1 / 74

Securing Access in a Heterogeneous Network Environment

Securing Access in a Heterogeneous Network Environment. Providing Interoperability between Microsoft Windows 2000 and Heterogeneous Networks Securing Authentication in a Heterogeneous Network Designing Directory Synchronization and Integration Securing Access to Windows 2000 Resources

merle
Télécharger la présentation

Securing Access in a Heterogeneous Network Environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Access in a Heterogeneous Network Environment • Providing Interoperability between Microsoft Windows 2000 and Heterogeneous Networks • Securing Authentication in a Heterogeneous Network • Designing Directory Synchronization and Integration • Securing Access to Windows 2000 Resources • Securing Windows 2000 User Access to Heterogeneous Networks

  2. Providing Interoperability Between Windows 2000 and Heterogeneous Networks • AppleTalk Network Integration Services • Microsoft Services for Netware 5.0 • Microsoft Services for UNIX 2.0

  3. AppleTalk Network Integration Services • Formerly known as Services for Macintosh • File Services for Macintosh • Allows Macintosh users to authenticate with the network and access file resources by creating Macintosh-accessible volumes • Print Services for Macintosh • Allows Macintosh users to access print servers in a Microsoft Windows 2000 network

  4. Microsoft Services for Netware 5.0 • Microsoft Directory Synchronization Services (MSDSS) • Microsoft File Migration Utility • File and Print Services for NetWare (FPNW)

  5. Microsoft Services for UNIX 2.0 • Network File System (NFS) software • Telnet services • Management tools • Network Information Services (NIS) • Two-Way Password Synchronization • User Name Mapping

  6. Making the Decision: Designing Secure Integration • File Services for Macintosh • Print Services for Macintosh • MSDSS • FPNW • NIS Services • NFS Services • Two-Way Password Synchronization • User Name Mapping

  7. Applying the Decision: Designing Secure Integration for Blue Yonder Airlines • Macintosh connectivity • Use File Services for Macintosh. • NetWare connectivity • Eventually migrate the NetWare resources at Consolidated Messenger to Windows 2000. • Use MSDSS during the premigration stage to synchronize user account passwords between Novell Directory Services (NDS) and Active Directory directory service. • Install FPNW on the BYDATA server to allow NetWare clients at Consolidated Messenger to connect to resources using native NetWare clients.

  8. Applying the Decision: Designing Secure Integration for Blue Yonder Airlines (Cont.) • UNIX connectivity • Deploy the NFS components from Services for UNIX 2.0 to ensure interoperability for the UNIX installations. • The NFS client allows Windows 2000 users to access scheduling and status reports on the UNIX NFS server. • The NFS server allows UNIX clients to connect to the BYDATA server using UNIX NFS clients. • Deploy Two-Way Password Synchronization to maintain the same password on both systems. • Deploy User Name Mapping to associate UNIX UIDs with Windows 2000 user accounts.

  9. Securing Authentication in a Heterogeneous Network • Securing authentication for Macintosh clients • Securing authentication for Novell clients • Securing authentication for UNIX clients

  10. Securing Authentication in a Heterogeneous Network: Overview • Authentication associates users with a security principal within Active Directory. • The credentials provided by the user authenticate the user with the network. • Once the user is authenticated, authorization can take place to limit access to specific authorized resources.

  11. Securing Authentication for Macintosh Clients • File Services for Macintosh • Windows 2000 authentication methods • No authentication • Apple Clear Text • Apple Standard Encryption • Microsoft User Authentication Module (MS-UAM) • Windows 2000 multiple domain network

  12. Making the Decision: Securing Macintosh User Authentication • Allow unauthenticated access to Macintosh users. • Allow all Macintosh clients to connect to the Windows 2000 server. • Require encrypted authentication. • Restrict supported authentication methods. • Limit access to a volume.

