Windows 2000 Security Little Black Book

by Ian McLean

This book is known as the "bible" that points out "security holes" in the Windows 2000 system, as well as weaknesses that emerge from poor planning and lax administration. It places extra emphasis on Windows 2000 security issues raised by high-bandwidth connections to the Internet, with and without firewalls. Covers Windows 2000 security at system deployment and during routine system administration.

Product Details

ISBN-13: 9781932111286
Publisher: Paraglyph Press, Inc.
Publication date: 02/28/2000
Series: Little Black Books (Paraglyph Press) Series
Pages: 448
Product dimensions: 6.36(w) x 8.98(h) x 1.01(d)

About the Author

Ian McLean, MCITP, MCDBA, MCT, has 40+ years of experience in the education and IT industries. He has coauthored numerous Self-Paced Training Kits covering Windows Server, Windows® client, Microsoft Exchange Server, and SQL Server® technologies.

Read an Excerpt

Chapter 1: Windows 2000 Security Features

In Brief

Windows 2000 security is flexible and scalable, from the smallest company right up to multinational corporations in which strict security across wide area networks (WANs), including the Internet, is a major priority. Mostly, however, the new developments in Windows 2000 support the Internet-based enterprise. Security in large organizations is implemented through the use of the hierarchical Windows 2000 Active Directory. Other changes take advantage of the flexibility of the Windows security architecture to integrate authentication using Internet public key certificates, and interactive logon using smart cards. Windows 2000 combines ease of use, good administration tools, and a solid security infrastructure that supports both the enterprise and the Internet.

Windows 2000 Active Directory

Windows 2000 Active Directory stores all domain security policy and account information, provides replication and availability of this account information to multiple Domain Controllers (DCs) and facilitates remote administration. It supports a hierarchical namespace for user, group, and computer account information. Accounts can be grouped by Organizational Units (OUs) rather than the flat domain account namespace provided by Windows NT 4.

NOTE: In Windows NT 4 the domain namespace consists of User, Global group, Local group and Computer accounts. There's no hierarchy in the Windows NT 4 domain namespace; everything is at the same level. Global groups and Local groups can't be nested, although Global groups can be put into Local groups. A Global group can't inherit rights or permissions from another Global group at a higher level, because there isn't a higher level. This is known as a flat namespace. In contrast, the Windows 2000 namespace is hierarchical. OUs can inherit security policies from higher-level OUs, and inheritance can be blocked or enforced. The Windows 2000 hierarchical namespace is discussed later in this chapter. Chapter 3 discusses OUs and Group Policy Objects (GPOs) in detail.

Administrative rights to create and manage user or group accounts can be delegated to the level of OUs. Access rights can be granted to individual properties on user objects to allow, for example, a specific individual or group to have the right to reset passwords but not to modify other account information. Active Directory replication allows account updates at any DC, whereas Windows NT 4 allowed updates only at the Primary Domain Controller (PDC). Multiple master replicas of Active Directory at other DCs are updated and synchronized automatically.

NOTE: Windows 2000 domains don't have PDCs; all Windows 2000 DCs are equal, although one DC in a domain assumes the role of PDC emulator. In a mixed domain, where there is a Windows NT 4 PDC, a Windows 2000 DC can act as a Backup Domain Controller (BDC) equivalent. This provides a smooth upgrade path from Windows NT 4 to Windows 2000.

Windows 2000 employs a new domain model that uses Active Directory to support a multilevel hierarchical tree of domains. Management of trust relationships between domains is simplified by using two-way transitive trusts (Kerberos trusts) throughout the domain tree. The Windows 2000 domain tree and Kerberos trusts enable Windows 2000 scalability, which is discussed in Chapter 2.

Distributed Security And Security Protocols

Windows security includes authentication based on Internet standard security protocols. Kerberos version 5, discussed in Chapter 4, is implemented as the default protocol, although Windows NT LAN Manager (NTLM) is also supported to provide backward-compatibility. The Transport Layer Security (TLS) protocol, based on Secure Sockets Layer version 3 (SSL3/TLS), supports client authentication by mapping user credentials in the form of public key certificates to existing Windows NT accounts, and provides enhanced feature support for public key protocols in Windows 2000. Public key security and SSL3/TLS are discussed in Chapter 6. Common administration tools are used to manage account information and access control, whether using shared secret authentication or public key security.

In addition to passwords, Windows 2000 supports the optional use of smart cards for interactive logon. Smart cards, which look just like magnetic-stripe bank cards used in Automatic Teller Machines (ATMs), but hold thousands of times more information, support cryptography and secure storage for private keys and certificates, enabling reliable distributed security authentication.

TIP: Some good basic information about smart cards, smart card types, what smart cards look like, and smart card terminology can be found at and

At the network level, Windows 2000 uses Internet Protocol Security (IPSec), which is discussed in Chapter 10. Chapter 11 discusses Virtual Private Networks (VPNs) used for remote access over Wide Area Networks (WANs), including the Internet. The protocols used to implement tunneling in VPNs, such as Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), are discussed in Chapter 10.

I'll be discussing protocols throughout this book and have listed only the most significant in this introductory chapter. Protocol specifications are included in Request for Comments (RFC) documents. For example, if you want to find out more about Domain Name System Security Extensions (RFC 2535) or the Internet Security Association and Key Management Protocol (RFC 2408), then details may be found at and and in-notes/rfc2408.txt respectively.

TIP: A list of RFCs in numerical order may be found at

Deploying Smart Cards

Microsoft Certificate Server enables organizations to issue X.509 version 3 certificates to their employees or business partners. This includes the introduction of the Cryptographic Application Program Interface (CryptoAPI) for certificate management. Organizations may use public key certificates issued by a commercial Certificate Authority (CA), a third-party CA, or Microsoft Certificate Server. System administrators define which CAs are trusted in their environment and hence which certificates are accepted for client authentication and access to resources.

Using public key certificates and mapping to an existing Windows account can authenticate external users who don't have Windows 2000 accounts. Access rights defined for the Windows account determine the resources that the external users can use on the system. Client authentication using public key certificates allows Windows 2000 to authenticate external users based on certificates issued by trusted CAs.

Windows 2000 users have suitable tools and common interface dialog boxes for managing the private/public key pairs and the certificates that they use to access Internet-based resources. Storage of personal security credentials, which uses secure, disk-based storage, is easily transported with the industry-standard protocol Personal Information Exchange (PIE). Windows 2000 also has integrated support for smart card devices.


The operating system implements several encryption methods to take advantage of the use of digital signatures for providing authenticated data streams. In addition to signed ActiveX controls and Java classes for Internet Explorer, Windows 2000 uses digital signatures for image integrity of a variety of program components. In-house developers can also create signed software for distribution and virus protection.

Third-party suppliers are likely to host dynamic password authentication services on Windows 2000 Server and integrate dynamic passwords with Windows 2000 domain authentication. The Application Program Interfaces (APIs) and documentation to support these third-party products are available in the Microsoft Platform Software Development Kit (SDK).

IP Security

The business world makes extensive use of the Internet, intranets, branch offices, and remote access. Sensitive information constantly crosses the networks. The challenge for administrators and other network professionals is to ensure data integrity, confidentiality and authentication. The data must be safe from the following:

  • Modification while en route

  • Interception, viewing, or copying

  • Access by unauthenticated persons

To address these requirements, the Windows 2000 Server operating system includes an implementation of the IP Security Protocol (IPSec) as specified by the Internet Engineering Task Force (IETF). IPSec exists below the transport level, so that its security services are inherited transparently by applications. Microsoft Windows IP Security uses industry-standard encryption algorithms and a comprehensive security management approach to provide security for all TCP/IP communications on both sides of an organization's firewall. The result is a Windows 2000 Server end-to-end security strategy that defends against both external and internal attacks. IPSec is discussed in detail in Chapter 10.

Virtual Private Networks

A Virtual Private Network (VPN) enables a user to tunnel through the Internet or another public network, while maintaining the same level of security that would be provided by a private network. From the user's point of view, the VPN appears to be a point-to-point connection with the corporate server. A VPN must allow roaming or remote clients to connect to resources and be securely authenticated. The user's private address, name and password must be kept private and data must be encrypted. Encryption keys for both the client and the server must be generated and refreshed and the common protocols used in the public network must be supported.

WARNING! Nothing remains secure forever, and encryption keys are no exception. They therefore have an expiry time and must be refreshed periodically. Precautions, such as an alternate data path, should be taken during a key refresh. If an unauthorized user intercepts a key refresh, then security is compromised.

Windows 2000 currently supports VPN solutions based on PPTP and the recently developed L2TP. IPSec also supports VPNs, but does not commonly meet all the requirements. VPNs are discussed in Chapter 11.

Security Configuration And Analysis Tools

Windows 2000 provides the Security Templates and Security Configuration and Analysis snap-ins, plus the secedit command-line utility, to configure and analyze security settings based on a series of standard templates that you can load, combine and edit to configure local security. The tools let you analyze your security settings by comparing them with the defaults, and export the bespoke security templates you create for use on other machines on a network. They enable you to configure security at the local machine level, or to amend a machine-type-specific template that can then be applied to every machine of that type (workstation, member server and so on) in your network.

Although Windows NT 4 provides numerous graphical tools that can be used individually to configure various aspects of system security, these tools are not centralized; an administrator may need to open three or four applications to configure security for one computer. Security configuration can be complex, and with the distributed security features added in Windows 2000, this complexity has increased.

The security configuration tools are designed to meet the need for central security configuration, and to provide enterprise-level security analysis...
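The analyze-then-configure workflow described in this section can be driven entirely from the command line with secedit. The batch file below is an added example written for this page; it is not taken from the book or from Microsoft's documentation. It assumes a working directory of C:\secdb (hypothetical) and uses the predefined securews.inf template that ships in %SystemRoot%\Security\Templates; the database and log file names are constructed for the example. The analysis step only reports differences between the template and the machine's current settings, so it is safe to run first; the configure step, which actually changes settings, is gated behind an explicit second argument so the script can't apply a template by accident.

```batch
@echo off
rem Added example: compare a machine against a security template with secedit,
rem then (optionally) apply the template. Not from the book.
rem Usage:  sectest.cmd analyze            - report drift only
rem         sectest.cmd configure APPLY    - apply the template (changes settings)

setlocal
set WORKDIR=C:\secdb
set TEMPLATE=%SystemRoot%\Security\Templates\securews.inf
set DB=%WORKDIR%\securews.sdb
set LOG=%WORKDIR%\securews.log

if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 2
)

if /i "%1"=="analyze" goto :analyze
if /i "%1"=="configure" goto :configure
echo Usage: %~nx0 analyze ^| configure APPLY
exit /b 1

:analyze
rem Import the template into a fresh database and compare it with the live settings.
rem Nothing on the machine is changed; mismatches are written to the log.
if exist "%DB%" del "%DB%"
secedit /analyze /DB "%DB%" /CFG "%TEMPLATE%" /log "%LOG%" /verbose
echo Analysis complete. Lines flagged "Mismatch" in %LOG% are settings that
echo differ from the template; review them before deciding to configure.
exit /b 0

:configure
rem Refuse to change anything unless the caller confirms with a second argument.
if /i not "%2"=="APPLY" (
    echo Refusing to configure without the APPLY confirmation argument.
    exit /b 1
)
rem Apply every area of the template and record what was changed.
secedit /configure /DB "%DB%" /CFG "%TEMPLATE%" /log "%LOG%" /verbose
echo Template applied. Re-run "%~nx0 analyze" to confirm there is no remaining drift.
exit /b 0
```

Running the analyze step on a schedule and keeping the logs gives a simple drift check: a machine that matched the template last week and shows mismatches today has had its local security settings changed outside the template process, which is worth investigating before re-applying.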

Table of Contents

Chapter 1: Windows 2000 Security Features (p. 1)
  In Brief
    Windows 2000 Active Directory (p. 2)
    Distributed Security And Security Protocols (p. 3)
    Deploying Smart Cards (p. 4)
    IP Security (p. 6)
    Virtual Private Networks (p. 6)
    Security Configuration And Analysis Tools (p. 7)
  Immediate Solutions
    Understanding The Active Directory Structure (p. 8)
    Integrating Security Account Management (p. 9)
    Using Transitive Two-Way Trusts (p. 10)
    Delegating Administration (p. 12)
    Using The Access Control List To Implement Fine-Grain Access Rights (p. 13)
    Using Security Protocols (p. 14)
    Using The Security Support Provider Interface (p. 16)
    Using The Kerberos 5 Authentication Protocol (p. 18)
    Using Public Key Certificates For Internet Security (p. 23)
    Implementing Interbusiness Access (p. 29)
    Providing An Enterprise Solution (p. 30)
    Using NTLM Credentials (p. 31)
    Using Kerberos Credentials (p. 31)
    Using Private/Public Key Pairs And Certificates (p. 32)
    Using Internet Protocol Security (p. 33)
    Using Virtual Private Networks (p. 34)
    Using The Security Configuration Tools (p. 36)
    Migrating From NT 4 To Windows 2000 (p. 38)
Chapter 2: Active Directory And The Access Control List (p. 41)
  In Brief
    Windows 2000 Active Directory (p. 42)
  Immediate Solutions
    Supporting Open Standards (p. 46)
    Supporting Standard Name Formats (p. 47)
    Using Application Programming Interfaces (p. 48)
    Using The Windows Scripting Host (p. 51)
    Enabling Scalability (p. 54)
    Using Distributed Security (p. 60)
    Using The Security Settings Extension Of The Group Policy Editor (p. 61)
    Analyzing Default Access Control Settings (p. 64)
    Analyzing Default Group Membership (p. 67)
    Switching Between User Contexts (p. 69)
    Synchronizing Upgraded Machines With The Default Security Settings (p. 70)
    Using The Security Templates Snap-in (p. 70)
    Using The Access Control List Editor (p. 74)
Chapter 3: Group Policy (p. 77)
  In Brief
    Group Policy Capabilities And Benefits (p. 78)
    Group Policy And Active Directory (p. 79)
  Immediate Solutions
    Linking Group Policy With The Active Directory Structure (p. 83)
    Configuring A Group Policy Management Snap-in (p. 84)
    Accessing Group Policy For A Domain Or OU (p. 85)
    Creating A Group Policy Object (p. 86)
    Editing A Group Policy Object (p. 88)
    Giving A User The Log-on Locally Right On A Domain Controller (p. 89)
    Managing Group Policy (p. 91)
    Adding Or Browsing A Group Policy Object (p. 92)
    Setting Inheritance And Override (p. 93)
    Disabling Portions Of A GPO (p. 97)
    Linking A Single GPO To Multiple Sites, Domains, And OUs (p. 98)
    Administering Registry-Based Policies (p. 100)
    Setting Up Scripts (p. 104)
    Using Security Group Filtering (p. 106)
    Using Loopback Processing To Make Policies Computer-Specific (p. 109)
    Setting Up An Audit Policy (p. 113)
Chapter 4: Security Protocols (p. 115)
  In Brief
  Immediate Solutions
    Setting Up A Shared Secrets Protocol (p. 119)
    Using A Key Distribution Center (p. 122)
    Understanding Kerberos Subprotocols (p. 126)
    Authenticating Logons (p. 130)
    Analyzing Kerberos Tickets (p. 137)
    Delegating Authentication (p. 140)
    Configuring Kerberos Domain Policy (p. 141)
    Using The Security Support Provider Interface (p. 143)
Chapter 5: The Encrypting File System (p. 149)
  In Brief
    Why Data Encryption Is Necessary (p. 150)
    The Encrypting File System (p. 151)
  Immediate Solutions
    Using The Cipher Command-Line Utility (p. 157)
    Encrypting A Folder Or File (p. 158)
    Decrypting A Folder Or File (p. 160)
    Copying, Moving, And Renaming An Encrypted Folder Or File (p. 161)
    Backing Up An Encrypted Folder Or File (p. 162)
    Restoring An Encrypted Folder Or File (p. 164)
    Restoring Files To A Different Computer (p. 166)
    Securing The Default Recovery Key On A Standalone Computer (p. 170)
    Securing The Default Recovery Key For The Domain (p. 172)
    Adding Recovery Agents (p. 172)
    Setting A Recovery Policy For A Specific OU (p. 175)
    Recovering A File Or Folder (p. 176)
    Disabling EFS For A Specific Set Of Computers (p. 176)
Chapter 6: Public Keys (p. 179)
  In Brief
    Public Key Cryptography (p. 180)
    Protecting And Trusting Cryptographic Keys (p. 182)
    The Windows 2000 PKI Components (p. 184)
  Immediate Solutions
    Enabling Domain Clients (p. 189)
    Applying Windows 2000 Public Key Security (p. 194)
    Setting World Wide Web Security (p. 196)
    Using PK-Based Authentication In Internet Explorer (p. 198)
    Setting Up Microsoft Outlook To Use The Secure Sockets Layer (p. 200)
    Setting Up PK-Based Secure Email (p. 202)
    Configuring Outlook Express To Use PK Security (p. 203)
    Configuring Outlook To Use PK Security (p. 208)
    Achieving Interoperability (p. 211)
Chapter 7: Certificate Services (p. 215)
  In Brief
    Deploying An Enterprise CA (p. 219)
    Trust In Multiple CA Hierarchies (p. 220)
  Immediate Solutions
    Setting Up A Certification Authority (p. 222)
    Using The Certificate Service Web Pages (p. 225)
    Installing CA Certificates (p. 227)
    Requesting An Advanced Certificate (p. 231)
    Enrolling Using A PKCS #10 Request File (p. 234)
    Configuring A Domain To Trust An External CA (p. 235)
    Setting Up An Automatic Certificate Request For Computers (p. 237)
    Starting And Stopping Certificate Services (p. 238)
    Backing Up And Restoring The Certificate Services Service (p. 239)
    Displaying The Certificate Services Log And Database (p. 241)
    Revoking Issued Certificates And Publishing A CRL (p. 243)
    Configuring The Policy And Exit Modules For Certificate Services (p. 245)
Chapter 8: Mapping Certificates To User Accounts (p. 249)
  In Brief
    Why Certificate Mapping Is Needed (p. 250)
    Types Of Mapping (p. 251)
    Where Mapping Occurs (p. 252)
  Immediate Solutions
    Installing A User Certificate (p. 253)
    Exporting A Certificate (p. 256)
    Installing A CA Certificate (p. 257)
    Configuring Active Directory For UPN Mapping (p. 259)
    Configuring Active Directory For One-To-One Mapping (p. 264)
    Configuring IIS For One-To-One Mapping (p. 265)
    Configuring Active Directory For Many-To-One Mapping (p. 267)
    Configuring IIS For Many-To-One Mapping (p. 268)
    Testing The Mapping (p. 269)
Chapter 9: Smart Cards (p. 273)
  In Brief
    What Is A Smart Card? (p. 274)
    Smart Card Interoperability (p. 275)
    Supported Smart Cards (p. 279)
    Supported Smart Card Readers (p. 279)
  Immediate Solutions
    Installing A Smart Card Reader (p. 281)
    Setting Up A Smart Card Enrollment Station (p. 283)
    Issuing Smart Cards (p. 286)
    Logging On Using A Smart Card (p. 289)
    Deploying Smart Cards (p. 295)
    Resolving Smart Card-Related Issues (p. 297)
    Securing The Smart Card Enrollment Station (p. 299)
    Putting Applications On Smart Cards (p. 300)
    Using The Smart Card Software Development Kit (p. 301)
    Using The Microsoft APIs (p. 307)
    Using The Java Card API 2.1 (p. 309)
    Using The OpenCard Framework (p. 311)
Chapter 10: IP Security (p. 313)
  In Brief
    IP Security Protection (p. 314)
    IPSec Features (p. 314)
    Security Associations (p. 317)
  Immediate Solutions
    Analyzing IPSec Operations (p. 320)
    Specifying IPSec Settings (p. 321)
    Configuring IPSec On Individual Computers (p. 325)
    Configuring IPSec For A Domain (p. 329)
    Changing The Security Method (p. 331)
    Configuring IPSec For An OU (p. 332)
Chapter 11: Virtual Private Networks (p. 335)
  In Brief
    Using Virtual Private Networks (p. 336)
    Comparing PPTP And L2TP (p. 341)
    The Remote Authentication Dial-in User Service (p. 341)
  Immediate Solutions
    Specifying A VPN Strategy (p. 343)
    Setting Up A VPN Server (p. 349)
    Configuring A VPN Server (p. 351)
    Configuring A VPN Client (p. 353)
    Organizing Remote Access User Accounts (p. 355)
    Creating A Remote Access Policy For Router-To-Router VPN Connections (p. 356)
    Enabling Mutual Authentication (p. 357)
    Obtaining A Computer Certificate Automatically (p. 358)
    Adding L2TP And PPTP Ports (p. 359)
    Setting Up A RADIUS Server (p. 360)
Chapter 12: Security Configuration And Analysis Tools (p. 363)
  In Brief
    The Configuration Tools (p. 364)
    Security Template Settings (p. 365)
    Predefined Security Templates (p. 367)
  Immediate Solutions
    Creating And Analyzing A Security Configuration (p. 370)
    Editing A Security Configuration (p. 371)
    Exporting A Security Configuration (p. 373)
    Editing Security Templates (p. 374)
    Using The Secedit Command (p. 376)


This book discusses network security on a Microsoft Windows 2000 network, although many of the principles of good security are product independent. It's a technical book, addressing technical issues, but it doesn't lose sight of the fact that security is as much a people problem as a technical one. It's designed to help the administrator to balance security and usability, and to set security criteria that colleagues accept as workable and sensible.

Security technologies are developing rapidly. Public key certificates and dynamic passwords help meet the security needs of the enterprise environment. Remote access over public networks, and Internet access for business-to-business communication, are driving the evolution of security technology. Smart cards are replacing password security where the use of the latter has proven to be problematical, and biometrics (the use of a unique physical characteristic such as a fingerprint or retina scan instead of a PIN) provides a sound basis for account security combined with ease of use. This book covers the new features that Windows 2000 provides to assist the security professional to set up a sound but usable security framework, always remembering that nothing's infallible!

Who the Book Is For

This book is for network professionals, possibly with a Windows NT 4.0, NetWare or Unix background, who are administering or intend to administer Windows 2000 networks, and specifically to set up Windows 2000 security. It would also be of use to technical support personnel and to consultants and designers tasked with developing and setting up security on a network. The book's structure makes it ideal for those who want to learn the facts, carry out the procedures and solve the problems, fast.

The book assumes that readers know how an NT 4 trust works, have come across User Manager for Domains, Server Manager, System Policy Editor and Event Viewer, have a working knowledge of TCP/IP and know the limitations of 10BaseT.

How the Book Is Organized

The first chapter takes a broad-brush approach, introducing the topics that will be described in detail later in the book, and the terms and acronyms that the reader will come across time and time again when implementing Windows 2000 security. The purpose of the chapter is to provide an overview, familiarize the reader with the concepts, and let him or her decide which of the subsequent chapters is of particular interest. This book is about solving problems. Chapter 1 addresses the problem of knowing where to start, what to look for, and where to find it.

Chapter 2 describes Active Directory, which defines the structure of a Windows 2000 network, and provides the means to implement structured, multi-level security zones with a finer granularity of control than was possible with previous Microsoft Windows implementations. The chapter demonstrates how Active Directory can be customized and Access Control Settings configured, and introduces the Microsoft Management Console (MMC) snap-ins that are used to configure and administer all aspects of Windows 2000, including security policies.

Chapter 3 describes group policy, and the methods by which the settings contained in Group Policy Objects (GPOs) can be applied to Active Directory objects such as sites, domains and Organizational Units (OUs). The chapter discusses policy inheritance, how domain-level policies may be enforced or blocked at lower levels in the Active Directory structure, and how security group filtering enables certain administrative tasks to be delegated without compromising overall domain security policy.

Chapter 4 looks at the various Windows 2000 Security Protocols and how these are used. In particular, the chapter highlights Kerberos 5, the Windows 2000 default authentication protocol. The chapter describes how mutual authentication is achieved using a shared secret protocol, and discusses shared keys, session keys, key distribution centers, Kerberos tickets, the ticket granting service, and cross-domain authentication. The principles and practice described in this chapter are central to the entire concept of Windows 2000 security.

In Chapter 5, the problem of unauthorized access to sensitive data is outlined, and the Windows 2000 solution, the Encrypting File System (EFS), is described. EFS is normally invisible to the user, who can access and edit his or her own files in the usual manner, while the files remain inaccessible to any other user. This has its own problems, and the use of recovery agents to retrieve encrypted files is also discussed.

Chapters 6 and 7 are interlinked. The use of public keys, private keys, and security certificates provides strong security when sensitive data is being sent over a hostile environment such as the Internet. Chapter 6 discusses the Windows 2000 public key infrastructure (PKI), the use of the SSL3 protocol to set up a secure Web site, and the use of digital signatures and encryption to protect sensitive e-mail traffic. Chapter 7 discusses certificate authorities (CAs), including Microsoft Certificate Services and third-party CAs such as VeriSign and Thawte. The chapter describes how to set up a CA, how to obtain certificates, and how to set up a certificate revocation list (CRL).

Chapter 8 discusses certificate mapping, which implements certificate-based security for logons over a hostile environment, such as the Internet, and provides a method of authenticating logons by employees of a partner or subsidiary organization who don't have individual accounts in a domain.

Smart cards, discussed in Chapter 9, are rapidly becoming the authentication method of choice, particularly for large organizations that have found password security difficult to manage in the past.

Sensitive data is at its most vulnerable when travelling across a network. While SSL3 encryption can be used by (for example) browsers, it requires applications to be SSL3 aware. Internet Protocol Security (IPSec), discussed in Chapter 10, provides a method, invisible to the user, of securing all network traffic against both outsiders and malicious insiders.

Where traffic passes over a foreign network, such as the Internet, tunneling through Virtual Private Networks (VPNs), discussed in Chapter 11, provides a cost-effective answer to security concerns.

Chapter 12 looks at the tools provided for configuring local security using security templates, editing security parameters, creating new templates, and analyzing security settings.

Finally there's a glossary that lists and explains the technical terms used in the book, and a comprehensive index to enable the reader to search for specific terms and topics, making the use of the book even quicker and more effective.

How the Book Can Be Used

This book can be read through from start to finish, and will give an excellent grounding in Windows 2000 security. However, the reader may feel it's more appropriate to skip around, finding examples and procedures that will help with current tasks or with any problems he or she may encounter. The book is a reference resource, to be used in the way best suited to the reader's needs and experience.
