Authenticating iOS devices to join the Active Directory Domain - Essay Example

Summary
The paper "Authenticating iOS devices to join the Active Directory Domain" seeks to establish a network that provides all the desirable aforementioned features using a server-client model. The project suggests the use of Microsoft Active Directory to identify users and resources on the network…

Authenticating iOS devices to join the Active Directory Domain

Ahmed Almalki

Contents
1.0 Introduction
2.0 Lightweight Directory Access Protocol (LDAP)
2.1 LDAP background information
2.2 Understanding the LDIF file format
2.3 LDAP utility (ldp.exe)
2.4 Issues without LDAP
3.0 Microsoft Active Directory as an LDAP implementation
3.1 Active Directory fundamentals
3.2 Users and groups
3.3 Active Directory security (authentication)
3.3.1 Permissions and auditing
3.3.2 Advanced authentication
4.0 Wireless security
4.1 Understanding 802.1X to secure connections
4.2 802.1X versus 802.11
Works cited

1.0 Introduction
Network environments are characterized by heavy traffic from users seeking to accomplish different objectives, such as requests for access to shared or personal files or to a network printer. These requests are numerous and often simultaneous, so the network must be fast and robust enough to sustain its functions. Some users, however, will try to access other users' personal files, corrupt shared files or deny other users access to printers, which forces us to think carefully about network integrity. Contemporary society cannot keep using a centralized service delivery model in which people crowd around one terminal to receive services. The rigor of maintaining wired systems, coupled with the challenge of providing convenient access to services, renders such networks inefficient and thus undesirable. Fortunately, technology offers tools with which we can build networks that deliver services to users with a convenience wired systems cannot match, while retaining their security.
With wireless connection technologies (Wi-Fi), users can reach personal files, public folders and printers on their school, hospital or office networks from wherever they are, at any time. A system offering this functionality clearly requires far more than a device capable of wireless access to network resources. This project seeks to establish a network that provides all the features above using a server-client model. Since the client can be any iOS device with networking capability, all of which are available on the market, the emphasis is on building the server side. The project proposes Microsoft Active Directory to identify users and resources on the network, together with the closely related Lightweight Directory Access Protocol (LDAP), whose security and access features the directory exposes. Because the network requires wireless access, this paper also describes how such connections can be secured to assure integrity; 802.1X is the preferred mechanism. The objectives are, first, to let iOS users securely access resources on their institution's or workplace's network from any point inside or outside the premises and, second, to cut the cost of wiring buildings with network cable. As a result, access to services becomes both convenient and comfortable.

2.0 Lightweight Directory Access Protocol (LDAP)
LDAP is a directory service protocol that runs on top of the TCP/IP stack. It defines how a client connects to, searches and modifies Internet directories; its main purpose is to provide access to an existing directory.

2.1 Background information
LDAP is an open network protocol standard created to provide access to distributed directories so that information can be retrieved or modified (Thompson).
The stored information lives in a directory information tree (DIT) and may describe users, printers, applications, files or other network resources. LDAP itself does not define an application programming interface (API) for reaching these resources; it specifies the protocol on which distributed directory access is built. Directories differ from databases in several ways and therefore need different means of access. Databases handle updates and transactions reliably, whereas directories are optimized for read access; in distributed environments they struggle with updates arriving from several users at different points of the network. The need to query directories, Thompson explains, arose during the development of X.500 and its Directory Access Protocol (DAP). X.500 allowed directory entries to be defined in a hierarchical namespace held in a DIT, and DAP, built on the Open Systems Interconnection (OSI) stack, was used to search it (Thompson). To improve on these access methods, LDAP was designed as a simple yet highly functional protocol for directory access and manipulation, and it has since been adopted in various APIs. It is a standard developed by the Internet Engineering Task Force (IETF) and has been implemented by Microsoft, IBM, Netscape and the University of Michigan, among others. LDAP is described by four models (Thompson):
- Information model: describes the structure of the information in the directory information tree and provides the standards for building enterprise-level directories.
- Naming model: describes how information is organized and referenced in the DIT.
- Functional model: defines the operations that can be performed on the stored information.
- Security model: describes how the information in the DIT is protected, so that mechanisms for secure access can be built.
2.2 Understanding the LDIF file format
LDIF is the LDAP Data Interchange Format. It is an Internet standard that describes a text file format (illustrated in the original by a diagram) so that batch export and import operations can be carried out on LDAP-conformant directories (Thompson). Entries are supplied in a file as records, each beginning with a dn line and separated from the next by an empty line (Qadeer et al.). A record is either a new entry for the directory or a set of modifications to an existing one. A command-line utility, LDIF Directory Exchange (LDIFDE), uses the format for administrative tasks such as adding, deleting, renaming and modifying directory objects. On Windows 2000 Server the utility is available by running LDIFDE from the command prompt, whereas Windows 2000 Professional requires ldifde.exe to be installed first (Thompson).

2.3 LDAP utility (ldp.exe)
ldp.exe is a graphical tool for performing LDAP operations against LDAP-conformant directories such as Active Directory; connect, bind, search, modify and delete can all be carried out from it (Thompson). It ships in the Windows 2000 Server Resource Kit, and Active Directory administrators also use it for troubleshooting because it shows objects together with their metadata.

Authentication APIs
Authentication in LDAP takes place whenever a client connects to a directory system agent (DSA), the machine that hosts the directory and thus acts as the LDAP server, in order to access information. Three basic functions of the Windows LDAP API are studied: ldap_open(), ldap_bind_s() and ldap_unbind_s(). ldap_open() creates, initializes and opens a connection to an LDAP server.
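The LDIF import of section 2.2 and the bind, add and unbind operations of the LDAP API, as an added example that is not part of the paper and not Microsoft's code: a small LDIF parser (continuation lines, base64 values, blank-line record separation) and a hand-rolled BER encoder that produces the LDAP messages an import tool such as ldifde sends for each record. The sample LDIF record, the bind DN and the password are constructed for the example; a real client would call the Windows LDAP API or a library rather than encode BER by hand.

```python
import base64

# Constructed sample LDIF (not from the paper): one student account for the wireless pilot.
SAMPLE_LDIF = """\
version: 1
# comment lines are ignored
dn: CN=Jane Doe,OU=Students,DC=example,DC=edu
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
description: Student account for the
  wireless pilot
info:: U2VjdXJlIHdpcmVsZXNzIGFjY2Vzcw==
"""


def unfold(text):
    """Drop comments and join continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849: exactly one leading space is removed
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [(dn, [(attribute, value), ...]), ...]; records are separated by blank lines."""
    records, dn, attrs = [], None, []
    for line in unfold(text) + [""]:      # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):          # "attr:: <base64>" for binary or non-ASCII values
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if name.lower() == "dn":
            if dn is not None or attrs:
                raise ValueError("dn must be the first line of a record")
            dn = value
        elif name.lower() == "changetype":
            if value.lower() != "add":    # modify/delete/modrdn records are out of scope here
                raise NotImplementedError("only 'changetype: add' records are supported")
        else:
            attrs.append((name, value))
    return records


# Minimal BER encoding for the LDAP operations (RFC 4511) an import client sends.
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(i):                           # non-negative INTEGER
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def ber_str(s):                           # OCTET STRING (LDAPDN, AttributeValue, ...)
    return tlv(0x04, s.encode("utf-8"))


def ldap_message(msg_id, op):             # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return tlv(0x30, ber_int(msg_id) + op)


def bind_request(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, authentication simple [0].
    # The password is a plain OCTET STRING: without TLS it crosses the wire readable.
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + ber_str(dn) + tlv(0x80, password.encode("utf-8"))))


def add_request(msg_id, dn, attrs):
    # AddRequest [APPLICATION 8]: entry DN plus SEQUENCE OF { type, SET OF values }.
    grouped = {}
    for name, value in attrs:
        grouped.setdefault(name, []).append(value)
    attr_list = b"".join(
        tlv(0x30, ber_str(name) + tlv(0x31, b"".join(ber_str(v) for v in values)))
        for name, values in grouped.items())
    return ldap_message(msg_id, tlv(0x68, ber_str(dn) + tlv(0x30, attr_list)))


def unbind_request(msg_id):
    return ldap_message(msg_id, b"\x42\x00")   # UnbindRequest [APPLICATION 2] NULL


def import_session(ldif_text, bind_dn, password):
    """The message sequence an LDIF import produces: bind, one AddRequest per record, unbind."""
    messages = [bind_request(1, bind_dn, password)]
    for msg_id, (dn, attrs) in enumerate(parse_ldif(ldif_text), start=2):
        messages.append(add_request(msg_id, dn, attrs))
    messages.append(unbind_request(len(messages) + 1))
    return messages


if __name__ == "__main__":
    for msg in import_session(SAMPLE_LDIF, "CN=svc-import,OU=Service,DC=example,DC=edu", "Passw0rd!"):
        print(msg.hex())
```

The anonymous bind encodes to the familiar 14 bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, a handy reference when reading ldp.exe or packet traces. The more important observation is the simple bind: the password sits in the message as a plain OCTET STRING, so a simple bind on port 389 without StartTLS is readable to anyone on the path. Against Active Directory use LDAPS (port 636) or the negotiate (Kerberos/NTLM) bind instead.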
On success ldap_open() returns a session handle, a pointer to an LDAP structure; otherwise it returns a null pointer. ldap_bind_s() authenticates the client to the LDAP server before other operations are attempted; being synchronous, it returns LDAP_SUCCESS or an error code (the asynchronous ldap_bind() returns the message ID of the operation instead). It takes the session handle, the distinguished name to bind as, the credentials and the authentication method. With the simple method the password is sent in clear text, so it should only be used over an LDAPS or StartTLS-protected session; the alternative on Windows is the negotiate method, which authenticates with Kerberos or NTLM. ldap_unbind_s() terminates the connection and frees all resources assigned to the session; it takes a single parameter, the session handle, and returns a success value or an error code.

Interrogation APIs
Interrogation functions query the directory for information. ldap_search_s() searches the directory and returns the entries and attributes matching the request; it returns LDAP_SUCCESS or an error code, whereas the asynchronous ldap_search() returns the message ID of the search or -1 on failure. ldap_compare_s() determines whether an attribute of a given entry holds a known value.

Update APIs
Update functions modify the information stored in the DIT: users can create new entries and modify or delete existing ones. ldap_add_s() adds an entry to the DIT. ldap_modify_s() changes an existing entry, adding, deleting or replacing its attributes. ldap_modrdn_s() changes the relative distinguished name of an entry. ldap_delete_s() removes a leaf entry from the DIT.

2.4 Issues without LDAP
Salim, Akhtar and Qadeer explain that services without LDAP authentication face a number of challenges.
First, the service carries the extra workload of authenticating users on top of delivering its actual service, and when traffic is heavy (many simultaneous requests) its performance suffers. Second, a directory centralizes accounts and access policy in one well-managed place; a service that keeps its own user store ends up with duplicated credentials and inconsistent policy, and is consequently less secure.

3.0 Microsoft Active Directory as an LDAP implementation
3.1 Active Directory (AD) fundamentals
The evolution of Microsoft's Windows NT network operating system brought Active Directory, a directory service that uses LDAP and draws on the X.500 standards. Although AD shares concepts with those standards, it differs greatly in functionality, features and scalability, and it is a natural LDAP implementation for this project. The Windows NT primary and backup domain controllers have been replaced by Active Directory domain controllers (Desmond et al. 4).

Object storage and identification in AD
Data in AD is organized hierarchically, much like a file system. Entries, called objects, come in two kinds: containers and non-containers (leaf nodes). Containers branch into further containers or leaf nodes; non-containers do not branch further. With objects stored in large numbers, each must be uniquely identifiable. AD assigns every object a globally unique identifier (GUID) on creation, which distinguishes it from all others (Desmond et al. 17-18). GUIDs are stable but hard to remember, so an alternative is also used: the distinguished name (DN), the hierarchical path to the object within AD, generated according to the LDAP naming standard. The DN changes if the object is renamed or moved; the GUID does not.

Domains and domain trees
A domain consists of four components:
- a hierarchical structure of objects and containers that follows the X.500 standards;
- a domain name that uniquely identifies the domain;
- a security service that authenticates access requests;
- policies that dictate functionality within the domain.
A domain tree comprises a root domain and the sub-domains branching from it. A domain controller hosts exactly one domain. Trees ease access to and management of resources in AD (Kadlec, Jaros and Kuchta).

Forests
A forest comprises one or more domain trees connected by transitive trust (Desmond et al. 22). The forest is the security boundary: business units that must be isolated from one another but still need some connection are placed in separate forests, with trusts between the forests providing that connection.

3.2 Users and groups
Security in AD requires that users of network resources be known to the directory before they are allowed to access anything, so accounts must be created for them. When creating a user on a Windows NT or 2000 server it is important to set the mandatory attributes, as they define how the user operates within the Active Directory domain. AD allows both simple and full-featured user accounts. Utilities such as the Windows 2000 Resource Kit's Addusers help create users, but one can also write command-line utilities or web-based interfaces that add users to AD. Once created, accounts can be administered: modified, unlocked or given a new password (Desmond et al. 578). Like users, groups can be created in the Active Directory domain. Groups matter for allocating resources and permissions: users with similar characteristics are grouped and granted access to resources collectively, so management actions can be applied to them all at once.
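Distinguished names and GUIDs from section 3.1, and the user lookup behind the account management of section 3.2, as an added example (not code from the paper or from Active Directory): RFC 4514 escaping when composing a DN from a common name and OU path, RFC 4515 escaping when building a search filter from user-supplied input, and a toy object whose DN changes when it is moved while its GUID stays fixed. The OU names, domain and account names are assumptions of the example.

```python
import uuid

# RFC 4514 section 2.4: characters that must be escaped inside an RDN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn, ou_path, dns_domain):
    """DN of a leaf object; ou_path is given top-down, e.g. ["Students", "Wireless"]."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns += ["DC=" + escape_rdn_value(label) for label in dns_domain.split(".")]
    return ",".join(rdns)


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter; blocks filter injection."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(sam_account_name):
    """Filter that finds exactly the user with this logon name, whatever the name contains."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


class DirectoryObject:
    """Toy object: the GUID is fixed at creation, the DN follows the object's current location."""

    def __init__(self, cn, ou_path, dns_domain):
        self.guid = uuid.uuid4()          # AD assigns objectGUID once; it survives rename and move
        self.cn, self.ou_path, self.domain = cn, list(ou_path), dns_domain

    @property
    def dn(self):
        return build_dn(self.cn, self.ou_path, self.domain)

    def move(self, new_ou_path):
        self.ou_path = list(new_ou_path)  # the DN changes, the GUID does not


def demo_move():
    """Return ((dn, guid) before, (dn, guid) after) for an object moved between OUs."""
    obj = DirectoryObject("Doe, Jane", ["Students", "Wireless"], "example.edu")
    before = (obj.dn, obj.guid)
    obj.move(["Alumni"])
    return before, (obj.dn, obj.guid)


if __name__ == "__main__":
    print(build_dn("Jane Doe", ["Students", "Wireless"], "example.edu"))
    print(user_filter("*)(sAMAccountName=*"))
    print(demo_move())
```

Without escape_filter_value, a logon name such as *)(sAMAccountName=* turns the lookup into a filter that matches every user, the LDAP equivalent of SQL injection; the same care applies to DN composition whenever a display name contains a comma or begins with #. The move demo is why code that needs a durable reference to an object stores objectGUID rather than the DN.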
AD provides specific methods for creating groups, adding and removing members and checking membership (Desmond et al. 583).

3.3 Active Directory security (authentication)
3.3.1 Permissions and auditing
Permissions in Active Directory are defined with the same model as NTFS file systems: security descriptors (SDs), access control lists (ACLs) and access control entries (ACEs). Desmond gives a detailed look at the four main interfaces used to manipulate and iterate over the permission and audit entries of objects (Desmond et al. 587-618):
- IADsAccessControlEntry
- IADsAccessControlList
- IADsSecurityDescriptor
- IADsSecurityUtility

3.3.2 Advanced authentication
Kadlec, Jaros and Kuchta proposed an authentication method that relies on five factors to fully authenticate a user:
- something you know: a password or PIN;
- something you have: a token or smart card (two-factor authentication);
- something you are: a biometric such as a fingerprint (three-factor authentication);
- where you are: position information (four-factor authentication);
- when you are: time information (five-factor authentication).
Based on these criteria, their method was built on Windows Vista's Credential Security Support Provider (CredSSP). CredSSP allows user logon credentials to be sent from the client to the target server, subject to client policies. In Windows Vista, credential providers present the logon user interface in which the user supplies credentials; the providers enforce no security of their own but only gather and serialize the credentials and pass them on for authentication. Authentication is then performed against user accounts created within the Active Directory domain, and iOS devices connect to the configured LDAP servers.
On iOS, the account settings let the user enter the LDAP server's address and account details; once the servers are set up and running, the device connects and the user can reach resources (Gracion Software).

4.0 Wireless security
4.1 Understanding 802.1X to secure connections
802.1X is an IEEE standard, adopted by Microsoft and the wider industry, for port-based network access control; it carries the Extensible Authentication Protocol (EAP) over the LAN and thereby provides port authentication for 802.11 WLANs (Brawn, Koan and Caye). 802.1X alone does not satisfy the authentication requirements of 802.11 WLANs, so it relies on an EAP method such as PEAP, TTLS, TLS, token cards, one-time passwords or certificate-based authentication; the specification does not bind one to any particular method. The components of an 802.1X deployment on a Wi-Fi network are the supplicant (the client), the authenticator (the access point) and the authentication server (usually RADIUS). The supplicant and the authentication server never talk directly; the authenticator relays between them, fetching information from the client and presenting it to the RADIUS server and vice versa. The server verifies that the client is authentic before the client is allowed to reach any service. Because all authorization decisions are made at the RADIUS server, the authenticator need be neither powerful nor intelligent, which suits Wi-Fi networks whose access points act simply as pass-throughs between clients and servers. A RADIUS server can also validate credentials against Active Directory, commonly over LDAP (Brawn, Koan and Caye). Brawn, Koan and Caye provide reliable documentation on configuring workstations for 802.1X.
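The three-party exchange described above, as an added example not taken from Brawn, Koan and Caye or any vendor: the supplicant answers an EAP identity request, the authenticator relays it to the RADIUS server in an Access-Request carrying the EAP-Message and Message-Authenticator attributes of RFC 3579, the server replies with an Access-Accept or Access-Reject wrapping EAP-Success or EAP-Failure, and the authenticator checks the Response Authenticator before opening the port. The DIRECTORY set, the shared secrets and the acceptance rule (a known identity is enough here; a real server continues with PEAP or EAP-TLS and checks the credentials against Active Directory) are assumptions of the example, and EAPOL framing on the wireless side is omitted.

```python
import hashlib
import hmac
import os
import struct

# EAP (RFC 3748) and RADIUS (RFC 2865, RFC 3579) constants
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

# Constructed stand-in for the accounts a RADIUS server would look up in Active Directory.
DIRECTORY = {"jdoe@example.edu", "asmith@example.edu"}


def eap_packet(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""         # Success/Failure carry no type or data


def radius_attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt):
    attrs, i = [], 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("bad RADIUS attribute length")
        attrs.append((t, pkt[i + 2:i + length]))
        i += length
    return attrs


def sign_attrs(code, ident, request_authenticator, attrs, secret):
    # RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed);
    # mandatory whenever EAP-Message is present, in requests and replies alike.
    zeroed = attrs + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, radius_packet(code, ident, request_authenticator, zeroed), hashlib.md5).digest()
    return attrs + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(pkt, request_authenticator, secret):
    attrs = parse_attrs(pkt)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(radius_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, pkt[:4] + request_authenticator + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def authenticator_access_request(ident, eap_response, secret):
    """The access point wraps the supplicant's EAP-Response in a RADIUS Access-Request."""
    request_authenticator = os.urandom(16)
    identity = parse_eap(eap_response)[3]
    attrs = radius_attr(ATTR_USER_NAME, identity) + radius_attr(ATTR_EAP_MESSAGE, eap_response)
    attrs = sign_attrs(ACCESS_REQUEST, ident, request_authenticator, attrs, secret)
    return radius_packet(ACCESS_REQUEST, ident, request_authenticator, attrs)


def radius_server(request, secret):
    """Verify the request, look the identity up, reply with EAP-Success or EAP-Failure."""
    ident, request_authenticator = request[1], request[4:20]
    if not verify_message_authenticator(request, request_authenticator, secret):
        return None                        # RFC 3579: silently discard
    code, eap_id, eap_type, data = parse_eap(dict(parse_attrs(request))[ATTR_EAP_MESSAGE])
    # A real server now runs an EAP method (PEAP, EAP-TLS) over further rounds and checks the
    # credentials against AD; this toy accepts a known identity alone to keep one round trip.
    accepted = code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and data.decode() in DIRECTORY
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    eap = eap_packet(EAP_SUCCESS if accepted else EAP_FAILURE, (eap_id + 1) & 0xFF)
    attrs = sign_attrs(reply_code, ident, request_authenticator, radius_attr(ATTR_EAP_MESSAGE, eap), secret)
    head = struct.pack("!BBH", reply_code, ident, 20 + len(attrs))
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def run_exchange(identity, ap_secret, server_secret):
    """Supplicant -> authenticator -> RADIUS server and back. Returns (port_opened, reason)."""
    request = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)             # AP asks "who are you?"
    eap_id = parse_eap(request)[1]
    response = eap_packet(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity.encode())
    access_request = authenticator_access_request(7, response, ap_secret)
    reply = radius_server(access_request, server_secret)
    if reply is None:
        return False, "server discarded the request (Message-Authenticator mismatch)"
    request_authenticator = access_request[4:20]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + ap_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]) or not verify_message_authenticator(
            reply, request_authenticator, ap_secret):
        return False, "reply failed authentication"
    result = parse_eap(dict(parse_attrs(reply))[ATTR_EAP_MESSAGE])[0]    # relayed to the supplicant
    return result == EAP_SUCCESS, "EAP-Success" if result == EAP_SUCCESS else "EAP-Failure"


if __name__ == "__main__":
    print(run_exchange("jdoe@example.edu", b"radius-shared-secret", b"radius-shared-secret"))
```

Two practitioner points fall out of the code: the RADIUS shared secret is what binds access point and server, and a mismatch makes the server drop the request without any reply; and the outer EAP identity crosses the air unencrypted, which is why PEAP and EAP-TTLS deployments send an anonymous outer identity and carry the real credentials inside the TLS tunnel.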
Brawn, Koan and Caye outline the procedure for Windows XP, Windows 2000 and Windows ME workstations.

4.2 802.1X versus 802.11
802.11 is the earlier standard for wireless connections; its original security consists of two predefined authentication types (open system and shared key) and one encryption protocol, WEP (Craiger). WEP, SSID hiding and MAC address filtering are the security mechanisms it offers, and the biggest problem with the standard is that these mechanisms are badly flawed, leaving connections insecure. 802.1X is an IEEE standard accepted as the remedy for these weaknesses. Unlike 802.11, which specifies its own authentication and encryption, 802.1X only provides the framework for securing the connection and leaves the choice of authentication method open, so the risks of the flawed 802.11 mechanisms are avoided. 802.1X authenticates users centrally, which makes the resulting network scalable and access easy to control (Craiger).

Works Cited
Brawn, Steven K., R. Mark Koan, and Kelly Caye. "Staying secure in an insecure world: 802.1x secure wireless computer connectivity for students, faculty, and staff to the campus network." Proceedings. Print.
Craiger, Philip. 802.11, 802.1x, and Wireless Security. SANS Institute, 23 Jun. 2002. Print.
Desmond, Brian, et al. Active Directory. Safari Books Online. O'Reilly Media, 2009. Print.
Kadlec, Jaros, and Kuchta. "Implementation of an Advanced Authentication Method within Microsoft Active Directory Network Services." 2010 6th International Conference on Wireless and Mobile Communications (ICWMC), 2010, pp. 453-456. Print.
Salim, Akhtar, and Qadeer. "Data Retrieval and Security Using Lightweight Directory Access Protocol." 2009 Second International Workshop on Knowledge Discovery and Data Mining (WKDD), 2009, pp. 685-688. Print.
Qadeer, Mohammed, et al.
"Profile Management and Authentication using LDAP." 2009 International Conference on Computer Engineering and Technology. Zakir Hussain College of Engineering & Technology. Print.
Thompson, Dan. "Understanding LDAP." Microsoft Corporation, 2000. Print.
"What is LDAP." Gracion Software. N.p., n.d. Web. 30 Nov. 2014.
Source: https://studentshare.org/information-technology/1685619-authenticating-ios-devices-to-join-the-active-directory-domain
