Transcript Windows and Kerberos Authentication and Optimization

GOPAS
TECHED 2012
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
WINDOWS AUTHENTICATION
Windows Authentication
AN INTRODUCTION
The topics
• The hell of windows authentication mechanisms
• Basic, NTLM, Kerberos
• Certificates and smart cards or tokens
• How they work differently
• What is better or worse
• Weird and weirder things that you may not know
And the environment
• Windows 2000 and newer
• Active Directory domains
• Maybe some trusts or multidomain forests
• Connections to SMB, LDAP, Exchange, SQL,
HTTP, WMI, remote administration, RDP and
other servers
• Ideally SSO
Windows Authentication
NETWORK INTERACTIONS
Local Logon
Client
2000+
TGT: User
Kerberos
LDAP
SMB
TGS: LDAP, CIFS
GPO List
GPO Download
DC
2000+
CTRL-ALT-DEL Password
• Password is stored in memory only
• LSASS process
• In the form of MD4 hash
• never given out
Authentication Interactions
in General
App
Traffic
Client
2000+
Server
2000+
In-band
TGS: Server
NTLM
Kerberos
TGT: User
SMB
D/COM
TGS: Server
Occasional PAC
Validation
NTLM
Pass-through
D/COM Dynamic
TCP
DC
2000+
DC
2000+
The three authentication
methods
• Basic
• plain-text password
• results in Kerberos authentication
• NTLM
• hashed password (MD4) method from the past
• LM (DES), NTLM (DES), NTLMv2 (MD5)
• Kerberos
• hashed password (MD4) plus RC4/DES or AES
• mutual authentication and delegation
• can use certificates instead of passwords
Basic and RDP Network Logon
Client
2000+
App
Traffic
Server
2000+
In-band
clear text
Kerberos
DC
2000+
DC
2000+
TGT: User
NTLM Network Logon
Client
2000+
App
Traffic
Server
2000+
In-band
NTLM hash
SMB
D/COM
Pass-through
NTLM hash
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Kerberos Network Logon
(basic principle)
App
Traffic
Client
2000+
In-band
TGS: Server
Kerberos
TGT: User
TGS: Server
DC
2000+
Server
2000+
Kerberos Network Logon
(complete)
App
Traffic
Client
2000+
Server
2000+
In-band
TGS: Server
Kerberos
TGT: User
SMB
D/COM
Occasional PAC
Validation
TGS: Server
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Windows Authentication
PERFORMANCE COMPARISON
NTLM Network Logon
Client
2000+
Server
2000+
60 % CPU
55 % CPU
DC
2000+
DC
2000+
Kerberos Network Logon, no
PAC Validation
Client
2000+
Server
2000+
60 % CPU
0 % CPU
DC
2000+
DC
2000+
Kerberos Network Logon with
PAC Validation
Client
2000+
Server
2000+
60 % CPU
0 % CPU
DC
2000+
14 % CPU
DC
2000+
Basic Authentication
Client
2000+
Server
2000+
5 % CPU
0 % CPU
DC
2000+
DC
2000+
NTLM Performance Issues
Client
Client
Client
Client
Server
Client
Client
Client
7 concurrent
40 sec.
DC
NTLM Trusts
D\User
A\Server
DC A
DC D
DC C
DC B
Kerberos Trusts
D\User
A\Server
DC A
DC D
DC C
DC B
Windows Authentication
WE WANT KERBEROS, SO WHAT?
Basic Facts
• Do not use IP addresses
• Configure SPN (service principal name)
• Have time in sync
• Use trusted identities to run services on Windows
2008 and newer
• instead of AD user accounts
• no PAC validation
• Enable AES with Windows 2008 DFL
Trusted Identities – Network
Service
Trusted Identities – Service
Accounts
Trusted Identities –
AppPoolIdentity
Trusted Identities – Managed
Service Account
Windows Authentication
IDENTITY ISOLATION FOR
SERVICES
Identity Isolation
• Services on a single machine
• Services that access other back-end services
Windows Identities
Identity
Password
PAC
Validation
Local Isolation
Network
Isolation
Operating
System
SYSTEM
random
changed 30 days
no
Administrators
no isolation
no
2000
AD User Account
administrator
changed???
yes
Users
isolated
yes
2000
Network Service
random
changed 30 days
no
Users
no isolation
no
XP
Local Service
no network credentials
no
Users
no isolation
no
XP
Service Account
random
changed 30 days
no
Users
isolated
no
Vista
2008
Managed Service
Account
random
changed 30 days
no
Users
isolated
yes
7
2008 R2
Kerberos Underworld
SMART CARD LOGON
Smart Card Logon
App
Traffic
Client
2000+
Kerberos
PKINIT
Server
2000+
TGT: User
TGS: Server
DC
2000+
DC
2000+
Smart Card Logon and NTLM
Client
2000+
NTLM Hash
Server
2000+
TGT: User
TGS: Server
DC
2000+
NTLM Hash
DC
2000+
Smart Card Logon and NTLM
Client
2000+
NTLM Hash
Server
2000+
TGT: User
TGS: Server
NTLM Hash
NTLM Hash
DC
2000+
DC
2000+
Windows Authentication
DELEGATION
Kerberos Delegation
 GeekRoom
 Úterý 14:15
 Úterý 15:45
Windows Authentication
GROUP MEMBERSHIP
Group Membership Limits
• AD Group in forest with 2000 FFL
• 5000 direct members limit
• AD Group in forest with 2003+ FFL
• unlimited membership
• Kerberos Ticket
• network transport
• limited to 8 kB on 2000 and XP
• up to 12 kB on 2003+
• HTTP.SYS header limits
• 16 kB of Base-64 encoded tickets
• Access Token
• local representation of a logon
• up to 1025 groups including local and system
Kerberos Ticket (PAC)
Kamil
S-1-5-Prague-1158
Prague Marketing
Global
3082
8 Bytes
Prague Sales
Global
3083
8 Bytes
Paris Visitors
Domain Local
Paris
S-1-5-Paris-2115
40 Bytes
Roma IS
Domain Local
Roma
S-1-5-Roma-1717
40 Bytes
Prague Documents
Domain Local
Prague
S-1-5-Prague-3084
40 Bytes
Business Owners
Universal
Prague
3085
8 Bytes
Employees
Universal
Paris
S-1-5-Paris-2116
40 Bytes
Windows Authentication
TAKEAWAY
Takeaway
• Kerberos is the most secure, flexible and
performance efficient
• Don’t be afraid and play with them!
GOPAS
TECHED 2012
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
THANK YOU!