
2823B


Module 1: Planning and Configuring an Authentication and Authorization Strategy

Overview

  • Components of an Authentication Model
  • Planning and Implementing an Authentication Strategy
  • Groups and Basic Group Strategy in Windows Server 2003
  • Creating Trusts in Windows Server 2003
  • Planning, Implementing, and Maintaining an Authorization Strategy Using Groups

Lesson: Components of an Authentication Model

  • Authentication, Authorization, and Least Privilege
  • Authentication Protocols in Windows Server 2003
  • How NTLM Authentication Works
  • How Kerberos Authentication Works
  • Windows Server 2003 Authentication Methods for Earlier Operating Systems
  • Windows Server 2003 Storage of Secrets
  • Tools for Troubleshooting Authentication Problems
  • Practice: Configuring Secure Authentication

Authentication, Authorization, and Least Privilege

  • Least privilege: provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform
  • Authentication: the process of verifying the identity of something or someone. Example: User is really Ben Smith
  • Authorization: the process of determining whether something or someone has permission to access a resource. Example: Ben Smith has permission to access this resource

[Diagram: User, Resource]

Authentication Protocols in Windows Server 2003

Kerberos

  • Default authentication protocol for Windows Server 2003, Windows 2000, and Windows XP Professional
  • Most secure

NTLM

| Protocol | Example |
|----------|---------|
| LM | Used in OS/2 and Windows for Workgroups, Windows 95, Windows 98, and Windows Me. Least secure protocol |
| NTLMv1 | Used for connecting to servers running Windows NT Service Pack 3 or earlier |
| NTLMv2 | Used for connecting to servers running Windows 2000, Windows XP, and Windows NT Service Pack 4 or higher |

How NTLM Authentication Works

[Diagram: Client, Domain Controller, Security Accounts Database, with steps numbered 1 to 5. Labels: User Name, Domain; Nonce; User Password Hash + Nonce; User Password Hash; User Password Hash + Nonce = User Password Hash + Nonce]

How Kerberos Authentication Works

  • When a user enters a user name and password, the computer sends the logon credentials to the Key Distribution Centre (KDC).
  • The KDC looks up the user’s master key (KA), which is based on the user’s password. The KDC creates two items, a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT).
  • To access a resource, the client presents its TGT and a timestamp encrypted with the session key.
  • The KDC creates a pair of tickets, one for the client and one for the server the client wants to access resources on. Both tickets also contain a new key (KAB).

[Diagram: User, KDC, Target Server. Labels: Logon credentials; TGT+SA; TGT+Timestamp; KAB]

Windows Server 2003 Authentication Methods for Earlier Operating Systems

| Compatibility Level | Client | Domain Controller |
|---------------------|--------|-------------------|
| Level 0 | Use LM and NTLM but never use NTLMv2 | Use LM, NTLM, and NTLMv2 |
| Level 1 | Use LM and NTLM; will use NTLMv2 if supported | Use LM, NTLM, and NTLMv2 |
| Level 2 | Only use NTLM; will use NTLMv2 if supported | Use LM, NTLM, and NTLMv2 |
| Level 3 | Use only NTLMv2 | Use LM, NTLM, and NTLMv2 |
| Level 4 | Use NTLM and NTLMv2 | Use only NTLM and NTLMv2 |
| Level 5 | Use NTLMv2 | Use only NTLMv2 |

Windows Server 2003 Storage of Secrets

Local passwords are stored in LSA. LSA stores:

  • Trust relationship passwords
  • User names
  • Passwords
  • Service account passwords
  • Service account names

Tools for Troubleshooting Authentication Problems

| Tool | Function |
|------|----------|
| Kerbtray.exe | Displays Kerberos ticket information. Allows you to view and purge the ticket cache |
| Klist.exe | Lets you view and delete Kerberos tickets granted to the current logon session |
| CmdKey.exe | Creates, lists, and deletes stored user names and passwords or credentials |
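The challenge-response exchange from "How NTLM Authentication Works", modelled as an added example that is not part of the course material. SHA-256 and HMAC-SHA-256 stand in for the real NTLM hash and response functions, and the domain CONTOSO, the account bsmith, the password and every function name are constructed for illustration.

```python
import hashlib
import hmac
import os


def password_hash(password):
    # Constructed stand-in for the stored password hash (not the real NTLM hash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def response_for(pw_hash, nonce):
    # "User Password Hash + Nonce": a keyed digest of the nonce under the hash.
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts  # (domain, user) -> stored password hash
        self.pending = {}         # (domain, user) -> nonce awaiting a response

    def challenge(self, domain, user):
        # The client sends user name and domain; the DC answers with a fresh nonce.
        nonce = self.pending[(domain, user)] = os.urandom(8)
        return nonce

    def verify(self, domain, user, response):
        # Read the stored hash, recompute the response, compare the two values.
        nonce = self.pending.pop((domain, user), None)  # a nonce is valid once
        stored = self.accounts.get((domain, user))
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(response_for(stored, nonce), response)


def logon(dc, domain, user, typed_password):
    # Client side: the password itself never crosses the wire, only the response.
    nonce = dc.challenge(domain, user)
    response = response_for(password_hash(typed_password), nonce)
    return dc.verify(domain, user, response), response


def demo():
    dc = DomainController({("CONTOSO", "bsmith"): password_hash("Constructed-Pass1")})
    accepted, captured = logon(dc, "CONTOSO", "bsmith", "Constructed-Pass1")
    rejected, _ = logon(dc, "CONTOSO", "bsmith", "guess")
    dc.challenge("CONTOSO", "bsmith")  # a later logon gets a different nonce
    replay = dc.verify("CONTOSO", "bsmith", captured)
    return accepted, rejected, replay
```

The domain controller verifies the logon from the stored hash alone, so the accounts database needs the same protection as the passwords themselves.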
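The ticket flow from "How Kerberos Authentication Works", as an added example that is not part of the course material: it keeps the page's names KA, SA, TGT and KAB but uses a toy sealing function in place of the Kerberos encryption types. The principals bsmith and fileserver, the password, the 300-second timestamp tolerance and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds; assumed tolerance for the client's timestamp

def seal(key, fields):
    # Toy authenticated encryption: a constructed stand-in, not a Kerberos cipher.
    iv, plain = os.urandom(16), json.dumps(fields).encode()
    stream = hashlib.shake_256(key + iv).digest(len(plain))
    body = bytes(p ^ s for p, s in zip(plain, stream))
    return iv + hmac.new(key, iv + body, hashlib.sha256).digest() + body

def unseal(key, blob):
    iv, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    stream = hashlib.shake_256(key + iv).digest(len(body))
    return json.loads(bytes(c ^ s for c, s in zip(body, stream)))

class KDC:
    def __init__(self, master_keys):
        self.master_keys = master_keys  # principal -> master key (KA for a user)
        self.kdc_key = os.urandom(32)   # seals TGTs; only the KDC can open them
    def logon(self, user):
        sa = os.urandom(16).hex()       # session key SA
        tgt = seal(self.kdc_key, {"user": user, "SA": sa})
        return seal(self.master_keys[user], {"SA": sa}), tgt
    def request_ticket(self, tgt, sealed_time, server):
        granted = unseal(self.kdc_key, tgt)
        sa = bytes.fromhex(granted["SA"])
        if abs(time.time() - unseal(sa, sealed_time)["time"]) > MAX_SKEW:
            raise ValueError("stale timestamp")
        kab = os.urandom(16).hex()      # new key KAB, copied into both tickets
        for_client = seal(sa, {"server": server, "KAB": kab})
        for_server = seal(self.master_keys[server], {"user": granted["user"], "KAB": kab})
        return for_client, for_server

def demo(password=b"constructed password", clock_offset=0):
    kdc = KDC({"bsmith": hashlib.sha256(b"constructed password").digest(),
               "fileserver": os.urandom(32)})
    sealed_sa, tgt = kdc.logon("bsmith")
    sa = bytes.fromhex(unseal(hashlib.sha256(password).digest(), sealed_sa)["SA"])
    stamp = seal(sa, {"time": time.time() + clock_offset})
    for_client, for_server = kdc.request_ticket(tgt, stamp, "fileserver")
    server_view = unseal(kdc.master_keys["fileserver"], for_server)
    return unseal(sa, for_client)["KAB"] == server_view["KAB"], server_view["user"]
```

A wrong password fails when the client tries to open SA, and a timestamp outside the tolerance is refused by the KDC; both raise `ValueError` in this model.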

Date posted: 19/07/2014, 06:00


Table of contents

    Module 1: Planning and Configuring an Authentication and Authorization Strategy

    Lesson: Components of an Authentication Model

    Authentication, Authorization, and Least Privilege

    Authentication Protocols in Windows Server 2003

    How NTLM Authentication Works

    How Kerberos Authentication Works

    Windows Server 2003 Authentication Methods for Earlier Operating Systems

    Windows Server 2003 Storage of Secrets

    Tools for Troubleshooting Authentication Problems

    Practice: Configuring Secure Authentication
