4.2 Understand Kerberos Authentication and Domain Security

 Kerberos Authentication and Domain Security
 Trust relationships between domains
 IP Security (IPsec)
Kerberos Authentication
 Kerberos is a computer network authentication protocol that works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
 Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network (such as the Internet).
 Kerberos is built into all major operating systems, including Microsoft Windows, Apple OS X, FreeBSD and Linux.
 The Kerberos version 5 authentication protocol provides a mechanism for authentication and mutual authentication between a client and a server, or between one server and another server.
 The three heads of the Kerberos protocol represent a client, a server and a Key Distribution Center (KDC), which acts as Kerberos' trusted third-party authentication service.
 Users, machines and services using Kerberos need only trust the KDC, which runs as a single process and provides two services: an authentication service and a ticket granting service.
 KDC "tickets" provide mutual authentication, allowing nodes to prove their identity to one another in a secure manner.
 Kerberos authentication uses conventional shared-secret cryptography to prevent packets traveling across the network from being read or changed, and to protect messages from eavesdropping and replay attacks.
Kerberos advantages:
 Very secure, preventing various types of intrusion attacks
 Uses tickets that can be securely presented by a client, or by a service on the client's behalf, to the server for access to services
 Permits cross-forest trusts to use transitive properties and eliminates the full-mesh scenario
 Permits interoperability with other Kerberos realms, such as Unix, so that non-Windows clients can authenticate to a Windows domain and gain access to resources
 Provides authentication across the Internet for Web apps
KERBEROS AUTHENTICATION PROCESS
1. To start the Kerberos authentication process, the initiating client sends a request to an authentication server for access to a service. The initial request is sent as plaintext because no sensitive information is included in the request.
2. The authentication server retrieves the initiating client's private key, assuming the initiating client's username is in the KDC database. If the initiating client's username cannot be found in the KDC database, the client cannot be authenticated and the authentication process stops. If the client's username can be found in the KDC database, the authentication server generates a session key and a ticket granting ticket.
3. The ticket granting ticket is timestamped and encrypted by the authentication server with the initiating client's password.
4. The initiating client is then prompted for a password; if what is entered matches the password in the KDC database, the encrypted ticket granting ticket sent from the authentication server is decrypted and used to request a credential from the ticket granting server for the desired service. The client sends the ticket granting ticket to the ticket granting server, which may be physically running on the same hardware as the authentication server, but performing a different role.
5. The ticket granting service carries out an authentication check similar to that performed by the authentication server, but this time sends credentials and a ticket to access the requested service. This transmission is encrypted with a session key specific to the user and service being accessed. This proof of identity can be used to access the requested "kerberized" service, which, once it has validated the original request, will confirm its identity to the requesting system.
 The timestamped ticket sent by the ticket granting service allows the requesting system to access the service using a single ticket for a specific time period without having to be re-authenticated. Making the ticket valid for a limited time period makes it less likely that someone else will be able to use it later; it is also possible to set the maximum lifetime to 0, in which case service tickets will not expire. Microsoft recommends a maximum lifetime of 600 minutes for service tickets; this is the default value in Windows Server implementations of Kerberos.
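The five steps above and the ticket-lifetime rule, modelled as an added Python example that is not part of the original slides. The KDC database, the principal names "alice" and "http/web01", and the SHAKE/HMAC toy cipher are constructed for this example only; real Kerberos uses AES-based encryption and ASN.1 messages.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (SHAKE-256 keystream + HMAC-SHA256 tag), constructed
# here as a stand-in for the AES-based encryption real Kerberos uses for tickets.
def seal(key: bytes, obj: dict) -> bytes:
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")   # a wrong password lands here (step 4)
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def user_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()     # long-term key derived from the password
# Constructed KDC database: one user principal and one service principal (hypothetical names).
KDC_DB = {"alice": user_key("correct horse"), "http/web01": os.urandom(32)}
TGS_KEY = os.urandom(32)              # key known only to the ticket granting service
MAX_TICKET_LIFETIME = 600 * 60        # 600 minutes, the Windows default; 0 means never expire

def as_exchange(username: str) -> bytes:
    """Steps 1-3: plaintext AS-REQ; the AS looks the principal up and issues a timestamped TGT."""
    if username not in KDC_DB:
        raise LookupError("principal not in KDC database")   # authentication stops here
    sk = os.urandom(32).hex()         # session key shared between client and TGS
    tgt = seal(TGS_KEY, {"user": username, "sk": sk, "ts": time.time()})
    return seal(KDC_DB[username], {"sk": sk, "tgt": tgt.hex()})   # AS-REP under the user's key

def tgs_exchange(tgt_blob: bytes, service: str, lifetime: int = MAX_TICKET_LIFETIME) -> bytes:
    """Step 5: the TGS validates the TGT and issues a service ticket sealed with the service's key."""
    tgt = unseal(TGS_KEY, tgt_blob)
    svc_sk = os.urandom(32).hex()     # session key specific to this user and service
    ticket = seal(KDC_DB[service], {"user": tgt["user"], "sk": svc_sk, "ts": time.time(), "life": lifetime})
    return seal(bytes.fromhex(tgt["sk"]), {"sk": svc_sk, "ticket": ticket.hex()})

def client_login(username: str, password: str, service: str, lifetime: int = MAX_TICKET_LIFETIME) -> bytes:
    """Step 4 from the client's side: decrypt the AS-REP with the password-derived key, then ask the TGS."""
    as_rep = unseal(user_key(password), as_exchange(username))
    tgs_rep = unseal(bytes.fromhex(as_rep["sk"]), tgs_exchange(bytes.fromhex(as_rep["tgt"]), service, lifetime))
    return bytes.fromhex(tgs_rep["ticket"])

def service_accepts(service: str, ticket_blob: bytes, now=None) -> str:
    """The kerberized service decrypts the ticket with its own key and enforces the ticket lifetime."""
    t = unseal(KDC_DB[service], ticket_blob)
    now = time.time() if now is None else now
    if t["life"] and now > t["ts"] + t["life"]:
        raise PermissionError("service ticket expired")
    return t["user"]
```

Note that the client never sees the TGS or service keys: it only ever decrypts material sealed under its own password-derived key or a session key, which is why a wrong password fails at step 4 rather than at the service.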


Trust Relationships between Domains
 Trust relationships are an administration and communication link between two domains. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
 Account information is shared to validate the rights and permissions of user accounts and global groups residing in the trusted domain without their being authenticated again. Trust relationships simplify user administration by combining two or more domains into a single administrative unit.
 There are two domains in a trust relationship:
The trusting domain. This domain trusts another domain to authenticate users for it.
The trusted domain. This domain authenticates users on behalf of (in trust for) another domain.
IP Security (IPsec)
 IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet-processing layer of network communication.
 IPsec is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services.
 IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
 IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPsec Security Features
 IPsec is the most secure method commercially available for connecting network sites.
 IPsec was designed to provide the following security features when transferring packets across networks:
Authentication - Verifies that the packet received is actually from the claimed sender.
Integrity - Ensures that the contents of the packet did not change in transit.
Confidentiality - Conceals the message content through encryption.
IPsec Components
 IPsec contains the following elements:
Encapsulating Security Payload (ESP) - Provides confidentiality, authentication, and integrity.
Authentication Header (AH) - Provides authentication and integrity.
Internet Key Exchange (IKE) - Provides key management and Security Association (SA) management.
4.3 Implement the Infrastructure, Authentication, and Auditing of Windows
Windows Server Authentication
 Authentication is a process for verifying the identity of an object, service or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the goal is to verify that the credentials presented are authentic.
 In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key only the user knows (as with public key cryptography) or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.
 Authentication techniques range from a simple logon, which identifies users based on something that only the user knows (like a password), to more powerful security mechanisms that use something that the user has (like tokens, public key certificates, and biometrics).
 Windows Authentication is used to verify that the information comes from a trusted source, whether from a person or a computer object, such as another computer.
Windows Server Auditing and Logging
 Windows auditing is a mechanism for tracking events. Knowing when and where these events occurred and who triggered them can help when doing Windows network forensics. It can also be very helpful in detecting certain types of problems, like improper rights assignments in the file system.
What is a Windows security audit?
 The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log.
 Example:
If the audit policy is set to record logins, a successful login results in the user's user name and computer name being logged, as well as the user name they are logging into. Depending on the version of Windows and the method of login, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability. The categories of events that can be logged are:
 Account logon events
 Account management
 Directory service access
 Logon events
 Object access
 Policy change
 Privilege use
 Process tracking
 System events
 Establishing audit policy is an important facet of security.
 Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
 Categories of events that can be logged:
1. Account logon events. Audit this to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller's Security log when a domain user account is authenticated on a domain controller. These events are separate from Logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Account logoff events are not tracked on the domain controller.
2. Account management. Audit this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
3. Directory service access. Audit this to see when someone accesses an Active Directory directory service object that has its own system access control list (SACL).
4. Logon events. Audit this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).
5. Object access. Audit this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend that unless you have advanced computer knowledge and know how to use the registry.
6. Policy change. Audit this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
7. Privilege use. Audit this to see when someone exercises a user right.
8. Process tracking. Audit this to see when events such as program activation or a process exiting occur.
9. System events. Audit this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it does not have permission to do. For example, if malicious software tried to change a setting on your computer without your permission, system event auditing would record it.
Figure: User logon activity (audit report)
Figure: Printer audit report
Windows Certification Authorities
 A certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate.
 Certificates are important credentials. Administrators may not want to let users decide which certificates to trust and which not to trust. Often the decision to trust or not trust a particular certificate should be made by an administrator or individual who is knowledgeable about the particular certificate and its trust implications for the organization.