Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
CONFIGURING WINDOWS 2000 SERVER SECURITY
by Thomas W. Shinder, Debra Littlejohn Shinder, D. Lynn White
Technical Editor: Stace Cunningham

“Essential reading for your IT Security Organization.”
- Deena Joyce, Director of Information Technology and Network Security, Casino Magic

= = = = = = = = =

INCLUDES:
FREE MONTHLY TECHNOLOGY UPDATES
ONE YEAR VENDOR PRODUCT UPGRADE PROTECTION PLAN
FREE MEMBERSHIP TO ACCESS.GLOBALKNOWLEDGE

= = = = = = = = =

FROM THE PREFACE

“Security. What comes to your mind when you hear the word? Do you think of the person standing in the dark alley who wants to harm you as you walk by? Or do you think about whether your house will be safe while you are on vacation? These two answers are typical of what you would probably hear if you asked this question of the “man on the street.” However, ask network managers or network administrators the same question, and you will probably see them start sweating profusely as they wonder whether any unauthorized people are currently sneaking through their networks. They start wondering whether they have sealed up all the possible openings that would allow an unauthorized person into one of their organizations’ most critical resources: the computer network.

“Security has always been important to computer networks, but the network landscape has changed immensely over the last several years, with the public swarming in droves to the Internet, organizations hooking their private networks to the Internet, and the burgeoning effect of electronic commerce. Organizations must make every effort possible to protect their data (such as new product information), their business partners’ data (such as confidential agreements), and their customers’ data (such as credit card information).

“There are now many “script kiddies” on the Internet, since the public has unprecedented access to the Internet, unlike the old days, when only researchers and scientists utilized ARPANET. The “script kiddies” can easily find the information they seek, since it is freely available on underground Web sites. No longer do they need an in-depth knowledge of programming languages and Unix. They can simply download executable programs to help them work their way into an organization’s network, or at least a portion of it.

“What can network managers and network administrators do about this threat to their organizations’ networks? Convince their management to cut all ties to the Internet? I doubt that is going to happen; networks are strategic to organizations’ achieving their goals, as well as allowing them to maintain a competitive edge in some circumstances. Should they switch from the operating system they are using to a different operating system? Not really; all operating systems have security vulnerabilities, regardless of what the operating system zealots say. The only secure computer is the one that is not powered on, and that is locked in a room with no windows! Managers and administrators must make sure to take every precaution they can to ensure the security of their networks.

“Securing an organization’s network has been made easier with the enhanced security present in Windows 2000 Server. Don’t get me wrong; Windows 2000 Server greatly enhances the security available for a Windows-based network, but Microsoft cannot allow it to become stagnant. For example, the key size used for the Encrypting File System (EFS) must increase as technology advances. This is necessary to protect the integrity of the information being protected by EFS. Also, just because an organization rolls Windows 2000 Server out enterprise-wide, this does not mean that it is now secure. Network managers and network administrators must actively implement the security measures within Windows 2000 Server correctly for their particular organizations. Implementation must be carefully considered, and this is why a network security plan is extremely important. I cannot stress enough the importance of the network security plan. I can imagine that Windows 2000 Server will probably receive some bad press from organizations that do not take the time to properly develop a network security plan, instead implementing it willy-nilly and then having it blow up in their faces. Imagine an organization setting an IPSec policy that doesn’t allow any traffic from a particular subnet through to another subnet, even though that is not what DW, the network manager, wanted. However, DW didn’t know what Robert, the network administrator, was doing since they did not have a network security plan. The cause has to be that Windows 2000 is buggy, not that they didn’t have a plan for implementing IPSec in their organization.

ORGANIZATION

“The book starts with a chapter on the security migration path for Windows 2000 Server and moves on to Chapter 2, which examines the default access control settings. Chapters 3 through 9 deal with specific portions of the new security features present in the operating system. Chapter 10 provides a Security Fast Track to Windows 2000.

“Chapter 1. Provides a brief overview of Windows 2000 Server security. Examines the problems and limitations of Windows 2000 Server security as well as considerations for upgrading and migrating. Discusses the network security plan.

“Chapter 2. Discusses the Access Control Settings for both the file system and registry that are configured during Windows 2000 Server setup. The chapter also discusses the default user rights and group memberships for the different built-in groups.

“Chapter 3. Provides an overview and history of the Kerberos protocol and also details the use of Kerberos within Windows 2000 Server.

“Chapter 4. Covers Windows 2000 Distributed Security Services, including Active Directory and security, multiple security protocols, enterprise and Internet Single Sign-on, Internet security, and interbusiness access for distributed partners.

