320 likes | 456 Vues
Staying Secure During an NT to Windows 2000 Migration. Paul Hinsberg, MCSE, MBA CEO, CRSD Inc http://www.crsdinc.com. Introduction. Sources of Risk Points of Risk During Migration Understanding the Tools Risks related to Services. Sources of Risk. Lack of Direction
E N D
Staying Secure During an NT to Windows 2000 Migration Paul Hinsberg, MCSE, MBA CEO, CRSD Inc http://www.crsdinc.com
Introduction • Sources of Risk • Points of Risk During Migration • Understanding the Tools • Risks related to Services Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Sources of Risk • Lack of Direction • Lack of Planning/Testing • Lack of Knowledge Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Points of Risk During Migration • Planning Phase • Preparation • Implementation • Post-Implementation Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Planning Phase • Clear understanding of direction • Knowing what the Domain and OU structure will look like in the end • Established Group Policies • Understand the Business Objectives Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Preparation • Evaluation of Systems • Review of the types of Services in your enterprise • Separation of client facing and internal • Evaluation of Security • Review of the Permissions, roles, and measures Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Evaluation of Systems • Identify all Servers and services • RAS, DHCP, Exchange, IIS, Terminal Services… RAS will often require Windows 2000 security to be relaxed in order to accommodate users. DHCP servers will need to be authorized in order to function correctly and depending on configuration carries risks. Exchange 5.5 has its own directory and will need special care in order to migrate to Exchange 2000. IIS implies outside access. Security should already be a focus here. Terminal Services/Citrix will need some attention to maintain user access. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Evaluation of Security • Understand the current security model completely • User group memberships • Understanding SID History will be paramount • File Server DACL • Cleaning this up will be tedious, but there are tools to help! • System Policies • You’ve created your own personal nightmare. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Security Evaluation Tools • SCM – Security Configuration Manager • NT 4.0 SP 4+ • Careful ! Q195509 • AddUsers.exe – Resource Kit • ADMT for DACL Cleanup • Timing is important on this one! Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Implementation • Migration Types have different Risks • Groups/User Accounts • How other services influence security Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Migration Types • In-place • Restructure-migration combination • Moving to a pristine environment Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Inplace • PDC/BDC is upgraded “as is” • Offers benefits of reduced migration time • Carries all of the old infrastructure baggage from old NT domain • Operation and security are different then a new build! Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Inplace Security Issues • NT 4.0 User groups are moved as is. • Everyone group exists and allows unauthenticated users • Physical security of DCs is often missed Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Restructure-migration combination • Reorganization of Domains/Users/Groups is done before or after migration • Preparation of NT 4.0 domain is required • Or Reorganization of domains afterward • Multiple phases can lead to disorganization • Best when building a pristine is not an option Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Restructure Security Issues • From a security standpoint requires the most diligence • Inadvertent access to Administrative level accounts is often missed • Frustration levels can be high leading to relaxed security • Switch to Native Mode can cause operation issues. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Pristine • Building a Windows 2000 AD and then migrate users • Allows for the least impact on users and reduces outage risks • Takes longer! • User Migration opens security risks Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Pristine Security Issues • Planning is a big key, and may often be rushed through • ADMT and Cloning of user accounts carries inherent security issues • Post-Migration cleanup is critical Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Groups/User Accounts • Clean up the groups and user accounts on DCs prior to any migration (ADDUSERS/NET USERS) • Must be done before AND after migration • Special Attention to Administrators and Domain Admins groups • SID History Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
SID History • Windows 2000 eases migration by allowing a SID History to Exist Pre-Migration PaulHins User SID 1-5-46-4562654-23423523-33.. Groups 1-5-46-243623-346234626-44.. 1-5-46-454982-132423423-43.. Post-Migration PaulHins User SID 1-5-46-4326256-45236356-44… OLD USER SID 1-5-46-4562654-23423523-33.. (treated as a group) Groups 1-5-46-243623-346234626-44.. (old NT 4.0 groups) 1-5-46-454982-132423423-43.. 1-5-46-456456-234123421-86.. (win2k groups) 1-5-46-346456-53453453-99.. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
SID History Issues • ADMT/Clone can allow a properly authorized user to insert SID of one account into the username of another. • Objects can only have 1,024 SIDs associated. Companies with many nested groups could run into a problem. • Post-Migration Cleanup is required Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Other Services • Services sometimes need administrative access (more often they are given the access although not required) • Service accounts will need to be treated separately during migration • Some systems that will need special attention: SMS, RAS, Exchange Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
RAS • RAS (including VPN, Dialup, etc) may require some relaxed security on Windows 2000 in order to operate during the migration (Mixed Mode) • The general solution is to allow the EVERYONE group to read user attributes. Thus, unauthenticated users can see user accounts. • Upgrading RAS systems to Windows 2000 as soon as possible is best Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
DHCP • Has the ability to dynamically update machine records • If installed on a Domain Controller can lead to security holes – Q255134, Q309625 • Requires authorization to operate correctly. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
DNS • Windows 2000 DNS allows for Dynamic Updates. • Until the Domain is in Native Mode Dynamic Updates may not be an option • This can permit unauthorized updates to the DNS or force you to perform manual entries. • Understanding this vulnerability and monitoring the changes is key Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Post Implementation • DACL Cleanup • Access Control Lists are the most tedious task, but a required one. The SIDs from the previous domains may still exist and need to be cleared. • SID History • Old SIDs represent clutter and a security issue. The ADSI Edit Tool can find and cleans these out. • Native Mode Transition Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Tools of the Trade • Active Directory Migration Tool (ADMT) • ClonePrincipal • ADSI • NT Resource Kit • Windows 2000 Support Tools Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
ADMT/Clone • In a migration the Active Directory Migration Tool is going to be one of the main weapons • https://www.microsoft.com/windows2000/downloads/tools/default.asp Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
ADMT Reports • Migrated Users and Groups Report • This report summarizes the results of the user and group migration operations. • Migrated Computers Report • This report summarizes the results of the computer migration operations. • Expired Computers Report • This report lists the computer accounts with expired passwords. • Impact Analysis Report • This report lists the user accounts and groups that will be affected by computer migration operations. • Name Conflicts Report • This report lists the user accounts and groups that exist in both the source and target domains. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
ADMT Use • Only local Administrators on the DCs will be able to use the tool • Only install the tool on Windows 2000 DC that will be used to migrate the users. • Use NTFS permissions to further restrict the running of the tool on the system. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
ADSI Edit • An MMC Snap-in that is used to search for the SID History for the users. • To Perform the Search Connect to a domain. • Create a query, cut and paste this… (&(objectCategory=user)(SIDhistory=*)) • Then Run it • ADSI Scripting allows for the removal of SID History (the GUI Does NOT). Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Don’t Let Frustration Rule You! • Planning, Testing and Patience will be your best defense against the pressure and complexities of the migration! Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com
Questions! Please click the Ask a Question link in the lower left part of the screen to submit a question. Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com