Migrating to Kerberos 5 Steve Devine Manager, Storage Systems Academic Computing and Network Services Michigan State University.

About Kerberos and AFS  Kerberos 5 –Network authentication protocol developed at MIT –Widely used –The authentication protocol of MS Windows Active Directory  AFS –Andrew File System, developed at Carnegie Mellon –Named for Andrew Carnegie and Andrew Mellon

Andrew File System (AFS)  In use at MSU since 1994  Serves as our campus-wide file system  afsdb0.cl.msu.edu serves as our campus Kerberos authentication service  Dozens of MSU services rely on it for authentication –Mail.msu.edu, ANGEL, etc. –AIS’ Sentinel service is a common front-end  Its authentication protocol (the AFS kaserver) is loosely based on Kerberos 4

Why Convert?  Kerberos 5 is the industry standard.  Far more secure than the current Kerberos 4-based system.  Windows Active Directory and other enterprise-level services are designed to use Kerberos 5.  Flexibility and dependability are greatly increased.  At some point we will be forced into conversion anyway.

Testing and Notification  MIT Kerberos 5 test server open-afsdb2.cl.msu.edu was online in June  Notices sent to network administrators (NAG) and ACNS staff  Migration info appears at: :  created for department representatives.  Test accounts were converted from the current MSU database and test users began testing in July 2004.

Backward Compatibility  The new service will run a 'fakeka' server, which emulates the AFS kaserver so that existing AFS authentication continues to work  The Kerberos 5 server will also run in Kerberos 4 compatibility mode so that services can migrate at their own pace

Single DES, Triple DES, and Passwords  DES = Data Encryption Standard, developed in the 1970s  The original 56-bit standard is now crackable with modern hardware  Triple DES uses three 56-bit keys  Existing MSU Kerberos uses single DES  Industry is moving to Triple DES and stronger encryption types –For instance, Windows Active Directory is designed for stronger encryption types than single DES –A KDC stores keys, not passwords, so an old single-DES key cannot be converted; a Triple DES key can only be derived when the user enters a new password –If your Kerberos key is still single DES only, you can’t use Active Directory services –Caveat: current MIT Kerberos (1.8 and later) refuses single-DES keys by default unless allow_weak_crypto is set, so the old keys must go before any future KDC upgrade

Password Implications  We will implement a new password policy with this migration  Minimum 8 characters  Must include at least 3 of the following character classes: –lower-case letters –upper-case letters –digits –punctuation –all other characters (e.g., control characters)  This will greatly enhance password effectiveness

Migration Timeline  May 11, 2005:  New server installed and 218,000 users loaded into Kerberos 5 database.  Media campaign to educate users and get them to reset password begins.  New password policy begins –Your old password will continue to work for existing systems. –When you change it, you must conform to new rules.

Timeline  September 27, 2005:  Disable access for any user who has not reset their password.  Official support for Kerberos 5 begins.  New users are created with Triple DES keys only
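Finding the users who still have to be disabled on September 27 comes down to which keys the KDC holds for each principal: an account loaded from the old database keeps only its single-DES key until the user changes the password. The script below is an added example, not MSU's own tooling; it parses the text that MIT kadmin prints for "getprinc" (key lines of the form "Key: vno N, <enctype>, <salt>") and lists principals with no key stronger than single DES. The dump it reads is constructed for the example.

```python
"""Audit kadmin 'getprinc' output for principals whose only keys are single DES.

Added example, not part of the original slides. Feed it the output of
something like `kadmin -q "getprinc alice"` for each principal; the
SAMPLE_DUMP below is constructed, and the realm name is assumed.
"""
import re

SAMPLE_DUMP = """\
Principal: alice@CL.MSU.EDU
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, AFS version 3 salt
Policy: default

Principal: bob@CL.MSU.EDU
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, AFS version 3 salt
Policy: [none]

Principal: host/www.cl.msu.edu@CL.MSU.EDU
Number of keys: 1
Key: vno 3, des3-cbc-sha1, no salt
Policy: [none]
"""

# "Key: vno 2, DES cbc mode with CRC-32, AFS version 3 salt"
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^,]+?)(?:,\s+(.*))?$")


def is_single_des(enctype: str) -> bool:
    """True for single-DES enctypes, whether printed descriptively or as des-cbc-*."""
    name = enctype.lower()
    return "des" in name and not any(tag in name for tag in ("triple", "des3"))


def parse_getprinc(text: str) -> dict[str, list[str]]:
    """Map principal name -> enctype strings of its keys, in printed order."""
    keys: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = []
        elif current is not None:
            m = KEY_RE.match(line)
            if m:
                keys[current].append(m.group(2).strip())
    return keys


def needs_reset(text: str) -> list[str]:
    """Principals that have keys but none stronger than single DES."""
    return sorted(
        p for p, encs in parse_getprinc(text).items()
        if encs and all(is_single_des(e) for e in encs)
    )


def still_has_single_des(text: str) -> list[str]:
    """Principals keeping a single-DES key beside stronger ones.

    Expected during the Kerberos 4 / AFS compatibility window; these are
    the keys to drop when Kerberos 4 support ends.
    """
    return sorted(
        p for p, encs in parse_getprinc(text).items()
        if any(is_single_des(e) for e in encs)
        and not all(is_single_des(e) for e in encs)
    )


if __name__ == "__main__":
    print("must reset before Sept 27:", needs_reset(SAMPLE_DUMP))
    print("still carrying a DES key:", still_has_single_des(SAMPLE_DUMP))
```

Service principals show up in the same audit, which is useful: a host key that is still single DES only is a service that has not been migrated, not a user who needs a reminder.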

Timeline  Date TBA, 2006?  Kerberos 4 support ends.  All services must support Kerberos 5

Communications Needs  Must document new password policy ASAP –Techbase, Help/Status, etc  Prepare the help desks for questions  Plan campaign for Fall  As September 27 approaches, users who have not changed their password