COMP2221 Networks in Organisations, Richard Henson, April 2014


Page 1: COMP2221 Networks in Organisations Richard Henson April 2014

COMP2221

Networks in Organisations

Richard Henson

April 2014

Page 2:

Week 7: A Closer Look at Active Directory

Objectives
– Explain client-server network logon
– Explain security features associated with Active Directory
– Apply secure file system principles and Active Directory to controlling access for groups of network users
– Apply Active Directory group policies across one or more domains using Active Directory

Page 3:

Logon on Local/Remote

Computers boot up locally
– includes OSI 7-layer connectivity software
– Logon happens at layer 5
  » session layer
  » allocated a session ID
– Remote logon also at layer 5
  » software called the redirector seeks resources from the network
  » can also look at the Active Directory database to find resources…

Page 4:

The Redirector (OSI Level 5)

Client-server service

Provides file and print connectivity between computers
– one end must be the "server"
– provides the service…

[Diagram: a client (which may be logged on) whose redirector requests the service, and a server that provides the service]

Page 5:

Redirector ("Workstation", i.e. client end)

Implemented as a "file system driver"
– Invoked "if":
  » local file system cannot find the file or service
– "then"…
  » sends request to Active Directory
  » locates the data object via the next OSI layer (4): Transport Driver Interface (TDI)

TDI communicates directly with protocols
  » independent of OSI layers 2-4 networking components

Page 6:

Redirector (Workstation Service)

Adherence to OSI layers…
– Can independently add or remove:
  » transport protocols (layers 3 & 4)
  » network cards (layers 1 & 2)
  without reconfiguring the whole system

Completely transparent in redirection of I/O calls not serviced locally
– esp. important when applications are being used

Page 7:

Server Service

Server end of redirector:
– implemented as a file system driver
– communicates with lower layers via TDI

Supplies the network connections requested by the client redirector

Receives requests via adapter card drivers, transport protocol (e.g. TCP/IP), and TDI

Page 8:

Running Client-Server Applications

Client process & server process provide a mechanism for:
– pipes to link processes that need bi-directional communication
– mailslots to link processes only requiring one-directional communication
– running Winsock to manage the communication channel
– RPCs (Remote Procedure Calls) allowing distributed applications to call procedures anywhere on the network

Page 9:

File and Print Sharing

Shared resource access requires use of
– redirector
– server service…

Multiple UNC Provider allows connection to a resource on any computer that supports UNC (Universal Naming Convention) names
– Files: \\server\shared folder[\sub-folder]\filename
– Printers: \\server\shared printer

Multiple Provider Router supports multiple redirectors
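As an added example (not code from the slides, and not Windows' Multiple UNC Provider), a small Python parser for the two UNC forms shown above, with a client-side allow-list check of the target server. The server names, share names and the allow-list are constructed for the example:

```python
"""UNC name parsing and an allow-list check. Added example for this transcript;
not code from the slides or from Windows' Multiple UNC Provider."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class UncName:
    server: str                                    # computer offering the share
    share: str                                     # shared folder or shared printer name
    path: List[str] = field(default_factory=list)  # optional sub-folders and filename


def parse_unc(name: str) -> UncName:
    """Parse \\\\server\\share[\\sub-folder...][\\filename] into its components.
    Raises ValueError for anything that is not a well-formed UNC name."""
    if not name.startswith("\\\\"):
        raise ValueError(f"not a UNC name: {name!r}")
    parts = name[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC name needs \\\\server\\share: {name!r}")
    server, share, *rest = parts
    rest = [p for p in rest if p]          # tolerate a trailing backslash
    if any(p in (".", "..") for p in rest):
        # a share-relative path must not climb out of the share
        raise ValueError(f"relative components not allowed: {name!r}")
    return UncName(server=server, share=share, path=rest)


def is_unc(name: str) -> bool:
    """True when parse_unc accepts the name."""
    try:
        parse_unc(name)
        return True
    except ValueError:
        return False


def is_allowed_server(unc: UncName, allowed_servers: Set[str]) -> bool:
    """Client-side policy (constructed for this example): only connect to servers
    on an allow-list. Names are compared case-insensitively, as Windows does."""
    return unc.server.lower() in {s.lower() for s in allowed_servers}


if __name__ == "__main__":
    # Constructed sample names, matching the file and printer forms on the slide
    for sample in [r"\\fs01\Documents\reports\q1.docx", r"\\print01\LaserJet", r"C:\temp"]:
        if is_unc(sample):
            unc = parse_unc(sample)
            print(sample, "->", unc, "allowed:", is_allowed_server(unc, {"FS01", "print01"}))
        else:
            print(sample, "-> not a UNC name")
```

The allow-list check is the kind of control a redirector policy would apply before the Multiple UNC Provider is asked to resolve a name; rejecting `.` and `..` components keeps a share-relative path inside the share it names.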

Page 10:

Network Binding

Binding is about linking network components working at different OSI levels together to enable communication

Windows binding is about linking the redirector & server service with the transport protocol and (via NDIS) adapter card drivers
– happens automatically when:
  » there is a change of protocol, or protocol settings
  » different network adapter drivers are installed
  » existing adapter card settings are altered

Page 11:

Terminal Services

Allows any PC running a version of Windows to remotely run a Windows server
– uses a copy of the server's desktop on the client machine

Client tools must be installed first, but the link can run with very little bandwidth
– possible to remotely manage a server thousands of miles away using a phone connection…

Page 12:

The www Service

Provided by Microsoft's Web Server (IIS)
– links to TCP port 80
– can also provide:
  » ftp service (port 21)
  » smtp service (port 25)

Purpose of www service:
– Works with the HTTP protocol to make HTML pages available:
  » across the network as an Intranet
  » across trusted external users/domains as an Extranet

Page 13:

Features of IIS

Provides server-end program execution environment:
– runs server scripts

Sets up its own directory structure on the server for developing Intranets, Extranets, etc.

Sets up communication via TCP port 80 in response to client request

Client end:
– browser HTML display environment on client

Page 14:

"Static" Web Page Service

client (browser) requests information (HTML page)

server (IIS, web server) processes the request, sends HTML page back to the client…

[Diagram: CLIENT (Client Program: Send Request, Read Results) sends REQUEST to SERVER (Server Program: Process Request, Send Back Results), which returns RESPONSE]

Page 15:

More Features of IIS

Access to any client-server service can be restricted using username/password security at the server end
– or could bypass security with "anonymous login"
  » uses a "guest" account – access granted only to files that make up the Intranet
  » prevents worries about hacking in through guessing passwords of existing users

Page 16:

Client-Server Web Applications

Associated with "dynamic" web pages

Web servers provide a server-side environment that can allow browser data to query remote online databases using SQL…
– processing takes place at the server end…
  » usually .aspx or .php
– centralised and secure!

Page 17:

Some Recent Challenges to Client-Server Applications

apps (especially phone apps…) using local processing, even storage (!)
– open to wireless retrieval?
– again… issue of availability v security

Server with logically attached database can be wide open to attack by SQL injection…

Page 18:

Troubleshooting Local Resources: Task Manager

– Applications tab just gives the name and status of each application that is loaded into memory
– Processes tab:
  » all system processes
  » Memory usage of each
  » % CPU time for each
  » Total CPU time since boot up
– Performance tab
  » Total no. of threads, processes, handles running
  » % CPU usage (kernel mode / user mode)
  » Physical memory available/usage
  » Virtual memory available/usage

Page 19:

Troubleshooting Local Resources: Event Viewer

– System events recorded into "event log" files
  » Three by default: system, auditing, application
  » customisable
– Three types of events:
  » Information
  » Warning
  » Error
– More information for each event obtained by double-clicking
– Event management also required…
  » E.g. new files daily, old ones archived? dumped? when?
  » how often to check event files?
  » Important to detect security issues and potential failures

Page 20:

Troubleshooting Local Resources: System Monitor (perfmon.msc)

– monitor many aspects of system performance
– e.g. capture, filter, or analyse frames or packets sent over the network, or capture data from hardware devices
  » either display current data graphically, in real time
  » or log data at regular intervals to get a longer-term picture
– Alerts
  » notify when a particular threshold value has been reached

System Recovery…
– If a fatal error occurs:
  » immediate dump of system memory is made; can be used for identifying the cause of the problem
  » alerts are sent to users
  » system is restarted automatically

Page 21:

The Active Directory "store": Global Catalog

– stored as file NTDS.DIT when the first domain controller is created
– distributed across all domain controllers
  » covers all "objects" on domain controllers, e.g. shared resources such as servers, files, printers; network user and computer accounts
– directory changes automatically replicated to all domain controllers

Page 22:

Group Policies and Network Access

Active Directory controls access to all network resources

Achieved through giving the right users the right group policies

How can the network administrator know what policies to allocate to which user(s)…
– groups must have appropriate settings

Page 23:

Managing Group Policy

Group Policy Management Console (Windows 2003 onwards…)

Applies principles of MMC (Microsoft Management Console) to managing group profiles
– particularly useful for testing/viewing the resultant profile of interaction between several group profiles in a particular order

Page 24:

Security Features of Active Directory (1)

SSL (secure OSI level 5) for e-commerce…
– Internet Information Server (IIS) supports websites accessible only via https/SSL

LDAP over SSL
– LDAP important for internet lookup
– used with Secure Sockets Layer (SSL) for checking server credentials for extranet and e-commerce applications

Page 25:

Security Features of Active Directory (2)

Transitive Domain Trust
– default trust between contiguous Windows domains in a domain tree
– greatly reduces management overhead

Page 26:

Security Features of Active Directory (3)

Kerberos Authentication
– authentication of users on remote domains not part of the same DNS zone

Smart Card Support
– logon via smart card for strong authentication to sensitive resources

Page 27:

Protecting Local Passwords

More sophisticated challenge-response encryption (NTLMv2) was available to all systems from Windows 2000 on…
– until Vista arrived this was turned off by default
  » for "compatibility reasons"
– unless NTLMv2 is enabled, passwords on XP systems are easy to "hack" with the right tools (!)

Any client network user should make sure this password protection feature is turned on…
– can be added for domain users through group policy

Page 28:

Active Directory and "controlling" Users

"Groups" already well established for managing network users

Active Directory centrally organised resources including all computers
– allowed groups to become more powerful for user management
– exploited by enabling the organisation of users and groups of users into:
  » organisational units
  » sites
  » domains

Page 29:

Managing Domain Users with Active Directory

Same user information stored on all domain controllers

Users can be administered at, or by secure access to administrator on, any domain controller for that domain
– flexibility but potential danger!

Page 30:

Making Sure Users Don't Get the Administrator Password!

File security assumes that only the network manager can log on as administrator
– but if a user can guess the password… (!)

Strategies:
– rename the administrator account to something more obscure
– only give the administrator password to one other person
– change the administrator password regularly

Page 31:

How AD Provides Security

Manages which "security principal(s)" have access to each specific resource
– i.e. users, computers, groups, or services (via service accounts)
  » each has a unique identifier (SID)

Validates the authentication process…
– for computers, at startup
– for users, at logon

Page 32:

More about the SID

The SID (Security ID) comprises:
– domain ID
  » common to all security principals within the domain
– unique relative identifier (RID)

Page 33:

Access Tokens

Generated when a user logs on to the network

Contains:
– user's SID
– SIDs for each group of which the user is a member
– assigned user rights or privileges as a result of processing the IDs in the specified order

Page 34:

ACE (Access Control Entries)

Each object or resource has an access control list (ACL), e.g.
– objects and their properties
– shared folders and printer shares
– folders and files within the NTFS file system

ACEs contained within ACL
– protects resource against unauthorised users

Page 35:

More on ACLs

Two distinct ACLs for each object or resource:
– discretionary access control list (DACL)
  » list of the SIDs that are either granted or denied access and the degree of access that is allowed
– system access control list (SACL)
  » list of all the SIDs whose access to or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed

Page 36:

Mechanism of AD Security

Users are usually assigned to several groups

When a user attempts to access a directory object or network resource…
– the security subsystem…
  » looks at the SID for the user and the SIDs of the security groups of which the user is a member
  » checks to see whether it/they match the security descriptors assigned to the resource

If there is a match…
– user is granted the degree of access to the resource that is specified in the ACL
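The SID, access token, DACL and SACL material on this slide and the preceding ones, worked through as an added Python model. This is not the slides' own code and not the Windows security subsystem; the access-mask bits, SID values and group names are constructed for the example. It shows the one point the slides leave implicit: the DACL is walked in order, so a deny entry only protects a resource if it is met before an allow entry has already satisfied the request.

```python
"""Model of the access check described on the slides: SIDs, an access token
holding the user's SID plus group SIDs, a DACL of allow/deny ACEs and a SACL of
audit ACEs. Added example; not code from the slides or the Windows security
subsystem. All SID values and access-mask bits below are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

# Constructed access-mask bits for this example (not the real Windows constants)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Sid:
    domain: str   # domain identifier, shared by every principal in the domain
    rid: int      # relative identifier, unique within the domain

    @classmethod
    def parse(cls, text: str) -> "Sid":
        # "S-1-5-21-<sub>-<sub>-<sub>-<RID>": the last component is the RID
        head, _, rid = text.rpartition("-")
        if not head.startswith("S-1-") or not rid.isdigit():
            raise ValueError(f"not a SID string: {text!r}")
        return cls(head, int(rid))


@dataclass
class AccessToken:
    user: Sid
    groups: Set[Sid]

    def sids(self) -> Set[Sid]:
        return {self.user} | self.groups


@dataclass
class Ace:
    sid: Sid
    mask: int
    kind: str                                # "allow" / "deny" in a DACL, "audit" in a SACL
    flags: FrozenSet[str] = frozenset()      # for audit ACEs: {"success", "failure"}


@dataclass
class SecurityDescriptor:
    dacl: List[Ace] = field(default_factory=list)
    sacl: List[Ace] = field(default_factory=list)


def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the DACL in order: a deny ACE covering any still-wanted bit fails the
    check at once; an allow ACE removes its bits from what is wanted; the check
    succeeds once nothing is wanted. An empty DACL therefore grants nothing, and
    order matters, which is why canonical DACLs list explicit denies first."""
    principals = token.sids()
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def audit_records(token: AccessToken, sd: SecurityDescriptor, desired: int, granted: bool) -> List[str]:
    """SACL evaluation: one audit record per matching audit ACE whose flags cover
    the outcome. These are the entries that would reach the security event log."""
    outcome = "success" if granted else "failure"
    return [
        f"{outcome}: {token.user.domain}-{token.user.rid} requested 0x{desired:x}"
        for ace in sd.sacl
        if ace.kind == "audit" and ace.sid in token.sids()
        and ace.mask & desired and outcome in ace.flags
    ]


def demo_descriptor():
    """Constructed example: one domain with a Finance group and a Contractors group."""
    domain = "S-1-5-21-1111-2222-3333"
    finance, contractors = Sid(domain, 1200), Sid(domain, 1300)
    sd = SecurityDescriptor(
        dacl=[
            Ace(contractors, WRITE, "deny"),          # denies first (canonical order)
            Ace(finance, READ | WRITE, "allow"),
        ],
        sacl=[Ace(finance, WRITE, "audit", frozenset({"failure"}))],
    )
    return sd, finance, contractors


if __name__ == "__main__":
    sd, finance, contractors = demo_descriptor()
    alice = AccessToken(Sid.parse("S-1-5-21-1111-2222-3333-1105"), {finance, contractors})
    ok = access_check(alice, sd, WRITE)
    print("alice WRITE:", ok, audit_records(alice, sd, WRITE, ok))
```

A user who is in both Finance and Contractors is refused WRITE because the deny entry is met first, yet still gets READ, since the deny mask does not cover that bit; the failed write produces an audit record because the SACL asks for failure auditing on writes by Finance members.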

Page 37:

Power of Group IDs in Policy-based Security

Group Policy…
– allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources
– allows security & usage policies to be established separately for:
  » computer accounts
  » user accounts
– can be applied at multiple levels:
  » users or computers residing in a specific OU
  » computers or users in a specific AD site
  » an entire AD domain

Page 38:

Active Directory and Group Policy

Power of Group Policy:
– allows network administrators to define and control the policies governing:
  » groups of computers
  » groups of users
– administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory domain tree

Page 39:

Monitoring Group Policy

Policies, like permissions, are ADDITIVE
– watch simulation… (AGAIN!)

Windows 2000 policies
– need to assess which specific cumulative set of policies was controlling the environment for a specific user or computer

Windows 2003 GPMC
– tracking and reporting the Resultant Set of Policy (RSoP):
  » net effect of each of the overlapping policies on a specific user or computer within the domain
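An added Python example of computing a Resultant Set of Policy over overlapping GPOs (not the slides' simulation and not Microsoft's GPMC code). GPO names, link levels and settings are constructed; the "enforced" flag modelled here is the GPMC link option of that name, included to show why an OU-level GPO cannot always weaken a domain-level setting:

```python
"""Resultant Set of Policy (RSoP) computation. Added example; not the slides'
simulation nor Microsoft's GPMC code. GPO names and settings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Group Policy application order: local, then site, then domain, then OU (LSDOU).
# Within one level, links are applied in their link order.
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class Gpo:
    name: str
    level: str                           # one of LEVEL_ORDER's keys
    settings: Dict[str, object]          # setting name -> configured value
    enforced: bool = False               # GPMC "Enforced": lower links cannot override it


def resultant_set_of_policy(gpos: List[Gpo]) -> Dict[str, Tuple[object, str]]:
    """Return {setting: (value, winning GPO name)}.
    Settings accumulate across all GPOs (policies are additive); where several GPOs
    configure the same setting the later, more specific link wins, unless a GPO is
    enforced, in which case it beats everything linked below it and, among enforced
    GPOs, the one linked highest wins."""
    ordered = sorted(gpos, key=lambda g: LEVEL_ORDER[g.level])   # stable: keeps link order within a level
    rsop: Dict[str, Tuple[object, str]] = {}
    for gpo in (g for g in ordered if not g.enforced):
        for key, value in gpo.settings.items():
            rsop[key] = (value, gpo.name)                         # later link overrides
    for gpo in reversed([g for g in ordered if g.enforced]):      # enforced last; highest level last of all
        for key, value in gpo.settings.items():
            rsop[key] = (value, gpo.name)
    return rsop


def overlapping_settings(gpos: List[Gpo]) -> Dict[str, List[str]]:
    """Settings configured by more than one GPO: the places where an administrator
    must check the resultant value rather than assume it."""
    seen: Dict[str, List[str]] = {}
    for gpo in gpos:
        for key in gpo.settings:
            seen.setdefault(key, []).append(gpo.name)
    return {k: names for k, names in seen.items() if len(names) > 1}


def sample_gpos(baseline_enforced: bool = True) -> List[Gpo]:
    """Constructed GPOs applying to a user in the Sales OU of one domain."""
    return [
        Gpo("Default Site Policy", "site", {"MinPasswordLength": 8}),
        Gpo("Default Domain Policy", "domain", {"MinPasswordLength": 12, "LockoutThreshold": 5}),
        Gpo("Corp Baseline", "domain", {"MinPasswordLength": 12}, enforced=baseline_enforced),
        Gpo("Sales Laptops", "ou", {"MinPasswordLength": 6, "DisableRemovableStorage": True}),
    ]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_set_of_policy(sample_gpos()).items()):
        print(f"{setting:25} = {value!s:6} (from {source})")
    print("overlaps:", overlapping_settings(sample_gpos()))
```

With the baseline enforced, the OU's 6-character minimum loses to the domain's 12; with the enforced flag cleared, the OU link wins and silently weakens the password policy, which is exactly the kind of cumulative effect RSoP reporting exists to surface.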

Page 40:

Extending User/Group Permissions beyond a Domain

Possible for user permissions to be safely applied beyond the local domain
– so users on one network can gain access to files on another network
– authentication controlled between servers on the local and trusted domains

Normally achieved through "adding" groups from a trusted domain

NOT the same as "remote logon"
– needs special username/password authorisation…

Page 41:

Enterprise Networks

Multiple Domains in a tree
– Transitive Domain Trust

Single enterprise administrator ("enterprise admin")
– greatly reduces management overhead
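An added Python example of deciding, from a set of domain trusts, where an account can be authenticated (not code from the slides or from Windows; the domain names and trusts are constructed). It goes a little beyond the slides: alongside the two-way transitive parent-child trusts of a domain tree it also models a one-way, non-transitive external trust, which does not chain:

```python
"""Trust-path evaluation across domains. Added example; not code from the slides
or from Windows. Domain names and trusts below are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Trust:
    trusting: str              # domain that accepts authentication from `trusted`
    trusted: str               # domain whose accounts may be granted access in `trusting`
    two_way: bool = True
    transitive: bool = True


def _edges(trusts: List[Trust], transitive_only: bool) -> Dict[str, Set[str]]:
    """Adjacency map: account domain -> domains whose resources it can reach in one hop."""
    edges: Dict[str, Set[str]] = {}
    for t in trusts:
        if transitive_only and not t.transitive:
            continue
        edges.setdefault(t.trusted, set()).add(t.trusting)
        if t.two_way:
            edges.setdefault(t.trusting, set()).add(t.trusted)
    return edges


def reachable_resource_domains(trusts: List[Trust], account_domain: str) -> Set[str]:
    """Domains in which an account from account_domain can be authenticated:
    everything reachable over transitive trusts, plus direct neighbours over
    non-transitive trusts (usable only as the single hop)."""
    transitive = _edges(trusts, transitive_only=True)
    reached: Set[str] = set()
    queue = deque([account_domain])
    while queue:
        current = queue.popleft()
        for nxt in transitive.get(current, ()):
            if nxt not in reached and nxt != account_domain:
                reached.add(nxt)
                queue.append(nxt)
    direct = _edges(trusts, transitive_only=False).get(account_domain, set())
    return (reached | direct) - {account_domain}


def can_authenticate(trusts: List[Trust], account_domain: str, resource_domain: str) -> bool:
    """True if an account from account_domain can be authenticated for resource_domain."""
    return account_domain == resource_domain or resource_domain in reachable_resource_domains(trusts, account_domain)


def sample_trusts() -> List[Trust]:
    """Constructed: a tree rooted at corp.example plus one external trust."""
    return [
        Trust("corp.example", "eu.corp.example"),            # parent-child: two-way, transitive
        Trust("corp.example", "us.corp.example"),
        Trust("eu.corp.example", "sales.eu.corp.example"),
        # external trust: corp.example trusts partner.example, one-way and non-transitive
        Trust("corp.example", "partner.example", two_way=False, transitive=False),
    ]


if __name__ == "__main__":
    trusts = sample_trusts()
    for domain in ["sales.eu.corp.example", "partner.example"]:
        print(domain, "can reach:", sorted(reachable_resource_domains(trusts, domain)))
```

Listing what each trusted domain can reach is a quick way to review trust sprawl: an external partner domain should reach only the domain that trusts it, while every domain in the tree reaches every other.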

Page 42:

Managing Users & Their Profiles

Once they get the hang of it, users save all sorts of rubbish to their user areas
– may well include lots of downloaded web pages and images

Problem!
– 5000 users
– each user takes 1 Gb of space...
– total disk space required is 5000 Gbytes!

Page 43:

Managing User Profiles

Windows 2003 Server "Disk Quotas":
– allows administrators to track and control user NTFS disk usage
  » coupled with Group Policy and Active Directory technology
  » easy to manage user space
  » even enterprise-wide…
– users find this irritating but it stops them keeping data they're never likely to use again…

Page 44:

User Rights

Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
– operating system can enforce this

Users SHOULD:
– have access to basic software tools
– NOT be denied on the grounds that the software could be misused…
  » c.f. no-one is allowed to drive a car because some drivers cause accidents!

Page 45:

Controlling/Monitoring Group Policy across Domains

AD across a distributed enterprise…
– "enterprise" administrators have the authority to implement and alter Group Policies anywhere
– important to manage and restrict their number...

Enterprise admins need to inform domain admins:
– what has changed
– when it changed
– the implications of the change for directory and network operations…

Otherwise…
– a change to Group Policies affecting a domain might occur with disastrous consequences

Page 47:

NFR Example: Possible Security Features

– Information labelling and handling
– Equipment siting and protection
– Supporting utilities
– Cabling security
– Maintenance
– Secure disposal or re-use
– Separation of development, test and operational facilities
– Controls against malicious code
– Controls against mobile code
– Information back-up
– Network controls
– Security of network services
– Electronic messaging
– On-line transactions
– Publicly available information
– Audit logging
– Auditing system use
– Protection of log information
– Clock synchronisation
– Privilege management
– Equipment identification in networks
– Remote diagnostic and configuration port protection
– Segregation in networks
– Network connection control
– Network routing control
– Secure log-on procedures
– User identification and authentication
– Password management system
– Use of system utilities
– Session time-out
– Limitation of connection time
– Information access restriction
– Sensitive system isolation
– Input data verification
– Control of internal processing, including Least Privilege
– Message integrity
– Output data verification
– Cryptographic controls
– Key management
– Technical vulnerability management (patches and updates)
– Collection of evidence

A checklist of areas to consider, abstracted from ISO/IEC 27001 / 27002 Control Sets [TSI/2012/183] © Copyright 2003-2012