构建安全策略与使用Active Directory实现身份管理

需积分: 8 161 浏览量更新于2024-08-01 收藏 2.81MB PDF 举报

《创建安全策略与利用Active Directory实施身份管理》(Syngress安全图书)是一本深度解析企业信息安全管理和治理的专业著作。该书第二版由John Carver和Miriam Carver共同编撰，他们在原有的畅销政策治理手册基础上，结合多年实践经验，使这一有效治理方法更加易懂且实用。书中核心是Carver的Policy Governance模型，该模型在全球范围内被广泛认可，并深远影响了组织的治理方式。本书共分为三个章节： 1. **构建人的因素**：这一章探讨了在保障安全的同时兼顾用户体验的方法。涉及的内容包括如何平衡安全性和可用性、外部网络访问管理、合作伙伴和供应商网络管理、保护敏感内部网络以及建立和维护组织意识。作者强调了政策制定时考虑人性因素的重要性，确保在政策实施过程中既保护企业免受威胁，又能提升员工工作效率。 2. **创建有效的公司安全政策**：这一部分详细阐述了建立良好安全政策的基础原则，如预防未来攻击、避免无效的“搁置政策”、理解和遵循当前政策标准。涵盖了从制定政策到实施和执行，再到定期审查的全过程，帮助读者理解并创建一套全面而实用的公司安全体系。 3. **规划和实施Active Directory基础设施**：对于身份管理和企业级目录服务，作者提供了深入的指导。包括制定全球目录服务器的战略部署方案、评估网络流量影响、启用通用组缓存的需求分析、设计和构建Forest和Domain结构、创建根域和子域，以及配置应用程序和服务等步骤。这部分着重于技术实践，确保Active Directory的有效集成和管理，从而支撑身份管理的实施。《Creating Security Policies and Implementing Identity Management with Active Directory》一书不仅提供了理论框架，还包含实际操作指南，对于IT管理者和董事会成员来说，是提升企业信息安全治理能力、优化身份管理流程的重要参考资源。无论是公共部门还是非营利组织，想要实现卓越治理，这本书都是不可或缺的实用工具。

Managing the Wildcards: SOCKS Proxying

The SOCKS protocol was developed by David Koblas and further extended by

Ying-Da Lee in an effort to provide a multiprotocol relay to permit better access

control for TCP services. While dynamic NAT could be used to permit internal

users to access an array of external services, there was no way to log accesses or

restrict certain protocols from use. HTTP and FTP proxies were common, but

there were few proxies available to address less common services such as telnet,

gopher, and finger.

The first commonly used SOCKS implementation was SOCKS version

4. This release supported most TCP services, but did not provide for any active

authentication; access control was handled based on source IP address, the ident

service, and a “user ID” field. This field could be used to provide additional

access rights for certain users, but no facility was provided for passwords.

SOCKS version 4 was a very simple protocol, only two methods were available

for managing connections: CONNECT and BIND. After verifying access rights

based on the used ID field, source IP address, destination IP address and/or

destination port, the CONNECT method would establish the outbound connection

to the external service. When a successful CONNECT had completed, the client

would issue a BIND statement to establish a return channel to complete the

circuit. Two separate TCP sessions were utilized, one between the internal client

and the SOCKS proxy, and a second between the SOCKS proxy and the external

host.

In March 1996, Ying-Da Lee and David Koblas as well as a collection of

researchers from companies including IBM, Unify, and Hewlett-Packard drafted

RFC 1928, describing SOCKS protocol version 5. This new version of the

protocol extended the original SOCKS protocol by providing support for UDP

services, strong authentication, and IPv6 addressing. In addition to the

CONNECT and BIND methods used in SOCKS version 4, SOCKS version 5

added a new method called UDP ASSOCIATE. This method used the TCP

connection between the client and SOCKS proxy to govern a UDP service relay.

This addition to the SOCKS protocol allowed the proxying of burgeoning

services such as streaming media.

