
Kerberos List allows you to manage Kerberos tickets from the command prompt. You can view and delete tickets assigned to the current logon session. The only file required to use Kerberos List is Klist.exe. Kerberos List must be run locally on the machine for which you want to manage the tickets. Table 3.9 lists the syntax for Klist.exe and explains the output shown in the following examples.

The following is an example of running Kerberos List with the tickets switch:

Cached Tickets: (3)

   Server: krbtgt/COMPANYNAME.XYZ@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/17/2001 1:49:09
      Renew Time: 9/12/2037 22:48:05

   Server: krbtgt/COMPANYNAME.XYZ@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 1/4/2013 6:10:08
      Renew Time: 9/12/2037 22:48:05

   Server: SERVER1$@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/17/2001 1:49:08
      Renew Time: 9/12/2037 22:48:05

The following is an example of running Kerberos List with the TGT switch:

Cached TGT:

   ServiceName: krbtgt
   TargetName: krbtgt
   FullServiceName: Administrator
   DomainName: COMPANYNAME.XYZ
   TargetDomainName: COMPANYNAME.XYZ
   AltTargetDomainName: COMPANYNAME.XYZ
   TicketFlags: 0x40e00000
   KeyExpirationTime: 256/0/29920 0:100:8048
   StartTime: 8/8/2001 15:10:08
   EndTime: 1/4/2013 6:10:08
   RenewUntil: 9/12/2037 22:48:05
   TimeSkew: 9/12/2037 22:48:05

Next is an example of running Kerberos List with the Purge switch:

Cached Tickets: (4)

   Server: krbtgt/COMPANYNAME.XYZ@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/17/2001 1:49:09
      Renew Time: 9/12/2037 22:48:05
   Purge? (y/n) : y
   Deleting ticket:
      ServerName = krbtgt/COMPANYNAME.XYZ (cb=44)
      RealmName = COMPANYNAME.XYZ (cb=30)
      Submit Buffer size = 102
   Ticket purged!

   Server: krbtgt/COMPANYNAME.XYZ@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 1/4/2013 6:10:08
      Renew Time: 9/12/2037 22:48:05
   Purge? (y/n) : y
   Deleting ticket:
      ServerName = krbtgt/COMPANYNAME.XYZ (cb=44)
      RealmName = COMPANYNAME.XYZ (cb=30)
      Submit Buffer size = 102
   Ticket purged!

   Server: SERVER1$@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/17/2001 2:47:09
      Renew Time: 9/12/2037 22:48:05
   Purge? (y/n) : y
   Deleting ticket:
      ServerName = SERVER1$ (cb=16)
      RealmName = COMPANYNAME.XYZ (cb=30)
      Submit Buffer size = 74
   Ticket purged!

   Server: LDAP/server1.companyname.xyz/companyname.xyz@COMPANYNAME.XYZ
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/17/2001 2:47:09
      Renew Time: 9/12/2037 22:48:05
   Purge? (y/n) : y
   Deleting ticket:
      ServerName = LDAP/server1.companyname.xyz/companyname.xyz (cb=88)
      RealmName = COMPANYNAME.XYZ (cb=30)
      Submit Buffer size = 146
   Ticket purged!

Table 3.9  Syntax for Kerberos List

klist [-?] [tickets | tgt | purge]

Switch    Description

tickets   Shows the cached tickets of services that you have authenticated to in your current logon session.
          The following attributes are shown for all cached tickets:

          Server                        Server and domain for the ticket.
          KerbTicket Encryption Type    Encryption type used on the ticket.
          End Time                      Time when the ticket is invalidated.
          Renew Time                    The maximum lifetime for a renewable ticket.

TGT       Lists the initial Kerberos ticket-granting-ticket.
          The following attributes are shown for the cached TGT ticket:

          ServiceName                   The name of the account the key distribution center service uses to create TGTs.
          TargetName                    The servicePrincipalName of the account that requested the TGT.
          FullServiceName               The canonical name of the account principal using the TGT.
          DomainName                    The service's domain name.
          TargetDomainName              The realm in which the ticket is valid.
          AltTargetDomainName           Name supplied to InitializeSecurityContext that generated this ticket.
          TicketFlags                   Kerberos ticket flags.
          KeyExpirationTime             Expiration time from the KDC.
          Start time                    Time when the ticket is valid.
          End Time                      Time when the ticket is invalidated.
          RenewUntil                    The maximum lifetime for a renewable ticket.
          TimeSkew                      The time difference between the client and the server.

Purge     Allows you to delete a specific ticket.

Kerberos Tray

Just like Kerberos List, Kerberos Tray allows you to view and delete Kerberos tickets assigned to the current logon session. Kerberos Tray is a graphical tool that gets its name from sitting in your system tray waiting to be used. Once you run the executable file Kerbtray.exe, a green rectangular icon appears in your system tray. By hovering your cursor over the icon, you can see the amount of time left before your TGT expires. Double-clicking the icon opens the Kerberos Tickets window. This window has four tabs. Figures 3.14 through 3.17 show each of the tabs; Tables 3.10 through 3.13 explain what is available on each tab.


Table 3.10  The Components of the Names Tab

Option          Description

Client Name     The account that requested the ticket.
Service Name    The canonical name of the account used to create the TGT.
Target Name     The service name that requested the ticket.

Figure 3.14  The Names Tab of the Kerberos Tickets Window

Table 3.11  The Components of the Times Tab

Option         Description

Start time     The time when the ticket becomes valid.
End time       The time when the ticket becomes invalid.
Renew Until    The maximum lifetime for a renewable ticket.

Table 3.12  The Components of the Flags Tab

Option              Description

Forwardable         Allows authentication forwarding.
Forwarded           Set when a client presents a ticket with the forwardable flag set and requests that it be forwarded to another KDC.
Proxiable           Allows a client to pass a proxy to a server for the server to perform a remote request on the client's behalf.
Proxy               Set when the ticket-granting service issues a proxy ticket.
May Postdate        Required to use a postdated ticket.
Postdated           Indicates a ticket has been postdated.
Invalid             Indicates a ticket is invalid.
Initial             Indicates that the AS protocol, not the TGT, issued the ticket.
Renewable           Allows a ticket to be renewed.
HW Authenticated    Provides information about the initial client authentication.
Preauthenticated    Indicates if the client was preauthenticated.
OK as delegate      Allows forwarding to services that are flagged as OK.
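The klist tgt example earlier reports TicketFlags: 0x40e00000, and the Flags tab above names the individual flags. The following Python, added here and not part of the book or the Resource Kit, decodes that word into those flag names using the TicketFlags bit layout from RFC 4120 (most significant bit first) and checks the TGT's EndTime against a reference clock. The sample TGT text is constructed from the values quoted in the chapter, and audit_tgt and its finding strings are hypothetical helpers, not klist features.

```python
import re
from datetime import datetime

# TicketFlags bit layout (RFC 4120 section 5.4.1, most significant bit first),
# labelled with the row names of the Kerberos Tray Flags tab.
TICKET_FLAGS = [
    (0x40000000, "Forwardable"), (0x20000000, "Forwarded"),
    (0x10000000, "Proxiable"), (0x08000000, "Proxy"),
    (0x04000000, "May Postdate"), (0x02000000, "Postdated"),
    (0x01000000, "Invalid"), (0x00800000, "Renewable"),
    (0x00400000, "Initial"), (0x00200000, "Preauthenticated"),
    (0x00100000, "HW Authenticated"), (0x00040000, "OK as delegate"),
]

# Constructed sample in the one-field-per-line layout of 'klist tgt',
# using the values quoted in the chapter's TGT example.
SAMPLE_TGT = """\
ServiceName: krbtgt
DomainName: COMPANYNAME.XYZ
TicketFlags: 0x40e00000
StartTime: 8/8/2001 15:10:08
EndTime: 1/4/2013 6:10:08
RenewUntil: 9/12/2037 22:48:05
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist's date layout, e.g. 1/4/2013 6:10:08

def decode_ticket_flags(word):
    """Names of the flags set in a TicketFlags word such as 0x40e00000."""
    return [name for bit, name in TICKET_FLAGS if word & bit]

def parse_tgt(text):
    """Turn the 'Key: value' lines of a klist tgt dump into a dict."""
    return dict(re.findall(r"^(\w+):\s*(.+?)\s*$", text, re.M))

def audit_tgt(text, now):
    """Decode a cached TGT; 'now' is the reference clock in klist's layout."""
    tgt = parse_tgt(text)
    flags = decode_ticket_flags(int(tgt["TicketFlags"], 16))
    end = datetime.strptime(tgt["EndTime"], TIME_FMT)
    findings = []  # hypothetical audit notes, not klist output
    if "Forwardable" in flags:
        findings.append("Forwardable set: the TGT can be delegated to a service")
    if "Preauthenticated" not in flags:
        findings.append("issued without pre-authentication")
    if end <= datetime.strptime(now, TIME_FMT):
        findings.append("ticket has expired")
    return {"flags": flags, "end_time": tgt["EndTime"], "findings": findings}
```

For the chapter's value, 0x40e00000 decodes to Forwardable, Renewable, Initial and Preauthenticated, which is what the Flags tab shows for a freshly issued TGT.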

Table 3.13  The Components of the Encryption Types Tab

Option                    Description

Ticket Encryption Type    TGT encryption.
Key Encryption Type       Session key encryption.

Figure 3.17  The Encryption Tab of the Kerberos Tickets Window


Summary

Windows 2000 supports several authentication protocols, including Windows NT LAN Manager, Kerberos v5, Distributed Password Authentication, Extensible Authentication Protocol, and Secure Channel. The two protocols used for network authentication, for logging on locally or as an interactive user, are NTLM and Kerberos v5. Kerberos is the default authentication protocol used in Windows 2000; NTLM is provided for backward compatibility and is used to authenticate Windows 2000 member and standalone servers.

Kerberos provides several advantages over NTLM, which was the authentication protocol of choice in previous versions of Windows NT. One of the advantages is that Kerberos provides mutual authentication wherein the client can also verify the server's identity, which cannot be accomplished using NTLM. Another advantage is that Windows 2000 Kerberos domains can communicate with Kerberos realms of other implementations of Kerberos. This cannot be accomplished with NTLM, which is proprietary to Microsoft operating systems.

Kerberos is made up of several components, including the Key Distribution Center, session tickets, and ticket-granting tickets. The Key Distribution Center comprises two services, the Authentication Service and the Ticket-Granting Service. Three subprotocols Kerberos uses are the Authentication Service Exchange, the Ticket-Granting Service Exchange, and the Client/Server Exchange.

Microsoft implements its own flavor of Kerberos in Windows 2000. Microsoft Kerberos adds extensions to the Kerberos standard to meet specific requirements necessary for Windows 2000, such as the capability to use public key certificates instead of the normal shared key to log on to Windows 2000 domains. Microsoft implements the KDC as a service in Windows 2000, and the service is automatically installed on all domain controllers. Microsoft Kerberos stores the Privilege Attribute Certificate (PAC) in tickets. The PAC consists of the user's SID as well as group SIDs for the groups of which the user is a member. The PAC is extracted after the server authenticates the user's identity. The server then uses the PAC to create an impersonation token for access to the service the client has requested to use.

After Kerberos is up and running, you can use the Resource Kit tools to manage your Kerberos certificates. Each of these tools must be run locally on the machine being managed. If you prefer to manage from the command prompt, use Kerberos List. If you prefer a GUI, use Kerberos Tray.

Solutions Fast Track

Overview of the Kerberos Protocol

- Kerberos operates on the assumption that the initial transactions between clients and servers are done on an unsecured network.

- Kerberos depends on shared secrets to perform its authentication.

- An authenticator is unique information encrypted in the shared secret.

- The Key Distribution Server (KDC), the trusted authority used in Kerberos, maintains a database with all account information for principals in the Kerberos realm. A principal is a uniquely named entity that participates in network communication; a realm is an organization that has a Kerberos server.

- Another key used with the KDC is the session key, which the KDC issues when one principal wants to communicate with another principal. For example, if a client wants to communicate with a server, the client sends the request to the KDC, and the KDC in turn issues a session key so that the client and server can authenticate with each other. Each portion of the session key is encrypted in the respective portion of the long-term key for both the client and server.

Kerberos and Windows 2000

- The KDC service runs on every Windows 2000 domain controller. This eliminates a single point of failure for the KDC service (unless, of course, you only have one domain controller).

- Policy for Kerberos in Windows 2000 is set at the domain level through the Default Domain Policy group policy object.

- Unlike standard Kerberos, which supports two methods of delegation (proxiable tickets and forwardable tickets), Microsoft Kerberos supports forwardable tickets only.

Authorization Data

- Kerberos verifies users' identities, but it does not authorize which resources they can use.

- The authorization data field in a Microsoft Kerberos ticket contains a list of user SIDs and group SIDs for the user.

- An access token is created after the credentials in a session ticket have been verified. This information is used to construct an impersonation token for accessing services on the server. The impersonation token is presented to the service, and as long as the information presented matches the Access Control List (ACL) for the service, access is granted.

Kerberos Tools

- The tools Kerberos List and Kerberos Tray allow us to manage our Kerberos certificates.

- Kerberos List runs from the command prompt.

- Kerberos Tray is a GUI-based tool.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the author of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: How does a Windows 2000 client find a Microsoft KDC?

A: It uses DNS to locate KDCs in the domain.

Q: I have one server that is both my domain controller and my DNS server. Everything seems to be running fine, but I can't log on from any of my clients using Kerberos. All my clients are running Windows 2000. What could be the problem?

A: Clients use DNS Service Locator Records to find KDC servers on the network. DNS can be running fine, but if the SRV records do not exist, the clients cannot find the domain controllers. When domain controllers start the netlogon service on booting, they automatically go to their configured DNS server and register all the needed SRV records. If the DNS dynamic updates feature is turned off, this process must be done manually. Make sure dynamic updates are turned on for your DNS zone, or you could also create all the SRV records manually (but this practice is not recommended). To enable dynamic updates, open the DNS Management console. Expand your server. Expand Forward Lookup Zones. Right-click the zone that you want to enable for dynamic updates, and go to Properties. Choose Yes from the drop-down arrow next to Allow dynamic updates.

Q: Why are ticket-granting tickets necessary?

A: To prove to the KDC that the clients requesting a session ticket are really who they say they are. The KDC issues the TGT to the client when it first logs on to the domain.

Q: How can Windows 2000 be configured to use forwardable tickets?

A: By default, members of the Domain Admins group can forward tickets. For other users, the option has to be configured individually.

Q: What do you consider the main benefit of using Kerberos authentication?

A: Kerberos provides mutual authentication for the server and the client. This makes network communication more secure than the one-way authentication (NTLM) of the past.

Q: Do I need to manually create the Kerberos settings for my Windows 2000 domain?

A: Windows 2000 Server ships with a default domain policy that includes reasonable settings for the Kerberos policy. The only reason to change from the default settings is if your organization's requirements differ from the default value settings.

Q: Can my Windows 9x clients authenticate using Kerberos?

A: No, Microsoft is not releasing a Kerberos add-on for Windows 9x. Windows 9x clients can only authenticate using the NTLM authentication protocol. To enhance the security of Windows 2000 domains, Microsoft recommends that you upgrade all clients to Windows 2000 so that the more secure Kerberos authentication protocol is utilized by all systems in the domain.

Q: How does a server know that a user is authorized access to a service, even though it has authenticated the user's identity?

A: Microsoft Kerberos includes a Privilege Attribute Certificate in every ticket. The PAC includes the user's SID and the SIDs for all groups of which the user is a member. The server compares this data with the data for the ACL on the service to determine if access is allowed or denied. If access is allowed, the server also determines the level of access based on information in the ACL.
