Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
So could gross.
00:07
Kerberos is used in windows and in Windows Active directory. Excuse me. When was active directory supports and tell em, but would rather use Kerberos.
00:18
Karos is a lot more secure.
00:20
Developed a m i t.
00:24
They fall within the casement windows 2000 higher networks and also supports you, Nick Networks in UNIX. You'll you may actually see it labeled as a Kerberos realm.
00:35
That's what they call the equivalent to an active directory domain.
00:40
Why could rose
00:43
one time with indication what they do in the sea if it's in here?
00:48
Yep. Lady. Okay.
00:50
One time authentication for multiple network service is used. Indicate once and then you're good. You don't have to get re challenged every time you go back to that printer. Every time you go back to the file,
01:02
use the strong cryptography,
01:03
um, and tell him can be broken. The hash algorithms aren't good enough,
01:10
and you can authenticate two ways you authenticate the server you're talking to is really the server you think you are. And the server. Then, in case that you're really the user that you say you are
01:23
so server Corbeau servers or the active directory domain controller is actually a key distribution center,
01:29
and what it does is it grants tickets
01:33
and access to resource is is done. Buy tickets.
01:38
So what's funny about it is the first ticket it grants is a ticket granting ticket
01:46
sound right
01:47
Okay with you.
01:49
So when you first authenticate to the to the active directory or to the domain,
01:53
you get a ticket branding ticket
01:57
that take a granny ticket allows you to ask for
02:00
used tickets.
02:02
So when you want to go use a resource on a server, you take your ticket granting ticket and say, I need to use ticket from you.
02:09
So if it's a file server, the file server will take your ticket granting picket. Check it, verify it. If it's correct, then it gives you a use ticket, and then you use the use ticket
02:21
for your access to that service,
02:24
and we'll make that work is once I'm giving that used ticket. I don't have to authenticate again. What do I have that ticket,
02:31
and by the way of the tickets piece of the paper,
02:35
what do you think they might be?
02:38
A little bit of certificates,
02:42
so that's the idea behind it.
02:44
is
02:45
want to authenticate to a resource,
02:47
then it's all going to maintain that ticket. You can go back to that resource and continue to use it. Now. The tickets do eventually expire. How it happens is when they expire, itjust renews and gives you a new certificate again.
03:01
You and your ticket.
03:07
At that point, you are rethinking when you get the new ticket, but only long enough to get a ticket. Not every time you try to access the resource.
03:21
So K D. C. It's called the key distribution center, and that's the place with the copy of the user's credentials. So in Windows, what would that be?
03:30
Over the K. D. C. V
03:31
Domain Controller. Perfect.
03:36
Yeah,
03:36
The main control is the key distribution center.
03:40
So here's your crew grows with in case an example.
03:45
Step one.
03:47
Use the sensor log in information requesting your ticket graining ticket.
03:53
Step to it, gets the ticket grain and kick it back.
03:57
Step three.
03:58
The T G T. Is used to get a service ticket for some network service. You want to talk to you? Do you wanna print? You want to get a file you want to connect to the mail server, whatever it is and the service ticket goes back.
04:11
And now you take that service ticket, and every time you want to go to that resource, you just present the service ticket.
04:16
And because the service tickets already been authenticated, you don't have to be re authenticated every time you go.
04:28
So
04:29
that's Karos. What is my weight? Direct
04:31
my way. Directory access protocol L dap.
04:36
I know it's a subset of the Exxon 500 standard.
04:41
Everybody feels much better now knowing that, right?
04:45
The extra 500 standards is this huge standard for naming conventions and how you write names out.
04:51
You most likely to know Exxon 500 because extra 500 is what email names are built out of
05:00
Exxon five hundred's what D. N s names are built out of,
05:03
they all compliant with the extra 500 standard.
05:06
So in l doubt they took a subset of the Exxon 500 standard and says much right user names out of them.
05:15
So they're just a consistency thing
05:18
is also an object oriented model,
05:24
and what it means is that the user account is an object.
05:29
Ah, machine account is an object
05:34
and
05:35
the way they used optics is the object. If I have a user accounts and I have a password
05:43
or I have some authentication method, I also have the ability to go around the system with a certain set of rights.
05:51
That's my authorization. I ca n't touch these files. I can't touch those files.
05:58
Where the optic part comes in is who gets to set my rights.
06:05
Yeah,
06:06
well, not necessarily. Owner of the Arctic. Anybody? No.