Who, What, Where? The Case for Authentication and Logging

Although proxies were originally conceived and created in order to facilitate and

simplify outbound network access through firewall devices, by centralizing

outbound access they provided a way for administrators to see how their

bandwidth was being utilized. Some organizations even adopted billing systems

to distribute the cost of maintaining an Internet presence across their various

departments or other organizational units.

Although maintaining verbose logs can be a costly proposition in terms

of storage space and hidden administrative costs, the benefits far outweigh these

costs. Access logs have provided the necessary documentation for addressing all

sorts of security and personnel issues because they can provide a step-by-step

account of all external access, eliminating the need for costly forensic

investigations.

Damage & Defense…

The Advantages of Verbose Logging

ID_MANAGE_01.doc

In one example of the power of verbose logs, the Human Resources department

had contacted me in regard to a wrongful termination suit that had been brought

against my employer. The employee had been dismissed after it was discovered

that he had been posing as a company executive and distributing fake insider

information on a Web-based financial discussion forum. The individual had

brought a suit against the company; claiming that he was not responsible for the

posts and seeking lost pay and damages. At the time, our organization did not

require authentication for Web access, so we had to correlate the user’s IP

address with our logs.

My co-workers and I contacted the IT manager of the ex-employee’s

department, and located the PC that he had used during his employment. (This

was not by chance—corporate policy dictated that a dismissed employee’s PC be

decommissioned for at least 60 days). By correlating the MAC address of the PC

against the DHCP logs from the time of the Web-forum postings, we were able to

isolate the user’s IP address at the time of the postings. We ran a simple query

against our Web proxy logs from the time period and provided a detailed list of

the user’s accesses to Human Resources. When the ex-employee’s lawyer was

presented with the access logs, the suit was dropped immediately—not only had

the individual executed POST commands against the site in question with times

correlating almost exactly to the posts, but each request to the site had the user’s

forum login ID embedded within the URL.

In this instance, we were able to use asset-tracking documentation, DHCP

server logs, and HTTP proxy logs to associate an individual with specific

network activity. Had we instituted a proxy authentication scheme, there would

have been no need to track down the MAC address or DHCP logs, the

individual’s username would have been listed right in the access logs.

The sidebar example in this section, "The Advantages of Verbose

Logging," represents a reactive stance to network abuse. Carefully managed

logging provides extensive resources for reacting to events, but how can you

prevent this type of abuse before it happens? Even within an organization,

Internet access tends to have an anonymous feel to it, since so many people are

browsing the Web simultaneously, users are not concerned that their activity is

going to raise a red flag. Content filtering software can help somewhat, as when

the user encounters a filter she is reminded that access is subject to limitations,

and by association, monitoring. In my experience however, nothing provides a

more successful preventive measure than active authentication.

Active authentication describes an access control where a user must

actually enter her username and password in order to access a resource. Usually,

credentials are cached until a certain period of inactivity has passed, to prevent

users from having to re-enter their login information each time they try to make a

connection. Although this additional login has a certain nuisance quotient, the act

of entering personal information reminds the user that they are directly

responsible anything they do online. When a user is presented the login dialog,

the plain-brown-wrapper illusion of the Internet is immediately dispelled, and the

user will police her activity more acutely.

Handling Difficult Services

Occasionally, valid business justifications exist for greater outbound access than

is deemed acceptable for the general user base. Imagine you are the Internet

services coordinator for a major entertainment company. You are supporting

ID_MANAGE_01.doc

roughly 250,000 users and each of your primary network access points are

running a steady 25 Mbps during business hours. You have dozens of proxy

devices, mail gateways, firewalls and other Internet-enabled devices under your

immediate control. You manage all of the corporate content filters, you handle

spam patrol on your mail gateways, and no one can bring up a Web server until

you’ve approved the configuration and opened the firewall. If it comes from

outside the corporate network, it comes through you.

One sunny California morning, you step into your office and find an

urgent message in your inbox. Legal has become aware of rampant piracy of your

company’s products and intellectual property, and they want you to provide them

instructions on how to gain access to IRC (Internet Relay Chat), Kazaa, Gnutella,

and Usenet. Immediately.

