Windows 2000 Security (Networking)

TEAM LinG - Live, Informative, Non-cost and Genuine! ® Microsoft Windows 2000 ® Security TEAM LinG - Live, Informat...

Author: Rashi Gupta | NIIT

156 downloads 1106 Views 10MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

TEAM LinG - Live, Informative, Non-cost and Genuine!

®

Microsoft Windows 2000 ®

Security


This page intentionally left blank


®

Microsoft Windows 2000 ®

Security Rashi Gupta with


© 2003 by Premier Press, a division of Course Technology. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system without written permission from Premier Press, except for the inclusion of brief quotations in a review. The Premier Press logo and related trade dress are trademarks of Premier Press, Inc. and may not be used without written permission. Windows is a registered trademark of Microsoft Corporation. All other trademarks are the property of their respective owners.

Publisher Stacy L. Hiquet Marketing Manager Heather Hurley Project Editor Sandy Doell Interior Layout Marian Hartsough Associates Cover Design Phil Velikan Indexer Sharon Shock

Important: Premier Press cannot provide software support. Please contact the appropriate software manufacturer’s technical support line or Web site for assistance. Premier Press and the author have attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. Information contained in this book has been obtained by Premier Press from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Premier Press, or others, the Publisher does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information. Readers should be particularly aware of the fact that the Internet is an everchanging entity. Some facts may have changed since this book went to press. ISBN: 1-931841-86-1 Library of Congress Catalog Card Number: 2002106543 Printed in the United States of America 03 04 05 06 07 BH 10 9 8 7 6 5 4 3 2 1 Premier Press, a division of Course Technology 2645 Erie Avenue, Suite 41 Cincinnati, Ohio 45208


About NIIT NIIT, a global training and software organization, offers customized and packaged multimedia educational software products and training, training needs identification (TNI), systems integration, software solutions (for business, engineering, and manufacturing), IT consulting and application software development to a range of audiences—both individuals and organizations. The success of NIIT’s courses lies in its unique approach to education. NIIT’s Knowledge Solutions Business conceives, researches, and develops all the course material for a range of audiences. Each NIIT course has a definite aim. After finishing a course, the learner should be able to do a set of tasks. Besides being a large software development and consulting division, NIIT has one of the largest learning material development facilities in the world. NIIT trains over 150,000 executives and learners each year in Information Technology areas using Stand-Up Training, Video-Aided Instruction, Computer-Based Training (CBT), and Internet-Based Training (IBT). NIIT has been featured in The Guinness Book of World Records for the largest number of learners trained in one year! NIIT has developed over 10,000 hours of Instructor-Led Training (ILT) and over 3,000 hours of Internet-Based Training and Computer-Based Training. Through the innovative use of training methods and its commitment to research and development, NIIT has been in the forefront of computer education and training. NIIT has strategic partnerships with companies such as Microsoft, Computer Associates, AT&T, NETg, Sybase, Intersolv, and Information Builders.


Acknowledgments Thank you, Mom and Dad, for supporting me when I worked the night through for this book. Thanks for your patience and the inspiration to make the best of my ability. I am very grateful to my Team Leader Sripriya, who supported me when I was burning the midnight oil. My Project Manager Anita Sastry helped me to arrange the best of resources for the book. Special thanks to A. Subramani for the technical reviews and valuable suggestions. I really appreciate your patience and your efforts to make the book better. Thank you, Fran Hatton and Sandy Doell, for editing the book very well. Your comments and input have helped to improve the quality of the book. I would also like to thank Stacy Hiquet for making this book happen in the first place! She has provided active support in all the development stages of the book. I am especially grateful to Kartik Bhatnagar and Rahul Menon for helping me out with some chapters of the book.


About the Author RASHI GUPTA is an Advanced Diploma holder in Software Engineering. In her two years of work experience at NIIT, she has developed instructor-led training material on various technical and non-technical projects, such as Windows 2000 Security, Adobe Illustrator 9, FrontPage, Dreamweaver, and Fireworks. She has also authored a book on Python and has assisted various other authors in writing books on such subjects as ASP.NET, XML, Linux, and Apache. Her area of work primarily includes analysis, design, development, testing, and implementation of books and articles. In addition, her responsibilities include training development executives, instruction, technical review, and ISO compliance.


Contents at a Glance Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

PART I

WINDOWS 2000 SECURITY—AN OVERVIEW . . . . . 1

PART II

PART III

PART IV

1

Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2

Introducing Windows 2000 Security . . . . . . . . . . . . . . . . . . . 39

AN INSIGHT INTO WINDOWS 2000 SECURITY FEATURES . . . . . . . . . . . . . . . . . . . . . 63 3

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

4

Authorization and Access Control . . . . . . . . . . . . . . . . . . . . 101

5

Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

NETWORK SECURITY . . . . . . . . . . . . . . . . . . . . 197 6

Public Key Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . 199

7

Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

8

Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

9

Internet Information Server (IIS) . . . . . . . . . . . . . . . . . . . . 317

10

Remote Access and VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . 347

OTHER SECURITY FEATURES . . . . . . . . . . . . . . 393 11

Reliability Features of Windows 2000 . . . . . . . . . . . . . . . . . 395

12

Securing Non-Microsoft Clients . . . . . . . . . . . . . . . . . . . . . 433


Contents at a Glance

PART V APPENDIXES . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 A

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

B

FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


ix

Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

PART I

WINDOWS 2000 SECURITY— AN OVERVIEW . . . . . . . . . . . . . . . 1

Chapter 1

Need for Security. . . . . . . . . . . . . . . . . . . . . . . . 3 What Is at Risk? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Threats and Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Relationship Between Threats, Vulnerabilities, and Risk . . . . . . . . . . 6 Purpose of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Types of Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Internal Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 External Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Combined Effect of Internal and External Attackers . . . . . . . . . . . . 13 Security Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Assembling Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Damaging/Disrupting Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Modifying Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Windows 2000 Core Security Features—A Primer. . . . . . . . . . . . . . . . . 30 Windows 2000 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34


Contents

Chapter 2

Introducing Windows 2000 Security . . . . . . . . . 39 Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Active Directory and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Active Directory Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Trust Relationship. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Kerberos V5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Certificate Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 NTLM Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Secure Sockets Layer/Transport Layer Security (SSL/TLS) Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Accessing Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Access Control Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Symmetric Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Asymmetric Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Encryption File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

PART II AN INSIGHT INTO WINDOWS 2000 SECURITY FEATURES. . . . . 63 Chapter 3

Authentication . . . . . . . . . . . . . . . . . . . . . . . . 65 Introduction to Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Interactive Logon and Network Authentication. . . . . . . . . . . . . . . . 67 How Does Authentication Take Place? . . . . . . . . . . . . . . . . . . . . . . 70


xi

xii

Contents

Kerberos V5 Authentication Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Advantages of Kerberos. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 How Does Kerberos V5 Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Logging on Interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Smart Card Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Security Support Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Other Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Secure Sockets Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Extensible Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 96 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Chapter 4

Authorization and Access Control . . . . . . . . . . 101 An Overview of Windows 2000 Access Control. . . . . . . . . . . . . . . . . . 102 Working of Access Control Mechanism . . . . . . . . . . . . . . . . . . . . 103 Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Security Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Access Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Security Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Access Checking and Audit Generation . . . . . . . . . . . . . . . . . . . . 121 Configuring Access Control Permissions . . . . . . . . . . . . . . . . . . . . . . . 124 Configuring Share Permissions on Folders. . . . . . . . . . . . . . . . . . . 124 Configuring NTFS Permissions on Files and Folders. . . . . . . . . . . 126 Combining NTFS and Share Permissions . . . . . . . . . . . . . . . . . . . 126 Configuring Access Permissions for Active Directory Objects . . . . 126 Encryption File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Encryption Of Data Using EFS . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Decryption of EFS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 EFS Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Securing the Print Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Managing Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138


Contents

Managing Documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Chapter 5

Security Policies . . . . . . . . . . . . . . . . . . . . . . 143 Group Policy—An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Group Policy Objects and Active Directory . . . . . . . . . . . . . . . . . . 145 Group Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 MMC Snap-In Extension Model . . . . . . . . . . . . . . . . . . . . . . . . . 151 Group Policy Snap-In Namespace . . . . . . . . . . . . . . . . . . . . . . . . . 151 Group Policy Object Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Group Policy Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 How Group Policy Affects Startup and Logon . . . . . . . . . . . . . . . 163 Synchronous versus Asynchronous Processing . . . . . . . . . . . . . . . . 164 Refresh Frequency. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Using Group Policy Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Creating a Custom Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Creating a Group Policy Object . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Filtering GPO Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Group Policy Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Group Policy Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . 179 Windows 2000 Security Templates—An Overview . . . . . . . . . . . . . . . 180 Predefined Security Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Custom Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Security Configuration and Analysis Tools. . . . . . . . . . . . . . . . . . . 187 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

PART III NETWORK SECURITY . . . . . . . . 197 Chapter 6

Public Key Infrastructure . . . . . . . . . . . . . . . . 199 What Is Public Key Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204


xiii

xiv

Contents

Windows 2000 PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 PKI Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Designing Windows 2000 PLI Architecture . . . . . . . . . . . . . . . . . 212 Certificate Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Certificate to User Account Mapping . . . . . . . . . . . . . . . . . . . . . . 223 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Chapter 7

Network Services . . . . . . . . . . . . . . . . . . . . . 237 DNS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Structure of DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Windows 2000 DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Threats Faced by DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Securing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 DHCP: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Configuring DHCP Dynamic Update. . . . . . . . . . . . . . . . . . . . . . 247 Securing DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 SNMP: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 SNMP Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 RIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 RIS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 RIS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Terminal Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Terminal Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Terminal Services Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Chapter 8

Internet Security . . . . . . . . . . . . . . . . . . . . . . 269 IPSec. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 IPSec Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 IPSec Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Working of IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Deploying IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280


Contents

Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Functionality of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 DMZ Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Secure Public Access to DMZs . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Chapter 9

Internet Information Server (IIS) . . . . . . . . . . . 317 IIS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Security Features of IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Services Associated with IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 IIS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Anonymous Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Digest Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Integrated Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . 335 Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Access Control Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Access Control Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Chapter 10 Remote Access and VPN . . . . . . . . . . . . . . . . 347 Remote Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Features of RRAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 RRAS Connection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Installing and Configuring Remote Access Services . . . . . . . . . . . . 362 Virtual Private Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 VPN Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Features of NPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373 Knowing Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374


xv

xvi

Contents

IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 IAS Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . 382 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Tunneling with IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

PART IV OTHER SECURITY FEATURES . . 393 Chapter 11 Reliability Features of Windows 2000 . . . . . . . 395 Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 System Monitor and Performance Logs and Alerts . . . . . . . . . . . . 400 Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Windows File Protection Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Automatic Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 System File Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Windows Backup Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 System Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Safe Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Last Know Good Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Enable Boot Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Recovery Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Chapter 12 Securing Non-Microsoft Clients . . . . . . . . . . . . 433 Securing Access to UNIX Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Service for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Authentication of UNIX Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 436


Contents

Securing Access with NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Inoperability with NetWare Clients. . . . . . . . . . . . . . . . . . . . . . . . 439 Authentication with NetWare Clients ad Servers. . . . . . . . . . . . . . 440 Access to NetWare Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Securing Access with Macintosh Clients . . . . . . . . . . . . . . . . . . . . . . . 443 Inoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Secure Access to Windows 2000 Resources . . . . . . . . . . . . . . . . . . 445 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

PART V APPENDIXES . . . . . . . . . . . . . . 449 Appendix A Best Practices . . . . . . . . . . . . . . . . . . . . . . . 451 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 Securing CAs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 EFS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Security Configuration and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 Acess Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Software Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . 459 Folder Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Distributed File System (Dfs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Network and Dial-up Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 TCP/IP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Server Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Internet DNS Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Internet Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Remote Access Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468


xvii

xviii

Contents

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Disk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Backing Up and Restoring Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Disk Fragmenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Appendix B FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


Introduction This book provides you with a comprehensive study of Windows 2000 Security. The book is aimed at readers who are familiar with Windows 2000 Server concepts but now want to gain a solid foundation in Windows 2000 security features. These readers are assumed to have a certain degree of networking experience and familiarity with general concepts on Active Directory, DNS, DHCP, OSI model, and TCP/IP. This book contains detailed explanatory concepts, hands-on exercises, and questions to check your understanding at the end of each chapter. The first part of the book provides you with an overview of some basic security threats and vulnerabilities against which you need to plan for security. The second chapter gives you a brief overview of the security features in Windows 2000. After you have gotten a fair idea of the security issues you’ll encounter, the book moves on to an insight into Windows 2000 security. It covers topics that explain how Windows 2000 authenticates and authorizes the client on the network. The book then talks about Windows 2000 security policies to assign consistent permissions across groups of users. PKI is a key technology to protect valuable information resources for e-commerce, the Internet, intranets, and Web-enabled applications. This book provides you with an overview of PKI and how Windows 2000 allows you to secure your network through PKI and Certificate Services. Then the book moves on to how to secure network services, such as DNS, DHCP, SNMP, RIS, and Terminal Services. It also talks about securing Internet communication through IPSec and firewalls. You’ll also learn about securing IIS, remote access, and VPNs. Finally, the book contains other security features of Windows 2000 that harden Windows 2000 and features for securing communications with non-Microsoft clients. The Appendixes section includes Best Practices and FAQs that provide you with reallife relevance about Windows 2000 security.

How to Use This Book This book has been organized to facilitate your learning and give you a better grasp of the content covered here. The various conventions and special elements used in the book include: ◆ Notes. Notes give you additional information that may be of interest, but the

information is not essential to performing the task at hand.


xx

Introduction ◆ Tips. Tips have been used to provide special advice or unusual shortcuts. ◆ Cautions. Cautions are used to warn you of possible disastrous results if you

perform a task incorrectly. ◆ New term definitions. All new terms are italicized and then defined as a

part of the text.


PART

I

Windows 2000 Security—An Overview




Chapter 1 Need for Security


few decades ago, computers were primarily used for storing information for an organization’s daily functioning. They were used mainly as data storage devices, and their use was limited to the organization’s employees. Therefore, any threat posed to the system was from the internal staff only. It wasn’t hard to fight threats because there was almost no chance of external interference. Only a few forms of threats existed, such as misuse of accounts, theft of hardware, or data manipulation by authorized users. These threats were carried out physically and so could be dealt with by keeping computers in locked rooms and manually verifying that data had not been tampered with.

A

Today, computers have radically changed the way organizations and individuals function. Organizations use computers to store data that can be accessed from anywhere in the world. Individuals use computers to enhance the communication that takes place across the globe. Along with this expansion of the technology, threats to computer systems have also increased. A simple click of the mouse is enough to shake your infrastructure. In the year 2001, the Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) showed that 85 percent of large organizations and government agencies detected breaches of security. In most cases, the loss was estimated to be over 2 million US dollars. Recently, a staggering number of attacks have been reported against IT environments, many of them through the Internet, and many of them targeted at systems running the Windows operating system. The threat to security from malicious insiders is as big as the threat to security from sophisticated hackers. After all, in an enterprise-wide network, you cannot be sure that, of the many employees accessing network-based resources, none poses a threat to security. What is security? Security is not a goal or a product. It is an endless process. Many computer enthusiasts maintain that security is the firewall at your network boundary or the virus scanner integrated into your mail server. Well, security is none of these. Put briefly, security is the process of allowing access to authorized users only. To design a secure system, it is important to have some understanding of security threats.


NEED FOR SECURITY

Chapter 1

This chapter talks about the basic concepts of security and answers some important security-related questions, such as “What is at risk?”, “What are we trying to protect?”, “Who are the attackers?”, and “Where do they come from?” This chapter will also introduce you to the core security features of Windows 2000 and the Windows 2000 security model.

What Is at Risk? A completely secure network environment does not exist. Even the most secure networks of today are not free from risk, but risk can be minimized by improving security. On the other hand, an increase in the security measures in an organization results in an increase in the cost of both installing and maintaining them. A greater amount of security might also add to the complexity of the system. For example, extra methods used to authenticate users in a bank might make the system so complex for the users that they do not take the trouble to use the system as they should. The evaluated cost of this loss might be greater than the benefits achieved from increased security. Therefore, before examining the security measures for the network, you need to examine the risks you currently face. To understand the principles of risk on your network security, you need to understand some key terms used in the risk management process. These include threats and vulnerabilities.

Threats and Vulnerabilities A threat is anything—a circumstance, people, or event—that has the potential to cause harm to your resources. Physical threats can be posed by employees, hackers, criminals, spies, and so on. Program threats might be intentional or unintentional and can take the form of viruses, worms, Trojan horses, or attack scripts. Program threats have the ability to cause greater harm than physical threat agents. Vulnerability is a flaw or a loophole in a system or a program that facilitates an attacker to break into the security measures of a system. Vulnerabilities can be known or unknown. Known vulnerabilities exist in the system and are known at the time of manufacturing. Consider an example of known vulnerability. Suppose the operating systems that an organization is using have known manufacturing flaws in them. However, the organization is not aware of these flaws and continues to use the operating systems without taking preventive measures against the


5

6

Part I

WINDOWS 2000 SECURITY — AN OVERVIEW

flaws. Intruders, who are aware of the loopholes in the operating systems, try to take maximum advantage of the situation and cause damage to the information and systems of the organization. Unknown vulnerabilities exist in the system but remain undetected by manufacturers as well. Consider another example. Suppose an organization is using flawed operating systems. However, these flaws are not known to the organization or the manufacturer of the operating system. An intruder who is trying to hack the network of this organization comes across the weaknesses and, through these weaknesses, finds a way to access the information related to the organization. In this case, if the intruder is a white hat hacker, he may inform the organization about the flaw in the system. However, if the intruder has malicious intentions, he may try to take advantage of the flaw to jeopardize the information system of the organization.

Relationship Between Threats, Vulnerabilities, and Risk After identifying threats and vulnerabilities in your organization, you should rate them based on the level of risk using a standard, such as low, medium, or high. This rating will help you identify the countermeasures and their intensity. The rating will vary between organizations and sometimes even within an organization depending on the type of organization, the kind of equipment, and their location. For example, the threat of earthquakes is significantly higher for offices near a major fault line than for those elsewhere. The vulnerability of physical damage would be very high for an organization producing highly sophisticated and delicate electronic equipment. On the other hand, a construction company may have a lower physical vulnerability level. Thus, the level of risk that an organization faces increases as the threats and vulnerabilities increase.

Purpose of Security While focusing on risks and security, you may wonder why one should worry so much about security. It is important for one to understand what exactly one is trying to protect. Security begins and ends with people. The people in an enterprise, the partners of the enterprise, and all others connected with the enterprise use enterprise resources in some ways. This makes the resources in your environment the primary concern of security. Resources can include information, applications, servers, routers, and even people.


NEED FOR SECURITY

Chapter 1

As a resource, information is very precious to any organization; it holds an organization together and is the source from which any productivity arises. It should, therefore, be protected at all costs. The management of an organization just cannot allow an intruder to steal data from the organizational network or read the trade secrets of the organization. Sometimes lost data cannot be replaced even after spending a huge amount of money. Your computer systems may contain all your employee records, contracts, sales information, private arrangements, schedules, research, and other important and confidential information—all of which, if placed in wrong hands, can lead to disastrous consequences. When deciding about data security, you should consider who accesses your data. Most of this information is shared by multiple users over a network. Your network is the most heavily used vehicle for distributing your organization’s information. If your network is connected to the Internet, your network opens up to the outside world and becomes vulnerable to a host of security threats. Information security answers the following basic security needs of any organization: ◆

Confidentiality ◆ Integrity ◆ Availability ◆ Authentication

Confidentiality The term confidentiality refers to preventing the disclosure of critical information to unauthorized users. The extent to which confidentiality should be maintained depends on what type of information you are trying to secure. For example, a high level of confidentiality is required for a company’s annual report that has not yet been made public. On the other hand, the confidentiality required for quarterly reports that have already been released is relatively low. Consider another example. The type of information an organization shares with its staff is more confidential than the type of information it shares with people outside the organization. An organization can share all its policies, procedures, customer information, and other business-related information with its employees, but it may not share that same information with outsiders. Similarly, there are different levels of confidentiality maintained for different types of data among different employees within an organization. For instance, information about the appraisal of an employee will be accessible only to the


7

8

Part I


FIGURE 1-1 Ensuring Confidentiality, Integrity, Availability, and Authentication.

Human Resources department and the supervisors of the employee and not to other members of the staff. A breach of confidentiality can cause heavy damages to the organization, depending on the degree of importance of the information disclosed. For example, if the details of prospective customers and the offers made by an organization are passed on to its competitors, the organization can incur heavy business losses. In addition, if the employees’ appraisal information is somehow leaked to the employees, the leakage may cause distrust and unrest among them. Therefore, you need to assign different levels of confidentiality to different types of information.


NEED FOR SECURITY

Chapter 1

Integrity Integrity is the process of ensuring that data, whether in transit or stored on the network, is not tampered with in any way. An infringement of data integrity leads to misrepresentation of the intended audience, and can, in turn, have very serious consequences. The following are a few common ways of breaching integrity of data: ◆

Modification of an audit report

◆

Modification of employee records

◆

Modification of a company’s accounts

◆

Modification of the key factual material

◆

Modification to the source data

◆

Modification in bank accounts

A breach of data integrity can occur due to an inadvertent mistake made at the time of entering and storing data in databases. For example, an accountant may accidentally delete vital financial information. His intention may not be questionable but his action may prove to be harmful. Data integrity may also be hampered if the files or systems become corrupt or are completely destroyed. Corruption may occur if you use defective software or wrong programming techniques.

Availability Availability of information implies that the information is ready for use when required. It essentially means designing the security framework in such a manner that it prevents unauthorized activity that results in nonavailability of information to authorized users. The term availability means the existence and accessibility of information. It also encompasses functionality of systems and other resources, hardware or software, required to access the information. In addition, ensuring the availability of information means that users are not denied services when they need to use them. A denial of service occurs when the network is flooded with requests from unauthorized users and, consequently, authorized users are unable to access system services.

Authentication Authentication is the mechanism of ensuring that an individual is what he or she claims to be. It can be used to provide the identity proof of the sender to the receiver. Authentication ensures that only authorized users and computers are able


9

10

Part I


to gain access to network resources. It may also include establishing the identity of a resource to the user. All the reasons discussed here form the core of any technology that provides security to computer systems. In other words, these are the main reasons why you need to have a secure network. Some of the other reasons include preventing: ◆

Unauthorized access to network resources

◆

Data manipulation

◆

Interception of data in transit

◆

Damage to system

◆

Disruption of services

You now understand the various security needs of an organization. The next section elaborates on the attackers who pose a threat to the security.

Types of Attackers All attacks on the information of an organization take place by using the organization’s network. Network attackers fall under two categories: ◆

Internal attackers. These are the employees of an organization and they pose a threat from within the network.

◆

External attackers. These are the entities lying outside the organization and they pose a threat to security by intruding into the network.

Internal Attackers Often, organizations direct their effort in tracing outsiders who may be a threat to security. While doing so, they forget that internal entities may be more harmful than outsiders; therefore it is more important to guard against insiders. In fact, statistics prove that attacks from internal agencies occur much more often than external attacks. Studies show that unauthorized access of network users forms a major part of all kinds of security threats. Figure 1-2 shows an employee of an organization attacking a network. An insider attack may be quite severe in nature because the insider already enjoys a certain amount of access to network resources. An internal attack can breach all the purpose of data security. For example, an insider can plant Trojan horses or


NEED FOR SECURITY

Chapter 1

FIGURE 1-2 Internal attackers.

browse through the contents of confidential files. These may jeopardize the confidentiality and integrity of data. Insiders can also affect availability of data by overloading the system’s processing or storage capacity or causing the system to crash. These attacks are possible for a variety of reasons. The basic one is the ill will of the employee against the organization. The other reasons are as follows: ◆

The access control settings of a resource may not reflect the organization’s security policies.

◆

The employees may abuse the Internet access to browse through restricted sites.

◆

An insider may exploit the operating system bugs and cause the system to crash.

◆

A user may use another user’s password to fiddle with the systems.

◆

The devastating acts of a user may go undetected because audit trails are inadequate or ignored.

Now, the task is to resolve this problem. How does one decide which employees to be considered threats to security? This question is surely difficult to answer.


11

12

Part I


Before you go on to discussing the methods that can be employed to control insiders, you need to identify the intruder. To start with, the focus of the organization should be on the employees who are well versed in IT. This is because employees who are responsible for creating, managing, and maintaining an IT infrastructure have all the knowledge of the organization’s critical resources. If they harbor any wrong intentions, they can pose a threat to the security of the entire system. For example, if an employee has root-level access to resources, then nothing can stop him or her from hacking the entire system. A disgruntled employee, even with limited rights and permissions, can easily introduce malicious software, such as worms, Trojans, and viruses, on the network. In order to safeguard an organization against internal attackers, one must educate and train the employees. They should know about the dangers that result from sharing usernames/passwords, opening anonymous e-mail attachments, and having conventional or predictable passwords. The rights and permissions granted to a user must be in accordance with the security policy of the organization.

External Attackers External attackers are intruders who attack your network while sitting well away from it. These intruders can be either professional hackers or amateurs who try to gain access to your organization’s network just for fun. During the past few years, the definition of a hacker has changed tremendously. Initially, the term “hacker” referred to a person who enjoyed getting the most out of the system he was using. A hacker would use and study a system extensively until he became proficient in all its functions and features. Today, the term “hackers” refers to people who can enter systems for which they are not authorized or intentionally infringe their bounds over systems for which they do not have a legitimate access. Figure 1-3 illustrates an external attack on a network. The reasons for external security threats can be many. A few of them are: ◆

Enjoyment/fun. The primary aim of a hacker might be just to have fun.

◆

Ex-employees. An organization might face a threat due to an exemployee turning hostile. Such a person is already aware of the organization’s network and resources and can gain access without much difficulty.

◆

Curiosity. An intruder might break into your network because of curiosity or because of the intruder’s desire to face an interesting challenge.


NEED FOR SECURITY

Chapter 1

FIGURE 1-3 External attackers.

◆

Competitors. Rival organizations may hire professional hackers to raid your network.

As against preventing internal attacks, many options are available to safeguard against external security threats. The most commonly employed ones are firewalls, intrusion detection systems, various authentication protocols, and access control lists. These topics are covered in later chapters.

Combined Effect of Internal and External Attackers An organization faces the most serious threat when both internal and external attackers join hands. Lapses in your internal security may allow intruders to break in, steal information, or plant viruses in your systems. Another rival organization might hire your disgruntled ex-employee and work together to wreak havoc on your network.


13

14

Part I


FIGURE 1-4 Internal and External Attackers.

Figure 1-4 illustrates the combined attack by internal and external attackers on the network.

Security Threats You know that the information on your network is prone to a variety of threats including computer fraud, espionage, vandalism, defacement, computer viruses, and hackers. With an increase in the world’s reliance on computer systems, these threats have become extremely pervasive and sophisticated. I have categorized threats on information according to their nature and source. The categories are: ◆

Assembling information

◆

Damaging/Disrupting network

◆

Modifying information

The following section focuses on these security threats.


NEED FOR SECURITY

Chapter 1

Assembling Information Assembling information or simply gathering information is the kind of threat that occurs when an entity gathers information from your network and sends it out. This entity can be either a person or an application. Six kinds of security lapses fall into this category. They are: ◆ ◆ ◆ ◆ ◆ ◆

Password cracking Session hijacking Impersonation Adware Social engineering IP Spoofing

Let me now discuss each of these lapses in detail.

Password Cracking Password cracking is a common method that is used to furtively acquire the password of another user’s account to gain system access. This is a common method of hacking used by intruders when the user assigns a weak password. The major weaknesses in passwords exist in situations when passwords can be easily guessed (for example, passwords based on the user’s name or date of birth) or when passwords can be cracked using a dictionary.

Session Hijacking Due to the vulnerabilities of the HTTP protocol, the Web is prone to threats such as session hijacking. A session with a Web site begins when a user connects to the Internet and ends only when a user closes that site. HTTP is a stateless protocol. Therefore, to maintain a session with a Web application, it grants session IDs to bind the user activities with the Web server. In session hijacking, the attacker (by accessing the data on servers and networks) gets session IDs of the Web sessions. Then, with the help of these session IDs, he takes over the session of the other person.

Impersonation Impersonation occurs when an unauthorized user accesses critical resources by posing as an authorized user. This unauthorized user can then bring spurious content into the network of an organization or capture confidential information; as a


15

16

Part I


FIGURE 1-5 Security threat due to impersonation.

result, the security of the network is compromised. Figure 1-5 illustrates how an unauthorized user can gain access to the network of your organization by impersonating an authorized user. A related concept to impersonation is that of sniffing. Sniffing is the process of intercepting data packets traveling to and fro on the network. Software that can capture and decode all packets entering and leaving the network cables is called a sniffer. For example, sniffing is used to attack information when a user logs on to a remote server by using a remote access service. The impersonator can use a network utility or hacking software to capture the username and the password. He can later use the captured credentials to gain access to the remote server. Attempts of impersonation can be controlled by strictly restricting the access to network resources to only a limited number of users and using digital signatures on data packets. Access lists can also be used to define the level of access to users.


NEED FOR SECURITY

Chapter 1

Adware Advertising Supporting Software (Adware) is an application that is used to display advertisement banners while an application is running. Many times, while opening a Web page in your browser, various other browser windows appear automatically. These windows are mainly used for advertisements, and it is the Adware software that executes them. How can these seemingly harmless advertisement banners prove to be dangerous? These advertisement applications can sometimes include some additional applications. These additional applications, known as Spyware, capture information from your computer and pass it on to other networks without your knowledge.

Social Engineering Many attackers and hackers employ social engineering, which may be defined as the art of using interpersonal skills for extracting confidential information from vendors or employees, to bypass even the most stern defense systems on networks. The outsider who employs social engineering fools the organization’s personnel into providing proprietary information or allowing unauthorized access to resources. This is why social engineering is popularly known as people hacking. The following are the most common techniques used in social engineering: ◆

Direct approach. In direct approach, the social engineer may directly ask the target for some information. However, in most cases, this approach does not succeed because people have become more security conscious.

◆

Authority figure. Another technique of social engineering is pretending to be a senior official or an authority figure in an organization. For example, the intruder may impersonate an authority figure and pressure the system operator to extract important information. The information may be about the type of remote access software used in the organization, ways of configuring it, the telephone numbers of the RAS server to dial, and the user name and the password to log on to the server. After obtaining the information, the intruder may set up remote access to the organization’s network.

◆

Naive employee. In this case, the intruder pretends to be an employee who needs help to access the resources of the organization. The attacker, for instance, can call the secretary pretending to be a naive employee


17

18

Part I


who is having trouble accessing the organization’s network. The secretary, not wanting to appear incompetent or offensive, may help by giving away the username and the password of an active account or his or her own account. Consider another example. An intruder pretends to belong to the organization’s technical support team that is trying to solve a network problem and extracts information from a naive employee. ◆

Reverse social engineering (RSE). RSE is another form of social engineering. In RSE, the user is influenced to ask the intruder questions that, in turn, automatically reveal information about the organization. In this approach, the attacker is mistaken for a senior official. An RSE attack consists of three parts, sabotage, advertising, and assisting. During sabotage, the attacker corrupts the workstation of the user or gives it an appearance of being corrupted. Seeing this, the user looks for help. To ensure that the user calls the attacker for help, the attacker advertises his presence by either leaving his business card at the user’s workstation or by displaying his contact number in the error message. Finally, the attacker assists the target in solving the problem, and, in the process, obtains information that he requires.

◆

E-mail cons. An e-mail con is another technique that is based on social psychology. It involves the use of contemporary subjects to elicit emotions. This leads to unconscious participation from the user.

◆

Internet fraud. Internet fraud is a popular means deployed for social engineering. In this, the user, through conversation, is persuaded to disclose important and personal information. Internet frauds commonly occur on Internet chats. For example, an intruder enters a chat room and invites people to chat. The intruder might carry the conversation from general topics to subjects of the victim’s interest and make him or her reveal maximum confidential details of the victim.

Spoofing Spoofing is an attack in which one computer masquerades as a different computer on the target computer’s network. The aim of masquerading is to trick the other computer into believing that the pretender computer is the original computer with which it is supposed to interact. The intention is to lure the other computer into sharing or sending data or gaining data modification rights.


NEED FOR SECURITY

Chapter 1

Spoofing can either be blind or active. Blind spoofing is a method in which a hacker is not able to view the responses sent from the target computer. This is because the hacker does not have complete information about the network conditions. That is, it probably does not have the information about the IP address of the computer that it wishes to masquerade or the access rights that the computers share. In such a situation, the hacker uses all possible techniques to gain access to the network. It is like throwing darts in the dark. In active spoofing, a hacker has information about the access rights shared between the host computer (that it intends to imitate) and the target computer. This information helps the hacker view the responses from the target computer. Because the hacker computer can view the responses, the data can be easily corrupted, modified, and passed to other destinations on the network. One form of network spoofing attack is IP spoofing. IP spoofing is a method in which the hacker accesses the target computer by using a spoofed IP address of a trusted host. Hackers perform IP spoofing by using either blind or active spoofing. An IP spoofing attack (also called IP sequence guessing spoofing attack) is made at the time of three-way handshake connection process. To start an IP spoofing attack, the hacker first needs to forge the IP address of a trusted host on the network. He then needs to maintain a sequence number with the target computer. At this time, the hacker needs to insert the initial sequence number in the header information of the data packets. This task is highly complicated because when the target sends the initial sequence number as acknowledgement, the attacker must accordingly respond with a correct response, which can be accomplished only if the attacker is successfully able to guess the TCP initial sequence number.

Damaging/Disrupting Network An intruder can cause substantial damage to the network of your organization by either physically damaging the resources or causing the network services to be disrupted. In this section, you will learn about the four most common security threats. These are: ◆

Tunneling

◆

Viruses, Worms, and Trojan Horses

◆

Man-in-the-middle attack

◆

Denial of service (DoS) attacks


19

20

Part I


Tunneling Tunneling allows an organization’s personnel to access those resources from the organization’s intranet that cannot be accessed due to firewalls or proxy servers. Proxy servers can prevent employees from accessing certain unauthorized Web sites or passing on critical organization information to an outsider. However, there are a number of applications that enable employees to access any Web site in spite of a proxy server or a firewall. An example of such an application is HTTP-Tunnel that allows access to any Internet application.

NOTE The HTTP-Tunnel application runs as a SOCKS server to connect to the Internet. It can also use port mapping to tunnel both TCP and UDP traffic. SOCKS is a protocol that enables machines without Internet connectivity to connect to the Internet. For this it uses only a single machine, referred to as the SOCKS server, which is connected to the Internet. All other machines can access the Internet by using this machine. A Proxy server is an example of a SOCKS server.

Viruses, Worms, and Trojan Horses The use of viruses, worms, and Trojan Horses has become increasingly common to disrupt network services and corrupt or completely remove important information. A virus is a software application that starts replicating itself after being introduced on your computer either deliberately or inadvertently. A virus can attach itself to any file; when that file is accessed the virus is also stimulated. By replicating itself multiple times, a virus eats away all your system resources. The following are the most common mediums through which viruses can spread: ◆

Floppy disks and CDs

◆

Files downloaded from the Internet

◆

Attachments in e-mails

A worm is a special type of virus. Although it replicates itself just like a virus, it is different from a virus in the sense that it does not attach itself to any program and runs independently on your computer. Trojan horses are applications that do not replicate themselves. Instead, they secretly collect information from your computer and pass it on to the external networks.


NEED FOR SECURITY

Chapter 1

Recovering after a virus attack may be quite painful depending on the intensity of loss. Therefore, it is always suggested that you take proper measures to ensure security against virus attacks. The following section elaborates on some of these measures.

Prevention Is Better Than Cure The best way of protecting network and stand-alone computers against viruses is to apply the following antivirus measures: ◆

Educate users. Most importantly, each user on the network should have some understanding of the various types of viruses and their functionality. This awareness would help users evade the general threats that arise from viruses. For instance, Word and Excel documents contain macros and, therefore, are more prone to macro virus threats. When sending documents through mails, you should ensure that the attachment being sent is saved in Rich Text Format (RTF). RTF files do not contain macros and, therefore, the possibility of a virus infecting such files is bleak.

◆

Check Internet downloads. You should avoid downloading software, applications, and other materials from unknown sources on the Web. To prevent virus infection from such unknown sources, it is preferable to download the material or software on a floppy disk and then scan the floppy disk for viruses before finally transferring the content on the hard disk. To avoid these hassles, it is preferable to buy software and programs from trusted authorized dealers.

◆

Avoid purchasing pirated and illegal software. Pirated and illegal software that is not purchased from reliable sources might also contain viruses. As mentioned earlier, it is preferable to purchase software from trusted authorized dealers.

◆

Disable floppy disk booting. You should disable floppy disk booting by changing the CMOS boot sequence stored in the CMOS memory. Most computers now allow you to do this. This eliminates the risk of the boot sector virus getting transferred from a floppy disk that is left unattended in the drive accidentally.

◆

Scan e-mails from unknown senders. You should avoid opening e-mail messages and the attachments in those messages if the sender of the message is unknown. Before opening e-mail messages, it is advisable to scan them for viruses by using antivirus software.


21

22

Part I


◆

Scan storage media. If you share floppy disks and CDs with other users, scan them with an antivirus scanner before you transfer any data from them.

◆

Make regular backups. Another security measure that can deflate the consequences of a virus infection on a personal computer is making regular backups of hard disks. In case of an organization, you can set up backup servers on the network where users can make regular backups. Organizations can make backups on multiple computers on the network as well. They can also make backups on floppy disks or tapes. However, while making backups on floppy disks, you should ensure that the disks are write-protected. Viruses cannot infect writeprotected disks.

◆

Install antivirus software. You should ensure that antivirus software is installed and updated regularly to detect, report, and disinfect viruses on all computers on the network.

In addition to the preceding measures, organizations should take the following precautions to ensure that the network is completely secure from all channels: ◆

The network should be set up in such a manner that only authorized users are able to access network resources. To implement this, organizations may use various tools that prevent unauthorized access to computers on the network.

◆

Keep dedicated machines to test new software, files, and disks.

◆

Transfer of executable files to and from external sources should be blocked.

◆

Organizations can also protect computers on the network from virus attacks by using computers that do not have a floppy disk drive. This prevents computers from using infected floppy disks and ensures that a virus is not passed to the network.

◆

Network should be divided into a private network, a public network, and extranets to provide security to each part of the network. For example, for a private network, you can use Group Policy Objects (GPOs). GPOs are explained in detail in Chapter 5, “Security Policies.” For a public network you can use firewalls, and for extranets you can use perimeter subnets or demilitarized zones (DMZs). These are explained in detail in Chapter 8, “Internet Security.”


NEED FOR SECURITY

Chapter 1

Cure In the present scenario of security threats, almost all administrators are well aware of the threats and take proper preventive measures, but still virus attacks occur and cause heavy damages to a network. To ensure that you have successfully recovered from a virus attack, you need to perform the following steps: ◆

Assess the extent of damage caused. After you are sure that a virus has infected your computer, identify how many other computers on the network are affected with the virus and the other locations that can be affected. The infected computers should then be isolated from the network so that the virus does not spread. To prevent any further virus attacks, you also need to identify the source from which the virus has originated. You can do this by monitoring the log files on client and server computers.

◆

Check the backup servers for virus infection. After you have removed the infected computers from the network, you need to check the backup servers for virus infection. To eliminate the remotest possibility of a virus attacking the backup servers, you should also remove the servers from the network. Next, clean the servers by using antivirus software. However, before cleaning the backup server, it is preferable to make a backup of the data stored in this server as well so that if there is data loss while cleaning, you can still try and recover data from the backup.

◆

Disinfect all computers on the network. The next step is to disinfect all other computers on the network. You should restart the computer with a fresh startup floppy disk. Next, identify the data and programs that are infected by virus by using scanners. Disinfect the computer by using antivirus software.

Man-in-the-Middle Attack As the name indicates, the main idea behind the man-in-the-middle attack is that before the two authorized entities exchange data, a third non-trusted party intercepts to monitor, capture, or control the communication transparently. For example, the attacker can re-direct the data between the two authorized entities. In a man-in-the-middle attack, an attacker assumes the identity of an authorized entity and reads the data meant for that entity. The sender of that data on the other end might believe it is the intended recipient because the attacker might


23

24

Part I


be responding well to the communication to continue the exchange and gain more information.

Denial-of-Service Attacks Denial-of-service (DoS) attacks are quite different from other kinds of network attacks. An intruder might use other network attacks, such as impersonation, Adware, and viruses, to access resources or damage them. On the other hand, DoS attacks are used for making some services or target computers inaccessible. DoS attacks are becoming quite common these days, because they do not require any special software or access to the network. They are based on the concept of network congestion. Any intruder can cause network congestion by sending loads of junk data over the network. As a result, the target computers are inaccessible for some time because all routes to reach the computers are blocked. It can even lead to crashing of the target computers. Figure 1-6 illustrates how hackers can cause network congestion by introducing spurious data over your network. DoS attacks enjoy many advantages. They can easily be kept anonymous. DoS attacks come in a variety of forms and can target many network services. An intruder can initiate a DoS attack in many ways, such as sending a large number of junk mails or a large number of IP request packets. However, there exists no single measure to determine the identity of the intruder. Intruders employing DoS attacks make use of some innate lapses in communication technologies and the IP protocol. In fact, a DoS attack can be executed from any IP packet that is sent over a network. You will now learn about some of the commonly used methods for initiating DoS attacks. These DoS attacks are: ◆

SYN flood

◆

Broadcast storm

◆

Smurf DoS

◆

Ping of death

◆

Mail bomb

◆

Spam mailing


NEED FOR SECURITY

Chapter 1

FIGURE 1-6 Network congestion by hackers.

SYN Flood SYN flood is an attack where the firewall is locked up by flooding it with incomplete TCP sessions. In this type of attack, all your TCP connections are used up. This prevents authorized users from accessing resources by using TCP connection. Let us first consider the working of a TCP connection. Let me first briefly discuss the working of a TCP connection. To initiate a session, TCP uses a three-way handshake mechanism. The steps involved in establishing a TCP connection are as follows: 1. A host sends a data packet to some other host on the network. This data packet contains the host ID and is referred to as Synchronize Sequence Number (SYN).


25

26

Part I


2. The recipient host acknowledges the receipt of the data and checks for the authenticity of the host ID. After authenticating the host ID, it replies to the host by sending a data packet known as Acknowledgement (ACK), along with the received SYN packet. Both these data packets combine to form the SYN-ACK data packet. 3. After receiving the SYN-ACK data packet from the recipient, the first host sends back the third data packet or ACK. The complete process involves only three steps (thus the term three-way handshake). TCP connections can lead to network congestion if someone sends a fake ID in the SYN packet. If a fake ID is sent, the receiving host can never receive an acknowledgement. Eventually, the connection times out and the incoming channel becomes free to receive another request. In a SYN flood attack, so many packets with fake IDs are sent that all incoming channels are tied up waiting for acknowledgements. As a result, there is no interface available for authorized users.

Broadcast Storms A broadcast is a message that is sent to every computer on a network. Excessive broadcasts over a network increase network traffic. Such a condition is referred to as a broadcast storm. In a broadcast storm, an intruder puts a large number of broadcast packets onto your network. However, these packets contain fake destination addresses. As a result, each computer forwards these packets to the specified fake destination address. These packets remain on the network, moving from one computer to another, until they completely choke the network. You can use or misuse tools, such as finger, asping, and sendmail, to initiate such broadcast storms.

Smurf DoS In this DoS attack, an intruder uses a spoofed IP address and sends a large number of IP echo requests to the broadcast IP address of the network. Other computers on the network send their IP echo reply messages in response to the broadcast IP echo request. This results in an enormous amount of congestion on the network.


NEED FOR SECURITY

Chapter 1

NOTE Smurf attacks assume large proportions in case of a multi-access broadcast storm. This is because, in such a situation, if there are hundreds of computers on a network, then each and every computer will reply to each echo request.

Ping of Death Ping of death refers to the DoS attack where an intruder floods the network with many large-sized Internet Control Message Protocol (ICMP) packets. These packets are sent to specific computers, though, not as broadcasts. The specific computer receives the ping command in fragments. On receiving the ping command, the computer tries to reassemble the packet into one big packet. However, the size of the data packets is so large that they cannot fit into the computer’s buffer. As a result, these large-sized ICMP packets cause overflow, which might even lead to system damage, such as system crashing, frequent reboots, or protocol hangs.

NOTE Intruders can send these large-sized ICMP packets from computers running Windows 95 or NT. The following command is used for this purpose: ping -l 65500 -s 1

In this command, • -1 65500 is used to set the buffer size to 65500. • -s 1 is used to specify the time stamp for hop counts. You can counter a ping attack by blocking pings to your computer. However, blocking all regular pings is not an advisable solution. Instead of blocking all pings, you can block only the fragmented pings. When you block fragmented pings, all pings that are bigger than the maximum transmission unit (MTU) size of your link are stopped. In addition, it allows regular pings of 64 bytes through most systems.

Mail Bomb A mail bomb attack is targeted towards your mail server and disrupting its services by sending excessive mails. In this attack, attackers subscribe to various mailing


27

28

Part I


lists on the Internet by using the e-mail IDs of numerous other users. Due to subscription, identical copies of e-mail are sent to the e-mail addresses. In addition, mails that are capable of replicating themselves at the server end are sent. This causes the mail server to process all incoming mails. A mail server might not be capable of handling such a large amount of traffic due to low bandwidth, low disk space, or other processing constraints. This puts the mailing server in a looping process and might even lead to a server crash.

Spam Mailing While a mail bomb attack is aimed at the mail server, Spam mailing is aimed at users. Any unsolicited mail is called spam. For example, an attacker sends the same e-mail repeatedly to a user, containing different subject headings to get a prompt reply from the user. The user has to read through this unwanted mail. Spam mailing can also use fake reply addresses in e-mail messages. It can also include creation of unattended e-mail accounts. When you receive an e-mail from such accounts and reply to these messages, the reply bounces back because of nonexistence of e-mail addresses or because the account is never accessed. Many reply addresses in the Spam mail or a self-replicating Spam mail, affects mail services by causing congestion on the mail server.

Countermeasures for DoS Attacks DoS attacks are becoming very popular with hackers. However, you can take the following measures to counter their attack: ◆

Disable unused or unneeded services on the network.

◆

Maintain regular backup.

◆

Create, maintain, and monitor daily logs.

◆

Create appropriate password policies.

◆

Implement an Intrusion Detection System.

◆

Implement route filters to filter fragmented ICMP packets.

◆

Monitor physical security of your network resources.

◆

Configure filters for IP-spoofed packets.

◆

Install patches and fixes for TCP SYN attacks.

◆

Partition the file system to separate application-specific files from regular data.


NEED FOR SECURITY

◆

Chapter 1

Deploy tools, such as Tripwire, which detect changes in configuration information or other files.

Modifying Information The most common reasons for modifying information are: ◆

Spreading rumors. Hackers can modify the contents of a Web site to spread false rumors.

◆

Undermine organization effectiveness. Databases contain important information. The effectiveness of this data is the basis for the organization’s future plans. If the contents of the database are modified, it can affect the present and future working of the organization. Therefore, to undermine the effectiveness of an organization, hackers can either enter false data or modify the contents of the existing data.

Figure 1-7 illustrates how a hacker can intercept information in transit and change its contents.

FIGURE 1-7 Modifying information.


29

30

Part I


To modify information, hackers can utilize the following two security lapses: ◆

Defacing Web sites

◆

DNS poisoning

Defacing Web Sites Unauthorized modifications to the contents of a Web site, or defacing a Web site, have become a widespread menace. It has been commonly used for propaganda, spreading misinformation, and rumors. To overcome this menace, organizations need to: ◆

Make their servers read-only.

◆

Separate their Web servers from application and database servers.

◆

Implement a strong authentication mechanism.

DNS Poisoning DNS poisoning is a process in which the DNS server is given false information about the IP addresses in a domain. In other words, the DNS server is made to believe that the domain maps to different IP addresses. To prevent DNS poisoning, use the latest security features of DNS, password protect the DNS, and allow only a few authorized persons to view the DNS information. Thus, the list of ways and means to attack a system for hijacking the information or disrupting network services is never ending. Windows 2000 is a powerful operating system with the architecture to provide a strong and flexible security framework. The following section will introduce you to the Windows 2000 core security features.

Windows 2000 Core Security Features—A Primer Extensive access to public networks and the Internet by organizations and individuals call for a powerful operating system to build the security infrastructure. To address this, Windows 2000 delivers an integrated set of tools and services. These tools allow administrators to control insider access to network resources as well as


NEED FOR SECURITY

Chapter 1

to protect the privacy of intercompany communications. Following are the functions provided by Windows 2000 Server: ◆

Security management. Windows 2000 Server provides for security management by using Active Directory directory service. Active Directory is a central place for storing information about the users, hardware, applications, and data on the network. It provides for management of user accounts, their access rights, and delegation of security administration. Active Directory also integrates the Windows 2000 security services, such as Encryption File System (EFS), the Security Configuration Manager, Group Policy, public key infrastructure, and delegated administration.

◆

Security at network logon. Windows 2000 starts data privacy and integrity at logon. Windows 2000 provides strong password and single sign-on on all network resources by using the Kerberos V5 authentication protocol.

◆

Data security on the network. Windows 2000 ensures security of data on your network by using authentication protocols. You can also encrypt your data traveling on the network for additional security. For data security in applications, encryption is provided by Secure Sockets Layer (SSL) authentication protocol. All network communication can also be encrypted between all or specific clients by using Internet Protocol Security (IPSec).

◆

Data security for communication across networks. Windows 2000 also provides support for data transmission taking place on internal networks, over the Internet, and over virtual private networks. Besides protecting the transactions happening within an organization’s network, the organization can also protect business transactions across its network, set security limits for temporary employees, and restrict access to external partners.

NOTE The security features introduced in the previous section are detailed in subsequent chapters of this book.


31

32

Part I


Windows 2000 Security Model The Windows 2000 operating system provides two process accessor modes to ensure that applications are not able to access the system hardware and operating system source code directly. These modes are user and kernel. User mode is used to run applications, and kernel mode is used to run operating system functions. This division ensures security in Windows 2000-based computers because it prevents applications from accessing low-level system drivers that are located in kernel mode. Access to kernel mode is secured. When an application needs to request system services located in kernel mode, the request must be made though Application Programming Interface (API). The API, in turn, forwards all requests to the desired services in kernel mode. In user mode, Windows 2000 has two subsystems, Win32 and security. The Win32 subsystem is used for all user interactions, and the security subsystem is the subsystem from where the AD directory service runs. In kernel mode, the actual enforcement of the security rules of the security subsystem takes place in the security reference monitor (refer to Figure 1-8). The actual enforcement of security occurs in kernel mode, which a user cannot access. Figure 1-8 shows the Windows 2000 architecture. The security subsystem runs in the security context of the local security authority process. This security subsystem contains components that ensure that users and applications do not access resources without proper identification and authentication. The components of security subsystem that make up Windows 2000 security model are ◆

Netlogon service (Netlogon.dll). This service locates domain controllers and maintains a secure channel between domain controllers and the client.

◆

SSL authentication protocol (Schannel.dll). This protocol provides encryption to the transmitted data in the application layer for security of data against inspection.

◆

NTLM authentication protocol (MSV1_0.dll). NTLM is used to authenticate clients that do not support previous versions of Windows. These may include Windows NT, Windows 95, or Windows 98.

◆

Kerberos authentication protocol (Kerberos.dll). This is the default authentication protocol for Windows 2000.


NEED FOR SECURITY

Chapter 1

FIGURE 1-8 Security within Windows 2000 architecture.

◆

Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll). This service is responsible for issuing ticket granting tickets to clients as part of the authentication process. It also issues them session tickets for authentication on a resource server.

◆

LSA sever service (Lsasrv.dll). This service is responsible for enforcement of security policies.

◆

Security Accounts Manager (SAM) (Samsrv.dll). The SAM is used for storage of local security accounts on non-domain controllers. It also enforces all locally stored policies and supports APIs.

◆

Directory Service module (Ntdsa.dll). This module is responsible for replication between Windows 2000 domain controllers and Lightweight


33

34

Part I


Directory Access Protocol (LDAP) access to Active Directory. It also manages partitions of data and naming context stored in Active Directory, such as the domain naming context, the configuration naming context, and the schema naming context. ◆

Multiple Authentication Provider (Secur32.dll). This security support provider is responsible for holding all the components together and supports all security packages available on the system.

Summary In this chapter, you were introduced to the need for security. This need is due to the threats and vulnerabilities that exist in the current network systems. The threats and vulnerabilities can be internal as well as external to an organization. Therefore, it is important for the organization, which has a wide variety of people accessing its intranet and the public networks, to detect these threats and vulnerabilities and devise proper countermeasures. Next, the chapter introduced you to the core security features of Windows 2000 that help you to counter the attacks. Finally, you looked at how security is integrated into the Windows 2000 security model. Subsequent chapters offer details on the security features of Windows 2000.

Check Your Understanding Multiple Choice Questions 1. James is the network administrator of Expo Inc., an engineering goods manufacturing company. Lately he has been getting complaints from users that the transfer of data across the network has becomes relatively slow. After monitoring the network usage he finds out that a hacker is intercepting data during transit and modifying the content. What type of attack is this? a. IP spoofing b. Man-in-the-middle attack c. Impersonation d. Social engineering


NEED FOR SECURITY

Chapter 1

2. The hacker uses a program to access the data transferred within the internal network. What is the name of this program? a. A network packet sniffer b. Spoofer c. Virus d. Trojan horse 3. At Velocity Express Inc., the board of directors decides to make Internet access available to its employees. In doing so, what are the attacks that the company is exposing its business to? a. Viruses b. Password cracking c. Trojan horses d. DoS attack e. Session hijacking 4. The hacker runs a program that automatically downloads useless data from the Internet. The transfer of this data blocks the network traffic. This is a DoS attack on which resource? a. Disk space b. Bandwidth c. Buffers d. CPU cycle usage

Short Questions 1. Consider a situation. Host A sends requests to Host B on the network. However, Host A does not send the requests with its own IP address. Instead, it sends the requests with a non-existent IP address. Thinking that requests are from a known host, Host B acknowledges the requests by returning its own IP address to Host A. However, after a few seconds, Host B goes into a hanged state as its memory is clogged with half connections. Can you identify why Host B is in a hanged state? 2. A computer on a network is swamped with several spurious messages from an unknown source. On examining the network, the system administrator comes to the conclusion that not only this computer but also the


35

36

Part I


other computers on the network are behaving abnormally. The other computers do not show the sign of being attacked but their activity logs show processes that do not belong to the computers. The system administrator presents a report that the machine is infested with the DoS attack. Is he right in his judgment? 3. A computer on a network receives several ICMP request messages with data packets loaded in them. The computer, assuming that the requests are coming from a trusted host, starts assembling the packets. However, the computer soon realizes that the data packets are so large that it does not have the ability to handle them. As a result, its buffer capacity is flooded with data packets and it cannot send replies at the same rate. The computer soon crashes. Identify the attack that has occurred on this computer. 4. An organization has been receiving complaints from its customers that they are not able to access the site of the organization. In fact, customers complain that they are redirected to a different site on the network. The organization checks with the DNS administrator to determine whether the contents of the site have been changed. The DNS administrator reports that the site content is intact. In that case, what could be the possible problem with the site? 5. Briefly explain the connection setup process in the three-way handshake process of TCP.

Multiple Choice Answers 1. b. This is a case of Man-in-the middle attack because, in the case of IP spoofing, only the header of the data packet is modified while in case of Man-in-the middle attacks the content of the data packet is modified. 2. a. 3. a, b, c, d, e. When opening to the Internet, companies expose their networks to a wide variety of threats. All the mentioned attacks can threaten a business. 4. b.


NEED FOR SECURITY

Chapter 1

Short Answers 1. Host B has undergone a SYN flood attack. In a SYN flood attack, the computer is flooded with half connections. In other words, the destination computer does not receive an acknowledgement because the requests contain a non-existent IP address. As a result, the connection process is not completed and the other computer remains in a hanged state. 2. The system administrator’s report is not correct. The computers on the network are not infected by DoS attacks; they are infected by a single Distributed Denial-of-Service (DDoS) attack. DDoS attacks use several computers to infect a single computer on the network. The other computers are used as the means of reaching the victim computer. 3. The computer is flooded with the ping of death attack. 4. Looking at the scenario, it doesn’t seem that there is a problem at the organization’s end. It appears that some manipulations have been made on the DNS server. The information that maps the domain names with the IP addresses has been tampered with. As a result, instead of opening the organization’s site, the customers are redirected to a different site. This type of attack is called a DNS spoofing attack. 5. The steps that are used to set up a connection between two hosts (Host A and Host B) on a network are: •

Host A sends a SYN packet to Host B.

•

Host B acknowledges the packets by returning a SYN + ACK packet.

•

In response to the acknowledgment, Host A sends a SYN packet to Host B.


37



Chapter 2 Introducing Windows 2000 Security


etwork operating systems have undergone a tremendous change over the years. Windows NT was characterized as one of the most powerful, secure, and user-friendly network operating systems. Windows 2000, however, came up with many new and enhanced security features. Although Windows 2000 is based on Windows NT, the security features added to Windows 2000 make it a much more reliable and dependable network operating system. Windows 2000 also offers enhanced, more flexible management tools.

N

With the introduction of Active Directory, Windows 2000 network security makes use of other advanced technologies. The authentication methods used in Windows 2000 are more advanced than those used in Windows NT. The common authentication methods in Windows 2000 are Kerberos V5, certification-based authentication, and NT LAN Manager (NTLM). Windows 2000 uses security identifiers (SIDs), access control lists, such as DACL and SACL, and security groups to manage and control unauthorized access to network resources. Data encryption techniques, such as symmetric key encryption, public key encryption, and digital signatures ensure secure data transmission and validate the authenticity of the user. This chapter gives you a broad overview of the security features in Windows 2000. You’ll learn about the Active Directory security features, authentication methods, and the access model. You’ll also learn about the various data encryption methods, Encryption File Security, and Public Key Infrastructure (PKI).

Active Directory The increasing numbers of telecommuters and mobile users have caused presentday networks to be larger and more distributed than earlier networks. To accommodate these changes, operating systems need to have the ways and means to manage distributed resources. A directory service stores information about network resources, such as files, printers, users, and applications, and makes them available to a user based on that particular user’s role. You can manage the resources and the relationships between distributed resources so that they can work together. In addition, a directory service helps you to define and maintain a network infrastructure


INTRODUCING WINDOWS 2000 SECURITY

Chapter 2

and perform system administration tasks easily. A directory service is the means for keeping order in the complexities of large and distributed networks. Windows 2000 uses Active Directory to provide directory services. Active Directory is a scalable, enterprise-class directory service, which is completely integrated with Windows 2000. Active Directory hierarchically organizes the domain security policy and account information of an organization. It replaces the Security Accounts Manager (SAM) database of Windows NT, which stores security information, such as accounts, groups, and passwords. Active Directory forms a trust relationship with the Local Security Authority (LSA) and stores user and access control information to support both authentication and authorization to access system resources.

Active Directory and Security Two key features of Windows 2000 that make use of Active Directory are user authentication and object-based access control. Active Directory confirms a user who is logging on to a domain by verifying the user’s credentials with those stored in Active Directory. In addition, Active Directory also stores access control information for all users who need to access the resources in a domain. For example, when users trys to log on to a given computer or a domain, they provide their credentials to the system and the system authenticates the user’s identification. When a user tries to access a network printer, the system checks access-control lists for access permissions granted to the user for that printer. Active Directory eases the manageability of system resources by allowing you to create user and group accounts. For example, if all the users of a group need to be denied access to a particular file, the administrator can adjust the file properties. An overview of these concepts is provided later in this chapter in section “Access Control Model”.

Active Directory Hierarchy You use the hierarchical structure of Active Directory to efficiently administer the security of a network. In Windows 2000 Active Directory, network resources, such as users, groups, devices, and applications, are referred to as objects and organizations, which collate objects that share common limits, such as sites, domains, and OUs, are referred to as containers. The Active Directory hierarchy is shown in Figure 2-1. The information about these objects and containers in Active


41

42

Part I


FIGURE 2-1 The Active Directory hierarchy.

Directory is organized in a tree structure. This hierarchical structure implements consistent security by: ◆

Using Organizational Units (OUs) to support security settings. OUs are Active Directory containers that you can use to group users, groups, and accounts that have the same security requirements. In the case of multiple domains, each domain can have an OU hierarchy with different security policy settings applied to each OU. For example, you can create an OU that contains the users of a particular department. After creating the OU, you can apply Group Policy settings, such as defining desktop configurations for users in that OU. Group is discussed in detail in Chapter 5, “Security Policies.”

◆

Delegating administration. In Windows 2000, permissions can be set at the OU level. When permissions are set at the OU level, administrators can delegate tasks with similar attributes to selected administrators. For example, the administrators in an OU can be granted rights to modify



Chapter 2

the passwords in that OU, but they may not have the rights to create new users. ◆

Using domains to define security limits. A domain consists of objects with the same security policy. Within a domain, a security policy applies to all security accounts. However, the child domains do not inherit this policy. For example, if the domain settings, such as an account policy, vary between different areas in an organization, you must split the organization into multiple domains and define security settings for each domain.

You can apply consistent security configurations across organizational units (OUs) and domains within a forest by using the various security features of Active Directory.

Group Policy If you have worked on Windows NT you know that in Windows NT 4.0, the System Policy Editor tool was used to configure the user and computer settings stored in the Windows NT registry database. In Windows 2000, you can use Group Policy Objects to define system and application settings for groups of users and computers. An administrator uses a Group Policy to specify settings for desktop configurations for users and classes of computers, such as domain controllers, kiosks, and application servers. For example, Group Policy can be used to configure security options, manage applications, assign scripts, redirect folders, and manage desktop appearance. You can use Group Policy settings either for defining local policies on a local machine (local Group Policy settings) or defining system configurations for a particular group of users or computers. Group Policy settings are included in Group Policy objects (GPOs). These GPOs are associated with specific Active Directory containers, sites, domains, or OUs. Using Group Policy, you can create a specific desktop configuration for a particular group of users or computers. This is unlike the System Policy Editor in Windows NT, where desktop configuration can only be configured in a specific user’s desktop environment. A Group Policy has the following characteristics: ◆

Sites, domains, and OUs can be associated with it.

◆

Only the administrator can change the settings.


43

44

Part I


◆

It affects all the users and computers in the specific Active Directory container.

Trust Relationships To ensure secure data transfer between two domains, you create a trust relationship between the domains. Trust relationships are also used to allow the authentication of user accounts in one domain by resource servers in some other domain. In this type of relationship, the domain that allows access to data trusts the other domain. The domain that trusts another domain is known as the trusting domain while the other domain is the trusted domain. The trusting domain allows access to resources even if the users and computers in the trusted domain do not exist in the trusting domain. To work in a trust relationship, the trusted domain should have valid user accounts for the trusting domain. In a Windows NT 4.0 multidomain environment, every domain can be classified as an account domain or a resource domain. One or more resource domains can have a one-way trust relationship with account domains. This means that user accounts created in account domains are trusted by all resource domains, whereas accounts created in resource domains are not automatically trusted by account domains. As a result, managing trust relationships over a large network containing many resource and account domains can become a complex task. Windows 2000 supports two types of trust relationships, transitive and nontransitive. Transitive trust relationships exist automatically between domains, but nontransitive trust relationships have to be explicitly created. These trusts are explained in detail as follows: ◆

Transitive trust. A transitive trust is a two-way trust relationship that is applied automatically to all domain members of the same tree or forest, as shown in Figure 2-2. For example, if domain A and B have a trust relationship and domain B and C also have a trust relationship, it is implied that domain A and C also have a trust relationship. For authenticating the domains, a transitive trust relationship uses the Kerberos version 5 security protocol, introduced later in this chapter.

◆

Nontransitive trust. Nontranstive trusts can be further classified as shortcut trusts and external trusts.

◆

Shortcut trust. Shortcut-trust relationships help you in improving the efficiency of remote authentication by shortening the path that logon traffic has to traverse. A trust path can be configured to avoid all



Chapter 2

intermediary domains. A trust path comprises a series of trust relationships. For example, a parent domain A has two child domains B and C, and a user in domain B needs to access an object in domain C. This access will be provided after traversing the series of all intermediate trust relationships, that is from domain B to domain A and then from domain A to domain C. To obtain authentication and query results between domains B and C quickly, a shortcut trust relationship can be established between them. Also known as a cross-link trust relationship, a shortcut trust relationship helps to reduce the time required to bypass all intermediate trust relationships. ◆

External trusts. An external trust relationship is the trust relationship between Windows 2000 domains located in different forests. You can also create external trusts between Windows NT domains and Windows 2000 domains. In the case of external trusts, you can give resource access to only that domain from where a trust relationship originates because all external trust relationships are one-way or nontransitive trusts. However, to create a two-way trust between two domains, you should create two external trusts between them.

FIGURE 2-2 Types of trust relationships.


45

46

Part I


TIP An external trust affects only the domains that form the trust relationship and not the entire forest.

Authentication Authentication is the process of identifying a user during logon, or when the user accesses some network resources. In other words, authentication verifies that somebody actually is who he/she claims to be. This kind of authentication is analogous to proving one’s credentials at an international border by showing a passport. The guard authenticates the passport by verifying that it was issued by a government authority. Similarly, Windows 2000 authenticates a user when the user proves his identity at the time of logon. Windows 2000 supports single signon that allows users to simultaneously authenticate to multiple servers and applications. After a network has authenticated a user, the user does not need to be authenticated separately when she logs on to some other network resources. This way, users can access network resources based on a single logon using a user name and a password. In Windows 2000, user authentication involves two different types of logon processes: ◆

Interactive logon. The user logs on to either a domain account or a local computer account. Domain user accounts are stored in Active Directory services. The user logging on to a domain account is first authenticated to the domain before being allowed to access the local system services. For a user to log on to a local machine, the user must have an account in the system’s SAM.

◆

Network authentication. The identity of a user is provided to specific network services that a user tries to access. Network authentication is dependent on the success of interactive domain logon.

Windows 2000 also supports optional smart-card authentication. Deploying smart-card authentication, though, requires additional resources. A smart card is an electronic device that stores data such as the authentication credentials of user



Chapter 2

logon and remote access authentication. In order to use the card, the user must insert the card into the smart-card reader that is attached to the system, and then enter a unique personal identification number (PIN). A smart card, usually the size of a credit card, contains a small integrated circuit that cannot be tampered with. The user’s private key, logon information, and public key certificates stored in the smart card provide tamperproof authentication and nonrepudiation. Smart cards are explained in detail in Chapter 3. The following authentication methods are supported by Windows 2000: ◆

Kerberos V5 authentication

◆

Certificate-based authentication

◆

NTLM protocol authentication

◆

Secure Sockets Layer/ Transport Layer Security (SSL/TLS) authentication

Kerberos V5 Authentication The Kerberos authentication protocol was developed by the Massachusetts Institute of Technology and has been implemented on many platforms. The latest version of Kerberos—Kerberos V5—also has been implemented on a wide variety of platforms and has been used as a single authentication service in a distributed network. Kerberos V5 replaces NTLM as the default authentication protocol for handling the authentication of user or system identification. When using Kerberos V5, passwords are sent encryptedacross networks and not as plain text. Kerberos authentication is fully integrated with the Winlogon single sign-on architecture to provide authentication and access control. In other words, if a user provides a password to log on, Windows 2000 uses Kerberos for authentication. Similarly, if a smart card is used to log on, Kerberos authentication with certificates is used. Kerberos V5 implements a network authentication service called Key Distribution Center (KDC). Because Kerberos is implemented on a wide variety of platforms, a client running on an OS other than Windows 2000 can request and use the service ticket issued by a Windows 2000 KDC. Similarly, a Windows 2000 Professional desktop can also be configured to use UNIX KDC.


47

48

Part I


Certificate Authentication When you install Windows 2000 Certificate services, you can create certification authorities (CAs), which manage and issue digitally signed certificates. These certificates contain information such as user account names, group memberships, and certificate templates. The CAs obtain this information directly from the Active Directory. You can organize the CAs into a parent-child relationship hierarchy to manage security over a public or private network, as shown in Figure 2-3. The top-level CA is known as the root CA while the CA below the root CA is known as the subordinate or intermediate CA. For large-sized networks, a CA provides easy administration and scalability.

FIGURE 2-3 Certification Authorities.



Chapter 2

NTLM Protocol Your network might contain Windows NT 4.0 or earlier versions of Windows. These versions do not support new authentication protocols, such as Kerberos V5. You can use the NT LAN Manager (NTLM) protocol to authenticate computers that still run Windows NT 4.0 or some earlier version of Windows. You can also use this protocol to authenticate logon requests to stand-alone Windows 2000 computers. NTLM is used when: ◆

You want to authenticate a computer running Windows 2000 to a computer running a Windows 2000 stand-alone server.

◆

You want to authenticate a computer running Windows 2000 to a computer running a Windows NT server.

◆

You want to authenticate computers running Windows 95, Windows 98, or Windows NT configured with Windows 2000 Directory Services Client software to a Windows 2000 domain controller.

◆

A Windows 2000 client computer is unable to authenticate a Windows 2000 domain controller by using the Kerberos V5 authentication.

The NTLM V2 protocol is supported by Windows NT 4.0 with Service Pack 4 or higher. If Windows 95- and Windows 98-based computers do not have Directory Services Client, the LAN Manager protocol is used for authentication. The NTLM protocol assumes that every server is authentic and, therefore, does not authenticate the servers. On the other hand, Kerberos supports mutual authentication, which means that both a client and a server authenticate each other.

Secure Sockets Layer/ Transport Layer Security (SSL/TLS) Authentication You now know that Kerberos V5 authenticates users entering a Windows 2000 domain. On the other hand, the SSL authentication protocol is used to authenticate a user for a secure Web server over the Internet. This protocol uses a combination of public and private keys for secure data transfer. TLS protocol provides privacy and security between two applications interacting over a network. These protocols are discussed in detail in Chapter 3, “Authentication.”


49

50

Part I


Accessing Network Resources In a distributed network where a host of users need to access multiple resources, one of the important tasks for an administrator is to save the confidential resources on the network that need to be secured from unauthorized access. These resources can range from printers to files and folders, member servers, scanners, and so on. Various access events that occur for an object can be tracked by auditing the object. Selected events get recorded in the event log of a workstation or a server.

Access Control Model In Windows 2000, the access control model forms a basis for the security of network resources. You can use this model to access and audit network resources. Access control and auditing mechanisms are based on rights and group memberships assigned to users in the Active Directory. To restrict unauthorized access to certain resources in Windows 2000, you can: ◆

Use security identifiers (SIDs).

◆

Define access control lists, such as Discretionary Access Control List (DACL) and System Access Control List (SACL).

◆

Define security groups, such as global groups, domain local groups, and universal groups.

Access control model is discussed in detail in Chapter 4, “Authorization and Access Control.”

Security Identifiers A security identifier (SID) is a domain-unique value that is generated when you register a computer with a domain, or when you create a user or a group. You use SIDs to uniquely distinguish security principals, such as the groups, users, machines, and domains within a system. The access control mechanisms that control access to network resources identify security principals by their SIDs rather than by name. Windows 2000 uses SIDs in the following access control components: ◆

Access tokens. Each user, based on the rights and permissions granted to the user, is granted an access token. A SID contained in the access token



Chapter 2

represents the user. Other SIDs represent the groups to which the user belongs. ◆

Security descriptors. One of the SIDs on a security descriptor represents the user of the descriptor and another SID represents the primary group of the user.

◆

Access control entry (ACE). An ACE for a resource contains a SID that denotes the user or the group to which access is allowed, denied, or audited.

The characteristics of SIDs are: ◆

They are automatically generated when a principal account or security group is created.

◆

They assign a unique identity to users, groups, or machines.

◆

They grant access rights and permissions to network resources.

Access Control Lists An ACL is a sequence of access control entries (ACEs) that define the access permissions or denials that apply to an object and its properties. When a user tries to access a resource (for example, a file) on the network, the object’s ACL is used to compare the information about the user. If the user has the desired rights and permissions to that object, the user is allowed to access the object, otherwise he is denied access. There are two types of ACLs: dynamic access control lists and system access control lists.

Discretionary Access Control List (DACL) The DACL of an object contains a list of ACEs. Each ACE is linked to one SID and contains information specifying entry allowed or access denied permissions granted to a single user or group. The DACL controls access to system resources by specifying the users or groups who have rights for accessing these resources.

System Access Control List (SACL) You use the SACL associated with a resource for auditing resources rather than controlling access to them. The SACL lists the access control entries (ACEs) that indicate whether a success or failure event was triggered during auditing. Each auditing event is recorded in the security log of a system.


51

52

Part I


Configuration Management In a network consisting of several users, it is very important to set up and manage the security settings of an organization’s network. For the administration of Windows 2000-based system security settings, Windows 2000 includes two tools. They are the Security Configuration and Analysis tool and the Security Templates tool. The Security Configuration and Analysis tool is used to apply the restrictions defined in security templates to actual systems. Administrators can use the Security Templates MMC snap-in to define standard templates and apply them to multiple users and groups. The following section describes these security groups.

Security Groups For efficient and effective administration of network resources, you can arrange users and domain objects into groups. You can use the Windows 2000 security groups to assign the same security permissions to a large number of users by a single action. This way you can also ensure consistency while assigning rights and permissions to the users. In Windows 2000 there are two types of groups: ◆

Security groups. Security groups can be used to group users on the basis of their security permissions. These groups can also be used as mailing lists. You can include security groups in DACLs to assign permissions to objects and resources.

◆

Distributed groups. Security functions are not associated with these groups. You use these groups only for creating mailing lists. Distributed groups cannot be included in DACLs for assigning object and resource permissions; they can be used only with e-mail applications for sending mail to groups of users.

While creating a user account, you add the user account to a security group. Based on the security group’s rights and permissions, the user’s permissions and access limits are also defined. In Windows 2000, there are four types of predefined security groups illustrated in Figure 2-4: ◆

Domain local groups ◆ Global groups ◆ Universal groups ◆ Computer local groups



Chapter 2

FIGURE 2-4 Types of security groups.

Domain Local Groups You use domain local groups to grant access rights mainly to resources, such as file systems and printers located in a domain requiring common-access permissions. These groups are also known as resource groups. The following are the features of domain local groups: ◆

You can assign access rights and permissions to domain local groups only within the domain in which they are located.

◆

You can use domain local groups on any computer within the Windows 2000 domain in which they are defined.

◆

You can include other domain local groups in a domain local group.

◆

You can include global groups, universal groups, and accounts from any domain in a domain local group. In native mode, you can convert a domain local group to a universal group only if the domain local group does not have another domain local group as its member.


53

54

Part I


Global Groups You use global groups to arrange users with the same access permissions. These permissions are assigned on the basis of their job function or business role. You can assign permissions to these groups in any domain in the forest. These groups don’t have any built-in system privileges and have global scope. The following are the features of global groups: ◆

You can make global groups the members of universal and domain local groups in any domain in a forest.

◆

They contain only those user accounts that are located in the domain where a global group is created.

◆

In native mode, you can include other global groups from the same domain within one global group.

◆

You can assign rights and permissions to global groups by making them members of a domain local group that is granted permissions to a set of related reasources.

◆

In the case of very large group structures, global groups can also be nested.

Universal Groups You use universal groups only in multiple domain trees or forests. There might be a situation when you need to grant access to similar groups that are located in multiple domains. In such a situation, you use a universal group. These groups don’t have any built-in system privileges. The features of universal groups are: ◆

You can grant rights and permissions to universal groups in any domain in a domain tree or forest.

◆

You can easily grant access to universal groups by making them a member of a domain local group that is used to grant permissions to resources.

◆

They contain accounts, global groups, and other universal groups from any domain in a domain tree or forest.

◆

You cannot convert them to any other type of group.

◆

You can group global groups created in multiple domains.

◆

You can create them in any native-mode domain in a forest.

◆

The global catalog stores the details of the membership of a universal group.



Chapter 2

Computer Local Groups These groups are specific to a computer and are not defined elsewhere in a domain. You use computer local groups to define local access permissions and perform administrative tasks on that computer directly.

Data Encryption You can use encryption to secure data in a Windows 2000 network. When you encrypt the data, it gets transformed into ciphertext or protected data. Encryption is mostly used for securing locally stored files and folders and data transmissions from unauthorized access. An encrypted file can only be read and decrypted by a user who has its decryption key. Windows 2000 supports symmetric key encryption and asymmetric key encryption, each to its own function.

Symmetric Key Encryption You can use symmetric key encryption to protect your data from unauthorized access. Symmetric encryption algorithms use the same key for both encrypting and decrypting data, and therefore the term symmetric encryption. The data that is transformed into ciphertext actually consists of two parts, the cryptographic algorithm (the constant part) and the cryptographic key (the variable part). You can use a cryptographic algorithm on a number of devices or software supporting cryptography. Generally, the algorithm part is not considered to be secret, and hence the cryptographic key should always be kept a secret. Symmetric key encryption is also known as secret key encryption. Communication protocols can use symmetric key encryption to transmit data securely.

NOTE Symmetric key encryption is the encryption choice in communication protocols, such as IPSec and TLS because it is much faster than public key encryption.

Technologies Using Symmetric Key Encryption Using symmetric key encryption (illustrated in Figure 2-5), you can efficiently encrypt a large amount of application data. The encryption-decryption algorithm


55

56

Part I


FIGURE 2-5 Symmetric key encryption.

that is used in a symmetric key encryption is also known as a shared secret key. This algorithm does not involve a large amount of processing. Therefore, it is widely used. You can encrypt the following types of application data by using symmetric key encryption: ◆

Document files encrypted using Microsoft Office products, such as Word, Excel, or Access.

◆

Confidential e-mail messages. Secure Multipurpose Internet Mail Extension (S/MIME) is the standard that uses symmetric key algorithms to encrypt messages to ensure the confidentiality of e-mail.