06:12
They get to set the rights of the files. Who gets to set my set of rights?
06:16
Yeah,
06:17
right. Well,
06:19
board directly.
06:20
Anybody who's given permission to make changes to that object.
06:30
So what happens is not only do I have rights to talk to files,
06:32
there are objects. Rights is who gets to step, who gets to change my password.
06:39
Who gets to reset my account?
06:42
Who gets to tell me what files I can talk to who gets to tell me what groups Aiken belong to?
06:47
That is the object permissions
06:51
around the object called
06:54
Joe Mays.
06:56
So the Joe Mays use your account
06:58
has permissions about who can touch that user account to make changes to it.
07:02
Some people can read it
07:04
but not change it. Other people contained some parts of it.
07:08
Some people can change all parts of it,
07:11
and that's the object model. The object oriented model
07:15
is. That's how people control.
07:17
What's it helped us get to do if the help desk can probably reset my account if I screw up my password?
07:25
But the help desk can't make me a domain administrator,
07:30
that's the object oriented part
07:31
is they put an object essentially like a box around every account, every user name
07:41
around every service account
07:44
you like. What service is running
07:46
the
07:47
exchange? What service there Any email?
07:50
Well, not only what service is on the email, but who can change that servers who can modify that service.
07:57
Everything is objects like that,
07:59
and it's all logical thing.
08:01
But the concept is that you can now control
08:05
who can do what in your network.
08:07
Prior to that, if you go back
08:11
two Windows and T, which waas
08:13
what ran up until 2000.
08:16
They had a couple of predefined groups, and you really couldn't change what they could. D'oh!
08:22
In the object oriented world, you can go into anything, and you can change the optics any way you want it.
08:28
So it's very, very granular in terms of what permissions. I could give you permission. Detained my path word I could give, you know, condition changed my password.
08:37
You can have permission to lock my account out, but not changed my password.
08:41
It could be that granular
08:43
and
08:45
I can also take these people and put them in groups.
08:50
And I can say anybody in that group can have permission to change my password.
08:54
Anybody in that group and have present permission nor my account.
09:00
So the object oriented model is what allows all the variable nous and all the granularity in terms of who's got control of the network and in the network as large as the Air Force. Right?
09:13
The old model wouldn't have worked. It wouldn't have worked to have 5000 domain advance
09:20
all across the Air Force for a f dot mil,
09:24
but instead we have admissions that can take care of people just on one base.
09:30
If you belong to that base, then you have the ability to change that person's attributes.
09:37
But you can't change the person's after abuse. It often
09:41
somebody in office
09:41
is a person has the attributes for that or central help desk can.
09:48
But the idea is you can now be there, that out. So you don't have tons and tons of people running around with domain admin rights just to run the network.
09:56
Because if you had 5000 domain admin, how long you think could be before the never crashed?
10:03
All right,
10:05
you'd have people all over the earth making changes, and the changes they made would be incompatible with somebody else's changes. And pretty soon the thing would just melt down.
10:15
So true domain admin Zehr Probably a very select group of people way at the top Top top.
10:20
Everybody else has given a subset.
10:24
They're giving the rights they need to take care of the people they have and the systems they have, but not enough rights to run the whole network.
10:31
And they can do that because of that optic Korean bottle.
10:37
So Windows Active Directory,
10:39
the route unit for trust, is a is called the forest,
10:45
and one or more domains will exist inside a forest.
10:48
The route security container is called a domain.
10:52
So what happens is when you make multiple domains inside the same forest, they're automatically trust each other.
10:58
Trusting each other means that if I want to, I can let somebody from this base have rights over here.
11:07
If they're not trusted,
11:09
then even if I try to, I can't give somebody from the Army writes in the Air Force,
11:16
because they're in two different trust. Two different
11:20
forests.
11:22
That's the difference
11:24
within the Air Force within a truck. A for a structure
11:28
if I want to. I can grant rights to cross domains just by doing it.
11:33
If I don't have
11:35
the same forest
11:37
over here, I got the Army Forest over here. Get the Air Force Forest.
11:41
There's no way to give rights from Army people into the Air Force forest without manually
11:48
creating a trust.
11:48
And that's why you've seen in the Air Force. If you've been involved in the Air Force I T.
11:54
Or any of the military service is, they've gone to have fewer and fewer forests
12:00
and put more and more domains inside the same forest because it's easier to manage.
