Although Windows 2000 is not necessarily more secure than previous versions of Windows NT, it does include new security features which can be quite effective if designed and implemented in a thoughtful and thorough way. The following sections discuss the fundamental aspects of Windows 2000 security.
Networks are traditionally divided into two basic types of computers: workstations and servers. One or more servers can handle a variety of tasks for the network: file and printer sharing, administration and security, and other services. Current network operating systems, including Windows 2000, allow the division of these responsibilities between several servers. The following sections discuss the different types of servers and clients that form the baseline of Windows 2000 security.
Windows NT uses domains (groups of servers that share a single security database) as the basic unit of security. Windows 2000 expands this system with Active Directory. In older Windows NT networks, servers could be assigned one of three roles:
- Primary domain controller
The authoritative controller for a domain. Only one PDC can be used per domain, and this is the only server that allows changes to the security database.
- Backup domain controller
One or more backup domain controllers (BDCs) provide redundancy and can be used for authentication. They cannot make changes to the security database.
- Member server
A server that does not act as a domain controller and has its own separate security database.
Windows 2000 still follows this basic system, with one exception: rather than PDCs and BDCs, all Windows 2000 domain controllers act as peers. Any domain controller can be used for authentication, and any controller can be used to make changes to the Active Directory database.
Although Windows 2000 domain controllers act as peers in most respects, certain operations require one server to act as an operations master. There are five separate roles held by operations masters, which may be one server or several different servers:
- Schema master
Acts as the authority for changes to the Active Directory schema (the specification of the object types and properties stored in the Directory). One server per forest acts as the schema master.
- Domain naming master
Manages additions, deletions, and changes to the domains contained within the Active Directory forest. One server per forest acts as domain naming master.
- Relative ID master
Manages the identifiers used to associate objects with containers and allows objects to be moved between containers. One server per domain acts as relative ID master.
- PDC emulator
Emulates a Windows NT 4.0 PDC for compatibility with older systems. One server per domain acts as PDC emulator.
- Infrastructure master
Manages associations between users and groups. One server per domain acts as infrastructure master.
Windows 2000 servers that will be used to share files and printers may require additional consideration in your security design. NTFS security and printer security should be configured to allow access to groups, and users should be assigned to those groups to allow them access.
Often, a Windows 2000 Server is dedicated to a specific application: for example, a database server. The security considerations for these servers depend on the application. Some applications, such as database servers, may have their own security systems separate from that of Windows 2000.
RAS (Remote Access Service) allows users to access Windows 2000 networks by dialing in to modems. RAS requires its own security considerations. RAS security can be configured in two ways:
From the Dial-in property page of each user account’s properties
From the Remote Access Policy settings in the Routing and Remote Access console
Another consideration is the type of authentication used by RAS. The available authentication methods are discussed later in this chapter.
Desktop computers are basic network clients and typically use such operating systems as Windows 95/98/Me or Windows 2000 Professional. You typically control the security of these computers’ activity on the network by managing the user accounts used to log on to the network.
Your security design should specify these settings, as well as basic security measures -- for example, training users to store data in a secure area of the network rather than on a local hard disk.
Portable computers are treated similarly to desktop computers, but introduce additional risks: for example, they can easily be lost or stolen, allowing unauthorized access to their disks and potentially to the network. Your security design should include a plan to deal with these risks.
Kiosks are application-specific computers or terminals. These may include special-purpose machines (such as point-of-sale terminals) as well as ordinary computers that are made available for public use running an application. These should be carefully secured by using a user account with the bare minimum of privileges needed, because they may be open to the public.
When a user logs on, the authentication process verifies the username and password, grants access to the user, and identifies subsequent network activities with the user account. The following sections discuss the various authentication methods used in Windows 2000 networks.
The most basic form of authentication uses clear-text (plain ASCII text) passwords transmitted across the network. This is the least secure method: because passwords are transmitted across the network as text, they are vulnerable to snooping.
Clear-text authentication is not used by any critical Windows 2000 services, but it may be required for certain applications. These include the following:
Windows 9x computers use the LM (LAN Manger) authentication protocol for user authentication. Windows NT and Windows 2000 use a more secure authentication protocol called NTLM . Windows NT and 2000 have to support the older, less secure LM protocol to be compatible with Windows 9x computers. There are a few important differences between LM and NTLM:
LM is not case sensitive; NTLM is, which makes LM passwords exponentially easier to crack.
