A Warm Welcome to Francis's Blog =D

9 Jan 2012

Microsoft’s Active Directory Security Feature

Microsoft’s Active Directory

What is Microsoft's Active Directory?


Active Directory provides the means to manage the identities and relationships that make up your organization’s network. Active Directory gives you out-of-the-box functionality needed to centrally configure and administer system, user, and application settings. Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches.

It is responsible for authenticating and authorizing all users and computers in a Windows domain network, assigning and enforcing security policies for all computers in the network, and installing or updating software on them.

Security Feature

  • Secure Domain Controller Policy Setting
Besides the Group Policy settings you establish for your domains in Active Directory, you can establish Group Policy and Windows 2000 configuration settings to secure the domain controllers themselves. Domain controller policies are set on the Domain Controllers organizational unit (OU) in each domain.

Domain controller policies are divided into multiple categories of settings. To secure your domain controllers comprehensively, perform the following tasks:
  • Establish domain controller user rights assignment policy settings.
  • Establish domain controller audit policy settings.
  • Enable auditing on Active Directory database objects.
  • Establish domain controller security options policy settings.
  • Establish domain controller event log policy settings.
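As an added example (mine, not from the page or from Microsoft), here is a Python script that checks three of the tasks above offline against files an administrator can export from a domain controller: the CSV that `auditpol /get /category:* /r` prints for the audit policy, and the INF that `secedit /export /cfg dc.inf` writes, whose [Privilege Rights] section holds the user rights assignment and whose [Registry Values] section holds the security options. The two exports embedded below are constructed samples, and the baseline values the script compares against are illustrative assumptions rather than Microsoft's published recommendations.

```python
import configparser
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output from a DC (CSV, one row per
# subcategory; only the subcategories this check cares about are shown).
AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Failure,
DC01,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},Success,
DC01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success,
"""

# Constructed sample of `secedit /export /cfg dc.inf` output (the real file is UTF-16;
# decode it before parsing). Only the sections used here are shown.
SECEDIT_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Illustrative baseline (an assumption for this example, not Microsoft's published guidance).
AUDIT_BASELINE = {  # audit subcategory -> required "Inclusion Setting"
    "Directory Service Access": "Success and Failure",
    "Directory Service Changes": "Success and Failure",
    "Logon": "Success and Failure",
    "Kerberos Authentication Service": "Success and Failure",
    "Security Group Management": "Success and Failure",
}
RIGHTS_BASELINE = {  # user right -> well-known SIDs allowed to hold it on a DC
    "SeRemoteInteractiveLogonRight": {"*S-1-5-32-544"},                  # Administrators
    "SeNetworkLogonRight": {"*S-1-5-11", "*S-1-5-32-544", "*S-1-5-9"},  # Auth. Users, Admins, Enterprise DCs
}
OPTIONS_BASELINE = {  # security option (registry value) -> required "type,data"
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal": "4,1",
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": "4,1",
}

def check_audit_policy(csv_text):
    """Compare each baseline subcategory with what auditpol reports (missing = No Auditing)."""
    seen = {row["Subcategory"]: row["Inclusion Setting"]
            for row in csv.DictReader(io.StringIO(csv_text))}
    return [f"audit: {sub} is '{seen.get(sub, 'No Auditing')}', expected '{want}'"
            for sub, want in AUDIT_BASELINE.items() if seen.get(sub, "No Auditing") != want]

def parse_secedit(inf_text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # keep key case; registry paths are case-sensitive to the eye
    cp.read_string(inf_text)
    return cp

def check_user_rights(cp):
    """Flag any SID holding a DC user right that the baseline does not allow."""
    section = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    findings = []
    for right, allowed in RIGHTS_BASELINE.items():
        holders = {h.strip() for h in section.get(right, "").split(",") if h.strip()}
        extra = holders - allowed
        if extra:
            findings.append(f"rights: {right} also granted to {sorted(extra)}")
    return findings

def check_security_options(cp):
    section = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    return [f"option: {key.split(chr(92))[-1]} is {section.get(key)!r}, expected {want!r}"
            for key, want in OPTIONS_BASELINE.items() if section.get(key) != want]

def run_checks(auditpol_csv=AUDITPOL_CSV, secedit_inf=SECEDIT_INF):
    cp = parse_secedit(secedit_inf)
    return check_audit_policy(auditpol_csv) + check_user_rights(cp) + check_security_options(cp)

if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run against the constructed exports the script reports six findings: four audit subcategories below the baseline, Everyone (S-1-1-0) holding the network logon right, and SMB server signing not required. Enabling auditing on the directory objects themselves (the third task in the list) is a SACL on the objects rather than a policy setting, so it is not covered by these two exports.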


http://technet.microsoft.com/en-us/library/bb727065.aspx
http://www.promedianj.com/data-center-and-virtualization/microsoft-solutions

LDAP Security Feature

LDAP

What is LDAP?

LDAP, the Lightweight Directory Access Protocol, defines the "language" used by client programs to talk to directory servers (and by servers to talk to each other). On the client side, a client may be an email program, a printer browser, or an address book. The server may speak only LDAP, or it may have other methods of sending and receiving data, with LDAP being just one add-on method.

Security Feature

  • Kerberos Authentication

Kerberos is an open-standard authentication system, generally used with password-based authentication, that is widely deployed; in particular it is the default Windows domain authentication mechanism. A key feature of Kerberos is its use of "tickets" to retain authentication information, so that users do not have to enter a username and password for each network application they use; this is known as Single Sign-On (SSO).

Kerberos is an authentication service commonly used to authenticate a user running an application client (such as an email client) to an application server (such as an email server), using "tickets" obtained from a trusted third party, the Kerberos server (KDC).
  • SASL Authentication

SASL (Simple Authentication and Security Layer) is the Internet standard framework for LDAP client authentication, enabling a wide range of password-based (and other) authentication mechanisms. The Isode SASL implementation supports a number of authentication mechanisms, giving flexibility in how clients authenticate. SASL also enables authentication using simple string names (as opposed to directory distinguished names), which is convenient for applications that use directory-based authentication.
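To make the ticket flow concrete, here is an added Python simulation of the three Kerberos exchanges (AS, TGS and AP). It is example code written for this post, not Isode's or Microsoft's implementation: the principal names, passwords and service keys are made up, and a toy HMAC-based cipher stands in for Kerberos' real encryption types. It shows the SSO property (the password is used once, then tickets do the work), a replay cache on the service side, and that a ticket issued for one service is useless at another. An LDAP server offering the SASL GSSAPI mechanism receives exactly this kind of AP-REQ inside the bind.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket lifetime in seconds
SKEW = 300            # maximum clock skew accepted in authenticators

def key_from_password(principal, password):
    # Stand-in for Kerberos string-to-key (real etypes derive an AES key with the principal's salt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    # Keystream for the toy cipher: HMAC-SHA256 in counter mode.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag), standing in for Kerberos encryption."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def _fresh(auth, ticket, now):
    # Authenticator must name the ticket's client and be within skew; ticket must be unexpired.
    return auth["client"] == ticket["client"] and now <= ticket["exp"] and abs(now - auth["ts"]) <= SKEW

class KDC:
    """Trusted third party: the only place every principal's long-term key is stored."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.keys["krbtgt"] = os.urandom(32)            # key that seals ticket-granting tickets

    def as_exchange(self, client, preauth):
        ckey = self.keys[client]
        if abs(time.time() - unseal(ckey, preauth)["ts"]) > SKEW:   # PA-ENC-TIMESTAMP check
            raise ValueError("pre-authentication failed")
        skey, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "skey": skey, "exp": exp})
        return tgt, seal(ckey, {"skey": skey, "exp": exp})   # AS-REP: TGT + session key

    def tgs_exchange(self, tgt, authenticator, service):
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        if not _fresh(auth, t, time.time()):
            raise ValueError("TGS request rejected")
        skey2 = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "skey": skey2, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": skey2, "service": service})

class Service:
    """Application server (e.g. the LDAP directory): verifies AP-REQs with its own key only."""
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        if not _fresh(auth, t, time.time()):
            return None
        if (auth["client"], auth["ts"], auth["usec"]) in self.replay_cache:   # replayed AP-REQ
            return None
        self.replay_cache.add((auth["client"], auth["ts"], auth["usec"]))
        return t["client"]                             # authenticated principal name

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc = name, kdc
        key = key_from_password(name, password)        # the password is used exactly once (SSO)
        self.tgt, enc = kdc.as_exchange(name, seal(key, {"ts": time.time()}))
        self.tgt_skey = bytes.fromhex(unseal(key, enc)["skey"])

    def _authenticator(self, skey):
        return seal(skey, {"client": self.name, "ts": time.time(), "usec": os.urandom(4).hex()})

    def ap_req(self, service):
        ticket, enc = self.kdc.tgs_exchange(self.tgt, self._authenticator(self.tgt_skey), service)
        skey2 = bytes.fromhex(unseal(self.tgt_skey, enc)["skey"])
        return ticket, self._authenticator(skey2)      # AP-REQ = service ticket + authenticator

def demo():
    ldap_key, imap_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": key_from_password("alice", "correct horse"),
               "ldap/ds.example.com": ldap_key, "imap/mail.example.com": imap_key})
    ldap = Service("ldap/ds.example.com", ldap_key)
    imap = Service("imap/mail.example.com", imap_key)
    alice = Client("alice", "correct horse", kdc)
    results = {"ldap": ldap.ap_exchange(*alice.ap_req(ldap.name)),   # one password, two services
               "imap": imap.ap_exchange(*alice.ap_req(imap.name))}
    ticket, auth = alice.ap_req(ldap.name)
    results["first"] = ldap.ap_exchange(ticket, auth)
    results["replay"] = ldap.ap_exchange(ticket, auth)               # same AP-REQ again
    try:                                              # IMAP ticket is sealed under IMAP's key, not LDAP's
        ldap.ap_exchange(*alice.ap_req(imap.name))
        results["wrong_service"] = "accepted"
    except ValueError:
        results["wrong_service"] = "rejected"
    try:
        Client("alice", "wrong password", kdc)
        results["bad_password"] = "accepted"
    except ValueError:
        results["bad_password"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The pre-authentication step matters: without it the AS-REP would be handed to anyone who asks, and its client-key-encrypted part could be attacked offline by password guessing. The replay cache keyed on client, timestamp and microseconds is what real Kerberos services keep for the skew window.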


http://www.isode.com/products/m-vault-security.html
http://www.isode.com/whitepapers/kerberos.html
http://www.gracion.com/server/whatldap.html

X.500 Security Feature

X.500


What is X.500?


X.500 is a standard created by ISO/ITU-T that defines an information model and protocols for a directory service independent of computer application and network platform.


First published in 1988 and updated in 1993 and 1997, it specifies a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search.

The X.500 protocol architecture is client-server, with the two sides communicating over the Open Systems Interconnection (OSI) protocol stack. The client is called the Directory User Agent (DUA) and the server is called the Directory System Agent (DSA).

Security Features
  • Access Control
Access control has been part of X.500 since the standard was first created. It restricts what a user may see or change in the directory according to the user's level of authentication (none, simple password, or strong), so that only authorized users reach protected entries.


  • Strong Authentication 


Based on X.509 public key infrastructure (PKI), Isode's strong authentication is provided for all X.500 protocols (DAP, DSP and DISP). This provides additional integrity and audit security for individual operations, and allows chained updates to be authenticated using a digital signature from the originating directory client.

Signed operations are also used for the X.500 DISP replication protocol, providing the same per operation security as for DAP and DSP.

A certification authority issues a certificate binding a public key to a particular distinguished name, in the X.500 tradition, or to an alternative name such as a DNS entry.

http://www.isode.com/products/m-vault-directory.html

5 Jan 2012

MBWS Tutorial


GSM Security Feature, Threats and Solution

Security Feature

The aim of GSM security is to make the GSM system as secure as the Public Switched Telephone Network (PSTN) and to prevent phone cloning. Because GSM uses the air as its transmission medium, it is exposed to a number of potential threats from eavesdropping.

The security features are:

  • Subscriber identity protection using a Temporary Mobile Subscriber Identity (TMSI), which is assigned to each mobile phone so that the permanent identity (IMSI) is rarely sent over the air
  • User anonymity, designed to protect the user against someone tracking the user's location or identifying calls made to or from that user by eavesdropping on the radio path
  • Key management scheme: Ki, the 128-bit subscriber authentication key, is shared only between the SIM and the operator and is used to authenticate the user to the operator
  • Detection of compromised equipment using the International Mobile Equipment Identifier (IMEI), the Equipment Identity Register (EIR) and the Central Equipment Identity Register (CEIR)
  • Subscriber authentication, which protects the network against unauthorized users by challenge-response authentication of users by the operator
  • Signalling and user data protection, used to protect data and signalling over the radio path
Threats
  • Microwave links: the link between the base station (BTS) and the BSC is a point-to-point microwave link, and this link can be eavesdropped.
  • False base station: the MS is authenticated to the network, but the network is not authenticated to the MS, so GSM provides only unilateral authentication. This allows attacks on the mobile user by luring the MS into connecting to a fake base station. Setting up a base station was expensive at the time, so the threat was considered rare.
  • Denial of service (DoS): an attack that causes the network not to transmit messages, or causes it to send messages it should not. The network cannot distinguish real traffic from fake traffic.
Solution
  • Subscriber authentication protects the network against unauthorized users by challenge-response authentication of users by the operator.
Following Spatscheck, there are three key points for preventing DoS attacks:
  • Accounting for all resources consumed, per client
  • Detection of any client that uses too many resources
  • Containment, which reclaims the tied-up resources after detection while dedicating minimal additional server resources to the task, thus preventing a follow-up attack
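The three points are easier to see in code. Below is an added Python example (mine, not Spatscheck's code) of a per-client resource accountant with detection and containment, replayed against a constructed timeline in which one client floods context-create requests while another behaves normally; the quota, window and penalty values are arbitrary.

```python
import time
from collections import defaultdict

class ResourceAccountant:
    """Accounting, detection and containment for one server resource (here: signalling
    contexts a client may open). quota = units a client may consume per window; penalty =
    seconds a contained client is refused. `clock` is injectable so a constructed timeline
    can be replayed."""
    def __init__(self, quota, window=60.0, penalty=300.0, clock=time.monotonic):
        self.quota, self.window, self.penalty, self.clock = quota, window, penalty, clock
        self.usage = defaultdict(list)   # accounting: client -> [(time, units)] within window
        self.held = defaultdict(int)     # units the client currently holds (what containment reclaims)
        self.blocked = {}                # containment: client -> time until which it is refused

    def request(self, client, units=1):
        """Grant `units` to `client` (True) or refuse and contain it (False)."""
        now = self.clock()
        if self.blocked.get(client, 0.0) > now:        # contained: refuse cheaply, no new state
            return False
        self.usage[client] = [(t, u) for t, u in self.usage[client] if now - t <= self.window]
        consumed = sum(u for _, u in self.usage[client])
        if consumed + units > self.quota:              # detection: this client is over quota
            self.contain(client, now)
            return False
        self.usage[client].append((now, units))        # accounting
        self.held[client] += units
        return True

    def release(self, client, units=1):
        self.held[client] = max(0, self.held[client] - units)

    def contain(self, client, now):
        """Reclaim everything the client holds and drop its history; keep only one block record."""
        reclaimed = self.held.pop(client, 0)
        self.usage.pop(client, None)
        self.blocked[client] = now + self.penalty
        return reclaimed

# Constructed timeline: (seconds, client, action). "attacker" floods context-create requests;
# "phone-a" behaves normally.
EVENTS = (
    [(float(i), "attacker", "create") for i in range(8)]
    + [(1.5, "phone-a", "create"), (2.5, "phone-a", "release"), (3.5, "phone-a", "create"),
       (100.0, "attacker", "create"), (400.0, "attacker", "create")]
)

def simulate(events=EVENTS, quota=5, window=60.0, penalty=300.0):
    """Replay the timeline in time order; returns the decision log and the accountant."""
    clock = {"now": 0.0}
    acct = ResourceAccountant(quota, window, penalty, clock=lambda: clock["now"])
    log = []
    for t, client, action in sorted(events):
        clock["now"] = t
        if action == "create":
            log.append((t, client, "granted" if acct.request(client) else "refused"))
        else:
            acct.release(client)
            log.append((t, client, "released"))
    return log, acct

def decisions(log, client):
    return [d for _, c, d in log if c == client]

if __name__ == "__main__":
    for entry in simulate()[0]:
        print(entry)
```

With a quota of five per minute the attacker's sixth request trips detection, everything it holds is reclaimed in one step, and for the next five minutes each further request costs the server only a dictionary lookup; the well-behaved client is never affected.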

GPRS Security Feature, Threats and Solution

Security Feature
The security features of GPRS are very similar to those of the GSM standard:
  • Identity confidentiality: to provide privacy to the user, a Temporary Logical Link Identifier (TLLI) is used, combined with the Routing Area Identity (RAI) to avoid ambiguity; the identity is stored in the database of each SGSN.
  • Identity authentication is done by the SGSN. Authentication triplets (random number RAND, signed response SRES and ciphering key Kc) are obtained from the HLR/AuC and kept by the SGSN.
  • Signalling and user data protection, used to protect data and signalling over the radio path
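The following added Python example (written for this post, not taken from the GSM/GPRS specifications or from the references) models the subscriber authentication described in the GSM section above and the SGSN triplet caching described here: the HLR/AuC holds Ki and issues (RAND, SRES, Kc) triplets, the SIM answers the challenge, and the serving node compares SRES and assigns a temporary identity. HMAC-SHA256 stands in for the operator's A3/A8 (the outputs are cut to GSM's 32-bit SRES and 64-bit Kc), and the IMSI and Ki are constructed. It also shows the weakness behind the false base station threat: the SIM answers any RAND without being able to verify the network.

```python
import hashlib
import hmac
import os

def a3_a8(ki, rand):
    """Stand-in for the operator's A3/A8 algorithms (COMP128 in early GSM). As in GSM the
    result is a 32-bit signed response SRES and a 64-bit ciphering key Kc, both derived
    from the 128-bit Ki and the 128-bit challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """HLR/AuC: the only network element holding Ki; hands out triplets (RAND, SRES, Kc)."""
    def __init__(self, subscribers):        # imsi -> Ki
        self.ki = dict(subscribers)

    def triplets(self, imsi, n=5):
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3_a8(self.ki[imsi], rand)
            out.append((rand, sres, kc))
        return out

class SIM:
    """Mobile side. Ki never leaves the SIM; it answers any RAND with no way to check who asked."""
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand):
        sres, self.kc = a3_a8(self.ki, rand)
        return sres                           # only SRES goes over the air; Kc stays on the MS

class SGSN:
    """Serving node (SGSN in GPRS, MSC/VLR in GSM): caches triplets fetched from the HLR/AuC,
    runs the challenge-response, and allocates a temporary identity so the IMSI is rarely sent."""
    def __init__(self, auc):
        self.auc, self.cache, self.temp_ids = auc, {}, {}

    def authenticate(self, imsi, respond):
        if not self.cache.get(imsi):
            self.cache[imsi] = self.auc.triplets(imsi)   # one HLR round trip, several authentications
        rand, sres, kc = self.cache[imsi].pop(0)
        if not hmac.compare_digest(sres, respond(rand)):  # respond() is the MS answering RAND
            return None
        tmsi = os.urandom(4)                            # TMSI (GSM) / P-TMSI (GPRS)
        self.temp_ids[tmsi] = imsi
        return tmsi, kc                                 # Kc is now shared for radio-path ciphering

def demo():
    imsi, ki = "262011234567890", os.urandom(16)       # constructed subscriber
    auc, sim = AuC({imsi: ki}), SIM(imsi, ki)
    sgsn = SGSN(auc)
    clone = SIM(imsi, os.urandom(16))                   # knows the IMSI, not Ki
    result = sgsn.authenticate(imsi, sim.run_gsm_algorithm)
    return {
        "genuine_accepted": result is not None,
        "kc_agrees": result is not None and result[1] == sim.kc,
        "clone_rejected": sgsn.authenticate(clone.imsi, clone.run_gsm_algorithm) is None,
        "triplets_left": len(sgsn.cache[imsi]),
        # Unilateral authentication: a false base station with no Ki still gets an SRES back.
        "false_bs_gets_sres": len(sim.run_gsm_algorithm(os.urandom(16))) == 4,
    }

if __name__ == "__main__":
    print(demo())
```

Note that nothing in the exchange lets the SIM reject the last challenge: the MS proves itself to whoever sent RAND, which is exactly what a fake base station exploits. UMTS later fixed this by adding a network authentication token to the challenge.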
Threats
  • GGSN exhaustion: an attacker can create and forward GTP commands (i.e., PDP Context Create, Delete or Update) to a GGSN, overloading it and altering the service contexts of users. This results in denial of service (DoS).
  • Viruses, trojans, malware and spyware: GPRS is designed to let users reach the Internet, the terminal equipment is "always on", and it runs software such as a web browser and an email client, so the equipment is exposed to malicious code. Because such terminals can execute downloaded code, malware can monitor the user's usage, make calls without the user's knowledge, and so on.

Solution
  • A range of antivirus software has been developed to scan for viruses, and firewalls can be used to block such attacks.
References


Xenakis, C. & D. A. (n.d.). A Qualitative Risk Analysis for the GPRS Technology. Retrieved Jan 04, 2012, from citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.148

Howard, P. (n.d.). IIR-Overview. Retrieved Jan 04, 2012, from http://www.isrc.rhul.ac.uk/useca/OtherPublications/IIR-overview.pdf

Kröger, C. (n.d.). GSM security. Retrieved Jan 04, 2012, from http://referaat.cs.utwente.nl/TSConIT/download.php?id=951

Stepanov, M. (n.d.). GSM Security Overview. Retrieved Jan 04, 2012, from www.cs.huji.ac.il/~sans/students_lectures/GSM%20Security.ppt