Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Published byMiranda Adela Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"— Presentation transcript:

1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

2 Windows Authentication

3 The topics The hell of windows authentication mechanisms Basic, NTLM, Kerberos Certificates and smart cards or tokens How they work differently What is better or worse Weird and weirder things that you may not know

4 And the environment Windows 2000 and newer Active Directory domains Maybe some trusts or multidomain forests Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers Ideally SSO

5 Windows Authentication

6 Local Logon DC 2000+ Client 2000+ Kerberos LDAP SMB TGT: User GPO List GPO Download TGS: LDAP, CIFS

7 CTRL-ALT-DEL Password Password is stored in memory only LSASS process In the form of MD4 hash never given out

8 Authentication Interactions in General DC 2000+ Client 2000+ Kerberos Server 2000+ App Traffic DC 2000+ SMB D/COM TGT: User In-band TGS: Server NTLM Occasional PAC Validation TGS: Server D/COM Dynamic TCP NTLM Pass-through

9 The three authentication methods Basic plain-text password results in Kerberos authentication NTLM hashed password (MD4) method from the past LM (DES), NTLM (DES), NTLMv2 (MD5) Kerberos hashed password (MD4) plus RC4/DES or AES mutual authentication and delegation can use certificates instead of passwords

10 Basic and RDP Network Logon DC 2000+ Client 2000+ Server 2000+ App Traffic DC 2000+ In-band clear text Kerberos TGT: User

11 NTLM Network Logon DC 2000+ Client 2000+ Server 2000+ App Traffic DC 2000+ SMB D/COM In-band NTLM hash Pass-through NTLM hash D/COM Dynamic TCP

12 Kerberos Network Logon (basic principle) DC 2000+ Client 2000+ Kerberos Server 2000+ App Traffic TGT: User In-band TGS: Server

13 Kerberos Network Logon (complete) DC 2000+ Client 2000+ Kerberos Server 2000+ App Traffic DC 2000+ SMB D/COM TGT: User In-band TGS: Server Occasional PAC Validation TGS: Server D/COM Dynamic TCP

14 Windows Authentication

15 NTLM Network Logon DC 2000+ Client 2000+ Server 2000+ DC 2000+ 60 % CPU 55 % CPU

16 Kerberos Network Logon, no PAC Validation DC 2000+ Client 2000+ Server 2000+ DC 2000+ 60 % CPU 0 % CPU

17 Kerberos Network Logon with PAC Validation DC 2000+ Client 2000+ Server 2000+ DC 2000+ 60 % CPU 0 % CPU14 % CPU

18 Basic Authentication DC 2000+ Client 2000+ Server 2000+ DC 2000+ 5 % CPU 0 % CPU

19 NTLM Performance Issues DC ClientServer 7 concurrent Client 40 sec.

20 NTLM Trusts DC B D\UserA\Server DC A DC CDC D

21 Kerberos Trusts DC B D\UserA\Server DC A DC CDC D

22 Windows Authentication

23 Basic Facts Do not use IP addresses Configure SPN (service principal name) Have time in sync Use trusted identities to run services on Windows 2008 and newer instead of AD user accounts no PAC validation Enable AES with Windows 2008 DFL

24 Trusted Identities – Network Service

25 Trusted Identities – Service Accounts

26 Trusted Identities – AppPoolIdentity

27 Trusted Identities – Managed Service Account

28 Windows Authentication

29 Identity Isolation Services on a single machine Services that access other back-end services

30 Windows Identities IdentityPasswordPAC Validation Local IsolationNetwork Isolation Operating System SYSTEMrandom changed 30 days noAdministrators no isolation no2000 AD User Accountadministrator changed??? yesUsers isolated yes2000 Network Servicerandom changed 30 days noUsers no isolation noXP Local Serviceno network credentialsnoUsers no isolation noXP Service Accountrandom changed 30 days noUsers isolated noVista 2008 Managed Service Account random changed 30 days noUsers isolated yes7 2008 R2

31 Kerberos Underworld

32 Smart Card Logon DC 2000+ Client 2000+ Kerberos PKINIT Server 2000+ App Traffic DC 2000+ TGT: User TGS: Server

33 Smart Card Logon and NTLM DC 2000+ Client 2000+ Server 2000+ NTLM Hash DC 2000+ TGT: User TGS: Server NTLM Hash

34 Smart Card Logon and NTLM DC 2000+ Client 2000+ Server 2000+ NTLM Hash DC 2000+ TGT: User TGS: Server NTLM Hash

35 Windows Authentication

36 Kerberos Delegation  GeekRoom  Úterý 14:15  Úterý 15:45

37 Windows Authentication

38 Group Membership Limits AD Group in forest with 2000 FFL 5000 direct members limit AD Group in forest with 2003+ FFL unlimited membership Kerberos Ticket network transport limited to 8 kB on 2000 and XP up to 12 kB on 2003+ HTTP.SYS header limits 16 kB of Base-64 encoded tickets Access Token local representation of a logon up to 1025 groups including local and system

39 Kerberos Ticket (PAC) KamilS-1-5-Prague-1158 Prague MarketingGlobal30828 Bytes Prague SalesGlobal30838 Bytes Paris VisitorsDomain Local Paris S-1-5-Paris-211540 Bytes Roma ISDomain Local Roma S-1-5-Roma-171740 Bytes Prague DocumentsDomain Local Prague S-1-5-Prague-308440 Bytes Business OwnersUniversal Prague 30858 Bytes EmployeesUniversal Paris S-1-5-Paris-211640 Bytes

40 Windows Authentication

41 Takeaway Kerberos is the most secure, flexible and performance efficient Don’t be afraid and play with them!

42 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

Download ppt "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"

Similar presentations

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.

Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.
Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.

Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.

Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.
Understanding Active Directory

Understanding Active Directory
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Smart Card Single Sign On with Access Gateway Enterprise Edition

Smart Card Single Sign On with Access Gateway Enterprise Edition
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Slide Master Layout Useful for revisions and projector test  First-level bullet  Second levels  Third level  Fourth level  Fifth level  Drop body.

Slide Master Layout Useful for revisions and projector test  First-level bullet  Second levels  Third level  Fourth level  Fifth level  Drop body.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

Similar presentations

Ads by Google