Read an Excerpt
Chapter 1: Windows 2000 Security Features
Windows 2000 security is flexible and scalable, from the smallest company right up to multinational corporations in which strict security across wide area networks (WANs), including the Internet, is a major priority. Mostly, however, the new developments in Windows 2000 support the Internet-based enterprise. Security in large organizations is implemented through the use of the hierarchical Windows 2000 Active Directory. Other changes take advantage of the flexibility of the Windows security architecture to integrate authentication using Internet public key certificates, and interactive logon using smart cards. Windows 2000 combines ease of use, good administration tools, and a solid security infrastructure that supports both the enterprise and the Internet.
Windows 2000 Active Directory
Windows 2000 Active Directory stores all domain security policy and account information, provides replication and availability of this account information to multiple Domain Controllers (DCs) and facilitates remote administration. It supports a hierarchical namespace for user, group, and computer account information. Accounts can be grouped by Organizational Units (OUs) rather than the flat domain account namespace provided by Windows NT 4.
NOTE: In Windows NT 4 the domain namespace consists of User, Global group, Local group and Computer accounts. There's no hierarchy in the Windows NT 4 domain namespace; everything is at the same level. Global groups and Local groups can't be nested, although Global groups can be put into Local groups. A Global group can't inherit rights or permissions from another Global group at a higher level, because there isn't a higher level. This is known as a flat namespace. In contrast, the Windows 2000 namespace is hierarchical. OUs can inherit security policies from higher-level OUs, and inheritance can be blocked or enforced. The Windows 2000 hierarchical namespace is discussed later in this chapter. Chapter 3 discusses OUs and Group Policy Objects (GPOs) in detail.
Administrative rights to create and manage user or group accounts can be delegated to the level of OUs. Access rights can be granted to individual properties on user objects to allow, for example, a specific individual or group to have the right to reset passwords but not to modify other account information. Active Directory replication allows account updates at any DC, where Windows NT 4 allowed updates only at the Primary Domain Controller (PDC). Multiple master replicas of Active Directory at other DCs are updated and synchronized automatically.
NOTE: Windows 2000 domains don't have PDCs; all Windows 2000 DCs are equal, although one DC in a domain assumes the role of PDC emulator. In a mixed domain, where there is a Windows NT 4 PDC, a Windows 2000 DC can act as a Backup Domain Controller (BDC) equivalent. This provides a smooth upgrade path from Windows NT 4 to Windows 2000.
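The delegation described above (granting a group the right to reset passwords on user objects under one OU, and nothing else) can be expressed directly as an access control entry on the OU. The following PowerShell script is an added example, not code from the book; it uses the .NET System.DirectoryServices classes rather than the Windows 2000 era Delegation of Control Wizard, and the OU path and group name are assumptions. The two GUIDs are the well-known Active Directory identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the book): delegate only the "Reset Password" extended right
# on user objects beneath one OU. Run as an account that may modify the OU's security.
$ouPath    = 'LDAP://OU=Helpdesk Managed,DC=example,DC=com'   # assumed OU
$groupName = 'EXAMPLE\Helpdesk'                                # assumed group

$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class

$ou       = [ADSI]$ouPath
$identity = New-Object System.Security.Principal.NTAccount($groupName)
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents: the ACE applies to objects below the OU, not to the OU itself.
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# The last argument limits inheritance to objects of class "user", so computer and
# group objects in the same OU are not affected. No other property or right is granted.
$ace = New-Object System.DirectoryServices.ExtendedRightAccessRule -ArgumentList $identity, $allow, $resetPasswordRight, $inherit, $userClass

$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()

# Verify: list the explicit (non-inherited) ACEs held by the group on this OU.
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq $identity } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The verification step matters as much as the grant: ObjectType should show the Reset Password GUID and InheritedObjectType the user class GUID. An ACE with an empty ObjectType would grant every extended right on those objects, which is far more than the delegation intended.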
Windows 2000 employs a new domain model that uses Active Directory to support a multilevel hierarchical tree of domains. Management of trust relationships between domains is simplified by using two-way transitive trusts (Kerberos trusts) throughout the domain tree. The Windows 2000 domain tree and Kerberos trusts enable Windows 2000 scalability, which is discussed in Chapter 2.
Distributed Security And Security Protocols
Windows security includes authentication based on Internet standard security protocols. Kerberos version 5, discussed in Chapter 4, is implemented as the default protocol, although Windows NT LAN Manager (NTLM) is also supported to provide backward-compatibility. The Transport Layer Security (TLS) protocol, based on Secure Sockets Layer version 3 (SSL3/TLS), supports client authentication by mapping user credentials in the form of public key certificates to existing Windows NT accounts, and provides enhanced feature support for public key protocols in Windows 2000. Public key security and SSL3/TLS are discussed in Chapter 6. Common administration tools are used to manage account information and access control, whether using shared secret authentication or public key security.
In addition to passwords, Windows 2000 supports the optional use of smart cards for interactive logon. Smart cards, which look just like magnetic-stripe bank cards used in Automatic Teller Machines (ATMs), but hold thousands of times more information, support cryptography and secure storage for private keys and certificates, enabling reliable distributed security authentication.
TIP: Some good basic information about smart cards, smart card types, what smart cards look like, and smart card terminology can be found at www.gemplus.com/basics/what.htm and www.gemplus.com/basics/terms.htm.
At the network level, Windows 2000 uses Internet Protocol Security (IPSec), which is discussed in Chapter 10. Chapter 11 discusses Virtual Private Networks (VPNs) used for remote access over Wide Area Networks (WANs), including the Internet. The protocols used to implement tunneling in VPNs, such as Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), are discussed in Chapter 10.
I'll be discussing protocols throughout this book and have listed only the most significant in this introductory chapter. Protocol specifications are included in Request For Comment (RFC) documents. For example, if you want to find out more about Domain Name System Security Extensions (RFC 2535) or Security Association and Key Management Protocol (RFC 2408), then details may be found at ftp://ftp.isi.edu/in-notes/rfc2535.txt and ftp://ftp.isi.edu/in-notes/rfc2408.txt respectively.
TIP: A list of RFCs in numerical order may be found at http://ercole.di.unito.it/CIE/RFC/rfc-ind.htm.
Deploying Smart Cards
Microsoft Certificate Server enables organizations to issue X.509 version 3 certificates to their employees or business partners. This includes the introduction of the Cryptographic Application Program Interface (CryptoAPI) for certificate management. Organizations may use public key certificates issued by a commercial Certificate Authority (CA), a third-party CA, or Microsoft Certificate Server. System administrators define which CAs are trusted in their environment and hence which certificates are accepted for client authentication and access to resources.
Using public key certificates and mapping to an existing Windows account can authenticate external users who don't have Windows 2000 accounts. Access rights defined for the Windows account determine the resources that the external users can use on the system. Client authentication using public key certificates allows Windows 2000 to authenticate external users based on certificates issued by trusted CAs.
Windows 2000 users have suitable tools and common interface dialog boxes for managing the private/public key pairs and the certificates that they use to access Internet-based resources. Storage of personal security credentials, which uses secure, disk-based storage, is easily transported with the industry-standard protocol Personal Information Exchange (PIE). Windows 2000 also has integrated support for smart card devices.
Encryption
The operating system implements several encryption methods to take advantage of the use of digital signatures for providing authenticated data streams. In addition to signed ActiveX controls and Java classes for Internet Explorer, Windows 2000 uses digital signatures for image integrity of a variety of program components. In-house developers can also create signed software for distribution and virus protection.
Third-party suppliers are likely to host dynamic password authentication services on Windows 2000 Server and integrate dynamic passwords with Windows 2000 domain authentication. The Application Program Interfaces (APIs) and documentation to support these third-party products are available in the Microsoft Platform Software Development Kit (SDK).
The business world makes extensive use of the Internet, intranets, branch offices, and remote access. Sensitive information constantly crosses the networks. The challenge for administrators and other network professionals is to ensure data integrity, confidentiality and authentication. The data must be safe from the following:
- Modification while en route
- Interception, viewing, or copying
- Access by unauthenticated persons
To address these requirements, the Windows 2000 Server operating system includes an implementation of the IP Security Protocol (IPSec) as specified by the Internet Engineering Task Force (IETF). IPSec exists below the transport level, so that its security services are inherited transparently by applications. Microsoft Windows IP Security uses industry-standard encryption algorithms and a comprehensive security management approach to provide security for all TCP/IP communications on both sides of an organization's firewall. The result is a Windows 2000 Server end-to-end security strategy that defends against both external and internal attacks. IPSec is discussed in detail in Chapter 10.
Virtual Private Networks
A Virtual Private Network (VPN) enables a user to tunnel through the Internet or another public network, while maintaining the same level of security that would be provided by a private network. From the user's point of view, the VPN appears to be a point-to-point connection with the corporate server. A VPN must allow roaming or remote clients to connect to resources and be securely authenticated. The user's private address, name and password must be kept private and data must be encrypted. Encryption keys for both the client and the server must be generated and refreshed and the common protocols used in the public network must be supported.
WARNING! Nothing remains secure forever, and encryption keys are no exception. They therefore have an expiry time and need to be refreshed periodically. Precautions, such as an alternate data path, should be taken during a key refresh. If an unauthorized user intercepts a key refresh, then security is compromised.
Windows 2000 currently supports VPN solutions based on PPTP and the recently developed L2TP. IPSec also supports VPNs, but does not commonly meet all the requirements. VPNs are discussed in Chapter 11.
Security Configuration And Analysis Tools
Windows 2000 provides the Security Template and Security Configuration and Analysis snap-ins, plus the secedit command line utility, to configure and analyze security settings based on a series of standard templates that you can load, combine and edit to configure local security. The tools let you analyze your security settings by comparing them with the defaults, and to export the bespoke security templates you create for use in other machines on a network. They enable you to configure security at local machine level, or to amend a machine-type specific template that can then be applied to every machine of that type (workstation, member server and so on) in your network.
Although Windows NT 4 provides numerous graphical tools that can be used individually to configure various aspects of system security, these tools are not centralized; an administrator may need to open three or four applications to configure security for one computer. Security configuration can be complex, and with the distributed security features added in Windows 2000, this complexity has increased.
The security configuration tools are designed to meet the need for central security configuration, and to provide enterprise-level security analysis...
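The analyze-then-configure workflow described in this section can be scripted with the secedit utility the text names. The script below is an added example, not code from the book: it writes a small security template in the same .inf format the Security Templates snap-in produces, records the machine's current settings, analyzes the machine against the template, and lists the mismatches. The folder path and the policy values are assumptions chosen for illustration; the section and key names are the standard template keys.

```powershell
# Added example (not from the book): analyze a machine against a security template.
# Run from an elevated prompt; paths and policy values below are assumptions.
$workDir  = 'C:\SecConfig'
$template = Join-Path $workDir 'baseline.inf'
$database = Join-Path $workDir 'baseline.sdb'
$log      = Join-Path $workDir 'baseline.log'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Minimal template: password and lockout policy only. Templates are Unicode text.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 90
MinimumPasswordAge = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Export the machine's current effective settings as a before/after record.
secedit /export /cfg (Join-Path $workDir 'current.inf')

# 2. Analyze: compare the machine with the template. Nothing on the machine changes;
#    results go into the database and the log.
secedit /analyze /db $database /cfg $template /log $log

# 3. Report the settings secedit flagged as differing from the template.
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# 4. Only after reviewing the mismatches, apply the template. Left commented out so the
#    script is read-only by default.
# secedit /configure /db $database /cfg $template /log $log
```

Keeping the exported current.inf alongside the log gives a record of the starting state, which is what you need to roll back or to explain a later change; the same template file can be imported into the Security Configuration and Analysis snap-in or applied to other machines of the same type, as the section describes.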