TRANSCRIPT
Windows 2000: Concepts & Deployment
Larry Lieberman, NT Support Engineer, Premier Enterprise Support, Microsoft Corporation
Agenda
- Active Directory
- Microsoft DNS
- Distributed Security
- System Management
Active Directory
- Architecture
- Components
- Planning AD Design
AD Architecture
- X.500 derived data model
- Directory stored schema
- Windows 2000 Trusted Computing Base security model
- Delegated Administration Model
- DNS integration
AD Components (1/10)
- Objects
- Organizational Units (OUs)
- Domains
- Sites
- Trees & Forests
- Global Catalog
AD Components (2/10): Objects
- Object class: its attributes are defined in the schema; data storage is allocated as necessary
- Directory object: an object instance is created in the Directory
[Diagram: an object class defined in the schema is instantiated as a directory object]
AD Components (3/10): Object Access
- Access to directory objects is controlled via Access Control Lists (ACLs)
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes
[Diagram: a directory object with an ACL; an ACE such as "Sales Managers: read access" can apply to specific attributes]
AD Components (4/10): Organizing the Directory
- A hierarchy of objects can be created using Organizational Units (OUs)
- Although OUs are the primary containers used to create the hierarchy, all directory objects are potential containers
[Diagram: nested OUs; deep or flat structure?]
AD Components (5/10): OUs
- OU security provides the mechanism for controlling object visibility and delegating administration
- ACLs are inheritable down the OU hierarchy
[Diagram: nested OUs carrying ACLs such as Sales Managers: read access; UK User Admins: create users; Location1 Admins: reset passwords; UK Users: read Volume objects]
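The attribute-scoped ACEs and inheritable OU ACLs from the two slides above, as an added example that is not from the presentation: a small Python model in which the OU names, group names and right names are constructed, and the only semantics implemented are "an ACE may be limited to one attribute" and "inheritable ACEs flow down from ancestor containers".

```python
"""Toy model of Active Directory object access control: an ACL is a list of
ACEs, an ACE may be scoped to one attribute, and inheritable ACEs on an OU
flow down to the objects beneath it.  Added example, not code from the
presentation; the OU names, groups and right names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ACE:
    trustee: str                      # group (or user) this entry applies to
    right: str                        # constructed right names, e.g. "read"
    attribute: Optional[str] = None   # None = applies to the whole object
    inheritable: bool = True          # propagate to child objects


@dataclass
class DirObject:
    dn: str
    parent: Optional["DirObject"] = None
    acl: list = field(default_factory=list)

    def effective_acl(self):
        """Own ACEs plus the inheritable ACEs of every ancestor container."""
        entries = list(self.acl)
        node = self.parent
        while node is not None:
            entries.extend(a for a in node.acl if a.inheritable)
            node = node.parent
        return entries


def check_access(obj, principal_groups, right, attribute=None):
    """True if an effective ACE grants `right` to one of the principal's groups.
    An object-wide ACE covers every attribute; an attribute-scoped ACE covers
    only that attribute."""
    for ace in obj.effective_acl():
        if ace.trustee not in principal_groups or ace.right != right:
            continue
        if ace.attribute is None or ace.attribute == attribute:
            return True
    return False


def build_sample_directory():
    """Constructed hierarchy: OU=UK -> OU=Location1 -> CN=alice."""
    uk = DirObject("OU=UK,DC=corp,DC=example,DC=com", acl=[
        ACE("UK User Admins", "create-child"),      # delegated: create users
        ACE("UK Users", "read"),                    # read objects under UK
    ])
    loc1 = DirObject("OU=Location1," + uk.dn, parent=uk, acl=[
        ACE("Location1 Admins", "reset-password"),  # delegated: reset passwords
    ])
    alice = DirObject("CN=alice," + loc1.dn, parent=loc1, acl=[
        # attribute-level ACE set directly on the user object, not inherited
        ACE("Sales Managers", "read", attribute="telephoneNumber",
            inheritable=False),
    ])
    return {"uk": uk, "loc1": loc1, "alice": alice}


if __name__ == "__main__":
    d = build_sample_directory()
    print(check_access(d["alice"], {"Location1 Admins"}, "reset-password"))
    print(check_access(d["alice"], {"Sales Managers"}, "read", "homeDirectory"))
```

Inheritance only runs downward: the Location1 delegation reaches alice, but nothing set on Location1 applies to the UK container above it.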
AD Components (6/10): Domains
- One or more domain controllers
- Domain directory hosted on all DCs
- Multi-master replication
- One or more sites
[Diagram: directory partitions held by each DC: Domain, Configuration, Schema]
AD Components (7/10): Sites
- Controls Active Directory replication: inter-site replication is scheduled; intra-site replication is automatically configured
- A site is one or more subnets
- Site knowledge is used by the logon locator, the printer locator and pruner, Dfs and more
AD Components (8/10): Trees And Forests
- Configuration and schema common to all domains
- Transitive trusts link domains
AD Components (9/10): Boundaries
- Replication
- Administration
- Security Policy
- Group Policy
AD Components (10/10): Global Catalog
- Enterprise wide searches
- Resolves enterprise queries
- GC: partial replica of all domain objects, hosted on one or more DCs
Planning AD Design (1/6): Considerations
- Defining a logical hierarchy of resources
- Administrative architectures
- Allocation of physical resources and budget
- Current infrastructure and upgrade strategies
- Data availability requirements
- Network bandwidth
- Politics
Planning AD Design (2/6): One Or More Forests
- All domains in a forest share a common schema and global catalog
- Create multiple forests if:
  - Separate schemas are required
  - One or more domains are required to be isolated from the spanning tree of transitive trusts
  - Total administrative autonomy is required
Planning AD Design (3/6): Domain Structure
- Where possible use a single domain
  - Use OUs to delegate administration
  - Use sites to tune replication
- Use multiple domains when there is a requirement for:
  - Scalability across WANs
  - Autonomous administrative entities
  - Different security account policies (password, lockout and Kerberos ticket)
Planning AD Design (4/6): Multiple Domains (1/3)
- Containment of network traffic
  - Directory replication
  - Policies (FRS)
- In-place upgrades from Windows NT domains
- Autonomous divisions with separate names
  - No technical reasons, only politics
  - Names are not important
- Each domain has an incremental overhead
  - Increased administration
  - Increased hardware: separate DCs are required for each domain
- Try to avoid creating divisional or departmental domains for purely political reasons
  - Change is inevitable; they are easy to create and hard to retire
Planning AD Design (5/6): Multiple Domains (2/3)
- Separate the production forest from development and testing
  - Prevents unwanted schema changes propagating through the enterprise
- Create a separate forest to restrict access for business partners
Planning AD Design (6/6): Multiple Domains (3/3)
Microsoft DNS
- Windows 2000 DNS Requirements
- MS DNS Features
- DNS Design
DNS Requirements
- A DNS server that is authoritative for a Windows 2000 domain MUST support SRV records (RFC 2052)
- It also should support dynamic updates (RFC 2136)
- The NETLOGON service on the domain controller automatically registers all of the domain services and the site that it supports
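What "registers all of the domain services and the site" looks like from the DNS side, and how a client then uses those SRV records, as an added example that is not the presentation's code: the owner-name layout matches what Windows 2000 DCs publish, but the list is an illustrative subset, and the zone lines and host names are constructed.

```python
"""DC locator over DNS SRV records: the SRV owner names a Windows 2000 DC
registers through NETLOGON, and the client-side selection among them.
Added example, not the presentation's code; the record names follow the
standard Windows 2000 layout but this is an illustrative subset, and the zone
data below is constructed."""
import random


def dc_srv_names(domain, forest, site, is_gc=False):
    """Owner names of the SRV records a DC in `domain`/`site` registers."""
    names = [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
    ]
    if is_gc:   # a DC that is also a global catalog advertises under the forest
        names += [f"_gc._tcp.{forest}", f"_gc._tcp.{site}._sites.{forest}"]
    return names


def parse_srv(zone_lines):
    """Parse zone-file style lines: owner TTL IN SRV priority weight port target."""
    records = {}
    for line in zone_lines:
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue
        owner = parts[0].rstrip(".").lower()
        prio, weight, port = int(parts[4]), int(parts[5]), int(parts[6])
        records.setdefault(owner, []).append((prio, weight, port, parts[7].rstrip(".")))
    return records


def select_srv(candidates, rng):
    """Lowest priority first, then weighted random among equal priorities."""
    lowest = min(c[0] for c in candidates)
    pool = [c for c in candidates if c[0] == lowest]
    total = sum(c[1] for c in pool)
    if total == 0:
        return pool[0]
    pick, acc = rng.randrange(total), 0
    for c in pool:
        acc += c[1]
        if pick < acc:
            return c
    return pool[-1]


def locate_dc(records, domain, site, rng=None):
    """Prefer a DC in the client's own site; fall back to any DC in the domain."""
    rng = rng or random.Random(0)
    for name in (f"_ldap._tcp.{site}._sites.{domain}", f"_ldap._tcp.{domain}"):
        cands = records.get(name.lower())
        if cands:
            return select_srv(cands, rng)[3]
    return None


# Constructed zone data for corp.example.com
SAMPLE_ZONE = [
    "_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.",
    "_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.",
    "_ldap._tcp.Site2._sites.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.",
    "_ldap._tcp.corp.example.com. 600 IN SRV 10 0 389 dc-backup.corp.example.com.",
]

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    print(locate_dc(recs, "corp.example.com", "Site2"))
    print(locate_dc(recs, "corp.example.com", "Site3"))
```

A client in Site2 lands on the site-specific record; a client in a site with no DC falls back to the domain-wide record set, where the priority-10 entry is only used when every priority-0 DC is gone.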
MS DNS Features (1/12)
- Active Directory integration
- Dynamic Update
- Aging
- Administrative tools
- Caching resolver
MS DNS Features (2/12): Active Directory Integration
- AD-integrated DNS zone is multi-master
[Diagram: 1) a DNS server receives an update; 2) it writes to ADS; 3) ADS replicates; 4) the other DNS server reads from ADS. Both servers hold "primary" zones]

MS DNS Features (3/12): Active Directory integration

MS DNS Features (4/12): Active Directory integration
- AD-integrated DNS zone is multi-master
- High availability of write, as well as read
- Doesn't require a replication mechanism separate from AD replication
MS DNS Features (5/12): Active Directory integration
- ADS replication is loosely consistent
- Name-level collision: two hosts create the same name simultaneously (first writer wins)
- Attribute-level collision: two hosts modify the A RRset for microsoft.com simultaneously (last writer wins)
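The two collision rules on this slide, simulated between two replicas as an added example that is not the presentation's code: the conflict rules are exactly the slide's (first writer wins at the name level, last writer wins at the attribute level), the stamps are a simple logical clock standing in for AD's replication metadata, and the host names and addresses are constructed.

```python
"""Simulation of loosely consistent multi-master replication for an
AD-integrated zone: a name-level collision resolves to the first writer, an
attribute-level collision to the last writer.  Added example, not the
presentation's code; the conflict rules follow the slide, the stamps are a
simple logical clock, and the host names and addresses are constructed."""
import copy


class Replica:
    """One DC's copy of the zone.  Each object carries its creation stamp and
    per-attribute (stamp, value) pairs; a larger stamp means a later write."""

    def __init__(self, name):
        self.name = name
        self.objects = {}

    def create(self, dns_name, stamp):
        self.objects[dns_name] = {"created": stamp, "attrs": {}}

    def set_attr(self, dns_name, attr, value, stamp):
        self.objects[dns_name]["attrs"][attr] = (stamp, value)

    def merge_from(self, other):
        """Apply another replica's state to this one."""
        for dns_name, remote in other.objects.items():
            local = self.objects.get(dns_name)
            if local is None:
                self.objects[dns_name] = copy.deepcopy(remote)
            elif remote["created"] < local["created"]:
                # name-level collision: the other side created it first, so the
                # local object (and the attributes written under it) loses
                self.objects[dns_name] = copy.deepcopy(remote)
            elif remote["created"] > local["created"]:
                # we are the first writer; the remote creation is discarded
                continue
            else:
                # same object on both sides: attribute-level, last writer wins
                for attr, (stamp, value) in remote["attrs"].items():
                    current = local["attrs"].get(attr)
                    if current is None or stamp > current[0]:
                        local["attrs"][attr] = (stamp, value)


def converge(a, b):
    a.merge_from(b)
    b.merge_from(a)


def run_scenario():
    dc1, dc2 = Replica("dc1"), Replica("dc2")
    # Name-level collision: both DCs accept a registration for host1 at once
    dc1.create("host1.corp.example.com", stamp=1)
    dc1.set_attr("host1.corp.example.com", "A", ["10.0.0.5"], stamp=1)
    dc2.create("host1.corp.example.com", stamp=2)
    dc2.set_attr("host1.corp.example.com", "A", ["10.0.0.9"], stamp=2)
    converge(dc1, dc2)
    # Attribute-level collision: an existing record is modified on both DCs
    dc1.create("www.corp.example.com", stamp=3)
    dc1.set_attr("www.corp.example.com", "A", ["10.1.1.1"], stamp=3)
    converge(dc1, dc2)
    dc1.set_attr("www.corp.example.com", "A", ["10.1.1.2"], stamp=4)
    dc2.set_attr("www.corp.example.com", "A", ["10.1.1.3"], stamp=5)
    converge(dc1, dc2)
    return dc1, dc2


def a_records(replica, dns_name):
    return replica.objects[dns_name]["attrs"]["A"][1]


if __name__ == "__main__":
    dc1, dc2 = run_scenario()
    print(a_records(dc1, "host1.corp.example.com"), a_records(dc1, "www.corp.example.com"))
```

The practical consequence for a client is visible in the scenario: the host that lost the name-level collision (dc2's 10.0.0.9 registration) never becomes visible anywhere once replication has converged, which is why a registering client should verify its record after the fact rather than assume the update stuck.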
MS DNS Features (6/12): Dynamic Update
- Based on RFC 2136
- Client discovers the primary server for the zone where the record should be added/deleted
- Client sends a dynamic update packet to the primary server
- Primary server processes the update
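The "dynamic update packet" of step three, built byte for byte, as an added example that is not the presentation's code: a minimal RFC 2136 UPDATE message with the zone section, an optional prerequisite, and the A record to add, in the plain unsigned form (secure update, covered later in the deck, adds a GSS-TSIG signature on top). The zone, host name and address are constructed.

```python
"""Wire-format encoder for an RFC 2136 DNS UPDATE message of the kind a client
sends to a zone's primary server: zone section, a prerequisite, and the A
record to add.  Added example, not the presentation's code; the zone, host
name and address are constructed.  The message is unsigned, so this is the
plain (not the secure, GSS-TSIG) form of the update."""
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_A, TYPE_SOA = 1, 6


def encode_name(name):
    """Uncompressed wire form: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    labels = []
    while msg[offset]:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels), offset + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_add_a_update(msg_id, zone, host, ipv4, ttl=1200, require_absent=True):
    """Build an UPDATE that adds host -> ipv4 to `zone`.
    With require_absent=True the update carries the RFC 2136 'RRset does not
    exist' prerequisite (CLASS=NONE, TTL=0, no RDATA), so the primary refuses
    it if an A record for that name is already there (first writer wins);
    without it the existing A RRset is deleted first and then re-added."""
    prereqs, updates = b"", b""
    if require_absent:
        prereqs += rr(host, TYPE_A, CLASS_NONE, 0, b"")
    else:
        updates += rr(host, TYPE_A, CLASS_ANY, 0, b"")   # delete whole A RRset
    updates += rr(host, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ipv4.split(".")))
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, 1 if require_absent else 0, 1 if require_absent else 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + prereqs + updates


def parse_update(msg):
    """Decode the header and zone section of an UPDATE message."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    zone, off = decode_name(msg, 12)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
            "prcount": pr, "upcount": up, "adcount": ad,
            "zone": zone, "ztype": ztype, "zclass": zclass}


if __name__ == "__main__":
    msg = build_add_a_update(0x1234, "corp.example.com", "host1.corp.example.com", "10.0.0.5")
    print(len(msg), parse_update(msg))
```

The header's opcode field (bits 11 to 14 of the flags word) is what distinguishes this from an ordinary query; a server that does not implement RFC 2136 answers NOTIMP, which is the failure the "should support dynamic updates" requirement above is about.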
MS DNS Features (7/12): Dynamic Update
- A Windows 2000 computer registers an A RR with:
  - Hostname.PrimaryDnsSuffix (default) and
  - Hostname.AdapterSpecificDnsSuffix (if configured)
- It registers a PTR RR if the adapter is not DHCP configured or the DHCP server doesn't support DNS RR registration
MS DNS Features (8/12): Dynamic Update
- A Windows 2000 DHCP server registers (based on draft-ietf-dhc-dhcp-dns-*.txt):
  - PTR records on behalf of upgraded clients (default)
  - A and PTR records on behalf of downlevel clients (default)
  - A and PTR records on behalf of upgraded clients (if configured)
- The Windows 2000 DHCP server removes records that it registered upon lease expiration
MS DNS Features (9/12): Secure Dynamic Update
- Based on draft-skwan-gss-tsig-04.txt
- Available only on AD-integrated zones
- Per-zone and per-name granularity: ACL on each zone and name
MS DNS Features (10/12): Aging/Scavenging
- Enables deletion of stale records in AD-integrated zones
- Requires periodic refreshes of the records
MS DNS Features (12/12): Caching Resolver
- Windows 2000 service
- Caches RRs according to TTL
- Negative caching
- Tracks transient/PnP adapters
- Reorders servers according to responsiveness
- Fewer round-trips, fewer timeouts, faster response time
DNS Design (1/11): To support DC locator
- DNS server authoritative for the DC records MUST support SRV RRs
- Support for Dynamic Updates is recommended
DNS Design (2/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on the DCs in that AD domain
DNS Design (3/11)
[Diagram: forest root domain corp.example.com; its DCs host the zone: Primary AD-integrated "corp.example.com"]
DNS Design (4/11)
[Diagram: corp.example.com with child domain Domain1.corp.example.com. Root DCs host: Primary AD-integrated "corp.example.com". Domain1 DCs host: Primary AD-integrated "Domain1.corp.example.com"]
DNS Design (5/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
- Install a DNS server on at least two DCs in each AD domain and one DC in each site
DNS Design (6/11)
[Diagram: corp.example.com and Domain1.corp.example.com spread across Site1, Site2 and Site3. Root DCs host: Primary AD-integrated "corp.example.com". Domain1 DCs host: Primary AD-integrated "Domain1.corp.example.com"]
DNS Design (7/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
- Install a DNS server on at least two DCs in each AD domain and one DC in each site
- If different sites in the forest are connected over slow links, delegate the zone "_msdcs.<ForestName>" and make at least one DNS server in every site secondary for this zone
DNS Design (8/11)
[Diagram: corp.example.com and Domain1.corp.example.com across Site1, Site2 and Site3. Root DCs host: Primary AD-int "corp.example.com", Primary AD-int "_msdcs.corp.example.com.". Domain1 DCs host: Primary AD-int "Domain1.corp.example.com", Secondary "_msdcs.corp.example.com."]
DNS Design (9/11)
- Install a DNS server on at least two DCs in each AD domain and one DC in each site
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
- If different domains of the forest are connected over slow links, delegate the zone _msdcs.<ForestName> and make at least one DNS server in every site secondary for this zone
- Each client should be configured to query at least two DNS servers, one of which is in the same site
DNS Design (10/11)
[Diagram: corp.example.com and Domain1.corp.example.com across Site1, Site2 and Site3. Root DCs host: Primary AD-int "corp.example.com", Primary AD-int "_msdcs.corp.example.com.". Domain1 DCs host: Primary AD-int "Domain1.corp.example.com", Secondary "_msdcs.corp.example.com."]
DNS Design (11/11): Hardware planning
- Memory usage: no zones loaded ~4 MB; each record requires ~100 bytes
- Performance:
  - Alpha 533 MHz dual-processor at 25% processor utilization: 1600 queries and 200 dynamic updates/second
  - Intel P-II 400 MHz dual-processor at 30% processor utilization: 900 queries and 100 dynamic updates/second
Security Topics
- Kerberos Integration with Windows NT
- Security Provider Architecture
- Public Key Security Components
- Smart card logon and authentication
- Encrypting File System
- Security Policies and Domain Trust
- Secure Windows NT Configuration
Security Goals
- Single enterprise logon
- Integrated security services with Windows NT Directory Service
- Delegated administration and scalability for large domains
- Strong network authentication protocols
- Standard protocols for interoperability of authentication
Authentication/Authorization
- Authenticate using domain credentials: user account defined in Active Directory
- Authorization based on group membership: centralize management of access rights
- Distributed security tied to the Windows NT Security Model: network services use impersonation; object-based access control lists
One Security Model: Multiple Security Protocols
- Shared key protocols
  - Windows NTLM authentication: compatibility in mixed domains
  - Kerberos V5 for enterprise networks
- Public key certificate protocols
  - Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
  - IP Security
- Multiple forms of credentials in the Active Directory
NTLM Authentication
[Diagram: client, application server (MSV1_0) and Windows NT domain controller (Netlogon, Windows NT Directory Service)]
1. NTLM challenge/response between client and application server
2. Server uses LSA to log on to the domain
3. Netlogon service returns user and group SIDs from the domain controller
4. Server impersonates the client
Kerberos Integration
[Diagram: client, server, and a Windows NT domain controller hosting the Windows NT Directory Server and the Key Distribution Center (KDC)]
- KDC relies on the Active Directory as the store for security principals and policy
- Kerberos SSPI provider manages credentials and security context; LSA manages the ticket cache
- Session ticket authorization data supports the NT access control model
Kerberos Protocol Advantages
- Faster connection authentication
  - Server scalability for high-volume connections
  - Reuse session tickets from cache
- Mutual authentication of both client and server
- Delegation of authentication
  - Impersonation in three-tier client/server architectures
- Transitive trust between domains
  - Simplify inter-domain trust management
- Mature IETF standard for interoperability
  - Testing with MIT Kerberos V5 Release
Kerberos Unix Interoperability
- Based on Kerberos V5 Protocol: RFC 1510 and RFC 1964 token format
- Testing with MIT Kerb V5 Release
- Windows NT DS hosts the KDC
  - UNIX clients to Unix Servers
  - UNIX clients to NT Servers
  - NT clients to UNIX Servers
- Simple cross-realm authentication: UNIX realm to NT domain
Kerberos Auth: Network Server connection
[Diagram: client holding a TGT, application server (target), and a Windows NT domain controller hosting the Windows NT Directory Server and the KDC]
1. Client sends the TGT and requests a session ticket from the KDC for the target server
2. Client presents the session ticket at connection setup
3. Target verifies the session ticket issued by the KDC
Target auth data: User SID, Group SIDs, Privileges
Building An Access Token with Kv5
[Diagram: session ticket -> Kerberos package -> LSA -> token -> server application]
- Kerberos package gets auth data from the session ticket
- LSA builds the access token for the security context
- Server thread impersonates the client context using an impersonation token
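The three slides above (session ticket request, ticket presentation and verification, access token built from the ticket's authorization data) as one runnable flow, an added example that is not the presentation's code or Windows' implementation. The seal/unseal pair (a SHA-256 keystream plus an HMAC tag) stands in for a real Kerberos encryption type, and the account, SIDs, service name and group-to-privilege mapping are constructed. The point it makes is the one on the slide: the server never asks the KDC anything at connection time; it trusts the ticket because only the KDC could have sealed it under the server's own key.

```python
"""Kerberos-style flow: TGT -> session ticket carrying authorization data
(user SID, group SIDs) -> the application server verifies the ticket with its
own key and builds an access token, then proves knowledge of the session key
back to the client (mutual authentication).  Added example, not the
presentation's code or Windows' implementation.  The seal/unseal pair (SHA-256
keystream plus HMAC tag) stands in for a real Kerberos encryption type; the
account, SIDs, service name and privilege mapping are constructed."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON object."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key + nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct)))))


PRIVILEGES = {"S-1-5-21-1-2-3-1201": ["SeBackupPrivilege"]}  # constructed group -> privilege


class KDC:
    """Holds the long-term keys and, standing in for the directory, the accounts."""

    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32), "host/fs1.corp.example.com": os.urandom(32)}
        self.accounts = {"alice": {"sid": "S-1-5-21-1-2-3-1105",
                                   "groups": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1201"]}}

    def as_exchange(self, user):
        """AS exchange: issue a TGT sealed under the krbtgt key."""
        acct = self.accounts[user]
        tgt_key = os.urandom(32)   # session key shared by client and KDC
        auth = {"user_sid": acct["sid"], "group_sids": acct["groups"]}
        tgt = seal(self.keys["krbtgt"], {"cname": user, "auth": auth,
                                         "key": tgt_key.hex(), "exp": time.time() + 36000})
        return tgt, tgt_key

    def tgs_exchange(self, tgt, service):
        """TGS exchange: a valid TGT buys a session ticket for `service`."""
        t = unseal(self.keys["krbtgt"], tgt)      # only a KDC-sealed TGT unseals
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"cname": t["cname"], "auth": t["auth"],
                                           "key": svc_key.hex(), "sname": service})
        enc_part = seal(bytes.fromhex(t["key"]), {"key": svc_key.hex(), "sname": service})
        return ticket, enc_part


def server_accept(ticket, service_key):
    """Server side: verify the ticket, build the access token, answer with AP-REP."""
    t = unseal(service_key, ticket)
    auth = t["auth"]
    privs = sorted({p for g in auth["group_sids"] for p in PRIVILEGES.get(g, [])})
    token = {"user_sid": auth["user_sid"], "group_sids": auth["group_sids"],
             "privileges": privs}
    ap_rep = hmac.new(bytes.fromhex(t["key"]), b"AP-REP:" + t["sname"].encode(),
                      hashlib.sha256).hexdigest()
    return token, ap_rep


def run_flow(kdc, user="alice", service="host/fs1.corp.example.com"):
    tgt, tgt_key = kdc.as_exchange(user)
    ticket, enc_part = kdc.tgs_exchange(tgt, service)
    client_key = bytes.fromhex(unseal(tgt_key, enc_part)["key"])
    token, ap_rep = server_accept(ticket, kdc.keys[service])
    expected = hmac.new(client_key, b"AP-REP:" + service.encode(), hashlib.sha256).hexdigest()
    return token, hmac.compare_digest(ap_rep, expected)


def tamper_check(kdc, service="host/fs1.corp.example.com"):
    """A ticket that was not sealed under the service key must be rejected."""
    tgt, _ = kdc.as_exchange("alice")
    ticket, _ = kdc.tgs_exchange(tgt, service)
    try:
        server_accept(ticket, bytes(32))   # not the service's key
        return False
    except ValueError:
        return True
```

`run_flow` returns the token the server would impersonate with, plus whether the client accepted the server's AP-REP; `tamper_check` shows the integrity check refusing a ticket presented to a server that does not hold the key it was sealed under.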
Remote File Access Check
[Diagram: the client's file application calls the Kerberos SSP through SSPI; the redirector (Rdr) connects to \\infosrv\share over the SMB protocol; the server's Kerberos SSP verifies the KDC-issued ticket, a token is built, and NTFS performs the access check against the file's security descriptor (SD)]
Architecture For Multiple Authentication Services
[Diagram: SSPI sits above the security packages NTLM (MSV1_0/SAM), Kerberos (KDC/DS), SChannel (SSL/TLS) and DPA (membership services). Consumers: Secure RPC and DCOM applications; HTTP (Internet Explorer, Internet Information Server); POP3, NNTP (mail, chat, news); CIFS/SMB (remote file); LDAP (directory-enabled apps using ADSI)]
Windows NT 4.0 - 5.0 Interoperability
- Windows NT 4.0 clients and servers: use NTLM authentication
- Windows NT 5.0 clients: locate NT 5.0 Active Directory and KDC; support smart card logon; use Kerberos or NTLM protocol
- Windows NT 5.0 Servers: accept both NTLM or Kerberos protocol
Public Key Components: X.509 and PKCS Standards
[Diagram: Windows NT Directory Server and Certificate Server providing enterprise certificate services and trust policy]
- For clients: user key and certificate management; secure channel; secure storage; auto enrollment
- For servers: key and certificate management; secure channel; client authentication; auto enrollment
- Enterprise certificate services; trust policy
Crypto API Architecture
[Diagram: Application -> Crypto API 1.0 (certificate management services, secure channel, key database, certificate store) -> Cryptographic Service Providers: RSA base CSP, Fortezza CSP, SmartCard CSP]
SSL Client Authentication: Integrated Security Administration
- Strong authentication using X.509 certificates
- Single user ID for multiple protocols
- Security account management: use existing infrastructure for account admin and access control
- Accept third-party X.509 certificates from trusted Certificate Authorities
- Inter-business authentication
SSL Client Authentication
[Diagram: the client certificate is presented to the server's SChannel SSP; the authentication service consults the certificate store of trusted CAs and the directory (Domain > Org (OU) > Users); the resulting access token is checked against the ACL on server resources]
1. Verify user certificate based on trusted CA, CRL
2. Locate user object in directory by subject name
3. Build NT access token based on group membership
4. Impersonate client, object access verification
Client Authentication Using SmartCards
[Diagram: Internet Explorer 4.0 -> SSPI -> secure channel -> Crypto API -> SmartCard CSP -> reader driver -> reader -> ICC]
- Secure channel between Internet Explorer and Internet Information Server
- Keys and certificates managed by Crypto API
- SmartCard CSP gets certificate and protocol signature from card
Smart Card Logon
[Diagram: card (private key and certificate) -> PK Kerberos -> domain credentials (TGT); the user profile holds other certs and keys used by Internet Explorer]
- Private key and certificate on card
- Public key domain authentication (PK Kerberos)
- User profile for other keys and certificates (Internet Explorer)
- RAS support
- Domain credentials: obtain Kerberos TGT and NTLM credentials
Management Of Trust
- Trust policy decisions: what CAs are trusted? What are they trusted for? (Client Authentication, Server Authentication, Authenticode)
- Trust determination made locally: certificate path verification
- Configure trust policy centrally: define trust policy in Policy Editor; signed by an authorized user
Encrypting File System
- Privacy of data that goes beyond access control
  - Protect confidential data on laptops
  - Configurable approach to data recovery
- Integrated with core operating system components
  - Windows NT File System - NTFS
  - Crypto API key management
  - LSA security policy
- Transparent and very high performance
EFS Architecture
[Diagram: user mode: applications, Win32 layer, EFS service using Crypto API, LPC communication for all key management support; kernel mode: I/O manager, EFS.sys with FSRTL callouts into NTFS, encrypted on-disk data storage]
File Encryption
[Diagram: a randomly generated file encryption key (from the RNG) encrypts the file, e.g. with DES: "A quick brown fox jumped..." -> "*#$fjda^ju539!3tt389E *&". DDF generation (e.g., RSA) wraps the key under the user's public key; DRF generation (e.g., RSA) wraps it under the recovery agent's public key from the recovery policy]

File Decryption
[Diagram: DDF extraction (e.g., RSA) with the user's private key recovers the file encryption key; file decryption (e.g., DES) turns "*#$fjda^ju539!3tt389E *&" back into "A quick brown fox jumped..."]
- DDF contains the file encryption key encrypted under the user's public key
- DDF is decrypted using the private key to get to the file encryption key
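The encryption and decryption slides as one runnable round trip, an added example that is not the presentation's or Windows' code. The two stand-ins are labelled in the code: textbook RSA over well-known Mersenne primes with no padding replaces the real RSA wrapping the slides mark "(e.g., RSA)", and a SHA-256 keystream replaces "(e.g., DES)"; neither is fit for real use. What the example shows is the structure the slides describe: one random FEK, wrapped twice, so that either the user's or the recovery agent's private key recovers the file.

```python
"""EFS-style file encryption: a random file encryption key (FEK) encrypts the
data, the FEK is wrapped under the user's public key into the data decryption
field (DDF) and under the recovery agent's public key into the data recovery
field (DRF), and either private key recovers it.  Added example, not the
presentation's or Windows' code.  Stand-ins are labelled: textbook RSA over
Mersenne primes with no padding replaces the real RSA wrapping, and a SHA-256
keystream replaces DES; neither is fit for real use."""
import hashlib
import os


def make_keypair(p, q):
    """Textbook RSA from two (known) Mersenne primes; toy key sizes."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (e, n), (pow(e, -1, phi), n)


def wrap_fek(public_key, fek):
    e, n = public_key
    return pow(int.from_bytes(fek, "big"), e, n)


def unwrap_fek(private_key, wrapped):
    d, n = private_key
    m = pow(wrapped, d, n)
    if m >= 1 << 128:
        raise ValueError("wrong private key: field does not unwrap to a 128-bit FEK")
    return m.to_bytes(16, "big")


def xor_stream(key, data):
    """Symmetric stand-in for the file cipher (same call encrypts and decrypts)."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_file(plaintext, user_public, agent_public):
    fek = os.urandom(16)                       # randomly generated FEK (RNG)
    return {
        "data": xor_stream(fek, plaintext),    # file encryption (e.g., DES)
        "DDF": wrap_fek(user_public, fek),     # DDF generation (e.g., RSA)
        "DRF": wrap_fek(agent_public, fek),    # DRF generation (e.g., RSA)
    }


def decrypt_file(blob, private_key, field="DDF"):
    """DDF (user) or DRF (recovery agent) extraction, then file decryption."""
    fek = unwrap_fek(private_key, blob[field])
    return xor_stream(fek, blob["data"])


# Constructed keys: user and recovery agent get distinct Mersenne-prime pairs.
USER_PUB, USER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
AGENT_PUB, AGENT_PRIV = make_keypair(2**107 - 1, 2**61 - 1)


def demo(text=b"A quick brown fox jumped..."):
    """Encrypt once; recover through the DDF as the user and through the DRF
    as the recovery agent."""
    blob = encrypt_file(text, USER_PUB, AGENT_PUB)
    return (decrypt_file(blob, USER_PRIV, "DDF"),
            decrypt_file(blob, AGENT_PRIV, "DRF"))


if __name__ == "__main__":
    print(demo())
```

The recovery agent never sees the user's private key and the user never sees the agent's: each only unwraps its own field, which is what lets the recovery policy be changed (re-wrapping the FEK into a new DRF) without touching the user's DDF or re-encrypting the data.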
Active Directory Security Features
- Organization Units (OU) to organize the directory name space
  - Users, groups, computers in separate containers
- Directory object security
  - Per property access control
  - Per property auditing
- Delegation of administration
  - Who can create, manage users, groups, computer accounts, other objects
Domain Trust
Diagram: the domains microsoft.com, europe.microsoft.com and fareast.microsoft.com are joined by Kerberos trust; a downlevel domain is attached through explicit Windows NT 4.0-style trusts.
Managing Security
Security Configuration Editor (SCE)
  Defines security configuration templates
Group Policy Editor
  Defines a hierarchy of user or computer policy templates for OUs up to the Domain
Security configuration is part of Group Policy
  Group Policy for a computer includes the security configuration
  Security configuration is applied at startup
A Security Configuration
Covers various security areas
  Account Policies -- password, lockout, Kerberos
  Local Policies -- auditing, user rights, ...
  Restricted Groups -- Administrators, Power Users, ...
  Registry & File System -- security descriptors
  Services -- startup mode and security descriptors
Summary (1/2)
Kerberos for domain authentication for the Enterprise
  Mutual authentication, transitive trust
Public key security components
  Certificate Services to issue organization certificates
  Personal key and certificate management
  Public key credentials for servers
  Directory-based SSL/TLS client authentication using X.509 certificates
Summary
Crypto API enhancements
Smart card logon and dialup access
Message encryption using SSPI
SMB data encryption using IPsec
Encrypting File System
DS Security Administration and Policy
Security Configuration Editor
Cross-platform authentication interoperability
Group Policy Objects
Group Policy Definition
"The ability for the administrator to state a wish about the state of their users' environment once, and then rely on the system to enforce that wish!"
Group Policy Review
Policies Are Not Profiles
  A profile is a collection of user environment settings that the user may change
  Group Policy is a collection of user environment settings specified by the administrator
Group Policy is more than simple "lockdown"
  Group Policy enhances the "Follow Me!" experience by enabling organizations to:
    Set registry settings securely and without fear of tattooing (Administrative Templates)
    Specify security-oriented settings (Security Settings)
    Install software (Software Installation)
    Redirect "My Documents," "Desktop," etc. to the network (Folder Redirection)
    Implement tiered scripts (Scripts)
Diagram: one Site spanning Domain A and Domain B. Domain A has OUs A1 and A2 with GPOs A1 through A5; Domain B has OUs B1, B2 and B3 with GPOs B1 and B2.
What is my policy?
Sites are described by subnet addresses and may cross Domain boundaries; normally they would not
GPOs are per Domain
Group Policy is NOT inherited across Domains
Multiple GPOs may be associated with a single SDOU
Multiple SDOUs may use a single GPO
Any SDOU may be associated with any GPO, even across Domains (slower - maybe very slow)
The effect of a GPO may be filtered based on security group membership (ACLs)
Group Policy And The Active Directory
Group Policy Linked To OUs
The OU structure is your administrative structure
Group Policy configuration must be tuned to fit your OU structure
Design for the most stable and maintainable solution
Filtering
Security Groups may be used to filter the effect of Group Policy
  Any Group Policy may have its scope modified by setting ACL permissions
Read and Apply Group Policy (AGP) ACEs are required for Group Policy to be applied
Only filter if necessary
  Keep it simple if possible
Example
GP applied to a virtual group
Filtering can be inclusionary, or exclusionary using "deny"
Diagram: an OU tree with one GP linked into it; the GP's ACL carries Read & AGP entries for the virtual group that should receive the policy.
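The "What is my policy?" question and the Read + AGP filtering rule from the slides above, worked through as an added example that is not part of the original deck: a user's token is checked against each linked GPO's ACL while walking Site, Domain and OUs in order, and a deny ACE on either Read or Apply Group Policy removes the GPO. The container, GPO, group and setting names are constructed for the demonstration.

```python
"""Added example (not from the slides): answer "What is my policy?" for one
user by walking a Site -> Domain -> OU chain of linked GPOs and applying the
Read + Apply Group Policy (AGP) filter, with a deny ACE winning over allows.
Container, GPO, group and setting names below are constructed."""

ALLOW, DENY = "allow", "deny"


class GPO:
    def __init__(self, name, settings, acl):
        self.name, self.settings = name, settings
        self.acl = acl  # list of (group, "Read" | "AGP", ALLOW | DENY)

    def applies_to(self, groups):
        """Both Read and AGP must be granted, and neither denied, to a group
        in the user's token; any matching deny filters the GPO out."""
        granted = set()
        for group, perm, kind in self.acl:
            if group in groups:
                if kind == DENY:
                    return False
                granted.add(perm)
        return {"Read", "AGP"} <= granted


def resolve(chain, groups):
    """chain: [(container, [GPO, ...]), ...] in processing order (Site, Domain,
    then OUs, each GPO list in link-application order). Returns the applied
    GPOs in order and the effective settings, where the last writer wins."""
    applied, effective = [], {}
    for container, gpos in chain:
        for gpo in gpos:
            if gpo.applies_to(groups):
                applied.append(f"{container}:{gpo.name}")
                effective.update(gpo.settings)
    return applied, effective


# Constructed hierarchy: default ACL lets all authenticated users apply a GPO.
DEFAULT = [("Authenticated Users", "Read", ALLOW), ("Authenticated Users", "AGP", ALLOW)]
A1 = GPO("A1", {"AuditLogon": "Success", "Wallpaper": "corp.bmp"}, DEFAULT)
A2 = GPO("A2", {"AuditLogon": "Success, Failure"}, DEFAULT)
A4 = GPO("A4", {"Wallpaper": "none"},  # exclusionary: admins denied AGP
         DEFAULT + [("Domain Admins", "AGP", DENY)])
A3 = GPO("A3", {"Wallpaper": "lab.bmp"},  # inclusionary: one virtual group
         [("Lab Users", "Read", ALLOW), ("Lab Users", "AGP", ALLOW)])
CHAIN = [("Site", [A1]), ("Domain A", [A2]), ("OU Sales", [A4, A3])]
```

Running resolve(CHAIN, ...) for a Lab Users member yields A1, A2, A4 and A3 with the lab wallpaper, while a Domain Admins member gets only A1 and A2, which is the filtering the slide's "deny" exclusionary case describes.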
Conclusion
Active Directory
DNS
Security Features
Group Policy