Peter Van Eeckhoutte's Blog

Posts Tagged ‘Active Directory’

The following procedure explains how to set up a Juniper ScreenOS based firewall to accept Netscreen Remote Client VPN connections and authenticate users using Active Directory (Radius via Windows 2003 IAS or Windows 2008 NPS). 
We’ll assume that all traffic to from the client to the 192.168.0.0/16 networks needs to pass via the client VPN tunnel.  Clients will use dynamic IP addresses (either public or behind a nat router that is capable of handling IPSec passthrough)
The VPN connection must use the following encryption and hashing parameters  and PSK :

Phase 1 :  aes-128, sha-1, DH Group2, PSK : This1sNot4GoodPSK3y
Phase 2 :  aes-128, sha-1, replay protection, PFS with DH Group2

Network layout :

The Juniper firewall has 3 zones : Public (eth2, …

On popular request, this is a quick write-up on how to set up a Juniper screenOS firewall to use an external Radius server (I’ll use Windows IAS) to authenticate administrators and to let the Radius server to assign admin privileges (read-only or read-write) First, you will need to set up an dedicated external Authentication server for admin authentication on the screenOS device  (assuming that your Radius server is 192.168.10.10): set auth-server "IAS Radius Admin" id 1
set auth-server "IAS Radius Admin" server-name "192.168.10.10"
set auth-server "IAS Radius Admin" account-type admin
set auth-server "IAS Radius Admin" timeout 30
set auth-server "IAS Radius Admin" …

According to Microsoft, Windows Server 2008 is the most secure Windows server version ever.

Windows 2008 does include many features that will help increase overall security of the OS, or assist you with securing AD, the network, etc. Most of the features/roles available in Windows 2008 are not being installed in a default installation of Windows 2008, leaving the OS in a more or less ‘secure’ state right after installation. The attack surface of a default Windows 2008 server may be smaller than it was under NT4, 2000 and 2003, but concluding that Windows Server 2008 is secure, may be one bridge too far.

Microsoft has published a paper on the differences between 2003 and 2008, which includes some security related information. The document can be downloaded from “…

Every admin knows by now that using Active Directory as the central authentication database allows for a lot of possibilities in terms of user account and security management. Keeping internal as well as external users in one and the same AD might be a good idea if you have a lot of external people (partners, support contracts, …) that need to connect to resources in your network, whether it is remote (via vpn) or on-site. However, these people are external people, and you might need to control those user accounts (because of legislation regulations or just because that’s a good idea). One of the options is to disable those user accounts every day. As the number of users and groups grows, this can become a challenging and annoying …

As most of the bigger players in the firewall market, Juniper/Netscreen SreenOS based firewalls allow you to use/enforce/require authentication for various reasons : Admin login Client VPN Authentication to open a specific rule on the firewall In a default configuration, ScreenOS uses a local user account database for all types of authentication listed above. In some real life environments, it’s not uncommon to see that administrators would want to use their existing Active Directory infrastructure as a back-end authentication database, and use additional features such as Active Directory group membership to be more specific in terms of allowing access. ScreenOS offers 2 ways of accomplishing this : using …

Windows 2000 /Active Directory has been around for more than 7 years now. I’ve been using AD for almost 7 years, and due to its stability, I never had to recover a deleted object in AD. (Knock on wood). So it’s not a real surprise to find out that a lot of admins don’t even know how to properly restore a deleted object, or even restore AD the proper way. First of all, you need to have a System State backup from your Domain Controller, created with ntbackup. This System state backup contains various components from that server (such as the registry) and also contains a snapshot of the AD database (ntds.dit). Before explaining how to use the System State backup to restore an object, it’s important to know that you will …

Updating from 2003 to 2003 R2 & implementing Exchange are 2 common administrative tasks which both require a schema update. Since I’ve mentioned "updating from 2003 to 2003 R2", I’ll take the opportunity to add some "notes from the field" to this blog post, which will increase success rate of the update and limit the risk of the schema update itself. I’ll jump into a technique that will allow you to safely apply a schema update without messing up an entire AD forest right away, but first, I’ll explain some steps on how to apply the R2 update. I’ll assume that you have 2003 with SP1 (or higher) running on all DC’s. If your environment doesn’t meet this assumption, I recommend upgrading to 2003 SP1 first. A domain that has …