COMP2221 Networks in Organisations Richard Henson April 2014.

Week 7: A Closer look at Active Directory

Objectives:
- Explain client-server network logon
- Explain security features associated with Active Directory
- Apply secure file system principles and Active Directory to controlling access for groups of network users
- Apply Active Directory group policies across one or more domains

Logon on Local/Remote
- Computers boot up locally
  - includes the OSI 7-layer connectivity software
  - logon happens at layer 5 (session layer): the logon is allocated a session ID
- Remote logon is also at layer 5
  - software called the redirector seeks resources from the network
  - it can also look up the Active Directory database to find resources

The Redirector (OSI Level 5)
- Client-server service
- Provides file and print connectivity between computers
  - one end must be the "server", which provides the service
  - the other end is the client, which may be logged on; its redirector requests the service

Redirector ("Workstation", i.e. the client end)
- Implemented as a file system driver
- Invoked if the local file system cannot find the file or service
- Then:
  - sends the request across the network to the server that holds the resource, consulting the Active Directory database to locate it if necessary
  - passes the request down to the next OSI layer (4) via the Transport Driver Interface (TDI), which communicates directly with the transport protocols
  - so the redirector is independent of the layer 2-4 networking components beneath it

Redirector (Workstation Service)
- Adherence to OSI layers means you can independently add or remove:
  - transport protocols (layers 3 and 4)
  - network cards (layers 1 and 2)
  without reconfiguring the whole system
- Completely transparent in redirecting I/O calls not serviced locally
  - especially important when applications are being used

Server Service
- Server end of the redirector:
  - implemented as a file system driver
  - communicates with the lower layers via TDI
- Supplies the network connections requested by the client redirector
- Receives requests via the adapter card drivers, the transport protocol (e.g. TCP/IP) and TDI

Running Client-Server Applications
- Client process and server process provide a mechanism for:
  - pipes, to link processes that need bi-directional communication
  - mailslots, to link processes that only require one-directional communication
  - Winsock, to manage the communication channel
  - RPCs (Remote Procedure Calls), allowing distributed applications to call procedures anywhere on the network

File and Print Sharing
- Shared resource access requires use of the redirector and the server service
- The Multiple UNC Provider allows connection to a resource on any computer that supports UNC (Universal Naming Convention) names:
  - files: \\server\shared folder[\sub-folder]\filename
  - printers: \\server\shared printer
- The Multiple Provider Router supports multiple redirectors

Network Binding
- Binding is about linking network components working at different OSI levels together to enable communication
- Windows binding links the redirector and server service with the transport protocol and (via NDIS) the adapter card drivers
  - happens automatically when:
    - there is a change of protocol, or of protocol settings
    - different network adapter drivers are installed
    - existing adapter card settings are altered

Terminal Services
- Allows any PC running a version of Windows to remotely run a Windows server
  - presents a copy of the server's desktop on the client machine
- Client tools must be installed first, but the link can run with very little bandwidth
  - possible to remotely manage a server thousands of miles away over a dial-up phone connection

The www service
- Provided by Microsoft's web server (IIS)
  - listens on TCP port 80
  - can also provide:
    - an ftp service (port 21)
    - an smtp service (port 25)
- Purpose of the www service: work with the http protocol to make html pages available
  - across the network as an Intranet
  - to trusted external users/domains as an Extranet

Features of IIS
- Provides a server-end program execution environment: runs server-side scripts
- Sets up its own directory structure on the server for developing Intranets, Extranets, etc.
- Sets up communication via TCP port 80 in response to a client request
- Client end: the browser provides the HTML display environment

"Static" web page service: the client (browser) requests information (an HTML page); the server (IIS, the web server) processes the request and sends the HTML page back to the client.

More Features of IIS
- Access to any client-server service can be restricted using username/password security at the server end
  - or security can be bypassed with "anonymous login":
    - uses a "guest" account (the IUSR account), granted access only to the files that make up the Intranet
    - removes the worry about attackers getting in by guessing the passwords of existing users
    - but the NTFS permissions on the web content must then be tight, because every anonymous visitor runs as that one account

Client-Server Web Applications
- Associated with "dynamic" web pages
- The web server provides a server-side environment that allows browser data to query remote online databases using SQL
  - processing takes place at the server end, usually in .aspx or .php pages
  - centralised, and secure as long as the input coming from the browser is validated before it reaches the database

Some recent challenges to client-server applications
- Apps (especially phone apps) using local processing, even local storage (!)
  - open to wireless retrieval?
  - again, the issue of availability versus security
- A server with a logically attached database can be wide open to attack by SQL injection if browser input is spliced straight into the query
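The SQL injection risk named on the slide, shown as an added example (not code from the lecture): the same server-side logon check written first by concatenating browser input into the statement, then as a parameterised query. The in-memory SQLite table, account names and passwords are constructed for the example.

```python
import sqlite3


# Constructed in-memory stand-in for the "logically attached database" on the
# slide. The table, account names and passwords are made up for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Server-side logon check that splices browser input straight into the
    SQL text, which is exactly the pattern SQL injection exploits."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Same check with a parameterised query: the values travel to the
    database engine separately from the statement, so quotes or comment
    markers inside them can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (name, pwd)).fetchone()[0] > 0


def demo() -> dict:
    """Run both checks against a genuine logon and two classic injections."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment = "alice'--"        # closes the string and comments out the password test
    return {
        "vuln_genuine": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "param_genuine": login_parameterised(conn, "alice", "s3cret"),
        "param_tautology": login_parameterised(conn, "nobody", tautology),
        "param_comment": login_parameterised(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:16s} logged in: {outcome}")
```

The tautology payload lets an unknown account in and the comment payload lets a known account in without its password; with the parameterised statement both fail while the genuine logon still succeeds. Input validation on top of this is still worth having, but parameterisation is what actually closes the hole.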

Troubleshooting Local Resources
- Task Manager
  - Applications tab: just gives the name and status of each application loaded into memory
  - Processes tab:
    - all system processes
    - memory usage of each
    - % CPU time for each
    - total CPU time since boot-up
  - Performance tab:
    - total number of threads, processes and handles running
    - % CPU usage, split into kernel mode and user mode
    - physical memory available/used
    - virtual memory available/used

Troubleshooting Local Resources
- Event Viewer
  - system events recorded into "event log" files
    - three by default: Application, Security (the audit log) and System
    - customisable
  - three types of event in the Application and System logs: Information, Warning and Error; the Security log records Success Audit and Failure Audit events instead
  - more information for each event is obtained by double-clicking it
  - event management is also required:
    - e.g. new files daily? old ones archived? dumped? when?
    - how often to check the event files?
    - important to detect security issues and potential failures
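One concrete reason to check the Security log regularly, as an added example (not from the lecture): a small detector run over a constructed sample of logon records that flags a source address making repeated failed logons and notes whether a logon from that source later succeeded. The records, account names and addresses are made up; event IDs 4625 (failed logon) and 4624 (successful logon) are those of the Windows Vista / Server 2008 and later Security log, the Server 2003 equivalents being 529 and 528.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs of the Security log on Windows Vista/2008 and later
# (529/528 on Windows Server 2003).
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Constructed sample of Security-log records, not real log data. Fields are
# the ones a logon record carries: time, event ID, account name, source address.
SAMPLE_EVENTS = [
    ("2014-04-07 09:00:01", 4625, "jsmith", "10.0.0.23"),
    ("2014-04-07 09:00:04", 4625, "jsmith", "10.0.0.23"),
    ("2014-04-07 09:00:06", 4625, "admin",  "10.0.0.23"),
    ("2014-04-07 09:00:09", 4625, "jsmith", "10.0.0.23"),
    ("2014-04-07 09:00:12", 4625, "jsmith", "10.0.0.23"),
    ("2014-04-07 09:00:20", 4624, "jsmith", "10.0.0.23"),
    ("2014-04-07 09:15:00", 4625, "bjones", "10.0.0.41"),
    ("2014-04-07 09:45:00", 4624, "bjones", "10.0.0.41"),
]


def parse_event(record):
    stamp, event_id, account, source = record
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event_id, account, source


def find_password_guessing(records, threshold=5, window=timedelta(minutes=5)):
    """Flag any source address that produces `threshold` or more failed logons
    within a sliding `window`, and note whether a successful logon from the
    same source followed (a guess that worked, the case worth paging for)."""
    events = sorted(parse_event(r) for r in records)
    recent_failures = defaultdict(list)   # source -> failure times inside the window
    accounts_tried = defaultdict(set)     # source -> account names that failed
    alerts = {}
    for when, event_id, account, source in events:
        if event_id == FAILED_LOGON:
            accounts_tried[source].add(account)
            # drop failures that have fallen out of the window, then add this one
            recent_failures[source] = [t for t in recent_failures[source] if when - t <= window]
            recent_failures[source].append(when)
            if len(recent_failures[source]) >= threshold and source not in alerts:
                alerts[source] = {
                    "first_failure": recent_failures[source][0],
                    "accounts": sorted(accounts_tried[source]),
                    "success_after": False,
                }
        elif event_id == SUCCESSFUL_LOGON and source in alerts:
            alerts[source]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for source, detail in find_password_guessing(SAMPLE_EVENTS).items():
        print(source, detail)
```

On the sample data 10.0.0.23 trips the threshold and then logs on successfully, which is the event chain that deserves an investigation rather than a log rotation; 10.0.0.41 has a single mistyped password and is ignored. Windows itself keeps the Security log only if Audit logon events is switched on in policy, so the detector has nothing to read unless that is enabled first.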

Troubleshooting Local Resources
- System Monitor / Performance Monitor (perfmon.msc)
  - monitors many aspects of system performance through counters (processor, memory, disk, network interface and so on); capturing, filtering and analysing the actual frames or packets sent over the network is the job of the separate Network Monitor tool
    - either display current data graphically, in real time
    - or log data at regular intervals to get a longer-term picture
  - alerts: notify when a particular threshold value has been reached
- System recovery (the Startup and Recovery settings)
  - if a fatal error occurs:
    - an immediate dump of system memory is made, which can be used for identifying the cause of the problem
    - an administrative alert is sent
    - the system is restarted automatically

The Active Directory "store"
- The directory database is held in the file NTDS.DIT, created when the first domain controller is promoted
  - every domain controller holds a full, writable replica of its own domain's partition
  - covers all the "objects" in the domain, e.g. shared resources such as servers, files and printers, and network user and computer accounts
  - directory changes are automatically replicated to all domain controllers of the domain
- The Global Catalog is a partial, read-only replica of every object in the whole forest, held on the domain controllers designated as Global Catalog servers; it is what lets a logon or a search find objects in other domains

Group Policies and Network Access
- Active Directory controls access to all network resources
- Achieved by putting the right users in the right groups, and attaching the right permissions and Group Policy settings to those groups
- How can the network administrator know what policies to allocate to which user(s)?
  - groups must have appropriate settings

Managing Group Policy
- Group Policy Management Console (GPMC; Windows 2003 onwards)
- Applies the principles of MMC (Microsoft Management Console) to managing Group Policy Objects (GPOs)
  - particularly useful for testing/viewing the resultant set of policy produced when several GPOs apply to the same user or computer in a particular order

Security Features of Active Directory (1)
- SSL (secure OSI level 5)
  - for e-commerce
  - Internet Information Server (IIS) supports websites accessible only via https/SSL
- LDAP over SSL (LDAPS, TCP port 636)
  - LDAP is the protocol used to look up objects in the directory
  - run over the secure sockets layer (SSL), it lets extranet and e-commerce applications check the server's credentials, and keeps directory queries and binds from crossing the network in plain text

Security Features of Active Directory (2)
- Transitive Domain Trust
  - default trust between contiguous Windows domains in a domain tree
  - greatly reduces management overhead

Security Features of Active Directory (3)
- Kerberos Authentication
  - the default protocol for authenticating users and computers to the domain
  - referrals across the trust relationships mean a user authenticated in one domain can be authenticated to resources in another trusted domain, even where the two are not part of the same DNS zone
- Smart Card Support
  - logon via smart card for strong (two-factor) authentication to sensitive resources

Protecting Local Passwords
- More sophisticated challenge-response authentication (NTLMv2) has been available since Windows NT 4.0 SP4, so on every Windows 2000 and later system
  - until Vista arrived, clients still sent the weak LM/NTLMv1 responses by default, "for compatibility reasons"
  - unless NTLMv2 is enforced, the password-derived responses an XP system puts on the wire are easy to "hack" with the right tools (!)
- Any client network user should make sure this password protection feature is turned on
  - can be applied to domain members through Group Policy: Security Options, "Network security: LAN Manager authentication level" (the LmCompatibilityLevel registry value); level 3 sends NTLMv2 only, level 5 additionally refuses LM and NTLMv1 from clients
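What NTLMv2 actually puts on the wire, as an added example (not from the lecture and not Microsoft's code): the NT hash is derived from the password, an NTLMv2 key from the NT hash, user name and domain, and the response the server checks is an HMAC-MD5 over the server's challenge and the client's blob. The user name, domain, challenges and the simplified fixed blob are constructed for the example; MD4 is written out because OpenSSL 3 builds of Python often no longer expose it through hashlib.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320 (needed for the NT hash; hashlib may lack it)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, order, shifts, k in rounds:
            for i in range(16):
                j = (-i) % 4   # updates a, d, c, b in turn, as the RFC's step tables do
                x, y, z, w = s[j], s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rol((x + fn(y, z, w) + words[order[i]] + k) & MASK32, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. This is what the DC stores."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the part of the NTLMv2 response the server checks: HMAC-MD5
    over the 8-byte server challenge and the client blob (which in the real
    protocol carries a timestamp, a client nonce and the target info).
    Only this value and the blob cross the wire; the hash never does."""
    return hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The authenticating side recomputes the proof from the NT hash it holds
    and compares in constant time."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


# Constructed exchange: hypothetical user and domain, fixed nonces, and a
# simplified blob standing in for the real timestamp/nonce/target-info structure.
USER, DOMAIN, PASSWORD = "jsmith", "CORP", "password"
CHALLENGE_1, CHALLENGE_2 = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
BLOB = bytes(range(32))


def demo() -> dict:
    nt = nt_hash(PASSWORD)
    proof1 = ntlmv2_proof(nt, USER, DOMAIN, CHALLENGE_1, BLOB)
    proof2 = ntlmv2_proof(nt, USER, DOMAIN, CHALLENGE_2, BLOB)
    return {
        "nt_hash": nt.hex(),
        "proofs_differ_per_challenge": proof1 != proof2,
        "server_accepts": server_verify(nt, USER, DOMAIN, CHALLENGE_1, BLOB, proof1),
        "replay_rejected": server_verify(nt, USER, DOMAIN, CHALLENGE_2, BLOB, proof1),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the slide's advice turns on are visible here: a captured response is useless against a fresh challenge, and the only secret the server needs in order to verify is the NT hash itself. That second point is the caveat: raising LmCompatibilityLevel protects the password in transit, but the stored NT hash remains password-equivalent, so domain controllers and cached credentials still need protecting.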

Active Directory and "controlling" Users
- "Groups" were already well established for managing network users
- Active Directory centrally organises resources, including all computers
  - this allowed groups to become more powerful for user management
  - exploited by enabling users and groups of users to be organised into:
    - organisational units
    - sites
    - domains

Managing Domain Users with Active Directory
- The same user information is stored on all domain controllers
- Users can be administered from any domain controller for that domain, by anyone with secure access to an administrator account on it
  - flexibility, but potential danger!

Making Sure Users don't get the Administrator Password!
- File security assumes that only the network manager can log on as Administrator
  - but if a user can guess the password... (!)
- Strategies:
  - rename the Administrator account to something more obscure (but note this does not change its SID, whose relative identifier is always 500, so anyone who can enumerate SIDs can still find it)
  - only give the Administrator password to one other person
  - change the Administrator password regularly

How AD Provides Security
- Manages which "security principal(s)" have access to each specific resource
  - i.e. users, computers, groups, or services (via service accounts)
  - each has a unique identifier (SID)
- Validates the authentication process:
  - for computers, at startup
  - for users, at logon

More about the SID
- The SID (Security ID) comprises:
  - the domain ID, common to all security principals within the domain
  - a unique relative identifier (RID) within that domain
  - e.g. S-1-5-21-<domain ID>-500 is always the built-in Administrator account of that domain, whatever it has been renamed to

Access Tokens
- Generated when a user logs on to the network
- Contains:
  - the user's SID
  - the SIDs of each group of which the user is a member
  - the user rights (privileges) that the local security policy assigns to any of those SIDs

ACEs (Access Control Entries)
- Each object or resource has an access control list (ACL), e.g.:
  - directory objects and their properties
  - shared folders and printer shares
  - folders and files within the NTFS file system
- ACEs are the individual entries within the ACL
  - together they protect the resource against unauthorised users

More on ACLs
- Two distinct ACLs for each object or resource:
  - discretionary access control list (DACL)
    - the list of SIDs that are either granted or denied access, and the degree of access that is allowed
  - system access control list (SACL)
    - the list of SIDs whose access to or manipulation of the object or resource needs to be audited, and the type of auditing to be performed

Mechanism of AD security
- Users are usually assigned to several groups
- When a user attempts to access a directory object or network resource, the security subsystem:
  - takes the SID of the user and the SIDs of the security groups of which the user is a member (all present in the access token)
  - walks the DACL in the resource's security descriptor in order, checking each ACE against those SIDs
- A matching deny ACE that covers any of the requested rights stops the check; otherwise the matching allow ACEs accumulate until every requested right is granted
- If the requested access is fully granted, the user gets that degree of access to the resource as specified in the ACL; if the DACL is exhausted first, access is denied
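The SID structure of the earlier slide and the DACL walk described here, as one added example (not code from the lecture, and a model of the Windows algorithm rather than the Win32 API): a SID string is split into its domain identifier and RID, well-known RIDs such as 500 are recognised regardless of account name, and an access check is run over a token and a DACL. The domain identifier, account SIDs and the three-bit access mask are constructed for the example; Windows uses a 32-bit mask.

```python
import re
from dataclasses import dataclass

# Well-known relative identifiers inside a domain SID (Microsoft-defined).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def split_sid(sid: str):
    """Return (domain identifier, RID) for a domain SID of the form
    S-1-5-21-<three sub-authorities>-<RID>; None for any other SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(p) for p in m.group(2).split("-")[1:]]
    if authority != 5 or subs[0] != 21 or len(subs) != 5:
        return None
    return "S-1-5-21-" + "-".join(map(str, subs[1:4])), subs[4]


def principal_name(sid: str) -> str:
    """Identify a principal by its RID, which renaming the account cannot change."""
    parsed = split_sid(sid)
    if parsed is None:
        return "(not a domain SID)"
    return WELL_KNOWN_RIDS.get(parsed[1], "(ordinary domain account or group)")


# Three example rights standing in for the Windows 32-bit access mask.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(dacl, token_sids, desired: int) -> bool:
    """The DACL walk the security subsystem performs: ACEs are examined in
    order; an ACE is ignored unless its SID is in the token; a deny ACE that
    overlaps any right not yet granted fails the check; allow ACEs accumulate
    until every desired right is granted. A missing DACL (None) grants
    everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed domain and principals (hypothetical identifiers).
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ALICE = DOMAIN + "-1105"
DOMAIN_USERS = DOMAIN + "-513"
ALICE_TOKEN = {ALICE, DOMAIN_USERS}   # user SID plus group SIDs, as in the access token

# Canonical order: explicit deny ACEs precede explicit allow ACEs.
CANONICAL = [Ace("deny", ALICE, WRITE), Ace("allow", DOMAIN_USERS, READ | WRITE)]
# The same ACEs with the allow placed first: the deny never gets a chance to fire.
NON_CANONICAL = [Ace("allow", DOMAIN_USERS, READ | WRITE), Ace("deny", ALICE, WRITE)]


def demo() -> dict:
    return {
        "rid_500_is": principal_name(DOMAIN + "-500"),
        "read_canonical": access_check(CANONICAL, ALICE_TOKEN, READ),
        "write_canonical": access_check(CANONICAL, ALICE_TOKEN, WRITE),
        "write_non_canonical": access_check(NON_CANONICAL, ALICE_TOKEN, WRITE),
        "execute": access_check(CANONICAL, ALICE_TOKEN, EXECUTE),
        "empty_dacl": access_check([], ALICE_TOKEN, READ),
        "no_dacl": access_check(None, ALICE_TOKEN, FULL),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The non-canonical case is the one worth remembering when ACLs are edited programmatically: the same two entries give the opposite answer for WRITE if the allow comes first, which is why the Windows tools always write deny entries ahead of allow entries. The empty-versus-missing DACL distinction is the other trap: a security descriptor with no DACL at all protects nothing.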

Power of Group IDs in Policy-based Security
- Group Policy:
  - allows groups of users to be granted or denied access to, or control over, entire classes of objects and sets of resources
  - allows security and usage policies to be established separately for:
    - computer accounts
    - user accounts
  - can be applied at multiple levels:
    - users or computers residing in a specific OU
    - computers or users in a specific AD site
    - an entire AD domain

Active Directory and Group Policy
- Power of Group Policy:
  - allows network administrators to define and control the policies governing:
    - groups of computers
    - groups of users
  - administrators can set Group Policy for any of the sites, domains or organisational units in the Active Directory domain tree

Monitoring Group Policy
- Policies, like permissions, are CUMULATIVE: a user or computer receives the settings of every GPO linked to its site, domain and OUs, processed in that order, with the GPO applied last winning where two set the same value (unless a higher-level link is marked Enforced)
  - watch the simulation (AGAIN!)
- Windows 2000 policies
  - the administrator had to work out by hand which cumulative set of policies was controlling the environment for a specific user or computer
- Windows 2003 GPMC
  - tracks and reports the Resultant Set of Policy (RSoP):
    - the net effect of all the overlapping policies on a specific user or computer within the domain
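How the resultant set of policy falls out of the site, domain and OU links, as an added example (not from the lecture, and a model of the precedence rules rather than the GPMC's own RSoP code): GPOs are applied site, then domain, then OU, a later GPO overriding an earlier one where they conflict, Enforced links override anything below them, and Block Inheritance on a container drops every non-enforced GPO linked above it. The container names, GPO names and setting values are constructed for the example; the local GPO, which is applied before any of these, is left out.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict
    enforced: bool = False   # "Enforced" link ("No Override" in Windows 2000)


@dataclass
class Container:
    """A site, domain or OU with the GPOs linked to it. `gpos` is in
    application order: the last entry is applied last and so wins within
    the container (the GPMC shows that one as link order 1)."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def resultant_set(chain):
    """chain runs from the top of the hierarchy down to the container holding
    the user or computer: [site, domain, OU, sub-OU, ...]. Returns the
    effective settings and, for each, the name of the GPO that supplied it."""
    # Block Inheritance discards every non-enforced GPO linked above the
    # container carrying it; the lowest such container is the one that counts.
    block_at = None
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            block_at = depth
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.enforced:
                enforced.append(gpo)
            elif block_at is None or depth >= block_at:
                normal.append(gpo)
    # Normal GPOs apply top-down, later ones overriding earlier ones on a
    # conflict. Enforced GPOs apply after all of them, and when two enforced
    # GPOs conflict the one higher in the hierarchy wins, so they go bottom-up.
    result, source = {}, {}
    for gpo in normal + list(reversed(enforced)):
        for key, value in gpo.settings.items():
            result[key] = value
            source[key] = gpo.name
    return result, source


# Constructed example hierarchy (hypothetical GPO names and values).
SITE = Container("Site: HQ")
DOMAIN = Container("Domain: corp.example", [
    Gpo("Default Domain Policy", {"ScreenSaverTimeout": 600, "AuditLogonEvents": "Success,Failure"}),
    Gpo("NTLMv2 only", {"LmCompatibilityLevel": 5}, enforced=True),
])
FINANCE_OU = Container("OU: Finance", [
    Gpo("Finance desktops", {"ScreenSaverTimeout": 300, "LmCompatibilityLevel": 1}),
])


def demo():
    """RSoP for a Finance workstation, then the same with Block Inheritance on the OU."""
    effective, _ = resultant_set([SITE, DOMAIN, FINANCE_OU])
    blocked_ou = Container(FINANCE_OU.name, FINANCE_OU.gpos, block_inheritance=True)
    blocked_effective, _ = resultant_set([SITE, DOMAIN, blocked_ou])
    return effective, blocked_effective


if __name__ == "__main__":
    normal, blocked = demo()
    print("normal: ", normal)
    print("blocked:", blocked)
```

The Finance OU's attempt to drop LmCompatibilityLevel back to 1 loses to the enforced domain GPO in both cases, while its screen-saver value wins over the domain default; once the OU blocks inheritance the domain's audit setting disappears altogether. That last outcome is exactly the sort of silent change the later slide on enterprise administrators warns about, and the GPMC's RSoP reporting is the way to see it before users do.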

Extending User/Group Permissions beyond a domain
- Possible for user permissions to be safely applied beyond the local domain
  - so users on one network can gain access to files on another network
  - authentication is controlled between servers on the local and trusted domains
- Normally achieved by "adding" groups from a trusted domain to the permissions on the local resource
- NOT the same as "remote logon", which needs its own username/password authorisation

Enterprise Networks
- Multiple domains in a tree
  - Transitive Domain Trust
  - a single enterprise administrator role, "Enterprise Admins"
  - greatly reduces management overhead

Managing Users & Their Profiles
- Once they get the hang of it, users save all sorts of rubbish to their user areas
  - may well include lots of downloaded web pages and images
- Problem!
  - 5000 users
  - each user takes 1 GB of space...
  - total disk space required is 5000 GB (about 5 TB)!

Managing User Profiles
- Windows 2003 Server "Disk Quotas":
  - allow administrators to track and control users' NTFS disk usage
    - coupled with Group Policy and Active Directory, user space is easy to manage, even enterprise-wide
  - users find this irritating, but it stops them keeping data they are never likely to use again

User Rights
- Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
  - the operating system can enforce this
- Users SHOULD:
  - have access to basic software tools
  - NOT be denied these on the grounds that the software could be misused
    - c.f. no one is allowed to drive a car because some drivers cause accidents!

Controlling/Monitoring Group Policy across Domains
- AD across a distributed enterprise:
  - "enterprise" administrators have the authority to implement and alter Group Policies anywhere
  - important to manage and restrict their number...
- Enterprise admins need to inform domain admins:
  - what has changed
  - when it changed
  - the implications of the change for directory and network operations
- Otherwise a change to Group Policies affecting a domain might occur with disastrous consequences

NFR Example: Possible Security Features
A checklist of areas to consider, abstracted from the ISO/IEC / Control Sets [TSI/2012/183]:
- Information labelling and handling
- Equipment siting and protection
- Supporting utilities
- Cabling security
- Maintenance
- Secure disposal or re-use
- Separation of development, test and operational facilities
- Controls against malicious code
- Controls against mobile code
- Information back-up
- Network controls
- Security of network services
- Electronic messaging
- On-line transactions
- Publicly available information
- Audit logging
- Auditing system use
- Protection of log information
- Clock synchronisation
- Privilege management
- Equipment identification in networks
- Remote diagnostic and configuration port protection
- Segregation in networks
- Network connection control
- Network routing control
- Secure log-on procedures
- User identification and authentication
- Password management system
- Use of system utilities
- Session time-out
- Limitation of connection time
- Information access restriction
- Sensitive system isolation
- Input data verification
- Control of internal processing, including least privilege
- Message integrity
- Output data verification
- Cryptographic controls
- Key management
- Technical vulnerability management (patches and updates)
- Collection of evidence