Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
All right. Enterprise network authentication.
00:09
The idea of enterprise network authentication is to have a uniform
00:13
authentication system, a uniform logon system that works all the way across your environment. If you do that, then you've got consistent rules. If you've got consistent rules, you've got consistent security,
00:25
so there's a number of ways to do it. Network communication:
00:29
PAP, Password Authentication Protocol,
00:34
CHAP, EAP, all this stuff. PAP is
00:37
one of the oldest authentication methods,
00:40
and the problem with PAP is it works, but it passes the passwords back and forth in the clear, the usernames and passwords.
00:47
So CHAP is an improvement on that one, and that one
00:51
uses hashes instead.
00:53
EAP, Extensible Authentication Protocol, is a protocol that allows you to write protocols.
01:00
Yeah, yeah,
01:03
basically, it's an authentication framework, and it says,
01:07
I've got this plugin that says, if you can write an end system
01:15
and you can write the end system rules for the user database,
01:18
plug it into my Extensible Authentication Protocol. Then it can work all the way across your network,
01:23
kind of like writing printer drivers into Windows.
01:26
Windows has this master printer driver that's always there. You can write to that, then it can talk to the printers.
01:34
EAP can be used anywhere, but it is primarily used in enterprise wireless.
01:44
RADIUS,
01:48
TACACS,
01:49
those are protocols that can be used, again, anywhere, but are primarily used in network management.
01:56
NT LAN Manager, NTLM. Anybody know where that's from?
02:00
That's Windows, right,
02:04
that's old Windows programming. And the funny thing is,
02:07
the new systems, all the way up to Windows 2012, still have the option of being backward compatible with NTLM,
02:16
and then we'll go to Kerberos.
02:20
Anyone know Kerberos?
02:24
Yeah.
02:27
Um,
02:29
yeah,
02:30
That's why we have the three-headed dog here. The three-headed dog that guards the entrance to Hades,
02:35
Cerberus.
02:37
So MIT developed an authentication system. They called it Kerberos,
02:42
the three-headed dog guarding, right,
02:45
and then PKI, Public Key Infrastructure.
02:49
So Password Authentication Protocol. Everything's in the clear. That's bad.
02:55
CHAP
02:57
uses hashes. That's better.
03:00
Rainbow tables have made CHAP somewhat dicey
03:06
because rainbow tables allow you to reverse
03:08
a hash and figure out what the password was,
03:13
or Extensible Authentication Protocols. Most of them are certificate based,
03:16
and that's the most secure way to do it.
03:23
RADIUS, Remote Authentication Dial-In User Service.
03:28
Anybody want to guess how old this protocol is?
03:32
Yeah. Ever since dial-in modems, right?
03:37
It still gets used today. It doesn't have to be dial-in modems. We use it over the network still.
03:42
Windows supports RADIUS. By default there's actually a RADIUS server built into Windows. Most other systems support RADIUS.
03:53
RADIUS works well,
03:55
uh, you can do it with a shared secret or encrypted passwords,
04:01
but most of it's just authentication,
04:05
um,
04:06
you can do authorization, but a lot of it is authentication only. TACACS, TACACS+,
04:15
the difference in TACACS and TACACS+
04:18
is it uses TCP instead of UDP. It can be encrypted.
04:24
And if you're using it to support network authentication gear and network gear,
04:29
uh,
04:30
one of the things that is difficult to do with network equipment like routers and switches is to give people granular access.
04:38
What do I mean by granular access?
04:43
Access control. What level of access for things like commands, right.
04:48
If you use TACACS+,
04:50
at least on Cisco,
04:54
you can actually list the commands they're permitted to use, and those are the only commands that work,
05:00
so you can set up accounts with TACACS and give people either help desk-level access or engineering-level access or root access, depending on what commands you allow them to run through TACACS.
05:15
So that's
05:15
TACACS wouldn't be as popular as it is if it weren't for that feature. But because of that feature, TACACS+ gets used a lot to manage network devices.
