Number of slides: 50

COMP 3122 Network Management
Richard Henson, February 2012

Week 4 – Managing Network/Domain Users using Active Directory
• Objectives
  – Explain the architecture and administrative roles of Active Directory
  – Apply secure file system principles and Active Directory to control access for groups of network users
  – Apply Active Directory group policies across one or more domains

Windows Networks pre-2000
• Before Active Directory:
  – Novell & Unix had network directory systems
    » all network devices on the LAN (or WAN) categorised and centrally listed
  – Microsoft networks only categorised devices at the server level
    » each domain controller had an independent configuration
    » user database saved separately on each domain controller
• Consequence: Microsoft networks were not considered sufficiently scalable for large organisations…

Windows Naming Prior to Active Directory (AD)
• One-dimensional system called WINS named the components of a Windows network
  – used NetBIOS names
  – mapped them to the IP addresses of components
• AD allowed Microsoft to progressively embrace DNS naming for network components

AD, Network Naming, and DNS
• Network names based on DNS names
  – two-dimensional structure
  – DNS is hierarchical…
• AD creates a DNS zone, which should fit into the Internet's DNS
• Naming of each component added to AD is carefully planned to fit the DNS zone rules

More Wonders of Active Directory…
• Gave Windows networks… "credibility"
  – "global catalog" (central database)
    » all network users, groups of users, devices and services centrally controlled by the domain controller cluster
• and "kudos…"
  – distributed database, the means to access it, and security features all developed in line with RFCs
    » stark contrast with Novell's NDS: proprietary protocols, not in compliance with standards

The Active Directory store
• Global Catalog
  – stored as the file NTDS.DIT when the first domain controller is created
  – distributed across all domain controllers
    » covers all "objects" on domain controllers
      • e.g. shared resources such as servers, files, printers; network user and computer accounts
  – directory changes automatically replicated to all domain controllers

More about Active Directory
• Global Catalog (hierarchical/tree)
  – not only holds DNS names for all objects in the domain
    » also stores each object's "properties"
    » allows network users to search by selected attributes to find an object easily, regardless of where it is in the tree
• Centralised management of everything to do with the network…
  – Microsoft Management Console (MMC) interface centrally manages users, clients and servers through a single consistent screen display

Active Directory and Domain Trees
• AD names logically link domains
  – very useful for organisation networks that may require more than one domain (e.g. old campus and new campus?)
  – each domain identified by its DNS domain name
    » hierarchy needs careful planning
    » allocate names within the DNS zone

Domain Trees and DNS naming
• Advantage of a single DNS zone…
  – multiple domains can make up a parent-child structure
    » domain tree
• Separate DNS zones…
  – logically non-contiguous
  – form separate domain trees
  – user/resource management across trees/zones is more difficult

Security and Active Directory
• Some features (first two already covered in COMP 3123)
  – Kerberos Authentication
  – Smart Card Support
    » supports logon via smart cards for strong authentication to sensitive resources
  – LDAP over SSL
    » support for LDAP over Secure Sockets Layer (SSL) for secure directory transactions for extranet and e-commerce applications
  – Transitive Domain Trust
    » transitive trust agreements greatly reduce the number of trust relationships to manage between Windows domains

Active Directory and "controlling" Users
• "Groups" already well established for managing network users
• Active Directory centrally organised resources, including all computers
  – allowed groups to become more powerful for user management
  – exploited by enabling the organisation of users and groups of users into:
    » organisational units
    » sites
    » domains

Managing Domain Users with Active Directory
• Only administrators can set up and manage user accounts
• Should use a standard naming system when setting up usernames
  – e.g. first three to six letters of the surname followed by one or more initials
  – each username must be unique!

Storage Needs of Users
• Windows NT option to generate user space with the username as the folder name
  – easy automation of multiple user area creation…
  – %username% could be used (variable)
• AD uses/enhances this facility

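An added example, not from the lecture: a PowerShell routine that applies the naming convention from the previous slide (surname stem plus initials, checked for uniqueness in AD) and then creates the account with a home folder named after the username, which is what the %username% facility automates. The ActiveDirectory module, the share \\FS01\Home, the domain CONTOSO and the OU path are assumptions.

```powershell
Import-Module ActiveDirectory

# Build "surname stem + initials", e.g. Surname 'Henson', GivenNames 'Richard John' -> 'hensonrj'.
function New-StandardUsername {
    param(
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$GivenNames,
        [int]$SurnameLetters = 6                   # the convention allows three to six
    )
    $SurnameLetters = [Math]::Max(3, [Math]::Min(6, $SurnameLetters))
    $stem = ($Surname -replace '[^A-Za-z]', '').ToLower()
    if ($stem.Length -gt $SurnameLetters) { $stem = $stem.Substring(0, $SurnameLetters) }
    $initials = -join (($GivenNames -split '\s+') | Where-Object { $_ } | ForEach-Object { $_.Substring(0, 1).ToLower() })
    $base = $stem + $initials
    $candidate = $base
    $n = 1
    # Each username must be unique: append a counter while the name is already taken.
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $n++
        $candidate = "$base$n"
    }
    return $candidate
}

# Create the account with a home folder named after the username.
function New-DomainUserWithHome {
    param(
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$GivenNames,
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$HomeShare = '\\FS01\Home',                  # assumed file server share
        [string]$OU = 'OU=Students,DC=contoso,DC=com',       # assumed container
        [string]$NetBiosDomain = 'CONTOSO'                   # assumed domain
    )
    $sam  = New-StandardUsername -Surname $Surname -GivenNames $GivenNames
    $home = Join-Path $HomeShare $sam
    New-ADUser -Name "$GivenNames $Surname" -SamAccountName $sam -GivenName $GivenNames -Surname $Surname `
        -Path $OU -HomeDirectory $home -HomeDrive 'H:' `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true
    # Create the folder; grant Modify to this user only (administrators keep their inherited rights).
    $null = New-Item -ItemType Directory -Path $home -Force
    $acl  = Get-Acl -Path $home
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$NetBiosDomain\$sam", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $home -AclObject $acl
    return $sam
}

# Usage (creates a real account, so run it in a test domain):
# New-DomainUserWithHome -Surname 'Henson' -GivenNames 'Richard' -InitialPassword (Read-Host -AsSecureString 'Initial password')
```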
"Intermediate" Users (but NOT administrators)
• Greater access to aspects of the network, to perform particular tasks:
  – manage services (e.g. printing)
  – manage particular files and directories (e.g. departmental matters)
  – manage cluster housekeeping (e.g. backups of server data)

Protecting Passwords
• Earlier versions of Windows used a relatively weak method of password protection, which could be hacked with the right equipment
• From Windows 2000 onwards (in fact, NT 4 SP 2), more sophisticated encryption was used…
  – until Vista arrived this was turned off by default for "compatibility reasons"
• Any network user on a pre-Vista client system should make sure this password feature offered in Group Policy is turned on…
  – "passwords must meet complexity requirements"

Making Sure Users don't get the Administrator Password!
• File security assumes that only the network manager can log on as administrator
  – but if a user can guess the password…
• Strategies:
  – rename the administrator account to something more obscure
  – only give the administrator password to one other person
  – change the administrator password regularly

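An added check, not part of the lecture, covering the last two slides: it finds the built-in Administrator account by its fixed RID (500) regardless of what it has been renamed to, reports whether it still carries the default name and how old its password is, and reads the domain password policy to confirm that complexity is required. The ActiveDirectory module and the 90-day maximum password age are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-AdminAccountAudit {
    param([int]$MaxPasswordAgeDays = 90)    # assumed local policy
    $domain = Get-ADDomain
    # The built-in Administrator always has RID 500, whatever it has been renamed to.
    $admin  = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties PasswordLastSet, LastLogonDate
    $policy = Get-ADDefaultDomainPasswordPolicy
    $pwdAge = if ($admin.PasswordLastSet) { (New-TimeSpan -Start $admin.PasswordLastSet -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        AdminAccountName     = $admin.SamAccountName
        AdminRenamed         = ($admin.SamAccountName -ne 'Administrator')
        AdminLastLogon       = $admin.LastLogonDate
        AdminPasswordAgeDays = $pwdAge
        AdminPasswordStale   = ($null -eq $pwdAge -or $pwdAge -gt $MaxPasswordAgeDays)
        ComplexityRequired   = $policy.ComplexityEnabled           # "passwords must meet complexity requirements"
        MinPasswordLength    = $policy.MinPasswordLength
        ReversibleEncryption = $policy.ReversibleEncryptionEnabled # should be False
    }
}

$report = Get-AdminAccountAudit
$report
if (-not $report.AdminRenamed)       { Write-Warning 'Built-in Administrator still uses the default name' }
if ($report.AdminPasswordStale)      { Write-Warning 'Administrator password is older than the policy allows' }
if (-not $report.ComplexityRequired) { Write-Warning 'Password complexity is not required in the domain policy' }
if ($report.ReversibleEncryption)    { Write-Warning 'Passwords are stored with reversible encryption' }
```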
How AD Provides Security
• Manages which security principals have access to each specific resource
  – security principals can be users, computers, groups, or services (via service accounts)
  – each has a unique identifier (SID), validated by the authentication process
    » for users, at logon
    » for computers, at startup

More about the SID
• The SID (Security ID) is assigned to a security principal when that object is created in the directory
• It comprises:
  – domain identifier
    » common to all security principals within the domain
  – unique relative identifier (RID)

Access Tokens
• Created when a user logs on to the network
• Consists of:
  – the user's SID
  – the SIDs for each group of which the user is a member
  – the assigned user rights or privileges

ACE (Access Control Entries)
• Protect all resources within AD
  – objects and their properties
  – network folder and printer shares
  – folders and files within the NTFS file system
• Contained within access control lists (ACLs)
  – associated with each object or resource

Security Descriptors
• Made up of two distinct ACLs assigned to each object or resource:
  – discretionary access control list (DACL)
    » list of the SIDs that are either granted or denied access, and the degree of access that is allowed
  – system access control list (SACL)
    » list of all the SIDs whose access to or manipulation of the object or resource needs to be audited, and the type of auditing to be performed

Mechanism
• When a user attempts to access a directory object or network resource
  – the security subsystem checks whether the SIDs for the user (or the security groups of which the user is a member) match the security descriptor assigned to the resource
  – match: user is granted the degree of access to the resource specified in the ACL
• Most commonly, users are assigned to security groups within AD

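An added example, not part of the lecture: a simplified model of the check the last few slides describe. A token carries the user's SID plus group SIDs; the DACL is an ordered list of ACEs; Windows walks the ACEs in order, stops at the first matching Deny that covers a requested right, and otherwise accumulates matching Allows until every requested right is granted. It also shows the two special cases (no DACL at all versus an empty DACL). The SIDs and the ACL are constructed sample data.

```powershell
# Access mask bits for the toy example (real masks are richer, but the rule is the same).
$Read = 1; $Write = 2; $Execute = 4

function New-Ace {
    param([string]$Type, [string]$Sid, [int]$Mask)
    [pscustomobject]@{ Type = $Type; Sid = $Sid; Mask = $Mask }
}

function Test-Access {
    param([string[]]$TokenSids, $Dacl, [int]$Requested)
    if ($null -eq $Dacl)      { return $true }   # NULL DACL: object is unprotected, everyone gets access
    if (@($Dacl).Count -eq 0) { return $false }  # empty DACL: nobody gets access
    $granted = 0
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }          # ACE is not about this principal
        if ($ace.Type -eq 'Deny' -and (($ace.Mask -band $Requested) -ne 0)) {
            return $false                                            # a matching Deny on any requested right ends the check
        }
        if ($ace.Type -eq 'Allow') {
            $granted = $granted -bor ($ace.Mask -band $Requested)
            if ($granted -eq $Requested) { return $true }            # every requested right is now granted
        }
    }
    return $false                                                    # ran out of ACEs before all rights were granted
}

# Constructed sample: domain S-1-5-21-1111-2222-3333; user RID 1105 is a member of
# Finance (RID 2001) and Domain Users (RID 513), so all three SIDs are in the token.
$financeUser = @('S-1-5-21-1111-2222-3333-1105', 'S-1-5-21-1111-2222-3333-2001', 'S-1-5-21-1111-2222-3333-513')
$otherUser   = @('S-1-5-21-1111-2222-3333-1106', 'S-1-5-21-1111-2222-3333-513')

# Canonical order puts explicit Deny entries before Allow entries.
$dacl = @(
    (New-Ace 'Deny'  'S-1-5-21-1111-2222-3333-513'  $Write)               # Domain Users may not write
    (New-Ace 'Allow' 'S-1-5-21-1111-2222-3333-2001' ($Read -bor $Write))  # Finance may read and write
)

Test-Access $financeUser $dacl $Read                 # True: Read granted through the Finance group
Test-Access $financeUser $dacl ($Read -bor $Write)   # False: the Deny on Write for Domain Users wins
Test-Access $otherUser   $dacl $Read                 # False: no ACE grants this user anything
Test-Access $financeUser @()   $Read                 # False: empty DACL
Test-Access $financeUser $null $Read                 # True: NULL DACL
```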
Power of Group IDs in Policy-based Security
• Groups of users can be granted or denied access to or control over entire classes of objects and sets of resources
• Group Policy feature allows security & usage policies to be established separately for:
  – computer accounts
  – user accounts
• Group Policy can be applied at multiple levels:
  – users or computers residing in a specific OU
  – computers or users in a specific AD site
  – an entire AD domain

Active Directory and Group Policy
• Power of Group Policy:
  – allows network administrators to define and control the policies governing:
    » groups of computers
    » groups of users
  – administrators can set Group Policy for any of the sites, domains, or organisational units in the Active Directory domain tree

Monitoring Group Policy
• Policies are ADDITIVE – watch simulation…
• With Windows 2000 policies it was a headache assessing which specific cumulative set of policies was controlling the environment for a specific user or computer
• Windows 2003 allows tracking and reporting the Resultant Set of Policy (RSoP):
  – net effect of each of the overlapping policies on a specific user or computer within the domain

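An added example, not from the lecture, for the last three slides: the first function lists every GPO link that reaches an OU (site, domain, parent OUs, the OU itself) in the precedence order the additive processing gives them; the second generates a Resultant Set of Policy report for one user on one computer and summarises which GPOs were actually applied after security and WMI filtering. The GroupPolicy module, the OU path, the user and the computer name are assumptions.

```powershell
Import-Module GroupPolicy

# Links that reach an OU, in processing order. Get-GPInheritance returns
# InheritedGpoLinks already sorted by precedence, so index 0 wins on conflicts.
function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$OU)
    $inh = Get-GPInheritance -Target $OU
    if ($inh.GpoInheritanceBlocked) { Write-Warning "$OU blocks inheritance; only enforced parent links still apply" }
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{ Precedence = $i; Gpo = $link.DisplayName; LinkedAt = $link.Target; Enforced = $link.Enforced; Enabled = $link.Enabled }
    }
}

# RSoP proper: the net effect for one user on one computer, after security and WMI
# filtering, which the link order alone cannot show.
function Get-RsopSummary {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Computer)
    $report = Join-Path $env:TEMP ("rsop-{0}.xml" -f ($User -replace '[\\/]', '_'))
    Get-GPResultantSetOfPolicy -User $User -Computer $Computer -ReportType Xml -Path $report | Out-Null
    [xml]$rsop = Get-Content -Path $report
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.Rsop.$scope.GPO) {
            # Applied only if enabled, valid, passed its WMI filter and not security-filtered out.
            $applied = ($gpo.Enabled -eq 'true') -and ($gpo.IsValid -eq 'true') -and
                       ($gpo.FilteringAllowed -eq 'true') -and ($gpo.AccessDenied -ne 'true')
            [pscustomobject]@{ Scope = $scope; Gpo = $gpo.Name; LinkedAt = $gpo.Link.SOMPath; Applied = $applied }
        }
    }
}

Get-EffectiveGpoOrder -OU 'OU=Students,DC=contoso,DC=com' | Format-Table -AutoSize
Get-RsopSummary -User 'CONTOSO\jsmith' -Computer 'LAB-PC-01' | Format-Table -AutoSize
```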
User/Group Permissions and Trusted Domains
• Possible for user permissions to be safely applied beyond the local domain
  – so users on one network can gain access to files on another network
  – authentication controlled between servers on the local and trusted domains
• Normally achieved through "adding" groups from a trusted domain
• This is NOT the same as "remote logon"
  – which needs special username/password authorisation…

Managing Users & Their Profiles
• Once they get the hang of it, users save all sorts of rubbish to their user areas
  – may well include lots of downloaded web pages and images
• Problem!
  – 5000 users
  – each user takes 1 Gbyte of space...
  – total disk space required is 5000 Gbytes!

Managing User Profiles
• Back to the issue of "information pollution" discussed last week…
• Windows 2000 Disk Quotas:
  – allowed administrators to track and control user NTFS disk usage
    » coupled with Group Policy and Active Directory technology
    » only problem: not easy to manage disk quotas
      • needed scripting, reporting and remote usage methods
• Windows 2003 Disk Quotas:
  – better all-round functionality and easier enterprise-wide disk quota manageability

Third Party User Space for Administrators
• Plenty of third party software available to manage user quotas
  – e.g. Quota Manager
• One strategy:
  – set max disk space per user to 100 Mbytes
  – send a warning message at 100 Mbytes
  – disable the user's home area at 105 Mbytes
• Also: software to automatically delete stored web pages in user folders

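An added example, not from the lecture and not the third-party Quota Manager it mentions: the 100/100/105 Mbyte strategy above implemented as a scheduled PowerShell check over the home folders. "Disable" is implemented as a Deny-Write ACE, which stops new data arriving but still lets the user delete files to get back under the limit. The share \\FS01\Home, the domain CONTOSO and the mail settings are assumptions.

```powershell
$HomeRoot      = '\\FS01\Home'          # assumed home folder share
$NetBiosDomain = 'CONTOSO'              # assumed domain
$WarnBytes     = 100MB
$DisableBytes  = 105MB
$Mail = @{ SmtpServer = 'mail.contoso.com'; From = 'quota@contoso.com' }   # assumed mail relay

# Usage per home folder (folder name = username, as created by the %username% convention).
function Get-HomeFolderUsage {
    param([Parameter(Mandatory)][string]$Root)
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $sum = (Get-ChildItem -Path $dir.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ User = $dir.Name; Path = $dir.FullName; Bytes = [int64]$sum }
    }
}

# "Disable" = deny further writes; Delete is a separate right, so the user can still tidy up.
function Disable-HomeFolderWrites {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $acl  = Get-Acl -Path $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Invoke-QuotaStrategy {
    param([string]$Root = $HomeRoot)
    foreach ($u in Get-HomeFolderUsage -Root $Root) {
        $mb = [math]::Round($u.Bytes / 1MB, 1)
        if ($u.Bytes -ge $DisableBytes) {
            Disable-HomeFolderWrites -Path $u.Path -Account "$NetBiosDomain\$($u.User)"
            $action = "home area write-disabled at $mb MB"
        } elseif ($u.Bytes -ge $WarnBytes) {
            Send-MailMessage @Mail -To "$($u.User)@contoso.com" -Subject 'Home area quota warning' `
                -Body "Your home area uses $mb MB of the 100 MB allowance; at 105 MB it will be disabled."
            $action = "warning sent at $mb MB"
        } else {
            $action = 'ok'
        }
        [pscustomobject]@{ User = $u.User; MB = $mb; Action = $action }
    }
}

# Run from a scheduled task on the file server; the table doubles as the audit record.
Invoke-QuotaStrategy | Format-Table -AutoSize
```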
User Rights
• Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
  – all NOSs can enforce this
• Users SHOULD:
  – have access to basic software tools
  – NOT be denied on the grounds that the software could be misused…
    » c.f. no-one is allowed to drive a car because some drivers cause accidents!

Monitoring Group Policy across Domains
• When AD is managed across a distributed enterprise:
  – multiple administrators have the authority to implement and alter Group Policies
  – important to restrict the number of administrators…
• Without such control, changes to Group Policies might well occur without all administrators being aware of:
  – what has changed
  – when it changed
  – the implications of the change for directory and network operations…

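An added example, not from the lecture: a detection routine that answers "what changed, when, and by whom" for Group Policy across several domains by reading the Directory Service Changes audit events (5136 modified, 5137 created, 5141 deleted) from one domain controller per domain and keeping only changes to groupPolicyContainer objects. It assumes the GroupPolicy module, that "Audit Directory Service Changes" is enabled and the CN=Policies container carries a SACL auditing writes, and that the DC names given are reachable; the DC names are placeholders.

```powershell
Import-Module GroupPolicy

function Get-GpoChangeEvents {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,   # one per domain; GPO edits normally land on the PDC emulator
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 5136 = directory object modified, 5137 = created, 5141 = deleted
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Flatten the event's EventData into a name -> value table.
            $d = @{}
            foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.ObjectClass -ne 'groupPolicyContainer') { continue }   # GPOs only
            # The GPC DN contains the GPO GUID; resolve it to a display name while the GPO still exists.
            $label = $d.ObjectDN
            if ($d.ObjectDN -match '\{([0-9A-Fa-f-]{36})\}') {
                $gpo = Get-GPO -Guid $Matches[1] -Domain $d.DSName -ErrorAction SilentlyContinue
                if ($gpo) { $label = $gpo.DisplayName }
            }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Domain    = $d.DSName
                EventId   = $e.Id
                Gpo       = $label
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Attribute = $d.AttributeLDAPDisplayName    # e.g. versionNumber, gPCMachineExtensionNames
                Value     = $d.AttributeValue
            }
        }
    }
}

# Placeholder DC names, one per domain; sort so each GPO's history reads in order.
Get-GpoChangeEvents -DomainController 'DC01.contoso.com', 'DC01.sales.contoso.com' |
    Sort-Object Domain, Gpo, Time |
    Format-Table Time, Domain, Gpo, Actor, EventId, Attribute -AutoSize
```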
Network Threats, Vulnerabilities, and Attacks
• The degree of protection implemented against such things should be related to the value of the enterprise information or operations
• Example:
  – most networks probably wouldn't need or want to implement fingerprint and retinal scanning to control access to the average user's workstation
  – might, however, want to implement smart cards to control access to critical domain controllers

Threat (1)
• Someone or something that has the capability or potential to compromise the security of a directory, network, or information
• Three factors involved:
  – Motive
  – Method
  – Opportunity
• Threats that do not involve people do not have motive:
  – fire
  – flood

Threat (2)
• Any action by a user, condition, or process that has the potential to disclose, damage, or disrupt operations or information
  – a user attempting unauthorised entry into your network
  – a fire that breaks out in the building that houses the network servers
  – a virus that attempts to corrupt or delete needed information
  – are all examples of viable threats to the security of the directory and the network
  – people internal to the organisation!
• Internal threats more prevalent than external ones!!!

Vulnerability
• Can be defined as any weakness in security that provides an opportunity for an attack and that, when exploited, can allow an attack to succeed
• Can occur in many different aspects of the network:
  – software
  – hardware
  – social or physical environment
• Requires constant vigilance on many fronts
  – e.g. if running Windows on servers, the latest service pack and patches are needed
  – requires monitoring the Microsoft Web site for updates

Attack
• Any action by a user or software process that, if successful, results in the disruption, disclosure, or damage of enterprise information, services, or operations
• Shares the characteristics of motive, method, and opportunity:
  – assumes intent on the part of the attacker to deliberately:
    » attempt to damage or steal information
    » disrupt operations
    » use or exploit the directory to gain access to, or deny service from, the directory or network resources

User-Based Attacks
• The most common source of attacks are those initiated by people:
  – anonymous users attempting external penetration of the enterprise network
  – an authenticated user working from inside the network
• Can either be:
  – physical attacks on the equipment supporting the directory or network
    » e.g. stealing/damaging equipment or the physical network itself
  – based on using the network or directory environment
    » anonymous users, authenticated users, or even administrators

Threat: Anonymous Users
• Usually attempt to use vulnerabilities in the network, service, or application software
  – might gain access via scanning tools or by exploiting a well-known but unpatched error condition in operating software
• Also, when a known vulnerability is patched, the software update usually provides a description of the weakness, often providing all the information needed to hack an unpatched system
  – therefore critical to stay on top of released patches and security updates…

Exploitation of LDAP
• LDAP spec is known to all (an RFC)
• An anonymous user might be able to use LDAP to:
  – flood domain controllers with lookup queries
  – read domain information
  – identify user account security policies
  – find account names and SIDs
  – identify shares on domain computers

Thwarting DoS attacks
• SOME anonymous attacks can be mitigated by tightening security settings
• Further action against anonymous DoS attacks:
  – monitoring domain controllers for unreasonably high levels of LDAP queries
  – renaming default file shares such as C$, D$, etc. and renaming the administrator account

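An added example, not from the lecture, for the last two slides from the defender's side: it checks the forest-wide switch that decides whether anonymous clients may query the directory beyond rootDSE (the 7th character of dSHeuristics), reads each DC's anonymous-enumeration hardening values from the registry, and samples the NTDS "LDAP Searches/sec" counter to flag the sustained query floods the slide says to monitor for. The ActiveDirectory module, remoting to the DCs and the 2000 searches/s baseline are assumptions.

```powershell
Import-Module ActiveDirectory

# 1. Forest-wide: dSHeuristics 7th character = '2' allows anonymous LDAP operations beyond rootDSE.
function Test-AnonymousLdapEnabled {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
    $h   = [string]$ds.dSHeuristics
    return ($h.Length -ge 7 -and $h[6] -eq '2')
}

# 2. Per DC: the LSA values behind the "Network access: Do not allow anonymous enumeration..." policies.
function Get-AnonymousRestriction {
    param([Parameter(Mandatory)][string]$DC)
    Invoke-Command -ComputerName $DC -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            DC                   = $env:COMPUTERNAME
            RestrictAnonymous    = $lsa.RestrictAnonymous          # 1 = no anonymous enumeration of SAM accounts and shares
            RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM       # 1 = no anonymous enumeration of SAM accounts
            EveryoneIncludesAnon = $lsa.EveryoneIncludesAnonymous  # 0 = "Everyone" does not include Anonymous Logon
        }
    }
}

# 3. Query-rate watch: average and peak LDAP searches per second over one minute per DC.
function Watch-LdapSearchRate {
    param([Parameter(Mandatory)][string[]]$DC, [int]$Threshold = 2000, [int]$Samples = 12)   # threshold is an assumed baseline
    $sets = Get-Counter -ComputerName $DC -Counter '\NTDS\LDAP Searches/sec' -SampleInterval 5 -MaxSamples $Samples
    $sets.CounterSamples | Group-Object -Property Path | ForEach-Object {
        $vals = $_.Group.CookedValue
        $avg  = ($vals | Measure-Object -Average).Average
        $max  = ($vals | Measure-Object -Maximum).Maximum
        [pscustomobject]@{ Counter = $_.Name; AvgPerSec = [math]::Round($avg); PeakPerSec = [math]::Round($max); Alert = ($avg -gt $Threshold) }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
if (Test-AnonymousLdapEnabled) { Write-Warning 'dSHeuristics allows anonymous LDAP operations forest-wide' }
$dcs | ForEach-Object { Get-AnonymousRestriction -DC $_ } | Format-Table -AutoSize
Watch-LdapSearchRate -DC $dcs | Where-Object Alert | Format-Table -AutoSize
```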
Threat: Authenticated Users
• Examples:
  – spoofed-account access (via hacking/cracking tools)
  – illicit use of a valid account (obtained through some social engineering scheme)
  – a valid user who has decided to attack information, services, or operations for some personal or professional reason

Headache for administrators:
• Accounts have legitimate access to a range of resources and information
• More difficult to detect the attacks
• Can validly start processes that will have the effect of creating DoS conditions by consuming inordinate amounts of service resources
  – flood of LDAP queries or connections
  – filling disk space (for example, storing many extremely large objects in the directory)

Security Precautions
• A lot of monitoring, analysis and responsiveness to anomalies occurring in the directory…
• Authenticated users' permissions, allocated by default, let them:
  – identify members of sensitive security groups & determine sensitive account information (names, addresses, phone numbers, password, etc…)
  – discover linkage of Group Policies
  – identify sites
  – identify the OSs of the domain controllers
  – discover and disclose much additional information stored in the directory
  – read most objects in the directory

Threats: Administrators
• Network administrators themselves…
  – potentially HUGE threats to the directory, network, & enterprise information accessible via the network…
  – must always be a highly responsible/accountable job
• Threat could be:
  – "spoofing" an administrator's account
  – an account with invalidly elevated privileges
  – a trusted administrator who has for some reason decided to attack the directory or network…

Administrators & associated personnel…
• Not just administrators…
• Accounts with some administrative rights can:
  – modify permissions on objects within their scope
  – enable accounts to be trusted for delegation
  – change passwords on other user accounts to be used for further (spoofing & repudiation) attacks
  – change security settings, causing DoS conditions

Software-Based Attacks
• The AD forest and domain directory structure are based on a correctly specified schema
  – therefore any software application that corrupts the schema could:
    » compromise the entire directory
    » make the enterprise network inoperative
  – likewise, automated attacks via viruses or worms that are not necessarily directed against your company, but that might affect the schema, could nevertheless have a damaging or disruptive effect

Email attachments
• Present a huge risk
  – user education doesn't seem to stop people from opening every attachment that shows up in their inboxes
• Can users be trusted? If not:
  – a whole messaging system can be configured to block, or at least scan, all attachments
  – additional measures can be adopted, such as:
    » turning off preview panes that automatically display messages
    » converting HTML mail to plain text
    » blocking email clients from accessing the Internet

Environment-Based Attacks
• Any condition that damages or destroys the server hardware (fire, flood, tornado, hurricane, lightning, etc.) could also render the AD environment inoperative
• Consistent threat across platforms
  – usually well addressed by IT management in planning and implementing strict backup and restoration procedures
  – disaster preparedness and recovery plans MUST include provisions for offsite data backups
    » make sure that the backups are actually taken offsite
    » consider a secondary physical site that is ready to go in case the worst happens

Network: Service to Self or Service to Others?
• Two huge responsibilities for the network manager…
  – provide facilities and services that users need
  – protect the network against abuse by naïve or malign users
• General perception (of users!) that network managers are more concerned with "protecting the network" than with servicing the needs of users
