Embed Size (px)
Citation preview
Group 1 1
CSE 8343CSE 8343
Group 1Group 1
Windows 2000 Domain Windows 2000 Domain
Security & AuthenticationSecurity & Authentication
Group 1 2
Motivation
Communication ?Security?
Client Workstations
Servers
Group 1 3
Outline
How clients connect to the network with Windows 2000 Dynamic Host Configuration Protocol (DHCP), Automatic Private Internet Protocol (IP) addressing, and static addressing.
How Windows 2000 clients use the Dynamic Domain Naming System (DDNS) support in Windows 2000 to locate domain controllers and other servers in the infrastructure needed during startup and logon.
How the Lightweight Directory Access Protocol (LDAP) is used during authentication.
How the Kerberos & NTLM security protocols are used for authentication.
How MS Remote Procedure Calls (MSRPC) are used. How Server Message Block (SMB) is used to transfer group
policy information and other data during the startup and logon process.
Group 1 4
Windows 2000 Security Components
Dynamic Host Configuration Protocol (DHCP). Automatic Private IP Addressing. Domain Naming System (DNS). Kerberos. NTLM. Lightweight Directory Access Protocol (LDAP). Server Message Block (SMB). Microsoft Remote Procedure Call (MSRPC). Time Service.
Group 1 5
Dynamic Host Configuration Protocol (DHCP)
Provides each DHCP client with a valid TCP/IP configuration. The process in general consists of eight messages:
• DHCPDiscover. A DHCP client uses this message in order to detect at least one DHCP server.
• DHCPOffer. Each DHCP server that receives the request from a client checks its scopes for a valid configuration set and offers this to the DHCP client.
• DHCPRequest. The DHCP client requests the first offer it receives from the DHCP server.
• DHCPAcknowledge. The selected DHCP server uses this message in order to confirm the lease with the DHCP client.
• DHCPNack. The DHCP server uses this message in order to inform a client that the requested TCP/IP configuration is invalid.
• DHCPDecline. The DHCP client uses this message in order to inform the server that an offered TCP/IP configuration is invalid.
• DHCPRelease. The DHCP client uses this message to inform the server that an assigned configuration is no longer in use by the client.
• DHCPInform. If a client has already obtained an Internet Protocol (IP) address (for example, manual configuration), it may use this message to retrieve additional configuration parameters that are related to the IP address from a DHCP server.
This role of a DHCP server was extended with the availability of Dynamic DNS. In this case, the DHCP server can be used for the dynamic registration of the client’s IP address and the hostname.
Group 1 6
Automatic Private IP Addressing (APIPA)
provides an IP address to a DHCP client even if there is no DHCP server available. • Used for computers on a subnet that does not have a DHCP server.• APIPA automatically assigns an IP address from a reserved range.• When a client fails to locate a local DHCP, it would use such an address.• WNT used to stick with an unexpired lease even if connection to the DHCP
server had been broken.
Group 1 7
Domain Name System (DNS)
primary mechanism for service location and name resolution in Windows 2000.
Tightly integrated with the operating system providing integration with the Active Directory and support for making Dynamic updates.
Is a replacement of Windows Internet Naming service (WINS). Solves scaling problem in WINS (uses hierarchical structure
rather than flat file). At time of authentication, a client uses DNS to:
• locate services like LDAP and Kerberos to retrieve the address of at least one domain controller.
• Register its hostname and IP address in DNS zone database.
Group 1 8
DNS Server Placements
A DNS server should be located at each remote site to ensure DNS lookup capabilities to all clients if the WAN link to a central site is down.
Each domain must have at least two DNS servers to provide fault tolerance in the event of server or WAN link failure.
The DNS service at each site must contain zone information for all domains that must be accessed at that site. If clients can authenticate with two different domains at a site, DNS services should have replicas of the zones for those two domains hosted at a local DNS server.
All global catalog resource records are stored in the forest root domain.
Group 1 9
Kerberos: Authentication for W2K clients
The default authentication protocol in Windows 2000 server. Authenticates W2K clients/workstations. (NTLM is the protocol
used for down level authentication). Allows mutual authentication. Once the server has positive
identification of the client, it can then make the determination about whether it is authorized to access the resource.
Group 1 10
Kerberos Domain Authentication Steps
1. User enters his login name, password, and the domain he wants to authenticate to.
2. The Kerberos client on the workstation sends a request to the Authentication Service on the KDC asking the Authentication Service to return a ticket to validate the user. The Authentication Service verifies the client’s credentials and sends back a Ticket Granting Ticket (TGT).
3. Client requests access to a service or a resource by sending a TGS request to the Ticket Granting Service (TGS) on the KDC. The Ticket Granting Service returns an individual ticket for the requested service that the client can submit to whatever server holds the service or resource the clients wants.
4. Kerberos client submits the service ticket to the server and requests access to the service or resource.
Group 1 11
Kerberos Network Authentication Steps
1. The user sends a Ticket Granting Service Request (KRB_TGS_REQ) to the KDC to acquire a service ticket for the target computer. The KRB_TGS_REQ includes the TGT and an authenticator.
2. The Ticket Granting Service of the KDC checks the authenticator and the TGT, generates a new service ticket, and sends it back to the user using a Kerberos Ticket Granting Service Response (KRB_TGS_REP). The service ticket is encrypted using the long-term key between the KDC and the target service.
