Solved

Authentication, Authorization, Accounting procedures from Microsoft side.

Posted on 2014-11-15
7
240 Views
Last Modified: 2014-11-16
Hi All,

you all know about AAA  from Cisco side, that you can authenticate, authorize, and Account all access to the Network device through radius, or tacacs+ server.
the same thing happens from Microsoft side. such as every access the user can make to any resource is controlled through active directory, which in my point of view is AAA schema. the user first authenticates to the server required, then get authorized to access the required resources, then his access is getting logged.

what I'm looking for is. any articles or documents that provides detailed explanation about the procedures used for AAA from Microsoft side. like Exchange, File Server, print server, SharePoint resources access rules.

any help is appreciated.

Regards,
Maher
0
Comment
Question by:Centamin-SGM
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40445275
Microsoft has a listing of Infrastructure Planning and Design (IPD) for its portfolio which is useful. You may want to check out the NAP, Forefront Identity mgmt, Forefront UAG. I see the NAP as the first guardian to route as RADIUS  (with NAP incorporated with necessary extension DLLs) for other AAA entity check if need to and enforce consistent NAP client to be check prior to granting access to resource mentioned with a cleared remediation health state (using Network Access Protection)
http://msdn.microsoft.com/en-us/library/cc196387.aspx

e.g. NPS architecture
http://technet.microsoft.com/en-us/library/dd197439(v=ws.10).aspx
e.g. Example 1: Validate Health of NAP Client for IPsec Communication
http://msdn.microsoft.com/en-us/library/hh872011.aspx
0
 

Author Comment

by:Centamin-SGM
ID: 40445300
Thanks btan for your comment,
but actually, I have Cisco ISE installed and Access control is already applied.
and I use Cisco ISE as a radius server for authenticating device Admins too.
what I'm trying to clarify is that, when the end user wants to access any resource in the network, there many steps required for the user to get access.
1. authentication through active directory.
2. authorization to get access to whatever the resources required.
3. accounting of what he has done.

that's what I'm looking for, the hierarchy of authentication, Authorization, accounting from Microsoft view.

thanks and regards.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 40445603
As you've said, Authentication is going to be at the LDAP (AD) level, but Authorization is a bit tougher to document. Permissions on shares for instance, they combine and take the most resistive settings of the Share permissions and the NTFS permissions. The accounting is equally as hard, by default many items that can be logged aren't, such as process creation and termination, some error, warning and other failures aren't logged, by default.
From a microsoft recommended direction,. there isn't much. Microsoft has an framework that supports AAA: http://msdn.microsoft.com/en-us/library/ms731082%28v=vs.110%29.aspx and http://msdn.microsoft.com/en-us/library/ff647503.aspx

Now back to defaults, and "what he/she has done" as far as tracking... another default is to not log file/directory access/actions. To start logging actions on files and directories, you have to enable them in the event logs settings as well as on the directories or files you want to monitor.Then you'd have to be able to search those logs to report on them, and now you NEED at 3rd party, beyond SCCM or LogParser, there are no M$ offerings I am aware of that give you better visibility into the logs.
AAA in your use case appears to be a SIEM.
-rich
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:Centamin-SGM
ID: 40445610
Thanks rich,
now I've got the point.

Regards,
Maher
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40445613
Microsoft has advice on doing these activities, but not the holistic approach of AAA.They recommend you do them around critical infrastructure and data, but AAA isn't how they label it. The concepts are the same, but then the auditing piece, at least where you and I would review what happened, isn't easy without a SEIM or some 3rd party log parsing software.
-rich
0
 
LVL 63

Expert Comment

by:btan
ID: 40445626
in fact NPS is ike ISE on the basic AAA. so the IDP will still help.

1. ISE will perform LDAP call to AD which will then verify against the credential pass over, this will be as per like "login" into your machine in domain. The LDAP filter CN for matching username tends to be the usual "cn=user" group, with the attribute as per in the entity field such as displayname etc. There is no much different from Microsoft usual AD check. Probably to note that the DNS, NTP will need to be synchronised as well since ISE is supposed to joined the AD domain too.

2. ISE ACL is based on RADIUS-vendor dictionaries that comes with Microsoft support as well. So when access to the authenticated user is successful, it is as if the login is alright and when the usual Windows security permission for file/folder (NTFS) will apply with ISE passing the identity to the resource requested.

3. Accounting is the usual audit log and security/appl/system event log that the domain controller will be tracking as well.
0
 

Author Comment

by:Centamin-SGM
ID: 40445650
Thanks Guys for your support.

much appreciated.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question