Published by Ilene Robinson. Modified over 9 years ago.
1
Staying Secure During an NT to Windows 2000 Migration
Paul Hinsberg, MCSE, MBA
CEO, CRSD Inc
http://www.crsdinc.com
2
Questions! Look to the lower left to submit a question.
Staying Secure During an NT to Windows 2000 Migration
Paulhins@crsdinc.com
- Introduction
- Sources of Risk
- Points of Risk During Migration
- Understanding the Tools
- Risks related to Services
3
Sources of Risk
- Lack of Direction
- Lack of Planning/Testing
- Lack of Knowledge
4
Points of Risk During Migration
- Planning Phase
- Preparation
- Implementation
- Post-Implementation
5
Planning Phase
- Clear understanding of direction
- Knowing what the Domain and OU structure will look like in the end
- Established Group Policies
- Understand the Business Objectives
6
Preparation
- Evaluation of Systems
  - Review of the types of Services in your enterprise
  - Separation of client facing and internal
- Evaluation of Security
  - Review of the Permissions, roles, and measures
7
Evaluation of Systems
- Identify all Servers and services
  - RAS, DHCP, Exchange, IIS, Terminal Services…
- RAS will often require Windows 2000 security to be relaxed in order to accommodate users.
- DHCP servers will need to be authorized in order to function correctly and, depending on configuration, carry risks.
- Exchange 5.5 has its own directory and will need special care in order to migrate to Exchange 2000.
- IIS implies outside access. Security should already be a focus here.
- Terminal Services/Citrix will need some attention to maintain user access.
8
Evaluation of Security
- Understand the current security model completely
- User group memberships
  - Understanding SID History will be paramount
- File Server DACL
  - Cleaning this up will be tedious, but there are tools to help!
- System Policies
  - You’ve created your own personal nightmare.
9
Security Evaluation Tools
- SCM – Security Configuration Manager
  - NT 4.0 SP 4+
  - Careful! Q195509
- AddUsers.exe – Resource Kit
- ADMT for DACL Cleanup
  - Timing is important on this one!
10
Implementation
- Migration Types have different Risks
- Groups/User Accounts
- How other services influence security
11
Migration Types
- In-place
- Restructure-migration combination
- Moving to a pristine environment
12
In-place
- PDC/BDC is upgraded “as is”
- Offers benefits of reduced migration time
- Carries all of the old infrastructure baggage from the old NT domain
- Operation and security are different than a new build!
13
In-place Security Issues
- NT 4.0 User groups are moved as is.
- Everyone group exists and allows unauthenticated users
- Physical security of DCs is often missed
14
Restructure-migration combination
- Reorganization of Domains/Users/Groups is done before or after migration
- Preparation of NT 4.0 domain is required
- Or reorganization of domains afterward
- Multiple phases can lead to disorganization
- Best when building a pristine environment is not an option
15
Restructure Security Issues
- From a security standpoint, requires the most diligence
- Inadvertent access to Administrative level accounts is often missed
- Frustration levels can be high, leading to relaxed security
- Switch to Native Mode can cause operation issues.
16
Pristine
- Build a Windows 2000 AD and then migrate users
- Allows for the least impact on users and reduces outage risks
- Takes longer!
- User Migration opens security risks
17
Pristine Security Issues
- Planning is a big key, and may often be rushed through
- ADMT and Cloning of user accounts carries inherent security issues
- Post-Migration cleanup is critical
18
Groups/User Accounts
- Clean up the groups and user accounts on DCs prior to any migration (ADDUSERS/NET USERS)
  - Must be done before AND after migration
- Special Attention to Administrators and Domain Admins groups
- SID History
19
SID History
- Windows 2000 eases migration by allowing a SID History to exist

Pre-Migration: PaulHins
  User SID:
    1-5-46-4562654-23423523-33..
  Groups:
    1-5-46-243623-346234626-44..
    1-5-46-454982-132423423-43..

Post-Migration: PaulHins
  User SID:
    1-5-46-4326256-45236356-44…
  OLD USER SID:
    1-5-46-4562654-23423523-33.. (treated as a group)
  Groups:
    1-5-46-243623-346234626-44.. (old NT 4.0 groups)
    1-5-46-454982-132423423-43..
    1-5-46-456456-234123421-86.. (win2k groups)
    1-5-46-346456-53453453-99..
20
SID History Issues
- ADMT/Clone can allow a properly authorized user to insert the SID of one account into the username of another.
- Objects can only have 1,024 SIDs associated. Companies with many nested groups could run into a problem.
- Post-Migration Cleanup is required
21
Other Services
- Services sometimes need administrative access (more often they are given the access although not required)
- Service accounts will need to be treated separately during migration
- Some systems that will need special attention: SMS, RAS, Exchange
22
RAS
- RAS (including VPN, Dialup, etc.) may require some relaxed security on Windows 2000 in order to operate during the migration (Mixed Mode)
- The general solution is to allow the EVERYONE group to read user attributes. Thus, unauthenticated users can see user accounts.
- Upgrading RAS systems to Windows 2000 as soon as possible is best
23
DHCP
- Has the ability to dynamically update machine records
- If installed on a Domain Controller can lead to security holes – Q255134, Q309625
- Requires authorization to operate correctly.
24
DNS
- Windows 2000 DNS allows for Dynamic Updates.
- Until the Domain is in Native Mode, Dynamic Updates may not be an option
- This can permit unauthorized updates to the DNS or force you to perform manual entries.
- Understanding this vulnerability and monitoring the changes is key
25
Post Implementation
- DACL Cleanup
  - Access Control Lists are the most tedious task, but a required one. The SIDs from the previous domains may still exist and need to be cleared.
- SID History
  - Old SIDs represent clutter and a security issue. The ADSI Edit Tool can find and clean these out.
- Native Mode Transition
26
Tools of the Trade
- Active Directory Migration Tool (ADMT)
- ClonePrincipal
- ADSI
- NT Resource Kit
- Windows 2000 Support Tools
27
ADMT/Clone
- In a migration the Active Directory Migration Tool is going to be one of the main weapons
  - https://www.microsoft.com/windows2000/downloads/tools/default.asp
28
ADMT Reports
- Migrated Users and Groups Report
  - This report summarizes the results of the user and group migration operations.
- Migrated Computers Report
  - This report summarizes the results of the computer migration operations.
- Expired Computers Report
  - This report lists the computer accounts with expired passwords.
- Impact Analysis Report
  - This report lists the user accounts and groups that will be affected by computer migration operations.
- Name Conflicts Report
  - This report lists the user accounts and groups that exist in both the source and target domains.
29
ADMT Use
- Only local Administrators on the DCs will be able to use the tool
- Only install the tool on the Windows 2000 DC that will be used to migrate the users.
- Use NTFS permissions to further restrict the running of the tool on the system.
30
ADSI Edit
- An MMC Snap-in that is used to search for the SID History for the users.
  - To perform the search, connect to a domain.
  - Create a query, cut and paste this… (&(objectCategory=user)(SIDhistory=*))
  - Then run it
- ADSI Scripting allows for the removal of SID History (the GUI does NOT).
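A review step for the accounts that query returns, as an added example (not part of the original slides): it decodes the binary sIDHistory values and flags old SIDs that carry an administrative RID or come from a domain that was never a migration source. The account names other than PaulHins, the domain SID and the function names are constructed for illustration.

```python
import struct

# Domain-relative RIDs of built-in administrative accounts and groups.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def decode_sid(raw: bytes) -> str:
    """Binary SID (the form stored in sIDHistory) -> 'S-1-5-21-...' text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build the sample data."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def audit_sid_history(entries, expected_domains):
    """Return (account, old SID, reason) for each sIDHistory value to review."""
    findings = []
    for account, history in entries:
        for raw in history:
            sid = decode_sid(raw)
            domain, _, rid = sid.rpartition("-")
            if sid.startswith("S-1-5-21-") and int(rid) in PRIVILEGED_RIDS:
                findings.append((account, sid,
                                 "privileged: " + PRIVILEGED_RIDS[int(rid)]))
            elif domain not in expected_domains:
                findings.append((account, sid, "unexpected source domain"))
    return findings

# Constructed sample: OLD_DOMAIN stands in for the retired NT 4.0 domain's SID.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    ("PaulHins", [encode_sid(OLD_DOMAIN + "-1104")]),    # ordinary migrated user
    ("svc_backup", [encode_sid(OLD_DOMAIN + "-512")]),   # old Domain Admins SID
    ("jdoe", [encode_sid("S-1-5-21-9-9-9-1200")]),       # not a source domain
]

if __name__ == "__main__":
    for finding in audit_sid_history(SAMPLE, {OLD_DOMAIN}):
        print(*finding, sep="  ")
```

Anything the audit reports is a candidate for the post-migration SID History cleanup the slides call for.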
31
Don’t Let Frustration Rule You!
- Planning, Testing and Patience will be your best defense against the pressure and complexities of the migration!
32
Questions!
- Please click the Ask a Question link in the lower left part of the screen to submit a question.