Enterprise Directory Services & Authentication


UNCLASSIFIED

Enterprise Directory Services & Authentication
Information Exchange Forum Session: #2, EDS&A
Robert Bachert, NETCOM 9th SC(A) G5

- Will establish an Enterprise Directory Services and Authentication (EDS&A) capability.
- Army to implement an enterprise baseline. This effort includes the standardization of the Army's operating environment. The objective is to make the Army's information technology infrastructure available and secure to authenticated users.
- Provide users more flexibility and mobility
- Enhance collaboration opportunities across the Army
- NETCOM/9th SC(A) will acquire the required equipment to implement, integrate, and support the EDS&A theater environments.
- A phased approach will be used for implementation
- Theater environments managed by 9th SC(A)

2011-08-23 (1445-1600) // Enterprise Directory Services & Authentication, IEF Session: #2, NETCOM/9th SC(A)

Target architecture diagram (labels recovered from the slide):

Accountable Data Sources: DEERS, JPAS, DMDC, GDS/411, NPE/X.509; Other Approved User or Personnel Data Wholesalers
DMDC Batch Broker Service (BBS) -> Provision (EDSP) -> Forces Domain (as needed)
DISA Managed Identity Synchronization Service (IdSS): Personas, Certifications, Global Access List (GAL), Entitlements, etc. Provisions Army user accounts, certs and attribute updates with each Theater Forest.

Army Managed Forests:
- Theater Forests and Domains (five Theater Forests; CONUS, EUR, SWA and KOREA named on the slide): Users/Workstations, Service Entitlement, Migrated Apps; consolidation in sync with the ADCCP effort
- Functional Forests

DISA Managed Forests:
- Army Enterprise Application Service Forest (AEASF): Army Account Attributes, Army scoped Apps, Army Governance, Direct PKE authentication
- Joint Enterprise Application & Services Forest (EASF): DoD Account Attributes, DoD scoped Apps, Enterprise Email, Enterprise SharePoint

Notes:
1. CIO/G-6 publishes the architecture
2. Requires issuance and enforcement of EDS&A orders
3. Applications will be migrated under ADCCP consolidation

Active Directory Theater Based Construct (phase timeline; dates listed as they appear next to each row on the slide)

- Phase 0 – Pre-Active Directory Implementation Activities (e.g. Publish EXORD, Functional Forest Analysis / Collapse Plan (POA&M)). Lead: 9th SC(A) & Contractor. Dates: 2/2011, Sep '12.
- Phase 1 – Implement Tech Insertion & Global Footprint. Lead: 9th SC(A) & Contractor. Dates: 3/2011, Sep '11. The Windows 2K8 R2 AGM release is in the critical path to start this phase.
- Phase 2 – Enterprise Baseline Environment; 5 Theater Forests upgraded to W2K8 R2. Lead: 9th SC(A). Dates: 5/2011, 6/2011, Sep '11, Mar '12.
- Phase 3 – Rationalize applications in support of the ADCCP effort. Lead: 9th SC(A). Dates: 7/2011, Apr '12.
- Phase 4 – User Migration & Collapse Functional Forests. Lead: 9th SC(A). Dates: 1/2012; Sep '12 (80%), Sep '13 (20%).

POA&M developed for each phase – NIPR & SIPR. Out of Band Management (OOBM).
Capabilities Received: Common Operating Environment (COE) 100%, 9th SC(A) NETOPS C2, Single Identity, Global Mobility/Collaboration.

Phase 2 – Core Infrastructure Baseline for the global environment. Deployment of Enterprise Management Capability (complete by MAR 2012).

Phase 2 POA&M – Lead: NETCOM G5, support G3.
- Network standardization is a critical success factor
- AD Server 2008 R2 configuration
- All client machines Vista/Windows 7
- Out of Band Management (OOBM)
- Install admin tools within the OOBM environment
- Management Tools (NETOPS)
- NSA security risk mitigations fully implemented
- Decommission old theater

Diagram labels: DISA EASF (Joint), Legacy, ARMY DASF; 9/2012.

Administration tiers:
- Enterprise Governance
- Enterprise Infrastructure Administration
- Sig Bde / Installation Campus Administration
- Tenant Organization Administration

ARMY Cyber Operation and Integration Center (ACOIC)
- Drive the plan for strengthening the performance of the enterprise as defined by ARMY leadership
- Cascade strategy and goals down into the enterprise
- Provide organizational structures that facilitate the implementation of strategy and goals
- Ensure standards and policies are defined and enforced
- Drive adoption of Change Management within the Enterprise
- Measure IT performance within the Enterprise

Enterprise and Domain levels managed by 9th SC(A) and subordinate Signal organizations

Enterprise Administrators:
- Forest Configuration Operators
- Replication Management Administrators
- Schema Administrators
- Domain Controller Administrators
- Replication Monitoring Operators
- Service Admin Managers

Domain Administrators:
- Domain Configuration Operators
- Security Policy Administrators
- Domain Controller Administrators
- DNS Administrators
- Backup Operators

Installation TLOU Administration
- Administration of Top Level Organizational Units (TLOUs) is delegated by 9th SC(A) and subordinate Signal organizations to the entities responsible for administering a given set of AD resources.
- TLOUs are not limited to physical sites and may include logical organizational entities that receive delegation of a subset of AD information infrastructure resources.

Installation Tenant Organization Administration
- Delegation of the subordinate OU structure is authorized by the TLOU Administrators for a given organization.
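The two-level delegation described above, as an added PowerShell example that is not part of the briefing: it creates a placeholder TLOU, delegates it to a placeholder installation admin group scoped to that subtree only, and shows a subordinate OU inheriting the delegation. OU and group names are assumptions; it needs the ActiveDirectory module and Domain Admin rights on a domain-joined host.

```powershell
# Added example (not from the NETCOM briefing). 9th SC(A) delegates a Top Level OU
# (TLOU) to an installation administrator group; because the rights are scoped to
# the TLOU subtree, those TLOU admins can build and delegate subordinate OUs without
# holding any domain- or forest-level privilege.
# Assumptions: OU and group names below are placeholders; run with Domain Admin rights.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName
$TlouName   = 'TLOU-Example-Installation'   # placeholder TLOU name
$TlouDN     = "OU=$TlouName,$DomainDN"
$TlouAdmins = 'TLOU-Example-Admins'          # placeholder delegation group

# 1. Create the TLOU and its administrator group if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$TlouName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $TlouName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$TlouAdmins)")) {
    New-ADGroup -Name $TlouAdmins -GroupScope Global -GroupCategory Security -Path $TlouDN
}

# 2. Grant the group control over the TLOU subtree only, with two ACEs:
#    - create/delete organizationalUnit objects at the TLOU and below, and
#    - GenericAll on descendant objects (users, groups, computers, sub-OUs).
#    Nothing is written at the domain root, so other TLOUs, the Domain
#    Controllers OU and domain-wide policy stay out of reach.
$sid         = (Get-ADGroup $TlouAdmins).SID
$ouClassGuid = [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of organizationalUnit
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$TlouDN"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $ouClassGuid, $inhAll))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $inhDesc))
Set-Acl -Path "AD:\$TlouDN" -AclObject $acl

# 3. Verify: a subordinate (tenant) OU shows the group with IsInherited = True,
#    while the domain root shows no entry for the group at all.
$TenantDN = "OU=Tenant-Example,$TlouDN"        # placeholder subordinate OU
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Tenant-Example)" -SearchBase $TlouDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Tenant-Example' -Path $TlouDN
}
foreach ($dn in @($TenantDN, $DomainDN)) {
    "ACEs for $TlouAdmins on $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$TlouAdmins" } |
        Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
}
```

The same verification loop is a useful periodic check: any TLOU admin group that starts appearing on the domain root, or on another installation's TLOU, indicates delegation drift beyond the model on this slide.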

PURPOSE
- To provide global remote administration of AD from identified Army Data Centers.
- To provide secure access to AD administrative applications and DC console access within the Army network and from the Internet.
- To provide an accessible, scalable, and highly available administration environment.


OOBM remote administration flow (NCP 11.1.2.1.11):
1. An OU Administrator accesses a local workstation on any post, camp, or station globally.
2. The OU Administrator connects to the OOBM enclave via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
3. Once authenticated, the RD Connection Broker directs the user to a high assurance desktop on the RD Session Host managed by Theater Forest level administrators. The RD Session Host supports session load balancing and reconnection to existing sessions.
4. Using the high assurance desktop, approved native and third party tools can be accessed to perform Active Directory administration on replicas located anywhere within Theater. All traffic is secured end to end using IPSec.

Diagram labels: OU Admins; DISN; Installation Campus Area Network (ICAN); Remote Site; HTTPS; IPSec; Enterprise Enclave; OOBM Enclave (RD Web Access, RD Gateway, RD Connection Broker, RD Session Hosts, RD Licensing); Theater Forest Root Location; CONUS, PAC, KOREA, EUROPE, SWA.


In Phase 0, NETCOM and the Contractor build POA&Ms for each Functional forest to migrate to the theater enterprise. All applications identified and rationalized by Apr 2012 to support the five theater-managed environments and ADCCP.

Phase 3 POA&M – Lead: NETCOM G5, support G3.
- OPT Lead transferred to G3
- Plan will be incorporated into the AD EXORD
- Plan will be aligned with ADCCP
- All Functional client machines Vista or Windows 7
- Identify any required extension of theater forest footprints
- Analysis of theater & Functional applications based upon ADCCP rationalization criteria
- Define and coordinate functional POA&Ms for users and some applications to migrate into the 5-theater forest architecture

Diagram labels: PAC, EUROPE, Functional Forests (80%); 7/2011, 9/2011.

The identification and consolidation of applications within the Army.

Vision:
- Reduce costs associated with Army applications
- Provide common services to the larger Army community
- Simplify location and presentation of services and data

Three Phases: Discovery, Analysis, Consolidation

- Involves gathering information about applications, environment, and interdependencies
- Critical phase – basis for subsequent decisions
- Collecting data:
  - Definition of the binning process informs discovery criteria
  - Need usage, financial and technical data
  - Minimize the number of data calls
  - Identifying owners and key data sources
  - Adjusting for bias
  - More than Active Directory aware applications
  - The Army does not track much of this data

All applications are separated into three groups:
- Active Directory dependent applications: applications that may or may not sit on a Windows platform but rely on AD for authentication.
- Active Directory aware applications: applications that reside on a Windows-based member server but don't require AD for authentication.
- Non-Windows based applications: applications that don't reside on a Windows-based member server and don't use AD for authentication.

Diagram labels: DISA-Managed Army Enterprise Service Application Forest (AESAF); Applications; DISA-Managed Army Enterprise Application Forest; Army Data Centers within Theaters.

Identification and Bounding
- Gather necessary information about the application environment
- Determine scope for migration iterations
- Trace connectivity to determine architectures
- Understand application linkage and user permissions

Preparation
- Stage configuration changes for rapid execution
- Communicate with users and schedule service interruptions
- Document and rehearse changes

Movement
- Conduct pre-test
- Migrate applications between environments during non-peak hours
- Validate application functionality

In Phase 0, NETCOM and the Contractor build POA&Ms for each Functional forest to migrate to the theater enterprise. 80% of Functional forests migrated by 30 SEP 2012, the remainder by Sep 2013.

Phase 4 POA&M – Lead: NETCOM G5, support G3.
- Execution of each Functional POA&M for users and some applications into the 5-theater forest architecture
- Plan will be incorporated into the AD EXORD
- Plan will be aligned with ADCCP
- Dependent on POA&Ms for each functional forest (Phase 1)
- If a functional forest has an approved Enterprise Email waiver, it should also be granted a waiver for AD migration. This does not mean it is exempt from migration.

Diagram labels: DISA EASF (Joint), Legacy, ARMY DASF; CONUS, PAC, SWA, EUROPE, KOREA; Functional Forests (80%), Functional Forests (20%); 9/2011, 1/2012, 9/2012, 9/2013.

Active Directory & Army Data Center Consolidation End State
- Federation Services providing global collaboration capabilities (Active Directory Federated Services)
- DISA provides Application Authentication services
- Federation Services (FS) providing global collaborative access for web enabled applications
- Functional Forests collapsed into five theater AD environments managed by 9th SC(A)

Diagram labels: CONUS, PAC, EUROPE, SWA, KOREA; DISA EASF (Joint), Legacy, ARMY DASF; 9/2011, 9/2013.

Establish 5 Theater Forest standardized Active Directory Operating Environment
- Standard Configuration
- Standard OU Structure
- Standard GPO Management
- Standard Hardware Configuration
- Standard Configuration Management Processes across Theaters
- Standard Administration Tools and processes
- Windows 2008 R2 Server environment
- Windows 7 Desktop environment
- Application Hosting criteria established
- Agreed upon Functional Forest POA&Ms
- 60-80% of Functional Forests collapsed
- Establish an Out of Band Management (OOBM) environment

CIO/G6:
- AONS – COL Gary Langston / Jeff Gotherman
- Cyber Dir – Ms. Tracy Traylor / Andre Townes
- IRI – Mike Ramsey / Ted Schiller

Army Cyber Command:
- G-33: COL Max Duggan / Steve Mize

NETCOM:
- G3: COL Gerald Miller / Ernest Exum
- G5: COL Daniel Matchette / Robert Bachert / Stuart Wells
- G8: Charlotte Calvert

Daily Operational Planning Team (OPT) TELCON: 520-538-9890; 11:30 ET, 08:30 PT

Backup

Functional forest consolidation flow (nodes recovered from the slide; swimlanes: User Migrations, Shutdown Activities, C2 (NetOps)):
1.) Consolidate Functionals
2.) Examine Users
3.) Users Tied to Apps? (Yes / No)
4.) Examine Applications
5.) Examine Theater DC Location and Capacity
6.) Identify Users Tied to App
7.) Kill App through Attrition
8.) Can App be Cleaned? (Yes / No)
9.) App State (Dirty / Clean)
10.) Extend Theater Footprint
11.) Update App to ADCCP Standards
12.) Extend Theater with Additional DCs
13.) Migrate User Set to Theaters
14.) Move App to Theater Environment
15.) ADCCP Criteria? (Army / DISA)
16.) Move App to ...
18.) Shutdown Domain Controllers (DCs)
19.) Shutdown Forest? (Yes / No)
20.) Review Remaining Users & Apps
20.) Dispose of Equipment
21.) Functional Consolidated

Notes:
- Need shutdown dates in order
- Requires enforcement of orders
- Temporary extensions decided by NETCOM CG
- Integrate into enterprise CM process

Theater forest tech refresh and application cleanup flow (nodes recovered from the slide; swimlanes: Tech Refresh, Application Cleanup):
1.) Manage Theater Forests
2.) Users on Old DCs
3.) Tech Refresh Theater DCs
4.) Users utilize new DCs
5.) Examine Applications
6.) DC Verdict (Reuse / Dispose)
7.) App State (Dirty / Clean)
8.) Can App be Cleaned? (Yes / No)
9.) Kill App through Attrition
10.) Rebuild and use in the Enterprise
11.) Send to Property Book Office
12.) Update App to ADCCP Standards
13.) Theater Forest Clean?
14.) ADCCP Criteria? (Army / DISA)
15.) Clean – App Remains in Theater
16.) Move App to DISA Environment
17.) Theater Managed Forests

Notes:
- No Additional Forest Required
- Requires Enforcement of Orders
- Theater Forests End State Windows 2008 R2