Before you’ve even had the opportunity to begin spewing profanities and

randomly blocking IPs belonging to Legal, another urgent e-mail appears—the

CFO’s son is away at computer camp, and the CFO wants to use America

Online’s Instant Messenger (AIM) to chat with his kid. The system administrator

configured the application with the SOCKS proxy settings, but it won’t connect.

Welcome to the land of exceptions! Unless carefully managed, special

requests such as these can whittle away at carefully planned and implemented

security measures. In this section, I discuss some of the services that make up

these exceptions (instant messaging, external e-mail access points, and file-

sharing protocols) and provide suggestions on how to minimize their potential

impact on your organization.

Instant Messaging

I don’t need to tell you that instant messaging has exploded over the past few

years. You also needn’t be told that these chat programs can be a substantial

drain on productivity—you’ve probably seen it yourself. The effect of chat on an

employee’s attention span is so negative that many organizations have instituted

a ban on their use. So how do we as Internet administrators manage the use of

chat services?

Despite repeated attempts by the various instant-messaging vendors to

agree upon a standard open protocol for chat services, each vendor still uses its

own protocol for linking the client up to the network. Yahoo’s instant messenger

application communicates over TCP/5050, America Online’s implementation

connects on TCP/5190. So blocking these services should be fairly basic: Simply

implement filters on your SOCKS proxy servers to deny outbound connections to

TCP/5050 or 5190, right? Wrong!

Instant messaging is a business, and the vendors want as many as users

as they can get their hands on. Users of instant-messaging applications range

from teenagers to grandparents, and the software vendors want their product to

work without the user having to obtain special permission from the likes of you.

So they’ve begun equipping their applications with intelligent firewall traversal

techniques.

Try blocking TCP/5050 out of your network and loading up Yahoo’s

instant messenger. The connection process will take a minute or more, but it will

likely succeed. With absolutely no prompting from the user, the application

realized that it was unable to communicate on TCP/5050 and tried to connect to

the service on a port other than TCP/5050—in my most recent test case, the

fallback port was TCP/23—the reserved port for telnet, and it was successful.

ID_MANAGE_01.doc

When next I opened Yahoo, the application once again used the telnet port and

connected quickly. Blocking outbound telnet resulted in Yahoo’s connecting over

TCP/80, the HTTP service port, again without any user input. The application

makes use of the local Internet settings, so the user doesn’t even need to enter

proxy information.

Recently, more instant messaging providers have been adding new

functionality, further increasing the risks imposed by their software. Instant

messaging–based file transfer has provided another potential ingress point for

malicious code, and vulnerabilities discovered in popular chat engines such as

America Online’s application have left internal users exposed to possible system

compromise when they are using certain versions of the chat client.

External E-Mail Access Points

Many organizations have statements in their “Acceptable Use Policy” that forbid

or limit personal e-mails on company computing equipment, and often extend to

permit company-appointed individuals to read employee e-mail without

obtaining user consent. These policies have been integral in the advent of

external e-mail access points, such as those offered by Hotmail, Yahoo, and other

Web portals. The number of portals offering free e-mail access is almost too

numerous to count; individuals will now implement free e-mail accounts for any

number of reasons, for example Anime Nation (www.animenation.net) offers

free e-mail on any of 70 domains for fans of various anime productions. Like

instant messaging, they are a common source of wasted productivity.

The security issues with external e-mail access points are plain. They can

provide an additional entry point for hostile code. They are commonly used for

disseminating information anonymously, which can incur more subtle security

risks for data such as intellectual property, or far worse, financial information.

Some of these risks are easily mitigated at the desktop. Much effort has

gone into developing browser security in recent years. As Microsoft’s Internet

Explorer became the de facto standard, multiple exploits were introduced taking

advantage of Microsoft’s Visual Basic for Applications scripting language, and

the limited security features present in early versions of Internet Explorer.

Eventually, Microsoft began offering content signatures, such as Authenticode, to

give administrators a way to take the decision away from the user. Browsers

could be deployed with security features locked in, applying rudimentary policies

to what a user could and could not download and install from a Web site.

Combined with a corporate gateway HTTP virus scanner, these changes have

gone a long way towards reducing the risk of hostile code entering through e-

mail access points.

