on Microsoft Based Platforms Segregation of... · 2020-03-23
on Microsoft Based Platforms
The problem description
Some Windows security terminology: Security Descriptor, Security Identifier, Discretionary Access Control List / System ACL, Access Control List Entries, Mandatory Integrity Check, Security boundaries, User Account Control, Managed Service Accounts, Security Groups
Privileges, Access & Authorization
Active Directory
Forefront Identity Manager 2010
Security descriptor diagram (Header, Owner SID, DACL, SACL):
Owner SID: REDMOND\BillB
DACL:
  ACE: REDMOND\DavidJo, Access Denied, RWX
  ACE: REDMOND\MSTE, Access Allowed, RX
  ACE: REDMOND\BillB, Access Allowed, WD
SACL
Access token for BDEvent.doc
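The security descriptor drawn above is a good place to see how a DACL is actually evaluated, and why ACE order matters. The following Python is an added example, not code from the deck: it models the slide's owner and three ACEs (right labels RWX, RX and WD copied as-is, account names used in place of real S-1-5-... SIDs) and applies the documented AccessCheck rules: a NULL DACL grants everything, an empty DACL grants nothing, the object owner implicitly receives READ_CONTROL ("RC") and WRITE_DAC ("WD"), and ACEs are walked in order with an access-denied ACE stopping the walk as soon as it covers a requested right not yet granted. The `is_canonical` check is the practitioner's sanity test: a DACL whose allow ACEs precede its deny ACEs can grant access before the deny is ever reached.

```python
"""Simulated Windows DACL evaluation for the security descriptor on the slide.

Added example, not code from the deck. Owner, ACEs and right labels are the
slide's; the evaluation rules are the documented AccessCheck behaviour.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ace:
    trustee: str        # SID (here: the slide's account/group name)
    allow: bool         # True = access-allowed ACE, False = access-denied ACE
    rights: frozenset   # access rights the ACE grants or denies


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list]  # None models a NULL DACL; [] models an empty DACL


# The DACL drawn on the slide, in the order the ACEs appear (deny first).
BDEVENT_DOC = SecurityDescriptor(
    owner=r"REDMOND\BillB",
    dacl=[
        Ace(r"REDMOND\DavidJo", allow=False, rights=frozenset("RWX")),
        Ace(r"REDMOND\MSTE", allow=True, rights=frozenset("RX")),
        Ace(r"REDMOND\BillB", allow=True, rights=frozenset({"WD"})),
    ],
)


def access_check(sd: SecurityDescriptor, token_sids: Iterable[str],
                 requested: Iterable[str]) -> tuple:
    """Return (granted, reason) for a token holding token_sids that asks for requested rights."""
    sids = set(token_sids)
    wanted = set(requested)
    if sd.dacl is None:
        return True, "NULL DACL: no protection, all access granted"
    granted = set()
    if sd.owner in sids:
        # The owner may always read and rewrite the DACL, whatever the ACEs say.
        granted |= {"RC", "WD"} & wanted
    if wanted <= granted:
        return True, "granted by implicit owner rights"
    for ace in sd.dacl:
        if ace.trustee not in sids:
            continue  # ACE does not apply to this token
        remaining = wanted - granted
        if not ace.allow:
            # A deny ACE that covers any still-wanted right ends the check.
            if ace.rights & remaining:
                return False, f"denied by access-denied ACE for {ace.trustee}"
            continue
        granted |= ace.rights & wanted
        if wanted <= granted:
            return True, f"all requested rights granted at ACE for {ace.trustee}"
    # Empty DACL, or no matching allow ACE for some requested right.
    return False, "end of DACL reached with rights still ungranted"


def is_canonical(dacl: Optional[list]) -> bool:
    """True if every explicit access-denied ACE precedes every access-allowed ACE."""
    if dacl is None:
        return True
    seen_allow = False
    for ace in dacl:
        if ace.allow:
            seen_allow = True
        elif seen_allow:
            return False
    return True


if __name__ == "__main__":
    # Constructed tokens: each is a set of SIDs the logged-on user carries.
    cases = [
        ([r"REDMOND\BillB"], ["WD"]),
        ([r"REDMOND\MSTE"], ["R", "X"]),
        ([r"REDMOND\MSTE"], ["R", "W"]),
        ([r"REDMOND\DavidJo", r"REDMOND\MSTE"], ["R"]),  # deny ACE wins
    ]
    for sids, rights in cases:
        print(sids, rights, access_check(BDEVENT_DOC, sids, rights))
    print("canonical:", is_canonical(BDEVENT_DOC.dacl))
```

The fourth case is the one worth remembering: a user who is both the denied principal and a member of the allowed group is refused, but only because the deny ACE sits first. Reverse the list and `is_canonical` returns False, which is exactly the condition a defender should flag when auditing descriptors.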
Interactive logon flow (diagram):
1. CAD (Ctrl+Alt+Del)
2. Collect Credential
3. Enter Credentials
4. LsaLogonUser
Components shown: Winlogon, Credential Providers, LSASS.EXE, NTLM, Kerberos, Negotiate, Netlogon, LSA Secrets Store, KDC + AD
Diagram: Admin Process / Standard User Process ?
• Change Time Zone
• Run Standard User Compliant Applications
• Install Fonts
• Run MSN Messenger
• IE
Impersonation
Separation of duties with Microsoft Authorization Manager
Microsoft Authorization Manager (AzMan) is part of Windows Server and allows role-based access control to provide separation of duties.
New auditing categories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
FIM group management provides the ability to perform the following:
• Create and manage Security Groups
• Add and remove members from Groups
• Join and leave from Groups
• Perform extensive searches on groups
• View a history of actions taken on specific groups
• Workflows (delegation, escalation…)
• View request status as the requestor, or group owner
• Assign co-owners to assist in managing your Groups
• Dynamic (Calculated) groups based on attributes (query builder or XPath)
Manage the Identity Lifecycle