comp3123 internet security
Download
Skip this Video
Download Presentation
COMP3123 Internet Security

Loading in 2 Seconds...

play fullscreen
1 / 42

COMP3123 Internet Security - PowerPoint PPT Presentation


  • 72 Views
  • Uploaded on

COMP3123 Internet Security. Richard Henson University of Worcester October 2011. Week 4 Access Controls: Network Directories & the PKI. Objectives: Explain the components of a network directory service

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' COMP3123 Internet Security' - naasir


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
comp3123 internet security

COMP3123 Internet Security

Richard Henson

University of Worcester

October2011

week 4 access controls network directories the pki
Week 4 Access Controls: Network Directories & the PKI
  • Objectives:
    • Explain the components of a network directory service
    • Explain how the use of security policies can help prevent network internal security breaches
    • Analyse Windows active directory and compare it with an x500 standard service
    • Prepare a Windows active directory tree with two contiguously named domain controllers
network directories
“Network Directories”
  • Directories not to be confused with “folders”…
    • generally a data store that changes only infrequently…
      • e.g. a telephone directory
    • to avoid confusion, computer-based directories also called “repositories”
  • Lots of different “network databases” have evolved on the web
    • not a good idea!
    • often contain approx. the same info...
    • Problem: one updated, all should be
      • but unlikely in practice unless a managed solution
meta d irectory
Meta-Directory
  • Simple idea of putting all information about any one entity or object in one place…
    • information about those entities and objects can then be presented in a consistent way
    • simplifies collection and distribution of info on an Intranet covering the whole organisation
  • Examples of Directory-enabled applications
    • enforce network policies!
      • across the network
      • between networks
    • digital signature verification
    • remote dial-in access authorization
    • signing in to a network
network directories the pki
Network Directories & the PKI
  • Needs to avoid multiple-directories problem…
  • Solution:
    • use the meta directory approach
    • provide digital certificate information on the web as a “directory service”
    • use LDAP applications to directly access that info
distributed directory
Distributed Directory
  • Another way of keeping entity information consistent if it does need to appear in multiple locations
    • entry may appear in multiple directories
      • e.g. one for each email system (if more than one)
      • e.g. one for gaining access to the network by logging on
  • Paper-based equivalent – series of telephone directories each covering a clearly define area
    • collectively cover a wide geographical region
    • serve a variety of purposes
    • all part of the same system for communication
  • Regular directory synchronisation essential for maintaining consistency of information
development of internet directories and iesg
Development of Internet Directories and IESG
  • IESG (Internet Engineering Steering Group) provides technical management of IETF activities
    • As approp, translate RFC proposals into RFC standards
  • Procedure:
    • draft RFC submitted
    • if accepted: IESG elevates it to RFC “draft” status
    • RFC then given consideration as a standard…
    • draft RFC eventually may become a true Internet standard
  • Example of successful evolution: x500 -> LDAP
x500 architecture
X500 Architecture
  • Internet database based on the OSI model
    • RFC 1006
    • allows OSI applications to run over an IP network
  • Full X500 Architecture:
    • DMD (directory management domain)
    • DSA (directory system agent)
    • DUA (directory user agents)
    • DIB (directory information base – object oriented!)
      • e.g.: a directory service database
    • DIT (directory information tree)
      • e.g.: Windows 2000 Active Directory
x500 protocols
X500 Protocols
  • DAP (Directory Access protocol)
  • DSP (Directory System protocol)
  • DISP (Directory Information Shadowing Protocol)
  • DOP (Directory operational binding management protocol)
  • Collectively, these protocols give X500 a wide range of functionality, but the structure is cumbersome…
simplifying x500 ldap
Simplifying X500 - LDAP
  • Known as Lightweight Directory Access Protocol
  • Thanks to University of Michigan Researchers, early 1990s
    • gave up on the complexities of X.500
    • came up with a scheme that:
      • retained the X.500 directory structure
      • gave it a streamlined access protocol based on standard TCP/IP instead of ISO
    • Other improvements:
      • pared-down referral mechanism
      • more flexible security model
      • no fixed replication protocol
microsoft and x500
Microsoft and x500
  • In 1996, Microsoft launched version 4 of its mailserver software, Exchange
  • Designed also to provide the infrastructure to enable DAP clients to access Microsoft Exchange directory service information…
    • client served as an X.500 DAP client to DAP-compliant directories
      • e.g. U.S. Government Defense Messaging System (DMS)
  • Also designed to manage table entries efficiently using a new obj oriented database engine called ESE (Extensible Storage engine)
microsoft and ldap
Microsoft and LDAP
  • Microsoft wanted to use X500 in its directory service planned for next version of NT
    • Like Michigan Uni, found X500 cumbersome, and adapted LDAP
  • Supporting the Open Directory Services Interface (ODSI), Microsoft helped build a PKI service provider (Verisign) that supports the LDAP protocol
    • allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces
    • Microsoft Exchange Server 4 supported LDAP
    • Internet Explorer supported LDAP from v4 onwards
ldap ese and active directory
LDAP, ESE, and Active directory
  • Windows 2000 “active directory” service was a successful commercial roll out of an X500 compliant directory service
    • used LDAP…
    • also used (uses) ESE to manage data tables
