

Number of slides: 42

Sec 391 Active Directory Object and Attribute Security
John Craddock, Principal Consultant, v-jcradd@microsoft.com, [email protected]
Sally Storey, Consultant, [email protected]
www.kimberry.co.uk

Session Topics
- Introduction
- Explicit Permissions
- Inheritance
- ACL Ordering
- Default Permissions
- Security Descriptor Definition Language (SDDL)
- Protected Groups
- Advanced Delegation of Administration

Windows 2000 and Windows Server 2003
- The majority of topics apply equally well to Windows 2000 and Windows Server 2003
- All the demonstrations will be performed on Windows Server 2003

Health Warning!!
- In this session we will show the use of tools that allow direct access to security on AD objects and attributes
- Incorrectly changing security can make your system inoperative
- Always test and approve any changes before implementing them in a production environment
- You could always make mistakes!

Object Access
[Diagram: an ACL on a directory object, with one ACE granting Sales Managers read access to specific attributes]
- Access to directory objects is controlled via Access Control Lists (ACLs)
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes, property sets and actions (extended rights)

Why Do We Care?
- Precise access control is pivotal to:
  - Protecting the integrity of the AD
  - Controlling the visibility of published resources
  - Delegating AD administration
- Physical security of domain controllers is paramount
- Without physical security your forest is wide open to attack

UI Security Tab
- The attributes displayed on the Security tab are controlled by a file: %SystemRoot%\System32\dssec.dat
- Excerpt (an "@=7" entry means do NOT display the object class; "attribute=7" means do NOT display that attribute):
    [serviceInstance]
    @=7
    adminDescription=7
    adminDisplayName=7
    …
    [user]
    aCSPolicyName=7
    adminCount=7
    allowedAttributesEffective=7
    allowedChildClasses=7
    …
    [volume]
    adminDescription=7
    adminDisplayName=7
    allowedAttributes=7
    allowedChildClassesEffective=7

Anatomy of an ACE (simplified)
- ACE Type: Access Allowed, Access Denied, or Audit (Success / Fail)
- Inheritance flags
- Access Mask: specifies the type of access
  - Delete
  - Read/Write object security
  - Generic Read/Write (access to the object and all attributes)
  - Create/Delete child
  - Read/Write property
  - Extended write operation
- Object Type: the attribute or extended right the ACE applies to
- Inherited Object Type
- Trustee (SID): identifies the security principal to which the ACE applies

Extended Rights
- Only a limited number of operations can be defined through the access mask
- Extended rights are used to define special operations and property sets
- Special operations include resetting passwords, managing replication and changing FSMO roles
- Extended rights are identified by controlAccessRight objects created in cn=extended-rights,cn=configuration…

Extended Rights (continued)
[Diagram: cn=personal-information, appliesTo = user; its rightsGUID is added to the object's ACL and is also held in the attributeSecurityGUID of every member of the property set]
- The objects to which extended rights apply are defined in the appliesTo attribute
- Access to an extended right is controlled by adding the rightsGUID attribute value to the object's ACL
- The rightsGUID also identifies the attributes that are members of a property set

Inheritance
[Diagram: the inheritable ACL on the OU flows down into the directory object's ACL, alongside the object's explicit ACL]
- Objects can inherit ACLs as well as having them explicitly set

All Objects are Potential Containers

Windows UI
- All objects inherit permissions for possible child objects
- The Windows 2000 UI displays the inherited permission even if the object has no children defined in the schema
- The Windows Server 2003 UI simplifies the interface by hiding the non-applicable permissions

Windows 2000 Security Tab
[Screenshot: permissions on a shared folder object]

Explicit ACLs
[Diagram: the inheritable ACL on the OU flows down into the directory object's ACL, alongside the object's explicit ACL]
- Objects can inherit ACLs as well as having them explicitly set

ACE Ordering
[Example ACL: DENY SID 1 W; Allow SID 3 RX; Allow SID 1 RX; Allow SID 3 W]
- Each ACE grants or denies permissions for an individual security principal
- The ACL is only checked until the requested access has been granted or denied

Explicit and Inherited ACEs
[Example ACL]
    Explicit:  DENY SID 20 W; Allow SID 3 R; Allow SID 1 R; Allow SID 3 W
    Inherited: DENY SID 15 RWX; DENY SID 1 RWD; Allow SID 11 R; Allow SID 31 W
- An object's explicit ACEs are checked in advance of inherited ACEs
- This can result in non-canonical order in the concatenated ACLs
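To make the ordering rule concrete, here is an added example (not part of the deck) that walks the slide's explicit-then-inherited ACL with the standard first-match access-check logic; the SID numbers are the slide's placeholders and the access-mask bit values are assumed.

```python
from dataclasses import dataclass
# Access-mask bits for the letters the slide uses (values assumed for the demo).
BITS = {"R": 1, "W": 2, "X": 4, "D": 8}

def mask(letters):
    """Turn 'RWX' into an access mask."""
    return sum(BITS[c] for c in letters)

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = Allow, False = DENY
    sid: int         # trustee (slide's placeholder SID numbers)
    mask: int        # bits granted or denied
    inherited: bool  # came from the parent container

# The slide's ACL as the directory concatenates it: explicit ACEs first, then
# inherited ones. Note the inherited DENY for SID 1 sits after the explicit Allow.
ACL = [
    Ace(False, 20, mask("W"), False),
    Ace(True, 3, mask("R"), False),
    Ace(True, 1, mask("R"), False),
    Ace(True, 3, mask("W"), False),
    Ace(False, 15, mask("RWX"), True),
    Ace(False, 1, mask("RWD"), True),
    Ace(True, 11, mask("R"), True),
    Ace(True, 31, mask("W"), True),
]

def access_check(acl, token_sids, requested):
    """Walk the ACL in order and stop as soon as access is granted or denied.

    A DENY overlapping any still-outstanding requested bit denies the request;
    an Allow clears its bits from the outstanding set; reaching the end with
    bits outstanding is an implicit deny.
    """
    remaining = mask(requested)
    for ace in acl:
        if ace.sid not in token_sids:
            continue  # ACE does not apply to this token
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

if __name__ == "__main__":
    # SID 1 reads OK: the explicit Allow is reached before the inherited DENY.
    print(access_check(ACL, {1}, "R"), access_check(ACL, {1}, "W"))
```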

Effective Permission
[Screenshot: the Effective Permissions tab calculates effective permissions based on the security principal's group membership]

Example
[Screenshots: Deny Full Control on Shared Folders; Allow Full Control on Shared Folders]

Initial Object ACL
[Diagram: inheritable ACL on the OU combined with the explicit ACL from the schema to form the directory object's ACL]
- Explicit ACL from the schema: the schema default ACL for the particular object type
- Set programmatically during creation
- Inherit ACL from parent and combine with explicit

Viewing the Default Permissions
- The default permissions are stored in the Schema
- Location: the defaultSecurityDescriptor attribute
- Stored as an SDDL Unicode string
- For full details of SDDL see the SDK documentation

User Object Default Security (one ACE per line)
    D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
    (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
    (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)
    (A;;RPLCLORC;;;PS)
    (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
    (OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)
    (OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)
    (OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)
    (OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)
    (OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)
    (OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)
    (OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)
    (OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)
    (A;;RC;;;AU)
    (OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)
    (OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)
    (OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)
    (OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)
    (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
    (OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)
    (OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
    (OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
    (OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)

Security Descriptor Definition Language (ACL)
- Format: O:owner_sid G:group_sid D:dacl_flags(string_ace1)(string_ace2)...(string_acen) S:sacl_flags(string_ace1)(string_ace2)...(string_acen)
- D = DACL, S = SACL
- The primary group (G:) has no significance in AD
- dacl_flags: AI for auto inherit (always set), PAI for protected

Security Descriptor Definition Language (ACL)
- ACE format: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
- ace_type: A = access allowed, D = access denied, OA = object access allowed, OD = object access denied
- ace_flags: CI = container inherit, OI = object inherit, NP = no propagation, IO = inherit only, ID = inherited ACE
- rights: the permissions to be set
- object_guid: GUID of the attribute, extended right or property set
- inherit_object_guid: GUID of the object type that inherits the permission

SDDL Examples
- Authenticated Users full control on this object:
    PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
- Authenticated Users full control on this object and all objects:
    O:DAG:DUD:PAI(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
- Authenticated Users full control on child objects only:
    O:DAG:DUD:PAI(A;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
- Read adminDescription on this object only:
    (OA;;RP;bf967919-0de6-11d0-a285-00aa003049e2;;AU)
- Read and write the location string on printer objects:
    (OA;CIIO;RPWP;09dcb79f-165f-11d0-a064-00aa006c33ed;bf967aa8-0de6-11d0-a285-00aa003049e2;AU)
- Read and write the location string on printer objects within this container only:
    (OA;CINPIO;RPWP;09dcb79f-165f-11d0-a064-00aa006c33ed;bf967aa8-0de6-11d0-a285-00aa003049e2;AU)
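As an added example (not from the deck), a small Python parser for the SDDL strings above and for the user defaultSecurityDescriptor on the earlier slide; it decodes each ACE into its six fields and rejects unknown tokens. The rights and flag tables cover only the two-letter tokens the deck uses, and the type and function names are mine.

```python
import re
from dataclasses import dataclass

# Two-letter tokens from the SDDL slides (rights, then ACE inheritance flags).
RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list contents",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access",
          "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}

@dataclass
class Ace:
    ace_type: str      # A, D, OA or OD
    flags: list        # e.g. ["CI", "IO"]
    rights: list       # e.g. ["RP", "WP"]
    object_guid: str   # attribute, property set or extended right ("" = whole object)
    inherit_guid: str  # object class the ACE applies to when inherited ("" = any)
    trustee: str       # SID or SDDL alias such as AU, DA, PS

def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' (no parentheses)."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, og, ig, sid = parts
    flags, rights = _pairs(flags), _pairs(rights)
    bad = [t for t in flags if t not in ACE_FLAGS] + [t for t in rights if t not in RIGHTS]
    if bad:
        raise ValueError(f"unknown token(s) {bad} in ({body})")
    return Ace(ace_type, flags, rights, og, ig, sid)

def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components and parse every ACE in the DACL and SACL."""
    out = {"owner": "", "group": "", "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for comp in re.split(r"(?=[OGDS]:)", sddl):
        if not comp:
            continue
        key, body = comp[0], comp[2:]
        if key == "O":
            out["owner"] = body
        elif key == "G":
            out["group"] = body
        elif key in ("D", "S"):
            name = "dacl" if key == "D" else "sacl"
            out[name + "_flags"] = body.split("(", 1)[0]   # e.g. "PAI"
            out[name] = [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", body)]
        else:
            raise ValueError(f"unexpected component: {comp}")
    return out
```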

Controlling Object Visibility
[Diagram: the ACL on the "Sales data" volume object; the explicit Read ACE for Authenticated Users is removed so that corporate managers, but not all sales domain users, can read the volume objects]
- For many object classes, the default ACL from the schema provides Read for Authenticated Users
- To control visibility, this ACE must be removed

Modifying the Default Explicit Permissions
- The schema defaults could be modified
- The permissions from the schema can be reapplied using dsacls …… /S /T
- Check if the schema defaults apply to an object with acldiag …… /schema
- Take great care reapplying the schema defaults: explicit permissions set by other programs will be removed

List Object Mode
[Diagram: with List Contents, G1 is allowed list contents on the container and sees every child; with List Object, G1 is allowed list object on some children and denied on others]
- List Contents allows users to see the existence of contained objects even if access is denied to some of those objects
- The List Object mode allows the contained objects to be hidden
- Caveat: additional CPU cycles are required for access checking

Comparison
[Screenshots: List Contents versus List Object, logged on as a Fish Company administrator]

Selecting List Object Mode
- Set the third dSHeuristics flag to 1
- If the dSHeuristics attribute is not already set, set it to 001 to enable List Object mode
- If the attribute already contains a value, modify it appropriately
- Remember the first two flags control the ANR search algorithm
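An added helper (not from the deck) that edits dSHeuristics positionally, so an existing value keeps its first two ANR flags while the third is set to 1; the function and constant names are assumptions.

```python
# dSHeuristics is a single string of positional flags; an existing value must be
# edited in place (pad with "0", then overwrite one character), never replaced.
LIST_OBJECT_POSITION = 3  # 1-based: the deck's "third flag"

def set_heuristic_flag(current, position, value):
    """Return a new dSHeuristics string with character `position` set to `value`.

    `current` may be None or "" when the attribute has never been set.
    Positions beyond 9 carry extra validation rules in AD that this helper
    does not model, so they are rejected rather than producing a bad value.
    """
    if not 1 <= position <= 9:
        raise ValueError("only positions 1-9 are handled here")
    if len(value) != 1:
        raise ValueError("a flag is a single character")
    chars = list(current or "")
    chars.extend("0" * (position - len(chars)))  # "0" = flag off
    chars[position - 1] = value
    return "".join(chars)

def enable_list_object_mode(current):
    """Set the third flag to 1, preserving the ANR flags in positions 1 and 2."""
    return set_heuristic_flag(current, LIST_OBJECT_POSITION, "1")

def list_object_mode_enabled(current):
    """True when the third character of the current value is 1."""
    value = current or ""
    return len(value) >= LIST_OBJECT_POSITION and value[LIST_OBJECT_POSITION - 1] == "1"
```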

AdminSDHolder
[Diagram: the ACL template on cn=AdminSDHolder,cn=system,dc=domain,dc… is compared with the ACL of each member of a protected group; if different, the ACL is replaced and inheritance disabled]
- The ACL on user accounts that are members of one or more "protected" groups is automatically set and refreshed to enhance security
- The propagator thread runs every hour on the PDC FSMO

Protected Groups
- Windows 2000: Enterprise Admins, Schema Admins, Domain Admins, Administrators
- Windows 2003 & 2000 with 327825 hotfix: Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers
- Membership can be transitive through membership of a distribution list
- The adminCount on protected groups is greater than or equal to 1

Default Template
- The default ACL template on AdminSDHolder cannot be fully edited through the UI
- For example, there is no Change Password ACE for a container
- Change the template with dsacls:
    dsacls cn=adminsdholder,cn=system,dc=… /G "Everyone:CA;Change Password"

Problem
- The European division is a child domain of corporate HQ in the US
- The European Domain Administrators need to authorize their own DHCP servers
- Authorization fails
- HQ is not prepared to elevate the European domain admins to Enterprise Admins
- How do you solve the dilemma?

Solution
- Enable auditing on the directory
- Attempt to authorize the DHCP server
- View the failed access in the security log
- Adjust the security on the directory objects
- Iterate until the problem is solved
- Smile

Solution
[Diagram: cn=NetServices,cn=Configuration,dc=example,dc=com holds cn=DhcpRoot and the dHCPClass objects cn=netads01.example.com and cn=netads03.child.example.com]
- 1. Create child object: adjust the ACL on cn=NetServices to enable creation of dHCPClass objects
- 2. Update root: adjust the ACL on cn=DhcpRoot to enable updating of the DhcpRoot

A Harder Problem
- It has been identified that the audit team needs to be able to view deleted objects
- The team should have no other administrative privileges

And There is More…
- If you've enjoyed this session, tell your friends and ask your local Microsoft subsidiary when we will be in your area next!
- Hope to see you soon
- Don't forget to buy the book!!

Community Resources
- http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading & Resources
- Investigating and Managing Objects and Attributes, Windows 2000 and Windows Server 2003, John Craddock and Sally Storey, ISBN 0-9544218-0-9

Evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.