COMP3122 Network Management. Richard Henson. March 2011


COMP3122 Network Management. Richard Henson, March 2011. Week 5 – Active Directory & Domain Security. Objectives: explain the essential features of a secure networked system; use W2K group policies to implement network-wide security.

Page 1: COMP3122 Network Management

COMP3122 Network Management

Richard Henson

March 2011

Page 2: COMP3122 Network Management

Week 5 – Active Directory & Domain Security

Objectives
  – Explain the essential features of a secure networked system
  – Use W2K group policies to implement network-wide security
  – Identify the weak links in a networked system and take steps to reduce/eliminate the possibility of unauthorised access

Page 3: COMP3122 Network Management

The Nature of Security within Networks

Data held on a single workstation in an open office is unlikely to be truly secure
  – operating system itself may be secure…
  – still possible for the hard disk to be removed and the data extracted in a different environment!!
Two protection issues to be addressed:
  – unauthorised system access
    » network configuration & monitoring
  – undesirable physical access
    » keeping people away… & locking it down…

Page 4: COMP3122 Network Management

Physical Security of the Network

What to do with sensitive data
  – hold in an encrypted form
  – on a computer in a secure room
    » only network administrators can gain access
    » no chance of an outsider physically getting hold of the hard disk containing the data
  – in the highly unlikely event that an outsider/rogue insider did get hold of the data, they wouldn’t be able to make sense of it
Data should also be backed up in another location in case of fire, earthquakes, etc

Page 5: COMP3122 Network Management

Physical Security of copied data

Typically on CD or memory stick
  – could also be removable hard disk
Simple way to keep copied data secure:
  – password protection not enough…
  – use strong encryption over all files
    » previous, deleted data might still be accessible

Page 6: COMP3122 Network Management

Accessing Data on a Secure Computer

Users should only be able to access organisational data via network from the server
Even then, potential physical & system vulnerabilities:
  – physical security of data as it travels along a cable
  – unauthorised access to downloaded data
    » at rest on the client machine
    » whilst being accessed by an authorised user

Page 7: COMP3122 Network Management

Vodafone (and how not to do network security…)

Yesterday morning, 100,000 people couldn’t use the Vodafone network
  – thieves broke into the operator's Basingstoke exchange and stole their switches (i.e. routers)
  – the police were quickly notified
Vodafone noticed its own network collapsing
  – assembled its "War Room" which is supposed to deal with network outages
It took 12 hours to fix the problem
  – why was such critical kit so vulnerable?

Page 8: COMP3122 Network Management

User Responsibility

Rule of the network:
  – all users MUST bear responsibility for data they access
  – should enter a signed agreement when they get their log on
To support this, network software should make sure that:
  – users have appropriate access through allocation to groups
  – user activities can be monitored and logged
  – sufficient auditing is undertaken to scrutinise the activity of individual users…

Page 9: COMP3122 Network Management

Accessing Data on a Secure Computer

Typical user errors:
  – giving other employees/outsiders their password
  – using an easily guessed password
Typical administrator errors:
  – leaving username on display after log off
  – not enforcing long (8 character min, inc caps/lower, number, punct. mark) passwords
  – not ensuring that the downloaded data is physically no longer available once that user has logged off

Page 10: COMP3122 Network Management

Accessing Data on a Secure Computer

Client machine MUST use an operating system that allows file/folder level security
Suitable secure desktop file systems:
  – UNIX file system
  – NTFS
Alternative is to use dumb terminals
  – no local storage
  – impossible to get at the electronic data from the client end

Page 11: COMP3122 Network Management

Accessing Data on a Secure Computer

BUT even with a secure file system, other users could still see the screen!
Even with no local storage:
  – the data will be displayed on a screen
  – with poor user technique:
    » data could even be left on the screen
    » the screen contents could be photographed by someone…
Answer:
  – use screen savers that cut in very quickly when a mouse button is not being clicked

Page 12: COMP3122 Network Management

Printing or Emailing Accessed Data

If someone has security rights to access the data, they will also be able to:
  – print it out
  – email it to someone else
Anyone with such rights must therefore be completely trustworthy…

Page 13: COMP3122 Network Management

How File Systems Manage Security (revision?)

Several different levels of permissions
Particular folder permissions allocated to groups of users, starting from the root e.g.
  – managers may have read, execute, and write
  – students may have read and execute only
Files inherit the permissions of the folder that contains them
Subfolders inherit the characteristics of the parent folder
Inheritance can be overridden

Page 14: COMP3122 Network Management

Security Policy

Responsibilities of network users and administrators need to be clearly defined as a matter of organisational policy
  – objective: ensure that AT ALL TIMES company data is only being accessed by an authorised user

Page 15: COMP3122 Network Management

Security Policies

Define expectations for:
  – proper computer usage
  – procedures for preventing and responding to security incidents
Can be imposed in two ways:
  – Local system policy
    » security policy file held on individual computers
  – Group policy
    » uses Active Directory to impose policy across the domain
    » not possible for computers running NT
    » not possible if partitions are formatted using FAT or FAT-32

Page 16: COMP3122 Network Management

Enforcement of Policy on Windows networks

Local system policy
  – security policy file held on individual computers
Group policy
  – uses Active Directory to impose policy across the domain
  – not possible for pre-Windows 2000 operating systems
  – not possible if partitions are formatted using FAT or FAT-32

Page 17: COMP3122 Network Management

Security Template Files

“one I prepared earlier…”
  – quicker to customise to needs than start over…
Implementation of security policy on
  – Individuals & groups on Windows networks
  – 600+ settings in Windows 2000, now many more…
Stored as a text file (.inf)
  – predefined templates are “ready to use” e.g.:
    » basic (default)
    » compatible (all applications still run)
    » secure
    » high (testing high security applications only)

Page 18: COMP3122 Network Management

Using Security Templates

SAM (security accounts manager) crucial to setting up user security:
  – controls security during logon process
During logon, security templates imported into the relevant SAM of:
  – each individual computer (system policy)
  – the domain controller of a Windows domain (group policy)

Page 19: COMP3122 Network Management

Analysing/Changing Local Security

Templates & SAM combine:
  – default security configuration of the local computer compared with a configuration imported from a template
  – configuration then changed to become like the template
Changes to template settings achieved by
  – GUI: security configuration “snap in”
Or:
  – command line tool (secedit.exe)

Page 20: COMP3122 Network Management

Implementing Policy

Group Policy settings are really powerful
  – only administrators have access to manage these on a system or domain
As with computer policy…
  – usually more convenient to edit an existing policy template than create a new one from scratch

Page 21: COMP3122 Network Management

Auditing Access to System/Network Resources

Auditing - the process of tracking predefined events
Many events can be tracked on a computer and computer network…
  – a record of each event is written to an “event file”
Contents of a Windows network Audit record:
  – Action
  – User
  – Success or failure
  – Additional info
    » e.g. computer ID where event occurred/failed

Page 22: COMP3122 Network Management

Access to Audit Entries

All recent Windows systems are capable of recording a wide range of events
  – saved in Security Event Log
  – as a structured text file
Contents easily viewed
  – service called Event Viewer
  – available from menus

Page 23: COMP3122 Network Management

The Importance of Audit

Essential in the case of:
  – network failure
  – server failure
  – breach of security
Extremely useful for troubleshooting:
  – what failed
  – what went wrong
  – finding whose username was used to hack into the system

Page 24: COMP3122 Network Management

What to Audit

Audit files can grow very large, very quickly,
  – only essential information should be stored
Examples:
  – Account logon
  – Account Management
  – Active Directory object access
  – Logon
  – Object access
  – Policy Change
  – Privilege Use
  – Process Tracking

Page 25: COMP3122 Network Management

Audit Policy

Part of Information Security Policy
  – Again, implemented through Group Policy
Planning:
  – which computers need events auditing?
  – which events to audit?
  – whether to audit success or failure (or both!)
  – whether to track trends of system usage?
  – when to schedule review of security logs?
Set up:
  – security template for Group Policy
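The comparison described on the "Analysing/Changing Local Security" slide (a machine's settings checked against a template), shown as an added example that is not part of the original slides: it parses a security template in the .inf layout and reports every setting that misses a baseline. The baseline values, the sample template and all function names are constructed for illustration; the 8-character minimum follows the administrator-errors slide and the audit categories follow "What to Audit".

```python
import configparser

# Numeric values used in a template's [Event Audit] section.
AUDIT_NAMES = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}

# Hypothetical baseline for this example: (section, setting) -> (rule, wanted).
BASELINE = {
    ("System Access", "MinimumPasswordLength"): ("min", 8),
    ("System Access", "PasswordComplexity"): ("min", 1),
    ("System Access", "LockoutBadCount"): ("lockout", 5),
    ("Event Audit", "AuditLogonEvents"): ("audit", 3),
    ("Event Audit", "AuditAccountLogon"): ("audit", 3),
    ("Event Audit", "AuditAccountManage"): ("audit", 3),
    ("Event Audit", "AuditPolicyChange"): ("audit", 3),
    ("Event Audit", "AuditObjectAccess"): ("audit", 2),
}

# Constructed sample in the layout of a security template (.inf).
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 2
AuditAccountLogon = 3
AuditPolicyChange = 1
AuditObjectAccess = 0
"""

def load_template(text):
    """Parse template text, keeping setting names case-sensitive."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser

def meets(rule, wanted, value):
    if rule == "min":      # value must be at least `wanted`
        return value >= wanted
    if rule == "lockout":  # 0 means "never lock out", so require 1..wanted
        return 1 <= value <= wanted
    if rule == "audit":    # every wanted bit (success=1, failure=2) must be set
        return (value & wanted) == wanted
    raise ValueError(f"unknown rule {rule!r}")

def describe(rule, value):
    return AUDIT_NAMES.get(value, str(value)) if rule == "audit" else str(value)

def analyse(text, baseline=BASELINE):
    """Return (setting, found, wanted) for each setting that misses the baseline."""
    template = load_template(text)
    findings = []
    for (section, key), (rule, wanted) in baseline.items():
        raw = template.get(section, key, fallback=None)
        if raw is None:  # setting absent from the template: "not configured"
            findings.append((key, "not configured", describe(rule, wanted)))
            continue
        try:
            value = int(raw.strip().strip('"'))
        except ValueError:
            findings.append((key, f"unreadable: {raw}", describe(rule, wanted)))
            continue
        if not meets(rule, wanted, value):
            findings.append((key, describe(rule, value), describe(rule, wanted)))
    return findings

if __name__ == "__main__":
    for key, found, wanted in analyse(SAMPLE_TEMPLATE):
        print(f"{key:24} found: {found:20} baseline: {wanted}")
```

A template exported by secedit.exe is usually saved as UTF-16, so read the file with that encoding before passing its text to `analyse`.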

Page 26: COMP3122 Network Management

Auditing Access to “file object” resources

  – failure for read operations
  – success and failure for delete
  – success and failure for:
    » change permissions
    » take ownership
  – success and failure of all operations attempted by “guests” group
  – file and folder access on shares

Page 27: COMP3122 Network Management

Auditing Access to Windows “print object” resources

Reminder from COMP2122:
  – Windows “printer” = printing management system
  – Print device = physical printer
Auditing specified printers:
  – failure events for print operations on restricted printers
  – success and failure for full control operations
  – success events for delete so incomplete print jobs can be tracked
  – success and failure for change permissions and take control on restricted printers

Page 28: COMP3122 Network Management

Implementing an Audit Policy on a System

Typical Policy Settings:
  – Password policy
  – Account Lockout policy
  – Audit policy
  – IP Security policy
  – user rights assignment
  – recovery agents for encrypted data

Page 29: COMP3122 Network Management

Local/Domain Security Policy

Local:
  – available for all Windows 2000/XP/Vista/7 computers that are not domain controllers
Domain:
  – local security settings still apply when logged on locally
    » but may well be overridden by policies received from the domain controller, when logging on to the domain

Page 30: COMP3122 Network Management

Policy Files & Tools for editing them

Management of Policy:
  – MMC (Microsoft Management Console)
  – available via command line (type mmc) to create “console” files for system admin
  – user mode:
    » access existing MMC consoles to administer a system
  – author mode:
    » creation of new consoles or modifying existing MMC consoles

Page 31: COMP3122 Network Management

The “Security Configuration and Analysis” options & “Local Policy” MMC snap ins

“Analyse computer now”
  – full run down of the current settings (i.e. settings for the local machine)
  – way of checking the “local policy”
“Select local policies”
  – lists of settings in categories
  – e.g. security settings
    » large number of settings
    » control security aspects of local policy
    » each setting can be set to either enabled, disabled, or not configured

Page 32: COMP3122 Network Management

“Megatool” GPMC (Group Policy Management Console)

One of 2003’s best features…
  – “contains a rich variety of tools for creating, editing, observing, modelling and reporting on all aspects of Group Policy”
  – Also unifies Group Policy management across the Active Directory forest

Page 33: COMP3122 Network Management

GPMC Integration of User Management Tools

Administrators of earlier Windows networks needed multiple tools to do this:
  – Microsoft Active Directory Users and Computers
  – Delegation Wizard
  – ACL Editor
The story goes that 'Barking Eddie' spent two weeks documenting all the Group Policies for one company
  – when told about GPMC, he was crestfallen and said he could have done that same job in half an hour…

Page 34: COMP3122 Network Management

GPMC User Interface

Easy creation and editing of Group Policy
WMI filtering mechanism allows application of policies:
    » to a particular machine
    » only if there is enough disk space
Options to backup, restore, import, and copy Group Policy Objects
Simplified management of Group Policy-related security
Reporting for GPO settings and Resultant Set of Policy (RSoP) data

Page 35: COMP3122 Network Management

Using GPMC

Available from MMC
  – Standalone Snap-in dialog box
Creating a custom console including GPMC:
  – select Group Policy Management option and click Add, click Close, OK
Several sample scripts available
  – found in the %ProgramFiles%\GPMC\Scripts folder
    » use cscript.exe to execute
  – ScriptingReadMe.rtf file in the scripts folder

Page 36: COMP3122 Network Management

Rolling out a Group Policy

Plan the Managed Network Environment:
  – consider various Common Desktop Management Scenarios
  – try them out using Group Policy Management Console
Design a Group Policy Infrastructure
Deploy Group Policy including Security Policy
Troubleshoot…