Configuring Windows 2000 Server Security

CONFIGURING WINDOWS 2000 SERVER SECURITY
by Thomas W. Shinder, Debra Littlejohn Shinder, D. Lynn White
Technical Editor: Stace Cunningham

“Essential reading for your IT Security Organization.”
- Deena Joyce, Director of Information Technology and Network Security,
Casino
Magic

= = = = = = = = =

INCLUDES:

FREE MONTHLY TECHNOLOGY UPDATES
ONE YEAR VENDOR PRODUCT UPGRADE PROTECTION PLAN
FREE MEMBERSHIP TO ACCESS.GLOBALKNOWLEDGE

= = = = = = = = =

FROM THE PREFACE

“Security. What comes to your mind when you hear the word? Do you
think of
the person standing in the dark alley who wants to harm you as you walk by? Or
do you think about whether your house will be safe while you are on vacation?
These two answers are typical of what you would probably hear if you asked this
question of the “man on the street.” However, ask network manager or network
administrators the same question, and you will probably see them start sweating
profusely as they wonder whether any unauthorized people are currently sneaking
through their networks. They start wondering whether they have sealed up all the
possible openings that would allow an unauthorized person into one of their
organizations’ most critical resources: the computer network.

“Security has always been important to computer networks, but the
network
landscape has changed immensely over the last several years, with the public
swarming in droves to the Internet, organizations hooking their private networks to
the Internet, and the burgeoning effect of electronic commerce. Organizations must
make every effort possible to protect their data (such as new product information),
their business partners’ data (such as confidential agreements), and their
customers’ data (such as credit card information).

“There are now many “script kiddies” on the Internet, since the public has
unprecedented access to the Internet, unlike the old days, when only researchers
and scientists utilized ARPANET. The “script kiddies” can easily find the
information they seek, since it is freely available on underground Web sites. No
longer do they need an in-depth knowledge of programming languages and Unix.
They can simply download executable programs to help them work their way into
an organization’s network, or at least a portion of it.

“What can network managers and network administrators do about this
threat
to their organizations’ networks? Convince their management to cut all ties to the
Internet? I doubt that is going to happen; networks are strategic to organizations’
achieving their goals, as well as allowing them to maintain a competitive edge in
some circumstances. Should they switch from the operating system they are
using to a different operating system? Not really; all operating systems have
security vulnerabilities, regardless of what the operating system zealots say. The
only secure computer is the one that is not powered on, and that is locked in a
room with no windows! Managers and administrators must make sure to take every
precaution they can to ensure the security of their networks.

“Securing an organization’s network has been made easier with the
enhanced
security present in Windows 2000 Server. Don’t get me wrong; Windows 2000
Server greatly enhances the security available for a Windows-based network, but
Microsoft cannot allow it to become stagnant. For example, the key size used for
the Encrypting File System (EFS) must increase as technology advances. This is
necessary to protect the integrity of the information being protected by EFS. Also,
just because an organization rolls Windows 2000 Server out enterprise-wide, this
does not mean that it is now secure. Network managers and network
administrators must actively implement the security measures within Windows
2000 Server correctly for their particular organizations. Implementation must be
carefully considered, and this is why a network security plan is extremely
important. I cannot stress enough the importance of the network security plan. I
can imagine that Windows 2000 Server will probably receive some bad press from
organizations that do not take the time to properly develop a network security plan,
instead implementing it willy-nilly and then having it blow up in their faces. Imagine
an organization setting an IPSec policy that doesn’t allow any traffic from a
particular subnet through to another subnet, even though that is not what DW, the
network manager, wanted. However, DW didn’t know what Robert, the network
administrator, was doing since they did not have a network security plan. The
cause has to be that Windows 2000 is buggy, not that they didn’t have a plan for
implementing IPSec in their organization.

ORGANIZATION

“The book starts with a chapter on the security migration path for Windows
2000 Server and moves on to Chapter 2, which examines the default access
control settings. Chapters 3 through 9 deal with specific portions of the new
security features present in the operating system. Chapter 10 provides a Security
Fast Track to Windows 2000.

“Chapter 1. Provides a brief overview of Windows 2000 Server security.
Examines the problems and limitations of Windows 2000 Server security as well
as considerations for upgrading and migrating. Discusses the network security
plan.

“Chapter 2. Discusses the Access Control Settings for both the file
system and
registry that are configured during Windows 2000 Server setup. The chapter also
discusses the default user rights and group memberships for the different built-in
groups.

“Chapter 3. Provides an overview and history of the Kerberos protocol and
also
details the use of Kerberos within Windows 2000 Server.

“Chapter 4. Covers Windows 2000 Distributed Security Services, including
Active Directory and security, multiple security protocols, enterprise and Internet
Single Sign-on, Internet security, and interbusiness access for distributed partners.