When you want to transmit confidential information, you can use the shared secret keys that are used in symmetric encryption. Various communication protocols, such as Internet Protocol Security (IPSec) and Transport Layer Security (TLS), use the shared secret keys as session keys for transmitting confidential data.By using symmetric key encryption with standard encryption algorithms, these protocols encrypt and decrypt the confidential data that is exchanged between the sender and the receiver.



Chapter 2

Asymmetric Key Encryption While symmetric key encryption uses a single key for both encryption and decryption, asymmetric key encryption uses two complementary keys for encryption and decryption. These keys are the public key and the private key. The public key is used to encrypt data, and the private key is used to decrypt data. Therefore, to ensure the security of data, the private key is kept secret. The public key can be derived from the private key and need not be kept secret. The public key, which is illustrated in Figure 2-6, is available to all the users on a network. This is the reason why the private key is known only to the owner of the key. The use of two separate keys makes asymmetric key encryption more secure than symmetric key encryption. After data has been encrypted using a recipient’s public key, it cannot be decrypted by any key other than the recipient’s corresponding private key. Public key encryption performs the following functions in Windows 2000: ◆

It encrypts symmetric keys. In this way, it protects the symmetric keys when they are being exchanged over a network

◆

It also protects the symmetric keys that are stored in EFS-protected documents.

FIGURE 2-6 Public key encryption.


57

58

Part I


TIP Public key encryption requires a greater amount of processing to decrypt data than symmetric key encryption does. This processing burdens the processor with a heavier load, and as such, it is not suited for encrypting large amounts of data.

Encryption File System You now know different techniques and methods for protecting resources on a centralized network. But what do you do to secure data on the hard disk of your computer? The answer to this lies in the Encryption File System (EFS). You can encrypt a file stored on NTFS partitions by using EFS. Only the user who had encrypted the contents of the file by using EFS can decrypt it. EFS provides a higher level of security by denying unauthorized access to confidential data on a computer. You can use EFS to encrypt all the confidential data in a user’s document folders. This way even if someone tries to boot a computer with a floppy disk containing another operating system, the folders that have been encrypted using EFS cannot be accessed. The data cannot be decrypted unless an authorized user logs on the network initially. Using EFS, you encrypt a file or folder only in the NTFS volume. The OS encrypts the files using the public key and symmetric key encryption algorithms. Although this mechanism works internally and is complicated, the users and administrators can encrypt a file by using the Advanced Attributes dialog box, which is in the File Properties dialog box. What happens if the owner of the data loses his keys or leaves the organization? In such a situation, the EFS recovery policy comes into play. The EFS issues recovery certificates to the Domain Administrator account. These certificates act as recovery agents for the domain to apprehend encrypted files. In the case of stand-alone computers, EFS recovery certificates are issued to the local administrator’s account.

CAUTION Only NTFS used in Windows 2000, which is NTFS5, supports EFS. No other file system, including earlier versions of NTFS, supports EFS.



Chapter 2

TIP If an encrypted file is copied to a file system that does not support the Windows 2000 NTFS volume, the contents of the file are copied as plain text and the encryption is removed. Windows NT 4.0 with service pack 4 and above supports the Windows 2000 version of NTFS, but files encrypted using EFS cannot be read from a Windows NT system.

Encryption of Stored Data by Using EFS Both symmetric and asymmetric key encryption are used by EFS to secure stored data stored in NTFS 5 volume on the hard disk of a computer. The steps to encrypt the data are: ◆

A symmetric key known as the file encryption key first encrypts the data.

◆

The owner’s public key is used to encrypt the file encryption key. A field header known as the Data Decryption Field (DDF), which is attached to the file, stores this encrypted file encryption key.

◆

The owner uses his private key to decrypt the data.

Encryption of Transmitted Data by Using EFS Once a file is encrypted using EFS, it automatically encrypts the file when it is being used or saved. When a file is being read from a disk before being sent to a remote location, it is decrypted. There is no security for data when it is being transmitted. You can encrypt the data being transmitted between a client and a server by using industry-standard protocols, such as IPSec, Secure Socket Layer (SSL), and Transport Layer Security (TLS). ◆

IPSec. IPSec ensures the security, integrity, and confidentiality of the data that is being transmitted over an insecure network. The encryption of data by IPSec takes place at the IP network layer. In this way, it does not require any configuration at the Application Layer and is also transparent to many applications. The data encryption occurs at the IP layer by the computer that is sending data. The decryption is done only by the computer that is receiving data. In this way, data is decrypted before it reaches any application. Symmetric key encryption is used by IPSec to


59

60

Part I


encrypt large amounts of data. The symmetric key is encrypted using a public key to ensure that only the authorized user (the recipient of transmitted data) can decrypt the symmetric key. ◆

SSL. SSL encrypts data at the Application Layer. This protocol can be used only with applications that support SSL. You can use SSL to authenticate servers, encrypt data, and maintain data integrity for applications supporting both symmetric and public key encryption. As with IPSec, SSL uses symmetric key encryption for encrypting large amounts of data and public key encryption for ensuring that only the recipient can decrypt the symmetric key.

◆

TLS. TLS is quite similar to SSL. It is also an Application Layer protocol that uses both symmetric and public key encryption. As in the case of IPSec and SSL, TLS ensures that the symmetric key encrypts large amounts of data and public key encryption ensures that only the authorized user reads the data.

Public Key Infrastructure Public key cryptography is used to protect data transfer on open networks, such as the Internet. The term public key infrastructure (PKI) is used to manage, use, and find certificates and public and private keys. PKI can be implemented in software, standards, and policies. In practice, PKI refers to an industry-standard system of digital certificates, certification authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. Windows 2000 PKI provides a framework for deploying and managing a strong information security system that is based on public key technology. Windows 2000 uses PKI to authenticate and validate clients involved in the exchange of electronic data. Digital certificates help you to authenticate user accounts by providing electronic credentials while CAs help to verify the identity of user accounts by issuing digitally signed certificates, as shown in Figure 2-7. The main concepts related to PKI are: ◆

Microsoft Certificate Services. You can use these services to allow an organization to implement its own PKI and issue its own certificates.



Chapter 2

FIGURE 2-7 Public key infrastructure.

◆

Smart card logon. You can use a smart card to store certification keys and cryptographic data.

◆

Active Directory. You can use the Active Directory to publish certificates and Certification Revocation Lists (CRLs).

◆

CA. Windows 2000 contains preloaded commercial CA certificates. With these certificates, users and computers can use existing PKIs on the Internet.


61

62

Part I


◆

Group Policy containing Public Key policies. By implementing these policies, the external CAs trusted by users and computers can be controlled by administrators.

Summary In this chapter, you were introduced to the significant security features of Windows 2000. You learned that Windows 2000 uses Active Directory as a core flexibility and scalability feature of the Windows 2000 security model. In addition, you learned that Windows 2000 uses various authentication protocols with Kerberos V5 being the default authentication protocol. Windows 2000 also uses various methods of data encryption, such as symmetric and asymmetric encryption. EFS is the file system that facillitates the optional encryption of data stored on the hard disk. Finally, you were introduced to Windows 2000 PKI, which makes extensive use of certificate to ensure security.


PART

II An Insight into Windows 2000 Security Features




Chapter 3 Authentication


n today’s world where networks are prone to the risks of hackers and unauthorized access, it is very important for an operating system to control access to the resources on a network. Most distributed networks support many users, each having different access permissions to the resources and computers on the network. The security model of an operating system ensures a tight control on resources by using the following mechanisms:

I

◆

The security model should be such that it first identifies an unauthorized user or computer, and restricts the user to accessing the data and resources on a computer. A server must verify the identity of a user in such a manner that a hacker or a rogue application is not able to gain access to the server.

◆

The security model should finally identify a valid user and enable the user to access the data and resources on a computer.

You may wonder why authentication and authorization are treated as different concepts? Authentication is a method that enables an operating system to validate the identity of a user attempting to connect or log on to a server. Authenticating a user ensures that only a valid user with pre-assigned access credentials can connect to a computer. Authentication is the first step toward enabling a user to access resources. On the other hand, authorization is verification that the attempt to gain access is permitted; this happens after authentication. Once the user is authenticated and tries to access an object, the permission is granted based on the rights attached to an object for that particular user. There are various ways in which the access of a user can be restricted. You will learn more about this in Chapter 4, “Authorization and Access Control.” This chapter primarily deals with authentication and the various methods by which Windows 2000 implements it. In the introduction to authentication, you will learn about interactive logon and network authentication. As discussed in Chapter 2, Windows 2000 supports a variety of authentication methods. This chapter discusses the complete architecture and working of Kerberos V5. This chapter also explains how a Security Support Provider (SSP) implements a network authentication protocol that authenticates a user to access a network application


AUTHENTICATION

Chapter 3

via Security Support Provider Interface (SSPI). Finally, the chapter explains Windows 2000 support for the NT LAN Manager (NTLM) protocol for compatibility with Windows NT-based systems and Secure Sockets Layer (SSL) for communication with secure Web servers.

Introduction to Authentication Single sign-on is one of the key features of Windows 2000. By using a single password or smart card, a user logs on to a domain once, and can be authenticated to any computer or resource on the network. The network resources can include printers and other hardware, files, and folders on machines and applications, all of which may be spread throughout the network on various types of servers running various operating systems. Successful authentication, including single sign-on, in a Windows 2000-based computing environment consists of two separate processes: interactive logon and network authentication.

Interactive Logon and Network Authentication In Windows 2000, entering logon credentials, for authentication to a domain account or a local computer, is called interactive logon. Winlogon provides interactive logon support for the Windows 2000 operating system. The logon support may be provided by typing a password, or, on specially equipped systems, it may be provided by a smart card protected by a PIN. Other sophisticated systems might even take logon credentials in the form of biometric identification, such as fingerprints or retinal scans. Irrespective of the method used for accepting credentials, Winlogon collects the user’s credentials, packages them, and passes everything to the Local Security Authority (LSA) for verification. If the LSA can verify that the user’s account is valid, Winlogon starts an interactive session on the computer. Otherwise, the user is denied access to the computer. A successful logon to a domain account provides access both to the resources and services on the local machine, and to the domain’s authentication service, which is used to authenticate access to network resources.

Security Principals In Windows 2000, any entity that can initiate action is called a security principal. Security principals can be human users or inanimate entities, such as computers or services. If a security principal intends to act on a computer, it establishes a


67

68

Part II

AN INSIGHT INTO WINDOWS 2000 SECURITY FEATURES

communication channel by presenting its credentials from a trusted authority to the LSA on which the principal intends to act. For example, even if there is no user logged on to a Windows 2000 computer in a domain, the computer communicates with the domain controller. To start a communication channel, the computer must have an account in the domain and must present its credentials to the DC to prove that it actually has an account. The LSA on the DC authenticates the computer’s identity exactly as it does for a human user.

Interactive Logon After the user credentials are found to be valid, Winlogon sets an interactive session on the user’s computer. Interactive logon requires the following three network components: ◆

Winlogon.exe. This module loads the other two components required by interactive logon. It also handles other operations related to the user interface that are not related to the authentication policy, such as creating usable desktops, maintaining workstation states, registering a secure attention sequence (SAS) with the operating system, and applying timeout operations. ◆ Graphical Identification and Authentication DLL (GINA). Unlike Winlogon, this module performs user interface functions related to an authentication policy. This DLL is loaded by Winlogon early during the boot process. It provides a list of export functions that Winlogon uses to authenticate a user. This DLL can be replaced by other GINA modules, so it also supports other forms of user identification and authentication. For example, GINA can provide functionality for biometric identification. ◆ Network Provider DLL. Secondary authentication through a standard protocol to other types of networks, such as Linux or Novell, can also be provided by DLLs loaded by Winlogon. A network-provider DLL can translate logon instructions provided by the user for logon purposes on that network when interactive logon occurs. Winlogon calls GINA whenever it has to execute a task. GINA then detects the SAS and registers it with Winlogon. When the user keys in her credentials, Winlogon again passes control to GINA. The SAS provides a trusted path to the operating system so that other applications do not attach themselves to this sequence


AUTHENTICATION

Chapter 3

to capture user passwords. The default SAS is Ctrl+Alt+Del. When the SAS is registered with Winlogon, it generates three desktops for system use: ◆

Winlogon desktop. When Winlogon receives an SAS, it switches on the Winlogon desktop for user authentication. This is the familiar logon prompt, which appears when you press Ctrl+Alt+Del. This dialog box allows the user to enter her user name, password, domain name, and so on.

◆

Application desktop. This is the desktop that appears when user credentials are verified and accepted. The application desktop is also called a user desktop and is available as long as the user remains logged in. This desktop is also protected and is available only to a logged-in user.

◆

Screen saver desktop. This is the desktop that is active when a screen saver is executing. A user can have access to this desktop only if she is logged in.

The authentication actions performed by GINA are specific to the current state of Winlogon. GINA is responsible for implementing state transitions, whereas Winlogon is responsible for implementing states. Winlogon maintains three states: ◆

Logged-on state. The logged-on state refers to the state in which the user has access to the application desktop and can run an application. A user can also transfer from this state to the other two states (logged-off or locked). If the user wants to log off, she can close all the running applications. In this case, Winlogon terminates all the processes connected to that user’s logon session and changes the state to locked. A user can also choose to lock the workstation for later use, which changes the session state to workstation locked.

◆

Logged-off state. This state occurs when there is no current interactive logon session on a computer. From this state, if a user chooses to log on, he can invoke the SAS and present his credentials when prompted by Winlogon. If the user credentials are successfully validated by GINA, Winlogon changes the session state to logged-on.

◆

Workstation-locked state. This is a secure state where only a user can switch to the logged-on state or an administrator can switch to the logged-off state. To unlock the workstation and reactivate the application desktop, a user can provide his original logon credentials. Alternately, an administrator can provide his credentials to terminate the logon session and return to the logged-off state.


69

70

Part II


How Does Authentication Take Place? To understand how interactive logon authenticates a user, there are two key concepts that you need to know: authentication package and local security authority.

Authentication Package An authentication package is a software package that implements different protocols for determining whether or not a user has privileges to a particular domain or service. It is implemented as a DLL and takes user credentials as input and determines the validity of the user. An authentication package uses its authentication routines to determine whether or not to permit the user to log on. An LSA links to the DLLs of an authentication package during the boot process and passes the logon credentials to the authentication package. This happens both during interactive logon and network authentication. Apart from authenticating a user, the authentication package has two other responsibilities: ◆

Creating a new LSA logon session for the user

◆

Returning a set of SIDs that will be part of the user’s security access token

In Windows NT 4.0, the only available authentication package was MSV1_0, but Windows 2000 comes installed with two authentication packages, MSV1_0 and Kerberos V5. You can find out which authentication package DLLs are available on the hard disk of your computer in the following registry location: HKEY_LOCAL_MACHINES\System\CurrentControlSet\Control\Lsa\AuthenticationPackage

The Kerberos V5 authentication package cannot handle local logon requests on workstations or member servers. It requires the presence of a Key Distribution Center (KDC). KDC runs as a service only on a Windows 2000 domain controller and not on member servers or workstations. By default, two authentication packages for Kerberos V5 and MSV1_0 are installed. Windows 2000 is extensible, which means that software vendors can implement custom-built authentication packages to provide other authentication processes. For a non-default package, GINA should be replaced with a GINA that calls that package.


AUTHENTICATION

Chapter 3

The authentication database stores the credentials needed during the authentication process. In NT4 machines, Windows 2000 workstations, and member servers, local user credentials are stored in the SAM database (which is part of the system registry). A Windows 2000 domain controller stores all user credentials in Active Directory.

Local Security Authority The LSA is the OS kernel component of Windows 2000, and its key features are validating user credentials for logon and maintaining the local security policy. After Winlogon receives an SAS from the user, Winlogon passes control to GINA. Winlogon displays the Winlogon desktop and accepts user credentials. GINA passes this information to the LSA. In order to validate the data, the LSA calls a specific authentication package, such as Kerberos V5 or NTLM. The authentication package checks the user credentials for validity and returns the results to the LSA. The LSA, in turn, passes these results back to GINA, which returns the results to the user. If the credentials are found to be valid, the user is authenticated and the application desktop is displayed. Otherwise, an appropriate error message is displayed.

Interactive Logon to a Local Machine As explained earlier, credentials containing local accounts are stored in the SAM database. The SAM database is stored in the local computer’s registry. The user’s logon credentials are compared with the credentials stored in the SAM database. To start the logon procedure, the user invokes the SAS by pressing Ctrl+Alt+Del. Winlogon displays the Winlogon desktop, dispatches to GINA, and then displays the logon prompt. Once the user enters her credentials, GINA collects this information and feeds it to the LSA. The LSA calls the appropriate authentication package for verifying the user’s credentials and if the user is found to be a valid user, it returns the user’s SID and group membership SID to the LSA. This process is illustrated in Figure 3-1. Before learning about interactive logon to a domain account, you need to look at the Kerberos V5 authentication protocol, which is the default protocol used while logging on to a Windows 2000 domain.


71

72

Part II


FIGURE 3-1 Interactive authentication process.

Kerberos V5 Authentication Protocol The Kerberos V5 authentication protocol replaces NTLM as the default protocol for users who log on to a Windows 2000 domain account from a Windows 2000 computer. The Kerberos protocol provides for mutual authentication between a client and a server before a client can request access to a server resource.

Advantages of Kerberos One of the most important benefits of Kerberos V5 is that it supports mutual authentication. This means that a client intending to access a resource on a server has to be authenticated by the server and, at the same time, the server is authenticated by the client. In the Kerberos authentication process, the client requests a service from a network server by sending it a service ticket. The server, in turn, responds by sending a time stamp encrypted with a session key shared with the client. On receiving the encrypted time stamp, the client decrypts it and verifies the time stamp. If the time stamp is valid, the client authenticates the server. This feature is not present in NTLM, where servers are assumed to be genuine. Thus, in Kerberos, clients TEAM LinG - Live, Informative, Non-cost and Genuine!

AUTHENTICATION

Chapter 3

are protected against providing credentials to a rogue server. Other advantages of Kerberos are as follows: ◆

Simplified trust creation and management. In a Windows 2000 tree, an implicit two-way transitive trust relationship is created automatically as part of the domain hierarchy building process. Transitive trust means that if both east.stronglock.com and west.stronglock.com trust stronglock.com, then east.stronglock.com implicitly trusts west.stronglock.com. One of the features that make transitive trusts possible in Windows 2000 is the Kerberos authentication protocol. Under Kerberos, the credentials issued by the security authority of one domain are accepted anywhere in the domain tree. Therefore, mutual authentication with Kerberos V5 reduces the number of explicit trusts that you need to define in a domain tree. This leads to simplified trust management.

◆

Open standard. Kerberos V5 is based on the standards defined in RFC 1510. This makes Kerberos V5 compatible with other operating systems supporting an RFC 1510-based Kerberos implementation. Thus, a Windows client can log on to another non-Windows 2000 server that supports Kerberos.

◆

Faster connections. When a client wants to access a server the first time, the server authenticates the client by examining the credentials provided. On subsequent visits, the server does not need to verify the credentials of the client; it can reuse the credentials throughout a network logon session.

How Does Kerberos V5 Work? To validate the entities involved in an authentication process, Kerberos uses symmetric key encryption. In symmetric key encryption, communicating entities use the same key for both encryption and decryption. The question that now arises is how does Kerberos protect a symmetric key? In practice, the key is generated at one end of the communication channel and should be sent to the other end of the communication channel in a secure manner. If anybody could use the secret key when it is sent across the network, the whole authentication system is rendered futile. Thus, the secrecy of the secret key is an important part of the authentication mechanism. Kerberos has three parts: a server, a client, and a trusted third party. The trusted third party is the protocol that intermediates between a server and the client who TEAM LinG - Live, Informative, Non-cost and Genuine!

73

74

Part II


wants to access a resource on the server. The third party is called a KDC and it runs as a service on a Windows 2000 domain controller on the network. Another important factor is the authenticator, which is a simple protocol that uses secret-key authentication in which information is encrypted with a secret key. The encrypted information should be different every time the protocol is executed; otherwise, an unauthorized person can capture the information. Let me explain this with an example. Consider two users, Alice and Bob, intending to communicate with each other. Before the communication can start, however, each of them needs to prove his or her identity to the other person. This authentication takes place in the following steps: 1. Alice sends a message to Bob that contains her name and some information encrypted in a secret key she shares with Bob. This information can contain Alice’s credentials and the current time on Alice’s workstation, also called a time stamp. 2. Bob receives the message, decrypts it by using the same shared secret key, and compares the time stamp on the message with the time on his workstation. If the time skew is greater than 5 minutes, he can reject the message. Otherwise, he can be sure that the message was actually sent by Alice and not someone else using a message previously sent by Alice. 3. Bob uses the secret key again to encrypt the time stamp on Alice’s message and sends the time stamp back to Alice. This time Bob does not send the rest of the information on the authenticator so that now Alice can be sure that a poser did not take the original message from Bob’s machine and send it unchanged to Alice. 4. Alice receives the response, decrypts it, and compares the time stamp with the time stamp on the authenticator she had originally sent to Bob. If the time stamps match, she is sure of Bob’s authenticity. Kerberos is a ticket-based system. Authentication takes place by means of the tickets granted and received both by the server and the client. KDC provides two services, the authentication service (AS) and the ticket granting service (TGS). ◆

Authentication service. This service issues ticket granting tickets (TGTs) that are used to access the ticket-granting service in the KDC. In other words, before any client can get the ticket for a service, the client must obtain a TGT from the AS in the user’s account domain.


AUTHENTICATION

◆

Chapter 3

Ticket-granting service. The TGS issues tickets that are used for admission to other services in its own domain or to access the TGS of a trusted domain. When clients want access to a service, they must contact the TGS in the service’s account domain, present a TGT, and ask for a session ticket. If the client does not have a TGT for admission to the TGS in another domain, then it must obtain a session ticket by following a referral path. The referral path begins at the ticket-granting service in the user’s account domain and ends at the ticket-granting service in the service’s account domain.

Both AS and TGS are started automatically by the domain controller’s LSA, and these services run in the process space of the LSA. Neither of these services can be stopped. The availability of these services is ensured by Windows 2000, which allows each domain to have several domain controllers; all acting as peers. As a result, any domain controller can accept the authentication requests and ticketgranting requests that clients send to a domain’s KDC. As specified in RFC 1510, the name of the security principal of the KDC is krbtgt. This security principal is used in all Windows 2000 domains. When a new Windows 2000 domain is created, an account for krbtgt is created automatically, which cannot be deleted or modified. A password is automatically assigned to krbtgt. In the Kerberos authentication process, the password for the KDC’s account is used to generate a secret key. This secret key is used to encrypt and decrypt the TGTs that are issued by the KDC. All instances of the KDC (that is, KDCs on all DCs) in a domain use the domain account for the security principal krbtgt. Clients send messages to a domain’s KDC by specifying both the service’s principal name (krbtgt) and the name of the domain. Both of these items are also used in tickets to identify the issuing authority.

Key Distribution Now that you have become familiar with the concept of Kerberos and the services associated with a KDC, I will explain the Kerberos authentication process as it occurs when a user logs on to a domain and tries to access a service from the resource server.


75

76

Part II


The Kerberos protocol completes in the following three phases, each containing two steps. Consider a user, Alice, trying to access a service on the resource server. 1. AS exchange. This phase occurs only once in one logon session and contains the following steps: 1.1. Alice logs on to her domain from her local machine, and a request for a TGT is sent to a Windows 2000 KDS making use of the AS. 1.2. On receiving the request for a TGT, the AS of the Windows 2000 KDC sends a TGT and a session key to Alice. The session key is valid until Alice is logged on to the network. 2. TGS exchange. This phase takes place only once when the same client (Alice’s computer) accesses a resource on a specific resource server. This phase contains the following steps: 2.1. In this step, a ticket requesting access to a resource server is sent to Windows 2000 KDC. The Kerberos client (on Alice’s computer) sends a TGS request, which contains the TGT, the user name, and an authenticator encrypted with Alice’s logon session key and the name of the service she wants to use, to the KDC. 2.2. On receiving the TGS request, the KDC decrypts the TGT with its secret key and extracts Alice’s logon session key. (Each time a user logs on to a Win2k domain, a logon session is established). The KDC uses this logon session key to decrypt and evaluate the authenticator. On successful evaluation of the authenticator, the KDC extracts Alice’s authorization data from the TGT and creates a session key for Alice’s Kerberos client. This session key is shared with the service that Alice wanted to use. A copy of this session key is encrypted by the KDC with Alice’s logon session key. Another copy of this session key is embedded in a ticket, along with Alice’s authorization data, and is encrypted with the service’s key. The KDC now sends this ticket back to Alice’s Kerberos client to complete the ticket-granting service phase. 3. Client server authentication exchange. This phase takes place every time the client wants to access the resource server. The phase contains the following steps: 3.1. The client sends a request containing the service ticket, an authenticator encrypted with the session key for the service, and an


AUTHENTICATION

Chapter 3

optional flag indication if the client wants mutual authentication, to the resource server. 3.2. The resource server receives the service ticket, decrypts it, and extracts Alice’s authorization data and session key. The server now decrypts Alice’s authenticator and checks the time stamp inside. If the time stamp matches the current time on the server computer, the server looks for a mutual authentication flag, if any. If mutual authentication is contained in Alice’s request, the server now uses the session key to encrypt the time from Alice’s authenticator and returns the request to Alice’s Kerberos client. Figure 3-2 demonstrates the complete Kerberos authentication process of a client gaining access to a resource server.

FIGURE 3-2 The complete Kerberos protocol.


77

78

Part II


NOTE You might wonder whether the client needs to issue a password to provide its credentials every time it wants to request a resource on the server. However, this is not the case. When the client wants to use a resource subsequently, it checks the ticket cache valid for that resource. If the client is able to find the ticket, it issues the ticket to the resource server. Otherwise, if the ticket is expired or the client does not possess one, then the second phase, TGS exchange, will occur again, where the client asks the TGS for a new ticket or for renewal of the expired one.

Service Ticket To keep a service ticket secure, most of the information contained in the service ticket is encrypted. A client has to access many resources across different servers. Therefore, to enable a client to manage its service tickets, there is some header information in a service ticket that is not encrypted. This information is: ◆

Version number of the format of the ticket ◆ Name of the domain that issued the service ticket ◆ Name of the resource server that the ticket authenticates The rest of the information in a service ticket is encrypted. The information includes a time stamp of the initial authentication and issuance of the TGT by the AS of a KDC. The resource server compares the time stamp received in the user’s service ticket against the local time. If the time difference between these two time stamps is too great, the resource service rejects the authentication attempt, with the idea that a hacker could have replayed the user’s original authentication packet. In addition, the service ticket contains the following encrypted information: ◆

The session key shared between the client and the server for secure exchanges ◆ Name of the domain to which the client belongs ◆ Client’s name ◆ Time period for which the ticket is valid

Ticket Granting Ticket The KDC maintains the account database for all the security principals in its realm. Kerberos uses the term realm as the equivalent of a Windows 2000 domain. As explained earlier, the KDC uses symmetric key encryption as the encryption


AUTHENTICATION

Chapter 3

technique. The KDC stores the symmetric key that is known only to the security principal (client) and the KDC. This key is derived from the user’s logon password and is known as the long-term key. For example, when Alice logs on, the client computer accepts her password and converts it into her long-term key. This is done by passing the text of the password through a one-way hashing function. The longterm key is used for exchanges between the security principal and the KDC. The KDC also maintains a centralized database, which contains every user’s longterm key, also called the master key. When the KDC receives a request from the client computer from which Alice logs on, the KDC searches the database for Alice’s name, finds her record, and extracts her long-term key stored in the record. It is clear from the preceding information that the process of taking user credentials and producing one copy of the long-term key from the password and another from the account database takes place only once, at the time of user logon. Immediately after this, the client requests a session key and a session ticket, which it can use in subsequent transactions, from the KDC during the current logon session. On receiving this request, the KDC responds by returning a session ticket. This session ticket is nothing but a TGT. A TGT contains the copy of the session key that the KDC uses in transactions with the client. The KDC’s copy of the session key is encrypted using the KDC’s long-term key. Along with the TGT, the KDC also returns a session key that the client can use in transactions with the KDC. The client’s copy of the session key is encrypted using the user’s copy of the longterm key. After receiving the session key along with the TGT, the client computer uses the cached copy of the long-term key to decrypt the client’s copy of the session key. The client can use this decrypted key. It discards the user’s long-term key because it is not required any longer. As stated earlier, the session key is temporary and is valid for one logon session. Therefore, it is also called the logon session key. You just learned about the session key, which the client received along with the TGT. But what happens to the TGT? Before trying to connect to the resource server, the client computer tries to locate the service ticket for the network service in the client computer’s cache. If it does not find one, it searches the cache again for a TGT. If the client finds a TGT, it obtains the corresponding session key. Then, the client uses the session key to prepare an authenticator and sends the authenticator, as well as the request to use the service on the resource server. The authenticator contains the user’s ID and the current time stamp and is encrypted using the session key.


79

80

Part II


When the KDC receives the TGT and the request for the service, it decrypts the TGT by using its own long-term key, extracts the session key, and uses this session key to validate the authenticator. The KDC uses the user’s long-term key only once when it issues the initial TGT. Thus, the TGT saves the time taken by the KDC to process requests.

Authentication Across Domain Boundaries Authentication across domain boundaries can be best understood by taking two examples, one when there are two domains and the other when there are more than two. To start with, consider a case of two domains, east.stronglock.com and west.stronglock.com. Because East and West are the child domains of stronglock.com, the administrators of these domains belong to the same organization. A trust relationship exists between these two domains; therefore, interdomain keys are shared automatically between them. Administrators use these interdomain keys to enable authentication across domain boundaries. After the trust relationship is established, the TGS in each domain is registered as a security principal with the other domain’s KDC. Therefore, the TGS in each domain can treat the TGS in the other domain as any other service for which the authenticated clients can request and receive service tickets. If a user whose account is in East wants to access a service in West, the Kerberos client from the user’s workstation sends a request to the TGS in the user’s account domain (East). The TGS in East determines that the service to which the client wants access is not a security principal in its own domain, so it responds by sending a referral ticket to the client. This referral ticket is the TGT encrypted using the interdomain key shared by the KDCs of both the domains. The client uses the referral ticket to prepare a second request for the service and sends it to the TGS in the server’s account domain (West). On receiving the request, the KDC in West uses its copy of the interdomain key to decrypt the referral ticket. If the decryption is successful, it sends the desired service ticket to use the resource to the client. Figure 3-3 illustrates authentication across two domains. The referral process is more complicated on networks containing more than two domains. The KDC of one domain can establish a direct relationship with the KDC of every other domain having an interdomain key for each link. However, the complexity of these relationships can make them unmanageable. Kerberos allows you to do away with these links. It allows a client in one domain to get a service ticket for a server in another domain by traveling a referral path through one or more intermediary domains. TEAM LinG - Live, Informative, Non-cost and Genuine!

AUTHENTICATION

Chapter 3

FIGURE 3-3 Authentication across two domains.

Consider three domains, East, West, and Stronglock. The KDC in East and the KDC in West do not share an interdomain key, but the KDC in East and West share an interdomain key with Stronglock. Now, when the client in East wants to access a service in West, the referral path begins at the KDC in the user’s account domain, East, passes through the intermediary domain, Stronglock, and ends at the service’s account domain, West. In this case, the client sends its request for the service to three different KDCs. The process can be broken down into the following steps: 1. The client in East requests its KDC for a service ticket to the server in West. The KDC for East sends the client a referral ticket to the KDC for Stronglock. This ticket is encrypted in the interdomain key that East shares with Stronglock. 2. The client in East requests Stronglock’s KDC for a service ticket to the server in West. The KDC for Stronglock sends the client a referral ticket to the KDC for West. This ticket is encrypted in the interdomain key that Stronglock shares with West. 3. The client in East requests West’s KDC for a service ticket to the server in West. The KDC for West sends the client a service ticket to the KDC for West. Figure 3-4 demonstrates the complete sequence of Kerberos authentication across domain boundaries. TEAM LinG - Live, Informative, Non-cost and Genuine!

81

82

Part II


FIGURE 3-4 Authentication across domain boundaries.

NOTE In the interdomain authentication occurring in the above scenario, a client has to request many referral tickets. In spite of being a long process, it is not time consuming. This is true for two reasons: 1. The referral process is short and the time period between request and response for each referral ticket is minimal. 2. Kerberos does not follow the same process every time a resource has to be accessed over a network because tickets have a lifetime and are cached for subsequent access.


AUTHENTICATION

Chapter 3

FIGURE 3-5 Shortcut trusts.

If a resource needs to be accessed frequently in a complicated domain tree, the referral path becomes very long. The referral process can be made smaller by defining explicit shortcut trusts. Figure 3-5 illustrates that a shortcut trust can be established between two domains to shorten the referral path.

Kerberos Policy You learned about the working of Kerberos, but can the Kerberos protocol and its working be controlled? The answer to this lies in configuring the Kerberos policy. In Windows 2000, the Kerberos policy is defined and implemented by a domain’s KDC. This policy is defined in the domain group policy of Active Directory. Only the Domain Admins group has rights to set the Kerberos policy. The Kerberos V5 policy has the following settings: ◆

Enforce user logon restrictions. Enabling this option makes a KDC validate every request for a service ticket. This involves examining the user’s rights policy on the computer containing the resource to verify whether the user has the right to either log on locally or access the computer from the network. By default, this option is enabled. Turning it off may be less secure but saves the time for an extra step that might slow the network process.


83

84

Part II


◆

Maximum lifetime for the service ticket. This option specifies the duration for which the user can access a service by using the same service ticket. The setting must be greater than 10 minutes and less than the setting for maximum lifetime for a user ticket. The setting is done in minutes, and this policy is set to 10 hours by default.

◆

Maximum lifetime for the user ticket. This option specifies how long a user can use the same user ticket, or TGT, to request a service ticket before requesting a renewal or a new TGT. The setting is done in hours and, by default, is set to 10 hours.

◆

Maximum lifetime for a user ticket renewal. This setting specifies the maximum time for which a continuously renewed TGT is valid. The setting is done in days and, by default, is set to 7 days.

◆

Maximum tolerance for computer clock synchronization. This setting is specified because of the time inconsistencies on different machines. You already know that Kerberos V5 uses a time stamp to verify that attackers do not steal tickets and use them later. This policy specifies the allowable difference between client and server clocks. The setting is done in minutes and, by default, is set to five minutes.

Logging on Interactively Logging on to a domain from a computer running Windows 2000 requires at least one service ticket, which is the ticket for the computer from where a user is logging on. This is because you can use a computer running Windows 2000 only through some system services. To use a system service, you first need to be authenticated by that service, which, in turn, requires a service ticket. On computers running Windows 2000, system services run under the Local Account on the computers. When a computer joins a domain, these services participate in the domain by using the computer’s domain account. Domain users who want access to the services running as Local System must present a service ticket to the computer where the services are running. Domain users also must have a service ticket for the computer before they get admission to the computer’s services. The following section elaborates the processes of a user logging on to a computer for accessing local system services and a user logging on to a network for accessing network-based resources.


AUTHENTICATION

Chapter 3

Logging On to a Computer A user can log on to a computer in a single domain or across multiple domains when any of the following takes place: ◆

Single-domain logon. Alice is logging in from a computer that is a member of the same domain where Alice’s account is created.

◆

Multiple-domain logon. Alice is logging in from a computer that is in a different domain than the domain where Alice’s account is created.

Single-Domain Logon The following steps show what happens during a logon to a computer in a singledomain environment: 1. Alice invokes the SAS, Ctrl+Alt+Del, on a client computer to log on to a domain. 2. By querying DNS, the client computer on behalf of Alice tries to locate a KDC for the domain. The Kerberos package retries up to 3 times, each time for 10 seconds, for locating the KDC. In most cases, the KDC is already known. 3. Once the KDC is located, Alice sends a Kerberos authentication request to the DC. This request does two things: authenticates Alice to the DC and sends a TGT request to the AS of the KDC. 4. The AS responds by generating a TGT and sending it to Alice’s computer. 5. Because Alice needs to use the local machine, which is a service like any other service in the domain, she needs to have a ticket for the service. Therefore, Alice sends a request for a service ticket by using her TGT and an authenticator. 6. The TGS of the DC verifies the TGT and the authenticator, generates a service ticket for the local machine, and sends it to Alice. 7. Alice’s client computer presents this service ticket to the LSA, which creates an access token for Alice. Any process acting on behalf of Alice can access the local machine’s resources. Figure 3-6 illustrates the preceding process.


85

86

Part II


FIGURE 3-6 Logging on to a computer in a single-domain environment.

Multiple-Domain Logon To explain a logon to a computer in a multiple-domain environment, I will use the previous example of three domains: stronglock.com being a parent domain and east.stronglock.com and west.stronglock.com being its child domains. Alice’s account is defined in East, and she tries to log on from a workstation whose account is in West. The local logon process completes in the following steps: 1. To request a ticket to log on, Alice’s computer sends a TGT request to the KDC in east.stronglock.com. Even if Alice wants to log on to a computer in west.stronglock.com, a request for a TGT is sent to the KDC in east.stronglock.com because a KDC of Alice’s account domain can authenticate Alice. The DCs in different domains do not replicate account information. 2. The service, which is the computer from which Alice wants to log on, is in west.stronglock.com; the KDC of east.stronglock.com cannot issue a TGT for a workstation in west.stronglock.com. This can be done only by the KDC of west.stronglock.com. Therefore, the KDC of east.stronglock.com returns a referral ticket for the KDC in stronglock.com. 3. On receiving the referral ticket, Alice’s computer sends the referral ticket to the KDC of the intermediary domain, stronglock.com. TEAM LinG - Live, Informative, Non-cost and Genuine!

AUTHENTICATION

Chapter 3

4. The KDC of stronglock.com decrypts the referral ticket by using the interdomain key shared between east.stronglock.com and stronglock.com. The KDC detects the domain closest to west.stronglock.com with which it has a trust relationship, and then sends the TGT to that domain to Alice’s client computer. 5. Now, Alice’s computer can send the TGT to the KDC of west.stronglock.com to get a ticket for the local workstation. 6. Finally, the KDC of west.stronglock.com sends a valid service ticket for the workstation. Figure 3-7 illustrates local logon in a multiple-domain environment.

FIGURE 3-7 Logging on to a computer in a multiple-domain environment.


87

88

Part II


Logging On to a Network A network logon can occur in a single domain or across multiple domains when one of the following takes place: ◆

Network logon in a single-domain environment. Alice is accessing a service on a computer that is a member of Alice’s account domain.

◆

Network logon in a multiple-domain environment. Alice is accessing a service on a computer that is in a different domain than Alice’s account domain.

Network Logon in a Single-Domain Environment Network logon in a single-domain environment occurs when Alice is already logged on to a computer in a domain and wants to access a resource server that is located in the same domain. In this case, the logon is accomplished in the following steps: 1. Alice is already logged on to the local computer, so she already has a TGT for her domain. She sends the TGT along with the authenticator to the KDC of the same domain to request a service ticket. 2. The KDC looks at the time stamp in the authenticator and decides whether the TGT is valid. If it is, a ticket is issued to Alice. 3. Alice sends the service ticket along with the authenticator to the resource server. 4. The resource server verifies the service ticket and the authenticator to authenticate Alice. It then sends another authenticator to Alice’s client computer for verification of the resource server’s identity. Figure 3-8 illustrates network logon in a single-domain environment.

Network Logon in a Multiple-Domain Environment I will use the example of a parent domain and two child domains again. Alice is logged on to a computer in the West domain and she wants to access a resource in the East domain. Network logon to access the resource server is accomplished in the following steps: 1. Alice wants to contact a sever in a different domain than the domain in which she is logged on; therefore, she must have a valid referral ticket to interact with the KDC of the East domain. Alice’s client computer sends


AUTHENTICATION

Chapter 3

FIGURE 3-8 Network logon in a single-domain environment.

a request for the referral ticket to the KDC of the East domain from the KDC of the domain where she is logged on, west.stronglock.com. 2. A direct trust relationship between the East and West domains does not exist. The KDC of west.stronglock.com responds by sending her a referral ticket encrypted using the interdomain key shared between west.stronglock.com and stronglock.com. 3. Using this referral ticket, Alice’s client computer sends a request for a TGT to the KDC of stronglock.com. 4. The KDC of stronglock.com returns a referral ticket for the KDC of east.stronglock.com. 5. The KDC of east.stronglock.com returns a service ticket for the target resource server. 6. Finally, Alice’s client computer uses the service ticket received to send an access request to the resource server. Besides the service ticket, the request to the resource server also contains an authenticator. On receiving the service ticket, the resource sever can optionally send an authenticator to Alice. Figure 3-9 illustrates the network logon in a multiple-domain environment.


89

90

Part II


FIGURE 3-9 Network logon in a multiple-domain environment.

Smart Card Logon You have learned how Windows 2000 uses Kerberos V5 for password-based authentication. Kerberos V5 also includes a public key extension that enables smart card logons. Support for smart cards can be built into a Windows 2000 domain to enable both interactive logon and network authentication, including remote access authentication. A smart card is an electronic device the size of a credit card. It stores electronic data. A user proves his identity by inserting the smart card into a smart card reader and entering a unique personal identification number (PIN) allocated to him by a trusted security authority.


AUTHENTICATION

Chapter 3

In Kerberos logons, users prove their identity to a KDC by providing their credentials. These credentials are used to obtain a long-term key that the KDC stores and is known only to the client and the KDC. This symmetric key is used only during the AS exchange phase. This AS exchange works as follows: 1. The client encrypts the preauthentication data (user credentials). 2. The KDC decrypts the preauthentication data and encrypts the logon session key. 3. The client decrypts the logon session key. In this case, the same key is used for both encryption and decryption; therefore, the long-term keys used are said to be symmetric. In smart card logons, a user initiates the authentication process by supplying an SAS, similar to typing Ctrl+Alt+Del, and then typing a password. In a smart logon, the user inserts the smart card into the smart card reader. This produces an SAS, which switches the Winlogon desktop, dispatches GINA, and displays the logon prompt that asks for an activation PIN. In this case, public key encryption is asymmetric; one key is used to encrypt, and the other is used to decrypt. Together the keys needed to encrypt and decrypt form a public/private key pair. The private key is known only to the owner of the pair and never shared. The public key can be given to anyone with whom the owner wants to share information. This asymmetric key pair is used only during the AS exchange phase. This AS exchange works as follows: 1. The LSA obtains the user’s public key certificate by using the PIN that the user specifies. 2. The client sends the user’s public key certificate to the KDC along with the encrypted preauthentication data. 3. The KDC decrypts the preauthentication data. 4. The KDC encrypts the logon session key with the public key found on the certificate. 5. The KDC returns the encrypted logon session key along with a TGT. 6. If the client possesses the private half of the key pair, it decrypts the logon session key. 7. Once this decryption takes place, the session key secures all future exchanges between the parties.


91

92

Part II


Security Support Provider The security support provider (SSP) is an important component of the Windows 2000 authentication model. The SSP is used during noninteractive logons, such as network authentication. Implemented as a DLL, an SSP makes one or more security packages available to an application. The SSP implements a network authentication protocol, such as NTLM or Kerberos, which authenticates a user to a network service. The component through which system services and transport-level applications gain access to SSPs is called security support provider interface (SSPI). SSPI is a structural element of Windows 2000 that provides compatibility with existing client and specialized security mechanisms. SSPI is a Win32 API that allows applications and system services to utilize security packages without having to know specific details about the authentication protocols used. The SSPI provides generic functionality that helps applications and system services in querying for available SSPs and selecting an SSP to obtain an authenticated connection. Figure 3-10 shows how SSPI mediates between specific SSPs and the processes that use them. As you can see in Figure 3-10, SSPI serves as a middle-layer process that acts as a link between various application protocols and authentication protocols. Application developers can take advantage of this to create applications that use Windows 2000 authentication protocols. The specific method of authentication used is hidden from an application. Administrators can choose from a variety of SSPs available without bothering about the compatibility of an application with an authentication protocol. After an application is written to SSPI, the application uses an SSP depending on the configuration of the client and the server. The SSP of the selected protocol then interacts with different authentication services and authentication databases. The selected SSP can be one of the following: ◆

NTLM SSP. The NTLM protocol is used when backward compatibility with previous versions of Windows, such as Windows NT, is required. The NTLM SSP uses the MSV1_0 authentication service and the NetLogon service for client authentication and authorization. It uses the SAM database for verifying user credentials.

◆

Kerberos SSP. This SSP uses the Active Directory account database to verify user credentials, and the client interacts with the online KDC to obtain a session ticket.


AUTHENTICATION

Chapter 3

FIGURE 3-10 SSPI—A Link between application protocols and authentication protocols.

◆

SChannel SSP. This SSP implements the SSL protocol. The SSL/TLS protocol does not rely on an online server for authentication; it is based on trusted public key certificates obtained by trusted certificate authorities.


93

94

Part II


Other Authentication Protocols In the previous section, you learned how Windows 2000 uses Kerberos V5 to authenticate the users and services on a Windows 2000 network. Apart from Kerberos V5, there are other protocols for non-Windows 2000 users, users using dial-up connections, and external users trying to connect to a network over the Internet. Some of these protocols are: ◆

NT LAN Manager

◆

Secure Sockets Layer

◆

Extensible Authentication Protocol

NT LAN Manager NTLM is the protocol used for authentication in Windows NT. NTLM is included in Windows 2000 for backward compatibility with Windows NT on a network that has workstations and servers running both Windows 2000 and Windows NT. This is required when the client, the server, or both are running Windows NT. NTLM is also used for the authentication of computers that are not part of a domain. Active Directory also supports cross-domain service that allows computers from Windows NT domains to use NTLM to logon and access the resource servers in a Windows 2000 domain. If the use of NTLM has to be restricted to network authentication for a network that contains all Windows 2000 machines, the network configuration can be set to native mode on a DC.

Secure Sockets Layer Kerberos V5 is the preferred protocol for authentication within a single domain or across multiple domains. However, most networks do not use Kerberos V5 for network-to -network authentication. Windows 2000 has support for SSL for users who need authentication through the Internet. SSL is an open standard that uses both public key certificates and symmetric keys to provide the authentication and confidentiality of network or Internet transactions. Like Kerberos, SSL also allows both the client and the server to authenticate each other. However, SSL authentication occurs not by using session tickets but by exchanging public key certificates.


AUTHENTICATION

Chapter 3

An SSL session between the client and the server starts with an exchange of messages. This exchange of messages is called the SSL handshake. In the SSL handshake, the server authenticates itself to the client by using a public key. The steps involved in an SSL session are as follows: 1. The client sends its SSL version number, encryption settings, and other information to the server and requests a secure channel. 2. In response, the server sends its SSL version number, public key certificate, encryption settings, and other information to the client. This information is used by the client to communicate with the server. 3. Based on the information sent by the server, the client authenticates the server and an SSL session is established. 4. The client creates a key for the current session. The client then encrypts the session key (using the public key of the server) and sends the encrypted session key to the server. Additionally, the client also sends its certificate and signed data. 5. The server verifies the certificate and signed data sent by the client and authenticates the client. If the client is authenticated, the server decrypts the data sent by the client by using its private key. The server uses the decrypted data to generate a session key. 6. These session keys are symmetric and are used to encrypt and decrypt the data transmitted during the SSL session. 7. The client and the server inform each other that all future messages, which will be sent during the SSL session to the other party, will be encrypted using the session key. Both parties also send encrypted messages to each other to indicate that the handshake is over. 8. After the SSL handshake is over, the client and the server use the session keys to encrypt and decrypt the information that they send to each other. Figure 3-11 illustrates the process of the SSL handshake between the client and the server. SSL protocol has the following features: ◆

Server authentication. SSL-enabled client software allows the client to verify the identity of the server. SSL-enabled client software uses publickey encryption to verify the validity of the server’s certificate and ascertain whether it has been issued by a CA that is trusted by the client.


95

96

Part II


FIGURE 3-11 Secure Sockets Layer.

◆

Client authentication. SSL-enabled server software uses public-key encryption to verify the client’s certificate. It also allows the server to verify that the client’s certificate is issued by a CA that is trusted by the server.

◆

Encrypted connection. All information transmitted between the client and the server is encrypted. This provides a high level of data confidentiality during transit.

Extensible Authentication Protocol Another authentication mechanism used by Windows 2000 is Extensible Authentication Protocol (EAP). EAP is an extension of the Point-to-Point protocol (PPP).


AUTHENTICATION

Chapter 3

EAP enables Windows 2000 to select an appropriate authentication method based on the type of client that is requesting a connection. There are several types of authentication mechanisms that can be used to validate RAS users through EAP. These mechanisms include passwords, smart cards, and certificates. EAP does not provide the server with the choice of an authentication mechanism at the time of requesting a connection; rather, it does so at the time of user authentication. EAP will allow third-party vendors to create custom authentication schemes for biometric identification, such as retina scans, voice recognition, and fingerprint identification. Windows 2000 implements two EAP authentication methods: ◆

EAP-MD5

◆

EAP-Transport Layer Security

EAP-MD5 Like SSL, the MD5 protocol implements the technique of challenge handshake authentication. In an MD5 authentication process, the server using EAP requests logon credentials from the client. The client first sends the logon name. The server verifies the logon name and returns a request for the user password. The client responds by encrypting the logon name and the password and sending them back to the server. On receiving the logon name and the password, the server authenticates the user and allows access to its resources. To enable EAP-MD5 authentication to work on Windows 2000, user passwords must be stored using reversible encryption. This is required to ensure that the authenticating server decrypts and verifies the passwords at the time of user authentication.

EAP-Transport Layer Security EAP-Transport Layer Security (TLS) is an implementation of SSL. You can implement this authentication technique only on computers participating in network authentication. As compared to Kerberos, where mutual authentication is not compulsory, this method requires compulsory mutual authentication to enable the client and the server to communicate with each other. In addition, EAP-TLS implements techniques, such as symmetric and asymmetric encryption, to ensure the secure transmission of authentication credentials between the client and the server.


97

98

Part II


NOTE Apart from the authentication protocols discussed in this chapter, there are other protocols also used for WAN authentication, such as Point-to-Point (PPP) protocol, Password Authentication Protocol (PAP), Challenge Handshake Protocol (CHAP), and Microsoft Challenge Handshake Protocol (MS-CHAP). These are discussed in Chapter 10, “Remote Access and VPN.”

Summary In this chapter, you learned about the various mechanisms used by Windows 2000 to authenticate users and services. You also learned the architecture and working of Kerberos V5. Finally, you learned about some of the other authentication protocols that Windows 2000 supports, such as NTLM, SSL, and EAP. This chapter explained the authentication of a user in a domain and across domains. The chapter discusses how a user is authorized to access resources on the network and the entire process of access control of network resources.

Check Your Understanding Short Questions 1. What are the benefits of Kerberos V5 authentication? 2. List the steps followed in implementing Kerberos V5. 3. List the steps a user takes to connect to an application or a print server. 4. Which protocol would you use if you have a network comprising of Windows NT 4.0 or earlier versions of Windows and Windows 2000? 5. Why do you need to use NTLM protocol?


AUTHENTICATION

Chapter 3

Answers Short Answers 1. The answers might include: •

Supports single sign-on for the complete network.

•

Supports mutual authentication support.

•

Supports caching of tickets.

2. The steps are: •

KDC authenticates the user at the time of logon.

•

KDC’s authentication service provides encrypted TGTs to the user.

•

The client computer uses a TGT to request session tickets for that specific service.

•

The client computer decrypts the TGT by using the private key of the user.

•

The client computer stores this decrypted TGT in a protected storage.

•

This ticket can be used each time the client computer needs to access a network service.

3. The steps are: •

The user requests an ST for the target server hosting the service by sending the TGT obtained earlier to the KDC.

•

The user is authenticated by the KDC by decrypting the TGT. The ST is then transmitted to the user’s computer and is stored locally on it.

•

The user provides the ST to the target server, which in turn gives access to the services requested by the user.

•

A session is then established between the client computer and the target server.

4. Only NTLM protocol is supported by Windows NT 4.0 or earlier versions of Windows.


99

100

Part II


5. You need to use NTLM authentication protocol for the following reasons: •

For authenticating a computer running Windows 2000 to a computer running a Windows 2000 stand-alone server.

•

For authenticating a computer running Windows NT server to a computer running Windows 2000.

•

For authenticating a Windows 2000 domain controller with computers running Microsoft Windows 95, Windows 98, or Windows NT configured with Windows 2000 Directory Services Client software.

•

For authenticating a Windows 2000 domain controller by using NTLM protocol when it is not possible using Kerberos V5 authentication protocol.


Chapter 4 Authorization and Access Control


indows 2000 provides authentication and authorization features for securing local as well as network resources. Chapter 3, “Authentication,” discussed how a user is authenticated by providing his credentials. Authorization is the mechanism that takes place after authentication and determines if the authenticated user has the required permissions to access and use a resource. By providing specific access control, a computer system can grant access to sensitive data, without compromising network security.

W

This chapter delves into the complete access control model of Windows 2000 and its fundamental components. It discusses how file-level and share-level security can be used for secure access to resources. In addition, the chapter explains how Windows 2000 EFS allows you to secure files stored locally and how you can design secure access to a print resource in a Window 2000 network.

An Overview of Windows 2000 Access Control In a network consisting of many users, groups, and computers, shared resources must be secured from unauthorized users. The Windows 2000 access control model decides what a user can do on a shared resource and who can access it. Consequently, the access control on the shared resource can be limited in two ways, one by limiting the users who can access a resource and the other by specifying the file-level permissions of a resource to an authorized user. Access control is nothing but authorizing the use of Active Directory objects by security principals. In Active Directory, entities that make up the network are called Active Directory objects. The default Active Directory objects created at the time of Active Directory installation are domain, users, computers, and system. You can use Active Directory to create objects, such as a user, contact, computer, OU, group, shared folder, and shared printer. Let me now explain how they take part in access control mechanism.


AUTHORIZATION AND ACCESS CONTROL

Chapter 4

Working of Access Control Mechanism When a security principal acts upon an object, for example when a user opens a file, it is actually a program that performs the action. The program runs as a process containing many threads. A thread is the smallest runnable entity of a process. It is a program sequence scheduled for execution on a processor. In reality, the file is not opened by a user but by a thread. A process can have multiple threads, all running at the same time. It is the task of the operating system to schedule these threads by assigning each a scheduling priority. Although only a thread can perform an action on an object, it does not have a security identity of its own. A thread borrows the security identity of the security principal that wants to gain access on a resource. When a user logs on to a computer or domain, the security identity of the user is wrapped in the form of SIDs in the access token. The access token contains the user’s SID, the SIDs of the user’s groups, and the user’s rights. This access token describes the identity and capabilities of the user on that computer. When the user starts an application, it runs as a process in the user’s logon session. Each of the threads of the process are distributed a copy of the user’s access token. When a thread of the user’s application requests access to a file, the thread acts as the real agent by presenting the access token. But how does the object know that it is an authorized thread that wants to gain access to it? Each object has a security descriptor that contains the security information of the object. The object’s security descriptor contains its owner’s SID as well as the DACL comprised of the ACEs. The DACL lists the access rights allowed or denied to security principals. The operating system uses the access token to perform a check against the security descriptor. When trying to authorize a thread, the security subsystem tries to match the object’s DACL with the SIDs in the thread’s access token. It matches each ACE with the access token until it finds an ACE that allows or denies permission to the user or the group to which the user belongs. In addition to a DACL, the object’s security descriptor can also contain an SACL that tracks access attempts to the object. Figure 4-1 illustrates how the security subsystem validates a request for access to an object.


103

104

Part II


FIGURE 4-1 Authorizing a user attempt for access to an object.

Permissions You now know very well that authorization is all about providing access to the right people, on the right objects. For this, the objects should contain the required permissions. A permission is an authorization to perform an action on a specific object. Security principals are given permissions on an object, based on the DACL and SACL, which are set by the object owner. Only an owner can allow or deny a permission to access an object. The owner is the security principal associated with the thread that created the object. You can assign specific permissions to individual users based on their needs. However, you often need to apply consistent settings to more than one user, which you can do by creating user groups and then assigning permissions to groups. If permission to perform an action on an object is not granted to a security principal, it is denied by default. For example, if Alice only allows the Sales group to read the contents of a file, all users who are not a part of the Sales group are denied



Chapter 4

access to that file unless explicitly allowed. If Alice wants to exclude Bob from being given permission even if he is part of the Sales group, she can explicitly assign a deny permission to him.

User Rights versus Permissions Often, the terms user rights and permissions are used interchangeably. However, there is a marked difference in their implications. User rights authorize security principals to perform an operation that affects an entire computer in contrast to a permission that affects a particular object. User rights are divided into two types: ◆

Logon rights. These types of rights specify how a particular security principal is allowed to access a computer—through the keyboard, as a service, through a network connection, or as a batch job.

◆

Privileges. These types of rights control how a user is allowed to manage system resources, for example, loading device drivers, creating shared folders, and changing time in the system clock.

Permissions are assigned by the object’s owner, whereas user rights are assigned as a part of the security policy of the computer.

Permission Inheritance Permission inheritance is a mechanism that allows container objects to pass permissions assigned to them to new objects created within it, as well as existing objects—both container and noncontainer. Objects that allow you to create other objects within them are called container objects. For example, a folder can contain other files and subfolder objects. An object contained in another object is called a child object. Thus, if inheritable permissions are set on an object, then those permissions are automatically set on all the child objects within that container. This can be understood with an easy example of specifying read permissions for a folder. When you do so, all the files and folders within that folder are assigned read permission. In addition to this, when the permissions on an object are modified or a new child object is created, Windows 2000 uses the latest control mechanism to change the permissions of all child objects within that container. This also involves modification of the parent’s security descriptor. A detailed discussion on inheritance is given later in this chapter.


105

106

Part II


Access Control Lists As discussed in Chapter 2 “Introducing Windows 2000 Security,” ACLs are ordered lists of entries that define the criteria that the operating system should use while protecting the object and its properties. Each entry in the ACL is called an ACE, which identifies a security principal and the permission associated with that security principal. An object’s security descriptor can contain two ACLs: ◆

A DACL that identifies users and groups and their access rights on the object.

◆

An SACL that identifies how the access to the object is audited.

The components and structure of an ACL are shown in Figure 4-2. Table 4-1 lists the description for each component of an ACL.

Access Control Entries An ACE contains the following access control information: ◆

An SID identifying a user or group

◆

An access mask specifying access rights

◆

A set of bit flags specifying whether or not child objects can inherit the ACE

◆

A flag indicating the type of ACE

FIGURE 4-2 Components and structure of an ACL.



Chapter 4

Table 4-1 Components of an ACL Component

Description

ACL size

ACL size specifies the number of bytes of memory allocated for the ACL. The size of an ACL depends on the number and size of the ACEs present in it.

ACL revision

ACL revision is the revision number for the data structure of an ACL. The revision number for Active Directory objects is 4 and that for many other objects is 2.

ACE count

The ACE count refers to the number of ACEs in the ACL. An ACE count of zero means that the ACL is empty. If this is the case with a DACL, then the DACL does not allow anyone to access the object.

ACEs

ACEs can include zero or multiple ACEs. During an access check, ACEs are processed in the order in which they are listed.

Windows 2000 supports six types of ACEs. Out of these, three are generic ACE types and are present in all securable objects. The other three are object-specific ACE types and are present only in Active Directory objects. The ACE types are listed in Table 4-2.

Table 4-2 Types of ACEs ACE Type

Description

Access-denied

This generic ACE type denies access in a DACL.

Access-allowed

This generic ACE type allows access in a DACL.

System-audit

This generic ACE type logs access attempts in an SACL.

Access-denied, object-specific

This object-specific ACE denies access in a SACL to a property or property set, or limits ACE inheritance to a specified type of child object.

Access-allowed, object-specific

This object-specific ACE allows access in a DACL to a property or property set, or limits ACE inheritance to a specified type of child object.

System-audit, object-specific

This object-specific ACE logs access in a SACL to a property or property set, or limits ACE inheritance to a specified type of child object.


107

108

Part II


Object-Specific ACEs versus Generic ACEs The generic and object-specific ACEs are quite similar. However, object-specific ACEs offer a more granular control over the types of objects that can inherit them. Suppose Stronglock wants to increase the security of the HR OU. The desired security solution is that only the desktop computers physically placed in the HR department can have access rights to the HR OU. Therefore, you can set the HR OU object’s ACL to have an object-specific ACE marked for inheritance only by Computer objects. Other types of objects, such as User objects, will not inherit the ACE. In other words, inheritance of object-specific ACEs can be limited to specific types of child objects. Compared to object-specific ACEs, generic ACEs offer limited control over the kinds of child objects that can inherit them. Essentially, they can distinguish only between containers and noncontainers. This will be clearer if I use an example. Consider a generic ACE in the DACL of the Folder object that contains the permission to list the folder’s contents for a user group. This is an operation that can be performed only on container objects; therefore, only child objects in the folder that are container objects inherit the ACE; noncontainer objects, such as File objects, do not inherit this ACE. There are similar differences in how the two ACE types control access to objects. Generic ACEs apply to an entire object. For example, if a generic ACE gives Sally read access to a folder, Sally can read all information inside the folder—both data and properties of the files and other subfolders. This is not a serious limitation for many object types, for example, File objects that have few properties, all used for describing characteristics of the object rather than for storing information. This can, however, be a serious limitation for Active Directory objects, which store most of the information in their properties. Object-specific ACEs can apply to any individual property of an object or to a set of properties rather than the entire object. It is often required to control each property of an Active Directory object individually. This is possible through object-specific ACEs. For example, using one object-specific ACE you can define permissions for a User object to allow a particular user, such as Principal Self (that is, the user), read access to the Home Address property. You can use other objectspecific ACEs to deny Principal Self access to write Home Directory property. How does an ACE specify which actions can a security principal perform on an object? The ACE does this with the help of an access mask.



Chapter 4

Access Masks In an ACE, an access mask is a 32-bit value that specifies what actions a given security principal can perform on the object. One or more bits in the access mask specify whether an operation can be performed on the object. When a thread requests an access to an object, the operating system compares the access mask of the thread with that in each ACE of the object’s DACL and finds which permissions are granted to the thread. Since each bit corresponds to a particular operation or set of operations that can be performed on the object, turning a bit on in the access mask of the requesting thread specifies that the thread is requesting the right to perform the corresponding operation. On the other hand, turning a bit on in the access mask of the object’s ACE means that the corresponding operation is either allowed or denied to the user. Figure 4-3 shows the structure of an access mask. The access mask comprises the following four types of access rights: ◆

◆

Generic access rights. These types of access rights apply to all objects, but their implication on every type of Active Directory object is different depending on the mapping of each generic access right with standard and object-specific access rights. The following are the generic access rights: •

GENERIC_ALL.

Allows read, write, and execute access.

•

GENERIC_READ.

•

GENERIC_WRITE.

•

GENERIC_EXECUTE.

Allows read access. Allows right access. Allows execute access.

Standard access rights. These types of access rights are more specific than generic access rights but they apply to most of the Active Directory objects. The following are the standard access rights: •

DELETE.

•

READ_CONTROL.

Allows the information in the object’s security descriptor, excluding the SACL, to be read.

•

SYNCHRONIZE. Allows the object to be used for synchronization. This access right is not supported by some of the object types.

•

Allows the object to be deleted.

WRITE_DAC.

Allows the DACL in the object’s security descriptor to be

modified.


109

110

Part II


FIGURE 4-3 Structure of an access mask.

•

WRITE_OWNER.

Allows the owner to be changed in the object’s security

descriptor. ◆

SACL access rights. These types of access rights allow reading or changing an object’s SACL.

◆

Object-specific access rights. These types of access rights depend on the type of securable object. Each type of object defines its own set of object-specific access rights.

Security Identifiers An SID is a unique value that is used to identify a security principal or a security group. The SID for a specific account or group is created by the system at the time of creation of the account or the group. The SID for the local system is generated by the LSA on the local computer and is stored in the registry. Similarly, the SID for the domain account is generated by the domain security authority and is stored as an attribute of the User or Group object in Active Directory. SIDs are unique within the scope of the account or group they identify. In other words, no two accounts in the same scope can ever have the same SID. Every computer generates a unique SID every time it creates an account on that



Chapter 4

computer. Similarly, no two domain accounts can have the same SIDs. In an enterprise containing multiple domains, the SIDs of accounts and groups in one domain never match those in the other. This exclusivity of accounts and groups exists even when they are destroyed. SIDs are used in the following access control components: ◆

Access tokens. Each user, based on the rights and permissions granted to the user, is granted an access token. An SID contained in the access token represents the user. Other SIDs represent the groups to which the user belongs.

◆

Security descriptors. One of the SIDs on a security descriptor represents the user of the descriptor and another SID represents the primary group of the user.

◆

ACE. An ACE for a resource contains an SID that denotes the user or the group to which access is allowed, denied, or audited.

The structure of SID is in binary format and is variable in length. For example, the high-level SIDs, such as those for the Everyone group are relatively smaller than those for the Guests or Power Users groups. The first few values in the SID contain information about the SID structure. The remaining structure is hierarchical and identifies the SID-issuing authority, the SID-issuing domain, and a particular account or group. Figure 4-4 shows the structure of an SID.

FIGURE 4-4 Structure of an SID.


111

112

Part II


When converted to string format, the general format of an SID is: S–R–X–Y1–Y2–…– YN-1– YN

Now I will explain the individual components of the SID structure: ◆ S.

Presence of this letter in the string indicates that the string is an SID.

◆ R (Revision level). This

value, shown as a number, indicates the version of the SID structure. This value is 1 in Windows NT and Windows 2000.

◆ X (Identifier authority). This

value indicates the highest-level authority that can issue SIDs for this particular type of security principal. The identifier authority for the Everyone group is World Authority; therefore, it has an identifier authority value of 1. For an Administrator account or any other specific Windows 2000 or Windows NT account, the identifier authority is NT Authority, and hence, the value is 5.

◆ Y (Subauthorities). The

series of Y values indicate the series of subauthorities where N is the number of subauthorities. All values excluding the last value (Y1 - YN-1) in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. This part is important in an enterprise containing multiple domains; it differentiates SIDs in one domain from those in another. No two domains in an enterprise can share the same domain identifier. The domain identifier for the Administrator group is 32 (Builtin). The last identifier in the series of subauthorities is called the relative identifier. This identifier distinguishes an account or group from other accounts and groups in the domain. The relative identifier for any two accounts or groups cannot be the same.

Each component in an SID structure can be better explained with the help of the string format SID for the Administrators group. S-1-5-32-544

The break up values are as follows: ◆ 1 —revision

level

◆ 5 —identifier

authority value ( NT Authority)

◆ 32 —domain

identifier (Builtin)

◆ 544 —relative

identifier (Administrator)



Chapter 4

The domain identifier value for all built-in accounts and groups is always 32. This value identifies the domain, Builtin, which exists on every computer running Windows 2000 and Windows NT. The built-in accounts and groups are local in the scope where they are defined—local to a computer if defined on the computer, or local to a network domain if defined on a domain controller. Therefore, they have the same domain identifier value of 32. To distinguish every group or account within a scope, each of its SIDs has a unique relative identifier. The relative identifier for the built-in Administrators group is 544. No other account or group will have this value of relative identifier.

Access Tokens The access token is an object containing the access control details of a user account. The access control details include the identity and the privileges associated with the user account. Consider an example of Alice trying to access an object on a computer in the stronglock.com domain, which is running on Windows 2000. When Alice logs on to the local computer or the domain, the logon process authenticates Alice’s logon credentials, and in the process, the LSA on the computer returns an access token to Alice. Obviously, the access token is prepared from the logon details that Alice provides. This contains the SIDs returned by the logon process as well as a list of privileges assigned by the local security policy to Alice and to the groups Alice is a member of. Every process or thread that will now execute on Alice’s behalf will get a copy of her access token. When Alice’s thread interacts with a securable object or tries to perform a system task, the operating system checks the thread’s access token to decide whether the thread has the required level of authorization. Each user or group SID in an access token can have one of two attributes that control how the operating system uses the SID in an access check. Based on this attribute, the operating system decides whether the SIDs have to be checked in all ACEs or in ACEs that deny access. The following are the SID attributes: ◆ SE_GROUP_ENABLED.

An SID with this attribute is enabled for access checks against all ACEs that apply to the SID.

◆ SE_GROUP_USE_FOR_DENY_ONLY.

An SID with this attribute is enabled for access checks against deny access ACEs that apply to the SID.


113

114

Part II


Contents of an Access Token In addition to the SIDs, the access token contains a complete description of the security context for a process or thread. The description includes the fields listed in Table 4-3. Table 4-3 Displaying Dynamic Content Field

Description

User

This field contains the SID for the user’s account.

Groups

This field contains a list of SIDs for security groups of which the user is a member.

Privileges

This field contains a list of privileges that the user and the user’s security groups hold on the computer.

Owner

This field contains the SID for the user or security group who, by default, becomes the owner of any object that the user either creates or assumes ownership.

Primary Group

This field contains the SID for the user’s primary security group.

Default DACL

This field contains a default set of permissions the operating system applies to objects created by the user if no other access control information is available. The default DACL grants the Full Control permission to the Creator Owner and System groups.

Source

This field identifies the process for which the access token was created, such as Session Manager, LAN Manager, or Remote Procedure Call (RPC) Server.

Type

This field contains a value indicating whether the access token is a primary or temporary thread used to adopt a different security context.

Impersonation Level

This field indicates to what extent a service can impersonate the client represented by the access token. (Impersonation is further explained in the next section.)

Statistics

This field contains information about the access token, which the operating system uses internally.

Restricting SIDs

This field contains an optional list of SIDs for threads that limit the authorization to a level lower than what the thread is allowed.

Session ID

This field indicates whether the access token is assigned to a Terminal Services client session.



Chapter 4

Impersonation Impersonation occurs when a thread executes in a security context that is different from the context of the process that owns the thread. The main idea behind impersonation is to allow services to make requests to servers on behalf of the client. The requests to the server are not based on the privileges of the server; they are based on the privileges of the client for which the service acts. In this context, a server can be a different computer or the client computer itself. When running on the same computer, the service “is” the client to some extent. When a user wants to access an object, the service uses an authentication mechanism to establish a security context of the client. Therefore, one of the service’s threads uses an access token representing the client’s credentials to gain access to objects for which the client has permissions. When a user wants to access a network resource, the service impersonating the client uses the authentication mechanism to establish a security context, but this time, on the server. Each process that executes uses the primary access token that identifies the security context of the user account associated with that process. However, a service process runs under its own security accounts and acts as a user. Usually, services run under the Local System account. When a client requests a service to act on behalf of the client, the client’s access token is associated with the server, an impersonation token. This token identifies the client, its group, and its privileges. The server uses the information in the impersonation token to perform access checks when a thread requests access server resources on the client’s behalf. When the operation is complete, the thread dismisses the impersonation token and reverts back to using the primary token associated with the service’s own security context. When the impersonation succeeds, the client can control the extent to which a service is able to impersonate the client by selecting an impersonation level when it connects to the service. A user cannot select the impersonation level; it is specified in the Security Quality of Service (SQoS) in the code for client/server applications. The following is a brief description of the available impersonation levels: ◆

Anonymous. In this level, the client is anonymous to the service. The service can impersonate the client but the impersonation token does not contain any information about the client.

◆

Identify. In this level, the service can get the identity of the client for its own use, but it cannot impersonate the client.


115

116

Part II


◆

Impersonate. In this level, the service can impersonate the client. If the service is on the same computer as the client process, it can access network resources as the client. If the service is on a remote computer, it can impersonate the client only when accessing resources on the service’s computer.

◆

Delegate. In this level, which is supported only by Windows 2000, the service can impersonate the client—both when it accesses resources on the service’s computer and when it accesses resources on other computers.

Security Descriptors You already know that the information about the user’s rights and privileges is contained in the user’s access token. Similarly, the access control information of an object is stored in its security descriptor. When a user tries to access an object and perform an action on the object, the operating system compares the object’s security descriptor with the user’s access token to determine whether the user can perform the desired action.

Sources of Access Control Information When an object is created, the access control information is written to the object’s security descriptor. This access control information comes from: ◆

The subject. A subject is a thread executing in the security context provided by the access token of an authorized user. A subject’s access token contains the information that can be used in security descriptors for new objects created by the subject or existing objects modified by the subject. This information in the subject’s access token includes the following fields:

◆

Owner

◆

Primary Group

◆

Default DACL

NOTE The Owner, Primary Group, and Default DACL fields have already been discussed under the section “Access Tokens.”



◆

Chapter 4

The object manager. Object managers are responsible for security, naming, allocation, and disposal of different objects based on their type. Therefore, objects of different types have their own object managers. For example, the object manager for registry keys is the registry, and that for a printer is print spooler. Table 4-4 lists other object types and their managers.

Table 4-4 Object types and their object managers Object Type

Object Manager

Files and folder

NTFS

Shares

Share Service

Active Directory objects

Active Directory

Registry keys

The registry

Services

Service Control Manager

Printers

Print spooler

Terminals, window stations, desktops, and windows

Window Manager

◆

The parent object. The container of the child object is called its parent object. The child object can inherit access control information from its parent object (in the parent object’s ACL). The discussion about how this happens will occur a little later in this chapter in the “Inheritance” section.

When a subject creates a new object, it can optionally set the object’s security descriptor. If the subject does not set a security descriptor, the access control information is inherited from the parent object and the information is used to create a security descriptor. If there is no information to inherit, then the operating system uses the default access control information provided by the object manager of that particular type of object. After an object has been created, the subject can modify its security descriptor. A thread operating on behalf of the owner of the object or by another one who has owner’s permission can modify the access control information. An object’s security descriptor can be modified when the explicit permissions (permissions explicitly set in that object’s DACL) or the inherited permissions (permissions inherited from the parent object’s DACL) are modified.


117

118

Part II


Although child object owners cannot modify the inherited permissions in an object, they can specify whether or not the permission should be inherited from the parent object’s security descriptor. In the parent container object, the owner can specify whether or not a permission should be propagated to its child objects. In addition, an owner can specify whether to allow or deny access for objects within containers that are too prohibitive or too liberal. For example, suppose you have assigned the Full Control permission on the HRData folder to all the members of the HR group. However, Dana, who is a new employee in the HR department, is not supposed to be given Full Control on the Confidential_data subfolder. In such a case, the owner of the HRData folder can assign the Full Control to the HR group and the owner of the Confidential_data folder can assign Read permission to Dana. Dana’s access control on Confidential_data is restricted because explicit ACEs in a DACL are processed before the inherited DACL.

Structure of a Security Descriptor The information contained in the security descriptor depends on the type of the object and how the object was created. The structure of the security descriptor contains the following parts: ◆

Header. The Header field contains a revision number and a set of control flags that describe the security descriptor or its components. The information in the control flags is stored in bits and specifies, among other things, whether a DACL or an SACL is included in the object’s security descriptor. The control flags contain information about the automatic propagation of inheritable security information from the parent to the child object.

◆

Owner. The owner field contains the SID for the object’s owner. The owner of an object has the rights to modify the ACEs and give other users rights to take ownership.

◆

Primary Group. The Primary Group field contains the SID for the object owner’s primary group.

◆

DACL. A DACL is a list of ACEs that control the access of different users and groups on the object. Each ACE is assigned to a single SID and includes information that specifies whether the ACE allows or denies access for an operation. As stated earlier, only the owner of the object and others to whom the owner has granted ownership can modify a DACL.



◆

Chapter 4

SACL. Like a DACL, an SACL is also a list of ACEs, but the SACL is used to audit rather than control access. The SACL includes a header that specifies whether success or failure (or both) triggered the audit event, an SID that specifies the user or group to audit, and an access mask listing the operations to audit.

The security descriptors of parent objects are linked with those of the child objects. The next section details the process of inheritance that causes this link to be created.

Inheritance The process of inheritance causes the ACEs present in the parent object’s ACL to propagate to the child object’s ACL. Inheritance occurs when a new child object is created or when the DACL or the SACL on the parent object is modified. As you already know, ACEs in ACLs can both be inherited and explicitly created. An inheritance flag in the ACE indicates whether the ACE was explicitly created or inherited from a parent object. Another important point here is that only container objects can be parent objects. Some ACEs in child objects can be defined only for the purpose of inheritance and not to apply on the parent object where they are defined. This is the case when the ACEs need to be passed down in an object hierarchy until they reach a noncontainer object where they actually become effective. Two things determine how a child object inherits permissions from its parent object: a set of inheritance flags and a set of inheritance rules that are built into the operating system.

Inheritance Flags and Rules Inheritance flags are contained in the ACE header. These flags and the rules indicated by the flags determine the level of inheritance on the child objects. Following are the inheritance flags that an ACE can contain: ◆ INHERITED_ACE

indicates whether the ACE was inherited from the parent object. This flag is not set on an ACE defined directly on an object (explicit ACE).

◆ INHERIT_ONLY_ACE

indicates that the ACE is an inherit-only ACE. This means the ACE will be ignored during the access control processing of the object but will be propagated to child objects. If this flag is not set,


119

120

Part II


then the ACE is an effective ACE—an ACE that is processed during the access control processing of the object. ◆ CONTAINER_INHERIT_ACE on

an inherited ACE makes the container objects inherit the ACE as an effective ACE. When the ACE is inherited by a container object, the operating system clears the flag for INHERIT_ONLY_ACE and uses this ACE in the access control processing. Noncontainer child objects do not inherit this ACE.

◆ OBJECT_INHERIT_ACE on

an inherited ACE makes the noncontainer objects inherit the ACE as an effective ACE. When the ACE is inherited by a container object, the operating system clears the flag for INHERIT_ONLY_ACE. On the other hand, when the ACE is inherited by a noncontainer object, the operating system sets the flag for INHERIT_ONLY_ACE.

◆ NO_PROPAGATE_INHERIT_ACE prevents

the ACE from being inherited by subsequent generations of child objects. When a child object inherits an ACE where this flag is set, the operating system clears the flags for OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE.