05:26
Now what people will do with RADIUS and TACACS is they'll have a RADIUS server or a TACACS server. And rather than make accounts for everybody,
05:36
you can actually take those servers and point them to another server
05:42
like an LDAP server.
05:45
Anybody know an LDAP server?
05:47
Windows Active Directory, right.
05:49
So the concept is, if you want to use TACACS and give people
05:54
just certain privileges or just certain commands they can run,
06:00
but you don't want to have a TACACS database and a separate user database, what you do instead is you create all the user accounts over here,
06:10
let the TACACS machine query,
06:13
and then by group here,
06:15
you group all the same people together with the same privileges, and you only give them certain commands they can run.
06:20
That way, they use their Windows logon,
06:24
they get filtered by TACACS for what commands they can run, and you have an enterprise-wide system that does it.
06:32
So NTLM,
06:34
NT LAN Manager,
06:36
New Technology LAN Manager, used in Windows 95, 98, NT, Windows 2000 networks.
06:46
Um, we
06:48
The reason this is weak is because
06:50
what it did was they took a password and broke it into seven-character chunks.
06:56
So your maximum password length could be 14.
07:00
But is it easier to break two seven-character
07:03
passwords or one 14-character password?
07:08
Two sevens. A lot fewer options, a lot fewer possibilities to run for two seven-character passwords.
07:14
And
07:15
for years
07:16
when I was in, right. It's not anymore. But for years when I was in,
07:20
in the 1990s, up to around 2000 and something,
07:26
the military required eight-character passwords.
07:30
Think about that for a second.
07:33
If you broke the first one into seven
07:38
and then you had the eighth character, did the eighth character add any complexity to the password at all?
07:44
No, because the eighth character, one run through the hash and you're done, right?
07:49
It's one character.
07:51
It's gotta be one of the 255 characters,
07:55
uh, 127 character options.
07:58
So eight-character passwords were really silly for NTLM.
08:03
Ah, and NTLM, then they went to NTLMv2, and NTLMv2 is the one still being used
08:11
now, and it's used for backward compatibility.
08:16
And they were actually, even up through Windows 2003,
08:20
they were actually enabled by default, and in Windows 2008
08:24
they're not enabled by default but can be turned on; in Windows 2012, not enabled by default but can be turned on,
08:31
and people would turn them on because they were running older operating systems
08:37
that only supported the earlier versions of authentication.
08:41
So if you had,
08:43
and even today, some systems are still running using very, very old operating systems, XP or even earlier.
08:50
If you're running those systems, you're running XP or even something earlier, if you have to run it,
08:56
your best solution is to create two domains.
09:00
One domain can run the really, really old system so you can turn on NTLM authentication for those
09:07
25 or 50 or 100 machines, whatever it is, and then another domain to support everybody that you're forcing into the more secure stuff,
09:16
because it's crazy to lower the standards, the security standards, for an entire base, for the entire Air Force,
09:22
just to support a handful of old systems.
09:26
That doesn't mean that it works that way. It doesn't work that way because I'm not sure what position the Air Force has taken, but that's definitely an option.
09:35
So NTLM: the user requests a session with the server.
09:41
Step two, the server issues a random string of bytes called a challenge to the client.
09:46
The client encrypts the challenge with the hash of the password, sends the encryption back as the response.
09:52
The server decrypts the response with the official password hash
09:58
and sees if it matches.
10:01
As long as they match, the user is authenticated.
10:07
So this is NTLM authentication
10:11
and Kerberos authentication, in terms of how it passes things back and forth.
10:16
One of the tricks on this one is
10:20
it incorporates a number of elements into the password. One of the password elements is time.
10:28
It's important in Windows devices to have everybody running on the same clock. Every domain,
10:35
every domain has a built-in time server.
10:39
It's part of building a domain to build the time server automatically.
10:43
The reason it's important to have a time server is if you're more than five minutes off from the domain controller you're trying to authenticate to, your passwords can fail.