“Chapter 5. Provides a look into the Security Configuration tool set
available for
use in Windows 2000. Aspects covered include configuring security, analyzing
security, group policy integration, and using the available tools.

“Chapter 6. Discusses the Encrypting File System, starting with using
EFS,
moves on to user operations, and concludes with a look into the architecture that
makes up EFS.

“Chapter 7. The discussion of IPSec includes an overview of several
methods
used to break into networks, the architecture of IPSec, and concludes with
information on deploying Windows IPSec in the organization. This chapter includes
a walkthrough exercise.

“Chapter 8. Provides a look into the use of smart cards in Windows 2000
including the interoperability, smart card base components, and enhanced
solutions.

“Chapter 9. A discussion of the concepts of Public Key Infrastructure (PKI)
is
followed by a look at the components in Windows 2000 PKI, including certificate
authorities, enabling domain clients, and public key security policy. The chapter
concludes with an applications overview and instructions for preparing for Windows
2000 PKI.

“Chapter 10. Provides a fast-track look at Windows 2000 security and why
you
need to know about it. The chapter includes a historical perspective of Windows
NT security as well as information on important features or design changes
implemented in Windows 2000.

AUDIENCE

“This book is intended primarily for network managers and network
administrators who are responsible for implementing security in Windows 2000
environments. However, the book is also useful for people that are interested in
knowing more about the new security features available in Windows 2000 Server.
The book is designed to be read starting with Chapter 1 and ending with Chapter
10. Readers who want a quick understanding of the information contained in the
book can read Chapter 10 first.

= = = = = = = = =

CONTENTS

CHAPTER 1 THE WINDOWS 2000 SERVER SECURITY MIGRATION PATH
Brief Overview of Windows 2000 Server Security
Windows 2000 Server Security White Paper
Why the Change?
Differences in Windows 2000 Server Security
Problems with and Limitations
What Is the Same?
Upgrading/Migrating Considerations
Network Security Plan
How to Begin the Process
Getting Started
Issues to Present to Your Manager
Proper Analysis
Timing
Cost
Resources
Summary
FAQs

CHAPTER 2 DEFAULT ACCESS CONTROL SETTINGS
Introduction
Administrators Group
Users Group
Power Users Group
Configuring Security During Windows 2000 Setup
Default File System and Registry Permissions
Default User Rights
Default Group Membership
Summary
FAQs

CHAPTER 3 KERBEROS SERVER AUTHENTICATION
Introduction
Authentication in Windows 2000
Benefits of Kerberos Authentication
Standards for Kerberos Authentication
Extensions to the Kerberos Protocol
Overview of the Kerberos Protocol
Basic Concepts
Authenticators
Key Distribution Center
Session Tickets
Ticket-Granting Tickets
Services Provided by the Key Distribution Center
Subprotocols
AS Exchange
TGS Exchange
CS Exchange
Option Flags for KRB_AS_REQ and _KRB_TGS_REQ Messages
Tickets
Proxy Tickets and Forwarded Tickets
Kerberos and Windows 2000
Key Distribution Center
Kerberos Policy
Contents of a Microsoft Kerberos Ticket
Delegation of Authentication
Preauthentication
Security Support Providers
Credentials Cache
DNS Name Resolution
UDP and TCP Ports
Authorization Data
KDC and Authorization Data
Services and Authorization Data
Summary
FAQs

CHAPTER 4 SECURE NETWORKING USING WINDOWS 2000 DISTRIBUTED
SECURITY SERVICES
Introduction
The Way We Were: Security in NT
A Whole New World: Distributed Security in Windows 2000
Distributed Services
Open Standards
Windows 2000 Distributed Security Services
Active Directory and Security
Advantages of Active Directory Account Management
Managing Security via Object Properties
Managing Security via Group Memberships
Active Directory Object Permissions
Relationship between Directory and Security Services
Domain Trust Relationships
Delegation of Administration
Fine-Grain Access Rights
Inheritance of Access Rights
Multiple Security Protocols
NTLM Credentials
Kerberos Credentials
Getting a Ticket to Ride
Private/Public Key Pairs and Certificates
Other Supported Protocols
Enterprise and Internet Single Sign-on
Security Support Provider Interface
Internet Security for Windows 2000
Client Authentication with SSL 3.0
Authentication of External Users
Microsoft Certificate Services
CryptoAPI
Interbusiness Access: Distributed Partners
Summary
FAQs

