2823B
Shared by Hoàng Quang Thành
Date: 02/05/2019
Shared document: 2823B, category: Other lectures
Document content:
Module 1: Planning and Configuring an Authentication and Authorization Strategy
Overview
Components of an Authentication Model
Planning and Implementing an Authentication Strategy
Groups and Basic Group Strategy in Windows Server 2003
Creating Trusts in Windows Server 2003
Planning, Implementing, and Maintaining an Authorization Strategy Using Groups
Lesson: Components of an Authentication Model
Authentication, Authorization, and Least Privilege
Authentication Protocols in Windows Server 2003
How NTLM Authentication Works
How Kerberos Authentication Works
Windows Server 2003 Authentication Methods for Earlier Operating Systems
Windows Server 2003 Storage of Secrets
Tools for Troubleshooting Authentication Problems
Practice: Configuring Secure Authentication
Authentication, Authorization, and Least Privilege
Least privilege: provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform
[Figure: a User is authenticated and then authorized to a Resource]
Authentication Protocols in Windows Server 2003
NTLM
Kerberos: default authentication protocol for Windows Server 2003, Windows 2000, and Windows XP Professional; most secure
How NTLM Authentication Works
[Figure: Client and Domain Controller with its Security Accounts Database; the client submits the user name and domain]
How Kerberos Authentication Works
[Figure: User, KDC, and Target Server]
1. When a user enters a user name and password, the computer sends the logon credentials to the Key Distribution Center (KDC).
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC creates two items: a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT).
3. To access a resource, the client presents its TGT and a timestamp encrypted with the session key.
4. The KDC creates a pair of tickets, one for the client and one for the server on which the client wants to access resources. Both tickets also contain a new key (KAB).
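The four steps above as a runnable exchange, added here as an illustration and not part of the course material. It keeps the course's symbols (KA, SA, TGT, KAB) and substitutes a toy authenticated cipher, PBKDF2 key derivation, a constructed salt, and a fixed ten-hour TGT lifetime for the real Kerberos cryptography; the 300-second clock-skew check is Windows' default tolerance.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption so the exchange runs offline (a stand-in for Kerberos'
# real cipher suites): SHAKE-256 keystream for secrecy, HMAC-SHA256 tag for integrity.
def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered ticket")  # a wrong password ends up here
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def master_key(password: str) -> bytes:
    # KA: the user's master key, derived from the password (constructed salt, PBKDF2 here)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)

class KDC:
    SKEW = 300  # seconds: Windows' default maximum tolerance for clock skew

    def __init__(self, users: dict, services: dict):
        self.users = {u: master_key(p) for u, p in users.items()}  # KA per user
        self.services = services       # long-term key per target service
        self.key = os.urandom(32)      # KDC's own key; every TGT is sealed under it

    def as_exchange(self, user: str):
        """Steps 1-2: logon -> session key SA (sealed under KA) plus a TGT."""
        sa = os.urandom(32)
        tgt = seal(self.key, {"user": user, "sa": sa.hex(), "exp": time.time() + 36000})
        return seal(self.users[user], {"sa": sa.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 3-4: TGT + timestamp sealed under SA -> ticket pair carrying new key KAB."""
        t = unseal(self.key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sa = bytes.fromhex(t["sa"])
        auth = unseal(sa, authenticator)  # only the holder of SA could have produced it
        if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > self.SKEW:
            raise ValueError("authenticator rejected: user mismatch or stale timestamp")
        kab = os.urandom(32)
        for_client = seal(sa, {"service": service, "kab": kab.hex()})
        for_server = seal(self.services[service], {"user": t["user"], "kab": kab.hex()})
        return for_client, for_server

def logon_and_access(kdc: KDC, user: str, password: str, service: str) -> str:
    """Client side of the flow; returns the user name the target server ends up trusting."""
    enc_sa, tgt = kdc.as_exchange(user)
    sa = bytes.fromhex(unseal(master_key(password), enc_sa)["sa"])  # wrong password fails here
    authenticator = seal(sa, {"user": user, "ts": time.time()})
    for_client, for_server = kdc.tgs_exchange(tgt, authenticator, service)
    kab = bytes.fromhex(unseal(sa, for_client)["kab"])
    # Target server: open its ticket with its own key, recover KAB, verify the client's proof
    ticket = unseal(kdc.services[service], for_server)
    proof = unseal(bytes.fromhex(ticket["kab"]), seal(kab, {"user": user}))
    return proof["user"] if proof["user"] == ticket["user"] else "mismatch"
```

Note that the password never leaves the client: the KDC only ever sees whether the client could open the SA it sealed under KA, and a stale timestamp in the authenticator is refused even when the TGT is valid.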
Windows Server 2003 Authentication Methods for Earlier Operating Systems
Windows Server 2003 Storage of Secrets
Local passwords are stored in LSA
LSA stores
Trust relationship passwords
User names
Passwords
Service account passwords
Service account names
Tools for Troubleshooting Authentication Problems
Practice: Configuring Secure Authentication
In this practice, you will:
Secure authentication on a Windows 2003 Server by using Group Policy
Lesson: Planning and Implementing an Authentication Strategy
Guidelines for Creating a Strong Password Policy
Options for Account Lockout Policies and Logon Restrictions
Options for Creating a Kerberos Ticket Policy
Guidelines for Setting Security for Administrator Accounts
Strategies for Supplemental Authentication
Group Policy Settings to Control Authorization to Computers
Practice: Configuring Delegated Authentication
Guidelines for Creating a Strong Password Policy
When implementing a password policy:
Educate users about password requirements
Consider the use of pass phrases rather than passwords
When enforcing a password policy:
Use password complexity
Use Group Policy to control:
Maximum password age
Password history
Minimum password age
Password length
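What the five settings above enforce at a password change, as an added example rather than course code. The complexity rule follows the documented Windows requirement (six or more characters, no account name or three-character piece of the full name, three of four character classes); the policy and account names, the constructed salt used for the history fingerprints, and the epoch-second timestamps are assumptions of this example.

```python
import hashlib, re
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400  # seconds; ages below are expressed in days, timestamps in epoch seconds

@dataclass
class PasswordPolicy:
    """The Group Policy knobs listed above, with the names they carry in a security template."""
    minimum_length: int = 8        # MinimumPasswordLength
    history_size: int = 24         # PasswordHistorySize
    minimum_age_days: int = 1      # MinimumPasswordAge
    maximum_age_days: int = 90     # MaximumPasswordAge
    complexity: bool = True        # PasswordComplexity

@dataclass
class Account:
    sam_account_name: str
    display_name: str
    history: List[str] = field(default_factory=list)  # fingerprints of past passwords, newest last
    last_set: Optional[float] = None                  # None: must change at next logon

def _fingerprint(password: str) -> str:
    # A DC keeps hashes for history checks; the constructed salt keeps this example offline.
    return hashlib.sha256(b"constructed-salt" + password.encode()).hexdigest()

def meets_complexity(password: str, account: Account) -> bool:
    """Windows' 'password must meet complexity requirements' rule: at least six characters,
    no account name or 3+ character piece of the full name inside it, and characters from
    at least three of four classes (uppercase, lowercase, digit, non-alphanumeric)."""
    low = password.lower()
    if len(password) < 6 or account.sam_account_name.lower() in low:
        return False
    for part in re.split(r"[ ,.\-_#\t]+", account.display_name.lower()):
        if len(part) >= 3 and part in low:
            return False
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3

def check_password_change(policy, account, new_password, now) -> List[str]:
    """Policy violations for a proposed change; an empty list means the change is accepted."""
    problems = []
    if len(new_password) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")
    if policy.complexity and not meets_complexity(new_password, account):
        problems.append("does not meet complexity requirements")
    if policy.history_size and _fingerprint(new_password) in account.history[-policy.history_size:]:
        problems.append(f"reused within the last {policy.history_size} passwords")
    if account.last_set is not None and now - account.last_set < policy.minimum_age_days * DAY:
        problems.append("changed again before the minimum password age elapsed")
    return problems

def apply_change(account, new_password, now) -> None:
    account.history.append(_fingerprint(new_password))
    account.last_set = now

def is_expired(policy, account, now) -> bool:
    """Maximum password age: the user must change the password once it is older than this."""
    return account.last_set is None or now - account.last_set > policy.maximum_age_days * DAY
```

The minimum age is what gives the history setting teeth: without it a user can cycle through the history in one sitting and land back on the old password.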
Options for Account Lockout Policies and Logon Restrictions
Options for Creating a Kerberos Ticket Policy
Guidelines for Setting Security for Administrator Accounts
Methods to increase the security of administrative accounts include:
Limiting the number of administrator accounts to highly trusted personnel
Separating user and administrative accounts
Using the secondary logon service
Disabling the built-in administrator account
Enforcing strong passwords
Implementing two-factor authentication
Strategies for Supplemental Authentication
Delegated authentication—Windows services impersonate clients when accessing resources on clients’ behalf
Constrained delegation—Computer account is configured so it is delegated for only specific services on the network
Group Policy Settings to Control Authorization to Computers
Practice: Configuring Delegated Authentication
In this practice, you will:
Configure delegated authentication for user accounts and for computer accounts
Lesson: Groups and Basic Group Strategy in Windows Server 2003
Windows Server 2003 Group Types and Scopes
Built-in Groups
Special Groups
Tools for Administering Security Groups
What Is a Restricted Group Policy?
Practice: Creating and Managing Groups
Windows Server 2003 Group Types and Scopes
Distribution groups
Used only with e-mail applications
Not security-enabled
Security groups
Used to assign rights and permissions to groups of users and computers
Used most effectively when nested
Built-in Groups
Built-in groups are designed to manage shared resources and delegate specific domain-wide administrative roles
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
Remote Desktop Users
Replicator
Server Operators
Users
Account Operators
Administrators
Backup Operators
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Special Groups
Designed to provide access to resources without administrative or user interaction
Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Everyone
Interactive
Local System
Network
Self
Service
Terminal Server Users
Other Organization
This Organization
Tools for Administering Security Groups
Tool: Function
AD Users and Computers: Enables you to administer users and groups in Active Directory
ACL Editor: Enables you to administer users and groups on a resource
Whoami: Displays the complete contents of the access token in the command window
Dsadd: Creates groups and manipulates membership from the command line
Ifmember: Enumerates all groups the current member belongs to
Getsid: Compares the SIDs of two user accounts
What Is a Restricted Group Policy?
Use restricted group policy to control membership
Specify members of a group
Members that are not specified in the policy are removed during configuration or refresh
To apply restricted group policy
Define the policy using the local computer security policy
Define the policy in a GPO that is linked to an organizational unit that contains computer accounts to manage local groups
Define the policy in a GPO that is linked to the Domain Controllers OU to manage domain groups
Practice: Creating and Managing Groups
In this practice, you will:
Create a new OU
Create a new global security group
Create and configure a new GPO to configure restricted groups
Configure the Default Domain Controllers Policy to configure restricted group for domain groups
Test the restricted group policies
Lesson: Creating Trusts in Windows Server 2003
Trusts in Windows Server 2003
Authentication Methods Used with Trusts in Windows Server 2003
Trust Types Associated with Server Operating Systems
How to Prevent SID Spoofing Using SID Filtering
How to Implement Selective Authentication Between Forests
Practice: Creating Trusts
Trusts in Windows Server 2003
[Figure: Forest 1 and Forest 2 (Domains A, B, C, D, E, F, P, and Q) and a Kerberos realm, illustrating tree/root, parent/child, shortcut, forest, external, and realm trusts]
Authentication Methods Used with Trusts in Windows Server 2003
Trust Types Associated with Server Operating Systems
Operating System: Trust Type
Between Windows Server 2003 forests: Forest trusts, one-way, or two-way external trusts
Windows Server 2003 and Windows 2000 domains: One-way or two-way external trusts
Windows Server 2003 and Windows NT 4.0 domains: One-way or two-way external trusts
Windows Server 2003 and servers running other operating systems: Realm trust
How to Prevent SID Spoofing Using SID Filtering
How to Implement Selective Authentication Between Forests
Selective authentication:
Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
Configured on the security descriptor of the computer object located in Active Directory
To configure selective authentication:
Configure the forest or external trust to use selective rather than domain-wide authentication
Configure the computer accounts for selective authentication
Practice: Creating Trusts
In this practice, you will:
Create a cross-forest trust
Lesson: Planning, Implementing, and Maintaining an Authorization Strategy Using Groups
Account Group/ACL Authorization Method
Account Group/Resource Group Authorization Method
Group Naming Conventions
User/ACL Method
Benefit
Works well in small organizations
Limitations
Users within the same job function will have inconsistent access to resources
Administrator overhead increases because they will need to control access to resources on a user-by-user basis
Troubleshooting and tracking which users have access to which resources can be complicated
Account Group/ACL Authorization Method
Benefits
Simplifies resource management
Provides users performing the same role with the same set of permissions
You can add global groups to the access control lists of trusted domains
Limitations
Users within the same job function will have inconsistent access to resources
Administrator overhead increases
Troubleshooting and tracking user resource access can be complicated
Account Group/Resource Group Authorization Method
Benefits
You need not modify permissions for individual groups
You can place account groups on ACLs in trusted domains
You can provide groups with access to resources by simply removing or placing account groups into resource groups
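The three methods compared above, modelled in code as an added example that is not part of the course. The group and share names, the nesting of one global account group into two domain local resource groups, and the ACLs are constructed for the illustration; the transitive group expansion is what a Windows access token does with nested groups.

```python
from collections import defaultdict
from typing import Dict, List, Set

class Directory:
    """Minimal model of nested security groups and resource ACLs. A user's access token is
    the transitive closure of its group memberships, which is what makes nesting useful."""

    def __init__(self):
        self.members: Dict[str, Set[str]] = defaultdict(set)  # group -> direct members
        self.acls: Dict[str, Set[str]] = defaultdict(set)     # resource -> trustees on its ACL

    def add_member(self, group: str, member: str) -> None:
        self.members[group].add(member)

    def remove_member(self, group: str, member: str) -> None:
        self.members[group].discard(member)

    def grant(self, resource: str, trustee: str) -> None:
        self.acls[resource].add(trustee)

    def token_groups(self, principal: str) -> Set[str]:
        """Every group the principal belongs to, directly or through nesting (cycle-safe)."""
        seen, stack = set(), [principal]
        while stack:
            p = stack.pop()
            for group, direct in self.members.items():
                if p in direct and group not in seen:
                    seen.add(group)
                    stack.append(group)
        return seen

    def can_access(self, resource: str, user: str) -> bool:
        return bool(self.acls[resource] & ({user} | self.token_groups(user)))

    def authorization_report(self, user: str) -> List[str]:
        """Resources the user can reach; the thing that is hard to track under User/ACL."""
        return sorted(r for r in self.acls if self.can_access(r, user))

def consistent_access(d: Directory, users: List[str]) -> bool:
    """True when everyone in the same job function sees exactly the same resources."""
    return len({tuple(d.authorization_report(u)) for u in users}) == 1

def build_example() -> Directory:
    """Constructed lab: Account Group/Resource Group layout for a Finance role.
    Users go in the account (global) group; the account group is nested in one resource
    (domain local) group per permission set; only resource groups appear on ACLs."""
    d = Directory()
    d.add_member("G-Finance-Users", "alice")
    d.add_member("DL-Ledger-Read", "G-Finance-Users")
    d.add_member("DL-Budget-Modify", "G-Finance-Users")
    d.grant(r"\\fs1\ledger", "DL-Ledger-Read")
    d.grant(r"\\fs1\budget", "DL-Budget-Modify")
    return d
```

Adding a second user to the account group gives the whole role's access in one change and keeps the two users consistent; granting that user directly on one ACL instead reproduces the User/ACL limitation the slide describes.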
Group Naming Conventions
Use a universal naming convention to reduce the potential for user error when adding or removing members and selecting the correct group
Components of a naming convention
Lab: Planning and Configuring an Authentication and Authorization Strategy
Exercise 1: Planning and Implementing a Resource Authorization Strategy
Exercise 2: Planning and Implementing a Cross-Forest Authentication Strategy
Exercise 3: Planning and Implementing an Authentication Policy