“Chapter 5. Provides a look into the Security Configuration tool set available for use in Windows 2000. Aspects covered include configuring security, analyzing security, group policy integration, and using the available tools.

“Chapter 6. Discusses the Encrypting File System, starting with using EFS, moves on to user operations, and concludes with a look into the architecture that makes up EFS.

“Chapter 7. The discussion of IPSec includes an overview of several methods used to break into networks, the architecture of IPSec, and concludes with information on deploying Windows IPSec in the organization. This chapter includes a walkthrough exercise.

“Chapter 8. Provides a look into the use of smart cards in Windows 2000 including the interoperability, smart card base components, and enhanced solutions.

“Chapter 9. A discussion of the concepts of Public Key Infrastructure (PKI) is followed by a look at the components in Windows 2000 PKI, including certificate authorities, enabling domain clients, and public key security policy. The chapter concludes with an applications overview and instructions for preparing for Windows 2000 PKI.

“Chapter 10. Provides a fast-track look at Windows 2000 security and why you need to know about it. The chapter includes a historical perspective of Windows NT security as well as information on important features or design changes implemented in Windows 2000.

AUDIENCE

“This book is intended primarily for network managers and network administrators who are responsible for implementing security in Windows 2000 environments. However, the book is also useful for people that are interested in knowing more about the new security features available in Windows 2000 Server. The book is designed to be read starting with Chapter 1 and ending with Chapter 10. Readers who want a quick understanding of the information contained in the book can read Chapter 10 first.

= = = = = = = = =

CONTENTS

CHAPTER 1 THE WINDOWS 2000 SERVER SECURITY MIGRATION PATH
Brief Overview of Windows 2000 Server Security Windows 2000 Server Security White Paper Why the Change? Differences in Windows 2000 Server Security Problems with and Limitations What Is the Same? Upgrading/Migrating Considerations Network Security Plan How to Begin the Process Getting Started Issues to Present to Your Manager Proper Analysis Timing Cost Resources Summary FAQs

CHAPTER 2 DEFAULT ACCESS CONTROL SETTINGS
Introduction Administrators Group Users Group Power Users Group Configuring Security During Windows 2000 Setup Default File System and Registry Permissions Default User Rights Default Group Membership Summary FAQs

CHAPTER 3 KERBEROS SERVER AUTHENTICATION
Introduction Authentication in Windows 2000 Benefits of Kerberos Authentication Standards for Kerberos Authentication Extensions to the Kerberos Protocol Overview of the Kerberos Protocol Basic Concepts Authenticators Key Distribution Center Session Tickets Ticket-Granting Tickets Services Provided by the Key Distribution Center Subprotocols AS Exchange TGS Exchange CS Exchange Option Flags for KRB_AS_REQ and KRB_TGS_REQ Messages Tickets Proxy Tickets and Forwarded Tickets Kerberos and Windows 2000 Key Distribution Center Kerberos Policy Contents of a Microsoft Kerberos Ticket Delegation of Authentication Preauthentication Security Support Providers Credentials Cache DNS Name Resolution UDP and TCP Ports Authorization Data KDC and Authorization Data Services and Authorization Data Summary FAQs

CHAPTER 4 SECURE NETWORKING USING WINDOWS 2000 DISTRIBUTED SECURITY SERVICES
Introduction The Way We Were: Security in NT A Whole New World: Distributed Security in Windows 2000 Distributed Services Open Standards Windows 2000 Distributed Security Services Active Directory and Security Advantages of Active Directory Account Management Managing Security via Object Properties Managing Security via Group Memberships Active Directory Object Permissions Relationship between Directory and Security Services Domain Trust Relationships Delegation of Administration Fine-Grain Access Rights Inheritance of Access Rights Multiple Security Protocols NTLM Credentials Kerberos Credentials Getting a Ticket to Ride Private/Public Key Pairs and Certificates Other Supported Protocols Enterprise and Internet Single Sign-on Security Support Provider Interface Internet Security for Windows 2000 Client Authentication with SSL 3.0 Authentication of External Users Microsoft Certificate Services CryptoAPI Interbusiness Access: Distributed Partners Summary FAQs

CHAPTER 5 SECURITY CONFIGURATION TOOL SET
Introduction Security Configuration Tool Set Overview Security Configuration Tool Set Components Security Configuration and Analysis Snap-in Security Setting Extensions to Group Policy Security Templates The secedit.exe Command Line Tool Security Configurations Security Configuration and Analysis Database Security Configuration and Analysis Areas Account Policies Local Policies Event Log Restricted Groups System Services Registry File System Security Configuration Tool Set User Interfaces Security Configuration and Analysis Snap-in The Security Settings Extension to the Group Policy Editor The secedit.exe Command Line Tool Configuring Security Account Policies Local Policies and Event Log Event Log Restricted Groups Registry Security File System Security System Services Security Analyzing Security Account and Local Policies Restricted Group Management Registry Security File System Security System Services Security Group Policy Integration Security Configuration in Group Policy Objects Additional Security Policies Using the Tools Using the Security Configuration and Analysis Snap-in Using Security Settings Extension to Group Policy Editor Summary FAQs

