
1. The Important Details Of Windows Authentication
Stefan Metzmacher <metze@samba.org>
Samba Team / SerNet
2017-05-04
https://samba.org/~metze/presentations/2017/SambaXP/

2. Topics
◮ Windows Domains, Forests and Trusts
◮ Netlogon Secure Channel
◮ Authentication Protocols
◮ Authorization Token
◮ Trust Routing Table
◮ New Kerberos Features
◮ Thanks!
◮ Questions?
Windows Authentication Stefan Metzmacher (2/1)

3. Layout of a single Windows Domain (diagram slide)

4. Layout of an Active Directory Forest (with one Tree) (diagram slide)

5. Forest Information (with one Tree)
◮ TOP LEVEL NAME: example.com
◮ TOP LEVEL NAME: example.private
◮ DOMAIN INFO: EXAMPLE; example.com; S-1-5-21-99-88-11
◮ DOMAIN INFO: ASIA; asia.example.com; S-1-5-21-99-88-22
◮ DOMAIN INFO: DEVEL; devel.asia.example.com; S-1-5-21-99-88-33
◮ DOMAIN INFO: PRODUCT; product.asia.example.com; S-1-5-21-99-88-44
◮ DOMAIN INFO: EUROPE; europe.example.com; S-1-5-21-99-88-44

6. Layout of an Active Directory Forest (with multiple Trees) (diagram slide)

7. Forest Information (with multiple Trees)
◮ TOP LEVEL NAME: corp1.private
◮ TOP LEVEL NAME: corp2.private
◮ DOMAIN INFO: CORP1; corp1.private; S-1-5-21-77-88-11
◮ DOMAIN INFO: DEVEL; devel.corp1.private; S-1-5-21-77-88-22
◮ DOMAIN INFO: PRODUCT; product.corp1.private; S-1-5-21-99-88-33
◮ DOMAIN INFO: CORP2; corp2.private; S-1-5-21-99-88-44
◮ DOMAIN INFO: SUPPORT; support.corp2.private; S-1-5-21-99-88-55

8. Trust Types (low level)
◮ LSA_TRUST_TYPE_DOWNLEVEL
  ◮ This is used for NT4 domains.
  ◮ It can only handle NTLMSSP.
◮ LSA_TRUST_TYPE_UPLEVEL
  ◮ This is used for AD domains.
  ◮ It supports NTLMSSP by default.
  ◮ It supports Kerberos; the realm is the DNS domain name.
◮ LSA_TRUST_TYPE_MIT
  ◮ This is used for trusts to RFC 4120 compliant Kerberos realms.
  ◮ Unlikely to be implemented in Samba.
◮ LSA_TRUST_TYPE_DCE
  ◮ Not used in Windows.

9. Trust Directions
◮ Trusting vs. trusted domain
  ◮ Users of the "trusted" domain can access resources of the "trusting" domain.
◮ LSA_TRUST_DIRECTION_INBOUND
  ◮ The local domain is the "trusted" domain.
  ◮ The specified/remote domain is the "trusting" domain.
  ◮ Also known as INCOMING.
◮ LSA_TRUST_DIRECTION_OUTBOUND
  ◮ The local domain is the "trusting" domain.
  ◮ The specified/remote domain is the "trusted" domain.
  ◮ Also known as OUTGOING.

10. Transitive vs. Non-Transitive Trusts
◮ Non-transitive trust
  ◮ This is just a trust between two single domains.
◮ Transitive trust
  ◮ The trust between two single domains is expanded to indirect trusts.
  ◮ DOM1 trusts DOM2, while DOM2 trusts DOM3, so DOM1 implicitly trusts DOM3.
  ◮ In some situations a transitive trust acts as a kind of default route.

11. Trust Types (high level, Part 1)
◮ Workstation (Domain Member) Trust
  ◮ LSA_TRUST_DIRECTION_OUTBOUND to the primary domain.
  ◮ LSA_TRUST_TYPE_DOWNLEVEL (NT4) or LSA_TRUST_TYPE_UPLEVEL (AD).
  ◮ Transitive trust as default route.
  ◮ The computer account can only reliably access its primary domain.
◮ External Domain Trust
  ◮ LSA_TRUST_TYPE_DOWNLEVEL (NT4) or LSA_TRUST_TYPE_UPLEVEL (AD).
  ◮ Non-transitive.
◮ Forest Trust
  ◮ LSA_TRUST_TYPE_UPLEVEL (AD) between two forest root domains.
  ◮ Transitive trust (by default) between the two forests only.

12. Trust Types (high level, Part 2 within Forests)
◮ Parent Child Trusts
  ◮ LSA_TRUST_DIRECTION_INBOUND and LSA_TRUST_DIRECTION_OUTBOUND.
  ◮ LSA_TRUST_TYPE_UPLEVEL (AD).
  ◮ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
  ◮ The child is a DNS subdomain of the parent.
  ◮ Transitive trust; on the parent it is the route to the child and the related grandchildren.
  ◮ Transitive trust; on the child it is the default route.
  ◮ Automatically created together with the child domain.
◮ Tree Root Trusts
  ◮ Similar to parent child trusts.
  ◮ The new tree root is not a DNS subdomain of the forest root.
  ◮ Transitive trust; on the forest root it is the route to the new tree root and the related grandchildren.
  ◮ Transitive trust; on the new tree root (the "child") it is the default route.
  ◮ Automatically created together with the new tree root domain.

13. Trust Types (high level, Part 3 within Forests)
◮ Shortcut Trust
  ◮ LSA_TRUST_DIRECTION_INBOUND and/or LSA_TRUST_DIRECTION_OUTBOUND.
  ◮ LSA_TRUST_TYPE_UPLEVEL (AD).
  ◮ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
  ◮ Non-transitive; acts as a direct route to the specified domain.
  ◮ Created by an administrator for performance reasons.

14. Trust Attributes (low level)
The content of the trustAttributes attribute in Samba:

```idl
typedef [public, bitmap32bit] bitmap {
	LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001,
	LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY        = 0x00000002,
	LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004,
	LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008,
	LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x00000010,
	LSA_TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020,
	LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040,
	LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080
	// TODO LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200
	// TODO LSA_TRUST_ATTRIBUTE_PIM_TRUST = 0x00000400
} lsa_TrustAttributes;
```
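Decoding these low-level fields the way slides 8 to 13 describe them, as an added example in Go (not code from the slides or from Samba): Classify() takes the trust type, the direction bits and the trustAttributes bitmap of a trustedDomain object together with the two DNS names and returns the high-level kind, the transitivity and the local domain's role; DecodeAttributes() names the bits of the bitmap above. The type names, the sample trusts and the NT4DOM name are assumptions of the example; the numeric values are the ones on the slides. Tree root and shortcut trusts are reported together, since both carry WITHIN_FOREST without a parent/child DNS relation.

```go
package main

import (
	"fmt"
	"strings"
)

// lsa_TrustType values, lsa_TrustDirection bits and the lsa_TrustAttributes bits used below.
const (
	TrustTypeDownlevel            = 1
	TrustTypeUplevel              = 2
	TrustDirectionInbound  uint32 = 0x1
	TrustDirectionOutbound uint32 = 0x2
	attrNonTransitive      uint32 = 0x00000001
	attrForestTransitive   uint32 = 0x00000008
	attrWithinForest       uint32 = 0x00000020
)

// Names of the lsa_TrustAttributes bits of the bitmap above, indexed by bit number.
var trustAttributeNames = [...]string{
	"LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE", "LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY",
	"LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", "LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
	"LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION", "LSA_TRUST_ATTRIBUTE_WITHIN_FOREST",
	"LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", "LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
	"" /* bit 8 unassigned */, "LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", "LSA_TRUST_ATTRIBUTE_PIM_TRUST",
}

// Trust is one trustedDomain object as seen from the local domain (names are assumed).
type Trust struct {
	LocalDNS, RemoteDNS string
	Type                int
	Direction           uint32
	Attributes          uint32
}

// Summary is what slides 8 to 13 derive from those fields: only UPLEVEL trusts speak
// Kerberos (realm = DNS name); LocalRole holds "trusting" (OUTBOUND) and/or "trusted" (INBOUND).
type Summary struct {
	Kind       string
	Transitive bool
	Kerberos   bool
	LocalRole  []string
}

// DecodeAttributes names every set bit; unknown bits are reported as hex.
func DecodeAttributes(attrs uint32) []string {
	var names []string
	for i := 0; i < 32; i++ {
		if attrs&(uint32(1)<<i) != 0 {
			name := fmt.Sprintf("0x%08x", uint32(1)<<i)
			if i < len(trustAttributeNames) && trustAttributeNames[i] != "" {
				name = trustAttributeNames[i]
			}
			names = append(names, name)
		}
	}
	return names
}

func isSubdomain(child, parent string) bool {
	return strings.HasSuffix(strings.ToLower(child), "."+strings.ToLower(parent))
}

// Classify applies the slides' rules: the type decides the protocols, the direction bits
// decide who trusts whom, and the attributes (plus the DNS names) decide kind and transitivity.
func Classify(t Trust) Summary {
	s := Summary{Kerberos: t.Type == TrustTypeUplevel}
	if t.Direction&TrustDirectionOutbound != 0 {
		s.LocalRole = append(s.LocalRole, "trusting")
	}
	if t.Direction&TrustDirectionInbound != 0 {
		s.LocalRole = append(s.LocalRole, "trusted")
	}
	withinForest := t.Attributes&attrWithinForest != 0
	switch {
	case t.Type == TrustTypeDownlevel:
		s.Kind = "external (NT4, NTLMSSP only)"
	case withinForest && isSubdomain(t.RemoteDNS, t.LocalDNS):
		s.Kind, s.Transitive = "parent-child (local domain is the parent)", true
	case withinForest && isSubdomain(t.LocalDNS, t.RemoteDNS):
		s.Kind, s.Transitive = "parent-child (local domain is the child)", true
	case withinForest: // tree root and shortcut trusts look alike in these fields
		s.Kind, s.Transitive = "tree-root or shortcut", true
	case t.Attributes&attrForestTransitive != 0:
		s.Kind, s.Transitive = "forest", true
	default:
		s.Kind = "external"
	}
	if t.Attributes&attrNonTransitive != 0 { // an explicit NON_TRANSITIVE bit wins
		s.Transitive = false
	}
	return s
}

func main() {
	// Constructed sample trusts with the domain names of slides 5 and 7.
	for _, t := range []Trust{
		{"example.com", "asia.example.com", TrustTypeUplevel, TrustDirectionInbound | TrustDirectionOutbound, attrWithinForest},
		{"example.com", "corp1.private", TrustTypeUplevel, TrustDirectionOutbound, attrForestTransitive},
	} {
		fmt.Printf("%-18s %+v %v\n", t.RemoteDNS, Classify(t), DecodeAttributes(t.Attributes))
	}
}
```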

15. Forest (routing) Information
◮ The information about a forest:
  ◮ can be queried from the forest root domain of the "trusted" forest via netr_GetForestTrustInformation(); the forest root constructs it from the information under CN=Partitions,CN=Configuration,...
  ◮ is stored in the "msDS-TrustForestTrustInfo" attribute in the root domain of the "trusting" forest.
◮ It is an array of records of the following types:
  ◮ FOREST_TRUST_DOMAIN_INFO includes NetBIOS name, DNS name and domain SID.
  ◮ FOREST_TRUST_TOP_LEVEL_NAME includes a top level DNS name that is part of the forest (including all DNS subdomains).
  ◮ FOREST_TRUST_TOP_LEVEL_NAME_EX includes a top level DNS name that is explicitly excluded from the forest (including all DNS subdomains).
◮ Individual records will be disabled if conflicts with other trusts are detected.
◮ Individual records can also be disabled by the admin.
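The routing decision those records drive, as an added example in Go (not code from the slides or from Samba): RouteDNSName() lets the most specific enabled TLN or TLN_EX record decide whether a DNS name belongs to the forest, so an exclusion below a TLN carves a hole out of that namespace, and LookupDomain() matches DOMAIN_INFO records exactly by NetBIOS name, DNS name or SID. The forest data is a subset of slide 5; the lab.example.com exclusion and the disabled conflict.example record are constructed for the example, as are the type and function names.

```go
package main

import (
	"fmt"
	"strings"
)

// Record types of msDS-TrustForestTrustInfo / netr_GetForestTrustInformation().
type RecordType int

const (
	TopLevelName   RecordType = iota // TLN: a DNS namespace the forest owns
	TopLevelNameEx                   // TLN_EX: a DNS namespace explicitly excluded
	DomainInfo                       // one domain: NetBIOS name, DNS name, SID
)

type ForestRecord struct {
	Type        RecordType
	Disabled    bool   // set by conflict detection or by the admin
	DNSName     string // the TLN / TLN_EX, or the domain's DNS name
	NetbiosName string // DOMAIN_INFO only
	SID         string // DOMAIN_INFO only
}

// inNamespace reports whether name is tln itself or a DNS subdomain of it.
func inNamespace(name, tln string) bool {
	name, tln = strings.ToLower(name), strings.ToLower(tln)
	return name == tln || strings.HasSuffix(name, "."+tln)
}

// RouteDNSName decides whether a DNS name (a Kerberos realm, a server's DNS
// suffix, a UPN suffix) is routed to the forest described by records. The most
// specific enabled TLN or TLN_EX record wins; via is the record that decided.
func RouteDNSName(records []ForestRecord, name string) (routed bool, via string) {
	best := -1
	for i, r := range records {
		if r.Disabled || r.Type == DomainInfo || !inNamespace(name, r.DNSName) {
			continue
		}
		if best < 0 || len(r.DNSName) > len(records[best].DNSName) {
			best = i
		}
	}
	if best < 0 {
		return false, ""
	}
	return records[best].Type == TopLevelName, records[best].DNSName
}

// LookupDomain resolves a NetBIOS name, DNS name or SID to a DOMAIN_INFO record;
// these route by exact match, not by namespace.
func LookupDomain(records []ForestRecord, key string) (ForestRecord, bool) {
	for _, r := range records {
		if r.Disabled || r.Type != DomainInfo {
			continue
		}
		if strings.EqualFold(key, r.NetbiosName) || strings.EqualFold(key, r.DNSName) || key == r.SID {
			return r, true
		}
	}
	return ForestRecord{}, false
}

// SampleForest is the forest of slide 5 (a subset of its domains) plus two
// constructed records: an exclusion and a record disabled by conflict detection.
func SampleForest() []ForestRecord {
	return []ForestRecord{
		{Type: TopLevelName, DNSName: "example.com"},
		{Type: TopLevelName, DNSName: "example.private"},
		{Type: TopLevelNameEx, DNSName: "lab.example.com"},                // constructed
		{Type: TopLevelName, DNSName: "conflict.example", Disabled: true}, // constructed
		{Type: DomainInfo, DNSName: "example.com", NetbiosName: "EXAMPLE", SID: "S-1-5-21-99-88-11"},
		{Type: DomainInfo, DNSName: "asia.example.com", NetbiosName: "ASIA", SID: "S-1-5-21-99-88-22"},
		{Type: DomainInfo, DNSName: "devel.asia.example.com", NetbiosName: "DEVEL", SID: "S-1-5-21-99-88-33"},
	}
}

func main() {
	forest := SampleForest()
	for _, name := range []string{"devel.asia.example.com", "host.lab.example.com", "x.conflict.example", "example.org"} {
		routed, via := RouteDNSName(forest, name)
		fmt.Printf("%-25s routed=%-5v via=%q\n", name, routed, via)
	}
	for _, key := range []string{"ASIA", "S-1-5-21-99-88-33", "EUROPE"} {
		r, ok := LookupDomain(forest, key)
		fmt.Printf("%-25s found=%-5v dns=%q\n", key, ok, r.DNSName)
	}
}
```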

16. Netlogon Secure Channel (Part 1)
◮ Having an LSA_TRUST_DIRECTION_OUTBOUND trust:
  ◮ means the "trusting" workstation/domain can establish a Netlogon Secure Channel to DCs of the "trusted" domain using the computer/trust account.
  ◮ The NETLOGON protocol is based on DCERPC, see [MS-NRPC].
◮ Establishing a global session state with a "trusted" DC:
  ◮ netr_ServerReqChallenge() and netr_ServerAuthenticate[2,3]() are used to do a challenge/response authentication.
  ◮ The global session state is indexed by the computer name of the "client".
  ◮ The global session state contains the initial session key and a sequence number.
  ◮ Samba uses 'struct netlogon_creds_CredentialState' for this state.
  ◮ This state is stored in netlogon_creds_cli.tdb (on the client) and schannel_store.tdb (on the server).

17. Netlogon Secure Channel (Part 2)
◮ A lot of functions operate on the global session state:
  ◮ netr_LogonSamLogon[WithFlags](), netr_ServerPasswordSet[2](), netr_LogonGetDomainInfo(), netr_GetForestTrustInformation() and others.
  ◮ All functions using 'netr_Authenticator' arguments.
◮ These functions do some rolling crypto on the global session state.
◮ These functions need to be strictly ordered (globally!).
◮ Some of them also encrypt some application level fields with the current global session key.

18. Netlogon Secure Channel (Part 3)
◮ The NETLOGON protocol implements a custom DCERPC authentication type (auth_type=68):
  ◮ The DCERPC Bind/AlterContext just passes the domain and computer names to the server.
  ◮ The server takes a copy of the current global session state based on the provided computer name.
  ◮ This copy provides the session key for the lifetime of the DCERPC auth context.
  ◮ Client and server provide DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY protection for the auth context.
  ◮ The connection doesn't support concurrent multiplexing; only one request is in flight at a time.

19. Netlogon Secure Channel (Part 4)
◮ Usage of DCERPC authentication type (auth_type=68):
  ◮ It is typically used for a protected NETLOGON connection.
  ◮ It is also used for LSA connections and the lsa_LookupNames4() and lsa_LookupSids3() calls.
  ◮ Typically the "trusting" side of the trust should only use these NETLOGON and LSA connections to communicate with the "trusted" domain.
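The exchange of Parts 1 to 4 in Go, as an added example that is not code from the slides or from Samba: the AES flavour of the secure channel as specified in [MS-NRPC], with the session key derivation, the CFB8 credential computation, both sides of netr_ServerReqChallenge/netr_ServerAuthenticate3, and the rolling netr_Authenticator that every later call carries. The NT hash and the challenges are constructed sample values and the function names are the example's own; the NT hash (MD4 over the UTF-16LE password) is taken as an input rather than computed. It shows the two failure modes a practitioner cares about: a wrong account password (the server never seeds a session) and a call processed out of order (the authenticator is rejected because the two copies of the state no longer agree).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SessionKeyAES derives the AES session key ([MS-NRPC] 3.1.4.3.1): the NT hash of the
// computer/trust account keys an HMAC-SHA256 over both challenges; the first 16 bytes are the key.
func SessionKeyAES(ntHash, clientChallenge, serverChallenge []byte) []byte {
	mac := hmac.New(sha256.New, ntHash)
	mac.Write(clientChallenge)
	mac.Write(serverChallenge)
	return mac.Sum(nil)[:16]
}

// cfb8Encrypt is AES-128-CFB8 with an all-zero IV, the transform that turns an 8-byte
// input into a credential ([MS-NRPC] 3.1.4.4.1); Go's cipher.NewCFBEncrypter is CFB128.
func cfb8Encrypt(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	shift := make([]byte, aes.BlockSize) // shift register, starts as the zero IV
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	for i, b := range data {
		block.Encrypt(keystream, shift)
		out[i] = b ^ keystream[0]
		copy(shift, shift[1:]) // shift by one byte and feed the ciphertext byte back in
		shift[aes.BlockSize-1] = out[i]
	}
	return out
}

// CredState is one side's copy of the global session state: session key plus the
// stored credential that both peers advance in lock step.
type CredState struct {
	SessionKey []byte
	Stored     [8]byte
}

// step adds n to the low 32 bits (little-endian) of the stored credential and returns
// its encryption; this is the rolling crypto behind every netr_Authenticator.
func (c *CredState) step(n uint32) []byte {
	binary.LittleEndian.PutUint32(c.Stored[:4], binary.LittleEndian.Uint32(c.Stored[:4])+n)
	return cfb8Encrypt(c.SessionKey, c.Stored[:])
}

// Establish plays netr_ServerReqChallenge/netr_ServerAuthenticate3 for both sides. Each
// derives the key from its own copy of the account's NT hash; the client proves itself
// with E(clientChallenge), the server answers with E(serverChallenge), and both seed the
// stored credential with the client credential.
func Establish(clientNTHash, serverNTHash, clientChallenge, serverChallenge []byte) (*CredState, *CredState, bool) {
	client := &CredState{SessionKey: SessionKeyAES(clientNTHash, clientChallenge, serverChallenge)}
	server := &CredState{SessionKey: SessionKeyAES(serverNTHash, clientChallenge, serverChallenge)}
	clientCred := cfb8Encrypt(client.SessionKey, clientChallenge)
	if !bytes.Equal(clientCred, cfb8Encrypt(server.SessionKey, clientChallenge)) {
		return nil, nil, false // password mismatch: the server denies access
	}
	serverCred := cfb8Encrypt(server.SessionKey, serverChallenge)
	if !bytes.Equal(serverCred, cfb8Encrypt(client.SessionKey, serverChallenge)) {
		return nil, nil, false
	}
	copy(client.Stored[:], clientCred)
	copy(server.Stored[:], clientCred)
	return client, server, true
}

// AuthenticatedCall is one call carrying a netr_Authenticator: the client rolls its
// credential by the timestamp, the server verifies on a scratch copy and commits only on
// success, then rolls by one for the return authenticator, which the client verifies.
func AuthenticatedCall(client, server *CredState, timestamp uint32) bool {
	clientAuth := client.step(timestamp)
	expected := *server
	if !bytes.Equal(expected.step(timestamp), clientAuth) {
		return false
	}
	*server = expected
	return bytes.Equal(client.step(1), server.step(1))
}

// ReplayRejected shows why the calls must be strictly ordered: a stale copy of the
// client state fails as soon as the server has processed one more call.
func ReplayRejected(ntHash, clientChallenge, serverChallenge []byte) bool {
	client, server, ok := Establish(ntHash, ntHash, clientChallenge, serverChallenge)
	if !ok {
		return false
	}
	stale := *client // what a second, unsynchronised client would still hold
	return AuthenticatedCall(client, server, 1000) && !AuthenticatedCall(&stale, server, 1000)
}

func main() {
	// Constructed sample input: a 16-byte "NT hash" and two 8-byte challenges.
	ntHash, cc, sc := []byte("0123456789abcdef"), []byte("clientch"), []byte("serverch")
	client, server, ok := Establish(ntHash, ntHash, cc, sc)
	fmt.Printf("established=%v session_key=%x\n", ok, client.SessionKey)
	for _, ts := range []uint32{1000, 1001, 1002} {
		fmt.Printf("call ts=%d accepted=%v stored=%x\n", ts, AuthenticatedCall(client, server, ts), server.Stored)
	}
	fmt.Printf("replay rejected=%v\n", ReplayRejected(ntHash, cc, sc))
}
```

In a real deployment the same NT hash sits in the machine account's secrets store on the member and in the account object on the DC; the scratch-copy verification in AuthenticatedCall mirrors the fact that a DC only persists the advanced credential after a successful check, which is what makes the global ordering requirement of Part 2 visible.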