CHAPTER 5 SECURITY CONFIGURATION TOOL SET
Introduction
Security Configuration Tool Set Overview
Security Configuration Tool Set Components
Security Configuration and Analysis Snap-in
Security Setting Extensions to Group Policy
Security Templates
The secedit.exe Command Line Tool
Security Configurations
Security Configuration and Analysis Database
Security Configuration and Analysis Areas
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Security Configuration Tool Set User Interfaces
Security Configuration and Analysis Snap-in
The Security Settings Extension to the Group Policy
Editor
The secedit.exe Command Line Tool
Configuring Security
Account Policies
Local Policies and Event Log
Event Log
Restricted Groups
Registry Security
File System Security
System Services Security
Analyzing Security
Account and Local Policies
Restricted Group Management
Registry Security
File System Security
System Services Security
Group Policy Integration
Security Configuration in Group Policy Objects
Additional Security Policies
Using the Tools
Using the Security Configuration and Analysis Snap-in
Using Security Settings Extension to Group Policy Editor
Summary
FAQs

CHAPTER 6 ENCRYPTING FILE SYSTEM FOR WINDOWS 2000
Introduction
Using an Encrypting File System
Encryption Fundamentals
How EFS Works
User Operations
File Encryption
Assessing an Encrypted File
Copying an Encrypted File
COPY Command
Moving or Renaming an Encrypted File
Decrypting a File
Cipher Utility
Directory Encryption
Recovery Operations
EFS Architecture
EFS Components
The Encryption Process
The EFS File Information
The Decryption Process
Summary

CHAPTER 7 IP SECURITY FOR MICROSOFT WINDOWS 2000 SERVER
Introduction
Network Encroachment Methodologies
Snooping
Spoofing
TCP/IP Sequence Number Attack
Password Compromise
Denial of Service Attacks
TCP SYN Attack
SMURF Attack
Teardrop Attack
Ping of Death
Man-in-the-Middle Attacks
Application-Directed Attacks
Compromised Key Attacks
IPSec Architecture
Overview of IPSec Cryptographic Services
Message Integrity
Message Authentication
Confidentiality
IPSec Security Services
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Security Associations and IPSec Key Management Procedure
IPSec Key Management
Deploying Windows IP Security
Evaluating Information
Evaluating the “Enemy”
Determining Required Security Levels
Building Security Policies with Customized
Building an IPSec MMC
Flexible Security Policies
Rules
Flexible Negotiation Policies
Filters
Creating a Security Policy
Making the Rule
Compatibility Notes
Summary
FAQs

CHAPTER 8 SMART CARDS
Introduction
Interoperability
ISO 7816, EMV, and GSM
PC/SC Workgroup
The Microsoft Approach
A Standard Model for Interfacing Smart Card _readers and
Cards with
PCs
Device-Independent APIs for Enabling Smart-Card-Aware
Applications
Integration with Various Microsoft Platforms
Smart Card Base Components
Service Providers
Cryptographic Service Providers
Smart Card Service Providers
Cards
Resource Manager
Enhanced Solutions
Client Authentication
Public-Key Interactive Logon
Smart Card Reader Installation
Smart Card Certificate Enrollment
Smart Card Logon
Secure E-Mail
Summary
FAQs

CHAPTER 9 MICROSOFT WINDOWS 2000 PUBLIC KEY INFRASTRUCTURE
Introduction
Concepts
Public Key Cryptography
Public Key Functionality
Digital Signatures
Authentication
Secret Key Agreement via Public Key
Bulk Data Encryption without
Protecting and Trusting Cryptographic Keys
Certificates
Certificate Authorities
Certificate Types
Trust and Validation
Windows 2000 PKI Components
Certificate Authorities
Certificate Hierarchies
Deploying an Enterprise CA
Trust in Multiple CA Hierarchies
Enabling Domain Clients
Generating Keys
Key Recovery
Certificate Enrollment
Renewal
Using Keys and Certificates
Roaming
Revocation
Trust
PK Security Policy in Windows 2000
Trusted CA Roots
Certificate Enrollment and Renewal
Smart Card Logon
Applications Overview
Web Security
Secure E-mail
Digitally-Signed Content
Encrypting File System
SmartCard Logon
IP Security (IPSec)
Preparing for Windows 2000 PKI
Summary
FAQs

CHAPTER 10 WINDOWS 2000 SERVER SECURITY FAST TRACK
Introduction
What Is Windows 2000 Server Security, and Why Do You Need to Know
About
It?
How Do You Spell “Security”?
Authentication
Authorization
Privacy
Integrity
Auditability
The Component Security Model
Bringing It All Together: A Security Policy
The Historical Perspective: A Review of
Authentication
Authorization
Privacy
Integrity
Auditability
Important Features or Design Changes
Industries and Companies Affected by Windows 2000 Security
Advantages and Disadvantages
Advantages of Windows 2000 Server Security
Problems with Windows 2000 Server Security
Windows 2000 and Security
FAQs

= = = = = = = = =

CONTRIBUTORS

“STACE CUNNINGHAM (CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I,
CLSA,
MCPS, A+) is a Systems Engineer with SDC Consulting located in Biloxi, MS. He
was an instrumental force in the design, engineering, and implementation of an
enterprise network consisting of 12,000 nodes.

