
Staying Secure During an NT to Windows 2000 Migration






Presentation Transcript


  1. Staying Secure During an NT to Windows 2000 Migration
     Paul Hinsberg, MCSE, MBA
     CEO, CRSD Inc
     http://www.crsdinc.com

  2. Introduction
     • Sources of Risk
     • Points of Risk During Migration
     • Understanding the Tools
     • Risks related to Services
     Staying Secure During an NT to Windows 2000 Migration Paulhins@crsdinc.com

  3. Sources of Risk
     • Lack of Direction
     • Lack of Planning/Testing
     • Lack of Knowledge

  4. Points of Risk During Migration
     • Planning Phase
     • Preparation
     • Implementation
     • Post-Implementation

  5. Planning Phase
     • Clear understanding of direction
     • Knowing what the Domain and OU structure will look like in the end
     • Established Group Policies
     • Understand the Business Objectives

  6. Preparation
     • Evaluation of Systems
       • Review of the types of Services in your enterprise
       • Separation of client-facing and internal
     • Evaluation of Security
       • Review of the Permissions, roles, and measures

  7. Evaluation of Systems
     • Identify all Servers and services
       • RAS, DHCP, Exchange, IIS, Terminal Services…
     RAS will often require Windows 2000 security to be relaxed in order to accommodate users. DHCP servers will need to be authorized in order to function correctly and, depending on configuration, carry risks. Exchange 5.5 has its own directory and will need special care in order to migrate to Exchange 2000. IIS implies outside access; security should already be a focus here. Terminal Services/Citrix will need some attention to maintain user access.

  8. Evaluation of Security
     • Understand the current security model completely
     • User group memberships
       • Understanding SID History will be paramount
     • File Server DACL
       • Cleaning this up will be tedious, but there are tools to help!
     • System Policies
       • You’ve created your own personal nightmare.

  9. Security Evaluation Tools
     • SCM – Security Configuration Manager
       • NT 4.0 SP 4+
       • Careful! Q195509
     • AddUsers.exe – Resource Kit
     • ADMT for DACL Cleanup
       • Timing is important on this one!

  10. Implementation
     • Migration Types have different Risks
     • Groups/User Accounts
     • How other services influence security

  11. Migration Types
     • In-place
     • Restructure-migration combination
     • Moving to a pristine environment

  12. In-place
     • PDC/BDC is upgraded “as is”
     • Offers benefits of reduced migration time
     • Carries all of the old infrastructure baggage from the old NT domain
     • Operation and security are different than a new build!

  13. In-place Security Issues
     • NT 4.0 User groups are moved as is.
     • Everyone group exists and allows unauthenticated users
     • Physical security of DCs is often missed

  14. Restructure-migration combination
     • Reorganization of Domains/Users/Groups is done before or after migration
       • Preparation of NT 4.0 domain is required
       • Or Reorganization of domains afterward
     • Multiple phases can lead to disorganization
     • Best when building a pristine environment is not an option

  15. Restructure Security Issues
     • From a security standpoint requires the most diligence
     • Inadvertent access to Administrative level accounts is often missed
     • Frustration levels can be high, leading to relaxed security
     • Switch to Native Mode can cause operation issues.

  16. Pristine
     • Building a Windows 2000 AD and then migrating users
     • Allows for the least impact on users and reduces outage risks
     • Takes longer!
     • User Migration opens security risks

  17. Pristine Security Issues
     • Planning is a big key, and may often be rushed through
     • ADMT and Cloning of user accounts carry inherent security issues
     • Post-Migration cleanup is critical

  18. Groups/User Accounts
     • Clean up the groups and user accounts on DCs prior to any migration (ADDUSERS/NET USERS)
     • Must be done before AND after migration
     • Special Attention to Administrators and Domain Admins groups
     • SID History

  19. SID History
     • Windows 2000 eases migration by allowing a SID History to exist
     Pre-Migration
       PaulHins User SID: 1-5-46-4562654-23423523-33..
       Groups:            1-5-46-243623-346234626-44..
                          1-5-46-454982-132423423-43..
     Post-Migration
       PaulHins User SID: 1-5-46-4326256-45236356-44…
       OLD USER SID:      1-5-46-4562654-23423523-33.. (treated as a group)
       Groups:            1-5-46-243623-346234626-44.. (old NT 4.0 groups)
                          1-5-46-454982-132423423-43..
                          1-5-46-456456-234123421-86.. (win2k groups)
                          1-5-46-346456-53453453-99..

  20. SID History Issues
     • ADMT/Clone can allow a properly authorized user to insert the SID of one account into the username of another.
     • Objects can only have 1,024 SIDs associated. Companies with many nested groups could run into a problem.
     • Post-Migration Cleanup is required
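The two slides above describe the mechanism (old SIDs ride along in sIDHistory and are treated like group memberships) and its two risks (a SID injected into the wrong account, and the 1,024-SID ceiling). The following Python model, added here and not part of the presentation, shows how a token accumulates SIDs through user and group history, why an old-domain DACL still grants access until the history is cleared, and the two audit checks a migration team wants before cleanup: history entries that carry a privileged well-known RID, and history entries from a domain other than the one being migrated. Every SID, account name and the privileged-RID watch list below are constructed sample data.

```python
"""How a Windows 2000 token accumulates SIDs through sIDHistory, plus the
audits slide 20 implies (privileged or foreign SIDs in the history, and the
1,024-SID ceiling).  Added example; every SID below is constructed."""
from dataclasses import dataclass, field

MAX_SIDS = 1024  # per-object SID limit cited on slide 20

# Well-known RIDs that should not normally appear in an ordinary user's
# sIDHistory (constructed watch list for the audit).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

OLD_DOMAIN = "S-1-5-21-1000-2000-3000"  # constructed: NT 4.0 source domain
NEW_DOMAIN = "S-1-5-21-4000-5000-6000"  # constructed: Windows 2000 target domain


@dataclass
class Principal:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # group names


def domain_of(sid):
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def build_token(user, groups):
    """All SIDs the user presents: own SID, own history, and for each group
    its SID and history.  Old SIDs therefore behave like extra groups."""
    token = {user.sid, *user.sid_history}
    for name in user.member_of:
        g = groups[name]
        token.add(g.sid)
        token.update(g.sid_history)
    return token


def access_check(token, dacl):
    """dacl: ordered (ace_type, sid) pairs.  The first ACE whose SID is in the
    token decides; no match is an implicit deny."""
    for ace_type, sid in dacl:
        if sid in token:
            return ace_type == "allow"
    return False


def audit_history(principals, expected_old_domain=OLD_DOMAIN):
    """Flag history entries that carry a privileged RID or that come from a
    domain other than the one being migrated."""
    findings = []
    for p in principals:
        for old in p.sid_history:
            if rid_of(old) in PRIVILEGED_RIDS:
                findings.append((p.name, old, "privileged RID: " + PRIVILEGED_RIDS[rid_of(old)]))
            elif domain_of(old) != expected_old_domain:
                findings.append((p.name, old, "unexpected source domain"))
    return findings


def token_size_ok(token):
    return len(token) <= MAX_SIDS


# Constructed directory: one migrated group, one ordinary migrated user and
# two accounts whose history should not pass an audit.
GROUPS = {"Staff": Principal("Staff", NEW_DOMAIN + "-1201", [OLD_DOMAIN + "-1201"])}
USERS = [
    Principal("PaulHins", NEW_DOMAIN + "-1105", [OLD_DOMAIN + "-1105"], ["Staff"]),
    Principal("svc_backup", NEW_DOMAIN + "-1106", [OLD_DOMAIN + "-512"]),
    Principal("jdoe", NEW_DOMAIN + "-1107", ["S-1-5-21-7-8-9-1300"]),
]
# A file share still ACL'd with the NT 4.0 group SID (constructed).
OLD_SHARE_DACL = [("allow", OLD_DOMAIN + "-1201")]


def strip_history(p):
    return Principal(p.name, p.sid, [], list(p.member_of))


def demo():
    """Access to the old share before and after history cleanup, plus findings."""
    paul = USERS[0]
    before = access_check(build_token(paul, GROUPS), OLD_SHARE_DACL)
    groups_clean = {k: strip_history(g) for k, g in GROUPS.items()}
    after = access_check(build_token(strip_history(paul), groups_clean), OLD_SHARE_DACL)
    return before, after, audit_history(USERS)


if __name__ == "__main__":
    b, a, f = demo()
    print("access via sIDHistory:", b, "| after cleanup:", a)
    for name, sid, why in f:
        print(f"REVIEW {name}: {sid} ({why})")
```

The before/after pair in `demo()` is the reason slide 25 insists on re-ACLing before stripping history: once the old SIDs are gone, any resource still ACL'd with them silently stops granting access. The audit runs over the directory export rather than the token, so it can be repeated after every ADMT batch.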

  21. Other Services
     • Services sometimes need administrative access (more often they are given the access although not required)
     • Service accounts will need to be treated separately during migration
     • Some systems that will need special attention: SMS, RAS, Exchange

  22. RAS
     • RAS (including VPN, dial-up, etc.) may require some relaxed security on Windows 2000 in order to operate during the migration (Mixed Mode)
     • The general solution is to allow the EVERYONE group to read user attributes. Thus, unauthenticated users can see user accounts.
     • Upgrading RAS systems to Windows 2000 as soon as possible is best

  23. DHCP
     • Has the ability to dynamically update machine records
     • If installed on a Domain Controller can lead to security holes – Q255134, Q309625
     • Requires authorization to operate correctly.

  24. DNS
     • Windows 2000 DNS allows for Dynamic Updates.
     • Until the Domain is in Native Mode, Dynamic Updates may not be an option
     • This can permit unauthorized updates to the DNS or force you to perform manual entries.
     • Understanding this vulnerability and monitoring the changes is key
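The last bullet above asks for monitoring of zone changes while dynamic updates are either open or being replaced by manual entries. The following Python snapshot-and-diff monitor is an added example, not from the presentation: it parses two exports of a zone in a simple one-record-per-line format (an assumed format, chosen for this illustration), reports every record set that was added, removed or changed, and rates changes to domain-controller host records and to SRV/NS/SOA records as high severity. The host names, addresses and both snapshots are constructed.

```python
"""Snapshot-and-diff monitor for a DNS zone in the window described on
slide 24, when dynamic updates may be open or entries are being made by hand.
Added example, not from the presentation; the zone text is constructed and
the snapshot format is a simple 'name TYPE data' line per record."""
from collections import defaultdict

# Constructed: hosts whose records matter most (domain controllers).
PROTECTED_HOSTS = {"dc1", "dc2"}
# Record types that steer clients to services; any change is high severity.
SENSITIVE_TYPES = {"SRV", "NS", "SOA"}


def parse_zone(text):
    """Return {(name, type): set(data)} from the snapshot text."""
    zone = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, rtype, data = line.split(None, 2)
        zone[(name.lower(), rtype.upper())].add(data.strip())
    return zone


def severity(name, rtype):
    if rtype in SENSITIVE_TYPES or name.split(".")[0] in PROTECTED_HOSTS:
        return "high"
    return "info"


def diff_zones(old, new):
    """List (change, severity, name, type, old_values, new_values) for every
    record set that differs between the two snapshots."""
    findings = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, set()), new.get(key, set())
        if o == n:
            continue
        change = "added" if not o else "removed" if not n else "changed"
        findings.append((change, severity(*key), key[0], key[1], sorted(o), sorted(n)))
    return findings


# Constructed snapshots taken before and after a day of migration work.
BEFORE = """
dc1.corp.test            A    10.0.0.10
dc2.corp.test            A    10.0.0.11
_ldap._tcp.corp.test     SRV  0 100 389 dc1.corp.test.
ws42.corp.test           A    10.0.1.42
"""
AFTER = """
dc1.corp.test            A    10.0.9.99      # DC address changed
dc2.corp.test            A    10.0.0.11
_ldap._tcp.corp.test     SRV  0 100 389 dc1.corp.test.
_ldap._tcp.corp.test     SRV  0 100 389 dc3.corp.test.  # unplanned SRV target
ws42.corp.test           A    10.0.1.42
ws77.corp.test           A    10.0.1.77      # new workstation, expected
"""


def report(before_text=BEFORE, after_text=AFTER):
    return diff_zones(parse_zone(before_text), parse_zone(after_text))


if __name__ == "__main__":
    for change, sev, name, rtype, o, n in report():
        print(f"[{sev}] {change:7} {name} {rtype}: {o} -> {n}")
```

Comparing whole record sets rather than single lines is what makes the added SRV target show up as a change to the `_ldap._tcp` set instead of an unremarkable new line; the two high-severity findings are exactly the ones that would redirect client logons, while the new workstation record is reported but not escalated.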

  25. Post Implementation
     • DACL Cleanup
       • Access Control Lists are the most tedious task, but a required one. The SIDs from the previous domains may still exist and need to be cleared.
     • SID History
       • Old SIDs represent clutter and a security issue. The ADSI Edit tool can find and clean these out.
     • Native Mode Transition
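The DACL cleanup bullet above is the step that most often gets skipped, and doing it by eye across a file server is how old-domain SIDs survive. The following Python audit is an added example, not from the presentation: it walks an exported share DACL, classifies each ACE by where its SID comes from (new domain, old domain with or without a migrated counterpart, well-known, or an unknown domain), and emits a cleanup step for each stale entry. It also flags Everyone allow ACEs for review, since slide 13 notes that on Windows 2000 the Everyone group admits unauthenticated users. The paths, SIDs, rights and the old-to-new SID map are all constructed; the export tuple layout is an assumption of this example.

```python
"""Post-migration DACL audit (slide 25): classify every ACE in an exported
share DACL and produce the cleanup step for each stale SID.  Added example,
not from the presentation; the SIDs, paths and migration map are constructed."""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
OLD_DOMAIN = "S-1-5-21-1000-2000-3000"  # constructed NT 4.0 domain
NEW_DOMAIN = "S-1-5-21-4000-5000-6000"  # constructed Windows 2000 domain
EVERYONE = "S-1-1-0"
WELL_KNOWN = {EVERYONE: "Everyone", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "BUILTIN\\Administrators"}

# Constructed old-SID -> new-SID map as recorded during account migration.
SID_MAP = {OLD_DOMAIN + "-1105": NEW_DOMAIN + "-1105",
           OLD_DOMAIN + "-1201": NEW_DOMAIN + "-1201"}

# Constructed DACL export: (path, ace_type, sid, rights).
SAMPLE_DACL = [
    (r"\\fs1\finance", "allow", NEW_DOMAIN + "-1201", "MODIFY"),
    (r"\\fs1\finance", "allow", OLD_DOMAIN + "-1201", "MODIFY"),  # stale twin
    (r"\\fs1\finance", "allow", OLD_DOMAIN + "-1105", "FULL"),    # only old SID present
    (r"\\fs1\hr", "allow", "S-1-5-21-7-8-9-1042", "READ"),        # domain no longer exists
    (r"\\fs1\hr", "allow", EVERYONE, "READ"),
    (r"\\fs1\hr", "allow", "S-1-5-18", "FULL"),
]


def plan_cleanup(dacl, sid_map, old_domain=OLD_DOMAIN, new_domain=NEW_DOMAIN):
    """Return (path, action, sid, detail) steps; ACEs that need nothing are skipped."""
    present = {(path, ace_type, sid) for path, ace_type, sid, _ in dacl}
    plan = []
    for path, ace_type, sid, rights in dacl:
        if not SID_RE.match(sid):
            plan.append((path, "review", sid, "not a SID; export line is malformed"))
            continue
        domain = sid.rsplit("-", 1)[0]
        if sid in WELL_KNOWN:
            if sid == EVERYONE and ace_type == "allow":
                # Slide 13: on Windows 2000, Everyone includes unauthenticated users.
                plan.append((path, "review", sid, "Everyone is granted " + rights))
        elif domain == new_domain:
            continue                                   # already on the new domain
        elif domain == old_domain:
            new_sid = sid_map.get(sid)
            if new_sid is None:
                plan.append((path, "remove", sid, "old-domain SID never migrated"))
            elif (path, ace_type, new_sid) in present:
                plan.append((path, "remove", sid, "duplicate of migrated ACE " + new_sid))
            else:
                plan.append((path, "replace", sid, "re-ACL to " + new_sid))
        else:
            plan.append((path, "remove", sid, "unresolvable SID from unknown domain"))
    return plan


if __name__ == "__main__":
    for path, action, sid, detail in plan_cleanup(SAMPLE_DACL, SID_MAP):
        print(f"{action:7} {path:14} {sid}  ({detail})")
```

The ordering matters for the slide's warning that ADMT timing is important: `replace` steps have to be applied while the old SID still resolves, and only then can sIDHistory be cleared, whereas `remove` steps for duplicates and unresolvable SIDs are safe at any time.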

  26. Tools of the Trade
     • Active Directory Migration Tool (ADMT)
     • ClonePrincipal
     • ADSI
     • NT Resource Kit
     • Windows 2000 Support Tools

  27. ADMT/Clone
     • In a migration the Active Directory Migration Tool is going to be one of the main weapons
     • https://www.microsoft.com/windows2000/downloads/tools/default.asp

  28. ADMT Reports
     • Migrated Users and Groups Report
       • This report summarizes the results of the user and group migration operations.
     • Migrated Computers Report
       • This report summarizes the results of the computer migration operations.
     • Expired Computers Report
       • This report lists the computer accounts with expired passwords.
     • Impact Analysis Report
       • This report lists the user accounts and groups that will be affected by computer migration operations.
     • Name Conflicts Report
       • This report lists the user accounts and groups that exist in both the source and target domains.

  29. ADMT Use
     • Only local Administrators on the DCs will be able to use the tool
     • Only install the tool on the Windows 2000 DC that will be used to migrate the users.
     • Use NTFS permissions to further restrict the running of the tool on the system.

  30. ADSI Edit
     • An MMC Snap-in that is used to search for the SID History for the users.
     • To perform the search, connect to a domain.
     • Create a query; cut and paste this… (&(objectCategory=user)(SIDhistory=*))
     • Then run it
     • ADSI Scripting allows for the removal of SID History (the GUI does NOT).
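The query on this slide is an LDAP search filter, and the same filter is what a cleanup script hands to the directory when it goes beyond what the GUI can do. The following Python evaluator is an added example, not part of the presentation and not an ADSI binding: it parses the RFC 4515 subset the slide needs (AND, OR, NOT, equality and the `attr=*` presence test), matches filters against an exported object list offline, and lists the delete-attribute operations a cleanup pass would issue for each hit. Attribute names are compared case-insensitively, which is why `SIDhistory` on the slide matches the attribute's canonical spelling `sIDHistory`. The directory entries are constructed, and `objectCategory` is stored as the short name `user` for brevity where a real domain stores a schema DN.

```python
"""A small evaluator for the LDAP search filter used on slide 30, so the
query can be tried against an exported object list without a live domain.
Added example; the parser covers the RFC 4515 subset AND (&), OR (|),
NOT (!), equality and presence (attr=*), and the objects are constructed."""


def parse_filter(text):
    """Parse a filter string into a tree of tuples; ValueError on bad input."""

    def ch(i):
        return text[i] if i < len(text) else ""

    def parse(i):
        if ch(i) != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if ch(i) in ("&", "|"):
            op, i, children = ch(i), i + 1, []
            while ch(i) == "(":
                child, i = parse(i)
                children.append(child)
            if ch(i) != ")":
                raise ValueError("unterminated %s at %d" % (op, i))
            return (op, children), i + 1
        if ch(i) == "!":
            child, i = parse(i + 1)
            if ch(i) != ")":
                raise ValueError("unterminated ! at %d" % i)
            return ("!", [child]), i + 1
        end = text.index(")", i)            # ValueError if no closing paren
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad item %r" % text[i:end])
        return ("=", attr.lower(), value), end + 1   # attribute names are case-insensitive

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def normalize(entry):
    """Lower-case attribute names and make every value a list."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test: attribute has a value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(directory, filter_text):
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in map(normalize, directory) if matches(node, e)]


def cleanup_ops(directory, filter_text):
    """The modify operations a cleanup script would issue for every hit:
    delete the whole sIDHistory attribute."""
    return [(dn, "delete", "sIDHistory") for dn in search(directory, filter_text)]


SLIDE_FILTER = "(&(objectCategory=user)(SIDhistory=*))"

# Constructed export.  Real AD stores objectCategory as a schema DN and
# resolves the short name 'user'; the short form is used here for brevity.
SAMPLE_DIRECTORY = [
    {"dn": "CN=PaulHins,OU=Staff,DC=corp,DC=test", "objectCategory": "user",
     "sIDHistory": ["S-1-5-21-1000-2000-3000-1105"]},
    {"dn": "CN=jdoe,OU=Staff,DC=corp,DC=test", "objectCategory": "user"},
    {"dn": "CN=Staff,OU=Groups,DC=corp,DC=test", "objectCategory": "group",
     "sIDHistory": ["S-1-5-21-1000-2000-3000-1201"]},
]

if __name__ == "__main__":
    for op in cleanup_ops(SAMPLE_DIRECTORY, SLIDE_FILTER):
        print(op)
```

Note that the slide's filter deliberately restricts itself to `objectCategory=user`; migrated groups carry sIDHistory too (slide 19 shows the old group SIDs riding along), so a complete cleanup pass widens the filter with an OR over `user` and `group`, which the evaluator handles the same way.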

  31. Don’t Let Frustration Rule You!
     • Planning, Testing and Patience will be your best defense against the pressure and complexities of the migration!

  32. Questions!
     Please click the Ask a Question link in the lower left part of the screen to submit a question.