Order of ACEs in an ACL Since during an access check all ACEs are processed sequentially, the order of ACEs in an ACL is important. The order in which ACEs appear in a DACL is called canonical order. Windows 2000 uses the following canonical order: ◆

All explicit ACEs are placed before any inherited ACEs.

◆

Within a group of explicit ACEs, access-denied ACEs appear before access-allowed ACEs.

◆

Inherited ACEs are placed in the order of the level from which they are inherited. ACEs inherited from the child object’s parent come first, then ACEs inherited from the grandparent, and so on up the hierarchy of objects.

The canonical order ensures that the owner of the object has more control than any other object in the tree. For example, suppose Pete, as the owner of the Finance OU, restricts access of the Everyone group. However, John, as the owner of the Budget OU, which is contained in the Finance OU, wants to give read access to the Directors group. John can then explicitly define an ACE for the Budget OU allowing read access to the Directors group. During the access check,



Chapter 4

the operating system steps through the ACEs in the order they appear. Therefore, the deny-access ACE inherited from the parent, which will appear after the explicit allow-access ACE (in the Budget OU DACL), will not be processed. The canonical order also allows the owner to allow access to a group but deny access to a particular user in that group. This permits the owner to have a control over the object against ACEs that are too restrictive or too permissive. For example, suppose John, after assigning read access to the Directors group, feels that one of the directors should not be allowed read access to the Budget OU. He can now deny read access to that director. During the access check, the director will be denied access irrespective of his or her group. Figure 4-5 shows the canonical order of ACEs.

Access Checking and Audit Generation When a thread acting on behalf of a security principal tries to access an object, the object manager calls the AccessCheckAndAuditAlarm function. This function works in two phases: 1.

The function determines whether the thread is allowed or denied access.

2.

Then, it determines whether it should generate auditing information for that object.

Let me explain these phases one by one.

FIGURE 4-5 Canonical order of ACEs.


121

122

Part II


Access Check The access checking mechanism determines whether the subject is authorized to perform the task the subject has requested. The AccessCheckAndAuditAlarm function determines this by using the following information: ◆

The subject’s access token containing its credentials.

◆

The subject’s desired access mask that indicates the access rights the thread is requesting.

◆

The object’s security descriptor containing the DACL and SACL along with the other information.

After the AccessCheckAndAuditAlarm function completes the access check, it returns an access mask—called as granted access mask—similar to the desired access mask to the calling process. Like the desired access mask, the granted access mask is a 32-bit structure containing the same bit fields, which are turned off initially. As the access checking process continues and grants access for each access right in the desired access mask, the corresponding bit is turned off in the desired access mask and turned on in the granted access mask. This process goes on until all bits in the desired access mask are turned off and corresponding bits in the granted access mask are turned on. The AccessCheckAndAuditAlarm function uses the following steps to determine the subject’s authorization: 1.

If the object’s security descriptor does not contain a DACL (not an empty DACL), then the granted access mask is set exactly to match the desired access mask. The access checking stops and the subject receives all the access that it requested.

2.

If the desired access mask is empty, access checking stops. In this case, the subject gains no access to the object.

3.

If the subject requests the right to access the SACL, the subject’s access token is checked for the Manage auditing and security log privilege. If the access token contains this privilege, the corresponding bit is turned off in the desired access mask and turned on in the granted access mask.

4.

If the subject requests read permissions, change permissions, or modify owner, then the Owner SID in the security descriptor is mapped with the User and Groups SIDs in the access token. If a match is found, the corresponding bits are turned off in the desired access mask and turned on in the granted access mask.



5.

Chapter 4

The object’s DACL is applied by investigating each ACE in sequence, starting with the first ACE. •

If an ACE’s inheritance flag is INHERIT_ONLY_ACE, the access checking skips the ACE.

•

If the SID in an ACE does not match any SID in the subject’s access token, the access checking skips the ACE.

•

If the ACE type is access-denied, the rights denied in the ACE’s access mask are compared to the rights requested in the subject’s desired access mask. If access checking finds any matches, all bits are turned off in both the desired access mask and the granted access mask, and access checking stops. As a result, the subject gains no access to the object.

•

If the ACE type is access-allowed, the rights allowed in the ACE’s access mask are mapped against the rights requested in the subject’s desired access mask. If access checking finds any matches, corresponding bits are turned off in the desired access mask and turned on in the granted access mask, and access checking stops. As a result, the subject gains access to the object.

•

If any bits in the desired access mask are still turned on, access checking investigates the next ACE.

•

If any bits are turned on in the desired access mask, even if all the ACEs are investigated, then access is implicitly denied. Any bits that have been turned on in the granted access mask are turned off, and the granted access mask is returned to the calling process. The subject gains no access to the object.

Auditing Auditing generates entries in the security log for a subject’s successful or failed attempts to access an object. The AccessCheckAndAuditAlarm function can determine whether an attempted access resulted in success or failure until it completes an access check. After the access checking is complete, the function determines what needs to be logged by using the following information: ◆

The subject’s access token ◆ The desired access mask presented by the subject ◆ The granted access mask resulting from the access check ◆ The object’s SACL


123

124

Part II


The number of access events that require security monitoring is limited compared to the total number of access events. As a result, SACLs generally have fewer ACEs than DACLs. When you set too many ACEs in the object’s SACL, security logs become cluttered with unusable information. Therefore, you should set audit controls judiciously. AccessCheckAndAuditAlarm

uses the following steps to assess ACEs in an object’s

SACL: 1. If an ACE’s inheritance flag is INHERIT_ONLY_ACE, the audit generation process skips the ACE. 2. If the SID in an ACE does not match any SID in the subject’s access token, the audit checking skips the ACE. 3. If an ACE’s access mask includes a bit that is not set in the desired access mask, the ACE is skipped. Only those ACEs are considered that match rights that the subject has requested. 4. If an ACE’s audit flags are marked to record an access success, the ACE’s access mask is mapped with the granted access mask. If a bit is set in the ACE’s access mask and the corresponding bit is set in the granted access mask, a successful access event is recorded in the security log. 5. If an ACE’s audit flags are marked to record access failure, the ACE’s access mask is mapped against the granted access mask. If a bit is set in the ACE’s access mask and the corresponding bit is not set in the granted access mask, a failure access event is recorded in the security log. 6. When the process completes reading all the ACEs in the SACL, audit checking stops.

Configuring Access Control Permissions You know that the ACEs contain the information about the access control permissions on an object. You can configure access permissions for Active Directory objects as well as share permissions and NTFS permissions for files and folders.

Configuring Share Permissions on Folders Share permissions are used to allow network access to resources on a server. Files and folders located on file allocation table (FAT), FAT32, NTFS, and CD-ROM file system (CDFS) volumes can be shared on the network. In spite of allowing



Chapter 4

the flexibility of volumes, sharing a folder does not require a user to be logged on to the computer containing the shared resource; switching the computer on is enough for the resource to be accessed on the network. For example, if Read permission for Alice is configured to Deny on the Customer folder, then Alice will not be allowed access if she tries to access the Customer folder over the network. She can, however, read and execute any file in the Customer folder, if she is seated at the server itself. You can configure share permissions by editing the folder properties. The familiar Properties dialog box allows you to configure share permission in the Sharing tab, as shown in Figure 4-6. You can configure the following share permissions for a security principal on a folder: ◆ Full Control. This

permission allows a security principal to read, modify, and delete any contents inside the shared folder. In addition, this permission allows a security principal to take ownership of the shared folder and change the permissions on the files and folders within that folder.

◆ Change. This

permission allows a security principal to read, modify, or delete any content within the shared folder.

FIGURE 4-6 Configuring share permissions

on a folder.


125

126

Part II


◆ Read. This

permission allows a security principal to read, execute, and copy any content within the shared folder.

Configuring NTFS Permissions on Files and Folders You can perform the following steps to set the access control permissions for files and folders in an NTFS volume: 1. Right-click the object whose properties you want to set and choose Properties. 2. Click the Security tab to open the Security properties page.

Combining NTFS and Share Permissions You can combine share and NTFS permissions to secure resources. If you want to access the resource locally, you only need NTFS permissions, but if you want to access it over the network, you need both share and NTFS permissions. When you apply both permissions to a resource, the one that has stricter security settings will be effective. For instance, if the share permissions allow you to read data and the NTFS permission allows modifications, then you will only be able to read data over the network. However, if you access the resource locally, you will be able to make modifications. It is recommended that you set the share permission to the Change setting for Authenticated Users option and use NTFS permissions to provide access rights directly to the resource on an NTFS partition.

Configuring Access Permissions for Active Directory Objects You can use the Active Directory Users And Computers snap-in to view or modify the access permissions for Active Directory objects by performing the following steps: 1. Choose View, Advanced Features to view the security properties. 2. Select an object in the Active Directory namespace. 3. Right-click the object and, from the context menu, choose Properties. 4. Click the Security tab to open the Security property page.



Chapter 4

This Security property page is the same for configuring the files and folders on an NTFS partition. I will talk about the properties a little later in this section.

Security Properties The Security tab in the Active Directory and NTFS object properties dialog box shows the permissions assigned to each security principal on that object. Figure 4-7 shows the security permissions assigned to the SalesData folder. The entries on this page constitute the ACL for an object. Note in Figure 4-7 that the SalesData folder has permissions for three security principals: the Sales group and two users, User1 and User2. You can use the Permissions frame to Allow or Deny a permission for the selected security principal. You can click the Add button to open the Select Users, Computers, and Groups dialog box, which allows you to add additional security principals to the DACL, as shown in Figure 4-8. Figure 4-8 shows the sample entries for adding User3 Sales and User5 Sales to the DACL.

FIGURE 4-7 The folder properties dialog box.


127

128

Part II


FIGURE 4-8 Configuring security permissions.

Access Control Settings The Advanced button on the object’s properties Security tab opens an access control settings dialog box with three tabs: Permissions, Auditing, and Owner. These tabs contain various options to modify an object’s security descriptor. I will talk about each tab in detail in the following sections.

Changing the Permissions The Permissions tab in the dialog box can be used to view, add, modify, and remove the ACEs in an object’s DACL. Figure 4-9 shows a sample DACL for the SalesData folder. Notice the ACEs in the Permission Entries frame. Each ACE displays an entry type (Allow or Deny), the name of the security principal, the permission configured for the security principal, and the scope to which the permission applies. But, here is a question. Suppose the Sales group is denied write access on a folder. However, Alice, who is a member of the Sales group, is allowed write access on the folder. Which of these permissions will be applied to Alice? Your NTFS and Active



Chapter 4

FIGURE 4-9 Access control setting for the SalesData folder.

Directory permission design is affected by the following ACL rules for canonical order that specify the sequencing of ACEs in a list: ◆

Explicit ACEs are applied before inherited ACEs. Therefore, in the preceding example, Alice will be allowed write access to the folder.

◆

Within a group of multiple explicit ACEs, access-denied ACEs are placed before access-allowed ACEs. This implies that, when applied in the same grouping, Deny ACEs take precedence over Allow ACEs.

The Allow inheritable permissions from parent to propagate to this object check box enables you to propagate inheritable permissions from the parent object of the current object. The second check box allows propagation of permissions from the current object to its child objects. Also notice the textual information appearing above the check boxes. This information tells you whether the highlighted permission is inherited from the parent object or is explicitly defined for that object. The Add, Remove, and View/Edit buttons allow you to add, remove, and modify the special permissions for an object. You can select an ACE and click the Remove


129

130

Part II


FIGURE 4-10 The permission entry dialog box.

button to remove the ACE from the list. To edit an ACE, you can select the ACE and click the View/Edit button to open the Permission Entry dialog box. Clicking the Add button also opens a permission entry dialog box, as shown in Figure 4-10 where you can enter the details of the ACE. This dialog box contains a list of special permissions, which are more extensive than the ones in the property page (refer to Figure 4-8). The Apply onto drop-down list allows you to define the scope of inheritance of the permissions in the ACE. The available scopes for folder objects are: ◆ ◆ ◆ ◆ ◆ ◆ ◆

This Folder Only This Folder, Subfolders, and Files This Folder and Subfolders This Folder and Files Subfolders and Files Only Subfolders Only Files Only

This page appears similar to Active Directory objects. However there is a difference in the available permissions that can be applied to objects. The ACE that is



Chapter 4

inherited from parent objects cannot be removed, and therefore the Remove button is disabled both on the property page and the access control setting dialog box. Also, the individual permissions that are inherited cannot be edited.

Auditing You can use the Auditing tab on the Access Control Settings dialog box to configure auditing for this object. This page is similar to the Permissions property page. It has the same buttons—Add, Remove, and View/Edit—that allow you to manage ACEs in the SACL and set approved permissions for each. It also has similar check boxes at the bottom that allow you to set the inheritance behavior of the object from its parent and to its children. Figure 4-11 shows sample entries in the Auditing page. Notice that this page is different from the Permissions page in that the Permissions page listed the permissions set on each ACE, but this page lists the type of access that triggers an audit event. The audit event can be triggered in case of a success or failure or both. The access types shown in Figure 4-11 are Delete access for User3 Sales, Write Attributes for User2, and Read attributes for User5 Sales.

FIGURE 4-11 The Auditing tab in the access control

settings dialog box.


131

132

Part II


Changing Ownership You know that every object in Active Directory or in an NTFS volume has an owner, usually the creator of the object. By default, the owner has the right to set permission on that object for other users’ access. When an object is created, the SID in the Owner field of the owner’s access token is copied to the Owner field of the security descriptor. The exception occurs in case of the Administrators group and Domain Admins group. When an administrator from any of these two groups creates an object, the Owner field of the object contains the SID of the group and not the individual who created the object. This is because the tasks that administrators perform are usually related to managing resources; therefore, resources created by one administrator can be managed by other administrators in the same group. Owners of NTFS objects can allow other users to own the object by giving them the Take Ownership permission in the Owner tab of the access control settings dialog box. Owners of Active Directory objects can also allow other users to take ownership by assigning them the Modify Owner permission. However, both of these permissions map to the same access right WRITE_OWNER, but they appear different in their user interfaces. For example, Figure 4-12 shows the Owner tab of the SalesData folder object created by User1, who is the member of the Administrators group. The Current owner of this item box shows User1.

FIGURE 4-12 The Owner tab.



Chapter 4

As stated earlier, when an administrator creates an object, the Owner field of the object contains the SID of the group and not the individual who created the object. Therefore, administrators become the owner of the SalesData folder object by default. However, User1 has an option of taking ownership himself. He can simply select his name in the Change owner to list and click Apply. However, administrators can retake this ownership. Checking Replace owner on all subcontainers and objects can make User1 take ownership of all subfolders and files at the same time. But User1 has this option only because he is the member of the Administrators group. Ordinary users have this option available only when, in addition to having the Take Ownership permission for the parent object, they have this permission for all child objects.

Encryption File System Encryption involves the use of a combination of key encryption methods to preserve the confidentiality of data. Using this combination allows you to protect the key used for encryption. Only the original user or an EFS recovery agent can decrypt the data. EFS provides encryption of stored data on NTFS volumes. EFS allows security of data that is stored on the local hard disk and not the security of data being transferred over the network. Knowledge of how the EFS process takes place helps you in determining: ◆

Which user has encrypted the file using EFS? ◆ Who can recover an EFS encrypted file? To encrypt a file or folder by using EFS, right-click the object, and choose Properties. On the General tab, click the Advanced button to open the Advanced Attributes dialog box. Check the Encrypt contents to secure data option, as shown in Figure 4-13.

Encryption of Data Using EFS Data encryption takes place, when data encryption is enabled on an NTFS object, or when the user saves an NTFS object that has encryption attribute enabled. The encryption process takes place as follows (as shown in Figure 4-14): 1. A File Encryption Key (FEK) is generated for each file that the user wants to encrypt. This FEK is used to convert a plain text document into an encrypted document.


133

134

Part II


FIGURE 4-13 The Advanced Attributes dialog box.

FIGURE 4-14 The encryption process.



Chapter 4

2. This FEK is then encrypted using the user’s EFS encryption public key. This ensures that the user who has the corresponding private key can decrypt the FEK. The encrypted FEK is stored in DDF. 3. The FEK is also encrypted using the recovery agent’s EFS recovery public key. This ensures that the user who has the corresponding EFS recovery private key can decrypt the FEK. The encrypted FEK is stored in DRF. The recovery agent is a user, typically an administrator, who can recover an encrypted file or folder if the user who encrypted the object leaves the organization. You can also have multiple recovery agents defined for a domain. In that case, an FEK will have multiple DRFs associated with the object.

Decryption of EFS Data An encrypted file can only be decrypted by the user who encrypted it or by an EFS recovery agent. The process of decrypting a file differs based on whether the file is being decrypted by the original user or the EFS recovery agent. When the user opens the file that he or she originally encrypted, the following process takes place, as shown in Figure 4-15. 1. The users’ EFS encryption private key is used to decrypt the FEK stored in the DDF.

FIGURE 4-15 Decryption by the original user.


135

136

Part II


2. The FEK is used to convert the encrypted document to plain text. When the EFS recovery agent opens the file that was encrypted by another user, the following process takes place, as shown in Figure 4-16. 1. The EFS recovery agent’s EFS recovery private key is used to decrypt the FEK stored in the DRF. 2. The FEK is used to convert the encrypted document to plain text.

EFS Recovery Plan EFS is a public key method of encryption and is based on certificates issued to individual users. Hence, it is a single user encryption method. In case a user loses the encryption key or leaves the organization, you need to have a plan to be able to recover the encrypted data. A recovery agent decrypts a file with a recovery key either at a dedicated recovery station or at the computer where the encrypted file is stored.

Recovery Agent The agent could be a single user or a group of users who have the responsibility to manage and use the certificates required for recovering encrypted files. If a

FIGURE 4-16 Decryption by the EFS recovery agent.



Chapter 4

computer does not have a recovery agent, encryption cannot be performed. In a domain, the Administrator account for the domain is the default recovery agent. Recovery agents can be set at site, domain, or organizational unit level. For a stand-alone computer, the administrator is the recovery agent. If the Windows 2000-based computer is a member of a domain, the Default Domain policy is applied to that computer. The Default Domain policy makes the Administrator account of the domain the EFS recovery agent. If you want to use EFS on a duplicate domain controller, export the administrator’s EFS recovery key on the domain and copy it to the duplicate domain controllers.

Recovery Station A recovery station is a computer that stores the recovery keys required to decrypt an encrypted file. You can preserve the encryption by making a backup of the file. You can send the backup file to the recovery station through mail. Then the recovery agent will log on and perform the recovery of data with the recovery keys. To ensure security, create a new account for every recovery and delete it after the task. This way no information about the recovery will be left in the computer.

Exported Recovery Key You can export a recovery key with the certificate snap-in the MMC instead of sending the file to the recovery station. The recovery key can be stored on a floppy in a safe place. The recovery agent could carry this floppy and use it on the computer where the encrypted file is stored and decrypt it. Alternatively, you can send the encrypted file to the recovery agent via mail and the decryption can be performed on the agent’s computer.

Securing the Print Resource When you shoot a print job from your computer, other users can manipulate the print job or read the data. In such a case you need to protect the printer resource. You can protect a printer by using the Print, Manage Printers, or Manage Documents permissions.


137

138

Part II


Printing A security principal assigned the Print permission can submit print jobs to a printer and make the printer process jobs.

Managing Printers is a permission that allows you to print, read and change permissions and take ownership of the print jobs. With this permission you can change the printer settings but cannot delete or manipulate print jobs on the printer. As an administrator you should give this permission to specific trusted individuals on sensitive printers. If you send a critical print job to a printer pool, there is a risk of the document being sent to public or unprotected printers. Hence, do not add restricted printers to printer pools. Manage Printers

Managing Documents The Manage Documents permission allows you to manage the print jobs in the printer queue. You can delete and prioritize the print jobs. Every user who sends a print job is the owner of that print job and has the Manage Documents permission for it. However, this permission does not include the permission to print a document. Permission to print a document must be given explicitly. For instance, if you have the Managing Documents permission but no right to print, you will not be able to access the printer object or perform the management activities. If you have only the Managing Printer permission, you cannot manipulate the documents in the printer queue. And if you have only the Managing Documents permission, you cannot change the printer settings but can delete a print job. When you send a print command from your workstation to the server, the data is not encoded and so can be interpreted. If you use IPSec, the traffic to the restricted print server is protected. You can use the IPSec client so that you need not use any other client or printer redirector to print confidential matter. A printer connected to the network must support IPSec to be able to protect printer traffic. Only Windows 2000-based computers support IPSec. Figure 4-17 illustrates the deployment of IPSec to protect printer transmissions.



Chapter 4

FIGURE 4-17 Protecting printer data transmissions.

Summary Windows 2000 uses the access control model to safeguard its network resources from unauthorized access. This chapter explained how Windows 2000 access control model uses the concepts of ACLs, access tokens, SIDs, and security descriptors internally for secure data access. The model allows object owners to assign separate permissions to users and groups of users. In addition Windows 2000 also allows encryption of stored data through EFS and secure access to print resources.

Check Your Understanding Multiple Choice Questions 1. Joanna is planning to install Windows 98 and Windows 2000 Professional on her computer. She has to choose the appropriate file system for the startup partition of her computer to both the operating systems. Which file system should she configure on the startup partition? (Choose two.) a. FAT b. FAT32 c. NTFS d. None of the above


139

140

Part II


2. By default, which group is assigned the Full Control permissions in a shared folder? a. Everyone b. Creator Owner c. Authenticated Users d. None of the above 3. When a folder is shared on a FAT volume, which actions does a user with the Full Control permissions for the folder have? a. Read b. Modify c. Delete d. Take ownership e. All of the above 4. When CONTAINER_INHERIT_ACE is set on a parent ACE, what will be the effect on a child ACE? (Choose two.) a. For noncontainer child objects, the ACE is inherited as an effective ACE b. For noncontainer child objects, the ACE is inherited as an inheritonly ACE unless the NO_PROPAGATE_INHERIT_ACE flag is also set c. No effect on the child object d. None of the above 5. Consider an ACL that contains explicit access-denied and accessallowed ACEs as well as inherited ACEs. What will be the order in which ACEs appear in a DACL? a. Within a group of explicit ACEs, access-denied ACEs appear before access-allowed ACEs. b. All explicit ACEs appear before any inherited ACEs. c. Inherited ACEs are placed in the order of the level from which they are inherited. ACEs inherited from the child object’s parent come first, then ACEs inherited from the grandparent, and so on up the hierarchy of objects. d. All of the above.



Chapter 4

Short Questions 1. You have a computer running Windows 2000 professional. You have shared a folder named Applications on your computer. The share permissions for the Everyone group are Full control but the NTFS permissions are Read and Write only. What will be the effective permissions of the Everyone group? 2. Laura is working on a Windows 2000 computer. She needs to implement the EFS feature of the NTFS file system. Before implementing, she needs to know who can decrypt the files that are encrypted by EFS. Can you explain who can decrypt the EFS encrypted files? 3. Jerry has two computers in his office. One is a desktop and another is portable. Both computers support the NTFS file system. Every time he goes out, he first encrypts all the files that he needs to take along on his portable. He found the task of encrypting files very tedious. Can you suggest an easy method of encrypting files? 4. Jim is the network administrator in his organization. He needs to provide limited access to the registry keys of the registry. He needs to ensure that users should be able to obtain values of the registry key and they should be able to find the owner of the key. Which DACL rights will you assign to users? 5. Diana is the network administrator of Hefty Craft Co. The company has a Windows 2000 network. In the last few months, lot of data hacking has happened in the company. She suspects that data hacking happens when documents go for printing. She needs to provide a secure mechanism for printing. How can she accomplish this task?

Answers Multiple Choice Answers 1. a, b. Only FAT and FAT32 can be supported by Windows 98 computers. 2. a. By default, only the Everyone group is assigned the Full Control permissions on a shared folder.


141

142

Part II


3. d. The Full Control permission allows a security principal to read, modify, and delete any contents inside the shared folder. In addition, this permission allows a security principal to take ownership of the shared folder and change the permissions on the files and folders within that folder. 4. a, b. 5. d. All the rules given in the question are correct. Windows 2000 uses these rules, called canonical order, to process ACEs in an ACL.

Short Answers 1. The effective permissions of the Everyone group on the Applications folder will be Read and Write only. 2. The files encrypted by EFS can be decrypted by the original user or by the EFS recovery agent. 3. He should create an encrypted folder on the desktop computer. Before leaving, copy all the files that he is taking on the portable computer to the encrypted folder. This will not require encrypting each file individually. 4. You can assign the following rights to users: •

Query value to obtain value of the registry key.

•

Read Control to view the owner of the registry key.

5. Diana can configure the IPSec client to encode the data transmitting over the network for printing.


Chapter 5 Security Policies


s discussed in Chapter 1, “Need for Security,” organizations must ensure the confidentiality, integrity, and availability of their data. An organization might face both internal and external threats to its network. To counter theses attacks, the organization must define its security policies. In Windows 2000, security policies help an administrator implement the security policy drafted by an organization. They may include administrative rights, security settings, and access control lists.

A

There are several types of security policies depending upon their implementation. In Windows 2000, security policies are implemented through Group Policy. Group Policy allows centralized control over user and computer settings. This chapter explores Group Policy in detail. It also takes a walkthrough of security templates and the Security Configuration and Analysis tool.

Group Policy—An Overview In Windows 2000, instead of applying security policies for each computer in an organization, Group Policy allows you to define configurations for groups of users and computers to standardize security settings. You can use Group Policy to specify settings for: ◆ ◆ ◆ ◆ ◆ ◆ ◆

Registry-based policies Security Software installation Scripts Folder redirection Remote installation services Internet Explorer maintenance

The Group Policy settings that you create are stored in a Group Policy object (GPO). By associating a GPO with selected Active Directory containers—sites, domains, and OUs—you can apply these consistent settings to the users and computers in those Active Directory containers. To create GPOs, you use the Group Policy Microsoft Management Console (MMC) snap-in. You will learn more about using the Group Policy MMC later in the “MMC Snap-In Extension Model” section.


SECURITY POLICIES

Chapter 5

Group Policy Objects and Active Directory Any site, domain, or OU can be associated with any GPO. A given GPO can be linked to multiple sites, domains, or OUs. Conversely, a given site, domain, or OU can have multiple GPOs linked to it. In the case where multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order of precedence in which these GPOs are applied. By linking GPOs to Active Directory sites, domains, and OUs, you can implement Group Policy settings for as broad or as narrow a portion of the organization as you want. The GPO applies to the Active Directory according to the following rules: ◆

A GPO linked to a site applies to all users and computers in the site.

◆

A GPO linked to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in child OUs.

◆

A GPO linked to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.

NOTE You cannot link a GPO with a generic Active Directory container. However, users and computers in a generic Active Directory container receive policies by inheritance from a GPO linked at the higher-level Active Directory object.

Group Policy Hierarchy Policies are cumulative in nature; that is, the child directory service containers inherit Group Policy of a parent container. However, if a Group Policy is explicitly specified for a child container, it overrides Group Policy of the parent container. The GPOs are applied to the Active Directory objects hierarchically depending on the location of the Active Directory object in the network. The GPOs are applied in the following order: 1. The local Group Policy object (LPGO). 2. GPOs linked to sites. 3. GPOs linked to domains. Note that a GPO linked to a domain is not inherited across domains. GPOs defined at the domain level contain policies that apply to all the computers in that domain.


145

146

Part II


4. GPOs linked to the top-level OUs. GPOs associated with a larger number of computers or users are applied at the top-level OUs. 5. GPOs linked to the child OUs. In child OUs, the Group Policy settings are more specific, therefore they will affect smaller number of users and computers. In other words, a GPO applied to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in the child OUs. In a situation where two policies applied to a user or computer are in conflict, the last policy applied to it is the effective policy for that user or computer.

CAUTION You should avoid defining GPOs for sites containing different domains because when defined for a site, a GPO is stored in the system volume of the DCs in the domain in which the site policy has been defined. A Windows 2000 client must connect to the DC where the Group Policy was defined to download the Group Policy. If the DCs are accessible over a slow WAN link, the time required to log on may be more.

The following illustration (Figure 5-1) shows the application order of GPOs linked to sites, domains, and OUs.

FIGURE 5-1 The Group Policy application order.


SECURITY POLICIES

Chapter 5

FIGURE 5-2 A sample of application order for Group Policy Objects.

Figure 5-2 shows the sample domain structure of Stronglock.com to illustrate how GPOs are applied to objects in the Active Directory hierarchy. You can use the Active Directory Sites and Services snap-in to link a GPO to a site. To link a GPO to a domain or an OU, use the Active Directory Users and Computers snap-in. In these two Active Directory consoles, right-click the site, domain, or OU to which you want to link the GPO, and select Properties. Then, click the Group Policy tab, which you can use to create, edit, and manage GPOs.

Administrative Requirements To set Group Policy for a selected Active Directory container, you must have a Windows 2000 domain controller installed and you must have the Read and Write permissions to access the system volume folder of domain controllers (the Sysvol folder) and modify rights to the currently selected directory container.


147

148

Part II


NOTE The system volume folder is automatically created when you install a Windows 2000 domain controller (or promote a server to a domain controller).

Local and Non-local Group Policy Objects There are two kinds of GPOs, non-local and local. Non-local GPOs are available in an Active Directory environment and are stored at the domain level. They are stored with a globally unique identifier (GUID), which keeps them synchronized. A non-local GPO is applied to users and computers in a site, a domain, or OU. Every computer running Windows 2000 has a local GPO stored in it. These objects also contain a part of the available non-local GPO settings. If the settings conflict, the local GPO settings are overwritten by non-local settings. If they do not conflict, both of them are applied. In a local GPO, by default, only nodes under Security Settings are configured. Settings in other parts of the local GPO’s namespace are neither enabled nor disabled. The local GPO is stored on each server in %systemroot%\System32\GroupPolicy. Administrators and operating system have the Full Control permission for a local GPO, whereas any user has only the Read permission. A GPO is applied to a user or computer only when it has Read and Apply Group Policy permission. If the Read permission is withdrawn from the Local Administrator group, the GPO will not be applied to the group even if the Apply Group Policy permission is set to Allow. Non-local GPOs consists of two parts that are stored separately, the Group Policy container and the Group Policy template. The Group Policy container stores the small and infrequently used information, such as version information, status information, and subnodes for which settings are configured in the GPO and security policy settings in the subnodes. Any large and frequently stored information is stored in the Group Policy template. This information includes Administrative Templates-based security settings, Security Settings, applications available for Software Installation, and script files. The Group Policy template is stored in the Sysvol folder in the \Policies subfolder.


SECURITY POLICIES

Chapter 5

Group Policy Inheritance When you apply Group Policy to a parent OU, it is automatically applied to the child OUs. This is called inheritance of Group Policy. Inheritance is possible only within the OUs of a single domain and not across domains. Through inheritance, the administrators can apply the common policy settings to the parent OUs and the specific ones to the child OUs. This simplifies Group Policy administration. If a Group Policy setting is configured for a parent OU and not configured for the child OU, the same policy is inherited as configured. If a parent OU has policy settings that are not configured, the child OU does not inherit them. Policy settings that are disabled at the parent OU level are inherited as disabled. Policies are inherited only as long as they are compatible. In other words, if they do not conflict each other, both of them are applied. For example, if the parent policy setting causes certain folders to be placed on the desktop and the child policy places an additional folder on the desktop, then both the policies are applied. However, if you specify a conflicting Group Policy setting for a child container, the child container’s Group Policy setting overrides the setting inherited from the parent container. For example, if the parent policy places a certain folder on the desktop and the child container policy does not allow any folders to be placed on the desktop, then no folder will be placed on the desktop.

Exceptions to Group Policy Inheritance You can use the following settings to specify whether the Group Policy will be inherited or not: ◆

Block Inheritance. You apply this setting on a domain or an OU to prevent it from inheriting any GPOs from the parent containers. This group policy setting is applied directly to a site, a domain, or an OU, but not to a GPO or a GPO link.

◆

No Override. This setting is applied to GPO links and not to a site, domain, OU, or GPO. You use this setting to force the application of a particular Group Policy. The GPO with the No Override setting has a higher priority than other GPOs. If a GPO with No Override is applied to an OU, then all child OUs will forcefully inherit the GPO even if they have the Block Inheritance setting applied.


149

150

Part II


Loopback Setting User or computer settings are derived from a list of GPOs based upon the location of a user object or a computer object in Active Directory. However, in some cases, a policy may need to be applied to a user based on the location of the computer object and not the location of the user object. The Group Policy loopback feature enables an administrator to apply a user group policy based on the computer that the user logs on to. To describe the loopback feature, I will use the same example of Stronglock.com, as shown in Figure 5-2. Group Policy follows the default processing order for users and computers in the domain. The sequence in which the GPOs were applied during computer startup on the computers located in the HR OU was in the order: A3, A1, A2, A4, and A6. Regardless of which computer the users of the Boston OU log on to, they have the GPOs applied in the order: A3, A1, A2, and A5. However, this processing order might not match the desired order in which the GPO should be applied. For example, you might not want the applications that have been assigned or published to the users of the Boston OU to be installed when they log on to the computers in the HR OU. You can configure the Group Policy loopback feature and specify two other ways. These ways can be used to retrieve the list of GPOs for any user who logs on the computers in the HR OU: ◆

Merge mode. In this mode, the user’s GPO list is normally gathered during logon by using the GetGPOList function. Then, GetGPOList is called again by using the computer’s location in the Active Directory. Next, the lists of GPOs for the computer and the user are concatenated and the list of GPOs for the computer is added to the end of the list of GPOs for the user. Thus, the computer’s GPOs have higher precedence than the user’s GPOs. In this example, the list of GPOs for the computer is A3, A1, A2, A4, A6, which is added to the user’s list of A3, A1, A2, A5, resulting in A3, A1, A2, A5, A3, A1, A2, A4, and A6 (listed in lowest to highest priority).

◆

Replace mode. In this mode, the user’s list of GPOs is replaced by the list of GPOs based on the computer object. In this example, the list is A3, A1, A2, A4, and A6.


SECURITY POLICIES

Chapter 5

MMC Snap-In Extension Model The nodes of the Group Policy MMC snap-in are themselves MMC snap-in extensions. These extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer maintenance. Extension snap-ins may, in turn, be extended. For example, the Security Settings snap-in includes several extension snap-ins. All the snap-ins are loaded by default when you start the Group Policy snap-in. You can modify this behavior by creating your own MMC extensions to the Group Policy snap-in or set policies for the use of the MMC itself. Doing this also provides additional security policies.

Group Policy Snap-In Namespace The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs, in the following format: GPO Name [DomainName.com] Policy

For example: Default Domain Policy [Stronglock.com] Policy

The next level of this namespace has two nodes, Computer Configuration and User Configuration. These are the parent folders that you use to configure Group Policy settings. A computer-related Group Policy is applied when the operating system boots and during the periodic refresh cycle, explained later in this chapter. A user-related Group Policy is applied when users log on to a computer and during the periodic refresh cycle.

Computer Configuration The Computer Configuration node allows you to set policies on a computer in a domain regardless of the user who logs on to the computer. The Computer Configuration node contains subnodes for operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, application settings, and computer-assigned application options. Default computer configuration subnodes are shown in Figure 5-3.


151

152

Part II


FIGURE 5-3 The Computer Configuration node in the Group Policy snap-in console.

Let me now explain each subnode in detail.

Software Settings The Software Settings node configures the software settings that control all users who log on to a computer. By default, this node contains the Software Installation subnode. It can also contain other subnodes if you add custom MMC extensions. Software Installation The Software Installation node allows you to centrally manage software distribution in your organization by using which you can assign and publish software for groups of users and computers. You can assign an application to everybody within a given set of computers so that a specific application is available without actually setting up the application on each desktop to all the users who require that application. This can be done by creating a GPO that covers all the computers within the scope of the Active Directory container. When an administrator assigns an application to a group of users, he or she actually advertises the application on all the users’ desktops. This means that the


SECURITY POLICIES

Chapter 5

application shortcut appears in the Start menu, and the registry is updated with information about the application, such as the location of the application package and the location of the source files for installation. However, the application is not actually installed on the user’s machine. It is installed only when the user selects it from the Start menu and starts it the first time. You can also publish applications to groups of users, thereby making them available for users to install, if they choose to do so. When you publish an application, no shortcuts to it appear on the users’ desktops, and no local registry entries are made. The advertisement information for the published application is stored in Active Directory. To install a published application, users can use the Add/Remove Programs option in the Control Panel window, which includes a list of all the published applications that are available for them to use.

Windows Settings The Windows Settings node contains the settings that are applied to all users logging on to a particular computer. This node contains two subnodes, Scripts and Security Settings, as shown in Figure 5-4.

FIGURE 5-4 The Windows Settings node in the Group Policy snap-in console.


153

154

Part II


Scripts The Scripts node allows you to assign scripts to run automatically when a computer starts or shuts down or when users log on or off their computers. The startup and shutdown scripts run as Local System. The logon and logoff scripts execute only in user mode and not in privileged mode. Security Settings You can use the Security Settings node to define a security configuration for computers that fall within a GPO. A security configuration consists of the settings applied to one or more security areas supported on a computer running Windows 2000 Professional or Windows 2000 Server. The Security Settings extension of the Group Policy snap-in provides security settings on the same lines as the system security tools, such as the Security tab on the Properties page of a file or a folder, and Local Users and Groups in Computer Management. If you want to change specific settings, you can still use the same tools. The Security Settings node consists of the following subnodes shown in Figure 5-5.

FIGURE 5-5 The Security Settings node in the Group Policy snap-in console.


SECURITY POLICIES

Chapter 5

The following are the subnodes in the Security Settings subnode: ◆

Account Policies. These are computer security settings for the password policy, the account lockout policy, and the Kerberos policy in Windows 2000 domains. You can configure a password policy and an account lockout policy for member servers and workstations because they have their own SAM. The Kerberos policy does not apply to local account databases, therefore, is found only on domain controllers. Usually, the same Account Policies need to be set for all domain users. They are set in the Default Domain Policy GPO and, therefore, affect all users in the domain. If you require different account policies for different OUs, you can set Account Policies at the OU level.

◆

Local Policies. These are computer security settings for audit policy, user rights assignment, and security options. Local policy allows you to configure settings for local or network access to the computer and auditing of local events.

◆

Event Log. This subnode controls security settings for the Application, Security, and System event logs. You can access these logs using the Event Viewer.

◆

Restricted Groups. This subnode allows you to control the membership to a restricted group as well as the groups a restricted group should be a member of. This allows administrators to enforce security policies regarding sensitive groups, such as Enterprise Admins or Payroll. For example, only Joe and Mary may be required to be the members of Enterprise Admins group. An administrator can use Restricted Groups to enforce this requirement. Anna can be added to the Enterprise Admins group to accomplish a task. When the policy is enforced the next time, Anna is automatically removed from the Enterprise Admins group.

◆

System Services. This subnode allows you to control the startup options (security descriptors) for system services, such as network services, file and print services, telephone and fax services, Internet and intranet services, and so on.

◆

Registry. This subnode is used to configure the security settings, such as access control, audit, and ownership for registry keys. When you apply security on registry keys, the Security Settings subnode follows the same inheritance model as that used for all tree hierarchies in Windows 2000 (such as the Active Directory and NTFS).


155

156

Part II


◆

File System. This subnode is used to configure the security settings, such as access control, audit, and ownership for files and folders.

◆

Public Key Policies. This node allows you to configure the EFS recovery agents and other PKI options, such as Automatic Certificate Request Settings, Trusted Root Certification Authorities, and Enterprise Trust.

◆

IP Security Policies on Active Directory. The IPSec policy can be applied to the GPO of an Active Directory object. This propagates that IPSec policy to any computer accounts affected by that Group Policy object.

Administrative Templates The Administrative Templates node of the Group Policy snap-in uses administrative template (.adm) files to specify the registry settings that can be configured by the administrator. .adm files are Unicode files that consist of a hierarchy of categories and subcategories that define how the options are displayed using the Group Policy snap-in user interface. They also indicate which registry locations should be modified if a particular option is selected, specify any choices associated with the option, and in some cases, indicate a default value to use if an option is selected. The Administrative Templates node includes all the registry-based Group Policy information that governs registry settings including the behavior and appearance of the desktop (the operating system, its components, and applications). Policy settings for a user who logs on to a given workstation or a server are written to the User portion of the registry database under the HKEY_CURRENT_USER (HKCU) hive. Computer-specific settings are written to the Local Machine portion of the registry under the HKEY_LOCAL_MACHINE (HKLM) hive. The Administrative Templates node namespace can be invoked by using .adm files or by using Group Policy extensions. Windows 2000 includes three .adm files, System.adm, Inetres.adm, and Conf.adm, which contain all the settings initially displayed in the Administrative Templates node. It also includes .adm files for use with the Windows NT 4.0 System Policy Editor tool. The .adm files in Windows 2000 are listed in Table 5-1. The Administrative Templates node consists of the subnodes shown in Figure 5-6.


SECURITY POLICIES

Chapter 5

Table 5-1 Windows 2000 .adm Files File

Description

System.adm

contains operating system settings and is loaded by default for Windows 2000 clients

Inentres.adm

contains Internet Explorer restrictions for Windows 2000 clients and is loaded by default

Conf.adm

contains NetMeeting settings and is also loaded by default for Windows 2000 clients

Winnt.adm

contains the user interface settings specific to Windows NT clients for use with System Policy Editor

Common.adm

contains the user interface settings specific to Windows NT and Windows 9x clients for use with System Policy Editor

Windows.adm

contains the user interface settings specific to Windows 9x clients for use with System Policy Editor

Column

FIGURE 5-6 The Administrative Templates node in the Group Policy snap-in console.


157

158

Part II


Let me explain the nodes in Figure 5-6. Windows Components Windows Components is a subnode of the Administrative Templates node, which in turn contains the following extensions: ◆

Internet Explorer configures Security zones settings.

◆

NetMeeting enables or disables remote desktop sharing.

◆

Task Scheduler configures options for Task Scheduler.

◆

Windows Installer controls software configuration options for the Windows Installer package.

System Services The System subnode in the Administrative Templates node configures the security setting for system services. This configuration includes the startup options for the services and the rights and permissions required to access them. The System node includes the following subnodes: ◆

Logon. This subnode contains policy settings governing how logon and startup scripts are processed. In addition, it also controls other settings that relate to other user logging on.

◆

Disk Quotas. This subnode contains settings that control how disk quotas are applied and configured.

◆

DNS Client. This subnode allows you to suffix the primary DNS name on all computer names in the subdomain.

◆

Group Policy. This subnode allows you to configure settings for the application of Group Policy. It also defines settings for refreshing Group Policy updates.

◆

Windows File Protection. This subnode governs how Windows 2000 interacts with anti-virus software and installation programs.

Networks The Networks subnode allows you to configure the Offline file folder facilities of Windows 2000 as well as any dial-up connections. This subnode contains the Offline Files and Network and Dial-up Connections subnodes.


SECURITY POLICIES

Chapter 5

Printers The Printers subnode allows you to configure printers.

User Configuration The User Configuration node allows you set policies for users, which are applied regardless of the computer they log on to. This node provides settings for operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and logon and logoff scripts. You can also customize this node to your requirements by adding and removing extensions. Figure 5-7 shows the subnodes in the User Configuration node in the Group Policy snap-in.

Software Settings The Software Settings node controls the software settings that apply to users who log on to any computer. By default, this node contains the Software Installation subnode. (Refer to Figure 5-8.) It can also contain other nodes if you add custom MMC extensions.

FIGURE 5-7 The User Configuration node in the Group Policy snap-in console.


159

160

Part II


FIGURE 5-8 The Software Settings subnode in the Group Policy snap-in console.

Software Installation The Software Installation subnode allows you to centrally manage software distribution in your organization, using which you can assign and publish software for groups of users. This subnode is similar to the \Computer Configuration\Software Settings\Software Installation node the only difference being that here, it is applied for users regardless of the computer they log on to.

Windows Settings The Windows Settings node allows you to control Windows settings for users wherever they logon. This node contains the subnodes shown in Figure 5-9. The Folder Redirection subnode allows you to redirect several common folders in the users profile to other locations. Redirection of folder contents, for example to a network share, \\Server\Share\%username%, has several advantages, such as availability of files to roaming users and network users to be managed and


SECURITY POLICIES

Chapter 5

FIGURE 5-9 The Windows Settings subnode in the Group Policy snap-in console.

protected by the administrator or other users. Windows 2000 can redirect the following folders: ◆

Application Data

◆

Desktop

◆

My Documents

◆

My Pictures

◆

Start Menu

The Internet Explorer Maintenance subnode configures the following settings related to Internet Explorer: ◆

Browser User Interface allows you to customize the browser’s appearance.

◆

Connection allows you to configure the connection settings, such as the LAN and dial-up options.


161

162

Part II


◆

URLs allow you to specify the URLs that should be displayed by the browser, for example, for the Home page, for those on the Favorites list, and for the Search page.

◆

Security allows you to preset security settings, such as security zones, content ratings, and Authenticode.

◆

Programs allow you to specify the Internet programs that should be used by default for Internet-related tasks, such as reading e-mail or viewing newsgroups.

The Scripts (Logon/Logoff ) subnode can be used to configure logon and logoff scripts. The Security Settings subnode can contain another subnode for configuring Remote Installation Services. Remote Installation Services is an optional component that is included in the Windows 2000 Server operating system and works with other Windows 2000 technologies to implement the Remote Operating System Installation feature. This feature can be used to remotely install a copy of Windows 2000 Professional on client computers. Administrators use the Remote Installation Services subnode to specify the options that are available to users during client installation, for example, Automatic Setup, Custom Setup, and Restart Setup.

Administrative Templates The Administrative Templates subnode configures similar settings as the \Computer Configuration\Administrative Templates subnode, though this one applies to users and not computers.

Group Policy Object Links Linking a GPO to a site, a domain, or an OU causes the settings in the GPO to affect computer or user objects in that container. GPO linking to Active Directory container objects is flexible. When a GPO is created, it is automatically linked to the container in which it is created, called its storage domain. If you want a GPO not to be applied to a container, you can unlink it from that container. It is recommended that only the link be deleted and not the entire GPO. This allows the GPO to be relinked later in case there is a problem. It is possible to create an unlinked GPO for a given domain using the Group Policy MMC snap-in and link it to an Active Directory container object later.


SECURITY POLICIES

Chapter 5

NOTE Within a domain tree, Group Policy is not inherited across domains. Therefore, a GPO linked to a parent domain is not applied to child domains.

Group Policy Processing You know that the Group Policy processing sequence is: LGPO first then GPOs linked to containers in this order: site, domain, and OUs. However, this processing order is subject to the following conditions: ◆

Security group filtering that has been applied to GPOs. ◆ Any domain-based GPO may be enforced by using the No Override option so that its policies cannot be overridden. When more than one GPO has been marked as enforced, the GPO that is highest in the Active Directory hierarchy takes precedence. ◆ At any site, domain, or OU, Group Policy inheritance may be selectively designated as Block Inheritance. However, GPOs set to No Override are always applied and cannot be blocked. In this section, I’ll discuss other concepts related to how Group Policy processing takes place.

How Group Policy Affects Startup and Logon A client computer might apply settings for both user configuration and computer configuration. However, there is a specific order in which the operating system applies the computer configuration and user configuration settings at the startup and the user logon. This is explained as follows: 1. When the network starts, Remote Procedure Call System Service (RPCSS) and Multiple Universal Service Name Provider (MUP) are also started. 2. An ordered list of GPOs is obtained depending upon the following factors: • Whether the computer is a part of a Windows 2000 domain and, therefore, will have a Group Policy implemented through Active Directory infrastructure. • The location of the computer in Active Directory. • Whether loopback is enabled and the setting of the loopback policy.


163

164

Part II


3. Computer configuration settings are processed in the following sequence: local GPO, site GPOs, domain GPOs, OU GPOs, and so on. No user interface is loaded until all computer policies are applied. 4. Startup scripts run. This is hidden and synchronous, by default. Processing of each script is completed before the next one starts. 5. The user presses Ctrl+Alt+Del to log on. 6. After the user is validated, the user profile loads, according to the Group Policy settings in effect. 7. An ordered list of GPOs is obtained for the user. The list might depend on the following factors: • Whether the user is a part of a Windows 2000 domain and therefore will have a Group Policy implemented through Active Directory infrastructure. • The location of the user in Active Directory. • Whether loopback is enabled and the state (Merge or Replace) of the loopback policy setting. If the list of GPOs to be applied has not changed, then no processing is done. You can change this behavior by using a policy setting. The check for a GPO change is carried out at the domain controller. 8. User configuration settings are processed in the following sequence: local GPO, site GPOs, domain GPOs, OU GPOs, and so on. No user interface is loaded until all user policies are applied. 9. Logon scripts run. Unlike Windows NT 4.0 scripts, Group Policy-based scripts run hidden and asynchronously, by default. The user object scripts run last in a normal window. 10. The operating system user interface defined by the Group Policy appears.

Synchronous versus Asynchronous Processing The processing of Group Policy can be either synchronous or asynchronous. Synchronous processing processes each thread of the computer startup and user logon in order and does not allow a thread to start before the previous one has completed execution. Asynchronous processing allows startup and logon threads to run in an arbitrary order without waiting for each other’s outcome.


SECURITY POLICIES

Chapter 5

By default, the processing of Group Policy is synchronous. Settings under Computer Configuration are processed before the Ctrl+Alt+Del dialog box is displayed, and the settings under User Configuration are processed before the user interface is made available for user interaction. An administrator can change the processing to be asynchronous by using a Group Policy setting for both computers and users. To view or configure Group Policy processing settings: 1. Open a Group Policy snap-in from the MMC. 2. Navigate to the Computer Configuration/Administrative Templates/System/Logon and Group Policy settings and to the User Configuration/Administrative Templates/System/Logon/Logoff settings. A number of settings can be viewed such as: ◆

Run logon scripts synchronously

◆

Run startup scripts asynchronously

◆

Apply Group Policy for computers asynchronously during startup

◆

Apply Group Policy for users asynchronously during logon

You can change the order of processing to asynchronous. However, since asynchronous processing can lead to unpredictable and possibly dangerous results, synchronous processing of Group Policy is recommended.

Refresh Frequency Within Active Directory, computers refresh GPO settings at established intervals. The default Group Policy refresh intervals are 90 minutes for computers running Windows 2000 Professional and for member servers running Windows 2000 Server and 5 minutes for domain controllers. An administrator can change the default refresh values by modifying the template settings for the user or computer configuration in the Default Domain Controllers GPO. The setting is located under Computer Configuration/Administrative Templates/System/Group Policy/Group Policy Refresh Interval for Computers. If you want to change the setting for domain controllers, the setting is located under Computer Configuration/Administrative Templates/System/ Group Policy/Group Policy Refresh Interval for Domain Controllers.


165

166

Part II


NOTE It is recommended that the default refresh rates not be significantly decreased or increased. Every policy causes the Windows shell to refresh, all context menus to close, and the screen to flicker.

Using Group Policy Tools Group Policy can be managed by a number of extensions that provide extended functionality to the Group Policy snap-in. Windows 2000 also introduces two new tools from within the Administrative Tools folder on the Start Menu. These are Domain Controller Security Policy, which sets security policies specifically related to the domain controller, and Domain Security Policy, which sets security policies specifically related to the domain. For member servers and workstations, Local Security Policy tool replaces these tools. The Group Policy tool set consists of the Group Policy snap-in as well as extensions to the Active Directory User and Computers and Active Directory Sites and Services snap-ins. These tools can be used to configure different aspects of the computer’s security. The best approach is to create a GPO console containing the relevant snap-ins.

Creating a Custom Console You can create an MMC loaded with relevant snap-ins. After saving the console, you can open it whenever required from the Administrative Tools menu. The following are the steps you perform to create a custom console. 1. Log on to the domain controller as an administrator. 2. From the Start menu, choose Run. In the Run dialog box, type mmc in the Open box, and click OK. 3. In the new MMC console, from the Console menu, choose Add/Remove Snap-In. 4. In the Add/Remove Snap-In dialog box, click Add to open the Add Standalone Snap-In dialog box.


SECURITY POLICIES

Chapter 5

5. In the Available Standalone Snap-Ins list box, select Active Directory Users and Computers. Click Add, select Group Policy, and click Finish. Click Close. 6. Click the Extensions tab, and verify that the Add All Extensions check box is checked by default. Click OK. 7. The extension is now added to the MMC console, as shown in Figure 5-10. From the Console menu, choose Save As. 8. Specify the name of the console as sample.msc, and click OK.

Creating a Group Policy Object To create a Group Policy targeted to a specific computer, you must create the GPO object at that computer itself. The following are the steps to create a GPO: 1. Open the relevant snap-in. To create a GPO linked to a domain or an OU, you can use the Active Directory User and Computers snap-in. To create a GPO linked to a site, you use the Active Directory Sites and Services snap-in. 2. Right-click the site, the domain, or the OU for which you want to create a GPO, and from the context menu, choose Properties.

FIGURE 5-10 MMC with Group Policy snap-ins loaded.


167

168

Part II


3. In the properties dialog box, click the Group Policy tab. (Refer to Figure 5-11.) 4. Click New, and then type the name of the new GPO. By default, the new GPO will be linked to the site, domain, or OU that was initially selected in the MMC. 5. Click Close.

Specifying Group Policy Settings After you create a GPO, you can specify Group Policy settings as follows: 1. Access the Group Policy snap-in, as shown in Figure 5-12. 2. In the console tree, expand the policy you want to set. For example, in Figure 5-12, I have expanded \User Configuration\Administrative Templates\Control Panel\Display. 3. In the right pane, right-click the policy you want to set, and choose Properties. For example, if you select the Hide Screen Saver tab policy, the dialog box shown in 5-13 will appear. 4. In this dialog box, by default, a policy is not configured, which means that no change will be made to the registry regarding this setting. You can select Enabled or Disabled depending on whether or not you want to apply the policy to users and computers that are subject to the GPO.

FIGURE 5-11 The Group Policy tab.


SECURITY POLICIES

Chapter 5

FIGURE 5-12 Group Policy snap-in.

FIGURE 5-13 The Hide Screen Saver Tab

Properties dialog box.

Specifying GPO Processing Exceptions You already know that the GPO processing order is LGPO, site GPO, domain GPO, and OU GPOs. However, the default processing order can be changed by specifying the Block Policy Inheritance option, specifying the No Override option, or enabling the Loopback setting. TEAM LinG - Live, Informative, Non-cost and Genuine!

169

170

Part II


To specify the Block Policy Inheritance option, perform the following steps: 1. To specify the Block Policy Inheritance option for a domain or an OU, open the Active Directory Users and Computers snap-in, and to specify the option for a site, open the Active Directory Sites and Services snap-in. 2. In the console tree, right-click the domain, site, or OU, and open the Group Policy tab in the Properties dialog box. 3. Check Block Policy Inheritance to specify that all GPOs from higherlevel containers should be blocked from linking to the selected container, as shown in Figure 5-14. To specify the No Override option for a container, perform the following steps: 1. To specify the No Override option for a domain or an OU, open the Active Directory Users and Computers snap-in and to specify the option for a site, open the Active Directory Sites and Services snap-in. 2. In the console tree, right-click the domain, site, or OU, and open the Group Policy tab in the Properties dialog box. 3. Select the GPO, click Options, and check the No Override option in the Options dialog box, as shown is Figure 5-15. 4. Click OK.

FIGURE 5-14 Blocking policy inheritance.


SECURITY POLICIES

Chapter 5

FIGURE 5-15 The Options dialog box with

No Override option enabled.

To enable the loopback setting, perform the following steps: 1. Access the Group Policy snap-in for the GPO. 2. In the console tree, right-click the domain, site, or OU, open the Properties dialog box, and click the Group Policy tab. 3. In the right pane, double-click User Group Policy Loopback Processing Mode to open the User Group Policy Loopback Processing Mode dialog box. 4. In the dialog box, click Enabled. 5. From the Modes list, select Replace or Merge. These modes have been explained under the “Loopback Setting” section earlier in this chapter. 6. Click OK.

Linking a GPO By default, a GPO is linked to the Active Directory container for which it was created. However, you can link the GPO to other containers also by performing the following steps: 1. To link a GPO to a domain or an OU, open the Active Directory Users and Computers snap-in, and to specify the option for a site, open the Active Directory Sites and Services snap-in. 2. In the console tree, right-click the domain, site, or OU, open the Properties dialog box, and click the Group Policy tab.


171

172

Part II


FIGURE 5-16 The Add a Group Policy Object Link

dialog box.

3. If the GPO does not appear in the Group Policy Object Links list, click Add. 4. In the Add a Group Policy Object Link dialog box, click the All tab (refer to Figure 5-16), select the desired GPO, and then click OK. 5. In the Properties dialog box, click OK.

Modifying Group Policy You can modify a GPO by using the Security tab in the Properties dialog box of a site, a domain, or an OU for the following: ◆

Deleting a GPO link

◆

Deleting a GPO

◆

Editing a GPO and GPO settings

Filtering GPO Scope The policies in a GPO apply only to users who have the Apply Group Policy and Read permissions enabled for that GPO. As stated earlier, you can filter the scope of a GPO by creating security groups and then assigning desired permissions to them. By default, authenticated users have both Apply Group Policy and Read


SECURITY POLICIES

Chapter 5

permissions but not Full Control, which means that they can view the contents of the GPO but not modify them. For more information on users who can edit a GPO, see “Editing Group Policy Objects” later in this chapter. Groups having the Read permission for a GPO and not having the Apply Group Policy permission can still view the contents of the GPO. Therefore, it is recommended that you remove the Read permission from a GPO for groups on which you do not need to apply the Group Policy. To filter the scope of a GPO perform the following steps: 1. Access the Group Policy snap-in for the GPO. 2. Right-click the root node of the console, and open the Properties dialog box. 3. Click the Security tab, and select the group for which you want to filter this GPO. 4. Set the permissions, as shown in Figure 5-17.

FIGURE 5-17 The GPO properties

Security tab.


173

174

Part II


Group Policy Delegation In Active Directory, administrators can delegate the control of administrative tasks to other users and groups. The delegation of Group Policy consists of the following four aspects, which can be used in combination or separately, as required: ◆

Managing Group Policy links for a site, a domain, or an OU

◆

Creating GPOs

◆

Editing GPOs

◆

Specifying Group Policy to control the Behavior of MMC extensions

To achieve delegation using the first three methods, you apply the appropriate DACLs to GPOs and other objects in the Active Directory. The fourth method of delegation relies on several policy settings within the Group Policy infrastructure that are designed to control the access and behavior of an MMC and MMC snap-ins. For example, you can use Group Policy to manage the rights to access and modify MMC consoles.

Using Security Groups to Delegate Group Policy After creating a GPO, it is important for you to know which groups of administrators have access permissions to the GPO. Table 5-2 lists the default security permission settings for a GPO. Table 5-2 Default GPO Permissions Security Group

Default Setting

Authenticated Users

Read and Apply Group Policy

Domain Administrators

Full Control without Apply Group Policy

Enterprise Administrators


CREATOR OWNER


SYSTEM



SECURITY POLICIES

Chapter 5

Managing Group Policy Links for a Site, a Domain, or an OU Each site, domain, or OU stores information about the GPOs linked to it in two Active Directory properties called gPLink and gPOptions. The gPLink property contains a prioritized list of GPOs, and the gPOptions property contains the Block Policy Inheritance setting. To manage GPO links to a site, a domain, or an OU, you must have Read and Write access to both these properties, gPLink and gPOptions. By default, the Domain Admins group has the permission to manage GPO links for domains and OUs, and only the Enterprise Admins and Domain Admins groups of the forest root domain can manage links for sites. Administrators can give Read and Write access for specific properties to a nonadministrator. If non-administrators have Read and Write access to the gPLink and gPOptions properties, they can manage the list of GPOs linked to that site, domain, or OU. To give a user Read and Write access to these properties, you use the Delegation of Control Wizard as follows: 1. In the Active Directory Users and Computers snap-in, right-click the OU to which you want to delegate control, and choose Delegate Control. 2. In the Delegation of Control Wizard, click Next. You will be asked to confirm the OU to which you want to delegate control. 3. Click Next. Select the names of the users and groups that are to be delegated control, and click Next. Only the users and members belonging to the groups you select will be able to manage the links for the current OU. 4. In the common tasks list, select Manage Group Policy links (as shown in Figure 5-18), and click Next. 5. Click Finish to complete the changes.


175

176

Part II


FIGURE 5-18 The Delegation of Control Wizard.

Delegating Creation of Group Policy Objects By default, only the members of Domain Admins, Enterprise Admins, Group Policy Creator Owners, and System groups can create new Group Policy objects. Other users must be added to the Group Policy Creator Owners security group to enable them to create GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator and owner of the GPO and can edit the GPO. However, being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates or those explicitly delegated to that user; it does not grant control over other GPOs in the domain.

NOTE When an administrator creates a GPO, the Domain Administrators group becomes the creator owner of the Group Policy object.

When granting users the ability to create new GPOs, you should also consider delegating the ability to manage the links for a specific OU. This is because by default, non-administrators cannot manage links, and this prevents them from


SECURITY POLICIES

Chapter 5

being able to use the Active Directory Users and Computers snap-in to even create a GPO.

Editing Group Policy Objects In order to edit an already-existing GPO, the user must have both the Read and Write permissions to the GPO. By default, domain administrators, enterprise administrators, the operating system, and GPO creator owners can edit GPOs. Other users can also be delegated access to a GPO by performing the following steps: 1. Open a Group Policy object in the Group Policy snap-in. 2. Right-click the root node, select Properties from the context menu, and click the Security tab. 3. Click Add to add a user or a group of users to the ACL, and grant them Read and Write access. If they do not need the policy applied to them, clear the Apply Group Policy option. 4. Click OK to save the changes.

Specifying Group Policy to Control the Behavior of MMC Extensions Windows 2000 Group Policy includes several policy settings designed to control the behavior of MMC snap-ins. For example, you can use Group Policy to manage the rights to use MMC snap-ins.

Restricting Access to Permitted Snap-Ins Administrators can specify which MMC snap-ins may or may not be run by the affected user. This may be specified as inclusive, which only allows a set of snap-ins to run, or it may be set as exclusive, which does not allow a set of snap-ins to run. To create a list of permitted snap-ins for users, the following group policy setting must first be set: 1. Open a GPO in the Group Policy snap-in via the MMC or access a linked GPO through a container by right-clicking the container and choosing Properties from the context menu. 2. Click the Group Policy tab.


177

178

Part II


3. Select the desired GPO, and click the Edit button to access the Group Policy snap-in. 4. Navigate to the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node. 5. Double-click the Restrict users to the explicitly permitted list of snap-ins setting in the right pane. 6. Click the Enabled radio button if you plan to disallow most snap-ins and allow only a few. Click the Disabled radio button if you plan to allow most snap-ins and disallow only a few.

Controlling Access to a Snap-In To restrict or explicitly permit access to a particular snap-in, perform the following steps: 1. In the console tree, navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy. 2. In the right pane, double-click the snap-in to which you want to permit or restrict access, and then select Enabled or Disabled. 3. If you want to restrict access to a Group Policy extension, double-click the Group Policy node, and select a snap-in from the list and disable or enable it. Restricting or allowing access to particular snap-ins for a given group of users is often environment- and network-specific. For example, normal users are restricted from accessing several snap-ins by default but may need even greater restriction. In case of non-administrators, it may be easier to define which snapins they can access and implicitly deny access to all other snap-ins. Groups of administrative users that are delegated Active Directory abilities can also be limited to certain tasks. It is recommended that normal, non-administrators not be allowed access to the Security Templates and Security Configuration and Analysis snap-ins. Access to these snap-ins could allow a user to access and view all the security settings of a system and analyze whether the system is vulnerable to attack.


SECURITY POLICIES

Chapter 5

Group Policy Troubleshooting Tools Sometimes GPO settings do not apply as expected. This might include incorrect or incomplete policy settings or the lack of policy application to the computer or user. Windows 2000 supports some tools to troubleshoot Group Policy Application. These are: ◆

GPresult Tool (GPResult.exe). This tool, provided in Microsoft Windows 2000 Server Resource Kit, allows you to view system information about the GPOs applied to a user or a computer, including a detailed list of the resultant Group Policy settings that are being applied.

◆

GPOTool (GPOTool.exe). This is a Group Policy troubleshooting and administration tool and is provided in Microsoft Windows 2000 Server Resource Kit. It allows you to perform various command line operations, such as • checking if a user can successfully connect to a domain controller on the network • finding out if the Group Policy object that was not applied has been successfully replicated to all domain controllers • checking the number of unique Group Policy objects available on the network, and the status of each of these Group Policy objects on each domain controller. The status output from Gpotool.exe indicates all necessary information to diagnose whether Active Directory and Sysvol are synchronized for each domain controller that you can connect to.

◆

Network Diagnostics (Netdiag.exe). The tool is provided in Windows 2000 and helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client and whether it is functional. Netdiag.exe can be used to check your network connectivity further. For example, if you can connect to a domain controller, run Netdiag.exe to see if other computers in the same organizational unit are successfully receiving the Group Policy Scripts extension Group Policy settings. If other computers are successfully receiving these Group Policy settings, it might be a replication issue.


179

180

Part II


◆

Active Directory Replication Monitor (Replmon.exe). This tool can provide additional information about the state of Active Directory synchronization, and provide assistance in resolving the problem. You can use this tool to determine the replication partners for the domain controller that the client used as a source for the Group Policy and determine if replication is succeeding.

Windows 2000 Security Templates—An Overview Using Group Policy, you can assign same security settings to all the members of an Active Directory container. But still, you have to configure each security setting that you want your Group Policy to have. Windows 2000 includes support for security templates to define security for computers that share similar security requirements. You can use security templates to ensure that security is applied consistently to multiple computers. Security templates are inf files that contain a set of security configurations. They provide an easy way to standardize security across a platform or domain. You can apply templates to Windows 2000 computers by either importing them into a GPO, or directly applying them to the local computer policy. Security templates define security based on seven categories of configuration to provide support for applying specific computer-based security. These categories are as follows: ◆

Account Policies. This policy defines account authentication settings. It includes Password Policy, Account Lockout Policy, and Kerberos Policy. • Password Policy. Used to customize the password like its length and complexity. • Account Lockout Policy. Used to restrict the number of login tries and freeze accounts for a specific period. • Kerberos Policy. Sets the default Kerberos Version 5 protocol for each domain.


SECURITY POLICIES

◆

Chapter 5

Local Policies. This policy defines security for the computer to which the template is applied. It includes the following: • Audit Policy. Used to specify the events that will be audited. You can configure each auditing event that is stored in the local computer’s security log for Success or Failure or both. • User Rights Assignment. Used to specify which security principals will be granted access rights on the local computer. These rights override any NTFS permissions defined for an object. • Security Options. Used to define a wide variety of settings that are configured in the Windows 2000 registry.

◆

Event Log. This policy includes settings for the application, security, and system logs. These settings include the maximum log sizes, the access to logs, the retention period for the logs, and the action that should be taken if the security log reaches its maximum size.

◆

Restricted Groups. This policy includes membership settings for sensitive groups. This includes the settings such as which groups a restricted group can be a member of and which other groups and users can be members of a restricted group. Common sensitive groups include Power Users, Enterprise Admins, and Schema Admins.

◆

System Services. This policy includes configurations for system services installed on a computer, such as network transport. These settings include defining whether a service is enabled or disabled and whether a security principal can start or stop the service.

◆

Registry. This policy includes registry key permissions. For each registry key that you define, you can configure registry key settings, and configure whether the current permissions and subtrees settings are to be replaced. Security settings for the registry key include security principals that can modify the registry and auditing attempts to modify the registry.

◆

File System. This policy includes NTFS file and folder DACLs and SACLs.

You can view, define, modify existing security templates by loading the Security Templates snap-in into the MMC, as shown in Figure 5-19.


181

182

Part II


FIGURE 5-19 The Security Templates snap-in.

To load the Security Templates snap-in, perform the following steps: 1. Choose Run from the Start menu, type mmc in the Open box, and then click OK. 2. In the new MMC console, from the Console menu, choose Add/Remove Snap-In. 3. In the Add/Remove Snap-In dialog box, click Add to open the Add Standalone Snap-In dialog box. 4. In the Available Standalone Snap-Ins list box, select Security Templates. 5. Click Add, and then click Close. 6. Click OK. Expand the Security Templates node. 7. Expand the %systemroot%\Security\Templates node. In order to define your security templates, you must first identify the computers on your network that require similar security configurations. You can do so by identifying the role performed by each computer. For example, the security requirements for domain controllers will be more stringent than any other com-


SECURITY POLICIES

Chapter 5

puter on the network. Similarly, for file and print servers, you might need to define specific DACLs defined for specific data stores.

Predefined Security Templates This section describes the predefined security templates available for the Security Templates snap-in. I will discuss about the following templates: ◆

Default security templates

◆

Basic templates

◆

Incremental Security Templates

CAUTION These templates should be applied with care and they must be evaluated and customized as per the requirements of the target system.

Default Security Templates There are several security template files that contain the default security settings applied to a newly installed Windows 2000 machine. These files are located in the %SystemRoot%\inf folder. Table 5-3 lists the default security templates. Table 5-3 Default Security Templates Security Template

Applied To

Defltwk.inf

Workstations running Windows 2000 Professional

Defltsv.inf

Servers running Windows 2000 Server/ Windows 2000 Advanced Server/ Windows 2000 Data Center

Defltdc.inf

Domain controllers running Windows 2000

The default security templates are specially useful when you want to return the system to its original state or when you want to convert from a FAT or FAT32 file system to NTFS. When a conversion is made, the default settings grant Full Control to the Everyone group for all files and folders. To obtain the file system security settings that would have been present if NTFS had been the original file system, apply the File System portion of the appropriate default security template.


183

184

Part II


NOTE Once a template is applied to a computer, it is stored in the %SystemRoot%\ security\templates folder as setup security.inf.

Basic Security Templates The default security templates are not applied to the computers that are upgraded from previous versions of Windows NT. In such a situation, you can apply the Basic templates to increase the security of those computers. The Basic templates apply the same settings as those applied by the default security templates except the settings for restricted groups and user rights. This ensures that any existing user right is not removed. Table 5-4 lists the default Basic security templates. Table 5-4 Basic Security Templates Security Template

Applied To

Basicwk.inf

Workstations running Windows 2000 Professional

Basicsv.inf

Servers running Windows 2000 Server/ Windows 2000 Advanced Server/ Windows 2000 Data Center but not on domain controllers

Basicdc.inf

Domain controllers running Windows 2000

Incremental Security Templates Microsoft has included several incremental security templates to provide additional security configuration. These security templates are best suited for specific scenarios, such as when Terminal Services is deployed on a Windows 2000 Server. Windows 2000 provides the following incremental security templates: ◆

The No Terminal Server SID (Notssid.inf) template. All Terminal Services users are added in the Terminal Server Users group. By default, Terminal Services applies consistent security settings to the Terminal Server Users group. The Notssid.inf template removes the Terminal Server Users SID from all DACLs. As a result, all security is applied based on the individual user’s SID and group membership.


SECURITY POLICIES

Chapter 5

◆

The Windows NT 4.0 Compatible Security (Compatws.inf) template. The increased security in Windows 2000 might not allow some older versions of applications to run correctly. These are the applications that generally attempt to write to areas on the computer that administrators or power users are allowed to access. A normal user running applications does not have access to these registry areas or file system. The Compatws.inf template weakens the security so that non-certified applications can run on Windows 2000.

◆

The Initial DC Configuration (DC security.inf) template. The DC security.inf template contains settings for file and registry permissions that must be applied when a Windows 2000-based server is promoted to a domain controller.

◆

The Optional Components (Ocfilesw.inf and Ocfiles.inf) templates. These templates, as the name Optional Components suggests, increase the security of optional components that might be installed on Windows 2000-based computers. These components might include Microsoft Internet Explorer, Microsoft NetMeeting, and Internet Information Services (IIS) 5.0.

◆

The Secure (Securews.inf and Securedc.inf) templates. These templates provide security that overrides the settings specified in DACLs or the registry. These templates enforce additional security on the operating system and include modifications for the account policy. For example, the Secure templates prevent normal users from being the members of the Power Users group.

◆

The High Secure (Hisecws.inf and Hisecdc.inf) templates. These templates provides greater security than Secure templates for networks in which increased security is required. A server configured with the High Secure template ignores all the LAN Manager and NTLM requests.

CAUTION You should deploy the High Secure template only when all computers on your network are running Windows 2000. This is because implementing the High Secure template may prevent clients running previous versions of Windows from participating in the network.


185

186

Part II


Custom Security Templates There might be situations when you need additional security settings than those provided by the default templates. If the settings that you require are in the Security Templates snap-in, you can simply create custom template by using an existing template as its base. However, you should avoid applying too many settings in a custom template because the template should not exceed the required security baseline. You can also import a security template to a local or a non-local GPO. This can significantly ease the administration because it configures security for multiple objects in one step.

Customizing a Predefined Security Template Customizing a security template allows you to edit and save a predefined security template as a new template. To customize a security template perform the following steps: 1. Double-click Security template, and then double-click the default path folder (<systemroot>\Security\Templates). 2. Click the security policy you want to modify, such as Account Lockout Policy, and then double-click the security setting you want to modify, such as Account Lockout Duration. 3. In the Template Security Policy Setting dialog box, click Define This Policy Setting in the Template check box to allow configuration, then configure the security setting. Click OK. 4. Configure other security settings, as required, for example, as shown in Figure 5-20. 5. From the Console menu, choose Save As. Specify the name of the template, mytemplate.inf, and click Save. 6. Close the Security Template Console.

Exporting Security Settings to a Security Template When you apply the settings in a security template, the current local or non-local settings are lost. To preserve the local settings, you can export both local and effective security settings to a security template and restore it at a later time. You can then import the settings into a security database, overlay new templates, and analyze conflicts using the Security Configuration and Analysis tool.


SECURITY POLICIES

Chapter 5

FIGURE 5-20 A sample Password Policy configuration in setup security template.

Security Configuration and Analysis Tool The Security Configuration and Analysis Tool is a stand-alone snap-in designed to work with the MMC. This tool allows administrators to compare a target computer’s current security settings to the desired settings configured in the security template for that class of computer. After you have created your security template, it is important to draw a comparison between the security settings of a Windows 2000-based computer and the security template to determine how the current configuration differs from the desired configuration. Comparing current security to the desired security has the advantage of helping you to identify the: ◆

Current security weaknesses on your network.

◆

Manually configured security settings.

◆

Changes that a potential security policy must be able to set before it is actually deployed.

In the following sections, I will discuss how you can use the Security Analysis and Configuration tool to perform a security analysis and configure system security.


187

188

Part II


Loading the Security Configuration and Analysis Snap-In To perform security analysis and configuration, you must load the Security Configuration and Analysis snap-in, as shown in Figure 5-21. To load the Security Configuration and Analysis snap-in, perform the following steps: 1. Choose Run from the Start menu, type mmc in the Open box, and then click OK. 2. In the new MMC console, from the Console menu, choose Add/Remove Snap-In. 3. In the Add/Remove Snap-In dialog box, click Add to open the Add Standalone Snap-In dialog box. 4. In the Available Standalone Snap-Ins list box, select Security Configuration and Analysis. 5. Click Add, and then click Close.

FIGURE 5-21 The Security Configuration and Analysis snap-in.


SECURITY POLICIES

Chapter 5

Importing and Exporting Templates The Security Configuration and Analysis snap-in provides the ability to import and export security templates into or from a working database. You can merge several different templates into one composite template, and then use it for analyzing or configuring a system. This can be done by importing each template into a working database. Once you have created a composite template, you can save it for future analysis or configuration of other systems. The export feature provides the ability to save the stored configuration as a new template file that can be exported to other databases. This exported template can be further used to analyze or configure a system. All security configurations and analyses take place through a database. Therefore, you must first load a baseline analysis template into a database by implementing the following steps: 1. Right-click the Security Configuration and Analysis node and choose Open Database from the context menu. 2. Type the name of the database, and click Open. 3. Select the security template, mytemplate.inf, to import it into the database. 4. Click Open. An MMC window appears, as shown in Figure 5-22. Note that the name of the database is shown in the right pane.

Analyzing System Security Settings You use the Security Configuration and Analysis tool to analyze a computer’s current security settings against those defined in a security template. The tool indicates whether a Windows 2000-based computer’s current security configuration matches the defined configuration in the security template. To perform the analysis, follow these steps: 1. Open the Local Security Policy Snap-in. Navigate to the Security Settings\Account Policies\Password Policy to view the current password settings in the local computer. 2. Right-click Security Configuration and Analysis, and from the context menu, choose Analyze Computer Now. 3. Specify the log file that you want to use, and Click OK. As the analysis continues, a progress bar appears as shown in Figure 5-23.


189

190

Part II


FIGURE 5-22 The Security Configuration and Analysis snap-in startup screen.

FIGURE 5-23 Analyzing System

Security progress bar.

4. Review the analysis information. The Security Configuration and Analysis snap-in indicates whether the individual security options match (by displaying a green check mark) or do not match (by displaying a red x). The configured security settings in the security template are shown in Figure 5-24.


SECURITY POLICIES

Chapter 5

FIGURE 5-24 Reviewing the analysis of the current security against a security template.

Configuring System Security Settings You can use the Security Configuration and Analysis tool to resolve any discrepancies revealed by the analysis. After making the required changes in the security template against which you want to configure the settings of the computer, perform the following steps: 1. Right-click Security Configuration and Analysis, and from the context menu, choose Configure Computer Now. A warning message box appears. Click OK 2. Specify the name of the log file. 3. Click OK. A progress bar appears indicating the progress of configuration. 4. Save and close the console window. To view the changed settings, open the Local Security Policy snap-in and navigate to the Security Settings\Account Policies\Password Policy to view the current password settings in the local computer. Notice that the settings are now changed as you specified in the template. (Refer to Figure 5-25.)


191

192

Part II


FIGURE 5-25 The Local Security Policy snap-in with applied settings.

Summary This chapter introduced Group Policy to configure user and computer settings that can be linked to sites, domains, and OUs in your Active Directory. The collection of security policies is called a GPO, which help you to create a specific desktop environment for groups of users and computers. You learned various Group Policy settings, which can be configured using the Group Policy snap-in. The root node of the Group Policy snap-in is divided into two nodes: Computer Configuration and User Configuration. You examined in detail how Group Policy affects startup and logon and how it is processed. You also examined how you can use the Group Policy tools to configure different aspects of the computer’s security. Finally, you were introduced to the basic concepts of security templates and how they allow you to deploy consistent security settings for computer and user groups. You learned about the Security Configuration and Analysis tool and how it aids in analyzing and configuring security settings.


SECURITY POLICIES

Chapter 5

Check Your Understanding Multiple Choice Questions 1. James as the network administrator of a company has to ensure that no policies override the GPO settings attached to the OU that has the President’s account. How will he do so? a. For all GPOs attached to the President’s account OU, specify the Block Policy Inheritance option. b. Top-level GPOs automatically override GPOs at lower levels, so no action is required to ensure that there are no conflicting policies. c. Do not set the Apply Group Policy Access Control Entry of the President’s user account to Allow. d. For all GPOs attached to the President’s OU, specify the No Override option. 2. A network administrator of a company is designing OUs and GPOs in Windows 2000 environment. What can he do to optimize their processing performance? (Choose all that apply.) a. Use cross-domain links sparingly. b. Limit the levels of OUs to 15 if GPOs are attached to them. c. Disable unused portions of all GPOs. d. None of the above. 3. At Velocity Express Inc., the board of directors decides to make Asset Management and Accounting departments of the branch office a part of the Finance department. Philip needs to ensure that all the users of the Asset Management and Accounting departments have similar access to resources such as printers and scanners. In addition, he needs to ensure that the changes in the security settings in the Finance department are reflected in Asset Management and Accounting departments. To ensure that the security settings defined in the Finance department are applied to the users and computers in the Asset Management and Accounting departments, what steps should Andrew take? a. Block inheritance in the Finance department. b. Specify the No Override option for all the GPOs in the Finance department.


193

194

Part II


c. Enable inheritance in the Finance department. d. Block inheritance in the Asset Management department. 4. In an OU, John is a user who is a member of Group_1 and Group_2. Peter is another user in the same OU and is a member of Group_2 and Group_3. GPO_1 is set to remove the My Documents folder from the Desktop. For GPO_1, the Apply Group Policy access control entry (ACE) is set to Allow for Group_1 and Group_3. The Apply Group Policy ACE is set to Deny for Group_2. Which of the following is true about John and Peter’s desktop? a. The My Documents folder will be visible on both John’s and Peter’s desktop. b. The My Documents folder will not be visible on both John and Peter’s desktop. c. The My Documents folder will not be visible on John’s desktop, but will be visible on Peter’s desktop. d. None of the above. 5. Laura is confused about the conflicting group policies on users and computers. Which of the following is true, when there is a conflict between the group policy settings of a user and a computer? a. Group policy settings of the computer take precedence. b. Group policy settings of the user take precedence. c. Conflicting policy settings are not applied to either the computer or the user. d. An error will be generated.

Short Questions 1. If conflicting policies are set at the domain and OU for a user object that is located in the OU, which security policies are finally applied to the user object? 2. James has Windows 2000 Professional installed on his computer. By auditing the account logon events, he noticed that somebody is trying to gain access to his computer. He wants to ensure that, after two unsuccessful attempts within five minutes, the account should be locked out. Which account policy should he configure?


SECURITY POLICIES

Chapter 5

3. Pete is the network administrator of a Windows 2000 domain. The domain has East and West groups as the member of the Sales OU. He needs to apply specific policy to the East group, but he does not want to create a new OU. What should he do to accomplish this task? 4. How does the Security Configuration and Analysis Snap-in perform security analysis? 5. Susan is an inquisitive user in Health Care Co. and has considerable knowledge of Active Directory. A group policy object, GPO_1, does not apply on Susan, but she has managed to read the contents of GPO_1. What could be the possible reason for this? 6. BCD Corp has computer running Windows 2000 Server on network, which is hosting Terminal Services. Jim notices that all users who access the terminal server are able to access common areas on the terminal server’s local file system. What will you recommend Jim if he wants to restrict access to individual user accounts?

Answers Multiple Choice Answers 1. d. By default, the policies on child OU will take precedence over the policies on the parent OU when a policy is applied on a child OU. You can force a policy on child objects by specifying the No Override option. By doing this, the group policy will be enforced on child objects even if they are configured to block policy inheritance or have a conflicting setting. 2. a, b, c. GPOs are connected at the domain level; therefore any link to an object in another domain requires a connection to the global catalog server. This hampers the processing performance of the GPOs. You should not have more than 15 levels of OUs. If GPOs are not attached to OUs, you should limit the levels of OUs to 5 because a large number of GPOs increase the processing time. You should divide the GPOs into user GPOs and computer GPOs, and then disable the user settings on computer GPOs and computer settings on user GPOs. 3. b. This will ensure that the policies applied to the Finance department are inherited by the Asset Management and Accounting departments.


195

196

Part II


4. b. Due to the membership in Group_2, both John and Peter are subject to the Deny ACE of GPO_1. This is because a Deny ACE takes precedence over any Allow ACE because of the membership in another group. 5. a. Group policy settings of the computer are applied at the time of startup and that of the user are applied when the user logs on. But, in case of a conflict, group policy settings of the computer take precedence.

Short Answers 1. If Group Policy follows the default processing order than the security setting at the OU take precedence than those set at the domain. 2. James should configure Account Lockout Policy. This policy defines what actions should be taken when a user enters incorrect passwords. 3. Pete can implement Group Policy filtering. Group Policy filtering can allow Pete to apply the policy settings to only the members of a specific group within a site, a domain, or an OU. 4. The Security Configuration and Analysis Snap-in performs security analysis by comparing the current system security against a basic configuration security template that you imported into a personal database. This template contains customized security settings for that system. 5. The Read permission for GPO_1 is allowed and the Apply Group Policy Permission is denied to Susan. When the Read permission is allowed for a user, the will process the GPO. Therefore, if the user has a considerable knowledge of Active Directory, she can manage to see the contents of the GPO. However, a GPO can apply to a user if Apply Group Policy permission is allowed. 6. Apply the Notssid.inf template. By default, Terminal Services applies consistent security settings to the Terminal Server Users group. The Notssid.inf template removes the Terminal Server Users SID from all DACLs. As a result, all security is applied based on the individual user’s SID and group membership.


III

PART

Network Security




Chapter 6 Public Key Infrastructure


KI makes it easy for businesses to provide secure authentication and encryption features that are based on public key cryptography. Public key cryptography is a key technology to protect valuable information resources for e-commerce, the Internet, intranets, and Web-enabled applications. The benefits of public key cryptography can be reaped only when it is properly implemented through an infrastructure, which is offered by PKI. PKI is a set of interconnected components that work together to provide public key-based security to applications and users.

P

This chapter introduces you to public key cryptography and PKI. The first part of the chapter explains how public key cryptography forms the basis of PKI by providing various security services, encryption techniques, and secure key exchanges. The latter part of the chapter discusses Windows 2000 PKI and its components. It also explains how you can implement PKI in Windows 2000.

What Is Public Key Cryptography? Chapter 2, “Introducing Windows 2000 Security,” explained the difference between symmetric and public key cryptography. However, popular belief about cryptography is that it is linked with secret-key cryptography, in which a single secret key is shared between two parties involved in data exchange and that key is used both to encrypt and decrypt data. This type of cryptography makes encrypted data vulnerable to attack if the key is lost or compromised. On the other hand, public key cryptography uses two keys: a public key, which can be shared, and a private key, which must be kept secret. These keys are complementary. If you encrypt something with the public key, it can only be decrypted with the corresponding private key and vice versa. A definite mathematical relationship exists between the public and private keys. Nobody can derive a public key from the private key or vice versa. There are two fundamental operations associated with public key cryptography, encryption and signing. ◆

Encryption. As discussed in Chapter 2, encryption hides data so that only the party it is intended for can read it. For example, if Bob sends data to Alice, encryption ensures that only Alice can decrypt it. Before sending


PUBLIC KEY INFRASTRUCTURE

Chapter 6

the data, Bob uses Alice’s public key to encrypt it. When Alice receives the encrypted data, she uses her private key to decrypt it. Alice distributes her public key freely, making it available for anyone to encrypt data that only she can decrypt. If another user wants to read the data sent to Alice, he cannot decrypt it because he does not have Alice’s private key. ◆

Signing. Signing also uses encryption to authenticate the origin of data. If Alice wants everybody else to know that the data was sent by her, she encrypts it using her private key and posts it for use by the public. This signed data can be decrypted only by Alice’s public key. Because private and public keys are related, decryption by the public key tells the world that it was Alice who had originally encrypted the message by using her private key.

These two operations can be used to provide four capabilities: confidentiality, authentication, integrity, and nonrepudiation. These capabilities allow e-commerce, intranets, extranets, and other Web-enabled business applications to be successfully deployed. ◆ Confidentiality. While encrypting data, it is important that the confi-

dentiality of the interacting entities be maintained, especially over the Internet where everyone is able to communicate with one another. Cryptography provides privacy through data encryption in situations where only authorized entities have information about encryption keys. For example, if a user on a remote network sends an encrypted e-mail message to another user, cryptography ensures that hackers do not alter the message while it is transmitted over the network. ◆

Authentication. When data is sent across a network, the identities of both the sender and the recipient need to be verified to ensure that the data is transmitted from a secure source. For example, before customers provide their credit card numbers to an e-commerce Web site, they will want to know that they are not communicating with an imposter. They also want to ensure that the data is not tampered with during transfer. This is done through the entity authentication capability of cryptography. For example, a Web browser might encrypt a piece of information using the site’s public key and ask the Web server to decrypt it, thereby demonstrating that the server has the right private key and establishing its identity.

◆

Integrity. Integrity ensures that the information is not corrupted or altered. Therefore, public key cryptography uses techniques and mecha-


201

202

Part III

NETWORK SECURITY

nisms to verify the integrity of information. For example, an intruder might alter a file, which will automatically change the unique digital fingerprint on the file. When the recipients receive the modified or corrupted information, they can detect the tampering by comparing the changed digital fingerprint to the digital fingerprint on the original contents. ◆

Nonrepudiation. Businesses of today require that both the parties involved in an exchange be bound by an agreement. Both customers and sellers need to be assured that if they enter into an agreement, the other party will not be able to repudiate the agreement in the future. Digital signatures can be used for nonrepudiation, which proves that the sender of a document is legally committed to the document. For example, the digital signatures on an electronic purchase order can prove that you actually used your credit card in a transaction.

Digital Signatures You know that in the business world, handwritten signatures or physical thumbprints are commonly used to uniquely verify the identity of people for legal proceedings or transactions. In electronic transactions also digital thumbprints, called digital signatures, can be used to identify electronic entities. A digital signature ensures the integrity of a digitally signed document and also uniquely identifies its sender. If Bob wants to digitally sign his e-mail, one possible method is that Bob can create the signature by encrypting all of the data with his private key and enclose the signature with the e-mail message. Because Bob’s public key is available to the world, anyone can decrypt the signature (using Bob’s public key) and compare the decrypted message to the original message. Anyone with Bob’s public key can decrypt the signature and compare the decrypted message to the original message. Because only Bob has his private key, only he can create the signature. The integrity of the message is confirmed when the decrypted message matches the original message. If an interceptor tampers with the original message during transmission, the signature changes and, as a result, does not match Bob’s original signature. However, encrypting all data to provide a digital signature is not practical because the cipher text signature is the same size as the corresponding plaintext. This leads to doubling of the size of messages, thereby consuming large amounts of bandwidth during transit.



Chapter 6

Before signing the data, it can be converted to its hash value, or message digest. A hash value is generated by using an algorithm called a hash algorithm, or hash function. A hash algorithm is a specially designed encoding scheme that converts a string into a fixed-length string. A hash is a one-way function, meaning that it is not possible to reverse a hash. The description of some of the most commonly used hash algorithms is as follows: ◆

Secure Hash Algorithm (SHA-1). Also known as Secure Hash Standard (SHS), this hash algorithm was published by the United States government. This algorithm can produce a 160-bit hash value. This algorithm has been well received by people and appreciated by experts.

◆

Message Digest v2 (MD2), Message Digest v4 (MD4). These algorithms were released by RSA Data Security Inc. Several security leakages have been discovered in these algorithms, and they are no longer used to implement encryption. Newer algorithms, such as MD5 have been developed.

◆

Message Digest v5 (MD5). Released by RSA Laboratories, this algorithm can produce an output with a 128-bit hash value. As in the case of MD4, some security loopholes have been found in MD5 too.

◆

RIPEMD-160. This hash algorithm was designed to replace MD4 and MD5 and provide better and safer hashing methodology. It can produce a 20-byte or 160-bit hash value.

In practice, the most common types of digital signatures today are created by signing message digests with the sender’s private key to create a signed version of the data. Message digests are smaller than the original message. Signing the message digest results in a shorter signature than signing all the original data. Therefore, digital signatures consume insignificant amounts of bandwidth. Digital signatures are not used to sign the entire data; they are used to sign only the message digest. To understand the practical usage, consider an example. Jim is a reputable software manufacturer and has released certain software that is freely downloadable. To assure anybody that the software he or she has downloaded is indeed made by Jim, and not by someone else, he digitally signs it. Therefore, when users download the software, they can match the digital signature to check that they have received the correct software. They can do this by generating a hash value for the software using the same hash algorithm Jim used, and then use Jim’s public key to decrypt Jim’s hash value. If the two hashes match, users can rest assured that the software is authentic. The most important point here is that the


203

204

Part III

NETWORK SECURITY

software itself is not encrypted. Jim is not bothered about restricting who will use the software; all he is bothered about is assuring people that the software they are using is actually the software Jim created and not from another person with the same name. There are certain algorithms used for creating digital signatures. One of the most commonly used algorithm for digital signatures is the Rivest Shamir Adleman (RSA) algorithm. The following section discusses the RSA algorithm.

RSA RSA refers to a particular implementation of public key cryptography; RSA has become the de facto standard in this field to the extent that RSA and public key encryption are often used as synonyms. The message is encrypted using the sender’s private key. The recipient, at the other end, retrieves the message using the sender’s public key. RSA’s digital signature process is as follows: 1. The public key of the sender is requested by the intended recipient and is forwarded to it. 2.

The sender uses a hash function and converts the public key into a message digest.

3. The sender encrypts the message digest with his private key. As a result, a unique digital signature is generated. 4. The message and the digital signature are combined and forwarded to the recipient. 5. On receiving the encrypted message, the recipient regenerates the message digest using the same hash function as the sender. 6. The recipient then decrypts the digital signature by using the sender’s public key. 7. The recipient then compares the regenerated message digest (step 5) and the message digest retrieved from the digital signature (step 6). If the two match, it is confirmed that data was not intercepted during transmission and the data is accepted. Otherwise, the data is rejected. The data exchange based on RSA algorithm is shown in Figure 6-1. The following are the features of RSA that have helped in achieving manageable and more secure transactions:



Chapter 6

FIGURE 6-1 Data exchange as defined by the RSA algorithm.

◆

Simplification of the problem of key management. In symmetric cryptography, n2 keys are required if n entities are involved in a transaction. In comparison, asymmetric cryptography only requires 2*n keys. The growth in the number of keys with the growth in the number of users is linear and therefore manageable even when there are a large number of users.

◆

Enhanced security of transactions. RSA algorithm increases the security offered by the keys. Every user must have a pair of keys that he or she generates. The private key does not require that it be shared with anyone, and so the problem of transmitting it does not arise; nor do the problems of having and managing secure channels arise. The public key, however, is shared with everyone (for example, in a catalog) and can be transmitted using the most convenient method, posing no problems regarding its privacy.


205

206

Part III

NETWORK SECURITY

Windows 2000 PKI Now that you understand public key cryptography and its capabilities, you can relate it with PKI. PKI gives you the ability to: ◆

Manage keys. PKI eases the process of issuance of new keys, revocation of existing keys, and management of the trust attached to keys received from different issuers.

◆

Publish keys. PKI offers a well-defined way for clients to request public keys and information about their validity. This allows the clients to use the public keys.

◆

Use keys. PKI provides an easy way for users to use keys by making them available when they are required and by providing applications that perform public key cryptographic operations. This makes it possible to provide security for e-mail, e-commerce, the Internet, and intranets.

PKI Components To explain the components of PKI, I will use the same example of Alice and Bob exchanging data with each other, wherein Alice uses Bob’s public key to encrypt the data she sends to him. Because Bob’s public key is available publicly, Alice might have obtained it through an unsecure mechanism. Therefore, she needs another mechanism to ensure that the public key she holds is Bob’s public key. One such mechanism is based on certificates issued by a certification authority (CA). In the following sections, I will talk about the components of PKI. These include: ◆

PKI client

◆

Certificates

◆

CA

◆

Certificate templates

◆

Certificate management tools

◆

Certificate distribution points

◆

Public key-enabled applications and services

PKI Client A PKI client is the entity that requests a certificate from the corresponding CA. Before a PKI client can participate in data transactions, it must obtain a certifi-



Chapter 6

cate. To do this, it issues a request for the certificate from the corresponding CA. When the client is authenticated successfully, it receives the certificate it requested. After receiving the certificate, the client uses it to identify itself. It is the sole responsibility of the client to safeguard the certificate.

Certificates Certificates are the foundation of PKI. Certificates are electronic credentials that are used to represent an entity on a network. They provide a mechanism for identifying the relationship between a public key and the entity possessing its corresponding private key. The entity can be a user, a computer, or a network service. A certificate is a particular type of digitally signed document. The subject of the document is a particular subject’s public key, and the certificate is signed by the issuer (the entity holding another pair of public and private keys). The subject’s public key holds information such as the PKI client’s name. This information might be related to the client’s identity, what he is allowed to do, or under what condition the certificate is valid. Therefore, when the issuer issues a certificate, it attests to the validity of the binding between the subject public key and the subject identity information.

CA A CA is nothing but the trusted authority or service that manages and issues certificates. A CA, as an issuer of certificates, acts as a guarantor of the binding between the subject public key and the subject identity information contained in a certificate. The CA issues certificates to clients based on a set of established criteria. The criteria that a CA uses when processing a request is referred to as CA policy. It is different from the general term policy that is commonly associated with Windows 2000 domain accounts. Each CA is responsible for deciding the attributes to be included in a certificate and the mechanism to be used to verify those attributes before issuing the certificate. In a Windows 2000 network, you can define CAs by installing Certificate Services on a machine running Windows 2000 Server or Windows 2000 Advanced Server. CAs also issue certificate revocation lists (CRLs). A CRL is a list of certificates that a CA revokes before a scheduled expiration date. A CA can revoke a certificate either because the owner’s private key has been compromised or because the


207

208

Part III

NETWORK SECURITY

holder is no longer associated with the issuer. The CA then publishes the CRLs for clients to check. This mechanism is analogous to the stolen credit card list that card issuers publish. Before any client can be authorized, it must first pass the check for absence of client’s name in the CRLs.

Certificate Templates You can simplify the process of issuing and administering certificates by using certificate templates, which are published in Active Directory and are global across a Windows 2000 forest. They define the information that goes into a certificate, the certificate extensions, and the origin of the information. They also simplify the use and management of the CA because they hide the technical details of certificate contents by defining attributes, such as the content and format of a certificate. You can issue specific certificates to specific types of users without their bothering about the type of certificate they need. A Windows 2000 Enterprise CA, discussed later in this chapter, uses certificate templates to control the contents of the certificates issued.

Certificate Management Tools PKI should have some management tools for controlling and monitoring issued certificates. For example, sites must keep track of certificates that were issued, the time of issuance, and the entity to which they were issued; old certificates may need to be archived so that encrypted e-mail messages can be read even after the certificates are no longer active. There also has to be some way to control and monitor how a CA is issuing and publishing certificates and CRLs. In Windows 2000 PKI, the certificate management tools are provided through the Certification Authority snap-in for the MMC. This snap-in allows you to revoke, issue, and audit all certificates that were issued by a CA, as shown in Figure 6-2. You can also use the Active Directory Sites and Services snap-in for certificate management. In the Active Directory Sites and Services snap-in, from the View menu, choose Show Services Node. Expand the Services\Public Key Service\Certificate template, as shown in Figure 6-3. You can protect certificate templates from unauthorized access by modifying the DACL to allow access only to users or groups with the Enroll permission in the Active Directory Sites and Services console, as shown in Figure 6-4.



Chapter 6

FIGURE 6-2 The Certification Authority snap-in.

FIGURE 6-3 The Certificate Templates node in the Active Directory Sites and Services

snap-in.


209

210

Part III

NETWORK SECURITY

FIGURE 6-4 Configuring access control on certificate templates.

Certificate Distribution Points Certificate distribution points are the locations from where certificates and CRLs can be retrieved by the clients participating in PKI. This makes the critical material needed to support PKI widely available. Publishers can use a directory service as a certificate publication point, such as X.500, Lightweight Directory Access Protocol (LDAP), or operating system directories. Certificates can also be published on smart cards, disks, or CD-ROM. In Windows 2000 certificate publication points include Active Directory, Web servers, FTP services, and the local file system.

Public Key-Enabled Applications and Services After your PKI is able to issue and manage certificates, the next step is to deploy applications that can use them. An application should be tightly integrated with the rest of the PKI components but should make the architecture and working of the PKI transparent to the user. Public key-enabled applications use digital certificates and can combine cryptographic functions, such as signing and encryption for securing e-commerce, network access, or other services. All Microsoft applications that use public key cryptography are public key-enabled by default. Examples of



Chapter 6

public key-enabled applications include Microsoft Outlook Express, Microsoft Internet Explorer, and Microsoft Internet Information Server. Examples of public key-enabled services include EFS, smart card logon, and IPSec. Figure 6-5 presents a top-level view of the components that make up the Windows 2000 PKI. These components allow you to deploy one or more Enterprise CAs integrated with Active Directory. Active Directory is a certificate distribution point, provides CA location information, and allows the use of certificates. The PKI works with DC and KDC services and provides trust and authorization mechanisms, increasing applications’ capability to address extranet and Internet requirements. In particular, the PKI addresses the need for scalable and distributed identification and authentication, integrity, and confidentiality. Windows 2000 PKI also provides support for creating, deploying, and managing public key-based applications on workstations and application servers running Windows NT, as well as workstations running Windows 95 and Windows 98.

FIGURE 6-5 Windows 2000 PKI components.


211

212

Part III

NETWORK SECURITY

Designing Windows 2000 PKI Architecture Some components of the Windows 2000 PKI, such as IPSec and EFS, are deployed immediately. The network administrator does not need to do anything special to provide the certificates of these services. However, other components, such as CAs, have to be deployed explicitly. You also need to decide what is going to be your Cryptographic Service Provider (CSP). A CSP is a software or hardware module that provides the encryption to your CA. It defines how cryptography algorithms are used for authentication, encoding, and encryption. Before deploying a CA, you need to decide on the CA hierarchy that you want to implement for your organization.

CA Hierarchies In Windows 2000 PKI, CAs are organized into hierarchies with the root CA at the top. A CA hierarchy can have multiple CAs that are arranged in a parent-child relationship, where the parent CA certifies the child CA. A well-planned hierarchical model of CA allows better administration of a Windows 2000 network.

Rooted CA Hierarchy In a rooted CA hierarchy, a root CA is a special class of CA, which is unconditionally trusted by a client and issues itself a certificate. This certificate is known as the self-signed certificate. A self-signed certificate is one where the public key in the certificate and the key used to verify the certificate are the same. A root CA certifies the subordinate CAs and itself. This is why a root CA is also called a selfsigned CA. All certificate chains terminate at a root CA. The decision to designate a CA as a root CA can be made at the enterprise level or locally by an individual. All the child CAs of a root CA are called subordinate CAs. A subordinate CA issues a certificate in which the public key in the certificate and the key used to verify the certificate are different. The intermediate CAs give certificates to issuing CAs, which are at a lower level in the hierarchy. Users and computers get certificates from these issuing CAs. In a Windows 2000 forest, a root CA is a point of trust. If a user trusts a root CA, then it also trusts all subordinate CAs, as shown in Figure 6-6.

Cross-Certification Hierarchy You can have a CA hierarchy span multiple forests to ensure the availability of at least one CA to provide certificate-related services. Such a CA hierarchy is called a cross-certification hierarchy. In a cross-certification hierarchy, a CA acts both as



Chapter 6

FIGURE 6-6 A rooted CA hierarchy.

the root CA and a subordinate CA. This is usually observed within the networks of partner organizations that have existing CA hierarchies. A cross-certification hierarchy allows existing CA structures to be maintained while allowing the addition of new CAs in the existing structures of the organizations’ networks. In a cross-certification hierarchy, a CA can act as the root CA of the organization and at the same time act as the subordinate CA of the partner organization. This CA will then have a self-signed certificate, as well as the subordinate certificate issued by the partner CA, as shown in Figure 6-7. A cross-certification hierarchy imposes a major risk of trusting the partner organization’s root CA, thereby trusting all subordinate CAs. This might lead to excess


213

214

Part III

NETWORK SECURITY

FIGURE 6-7 A cross-certification CA hierarchy.

trust between the organizations, and often the trust can be breached. This is also a disadvantage when you want to trust certificates issued by specific CAs located in the partner organization’s CA structure. When you start designing the business policy, you should first decide on the CAs, both internal and external, that will issue certificates. A typical CA hierarchy has a three-level architecture: root CA, intermediate CAs, and issuing CAs. It is recommended that you have one root CA, and it should be offline. You need an intermediate CA to implement certificate policy. This level also needs to be offline. The third level should be issuing CAs. You can have internal or external CAs at this level. You can have internal CAs for internal network authentication and data integrity. You can have external CAs for Internet transactions and software signing that might require third-party certificates in order to establish public trustworthiness. You should design a CA hierarchy depending on your organization’s structure and the number of applications and services that require certificates. Other things that you should consider while designing a CA hierarchy are the capacity of a CA database, the administration of CAs, the reorganization of the enterprise, the



Chapter 6

availability of service, and certificate publication. As per the CA design, a single CA database can support nearly 250,000 users. You can use Group Policy to delegate the administration of CAs to an administrator group. The CA hierarchy in Windows 2000 PKI is scalable. You can add or remove CAs and their users in a CA hierarchy depending on your organization’s need. However, you cannot move a group of users from one CA to another without re-enrolling them with the new CA.

Types of CAs You can deploy a commercial CA or a private CA to issue certificates in your organization. Commercial CAs are maintained by a certificate issuing company, which is a third party, while private CAs are internal to an organization. •

Commercial CA. Commercial CAs are external to an organization and provide certificates to millions of users. Some of the commercial CAs are Thawte, Verisign, Belsign, and GTE Cybertrust. You can use a commercial CA when most of your business customers are external and you do not want to manage certificate issuance and distribution internally. By using a commercial CA, you can take advantage of the service provider’s experience and expertise. The ISP can also help in increasing the confidence of clients to transact securely with the organization. You can use commercial CAs to implement certificate-based security immediately while you develop an internal PKI. Using a commercial CA also has few disadvantages, such as less control over the management of certificates and the cost per certificate.

•

Private CA. You can use a private CA when you conduct most of your business with partner organizations and want to manage certificate issuance and distribution internally. You need to define a plan for administering certificate issuance and root CA security. You also need to define and implement a certificate policy for managing certificate deployment in your organization. The certificate policy that you follow should be in line with your organization’s security policy. For internal CAs, your organization can set its own policy but you should be aware that other organizations might have very different policies than that of your organization.


215

216

Part III

NETWORK SECURITY

CA Security When planning for PKI security, the root CA’s security is an important consideration. You cannot compromise the security of a root CA as it results in compromising the security of subordinate CAs in the hierarchy. If the root CA is outsourced to a commercial CA, then the responsibility to maintain the security of the root CA does not depend on you, but if you want to deploy your own root CA, its security is your responsibility. Any online CA is vulnerable to attacks, so the most common approach is to keep the root CA offline. You can enhance the physical security of an offline root CA by keeping it in a safe location. You can also secure CAs by creating tough procedures for creating subordinate CAs, such as requiring multiple simultaneous operators to mutually confirm actions. A CA issuing certificates to end entities will use its private key to sign a large amount of data. The more a key is used to sign data, the more the opportunity for a cryptographic attack. It is therefore necessary for online CAs that are issuing certificates to end entities to frequently replace their signing keys.

CA Policy Models In Windows 2000, you can choose from two certificate policies, enterprise policy and Stand-alone policy. While configuring Certificate Services for a private CA, you need to select one of these CA policy models, as shown in Figure 6-8. Choosing a policy model will decide where the CA stores its issued databases and how the CA issues certificates. The selection of a CA policy model depends on your organization’s PKI requirements and will determine the way CAs will behave. Both policies differ in the way they handle authentication, Active Directory interactions, and using certificate templates.

Enterprise Policy The CA that follows an enterprise policy model is referred to as an Enterprise CA. You can go for an Enterprise CA if you use it to issue certificates to internal users and computers. Enterprise CAs are integrated with Active Directory and are used for getting information about users. You should have a domain account with proper permissions to request a certificate from an Enterprise CA. You can create an Enterprise CA if you are a member of Enterprise Admins group. Enterprise CAs use certificate templates to implement a consistent policy for certificate enrollment. When using templates to create certificates, you can choose from a single-purpose or a multipurpose template. A single-purpose template can be



Chapter 6

FIGURE 6-8 Choosing the Stand-alone or

Enterprise CA.

used only for a single application. For example, the Code Signing certificate template is used for code signing operations. A multipurpose template can be used to generate certificates for multiple applications. For example, a single template can be used to generate certificates for EFS and SSL. The use of certificate templates reduces the administrative burden on an Enterprise CA, thereby causing the lowest overhead per certificate. Certificate templates work with Active Directory and the Windows 2000 security model to provide a single point of management. Permissions for individual certificates are configured using Active Directory Sites and Services. An Enterprise CA uses Active Directory as its registration database. By default, all the users and computers in a forest are registered to all the Enterprise CAs in the forest, allowing all users with appropriate permissions to request a certificate from an Enterprise CA. Enterprise CAs publish certificates and CRLs to Active Directory. One of the major reasons in favor of deploying Enterprise CAs in your forest is that they are required for smart card logon, IPSec, and EFS deployment. Therefore, if you want to have these technologies on your network, you must deploy at least one Enterprise CA.

Stand-Alone Policy The CA that follows a Stand-alone policy model is referred to as a Stand-alone CA. A Stand-alone CA does not require Active Directory to get information TEAM LinG - Live, Informative, Non-cost and Genuine!

217

218

Part III

NETWORK SECURITY

about users. If you issue certificates to users and computers outside your organization, choose a Stand-alone CA. Unlike an Enterprise CA, a Stand-alone CA does not use certificate templates. To get a certificate from a Stand-alone CA, you need to give complete information about user identification and the type of certificate required. All requests requiring a decision to be made are placed in the Pending Requests store of the Certification Authority snap-in. The certificate is issued only when the administrator of the Stand-alone CA authenticates the identity of the applicant and accepts the request. You cannot get certificates for smart card authentication to a Windows 2000 domain from a Stand-alone CA. A Stand-alone CA should be deployed when you want to configure an offline root CA, which is not connected to the network, by default. The constant use of the Certificate Services database in Active Directory by the Enterprise CA prevents it from being configured as an offline root CA. You can integrate Windows 2000 Certificate Services with an Exchange 5.5 Key Management Server (KMS). The Exchange 5.5 Policy can be run only on a Stand-alone CA to use x.509 v3 certificates instead of the default x.509 v1 certificates. You can also configure a Stand-alone CA when you want to place a CA in a location where it cannot contact Active Directory.

NOTE Both Stand-alone and Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME, and authentication to a secure Web server using SSL/TLS.

Deploying Enterprise and Stand-Alone CAs in the Same Hierarchy You can deploy more than one Enterprise root CA in a Windows 2000-based domain, thus more than one hierarchy. It is also possible to mix and match Standalone and Enterprise CAs in a hierarchy based on your requirements. It is recommended that you create an offline Stand-alone root CA that issues certificates only to subordinate CAs. This is important because if the root CA is compromised all certificates issued by it, including the ones issued by the subordinate CAs, will be compromised. An offline root CA provides assurance that it cannot



Chapter 6

be easily compromised and any compromised subordinate CA on the network can be safely revoked. Subordinate CAs in a hierarchy can use a Stand-alone policy as well, but this would require greater administration, increasing the possibility of compromise. If the CAs will be supporting a Windows 2000 domain, configure them as Enterprise subordinate CAs and take advantage of the added security features the Enterprise policy provides. Figure 6-9 illustrates deploying Enterprise and Standalone CAs in the same hierarchy.

FIGURE 6-9 Enterprise and Stand-alone CAs in the same hierarchy.


219

220

Part III

NETWORK SECURITY

CA Hierarchy Plans You can plan CA hierarchy based on usage, organization, and geography. In a usage-based CA hierarchy, CAs are organized depending on the types of applications and services that require certificates from them. For example, you can have a CA that serves certificates only for secure Web communications. You can design a CA hierarchy based on the administrative structure of an organization. In this, CAs are organized on the basis of business relationships that users share with the organization, such as employees and customers. This model allows you to implement a higher level of security for a particular type of user. Finally, you can issue certificates to a user based on his location by following a CA hierarchy designed on the basis of geographical locations.

Certificate Life Cycle After you have established your optimal CA structure, you should plan the certificate life cycle. To meet the security requirements of your organization efficiently, you should properly define the certificate life cycle that includes certificate enrollment, distribution, revocation, renewal, and auditing.

Certificate Enrollment and Distribution Certificate enrollment defines the procedure of requesting and receiving a certificate. It is a process that an object, such as a user or a computer, initiates by providing unique information about its identity to a CA. The CA processes the request and issues the certificate after proper authentication. All issued certificates have a definite lifetime. The process followed for certificate enrollment is as follows: 1. The applicant is assigned a public and private key pair. 2. The identity information of the applicant is provided as required by the CA for authentication. 3. A request for certificate issuance is sent to the CA after encrypting it with the CA’s public key. The request consists of the applicant’s information that is necessary for processing the request. 4. The CA verifies the information in the request, as per the policy it follows. 5. After successful verification, the CA creates a certificate containing the applicant’s public key and name, the certificate’s expiration date, the certificate number, and the name and digital signatures of the CA.



Chapter 6

6. The certificate is finally sent or posted to the applicant, ending the certificate enrollment process. The process of certificate distribution of each CA differs. In case of a Windows 2000 Stand-alone CA, the CA administrator verifies the requests based on the information they contain. Until the administrator accepts a request, it is considered pending. You can check the status of a pending request by using the Certificate Services Web page. The Windows 2000 Enterprise CA uses Active Directory to verify the applicant’s credentials, which makes the process of certificate enrollment faster. The CA impersonates the user to obtain the correct security context. This enables the policy module to establish the rights of the user to the template and the CA. After successful verification, the certificate is issued to the user. You can also define which certificate templates will be requested automatically by the computer accounts within a site, a domain, or an OU. You can do this by creating a GPO where the computer accounts are defined, as shown in Figure 6-10. You can further configure the correct permissions for computers for each certificate template they acquire. Remember that there should be at least one Enterprise CA configured to issue the required certificate templates. All user certificates and some computer certificates must be requested manually from a CA. You can use the Certificate Request wizard in the Certificates snapin to request a certificate from a Windows 2000 Enterprise CA. In the wizard, you can select the type of certificate depending on the access right you have. You can also use the Certificate Services Web registration page to get a certificate from the Windows 2000 Enterprise or Stand-alone CA by connecting to http://CA server name/certsrv, where CA server name is the name of the server running Certificate Services.

Certificate Revocation A CA can revoke certificates before the expiration of their defined lifetime. A CA might need to revoke a certificate if the information contained in it is no longer valid. This can happen for many reasons, such as compromise in the private key of a certificate, compromise in CA security, change in the status of the individual holding a certificate, and fraud in obtaining the certificate. You can get information about revoked certificates from the CRLs, which are published in Active Directory. You use the Certification Authority snap-in to


221

222

Part III

NETWORK SECURITY

FIGURE 6-10 Configuring automatic certificate requests in Group Policy.

publish a CRL. You should control the frequency of CRL publications as it affects network traffic and server load. The entries in a CRL are removed after a revoked certificate expires, to keep the size of the CRL to a minimum. You can implement policies for revoking certificates and policies for CRLs. In the policies for revoking certificates, you can specify the circumstances in which a certificate has to be revoked. In a CRL policy, you can specify the location of CRLs and their publishing schedules.

Certificate Renewal After a certificate has expired, it is no longer in use. You can request a new certificate or renew an expired certificate from a CA. The lifetimes of the certificates that a CA issues fall within the lifetime of the CA’s own certificate. For example, if a CA’s certificate was only valid for a further six months, the longest validity period it would issue a certificate for is six months. This is to ensure that when a CA’s certificate reaches the end of its lifetime, all certificates it has issued will also have expired. You need to renew a certificate often if the lifetime of a CA’s



Chapter 6

certificate is small. Frequent renewals of a CA’s certificate with a new key make an attack on a key less possible. However, frequent renewals might be a burden to users and, hence, should be avoided. You can solve this problem by making sure that a CA’s certificate lifetime is sufficiently long.

Certificate Auditing You can use auditing to monitor all certificate-related activities on the certificate server. Audit trails keep records of all transactions, including certificate requests, issued certificates, and failed requests. They also include all the information contained in each issued certificate. You can use audit trails to meet the security requirements of your organization by using them to get information about a certificate that was used for an illegal activity or was part of a fraudulent transaction. Use the Certification Authority snap-in to view the Windows 2000 Certificate Services log and database.

Certificate to User Account Mapping You can allow access to external users who do not have an account in Active Directory by using certificate mapping. This can be done when you want to allow Web users to connect to your Web site protected by the SSL protocol. You can configure the Web site to require certificates for user authentication. The access is allowed on the basis of a user possessing a valid certificate from a third party, which your organization accepts. This allows for security of user name and password by transmitting only the certificate over the network. When the Web server receives a certificate, it looks at its own mapping table or the mapping table of Active Directory to determine the user account mapped with the certificate. The users are authenticated in Active Directory and are given necessary rights and permissions. Certificate mapping maps a single certificate or multiple certificates with similar properties to a single user account, referred as one-to-one or many-to-one mappings.

One-To-One Mapping You can map a user certificate to a single Windows 2000 user account by using one-to-one mapping. The user authentication happens based on the mapped user account, and the user is granted rights and permissions assigned for that account. One-to-one mapping involves administrative overhead and should be used only when there is less need for certificate to account mapping.


223

224

Part III

NETWORK SECURITY

Many-To-One Mapping When users who have certificates issued from a particular CA want to access the resources in your network, they are mapped to a single user account in your Windows 2000 network. This is many-to-one mapping. The users are authenticated based on the user account they are mapped to. After authentication, they are given the rights and permissions that are associated with that account. The CA issuing certificates to these users must be installed as a trusted root CA. Before a user having a certificate is mapped to a user account, his credentials are checked against mapping rules. Mapping rules are used to check the information in the user’s certificate. You can map different many-to-one mappings for different sets of users depending on the rights they require.

Summary In this chapter, you took a tour of public key cryptography and how it allows encryption and signing. These two operations can be used to provide four capabilities: confidentiality, authentication, integrity, and nonrepudiation. You were introduced to digital signatures and various hashing algorithms. You also learned how the RSA algorithm enables you to digitally sign data. Next, you learned about the components of Windows 2000 PKI and how they enable an effective and scalable management of encryption keys. Finally, you learned how you can use Windows 2000 Certificate Services with Active Directory to implement PKI.

Check Your Understanding Multiple Choice Questions 1. Charles wants to understand the concept of digital signing. He wants to send and receive digitally signed e-mail messages to and from Laura and he wants only Laura to read the message. He wants to know which keys will be used to encrypt a message and its message digest when he sends a digitally signed message to Laura. a. Charles’ public key b. Laura’s public key



Chapter 6

c. Charles’ private key d. Laura’s private key 2. Using the same scenario in question 1, which keys will Laura use to decrypt the message and its message digest when Charles sends a digitally signed message to her? a. Charles’ public key b. Laura’s public key c. Charles’ private key d. Laura’s private key 3. Which of the following applications are PKI-enabled? a. IIS b. Microsoft Outlook c. Microsoft Excel d. Internet Explorer 4. While James is setting up an Enterprise CA for his organization, the process fails. What could be the possible reason? a. The computer in use cannot access Active Directory. b. James is not a member of the Enterprise Admins group. c. James does not have a root CA installed. d. James is trying to install a subordinate CA on a member server, which must be installed on a domain controller.

Short Questions 1. What is a CSP? 2. In PKI, which entity verifies that the subject in the certificate possesses the private key associated with the public key? 3. Steve installs a Stand-alone root CA. He is trying to get a certificate for smart card authentication. The process fails. What could be the possible reason? 4. Catherine wants to establish an offline root CA. She installs an Enterprise root CA for the same. However, she is not able to issue certificates with it. What is the reason?


225

226

Part III

NETWORK SECURITY

Labs 1. Stronglock Inc. has decided to work in a secure environment for its daily business transactions. To accomplish this, the company has opted to implement the PKI security solution. Install an Enterprise root CA for the company. 2. A subordinate CA needs to retrieve the Enterprise CA certificate to add to its list of trusted CAs. The Enterprise CA can then act as a trusted CA for the subordinate CA. A certificate can be retrieved through the Web. Retrieve the Enterprise CA certificate and include the certificate in the list of trusted CAs. 3. Revoke the certificate you issued. 4. Publishing CRLs frequently is a good practice because they need to have updated information each time a certificate is revoked. Publish and view a CRL. 5. You know that certificates can be renewed by generating a new key pair or by using the existing key pair. Renew a certificate.

Answers Multiple Choice Answers 1. b, c. Charles must use Laura’s public key to encrypt the message and use his private key to decrypt the message. In public key cryptography, a sender must use the recipient’s public key to encrypt a message and his own private key to encrypt the message digest that is used to determine the authenticity of a digitally signed message. 2. d, a. Laura must use her private key to decrypt the message and use Charles’ public key to decrypt the message digest. In public key cryptography, the recipient of the encrypted message must use his own private key to decrypt the message and the sender’s public key to decrypt the message digest. 3. a, b, d. Microsoft Excel is not a PKI-enabled application. 4. a, b. An Enterprise CA stores the Certificate Services database in Active Directory. Therefore, an important requirement for setting up an Enterprise CA is that Active Directory be available. In addition, only an enterprise administrator can set up an Enterprise CA.



Chapter 6

Short Answers 1. A CSP is a software or hardware module that provides the encryption to your CA. It defines how cryptography algorithms are used for authentication, encoding, and encryption. 2. A CA is responsible for digitally signing the certificate and verifies that the public key and the private key are actually possessed by the subject specified in the certificate. 3. Smart card authentication requires at least one Enterprise CA to issue necessary certificates. Smart card authentication cannot be implemented using a Stand-alone root CA. 4. An Enterprise CA stores the Certificate Services database in Active Directory. An offline CA is not attached to the network. Therefore, an Enterprise CA that is removed from the network will not be able to access the Certificate Services database.

Solutions to Labs 1. To install the Enterprise root CA, you need to complete the Windows 2000 Server installation and perform the following steps: a. Log on as an enterprise administrator. b. Open the Control Panel window and double-click Add/Remove Programs. c. In the Add/Remove Programs dialog box, select the Add/Remove Windows Components tab to start the Windows Components wizard. d. In the Windows Components wizard, select Certificate Services. This wizard is displayed in Figure 6-11. A message appears stating that after installing certificate services, the computer cannot be renamed and the computer cannot join or be removed from a domain. Click Yes. e. Click Next. The wizard prompts you for the type of Certification Authority you need to install. Select Enterprise root CA since you will install an Enterprise root CA. The other types of CAs that you can install are Enterprise subordinate CA, Stand-alone root CA, and Stand-alone Subordinate CA. f. To change the default cryptographic settings, check the Advanced option on the Certificate Authority Type screen.


227

228

Part III

NETWORK SECURITY

FIGURE 6-11 The Windows Components Wizard.

g. Click Next. The Public and Private Key Pair screen of the wizard appears. This screen is displayed in Figure 6-12. On this screen, you can select the following options: • CSP. The CSP is required for generating the public and the private key pair and for performing all the cryptographic operations for the CA. • Key length for the public and private key pair. The longer the key the more secure it is. The recommended key length for an Enterprise CA is 1024 or 2048. The “Use Existing Keys” option allows you to use previously generated keys or reuse keys from a previously installed CA. • Hash algorithm. The hash algorithm you want the CA to use, such as MD2, MD4, MD5, and SHA-1. You can also import keys by specifying the location of a PKCS#12 file and the password for the file. h. Retain the default settings and click Next. The CA Identifying Information screen appears (Figure 6-13). Enter the identifying information. i. Click Next. The Data Storage Location screen appears. In this screen, you specify the storage location for the certificate database and the certificate database log. By default, the location for the certificates that are issued by CA and the certificate database log is \<systemroot>\system32\certlog.



Chapter 6

FIGURE 6-12 The Public and Private Key pair screen.

FIGURE 6-13 CA identifying information.

j. Accept the default values and click Next. If Internet Information Services (IIS) is running on the system, you will be prompted with a message to stop the IIS. Click OK to stop the IIS. k. Insert the Windows 2000 Server CD when prompted. After the required files are copied, the installation is complete. l. Click Finish to close the wizard. 2. Perform the following steps to retrieve the Enterprise CA certificate and include the certificate in the list of trusted CAs: a. Launch your browser window.


229

230

Part III

NETWORK SECURITY

b. In the Address bar, type http://<enterprise CA server name>/certsrv. c. The Microsoft Certificate Services window appears, prompting you to select a task, as shown in Figure 6-14. Select the Retrieve the CA certificate or certificate revocation list to retrieve the certificate of the Enterprise CA that has just been installed. The other two options available are Request a certificate (which sends a request to the CA for issuing a certificate) and Check on a pending certificate (which provides you with the status information of the required certificate). d. Click Next. The next screen enables you to specify the file to download, as shown in Figure 6-15. Click the Download CA certificate link to download the Enterprise CA certificate. The other two links that are available are Download CA certification path (which gives you the complete CA certification path) and Download latest certificate revocation list (which provides you with the latest CRL). e. The File Download dialog box appears. Select the Open this file from its current location option and click Next. To save the down-

FIGURE 6-14 Certificate services options for certificate retrieval.



Chapter 6

FIGURE 6-15 Download CA certificate link.

loaded file to your computer you can choose the other option, which is Save this file to disk. f. Click OK. A sample certificate is displayed in Figure 6-16. g. Click Install Certificate to install the CA certificate. The Certificate Import Wizard appears, which helps you to store your certificates and CRLs from your computer to a certificate store. Click Next. h. The Certificate Store screen appears. Ensure that the option Automatically select the certificate store based on the type of certificate is selected. This ensures that all the certificate information is stored in an appropriate location on the basis of the type of certificate. i. Click Finish. A message box appears informing you that the import was successful. Click OK to close the message box. j. On the Certification Services screen, click the Install this CA certification path link to install the certificate path of the Enterprise root CA. k. A screen appears stating that that CA certificate is installed.


231

232

Part III

NETWORK SECURITY

FIGURE 6-16 A sample certificate.

Perform the following steps to request and install a user certificate from an Enterprise CA: a. Launch your browser window. b. In the Address bar, type http://<enterprise CA server name>/certsrv. c. Under Select a task, select the Request a certificate option. d. Click Next. A window appears prompting you for the type of request that you want to select. You can select User Certificate request or Advanced request. Select User certificate request and click Next. If you choose the other option, User Certificate request, then all the options of Advanced request will not appear. By choosing the Advanced request option, you can view all other options and request a certificate as per your requirements. e. On the Advanced Certificate Requests screen, select the Submit a certificate request to this CA using a form option, as shown in Figure 6-17. Click Next. f. The Advanced Certificate Request window appears, as shown in Figure 6-18. In this screen, from the Certificate Template list, select User. Scroll down and check the Use local machine store option. g. Click Submit. A window appears stating that the certificate has been issued.



Chapter 6

FIGURE 6-17 The Advanced Certificate Requests option.

FIGURE 6-18 The Advanced Certificate Request window.


233

234

Part III

NETWORK SECURITY

h. Click the Install this certificate link option to install the certificate. 3. Perform the following steps to revoke a certificate: a. Choose Start, Programs, Administrative Tools, Certification Authority. b. In the left pane of the Certification Authority snap-in, under Certification Authority [Local], expand Enterprise CA. c. Select Issued Certificates. The list of issued certificates appears, as shown in Figure 6-19. d. Right-click the certificate and choose All Tasks, Revoke Certificate from the context menu. The Reason Code dialog box appears prompting you to specify the reason for revoking the certificate. From the Reason code list, select Key Compromise. e. Click Yes to revoke the certificate. f. The certificate you revoked no longer exists in the Issued Certificates list. g. In the left pane, select Revoked Certificate. The certificate you revoked now appears in this list.

FIGURE 6-19 List of issued certificates.



Chapter 6

4. To publish a CRL, you need to perform the following steps: a. In the left pane of the Certification Authority snap-in, right-click Revoked Certificates, All Tasks, Publish. b. A message box appears stating that the last CRL is still valid and can be used by the clients. It asks you whether you still want to publish the new CRL. c. Click Yes to publish the CRL. d. To view a published CRL, choose Start, Programs, Administrative Tools, Certificates. e. In the left pane of the Certificates snap-in, expand the Certificates\Intermediate Certification Authorities node. f. Select Certificate Revocation List. In the right pane, double-click CRL to open Certificate Revocation List, as shown in Figure 6-20. Look at the value of the Effective date field in order to confirm that this is the latest CRL you published. g. Select the Revocation List tab. The certificate that you revoked now appears under Revoked certificates.

FIGURE 6-20 Certificate Revocation List Information.


235

236

Part III

NETWORK SECURITY

5. To renew a certificate, you need to perform the following steps: a. Open the Certificates snap-in. b. In the left pane of the Certificates snap-in, to view the objects under Certificates, expand Certificates if it is not already expanded. c. Under Certificates, expand Personal\Certificates. The right pane displays a list of certificates issued by Enterprise CA, as shown in Figure 6-21. d. Under Certificates, right-click the certificate <servername.domain name> and choose All Tasks, Renew Certificate with the Same Key from the shortcut menu. The Certificate Renewal Wizard appears. Click Next. e. In the Certificate Renewal Options dialog box, ensure that the option Yes, use default values is selected. f. Click Finish. A message box appears informing you that the certificate request was successful. g. Click OK.

FIGURE 6-21 Issued certificates list.


Chapter 7 Network Services


n a stand-alone system, there are limited chances and fewer possibilities of attacks. However, a system on a network is open to attacks from many directions. On a network, you use many network services to perform various tasks. The booming business communication over public networks has led to the revolution in IT security. In this respect, Windows 2000 Server is Microsoft’s endeavor to provide a secure enterprise server and the privacy of inter-business communications. In this chapter, my aim is to examine those Windows 2000 services that help in secure network communication. These include:

O

◆

Domain Name System (DNS)

◆

Dynamic Host Configuration Protocol (DHCP)

◆

Simple Network Management Protocol (SNMP)

◆

Remote Installation Services (RIS)

◆

Terminal Services

DNS: An Overview Domain Name Service (DNS) is a service that you use for resolving user-friendly names to IP addresses and vice versa. In addition, you can also use DNS to locate various services, such as the domain controller for logging on to the system. In a DNS, all the information, such as host names and domain names, is arranged in a hierarchical tree structure. This tree-like structure is referred to as domain name space.

NOTE The Windows 2000 DNS also supports Windows Internet Name Service (WINS). As a result, you can use both DNS and WINS for locating various network resources in a mixed mode environment.


NETWORK SERVICES

Chapter 7

Structure of DNS DNS is a hierarchical tree structure comprising multiple nodes. In a DNS tree structure, the root node is called the root domain and every node has a label associated with it. A label is an alphanumeric string that uniquely identifies a node. These labels, followed by a dot (.) and the DNS name, constitutes the path of the node in the DNS tree structure.

NOTE The complete reference of a host including its domain name and all sub domains is referred to a Fully Qualified Domain Name (FQDN).

The DNS consists of three main components: ◆

DNS database. The DNS database is a distributed and hierarchical database. It comprises the DNS tree and the records that identify resources within the DNS database.

◆

DNS server. The DNS server, or the name server, helps clients find a host within the DNS tree. The name server manages a portion of the domain name space.

◆

DNS client. The DNS client requests from the server the information of a host within the DNS tree.

The data in a DNS is organized into zones. DNS might consist of one or many zones. Inside a zone, the data is stored as records referred to as Resource Records (RR). Every RR has a Key RR associated with it. The key RR, in addition to containing the information about the entity of the RR, also contains the public key associated with the entity of the corresponding RR.

Windows 2000 DNS In Windows 2000, DNS maintains the namespace structure of the Active Directory and also stores information related to domain controllers and other services. The relevance of DNS in Windows 2000 can simply be judged from the fact that one of the primary requisites for running the Active Directory is accessing the


239

240

Part III

NETWORK SECURITY

DNS server. However, this DNS server should support dynamic updates. Dynamic updates in the DNS server help DNS clients and domain controllers to automatically register with the name server, modify the resource records, and at the same time send and receive dynamic updates. In addition to dynamic updates, in Windows 2000 you can secure DNS by using the Active Directory-integrated zone files and manage service (SRV) records. SRV records are those records that are used by DNS clients for locating services on the network. These records are automatically created and added in the DNS database by using the dynamic update feature. In Windows 2000, if the DNS zone is an Active Directory-integrated zone, all the DNS records are stored in the Active Directory. The following section discusses the types of DNS zones.

Types of DNS Zones in Windows 2000 All DNS data is organized into zones. The three types of DNS zones in Windows 2000 are: ◆

Standard Primary. The primary zone records all modifications that are made to the resource records. You can edit the records in the primary zone file.

◆

Standard Secondary. The secondary zone delegates and distributes tasks across computers. In addition, it is used to provide back up. You cannot edit records in the secondary zone file. In other words, the secondary zone is read-only. All the changes made in the primary zone are replicated in the secondary zone.

◆

Active Directory-integrated. The Active Directory-integrated zone is present only in Active Directory. All the information of this zone is maintained in the Active Directory. All updates in the Active Directoryintegrated zone occur at the time of Active Directory replication. However, in the Active Directory-integrated zone only the information pertaining to the domain in which the zone has been created is replicated.

Windows 2000 Zone Replication Replication of data in non-Windows 2000 DNS occurs from primary to secondary. In Windows 2000, however, the data is replicated by using Incremental


NETWORK SERVICES

Chapter 7

Zone Transfer (IXFR). In this process, information is replicated only in the zone file and not the complete zone. In Active Directory-integrated zones, replication occurs automatically at the time of Active Directory replication. You are not required to configure replication for the domain controllers of each domain separately. This is because each domain controller, configured as a DNS server, is updated dynamically with the changes that occur in the zone. In addition, you can use any of the domain controllers to update changes in the zone. This is in sharp contrast to traditional DNS replication, where primary zone replication is reflected in the secondary zone. In Windows 2000 Active Directory-integrated zone, you do not need a primary or a secondary zone.

NOTE Although you do not need to create a secondary zone in the Active Directoryintegrated zone, you can still create a secondary zone for remote sites where you do not want to have a domain controller. This helps you to provide local zone information as well as enabling provisions for backup services.

It can safely be concluded that DNS is central to the working of a Windows 2000-based system. As a result, there arises a paramount need for securing such a service. Although the services provided by the DNS run on a set of protocols that have been mainly defined by the Internet Engineering Task Force (IETF), unfortunately, the DNS is vulnerable to the security threats that envelop IP protocols. The following section discusses these in detail.

Threats Faced by DNS DNS is prone to a number of security threats. One of the many reasons DNS is so very vulnerable to attacks is that DNS is designed to serve as a public database. In fact, DNS is one of the main components of the Internet. Threats faced by DNS can be categorized into the following groups: ◆

Cache poisoning

◆

Client flooding

◆

Dynamic update vulnerability


241

242

Part III

NETWORK SECURITY

◆

Information leakage

◆

Compromise of the DNS server’s authoritative database

Cache Poisoning All addresses known during the name resolution process are stored in the local cache of the local name server. Whenever a server does not have the answer to a query within its cache, the server can pass the query on to another DNS server on behalf of the client. This is where DNS poisoning can occur. Suppose the other server contains incorrect information, whether placed there intentionally or unintentionally; that incorrect information will be passed on to the clients. Malicious cache poisoning is commonly referred to as DNS spoofing. Cache poisoning can be a significant threat because hackers can direct users to the wrong Web site, even though they may be specifying the correct address.

Client Flooding Client flooding occurs when a DNS client sends out a query to the DNS server. In response the client receives and accepts thousands of DNS responses from an attacker. The attack’s success is based upon lack of authentication of these responses. The attack is made to appear as if it is originating from the expected name server, but without strong authentication, the client does not have the capability to verify the origin of the response. This attack can be used instead of DNS spoofing when attempting to host name spoof an application.

Dynamic Update Vulnerability The DNS Dynamic Update protocol has provisions to control which systems are allowed to dynamically update a primary server. Even if it is employed, it is a weak form of access control and is vulnerable to threats such as IP spoofing of the system performing the updates or compromise of the system. An intruder, who is able to successfully accomplish either, can perform a variety of dynamic updating attacks against the primary server. They can range from DoS attacks, such as the deletion of records, to malicious re-direction, such as changing IP address information for an RR being sent in an update.

Information Leakage Other threats to the DNS include zone transfers that can leak information about internal networks to a potential intruder. Frequently, host names can represent


NETWORK SERVICES

Chapter 7

project names that may be of interest or reveal the operating system of a machine. An intruder can make use of DNS tools to automatically query every IP address in a domain space in an attempt to learn the DNS host name or to find IP addresses that are not assigned. If the intruder gets to know about the unassigned IP addresses, he can use IP spoofing to masquerade as a host of a trusted network. If a system trusts an entire IP network, that system may be vulnerable to an attack using an unassigned IP address.

Compromise of the DNS Server’s Authoritative Database The DNS server’s authoritative database can be compromised if an intruder gains administrative privileges for the database. He can then easily modify and maliciously update zone information for which the server is authoritative. All these threats are generally aimed at achieving the following objectives: ◆

DoS

◆

Masquerading

DoS DoS is accomplished in several ways. One takes advantage of negative responses (i.e., responses that indicate the DNS name in the query cannot be resolved). Sending back the negative response for a DNS name that could otherwise be resolved, results in a DoS for the client wishing to communicate in some manner with the DNS name in the query. The other way DoS is accomplished is for the rogue server to send a response that redirects the client to a different system that does not contain the service the client desires. A rogue server is the one that contains unauthenticated information and helps in facilitating attacks such as host name spoofing and DNS spoofing.

Masquerading The second and potentially more damaging attack reason is to redirect communications to masquerade as a trusted entity. If this is accomplished, an intruder can intercept, analyze, and/or intentionally corrupt the communications. The intruder can give the infected cache a short time to live, making it appear and disappear quickly enough to avoid detection. Masquerading attacks are possible simply because quite a number of IP-based applications use host names and/or IP addresses as a mechanism of providing


243

244

Part III

NETWORK SECURITY

host-based authentication. This burdens the DNS with the responsibility of maintaining up to date and accurate information, neither of which the DNS alone can assure. An attacker can make use of these shortcomings within the DNS to masquerade as a trusted host. Host based authentication is vulnerable to host name spoofing. After having discussed the various DNS attacks and their reasons, the following sections discuss how you can provide security to your DNS service.

Securing DNS Although several standards and mechanisms, such as RFC 2137 and RFC 2535 exist for securing DNS, Windows 2000 DNS security is based on Generic Security Service Application Programming Interface (GSS-API). This service has been defined in RFC 2078 and allows DNS to be secured by using the Windows 2000 standard authentication protocol, Kerberos. One of the most striking features of Windows 2000 DNS is its support for dynamic updates. However, this feature is prone to a number of vulnerabilities and, as a result, has been provided with a very secure mechanism. In fact, securing dynamic updates is the core security feature of Windows 2000 DNS security.

Securing Dynamic Updates For a secure dynamic update, both the DNS server and the DNS client need to agree upon a particular protocol and an exchange key. After the protocol and the key have been negotiated, the messages between the two contain a signature that authenticates them. Secured dynamic DNS updates are only supported by the Active Directoryintegrated zone. The following steps take place when a DNS client performs a secured dynamic update: 1. Dynamic updates can only be performed on the DNS server that is the authoritative server for the records that are being updated by the DNS clients. As a result, the DNS client first queries the local DNS server to find out the authoritative server. 2. In response, the local server replies back with the name of the client’s authoritative server and the zone in which the record is contained. 3. The client then sends a dynamic update request to the authoritative server to perform an unsecured update. If the zone that is to be updated


NETWORK SERVICES

Chapter 7

has been configured to accept only secured updates, the server rejects the request. 4. After the server has rejected the client’s request, the client then performs the secured dynamic update process. The client then sends a message containing a TKEY resource record. In reply, the server sends its own TKEY resource record. The TKEY resource record is used for establishing a secret key for DNS and transferring security tokens between the client and servers. After the messages have been exchanged, a negotiated session is established between the server and the client. 5. After a security session has been negotiated, the client sends another dynamic update request that contains a TSIG resource record. The TSIG resource record contains the negotiated key and the transaction signatures for DNS. The TSIG resource record and the negotiated security session are then used by the server for authenticating the corresponding DNS client. 6. After having authenticated the client, the server performs a dynamic update as per the requirements of the client. In this, the server updates the concerned Active Directory objects. 7. After the server has updated Active Directory, it sends a message to the client stating the same. This message also contains a TSIG resource record. In this way, the secured dynamic update process is completed.

Modifying the Default Security Settings of DNS Servers and Clients By default, the Active Directory-integrated zone accepts secured dynamic updates only. You can also configure a primary zone to accept secured dynamic updates. A primary zone, by default, is not configured to accept secured DNS requests. However, when you convert a primary zone into an Active Directory-integrated zone you need to manually configure the primary zone to support secured dynamic updates. In addition to configuring secured dynamic updates, you can also modify the permissions of users and groups for the dnsZone objects. By default, the Authenticated Users group has permissions to create the dnsNode objects in the zone. In Active Directory, each DNS zone is referred to as the dnsZone object. This dnsZone object further contains the DNS node objects referred to as the


245

246

Part III

NETWORK SECURITY

dnsNode objects. For example, if stronglock.com is a DNS zone object, the computers within the stornglock.com domain will be the dnsNode objects. Therefore, if Computers A and B are in the stronglock.com zone, stronglock.com will be a dnsZone object and Computer A and Computer B will be the dnsNode objects. By default, all DNS clients in the Windows 2000-based computers perform an unsecured dynamic update prior to performing a secured dynamic update. After this request is rejected by the servers that are configured for secured dynamic updates only, the clients perform a secured a dynamic update. You can change this default setting in DNS clients by modifying the following registry key and adding the value UpdateSecurityLevel: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The UpdateSecurityLevel takes in the following three values: ◆

0. This is the default value and specifies that an unsecured dynamic update occurs first and a secured dynamic update occurs only if the unsecured dynamic update fails.

◆

16. This value specifies that only unsecured dynamic updates are accepted.

◆

256. This value specifies that only secured dynamic updates are accepted.

DHCP: An Overview The Dynamic Host Configuration Protocol (DHCP) is a service that assigns IP addresses to computers that are a part of the network. As a result, you do not have to manually assign IP addresses to each of your computers. In addition to automatic assigning of IP addresses, DHCP also helps in automatically configuring the TCP/IP settings for your computers. Whenever you boot your computer, it sends out a broadcast message to find a DHCP server on the local network. The DHCP server replies back to the broadcast message with a number of IP addresses and some configuration settings. The requesting computer then accepts one of the IP addresses and configures itself. At the same time, records in the DNS server also get dynamically updated. This updating can be done either by the DHCP server if it is configured, or by the client itself if the DHCP server has not been configured.


NETWORK SERVICES

Chapter 7

Configuring DHCP Dynamic Update By default, the DHCP server updates Windows 2000 clients in DNS. You can configure dynamic Update for the DHCP server by performing the following steps: 1. Choose Start, Programs, Administrative Tools, DHCP to open the DHCP console, as shown in Figure 7-1. 2. Right click the scope that you want to configure and select Properties from the short cut menu to open the properties dialog box, as shown in Figure 7-2. 3. Select the DNS tab, as shown in Figure 7-3. 4. You can choose any of the following options as per your requirements: • Automatically update DHCP client information in DNS. Under this option you can choose from updating the DNS only when requested by DHCP clients or always update DNS. • Enable updates for DNS clients that do not support dynamic updates. You can choose this option if your network is in a mixed mode.

FIGURE 7-1 The DHCP console.


247

248

Part III

NETWORK SECURITY

FIGURE 7-2 The DHCP properties

FIGURE 7-3 The DNS tab.

dialog box.

Securing DHCP DHCP eases the job of system administrators by automatically assigning IP addresses and configuring TCP/IP settings on computers in a network. As a result, DHCP is more suitable for larger TCP/IP networks where manually configuring each and every computer on the network is not possible. In very large networks, multiple DHCP servers can be deployed for better management and load balancing. In such a scenario, there can be a threat of rogue DHCP servers.

Rogue DHCP Servers Rogue DHCP servers are those servers that are actually not a part of the defined network architecture. These are unauthorized servers that are implemented in the network and run the DHCP software. A rogue DHCP server, if implemented in the network, can cause a lot of chaos in the network because it might: ◆

Duplicate authentic IP addresses

◆

Assign unauthorized and inappropriate IP addresses to computers

◆

Refuse to renew leases


NETWORK SERVICES

◆

Chapter 7

Cause DoS for those computers who have been assigned inappropriate IP addresses

To prevent rogue DHCP servers from wreaking havoc, Windows 2000 uses an Active Directory object type known as DhcpServer. This object contains a list of all those IP addresses that are authorized for performing DHCP services on the network. This authorization does not allow any server other than the specified server to provide DHCP services.

Authorizing the DHCP Server The following steps take place in authorizing a DHCP server: 1. When the DHCP server boots, it sends a DHCPINFORM broadcast. This broadcast uses the limited broadcast address 255.255.255.255. 2. On receiving the broadcast, all existing authorized DHCP servers respond with a DHCPACK message. This message specifies the root domain of which the responding server is aware. 3. On receiving the acknowledgement, the requesting server requests from Active Directory a list of all authorized DHCP servers in the network. 4. If it finds itself in the list, it starts the DHCP service; otherwise, it logs an error and ignores all client requests. 5. The DHCPINFORM broadcast messages are regularly sent by all DHCP servers to keep them updated with the status of other DHCP servers. However, there are certain conditions for authorization to be performed successfully. These conditions are: ◆

The first DHCP server should be a domain controller or a member server in a domain.

◆

The first DHCP server should not be in a workgroup.

◆

Only members of the EnterpriseAdmins security group can authorize a DHCPO server.

To authorize a DHCP server you need to perform the following steps: 1. Choose Start, Programs, Administrative Tools, DHCP to open the DHCP console.


249

250

Part III

NETWORK SECURITY

2. In the DHCP console, right-click DHCP and select Manage Authorized server to open the Manage Authorized Servers dialog box, as shown in Figure 7-4. 3. In the Authorized Server dialog box, click on the Authorize button to open the Authorize DHCP Server dialog box, as shown in Figure 7-5. 4. In the Name or IP address text box, specify the name or the IP address of the server that you want to authorize for DHCP services. 5. Click OK to add the server to the specified list of authorized servers. After having learned about DNS and DHCP, you’ll now learn about SNMP.

SNMP SNMP is a mechanism used for remote monitoring and management of network devices, such as hubs, routers, bridges, servers, and workstations. A central host is used to mange these devices for various tasks, such as starting up, shutting down, printing a job, and sending an e-mail. Before explaining the security issues related with SNMP, let me first give a brief overview of SNMP architecture.

SNMP: An Overview An administrator can use SNMP for network management, which in turn allows the administrator to manage resources and audit them. SNMP can be used to do the following:

FIGURE 7-5 The Authorize DHCP Server dialog box.

FIGURE 7-4 The Manage Authorized Servers dialog box.


NETWORK SERVICES

Chapter 7

◆

Configure remote devices. You can use SNMP to configure SNMP agents remotely.

◆

Monitor different levels of network performance. You can use SNMP to determine the network throughput and determine if the data is being transmitted successfully over the network. This information can be used to detect network faults.

◆

Detect network faults or unauthorized access. You can configure SNMP alerts to work as trigger alarms on network devices. These alarms are triggered when specific events take place, which can include a failed router, shut down or restart of a device, an authorized network access attempt, or a link failure.

◆

Audit network usage. You can monitor how the network is being used, identify user or group access, or types of usage for network devices and services. This information can be used to determine overused areas of the network.

SNMP is a 32-bit service that runs on a computer running TCP/IP or IPX protocols. To further explain the working of SNMP, I will now briefly explain the two components of SNMP. They include: ◆

SNMP management system. An SNMP management system is a computer with the SNMP management software running on it. The SNMP management system requests certain information from a managed computer, called an SNMP agent. This information can include the amount of hard disk space available or the number of active sessions. Its function is to query and manage an SNMP agent. The management software application does not need to run on the same host as the SNMP agent. The management system can also initiate a change to an agent’s configuration.

◆

SNMP agent. Any computer running SNMP agent software is an SNMP agent. The SNMP agent responds to management system requests for information. The SNMP Service can be configured to determine which statistics are tracked and which management systems are authorized to request information.

Windows 2000 was designed with an SNMP Service, though not installed by default, which functions as SNMP Agent software. Windows 2000 implements SNMP versions 1 and 2C. These versions are based on industry standards that define how network management information is structured, stored, and communicated


251

252

Part III

NETWORK SECURITY

between agents and management systems for TCP/IP-based networks. The Windows 2000 Operating System SNMP Agent Service responds to information requests from one or multiple management systems. In general, SNMP agents do not originate messages, but only respond to them. This response occurs via SNMP agent-initiated trap communications. A trap is an event like a system reboot or an illegal attempt to access an agent computer. Trap messages are sent by the agent computer to indicate that a defined event has taken place. The implementation of SNMP architecture is based upon the Management hosts and agents belonging to an SNMP community, which is a collection of hosts grouped together for administrative purposes. This collection of SNMP hosts and agents can be secured within a community by allowing only management systems and agents within the same community to communicate. Communities are identified by community names that are assigned during implementation. An SNMP Management host can belong to multiple communities at the same time, but an SNMP Agent cannot accept a request from a management system outside its list of acceptable community names. The role of community names is very critical in the implementation of the SNMP service security properties. While there is no relationship between community names and domain or workgroup names, SNMP community names represent a shared password for groups of network hosts, and should be selected and defined, as you would change any password protection system. To perform these tasks, the agent uses the messages listed in Table 7-1.

SNMP Security As discussed, SNMP allows you to query network devices and clients for configuration information. This information is sensitive and should be kept secure. If placed in wrong hands, it may be hazardous for the security of the network because the information might contain sensitive information, such as Active Directory account information or router configuration. To provide security for your organization’s SNMP deployment, you should take care that your design includes the following: ◆

Configure traps to do security checking.

◆

Configure SNMP communities for restricted management.

◆

Secure SNMP messages with IP security.

◆

Assign proper permissions to specific registry keys.


NETWORK SERVICES

Chapter 7

Table 7-1 SNMP Agent Messages SNMP Message

Description

Get

The basic SNMP request message. Sent by an SNMP management system, it requests information about a single MIB entry on an SNMP agent, for example, the amount of free drive space.

Get-next

An extended type of request message that can be used to browse the entire tree of management objects. When processing a Get-next request for a particular object, the agent returns the identity and value of the object, which logically follows the object from the request. The Get-next request is useful for dynamic tables, such as an internal IP route table.

Set

If Write access is permitted, this message can be used to send and assign an updated MIB value to the agent.

Getbulk

Requests that the data transferred by the host agent be as large as possible within given restraints of message size. This minimizes the number of protocol exchanges required to retrieve a large amount of management information. The maximum message size should not be larger than the path maximum transmission unit (MTU), the largest frame size allowed for a single frame on your network, or fragmentation can occur.

Trap

An unsolicited message sent by an SNMP agent to an SNMP management system when the agent detects that a certain type of event has occurred locally on the managed host. The SNMP management console that receives a trap message is known as a trap destination. For example, a trap message might be sent on a system restart event.

Configure Traps You can configure traps to trigger an action, such as an alarm when a specific event occurs. Such events can be requests for information from an unknown management system or an authorized event, such as startup or shutdown. A trap can be configured on the host that is running SNMP management software. You can configure SNMP agents to send messages to only a preconfigured management system. This helps in preventing unauthorized management systems from requesting information from SNMP agents. You can configure trap destinations, to which the SNMP agents will send trap messages, by using the Traps tab of the Microsoft SNMP Properties dialog box, as shown in Figure 7-6.


253

254

Part III

NETWORK SECURITY

Configure Communities As stated earlier, there is no relation between the Active Directory domains and SNMP communities, but there should be a relationship between the areas of management and SNMP communities. An SNMP agent can belong to multiple communities and you can configure rights for each community by using the Security tab of the SNMP properties dialog box, as shown in Figure 7-7. These rights can include the ones specified in Table 7-2. Notice that Figure 7-7 shows an SNMP agent configured to belong to two different communities, public and Home. Both these communities have different rights assigned to them. This dialog box can be used to enable authentication traps. An authentication trap will be sent to an authorized management system if a management system belonging to a community other than the one approved for this agent tries to manage the agent.

Secure SNMP Messages with IP Security SNMP status messages and SNMP trap messages are sent in clear text across the network. Therefore, you need to secure the SNMP communication so that a network sniffer cannot intercept to trap these messages. You can configure IPSec to require that SNMP trap messages and SNMP status messages be encrypted. However, when you implement IPSec all SNMP agents must support IPSec. By

FIGURE 7-6 Traps tab of the Microsoft SNMP Properties dialog box.

FIGURE 7-7 Security tab of the SNMP properties dialog box.


NETWORK SERVICES

Chapter 7

Table 7-2 SNMP Access Permissions SNMP Permission

Description

None or Notify

The SNMP agent will not discard any request from the management system in the community where the right is assigned.

Read Only

The SNMP agent discards all SET requests but processes all GET, GET-NEXT, and GET-BULK requests.

Read Create or Read Write

The SNMP agent processes all requests from the SNMP community.

default, IPSec will not encrypt the SNMP protocol messages; you will need to create an IP filter list for traffic between management systems and agents.

Assign Proper Permissions to Specific Registry Keys During the installation of Windows 2000 Operating System SNMP Service, incorrect permissions might get assigned to the SNMP Service registry key parameters listed in the registry location HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\SNMP\Parameters. This vulnerability, which allows a person access to the parameter key information, can be used to perform the following actions: ◆

Create a community consisting solely of their local machine, in order to gain the ability to take administrative actions on it.

◆

Obtain information about already-existing communities that the machine is a member of, and pose as a legitimate SNMP manager in order to monitor or reconfigure devices in the community.

As a countermeasure to this vulnerability, you should apply the correct permissions to the registry keys listed in the Table 7-3. Table 7-3 Permissions for Registry Keys Hive

Key

Permission

HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet

Services\SNMP\Parameters\ PermittedManagers

Administrators, System, Creator Owner: Full

HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet

Services\SNMP\Parameters\ ValidCommunities

Administrators, System, Creator Owner: Full


255

256

Part III

NETWORK SECURITY

RIS RIS is a new feature included in the Windows 2000 server. RIS helps you set up new clients remotely. This setup feature ensures that there is no need to physically visit a client during installation. For instance, you can install an operating system on a remote boot-enabled client by connecting the computer to the network, starting the client, and logging on with a valid user account. To use RIS, the services listed in Table 7-4 must be active and available either on individual servers or on the same server: Before examining the security issues related with RIS, let me give you an overview of RIS.

RIS: An Overview You can connect the remote installation clients to the remote installation server through the network. Clients can be identified on the network by their globally unique identifier (GUID), provided by the computer manufacturer. This GUID provides a unique identity to each computer. The GUID must be displayed in the form {dddddddd-dddd-dddd-dddddddddddddddd}, where d is a hexadecimal digit. The dashes are optional, and spaces are ignored. The GUID appears in the BIOS of the computer. You can also find a computer GUID on a label on the side of the computer case and a label within the computer case.

Components of the RIS server To perform remote installation, the RIS server should have the following major components: ◆

Client Installation Wizard. The Client Installation Wizard prompts you for a user name, password, and domain name. After verification of these values, the wizard displays the installation options that are available. You can select an option and then the selected operating system installation image is copied to the local hard disk of the client. The hard disk of the client is reformatted during the installation of the operating system. Therefore, all the locally stored files are removed from the client during installation. The Client Installation Wizard allows you to enter


NETWORK SERVICES

Chapter 7

Table 7-4 Prerequisites for RIS Network Service

RIS Function

DNS server

RIS needs the DNS server to locate the directory service.

DHCP server

DHCP is required to allocate IP addresses to client computers.

Active Directory services

RIS needs Active Directory to locate existing clients and existing RIS servers.

only standard ASCII characters for the user name, password, and domain name. The installation does not support extended ASCII character sets. ◆

Remote Installation Preparation (RIPrep) Wizard. RIPrep Wizard prepares an existing Windows 2000 Professional installation along with locally installed applications and specific configuration settings. The wizard also helps you to replicate it to an available RIS server on the network.

◆

Remote boot disk. You can use the boot disk to perform the Preboot Execution Environment (PXE) boot process for clients lacking a formal remote boot-enabled ROM.

