Upload
luke-casey
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
Computers in organizations Computers are linked together for
communication and sharing of resources There is always a need to administer the
computing facilities easily and centrally such as Granting access to a computer Give permission to use a printer Read and write files to a certain folder
And to ensure the security of the system
Aims of Active Directory
Enable users to find network resources easily Central and easy administration of users and
resources in a domain Improve security by controlling access on
resources and restrictions placed on user and computer configuration
Active Directory: What is it? An implementation of LDAP directory
services by Microsoft for use primarily in Windows environments.
Provide central authentication and authorization services for Windows based computers.
Allow administrators to assign policies, deploy software, and apply critical updates to an entire organization.
What is it
Active Directory stores information and settings relating to an organization in a central, organized, accessible database.
Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects.
What is it It is a hierarchical framework of objects. The
objects fall into three broad categories: resources (e.g. computers), services (e.g. e-mail) and users (user accounts and groups).
The AD provides information on the objects, organizes the objects, controls access and sets security.
Necessary components
Domain controller(s) as central repository of the domain and provides access control
DNS server for locating resources Other computers: servers and workstations
added to domain by domain administrator
Protocols used
Kerberos for network authentication Lightweight Directory Access Protocol
(LDAP) to provide directory service (to get information about objects)
AD Structure
Domain based Hierarchical tree structure Network resources are objects Containers for grouping Objects have attributes, allow security to
build
Domain Each AD must has at least one Domain
Controller which is the central management of the system.
The other computers, computing resources including people (users) are joined to the AD by the administrator
The Domain Naming System as used in Internet is used to name the resources in the AD.
LDAP
The Lightweight Directory Access Protocol, or LDAP is used to add, modify and delete information stored in Active Directory as well as to query and retrieve data over TCP/IP.
LDAP is used as a source of information for authorization.
Directory Services
Telecommunication companies introduced the concept of directory services to information technology and computer networking, as their understanding of directory requirements was well-developed after some 70 years of producing and managing telephone directories.
Directory Services The X500, protocol for directory services was
created in the 1960s. X.500 directory services were traditionally
accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack.
The LDAP is a light weight alternative that uses the TCP/IP stack.
Application of Directory Service
Part of Network OS Stores and organizes information about a
computer network's users and network resources
Acts as a central/common authority that can securely authenticate the system resources that manage the directory data
Domain Name System
Domain Name/ IP Address resolution system, used chiefly in Internet
A distribution systems contains a no. of root domain servers and each domain has its own domain server
The domain name follows a certain structure, the namespace
AD and DNS
DNS domains are for finding resources. AD domains are for organizing resources. Work together in AD
Entry in AD dn: cn=John Doe,dc=example,dc=com cn: John Doe givenName: John sn: Doe telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1234 mail: [email protected] manager: cn=Barbara Doe,dc=example,dc=com objectClass:
inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top
Organizational Unit
Contains the following units for easy management Users Computers Groups Printers Applications Security Policies File shares
Group Policy
Group Policies are rules to define user or computer settings for an entire group of users or computers at one time.
The settings that you configure are stored in a Group Policy Object (GPO), which is then associated with Active Directory containers such as sites, domains, or organizational units.
Group Policy Many different aspects of the network,
desktop, and software configuration environments can be managed through Group Policies. registry settings for both users and
computers file system permissions, Internet Explorer settings, registry permissions, software distribution, etc.
Group Policy
Group Policies are analyzed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically.
It can also be applied to offline computers and roaming users
Group Policy Hundreds of settings can be defined Each setting has 3 possible states:
Not configured Disabled Enabled
Group Policy
Multiple group policies can be created and distributed.
User and computers accounts can have more than one policy applicable to them based upon the site, domain, or OU they are in, security groups, or any combination.
Property of Group Policy
Policy setting inherited by child containers A container can have multiple policies being
applied Which policy setting comes into effect
depends on it precedence of the policy
Group Policy Processing OrderLSDOU Local Computer Policy Site Domain OU Organization Unit (Sub-OU) The policy processed last will take
precedence (win)
Logon procedure in AD Client makes a RPC and passes its
configuration (domain membership, IP) to Netlogin service
Netlogin makes query to DNS server Query changed to a form of LDAP DNS Server returns a list of domain
controller to client Client sends request to domain controller
Authentication and Authorisation procedure
Authentication request to domain controller Domain controller verifies credential using the
Kerberos protocol AD gathers all group policy applied to the
user and computer and returns a list of SID to user’s computer
The LSA uses the SIDs to form an access token
Advantages of using Kerberos
Central authentication with service tickets for resources
No need to authenticate with the resources one by one
Saving of bandwidth Session key encrypted with timestamp, save
from eavesdropping and replay attack
Authentication Protocol
Windows NT: NT Lan Manager (NTLM) Aged protocol Relatively easy to crack
Windows 2000/2003: Kerberos
Content of Access Token
To show identity and privilege Name SID of user Groups SID of groups user belongs Logon SID (valid for a certain duration)
Content of Security Descriptor
SID of owner SID of group (seldom used in Windows) DACL
SID, Rights Deny on top
System ACL
Request for use of network resources
The user’s request is authenticated by comparing the Access Token to the Security Descriptor of an object
(The SID on the access token is compared with the ACL on the Security Descriptor)
Active Directory Security
Industry-standard secure protocols Kerberos (Authentication) LDAP over SSL (Authorization) X.509 (Cert-based Authentication) Smart cards Public Key Infrastructure (PKI)
Domain trusts Security groups and permissions
AD and Certificates
A Certificate Authority can be installed within the AD to provide additional security such as using L2TP for remote VPN services
Enrollment to certificate can be easily done through a web browser