Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation.

Presentation transcript:

Agenda
- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Question One
- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

If You Are Writing…
- Client applications that browse the directory
- Client applications that modify the directory
- Service applications that publish to the directory
- Service applications that store data in the directory
THEN YOU SHOULD CARE

Because…
- Active Directory is Windows NT’s security database
  - Not everyone is allowed to read or write everything from everywhere
- Directory may reject certain requests with authorization failure errors
  - Handle these gracefully!

Question Two
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Active Directory Operations
- Locating an Active Directory Server (DC)
- Connecting and binding
- Searching and browsing
- Publishing and modifications

Directory Operations: Locating AD Server (DC)
- Windows® platforms (NT, 95/98)
  - DsGetDCName
- Non-Windows platforms
  - DNS SRV Record Lookup
- Locating a DC is not secure, nor restricted
- Lookup is handled automatically

Directory Operations: Connecting and binding
- Basics
  - Always authenticate to do anything meaningful!
  - Make no assumptions…
  - Use user’s default credentials when possible
  - Connect, bind and forget!
  - Never cache when using alternate credentials

Directory Operations: Code example using ADSI
- Open
  - Interface - IADsOpenDSObject
  - Method - OpenDSObject
- Credentials in OpenDSObject
  - UserName, Password, Type
  - Use Defaults -- NULL, NULL
  - If needed, always prompt for alternate
  - Never cache passwords

Directory Operations: Searching and browsing in ADSI
- Interfaces and methods
  - E.g. IADs - Get, GetEx, GetInfo
- Handle errors
  - E_ADS_INVALID_DOMAIN_OBJECT, E_ADS_PROPERTY_NOT_SUPPORTED, E_ADS_PROPERTY_NOT_FOUND

Directory Operations: Publishing and modifications
- ADSI
  - E.g. IADs -- Put, PutEx, SetInfo
- Handle errors
  - E_ADS_PROPERTY_NOT_SET, E_ADS_PROPERTY_NOT_MODIFIED

Question Three
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Leveraging AD Security: Application server configurations
- Services on Domain Controllers
  - Running under Local System
  - Running under Service Accounts - Recommended
- Services on Member Servers or Workstations
  - Running under Local System - Recommended
  - Running under Service Accounts

Leveraging AD Security: Access control
- Object security descriptors
  - Per property access control
  - Object type access control
  - Operation specific permissions
  - Delegation of administration
- Manipulating security descriptors
- Using security groups

Leveraging AD Security: Per property access - code sample
(Diagram: an object with Property 1, Property 2, Property 3, Telephone # and its ntSecurityDescriptor; the security descriptor holds Owner, Group, System ACL and Discretionary ACL; the DACL is an ACL header followed by ACE 1 … ACE i … ACE n.)
ACE i:
- Header: ALLOWED_OBJECT_ACE, No Inherit Flags, Size=
- Mask: Read, Write Property
- ObjectTypeGuid: Telephone # property GUID
- InheritedObjectTypeGuid: NULL
- Security ID: group/user

Leveraging AD Security: Object type access - code sample
(Diagram: an OU containing a Group and a User; the OU’s ntSecurityDescriptor holds Owner, Group, System ACL and Discretionary ACL; the DACL is an ACL header followed by ACE 1 … ACE i … ACE n.)
ACE i:
- Header: ALLOWED_OBJECT_ACE, No Inherit Flags, Size=
- Mask: Create, Delete Child
- ObjectTypeGuid: User object (class) GUID
- InheritedObjectTypeGuid: NULL
- Security ID: group/user

Leveraging AD Security: Operation specific permissions
- Specialized operations
  - Change Password, Apply Group Policy
- Instantiate a “Control Access Right”
  - Publish under Extended Rights container
- ObjectTypeGuid = Right GUID
- Mask = CONTROL_ACCESS
- Use AccessCheckByType
  - AuditAlarm variation

Leveraging AD Security: Code sample to use operation specific rights

Leveraging AD Security: Delegation of administration
(Diagram: an OU containing Group objects; the inheritable ACE is set on the OU and each Group receives the inherited copy.)
ACE on the OU:
- Header: ALLOWED_OBJECT_ACE, InheritOnly, ContainerInherit, Size=
- Mask: Read, Write Property
- ObjectTypeGuid: Members property GUID
- InheritedObjectTypeGuid: Group (class) GUID
- Security ID: group/user
ACE inherited by each Group:
- Header: ALLOWED_OBJECT_ACE, ContainerInherit, Size=
- Mask: Read, Write Property
- ObjectTypeGuid: Members property GUID
- InheritedObjectTypeGuid: Group (class) GUID
- Security ID: group/user
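The per-property, object type and delegation ACEs on the preceding slides, worked as an added example (not the presentation's own code): a simplified model of object-specific ACEs with the inheritance and the AccessCheckByType-style evaluation the slides describe. The property and class GUIDs and the helpdesk SID are constructed placeholders, and the dataclass is a teaching model rather than the Win32 ACE layout.

```python
# Added example, not code from the presentation. GUIDs and SIDs are constructed placeholders.
from dataclasses import dataclass, replace

DS_READ_PROP, DS_WRITE_PROP = 0x10, 0x20                        # ADS_RIGHTS_ENUM bits
ALLOWED, DENIED = "ALLOWED_OBJECT_ACE", "DENIED_OBJECT_ACE"
CONTAINER_INHERIT, INHERIT_ONLY, INHERITED = "CI", "IO", "ID"   # ACE header flags
@dataclass
class ObjectAce:
    ace_type: str
    mask: int
    trustee: str                                  # SID of a user or group
    flags: frozenset = frozenset()
    object_type: "str | None" = None              # property, class or right GUID
    inherited_object_type: "str | None" = None    # class GUID the ACE inherits to

def inherit_dacl(parent_dacl, child_class_guid):
    """ACEs a new child of the given class receives from its parent's DACL."""
    child = []
    for ace in parent_dacl:
        if CONTAINER_INHERIT not in ace.flags or ace.inherited_object_type not in (None, child_class_guid):
            continue                              # not inheritable to this class
        # INHERIT_ONLY is dropped so the ACE applies to the child; ID marks it inherited
        child.append(replace(ace, flags=(ace.flags - {INHERIT_ONLY}) | {INHERITED}))
    return child

def access_check(dacl, token_sids, desired, object_guid):
    """AccessCheckByType-style walk in ACE order: a DENY on an ungranted bit wins, ALLOWs accumulate."""
    granted = 0
    for ace in dacl:
        if (INHERIT_ONLY in ace.flags or ace.trustee not in token_sids
                or ace.object_type not in (None, object_guid)):
            continue                              # ACE does not apply to this request
        if ace.ace_type == DENIED and ace.mask & desired & ~granted:
            return False
        if ace.ace_type == ALLOWED:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired

TELEPHONE_PROP, MEMBER_PROP = "prop-guid-telephone", "prop-guid-member"  # placeholders
USER_CLASS, GROUP_CLASS = "class-guid-user", "class-guid-group"          # placeholders
HELPDESK = "S-1-5-21-0-0-0-1105"                                          # placeholder SID
def demo():
    # A per-property ACE on a user (telephone only) and an inherit-only delegation ACE on an OU
    user_dacl = [ObjectAce(ALLOWED, DS_READ_PROP | DS_WRITE_PROP, HELPDESK, object_type=TELEPHONE_PROP)]
    ou_dacl = [ObjectAce(ALLOWED, DS_READ_PROP | DS_WRITE_PROP, HELPDESK,
                         frozenset({INHERIT_ONLY, CONTAINER_INHERIT}), MEMBER_PROP, GROUP_CLASS)]
    group_dacl = inherit_dacl(ou_dacl, GROUP_CLASS)   # what a Group created under the OU gets
    return {
        "write_telephone": access_check(user_dacl, {HELPDESK}, DS_WRITE_PROP, TELEPHONE_PROP),
        "write_other_prop": access_check(user_dacl, {HELPDESK}, DS_WRITE_PROP, "prop-guid-other"),
        "group_inherits": len(group_dacl), "user_inherits": len(inherit_dacl(ou_dacl, USER_CLASS)),
        "write_group_members": access_check(group_dacl, {HELPDESK}, DS_WRITE_PROP, MEMBER_PROP),
        "write_ou_members": access_check(ou_dacl, {HELPDESK}, DS_WRITE_PROP, MEMBER_PROP),
    }
```

The inherit-only ACE on the OU grants nothing on the OU itself and nothing on User children; only Group children end up with a writable Members property.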

Leveraging AD Security: Default security descriptors
- Object classes in schema
  - DefaultSecurityDescriptor
  - Security Descriptor Definition Language (SDDL)
  - ConvertSecurityDescriptorToTextSecurityDescriptor
- Object instantiations
  - (Default Security Descriptor) + (Inherited Security Descriptor from parent)
- Exception
  - Object specific inherited security descriptor from parent

Leveraging AD Security: Manipulating security descriptors
- Reading and writing with ADSI
  - Entire NTSecurityDescriptor attribute
  - Granular interfaces
- IADsSecurityDescriptor
  - Rev, Control, Owner, Group, DACL, SACL
- IADsAccessControlList
  - Revision, Count, Add/Remove ACE
- IADsAccessControlEntry
  - Type, Flags, Mask, ObjectType, InheritedObjectType, Trustee
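An added example (not from the presentation) that parses an SDDL string of the kind stored in a class's DefaultSecurityDescriptor into the Owner/Group/DACL/SACL fields and the Type/Flags/Mask/ObjectType/InheritedObjectType/Trustee fields listed on the two slides above, then lists who holds CONTROL_ACCESS. The sample descriptor and its GUIDs are constructed; only the directory-specific, standard and generic rights abbreviations are mapped, and domain-relative trustees such as DA are left unresolved.

```python
# Added example, not code from the presentation: parses a DefaultSecurityDescriptor-style
# SDDL string into the fields exposed by IADsSecurityDescriptor / IADsAccessControlEntry.
import re

ADS_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
              "GW": 0x40000000, "GR": 0x80000000}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
             "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
# Abbreviations with a fixed SID; domain-relative ones (DA, EA, SA, DU, ...) are left as
# their two-letter form because resolving them needs the domain SID.
WELL_KNOWN_SIDS = {"AU": "S-1-5-11", "SY": "S-1-5-18", "WD": "S-1-1-0", "BA": "S-1-5-32-544",
                   "PS": "S-1-5-10", "CO": "S-1-3-0", "AN": "S-1-5-7"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(text):
    """One '(type;flags;rights;object_guid;inherit_guid;trustee)' ACE string."""
    m = ACE_RE.fullmatch(text)
    if not m:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, object_guid, inherit_guid, trustee = m.groups()
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)                    # SDDL may give the mask as a hex number
    else:
        mask = 0
        for r in _pairs(rights): mask |= ADS_RIGHTS[r]   # KeyError on an unknown abbreviation
    return {"Type": ACE_TYPES[ace_type], "Flags": _pairs(flags), "Mask": mask,
            "ObjectType": object_guid or None, "InheritedObjectType": inherit_guid or None,
            "Trustee": WELL_KNOWN_SIDS.get(trustee, trustee)}

def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into Owner, Group, DACL and SACL (flags plus parsed ACEs)."""
    sd = {"Owner": None, "Group": None, "DACL": None, "SACL": None}
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = part[0], part[2:]
        if key in "OG":
            sd["Owner" if key == "O" else "Group"] = WELL_KNOWN_SIDS.get(body, body)
        else:
            flags = body.split("(", 1)[0]         # ACL control flags, e.g. P (protected), AI
            aces = [parse_ace(a) for a in re.findall(r"\([^)]*\)", body)]
            sd["DACL" if key == "D" else "SACL"] = {"Flags": flags, "ACEs": aces}
    return sd

def control_access_grants(sd):
    """Trustees granted CONTROL_ACCESS, with the right GUID when the ACE is scoped to one."""
    return [(a["Trustee"], a["ObjectType"]) for a in sd["DACL"]["ACEs"]
            if a["Type"].startswith("ACCESS_ALLOWED") and a["Mask"] & ADS_RIGHTS["CR"]]
# Constructed sample in the shape of a schema DefaultSecurityDescriptor; GUIDs are placeholders.
SAMPLE = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(OA;CIIO;RPWP;11111111-1111-1111-1111-111111111111;22222222-2222-2222-2222-222222222222;AU)"
          "(OA;;CR;33333333-3333-3333-3333-333333333333;;PS)")
```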

Leveraging AD Security: Use security groups
(Diagram: the Universe of Users is mapped to the Universe of Resources through Global Groups, Universal Groups and Domain Local Groups.)
- Identify needed default authorizations
- Identify “roles” to grant default authorizations
  - Application Servers - machines the server is running on
  - Application Server Admins - administrators for the application server
- Create groups associated with the roles

And…
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some guidelines to remember

Guidelines For All - One
- Credentials for binding
  - Use user’s default credentials when possible
  - Connect, bind and forget
- Expect and gracefully handle errors
  - Never assume who the user is
  - Only a subset of reads and searches may succeed
  - Entire write may fail

Guidelines For All - Two
- Need-to-know User Interfaces
  - Use allowedAttributesEffective
  - Use allowedChildClassesEffective
- Honor granularity of permissions
  - Batching multiple reads is OK
  - Batching multiple writes may not be
  - Commit object creation as a single operation

Guidelines For Services - One
- Plan for multi-tier setup
  - Schema setup needs to be done by schema administrators
  - Configuration container setup needs to be done by Enterprise administrators
  - Domain setup needs to be done by Domain Administrators

Guidelines For Services - Two
- Be least privileged
  - Can you run on a non-DC under Local System?
  - Can you run under a service account on a DC?
- Use security groups to
  - Define machine roles running the service
  - Delegate administration of service specific objects

Guidelines For Services - Three
- Impersonate clients
  - Remember clients can talk to DS directly -- leverage that where you can
  - Impersonate client when binding to DS on their behalf
  - Manage multiple DS connections cleanly!
- Use Active Directory Object Security
  - Define sensible default security descriptors
  - Support manipulating security

Call To Action
- Care about security
  - Active Directory is a secured data store and Windows NT’s security accounts database
- Know about security
  - Every directory object is secured by a security descriptor
- Use AD Security
  - Define default security and leverage object specific delegation of administration
- Follow the guidelines