“Stace received his MCSE in 1996 and is also certified as a Certified
Cisco
Network Associate, IBM Certified Lan Server Engineer, IBM Certified OS/2
Engineer, IBM Certified Lan Server Administrator, Microsoft Certified Product
Specialist, IBM Certified Lan Server Instructor, IBM Certified OS/2 Instructor, and
also through the A+ Certification Program.
Network security and operating system security have always intrigued Stace, so
he has constantly stayed on top of the changes in this ever-evolving field,
beginning at the time that he held the positions of Network Security Officer and
Computer Systems Security Officer while serving in the U.S. Air Force. He also
was an active contributor to The SANS Institute booklet “Windows NT Security
Step by Step.” Stace has been working with Windows 2000 since Microsoft
released the first beta and is pleased to see the new security features present in
the operating system.
Stace has participated as a Technical Contributor for the IIS 3.0 exam, SMS 1.2
exam, Proxy Server 1.0 exam, Exchange Server 5.0 and 5.5 exams, Proxy Server
2.0 exam, IIS 4.0 exam, IEAK exam, and the revised Windows 95 exam. In
addition, he has coauthored 16 books published by Microsoft Press,
Osborne/McGraw-Hill, and Syngress Media as well as being technical reviewer for
several books published by these companies.

“His wife, Martha, and daughter, Marissa, are supportive of his work and
tolerant of the time he spends on the network of computers located in the family
home. Without their love and support he would not be able to accomplish the goals
he has set for himself.

- - - - - - - - -
-

“GARRICK OLSEN (A+, Network+, MCP+I, MCSE+I, CNE) currently
works for
MicroAge in Anchorage, AL, as a Network Technician. He has been using
computers since he was eight years old and is completely self-taught. He obtained
his A+, Network+, MCP+Internet, MCSE+Internet, and CNE before the age of 20
and enjoys computers and snowmachining.

- - - - - - - - -
-

“DEBRA LITTLEJOHN SHINDER (MCSE, MCP+I, MCT) is an instructor in
the
AATP program at Eastfield College, Dallas County Community College District,
where she has taught since 1992. She is Webmaster for the cities of Seagoville
and Sunnyvale, TX, as well as the family Web site at www.shinder.net. She and
her husband, Dr. Thomas W. Shinder, provide consulting and technical support
services to Dallas-area organizations. She is also the proud mom of a daughter,
Kristen, who is currently serving in the U.S. Navy in Italy, and a son, Kris, who is a
high school chess champion. Deb has been a writer for most her life, and has
published numerous articles in both technical and nontechnical fields.

- - - - - - - - -
-

“THOMAS W. SHINDER, M.D. (MCSE, MCP+I, MCT), is a technology
trainer
and consultant in the Dallas-Ft. Worth metroplex. Dr. Shinder has consulted with
major firms including Xerox, Lucent Technologies, and FINA Oil, assisting in the
development and implementation of IP-based communications strategies. Dr.
Shinder attended medical school at the University of Illinois in Chicago, and trained
in Neurology at the Oregon Health Sciences Center in Portland, OR. His
fascination with interneuronal communication ultimately melded with his interest in
internetworking and led him to take down his shingle and focus on systems
engineering. Tom works passionately with his beloved wife, Deb Shinder, to design
elegant and cost-efficient solutions for small and medium-sized businesses based
on Windows NT/2000 platforms.

- - - - - - - - -
-

“BRIAN M. COLLINS (MCNE, CNI, MCSE, MCT, CTT) is a technical
trainer for
Network Appliance Inc (NASDAQ: NTAP), a premier provider of Network Attached
Storage, as well as a consultant and trainer through his own company, Collins
Network Engineering. Brian is an 18-year veteran of technology industries and has
worked as a network engineer, trainer, software developer, and consultant for
government, Fortune 500 companies, and small business. His hobbies include
hiking, golf, and operating systems. Brian lives in the redwood forest of Boulder
Creek, CA, 30 miles from California’s Silicon Valley.

- - - - - - - - -
-

“D. LYNN WHITE (MCPS, MCSE, MCT, MCP+I) is president of
Independent
Network Consultants, Inc. Lynn has more than 14 years’ experience in
programming and networking. She has been a system manager in the mainframe
environment as well as a software developer for a process control company. She is
a technical author, editor, trainer, and consultant in the field of networking and
computer-related technologies. Lynn has been presenting mainframe,
Microsoft-official curriculum and other networking courses in and outside the
United States for more than 12 years.”

= = = = = = = = =

2000, 400 pages. Order #DR546.

The Disaster Center Bookstore

Info, Network Security, Info Protection

Disaster Center Bookstore-a service of Rothstein Associates