Date posted: 06-Apr-2018
Uploaded by: entangankidal
8/3/2019 3-4 AD Authentication
ACTIVE DIRECTORY AUTHENTICATION AND SECURITY
Part Four
Prepared by Computer Engineering Technology Dept.
References: http://www.pbcc.edu/faculty/horvathe/AD/

Security Principals
- User object
- inetOrgPerson object
- Computer object
- Security group object
- Each has a security identifier (SID):
  - The value the Windows security subsystem uses to identify a security principal in access tokens and access control lists

Security Identifiers
- Stored in the objectSid attribute as a binary value
- Specifies the SID of the user (or other principal) object
- Unique value used to identify the object as a security principal
- Can be shown in a number of formats:
  - Hexadecimal notation (the raw bytes)
  - Security Descriptor Definition Language (SDDL) string form

Security Descriptor Definition Language (SDDL)
- The SID string form begins with S
- Followed by hyphen-separated decimal numbers:
  - First is the revision level of the SID structure (always 1)
  - Next is the identifier authority (5 = NT Authority, used for domain and local accounts)
  - Then one or more subauthority values (up to 15); the last one is the relative identifier
  - A domain account SID therefore has seven numbers: S-1-5-21-<a>-<b>-<c>-<RID>
- Well-known SIDs: identify certain users or groups the same way on every system
  - Recognized by the OS; examples are S-1-1-0 (Everyone), S-1-5-18 (Local System) and S-1-5-32-544 (BUILTIN\Administrators)

Domain and Relative Identifiers
- Domain identifier
  - Generated when the domain is created
  - Three 32-bit subauthority values (the <a>-<b>-<c> part of S-1-5-21-<a>-<b>-<c>)
  - Random, so it can be treated as unique across domains
- Relative Identifier (RID)
  - 32 bits, appended to the domain identifier
  - Identifies the account or group within the domain
  - RIDs below 1000 are reserved for well-known accounts and groups: 500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users

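The following is an added example and is not part of the original slides: a Python decoder for the binary objectSid layout described on the last three slides (revision byte, subauthority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit subauthorities), producing the SDDL string form and splitting a domain account SID into its domain identifier and RID. The sample SID bytes, the domain identifier inside them, and the small well-known tables are constructed for illustration.

```python
# Added example (not from the original slides): decode a binary objectSid
# into its SDDL string form and split it into its parts.  The sample SID
# bytes below are constructed; the domain identifier in them is made up.
import struct

# A few well-known SIDs the OS recognizes on every installation.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# A few well-known relative identifiers that exist in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def sid_bytes_to_string(blob: bytes) -> str:
    """Binary layout: revision (1), subauthority count (1), identifier authority
    (6 bytes, big-endian), then count x 4-byte little-endian subauthorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    # Authorities that do not fit in 32 bits are written in hex (MS-DTYP).
    auth_str = str(authority) if authority < 2**32 else "0x%012X" % authority
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%s" % (revision, auth_str) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; accepts the hex authority form too."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not an SDDL SID string")
    revision, authority = int(parts[1]), int(parts[2], 0)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many subauthorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe_sid(sid: str) -> dict:
    """Split a SID string into domain identifier and RID and name it if it is
    a well-known SID or carries a well-known RID."""
    if sid in WELL_KNOWN_SIDS:
        return {"sid": sid, "name": WELL_KNOWN_SIDS[sid], "domain": None, "rid": None}
    parts = sid.split("-")
    # Domain SID is S-1-5-21-<a>-<b>-<c>; an account in it appends one RID.
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        return {"sid": sid, "name": WELL_KNOWN_RIDS.get(rid), "domain": "-".join(parts[:7]), "rid": rid}
    return {"sid": sid, "name": None, "domain": None, "rid": None}


# Constructed sample: the built-in Administrator (RID 500) of a made-up domain.
SAMPLE_SID_BYTES = bytes.fromhex(
    "01 05 00 00 00 00 00 05 15 00 00 00 "   # revision 1, 5 subauthorities, authority 5, sub 21
    "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c "   # three 32-bit domain identifier words
    "f4 01 00 00"                            # RID 500
)

if __name__ == "__main__":
    s = sid_bytes_to_string(SAMPLE_SID_BYTES)
    print(s, describe_sid(s))
```

Anything that compares SIDs (token versus ACE, SIDHistory, filtering at a trust) compares the binary form; the string form is only for display, which is why the round trip in both directions matters.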
Access Tokens
- Built at logon; contain several important pieces of information:
  - The user's SID
  - The SID of every group of which the user is a member
  - The privileges (rights) held by the user
- Security subsystem
  - Examines the user's access token when the user opens a resource
  - Determines whether the user, or one of the groups of which the user is a member, is allowed the requested access
- Token contents depend on the authentication protocol used; group membership changes take effect only at the next logon, when a new token is built
- Use whoami /all to view the SIDs and privileges in your own token

Permissions and Rights
- Both are used to control access on a system
- Permissions
  - Rules attached to an object (held in its DACL)
  - Define which users and groups can gain access to the object
  - Define what actions those users can perform on the object
- Rights (privileges)
  - Define what tasks or operations a user can perform on the computer system or domain as a whole, independent of any one object, such as backing up files or changing the system time

Active Directory Authentication
- Authentication protocols used in Windows Server 2003:
  - NT LAN Manager (NTLM)
  - Kerberos (version 5)

NTLM Authentication
- Supported for backward compatibility
  - For Windows NT 4.0 and other down-level client computers
  - Also used whenever Kerberos cannot be, for example when a server is addressed by IP address rather than by name, or when either side is not a domain member
- Not the primary means of authentication in Windows Server 2003
- Challenge/response scheme based on the older LAN Manager authentication protocol

NTLM Authentication Example
(figure: the NTLM challenge/response exchange diagram is not reproduced in this text)

NTLM Issues
- Each time the user connects to a server, the server must pass the challenge/response to a domain controller to be validated (pass-through authentication), so the user is in effect reauthenticated by the domain controller for every new connection
- Only provides client authentication; the client cannot verify the server, which is what makes relaying a captured exchange to another server possible
- The challenge/response pair is easy to capture on the network and can be attacked offline with password-cracking tools, with no further contact with the domain and no failed-logon events

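To show why a captured challenge/response is dangerous, here is an added Python example that is not from the slides. It implements the NTLMv2 response computation from MS-NLMP (the NT hash is MD4 of the UTF-16LE password; NTOWFv2 and NTProofStr are HMAC-MD5) and runs an offline dictionary attack against a constructed capture. NTLMv2 is the variant the Down-level Client slide later refers to; NTLMv1 and LM have the same exposure with a weaker construction. The user name, domain, server challenge, blob, true password and wordlist are all made up, and MD4 is implemented inline because hashlib's md4 is often unavailable.

```python
# Added example (not from the original slides): why a captured NTLM
# challenge/response is dangerous.  Implements the NTLMv2 computation from
# MS-NLMP and runs an offline dictionary attack against a constructed
# capture.  User name, domain, challenge, blob and passwords are made up.
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing, so it is inlined."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                  # round 1, F(b,c,d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, rotl((a + f + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                  # round 2, G(b,c,d)
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            h = b ^ c ^ d                                    # round 3, H(b,c,d)
            a, b, c, d = d, rotl((a + h + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password, the value stored for every account."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (domain case is kept).
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """The 16-byte value that proves knowledge of the password for this challenge."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def crack_ntlmv2(user, domain, server_challenge, nt_response, wordlist):
    """nt_response is the NtChallengeResponse field: NTProofStr (16 bytes) || blob.
    Everything needed is on the wire, so candidates are tested with no contact
    with the domain controller and no failed-logon events."""
    proof, blob = nt_response[:16], nt_response[16:]
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, user, domain, server_challenge, blob), proof):
            return candidate
    return None


# Constructed capture: the fields an attacker on the path sees in the NTLM
# CHALLENGE (server challenge) and AUTHENTICATE (NtChallengeResponse) messages.
USER, DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
# Blob: RespType, HiRespType, Reserved(6), Timestamp(8), ClientChallenge(8), Reserved(4), AvPairs(EOL), Reserved(4)
BLOB = (bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aabbccddeeff0011")
        + bytes(4) + bytes(4) + bytes(4))
_TRUE_PASSWORD = "Summer2003"   # not known to the attacker; used only to build the sample capture
CAPTURED_RESPONSE = nt_proof_str(_TRUE_PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, BLOB) + BLOB
WORDLIST = ["password", "letmein", "Winter2002", "Summer2003", "P@ssw0rd"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered password:", crack_ntlmv2(USER, DOMAIN, SERVER_CHALLENGE, CAPTURED_RESPONSE, WORDLIST))
```

The only thing limiting this attack is the password itself: the server challenge and client challenge stop replay, not guessing, so on a network where NTLM still appears the defences are long passwords, SMB signing against relay, and auditing which hosts still negotiate NTLM.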
Kerberos Authentication
- Default protocol for network authentication for all Windows 2000 and Windows Server 2003 computers in a domain
- Components:
  - Security principal (the client) requesting access
  - Key Distribution Center (KDC), which runs on every domain controller and holds the long-term keys of all principals
  - Server holding the resource or service being requested

Kerberos Authentication (continued)
- KDC services:
  - Authentication Service (AS)
  - Ticket-Granting Service (TGS)
- Authentication Service
  - Issues a ticket-granting ticket (TGT) when the user first authenticates during a successful logon
  - The TGT is encrypted with the KDC's own (krbtgt) key, so the client holds it but cannot read or alter it
  - Allows the user to request session (service) tickets without presenting credentials again

Kerberos Authentication (continued)
- Authentication Service
  - The TGT is valid for 10 hours by default (the domain's maximum lifetime for user ticket setting)
- Ticket-Granting Service
  - The client submits the TGT, together with an authenticator encrypted with the TGT session key, to the TGS on the KDC
  - The TGS sends two things back to the user's machine: the service ticket, encrypted with the target service's long-term key, and a copy of the new session key for that service, encrypted for the client
  - The client presents the service ticket to the server, which validates it with its own key and does not need to contact the KDC

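The two KDC exchanges described above, plus the final presentation of the service ticket to the server, as an added Python model that is not from the slides. seal()/unseal() is a toy HMAC-SHA256 authenticated cipher standing in for the real Kerberos encryption types, derive_key() stands in for the string-to-key function, and pre-authentication is omitted; the realm, principal names, passwords and lifetimes other than the 10-hour default are constructed. What the model keeps is who can read what: the client never sends its password, cannot read the TGT or the service ticket, and the resource server validates the ticket with its own key without contacting the domain controller.

```python
# Added example (not from the original slides): a compact model of the AS
# and TGS exchanges and the final ticket presentation, showing what each
# party can read.  seal()/unseal() is a toy HMAC-SHA256 authenticated
# cipher standing in for RC4-HMAC/AES; pre-authentication is omitted.
# Realm, principal names, passwords and keys are constructed.
import hashlib
import hmac
import json
import os

TGT_LIFETIME = 10 * 3600      # slide: TGT valid for 10 hours by default
CLOCK_SKEW = 5 * 60           # Kerberos default maximum clock tolerance


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (stand-in for the Kerberos string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("does not verify: wrong key or tampered")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Runs on a domain controller; knows every principal's long-term key."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {name: derive_key(pw, realm + name) for name, pw in principals.items()}
        self.krbtgt_key = os.urandom(32)          # key only the KDC holds

    def authentication_service(self, user: str, now: int):
        """AS exchange: the reply's session key is readable only with the user's key,
        so decrypting it proves knowledge of the password without ever sending it."""
        session_key = os.urandom(32).hex()
        expires = now + TGT_LIFETIME
        tgt = seal(self.krbtgt_key, {"user": user, "key": session_key, "expires": expires})
        enc_part = seal(self.keys[user], {"key": session_key, "expires": expires})
        return tgt, enc_part

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS exchange: validate the TGT (which the client could not forge) and the
        authenticator, then issue a service ticket the client cannot read plus the
        matching session key sealed under the TGT session key."""
        t = unseal(self.krbtgt_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired; the user must log on again")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["user"] != t["user"] or abs(auth["time"] - now) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match TGT or is outside clock skew")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_session, "expires": t["expires"]})
        enc_part = seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})
        return ticket, enc_part


def application_server(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP exchange on the resource server: verified with the server's own key,
    with no call to the domain controller (contrast with NTLM pass-through)."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["user"] != t["user"] or abs(a["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket")
    return t["user"]


def logon_and_access(kdc: KDC, user: str, password: str, service: str, now: int) -> str:
    """Client side of all three exchanges; returns the identity the server accepted."""
    user_key = derive_key(password, kdc.realm + user)
    tgt, enc = kdc.authentication_service(user, now)
    tgt_session = bytes.fromhex(unseal(user_key, enc)["key"])      # wrong password -> ValueError
    ticket, enc2 = kdc.ticket_granting_service(tgt, seal(tgt_session, {"user": user, "time": now}), service, now)
    svc_session = bytes.fromhex(unseal(tgt_session, enc2)["key"])
    # The real server holds its own long-term key; the demo fetches it from the KDC's table.
    return application_server(kdc.keys[service], ticket, seal(svc_session, {"user": user, "time": now}), now)


if __name__ == "__main__":
    kdc = KDC("CORP.EXAMPLE", {"alice": "Summer2003", "cifs/fileserver": "svc-key-material"})
    print(logon_and_access(kdc, "alice", "Summer2003", "cifs/fileserver", 1_000_000))
```

The model also makes the two trust anchors visible: whoever holds krbtgt_key can mint any TGT, and whoever holds a service's long-term key can mint tickets for that service, which is why those keys, not the user passwords, are the crown jewels of a Kerberos realm.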
Kerberos in Action
(figure: the Kerberos ticket exchange diagram is not reproduced in this text)

Down-level Client Authentication
- Older clients are referred to as down-level clients
  - Pre-Windows 2000 (Windows 95/98, Windows NT 4.0)
  - Create a security concern: they cannot use Kerberos and default to the weak LAN Manager (LM) and NTLMv1 responses
- Directory Services Client (DSClient)
  - Available as an add-on component for Windows 95/98
  - Enables these clients to use NTLMv2 on a Windows 2000/2003 network

Two-factor Authentication
- Factors that help identify you for authentication:
  - Something you know (password, PIN)
  - Something you have (smart card, token)
  - Something you are (fingerprint or other biometric)
- The more of these factors that are combined, the harder the resource is to reach by impersonation; two of the same kind, such as two passwords, do not count as two factors
- Increase the security of a network or computer system by introducing a second factor
  - Called two-factor authentication

Public Key Infrastructure for Authentication with Smart Cards
- Active Directory supports the use of smart cards for logon
  - Part of a Public Key Infrastructure (PKI)
- Cryptography terms:
  - Symmetric keys (one shared secret key, as Kerberos session keys are)
  - Public key cryptography
  - Private/public key pair
  - X.509 digital certificate, which binds a public key to an identity and is signed by a certification authority (CA)

Public Key Infrastructure for Authentication with Smart Cards (continued)
- Active Directory is used as the repository for users' X.509 certificates
- Smart card:
  - Provides nonvolatile memory that stores the owner's certificate and private key
  - Has a small amount of computing power to perform the encryption, decryption and signing operations that require the private key on the card itself, so the private key never has to leave the card

Public Key Infrastructure for Authentication with Smart Cards (continued)
- Smart cards and certificates strengthen the Windows (Kerberos) logon process:
  - Instead of a key derived from the password, the card signs the Kerberos pre-authentication data with the user's private key
  - The KDC verifies that signature with the public key in the user's certificate and checks that the certificate chains to a trusted CA before issuing the TGT (the PKINIT extension to Kerberos)
- The domain can be configured to require smart cards for logon:
  - Can make them optional
  - Can require them for some users but not others, with the "Smart card is required for interactive logon" account option

Active Directory Authorization
- Used to determine what actions an authenticated user can or cannot do
- Discretionary access control list (DACL)
  - Defined as: an access control list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object

Discretionary Access Control List (DACL)
- Associated with resources (stored in the object's security descriptor)
- List of access control entries (ACEs)
  - Each ACE specifies a who (a SID) and a set of permissions (an access mask)
  - Can be very specific
  - Either allows or denies the listed access
- The security subsystem walks the ACEs in order, matching each ACE's SID against the SIDs in the access token
- If no matching ACE grants a requested permission, access is not permitted: there is no default allow

Discretionary Access Control List (DACL) (continued)
- Most access control entries allow access
- Deny ACEs are used to change the effect of permissions a user would otherwise have as a member of a group
  - Explicit deny ACEs are placed before explicit allow ACEs, so the deny is evaluated first
- The owner of an object can always gain access to it by resetting its permissions (the owner implicitly holds the right to read and rewrite the DACL)
- Objects created by an administrator are owned by the Domain Admins group, so that group owns most Active Directory objects

Inheritance
- Permissions can be inherited from parent objects
  - Referred to as inheritance
- Each ACE is marked to indicate whether it was applied directly to the object or inherited from a parent
  - Inherited ACEs are evaluated after the object's own (explicit) ACEs, so an explicit allow can override an inherited deny

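An added Python model, not from the slides, of how the security subsystem compares an access token (Access Tokens slide) with a DACL, following the rules stated on the DACL and Inheritance slides: ACEs are evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), a deny ACE that matches any requested right not yet granted stops the check, the owner implicitly holds the rights to read and rewrite the DACL, and reaching the end without every requested right granted means access is denied. The domain SID, accounts, groups and folder are constructed, and the access mask is a toy subset of the real 32-bit mask.

```python
# Added example (not from the original slides): a model of how the security
# subsystem compares an access token with a DACL.  Rules follow the slides:
# ACEs are read in canonical order, a deny ACE matching any still-ungranted
# requested right wins, the owner implicitly holds READ_CONTROL/WRITE_DAC,
# and no match at all means no access.  All SIDs and rights are constructed.
from dataclasses import dataclass, field

# Toy access rights (the real mask is 32 bits wide).
READ, WRITE, EXECUTE, DELETE, READ_CONTROL, WRITE_DAC = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | READ_CONTROL | WRITE_DAC


@dataclass
class ACE:
    sid: str
    mask: int
    allow: bool = True
    inherited: bool = False       # set on ACEs that came from a parent object


@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list = field(default_factory=list)   # an empty list grants nobody anything


def canonical_order(dacl):
    """Windows stores ACEs as explicit deny, explicit allow, inherited deny,
    inherited allow.  The check relies on that order so that an explicit deny
    beats a group allow and an explicit allow beats an inherited deny."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(sd: SecurityDescriptor, token: Token, desired: int):
    """Return (granted, reason) for the requested access mask."""
    remaining = desired
    # The owner can always reset permissions because these two rights are implicit.
    if sd.owner in token.sids():
        remaining &= ~(READ_CONTROL | WRITE_DAC)
        if remaining == 0:
            return True, "owner implicitly holds READ_CONTROL/WRITE_DAC"
    for ace in canonical_order(sd.dacl):
        if ace.sid not in token.sids():
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted; last needed right came from ACE for {ace.sid}"
        elif ace.mask & remaining:
            kind = "inherited" if ace.inherited else "explicit"
            return False, f"denied by {kind} deny ACE for {ace.sid}"
    return False, "no ACE grants the remaining rights (implicit deny)"


# Constructed domain, groups and accounts.
DOMAIN = "S-1-5-21-111-222-333"
DOMAIN_USERS, DOMAIN_ADMINS = f"{DOMAIN}-513", f"{DOMAIN}-512"
FINANCE, CONTRACTORS = f"{DOMAIN}-1200", f"{DOMAIN}-1201"

FINANCE_FOLDER = SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=[
    ACE(FINANCE, READ | WRITE),                   # explicit allow for the group
    ACE(CONTRACTORS, WRITE, allow=False),         # explicit deny trims what the group gave
    ACE(DOMAIN_USERS, READ, inherited=True),      # inherited from the parent folder
])

ALICE = Token(f"{DOMAIN}-1104", {DOMAIN_USERS, FINANCE})
BOB = Token(f"{DOMAIN}-1105", {DOMAIN_USERS, FINANCE, CONTRACTORS})
CAROL = Token(f"{DOMAIN}-1106", {DOMAIN_USERS})
ADMIN = Token(f"{DOMAIN}-500", {DOMAIN_USERS, DOMAIN_ADMINS})
OUTSIDER = Token("S-1-5-21-999-888-777-1500", {"S-1-5-21-999-888-777-513"})

if __name__ == "__main__":
    for who, tok, want in [("alice", ALICE, READ | WRITE), ("bob", BOB, READ | WRITE),
                           ("bob", BOB, READ), ("carol", CAROL, WRITE),
                           ("outsider", OUTSIDER, READ), ("admin", ADMIN, WRITE_DAC)]:
        print(f"{who:8} wants {want:#04x}:", access_check(FINANCE_FOLDER, tok, want))
```

Bob's case is the one the DACL slide describes: he is in Finance, which allows write, but the explicit deny on Contractors is reached first and wins for write while leaving his read untouched. The Effective Permissions tab in Active Directory Users and Computers performs this same walk for a chosen account.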
Groups in Security
- Security group
  - Container object used to organize a collection of principals into a single security principal with its own SID
  - Can contain: users, computers, other groups
  - Simplifies administration by assigning rights and permissions to the group rather than to individual users

Groups in Security (continued)
- There is rarely a good reason to grant rights and permissions explicitly to individual users
  - Per-user ACEs are hard to audit and are left behind when the user changes role; put the user in a group and grant access to the group

Delegation of Control
- Giving data owners the ability to manage their own objects without making them administrators
- To delegate control:
  - Organize the directory so that all objects in an organizational unit (OU) have the same data owner
  - Use the Delegation of Control Wizard to create the appropriate ACEs in the DACL on the OU
  - Allow them to be inherited by the objects in the OU

Granular Control
- Control can be delegated with precision
  - Important part of the flexibility of Active Directory
- Advanced Security Settings dialog box
  - In Active Directory Users and Computers (the Security tab is shown only when View > Advanced Features is enabled)
  - Its Effective Permissions tab shows the permissions a chosen user or group actually has on the object once group membership, deny ACEs and inheritance are combined

Permission Types
- Standard permissions
  - Used for everyday tasks
  - Found on the main Security tab of an object; each is a bundle of special permissions
- Special permissions
  - Represent the exact and granular permissions available, down to writing a single attribute
  - Can be very specific

Active Directory Auditing
- System access control list (SACL)
  - Used for auditing access to an object
  - Very similar in structure to a DACL

System Access Control List (SACL)
- Same basic structure as a DACL: a list of ACEs naming a SID and an access mask
- Determines whether an access attempt is audited (on success, on failure, or both) rather than whether it is allowed
- Events are written only if the matching audit category is also enabled in the audit policy

Auditing Event Categories
- Audit account logon events (recorded where the account is validated: the domain controller for domain accounts)
- Audit account management
- Audit directory service access (also requires a SACL on the directory object)
- Audit logon events (recorded on the computer being logged on to)
- Audit object access (also requires a SACL on the file, printer or registry key)
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events

Protecting Network Resources
- A number of other resources on the network also rely on Active Directory for security
- Their security descriptors use DACLs that name Active Directory security principals
- Objects:
  - NTFS files and folders
  - Printers
  - Shares
  - Registry keys

NT File System (NTFS)
- Assigns a security descriptor to each file and folder
- Each object in the file system has:
  - Owner
  - DACL
  - SACL
- NTFS DACL permissions define what users can do with the files and folders, whether they come in over the network or are logged on locally

Standard File Permissions in NTFS
(table not reproduced in this text; the standard NTFS permissions are Full Control, Modify, Read & Execute, List Folder Contents (folders only), Read and Write, each a bundle of the special permissions)

Printers
- Have a security descriptor with:
  - Owner
  - DACL
  - SACL
- Standard permissions:
  - Print: who can print to the printer
  - Manage Printers: who can change printer settings
  - Manage Documents: who can pause, reorder or cancel other users' documents

File Shares
- A user must first be allowed access to the share, and then access to the file or folder by NTFS
- Very few choices at the share level:
  - Allow or deny Full Control, Change or Read access
- Use NTFS permissions to further restrict access to the folder and its contents
  - The effective permission over the network is the more restrictive of the share permission and the NTFS permission; share permissions do not apply to users logged on locally, NTFS permissions do

Registry Keys
- Values stored in the registry control how the computer system operates
- Each registry key has a typical Windows 2003 security descriptor with:
  - SACL
  - DACL
  - Specified owner
- Permissions are set per key, not per value, and are inherited by subkeys; a key that controls a service or startup program and is writable by ordinary users is a privilege-escalation path

Other Applications
- Many applications do not perform any authentication or authorization of their own
  - They can be given access control by setting NTFS permissions on their executable files or directory; this controls who can launch the program, not what the program does once it is running
- Some applications perform authentication and authorization internally
  - They can also gain added protection from NTFS permissions on their program and data files

Other Applications (continued)
- More sophisticated applications often use Active Directory for authentication
  - But provide their own authorization (their own roles or access lists)
- A few applications use Active Directory for both authentication and authorization, for example by checking group membership in the user's token