Wednesday, February 22, 2006

Security: How To Part 3

Now that we have configured the external and perimeter networks, most people would say they are done. I say we are just getting started. In this article, we will look at setting up a VLAN structure at a main site. We will look at why we would create VLANs and how they can be a major part of our security policy.

Before we start going into VLANs, let's take a trip back in time and look at the original networks. We would have flat networks covering entire buildings, servers and workstations alike. There would be so many nodes within a segment that broadcast storms would commonly occur. The need to segment the flat network, to break up the broadcast domain, was eventually solved with the creation of Virtual Local Area Networks (VLANs). This allowed a router to create them and each port on a switch to be assigned a different VLAN. This was a quick high-level overview of the creation of VLANs.

VLANs are created either on a router or a layer 3 switch. VLANs are trunked to other switches using IEEE 802.1Q tagging. They are configured like any other layer 3 interface. These days they are commonly configured on a layer 3 core switch. This covers what they are and how they are created.

Let's look at why. We briefly touched on it: to break up broadcast domains. You would also do it to separate servers from workstations, to group together users who need access to common resources, to separate services like VoIP or teleconferencing, etc.

Design and implementation can vary from extremely easy to extremely complex; it all depends on your security requirements and your budget. But some common design concepts I try to work with are:

Do not use VLAN 1 for anything. If a hacker is good, he will use this common knowledge to attack your switched network. Use another VLAN for management, and only for management.

Put all servers with services requiring Internet connectivity in the same VLAN. You could place your Internet connection in this VLAN or give the Internet connection its own VLAN. But segregate the Internet-based servers from your regular data servers. This would be e-mail, IM, web, databases for web resources, CMS, and proxy servers. This is helpful if a worm does breach your network: you can shut this VLAN down to help stop the spread of infection.

Then, obviously, place production servers that do not require Internet services in their own VLAN.

Group users together by function. What I mean is: if you have employees who access the same resources but don't need access to other resources, group them together. This way we can apply VACLs to increase security. You will find that many departments will have the same requirements.

Now that your VLAN policy is well established, you can start planning your VACLs. Do not place them on your server VLANs; you will want to place them on your user VLANs. My only suggestion here is to carefully plan, test, and document everything. Also, don't go crazy with them; use the KISS method. You can lock resources down using other methods. Cisco has some information for you to look at.

Well it’s been a while!

Sorry I haven't posted in a while; I have been looking for work, either contract or, at this point, W-2. In the last few weeks the IT market has dried up real bad, so I have expanded the distance I am willing to go for work. About two weeks ago I got a call from a recruiter (headhunter) asking me if I would be interested in a full-time position in the city (NYC). So after a few interviews it is looking good. I am waiting for an offer and will see where it leads.

In other news, I finished my recertification of CCNP and CCDP. I have taken one of the two required exams to upgrade to MCSE 2003 as well. I got a call from this national body shop, I mean temporary employment agency, and was asked if I wanted to do a one-week install of Cisco Secure ACS; sure, why not. Well, after doing the entire meet and greet and starting to get down to the nitty-gritty, well, this new network setup is not completed. They have not decided what to do about VLANs. So for two days they are asking me what we should do. Answer: well, group users by function. Meaning if you have a group of users that need access to servers A, B, and C but not D, then group them together so you can put VACLs in place to help secure the network. Then they were trying to pump me for information on that as well.

So I install the ACS and machine authentication was working fine, but then they wanted to work with user authentication. I knew this was going to be a headache; I knew there was a reason we did not implement this at the hospital. So after headbanging and attitudes from the client, it was figured out.

The client needs to be Windows XP SP2, and they were only at SP1. The PEAP settings need to be set, and thanks to Bill Gates and Microsoft there is no easy way to do it for a WIRED 802.1x device. I think Bill and crew need to fix that for SP3. Then, since they want to do user authentication, you need to tweak Windows. Windows does not send an EAP-Logoff request by default, so you need to go to HKLM\Software\Microsoft\EAPOL\Parameters\General\Global and create a DWORD AuthMode and set it to 1. Then create a second DWORD SupplicantMode and set it to 3. Now if that was not enough, if you want PEAP Fast Reconnect to work you need to apply post-SP2 hotfix 885453 to fix that issue.

What a job, for only three days' worth of work. I would have been done sooner if I could have set the whole thing up myself. My biggest issue was I had too much help, but that is a whole other story. So after all that, they will not be deploying it anytime soon, since their systems group will need to figure out when they will go to XP SP2. Until next time, keep computing.

Authentication Methods White Paper

This paper is taking me longer than expected, I keep getting sidetracked with other issues that keep popping up. So I have decided to post what I have into sections. I will post what I have and will post each completed subsection as I complete this. I figure this way it may take a while, but at least something is being shown.

Security: How to Part 1

One question I get a lot as a consultant is "Is my network secure?" My response is usually, "If you are asking that question then NO!" So I will spend some time on my blog discussing overall network security.

First of all, a network is never secure. I don't care what anyone says, it will never be secure. The reason is that with all the patches, updates, poorly written code, and the end-user, there will always be some weak spot on your network. So let's look at all the different steps that I have done and have suggested to customers for securing their networks. But before just rushing out and implementing any of these suggestions, first sit down and plan out the implementation. Will this have any effect on your end-users? If so, how? Will it affect their ability to do their job? These are just a few of a slew of questions that you should be asking and answering. With that said, let's begin.

We shall begin at the perimeter and work our way in. The first thing we should look at is the router. Your router is your first line of defense from the Internet. Most companies are so predictable: they will either buy a basic router and/or do a basic configuration and be done with it. Here is what you should be doing:


Turn off telnet. DO NOT TELNET to your perimeter router. Why, you may ask? Telnet is plain-text, and if something on your network is compromised a hacker will be able to capture those packets, including the password. If you need remote access use SSH if it is supported, and lock it down with an ACL specifying which IP addresses are allowed remote access. If SSH is not supported use HTTPS (not HTTP); if that is not available either, shut the web server piece off if possible. In a perfect world you would do everything from the console in a secure data center, but in reality use SSH. Note: Use a 14-character password with upper case, lower case and numbers.

Next, we will use ACLs for everything. ACLs use a lot of processing power, but since most routers are hooked up to T1s it shouldn't affect overall performance significantly. What and where do these ACLs go, you may ask? On your outside interface you should apply an ACL that does the following:

Deny all RFC 1918 private addresses, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and the 169.254.0.0/16 link-local block.

Deny all incoming traffic from your internal network. An incoming packet should not have a source address from your internal network.

Deny all IANA reserved, test, multicast and loopback address blocks. If you go here you will see, in his template, a list of bogon filters written for an IOS router.

Now we shall place a simple ACL on your internal interface that allows outgoing traffic from your internal IP range to anything, and nothing else.

If you are using SNMP on your outside router you should use an access-list to allow SNMP traffic to be received only from a specific source. Also, do not use the default community string of public, and don't name it private. The community string should be treated as if it were a password.

Use an access-list to allow only specific IP addresses for remote administration via SSH or HTTPS. Do not use HTTP or telnet.

You should also create a null interface and add route statements so your bogon list will route to this interface. This is an added level of security: in case a packet for one of those ranges gets into the router from another interface, it will route to nowhere. I will say this for the sake of saying it: DO NOT USE A ROUTING PROTOCOL. Never use routing protocols on your perimeter router. Always use static routes! The only exception is if you are a big company with multiple Internet connections; then you would use BGP or IS-IS.

These are some basics that you can do. Specifically for Cisco routers you can enter the following commands (the first eight are global configuration commands; the last three, ip directed-broadcast, ip mask-reply and ip proxy-arp, are disabled per interface):

no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no snmp-server (only if you are not going to use it)
no cdp run
no service config
no ip source-route
no ip directed-broadcast
no ip mask-reply
no ip proxy-arp

You will also want to shut down all unused interfaces. Another Cisco-centric suggestion would be to upgrade the IOS to include the firewall feature set and then configure CBAC for some common protocols. More reading on this can be found at the NSA and here.

In the next part we shall look at firewalls: the different types and designs for implementing them.

Hardening the TCP/IP Stack

There is an article on Microsoft's website about hardening the TCP/IP stack on Windows Server 2003. From my knowledge of TCP/IP, I find this article indispensable for setting up new servers or hardening existing networks for my clients. Click on the title to go to the article. I suggest reading the article in whole, but below are some excerpts from it.
Set SYN Protection Thresholds
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
* Value name: TcpMaxPortsExhausted
* Recommended value data: 5
* Value name: TcpMaxHalfOpen
* Recommended value data: 500
* Value name: TcpMaxHalfOpenRetried
* Recommended value data: 400
Set Additional Protections
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
* Value name: TcpMaxConnectResponseRetransmissions
* Recommended value data: 2
* Value name: TcpMaxDataRetransmissions
* Recommended value data: 2
* Value name: EnablePMTUDiscovery
* Recommended value data: 0
* Value name: KeepAliveTime
* Recommended value data: 300000
* Value name: NoNameReleaseOnDemand
* Recommended value data: 1
Protect Against ICMP Attacks
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters
* Value name: EnableICMPRedirect
* Recommended value data: 0
Protect Against SNMP Attacks
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
* Value name: EnableDeadGWDetect
* Recommended value data: 0
AFD.SYS Protections
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters
* Value name: EnableDynamicBacklog
* Recommended value data: 1
* Value name: MinimumDynamicBacklog
* Recommended value data: 20
* Value name: MaximumDynamicBacklog
* Recommended value data: 20000
* Value name: DynamicBacklogGrowthDelta
* Recommended value data: 10
Additional Protections
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Protect Screened Network Details
* Value name: DisableIPSourceRouting
* Recommended value data: 1
Avoid Accepting Fragmented Packets
* Value name: EnableFragmentChecking
* Recommended value data: 1
Do Not Forward Packets Destined for Multiple Hosts
* Value name: EnableMulticastForwarding
* Recommended value data: 0
Only Firewalls Forward Packets Between Networks
* Value name: IPEnableRouter
* Recommended value data: 0
Mask Network Topology Details
* Value name: EnableAddrMaskReply
* Recommended value data: 0
You should test all these settings in a test environment before implementing them in production; this cannot be stressed enough. You may find that you need to tweak the settings to best suit your network environment. Also, for additional reading, check out Microsoft KB articles 315669 for Windows 2000 and 324270 for Windows 2003.

New client can't run Windows Updates

Derrick, who is a good friend of mine, runs a company named SystemsEng. He uses me as a subcontractor quite a bit. Derrick is currently in the process of signing a new client. He wanted me to go with him to help impress them to get the contract signed quicker. So after the two of us poked around this domain setup we found several things that needed to be fixed, but none were a quick fix. After discussing with the on-site tech people, we found out that they were unable to get to the Windows Update site to run patches on all XP workstations. I have run into this before at another state agency. So I hop onto this guy's computer and check to see if he was a local admin. Since he was, we headed out to Microsoft's support site to look for an article. Contrary to popular belief, I can't remember everything. So after some searching I find article Q883821, which describes a workaround for their error: running a command from the command line to reapply the security settings, allowing them to do this. The guy saw that it worked and was ecstatic; he definitely wants us there now.

How to Ghost a RAID 5 Boot partition

I have always been of the motto that a good engineer only works 10% of the time and sits around 90% of the time. While I have never been able to achieve this goal, I do strive towards it. I have been able to take a slow day once in a great while. What I am getting at is that, given enough time and imagination, there is ALWAYS a more efficient (easier) way of doing something. You are probably wondering where I am going with this.

Last year I was working a project for the state where I needed to replace 50+ servers, of which 39 needed to be installed and ready for a forklift replacement of the existing 39 servers they were replacing. Timeframe: 6 weeks. To top it off, here are the details: 13 regions, 3 servers each: 1 DC/ISA 2004 server, 1 Exchange server, 1 file/print server.

I know what you are saying: just set up a bunch of servers on a KVM switch and start installing the OS, etc. Well, the staff, knowing of my motto, wanted me to help the two domain administrators who are responsible for the whole state with a way to recover in case of catastrophic failure. Specifically, they asked me to come up with this method.

Alright, so let's go see what Symantec says. Answer: not supported. Well, I have run into that in the past but was able to get away with things. With no help from Symantec I went to Dell to see if I could find a driver for DOS; well, there was none. Now I have a problem.

I remember an article from The Screen Savers (back when it was Leo and Patrick, and fun to watch). I won't bother with a link because the show, in my opinion, is not any good anymore (except for some of Kevin Rose's content). Now this article discussed a freeware solution named Bart PE which allows you to use a stripped XP kernel to boot to.

I remember that Dell had an XP driver for the RAID controller; this might work. So I find a forum located on a website named 911 Rescue CD. After looking around I found some information not only on how to configure the driver for Bart PE, but on how to get the Gigabit NIC to work at a full Gig while using this Pre-install Environment (PE). I added Ghost 8.0 and a couple of other utilities. Next, I created the ISO file and burned it to a bootable CD.

Now I made three different images: 1 DC/ISA server, 1 Exchange server (uninstalled), and 1 file/print server. I used Sysprep to make life even easier. I then booted from the CD we made, and it sees the RAID partition (YAH!!!). So now we ghost it to a network server; it goes really quick running at 1 Gigabit. I then hook up another server and download the image, again quickly (about 5 minutes). A quick reboot and it worked!

I have now saved myself time to devote to other parts of the project. We also got some good points for achieving our rather ambitious goal, which sometimes is better than billable hours.


Active Directory authentication for Linux Part 3

As promised here is the rough write-up. If any one has any questions, let me know.

LDAP with SSL (LDAPS)
With normal LDAP authentication there is a major weakness: all information is transmitted between the client and server in clear text. In most secure environments this would not be acceptable. Another issue that we can run into is that Active Directory will not let you change your password unless you can do it securely.
To solve these issues we will simply encrypt all LDAP requests using Secure Sockets Layer (SSL). This will require an additional prerequisite of a certificate server.
You will need to install at least one Microsoft Enterprise Certificate Server and allow automatic computer enrollment for the domain, or at least for the domain controller. You will need to confirm that OpenSSL is installed on the Linux workstation.

Converting the CA certificate
Now that the lab is set up we will need to get the CA certificate from the server. This can be done by downloading it from the certificate server web page located at http://certificate_server/certsrv/ where certificate_server can be either the hostname, FQDN or the IP address of the machine. You should save it in your home directory on the Linux workstation.
Once you have the certificate you must convert it to the PEM format. This is easily done with the openssl command, which would have the following syntax:
openssl x509 -inform DER -outform PEM -in cacert.cer -out cacert.pem
The output should be the new certificate in PEM format that the Linux workstation will use. This new certificate needs to be placed in the /etc/ssl/certs directory (the ldap.conf example below refers to it as adcert.pem). Make sure that the file permissions are set for everyone to have read access on the certificate.

Edit /etc/ldap.conf
Now that the certificate work is done, we need to edit ldap.conf. We need to add three lines to the file. The first line turns the SSL feature on. The next line tells the PAM module where to find the CA certificate that we just converted. The last line tells the client not to request the cert since we have already installed it on the local client (note that TLS_REQCERT never also stops the client from checking the server's certificate against that CA file; once the CA file is in place, TLS_REQCERT demand gives you the verification the CA was installed for). Here is the text that I added to my ldap.conf file.
ssl on
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT never
Once I saved this file, I wanted to make sure that I could test this, so I copied my /etc/ldap.conf to /etc/openldap/ldap.conf. This way I am able to use the same settings with my LDAP tools.

Caching of Universal Groups

Here is some information I came across about the caching of universal groups on non-GC domain controllers. The universal group info is stored in the user's msDS-Cached-Membership attribute and given a timestamp in the msDS-Cached-Membership-Time-Stamp value. The user's logon site is placed in the msDS-Site-Affinity value. Only the msDS-Site-Affinity value is replicated.

When a user logs on, if the data stored in msDS-Cached-Membership is older than 7 days it is considered stale and the system consults a Global Catalog. By default the cached information is updated every 8 hours, and at most 500 accounts will be refreshed in each cycle.

With this being said, if you add a user to a new universal group it could take 8 hours for it to fully cycle through the domain. In Microsoft article 871159 they list several resolutions and a workaround to resolve this issue.

A vbscript to migrate all those network shares

Here is a treat for you. You need to migrate 13 file servers at once, each with a minimum of 60 shares and a maximum of 200+ shares. What are you to do? Well, manual recreation is definitely out of the question, because you have 13 servers to do it to and only 6 weeks to build them along with 13 DC/ISA and 13 Exchange servers. What to do? Well, the base server is built; now what?

Being old school, I know I can do an xcopy to copy the data from one server to another. I know I could script this as well, but I am only given a handful of weeks to set this process up and get servers out the door. Restoring from tape is out of the question; restoring over a T1 would take too long and eventually cause issues with business applications. And the old tape drives and new tape drives are different makes altogether. So I go with the tried and true method. I set up a batch job to copy the main folders from the old server's D: drive to the new server's E: drive. This command line would look something like the following:

xcopy \\oldserver\d$ \\newserver\e$ /E /V /I /F /O

I could use the /C switch here, but I actually wanted to see if it would bomb, and where, to verify all data made it over. This was a good thing, since domain admins were locked out of a few things (which we fixed). So I would set up this batch job to start on a Friday night and wait for it to finish. Once done I would manually inspect that all files were copied. Now came the fun part: writing and testing a script.

My script was simple and to the point: attach to the old server, then attach to the new server. Once both connections were established, all shares on the old server would be enumerated one at a time, and as they were, they would be re-created on the new server with the new drive location. The script would then close the connections automatically at termination. The script is not the neatest written script, but it was written quickly and served its purpose. Use it "as-is" or modify it some more. Below is the script I wrote:

' Bind to the server service (LanmanServer) on the old and the new server
Set ShareSrvObj = GetObject("WinNT://oldserver/LANMANSERVER")
Set NewShareSrvObj = GetObject("WinNT://newserver/LANMANSERVER")
On Error Resume Next
' Walk every share on the old server and recreate it on the new one.
' Only the share name, path and user limit are carried over by this provider.
For Each ShareObj In ShareSrvObj
    Set NewShareObj = NewShareSrvObj.Create("FileShare", ShareObj.Name)
    ' Same path, but on the new server's E: drive: drop the old drive letter (D) and prepend "e"
    NewShareObj.Path = "e" & Right(ShareObj.Path, Len(ShareObj.Path) - 1)
    NewShareObj.MaxUserCount = ShareObj.MaxUserCount
    NewShareObj.SetInfo
    Set NewShareObj = Nothing
Next

Happy scripting until next time!!

Still working on it!

I am still working on the first part, using LDAP authentication with Linux against AD. I will probably post version 1.5 of the white paper. I am also stuck on getting LDAP with Kerberos using SASL as well; so I have been trying to balance writing with research. Soon, I promise!

Time can fly!

Wow, has time flown by, and a lot has happened. I have switched my blog to my own server using WordPress. I have gotten a new contract. I have been extremely busy the last couple of months. You know how it is, everything hits you at once. I have been working on some exciting new stuff involving Linux and Windows 2003 R2: an in-depth look at Kerberos, LDAP, and Samba. I will be filling everyone in shortly, so keep track!

Security: How To Part 4

How do we prevent unauthorized machines and users from getting onto our network? Well, we can keep them from resources by not allowing them to log on to the domain. This does not stop them from plugging in a laptop that could be infected with a worm or from attempting to sniff traffic. So you may be asking how I stop them. There are several methods.

The first method is to shut down all unused ports. Depending on the size of your network, this could become very overwhelming and tedious. You could use sticky MACs, where the layer 2 port remembers or has a hardcoded MAC address (or addresses) placed in it and will only work for those particular NICs. This works great for servers in a datacenter, but is unrealistic in the networking closets.

Let's kill two birds with one stone. In the last article I mentioned placing users with common functions in VLANs. What if we could assign the VLAN by user account and/or machine account, and shut the port off if neither is approved? Well, with IEEE 802.1x we can.

As a quick high-level overview, here is how it works. An 802.1x-compliant switch is configured to contact a RADIUS server. The RADIUS server can be a Microsoft IAS server, Cisco Secure ACS, or another third-party RADIUS server. It authenticates the supplicant's credentials against a central database like Active Directory. Then it sends the correct RADIUS attributes (64, 65, and 81) to assign the VLAN.

Now it is a little more complicated than that, and it depends on what RADIUS server you use. I would look into who you use for your infrastructure and also who you use for wireless; 802.1x is big for enterprise wireless. I am just covering the basics.

So, we have a switch and a RADIUS server; now what? Well, we need to decide the authentication method we will use. Here are the common choices:

PEAP

EAP-TLS

EAP-MD5

PEAP is usually my preferred choice, especially when authenticating against Active Directory. The specific PEAP inner method I use for this is EAP-MSCHAPv2, which is supported in Microsoft Windows XP SP1, but we will get into specifics in a few minutes. PEAP uses a server certificate from the RADIUS server to establish an SSL tunnel over which all authentication takes place. I think this is the easiest deployment since you only need the one certificate. This certificate can be published to all clients as a trusted source via Group Policy.

EAP-TLS will require an Enterprise Certificate server to be installed. Automatic enrollment will need to be configured, and publishing to Active Directory as well. EAP-TLS will require each client to have a certificate, because authentication is done via PKI. The client authenticates the server via its certificate and the server authenticates the client via its certificate. I do like this method, but I personally feel there is a lot of overhead to maintain this authentication method. But this method could be used for non-Windows clients.

EAP-MD5 is basically using a password to get on the network. This method is good for outside consultants who do not want to join their computer to the domain. It is also good for non-Windows clients. Authentication is done via password hash. It is not a recommended authentication method, because it is the easiest to crack and does not support mutual authentication.

Since most of the IT world out there uses Windows, we will talk about it. Microsoft Windows XP supports EAP. SP1 specifically supports PEAP, but not well without some modification. Here is where good planning comes into play. Microsoft at this time does not make deploying IEEE 802.1x in a wired world easy at all. You cannot apply EAP settings to computers via GPO. Your choices are to set everything up in advance in your image, or to recruit some desktop resources during a deployment. Next order of business: while Microsoft states that it will work with SP1, I find that SP2 is required to work out a lot of bugs. So this may require testing of user applications to see if SP2 can be deployed, if it is not already. Next, for user authentication to work we need to do some registry hacking. This can be done via group policy, using a number of methods. The keys are listed in another article where I vented a little bit. And there is a post-SP2 hotfix if you will be using Fast Reconnect, but that is mostly used for wireless. If these steps are taken then machine and user authentication will succeed.

If you are assigning a VLAN via RADIUS, then you will need to send the information using the following RADIUS attributes:

64 - Tunnel-Type = VLAN

65 - Tunnel-Medium-Type = 802

81 - Tunnel-Private-Group-ID = VLAN Name or VLAN ID (VLAN Name is case sensitive)
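The three attributes above on the wire, as an added example that is not part of the original post: it encodes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) in the tagged layout of RFC 2868, using the enumerated values VLAN = 13 and IEEE-802 = 6 that the "VLAN" and "802" in the list stand for, and then applies a simplified model of the check a switch makes before it honours the assignment. The VLAN names are constructed sample values, and the switch-side logic is an assumption about typical behaviour, not any vendor's documented algorithm.

```python
# Added example (not from the original post): what a RADIUS server actually puts in
# an Access-Accept to assign a VLAN (attributes 64, 65 and 81, RFC 2868 / RFC 3580),
# and a simplified model of the check a switch performs before honouring it.
# The VLAN names used are constructed sample values.
import struct

TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # the enumerated value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # the enumerated value for "802" (IEEE-802)
TAG_MAX = 0x1F                # tags run 0x00..0x1F; anything higher is not a tag


def tagged_int_avp(attr, tag, value):
    """Type(1) Length(1) Tag(1) Value(3): the tagged integer layout of RFC 2868."""
    if not 0 <= tag <= TAG_MAX:
        raise ValueError("tag out of range")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string_avp(attr, tag, text):
    """Type(1) Length(1) Tag(1) String: tagged string layout, no NUL terminator."""
    if not 0 <= tag <= TAG_MAX:
        raise ValueError("tag out of range")
    data = text.encode("ascii")
    if len(data) > 250:  # Length is one octet and the header already takes 3
        raise ValueError("string too long for a RADIUS attribute")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def encode_vlan_assignment(vlan, tag=1):
    """The three AVPs a server sends to put the port in `vlan` (name or ID)."""
    return (tagged_int_avp(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_avps(buf):
    """Split a buffer of attribute-value pairs into (type, body) tuples."""
    avps, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        avps.append((attr, buf[i + 2:i + length]))
        i += length
    return avps


def tagged_value(attr, body):
    """Return (tag, value) for one tunnel attribute body."""
    if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(body) != 4:
            raise ValueError("tagged integer must be 4 octets")
        return body[0], int.from_bytes(body[1:], "big")
    # Tagged string: a first octet above 0x1F is part of the string, not a tag.
    if body[0] > TAG_MAX:
        return 0, body.decode("ascii")
    return body[0], body[1:].decode("ascii")


def vlan_from_access_accept(buf):
    """Simplified switch-side check (an assumption about typical behaviour):
    assign a VLAN only if all three attributes share one tag, Tunnel-Type is VLAN
    and Tunnel-Medium-Type is IEEE-802. Returns the group ID exactly as sent (the
    name is case sensitive, nothing is normalised) or None if the set is incomplete."""
    by_tag = {}
    for attr, body in decode_avps(buf):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = tagged_value(attr, body)
            by_tag.setdefault(tag, {})[attr] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment("Engineering")  # constructed sample VLAN name
    print(accept.hex())
    print(vlan_from_access_accept(accept))
```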

Until next time!

Something I found interesting

Here is a quick note about what I found out the other day. I am working with a Nortel engineer to install a Contivity VPN device. The VPN box will accept IPSec connections from the client software. The goal is to allow the box to authenticate against Active Directory. Well, this is simple: just use IAS.

Here comes the wrench: the traffic from the VPN box to IAS must be encrypted. Alright, so PAP is out of the question. CHAP will work, but then AD will need to store passwords in reversible encryption. That is not allowed due to security concerns.

Well, let's see here: the Contivity supports 5 types of authentication, PAP, CHAP, AXENT, TOKENS, and MS-CHAP. Let's use MS-CHAP; that would be the logical assumption, you say. Well, after much testing and research, I am informed by Nortel that MS-CHAP is not a supported authentication method when using IPSec, so at this point I am looking at either using L2TP (not), PAP (not), CHAP (NOT), or another product.

So talks have started at the upper levels to do Cisco Secure ACS (hahaha, wonder how that happened). And we shall see where it takes us.

AdminSDHolder - or where did my permissions go?

I came across this article a while back and remembered all the hassles I had with this issue. I figured I would post it for everyone to reference. While there is a TechNet article on this issue, he puts everything in plain English. Check it out.

AdminSDHolder - or where did my permissions go?
by: Ulf B. Simon-Weidner


I recently had a customer who had an issue which is by design, but not well known to every AD Administrator. So I decided to summarize some info about it.

Symptom
Usually you delegate permissions in Active Directory via OUs. Those permissions apply (if configured so) to objects like users underneath that OU. However, you may experience that they don't apply to all user accounts (e.g. a delegated admin is able to change the phone number for most users, but not for a few others), or that the permissions are being reset/lost on some accounts. If you look at the permissions of that user account you'll find that the account's security descriptor is set not to inherit permissions from parent objects. If you set the security descriptor to inherit permissions again, you'll see that this will be reset after a while. If you configure permissions directly on the object they will be reset after a while as well.

Reason
Active Directory protects certain accounts from inheriting delegated permissions. This behavior applies to direct and nested members of the following security groups:

Windows 2000 SP3:
Enterprise Admins
Schema Admins
Domain Admins
Administrators

Windows 2000 SP4 or Windows Server 2003 additionally:
Account Operators
Server Operators
Print Operators
Backup Operators
Cert Publishers

Additionally, the accounts Administrator and krbtgt are protected.

Why are those accounts protected?
Delegation via AD permissions is usually used to delegate administrative rights to regular user accounts, to implement administrative roles like Site Administrator. Those might be assigned to reset passwords, deactivate accounts or other tasks. The AdminSdHolder thread ensures that such an administrative role does not gain more permissions or become able to compromise the privileged accounts.

How are those accounts protected?
The AdminSdHolder/DS Propagator thread modifies all accounts which are direct or nested members of one of those groups and increases the attribute adminCount to a value higher than 0. This thread runs once an hour on the domain controller holding the PDC Emulator role. The thread further resets the security descriptor of those accounts with the default permissions for administrative accounts, which is defined by the security descriptor of the object cn=AdminSdHolder,cn=System,dc=yourdomain,dc=com. This also resets the flag to disable inheritance from parent objects.

But what can I do if I need different permissions?
If you need different permissions on those accounts there are a few approaches you can take:


Usually you should avoid using administrative accounts for the daily routine. Use a regular user account, and just start administrative applications (such as Active Directory Users and Computers) with administrative credentials (via RunAs or the context menu, Open with…). Active Directory enabled applications or Site Admins would be able to change the regular user account of the Administrators, which is usually sufficient, but their administrative accounts are protected. This protects the Administrator from administrative errors of delegated administrators, and he's further protected against viruses/worms when surfing the web/reading e-mail.
You could use a domain admin account for AD-enabled applications: This would be a solution, but should be avoided whenever possible. It's quite easy to delegate AD-integrated applications only write permissions to the attributes they need, so use that feature to protect your AD. Many times those applications only need permissions to add/modify/delete objects which are defined by their schema extension, and write permissions on attributes on existing objects their schema extension also added.
If absolutely necessary you are able to change the default permissions on administrative accounts to reflect the needs of those applications. You can easily do this by modifying the permissions on cn=AdminSdHolder,cn=System,dc=yourdomain,dc=com. This can be accomplished using ADSIEdit.msc or DsAcls.exe. DsAcls is a command-line tool for modifying AD permissions, which every administrator who delegates rights in AD should know. Be sure to test in advance which attributes of which objects are being modified by the application.

What else is important to know?
AdminSdHolder also applies the permissions to accounts which are nested members through distribution groups. E.g. if User1 is a member of the distribution group Maillist-KnowHow, which is a member of Account Operators, then User1 is considered as one of the protected accounts (since the distribution group could be converted to a security group). Be aware that the command whoami /all does show nested group memberships, but not nested groups through distribution groups. Usually you should avoid nesting distribution groups in one of the protected groups.
Users which are removed from one of the protected groups (or their nested groups) do not inherit permissions from parent objects. You need to check the box to inherit permissions when removing those users from the group manually, or use a script to check your users.
If you have many accounts which are protected by the AdminSdHolder/DS Propagation thread, you might notice that the lsass process on the domain controller holding the PDC Emulator rises to 100% once an hour. Therefore you should avoid putting loads of users in the protected groups, and rather use delegated administration whenever possible.
Depending on your needs you might want to remove Backup Operators, Printer Operators, Server Operators or Account Operators from the AdminSdHolder protection. You can get a hotfix at Microsoft PSS which allows you to configure that. See the following KB for more information on that: http://support.microsoft.com?id=817433


More Information:
http://search.microsoft.com/search/results.aspx?qa=adminsdholder+admincount
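
The article's last tip, "use a script to check your users", as an added PowerShell example (not part of Ulf's article or the blog post). It assumes the ActiveDirectory module from RSAT and a domain account allowed to edit the affected user objects; it finds accounts that still carry adminCount=1 but are no longer direct or nested members of a protected group, then clears the flag and re-enables inheritance so delegated OU permissions apply again.

```powershell
# Added example: audit and repair "orphaned" AdminSDHolder accounts.
# Assumes the ActiveDirectory module (RSAT); group names are those the article lists.
Import-Module ActiveDirectory

# Protected groups (Windows 2000 SP4 / Windows Server 2003 set from the article)
$ProtectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Cert Publishers'

function Get-ProtectedMemberDN {
    # Returns a hashtable keyed by DN of every principal SDProp would still protect.
    # Groups that do not exist in this domain (e.g. Enterprise Admins outside the
    # forest root) are simply skipped.
    $dns = @{}
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $dns[$_.DistinguishedName] = $true }
    }
    # Administrator and krbtgt are protected regardless of group membership
    foreach ($sam in 'Administrator', 'krbtgt') {
        $u = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if ($u) { $dns[$u.DistinguishedName] = $true }
    }
    return $dns
}

function Get-OrphanedAdminCount {
    # Users flagged adminCount=1 that SDProp would no longer touch: these keep
    # the old, non-inheriting ACL until someone fixes them by hand or by script.
    $protected = Get-ProtectedMemberDN
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) }
}

function Repair-OrphanedAdminCount {
    # Clears adminCount and turns inheritance back on for one user.
    # Only run this on accounts Get-OrphanedAdminCount returned: a user that is
    # still protected would be reset again by the hourly thread anyway.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User)
    process {
        $dn = $User.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and enable inheritance')) {
            Set-ADUser -Identity $dn -Clear adminCount
            $acl = Get-Acl -Path "AD:\$dn"
            # isProtected=$false re-enables inheritance; preserveInheritance=$true
            # keeps the explicit ACEs that are already on the object
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
}

# Preview first; drop -WhatIf to apply
Get-OrphanedAdminCount | Repair-OrphanedAdminCount -WhatIf
```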

Hardening the TCP/IP Stack

There is an article on Microsoft’s website about hardening the TCP/IP stack on Windows Server 2003. From my knowledge of TCP/IP I find this article indispensable for setting up new servers, or hardening existing networks for my clients. Click on the title to go to the article. I suggest reading the article in whole, but below are some excerpts from the article.
Set SYN Protection Thresholds
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
* Value name: TcpMaxPortsExhausted
* Recommended value data: 5
* Value name: TcpMaxHalfOpen
* Recommended value data: 500
* Value name: TcpMaxHalfOpenRetried
* Recommended value data: 400
Set Additional Protections
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
* Value name: TcpMaxConnectResponseRetransmissions
* Recommended value data: 2
* Value name: TcpMaxDataRetransmissions
* Recommended value data: 2
* Value name: EnablePMTUDiscovery
* Recommended value data: 0
* Value name: KeepAliveTime
* Recommended value data: 300000
* Value name: NoNameReleaseOnDemand
* Recommended value data: 1
Protect Against ICMP Attacks
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters
* Value name: EnableICMPRedirect
* Recommended value data: 0
Protect Against SNMP Attacks
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
* Value name: EnableDeadGWDetect
* Recommended value data: 0
AFD.SYS Protections
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters
* Value name: EnableDynamicBacklog
* Recommended value data: 1
* Value name: MinimumDynamicBacklog
* Recommended value data: 20
* Value name: MaximumDynamicBacklog
* Recommended value data: 20000
* Value name: DynamicBacklogGrowthDelta
* Recommended value data: 10
Additional Protections
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Protect Screened Network Details
* Value name: DisableIPSourceRouting
* Recommended value data: 1
Avoid Accepting Fragmented Packets
* Value name: EnableFragmentChecking
* Recommended value data: 1
Do Not Forward Packets Destined for Multiple Hosts
* Value name: EnableMulticastForwarding
* Recommended value data: 0
Only Firewalls Forward Packets Between Networks
* Value name: IPEnableRouter
* Recommended value data: 0
Mask Network Topology Details
* Value name: EnableAddrMaskReply
* Recommended value data: 0
You should test all these settings in a test environment before implementing them in production; this cannot be stressed enough. You may find that you need to tweak the settings to best suit your network environment. Also, for additional reading check out Microsoft KB articles 315669 for Windows 2000 and 324270 for Windows 2003.
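
The excerpted values as an audit-and-apply PowerShell script (an added example, not code from the Microsoft article or the post). The full registry paths are assumed from where these values actually live: the SYN and "additional" values under Tcpip\Parameters, NoNameReleaseOnDemand under NetBT\Parameters, and EnableICMPRedirect under Tcpip\Parameters rather than AFD; SynAttackProtect is not in the excerpt above but is listed because the SYN thresholds are only consulted while it is enabled.

```powershell
# Added example: audit the current machine against the recommended values
# above, then apply them (with -WhatIf support). Run elevated; reboot after applying.
$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

$Hardening = @(
    # SYN protection thresholds (assumption: only effective with SynAttackProtect on)
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 1 }
    @{ Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Value = 500 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 400 }
    # Additional protections
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 2 }
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 }
    @{ Path = $Tcpip; Name = 'KeepAliveTime';                        Value = 300000 }
    @{ Path = $NetBt; Name = 'NoNameReleaseOnDemand';                Value = 1 }
    # ICMP / dead gateway
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Value = 0 }
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 }
    # AFD.SYS backlog protections
    @{ Path = $Afd;   Name = 'EnableDynamicBacklog';                 Value = 1 }
    @{ Path = $Afd;   Name = 'MinimumDynamicBacklog';                Value = 20 }
    @{ Path = $Afd;   Name = 'MaximumDynamicBacklog';                Value = 20000 }
    @{ Path = $Afd;   Name = 'DynamicBacklogGrowthDelta';            Value = 10 }
    # Routing / topology exposure
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Value = 1 }
    @{ Path = $Tcpip; Name = 'EnableFragmentChecking';               Value = 1 }
    @{ Path = $Tcpip; Name = 'EnableMulticastForwarding';            Value = 0 }
    @{ Path = $Tcpip; Name = 'IPEnableRouter';                       Value = 0 }
    @{ Path = $Tcpip; Name = 'EnableAddrMaskReply';                  Value = 0 }
)

function Test-TcpipHardening {
    # Emits one object per value that is missing or differs from the recommendation.
    # A missing value means the stack is using its built-in default, not 0.
    foreach ($s in $Hardening) {
        $current = $null
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($s.Name) }
        }
        if ($current -ne $s.Value) {
            [pscustomobject]@{
                Path        = $s.Path
                Name        = $s.Name
                Current     = if ($null -eq $current) { '(not set)' } else { $current }
                Recommended = $s.Value
            }
        }
    }
}

function Set-TcpipHardening {
    # Writes every recommended value as a REG_DWORD, creating missing keys.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in $Hardening) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set REG_DWORD to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

# Report drift first; then preview the change with -WhatIf before applying for real
Test-TcpipHardening | Format-Table -AutoSize
Set-TcpipHardening -WhatIf
```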

Cisco Lab Topology



Security: How To Part 2

In the last article of this series we looked at securing the perimeter router. With this done we shall move onto firewalls. I will not be getting into a great detail about any one specific firewall, but I will review the types and the overall implementation design of them.

First, let’s have a networking 101 review. There is this thing called the OSI model of networking. This model consists of 7 layers used to refer to what happens when a packet is to be sent over a wire across a network. The seven layers are as follows in order:

Application

Presentation

Session

Transport

Network

Datalink

Physical

For the purpose of firewalls we will be looking at layer 3 (Network), layer 4 (Transport) and layer 7 (Application). A layer 3 firewall is basically what we set up in the last article; this allows us to indicate which addresses we do not want to accept packets from. With a layer 4 firewall not only can you specify source and destination addresses, but you can specify ports as well. The IP protocol is broken up into 2 transport protocols, TCP and UDP. Each protocol has 65536 unique ports it can use on a network device. For example, if we wanted only to allow traffic from the Internet to see a web server, we would tell the layer 4 firewall to allow all Internet traffic to server A using TCP on port 80. It would then filter out traffic on all 65535 other TCP ports and drop all UDP packets.

So layer 3 and layer 4 firewalls are basically like sifters, each having a finer screen. So now let’s look at an Application firewall (layer 7). This is the most processor-intensive of all firewalls. It will decode a packet completely and analyze its contents before accepting or denying it. These are commonly used for HTTP, SMTP, IM, SNMP, etc. Again, these are the most processor-intensive of all firewalls; they must analyze each packet for corrupt information, buffer underrun attempts, malformed packets, everything. These are also the strictest of firewalls: if a vendor implements extra features in a protocol that are non-RFC compliant, or if you do not upgrade the firewall to keep up with new RFCs, these firewalls could drop the packet.

Now I said I would not talk about specific firewalls, and I am not. But I will discuss the underlying OS or the use of appliances. First off, this is your firewall, your best defense against evil hackers coming through the Internet or some part-time script kiddie. Do not skimp on your firewall. Buy a dedicated server or device to be your firewall. Do not place any other services on it like a mail server or web server. If you are going to place your firewall on a server, use an OS that is proven to be a workhorse and stripped of bells and whistles. To me, I would only use a BSD-kernel UNIX. I would prefer to use an appliance, the only reason being that patches come out on a daily basis for different pieces of Unix (depending on what you have installed on it) and patching can become a complete nightmare. With an appliance you buy from a vendor, they are responsible for the firewall software and the underlying OS it runs on. Applying patches to an appliance is a lot easier than on a Unix-based server, with less downtime.

Let’s move on to the design of a firewall setup within your network. Most companies will purchase one firewall, or two firewalls for redundancy. They stop short of doing it right. You see, you want to make it as hard as possible for hackers so that they move on and hit someone else. So the key point here is to put firewalls in layers. We started with the perimeter router. That is layer one. Next, you should put in a layer 4 firewall; behind this will be a Dirty DMZ where you would place a honeypot, an external DNS server, or an FTP server for file swapping between companies. Then you would put in a layer 7 firewall, and behind this would be your Clean DMZ where you would place your external mail server, VPN concentrators, web servers, virus scanner appliances, spam filter appliances, etc. Then, depending on your financial situation, you would either put in a NAT router or preferably another layer 7 firewall; behind this would be your internal network. Below is an example of our ideal setup.



With all these layers a hacker would spend a great amount of time penetrating your network. In the next article, we shall look at VLAN configuration.

Well it’s been a while!

Sorry I haven't posted in a while, I have been looking for work either contract or at this point W-2. In the last few weeks the IT market has dried up real bad, so I have expanded the distance I am willing to go for work. About two weeks ago I got a call from a recruiter (headhunter) asking me if I would be interested in a full-time position in the city (NYC). So after a few interviews it is looking good. I am waiting for an offer and will see where it leads to.

In other news, I finished my recertification of CCNP and CCDP. I have taken one of the two required exams to upgrade to MCSE 2003 as well. I got a call from this national body shop, I mean temporary employment agency, and was asked if I wanted to do a one week install of Cisco Secure ACS, sure why not. Well, after doing the entire meet and greet and starting to get down to the nitty-gritty, this new network setup is not completed. They have not decided what to do about VLANs. So for two days they are asking me what we should do. Answer: well, group users by function. Meaning if you have a group of users that need access to Servers A, B, and C but not D, then group them together so you can place VACLs in place to help secure the network. Then they were trying to pump me for information on that as well.

So I install the ACS and machine authentication was working fine, but then they wanted to work with user authentication. I knew this was going to be a headache, I knew there was a reason we did not implement this at the hospital. So after headbanging and attitudes from the client it was figured out.

The client needs to be Windows XP SP2, which they were only at SP1. The PEAP settings need to be set, which thanks to Bill Gates and Microsoft there is no easy way to do for a WIRED 802.1x device. I think Bill and crew need to fix that for SP3. Then since they want to use user authentication, you need to tweak Windows. Windows does not send an EAP-Logoff request by default, so you need to go to HKLM\Software\Microsoft\EAPOL\Parameters\General\Global and you need to create a DWORD AuthMode and set it to 1. Then create a second DWORD SupplicantMode and set it to 3. Now if that was not enough, if you want PEAP Fast Reconnect to work you need to apply post-SP2 hotfix 885453 to fix that issue.

What a job, for only three days worth of work. I would have been done sooner if I could have set the whole thing up myself. My biggest issue was I had too much help, but that is a whole other story. So after all that, they will not be deploying it anytime soon since their systems group will need to figure out when they will go to XP SP2. Until next-time keep computing.

Something else I found out about the Contivity

Okay, so last time I told you that Nortel Contivity doesn't support MS-CHAPv1 or v2 with IPSEC tunnels. Well here is something else. After looking at another configuration, all authentication methods were enabled, on both sides (the Contivity and IAS). Answer: it still chose to use PAP for its authentication. So I get to break the bad news that their existing VPN device is sending information across a customer network insecurely. Just thought I would share that tidbit.

PS. I am almost done with the LDAP configuration section of the whitepaper, a couple more sections to complete, with a quick spell check. Remember that this will be draft quality only.

Something I found interesting

Here is a quick note about what I found out the other day. I am working with a Nortel engineer to install a Contivity VPN device. The VPN box will accept IPSec connections from the client software. The goal is to allow the box to authenticate from Active Directory. Well, this is simple, just use IAS.

Here comes the wrench: the traffic from the VPN box to IAS must be encrypted. Alright, so PAP is out of the question. CHAP will work, but then AD will need to store passwords in reversible encryption. That is not allowed due to security concerns.

Well, let's see here, the Contivity supports 5 types of authentication: PAP, CHAP, AXENT, TOKENS, and MS-CHAP. Let's use MS-CHAP, that would be the logical assumption you say. Well, after much testing and research, I am informed by Nortel that MS-CHAP is not a supported authentication method when using IPSec, so at this point I am looking at either using L2TP (not), PAP (not), CHAP (NOT), or another product.

So talks have started at the upper levels to do Cisco Secure ACS (hahaha, wonder how that happened). And we shall see where it takes us.

Caching of Universal Groups

Here is some information I came across about the caching of universal groups on non-GC Domain Controllers. The universal group info is stored in the user's msDS-Cached-Membership attribute and given a timestamp in the msDS-Cached-Membership-Time-Stamp value. The user's logon site is placed in the msDS-Site-Affinity value. Only the msDS-Site-Affinity value is replicated.

When a user logs on, if the data stored in msDS-Cached-Membership is older than 7 days it is considered stale and the system consults a Global Catalog. By default the cached information is updated every 8 hours, and 500 accounts at the most will be refreshed in each cycle.

With this being said, if you add a user to a new universal group it could take 8 hours for it to fully cycle through the domain. In Microsoft article 871159 they list several resolutions and a workaround to resolve this issue.


Using logon scripts for GPOs

As more and more of my clients move to Windows Server 2000 and 2003, and their clients move to Windows 2000 and XP Professional, I have been showing them the wonders of Active Directory and using VBScript for Startup/Shutdown and Logon/Logoff scripts. One of the better ones is mapping drives. While you would use less code to map it through a batch file, it is much faster and more efficient to use a GPO. I will show you.

First, the actual drive mapping. In a batch file we would use the command “net use z: \\fileserver1\share1” and that would be it, if you wanted to apply that to everyone who would use the batch file. But say you only wanted to limit this to a specific number of groups and these groups had other separate and different requirements. This would add up to a lot of different batch files.

Now there are a number of different methods to do this; this method is NOT the end all be all, but if you have a small number of groups, say around 50 different drive mappings, then this would be fine. Anything larger and you might want to look at alternatives. Now with that out of the way, let's get down to it.
First we need to make a vbscript file to map the drive. This is done using the following piece of code:

' Create the WScript.Network object and map Z: to the UNC path of the share
Set objWshNetwork = WScript.CreateObject("WScript.Network")
objWshNetwork.MapNetworkDrive "Z:", "\\fileserver1\share1"

Again these two lines will map the Z: drive to the share on the fileserver. Now that we have this we will go into our GPMC and create a new GPO. Once there we will then put the vbscript into the logon script. Once this is complete we need to do some tweaking for overall performance.

First, since this is a user GPO we will need to disable the Computer Settings part of the GPO. Now let's look at the security settings of the GPO. Everyone has the “Apply this policy” setting. We will remove this and add “Group1”, give them the “Read” and “Apply this Policy” settings and then click Apply. Once this is done the policy should only apply to the users belonging to Group1. If down the road Group2 needs this setting as well, you would just add them to the security like we did for Group1. I hope this helps some people out there that are still new to AD and VBScript.
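
The same GPMC steps scripted, as an added PowerShell example (not code from the post). It assumes the GroupPolicy and ActiveDirectory modules from RSAT; "Drive Map Z" and "Group1" are placeholder names, and the default apply permission is removed from Authenticated Users, which is the principal the default "Apply this policy" ACE is granted to. Attaching the .vbs itself to the GPO still has to be done in GPMC under User Configuration, Windows Settings, Scripts (Logon), as there is no cmdlet for that step.

```powershell
# Added example: create a user-only GPO and filter it to one group.
# Assumes RSAT modules; names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-FilteredLogonScriptGpo {
    param(
        [string]$GpoName    = 'Drive Map Z',                        # placeholder
        [string]$GroupName  = 'Group1',                             # placeholder
        [string]$LinkTarget = (Get-ADDomain).DistinguishedName      # link at domain root
    )

    # Reuse an existing GPO of that name, otherwise create it
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Logon script: map Z: for one group' }

    # The GPO carries only user settings, so switch the computer half off
    $gpo.GpoStatus = 'ComputerSettingsDisabled'

    # Security filtering: drop the default Apply for Authenticated Users,
    # then grant the target group Apply (which includes Read)
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel None | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # Since MS16-072, computers must still be able to read user GPOs, or the
    # policy is skipped at logon; keep Read (not Apply) for Domain Computers
    Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
                     -PermissionLevel GpoRead | Out-Null

    # Link it; a second group later only needs another GpoApply grant
    New-GPLink -Guid $gpo.Id -Target $LinkTarget -ErrorAction SilentlyContinue | Out-Null
    return Get-GPO -Guid $gpo.Id
}

function Add-GpoApplyGroup {
    # The "Group2 needs it too" case from the post: one more Apply grant, nothing else
    param([string]$GpoName, [string]$GroupName)
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
}

$gpo = New-FilteredLogonScriptGpo
Get-GPPermission -Guid $gpo.Id -All | Format-Table Trustee, Permission -AutoSize
```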

Until next time.

New client can't run Windows Updates

Derrick, who is a good friend of mine, runs a company named SystemsEng. He uses me as a subcontractor quite a bit. Derrick is currently in the process of signing a new client. He wanted me to go with him to help impress them to get the contract signed quicker. So after the two of us poked around this domain setup we found several things that needed to be fixed, but none were a quick fix. After discussing with the on-site tech people, we found out that they were unable to get to the Windows Update site to run patches on all XP workstations. I have run into this before at another state agency. So I hop onto this guy's computer and checked to see if he was a local admin. Since he was, we headed out to Microsoft's support site to look for an article. Contrary to popular belief I can't remember everything. So after some searching I find article Q883821, which defines a workaround for their error: running a command from the command line to reapply the security settings allowing them to do this. The guy saw that it worked and was ecstatic, he definitely wants us there now.

Time can fly!

Wow, has time flown by, and a lot has happened. I have switched my blog to my own server using WordPress. I have gotten a new contract. I have been extremely busy the last couple of months. You know how it is, everything hits you at once. I have been working on some exciting new stuff involving Linux and Windows 2003 R2. An in-depth look at Kerberos, LDAP, and Samba. I will be filling everyone in shortly, so keep track!

Security: How To Part 4

How do we prevent unauthorized machines and users from getting onto our network? Well, we can keep them from resources by not allowing them to log on to the domain. This does not stop them from plugging in a laptop that could be infected with a worm or from attempting to sniff traffic. So you may be asking how I stop them. There are several methods.

The first method is to shutdown all unused ports. Depending on the size of your network, this could become very overwhelming and tedious. You could use sticky MACs where the layer 2 port remembers or has a hardcoded MAC address(es) placed in it and will only work for those particular NICs. This works great for servers in a datacenter, but is unrealistic in the networking closets.

Let’s kill two birds with one stone. In the last article I mentioned placing users in VLANs with common functions. What if we can assign the VLAN by user account and/or machine account, and shut the port off if neither is approved? Well, with IEEE 802.1x we can.

As a quick high-level overview, here is how it works. An 802.1x compliant switch is configured to contact a RADIUS server. The RADIUS server can be a Microsoft IAS server, CiscoSecure ACS, or another third-party RADIUS server. It will authenticate information from a central database like Active Directory. Then it will send the correct RADIUS attribute information (64, 65, and 81) to assign the VLAN.

Now it is a little more complicated than that, but it depends on what RADIUS server you use. I would look into who you use for your infrastructure and also who you use for wireless, 802.1x is big for enterprise wireless. I am just covering the basics.
So, we have a switch and a RADIUS server, now what? Well we need to decide the authentication method we will use. Here are the common choices:

PEAP

EAP-TLS

EAP-MD5

PEAP is usually my preferred choice, especially when authenticating against an Active Directory. The specific PEAP I use for this is EAP-MSCHAP2, which is supported in Microsoft® Windows® XP SP1, but we will get into specifics in a few minutes. PEAP uses a server certificate from the RADIUS server to establish an SSL tunnel over which all authentication takes place. I think this is the easiest deployment since you only need the one certificate. This certificate can be published to all clients as a Trusted Source via Group Policy.

EAP-TLS will require an Enterprise Certificate server to be installed. Automatic enrollment will need to be configured and publishing to Active Directory as well. EAP-TLS will require each client to have a certificate, because authentication is done via PKI. The client authenticates the server via its certificate and the server authenticates the client via its certificate. I do like this method, but I personally feel there is a lot of overhead to maintain this authentication method. But this method could be used for non-Windows based clients.

EAP-MD5 is basically using a password to get on the network. This method is good for outside consultants that do not want to join their computer to the domain. It is also good for non-Windows clients. Authentication is done via password hash. It is not a recommended authentication method, because it is the easiest to crack and does not support mutual authentication.

Since most of the IT world out there uses Windows, we will talk about it. Microsoft Windows XP supports EAP. SP1 specifically supports PEAP, but not well without some modification. Here is where good planning comes into play. Microsoft at this time does not make deploying IEEE 802.1x in a wired world easy at all. You cannot apply EAP settings to computers via GPO. Your choices are to set up everything in advance in your image or recruit some desktop resources during a deployment. Next order of business: while Microsoft states that it will work with SP1, I find that SP2 is required to work out a lot of bugs. So this may require testing of user applications to see if SP2 can be deployed if it is not already. Next, for user authentication to work we need to do some registry hacking. This can be done via group policy, using a number of methods. The keys are listed in another article where I vented a little bit. And there is a post-SP2 hotfix if you will be using Fast Reconnect, but that is mostly used for wireless. If these steps are taken then machine and user authentication will succeed.

If you are assigning a VLAN via RADIUS, then you will need to assign the information using the following RADIUS attributes:

64 – Tunnel-Type = VLAN

65 – Tunnel-Medium-Type = 802

81 – Tunnel-Private-Group-ID = VLAN Name or VLAN ID (VLAN Name is case sensitive)
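
What those three attributes look like on the wire, as an added PowerShell example (not code from the post or from any RADIUS server). It builds the tagged tunnel attributes an Access-Accept carries for VLAN assignment and parses them back, so a practitioner can compare against a packet capture; the numeric codes are assumed from the RADIUS standards (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802), and the tag byte is what ties the three attributes to one tunnel.

```powershell
# Added example: encode and decode RFC 2868 tagged tunnel attributes (64/65/81).
# Assumed constants: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.

function New-RadiusTaggedInteger {
    # Layout: Type | Length (always 6) | Tag | Value (3 bytes, big-endian)
    param([byte]$Type, [byte]$Tag, [uint32]$Value)
    if ($Value -gt 0xFFFFFF) { throw 'Value does not fit in three bytes' }
    [byte[]]@($Type, 6, $Tag,
              (($Value -shr 16) -band 0xFF),
              (($Value -shr 8)  -band 0xFF),
              ( $Value          -band 0xFF))
}

function New-RadiusTaggedString {
    # Layout: Type | Length | Tag | String; the Tag byte counts toward Length
    param([byte]$Type, [byte]$Tag, [string]$Value)
    $text = [System.Text.Encoding]::ASCII.GetBytes($Value)
    if ($text.Length -gt 250) { throw 'String does not fit in one attribute' }
    [byte[]](@($Type, [byte](3 + $text.Length), $Tag) + $text)
}

function New-VlanAssignment {
    # The three attributes the post lists, sharing one tag. The VLAN name is sent
    # verbatim, which is why the switch side is case sensitive.
    param([string]$Vlan, [byte]$Tag = 1)
    $out = @()
    $out += New-RadiusTaggedInteger -Type 64 -Tag $Tag -Value 13     # Tunnel-Type = VLAN
    $out += New-RadiusTaggedInteger -Type 65 -Tag $Tag -Value 6      # Tunnel-Medium-Type = 802
    $out += New-RadiusTaggedString  -Type 81 -Tag $Tag -Value $Vlan  # Tunnel-Private-Group-ID
    [byte[]]$out
}

function Read-RadiusVlanAssignment {
    # Walks a run of attributes (e.g. bytes copied from a capture) and decodes
    # the tunnel attributes; other attribute types are skipped.
    param([byte[]]$Bytes)
    $i = 0
    while ($i + 2 -le $Bytes.Length) {
        $type = [int]$Bytes[$i]
        $len  = [int]$Bytes[$i + 1]
        if ($len -lt 2 -or $i + $len -gt $Bytes.Length) { throw "Malformed attribute at offset $i" }
        $body = if ($len -gt 2) { [byte[]]$Bytes[($i + 2)..($i + $len - 1)] } else { [byte[]]@() }
        switch ($type) {
            { $_ -eq 64 -or $_ -eq 65 } {
                if ($body.Length -ne 4) { throw "Tagged integer with bad length at offset $i" }
                [pscustomobject]@{
                    Attribute = if ($type -eq 64) { 'Tunnel-Type' } else { 'Tunnel-Medium-Type' }
                    Tag       = [int]$body[0]
                    Value     = ([int]$body[1] -shl 16) -bor ([int]$body[2] -shl 8) -bor [int]$body[3]
                }
            }
            81 {
                # A leading octet in 0x00..0x1F is a tag; anything higher is string data
                if ($body.Length -gt 0 -and $body[0] -le 0x1F) {
                    $tag = [int]$body[0]
                    $str = if ($body.Length -gt 1) { [byte[]]$body[1..($body.Length - 1)] } else { [byte[]]@() }
                } else {
                    $tag = 0
                    $str = $body
                }
                [pscustomobject]@{
                    Attribute = 'Tunnel-Private-Group-ID'
                    Tag       = $tag
                    Value     = [System.Text.Encoding]::ASCII.GetString($str)
                }
            }
        }
        $i += $len
    }
}

# Constructed sample: assign the VLAN named "Engineering"
$attrs = New-VlanAssignment -Vlan 'Engineering'
($attrs | ForEach-Object { $_.ToString('x2') }) -join ' '
# expected: 40 06 01 00 00 0d 41 06 01 00 00 06 51 0e 01 45 6e 67 69 6e 65 65 72 69 6e 67
Read-RadiusVlanAssignment -Bytes $attrs | Format-Table -AutoSize
```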

Until next time!

Cisco Lab

My old Cisco lab that I used to practice for my CCNP and CCDP


Security: How to Part 1

One question I get a lot as a consultant is “Is my network secure?” My response is usually, “If you are asking that question then NO!” So I will spend some time on my blog discussing overall network security.

First of all, a network is never secure; I don’t care what anyone says, it will never be secure. The reason being, with all the patches, updates, poorly written code, and the end user there will always be some weak spot on your network. So let's look at all the different steps that I have done and have suggested to customers about securing their networks. But before just rushing out and implementing any of these suggestions, first sit down and plan out the implementation. Will this have any effect on your end users, and if so how? Will it affect their ability to do their job? These are just a few of a slew of questions that you should be asking and answering. With that said, let's begin.

We shall begin at the perimeter and work our way in. The first thing we should look at is the router. Your router is your first line of defense from the Internet. Most companies are so predictable: they will either buy a basic router and/or do a basic configuration and be done with it. Here is what you should be doing:


Turn off telnet. DO NOT TELNET to your perimeter router. Why, you may ask? Telnet is plain text, and if something on your network is compromised a hacker will be able to capture those packets, including the password. If you need remote access use SSH if it is supported, and lock it down with an ACL listing which IP addresses are allowed remote access. If SSH is not supported use HTTPS (not HTTP); if neither is available, shut the web server piece off if possible. In a perfect world you would do everything from the console in a secure data center, but in reality use SSH. Note: Use a 14 character password with upper case, lower case and numbers.

Next, we will use ACLs for everything. ACLs will use a lot of processing power, but since most routers are hooked up to T1s it shouldn’t affect overall performance significantly. What and where do these ACLs go, you may ask? On your outside interface you should apply an ACL that does the following:
Deny all RFC 1918 private and link-local addresses; this includes 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 and 192.168.0.0/16.

Deny all incoming traffic with a source address from your internal network. An incoming packet should never have a source address from your internal network.

Deny all IANA reserved, test, multicast and loopback address blocks. If you go here you will see in his template a list of bogons that have been created for an IOS router.

Now we shall place a simple ACL on your internal interface to allow any outgoing traffic from your internal IP range to anything.

If you are using SNMP on your outside router you should use an access-list to allow SNMP traffic to be received from only a specific source. Also, do not use the default community string of public, and don’t name it private. This should be kept as if it is a password.

Use an access-list to allow only specific IP addresses for remote administration, via SSH, or HTTPS. Do not use HTTP or telnet.

You should also create a null interface and add route statements so the networks on your bogon list route to that interface. This is an added level of security: if a packet for one of those networks gets into the router from another interface, it will be routed to nowhere. I will say this just to say it: DO NOT USE A ROUTING PROTOCOL. Never use routing protocols on your perimeter router. Always use static routes! The only exception is if you are a big company with multiple Internet connections; then you would use BGP or IS-IS.
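An added example, not from the article, that models the inbound list described above for the outside interface, renders it as an IOS named ACL and checks it against constructed packets. The addresses (the internal range 203.0.113.0/24, the router's outside address, the SNMP manager and the admin hosts, all from the RFC 5737 documentation prefixes) and the final permit line are assumptions.

```python
"""Model the inbound ACL the article describes for the outside interface of a
perimeter router, render it in IOS syntax and check it against constructed
packets. Added example, not from the original post; every address below is an
assumption taken from the RFC 5737 documentation prefixes."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("203.0.113.0/24")         # assumed: the site's own public range
ROUTER_OUTSIDE = ip_network("198.51.100.1/32")  # assumed: the router's outside address
SNMP_MANAGER = ip_network("198.51.100.10/32")   # assumed: the only host allowed to poll SNMP
ADMIN_HOSTS = ip_network("198.51.100.16/28")    # assumed: hosts allowed SSH/HTTPS to the router

# RFC 1918, link-local, loopback, multicast and the class E block. Deliberately
# short; a production router takes the full bogon list the article points to.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def build_outside_acl():
    """Rules are (action, protocol, source, destination, dest_port); protocol "ip"
    matches tcp and udp alike and dest_port None matches any port. As on IOS, the
    first matching rule wins, so the anti-spoofing denies come first."""
    acl = [("deny", "ip", ip_network(b), ANY, None) for b in BOGONS]
    acl.append(("deny", "ip", INTERNAL, ANY, None))   # our own range must never arrive from outside
    acl.append(("permit", "udp", SNMP_MANAGER, ROUTER_OUTSIDE, 161))
    acl.append(("permit", "tcp", ADMIN_HOSTS, ROUTER_OUTSIDE, 22))
    acl.append(("permit", "tcp", ADMIN_HOSTS, ROUTER_OUTSIDE, 443))
    acl.append(("deny", "ip", ANY, ROUTER_OUTSIDE, None))   # nobody else talks to the router itself (telnet, HTTP, ...)
    # ASSUMPTION: the rest continues to the firewall behind the router, which the
    # article covers in Part 2; without this line the implicit deny would drop it.
    acl.append(("permit", "ip", ANY, ANY, None))
    return acl


def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule_index) of the first matching rule. A packet that
    matches nothing hits the implicit deny at the end of every IOS ACL (index None)."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(acl):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", None


def _ios_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS uses a wildcard mask


def to_ios(acl, name="OUTSIDE-IN"):
    """Render the rule list as an IOS named extended access list."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, port in acl:
        line = f" {action} {proto} {_ios_addr(src)} {_ios_addr(dst)}"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_outside_acl()
    print(to_ios(acl))
    # Constructed packets: spoofed private source, spoofed internal source,
    # SNMP from the manager, SNMP from a stranger, SSH from an admin host.
    for pkt in [("tcp", "10.1.2.3", "203.0.113.10", 80),
                ("tcp", "203.0.113.5", "203.0.113.10", 445),
                ("udp", "198.51.100.10", "198.51.100.1", 161),
                ("udp", "198.51.100.200", "198.51.100.1", 161),
                ("tcp", "198.51.100.20", "198.51.100.1", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The rendered list is what you would bind to the outside interface with ip access-group OUTSIDE-IN in; the evaluate() calls apply the same first-match logic IOS does, so you can check the order before it goes on the router.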

These are some basics that you can do. Specifically for Cisco routers you can enter the following commands (the last three, ip directed-broadcast, ip mask-reply and ip proxy-arp, are interface commands and go under each interface):

no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no snmp-server (only if you are not going to use it)
no cdp run
no service config
no ip source-route
no ip directed-broadcast
no ip mask-reply
no ip proxy-arp

You will also want to shut down all unused interfaces. Another Cisco-centric suggestion would be to upgrade the IOS to include the firewall feature set and to configure CBAC for some common protocols. More reading on this can be retrieved from the NSA and from here.

In the next part we shall look at firewalls: the different types and the design for implementing them.




Resume of Douglas P. Smith

Professional Profile
9 year record of improving business processes, cutting costs, and inventing new ways to integrate diverse, multi-faceted IT systems, and environments.  Known for ability to examine complex issues and design simple user-friendly solutions.

Technical Skills
Networking:  Cisco routers, Cisco Catalyst switches, Dell switches (Extreme), Nortel Contivity VPN, Cisco VPN and security solutions using Cisco products.
Security Tools:  Cisco Secure ACS, NetScreen firewalls, Gauntlet/Sidewinder firewall, Cisco PIX firewall, Symantec AntiVirus Corporate Edition, McAfee VirusScan Suite w/ McAfee ePolicy Orchestrator, Nessus, and nmap.
Desktop/Server Operating Systems:  Windows (NT4, 2000, 2003, XP), Linux (Red Hat & Knoppix), UNIX (Solaris), and Novell 4.1.
Business Software:  MS Office, MS Project, Visio, and Internet tools.
Monitoring Software: HP OpenView NNM, HP Insight Manager, Dell OpenManage, CiscoWorks, Microsoft Operations Manager (MOM), Argent Guardian
Microsoft Technologies:  Active Directory, Group Policy, Distributed File System (DFS), Remote Installation Service (RIS), Internet Authentication Service (IAS), Exchange (5.5, 2000, 2003), Systems Management Server (SMS 2.0, 2003), Microsoft Operations Manager (MOM 2005), Software Update Services (SUS), Windows Server Update Service (WSUS), Sharepoint Portal Server (SPS), SNA Server 4, Host Integration Server, Live Communication Server, SQL, Virtual Server, Internet Security and Acceleration Server (ISA), vbscript using ADSI, CDO, COM, WSH, WMI

Certifications
Microsoft Certified Systems Engineer (MCSE)
Microsoft Certified Database Administrator (MCDBA)
Microsoft Certified Solutions Developer (MCSD)
Cisco Certified Network Professional (CCNP)
Cisco Certified Design Professional (CCDP)

Professional Experience
CDI Corporation 10/2005 - Present
Active Directory Systems Engineer

Sub-contracted to New York State Office for Technology Active Directory Services Group, which is responsible for all issues with the NYSWED, NYSeMail, and OFT Active Directory Forests consisting of over 50,000 objects.

Robert Half Technology 8/2005
Consultant

Sub-contracted to Annese & Associates to install CiscoSecure ACS 3.2 for one of their customers.  Provided in-site instruction on how to install, configure, and monitor a redundant setup for use with 802.1x user and machine authentication with dynamic VLAN assignment, against Microsoft Active Directory.

Empire Systems Technology 3/2004 - Present
Technical Consultant

Cyber Security & Critical Infrastructure Coordination 3/2005 - 2/2006

 

Still going!

I am hoping to have the next section out soon. I plan on finishing it up this week. Been too busy fighting with people about trying to get firewall rules changed, which still hasn't happened. The sad part is, if given access and time I could probably fix it myself.

Active Directory authentication for Linux - Part 1

Overview
In an ever changing world, technologies are always changing and new technologies are ever emerging. These technologies need to be integrated into heterogeneous networks and be seamless and transparent to the end-user. It is the job of the systems engineer to provide the ability of single sign-on.
Linux has taken hold within the corporate workplace and has an ever growing presence within it. The holy grail of systems integration has been to seamlessly integrate Linux with Microsoft Active Directory. This paper will show you some existing technologies that make this possible. Specifically, we will be looking at three methods using LDAP(S), Kerberos, and Samba 3. We will generally describe each method and give you some pros and cons of each.

Pre-requisites
The following items will need to be set up and in place before moving on to the different implementation methods.

· Microsoft Windows 2003 Server R2 (Release Candidate 1) configured as a domain controller. The following operating system components will need to be installed:
o Identity Management for Unix
o DNS
· Windows Server 2003 Support Tools
· Windows Server 2003 Resource Kit Tools
· SUSE 10.0 Linux with the appropriate PAM and NSS modules.
Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules, or PAM for short, are a mechanism used by software for authentication purposes. The system uses low-level authentication methods that are configured into a high-level API for software developers to use. The system is modular due to its use of dynamically linked system libraries. PAM is either configured by editing a single file named /etc/pam.conf or by editing individual files located in a directory named /etc/pam.d. For each section of this document we will list which modules were installed and how they were configured.
Name Service Switch Module (NSS)
The Name Service Switch module allows for the replacement of many UNIX configuration files with a centralized database. Among the files that it replaces are /etc/passwd, /etc/group and /etc/hosts. It was originally created by Sun Microsystems for Solaris, but has been ported to support other versions of UNIX and Linux.
NSS is usually configured by editing the /etc/nsswitch.conf file. For each service listed in this file you may list one or more databases from which it can retrieve data.





Security: How To Part 3

Now that we have configured the external and perimeter networks most people would say they were done. I say we are just getting started. In this article, we will look at setting up a VLAN structure at a main site. We will look at why we would create VLANs and how they can be a major part of our security policy.

Before we start going into VLANs, let’s take a trip in time and look at the original networks. We would have flat networks covering entire buildings, servers and workstations alike. There would be so many nodes within a segment that broadcast storms would commonly occur. The need to segment the flat network, to break up the broadcast domain, was eventually solved with the creation of Virtual Local Area Networks (VLANs). This allowed a router to create them and each port on a switch to be assigned a different VLAN. This was a quick high-level overview of the creation of VLANs.

VLANs are created either on a router or a layer 3 switch. VLANs are trunked using IEEE 802.1q tagging to other switches. They are configured like any other layer 3 interface. These days it is commonly configured on a layer 3 core switch. This covers what they are and how they are created.

Let’s look at why. We briefly touched on one reason: to break up broadcast domains. You would also do it to separate servers from workstations, to group users together who need access to common resources, to separate services like VoIP or teleconferencing, etc.

Design and implementation can vary from extremely easy to extremely complex; it all depends on your security requirements and your budget. But some common design concepts I try to work with are:

Do not use VLAN 1 for anything. If a hacker is good he will use this common knowledge to attack your switched network. Use another VLAN for management and only for management.

Put all servers with services requiring Internet connectivity in the same VLAN. You could place your Internet connection in this VLAN or have the Internet connection on its own VLAN. But segregate the Internet based servers from your regular data servers. This would be e-mail, IM, web, databases for web resources, CMS, and proxy servers. This is helpful if a worm does breach your network. You can shut this VLAN down to help stop the spread of infection.

Then obviously place production servers that do not require Internet services in their own VLAN.

Group users together by function. What I mean is: if you have employees that access the same resources, but don’t need access to other resources, group them together. This way we can apply VACLs to increase security. You will find that many departments will have the same requirements.

Now that your VLAN policy is well established, you can start planning your VACLs. Do not place them on your server VLANs. You will want to place them on your user VLANs. My only suggestion to this is carefully plan, test, and document everything. Also, don’t go crazy with them; use the KISS method. You can lock resources down using other methods. Cisco has some information for you to look at.


Security: How To Part 2

In the last article of this series we looked at securing the perimeter router. With this done we shall move onto firewalls. I will not be getting into a great detail about any one specific firewall, but I will review the types and the overall implementation design of them.

First, let’s have a networking 101 review. There is this thing called the OSI model of networking. This model consists of 7 layers used to refer to what happens when a packet is to be sent over a wire across a network. The seven layers are as follows in order:

Application

Presentation

Session

Transport

Network

Datalink

Physical

For the purpose of firewalls we will be looking at layer 3 (Network), layer 4 (Transport) and layer 7 (Application). A layer 3 firewall is basically what we set up in the last article; this allows us to indicate which addresses we do not want to accept packets from. With a layer 4 firewall not only can you specify source and destination addresses, but you can specify ports as well. The IP protocol is broken up into 2 transport protocols, TCP and UDP. Each protocol has 65536 unique ports it can use on a network device. For example, if we wanted only to allow traffic from the Internet to see a web server, we would say on the layer 4 firewall to allow all Internet traffic to server A using TCP on port 80. It would then filter out traffic on all 65535 other TCP ports and drop all UDP packets.

So layer 3 and layer 4 firewalls are basically like sifters, each having a finer screen. So now let’s look at an Application firewall (layer 7). This is the most processor intensive of all firewalls. It will decode a packet completely and analyze its contents before accepting or denying. These are commonly used for HTTP, SMTP, IM, SNMP, etc. Again, these are the most processor intensive of all firewalls: they must analyze each packet for corrupt information, attempts at buffer underruns, malformed packets, everything. These are also the strictest of firewalls; if a vendor implements extra features in a protocol that are non-RFC compliant, or if you do not upgrade the firewall to keep up with new RFCs, these firewalls could drop the packet.

Now I said I would not talk about specific firewalls, and I am not. But I will discuss the underlying OS or the use of appliances. First off, this is your firewall, your best defense against an evil hacker coming through the Internet or some part-time script kiddie. Do not skimp on your firewall. Buy a dedicated server or device to be your firewall. Do not place any other services on it like a mail server or web server. If you are going to place your firewall on a server, use an OS that is proven to be a work horse and stripped of bells and whistles. To me, I would only use a BSD-kernel UNIX. I would prefer to use an appliance, the only reason being that patches come out on a daily basis for different pieces of Unix (depending what you have installed on it) and patching can become a complete nightmare. With an appliance you buy from a vendor, they are responsible for the firewall software and the underlying OS it runs on. Applying patches to an appliance is a lot easier than on a Unix based server, with a lower amount of down-time.

Let’s move on to the design of a firewall setup within your network. Most companies will purchase one firewall, or two firewalls for redundancy. They stop short of doing it right. You see, you want to make it as hard as possible for hackers so that they move on and hit someone else. So the key point here is to put firewalls in layers. We started with the perimeter router. That is layer one. Next, you should put in a layer 4 firewall; behind this will be a Dirty DMZ where you would place a honeypot, an external DNS server, or an FTP server for file swapping between companies. Then you would put in a layer 7 firewall, and behind this would be your Clean DMZ where you would place your external mail server, VPN concentrators, web servers, virus scanner appliances, spam filter appliances, etc. Then depending on your financial situation you would either put in a NAT router or preferably another layer 7 firewall; behind this would be your internal network. Below is an example of our ideal setup.



With all these layers a hacker would spend a great amount of time penetrating your network. In the next article, we shall look at VLAN configuration.


Something else I found out about the Contivity

Okay, so last time I told you that Nortel Contivity doesn't support MS-CHAPv1 or v2 with IPSEC tunnels. Well here is something else. After looking at another configuration, all authentication methods were enabled, on both sides (the Contivity and IAS). Answer: it still chose to use PAP for its authentication. So I get to break the bad news that their existing VPN device is sending information across a customer network insecurely. Just thought I would share that tidbit.

PS. I am almost done with the LDAP configuration section of the whitepaper, a couple more sections to complete, with a quick spell check. Remember that this will be draft quality only.




Active Directory authentication for Linux - Part 2

LDAP
Many organizations use Microsoft Active Directory as their primary LDAP store. In this section we will show you how to use the LDAP protocol to log on and authorize Active Directory users on Linux machines.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) refers to a directory service that stores objects with attributes in a hierarchical structure. Although there are many different types of LDAP directories, for this paper we will be referring to Microsoft Active Directory. Active Directory is implemented with one or more domain controllers. Each domain controller is allowed to write information to the LDAP database. If more than one domain controller exists for a domain, then multi-master replication occurs to synchronize the databases.
Schema Changes
When installing Windows 2003 Server R2 onto your domain controllers you should have already done a schema upgrade in that process. If you are not using R2 then you will need to download Microsoft Services for Unix 3.5 (SFU). This document specifically focuses on the use of R2, not SFU. Most of the concepts are similar, but the NSS mapping of attributes will be different. These schema changes are used later on in this section to map Active Directory user attributes to UNIX attributes.
Required Modules
Now that we have the Windows side done, now we need to install the appropriate modules on the Linux machine. With this particular method the following modules will be required:
· openldap-client-2.2.27-6
· ldapcipplib-0.0.3-33
· nss_ldap-238-2
· pam_ldap-178-3
· libnscd-1.1-5
· nscd-2.3.5-40

If you decide to encrypt the LDAP information using SSL, then you will also need to install the openssl-0.9.7g-2.2 module. We will discuss more on this later in the section. Now that we have all the modules installed, let’s begin with the configuration.
Configuring /etc/openldap/ldap.conf
In this particular flavor of Linux there are two ldap.conf files. This one is used by the client libraries and tools. The other is /etc/ldap.conf which is used for the PAM and NSS modules.
In the /etc/openldap/ldap.conf file, you will need to edit both the HOST and BASE lines of the file. The host should designate the FQDN of a domain controller for the domain. The BASE attribute will designate the beginning of the search path within LDAP. They should look like the following:


HOST w2k3dc.mytest.org
BASE cn=Users,dc=mytest,dc=org


Now to test the configuration, this is done using the ldapsearch command. The following command will test basic connectivity to Active Directory:

ldapsearch -x -s base -b "" "(objectclass=*)"

If successful, you should receive an output describing the Active Directory LDAP description. If for some reason you did not, check your IP and DNS configuration.
Active Directory Configuration
At this point we have made a successful anonymous connection to Active Directory. Before proceeding any further we must make a decision: do we want to allow anonymous binds to Active Directory? You see, Active Directory by default will only allow anonymous binds to the RootDSE; if we want to search the directory we will get an error.
We have two choices: we can modify Active Directory to allow anonymous connections, or we can pre-configure a restricted account for the workstations to use to search for users. Being security conscious, I will do the extra work and configure a restricted account. If you choose differently, you may go to Microsoft knowledgebase article Q326690 - Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers.
In my configuration, I created a user account named PADL that belonged to just Domain Users. This account will need to be given UNIX attributes (NIS domain, UID, login shell, home directory and primary group) in Active Directory Users and Computers. For example, my settings were the following:

· NIS Domain - mytest
· UID - 499
· Login Shell - /bin/false
· Home Directory - /dev/null
· Primary Group Name/GID - Domain Users

Configuring /etc/ldap.conf
Now that we have created our restricted account we can continue and edit /etc/ldap.conf. Remember, this file is used for the PAM and NSS modules.

host devdcr2aa.mytest.org
base cn=Users,dc=mytest,dc=org
ldap_version 3
binddn cn=PADL,cn=Users,dc=mytest,dc=org
bindpw MicrosoftLinux
ssl no
port 389
scope sub
timelimit 30
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=mytest,dc=org?sub
nss_base_shadow cn=Users,dc=mytest,dc=org?sub
nss_base_group cn=Users,dc=mytest,dc=org?sub


As you can see we added quite a bit to this file, starting with host. This entry defines the name of a domain controller. Since this is a test environment we only define one domain controller; for production we could list a number of domain controllers separated by a space, or we could just enter the domain name, for which DNS would return a domain controller.
The next line is base, which is used to define where in Active Directory to start looking for objects. Again, since this is a test environment we limited the search to the Users container within Active Directory. This is great if you want to limit the ability to log in to a Linux workstation to only the users contained within a certain set of OUs.
By default, PAM will assume that we are using a version 3 LDAP source, but just for clarity we define it with the next line, ldap_version.
binddn is defined so that PAM has an account to use in order to query Active Directory. As outlined earlier in this section, you can either use this method or modify Active Directory to allow anonymous binding to all of Active Directory. Remember, the RootDSE is set to allow anonymous binding by default. I felt this to be the more secure option. This account is just a domain user and nothing else. With further testing one could lock this account down further. bindpw is the password for the account used in binddn.
ssl and port are for just that. SSL would be used to encrypt traffic from the client to Active Directory. We will cover how to do this in a later section; at this point we shall set this option to no. port, if left blank, will default to 389; we have it there just for confirmation.
The scope attribute allows us to confine the search to the base, one level below, or all lower levels. This is done by entering the word base, one, or sub.
We now see a number of entries starting with nss. These entries are mapping settings for the Name Service Switch module. They allow us to map essential Active Directory attributes to the required UNIX attributes. Those listed above are for use with Microsoft Windows 2003 Server R2. If you are not using R2, but are instead using Services for Unix 3.5, then this list will be different and can be acquired from Microsoft documentation.
The last three references that I will point out are for the PAM module for authentication. pam_login_attribute defines what the user will use to log on with; since we have it defined as sAMAccountName, they can use their regular username for logon purposes. pam_filter allows us to filter out just user accounts so that we are not trying to authenticate users against other Active Directory objects. Lastly, pam_password allows us to define the password change method for Active Directory. This must be set to ad, otherwise issues may arise when you attempt to change your password from the Linux workstation.
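To see what those nss_map lines actually do, here is an added example (not from the article) that parses the mapping out of the file above and turns constructed directory entries into the passwd records getent would print; it also flags the clear-text bindpw that the later SSL section addresses. The PADL entry reuses the UNIX attributes chosen for it earlier; its GID and the other two entries are made up.

```python
"""Apply the nss_map_* lines from /etc/ldap.conf to directory entries and produce
the passwd record getent would print. Added example, not from the article; the
entries are constructed stand-ins for what nss_ldap receives from a domain
controller."""

# The lines of interest, copied from the /etc/ldap.conf shown above.
LDAP_CONF = """\
host devdcr2aa.mytest.org
base cn=Users,dc=mytest,dc=org
binddn cn=PADL,cn=Users,dc=mytest,dc=org
bindpw MicrosoftLinux
ssl no
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
"""

# Constructed entries. PADL reuses the UNIX attributes set on it earlier in the
# article; GID 513 and the other two objects are made up for the example.
PADL = {"objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "PADL", "name": "PADL", "uidNumber": 499,
        "gidNumber": 513, "unixHomeDirectory": "/dev/null", "loginShell": "/bin/false"}
WINDOWS_ONLY = {"objectClass": ["top", "person", "organizationalPerson", "user"],
                "sAMAccountName": "jsmith", "name": "John Smith"}   # no UNIX attributes
DOMAIN_USERS = {"objectClass": ["top", "group"], "sAMAccountName": "Domain Users",
                "name": "Domain Users", "gidNumber": 513}


def parse_ldap_conf(text):
    """Split an nss_ldap/pam_ldap file into plain settings, the RFC 2307 attribute
    map and the object class map."""
    settings, attr_map, class_map = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "nss_map_attribute" and len(args) == 2:
            attr_map[args[0]] = args[1]      # RFC 2307 name -> Active Directory attribute
        elif key == "nss_map_objectclass" and len(args) == 2:
            class_map[args[0]] = args[1]
        else:
            settings[key] = rest.strip()
    return settings, attr_map, class_map


PASSWD_FIELDS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")


def passwd_entry(entry, attr_map, class_map):
    """Return 'name:x:uid:gid:gecos:home:shell' for one entry, or None when the
    entry is not a mapped posixAccount or lacks a required UNIX attribute. That
    is why a user without UNIX attributes never shows up in getent passwd."""
    wanted = class_map.get("posixAccount", "posixAccount").lower()
    if wanted not in (c.lower() for c in entry.get("objectClass", [])):
        return None
    fields = []
    for name in PASSWD_FIELDS:
        value = entry.get(attr_map.get(name, name))
        if value is None:
            if name == "gecos":
                value = ""      # gecos is optional in passwd
            else:
                return None
        fields.append(str(value))
    # 'x' in the password field: the hash stays in the directory and pam_ldap
    # authenticates by binding as the user instead.
    return "{}:x:{}:{}:{}:{}:{}".format(*fields)


def config_warnings(settings):
    """The review point this file invites, which the article's SSL section fixes."""
    warnings = []
    if "bindpw" in settings and settings.get("ssl", "no").lower() == "no":
        warnings.append("bindpw is sent in clear text on every lookup because ssl is no")
    return warnings


if __name__ == "__main__":
    settings, attr_map, class_map = parse_ldap_conf(LDAP_CONF)
    for entry in (PADL, WINDOWS_ONLY, DOMAIN_USERS):
        print(entry["sAMAccountName"], "->", passwd_entry(entry, attr_map, class_map))
    print(config_warnings(settings))
```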

Configuring /etc/nsswitch.conf
Now with the ldap.conf edited, we shall move on to the Name Service Switch module. This is rather easy; we will just add the keyword ldap to the following lines: passwd, shadow, group, hosts, networks, services, netgroup, and aliases. We could add it to more but this is a good beginning. The file should look like the following when completed.

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns ldap
networks: files dns ldap
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files
aliases: files ldap


This was taken from my testing workstation. While all these entries cover more than what we need, I thought I would show you what I used. From what I understand the only ones that are required are passwd, shadow, and group.
Once this file is edited and saved we can test to see if it works. First we will need to test to see if we can see user accounts. To do this we enter the command getent passwd. It should enumerate all user accounts within the files, and then append all Active Directory accounts that have been configured with the correct UNIX attributes. If this is not working, review the previous steps for something that may be missing or mistyped.
Now that we have confirmed user accounts, let’s move on to groups. For this we use getent group. Again, it will enumerate all local groups stored in the local files and then append all the groups within Active Directory that are configured with UNIX attributes.

PAM Configuration
Now that we know we can successfully map user and group information to Active Directory information, we can move on to authentication. This is done through editing the PAM files. Remember, that depending on the type of Linux that you are using you may have one file named pam.conf, or a directory named pam.d filled with numerous configuration files. I will be using the latter of the two examples.
Before proceeding I will warn you to be careful. Improperly configuring your PAM modules could leave you locked out of your system.
Below is the example from my xdm file. If you read the literature about PAM it is pretty self explanatory. I commented out the original lines that sent auth and password to the common files. I then added new authentication entries to check the local accounts, and then check LDAP. For password I told it to do the same; this is used for changing passwords. Then finally I added a line in the session section which tells PAM to create a local home directory on the workstation if one does not exist.


#%PAM-1.0
#auth include common-auth
auth sufficient pam_unix2.so nullok
auth sufficient pam_ldap.so use_first_pass
account include common-account
#password include common-password
password sufficient pam_unix2.so
password sufficient pam_ldap.so use_authtok
session include common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_devperm.so
session required pam_resmgr.so
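An added example, not from the article, that walks the two auth lines of the xdm file above with the control-flag rules Linux-PAM applies. Constructed local and directory account tables stand in for /etc/shadow and Active Directory, each module is reduced to pass/fail, and password prompts are counted to show what use_first_pass changes.

```python
"""Walk the auth lines of the xdm file the way Linux-PAM evaluates them, to show
what 'sufficient' and use_first_pass buy you. Added example, not from the
article; the account tables are constructed stand-ins for /etc/shadow and Active
Directory and each module is reduced to pass/fail."""

XDM_AUTH = """\
#auth include common-auth
auth sufficient pam_unix2.so nullok
auth sufficient pam_ldap.so use_first_pass
"""

LOCAL_USERS = {"root": "local-secret"}     # constructed: what pam_unix2 checks
DIRECTORY_USERS = {"jdoe": "ad-secret"}    # constructed: what pam_ldap binds with


class Conversation:
    """Stand-in for the PAM conversation function; counts password prompts and
    keeps the token a later module can reuse (PAM_AUTHTOK)."""
    def __init__(self, typed_password):
        self.typed, self.prompts, self.authtok = typed_password, 0, None

    def ask(self):
        self.prompts += 1
        self.authtok = self.typed
        return self.typed


def pam_unix2(user, conv, args):
    # Prompts even for unknown users, so the local and directory paths look alike.
    return LOCAL_USERS.get(user) == conv.ask()


def pam_ldap(user, conv, args):
    if "use_first_pass" in args:
        # Reuse the password the previous module collected; fail rather than
        # prompt if there is none (the documented pam_unix meaning of the option).
        if conv.authtok is None:
            return False
        password = conv.authtok
    else:
        password = conv.ask()
    return DIRECTORY_USERS.get(user) == password


MODULES = {"pam_unix2.so": pam_unix2, "pam_ldap.so": pam_ldap}


def parse_stack(text, kind="auth"):
    """Return [(control, module, args)] for one management group; '#' lines such
    as the commented-out include contribute nothing."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, control, module, *args = line.split()
        if group == kind:
            rules.append((control, module, args))
    return rules


def run_stack(rules, user, password):
    """Return (granted, prompts, trace) using the two controls the file needs:
    sufficient: success ends the stack with a grant unless an earlier required
    module failed, and failure is ignored; required: failure is remembered but
    later modules still run. If nothing succeeds the result is denial."""
    conv, trace, required_failed = Conversation(password), [], False
    for control, module, args in rules:
        ok = MODULES[module](user, conv, args)
        trace.append((module, ok))
        if control == "sufficient" and ok and not required_failed:
            return True, conv.prompts, trace
        if control == "required" and not ok:
            required_failed = True
    return False, conv.prompts, trace


def authenticate(user, password, stack_text=XDM_AUTH):
    return run_stack(parse_stack(stack_text), user, password)


if __name__ == "__main__":
    for user, pw in (("root", "local-secret"), ("jdoe", "ad-secret"), ("jdoe", "wrong")):
        print(user, "->", authenticate(user, pw))
```

A local account never touches the directory, an Active Directory account falls through pam_unix2 into pam_ldap with a single prompt, and dropping use_first_pass makes the same login ask for the password twice.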


With all the changes made and saved, we can do one of two things; either restart the XDM service, or reboot. I usually go with a reboot. When the computer comes back up you should be able to logon using an Active Directory account.