Saturday, October 27, 2012

Active Directory Security Risks Loom Large


Active Directory is one of the most ubiquitously used technologies in the world today, because virtually all organizations that operate on Microsoft's Windows Server platform are powered by Active Directory.

Active Directory plays a central role in IT security, regulatory compliance and identity and access management today because all critical aspects of IT security such as authentication, authorization and auditing are completely integrated with Active Directory.

Active Directory Security is thus rapidly becoming a very important component of organizational IT security, as organizations realize that the very foundation of their security may be vulnerable.

Because of the vital role of Active Directory in IT security today, it is increasingly vulnerable to attacks, both from inside the perimeter and from the outside, especially by sophisticated hackers seeking to compromise its security.

In fact, even the US Department of Homeland Security runs on Active Directory and a recent audit showed that it too may be vulnerable to attack - http://www.identitysecurityandaccessblog.com

Active Directory Security risks thus loom large and organizations are actively taking steps to ensure that the security of their Active Directory is also adequately protected.

Friday, October 26, 2012

Permissions Analyzer for Active Directory


It has been quite some time since I blogged. I had started this blog in 201 when I was between jobs. Since I started my previous job, things have been very busy, not giving any time for blogging.

Anyway, as a part of my job responsibilities at work, I was recently tasked with performing an audit of our Active Directory Security, and in particular, auditing who had what permissions in our Active Directory.

So I went looking for a tool to analyze permissions in our Active Directory. My research was largely restricted to searching the Internet on Google, and I came across two products that could do this for us - one was a free tool called Liza, and one was called Gold Finger for Active Directory. I tried them both out and I was really impressed with one of them, so I thought of blogging about it.

Permission Analyzer for Active Directory

In my opinion, Gold Finger for Active Directory is the best permissions analyzer for Active Directory because it allowed us to do exactly what we needed to do, i.e., find out who has what permissions where in our Active Directory, and how.


 
In addition, it also allowed us to look for specific permissions anywhere in the Active Directory.

For example, we needed to find all Explicit Allow Reset Password Extended Right permissions in a specific OU and we were able to do so in about 30 seconds, because it let us specify that exact combination of permissions to select from, and then it went and searched the OU for all objects in whose ACL there were security permissions matching this combination.
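The same kind of search can be approximated with the ActiveDirectory PowerShell module. This is an added example, not part of the original post and not how either product works; the function name and the OU distinguished name are placeholders chosen for illustration.

```powershell
# Added example: list explicit Allow ACEs that grant the Reset Password
# extended right on objects under one OU. Requires the RSAT ActiveDirectory
# module and an account allowed to read the objects' security descriptors.
Import-Module ActiveDirectory

# rightsGuid of the "Reset Password" control access right
# (User-Force-Change-Password).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper name; not a built-in cmdlet.
function Get-ExplicitResetPasswordAce {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object {
                    # Explicit (not inherited) Allow ACEs only.
                    -not $_.IsInherited -and
                    $_.AccessControlType -eq 'Allow' -and
                    # The ACE must carry the extended-right access bit.
                    (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
                    # Either the specific right, or an empty GUID, which
                    # means the ACE grants every extended right.
                    ($_.ObjectType -eq $ResetPasswordGuid -or
                     $_.ObjectType -eq [guid]::Empty)
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Object      = $dn
                        Trustee     = $_.IdentityReference
                        Scope       = if ($_.ObjectType -eq [guid]::Empty) {
                                          'All extended rights'
                                      } else { 'Reset Password' }
                        AppliesTo   = $_.InheritanceType
                        Rights      = $_.ActiveDirectoryRights
                    }
                }
        }
}

# Placeholder OU; replace with the distinguished name being audited.
Get-ExplicitResetPasswordAce -SearchBase 'OU=Example,DC=example,DC=com' |
    Sort-Object Trustee, Object |
    Format-Table -AutoSize
```

Rows with the scope "All extended rights" include Full Control entries, since those carry the extended-right bit with no specific right named.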

We also reviewed LIZA but it was not half as capable, because it lacked many capabilities, including most importantly the ability to specify the exact permissions we wanted to look for. Besides, it is free and our security policies do not allow us to deploy free products in our environment.

It also had half a dozen other capabilities but we were mostly interested in its permission analyzer capabilities for Active Directory, so that is the only capability we reviewed.

If you're looking for a good permission analyzer for Active Directory, I recommend checking it out - http://www.active-directory-permissions-analyzer.com/

Thanks.

Saturday, June 19, 2010

Advantages of Kerberos over NTLM

As you may know, prior to Windows 2000, NTLM was the primary authentication protocol in Windows Server, and from Windows 2000 onwards, Microsoft made Kerberos the native authentication protocol.

The Kerberos protocol is not only an industry standard but also offers numerous advantages over NTLM, some of which include -
  • Mutual Authentication - This means that not only can clients authenticate to a server, but that the client can request that the server too authenticate itself to the client, and this undoubtedly helps enhance security by ensuring that clients authenticate themselves to genuine servers.

  • Faster Authentication - The use of TGTs substantially enhances the speed with which authentication can take place in distributed systems, and this certainly facilitates more efficient and secure network accesses across the enterprise.

  • Support for Delegation - Kerberos enables security delegation, which essentially allows a server to impersonate a client when accessing remote resources, and this really helps provide trustworthy security in multi-tier application scenarios.

  • Support for PKI Integration - Through the Kerberos PKINIT extension, Kerberos provides support for smartcard logons, and this substantially enhances security because it obviates the need for passwords, allowing the use of smart-cards instead.

All in all, Kerberos really makes Windows Server powerful enough to provide enterprise grade distributed security, and in fact today its use is ubiquitous across the world.

Wednesday, May 12, 2010

Kerberos Authentication in Windows Server based IT Infrastructures

If you're reading this blog, you probably know what Kerberos is. (It is the native authentication protocol used in Microsoft Windows Server based IT infrastructures and it facilitates distributed security in these IT infrastructures.)

In fact, without Kerberos authentication, single-sign-on would largely not be possible in a Windows Server based environment, and the thousands of distributed security accesses that organizational employees engage in every day, whether sending email, navigating to an intranet portal or accessing a file on a server, would largely be much harder and certainly not seamless.

In this blog, I plan to take a look at numerous vital aspects of Kerberos, so IT admins can better understand its importance, identify how to configure and manage it, and learn about some cool tips and tricks that could optimize performance and enhance security.

Should you have any questions, you can leave your question via a comment.

Thanks,
Aaron