Active Directory

Computers in organizations

Computers are linked together for communication and the sharing of resources. There is always a need to administer the computing facilities easily and centrally, for example to grant access to a computer, to give permission to use a printer, or to allow files in a certain folder to be read and written, and to ensure the security of the system.

Aims of Active Directory

- Enable users to find network resources easily
- Central and easy administration of users and resources in a domain
- Improve security by controlling access to resources and by the restrictions placed on user and computer configuration

Active Directory: What is it?

An implementation of LDAP directory services by Microsoft, for use primarily in Windows environments. It provides central authentication and authorization services for Windows-based computers, and allows administrators to assign policies, deploy software, and apply critical updates to an entire organization.

What is it

Active Directory stores information and settings relating to an organization in a central, organized, accessible database.

Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects.

What is it

It is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g. computers), services (e.g. e-mail) and users (user accounts and groups). AD provides information on the objects, organizes the objects, controls access and sets security.

Necessary components

- Domain controller(s): the central repository of the domain, which also provides access control
- DNS server, for locating resources
- Other computers (servers and workstations), added to the domain by the domain administrator

Protocols used

- Kerberos, for network authentication
- Lightweight Directory Access Protocol (LDAP), to provide the directory service (to get information about objects)

AD Structure

- Domain based
- Hierarchical tree structure
- Network resources are objects
- Containers are used for grouping
- Objects have attributes, which allow security to be built on them

Elements of AD

The object types shown in the diagrams: Domain, Organizational Unit, Group, User, Site, Computer, Print Queue, Contact, Policy, License Site.

AD as centre of network

Domain

Each AD must have at least one Domain Controller, which is the central management point of the system. The other computers and computing resources, including people (users), are joined to the AD by the administrator. The Domain Name System, as used on the Internet, is used to name the resources in the AD.

LDAP

The Lightweight Directory Access Protocol, or LDAP, is used to add, modify and delete information stored in Active Directory, as well as to query and retrieve data over TCP/IP.

LDAP is used as a source of information for authorization.

Information obtained from LDAP

Directory Services

Telecommunication companies introduced the concept of directory services to information technology and computer networking, as their understanding of directory requirements was well-developed after some 70 years of producing and managing telephone directories.

Directory Services

The X.500 protocol for directory services was created in the 1960s. X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack. LDAP is a lightweight alternative that uses the TCP/IP stack.

Application of Directory Service

- Part of the network OS
- Stores and organizes information about a computer network's users and network resources
- Acts as a central/common authority that can securely authenticate the system resources that manage the directory data

Examples: MS Active Directory, Sun Java System Directory Server, IBM Tivoli Directory Server

Domain Name System

- Domain name / IP address resolution system, used chiefly on the Internet
- A distributed system containing a number of root domain servers; each domain has its own domain server
- The domain name follows a certain structure, the namespace

AD and DNS

DNS domains are for finding resources. AD domains are for organizing resources. The two work together in AD.

AD and DNS work together

Entry in AD

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1234
mail: [email protected]
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

Search information in AD
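The entry above is in LDIF form, and the "Search information in AD" slides show a search tool being used against such entries. As an added example, not taken from the slides, the Python below parses a constructed LDIF file with two sample people into multi-valued attributes and evaluates a small subset of LDAP search filters against it; the names and numbers are sample data.

```python
import re
from collections import defaultdict

# Constructed LDIF in the shape of the slide's entry (sample data, not the slide's).
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1234
objectClass: inetOrgPerson
objectClass: person

dn: cn=Barbara Doe,dc=example,dc=com
cn: Barbara Doe
sn: Doe
objectClass: person
"""

def parse_ldif(text):
    """Return entries as dicts attr -> list of values (LDAP attributes are multi-valued)."""
    entries = []
    for block in text.strip().split("\n\n"):          # a blank line separates entries
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, filt):
    """Evaluate a subset of LDAP search filters: (attr=value), (attr=*), (&..), (|..), (!..)."""
    body = filt.strip()[1:-1]
    if body[0] in "&|!":
        subs = re.findall(r"\([^()]*\)", body[1:])   # operands; one nesting level suffices here
        results = [matches(entry, s) for s in subs]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])    # missing attribute -> no values
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def search(entries, base_dn, filt):
    """Subtree search: DNs under base_dn whose entry satisfies the filter (case-insensitive)."""
    base = base_dn.lower()
    return [e["dn"][0] for e in entries if e["dn"][0].lower().endswith(base) and matches(e, filt)]

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Searching with the base `dc=example,dc=com` and the filter `(&(objectClass=person)(givenName=*))` returns only John Doe, since Barbara's entry has no givenName.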

Structure in AD

Forest, Tree, Domain, Organizational Unit (OU), Group

Domain Tree

AD Forest

Used when a different namespace is required. The domains in a forest must share a common schema and a Global Catalog Server.

Organizational Unit

Contains the following units for easy management: Users, Computers, Groups, Printers, Applications, Security Policies, File shares.

Group Policy

Group Policies are rules to define user or computer settings for an entire group of users or computers at one time.

The settings that you configure are stored in a Group Policy Object (GPO), which is then associated with Active Directory containers such as sites, domains, or organizational units.

Group Policy

A policy can be applied to a Site, a Domain, or an Organizational Unit.

Group Policy

Many different aspects of the network, desktop, and software configuration environments can be managed through Group Policies: registry settings for both users and computers, file system permissions, Internet Explorer settings, registry permissions, software distribution, etc.

Group Policy

Group Policies are analyzed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically.

It can also be applied to offline computers and roaming users

Group Policy

Hundreds of settings can be defined. Each setting has three possible states: Not configured, Disabled, Enabled.

Group Policy

Multiple group policies can be created and distributed.

User and computer accounts can have more than one policy applicable to them, based on the site, domain, or OU they are in, their security groups, or any combination of these.

Property of Group Policy

- Policy settings are inherited by child containers
- A container can have multiple policies applied to it
- Which policy setting comes into effect depends on the precedence of the policy

Group Policy Processing Order: LSDOU

Local Computer Policy, then Site, then Domain, then OU (Organizational Unit), then sub-OU. The policy processed last takes precedence (wins).
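An added example, not from the slides, that works the LSDOU rule through: a constructed set of GPOs linked at each scope is resolved in processing order, so the last configured value wins while a Not configured setting leaves the earlier value in place. The GPO and setting names are made up for the illustration; a trail function shows every policy that touched a setting, which is what you want when troubleshooting why a setting has the value it has.

```python
from enum import Enum

class State(Enum):
    NOT_CONFIGURED = "Not configured"
    DISABLED = "Disabled"
    ENABLED = "Enabled"

# LSDOU: the order in which the client processes policy. Later scopes are processed last and win.
PROCESSING_ORDER = ["local", "site", "domain", "ou", "sub-ou"]

def effective_settings(linked_gpos):
    """linked_gpos: {scope: [gpo, ...]}, gpo = {"name": str, "settings": {setting: State}}.
    Returns {setting: (State, "scope:gpo name")}, i.e. which policy's value actually takes effect.
    A Not configured setting is skipped, so it never undoes what an earlier policy set."""
    effective = {}
    for scope in PROCESSING_ORDER:
        for gpo in linked_gpos.get(scope, []):          # several GPOs may be linked at one scope
            for setting, state in gpo["settings"].items():
                if state is State.NOT_CONFIGURED:
                    continue
                effective[setting] = (state, f"{scope}:{gpo['name']}")
    return effective

def policy_trail(linked_gpos, setting):
    """Every policy that mentions a setting, in processing order; the last configured one wins."""
    return [(scope, g["name"], g["settings"][setting].value)
            for scope in PROCESSING_ORDER for g in linked_gpos.get(scope, [])
            if setting in g["settings"]]

# Constructed policy set for a workstation in Kiosks, a sub-OU of Workstations (sample names).
LINKED_GPOS = {
    "local":  [{"name": "Local Computer Policy",
                "settings": {"AllowRemovableStorage": State.ENABLED}}],
    "domain": [{"name": "Default Domain Policy",
                "settings": {"AllowRemovableStorage": State.DISABLED,
                             "RequireScreenSaverPassword": State.ENABLED}}],
    "ou":     [{"name": "Workstation Baseline",
                "settings": {"AllowRemovableStorage": State.NOT_CONFIGURED,   # keeps the domain value
                             "RequireScreenSaverPassword": State.ENABLED}}],
    "sub-ou": [{"name": "Kiosk Lockdown",
                "settings": {"DisableTaskManager": State.ENABLED}}],
}

EFFECTIVE = effective_settings(LINKED_GPOS)
```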

Group Policy Management Tool

Downloadable from Microsoft, for easy management of group policy.

Logon procedure in AD

- The client makes an RPC and passes its configuration (domain membership, IP) to the Netlogon service
- Netlogon makes a query to the DNS server; the query is changed into an LDAP form
- The DNS server returns a list of domain controllers to the client
- The client sends its request to a domain controller

Authentication and Authorisation procedure

- The authentication request goes to the domain controller
- The domain controller verifies the credential using the Kerberos protocol
- AD gathers all group policy applied to the user and computer and returns a list of SIDs to the user's computer
- The LSA uses the SIDs to form an access token

Kerberos for authentication

Advantages of using Kerberos

- Central authentication, with service tickets for resources
- No need to authenticate with the resources one by one
- Saving of bandwidth
- The session key is encrypted together with a timestamp, which protects against eavesdropping and replay attacks
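The replay protection mentioned in the last point, as an added model that is neither the slides' content nor a real Kerberos implementation: a service-side replay cache that rejects an authenticator whose client timestamp lies outside the allowed clock skew, or that has already been presented. Encryption of the authenticator under the session key is assumed and not modelled, and the five-minute skew is a constant chosen here, not read from any KDC.

```python
from datetime import datetime, timedelta, timezone

# Kerberos tolerates a bounded clock difference between client and service; five minutes is
# the usual default. Modelled here as a constant, not read from any KDC configuration.
MAX_CLOCK_SKEW = timedelta(minutes=5)

class ReplayCache:
    """Model of the replay cache a Kerberos service keeps for authenticators it has accepted.

    The authenticator (client principal, client time, microseconds) travels encrypted under the
    session key, so an eavesdropper cannot forge a fresh one; a captured one that is replayed
    is caught because it is either outside the skew window or already in this cache."""

    def __init__(self, skew=MAX_CLOCK_SKEW):
        self.skew = skew
        self.seen = {}            # (client, ctime, cusec) -> when it was presented

    def _prune(self, now):
        # Entries older than the skew window can go: a replay that old fails the time check anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}

    def accept(self, client, ctime, cusec, now):
        """Return (accepted, reason) for an authenticator presented at service time `now`."""
        self._prune(now)
        if abs(now - ctime) > self.skew:
            return False, "clock skew too great"
        key = (client, ctime, cusec)
        if key in self.seen:
            return False, "replay"
        self.seen[key] = now
        return True, "ok"

def demo():
    """Constructed sequence: a fresh authenticator, its replay, a new one, a stale one,
    and the first one again long after the window (pruned from the cache, still rejected)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    return [
        cache.accept("john@EXAMPLE.COM", t0, 1, t0),
        cache.accept("john@EXAMPLE.COM", t0, 1, t0 + timedelta(seconds=30)),
        cache.accept("john@EXAMPLE.COM", t0, 2, t0 + timedelta(seconds=30)),
        cache.accept("john@EXAMPLE.COM", t0 - timedelta(minutes=10), 3, t0),
        cache.accept("john@EXAMPLE.COM", t0, 1, t0 + timedelta(minutes=20)),
    ]
```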

Authentication Protocol

- Windows NT: NT LAN Manager (NTLM), an aged protocol that is relatively easy to crack
- Windows 2000/2003: Kerberos

Content of Access Token

Shows identity and privilege: Name, SID of the user, SIDs of the groups the user belongs to, Logon SID (valid for a certain duration).

Content of Security Descriptor

- SID of the owner
- SID of the group (seldom used in Windows)
- DACL: entries of SID plus rights, with Deny entries on top
- System ACL

Request for use of network resources

The user’s request is authenticated by comparing the Access Token to the Security Descriptor of an object

(The SID on the access token is compared with the ACL on the Security Descriptor)

Use of Access token for authorisation
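An added example, not from the slides, of the comparison described above in simplified form: a token holding the user's SID and group SIDs is checked against a DACL whose deny entries sit on top, and a second function checks that ordering, because an allow placed before a deny pre-empts it. SIDs, right bits and group names are constructed; the real Windows access check has further rules (owner rights, generic mapping) that are left out.

```python
from dataclasses import dataclass

# Constructed right bits for the example; Windows' real access masks differ.
READ, WRITE, EXECUTE = 1, 2, 4

@dataclass
class ACE:
    kind: str     # "deny" or "allow"
    sid: str
    rights: int

@dataclass
class AccessToken:
    user_sid: str
    group_sids: set   # SIDs of the groups the user belongs to, gathered at logon

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: "list | None"   # ordered ACEs; None means "no DACL", [] means "empty DACL"

def is_canonical(dacl):
    """Deny ACEs must sit above allow ACEs, otherwise an early allow pre-empts a later deny."""
    return all(a.kind == "deny" or b.kind == "allow" for a, b in zip(dacl, dacl[1:]))

def access_check(token, sd, desired):
    """Compare the token's SIDs with the DACL, in order, as the slide describes.
    A matching deny on any right still wanted fails at once; matching allows accumulate
    until every desired right is granted. An empty DACL grants nothing; no DACL grants all."""
    if sd.dacl is None:
        return True
    sids = {token.user_sid, *token.group_sids}
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
        if remaining == 0:
            return True
    return remaining == 0

# Constructed SIDs (placeholder domain 21-1-1-1); Domain Users is RID 513 in every domain.
DOMAIN_USERS, FINANCE = "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1201"
JOHN = AccessToken("S-1-5-21-1-1-1-1104", {DOMAIN_USERS, FINANCE})
BARBARA = AccessToken("S-1-5-21-1-1-1-1105", {DOMAIN_USERS})
REPORTS = SecurityDescriptor(BARBARA.user_sid, [ACE("deny", FINANCE, WRITE), ACE("allow", DOMAIN_USERS, READ | WRITE)])
```

With this descriptor John (a Finance member) can read but not write the object, Barbara can do both, and the same two ACEs in the reverse order would let John write because the allow is reached first.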

AD at work

Active Directory Security

- Industry-standard secure protocols: Kerberos (authentication), LDAP over SSL (authorization), X.509 (certificate-based authentication), smart cards, Public Key Infrastructure (PKI)
- Domain trusts
- Security groups and permissions

AD and Certificates

A Certificate Authority can be installed within the AD to provide additional security such as using L2TP for remote VPN services

Enrollment to certificate can be easily done through a web browser

Samples of Group Policy

A package called Common Scenario, provided by Microsoft, contains sample policies for: Lightly managed, Mobile, Multi-user, App station, Task station, Kiosk.