◆

RIS administration. RIS administration provides you with a set of property pages that you can use to configure the RIS server. You can access the property pages by choosing Properties on the shortcut menu of the server object that you want to administer. Using the RIS property pages, you can set the various options. For instance, you can select the Verify Server option to check the integrity of the RIS-enabled server.

RIS Architecture RIS uses the DHCP service following the PXE architecture to bootstrap a client. When a new PXE remote boot-enabled client starts for the first time, the client sends out its GUID and requests the IP address of an active RIS server through DHCP. The client then receives the IP address of the boot server that will service the client. In the case of the Windows 2000 server, after the client request is made, the first RIS server to respond checks Active Directory to determine if the client has been


257

258

Part III

NETWORK SECURITY

pre-staged. RIS checks within Active Directory for a computer account object that has the unique GUID that was passed by the client in the initial request. If a computer account with that GUID does not exist, the server provides the client with the Client Installation Wizard. The wizard requests that the user log on to the network. RIS server authorization prevents the addition of unauthorized RIS servers to a network on which Windows 2000 and Active Directory are in use. Active Directory maintains a list of authorized remote installation servers. A remote installation server is authorized to start on a network only if its computer name or IP address is found in this list. If a match is not found, RIS does not respond. The DHCP server management console is used to authorize both the DHCP and RIS servers to provide the services on the network. To install an operating system on a client from a remote source, you use the PXE DHCP-based remote boot technology. The remote source or the RIS server contains the operating system image that is to be installed. This image can have one of two formats: ◆

Compact Disk (CD) format. This option is similar to setting up a client directly from the Windows 2000 Professional CD, except that the source files reside on an available RIS server.

◆

RIPrep Wizard image format. Use this option if you want to install and configure a client to fulfill certain specific commercial desktop standards that are unique to the organization. For instance, you might want to set the background bitmap to a company-based logo.

To prepare an existing Windows 2000 Professional installation and to replicate that image to an available RIS server on the network, you need to log in as the administrator and use the RIPrep Wizard. The process of preparing an existing Windows 2000 Professional installation and replicating the image to an available RIS server on the network is referred to as image conversion. The RIPrep Wizard configures the source computer in such a way that the wizard removes anything that is unique to the client installation, such as the unique SID of the computer, the computer name, and any registry settings unique to the source computer. The wizard prompts you for installation information, such as the location at which the client installation image should be replicated, the name of the directory to which the information should be copied on the server, and a


NETWORK SERVICES

Chapter 7

friendly description and associated Help text describing the installation image to the users running the Client Installation Wizard. After replication is complete, the installation image is automatically added to the list of available operating system installation options, and the installation image is available to the clients that use the remote boot technology.

RIS Security The three strategies used for designing Windows 2000 RIS security are: ◆

Configuring clients in Active Directory to use a specific RIS server.

◆

Creating computer accounts in a specific location.

◆

Restricting client installation options with Group Policy.

The following sections describe the strategies used for designing Windows 2000 security.

Prestaging Clients in Active Directory to Use a Specific RIS Server When you install RIS, the service will, by default, not respond to client requests for the service. For higher security, you should enable the RIS server to respond to installation requests, but restrict the responses to prestaged clients. Configuring a client in Active Directory to use a specific RIS server is referred to as prestaging. Prestaging clients prevents unauthorized installation and ensures that an RIS server can service only those computers that belong to the organization. RIS servers are configured to service only prestaged clients. This strategy is suited to organizations where clients install operating systems and applications from an RIS server. The strategy of prestaging computers is not practical in organizations where users need to set up their own computers. Such a strategy is impractical because the remote installation of an operating system needs to be performed using the same user account that was used to prestage the computer account.

Creating Computer Accounts in a Specific Location You can create computer accounts in a specific OU in organizations where administrators maintain the computer accounts that were created during remote


259

260

Part III

NETWORK SECURITY

installation separately from other computer accounts. You can determine that computer accounts will be created in three locations: ◆

The default location (in the Computers container) in the domain as the RIS server responding to the client request.

◆

The same location as the user account that is performing the client installation.

◆

In a specific OU provided by the administrator.

In some cases, you might want to restrict remote installation permissions to technical support personnel only. This restriction helps users to avoid installing the operating systems on unauthorized computers or destroying the data on their own computers. Grant Read permissions and Create Computer Object permissions to the users for the OU where the computer object is going to be created. You can use the Delegation of Control Wizard to grant these permissions.

Restricting Client Installation Options with Group Policy Restricting client installation options helps users to avoid configuring their computers incorrectly. For example, in organizations where users perform remote installations, restricting client installation options can be used to limit the tasks that the users can perform. You can restrict clients by using Group Policy. By default, RIS policy settings are applied in the Default Domain Policy GPO. You can use the Active Directory Users and Computers snap-in to apply Group Policy by performing the following steps: 1. Select the domain or the OU that contains the users you want to restrict. 2. Open the Properties dialog box and click the Group Policy tab. 3. Select the GPO you want to modify or create a new one, and click Edit. 4. Expand User Configuration\Windows Settings\Remote Installation Services. 5. In the right pane, double-click Choice Options. The Choice Options dialog box appears, which allows you to set RIS Group Policy options as shown in Figure 7-8. These options are described in Table 7-5. 6. Click OK.


NETWORK SERVICES

Chapter 7

FIGURE 7-8 Choice Options Properties

dialog box.

Table 7-5 RIS Group Policy Options Option

Description

Automatic Setup

This allows most of the options to be configured by the administrator. The user is not offered any Client Installation Wizard choices.

Custom Setup

This enables you to provide a unique name for the computer and also specify where the computer account will be created within Active Directory.

Restart Setup

This starts an operating installation attempt if it fails before completion.

Tools

This allows accessing the tools from the Client Installation Wizard.

Each of the options in the Choice Options properties dialog box can be configured as described in Table 7-6.


261

262

Part III

NETWORK SECURITY

Table 7-6 Policy Settings Option

Description

Allow

Choosing this setting for an option allows the user to access that option in The Client Installation wizard.

Don’t Care

Choosing this setting for an option accepts the Group Policy setting of the parent container.

Deny

Choosing this setting for an option will prevent users from accessing that option in the Client Installation Wizard.

Terminal Services Terminal Services is a software component that provides remote computers access to the Windows-based programs running on the server. It is an optional service that can be enabled on any Windows 2000 server. Terminal Services transmits only the user interface of the program to the client. The client then returns keyboard and mouse events to be processed by the server. Client software can run on a number of client hardware devices, including computers and Windows-based Terminals. Other devices, such as Macintosh computers or UNIX-based workstations, can also connect to a Terminal server with additional third-party software. Terminal Services allows computers to operate as both thin clients and full-featured personal computers at the same time. Computers can continue to run as they always have within the existing networks and also function as thin clients capable of emulating the Windows 2000 Professional desktop. Terminal Services allow the clients to connect to multiple servers so that client requests can be redirected to another server if one server crashes.

Terminal Services Configuration Terminal Services has five components. These are explained as follows: ◆

Multiuser kernel. The Terminal Services multiuser kernel is fully integrated as a standard part of the Windows 2000 Server family kernel. The multiuser kernel resides on the server at all times, regardless of whether or not Terminal Services is enabled.


NETWORK SERVICES

Chapter 7

◆

Remote Desktop protocol. The Remote Desktop protocol allows a client to communicate with the Terminal server over a network. This protocol supports all the three levels of encryption. The three levels of encryption are explained later in this section.

◆

Terminal Services Client. Windows 2000 Server includes the Terminal Services Client software that supports 16-bit and 32-bit Windows-based clients. The Terminal Services Client software displays the 32-bit Windows user interface on a client computer. The client software establishes and maintains the connection between a client and a server running Terminal Services. This software transmits all the input, such as keystrokes and mouse movements, from the user to the server. It also transmits all the output from the server, such as application display information.

◆

Terminal Services Licensing Service. For setting up a Terminal Services-enabled server as an application server, licensing is necessary. Each client must have Terminal Services Client Access License (CAL) and Windows 2000 Server CAL. The Terminal Services Licensing Service is required whenever Terminal Services is enabled in application server mode. The service allows Terminal Services to obtain and manage its Terminal Services CALs for connecting devices. This service can manage unlicensed, prelicensed, temporarily licensed, and CAL-licensed clients. It supports both ordinary CAL and Internet Connector Licensing for Terminal Services. The remote administration mode does not use the Terminal Services Licensing Service.

◆

Terminal Services Administration Tools. The Terminal Services Administration Tools are used to manage and administer users, functions, and sessions in Terminal Services. These tools include software for managing Terminal Services, such as Terminal Services Manager, Terminal Services Client Creator, Terminal Services Client Configuration, and Terminal Services License Manger.

Terminal Services Security When a Terminal Services client connects to a terminal server, it appears as if the client is sitting at the server itself. Therefore, it is important to secure Terminal Services. While securing Terminal Services, you should consider the following points:


263

264

Part III

NETWORK SECURITY

◆

Restricting remote administration

◆

Controlling access to the local file system

◆

Determining proper location to deploy terminal services

◆

Controlling user access

◆

Controlling logon attempts

◆

Encryption

The following sections elaborate on these points.

Restricting Remote Administration Terminal Services can be enabled in two different modes, application server mode and remote administration mode. In the Application server mode, Terminal Services provides an effective method to distribute Windows-based programs with a network server. The applications can be set up and managed from a central location, which helps save time spent on initial development, deployment, maintenance, and upgrades. If an application is set up using Terminal Services, many clients can connect through a remote access connection, LAN or WAN. These clients might or might not be Windows-based. The remote administration mode allows any Windows 2000 server, such as a domain controller, to be administrated remotely with full access to all the built-in GUI-based administrative tools. The ability to administer the server can be made available from any client devices, including MS DOS-based PCs, Windows 95 or Windows 98, Windows NT, or even non-Windows-based clients. This server management feature of Terminal Services provides quick and easy administration of large-scale and small-scale networks. For more security, you can configure Terminal Services in the remote administration mode. In this mode, only two concurrent connections are automatically allowed to log on. This mode allows only administrators to connect to the terminal server.

Controlling Access to the Local File System For Terminal Services clients, the file system on the terminal server is their local file system. Therefore, effective steps should be taken to protect the files and folders from unauthorized access. You can restrict the access of Terminal services clients to specific files and folders by configuring all volumes on the file system as NTFS volumes. In addition, you should assign appropriate permissions to files and folders.


NETWORK SERVICES

Chapter 7

Determining Proper Location to Deploy Terminal Services A terminal server configured in application server mode allows all users to log on locally. Therefore, you should not deploy Terminal Services on a domain controller in the application server mode. This will restrict users from the right to Log on Locally. This right allows users to log on locally on all the domain controllers and not just the one which has Terminal Services installed. For enhanced security, you should deploy Terminal Services on the member servers and not on domain controllers.

Controlling User Access By default, all users logged on to the terminal server using the remote desktop protocol client are automatically members of the Terminal Servers Users local group. You should control the individual user permissions to control access to the terminal server. To do so, you can apply the incremental security template Notssid.inf to remove the Terminal Servers Users group from all DACLs on the file system. You can then assign proper permissions to the users and groups to ensure that they get access to Terminal Services because of their individual and group permissions and not because they are connecting to the terminal server.

Controlling Logon Attempts Terminal Services allow administrators to limit the number of user logon attempts and the connection time. This capability prevents hackers from attacking a server. Terminal Services also allow the administrators to set up security restrictions for an entire server or individual users. For instance, an administrator can limit the ability of a server to redirect a request to the local devices.

Encryption A major security feature of Terminal Services is built-in encryption. Data encryption can be transmitted at three levels: ◆

Low level. The low level of encryption is used if the data to be transmitted is not critical. This level secures only the data that is sent from the client to the server and uses either a 56-bit or 40-bit key. A Windows 2000 Terminal server uses a 56-bit key for a Windows 2000 client and a 40-bit key for the clients of the previous versions of Windows.


265

266

Part III

NETWORK SECURITY

◆

Medium level. The medium, or default, level of encryption secures the data sent in both directions, from the client to the server and from the server to the client. This level uses a 56-bit or 40-bit key to encrypt data.

◆

High level. The high level of encryption uses the 128-bit key. This is the strongest level of encryption for the data transmitted in both directions, from the client to the server and from the server to the client.

Summary Network services form an important area, which require special security considerations. In this chapter, you analyzed five network services. First, you looked at the working of DNS, the threats related with it, and the security issues. Next, you examined how SNMP works, and then discussed various ways of securing SNMP. Finally, you examined RIS and Terminal services and how they can be secured.

Check Your Understanding Multiple Choice Questions 1. Which protocol is commonly used in TCP/IP and IPX networks? a. SNMP b. RIS c. Terminal Services d. DNS 2. What do you do to control RIS service? a. Prestage computer accounts in Active Directory. b. Restrict RIS policy option by configuring Group Policy settings. c. Allow users to log on locally. d. None of the above. 3. How will you ensure that the Terminal Services clients are allowed access only to resources based on their individual and group membership permissions? a. Apply the incremental security template Notssid.inf. b. Manually remove the Terminal Servers Users group from all DACLs on the file system.


NETWORK SERVICES

Chapter 7

c. Assign proper permissions to the users and groups to ensure that they get access to Terminal Services. 4. By default, secured dynamic updates are supported in which of the following zones? a. Primary b. Secondary c. Active Directory-integrated 5. Which of the following statements is TRUE for UpdateSecurityLevel? a. Its default value is 16, which specifies that the unsecured dynamic update should occur first. b. A value of 256 specifies that only unsecured dynamic updates are accepted. c. A value of 16 specifies that only secured dynamic updates are accepted. d. By default, its value is 0, which specifies that an unsecured dynamic update occurs first.

Short Questions 1. To whom does the SNMP management system send requests for information? 2. What are the services required to be running for using RIS? 3. You are required to manage a domain controller at a remote site on the network. However, you do not want non-administrators to use the terminal server. How will you ensure this?

Answers Multiple Choice Answers 1. a. 2. a, b. You should prestage computer accounts in Active Directory and restrict RIS policy options by configuring Group Policy settings. 3. a. By default, all users logged on to the terminal server using the remote desktop protocol client are automatically members of the Terminal


267

268

Part III

NETWORK SECURITY

Servers Users local group. You should control the individual user permissions to control access to the terminal server. To do so, you can apply the incremental security template Notssid.inf to remove the Terminal Servers Users group from all DACLs on the file system. 4. c. By default, the Active Directory-integrated zone supports secured dynamic updates. 5. d. By default, the value of UpdateSecurityLevel is 0, which specifies that unsecured dynamic updates occur first and secured dynamic updates occur only after the unsecured updates have failed.

Short Answers 1. The SNMP management system sends requests for information to the SNMP agents. 2. The following services need to running for using RIS: • Domain Naming Service (DNS) • Dynamic Host Configuration Protocol (DHCP) • Active Directory 3. A terminal server configured in application server mode allows all users to log on locally. Therefore, you should deploy Terminal Services on a domain controller in the remote administration mode.


Chapter 8 Internet Security


hen you connect a private network to the Internet, you are exposed to threats originating from the untrusted outside network. You should study the risk involved in accessing data from the Internet before implementing security measures in the internal network.

W

Common attacks and attempts from the Internet aim to interfere with network security by exploiting the known vulnerabilities of the system. As discussed in Chapter 1, “Need for Security,” some of the common threats to network security are social engineering, sniffing, IP spoofing, exploitation of unmonitored services, session hijacking, brute-force password attack, man-in-the-middle attacks, and DoS attacks. Most of these attacks affect the internal network through the Internet. Therefore, an organization needs to design a strategy for securing access to and from the Internet. In this chapter, I will discuss two security technologies, IPSec and firewalls.

IPSec The Internet and most corporate networks today have been using the Internet Protocol (IP) to transmit data. IP transmits data in the form of manageable chunks called packets. These packets are susceptible to security threats, such as spoofing, sniffing, session hijacking, and man-in-the-middle attacks. As a countermeasure for these security threats, IP Security (IPSec) protocol suite was developed by Internet Engineering Task Force (IETF). IPSec is an extension of IP that oversees security issues at the network level. Therefore, IPSec ensures the security of the network and, in turn, the applications that use the network. As a set of extensions to the IP protocol family, IPSec supports authentication, integrity, access control, and confidentiality of data packets at the network layer, unlike TLS/SSL, which operates at the application layer. The operation is completely transparent to the application. The application requires only a recognized port for IPSec to protect it. The application need not be an IPSec-aware application because the data transferred between the application at the client and the server ends is in plaintext. IPSec encrypts data only after the data leaves the application at the client end and


INTERNET SECURITY

Chapter 8

decrypts it after it reaches the application at the server end. The data that travels from the client to the server is encrypted at a network layer; therefore, it is transparent to applications. Figure 8-1 shows how an application is unaware of the IPSec protection taking place during the data transmission. The increasing use of the Internet and the ever-increasing risk of network security threats have heightened the need for IP security solutions for all businesses. Security protocols, such as SSL and S/MIME, provide security for only specific areas. For example, S/MIME is used only for messaging applications, and SSL is primarily used for secure communication with Web servers. There are applications over the Internet that are not security aware and are therefore prone to attacks. This creates a need for a security protocol that can benefit such applications.

IPSec Protocols IPSec adds security to other transport layer-based protocols in TCP/IP, such as TCP and User Datagram Protocol (UDP). IPSec consists of two protocols for

FIGURE 8-1 IPSe—Data security without the knowledge of the application.


271

272

Part III

NETWORK SECURITY

protection of transmitted data. These are Authentication Headers (AH) and Encapsulating Security Payloads (ESP). The AH protocol adds a header to the IP datagram. This header ensures the integrity and authenticity of the data. This provides data confidentiality by encrypting the data as well as the IP address in the IP datagram. ESP also ensures data integrity and authenticity.

AH An AH ensures data authentication by applying a one-way hash function to the data packets. An AH ensures that data reaches the correct destination and is not tampered with in transit or re-routed to another destination. It provides for authentication, integrity, and replay protection but not confidentiality or encryption. AH adds another header to the standard IP datagram. The AH header follows the original IP header, and precedes both the next header (TCP/UDP header) and the data generated by the application that created the packet, as shown in Figure 8-2. An AH header consists of many fields. The fields in AH are:

FIGURE 8-2 The AH packet fields.


INTERNET SECURITY

Chapter 8

◆

Next Header. This field indicates the protocol ID of the higher layer protocol. For example, the value of this field is 6 in case of a TCP packet and the value is 17 in case of a UDP packet.

◆

Length. This field indicates the length or size of the AH protocol header. The value of this field can vary depending upon the hash algorithm used.

◆

Security Parameter Index (SPI). This field along with the destination IP address identifies the AH security association. It contains a 32-bit value that identifies the security association.

◆

Sequence number. This is a 32-bit counter that is always sent by the sender. It represents the anti-replay sequence number.

◆

Authentication data. This variable length field contains the integrity check value. AH applies a one-way hash function to data packets. After the hash function has been applied, a message digest is created. This message digest builds an Authentication Header, which is attached to a data packet. The packet is transmitted along with the AH. The recipient computes another hash function by hashing the packets. The two hash functions are then compared to check for authenticity. Even if one bit does not match, the hash output changes and the recipient gets to know that the message has been tampered with in transit.

AH does not encrypt the data. Therefore, the data is sent as plaintext. To encrypt the data, ESP is used.

ESP ESP is responsible for providing both encryption services and digital signing of the transmitted data. Similar to AH, the ESP header is inserted into the packet between the IP header and the packet contents. ESP is responsible for encrypting data packets to ensure that the data is not read or copied, thereby guaranteeing the confidentiality of data. In addition, it can provide authentication and integrity of the data. As shown in Figure 8-3, an ESP packet includes: ◆

An ESP header

◆

An ESP trailer

◆

An ESP authentication trailer


273

274

Part III

NETWORK SECURITY

FIGURE 8-3 The ESP packet fields.

The ESP header is added between the original IP header and the TCP or UDP header and comprises the following two fields: ◆

Security Parameter Index (SPI): This field contains a 32-bit value that, along with the source and destination IP addresses and the IPSec protocol (AH or ESP), identifies the Security Association (SA) for the datagram. This tells the receiver about the security association and its appropriateness in processing the packet.

◆

Sequence number: It represents the anti-replay sequence number. The sequence number in the ESP header is a 32-bit counter that gets incremented each time a packet is sent to the same address using the same SPI. This also shows how many packets have been sent with the same group of parameters along with the packets’ details. The sequence number also provides protection against replay attacks by ensuring that the packets were received no more than once. If a packet has the same sequence number as any previous packet, the packet is dropped.


INTERNET SECURITY

Chapter 8

The ESP trailer is composed of the following fields. ◆

Padding: This field ensures that data to be encrypted is in multiples of the cryptographic block size and the next header is 32 bits in length.

◆

Pad length: This field specifies the size of the padding field, which depends on the encryption algorithm used.

◆

Next Header: This field indicates the higher layer protocol, such as TCP or UDP.

The ESP trailer contains a single field: ◆

Authentication data: This variable length field contains the Integrity Check Value (ICV) and a message authentication code. These components work like digital signatures that verify the authenticity of the sender and ensure that the data was not modified in transit. The ICV uses an algorithm to digitally sign the packet, which is applied to the ESP header, TCP/UDP header, application data, and ESP trailer. The receiving system uses the same ICV to perform the calculation and compare the results with this value for verifying the packet’s integrity.

IPSec Modes AH can be used in two modes, transport mode and tunnel mode. In transport mode, the entire data packet except the mutable fields is protected. Mutable fields refer to the fields in the IP header that cannot be predicted by the receiver, such as the type of service and header checksum. This mode is used to provide end-to-end protection between systems that are on the same LAN or are connected by private WAN links. In this mode, both the receiving and sending hosts should be IPSec-aware but the intermediate systems need not be IPSec-aware because they simply forward the packets in the usual manner. Figure 8-4 shows communication in transport mode. Tunnel mode is used for gateway-to-gateway links on an unsecure network, such as those for virtual private networking through the Internet. In tunnel mode, a new header is created and used as the outermost header of the data packet. The authentication header is placed after this new header. The original data packet (the payload and the IP header) is placed after the authentication header. In tunnel mode, AH or ESP protect the entire data packet, and therefore any changes made to the data packet during transition can be easily identified.


275

276

Part III

NETWORK SECURITY

FIGURE 8-4 IPSec transport mode for end-to-end protection.

Because both the payload and the IP header are protected, tunnel mode is more secure than transport mode. The authentication of the header prevents hackers from tracing the actual source and destination of the packets, thereby preventing them from performing traffic analysis. As illustrated in Figure 8-5, when data is transmitted between two hosts using IPSec tunnel mode, they do not need to support IPSec; in fact, they do not even need to use TCP/IP. The host originating the communication sends the data packet to the initial gateway in an unprotected state. The protection is now applied to the data packet as specified in the AH or ESP, and the data packet is transmitted over the Internet to a gateway on another network. The receiving gateway decrypts and verifies the data packet and transmits it to the destination host in plaintext. This mode is appropriate when security of data is not required at the local networks.

FIGURE 8-5 IPSec tunnel mode for gateway-to-gateway connection.


INTERNET SECURITY

Chapter 8

IKE Before secured data can be exchanged, a contract between the two computers must be established. In this contract, called a security association (SA), both agree on how to exchange and protect information. An SA is a combination of a mutually agreedupon key, security protocol, and SPI, which together define the security that will be used to protect the communication from source computer to destination computer. To build this contract between the two computers, the IETF has established a standard and dynamic method of security association and key exchange resolution, called IKE. The characteristics of IKE are as follows: ◆

Centralizes security association management, reducing connection time.

◆

Enables dynamic authentication of peer devices.

◆

Generates and manages the authenticated keys used to secure the information.

This process protects not only end-to-end communications, but also protects remote computers that request secure access to a corporate network; or any situation in which the negotiation for the final destination computer is actually performed by a gateway (a security router or other proxy server). IKE allows you to specify the lifetime of an IPSec SA. Also, when you use IKE, you need not manually specify the IPSec SA parameters for the peer devices. The algorithms and mechanisms used by IKE are: ◆

DES. An encryption algorithm, which is used to encrypt data in the packets. IKE uses 56-bit DES and 3DES.

◆

MD5. A hash algorithm used to authenticate the data in packets.

◆

SHA. A hash algorithm used during IKE exchanges to authenticate packet data.

◆

Diffie-Hellman. A protocol that enables the creation of shared secret keys over an insecure channel. IKE uses this protocol to generate session keys.

◆

RSA signatures and encrypted nonces. Used by IKE to authenticate the peer devices. While RSA signatures provide non-repudiation, nonces provide repudiation.


277

278

Part III

NETWORK SECURITY

NOTE Nonce is a random value, which is used in encryption algorithms.

Working of IPSec The implementation of IPSec in Windows 2000 is composed of many elements. These include: ◆

IPSec policies. IPSec policies define the security environment in which the two hosts must communicate. These policies allow administrators to implement IPSec security by selecting the type of communication that should be allowed and deciding the method to protect that communication. These policies can then be associated with users, groups, or other Active Directory objects.

◆

IPSec policy agent. This is a service that runs on each computer supporting IPSec. It accesses the IPSec policy information stored in Active Directory and passes it to the IPSec driver.

◆

IPSec driver. This component is used to monitor, filter, and secure traffic. The driver receives the IP filter list from the active IPSec policy agent. If any entry in the filter list matches the outbound traffic, the driver commands the IKE to begin security negotiations with the target system. After a successful negotiation is complete, the IPSec driver receives the SA containing the session key from IKE on the source computer. It then inserts the SPI from the SA into the IPSec header and performs any necessary encryption tasks. Finally, it sends packets with SPI to the IP layer to be forwarded to the destination computer. Also on the destination computer, it performs similar calculations, checks the signature and decrypts the packets (if required), and sends packets through the TCP/IP driver to the receiving application.

◆

IPSec policy management. This is a snap-in for MMC used to create and manage IPSec policies.

◆

IKE. IKE is the protocol for creation of an SA and key exchanges between two computers using IPSec. IKE process consists of two phases. The first phase establishes a Phase I SA, which is a secure and authenticated communication channel between the computers. In this phase, the communicating entities decide on the encryption algorithm, signing


INTERNET SECURITY

Chapter 8

algorithm, hashing algorithm, and authentication method to be used between them, followed by the authentication itself. The second phase establishes the Phase II SAs for the IPSec service, one inbound and one outbound. This phase involves exchange of requirements for securing the data transfer between the IPSec computers, including the IPSec protocol (AH or ESP), the hash algorithm (MD5 or SHA), and the encryption algorithm (3DES or DES), if requested. IKE refreshes the authentication and encryption material, and new shared, or secret, keys are generated for authentication, and encryption (if negotiated), of the packets. Now that the function of each component has been explained individually, a comprehensive picture is necessary to complete an understanding of the architecture, as shown in Figure 8-6. For simplicity, this is an intranet computer example. Each computer has an active IPSec policy. 1. A user working on a data application on Host A sends a message to another user on Host B.

FIGURE 8-6 The IPSec Process.


279

280

Part III

NETWORK SECURITY

2. The IPSec driver on Host A compares the destination IP address or protocol with its stored IP filter lists to see whether the packets should be secured. 3. If a mapping is found in the IPSec policy, the driver on Host A notifies IKE to begin negotiations with Host B. 4. The IKE service on Host B receives a message requesting secure negotiation with Host A. 5. The two computers establish a Phase I SA and shared master key.

NOTE If Host A and Host B already have a Phase I SA in place from a previous communication, the two computers can go directly to establishing the Phase II SA.

6. A pair of Phase II SAs are negotiated, one inbound SA and one outbound SA. The SAs include the keys used to secure the information, and the SPI. 7. The IPSec driver on Host A uses the outbound SA to sign and/or encrypt the packets. The driver then passes the packets to the IP layer, which routes the packets toward Host B. 8. The network adapter driver of Host B receives the encrypted packets and passes them to its IPSec driver. 9. The IPSec driver on Host B uses the inbound SA to check the integrity signature and/or decrypt the packets. 10. The driver passes the decrypted packets to the TCP/IP driver, which passes them to the receiving application on Host B.

Deploying IPSec The most important point before deploying IPSec is deciding which communication needs to be secure. You can deploy IPSec to all parts of a network and for all types of network communication. However, you must remember that the deployment of IPSec increases your network overheads in numerous ways. The processes of encryption and signing impose a burden on the processors of both the


INTERNET SECURITY

Chapter 8

sending and the receiving hosts. Establishment of SA, IKE negotiations, and IPSec protocol headers impose a burden on the network. Therefore, you should consider these points while selecting computers and communication (or protocols) that you want to secure. IPSec security policies are based on filters that use IP addresses and ports to decide which packets should be secure.

IPSec Filters You must define filters to specify which protocols are to be protected with IPSec. Use IPSec filters that identify known characteristics of the protocols. A filter contains the following parameters: ◆

The source and destination address of the IP packet. These can be configured from a very minute level, such as a single IP address, to a global level that encompasses an entire subnet, or any address on the network.

◆

Protocol type. This is the protocol over which the packet is being transferred. By default, it covers all protocols in the TCP/IP protocol suite. However, it can be configured to an individual protocol level to meet special requirements, including custom protocol numbers. For example, Telnet protocol uses TCP as its transport protocol, so the protocol type in the IPSec filter will be specified as TCP.

◆

The source and destination ports of the protocol for TCP and UDP. By default, this also covers all ports, but can be configured only to packets sent or received on a specific protocol port. For example, the destination port for Telnet protocol is 23.

This enables the network administrator to define the IP traffic triggers that are secured, blocked, or passed through (unsecured). Each IP Filter List contains a list of filters. Each filter within an IP filter list describes a particular subset of network traffic to be secured, both for inbound and outbound traffic. These include: ◆

Inbound filters. These filters allow the receiving computer to match the incoming traffic with the IP filter list. Inbound filters respond to requests for secure communication or match the traffic with an existing SA and process the secured packets.

◆

Outbound filters. These filters apply to the outgoing traffic from a computer towards a destination and trigger a security negotiation that must take place before traffic is sent.


281

282

Part III

NETWORK SECURITY

You must have a filter to cover any traffic for which the associated rule applies. For example, if Computer A always wants to exchange data securely with Computer B, the following conditions should be satisfied: ◆

In order to send secured data to Computer B, Computer A’s IPSec policy must have a filter for any outbound packets going to Computer B.

◆

In order to receive secured data from Computer A, Computer B’s IPSec policy must have a filter for any inbound packets from Computer A.

The following section discusses the IPSec policies for secure communication between two computers.

IPSec Policies You can use the IP Security Policy snap-in to deploy IPSec on Windows 2000based computers. By default, the Local Security Settings snap-in contains the IP Security policies on the Local Machine node, which you can use to configure IPSec policies for the local machine. You can also add the IP Security Management snap-in to a custom MMC console for defining the IPSec policy of a local computer, local domain, another domain, or another computer. The right pane of this snap-in includes three predefined security policies, as shown in Figure 8-7. These include: ◆

Client (Respond Only). This policy does not allow a computer to initiate IPSec for specific protocols. It only allows the affected computer to negotiate an IPSec SA when another communicating computer requests IPSec security. This policy is used for the client computer you want to use for additional security when another computer containing sensitive information wants to communicate with the client.

◆

Secure Server (Require Security). This policy configures the computer to require security for all network traffic to or from the affected computer and deny the traffic that does not support IPSec. This policy is used for servers that contain extremely sensitive data.

◆

Server (Request Security). This policy is different from the Secure Server policy in that it only requests but does not require that IPSec security be applied. If the communicating client is non-IPSec aware, this policy allows unsecure communication to take place.

By default, these policies are not assigned. You can assign them by right-clicking them, and choosing Assign from the context menu. You can also create your own TEAM LinG - Live, Informative, Non-cost and Genuine!

INTERNET SECURITY

Chapter 8

FIGURE 8-7 The IP Security Policies snap-in.

policies by choosing Create IP Security Policy from the Action menu. This starts a wizard that leads you through the process of configuring an IPSec policy. You can also modify the policy once it is created by using various links in the wizard. An IPSec policy is composed of rules, IP filter lists, and filter actions. A rule provides the ability to trigger security negotiations for a communication based on the source, destination, and type of IP traffic. The process of triggering such security negotiation is called IP packet filtering. A rule is a combination of an IP filter list and a filter action. ◆

IP filter list. IP filter list is composed of filters containing IP addresses, protocols, and ports that identify the computers for which the rules are to be applied. For example, if a server hosts extremely important information, you can define an IPSec filter that specifies All IP Traffic for securing all client communication.

◆

Filter action. A filter action defines the type of security that will be imposed when the rule is applied. For example, if a client does not require special security, you can define IPSec filters on it for security only when the client supports IPSec; however, the rule allows communication even if the client does not support IPSec.


283

284

Part III

NETWORK SECURITY

The Secure Server (Require Security) policy contains the rules, as shown in Figure 8-8. Notice that the first filter specifies that all IP traffic must have this rule, and the filter action for the rule specifies that the computer must require IPSec security. You can change the setting for the filter list to apply the rule only to specific IP addresses and for the filter action to request security or permit all traffic.

Creating an IPSec Policy To create an IPSec policy, you need to perform the following steps: 1. To create a new IPSec security Policy, right-click the IP Security Policy on Local Machine and select the Create IP Security Policy option from the context menu. This starts the IP Security Policy Wizard. Click Next. 2. The wizard prompts you for the IP Security Policy name. By default, the name of the IP security policy is New IP Security Policy. Click Next. 3. In the Requests for Secure Communication screen, deselect the Activate the default response rule option. You will specify your own response rules when a security request is made. The default rules apply only when other response rules are not specified. This screen is displayed in Figure 8-9. Click Next.

FIGURE 8-8 The Secure Server (Require Security) Properties dialog box.


INTERNET SECURITY

Chapter 8

FIGURE 8-9 The Requests for Secure Communication

screen.

4. On the Completing the IP Security Policy Wizard screen, click Finish. The New IP Security Policy Properties dialog box appears. This dialog box allows you to create a rule. The following section elaborates on the steps to create a rule.

Creating a Rule You can create a rule by using the Rules tab of the IP security policy Properties dialog box, as shown in Figure 8-10. This dialog box appears automatically if the Edit properties option is selected in the last screen of the IP Security policy Wizard. You can also open this dialog box by right-clicking the security policy in the console window. To create a rule, perform the following steps: 1. In the New IP Security Policy Properties dialog box, click Add. (Ensure that the Use Add Wizard option is selected.) The Security Rule Wizard appears. Click Next. 2. The Tunnel Endpoint screen appears. On this screen, you can specify the rule for a computer that will be used as one end of the tunnel. Then you can specify the IP address for the network interface that will function as one end of the tunnel. If you want to set a security rule that does not specify a tunnel endpoint, select This rule does not specify a tunnel, as shown in Figure 8-11. Click Next.


285

286

Part III

NETWORK SECURITY

FIGURE 8-10 The New IP Security Policy


3. The Network Type screen appears. This screen displays the type of network to which you want to apply the security rule. Ensure that the All network connections option is selected, as shown in Figure 8-12. This option allows you to apply security rules over all types of network connections including LAN and Remote access. Click Next. 4. The Authentication Method screen appears, as shown in Figure 8-13. This screen prompts you for the initial authentication method for this security rule. The default is Kerberos V5 authentication protocol. You can also specify to use a certificate, a CA, or a preshared key. A preshared key is a shared, secret key, which is previously agreed upon by two computers. It is quick to use and does not require the client to run the Kerberos V5 protocol or have a public key certificate. Click Next.

CAUTION If you specify a string as a preshared key on the Authentication Method screen, remember to specify the same string while configuring the IPSec policy on the computer that will be communicating with this computer.


INTERNET SECURITY

Chapter 8

FIGURE 8-11 The Tunnel Endpoint screen.

FIGURE 8-12 The Network Type screen.

5. The IP Filter List screen appears, as shown in Figure 8-14. By using IP Filter List, you can specify the protocol to be monitored between the two hosts and the action to be performed. This dialog box contains two default filters: All ICMP Traffic and All IP Traffic. You can select one of these if you want to apply this rule to all the IP or ICMP traffic of the computer. You can also create new filter lists. Click Add.


287

288

Part III

NETWORK SECURITY

FIGURE 8-13 The Authentication Method screen.

FIGURE 8-14 The IP Filter List screen.

NOTE Internet Control Message Protocol (ICMP) is a maintenance protocol in the TCP/IP suite and is required in every TCP/IP implementation. It allows two nodes on an IP network to share IP status and error information.

6. The IP Filter List dialog box appears and prompts you for the name of the IP filter list, as shown in Figure 8-15. This dialog box allows you to specify the name of the filter and to add, modify, or remove filters.


INTERNET SECURITY

Chapter 8

Unless you want to manually add new filters, ensure that Use Add Wizard is checked to add filters using the Add Filter Wizard. Click Add. The IP Filter Wizard starts. Click Next. 7. The IP Traffic Source screen appears. On this screen, specify the IP address of the computer sending data that you want to secure. On this screen, from the Source address list, you can select from options shown in Figure 8-16. In this case, since the current computer will be sending the data, you select the source as My IP Address and click Next.

FIGURE 8-15 The IP Filter List dialog box.

FIGURE 8-16 The IP Traffic Source screen.


289

290

Part III

NETWORK SECURITY

8. The IP Traffic Destination screen appears. On this screen, you can specify the destination of the data. On this screen, from the Destination address list, select the A specific IP Address option and specify the IP address of the other computer, as shown Figure 8-17. Click Next. 9. The IP Protocol Type screen appears. Here, you can specify the type of traffic you want to secure. By default, the filter secures all traffic, but you can specify specific protocols to be secured. When you select TCP or UDP, you can cause certain port numbers to be secured. For example, if you want to secure all Internet communication, you can choose TCP as the protocol type and specify 23 as the port number. In this case, select the Any option (Figure 8-18) and click Next. 10. The Completing the IP Filter Wizard screen appears. Click Finish.

Creating a Filter Action After creating the filter list, you should create a filter action that specifies the type of security the rule should apply to the list. You can use a wizard to create the filter action or create it manually. If you follow the preceding steps, the Security Rule Wizard reappears. You can perform the following steps to create a filter action: 1. On the IP Filter List screen, select the New IP Filter List option and click Next. 2. The Filter Action screen appears. This screen allows you to choose from default filters. Ensure that the Use Add Wizard option is selected, as shown in Figure 8-19, and click Add.

FIGURE 8-17 The IP Traffic Destination address.


INTERNET SECURITY

Chapter 8

FIGURE 8-18 Selecting the IP Protocol Type.

FIGURE 8-19 The Filter Action screen.

3. The Filter Action Wizard starts. Click Next. 4. The Filter Action Name screen appears. On this screen, retain the default name of the filter action, and click Next. 5. The Filter Action General Options screen appears. This screen allows you to define the security settings for data transmission. These include: • Permit. This action allows packets to be transmitted without IPSec security between computers specified in the IP filter. • Block. This action prevents the protocol that matches the associated IPSec filter to exist between computers specified in the filter.


291

292

Part III

NETWORK SECURITY

• Negotiate Security. This option allows the systems specified in the IPSec filter to negotiate a common set of security parameters, such as desired encryption and integrity algorithms to secure data transmission. Select the Negotiate security option, as shown in Figure 8-20, and click Next. 6. The next screen gives you an option to communicate with a nonIPSec-enabled computer. It is recommended that you do not communicate with computers that do not support IPSec. Select an option, and click Next. 7. On the IP Traffic Security screen, you can select the Medium (Authentication Header) option to set medium security for your message. When you set a medium level security, the transmitted data remains authentic and unmodified but does not get encrypted. If you select High (Encapsulated Payload), in addition to the data remaining authentic and unmodified, it also gets encrypted. Select an option, as shown in Figure 8-21, and click Next. 8. The Completing the IP Security Filter Action Wizard screen appears. Ensure that the Edit properties option is not checked, and click Finish. 9. The Security Rule Wizard reappears. On the Filter Action screen, select the New Filter Action option, as shown in Figure 8-22, and click Next. 10. The Completing the New Rule Wizard screen appears. Ensure that the Edit properties option is unchecked and click Finish.

FIGURE 8-20 The Filter Action General Options screen.


INTERNET SECURITY

Chapter 8

FIGURE 8-21 The IP Traffic Security screen.

FIGURE 8-22 The Filter Action screen.

11. In the New IP Security Policy Properties dialog box, click OK to complete the process of configuring IP Security Policy, as shown in Figure 8-23.

NOTE You should confirm that you have completed all the steps described in the previous section on both the computers participating in an IPSec communication.


293

294

Part III

NETWORK SECURITY

FIGURE 8-23 New IP Security Policy


Firewalls With the Internet being used as a medium to access information from private networks, a network is actually directly connected to every other network on the Internet. At this point, there is no intrinsic central security control for private networks. Firewalls are the security mechanism employed at the boundaries of a private network and serve as a security checkpoints. Firewalls look over all the communication that takes place between two networks. While scrutinizing, if required, they drop the communication packets that do not match the policy rules defined in them. In a simple implementation, a firewall is placed between the internal and external network to secure the internal network from the external network, as shown in Figure 8-24. This implementation is called a single firewall. Firewalls are mostly set on servers that do not have a heavy network load.

Functionality of Firewalls Some functions of a firewall that ensure data security and integrity on networks are as follows: ◆

Packet filtering. Packet filtering refers to filtering of incoming and outgoing packets based on the protocol and address information of packets.


INTERNET SECURITY

Chapter 8

FIGURE 8-24 A single firewall.

The content of the packets is not checked. This is the most basic feature of a firewall. ◆

Network Address Translation. The Network Address Translation (NAT) feature of firewalls hides hosts on the internal network from hosts on the external network by translating the IP addresses and ports of internal hosts to a common external IP address of the firewall. Firewalls operating with this feature prevent internal hosts from being monitored by malicious hosts on the public network.

◆

Static address mapping. The static address mapping feature allows incoming packets to be redirected to servers using private network addressing.

◆

Stateful inspection. The stateful inspection feature ensures that sessions are not hijacked by attackers.

◆

Proxy service. Proxy service performs data exchange on behalf of the applications (client applications) with the remote systems. This hides the client computer behind the firewall, and to the remote system it appears as if proxy is interacting with it.

◆

User authentication. The user authentication features are handy when remote users (on a public network) use dynamic IPs to connect to private networks. For instance, consider a user who connects to the Internet using a modem to gain access to a private network. In this case, restriction based on IP addresses is not practical because the user will get a different IP address every time he connects. But the user authentication feature will ask for authentication before allowing public entry to the private network. As you can see, this is regardless of the source.


295

296

Part III

NETWORK SECURITY

◆

Tunneling. Firewalls provide a mechanism to establish a secure connection between two private networks operating on the Internet. By creating a virtual tunnel, this feature enables physically separate networks to use the Internet as a medium of communication. Such implementation of firewalls helps in deploying Virtual Private Networking (VPN).

Based on the functionalities that a firewall might be providing, firewalls can be classified as packet filtering firewalls, NAT firewalls, and application proxy firewalls. The following sections discuss these firewalls in detail.

Packet Filtering Firewalls Packet filtering firewalls are the most basic firewalls that operate on the network layer of the OSI and TCP/IP model. These firewalls filter packets based on rules that are defined in the firewall. If packets do not conform to the criteria specified in the firewall rules, they are simply dropped. Packet filtering can be implemented in routers or on a Network Operating System (NOS) with routing capabilities. You can apply packet filtering to a combination of source address, protocol, application, and message type. Defining packet filters determines which protocols are allowed to pass through a firewall, eliminating the risk of unknown protocols being able to access the network. A packet address contains information, such as source address, source port, destination address, destination port, and transport protocol. You can apply restrictions using any of the features as the criteria for filtering. You can base packet filtering on any or all of these fields. For example, using the source or destination address, you can block all packets from an address or set of addresses. You can also route to a set of addresses those packets you have allowed to enter. You can set packet filters for both incoming and outgoing protocols. All the successful sessions are defined in the packet filter. When an external client is allowed to connect to the Web server, the Web server replies back. The desired level of security determines your strategy for setting firewall rules. You must know which protocols should be filtered at the site. The two basic strategies to use when you create packet filter rules are: apply a “deny all” rule and define individual packet filters to allow access to the network, or first apply an “allow all” rule and then deny access to a few protocols. Implement the first option for a high-security network and the second for a low-security network.


INTERNET SECURITY

Chapter 8

Figure 8-25 displays a packet filter firewall rejecting undesired traffic based on the TCP port rule “All ports denied except TCP Port 80, TCP port 25, and TCP port 21.”

Stateful Packet Filtering Firewalls Stateful packet filters retain the state of connections by recording the session establishment information between two hosts across networks. Based on this information, filters decide whether the packets returned from a public network are from trusted hosts. In stateful packet filtering, a firewall examines which ports were used by a protocol while establishing the initial connection. It then opens those ports and closes the ports when the connection is terminated. If a hacker tries to hijack a session and tries to send or receive data on other ports than those listed in the filter, the firewall recognizes the attack and drops those packets. Stateful firewalls are handy when you have to filter connectionless traffic, such as SNMP, that is based on UDP. The firewall tracks client and server port information and allows only response packets to a valid host to pass through the firewall. The firewall does this by tracking the original ports used by the client application

FIGURE 8-25 Packet filtering firewalls.


297

298

Part III

NETWORK SECURITY

and ensures that the server-side application responds to the port used by the client application.

Downside of Packet Filters Packet filter firewalls impose some constraints that cause them to be not very commonly used. One of these constraints is that packet filters cannot check the content of packets for the presence of malicious data before passing them to an internal network. They rely on the header information to make pass or drop decisions on the data packets. Due to this constraint, packet filters alone do not represent an effective security measure for networks. They need to be combined with application-level proxy servers or circuit level firewalls to provide effective security.

Static Address Mapping Static address mapping is used to redirect incoming traffic to Internet accessible resources hidden behind a firewall. When a resource on the private network is accessed through a public network, the resource’s IP address is converted into a publicly addressable IP address. When the firewall receives the packet, it translates the destination address of the packet to the actual IP address of the resource and redirects the packet to that resource. The advantage of using static address mapping is that it hides the true IP address of the Internet-accessible resources from hackers that attack from the Internet using the IP address of the resource from the data packet.

NAT NAT was originally implemented as a solution to the scarcity of IP addresses for hosts on private networks. It converts IP addresses in a private network to globally unique IP addresses that can be used on the Internet. A firewall performs Network Address Translation functions by maintaining a translation table that contains the mapping of internal sockets (IP addresses and port numbers of hosts on a private network) with external firewall sockets (the IP address and port number of the firewall). When a host on a private network wants to establish a connection with the hosts on a public network, the firewall swaps the internal socket with the external socket and makes an entry in its translation table. This entry indicates the actual internal socket (socket of the host on the private network), the destination socket (socket of the host on the public network), and the external firewall socket.


INTERNET SECURITY

Chapter 8

After creating an entry in its table, the firewall sends a request to the external host on behalf of the internal client. To the external client, it appears that the request is coming from another computer on the Internet. Figure 8-26 illustrates how NAT swaps the internal socket with the external socket. In response to the request, when the host on the public network sends data packets back to the firewall, the firewall runs the reverse translation process. It tries to map the external host’s socket with the entries it has made in the translation table. If no entry is found for the external socket or if the IP address of the source (the host on the private network) is different than the address the firewall expects to see, the packet is dropped. Based on RFC1918, you can set the range of IP addresses of the internal network to: ◆

Class A. 10.0.0.0-10.255.255.255

◆

Class B. 172.16.0.0-172.31.255.255

◆

Class C. 192.168.0.0-192.168.255.255

You need to configure the firewall to recognize the addresses belonging to this range. Identifying authentic internal addresses helps prevent IP spoofing, and the server can immediately drop an external packet even if it contains the source address of an internal client.

FIGURE 8-26 NAT swaps the internal socket with the external socket.


299

300

Part III

NETWORK SECURITY

Downside of NAT NAT solves several problems associated with direct Internet connections that are made through packet filtering firewalls. However, because NAT operates on the Transport layer, it does not completely restrict the flow of malicious data packets. This is because it is not capable of checking the content of the data packets being transmitted. It is possible for higher level protocols to exploit the weaknesses in higher level traffic. Hackers can deploy network monitors to spy on the traffic coming out of a firewall to determine whether address translation is occurring in the firewall. After gaining such information, the hacker can hijack TCP sessions or spoof IP addresses from the firewall. To prevent this, you need to merge firewalls with proxy services that operate on the application layer.

Circuit Relay Circuit Relay, also called a Circuit Level Gateway, is a firewall methodology in which data connections are validated before the data is actually exchanged. This implies that the firewall not only performs the pass/reject function on data packets but also determines whether the connection between both ends is valid according to configurable rules. A firewall might validate a connection on the following basis: ◆ ◆ ◆ ◆ ◆ ◆

Destination IP address and/or port Source IP address and/or port Time of day Protocol User Password

After verifying the connection, the firewall opens a session and permits traffic to pass. Often the firewall also places restrictions on the time limit for the data to pass. Every session of data exchange is authenticated and monitored, and all traffic is allowed to pass during the time the connection is open. One of the advantages of a circuit relay firewall is that it covers up the limitations of the unreliable UDP protocol in which the source address is not validated as a function of the protocol. A circuit level firewall operates on the Transport layer. This sometimes becomes a disadvantage because it might require substantial modification of the programming that normally provides transport functions, such as Winsock.


INTERNET SECURITY

Chapter 8

Application Gateway The Application gateway firewall goes a step further in controlling traffic on the network. It acts as a proxy for applications by performing all data exchanges with the remote system on their behalf. Application gateway makes pass or reject decisions on the traffic based on specific rules, such as permitting some commands to a specific server (but not others), restricting file access to certain types, and changing rules according to authenticated users. This type of firewall also logs traffic details and monitors events on the host system. It can also be programmed to sound alarms or notify an operator under defined conditions. Application-level gateways are generally regarded as the most secure type of firewall. They are normally implemented on a separate computer on the network whose primary function is to provide proxy service. A disadvantage of application gateway is that its setup is very complex. Therefore, the individual applications that use the gateway might require detailed attention.

Application Proxy Firewalls Application proxy is a type of application gateway firewall. The word proxy actually means substituting for something. Proxy servers substitute the direct communication link between a client and a server with their services. Like NAT, proxy servers hide the client from the server without disturbing the communication link between the two. When a host on an internal network attempts to connect to a Web site on the Internet, a proxy server receives the request from the host. If the proxy server is also functioning as a cache server, it looks for the Web page requested in its memory. If the Web page exists in the cache memory, it sends the page back to the host. If the Web page does not exist, it forwards the request on behalf of its host. How do clients on the network interact with the proxy server? Clients access Web pages through browsers. Browsers are set up with the address of the proxy server. This implies that whenever a client sends a request through a browser, the browser automatically sends all Web page requests to the proxy server rather than resolving the IP address and processing the request directly. It is not necessary that a proxy server run on a firewall. Any server, placed either inside or outside a network, can perform the role of a proxy. Both a firewall without proxy services and a stand-alone proxy server cannot provide security services. A proxy server should have some sort of packet filtering to protect itself from


301

302

Part III

NETWORK SECURITY

network attacks, such as denial-of-service attacks. Similarly, a firewall should perform proxy services if it wants to provide true security features. Let me explore some functions of a proxy firewall: ◆

Proxy firewall with the IP filtering and masquerading feature. These firewalls can block direct outbound connection attempts to remote hosts. The proxy firewall then connects to the remote server and requests data on behalf of the client by IP masquerading (NAT functionality).

◆

Proxy firewalls with application-level filtering for specific content. Some proxy firewalls can be set with rules to look for contents in HTML pages that refer to Java- or ActiveX-embedded applets and drop these packets. This prevents the applets from executing on your machine and, therefore, avoids the accidental download of viruses and Trojan horses. Figure 8-27 illustrates a proxy firewall.

When an organization’s network contains resources that can be accessed through the Internet, security does not permit you to place those resources

FIGURE 8-27 Application proxy firewall.


INTERNET SECURITY

Chapter 8

within the private network. Instead, they should be placed in a network segment commonly known as Demilitarized Zone (DMZ), between the private and the public network. The following section will brief you on DMZ setup.

DMZ Setup In a DMZ setup, the first firewall is placed at the Internet connection, and the organization’s public servers are placed behind it. The second firewall is placed between the private network and the public servers of the organization. This setup provides security to the private network because the private network is now not connected with any external connections and its setup is completely hidden from the outside world. The area between the two firewalls is termed as the DMZ. Because the public servers are placed between the two firewalls, this setup is also called mid-ground DMZ. Figure 8-28 illustrates a mid-ground DMZ. In a DMZ setup, when a hacker tries to intrude into the network of an organization, he is blocked at two levels. If he manages to cross the first hurdle, he is stopped at the second level of security. The DMZ setup is considered to be the safest security mechanism for organizations.

FIGURE 8-28 A mid-ground DMZ setup.


303

304

Part III

NETWORK SECURITY

NOTE Other terms used interchangeably with DMZ are screened subnet and perimeter network.

Firewalls also allow the use of the virtual DMZ setup. Figure 8-29 illustrates a virtual DMZ created by a single firewall. In this setup, a firewall contains three interfaces connected to external network—external network, internal network, and public server network—with three different security policies. The security policies can be customized to block connection attempts to your internal network but bypass your public server network. This way you are making use of two firewalls through a single product. This type of firewall is also referred to as a trihomed firewall or a three-pronged firewall. Sometimes an organization might require deploying a hybrid DMZ in a network where more than one zone exists between the private and public networks. You can have a hybrid DMZ with a single firewall, as shown in Figure 8-30. In this scenario, you can create two DMZs to support IPSec connections and protect the

FIGURE 8-29 A virtual DMZ setup.


INTERNET SECURITY

Chapter 8

FIGURE 8-30 A hybrid DMZ with a single firewall.

private network-addressing configuration for all other Internet-accessible resources. In one DMZ, you can place a remote access server that accepts IPSec connections and uses public network addressing. In the other DMZ, you can place all the other Internet-accessible resources that use private network addressing. The firewall will perform static address mapping for all incoming traffic to the private network. Similarly, NAT is performed on all outgoing traffic from the zone that uses private address mapping. In another scenario, you can use multiple firewalls to create two or more DMZs between the private and public network, as shown in Figure 8-31. In the outermost DMZ, you can place a remote access server that accepts IPSec connections and uses public network addressing. In the innermost DMZ, you can place all the other Internet-accessible resources that use private network addressing.


305

306

Part III

NETWORK SECURITY

FIGURE 8-31 A hybrid DMZ with multiple firewalls.

Secure Public Access to DMZs To ensure that Internet users are able to access network services and applications in a secure manner you need to control public access to the DMZ. You can open specific ports on the external and internal firewalls and classify which protocols are allowed to access the resources on the private network through the DMZs. Different firewall rules need to be set for each kind of server in the DMZ. FTP protocol is allowed on an FTP server while HTTP or HTTPS protocol is allowed on a Web server. You need to properly configure a firewall to maintain functionality and security in a DMZ.

Secure Traffic to HTTP and FTP Servers Two of the most common protocols being used in Internet systems are HTTP and FTP protocols. You need to configure the external firewall to ensure that only the defined ports on the HTTP and FTP protocols are allowed to pass through the server hosting the HTTP and FTP services, as shown in Figure 8-32. You also


INTERNET SECURITY

Chapter 8

need to configure FTP and HTTP connections to request authentication. Clear text authentication poses the danger that anyone with a monitoring program, such as a sniffer, can access the password. HTTPS (HTTP SECURE) provides a more secure form of data transfer between the server and the client because encryption is used on the Web server. You need to configure both control stream and data stream to be able to pass through the firewall. The control stream uses TCP port 21 to send FTP commands from the FTP client to the FTP server while the data stream uses TCP port 20 to transfer files from the FTP server. You can also specify the return path in the firewall rules for some FTP clients. These types of clients are known as passive FTP clients. The return path needs to be specified so that the FTP server can send the result of the FTP command back to the client. While using HTTP, you need to create a connection to TCP port 80 to pass through the firewall. For a more secure HTTPS connection, TCP port 443 is used. This is the default configuration and default port being used for FTP and HTTP. Any hacker can misuse these default port numbers. For example, a hacker could upload a file to the machine and when the user tries to open the file, it could produce unexpected results.

FIGURE 8-32 Securing traffic to HTTP and FTP server.


307

308

Part III

NETWORK SECURITY

A better security approach is to disallow all TCP and UDP ports except the ports required by users. You could disable TCP port 80 for HTTP and configure a different port number. You can also configure the exchange server as a relay server. A relay mail server can pass mail to other servers. If one mail server has access to the Internet, you can configure the server to forward mail to other servers on the network. This way, even networks that do not have Internet access can receive Internet mail.

Secure Traffic to DNS Server When you design the DNS namespace, you should remember that the address available on the internal network must not be visible or accessible from the Internet. You will need to configure the internal DNS server to interact with the external DNS server and ensure that you do not expose any DNS resource records of the internal network. This kind of secure configuration is called the Split DNS implementation. Split DNS implementation means splitting the functionality of DNS on two different servers. The external DNS server is used by the Internet to resolve the organization’s domain information, and internal users use the internal DNS server. The external DNS server is placed on the protected DMZ while the internal DNS server is placed on the internal network. This protects the internal DNS server from being directly accessed by the Internet users. The internal DNS server has information, which can be used to map the internal network. An external DNS server performs two functions for the private network. It provides resolution for any internal resource that can be accessed from the Internet. It also provides resolution for Internet resources for the private network users. The external DNS server is placed in a DMZ, and the IP address that is exposed to the Internet is the one set by the firewall for static address mapping to the DNS server. The firewall rules set on the DNS server must allow connections to it using both TCP53 and UDP53. The IP address assigned to the internal DNS server is never exposed to Internet users. The private network uses this internal DNS server for name resolution within the network. The internal DNS server must be set up in a secure location on the private network and is required to host all necessary DNS resource records for Active Directory and all internal network resources. You will need to configure the internal server to forward all requests that it is unable to resolve to the external server. All internal clients use the internal server


INTERNET SECURITY

Chapter 8

to resolve Internet resources. Internal clients cannot directly pass requests to the external DNS server. Clients have to be configured to pass requests only to the internal DNS server, which in turn will forward the request to the external DNS server. Restrict zone transfers from the internal server so that only the servers that you defined earlier can request zone transfers from the internal server.

Secure Traffic to Microsoft Exchange Server If Microsoft Exchange is used to provide e-mail facility, you must decide which e-mail service you will implement for both the internal and external clients. You can enable the following services: ◆

Simple Mail Transfer Protocol (SMTP). You need to set additional restrictions on the Exchange server if SMTP is enabled for external users. You need to restrict the server’s ability to relay SMTP mail. Many types of restrictions can be set on the server, such as only mail received at the mailbox on the mail server can be sent. You must configure specific hosts on the internal network to relay these e-mail messages. You can use SMTP to do this and disallow all other hosts in other network ranges. The server can be configured to only allow authenticated users to send e-mail.

◆

Post Office Protocol version 3 (POP3). POP3 is used to enable users to access their accounts on the Exchange server and transfer their mail to their configured POP3 client software.

◆

Internet Message Access Protocol version 4 (IMAP4). IMAP4 is used to enable users accessing the mail server to access their mail, including mail stored in the sent items and public folders.

Outlook Express can also be used in addition to SMTP, POP3, or IMAP4 to connect to the Exchange server. You need to configure appropriate packet filters at the internal firewall to enable users to connect to the Exchange server. In addition, you should configure a packet filter at the external firewall to send e-mail messages to any server on the Internet, as shown in Figure 8-33.

Secure Traffic to an Application Server You can use application servers like Microsoft SQL Server to provide large-scale storage space for application. You need to ensure that confidential data stored on the application server should not be accessible to Internet users. You can ensure


309

310

Part III

NETWORK SECURITY

FIGURE 8-33 Securing traffic to Microsoft Exchange server.

that the data stored on the server is secure by restricting access to the application server by: ◆

Using Web-based front ends.

◆

Creating tunnels extending from the Internet to the private network.

◆

Using Terminal Service, which provides access to only specific applications.

The use of Web-based applications to connect to the application server ensures a secure method to access data from the application server located on the private network. Clients who use Web-based applications don’t need to install the application software on their individual machines to communicate with the application server. You can configure the external firewall to allow only external clients to connect to the Web server in the screen subnet. Only the Web server should have the right to connect to that application server. You should configure the external firewall to allow only HTTP and HTTPS to connect to the Web server in the screen subnet. HTTPS ensures that any client authentication and data transmission is encrypted. You should configure the internal firewall to allow only the Web server in the DMZ to connect to the application server on the internal network.


INTERNET SECURITY

Chapter 8

Secure PPTP Traffic to a Tunnel Server In some cases, such as providing rights to a partner organization to access resources on the internal network, you might require Internet users to access resources on the internal network but not physically connect to the network. To enable external clients to be able to connect to internal resources you will need to configure Routing and Remote access. The Point-to-Point tunneling protocol (PPTP) is a secure way for remote users to be able to access the private network across the Internet. After a client connects to the remote access server in the DMZ, he must be authenticated to find out if the remote access policies allow the connection to be created. One of the methods to authenticate users is to configure Routing and Remote Access (RRAS) to use RADIUS service. Once the user is authenticated, firewall filters control the level of access of the client to the private network based on the IP addresses assigned. PPTP uses the Generic Routing Encapsulation (GRE) packets to transport data across the Internet using TCP port 1723. If filters based on IP numbers are set on firewalls, you need to create a filter that allows only the protocol identifier 47 to pass through the firewall. The client can be assigned an IP address either by the DHCP server or from the address pool specified on the remote access server.

Secure L2TP Traffic to a Tunnel Server As an alternative to PPTP protocol, clients can also tunnel into the private network using the Layer Two Tunneling Protocol (L2TP), which is encrypted using IPSec. The combination of L2TP and IPSec protocols allows a remote client to securely access resources on the private network providing a higher level of security and encryption than that available with PPTP. The L2TP client software is only provided by Windows 2000, while computers using Windows 95, Windows 98, and Windows NT 4.0 use PPTP. Firewalls that implement NAT don’t allow IPSec to pass through them because NAT modifies the encrypted portion of each packet by changing the internal source address to a common external address, and IPSec packets cannot be modified. Because of this change in the address, the checksums change and IPSec packets are rejected. The tunnel server must have two network interfaces, one to connect to the Internet and another to connect to the DMZ. The external interface should be configured to only allow IPSec traffic into the DMZ. Once the packets are received at the external part of the tunnel server, the packets are decrypted and transmitted to


311

312

Part III

NETWORK SECURITY

the DMZ by using the internal interface of the tunnel server. After the client has been authenticated with the remote server, you need to configure the internal firewall to limit access to specific servers based on specific protocols.

Secure Traffic to a Terminal Server You can permit external terminal server clients to access an internal terminal server. The terminal server provides security by encrypting the transmission of data between remote clients and the terminal server. To provide additional security, you can restrict the remote client to be able to run only a single application on the terminal server rather than using the standard Windows 2000 desktop. By using terminal server, you can configure both the internal as well as external firewalls to provide access to the internal network. You can configure the external firewall to allow the MS-WBT server protocol to pass through the DMZ to the terminal server. This protocol transmits mouse and keyboard commands from the remote client to the terminal server, and in the same way, transmits screen information from the terminal server to the client interface. A domain server on the private network authenticates terminal server users. For the terminal server to be able to identify the domain controller, you must define a firewall rule that allows the terminal server to use the internal DNS server as its primary DNS server. The terminal server needs access to the Active Directory-related SRV records to find internal resources. After a user is authenticated, the firewall rules control the level of access to the private network based on the IP address of the terminal server. Because the terminal server client needs to access multiple servers, you must configure the rules for each server to be accessed. You should also set a rule that allows only a particular protocol to connect to the server in the private network and therefore increases security.

Summary In this chapter, you learned that IPSec is a set of protocols that supports secure exchange of data packets at the network layer. IPSec consists of the AH and ESP protocols. IPSec operates in two modes, transport mode and tunnel mode. The process of defining IPSec rules includes defining filter lists, defining filter actions,


INTERNET SECURITY

Chapter 8

defining IPSec modes and the protocol that is to be used, and identifying the authentication mechanism and the encryption algorithm. The second part of the chapter dealt with firewalls. Firewalls provide various functionalities, such as NAT, packet filtering, stateful packet filtering, static address mapping, circuit relay, and application gateway. The DMZ setup allows Internet-accessible resources to be placed securely. You should design your DMZs in such a manner that it allows only authorized protocols to pass through the firewall.

Check Your Understanding Multiple Choice Questions 1. The confidential information of your organization is stored in a database at the head office. Only valid users should be able to access the information. What IPSec policy should you use to secure the organization? a. Secure Server (Require Security) b. Client (Respond Only) c. Server (Request Security) d. Create your own policy 2. The network of your organization has a few Windows 2000 clients and a few non-Windows 2000 clients. What authentication methods should you use while configuring IPSec policy for two internal clients? a. Kerberos V5 authentication b. Preshared key c. Certificate from a CA d. NTLM 3. What filter action will you define for the network traffic that does not require IPSec security? a. Permit b. Block c. Negotiate Security


313

314

Part III

NETWORK SECURITY

4. InterShopping is a recently opened Internet-based shopping mart with its main office in Atlanta. All the Web servers are kept at the head office. You need to ensure the maximum level of security for the Web servers with the least amount of degradation on the performance of the network. Identify the best site where the Web servers should be set up in relation to the firewalls. a. You can position the Web server so that it is directly connected to the Internet. b. You can place the Web server in a DMZ. c. You can place the Web server on the internal firewall. d. You can place the Web server on the external firewall. 5. When designing filters, which of the following information is not needed for implementation? a. Source and destination address b. Application c. Name of the computer d. Protocol e. Source port

Short Questions 1. James is the network administrator for New Look Technologies. He is planning to deploy IPSec to ensure that the data packet transmitted, including the IP header and data payload, is protected for integrity and anti-replay. What authentication protocol does he require to ensure this authentication? 2. What mode would you use when you have a firewall that does not perform network address translation? 3. Jerry is the network administrator of Toyzone, Inc, a toy manufacturing company. He needs to provide the users on the internal network access to the Internet without exposing the addressing scheme implemented on the internal network. What component of a firewall does Jerry need to configure to allow internal users to securely access the Internet? 4. What is the difference between NAT and static address mapping?


INTERNET SECURITY

Chapter 8

5. You are a member of a team responsible for providing secure access to the servers on the network. You need to set up a database server, which has to be set up on the internal network but at the same time should be accessible to Internet users. The administrator asks you to configure firewalls to provide security instead of installing any additional software on the database server. How can you ensure both security and accessibility to the server?

Answers Multiple Choice Answers 1. a. You will use Secure Server (Require Security) because the server contains sensitive data that should be secured, and this policy configures the computer to require security for all network traffic to or from the affected computer and deny the traffic that does not support IPSec. 2. b. You will use a preshared key because two internal hosts can easily use a shared secret key as the authentication mechanism. You can use Kerberos V5 authentication only if the clients are running Kerberos V5 protocol. You can also use certificate-based authentication when the IPSec communication is with external partners or on the Internet or between computers using L2TP for communication. 3. a. This Permit action allows packets to be transmitted without IPSec security between computers specified in the IP filter. 4. b. 5. b, c. A filter contains source and destination address, source and destination ports, and protocol.

Short Answers 1. He should use Authentication Header (AH) protocol. 2. Transport mode. 3. NAT. 4. You can use NAT to hide the source IP address while in static address mapping, the destination computer’s address is mapped to a static IP address.


315

316

Part III

NETWORK SECURITY

5. One of the options is that you can configure a mid-ground screened subnet. The inner firewall will protect the internal network, and at the same time the external firewall will allow Internet users to access the database server, which is placed between both firewalls.


Chapter 9 Internet Information Server (IIS)


ith the advent of the Information Technology Age, everything has changed. There is hardly any job today that has been left untouched by IT. However, all this wouldn’t have been possible if it weren’t supported by a sound and reliable infrastructural backbone. All vendors today ship in their products both hardware and software that are Internet compatible.

W

One of the many tools and services of Microsoft that enable you to use and explore the Internet is Internet Information Services, or IIS, which is a Windows 2000-based Web server. IIS not only acts as a Web server but also as an FTP server. This chapter provides you with a thorough understanding of IIS. You’ll learn how it provides security against the innumerable security attacks that plague your networks.

NOTE The current version of IIS is IIS 5.0. In this chapter, IIS 5.0 will be referred to as IIS, unless otherwise noted.

IIS: An Overview By default, all Windows 2000-based servers have IIS installed on them. IIS can be used both as a Web server and an FTP server. As a web server, IIS allows you to create and manage Web sites. You can also use it for publishing content on the Internet. As an FTP server, IIS allows you to upload and download files from FTP servers. IIS, as a part of Windows 2000, lays a special emphasis on providing paramount security to its users. It supports some strong encryption and authentication mechanisms, such as PKI, Kerberos, and SSL, to secure all the data that traverses through it.

Security Features of IIS The Internet is an open and public network and is prone to a number of security attacks. Any organization that connects to the Internet runs a risk of being


INTERNET INFORMATION SERVER (IIS)

Chapter 9

vulnerable to these attacks. IIS provides you with the following security features that help safeguard your network resources: ◆

Encryption. IIS contains some strong encryption techniques that provide integrity, authentication, and confidentiality to your data. The High Encryption Pack now comes installed with IIS. This encryption pack has enhanced the encryption capabilities in IIS. You can now use 128-bit encryption to export your data internationally.

◆

Authentication. Authentication is one of the core security features of IIS. The authentication mechanism in IIS authenticates users by mapping them to Windows 2000 user accounts. Some of the authentication mechanisms supported by IIS are anonymous authentication, digest authentication, Integrated Windows authentication, and certificate authentication.

◆

Access control. After a user is authenticated, access control mechanisms are usually deployed to determine the level of access that can be granted to the authenticated user. IIS does this by using several access control filters, such as file system permissions, network address permissions, and Web server access permissions to grant the right kind of rights and permissions to each user.

◆

Auditing. Auditing allows you to monitor your system as well as user accounts. Auditing in IIS allows you to keep track of authorized or unauthorized access to your resources.

◆

Certificate services. IIS uses the certificates of users mainly for authentication purposes. IIS supports SSL and TLS security protocols. IIS uses the SSL protocol’s client authentication feature to authenticate users.

You’ll learn about all these features in detail later in the chapter.

Services Associated with IIS To manage IIS, you need to use the Internet Services Manager. You can access the Internet Services Manager from the Administrative Tools start menu. Figure 9-1 shows the Internet Services Manager window. As you can see in the figure, IIS comprises the following services: ◆

FTP. Your FTP client can use FTP services to upload or download files from the FTP server by using the TC/IP protocol.


319

320

Part III

NETWORK SECURITY

FIGURE 9-1 The Internet Services Manager window.

◆

HTTP. You can use the HTTP service to access Web sites.

◆

SMTP. You can use SMTP to exchange mail between two SMTP systems.

◆

NNTP. You can use NNTP to enable newsgroup services between NNTP clients and servers.

Each of these services has its own set of security mechanisms. You can view their security mechanisms from their respective properties dialog boxes. The following section discusses these security mechanisms in detail.

FTP Security Mechanism You can use the Internet Services Manager to configure a number of security options for your FTP site. In the Internet Services Manager window, right click Default FTP Site and select Properties to open the Default FTP Site Properties dialog box, as shown in Figure 9-2. As you can see in the figure, the dialog box contains a number of tabs:



Chapter 9

FIGURE 9-2 The Default FTP Site Properties

dialog box. ◆

FTP Site. Allows you to specify the identification and connection details for your FTP service, as shown in Figure 9-2.

◆

Security Accounts. Allows you to specify the user accounts that can be used for anonymous access to your FTP server. In addition, you can specify the user’s account that can be granted operator privileges for this FTP site. Figure 9-3 shows the various security options available under the Security Accounts tab.

◆

Messages. Allows you to specify a welcome and exit message. You can also specify a message when the maximum connection limit is reached.

◆

Home Directory. Allows you to specify the FTP Site Directory and Directory Listing Style. In the Directory Listing Style, you can choose from either UNIX or MS-DOS.

◆

Directory Security. Allows you to specify TCP/IP access restrictions. By default, all computers are allowed access, as shown in Figure 9-4.

You can specify the computers that you want to deny access to. You can either mention a single computer or a group of computers to deny them access. When you specify a group of computers, you need to mention the subnet mask in addition to the network IP address. The two security mechanisms available for FTP services in the Internet Services Manager are Security Accounts and Directory Security.


321

322

Part III

NETWORK SECURITY

FIGURE 9-3 Security Accounts tab.

FIGURE 9-4 Directory Security tab.

HTTP Security Mechanism The Internet Services Manager provides you with a number of security mechanisms for managing the security of your Web site. In the Internet Services Manager window, right click Default Web Site and select Properties to open the Default Web Site Properties dialog box, as shown in Figure 9-5.



Chapter 9

FIGURE 9-5 The Default Web Site Properties

dialog box.

As you can see in the figure, the Default Web Site Properties dialog box contains a number of tabs that you can use for managing your Web site. Following is a list of tabs that are available in the Default Web Site Properties dialog box: ◆

Web Site. Allows you to specify the identification and connection details for your Web site, as shown in Figure 9-5.

◆

Operators. Allows you to specify the user accounts that can be granted operator privileges for your Web site.

◆

Performance. Allows you to specify Performance tuning, bandwidth throttling, and process throttling. If you specify the limit of bandwidth that can be granted to your Web site, this value overrides the value specified in the global settings in computer properties.

◆

ISAPI Filters. Allows you to specify Internet Server Application Programming Interface (ISAPI) filters. These filters are applied in the order in which they are listed.

◆

Home Directory. Allows you to specify the location from which the content will be picked for the Web site. You can also specify execute permissions, application protection, and application settings, as shown in Figure 9-6.


323

324

Part III

NETWORK SECURITY

FIGURE 9-6 Home Directory tab.

In the Application Protection option, you can choose low, medium, and high protection options. By default, the medium protection option is selected. ◆

Documents. Allows you to specify the default document that will appear when users access your Web site.

◆

Directory Security. Allows you to specify anonymous access and authentication control, IP address and domain name restrictions, and Secure communications, as shown in Figure 9-7. • To enable anonymous access and modify the authentication method, you need to click on the Edit button in the Anonymous access and authentication control section. When you do so, the Authentication Methods dialog box appears as shown in Figure 9-8. • As can be seen in Figure 9-8, you can choose from a number of authentication methods, namely Basic authentication, Digest authentication, and Integrated Windows authentication. You’ll learn about all these authentication methods in detail later in the chapter under the “IIS Authentication” section. • To specify access or deny permissions, you need to click on the Edit button in the IP address and domain name restrictions section. When you do so, the IP Address and Domain Name Restrictions dialog box appears as shown in Figure 9-9.



Chapter 9

FIGURE 9-7 Directory Security tab.

FIGURE 9-9 IP address and domain name restrictions dialog box. FIGURE 9-8 Authentication Methods

dialog box.

• This dialog box allows you to specify the computers that you want to deny access to. By default, all computers are allowed access. Recall that the Directory Security tab of the Default FTP Site was quite similar. In this dialog box, however, you also have the option of restricting access on the basis of the Internet domain name. This option is not available in Default FTP Site. • To enable secure communications, you can use the certificate services that are available. You can create and manage user certificates for


325

326

Part III

NETWORK SECURITY

added security by using the Web Server Certificate Wizard. You’ll learn more about certificate security later in this chapter in the “Certificate Authentication” section. ◆

HTTP Headers. Allows you to specify values, such as content expiration time and ratings based on the content provided by the site, as well as configure additional MIME types that can be sent in the HTTP header to the browsers by the Web Service.

◆

Custom Errors. Allows you to specify custom error messages in case of HTTP errors.

◆

Server Extensions. Allows you to specify whether the contents of the Web site can be edited by authoring or not. In addition, you can also specify how mail should be sent and whether to retain the global security settings for the Web site or to override them by checking the Don’t Inherit Security Settings checkbox.

SMTP Security Mechanism As with FTP and HTTP, there are a number of options for managing the security of your SMTP service. You can view these options in the Default SMTP Virtual Server Properties dialog box, as shown in Figure 9-10.

FIGURE 9-10 The Default SMTP

Virtual Server Properties dialog box.



Chapter 9

As you can see in Figure 9-10, the following tabs are present in the Default SMTP Virtual Server Properties dialog box: ◆

General. Allows you to specify the name, IP address, and connection information, as shown in Figure 9-10.

◆

Access. Allows you to configure a number of security mechanisms, such as access control, secure communication, connection control, and relay restrictions. Figure 9-11 displays the options available under the Access tab. The access control section allows you to enable anonymous access and modify the authentication methods. You can do so by clicking on the Authentication button, which opens the Authentication dialog box, as shown in Figure 9-12. In the Authentication dialog box, the available security options are Anonymous access, Basic authentication, TLS encryption and Windows security package. After the authentication section, the next section in the Default SMTP Virtual Sever Properties dialog box is for secure communication. This section allows you to manage secure communication methods for the SMTP server. You can click on the Certificate button and request a certificate. If a certificate has already been issued, you can

FIGURE 9-12 Authentication dialog box. FIGURE 9-11 Access tab.


327

328

Part III

NETWORK SECURITY

click on the communication button to open the Security dialog box, as shown in Figure 9-13. The security dialog box allows you to secure the communication by making it pass through a secured channel. In addition, you can provide strong 128-bit encryption to your communications. In the Default SMTP Virtual Server Properties box, you can control access on the basis of the IP address and the domain names. To do so, click on the Connection button to open the Connection dialog box, as shown in Figure 9-14. • In the Connection dialog box, you can specify a list of all the computers that you want to grant access to. By default, the All except the list below option is selected. This means that all computers, groups of computers, or Internet domain names mentioned in the list will be denied access. • The last security option in the Default SMTP Virtual Server Properties dialog box is grant or deny access to the relay e-mail thorough the SMTP virtual server. To do so, you need to click on the Relay button. This opens the Relay Restrictions dialog box, as shown in Figure 9-15. In the Relay Restrictions dialog box, you can specify a list of computers that you want to relay through the SMTP virtual server. By default, all computers that have been successfully authenticated to relay, irrespective of the list mentioned in the dialog box, are allowed. Notice that this option is at the bottom of the Relay Restrictions dialog box. ◆

Messages. Allows you to specify message information, such as the size of the messages, the size of the session, and so on.

