RE: Microsoft Active Directory security concerns

["Jason Dinsdale" <jasondinsdale () gmail com>]

Nic,

Your problem is an interesting one, and I'm not sure that you can resolve it
with just vanilla MS tools (IIS, AD, ADAM) at your disposal.   The SSO
product that I specialise in addresses this by:

A) deploying Policy Enforcement Points (PEPs) at appropriate locations e.g.
IIS (as an ISAPI filter) or Apache (as a loadable module).  The PEPs
intercept any resource (web page) access requests and pass on those requests
to the Policy Decision Points (PDPs).

B) Deploying PDP servers that integrate with all necessary directories
(SunOne, AD, ADAM etc) and allow the PDPs to create a consolidated view of
user identities across all directories, against which they evaluate & apply
access & authentication policy.  

C) Having the PDPs return policy access & authentication decisions (allow,
deny, authenticate etc) to the PEPs, which then implement that decision.

Another approach might be to use a meta directory product which simply
provides the consolidated view of both AD & ADAM directories and
authenticate against that, however I don't think that this will work with
IIS (Integrated Windows?) authentication since it depends on AD. 

Hope this helps somewhat.

Jason


-----Original Message-----
From: NicS [mailto:nic.scheepers () logicaloptions com] 
Sent: Friday, 7 July 2006 2:44 AM
To: security-basics () securityfocus com
Subject: RE: Microsoft Active Directory security concerns


Hi Jason,

I am very delighted by your message because I was doing research on this
subject for the past few months. I came to the conclusion that I have to use
AD for the internal users and ADAM for the external users, but now the
implementation seems a bit tricky. 

I need IIS to authenticate the users, how will IIS know when to look in AD
and when to look in ADAM? Does this have anything to do with proxy
redirection from ADAM to AD or do you have to synchronise all users to ADAM
and then somehow make IIS look solely at ADAM for authenticating both the
internal and external users?

Does this solution mean development of software where the software first
tries AD and if it is failing then go to ADAM for the authentication?

Does anyone have some direction where I can read more about this? I cannot
find resources dealing directly with this issues.

Regards

Nic
--
View this message in context:
http://www.nabble.com/Microsoft-Active-Directory-security-concerns-tf1781619
.html#a5203344
Sent from the Security Basics forum at Nabble.com.


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and  
practice to master. We can't teach you to hack. But we can teach you  
what we've learned so far. Our courses are honest, real, technical  
and practical. SensePost willl be at Black Hat Vegas in July. To see  
what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------