
COMP2221 Networks in Organisations

Date post: 04-Jan-2016
Upload: quinlan-gregory
Description:
COMP2221 Networks in Organisations. Richard Henson, April 2013. Week 9: Closer look at Active Directory. Objectives: explain new security features brought in with active directory; apply secure file system principles and active directory to controlling access for groups of network users.
Transcript
Page 1: COMP2221 Networks in Organisations

COMP2221

Networks in Organisations

Richard Henson

April 2013

Page 2: COMP2221 Networks in Organisations

Week 9: Closer look at Active Directory

Objectives
– Explain new security features brought in with active directory
– Apply secure file system principles and active directory to controlling access for groups of network users
– Apply active directory group policies across one/more domain using active directory

Page 3: COMP2221 Networks in Organisations

The Active Directory “store”

Global Catalog
– stored as file NTFS.DIT when the first domain controller is created
– distributed across all domain controllers
  » covers all “objects” on domain controllers, e.g. shared resources such as servers, files, printers; network user and computer accounts
– directory changes automatically replicated to all domain controllers

Page 4: COMP2221 Networks in Organisations

Group Policies and Network Access

Active directory controls access to all network resources
Achieved through giving the right users the right group policies
How can the network administrator know what policies to allocate to which user(s)…
– groups must have appropriate settings

Page 5: COMP2221 Networks in Organisations

Managing Group Policy

Group Policy Management Console (Windows 2003 onwards…)
Applies principles of MMC (Microsoft Management Console) to managing group profiles
– particularly useful for testing/viewing the resultant profile of interaction between several group profiles in a particular order

Page 6: COMP2221 Networks in Organisations

Security Features of Active Directory (1)

SSL (secure OSI level 5)
– for e-commerce…
– Internet Information Server (IIS) supports websites accessible only via https/SSL
LDAP over SSL
– LDAP important for internet lookup
– used with secure sockets layer (SSL) for checking server credentials for extranet and e-commerce applications

Page 7: COMP2221 Networks in Organisations

Security Features of Active Directory (2)

Transitive Domain Trust
– default trust between contiguous Windows domains in a domain tree
– greatly reduces management overhead

Page 8: COMP2221 Networks in Organisations

Security Features of Active Directory (3)

Kerberos Authentication
– authentication of users on remote domains not part of the same DNS zone
Smart Card Support
– logon via smart card for strong authentication to sensitive resources

Page 9: COMP2221 Networks in Organisations

Protecting Local Passwords

More sophisticated challenge-response encryption (NTLMv2) was available to all systems from Windows 2000 on…
– until Vista arrived this was turned off by default
  » for “compatibility reasons”
– unless NTLMv2 enabled, passwords on XP systems easy to “hack” with right tools (!)
Any client network user should make sure this password protection feature is turned on…
– can be added for domain users through group policy

Page 10: COMP2221 Networks in Organisations

Active Directory and “controlling” Users

“Groups” already well established for managing network users
Active directory centrally organised resources including all computers
– allowed groups to become more powerful for user management
– exploited by enabling the organisation of users and groups of users into:
  » organisational units
  » sites
  » domains

Page 11: COMP2221 Networks in Organisations

Managing Domain Users with Active Directory

Same user information stored on all domain controllers
Users can be administered at or by secure access to administrator on any domain controller for that domain
– flexibility but potential danger!

Page 12: COMP2221 Networks in Organisations

Making Sure Users don’t get the Administrator Password!

File security assumes that only the network manager can log on as administrator
– but if a user can guess the password… (!)
Strategies:
– rename the administrator account to something more obscure
– only give administrator password to one other person
– change administrator password regularly

Page 13: COMP2221 Networks in Organisations

How AD Provides Security

Manages which “security principal(s)” have access to each specific resource
– i.e. users, computers, groups, or services (via service accounts)
  » each has a unique identifier (SID)
Validates the authentication process…
– for computers, at startup
– for users, at logon

Page 14: COMP2221 Networks in Organisations

More about the SID

The SID (Security ID) comprises:
– domain ID
  » common to all security principals within the domain
– unique relative identifier (RID)

Page 15: COMP2221 Networks in Organisations

Access Tokens

Generated when a user logs on to the network
Contains:
– user’s SID
– SIDs for each group to which the user is a member
– assigned user rights or privileges as a result of processing the IDs in the specified order

Page 16: COMP2221 Networks in Organisations

ACE (Access Control Entries)

Each object or resource has an access control list (ACL) e.g.
– objects and their properties
– shared folders and printer shares
– folders and files within the NTFS file system
ACEs contained within ACL
– protects resource against unauthorised users

Page 17: COMP2221 Networks in Organisations

More on ACLs

Two distinct ACLs for each object or resource:
– discretionary access control list (DACL)
  » list of the SIDs that are either granted or denied access and the degree of access that is allowed
– systems access control list (SACL)
  » list of all the SIDs whose access or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed

Page 18: COMP2221 Networks in Organisations

Mechanism of AD security

Users are usually assigned to several groups
When a user attempts to access a directory object or network resource…
– the security subsystem…
  » looks at the SID for the user and the SIDs of the security groups to which the user is a member
  » checks to see whether it/they match the security descriptors assigned to the resource
If there is a match…
– user is granted the degree of access to the resource that is specified in the ACL
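
The check described on the SID, access token and ACL slides, as an added Python model (not code from the lecture or from Windows). It goes one step beyond the slides by evaluating the DACL's entries in order, so an earlier deny entry overrides a later allow, which is how Windows evaluates a DACL. The SIDs, group names and rights bits are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Rights as bit flags (constructed for this model, not real Windows access masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# Constructed sample SIDs: one domain identifier, a different RID per principal.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB = f"{DOMAIN}-1104", f"{DOMAIN}-1105"
STAFF, CONTRACTORS = f"{DOMAIN}-1201", f"{DOMAIN}-1202"


def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID string into (domain identifier, relative identifier)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed entry, False = access-denied entry
    sid: str      # security principal the entry applies to
    mask: int     # rights the entry grants or denies


@dataclass
class AccessToken:
    user_sid: str
    group_sids: list[str] = field(default_factory=list)

    def sids(self) -> set[str]:
        """Every SID the logged-on user presents: their own plus their groups."""
        return {self.user_sid, *self.group_sids}


def access_check(token: AccessToken, dacl: list[Ace] | None, desired: int) -> bool:
    """Return True if the token is granted every right in `desired`."""
    if dacl is None:          # no DACL at all: the object is unprotected
        return True
    sids = token.sids()
    granted = 0
    for ace in dacl:          # entries are evaluated strictly in list order
        if ace.sid not in sids:
            continue
        remaining = desired & ~granted
        if not ace.allow:
            if ace.mask & remaining:      # a still-needed right is denied
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:        # everything asked for is granted
                return True
    return False              # rights not explicitly granted are denied


# Constructed tokens: Bob is in both groups, Alice only in Staff.
ALICE_TOKEN = AccessToken(ALICE, [STAFF])
BOB_TOKEN = AccessToken(BOB, [STAFF, CONTRACTORS])

# Deny entries first, then allow entries.
DACL = [
    Ace(False, CONTRACTORS, WRITE | DELETE),
    Ace(True, STAFF, READ | WRITE),
]
# Same entries with allow first: the deny no longer protects WRITE.
MISORDERED_DACL = list(reversed(DACL))

if __name__ == "__main__":
    print("domain / RID of Alice:", split_sid(ALICE))
    for name, token in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN)):
        for label, want in (("READ", READ), ("WRITE", WRITE), ("DELETE", DELETE)):
            print(name, label, access_check(token, DACL, want))
    print("bob WRITE, misordered DACL:", access_check(BOB_TOKEN, MISORDERED_DACL, WRITE))
```

An empty DACL (`[]`) denies everyone, while a missing DACL (`None`) grants everyone, so the two cases are worth auditing for separately.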

Page 19: COMP2221 Networks in Organisations

Power of Group IDs in Policy-based Security

Group Policy…
– allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources
– allows security & usage policies to be established separately for:
  » computer accounts
  » user accounts
– can be applied at multiple levels:
  » users or computers residing in a specific OU
  » computers or users in a specific AD site
  » an entire AD domain

Page 20: COMP2221 Networks in Organisations

Active Directory and Group Policy

Power of Group Policy:
– allows network administrators to define and control the policies governing:
  » groups of computers
  » groups of users
– administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory Domain Tree

Page 21: COMP2221 Networks in Organisations

Monitoring Group Policy

Policies, like permissions, are ADDITIVE
– watch simulation… (AGAIN!)
Windows 2000 policies
– need to assess which specific cumulative set of policies were controlling the environment for a specific user or computer
Windows 2003 GPMC
– tracking and reporting the Resultant Set of Policy (RSoP):
  » net effect of each of the overlapping policies on a specific user or computer within the domain

Page 22: COMP2221 Networks in Organisations

Extending User/Group Permissions beyond a domain

Possible for user permissions to be safely applied beyond the local domain
– so users on one network can gain access to files on another network
– authentication controlled between servers on the local and trusted domains
Normally achieved through “adding” groups from a trusted domain
NOT the same as “remote logon”
– needs special username/password authorisation…

Page 23: COMP2221 Networks in Organisations

Enterprise Networks

Multiple Domains in a tree
– Transitive Domain Trust
Single enterprise administrator
– “enterprise admin”
– greatly reduces management overhead

Page 24: COMP2221 Networks in Organisations

Managing Users & Their Profiles

Once they get the hang of it, users save all sorts of rubbish to their user areas
– may well include lots of downloaded web pages and images
Problem!
– 5000 users
– each user takes 1 Gb of space...
– total disk space required is 5000 Gbytes!

Page 25: COMP2221 Networks in Organisations

Managing User Profiles

Windows 2003 Server “Disk Quotas”:
– allows administrators to track and control user NTFS disk usage
  » coupled with Group Policy and Active Directory technology
  » easy to manage user space
  » even enterprise-wide…
– users find this irritating but stops them keeping data they’re never likely to use again…

Page 26: COMP2221 Networks in Organisations

User Rights

Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
– operating system can enforce this
Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the software could be misused…
  » c.f. no-one is allowed to drive a car because some drivers cause accidents!

Page 27: COMP2221 Networks in Organisations

Controlling/Monitoring Group Policy across Domains

AD across a distributed enterprise…
– “enterprise” administrators have the authority to implement and alter Group Policies anywhere
– important to manage and restrict their number...
Enterprise admins need to inform domain admins:
– what has changed
– when it changed
– the implications of the change for directory and network operations…
Otherwise…
– a change to Group Policies affecting a domain might occur with disastrous consequences

Page 28: COMP2221 Networks in Organisations

Network Threats, Vulnerabilities, and Attacks

Protection implemented should relate to the IMPACT if the threat became a reality
– i.e. the value to the enterprise of the information or operation that would be compromised
Example:
– most networks probably wouldn’t need or want to implement fingerprint and retinal scanning to control access to the average user’s workstation
– might, however, want to implement smart cards to control access to critical domain controllers

Page 29: COMP2221 Networks in Organisations

Threat

Someone or something that has the capability or potential to compromise the security of a directory, network, or information
Three factors involved:
– Motive
– Method
– Opportunity
Threats do not involve people and do not have motive e.g.:
– fire
– flood

Page 30: COMP2221 Networks in Organisations

Threat (2)

ANY action by a user, condition, or process that has the potential to disclose, damage, or disrupt operations or information:
– attempted unauthorized entry into your network
– fire that breaks out in the building that houses the network servers
– virus that attempts to corrupt or delete needed information
are all examples of viable threats to the security of the directory and the network
– people internal to the organization!
  » internal threats more threatening than external ones!!!

Page 31: COMP2221 Networks in Organisations

Vulnerability

Any weakness in security that provides an opportunity for an attack and that, by its utilization, can allow an attack to succeed
Could be:
– software
– hardware
– social or physical environment
Requires constant vigilance on many fronts
– e.g.: if running Windows on servers, the latest service pack and patches needed
– requires monitoring Microsoft Web site for updates

Page 32: COMP2221 Networks in Organisations

Attack

Any action by a user or software process that, if successful, results in the disruption, disclosure, or damage to enterprise information, services, or operations
Shares the characteristics of motive, method, and opportunity:
– assume the intent on the part of the attacker to deliberately be:
  » attempting to damage or steal information
  » disrupt operations
  » uses or exploits the directory to gain access to or deny service from the directory or network resource

Page 33: COMP2221 Networks in Organisations

User-Based Attacks

Most common source of attacks are those initiated by people:
– anonymous users attempting external penetration of the enterprise network
– an authenticated user working from inside the network
Can be either of:
– physical attacks on the equipment supporting the directory or network
  » e.g. stealing/damaging equipment or physical network itself
– based on using the network or directory environment
  » anonymous users, authenticated users, or even administrators

Page 34: COMP2221 Networks in Organisations

Threat: Anonymous Users

Usually attempts to use vulnerabilities in the network, service, or application software
– e.g. via scanning tools
– e.g. exploiting a well-known but not patched error condition
  » when a known vulnerability is patched, the software update usually provides a description of the weakness, providing all the information needed to hack
  » therefore critical to stay on top of released patches and security updates…

Page 35: COMP2221 Networks in Organisations

Exploitation of LDAP

LDAP spec known to all
– defined through RFC
An anonymous user might be able to use LDAP to:
– flood domain controllers with lookup queries
– read domain information
– identify user account security policies
– find account names and SIDs
– identify shares on domain computers

Page 36: COMP2221 Networks in Organisations

Thwarting DoS attacks

SOME anonymous attacks can be mitigated by tightening security settings
Further action against anonymous DoS attacks:
– monitoring domain controllers for unreasonably high levels of LDAP queries
– renaming default file shares such as C$, D$, etc. and renaming the administrator account
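
One way to do the LDAP monitoring listed above, as an added Python example (not from the lecture): a sliding-window count of LDAP queries per client and domain controller, run over constructed log lines. The log line format, the 10-second window and the threshold of 20 are assumptions; a real deployment would feed it from whatever the domain controller or a network sensor actually records.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) line format: "<ISO time> <dc> ldap_search client=<ip> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dc>\S+) ldap_search client=(?P<client>\S+)")


def parse_line(line: str):
    """Return (timestamp, dc, client) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m["dc"], m["client"]


def find_ldap_floods(lines, window_seconds: int = 10, threshold: int = 20):
    """Flag (dc, client) pairs exceeding `threshold` queries in the window.

    Lines are expected in time order. Returns (alerts, skipped) where alerts
    maps (dc, client) to the first time the threshold was crossed and the
    peak query count seen in any window.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # (dc, client) -> timestamps still in window
    alerts = {}
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1             # count unparseable lines, do not hide them
            continue
        ts, dc, client = parsed
        key = (dc, client)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:    # drop queries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            prev = alerts.get(key)
            if prev is None:
                alerts[key] = {"first_seen": ts, "peak": len(q)}
            elif len(q) > prev["peak"]:
                prev["peak"] = len(q)
    return alerts, skipped


def build_sample_log() -> list[str]:
    """Constructed sample: one ordinary workstation, one client sending a burst."""
    start = datetime(2013, 4, 22, 10, 0, 0)
    lines = []
    for i in range(12):              # one lookup every 5 seconds
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} dc01 ldap_search "
                     f"client=10.0.0.5 filter=(sAMAccountName=user{i})")
    for i in range(50):              # 10 lookups per second for 5 seconds
        t = start + timedelta(seconds=30 + i // 10)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} dc01 ldap_search "
                     f"client=10.0.0.99 filter=(objectClass=*)")
    lines.sort()                     # ISO timestamps sort chronologically
    lines.append("corrupted line without the expected fields")
    return lines


if __name__ == "__main__":
    found, bad = find_ldap_floods(build_sample_log())
    for (dc, client), info in found.items():
        print(f"{dc}: {client} peaked at {info['peak']} queries per window, "
              f"first over threshold at {info['first_seen'].isoformat()}")
    print("unparseable lines:", bad)
```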

Page 37: COMP2221 Networks in Organisations

Threat: Authenticated Users

Examples:
– spoofed-account access (via hacking/cracking tools)
– illicit use of a valid account (obtained through some social engineering scheme)
– valid user who has decided to attack information, services, or operations for some personal or professional reason

Page 38: COMP2221 Networks in Organisations

Headache for administrators:

Accounts have legitimate access to a range of resources and information
More difficult to detect the attacks
Can validly start processes that will have the effect of creating DoS conditions by consuming inordinate amounts of service resources
– flood of LDAP queries or connections
– filling disk space (for example, storing many extremely large objects in the directory)

Page 39: COMP2221 Networks in Organisations

Threats: Administrators

Network Administrators themselves….
– potentially HUGE threats to the directory, network, & enterprise information accessible via the network….
– must always be a highly responsible/accountable job
Threat could be
– “spoofing” an administrator's account
– an account with invalidly elevated privileges
– a trusted administrator who has for some reason decided to attack the directory or network…

Page 40: COMP2221 Networks in Organisations

Administrators & associated personnel…

Not just administrators…
Accounts with some administrative rights can:
– modify permissions on objects within their scope
– enable accounts to be trusted for delegation
– change passwords on other user accounts to be used for further (spoofing & repudiation) attacks
– change security settings causing DoS conditions

Page 41: COMP2221 Networks in Organisations

Security Precautions (1)

Monitoring, analysis, responsiveness to anomalies in authenticated users permissions allocated by default
– a massive amount to monitor…
– need to prioritise
  » and/or use SIEM tools
– analysis will detect anomalies
– quick response will minimise the damage…

Page 42: COMP2221 Networks in Organisations

Security Precautions (2)

What to monitor…
– members of sensitive security groups & determine sensitive account information (names, addresses, phone numbers, password, etc…)
How to analyse…
– discover linkage of Group Policies
– identify sites
– identify the OSs of the domain controllers
– discover and disclose much additional information stored in the directory
– read most objects in the directory

Page 43: COMP2221 Networks in Organisations

Software-Based Attacks

The whole AD forest and domain directory structure are based on the schema
– any software application that corrupts the schema could:
  » compromise the entire directory
  » make the enterprise network inoperative
Automated attacks via viruses or worms that might “accidentally” affect the schema could have a damaging or disruptive effect on AD

Page 44: COMP2221 Networks in Organisations

Email attachments

HUGE risk
– user education doesn’t seem to stop people from opening every attachment that shows up in their inboxes
Can users be trusted? If not
– a whole messaging system can be configured to block, or at least scan, all attachments
– additional measures can be adopted, such as:
  » turning off preview panes that automatically display messages
  » converting HTML mail to plain text
  » blocking email clients from accessing the Internet

Page 45: COMP2221 Networks in Organisations

Environment-Based Attacks

Damage or destruction to the server hardware (via fire, flood, tornado, hurricane, lightning, etc)
– could potentially render the AD environment inoperative (strict backup and restoration procedures are vital)
Consistent threat across platforms
– disaster preparedness and recovery plans MUST include provisions for offsite data backups
  » make sure that the backups are actually taken offsite
  » consider a secondary physical site that is ready to go in case the worst happens