LM passwords can be cracked seven digits at a time, even for passwords longer than seven digits.
Windows NT and 2000 may store a copy of the NTLM password in the easier-to-crack LM format. If the LM password is cracked, all that needs to be done to crack the corresponding NTLM password is to try changing the case of letters in the LM password.
Windows 2000 introduces Kerberos authentication, a new system that can be used instead of NTLM if both clients and servers are running Windows 2000 and are configured to use Kerberos. Kerberos is based on RFC 1510. When a client attempts to log on to the network in this system, the following process occurs:
The client encrypts the current time using the password entered and sends a packet containing the result and the user ID to the authenticating server.
The server looks up the user in the Active Directory database and uses the key stored with the user to encrypt the time. If the result matches the client’s result, access is allowed.
When the user attempts to access a file or printer, a session key is sent if the client is allowed access. This enables the client to access that resource without further authentication until logout.
Digest authentication is an alternate means of authenticating users accessing resources on Internet Information Server (IIS). Normally, users trying to access protected files on IIS must have a user account on either IIS itself or another server that IIS has a trust relationship with.
There are many security issues both with the standard Windows authentication and with digest authentication. Neither IIS nor Windows (any version) has a reputation of having impenetrable security, so you’ll usually have to balance security, convenience, and interoperability when designing a networking solution. There are pros and cons to both types of IIS authentication:
Standard Windows authentication transmits passwords as clear text. This makes them especially vulnerable to capture on an Ethernet network.
Digest authentication doesn’t send passwords as clear text, but it requires the server to permit the use of passwords that can’t be encrypted.
There are a few things to check to make sure that the domain controller and user accounts are set up to work with digest authentication:
Users won’t be able to use digest authentication until they have changed their passwords. Digest authentication can be set up with Windows 2000 and IIS 5.0 by using the following steps:
In the Microsoft Management Console, choose either the IIS or Computer Management Console.
Right click on the IIS tree for the whole server or the specific web site you want to use digest authentication with.
Choose Properties, select the Server tab, and click the Edit button.
Select the Directory Security tab and click the Edit button under the Anonymous Access and Authentication Control.
Choose Digest Authentication for Windows Domain Servers and click OK.
Smart cards are credit card-sized devices with enough storage to contain numerous encryption and authentication keys, as well as encrypted data. For example, the encryption key used to store EFS files can actually be stored on the smart card, so that files cannot be decrypted without it. Smart cards are meant to address some of the inherent security limitations of the traditional username/password, but there are also drawbacks. The physical card and a personal identification number (PIN) are used together for identification, just as the username and password are used together. Table 33-1 addresses some of the advantages of smart cards.
Table 33-1. Smart Cards Versus Usernames and Passwords
|
Issue |
Smart Card |
Username and Password |
|---|---|---|
|
Stolen identification |
The PIN is useless without the card. |
Account is compromised in most cases. |
|
Temptation to write the password down |
Because the PIN is usually a lot shorter than a good password and is usually never changed, most people will memorize the PIN. |
If you enforce a strong password policy of random numbers, letters, and symbols changed on a regular basis, many people will write down their passwords. |
|
Loss of card/forgotten password |
It’s more difficult and expensive to issue a new card than to look up a user’s password. |
Passwords can be easily reset or given to users if forgotten. |
|
Cost |
More expensive and needs physical equipment and special software. |
Included in Windows 2000; no special hardware or software is needed. |
Smart cards don’t have to be deployed as the only means of authentication on a network. You can use smart cards for only those resources that require additional security and continue to use usernames and passwords in other areas.
The first thing you should do before proceeding in implementing a smart card authentication system is map out which resources would be more secure in a smart card environment. After you determine where they will be used and who will use them, you can figure out how much equipment you need to buy.
Once you have the physical equipment (the smart cards and the smart card readers), you can get started with converting some or all computers to require smart card authentication. There a few steps you’ll need to do in order to get the system up and running:
Install Microsoft Certificate Services and set up a certificate authority (CA).