CHAPTER 6 ENCRYPTING FILE SYSTEM FOR WINDOWS 2000
Introduction Using an Encrypting File System Encryption Fundamentals How EFS Works User Operations File Encryption Assessing an Encrypted File Copying an Encrypted File COPY Command Moving or Renaming an Encrypted File Decrypting a File Cipher Utility Directory Encryption Recovery Operations EFS Architecture EFS Components The Encryption Process The EFS File Information The Decryption Process Summary

CHAPTER 7 IP SECURITY FOR MICROSOFT WINDOWS 2000 SERVER
Introduction Network Encroachment Methodologies Snooping Spoofing TCP/IP Sequence Number Attack Password Compromise Denial of Service Attacks TCP SYN Attack SMURF Attack Teardrop Attack Ping of Death Man-in-the-Middle Attacks Application-Directed Attacks Compromised Key Attacks IPSec Architecture Overview of IPSec Cryptographic Services Message Integrity Message Authentication Confidentiality IPSec Security Services Authentication Header (AH) Encapsulating Security Payload (ESP) Security Associations and IPSec Key Management Procedure IPSec Key Management Deploying Windows IP Security Evaluating Information Evaluating the “Enemy” Determining Required Security Levels Building Security Policies with Customized Building an IPSec MMC Flexible Security Policies Rules Flexible Negotiation Policies Filters Creating a Security Policy Making the Rule Compatibility Notes Summary FAQs

CHAPTER 8 SMART CARDS
Introduction Interoperability ISO 7816, EMV, and GSM PC/SC Workgroup The Microsoft Approach A Standard Model for Interfacing Smart Card Readers and Cards with PCs Device-Independent APIs for Enabling Smart-Card-Aware Applications Integration with Various Microsoft Platforms Smart Card Base Components Service Providers Cryptographic Service Providers Smart Card Service Providers Cards Resource Manager Enhanced Solutions Client Authentication Public-Key Interactive Logon Smart Card Reader Installation Smart Card Certificate Enrollment Smart Card Logon Secure E-Mail Summary FAQs

CHAPTER 9 MICROSOFT WINDOWS 2000 PUBLIC KEY INFRASTRUCTURE
Introduction Concepts Public Key Cryptography Public Key Functionality Digital Signatures Authentication Secret Key Agreement via Public Key Bulk Data Encryption without Protecting and Trusting Cryptographic Keys Certificates Certificate Authorities Certificate Types Trust and Validation Windows 2000 PKI Components Certificate Authorities Certificate Hierarchies Deploying an Enterprise CA Trust in Multiple CA Hierarchies Enabling Domain Clients Generating Keys Key Recovery Certificate Enrollment Renewal Using Keys and Certificates Roaming Revocation Trust PK Security Policy in Windows 2000 Trusted CA Roots Certificate Enrollment and Renewal Smart Card Logon Applications Overview Web Security Secure E-mail Digitally-Signed Content Encrypting File System SmartCard Logon IP Security (IPSec) Preparing for Windows 2000 PKI Summary FAQs

CHAPTER 10 WINDOWS 2000 SERVER SECURITY FAST TRACK
Introduction What Is Windows 2000 Server Security, and Why Do You Need to Know About It? How Do You Spell “Security”? Authentication Authorization Privacy Integrity Auditability The Component Security Model Bringing It All Together: A Security Policy The Historical Perspective: A Review of Authentication Authorization Privacy Integrity Auditability Important Features or Design Changes Industries and Companies Affected by Windows 2000 Security Advantages and Disadvantages Advantages of Windows 2000 Server Security Problems with Windows 2000 Server Security Windows 2000 and Security FAQs

= = = = = = = = =

CONTRIBUTORS

“STACE CUNNINGHAM (CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a Systems Engineer with SDC Consulting located in Biloxi, MS. He was an instrumental force in the design, engineering, and implementation of an enterprise network consisting of 12,000 nodes.

“Stace received his MCSE in 1996 and is also certified as a Certified Cisco Network Associate, IBM Certified Lan Server Engineer, IBM Certified OS/2 Engineer, IBM Certified Lan Server Administrator, Microsoft Certified Product Specialist, IBM Certified Lan Server Instructor, IBM Certified OS/2 Instructor, and also through the A+ Certification Program. