See also the RADIUS page - relevant to Remote Access (RA), 802.1x, PEAP, and more
Authentication: Authentication, Authorization, Auditing, Smartcards, Groups, Kerberos
The three As: Authentication, Authorization, Auditing
Trusting --> Trusted
Resource --> User
ATM --> bank PIN in DB
xxDOT --> INS

A user has authorizations to a resource - the resource trusts the user's authenticator. At the ATM you present two factors for authentication, the ATM card and your PIN - the banking network's backend systems confirm all is right, then you get cash (access the resource). You go to get a driver's license in a new state and present your passport as a form of ID - the xxDOT trusts the background checks etc. that the INS did in issuing the passport as authentication, and the xxDOT grants you access to the resource - a driver's license - authorizing you to drive. (These are not perfect examples, as the license could be thought of as just another form of authentication, and the ATM might not technically be authorizing anything - that is most likely done over the network too.)
Authentication
Authorization
Auditing
Authentication Factors:
Authentication Related Concepts:
UPN
sAMAccountName
SPN
See also the Cryptography section elsewhere on this site for background and info on crypto, PKI, etc.
X.509 certificate (more here)
PKI private key stored on removable media or on a smartcard
A smartcard is smart because the card has a CPU and does encryption and decryption on the smartcard, so the private key is never actually on the computer system.
Smartcard requires the user to enter a PIN (password) to access the private key functions
Server 2003 supports smartcard Kerberos extensions that use the user's private key on the smartcard (to encrypt the Kerberos timestamp) and the user's public key in the AD X.509 store to decrypt it - instead of using the user's password to do the same.
Smartcards can be set in AD to be optional or mandatory via GPO.
Group nesting and best practice:
Permissioning terms:
Rights:
Privileges:
A GPO is a group of security policies and has almost nothing to do with groups.
An OU is not a group. An OU is not a security principal. An OU is a container object to which GPOs can be linked.
Kerberos - secure, single sign-on (SSO), trusted third party, mutual authentication system.
Design Goals:
AD Security Principals:
Windows Access Tokens
Comprehensive Microsoft page on Kerberos in AD:
If I could find the animated Kerberos teaching tool this pdf talks about - that would be cool!
An animated learning tool for Kerberos authentication architecture:
http://portal.acm.org/citation.cfm?id=1231091.1231116&coll=portal&dl=ACM&idx=J420&part=affil&WantType=Affiliated%2520Organizations&title=JCSC&CFID=15151515&CFTOKEN=6184618
NTLM v2:
Second authentication option after Kerberos
Mostly for backwards compatibility with NT (and 9x clients with the Directory Services Client): NT to AD, AD to NT, AD external trusts
Also used with 2003 and 2000 servers in workgroup mode
Introduced in NT4 SP4, an upgrade from NTLM, which is an upgrade from LM. (LM = LAN Manager)
Use the LAN Manager authentication level security policy to control how far backward (and how weak) the authentication protocols you send and accept are allowed to go.
The [Active] Directory Services Client is an add-on for 9x and NT that enables:
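An added audit script for the LAN Manager authentication level policy mentioned above (not from the original notes). It reads the registry value Windows keeps behind that policy, LmCompatibilityLevel under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, and reports which legacy responses the host still sends and accepts; the level table follows Microsoft's documentation of the policy, and the compliance floor of 5 is this example's assumption.

```powershell
# Added example (not part of the original notes): audit the "Network security: LAN Manager
# authentication level" policy on the local host via its registry backing value.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# What each level makes the host SEND as a client and ACCEPT as a server / domain controller.
$LmLevelTable = @{
    0 = @{ Meaning = 'Send LM & NTLM responses';                               AcceptsLM = $true;  AcceptsNTLMv1 = $true  }
    1 = @{ Meaning = 'Send LM & NTLM, use NTLMv2 session security if negotiated'; AcceptsLM = $true; AcceptsNTLMv1 = $true }
    2 = @{ Meaning = 'Send NTLM response only';                                AcceptsLM = $true;  AcceptsNTLMv1 = $true  }
    3 = @{ Meaning = 'Send NTLMv2 response only';                              AcceptsLM = $true;  AcceptsNTLMv1 = $true  }
    4 = @{ Meaning = 'Send NTLMv2 response only, refuse LM';                   AcceptsLM = $false; AcceptsNTLMv1 = $true  }
    5 = @{ Meaning = 'Send NTLMv2 response only, refuse LM & NTLM';            AcceptsLM = $false; AcceptsNTLMv1 = $false }
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent and the OS default applies.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-LmCompatibilityLevel {
    # Minimum = 5 is this example's hardening floor (assumption), not a value from the notes.
    param([Parameter(Mandatory)][int]$Level, [int]$Minimum = 5)
    $info = $LmLevelTable[$Level]
    [pscustomobject]@{
        Level         = $Level
        Meaning       = $info.Meaning
        AcceptsLM     = $info.AcceptsLM
        AcceptsNTLMv1 = $info.AcceptsNTLMv1
        Compliant     = ($Level -ge $Minimum)
    }
}

$level = Get-LmCompatibilityLevel
if ($null -eq $level) {
    Write-Warning 'LmCompatibilityLevel not set; the OS default applies (3 on Vista/Server 2008 and later, lower on 2003/XP).'
} else {
    $result = Test-LmCompatibilityLevel -Level $level
    $result | Format-List
    if (-not $result.Compliant) {
        # Raising the value locally only sticks on standalone/workgroup hosts; on domain members the
        # Security Options GPO setting overwrites a manual registry change at the next policy refresh.
        Write-Warning "Level $level still accepts legacy responses. To harden a standalone host:"
        Write-Host   "  Set-ItemProperty -Path '$LsaKey' -Name LmCompatibilityLevel -Type DWord -Value 5"
    }
}
```

Run it in an elevated PowerShell session on the host being checked; on domain members, verify the effective value against the linked GPO rather than editing the registry directly.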
MISC:
See the Trusts sections elsewhere on this site for additional relevant content.
How Interactive Logon Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/779885d9-e5e9-4f27-9c14-5bbe77b056ba.mspx