Slide 1: COMP1321 Digital Infrastructure
Richard Henson, March 2014
Slide 2: Week 16: Active Directory and Network Security
Objectives:
- Explain how Active Directory can provide trust across multiple domains
- Explain how Active Directory is used to control login and access to network resources
- Explain the mechanism for network resource security and desktop control
Slide 3: Security features of Active Directory
Not exhaustive... PKI will be covered later
- LDAP over SSL: support for LDAP over Secure Sockets Layer (SSL) for secure directory transactions, e.g. for extranet/e-commerce
- Kerberos authentication
- Smart card support: supports logon via smart cards for strong authentication to sensitive resources
- Transitive domain trust: transitive trust agreements greatly reduce the number of trust relationships to manage between Windows domains
Slide 4: Controlling Users with Active Directory
- The AD database organises domain resources, including all computers
- Groups (and group policies) are the main tools for user management
- Groups are exploited by enabling the organisation of users and groups of users into:
  - organisational units (previous lecture)
  - domains
  - enterprises
Slide 5: Managing Domain Users with Active Directory
Simple rules for user management:
- Only administrators can set up and manage user accounts
- Adopt a standard naming system when setting up usernames, e.g. the first three to six letters of the surname followed by one or more initials
- Each username must be unique!
Slide 6: Managing Storage Needs of Users
- Domain Controller option to generate user space with the username as the folder name
  - easy automation of multiple user area creation...
- Good integration with Active Directory: the %username% variable can be used in the path
Slide 7: "Intermediate" or "privileged" users
Allowed greater access to aspects of the network, to perform particular tasks:
- manage services (e.g. printing)
- manage particular files and directories (e.g. departmental matters)
- manage cluster housekeeping (e.g. backups of server data)
Can't do as much damage as administrators!!
Slide 8: Protecting Passwords
- Earlier versions of Windows used a fairly weak method of password protection; with the right equipment, it could be hacked
- From Windows 2000 onwards (actually, NT 4 SP2), more sophisticated encryption...
  - until Vista arrived this was turned off by default for "compatibility reasons"
  - any network user on a pre-Vista client system should make sure this password feature, offered in Group Policy, is turned on...
Slide 9: Sensible Choice of Password
Options for making passwords secure...
- make passwords expire regularly (e.g. every 28 days)
- select the "passwords must meet complexity requirements" option: ensures use of upper and lower case, numbers and punctuation marks
- don't use dictionary words: vulnerable to attack by comparing with a dictionary list
Slide 10: Making Sure Users don't get the Administrator Password!
File security assumes that only the network manager can log on as administrator, but if a user can guess the password...
Strategies:
- rename the administrator account to something more obscure
- only give the administrator password to one other person
- change the administrator password regularly
Slide 11: How AD Provides Security
- Based on security principals: these can be users, computers, groups, or services (via service accounts)
- Manages which security principals have access to each specific resource
- Each security principal is given a unique identifier (SID); once validated by the authentication process, this is generated for users at logon and for computers at startup
Slide 12: More about the SID
The SID (Security ID) is assigned to a security principal when that object is created in the directory. It comprises:
- a domain identifier, common to all security principals within the domain
- a unique relative identifier (RID)
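As an added example (not part of the slides), a Python decoder for the binary form of a SID as stored in an account's objectSid attribute. It turns the bytes into the familiar S-1-... string and splits that into the domain identifier and RID described above; the sample SID bytes and the three domain sub-authority values are constructed.

```python
import struct

# Well-known RIDs that are the same in every domain (Microsoft documentation).
# Renaming the built-in Administrator account changes its name, not its RID.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

def parse_binary_sid(raw: bytes) -> str:
    """Decode a binary SID (objectSid value) into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:])       # 32-bit little-endian each
    return "S-1-" + "-".join(str(v) for v in (authority, *subs))

def split_sid(sid: str) -> tuple[str, int]:
    """Split S-1-5-21-<domain>-<RID> into (domain identifier, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])

def describe_sid(sid: str) -> str:
    """Human-readable summary: which domain, which RID, and a name if well known."""
    domain, rid = split_sid(sid)
    name = WELL_KNOWN_RIDS.get(rid, "domain-specific RID")
    return f"domain={domain} rid={rid} ({name})"

# Constructed sample: revision 1, five sub-authorities, identifier authority 5
# (NT authority), sub-authorities 21-1000-2000-3000 (made-up domain) and 512.
SAMPLE_SID = (b"\x01\x05" + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1000, 2000, 3000, 512))

if __name__ == "__main__":
    print(describe_sid(parse_binary_sid(SAMPLE_SID)))
```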
Slide 13: Access Tokens
Created when a user logs on to the network. Consists of:
- the user's SID
- the SIDs for each group of which the user is a member
- the assigned user rights or privileges
Slide 14: ACE (Access Control Entries)
Protect all resources within AD:
- objects and their properties
- network folder and printer shares
- folders and files within the NTFS file system
Contained within access control lists (ACLs) associated with each object or resource
Slide 15: Security Descriptors
Made up of two distinct ACLs assigned to each object or resource:
- discretionary access control list (DACL): list of the SIDs that are either granted or denied access, and the degree of access that is allowed
- system access control list (SACL): list of all the SIDs whose access to or manipulation of the object or resource needs to be audited, and the type of auditing that needs to be performed
Slide 16: Mechanism
- When a user attempts to access a directory object or network resource, the security subsystem checks whether the SIDs for the user (or for the security groups of which the user is a member) match the security descriptor assigned to the resource
- On a match, the user is granted the degree of access to the resource that is specified in the ACL
- Most commonly, users are assigned to security groups within AD
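Added example, not from the slides: a small Python model of the check this slide describes. It walks a DACL in canonical order (explicit deny entries before allow entries) and compares each ACE's SID with the SIDs carried in the user's access token; the SIDs, groups and ACEs are constructed.

```python
from dataclasses import dataclass, field

# Access rights as bit flags, in the spirit of a Windows access mask.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the entry applies to
    mask: int   # rights granted or denied

@dataclass
class Token:
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

    def sids(self) -> frozenset:
        # The token carries the user's own SID plus one SID per group membership.
        return self.group_sids | {self.user_sid}

def canonical(dacl):
    """Canonical DACL order: explicit deny entries first, then allow entries."""
    return [a for a in dacl if a.kind == "deny"] + [a for a in dacl if a.kind == "allow"]

def access_check(token: Token, dacl, desired: int) -> bool:
    """True if every desired right is granted before any desired right is denied."""
    if dacl is None:          # object has no DACL at all: everyone gets full access
        return True
    remaining = desired       # rights still to be granted
    principals = token.sids()
    for ace in canonical(dacl):
        if ace.sid not in principals:
            continue          # entry is for some other principal
        if ace.kind == "deny" and ace.mask & remaining:
            return False      # a right we still need is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True   # everything requested has now been granted
    return False              # empty DACL, or some right never granted

# Constructed sample: a user who is in both Sales and Contractors, and a share
# whose DACL grants Sales read/write but denies write to Contractors.
USER = Token("S-1-5-21-1000-2000-3000-1104",
             frozenset({"S-1-5-21-1000-2000-3000-1200",    # Sales
                        "S-1-5-21-1000-2000-3000-1300"}))  # Contractors
SHARE_DACL = [Ace("allow", "S-1-5-21-1000-2000-3000-1200", READ | WRITE),
              Ace("deny", "S-1-5-21-1000-2000-3000-1300", WRITE)]
```

For this user, a read request succeeds while a write request fails, because the deny entry for Contractors is evaluated before the allow entry for Sales.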
Slide 17: Power of Group IDs in Policy-based Security
- Groups of users can be granted or denied access to, or control over, entire classes of objects and sets of resources
- The Group Policy feature allows security and usage policies to be established separately for:
  - computer accounts
  - user accounts
- Group Policy can be applied at multiple levels:
  - users or computers residing in a specific OU
  - computers or users in a specific AD site
  - an entire AD domain
Slide 18: Active Directory and Group Policy – next week...
Power of Group Policy: allows network administrators to define and control the policies governing:
- groups of computers
- groups of users
Administrators can set Group Policy for any of the sites, domains, or organisational units in the Active Directory domain tree
Slide 19: Monitoring Group Policy
- Policies are ADDITIVE (watch simulation...)
- Windows 2000: administrators had to work out for themselves which specific cumulative set of policies was controlling the environment for a specific user or computer
- Windows 2003 etc.: tracking and reporting of the Resultant Set of Policy (RSoP), the net effect of each of the overlapping policies on a specific user or computer within the domain
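Added example, not from the slides: a Python simulation of how overlapping Group Policy Objects accumulate into a resultant set. It assumes the standard application order (local, site, domain, then OUs from parent to child), that the last writer wins for a conflicting setting, and that enforced links are processed last with the highest-level enforced link winning; the GPO names, settings and proxy address are constructed.

```python
LEVELS = ("local", "site", "domain", "ou")

def resultant_set_of_policy(gpo_links):
    """gpo_links: GPOs as dicts with keys 'level', 'name', 'enforced', 'settings'.
    Links at the same level (e.g. parent OU then child OU) must be given in
    application order. Returns (effective settings, winning GPO per setting)."""
    for gpo in gpo_links:
        if gpo["level"] not in LEVELS:
            raise ValueError(f"unknown level {gpo['level']!r}")
    # sorted() is stable, so same-level links keep their given order.
    ordered = sorted(gpo_links, key=lambda g: LEVELS.index(g["level"]))
    normal = [g for g in ordered if not g.get("enforced")]
    enforced = [g for g in ordered if g.get("enforced")]
    effective, winner = {}, {}
    # Later writers win. Enforced links go after all others, highest level
    # last of all, so an enforced domain setting beats a conflicting OU setting.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo["settings"].items():
            effective[key] = value
            winner[key] = f"{gpo['level']}:{gpo['name']}"
    return effective, winner

# Constructed sample: three links that overlap on two settings.
GPOS = [
    {"level": "site", "name": "Campus", "enforced": False,
     "settings": {"ScreenSaverTimeout": 600,
                  "ProxyServer": "proxy.example.edu:8080"}},
    {"level": "domain", "name": "Default Domain Policy", "enforced": True,
     "settings": {"RemovableStorageAllowed": False}},
    {"level": "ou", "name": "Students", "enforced": False,
     "settings": {"ScreenSaverTimeout": 300, "RemovableStorageAllowed": True}},
]

if __name__ == "__main__":
    effective, winner = resultant_set_of_policy(GPOS)
    for key in effective:
        print(f"{key} = {effective[key]!r}  (from {winner[key]})")
```

The report shows the student OU winning the screen-saver conflict but losing the removable-storage one to the enforced domain link, which is exactly the kind of tracing RSoP reporting provides.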
Slide 20: User/Group Permissions and Trusted Domains
- Possible for user permissions to be safely applied beyond the local domain, so users on one network can gain access to files on another network
  - authentication controlled between servers on the local and trusted domains
- Normally achieved through "adding" groups from a trusted domain
- NOT the same as "remote logon", which needs special username/password authorisation...
Slide 21: Managing Users & Their Profiles
- Once they get the hang of it, users save all sorts of rubbish to their user areas
  - may well include lots of downloaded web pages and images
- Problem! 5000 users, each taking 1 Gbyte of space... total disk space required is 5000 Gbytes!
Slide 22: Managing User Profiles
Back to the issue of "information pollution" discussed last week...
- Windows 2000 disk quotas: allowed administrators to track and control user NTFS disk usage, coupled with Group Policy and Active Directory technology
  - only problem: not easy to manage; disk quotas needed scripting, reporting and remote usage methods
- Windows 2003 disk quotas: better all-round functionality and easier enterprise-wide disk quota manageability
Slide 23: Third Party User Space for Administrators
- Plenty of third-party software available to manage user quotas, e.g. Quota Manager
- One strategy:
  - set max disk space per user to 100 Mbytes
  - send a warning message at 100 Mbytes
  - disable the user's home area at 105 Mbytes
- Also software to automatically delete stored web pages in user folders
Slide 24: User Rights
- Users MUST NOT have access to sensitive parts of the system, e.g. network servers, local system software
  - the operating system can enforce this...
- Users SHOULD:
  - have access to basic software tools
  - NOT be denied on the grounds that the software could be misused...
  - c.f. no-one is allowed to drive a car because some drivers cause accidents!
Slide 25: Monitoring Group Policy across Domains
- AD across a distributed enterprise... multiple administrators may have the authority to implement and alter Group Policies
  - important to manage and restrict this...
- Otherwise a change to Group Policies might well occur without all administrators being told:
  - what has changed
  - when it changed
  - the implications of the change for directory and network operations...
Slide 26: Network Threats, Vulnerabilities, and Attacks
- The degree of protection implemented against such things should be related to the value of the enterprise information or operations
- Example: most networks probably wouldn't need or want to implement fingerprint and retinal scanning to control access to the average user's workstation
  - they might, however, want to implement smart cards to control access to critical domain controllers
Slide 27: Threat
Someone or something that has the capability or potential to compromise the security of a directory, network, or information. Three factors involved:
- Motive
- Method
- Opportunity
Threats such as fire or flood do not involve people and do not have a motive
Slide 28: Threat (2)
Any action by a user, condition, or process that has the potential to disclose, damage, or disrupt operations or information:
- a user attempting unauthorised entry into your network
- a fire that breaks out in the building that houses the network servers
- a virus that attempts to corrupt or delete needed information
are all examples of viable threats to the security of the directory and the network
- and people internal to the organisation! Internal threats are more threatening than external ones!!!
Slide 29: Vulnerability
Any weakness in security that provides an opportunity for an attack and that, by its utilisation, can allow an attack to succeed. Could be:
- software
- hardware
- social or physical environment
Requires constant vigilance on many fronts, e.g. if running Windows on servers, the latest service pack and patches are needed, which requires monitoring the Microsoft web site for updates
Slide 30: Attack
Any action by a user or software process that, if successful, results in the disruption, disclosure, or damage of enterprise information, services, or operations. Shares the characteristics of motive, method, and opportunity:
- assume intent on the part of the attacker to deliberately be:
  - attempting to damage or steal information
  - disrupting operations
- uses or exploits the directory to gain access to, or deny service from, the directory or network resource
Slide 31: User-Based Attacks
The most common source of attacks are those initiated by people:
- anonymous users attempting external penetration of the enterprise network
- an authenticated user working from inside the network
Can either be:
- physical attacks on the equipment supporting the directory or network, e.g. stealing/damaging equipment or the physical network itself
- based on using the network or directory environment: anonymous users, authenticated users, or even administrators
Slide 32: Threat: Anonymous Users
- Usually attempts to use vulnerabilities in the network, service, or application software
  - might gain access via scanning tools or by exploiting a well-known but not patched error condition in operating software
- Also, when a known vulnerability is patched, the software update usually provides a description of the weakness, often providing all the information needed to hack an unpatched system
  - therefore critical to stay on top of released patches and security updates...
Slide 33: Network: Service to Self or Service to Others?
Two huge responsibilities for the network manager...
- provide facilities and services that users need
- protect the network against abuse by naïve or malign users, etc.
General perception (by users!) that network managers are more concerned with "protecting the network" than servicing the needs of its users. What do you think?