Enterprise Computing (part 6.3) Secure Directory Services

Video Activity

This lesson focuses on Secure Directory Services, covering the following topics and how they relate to network security:

  • Lightweight Directory Access Protocol (LDAP)
  • Active Directory
  • Federated ID
  • Single Sign On (SSO)

Video Transcription
Now there are other ideas, networking ideas in the realm of security and in the realm of network infrastructure. LDAP, which stands for Lightweight Directory Access Protocol.
This is the protocol behind any sort of directory services structure. NetWare Directory Services was, uh, long before Windows Active Directory. But the idea is we have this
organizational management security tool. Again, most people can relate to Windows Active Directory and its way of organizing our network.
It's one of those inverted trees where we start with the root, and then we come down to domains, then we have organizational units, then we have groups and so on. But the idea is, it gives me a way of organizing my users, my groups, my domains, my physical sites for the purpose of policy, distribution of software.
It's so much more than just a security database or,
ah, an authentication database.
Really, LDAP has kind of revolutionized network management, and this goes back years and years ago. Now the predecessor to LDAP was a protocol called X.500, which was the original directory services protocol. It was very cumbersome. There was a lot of overhead with it.
It was very slow because it tried to do too many things at once,
so X.500 was scaled back, which is why the name Lightweight Directory Access Protocol: it was made much more efficient and much easier to integrate with. So that's LDAP. And of course, that's the protocol that's the basis for Active Directory. But also back in the days when Novell ruled the Earth,
LDAP was the underlying protocol there.
Now the idea of Federated Identities and Single Sign On. When we talk about Federated Identities, when we talk about single sign on, sometimes it's easiest to understand when we go back to what we had before we had single sign on.
Let's say, at a network of 10 or 15 computers,
I would arrange those computers or connect them, and very frequently what we configured was a peer-to-peer environment.
So I didn't have a specific system designated as the server. I have 15 computers that are all peers, each one of them capable of sharing resources, each one capable of accessing resources. But now the problem with that is, if I've got 15 different machines, each one hosting information that maybe I need access to,
I had to log on to the security database on each one of those 15 machines to access my resources.
Way too much for users to keep up with.
And one of the things that we'll talk about is the benefit of single sign on, because if users have 15 different passwords to keep track of, what do you think the first thing they're gonna do is? They're gonna grab their pen and they're gonna write those passwords down, and then they're gonna put that password list on a sticky note on their monitor,
or, my personal favorite, the top secret underneath the keyboard.
No one ever thinks to look there.
Um, so the environment had to change. Peer-to-peer networks put too much weight on the users. So instead, most corporations shifted to a client-server environment where you provide login credentials to an authentication server. In exchange, that authentication server gives you a token,
and that token contains your list of groups to which you're a member.
And then every time I go to access, maybe, a resource like a printer,
my access token that has my group membership is matched up against the access control list on the printer.
So I've got a token that shows I'm a member of the sales group.
That access control list on the printer says sales group gets to print. Therefore I get to print.
So that idea of single sign on, where I get a token, my user account has a token associated with it, and all access to systems is based on that token rather than me having to provide new credentials, that was a huge step in the right direction: one sign on and then access to multiple resources.
But, as you can imagine, if my one set of credentials gets compromised, well, whoever's compromised those credentials has access to whatever I had access to in the domain. Sometimes we refer to that as, ah, the idea of keys to the kingdom.
So if you get a compromise, you have access to everything.
Well, one of the things that's happening today is that single sign on is expanding beyond just our domain.
Maybe I have a partner organization and users in my domain wanna access resources in my partner's organization.
Well, we might set up what we refer to as a Federated trust.
So we have a trust relationship across different organizations, and that authentication token can pass across those trusts. So ultimately, not only do I have a login for my domain, but that same set, that same login
grants me a token that I can use to access your domain, assuming the trust relationship has been configured.
We're now seeing that across the Internet. So whereas I can access a resource, maybe for the Washington,
um, Washington Journal, and provide my Facebook credentials to access the Washington Journal. Why? Because there's a Federated Trust from those organizations and my authentication token can span that Federated Trust. What does that mean? That means I have fewer user names and passwords to keep up with,
because if you think about it, how many of you have more than 10 passwords to keep up with?
And I would imagine every person on the planet, with few exceptions, has at least 10 passwords. If you think about all the passwords at work,
at home, for this website or another, we've got a lot of passwords. So if, instead, rather than having 20 different user names and passwords, we have a single online identity, maybe that's bound to our social media accounts like Twitter, Facebook or whatever,
then we only have to keep up with that one set of credentials.
What's the downside? We only have that one set of credentials. So again, an attacker that compromises those credentials has access, the keys to the kingdom. So obviously, pros and cons. We're always, always balancing the need for security with
ease of use, keeping it simple for our users, making it seamless to our users
while still providing security.
And what many people would argue is that idea of keys to the kingdom and having users have just one set of credentials. Some people would argue that just by having a single set of credentials, users are better able to choose complex passwords that aren't easily guessed.
They're easier to protect because there's just one set of credentials, and the alternative is users writing down their 20 passwords or, even worse, users using the same password again and again and again. Um, you know, I think it's something like 70% of users use their online banking password
in multiple locations.
Users need things to be easy. The easier I can make things for my users, ultimately, in the long run, that leads to security. So ideas like single sign on help improve security with passwords. And now what we're seeing today across the Web is single sign on. You can make your arguments of good or bad,
but certainly, if nothing else, that reduces the weight on users to have good passwords
and to store those securely.
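The token-against-ACL check and the federated trust described in the transcript, as an added toy model that is not part of the lesson: the domain names, the HMAC signing keys, the LDAP-style DNs and the printer ACL are all constructed, and a shared HMAC secret stands in for whatever a real deployment (Kerberos, SAML, OpenID Connect) would use.

```python
"""Toy model of an SSO token and a federated trust (constructed example)."""
import hashlib
import hmac
import json

# Constructed per-domain signing keys.  A real deployment would use
# Kerberos, SAML or OpenID Connect rather than a shared HMAC secret.
DOMAIN_KEYS = {
    "corp.example": b"corp-signing-key",
    "partner.example": b"partner-signing-key",
}

# Directory contents as LDAP-style DNs (the inverted tree: dc -> ou -> cn).
# Maps each user DN to the group DNs the user belongs to.
DIRECTORY = {
    "corp.example": {
        "cn=alice,ou=users,dc=corp,dc=example":
            ["cn=sales,ou=groups,dc=corp,dc=example"],
    },
}

def issue_token(domain, user_dn):
    """Authentication server: sign a token listing the user's groups."""
    claims = {"issuer": domain, "user": user_dn,
              "groups": DIRECTORY[domain][user_dn]}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(DOMAIN_KEYS[domain], body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def check_access(token, acl, trusted_domains):
    """Resource side: trusted issuer, valid signature, then ACL match."""
    claims = json.loads(token["body"])
    issuer = claims["issuer"]
    if issuer not in trusted_domains:  # no federated trust with the issuer
        return False
    expected = hmac.new(DOMAIN_KEYS[issuer], token["body"],
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False  # tampered token (e.g. group list edited in transit)
    return any(group in acl for group in claims["groups"])

# A printer in corp.example whose ACL grants the corp sales group.
PRINTER_ACL = {"cn=sales,ou=groups,dc=corp,dc=example"}

if __name__ == "__main__":
    tok = issue_token("corp.example", "cn=alice,ou=users,dc=corp,dc=example")
    print(check_access(tok, PRINTER_ACL, {"corp.example"}))     # True
    print(check_access(tok, PRINTER_ACL, {"partner.example"}))  # False
```

The second call shows the other side of the trust: a partner resource that has not configured a trust with corp.example rejects the same token even though its signature is intact.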