
Security Aspects Of Directory Enabled Applications
Praerit Garg, Program Manager, Windows NT Security
Microsoft Corporation


Agenda

- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Question One

- Why should you care about security?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

If You Are Writing…

- Client applications that browse the directory
- Client applications that modify the directory
- Service applications that publish to the directory
- Service applications that store data in the directory

THEN YOU SHOULD CARE

Because…

- Active Directory is Windows NT's security database
  - Not everyone is allowed to read or write everything from everywhere
- Directory may reject certain requests with authorization failure errors
  - Handle these gracefully!

Question Two

- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Active Directory Operations

- Locating an Active Directory Server (DC)
- Connecting and binding
- Searching and browsing
- Publishing and modifications

Directory Operations: Locating AD Server (DC)

- Windows® platforms (NT, 95/98): DsGetDCName
- Non-Windows platforms: DNS SRV Record Lookup
- Locating a DC is not secure, nor restricted
- Lookup is handled automatically

Directory Operations: Connecting and binding

Basics
- Always authenticate to do anything meaningful!
- Make no assumptions…
- Use user's default credentials when possible
- Connect, bind and forget!
- Never cache when using alternate credentials

Directory Operations: Code example using ADSI

- Open
  - Interface - IADsOpenDSObject
  - Method - OpenDSObject
- Credentials in OpenDSObject
  - UserName, Password, Type
  - Use Defaults -- NULL, NULL
  - If needed, always prompt for alternate
- Never cache passwords

Directory Operations: Searching and browsing in ADSI

- Interfaces and methods
  - E.g. IADs - Get, GetEx, GetInfo
- Handle errors
  - E_ADS_INVALID_DOMAIN_OBJECT, E_ADS_PROPERTY_NOT_SUPPORTED, E_ADS_PROPERTY_NOT_FOUND

Directory Operations: Publishing and modifications

- ADSI
  - E.g. IADs -- Put, PutEx, SetInfo
- Handle errors
  - E_ADS_PROPERTY_NOT_SET, E_ADS_PROPERTY_NOT_MODIFIED

Question Three

- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some tips to remember

Leveraging AD Security: Application server configurations

- Services on Domain Controllers
  - Running under Local System
  - Running under Service Accounts - Recommended
- Services on Member Servers or Workstations
  - Running under Local System - Recommended
  - Running under Service Accounts

Leveraging AD Security: Access control

- Object security descriptors
- Per property access control
- Object type access control
- Operation specific permissions
- Delegation of administration
- Manipulating security descriptors
- Using security groups

[Diagram: per property access control. A directory object with properties Property 1, Property 2, Property 3, Telephone # and ntSecurityDescriptor. ntSecurityDescriptor holds Owner, Group, System ACL and Discretionary ACL; the Discretionary ACL holds an ACL Header and ACE 1 … ACE i … ACE n. ACE i is:]
- Header: (ALLOWED_OBJECT_ACE), No Inherit Flags, Size=
- Mask (Read, Write Property)
- ObjectTypeGuid (Telephone# Prop. GUID)
- InheritedObjectTypeGuid (NULL)
- Security ID (group/user)

Leveraging AD Security: Per property access - code sample

Leveraging AD Security: Object type access - code sample

[Diagram: object type access control. An OU whose children are an OU, a Group and a User. The OU's ntSecurityDescriptor holds Owner, Group, System ACL and Discretionary ACL (ACL Header, ACE 1 … ACE i … ACE n). ACE i is:]
- Header: (ALLOWED_OBJECT_ACE), No Inherit Flags, Size=
- Mask (Create, Delete Child)
- ObjectTypeGuid (User Object GUID)
- InheritedObjectTypeGuid (NULL)
- Security ID (group/user)

Leveraging AD Security: Operation specific permissions

- Specialized operations
  - Change Password, Apply Group Policy
- Instantiate a "Control Access Right"
  - Publish under Extended Rights container
- ObjectTypeGuid = Right GUID
- Mask = CONTROL_ACCESS
- Use AccessCheckByType
  - AuditAlarm variation
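The per-property, object-type and control-access-right ACEs drawn on the preceding slides, evaluated the way an AccessCheckByType style walk treats them. This is an added Python model written for this page, not code from the presentation; the GUIDs and SIDs in it are constructed placeholders, and the mask and flag values are the ones from ADS_RIGHTS_ENUM and winnt.h.

```python
from dataclasses import dataclass
from typing import Optional

# Access-mask bits and ACE flag from ADS_RIGHTS_ENUM / winnt.h used on the slides
DS_CREATE_CHILD, DS_DELETE_CHILD = 0x001, 0x002
DS_READ_PROP, DS_WRITE_PROP = 0x010, 0x020
DS_CONTROL_ACCESS, INHERIT_ONLY_ACE = 0x100, 0x08

# Placeholder GUIDs constructed for this example (real ones come from the schema
# and the Extended Rights container)
TELEPHONE_PROP = "guid-telephoneNumber-property"
USER_CLASS = "guid-user-object-class"
CHANGE_PASSWORD = "guid-change-password-control-access-right"

@dataclass
class ObjectAce:
    allow: bool            # ALLOWED_OBJECT_ACE (True) or DENIED_OBJECT_ACE (False)
    mask: int
    trustee: str           # SID of the group or user
    flags: int = 0
    object_type: Optional[str] = None  # property/class/right GUID; None = whole object

def access_check_by_type(dacl, token_sids, desired, object_type=None):
    """Simplified AccessCheckByType: an ACE counts only if it is not inherit-only,
    names a SID in the token, and has no ObjectTypeGuid or one equal to the GUID
    asked about. Allows accumulate bits; a deny hitting an outstanding bit denies."""
    granted = 0
    for ace in dacl:
        if ace.flags & INHERIT_ONLY_ACE or ace.trustee not in token_sids:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        if ace.allow:
            granted |= ace.mask & desired
        elif ace.mask & desired & ~granted:
            return False
        if granted == desired:
            return True
    return granted == desired

# Constructed DACL mirroring the ACE shapes on the slides
HELPDESK, EVERYONE = "S-1-5-21-0-0-0-1101", "S-1-1-0"  # sample SIDs
DACL = [
    ObjectAce(True, DS_READ_PROP | DS_WRITE_PROP, HELPDESK, object_type=TELEPHONE_PROP),
    ObjectAce(True, DS_CREATE_CHILD | DS_DELETE_CHILD, HELPDESK, object_type=USER_CLASS),
    ObjectAce(True, DS_CONTROL_ACCESS, HELPDESK, object_type=CHANGE_PASSWORD),
    ObjectAce(True, DS_READ_PROP, EVERYONE),  # read any property, whole object
    ObjectAce(True, DS_WRITE_PROP, EVERYONE, flags=INHERIT_ONLY_ACE),  # children only
]
```

With this DACL the helpdesk SID can write Telephone # but not another property, can create User children but not other classes, and only a SID named in the CONTROL_ACCESS ACE passes the Change Password check.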

Leveraging AD Security: Code sample to use operation specific rights

Leveraging AD Security: Delegation of administration

[Diagram: an OU containing an OU and two Groups. Two forms of the same ACE are shown, the inheritable one placed on the OU and the inherited one present on the child objects.]

ACE on the child objects:
- Header: (ALLOWED_OBJECT_ACE), ContainerInherit, Size=
- Mask (Read, Write Property)
- ObjectTypeGuid (Members Prop. GUID)
- InheritedObjectTypeGuid (Group GUID)
- Security ID (group/user)

ACE on the OU:
- Header: (ALLOWED_OBJECT_ACE), InheritOnly, ContainerInherit, Size=
- Mask (Read, Write Property)
- ObjectTypeGuid (Members Prop. GUID)
- InheritedObjectTypeGuid (Group GUID)
- Security ID (group/user)

Leveraging AD Security: Default security descriptors

- Object classes in schema
  - DefaultSecurityDescriptor
  - Security Descriptor Definition Language (SDDL)
  - ConvertSecurityDescriptorToTextSecurityDescriptor
- Object instantiations
  - (Default Security Descriptor) + (Inherited Security Descriptor from parent)
  - Exception: object specific inherited security descriptor from parent

Leveraging AD Security: Manipulating security descriptors

- Reading and writing with ADSI
  - Entire NTSecurityDescriptor attribute
  - Granular interfaces
- IADsSecurityDescriptor
  - Rev, Control, Owner, Group, DACL, SACL
- IADsAccessControlList
  - Revision, Count, Add/Remove ACE
- IADsAccessControlEntry
  - Type, Flags, Mask, ObjectType, InheritedObjectType, Trustee

Leveraging AD Security: Use security groups

[Diagram: Universe of Users; Global Groups; Universal Groups; Domain Local Groups; Universe of Resources]

- Identify needed default authorizations
- Identify "roles" to grant default authorizations
  - Application Servers - machines the server is running on
  - Application Server Admins - administrators for the application server
- Create groups associated with the roles

And…

- Why should you care about security when building a directory enabled application?
- What are the security aspects of Directory Operations?
- How can you leverage Directory Security?
- Finally… some guidelines to remember

Guidelines For All - One

- Credentials for binding
  - Use user's default credentials when possible
  - Connect, bind and forget
- Expect and gracefully handle errors
  - Never assume who the user is
  - Only subset of reads and searches may succeed
  - Entire write may fail

Guidelines For All - Two

- Need-to-know User Interfaces
  - Use allowedAttributesEffective
  - Use allowedChildClassesEffective
- Honor granularity of permissions
  - Batching multiple reads is OK
  - Batching multiple writes may not be
  - Commit object creation as single operation

Guidelines For Services - One: Plan for multi-tier setup

- Schema setup needs to be done by schema administrators
- Configuration container setup needs to be done by Enterprise administrators
- Domain setup needs to be done by Domain Administrators

Guidelines For Services - Two: Be least privileged

- Can you run on a non-DC under Local System?
- Can you run under a service account on a DC?
- Use security groups to
  - Define machine roles running the service
  - Delegate administration of service specific objects

Guidelines For Services - Three: Impersonate clients

- Remember clients can talk to DS directly -- leverage that where you can
- Impersonate client when binding to DS on their behalf
- Manage multiple DS connections cleanly!

Use Active Directory Object Security
- Define sensible default security descriptors
- Support manipulating security

Call To Action

- Care about security
  - Active Directory is a secured data store and Windows NT's security accounts database
- Know about security
  - Every directory object is secured by a security descriptor
- Use AD Security
  - Define default security and leverage object specific delegation of administration
- Follow the guidelines