Authentication Basics
Security Fundamentals
Instructor: Don Jones
In This Lesson:
• Meeting Active Directory
• Domain Controllers
• NTLM and Kerberos
Meeting Active Directory
• Active Directory (“AD”) plays the central role in authentication on a Microsoft-centric network.
• AD maintains the list of users that are permitted in the environment.
• AD authenticates those users using a password (or, with extra software, other authentication mechanisms).
• AD is a set of software services that run primarily on servers, known as domain controllers, that have the AD software installed and running.
AD Technical Details
• AD complies with the industry-standard Lightweight Directory Access Protocol (LDAP).
• Using the LDAP standard eases interoperability between the directory and other software, including non-Microsoft software.
• AD depends upon the Domain Name System (DNS) protocol, which advertises network services and provides name-to-address lookup.
• Microsoft provides DNS software that works alongside AD, or you can use compatible third-party DNS software.
AD Organization
• AD provides several levels of organization, which we’ll look at in the “Active Directory” lesson.
• These include various kinds of groups, organizational units, and so forth.
AD Replication
• In order to provide fault tolerance and workload distribution, a network often contains multiple AD domain controllers (“DCs”).
• These DCs are each fully functional AD servers, and they replicate information with each other automatically, keeping each other up to date with changes.
Domain Controllers
• A DC is a normal Windows Server on which the AD software has been installed and activated.
• This is done by adding the Active Directory Domain Services (ADDS) server role, and then running the Dcpromo utility to configure AD.
• DCs perform all of the work involved in operating and maintaining AD.
Management Tools
• AD provides several tools to manage its various services:
  – Active Directory Users and Computers (ADUC)
  – Active Directory Domains and Trusts
  – Active Directory Sites and Services
  – Active Directory Administrative Center (ADAC)
  – Group Policy Management Console (GPMC)
NTLM
• NTLM (“NT LAN Manager”) is an authentication protocol that relies on password authentication.
• It is an older protocol that is still supported by AD for use by older clients.
• NTLM is also used by Windows computers that are not members of an AD domain.
• NTLM is also the fallback when AD’s preferred authentication protocol (Kerberos) cannot be used for some reason.
How NTLM Works
• NTLM is a challenge-response protocol.
• The server (such as an AD DC) sends a random 8-byte challenge to the client.
• The client uses a hash of the user’s password as a key to compute a keyed hash of that challenge; this is its response.
• The response is sent to the server, which uses its own copy of the password hash to compute the same keyed hash of the challenge.
• If the two hashes match, the user is authenticated.
• Your password is never actually sent across the network!
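The challenge-response exchange above, worked through as an added example that is not part of the course slides. Real NTLM keys the response with the MD4 “NT hash” of the password; here SHA-256 and HMAC stand in as assumptions so the script runs on any Python 3, and the last check in `demo()` shows why a fresh challenge per logon matters.

```python
"""Simplified NTLM-style challenge-response (added example, not from the slides).
Real NTLM keys the response with the MD4 "NT hash"; SHA-256 and HMAC stand in here
as assumptions so the script runs on any Python 3 without extra libraries."""
import hashlib
import hmac
import os


def password_key(password: str) -> bytes:
    """Both sides hold this derived value; the plaintext password never crosses the wire."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def new_challenge() -> bytes:
    """Server side: a fresh random 8-byte challenge for every authentication attempt."""
    return os.urandom(8)


def compute_response(password: str, challenge: bytes) -> bytes:
    """Client side: keyed hash of the server's challenge using the password-derived key."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()


def server_verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from its own copy of the key; constant-time comparison."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed scenario: one honest logon, one wrong password, and a response
    from the first logon presented again against a later, different challenge."""
    stored = password_key("P@ssw0rd!")          # what the DC holds for the account
    chal1 = new_challenge()
    resp1 = compute_response("P@ssw0rd!", chal1)
    chal2 = new_challenge()                      # a later logon gets its own challenge
    return {
        "correct_password": server_verify(stored, chal1, resp1),
        "wrong_password": server_verify(stored, chal1, compute_response("guess", chal1)),
        "stale_response": server_verify(stored, chal2, resp1),
    }
```

Because the server recomputes the keyed hash over the challenge it issued, an old response is useless against a new challenge, which is exactly why the challenge must be random and unique per attempt.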
Kerberos
• Kerberos is an industry-standard authentication protocol originally developed at MIT.
• It is AD’s preferred authentication protocol.
• Its operation is more complex than NTLM’s, but it offloads more computing workload from servers to help keep them running smoothly.
• Kerberos relies heavily on encryption principles and technologies.
How Kerberos Works
• It starts with the client transmitting the user’s name to a DC (in Kerberos terms, a Key Distribution Center or KDC).
• The KDC generates an authentication ticket, which basically contains information about the user’s identity, and encrypts that ticket using a key derived from the user’s password.
• The client receives the ticket and attempts to decrypt it. If the user provided the correct password, this succeeds.
• The ticket includes a second copy that is encrypted with a key known only to the KDC.
• The client then retains the entire ticket, including the portion that it cannot decrypt.
Need to Access Something?
• When the client needs to access a network resource, it sends the ticket back to the KDC.
• The KDC decrypts its own copy of the ticket; there’s no need to look up the client’s information again.
• The KDC constructs a session ticket for the specific network resource (like a file server), and encrypts it using that resource’s secret key (all servers have one stored in AD).
• The session ticket is sent to and stored by the client.
• Each time the client needs to access that resource, it sends along the session ticket.
• The resource server can decrypt the session ticket to see the user’s identity and entitlements.
Kerberos Details
• Tickets expire after a set period of time and must be reissued.
• Authentication relies on time stamps to prevent capture-and-replay attacks; there’s only a small ‘drift’ permitted between server and client clocks.
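The two ticket exchanges described in the preceding slides, together with the expiry and clock-drift rules on this one, simulated as an added example that is not course material. The `seal`/`unseal` functions, the lifetime and drift values, and the user and service names are constructed stand-ins: real Kerberos uses AES-based encryption types and a far more detailed ticket format.

```python
"""Added illustration, not course code; seal/unseal are an HMAC-SHA256 stand-in for Kerberos encryption."""
import hashlib, hmac, json, os

MAX_DRIFT = 300          # tolerated clock skew in seconds (assumed value)
TICKET_LIFETIME = 600    # seconds until a ticket must be reissued (assumed value)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:  # counter-mode blocks, so the stream never repeats
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))

def seal(key: bytes, data: dict) -> bytes:
    """Authenticated-encryption stand-in: nonce || plaintext XOR keystream || tag."""
    pt, nonce = json.dumps(data).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")   # a wrong password lands here too
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, accounts: dict, kdc_key: bytes):
        self.accounts, self.kdc_key = accounts, kdc_key  # name -> long-term key; kdc_key is known only to the KDC

    def authenticate(self, user: str, now: int) -> dict:
        ident = {"user": user, "expires": now + TICKET_LIFETIME}  # same record sealed twice: for user, for KDC
        return {"for_user": seal(self.accounts[user], ident), "for_kdc": seal(self.kdc_key, ident)}

    def service_ticket(self, for_kdc: bytes, service: str, now: int) -> bytes:
        ident = unseal(self.kdc_key, for_kdc)  # reopen the KDC-only copy; no directory lookup needed
        if now > ident["expires"]:
            raise ValueError("ticket expired; re-authenticate")
        return seal(self.accounts[service], {"user": ident["user"], "time": now})

def service_accepts(service_key: bytes, ticket: bytes, now: int) -> str:
    t = unseal(service_key, ticket)  # the resource server opens the ticket with its own key
    if abs(now - t["time"]) > MAX_DRIFT:
        raise ValueError("time stamp outside permitted drift")
    return t["user"]

def run_flow(password: str, now: int = 1_700_000_000) -> str:
    """Constructed scenario: 'alice' (password P@ssw0rd!) logs on, then reaches file server 'cifs/fs01'."""
    accounts = {"alice": hashlib.sha256(b"P@ssw0rd!").digest(), "cifs/fs01": os.urandom(32)}
    kdc = KDC(accounts, os.urandom(32))
    tgt = kdc.authenticate("alice", now)
    unseal(hashlib.sha256(password.encode()).digest(), tgt["for_user"])  # client proves it knows the password
    st = kdc.service_ticket(tgt["for_kdc"], "cifs/fs01", now + 60)
    return service_accepts(accounts["cifs/fs01"], st, now + 61)
```

Note that the file server never talks to the KDC and never sees the user’s password: it trusts the session ticket because only the KDC could have sealed it under the server’s own key, and the time stamp check is what turns a captured ticket into a rejected one.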
Kerberos in Action