  13. Applying the Decision: Securing Macintosh User Authentication at Blue Yonder Airlines • Blue Yonder Airlines requires that Macintosh user authentication not allow interception of user passwords. • Configure File Services for Macintosh to allow only Apple Standard Encryption or the MS-UAM. • The MS-UAM supports 14-character passwords but requires installation of the MS-UAM at each Macintosh computer. • All Macintosh computers are located within the same department.

  14. Securing Authentication for Novell Clients • Windows 2000 Server running FPNW • A Windows 2000 server running FPNW emulates a NetWare 3.x server and allows NetWare clients to authenticate with the Windows 2000 server. • NetWare clients can access file and print services hosted by the Windows 2000 server, using native NetWare commands and utilities. • The NetWare clients must connect to the FPNW server using IPX/SPX protocols. • Configure the FPNW server to use the same frame type and internal network number. • Active Directory authentication • Configure user accounts as NetWare-enabled accounts in Active Directory Users And Computers. • Enable only the required accounts to Maintain NetWare Compatible Login in Active Directory Users And Computers. • Configure the Concurrent Connections option for a user account.

  15. Making the Decision: Securing NetWare User Authentication • Allow NetWare clients to authenticate with a Windows 2000 server. • Limit the number of simultaneous connections by a single user account. • Allow authentication by Microsoft Windows for Workgroups 3.11, Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows NT client computers.

  16. Applying the Decision: Securing NetWare User Authentication at Blue Yonder Airlines • If the client computers at the Consolidated Messenger office are running Windows 95 or later, consider installing both Microsoft and NetWare clients on the computers. • Install FPNW on the BYDATA server to allow NetWare clients to connect to the file server using native NetWare client software.

  17. UNIX Client Authentication Methods • Clear text • NIS • NTLM • Kerberos

  18. Making the Decision: Securing Authentication for UNIX Clients • Identify the applications that UNIX clients will use for accessing resources on the Windows 2000 network. • Design an authentication infrastructure to support the deployed applications based on the required authentication mechanisms. • Create accounts in Active Directory where necessary.

  19. Applying the Decision: Securing Authentication for UNIX Clients for Blue Yonder Airlines • NIS authentication • Use NIS to provide NFS access to UNIX users connecting to the BYDATA server. • Configure Active Directory to act as an NIS server by using Server for NIS. • Import the existing NIS source files from the UNIX NIS servers by using the NIS To Active Directory Migration Wizard. • Configure User Name Mapping so that the UID provided by a UNIX client is translated to a Windows 2000 security principal. • Use Two-Way Password Synchronization to synchronize the UNIX and Windows 2000 passwords.

  20. Applying the Decision: Securing Authentication for UNIX Clients for Blue Yonder Airlines (Cont.) • Kerberos inter-realm trust • Blue Yonder must establish an inter-realm trust between the blueyonder.tld domain and the UNIX Kerberos realm. • This inter-realm trust allows Active Directory users to authenticate with the UNIX database. • Only an inter-realm trust allows the UNIX Key Distribution Center (KDC) to recognize user credentials from Active Directory.

  21. Designing Directory Synchronization and Integration • Synchronizing Active Directory with a Novell directory • Securely synchronizing multiple directories • Integrating Active Directory with Kerberos realms

  22. Directory Synchronization Overview • Consider how multiple directories integrate to design a secure network. • Plan directory integration to prevent changes in one directory service from overwriting modifications in another directory service. • Plan to integrate authentication mechanisms supported in multiple operating systems.

  23. Using the MSDSS Application • Is included in Windows Services for NetWare 5.0 • Allows passwords to be synchronized between NDS user accounts and Active Directory user accounts based on mappings configured in MSDSS • Synchronizes account information between Active Directory and a NetWare bindery service from NetWare 3.x

  24. Making the Decision: Securing Directory Synchronization • Synchronize passwords between NDS and Active Directory by installing MSDSS on a Windows 2000 domain controller (DC). • Limit which attributes are synchronized by modifying the mapping table in MSDSS to map only the required attributes. • Perform password synchronization between NDS and Active Directory by installing Novell Client for Windows 2000 on the Windows 2000 client computers.

