This book is known as the "bible" that points out "security holes" in the Windows 2000 system, as well as weaknesses that emerge from poor planning and lax administration. It places extra emphasis on Windows 2000 security issues raised by high-bandwidth connections to the Internet, with and without firewalls. It covers Windows 2000 security at system deployment and during routine system administration.
About the Author
Ian McLean, MCITP, MCDBA, MCT, has 40+ years of experience in the education and IT industries. He has coauthored numerous Self-Paced Training Kits covering Windows Server, Windows® client, Microsoft Exchange Server, and SQL Server® technologies.
Read an Excerpt
Chapter 1: Windows 2000 Security Features
Windows 2000 security is flexible and scalable, from the smallest company right up to multinational corporations in which strict security across wide area networks (WANs), including the Internet, is a major priority. Mostly, however, the new developments in Windows 2000 support the Internet-based enterprise. Security in large organizations is implemented through the use of the hierarchical Windows 2000 Active Directory. Other changes take advantage of the flexibility of the Windows security architecture to integrate authentication using Internet public key certificates, and interactive logon using smart cards. Windows 2000 combines ease of use, good administration tools, and a solid security infrastructure that supports both the enterprise and the Internet.
Windows 2000 Active Directory
Windows 2000 Active Directory stores all domain security policy and account information, provides replication and availability of this account information to multiple Domain Controllers (DCs) and facilitates remote administration. It supports a hierarchical namespace for user, group, and computer account information. Accounts can be grouped by Organizational Units (OUs) rather than the flat domain account namespace provided by Windows NT 4.
NOTE: In Windows NT 4 the domain namespace consists of User, Global group, Local group and Computer accounts. There's no hierarchy in the Windows NT 4 domain namespace: everything is at the same level. Global groups and Local groups can't be nested, although Global groups can be put into Local groups. A Global group can't inherit rights or permissions from another Global group at a higher level, because there isn't a higher level. This is known as a flat namespace. In contrast, the Windows 2000 namespace is hierarchical. OUs can inherit security policies from higher-level OUs, and inheritance can be blocked or enforced. The Windows 2000 hierarchical namespace is discussed later in this chapter. Chapter 3 discusses OUs and Group Policy Objects (GPOs) in detail.
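As an added illustration of the inheritance rules the note describes (this is not code from the book), the following Python resolves the effective settings for an OU from a constructed set of GPO links, applying Block Policy Inheritance and No Override the way Windows 2000 Group Policy processes them. All container names, GPO names and settings are made-up sample data.

```python
# Effective Group Policy for an OU under Windows 2000 inheritance rules.
# Added illustration, not code from the book. Rules implemented:
#   - GPOs are applied site, domain, then OU by OU down the tree; a GPO
#     linked lower in the tree overrides a conflicting setting from above.
#   - "Block Policy Inheritance" on a container discards non-enforced GPOs
#     linked above that container.
#   - A link marked "No Override" (enforced) cannot be blocked and beats any
#     lower-level GPO; among enforced links, the higher container wins.
# All GPO names, containers and settings below are constructed sample data.

GPOS = {
    "Default Domain Policy": {"MinimumPasswordLength": 8, "LockoutBadCount": 5},
    "Corporate Audit": {"AuditLogonEvents": "Success, Failure", "LockoutBadCount": 3},
    "Engineering Baseline": {"MinimumPasswordLength": 12,
                             "AuditLogonEvents": "Success, Failure"},
    "Lab Relaxed": {"MinimumPasswordLength": 6, "LockoutBadCount": 0},
}

# Path from the domain down to the target OU:
# (container, block_inheritance, [(gpo_name, no_override), ...])
HIERARCHY = [
    ("corp.example", False, [("Default Domain Policy", False),
                             ("Corporate Audit", True)]),
    ("OU=Engineering", False, [("Engineering Baseline", False)]),
    ("OU=Lab", True, [("Lab Relaxed", False)]),
]


def resolve_effective_policy(path, gpos):
    """Return (effective_settings, origin); origin maps each setting to the
    GPO that supplied its winning value."""
    normal, enforced = [], []
    for _container, block_inheritance, links in path:
        if block_inheritance:
            normal = []  # drop everything non-enforced inherited from above
        for gpo_name, no_override in links:
            (enforced if no_override else normal).append(gpo_name)

    effective, origin = {}, {}

    def apply(gpo_name):
        for setting, value in gpos[gpo_name].items():
            effective[setting] = value
            origin[setting] = gpo_name

    for gpo_name in normal:              # top-down: lower containers override
        apply(gpo_name)
    for gpo_name in reversed(enforced):  # bottom-up: higher enforced link wins
        apply(gpo_name)
    return effective, origin


if __name__ == "__main__":
    for depth in range(1, len(HIERARCHY) + 1):
        effective, origin = resolve_effective_policy(HIERARCHY[:depth], GPOS)
        print(HIERARCHY[depth - 1][0])
        for setting in sorted(effective):
            print(f"  {setting} = {effective[setting]!r}  (from {origin[setting]})")
```

Running it shows that OU=Lab keeps its own relaxed password length because it blocks inheritance, but still receives the enforced Corporate Audit lockout count.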
Administrative rights to create and manage user or group accounts can be delegated to the level of OUs. Access rights can be granted to individual properties on user objects to allow, for example, a specific individual or group to have the right to reset passwords but not to modify other account information. Active Directory replication allows account updates at any DC, where Windows NT 4 allowed updates only at the Primary Domain Controller (PDC). Multiple master replicas of Active Directory at other DCs are updated and synchronized automatically.
NOTE: Windows 2000 domains don't have PDCs: all Windows 2000 DCs are equal, although one DC in a domain assumes the role of PDC emulator. In a mixed domain, where there is a Windows NT 4 PDC, a Windows 2000 DC can act as a Backup Domain Controller (BDC) equivalent. This provides a smooth upgrade path from Windows NT 4 to Windows 2000.
Windows 2000 employs a new domain model that uses Active Directory to support a multilevel hierarchical tree of domains. Management of trust relationships between domains is simplified by using two-way transitive trusts (Kerberos trusts) throughout the domain tree. The Windows 2000 domain tree and Kerberos trusts enable Windows 2000 scalability, which is discussed in Chapter 2.
Distributed Security And Security Protocols
Windows security includes authentication based on Internet standard security protocols. Kerberos version 5, discussed in Chapter 4, is implemented as the default protocol, although Windows NT LAN Manager (NTLM) is also supported to provide backward-compatibility. The Transport Layer Security (TLS) protocol, based on Secure Sockets Layer version 3 (SSL3/TLS), supports client authentication by mapping user credentials in the form of public key certificates to existing Windows NT accounts, and provides enhanced feature support for public key protocols in Windows 2000. Public key security and SSL3/TLS are discussed in Chapter 6. Common administration tools are used to manage account information and access control, whether using shared secret authentication or public key security.
In addition to passwords, Windows 2000 supports the optional use of smart cards for interactive logon. Smart cards, which look just like magnetic-stripe bank cards used in Automatic Teller Machines (ATMs), but hold thousands of times more information, support cryptography and secure storage for private keys and certificates, enabling reliable distributed security authentication.
TIP: Some good basic information about smart cards, smart card types, what smart cards look like, and smart card terminology can be found at www.gemplus.com/basics/what.htm and www.gemplus.com/basics/terms.htm.
At the network level, Windows 2000 uses Internet Protocol Security (IPSec), which is discussed in Chapter 10. Chapter 11 discusses Virtual Private Networks (VPNs) used for remote access over Wide Area Networks (WANs), including the Internet. The protocols used to implement tunneling in VPNs, such as Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), are discussed in Chapter 10.
I'll be discussing protocols throughout this book and have listed only the most significant in this introductory chapter. Protocol specifications are included in Request For Comment (RFC) documents. For example, if you want to find out more about Domain Name System Security Extensions (RFC 2535) or Security Association and Key Management Protocol (RFC 2408), then details may be found at ftp://ftp.isi.edu/in-notes/rfc2535.txt and ftp://ftp.isi.edu/in-notes/rfc2408.txt respectively.
TIP: A list of RFCs in numerical order may be found at http://ercole.di.unito.it/CIE/RFC/rfc-ind.htm.
Deploying Smart Cards
Microsoft Certificate Server enables organizations to issue X.509 version 3 certificates to their employees or business partners. This includes the introduction of the Cryptographic Application Program Interface (CryptoAPI) for certificate management. Organizations may use public key certificates issued by a commercial Certificate Authority (CA), a third-party CA, or Microsoft Certificate Server. System administrators define which CAs are trusted in their environment and hence which certificates are accepted for client authentication and access to resources.
Using public key certificates and mapping to an existing Windows account can authenticate external users who don't have Windows 2000 accounts. Access rights defined for the Windows account determine the resources that the external users can use on the system. Client authentication using public key certificates allows Windows 2000 to authenticate external users based on certificates issued by trusted CAs.
Windows 2000 users have suitable tools and common interface dialog boxes for managing the private/public key pairs and the certificates that they use to access Internet-based resources. Storage of personal security credentials, which uses secure, disk-based storage, is easily transported with the industry-standard protocol Personal Information Exchange (PIE). Windows 2000 also has integrated support for smart card devices.
Encryption
The operating system implements several encryption methods to take advantage of the use of digital signatures for providing authenticated data streams. In addition to signed ActiveX controls and Java classes for Internet Explorer, Windows 2000 uses digital signatures for image integrity of a variety of program components. In-house developers can also create signed software for distribution and virus protection.
Third-party suppliers are likely to host dynamic password authentication services on Windows 2000 Server and integrate dynamic passwords with Windows 2000 domain authentication. The Application Program Interfaces (APIs) and documentation to support these third-party products are available in the Microsoft Platform Software Development Kit (SDK).
The business world makes extensive use of the Internet, intranets, branch offices, and remote access. Sensitive information constantly crosses the networks. The challenge for administrators and other network professionals is to ensure data integrity, confidentiality and authentication. The data must be safe from the following:
- Modification while en route
- Interception, viewing, or copying
- Access by unauthenticated persons
To address these requirements, the Windows 2000 Server operating system includes an implementation of the IP Security Protocol (IPSec) as specified by the Internet Engineering Task Force (IETF). IPSec exists below the transport level, so that its security services are inherited transparently by applications. Microsoft Windows IP Security uses industry-standard encryption algorithms and a comprehensive security management approach to provide security for all TCP/IP communications on both sides of an organization's firewall. The result is a Windows 2000 Server end-to-end security strategy that defends against both external and internal attacks. IPSec is discussed in detail in Chapter 10.
Virtual Private Networks
A Virtual Private Network (VPN) enables a user to tunnel through the Internet or another public network, while maintaining the same level of security that would be provided by a private network. From the user's point of view, the VPN appears to be a point-to-point connection with the corporate server. A VPN must allow roaming or remote clients to connect to resources and be securely authenticated. The user's private address, name and password must be kept private and data must be encrypted. Encryption keys for both the client and the server must be generated and refreshed and the common protocols used in the public network must be supported.
WARNING! Nothing remains secure forever, and encryption keys are no exception. They therefore have an expiry time and need to be refreshed periodically. Precautions, such as an alternate data path, should be taken during a key refresh. If an unauthorized user intercepts a key refresh, then security is compromised.
Windows 2000 currently supports VPN solutions based on PPTP and the recently developed L2TP. IPSec also supports VPNs, but does not commonly meet all the requirements. VPNs are discussed in Chapter 11.
Security Configuration And Analysis Tools
Windows 2000 provides the Security Templates and Security Configuration and Analysis snap-ins, plus the secedit command-line utility, to configure and analyze security settings based on a series of standard templates that you can load, combine and edit to configure local security. The tools let you analyze your security settings by comparing them with a template, and export the bespoke security templates you create for use on other machines on a network. They enable you to configure security at local machine level, or to amend a machine-type-specific template that can then be applied to every machine of that type (workstation, member server and so on) in your network.
Although Windows NT 4 provides numerous graphical tools that can be used individually to configure various aspects of system security, these tools are not centralized: an administrator may need to open three or four applications to configure security for one computer. Security configuration can be complex, and with the distributed security features added in Windows 2000, this complexity has increased.
The security configuration tools are designed to meet the need for central security configuration, and to provide enterprise-level security analysis...
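As an added example (not code from the book or from Microsoft's tools), the following Python performs the comparison step of the analysis described above offline: a baseline template is checked against a machine's current settings, both written in the INI-style layout that secedit .inf templates use. The two .inf texts are constructed sample data; on a real machine the current settings would be taken from the file written by secedit /export.

```python
import configparser

# Constructed sample baseline in the layout used by secedit .inf templates
# (only a few of the sections and keys a real template carries are shown).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of a machine's current settings, as an exported
# template would hold them; deliberately weaker than the baseline in places.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
MaximumPasswordAge = 42
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-1-0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse secedit-style .inf text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. SeNetworkLogonRight
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def analyze(baseline_text, current_text):
    """Return findings as {'Section\\Key': (expected, actual)}. actual is
    None when the machine does not define a setting the baseline requires;
    for privilege rights both sides are sorted lists of SIDs."""
    base, cur = parse_template(baseline_text), parse_template(current_text)
    findings = {}
    for section in ("System Access", "Registry Values", "Privilege Rights"):
        for key, expected in base.get(section, {}).items():
            actual = cur.get(section, {}).get(key)
            if section == "Privilege Rights":
                # A right is a list of SIDs: order is irrelevant, membership is not.
                want = {s.strip() for s in expected.split(",") if s.strip()}
                have = {s.strip() for s in (actual or "").split(",") if s.strip()}
                if want != have:
                    findings[f"{section}\\{key}"] = (sorted(want), sorted(have))
            elif actual != expected:
                findings[f"{section}\\{key}"] = (expected, actual)
    return findings


if __name__ == "__main__":
    for name, (expected, actual) in sorted(analyze(BASELINE_INF, CURRENT_INF).items()):
        print(f"Mismatch  {name}: expected {expected!r}, found {actual!r}")
```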
Table of Contents
Chapter 1  Windows 2000 Security Features  1
    Windows 2000 Active Directory  2
    Distributed Security And Security Protocols  3
    Deploying Smart Cards  4
    Virtual Private Networks  6
    Security Configuration And Analysis Tools  7
    Understanding The Active Directory Structure  8
    Integrating Security Account Management  9
    Using Transitive Two-Way Trusts  10
    Using The Access Control List To Implement Fine-Grain Access Rights  13
    Using Security Protocols  14
    Using The Security Support Provider Interface  16
    Using The Kerberos 5 Authentication Protocol  18
    Using Public Key Certificates For Internet Security  23
    Implementing Interbusiness Access  29
    Providing An Enterprise Solution  30
    Using NTLM Credentials  31
    Using Kerberos Credentials  31
    Using Private/Public Key Pairs And Certificates  32
    Using Internet Protocol Security  33
    Using Virtual Private Networks  34
    Using The Security Configuration Tools  36
    Migrating From NT 4 To Windows 2000  38
Chapter 2  Active Directory And The Access Control List  41
    Windows 2000 Active Directory  42
    Supporting Open Standards  46
    Supporting Standard Name Formats  47
    Using Application Programming Interfaces  48
    Using The Windows Scripting Host  51
    Using Distributed Security  60
    Using The Security Settings Extension Of The Group Policy Editor  61
    Analyzing Default Access Control Settings  64
    Analyzing Default Group Membership  67
    Switching Between User Contexts  69
    Synchronizing Upgraded Machines With The Default Security Settings  70
    Using The Security Templates Snap-in  70
    Using The Access Control List Editor  74
Chapter 3  Group Policy  77
    Group Policy Capabilities And Benefits  78
    Group Policy And Active Directory  79
    Linking Group Policy With The Active Directory Structure  83
    Configuring A Group Policy Management Snap-in  84
    Accessing Group Policy For A Domain Or OU  85
    Creating A Group Policy Object  86
    Editing A Group Policy Object  88
    Giving A User The Log-on Locally Right On A Domain Controller  89
    Managing Group Policy  91
    Adding Or Browsing A Group Policy Object  92
    Setting Inheritance And Override  93
    Disabling Portions Of A GPO  97
    Linking A Single GPO To Multiple Sites, Domains, And OUs  98
    Administering Registry-Based Policies  100
    Setting Up Scripts  104
    Using Security Group Filtering  106
    Using Loopback Processing To Make Policies Computer-Specific  109
    Setting Up An Audit Policy  113
Chapter 4  Security Protocols  115
    Setting Up A Shared Secrets Protocol  119
    Using A Key Distribution Center  122
    Understanding Kerberos Subprotocols  126
    Analyzing Kerberos Tickets  137
    Configuring Kerberos Domain Policy  141
    Using The Security Support Provider Interface  143
Chapter 5  The Encrypting File System  149
    Why Data Encryption Is Necessary  150
    The Encrypting File System  151
    Using The Cipher Command-Line Utility  157
    Encrypting A Folder Or File  158
    Decrypting A Folder Or File  160
    Copying, Moving, And Renaming An Encrypted Folder Or File  161
    Backing Up An Encrypted Folder Or File  162
    Restoring An Encrypted Folder Or File  164
    Restoring Files To A Different Computer  166
    Securing The Default Recovery Key On A Standalone Computer  170
    Securing The Default Recovery Key For The Domain  172
    Adding Recovery Agents  172
    Setting A Recovery Policy For A Specific OU  175
    Recovering A File Or Folder  176
    Disabling EFS For A Specific Set Of Computers  176
Chapter 6  Public Keys  179
    Public Key Cryptography  180
    Protecting And Trusting Cryptographic Keys  182
    The Windows 2000 PKI Components  184
    Enabling Domain Clients  189
    Applying Windows 2000 Public Key Security  194
    Setting World Wide Web Security  196
    Using PK-Based Authentication In Internet Explorer  198
    Setting Up Microsoft Outlook To Use The Secure Sockets Layer  200
    Setting Up PK-Based Secure Email  202
    Configuring Outlook Express To Use PK Security  203
    Configuring Outlook To Use PK Security  208
Chapter 7  Certificate Services  215
    Deploying An Enterprise CA  219
    Trust In Multiple CA Hierarchies  220
    Setting Up A Certification Authority  222
    Using The Certificate Service Web Pages  225
    Installing CA Certificates  227
    Requesting An Advanced Certificate  231
    Enrolling Using A PKCS #10 Request File  234
    Configuring A Domain To Trust An External CA  235
    Setting Up An Automatic Certificate Request For Computers  237
    Starting And Stopping Certificate Services  238
    Backing Up And Restoring The Certificate Services Service  239
    Displaying The Certificate Services Log And Database  241
    Revoking Issued Certificates And Publishing A CRL  243
    Configuring The Policy And Exit Modules For Certificate Services  245
Chapter 8  Mapping Certificates To User Accounts  249
    Why Certificate Mapping Is Needed  250
    Types Of Mapping  251
    Where Mapping Occurs  252
    Installing A User Certificate  253
    Exporting A Certificate  256
    Installing A CA Certificate  257
    Configuring Active Directory For UPN Mapping  259
    Configuring Active Directory For One-To-One Mapping  264
    Configuring IIS For One-To-One Mapping  265
    Configuring Active Directory For Many-To-One Mapping  267
    Configuring IIS For Many-To-One Mapping  268
    Testing The Mapping  269
Chapter 9  Smart Cards  273
    What Is A Smart Card?  274
    Smart Card Interoperability  275
    Supported Smart Cards  279
    Supported Smart Card Readers  279
    Installing A Smart Card Reader  281
    Setting Up A Smart Card Enrollment Station  283
    Issuing Smart Cards  286
    Logging On Using A Smart Card  289
    Deploying Smart Cards  295
    Resolving Smart Card-Related Issues  297
    Securing The Smart Card Enrollment Station  299
    Putting Applications On Smart Cards  300
    Using The Smart Card Software Development Kit  301
    Using The Microsoft APIs  307
    Using The Java Card API 2.1  309
    Using The OpenCard Framework  311
Chapter 10  IP Security  313
    IP Security Protection  314
    Analyzing IPSec Operations  320
    Specifying IPSec Settings  321
    Configuring IPSec On Individual Computers  325
    Configuring IPSec For A Domain  329
    Changing The Security Method  331
    Configuring IPSec For An OU  332
Chapter 11  Virtual Private Networks  335
    Using Virtual Private Networks  336
    Comparing PPTP And L2TP  341
    The Remote Authentication Dial-in User Service  341
    Specifying A VPN Strategy  343
    Setting Up A VPN Server  349
    Configuring A VPN Server  351
    Configuring A VPN Client  353
    Organizing Remote Access User Accounts  355
    Creating A Remote Access Policy For Router-To-Router VPN Connections  356
    Enabling Mutual Authentication  357
    Obtaining A Computer Certificate Automatically  358
    Adding L2TP And PPTP Ports  359
    Setting Up A RADIUS Server  360
Chapter 12  Security Configuration And Analysis Tools  363
    The Configuration Tools  364
    Security Template Settings  365
    Predefined Security Templates  367
    Creating And Analyzing A Security Configuration  370
    Editing A Security Configuration  371
    Exporting A Security Configuration  373
    Editing Security Templates  374
    Using The Secedit Command  376
Security technologies are developing rapidly. Public key certificates and dynamic passwords help meet the security needs of the enterprise environment. Remote access over public networks, and Internet access for business-to-business communication, are driving the evolution of security technology. Smart cards are replacing password security where the use of the latter has proven to be problematic, and biometrics (the use of a unique physical characteristic such as a fingerprint or retina scan instead of a PIN) provides a sound basis for account security combined with ease of use. This book covers the new features that Windows 2000 provides to assist the security professional to set up a sound but usable security framework, always remembering that nothing's infallible!
Who the Book Is For
This book is for network professionals, possibly with a Windows NT 4.0, NetWare or Unix background, who are administering or intend to administer Windows 2000 networks, and specifically to set up Windows 2000 security. It would also be of use to technical support personnel and to consultants and designers tasked with developing and setting up security on a network. The book's structure makes it ideal for those who want to learn the facts, carry out the procedures and solve the problems, fast.
The book assumes that readers know how an NT 4 trust works, have come across User Manager for Domains, Server Manager, System Policy Editor and Event Viewer, have a working knowledge of TCP/IP and know the limitations of 10BaseT.
How the Book Is Organized
The first chapter takes a broad-brush approach, introducing the topics that will be described in detail later in the book, and the terms and acronyms that the reader will come across time and time again when implementing Windows 2000 security. The purpose of the chapter is to provide an overview, familiarize the reader with the concepts, and let him or her decide which of the subsequent chapters is of particular interest. This book is about solving problems. Chapter 1 addresses the problem of knowing where to start, what to look for, and where to find it.
Chapter 2 describes Active Directory, which defines the structure of a Windows 2000 network, and provides the means to implement structured, multi-level security zones with a finer granularity of control than was possible with previous Microsoft Windows implementations. The chapter demonstrates how Active Directory can be customized and Access Control Settings configured, and introduces the Microsoft Management Console (MMC) snap-ins that are used to configure and administer all aspects of Windows 2000, including security policies.
Chapter 3 describes group policy, and the methods by which the settings contained in Group Policy Objects (GPOs) can be applied to Active Directory objects such as sites, domains and Organizational Units (OUs). The chapter discusses policy inheritance, how domain-level policies may be enforced or blocked at lower levels in the Active Directory structure, and how security group filtering enables certain administrative tasks to be delegated without compromising overall domain security policy.
Chapter 4 looks at the various Windows 2000 Security Protocols and how these are used. In particular, the chapter highlights Kerberos 5, the Windows 2000 default authentication protocol. The chapter describes how mutual authentication is achieved using a shared secret protocol, and discusses shared keys, session keys, key distribution centers, Kerberos tickets, the ticket granting service, and cross-domain authentication. The principles and practice described in this chapter are central to the entire concept of Windows 2000 security.
In Chapter 5, the problem of unauthorized access to sensitive data is outlined, and the Windows 2000 solution, the Encrypting File System (EFS), is described. EFS is normally invisible to the user, who can access and edit his or her own files in the usual manner, while the files remain inaccessible to any other user. This has its own problems, and the use of recovery agents to retrieve encrypted files is also discussed.
Chapters 6 and 7 are interlinked. The use of public keys, private keys, and security certificates provides strong security when sensitive data is being sent over a hostile environment such as the Internet. Chapter 6 discusses the Windows 2000 public key infrastructure (PKI), the use of the SSL3 protocol to set up a secure Web site, and the use of digital signatures and encryption to protect sensitive e-mail traffic. Chapter 7 discusses certificate authorities (CAs), including Microsoft Certificate Services and third-party CAs such as VeriSign and Thawte. The chapter describes how to set up a CA, how to obtain certificates, and how to set up a certificate revocation list (CRL).
Chapter 8 discusses certificate mapping, which implements certificate-based security for logons over a hostile environment, such as the Internet, and provides a method of authenticating logons by employees of a partner or subsidiary organization who don't have individual accounts in a domain.
Smart cards, discussed in Chapter 9, are rapidly becoming the authentication method of choice, particularly for large organizations that have found password security difficult to manage in the past.
Sensitive data is at its most vulnerable when travelling across a network. While SSL3 encryption can be used by (for example) browsers, it requires applications to be SSL3 aware. Internet Protocol Security (IPSec), discussed in Chapter 10, provides a method, invisible to the user, of securing all network traffic against both outsiders and malicious insiders.
Where traffic passes over a foreign network, such as the Internet, tunneling through Virtual Private Networks (VPNs), discussed in Chapter 11, provides a cost-effective answer to security concerns.
Chapter 12 looks at the tools provided for configuring local security using security templates, editing security parameters, creating new templates, and analyzing security settings.
Finally there's a glossary that lists and explains the technical terms used in the book, and a comprehensive index to enable the reader to search for specific terms and topics, making the use of the book even quicker and more effective.
How the Book Can Be Used
This book can be read through from start to finish, and will give an excellent grounding in Windows 2000 security. However, the reader may feel it's more appropriate to skip around, finding examples and procedures that will help with current tasks or with any problems he or she may encounter. The book is a reference resource, to be used in the way best suited to the reader's needs and experience.