
Active Directory’s Physical Structure

• Active Directory uses the following two objects to represent the physical structure of the
network.

• A site

– An AD site is simply a physical location where DCs are placed and group policies can be
applied

– A site represents a group of well-connected networks

• A subnet

– Represents a physical network segment.

– Each subnet possesses its own unique network address space.

• Each domain controller contains a full replica of the objects that make up the domain and is
responsible for the following functions:

– Storing a copy of the domain data and replicating changes to that data to all other
domain controllers throughout the domain

– Providing data search and retrieval functions for users attempting to locate objects in
the directory

– Providing authentication and authorization services for users who log on to the domain
and attempt to access network resources

• You should know the following about sites and subnets:

– Sites and subnets are used to manage Active Directory replication between locations.

– All Active Directory sites contain servers and site links (the connection between two
sites that allows replication to occur).

– Site links are used by Active Directory to build the most efficient replication topology.

– A site differs from a domain in that it represents the physical structure of your network,
while a domain represents the logical structure of your organization.

– Clients are assigned to sites dynamically according to their Internet Protocol (IP) address
and subnet mask.

– Domain controllers are assigned to sites according to the location of their associated
server object in Active Directory.
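How a client is placed into a site by IP address and subnet mask, shown as an added Python example that is not part of the original slides: the subnet table, site names and client addresses are constructed, and the function picks the longest matching prefix, which is the rule used when a domain controller answers a client's site lookup.

```python
from typing import Optional
import ipaddress

# Constructed subnet-to-site table (example data, not from any real forest).
# In Active Directory this mapping is the content of the Subnets container
# under Sites; each subnet object names the site it belongs to.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Paris",
    "10.1.200.0/24": "Paris-Lab",    # more specific prefix inside the Paris range
    "10.2.0.0/16": "Lyon",
    "192.168.50.0/24": "Branch-Nice",
}

def assign_site(client_ip: str, table=SUBNET_TO_SITE) -> Optional[str]:
    """Return the site whose subnet contains client_ip, choosing the longest
    (most specific) matching prefix. Returns None when no subnet matches."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for prefix, site in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site

def unassigned_clients(ips, table=SUBNET_TO_SITE):
    """Addresses that map to no site. Such clients cannot be steered to a nearby
    DC, so this list is the first thing to review when site-aware logon or
    replication behaves unexpectedly."""
    return [ip for ip in ips if assign_site(ip, table) is None]

if __name__ == "__main__":
    for ip in ["10.1.3.7", "10.1.200.44", "10.2.9.1", "172.16.0.5"]:
        print(ip, "->", assign_site(ip))
```

The overlapping `10.1.0.0/16` and `10.1.200.0/24` entries show why the most specific prefix must win: a lab client would otherwise be sent to the wrong site's domain controllers.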
Access Control
• Access control is a system which enables an authority to control access to areas and resources
in a given physical facility or computer-based information system

• “The prevention of unauthorized use of a resource, including the prevention of use of a resource
in an unauthorized manner”

 Access Controls: The security features that control how users and systems communicate and
interact with one another.

 Access: The flow of information between subject and object

 Subject: An active entity that requests access to an object or the data in an object

o a process representing user/application

o often have 3 classes: owner, group, world

 Object: A passive entity that contains information

o e.g. files, directories, records, programs etc

o number/type depend on environment

 Access right: the way in which a subject accesses an object

o e.g. read, write, execute, delete, create, search

Access Control Terminology

Identification, Authentication, and Authorization are distinct functions.

 Identification

 Authentication

 Authorization

 Identification

 Method of establishing the subject’s (user, program, process) identity.

 Use of user name or other public information.

 Know identification component requirements.

 Authentication

 Method of proving the identity.

 Something a person is, has, or does.

 Use of biometrics, passwords, passphrase, token, or other private information.

 Authorization

 Determines that the proven identity has some set of characteristics associated with it

Three ways to prove identity to an authentication server:

Type 1: Something you know

 Requires you to provide a password or some other data that you know.

 This is the weakest type of authentication.

Examples:

 Passwords, PINs or Pass phrases


Type 2: Something you have

 Also called token-based authentication; authentication based on something a user has in
their possession.

Examples: Smart cards

Type 3: Something you are

 Uses a biometric system.

 Attempts to identify a person based on the person’s biological attributes.

 This is the most expensive and least accepted, but is generally considered to be the most secure
form of authentication.

Biometric systems include:

 Voice recognition
 Facial scans
 Fingerprints
 Hand topology
 Palm scans

Measure the effectiveness of authentication solutions:

 Type I Error (false negative): When a biometric system rejects an authorized individual.

 Type II Error (false positive): When a biometric system accepts an individual who should have
been rejected. Most dangerous error and most important to avoid.

 Crossover Error Rate (CER): Rating stated as a percentage and represents the point at which the
false rejection rate equals the false acceptance rate.

o Most important state for determining system’s accuracy.

o Lower value indicates better accuracy.

o May also be called Equal Error Rate (EER).

o Most helpful when comparing two different biometric systems
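The FRR/FAR/CER relationship carried through on constructed data, as an added example that is not from the original slides. The matcher score lists and the system names A and B are assumptions; the code sweeps the decision threshold, computes the Type I and Type II rates at each setting, and reports where the two error rates cross.

```python
# Constructed matcher scores (higher = more similar). Example data only.
SYSTEM_A = {
    "genuine":  [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48],  # authorized users
    "impostor": [0.62, 0.58, 0.53, 0.49, 0.44, 0.40, 0.35, 0.31, 0.22, 0.15],  # should be rejected
}
SYSTEM_B = {
    "genuine":  [0.90, 0.80, 0.70, 0.60, 0.50, 0.40],
    "impostor": [0.75, 0.65, 0.55, 0.45, 0.30, 0.20],
}

def error_rates(threshold, genuine, impostor):
    """FRR = Type I error (false rejection): genuine scores below the threshold.
    FAR = Type II error (false acceptance): impostor scores at or above it."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def crossover_error_rate(system, steps=1000):
    """Sweep the decision threshold over [0, 1] and return (threshold, CER) where
    FRR and FAR are closest to equal. A lower CER means a more accurate system."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, system["genuine"], system["impostor"])
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

def more_accurate(systems):
    """Name of the system with the lowest CER, which is how CER is used when
    comparing two biometric products."""
    return min(systems, key=lambda name: crossover_error_rate(systems[name])[1])

if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover_error_rate(system)
        print("system %s: threshold %.3f  CER %.3f" % (name, t, cer))
    print("more accurate:", more_accurate({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Raising the threshold pushes FAR down and FRR up; the operating point an organization actually deploys is usually stricter than the crossover, since the Type II error is the one to avoid, but the CER is what makes two products comparable.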


To increase security, you can use a combination of authentication methods as
described in these options:

Authentication Method

 Two-factor, Three-factor, Multi-factor:

o Requires two (or more) different authentication types to be deployed.

 Strong

o Requires two or more methods, but they can be of the same type.

 One-factor

o Uses credentials of only one type, but may require multiple methods within the same
type

 Mutual

o Requires that both parties authenticate with each other before beginning
communications.

Access Control Models:


 Three Main Types

 Discretionary

 Mandatory

 Non-Discretionary (Role Based)

 Rule Based Access Control

 Discretionary Access Control (DAC)

 A system that uses discretionary access control allows the owner of the resource to
specify which subjects can access which resources.

 Access control is at the discretion of the owner.

 often provided using an access matrix

 lists subjects in one dimension (rows)

 lists objects in the other dimension (columns)

 each entry specifies access rights of the specified subject to that object

 Mandatory Access Control (MAC)

 Access control is based on a security labeling system. Users have security clearances
and resources have security labels that contain data classifications.

 This model is used in environments where information classification and confidentiality
is very important (e.g., the military).

 Higher class users may grant their privileges to other lower class users without owner
notification

 Non-Discretionary (Role Based) Access Control Models

 Role Based Access Control (RBAC) uses a centrally administered set of controls to
determine how subjects and objects interact.

 Is the best system for an organization that has high turnover.

 Rule Based Access Control

 Uses specific rules that indicate what can and cannot happen between a subject and an
object.

 Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated
provisioning

 Can dynamically assign roles to subjects based on a set of rules defined by a custodian

 Each resource object contains a set of access properties based on the rules

• Rule Based Access Control is often used for managing user access to one or more systems
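The four models placed side by side in code, as an added example that is not from the original slides: a DAC access matrix (subjects as rows, objects as columns, rights as entries), a MAC clearance-versus-label check, RBAC role lookups, and a rule-based provisioning step that derives roles from subject attributes before RBAC decides. All subjects, objects, labels, roles and rules are constructed; every function denies by default when it has no matching entry.

```python
# --- DAC: an access matrix. Rows = subjects, columns = objects, entry = rights.
# Constructed example; in DAC the owner of each object fills in its column.
ACCESS_MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write", "delete"}},
}

def dac_allowed(subject, obj, right, matrix=ACCESS_MATRIX):
    """Implicit deny: an unknown subject, object or right yields False."""
    return right in matrix.get(subject, {}).get(obj, set())

# --- MAC: subjects carry clearances, objects carry classification labels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"plan.doc": "top secret", "memo.txt": "unclassified", "budget.xls": "secret"}

def mac_can_read(subject, obj):
    """'No read up': reading is allowed only when the clearance is at least the
    label. Uncleared subjects and unlabeled objects are denied."""
    clearance, label = CLEARANCE.get(subject), LABEL.get(obj)
    if clearance is None or label is None:
        return False
    return LEVELS[clearance] >= LEVELS[label]

# --- RBAC: permissions are attached to centrally administered roles. Staff
# turnover is handled by changing role membership, not per-user rights.
ROLE_PERMS = {
    "hr":      {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "auditor": {("payroll.xlsx", "read"), ("ledger.db", "read")},
}
USER_ROLES = {"alice": {"hr"}, "carol": {"auditor"}}

def rbac_allowed(subject, obj, right, user_roles=USER_ROLES):
    return any((obj, right) in ROLE_PERMS.get(role, set())
               for role in user_roles.get(subject, set()))

# --- Rule-based: roles are assigned dynamically from subject attributes by
# custodian-defined rules (automated provisioning), then RBAC decides.
RULES = [
    (lambda a: a.get("dept") == "finance" and not a.get("contractor"), "hr"),
    (lambda a: a.get("dept") == "audit" and not a.get("contractor"), "auditor"),
]

def rule_based_roles(attrs):
    return {role for condition, role in RULES if condition(attrs)}

def rule_based_allowed(attrs, obj, right):
    return any((obj, right) in ROLE_PERMS[role] for role in rule_based_roles(attrs))

if __name__ == "__main__":
    print("DAC  alice write payroll:", dac_allowed("alice", "payroll.xlsx", "write"))
    print("MAC  alice read plan.doc:", mac_can_read("alice", "plan.doc"))
    print("RBAC carol read ledger:  ", rbac_allowed("carol", "ledger.db", "read"))
    print("Rule contractor auditor: ", rule_based_roles({"dept": "audit", "contractor": True}))
```

Note where each model keeps its decision data: DAC in a per-object structure the owner edits, MAC in labels that users cannot change, RBAC in a role table administered centrally, and rule-based in attribute rules that re-evaluate whenever the subject's attributes change.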

Account Restrictions

• Time of day restrictions

– Limit when a user can log on to a system

– These restrictions can be set through a Group Policy

– Can also be set on individual systems

• Account expiration

– The process of setting a user’s account to expire

– Orphaned accounts are user accounts that remain active after an employee has left an
organization

• Can be controlled using account expiration
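Both restrictions enforced in one logon check, as an added Python example that is not part of the original slides. The account records, permitted-hour windows and dates are constructed; `logon_allowed` and `orphaned_accounts` are names chosen here. Unknown accounts, expired accounts and logons outside the window are all refused, so the default is deny.

```python
from datetime import datetime, date

# Constructed user records (example data). allowed_hours maps weekday
# (0 = Monday) to a (start_hour, end_hour) window; expires is the account
# expiration date, or None for an account that never expires.
ACCOUNTS = {
    "jdoe":       {"allowed_hours": {d: (8, 18) for d in range(5)}, "expires": date(2030, 12, 31)},
    "contractor": {"allowed_hours": {d: (9, 17) for d in range(5)}, "expires": date(2024, 6, 30)},
    "oncall":     {"allowed_hours": {d: (0, 24) for d in range(7)}, "expires": None},
}

def logon_allowed(user, when, accounts=ACCOUNTS):
    """Return (allowed, reason) for a logon attempt at datetime `when`."""
    acct = accounts.get(user)
    if acct is None:
        return False, "unknown account"
    expires = acct["expires"]
    if expires is not None and when.date() > expires:
        return False, "account expired on %s" % expires.isoformat()
    window = acct["allowed_hours"].get(when.weekday())
    if window is None:
        return False, "no logon permitted on this weekday"
    start, end = window
    if not (start <= when.hour < end):
        return False, "outside permitted hours %02d:00-%02d:00" % (start, end)
    return True, "ok"

def orphaned_accounts(accounts, today, departed):
    """Accounts of departed staff that are still unexpired as of `today`."""
    return sorted(u for u in departed
                  if u in accounts and (accounts[u]["expires"] is None
                                        or accounts[u]["expires"] >= today))

if __name__ == "__main__":
    for user, when in [("jdoe", datetime(2025, 3, 4, 10, 0)),
                       ("jdoe", datetime(2025, 3, 4, 22, 0)),
                       ("contractor", datetime(2025, 3, 4, 10, 0))]:
        print(user, when.isoformat(), logon_allowed(user, when))
    print("orphaned:", orphaned_accounts(ACCOUNTS, date(2025, 3, 4), ["contractor", "oncall"]))
```

The `orphaned_accounts` check is the review a custodian runs against an HR leavers list: any departed user whose account has no expiration, or an expiration still in the future, is an orphaned account.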


Passwords

• Password

– The most common logical access control

– Sometimes referred to as a logical token

– A secret combination of letters and numbers that only the user knows

• A password should never be written down

– Must also be of a sufficient length and complexity so that an attacker cannot
easily guess it (password paradox)

• Attacks on passwords

– Brute force attack

• Simply trying to guess a password through combining a random
combination of characters

– Passwords typically are stored in an encrypted form called a “hash”

• Attackers try to steal the file of hashed passwords and then break the
hashed passwords offline

– Dictionary attack

• Begins with the attacker creating hashes of common dictionary words

• And compares those hashed dictionary words against those in a
stolen password file

– Rainbow tables

• Make password attacks easier by creating a large pregenerated data set
of hashes from nearly every possible password combination

• Generating a rainbow table requires a significant amount of time

• Rainbow table advantages

– Can be used repeatedly for attacks on other passwords

– Rainbow tables are much faster than dictionary attacks


– The amount of memory needed on the attacking machine is greatly reduced
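Why dictionary attacks and rainbow tables work against a plain hash file, and what storage format defeats the precomputation, as an added Python example that is not from the original slides. The weak form (`unsalted_sha256`) sits beside the corrected form (`store_password` / `verify_password`, names chosen here): a random per-user salt means two users with the same password get different stored values, so one pregenerated table cannot be reused across accounts, and the iteration count makes every offline guess cost more. The sample password is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

def unsalted_sha256(password: str) -> str:
    """How not to store a password: equal passwords give equal digests, so a
    single precomputed table (dictionary or rainbow table) matches every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random per-user salt makes a
    precomputed table useless, and the iteration count slows each guess.
    Stored record format: iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

def reused_values(stored: dict) -> bool:
    """True if any two accounts share an identical stored value, which is the
    property a precomputed table exploits."""
    values = list(stored.values())
    return len(values) != len(set(values))

if __name__ == "__main__":
    pw = "Winter2024!"   # constructed: two users who happened to choose the same password
    print("unsalted values identical:",
          reused_values({"u1": unsalted_sha256(pw), "u2": unsalted_sha256(pw)}))
    print("salted values identical:  ",
          reused_values({"u1": store_password(pw), "u2": store_password(pw)}))
```

A stolen file of `store_password` records still allows guessing one account at a time, which is why length and complexity rules remain necessary; what the salt removes is the ability to prepare the hashes in advance and match many accounts with one lookup.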
Door Security

• Hardware locks

– Preset lock

• Also known as the key-in-knob lock

• The easiest to use because it requires only a key for unlocking the door
from the outside

• Automatically locks behind the person, unless it has been set to remain
unlocked

• Security provided by a preset lock is minimal

– Deadbolt lock

• Extends a solid metal bar into the door frame for extra security

• Is much more difficult to defeat than preset locks

• Requires that the key be used to both open and lock the door

• Most organizations observe the following practices:

– Change locks immediately upon loss or theft of keys

– Inspect all locks on a regular basis

– Issue keys only to authorized persons

– Keep records of who uses and turns in keys

– Keep track of keys issued, with their number and identification

– Master keys should not have any marks identifying them as masters

– Secure unused keys in a locked safe

– Set up a procedure to monitor the use of all locks and keys and update the
procedure as necessary

– When making duplicates of master keys, mark them “Do Not Duplicate,” and
wipe out the manufacturer’s serial numbers to keep duplicates from being
ordered

– Cipher lock

• Combination locks that use buttons that must be pushed in the proper
sequence to open the door

• Can be programmed to allow only the code of certain individuals to be
valid on specific dates and times

– Cipher locks also keep a record of when the door was opened and by which code

– Cipher locks are typically connected to a networked computer system

• Can be monitored and controlled from one central location

– Cipher lock disadvantages

• Basic models can cost several hundred dollars while advanced models can
be even more expensive

• Users must be careful to conceal which buttons they push to avoid
someone seeing or photographing the combination

– Tailgate sensor

• Use multiple infrared beams that are aimed across a doorway and
positioned so that as a person walks through the doorway, some beams are
activated and then other beams are activated a short time later

• Can detect if a second person walks through the beam array immediately
behind (“tailgates”) the first person without presenting credentials

• Physical tokens

– Objects to identify users

• ID badge

– The most common types of physical tokens

– ID badges originally were visually screened by security guards

– Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags

• Can be read by an RFID transceiver as the user walks through the door
with the badge in her pocket

• Mantrap

– A security device that monitors and controls two interlocking doors to a small
room (a vestibule) that separates a nonsecured area from a secured area

• Mantraps are used at high-security areas where only authorized persons are allowed to
enter

– Such as sensitive data processing areas, cash handling areas, critical research
labs, security control rooms, and automated airline passenger entry portals

• Closed circuit television (CCTV)

– Using video cameras to transmit a signal to a specific and limited set of receivers

• Some CCTV cameras are fixed in a single position pointed at a door or a hallway

• Other cameras resemble a small dome and allow the security technician to move the
camera 360 degrees for a full panoramic view

• Physical access log

– A record or list of individuals who entered a secure area, the time that they
entered, and the time they left the area

– Can also identify if unauthorized personnel have accessed a secure area

• Physical access logs originally were paper documents

– Today, door access systems and physical tokens can generate electronic log
documents
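A review of an electronic physical access log, as an added Python example that is not part of the original slides. The door controller log format, the door name, the badge numbers and the authorized-badge list are all constructed. The code turns the log into the record the slides describe (who entered, when, and who is still inside) and flags three things worth a security officer's attention: a tailgate alarm attributed to the badge that entered just before it, a denied badge, and a badge granted entry that is not on the authorized list.

```python
import re
from datetime import datetime, timedelta

# Constructed door-controller log (example data). Two line shapes:
#   <ISO timestamp> <door> BADGE <id> <ENTRY|EXIT> <GRANTED|DENIED>
#   <ISO timestamp> <door> TAILGATE ALARM
LOG = """\
2025-03-04T08:02:11 DOOR-DC1 BADGE 1042 ENTRY GRANTED
2025-03-04T08:02:13 DOOR-DC1 TAILGATE ALARM
2025-03-04T08:40:00 DOOR-DC1 BADGE 2077 ENTRY DENIED
2025-03-04T12:15:30 DOOR-DC1 BADGE 1042 EXIT GRANTED
2025-03-04T13:00:00 DOOR-DC1 BADGE 3090 ENTRY GRANTED
2025-03-04T18:30:00 DOOR-DC1 BADGE 1105 ENTRY GRANTED
"""
AUTHORIZED = {"1042", "1105"}   # badges that should be able to open DOOR-DC1 (constructed)

LINE = re.compile(r"^(\S+) (\S+) (?:BADGE (\d+) (ENTRY|EXIT) (GRANTED|DENIED)|(TAILGATE ALARM))$")

def parse(log):
    """Parse log text into event dicts; malformed lines are skipped, not trusted."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, door, badge, direction, result, tailgate = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "door": door, "badge": badge,
                       "dir": direction, "result": result, "tailgate": tailgate is not None})
    return events

def review(events, authorized=AUTHORIZED, tailgate_window=timedelta(seconds=10)):
    """Return (findings, badges_still_inside). Findings are (kind, time, badge)."""
    findings, inside, last_entry = [], {}, None
    for e in events:
        if e["tailgate"]:
            # Attribute the alarm to whoever badged in just before it, if anyone did.
            recent = last_entry is not None and e["ts"] - last_entry["ts"] <= tailgate_window
            findings.append(("tailgate", e["ts"], last_entry["badge"] if recent else "unknown"))
            continue
        if e["result"] == "DENIED":
            findings.append(("denied", e["ts"], e["badge"]))
            continue
        if e["badge"] not in authorized:
            # Granted by the controller but not on the list: a provisioning error to fix.
            findings.append(("unauthorized_badge_granted", e["ts"], e["badge"]))
        if e["dir"] == "ENTRY":
            inside[e["badge"]] = e["ts"]
            last_entry = e
        else:
            inside.pop(e["badge"], None)
    return findings, sorted(inside)

if __name__ == "__main__":
    findings, inside = review(parse(LOG))
    for f in findings:
        print(f)
    print("still inside:", inside)
```

Running the review on a schedule, rather than only after an incident, is what turns the log from a record into a control: the "unauthorized_badge_granted" finding in particular points at a badge whose door rights were never revoked.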

Access control best practices take into consideration the following security principles:

• Separation of duties

– Requires that if the fraudulent application of a process could potentially result in
a breach of security

• Then the process should be divided between two or more individuals

• Job rotation

– Instead of one person having sole responsibility for a function, individuals are
periodically moved from one job responsibility to another

• Least privilege

– Each user should be given only the minimal amount of privileges necessary to
perform his or her job function

• Implicit deny

– If a condition is not explicitly met, then it is to be rejected
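Separation of duties, least privilege and implicit deny combined in one small approval workflow, as an added Python example that is not part of the original slides. The `PaymentWorkflow` class, the user names and the approver list are constructed: a request must be initiated by one person and approved by a different one, only members of the approver set may approve at all, and anything the code does not explicitly allow is refused.

```python
class PaymentWorkflow:
    """A payment needs two people: an initiator and a different approver."""

    def __init__(self, approvers):
        # Least privilege: approval rights are granted only to this set.
        self.approvers = set(approvers)
        self.requests = {}

    def initiate(self, req_id, user, amount):
        if req_id in self.requests:
            return False, "duplicate request id"
        if amount <= 0:
            return False, "amount must be positive"
        self.requests[req_id] = {"initiator": user, "amount": amount, "approved_by": None}
        return True, "initiated"

    def approve(self, req_id, user):
        req = self.requests.get(req_id)
        if req is None:
            return False, "unknown request"            # implicit deny
        if req["approved_by"] is not None:
            return False, "already approved"
        if user not in self.approvers:
            return False, "not an approver"            # least privilege
        if user == req["initiator"]:
            return False, "separation of duties: initiator cannot approve"
        req["approved_by"] = user
        return True, "approved"

    def is_complete(self, req_id):
        req = self.requests.get(req_id)
        return req is not None and req["approved_by"] is not None

if __name__ == "__main__":
    wf = PaymentWorkflow(approvers=["alice", "bob"])
    print(wf.initiate("r1", "alice", 500))
    print(wf.approve("r1", "alice"))   # refused: same person
    print(wf.approve("r1", "carol"))   # refused: not an approver
    print(wf.approve("r1", "bob"))     # allowed
```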