FIGURE 9-13 Security dialog box. FIGURE 9-14 Connection dialog box.



Chapter 9

FIGURE 9-15 Relay Restrictions dialog

box.

◆

Delivery. Allows you to specify values for outbound as well as local communication, as shown in Figure 9-16. You can provide security to the outbound communication by clicking on the Outbound Security button. When you click on the Outbound Security button, the Outbound Security dialog box appears as shown in Figure 9-17.

FIGURE 9-17 Outbound Security dialog

box. FIGURE 9-16 Delivery tab.


329

330

Part III

NETWORK SECURITY

As can be seen in Figure 9-17, the various available security options are Anonymous access, Basic authentication, Windows security package, and TLS encryption. ◆

LDAP Routing. Allows you to enable LDAP routing.

◆

Security. Allows you to grant operator permissions to user accounts.

NNTP Security Mechanism You can use NNTP to enable newsgroup services between clients and services. These services are secured using the Internet Services Manager. Open the Default NNTP Virtual Server dialog box. Figure 9-18 displays the Default NNTP Virtual Server dialog box. As can be seen in Figure 9-18, the following options are available in the NNTP Properties dialog box: ◆

General. Allows you to specify the identification and connection details.

◆

Access. Allows you to specify the Access control, Secure communication, and Connection control methods, as shown in Figure 9-19. As with other IIS services, NNTP allows support of many authentication mechanisms. To select any of these mechanisms, click on the

FIGURE 9-18 The Default NNTP Virtual

FIGURE 9-19 Access tab.

Server Properties dialog box.



Chapter 9

Authentication button. You will see the Authentication Methods dialog box, as shown in Figure 9-20. The available authentication methods are Allow anonymous, Basic authentication, Windows security package, and Enable SSL client authentication.

NOTE The SSL client authentication method requires a server certificate. When you enable SSL authentication, you can choose from two options: Require SSL client authentication and mapping client certificates to Windows user accounts.

After the authentication section, the next section in the Default NNTP Virtual Sever Properties dialog box is for secure communication. This section allows you to manage secure communication methods for the NNTP server. The connection control mechanism in NNTP is the same as in SMTP. Here also you can grant or deny access based on the IP address or Internet domain names.

FIGURE 9-20 Authentication Methods

dialog box.


331

332

Part III

NETWORK SECURITY

◆

Settings. Allows you to specify values for managing your NNTP service. Some available options are limiting the post and the connection size for the client posting and the feed posting, allowing servers to pull news articles from the NNTP virtual server, and allowing control messages.

◆

Security. Allows you to grant operator permissions to user accounts.

After having looked at all the services and their security mechanism, you will now learn about the security features of IIS in detail.

IIS Authentication The IIS authentication mechanisms provide you with a comprehensive security solution. The process of authenticating users in IIS invariably involves mapping users to Windows user accounts. The authenticated users are then impersonated by IIS to access the various services, such as FTP, HTTP, SMTP, and NNTP. In this way, users accessing the resources are authenticated before they are granted any kind of access. Some of the authentication mechanisms supported by IIS are: ◆

Anonymous Authentication

◆

Basic Authentication

◆

Digest Authentication

◆

Integrated Windows Authentication

◆

Certificate Authentication

Anonymous Authentication Anonymous authentication is, in effect, not an authentication mechanism. This is because the user who is accessing the resources need not provide his identification details, such as username and password. In the anonymous authentication process, when a user tries to access any resource, IIS maps the user to a local account, referred to as IUSR_computername, where computername is the name of the computer on which IIS is running. IIS manages and controls the password for this account. This is because, by default, IIS is configured for password synchronization. As a result, in anonymous authentication, IIS impersonates the user and logon by using the ISUR_computername



Chapter 9

account. To do this the account needs to have the Access This Computer From The right. This account is defined with a very strong password at the time of setup. However you can change the account in the IIS administrative tool. To do so, you need to perform the following steps:

Network

1. Open the Internet Services Manager console. 2. Right-click Administrative Web Site and select properties to open the Administrative Web Site Properties dialog box. 3. In the dialog box, click the Directory Services tab. 4. In the Anonymous access and authentication control section, click on the Edit button. 5. The Authentication Methods dialog box appears. Ensure that Anonymous access is checked. 6. Click on the Edit button to open the Anonymous User Account dialog box, as shown in Figure 9-21. 7. Edit the Username and the Password textboxes to enter the new account name and the password.

TIP You might need to clear the Allow IIS to control password check box, if the password text box is unavailable.

It is recommended that you change the Anonymous User account if you’re hosting multiple Web sites. In this way, you can define one Anonymous User account per Web site.

FIGURE 9-21 Anonymous User Account dialog box.


333

334

Part III

NETWORK SECURITY

Basic Authentication Basic authentication, as is suggested by the name, is the most basic or simple form of authentication. In this authentication, the user is prompted for a username and password. After the user enters his username and password, the information is sent over the network. This is where this form of authentication suffers from some inherent vulnerabilities. The password is sent as base64-encoded, which is so weak that it is even referred to as plaintext or cleartext. As a result, Basic authentication is also known as Clear Text logon. For IIS implementation of Basic authentication, you need to have Windows 2000 accounts in the Active Directory. When a user connects to a Web site, IIS obtains the username and password information from the HTTP Authorization header, and calls the LogonUser API. IIS then impersonates the users to logon. The LogonUser API determines the manner in which the account has been logged on. For example, it can be logged locally or through an external or remote network.

NOTE When the account is logged on locally, the information about the users is maintained so that if the domain controller cannot be accessed the account can perform an offline logon.

Although Basic authentication is a very unsecured protocol, its weaknesses can be overcome by combining it with SSL/TLS protocols. When Basic authentication and SSL/TLS are working in conjunction, all the data is first encrypted by SSL/TLS. This adds a very strong security feature to the otherwise securitydeficient Basic authentication mechanism. Moreover, being a part of the HTTP suite, Basic authentication is supported by a large number of browsers.

Digest Authentication Digest Authentication is a part of the HTTP1.1 protocol. Digest authentication does not send a user’s credentials in clear text format. The following steps describe the working of the Digest algorithm:



Chapter 9

1. Some information is send from the server to the browser. This information, also referred to as the challenge, contains the identity of the client’s computer, the domain, and the time. 2. The browser prompts for username and password. 3. The password and the information are hashed to produce a digest. This digest is sent back to the server along with the information. 4. The server also hashes the password with the same information. 5. After the server receives the digest, it compares both the digests. 6. Only when both digests match is the authentication deemed successful.

Requirements for Digest Authentication For a proper Digest authentication to take place, the following points should be kept in mind: ◆

The computer running the Windows 2000 server should be an Active Directory Domain.

◆

Users should have their accounts in the Windows 2000 domain.

◆

All passwords should be reversibly encrypted before the domain controller stores them. This can be done by configuring all those accounts that use Digest authentication with the Store Password Using Reversible Encryption option enabled. After setting this option, the user needs to change her password. If the password is not changed, the complete process will not work.

◆

IIS should be configured to use Digest authentication.

◆

The IISSUBA.DLL file should be present in the domain controller.

Integrated Windows Authentication Integrated Windows Authentication consists of two protocols, namely KerberosV5 and Challenge-Response.

NOTE The Challenge-Response protocol was formerly referred to as the NTLM protocol.


335

336

Part III

NETWORK SECURITY

Kerberos V5 enjoys the following advantages over the Challenge-Response protocol: ◆

Kerberos V5 authenticates both the server and the clients, unlike Challenge-Response, which authenticates only the clients.

◆

Kerberos offers more security than Challenge-Response.

◆

It is faster than Challenge-Response.

◆

It allows delegation, that is, the identify of one client can be passed from one computer to another.

The Integrated Windows authentication is accomplished in the following manner: 1. If a user has logged on to a domain, the browser tries to gather the user’s credentials from the logon information itself. 2. If it is unsuccessful, that is, if the user has not logged on, the browser keeps on prompting the user for her credentials or returns an error.

Certificate Authentication To authenticate users, IIS can use the certificates of users and then map the user accounts with the users. For this, a user needs to obtain a certificate from a CA. After the user obtains the certificate, the browser can use this certificate to prove that it possesses the private key. IIS supports the SSL/TLS protocols for certificate authentication tasks. An SSLenabled IIS provides the following options:

Errors Two main errors are closely associated with HTTP requests. These are the HTTP 401 error and the HTTP 403 error. An HTTP 401 error is encountered when the credentials of the user are incorrect, such as if a username has been misspelled or the password is incorrect. An HTTP 403 error occurs when the credentials are correct but the user account does not have the required level of rights or permissions to access the resources.



Chapter 9

◆

Require Secure Channel (SSL). Allows you to communicate over the HTTPS interface only.

◆

Enable client certificate mapping. Allows you to map certificates to user accounts. You can edit these mappings in the following two ways: • One-to-one mapping. Allows you to specify a certificate and the user account to which it’ll be mapped. • Many-to-one mapping. Allows you to match a defined criteria, such as files of the certificates.

◆

Configure Client Authentication. Allows you to manage and configure client authentication with the following options: • Accept Client Certificates. Allows IIS to map the client’s certificate with Windows user accounts when the client accesses the network over an HTTPS interface and presents a certificate. • Require Client Certificates. IIS requires that the clients present a valid certificate before accessing the network. • Ignore Client Certificates. Allows the client to access the network without any certificate.

You can use the Web Server Certificate Wizard in the Internet Services Manager to create and manage server certificates. To create a certificate for a Web site, you need to perform the following steps: 1. Open the Administration Web Site Properties dialog box from the Internet Services Manager. 2. Select the Directory Security tab. 3. Click on the Server Certificate button to open the Web Server Certificate Wizard, as shown in Figure 9-22. 4. Click Next. You’ll assign a certificate to a Web site. As shown in Figure 9-23, you can choose from three methods to assign a certificate. These are Creating a new certificate, Assigning an existing certificate, and importing a certificate from a Key Manager backup file.


337

338

Part III

NETWORK SECURITY

FIGURE 9-22 Web Server Certificate Wizard.

FIGURE 9-23 Methods for assigning a server

certificate.

5. Click Next. As shown in Figure 9-24, you can send the certificate request later or immediately. 6. Click Next. As shown in Figure 9-25, you can specify the name of the certificate and the security settings.



Chapter 9

FIGURE 9-24 Sending the certificate request.

FIGURE 9-25 Specifying the name and security

settings.

7. Click Next. As shown in Figure 9-26, you need to give your organization’s name and the unit for which this certificate will be issued. 8. Click Next. As shown in Figure 9-27, you can give a common name to your site. This common name will be the fully qualified domain name.


339

340

Part III

NETWORK SECURITY

FIGURE 9-26 Specifying organizational information.

FIGURE 9-27 Specifying the common name.

9. Click Next. As shown in Figure 9-28, you need to give your geographical location. 10. Click Next. As shown in Figure 9-29, you can mention the certificate request file name.



Chapter 9

FIGURE 9-28 Specifying geographical location.

FIGURE 9-29 Specifying certificate request file name.

11. Click Next. The Request file summary appears as shown in Figure 9-30. 12. Click Next. As shown in Figure 9-31, your request for a certificate has been created and stored in the mentioned location. 13. Click Finish.


341

342

Part III

NETWORK SECURITY

FIGURE 9-30 Request file summary.

FIGURE 9-31 Completing the Web Server Certificate

Wizard screen.

After your certificate request has been created, you can send it to a CA that is trusted by your Web Server.

Access Control After authenticating the users, IIS uses some access control filters, such as Web server access permissions, file system permissions, and IP address permissions to control access. Before discussing each of these in detail, let me first describe the access control process.



Chapter 9

Access Control Process Following are the steps in the access control mechanism of IIS: 1. A client sends a request to access some resources from IIS. 2. The client might or might not be asked to authenticate itself by the IIS. 3. IIS verifies the IP address of the client. In the case of Web access, the client’s DNS is also verified. IIS might be configured to deny access to some particular IP addresses. As a result, in this step all those IP address that are denied access are filtered and an HTTP 403 error is returned to the client. 4. IIS checks the user account that has been mapped to the user during the authentication process. If the username and the password are valid, the process carries on; if not, an HTTP 403 error results. 5. IIS checks the compatibility between the Web or FTP access permissions and the type of access (read, write) requested by the client. 6. If any third party security modules have been specified by the administrators, IIS contacts them. 7. The last check performed by IIS is that of compatibility between NTFS permissions and the type of access requested. If any incompatibility is reported during a Web request, IIS reports an HTTP 401 request. 8. Finally, if all the conditions are satisfied, IIS agrees to the client’s request.

Access Control Filters IIS supports the following three types of access control filters: ◆

Network address access control

◆

Web Server permissions

◆

NTFS permissions

Network Address Access Control You can configure IIS to deny or permit access on the basis of IP addresses, range of IP addresses, and FQDNs. You can select either a single computer (identified by an IP address), a group of computers (identified by the IP address and the subnet mask), or a domain name (identified by the computer’s FQDN or a subdomain of the form *.subdomain.com).


343

344

Part III

NETWORK SECURITY

Web Server Permissions Web server permissions and FTP permissions allow you to specify the operations that can be carried on the resources. These permissions are applicable to all clients. If there are conflicting permissions, the permissions that are more restrictive take precedence.

NTFS Permissions NTFS permissions are applied after all other permissions have been applied. These are the permissions that are responsible for finally controlling access to resources. When you are configuring NTFS permissions, you need to first convert your disk partition from FAT to NTFS. This is because access control permissions that restrict access to resources are only available in the NTFS.

Summary IIS is a Windows 2000-based Web server that allows you to create and manage Web sites. IIS provides you with a number of security features, such as encryption, authentication, access control, auditing, and certificate services. In this chapter, you learned that IIS comprises a number of services, such as FTP, HTTP, SMTP, and NNTP. Each of these services provides you with certain security mechanisms that you can use to provide security to your network resources. You also learned that authentication is one of the core security features of IIS. As a result IIS supports many authentication mechanisms, such as anonymous, basic, digest, Integrated windows, and Certificate authentication.

Check Your Understanding Multiple Choice Questions 1. In which of the following tabs can you specify the identification and connection details for your FTP service? a. Home Directory b. FTP Site c. Directory Security d. Security Accounts



Chapter 9

2. Which of the following tabs in the Web Site Properties dialog box allows you to specify whether the contents of the Web site can be edited by authoring or not? a. Server Extensions b. HTTP Headers c. Directory Security d. Documents 3. In anonymous authentication, IIS maps the user to a local account known as __________ . a. IGST_computername b. IADM_computername c. IUSR_computername d. IUSR_domainname 4. An __________ error is encountered when the credentials of the user are incorrect. a. HTTP 410 b. HTTP 401 c. HTTP 403 d. HTTP 413

Answers Multiple Choice Answers 1. b. Under the FTP Site you can specify the identification and connection details for your FTP service. 2. a. The server extensions tab in the Web Site Properties dialog box allows you to specify whether the contents of the Web site can be edited by authoring or not. 3. c. The local account in the anonymous authentication is IUSR_computername. 4. b. An HTTP 401 error occurs when the credentials of the user are incorrect.


345



Chapter 10 Remote Access and VPN


ost of today’s organizations function with remote offices. Allowing remote access to your networks enables your organization’s employees to access corporate information from anywhere in the world. In such circumstances, it is important to provide security for remote access. The dial-up and VPN connections should be configured in a way that they allow only authenticated users to access data traffic between remote offices without exposing sensitive data. Windows 2000 contains many tools to secure remote communications and connections to and from networks.

M

In this chapter, you will find information about securing the remote access services and other aspects of securing remote connections, such as authentication and authorization over remote access connections, remote access policies, and authorization techniques. VPNs allow you to set up a connection over a public network to emulate a private link. The chapter further discusses types of VPN connections, features of VPNs, and VPN protocols. Finally, the chapter explains how the Remote Access Dial In User Service (RADIUS) protocol is implemented in Windows 2000 Internet Authentication Services (IAS).

Remote Access Services Windows 2000 offers a built-in service called Routing and Remote Access Service (RRAS) that allows users to log on to a Windows 2000-based network remotely. Using RRAS, users can log in to a remote network using a dial-up modem, an X.25 connection, or a WAN link. Clients can dial-in from remote locations and access resources as if they were physically attached to a network. RRAS allows remote clients to establish a transparent connection to a remote access server. This type of connection is called a point-to-point remote access connection. Clients can also transparently connect to a network to which the remote access server is connected. This is called point-to-LAN remote access connection. Windows 2000 Point-to-Point Protocol (PPP) connection supports the following: ◆

Dial-up remote access. Clients can connect to the RRAS server using telephone lines and a modem. Faster links are possible using Integrated


REMOTE ACCESS AND VPN

Chapter 10

Services Digital Network (ISDN). RRAS clients can also connect using X.25 or PPTP. Figure 10-1 shows a client connecting to the remote access server by using telephone lines and modem. ◆

VPN access. Remote clients connect to a listening TCP port on a remote access server by using PPTP or L2TP over IPSec. The VPN access requires an existing IP connection that could be a dedicated connection, such as a T1 link or a dial-up connection to an ISP by a remote access client.

RRAS is compatible with most major networking protocols, including TCP/IP, IPX, and NetBEUI.

Features of RRAS Important features of RRAS include the following: ◆

RRAS supports multi-protocol routing. The RRAS architecture allows clients to run any combination of the network protocols NetBEUI, TCP/IP, or IPX during a RRAS session.

◆

RRAS supports a high level of security. Dial-in users are authenticated by Windows 2000 Server standard security. Additional security is available through the callback facility, which can be used to check whether the number of the calling client computer is authentic.

◆

RRAS supports a variety of remote clients including Windows 9x, Windows NT/2000, MS DOS, and LAN Manager. Clients can also be nonMicrosoft PPP clients.

◆

RRAS supports various methods of WAN connectivity. Clients can connect to a RRAS server using PSTN and modems, ISDN, X.25, and PPTP.

FIGURE 10-1 A remote access client connected through PSTN and modem.


349

350

Part III

NETWORK SECURITY

WAN Connectivity Remote clients can access a RRAS server using various methods including dialup modems and WAN links. These methods are as follows: ◆

Public Switched Telephone Network (PSTN) and modems. RRAS uses standard modem connections over PSTNs. Windows 2000 can automatically detect modems. It is also possible to install a modem manually through the Phone and Modem options in the Control Panel.

◆

ISDN. ISDN offers a much faster communication speed than a standard telephone line. An ISDN line must be installed at both the server and the remote site. In addition, an ISDN card must also be installed in place of a modem in both the server and remote clients.

◆

X.25. X.25 is a standard packet-switching communication protocol designed for WAN connectivity. RRAS supports connections based on the X.25 standard by using Packet Assembler/Disassembler (PADs) and X.25 smart cards.

◆

PPTP. RRAS also allows access to remote users through the Internet by using PPTP.

When PSTN, ISDN, or X.25 is used, remote clients establish PPP connections with a RRAS server over a switched network. In contrast, when PPTP is used, instead of using a switching connection to send packets over a WAN, a transport protocol, such as TCP/IP, is used to send the PPP packets to the RRAS server over a virtual WAN.

RRAS Connection Methods When using dial-up connections, remote clients must be configured to support dial-up protocols. Windows 2000 supports the following dial-up protocols: ◆

PPP. PPP is a set of industry standard protocols that enables RRAS clients and servers to interoperate in a multi-vendor network. PPP support enables computers running Windows 2000 to dial in to remote networks through any server that complies with the PPP standard. The PPP architecture also enables clients to load any combination of protocols, such as IPX, TCP/IP, and NetBEUI. PPP also supports dynamic IP address assignment.

◆

SLIP. SLIP is a basic protocol developed mainly for the UNIX environment. SLIP has several limitations in comparison to PPP. It requires a



Chapter 10

static IP address and supports TCP/IP, but it does not support IPX/SPX or NetBEUI. ◆

Microsoft RAS Protocol. Microsoft RAS Protocol, also known as Asynchronous NetBEUI or AsyBEUI, is a remote access protocol that provides remote access to various Microsoft operating systems.

Remote Access Security Windows 2000 user accounts and domains provide security by using encrypted authentication. RRAS provides additional security features, such as callback and data encryption. Third-party security hosts can also be installed to prevent unauthorized access to the network through a remote access server. In the following sections, I discuss some security features of RRAS.

Authentication and Authorization A remote access server must authenticate remote users before they can access or generate traffic on the network. User passwords and authentication procedures should be encrypted when transmitted over telephone lines. Connection between a network and the user is established when the network authenticates the user by verifying the user ID and password. The connection is authorized if the user has the appropriate right defined in the remote access policies. The authentication and authorization can take place as follows by using the Windows 2000 authentication (Figure 10-2): 1. The client requests the remote access server by dialing into it.

FIGURE 10-2 Windows 2000 authentication and authorization for a RRAS server.


351

352

Part III

NETWORK SECURITY

2. The RRAS server verifies with the domain controller that the client is a valid client. 3. After the domain controller authenticates the client, the RRAS server checks the remote access policy to verify that the client is authorized. The RRAS server can also be configured to accept RADIUS. RADIUS is an Internet security protocol that is strongly based on the client/server model, where the machine accessing the network is the client and the RADIUS server at the network end authenticates the client. In this case, the dial-up credentials of the user are passed to the RADIUS server. Remote access policy is then configured on the RADIUS server and not on the RRAS server, as shown in Figure 10-3. Generally, a RADIUS server authenticates a user by using an internal username/password list that it maintains. In addition, RADIUS servers can also act as clients to other RADIUS servers. The authentication and authorization can take place as follows by using the Windows 2000 authentication: 1. The client requests the remote access server by dialing into it. 2. The RRAS server verifies with the RADIUS server that the client is a valid client. 3. The RADIUS server checks with the domain controller for authentication. 4. After the domain controller authenticates the client, the RADIUS server checks the remote access policy to check whether the client is authorized.

FIGURE 10-3 Windows 2000 authentication and authorization with RADIUS.



Chapter 10

Authentication Methods Windows 2000 RRAS supports the following authentication methods: ◆

Password Authentication Protocol (PAP). PAP provides a simple method for a remote client to establish its identity using a two-way handshake. It is not a secure authentication protocol because passwords are sent in clear text and there is no protection from replay or trial-anderror attacks.

◆

Shiva Password Authentication Protocol (SPAP). SPAP is used by remote access clients to authenticate itself to a Shiva remote access server or a Windows 2000 server. It is more secure than PAP but does not provide protection against server impersonation.

◆

CHAP. CHAP does not send passwords over the link. It sends an arbitrary challenge string from the server through a hashing algorithm. The server identifies the user, obtains the password from the directory, and performs the same hashing against the challenge. If the results match, it authenticates the user.

◆

Microsoft Challenge Handshake Authentication Protocol (MSCHAP). MS-CHAP is the Microsoft version of CHAP and is a nonreversible encrypted-password authentication protocol. It stores the user’s password in an MD4 hash; therefore, the RRAS server requires an MD4 hash of the password. This protocol is vulnerable to dictionary attacks.

◆

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). MS-CHAP v2 is a one-way, encrypted-password, mutual authentication process. Separate keys are used for transmitting and receiving data. It provides stronger encryption keys by deriving them from the user’s password and an arbitrary challenge string.

Internet Authentication Server (IAS) Windows 2000 implementation of RADIUS is called IAS. If an IAS server is used, the authentication occurs between the IAS server and the DC. Authorization happens with the help of dial-up properties configured for individual user accounts and remote access policies. The RRAS server acts as the RADIUS client and authenticates the IAS server.


353

354

Part III

NETWORK SECURITY

◆

EAP. EAP is an open standard and a source for support for Windows 2000 that allows authentication methods to be written for technologies including token cards and biometrics.

Remote Access Policies The Windows 2000 RRAS and Windows 2000 IAS both use remote access policies to determine whether to accept or reject connection attempts. With remote access policies, you can grant remote access by individual user account or through the configuration of specific remote access policies. The remote access policies can be configured using Routing and Remote Access snap-in. The default remote access policy denies connections unless access is allowed for individual users. You can deny or grant dial-in access to the remote clients by validating frequent connection attempts. The connection attempt is

NOTE If a network uses a RRAS server for client authentication, the remote access policies are set on the RRAS server. However, if an IAS server is used, the remote access policies are centrally managed and configured on the IAS server. Any policies configured on the RRAS server are ignored.

authorized only if it meets one of the requirements of authentication, encryption, or other connection of remote access policies. If the settings of the connection do not match any of the requirements of authentication or encryption, the connection fails. You can modify the default remote access policy by clicking the Edit button in its properties dialog box, as shown in Figure 10-4. Multiple remote access policies can be applied for different sets of conditions to different remote access clients for the following: ◆

Allow existing Windows 2000 security groups to allow or deny access to users.

◆

Set different time and day of the week when access clients can connect to the remote access server. If the connection attempt does not match the setting for the time and day, the connection attempt is rejected.



Chapter 10

FIGURE 10-4 Default remote access policy

properties dialog box.

◆

Configure different authentication methods for dial-up and VPN remote access clients. The remote access server needs to be configured for enabling authentication methods for providing connection.

◆

Set different authentication or encryption strengths for PPTP or L2TP connections.

◆

Configure settings for limiting the maximum session time for different user accounts based on group membership.

You can define remote access policies to allow or deny remote access based on specified conditions. The remote access server checks for the condition of the remote access request and then evaluates them against the remote access policy specified. The remote connection is made when the conditions match. You can define the conditions specified in Table 10-1 to specify which remote access policy should be applied to the remote connection. You can add these conditions by clicking the Add button in the remote access policy properties dialog box using the Select Attribute list, as shown in Figure 10-5. To standardize multiple policies across multiple RRAS servers, you should install an IAS server and configure each RRAS server as a RADIUS client. The RRAS servers will now receive their remote access policies from the IAS server.


355

356

Part III

NETWORK SECURITY

FIGURE 10-5 Select Attribute list.

Table 10.1 Remote Access Policy Conditions Condition

Description

Called-Station-ID

The phone number of the network access server connected to by the remote access client. This condition allows you to indicate the remote access policy to apply if a specific phone number is dialed by the remote access client.

Calling-Station-ID

The phone number from which the remote access client requested the connection.

Client-Friendly-Name

The name of the RADIUS client (NAS) that is forwarding the authentication request. This condition allows you to apply remote access policies based on the RADIUS client to which the remote access client is connected.

Client-IP Address

The IP address of the RADIUS client that forwarded the authentication request. This condition is used to identify RADIUS clients for VPN authentication requests.

Client-Vendor

Identifies the manufacturer of the RADIUS client that forwarded the authentication request. This condition can be used to apply manufacturer-specific remote access policies.

Day-And-TimeRestrictions

Allows you to restrict connections to specific days of the week or times of day.



Chapter 10

Table 10.1 Remote Access Policy Conditions (continued) Condition

Description

Framed Protocol

Allows you to define which remote access protocols are allowed for connections. For example, you could permit connections to use only PPP and X.25 and restrict SLIP.

NAS-Identifier

Allows you to identify the RADIUS client that forwarded the request by comparing the shared secret string sent by the RADIUS client to a shared secret string defined in the remote access policy.

NAS-IP-Address

Allows you to identify the RADIUS client by its IP address. This is useful if you want to apply different remote access policies to a specific VPN server.

NAS-Port-Type

Allows you to identify the medium used by the remote access client to request a connection. You can specify dial-up, ISDN, or VPN connections.

Service-Type

Allows you to identify the service requested by the client. For remote access clients, the type of service will typically be framed.

Tunnel-Type

Allows you to restrict which protocol a client uses for a VPN connection. You can restrict the connection to use PPTP or L2TP depending upon the existing network infrastructure.

Windows-Groups

Allows you to restrict access by Windows 2000 group membership. It’s recommended that you use Windows 2000 Universal groups as the group type.

Remote Access Policy Profiles Once a remote access connection attempt is found to match the conditions defined for a specific remote access policy, the remote access policy profile is applied to the connection. While conditions are used to identify a remote access connection attempt, the profile defines the security settings that the remote access connection must implement. These security settings can include the authentication method and encryption level required to proceed with the connection. You

NOTE VPN and RADIUS are discussed in detail in later sections.


357

358

Part III

NETWORK SECURITY

can define the properties for a remote access policy profile to secure remote access connection attempts by using the following tabs in the Edit Dial-in Profile dialog box, as shown in Figure 10-6: ◆

Dial-in Constraints. In this tab, you can define how long a connection can remain idle before it is disconnected, the maximum time for session lengths, day and time limits, dial-in number constraints, and dial-in media. You use the dial-in constraints to ensure that remote access sessions are terminated if they are idle for a long time.

◆

IP. In this tab, you can define packet filters to restrict access to the network for the remote access client. You can define the packet filters by permitting all traffic except for the listed protocols or denying all traffic except for the listed protocols.

◆

Multilink. No security-related settings can be defined for multilink attributes.

◆

Authentication. In this tab, you can define the authentication protocols required for a connection.

◆

Encryption. In this tab, you can define the required encryption levels. You can choose no encryption, basic encryption (40-bit keys for DES and MPPE), strong protection (56-bit keys for DES and MPPE), or strongest encryption (3DES and 128-bit MPPE).

◆

Advanced. In this tab, you can define advanced RADIUS attributes that are used when remote access connections use RADIUS authentication.

Dial-Up Permissions You can grant dial-up permissions for user accounts by changing the domain user’s account in the Dial-in tab of the User Properties box. For a stand-alone remote access server, permissions can be granted by changing the user’s account properties in the Local Users and Groups snap-in. You can also set dial-in properties for an Active Directory-based server by changing the Dial-in tab of the user account properties in the Active Directory Users and Computers snap-in. You can define the following settings to secure remote access for each user account: ◆

Remote Access Permission. You can set permissions for a user to allow access, deny access, or control access through remote access policy. Even if you select the Allow access policy, remote access policy will be checked to verify that the connection attempt matches the defined profile settings.



Chapter 10

FIGURE 10-6 Remote access policy profile

settings.

◆

Verify Caller-ID. If you specify a Caller ID value against this option, the phone number from which the remote access connection is requested can be verified against this value. If the phone number does not match, the connection is not allowed.

◆

Callback. RRAS also supports the callback feature, which ensures that only users from specific locations can access the remote access server. When using callback, the user initiates a call and connects with the remote access server, and disconnects. The server then calls the client back at a preset phone number or at a number that was provided during the initial call. You can choose to have no call back, have the remote access client provide the phone number, or require callbacks to a predetermined phone number.

◆

Assign a Static IP Address. This property can be used to assign a specific IP address to a client connection. However, specifying this option requires that the client always connect to the same remote access server.

◆

Assign Static Routes. This property can be used to define a series of static IP routes that are added to the routing table of the remote access server when a connection is made. This setting is designed for user accounts that Windows 2000 routers use for demand-dial routing.


359

360

Part III

NETWORK SECURITY

Remote Access Policy Models Windows 2000 has three models for remote access permissions and setting connections. The model you choose depends on your need for setting dial-up permissions and on your need for configuring Active Directory. Access by User In the access by user administrative model, remote access permissions are dependent on the remote access permission setting on the Dial-in tab of the user account. The user’s dial-in permissions can be enabled to allow or disallow access by setting remote access permission to Allow access or Deny access. If the user’s remote access permission is set to either Allow access or Deny access, you can override the remote access permission setting on the remote access policy. However, the remote access policy conditions can be enforced to set connection settings, such as encryption and idle time-outs by modifying the remote access policy. Access by Policy in a Windows 2000 Native-Mode Domain In the access by policy administrative model for a Windows 2000 native-mode domain, the remote access permissions can be configured to set each user account to Control Access through Remote Access Policy. This permission setting in the remote access policy defines whether to allow or deny remote access. Access by Policy in a Windows 2000 Mixed-Mode Model In the access by policy administrative model for a Windows 2000 mixed-mode domain, the remote access permission on each user account is set to Allow access. The Control Access through Remote Access Policy option is not available for a Windows 2000-based remote access server. After setting the Control Access through remote access policy feature, the default remote access policy is deleted, and separate remote access policies are created to define the types of connections allowed. In such a situation, if a connection attempt matches the conditions of a policy, the connection is accepted.

Remote Access Account Lockout The Account Lockout policy specifies how many times remote access authentication can fail against a valid user account before a user is denied access. It is not



Chapter 10

available by default. The Account Lockout feature prevents the system from dictionary attacks. The main drawback of this feature is that it does not differentiate between malicious user attempts and users who might have forgotten their passwords. Therefore, the account can be deliberately locked out by malicious users when they attempt multiple authentications, thereby preventing the authentic user from being able to log on until the account is unlocked by an administrator.

Authorization Techniques You can use remote dial-up authorization features when you need to verify that the connection attempt is allowed. For implementing these authorization features, there should be support from the entire phone system that the caller uses. This includes the phone system between the caller and the remote access server, and all the hardware used for communication. The process of authorization will fail, if any part of the connection does not support the authorization. Windows 2000 supports the following authorization methods: ◆

Automatic Number Identification/Calling Line Identification (ANI/CLI). You can use the ANI/CLI to specify the telephone number that the dial-up user can use while dialing to a remote access server. ANI/CLI is similar to caller ID security. You can configure caller ID as part of the dial-in properties of the dial-up client. The connection attempt is rejected if the user does not call from the specified telephone number. However, the user does not have to provide the credentials to establish a remote access connection using ANI/CLI as against caller ID where the caller ID is verified after the user credentials are supplied.

◆

Dialed Number Identification Service (DNIS). DNIS identifies the phone number dialed by a remote access client. DNIS allows you to apply different remote access policies based on the phone number dialed by the remote access client. This is useful for organizations such as an ISP that provides different phone numbers to different clients even though all clients call the same modem pool. DNIS allows the ISP to identify which company the client is calling from and applies the correct remote access policy to the client.

◆

Intermediary Security Hosts. RRAS supports various kinds of intermediary devices between the remote access client and the remote access server. These devices include modem pools, security hosts, and X.25 networks. A security host is a third-party authentication device that verifies whether a


361

362

Part III

NETWORK SECURITY

caller from a remote client is authorized to connect to the remote access server. This verification is in addition to the security provided by RRAS and the Windows 2000 server itself. The security host is between the remote user and the RRAS server and prompts the remote user to type a user name and a password before the connection is established.

Demand-Dial Routing Demand-dial routing is a remote access connection in which a calling router dials up an answering router connected over a physical PPP link, such as an analog phone modem or ISDN, or over a tunneling PPP link, such as L2TP or PPTP. The two routers, calling and answering, are connected to their respective networks. Demand-dial routing provides the following benefits: ◆

Provides connectivity to the Internet without the use of leased lines. Demand-dial routing involves the use of ISDN or PSTN to connect to an Internet or to the Internet through an ISP.

◆

Provides connections through ISDN or PSTN. These connections are fast and cost-effective because time spent in establishing a connection is less.

◆

Provides authentication and encryption for remote connections. Demand-dial routing prevents unauthorized computers from gaining access to the network by requiring the calling router to provide credentials like user name and password.

◆

Provides users with secure connections over the Internet. You can use the PPTP or L2TP connection for users to dial-up a local ISP and create a secure connection over the Internet.

PPTP Filtering Using PPTP filtering, only PPTP packets are allowed, and the network adapter for all other protocols is disabled. Clients outside the network can use PPTP to connect to the computer through the Internet and gain secure access to a remote network.

Installing and Configuring Remote Access Services In this section, you will learn how to install RRAS in a Windows 2000 environment. You will also learn how to configure the network settings, protocols, and communication ports.



Chapter 10

Hardware Requirements Before you begin installing RRAS on your system, you need to verify that you have all the required hardware. To install RRAS, you’ll need the following: ◆

A network adapter card with an NDIS driver.

◆

A compatible modem and an available COM port.

◆

If you use X.25 network, an X.25 smart card.

◆

An ISDN card if you use an ISDN line.

Installing RRAS When you install a Windows 2000 server, RRAS is automatically installed. However, it is disabled. You need to start the service. The service in Windows 2000 is called RRAS. If your computer is a part of an Active Directory domain, you need to add your computer to the RRAS and IAS servers security group. You, as an administrator, can do this by using the Active Directory Users and Computers option, or with the following command: netsh

ras add registeredserver

To enable RRAS and configure the settings, follow these steps: 1. Open the Routing and Remote Access console, as shown in Figure 10-7. 2. You can see that the local computer is listed by default as a RRAS server. To add another server, choose Action, Add Server. From the Add Server dialog box, select the appropriate option and select OK. The Server name appears in the Tree. 3. To enable RRAS, right-click the appropriate server in the Tree and select Configure and Enable Routing and Remote Access. 4. The Routing and Remote Access Server Setup Wizard appears. Click Next. 5. From the list of configuration options, select Remote access server, as shown in Figure 10-8, and then click Next. 6. Verify that the remote client protocols you need are listed. If not, add the protocols you want to use on the server for remote access and then click Next.


363

364

Part III

NETWORK SECURITY

FIGURE 10-7 The Routing and Remote Access console.

FIGURE 10-8 Common Configuration Options in the

Wizard.

7. Assign the IP addresses to remote clients. You can either use DHCP (Dynamic Host Configuration Protocol) to automatically assign the IP addresses or you can specify a range of addresses to be used for the remote clients. Click Next after you have specified the IP addresses.



Chapter 10

8. Select whether you want to use RADIUS for remote user authentication, as shown in Figure 10-9. Windows 2000 provides a RADIUS solution called the IAS as an optional component that you can install through Add/Remove Programs. If you want to use RADIUS for authentication, specify the name of the RADIUS server. Click Next after specifying the authentication method. 9. Select Finish to enable Routing and Remote Access on your computer. The server components appear in the Routing and Remote Access Microsoft Management Console, as shown in Figure 10-10. 10. Right-click the server in the RRAS MMC and select Properties. In the Properties dialog box shown in Figure 10-11, notice that your server is configured as a remote access server. 11. Select the Security tab shown in Figure 10-12. Here you can specify the authentication and accounting providers to be used. Select the Authentication Methods button to choose the authentication method you want to use for your remote clients. The available options are Windows authentication and RADIUS authentication. 12. Select the IP tab shown in Figure 10-13. You can specify the range of addresses to be used for your remote clients by selecting Static address pool and then selecting Add. If you need a range of more than 254 addresses, you need to span the address range across more than one subnet.

FIGURE 10-9 Managing Multiple Remote Access

Servers.


365

366

Part III

NETWORK SECURITY

FIGURE 10-10 The Remote Server Components in the RRAS MMC.

FIGURE 10-11 Remote Server Properties—The General Tab.

FIGURE 10-12 Remote Server Properties — The Security Tab.



Chapter 10

13. Select the IPX tab. You can specify whether demand-dial connection should be enabled. You can also assign IPX network numbers for the clients, or you can let the server assign the network numbers automatically. 14. Select the PPP tab shown in Figure 10-14. You can enable multilink connections here. 15. Select the Event Logging tab shown in Figure 10-15. Select Log the maximum amount of information for help in troubleshooting connectivity problems. 16. Click OK to close the Properties dialog. 17. Right-click Ports in the RRAS MMC and select Properties. In the Port Properties dialog shown in Figure 10-16, you can configure your ports to use PPTP or L2TP. Use L2TP if you want to use IPSec. 18. Select WAN Miniport (PPTP) and then select Configure. From the Configure Device—WAN Miniport (PPTP) dialog box, select Remote access connections (inbound only). This dialog box is shown in Figure 10-17. Select the number of ports you want. You can configure up to 16,384 ports. Click OK.

FIGURE 10-13 Remote Server

FIGURE 10-14 Remote Server Properties — The PPP Tab.

Properties — The IP Tab.


367

368

Part III

NETWORK SECURITY

FIGURE 10-15 Remote Server Properties — The Event Logging Tab.

FIGURE 10-16 Port Properties.

19. Click OK in the Ports Properties dialog box. You can see the ports that you defined in the RRAS MMC. 20. From the RRAS MMC, select Remote Access Logging. 21. In the right pane, right-click Local File and select Properties. 22. Select Log authentication requests, as shown in Figure 10-18 and click OK. This logs all attempts to connect to the server. This completes the configuration of your RRAS server, the network settings, RRAS protocols, and the ports.

Configuring Dial-up Networking To access services provided by a RRAS server, you need to enable dial-up connections on the client machine. You need to create a new connection using the Network and Dial-up Connections option in the Control Panel. To create a new dial-up connection: 1. Open the Control Panel and double-click Network and Dial-up Connections. 2. Double-click Make New Connection to start the Network Connection Wizard and click Next.



Chapter 10

FIGURE 10-17 PPTP Port

Configuration.

FIGURE 10-18 Local File Properties.

3. Select Dial-up to private network and click Next. 4. Specify the phone number you want to dial to. If you want to specify the area code and the country you want to dial to, select Use dialing rules. Click Next to specify the connection availability. 5. Specify whether you want to make this connection available to all users and then click Next. 6. Specify whether you want to enable Internet connection sharing and click Next. 7. Specify a suitable name for the connection and then click Finish. To configure this connection, perform the following steps: 1. Right-click the new connection and select Properties. In the General tab you can configure the modem. You can also change the connection information. 2. Select the Options tab, as shown in Figure 10-19. Here you can specify the dialing and redialing options. If you have an X.25 connection, you can configure it by selecting the X.25 button. 3. Select the Security tab, as shown in Figure 10-20. Select Advanced (custom settings). Select the Settings button. You can specify the authentication protocols to be used for this connection.


369

370

Part III

NETWORK SECURITY

FIGURE 10-19 New Connection Properties — Options Tab.

FIGURE 10-20 New Connection Properties—Security Tab.

4. Select the Networking tab, as shown in Figure 10-21. You can specify the protocols and services available for this connection. 5. Select the Sharing tab, as shown in Figure 10-22. You can enable Internet connection sharing for this connection. 6. Select OK to configure your dial-up connection. In this section we saw what RRAS is and how to configure a RRAS server. You also learned how to configure a dial-up connection to access a RRAS server. Another popular remote connectivity solution is provided by Virtual Private Networking or VPN.

Virtual Private Networking You can use VPN to securely transfer data between remote offices over a private or public network, such as the Internet, so that it emulates a point-to-point link between two ends through which data is transmitted. If you need to secure transmission of data between remote offices, you should know how to implement VPN in a private intranet and public network. You can secure data transmitted not only over a public network but also within an organization by using VPN, as shown in Figure 10-23. For example, assume that



FIGURE 10-21 New Connection Properties—Networking Tab.

Chapter 10

FIGURE 10-22 New Connection Properties—Sharing Tab.

your organization has a department which is so sensitive that you have put it on a separate network segment. You can use VPN to connect this segment to the rest of your network, so that access to this department is restricted. Thus, you can also connect users who are not physically connected to the separate network to access resources in it. To do so, you can establish a remote VPN connection to the VPN server on the isolated network and gain access to the resources. The data transmitted over this connection is encrypted to provide security. A VPN differs from a private network in the following ways: ◆

In a VPN, any valid user can connect to the central organizational network in a manner that is quite similar to local users of the central network. For example, remote users can use the same addressing scheme to connect to the organizational network as is used by the local users of the network.

◆

The organization’s network also authenticates its own users who connect to the public network. This authentication process is in addition to the authentication that is done by the public network.

◆

On the basis of the software used by the remote users, ISPs provide a unique dial-up telephone number to each of their customers. This number distinguishes the services of one ISP from another.


371

372

Part III

NETWORK SECURITY

FIGURE 10-23 VPN connection between remote offices using a private and a public network.

An organization uses a public network, the Internet in this case, to connect different remote users and networks or simple remote clients. But when the data is being transferred over a public network, how is its security ensured? A VPN uses tunnels to provide connectivity between two ends of the network in a manner similar to point-to-point communication. Tunneling is the process of encapsulating a data packet in a tunneling protocol, such as IPSec, PPTP, or L2TP. After the packet has been encapsulated, it is packaged into an IP packet and then sent to the destination address. Tunneling is carried out with the help of logical dedicated channels referred to as tunnels.

VPN Connections In VPN technology, two types of connections are possible, the remote access connection and router-to-router connection. A remote access connection is made



Chapter 10

between a single Windows 2000 client and the RRAS server. The VPN server provides access to all the resources that it is attached to. Security is provided by a client authenticating itself to the VPN server. In this type of connection, a separate tunnel is created for each client. A router-to-router VPN connection is used to connect two networks over the intranet. You can go for this type of VPN when you have two departments in separate locations that transmit sensitive data. The computers that are used to establish the VPN connection on both ends should be configured to act as routers. After the connection is established, you can transfer data safely. The transmitted data is encrypted. In this case, the calling router becomes the VPN client. You can also use router-to-router VPN connection to connect two remote offices over the Internet by creating a secure tunnel between both ends. The VPN routers at both ends connect to a local ISP before they establish a VPN connection. You can use a dial-up or dedicated connection to connect to an ISP.

Features of VPNs VPNs should incorporate the following features for ensuring data security and reliability: ◆

Encapsulation. A VPN solution must encapsulate private data with a header before transmitting it over the public network.

◆

Authentication. A VPN solution must ensure authentication to verify that the tunnels are established only between those peers who have a proven identity. A secure VPN solution can authenticate encryption devices as well as users. This would ensure that only authenticated users can establish a tunnel. Though password protection is the most commonly used authentication method, it is inherently insecure because passwords can be easily broken or hacked. This is the reason most VPNs support X.509 digital certificates.

◆

Encryption. To ensure that the data that travels over the public network is secure, it should be encrypted by the sender and decrypted by the recipient. Encryption is essentially carried out with the help of tunneling protocols.

◆

Key management. A good VPN solution should have automated key management. Automated key management defines the validity or lifetime of session keys. Most VPN solutions require these keys to be entered on each network device manually. However, as the number of


373

374

Part III

NETWORK SECURITY

network devices increase, manually entering keys on each device becomes cumbersome. In addition, manual entry of keys is insecure. A VPN solution that has the ability to set the lifetime or validity of the keys is preferred because the keys are recycled at definite intervals of time. When the keys are recycled at set time intervals, the hackers get less time to break the keys and thus gain access to the information. ◆

Address allocation. When configured, a VPN server establishes a virtual interface that represents the interface on which the connections are made. The VPN server must assign IP addresses to the virtual interfaces. By default, the VPN sever gets these addresses for itself and the clients using DNS and WINS servers. If the VPN server approves the connection, it delivers this information to the client.

Knowing Tunneling Protocols The tunneling process involves three basic steps. In the first step, data packets are encapsulated within a tunneling protocol packet. Next, these encapsulated packets are transmitted across the network. When these encapsulated data packets reach the end of the tunnel, the final step is to extract the original data from the encapsulated packet and forward it to its final destination. You can configure Windows 2000 VPNs by using any (or a combination) of the following tunneling protocols: ◆

PPTP. Inherits the features and limitations of PPP. PPTP supports multi-protocol networking over public networks, such as the Internet.

◆

L2TP over IPSec. Combines the best features of PPTP and Layer 2 Forwarding (L2F) and incorporates them for use over PPP. This protocol provides for strong encryption and authentication features over the remote access connection.

◆

IPSec tunnel mode. Provides encryption security services to ensure integrity and authenticity of data packets that travel over the Internet.

You’ll now learn these tunneling protocols in detail in the following sections.

PPTP PPTP, with the extensions or modifications made in PPP, provides implementation of VPNs through public data networks such as the Internet. PPTP enables remote



Chapter 10

users to access their organizational networks and applications by dialing or connecting to the local ISP, instead of dialing directly into the organization’s network. PPTP does not specify any changes to the PPP protocol. However, it describes a new mode for carrying PPP. PPTP specifies a call-control and management protocol, which allows the server to control access for dial-in circuit, switch calls originating from a PSTN or ISDN, to initiate outbound circuit-switched connections.

PPTP Tunneling Process When the PPTP server receives a packet from the routing network, it obtains the necessary information (such as private network computer name or address information) in the encapsulated PPP packet. It then sends the encapsulated data packet across the private network to the destination computer. PPTP allows only IP, IPX, or NetBEUI datagrams to be encapsulated inside an IP packet. The multi-protocol support with PPTP is shown in Figure 10-24.

FIGURE 10-24 A PPTP multi-protocol support.


375

376

Part III

NETWORK SECURITY

Where the Internet is used as the intermediate public network, PPTP encapsulates the encrypted and compressed PPP frames into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet until they reach the PPTP server connected to the Internet and the private network. The PPTP server disassembles the IP datagram into a PPP frame and then decrypts the PPP frame using the network protocol of the private network. After the PPTP control session has been established, Generic Routing Encapsulation (GRE) protocol serves to encapsulate the data or payload in a secure manner. A typical PPTP packet encapsulated using the Internet Generic Routing Encapsulation protocol is shown in Figure 10-25. The data or payload passing through the tunnel is given a PPP header and then placed inside a GRE packet. The GRE packet carries the data between the two tunnel endpoints. After the GRE packet has arrived at the endpoint of the tunnel, it is discarded and the encapsulated packet is transmitted to its final destination. The client typically establishes a PPP connection to the client-side Network Access Server (NAS) at the ISP, and connects through the Internet to the PPTP-enabled destination. After the connection is established, you can implement and perform standard network validations, and all protocol-specific applications operate as if the user had dialed directly into a remote access server utilizing PPP. The target application server is reached only when the PPTP server has validated the PPP client utilizing RRAS authentication as initial security. Figure 10-26 shows how the PPP datagram is incorporated into the PPTP session.

FIGURE 10-25 GRE encapsulated PPTP packet.



Chapter 10

NOTE Remote access servers are often commonly known as NASs.

The user attempting the PPTP connection is authenticated using PPP-based user authentication protocols, such as EAP, MS-CHAP, CHAP, SPAP, and PAP. For PPTP connections, EAP-TLS using smart cards or MS-CHAP version 2 is highly recommended for authentication because they provide mutual authentication and are the most secure methods of exchanging credentials. PPTP provides encryption of data by using Microsoft Point to Point Encryption

FIGURE 10-26 PPTP tunneling process.


377

378

Part III

NETWORK SECURITY

(MPPE) if EAP-TLS or MS-CHAP is used. MPPE uses the RSA-RC4 stream cipher. MPPE can use 40-bit, 56-bit, or 128-bit encryption keys. The 40-bit key provides compatibility with client computers that are running earlier Microsoft operating systems than Windows 2000. For a VPN connection, you can specify PPTP when: ◆

You require backward compatibility for remote access clients running Windows NT 4.0 or Microsoft Windows 98, which support VPN only as PPTP.

◆

You require all data transmission to pass through a NAT server. PPTP is the only protocol that can pass through NAT because fields that the NAT process modifies are not encrypted by MPPE.

◆

L2TP over IPSec is not supported by network routers.

◆

No additional computer-based authentication is required, and therefore user-based authentication is adequate. PPTP does not support the authentication of the computers used in the remote access connection.

◆

Kerberos V5 or PKI does not exist.

In this section, you learned about the PPTP process; in the next section, you’ll learn about the benefits of PPTP.

Benefits of PPTP PPTP solves many problems for the network administrator who must accommodate remote users and avoid building and maintaining a relatively costly Wide Area Network through private lines. Because PPTP tunnels encapsulate IP, IPX, and NetBEUI protocols inside IP packets, users can run applications dependent upon certain network protocols. The tunnel also allows the target server to perform security checks and validations, and enables administrators and clients to encrypt data. This ensures the safety of the data transmitted over non-secure networks. If the ISP equipment supports PPTP, no additional software or hardware is required on the client end. It requires only standard PPP connection support.

L2TP L2TP combines the best features of PPTP and L2F tunneling protocols. This protocol is documented in RFC 2661. It encapsulates PPP frames to be transported over IP, X.25, Frame Relay, or ATM networks. Thus, L2TP can reliably



Chapter 10

transport all Network-layer protocols supported by PPP. You can even use L2TP as a tunneling protocol over the Internet. In L2TP, the PPP tunnel connection extends to the destination access gateway instead of being terminated at the ISP. The tunnel can be initiated from either the remote system or the ISP’s gateway access. In traditional dial-up networking services, the hosts connecting to the ISP are given registered IP addresses, which are used for communicating. This limits the applications that can be implemented in VPN. Because L2TP extends the PPP tunnels to the destination access gateway, it supports unregistered and privately administered IP addresses over the Internet. This provides flexibility in the use of the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adapters.

L2TP Tunneling Process Unlike PPTP, L2TP tunnel maintenance is not performed over a separate TCP connection. L2TP call control and management traffic is sent as UDP messages between the L2TP client and the L2TP server. In Windows 2000, the L2TP client and the L2TP server both use UDP port 1701. Windows 2000 implements L2TP over IPSec in which L2TP packets are sent as UDP datagrams and are encrypted using IPSec ESP as illustrated in Figure 10-27. Because a TCP connection is not used, L2TP uses message sequencing to ensure delivery of L2TP messages. Out-of-sequence packets are dropped. L2TP supports multiple calls for each tunnel. In the L2TP control message and the L2TP header for tunneled data is a Tunnel ID that identifies the tunnel and a Call ID that identifies a call within the tunnel.

FIGURE 10-27 L2TP packet.


379

380

Part III

NETWORK SECURITY

L2TP data tunneling is performed through multiple levels of encapsulation. Figure 10-28 shows the resulting structure of L2TP over IPSec tunneled data. The L2TP packet encapsulation occurs in the following sequence: 1. The initial PPP payload is encapsulated with a PPP header and an L2TP header. 2. The L2TP encapsulated packet is then encapsulated with a UDP header with the source and destination ports set to 1701. 3. Based on IPSec policy, the UDP message is encrypted and encapsulated with an IPSec ESP header and trailer and an IPSec Authentication trailer. 4. The IPSec packet is encapsulated with a final IP header containing the source and destination IP addresses of the VPN client and the VPN server. 5. To be sent on a LAN or WAN link, the IP datagram is finally encapsulated with a header and trailer for the data-link physical interface. For example, when IP datagrams are sent on an Ethernet interface, the IP datagram is encapsulated with an Ethernet header and trailer. When IP datagrams are sent over a point-to-point WAN link such as an analog phone line or ISDN, the IP datagram is encapsulated with a PPP header and trailer. You can specify L2TP over IPSec for VPN connections when: ◆

Stronger security than PPTP is required. L2TP by it itself does not provide encryption; IPSec is automatically used in the Windows 2000 L2TP

FIGURE 10-28 L2TP packet encapsulation.



Chapter 10

tunnel to negotiate SA between client computers. Encryption is provided by IPSec using both DES 56-bit and DES encryption algorithms. ◆

Added computer-based authentication is required. In L2TP communication, both computer and user authentication is performed. The mutual authentication between the VPN client computer and the VPN server computer is accomplished using IPSec certificates. For IPSec to authenticate the two ends, both of them should be configured for IPSec. User authentication occurs in a fashion similar to PPTP.

◆

You do not require all data transmission to pass through a NAT server. IPSec in L2TP protects the fields in L2TP packets, which prevents NAT from modifying the IP address and port information in the IP packet. Therefore, NAT drops these IP packets at the VPN server.

IAS ISPs and corporations maintaining wide networks face the increasing challenge of managing all remote access from a single point of administration—irrespective of the type of remote access equipment employed. The RADIUS standard supports this functionality in a homogeneous, as well as heterogeneous environment. IAS is the Windows 2000 implementation of RADIUS. When a remote clients requests a connection, the IAS server has access to user account information and can check remote access authentication credentials. If the user’s credentials are authentic, the IAS server authorizes the user’s access, based on specified conditions, and logs the remote access connections as accounting events. The main purpose of IAS is to allow the remote access user authentication, authorization, and accounting data to be maintained in a centralized location, rather than on each NAS. Users connect to RADIUS-compliant NASs, which, in turn, forward authentication requests to the centralized IAS server.

NOTE For more information about the RADIUS protocol, see RFCs 2138 and 2139.

IAS also allows companies to outsource remote access infrastructure to ISPs while retaining control over user authentication and authorization, as well as accounting.


381

382

Part III

NETWORK SECURITY

Different types of IAS configurations can be created for using Internet technology, such as configurations that enable: ◆

Dial-up access to your network.

◆

Internet access.

◆

Extranet access for business partners.

◆

VPN management.

◆

Outsourced corporate access through ISPs.

IAS Authentication and Authorization When attempting remote access, users do not connect directly to the IAS server. A user first connects to the NAS, which, in turn, operates as a client of an IAS server. The client passes user information to designated IAS servers, and then acts on the response. The IAS server receives user connection requests, authenticates the user, authorizes the connection attempt, and then returns all configuration information necessary for the RADIUS client to deliver service to the user. Figure 10-29 illustrates the standard IAS authentication and authorization process: When a user attempts to connect to a network through a dial-up connection or a VPN, the authentication request is processed as follows: 1. The remote access client dials the NAS. The NAS attempts to negotiate a connection with the client by using the most secure protocol first and then the next most secure protocol, continuing to the least secure proto-

FIGURE 10-29 The IAS Authentication Process.



Chapter 10

col. For example, a RRAS server tries to negotiate EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, and lastly PAP. 2. The NAS acts as the RADIUS client and forwards the authentication request to an IAS server in the form of a RADIUS Access-Request packet. 3. The IAS server verifies that the RADIUS Access-Request packet is sent from a valid RADIUS client by checking the source IP address. If the RADIUS client is valid and digital signatures are enabled for the RADIUS client, the digital signature in the packet is checked using the shared secret. Each IAS server must possess a shared secret for each NAS or other IAS server that forwards RADIUS requests to it. 4. If a digital signature is present, IAS verifies the signature. If the verification of the digital signature fails, IAS silently discards the packet and sends a RADIUS Access-Reject message to the NAS. If the verification of digital signature succeeds, the IAS server queries the Windows 2000based domain controller, validating the user’s credentials. 5. If the user credentials are authentic, the IAS server evaluates the connection attempt against the configured remote access policies and the dial-in properties of the user’s account to determine whether to authorize the request. If the connection attempt matches the conditions, IAS sends a RADIUS Access-Accept message back to the NAS. The Access-Accept message authorizes the connection but also contains connection parameters based on the remote access policy profile settings and the dial-in properties of the user account. The NAS interprets this authorization data to determine the connection parameters that the IAS server has authorized. If the user is not authentic or the user’s attempt to connect either does not match conditions in at least one policy or is denied by a remote access policy, IAS sends a RADIUS Access-Reject message to the NAS, and the NAS disconnects the user.

RADIUS RADIUS is a common method of authenticating and authorizing dial-up and tunneled network remote clients. It can process requests from both Microsoft and non-Microsoft clients. It also provides a method for centralized configuration of multiple remote access servers.


383

384

Part III

NETWORK SECURITY

You can centralize the authentication and allow users to connect to an organization with an ISP using a single sign-on by using a RADIUS server. By installing the IAS on a remote access server, you can install and configure a RADIUS server.

Components of a RADIUS Environment A RADIUS infrastructure contains servers that play different roles in the RADIUS authentication process. The following are the components of a RADIUS environment: ◆

RADIUS server. A RADIUS server is a server on which IAS and IIS are configured. It is the central location, which provides user authentication, authorization, and accounting data.

◆

RADIUS client. A RADIUS client is a server on which a remote access server is configured. A RADIUS client receives RADIUS authentication requests from remote access users and forwards them to a RADIUS server. A RADIUS client can be a remote access server, a tunnel server, or a NAS that can accept remote access connections.

◆

Dial-up client. A dial-up client is the remote access client connecting to the network using dial-up or VPN connections. Remote access clients may have to provide a prefix or suffix to identify the RADIUS server that a RADIUS proxy must forward the RADIUS authentication request to.

◆

RADIUS proxy. In some cases, an organization such as an ISP may have NASs that forward authentication requests to RADIUS servers from multiple organizations. A RADIUS proxy checks prefixes and suffixes in the user name provided by the remote access clients to determine the correct RADIUS server.

Single Sign-on Capability You can provide sign-on capabilities to remote access clients for providing authentication. Using the single sign-on feature, the remote access user supplies a single ID to authenticate the user, which both the ISP and Active Directory can use. The RADIUS authentication process involves the RADIUS client creating an Access request message, which includes the username, password, client ID, and port ID. This Access Request message is sent to the RADIUS server via the



Chapter 10

network. The RADIUS server receives and validates the shared secret. If the access request message is returned, it will have the configuration data needed by the client to access services on the network.

Tunneling with IAS The benefit of using IAS with tunnels is that IAS can be configured to direct traffic from the client through a tunnel to a particular location. Depending on the category of authenticating user, a tunnel can be created to different parts of the corporate network. Tunnels can be created in different ways. The following sections describe the two main tunnel types: voluntary tunneling and compulsory tunneling.

Voluntary Tunneling In voluntary tunneling, the client computer issues a VPN request to create a voluntary tunnel. In such a tunneling, the client computer is the tunnel end-point. The client computer uses tunneling client software to create a VPN tunnel to the target tunnel server. To accomplish this, an appropriate tunneling protocol should be installed on the client computer. In a dial-up situation, the client must establish a dial-up connection with the internetwork before it can establish a tunnel. If the client is on the organization’s network, that client is already connected to an internetwork. In voluntary tunneling, a separate tunnel is created for each client. Figure 10-30 shows a voluntary tunnel created between a dial-up user and a tunnel server. The voluntary tunneling process takes place in the following sequence: 1. A dial-up client establishes a dial-up connection to a NAS with an ISP. 2. Based on the dial-up connection parameters, the NAS dialed by the dialup client sends an Access-Request packet to a configured RADIUS proxy server. 3. The RADIUS proxy server, based on the realm name in the User-Name attribute, forwards the Access-Request packet to the IAS server of the corporate network situated behind a firewall, which is accessible over the Internet. 4. The corporate network IAS server authenticates and authorizes the connection attempt of the dial-up client and sends an Access-Accept packet back to the RADIUS proxy.


385

386

Part III

NETWORK SECURITY

FIGURE 10-30 Voluntary tunneling.

5. The RADIUS proxy forwards the Access-Accept packet to the ISP NAS and the ISP NAS connects the dial-up client to the Internet. 6. After the connection is established on the Internet, the dial-up client tries to establish a tunnel connection with the corporate network’s tunnel server on the Internet. 7. Based on the tunnel connection parameters, the tunnel server sends an Access-Request packet to the organization IAS server. 8. The organization IAS server authenticates and authorizes the connection attempt of the tunnel client and sends an Access-Accept packet back to the tunnel server. 9. The tunnel server accomplishes the tunnel creation, and the tunnel client can now send packets to the organization’s intranet through the tunnel.

Compulsory Tunneling In compulsory tunneling, a computer between the client computer and the server or a network device creates a secure tunnel on behalf of the client computer. As a result, the client computer is not the tunnel end-point. Also, the client computer does not require the tunneling software. The computer or the network



Chapter 10

device that creates a tunnel on behalf of the client computer is called a Front End Processor (FEP). To create a tunnel, an appropriate protocol must be installed on the FEP. A organization can use the services of an ISP to deploy a nationwide set of FEPs. These FEPs can establish separate tunnels across the Internet to a tunnel server connected to the corporate network, thereby consolidating calls from geographically diverse locations into a single Internet connection at the corporate network. Figure 10-31 shows the client computer attempting a dial-up call to a tunnelingenabled NAS at the ISP, to authenticate against an IAS server on the other side of the tunnel. The compulsory tunneling process takes place in the following sequence: 1. A dial-up client establishes a dial-up connection with an ISP. 2. Based on the dial-up connection parameters, the NAS dialed by the dialup client sends an Access-Request packet to a configured IAS server. 3. The ISP IAS server authorizes the tunnel connection and sends back an Access-Accept packet with a series of tunnel attributes. If required, the

FIGURE 10-31 Compulsory tunneling.


387

388

Part III

NETWORK SECURITY

IAS NAS creates a tunnel to the organization’s tunnel server on the Internet. 4. The ISP NAS then sends a PPP message to the dial-up client to restart the authentication process so that the dial-up client can be authenticated against the corporate network’s tunnel server. 5. The dial-up client sends its authentication information to the IAS NAS, which encapsulates it and sends it through the tunnel to the tunnel server. 6. After the tunnel server receives the authentication credentials, the tunnel server sends an Access-Request packet to the organization’s IAS server. 7. The corporate network IAS server authenticates and authorizes the connection of the dial-up client to the tunnel server and sends an AccessAccept packet to the tunnel server. 8. Finally, the tunnel server completes the connection to the dial-up client. All data that is sent by the dial-up client is automatically sent through the tunnel to the tunnel server by the ISP NAS. This configuration is known as compulsory tunneling because the client is forced to use the tunnel created by the FEP. After the initial connection is made, all network traffic to and from the client is automatically sent through the tunnel. Rather than creating separate tunnels for each voluntary client, a compulsory tunnel between the FEP and tunnel server can be shared by multiple dial-up clients. When a second client dials into the access server (the FEP) to reach a destination for which a tunnel already exists, the existing tunnel is used to transfer the data traffic.

Summary To allow users to securely access your organization’s network, you should carefully plan the security of remote access services. This chapter examined several tools provided by Windows 2000 to secure the remote connections and design a solution that best meets your requirements. In this chapter you learned how RRAS can be used to secure your network by authenticating users using remote access policies and dial-in properties. You also learned how VPNs allow you to establish a secure connection over a public network emulating a private link. Lastly, you learned how IAS performs the authentication and authorization of remote users. The implementation of RADIUS in IAS allows single sign-on and different types of tunneling to be implemented during remote access.



Chapter 10

Check Your Understanding Multiple Choice Questions 1. From the following statements about intranet-based VPNs, identify the true ones. a. They can be used to enable users of a private network to access the Internet. b. They can be used to connect remote users to a private network. c. They can be used to connect two private networks through a common VPN tunnel. d. They can be used to connect different remote users to each other through a VPN tunnel. 2. How can demand-dial connection be secured? a. By setting the call back number b. By enabling data encryption c. By requiring a secured password d. All of the above 3. Which condition is used to identify the IP address of the RADIUS client for VPN authentication requests? a. Client-Friendly-Name b. Client-IP Address c. NAS-Identifier d. NAS-IP-Address 4. Which of the following modes the PPTP control connection commands would be initiated at the client end? a. Compulsory tunneling b. Client-initiated tunneling c. Voluntary tunneling d. NAS-initiated tunneling 5. After the PPTP control session has been established, which protocol serves to encapsulate the data or payload in a secure manner? a. IPSec b. GRE


389

390

Part III

NETWORK SECURITY

c. MPPE d. PPP

Short Questions 1. Jim is the network administrator in Softy, Inc., which has offices in Washington, D.C., Boston, and New York. He is responsible for securing data transfer between these offices. The data should be encrypted before it is transferred. What should he do to accomplish this task? 2. Mary is the network administrator of Soft-chip, a computer chip manufacturing company. The company has a global presence and its head office is situated in Chicago. The company has opened a new office in Atlanta, and the payroll department has shifted to this office. The new office will be a part of the local intranet of the head office. The payroll department in Atlanta works with confidential employee data, so its network cannot be connected to the intranet. The department needs access to that data to create a long-term payroll structure for the organization, but the organization is hesitant to give all the employees at the new office access to the intranet due to the fear of security breaches. Suggest a solution to this problem? 3. What is a RADIUS client? 4. The headquarters of your organization situated in New York is planning to set up a VPN to access a new temporary office in Chicago. How does the configuration of your organization’s DMZ at the headquarters affect which protocol will be used for VPN tunneling.

Answers Multiple Choice Answers 1. b, c. 2. d. All the techniques listed in the chapter can be used to secure a demand-dial connection. 3. b. Client-IP Address is the IP address of the RADIUS client that forwarded the authentication request. This condition is used to identify RADIUS clients for VPN authentication requests.



Chapter 10

4. c. In voluntary tunneling mode the PPTP control connection commands would be initiated at the client end. 5. b. After the PPTP control session has been established, the GRE protocol serves to encapsulate the data or payload in a secure manner.

Short Answers 1. Jim should use Virtual Private Network over a private or public network for secured data transfer between remote offices. 2. A possible solution could be assigning specific users appropriate permissions to establish a VPN connection with a VPN server placed on the intranet so as to allow them to access the payroll department’s confidential data. In this case, the VPN server would not provide a direct physical route between the intranet and the payroll department’s network, so the chances of security leaks are greatly reduced. 3. A RADIUS client is a server on which a remote access server is configured. A RADIUS client receives RADIUS authentication requests from remote access users and forwards them to a RADIUS server. A RADIUS client can be a remote access server, a tunnel server, or a NAS that can accept remote access connections. 4. If the firewall protecting the DMZ implements NAT, you can only use PPTP as the VPN tunneling protocol because L2TP over IPSec and IPSec tunnel mode packets cannot cross a firewall.


391



PART

IV Other Security Features




Chapter 11 Reliability Features of Windows 2000


n operating system should provide reliability and durability for the hardware and software on the computer. It should be robust enough to handle the hardware and software changes that users make in the system. It should also have the tools that will help users monitor and tune the hardware, applications, and services running in the system. An operating system should have capabilities to safeguard the data stored on it. The system data, configuration files, and user data should always be protected against any contingencies and there should be tools available to back them up.

A

Windows 2000 offers excellent support in all these regards as it does in others. It is one of the most reliable and robust operating systems available; it includes diagnostics tools that help users garner information on various resources used by the operating system. Windows 2000 prevents the modification and deletion of critical system files by using the Windows File Protection mechanism. In addition, Windows 2000 provides various tools that help you maintain the disk drives and other storage media and tools to back up your data and restore it in case of disaster. Thus, Windows 2000 helps you optimize the use of various resources and take preventive measures that help to solve any problems that might arise. This chapter will explain the various diagnostics tools available in Windows 2000 that are used to monitor performance. Next, the chapter will explain the Windows File Protection mechanism. It will also discuss the various disk management tools available in Windows 2000 and examine Dynamic Disks. Finally, this chapter will explain the various backup and recovery tools used in Windows 2000 to protect and restore your system in case of a disaster.

Diagnostic Tools The diagnostics, or performance monitoring, tools help you gather information on various resources that the operating system uses. Using these tools, you can troubleshoot and tune any component that might not be functioning and configure it to perform to its optimum capacity. The diagnostic tools available for monitoring and tuning Windows 2000 are:


RELIABILITY FEATURES OF WINDOWS 2000

◆

Event Viewer

◆

System Monitor and Performance Logs and Alerts

◆

Task Manager

◆

Network Monitor

Chapter 11

The following sections elaborate on these tools.

Event Viewer Event Viewer helps users monitor events generated in the Application, Security, and System logs. These event logs of Event Viewer gather information about the hardware, software, and system problems in the following ways, as shown in Figure 11-1: ◆

Application log. This log contains events logged by applications or programs. For example, Internet Explorer crashing unexpectedly will generate a file error in the application log.

◆

System log. This log contains events logged by the Windows 2000 system components. For example, an unexpected shutdown of the system will be logged in the system log.

◆

Security log. This log contains logs information regarding the auditing of local or group policies. For example, an invalid logon attempt will be logged in the security log.

NOTE By default, security logging is not enabled. You can use Group Policy to enable security logging.

NOTE The Windows 2000 domain controller includes the DNS server, File Replication Service, and Directory Service logs in addition to the Application, Security, and System logs.


397

398

Part IV

OTHER SECURITY FEATURES

FIGURE 11-1 The Event Viewer snap-in.

Event Viewer also monitors security events, such as success or failure audit events, in Windows 2000. It generates the following five types of events: ◆

Error. The Error event indicates failure of a component, application, or service start. For example, a hardware failure during startup will be logged as an error.

◆

Information. The Information event indicates the successful completion of an action. For example, a successful remote access connection to the ISP will be logged as information.

◆

Warning. The Warning event indicates a red flag situation. It describes a situation that might cause problems in the future. For example, if the system is running low on disk space, this will be logged as a warning.

◆

Success Audit. The Success Audit event indicates the successful completion of an audited security access attempt. For example, a successful user logon event on the system will be logged as a Success Audit attempt.



◆

Chapter 11

Failure Audit. The Failure Audit event indicates the failure attempt of an audited security access. For example, an unsuccessful access to a remote system by the user will be logged as a Failure Audit attempt.

The Event Log service is automatically started when Windows 2000 starts. All users can view the application and system logs. However, access to the security logs is given only to administrators. In addition to events, Event Viewer also provides the following information: ◆

Date. Provides the date on which the event occurred.

◆

Time. Provides the time at which the event occurred.

◆

Type. Provides a classification of the event, whether it is Information, Warning, or Error.

◆

Computer. Provides the name of the computer where the event occurred. This option is useful when you are monitoring the events of other computers.

◆

Category. Provides a classification of the event by the source. This option is used in conjunction with related event types and to provide information on them.

◆

Source. Provides a description about the component, service, or application that generated the event.

◆

Event ID. Provides the number of the particular event type. This is a unique number that is generated for specific events and is used to troubleshoot system problems.

Event ID and Source provide useful information in determining which application generated an error. Through the event type, you can diagnose the cause of the error. When you double-click a particular event in the Event Properties dialog box, which provides all the mentioned information, such as Event ID, Source, and the others, a Description field that provides brief information about the event also appears. You can use the Event Log options to control the size of the event logs, archive the logs, handle the logging of the events, and set other options. Application and system logging are started automatically when Windows 2000 starts. As events are generated, the event log becomes full and reaches its maximum capacity.


399

400

Part IV


Before new events can be added to the logs, you must clear the event log. By default, event logs have a maximum file size of 512 MB, but you can choose to increase this file size and customize how to log the events.

System Monitor and Performance Logs and Alerts To optimize the performance of the Windows 2000 operating system, you must monitor and track the services and other critical subsystems used. Windows 2000 uses the System Monitor and Performance Logs and Alerts tools to measure the performance of your computer system. These tools help in determining how the system is performing and which resources are causing bottlenecks (the resources that are not performing to optimum levels and are causing the system to run slow). System Monitor is used to collect and view data that is available either through the Performance Logs and Alerts or real time data. The Performance Logs and Alerts tool is used to collect data over a period of time. Both these monitoring tools are used to determine the system’s current performance levels. You can set the performance level for each component so that it can be measured against actual performance. Creating an initial performance level is called a baseline. After a baseline is created, you can monitor the bottlenecks. Using System Monitor, you can measure the performance of various components of your system and identify these bottlenecks. After you have created baselines, you need to check them on a regular basis. You need to identify trends from the data that is available and take actions to prevent bottlenecks. This helps in maintaining the performance of the system at peak levels and reduces the downtime in the system. You can also choose to create an alert. An alert is issued whenever a baseline value is reached or exceeded. I will discuss both the System Monitor and Performance Logs and Alerts in detail in the following sections.

System Monitor The System Monitor tool is used to collect and view performance data from a log file. The performance data is for the usage of the hardware components and the system services running on the system. Using System Monitor, you can display data in various ways, such as graphs, histograms, or reports. To view the data saved in System Monitor, you can use any text editor, word processing software, or spreadsheet application.



Chapter 11

System Monitor is accessible through the Performance Monitor console (Figure 112). To open the Performance Monitor console, choose Performance from the Administrative Tools menu. When you open the Performance monitor console for the first time, it appears as a blank console screen. This is because no events or components are tracked by default in System Monitor. You must configure it to track the system activity that you want to monitor, using the following components: ◆

Object. An object refers to any hardware component, such as a hard disk, memory, or processor. It can also mean a logical component, such as disk volume, a software program, a process, or a thread.

◆

Instance. An instance refers to the number of occurrences of an object running on the system.

◆

Counter. A counter is a measurable unit of an object. You must add counters to use System Monitor. Counters have several features that include the performance counter, performance object, and the performance instance. You can monitor counters on either the local computer or other specific computers on the network.

FIGURE 11-2 The System Monitor tool.


401

402

Part IV


To add a counter to System Monitor, click the Add button on the System Monitor toolbar. This opens the Add Counters dialog box, as shown in Figure 11-3. All the system resources are monitored as performance objects, such as Processor, Memory, and Physical Disk. A performance object has a specified set of counters that are used to track specific information regarding the object. You need to choose the performance that you want to add counters to. For example, you can add a counter to the physical disk to check the read time percentage. After the counter is added, it appears in the System Monitor Console, as shown in Figure 11-4. Following are the various properties for counters available in the System Monitor console. ◆

General. Use this tab to change the display of the System Monitor. There are three types of views in the System Monitor. These three views are Chart View, Histogram View, and Report View. The buttons on the System Monitor toolbar can be used to change to the view you want to display. In addition, you can choose how the data will be displayed, whether it will be default, average, current, minimum, or maximum. The appearance can be changed to 3-D or flat. You can choose how often (in seconds) the data is updated.

◆

Source. Use this tab to specify the data source you want to view. The data source can either be the data collected from a log file or real time data.

◆

Data. Use this tab to add and remove counters. You can also choose to change the color, width, scale, and style of the counter that you want to track.

FIGURE 11-3 The Select Counters

dialog box.



Chapter 11

FIGURE 11-4 The System Monitor console with an added counter.

◆

Graph. Use this tab to change the vertical axis label, title, vertical scale numbers, and other settings in the chart or the histogram view.

◆

Color. Use this tab to change the color settings of the System Monitor.

◆

Font. Use this tab to change the font settings of the System Monitor.

The following section elaborates on the Performance Logs and Alerts tool.

Performance Logs and Alerts The Performance Logs and Alerts tool helps you to collect performance data from local or remote computer. You can create the following using this tool, as shown in Figure 11-5: ◆

Counter logs. Used to record data about hardware usage and system service activity.

◆

Trace logs. Trace logs are event-driven activities that are used to record monitored data. Traced events are recorded in Trace logs.


403

404

Part IV


FIGURE 11-5 The Performance Logs and Alerts tool.

◆

Alerts. Alerts are used to monitor counters and are generated when they exceed or fall below the user specified value. You can configure an alert to send a message, run an application, or generate a more detailed log.

