COMP 3122 Network Management Richard Henson February 2012


Week 5 – Active Directory & Domain Security
• Objectives
  – Explain the essential features of a secure networked system
  – Use W2K3 group policies to implement network-wide security
  – Identify the weak links in a networked system and take steps to reduce/eliminate the possibility of unauthorised access

The Nature of Security within Networks
• Data held on a single workstation in an open office is unlikely to be truly secure
  – operating system itself may be secure…
  – still possible for the hard disk to be removed and the data extracted in a different environment!!
• Two protection issues to be addressed:
  – unauthorised system access
    » network configuration & monitoring
  – undesirable physical access
    » keeping people away… & locking it down…

Physical Security of the Network
• What to do with sensitive data
  – hold in an encrypted form
  – on a computer in a secure room
    » only network administrators can gain access
    » no chance of an outsider physically getting hold of the hard disk containing the data
  – in the highly unlikely event that an outsider/rogue insider did get hold of the data, they wouldn’t be able to make sense of it
• Data should also be backed up in another location in case of fire, earthquakes, etc.

Physical Security of copied data
• Typically on CD or memory stick
  – could also be removable hard disk
• Simple way to keep copied data secure:
  – password protection not enough…
  – use strong encryption over all files
    » previous, deleted data might still be accessible

Accessing Data on a Secure Computer
• Users should only be able to access organisational data via network from the server
• Even then, potential physical & system vulnerabilities:
  – physical security of data as it travels along a cable
  – unauthorised access to downloaded data
    » at rest on the client machine
    » whilst being accessed by an authorised user

Vodafone (and how not to do network security…)
• On the first Monday of March 2011, 100,000 people couldn’t use the Vodafone network
  – thieves broke into the operator's Basingstoke exchange and stole their switches (i.e. routers)
  – the police were quickly notified
• Vodafone noticed its own network collapsing
  – assembled its "War Room" which is supposed to deal with network outages
• It took 12 hours to fix the problem…
  – why was such critical kit so vulnerable?

User Responsibility
• Fundamental rule of any network:
  – all users MUST bear responsibility for data they access
  – should enter a signed agreement when they get their log on
• To support this, network software should make sure that:
  – users have appropriate access through allocation to groups
  – user activities can be monitored and logged
  – sufficient auditing is undertaken to scrutinise the activity of individual users…

Accessing Data on a Secure Computer
• Typical user errors:
  – giving other employees/outsiders their password
  – using an easily guessed password
• Typical administrator errors:
  – leaving username on display after log off
  – not enforcing long (8 character min, inc caps/lower, number, punct. mark) passwords
  – not ensuring that the downloaded data is physically no longer available once that user has logged off

Accessing Data on a Secure Computer
• Client machine MUST use an operating system that allows file/folder level security
• Suitable secure desktop file systems:
  – UNIX file system
  – NTFS
• Alternative is to use dumb terminals
  – no local storage
  – impossible to get at the electronic data from the client end

Accessing Data on a Secure Computer
• BUT even with a secure file system, other users could still see the screen!
• Even with no local storage:
  – the data will be displayed on a screen
  – with poor user technique:
    » data could even be left on the screen
    » the screen contents could be photographed by someone…
• Answer:
  – use screen savers that cut in very quickly when a mouse button is not being clicked

Printing or Emailing Accessed Data
• If someone has security rights to access the data, they will also be able to:
  – print it out
  – email it to someone else
• Anyone with such rights must therefore be completely trustworthy…

How File Systems Manage Security (revision?)
• Several different levels of permissions
• Particular folder permissions allocated to groups of users, starting from the root, e.g.
  – managers may have read, execute, and write
  – students may have read and execute only
• Files inherit the permissions of the folder that contains them
• Subfolders inherit the characteristics of the parent folder
• Inheritance can be overridden

Security Policy
• Responsibilities of network users and administrators need to be clearly defined as a matter of organisational policy
  – objective: ensure that AT ALL TIMES company data is only being accessed by an authorised user

Security Policies
• Define expectations for:
  – proper computer usage
  – procedures for preventing and responding to security incidents
• Can be imposed in two ways:
  – Local system policy
    » security policy file held on individual computers
  – Group policy
    » uses active directory to impose policy across the domain
    » not possible for computers running NT
    » not possible if partitions are formatted using FAT or FAT-32

Enforcement of Policy on Windows networks
• Local system policy
  – security policy file held on individual computers
• Group policy
  – uses active directory to impose policy across the domain
  – not possible for pre-Windows 2000 operating systems
  – not possible if partitions are formatted using FAT or FAT-32

Security Template Files
• “one I prepared earlier…”
  – quicker to customise to needs than start over…
• Implementation of security policy on
  – Individuals & groups on Windows networks
  – 600+ settings in Windows 2000, now many more…
• Stored as a text file (.inf)
  – predefined templates are “ready to use”, e.g.:
    » basic (default)
    » compatible (all applications still run)
    » secure
    » high (testing high security applications only)

Using Security Templates
• SAM (security accounts manager) crucial to setting up user security:
  – controls security during logon process
• During logon, security templates imported into the relevant SAM of:
  – each individual computer (system policy)
  – the domain controller of a Windows domain (group policy)

Analysing/Changing Local Security
• Templates & SAM combine:
  – default security configuration of the local computer compared with a configuration imported from a template
  – configuration then changed to become like the template
• Changes to template settings achieved by
  – GUI: security configuration “snap in”
• Or:
  – command line tool (secedit.exe)
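
The comparison step described on this slide, sketched as an added example (not part of the original slides and not Microsoft's tool): a template in .inf form is parsed and checked against the local configuration, and every setting that differs is reported. Both .inf texts and their values are constructed for illustration, and only the [System Access] and [Event Audit] sections are compared.

```python
import configparser

# Constructed template in the .inf layout of a Windows security template.
# Values are illustrative only. [Event Audit] values: 0 = none,
# 1 = success, 2 = failure, 3 = success and failure.
TEMPLATE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 1
AuditObjectAccess = 2
"""

# Constructed stand-in for the local computer's current configuration.
LOCAL_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountManage = 3
AuditPolicyChange = 0
"""

SECTIONS = ("System Access", "Event Audit")  # sections compared here

def parse_inf(text):
    """Read the compared sections of a template into nested dicts."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text)
    return {s: dict(parser[s]) for s in SECTIONS if parser.has_section(s)}

def analyse(template_text, local_text):
    """Return (section, setting, local value, template value) per mismatch."""
    template, local = parse_inf(template_text), parse_inf(local_text)
    findings = []
    for section, wanted in template.items():
        have = local.get(section, {})
        for key, value in wanted.items():
            current = have.get(key, "not configured")
            if current != value:
                findings.append((section, key, current, value))
    return findings

if __name__ == "__main__":
    for section, key, current, wanted in analyse(TEMPLATE_INF, LOCAL_INF):
        print(f"[{section}] {key}: local={current} template={wanted}")
```

A setting present in the template but absent locally is reported as "not configured", which is how a missing audit category shows up in the result.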

Implementing Policy
• Group Policy settings are really powerful
  – only administrators have access to manage these on a system or domain
• As with computer policy…
  – usually more convenient to edit an existing policy template than create a new one from scratch

Auditing Access to System/Network Resources
• Auditing - the process of tracking predefined events
• Many events can be tracked on a computer and computer network…
  – a record of each event is written to an “event file”
• Contents of a Windows network Audit record:
  – Action
  – User
  – Success or failure
  – Additional info
    » e.g. computer ID where event occurred/failed

Access to Audit Entries
• All recent Windows systems are capable of recording a wide range of events
  – saved in Security Event Log
  – as a structured text file
• Contents easily viewed
  – service called Event Viewer
  – available from menus

The Importance of Audit
• Essential in the case of:
  – network failure
  – server failure
  – breach of security
• Extremely useful for troubleshooting:
  – what failed
  – what went wrong
  – finding whose username was used to hack into the system
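
An added example (not part of the original slides) of reviewing audit records to find which username was involved in a suspected breach: it flags any account where a run of failed logons is followed by a success, then lists what that account did afterwards. The records are constructed and use the fields listed earlier (action, user, success or failure, computer); the CSV layout, the timestamp column and the threshold of 3 are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed audit records: action, user, success or failure, and
# additional info (the computer where the event occurred). The time
# column and CSV layout are assumptions; records are in time order.
SAMPLE_LOG = """\
time,action,user,result,computer
2012-02-06T08:59:10,Logon,asmith,Success,WS-014
2012-02-06T09:02:41,Logon,jbrown,Failure,WS-031
2012-02-06T09:02:49,Logon,jbrown,Failure,WS-031
2012-02-06T09:02:58,Logon,jbrown,Failure,WS-031
2012-02-06T09:03:20,Logon,jbrown,Success,WS-031
2012-02-06T09:10:05,Object Access,guest,Failure,WS-007
2012-02-06T09:15:30,Logon,asmith,Failure,WS-014
2012-02-06T09:15:42,Logon,asmith,Success,WS-014
2012-02-06T09:40:00,Policy Change,jbrown,Success,WS-031
"""

def review(log_text, threshold=3):
    """Flag accounts where >= threshold failed logons precede a success."""
    failures = defaultdict(int)      # consecutive failed logons per user
    flagged = []                     # (user, computer, failures, time)
    follow_up = defaultdict(list)    # later actions by a flagged user
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        if row["action"] != "Logon":
            if any(f[0] == user for f in flagged):
                follow_up[user].append((row["time"], row["action"]))
            continue
        if row["result"] == "Failure":
            failures[user] += 1
        else:
            if failures[user] >= threshold:
                flagged.append((user, row["computer"], failures[user], row["time"]))
            failures[user] = 0       # a successful logon resets the run
    return flagged, dict(follow_up)

if __name__ == "__main__":
    flagged, follow_up = review(SAMPLE_LOG)
    for user, computer, count, when in flagged:
        print(f"{user} on {computer}: {count} failures then success at {when}")
        print("  later activity:", follow_up.get(user, []))
```

The single mistyped password by asmith stays below the threshold, so only the jbrown sequence is reported, together with the policy change that followed it.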

What to Audit
• Audit files can grow very large, very quickly,
  – only essential information should be stored
• Examples:
  – Account logon
  – Account Management
  – Active Directory object access
  – Logon
  – Object access
  – Policy Change
  – Privilege Use
  – Process Tracking

Audit Policy
• Part of Information Security Policy
  – Again, implemented through Group Policy
• Planning:
  – which computers need events auditing?
  – which events to audit?
  – whether to audit success or failure (or both!)
  – whether to track trends of system usage?
  – when to schedule review of security logs?
• Set up:
  – security template for Group Policy

“File object” resources that can usefully be audited
  – “failure for read” operations
  – success and failure for delete
  – success and failure for:
    » change permissions
    » take ownership
  – success and failure of all operations attempted by “guests” group
  – file and folder access on shares

Auditing Access to Windows “print object” resources
• Reminder from last year…
  – Windows “printer” = printing management system
  – Print device = physical printer
• Auditing specified printers:
  – failure events for print operations on restricted printers
  – success and failure for full control operations
  – success events for delete so incomplete print jobs can be tracked
  – success and failure for change permissions and take control on restricted printers

Implementing an Audit Policy on a System
• Typical Policy Settings:
  – Password policy
  – Account Lockout policy
  – Audit policy
  – IP Security policy
  – user rights assignment
  – recovery agents for encrypted data

Local/Domain Security Policy
• Local:
  – available for all Windows 2000/XP/Vista/7 computers that are not domain controllers
• Domain:
  – local security settings still apply when users logged on locally
    » but may well be overridden by (typically) group policies received from domain controller(s), when logging on to the domain

Reminder… Active Directory


Where IS Active Directory?
• On each domain controller…
  – Schema (database…)
    » replicated/updated frequently
    » exact directory used set during installation:
      • By default: <drive letter>SYSVOL
    » group policy container (GPC) found here
  – Group policy settings (known as GPT)
    » the list (a long one…) of settings for a particular group policy, saved as a text file (also in SYSVOL, by default)

Policy Files & Tools for editing them
• Most important:
  – MMC (Microsoft Management Console)
    » control/administration of local policy/settings
  – GPMC (Group Policy Management Console)
    » control/administration of group policy objects

MMC
• Available via command line (type mmc)
• Create “console” files for system admin
  – user mode:
    » access existing MMC consoles to administer a system
  – author mode:
    » creation of new consoles or modifying existing MMC consoles

MMC “Security Configuration and Analysis” options
• “Analyse computer now”
  – full run down of the current settings (i.e. settings for the local machine)
  – way of checking the “local policy”
• “Select local policies”
  – lists of settings in categories
  – e.g. security settings
    » large number of settings
    » control security aspects of local policy
    » each setting can be set to either enabled, disabled, or not configured

AD Group Policies
• Combine GPC and GPT
  – resultant settings that can be applied to users across a whole domain…
  – very powerful, settings to be appropriate
    » goes beyond “merely” controlling local registry settings…
    » can include file settings
    » and application settings…

Effects of Combining Policies on the user…
• Policies applied during logon
  – combined effect of e.g. groupA, groupB, and groupC for particular users will depend on the order in which they are applied to local registry…
  – computer settings applied as well
• CAN GET VERY COMPLICATED!!!

Exploiting the Power of AD…
• The AD database covers all resources for the domain
• What about “enterprise networks”?
  – i.e. multiple domains in a “domain zone”
• Can group policies help control users across a domain zone?
  – each domain has its own AD “schema”/database
  – how can AD schemas interact to deliver user control across multiple domains?

Windows 2003 Server and Group Policy
• Administrators spent a lot of time setting up group policies for networks…
• e.g. Story of “Barking Eddie”
  – spent a whole two weeks manually documenting all the Group Policies for one company to fulfill their requirements
• Main Improvement with Windows 2003…
  – Microsoft tried to make life easier for administrators
  – introduced tools and wizards to ease management

“megatool” GPMC (Group Policy Management Console)
• One of 2003’s best features…
  – “contains a rich variety of tools for creating, editing, observing, modelling and reporting on all aspects of Group Policy”
    » ref: Anas (2009) “Getting started with GPMC”
• Also, unifies Group Policy management so a policy can be applied to domains across an AD forest

GPMC Integration of User Management Tools
• Administrators of earlier Windows networks needed multiple tools to do this:
  – Microsoft Active Directory Users and Computers
  – Delegation Wizard
  – ACL Editor
• Story of 'Barking Eddie' (continued…)
  – overlooked the availability of GPMC with W2K3
  – when told what it could do…
    » he appeared crestfallen…
    » later said that with GPMC he could have set up those same group policies that took him two weeks… in half an hour…

GPMC Features
• WMI filtering mechanism allows application of policies:
  – to a particular machine (assuming enough disk space)
• Options to backup, restore, import, and copy Group Policy Objects
• Simplified management of Group Policy-related security
• Reporting for GPO settings and Resultant Set of Policy (RSoP) data

Using GPMC, once installed
• Available from MMC
  – Standalone Snap-in dialog box
• Creating a custom console including GPMC:
  – select Group Policy Management option and click Add, click Close, OK
• Several sample scripts available
  – found in the %ProgramFiles%\GPMC\Scripts folder
    » use cscript.exe to execute
  – ScriptingReadMe.rtf file in the scripts folder

Rolling out a Group Policy
• Plan the Managed Network Environment:
  – consider various Common Desktop Management Scenarios
  – try them out using Group Policy Management Console
• Design a Group Policy Infrastructure
  – if domain tree, policies from one domain can be applied to another…
• Deploy Group Policy including Security Policy
  – is that what was anticipated?
  – rework as necessary…