Thursday, January 12, 2012

Microsoft’s Active Directory Security Feature

Background Information
Active Directory is an enterprise-class directory service that is scalable, built from the ground up on internet-standard technologies, and fully integrated at the operating-system level. It simplifies administration and makes it easier for users to find resources. Active Directory stores information about network components and is designed especially for distributed networking environments.

Features
  • Support for the X.500 standard for global directories
  • An object-oriented storage organization, which allows easier access to information
  • Support for the LDAP (Lightweight Directory Access Protocol) to enable inter-directory operability
Active Directory Security Issues
  • Forest and Domains
  • Native Mode
  • Schema
  • Organizational Units (OU)
  • Global Catalog
  • Domain Controllers and Replication
  • Domain Name System (DNS)
References

LDAP Security Feature

Background Information
LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an IP (Internet Protocol) network. It is a directory-access protocol derived from X.500 and defines the communication between LDAP servers and LDAP clients: the servers store "directories" that the clients access. It is called "lightweight" because it is a smaller and simpler protocol derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.


The four models of LDAP

[Figure: the four models of LDAP; the image was not preserved in this copy]
LDAP Security Issues

  • Unauthorized access to data via data-fetching operations
  • Unauthorized access to data by monitoring others' access
  • Unauthorized modification of data
  • Unauthorized modification of configuration
LDAP Authentication Types
  • Basic Authentication
    • Accomplished through the use of a DN (Distinguished Name) and a password. This data is sent either in plaintext or encoded using Base64 encoding.
  • Simple Authentication and Security Layer (SASL)
    • A framework for plugging in alternative security mechanisms. These mechanisms include:
      • S/Key
      • GSSAPI
      • CRAM-MD5
      • TLS
      • ANONYMOUS
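To make the Basic Authentication point concrete, the following added example (not code from the original post) encodes an LDAPv3 simple BindRequest in BER as specified by RFC 4511 and then parses it back, showing that the DN and password travel as plain OCTET STRINGs. The DN and password are constructed sample values; the `bind_exposure` check is a hypothetical monitoring rule that flags a simple bind seen without TLS.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER encoding).

A simple bind carries the DN and password as plain OCTET STRINGs, so without
TLS anyone observing the TCP stream can read the credential. The DN and
password used here are constructed sample values, not real accounts.
"""

def ber_length(n: int) -> bytes:
    # BER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def ber_int(n: int) -> bytes:
    # Non-negative INTEGER; an extra 0x00 keeps the sign bit clear.
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, dn, simple [0] } }."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind(packet: bytes) -> dict:
    """Decode a BindRequest; password is None when SASL ([3]) is used."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    simple = auth_tag == 0x80
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": name.decode(), "method": "simple" if simple else "sasl",
            "password": cred.decode() if simple else None}

def bind_exposure(packet: bytes, tls: bool) -> str:
    """Hypothetical monitoring rule: simple bind without TLS exposes the password."""
    info = parse_bind(packet)
    if info["method"] == "simple" and not tls:
        return "CLEARTEXT simple bind for " + info["dn"]
    return "ok"
```

Running `parse_bind` over the bytes produced by `encode_simple_bind` returns the password verbatim, which is why simple binds belong only on LDAPS or after StartTLS.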
References

X.500 Security Feature

Background Information
X.500 is a series of computer networking standards specifying a distributed directory service. To date there have been four editions of the X.500 standard: the 1988, 1993, 1997 and 2001 editions. X.500 was developed by ITU-T.

Protocols Used

  • DAP (Directory Access Protocol)
  • DSP (Directory System Protocol)
  • DISP (Directory Information Shadowing Protocol)
  • DOP (Directory Operational Bindings Management Protocol)
LDAP (Lightweight Directory Access Protocol) is one of the well-known alternatives to DAP (Directory Access Protocol), developed to allow internet clients to access the X.500 Directory using the TCP/IP networking stack.

List of X.500 series standards

[Table: list of X.500 series standards; the table was not preserved in this copy]
Security
  • Simple Authentication
    • Clear Passwords
    • Compare Operation
    • Protected Passwords
  • Strong Authentication
    • Digital Signatures
    • Strong Authentication of a sender
    • The SIGNED and ENCRYPTED Macros
References