
3-4 AD Authentication

Date post: 06-Apr-2018
  • 8/3/2019 3-4 AD Authentication

    1/40

    ACTIVE DIRECTORY AUTHENTICATION AND SECURITY
    Part Four

    Prepared by Computer Engineering Technology Dept.
    References: http://www.pbcc.edu/faculty/horvathe/AD/

    2/40

    Security Principals

    User object
    inetOrgPerson object
    Computer object
    Security group object
    Have an SID:
        Windows security subsystem uses it to identify security principals

    3/40

    Security Identifiers

    Attribute stored as binary value
    Specifies the SID of the user object
    Unique value used to identify user as a security principal
    Number of formats:
        Hexadecimal notation
        Security Descriptor Definition Language (SDDL)

    4/40

    Security Descriptor Definition Language (SDDL)

    Begins with S
    Followed by three to seven numbers:
        Separated by hyphens
        First number is revision level of SDDL format
        Next: identifier authority
        Next: subauthority identifiers
    Well-known SIDs: identify certain users or groups
        Recognized by OS

    5/40

    Domain and Relative Identifiers

    Domain identifier
        Calculated when domain created
        Three 32-bit numbers
        Guaranteed to be unique
    Relative Identifier (RID)
        32 bits
        Identifies object within domain
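    The three preceding slides describe the SID formats. As an added example (not part of the slide deck), the Python below decodes the binary objectSid layout into the S-1-5-... string, rebuilds it, and splits a domain account SID into the domain identifier (three 32-bit numbers) and the RID. The sample SID bytes are constructed; the well-known SIDs listed are real values from Microsoft's documentation.

```python
import struct

# A few well-known SIDs recognised by the OS (values from Microsoft's documented list)
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (Local System)",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

def sid_to_sddl(raw: bytes) -> str:
    """Decode a binary SID (as stored in the objectSid attribute) into S-R-I-S... form.
    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier
    authority (48-bit big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:   # only revision 1 exists; at most 15 sub-authorities
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sddl_to_sid(text: str) -> bytes:
    """Inverse of sid_to_sddl: rebuild the binary form from the hyphen-separated string."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an SDDL SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def split_domain_rid(sddl: str):
    """For a domain account SID (S-1-5-21-<three 32-bit numbers>-<RID>) return
    (domain identifier, RID); None for SIDs that are not domain-relative."""
    parts = sddl.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:7]), int(parts[7])

# Constructed sample: objectSid bytes of a made-up domain's Domain Admins group (RID 512)
SAMPLE_SID = (b"\x01\x05\x00\x00\x00\x00\x00\x05" b"\x15\x00\x00\x00"
              b"\x04\x03\x02\x01" b"\x0d\x0c\x0b\x0a" b"\x44\x33\x22\x11" b"\x00\x02\x00\x00")

if __name__ == "__main__":
    sddl = sid_to_sddl(SAMPLE_SID)
    print(sddl, split_domain_rid(sddl), WELL_KNOWN.get("S-1-5-32-544"))
```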

    6/40

    Access Tokens

    Contains several important pieces of information:
        User's SID
        SID for every group of which user is member
    Security subsystem
        Examines user's access token
        Determines if user, or one of groups of which user is member, has access to resource
    Generated based on authentication protocol used
    Use whoami command to view access token

    7/40

    Permissions and Rights

    Used to control access on system
    Permissions
        Rules associated with object
        Define which users can gain access to object
        What actions users can perform on object
    Rights
        Define what tasks or operations user can perform on computer system or domain

    8/40

    Active Directory Authentication

    Authentication methods used in Windows Server 2003:
        NT LAN Manager (NTLM)
        Kerberos

    9/40

    NTLM Authentication

    Supported for backward compatibility
        For Windows NT 4.0 client computers
    Not primary means of authentication in Windows Server 2003
    Based on older authentication protocol called LAN Manager

    10/40

    NTLM Authentication Example

    11/40

    NTLM Issues

    Each time user wants to access resource, user must be reauthenticated by domain controller
    Only provides client authentication
    Easy to capture NTLM challenge and use hacking tools to discover password

    12/40

    Kerberos Authentication

    Default protocol for network authentication for all Windows Server 2003 computers
    Components:
        Security principal requesting access
        Key Distribution Center (KDC)
        Server holding resource or service being requested

    13/40

    Kerberos Authentication (continued)

    KDC services:
        Authentication Service
        Ticket-granting Service
    Authentication Service
        Ticket-granting ticket (TGT)
            Issued to user when first authenticated during successful logon
            Allows user to request session tickets

    14/40

    Kerberos Authentication (continued)

    Authentication Service
        Ticket-granting ticket (TGT)
            Valid for 10 hours
    Ticket-granting Service
        TGT is submitted to Ticket-granting Service on KDC
        Sends two copies of session ticket back to user's machine

    15/40

    Kerberos in Action

    16/40

    Down-level Client Authentication

    Older clients referred to as down-level clients
        Pre-Windows 2000
        Create security concern
    Directory Services Client
        Available as add-on component to Windows 95/98
        Enables these clients to use NTLMv2 on Windows 2000/2003 network

    17/40

    Two-factor Authentication

    Factors that help identify you for authentication:
        Something you know
        Something you have
        Something you are
    More of these factors used, more secure resource is
    Increase security of network or computer system by introducing second factor
        Called two-factor authentication

    18/40

    Public Key Infrastructure for Authentication with Smart Cards

    Active Directory supports use of smart cards
        Part of Public Key Infrastructure (PKI)
    Cryptography terms:
        Symmetric keys
        Public key cryptography
        Private/public key pair
        X.509 digital certificate

    19/40

    Public Key Infrastructure for Authentication with Smart Cards (continued)

    Use Active Directory as repository for X.509 certificates
    Smart card:
        Provides nonvolatile memory
        Stores owner's certificate and private key
        Small amount of computing power to perform encryption and decryption requiring private key on card itself

    20/40

    Public Key Infrastructure for Authentication with Smart Cards (continued)

    Use smart cards and certificates to increase security of the Windows authentication process
        System uses user's private key
        KDC employs public key of user to decrypt it
    Can configure domain to require smart cards for logons:
        Can make them optional
        Require them for some users, but not others

    21/40

    Active Directory Authorization

    Used to determine what actions user can or cannot do
    Discretionary access control list (DACL)
        Defined as: an access control list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object

    22/40

    Discretionary Access Control List (DACL)

    Associated with resources
    List of access control entries (ACEs)
        Specifies a who and a permission
        Can be very specific
        Allow or deny access
    If no match is found between access token and DACL
        Access is not permitted

    23/40

    Discretionary Access Control List (DACL) (continued)

    Most access control entries allow access
    Deny ACEs used to change effect of permissions that user would otherwise have as member of group
    Owner of object can always gain access to object by resetting its permissions
    Owner of most Active Directory objects is Domain Admins group

    24/40

    Inheritance

    Permissions can be inherited from parent objects
        Referred to as inheritance
    Each ACE marked to indicate whether it is directly applied or inherited
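    As an added example (not from the slides), the Python below models how the security subsystem compares an access token against a DACL, as described on the last three slides: ACEs name a who and a permission, a deny ACE removes what group membership would otherwise grant, no match means access is not permitted, and each ACE carries an inherited marker. The SIDs, access-mask bits and names are constructed; the explicit-before-inherited, deny-before-allow ordering is the canonical ACE order Windows uses.

```python
from dataclasses import dataclass

# Constructed access-mask bits for the example (a real mask uses the Windows ACCESS_MASK layout)
READ, WRITE, DELETE = 0x1, 0x2, 0x10000
ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Ace:
    kind: str                # ALLOW or DENY
    trustee: str             # SID of the user or group the entry names (the "who")
    mask: int                # the permission(s) granted or denied
    inherited: bool = False  # True when the ACE was inherited from a parent object

def canonical(dacl):
    """Windows keeps ACEs in canonical order: explicit entries before inherited ones,
    and deny before allow inside each group, so an explicit deny is seen first."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == ALLOW))

def access_check(token_sids, dacl, requested):
    """Compare an access token (user SID plus group SIDs) against a DACL.
    A deny ACE naming a SID in the token and covering a still-outstanding bit refuses
    access; allow ACEs accumulate until every requested bit is granted.  Running out
    of ACEs with bits outstanding means no match, so access is not permitted."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

# Constructed SIDs for a made-up domain; RIDs above 1000 are ordinary created objects
DOMAIN = "S-1-5-21-16909060-168496141-287454020"
ALICE, BOB = DOMAIN + "-1104", DOMAIN + "-1105"
SALES, CONTRACTORS = DOMAIN + "-1201", DOMAIN + "-1202"
ALICE_TOKEN = {ALICE, SALES}  # an access token holds the user SID plus every group SID
BOB_TOKEN = {BOB, SALES, CONTRACTORS}

SAMPLE_DACL = [
    Ace(ALLOW, SALES, READ | WRITE, inherited=True),  # came down from the parent OU
    Ace(DENY, CONTRACTORS, WRITE),   # explicit deny removes what Sales membership would give
    Ace(ALLOW, ALICE, DELETE),
]
```

    With this DACL Bob can read but not write (the deny ACE wins), and his delete request matches no ACE at all, so it is refused.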

    25/40

    Groups in Security

    Security group
        Container object used to organize collection into single security principal
        Can contain:
            Users
            Computers
            Other groups
    Simplify administration by assigning rights and permissions to group rather than to individual users

    26/40

    Groups in Security (continued)

    No good reason to grant rights and permissions explicitly to individual users

    27/40

    Delegation of Control

    Giving data owners ability to manage their own objects
    To delegate control:
        Organize directory so that all objects in organizational unit have same data owner
        Use Delegation of Control Wizard to create appropriate ACEs in DACL on the organizational unit
        Allow them to be inherited to objects in organizational unit

    28/40

    Granular Control

    Can delegate control with precision
        Important part of flexibility of Active Directory
    Advanced Security Settings dialog box
        In Active Directory Users and Computers
        Tab to display effective permissions

    29/40

    Permission Types

    Standard
        Used for everyday tasks
        Found on main Security tab of object
    Special permissions
        Represent exact and granular permissions available
        Can be very specific

    30/40

    Active Directory Auditing

    System access control list (SACL)
        Used for auditing object access
        Very similar to DACLs

    31/40

    System Access Control List (SACL)

    Same basic structure as DACL
    Determines if access is audited

    32/40

    Auditing Event Categories

    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change
    Audit privilege use
    Audit process tracking
    Audit system events

    33/40

    Protecting Network Resources

    Number of other resources on network also rely on Active Directory for security
        Use DACLs
    Objects:
        NTFS
        Printers
        Shares
        Registry keys

    34/40

    NT File System (NTFS)

    Assigns security descriptor to each object
    Object in file system has:
        Owner
        DACL
        SACL
    NTFS DACL permissions relate to what users can do with the files and folders

    35/40

    Standard File Permissions in NTFS

    36/40

    Printers

    Have security descriptor with:
        Owner
        DACL
        SACL
    Standard permissions:
        Who can print to printer
        Who can change printer settings
        Who can manage documents

    37/40

    File Shares

    User must first be allowed access to share, and then access to file
    Very few choices
        Allow or deny
            Full control
            Change
            Read access
    Use NTFS permissions to further restrict access to folder

    38/40

    Registry Keys

    Values stored in registry control how computer system operates
    Each registry key has typical Windows 2003 security descriptor with:
        SACL
        DACL
        Specified owner

    39/40

    Other Applications

    Many applications do not perform any authentication or authorization
        Can be given access control by setting NTFS permissions on executable files or directory
    Some applications perform authentication and authorization internally
        Can also gain added protection using NTFS permissions

    40/40

    Other Applications (continued)

    More sophisticated applications often use Active Directory for authentication
        But provide own authorization
    A few applications use Active Directory for authentication and authorization

