Post on 12-Jan-2016
transcript
Security Seminar ‘06
Building Identity Management Solutions
Michael Kleef, IT Pro Evangelist
Microsoft, http://blogs.technet.com/mkleef
Session Overview
What’s now available?
Has the SSO landscape changed?
Kerberos Federation with UNIX/Linux
How to provision with MIIS
Other stuff you should think of:
- Workflow
- Policy Compliance
- Sync’ing passwords
- InfoCard
Identity Management Services
Three areas: Access Management; Directory Services; Identity Lifecycle
Goals: Provide access based on policy; Manage identity lifecycle; Ensure users are who they claim to be
Technologies: Directory Services; Lifecycle Management; Strong Authentication; Federated Identity; Certificate Services; Role-based Access Control; Audit Collections Services; Group Policy Management Console
Allow only legitimate users secure, policy-based access to machines, applications and data
Services: Identity and credential data; Identity Selector; Provisioning and workflow; Entity/relationship analytics
UNIX Interop functionality in R2
“Services for UNIX” components: Tools/Utils/SDK; Enhanced Telnet; NFS Gateway; NFS Client; NFS Server; Server for NIS; Password Sync; User/Name Mapping; Interix Subsystem
Top-level OCM Components (optional install):
- Windows Subsystem for UNIX-based Applications (SUA): next generation of Interix functionality
- Active Directory Services: NIS schema and Kerberos authentication extensions (RFC2307 Schema Attributes)
- Identity Management for UNIX: Administration Components; Password Synchronization; Server For NIS
- Other Network File and Print Services: Microsoft Services for NFS (Mapping Server; NFS Auth, AdminUI, client and server; Portmap; RpcXdr)
Deprecated: AS Perl; NFS Gateway; PCNFS; CDFS, FAT, FAT32 support
Web Download: Utilities and SDK for UNIX-based Applications (Base Utilities; SVR-5 Utilities; Base SDK; GNU SDK; GNU Utilities; UNIX Perl; Visual Studio Debugger Add-in)
Security Tokens & Claims: Distributed authentication/authorization
Security tokens assert claims.
Claims – Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc).
Proof of Possession tokens: Secret Key; Password
Signed tokens: X.509; Kerberos; XrML; SAML
ADFS Federated Web SSO Example (A.Datum Corp. and Trey Research Inc.)
1. User accesses A. Datum portal to Trey Research order processing application
2. User redirected to A.Datum STS
   • Seamlessly authenticated using Active Directory & Windows integrated authentication (Kerberos security token)
3. User obtains SAML security token from A.Datum STS for Trey Research STS
   • Federation claims per A.Datum and Trey Research business agreement
4. User obtains SAML security token from Trey Research STS for application
   • Claims specific to Trey Research
5. User accesses Trey Research order processing application
Diagram: Active Directory → A.Datum Federation STS → Trey Research Federation STS → Order Entry Application; the user’s SIDs become Federation Claims, which become Application Claims; entry is via the Order Entry Portal.
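The five-step exchange above, worked through as an added example (not code from the original deck or from ADFS itself): A.Datum’s account STS authenticates the user, maps group SIDs to federation claims per the business agreement and signs a token addressed to Trey Research’s STS; that STS verifies the partner token and issues a second token, addressed to the application, carrying only Trey Research’s application claims. The organisation URNs, the group SID, the user names and the HMAC signature are constructed stand-ins; real ADFS signs SAML tokens with X.509 certificates.

```python
import hashlib
import hmac
import json
import time

# Constructed trust material: each STS has its own signing secret.
# HMAC-SHA256 stands in for the X.509 signature ADFS puts on SAML tokens.
ADATUM_KEY = b"adatum-sts-signing-secret"
TREY_KEY = b"trey-sts-signing-secret"
ADATUM_STS = "urn:sts:adatum"                  # constructed issuer names
TREY_STS = "urn:sts:treyresearch"
TREY_APP = "urn:app:treyresearch:orderentry"

def sign_token(issuer, key, subject, audience, claims, now, lifetime=300):
    """Issue a signed token (constructed JSON, not SAML) for exactly one audience."""
    payload = json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                          "exp": now + lifetime, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, trusted_issuers, audience, now):
    """Accept a token only if its issuer is trusted, the signature is intact,
    it is addressed to us and it has not expired. Returns (subject, claims)."""
    body = json.loads(token["payload"])
    key = trusted_issuers.get(body["iss"])
    if key is None:
        raise PermissionError("untrusted issuer: " + body["iss"])
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("signature check failed")
    if body["aud"] != audience:
        raise PermissionError("token audience is %s, not %s" % (body["aud"], audience))
    if body["exp"] <= now:
        raise PermissionError("token expired")
    return body["sub"], body["claims"]

# Step 2 stand-in for Windows integrated authentication: after Kerberos has
# authenticated the user, the account STS looks up the user's group SIDs.
# Users and SIDs are constructed sample data.
ADATUM_DIRECTORY = {
    "alice@adatum.example": ["S-1-5-21-1000-1001-1002-1107"],   # Purchasing group
    "bob@adatum.example": ["S-1-5-21-1000-1001-1002-1201"],     # Marketing group
}
# Business agreement between A.Datum and Trey Research: which group SIDs
# are expressed as which federation claims (constructed mapping).
SID_TO_FEDERATION_CLAIM = {"S-1-5-21-1000-1001-1002-1107": ("role", "Purchaser")}
# Trey Research's own rule: federation claim -> application-specific claim.
FEDERATION_TO_APP_CLAIM = {("role", "Purchaser"): ("OrderEntry", "Submit")}

def adatum_sts_issue(user, now):
    """Step 3: SIDs become federation claims; token is for the partner STS only."""
    claims = {"upn": user}
    for sid in ADATUM_DIRECTORY[user]:
        if sid in SID_TO_FEDERATION_CLAIM:
            name, value = SID_TO_FEDERATION_CLAIM[sid]
            claims[name] = value
    return sign_token(ADATUM_STS, ADATUM_KEY, user, TREY_STS, claims, now)

def trey_sts_issue(federation_token, now):
    """Step 4: verify the partner's token, then emit application claims only."""
    subject, fed_claims = verify_token(federation_token, {ADATUM_STS: ADATUM_KEY}, TREY_STS, now)
    app_claims = {}
    for name, value in fed_claims.items():
        if (name, value) in FEDERATION_TO_APP_CLAIM:
            app_name, app_value = FEDERATION_TO_APP_CLAIM[(name, value)]
            app_claims[app_name] = app_value
    return sign_token(TREY_STS, TREY_KEY, subject, TREY_APP, app_claims, now)

def order_app_access(app_token, now):
    """Step 5: the application trusts only its own STS and checks one claim."""
    _subject, claims = verify_token(app_token, {TREY_STS: TREY_KEY}, TREY_APP, now)
    return claims.get("OrderEntry") == "Submit"

def app_rejection_reason(token, now):
    """Why the order application would reject a token, or None if it accepts it."""
    try:
        order_app_access(token, now)
        return None
    except PermissionError as err:
        return str(err)

def web_sso(user, now=None):
    """Run steps 2-5 for one user; True if the order application grants access."""
    now = now or int(time.time())
    federation_token = adatum_sts_issue(user, now)
    app_token = trey_sts_issue(federation_token, now)
    return order_app_access(app_token, now)

if __name__ == "__main__":
    for user in ADATUM_DIRECTORY:
        print(user, "->", "access granted" if web_sso(user) else "access denied")
```

Alice (in the Purchasing group) is admitted and Bob is refused because no federation claim, and therefore no application claim, is ever issued for him. app_rejection_reason shows two checks worth having in any relying party: a federation token handed straight to the application is refused as coming from an issuer the application does not trust, and a token whose claims have been edited fails the signature check before any claim is read.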
Federated IdM in Action: X-organization, X-platform Web SSO
A.Datum Corp Head Office: Alice (Purchaser); Active Directory; Security Token Service; Exchange; Web Service; Collaboration; Intranet Applications
Also shown: A.Datum Corp Assembly Plant; Trey Research Warehouse; Web Inventory Application; IIS + Partner Web SSO; Web Purchasing Application; UNIX/Linux Platform
Plant flow:
1. Alice needs access to Plant app
2. Authenticates to STS with Kerberos
3. Gets security token for Plant STS
4. Authenticates to Plant STS with token
5. Gets security token for Plant app
Supplier flow:
1. Alice needs access to Supplier app
2. Authenticates to STS with Kerberos
3. Gets security token for Supplier STS
4. Authenticates to Supplier STS with token
5. Gets security token for Supplier app
Solution Demonstration 1: Kerberos Federation using Linux
Understand how Kerberos federation works and where you can use it
Demo environment:
Internal Network 10.10.0.0/16; Internet
London.nwtraders.msft: Domain Controller; Exchange Server 2003; IIS 6.0 Server; DNS Server; Enterprise CA Server; 10.10.0.2/16
Vancouver.nwtraders.msft: ISA Server 2004; 10.10.0.1/16; 131.107.0.1/16
Denver.nwtraders.msft: Windows XP SP2; Office 2003; 131.107.0.1/16
Glasgow.nwtraders.msft: MIIS Server; ADAM Server; 10.10.0.3; 131.107.0.8
Denver.nwtraders.msft: Windows XP SP2; Office 2003; 10.10.0.10/16
Brisbane.northwindtraders.msft: Domain Controller; IIS 6.0 Server; 10.10.0.20
Remember the Identity Life Cycle
1. New User: User ID creation; Credential issuance; Entitlements
2. Change User: Promotions; Transfers; Entitlement changes
3. Help Desk: Password reset; New entitlements
4. Retire User: Delete accounts; Remove entitlements
Identity and Access Management Series
Lots of how-to stuff
Policy Compliance: Desired Configuration Monitoring; Enforcement and Reporting; Auditing (Management and Monitoring tools); Microsoft Solutions for Security and Compliance (MSSC)
Workflow: Basic: MIIS Workflow Res Kit tool; Advanced: Use Ultimus, K2 or Windows WF
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
Understanding Identity and Access Management Technologies
Directory Services: Users, Attributes, Credentials, and Groups; Active Directory; Active Directory Application Mode
Identity Life Cycle Management: Identity Integration; Provisioning/Deprovisioning; Delegated Administration; Self-Service Administration; Credential and Password Management
Access Management: Authentication; Authorization; Trust; Security Auditing
Understanding Identity Integration Using MIIS
Synchronizes multiple repositories
Agentless connection to other systems
Attribute level control
Manage global address lists
Automate group and DL management
Legend: CS = Connector Space; MA = Management Agent; MV = Metaverse
Diagram: MIIS 2003 holds the Metaverse (MV); each connected source (Intranet Active Directory, Lotus Notes, Sun ONE Directory, HR Identity Source) is reached through its own Management Agent (MA) and Connector Space (CS).
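A simplified model of the sync cycle the diagram shows, added here as an example rather than MIIS’s own code: three connector spaces (HR, AD and Notes), projection into the metaverse from the HR source, joins on employeeID, precedence-ordered attribute flow (the “attribute level control” bullet), and an export flow to AD that provisions new people, corrects drifted attributes and disables the account once HR marks someone terminated (the retire-user step of the identity life cycle). The sample records, attribute names and precedence table are constructed; MIIS keys connector-space objects by their own anchors, whereas here employeeID serves as both anchor and join attribute for brevity.

```python
# Constructed connector-space contents, as each management agent (MA) would
# import them. Objects are keyed by employeeID, used here as the join anchor.
HR_CS = {
    "1001": {"employeeID": "1001", "givenName": "Alice", "sn": "Woodward",
             "department": "Purchasing", "status": "active"},
    "1002": {"employeeID": "1002", "givenName": "Bob", "sn": "Lee",
             "department": "Marketing", "status": "terminated"},
    "1003": {"employeeID": "1003", "givenName": "Carol", "sn": "Ng",
             "department": "Finance", "status": "active"},
}
AD_CS = {
    "1001": {"employeeID": "1001", "givenName": "Alice", "sn": "Woodward",
             "department": "Sales", "mail": "alice@adatum.example", "enabled": True},
    "1002": {"employeeID": "1002", "givenName": "Bob", "sn": "Lee",
             "department": "Marketing", "mail": "bob@adatum.example", "enabled": True},
}
NOTES_CS = {
    "1001": {"employeeID": "1001", "mail": "alice@notes.adatum.example"},
    "1099": {"employeeID": "1099", "mail": "orphan@notes.adatum.example"},  # no HR record
}
SOURCES = {"HR": HR_CS, "AD": AD_CS, "NOTES": NOTES_CS}

# Attribute flow precedence: for each metaverse attribute, which MA wins when
# several sources hold a value. HR is authoritative for identity data, AD for
# the mailbox address; Notes mail only fills a gap when AD has none.
PRECEDENCE = {
    "givenName": ["HR", "AD"], "sn": ["HR", "AD"], "department": ["HR", "AD"],
    "mail": ["AD", "NOTES"], "status": ["HR"],
}
PROJECTING_MA = "HR"   # only the HR MA may create (project) new metaverse objects

def synchronize(sources, precedence, projecting_ma):
    """Project HR objects into the metaverse, join the other connector spaces
    on employeeID, then apply precedence-ordered attribute flow."""
    metaverse = {}
    for anchor, obj in sources[projecting_ma].items():
        metaverse[obj["employeeID"]] = {"employeeID": obj["employeeID"],
                                        "connectors": {projecting_ma: anchor}}
    for ma, cs in sources.items():
        if ma == projecting_ma:
            continue
        for anchor, obj in cs.items():
            mv = metaverse.get(obj["employeeID"])
            if mv is None:
                continue            # no join partner: the object stays a disconnector
            mv["connectors"][ma] = anchor
    for mv in metaverse.values():
        for attr, order in precedence.items():
            for ma in order:        # first MA in precedence order that has a value wins
                anchor = mv["connectors"].get(ma)
                if anchor is not None and attr in sources[ma][anchor]:
                    mv[attr] = sources[ma][anchor][attr]
                    break
    return metaverse

def pending_ad_exports(metaverse, ad_cs):
    """Export flow to AD: 'add' for people with no AD object, 'update' where AD
    differs from the metaverse, including enabled=False for terminated staff."""
    changes = []
    for emp_id, mv in sorted(metaverse.items()):
        desired = {"givenName": mv["givenName"], "sn": mv["sn"],
                   "department": mv["department"], "enabled": mv["status"] == "active"}
        current = ad_cs.get(emp_id)
        if current is None:
            if desired["enabled"]:
                changes.append(("add", emp_id, desired))
            continue
        for attr, value in desired.items():
            if current.get(attr) != value:
                changes.append(("update", emp_id, {attr: value}))
    return changes

if __name__ == "__main__":
    mv = synchronize(SOURCES, PRECEDENCE, PROJECTING_MA)
    for change in pending_ad_exports(mv, AD_CS):
        print(change)
```

Alice’s department comes from HR even though AD says Sales, so AD receives an update; Bob’s HR status drives an enabled=False export rather than a silent delete; Carol is provisioned because HR knows her and AD does not; the orphan Notes record never reaches the metaverse because only HR may project. The precedence table is the place to look when two sources disagree and the wrong one is winning.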
Solution Demonstration 2: Identity Integration Using MIIS 2003
Understand how MIIS can address the challenges of maintaining digital identity information among various data stores
Demo environment: the same lab network diagram as Solution Demonstration 1.
Managing Passwords
MIIS 2003 provides the ability to manage passwords through:
Help desk reset
Windows-initiated changes
Web-initiated changes
Other system-initiated changes through non-Microsoft software
PCNS
Supported by default: AD/ADAM; IBM Directory Server; Lotus Notes; Novell eDirectory; Sun/Netscape directory (iPlanet)
Supported through password extension: Attribute-Value Pair Files; Delimited Text Files; DSML; SQL, Oracle and DB2; LDIF; Fixed Width Text Files; Extensible Connectivity
Managing Passwords (demo diagram)
Internal Network 10.10.0.0/16
Glasgow.nwtraders.msft: MIIS Server; Password Management; 10.10.0.3
Brisbane.nwtraders.msft: Domain Controller; IIS 6.0 Server; 10.10.0.20
Brisbane.nwtraders.msft: Windows XP SP2; Office 2003; 10.10.0.10/16
Connected password targets: Lotus Notes; iPlanet
Password Portal
Password Application Database
Identity Integration Server: AD; ADAM; SunONE; DB MA
User-facing functions: Self Service Reset; Help Desk; Self Service Change and Registration; Admin
Password Portal Service; WMI
Solution Demonstration 3: Password Management
Understand how MIIS Password Portal works
Demo environment: the same lab network diagram as Solution Demonstration 1.
InfoCard – future internet identity
Benefits
Consistent user experience for controlling release of personal information
- Across self-issued and managed cards
- Across home and work scenarios (domain and non-domain)
Helps users assess risk, minimize exposure
- Validate site identity, site reputation (optional)
- Distinguish first visit from return visit
Establishes mutual trust between users and services
- Mitigates phishing and identity theft
Common, platform-based solution
- Avoid litany of per-site toolbars, app-specific solutions
- Predictable, spoof resistant client side UX not under control of attacker – raises bar on difficulty of attack
http://msdn.microsoft.com/windowsvista/building/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/identitymetasystem.asp
What’s in a Card?
Name: Alice’s Book Club Card
Expires: 9/15/2006
Image
Issuer: Fabrikam
Supported Claims: { GivenName, LastName, Address, City, … }
Issuer Token Service EPRs
Supported Token Type: { SAML 1.1 }
…
Identity Provider: Fabrikam (claim values are owned by Identity Provider)
Card image: Alice Woodward; 1306 - 2523; Exp 9/15/2006; Alice’s Book Club Card; Fabrikam
How does it work?
Parties: Identity Provider; Relying Party (with its Policy)
1. Access a resource
2. RP policy: “I would like to receive a token which contains givenName, lastName and tokenType is SAML1.0, issued by *any*”
3. Filter cards that could satisfy RP’s requirements
4. User picks a card
5. Request for token
6. Token created
7. Token presented
Cards shown in the selector: fabrikam; My Card (Alice Woodward, 1306 - 2523); State of Victoria ID (Alice Woodward, Exp 6/12/2008); ?? Anonymous
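Steps 2 to 5 of the card flow as an added example, not code from the deck or from the InfoCard identity selector itself: filter the user’s cards against the RP’s policy (required claims, token type, issuer, card expiry), build a token request that asks the issuer only for the claims the RP needs, and keep the per-RP history that lets the selector tell a first visit from a return visit (one of the benefits listed earlier). The cards, claim names and RP identifiers are constructed, modelled on the fields listed on the “What’s in a Card?” slide; expiry dates are read as month/day/year as they appear in the deck.

```python
from datetime import date

# Constructed cards, following the fields on the "What's in a Card?" slide.
# "self" marks a self-issued card; the others are managed cards.
CARDS = [
    {"name": "My Card", "issuer": "self", "expires": None,
     "claims": {"givenName", "lastName", "emailAddress"},
     "token_types": {"SAML1.0", "SAML1.1"}},
    {"name": "Alice's Book Club Card", "issuer": "fabrikam", "expires": date(2006, 9, 15),
     "claims": {"givenName", "lastName", "address", "city"},
     "token_types": {"SAML1.1"}},
    {"name": "State of Victoria ID", "issuer": "stateofvictoria", "expires": date(2008, 6, 12),
     "claims": {"givenName", "lastName", "dateOfBirth"},
     "token_types": {"SAML1.0", "SAML1.1"}},
]

# Step 2: the relying party's policy as quoted on the slide.
RP_POLICY = {"required_claims": {"givenName", "lastName"},
             "token_type": "SAML1.0", "issuer": "*any*"}
# A stricter constructed policy that names one issuer and a different token type.
FABRIKAM_POLICY = {"required_claims": {"givenName", "lastName"},
                   "token_type": "SAML1.1", "issuer": "fabrikam"}
TODAY = date(2006, 3, 1)      # constructed "now" during the seminar year
LATER = date(2009, 1, 1)      # constructed date after both managed cards expire

def card_satisfies(card, policy, today):
    """Step 3 test for one card: unexpired, can assert every required claim,
    can be issued in the requested token type, and comes from an acceptable issuer."""
    if card["expires"] is not None and card["expires"] < today:
        return False
    if not policy["required_claims"] <= card["claims"]:
        return False
    if policy["token_type"] not in card["token_types"]:
        return False
    if policy["issuer"] != "*any*" and policy["issuer"] != card["issuer"]:
        return False
    return True

def filter_cards(cards, policy, today):
    """Step 3: names of the cards the selector would offer for this RP."""
    return [card["name"] for card in cards if card_satisfies(card, policy, today)]

def build_token_request(card, policy):
    """Step 5: ask the card's issuer only for the claims the RP requires,
    even though the card could assert more (minimal disclosure)."""
    return {"issuer": card["issuer"], "token_type": policy["token_type"],
            "claims": sorted(policy["required_claims"])}

class IdentitySelector:
    """Per-RP memory of which card was used, so the user is told whether
    a site is new to them or one they have visited before."""
    def __init__(self):
        self.history = {}

    def visit(self, rp_identity):
        if rp_identity in self.history:
            return "return visit, previously used " + self.history[rp_identity]
        return "first visit"

    def remember(self, rp_identity, card_name):
        self.history[rp_identity] = card_name

if __name__ == "__main__":
    selector = IdentitySelector()
    rp = "https://bookclub.example"          # constructed relying party identity
    print(selector.visit(rp))
    offered = filter_cards(CARDS, RP_POLICY, TODAY)
    print("cards offered:", offered)
    chosen = next(c for c in CARDS if c["name"] == offered[0])   # step 4, user's pick
    print("token request:", build_token_request(chosen, RP_POLICY))
    selector.remember(rp, chosen["name"])
    print(selector.visit(rp))
```

With the slide’s policy the Book Club card is not offered, because it can only be issued as SAML 1.1 while the RP asked for SAML 1.0; name one issuer and the matching token type and it becomes the only candidate. Once both managed cards have expired only the self-issued card remains, which is the behaviour a user should see rather than a silently failing token request.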
Next Steps
Communities: http://www.microsoft.com/australia/technet; Canberra and Brisbane have Windows Server User Groups; Melbourne scheduled for April start
Identity and Access Management Series: http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx; Tools, Templates and How To’s; My blog: http://blogs.technet.com/mkleef with “BlogCasts By Me” category
MIIS website: http://www.microsoft.com/windowsserversystem/miis2003/default.mspx; At present has the info for the SAP MA beta; Resource Toolkit 2.0 release
Identity Meta System: http://msdn.microsoft.com/windowsvista/building/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/identitymetasystem.asp
Quest/Vintela: http://www.vintela.com; Has free trial incl VAS, VSJ and Group Policy and SMS tools
Security seminar follow up…
Security e-forum site: www.microsoft.com.au/eforum
View on demand web casts of all presentations from this event (tell your work colleagues!)
Online Live chats: Have a live chat with Microsoft’s leading security experts. Check the e-forum site for the Live Chat schedule.
Evaluation forms - we value your feedback!
Need help with your business’ security? Q7 - register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your Security challenges
Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360
Questions and Answers