Active Directory
Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer the computing facilities easily and centrally such as Granting access to a computer Give permission to use a printer Read and write files to a certain folder And to ensure the security of the system
Aims of Active Directory Enable users to find network resources easily Central and easy administration of users and resources in a domain Improve security by controlling access on resources and restrictions placed on user and computer configuration
Active Directory: What is it? An implementation of LDAP directory services by Microsoft for use primarily in Windows environments. Provide central authentication and authorization services for Windows based computers. Allow administrators to assign policies, deploy software, and apply critical updates to an entire organization.
What is it Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects.
What is it It is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g. computers), services (e.g. e- mail) and users (user accounts and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.
Necessary components Domain controller(s) as central repository of the domain and provides access control DNS server for locating resources Other computers: servers and workstations added to domain by domain administrator
Protocols used Kerberos for network authentication Lightweight Directory Access Protocol (LDAP) to provide directory service (to get information about objects)
AD Structure Domain based Hierarchical tree structure Network resources are objects Containers for grouping Objects have attributes, allow security to build
Elements of AD Domain Organization Unit Group User
Elements of AD Site Computer Print Queue Contact
Elements of AD PolicyLicense Site
AD as centre of network
Domain Each AD must has at least one Domain Controller which is the central management of the system. The other computers, computing resources including people (users) are joined to the AD by the administrator The Domain Naming System as used in Internet is used to name the resources in the AD.
LDAP The Lightweight Directory Access Protocol, or LDAP is used to add, modify and delete information stored in Active Directory as well as to query and retrieve data over TCP/IP. LDAP is used as a source of information for authorization.
Information obtained from LDAP
Directory Service
Directory Services Telecommunication companies introduced the concept of directory services to information technology and computer networking, as their understanding of directory requirements was well-developed after some 70 years of producing and managing telephone directories.
Directory Services The X500, protocol for directory services was created in the 1960s. X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack. The LDAP is a light weight alternative that uses the TCP/IP stack.
Application of Directory Service Part of Network OS Stores and organizes information about a computer network's users and network resources Acts as a central/common authority that can securely authenticate the system resources that manage the directory data
Example MS Active Directory Sun Java System Directory Server IBM Tivoli Directory Server
Domain Name System Domain Name/ IP Address resolution system, used chiefly in Internet A distribution systems contains a no. of root domain servers and each domain has its own domain server The domain name follows a certain structure, the namespace
AD and DNS DNS domains are for finding resources. AD domains are for organizing resources. Work together in AD
AD and DNS work together
Entry in AD dn: cn=John Doe,dc=example,dc=com cn: John Doe givenName: John sn: Doe telephoneNumber: telephoneNumber: mail: manager: cn=Barbara Doe,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top
Search information in AD
Structure in AD Forest Tree Domain Organization Unit (OU) Group
Domain Tree
AD Forest When different namespace is required Must share common schema and Global Catalog Server
Organizational Unit Contains the following units for easy management Users Computers Groups Printers Applications Security Policies File shares
Group Policy Group Policies are rules to define user or computer settings for an entire group of users or computers at one time. The settings that you configure are stored in a Group Policy Object (GPO), which is then associated with Active Directory containers such as sites, domains, or organizational units.
Group Policy Apply to
Group Policy Many different aspects of the network, desktop, and software configuration environments can be managed through Group Policies. registry settings for both users and computers file system permissions, Internet Explorer settings, registry permissions, software distribution, etc.
Group Policy Group Policies are analyzed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically. It can also be applied to offline computers and roaming users
Group Policy Hundreds of settings can be defined Each setting has 3 possible states: Not configured Disabled Enabled
Group Policy Multiple group policies can be created and distributed. User and computers accounts can have more than one policy applicable to them based upon the site, domain, or OU they are in, security groups, or any combination.
Property of Group Policy Policy setting inherited by child containers A container can have multiple policies being applied Which policy setting comes into effect depends on it precedence of the policy
Group Policy Processing Order LSDOU Local Computer Policy Site Domain OU Organization Unit (Sub-OU) The policy processed last will take precedence (win)
Group Policy Management Tool Download from Microsoft for easy management of group policy
Logon procedure in AD Client makes a RPC and passes its configuration (domain membership, IP) to Netlogin service Netlogin makes query to DNS server Query changed to a form of LDAP DNS Server returns a list of domain controller to client Client sends request to domain controller
Authentication and Authorisation procedure Authentication request to domain controller Domain controller verifies credential using the Kerberos protocol AD gathers all group policy applied to the user and computer and returns a list of SID to user’s computer The LSA uses the SIDs to form an access token
Kerberos for authentication
Advantages of using Kerberos Central authentication with service tickets for resources No need to authenticate with the resources one by one Saving of bandwidth Session key encrypted with timestamp, save from eavesdropping and replay attack
Authentication Protocol Windows NT: NT Lan Manager (NTLM) Aged protocol Relatively easy to crack Windows 2000/2003: Kerberos
Content of Access Token To show identity and privilege Name SID of user Groups SID of groups user belongs Logon SID (valid for a certain duration)
Content of Security Descriptor SID of owner SID of group (seldom used in Windows) DACL SID, Rights Deny on top System ACL
Request for use of network resources The user’s request is authenticated by comparing the Access Token to the Security Descriptor of an object (The SID on the access token is compared with the ACL on the Security Descriptor)
Use of Access token for authorisation
AD at work
Active Directory Security Industry-standard secure protocols Kerberos (Authentication) LDAP over SSL (Authorization) X.509 (Cert-based Authentication) Smart cards Public Key Infrastructure (PKI) Domain trusts Security groups and permissions
AD and Certificates A Certificate Authority can be installed within the AD to provide additional security such as using L2TP for remote VPN services Enrollment to certificate can be easily done through a web browser
Samples of Group Policy A package called Common Scenario provided by Microsoft Lightly managed Mobile Multi-user App station Task station Kiosk