Securing and Protecting the Network - PowerPoint PPT Presentation

About This Presentation

Title: Securing and Protecting the Network

Description: Securing and Protecting the Network. Hands-On Microsoft Windows Server 2003 Active Directory ... Demonstrate the use of DACLs to control access to network resources ... – PowerPoint PPT presentation

Slides: 41
Provided by: zz992

Transcript and Presenter's Notes

Title: Securing and Protecting the Network


1
Chapter 6
  • Securing and Protecting the Network

2
Objectives
  • Explain basic security concepts in an Active
    Directory computer network, including
    discretionary access control lists (DACLs),
    system access control lists (SACLs), and security
    principals
  • Demonstrate the use of DACLs to control access to
    objects in Active Directory
  • Demonstrate the use of DACLs to control access to
    network resources
  • Describe the user authentication process in an
    Active Directory domain

3
Security Concepts in Active Directory
  • A security principal is an account that is
    automatically assigned a security identifier to
    control access to resources
  • A SID is a value that uniquely identifies
    principals on a network
  • A DACL specifies the access that particular users
    or groups can have to the object
  • A SACL controls the generation of audit messages
    for attempts to access a securable object

4
Security Concepts in Active Directory (continued)
  • An access control list (ACL) is a list of
    security protections that apply to an object
  • An access control entry (ACE) is an entry in an
    ACL: a SID, an access mask, and an allow or deny
    type
  • A domain account SID consists of the domain
    identifier followed by a relative identifier
    (RID) that is unique within that domain
  • Users present an access token containing their
    SIDs when accessing a resource

5
Security Principals
  • Security principals can be given permissions to
    access a resource
  • Groups can also be granted permissions
  • A security principal can be a user, an
    InetOrgPerson object, a computer, or a security
    group
  • A contact is not a security principal

6
Security Identifiers
  • Unique, variable-length binary value
  • Usually written in its string form, the notation
    also used in Security Descriptor Definition
    Language (SDDL)
  • S-1-<identifier authority>-<subauthorities>-<RID>;
    for domain accounts the subauthorities are 5-21
    followed by the three 32-bit values that identify
    the domain, for example S-1-5-21-<domain>-512 for
    Domain Admins
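The SID layout on this slide, as an added Python example that is not part of the presentation: it encodes and decodes the binary form (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and splits a domain account SID into its domain identifier and RID. The BUILTIN\Administrators bytes and the sample domain SID S-1-5-21-1004336348-1177238915-682003330 are constructed test data; the well-known RID table holds Microsoft's documented values.

```python
import struct

# Well-known relative identifiers within every domain (documented by Microsoft).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def sid_to_string(blob: bytes) -> str:
    """Decode the binary SID layout into S-1-<authority>-<subauthorities>."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the length")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", blob, 8)     # 32-bit each, little-endian
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))


def string_to_sid(text: str) -> bytes:
    """Encode the string form back into the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {text}")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_sid(text: str):
    """For an account SID S-1-5-21-a-b-c-RID return (domain SID, RID, well-known name or None)."""
    parts = text.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID")
    rid = int(parts[7])
    return "-".join(parts[:7]), rid, WELL_KNOWN_RIDS.get(rid)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two account SIDs belong to the same domain when their domain identifiers match."""
    return split_domain_sid(sid_a)[0] == split_domain_sid(sid_b)[0]


# Constructed sample: BUILTIN\Administrators (S-1-5-32-544) as stored in a security descriptor.
ADMINISTRATORS_BLOB = bytes.fromhex("0102" "000000000005" "20000000" "20020000")
```

Note that the RID alone says nothing about which domain an account belongs to: two accounts with RID 512 in different domains are different Domain Admins groups, which is why `same_domain` compares the full domain identifier.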

7
Kerberos Tickets and Access Tokens
  • Presented by the user's OS to access network
    resources
  • Kerberos is used when all computers involved
    support compatible implementations
  • NTLM is used when Kerberos authentication is not
    available
  • The access token includes the user's SID and the
    SID of every group of which the user is a member

8
Discretionary Access Control Lists (DACL)
  • Associated with every securable object
  • List of ACEs specifying who gets which permissions
  • Access is denied unless allow ACEs matching SIDs
    in the requester's token cover every right
    requested; an empty DACL grants nothing, while a
    missing (NULL) DACL grants everyone full access
  • ACEs can be very specific

9
System Access Control Lists (SACL)
  • Same structure as a DACL
  • Determines whether an access attempt is audited
    (on success, on failure, or both)
  • Can track changes and logons

10
ACEs That Allow or Deny
  • Implicit deny: any requested right that no ACE
    grants is denied
  • ACEs are normally used to grant access
  • A deny ACE overrides an allow the user would
    receive as a member of a group; Windows keeps
    deny ACEs ahead of allow ACEs in canonical order,
    so the deny is evaluated first
  • Owners always retain the right to read and change
    the DACL (READ_CONTROL and WRITE_DAC), so they
    cannot be locked out of their own objects

11
Inheritance
  • Permissions can be inherited from parent objects
    such as OUs
  • Each ACE is marked to indicate whether it was
    directly applied or inherited

12
Groups in Security
  • Grant permissions to groups rather than to
    individual users; per-user ACEs are hard to audit
    and are rarely cleaned up when roles change
  • In a single-domain forest, use global groups

13
Groups in Security (continued)
  • If using machine local accounts, use machine
    local groups

14
Groups in Security (continued)
  • If using a small number of domains and one site
  • Assign users to global groups
  • Assign global groups to domain local groups
  • Grant permissions to the domain local groups

15
Groups in Security (continued)
  • Using only universal groups works well in
    single-domain environments, but not in a large
    forest, because universal group membership is
    replicated to every global catalog
  • Using domain local, global, and universal groups
    together is the best approach for the same group
    to access resources in different domains
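The DACL evaluation of slides 8 through 11 and the AGDLP group nesting of slides 12 through 15, as an added Python model that is not part of the presentation. It parses an SDDL DACL string, checks canonical ACE ordering, expands nested group membership into the SID list an access token would carry, and runs the access check with the owner's implicit rights, deny-before-allow and implicit deny. The rights and flag codes are the standard SDDL abbreviations (the file rights FA/FR/FW/FX are included, so the same check applies to NTFS DACLs); the domain SID S-1-5-21-1-2-3, the user and group RIDs, the membership table and the OU DACL are constructed for the example.

```python
import re
from dataclasses import dataclass

# Access-mask bits behind the SDDL rights codes (generic, standard, directory and file rights).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
ACE_FLAGS = {"OI": 0x1, "CI": 0x2, "NP": 0x4, "IO": 0x8, "ID": 0x10}
SID_ALIASES = {"WD": "S-1-1-0", "AU": "S-1-5-11", "SY": "S-1-5-18",
               "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);([^;]*);([^;]*);([^)]+)\)")


@dataclass
class Ace:
    kind: str    # "A" allow or "D" deny ("AU" audit ACEs belong in the SACL)
    flags: int
    mask: int
    sid: str


def _codes(text):
    return (text[i:i + 2] for i in range(0, len(text), 2))


def parse_ace(text: str) -> Ace:
    m = ACE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad ACE string: {text}")
    kind, flags, rights, _obj_guid, _inherit_guid, sid = m.groups()
    if rights.startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for code in _codes(rights):
            mask |= RIGHTS[code]
    flag_bits = 0
    for code in _codes(flags):
        flag_bits |= ACE_FLAGS[code]
    return Ace(kind, flag_bits, mask, SID_ALIASES.get(sid, sid))


def parse_dacl(sddl: str):
    """ACEs of the D: section; [] for an empty DACL, None when the descriptor has no DACL."""
    sections = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    if "D" not in sections:
        return None
    body = sections["D"]
    body = body[body.index("("):] if "(" in body else ""   # drop control flags P / AI / AR
    return [parse_ace(a) for a in re.findall(r"\([^)]*\)", body)]


def is_canonical(dacl) -> bool:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    ranks = [(bool(a.flags & ACE_FLAGS["ID"]), a.kind == "A") for a in dacl]
    return ranks == sorted(ranks)


def access_check(dacl, owner_sid: str, token_sids, desired: int) -> bool:
    """True if every bit of `desired` is granted to a token holding `token_sids`."""
    if dacl is None:                       # NULL DACL: the object is unprotected
        return True
    token, granted = set(token_sids), 0
    if owner_sid in token:                 # owners may always read and rewrite the DACL
        granted |= (RIGHTS["RC"] | RIGHTS["WD"]) & desired
    for ace in dacl:
        if granted == desired:
            break
        if ace.flags & ACE_FLAGS["IO"] or ace.sid not in token:
            continue                       # inherit-only ACEs do not apply to this object
        if ace.kind == "D" and ace.mask & desired & ~granted:
            return False                   # a matching deny on an outstanding right ends it
        if ace.kind == "A":
            granted |= ace.mask & desired
    return granted == desired              # anything still ungranted is the implicit deny


def expand_groups(user_sid: str, membership) -> set:
    """Build the token's SID list: the user plus every group reached through nesting."""
    sids, todo = {user_sid}, [user_sid]
    while todo:
        for group in membership.get(todo.pop(), ()):
            if group not in sids:
                sids.add(group)
                todo.append(group)
    return sids


# Constructed data (no real domain): alice is in HR Users (global), which is nested in
# HR Data Change (domain local); the OU ACE names the domain local group (AGDLP).
DOMAIN = "S-1-5-21-1-2-3"
ALICE, HR_USERS, HR_DATA = f"{DOMAIN}-1105", f"{DOMAIN}-1106", f"{DOMAIN}-1107"
MEMBERSHIP = {ALICE: [HR_USERS, f"{DOMAIN}-513", "S-1-1-0", "S-1-5-11"], HR_USERS: [HR_DATA]}
OU_DACL = parse_dacl(f"O:BAD:AI(D;;WP;;;{ALICE})(A;CI;RPWP;;;{HR_DATA})(A;CIID;FA;;;BA)")


def demo():
    token = expand_groups(ALICE, MEMBERSHIP)
    admins = {"S-1-5-32-544"}
    return (access_check(OU_DACL, "S-1-5-32-544", token, RIGHTS["RP"]),    # allowed via nesting
            access_check(OU_DACL, "S-1-5-32-544", token, RIGHTS["WP"]),    # explicit deny wins
            access_check(OU_DACL, "S-1-5-32-544", token, RIGHTS["WD"]),    # implicit deny
            access_check(OU_DACL, "S-1-5-32-544", admins, RIGHTS["WD"]))   # owner's implicit right
```

Two things the model makes visible that the slides only state: the deny for alice wins even though her domain local group is allowed, purely because it sits earlier in the canonical order, and the administrators' ability to rewrite the DACL does not depend on any ACE at all, only on ownership.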

16
Protecting Objects in Active Directory
  • Each object has an owner, a DACL, and a SACL
  • Default permissions are not adequate in a large
    forest

17
Delegation of Control
  • Data owners are given the ability to modify only
    certain objects or attributes
  • Control can be delegated manually or with the
    Delegation of Control wizard
  • Organize so that all objects in an OU have the
    same data owner
  • Create ACEs in the DACL of the OU
  • Flag them to be inherited by the objects in the
    OU

18
Granular Control
  • Control can be delegated with precision using
    Active Directory

19
Standard Permissions
  • Used for everyday tasks

20
Special Permissions
  • The exact and granular permissions available

21
Protecting Network Resources
  • Protecting objects is essential
  • Most protected resources use a DACL similar in
    format to Active Directory objects

22
The NT File System (NTFS)
  • Recommended over FAT for Windows Server 2003
    servers; FAT volumes carry no permissions at all
  • Uses a journal to keep track of changes to the
    file system, so it can be recovered after a crash
  • Uses the same security descriptor structure
    (owner, DACL, SACL) as Active Directory
  • File permissions include Full Control, Modify,
    Read & Execute, Read, and Write, as well as
    special permissions
  • Files can inherit permissions set on the parent
    folder

23
The NT File System (NTFS) (continued)
  • Standard printer permissions control who can
    print, change printer settings, and manage
    documents
  • Standard file share permissions are Full Control,
    Change, and Read; when a file is reached through
    a share, the more restrictive of the share and
    NTFS permissions applies
  • Standard and special permissions can be set on
    registry keys
  • Registry keys are organized into hives
  • The registry is used by the OS to control the
    operation of the computer
  • Other applications can be given access control by
    setting permissions on their executable files
  • Some applications perform authentication and
    authorization internally

24
Understanding the User Authentication Process
  • Kerberos v5 authentication is the default for all
    Windows Server 2003 computers
  • Used for network authentication; the ticket also
    carries the user's authorization data (SIDs),
    which the resource server uses for access checks
  • Several components are involved in Kerberos
  • The security principal who is requesting access
  • The Key Distribution Center (KDC), which runs on
    every Active Directory DC
  • The server holding the requested resource or
    service

25
Kerberos Version 5
  • The KDC provides the authentication and
    ticket-granting services
  • The authentication service authenticates and
    issues ticket granting tickets (TGTs) to users
  • The ticket-granting service issues session
    tickets for access to network resources
  • The TGT is used to request session tickets both
    for the user's own workstation (interactive
    logon) and for the hosts of network resources

26
Overview of the Kerberos Process
27
Kerberos in Action
  • After logon, the client computer sends a request
    (AS-REQ) to the KDC containing
  • The username
  • A request for a TGT
  • Pre-authentication data: a timestamp encrypted
    with the user's long-term key, which is derived
    from a hash of the user's password (the key
    itself is never sent)
  • The KDC looks up the user, takes the same key
    from the stored password hash, and decrypts the
    timestamp
  • Authentication fails if the user cannot be found,
    decryption fails (wrong password), or the
    timestamp is outside the allowed clock skew
    (5 minutes by default)

28
Kerberos in Action (continued)
  • The KDC generates a TGT containing
  • The user's authorization data (the SIDs that will
    make up the access token)
  • An AS session key
  • A timestamp
  • The TGT is encrypted with the KDC's own secret
    key (the krbtgt account's key), so the client can
    neither read nor alter it
  • The KDC generates a reply packet containing
  • The TGT
  • Another copy of the AS session key
  • A timestamp
  • The private part of the reply packet is encrypted
    with the user's secret key
  • The reply packet is decrypted on the user's
    machine, and the TGT and session key are cached

29
Kerberos in Action (continued)
  • The client requests a session ticket to access
    resources
  • Service request packets include
  • The TGT
  • The server name for which access is desired
  • An authenticator: the client name and a
    timestamp encrypted with the AS session key
  • The KDC decrypts the TGT with the krbtgt key and
    uses the AS session key found inside it to
    decrypt the authenticator

30
Kerberos in Action (continued)
  • The KDC returns a session ticket (ST) to the
    client containing
  • The user's authorization data (SIDs)
  • A CS session key
  • The ST is encrypted with the service's long-term
    key, known only to the KDC and the server hosting
    the requested service
  • The client presents the ST, plus a fresh
    authenticator under the CS session key, to the
    server to access the resource
  • For interactive logon, an ST for the workstation
    itself is presented to the Local Security
    Authority (LSA), which builds the access token
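The AS and TGS exchanges of slides 27 through 30, as an added Python model that is not from the presentation. The realm EXAMPLE.LOCAL, the principals, the password and the SIDs are constructed; `seal` and `unseal` are a toy HMAC-SHA256-based authenticated encryption standing in for the real Kerberos encryption types (RC4-HMAC, AES), and PBKDF2 stands in for the password-to-key derivation. What it demonstrates: the client never sends its key, the KDC verifies the pre-authentication timestamp, the TGT is opaque to the client (krbtgt key), the service ticket is opaque to everyone but the KDC and the service, and a wrong password, a stale timestamp or an unknown principal each fail at the step the slides describe.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew the KDC tolerates (Windows default: 5 minutes)


class AuthError(Exception):
    pass


def long_term_key(password: str, salt: str) -> bytes:
    # The slides' "key derived from a hash of the user's password". Stand-in for the
    # real derivations (NT hash for RC4-HMAC, PBKDF2 for the AES types).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + tag). Not a Kerberos etype."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise AuthError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication service and ticket-granting service of one DC (constructed data)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {"krbtgt": os.urandom(32), "cifs/fs1": os.urandom(32)}
        self.sids = {}   # principal -> [user SID, group SIDs...], the future access token

    def add_user(self, name: str, password: str, sids: list):
        self.keys[name] = long_term_key(password, self.realm + name)
        self.sids[name] = sids

    def as_exchange(self, cname: str, preauth: bytes, now: int):
        """AS-REQ (name + sealed timestamp) -> (TGT, reply part sealed under the user's key)."""
        key = self.keys.get(cname)
        if key is None or cname not in self.sids:
            raise AuthError("client principal unknown")
        ts = unseal(key, preauth)["timestamp"]       # AuthError here means a wrong password
        if abs(ts - now) > SKEW:
            raise AuthError("clock skew too great")
        as_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sids": self.sids[cname],
                                         "as_key": as_key, "endtime": now + 10 * 3600})
        return tgt, seal(key, {"as_key": as_key, "timestamp": now})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int):
        """TGS-REQ (TGT + authenticator under the AS session key) -> (service ticket, reply part)."""
        t = unseal(self.keys["krbtgt"], tgt)          # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["as_key"]), authenticator)
        if a["cname"] != t["cname"] or abs(a["timestamp"] - now) > SKEW or now > t["endtime"]:
            raise AuthError("bad authenticator or expired TGT")
        if sname not in self.keys:
            raise AuthError("service principal unknown")
        cs_key = os.urandom(32).hex()
        st = seal(self.keys[sname], {"cname": t["cname"], "sids": t["sids"], "cs_key": cs_key})
        return st, seal(bytes.fromhex(t["as_key"]), {"cs_key": cs_key, "sname": sname})


def service_accept(service_key: bytes, st: bytes, authenticator: bytes, now: int) -> list:
    """The resource server opens the ST with its own key and checks the authenticator."""
    t = unseal(service_key, st)
    a = unseal(bytes.fromhex(t["cs_key"]), authenticator)
    if a["cname"] != t["cname"] or abs(a["timestamp"] - now) > SKEW:
        raise AuthError("service rejected the authenticator")
    return t["sids"]          # what the server's LSA turns into the access token


def logon_and_access(kdc: KDC, user: str, password: str, sname: str, now: int) -> list:
    """Client side of the whole sequence; returns the SIDs the service ends up with."""
    key = long_term_key(password, kdc.realm + user)
    tgt, rep = kdc.as_exchange(user, seal(key, {"timestamp": now}), now)
    as_key = bytes.fromhex(unseal(key, rep)["as_key"])           # cache TGT + AS session key
    st, rep2 = kdc.tgs_exchange(tgt, seal(as_key, {"cname": user, "timestamp": now}), sname, now)
    cs_key = bytes.fromhex(unseal(as_key, rep2)["cs_key"])
    # The service holds its own key; the demo simply reads it from the KDC's table.
    return service_accept(kdc.keys[sname], st, seal(cs_key, {"cname": user, "timestamp": now}), now)


def build_demo_kdc() -> KDC:
    kdc = KDC("EXAMPLE.LOCAL")   # constructed realm, principal, password and SIDs
    kdc.add_user("alice", "correct horse", ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513"])
    return kdc


def auth_fails(fn, *args) -> bool:
    """True if the call is rejected with AuthError (used to exercise the failure cases)."""
    try:
        fn(*args)
        return False
    except AuthError:
        return True
```

The `now` parameter is passed explicitly so the skew and expiry checks are reproducible; in a real deployment it is the system clock, which is why Kerberos logons fail once a machine's clock drifts more than the allowed skew from the DC.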

31
The NTLM Authentication Process
32
NTLM Authentication
  • Used in the following scenarios
  • A Windows 95/98/NT-based computer authenticates
    to a Windows 2000 or Windows Server 2003 DC
  • A Windows 2000/XP/2003 computer authenticates to
    a Windows NT-based server
  • A log-on request is sent to a Windows 2000 or
    2003 standalone server
  • A security principal needs to be authenticated by
    a DC that is running as part of a Windows 2000
    cluster server environment
  • A security principal needs to be authenticated
    for access to a resource in a different forest,
    using an external trust relationship between
    forests (or between a forest and a Windows NT
    domain)
  • The NTLM protocol is less secure than Kerberos:
    it provides no mutual authentication, and the
    response is derived directly from the password
    hash, so a captured exchange can be cracked
    offline or relayed to another server

33
NTLM Authentication (continued)
  • The server sends a challenge to the client; the
    client returns a response computed from the
    challenge and the hash of its password
  • The server forwards the challenge and response
    to a DC through the netlogon secure channel
  • The netlogon process on the DC verifies the
    response against the password hash stored in
    Active Directory, which also confirms that the
    user exists
  • The authenticating DC sends the user's SID and
    group SIDs back to the server

34
Down-level Client Authentication
  • Down-level clients are pre-Windows 2000,
    including Windows 95/98/Me and NT
  • Down-level clients create a security concern when
    implemented within a Windows 2000/2003 network
  • The Directory Services Client add-on enables
    Windows 95/98/NT 4.0 clients to use NTLMv2 on the
    Windows 2000/2003 network
  • The Directory Services Client implements
    additional features, such as
  • Active Directory site awareness
  • Search capabilities in Active Directory
  • The ability to connect to any DC to change
    passwords

35
Two-factor Authentication
  • Three possible identification factors for
    authentication
  • Something you know
  • Something you have
  • Something you are
  • Two-factor authentication uses a password and an
    additional factor to increase security, such as
  • SecurID
  • Biometric devices
  • Smart cards

36
Public Key Infrastructure for Authentication with
Smart Cards
  • In symmetric key cryptography, the same secret
    key is used to encrypt and decrypt a message
  • In public key cryptography, a private/public key
    pair is used: what one key encrypts only the
    other can decrypt, and the private key never
    leaves its owner
  • An X.509 digital certificate binds a public key
    to its owner's identity and carries the digital
    signature of the certification authority that
    issued it
  • Active Directory can store X.509 certificates

37
Public Key Infrastructure for Authentication with
Smart Cards (continued)
  • Private keys can be stored on a smart card that
    has
  • Storage for the owner's certificate and private
    key
  • Computing power to perform the private-key
    operations (signing and decryption) on the card,
    so the private key never has to leave it
  • Including smart cards and PKI adds complexity and
    cost

38
Chapter Summary
  • Security principals have a SID that works with
    ACEs in DACLs and SACLs
  • Security principals can be granted specific
    permissions to access resources
  • DACLs are a list of ACEs, specifying a SID and
    the type of permission being granted or denied
  • ACEs are evaluated in order; an ACE applies when
    its SID matches any SID in the user's access
    token, and a matching deny on a requested right
    stops the check
  • Always grant permissions to groups instead of
    individual users

39
Chapter Summary (continued)
  • Delegation of control allows data owners to
    manage their own objects
  • NTFS provides the same security descriptor
    structure for files and folders as for Active
    Directory objects
  • Permissions in NTFS and Active Directory can be
    inherited from a parent level to a child level
    for simpler administration
  • Other applications may use Active Directory for
    authentication, authorization, both, or neither

40
Chapter Summary (continued)
  • Applications can be made more secure by
    protecting their executables and data files with
    NTFS permissions
  • NTLM and Kerberos are the two primary user
    authentication methods in a Windows Server 2003
    network
  • Active Directory supports smart cards and X.509
    certificates through the PKINIT extension to the
    Kerberos protocol