Counter Logs To create a new counter log, expand the Performance Logs and Alerts\Counter Logs node and choose New Log Settings from the Action menu. Specify the suitable name and proceed. In the properties dialog box that appears, click the Add button to open the Select Counters dialog box. This dialog box allows you to add counters for the objects you want to track. You can choose to add more than one counter at a time. All you need to do is select the counter, click the Add button, and, when you are done, click the Close button. Each counter that you have added has three tabs on its properties dialog box: ◆

General. On the General tab, you can view the counters you have added and specify the sampling intervals for the data to be logged, shown in Figure 11-6.



Chapter 11

FIGURE 11-6 The General tab of the

properties dialog box of a sample counter.

◆

Log Files. On the Log Files tab, you can specify the following options, as shown in Figure 11-7. • Location. This option specifies the location to store the logs. By default, they are stored in the \Perflogs folder in the boot partition of the Windows 2000 operating system. • File name. This option displays the name of the log file. You can choose to edit the filename of the log file in the File Name box. • File type. This option specifies the format in which the log file is saved. You can choose to save the data in Comma-Delimited File (.CSV), Tab-Delimited File (.TSV), or Binary File. CSV and TSV log all the data at one instance; they do not allow recording data instances that stop and resume after the log has begun running. Both the CSV and TSV log files can be opened in a spreadsheet application, such as Microsoft Excel. Binary File allows recording data instances that stop and resume after the log has begun running.

◆

Schedule. This option allows you to specify the start and the stop timing of the log file. This limits the amount of information collected in the log file that you can examine easily. By default, the log starts generating when you create it and can be stopped manually.


405

406

Part IV


FIGURE 11-7 The Log Files tab of the

FIGURE 11-8 The Schedule tab of the



Trace Logs Trace logs record and collect data that is provided by the system provider and by nonsystem providers. A system provider, such as the Windows kernel trace provider, is defined by the operating system. The Windows kernel trace provider is the default provider and is used to monitor processes, threads, and other system events. A nonsystem provider is not specific to the operating system and includes programs and other nonsystem activities, such as Active Directory, NetLogon, LSA, and NTLM security protocol. Trace logs are created in the same manner as counter logs. The properties dialog box for a trace log contains all the tabs that are available in the properties dialog box for a counter log, such as General, Tab, and Schedule. In addition to these tabs, there is an Advanced tab that is used to specify the buffer settings, as shown in Figure 11-9.

Alerts You can set an alert to detect when the value of a predefined counter rises above or falls below the specified value. Alerts are created in the same manner as trace or counter logs. The General tab allows you to add the counters that you want to monitor. After you have added the counters, you must specify the threshold value for the counter. An alert will be generated when the counter exceeds the



Chapter 11

FIGURE 11-9 The Advanced tab of the

properties dialog box of a sample trace log.

threshold value. On the Action Tab, you can specify the appropriate steps that should be performed when an alert is generated. You can choose to send a network message, run a program, or start a performance log. The Schedule tab is similar to one in the counter or trace logs.

Task Manager What do you do to find out about the processes and applications currently running on your system? Or what do you do when a program stops responding? Windows 2000 provides Task Manager to stop any unresponsive programs and related processes. Task Manager offers more functionality than just closing errant programs. It provides the status of all the programs running on your system, lists all the processes running on your system, and monitors the CPU and memory usage automatically, unlike System Monitor where you must add counters for these functions. You can start Task Manager using any of the following methods: ◆

Press CTRL+ SHIFT+ESC

◆

Right-click the taskbar, and then select the Task Manager option.

◆

Press Ctrl+Alt+ Del, and in the Windows Security dialog box, click the Task Manager button.


407

408

Part IV


Task Manager contains three tabs: Applications, Process, and Performance. Each of these tabs is used to display and monitor the active programs running on the system, the processes running, and the memory usage and CPU usage. The tabs are discussed as follows: ◆

Applications tab. This tab displays all the programs running on the system, as shown in Figure 11-10. You can use it to close any unresponsive programs, start a new instance of the program, and switch from any running program to another.

◆

Processes tab. This tab lists all the processes running on the system, as shown Figure 11-11. Some of these processes, such as Explorer.exe, Lsass.exe, and Mstask.exe, start automatically when the Windows 2000 operating system starts, and you cannot end them through Task Manager. Other processes are related to the programs currently running on the system. Sometimes when a program does not respond, the Process tab allows you to end that program and any related child processes. To do so, right-click that particular process and choose End Process Tree from the context menu.

◆

Performance tab. This tab displays dynamic graphical and numerical listing of the processor and memory usage, as shown in Figure 11-12. CPU Usage shows the percentage of processor use. Memory Usage

FIGURE 11-10 Applications tab of Task

FIGURE 11-11 Processes tab of Task

Manager

Manager.



Chapter 11

FIGURE 11-12 Performance tab of Task

Manager.

shows the virtual memory used in kilobytes. The Performance tab has other various counts to check both the CPU and Memory performance, such as Physical Memory, Kernel Memory, and Commit Charge.

Network Monitor What do you do to determine if data sent from your system reaches the correct destination? Windows 2000 provides a tool called Network Monitor to detect and troubleshoot network problems on a Windows 2000 system. Network Monitor consists of an administrative tool, Network Monitor, and a network protocol called the Network Monitor driver. Both these components are used to capture, display, and analyze network packets. The network packets are also called frames. Network Monitor can only be installed on computers running Windows 2000 Server. The Network Monitor driver is automatically installed on a Windows 2000 Server when you install Network Monitor. Network Monitor allows you to capture and display packets that a computer running on Windows 2000 receives from the local area network. The Network Monitor driver helps Network Monitor receive packets from a network adapter and allows it to capture and display packets from a remote computer. Frames, or packets, are made up of several different pieces that can be analyzed separately. A few


409

410

Part IV


of these pieces contain data that Network Monitor uses to troubleshoot networking problems. Network Monitor captures information about the broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames per second. Using Network Monitor, you can diagnose hardware and software problems that might cause communication problems between the server and other computers on the network. To install Network Monitor, you will need to do the following: 1. Open the Add/Remove Programs and click on the Add/Remove Windows Components button. 2. In the Windows Components wizard, select Management and Monitoring Tools, and click on the Details button. 3. In the Management and Monitoring Tools dialog box, select Network Monitor, and click OK. 4. If you are prompted for additional files, insert your Windows 2000 Server compact disc, or type a path to the location of the files on the network. To install the Network Monitor driver on other Windows 2000 systems, perform the following steps: 1. Open the Network and Dial-up Connections window. 2. In the Network and Dial-up Connections window, right-click Local Area Connection and from the context menu choose Properties. 3. In the Local Area Connection Properties dialog box, click the Install button. 4. In the Select Network Component Type dialog box, select Protocol, and click Add. 5. In the Select Network Protocol dialog box, click Network Monitor Driver, and click OK. 6. If you are prompted for additional files, insert your Windows 2000 compact disc, or type a path to the location of the files on the network. To use Network Monitor, perform the following steps: 1. Open the Administrative Tools console. 2. Double-click Network Monitor to open the Microsoft Network Monitor



Chapter 11

console, as shown in Figure 11-13. Select the default network on which you wish to capture frames. Then select the Start option in the Capture menu to capture frames.

Window File Protection Feature Some programs that you install on the operating system modify the system files and DLL files. Such modifications can cause other programs that use the system files or DLLs to crash because these files have been altered. This problem was very persistent in the Windows 9x operating system and earlier versions of Windows. In Windows 9x and earlier versions, most software and programs, when installed, modify or overwrite the operating system files and cause the operating system to become unstable or generate other errors. Windows 2000 uses the Windows File Protection feature that prevents the modification of system files and file version mismatches. This feature uses file signatures in which all the system files and DLLs are signed by Microsoft. This verifies whether protected system files are the correct Microsoft versions. The Windows File Protection feature uses the Automatic Restoration mechanism and the System

FIGURE 11-13 The Network Monitor console.


411

412

Part IV


File Checker (SFC) utility to protect system files. Both of these are discussed in the following sections.

Automatic Restoration The Automatic Restoration mechanism runs in the background. In an event where the system files are modified, the Windows File Protection feature checks the file signature in a catalog file to determine whether the new file is the correct Microsoft version. If the file is not the correct Microsoft version, it is replaced from the Dllcache folder (if it is in the Dllcache folder) or from the Windows 2000 CD. Whenever a modification occurs in the system folder, a message box containing information about the changed file and the status of the restoration appears.

System File Checker SFC is a command-line utility that verifies the integrity of system files. This utility scans the system for changed, deleted, or corrupt files. This utility scans all protected files to ensure that programs installed on the system do not modify them. It also checks all catalog files that are used to track correct file versions. If any of the catalog files is missing or damaged, the Windows File Protection feature renames the affected catalog file and retrieves a cached version of that file from the Dllcache folder. If a cached copy of the catalog file is not available in the Dllcache folder, the Windows File Protection feature prompts you to insert the Windows 2000 CD and uses it to retrieve a new copy of the catalog file. Using the SFC utility, the administrator can scan all the protected files to verify their versions. The SFC utility also checks and repopulates the Dllcache folder. If the Dllcache folder becomes damaged or unusable, you can use either the sfc /scanonce or sfc /scanboot commands at the command prompt to repair the contents of the folder. The command-line syntax for SFC is as follows: sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/enable] [/purgecache] [/cache size=x] [/quiet]

The following list describes the SFC syntax: ◆ /Scannow.

Scans all protected system files and replaces incorrect versions of system files with correct Microsoft versions.

◆ /Scanonce.

Scans all protected system files once.



Chapter 11

FIGURE 11-14 Syntax of SFC. ◆ /Scanboot.

Scans all protected system files every time you start your

computer. ◆ /Cancel.

Cancels all pending scans of protected system files.

◆ /Enable.

Enables Windows File Protection for normal operation.

◆ /Cachesize=X. Sets

the file cache size in MB. This requires a reboot followed by a /Purgecache command to adjust the size of the on-disk cache.

◆ /Purgecache.

Purges the file cache and scans all protected system files immediately. This command is required after running the /Cachesize=X command.

◆ /Quiet.

Replaces all incorrect file versions without prompting the user for action.

NOTE Some of these options require access to the Windows 2000 installation source files that are available in the Windows 2000 installation disk, or you will need to provide the path to them.


413

414

Part IV


Fault Tolerance An operating system should be able to provide a safe and reliable method to store and protect the data on the disk. It should offer read and write data quickly, enable fault tolerance, and provide convenience of data storage. Windows 2000 has many features that help in data management, security, and fault tolerance. It provides several features, such as disk management, disk compression, disk quotas, and file and folder encryption, to manage disk resources and to enhance performance and protect data. Disk Management is a GUI-based tool that is used to manage the volumes and disks in Windows 2000. To use the Disk Management tool, open the Computer Management console using the Administrative Tools menu. Expand the Storage node to use the Disk Management tool, as shown in Figure 11-15. The Disk management tool allows you to: ◆

Create and delete partitions in the hard disks.

◆

Create logical drives in the partitions.

FIGURE 11-15 Disk Management tool.



Chapter 11

◆

Display information regarding the size of the partition and the amount of free space left.

◆

Display information regarding the drive letters, volume labels, and file system type.

◆

Change the drive letter and format any volume.

There are many more features available in the Disk Management tool that help you to manage your physical and logical disk. Using the Disk Management tool, you can check the volume for errors, store files contiguously on the hard drive, back up the files on the volume, and delete unnecessary files. Windows 2000 supports the Basic and Dynamic configuration for the physical hard disk. You can configure the physical disk for either basic storage or dynamic storage, also called basic disks and dynamic disks. ◆

Basic storage. This is the configuration of the hard disk into primary, extended, and logical partitions. Basic storage is compatible with older operating systems, such as Windows 9x, Windows NT, and other operating systems. It conforms to the four-partition limit, and therefore, you can have only four primary and extended partitions. Basic storage lacks fault tolerance and does not support Windows 2000 Redundant Array of Inexpensive Disks (RAID) technology. To use RAID, you must convert basic disks to dynamic disks.

NOTE RAID allows you to group multiple smaller, or inexpensive, disk drives into larger logical disk devices. Adding RAID to a server’s disk I/O subsystem is commonly used as a technology for enterprise servers to increase performance, disk management, and availability.

◆

Dynamic storage. This is the division of the hard disk into dynamic volumes. Dynamic volumes do not contain any partitions and are not accessible through DOS. Windows 2000 supports five types of dynamic volumes: simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. You can create a dynamic disk or upgrade from a basic disk to a dynamic disk. After you have created the dynamic disks, you create the dynamic volumes within the disk.


415

416

Part IV


Following are the different types of disk volumes available in Windows 2000: ◆

Simple Volumes. This volume consists of space from a single dynamic disk. The space can be contiguous or noncontiguous. This volume is not fault tolerant and is not useful when you want to recreate lost data.

◆

Spanned Volumes. This volume consists of space from two or more dynamic disks. The data is written sequentially in spanned volumes. If space on one physical drive is full, data writing continues to the space on the next physical drive in the spanned volumes set. The physical space allocated to the volume sets on each physical drive does not need to be equal. The spanned volumes are also not fault tolerant because data in the volume is lost when one disk in the spanned volume set fails.

◆

Striped Volumes. This volume consists of equal space between two or more dynamic disks. The data is written sequentially in the stripes; it is written on all disks; a portion of the data is written on the first disk, another portion on the second disk, and so on. The striped volumes are not fault tolerant because you lose access to data in all the striped volume in case of failure of one disk in the striped volume set.

◆

Mirrored Volumes. This volume consists of two drives, primary and secondary. The data written on the primary drive is replicated to the secondary drive. Mirrored volumes are fault tolerant because even if one drive in the mirrored volume fails, the other drive continues to function without any loss of data or interruption of service.

◆

RAID-5 volumes. This volume also writes data across different drives, as is the case with striped volumes. However, RAID-5 volumes are superior and more fault tolerant than striped volumes because they place parity across the volume. Parity is a mathematical calculation performed on the data that provides information to rebuild data in case of a disk failure. RAID-5 volumes require at least three physical drives (up to a maximum of 32).

To manage the properties of the volumes or local disk, right-click a drive and select Properties from the context menu. This will open the Properties dialog box, as shown in Figure 11-16 that contains the following tabs: ◆

General

◆

Sharing

◆

Tools

◆

Security



◆

Hardware

◆

Web sharing

◆

Chapter 11

Quota

NOTE The Security and Quota tab appear only on NTFS partitions and volumes. These features are not available on the FAT partitions and volumes.

On the General Tab, you can view the volume’s label, type, file system, used and free space, and capacity. You can delete unnecessary files and free disk space using the Disk Cleanup utility. The Disk Cleanup utility checks the system for all the temporary files, internet cache files, files in the recycle bin, and unnecessary program files, and then calculates the amount of hard disk space that can be freed by deleting these files. To open the Disk Cleanup utility, click the Disk Cleanup button to open the Disk Cleanup dialog box. You can then select the desired files and delete them. You can check the volume for errors, store files contiguously on the hard drive, and back up the files on the volume using the utilities available in the Tools tab on the Properties dialog box. There are three utilities available on the Tools tab.

FIGURE 11-16 The Properties dialog box of the hard disk drive.


417

418

Part IV


The following is a brief description of these utilities: ◆

Check Disk. The Check Disk utility is used to check the volume for errors and can be run by clicking the Check Now button. The Check Disk will check for bad sectors in the hard disk. If bad sectors are found, then it will mark the sector as a bad sector, move the data from the bad sector to a good one, and repair the data links.

◆

Backup Wizard. The Backup Wizard guides you through the process of backing up the files on the volume. You can start the wizard by clicking the Backup Now button. You will learn about the Backup wizard later in the Backup Wizard section.

◆

Disk Defragmenter. The Disk Defragmenter utility checks the hard disk for fragmented files, contiguous files, system files, and free space. Disk defragmentation optimizes and speeds up access to the files on the volume or hard disk. You can click the Defragment Now button to run the Disk Defragmenter utility, as shown in Figure 11-17. Disk Defragmenter can be used to analyze your hard disk. You can create a report by clicking the Analyze button. After performing the analysis, Disk Defragmenter appears as shown in Figure 11-18. It also displays a dialog box where it asks whether you want to create a report, defragment, or close the dialog box.

NOTE Fragmentation on the hard disk consumes time. This is because data is stored on the hard disk in a noncontiguous manner; and the operating system searches through the entire hard disk to find all the portions of the file, which slows down the process of data access on the hard disk.

To improve disk performance, you should do the following: ◆

Use faster disks and controllers.

◆

Use Disk striping to benefit from multiple I/O channels.

◆

Add another disk controller for load balancing.

◆

Enable all the disk counters using the DISKPERF command that tracks the logical disk counters.



Chapter 11

FIGURE 11-17 Disk Defragmenter utility.

FIGURE 11-18 Disk Defragmenter after performing the analysis.


419

420

Part IV


Backup An unforeseen calamity or disaster might lead your operating system to crash, and you might lose all data on your system. Therefore, it is important to back up data for such eventualities. Windows 2000 has tools, such as Windows Backup and Emergency Repair Disk, that help to manage and secure the System State data and user data. The following sections elaborate on these.

Windows Backup Program The Windows Backup program is used to make regular backups of all the System State data. The System State data is a collection of system-specific configurations. It includes the following information: ◆

The Registry

◆

Com+ Class Registration Database

◆

System boot files

◆

Certificate Services database (only on a Windows 2000 server)

◆

Active Directory services database (only on a Windows 2000 domain controllers)

◆

The SYSVOL folder (only on a Windows 2000 domain controllers)

To open the Windows Backup tool, choose Start, Programs, Accessories, System Tools, and click the Backup option. The Backup program appears, as shown in Figure 11-19. The various buttons in the Windows Backup program are: ◆

Backup Wizard. Used to back up data.

◆

Restore Wizard. Used to restore data.

◆

Emergency Repair Disk (ERD). Used to create a repair disk.

The following sections discuss in detail how you can use these options.

Backup Wizard If you want to make some changes to the registry or system files, you should make sure that the data on your system is safely backed up. The Backup Wizard allows you to make a backup of the data on your system. When you click the Backup Wizard button in the Welcome tab of the Backup program window, Backup Wizard starts to guide you through the process of making a backup. You can also use



Chapter 11

FIGURE 11-19 The Backup program.

the Backup tab of the Windows Backup program to specify the files and folders which you want to back up and the location where you want to create the backup, as shown in Figure 11-20. You can choose to back up the entire data on the computer, back up selected files, drives, or data from the network, or choose to back up the System State data. The

FIGURE 11-20 Specifying items to back up in the

Backup Wizard.


421

422

Part IV


wizard will also require you to specify the media and the path where you want to save the files. On the last screen of the wizard, you can click the Advanced button to configure the advanced options. Using the advanced options, as shown in Figure 11-21, you can choose from normal, incremental, differential, copy, or daily backup. You can choose to verify that data is copied correctly. If the backup media already contains data, you can choose to append data to it or choose to replace that backup. The backup can also be scheduled to run at a particular time. Following are descriptions of the various backup types: ◆

Normal. Copies all the selected files and then sets the archive bit as marked for each file that is copied.

◆

Copy. Copies all the selected files but does not reset the archive bit.

◆

Daily. Copies all the selected files that were modified on the day of backup. It does not set the archive bit as marked for each file that is copied.

◆

Incremental. Copies the selected files with the archive bit set and then sets the archive bit as marked for each file that is copied.

◆

Differential. Copies the selected files with the archive bit set, but does not set the archive bit as marked for each file that is copied.

Restore Wizard After you perform the necessary changes to the system files or the registry, you might want to restore the data you backed up from the backup media. The

FIGURE 11-21 Choosing a backup type.



Chapter 11

Restore Wizard guides you through the process of restoring data from the backup media. To start the Restore Wizard, click the Restore Wizard button on the Welcome tab of the Windows Backup dialog box. You can also use the Restore tab of the Backup program window, as shown in Figure 11-22, to restore the backup. The options available in the Restore Wizard depend upon the backup media used. You can choose to restore the entire contents or select the files you want to restore. You can also use the advanced options to specify a new location to restore the data to, change the restoration options for the files already backed up, and choose remote storage options. If you are replacing data from an NTFS backup drive to an NTFS drive, then you have the option to restore the security settings that were attached to the files when they were backup files. The System State data can only be restored to the server from where the System State backup data was originally created.

ERD An ERD is used to restore the system configuration information when the operating system will not start or if the system files have been deleted. An ERD can also be used as a boot disk to run the repair tools from the Windows 2000 CD.

FIGURE 11-22 The Restore tab.


423

424

Part IV


You can use the ERD to repair the following items: ◆

The system files

◆

The partition boot sector

◆

The startup environment

◆

The registry

To create an ERD, you need to click the Emergency Repair Disk button in the Windows Backup program. You will be prompted to insert a blank, formatted floppy disk into the floppy disk drive in the Emergency Repair Diskette dialog box. You can also choose to back up the registry onto the ERD provided there is enough space on the floppy disk to save the registry. The Emergency Repair Diskette dialog box is shown in Figure 11-23. You have examined the various options in the Windows 2000 operating system to prevent system failure and loss of system data, and system configuration settings. Now, you will learn how to prepare your computer for unforeseen circumstances and plan for disaster recovery.

System Recovery Disaster can occur if there is hardware failure when a hardware component fails or the addition of new hardware causes the system to crash. Installation of new software or corruption of a software program can lead to the operating system not booting up. Virus attacks can play havoc on the operating system; virus attacks are often the cause of system crashes.

FIGURE 11-23 The Emergency Repair Diskette dialog box.



Chapter 11

Windows 2000 has several methods to repair and recover the operating system. To recover from disaster, you should take the following precautions: ◆

Make regular system backups.

◆

Use a virus scanning software and update its virus definitions regularly.

◆

Regularly perform administrative functions and monitor the logs in the Event Viewer.

If disaster strikes your system, Windows 2000 provides many utilities that help you recover the system. You need to use the Advanced options menu by pressing F8 during system startup to use these utilities. These utilities are described below: ◆

Safe mode. If Windows 2000 is not loading normally, it is a safe bet to boot into Windows 2000 through safe mode. Safe mode starts the system using the minimal set of drivers and services needed to boot into Windows 2000. Once you are in safe mode, you can troubleshoot the errant device, service, or program that is preventing Windows 2000 from booting normally.

◆

Last Known Good Configuration. This option can be used when you have made changes to the system configuration files or installed software, which does not let you boot into the system. Using the Last Known Good Configuration, you can boot into the system using the configuration used the last time you successfully booted into the system.

◆

Windows 2000 Server Boot disk. When the Windows 2000 system is loading due to missing or corrupted boot files, you can use the Windows 2000 Server Boot disk to load all the Windows 2000 boot files. You can then restore the necessary files from the Emergency Repair Disk.

◆

Emergency Repair Disk. Use this option to correct configuration errors or to repair system files. The ERD contains the system files, a copy of the partition boot sector, information regarding the startup environment, and the registry.

◆

Windows Backup. Using this utility, you can back up your system and user data, restore data, and create ERD.

◆

Recovery Console. Use this option when all other options have failed. Using the recovery console, you can restore and replace files and start and stop services.


425

426

Part IV


◆

Directory Services Restore mode. Use this option when you need to recover the Active Directory database on the Windows 2000 domain controller.

◆

Event Viewer. This option displays all errors, warnings, and other information using the various logs generated by Event Viewer.

I’ll discuss some of these options in detail in the following sections.

Safe Mode When the Windows 2000 system does not boot properly and cannot be loaded, you can use the safe mode option. Safe mode simplifies the Windows 2000 bootup because it only uses the basic configuration to load the operating system. In safe mode, only the basic drivers and services are loaded, and you do not have access to all the features and devices that are available when the system boots in normal mode. When you are in safe mode, you can uninstall any program or unload any driver that might be causing the problem. Following are the various safe mode options available in Windows 2000: ◆

Safe Mode with Networking. This option in safe mode provides networking capabilities. Using the network, you can copy or download drivers, service packs, or system files.

◆

Safe Mode with Command Prompt. This option is the command line version of safe mode. The Windows 2000 graphical interface is not available in this option. This option replaces the Explorer.exe shell with the Cmd.exe shell. In this version of safe mode, you can run all the options that you can in safe mode, even GUI applications. This option is used when a problem with Explorer prevents the Windows 2000 operating system from starting.

◆

Enable VGA mode. This option can be used when you have installed an incompatible or incorrect video driver and lost video in your system. This option will load Windows 2000 in safe mode with the standard VGA drivers so that you can uninstall the incorrect or incompatible driver.

Last Known Good Configuration If you have improperly configured the computer and cannot successfully reboot, you can use the Last Known Good Configuration option. The last known good configuration uses the registry information that was saved the last time Windows



Chapter 11

2000 booted successfully. The only thing to remember is that there should have been no system critical errors, such as problems with drivers or system files. The last known good configuration is stored in the HKEY_LOCAL_MACHINE\System \CurrentControlSet. Windows 2000 stores a backup copy of this information, and this backup is used when the current set becomes corrupt and unusable. Using the last known good configuration, you can choose from three different startup options: ◆

Use the current configuration.

◆

Use the configuration that was loaded when Windows 2000 booted successfully.

◆

Restart the computer.

Enable Boot Logging Using this option, you can create a log file that logs and tracks information about the loading of drivers and services. All the processes that take place during a normal boot sequence are logged in this file and can be used to troubleshoot problems with the boot process. The log file created is saved as ntbtlog.txt in the system root directory (\%systemroot%\ntbtlog.txt).

Recovery Console Recovery Console is the utility that is used when all other utilities have failed. To use Recovery Console, you need to log on as an administrator. Recovery Console starts without a graphical user interface and provides limited access to the FAT 16, FAT 32, and NTFS volumes. You can perform the following tasks using Recovery Console. ◆

Copy, replace, or rename the operating system files and folders. This should be used in case of missing or corrupt files.

◆

Disable or enable a particular service from starting when the computer is restarted.

◆

Repair the Master boot record or the file system boot sector.

◆

Create and format partitions on the drives.

To install the Recovery Console utility, you need to use the Windows 2000 operating system CD, open the Run tool, and type d:\i386\winnt32 \cmdcons where


427

428

Part IV


d: is the drive letter of your installation CD. After the installation is over, you will

be prompted to restart your system. After you restart the computer, Recovery Console appears in the Startup menu. The Recovery Console utility provides only limited access to the files and folders on the disk drives. You can access only the following folders through the recovery console. ◆

Root

◆ %system root%

and the subfolders of Windows 2000

◆

CMDCONS

◆

Removable media drives

NOTE In Recovery Console, you can copy files from a floppy disk or CD to the hard disk or from one hard disk to another, but for security purposes, you cannot copy files from the hard disk to a floppy disk.

Summary In this chapter, you were introduced to the reliability features of Windows 2000. You learned about the various diagnostics tools available in Windows 2000 used to monitor performance. You learned about the various disk management tools available in Windows 2000 and about the Windows File Protection mechanism. Finally, you learned to use the various backup and recovery tools available in Windows 2000 to protect and restore your system in case of a disaster.

Check Your Understanding Multiple Choice Questions 1. You were running multiple applications and now your system has stopped responding. You want to find out which application is causing the problem and close it. Which Windows 2000 utility will you use? a. System Monitor b. Disk Defragmenter



Chapter 11

c. Task Manager d. Performance Monitor 2. You were browsing the Net using Internet Explorer when an error message was generated and the browser window closed suddenly. Where will you find information regarding the error and the reason Internet Explorer closed? a. Temporary Internet Files b. Performance Logs and Alerts c. Event Viewer d. Task Manager 3. You have been noticing that your system is running slow and think that the bottleneck is in memory. You want to check whether memory is indeed causing the problem. What will you do? a. Add the Memory: Pages/Input sec counter in the System Monitor. b. Add the Memory: Pages/ sec counter in the System Monitor. c. Add the Memory: Commit Limit counter in the System Monitor. d. Add the Memory: Available Bytes counter in the System Monitor. 4. Your server was affected by a virus attack that modified the system files and corrupted the system DLLs. You want to get the system back on track with as little downtime possible. What should you do? a. Use an emergency repair disk b. Use Recovery Console c. Use the System File Checker utility d. Use the last known good configuration 5. You have modified certain system files in a Windows 2000 server. When you try to reboot your system, the process fails. What should you do to boot into Windows 2000? a. Start the computer in safe mode b. Use Recovery Console c. Use the last known good configuration d. Use the ERD to boot into Windows 2000


429

430

Part IV


Short Questions 1. You want to view data that has been tracked in the System Monitor during a defined period. Which view would be the most appropriate to view such data in the system? 2. What does the System State data consist of? 3. You want to capture data to determine how much disk usage is on your server. Which counters will you add? Also, the hard disk is taking a lot of time to retrieve data. Which utility will you use? 4. You want a message to be sent to the users when a counter exceeds a given value. What should you do? 5. What are the advanced startup options available in Windows 2000?

Answers Multiple Choice Answers 1. c. 2. c. 3. d. Memory: Available Bytes counter records the memory currently available on the server. A low value indicates that your server is running low on memory. 4. c. 5. e.

Short Answers 1. Chart View. In this view, you can see how the data is being tracked during the defined time period. Another advantage is that you can track a small number of counters in a graphical format. 2. The System State Data consists of the registry, Com+ Class Registration database, System boot files, Certificates Services database, Active Directory services database, and SYSVOL. 3. You will add the physical disk counters in System Monitor. These counters are: Physical Disk\ Disk Reads/sec and Disk Writes/sec, Physical Disk\ Current Disk Queue Length, Physical Disk\ % Disk Time,



Chapter 11

LogicalDisk\ % Free Space. You will use Disk Defragmenter to defragment files and folders because huge files and folders increase the access time required by Windows 2000 to read from the hard disk drive. 4. You will need to set up an alert on the counter and define the message to be sent to the user. Expand the Performance Logs and Alerts option, right-click Alerts, select the Alerts file’s Properties box and click the action tab to define the alert message. 5. The following are advanced options available in Windows 2000: a. Safe Mode b. Safe Mode with Networking c. Safe Mode with Command Prompt d. Enable Boot Logging e. Enable VGA Mode f. Last Known Good Configuration g. Directory Services Restore Mode h. Debugging Mode i. Boot Normally


431



Chapter 12 Securing Non-Microsoft Clients


etworks rarely contain just Windows platforms. Many servers and clients might be running other operating systems, such as UNIX, Netware, or Macintosh. In such a scenario, Windows 2000-based clients might need to access resources on other networks based on different platforms. Additionally, nonMicrosoft clients might need to access shared resources. You need to secure both the resource access by non-Microsoft clients to the resources on the Windows 2000-based network and the access of Windows 2000 clients to the resources kept on non-Microsoft servers and networks.

N

This chapter examines the services that allow Windows 2000 to provide both authentication and resource access capabilities to other clients, such as UNIX, Macintosh, and NetWare. The chapter also discusses the considerations that should be followed while designing a secure access to resources.

Securing Access to UNIX Clients You can access a Windows 2000 network using a UNIX client with the help of available tools and utilities. As an administrator of the Windows 2000 network, you need to authenticate the UNIX client to ensure the security of the network. You will have to protect the common software and protocols that UNIX uses to access resources in a network. Server Message Block (SMB), Network File System (NFS), and TCP/IP are the three common and important file systems and protocols that UNIX uses.

Services for UNIX Microsoft Services for UNIX 2.0 includes tools that integrate UNIX and Windows networks. You can use these services for improving interaction between the UNIX clients and Windows 2000 networks. Services for UNIX include the following: ◆

NFS. Network File System (NFS) software is used by UNIX servers and clients. The client software allows Windows 2000-based clients to


SECURING NON-MICROSOFT CLIENTS

Chapter 12

interact with UNIX servers, and the server software allows the UNIX clients to interact with Windows 2000-based servers. The server for NFS is a 32-bit, Windows-based, multithreaded kernel program that enables a computer running a Microsoft Windows operating system to act as an NFS server. The NFS gateway allows a Windows 2000 server to publish UNIX NFS data as a Windows 2000 share so that Windows 2000-based computers can access UNIX NFS resources without the help of any special software. ◆

Network administration tools. Services for UNIX MMC console and ActivePerl are administrative tools included in Services for UNIX. Services for UNIX MMC console allows management of various services for UNIX utilities. ActivePerl is a tool that allows you to automate network administration tasks by enabling scripts to use the Windows Management Instrumentation (WMI).

◆

Telnet services. Windows 2000 provides Telnet Services containing Telnet Server and Telnet Clients. Windows 2000 Telnet Server allows Telnet clients to connect to a server, log on to that server, and run character-mode applications. The Telnet server provided with Windows 2000 supports a maximum of two Telnet client connections at any given time. Telnet client software, Telnetc.exe, allows a computer to connect to a remote computer.

◆

Account management tools. These tools help you to manage accounts easily. They include: • NIS (Network Information Services). Allows you to move UNIX NIS from the NIS domain source files to Active Directory. • Server for NIS. Integrates an NIS and a Windows 2000 network by allowing a Windows 2000 domain controller to act as a server for NIS. This allows you to manage both domains through Active Directory. • Password Synchronization. Allows you to synchronize passwords and thus have one password for both Active Directory and UNIX systems. This features clearly enhances the interoperability of the two systems. • User Name Mapping service. Allows you to use the services in one kind of network from the other network without having to provide credentials for logging on to the systems.


435

436

Part IV


Authentication of UNIX Clients Windows 2000 authenticates UNIX clients depending on the application that the client uses. You can authenticate a UNIX client using the Kerberos V5 or NTLM protocol, certificate-based authentication, or a clear-text authentication. ◆

Kerberos V5 protocol. A UNIX client uses a Windows 2000 domain controller as its KDC to get authenticated. It could also configure a realm-trust between the Kerberos and Windows 2000 domains. For both methods, you need to create UNIX accounts in Active Directory and map the accounts in both domains. When you map accounts, a Windows 2000 SID is defined in the UNIX domain.

◆

NTLM protocol. This protocol can be used by UNIX clients that use Secure Message Block (SMB) and Common Internet File System (CIFS), such as LAN Manager for UNIX or Samba, a third-party product.

◆

Certificate-based authentication. This authentication allows a UNIX client to access Web sites that are protected by SSL or TLS. You need a CA, trusted by both the UNIX client and the Web server, to distribute certificates.

◆

Clear-text authentication. UNIX clients using TCP/IP, FTP, or HTTP can use this method for authentication in Active Directory, although this method can be intercepted by anyone. You can secure the text by using SSL encryption or implementing IPSec between UNIX clients and a Windows 2000 server.

SMB Client You can connect to Windows 2000 resource if you are using a UNIX client with SMB software. Following are the guidelines for designing a secure resource access: ◆

You can use NTLM to protect passwords. Samba 2.0.6 and later supports this method, but earlier versions use the clear-text method.

◆

You can create separate accounts for every UNIX client in different OUs in Active Directory.

◆

You can encrypt the text with IPSec if you use the clear-text method to authenticate. This method is set by enabling the Send unencrypted password to connect to third-party SMB servers Group Policy setting. The path of this setting is: Computer Configuration/ Windows Settings/Security Settings/Local Policies/ Security Options.



Chapter 12

All UNIX-based operating systems include server and client software. Windows does not include these by default, but you can access a Windows 2000-based resource using this Server for NFS. Before accessing a resource, the UNIX client gets authenticated with an NIS server. The authenticating NIS server gives a user ID (UID) and group ID (GID) to the client, which are mapped to corresponding accounts in Active Directory. The SID of a user and group account is given to the UNIX account so that it can access the resources. Following are the guidelines that you can refer to when you design a secure resource access: ◆

Identify the UNIX UIDs and GIDs that you need to map to Windows 2000 user and group accounts. If you do not include an ID, that ID will not be able to access the resources on the Windows 2000-based NFS server.

◆

Use the mapped and group accounts to set permissions on NFS resources.

Security of TCP/IP-Based Applications UNIX clients can also use some TCP/IP-based applications to access Windows 2000-based resources. You need to use the clear-text method and encrypt data to authenticate these applications.

Access Data with FTP Windows 2000 supports FTP client and server software. You can use the following guidelines to implement security: ◆

Store non-sensitive data on FTP servers and configure them to allow anonymous access because Windows 2000 does not allow important Active Directory data to be transmitted across the network.

◆

Use IPSec to encrypt data when sending it from the FTP server to UNIX FTP clients if you have to access sensitive data on the FTP server.

Security of HTTP-Based Applications You can use Web browsers that use HTTP on UNIX-based computers to access data from a Windows 2000-based computer that has IIS. IIS uses NTFS to secure data. The guidelines to use HTTP protocol are:


437

438

Part IV


◆

Configure the IIS server to implement SSL and encrypt critical data.

◆

Implement basic authentication in IIS and use SSL to encrypt the cleartext passwords if you need to access the Web site.

◆

You can use certificate-based authentication for additional security.

Telnet Security Services for UNIX provides two of the following methods of authentication: ◆

UNIX authentication. Uses the UNIX login and password that is sent as plaintext. This may be a security hazard because other network users may be able to sneak this transmission.

◆

NTLM. For authentication between a Services for UNIX Telnet Client and a Services for UNIX Telnet Server. NTLM uses pass-through authentication, in which the security credentials, such as domain name, user name, and hashed password, are passed through domain controllers for connections between trusted domains. The user is not prompted for login and password. This method is integrated with Windows security. Using NTLM, a user can use Telnet to connect to a remote computer and access resources on that computer; however, the user cannot access other resources on the network without being authenticated again.

You can run utilities at the command-line from a Telnet client that is connected to a Windows 2000-based Telnet server. Authentication happens by default, in clear-text. However, the clear-text data is open to being intercepted during transfer. If you want your UNIX client to manage a Windows 2000-based server using Telnet, you should encrypt the Telnet protocol transmission with IPSec. You can also allow NTM access or allow NTLM access and then use clear text. NTLM settings can be adjusted in the registry or by using the Telnet server Administration tool.

Securing Access with NetWare When a NetWare client tries to access a Windows 2000 network, you need to ensure that the networks are authenticated form both ends. The services provided by Microsoft to enable a Windows 2000-based client to connect to a NetWare network are Gateway Services for NetWare and Client Service for NetWare.



Chapter 12

These allow you to access NetWare services on the NetWare bindery-based servers or Novell Directory Services (NDS)-based servers. Services for NetWare allow the clients to access a Windows 2000 network.

Interoperability with NetWare Clients Windows 2000-based computers can interact with NetWare clients and servers using one of the three software services provided. These are NWLink Protocol, Client Service for NetWare, and Gateway Service for NetWare. ◆

NWLink protocol. You can use the Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocol provided by Novell to enable a NetWare server to communicate with the Windows 2000-based server that runs NWLink or Microsoft’s implementation of IPX/SPX.

◆

Client Service for NetWare. You can access NetWare resources from Windows 2000 clients using the Client Service for NetWare service. This service needs to be installed on individual Windows 2000 Professional-based clients to access NetWare resources and directory services.

◆

Gateway Service for NetWare. Multiple Windows-based clients can access NetWare resources with a single authenticated account on the NetWare server called the Gateway Service for NetWare. The clients use the server-based software service to make the connection. Therefore, you do not have to install the NetWare client software on all the workstations. Just as the Client Service for NetWare allows direct access from the client computer, you can access the NetWare service from the computer providing the gateway.

◆

Services for NetWare. Services for NetWare is an add-on product that provides utilities for integrating the Novell NetWare and Windows networks. The utilities included in this service are: • Microsoft Directory Synchronization Services (MSDSS). You can use this service to access both Active Directory and NDS information. This is advantageous because it reduces cost without your having to replace or manage separate directories. • Microsoft File Migration Utility. Use this service to transfer data from the NetWare resource servers to a Windows 2000-based server keeping the directory structures and security permissions intact.


439

440

Part IV


• File and Print Services for NetWare. Use this service to allow NetWare clients to access the resources on a Windows 2000-based computer. The server appears the same as a NetWare server would to a NetWare client. No modifications to the NetWare client software are required.

Authentication with NetWare Clients and Servers Access to NetWare file and print resources and directory services from a Windows 2000-based computer can be allowed using the Gateway Service for NetWare or Client Service for NetWare. To allow users to log on to a Windows 2000 domain using a Netware client, configure user accounts as NetWare-enabled accounts in the Active Directory Users and Computers snap-in. You can configure NetWare specific properties for a NetWare-enabled account. For example, you can specify a logon script for a user logging on to a Netware client in a Windows 2000-based domain.

Authorization with the Gateway Service for NetWare To access NetWare resources from a Windows 2000-based computer using the Gateway Service for NetWare, the Administrator creates a gateway service account in the Ntgateway group on the NetWare network. All access to the NetWare server is performed using the credentials defined for the gateway. Therefore, it is important to control access to the NetWare servers by creating user and group accounts and by assigning appropriate permissions to them. The gateway accounts or Ntgateway group permissions are applied to the clients when they access the NetWare resources. You can apply different levels of permissions to gateway accounts if multiple Gateway Service for NetWare service is configured to access the server. If all the servers with the service require the same level of permissions, you apply the permissions to the Ntgateway group. If you plan to use Gateway Services for NetWare to provide access to NetWare resources, consider the following guidelines when designing your security plan: ◆

Only members of the Ntgateway group can provide gateway services to the NetWare resources. Therefore, the user account that the Gateway Services for NetWare service uses to connect to the NetWare environment must be a member of the Ntgateway group on the NetWare server.

◆

Individual users cannot be identified when accessing NetWare resources through the Gateway Services for NetWare gateway. Varying levels of



Chapter 12

access to NetWare resources can be allowed by configuring multiple Gateway Services for NetWare servers. Each Gateway Services for NetWare server will have a unique gateway user account. All the gateway accounts must be members of the Ntgateway group on the NetWare server. You can, however, assign different trustee rights to each gateway account. ◆

The NetWare administrator should define Share permissions at the GSNW server at the maximum level of trustee rights granted to the gateway account on the NetWare server. The most restrictive Share permissions and NetWare trustee rights will be the effective permissions.

◆

IPX/SPX must be run in the NetWare environment because Gateway Services for NetWare requires that IPX/SPX be used for connecting to the NetWare server.

◆

Drive letters limit the number of Gateway Services for NetWare shares. You can connect to NetWare servers as long as available drive letters exist at the Gateway Services for NetWare server. If no drive letters are available, you cannot establish further connections.

◆

Sometimes, for requirements of interoperability, NetWare accounts might have administrative rights on the NetWare server, which is a security risk. Give minimum access rights and privileges to clients keeping in mind organizational needs. Use the toughest password possible for the gateway account.

Authorization with the Client Service for NetWare To access NetWare resources from a Windows 2000-based computer using the Client Service for NetWare, you need to create accounts and groups to control access on the NetWare network and allow Windows clients to access NetWare resources. You can use MSDSS, which synchronizes Active Directory with NDS and NetWare 3.x, to manage a large number of accounts on both networks. Install MDSS with Services for NetWare 5.x.

Authorization with the File and Print Services for NetWare As discussed earlier, File and Print Services for NetWare allows a NetWare client to access a Windows 2000-based server. A NetWare 3.12 server that authenticates the client is emulated when the File and Print Services for NetWare service is executed on the Windows 2000-based server. The client’s credentials are then checked against Active Directory to verify its authenticity.


441

442

Part IV


Access to NetWare Resources The transport services for most NetWare servers are performed by IPX/SPX, just as TCP/IP uses IP, TCP, and UDP. NetWare Core Protocol (NCP) is used for clients to access the NetWare server. In a network using both TCP/IP and IPX/SPX, the Gateway Services for NetWare and Client Services for NetWare provide the protocols you need for administrating and authenticating users. Following are the pointers for designing secure access to NetWare resources: ◆

Using the NWLinks Protocol. Do not use too many protocols, and route the protocols to reduce the risk of unauthorized access to data. The problem with using the IPX/SPX and IP protocols is that these protocols do not support the same security options. When you use IPX/SPX on a NetWare server, keep in mind that the availability status of the server is displayed over the network. This data could be accessed by unauthorized users.

◆

Using Client Service for NetWare. If Client Service for Netware is used, login identities for all clients are created with permissions at the user and group levels. You can create multiple accounts for synchronizing the two networks with additional administrative responsibilities.

◆

Using Gateway Service for NetWare. If Gateway Services for NetWare is used, administering the security permissions is easier because there is only one account. You need not set user-level permissions because all the clients access the computer through one authenticated account.

◆

Risk of using services for NetWare. The File and Print Services emulates a NetWare server on the Windows 2000-based server to authenticate the client. Each time a NetWare client connects to a server, the credentials are checked. These can be stored in clear-text. If a NetWare client connects to a Windows 2000-based server, Active Directory accounts and passwords might be transmitted in clear-text posing a risk to the security.

Securing File Access File access to NetWare clients can be granted by defining Novell volumes in the Computer Management snap-in. You restrict access to authorized users by setting permissions on NetWare volumes. Alternatively, you can define NTFS permissions on folders and files within the NetWare volume to alter effective



Chapter 12

permissions. As with Windows 2000 native access, the most restrictive volume and NTFS permissions are the effective permissions for resources.

Securing Print Access All shared printers configured on the Windows 2000–based server running File and Print Services for NetWare can be accessed both by Windows and NetWare client computers. NetWare clients use the share name defined for the printer as the printer queue name. You can control printer access by assigning Print permissions to groups that contain the NetWare-enabled user accounts. Having learned how to secure access with NetWare clients, you will now learn about securing access with Macintosh clients.

Securing Access with Macintosh Clients Windows 2000 provides AppleTalk Network Integration Services for interoperability with Macintosh networks. This service provides both authentication and resource access capabilities to the two types of operating systems in a heterogeneous network. You can authenticate users either using a Macintosh or Windowsbased method.

Interoperability You can use the AppleTalk integration services to enable Windows 2000 and Macintosh clients to access Windows 2000-based servers. The services include: ◆

File services. You can use the File Services for Macintosh to enable Macintosh or Windows clients to access shares on a computer that has Windows 2000 Server running on it. This service for Macintosh requires that Macintosh clients authenticate using accounts stored in Active Directory.

◆

Print services. You can print documents from a Macintosh client to a printer that is connected to a Windows 2000-based server. From a Macintosh and Windows client you can send documents for printing to any printer on the AppleTalk network.


443

444

Part IV


◆

Protocol. You can use the AppleTalk Phase 2 or the TCP/IP protocol to enable the Files and Print Services of Macintosh and the Macintosh network clients to communicate. Both protocols are supported by Windows 2000. You can run Files Services for Macintosh without using the AppleTalk protocol if it is available over TCP/IP. When you install both TCP/IP and AppleTalk on a computer, then the Macintosh client tries to start a connection using TCP/IP.

Authentication You can use encryption or user authentication methods to secure an AppleTalk network. When Macintosh users require authentication on a Windows 2000 network, any of the following authentication methods can be used: ◆

No authentication

◆

Encrypted password

Let me now elaborate on each of the preceding methods.

No Authentication When you access resources on a Windows 2000 network, simple and nonencrypted passwords are used, by default, by the Macintosh clients. Use this method when data is to be accessed by anonymous users. Following are the two ways in which you can configure a Windows 2000 network to authenticate a Macintosh user: ◆

Guest users. Use this authentication for servers with low security configurations where the data does not require audit or security permissions. A password is not required if the guest access is enabled. As a guest, you can access any resources defined for the guest account.

◆

Clear text passwords. On Macintosh computers that have AppleShare client or Macintosh System 7 operating systems, the clear text password protection is available by default.

Encrypted Password You can use any of the following methods of encryption supported by Files Services for Macintosh:



Chapter 12

◆

Apple Standard Encryption. Use passwords that are eight characters in length. Though passwords are encrypted, you can decode them because of their short length.

◆

Microsoft User Authentication Module (MS-UAM). You need to install the AppleShare client 3.8 at each Macintosh client to support stronger encryption of authentication credentials. This method allows a password of 14 characters. This is the recommended method for authentication.

When these two methods are used, the Macintosh client uses the encryption method. Kerberos-based authentication is not supported by AppleTalk network integration services.

Secure Access to Windows 2000 Resources You can use the AppleTalk integration services to enable Windows 2000 and Macintosh clients to access Windows 2000-based servers. These services allow Macintosh clients to securely access resources stored on Windows 2000-based servers without having to install additional software on the Macintosh clients. The following are the guidelines that you can follow for file security and printer security.

File Security You can store files on a Windows server in a volume that can be accessed by a Macintosh and a Windows client. These Mac-accessible volumes allow you to access an NTFS volume on a Windows 2000-based server. You can secure Macaccessible volumes by setting the permissions on it and the NTFS permissions on the folders and files within the Mac-accessible volume. The user’s effective permissions for the Mac-accessible volume will be defined by their Active Directory user account and primary group. You can also use volume passwords provided by the File Services for Macintosh as an extra level of security. Volume passwords are case sensitive and you assign them while creating volumes on a Macintosh computer. You have to enter the volume password other than the user logon password to access the volume.

Printer Security AppleTalk cannot authenticate a printing client because the network does not support security for printing. You cannot implement user-level security for Macintosh


445

446

Part IV


printers. Macintosh clients therefore assume that security is not required for accessing printers, and so they do not send their credentials to the printers. Print security can be implemented by changing the service account associated with the MacPrint service to a specific user account rather than the default of the System account. You can then assign the new service account Print permissions only to the printers that are accessible to Macintosh users.

Summary In this chapter, you learned how Windows 2000 allows security between Windows 2000 and UNIX. Microsoft Services for UNIX 2.0 includes tools that allow interoperability of UNIX and Windows networks. Windows 2000 authenticates UNIX clients depending on the application that the client uses. Services for UNIX provides the two following methods of authentication: UNIX authentication and NTLM authentication. Next, you learned that Windows 2000-based computers can interact with NetWare clients and servers using one of the three software services provided. These are NWLink Protocol, Client Service for NetWare and Gateway Service for NetWare. Access to NetWare file and print resources and directory services from a Windows 2000-based computer can be allowed using the Gateway Service for NetWare or Client Service for NetWare. The File and Print Services for NetWare allows a NetWare client to access a Windows 2000-based server. Finally, the AppleTalk integration services enable Windows 2000 and Macintosh clients to access Windows 2000-based servers. When Macintosh users require authentication on a Windows 2000 network, no authentication or encrypted password authentication methods can be used:

Check Your Understanding Short Questions 1. Your organization has software stored in the corporate office that is to be accessed by UNIX and Macintosh users in different branch offices. How will your organization accomplish this? 2. Why is Telnet a security risk, and what can be done to make it secure?



Chapter 12

3. An administrator in your organization wants to provide gateway services to NetWare resources. He is not able to do so. Why not?

Answers Short Answers 1. Install Services for UNIX and Services for Macintosh and configure appropriate protocols on the server. To ensure secure access, install MSUAM on the Macintosh clients to ensure secure passwords up to 14 characters. 2. Telnet uses clear text while transmitting data. To secure Telnet communication, you can configure the Telnet server to require NTLM authentication. In addition, you can use IPSec to encrypt all IPSec communication. 3. Only members of the Ntgateway group can provide gateway services to the NetWare resources. Therefore, the user account that the Gateway Services for NetWare service uses to connect to the NetWare environment must be a member of the Ntgateway group on the NetWare server.


447



PART

V Appendixes




Appendix A Best Practices


y now you must have a fairly good idea of the various security threats faced by your networks. Windows 2000 provides you with a number of mechanisms and tools for safeguarding your network against the havoc caused by these threats. However, despite the best security mechanisms implemented by us, many times we find ourselves so very vulnerable to these attacks. Following are the best practices that an administrator should follow to harden Windows 2000.

B

Auditing ◆

Assign the amount of disk space for the security log. You need to identify and select the files and folders to be audited; the security log is limited in size. Auditing an item records all the events that are generated in the security log, therefore increasing the size of the security log unnecessarily.

◆

Do not add too many items to be audited; auditing uses a lot of system resources. Auditing requires read/write operations to the disk, and this can drain system resources.

◆

Listed below are the events that you should monitor. • Audit for the failure of a logon. • Audit for the success of a logon/logoff. • Audit for the successful change to user rights, user and group management, security change policies, restart, shutdown, and system policies. • Set up a success and failure audit for file access and object access events. • Set up an audit of successes and failures for file-access printers and object-access events. • Set up an audit of successes and failures of write access for program files (.EXE and .DLL extensions). Set up an audit of successes and failures for process tracking.


BEST PRACTICES

Appendix A

Securing CAs ◆

Identify and define your PKI before deploying CAs.

◆

The root CA should be kept offline and its signing key should be secured by hardware and kept in a vault to minimize the potential for key compromise.

◆

If you are going to deploy a custom policy module for a Windows 2000 certification authority, you should install Certificate Services using a stand-alone policy. You should thereafter replace this stand-alone policy with your custom policy. You cannot replace an enterprise policy on a CA with a custom policy. This is not supported and may cause unpredictable results.

◆

You should change security permissions for the CA using only the Certification Authority snap-in. Applying permissions using other mechanisms, such as the Active Directory Sites and Services snap-in, may create problems for users attempting to access and request certificates from the certification authority.

◆

Certificates to users or computers should not be issued directly from the root CA. You should deploy at least a three-level CA hierarchy compromised of Root-Intermediate-Issuer CAs. This will provide flexibility and protect the root certification authority from attempts to compromise its private key by intruders.

◆

Back up the CA database, the CA certificate, and the CA keys to protect against the loss of critical data. You should make backups of the CA on a regular basis, daily, weekly, and monthly. The backups should be based on the number of certificates issued over the same interval. If the number of certificates issued over an interval is high, then the backups should be taken more regularly.

◆

You should review the security permissions and access control in Windows because enterprise certification authorities issue certificates based on the security permissions of the certificate requester.


453

454

Part V

APPENDIXES

EFS ◆

The My Documents folder should be encrypted if it is the default location where users save most of their documents. This ensures that the user’s personal documents are encrypted by default.

◆

The Temp folder used by users should be encrypted. This will automatically encrypt any temporary files created by programs.

◆

Encrypt folders instead of individual files. This will automatically encrypt any temporary files created by programs during editing.

◆

The designated recovery agent should export the data recovery certificate. It should then be secured in a safe place, and deleted from the hard disk. Using this procedure, only the user who has physical access to the data recovery certificate can recover data for the system.

◆

When data recovery is required, the recovery agent can obtain the data recovery certificate from the safe storage location and import the certificate back into the system. With the data recovery certificate on the system, the recovery agent can perform recovery of the data from the user’s encrypted file. After completing the data recovery task, the recovery agent should again delete the data recovery certificate from the system.

Security Configuration and Analysis ◆

The Secedit.exe command line tool may be used as a method of batch analysis. This command line tool is used if frequent analysis of a large number of computers is required, as in the case of a domain-based infrastructure. The analysis results still must be viewed with Security Configuration and Analysis.

◆

Create personal databases into which you can import templates for analysis. This import process can be repeated and used to load multiple templates that will be merged into one composite template. It might be useful to save the composite template for future analysis or configuration of other systems. The export feature provides the ability to save the stored configuration as a new template.

◆

The Use Configure System Now option should be used to modify security areas that are not affected by Group Policy settings, such as security


BEST PRACTICES

Appendix A

on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, they will take precedence over local settings. By rule, do not use the Configure System Now option when you are analyzing security for domain-based clients because you will have to go to each client individually. In this scenario, you should use the Security Templates snap-in to modify the template and reapply it to the appropriate Group Policy object. ◆

You should modify the base template in your working database. The changes are made to a copy of the template. This will help you avoid continued flagging of settings that you have investigated and determined to be reasonable.

Security Templates ◆

Account policies should not be configured for organizational units that do not contain any computers. The organizational units that contain only users will always receive account policy from the domain.

◆

When setting account policies in Active Directory, be aware that Windows 2000 only allows one domain account policy; this is the account policy applied at the root domain of a domain tree.

◆

When upgrading Windows 2000 Professional on computers that are members of a Windows 2000 domain, the account and password policies will take precedence over the local policy on any domain controllers, servers, and workstations in the domain.

◆

Predefined security templates should not be applied to production systems without testing to ensure that the right level of application functionality is maintained for your network and system architecture.

◆

Event Log settings should be implemented at the site, domain, or organizational unit level to take advantage of Group Policy settings. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan.

◆

Perform adequate testing before you set the system service startup to automatic. This will ensure that the services can start without user intervention.


455

456

Part V

APPENDIXES

◆

You should track the system services used on a computer. Unnecessary or unused services should be run through manual intervention. This will ensure optimum performance.

◆

When security settings are imported to a Group Policy object in Active Directory, the local security settings of the computer accounts to which that Group Policy object is applied will be affected.

◆

When a security template is imported to a Group Policy object, any accounts to which the Group Policy object is applied automatically receive the template’s security settings when the Group Policy settings are refreshed.

Access Control ◆

User rights are assigned on a group basis.

◆

Rely on inheritance from group assignments. Maintaining user accounts directly is not very efficient, so assigning rights on a user basis should be the exception.

◆

Rights should be assigned as high in the container tree as possible. In this way, you achieve the maximum breadth of effect with the least effort. The rights you establish should be adequate for the majority of the security principals.

◆

Inheritance should be applied to propagate rights through the container tree. Just as applying access control from a higher level of the tree provides breadth of scope, inheritance provides depth. You can quickly and effectively apply access control settings to all children of a parent object.

◆

Administrators who manage the computers where the containers reside should be delegated the administrators of the containers. By delegating authority to administer the rights for a container, you can decentralize administrative operations and issues. This reduces the cost of ownership by distributing administration closer to its point of service.

◆

You must address the default level of security to be used when you deploy Windows 2000 in your organization. The main issue is the installed base of applications you need to support on workstations.


BEST PRACTICES

◆

Appendix A

Windows 2000 defines three levels of security for clean-installed systems: Users, Power Users, and Administrators. By default, all end-users who are members of the Users group are able run certified Windows 2000 applications. If you need to support applications that have not been certified for Windows 2000, you must do one of the following: • Change all of your end users to Power Users rather than Users. • Modify the default security settings to increase the privileges granted to Users.

◆

There are additional issues with computers that have been upgraded to Windows 2000 Server from Windows NT: • Security is not modified during the upgrade. Therefore, applications not certified for Windows 2000 will continue to run without modification after the upgrade. • To make the upgraded computer use the new Windows 2000 security defaults, the Windows 2000 default security settings are supplied in systemroot\security\templates\basicwk.inf.

Active Directory ◆

Use the Run as command to perform administrative tasks. You are not required to log on with administrative rights. Log on as a normal user and then use the Run as command to perform administrative tasks. Using the Run as command, you can run administrative tools with administrative rights and permissions while logged on as a normal user.

◆

All geographic areas that require fast access to the latest directory information should be established as sites. Establishing areas that require immediate access to up-to-date Active Directory information as separate sites will provide the resources required to meet your needs.

◆

Place at least one domain controller at each site; at least one domain controller at each site should be configured as a global catalog. Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient.


457

458

Part V

APPENDIXES

◆

Configure all site links as transitive and ignore schedules for replication. Transitive site links maximize available connections between sites and the times the connections can be used.

◆

Establish a preferred bridgehead server when you are using a firewall or if you want to dedicate a computer to inter-site replication. A bridgehead server serves as a proxy for communication with other sites outside of a firewall.

◆

All sites must be associated with at least one subnet and at least one site link, or they will not be usable.

Group Policy ◆

All unused parts of a Group Policy object should be disabled. If a Group Policy object has, under the User Configuration or Computer Configuration node of the console, only settings that are Not Configured, then you can avoid processing those settings by disabling the node. This speeds up startup and logon for those users and computers subject to the Group Policy object.

◆

Use the Block Policy Inheritance and No Override features less frequently and marginally. Routine use of these features makes it difficult to troubleshoot policy.

◆

The number of Group Policy objects associated with users in domains or organizational units should be minimized. The more Group Policy objects that are applied to a user, the longer it takes the user to log on.

◆

Use a filtering policy based on security group membership. Users who do not have an ACE directing that a particular Group Policy object be applied to them can avoid the associated logon delay because the Group Policy object will not be processed for those users.

◆

Filtering can only be done using membership in security groups.

◆

The ACEs appear on the Security tab on the Properties page of a Group Policy object.

◆

Override user-based Group Policy with computer-based Group Policy only when required. Do this only if you need the desktop configuration to be the same regardless of who logs on.


BEST PRACTICES

◆

Appendix A

Avoid cross-domain Group Policy object assignments. The processing of Group Policy objects will slow logon and startup if Group Policy is obtained from another domain.

Software Installation and Management ◆

Specify application categories for your organization. Using categories makes it easier for users to find an application in Add/Remove Programs in Control Panel.

◆

The Windows Installer packages should be correctly transformed before they are published or assigned. Transforms are applied to packages at the time of assignment or publication. Transforms, or .mst files, are customizations applied to Windows Installer packages. A transform is applied at the time of assignment or publication, not at the time of installation.

◆

A Group Policy object should be assigned or published just once.

◆

A Windows Installer package should be assigned or published no more than once in the same Group Policy object.

◆

Make use of authoring tools. Users or developers familiar with the files, registry entries, and other requirements for an application to work properly can program native Windows Installer packages using tools available from various software vendors.

◆

You can repackage existing software. You can use commercially available tools to create Windows Installer packages for software that does not include natively authored .msi files. These work by comparing a computer’s state before and after installation. For best results, install the package on a computer free of other application software.

◆

Use SMS and Dfs. The Microsoft Systems Management Server (SMS) and the Windows 2000 Distributed File System (Dfs) are used in managing the network shares from where users install their managed software.

◆

Assign or publish at a high level in the Active Directory hierarchy. Because Group Policy settings are applied by default to child Active Directory containers, it is efficient to assign or publish by linking a


459

460

Part V

APPENDIXES

Group Policy object to a parent organizational unit or domain. Use access control entries, or ACEs, on the Group Policy object for finer control over who receives the software. ◆

Use Windows Installer package properties for stricter control. Use the Software Installation node, right-click the package in the details pane and click Properties. Use this for assigning or publishing a single package.

Folder Redirection ◆

Enable client-side caching. This is especially important for users with laptops.

◆

Add %username% into fully qualified universal naming convention (UNC) paths. This allows users to have their own folders. For example, \\server\share\%username%\ Userdocs.

◆

Configure the My Pictures folder to follow the My Documents folder. This format is advised unless there is a reason not to, such as file share scalability.

◆

Identify how policy removal will affect the Folder Redirection policies.

◆

Accept the default Folder Redirection settings.

Distributed File System (Dfs) ◆

Do not install Dfs on a FAT file system; replication is only available on the NTFS file system and not on FAT file system.

◆

Add all Dfs links and Dfs shared folders for the first Dfs root before creating other Dfs roots when setting up your Dfs topology.

◆

To maintain a balanced load on your server, you should consider the schedule of synchronization. This sets the replication policy. The schedule of synchronization requires that you understand the following: • The topology between the participating servers. • How network performance may be affected, based on available bandwidth. • The quantity of replication traffic likely to occur. Connections are optimized for DNS-based connection requests. A Dfs link automati-


BEST PRACTICES

Appendix A

cally selects the nearest Dfs shared folder, based on site topology information. The members of a set of Dfs shared folders must still be synchronized. • Replication schedules for the distributed file system, as well as the replication schedules for any other distributed file systems in the same site. ◆

Perform daily administration as follows: • Save the console file for future use after you have created a Dfs console for the Dfs roots that you administer. • Use a shorter cache time-out period to ensure that clients refresh the data. for Dfs shared folders in which the content in the shared folders frequently changes. You can extend the cache time-out period for shared folders in which the content in the shares seldom changes. • Perform status checks on common Dfs shared folders periodically to ensure that the shared folders are still valid.

◆

Users should be sure that the administrator (you) is aware of the shared folders they commonly use. They should request that the shared folders be added to a Dfs root if the shared folders do not already reside in a distributed file system.

Network and Dial-up Connections ◆

The required connection settings should be verified with your Internet service provider (ISP). A connection to your ISP may require one or more of the following settings: • A specific IP address. • IP header compression (for PPP). • DNS addresses and domain names. • Optional settings, such as Internet Protocol security (IPSec).

◆

Automated IP settings (DHCP) should be used whenever possible. You should use automated IP settings for the following reasons: • DHCP is enabled by default. • When your location changes, you do not have to modify your IP settings. • Automated IP settings are used for all connections, and they eliminate the need to configure settings such as DNS, WINS, and so on.


461

462

Part V

APPENDIXES

◆

Rename each local area connection when using multiple network adapters. Windows 2000 detects network adapters and automatically creates a local area connection in the Network and Dial-up Connections folder for each network adapter. If more than one network adapter is installed, you can eliminate possible confusion by immediately renaming each local area connection to reflect the network that it connects to. You need to add or enable the network clients, services, and protocols that are required for each connection. By doing so, the client, service, or protocol is added or enabled in all other network and dial-up connections.

◆

Set up multiple dial-up, VPN, or direct connections by copying them in the Network and Dial-up Connections folder. After you copy the connections, you can rename them and modify the connection settings. By doing so, you can easily create different connections to accommodate multiple modems, ISPs, dialing profiles, and so on.

◆

Enable or disable the network components for each LAN connection when using one network adapter and connecting to multiple LANs. If your computer has one network adapter and you need to connect to multiple LANs, your local area connection network components need to be enabled or disabled each time you connect to a different LAN.

◆

List the order in which Windows 2000 accesses network providers and protocols. By changing the order of protocols bound to those providers, you can improve performance.

◆

Only install and enable the network protocols that you require. Limiting the number of protocols on your computer enhances network performance and reduces network traffic.

◆

Windows 2000 attempts to establish connectivity by using every network protocol that is installed whenever it encounters a problem with network connectivity. By only installing and enabling the protocols that your system can use, Windows 2000 does not attempt to connect with protocols it cannot use, and returns status information to you more efficiently.

TCP/IP Protocol ◆

Develop a comprehensive IP addressing plan for your network if your network does not already use TCP/IP. You need to answer the following questions to help make a workable plan:


BEST PRACTICES

Appendix A

1. How many physically separate network segments will be contained within your network? 2. How many host systems on each network segment will use TCP/IP? 3. How will your network be connected to the Internet? • Will your network be directly connected to the Internet by a router (which uses public addresses allocated by your Internet service provider)? Or will it be indirectly connected to the Internet using a network address translator (NAT) or an application layer gateway, such as a proxy server (which uses private addresses)? • If not, then it is technically possible to use any IP addressing scheme. However, it is highly recommended that you use private addresses so that an eventual connection to the Internet does not force you to renumber your network. ◆

Use addresses from the private address ranges reserved by the Internet Assigned Numbers Authority (IANA) when you are using private IP addressing.

◆

Configure a default gateway on only one network adapter. This practice reduces confusion and assures the results you intended.

◆

Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server. This field is used by applications to notify DNS administrators for a variety of reasons.

◆

Be conservative in adding alias records to zones. Avoid using CNAME resource records (RRs) where they are not needed to alias a host name used in a host (A) resource record. Ensure that any alias names that you use are not used in other RRs.

◆

When designing your DNS network, use standard guidelines and follow preferred practices for managing your DNS infrastructure. DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone.

◆

DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone.

DNS


463

464

Part V

APPENDIXES

Server Best Practices ◆

Use directory-integrated storage for your zones for best results and simplified deployment and troubleshooting if you are using Active Directory. By integrating zones, you can simplify network planning.

◆

Standard primary type zones are required to create and manage zones in your DNS namespace if you are not using Active Directory. In this case, a single-master update model applies, with one DNS server designated as the primary server for a zone. Only the primary server, as determined in the SOA record properties for the zone, can process an update to the zone.

◆

Use secondary or caching-only servers for your zones to assist in offloading DNS query traffic wherever it makes sense. Secondary servers can be used as backups for DNS clients or as the preferred DNS servers for legacy DNS clients. For mixed-mode environments, this allows you to use secondary servers as a means to load balance DNS query traffic on your network, and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs.

Internet DNS Best Practices ◆

The Internet Engineering Task Force (IETF) has published several Request for Comment (RFC) documents that cover best practices for DNS, as recommended by various DNS architects and planners for the Internet. It is useful to review these RFCs, particularly if you are planning a large DNS design, such as for a large Internet service provider (ISP) that supports the use of DNS name service. Current RFCs that cover Internet DNS best practices include those listed in the following: • RFC 1912-Common DNS Operational and Configuration Errors • RFC 2182-Selection and Operation of Secondary DNS Servers • RFC 2219-Use of DNS Aliases for Network Services

DHCP ◆

The 80/20 design rule should be used for balancing scope distribution of addresses where multiple DHCP servers are deployed to service the


BEST PRACTICES

Appendix A

same scope. Using more than one DHCP server on the same subnet provides increased fault tolerance for servicing DHCP clients located on it. With two DHCP servers, if one server is unavailable, the other server can take its place and continue to lease new addresses or renew existing clients. ◆

Scopes should be deactivated only when you remove a scope permanently from service. Once you activate a scope, it should not be deactivated until you are ready to retire the scope and its included range of addresses from use on your network.

◆

Server-side conflict detection on DHCP servers should be used only when it is needed. Either DHCP servers or clients determine whether an IP address is already in use on the network before leasing or using the address that can use conflict detection.

◆

DHCP is disk-intensive, therefore you should purchase hardware with optimal disk performance characteristics. DHCP causes frequent and intensive activity on server hard disks. To provide the best performance, consider RAID when purchasing hardware solutions that improve disk access time for your server computer.

◆

The lease times for DHCP clients that use RRAS for remote access should be reduced. If Routing and Remote Access service is used on your network to support dial-up clients, you can adjust the lease time on scopes that service these clients to less than the default of three days. For Windows 2000, one recommended way to support remote access clients in your scopes is to add and configure the built-in Microsoft vendor class provided for identifying them.

◆

DHCP should be integrated with other services, such as WINS and DNS. WINS and DNS can both be used for registering dynamic nameto-address mappings on your network. To provide name resolution services, you must plan for interoperability of DHCP with these services. Most network administrators implementing DHCP also plan a strategy for implementing DNS and WINS servers.

◆

Use relay agents or set appropriate timers to prevent undesired forwarding and relay of BOOTP and DHCP message traffic for routed networks. If you have multiple physical networks connected through routers, the routers must be capable of relaying BOOTP and DHCP traffic.


465

466

Part V

APPENDIXES

◆

Use the default client preference settings for dynamic updates performed by the DHCP service. For Windows 2000 Server, the DHCP service performs dynamic updates for DHCP clients based on how clients request that they be done.

◆

Before you install a DHCP server, identify the following: • The hardware and storage requirements for the DHCP server. • Which computers you can immediately configure as DHCP clients for dynamic TCP/IP configuration and which computers you should manually configure with static TCP/IP configuration parameters, including static IP addresses. • The DHCP option types and their values to be predefined for DHCP clients.

Internet Authentication Services ◆

Install and test each of your network access servers (through local use) before making them RADIUS clients.

◆

After you install and configure IAS, back up the IAS database file Ias.mdb before you run IAS for the first time. The Ias.mdb file is stored in the systemroot\System32\ias folder, where systemroot is the folder in which Windows 2000 system files are located, typically C:\Winnt.

◆

Install IAS on a computer dedicated solely as a RADIUS server, to eliminate the possibility of unauthorized users gaining access to the system.

◆

The IAS computer should also be physically secured. To avoid tampering, install a key switch on the power switch and restrict physical access to the computer.

◆

You should protect your IAS server with a firewall. When you configure your firewall, make sure that the ports you are using for RADIUS authentication and accounting are open and allow UDP packet transmission.

◆

Use long shared secrets. The longer the secret, the more secure it will be.

◆

Turn on the account lockout feature.

◆

You can also set up your network access servers to try to negotiate a connection using the most secure protocol first, and then the next less secure, and so on to the least secure.


BEST PRACTICES

Appendix A

◆

All authentication protocols that your users will not be using should be disabled.

◆

Initially, turn on logging of both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.

◆

Ensure that event logging is configured with sufficient capacity to maintain your logs. The default is 512KB and, depending on your configuration, should be at least double this size.

◆

Back up all log files on a regular basis because logs cannot be recreated if they are damaged or deleted.

◆

Use the class attribute to track usage and simplify identification of which department or user to charge for usage. Although the class attribute is unique for each request, duplicate records may exist in cases where a response to the NAS is lost and the NAS re-sends the request. Depending on how you implement your tracking process, you may need to delete the duplicate requests from your logs to accurately track usage.

◆

IAS uses the global catalog in Windows 2000 domains to authenticate users. To minimize latency, install IAS on a server near your global catalog server.

◆

If you are using remote access policies to restrict access for all but certain groups, create a Universal Group for all the users to whom you want to allow access, and create a remote access policy that grants access for that universal group. Do not put all your users directly in the Universal Group, especially if you have a large number of users on your network. Create groups within the Universal Group, and add the users in those groups.

◆

Use a user principal name to refer to users whenever possible. A user can have the same user principal name regardless of what domain the user belongs to. This indirection provides scalability that may be required in organizations with a large number of domains.

◆

If the IAS server is receiving a very large number of authentication requests per second, you can improve throughput by increasing the number of concurrent authentication calls in progress at one time between the IAS server and the domain controller.


467

468

Part V

APPENDIXES

Remote Access Server ◆

DHCP should be used to obtain IP addresses. If you installed a DHCP server, configure the remote access server to use DHCP to obtain IP addresses for remote access clients. If you did not install a DHCP server, configure the remote access server with a static IP address pool, which is a subset of addresses from the subnet to which the remote access server is attached.

◆

Strong authentication should be used.

◆

Use strong passwords more than 8 characters long that contain a mixture of uppercase and lowercase letters, numbers, and permitted punctuation. Do not use passwords based on names or words. Strong passwords are more resistant to a dictionary attack, where an unauthorized user attempts to crack a password by sending a series of commonly used names and words.

◆

Although EAP-TLS works with registry-based certificates, for security reasons it is highly recommended that you only use EAP-TLS with smart cards.

◆

If you are using MS-CHAP, use MS-CHAP version 2. You can obtain the latest MS-CHAP updates for Windows NT version 4.0, Windows 98, and Windows 95, or Windows NT remote access clients from Microsoft.

◆

Automatic allocation for IPX network IDs should be used. Configure the remote access server to automatically allocate the same IPX network ID to all remote access clients.

◆

Avoid configuring different remote access policies for the same user. If a user dials in by using a multi-link connection, all connections beyond the first are made by using the remote access policy that matched the first connection.

VPNs ◆

DHCP should be used to obtain IP addresses. If you installed a DHCP server, configure the VPN server to use DHCP to obtain IP addresses for VPN clients. If you did not install a DHCP server and you have a single subnet, configure the VPN server with a static IP address pool


BEST PRACTICES

Appendix A

that is a subset of addresses for the subnet to which the VPN server is attached. If you did not install a DHCP server and you have multiple subnets and a routed infrastructure, configure the VPN server with a static IP address pool that consists of ranges of addresses that are a separate subnet from the subnet to which the VPN server is attached. Then, either add the static routes that represent the address ranges to the routing tables of neighboring routers or enable the routing protocol of your routed infrastructure on the VPN server. ◆

Strong authentication should be used.

◆

Use strong passwords more than 8 characters long that contain a mixture of uppercase and lowercase letters, numbers, and permitted punctuation. Do not use passwords based on names or words. Strong passwords are more resistant to a dictionary attack, where an unauthorized user attempts to crack a password by sending a series of commonly used names and words.

◆

Although EAP-TLS works with registry-based certificates, it is highly recommended that you only use EAP-TLS with smart cards for remote access to VPN connections.

◆

If you are using MS-CHAP, use MS-CHAP version 2. You can obtain the latest MS-CHAP updates for Windows NT version 4.0, Windows 98, and Windows 95 VPN clients from Microsoft.

◆

Use the strongest level of encryption that your situation allows. For VPN connections within North America, use strong or strongest encryption. For VPN connections outside of North America, use basic encryption. Strongest encryption is only available on North American versions of Windows 2000.

◆

Automatic allocation for IPX network IDs should be used. Configure the VPN server to automatically allocate the same IPX network ID to all VPN clients.

IPSec Policy ◆

Evaluate the type of information being sent over your network. Identify whether the information is sensitive financial data, proprietary information, or electronic mail. Because of their function, some departments may require a higher level of security than the majority of the enterprise.


469

470

Part V

APPENDIXES

◆

Determine where your information is stored, how it is routed through the network, and from what computers it will be accessed. This provides information about the speed, capacity, and utilization of the network prior to implementation, which is helpful for performance optimization.

◆

Evaluate your vulnerability to network attacks.

◆

Design and document an enterprise-wide network security plan. Take into account the security framework of Windows, including the Active Directory model, and how security is applied to Group Policy.

◆

Design, create, and test the IPSec policies, to clarify and refine what policies and policy structures are truly necessary. During testing of your deployment scenarios, run normal workloads on applications to gain realistic feedback. During initial tests, if you want to view the packet contents with Network Monitor or a sniffer, use the Medium security method level or a custom security method set to AH, since using High or ESP will prevent viewing of the packet.

◆

Reduce administrative overhead spent on policy by using the predefined policies, rules, and filter actions whenever possible. They can be activated, modified, or used as a template for defining your own.

Disk Management ◆

Back up the disk contents before deleting or creating partitions or volumes destroys any existing data. As with any major change to disk contents, you should back up the entire contents of the hard disk before working with partitions or volumes, even if you plan to leave one or more of your partitions or volumes alone.

◆

Several Windows 2000 features require the NTFS file system. Therefore, you need to format volumes using the NTFS file system.

◆

Several Disk Management tasks can be performed only with dynamic disks, including the ability to create fault-tolerant disks. Therefore you need to use dynamic disks.

Backing Up and Restoring Data ◆

Identify and develop the backup and restore strategies and test them. A good plan ensures that you can quickly recover your data if it is lost.


BEST PRACTICES

Appendix A

◆

Train appropriate personnel to back up and restore data. In minimumsecurity and medium-security networks, grant backup rights to one user and restore rights to a different user. Train personnel with restore rights to perform all of the restore tasks if the administrator is unavailable. In a high-security network, only administrators should restore files.

