Networks

Windows User Authentication: Active Directory

nikita-kachanovsky-571468-unsplash.jpg 

William Donaldson, Brent Carpenter, Tyler Dodds 
 
Abstract
The foundation of user authentication in Windows is using Active Directory. While Active Directory itself is used for domain level authentication, some vulnerabilities can be mitigated using various other tools, such as Kerberos, and if working remotely, the use of a RADIUS server or VPN to join the network securely. A domain is only as strong as its’ weakest link, so the use of policies and password strength to prevent unnecessary access are integral to its’ use. Throughout this project, we will cover these, and other methods of authentication integrated with Active Directory. Some of the various topics we will address are Active Directory SSO (Single Sign-On), password policies, DNS (Domain Name System), Azure, and will include a hands-on project featuring a step-by-step guide of a Server 2012 R2 install.
Active Directory is a database based system which provides authentication, policy, directory, and other services in Windows. Active Directory comes with most Windows Server operating systems and serves as a set of services and processes. When a server runs AD DS (Active Directory Domain Services), it is called a domain controller. Active Directory is also built upon the Lightweight Directory Access Protocol (LDAP), which is an application protocol used for modifying and querying items in the directory. Active Directory uses DNS (Domain Name System) and cannot assign rights and permissions to OUs. There are four types of partitions- Domain, Configuration, Schema, and Application. Active Directory offers security using SSL (Secure Sockets Layer) and Kerberos-based authentications.
Active Directory authentication enables users to log in as if they have an account in an AD domain. It offers more secure, scalable, and faster with authentication than with LDAP. By using domain logins, users are given access to resources throughout the whole domain. These domain user accounts are kept in an Active Directory domain and are installed on each domain controller, then copied throughout the domain. Before this can occur, the computer, a user, is trying to access using a domain account must be joined to a domain. Computers must authenticate to the domain’s Active Directory by initiated a computer login.
 In Active Directory, computers and users are deemed as equal security principles when attempting to retrieve network resources. However, to gain access to those resources both user and computer must have their identities verified. Active Directory makes authentication much easier in Windows client and server operating systems. However, it is important to remember that when using server operating systems, they can only operate as domain controllers and initiate Active Directory.
Kerberos is a network authentication protocol intended for Intranet usage, through a three-tier system that uses encrypted service tickets instead of the traditional username and password. Kerberos service tickets are created using the Kerberos Key Distribution Center, or KDC, and have a limited time to be used before the credentials become invalid. The KDC assigns key pairs to both the client and application server within an environment, so that it requires three systems to authenticate a transaction on the network.
            Service tickets not only have a limited time of use but are also unique to the client and server that they are being used to authenticate; this means that an intercepted service ticket on the network is of little use to an attacker since they would need to be able to authenticate as a user against the server. These benefits allow a single sign-on system to be used through Kerberos, authenticating a workstation that a user is logged in to access all the resources allowed within a Kerberos realm (domain).
            Some things to consider before implementing Kerberos authentication in an environment are that all connected systems will need to be within the same realm or a trusted realm. At that time, servers will need to be coordinated with all devices on a network, since Kerberos allows no more than five minutes of skewed time before authentication will fail. Active Directory is yet another means of authentication and can be integrated with Kerberos for single sign-on use with non-Windows systems. Active Directory essentially allows for single sign-on within a domain, to allow profiles and resources to be accessed from any system that is on the domain. This means that users without an account will not be able to access these resources and that user accounts and other objects can be centrally managed from a domain controller on a network, allowing resources to be allocated depending on organizational units, locations, and other unique identifiers assigned to each user.
Active Directory uses access control lists, or ACLs, to manage the resources that a user may access. Group Policy is another benefit, which allows groups to be created, and specific policies applied to them for different features within the environment, such as network shares and printers. This allows for the single sign-on environment to function from any system and permitting administrators to know who has access to what resources from the domain controller.
Having a strong password policy is a necessity for a secure environment. Passwords are used for user authentication on systems in a company, and companies with single sign-on configured can get users into many applications and business functions. Because of how much access users can be granted with a single password, it is necessary to have solid password policies. It should be noted that while strong passwords are the best option for any best practice, no password is truly uncrackable. Having a strong password just makes it harder and more time consuming for an attacker to crack it and gain authentication.
            Upon setup of a new domain, there is a default domain password policy already in place to offer initial password standards, but it is recommended not to be left at the default setting and instead strengthened. This is configured in group policy at the domain level, with a range of options available to configure. These options include a password history counter, maximum password age, minimum password age, a minimum password length, complexity requirements, and reversible encryption. Reversible encryption should never be enabled unless necessary; it essentially stores passwords in plain text so administrators can see them. Passwords, whether they are normally stored or with reverse encryption, are kept in the security account manager, which is a local database on each system. It should also be noted that password policies are configured at the domain level and cannot be applied to different organizational units in the Active Directory.
            What is defined as a strong password? Strong passwords are typically at least 8 characters in length, but some policies in sensitive environments may be greater than ten characters required. A good password policy requires a combination of uppercase letters, lower case letters, numbers, and generally at least a symbol of some sort. A symbol can be a dollar sign ($) or a percent sign (%), basically something that adds more complexity to the password. Password policies should also have a history remembrance of some sort so that users cannot reuse the same password repeatedly. Passwords should also be encouraged to not contain words in any dictionary as password attacks are a common thing that attackers can use to break other user’s passwords.
            Password policies extend to more than just what administrators can enforce on the server side as well. Users need to be educated that their passwords should only be known by them, not even the IT department should know end-user credentials if they do not need to. Coinciding with this, users should not have their passwords written down anywhere in their office space, especially not on sticky notes attached to their monitors. Other users in the office have no right to access their account with their credentials, and action should be taken if users are discovered to be allowing others onto their accounts.
            Password policies, to a degree, should also be influenced by the environment in which they are being used in. Hospitals, banks, and any organization that must adhere to compliance such as HIPAA should enforce more complex password policies than your average workplace. Data stored in environments such as those are more highly targeted and often work frequently with personal health information and identifiable information. These could range from medical records to credit cards to social security numbers. Regardless of which, any data breach in these environments results in enormous consequences and quite possibly a lack of trust from the public moving forward as they let their clientele know of the breach.
IP addresses are used for communication between any two devices on both internal and external networks. Because of the number of IP addresses out there, the length of IP addresses, and how many different places users travel to in one day, it is impossible to use IP addressing and remember it. Domain Name System, or DNS, is used to translate IP addresses into domain names such as Google.com and any other internal or external place a user may visit. An example of an internal location may be //ServerA/Users/UserA/Documents. DNS uses the network layer to translate a domain name to an IP address, which then allows you to reach your destination.
            Active Directory relies heavily on DNS to add and locate objects within the directory. Servers, computers, and other objects will be represented by their DNS name and not with their IP address. For Active Directory to work best, forward and reverse lookup zones must be set up on the server that hosts the domain DNS role. The forward lookup zone is used to convert hostnames into IP addresses. In the opposite sense, reverse lookup zones are configured to convert IP addresses into hostnames. At least one DNS server must be present and function in a domain for Active Directory and domain services, in general, to function properly.
            DNS can resolve host to IP addresses by checking with the local DNS servers, which checks the DNS table stored. If the DNS server’s table does not have a DNS record for that host or domain that is trying to be reached, it reaches out to the next DNS server and asks if it has the record in question. If that server does not have the DNS record, the question gets sent to the next DNS server in line. This process continues until the record is located and resolved, or no answer is returned, and the DNS resolution fails. There is a global hierarchy of DNS servers, but that entire process is outside the scope of this research paper.
 Active Directory provides many useful functions such as easier and more secure authentication in Windows. While LDAP provides many of these same functions like Active Directory, Active Directory is much more scalable, secure, and faster. By using Kerberos to enable nodes to communicate securely, it allows a single sign-on system to be used. The name Kerberos is based on the 3-headed guard dog of Hades in Greek mythology, which can’t be any more fitting since it grants the user access. Additionally, Active Directory SSO (Single Sign-on) makes providing credentials easier by automatically granting the user access to multiple applications.
 
