1
COMP3371 Cyber Security. Richard Henson, University of Worcester, November 2016
2
Week 6: A Closer look at Client-Server, Backup, & Active Directory Security
Objectives: client-server, peer-to-peer and domains; analyse Windows Active Directory as an X.500-style directory and explain the security features associated with it; investigate actual security policies and how they can be applied to Windows Server domain(s) to protect an organisation's data.
3
Peer-Peer or Client-Server?
Depends on the number of devices. In theory a peer-to-peer workgroup can stretch to 8-10 machines; for an organisation with data management responsibilities the realistic tipping point is about 5. The transition to client-server may be a major change, from being a "start up" to a growing SME: it brings systematic data management, but also a bigger financial outlay.
4
Peer-Peer or Client-Server?
Which is best? single user? home network? organisation?
5
Logon, local or remote: where the OSI 7-layer connectivity software fits
Local boot (peer-to-peer): logon is handled at layer 5 (the session layer) and allocated a session ID. Remote boot (client-server): logon is also at layer 5, but the redirector seeks resources from the network and consults the Active Directory database to find them.
6
The Redirector (OSI level 5)
The client-server service provides file and print connectivity between computers. One end must be the "server" and provides the service; the redirector at the client end requests it. (Slide diagram: client process and redirector on one side, server process providing the service on the other.)
7
Client Service, Server Service
The client service works with the redirector to allow access to remote objects. The server end of the redirector, the server service, is implemented as a file system driver and supplies the network connections requested by the client. The redirector's requests arrive at the server via the adapter card drivers and TCP/IP. (Slide diagram: client process, TCP/IP connection, server process, filestore.)
8
Network Resource Sharing
Easy! Requires the use of UNC names, the redirector and the server service. The Multiple Provider Router supports multiple redirectors (!). It is theoretically possible to connect to any resource on any computer that supports UNC (Universal Naming Convention) names: files as \\server\shared folder[\sub-folder]\filename, printers as \\server\shared printer. Access needs to be controlled (!)
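As an added example (not code from the lecture), here is a small parser for the UNC form just described, plus the access check a redirector-style component should make before handing a name to the server service. The share allow-list, the host and share names, and the rule that rejects "." and ".." segments are illustrative assumptions.

```python
import re

# \\host\share followed by zero or more \segment components.
_UNC = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)(?P<rest>(?:\\[^\\]*)*)$")


def parse_unc(path):
    """Split a UNC path into host, share and the list of path segments below the share.

    Rejects anything that is not \\host\share..., empty segments (a\\b or a
    trailing backslash) and the relative segments '.' and '..', which must
    never reach the server service because they let a caller walk out of the
    shared folder.
    """
    m = _UNC.match(path)
    if m is None:
        raise ValueError("not a UNC path: %r" % path)
    rest = m.group("rest")
    segments = rest.split("\\")[1:] if rest else []   # rest starts with a backslash
    if any(seg == "" for seg in segments):
        raise ValueError("empty path segment in %r" % path)
    if any(seg in (".", "..") for seg in segments):
        raise ValueError("relative segment in %r" % path)
    return {"host": m.group("host"), "share": m.group("share"), "segments": segments}


def is_admin_share(share):
    """Hidden administrative shares (C$, ADMIN$, IPC$, ...) end in '$'."""
    return share.endswith("$")


def authorise(path, allowed):
    """Admit a path only if (host, share) is on the allow-list and it is not an
    administrative share. Host and share names are case-insensitive on Windows.
    `allowed` is a constructed set of lower-case (host, share) pairs."""
    p = parse_unc(path)
    if is_admin_share(p["share"]):
        return False
    return (p["host"].lower(), p["share"].lower()) in allowed
```

The point of the "." and ".." rule is that a share is an access-control boundary: the server service grants the client the share's permissions, so a name that escapes the shared folder must be refused before any ACL is consulted.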
9
Access controls: the set of security mechanisms used to control what a user (or group of users) can do as a result of logging on to a secured environment; they enforce "authorisation". "Identification" and "authentication" may also be associated with logging on. The effect includes: access to systems, services and resources, and the interactions users can perform.
10
Web Apps & Service Sharing
Client-server web apps are executed as services listening on well-known ports: e.g. FTP and HTTP on TCP, SNMP on UDP. On Windows networks such services are integrated with Active Directory rather than implemented by it: e.g. Terminal Services, the www service (IIS), and DHCP (IP addressing to clients), which must be authorised in AD before it will hand out addresses.
11
Terminal Services allows any PC running a version of Windows to operate a Windows server remotely, using the Remote Desktop Protocol (RDP, TCP port 3389) to show a copy of the server's desktop on the client machine. Client tools must be installed first, but the link can run with very little bandwidth: it is possible to remotely manage a server thousands of miles away over a phone connection. The same convenience makes an Internet-exposed RDP port a favourite target, so it should be reachable only from trusted networks or through a VPN.
12
www service: provided by Microsoft's web server (IIS)
Listens on TCP port 80; the same server can also provide the FTP service (port 21) and the SMTP service (port 25). Purpose of the www service: works with the HTTP protocol to make HTML pages available across the network as an Intranet, and to trusted external users/domains as an Extranet.
13
Data Storage/Backup? “Network Directories”… & the PKI
Windows Active Directory is defined as a "network directory". "Directories" are not to be confused with "folders": the former is generally a data store that changes only infrequently, e.g. a telephone directory; to avoid confusion, computer-based directories are also called "repositories". There are lots of different "network databases" on the web that often contain the same information (but are not linked!). When one is updated (e.g. someone's address) all should be updated, but that is unlikely to happen with separate databases. A single DISTRIBUTED database is a more effective solution!
14
A Distributed Directory for the whole Internet?
Public key "look up" is the model: use just one repository (a meta-directory) for all of that category of information (like a global telephone directory!) on the web as a "directory service", and let applications access that information directly using LDAP. Can the same principles be applied to other information? Yes, e.g. Active Directory, used for organisational information.
15
Internet Development via RFCs
Method of applying new software to the Internet (including PKI). RFC = Request for Comments; similar in practice to "de jure" standards. New protocol idea? The proposal is written up as an Internet-Draft and reviewed by an IETF working group; the IESG (see below) rejects it or approves it for publication as an RFC. Running, interoperable implementations are expected along the way, historically written mostly in C or C++.
16
RFCs, X.509 and LDAP (Digital Certificate Lookup)
A repository had to follow the X.500 standard to be "Internet compatible". The first Internet profile of X.509 certificates was RFC 1422 (1993, part of Privacy Enhanced Mail); LDAP itself was first specified in RFC 1487 (1993) and an LDAP programming interface in RFC 1823 (1995). Both have been refined through new RFCs many times: the current certificate profile is RFC 5280 (2008) and the current LDAP specification is the RFC 4510-4519 series (2006).
17
Who are the IESG (and IETF)? IETF: representatives of the super-geek technical wizards who create and update Internet software. The IESG provides technical management of IETF activities and has the power to approve Internet-Drafts for publication as RFCs; an RFC is then given consideration as a standard, and a Proposed Standard may eventually become a full Internet Standard. The LDAP protocol and the X.509 certificate standard are good examples of successful evolution.
18
X.500 architecture: an implementation of data management adhering to the OSI model. RFC 1006 (the ISO transport service on top of TCP) is what lets X.500 applications run over TCP/IP networks. The full X.500 architecture has many components and protocols: DMD (directory management domain), DUA (directory user agent), DIB (directory information base), DIT (directory information tree), DSA (directory system agent), and the DAP, DSP, DISP and DOP protocols. The DIT is what Active Directory implements: an object-oriented directory information base. DSAs work with the DIT to distribute data across servers.
19
Microsoft Exchange and X.500
Exchange v4 was an X.500-compliant server that enabled DAP clients to access its directory service information. Client end: X.500 DAP-compliant Outlook as the network client (Outlook Express as the Internet client); also a client for US government defence messaging.
20
Database for Exchange Server
ESENT (Extensible Storage Engine, NT): a single file organised in a balanced B-tree hierarchical structure. The database engine ESE (JET Blue) uses ISAM (Indexed Sequential Access Method) to manage data efficiently; its write-ahead log and crash recovery mechanism ensure data consistency is maintained even in the event of a system crash. Available in Windows as ESENT.DLL.
21
LDAP, ESE, and Active Directory
According to Microsoft, "Active Directory incorporates decades of communication technologies…". It is a commercial (as opposed to open source) roll-out of an X.500-style directory service: ESE manages the data, DNS locates domain controllers and integrates with Internet naming, and LDAP is the protocol through which clients query and update the directory (including the certificate and CRL objects that a PKI publishes there).
22
Continuous Development of AD
Windows 2000 was only the beginning: continued work with the IETF; Group Policies managed through AD; Exchange v5 had also used the ESE/LDAP/DNS enhancement; each new version of Windows Server extends AD resources, services and access control further.
23
Directory Services and AD
Active Directory: one data store, held in the file NTDS.DIT on each domain controller (not "NTFS.DIT"). Distributed across ALL domain controllers of the domain, with links to objects on/controlled by each DC; changes are automatically replicated to all DCs. Details held include: stored objects, shared resources, and network user and computer accounts.
24
AD, DNS and domain trees. AD is designed to be Internet-compatible: it can logically link multiple domain systems together. Domains with contiguous DNS domain names make up a parent-child structure known as a domain tree; each domain in the directory is identified by its DNS domain name. Domains whose names are non-contiguous form separate domain trees (which can still belong to the same forest).
25
“Trust Relationships” between Windows Domains
AD creates trust relationships automatically along the DNS naming of domains within a tree (i.e. contiguous domains), and between the roots of the trees in the same forest, so users and computers can be authenticated between any domains in the forest.
26
Active Directory Trust Relationships
Trust relationships are automatically created by AD between adjacent domains (parent and child) in the tree, and because these trusts are two-way and transitive, users and computers can be authenticated between ANY domains in the domain tree. So how does this all work securely in practice, across an entire enterprise? DNS is used to locate the domain controllers, and Kerberos cross-realm authentication does the actual work (see the later slides on Kerberos).
27
Active Directory and IP addresses
DNS (Domain Name System): the Internet-based system for naming host computers, linked to IP addresses. In Active Directory each domain controller has its own IP address and DNS host name; clients find the controllers for a domain through DNS service (SRV) records such as _ldap._tcp.dc._msdcs.<domain>, so the domain name, rather than any one server's address, is the identity that clients look up.
28
Managing Security Across a Directory Tree
Different admin levels: domain admin, who looks after a domain; enterprise admin, who controls all domains in the organisation (justification for those large salaries?). Implemented through Group Policies: users have different needs, and the policies need to be right (!)
29
Structure of an Active Directory Tree
A hierarchical system of organisational data objects. A tree can be a single domain with organisational units, or a group of domains.
30
Domains, Trees & Forests. Domain objects divide into organisational units (OUs). Microsoft recommend using OUs in preference to domains for imposing structure for admin purposes: flexibility to use either one domain or several. A "forest" is one or more trees that share a common schema, configuration and global catalog; it contains the data needed to connect all objects in a tree and can even connect different trees. This logical linking creates the "trusts" that let remote users authenticate across the forest.
31
Remote Logon (outside the tree)
MIT (remember them?) developed Kerberos authentication. A series of KDCs (Key Distribution Centres), each holding a secure database of authorised principals and their secret keys (derived from passwords); uses strong encryption and is freely available. Active Directory + Kerberos = a very powerful combination (every domain controller is a KDC). Even used to authenticate across mobile and wireless networks.
32
Components of "enterprise-wide" login with Kerberos authentication
The Active Directory tree logically connects and "trusts" servers throughout the enterprise. Servers in their turn control access to users within domains. Group memberships are resolved during the user authentication process and placed in the access token. Group Policy Objects are then invoked, which write policy settings into the registry and so control client desktops.
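The three Kerberos exchanges that sit behind an AD logon (AS, TGS, AP), as an added example that is not code from the lecture or from Microsoft. The realm name, principal names, key sizes and the "seal"/"unseal" routine (an XOR keystream plus HMAC standing in for Kerberos' AES encryption types) are all assumptions for illustration; the message fields are the real ones (client name, session key, expiry, authenticator timestamp). Pre-authentication is not modelled.

```python
import hashlib
import hmac
import json
import os

SKEW = 300           # max clock difference accepted, like the Windows default of 5 minutes
LIFETIME = 8 * 3600  # ticket lifetime in seconds


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key, obj):
    """Toy authenticated encryption standing in for Kerberos AES etypes: XOR with
    a SHA-256 keystream, then an HMAC tag. Illustrative only, not for real use."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password, realm, principal):
    """Long-term key derived from the password, salted with realm and principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)


class KDC:
    """One domain controller's Kerberos service: holds every principal's long-term key."""

    def __init__(self, realm, keys):
        self.realm, self.keys = realm, dict(keys)
        self.keys["krbtgt/" + realm] = os.urandom(32)   # the key that seals TGTs

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: a TGT (readable only by the KDC) plus the TGT session key
        sealed under the client's password-derived key. No password ever travels."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + self.realm], {"client": client, "session": session, "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"session": session, "expires": now + LIFETIME})

    def tgs_exchange(self, tgt_blob, auth_blob, service, now):
        """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a service ticket."""
        tgt = unseal(self.keys["krbtgt/" + self.realm], tgt_blob)
        if now > tgt["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["session"]), auth_blob)
        if auth["client"] != tgt["client"] or abs(now - auth["time"]) > SKEW:
            raise ValueError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "session": svc_session, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(tgt["session"]), {"session": svc_session, "service": service})


class Client:
    def __init__(self, realm, name, password):
        self.name, self.key = name, password_key(password, realm, name)

    def logon(self, kdc, now):
        self.tgt, rep = kdc.as_exchange(self.name, now)
        self.tgt_session = bytes.fromhex(unseal(self.key, rep)["session"])  # wrong password fails here

    def get_ticket(self, kdc, service, now):
        auth = seal(self.tgt_session, {"client": self.name, "time": now})
        ticket, rep = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_session, rep)["session"])

    def ap_request(self, ticket, svc_session, now):
        """AP-REQ: the ticket plus a fresh authenticator proving we hold the session key."""
        return ticket, seal(svc_session, {"client": self.name, "time": now})


def service_accepts(service_key, ticket_blob, auth_blob, now):
    """Done by the file server alone, with no call back to the KDC. Returns the
    authenticated client name, or None if the ticket or authenticator is stale."""
    ticket = unseal(service_key, ticket_blob)
    if now > ticket["expires"]:
        return None
    auth = unseal(bytes.fromhex(ticket["session"]), auth_blob)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > SKEW:
        return None
    return ticket["client"]
```

Two things worth noticing when stepping through it: the file server never sees the user's password or talks to the KDC, which is what lets the "trusted server" model scale across a forest; and because this toy KDC hands out an AS-REP to anyone who asks, an attacker could collect one and guess the password offline, which is exactly why Active Directory requires Kerberos pre-authentication by default.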
33
Groups and Group Policy
It may be convenient for managers and administrators to put users into groups; the settings for a group provide particular access to data and services. Problems: a user in the wrong group(s); a group with the wrong settings.
34
Group Policy in practice on Windows Networks
Group Policy settings define the components of the user's desktop environment that a system administrator needs to manage: the programs that are available to users, the programs that appear on the user's desktop, and Start menu options. Group Policy Objects are applied to authenticated users and computers, which lets security scale beyond a single domain to trusted domains. The required level of trust to share policy is achieved through Active Directory "trees" based on DNS and through Kerberos authentication.
35
Implementation of Group Policy Objects
Group Policy Objects (GPOs) are EXTREMELY POWERFUL. Each contains all the specified settings that give a group of users their desktop with the agreed security levels applied; the template editing tool (the Group Policy editor) is available as a "snap-in" on Windows Servers. A policy provides a specific desktop configuration for a particular group of users. The GPO is in turn linked to selected Active Directory containers: sites, domains and organisational units.
36
Combined Power of Group Policies and Active Directory
Enables written user/group policies to be easily implemented in software. Enables policies to be applied across whole domains and beyond, into trusted contiguous domains in the domain tree; and, since every domain in a forest trusts every other via Kerberos, even across non-contiguous domains in the same forest.
37
The Registry and User Control
A simple data store holding very many user settings. Settings are loaded into memory on boot-up and are overwritten by the settings that group policy files impose; the resultant policy controls the user's desktop.
38
What is the Registry? A hierarchical and "active" store of system and user settings, viewable using regedit.exe (REGEDT32.exe on older versions). Five basic subtrees: HKEY_LOCAL_MACHINE, local computer information that does not change no matter which user is logged on; HKEY_USERS, the hives of all currently loaded user profiles (including .DEFAULT, the default user settings); HKEY_CURRENT_USER, the current user's settings (a view into HKEY_USERS); HKEY_CLASSES_ROOT, file-type associations and COM class registration; HKEY_CURRENT_CONFIG, the "active" hardware profile. Each subtree contains one or more subkeys.
39
Location of the Windows Registry
c:\windows\system32\config; ordinary "users" are denied access. Hive files (no extensions): SOFTWARE; SYSTEM, hardware and service settings; SAM and SECURITY, which hold local account password hashes and LSA secrets and are not viewable through regedit even by administrators unless they first obtain SYSTEM privileges; DEFAULT, the default user. Also: each user's ntuser.dat file (in the user's profile folder) holds the user settings that override the default user.
40
Web Server: IIS (or Apache…)
Provides the server-end program execution environment: runs server scripts. Sets up its own directory structure on the server for developing Intranets, Extranets, etc. Sets up HTTP communication via TCP port 80 in response to client requests. Client end: the browser, an HTML display environment on the client.
41
“Static” web page service
The client (browser) requests information (an HTML page); the server (IIS or another web server) processes the request and sends the HTML page back to the client.
42
How a Static Web Page gets displayed
First of all, the relevant HTML document must be retrieved: the user types the URL into the browser's one-line address box; the browser resolves the host name via DNS, opens a TCP connection to the web server (routed via the default Internet gateway) and sends an HTTP GET request for the page.
43
How a Static Web Page gets displayed (2)
The web server locates the file for that web page in its own storage folders. The file containing the HTML etc. is sent back in an HTTP response, routed via the server's default gateway to the IP address of the local computer.
44
How a Static Web Page gets displayed (3)
The content type (or file suffix) is checked by the browser. If it is .htm or .html, the HTML etc. is read and processed on the local CPU by the browser's rendering engine, and any embedded script by its JavaScript interpreter.
45
How a Static Web Page gets displayed (4)
The results of processing are passed to the graphics card, converted into display signals by the CPU and graphics card, and transmitted to the screen; the web page is displayed.
46
More Features of Web Servers
Access to any client-server service can be restricted using username/password security at the server end, or that security can be bypassed with "anonymous" login, which uses a "guest" account (IUSR on IIS) granted access only to the files that make up the Intranet. This prevents worries about hacking in by guessing the passwords of existing users, provided the anonymous account really is limited to those files.
47
Client-Server Web Applications
Associated with "dynamic" web pages. Web servers provide a server-side environment that can allow browser data to query remote online databases using SQL; processing takes place at the server end, usually in .aspx or .php pages. Centralised, and secure only if the server-side code treats the browser's data as untrusted input.
48
Secure Web Pages & Applications
SSL (Secure Sockets Layer), now superseded by TLS: sits between the transport layer and the application protocol (HTTP), i.e. around OSI layer 5/6. It provides confidentiality and integrity for the connection and authenticates the server by its certificate; username/password login for secure viewing of a page then runs inside that protected connection rather than being provided by SSL itself.
49
Some recent challenges to client-server applications
Apps (especially phone apps…) using local processing, even storage (!): open to wireless retrieval? The issue of availability versus security. A server with a logically attached database can be wide open to attack by SQL injection (e.g. the TalkTalk website, 2015!).
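To make the SQL injection point concrete, here is an added example (not code from the lecture or from any real site) of the server-side login query behind a web form, in the vulnerable string-spliced form and the parameterised form that fixes it. The table, the two customer rows and the attack strings are constructed for the example; the database is an in-memory SQLite one so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the database behind a web form.
    Passwords are stored in clear only to keep the example short; a real
    application stores salted hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password TEXT, card_last4 TEXT)")
    con.executemany(
        "INSERT INTO customers (email, password, card_last4) VALUES (?, ?, ?)",
        [("alice@example.com", "correct horse", "4242"), ("bob@example.com", "battery staple", "1881")],
    )
    return con


def login_vulnerable(con, email, password):
    """Server script that splices the form fields straight into the SQL text.
    The database cannot tell the attacker's quotes from the programmer's."""
    sql = "SELECT email FROM customers WHERE email = '%s' AND password = '%s'" % (email, password)
    return [row[0] for row in con.execute(sql)]


def login_parameterised(con, email, password):
    """Same query with bound parameters: the SQL text is fixed before the form
    data is seen, so the data can only ever be compared, never executed."""
    sql = "SELECT email FROM customers WHERE email = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (email, password))]


# Two constructed attack payloads typed into the e-mail field of the form.
TAUTOLOGY = "' OR '1'='1"                                    # logs in as everyone
UNION_DUMP = "x' UNION SELECT card_last4 FROM customers --"   # reads another column
```

With the tautology in both fields the spliced query becomes WHERE email = '' OR '1'='1' AND password = '' OR '1'='1', which is true for every row; the UNION payload turns a login check into a data dump and the trailing -- comments out the rest of the programmer's query. The parameterised version returns nothing for either, because the whole string is compared as an e-mail address.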
50
The Active Directory “store”
Held in the file NTDS.DIT, created when the first domain controller is created and distributed across all domain controllers. The Global Catalog is a partial, read-only replica of every object in the forest, held on the domain controllers designated as global catalog servers. The directory covers all "objects" on domain controllers, e.g. shared resources such as servers, files and printers, and network user and computer accounts. Directory changes are automatically replicated to all domain controllers.
51
Group Policies and Network Access
Active Directory controls access to all network resources, achieved through giving the right users the right group policies. How can the network administrator know what policies to allocate to which user(s)? Groups must have appropriate settings.
52
Managing Group Policy: the Group Policy Management Console (Windows Server 2003 onwards) is used to create Group Policy Objects and link them to sites, domains and OUs in Active Directory. It is particularly useful for modelling and viewing the Resultant Set of Policy, the net effect of several GPOs applied in a particular order.
53
Security Features of Active Directory (1)
SSL/TLS (secure OSI level 5) for e-commerce: Internet Information Server (IIS) supports websites accessible only via HTTPS. LDAP over SSL (LDAPS, TCP port 636): LDAP is important for Internet lookup, and with SSL/TLS the server's certificate is checked for extranet and e-commerce applications and bind credentials are not sent in clear.
54
Security Features of Active Directory (2)
Transitive domain trust: the default trust between contiguous Windows domains in a domain tree; greatly reduces management overhead.
55
Security Features of Active Directory (3)
Kerberos authentication: authentication of users on remote domains that are not part of the same DNS zone (cross-realm). Smart card support: logon via smart card for strong, two-factor authentication to sensitive resources.
56
Active Directory and “controlling” Users
"Groups" were already well established for managing network users. Active Directory, with centrally organised resources including all computers, allowed groups to become more powerful for user management, exploited by enabling the organisation of users and groups of users into organisational units, sites and domains.
57
Managing Domain Users with Active Directory
The same user information is stored on all domain controllers. Users can be administered at, or by secure access as administrator to, any domain controller for that domain: flexibility, but potential danger (a compromised DC is a compromised domain)!
58
How AD Provides Security
Arranged through "security principals", i.e. users, computers, groups, or services (via service accounts); each has a unique security identifier (SID). Which SIDs have access to what is managed through "access tokens" and access control lists. AD validates the authentication process: for computers, at startup; for users, at logon.
59
Access tokens: generated when a user logs on to the network. Contents:
the user's SID; the SIDs of each group the user is a member of; and the user rights (privileges) assigned to the user or to those groups. The token is attached to every process the user starts, and the SIDs in it are what the security subsystem compares against an object's ACL, in the order the ACEs appear.
60
ACEs (Access Control Entries)
Each object or resource has an access control list (ACL): e.g. objects and their properties, shared folders and printer shares, and folders and files within the NTFS file system. The ACEs contained within the ACL protect the resource against unauthorised users; each ACE names a SID, an access mask and whether it allows or denies.
61
More on ACLs: two distinct ACLs for each object or resource:
Discretionary access control list (DACL): the list of SIDs that are either granted or denied access, and the degree of access that is allowed. System access control list (SACL): the list of all SIDs whose access to or manipulation of the object or resource needs to be audited, and the type of auditing (success, failure) that needs to be performed.
62
Mechanism of AD security
Users are usually assigned to several groups. When a user attempts to access a directory object or network resource, the security subsystem looks at the SID for the user and the SIDs of the security groups the user is a member of, and walks the ACEs in the resource's security descriptor in order, checking each against those SIDs. Explicit deny ACEs are placed before allow ACEs, so a matching deny wins; if the allow ACEs that match between them cover every requested right, the user is granted that degree of access, otherwise access is refused.
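The token-versus-ACL walk described on this and the preceding slides, as an added example that is not code from the lecture or from Windows itself. The SIDs, the access-mask bit values, the Finance share DACL and the audit entries are constructed for illustration; the evaluation order (ACE by ACE, deny stops the check, allows are subtracted from the outstanding rights, a NULL DACL protects nothing and an empty one grants nothing) is the Windows rule.

```python
from dataclasses import dataclass

# Access-mask bits (constructed subset of the Windows generic/standard rights).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000

# Constructed SIDs: two well-known ones plus users and groups of one domain.
EVERYONE, AUTHENTICATED_USERS = "S-1-1-0", "S-1-5-11"
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB = DOMAIN + "-1105", DOMAIN + "-1106"
FINANCE, CONTRACTORS = DOMAIN + "-2001", DOMAIN + "-2002"


@dataclass
class Token:
    """Built at logon: the user's SID plus every group SID the user belongs to."""
    user: str
    groups: list

    @property
    def sids(self):
        return {self.user, *self.groups}


@dataclass
class ACE:
    kind: str          # "allow" or "deny" in a DACL, "audit" in a SACL
    sid: str
    mask: int
    audit: tuple = ()  # for SACL entries: any of "success", "failure"


def is_canonical(dacl):
    """Windows expects explicit deny ACEs ahead of explicit allow ACEs; a DACL
    that breaks this order can let an allow mask out a later deny."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(token, dacl, requested):
    """The security subsystem's walk over the DACL, in ACE order."""
    if dacl is None:          # NULL DACL: the object is unprotected
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False      # a matching deny on any outstanding right ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0     # an empty DACL grants nothing


def audit_events(token, sacl, requested, granted):
    """SACL evaluation: which accesses generate a security-log entry."""
    outcome = "success" if granted else "failure"
    return [(outcome, token.user, ace.mask & requested)
            for ace in sacl
            if ace.sid in token.sids and ace.mask & requested and outcome in ace.audit]


def finance_share_dacl():
    """Constructed DACL for a Finance share, in canonical order."""
    return [ACE("deny", CONTRACTORS, WRITE | DELETE),
            ACE("allow", AUTHENTICATED_USERS, READ),
            ACE("allow", FINANCE, READ | WRITE | DELETE)]
```

The case to study is a user who is in both Finance and Contractors: in canonical order the deny is met first and wins, but if the same three ACEs are stored with the Finance allow first, the walk satisfies the request before it ever reaches the deny. That is why tools that write ACLs directly, rather than through the Windows security editor, can silently undo a deny.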
63
Power of Group IDs in Policy-based Security
Group Policy… allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources allows security & usage policies to be established separately for: computer accounts user accounts can be applied at multiple levels: users or computers residing in a specific OU computers or users in a specific AD site an entire AD domain
64
Active Directory and Group Policy
Power of Group Policy: allows network administrators to define and control the policies governing: groups of computers groups of users administrators can set group policy for any of the sites, domains, or organizational units in the Active Directory Domain Tree
65
Monitoring Group Policy
Policies, like permissions, accumulate: settings from every GPO in scope are merged, and where two GPOs set the same setting the one applied last wins (watch the simulation, AGAIN!). On Windows network client logon you need to assess which specific cumulative set of policies is controlling the environment for a specific user or computer. From Windows Server 2003 the GPMC tracks and reports the Resultant Set of Policy (RSoP): the net effect of each of the overlapping policies on a specific user or computer within the domain.
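A worked Resultant Set of Policy calculation, added here as an example and not code from the lecture or from the GPMC. It applies the Local, Site, Domain, OU order, link precedence within a container, Enforced links and Block Inheritance, and reports which GPO won each setting. The forest layout, GPO names and setting names are constructed; the DN parsing assumes no escaped commas.

```python
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict       # setting name -> value (constructed)


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


def container_chain(dn):
    """Domain DN followed by each OU from the top down, for an object DN such as
    CN=PC01,OU=Workstations,OU=Sales,DC=corp,DC=example (assumes no escaped commas)."""
    parts = dn.split(",")
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[first_dc:])]
    for i in range(first_dc - 1, 0, -1):          # parts[0] is the object itself
        if parts[i].upper().startswith("OU="):
            chain.append(",".join(parts[i:]))
    return chain


def resultant_set(dn, site, containers, local_gpo=None):
    """Resultant Set of Policy for one computer or user.

    containers maps a site ("site:NAME") or a DN to {"links": [Link, ...] in
    link order (first = highest precedence), "block_inheritance": bool}.
    Order of application is Local, Site, Domain, OU (parent before child); the
    last GPO to write a setting wins. Enforced links are applied after all
    others, child level first so the parent's enforced GPO wins, and they are
    the only links that pass an OU that blocks inheritance.
    """
    chain = ["site:" + site] + container_chain(dn)
    block_at = max((i for i, c in enumerate(chain) if containers.get(c, {}).get("block_inheritance")),
                   default=None)
    applied = [local_gpo] if local_gpo else []
    enforced_levels = []
    for i, c in enumerate(chain):
        links = containers.get(c, {}).get("links", [])
        enforced_levels.append([l.gpo for l in reversed(links) if l.enforced])
        if block_at is None or i >= block_at:
            applied.extend(l.gpo for l in reversed(links) if not l.enforced)
    for level in reversed(enforced_levels):
        applied.extend(level)
    result, winner = {}, {}
    for gpo in applied:
        for setting, value in gpo.settings.items():
            result[setting], winner[setting] = value, gpo.name
    return result, winner


def sample_containers():
    """Constructed forest: HQ site, corp.example domain, Sales OU, Workstations OU."""
    default_domain = GPO("Default Domain Policy", {"MinimumPasswordLength": 14, "LockoutThreshold": 5})
    wallpaper = GPO("Corporate Wallpaper", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 1200})
    hq_proxy = GPO("HQ Proxy", {"ProxyServer": "proxy.corp.example"})
    sales = GPO("Sales Desktop", {"DisableCMD": True, "ScreenSaverTimeout": 900})
    lockdown = GPO("Workstation Lockdown", {"DisableCMD": False, "ScreenSaverTimeout": 600})
    return {
        "site:HQ": {"links": [Link(hq_proxy)]},
        "DC=corp,DC=example": {"links": [Link(default_domain, enforced=True), Link(wallpaper)]},
        "OU=Sales,DC=corp,DC=example": {"links": [Link(sales)]},
        "OU=Workstations,OU=Sales,DC=corp,DC=example": {"links": [Link(lockdown)], "block_inheritance": True},
    }
```

Run it for a computer in the Workstations OU and the blocked inheritance drops the site proxy and the Sales and wallpaper settings, yet the enforced Default Domain Policy still lands, which is the behaviour an administrator relies on for password and lockout settings; run it for a laptop directly in Sales and all of them apply, with the OU's GPO winning the screen-saver conflict over the domain's.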
66
Protecting the network administrator password!
File security assumes that only the network manager can log on as administrator, but if a user can guess the password… (!) Strategies: rename the administrator account to something more obscure (note that its SID still ends in the well-known RID 500, so anyone who can enumerate accounts will still find it); only give the administrator password to one other person; change the administrator password regularly, and make it long and unique, with lockout or alerting on repeated failed logons.
67
Extending User/Group Permissions beyond a domain
It is possible for user permissions to be safely applied beyond the local domain, so users on one network can gain access to files on another; authentication is controlled between the domain controllers of the local and trusted domains. Normally achieved by "adding" groups from the trusted domain into the local groups that hold the permissions. NOT the same as "remote logon", which needs a separate username/password authorisation.
68
Controlling/Monitoring Group Policy across Domains
AD across a distributed enterprise… “enterprise” administrators have the authority to implement and alter Group Policies anywhere important to manage and restrict their number... Enterprise admins need to inform domain admins: what has changed when it changed the implications of the change for directory and network operations… Otherwise… a change to Group Policies affecting a domain might occur with disastrous consequences
69
Server-side scripts & dynamic Web pages
This time, the programming code is sent to and runs at the web server end, creating a web page for the client end; if database data is being returned, it needs a table to display the data. How does this all work?
70
Server-side scripts etc…
If the data picked up from the server has been changed (e.g. by the use of an SQL query), the client display changes: web pages become "dynamic", i.e. readily changeable without changing the web page code. Effect: by triggering SQL commands on the server, a local web page gives the appearance of interacting directly with a database.
71
Web Dynamic Client-Server Model
Server-side processing, the typical web-based client-server app: an HTML form displayed in the web browser at the client end collects data; using HTTP, the form data is sent to the web server.
72
Web Dynamic Client-Server Model
The web server processes the data according to the instructions in a specified server script; using HTTP, the results of the processing generated by the script are sent back to the client.
73
Web Dynamic Client-Server model
The web browser on the client machine displays the results on a web page in a specified position. This gets even more complex when a database, and database programming, are also involved at the server end…
74
Managing User Profiles
Windows Server “Disk Quotas”: allows administrators to track and control user NTFS disk usage coupled with Group Policy and Active Directory technology easy to manage user space even enterprise-wide… users find this irritating but stops them keeping data they’re never likely to use again…
75
User Rights Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software) operating system can enforce this Users SHOULD: have access to basic software tools NOT be denied on the grounds that the software could be misused… c.f. no-one is allowed to drive a car because some drivers cause accidents!
76
Possible Security Features of a Network
Information labelling and handling
Equipment siting and protection
Supporting utilities
Cabling security
Maintenance
Secure disposal or re-use
Separation of development, test and operational facilities
Controls against malicious code
Controls against mobile code
Information back-up
Network controls
Security of network services
Electronic messaging
On-line transactions
Publicly available information
Audit logging
Auditing system use
Protection of log information
Clock synchronisation
Privilege management
Equipment identification in networks
Remote diagnostic and configuration port protection
Segregation in networks
Network connection control
Network routing control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Information access restriction
Sensitive system isolation
Input data verification
Control of internal processing, including least privilege
Message integrity
Output data verification
Cryptographic controls
Key management
Technical vulnerability management (patches and updates)
Collection of evidence
A checklist of areas to consider, abstracted from ISO/IEC control sets [TSI/2012/183].
77
Network Management The network manager has two (conflicting?) responsibilities provide facilities and services that users need to do their jobs protect the network against abuse by naïve or malign users General perception (by users!)… network managers are more concerned with “protecting the network” than servicing the needs of its users
78
The “good insider”.. Threat (?)
Users: employees, who (generally) want to do their job, and do it well. Possible conflict with the "security-oriented" or "nanny-state" approach to network management. Personal opinion: it needs balance. The network IS there for the benefit of the users, to fulfil business objectives; the network MUST be as secure as reasonably possible, to protect valuable company data.
79
NOT Getting the balance right…
Worrying web page (BBC, 19/11/10): BBC’s own network users so frustrated about IT restrictions stopping them doing their jobs that many (typically 41% according to a CISCO survey) ignore the rules!