3. The user sends the service ticket and an authenticator to the target server using a Kerberos Application Request (KRB_AP_REQ).
4. The target server verifies the ticket with the authenticator, decrypts the session key using the master key that's shared with the KDC, and sends back an authenticator to the user in a Kerberos Application Response (KRB_AP_REP). This authenticator provides mutual authentication of the user and server.
Group 1 12
NT LAN Manager (NTLM): Authentication for down level clients.
1. The NTLM challenge response is sent from the client computer to the server that the client is connecting to.
2. The application server uses the local security authority (LSA) to log on to the domain using the Netlogon service.
3. The Netlogon service queries Active Directory using the MSV1_0 sub-authentication filter to validate the user.
4. If the user is validated, the Netlogon service returns the user and group SIDs from the authenticating DC back to the server.
5. For the logon process, NTLMv2 introduces a secure channel to protect the authentication process.
Only Windows 2000 clients and UNIX clients can use Kerberos authentication in a Windows 2000 domain. To provide access to Windows NT 4.0 clients and Windows 95 and Windows 98 clients running the Directory Service client, Windows 2000 continues to support the use of the Windows NT LAN Manager authentication protocol.
Group 1 13
Lightweight Directory Access Protocol (LDAP)
LDAP process: The general model adopted by LDAP is of clients performing protocol operations against servers. A client transmits a request describing the operation to be performed to a server. The server is then responsible for performing the necessary operations in the directory. Upon completion of the operations, the server returns a response containing any results or errors to the requesting client.
LDAP is used extensively during the Windows 2000 startup and logon process. The client uses LDAP during the domain controller locator process to get the domain controller it will use. LDAP is also used to find the applicable group policy objects for the computer or user. Finally, LDAP is used to locate the appropriate certificates for the client during certificate auto enrollment.
LDAP referral.
Group 1 14
Server Message Protocol (SMB)
The SMB protocol is used in a client-server environment to access files, printers, mail slots, named pipes, and application programming interfaces (APIs).
In SMB communication, a client connects to the server by negotiating a dialect. Once the client has established a connection, it can then send commands (SMBs) to the server that allow the client to access resources.
Used to load Group Policy objects applicable to that workstation or user.
Used to make a DFS referral for the shared file being accessed.
Four SMB commands categories: (session control, file Commands, print commands, message commands).
SMB protocol model defines two levels of security: • Share level. Protection is applied at the share level on a server. Each share
can have a password, and a client needs only that password to access all files under that share.
• User Level. Protection is applied to individual files in each share and is based on user access rights. Each user (client) must log in to the server and be authenticated by the server. When it is authenticated, the client is given a user ID, which it must present on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.
Group 1 15
MS Remote Procedure Calls (MSRPC)
RPC is a request by one computer to use the processing resources on another. The RPC protocol permits one process to request the execution of instructions by another process located on another computer in a network.
The RPC process consists of:• Client application. Requests the remote execution.• Client stub. Translates calls into/from standard network representation
(NDR) format.• Client RPC Runtime Library. Converts NDR into network messages
Network Transport: Handles the network communications.• Server RPC Runtime Library. Converts NDR into network messages.• Server stub. Translates calls into/from standard network representation
(NDR) format.• Server application. Executes the requested instructions.
Group 1 16
Time service
Provides a mechanism for synchronizing system time between Windows 2000 clients in a domain.
The following hierarchy is used by systems in the domain to perform time synchronization:• All client desktops nominate as their in-bound time partner their
authenticating domain controller.• All member servers follow the same process as client desktops.• All domain controllers in a domain nominate the primary domain controller
(PDC) Operations Masters as their in-bound time partner.• PDC Operations Masters follow the hierarchy of domains in the selection of
their in-bound time partner.
Group 1 17
Components - Revisited
Dynamic Host Configuration Protocol (DHCP). Automatic Private IP Addressing. Domain Naming System (DNS). Kerberos. NTLM. Lightweight Directory Access Protocol (LDAP). Server Message Block (SMB). Microsoft Remote Procedure Call (MSRPC). Time Service.
Synchronization
Com
mu
nic
atio
nL
ayer
s
Group 1 18
Putting the pieces together
Connect toNetwork (DHCP)
Determine Siteand DomainController
Kerberos/NTLM
Authentication(AS, TGS)
Load GroupPolicy
7 56
121110
8 4
21
9 3Time
Synchronization
Dynamic DNSUpdate
Completion
EstablishSecure
Channel withDomain
Controller
ClientCertificate
Autoenrollment
Windows Client Startup
Group 1 19
Putting the pieces together: Domain Controller Detection
What is a domain controller. How to detect a domain
controller. Do domain controllers interact?
Why?
Group 1 20
Related Topics - Extensions
Internet security - Web server model (IIS). WLAN, WIFI. Application Security.
Group 1 21
References
Greg Molnar et Al. Windows 2000 Client Startup and Logon Traffic Analysis . White paper. Microsoft Enterprise Services. August 2000.
Designing Authentication for a Microsoft Windows 2000 Network. http://www.microsoft.com/mspress/books/sampchap/4680.asp .
What’s new in Security. http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/security.mspx.
Microsoft IIS 6.0 Administrator pocket consultant. http://www.microsoft.com/MSPress/books/5804.asp.
Windows NT/2000 Login Security. http://www.cswl.com/whiteppr/white/gina.html.
