
Windows 2000: Concepts & Deployment
Larry Lieberman, NT Support Engineer
Premier Enterprise Support, Microsoft Corporation


Agenda
Active Directory
Microsoft DNS
Distributed Security
System Management


Active Directory
Architecture
Components
Planning AD design


AD Architecture
X.500-derived data model
Schema stored in the directory itself
Windows 2000 Trusted Computing Base security model
Delegated administration model
DNS integration


AD Components (1/10)
Objects
Organizational Units (OUs)
Domains
Sites
Trees and forests
Global Catalog


AD Components (2/10): Objects
Object class: defined in the schema, together with its attributes
Data storage is allocated as necessary (an attribute occupies space only once it is populated)
Directory object: an instance of an object class, created in the directory


AD Components (3/10): Object Access
Access to directory objects is controlled via Access Control Lists (ACLs)
Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes
Diagram: an ACL on a directory object holding an ACE that grants "Sales Managers" read access; ACEs can apply to specific attributes


AD Components (4/10): Organizing the Directory
A hierarchy of objects can be created using Organizational Units (OUs)
Although OUs are the primary containers used to create the hierarchy, all directory objects are potential containers
Deep or flat structure? (diagram: nested OUs)


AD Components (5/10): OUs
OU security provides the mechanism for controlling object visibility and delegating administration
ACLs on OUs are inheritable; the diagram shows delegation by ACE at each level:
  UK User Admins: Create Users
  Location1 Admins: Reset passwords
  UK Users: Read Volume objects
  Sales Managers: read access
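The delegation pattern on this slide, as an added example that is not part of the original deck: a small Python model of inheritable OU ACLs with attribute-scoped ACEs and the canonical ACE order (explicit before inherited, deny before allow) that the access check walks. The group names are the slide's; the OU tree, the user object Bob and the attribute names are constructed for the example.

```python
# Toy model of OU delegation in Active Directory: inheritable ACLs on OUs,
# attribute-scoped ACEs, and the canonical ACE order used during an access
# check. Added illustration, not Microsoft code. The group names come from
# the slide; the OU tree, user object and attribute names are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    allow: bool                      # True = access-allowed, False = access-denied
    trustee: str                     # group (or user) the ACE applies to
    right: str                       # "create_child", "reset_password", "read_property", ...
    obj_type: Optional[str] = None   # class or attribute the right is scoped to; None = whole object
    inheritable: bool = True         # propagate to child objects
    inherited: bool = False          # set on the copies a child receives from its parents

@dataclass
class DirObject:
    dn: str
    acl: list = field(default_factory=list)
    parent: Optional["DirObject"] = None

def _canonical(aces):
    """Within one group (explicit or inherited) Windows orders denies before allows."""
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]

def effective_acl(obj):
    """Explicit ACEs first, then ACEs inherited from each ancestor, nearest first."""
    aces = _canonical(obj.acl)
    p = obj.parent
    while p is not None:
        aces += _canonical([Ace(a.allow, a.trustee, a.right, a.obj_type, a.inheritable, True)
                            for a in p.acl if a.inheritable])
        p = p.parent
    return aces

def access_check(obj, token, right, obj_type=None):
    """token: set of group/user names in the caller's access token.
    The first ACE matching trustee, right and scope decides; no match = deny."""
    for ace in effective_acl(obj):
        if ace.trustee in token and ace.right == right \
           and (ace.obj_type is None or ace.obj_type == obj_type):
            return ace.allow
    return False

# Constructed sample hierarchy: OU=UK -> OU=Location1 -> CN=Bob (a user object)
uk = DirObject("OU=UK,DC=corp,DC=example,DC=com", acl=[
    Ace(True, "UK User Admins", "create_child", obj_type="user"),   # may create users anywhere under UK
    Ace(True, "Sales Managers", "read_property"),                    # read any attribute under UK
])
loc1 = DirObject("OU=Location1,OU=UK,DC=corp,DC=example,DC=com", parent=uk, acl=[
    Ace(True, "Location1 Admins", "reset_password"),                 # only within Location1
])
bob = DirObject("CN=Bob,OU=Location1,OU=UK,DC=corp,DC=example,DC=com", parent=loc1, acl=[
    # explicit, attribute-scoped deny: precedes the inherited allow from OU=UK
    Ace(False, "Sales Managers", "read_property", obj_type="employeeID", inheritable=False),
])

def delegation_results():
    """What each delegated group can do on Bob's object (and on Location1)."""
    return {
        "loc1_admin_reset": access_check(bob, {"Location1 Admins"}, "reset_password"),
        "uk_admin_reset":   access_check(bob, {"UK User Admins"}, "reset_password"),
        "uk_admin_create":  access_check(loc1, {"UK User Admins"}, "create_child", "user"),
        "sales_read_phone": access_check(bob, {"Sales Managers"}, "read_property", "telephoneNumber"),
        "sales_read_empid": access_check(bob, {"Sales Managers"}, "read_property", "employeeID"),
    }

if __name__ == "__main__":
    for k, v in delegation_results().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The explicit deny on employeeID wins over the inherited allow because explicit ACEs are evaluated before inherited ones. The model leaves out blocking of inheritance on a child object and the implicit rights of the object owner, both of which a real delegation review has to account for.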


AD Components (6/10): Domains
One or more domain controllers; the domain directory is hosted on all DCs
Multi-master replication between the DCs
One or more sites
Each DC also hosts the forest-wide Configuration and Schema partitions alongside the domain directory


AD Components (7/10): Sites
A site is one or more IP subnets
Controls Active Directory replication: intra-site replication is configured automatically, inter-site replication runs on a schedule
Site knowledge is also used by the logon (DC) locator, the printer locator and pruner, Dfs and more


AD Components (8/10): Trees and Forests
Configuration and schema are common to all domains in the forest
Transitive trusts link the domains


AD Components (9/10): Boundaries
A domain is the boundary for:
  Replication
  Administration
  Security policy
  Group Policy


AD Components (10/10): Global Catalog
Partial replica of all objects in every domain of the forest, hosted on one or more DCs
Serves enterprise-wide searches and resolves enterprise queries


Planning AD Design (1/6): Considerations
Defining a logical hierarchy of resources
Administrative architectures
Allocation of physical resources and budget
Current infrastructure and upgrade strategies
Data availability requirements
Network bandwidth
Politics


Planning AD Design (2/6): One or More Forests
All domains in a forest share a common schema and global catalog
Create multiple forests if:
  Separate schemas are required
  One or more domains must be isolated from the spanning tree of transitive trusts
  Total administrative autonomy is required


Planning AD Design (3/6): Domain Structure
Where possible use a single domain
  Use OUs to delegate administration
  Use sites to tune replication
Use multiple domains when there is a requirement for:
  Scalability across WANs
  Autonomous administrative entities
  Different security account policies (password, lockout and Kerberos ticket policies apply per domain)


Planning AD Design (4/6): Multiple Domains (1/3)
Containment of network traffic
  Directory replication
  Policies (FRS)
In-place upgrades from Windows NT domains
Autonomous divisions with separate names
  No technical reasons, only politics
  Names are not important


Planning AD Design (5/6): Multiple Domains (2/3)
Each domain has an incremental overhead
  Increased administration
  Increased hardware: separate DCs are required for each domain
Try to avoid creating divisional or departmental domains for purely political reasons
  Change is inevitable; domains are easy to create and hard to retire


Planning AD Design (6/6): Multiple Domains (3/3)
Separate the production forest from development and testing
  Prevents unwanted schema changes propagating through the enterprise
Create a separate forest to restrict access for business partners


Microsoft DNS
Windows 2000 DNS requirements
MS DNS features
DNS design


DNS Requirements
A DNS server that is authoritative for a Windows 2000 domain MUST support SRV records (RFC 2052 at the time of this deck; the SRV specification is now RFC 2782)
It also should support dynamic updates (RFC 2136)
The NETLOGON service on the domain controller automatically registers all of the domain services and the site that it supports
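The records Netlogon registers are what the DC locator looks up. As an added example, not from the deck, the following Python lists the SRV owner names a Windows 2000 client queries for a domain (and site) and applies the RFC 2782 priority/weight ordering to a constructed answer set; the names are the ones documented for Netlogon registration, the answers are sample data.

```python
# The DNS names a Windows 2000 client queries to locate a DC, KDC and GC
# (the SRV records Netlogon registers), and RFC 2782 priority/weight ordering
# over the answers. Added illustration, not Microsoft's locator code; the
# answer set in sample_answers() is constructed data.
import random

def dc_locator_names(dns_domain, forest=None, site=None):
    """SRV owner names for the DC locator; site-specific names are tried first."""
    forest = forest or dns_domain
    names = {
        "dc":      f"_ldap._tcp.dc._msdcs.{dns_domain}",
        "pdc":     f"_ldap._tcp.pdc._msdcs.{dns_domain}",
        "kdc":     f"_kerberos._tcp.dc._msdcs.{dns_domain}",
        "kpasswd": f"_kpasswd._tcp.{dns_domain}",
        "gc":      f"_ldap._tcp.gc._msdcs.{forest}",
    }
    if site:
        names["dc_site"]  = f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
        names["kdc_site"] = f"_kerberos._tcp.{site}._sites.dc._msdcs.{dns_domain}"
        names["gc_site"]  = f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}"
    return names

def order_srv(records, seed=None):
    """RFC 2782 selection. records: list of (priority, weight, port, target).
    Lower priority first; within one priority a weighted random draw, with
    weight-0 records placed first in the running-sum walk as the RFC says."""
    rng = random.Random(seed)
    by_prio = {}
    for r in records:
        by_prio.setdefault(r[0], []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)   # weight 0 first
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)
            acc = 0
            for i, r in enumerate(pool):
                acc += r[1]
                if acc >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered

def sample_answers():
    """Constructed answer set for _ldap._tcp.dc._msdcs.corp.example.com."""
    return [
        (0, 100, 389, "dc1.corp.example.com."),
        (0, 100, 389, "dc2.corp.example.com."),
        (10, 0, 389, "dc-backup.corp.example.com."),   # used only if both priority-0 DCs fail
    ]

def first_dc(records, seed=None):
    """Target the client contacts first."""
    return order_srv(records, seed)[0][3]

if __name__ == "__main__":
    for k, v in dc_locator_names("corp.example.com", site="Site1").items():
        print(f"{k:8} {v}")
    print("contact order:", [r[3] for r in order_srv(sample_answers())])
```

A client that ignores the site-specific names, or a DNS server that returns a stale SRV set, sends logons across the WAN; the site names exist precisely so the locator prefers DCs in the client's own subnet.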


MS DNS Features (1/12)
Active Directory integration
Dynamic update
Aging
Administrative tools
Caching resolver


MS DNS Features (2/12): Active Directory Integration
AD-integrated DNS zones are multi-master


MS DNS Features (3/12): Active Directory Integration
Update flow for an AD-integrated zone, as in the diagram:
  1) A DNS server receives the update
  2) It writes the record to the Active Directory store (ADS)
  3) Active Directory replicates the change to the other DCs
  4) The DNS servers on those DCs read the record from their local copy of the ADS
Every DNS server hosting the zone is therefore a "primary" for it


MS DNS Features (4/12): Active Directory Integration
AD-integrated DNS zones are multi-master
High availability of write as well as read
Does not require a replication mechanism separate from AD replication (no zone transfers between the DCs)


MS DNS Features (5/12): Active Directory Integration
ADS replication is loosely consistent
Name-level collision: two hosts create the same name simultaneously (first writer wins)
Attribute-level collision: two hosts modify the A RRset for microsoft.com simultaneously (last writer wins; the RRset is stored as one multi-valued attribute of the dnsNode object, so the losing change is overwritten rather than merged)


MS DNS Features (6/12): Dynamic Update
Based on RFC 2136
The client discovers the primary server for the zone where the record should be added or deleted (from the zone's SOA record)
The client sends a dynamic update packet to the primary server
The primary server processes the update
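The update packet in this flow, as an added example not from the deck: Python that builds an RFC 2136 UPDATE message registering an A record (a "delete the RRset, then add" update, which is how a host replaces a stale address) and parses it back to show the sections. Zone, host name and address are constructed; the 20-minute TTL is the Windows 2000 default registration TTL.

```python
# Builds the RFC 2136 UPDATE message a Windows 2000 host would send to
# (re)register its A record, and parses it back to show the sections.
# Added illustration, not Microsoft's DNS client; zone, host name and
# address are constructed sample values.
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, CLASS_IN, CLASS_ANY = 1, 6, 1, 255

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def _rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update_add_a(msg_id, zone, fqdn, ip, ttl=1200):
    """Zone section names the zone (SOA/IN); the update section deletes any
    existing A RRset for the name (CLASS ANY, TTL 0, empty RDATA, RFC 2136
    2.5.2) and then adds the new A record."""
    header = struct.pack(">HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)  # ZO=1 PR=0 UP=2 AD=0
    zone_sec = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    updates = _rr(fqdn, TYPE_A, CLASS_ANY, 0, b"") + _rr(fqdn, TYPE_A, CLASS_IN, ttl, rdata)
    return header + zone_sec + updates

def parse_update(msg):
    """Decodes header, zone section and the prerequisite/update RRs."""
    msg_id, flags, zo, pr, up, ad = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    zone, off = decode_name(msg, off)
    ztype, zclass = struct.unpack(">HH", msg[off:off + 4]); off += 4
    rrs = []
    for _ in range(pr + up):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
        rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                    "rdata": msg[off:off + rdlen]}); off += rdlen
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "zone_type": ztype, "prereqs": rrs[:pr], "updates": rrs[pr:]}

if __name__ == "__main__":
    m = build_update_add_a(0x1234, "corp.example.com", "ws01.corp.example.com", "10.1.2.3")
    print(len(m), "bytes:", parse_update(m))
```

Nothing in this message authenticates the sender: on a zone that accepts nonsecure updates any host can send it for any name. Secure dynamic update adds a TSIG RR, keyed through Kerberos (GSS-TSIG), in the additional section; it is not built here.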


MS DNS Features (7/12): Dynamic Update
A Windows 2000 computer registers an A RR with:
  Hostname.PrimaryDnsSuffix (default), and
  Hostname.AdapterSpecificDnsSuffix (if configured)
It registers the PTR RR itself if the adapter is not DHCP-configured or the DHCP server does not support DNS RR registration


MS DNS Features (8/12): Dynamic Update
The Windows 2000 DHCP server registers (based on the draft-ietf-dhc-dhcp-dns-*.txt Internet-Drafts, work later standardized as RFC 4702 and RFC 4703):
  PTR records on behalf of upgraded clients (default)
  A and PTR records on behalf of downlevel clients (default)
  A and PTR records on behalf of upgraded clients (if configured)
The Windows 2000 DHCP server removes the records that it registered upon lease expiration


MS DNS Features (9/12): Secure Dynamic Update
Based on draft-skwan-gss-tsig-04.txt (GSS-TSIG, later published as RFC 3645): the update is signed with a key negotiated through Kerberos
Available only on AD-integrated zones
Per-zone and per-name granularity: an ACL on each zone and on each name
A zone that still accepts nonsecure updates lets any host on the network overwrite names it does not own; the protection only materializes when the zone is set to accept secure updates only


MS DNS Features (10/12): Aging/Scavenging
Enables deletion of stale records in AD-integrated zones
Requires periodic refreshes of the records by their owners
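The refresh and scavenge rule behind this slide, as an added example not from the deck: a Python model of Windows DNS aging with the default 7-day no-refresh and refresh intervals. The records, their timestamps and the EPOCH constant are constructed for the example.

```python
# Windows DNS aging/scavenging applied to dynamically registered records.
# Added illustration of the documented rule (no-refresh interval, then refresh
# interval, scavenge once both have elapsed); records and times are constructed.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)   # Windows default: refreshes are ignored in this window
REFRESH = timedelta(days=7)      # Windows default: refreshes are accepted in this window
EPOCH = datetime(2000, 1, 1)     # constructed reference time for the sample records

def at_day(n):
    """Constructed clock: n days after EPOCH."""
    return EPOCH + timedelta(days=n)

def make_record(name, rdata, timestamp):
    """timestamp None marks a static record, which is never aged or scavenged."""
    return {"name": name, "rdata": rdata, "timestamp": timestamp}

def dynamic_update(record, rdata, now):
    """A refresh (same data) only advances the timestamp once the no-refresh
    interval has passed, to limit AD replication; a change of data is always
    written. Returns True when the record was written."""
    ts = record["timestamp"]
    if ts is None:
        return False                       # static records are left alone
    if rdata == record["rdata"] and now - ts < NO_REFRESH:
        return False                       # refresh suppressed
    record["rdata"], record["timestamp"] = rdata, now
    return True

def scavengeable(record, now):
    """Eligible once timestamp + no-refresh + refresh has passed."""
    ts = record["timestamp"]
    return ts is not None and now >= ts + NO_REFRESH + REFRESH

def scavenge(records, now):
    """Returns the records that survive a scavenging pass at 'now'."""
    return [r for r in records if not scavengeable(r, now)]

if __name__ == "__main__":
    ws = make_record("ws01.corp.example.com.", "10.1.2.3", at_day(0))
    print("refresh day 3 written:", dynamic_update(ws, "10.1.2.3", at_day(3)))
    print("refresh day 8 written:", dynamic_update(ws, "10.1.2.3", at_day(8)))
    print("survivors day 15:", [r["name"] for r in scavenge(
        [ws, make_record("old.corp.example.com.", "10.1.2.9", at_day(0))], at_day(15))])
```

Manually created (static) records carry no timestamp and are never scavenged; a DC's own dynamically registered records survive because Netlogon re-registers them periodically. A client that is switched off for longer than the two intervals combined loses its name, which is the intended outcome.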


MS DNS Features (12/12): Caching Resolver
A Windows 2000 service
Caches RRs according to their TTL
Negative caching
Tracks transient/PnP adapters
Reorders servers according to responsiveness
Result: fewer round-trips, fewer timeouts, faster response time


DNS Design (1/11): To Support the DC Locator
The DNS server authoritative for the DC records MUST support SRV RRs
Support for dynamic updates is recommended


DNS Design (2/11)
Delegate a DNS zone for each AD domain to the DNS servers running on the DCs in that AD domain


DNS Design (3/11)
Diagram: AD domain corp.example.com
  Zones: primary AD-integrated "corp.example.com"


DNS Design (4/11)
Diagram: corp.example.com with child domain Domain1.corp.example.com
  corp.example.com DCs: primary AD-integrated "corp.example.com"
  Domain1 DCs: primary AD-integrated "Domain1.corp.example.com"


DNS Design (5/11)
Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
Install a DNS server on at least two DCs in each AD domain and on one DC in each site


DNS Design (6/11)
Diagram: corp.example.com and Domain1.corp.example.com spread across Site1, Site2 and Site3
  corp.example.com DCs: primary AD-integrated "corp.example.com"
  Domain1 DCs: primary AD-integrated "Domain1.corp.example.com"


DNS Design (7/11)
Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
Install a DNS server on at least two DCs in each AD domain and on one DC in each site
If different sites in the forest are connected over slow links, delegate the zone "_msdcs.<ForestName>" and make at least one DNS server in every site secondary for this zone


DNS Design (8/11)
Diagram: corp.example.com and Domain1.corp.example.com across Site1, Site2 and Site3
  corp.example.com DCs: primary AD-integrated "corp.example.com"; primary AD-integrated "_msdcs.corp.example.com."
  Domain1 DCs: primary AD-integrated "Domain1.corp.example.com"; secondary "_msdcs.corp.example.com."


DNS Design (9/11)
Install a DNS server on at least two DCs in each AD domain and on one DC in each site
Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain
If different domains of the forest are connected over slow links, delegate the zone _msdcs.<ForestName> and make at least one DNS server in every site secondary for this zone
Each client should be configured to query at least two DNS servers, one of which is in the same site


DNS Design (10/11)
Diagram (as in 8/11): corp.example.com and Domain1.corp.example.com across Site1, Site2 and Site3
  corp.example.com DCs: primary AD-integrated "corp.example.com"; primary AD-integrated "_msdcs.corp.example.com."
  Domain1 DCs: primary AD-integrated "Domain1.corp.example.com"; secondary "_msdcs.corp.example.com."


DNS Design (11/11): Hardware Planning
Memory usage
  No zones loaded: ~4 MB
  Each record requires ~100 bytes
Performance
  Alpha 533 MHz dual-processor at 25% processor utilization: 1600 queries and 200 dynamic updates/second
  Intel Pentium II 400 MHz dual-processor at 30% processor utilization: 900 queries and 100 dynamic updates/second


Security Topics
Kerberos integration with Windows NT
Security provider architecture
Public key security components
Smart card logon and authentication
Encrypting File System
Security policies and domain trust
Secure Windows NT configuration


Security Goals
Single enterprise logon
Integrated security services with the Windows NT Directory Service
Delegated administration and scalability for large domains
Strong network authentication protocols
Standard protocols for interoperability of authentication


Authentication/Authorization
Authenticate using domain credentials
  User account defined in Active Directory
Authorization based on group membership
  Centralized management of access rights
Distributed security tied to the Windows NT security model
  Network services use impersonation
  Object-based access control lists


One Security Model: Multiple Security Protocols
Shared-key protocols
  Windows NTLM authentication: compatibility in mixed domains
  Kerberos V5 for enterprise networks
Public key certificate protocols
  Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
  IP Security
Multiple forms of credentials in the Active Directory


NTLM Authentication
Diagram: client, application server (MSV1_0 package, Netlogon) and Windows NT domain controller (Windows NT Directory Service)
  1. NTLM challenge/response between the client and the application server
  2. The server uses the LSA to log the user on to the domain
  3. The Netlogon service returns the user and group SIDs from the domain controller
  4. The server impersonates the client


Kerberos Integration
Diagram: client, server, and a Windows NT domain controller hosting the Windows NT Directory Server and the Key Distribution Center (KDC)
The KDC relies on the Active Directory as the store for security principals and policy
The Kerberos SSPI provider manages credentials and security context; the LSA manages the ticket cache
Session ticket authorization data supports the NT access control model


Kerberos Protocol Advantages
Faster connection authentication
  Server scalability for high-volume connections
  Session tickets are reused from the cache
Mutual authentication of both client and server
Delegation of authentication
  Impersonation in three-tier client/server architectures
Transitive trust between domains
  Simplifies inter-domain trust management
Mature IETF standard for interoperability
  Tested with the MIT Kerberos V5 release


Kerberos Unix Interoperability
Based on the Kerberos V5 protocol
  RFC 1510 and RFC 1964 token format (since superseded by RFC 4120 and RFC 4121)
  Tested with the MIT Kerberos V5 release
Windows NT DS hosts the KDC
  UNIX clients to UNIX servers
  UNIX clients to NT servers
  NT clients to UNIX servers
Simple cross-realm authentication
  UNIX realm to NT domain


Kerberos Authentication: Network Server Connection
Diagram: client (holding a TGT), application server (target), and a Windows NT domain controller hosting the Windows NT Directory Server and the KDC
  1. The client sends its TGT and requests a session ticket from the KDC for the target server
  2. The client presents the session ticket at connection setup
  3. The target server verifies that the session ticket was issued by the KDC


Building an Access Token with Kerberos V5
Diagram: session ticket -> Kerberos package -> LSA -> token -> server application
  The Kerberos package gets the authorization data from the session ticket: user SID, group SIDs, privileges
  The LSA builds an access token for the security context
  The server thread impersonates the client context using the impersonation token
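The three exchanges on these slides, as an added example that is not Windows code: a toy Python Kerberos-style flow in which the KDC issues a TGT, then a session ticket carrying authorization data, and the server verifies that ticket with its own key, mutually authenticates, and builds the token it would impersonate. The sealing routine is a demonstration encrypt-then-MAC construction, not a Kerberos enctype, and the authz dictionary stands in for the PAC; principals, keys and SIDs are constructed.

```python
# Toy Kerberos V5-style exchange following the slides: AS exchange (TGT),
# TGS exchange (session ticket carrying authorization data), AP exchange
# (server verifies the ticket with its own key, mutual authentication) and
# the token the server impersonates. Added illustration, not Windows code:
# seal()/unseal() are a demo encrypt-then-MAC, NOT a Kerberos enctype, and
# the authz dict stands in for the PAC; principals, keys and SIDs are constructed.
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

SKEW, LIFETIME = 300, 600   # seconds of tolerated clock skew; ticket lifetime

def _check(auth, ticket):
    """Authenticator must name the ticket's client and be fresh; ticket must be unexpired."""
    now = time.time()
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > SKEW or now > ticket["exp"]:
        raise ValueError("authenticator or ticket rejected")

class KDC:
    """Principal keys and authorization data come from the directory, as on a Windows 2000 DC."""
    def __init__(self, keys, authz):
        self.keys, self.authz = keys, authz
    def _ticket(self, service, client, authz):
        key = os.urandom(32)   # fresh session key, sealed under the service's long-term key
        body = {"client": client, "key": key.hex(), "authz": authz, "exp": time.time() + LIFETIME}
        return seal(self.keys[service], body), key
    def as_exchange(self, client):      # AS-REQ -> TGT plus a reply only the user's key opens
        tgt, key = self._ticket("krbtgt", client, self.authz[client])
        return tgt, seal(self.keys[client], {"key": key.hex()})
    def tgs_exchange(self, tgt, authenticator, service):   # TGS-REQ -> session ticket
        t = unseal(self.keys["krbtgt"], tgt)
        tgt_key = bytes.fromhex(t["key"])
        _check(unseal(tgt_key, authenticator), t)
        ticket, key = self._ticket(service, t["client"], t["authz"])   # authz copied from the TGT
        return ticket, seal(tgt_key, {"key": key.hex()})

class Server:
    def __init__(self, service, key):
        self.service, self.key = service, key
    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)          # only the KDC knows this key, so the ticket is genuine
        key = bytes.fromhex(t["key"])
        auth = unseal(key, authenticator)
        _check(auth, t)
        token = {"user": t["client"], "sids": [t["authz"]["user_sid"]] + t["authz"]["group_sids"]}
        return seal(key, {"time": auth["time"]}), token   # AP-REP proves the server holds the key

class Client:
    def __init__(self, name, key):
        self.name, self.key = name, key
    def logon(self, kdc):
        self.tgt, rep = kdc.as_exchange(self.name)
        self.tgt_key = bytes.fromhex(unseal(self.key, rep)["key"])   # needs the user's own key
    def connect(self, kdc, server):
        auth = seal(self.tgt_key, {"client": self.name, "time": time.time()})
        ticket, rep = kdc.tgs_exchange(self.tgt, auth, server.service)
        key = bytes.fromhex(unseal(self.tgt_key, rep)["key"])
        sent = time.time()
        ap_rep, token = server.ap_exchange(ticket, seal(key, {"client": self.name, "time": sent}))
        if unseal(key, ap_rep)["time"] != sent:   # mutual authentication
            raise ValueError("server failed mutual authentication")
        return token   # in Windows the server keeps this; returned here for inspection

# Constructed sample principals and directory data
KEYS = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "host/infosrv": os.urandom(32)}
AUTHZ = {"alice": {"user_sid": "S-1-5-21-1000-2000-3000-1105",
                   "group_sids": ["S-1-5-21-1000-2000-3000-513", "S-1-5-21-1000-2000-3000-1201"]}}

def demo():
    """Returns the impersonation token infosrv builds for alice."""
    kdc, alice = KDC(KEYS, AUTHZ), Client("alice", KEYS["alice"])
    alice.logon(kdc)
    return alice.connect(kdc, Server("host/infosrv", KEYS["host/infosrv"]))

def rogue_server_rejected():
    """A host without the real service key can neither read nor forge the ticket."""
    kdc, alice = KDC(KEYS, AUTHZ), Client("alice", KEYS["alice"])
    alice.logon(kdc)
    try:
        alice.connect(kdc, Server("host/infosrv", os.urandom(32)))
    except ValueError:
        return True
    return False
```

The point to carry over: the server never contacts the KDC; it trusts the authorization data because the ticket decrypts and verifies under a key only it and the KDC hold. Anyone who obtains that service key can mint tickets with arbitrary SIDs, which is why service account keys deserve the same protection as the KDC's own.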


Remote File Access Check
Diagram: the client's file application opens \\infosrv\share\File through the redirector (Rdr); the redirector's Kerberos SSP, called via SSPI, obtains a ticket from the KDC; the ticket travels with the SMB protocol to the server, whose Kerberos SSP verifies it and produces a token; NTFS performs the access check of that token against the file's security descriptor (SD)


Secure RPCSecure RPC HTTPHTTP

SSPISSPI

Internet Explorer,Internet Explorer,

Internet InformationInternet InformationServerServer

NTLMNTLM KerberosKerberos SChannelSChannelSSL/TLSSSL/TLS

MSV1_0/MSV1_0/ SAM SAM KDC/DSKDC/DS

DCOM DCOM applicationapplication

DPADPA

MembershipMembershipservicesservices

POP3, NNTPPOP3, NNTP

Mail, Mail, Chat, Chat, NewsNews

CIFS/SMBCIFS/SMB

Remote Remote filefile

Architecture For Architecture For Multiple Authentication Multiple Authentication ServicesServices

LDAPLDAP

DirectoryDirectoryenabled appsenabled appsusing ADSIusing ADSI

Page 57: Windows NT 4.0 - 5.0 Interoperability

Windows NT 4.0 clients and servers: use NTLM authentication
Windows NT 5.0 clients: locate the NT 5.0 Active Directory and KDC; support smart card logon; use the Kerberos or NTLM protocol
Windows NT 5.0 servers: accept both the NTLM and Kerberos protocols
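Because a Windows 2000 server accepts both packages, nothing on the server tells you which one a given client negotiated unless you look at the audit trail. The following is an added example, not from the deck: it reads logon events from a server's Security log and groups network logons by authentication package, so NTLM fallback (downlevel clients, or Kerberos failing and Negotiate dropping to NTLM) becomes visible. It assumes logon auditing is enabled and that it runs elevated; event ID 4624 and its field names are those of Windows Server 2008 and later, not the Windows 2000 event IDs.

```powershell
# Added example: which authentication package did each network logon use?
# Assumptions: Security log auditing of logon events is on; script runs elevated.
param([int]$Hours = 24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624                                  # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The EventData section is a list of <Data Name="..."> elements; index it by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # LogonType 3 = network logon (SMB, RPC, HTTP), the case the slide is about.
    if ($d.LogonType -eq '3') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source  = $d.IpAddress
            Package = $d.AuthenticationPackageName    # Kerberos, NTLM or Negotiate
            LmLevel = $d.LmPackageName                # NTLM V1 / NTLM V2 / "-" for Kerberos
        }
    }
}

# How much of the traffic is still NTLM, and which sources send it.
$rows | Group-Object Package | Select-Object Name, Count
$rows | Where-Object Package -eq 'NTLM' |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10
```

A source that only ever shows NTLM V1 is a downlevel client or an application that addresses the server by IP address (Kerberos needs a name to build the SPN); both are worth knowing before NTLM is restricted by policy.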

Page 58: Public Key Components: X.509 and PKCS Standards

Diagram: Windows NT Directory Server and Certificate Server, with clients and servers enrolling against them.

For clients: user key and certificate management, secure channel, secure storage, auto enrollment
For servers: key and certificate management, secure channel, client authentication, auto enrollment
Enterprise certificate services: trust policy

Page 59: Crypto API Architecture

Diagram, top to bottom: Application; Certificate management services and Secure channel; Crypto API 1.0; Cryptographic Service Providers (RSA base CSP, Fortezza CSP, SmartCard CSP); Key database and Certificate store.

Page 60: SSL Client Authentication: Integrated Security Administration

Strong authentication using X.509 certificates; single user ID for multiple protocols
Security account management: use the existing infrastructure for account administration and access control
Accept third-party X.509 certificates from trusted Certificate Authorities
Inter-business authentication

Page 61: SSL Client Authentication

Diagram: the client certificate is presented to the server's SChannel SSP; the authentication service consults the certificate store of trusted CAs and the directory (Domain > Org (OU) > Users); the resulting access token is checked against the ACL on server resources.

1. Verify the user certificate based on trusted CA and CRL
2. Locate the user object in the directory by subject name
3. Build the NT access token based on group membership
4. Impersonate the client; object access verification

Page 62: Client Authentication Using SmartCards

Diagram: Internet Explorer 4.0 -> Secure channel -> SSPI -> Crypto API -> SmartCard CSP -> Reader driver -> Reader -> ICC (the card).

Secure channel between Internet Explorer and Internet Information Server
Keys and certificates managed by Crypto API
The SmartCard CSP gets the certificate and the protocol signature from the card

Page 63: Smart Card Logon

Private key and certificate on the card
Public key domain authentication (PK Kerberos)
Domain credentials: obtain a Kerberos TGT and NTLM credentials
User profile for other keys and certificates (Internet Explorer, RAS support)

Page 64: Management of Trust

Trust policy decisions: what CAs are trusted? What are they trusted for? (Client Authentication, Server Authentication, Authenticode)
Trust determination made locally: certificate path verification
Configure trust policy centrally: define the trust policy in the Policy Editor, signed by an authorized user
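The local trust determination of this slide (path verification against the trusted CA store, CRL check, and "what is the CA trusted for") is exactly what steps 1 and 2 of slide 61 perform before a certificate is mapped to a user. The script below is an added example, not from the deck: it runs that check with the .NET X509Chain class and then performs the directory lookup with Get-ADUser from the ActiveDirectory module. The certificate path, the purpose names and the UPN-based mapping are this example's assumptions; the extended key usage OIDs are the standard X.509 ones.

```powershell
# Added example: verify a client certificate the way slides 61 and 64 describe,
# then locate the matching user object. Assumes a .cer file path and RSAT's
# ActiveDirectory module; function names and parameters are this example's own.
param(
    [Parameter(Mandatory)] [string]$CertPath,
    [ValidateSet('ClientAuth','ServerAuth','CodeSigning')] [string]$Usage = 'ClientAuth'
)

# The three purposes the slide lists, as extended key usage OIDs.
$ekuOid = @{
    ClientAuth  = '1.3.6.1.5.5.7.3.2'
    ServerAuth  = '1.3.6.1.5.5.7.3.1'
    CodeSigning = '1.3.6.1.5.5.7.3.3'   # Authenticode
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Step 1 of slide 61: trusted CA plus CRL. Check revocation for the whole chain,
# and fail closed: an unreachable CRL makes Build() return $false, not $true.
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
# "What is the CA trusted for": require the purpose end to end.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ekuOid[$Usage])) | Out-Null

if (-not $chain.Build($cert)) {
    # Build() reports the reasons instead of throwing; list them before failing.
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    throw "Certificate for '$($cert.Subject)' is not trusted for $Usage"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Trusted path of $($chain.ChainElements.Count) certificates, root: $($root.Subject)"

# Step 2 of slide 61: locate the user object. Modern Windows maps on the UPN in
# the subject alternative name; fall back to the subject common name.
$upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
if ($upn) {
    Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties MemberOf
} else {
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Get-ADUser -Filter "Name -eq '$cn'" -Properties MemberOf
}
```

The order matters: the name is taken from the certificate only after the chain has been built, so an attacker cannot feed an arbitrary subject into the directory query with a certificate from an untrusted issuer. MemberOf is returned because step 3 of slide 61 builds the token from exactly that group membership.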

Page 65: Encrypting File System

Privacy of data that goes beyond access control: protect confidential data on laptops; configurable approach to data recovery
Integrated with core operating system components: Windows NT File System (NTFS), Crypto API key management, LSA security policy
Transparent and very high performance

Page 66: EFS Architecture

Diagram. User mode: Applications -> Win32 layer; the EFS service, which uses Crypto API, talks to the driver over LPC for all key management support. Kernel mode: I/O manager -> EFS.sys -> NTFS, with FSRTL callouts between EFS.sys and NTFS and encrypted on-disk data storage below NTFS.

Page 67: File Encryption

Diagram: the RNG produces a randomly generated file encryption key. File encryption (e.g., DES) turns "A quick brown fox jumped..." into "*#$fjda^ju539!3tt389E *&". Data decryption field generation (e.g., RSA) encrypts the file encryption key under the user's public key to produce the DDF; data recovery field generation (e.g., RSA) encrypts the same key under the recovery agent's public key from the recovery policy to produce the DRF.

Page 68: File Decryption

Diagram: the DDF contains the file encryption key encrypted under the user's public key. DDF extraction (e.g., RSA): the DDF is decrypted using the user's private key to get the file encryption key. File decryption (e.g., DES) turns "*#$fjda^ju539!3tt389E *&" back into "A quick brown fox jumped...".
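The two slides above describe a hybrid scheme: one random symmetric file encryption key, wrapped twice with public-key encryption (DDF for the user, DRF for the recovery agent). The script below is an added example, not from the deck, that builds the same construction in miniature with .NET's RSACng and AES standing in for the CSPs (the slides say "e.g., DES"; AES is used here) and shows that either private key recovers the file while the wrong one does not. Real EFS stores the DDF and DRF in the file's $EFS attribute; "cipher /c <file>" lists them on later Windows versions.

```powershell
# Added example: the DDF/DRF construction of slides 67 and 68 with .NET primitives.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows (RSACng is Windows-only).
$rsaPad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function New-EfsLikeKeyPair {
    # Stands in for the user's or recovery agent's key pair managed by Crypto API.
    New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
}

function Protect-EfsLikeFile {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSA]$UserPublicKey,
          [System.Security.Cryptography.RSA]$RecoveryAgentPublicKey)
    # RNG -> randomly generated file encryption key (FEK), never stored in the clear.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [pscustomobject]@{
        Ciphertext = $cipher
        IV         = $aes.IV
        DDF        = $UserPublicKey.Encrypt($aes.Key, $rsaPad)           # FEK under user's public key
        DRF        = $RecoveryAgentPublicKey.Encrypt($aes.Key, $rsaPad)  # same FEK under agent's public key
    }
}

function Unprotect-EfsLikeFile {
    param($Encrypted, [byte[]]$KeyField, [System.Security.Cryptography.RSA]$PrivateKey)
    # Whichever field is supplied yields the FEK once opened with the matching private key.
    $fek = $PrivateKey.Decrypt($KeyField, $rsaPad)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Encrypted.IV
    $aes.CreateDecryptor().TransformFinalBlock($Encrypted.Ciphertext, 0, $Encrypted.Ciphertext.Length)
}

$user  = New-EfsLikeKeyPair
$agent = New-EfsLikeKeyPair
$plain = [Text.Encoding]::UTF8.GetBytes('A quick brown fox jumped...')   # the slide's sample text

$file = Protect-EfsLikeFile -Plaintext $plain -UserPublicKey $user -RecoveryAgentPublicKey $agent

# Normal access (slide 68): the user's private key opens the DDF.
[Text.Encoding]::UTF8.GetString((Unprotect-EfsLikeFile $file $file.DDF $user))
# Data recovery: the agent's private key opens the DRF; the user's key is not needed.
[Text.Encoding]::UTF8.GetString((Unprotect-EfsLikeFile $file $file.DRF $agent))
# Wrong pairing: the agent cannot open the DDF, so OAEP decryption fails.
try   { Unprotect-EfsLikeFile $file $file.DDF $agent | Out-Null }
catch { "DDF with agent key: $($_.Exception.Message)" }
```

The point of the DRF is visible in the second call: recovery does not weaken the user's key, it simply adds a second holder of the wrapped FEK. That is also why the recovery agent's private key must be protected at least as well as any user's, since it opens every file encrypted under that recovery policy.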

Page 69: Active Directory Security Features

Organizational Units (OUs) to organize the directory name space: users, groups, computers in separate containers
Directory object security: per-property access control, per-property auditing
Delegation of administration: who can create and manage users, groups, computer accounts, other objects

Page 70: Domain Trust

Diagram: the tree microsoft.com with child domains europe.microsoft.com and fareast.microsoft.com joined by Kerberos trust; a downlevel domain attached to the tree through explicit Windows NT 4.0-style trusts.

Page 71: Managing Security

Security Configuration Editor (SCE): defines security configuration templates
Group Policy Editor: defines a hierarchy of user or computer policy templates for OUs up to the domain
Security configuration is part of Group Policy: the Group Policy for a computer includes the security configuration, which is applied at startup

Page 72: A Security Configuration

Covers various security areas:
Account Policies: password, lockout, Kerberos
Local Policies: auditing, user rights, ...
Restricted Groups: Administrators, Power Users, ...
Registry and File System: security descriptors
Services: startup mode and security descriptors
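A security configuration is an INF template in the format the Security Configuration Editor reads and secedit.exe applies. The script below is an added example, not from the deck: it writes a template that touches each area the slide lists and then runs a secedit analysis, which compares the live machine against the template without changing anything. The setting values are illustrative policy choices, not Microsoft defaults; the secedit switches are those of the tool as shipped since Windows 2000. Run it elevated.

```powershell
# Added example: a Security Configuration Editor template covering the slide's areas,
# checked against the local machine with secedit /analyze. Values are illustrative.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; Account Policies: password and lockout (days, characters, attempts, minutes)
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15

; Local Policies, auditing: 1 = success, 2 = failure, 3 = both
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2

; Local Policies, user rights: well-known SIDs (S-1-5-32-544 Administrators, -546 Guests)
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeRemoteShutdownPrivilege = *S-1-5-32-544

; Restricted Groups: when applied, Administrators is reset to exactly this membership
[Group Membership]
*S-1-5-32-544__Members = Administrator
*S-1-5-32-544__Memberof =

; Registry values: type 4 = REG_DWORD. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1

; Services: startup mode (2 automatic, 3 manual, 4 disabled) and security descriptor in SDDL
[Service General Setting]
"RemoteRegistry",4,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
'@

$dir = Join-Path $env:TEMP 'sce-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$inf = Join-Path $dir 'baseline.inf'
$db  = Join-Path $dir 'baseline.sdb'
$log = Join-Path $dir 'baseline.log'
Set-Content -Path $inf -Value $template -Encoding Unicode   # templates are UTF-16

# Analyze only: report where the machine differs from the template.
secedit /analyze /db $db /cfg $inf /overwrite /log $log /quiet
Get-Content -Path $log | Select-String -Pattern 'Mismatch'

# To enforce, use /configure with the areas you actually intend to change, e.g.:
#   secedit /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY USER_RIGHTS REGKEYS SERVICES /log $log
```

Keep the analyze step in front of any /configure: the Restricted Groups and Services sections are enforced, not merged, so an incomplete membership list or a disabled service takes effect immediately on every computer that receives the template through Group Policy at startup.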

Page 73: Summary (1/2)

Kerberos for domain authentication for the enterprise: mutual authentication, transitive trust
Public key security components: Certificate Services to issue organization certificates; personal key and certificate management; public key credentials for servers
Directory-based SSL/TLS client authentication using X.509 certificates

Page 74: Summary (2/2)

Crypto API enhancements
Smart card logon and dialup access
Message encryption using SSPI
SMB data encryption using IPsec
Encrypting File System
DS security administration and policy
Security Configuration Editor
Cross-platform authentication interoperability

Page 75: Group Policy Objects

Page 76: Group Policy Definition

"The ability for the administrator to state a wish about the state of their users' environment once, and then rely on the system to enforce that wish!"

Page 77: Group Policy Review

Policies are not profiles: a profile is a collection of user environment settings that the user may change; Group Policy is a collection of user environment settings specified by the administrator
Group Policy is more than simple "lockdown". Group Policy enhances the "Follow Me!" experience by enabling organizations to:
Set registry settings securely and without fear of tattooing (Administrative Templates)
Specify security-oriented settings (Security Settings)
Install software (Software Installation)
Redirect "My Documents", "Desktop", etc. to the network (Folder Redirection)
Implement tiered scripts (Scripts)

Page 78: Group Policy and the Active Directory

Diagram: one Site spanning two domains, A and B. Domain A has OUs A1 and A2 and GPOs A1 to A5; domain B has OUs B1 to B3 and GPOs B1 and B2. The question asked for any user or computer is "What is my policy?"

Sites are described by subnet addresses and may cross domain boundaries, though normally they would not
GPOs are per domain
Group Policy is not inherited across domains
Any SDOU (site, domain or OU) may be associated with any GPO, even across domains (slower, maybe very slow)
Multiple SDOUs may use a single GPO
Multiple GPOs may be associated with a single SDOU
The effect of a GPO may be filtered based on security group membership (ACLs)

Page 79: Group Policy Linked to OUs

The OU structure is your administrative structure
Group Policy configuration must be tuned to fit your OU structure
Design for the most stable and maintainable solution

Page 80: Filtering

Security groups may be used to filter the effect of Group Policy: any Group Policy may have its scope modified by setting ACL permissions
Both the Read and the Apply Group Policy (AGP) ACEs are required for a Group Policy to be applied
Only filter if necessary; keep it simple if possible

Page 81: Example

GP applied to a virtual group
Filtering can be inclusionary, or exclusionary using "deny"

Diagram: an OU tree with a GP linked near the top; the GP's ACL carries Read and AGP entries for the groups the policy is meant to reach, so only their members in the OUs below receive it.
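Slides 80 and 81 leave one practical question open: which GPOs in a domain are actually filtered, and to whom. The function below is an added example, not from the deck, that answers it with the GroupPolicy module (RSAT, Windows Server 2008 R2 and later); the function name and the report columns are this example's own.

```powershell
# Added example: report the security filtering (Read + Apply Group Policy ACEs) of every GPO.
# Assumptions: GroupPolicy module installed, account can read GPO security descriptors.
Import-Module GroupPolicy

function Get-GpoFilterReport {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # GpoApply in this module means Read plus Apply Group Policy, the pair slide 80 requires.
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        $deny  = $perms | Where-Object { $_.Denied }
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Status     = $gpo.GpoStatus
            AppliesTo  = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            DeniedTo   = ($deny  | ForEach-Object { "$($_.Trustee.Name) ($($_.Permission))" }) -join ', '
            # S-1-5-11 is Authenticated Users: present = unfiltered, absent = slide 81's virtual-group case.
            Unfiltered = [bool]($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })
        }
    }
}

Get-GpoFilterReport | Sort-Object Unfiltered, GPO | Format-Table -AutoSize -Wrap

# Inclusionary filter (slide 81): grant Apply to one group, remove it from Authenticated Users.
#   Set-GPPermission -Name 'Laptop lockdown' -TargetName 'Laptop Users' -TargetType Group -PermissionLevel GpoApply
#   Set-GPPermission -Name 'Laptop lockdown' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
# Exclusionary "deny" ACEs cannot be written with Set-GPPermission; set them on the
# GPO's Delegation tab (Advanced) in GPMC or directly on the ADSI security descriptor.
```

Two checks worth making on the report. A GPO whose AppliesTo column is empty is dead weight and should be unlinked rather than left to confuse the next reader. And since MS16-072 (June 2016) user policy is retrieved in the computer's security context, so a GPO whose Apply ACE is limited to a user group still needs a Read ACE for Authenticated Users or Domain Computers, otherwise it silently stops applying; "gpresult /r" lists such GPOs under the ones "not applied because they were filtered out" with the reason "Denied (Security)".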

Page 82: Conclusion

Active Directory
DNS
Security Features
Group Policy