    • and DNS to integrate with www locations
  • Next version of Microsoft Exchange also used the ESE/LDAP/DNS combination…
directory services and active directory
Directory Services and “Active Directory”
  • Active Directory has just one data store, known as the directory
    • Stored as NTFS.DIT
      • where does “.dit” originate from?
    • distributed across ALL domain controllers (dcs)
    • links to objects on/controlled by each dc
    • changes automatically replicated to all dcs
    • Contains details of:
      • stored objects
      • shared resources
      • network user and computer accounts
directory services and domain trees
Directory Services and Domain Trees
  • Active Directory logically links domains together
    • very useful for networks with more than one domain
    • each domain is identified in the directory by a DNS domain name
  • Multiple domains with contiguous DNS domain names, make up adomain tree
    • if domain names are non-contiguous, structures form separate domain trees
trust relationships between legacy nt domains
“Trust Relationships” between (legacy) NT Domains
  • Account authentication between domains was first established in the Windows NT architecture
    • Allowed users and computers can be authenticated between any domains
  • Problem: Windows NT trust relationships were isolated and individual
active directory trust relationships
Active Directory Trust Relationships
  • Automatically created between adjacent domains (parent and child domains) in the tree
    • users and computers can be authenticated between ANY domains in the domain tree
  • So how does this all work securely in practice, across an entire enterprise????
access to network resources and security controls
Access to Network Resources and Security Controls
  • The set of security mechanisms used to define what a user can access after logging on to a secured environment
    • enforce “authorisation”
    • “identification” and “authentication” may also be associated with logging on
  • Effect includes:
    • access to systems & resources
    • interactions users can perform
mechanism of access control in windows
Mechanism of Access ControlIn Windows
  • User management level:
    • pre-defined Groups for Users to belong to
    • control of file and service access permissions
    • trusted relationships across domains
  • Translated down to system level by…
    • System Policies and Group Policies
    • Control of user and system desktop settings
control of end user and system settings
Control of End User and System Settings
  • In Windows, ultimately, controls user access through the local Windows registry
    • first made available to simplify configuration in Windows 95
      • effectively replaced CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI and WIN.INI by a single structure
    • all settings saved into a hierarchical data file called SYSTEM.DAT
  • Principles later extended to networks…
the local registry and windows networks
The local registry and Windows networks
  • Like Windows 95, Windows NT v4 allowed system and user settings to be configured locally by registry overwrite files
  • However, it also made it possible for files within a network to overwrite the local registry as well…
    • facility available on any Windows client machine that used a Windows registry
what is the registry
What is The Registry?
  • Five basic subtrees:
    • HKEY_LOCAL_MACHINE : local computer info. Does not change no matter which user is logged on
    • HKEY_USERS : default user settings
    • HKEY_CURRENT_USER : current user settings
    • HKEY_CLASSES_ROOT : software config data
    • HKEY_CURRENT_CONFIG : “active” hardware profile
  • Each subtree contains one or more subkeys
editing registry settings
Editing Registry Settings
  • Generally…. DON’T!!! Contents of the registry should not be changed in any way unless you really know what you are doing!!!
  • Special tools available e.g. REGEDT32 for those with experience:
    • used to edit local registry settings on Windows NT systems
    • Bearing in mind, however, that registry settings can also be overwritten in memory by data downloaded across the network…
system policy file
System Policy File
  • Consists of a collection of registry settings
  • Can apply different system settings to a computer, depending on the user or group logging on
  • Can overwrite:
    • local machine registry settings
    • current user registry settings
  • Should therefore only be used by those who know what they are doing!!!
system policy file1
System Policy File
  • NTCONFIG.POL
    • provides a list of desktop settings, and therefore can be used to control aspects of appearance of the desktop
    • held on Domain Controllers
    • read during logon procedure
  • Different NTCONFIG.POL files can be applied to:
    • groups
    • users
    • computers
what is a security policy
What is a Security Policy?
  • A set of rules and procedures that state the access rights and privileges of a particular user/group of users
  • Should also:
    • confirm the identity of the people that are attempting to access the network
    • prevent imposters from accessing, stealing, or damaging system resources
implementation of security policy
Implementation of Security Policy
  • Intention:
    • create a computing environment that provides users with all of the information and resources they need to be successful
    • protect the information and resources on the network from damage and unauthorized access
group policy in windows 2000 and subsequent networks
Group Policy in Windows 2000 (and subsequent) Networks
  • Group Policy settings
    • define access to local and network resources from the user\'s desktop environment:
    • e.g. Startmenu options
      • provide access to programs/resources that user needs to use
  • Group Policy Objects
    • used with authenticated users to enhance flexibility and scalability of security beyond “domains”, and “NT trusted domains”
    • trust achieved through:
      • Active directory – establishment of “trees”
      • Kerberos authentication
implementation of group policy objects
Implementation of Group Policy Objects
