…
If the data picked up from the server has
been changed (e.g. by use of SQL query)…
– the client display is changed
– web pages become “dynamic”
» i.e. readily changeable without changing the web page code
Effect:
– by triggering SQL commands on the server, a
local web page gives an appearance of interacting
directly with a database
Web Dynamic Client-Server Model
Server-Side processing – typical web-based client-server app:
1. HTML form displayed on a web browser at the client end collects data
2. Using HTTP, form data sent to web server
Web Dynamic Client-Server Model
3. The web server processes the data according to instructions on a specified server script
4. Using HTTP, the results of processing generated as specified by the script are sent back to the client
Web Dynamic Client-Server model
5. The web browser on the client machine displays the results on a web page in a specified position
This gets even more complex when a database, and database programming, are also involved at the server end…
Managing User Profiles
Windows Server “Disk Quotas”:
– allows administrators to track and control user
NTFS disk usage
» coupled with Group Policy and Active Directory
technology
» easy to manage user space
» even enterprise-wide…
– users find this irritating but stops them keeping
data they’re never likely to use again…
User Rights
Users MUST NOT have access to
sensitive parts of the system (e.g.
network servers, local system software)
– operating system can enforce this
Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the
software could be misused…
» cf. no-one is allowed to drive a car because some
drivers cause accidents!
Possible Security Features
of a Network
Information labelling and handling
Equipment siting and protection
Supporting utilities
Cabling security
Maintenance
Secure disposal or re-use
Separation of development, test and operational
facilities
Controls against malicious code
Controls against mobile code
Information back-up
Network controls
Security of network services
Electronic messaging
On-line transactions
Publicly available information
Audit logging
Auditing system use
Protection of log information
Clock synchronisation
Privilege management
Equipment identification in networks
Remote diagnostic and configuration port
protection
Segregation in networks
Network connection control
Network routing control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Information access restriction
Sensitive system isolation
Input data Verification
Control of internal processing, including Least
Privilege
Message integrity
Output data Verification
Cryptographic controls
Key management
Technical vulnerability management (patches and
updates)
Collection of evidence
A Checklist of areas to consider, abstracted from ISO/IEC 27001 / 27002 Control Sets
[TSI/2012/183]
© Copyright 2003-2012
Network Management
The network manager has two (conflicting?)
responsibilities
– provide facilities and services that users need to
do their jobs
– protect the network against abuse by naïve or
malign users
General perception (by users!)…
– network managers are more concerned with
“protecting the network” than servicing the needs
of its users
The “good insider”… Threat (?)
Users: employees, who (generally) want to do
their job, and do it well…
Possible conflict with the “security-orientated”
or “nanny-state” approach to network
management
Personal opinion: needs balance
– the network IS there for the benefit of the users…
» fulfill business objectives
– the network MUST be as secure as reasonably
possible
» protect valuable company data
NOT Getting the balance right…
Worrying web page (BBC, 19/11/10):
http://www.bbc.co.uk/news/business11793436
BBC’s own network users so frustrated about
IT restrictions stopping them doing their jobs
that many (typically 41% according to a
CISCO survey) ignore the rules!