File-Sharing Protocols

Napster, Kazaa, Morpheus, Gnutella, iMesh—the list goes on and on. each time

one file-sharing service is brought down by legal action, three others pop up and

begin to grow in popularity. Some of these services can function purely over

HTTP, proxies and all, whereas others require unfettered network access or a

SOCKS proxy device to link up to their network. The legal issues of distributing

and storing copyrighted content aside, most organizations see these peer-to-peer

networks as a detriment to productivity and have implemented policies restricting

or forbidding their use.

ID_MANAGE_01.doc

launch attacks against users of these file-sharing networks who are suspected of

making protected content available publicly, without threat of legal action. The

bill, the P2P Piracy Prevention Act (H.R. 5211), introduced by Howard Berman,

D-California (www.house.gov/berman), would exempt copyright holders and the

organizations that represent them from prosecution if they were to disable or

otherwise impair a peer-to-peer network. The only way to undermine a true peer-

to-peer network is to disrupt the peers themselves—even if they happen to be

living on your corporate network.

Although the earliest popular file-sharing applications limited the types

of files they would carry, newer systems make no such distinction, and permit

sharing of any file, including hostile code. The Kournikova virus reminded

system administrators how social engineering can impact corporate security, but

who can guess what form the next serious security outbreak would take?

Solving The Problem

Unfortunately, there is no silver bullet to eliminate the risks posed by the services

described in the preceding section. Virus scanners, both server- and client-level,

and an effective signature update scheme goes a long way towards minimizing

the introduction of malicious code, but anti-virus software protects only against

known threats, and even then only when the code is either self-propagating or so

commonly deployed that customers have demanded detection for it. I have been

present on conference calls where virus scanner product managers were

providing reasons why Trojans, if not self-propagating, are not “viruses” and are

therefore outside the realm of virus defense.

As more and more of these applications become proxy-aware, and

developers harness local networking libraries to afford themselves the same

preconfigured network access available to installed browser services, it should

become clear to administrators that the reactive techniques provided by anti-virus

software are ineffective. To fully protect the enterprise, these threats must be

stopped before they can enter. This means stopping them at the various external

access points.

Content filters are now a necessity for corporate computing

environments. Although many complaints have been lodged against filter

vendors over the years (for failing to disclose filter lists, or over-aggressive

filtering), the benefits of outsourcing your content filtering efforts far outweigh

the potential failings of an in-house system. One need only look at the

proliferation of Web-mail providers to recognize that managing filter lists is a

monumental task. Although early filtering devices incurred a substantial

performance hit from the burden of comparing URLs to the massive databases of

inappropriate content, most commercial proxy vendors have now established

partnerships with content filtering firms to minimize the performance impact.

Quite frequently in a large organization, one or more departments will

request exception from content filtering, for business reasons. Legal departments,

Human Resources, Information Technology, and even Research and

Development groups can often have legitimate reasons for accessing content that

filters block. If this is the case in your organization, configure these users for an

alternate, unfiltered proxy that uses authentication. Many proxies are available

today that can integrate into established authentication schemes, and as described

in the “Who, What, Where? The Case for Authentication and Logging” section

ID_MANAGE_01.doc

剩余234页未读，继续阅读

sunxianbin

粉丝: 9
资源: 83

构建安全策略与使用Active Directory实现身份管理

"Windows企业网络的构建与管理：VPN、活动目录、网络安全

"CSA云安全控制矩阵CCM3.01控制措施更新规范及应用

"云安全控制矩阵CCM_v3.0中英文版控制规范更新与应用

LDAP Metadirectory Provisioning Methodology: A Step by Step Method to Implementing LDAP Based Metadirectory Provisioning & Identity Management Systems

Implementing program management Templates and forms aligned with PgMP

Designing And Implementing Linux Firewalls With QoS

Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (70-294)

Microsoft.SharePoint.2010：Creating.and.Implementing.Real-World.Projects(2012.3)

Exam 70–305: Developing and Implementing Web Applications with Microsoft Visual Basic .NET 习题集

Implementing Active Script Site with ATL用ATL实现Active scri

最新资源