
Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation.


1 Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation

2 Agenda
- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

3 Question One
- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

4 If You Are Writing…
- Client applications that browse the directory
- Client applications that modify the directory
- Service applications that publish to the directory
- Service applications that store data in the directory
THEN YOU SHOULD CARE

5 Because…
- Active Directory is Windows NT’s security database
  - Not everyone is allowed to read or write everything from everywhere
- Directory may reject certain requests with authorization failure errors
  - Handle these gracefully!

6 Question Two
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

7 Active Directory Operations
- Locating an Active Directory Server (DC)
- Connecting and binding
- Searching and browsing
- Publishing and modifications

8 Directory Operations: Locating AD Server (DC)
- Windows® platforms (NT, 95/98)
  - DsGetDCName
- Non-Windows platforms
  - DNS SRV Record Lookup
- Locating a DC is not secure, nor restricted
- Lookup is handled automatically

9 Directory Operations: Connecting and binding
- Basics
  - Always authenticate to do anything meaningful!
  - Make no assumptions…
  - Use user’s default credentials when possible
  - Connect, bind and forget!
  - Never cache when using alternate credentials

10 Directory Operations: Code example using ADSI
- Open
  - Interface - IADsOpenDSObject
  - Method - OpenDSObject
- Credentials in OpenDSObject
  - UserName, Password, Type
  - Use Defaults -- NULL, NULL
  - If needed, always prompt for alternate
  - Never cache passwords

11 Directory Operations: Searching and browsing in ADSI
- Interfaces and methods
  - E.g. IADs - Get, GetEx, GetInfo
- Handle errors
  - E_ADS_INVALID_DOMAIN_OBJECT,
  - E_ADS_PROPERTY_NOT_SUPPORTED,
  - E_ADS_PROPERTY_NOT_FOUND

12 Directory Operations: Publishing and modifications
- ADSI
  - E.g. IADs -- Put, PutEx, SetInfo
- Handle errors
  - E_ADS_PROPERTY_NOT_SET,
  - E_ADS_PROPERTY_NOT_MODIFIED

13 Question Three
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

14 Leveraging AD Security: Application server configurations
- Services on Domain Controllers
  - Running under Local System
  - Running under Service Accounts - Recommended
- Services on Member Servers or Workstations
  - Running under Local System - Recommended
  - Running under Service Accounts

15 Leveraging AD Security: Access control
- Object security descriptors
  - Per property access control
  - Object type access control
  - Operation specific permissions
  - Delegation of administration
- Manipulating security descriptors
- Using security groups

16 Leveraging AD Security: Per property access - code sample
[Diagram]
- Object properties: Property 1, Property 2, Property 3, Telephone #, ntSecurityDescriptor
- ntSecurityDescriptor: Group, Owner, System ACL, Discretionary ACL
- Discretionary ACL: ACL Header, ACE 1 … ACE i … ACE n
- ACE fields:
  - Header: (ALLOWED_OBJECT_ACE) No Inherit Flags, Size=
  - Mask (Read, Write Property)
  - ObjectTypeGuid (Telephone# Prop. GUID)
  - InheritedObjectTypeGuid (NULL)
  - Security ID (group/user)

17 Leveraging AD Security: Object type access - code sample
[Diagram]
- Directory objects shown: OU, OU, Group, User
- ntSecurityDescriptor: Group, Owner, System ACL, Discretionary ACL
- Discretionary ACL: ACL Header, ACE 1 … ACE i … ACE n
- ACE fields:
  - Header: (ALLOWED_OBJECT_ACE) No Inherit Flags, Size=
  - Mask (Create, Delete Child)
  - ObjectTypeGuid (User Object GUID)
  - InheritedObjectTypeGuid (NULL)
  - Security ID (group/user)

18 Leveraging AD Security: Operation specific permissions
- Specialized operations
  - Change Password, Apply Group Policy
- Instantiate a “Control Access Right”
  - Publish under Extended Rights container
- ObjectTypeGuid = Right GUID
- Mask = CONTROL_ACCESS
- Use AccessCheckByType
  - AuditAlarm variation

19 Leveraging AD Security
- Code sample to use operation specific rights

20 Leveraging AD Security: Delegation of administration
[Diagram]
- Group:
  - Header: (ALLOWED_OBJECT_ACE) ContainerInherit, Size=
  - Mask (Read, Write Property)
  - ObjectTypeGuid (Members Prop. GUID)
  - InheritedObjectTypeGuid (Group GUID)
  - Security ID (group/user)
- OU:
  - Header: (ALLOWED_OBJECT_ACE) InheritOnly, ContainerInherit, Size=
  - Mask (Read, Write Property)
  - ObjectTypeGuid (Members Prop. GUID)
  - InheritedObjectTypeGuid (Group GUID)
  - Security ID (group/user)
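
The object ACE fields drawn on slides 16, 17 and 20, decoded from raw bytes as an added example (not part of the original deck). It assumes the Windows ACCESS_ALLOWED_OBJECT_ACE field order; the two GUIDs are placeholders and the sample bytes, including the well-known BUILTIN\Administrators trustee SID, are constructed for illustration.

```python
import struct
import uuid

# Constants from winnt.h / the ADSI rights enumeration
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACE_FLAGS = {0x01: "ObjectInherit", 0x02: "ContainerInherit",
             0x04: "NoPropagateInherit", 0x08: "InheritOnly"}
DS_RIGHTS = {0x001: "CreateChild", 0x002: "DeleteChild", 0x010: "ReadProperty",
             0x020: "WriteProperty", 0x100: "ControlAccess"}
GUID_FIELDS = ((0x1, "object_type"), (0x2, "inherited_object_type"))

def sid_to_str(raw):
    """Render a binary SID as S-<rev>-<authority>-<sub>-..."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    head = "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big"))
    return head + "".join("-%d" % s for s in subs)

def parse_object_ace(buf):
    """Decode one ACCESS_ALLOWED_OBJECT_ACE; reject anything out of bounds."""
    if len(buf) < 12:
        raise ValueError("shorter than the fixed ACE fields")
    ace_type, flags, size, mask, present = struct.unpack_from("<BBHII", buf)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        raise ValueError("not an ALLOWED_OBJECT_ACE")
    if size > len(buf):
        raise ValueError("AceSize runs past the buffer")
    ace = {"inherit": [n for b, n in ACE_FLAGS.items() if flags & b],
           "rights": [n for b, n in DS_RIGHTS.items() if mask & b]}
    off = 12
    for bit, name in GUID_FIELDS:
        # A GUID occupies space only when its presence bit is set.
        ace[name] = None
        if present & bit:
            if off + 16 > size:
                raise ValueError("GUID runs past AceSize")
            ace[name] = str(uuid.UUID(bytes_le=bytes(buf[off:off + 16])))
            off += 16
    ace["trustee"] = sid_to_str(bytes(buf[off:size]))
    return ace

def build_sample_ace():
    """Constructed bytes shaped like the OU ACE on the delegation slide."""
    members = uuid.UUID("11111111-1111-1111-1111-111111111111")  # placeholder GUID
    group = uuid.UUID("22222222-2222-2222-2222-222222222222")    # placeholder GUID
    sid = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<2I", 32, 544)
    body = struct.pack("<II", 0x30, 0x3) + members.bytes_le + group.bytes_le + sid
    return struct.pack("<BBH", 0x05, 0x0A, 4 + len(body)) + body
```

An ACE whose presence bits are clear carries no GUID bytes at all, so the trustee SID starts immediately after the fixed fields; reading GUIDs at fixed offsets would misparse such entries.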

21 Leveraging AD Security: Default security descriptors
- Object classes in schema
  - DefaultSecurityDescriptor
  - Security Descriptor Definition Language (SDDL)
  - ConvertSecurityDescriptorToTextSecurityDescriptor
- Object instantiations
  - (Default Security Descriptor) + (Inherited Security Descriptor from parent)
- Exception
  - Object specific inherited security descriptor from parent

22 Leveraging AD Security: Manipulating security descriptors
- Reading and writing with ADSI
  - Entire NTSecurityDescriptor attribute
  - Granular interfaces
- IADsSecurityDescriptor
  - Rev, Control, Owner, Group, DACL, SACL
- IADsAccessControlList
  - Revision, Count, Add/Remove ACE
- IADsAccessControlEntry
  - Type, Flags, Mask, ObjectType, InheritedObjectType, Trustee

23 Leveraging AD Security: Use security groups
[Diagram labels: Universe of Users, Universe of Resources, Universal Groups, Domain Local Groups, Global Groups]

24
- Identify needed default authorizations
- Identify “roles” to grant default authorizations
  - Application Servers - machines the server is running on
  - Application Server Admins - administrators for the application server
- Create groups associated with the roles

25 And…
- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some guidelines to remember

26 Guidelines For All - One
- Credentials for binding
  - Use user’s default credentials when possible
  - Connect, bind and forget
- Expect and gracefully handle errors
  - Never assume who the user is
  - Only subset of reads and searches may succeed
  - Entire write may fail

27 Guidelines For All - Two
- Need-to-know User Interfaces
  - Use allowedAttributesEffective
  - Use allowedChildClassesEffective
- Honor granularity of permissions
  - Batching multiple reads is OK
  - Batching multiple writes may not be
  - Commit object creation as single operation

28 Guidelines For Services - One
- Plan for multi-tier setup
  - Schema setup needs to be done by schema administrators
  - Configuration container setup needs to be done by Enterprise administrators
  - Domain setup needs to be done by Domain Administrators

29 Guidelines For Services - Two
- Be least privileged
  - Can you run on a non-DC under Local System?
  - Can you run under a service account on a DC?
- Use security groups to
  - Define machine roles running the service
  - Delegate administration of service specific objects

30 Guidelines For Services - Three
- Impersonate clients
  - Remember clients can talk to DS directly -- leverage that where you can
  - Impersonate client when binding to DS on their behalf
  - Manage multiple DS connections cleanly!
- Use Active Directory Object Security
  - Define sensible default security descriptors
  - Support manipulating security

31 Call To Action
- Care about security
  - Active Directory is a secured data store and Windows NT’s security accounts database
- Know about security
  - Every directory object is secured by a security descriptor
- Use AD Security
  - Define default security and leverage object specific delegation of administration
- Follow the guidelines