◆

Back up an entire volume to prepare for the unlikely event of a disk failure. It is more efficient to restore the entire volume in one operation.

◆

Back up the directory services database on a domain controller to prevent the loss of user account and security information.

◆

Create and print a backup log for each backup. Keep a book of logs to make it easier to locate specific files. The backup log is helpful when restoring data; you can print it or read it from any text editor. Also, if the tape containing the backup set catalog is corrupted, the printed log can help you locate a file.

◆

Keep three copies of the media. Keep at least one copy offsite in a properly controlled environment.

◆

Perform a trial restoration periodically to verify that your files were properly backed up. A trial restoration can uncover hardware problems that do not show up with software verifications.

◆

Secure both the storage device and the backup media. It is possible for someone to access the data from a stolen medium by restoring the data to another server for which they are an administrator.

Fault Tolerance ◆

Mirror the boot and system volumes onto another disk. If one of the disks containing the boot and system volumes fails, you can start the computer from the disk containing the mirrors of these volumes.

◆

Upgrade basic disks that belong to RAID arrays to dynamic disks. If a member disk of a RAID array fails, you can add a new disk to the computer and then rebuild the new member without rebooting the computer, thereby saving time.

◆

Select a UPS device that not only includes a battery, but can also take advantage of the alerting features of the Windows UPS service in the event of a power failure. These features include main-power failure detection, low-battery detection, and UPS shutdown.


471

472

Part V

APPENDIXES

◆

Test the UPS device by simulating a power failure. You can do this by disconnecting the power to the device. This will enable you to determine whether the UPS is configured correctly, and how long the computer will run before the battery runs out of energy.

◆

If you set Power Options to execute a command file following main power failure, make sure the command file finishes running in 30 seconds. A run time that is greater than 30 seconds threatens the capability of Windows to complete a graceful system shutdown.

Disaster Recovery ◆

Separate the boot and system volumes. Put the Windows 2000 Server system and boot volumes and the data volumes on separate drives. This greatly simplifies recovery if a disk is damaged.

◆

Save the disk configuration data each time you change the configuration using Disk Management.

◆

Keep a written record of disk volumes and their sizes to have during disk recovery. Attach this information to the front of each disk drive.

Network Monitor ◆

Run Network Monitor at low-usage times or for short periods of time. This decreases the effect on system performance caused by Network Monitor.

◆

Capture only as many statistics as you need for evaluation. This prevents you from capturing too much information to make a reasonably quick diagnosis of the problem.

Performance Monitoring ◆

Configure Performance Logs and Alerts to report data for the recommended counters at regular intervals, such as every 10 to 15 minutes. Retain logs over extended periods of time, store data in a database, and query the data to report on and analyze the data as needed for overall performance assessment, trend analysis, and capacity planning. For best


BEST PRACTICES

Appendix A

results, do the following before starting System Monitor or Performance Logs and Alerts on the computer you want to monitor for diagnostic purposes: • Stop screen-saver programs. • Turn off services that are not essential or relevant to monitoring. • Increase the paging file to physical memory size plus 100 MB. • Using Registry Editor, view the settings for the following and make note of all keys that have nonzero values: • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet Control\SessionManager\Memory Management

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\LanmanServer\Parameters ◆

If the server in question has halted or is not responding, run System Monitor from another computer.

◆

Keep monitoring overhead low. In general, the performance tools are designed for minimal overhead. However, you may find the overhead increases under each of the following conditions: • You are running System Monitor in graph view. • You have selected an option other than the default (current value) for a report view. • You are sampling at very frequent intervals (less than three seconds apart). • Many different objects and counters are selected.

◆

Other aspects of performance tool operation that affect performance include file size and disk space taken up by log files. To reduce file size and related disk space usage, extend the update interval. Also, log to a disk other than the one you are monitoring. Frequent logging also adds demand on disk input and output (I/O).

◆

If monitoring overhead is a concern, run only the Performance Logs and Alerts service and do not monitor using a System Monitor graph.

◆

During remote logging, frequent updating can slow performance due to network transport. In this case, it is recommended that you log continuously on remote computers but upload logs infrequently—for example, once a day.


473

474

Part V

APPENDIXES

◆

Analyze performance results and establish a performance baseline. Review logged data by graphing it using the System Monitor display or exporting it for printing. Compare the values against the counter thresholds shown in Analyzing performance to verify that resource usage or other activity is within acceptable limits. Set your baseline according to the level of performance that you consider satisfactory for your typical workload.

◆

Set alerts according to the counter values you consider being unacceptable, as defined by baseline evaluation.

◆

Tune system settings and workload to improve performance and repeat monitoring to examine tuning results.

◆

Monitor trends for capacity planning and add or upgrade components as needed. Maintain logged data in a database and observe changes to identify changes in resource requirements. After you observe changes in activity or resource demand, you can identify where you may require additional resources.

Disk Defragmenter ◆

Analyze volumes before defragmenting them. This will tell you if you need to take the time to defragment the volume.

◆

Analyze after large file deletion. Volumes might become excessively fragmented when users delete a large number of files or folders, so be sure to analyze volumes after this happens. Generally, volumes on busy file servers should be defragmented more often than those on single-user workstations.

◆

Defragment file server volumes during low-volume usage periods to minimize the effect that the defragmentation process has on file server performance. The time that Disk Defragmenter takes to defragment a volume depends on several factors, including the size of the volume, the number of files on the volume, the number of fragmented files, and available system resources.


Appendix B FAQs


Can I create a Kerberos-based trust between two domains in different forests?

Q.

A. When you manually create trusts, you can select either Kerberos V5 or NTLM authentication protocol. Kerberos trust relationships are two-way transitive within the same forest. For cross-forest trust relationships, you can only use NTLM because Kerberos V5 is available only within a domain. This limitation is only present in the Microsoft implementation of Kerberos. If you use a thirdparty Kerberos implementation, such as MIT, Kerberos can be used for cross-forest trusts. Q. How can I change the ticket lifetime used by Kerberos? A. The default lifetime for a Kerberos ticket is defined by the group policy for the domain, which is 10 hours, by default. Ten hours is usually sufficient (unless people work very long days). However, you can take the following steps to change the setting: 1. Open the Active Directory Users and Computers snap-in. 2. Right click the domain and select Properties from the context menu. 3. Click the Group Policy tab, select the domain GPO and click Edit. 4. Expand the Computer Configuration\Windows Settings\Security Settings\Kerberos Policy node. 5. Double click the time you wish to change, modify, and click OK. 6. Close the group policy editor. Q. What is a digital signature and how does it work? A. Public-private keys are to provide authentication that a sender is who they say they are. It does not protect the contents of the message; it only proves it is from the user who claims to have sent it. It provides authentication and integrity but does not provide confidentiality; data is sent as normal but acts like a normal signature we use on a letter. A digital signature works by running the entire message through a hash algorithm to create a message digest, which ranges between a 128-bit and a 256-bit number.


FAQS

Appendix B

This generated number is then encrypted by using the sender’s private key and added to the end of the message. When the recipient receives the message, he runs the message through the same hash algorithm and generates the message digest number. The recipient then decrypts the signature using the sender’s public key and if the two numbers match, the recipient comes to know that the message is from the person it says it’s from and that it has not been modified or tampered with. Q. How can users be restricted from changing their passwords except when Windows 2000 prompts them to? A. You can configure your domain via a group policy so that users can change their passwords only when the system prompts them: 1. Open the Active Directory Users and Computers snap-in. 2. Right-click the container (site, domain, or OU) you want to enforce the policy on, and select Properties from the context menu. 3. Select the Group Policy tab. 4. Select the GPO and click Edit. 5. Expand the User Configuration\Administrative Templates\System\Logon/Logoff. 6. Double-click Disable Change Password, and on the Policy tab, select Enabled. 7. Click Apply, then OK. 8. Close all dialog boxes. Refresh the policy with the following command: C:\> secedit /refreshpolicy user_policy

If you want to enforce this feature for a user, you can perform the following steps: 1. Run regedit.exe to start the registry editor. 2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

3. If the System key already exists, select it. Otherwise, create it by choosing Edit, New, Key, System. 4. Under System, choose Edit, New, DWORD value to create a new value of type DWORD.


477

478

Part V

APPENDIXES

5. Type a name of DisableChangePassword, and press Enter. 6. Double-click the new value, and set it to 1. Click OK. 7. Close Regedit. The change takes effect immediately without restarting the system. Q. How do I view/clear the security log? A. Log on as the Administrator and perform the following steps: 1. Choose Start, Programs, Administrative Tools, Event Viewer to start Event Viewer. 2. From the Log menu, choose Security. 3. To clear, select Log and clear all events. You will be prompted to save the info. Click No. 4. It will prompt again; asking if you are sure, click Yes. 5. Close Event Viewer. Q. Can I configure the system to stop when the security log is full? How? A. Configuring the system to halt when the security log becomes full anyone but the Administrators from logging on; the Administrator can then archive the log and purge. 1. Start the registry editor. 2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa 3. If CrashOnAuditFail exists then skip this step. If it does not exist, from the Edit menu, select New - DWORD value and enter a name of CrashOnAuditFail. Click OK. 4. Double click on CrashOnAuditFail and in the Value data box enter either of the following values. a. This value stops the system if the audit log is full. b. This is set by the operating system just before the system crashes due to a full audit log. When this value is set to 2 only the administrator can logon. c. Close the registry editor.


FAQS

Appendix B

Q. How can I restrict access to MMC snap-ins? A. It is possible to restrict access to MMC snap-ins using the Group Policy settings: 1. Open the Active Directory Users and Computers snap-in. 2. Right click the domain or OU with the Group Policy set and select Properties 3. Click the Group Policies tab. 4. Select the Group Policy you wish to modify and click Edit. 5. Expand the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node. 6. Double click Restrict Users to the explicitly permitted list of snap-ins. 7. Set to Enabled or Disabled. You can then expand Restricted/Permitted snap-ins and enable or disable specific snap-ins. Q. How can I add additional templates to a Group Policy Object? A. Windows 2000 includes three .adm files: System.adm (General system settings), Inetres.adm (Internet Explorer specific settings), and Conf.adm (NetMeeting settings), which contain all the settings initially displayed in the Administrative Templates node. When a .adm file is applied to a GPO, it is copied from the %systemroot%\inf folder to the %systemroot%\SYSVOL\domain\Policies\\Adm folder. To add/remove a new template to a GPO, perform the following: 1. Start the Active Directory Users and Computers snap-in. 2. Open the Group Policy snap-in for the GPO that you want to edit. 3. Under User or Computer configuration, right-click Administrative Templates and choose Add/Remove Templates. 4. Click Add (or to remove select one and click Remove). 5. Select the template to add and click Open. 6. Click Close. The new options will now be available. The ADM file will be copied from the template’s Adm folder to the GPO’s Adm folder.


479

480

Part V

APPENDIXES

Q. Why don’t Password policies assigned to an OU or a site GPO work? A. Although the password policy branch is available for all GPOs, it is only implemented for GPOs at the domain level, so even if you make settings for a GPO for an OU or a site, it will have no effect. The only way to apply password settings is as follows: 1. Open the Active Directory Users and Computers snap-in. 2. Right click the domain and choose Properties from the context menu. 3. Select the Group Policy tab. 4. Select the domain GPO and click Edit. 5. Expand the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy node. You can now specify the various settings. Q. How can I host multiple Web sites on a single IP address? A. You can host multiple Web sites on a single IIS server. Usually, each Web site is tied to an IP address. However, if the machine has only one IP address, it can still be configured to host multiple Web sites by specifying a host header name for each Web site. Before doing so, you should ensure that you have multiple DNS entries all pointing to the IP address of the machine. Specify the host header name as follows: 1. Open the Internet Information Services snap-in. 2. Expand the server, right-click on the Web site, and choose Properties. 3. Click the Advanced button next to the IP address (ensuring the actual IP address is selected). 4. Select the IP address entry and click Edit. 5. Enter the DNS host entry for the Web site and set the port to 80, as shown in Figure A-01. 6. Click OK. 7. Click OK to the main dialog. 8. Repeat for all other web sites. When the client connects to the Web site, the DNS name requested is passed in the header as the host name. If the Web site requested in the host header is stopped, the default Web site opens for the client. Therefore, it is recommended


FAQS

Appendix B

FIGURE B-1 Advanced Web Site Identification dialog box.

that an ISP should use the default Web site as the ISP home page, rather than for a customer site. Multiple sites on a single Professional installation are not supported. Q. How can I stop DNS spoofing? A. DNS spoofing can be used to redirect queries to a rogue DNS server and can be malicious in nature. Windows 2000 DNS can be configured to filter out responses to unsecured records by performing the following: 1. Start the registry editor. 2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\ Parameters. 3. From the Edit menu select New— DWORD value. 4. Enter a name of SecureResponses and press Enter. 5. Double click the new value and set to 1. Click OK.


481



Index Numbers and Symbols . (dot), 239 2*n keys, 205 128-bit hash value, 203 160- bit hash value, 203

A access dial-up remote, 348 file system, controlling, 264 remote access connections, 372 point-to-LAN connections, 348 point-to-point connections, 348 policies, 354–355 policy models, 360 policy profiles, 357–358 securing with Macintosh clients, 443–446 with NetWare, 438–443 for UNIX clients, 434–438 VPN, 349 access-allowed, object-specific ACE, 107 access-allowed ACE, 107 access checking, 122–123 access control Active Directory objects and, 102 best practices, 456–457 configuring, on certificate templates, 210 default DACL source of, 116 IIS and, 319, 342–344 network address access control filter, 343 NTFS permissions, 344 object manager source, 117 owner source of, 116 parent object source, 117 primary group source of, 116 settings internal attacks and, 11 object-based, 41

subject source of, 116 user attempt for, authorizing, 104 web server permissions, 344 access control entry (ACE), 51 access-allowed, 107 access-allowed, object-specific, 107 access control information, 106 access-denied, 107 access-denied, object-specific, 107 canonical order, 120 object-specific versus generic, 108 system-audit, 107 system-audit, object-specific, 107 access control lists (ACLs) components and structure of, 106–107 defined, 106 access control model access control lists, 51 DACL (Discretionary Access Control List), 50 SACL (System Access Control List), 50 SID (security identifier), 50–51 unauthorized access, restricting, 50 Access Control Settings dialog box Auditing tab, 131 Owner tab, 132–133 access-denied, object-specific ACE, 107 access-denied ACE, 107 access masks defined, 109 generic access rights, 109 object-specific access rights, 110 SACL access rights, 110 standard access rights, 109 access permissions. See permissions Access-Request packet, 386 access rights. See rights Access tab Default NNTP Virtual Server dialog box, 330–331 Default SMTP Virtual Server Properties dialog box, 327–328


484

Index

access tokens, 50–51 contents of, 114 defined, 111, 113 SID attributes, 113 AccessCheckAndAuditAlarm function, 121–124 Account Lockout policy, 360–361 Account Policies subnode, 155 accounts, creating in specific location, 259–260 ACE (access control entry), 51 access-allowed, 107 access-allowed, object-specific, 107 access control information, 106 access-denied, 107 access-denied, object-specific, 107 canonical order, 120 object-specific versus generic, 108 system-audit, 107 system-audit, object-specific, 107 ACLs (access control lists) components and structure of, 106–107 defined, 106 Active Directory best practices, 457–458 GPOs (Group Policy objects) and, 43–44, 145 hierarchy, 41–43 integrated zone files, 240 object-based access control, 41 overview, 31, 40–41 Security tab, 126–127 trust relationships, 44–45 user authentication, 41 Active Directory objects access control and, 102 configuring permissions for auditing, 131 editing permissions, 128–131 overview, 126–127 ownership, changing, 132–133 Active Directory Replication Monitor tool, 180 Active Directory Sites and Services snap-in, 208 active spoofing, 19 Add Counters dialog box, 402 Add/Remove Programs dialog box, 227 Add/Remove Snap-In dialog box, 188 Add Standalone Snap-In dialog box, 166–167 address allocation, VPNs and, 373–374 Administration Web Site Properties dialog box, 337

Administrative Templates node (Group Policy snap-in), 156–158, 162 Administrative Tools menu (Group Policy), 166 Administrative Web Site Properties dialog box, 333 Advanced Attributes dialog box, 134 Advanced Features command (View menu), 126 Advanced tab (Edit Dial-in Profile dialog box), 358 advertising, 18 Advertising Supporting Software (Adware), 17 Adware (Advertising Supporting Software), 17 agent messages, SNMP, 253 agent software, SNMP, 251 AH (Authentication Headers), 272–273 alerts defined, 400 Performance Logs and Alerts tool, 406–407 all access right, 109 Allow access permission, 360 Allow inheritable permission, 129 Allow policy setting, 262 ANI/CLI (Automatic Number Identification/ Calling Line Identification), 361 anonymous authentication, 332–333 anonymous impersonation level, 115 Anonymous User Account dialog box, 333 antivirus measures, 21–22 API (Application Programming Interface), 32 Application desktop, 69 Application gateway firewall, 301 Application log (Event Viewer), 397 application order (Group Policy), 146 Application Programming Interface (API), 32 application proxy firewalls, 301–303 application server mode (Terminal Services), 264 application servers, secure traffic to, 309–310 applications assigning, 152 HTTP-Tunnel, 20 public key-enabled, 210–211 publishing, 153 Applications tab (Task Manager), 408 Apply Group Policy permission, 172–173 AS (authentication service), 74 assembling information threats Adware (Advertising Supporting Software), 17 impersonation, 15–16 password cracking, 15


Index

session hijacking, 15 sniffing, 16 social engineering, 17–18 spoofing, 18–19 Assign a Static IP Address permission, 359 Assign Static Routes permission, 359 assigning applications, 152 assisting, 18 AsyBEUI, 351 asymmetric key encryption, 57 Asynchronous NetBEUI, 351 asynchronous processing, 164–165 attacks. See also threats DoS (Denial-of-service) attacks, 24, 28 external, 12–14 internal, 10–12 Intrusion Detection Systems, 28 man-in-the-middle, 23–24 ping of death, 27 smurf DoS, 26 spoofing, 18–19 SYN flood, 25–26 Tripwire tool, 29 audit generation, 121–124 auditing best practices for, 452 certificates, 223 IIS and, 319 Auditing tab (Access Control Settings dialog box), 131 Authenticated Users security group, 174 authentication across domain boundaries, 80–83 anonymous, 332–333 authentication database, 71 authentication package, 70–71 authorization versus, 66 basic, 334 CAs (certification authorities), 48 certificate, 336–342 CHAP (Challenge Handshake Protocol), 98 client, 96 digest, 334–335 EAP (Extensible Authentication Protocol), 96–97 encrypted connection, 96 GINA (Graphical Identification and Authentication), 68 IAS, 382–383

IIS and, 319 Integrated Windows, 335–336 interactive logon process, 46 interactive logon to local machine, 71 network components, list of, 68 security principals, 67–68 Kerberos authentication protocol, 47 functionality of, 73, 75–76 key distribution, 75–77 policy settings, 83–84 service tickets, securing, 78 TGT (ticket granting ticket), 78–80 Kerberos V5, certification-based authentication, 40 Kerberos V5 authentication protocol, 72–73 local security authority, 71 MS-CHAP (Microsoft Challenge Handshake Protocol), 98 network administration logon process, 46 NTLM protocol, 49, 94 overview, 9–10, 46 PAP (Password Authentication Protocol), 98 PPP (Point-to-Point protocol), 96 public key cryptography and, 201 remote access security, 351–354 server, 95 smart-card, 46 SSL, 94–96 SSL/TLS, 49 SSP (security support provider), 92–93 TGS (ticket granting service), 74 TGT (ticket granting ticket), 74 of UNIX clients, 436 user authentication, 41, 295 VPNs and, 373 Authentication Headers (AH), 272–273 Authentication Methods dialog box, 333 authentication service (AS), 74 Authentication tab (Edit Dial-in Profile dialog box), 358 authority figures, social engineering approach, 17 authorization authentication versus, 66 defined, 66 DHCP servers, 249–250 with Gateway Service for NetWare, 440–441 IAS, 382–383 remote access security, 351–354


485

486

Index

Authorize DHCP Server dialog box, 250 Automatic Number Identification/Calling Line Identification (ANI/CLI), 361 Automatic Restoration mechanism (Windows File Protection feature, 411–412 Automatic Setup Group Policy option, 261 availability, 9

B Backup Wizard, 418, 420–422 backups best practices, 470–471 security measures and, 22 Windows Backup program Backup Wizard, 418, 420–422 ERD (Emergency Repair Disk), 423–424 Restore Wizard, 422–423 System State data, 420 baseline, defined, 400 basic authentication, 334 basic security templates, 184 basic storage, 415 best practices access control, 456–457 Active Directory, 457–458 auditing, 452 backups, 470–471 CAs, 453 Dfs, 460–461 DHCP, 464–466 diagnostic tools, 472–474 dial-up connections, 461–462 disaster recovery, 472 Disk Defragmenter, 474 disk management, 470 DNS, 463 EFS, 454 fault tolerance, 471–472 folder redirection, 460 Group Policy, 458–459 IAS, 466–467 IPSec, 469–470 Network Monitor, 472 RAS, 468 restoration, 470–471 templates, 455–456 VPNs, 468–469

Binary files, 405 blind spoofing, 19 Block filter action, 291 block inheritance, 149 Block Policy Inheritance option, 169–170 boot disk, remote, 257 breach of confidentiality, 8 breach of data integrity, 9 broadcast storms, 26 Builtin break up value, 112–113

C cache poisoning, 242 CAL (Client Access License), 263 Callback permission, 359 Called-Station-ID remote access policy condition, 356 Calling-Station-ID remote access policy condition, 356 canonical order, 120 CAs (certification authorities). See also certificates, 48 best practices, 453 commercial, 215 cross-certification hierarchy, 212–213 enterprise policy, 216–219 issuing, 212 policies, 207 private, 215 public key infrastructure, 207–208 root CA hierarchy, 212 stand-alone policy, 217–219 subordinate, 212 usage-based hierarchy, 220 category information (Event Viewer), 399 CD-ROM file system (CDFS), 124 CDFS (CD-ROM file system), 124 certificate authentication, 336–342 certificate distribution points, 210 certificate management tools, 208–209 certificate publication points, 210 Certificate Renewal Options dialog box, 236 certificate services, IIS and, 319 certificate templates configuring access control on, 210 protecting from unauthorized access, 208


Index

certificates. See also CAs auditing, 223 Code Signing, 217 defined, 207 enrollment and distribution, 220–221 including in trusted CAs list, 229–231 issuer, 207 many-to-one mapping, 224 Microsoft Certificate Services, 60 one-to-one mapping, 223 renewing, 222–223, 236 revocation, 221–222, 234 self-signed, 212 subject’s public key, 207 for Web sites, creating, 337–341 certification authorities (CAs), 48 best practices, 453 commercial, 215 cross-certification hierarchy, 212–215 enterprise policy, 216–219 issuing, 212 private, 215 public key infrastructure, 207–208 root CA hierarchy, 212 stand-alone policy, 217–219 subordinate, 212 usage-based hierarchy, 220 Certification Authority snap-in, 208–209 Certification Revocation Lists (CRLs), 61 certification authority and, 207–208 publishing, 235 Challenge Handshake Protocol (CHAP), 98, 353 Challenge-Response protocol, 335–336 change share permission, 125 CHAP (Challenge Handshake Protocol), 8, 353 Check Disk utility, 418 child object, defined, 105 Choice Options dialog box, 260 Circuit Level Gateway firewalls, 300 Circuit Relay firewall, 300 Clear Text logon, 334 Client Access License (CAL), 263 client authentication, 96 client flooding, 242 Client-Friendly-Name remote access policy condition, 356

Client Installation Wizard, 256–257 Client-IP Address remote access policy condition, 356 Client-Vendor remote access policy condition, 356 clients installation options, restricting, 260–262 prestage, 259 RADIUS, 384 Code Signing certificate templates, 217 Color tab (System Monitor console), 403 Comma-Delimited file (.CSV), 405 commands Start menu, Run, 166 View menu Advanced Features, 126 Show Services Node, 208 commercial CAs, 215 Common.adm file, 157 communities, configuring, 254 Compatws.inf template, 185 competitors, external attacks and, 13 compulsory tunneling, 386–388 computer accounts. See accounts Computer Configuration node (Group Policy snap-in), 151–152 Computer Crime and Security Survey, 4 computer information (Event Viewer), 399 computer local groups, 55 Computer Security Institute (CSI), 4 Conf.adm file, 157 confidentiality overview, 7–8 public key cryptography and, 201 Configure Device-WAN Miniport (PPTP) dialog box, 367 configuring communities, 254 DHCP dynamic update, 247 permissions, for Active Directory objects auditing, 131 editing permissions, 128–131 overview, 126–127 ownership, changing, 132–133 traps, 253 Connection dialog box, 328 connections dial-up, creating, 368–370 encrypted connection, 96


487

488

Index

connections (continued) Kerberos and, 73 point-to-LAN remote access, 348 point-to-point remote access, 348 PPP, 350 remote access, 372 router-to-router, 372 WAN, 350 CONTAINER_INHERIT_ACE flag, 120 containers, defined, 41 copy backup type, 422 counter component (System Monitor tool), 401 counter logs, 405 Create Computer Object permission, 260 CREATOR OWNER security group, 174 CRLs (Certification Revocation Lists), 61 certification authority and, 207–208 publishing, 235 cross-certification hierarchy, 212–215 cross-link trust relationship, 45 cryptographic algorithm, 55 cryptographic key, 55 Cryptographic Service Provider (CSP), 212 CSI (Computer Security Institute), 4 CSP (Cryptographic Service Provider), 212 .CSV (Comma-Delimited file), 405 Custom Errors tab (Default Web Site Properties dialog box), 324 custom security templates, 186 Custom Setup Group Policy option, 261

D DACL (Discretionary Access Control List), 50–51 DACL field (security descriptor), 118 daily backup type, 422 damaging/disrupting network threats antivirus measures, 21–22 broadcast storms, 26 DoS (Denial-of-service) attacks, 24 mail bombs, 27–28 man-in-the-middle attacks, 23–24 ping of death, 27 smurf DoS attack, 26 spam mailing, 28 SYN flood, 25–26 Trojan Horses, 20–21 tunneling, 20

types of, 19 viruses, 20–21 worms, 20–21 Data Decryption Field (DDF), 59 data encryption. See encryption data privacy, 31 Data tab (System Monitor console), 402 date information (Event Viewer), 399 Day-And-Time-Restrictions remote access policy condition, 356 DC security.inf template, 185 DDF (Data Decryption Field), 59 decryption, EFS data, 135–136 defacing Web sites, 30 default ACL source of access control, 116 Default DACL field (access token), 114 Default Domain policy, 137 Default FTP Site Properties dialog box, 320–321 Default NNTP Virtual Server dialog box, 330–332 default security templates, 183 Default SMTP Virtual Server Properties dialog box, 326–330 Default Web Site Properties dialog box, 322–323 delegate impersonation level, 116 delegation, Group Policy creation of GPOs, 176–177 links, managing for sites, domain, or OU, 175 using security groups, 174 Delegation of Control Wizard, 175 delete access right, 109 Delivery tab (Default SMTP Virtual Server Properties dialog box), 329 demand-dial routing, 362 demilitarized zones (DMZs), secure public access to application servers, 309–310 DNS server, 308–309 HTTP and FTP servers, 306–308 Microsoft Exchange server, 309 terminal servers, 312 tunnel server, secure L2TP traffic to, 311 tunnel server, secure PPTP traffic to, 311 Denial-of-service attacks. See DoS attacks denied permissions, 104–105 Deny access permission, 360 Deny policy setting, 262 deployment IPSec, 280–281 Terminal Services, 265


Index

DES encryption algorithm, 277 Dfs (Distributed File System), 460–461 DHCP (Dynamic Host Configuration Protocol), 364 best practices, 464–466 dynamic update, configuring, 247 overview, 246 securing rogue DHCP servers, 248–249 servers, authorizing, 249–250 DHCP properties dialog box, 247–248 DhcpServer, 249 diagnostic tools best practices, 472–474 Event Viewer, 397–400 Network Monitor, 409–411 overview, 396 System Monitor and Performance Logs and Alerts Performance Logs and Alerts, 403–407 System Monitor, 400–403 Task Manager, 407–409 Dial-in Constraints tab (Edit Dial-in Profile dialog box), 358 dial-up connections best practices, 461–462 creating, 368–370 Dial-up Connections Properties dialog box, 371 dial-up permissions, 358–359 dial-up remote access, 348 Dialed Number Identification Service (DNIS), 361 dialog boxes Access Control Settings Auditing tab, 131 Owner tab, 132–133 Add Counters, 402 Add/Remove Programs, 227 Add/Remove Snap-In, 188 Add Standalone Snap-In, 166–167 Administration Web Site Properties, 333, 337 Advanced Attributes, 134 Anonymous User Account, 333 Authentication Methods, 333 Authorize DHCP Server, 250 Certificate Renewal Options, 236 Choice Options, 260 Configure Device-WAN Miniport (PPTP), 367 Connection, 328

Default FTP Site Properties, 320–321 Default NNTP Virtual Server, 330–332 Default SMTP Virtual Server Properties, 326–330 Default Web Site Properties, 322–323 DHCP properties, 247–248 Dial-up Connections Properties, 371 Edit Dial-in Profile, 358 File Download, 230 IP Filter List, 285–286 Local Area Connection Properties, 410 Local File Properties, 369 Manage Authorized Servers, 250 Management and Monitoring Tools, 410 Microsoft SNMP Properties, 253–254 New IP Security Policy Properties, 285, 293 Options, 170 Outbound Security, 329 Permission Entry, 130 Port Properties, 367–368 Reason Code, 234 Run, 166 Select Counters, 402 Select Network Component Type, 410 Select Network Protocol, 410 User Group Policy Loopback Processing Mode, 171 differential backup type, 422 Diffie-Hellman protocol, 277 digest authentication, 334–335 digital signatures frequently asked questions, 476–477 overview, 202–204 RSA process, 204 direct approach, social engineering approach and, 17 Directory Security tab Default FTP Site Properties dialog box, 321 Default Web Site Properties dialog box, 324 directory service. See Active Directory Directory Service module (Windows 2000 security model), 33 Directory Services Restore mode utility (system recovery), 425 disaster recovery. See system recovery Discretionary Access Control List (DACL), 50–51 Disk Defragmenter utility, 418, 474 disk management, best practices, 470


489

490

Index

Disk Management tool Backup Wizard, 418 Check Disk utility, 418 configuring physical disk using, 415 Disk Defragmenter utility, 418 functions of, 414–415 Properties dialog box, 417 Disk Quotas subnode, 158 disk volumes, list of, 416 disrupting threats. See damaging/disrupting threats Distributed File System (Dfs), 460–461 distribution, certificates, 220–221 DMZ setup firewalls, 303–305 DMZs (demilitarized zones), 22 secure public assess to application servers, 309–310 DNS server, 308–309 HTTP and FTP servers, 306–308 Microsoft Exchange server, 309 terminal servers, 312 tunnel server, secure L2TP traffic to, 311 tunnel server, secure PPTP traffic to, 311 DNIS (Dialed Number Identification Service), 361 DNS Client subnode, 158 DNS (Domain Name Service) Active Directory-integrated zone, 240 best practices, 463 overview, 238 primary zone, 240 secondaryzone, 240 securing DNS servers and clients, modifying security settings for, 245–246 dynamic updates, 244–245 structure of, 239 threats faced by cache poisoning, 242 client flooding, 242 DNS server’s authoritative database, compromise of, 243 DoS, 243 dynamic update vulnerability, 242 information leakage, 242–243 list of, 241–242 masquerading, 243–244 DNS poisoning, 30

DNS server, secure traffic to, 308–309 DNS spoofing, 242, 481 dnsZone objects, 245–246 documents, EFS-protected, 57 Documents tab (Default Web Site Properties dialog box), 324 Domain Administrators security group, 174 Domain Controller Security Policy, 166 domain identifiers, defined, 112 domain local groups, features of, 53 Domain Name Service (DNS) Active Directory-integrated zone, 240 best practices, 463 overview, 238 primary zone, 240 secondary zone, 240 securing DNS servers and clients, modifying security settings for, 245–246 dynamic updates, 244–245 structure of, 239 threats faced by cache poisoning, 242 client flooding, 242 DNS server’s authoritative database, compromise of, 243 DoS, 243 dynamic update vulnerability, 242 information leakage, 242–243 list of, 241–242 masquerading, 243–244 domain name space, defined, 238 Don’t Care policy setting, 262 DoS (Denial-of-service) attacks, 24, 28 dot (.), 239 drivers, IPSec, 278 Dynamic Host Configuration Protocol (DHCP), 364 best practices, 464–466 dynamic update, configuring, 247 overview, 246 securing rogue DHCP servers, 248–249 servers, authorizing, 249–250 dynamic storage, 415 Dynamic Update protocol, 242


Index

dynamic updates configuring, 247 defined, 240 securing, 244–245

E EAP (Extensible Authentication Protocol) EAP-MD5, 97 EAP-Transport Layer Security, 97 overview, 96–97 Edit Dial-in Profile dialog box, 358 EFS (Encryption File System), 31 best practices, 454 encryption of data using, 133–135 encryption of stored data by using, 59 encryption of transmitted data by using, 59–60 overview, 58 process of, 133 recovery agent’s, 135 recovery plan, 136–137 EFS-protected documents, 57 e-mail icons, social engineering and, 18 scanning, 21 Emergency Repair Disk (ERD), 423–424 employees abuse to Internet access, 11 naive, 17–18 enable boot logging utility (system recovery), 427 Encapsulating Security Payloads (ESP), 272 header fields, 274 packet fields, 273–274 trailer fields, 275 encapsulation, 373 encrypted connection, 96 encryption asymmetric key, 57 defined, 200–201 DES encryption algorithm, 277 EFS (Encryption File System) encryption of stored data by using, 59 encryption of transmitted data by using, 59–60 overview, 58 FEK (File Encryption Key), 133 high level, 266

IIS and, 319 low level, 265 medium level, 266 MPPE (Microsoft Point to Point Encryption), 377–378 Nonce value, 278 overview, 55 private key, 57 public key, 40, 57 concepts related to, 60–62 group policies containing, 62 symmetric, 40 symmetric key encryption, 55–56 VPNs and, 373 Encryption File Security, 40 Encryption File System (EFS), 31 best practices, 454 data, decryption of, 135–136 encryption of data using, 133–135 encryption of stored data by using, 59 encryption of transmitted data by using, 59–60 overview, 58 process of, 133 recovery agent’s, 135 recovery plan, 136–137 Encryption tab (Edit Dial-in Profile dialog box), 358 enrollment, certificates, 220–221 Enterprise Administrators security group, 174 Enterprise CAs, 216–219 Enterprise root CA, installing, 227–229 ERD (Emergency Repair Disk), 423–424 error events (Event Viewer), 398 ESP (Encapsulating Security Payloads), 272 header fields, 274 packet fields, 273–274 trailer fields, 275 event ID information (Event Viewer), 399 Event Log subnode, 155 Event Viewer, 397–400 execute access right, 109 exported recovery key, 137 Extensible Authentication Protocol (EAP) EAP-MD5, 97 EAP-Transport Layer Security, 97 overview, 96–97


491

492

Index

external attacks in combination with internal attacks, 13–14 reasons for, 12 external trust relationships, 45–46

F Failure Audit event (Event Viewer), 399 FAQs (frequently asked questions) DNS spoofing, 481 frequently asked questions, 476–477 GPOs, 479 Kerberos, 476 MMC snap-ins, 479 passwords, 477–478 FAT (file allocation table), 124 fault tolerance, 414–419, 471–472 FBI (Federal Bureau of Investigation), 4 FEK (File Encryption Key), 133 fields AH (Authentication Headers), 272–273 ESP (Encapsulating Security Payloads), 273–274 file allocation table (FAT), 124 File Download dialog box, 230 File Encryption Key (FEK), 133 file system access, controlling, 264 File System subnode, 156 files Common.adm, 157 Conf.adm, 157 Inentres.adm, 157 NTFS permissions, 126 System.adm, 157 Windows.adm, 157 Winnt.adm, 157 files object type, 117 Filter Action Wizard, 291–292 filtering IP packet, 283 packet filtering, 294–295 PPTP, 362 scope of SPO, 172–173 filters actions, creating, 290, 293 Block, 291 Negotiate Security, 292 Permit, 291 inbound, 281 IPSec, 281–282

outbound, 281 parameters of, 281 Filters Services (Macintosh), 443 firewalls Application gateway, 301 application proxy, 301–303 Circuit Level Gateway, 300 Circuit Relay, 300 DMZ setup, 303–305 functions of, 294–296 overview, 294 packet filtering constraints of, 298 overview, 296 stateful, 297–298 single, 294 three-pronged, 304 trihomed, 304 flags, inheritance, 119–120 folder object type, 117 folder redirection, 460 Folder redirection subnode (Group Policy snap-in), 160 folders NTFS permissions, 126 share permissions, 124–126 Font tab (System Monitor console), 403 Framed Protocol remote access policy condition, 357 frames, defined, 409 frequently asked questions (FAQs) digital signatures, 476–477 DNS spooling, 481 GPOs, 479 Kerberos, 476 MMC snap-ins, 479 passwords, 477–478 FTP security mechanism, IIS and, 320–321 FTP server, securing traffic to, 307 FTP Site tab (Default FTP Site Properties dialog box), 321 full control share permission, 125

G General tab Default NNTP Virtual Server dialog box, 330 Default SMTP Virtual Server Properties dialog box, 327


Index

System Monitor console, 402 generic access rights, 109 Generic Routing Encapsulation (GRE), 311, 376 Get message, 253 Get-next message, 253 Getbulk message, 253 GINA (Graphical Identification and Authentication), 68 global groups, 54 globally unique identifier (GUID), 256 GPOs (Group Policy Objects), 22 Active Directory and, 145 application order, sample of, 147 characteristics of, 43–44 creating, 144 editing, 177 frequently asked questions, 479 linking to other containers, 171–172 to sites, 162 processing exceptions, specifying, 169–171 scope, filtering, 172–173 GPOTool.exe, 179 GPresult Tool, 179 GPResult.exe, 179 Grant Read permission, 260 Graph tab (System Monitor console), 403 Graphical Identification and Authentication (GINA), 68 GRE (Generic Routing Encapsulation), 311, 376 Group Policy Active Directory Replication Monitor tool, 180 Administrative Tools menu, 166 application order, 146 best practices, 458–459 container, 148 creating, to specific container, 167–168 custom console, creating, 166–167 delegation creation of GPOs, 176–177 links, managing for sites, domain, or OU, 175 using security groups, 174 GPOTool, 179 GPresult tool, 179 hierarchy, 145–147 inheritance exceptions to, 149 loopback setting, 150

loopback feature, 150 LPGO (local Group Policy object), 145 Network Diagnostics tool, 179 processing sequence refresh frequency, 165 startup and logon, 163–164 synchronous versus asynchronous processing, 164–165 viewing, 165 restricting client installation options with, 260–262 setting for Active Directory container, 147–148 settings, specifying, 168 snap-ins access to, controlling, 178 Administrative Templates node, 156–158, 162 Computer Configuration node, 151–152 Internet Explorer Maintenance subnode, 161–162 Networks subnode, 158 overview, 151 permitted, restricting access to, 177–178 Printers subnode, 158 Scripts node, 154, 162 Security Settings node, 154–156, 162 Software Installation subnode, 160 Software Settings node, 152–153, 159–162 System subnode, 158 User Configuration node, 159 Windows Components subnode, 158 Windows Settings node, 153–156, 160–162 template, 148 User Group Policy Loopback Processing Mode, 171 Group Policy Microsoft Management Console (MMC) snap-in, 144, 151 Group Policy Objects (GPOs), 22 Active Directory and, 145 application order, sample of, 147 characteristics of, 43–44 creating, 144 editing, 177 frequently asked questions, 479 linking to other containers, 171–172 to sites, 162 local and non-local, 148 scope, filtering, 172–173


493

494

Index

Groups field (access token), 114 GUID (globally unique identifier), 256

H hacking information interception, illustration of, 29 spoofing, 19 hardware requirements, RRAS, 363 hash algorithm, 203 hash function, 203 hash value, 203 header field (security descriptor), 118 Hide Screen Saver tab, 168 hierarchies Active Directory, 41–43 Group Policy, 145–147 high level encryption, 266 High Secure template, 185 Hisecdc.inf template, 185 Hisecws.inf template, 185 HKEY_LOCAL_MACHINE/SYSTEM/ CurrentControlSet permission, 255 Home communities, 254 Home Directory tab Default FTP Site Properties dialog box, 321 Default Web Site Properties dialog box, 323 HTTP Headers tab (Default Web Site Properties dialog box), 324 HTTP security mechanism, IIS and, 322–326 HTTP server, securing traffic to, 307 HTTP-Tunnel application, 20 HTTPS (HTTP SECURE), 307

I IANA (Internet Assigned Numbers Authority), 463 IAS (Internet Authentication Services), 348, 353 authentication and authorization, 382–383 best practices, 466–467 configurations, 382 tunneling with, 385–388 ICMP (Internet Control Message Protocol), 27, 288 ICV (Integrity Check Value), 275 identify impersonation level, 115 IETF (Internet Engineering Task Force), 241

IIS (Internet Information Services) access control, 342–344 authentication anonymous, 332–333 basic, 334 certificate, 336–342 digest, 334–335 Integrated Windows, 335–336 FTP security mechanism, 320–321 HTTP security mechanism, 322–326 NNTP security mechanism, 330–332 overview, 318 security features of, 318–319 services associated with, 319–320 SMTP security mechanism, 326–330 IKE, 277 illegal software, 21 IMAP (Internet Message Access Protocol), 309 impersonate impersonation level, 116 impersonation, 15–16 available levels of, 115–116 overview, 115 Impersonation Level field (access token), 114 impersonation token, 115 inbound filters, 281 incremental backup type, 422 incremental security templates, 184–185 Incremental Zone Transfer (IXFR), 240–241 Inentres.adm file, 157 information events (Event Viewer), 398 information leakage, 242–243 inheritance block, 149 Block Policy Inheritance option, 169–170 flags and rules, 119–120 of Group Policy, 149 no override, 149 No Override option, 170 process of, 119 INHERITED_ACE flag, 119 INHERIT_ONLY_ACE flag, 119–120, 123 Initial DC Configuration template, 185 installation options, restricting, 260–262 installing Enterprise root CA, 227–229 RRAS (Routing and Remote Access), 363, 365–368 instance component (System Monitor tool), 401


Index

Integrated Services Digital Network (ISDN), 348–349 Integrated Windows authentication, 335–336 integrity overview, 9 public key cryptography and, 201–202 Integrity Check Value (ICV), 275 interactive logon process, authentication and, 46 interactive logon to local machine, 71 network components, list of, 68 security principals, 67–68 intermediary security hosts, 361–362 intermediate CA, 48 internal attacks, 10–14 Internet, employees abuse of, 11 Internet Assigned Numbers Authority (IANA), 463 Internet Authentication Services (IAS), 348, 353 authentication and authorization, 382–383 best practices, 466–467 configurations, 382 tunneling with, 385–388 Internet Control Message Protocol (ICMP), 27, 288 Internet Engineering Task Force (IETF), 241 Internet Explorer Maintenance subnode (Group Policy snap-in), 161–162 Internet fraud, social engineering and, 18 Internet Information Services (IIS) access control, 342–344 authentication anonymous, 332–333 basic, 334 certificate, 336–342 digest, 334–335 Integrated Windows, 335–336 FTP security mechanism, 320–321 HTTP security mechanism, 322–326 NNTP security mechanism, 330–332 overview, 318 security features of, 318–319 services associated with, 319–320 SMTP security mechanism, 326–330 Internet Message Access Protocol (IMAP), 309 Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX), 439 Internet Protocol (IP), 270 Internet Protocol Security (IPSec), 31, 56 AH (Authentication Headers), 272 architecture of, 278–280 best practices, 469–470

deploying, 280–281 drivers, 278 ESP (Encapsulating Security Payloads), 272 filters, 281–282 overview, 270–271 policies creating, 284–285 overview, 278 Request Security, 282 Require Security, 282 Respond Only, 282 rules, creating, 285–290 policy agent, 278 policy management, 278 securing SNMP messages with, 254–255 transport mode, 275–276 tunnel mode, 275–276, 374 UDP (User Datagram Protocol), 271 Intrusion Detection Systems, 28 IP address, 299 IP Filter List dialog box, 285–286 IP (Internet Protocol), 270 IP packet filtering, 283 IP Security Policies on Active Directory subnode, 156 IP Security Policy Wizard, 284–285 IP tab (Edit Dial-in Profile dialog box), 358 IPSec (Internet Protocol Security), 31, 56 AH (Authentication Headers), 272 architecture of, 278–280 best practices, 469–470 deploying, 280–281 drivers, 278 EFS and, 59 ESP (Encapsulating Security Payloads), 272 filters, 281–282 overview, 270–271 policies creating, 284–285 overview, 278 Request Security, 282 Require Security, 282 Respond Only, 282 rules, creating, 285–290 policy agent, 278 policy management, 278 securing SNMP messages with, 254–255 transport mode, 275–276 tunnel mode, 275–276, 374 UDP (User Datagram Protocol), 271


495

496

Index

IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange), 439 ISAPI Filters tab (Default Web Site Properties dialog box), 323 ISDN (Integrated Services Digital Network), 348–349 issuer (certificates), 207 IXFR (Incremental Zone Transfer), 240–241

K KDC (Key Distribution Center), 47, 70 Kerberos authentication protocol (Windows 2000 security model), 32, 47 across domain boundaries, 80–83 advantages of, 72–73 frequently asked questions, 476 functionality of, 73, 75–76 key distribution, 75–77 policy settings, 83–84 service tickets, securing, 78 TGT (ticket granting ticket), 78–80 Kerberos Key Distribution Center service (Windows 2000 security model), 33 Kerberos SSP, 92 Kerberos V5, certification-based authentication, 40 kernels, 262 Key Distribution Center (KDC), 47, 70 key management, VPNs and, 373–374 Key Management Server (KMS), 218 keys 2*n, 205 managing, 206 n2, 205 publishing, 206 KMS (Key Management Server), 218 known vulnerabilities, 5

L L2F (Layer 2 Forwarding), 374 L2TP (Layer Two Tunneling Protocol), 311 packets, 379–381 tunneling process, 379–381 VPNs and, 378–379 Last Known Good Configuration utility (system recovery), 425–427 Layer 2 Forwarding (L2F), 374

Layer Two Tunneling Protocol (L2TP), 311 packets, 379–381 tunneling process, 379–381 VPNs and, 378–379 LDAP (Lightweight Directory Access Protocol), 33–34, 210 LDAP Routing tab (Default SMTP Virtual Server Properties dialog box), 330 Length field (AH), 273 levels, encryption levels, 265 licenses, Terminal Services, 263 Lightweight Directory Access Protocol (LDAP), 33, 210 linking GPOs to other containers, 171–172 to sites, 162 Local Area Connection Properties dialog box, 410 Local File Properties dialog box, 369 local Group Policy object (LPGO), 145, 148 local machine, interactive logon to, 71 Local Policies, 181 Local Policies subnode, 155 Local Security Authority (LSA), 41, 67, 71 logged-off state (Winlogon), 69 logged-on state (Winlogon), 69 logon attempts, controlling, 265 Clear Text, 334 Group Policy processing sequence, 163–164 interactive process, 46 multiple-domain, 85–87 network authentication process, 46 network logon, security at, 31 to networks, 88 rights, 105 single-domain, 85 smart card, 61, 90–91 logon session key, 79 Logon subnode, 158 Logon User API, 334 logs counter, 405 trace, 406 long-term key, 79 loopback feature, 150 lost data, 7 low level encryption, 265 LPGO (local Group Policy object), 145


Index

LSA (Local Security Authority), 41, 67 LSA server service (Windows 2000 security model), 33

M Macintosh clients, securing access with, 443–446 mail bombs, 27–28 man-in-the-middle attacks, 23–24 Manage auditing and security log privilege, 122 Manage Authorized Servers dialog box, 250 Manage Documents permission, 138 Manage Printers permission, 138 Management and Monitoring Tools dialog box, 410 management systems, SNMP, 251 managing keys, 206 many-to-one mapping, 224 masquerading, 243–244 master key, 79 maximum transmission unit (MTU), 27 MD2 (Message Digest v2), 203 MD4 (Message Digest v4), 203 MD5 (Message Digest v5), 203 medium level encryption, 266 merge mode (Group Policy loopback feature), 150 message digest, defined, 203 Message Digest v2 (MD2), 203 Message Digest v4 (MD4), 203 Message Digest v5 (MD5), 203 messages Get, 253 Get-next, 253 Getbulk, 253 Set, 253 SNMP, securing with IP security, 254–255 Trap, 253 Messages tab Default FTP Site Properties dialog box, 321 Default SMTP Virtual Server Properties dialog box, 328 Microsoft Certificate Services, 60 Microsoft Challenge Handshake Protocol (MSCHAP), 98, 353 Microsoft Directory Synchronization Services (MSDSS), 439 Microsoft Exchange server, secure traffic to, 309 Microsoft Point to Point Encryption (MPPE), 377–378

Microsoft SNMP Properties dialog box, 253–254 mirrored disk volumes, 416 MMC (Group Policy Microsoft Management Console) snap-in, 144, 479 modifying information, reasons for, 29 MPPE (Microsoft Point to Point Encryption), 377–378 MS-CHAP (Microsoft Challenge Handshake Protocol), 98, 353 MSDSS (Microsoft Directory Synchronization Services), 439 MTU (maximum transmission unit), 27 Multilink tab (Edit Dial-in Profile dialog box), 358 Multiple Authentication Provider (Windows 2000 security model), 34 multiple-domain logon, 85–89 Multiple Universal Service Name Provider (MUP), 163 multipurpose templates, 216–217 multiuser kernels, 262 MUP (Multiple Universal Service Name Provider), 163

N n2 keys, 205 naive employees, social engineering approach, 17 NAS-Identifier remote access policy condition, 357 NAS-IP-Address remote access policy condition, 357 NAS (Network Access Server), 376 NAS-Port-Type remote access policy condition, 357 NAT (Network Address Translation), 295 constraints of, 300 overview, 298–299 NCP (NetWare Core Protocol), 442 Negotiate Security filter action, 292 NetBEUI programs, 375 Netdiag.exe, 179 Netlogon service (Windows 2000 security model), 32 NetWare, securing access with, 438–443 NetWare Core Protocol (NCP), 442 Network Access Server (NAS), 376 network address access control, 343 Network Address Translation (NAT), 295 constraints of, 300 overview, 298–299


497

498

Index

Network Diagnostics tool, 179 Network File System (NFS), 434 network logon, 31 in multiple-domain environment, 88 in single-domain environment, 88 Network Monitor tool, 409–411, 472 Network Operating System (NOS), 296 network provider DLL, 68 Networking tab (Dial-up Connection Properties dialog box), 371 Networks subnode (Group Policy snap-in), 158 New IP Security Policy Properties dialog box, 285, 293 New Rule Wizard, 292 Next Header field (AH), 273 next header field (ESP), 275 NFS (Network File System), 434 NNTP security mechanism, IIS and, 330–332 no override inheritance, 149 No Override option, 170 No Terminal Saver SID template, 184 non-local Group Policy objects, 148 Nonce value, 278 None permission, 255 nonreproduction capabilities, public key cryptography, 202 nontransitive trust relationship, 44 NO_PROPOGATE_INHERIT_ACE flag, 120 normal backup type, 422 NOS (Network Operating System), 296 Notify permission, 255 Notssid.inf template, 184, 265 NT Authority break up value, 112 NT LAN Manager (NTLM), 40, 67 authentication and, 94 uses of, 49 NTFS permissions, 126, 344 NTLM authentication protocol (Windows 2000 security model), 32, 49, 94 NTLM (NT LAN Manager), 40, 67 NTLM SSP, 92 NWLink protocol, 439

O object-based access control, 41 Object component (System Monitor tool), 401

object manager source of access control, 117 object-specific access rights, 110 OBJECT_INHERIT_ACE flag, 120 objects defined, 41 dnsZone, 245–246 Ocfilesw.inf_and Ocfiles.inf template, 185 one-to-one mapping, 223 open standards (Kerberos), 73 Operators tab (Default Web Site Properties dialog box), 323 Optional Components template, 185 Options dialog box, 170 OUs (Organizational Units), 42–43 outbound filters, 281 Outbound Security dialog box, 329 Owner field access token, 114 security descriptor, 118 owner source of access control, 116 Owner tab (Access Control Settings dialog box), 132–133

P Packet Assembler/Disassemblers (PADs), 350 packet filtering, 294–295 packet filtering firewalls constraints of, 298 overview, 296 stateful, 297–298 packets Access-Request, 386 L2TP, 379–381 pad length field (ESP), 275 padding field (ESP), 275 PADs (Packet Assembler/Disassemblers), 350 PAP (Password Authentication Protocol), 98, 353 parent object source of access control, 117 partitioning, 28 passive FTP clients, 307 Password Authentication Protocol (PAP), 98, 353 password cracking, 15 passwords frequently asked questions, 477–478 synchronization, 435 people hacking. See social engineering


Index

Performance Logs and Alerts tool alerts, 406–407 counter logs, 405 trace logs, 406 performance monitoring tools. See diagnostic tools Performance tab Default Web Site Properties dialog box, 323 Task Manager, 408 Permission Entry dialog box, 130 permissions. See also rights adding, 129–130 Allow, 262 Allow access, 360 Apply Group Policy, 172–173 Assign a Static IP Address, 359 Assign Static Routes, 359 assigning to registry keys, 255 Callback, 359 child objects, 105 computer local groups, 55 configuring for Active Directory objects auditing, 131 overview, 126–127 Create Computer Object, 260 defined, 104 denied, 104–105 Deny, 262 Deny access, 360 dial-up, 358–359 domain local groups, 53 Don’t Care, 262 Grant Read, 260 local groups, 54 Manage Documents permission, 138 Manage Printers permission, 138 None, 255 Notify, 255 NTFS on files and folders, 126, 344 NTFS/shared combination, 126 at OU level, 42–43 permission inheritance, 105 Print permission, 138 Read Create, 255 Read Only, 255 Read Write, 255 Remote Access, 358 removing, 129–130

share permissions on folders, 124–126 universal groups, 54 Verify Caller-ID, 359 Web server, 344 Permit filter action, 291 personal identification number (PIN), 47, 90 physical threats, 5 PIN (personal identification number), 47, 90 ping of death attack, 27 PKI client, 206–207 PKI (Public Key Infrastructure), 40 components of CA (certification authority), 207–208 certificate distribution points, 210 certificate management tools, 208–209 certificate template, 208 certificates, 207 PKI client, 206–207 public key-enable applications and services, 210–211 features of, 206 point-to-LAN remote access connections, 348 Point-to-Point Protocol (PPP), 96, 348, 350 point-to-point remote access connections, 348 Point-to-Point Tunneling Protocol (PPTP), 311, 374 benefits of, 378 filtering, 362 tunneling process, 375–378 VPNs and, 374–375 policies Account Lockout, 360–361 creating, 284–285 defined, 207 Enterprise CAs, 216–217 IPSec (Internet Protocol Security), 278 remote access, 354–355 remote access policy profiles, 357–358 Request Security, 282 Require Security, 282 Respond Only, 282 Stand-alone CAs, 217–218 policy management, IPSec, 278 policy settings, Kerberos, 83–84 POP (Post Office Protocol), 309 Port Properties dialog box, 367–368 Post Office Protocol (POP), 309


499

500

Index

PPP (Point-to-Point Protocol), 96, 348, 350 PPTP (Point-to-Point Tunneling Protocol), 311, 374 benefits of, 378 filtering, 362 tunneling process, 375–378 VPNs and, 374–375 Preboot Execution Environment (PXE), 257 prestage clients, 259 prevention, antivirus measures, 21–22 primary access tokens, 115 Primary Group field access token, 114 security descriptor, 118 primary group source of access control, 116 primary zones, 240 Print permission, 138 Print services (Macintosh), 443 Printers subnode (Group Policy snap-in), 158 private CAs, 215 private key encryption, 57 privileges defined, 105 Manage auditing and security log, 122 Privileges field (access token), 114 Process tab (Task Manager), 408 processing sequence, Group Policy refresh frequency, 165 startup and logon, 163–164 synchronous versus asynchronous processing, 164–165 viewing, 165 program threats, 5 proxy service overview, 295 RADIUS, 384 PSTN (Public Switched Telephone Network), 350 public communities, 254 public key cryptography authentication capabilities, 201 benefits of, 200 confidentiality capabilities, 201 defined, 200 digital signatures, 202–204 encryption, 200–201 integrity capabilities, 201–202 nonreproduction capabilities, 202 signing, 201

public key-enabled applications and services, 210–211 public key encryption, 40, 57 concepts related to, 60–62 group policies containing, 62 Public Key Infrastructure (PKI), 40 components of CA (certification authority), 207–208 certificate distribution points, 210 certificate management tools, 208–209 certificate templates, 208 certificates, 207 PKI client, 206–207 public key-enabled applications and services, 210–211 features of, 206 Public Key Policies subnode, 156 Public Switched Telephone Network (PSTN), 350 publishing applications, 153 certificate publication points, 210 CRLs (Certification Revocation Lists), 235 keys, 206 PXE (Preboot Execution Environment), 257

R R component (SID), 112 RADIUS (Remote Access Dial In User Service), 348 infrastructure, 384 single sign-on capabilities, 384–385 RAID-5 disk volumes, 416 RAID (Redundant Array of Inexpensive Disks), 415 RAS (Remote Access Server), 468 rating scales, risks, 6 read access right, 109 Read Create permission, 255 Read Only permission, 255 read share permission, 126 Read Write permission, 255 Reason Code dialog box, 234 records SRV (service), 240 TKEY resource records, 245 TSIG resource record, 245 recovery. See system recovery Recovery Console utility (system recovery), 427–428


Index

recovery station, 137 Redundant Array of Inexpensive Disks (RAID), 415 referral tickets, 83 refresh GPO settings, 165 registry keys, 117, 255 Registry subnode, 155 relative identifiers, 112 remote access. See access Remote Access Dial In User Service (RADIUS), 348, 383–384 Remote Access Server (RAS), 468 remote administration mode (Terminal Services), 264 Remote Desktop protocol, 263 Remote Installation Preparation (RIPrep) Wizard, 257 Remote Installation Services (RIS) architecture, 257–259 Group Policy options, 261 overview, 256 prerequisites, 257 securing client, prestaging in Active Directory, 259 client installation options, restricting, 260–262 computer accounts, creating in specific location, 260 server, components of, 256 Remote Procedure Call System Service (RPCSS), 163 renewing certificates, 222–223, 236 replace mode (Group Policy loopback feature), 150 replication, zones, 240–241 Replmon.exe, 180 Request for Comment (RFC), 464 Request Security policy, 282 Require Security policy, 282 resource groups. See domain local groups resource records. See records Resource Records (RR), 239 Respond Only policy, 282 Restart Setup Group Policy option, 261 restoration, best practices, 470–471 Restore Wizard, 422–423 Restricted Groups subnode, 155 restricting access to permitted snap-ins, 177–178 unauthorized, 50

Restricting SIDs field (access token), 114 reverse social engineering (RSE), 18 revocation, certificates, 221–222, 234 RFC (Request for Comment), 464 Rich Text Format (RTF), 21 rights. See also permissions generic access rights, 109 logon rights, 105 object-specific access rights, 110 privileges, 105 SACL access rights, 110 standard access rights, 109 RIPEMD-160, 203 RIS (Remote Installation Services) architecture, 257–259 Group Policy options, 261 overview, 256 prerequisites for, 257 securing client, prestaging in Active Directory, 259 client installation options, restricting, 260–262 computer accounts, creating in specific location, 259–260 server, components of, 256 risks, 5–6 Rivest Shamir Adleman (RSA) data exchange by, 205 defined, 204 digital signature process, 204 features of, 205 rogue server, 243, 248–249 root CA, 212–213 router-to-router connections, 372 Routing and Remote Access (RRAS), 311 Account Lockout policy, 360–361 authorization, remote dial-up, 360–361 connection methods, 350–351 demand-dial routing, 362 dial-up connections, creating, 368–370 dial-up permissions, 358–359 features of, 349 hardware requirements, 363 installing, 363, 365–368 overview, 348 remote access policies, 354–355 remote access policy models, 360 remote access policy profiles, 357–358


501

502

Index

RPCSS (Remote Procedure Call System Service), 163 RR (Resource Records), 239 RRAS (Routing and Remote Access), 311 Account Lockout policy, 360–361 authentication and authorization, 351–354 authorization, remote dial-up, 360–361 connection methods, 350–351 demand-dial routing, 362 dial-up connections, creating, 368–370 dial-up permissions, 358–359 features of, 349 hardware requirements, 363 installing, 363, 365–368 overview, 348 remote access policies, 354–355 remote access policy models, 360 remote access policy profiles, 357–358 RSA (Rivest Shamir Adleman) data exchange by, 205 defined, 204 digital signature process, 204 features of, 205 RSE (reverse social engineering), 18 RTF (Rich Text Format), 21 rules, inheritance, 119–120 Run dialog box, 166

S S component (SID), 112 S/MIME (Secure Multipurpose Internet Mail Extension), 56 SA (security association), 277 sabotage, 18 SACL access rights, 110 SACL field (security descriptor), 119 SACL (System Access Control List), 50–51 safe mode utility (system recovery), 425–426 SAM (Security Accounts Manager), 41 SAS (secure attention sequence), 68 scanning e-mail from unknown users, 21 SChannel SSP, 93 scope, GPO, filtering, 172–173 screen saver desktop, 69 Scripts node (Group Policy snap-in), 154, 162 secondary zones, 240

secret key encryption. See symmetric encryption secure attention sequence (SAS), 68 Secure Hash Algorithm (SHS), 203 Secure Multipurpose Internet Mail Extension (S/MIME), 56 Secure Sockets Layer (SSL), 31, 67 Secure templates, 185 Secureedc.inf template, 185 Securews.inf template, 185 security at network logon, 31 purpose of, 6 authentication, 9–10 availability, 9 confidentiality, 7–8 integrity, 9 SSL authentication protocol, 32 Security Accounts Manager (SAM), 41 Security Accounts tab (Default FTP Site Properties dialog box), 321 security association (SA), 277 Security Configuration and Analysis tool, 52 analysis, performing, 189–190 defined, 187 snap-in, loading, 188 system security settings, configuring, 191 templates, importing/exporting, 189 security descriptors access control information, sources of, 116–118 DACL field, 118 defined, 103, 111 header field, 118 owner field, 118 primary group field, 118 SACL field, 119 structure of, 118–119 security groups computer local, 55 domain local, 53 global groups, 54 list of, 52 universal, 54 security identifiers (SIDs), 40, 50 access control components, 111 break up values, 112 defined, 110 R component, 112


Index

S component, 112 structure of, 111 X component, 112 Y component, 112 Security log (Event Viewer), 397 security model Directory Service module, 33 Kerberos authentication protocol, 32 Kerberos Key Distribution Center service, 33 LSA server service, 33 Multiple Authentication Provider, 34 Netlogon service, 32 NTLM authentication protocol, 32 Security Parameter Index (SPI) field AH, 273 ESP, 274 security policies, defined, 144 security principals, 67–68 Security Quality of Service (SQoS), 115 Security Rule Wizard, 285 Security Settings node (Group Policy snap-in), 154–156, 162 Security Support Provider Interface (SSPI), 67, 92 Security Support Provider (SSP), 66 Kerberos, 92 NTLM, 92 SChannel, 93 Security tab Active Directory, 126–127 Default NNTP Virtual Server dialog box, 332 Default SMTP Virtual Server Properties dialog box, 330 security templates. See templates Security Templates MMC snap-in, 52 Security Templates tool, 52 SE_GROUP_ENABLED attribute, 113 SE_GROUP_USE_FOR_DENY_ONLY attribute, 113 Select Counters dialog box, 402 Select Network Component Type dialog box, 410 Select Network Protocol dialog box, 410 self-signed certificate, 212 Sequence number field AH, 273 ESP, 274 server authentication, 95

Server Extensions tab (Default Web Site Properties dialog box), 324 Server Message Block (SMS), 434 servers application, secure traffic to, 309–310 DHCP, authorizing, 249–250 DNS, secure traffic to, 308–309 Microsoft Exchange, secure traffic to, 309 RADIUS, 384 RIS, components of, 256 rogue, 243 terminal, secure traffic to, 312 service (SRV) records, 240 service tickets, securing, 78 Service-Type remote access policy condition, 357 services, public key-enabled, 210–211 services object type, 117 Services/Public Key Service/Certificate template, 208 session hijacking, 15 Session ID field (access token), 114 Set message, 253 Settings tab (Default NNTP Virtual Server dialog box), 332 SFC (System File Checker), 411–413 share permissions combined with NTFS permissions, 126 on folders, 124–126 shared secret key, 56 shares object type, 117 Sharing tab (Dial-up Connection Properties dialog box), 371 Shiva Password Authentication Protocol (SPAP), 353 shortcut trust relationships, 44–45 Show Services Node command (View menu), 208 SHS (Secure Hash Algorithm), 203 SIDs (security identifiers), 40, 50 access control components, 111 break up values, 112 defined, 110 R component, 112 S component, 112 structure of, 111 X component, 112 Y component, 112 signing, 201


503

504

Index

simple disk volumes, 416 Simple Network Management Protocol (SNMP) agent messages, list of, 253 agent software, 251 features of, 251 management system component, 251 overview, 250 securing communities, configuring, 254 messages, securing with IP security, 254–255 overview, 252 permissions, assigning to registry keys, 255 traps, configuring, 253 SNMP community, 252 single-domain logon, 85, 88 single firewalls, 294 single-purpose templates, 216–217 single sign-ons, 67, 384–385 sites. See Web sites SLIP protocol, 350 smart-card authentication, 46 smart card logon, 61, 90–91 SMB (Server Message Block), 434 SMTP security mechanism, IIS and, 326–330 smurf DoS attack, 26 snap-ins access to, controlling, 178 Active Directory Sites and Services, 208 Certification Authority, 208–209 Group Policy Administrative Templates node, 156–158, 162 Computer Configuration node, 151–152 Internet Explorer Maintenance subnode, 161–162 Networks subnode, 158 overview, 151 Printers subnode, 158 Scripts node, 154, 162 Security Settings node, 154–156, 162 Software Installation subnode, 160 Software Settings node, 152–153, 159–162 System subnode, 158 User Configuration node, 159 Windows Components subnode, 158 Windows Settings node, 153–156, 160–162 MMC (Group Policy Microsoft Management Console), 144, 479 permitted, restricting access to, 177–178

Security Configuration and Analysis, 188 Security Templates, 182 sniffing, 16 SNMP (Simple Network Management Protocol) agent messages, list of, 253 agent software, 251 features of, 251 management system component, 251 overview, 250 securing communities, configuring, 254 messages, securing with IP security, 254–255 overview, 252 permissions, assigning to registry keys, 255 traps, configuring, 253 SNMP community, 252 social engineering defined, 17 RSE (reverse social engineering), 18 techniques used in, 17–18 software antivirus, 22 SNMP agent, 251 Terminal Services Client, 263 Software Installation subnode (Group Policy snap-in), 160 Software Settings node (Group Policy snap-in), 152–153, 159–162 Source field (access token), 114 source information (Event Viewer), 399 Source tab (System Monitor console), 402 spam mailing, 28 spanned disk volumes, 416 SPAP (Shiva Password Authentication Protocol), 353 SPI (Security Parameter Index) field AH, 273 ESP, 274 Split DNS implementation, 308 spoofing active, 19 blind, 19 DNS, 242 frequently asked questions, 481 overview, 18–19 Spyware, 17 SQoS (Security Quality of Service), 115 SRV (service) records, 240


Index

SSL authentication protocol (Windows 2000 security model), 32, 49, 60, 94–96 SSL handshake, 95 SSL (Secure Sockets Layer), 31, 67 SSP (Security Support Provider), 66 Kerberos, 92 NTLM, 92 SChannel, 93 SSPI (Security Support Provider Interface), 67, 92 Stand-alone CAs, 217–219 standard access rights, 109 Start menu command, Run, 166 startup, Group Policy processing sequence, 163–164 stateful inspection, 295 stateful packet filtering firewalls, 297–298 static address mapping, 295, 298 Statistics field (access token), 114 storage domain, 162 striped disk volumes, 416 subject source of access control, 116 subject’s public key, 207 subordinate CAs, 48, 212 success audit event (Event Viewer), 398 symmetric encryption, 40, 55–56 symmetric key encryption, 55 SYN flood attack, 25–26 synchronize access right, 109 synchronous processing, 164–165 System Access Control List (SACL), 50–51 system-audit, object-specific ACE, 107 system-audit ACE, 107 System File Checker (SFC), 411–413 System log (Event Viewer), 397 System Monitor and Performance Logs and Alerts tool Performance Logs and Alerts alerts, 406–407 counter logs, 404–405 overview, 403 trace logs, 406 System Monitor, 400–403 system recovery best practices, 472 disaster precautions, 425 enable boot logging utility, 427 Last Known Good Configuration utility, 426–427 overview, 424

Recovery Console utility, 427–428 safe mode utility, 426 utilities for, list of, 425–426 SYSTEM security group, 174 System Services subnode, 155 System State data, 420 System subnode (Group Policy snap-in), 158 System.adm file, 157

T Tab-Delimited File (.TSV), 405 Task Manager tool, 407–409 Telnet security, UNIX access, securing, 438 templates Account Policies category, 180–181 basic, 184 best practices, 455–456 certificate configuring access control on, 210 protecting from unauthorized access, 208 Code Signing certificate, 217 default, 183 incremental, 184–185 Local Polices category, 181 multipurpose, 216 Notssid.inf, 265 predefined, customizing, 186 security settings, exporting, 186 Services/Public Key Service/Certificate, 208 single-purpose, 216 snap-in, loading, 182 terminal servers, secure traffic to, 312 Terminal Services Administration Tools, 263 licensing, 263 multiuser kernels, 262 overview, 262 Remote Desktop protocol, 263 securing deployment, 265 encryption, levels of, 265–266 local file system access, controlling, 264 logon attempts, controlling, 265 overview, 263 remote administration, restricting, 264 user access, controlling, 265 Terminal Services Client software, 263


505

506

Index

TGS (ticket granting service), 74 TGTs (ticket granting tickets), 74–75 threats assembling information threats Adware, 17 impersonation, 15–16 password cracking, 15 session hijacking, 15 sniffing, 16 social engineering, 17–18 spoofing, 18–19 cache poisoning, 242 client flooding, 242 damaging/disrupting network threats antivirus measures, 21–22 broadcast storms, 26 DoS (Denial-of-service) attacks, 24 mail bombs, 27–28 man-in-the-middle attacks, 23–24 ping of death, 27 smurf DoS attack, 26 spam mailing, 28 SYN flood, 25–26 Trojan Horses, 20–21 tunneling, 20 types of, 19 viruses, 20–21 worms, 20–21 defined, 5, 103 DoS attacks, 243 information leakage, 242–243 masquerading, 243–244 modifying information threats, 29–30 physical, 5 program, 5 rating scales for, 6 three-pronged firewall, 304 three-way hand-shake, 26 ticket granting service (TGS), 74 ticket granting tickets (TGTs), 74–75 time information (Event Viewer), 399 time stamps, 74 TKEY resource records, 245 TLS (Transport Layer Security), 49, 56 EAP and, 97 EFS and, 60

tools Disk Management Backup Wizard, 418 Check Disk utility, 418 configuring physical disk using, 415 Disk Defragmenter utility, 418 functions of, 414–415 Properties dialog box, 417 Event Viewer, 397–400 Network Monitor, 409–411, 472 Security Configuration and Analysis, 52 analysis, performing, 189–190 defined, 187 system security settings, configuring, 191 templates, importing/exporting, 189 Security Templates, 52 System Monitor and Performance Logs and Alerts Performance Logs and Alerts, 403–407 System Monitor, 400–403 Task Manager, 407–409 Tools Group Policy option, 261 trace logs, 406 transactions, enhanced security of, 205 transitive trust relationship, 44, 73 Transport Layer Security (TLS), 49, 56 EAP and, 97 EFS and, 60 transport mode (IPSec), 275–276 Trap message, 253 traps, configuring, 253 trihomed firewall, 304 Tripwire, 29 Trojan Horses, 20–21 trust path, defined, 44 trust relationships cross-link, 45 external trusts, 45–46 nontransitive trust relationship, 44 shortcut trust, 44–45 simplified, 73 transitive trust, 44, 73 trusted domain, defined, 44 TSIG resource record, 245 .TSV (Tab-Delimited File), 405 tunnel mode (IPSec), 275–276, 374


Index

Tunnel-Type remote access policy condition, 357 tunneling compulsory, 386–388 HTTP-Tunnel application, 20 overview, 20, 296 voluntary, 385–386 tunnels, 372 Type field (access token), 114 type information (Event Viewer), 399

U UDP (User Datagram Protocol), 271 unauthorized access, restricting, 50 universal groups, 54 UNIX clients, securing access for, 434–438 UNIX KDC, 47 unknown vulnerabilities, 6 UpdateSecurity Level setting, 246 usage-based CA hierarchy, 220 user authentication, 41, 295 User Configuration node (Group Policy snap-in), 159 User Datagram Protocol (UDP), 271 User field (access token), 114 User Group Policy Loopback Processing Mode dialog box, 171

V Verify Caller-ID permission, 359 View menu commands Advanced Features, 126 Show Services Node, 208 virtual DMZ setup, 304 Virtual Private Networking (VPN) access, 349 best practices, 468–469 connections, 372–373 features of, 373–374 firewalls and, 296 overview, 370–371 private networks versus, 371 viruses antivirus measures, 21–22 cures for, 23

mediums of, 21 voluntary tunneling, 385–386 VPN (Virtual Private Networking) access, 349 best practices, 468–469 connections, 372–373 features of, 373–374 firewalls and, 296 overview, 370–371 private networks versus, 371 vulnerabilities, 5–6

W WAN connectivity, 350 warning events (Event Viewer), 398 Web server permissions, 344 Web Site tab (Default Web Site Properties dialog box), 323 Web sites certificates for, creating, 337–341 defacing, 30 Windows 2000 security model. See security model Windows 2000 Server, functions provided by, 31 Windows 2000 Server Boot disk utility (system recovery), 425 Windows Backup program Backup Wizard, 420–422 ERD (Emergency Repair Disk), 423–424 Restore Wizard, 422–423 System State data, 420 Windows Components subnode (Group Policy snap-in), 158 Windows File Protection feature, 411–413 Windows File Protection subnode, 158 Windows-Groups remote access policy condition, 357 Windows Internet Name Service (WINS), 238 Windows Management Instrumentation (WMI), 434 Windows NT 4.0 Compatible Security template, 185 Windows Settings node (Group Policy snap-in), 153–156, 160–162 Windows.adm file, 157 Winlogon, 67–69


507

508

Index

Winnt.adm file, 157 WINS (Windows Internet Name Service), 238 wizards Backup, 418, 420–422 Client Installation, 256–257 Delegation of Control, 175 Filter Action, 291–292 IP Security Policy, 284–285 New Rule, 292 Remote Installation Preparation (RIPrep), 257 Restore, 422–423 Security Rule, 285 WMI (Windows Management Instrumentation), 434 workstation-locked state (Winlogon), 69 worms, 20–21 write access right, 109–110

X X component (SID), 112

Y Y component (SID), 112

Z zones Active Directory-integrated zone files, 240 defined, 239 dnsZone objects, 245–246 primary, 240 replication, 240–241 secondary, 240


Windows 2000 Security (Networking)

Maximum Windows 2000 Security (Maximum Security)

Configuring Windows 2000 Server Security

Configuring Windows 2000 Server Security

MCSE: Windows 2000 Network Security Design

Microsoft Windows Networking Essentials

Solaris 9 Security (Networking)

Windows 2000: Quick Fixes

Windows 2000 Configuration Wizards

Mastering Windows 2000 Server

DHCP for Windows 2000

DNS on Windows 2000

Inside Microsoft Windows 2000

Windows 2000 Performance Guide

DNS on Windows 2000

Windows 2000 Professional

Windows 2000 Configuration Wizards

Windows 2000 API SuperBible

Windows 2000 Configuration Wizards

Windows 2000 im Netzwerkeinsatz

Windows 2000 Server - Kompendium

DHCP for windows 2000

Windows 2000 (Hacking Exposed)

Microsoft Windows 2000 Professional

Windows 2000 Server 24Seven

Mastering Windows 2000 registry

Windows Server 2003 Networking Recipes

Microsoft Windows Security Inside Out for Windows XP and Windows 2000

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Study Guide

Windows 2000 Security (Networking)

Maximum Windows 2000 Security (Maximum Security)

Configuring Windows 2000 Server Security

Configuring Windows 2000 Server Security

MCSE: Windows 2000 Network Security Design

Microsoft Windows Networking Essentials

Solaris 9 Security (Networking)

Windows 2000: Quick Fixes

Windows 2000 Configuration Wizards

Mastering Windows 2000 Server

DHCP for Windows 2000

DNS on Windows 2000

Inside Microsoft Windows 2000

Windows 2000 Performance Guide

DNS on Windows 2000

Windows 2000 Professional

Windows 2000 Configuration Wizards

Windows 2000 API SuperBible

Windows 2000 Configuration Wizards

Windows 2000 im Netzwerkeinsatz

Windows 2000 Server - Kompendium

DHCP for windows 2000

Windows 2000 (Hacking Exposed)

Microsoft Windows 2000 Professional

Windows 2000 Server 24Seven

Mastering Windows 2000 registry

Windows Server 2003 Networking Recipes

Microsoft Windows Security Inside Out for Windows XP and Windows 2000

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Study Guide

Recommend Documents