APPLICATION NOTE

Active Directory Schema modification in SafeWord RemoteAccess

This application note provides background on how SafeWord RemoteAccess modifies Microsoft's Active Directory schema, and on the approved best practices that keep the modification consistent with Microsoft's recommendations.

www.securecomputing.com
Table of Contents

- Overview
- Schema extension recommendations
- Best practices
- Application requirements for shipping
- Attribute modified by SafeWord RemoteAccess
- For more information

Document 86-0944477-A
Overview

SafeWord RemoteAccess adds strong authentication to VPNs, RADIUS devices, Citrix MetaFrame applications, and Outlook Web Access, positively identifying remote users. SafeWord RemoteAccess delivers this through hardware tokens that generate one-time passcodes. Only the SafeWord server knows which passcode will admit the user, which removes the threat of an outsider stealing, copying, or replaying a password to gain unauthorized access. SafeWord RemoteAccess is managed directly from Microsoft Active Directory, so administrators can manage tokens and users with the tools they already use.

Schema extension recommendations

Some network administrators and IT staff are reluctant to install applications that extend the Active Directory schema, as several online discussion groups show. The caution is understandable: a schema change is forest-wide, replicates to every domain controller, and cannot be undone by deleting the new definitions (Windows Server 2003 allows a class or attribute to be deactivated; Windows 2000 does not even allow that). It also requires membership in the Schema Admins group and is applied on the domain controller holding the schema master role. While Microsoft's knowledge base therefore advises caution when changing the schema, Microsoft's own guidance states that extending it is the intended way to add application-specific definitions to Active Directory, provided the extension follows Microsoft's recommendations.

Best practices

Microsoft recommends using only schema extensions that follow its recommended best practices. SafeWord RemoteAccess follows Microsoft's best practices list, which can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp. Microsoft's best practices list includes the following guidelines for extending the schema:

- The schema is neither a database nor a file system. Do not treat it as one.
- Place references in the directory that point to other data stores instead of using the directory for something it was not designed for.
- Define only globally interesting, relatively static information in the schema.
- Objects defined in the schema should not be created very often nor modified frequently.
- Objects should have a long life.
- When judging whether an object is long-lived enough or modified too often, use at least twice the forest's maximum replication latency as the yardstick.
- Test the application in a private forest, and together with other applications, before deploying.
- The schema upgrade must be separate from the application installation.

SafeWord RemoteAccess followed these Microsoft recommendations when creating the SafeWord RemoteAccess Active Directory extension.

Application requirements for shipping

Microsoft offers some caveats for schema extensions that ship with applications such as SafeWord RemoteAccess. These caveats have been followed: a separate installer has been created for the SafeWord RemoteAccess schema extension, and the following steps recommended by Microsoft have been implemented:

- The application must use a registered prefix and base OID for each class and attribute.
- The application must have a unique schemaIDGUID for each class and attribute.
- LDIF files for the schema installation must be created.
- The application uses LDIFDE.exe to load the LDIF files.
- The application and schema extensions were tested on Secure Computing's local network.
Attribute modified by SafeWord RemoteAccess

The following provides details about the LDIF file imported by SafeWord RemoteAccess and the changes it makes to Active Directory. The extension adds a single attribute (a case-insensitive string, attributeSyntax 2.5.5.4 with oMSyntax 20) under Secure Computing's registered base OID and then adds that attribute to the mayContain list of the built-in user class, so every user object may carry a SafeWord user ID.

LDIF file

dn: CN=SecureComputing-Com-2000-SafeWord-UserID,CN=Schema,CN=Configuration,DC=ncheng,DC=net
changetype: add
objectclass: attributeschema
attributesyntax: 2.5.5.4
omsyntax: 20
attributeid: 1.2.840.113556.1.4.7000.233.28688.28684.8.326285.1218988.1993081.788993.1
ldapdisplayname: securecomputingcom2000-safeword-userid
ismemberofpartialattributeset: TRUE

User class modification

dn: cn=user,cn=schema,cn=configuration,dc=ncheng,dc=net
changetype: modify
add: maycontain
maycontain: 1.2.840.113556.1.4.7000.233.28688.28684.8.326285.1218988.1993081.788993.1
-

Three points are worth checking before this file is imported into a production forest. First, the distinguished names carry the forest in which the file was generated (DC=ncheng,DC=net); on import they must be rewritten for the target forest, for example with the ldifde -c switch, which substitutes one DN suffix for another. Second, the listing as printed does not set schemaIDGUID; when it is omitted, Active Directory generates a GUID at import time, so the value will differ from forest to forest, which is exactly what the unique-schemaIDGUID requirement above is meant to avoid. Third, ismemberofpartialattributeset: TRUE places the new attribute in the global catalog's partial attribute set, so the SafeWord user ID is replicated to, and readable from, every global catalog server in the forest; on Windows 2000 domain controllers a change to the partial attribute set also triggers a full resynchronization of the global catalog. A live import additionally needs the schema cache refreshed between the attribute add and the class modification (the schemaUpdateNow operation on the rootDSE), otherwise the mayContain addition can fail because the new attribute is not yet in the cached schema.
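The shipping requirements above (registered prefix and base OID, unique schemaIDGUID, LDIF loaded with ldifde) can be checked mechanically before a schema file ever touches a forest. The following linter is an added example written for this note; it is not Secure Computing's code and not part of the SafeWord installer. It parses an LDIF schema extension and reports records whose OIDs fall outside the vendor's base OID, whose lDAPDisplayName lacks the registered prefix, that have no (or a malformed) schemaIDGUID, whose attributeSyntax/oMSyntax pairing is invalid, or whose modify record is not terminated with the "-" line LDIF requires, and it flags mayContain values that do not refer to an attribute defined earlier in the same file. The two LDIF samples are constructed: the first mirrors the listing above as printed, the second is the same content with a schemaIDGUID (a placeholder GUID, not a real one) and the record terminator added. The vendor prefix and base OID are taken from the listing; the syntax table is a subset of Microsoft's.

```python
"""Pre-flight linter for an Active Directory schema-extension LDIF file."""
import base64
import binascii

# attributeSyntax -> allowed oMSyntax values for the AD syntaxes most often
# used by extensions (a subset of Microsoft's syntax table).
SYNTAX_PAIRS = {
    "2.5.5.1": {127},      # Object(DS-DN)
    "2.5.5.2": {6},        # String(Object-Identifier)
    "2.5.5.3": {27},       # String(Case-Sensitive)
    "2.5.5.4": {20},       # String(Teletex), case-insensitive
    "2.5.5.5": {19, 22},   # String(Printable) / String(IA5)
    "2.5.5.6": {18},       # String(Numeric)
    "2.5.5.8": {1},        # Boolean
    "2.5.5.9": {2, 10},    # Integer / Enumeration
    "2.5.5.10": {4},       # String(Octet)
    "2.5.5.11": {23, 24},  # String(UTC-Time) / String(Generalized-Time)
    "2.5.5.12": {64},      # String(Unicode)
    "2.5.5.16": {65},      # LargeInteger
    "2.5.5.17": {4},       # String(Sid)
}

# Prefix and base OID as they appear in the SafeWord listing.
VENDOR_PREFIX = "securecomputingcom2000-"
BASE_OID = "1.2.840.113556.1.4.7000.233.28688.28684.8.326285.1218988.1993081.788993"


def parse_ldif(text):
    """Split LDIF into records, each a list of (name, value) pairs.
    Handles '#' comments, ' '-prefixed continuation lines, 'attr:: base64'
    values (kept as raw base64) and the bare '-' separator of modify records,
    which is kept as a ('-', '') pair so its presence can be checked."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:          # continuation line
            name, value = current[-1]
            current[-1] = (name, value + raw[1:])
            continue
        if raw == "-":
            current.append(("-", ""))
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):                     # base64-encoded value
            value = value[1:]
        current.append((name.strip().lower(), value.strip()))
    if current:
        records.append(current)
    return records


def check_schema_ldif(text, vendor_prefix, base_oid):
    """Return a list of 'ERROR ...' / 'NOTE ...' strings for the LDIF text."""
    findings, defined = [], set()   # 'defined': OIDs/names of attributes seen so far
    for rec in parse_ldif(text):
        attrs = {}
        for k, v in rec:
            attrs.setdefault(k, []).append(v)
        if "dn" not in attrs:
            findings.append("ERROR record without dn")
            continue
        dn = attrs["dn"][0]
        ctype = attrs.get("changetype", ["add"])[0].lower()
        if ctype == "add":
            classes = {v.lower() for v in attrs.get("objectclass", [])}
            id_attr = "attributeid" if "attributeschema" in classes else (
                "governsid" if "classschema" in classes else None)
            if id_attr is None:
                continue                              # not a schema object
            oid = attrs.get(id_attr, [""])[0]
            if not oid.startswith(base_oid + "."):
                findings.append(f"ERROR {dn}: {id_attr} {oid!r} not under base OID {base_oid}")
            name = attrs.get("ldapdisplayname", [""])[0]
            if not name.lower().startswith(vendor_prefix.lower()):
                findings.append(f"ERROR {dn}: lDAPDisplayName {name!r} lacks prefix {vendor_prefix!r}")
            guid = attrs.get("schemaidguid")
            if guid is None:
                findings.append(f"ERROR {dn}: no schemaIDGUID; AD will generate one per forest")
            else:
                try:
                    blob = base64.b64decode(guid[0], validate=True)
                except binascii.Error:
                    blob = b""
                if len(blob) != 16:
                    findings.append(f"ERROR {dn}: schemaIDGUID is not a base64 16-byte GUID")
            if id_attr == "attributeid":
                syntax, om = attrs.get("attributesyntax", [""])[0], attrs.get("omsyntax", [""])[0]
                if not (om.isdigit() and int(om) in SYNTAX_PAIRS.get(syntax, set())):
                    findings.append(f"ERROR {dn}: attributeSyntax {syntax} / oMSyntax {om} invalid")
                if attrs.get("ismemberofpartialattributeset", [""])[0].upper() == "TRUE":
                    findings.append(f"NOTE {dn}: replicated to every global catalog")
                defined.update({oid, name.lower()})
        elif ctype == "modify":
            if rec[-1][0] != "-":
                findings.append(f"ERROR {dn}: modify record not terminated by '-'")
            for k, v in rec:
                if k == "maycontain" and v.lower() not in defined:
                    findings.append(f"ERROR {dn}: mayContain {v!r} not defined earlier in file")
    return findings


# Constructed sample mirroring the listing as printed (no schemaIDGUID, no '-').
NOTE_LDIF = f"""\
dn: CN=SecureComputing-Com-2000-SafeWord-
 UserID,CN=Schema,CN=Configuration,DC=ncheng,DC=net
changetype: add
objectclass: attributeschema
attributesyntax: 2.5.5.4
omsyntax: 20
attributeid: {BASE_OID}.1
ldapdisplayname: securecomputingcom2000-safeword-userid
ismemberofpartialattributeset: TRUE

dn: cn=user,cn=schema,cn=configuration,dc=ncheng,dc=net
changetype: modify
add: maycontain
maycontain: {BASE_OID}.1
"""

# Same content with a placeholder schemaIDGUID (constructed, not real) and the '-'.
FIXED_LDIF = NOTE_LDIF.replace(
    "ismemberofpartialattributeset: TRUE",
    "ismemberofpartialattributeset: TRUE\nschemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==") + "-\n"

if __name__ == "__main__":
    for label, ldif in (("as printed", NOTE_LDIF), ("corrected", FIXED_LDIF)):
        print(f"--- {label} ---")
        for line in check_schema_ldif(ldif, VENDOR_PREFIX, BASE_OID) or ["clean"]:
            print(line)
```

Run against the listing as printed, the linter reports the missing schemaIDGUID and the missing "-" terminator as errors and the global-catalog replication as a note; the corrected file produces only the note. The check is deliberately file-local: it cannot tell whether a prefix or base OID is actually registered with Microsoft, only whether the file is internally consistent with the prefix and OID the vendor claims.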
For more information

If you have additional questions or concerns about the implementation of the Active Directory schema extensions in SafeWord RemoteAccess, contact sales@securecomputing.com or visit:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp
Product names used within are trademarks of their respective owners. Copyright 2004 Secure Computing Corporation. All rights reserved.