
COMP2221 Networks in Organisations

Learn about the new security features brought in with Active Directory and how to apply secure file system principles and Active Directory to control access for groups of network users. Apply Active Directory group policies across one or more domains.







  1. COMP2221 Networks in Organisations Richard Henson April 2012

  2. Week 9 – Closer look at W2K etc. Architecture • Objectives • Explain the new security features brought in with Active Directory • Apply secure file system principles and Active Directory to controlling access for groups of network users • Apply Active Directory group policies across one or more domains

  3. Origins of Active Directory… • US President Clinton, May 1998: • “e-commerce” directive • Objective to use the Internet for doing business • Internet therefore had to be capable of secure data transfer…

  4. Microsoft’s new Strategy • Desire/need to engage with the architecture of the “new” Internet • DNS system • Public Key Infrastructure • LDAP for engaging with object-oriented directories • Secure remote authentication through • Domain trees based on DNS • Kerberos naming • Virtual Private Networks

  5. Launch of Active Directory • Gave Windows networks…. “credibility” • “global catalog” (object-oriented database for whole domain) • all network users, groups of users, devices, services centrally controlled by domain controller cluster • and “kudos…” • distributed database, means to access it, and security features all developed with RFCs • stark contrast with rival Novell’s NDS - proprietary protocols; not in compliance with standards

  6. The Active Directory “store” • Global Catalog • stored as the file NTDS.DIT when the first domain controller is created • distributed across all domain controllers • covers all “objects” on domain controllers • e.g. shared resources such as servers, files, printers; network user and computer accounts • directory changes automatically replicated to all domain controllers

  7. Active Directory and Domain Trees • Organisational names chosen for AD can logically link domains into a tree • called the DNS Zone • each domain identified by its DNS domain name • hierarchy needs careful planning • very useful for organisation networks that may require more than one domain (e.g. old campus and new campus?)

  8. Evolution from Exchange Server… • “Schema” database model evolved from Microsoft Exchange Server • properties of mailbox holders • Extended to all objects/properties in the domain • holds DNS names for all objects in the domain • allows “search” by selected attributes to find an object easily, regardless of where it is in the tree • All managed through Microsoft Management Console (MMC) interface

  9. Managing Group Policy • Group Policy Management Console • Biggest improvement in Windows Servers since 2000 • Applies principles of MMC to managing group profiles • particularly useful for testing/viewing the resultant profile of interaction between several group profiles in a particular order

  10. Security Features of Active Directory (1) • SSL (Secure OSI level 5) • Internet Information Server (IIS) used to create websites accessible only via https/SSL • LDAP over SSL • LDAP important for internet lookup • used with secure sockets layer (SSL) for checking server credentials for extranet and e-commerce applications • Transitive Domain Trust • default trust between contiguous Windows domains greatly reduces management overhead

  11. Security and Active Directory (2) • Kerberos Authentication • authentication of users on remote domains not part of the same DNS zone • Smart Card Support • logon via smart card for strong authentication to sensitive resources

  12. Protecting Local Passwords • From Windows 2000 onwards (actually, available in NT 4 from SP4), more sophisticated challenge-response authentication (NTLMv2) was available to all systems… • until Vista arrived this was turned off by default • for “compatibility reasons” • passwords on XP systems therefore usually easy to “hack” (!) • Any network user on a pre-Vista client system should make sure this password protection feature is turned on… • can be added for domain users through group policy
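The group policy setting the slide refers to (“Network security: LAN Manager authentication level”) is stored as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. As an added example (not from the slides), this Python script parses a constructed `reg export` of that key and reports whether the configured level still allows LM/NTLMv1 responses. The sample export is constructed, and treating an absent value as level 0 (the pre-Vista default the slide describes) is an assumption.

```python
"""Audit an exported LSA registry key for the NTLMv2 enforcement level.

Added example, not from the slides. It parses the text format produced by
`reg export` (constructed sample below) and reads the LmCompatibilityLevel
value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa, which is the
setting the "LAN Manager authentication level" group policy controls.
"""
import re

# Client-side meaning of each LmCompatibilityLevel value.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}
MIN_ACCEPTABLE = 3  # first level at which the client stops sending LM/NTLMv1

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample in .reg export format (level 2 = NTLMv1 still sent).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"LmCompatibilityLevel"=dword:00000002
"NoLMHash"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def dword_value(raw):
    """Convert a 'dword:0000000N' string to an int (None if not a DWORD)."""
    if raw is None or not raw.lower().startswith("dword:"):
        return None
    return int(raw.split(":", 1)[1], 16)


def assess_lm_level(text):
    """Return (level, description, compliant) for the exported Lsa key."""
    lsa = parse_reg_export(text).get(LSA_KEY, {})
    level = dword_value(lsa.get("LmCompatibilityLevel"))
    if level is None:
        level = 0  # assumption: absent value behaves like the legacy default
    return level, LM_LEVELS.get(level, "unknown"), level >= MIN_ACCEPTABLE


if __name__ == "__main__":
    lvl, desc, ok = assess_lm_level(SAMPLE_REG)
    print(f"LmCompatibilityLevel={lvl} ({desc}) -> {'OK' if ok else 'WEAK'}")
```

Run against an export taken from a client, the script gives a quick yes/no on whether the group policy the slide recommends has actually taken effect on that machine.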

  13. Active Directory and “controlling” Users • “Groups” already well established for managing network users • Active Directory centrally organises resources, including all computers • allowed groups to become more powerful for user management • exploited by enabling the organisation of users and groups of users into: • organisational units • sites • domains

  14. Managing Domain Users with Active Directory • Same user information stored on all domain controllers • Users can be administered at or by secure access to administrator on any domain controller for that domain • flexibility but potential danger!

  15. Making Sure Users don’t get the Administrator Password! • File security assumes that only the network manager can log on as administrator • but if a user can guess the password… • Strategies: • rename the administrator account to something more obscure • only give administrator password to one other person • change administrator password regularly

  16. How AD Provides Security • Manages which “security principal(s)” have access to each specific resource • i.e. users, computers, groups, or services (via service accounts) • each has a unique identifier (SID) • Validates the authentication process… • for computers, at startup • for users, at logon

  17. More about the SID • The SID (Security Identifier) comprises: • domain ID • common to all security principals within the domain • unique relative identifier (RID)
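The two-part structure described above can be seen in the string form of a SID, S-1-5-21-&lt;sub1&gt;-&lt;sub2&gt;-&lt;sub3&gt;-&lt;RID&gt;: everything before the last component is the domain identifier, the last component is the RID. This added Python example (not from the slides) parses SIDs into those parts, tells domain SIDs from built-in ones, and labels the well-known RIDs that are fixed for every domain, which is useful when auditing account lists. All sample SIDs are constructed.

```python
"""Parse SID strings into domain identifier and RID.

Added example, not from the slides. The sample SIDs are constructed.
"""
from dataclasses import dataclass

# Well-known RIDs that exist in every domain (fixed by Windows, not by this deck).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @property
    def rid(self):
        """The final sub-authority: unique within the domain."""
        return self.sub_authorities[-1]

    @property
    def domain_id(self):
        """String form of the SID minus its RID, shared by all principals in the domain."""
        parts = ["S", str(self.revision), str(self.authority)]
        parts += [str(s) for s in self.sub_authorities[:-1]]
        return "-".join(parts)

    def is_domain_sid(self):
        # NT authority (5) with 21 as first sub-authority and three machine-specific
        # sub-authorities marks a domain (or local machine) account SID.
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)


def parse_sid(text):
    """Parse 'S-R-A-s1-...-sn' into a Sid, rejecting malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or not subs:
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def same_domain(a, b):
    """True when two account SIDs share a domain identifier."""
    return a.is_domain_sid() and b.is_domain_sid() and a.domain_id == b.domain_id


def describe(text):
    """Label a SID with its well-known RID name, or 'custom' / 'non-domain'."""
    sid = parse_sid(text)
    if sid.is_domain_sid() and sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    return "custom" if sid.is_domain_sid() else "non-domain"


# Constructed sample SIDs for one fictional domain
SAMPLE_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-500",   # built-in Administrator
    "S-1-5-21-1004336348-1177238915-682003330-1106",  # an ordinary user
    "S-1-5-21-1004336348-1177238915-682003330-512",   # Domain Admins group
    "S-1-5-32-544",                                   # BUILTIN\Administrators
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(s, "->", describe(s))
```

Because the RID of the built-in Administrator account is always 500, an audit that keys on the RID rather than the account name still recognises the account after the renaming strategy suggested on slide 15.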

  18. Access Tokens • Generated when a user logs on to the network • Contains: • user’s SID • SIDs for each group of which the user is a member • assigned user rights or privileges as a result of processing the IDs in the specified order

  19. ACE (Access Control Entries) • Each object or resource has an access control list (ACL), e.g. • objects and their properties • shared folders and printer shares • folders and files within the NTFS file system • ACEs are contained within the ACL • protects the resource against unauthorised users

  20. More on ACLs • Two distinct ACLs for each object or resource: • discretionary access control list (DACL) • list of the SIDs that are either granted or denied access and the degree of access that is allowed • system access control list (SACL) • list of all the SIDs whose access or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed

  21. Mechanism of AD security • Users are usually assigned to security groups within AD • When a user attempts to access a directory object or network resource… • the security subsystem looks at the SID for the user and the SIDs of the security groups of which the user is a member • checks to see whether it/they match the security descriptors assigned to the resource • If there is a match… • user is granted the degree of access to the resource that is specified in the ACL
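Slides 18 to 21 describe one procedure: the token’s SIDs are matched against the ACEs in the object’s DACL, and the SACL decides what gets audited. The following Python model, added here and not part of the slides, walks a DACL in canonical order (explicit deny entries before allow entries), rejects as soon as a matching deny covers a still-outstanding requested right, and grants once allow entries have cleared every requested bit; a separate function reports which SACL entries would generate an audit record. It is a simplified model of the Windows access check, and every SID, ACL and right mask in it is constructed.

```python
"""Simulate checking an access token against an object's DACL and SACL.

Added example, not from the slides: a simplified model of the Windows
access check. All SIDs, ACLs and right masks are constructed.
"""
from dataclasses import dataclass, field

READ, WRITE, DELETE = 0x1, 0x2, 0x4
EVERYONE = "S-1-1-0"  # the well-known Everyone SID


@dataclass(frozen=True)
class Ace:
    trustee: str              # SID the entry applies to
    mask: int                 # rights the entry covers
    kind: str                 # "allow" / "deny" (DACL) or "audit" (SACL)
    on_success: bool = True   # SACL only: audit successful access
    on_failure: bool = True   # SACL only: audit failed access


@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def holds(self, sid):
        """Does this token carry the given SID (user, group or Everyone)?"""
        return sid == EVERYONE or sid == self.user_sid or sid in self.group_sids


def access_check(token, dacl, requested):
    """Return (granted, reason) for the requested right mask.

    dacl is assumed to be in canonical order (explicit denies first).
    """
    if dacl is None:
        return True, "no DACL present: object is unprotected"
    remaining = requested
    for ace in dacl:
        if not token.holds(ace.trustee):
            continue  # ACE is for a SID this token does not carry
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask  # clear the rights this ACE grants
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "rights not granted by any ACE (implicit deny)"


def audit_events(token, sacl, requested, granted):
    """Return the SACL trustees whose entries require this access to be logged."""
    return [ace.trustee for ace in sacl
            if ace.kind == "audit" and token.holds(ace.trustee)
            and ace.mask & requested
            and (ace.on_success if granted else ace.on_failure)]


# Constructed domain SIDs: one domain identifier, several RIDs
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ALICE, PAYROLL, INTERNS = f"{DOMAIN}-1106", f"{DOMAIN}-2001", f"{DOMAIN}-2002"

# Canonically ordered DACL for a payroll share: explicit deny before allows
PAYROLL_DACL = [
    Ace(INTERNS, WRITE | DELETE, "deny"),
    Ace(PAYROLL, READ | WRITE, "allow"),
    Ace(EVERYONE, READ, "allow"),
]
# SACL: log every attempt (successful or not) to write or delete
PAYROLL_SACL = [Ace(EVERYONE, WRITE | DELETE, "audit")]

alice = Token(ALICE, {PAYROLL, INTERNS})

if __name__ == "__main__":
    for want in (READ, WRITE):
        ok, why = access_check(alice, PAYROLL_DACL, want)
        print(f"alice requests {want:#x}: {ok} ({why}); audit -> "
              f"{audit_events(alice, PAYROLL_SACL, want, ok)}")
```

The sample shows the point the slide makes about group membership: Alice is in Payroll, which is allowed to write, but her Interns membership carries an explicit deny that is evaluated first, so the write is refused and the SACL causes the failed attempt to be audited.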

  22. Power of Group IDs in Policy-based Security • Groups of users can be granted or denied access to or control over entire classes of objects and sets of resources • Group Policy feature allows security & usage policies to be established separately for: • computer accounts • user accounts • Group Policy can be applied at multiple levels: • users or computers residing in a specific OU • computers or users in a specific AD site • an entire AD domain

  23. Active Directory and Group Policy • Power of Group Policy: • allows network administrators to define and control the policies governing: • groups of computers • groups of users • administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory Domain Tree

  24. Monitoring Group Policy • Policies are ADDITIVE • watch simulation… (AGAIN!) • Windows 2000 policies • need to assess which specific cumulative set of policies were controlling the environment for a specific user or computer • Windows 2003 GPMC • tracking and reporting the Resultant Set of Policy (RSoP): • net effect of each of the overlapping policies on a specific user or computer within the domain
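Slides 22 to 24 describe policies that are additive and overlapping, with the GPMC’s Resultant Set of Policy working out the net effect. The following Python function, an added example and not from the slides, computes that net effect for one target: GPO links are applied in site, domain, OU order (parent OU before child OU), the last writer of a setting wins, a link marked Enforced overrides lower links, and Block Inheritance on an OU drops the non-enforced links above it. The GPO names, setting names and link order are constructed to illustrate the precedence rules.

```python
"""Compute a Resultant Set of Policy from overlapping Group Policy links.

Added example, not from the slides. Links are processed in local, site,
domain, OU order (parent OU before child OU); for a setting defined by
several links the last one applied wins, except that Enforced links win
over anything below them and Block Inheritance discards non-enforced
links from above. GPO and setting names are constructed.
"""
from dataclasses import dataclass

SCOPE_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GpoLink:
    name: str
    scope: str          # local / site / domain / ou
    settings: dict      # setting name -> value
    enforced: bool = False
    depth: int = 0      # OU nesting depth (1 = top-level OU); 0 for other scopes


def resultant_set(links, blocked_ou_depth=None):
    """Return (effective_settings, winning_link_per_setting).

    blocked_ou_depth: depth of an OU with Block Inheritance set, or None.
    """
    ordered = sorted(links, key=lambda l: (SCOPE_ORDER[l.scope], l.depth))
    if blocked_ou_depth is not None:
        # Links above the blocking OU survive only if they are Enforced.
        ordered = [l for l in ordered
                   if l.enforced or (l.scope == "ou" and l.depth >= blocked_ou_depth)]
    # Normal links: later (closer to the target) overrides earlier.
    # Enforced links: applied afterwards in reverse order, so the highest
    # enforced link in the hierarchy has the final say.
    normal = [l for l in ordered if not l.enforced]
    enforced = [l for l in ordered if l.enforced]
    effective, winner = {}, {}
    for link in normal + list(reversed(enforced)):
        for key, value in link.settings.items():
            effective[key] = value
            winner[key] = link.name
    return effective, winner


# Constructed hierarchy: site -> domain (two links) -> OU Workstations -> OU Finance
SAMPLE_LINKS = [
    GpoLink("Default Domain Policy", "domain",
            {"LmCompatibilityLevel": 3, "ScreenSaverTimeout": 900}),
    GpoLink("Security Baseline", "domain",
            {"LmCompatibilityLevel": 5}, enforced=True),
    GpoLink("Head Office Site", "site",
            {"ScreenSaverTimeout": 1200, "PreventRunDialog": True}),
    GpoLink("Workstations", "ou",
            {"ScreenSaverTimeout": 600, "LmCompatibilityLevel": 1}, depth=1),
    GpoLink("Finance", "ou", {"RemovableStorageDeny": True}, depth=2),
]

if __name__ == "__main__":
    effective, winner = resultant_set(SAMPLE_LINKS)
    for key in sorted(effective):
        print(f"{key} = {effective[key]!r}  (from {winner[key]})")
```

In the sample the Workstations OU tries to lower LmCompatibilityLevel to 1, but the enforced domain-level baseline still wins, which is exactly the kind of interaction slide 24 says the GPMC’s RSoP reporting is there to reveal.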

  25. Extending User/Group Permissions beyond a domain • Possible for user permissions to be safely applied beyond the local domain • so users on one network can gain access to files on another network • authentication controlled between servers on the local and trusted domains • Normally achieved through “adding” groups from a trusted domain • NOT the same as “remote logon” • needs special username/password authorisation…

  26. Managing Users & Their Profiles • Once they get the hang of it, users save all sorts of rubbish to their user areas • may well include lots of downloaded web pages and images • Problem! • 5000 users • each user takes 1 GB of space... • total disk space required is 5000 GB!

  27. Managing User Profiles • Back to the issue of “information pollution” discussed last week… • Windows 2000 Disk Quotas: • allowed administrators to track and control user NTFS disk usage • coupled with Group Policy and Active Directory technology • only problem: not easy to manage disk quotas • needed scripting, reporting and remote usage methods • Windows 2003 Disk Quotas: • better all round functionality and easier enterprise-wide disk quota manageability

  28. Third Party User Space for Administrators • Plenty of third party software available to manage user quotas • e.g. Quota Manager • One strategy: • set max disk space per user to 100 Mbytes • send warning message at 100 Mbytes • disable user’s home area at 105 Mbytes • Also - software to automatically delete stored web pages in user folders

  29. User Rights • Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software) • operating system can enforce this • Users SHOULD: • have access to basic software tools • NOT be denied on the grounds that the software could be misused… • c.f. no-one is allowed to drive a car because some drivers cause accidents!

  30. Controlling/Monitoring Group Policy across Domains • AD across a distributed enterprise… • “enterprise” administrators have the authority to implement and alter Group Policies anywhere • important to manage and restrict their number... • Enterprise admins need to inform domain admins: • what has changed • when it changed • the implications of the change for directory and network operations… • Otherwise… • a change to Group Policies affecting a domain might occur with disastrous consequences

  31. Network Threats, Vulnerabilities, and Attacks • Protection implemented should relate to the IMPACT if the threat became a reality • i.e. the value to the enterprise of the information or operation that would be compromised • Example: • most networks probably wouldn’t need or want to implement fingerprint and retinal scanning to control access to the average user’s workstation • might, however, want to implement smart cards to control access to critical domain controllers

  32. Threat • Someone or something that has the capability or potential to compromise the security of a directory, network, or information • Three factors involved: • Motive • Method • Opportunity • Some threats do not involve people and have no motive, e.g.: • fire • flood

  33. Threat (2) • ANY action by a user, condition, or process that has the potential to disclose, damage, or disrupt operations or information: • attempted unauthorized entry into your network • fire that breaks out in the building that houses the network servers • virus that attempts to corrupt or delete needed information are all examples of viable threats to the security of the directory and the network • people internal to the organization! • internal threats more threatening than external ones!!!

  34. Vulnerability • Any weakness in security that provides an opportunity for an attack and that, by its utilization, can allow an attack to succeed • Could be: • software • hardware • social or physical environment • Requires constant vigilance on many fronts • e.g.: if running Windows on servers, the latest service pack and patches needed • requires monitoring Microsoft Web site for updates

  35. Attack • Any action by a user or software process that, if successful, results in the disruption, disclosure, or damage to enterprise information, services, or operations • Shares the characteristics of motive, method, and opportunity: • assume the intent on the part of the attacker to deliberately be: • attempting to damage or steal information • disrupt operations • uses or exploits the directory to gain access to or deny service from the directory or network resource

  36. User-Based Attacks • The most common sources of attacks are those initiated by people: • anonymous users attempting external penetration of the enterprise network • an authenticated user working from inside the network • Can be either of: • physical attacks on the equipment supporting the directory or network • e.g. stealing/damaging equipment or the physical network itself • based on using the network or directory environment • anonymous users, authenticated users, or even administrators

  37. Threat: Anonymous Users • Usually attempts to use vulnerabilities in the network, service, or application software • e.g. via scanning tools • e.g. exploiting a well-known but not patched error condition • when a known vulnerability is patched, the software update usually provides a description of the weakness, providing all the information needed to hack • therefore critical to stay on top of released patches and security updates…

  38. Exploitation of LDAP • LDAP spec known to all (it is an RFC) • An anonymous user might be able to use LDAP to: • flood domain controllers with lookup queries • read domain information • identify user account security policies • find account names and SIDs • identify shares on domain computers

  39. Thwarting DoS attacks • SOME anonymous attacks can be mitigated by tightening security settings • Further action against anonymous DoS attacks: • monitoring domain controllers for unreasonably high levels of LDAP queries • renaming default file shares such as C$, D$, etc. and renaming the administrator account
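The monitoring step above (watching domain controllers for unreasonably high levels of LDAP queries) can be reduced to a per-client sliding-window count. This added Python example, not from the slides, runs that detection over a handful of constructed log lines: the line format `<timestamp> ldap-search client=<ip> base=<dn>` is invented for the example, as is the low threshold, and a real deployment would read the domain controller’s own diagnostic logging instead.

```python
"""Flag clients issuing unreasonably many LDAP queries within a sliding window.

Added example, not from the slides. The log format and the sample lines are
constructed; real domain controller diagnostics use different formats.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # queries per client per window; deliberately low for the sample

# Constructed sample: one client issues six searches in seven seconds.
SAMPLE_LOG = """\
2012-04-12T09:00:00 ldap-search client=10.0.0.5 base=DC=corp,DC=example
2012-04-12T09:00:01 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:00:02 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:00:03 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:00:04 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:00:05 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:00:06 ldap-search client=10.0.0.9 base=CN=Users,DC=corp,DC=example
2012-04-12T09:02:00 ldap-search client=10.0.0.5 base=DC=corp,DC=example
"""


def parse_line(line):
    """Split '<ts> <event> k=v k=v' into (datetime, event, {k: v})."""
    ts, event, rest = line.split(" ", 2)
    kv = dict(part.split("=", 1) for part in rest.split(" "))
    return datetime.fromisoformat(ts), event, kv


def detect_floods(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client: timestamp at which it first exceeded the threshold}."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event != "ldap-search":
            continue
        client = kv["client"]
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    for client, when in detect_floods(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()}: {client} exceeded {THRESHOLD} LDAP searches/minute")
```

Only the burst from 10.0.0.9 is reported; the two queries from 10.0.0.5 are two minutes apart, so the first has left the window by the time the second arrives.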

  40. Threat: Authenticated Users • Examples: • spoofed-account access (via hacking/cracking tools) • illicit use of a valid account (obtained through some social engineering scheme) • valid user who has decided to attack information, services, or operations for some personal or professional reason

  41. Headache for administrators: • Accounts have legitimate access to a range of resources and information • More difficult to detect the attacks • Can validly start processes that will have the effect of creating DoS conditions by consuming inordinate amounts of service resources • flood of LDAP queries or connections • filling disk space (for example, storing many extremely large objects in the directory)

  42. Threats: Administrators • Network Administrators themselves…. • potentially HUGE threats to the directory, network, & enterprise information accessible via the network…. • must always be a highly responsible/accountable job • Threat could be: • “spoofing” an administrator’s account • an account with invalidly elevated privileges • a trusted administrator who has for some reason decided to attack the directory or network…

  43. Administrators & associated personnel… • Not just administrators… • Accounts with some administrative rights can: • modify permissions on objects within their scope • enable accounts to be trusted for delegation • change passwords on other user accounts to be used for further (spoofing & repudiation) attacks • change security settings causing DoS conditions

  44. Security Precautions (1) • Monitoring, analysis, responsiveness to anomalies in authenticated users’ permissions allocated by default • a massive amount to monitor… • need to prioritise • and/or use SIEM tools • analysis will detect anomalies • quick response will minimise the damage…

  45. Security Precautions (2) • What to monitor… • members of sensitive security groups & determine sensitive account information (names, addresses, phone numbers, password, etc…) • How to analyse… • discover linkage of Group Policies • identify sites • identify the OSs of the domain controllers • discover and disclose much additional information stored in the directory • read most objects in the directory
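The first “what to monitor” item above, membership of sensitive security groups, is the most tractable one to automate: keep an approved baseline and diff each new export against it. This Python example, added here and not from the slides, does that diff and ranks the findings so that additions to forest-wide groups come first. The group list is the usual set of privileged AD groups; the account names and both snapshots are constructed.

```python
"""Diff sensitive group membership against an approved baseline.

Added example, not from the slides. Account names and snapshots are
constructed; in practice the snapshot would come from a directory export.
"""

# Privileged groups, most powerful first (forest-wide before domain-wide).
SENSITIVE_GROUPS = ("Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators")

# Approved membership (constructed)
BASELINE = {
    "Enterprise Admins": {"Administrator"},
    "Schema Admins": set(),
    "Domain Admins": {"Administrator", "svc_backup", "ops.lead"},
    "Administrators": {"Administrator", "Domain Admins"},
}

# Later export (constructed): one new domain admin, one removed, one new schema admin
SNAPSHOT = {
    "Enterprise Admins": {"Administrator"},
    "Schema Admins": {"j.smith"},
    "Domain Admins": {"Administrator", "ops.lead", "j.smith"},
    "Administrators": {"Administrator", "Domain Admins"},
}


def membership_changes(baseline, snapshot, groups=SENSITIVE_GROUPS):
    """Return {group: {"added": set, "removed": set}} for groups that differ."""
    changes = {}
    for group in groups:
        before = baseline.get(group, set())
        after = snapshot.get(group, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[group] = {"added": added, "removed": removed}
    return changes


def findings(changes, groups=SENSITIVE_GROUPS):
    """Flatten changes into (severity, group, account, action), most severe first.

    Severity follows the order of SENSITIVE_GROUPS; within a group, additions
    outrank removals because they widen access rather than narrow it.
    """
    rows = []
    for group, diff in changes.items():
        rank = groups.index(group) if group in groups else len(groups)
        for acct in sorted(diff["added"]):
            rows.append((rank * 2, group, acct, "added"))
        for acct in sorted(diff["removed"]):
            rows.append((rank * 2 + 1, group, acct, "removed"))
    return sorted(rows)


if __name__ == "__main__":
    for severity, group, account, action in findings(membership_changes(BASELINE, SNAPSHOT)):
        print(f"[{severity}] {account} {action} in {group}")
```

Removals are reported as well as additions: an unexplained removal of a service account from Domain Admins can be the first visible sign of the DoS-by-configuration scenario slide 43 describes.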

  46. Software-Based Attacks • The whole AD forest and domain directory structure are based on the schema • any software application that corrupts the schema could: • compromise the entire directory • make the enterprise network inoperative • Automated attacks via viruses or worms that might “accidentally” affect the schema could have a damaging or disruptive effect on AD

  47. Email attachments • HUGE risk • user education doesn’t seem to stop people from opening every attachment that shows up in their inboxes • Can users be trusted? If not • a whole messaging system can be configured to block, or at least scan, all attachments • additional measures can be adopted, such as: • turning off preview panes that automatically display messages • converting HTML mail to plain text • blocking email clients from accessing the Internet

  48. Environment-Based Attacks • Damage or destruction to the server hardware (via fire, flood, tornado, hurricane, lightning, etc) • could potentially render the AD environment inoperative (strict backup and restoration procedures are vital) • Consistent threat across platforms • disaster preparedness and recovery plans MUST include provisions for offsite data backups • make sure that the backups are actually taken offsite • consider a secondary physical site that is ready to go in case the worst happens