Use the CA to issue certificates and configure the level of security needed for each location.
Issue the physical cards and install the readers on the appropriate machines. Be sure to set up a PIN for each card.
Test each location and card to be sure they are all working properly.
The RADIUS client-server authentication protocol is commonly used by Internet Service Providers to authenticate incoming connections. RADIUS is an acronym for Remote Authentication Dial-In User Service and is often used in conjunction with other authentication protocols, such as Point-to-Point Protocol (PPP).
As with Kerberos, Microsoft has its own implementation of RADIUS that differs slightly from the standard. The most significant difference is that the Microsoft version, called Internet Authentication Service (IAS), uses Active Directory to authenticate users.
You won’t need to memorize each step of the authentication process for the exam, but you should be familiar with the basic process that happens during authentication. Following is a list of the steps involved with IAS authentication on a Windows 2000 RAS server:
When the remote user either dials in (via PPP) or attempts to connect via a virtual private network (VPN), the RAS server sends a RADIUS Access Request packet to the IAS server.
The IAS server tries to find the user account in Active Directory. If found, and if the user’s permissions are valid for that type of connection, the IAS server sends an Access-Accept packet to the RAS server. Otherwise, the connection is terminated.
To determine the level of access granted to the user, the RAS server uses permissions information that was included in the Access-Accept packet.
The RAS server sends an Accounting-Start packet to the IAS server, requesting it to monitor the connection. This continues until the session is disconnected and the RAS server sends an Accounting-Stop packet.
A few options will cause this list of steps to vary. If at any time the RAS server doesn’t receive a response from the IAS server, the RAS server will automatically try to connect to a backup IAS server. Also, the RAS server will attempt to connect the user with the most secure protocol possible. Its first choice is Extensible Authentication Protocol (EAP), which can be used with smart cards and certificates, MS-CHAP, CHAP, and PAP.
Certificates are documents that include identification and a public key used for encryption. These provide a more secure method of authentication than basic authentication methods, such as Kerberos. Certificates are discussed further in the next section of this chapter.
SSL (Secure Sockets Layer) is an encrypted protocol used to access secure web documents. IIS supports SSL with compatible browsers. SSL uses public-key encryption, using certificates granted by a certificate authority.
Despite Microsoft’s positioning of Windows 2000 as the answer to all networking questions, many networks still include non-Windows systems. Your security design should include policies for these systems. The following are third-party systems supported by Windows 2000:
The current AppleTalk protocol allows Macintosh clients to access Windows 2000 shares without the need for File Services for Macintosh. Further interoperability is made possible with Print Services for Macintosh.
NetWare servers are supported by Microsoft Services for NetWare.
Unix computers can be interconnected using Microsoft Services for Unix and for such Unix-based systems as Samba.
IBM mainframe and mini (AS/400) computers are supported by SNA Server 4.0.
Windows 2000 uses Kerberos for most authentication duties, as long as it’s supported by both parties. In the case of a mixed-mode environment, where there are both Windows 2000 and Windows NT computers, NTLM authentication can be used.
Although Kerberos is more secure than NTLM, certificate-based authentication is even more secure, and it can be used by many operating systems and within several third-party programs. To use certificates, there has to be a certificateauthority to issue them. You can create a certificate authority on your own local network or use a third-party certificate authority, like VeriSign. In either case, you’ll have to plan ahead to make sure that you design a system that actually works with no loopholes.
Certificate-based authentication uses private and public keys for the verification of identity. Public and private keys always come in matching pairs. Data encrypted with the public key can only be decrypted by the matching private key. Certificate authorities use a special private key called a root key . Root keys are combined with a user’s public key to make a certificate. Keys are discussed in more detail in Section 33.3 later in this chapter.
A certificate authority verifies the identity of users and issues certificates using a key-based system. Windows 2000 comes with Certificate Services, which can be used for issuing certificates. It’s also used to help manage EFS encryption and smart card authentication. The use of certificate services allows you to become your own certificate authority. Assuming you’re logged with an administrator account, you can install certificate services by performing the following steps:
Choose Start → Settings → Control Panel.
Double click on Add/Remove Programs.
On the Windows Components tab, click the Components button.
Select Certificate Services, click Yes to acknowledge the name change warning, and then click the Next button.
