title: "Network Authentication and Directory Services"
author: ["Z. Cliffe Schreuders"]
license: "CC BY-SA 4.0"
description: "Introduction to centralised authentication, directory services, and identity management using Active Directory and LDAP in enterprise environments."
overview: |
This lab introduces you to centralised authentication and directory services, which are fundamental components of enterprise network security. Instead of managing user accounts separately on each system, organisations use centralised directory services like Active Directory (AD) and LDAP (Lightweight Directory Access Protocol) to manage identities, authentication, and authorisation across their entire infrastructure. You will learn about the differences between these two major directory service technologies, their use cases, and their roles in modern enterprise networks. This lab provides an overview of key concepts including domain controllers, directory schemas, authentication protocols, and group policies, preparing you to implement and secure directory services in real-world environments.
In modern enterprise environments, managing user accounts and authentication across dozens, hundreds, or even thousands of computers becomes impossible without centralised systems. Imagine having to create a separate user account on every single computer for every employee in an organisation – not only would this be time-consuming, but it would also be a security nightmare when employees leave, passwords need to be changed, or access permissions need to be updated.
Directory services solve this problem by providing a centralised database of users, computers, and other network resources, along with a standardised way for systems to authenticate users and query information about them. This lab will introduce you to two major directory service technologies: **Active Directory** (Microsoft's solution) and **LDAP** (an open standard implemented by various systems).
# What are Directory Services? {#what-are-directory-services}
A **directory service** is a centralised system that stores, organises, and provides access to information about network resources. Think of it as a specialised database optimised for reading and searching, containing information about:
- User accounts and their attributes
- Groups and their memberships
- Computers
- Other network resources
# Active Directory vs LDAP {#active-directory-vs-ldap}
## Active Directory (AD)
**Active Directory** is Microsoft's proprietary directory service, introduced with Windows 2000 Server. It's the dominant solution in Windows-based enterprise environments.
**Key characteristics:**
- Tightly integrated with Windows operating systems
- Uses Kerberos for authentication
- Includes Group Policy for centralised configuration management
- Hierarchical structure based on domains, trees, and forests
- Includes DNS as a core component
- Supports Windows and, with additional configuration, Linux/Unix systems
**Common use cases:**
- Windows-dominated corporate networks
- Organisations using Microsoft ecosystem (Exchange, SharePoint, etc.)
- Environments requiring Group Policy for desktop management
## LDAP (Lightweight Directory Access Protocol)
**LDAP** is an open standard protocol for accessing and maintaining directory services. It's not a directory service itself, but rather the protocol used to communicate with directory services. OpenLDAP is a popular open-source implementation.
| | **Active Directory** | **LDAP (e.g. OpenLDAP)** |
|---|---|---|
| **Cost** | Requires Windows Server licenses | Free and open-source |
> Note: Active Directory actually uses LDAP as one of its protocols! AD implements LDAP for directory queries, but adds many proprietary extensions and features on top.
> Warning: Because directory services are security-critical, they are prime targets for attackers. Securing your directory service is essential to organisational security.
A **Domain Controller** is a server that responds to authentication requests and verifies users on the network. In Active Directory, DCs store a complete copy of the directory database and handle authentication. Organisations typically deploy multiple DCs for redundancy.
**Organisational Units** are containers within a directory that organise users, groups, computers, and other objects. They allow administrators to apply policies and delegate administrative control at different levels of the organisation.
**Groups** are collections of users (or other objects) that simplify permission management. Instead of granting permissions to individual users, you grant them to groups. Common types include:
- **Security groups**: Control access to resources
- **Distribution groups**: Used for email distribution lists (AD)
## LDAP Distinguished Names (DNs)
An **LDAP Distinguished Name** uniquely identifies an entry in the directory tree. For example:
```
cn=John Smith,ou=Users,dc=example,dc=com
```
Where:
- `cn` = Common Name
- `ou` = Organisational Unit
- `dc` = Domain Component
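The DN above is easy to split on commas by eye, but real directory data contains commas, plus signs and equals signs inside values (think `cn=Smith, John`), so software that builds or parses DNs must apply the escaping rules of RFC 4514. The following is an added example written for this page, not code from the lab or from any LDAP library: a small parser and builder for DNs that handles backslash escapes, two-digit hex escapes and multi-valued RDNs (`cn=...+uid=...`). The sample DNs are constructed for the demonstration, and one simplifying assumption is noted in the docstring.

```python
"""Parsing and building LDAP Distinguished Names (RFC 4514).

Added example for this lab page; not part of the original text or of any
LDAP library. Standard library only. It shows the escaping rules that a
naive dn.split(",") gets wrong: a comma, plus or equals sign escaped with
a backslash inside a value, a two-digit hex escape such as \\2C, and a
multi-valued RDN joined with '+'.
Assumption (for brevity): hex escapes are treated as single Latin-1 code
points, so multi-byte UTF-8 hex sequences are not reassembled.
"""

HEX = "0123456789abcdefABCDEF"
SPECIAL = set('\\"+,;<>')  # characters that must be escaped inside a value


def _finish(buf):
    """Join a token; drop unescaped leading/trailing spaces, keep escaped ones."""
    while buf and buf[0] == (" ", False):
        buf.pop(0)
    while buf and buf[-1] == (" ", False):
        buf.pop()
    return "".join(ch for ch, _escaped in buf)


def parse_dn(dn):
    """Return a list of RDNs, leaf first, each a list of (attribute, value) pairs."""
    rdns, current_rdn = [], []
    attr = None   # attribute type of the pair being read; None while reading the type
    buf = []      # (character, was_escaped) pairs of the current token
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and nxt[0] in HEX and nxt[1] in HEX:
                buf.append((chr(int(nxt, 16)), True))   # "\2C" -> ","
                i += 3
            elif i + 1 < n:
                buf.append((dn[i + 1], True))           # "\," -> ","
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if attr is None and ch == "=":
            attr = _finish(buf)
            if not attr:
                raise ValueError("empty attribute type before position %d" % i)
            buf = []
        elif attr is not None and ch in ",+":
            current_rdn.append((attr, _finish(buf)))
            attr, buf = None, []
            if ch == ",":                 # ',' closes the RDN, '+' continues it
                rdns.append(current_rdn)
                current_rdn = []
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("DN ends without an attribute value")
    current_rdn.append((attr, _finish(buf)))
    rdns.append(current_rdn)
    return rdns


def escape_rdn_value(value):
    """Escape an attribute value so it can be embedded in a DN safely."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")
        elif ch == "#" and idx == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Inverse of parse_dn: render RDNs back into a DN string with escaping applied."""
    return ",".join(
        "+".join("%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdn)
        for rdn in rdns
    )


if __name__ == "__main__":
    # Constructed sample DNs for the demonstration.
    for sample in ("cn=John Smith,ou=Users,dc=example,dc=com",
                   "cn=Smith\\, John,ou=Users,dc=example,dc=com",
                   "cn=John Smith+uid=jsmith,ou=Users,dc=example,dc=com"):
        print(sample, "->", parse_dn(sample))
```

Use `escape_rdn_value` whenever a DN is assembled from user-supplied input (a sign-up form, an HR feed); building DNs by string concatenation is how stray commas or plus signs end up addressing a different entry than intended.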
## Authentication Protocols
- **Kerberos**: Ticket-based authentication protocol used by Active Directory
- **NTLM**: Older Windows authentication protocol, still supported for compatibility
- **LDAP Bind**: Simple username/password authentication against an LDAP directory
- **SASL**: Framework for adding authentication to connection-oriented protocols
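To see why an LDAP simple bind must be protected by TLS (LDAPS on port 636, or StartTLS on port 389), it helps to look at the bytes the client actually sends. The block below is an added example for this page, not code from the lab or from any LDAP library: it hand-encodes the RFC 4511 BindRequest with BER, so the bind DN and password can be seen sitting in the message as plain octet strings, and it encodes the StartTLS extended request that a client sends to upgrade the connection before binding. The DN and password are constructed sample values.

```python
"""Encoding an LDAP simple BindRequest and a StartTLS request (RFC 4511, BER).

Added example for this lab page; not part of the original text or of any
LDAP library. Standard library only.
A simple bind carries the DN and the password as plain OCTET STRINGs, so
without TLS anyone on the network path can read them. Directory servers
should therefore refuse simple binds over cleartext connections.
The DN and password used in __main__ are constructed sample values.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # well-known OID of the StartTLS extended operation


def ber_length(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag, length, value: the building block of every BER element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    if value == 0:
        return tlv(0x02, b"\x00")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return tlv(0x02, body)


def simple_bind_request(message_id, bind_dn, password, version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    bind = (ber_integer(version)
            + tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode("utf-8")))   # authentication: simple [0]
    protocol_op = tlv(0x60, bind)                    # BindRequest = [APPLICATION 0]
    return tlv(0x30, ber_integer(message_id) + protocol_op)


def starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    ext = tlv(0x80, STARTTLS_OID)                    # requestName [0] LDAPOID
    return tlv(0x30, ber_integer(message_id) + tlv(0x77, ext))  # [APPLICATION 23]


def password_visible_on_wire(packet, password):
    """True when the password appears verbatim in the encoded message."""
    return password.encode("utf-8") in packet


if __name__ == "__main__":
    pkt = simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print("BindRequest:", pkt.hex())
    print("password readable without TLS:", password_visible_on_wire(pkt, "secret"))
    print("StartTLS request:", starttls_request(1).hex())
```

The anonymous bind (empty DN, empty password) encodes to the 14-byte sequence `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is useful to recognise in packet captures when checking that a server rejects cleartext binds. Note that the StartTLS request itself is sent in the clear; only the bind that follows the TLS handshake is protected.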
# Setup Guides {#setup-guides}
To gain hands-on experience with directory services, you'll work through detailed setup guides for both Active Directory and LDAP:
## Active Directory Setup
The Active Directory guide walks you through:
- Setting up Windows Server 2016 as a Domain Controller
- Configuring static IP addresses and DNS
- Installing Active Directory Domain Services (AD DS)
==action: Work through both the Active Directory and LDAP setup guides== to get a start on your assignment, understand how each directory service works, and gain hands-on experience with centralised authentication.
> Action: Save snapshots of your VMs so you can return to a working baseline if needed.
## Assignment Requirements
Your systems security assignment requires you to implement and secure a directory service for your assigned infrastructure.
> Note: Refer to your assignment specification document for the complete requirements, including:
> - Specific users and groups you need to create
> - Security policies to implement
> - Client systems that need to be joined to the domain
> - Testing requirements and success criteria
## Documentation
When documenting your implementation in your technical report:
- **Include evidence** that you completed the getting started guides (screenshots of successful authentication)
- **Document all changes** you make beyond the getting started guides
- **Identify and fix** any insecure settings or software you find in the provided VMs
- **Demonstrate each requirement** with screenshots and a testing plan
- **Present a testing results table** with clear success/failure indicators for each requirement
> Note: If you follow the getting started guides provided, you don't need to document those steps in extensive detail in your report, but you should include evidence that it was completed and document anything you do that isn't the same as in the guides (and generally cover any other changes you make to any VMs).
---
**Good luck with your implementation!** Directory services are complex systems, so take your time to understand each step. If you encounter issues, review the troubleshooting sections in the setup guides, and don't hesitate to ask for help.