  • Group Policy objects are EXTREMELY POWERFUL…
    • contain all specified settings to give a group of users their desktop with agreed security levels applied
    • template editing tool available as a “snap-in” with Windows 2000
    • creates a specific desktop configuration for a particular group of users
  • The GPO is in turn associated with selected Active Directory objects:
    • Sites
    • Domains
    • organizational units
combined power of group policies and active directory
Combined Power of Group Policies and Active Directory
  • Enables written user/group policies to be easily implemented in software
  • Enables policies to be applied across whole domains:
    • beyond in trusted contiguous domains in the domain tree
    • or even across any non-contiguous domains in the same forest
  • Because Active directory is x500 compliant, all the principles of directory services apply
authentication factors
Authentication Factors
  • Classified as type 1, type 2, or type 3:
  • Type 1: Knowledge based (what user knows)
    • information provided based on unique knowledge of the individual being authenticated
  • Type 2: Token based (what user has/does)
    • information comes from a token generated by a particular system
    • token is tied in some way to the user logging on
    • generally not considered a good idea on its own because someone else could have stolen/copied it
  • Type 3: Characteristic based (what user is)
    • biometric data from the person logging in
one time passwords otp
One time Passwords (OTP)
  • Can only be used once…
    • If user gets it wrong, becomes invalid…
      • locked out
      • has to contact administrator to reset
  • Implemented as a type 2 factor
    • password characters randomly generated
  • If used properly…
    • very secure indeed
    • problem: degree of randomness…
single sign on sso
Single Sign On (SSO)
  • Logon once…
    • authenticated for all servers in that environment
  • More a convenience matter than a security issue
    • only one set of authentication factors needed
    • single username/authentication factor database covering all servers
  • SOME very secure environments have dropped SSO in favour of separate logon for each server
    • arguable whether this is necessary but avoids the “all eggs in one basket” argument
password administration
Password Administration
  • Three aspects:
    • Selection
      • should be a company IS policy that includes choice of password
      • generally no. of characters is a good match with strength – the higher the better
    • Management
      • selection & expiration period must comply with policy
    • Control
      • policy should be enforced by the network itself
      • usually achieved through use of “group policies”
access control techniques
Access Control Techniques
  • Discretionary (DAC)
    • access to files/resources controlled by administrator
    • Achieved through ACLs (Access Control Lists)
      • consist of ACEs (Access Control Entries)
    • the granting of access can be audited
  • Mandatory (MAC)
    • access dependent on rules/classifications
    • classification dependent on security clearance levels
    • hierarchical or compartmentalised, or hybrids
remote logon and kerberos authentication
Remote Logon and Kerberos Authentication
  • KDC can maintain a secure database of authorised users,passwords & domain names maintained throughout an active directory domain tree using Kerberos V5 security protocol
    • uses strong encryption
    • freely available from its inventor, MIT
  • Active Directory + Kerberos = Very Powerful combination
    • can even be used to authenticate across mobile & wireless networks
components of enterprise wide login with kerberos authentication
Components of “Enterprise wide” Login with kerberos authentication
  • Active Directory tree logical connects and “trusts” servers throughout the enterprise
  • Servers in their turn control access to users within domains
  • Group(s) selected during the user authentication process
  • Group Policy Objects invoked which rewrite registry settings and control client desktops
how much security should be applied to domain users
How much security should be applied to domain users?
  • General rule: don’t give a user more rights than they actually need
  • Think carefully…
    • identify security privileges appropriate to different types of user
    • create a group based on each type of user
  • Allocate each new user to an appropriate group
    • automatically will have appropriate access rights…
users groups security and ntfs partitions
Users, Groups, Security, and NTFS partitions
  • Any file or folder on an NTFS partition will have file permissions imposed
  • Typical permissions:
    • No Access
    • Read only
    • Read and Execute
    • Write
    • Modify
    • Ownership/Full Control
  • Much wider range of permissions available
point for debate is read only access dangerous
Point for debate: is “read only” access dangerous?
  • If information held on server, and accessed by dumb terminals…
    • secure enough!
    • this was the case in the days of centralised networks with no distributed processing
  • With client-server networking, read only means “the user can take a copy”
    • is this dangerous, from an organisational security point of view?
what if the network goes wrong accountability
What if the network goes wrong? Accountability
  • The broad security concept of being able to hold a human to account for their actions using …
    • a strong authentication environment so one user cannot masquerade as another
    • strict imposition of “least privilege”
    • regular monitoring of the network environment
    • rigorous inspection of audit logs
what if the network goes wrong auditing
What if the network goes wrong? Auditing
  • Essential component of security monitoring
  • A network can generate lots of data on a wide variety of network functions and results they return
  • this is readily customisable to focus on, for example, the behaviour of particular users or resources
    • data normally saved as timestamped .log files
    • audit files help to ensure accountability for user behaviour
ad