  25. Applying the Decision: Securing Directory Synchronization for Blue Yonder Airlines • MSDSS simplifies migration from NetWare 4.11 to Windows 2000 by ensuring that the same user credentials are used in both networks. • Blue Yonder Airlines will reduce the cost of migrating to Windows 2000 by ensuring that passwords are the same for user accounts in both network operating systems. • When migration is complete, users will continue to authenticate using the same user name and password that was used in the NetWare environment.

  26. Securely Synchronizing Multiple Directories • Microsoft Metadirectory Services (MMS) 2.2 allows integration of identity information from multiple directory services. • Use MMS to ensure that the organization has a single authoritative directory store. • MMS establishes a single directory by deploying a metadirectory.

  27. Metadirectory Merges Directory Information

  28. Management Agents • Maintain synchronization between the metadirectory and the source directories. • Import data into the metadirectory and export metadirectory data to the connected directory assigned to the management agent. • This process ensures that the directory service is synchronized with the metadirectory. • MMS provides management agents for several common directories: • Microsoft Windows NT • Novell NDS • cc:Mail • Banyan Vines • Lotus Notes

  29. Making the Decision: Synchronizing Multiple Directories • Merge multiple directories into a common directory. • Connect a directory to an MMS metadirectory. • Maintain which directory service is authoritative for a specific attribute.

  30. Applying the Decision: Synchronizing Multiple Directories for Blue Yonder Airlines • MSDSS allows password synchronization between NetWare NDS directories and Active Directory. • MMS provides greater flexibility in deciding how to delegate attribute control. • Blue Yonder Airlines might want to use MMS instead of MSDSS because MMS can delegate management of specific attributes.

  31. Common Strategies for Integrating UNIX and Windows 2000 Network Authentication • Using Active Directory as the Kerberos realm • Using Microsoft Windows 2000 Professional in an existing Kerberos realm • Creating a Kerberos inter-realm trust

  32. Kerberos Inter-Realm Trust

  33. Making the Decision: Designing Kerberos Interoperability • Determine what version of Kerberos is used in the UNIX network. • Identify any Kerberos realms that exist in the UNIX environment. • If UNIX clients authenticate with a Windows 2000 DC, define name mappings to associate a UNIX UID with an Active Directory user account.

  34. Applying the Decision: Designing Kerberos Interoperability for Blue Yonder Airlines • Establish a Kerberos inter-realm trust between the blueyonder.tld domain and the UNIX Kerberos realm. • Establish an inter-realm trust relationship to allow Active Directory user accounts to obtain Kerberos service tickets (STs) for access to the UNIX database server. • Establish a two-way trust relationship to allow UNIX user accounts to access Windows 2000 resources. • Define Kerberos name mapping that associates a UNIX UID with an Active Directory user account.

  35. Securing Access to Windows 2000 Resources • Securing Macintosh access to Windows 2000 resources • Securing NetWare access to Windows 2000 resources • Securing UNIX access to Windows 2000 resources

  36. Securing File Access: File Services for Macintosh Service • Provides user access to Macintosh clients • Macintosh clients connect to the Windows 2000–based server using one of the following: • AppleTalk Phase 2 protocol • Apple Filing Protocol (AFP) over TCP/IP, if AppleShare client version 3.7 or later is installed

  37. Securing File Access: Mac-Accessible Volume • A Mac-accessible volume is predefined at the Windows 2000 server. • This volume is an entry point to an NT File System (NTFS) volume on a Windows 2000–based server. • The Macintosh client can connect to the Mac-accessible volume by selecting the volume in the Macintosh Chooser. • Security is defined by the permissions set on the Mac-accessible volume and the NTFS permissions set on the folders and files. • The user's effective permissions for the Mac-accessible volume are defined by their Active Directory user account and primary group.

  38. Comparing Macintosh and Windows 2000 Permissions • NTFS Read permissions are translated to See Files and See Folders permissions for Macintosh clients. • NTFS Write and Delete permissions are translated to the Make Changes permission for Macintosh clients. • Macintosh permissions are assigned only to folders, and permissions cannot be assigned to multiple users and groups.

