COMP3123 Internet Security
DESCRIPTION
COMP3123 Internet Security. Richard Henson, University of Worcester, October 2011. Week 4, Access Controls: Network Directories & the PKI. Objectives: Explain the components of a network directory service.
TRANSCRIPT
COMP3123 Internet Security
Richard Henson
University of Worcester
October 2011
Week 4: Access Controls: Network Directories & the PKI
Objectives:
- Explain the components of a network directory service
- Explain how the use of security policies can help prevent network internal security breaches
- Analyse Windows Active Directory and compare it with an X.500 standard service
- Prepare a Windows Active Directory tree with two contiguously named domain controllers
“Network Directories”
- Directories, not to be confused with “folders”…
- generally a data store that changes only infrequently…
  » e.g. a telephone directory
- to avoid confusion, computer-based directories are also called “repositories”
- Lots of different “network databases” have evolved on the web
  - not a good idea!
  - often contain approx. the same info…
  - Problem: one updated, all should be
    » but unlikely in practice unless a managed solution
Meta-Directory
- Simple idea of putting all information about any one entity or object in one place…
  - information about those entities and objects can then be presented in a consistent way
  - simplifies collection and distribution of info on an Intranet covering the whole organisation
- Examples of Directory-enabled applications
  - enforce network policies!
    » across the network
    » between networks
  - digital signature verification
  - remote dial-in access authorization
  - signing in to a network
Network Directories & the PKI
- Needs to avoid multiple-directories problem…
- Solution:
  - use the meta directory approach
  - provide digital certificate information on the web as a “directory service”
  - use LDAP applications to directly access that info
Distributed Directory
- Another way of keeping entity information consistent if it does need to appear in multiple locations
  - entry may appear in multiple directories
    » e.g. one for each email system (if more than one)
    » e.g. one for gaining access to the network by logging on
- Paper-based equivalent – series of telephone directories each covering a clearly defined area
  - collectively cover a wide geographical region
  - serve a variety of purposes
  - all part of the same system for communication
- Regular directory synchronisation essential for maintaining consistency of information
Development of Internet Directories and IESG
- IESG (Internet Engineering Steering Group) provides technical management of IETF activities
  - As appropriate, translates RFC proposals into RFC standards
- Procedure:
  - draft RFC submitted
  - if accepted: IESG elevates it to RFC “draft” status
  - RFC then given consideration as a standard…
  - draft RFC eventually may become a true Internet standard
- Example of successful evolution: X.500 -> LDAP
X.500 Architecture
- Internet database based on the OSI model
- RFC 1006 allows OSI applications to run over an IP network
- Full X.500 Architecture:
  - DMD (directory management domain)
  - DSA (directory system agent)
  - DUA (directory user agent)
  - DIB (directory information base – object oriented!)
    » e.g.: a directory service database
  - DIT (directory information tree)
    » e.g.: Windows 2000 Active Directory
X.500 Protocols
- DAP (Directory Access Protocol)
- DSP (Directory System Protocol)
- DISP (Directory Information Shadowing Protocol)
- DOP (Directory Operational Binding Management Protocol)
- Collectively, these protocols give X.500 a wide range of functionality, but the structure is cumbersome…
Simplifying X.500 - LDAP
- Known as Lightweight Directory Access Protocol
- Thanks to University of Michigan researchers, early 1990s
  - gave up on the complexities of X.500
  - came up with a scheme that:
    » retained the X.500 directory structure
    » gave it a streamlined access protocol based on standard TCP/IP instead of ISO
- Other improvements:
  » pared-down referral mechanism
  » more flexible security model
  » no fixed replication protocol
Microsoft and X.500
- In 1996, Microsoft launched version 4 of its mailserver software, Exchange
- Designed also to provide the infrastructure to enable DAP clients to access Microsoft Exchange directory service information…
  - client served as an X.500 DAP client to DAP-compliant directories
    » e.g. U.S. Government Defense Messaging System (DMS)
- Also designed to manage table entries efficiently using a new object oriented database engine called ESE (Extensible Storage Engine)
Microsoft and LDAP
- Microsoft wanted to use X.500 in its directory service planned for the next version of NT
- Like Michigan Uni, found X.500 cumbersome, and adapted LDAP
- Supporting the Open Directory Services Interface (ODSI), Microsoft helped build a PKI service provider (Verisign) that supports the LDAP protocol
  - allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces
- Microsoft Exchange Server 4 supported LDAP
- Internet Explorer supported LDAP from v4 onwards
LDAP, ESE, and Active Directory
- Windows 2000 “Active Directory” service was a successful commercial roll out of an X.500 compliant directory service
  - used LDAP…
  - also used (uses) ESE to manage data tables
  - and DNS to integrate with www locations
- Next version of Microsoft Exchange also used the ESE/LDAP/DNS combination…
Directory Services and “Active Directory”
- Active Directory has just one data store, known as the directory
  - Stored as NTDS.DIT
    » where does “.dit” originate from?
  - distributed across ALL domain controllers (DCs)
  - links to objects on/controlled by each DC
  - changes automatically replicated to all DCs
- Contains details of:
  » stored objects
  » shared resources
  » network user and computer accounts
Directory Services and Domain Trees
- Active Directory logically links domains together
  - very useful for networks with more than one domain
  - each domain is identified in the directory by a DNS domain name
- Multiple domains with contiguous DNS domain names make up a domain tree
  - if domain names are non-contiguous, structures form separate domain trees
“Trust Relationships” between (legacy) NT Domains
- Account authentication between domains was first established in the Windows NT architecture
  - Allowed users and computers to be authenticated between any domains
- Problem: Windows NT trust relationships were isolated and individual
Active Directory Trust Relationships
- Automatically created between adjacent domains (parent and child domains) in the tree
  - users and computers can be authenticated between ANY domains in the domain tree
- So how does this all work securely in practice, across an entire enterprise?
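The two slides on domain trees and on automatic trust relationships can be tried out in code. This is an added example, not part of the lecture: it groups a constructed list of DNS domain names into trees by contiguous naming, lists the parent/child pairs between which Active Directory would create trusts automatically, and treats those trusts as transitive within a tree (forest-level trusts between non-contiguous trees are not modelled).

```python
from collections import defaultdict

# Constructed sample: two contiguous namespaces plus their children.
SAMPLE_DOMAINS = [
    "worc.ac.uk",
    "staff.worc.ac.uk",
    "students.worc.ac.uk",
    "lab.students.worc.ac.uk",
    "example.org",
    "sales.example.org",
]


def parent_of(domain, domains):
    """Return the closest enclosing domain present in `domains`, or None.

    A domain is contiguous with another when its DNS name ends with
    '.' plus the other's name (child.parent.tld sits under parent.tld).
    """
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def domain_trees(domains):
    """Group domains into trees keyed by root (a domain with no parent in the set)."""
    names = set(domains)
    children = defaultdict(list)
    roots = []
    for d in sorted(names):
        p = parent_of(d, names)
        if p is None:
            roots.append(d)
        else:
            children[p].append(d)
    trees = {}
    for root in roots:
        members, stack = [], [root]
        while stack:               # walk each tree from its root downwards
            cur = stack.pop()
            members.append(cur)
            stack.extend(children[cur])
        trees[root] = sorted(members)
    return trees


def automatic_trusts(domains):
    """Parent/child pairs between which a trust is created automatically."""
    names = set(domains)
    pairs = []
    for d in names:
        p = parent_of(d, names)
        if p is not None:
            pairs.append((p, d))
    return sorted(pairs)


def can_authenticate(domain_a, domain_b, domains):
    """True when both domains are in the same tree: trusts are transitive within a tree."""
    trees = domain_trees(domains)
    return any(domain_a in m and domain_b in m for m in trees.values())


if __name__ == "__main__":
    for root, members in domain_trees(SAMPLE_DOMAINS).items():
        print(root, "->", members)
    print(automatic_trusts(SAMPLE_DOMAINS))
```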
Access to Network Resources and Security Controls
- The set of security mechanisms used to define what a user can access after logging on to a secured environment
  - enforce “authorisation”
  - “identification” and “authentication” may also be associated with logging on
- Effect includes:
  - access to systems & resources
  - interactions users can perform
Mechanism of Access Control in Windows
- User management level:
  - pre-defined Groups for Users to belong to
  - control of file and service access permissions
  - trusted relationships across domains
- Translated down to system level by…
  - System Policies and Group Policies
  - Control of user and system desktop settings
Control of End User and System Settings
- In Windows, ultimately, controls user access through the local Windows registry
  - first made available to simplify configuration in Windows 95
    » effectively replaced CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI and WIN.INI by a single structure
  - all settings saved into a hierarchical data file called SYSTEM.DAT
- Principles later extended to networks…
The local registry and Windows networks
- Like Windows 95, Windows NT v4 allowed system and user settings to be configured locally by registry overwrite files
- However, it also made it possible for files within a network to overwrite the local registry as well…
  - facility available on any Windows client machine that used a Windows registry
What is The Registry?
- Five basic subtrees:
  - HKEY_LOCAL_MACHINE: local computer info. Does not change no matter which user is logged on
  - HKEY_USERS: default user settings
  - HKEY_CURRENT_USER: current user settings
  - HKEY_CLASSES_ROOT: software config data
  - HKEY_CURRENT_CONFIG: “active” hardware profile
- Each subtree contains one or more subkeys
Editing Registry Settings
- Generally…. DON’T!!! Contents of the registry should not be changed in any way unless you really know what you are doing!!!
- Special tools available e.g. REGEDT32 for those with experience:
  - used to edit local registry settings on Windows NT systems
- Bearing in mind, however, that registry settings can also be overwritten in memory by data downloaded across the network…
System Policy File
- Consists of a collection of registry settings
- Can apply different system settings to a computer, depending on the user or group logging on
- Can overwrite:
  - local machine registry settings
  - current user registry settings
- Should therefore only be used by those who know what they are doing!!!
System Policy File NTCONFIG.POL
- provides a list of desktop settings, and therefore can be used to control aspects of appearance of the desktop
- held on Domain Controllers
- read during logon procedure
- Different NTCONFIG.POL files can be applied to:
  - groups
  - users
  - computers
What is a Security Policy?
- A set of rules and procedures that state the access rights and privileges of a particular user/group of users
- Should also:
  - confirm the identity of the people that are attempting to access the network
  - prevent imposters from accessing, stealing, or damaging system resources
Implementation of Security Policy
- Intention:
  - create a computing environment that provides users with all of the information and resources they need to be successful
  - protect the information and resources on the network from damage and unauthorized access
Group Policy in Windows 2000 (and subsequent) Networks
- Group Policy settings define access to local and network resources from the user's desktop environment:
  - e.g. Start menu options
    » provide access to programs/resources that user needs to use
- Group Policy Objects used with authenticated users to enhance flexibility and scalability of security beyond “domains”, and “NT trusted domains”
  - trust achieved through:
    » Active Directory – establishment of “trees”
    » Kerberos authentication
Implementation of Group Policy Objects
- Group Policy objects are EXTREMELY POWERFUL…
  - contain all specified settings to give a group of users their desktop with agreed security levels applied
  - template editing tool available as a “snap-in” with Windows 2000
  - creates a specific desktop configuration for a particular group of users
- The GPO is in turn associated with selected Active Directory objects:
  - Sites
  - Domains
  - Organizational Units
Combined Power of Group Policies and Active Directory
- Enables written user/group policies to be easily implemented in software
- Enables policies to be applied across whole domains:
  - beyond, in trusted contiguous domains in the domain tree
  - or even across any non-contiguous domains in the same forest
- Because Active Directory is X.500 compliant, all the principles of directory services apply
Authentication Factors
- Classified as type 1, type 2, or type 3:
- Type 1: Knowledge based (what user knows)
  - information provided based on unique knowledge of the individual being authenticated
- Type 2: Token based (what user has/does)
  - information comes from a token generated by a particular system
  - token is tied in some way to the user logging on
  - generally not considered a good idea on its own because someone else could have stolen/copied it
- Type 3: Characteristic based (what user is)
  - biometric data from the person logging in
One Time Passwords (OTP)
- Can only be used once…
- If user gets it wrong, becomes invalid…
  » locked out
  » has to contact administrator to reset
- Implemented as a type 2 factor
  - password characters randomly generated
- If used properly…
  - very secure indeed
  - problem: degree of randomness…
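The single-use and lockout behaviour on this slide, as an added example that is not part of the lecture: a small store that issues one randomly generated password per user from the operating system's CSPRNG, accepts it once, invalidates it on a wrong attempt so the user is locked out until an administrator reissues, and reports how much randomness a password of a given length actually carries. The class and its method names are this example's own.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols


class OneTimePasswordStore:
    """Per-user one-time passwords: issued once, accepted once, void after a wrong guess."""

    def __init__(self, length=12):
        self.length = length
        self._pending = {}        # user -> currently valid OTP (absent = nothing valid)
        self.locked_out = set()   # users who must contact an administrator for a reset

    def issue(self, user):
        """Administrator step: generate a fresh OTP and clear any lockout."""
        otp = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self._pending[user] = otp
        self.locked_out.discard(user)
        return otp

    def verify(self, user, attempt):
        """One attempt per issued password: right or wrong, the password is consumed."""
        current = self._pending.pop(user, None)
        if current is None:
            return False          # nothing issued, already used, or locked out
        # Constant-time comparison so a wrong guess leaks nothing through timing.
        if hmac.compare_digest(current.encode(), attempt.encode()):
            return True
        self.locked_out.add(user)
        return False


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of randomness in a password of `length` uniformly chosen symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    store = OneTimePasswordStore()
    otp = store.issue("alice")
    print("first use:", store.verify("alice", otp))      # True
    print("second use:", store.verify("alice", otp))     # False, already consumed
    print("entropy of 12 symbols:", round(entropy_bits(12), 1), "bits")
```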
Single Sign On (SSO)
- Logon once…
  - authenticated for all servers in that environment
- More a convenience matter than a security issue
  - only one set of authentication factors needed
  - single username/authentication factor database covering all servers
- SOME very secure environments have dropped SSO in favour of separate logon for each server
  - arguable whether this is necessary but avoids the “all eggs in one basket” argument
Password Administration
- Three aspects:
  - Selection
    » should be a company IS policy that includes choice of password
    » generally no. of characters is a good match with strength – the higher the better
  - Management
    » selection & expiration period must comply with policy
  - Control
    » policy should be enforced by the network itself
    » usually achieved through use of “group policies”
Access Control Techniques
- Discretionary (DAC)
  - access to files/resources controlled by administrator
  - Achieved through ACLs (Access Control Lists)
    » consist of ACEs (Access Control Entries)
  - the granting of access can be audited
- Mandatory (MAC)
  - access dependent on rules/classifications
  - classification dependent on security clearance levels
  - hierarchical or compartmentalised, or hybrids
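The DAC and MAC techniques above, as an added example rather than the lecture's own material: an ACL made of allow and deny ACEs evaluated against a user and their groups (deny entries take precedence, and every grant is appended to an audit list), next to a hybrid MAC rule in which a subject may read an object only when its clearance level is at least the object's classification and it holds every compartment the object is labelled with. The principal names, permissions and labels are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ACE:
    principal: str      # user or group name
    allow: bool         # True = allow entry, False = deny entry
    permissions: set    # e.g. {"read", "execute", "write", "modify", "full_control"}


@dataclass
class ACL:
    entries: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (user, permissions) for each grant

    def check(self, user, groups, wanted):
        """DAC decision: every wanted permission must be allowed and none denied."""
        principals = {user, *groups}
        allowed, denied = set(), set()
        for ace in self.entries:
            if ace.principal not in principals:
                continue
            (allowed if ace.allow else denied).update(ace.permissions)
        granted = wanted <= allowed and not (wanted & denied)
        if granted:
            self.audit.append((user, tuple(sorted(wanted))))
        return granted


# Hierarchical levels; compartments add the "need to know" dimension (hybrid MAC).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def mac_can_read(subject, obj):
    """Subject clearance must dominate object classification: level and compartments."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


def demo():
    """Constructed sample: a shared folder's ACL and one compartmented document."""
    acl = ACL([
        ACE("Staff", True, {"read", "execute"}),
        ACE("Editors", True, {"write", "modify"}),
        ACE("Contractors", False, {"write"}),        # explicit deny, wins over allow
    ])
    dac = {
        "alice_read": acl.check("alice", {"Staff", "Editors"}, {"read"}),
        "alice_modify": acl.check("alice", {"Staff", "Editors"}, {"modify"}),
        "bob_write": acl.check("bob", {"Staff", "Editors", "Contractors"}, {"write"}),
        "eve_read": acl.check("eve", set(), {"read"}),
    }
    analyst = Label("secret", frozenset({"payroll"}))
    doc = Label("confidential", frozenset({"payroll", "mergers"}))
    # Level is sufficient but the "mergers" compartment is missing, so read is refused.
    return dac, mac_can_read(analyst, doc), len(acl.audit)


if __name__ == "__main__":
    print(demo())
```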
Remote Logon and Kerberos Authentication
- KDC can maintain a secure database of authorised users, passwords & domain names
  - maintained throughout an Active Directory domain tree using Kerberos V5 security protocol
  - uses strong encryption
  - freely available from its inventor, MIT
- Active Directory + Kerberos = Very Powerful combination
  - can even be used to authenticate across mobile & wireless networks
![Page 37: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/37.jpg)
Components of “Enterprise wide” Login with Kerberos authentication
Active Directory tree logically connects and “trusts” servers throughout the enterprise
Servers in their turn control access to users within domains
Group(s) selected during the user authentication process
Group Policy Objects invoked which rewrite registry settings and control client desktops
![Page 38: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/38.jpg)
How much security should be applied to domain users?
General rule: don’t give a user more rights than they actually need
Think carefully…
» identify security privileges appropriate to different types of user
» create a group based on each type of user
Allocate each new user to an appropriate group
» automatically will have appropriate access rights…
![Page 39: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/39.jpg)
Users, Groups, Security, and NTFS partitions
Any file or folder on an NTFS partition will have file permissions imposed
Typical permissions:
» No Access
» Read only
» Read and Execute
» Write
» Modify
» Ownership/Full Control
Much wider range of permissions available
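The three slides on access control techniques, group-per-user-type and NTFS permissions describe one mechanism from three angles: an ACL made of ACEs, resolved through the groups a user belongs to, yielding one of the named permission sets. The model below is an added example, not the course's code and not Windows' own ACL algorithm, that puts them together: allow and deny entries for users and groups, the rule that an explicit deny beats an allow, a record of each decision so granting can be audited, and, for contrast, a mandatory (MAC) check where clearance level and compartments decide instead of an administrator. The mapping of rights onto the slide's permission names, the sample directory and the payroll ACL are assumptions.

```python
"""Model of the two access-control techniques on the slides: discretionary
control through an ACL of ACEs (resolved via group membership, as the
group-per-user-type and NTFS permission slides describe) and a mandatory
clearance/classification check. Added illustration, not the course's code
nor Windows' own ACL algorithm; the right-to-permission-set mapping and the
sample directory are assumptions."""
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()
    TAKE_OWNER = auto()


# Named NTFS-style permission sets from the slide, as assumed combinations.
NO_ACCESS = Right(0)
READ_ONLY = Right.READ
READ_EXECUTE = Right.READ | Right.EXECUTE
WRITE = Right.WRITE
MODIFY = READ_EXECUTE | Right.WRITE | Right.DELETE
FULL_CONTROL = MODIFY | Right.CHANGE_PERMS | Right.TAKE_OWNER


@dataclass(frozen=True)
class ACE:
    trustee: str          # a user or a group
    rights: Right
    allow: bool = True    # False makes this an explicit deny entry


# Constructed sample directory: user -> groups (one group per type of user).
GROUPS = {
    "alice": {"Finance", "Staff"},
    "bob": {"Staff"},
    "carol": {"Contractors"},
}

AUDIT_TRAIL = []          # (user, requested rights, granted?) for every decision


def effective_rights(user, acl):
    """Union the allows for the user and all their groups, then strip anything
    explicitly denied: a deny wins over an allow whatever the ACL order."""
    principals = {user} | GROUPS.get(user, set())
    allowed, denied = Right(0), Right(0)
    for ace in acl:
        if ace.trustee in principals:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    return allowed & ~denied


def check_access(user, acl, wanted):
    """DAC decision: granted only if every requested right is effective.
    Each decision is recorded so that the granting of access can be audited."""
    granted = (effective_rights(user, acl) & wanted) == wanted
    AUDIT_TRAIL.append((user, wanted, granted))
    return granted


# Constructed ACL on a payroll share. carol is allowed directly but her
# group is denied, so the deny prevails and she gets nothing.
PAYROLL_ACL = [
    ACE("Finance", MODIFY),
    ACE("Staff", READ_EXECUTE),
    ACE("carol", READ_ONLY),
    ACE("Contractors", READ_ONLY, allow=False),
]

# Mandatory access control: rules and classifications decide, not an owner
# or administrator. Hierarchical levels plus compartments, i.e. a hybrid.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. frozenset({"payroll"})


def mac_can_read(subject, obj):
    """'No read up' on the level, and the subject must hold every compartment
    the object carries; a missing compartment blocks even a higher clearance."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)
```

Adding a user to the right group is the whole provisioning step in this model: alice inherits Modify from Finance without any per-user entry, which is the "automatically will have appropriate access rights" point of the group-per-user-type slide, while the AUDIT_TRAIL list is where an auditor would look to see who was granted what.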
![Page 40: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/40.jpg)
Point for debate: is “read only” access dangerous?
If information held on server, and accessed by dumb terminals…
» secure enough!
» this was the case in the days of centralised networks with no distributed processing
With client-server networking, read only means “the user can take a copy”
» is this dangerous, from an organisational security point of view?
![Page 41: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/41.jpg)
What if the network goes wrong? Accountability
The broad security concept of being able to hold a human to account for their actions using …
» a strong authentication environment so one user cannot masquerade as another
» strict imposition of “least privilege”
» regular monitoring of the network environment
» rigorous inspection of audit logs
![Page 42: COMP3123 Internet Security](https://reader036.vdocuments.us/reader036/viewer/2022070411/5681480b550346895db53c06/html5/thumbnails/42.jpg)
What if the network goes wrong? Auditing
Essential component of security monitoring
A network can generate lots of data on a wide variety of network functions and results they return
» this is readily customisable to focus on, for example, the behaviour of particular users or resources
» data normally saved as timestamped .log files
» audit files help to ensure accountability for user behaviour
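The accountability and auditing slides say the audit data is timestamped, can be focused on particular users or resources, and is what lets an administrator hold a user to account. The script below is an added example, not course material, that does exactly that over a small constructed log: parse the records (skipping a malformed line rather than aborting the review), filter by user or resource, summarise who did what, and flag a burst of failed logons, the kind of pattern "rigorous inspection of audit logs" is meant to catch. The record format, the user and host names and the thresholds are assumptions; the Windows Security event log has its own event IDs and fields.

```python
"""Audit-log review as the slides describe: timestamped records, filtered to a
particular user or resource and summarised to show who did what, plus one
check that turns a log into accountability (repeated failed logons). Added
illustration over a constructed log; not course material, and the record
format is an assumption, not the Windows Security event log."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp, event type, key=value fields.
SAMPLE_LOG = r"""
2011-10-12 08:58:40 LOGON_OK user=alice src=10.0.0.7 ws=WS-FIN01
2011-10-12 09:01:03 LOGON_FAIL user=bob src=10.0.0.5 ws=WS-SALES03
2011-10-12 09:01:09 LOGON_FAIL user=bob src=10.0.0.5 ws=WS-SALES03
2011-10-12 09:01:15 LOGON_FAIL user=bob src=10.0.0.5 ws=WS-SALES03
2011-10-12 09:01:22 LOGON_FAIL user=bob src=10.0.0.5 ws=WS-SALES03
2011-10-12 09:02:00 LOGON_OK user=bob src=10.0.0.5 ws=WS-SALES03
2011-10-12 09:15:31 FILE_READ user=alice res=\\FS1\payroll\q3.xlsx
2011-10-12 09:16:02 FILE_WRITE user=alice res=\\FS1\payroll\q3.xlsx
2011-10-12 09:40:10 ACCESS_DENIED user=bob res=\\FS1\payroll\q3.xlsx
2011-10-12 09:41:00 FILE_READ user=bob res=\\FS1\public\notice.txt
2011-10-12 11:00:00 FILE_READ user=carol res=\\FS1\public\notice.txt
garbled line that should be skipped, not crash the review
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)(.*)$")


def parse_line(line):
    """One record as a dict, or None for a line that is not a well-formed record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event": event, **fields}


def load(text):
    return [r for r in map(parse_line, text.strip().splitlines()) if r]


def filter_records(records, user=None, resource=None):
    """Focus the review on one user and/or one resource, as the slide suggests."""
    return [r for r in records
            if (user is None or r.get("user") == user)
            and (resource is None or r.get("res") == resource)]


def summarise(records):
    """Event counts per user: the 'who did what' view of the log."""
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r.get("user", "?")][r["event"]] += 1
    return {u: dict(c) for u, c in per_user.items()}


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGON_FAIL records inside `window`
    (a mistyped password or something worse; either way worth a look).
    Returns {user: (first, last)} for the first such burst found per user."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON_FAIL" and "user" in r:
            fails[r["user"]].append(r["ts"])
    bursts = {}
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[user] = (times[i], times[i + threshold - 1])
                break
    return bursts
```

Run against the sample, filter_records(load(SAMPLE_LOG), resource=r"\\FS1\payroll\q3.xlsx") gives the full history of one file (two actions by alice, one refusal for bob), and failed_logon_bursts picks out bob's four failures in twenty seconds followed by a success; the accountability slide's point is that with strong authentication behind these records, "bob" in the log really is bob.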