W2k Security At FNAL
Transcript of the slide deck "W2k Security At FNAL"

Page 1: W2k Security At FNAL
Jack Schmidt, FNAL W2K Migration Working Group Chair
April 16

Page 2: Background
• W2K Migration working group
  – Existing NT4 Domain Admins and Division/Section representatives
  – Initially chartered to propose the domain design only, but presently implementing the design
  – Pressure to migrate, but also to do things right!

Page 3: Background
• win.fnal.gov
  – Top-level domain. Applies site-wide security policies.
  – Limited number of Administrators.
  – Contains no users or resources.
• fermi.win.fnal.gov
  – Child domain. Contains all users and most resources.
  – Limited number of Domain Administrators.
• ‘resource’.win.fnal.gov
  – Child domain(s). Controls systems, members of other critical systems.
  – No user accounts allowed.

Page 4: Lab Policy
• Kerberos authentication
• Domain Controllers are ‘critical systems’
• Centralized accounts/OU administration
• No shared accounts

Page 5: Authentication
• Kerberos and NTLMv2
  – 95/98/NT and non-domain W2K systems use NTLM
  – No ‘kerberos-only’ setting
• 2 central Kerberos servers
  – MIT
    • Can’t change password
    • Long incorrect-password timeout
  – Active Directory
    • 2-way trust

Page 6: Critical System
Definition: “Computer security incidents involving certain systems could seriously impact the laboratory’s science programmatic operations. Such systems may be designated ‘critical systems’ and may be subject to additional computer security policies and procedures.”
Plan
• Identify systems
• Identify possible weaknesses and solutions

Page 7: Critical System Plan
• 4 Domain Admins for the win and fermi domains, appointed by the Computing Division and CSExec
• DCs in locked cabinets
• Remote administration using IPSEC and terminal server
• Services monitored for state change and additions
• Backup policy and domain disaster recovery
• One password policy
• Identification of OU Admin rights
• Define W2K Policy Committee

Page 8: Centralized Accounts
• Single user account – one per realm, same username
• Create/disable – Security able to flip a ‘switch’
  – Admins not allowed to create accounts
• User accounts only in 1 domain (diagram: win.fnal.gov at the top, with child domains fermi.win.fnal.gov and controls.win.fnal.gov)
• NT4 Domain Admins -> OU Admins

Page 9: OU Administration
• Requirements:
  – Reset passwords
  – Define print/disk shares in AD
  – Change allowed user account information
  – Add/Delete/Move machine accounts
  – Add/Delete/Modify global groups
  – Enable/Disable user accounts
  – Move user accounts to ‘terminated’ OU
  – Retrieve user accounts from New-User OU

Page 10: OU Administration
• Requirements (cont):
  – Set and define policy for the OU
  – Create sub-OUs
  – Delegate control of sub-OUs

Page 11: OU Administration
Implementation issues. Admins can:
  – Reset passwords
  – Define printers/shares
  – Change allowed user account settings
  – Add/Delete/Move machine accounts
  – Add/Delete/Modify global groups
  – Enable/Disable user accounts

Page 12: OU Administration
Implementation issues. Admins CAN’T:
  – Create/Delete OUs below their top OU
  – Move users within their OU structure
  – Delegate control of sub-OUs
Why?
  – AD does not provide a ‘move’ permission, only create/delete!
  – AD does not provide a basic security setting to prevent Admins from changing sub-OU permissions

Page 13: OU Administration
Possible solutions:
• Domain Admins perform the function
  – Not acceptable to the group
• Explore commercial products
  – None that fit our security requirements
• Write a service program
  – Time consuming
• Combination of GPO and Audit Policy
  – Implementable now

Page 14: OU Administration
GPO implementation:
• OU Creator Group (username-Creator-OU)
  – Domain Admins control membership
  – Full Control over OU
  – Only found in top-level OU
  – Limited membership (3 per OU)
• OU Admin Group (username-Admin-OU)
  – Domain Admins or OU creators control membership
  – Limited control over OU/sub-OU

Page 15: OU Administration
OU Creator rights:
• This object and all child objects:
  – Full Control
• This object only:
  – Deny Delete
  – Deny Modify Permissions
  – Deny Modify Owner
The Creator group provides all requested admin rights, but can also create/delete users.

Page 16: OU Administration
OU Admin rights:
• This object and all child objects:
  – Full Control
  – Deny Modify Permissions
  – Deny Modify Owner
  – Deny Create OU Objects
  – Deny Create User Objects
  – Deny Delete User Objects
• This object only:
  – Deny Delete

Page 17: OU Administration
OU Admin rights (cont):
• User objects:
  – Deny Write Division, Last Name, Logon Name, etc. (18 attributes total)
The OU Admins group has basic rights but cannot create sub-OUs or move users.
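A small model of how the Creator and Admin ACL sets on slides 15 to 17 combine, added here as an illustration; it is not part of the original slides and not Fermilab's implementation. It applies the Windows rule that an explicit Deny ACE overrides an Allow for the same trustee, treats "Full Control" as the union of the individual rights named on the slides, and distinguishes ACEs scoped to "this object only" from those that also apply to child objects. The group names and right names come from the slides; the evaluation is a deliberate simplification (no inherited-versus-explicit ordering, no attribute-level ACEs, no distinction between deleting a container and deleting a child) and is an assumption of this example.

```python
from dataclasses import dataclass

# ACE scopes, matching the two choices named on slides 15 and 16.
THIS_ONLY = "this object only"
THIS_AND_CHILDREN = "this object and all child objects"

# The individual rights this toy model understands; "full control" expands to all of them.
ALL_RIGHTS = frozenset({
    "delete", "modify permissions", "modify owner",
    "create ou objects", "create user objects", "delete user objects",
    "reset password", "write user attributes",
})


@dataclass(frozen=True)
class Ace:
    group: str
    allow: bool
    rights: frozenset
    scope: str


def ace(group, allow, *rights, scope=THIS_AND_CHILDREN):
    """Build one ACE; ace(g, True, "full control") expands to every modelled right."""
    expanded = ALL_RIGHTS if rights == ("full control",) else frozenset(rights)
    return Ace(group, allow, expanded, scope)


def is_allowed(acl, group, right, where):
    """Evaluate one right for one group, either on the OU itself ("ou") or on an
    object inside it ("child"). An explicit Deny beats an Allow for the same
    trustee, as Windows does for ACEs at the same level; a right with no
    matching ACE is not granted. Simplified model, not the full AD algorithm."""
    relevant = [a for a in acl
                if a.group == group and right in a.rights
                and (a.scope == THIS_AND_CHILDREN or where == "ou")]
    if any(not a.allow for a in relevant):
        return False
    return any(a.allow for a in relevant)


# OU Creator rights (slide 15): group username-Creator-OU.
CREATOR = "username-Creator-OU"
CREATOR_ACL = [
    ace(CREATOR, True, "full control"),
    ace(CREATOR, False, "delete", scope=THIS_ONLY),
    ace(CREATOR, False, "modify permissions", scope=THIS_ONLY),
    ace(CREATOR, False, "modify owner", scope=THIS_ONLY),
]

# OU Admin rights (slide 16): group username-Admin-OU.
ADMIN = "username-Admin-OU"
ADMIN_ACL = [
    ace(ADMIN, True, "full control"),
    ace(ADMIN, False, "modify permissions", "modify owner", "create ou objects",
        "create user objects", "delete user objects"),
    ace(ADMIN, False, "delete", scope=THIS_ONLY),
]


def effective_rights(acl, group):
    """Map each modelled right to (allowed on the OU, allowed on child objects)."""
    return {r: (is_allowed(acl, group, r, "ou"), is_allowed(acl, group, r, "child"))
            for r in sorted(ALL_RIGHTS)}


if __name__ == "__main__":
    for label, acl, group in (("OU Creator", CREATOR_ACL, CREATOR),
                              ("OU Admin", ADMIN_ACL, ADMIN)):
        print(label)
        for right, (on_ou, on_child) in effective_rights(acl, group).items():
            print(f"  {right:22s} OU={on_ou!s:5s} child={on_child!s:5s}")
```

Running the block prints the effective-rights table for both groups: the Creator keeps "create user objects" on the OU (the side effect slide 15 calls out) while losing Delete, Modify Permissions and Modify Owner on the top OU only, and the Admin loses user creation/deletion and sub-OU creation everywhere while keeping rights such as password reset on child objects.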

Page 18: OU Administration
Audit Policy
• Monitor DC event logs for violations of security policy
  – Create/delete users
• Notify appropriate personnel
• Auditing done on external computer(s)
  – Harder for hackers to cover their tracks

Page 19: OU Administration
Audit Policy implementation:
• Configure DCs to log the proper events
• Install software on DCs to forward events to a Unix syslog server
  – Event Reporter ($49)
  – ELM (price varies)
  – NTsyslog (free)
• Central Unix syslog server
  – Uses syslog-ng and swatch
• Violation notification
  – Sends email to an archived list
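To make the audit pipeline on slides 18 and 19 concrete, here is an added example in Python rather than swatch rules; it is not Fermilab's configuration and not code from the original slides. It takes forwarded DC Security-log lines in a constructed syslog-style format, picks out the Windows 2000 event IDs for user account creation (624) and deletion (630), flags any event whose caller is not the central account process that slide 8 reserves account creation for, and builds the text of the notification mail. The line format, the allowed caller name and the sample log lines are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Windows 2000 Security log event IDs for the account lifecycle events the
# audit policy watches for.
USER_CREATED = 624
USER_DELETED = 630
WATCHED_EVENTS = {USER_CREATED: "user account created",
                  USER_DELETED: "user account deleted"}

# Accounts permitted to create or delete user accounts (the central account
# process). Hypothetical name; OU Admins are deliberately absent.
ALLOWED_CALLERS = frozenset({"FERMI\\acct-svc"})

# Constructed sample of forwarded DC events. The line shape assumed here is
# "<syslog timestamp> <dc> security[<audit result>] <event id> <event text>";
# real forwarders format the text differently.
SAMPLE_LOG = """\
Apr 16 10:32:01 dc1 security[success] 624 User Account Created: New Account Name: newuser1 Caller User Name: acct-svc Caller Domain: FERMI
Apr 16 10:35:17 dc1 security[success] 528 Successful Logon: User Name: jdoe Domain: FERMI Logon Type: 2
Apr 16 10:41:09 dc2 security[success] 624 User Account Created: New Account Name: tmpadmin Caller User Name: jdoe Caller Domain: FERMI
Apr 16 10:42:30 dc2 security[success] 630 User Account Deleted: Target Account Name: tmp01 Caller User Name: jdoe Caller Domain: FERMI
Apr 16 10:50:02 dc1 security[failure] 529 Logon Failure: User Name: guest Domain: FERMI
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"security\[(?P<result>\w+)\] (?P<eid>\d+) (?P<text>.*)$")
CALLER_RE = re.compile(r"Caller User Name: (?P<user>\S+) Caller Domain: (?P<domain>\S+)")


@dataclass(frozen=True)
class Violation:
    timestamp: str
    host: str
    event_id: int
    caller: str
    text: str


def parse_line(line):
    """Split one forwarded line into its fields; returns None for lines that do
    not match the assumed shape, so unrelated syslog traffic is ignored."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "result": m["result"],
            "eid": int(m["eid"]), "text": m["text"]}


def find_violations(log_text):
    """Return every watched create/delete event whose caller is not on the
    allow list. DOMAIN\\user is compared case-insensitively."""
    allowed = {a.lower() for a in ALLOWED_CALLERS}
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["eid"] not in WATCHED_EVENTS:
            continue
        c = CALLER_RE.search(rec["text"])
        caller = f"{c['domain']}\\{c['user']}" if c else "<unknown>"
        if caller.lower() not in allowed:
            found.append(Violation(rec["ts"], rec["host"], rec["eid"], caller, rec["text"]))
    return found


def format_notification(violations):
    """Body of the notification mail sent to the archived list."""
    if not violations:
        return "No account create/delete policy violations."
    lines = ["Account create/delete by an account outside the central process:"]
    for v in violations:
        lines.append(f"{v.timestamp} {v.host} event {v.event_id} "
                     f"({WATCHED_EVENTS[v.event_id]}) by {v.caller}: {v.text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_notification(find_violations(SAMPLE_LOG)))
```

On the constructed sample the logon events are ignored, the creation by the central account process passes, and the two operations by jdoe on dc2 are reported; an event with no parseable caller is reported as "<unknown>" rather than silently passed, which is the safer default for a rule whose purpose is to catch administrators bypassing the central process.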

Page 20: OU Administration
• Present status
  – Testing design
  – Needs Computer Security Review

Page 21: No Shared Accounts
• Existing NT4 shared accounts:
  – Administrative accounts
  – Test accounts
  – Console/Demo accounts
  – Data logging accounts
  – Monitoring accounts
  – Service accounts

Page 22: No Shared Accounts
• Progress so far:
  – No shared admin or test accounts
  – Service accounts:
    • Examples: tape backup, anti-virus management, web server anonymous account
    • Waiver request form – approval by Policy Committee and Computer Security
    • Requires annual review

Page 23: Future
• Shared accounts
• Terminal servers
• Home users