Security Aspects Of Directory Enabled Applications
Praerit Garg, Program Manager, Windows NT Security, Microsoft Corporation
Agenda
- Why should you care about security?
- What are the security aspects of directory operations?
- How can you leverage Directory Security?
- Finally… some tips to remember
Question One: Why should you care about security?
If You Are Writing…
- Client applications that browse the directory
- Client applications that modify the directory
- Service applications that publish to the directory
- Service applications that store data in the directory
THEN YOU SHOULD CARE
Because…
- Active Directory is Windows NT's security database
- Not everyone is allowed to read or write everything from everywhere
- The directory may reject certain requests with authorization failure errors
  - Handle these gracefully!
Question Two: What are the security aspects of directory operations?
Active Directory Operations
- Locating an Active Directory server (DC)
- Connecting and binding
- Searching and browsing
- Publishing and modifications
Directory Operations: Locating an AD Server (DC)
- Windows platforms (NT, 95/98): DsGetDCName
- Non-Windows platforms: DNS SRV record lookup
- Locating a DC is neither secured nor restricted
- Lookup is handled automatically
Directory Operations: Connecting and Binding
Basics:
- Always authenticate to do anything meaningful!
- Make no assumptions…
- Use the user's default credentials when possible
- Connect, bind and forget!
- Never cache when using alternate credentials
Directory Operations: Code Example Using ADSI Open
- Interface: IADsOpenDSObject
- Method: OpenDSObject
- Credentials in OpenDSObject: UserName, Password, Type
  - Use defaults: NULL, NULL
  - If needed, always prompt for alternate credentials
  - Never cache passwords
Directory Operations: Searching and Browsing in ADSI
- Interfaces and methods, e.g. IADs: Get, GetEx, GetInfo
- Handle errors: E_ADS_INVALID_DOMAIN_OBJECT, E_ADS_PROPERTY_NOT_SUPPORTED, E_ADS_PROPERTY_NOT_FOUND
Directory Operations: Publishing and Modifications
- ADSI, e.g. IADs: Put, PutEx, SetInfo
- Handle errors: E_ADS_PROPERTY_NOT_SET, E_ADS_PROPERTY_NOT_MODIFIED
Question Three: How can you leverage Directory Security?
Leveraging AD Security: Application Server Configurations
- Services on Domain Controllers
  - Running under Local System
  - Running under service accounts (recommended)
- Services on member servers or workstations
  - Running under Local System (recommended)
  - Running under service accounts
Leveraging AD Security: Access Control
- Object security descriptors
  - Per-property access control
  - Object type access control
  - Operation-specific permissions
  - Delegation of administration
- Manipulating security descriptors
- Using security groups
Leveraging AD Security: Per-Property Access (code sample)
[Diagram: a directory object with properties Property 1, Property 2, Property 3 and Telephone #, and its ntSecurityDescriptor]
- ntSecurityDescriptor: Owner, Group, System ACL, Discretionary ACL
- ACL: header, ACE 1 … ACE i … ACE n
- ACE i (scoped to the Telephone # property):
  - Header: ALLOWED_OBJECT_ACE, no inherit flags, Size=
  - Mask: Read Property, Write Property
  - ObjectTypeGuid: Telephone # property GUID
  - InheritedObjectTypeGuid: NULL
  - Security ID: group/user
Leveraging AD Security: Object Type Access (code sample)
[Diagram: an OU containing an OU, a Group and a User, with the OU's ntSecurityDescriptor]
- ntSecurityDescriptor: Owner, Group, System ACL, Discretionary ACL
- ACL: header, ACE 1 … ACE i … ACE n
- ACE i (scoped to the User object class):
  - Header: ALLOWED_OBJECT_ACE, no inherit flags, Size=
  - Mask: Create Child, Delete Child
  - ObjectTypeGuid: User object GUID
  - InheritedObjectTypeGuid: NULL
  - Security ID: group/user
Leveraging AD Security: Operation-Specific Permissions
- Specialized operations: Change Password, Apply Group Policy
- Instantiate a "Control Access Right"
  - Publish under the Extended Rights container
  - ObjectTypeGuid = right GUID
  - Mask = CONTROL_ACCESS
- Use AccessCheckByType
  - AuditAlarm variation
Leveraging AD Security: Code sample to use operation-specific rights
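The deck's own code sample did not survive extraction; as an added illustration (not the deck's sample, and not calling the Win32 API), here is a simplified Python model of the AccessCheckByType decision for a control access right, with the AuditAlarm-style variant that records each decision. It keeps the core rule only (DACL order, trustee in token, ObjectTypeGuid match, deny-before-grant wins) and skips the object-type tree and inheritance resolution that Windows also performs; the trustee SIDs and the telephone attribute GUID are constructed placeholders.

```python
# Simplified AccessCheckByType model: ACEs are applied in DACL order; an ACE counts
# only if its trustee is in the caller's token and its ObjectTypeGuid (if set)
# matches the requested property, child class or right.
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x05, 0x06
INHERIT_ONLY_ACE = 0x08
DS_READ_PROP, DS_WRITE_PROP, DS_CONTROL_ACCESS = 0x10, 0x20, 0x100
# Well-known rightsGuid values of the Change Password and Reset Password control
# access rights; SIDs and the telephone attribute GUID below are constructed.
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
TELEPHONE_PROP = "11111111-1111-1111-1111-111111111111"   # placeholder schemaIDGUID
EVERYONE, HELPDESK, SVC_ACCOUNTS = "S-1-1-0", "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106"

def access_check_by_type(dacl, token_sids, desired, object_type):
    """True when every bit of `desired` is granted for `object_type` (GUID, or None for the object)."""
    granted = 0
    for ace_type, ace_flags, mask, ace_object_type, trustee in dacl:
        if ace_flags & INHERIT_ONLY_ACE or trustee not in token_sids:
            continue                                  # inherit-only ACEs never apply here
        if ace_object_type is not None and ace_object_type != object_type:
            continue                                  # scoped to another property/class/right
        if ace_type == ACCESS_DENIED_OBJECT_ACE_TYPE and mask & desired & ~granted:
            return False                              # explicit deny on a still-ungranted bit
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
            granted |= mask & desired
            if granted == desired:
                return True                           # stop once everything is granted
    return granted == desired

def audited_check(audit_log, caller, dacl, token_sids, desired, object_type):
    """AuditAlarm-style variant: record who asked for what and whether it was granted."""
    ok = access_check_by_type(dacl, token_sids, desired, object_type)
    audit_log.append((caller, object_type, desired, ok))
    return ok

USER_DACL = [   # constructed DACL on a user object; explicit denies first (canonical order)
    (ACCESS_DENIED_OBJECT_ACE_TYPE, 0, DS_CONTROL_ACCESS, CHANGE_PASSWORD, SVC_ACCOUNTS),
    (ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, DS_CONTROL_ACCESS, CHANGE_PASSWORD, EVERYONE),
    (ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, DS_CONTROL_ACCESS, RESET_PASSWORD, HELPDESK),
    (ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, DS_READ_PROP | DS_WRITE_PROP, TELEPHONE_PROP, HELPDESK),
    (ACCESS_ALLOWED_OBJECT_ACE_TYPE, INHERIT_ONLY_ACE, DS_WRITE_PROP, TELEPHONE_PROP, EVERYONE),
]

def sample_decisions():
    """Decisions for three callers; returns (outcomes by case, audit trail)."""
    audit, helpdesk, svc, user = [], {EVERYONE, HELPDESK}, {EVERYONE, SVC_ACCOUNTS}, {EVERYONE}
    out = {
        "helpdesk_reset": audited_check(audit, "helpdesk", USER_DACL, helpdesk, DS_CONTROL_ACCESS, RESET_PASSWORD),
        "helpdesk_edit_phone": audited_check(audit, "helpdesk", USER_DACL, helpdesk, DS_READ_PROP | DS_WRITE_PROP, TELEPHONE_PROP),
        "svc_change": audited_check(audit, "svc", USER_DACL, svc, DS_CONTROL_ACCESS, CHANGE_PASSWORD),
        "user_change": audited_check(audit, "user", USER_DACL, user, DS_CONTROL_ACCESS, CHANGE_PASSWORD),
        "user_edit_phone": audited_check(audit, "user", USER_DACL, user, DS_WRITE_PROP, TELEPHONE_PROP),
    }
    return out, audit
```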
Leveraging AD Security: Delegation of Administration
[Diagram: an OU containing an OU and Groups; the same ACE is shown on the Group object and, as an inherit-only ACE, on the OU]
- ACE as shown on the Group object:
  - Header: ALLOWED_OBJECT_ACE, ContainerInherit, Size=
  - Mask: Read Property, Write Property
  - ObjectTypeGuid: Members property GUID
  - InheritedObjectTypeGuid: Group GUID
  - Security ID: group/user
- ACE as shown on the OU:
  - Header: ALLOWED_OBJECT_ACE, InheritOnly, ContainerInherit, Size=
  - Mask: Read Property, Write Property
  - ObjectTypeGuid: Members property GUID
  - InheritedObjectTypeGuid: Group GUID
  - Security ID: group/user
Leveraging AD Security: Default Security Descriptors
- Object classes in schema
  - DefaultSecurityDescriptor
  - Security Descriptor Definition Language (SDDL)
  - ConvertSecurityDescriptorToTextSecurityDescriptor
- Object instantiations: (Default Security Descriptor) + (Inherited Security Descriptor from parent)
  - Exception: object-specific inherited security descriptor from parent
Leveraging AD Security: Manipulating Security Descriptors
- Reading and writing with ADSI
  - Entire NTSecurityDescriptor attribute
  - Granular interfaces
    - IADsSecurityDescriptor: Rev, Control, Owner, Group, DACL, SACL
    - IADsAccessControlList: Revision, Count, Add/Remove ACE
    - IADsAccessControlEntry: Type, Flags, Mask, ObjectType, InheritedObjectType, Trustee
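The ACEs drawn on the per-property, object type, control access right and delegation slides, built from the same Type/Flags/Mask/ObjectType/InheritedObjectType/Trustee fields that IADsAccessControlEntry exposes and rendered both in the on-the-wire ACCESS_ALLOWED_OBJECT_ACE layout and as SDDL, as an added Python example that is not from the deck and does not call ADSI. The trustee SID and the property/class GUIDs are constructed placeholders (real values come from each attribute's or class's schemaIDGUID); only the Change Password rightsGuid is the well-known value.

```python
import struct
import uuid

# ACE type, flag and object-flag constants from the Win32 headers (winnt.h)
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x02, 0x08
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
# Directory-service access mask bits paired with their SDDL rights tokens
RIGHTS = [(0x01, "CC"), (0x02, "DC"), (0x10, "RP"), (0x20, "WP"), (0x100, "CR")]
FLAGS = [(CONTAINER_INHERIT_ACE, "CI"), (INHERIT_ONLY_ACE, "IO")]

def sid_to_bytes(sid):
    """Serialise 'S-1-5-21-...' as revision, sub-authority count, 6-byte authority, sub-authorities."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def object_ace_bytes(ace_flags, mask, object_type, inherited_object_type, sid):
    """ACCESS_ALLOWED_OBJECT_ACE layout: header, mask, object flags, optional GUIDs, SID."""
    obj_flags, guids = 0, b""
    if object_type:
        obj_flags |= ACE_OBJECT_TYPE_PRESENT
        guids += uuid.UUID(object_type).bytes_le      # GUID fields are little-endian on the wire
    if inherited_object_type:
        obj_flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT
        guids += uuid.UUID(inherited_object_type).bytes_le
    body = struct.pack("<II", mask, obj_flags) + guids + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, ace_flags, 4 + len(body)) + body

def object_ace_sddl(ace_flags, mask, object_type, inherited_object_type, sid):
    """Same ACE in SDDL: (OA;ace_flags;rights;object_guid;inherit_object_guid;trustee)."""
    flags = "".join(tok for bit, tok in FLAGS if ace_flags & bit)
    rights = "".join(tok for bit, tok in RIGHTS if mask & bit)
    return "(OA;%s;%s;%s;%s;%s)" % (flags, rights, object_type or "", inherited_object_type or "", sid)

# Constructed trustee SID and placeholder GUIDs; look real ones up in schemaIDGUID / rightsGuid
TRUSTEE = "S-1-5-21-1000-2000-3000-1104"
TELEPHONE_PROP = "11111111-1111-1111-1111-111111111111"   # placeholder: telephone number attribute
MEMBER_PROP = "22222222-2222-2222-2222-222222222222"      # placeholder: members attribute
USER_CLASS = "33333333-3333-3333-3333-333333333333"       # placeholder: user object class
GROUP_CLASS = "44444444-4444-4444-4444-444444444444"      # placeholder: group object class
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # well-known Change Password rightsGuid
SLIDE_ACES = {   # (ace_flags, mask, ObjectTypeGuid, InheritedObjectTypeGuid, SID) per slide
    "per_property": (0, 0x10 | 0x20, TELEPHONE_PROP, None, TRUSTEE),
    "object_type": (0, 0x01 | 0x02, USER_CLASS, None, TRUSTEE),
    "control_access": (0, 0x100, CHANGE_PASSWORD, None, TRUSTEE),
    "delegation_on_ou": (CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, 0x30, MEMBER_PROP, GROUP_CLASS, TRUSTEE),
}

def slide_aces_as_sddl():
    return {name: object_ace_sddl(*ace) for name, ace in SLIDE_ACES.items()}
```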
Leveraging AD Security: Use Security Groups
[Diagram: Universe of Users, Global Groups, Universal Groups, Domain Local Groups, Universe of Resources]
- Identify needed default authorizations
- Identify "roles" to grant default authorizations
  - Application Servers: machines the server is running on
  - Application Server Admins: administrators for the application server
- Create groups associated with the roles
And finally… some guidelines to remember
Guidelines For All - One
- Credentials for binding
  - Use the user's default credentials when possible
  - Connect, bind and forget
- Expect and gracefully handle errors
  - Never assume who the user is
  - Only a subset of reads and searches may succeed
  - An entire write may fail
Guidelines For All - Two
- Need-to-know user interfaces
  - Use allowedAttributesEffective
  - Use allowedChildClassesEffective
- Honor granularity of permissions
  - Batching multiple reads is OK
  - Batching multiple writes may not be
  - Commit object creation as a single operation
Guidelines For Services - One
- Plan for multi-tier setup
  - Schema setup needs to be done by schema administrators
  - Configuration container setup needs to be done by enterprise administrators
  - Domain setup needs to be done by domain administrators
Guidelines For Services - Two
- Be least privileged
  - Can you run on a non-DC under Local System?
  - Can you run under a service account on a DC?
- Use security groups to
  - Define machine roles running the service
  - Delegate administration of service-specific objects
Guidelines For Services - Three
- Impersonate clients
  - Remember clients can talk to the DS directly; leverage that where you can
  - Impersonate the client when binding to the DS on their behalf
  - Manage multiple DS connections cleanly!
- Use Active Directory object security
  - Define sensible default security descriptors
  - Support manipulating security
Call To Action
- Care about security: Active Directory is a secured data store and Windows NT's security accounts database
- Know about security: every directory object is secured by a security descriptor
- Use AD security: define default security and leverage object-specific delegation of administration
- Follow the guidelines