2. 1. Control User Accounts
Introduction
• A domain is a logical grouping for network resources,
including servers, shares, printers, groups, and, of
course, user accounts.
• Every individual who requires access to network or
computer resources must have a user account.
• The user account represents the individual to the
domain, and allows for different types of access and
different types of tasks.
• Every user account is unique! It is the uniqueness of
the user account that allows administrators to control
access for every member of the domain.
3. • There are two types of user accounts that you must be
familiar with:
1. Local accounts: Local accounts are maintained in
the local database of a computer and cannot be used
to grant access to network resources.
• Local accounts are primarily used to administer a
computer or to allow several people to share a single
computer that is not a member of a domain.
2. Domain accounts: Domain user accounts are
much more widely used in organizations than local user
accounts because they allow for central administration
and users can log on to any computer in the domain.
Domain user accounts are stored in Active Directory,
and a user with a domain account is able to log on to
any computer in the domain, except if they have been
specifically restricted from the computer.
4. • A user must be a member of the Domain Admins
group, or have been specifically granted rights to
log on to a domain controller.
• Using local user accounts in a large organization
would be extremely cumbersome and impractical,
as they would require that each user maintain a
different user account for every computer they
logged into.
• The administration of such an environment would
be nightmarish.
5. • Although a user account is required to access network
resources, granting access to individual users would be a
monumental task in larger networks. To make the
administration of resources easier, user accounts are collected
into groups, and access is granted to a group instead of an
individual account.
• By collecting user accounts into groups, network access
can be granted to all members of a group at the same time.
When access to a specific network resource, such as a printer,
is required, it is simpler to assign access to a group than to
assign access to each user account.
6. • Just as there are local accounts and domain accounts, there are
also local groups and domain groups.
• Again, local groups are used to administer the computer or to
grant access to local user accounts.
• Domain groups are much more powerful, and can be used not
only to grant access for users in the network, but also to grant
access for users in other networks and other domains.
• Although setting up a group strategy can be complicated, once
the groups are implemented, administering access to resources
is much simpler than administering access by only using the
user account.
7. User Accounts
• A user account is used to identify an individual to a computer or a
network.
• A user account consists of an account name and password, and a unique
identifier.
• This unique identifier is a variable-length binary number that is
generated by the computer or the domain where the account is created.
• This security identifier (SID) identifies the user to the computer or
domain, and is used when a user attempts to gain access to a resource.
• A user account also may have other attributes, such as group
membership, remote access permissions, e-mail addresses, and others.
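To make the variable-length binary identifier concrete, here is an added example (not part of the original slides) that decodes a binary SID into its familiar string form and splits an account SID into the issuing computer or domain prefix and the per-account number (RID). It uses the standard Windows SID layout; the function names and the sample domain values are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID into its S-<rev>-<authority>-<sub>... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_sid(authority: int, subs: list) -> bytes:
    """Inverse of sid_to_string; used here only to construct sample input."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_account_sid(sid: str):
    """Split S-1-5-21-<issuer id>-<RID> into (issuer prefix, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a local or domain account SID")
    return "-".join(parts[:-1]), int(parts[-1])

# RIDs that Windows reserves for the two built-in accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

def builtin_account(sid: str):
    """Name the built-in account behind a SID, or None; a rename keeps the RID."""
    return BUILTIN_RIDS.get(split_account_sid(sid)[1])

# Well-known SID of the local Administrators group, as raw bytes (16 bytes).
BUILTIN_ADMINS = bytes.fromhex("01020000000000052000000020020000")
# Constructed domain identifier; two users and the built-in Administrator.
DOMAIN = [21, 1004336348, 1177238915, 682003330]
ALICE = build_sid(5, DOMAIN + [1105])
BOB = build_sid(5, DOMAIN + [1106])
ADMIN = build_sid(5, DOMAIN + [500])

if __name__ == "__main__":
    for raw in (BUILTIN_ADMINS, ALICE, BOB, ADMIN):
        print(len(raw), "bytes ->", sid_to_string(raw))
```

Accounts created in the same domain share the prefix and differ only in the final number, which is what makes each account unique to the domain.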
8. • Every user who logs on to a Windows computer must have a
valid user account, either for that computer or for the domain
the computer belongs to.
• At logon, the user has to select whether they are logging on to a
domain or to the local computer.
• The user’s credentials are then checked either against the local
database or against Active Directory as appropriate.
• There are two types of user accounts: local user accounts and
domain user accounts.
• The two types of accounts share common characteristics, but
they vary in scope.
• A local user account can only be used on a single computer, and
a domain user account can be used throughout the entire
network.
9. Local User Accounts
• Local user accounts are stored in the local database of
a computer and are only used for accessing resources
on the computer.
• All computers except domain controllers have a local
database for storing local user accounts.
• When a user attempts to access a computer with a
local user account, they must enter the correct user
name and password and be validated against the local
database.
10. • NOTE: Domain controllers are different from all other
computers in that a local database of user accounts
and groups is not kept.
• The definition of a domain controller is that of a
server with Active Directory installed.
• Since Active Directory is running on a domain
controller, the domain controller validates all local
logon attempts against Active Directory.
• In order to log on to a domain controller, a user must
be a member of the Domain Admins group, the
Enterprise Admins group, or have been explicitly
granted the “log on locally” user right.
11. • The problem with using local user accounts is that they are not
portable.
• If a user needs to use more than one computer, that user needs to have
two user accounts, one for each computer they use.
• Also, if a user attempts to access a resource on another computer,
such as a shared folder, they will have to present logon credentials for
the remote computer to authenticate and use resources.
• If a user requires access to resources on several computers, they will
require several user accounts, one for each computer.
• Even if a user only works from a single computer, they may need to
have several user accounts for several computers in order to access resources.
12. • Also, since each account is unique to the local computer, any account maintenance,
such as changing passwords, will have to be done multiple times.
• As you can see, trying to maintain an environment with local user accounts only
would be cumbersome.
• Local user accounts are created and administered using the Local Users and
Groups snap-in on the Computer Management Console (see Figure 1-1).
• The Local Users and Groups snap-in can also be added to any custom Microsoft
Management Console (MMC).
• The Local Users and Groups snap-in not only allows you to create and manage
user accounts and groups for the local machine, but it also supports connecting to a
remote computer and managing user accounts and groups on that computer.
14. • NOTE The Local Users and Groups snap-in is not
available on domain controllers.
• When Active Directory is installed on a server, any
accounts or groups in the local database are moved to
Active Directory and become domain user accounts
and domain groups.
• The Local Users and Groups snap-in is then removed
from the system, and is not available as part of the
Computer Management snap-in or any other custom
MMC.
• Previously in Windows 2000, the Local Users and
Groups snap-in displayed with a red X and a
notification screen that local users and groups were
not available on a domain controller.
15. Built-in Accounts
• By default, several accounts are created when Windows
Server 2003/2008/2012 is installed. If you have had any
experience with NT or Windows 2000, you are probably
already familiar with the Administrator and Guest account.
The Administrator Account
• An Administrator account is created when the operating
system is installed.
• The Administrator account has complete control over the
local machine and can be used to perform any function.
• It is used to install software, configure devices, and to
perform system tasks.
16. • The Administrator account cannot be disabled or deleted, but can and
should be renamed.
• Because it cannot be disabled, and because the normal rules for locking out an
account after several tries do not apply to it, hackers will attempt to log on as
Administrator.
• Upon installation of Windows Server 2003 or later, you are prompted to
enter a password for the Administrator account.
• If you leave the password blank, Windows prompts you to enter a
password and notifies you that for security reasons you really should enter
a password.
• Passwords protect the user accounts from being used by unauthorized
users, and leaving passwords blank can compromise the security of the
computer.
• Passwords should be at least seven characters in length, and passwords
with number and letter combinations are preferred.
17. • NOTE The local Administrator account can be renamed
using Group Policy.
• To do so, open the Local Security Policy MMC, navigate to
Local Policies | Security Options, and select the “Accounts:
Rename administrator account” policy.
• Enter the new name of the Administrator account and close
the Group Policy window.
• You will need to restart the computer for the change to take
effect.
18. Guest Account
• The Guest account is created to provide access to users who don’t have domain
accounts.
• By default, the Guest account is created in a disabled state. If the Guest account is
enabled, any user logged on to a local machine can use domain resources to which
the Guest account has access.
• Users don’t have to log on as Guest with a password because the Guest account
includes anyone who doesn’t have an account.
• So if a friend comes to your office and brings his laptop, he can plug his laptop in to
your network and access any resources on any computer that the Guest account has
been enabled on without ever having to authenticate.
• All he has to do is log on to his own laptop with a local account. This can be a huge
security risk. The Guest account should stay in a disabled state unless there is some
compelling reason to enable it.
19. Information Security…
2. Network Security:
Computer networks are widely used to
connect computers at distant locations.
Raises additional security problems:
o Data in transmission must be protected.
o Network connectivity exposes each
computer to more vulnerabilities.
20. Attacks, Services and Mechanisms
Three aspects of Information Security:
• Security Attack: Any action that
compromises the security of information.
• Security Mechanism: A mechanism that is
designed to detect, prevent, or recover from a
security attack.
• Security Service: A service that enhances
the security of data processing systems and
information transfers. A security service
makes use of one or more security mechanisms.
22. Security Attacks
Interruption: An asset of the system is
destroyed or becomes unavailable or
unusable.
• This is an attack on availability.
Examples:
• Destroying some H/W (disk or wire).
• Disabling file system.
• Swamping a computer with jobs or
communication link with packets.
23. Security Attacks
Interception: An unauthorized party
gains access to an asset.
o This is an attack on confidentiality.
Examples:
> Wiretapping to capture data in a
network.
> Illicitly copying data or programs.
24. Security Attacks
Modification: An unauthorized party
gains access and tampers with an asset.
o This is an attack on integrity.
Examples:
• Changing data files.
• Altering a program.
• Altering the contents of a message.
25. Security Attacks
Fabrication: An unauthorized party
inserts a counterfeit object into the
system.
o This is an attack on authenticity.
Examples:
> Insertion of records in data files.
> Insertion of spurious messages in a
network (message replay).
26. Passive vs. Active Attacks
1. Passive Attacks:
o Eavesdropping on information without
modifying it
(difficult to detect).
2. Active Attacks:
o Involve modification or creation of information.
28. Passive Threats
• Release of message contents:
Contents of a message are read.
> A message may be carrying sensitive or
confidential data.
• Traffic analysis:
An intruder makes inferences by observing message
patterns.
> Can be done even if messages are encrypted.
> Inferences: location and identity of hosts.
29. Active Threats
• Masquerade:
An entity pretends to be some other entity.
Example: An entity captures an authentication
sequence and replays it later to impersonate the
original entity.
• Replay:
Involves capture of a data unit and its
retransmission to produce an unauthorized
effect.
30. Active Threats
• Modification of messages:
A portion of a legitimate message has been
altered to produce an undesirable effect.
• Denial of service:
Inhibits normal use of computer and
communications resources.
> Flooding of a computer network.
> Swamping of a CPU or a server.
31. Security Services
A classification of security services:
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files
33. CIA
• CIA == Confidentiality, Integrity, and Availability
• AOB must prevent Trudy from learning Bob’s
account balance
• Confidentiality: prevent unauthorized reading of
information
– Cryptography used for confidentiality
34. CIA
• Trudy must not be able to change Bob’s account
balance
• Bob must not be able to improperly change his
own account balance
• Integrity: detect unauthorized writing of
information
– Cryptography used for integrity
35. CIA
• AOB’s information must be available whenever it’s
needed
• Alice must be able to make transactions
– If not, she’ll take her business elsewhere
• Availability: Data is available in a timely manner when
needed
• Availability is a “new” security concern
– Denial of service (DoS) attacks
38. Firewalls
Firewalls are devices or programs that control the flow
of network traffic between networks or hosts that
employ differing security postures. (NIST definition)
39. Where a firewall is placed
It is inserted between the internal network
and the Internet
That way, it can be said to establish a
perimeter
And provides a choke point where security
and audits can be imposed
40. What Firewalls can do
Block unwanted traffic (DoS, viruses, etc.)
Re-direct traffic to other systems (router
functionality)
Hide the internal network (using NAT)
Log traffic information
Force authentication through proxies
41. Firewall as a facility
Single point of control for an organization
(single choke point)
Security policy formulation
Enforcement
Audit management
Configuration management
42. Firewall as a facility …
Another layer of protection
Defence in depth
Dealing with future threats
Concentration of security
management
Focused capacity building
43. Firewall limitation
“Dial in” and “dial out” connections cannot be
controlled by a firewall.
Wireless communication cannot be
controlled either.
44. Firewall: Design goals
All incoming and outgoing traffic must pass
through the firewall.
Take care of “out of band” traffic such as
“dial in” and “dial out” connections.
Only authorized traffic, as defined by the
security policy, will be allowed to pass.
The firewall itself must be immune to malicious
attacks.
46. Packet filtering firewall
Packets (small chunks of data) are
analyzed against a set of filters.
Packets that make it through the filters are
sent to the requesting system and all others
are discarded.
47. Packet filtering rules
Based on …
source address
destination address
options in the network header
transport-level protocol (i.e., TCP, UDP, ICMP, etc.)
flags in the transport header
options in the transport header
source port or equivalent if the protocol has such a
construct
destination port or equivalent if the protocol has such
a construct
the interface on which the packet was received or will
be sent
whether the packet is inbound or outbound
48. Packet filtering rules
Defaults
Two types of defaults
Discard those packets that are not explicitly
permitted.
Forward (or Accept) those packets that are not
explicitly prohibited.
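The following added example (not from the original slides) evaluates packets against an ordered ruleset built from the fields listed above and shows how the two default policies diverge on a packet that no rule mentions. The rule format, the internal network 10.0.0.0/8, the web server address, and all sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out" relative to the protected network
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # None for protocols without ports (ICMP)

@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def decide(rules, packet, default):
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Constructed policy: 10.0.0.0/8 is internal, 10.0.0.80 is a public web server.
RULES = [
    # An inbound packet that claims an internal source address is spoofed.
    Rule("discard", direction="in", src="10.0.0.0/8"),
    Rule("accept", direction="in", proto="tcp", dst="10.0.0.80/32", dport=443),
    Rule("accept", direction="out", proto="udp", dport=53),
    Rule("discard", direction="in", proto="tcp", dport=23),
]

# Constructed packets (external hosts use documentation address ranges).
WEB = Packet("in", "tcp", "203.0.113.7", "10.0.0.80", 443)
SPOOFED = Packet("in", "tcp", "10.1.2.3", "10.0.0.80", 443)
TELNET = Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 23)
UNLISTED = Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 3389)

def compare_defaults(packet):
    """Verdicts under default-discard and default-accept, in that order."""
    return decide(RULES, packet, "discard"), decide(RULES, packet, "accept")

if __name__ == "__main__":
    for name, pkt in [("web", WEB), ("spoofed", SPOOFED),
                      ("telnet", TELNET), ("unlisted", UNLISTED)]:
        print(name, compare_defaults(pkt))
```

Only the unlisted packet changes verdict between the two defaults: under default-accept, every service the rule author forgot to mention is reachable.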
50. Limitations of packet filtering
firewall
Cannot prevent application-layer-specific
vulnerabilities.
Logging info is limited due to the fact that the info
available to such a firewall is limited.
Does not support advanced user authentication.
Vulnerable to some attacks such as IP address
spoofing, source routing attacks, and tiny fragment
attacks.
Susceptible to improper configuration.
51. Limitations of packet filtering
firewall …
The most important limitation is the difficulty of
writing correct filters.
It cannot determine which user is causing which
network traffic.
It can inspect the IP address of the host where
the traffic originates, but a host is not the
same as a user.
52. Limitations of packet filtering
firewall …
In some cases the local machines know
context of the communication that is not available
to the firewall.
For example, a file transfer may be allowed or
denied based on what file is being transferred
and by whom. The firewall does not have
this local, contextual knowledge.
53. Stateful inspection firewall
Packet filter with state – also called dynamic packet filtering
Stateful inspection improves on the functions of packet
filters by tracking the state of connections and blocking
packets that deviate from the expected state.
This is accomplished by incorporating greater awareness of
the transport layer.
As with packet filtering, stateful inspection intercepts
packets at the network layer and inspects them to see if
they are permitted by an existing firewall rule, but unlike
packet filtering, stateful inspection keeps track of each
connection in a state table.
While the details of state table entries vary by firewall
product, they typically include source IP address,
destination IP address, port numbers, and connection state
information.
54. Stateful inspection firewall
Packet filter with state – also called dynamic packet filtering
Three major states exist for TCP traffic—connection
establishment, usage, and termination.
Stateful inspection in a firewall examines certain
values in the TCP headers to monitor the state of
each connection.
Many firewalls are more cognizant of the state
machines for protocols such as TCP and UDP, and
they will block packets that do not adhere strictly to
the appropriate state machine.
For example, it is common for firewalls to check
attributes such as TCP sequence numbers and
reject packets that are out of sequence.
55. Stateful inspection firewall
Packet filter with state – also called dynamic packet filtering
Some protocols, such as UDP, are connectionless
and do not have initializing, establishing, and
termination states. For these protocols, most
firewalls with stateful inspection are only able to
track the source and destination IP addresses and
ports.
UDP packets must still match an entry in the state
table based on source and destination IP address
and port information to be permitted to pass.
For example, a DNS response (which is on UDP)
from an external source would be permitted to pass
only if the firewall had previously seen a
corresponding DNS query from an internal source.
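As an added example (not from the original slides), the sketch below keeps a state table keyed on addresses and ports and replays a constructed trace through it, covering both the TCP establishment/usage/termination states and the DNS-over-UDP case just described. It is simplified: there are no sequence-number checks or timeouts, and a FIN or RST removes the entry at once, whereas real products keep it through the closing exchange. All names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters: S, A, F, R, P ("" for UDP)
    outbound: bool = False  # True when sent by an internal host

class StatefulFilter:
    """Internal hosts may open connections; inbound packets need matching state."""

    def __init__(self):
        # (proto, inside ip, inside port, outside ip, outside port) -> state
        self.table = {}

    def handle(self, p: Pkt) -> str:
        key = ((p.proto, p.src, p.sport, p.dst, p.dport) if p.outbound
               else (p.proto, p.dst, p.dport, p.src, p.sport))
        state = self.table.get(key)
        if p.proto == "udp":
            # Connectionless: only addresses and ports can be tracked.
            if p.outbound:
                self.table[key] = "UDP_SEEN"
                return "accept"
            return "accept" if state else "discard"
        if state is None:
            # Establishment: only an outbound SYN may create an entry.
            if p.outbound and p.flags == "S":
                self.table[key] = "SYN_SENT"
                return "accept"
            return "discard"
        if state == "SYN_SENT":
            if not p.outbound and p.flags == "SA":
                self.table[key] = "SYN_ACK_SEEN"
                return "accept"
            return "discard"
        if state == "SYN_ACK_SEEN":
            if p.outbound and p.flags == "A":
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "discard"
        # Usage: state is ESTABLISHED. Termination: FIN or RST drops the entry.
        if "F" in p.flags or "R" in p.flags:
            del self.table[key]
        return "accept"

# Constructed trace; 10.0.0.5 is the internal host.
TRACE = [
    Pkt("udp", "198.51.100.53", 53, "10.0.0.5", 40000),                 # DNS response, no query yet
    Pkt("udp", "10.0.0.5", 40000, "198.51.100.53", 53, outbound=True),  # DNS query
    Pkt("udp", "198.51.100.53", 53, "10.0.0.5", 40000),                 # matching response
    Pkt("udp", "203.0.113.9", 53, "10.0.0.5", 40000),                   # response from another host
    Pkt("tcp", "10.0.0.5", 50000, "203.0.113.10", 443, "S", True),      # handshake begins
    Pkt("tcp", "203.0.113.10", 443, "10.0.0.5", 50000, "SA"),
    Pkt("tcp", "10.0.0.5", 50000, "203.0.113.10", 443, "A", True),
    Pkt("tcp", "203.0.113.10", 443, "10.0.0.5", 50000, "PA"),           # data on the connection
    Pkt("tcp", "203.0.113.10", 443, "10.0.0.5", 50001, "A"),            # no such connection
    Pkt("tcp", "10.0.0.5", 50000, "203.0.113.10", 443, "R", True),      # teardown
    Pkt("tcp", "203.0.113.10", 443, "10.0.0.5", 50000, "PA"),           # arrives after teardown
]

def replay(trace):
    """Run a trace through a fresh filter and return the verdict per packet."""
    fw = StatefulFilter()
    return [fw.handle(p) for p in trace]

if __name__ == "__main__":
    print(replay(TRACE))
```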
56. Proxy-server firewall
What is a proxy server?
Acts on behalf of other clients, and presents
requests from other clients to a server.
Acts as a server while talking with a client.
57. Proxy-server firewall
What is a proxy server?
It is a server that sits between a client
application (Web browser), and a real server.
It intercepts all requests to the real server to
see if it can fulfil the requests itself.
If not, it forwards the request to the real
server.
58. Proxy-server firewall
What is a proxy server?
Mainly serves three purposes:
Improve performance
Can dramatically improve performance for a group of
users.
It saves all the results of requests in a cache.
Can greatly conserve bandwidth.
Filter requests
Prevent users from accessing a specific set of web sites.
Prevent users from accessing pages containing some
specified strings.
59. Proxy-server firewall
What is a proxy server?
Anonymize access
Hide the user’s IP address, thereby
preventing unauthorized access to user’s
computer through the Internet.
All requests to the outside world originate
with the IP address of the proxy server.
60. Proxy-server firewall
These firewalls contain a proxy agent that acts as an
intermediary between two hosts that wish to communicate
with each other, and never allows a direct connection
between them.
Each successful connection attempt actually results in the
creation of two separate connections—one between the
client and the proxy server, and another between the proxy
server and the true destination.
The proxy is meant to be transparent to the two hosts.
Because external hosts only communicate with the proxy
agent, internal IP addresses are not visible to the outside
world.
The proxy agent interfaces directly with the firewall ruleset
to determine whether a given instance of network traffic
should be allowed to transit the firewall.
61. Proxy-server firewall
In addition to the ruleset, some proxy agents
have the ability to require authentication of each
individual network user.
This authentication can take many forms,
including user ID and password, hardware or
software token, source address, and biometrics.
62. Proxy-server firewall
For truly application layer firewalls, you’d need a separate
firewall for each different type of service. For example, you’d
need separate firewalls for HTTP, FTP, SMTP, etc.
A more efficient alternative consists of using a protocol
between the application layer and the transport layer. This is
sometimes referred to as the shim layer between the two
layers to trap the application-level calls from intranet clients
for connection to the servers on the internet.
63. Proxy-server firewall
Using a shim layer protocol, a proxy server can monitor all
session requests that are routed through it in an application-
independent manner to check the requested sessions for
their legitimacy.
In this manner, only the proxy server, serving as a firewall,
would require direct connectivity to the internet and the rest
of the intranet can “hide” behind the proxy server.
64. Proxy-server firewall
Commonly available proxies
The SOCKS protocol (RFC 1928) is
commonly used for designing shim
layer proxy servers.
Squid is another example.
Available on all platforms.