Presentation is loading. Please wait.

Presentation is loading. Please wait.

W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16.

Published byLambert Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16."— Presentation transcript:

1 W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16

2 Background W2K Migration working group –Existing NT4 Domain Admins and Division/Section representatives –Initially chartered to propose domain design only - but presently implementing design –Pressure to migrate but also to do things right!

3 Background win.fnal.gov –Top level domain. Apply site wide security policies –Limited number of Administrators –Contains no users or resources. fermi.win.fnal.gov –Child domain. Contains all users and most resources. –Limited number of Domain Administrators. ‘resource’.win.fnal.gov –Child domain(s). Controls systems, members of other critical systems. –No user accounts allowed.

4 Lab Policy Kerberos authentication Domain Controllers are ‘critical systems’ Centralized accounts/ou administration No shared accounts

5 Authentication Kerberos and NTLMv2 –95/98/NT and non-domain w2k systems use NTLM –No ‘kerberos-only’ setting 2 central kerberos servers –MIT Can’t change password Long incorrect password timeout –Active Directory –2 way trust

6 Critical System Definition “Computer security incidents involving certain systems could seriously impact the laboratory’s science programmatic operations. Such systems may be designated “critical systems” and may be subject to additional computer security policies and procedures” Plan Identify systems Identify possible weaknesses and solutions

7 Critical System Plan 4 Domain Admins for win and fermi domains appointed by Computing Division and CSExec DCs in locked cabinets Remote administration using IPSEC and terminal server Services monitored for state change and additions Backup policy and domain disaster recovery One password policy Identification of OU Admin Rights Define W2K Policy Committee

8 Centralized Accounts Single user account –One per realm. Same username. create/disable –Security able to flip a ‘switch’ –Admins not allowed to create accounts User accounts only in 1 domain win.fnal.gov fermi.win.fnal.gov controls.win.fnal.gov NT4 Domain Admins -> OU Admins

9 OU Administration Requirements: –Reset passwords –Define print/disk shares in AD –Change allowed user account information –Add/Delete/Move machine accounts –Add/Delete/Modify global groups –Enable/Disable user accounts –Move user accounts to ‘terminated’ OU –Retrieve user accounts from New- User OU

10 OU Administration Requirements (cont) –Set and Define policy for the OU –Create sub-OUs –Delegate control of sub-OUs

11 OU Administration Implementation Issues Admins can: –Reset passwords –Define printers/shares –Change allowed user account settings –Add/Delete/Move machine accounts –Add/Delete/Modify global groups –Enable/Disable User accounts

12 OU Administration Implementation Issues Admins CAN’T: –Create/Delete OUs below their top OU –Move users within their OU structure –Delegate control of sub-OUs Why? AD does not provide a ‘move’ permission - only create/delete! AD does not provide a basic security setting to prevent Admins for changing subOU permissions

13 OU Administration Possible Solutions Domain Admins perform function –Not acceptable to group Explore commercial products –None that fit our security requirements Write a service program –Time consuming Combination GPO and Audit Policy –Implementable now

14 OU Administration GPO Implementation: OU Creator Group –Domain Admins control membership username-Creator-OU –Full Control over OU –Only found in top-level OU –Limited membership (3 per OU) OU Admin Group –Domain Admins or OU creators control membership username-Admin-OU –Limited control over OU/sub-OU

15 OU Administration OU Creator Rights: This object and all child objects- –Full control This object only- –Deny Delete –Deny Modify Permissions –Deny Modify Owner The Creator group provides all requested admin rights – but also can create/delete users

16 OU Administration OU Admin Rights: This object and all child objects- –Full Control –Deny Modify Permissions –Deny Modify Owner –Deny Create OU Objects –Deny Create User Objects –Deny Delete User Objects This object only- –Deny Delete

17 OU Administration OU Admin Rights: (cont) User Objects- –Deny Write Division, Last Name, Logon Name, etc.. 18 total The OU Admins group have basic rights but cannot create sub-OUs or move users

18 OU Administration Audit Policy Monitor DC event logs for violations in security policy –Create/delete users Notify appropriate personnel Auditing done on external computer(s) –Harder for hackers to cover tracks

19 OU Administration Audit Policy Implementation: Configure DCs to log proper events Install software on DCs to forward events to unix syslog server –Event Reporter ($49) –ELM (price varies) –Ntsyslog (free) Central syslog unix server –Uses syslog-ng and swatch Violation notification –Sends email to archived list

20 OU Administration Present status –Testing design –Needs Computer Security Review

21 No Shared Accounts Existing NT4 Shared accounts: –Administrative accounts –Test accounts –Console/Demo accounts –Data logging accounts –Monitoring Accounts –Service Accounts

22 No Shared Accounts Progress so far: –No shared admin or test accounts. –Service Accounts: Examples: tape backup, anti-virus management, web server anonymous account Waiver request form –Approval by Policy committee and computer security Requires annual review

23 Future Shared accounts Terminal servers Home Users

Download ppt "W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
ASU Windows 2000 AD Environment OU Presentation. Agenda OU structure Domain Admin Support OU Administrator Control/Access Migration from NT to W2K OU.

ASU Windows 2000 AD Environment OU Presentation. Agenda OU structure Domain Admin Support OU Administrator Control/Access Migration from NT to W2K OU.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW  Describe the process of adding a computer to.

11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW  Describe the process of adding a computer to.
11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW Describe the process of adding a computer to.

11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW Describe the process of adding a computer to.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
ManageEngine ADAudit Plus A detailed walkthrough.

ManageEngine ADAudit Plus A detailed walkthrough.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
FNAL Configuration Management Jack Schmidt Cyber Security Workshop May 23-24 th 2006.

FNAL Configuration Management Jack Schmidt Cyber Security Workshop May th 2006.
Working with Workgroups and Domains

Working with Workgroups and Domains
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 3: Introducing Active Directory.

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 3: Introducing Active Directory.
Implementing Secure Shared File Access

Implementing Secure Shared File Access
Corso referenti S.I.R.A. – Modulo 2 07 – Group Policy 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.

Corso referenti S.I.R.A. – Modulo 2 07 – Group Policy 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.

Similar presentations

Ads by Google