12:05
And for some of you
12:07
who's been in long enough that you've had your email address change a couple of times,
12:13
that's part of The effect of that is as they're cutting down on the number of forests
12:20
they cut down on the number of email address
12:24
extensions because e mails are connected to forests.
12:31
So Federated Systems,
12:33
uh, Federated Systems came about because when Microsoft originally developed active directory in the Active Directory Forest, they said, We'll never need anything bigger than this.
12:46
What do you think happened?
12:48
Yeah, they needed something bigger.
12:52
So the bigger thing now is to have Federated Systems and Single Sign On and The Federated Systems means I can create something bigger than a forest.
13:01
I can take multiple forests and make them all work together.
13:05
It goes back to the trust issue that says, Do I trust the other guy's security levels and the other guy's security implementation the other guy's security on it?
13:15
So it's gonna take a long time for this to work.
13:16
But when it does work, what See I was
13:20
what's the reasoning behind it? Wise, wise and work all the effort
13:26
19 accounts for one person because they move around a difference. No need 19 accounts as they move. And that's a good thing because
13:37
from a security standpoint,
13:39
we know why It's a good thing from a manpower standpoint. Why is it a good thing from security?
13:46
A set of rules for that person?
13:48
Change or recreate?
13:52
Cry?
13:54
Yeah, You say one set of rules and the saints of the rules everywhere. So for those reasons, if you ever could get everybody together
14:01
and put them on the same bucket,
14:03
they don't have the same security policies. You don't have the same security enforcement. You would have a quote unquote safer environment, right?
14:13
At least ask. The idea behind it
14:15
is to have uniformity of security. So there is no weak spot.
14:20
If everybody gets to set their own security, somebody's gonna be the weak one.
14:24
They're all set the same. Then everybody gets the same security and the other advanced to that is what if a new threat comes up that's never been seen before.
14:37
Soon as you understand it, and soon you know how to come, how to defend against it. Once you apply, you've applied it
14:45
everywhere.
14:48
You don't have to call up 27 people and hope they all applied it
14:52
for 270 people or 2700 people. Right?
14:58
So P k I
15:03
Anybody want to take a wild guess is toward a p K. I might have to do with Federated Systems and single sign on.
15:13
So she
15:15
those accounts
15:16
and you could create a p k I infrastructure that could
15:20
support multiple forests,
15:22
put all the trussed up in the P K I level
15:26
and allow multiple forest to talk to each other via a trusted P K I.
15:31
All right,
15:33
So
15:35
that's where that's eventually going.
15:37
We're gonna get there in my lifetime.
15:41
We're gonna get there in your lifetime.
15:43
I'm not taking any bets on there
15:48
At the same time,
15:48
I remember when
15:50
there was no centralized control of domain law guns at all.
15:54
So candy's big changes get made.
15:58
Yeah, they actually can.
16:00
They actually can't happen.
16:04
So never communication best practices used curtain rose.
16:07
Any time you can
16:11
use in, tell him only when you have to. And if you have to least make it intel on B two, and if you're capable of doing it, put it in his own domain so that only that domain
16:22
has to support and tell him
16:23
so the whole system doesn't have to support it.
16:27
Enforced password policies. We know about password policies
16:34
and out of network passwords regularly. That's an interesting point. Um, cane or cane enable?
16:42
Or John the Ripper? Did those sound like, you know, people you want to have come visit you for dinner, right?
16:49
Those are actually cracking tools,
16:52
password cracking tools. So why are we introducing password cracking tools into the system?
17:00
I had to see if your passwords or crackle right now were used. We're taking hack rituals and using a minute security tools
17:08
because we figure if we can't hack it with John the Ripper that nobody else can either.
17:14
And we might as well check first cause somebody else is going to try.
17:18
So since somebody else is gonna try, why don't we get to it first?
17:21
And if somebody has a weak password, will find it and have him fix it.
17:26
You know what's funny?
17:29
Most people don't have the ability to even create a week Password. Correct.
17:34
Great.
17:37
So where do you think weak passwords are most likely to live?
17:42
Personal computer
17:45
and I t at Mons
17:48
because they're the ones that can exempt themselves from the password requirements, right?
17:56
Think about that for a minute. Dealing people that can make weak passwords are the people who control the network.
18:03
Ah,
18:03
which is why you need third party auditing.
18:07
You need someone else to come in. Make sure that nobody got tempted to actually say I'm tired of typing these long passwords. I want to make my password password,
18:15
Okay?

Up Next