Choose the type of root certificate server and click the Next button.
Fill in the required identification information and click the Next button.
Choose a secure area for the data storage location and click the Next button.
After the required files are copied and verified, click the Finish button.
Most large organizations will need more than one server to handle all the certificate traffic. Certificate authority servers are arranged in a trust hierarchy, with a root certificate authority being the master. Certificate Services allows the following CA server roles:
- Enterprise root CA
If you are using Active Directory, this is the master CA. It issues the certificates for the enterprise subordinate CA servers, so its security must not be compromised. Otherwise, your whole certificate system can be compromised by hijacked or impersonated CA servers. The enterprise root CA requires both Active Directory and Windows 2000 DNS.
- Standalone root CA
If you’re not using Active Directory, this is the master CA. It issues the certificates for the standalone subordinate CA servers, so its security must not be compromised. Otherwise, your whole certificate system can be compromised by hijacked or impersonated CA servers.
- Enterprise subordinate CA
Receives its authorization certificate from the enterprise root CA and can issue certificates to users. An enterprise root CA can be responsible for many enterprise subordinate CA servers.
- Standalone subordinate CA
Receives its authorization from the standalone root CA or another standalone subordinate CA. It can issue certificates to users or issue a certificate to authorize other standalone subordinate CA servers.
Certificates can be managed using the Microsoft Management Console (MMC). Some certificates will have a time limit and expire automatically; on occasion, a certificate may even have to be revoked. The CA server handles most of the certificate issuing and expiring by itself, and a certificate revocation list (CRL) is published periodically by the CA.
The easiest way to manage a large number of certificates is by creating policies and templates. You’ll need to create a public key policy to allow computers to automatically receive certificates from a CA. You can do this by using the following steps:
Start the Active Directory Users and Computers snap-in.
Choose the Organizational Unit for the computer you want to authorize and open its properties.
Choose Group Policy and click the New button. Select Edit to edit the current policy. The Group Policy dialog is displayed, as shown in Figure 33-1.
Browse to the Public Key Policies folder and right-click on Automatic Certificate Request Settings.
Choose New, then choose Automatic Certificate Request and click the Next button.
Choose the computer you want to authorize, assign it a CA, and click the Finish button.
Follow those steps for all the computers you want to authorize. If you ever need to check to see if a certificate was processed, you can look at all the pending certificate requests in the certification authority snap-in of the MMC. There is a pending requests folder that lists all the requests that have not been processed yet. If a requested certificate isn’t in the pending folder, it should be in either the issued or revoked folder, both of which are located in the same place as the pending folder.
Outside users or groups of users, connecting from another domain or another Active Directory, can be authenticated with the use of certificates, but the outside certificate must be linked to an actual user account in the local Active Directory. This mapping is required to allow Windows 2000 to employ its native user management security while also having the additional security of a certificate issued by a trusted CA.
There a few different ways to map certificates, depending on how many people you want to authorize and the level of monitoring required. Table 33-2 lists the different certificate mapping options.
Table 33-2. Mapping Certificates
|
Name |
Relationship |
Description |
|---|---|---|
|
Standard |
One-to-one |
One certificate is mapped to one account. |
|
Use Issuer for Alternate Security Identity |
Many-to-one |
All certificates for a given CA are mapped to a given account. |
|
Use Subject for Alternate Security Identity |
Many-to-one |
All certificates with the same subject (purpose) are mapped to a given account. |
Some companies need to have a very high level of security, and some companies don’t have the personnel needed to manage the certificate process efficiently. If you don’t have the resources or time to securely manage certificates, you can hire an outside organization to handle your certificates. In any case, you can outsource the CA process.
Although Windows 2000 can work with outside certificate authorities, many of the tools and options are unavailable when you use an outside certificate authority. One example is that computer certificates cannot be automatically granted or renewed. Another is that smart card certificates must be issued from a CA within its own Active Directory.
If an outside company is used as the certificate authority, you also risk that the company can go out of business or have a catastrophic security failure. Also, the reason you have certificates in the first place is to have a higher level of security. If your company’s business plan is dependent on keeping information private, keep in mind that with an outside certificate authority another company is potentially holding the keys to your network.