Active Directory

Computers in organizations
Computers are linked together for communication and sharing of resources. There is always a need to administer the computing facilities easily and centrally, such as:
- granting access to a computer
- giving permission to use a printer
- reading and writing files in a certain folder
and to ensure the security of the system.

Active Directory: What is it? Active Directory (AD) is an implementation of LDAP directory services by Microsoft for use primarily in Windows environments. Its main purpose is to provide central authentication and authorization services for Windows-based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an entire organization.

What is it? Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects to a large installation with millions of objects.

What is it? An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g. computers), services (e.g. e-mail) and users (user accounts and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.

AD Structure
- Domain based
- Hierarchical tree structure
- Network resources are objects
- Containers for grouping
- Objects have attributes, which allow security to be built on them

Elements of AD
Domain, Organizational Unit, Group, User, Site, Computer, Print Queue, Contact, Policy, License

AD as centre of network

Domain Each AD must have at least one Domain Controller, which is the central management point of the system. The other computers and computing resources, including people (users), are joined to the AD by the administrator. The Domain Name System (DNS), as used on the Internet, is used to name the resources in the AD.

LDAP The Lightweight Directory Access Protocol, or LDAP, is used to add, modify and delete information stored in Active Directory, as well as to query and retrieve data, over TCP/IP. LDAP is used as a source of information for authorization.

Directory Service

Directory Services Telecommunication companies introduced the concept of directory services to information technology and computer networking, as their understanding of directory requirements was well-developed after some 70 years of producing and managing telephone directories.

Directory Services The X.500 protocol for directory services was created in the 1960s. X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack. LDAP is a lightweight alternative that uses the TCP/IP stack.

Application of Directory Service
- Part of the network OS
- Stores and organizes information about a computer network's users and network resources
- Acts as a central/common authority that can securely authenticate the system resources that manage the directory data

Examples: MS Active Directory, Sun Java System Directory Server, IBM Tivoli Directory Server

Domain Name System A domain name / IP address resolution system, used chiefly on the Internet. It is a distributed system containing a number of root domain servers, and each domain has its own domain server. The domain name follows a certain structure, the namespace.

AD and DNS DNS domains are for finding resources. AD domains are for organizing resources. The two work together in AD.

AD and DNS work together

Structure in AD: Forest, Tree, Domain, Organizational Unit (OU), Group

Domain Tree

AD Forest Used when a different namespace is required. The domains in a forest must share a common schema and Global Catalog Server.

Organizational Unit Contains the following units for easy management: users, computers, groups, printers, applications, security policies, file shares

Group Policy Group Policy is a feature of the Microsoft Windows NT family of operating systems that provides centralized management and configuration of computers and remote users in an Active Directory environment, used to restrict certain actions that may pose potential security risks. It can also be applied to offline computers and roaming users.

Group Policy Group Policies are rules to define user or computer settings for an entire group of users or computers at one time. The settings that you configure are stored in a Group Policy Object (GPO), which is then associated with Active Directory containers such as sites, domains, or organizational units.

Group Policy Many different aspects of the network, desktop, and software configuration environments can be managed through Group Policies: registry settings for both users and computers, file system permissions, Internet Explorer settings, registry permissions, software distribution, etc.

Group Policy Group Policies are analyzed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically.

Group Policy Multiple group policies can be created and distributed. User and computer accounts can have more than one policy applicable to them, based upon the site, domain, or OU they are in, their security groups, or any combination.

Group Policy Processing Order (LSDOU)
1. Local Computer Policy
2. Site
3. Domain
4. OU (Organizational Unit), then Sub-OU
The policy processed last takes precedence (wins).
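The LSDOU rule above, worked through in code as an added example (not part of the slides): GPOs linked at several scopes are applied in Local, Site, Domain, OU, Sub-OU order, and the last one to configure a setting wins. The GPO names and settings are constructed for the demonstration.

```python
# Added example, not part of the slides: resolving the effective Group Policy
# settings for one client by applying linked GPOs in LSDOU order, where the
# GPO processed last wins. The GPOs and their settings below are constructed.
from dataclasses import dataclass

# Processing order named on the slide: Local, Site, Domain, OU, then sub-OUs.
LSDOU_ORDER = ("Local", "Site", "Domain", "OU", "Sub-OU")


@dataclass
class GPO:
    name: str
    scope: str       # one of LSDOU_ORDER
    settings: dict   # setting name -> configured value


def effective_settings(gpos):
    """Apply GPOs in LSDOU order and return {setting: (value, winning GPO name)}.

    sorted() is stable, so GPOs linked at the same scope keep the order given,
    which stands in for the link order on that container.
    """
    rank = {scope: i for i, scope in enumerate(LSDOU_ORDER)}
    result = {}
    for gpo in sorted(gpos, key=lambda g: rank[g.scope]):
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)   # later scope overrides earlier
    return result


# Constructed sample: the same setting configured at several scopes.
SAMPLE_GPOS = [
    GPO("Sales-OU-Policy", "OU", {"WallpaperLocked": True, "DisableCmd": False}),
    GPO("Local Computer Policy", "Local", {"ScreenSaverTimeout": 900, "DisableCmd": False}),
    GPO("Default Domain Policy", "Domain", {"ScreenSaverTimeout": 600, "DisableCmd": True}),
    GPO("HQ-Site-Policy", "Site", {"ScreenSaverTimeout": 1200}),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_settings(SAMPLE_GPOS).items()):
        print(f"{setting:20} = {value!s:6} (from {source})")
```

Recording which GPO supplied each winning value is what makes troubleshooting "why does this client have this setting" tractable.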

Logon procedure in AD The client makes an RPC and passes its configuration (domain membership, IP) to the Netlogon service. Netlogon makes a query to the DNS server; the query is changed to a form of LDAP. The DNS server returns a list of domain controllers to the client. The client sends a request to each individual controller.

Logon procedure in AD The domain controllers respond by sending their operational status to the client's Netlogon service. The client establishes an LDAP session with a domain controller at its site. Logon and authentication follow.

Authentication procedure An authentication request is sent to the domain controller. The domain controller verifies the credentials. The domain controller sends the user's System Identifier (SID) to the client computer as a token. A resource compares the SID with its ACL when a user requests use of the resource.

Use of Access token
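The SID-against-ACL comparison from the authentication procedure above, as an added example that is not part of the slides: a simplified Windows-style access check in which the access token carries the user's SID and group SIDs and the resource's DACL is walked in canonical order (deny ACEs before allow ACEs). The SIDs, DACL and tokens are constructed; only S-1-1-0 (Everyone) is a real well-known SID.

```python
# Added example, not part of the slides: a simplified Windows-style access
# check. The access token carries the user's SID and group SIDs; the resource's
# DACL is walked in canonical order (deny ACEs before allow ACEs) until every
# requested right is granted or a deny hits a right still outstanding.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # simplified access-mask bits


@dataclass(frozen=True)
class ACE:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids


def access_check(token, dacl, requested):
    """Return True only if the DACL grants all requested bits to the token."""
    remaining = requested
    sids = token.sids()
    for ace in dacl:
        if ace.sid not in sids:
            continue                      # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # denies a right not yet granted
        if ace.kind == "allow":
            remaining &= ~ace.mask        # accumulate granted rights
            if remaining == 0:
                return True
    return False                          # empty DACL or rights never granted


# Constructed SIDs (not from any real domain); S-1-1-0 is the well-known Everyone SID.
DOMAIN = "S-1-5-21-1000000000-2000000000-3000000000"
ALICE, BOB = DOMAIN + "-1104", DOMAIN + "-1105"
SALES, CONTRACTORS, EVERYONE = DOMAIN + "-1201", DOMAIN + "-1305", "S-1-1-0"

# DACL in canonical order: explicit deny first, then allows.
SHARE_DACL = [
    ACE("deny", CONTRACTORS, WRITE),
    ACE("allow", SALES, READ | WRITE),
    ACE("allow", EVERYONE, READ),
]
ALICE_TOKEN = Token(ALICE, frozenset({SALES, EVERYONE}))
BOB_TOKEN = Token(BOB, frozenset({SALES, CONTRACTORS, EVERYONE}))
```

Because the deny ACE is evaluated before the allow ACEs, Bob's membership in Sales does not restore the write right that his Contractors membership removes, and an empty DACL grants nothing.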

Authentication Protocol
- Windows NT: NT LAN Manager (NTLM), an aged protocol that is relatively easy to crack
- Windows 2000/2003: Kerberos

AD at work

Active Directory Security Industry-standard secure protocols:
- Kerberos (authentication)
- LDAP over SSL (authorization)
- X.509 (certificate-based authentication)
- Smart cards
- Public Key Infrastructure (PKI)
- Domain trusts
- Security groups and permissions

Kerberos for authentication

Advantages of using Kerberos
- Central authentication, with service tickets for resources
- No need to authenticate with the resources one by one
- Saving of bandwidth
- Session key encrypted with a timestamp, safe from eavesdropping and replay attack
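The replay protection named in the last point, as an added example that is not part of the slides: the checks a Kerberized service applies to a client's authenticator. It simplifies by authenticating the authenticator with an HMAC under the session key rather than encrypting it, and the session key is a constructed constant, whereas in Kerberos the KDC issues it inside the service ticket.

```python
# Added example, not part of the slides: the checks a Kerberized service makes
# on a client's authenticator, which is why a captured one cannot be replayed.
# Simplification: the authenticator is authenticated with an HMAC under the
# session key instead of being encrypted; the session key here is constructed,
# whereas in Kerberos it is issued by the KDC inside the service ticket.
import hashlib
import hmac
import json

MAX_CLOCK_SKEW = 300   # seconds; Kerberos' customary 5-minute tolerance


def _body(client, timestamp):
    return json.dumps({"client": client, "ts": timestamp}, sort_keys=True).encode()


def make_authenticator(session_key, client, timestamp):
    """Client side: bind the principal name and current time to the session key."""
    tag = hmac.new(session_key, _body(client, timestamp), hashlib.sha256).hexdigest()
    return {"client": client, "ts": timestamp, "tag": tag}


class ServiceVerifier:
    """Server side: verify the tag, reject stale times, then reject replays."""

    def __init__(self, session_key):
        self.session_key = session_key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def verify(self, auth, now):
        expected = hmac.new(self.session_key, _body(auth["client"], auth["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return "bad-mac"        # forged or tampered authenticator
        if abs(now - auth["ts"]) > MAX_CLOCK_SKEW:
            return "clock-skew"     # too old (or too far in the future) to accept
        key = (auth["client"], auth["ts"])
        if key in self.replay_cache:
            return "replay"         # same authenticator seen within the window
        self.replay_cache.add(key)
        return "ok"


SESSION_KEY = b"constructed-session-key-for-demo"   # constructed, not a real key
CLIENT = "alice@EXAMPLE.COM"
```

The clock-skew check is what keeps the replay cache bounded: an authenticator older than the window is rejected outright, so entries only need to be kept for that long.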

AD and Certificates A Certificate Authority can be installed within the AD to provide additional security, such as using L2TP for remote VPN services. Enrollment for a certificate can easily be done through a web browser.