70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.


Slide 1: 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Chapter 9: Active Directory Authentication and Security

Slide 2: Objectives
Guide to MCSE 70-294, Enhanced
  - Describe security principals and how they are identified
  - Describe the user authentication process in an Active Directory domain using the NTLM and Kerberos authentication protocols
  - Demonstrate the use of DACLs to control access to objects in Active Directory

Slide 3: Objectives (continued)
  - Demonstrate the use of SACLs to control auditing of objects in Active Directory
  - Describe how network resources can be protected using security based on Active Directory

Slide 4: Security Principals
  - User object
  - inetOrgPerson object
  - Computer object
  - Security group object
  - Each has a SID, which the Windows security subsystem uses to identify the security principal

Slide 5: Security Identifiers
  - Stored as an attribute with a binary value
  - Specifies the SID of the user object
  - Unique value used to identify the user as a security principal
  - Can be written in a number of formats:
    - Hexadecimal notation
    - Security Descriptor Definition Language (SDDL)

Slide 6: Security Descriptor Definition Language (SDDL)
  - Begins with S
  - Followed by three to seven numbers, separated by hyphens:
    - First number is the revision level of the SDDL format
    - Next is the identifier authority
    - Next are the subauthority identifiers
  - "Well-known" SIDs identify certain users or groups and are recognized by the OS

Slide 7: Domain and Relative Identifiers
  - Domain identifier
    - Calculated when the domain is created
    - Three 32-bit numbers
    - Guaranteed to be unique
  - Relative Identifier (RID)
    - 32 bits
    - Identifies an object within the domain
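The SID layout described on slides 5 to 7 (binary attribute value, SDDL string form, identifier authority and subauthorities, domain identifier plus RID) is easy to check with a small parser. The following Python is an added example written for this page, not code from the course or from Microsoft; the well-known SIDs and RIDs in the tables are real values, while the domain SID used as input is a constructed sample.

```python
import re
import struct

# A few of the well-known SIDs the OS recognizes (real values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Well-known RIDs that every domain assigns to the same built-in accounts (real values).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

MAX_SUBAUTHORITIES = 15          # hard limit of the binary SID structure
SDDL_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sddl):
    """Split an SDDL-form SID ("S-1-5-21-...") into (revision, authority, subauthorities)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL SID: %r" % sddl)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48 or len(subs) > MAX_SUBAUTHORITIES or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range: %r" % sddl)
    return revision, authority, subs


def describe_sid(sddl):
    """Classify a SID: well-known, or a domain SID split into domain identifier and RID."""
    _, authority, subs = parse_sid(sddl)
    info = {"well_known": WELL_KNOWN_SIDS.get(sddl), "domain": None, "rid": None, "rid_name": None}
    # Domain SIDs are S-1-5-21-<three 32-bit numbers>; a fifth subauthority is the RID.
    if authority == 5 and len(subs) >= 4 and subs[0] == 21:
        info["domain"] = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        if len(subs) == 5:
            info["rid"] = subs[4]
            info["rid_name"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def sid_to_binary(sddl):
    """Binary layout: revision (1 byte), subauthority count (1 byte),
    identifier authority (6 bytes, big-endian), subauthorities (4 bytes each, little-endian)."""
    revision, authority, subs = parse_sid(sddl)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(blob):
    """Inverse of sid_to_binary; this binary form is what the objectSid attribute holds."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its subauthority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    # Constructed sample: a domain SID whose RID 512 is the Domain Admins group.
    sample = "S-1-5-21-1004336348-1177238915-682003330-512"
    print(describe_sid(sample))
    print(sid_to_binary(sample).hex())
```

Running the script prints the domain identifier and RID of the sample and its hexadecimal binary form, the same two notations the slide lists. The range checks matter in practice: an SDDL string that parses but would not fit the binary structure is rejected rather than silently truncated.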

Slide 8: Access Tokens
  - Contains several important pieces of information:
    - User's SID
    - SID for every group of which the user is a member
  - Security subsystem examines the user's access token and determines whether the user, or one of the groups of which the user is a member, has access to the resource
  - Generated based on the authentication protocol used

Slide 9: Activity 9-1: Access Tokens
  - Objective: View the contents of an access token
  - Use the whoami command to view the access token

Slide 10: Permissions and Rights
  - Used to control access on a system
  - Permissions
    - Rules associated with an object
    - Define which users can gain access to the object
    - Define what actions users can perform on the object
  - Rights
    - Define what tasks or operations a user can perform on a computer system or domain

Slide 11: Active Directory Authentication
  - Authentication methods used in Windows Server 2003:
    - NT LAN Manager (NTLM)
    - Kerberos

Slide 12: NTLM Authentication
  - Supported for backward compatibility, for Windows NT 4.0 client computers
  - Not the primary means of authentication in Windows Server 2003
  - Based on an older authentication protocol called LAN Manager

Slide 13: NTLM Authentication Example (diagram)

Slide 14: NTLM Issues
  - Each time a user wants to access a resource, the user must be reauthenticated by a domain controller
  - Only provides client authentication
  - Easy to capture the NTLM challenge and use hacking tools to discover the password

Slide 15: Kerberos Authentication
  - Default protocol for network authentication for all Windows Server 2003 computers
  - Components:
    - Security principal requesting access
    - Key Distribution Center (KDC)
    - Server holding the resource or service being requested

Slide 16: Kerberos Authentication (continued)
  - KDC services:
    - Authentication Service
    - Ticket-granting Service
  - Authentication Service
    - Issues a ticket-granting ticket (TGT) to the user when first authenticated during a successful logon
    - The TGT allows the user to request session tickets

Slide 17: Kerberos Authentication (continued)
  - Authentication Service
    - The ticket-granting ticket (TGT) is valid for 10 hours
  - Ticket-granting Service
    - The TGT is submitted to the Ticket-granting Service on the KDC
    - Sends two copies of the session ticket back to the user's machine
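Slides 15 to 17 describe the two KDC exchanges in words; the simulation below walks through them end to end: the Authentication Service issues a TGT the client cannot read, the client presents that TGT to the Ticket-granting Service, and two copies of the session ticket come back, one for the client and one only the service can open. This is an added example written for this page, not code from the course or a Kerberos implementation. The "encryption" is a constructed stand-in built from SHA-256 and HMAC so the script runs offline, the principal names and secrets are made up, and `TGT_LIFETIME` is the 10-hour value the slide gives.

```python
import hashlib
import hmac
import json
import os

TGT_LIFETIME = 10 * 3600            # seconds: the deck states a TGT is valid for 10 hours
NONCE, TAG = 16, 32


def derive_key(secret):
    """Toy long-term key from a password or service secret (stand-in for Kerberos string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key, nonce, length):
    blocks = (length // 32) + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))


def seal(key, message):
    """Toy authenticated encryption: XOR with a hash keystream, then an HMAC tag.
    A constructed stand-in for the Kerberos encryption types; do not reuse it elsewhere."""
    plain = json.dumps(message).encode()
    nonce = os.urandom(NONCE)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag first, so a wrong key (e.g. a wrong password) fails before anything is decoded."""
    nonce, body, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(p ^ s for p, s in zip(body, _keystream(key, nonce, len(body)))).decode())


class KDC:
    """Runs the Authentication Service (AS) and the Ticket-granting Service (TGS)."""

    def __init__(self, principals):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.tgt_key = os.urandom(32)   # only the KDC can open a TGT

    def authentication_service(self, user, now):
        """AS exchange: the TGT is sealed with the KDC's key; the reply is sealed with the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"user": user, "session": session, "expires": now + TGT_LIFETIME})
        return seal(self.keys[user], {"session": session, "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt, authenticator, service, now):
        """TGS exchange: returns two copies of the session ticket, one readable by the client
        (sealed with the TGT session key) and one readable only by the service (sealed with its key)."""
        body = unseal(self.tgt_key, tgt)
        if now > body["expires"]:
            raise PermissionError("TGT expired; the user must log on again")
        session = bytes.fromhex(body["session"])
        if unseal(session, authenticator)["user"] != body["user"]:
            raise PermissionError("authenticator does not match the TGT")
        svc_session = os.urandom(32).hex()
        client_copy = seal(session, {"service": service, "session": svc_session})
        service_ticket = seal(self.keys[service], {"user": body["user"], "session": svc_session})
        return client_copy, service_ticket


def client_logon(kdc, user, password, now):
    """Initial logon: open the AS reply with the key derived from the password and keep the TGT."""
    reply = unseal(derive_key(password), kdc.authentication_service(user, now))
    return {"user": user, "session": bytes.fromhex(reply["session"]), "tgt": bytes.fromhex(reply["tgt"])}


def client_request_service(kdc, creds, service, now):
    """Present the TGT plus a fresh authenticator; get the service session key and the ticket to forward."""
    authenticator = seal(creds["session"], {"user": creds["user"], "time": now})
    client_copy, ticket = kdc.ticket_granting_service(creds["tgt"], authenticator, service, now)
    return bytes.fromhex(unseal(creds["session"], client_copy)["session"]), ticket


# Constructed sample principals: a user and a file service, with their secrets.
SAMPLE_PRINCIPALS = {"alice": "correct horse battery", "cifs/fileserver": "service-secret-42"}


def run_demo(password="correct horse battery", elapsed=0):
    """Full flow; returns (user the service sees, whether both sides hold the same session key)."""
    kdc = KDC(SAMPLE_PRINCIPALS)
    t0 = 1_000_000
    creds = client_logon(kdc, "alice", password, t0)
    svc_session, ticket = client_request_service(kdc, creds, "cifs/fileserver", t0 + elapsed)
    seen = unseal(derive_key(SAMPLE_PRINCIPALS["cifs/fileserver"]), ticket)   # the service opens its copy
    return seen["user"], bytes.fromhex(seen["session"]) == svc_session


if __name__ == "__main__":
    print(run_demo())
```

Two failure modes worth noticing: a wrong password never reaches the KDC's records at all, because the client simply cannot open the AS reply; and once the 10-hour lifetime has passed the TGS refuses the TGT, which is why a user with a long-running session eventually has to log on again. The difference from the NTLM issue on slide 14 is also visible: after the single AS exchange, no further contact with the user's password is needed to reach each new service.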

Slide 18: Kerberos in Action (diagram)

Slide 19: Down-level Client Authentication
  - Older, pre-Windows 2000 clients are referred to as down-level clients
  - They create a security concern
  - Directory Services Client
    - Available as an add-on component for Windows 95/98
    - Enables these clients to use NTLMv2 on a Windows 2000/2003 network

Slide 20: Two-factor Authentication
  - Factors that help identify you for authentication:
    - Something you know
    - Something you have
    - Something you are
  - The more of these factors used, the more secure the resource is
  - Increase the security of a network or computer system by introducing a second factor; this is called two-factor authentication

Slide 21: Public Key Infrastructure for Authentication with Smart Cards
  - Active Directory supports the use of smart cards as part of a Public Key Infrastructure (PKI)
  - Cryptography terms:
    - Symmetric keys
    - Public key cryptography
    - Private/public key pair
    - X.509 digital certificate

Slide 22: Public Key Infrastructure for Authentication with Smart Cards (continued)
  - Use Active Directory as a repository for X.509 certificates
  - Smart card:
    - Provides nonvolatile memory that stores the owner's certificate and private key
    - Has a small amount of computing power to perform, on the card itself, the encryption and decryption that require the private key

Slide 23: Public Key Infrastructure for Authentication with Smart Cards (continued)
  - Use smart cards and certificates to increase the security of the Windows authentication process
  - The system uses the user's private key; the KDC employs the user's public key to decrypt it
  - Can configure the domain to require smart cards for logons:
    - Can make them optional
    - Can require them for some users but not others

Slide 24: Active Directory Authorization
  - Used to determine what actions a user can or cannot do
  - Discretionary access control list (DACL), defined as: "an access control list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object"

Slide 25: Discretionary Access Control List (DACL)
  - Associated with resources
  - List of access control entries (ACEs)
    - Each specifies a "who" and a permission
    - Can be very specific
    - Allows or denies access
  - If no match is found between the access token and the DACL, access is not permitted

Slide 26: Discretionary Access Control List (DACL) (continued)
  - Most access control entries allow access
  - Deny ACEs are used to change the effect of permissions that a user would otherwise have as a member of a group
  - The owner of an object can always gain access to the object by resetting its permissions
  - The owner of most Active Directory objects is the Domain Admins group

Slide 27: Inheritance
  - Permissions can be inherited from parent objects; this is referred to as inheritance
  - Each ACE is marked to indicate whether it is directly applied or inherited

Slide 28: Groups in Security
  - Security group: a container object used to organize a collection into a single security principal
  - Can contain:
    - Users
    - Computers
    - Other groups
  - Simplifies administration by assigning rights and permissions to the group rather than to individual users

Slide 29: Groups in Security (continued)
  - There is no good reason to grant rights and permissions explicitly to individual users

Slide 30: Delegation of Control
  - Giving data owners the ability to manage their own objects
  - To delegate control:
    - Organize the directory so that all objects in an organizational unit have the same data owner
    - Use the Delegation of Control Wizard to create the appropriate ACEs in the DACL on the organizational unit
    - Allow them to be inherited by objects in the organizational unit

Slide 31: Activity 9-4: Using the Delegation of Control Wizard
  - Objective: Set the permissions on an organizational unit using the Delegation of Control Wizard
  - Follow the instructions to delegate control

Slide 32: Granular Control
  - Can delegate control with precision; an important part of the flexibility of Active Directory
  - The Advanced Security Settings dialog box in Active Directory Users and Computers has a tab to display effective permissions

Slide 33: Permission Types
  - Standard
    - Used for everyday tasks
    - Found on the main Security tab of an object
  - Special permissions
    - Represent the exact and granular permissions available
    - Can be very specific

Slide 34: Active Directory Auditing
  - System access control list (SACL)
    - Used for auditing object access
    - Very similar to DACLs

Slide 35: System Access Control List (SACL)
  - Same basic structure as a DACL
  - Determines whether access is audited
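Slides 8 and 24 to 27 give the access-check rules in prose (token SIDs matched against ACEs, deny entries overriding group allows, the owner always able to reset permissions, no match meaning no access, ACEs marked as inherited), slide 30 describes the ACEs a delegation of control adds to an OU, and slides 34 and 35 say a SACL has the same structure but decides what is audited. The code below is an added example for this page that models all of those rules together; it is not Microsoft's algorithm or any product code. The access mask bits are a subset of the real Windows rights, RID 512 for Domain Admins is real, and the domain SID, the help-desk group and the user accounts are constructed sample values.

```python
from dataclasses import dataclass, field, replace

# Access mask bits (a subset of the real Windows standard rights).
READ, WRITE, DELETE = 0x1, 0x2, 0x10000
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
FULL = READ | WRITE | DELETE | READ_CONTROL | WRITE_DAC


@dataclass
class ACE:
    kind: str                     # "allow", "deny" (DACL) or "audit" (SACL)
    sid: str                      # the "who"
    mask: int                     # the permission(s)
    inherited: bool = False       # directly applied, or flowed down from a parent
    audit_success: bool = False   # SACL entries: log when access is granted...
    audit_failure: bool = False   # ...and/or when it is refused


@dataclass
class Token:
    user_sid: str
    group_sids: list

    def sids(self):
        return {self.user_sid, *self.group_sids}


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list
    sacl: list = field(default_factory=list)


def canonical(aces):
    """Canonical order: explicit ACEs before inherited ones, denies before allows within each group."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(sd, token, desired):
    """Walk the DACL like the security subsystem: a matching deny on any still-wanted bit refuses,
    allows accumulate, and running out of ACEs without every bit granted refuses (no match => no access)."""
    principals = token.sids()
    granted = 0
    if sd.owner in principals:      # the owner can always read and rewrite the DACL
        granted |= (READ_CONTROL | WRITE_DAC) & desired
    for ace in canonical(sd.dacl):
        if ace.kind == "audit" or ace.sid not in principals:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return granted == desired


def audit_check(sd, token, desired, allowed):
    """Walk the SACL after the decision; return the audit records the attempt would generate."""
    records = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.sid not in token.sids() or not ace.mask & desired:
            continue
        if (allowed and ace.audit_success) or (not allowed and ace.audit_failure):
            records.append({"sid": token.user_sid, "mask": desired, "outcome": "success" if allowed else "failure"})
    return records


def inherit(parent, owner):
    """New child object: the parent's DACL and SACL entries flow down, each marked as inherited."""
    down = lambda aces: [replace(a, inherited=True) for a in aces]
    return SecurityDescriptor(owner, down(parent.dacl), down(parent.sacl))


# Constructed SIDs: a domain identifier, Domain Admins (RID 512 is real), and made-up users and groups.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_ADMINS, HELPDESK = DOMAIN + "-512", DOMAIN + "-1105"
ALICE, BOB, EVERYONE = DOMAIN + "-1104", DOMAIN + "-1106", "S-1-1-0"


def build_ou():
    """An OU owned by Domain Admins, with the ACE a delegation of control would add for a help-desk group."""
    return SecurityDescriptor(DOMAIN_ADMINS,
        dacl=[ACE("allow", DOMAIN_ADMINS, FULL), ACE("allow", HELPDESK, READ | WRITE)],
        sacl=[ACE("audit", EVERYONE, WRITE | DELETE, audit_success=True, audit_failure=True)])


def build_user_object():
    """A user object under the OU: inherits the OU's ACEs, plus an explicit deny for one account."""
    user = inherit(build_ou(), DOMAIN_ADMINS)
    user.dacl.append(ACE("deny", BOB, WRITE))     # explicit deny beats the inherited group allow
    return user
```

With these objects, a help-desk member can write the user object through the inherited OU permission, the account with the explicit deny cannot even though it is in the same group, an account that matches no ACE gets nothing, and a Domain Admins member can rewrite the DACL of an object whose DACL is empty because the group owns it. The SACL walk is the same matching logic, but its output is an audit record rather than a decision, which is the structural similarity slides 34 and 35 point at.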

Slide 36: Activity 9-7: Auditing Object Access
  - Objective: Create a SACL on an Active Directory object so that access to the object can be monitored
  - Part of this activity requires you to work with a partner
  - Follow the instructions to create a SACL

Slide 37: Auditing Event Categories
  - Audit account logon events
  - Audit account management
  - Audit directory service access
  - Audit logon events
  - Audit object access
  - Audit policy change
  - Audit privilege use
  - Audit process tracking
  - Audit system events

Slide 38: Protecting Network Resources
  - A number of other resources on the network also rely on Active Directory for security
  - They use DACLs
  - Objects:
    - NTFS
    - Printers
    - Shares
    - Registry keys

Slide 39: NT File System (NTFS)
  - Assigns a security descriptor to each object
  - Each object in the file system has:
    - Owner
    - DACL
    - SACL
  - NTFS DACL permissions relate to what users can do with files and folders

Slide 40: Standard File Permissions in NTFS (table)

Slide 41: Printers
  - Have a security descriptor with:
    - Owner
    - DACL
    - SACL
  - Standard permissions:
    - Who can print to the printer
    - Who can change printer settings
    - Who can manage documents

Slide 42: File Shares
  - A user must first be allowed access to the share, and then access to the file
  - Very few choices:
    - Allow or deny
    - Full Control
    - Change
    - Read
  - Use NTFS permissions to further restrict access to the folder

Slide 43: Registry Keys
  - Values stored in the registry control how the computer system operates
  - Each registry key has a typical Windows 2003 security descriptor with:
    - SACL
    - DACL
    - Specified owner

Slide 44: Other Applications
  - Many applications do not perform any authentication or authorization
    - Can be given access control by setting NTFS permissions on the executable files or directory
  - Some applications perform authentication and authorization internally
    - Can also gain added protection using NTFS permissions

Slide 45: Other Applications (continued)
  - More sophisticated applications often use Active Directory for authentication but provide their own authorization
  - A few applications use Active Directory for both authentication and authorization

Slide 46: Summary
  - SIDs work with ACEs in DACLs to control access to resources or objects, and with ACEs in SACLs to control auditing of resource use
  - DACLs are lists of ACEs used to define permissions
  - SACLs are lists of ACEs used to define auditing
  - Delegation of control refers to assigning permissions on Active Directory objects so that data owners can manage their own objects

Slide 47: Summary (continued)
  - The two primary user authentication methods in a Windows Server 2003 network are NTLM and Kerberos
  - Active Directory supports smart cards and X.509 certificates with extensions to the Kerberos protocol, enabling asymmetric encryption during the exchange
  - Other applications may use Active Directory for authentication, authorization, both, or neither

