Windows 2000 Security


M04, Josef Beeking

Terminology - Security

- Access Control List - An Access Control List is a list of Access Control Entries (ACEs) stored with the object it protects
- ACE Inheritance - Inheritance allows a given ACE to be propagated from the container where it was applied to all children of the container
- Delegation - Delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups
- Certificate Authority - A Certificate Authority (CA) is simply an entity or service that issues certificates
- Encrypting File System (EFS) - EFS provides the core file encryption technology to store Windows NT file system (NTFS) files encrypted on disk
- IPSEC - IPSEC defines protocols for network encryption at the IP protocol layer
- Kerberos - A transitive and hierarchical security protocol that is an Internet security standard
- Public Key Infrastructure (PKI) - An integrated set of services and administrative tools for creating, deploying, and managing public-key-based applications

Terminology - Groups

- Domain Local Group - A Domain Local group can be used on ACLs only in its own domain
- Global Group - A Global group can appear on ACLs anywhere in the Forest
- Local Group - As in earlier versions of Windows NT, administrators on member servers and workstations can create Local groups
- Universal Group - A Universal group is the simplest form of group

Encrypting File System (EFS)

- Utilized to protect sensitive data
- Encryption is done on the file or the parent directory
- Encryption is set in the advanced attributes page of the file or directory
- Deployment: cannot encrypt and compress

Encrypting File System (EFS) - Recovery

- Utilized to protect sensitive data
- Encryption is done on the file or the parent directory
- Encryption is set in the advanced attributes page of the file or directory
- Designated Recovery Agents can recover encrypted data for a domain
- There must be at least one Recovery Agent
- Recovery keys can be exported as a file and kept physically secure (e.g. floppy)

Intrinsic Security - Agenda

- Introduction
- Access Control: Rights, Permissions, Inheritance
- Delegated Administration
- Defined attributes of intrinsic security
- Rules for inheritance
- Object and attribute security

Intrinsic Security - Access Control

Rights
- Apply to groups and users
- Define the capability to perform an operation (backup files, etc.)

Permissions
- Security attributes of an object
- Specify who and what
- Rights may override Permissions
- Permissions may be applied at the object or attribute level
- Scope of permissions: Current Object; Object and its children; Only to children; Only to specific children

Intrinsic Security - Delegation

- Delegate the entire container or 4 different sub-container attributes
- 6 types of general permissions
- 54 individual property permissions
- 88 individual creation/deletion permissions
- Delegate the Entire Container when: the scope of administration will not be restricted; when passing authority for a sub-tree
- Delegate a Partial Container when: assigning authority for task administration (printers, users, etc.)

Intrinsic Security - Rules for Delegation

- Restrict permissions that have wide scopes
- Never delegate an entire container except when no higher authority exists
- Task delegation: grant only the permissions necessary for the task

Recommended Delegation (IT Structure)

[Diagram: an IT structure containing Computers, Users and Printers, with three delegations]
- Delegated to Admins: may not modify access rights, or create/delete containers or IntelliMirror groups.
- Delegated to Account Admins-MANF: may only create/delete user and group objects.
- Delegated to Printer Admins-MANF: may only create/delete printer objects.
- Administration models: Centralized, Decentralized, Distributed
- Always task based; permissions are always delegated; limited

Intrinsic Security - Summary

- Server Roles, Security Policies, Rights and Permissions, Inheritance, Access Control, Delegated Administration
- Security is the balance between providing easy access and protecting valuable data
- Various types of security in Windows 2000: Kerberos, PKI, IPSec, Certificate Authorities, Security Configuration Editor, Policy based security
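The permission scopes and task-based delegation above can be checked mechanically. The following is an added example written for this page, not code from the course: it models the four ACE scopes the deck lists (current object, object and children, only children, only specific children), propagates ACEs down a small OU tree, and applies the Deny-overrides-Allow rule. The object classes, the group names "Account Admins-MANF" and "Printer Admins-MANF" used as trustees, and the "write-dacl" right are constructed for illustration.

```python
"""ACE inheritance scopes and task-based delegation, modelled on the four permission
scopes listed in the deck. Added example: the object classes, group names and the
"write-dacl" right are constructed for illustration, not taken from the course."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Scope(Enum):
    OBJECT_ONLY = "current object"
    OBJECT_AND_CHILDREN = "object and its children"
    CHILDREN_ONLY = "only to children"
    SPECIFIC_CHILDREN = "only to specific children"   # filtered by object class


@dataclass(frozen=True)
class ACE:
    trustee: str                       # group or user the entry is about
    rights: frozenset                  # e.g. {"create", "delete"}
    allow: bool = True                 # False = explicit Deny
    scope: Scope = Scope.OBJECT_AND_CHILDREN
    child_class: Optional[str] = None  # only meaningful for SPECIFIC_CHILDREN


@dataclass
class ADObject:
    name: str
    obj_class: str
    aces: List[ACE] = field(default_factory=list)             # explicit ACEs on this object
    children: List["ADObject"] = field(default_factory=list)


def effective_acl(root: ADObject) -> Dict[str, List[Tuple[ACE, str]]]:
    """Propagate ACEs down the tree. For each object return the ACEs that apply to it,
    paired with the name of the container they were set on, so a reviewer can see
    where an unexpected right came from."""
    result: Dict[str, List[Tuple[ACE, str]]] = {}

    def walk(obj: ADObject, inherited: List[Tuple[ACE, str]]) -> None:
        applies = [(ace, origin) for ace, origin in inherited
                   if ace.scope != Scope.SPECIFIC_CHILDREN or ace.child_class == obj.obj_class]
        applies += [(ace, obj.name) for ace in obj.aces
                    if ace.scope in (Scope.OBJECT_ONLY, Scope.OBJECT_AND_CHILDREN)]
        result[obj.name] = applies
        # Everything except "current object" ACEs keeps flowing to the children.
        passed_down = inherited + [(ace, obj.name) for ace in obj.aces if ace.scope != Scope.OBJECT_ONLY]
        for child in obj.children:
            walk(child, passed_down)

    walk(root, [])
    return result


def has_right(acl: List[Tuple[ACE, str]], groups: Set[str], right: str) -> bool:
    """Deny wins over Allow; a right is held only if some Allow ACE names one of the caller's groups."""
    if any(not ace.allow and ace.trustee in groups and right in ace.rights for ace, _ in acl):
        return False
    return any(ace.allow and ace.trustee in groups and right in ace.rights for ace, _ in acl)


def build_manf_ou() -> ADObject:
    """Constructed sample: the MANF OU delegated the way the deck recommends (task based:
    account and printer admins get create/delete on their own object classes only, and
    no right to modify access rights)."""
    cd = frozenset({"create", "delete"})
    manf = ADObject("OU=MANF", "organizationalUnit", aces=[
        ACE("Account Admins-MANF", cd, scope=Scope.SPECIFIC_CHILDREN, child_class="user"),
        ACE("Account Admins-MANF", cd, scope=Scope.SPECIFIC_CHILDREN, child_class="group"),
        ACE("Printer Admins-MANF", cd, scope=Scope.SPECIFIC_CHILDREN, child_class="printQueue"),
        ACE("Domain Admins", cd | {"write-dacl"}),            # object and all children
    ])
    manf.children = [
        ADObject("CN=juser", "user"),
        ADObject("CN=MANF-Operators", "group"),
        # An explicit Deny on one printer shows Deny overriding the delegated Allow.
        ADObject("CN=LaserJet-1", "printQueue",
                 aces=[ACE("Printer Admins-MANF", frozenset({"delete"}), allow=False, scope=Scope.OBJECT_ONLY)]),
        ADObject("OU=Shift2", "organizationalUnit", children=[ADObject("CN=suser", "user")]),
    ]
    return manf


if __name__ == "__main__":
    for name, entries in effective_acl(build_manf_ou()).items():
        print(name, [(a.trustee, sorted(a.rights), "allow" if a.allow else "deny", origin) for a, origin in entries])
```

Run it and the printout shows that the account admins' ACEs reach suser two levels down but never attach to the Shift2 OU or to the printer, that the printer admins never acquire write-dacl anywhere, and that the single Deny on LaserJet-1 beats the inherited Allow.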

Groups - Agenda

- Purpose and Function
- Global, Domain Local, Universal: defined, purpose, design considerations
- New and improved for Windows 2000: Universal groups, Domain Local groups, Global groups, group nesting; security groups may contain Users and Computers, which eases account management

Security Structures

- Hierarchical management: use security structures to reflect the administrative hierarchy
- Groups contain security principals, contain other groups, and manage groups
- Reduces the points of administration

Global Groups

- May contain members only from the hosting domain
- Members may include User objects and Global groups from their own domain
- May be members of Universal and Domain Local groups
- Usage: controlled membership scope; foundation of security structures; assign to resources anywhere

[Diagram: Global groups per domain - Admins, Account Admins, Printer Admins, SQL Admins and a Users group containing all users in that domain]

Domain Local Groups

- May contain members from any domain
- Members may include User objects, Universal and Global groups, and Domain Local groups from their own domain
- May be members of Domain Local groups*
- Intended for local usage and global membership
- Parent of the security structure for the local domain
- Can only be used in its own domain

[Diagram: a Domain Local "Admins" group containing the Global "Admins" groups of two domains (members muser/madmin and duser/dadmin)]

Universal Groups

- May contain members from any domain
- Members may include User objects, Global groups and Universal groups from any domain
- May be members of Domain Local and Universal groups
- Referenced from any domain
- Usage: build structure (child and parent); should contain only other groups; use cautiously; restricts the ability to create

[Diagram: a Universal "Admins" group containing Global "Admins" groups from several domains and placed in a Domain Local "Admins" group; the Domain Local group can only be used in its own domain, the Universal group is referenced from any domain]

Groups - Design Considerations

[Diagram: Global "Admins" and "Users" groups nested in a Universal "All Users" group that is referenced from any domain, and placed in Domain Local groups that can only be used in their own domain]

- Foundation of user management
- Plan well: user classifications; a basis for policy
- Performance: Universal group membership is well known

Mixed Mode Restrictions

- Universal groups are for distribution only
- Global groups may only contain accounts and may not be nested
- Local groups may contain accounts and global groups but may not be nested

Groups - Summary

| Scope        | Membership                                 | Use                                             |
| Global       | Contain members only from the local domain | Provide access to resources anywhere            |
| Domain Local | Contain members from any domain            | Provide access to resources in a single domain  |
| Universal    | Contain members from any domain            | Provide access to resources anywhere            |

- Plan well: administrative units; Global Catalog implications

Group Policy - Agenda

- Concepts
- Policy Selection
- Rules of Policy
- Policy Planning
- Design Considerations
- Defining Policy: understanding the architecture; rules of policy; the ease of policy; the web of policy; design impact of policy
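The membership and usage rules for the three group scopes, including the mixed-mode restrictions, are easy to get wrong when a structure spans domains. The checker below is an added example, not course material: it encodes the rules exactly as the slides state them and validates an account-to-group-to-ACL chain. The chain it checks (madmin in domain NE, an "Admins" Global group in NE nested into an "Admins" Domain Local group in NW) is constructed to match the deck's diagrams; the domain names and principal names are assumptions.

```python
"""Group scope rules from the deck (Global, Domain Local, Universal, plus the mixed-mode
restrictions) as a checker. Added example, not course material; the sample chain is
constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class GroupScope(Enum):
    GLOBAL = "global"
    DOMAIN_LOCAL = "domain local"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: Optional[GroupScope] = None   # None = user or computer account


def can_be_member(member: Principal, group: Principal, native_mode: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group`."""
    if group.scope is None:
        return False, "accounts have no members"
    same_domain = member.domain == group.domain
    is_account = member.scope is None
    if group.scope is GroupScope.GLOBAL:
        if not same_domain:
            return False, "global groups contain members only from the hosting domain"
        if is_account:
            return True, "account from the hosting domain"
        if member.scope is GroupScope.GLOBAL:
            if not native_mode:
                return False, "mixed mode: global groups may only contain accounts"
            return True, "global group from the same domain (nesting)"
        return False, f"global groups cannot contain {member.scope.value} groups"
    if group.scope is GroupScope.DOMAIN_LOCAL:
        if is_account or member.scope is GroupScope.GLOBAL:
            return True, f"{'account' if is_account else 'global group'} from any domain"
        if member.scope is GroupScope.UNIVERSAL:
            if not native_mode:
                return False, "mixed mode: universal groups are distribution only"
            return True, "universal group from any domain"
        if not native_mode:
            return False, "mixed mode: local groups may not be nested"
        if not same_domain:
            return False, "domain local groups nest only within their own domain"
        return True, "domain local group from the same domain (nesting)"
    # group.scope is UNIVERSAL
    if not native_mode:
        return False, "mixed mode: universal groups are distribution only"
    if is_account or member.scope in (GroupScope.GLOBAL, GroupScope.UNIVERSAL):
        return True, "members may come from any domain"
    return False, "universal groups cannot contain domain local groups"


def can_appear_on_acl(group: Principal, resource_domain: str) -> bool:
    """Domain Local groups go on ACLs only in their own domain; Global and Universal anywhere."""
    if group.scope is GroupScope.DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.scope is not None


def check_chain(chain: List[Principal], resource_domain: str, native_mode: bool = True) -> List[str]:
    """Validate an account -> group -> ... -> group chain whose last group sits on a resource ACL."""
    problems = []
    for member, group in zip(chain, chain[1:]):
        ok, why = can_be_member(member, group, native_mode)
        if not ok:
            problems.append(f"{member.name} -> {group.name}: {why}")
    if not can_appear_on_acl(chain[-1], resource_domain):
        problems.append(f"{chain[-1].name} cannot be placed on an ACL in {resource_domain}")
    return problems


def sample_chains() -> Tuple[List[Principal], List[Principal]]:
    """Constructed: the deck's pattern (user in a Global group, nested in a Domain Local group
    of the resource domain) and a broken variant that puts a Domain Local group from another
    domain on the ACL."""
    madmin = Principal("madmin", "NE")
    ne_admins_global = Principal("Admins (global, NE)", "NE", GroupScope.GLOBAL)
    nw_admins_local = Principal("Admins (domain local, NW)", "NW", GroupScope.DOMAIN_LOCAL)
    ne_admins_local = Principal("Admins (domain local, NE)", "NE", GroupScope.DOMAIN_LOCAL)
    return [madmin, ne_admins_global, nw_admins_local], [madmin, ne_admins_local]


if __name__ == "__main__":
    good, bad = sample_chains()
    print("good chain:", check_chain(good, "NW") or "ok")
    print("bad chain: ", check_chain(bad, "NW"))
```

The good chain passes in both native and mixed mode, because it nests nothing that mixed mode forbids; the bad chain fails only at the ACL step, which is the mistake the "can only be used in its own domain" rule is there to catch.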

Group Policy - Concepts

- Policy: the ability for a wish to be stated once and carried out many times
- Group Policy is associated with a container; policy applies to users and computers within a container
- Policy is processed by the computer at startup and by the client at logon
- Refresh occurs every 90 minutes (with a 30 min. offset)
- A GPO (Group Policy Object) is a collection of settings that will affect a given user or computer
- Group Policy affects subjects regardless of physical location
- A single GPO may contain hundreds of individual settings
- A GPO is made up of a GPT stored on SysVol and a GPC stored in the Active Directory
- Group Policy may be associated with the Local computer, Site(s), Domain(s), or Organizational Unit(s) (SDOU)

Rules of Policy

- Inheritance: GP is inherited by children within a domain
- Cumulation: GP aggregates and accumulates
- Filtering: GP may be targeted at specific groups of users or computers through filtering

Inheritance

- Policy is inherited by child containers (a Site acts like a parent of both Domain and OU)
- Inheritance may be influenced in two ways: Blocking, a flag on a container that applies to the entire container; and Enforcement by the GPO, specified on a per-policy basis
- By default a GPO is inherited
- The Block Policy Inheritance flag blocks all inherited policy; blocking policy also prevents further inheritance by child containers

[Diagram: a GPO linked to a parent container is inherited by a Users OU by default; with the Block Policy Inheritance flag (STOP) set on the OU, the GPO is not applied to it]

Inheritance - No Override

- The No Override flag may be set on each GPO
- Negates the effect of Blocking containers
- Does not allow any settings within the policy to be overridden

Inheritance - Sites and Policy

- Sites act like parents of domains for the purpose of policy
- This means that Site Policy may affect only a portion of a Domain or OU
- For a site that spans two domains, the Site's actual GPO is stored in one of the domains

[Diagram: Site-A has a GP with No Override, Site-B has a GP that a Users OU blocks (STOP). All users in Site-A receive the Site-A GP; only the users in Site-B in the Domain receive the Site-B GP]

Cumulation

- Cumulation: policy is applied sequentially in order of priority setting
- Applies to containers and inheritance
- May be aggregate or truly cumulative
- Most duplicated policies will be set multiple times (cumulative)
- Tiered policy such as scripts and software installation may aggregate

Cumulation - Effective Policy

[Diagram: GP1 sets A and B; GP2 sets A to 0; GP3 adds C. The Effective Policy after all three is A-0, B as set by GP1, and C as set by GP3]

- Policies are applied by SDOU, in order
- Overriding policy: the applicable effects of policy = Effective Policy
- Cumulation also applies to policies within a container
- A setting within a policy marked No Override cannot be changed at a lower level
- Tracking effective policy can be tricky, but it is critical

[Diagram, "What's my group policy?": nine GPOs GP1-GP9 linked along the path down to a Users container, each setting some of the values A to E, with GP1, GP4 and GP6 marked NoOverride]

Filtering

- Policy applies to authenticated users by default!
- Policy selection is based on the ACL
- Filtering may be inclusive, exclusive, or explicitly denied:
  - I receive policy for which I am mentioned
  - I will not receive policy that I am mentioned in but un-allowed (or not mentioned)
  - I will not receive policy for which I am mentioned and also explicitly denied

Notes on filtering

- Explicitly denying a policy will always override future grants of the policy based on other group membership (Deny overrides all other permissions)
- Un-allowing a policy has the effect of deny, except that another grant of the policy based on other group membership will allow the policy
- Always un-allow unless a group should not receive a policy under any circumstances

Filtering - Example

[Diagram: two GPOs with User settings A and B applied to a Users container holding the groups Task Users (juser), Office Users (suser) and Other Users.
 GP1 filters: Task Users (Allow), Office Users (Deny), Other Users (Deny).
 GP2 filters: Office Users (Allow), Task Users (Unallow), Other Users (Unallow).]

- GP1 denies the Other Users group, of which juser is a member: juser gets no policy
- GP2 un-allows the Other Users group, of which suser is a member: suser still gets policy because of the grant on Office Users
- Effective Policy for juser: none from GP1, none from GP2. Effective Policy for suser: none from GP1; A and B from GP2
- (Note: Cumulation and Inheritance are not included in this example)

Planning - Where to associate what

Two strategies:
- Group Based: policy based on users. Example: which users get what software?
- Task Based: policy based on action. Example: Location A must always use IPSec

- Site: network location dependent security
- Domain: enterprise business rules; domain level security
- OUs: departmental tasks

Planning - Naming GPOs

- Follow a standard naming convention: subject type, scope, intent
- The naming convention should reflect usage

Planning Guidelines - Enhancing Performance

- Limit the number of GPOs that affect any given computer or user; the number of GPOs directly affects client performance
- Use security groups to filter the effect of Group Policy; this reduces the real number of GPOs that a computer (at startup) or user (at logon) must process
- Disable unused portions of the GPO: the User or Computer portion of a GPO may be disabled
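The three rules (inheritance with blocking and No Override, cumulation, filtering) interact, which is why the deck warns that tracking effective policy is tricky. The following is an added example, not the course's code: a small resolver that walks a Site -> Domain -> OU chain, applies Block Policy Inheritance and No Override the way the slides describe, evaluates Allow/Deny/un-allow filtering against the user's groups, and returns both the effective settings and a trace of what was applied, filtered or dropped. Container names, GPO names, the group names and the setting values are constructed; the filtering part reproduces the juser/suser case from the example above.

```python
"""Effective Group Policy for one user: inheritance along Site -> Domain -> OU, Block Policy
Inheritance, No Override, cumulation and ACL filtering, with a trace of what happened.
Added example: containers, GPO names, groups and values are constructed, not from the deck."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALLOW, DENY = "allow", "deny"                  # a group missing from the ACL is "un-allowed"
DEFAULT_ACL = {"Authenticated Users": ALLOW}   # policy applies to authenticated users by default


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    no_override: bool = False
    acl: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ACL))


@dataclass
class Container:
    name: str
    gpos: List[GPO] = field(default_factory=list)   # processing order: a later GPO overrides an earlier one
    block_inheritance: bool = False


def passes_filter(gpo: GPO, groups: Set[str]) -> bool:
    """Deny on any of the caller's groups wins; otherwise at least one group must be allowed."""
    verdicts = {gpo.acl.get(g) for g in groups}
    return DENY not in verdicts and ALLOW in verdicts


def effective_policy(chain: List[Container], groups: Set[str]) -> Tuple[Dict[str, object], List[str]]:
    """`chain` runs from the top container (Site) down to the container holding the user."""
    trace: List[str] = []
    normal: List[Tuple[GPO, str]] = []     # inheritable GPOs, in application order
    enforced: List[Tuple[GPO, str]] = []   # No Override GPOs, top container first
    for c in chain:
        if c.block_inheritance and normal:
            trace.append(f"{c.name}: Block Policy Inheritance drops {[g.name for g, _ in normal]}")
            normal = []
        for gpo in c.gpos:
            if not passes_filter(gpo, groups):
                trace.append(f"{c.name}: {gpo.name} filtered out by ACL")
                continue
            (enforced if gpo.no_override else normal).append((gpo, c.name))
    effective: Dict[str, object] = {}
    for gpo, origin in normal:
        effective.update(gpo.settings)
        trace.append(f"{origin}: applied {gpo.name} -> {gpo.settings}")
    # No Override GPOs are applied last so nothing below them can change their settings;
    # the highest container's enforced GPO is applied very last and therefore wins.
    for gpo, origin in reversed(enforced):
        effective.update(gpo.settings)
        trace.append(f"{origin}: applied {gpo.name} (No Override) -> {gpo.settings}")
    return effective, trace


def sample_chain() -> List[Container]:
    """Constructed sample: an enforced site GPO, a domain with one ordinary and one enforced GPO,
    and a Users OU that blocks inheritance and filters its own GPOs by group."""
    return [
        Container("Site-A", [GPO("GP-Site-IPSec", {"C": 1}, no_override=True)]),
        Container("Domain", [GPO("GP1", {"A": 1, "B": 1}),
                             GPO("GP-Lockdown", {"A": 2}, no_override=True)]),
        Container("OU=Users", block_inheritance=True, gpos=[
            GPO("GP2", {"A": 0, "D": 1}, acl={"Task Users": ALLOW, "Other Users": DENY}),
            GPO("GP3", {"B": 0}, acl={"Office Users": ALLOW}),   # Other Users merely un-allowed
        ]),
    ]


if __name__ == "__main__":
    users = {"juser": {"Authenticated Users", "Task Users", "Other Users"},
             "suser": {"Authenticated Users", "Office Users", "Other Users"}}
    for user, groups in users.items():
        result, trace = effective_policy(sample_chain(), groups)
        print(user, result)
        for line in trace:
            print("   ", line)
```

For juser the trace shows GP1 dropped by the block, GP2 refused by the Deny on Other Users, GP3 skipped because no group is allowed, and the two No Override GPOs still arriving through the blocked OU; for suser GP3 applies because the Office Users grant is not cancelled by Other Users being merely un-allowed.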

Planning - Best Practices

- Limit how often Group Policy is updated: limit the number of Administrators that can edit GPOs; updates require replication between all DCs
- The scope may be HUGE, for example: think of this as Regedit for the AD; application installation and removal for users and computers; Security: set file system ACLs for 2000 users or computers
- Use test GPOs

Group Policy - Summary

- Concepts, Policy Selection, Rules of Policy, Policy Planning, Design Considerations
- Objects: policy application is based on subject and object; policy applied on containers affects objects
- Inheritance, Cumulation, Filter
- Understand the impact and the implications; understand the power; understand the organizational structure
- Limiting the resources that can set policy
- Regedit for Active Directory

Security - Agenda

- Introduction
- Kerberos, PKI, IPSec
- PKI Usage
- Defining technologies and implementations; setting boundaries; security considerations; feature sets; security impact

Kerberos

- Default authentication protocol for Windows 2000
- Enables transitive trust of domains within a forest
- Mutual authentication
- Efficient authentication: the KDC is not required during resource access
- Industry standard: interoperable with any other v5 Kerberos

Kerberos Terms

- Kerberos Key Distribution Center (KDC): Authentication Server (AS), Ticket Granting Server (TGS); runs on all Domain Controllers
- Tickets: Ticket Granting Ticket (TGT), the session ticket used to acquire Tickets; Ticket, a record for client authentication at a server
- Privilege Attribute Certificate (PAC)
- Session Key
- Time Stamp... more about time stamps: SNTP is built into Windows 2000; DC time replication; client time replication; impact: non-Windows 2000 clients require an NTP client

Windows 2000 Kerberos - Local Logon

- Local Account: logon to the local machine uses MSV1_0 (NTLM)
- Kerberos fails and GINA (Global Identification Network Authentication) tries the next authorization package

Windows 2000 Kerberos - Domain Logon

- User -> KDC: AS Req (Name, Dom, Serv)
- KDC -> User: AS Reply (TGT)
- User -> KDC: TGS Req (TGT, Name, Dom, Serv)
- KDC -> User: TGS Rep (Workstation Key)

Kerberos Resource Access - Same Domain / Kerberos - Cross Realm

[Diagram: juser and the NE KDC on one side, Bob and the NW KDC on the other, the .com KDC between them; messages numbered 1-8 as listed below]

juser wants access to BOB in the NW realm (domain):
1) juser sends a TGS_REQ to the NE KDC
2) the NE KDC replies with a session key for the next realm
3) juser sends a TGS_REQ to the .com KDC with target info
4) the .com KDC replies with a session key for NW
5) juser sends a TGS_REQ to the NW KDC with target info
6) the NW KDC replies with a TGT and authorization data for Bob
7) juser sends an AP_REQ to Bob with the TGT and authorization data
8) Bob replies with an authenticator (optional)
* The same session ticket is used for subsequent access to Bob

Windows 2000 Kerberos Interoperability

- A Windows 2000 Workstation can use a UNIX KDC
- For database servers not using Windows 2000's access control (name based on authentication only), it can only validate the user name
- Windows 2000 interoperates with MIT's KDCs in cross-realm trusts, using shadow/proxy accounts in the Windows 2000 domain
- Windows 2000 cannot use MIT's KDCs as the authentication server (interactive logon): MIT's implementation misses several services necessary for Kerberos in Windows 2000
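The eight-message cross-realm flow above is easier to follow when the key that seals each ticket is made explicit. The simulation below is an added example, not the course's material or a real Kerberos implementation: each KDC holds its realm's principal keys plus one shared inter-realm key per trusted neighbour, the client follows referrals from its home realm through the parent realm to the target realm, and the server validates the final ticket with its own key and no KDC round trip, which is the "KDC not required during resource access" property the deck states. Tickets are HMAC-sealed rather than encrypted (a deliberate simplification that still shows which key each hop must hold), and the realm names NE, ROOT and NW, the principals juser and bob, and the ticket lifetime are constructed.

```python
"""Simulation of the deck's cross-realm ticket flow. Added example, not course material.
Simplification: tickets are HMAC-sealed, not encrypted, which is enough to show which shared
key each hop needs; realm and principal names are constructed."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

TICKET_LIFETIME = 600  # seconds; constructed value


def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: dict) -> dict:
    body = bytes.fromhex(ticket["body"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), ticket["tag"]):
        raise PermissionError("ticket was not issued under a key this party trusts")
    return json.loads(body)


class KDC:
    def __init__(self, realm: str, principal_keys: Dict[str, bytes],
                 interrealm_keys: Dict[str, bytes], parent: Optional[str]) -> None:
        self.realm = realm
        self.keys = principal_keys      # long-term keys: "krbtgt" plus the services of this realm
        self.trusts = interrealm_keys   # neighbouring realm -> shared inter-realm key
        self.parent = parent            # next hop when the target realm is not a direct neighbour

    def as_exchange(self, client: str) -> dict:
        """AS_REQ/AS_REP at the home realm: a TGT sealed under this realm's krbtgt key."""
        if client not in self.keys:
            raise PermissionError(f"{client} is not a principal of {self.realm}")
        return seal(self.keys["krbtgt"], {"client": f"{client}@{self.realm}", "for": self.realm,
                                          "exp": time.time() + TICKET_LIFETIME})

    def tgs_exchange(self, tgt: dict, service: str, target_realm: str) -> Tuple[str, dict, Optional[str]]:
        """TGS_REQ/TGS_REP. Accepts a TGT from this realm or a referral TGT from a trusted neighbour.
        Returns ("service", ticket, None) or ("referral", next_tgt, next_realm)."""
        claims = None
        for key in [self.keys["krbtgt"], *self.trusts.values()]:
            try:
                claims = unseal(key, tgt)
                break
            except PermissionError:
                continue
        if claims is None or claims["for"] != self.realm or claims["exp"] < time.time():
            raise PermissionError(f"{self.realm} KDC: TGT rejected")
        base = {"client": claims["client"], "session": os.urandom(8).hex(), "exp": time.time() + TICKET_LIFETIME}
        if target_realm == self.realm:
            if service not in self.keys:
                raise PermissionError(f"{service} is not a service of {self.realm}")
            return "service", seal(self.keys[service], {**base, "service": f"{service}@{self.realm}"}), None
        next_hop = target_realm if target_realm in self.trusts else self.parent
        if next_hop is None:
            raise PermissionError(f"{self.realm} KDC: no trust path to {target_realm}")
        return "referral", seal(self.trusts[next_hop], {**base, "for": next_hop}), next_hop


def access_service(client: str, home: str, service: str, target_realm: str,
                   kdcs: Dict[str, KDC]) -> Tuple[dict, List[str]]:
    """Client side of the deck's flow: AS exchange at home, then TGS referrals hop by hop."""
    log = [f"AS_REQ {client} -> {home} KDC"]
    tgt, current = kdcs[home].as_exchange(client), home
    while True:
        kind, ticket, nxt = kdcs[current].tgs_exchange(tgt, service, target_realm)
        if kind == "service":
            log.append(f"TGS_REP {current} KDC: service ticket for {service}@{target_realm}")
            return ticket, log
        log.append(f"TGS_REP {current} KDC: referral TGT for {nxt}")
        tgt, current = ticket, nxt


def server_accepts(service_key: bytes, ticket: dict, expected_client: str) -> bool:
    """AP_REQ at Bob: validated with Bob's own key; no KDC is contacted at access time."""
    try:
        claims = unseal(service_key, ticket)
    except PermissionError:
        return False
    return claims["client"] == expected_client and claims["exp"] > time.time()


def build_forest() -> Tuple[Dict[str, KDC], Dict[str, bytes]]:
    """Constructed forest: NE and NW are children of ROOT and share no direct key, so a ticket
    from NE has to travel NE -> ROOT -> NW, as in the deck's diagram."""
    k = {n: os.urandom(32) for n in ("juser", "bob", "krbtgt_ne", "krbtgt_nw", "krbtgt_root", "ne_root", "nw_root")}
    kdcs = {
        "NE": KDC("NE", {"krbtgt": k["krbtgt_ne"], "juser": k["juser"]}, {"ROOT": k["ne_root"]}, "ROOT"),
        "ROOT": KDC("ROOT", {"krbtgt": k["krbtgt_root"]}, {"NE": k["ne_root"], "NW": k["nw_root"]}, None),
        "NW": KDC("NW", {"krbtgt": k["krbtgt_nw"], "bob": k["bob"]}, {"ROOT": k["nw_root"]}, "ROOT"),
    }
    return kdcs, k


def direct_hop_rejected(kdcs: Dict[str, KDC]) -> bool:
    """An NE TGT shown straight to the NW KDC is refused: NW holds no key that vouches for it."""
    try:
        kdcs["NW"].tgs_exchange(kdcs["NE"].as_exchange("juser"), "bob", "NW")
        return False
    except PermissionError:
        return True
```

Running `access_service("juser", "NE", "bob", "NW", kdcs)` on `build_forest()` produces a four-entry log (AS exchange at NE, referral to ROOT, referral to NW, service ticket) that maps onto the deck's steps 1-6, and `server_accepts` is step 7 from Bob's point of view. The `direct_hop_rejected` check shows why the transitive trust through the parent realm is needed: the NW KDC only honours tickets sealed under its own krbtgt key or an inter-realm key it actually shares.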

Security Properties

- Authentication: verifying the source
- Integrity: data arrives as it was shipped
- Confidentiality: encryption
- Anti-Replay: elusive algorithms
- Non-Repudiation: once a packet has been sent, the source cannot deny sending it

IP Security

- Network level; authentication; transparent; application independent; data integrity; confidentiality
- Open industry standard; interoperable; extends to VPNs

IP Security Policy

- Defines type and level
- Negotiation Policy: defines if a computer will request, respond or require IPSec
- Filters: define additional restrictions when communicating via IPSec
- Security Policy: defines which computers will communicate via IPSec
- Options: Responder - will only communicate with IPSec when requested; Initiator - will request IPSec communication, but will talk in the clear; Lockdown - will only communicate via IPSec

IPSec: Policies and Rules

Each IP Security Policy consists of rules. A rule includes the following:
- IP filter settings
- Negotiation policies
- Authentication methods
- IP tunnel settings
- Connection types

IPSec: Available Protection Services

- Integrity algorithms: HMAC-MD5 (MD5: 128-bit key); HMAC-SHA (SHA-1: 160-bit key)
- Confidentiality algorithms: 40DES (40-bit key); 3DES (56-bit key with triple encryption); DES-CBC (56-bit key with replay prevention)
- Security protocols for data and identity protection services: AH - identity protection with authentication, integrity and anti-replay services; ESP - integrity and confidentiality services

Public Key Infrastructure

Windows 2000 PKI: Cryptography, Keys, Certificates, Microsoft Certificate Server

Public Key Security Components

[Diagram: layered architecture - Applications (Smartcard Interfaces, Authenticode, Certificate Management Services, Network APIs, Secure Channel, File I/O, EFS) over CryptoAPI and Message Standards (PKCS), over Crypto Services, over the CSPs (Reader Device Driver, Hardware CSP, RSA Base CSP)]

PKI - Cryptography & Keys / Digital Certificates

[Diagram: the SENDER encrypts DATA with the Recipient's Public Key, taken from the Recipient's Digital Certificate (User Name, Serial Number, Public Key, Expires MM/DD/YY), producing Encrypted Data; the Recipient runs the algorithm with the Recipient's Private Key to recover DATA. The certificate is issued by a Certificate Authority / Certificate Server]

Certificate Server

- Internet Services - Certificate Server
- Users may request X.509 certificates
- Independent of Active Directory
- Standards support: PKCS #10, PKCS #7, X.509 v.1 & v.3
- Key Management

Certificate Authorities

- Enterprise CA: Corporate Root or Subordinate; Active Directory policy & publishing
- Stand Alone CA: Root issues to external CAs; Subordinate may trust an Internal Stand-alone Root CA or an External Root Authority (Verisign etc.)

When To Use Certificates? PKI Usage

- Remote access authentication
- L2TP/IPSec tunnel; IPSec tunnel
- Interoperability with other systems
- Specialized enterprise network security: to establish an IPSec trust group for a smaller group than the domain; to establish an IPSec trust group for computers across untrusted domains
- PKI: Client Authentication, Code Signing, Smart Card Logon, Remote Access Application, Secure e-mail
- PKI Usage: VPN Solutions

PKI - Client Authentication

- Uses HTTPS for Internet Information Server
- EAP/TLS for Remote Access Services (RAS)
- LDAP over SSL for Directory Services
- Authentication of non-Windows 2000 users

VPN

- Use PPTP for client tunneling
- Use IPSec/L2TP for LAN to WAN access
- Tunneling clients and servers: Windows NT 4.0, Windows 2000 - PPTP/L2TP; Windows 95 and Windows 98 - PPTP only

IPSec Usage Planning - Summary

- IP Security, LAN to WAN communication over a public network: IPSec and ISAKMP; IPSec/L2TP
- Client to Server communication over a public network (POTS/ISP): PPTP; IPSec/L2TP

PKI Deployment Considerations

- Trust relationships between Certification Authorities and domains
- CA hierarchies and domain topology
- Certificate enrollment/renewal methods for users and machines
- CRL publication frequency
- Code signing process
- Smart card hardware

Planning - Summary

- Plan the scope of PKI usage: specific or global usage
- Plan the certificate hierarchy: CA Root, mappings, and certs
- Plan IPSec: scope, policies and capacity
- Plan Kerberos: trusts, extensions

Security - Summary

- Server Roles, Security Policies, Rights and Permissions, Inheritance, Access Control, Delegated Administration
- Security is the balance between providing easy access and protecting valuable data
- Various types of security in Windows 2000: Kerberos, PKI, IPSec, Certificate Authorities, Security Configuration Editor, Policy based security