Password policies, an integral part of any login security system, must be thorough and advanced. It is too common for users to use weak passwords such as, for example, their pet’s name; this type of information can be easily found on social media and then used to gain access. DNS (Domain Name System) is utilized by Active Directory to find objects within it as well as enable name resolution using raw IP addresses and common names. Active Directory simplifies the jobs of network administrators by maintaining a central repository of data and allows for reduced overhead through standardization. Active Directory provides more secure authentication and management for user and computer accounts, the simple application of policies, and numerous other benefits. Fully understanding what Active Directory is, how it works, and how it can be used is crucial for any IT professional to know.
 
References
Technet. (2017, March 20). How Interactive Logon Works. Retrieved from https://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx.
Dostálek, L., & Kabelová, A. (2006). DNS in Action: A Detailed and Practical Guide to DNS Implementation, Configuration, and Administration. Birmingham: Packt Publishing.
Wakefield, R. L. (2004). Network Security and Password Policies. CPA Journal, 74(7), 6-8.
Gibson, D. (2011). Microsoft Windows Security Essentials. Indianapolis, IN Wiley.
Active Directory. (2018). Msdn.microsoft.com. Retrieved from https://msdn.microsoft.com/en-us/library/bb742424.aspx.
Kerberos: The Network Authentication Protocol. (2018). Web.mit.edu. Retrieved from https://web.mit.edu/kerberos.

What Is Kerberos Login and Authentication? (2018). Technet.microsoft.com. Retrieved from https://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

 
 
 
 
 
 
 

 

 
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s