  39. Securing Print Access • AppleTalk provides no native mechanism for securing printer access in a Macintosh network. • Macintosh clients assume that security is not required for printer access and do not send user credentials when printing. • Print security implementation • Change the service account associated with the MacPrint service. • Restrict access to specific printers.

  40. Making the Decision: Securing Macintosh Access to Windows 2000 Resources • Allow Macintosh clients to access NTFS volumes. • Ensure the highest level of security for Macintosh users. • Restrict access to Mac-accessible volumes to authorized users.

  41. Applying the Decision: Securing Macintosh Access for Blue Yonder Airlines • BYDATA server • Install File Services for Macintosh to allow Marketing users to access stories and digital photos. • Establish a process to allow Microsoft clients to store the stories and digital photos. • Define permissions for the Mac-accessible volume to allow both Windows and Macintosh users to access the data. • Create a global group to contain all Macintosh users. • Designate this global group as the users' primary group in Active Directory Users And Computers.

  42. Applying the Decision: Securing Macintosh Access for Blue Yonder Airlines (Cont.) • AGFA film printer • Restrict access by creating a custom user account as the service account for the MacPrint service on the BYDATA server. • Assign only Print permissions to the custom user account.

  43. Securing NetWare Access to Windows 2000 Resources • FPNW allows a Windows 2000–based server to provide secure access to file and print resources to NetWare clients using NetWare Core Protocol (NCP). • FPNW emulates a NetWare 3.x server and allows NetWare clients to connect to Windows 2000 resources by using NetWare clients and utilities.

  44. Securing File Access • Provide file access to NetWare clients by defining Novell volumes in the Computer Management console. • Set permissions on the NetWare volume to restrict access to authorized users. • The most restrictive volume and NTFS permissions are the effective permissions for resources.

  45. Securing File Access (Cont.) • Defining NTFS permissions on folders and files within the NetWare volume also affects effective permissions. • The user account named FPNW Service Account must have Read permission for the directory that is the root of the NetWare volume. • Only NetWare-enabled accounts can access the NetWare volumes on the Windows 2000–based server.

  46. Securing Print Access • All shared printers hosted by the Windows 2000–based server running FPNW are accessible to both Windows and NetWare client computers. • NetWare clients use the share name defined for the printer as the queue name for the printer. • Assign Print permissions to groups that contain the NetWare-enabled user accounts to control printer access. • Define a default queue in FPNW that NetWare clients will connect to for printing.

  47. Making the Decision: Securing NetWare Access to Windows 2000 Resources • Allow NetWare clients to access NTFS volumes. • Restrict which user accounts can access NetWare volumes stored on a Windows 2000–based server. • Restrict access to printer resources.

  48. Applying the Decision: Securing NetWare Access at Blue Yonder Airlines • Install FPNW on the BYDATA server to allow NetWare clients at Consolidated Messenger to connect and access data. • Define a NetWare volume to contain the folders where NetWare-accessible data is stored. • Set NTFS and volume permissions that limit access to authorized users.

  49. Securing UNIX Access to Windows 2000 Resources • UNIX clients can use several methods to access resources stored in a Windows network. • Including NFS, WinSock, and SMB clients to access file resources on a Windows 2000–based server • Windows 2000 can support UNIX clients using Line Printer Remote (LPR) print commands to send print jobs to Windows 2000 printers. • Requires installing Print Services for UNIX

  50. Services for UNIX 2.0 Provides an NFS Server Service • Services for UNIX 2.0 allows a Windows 2000–based server to provide access to UNIX NFS clients. • The UNIX clients see the Windows 2000–based server as a native NFS server and connect using NFS protocols. • Access to the NFS data is determined using the discretionary access control lists (DACLs) defined for the NFS folders. • Services for UNIX uses the User Name Mapping console to map UNIX UIDs and GIDs to Windows 2000 user and group accounts.

More Related