
See the AD layer Eight stuff section elsewhere on this site - it is tightly integrated with the content on this page

See also the RADIUS page - relevant to Remote Access (RA), 802.1x, PEAP, and more

 

Authentication: Authentication, Authorization, Auditing, Smartcards, Groups, Kerberos

 

The three As: Authentication, Authorization, Auditing

Resource --> User

A user has authorizations to a resource - the resource trusts the user's authenticator. At the ATM you present two factors for authentication, the ATM card and your PIN - the banking network's backend systems confirm all is right, then you get cash (access the resource). You go to get a driver's license in a new state and present your passport as a form of ID - the xxDOT trusts the background checks etc. that the INS did in issuing the passport as authentication, and the xxDOT grants you access to the resource - a driver's license - authorizing you to drive. (These are not perfect examples, as the license could be thought of as just another form of authentication and the ATM might not technically be authorizing anything - this is most likely done over the network too.)

Trusting --> Trusted
ATM --> bank PIN in DB
xxDOT --> INS

Authentication

Authorization

Auditing

Authentication Factors:

 

Authentication Related Concepts:

UPN

sAMAccountName

SPN

 

Smartcards:

See also the Cryptography section elsewhere on this site for background and info on crypto, PKI, etc

X.509 certificate (more here)

PKI private key stored on removable media or on a smartcard

A smartcard is smart because the card has a CPU and does encryption and decryption on the smartcard, so the private key is never actually on the computer system.

Smartcard requires the user to enter a PIN (password) to access the private key functions

Server 2003 supports smartcard Kerberos extensions that use the user's private key on the smartcard (to encrypt the Kerberos timestamp) and the user's public key in the AD X.509 store to decrypt it - instead of using the user's password to do the same.

Smartcards can be set in AD to be optional or mandatory via GPO.

 

Groups:

Group nesting and best practice:

Permissioning terms:

Rights:

Privileges:

A GPO is a group of security policies and has almost nothing to do with groups.

An OU is not a group. An OU is not a security principal. An OU is a container object to which GPOs can be linked.

 

Kerberos:

Kerberos - Secure, single sign-on (SSO), trusted third party, mutual authentication system.

Design Goals:

AD Security Principals:

Windows Access Tokens

 

Comprehensive Microsoft page on Kerberos in AD:

 

If I could find the animated Kerberos teaching tool this pdf talks about - that would be cool!
An animated learning tool for Kerberos authentication architecture:
http://portal.acm.org/citation.cfm?id=1231091.1231116&coll=portal&dl=ACM&idx=J420&part=affil&WantType=Affiliated%2520Organizations&title=JCSC&CFID=15151515&CFTOKEN=6184618

NTLM v2:

Second authentication option after Kerberos

Mostly for backwards compatibility with NT (and 9x clients with the Directory Services Client): NT to AD, AD to NT, AD external trusts

Also used with 2003 and 2000 servers in workgroup mode

Introduced in NT4 SP4, an upgrade from NTLM, which is an upgrade from LM. (LM = LAN Man)

Use the LAN Manager authentication level security policy to control how far back (LM, NTLM, NTLMv2) your compatibility is allowed to go
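An added example, not from the original notes, for checking where a host currently sits on that scale: it reads the registry value that backs the policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, a real Windows value) and maps it to the policy's level names, flagging anything that still allows LM or NTLM (v1) responses. The recommendation threshold of level 5 is my assumption for a domain where every client supports NTLMv2.

```powershell
# Added example: audit the local "Network security: LAN Manager authentication level" setting.
# Assumption: the policy is stored at the registry value below; if the value is absent the
# OS default applies (it differs between Windows versions), so the host is reported as unset.
function Get-LmAuthLevelStatus {
    # Level meanings as defined by the security policy (0 = weakest, 5 = strongest).
    $levels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

    if ($null -eq $value) {
        return [pscustomobject]@{
            Level       = $null
            Meaning     = 'Not set (OS default applies)'
            Recommended = $false
        }
    }

    $level = [int]$value
    [pscustomobject]@{
        Level       = $level
        Meaning     = $levels[$level]
        # Only level 5 refuses both LM and NTLM (v1) responses at this host; anything lower
        # still sends or accepts a weaker response and should be raised via GPO once
        # every client in scope is confirmed to support NTLMv2.
        Recommended = ($level -eq 5)
    }
}

Get-LmAuthLevelStatus
```

Run it on a representative member server and a domain controller; the DC result is the one that matters most, since it decides which responses the domain will still accept.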

The [Active] Directory Services Client is an add-on for 9x and NT that enables:

 

MISC:

See the Trusts sections elsewhere on this site for additional relevant content.

 

How Interactive Logon Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/779885d9-e5e9-4f27-9c14-5bbe77b056ba.mspx

 

 
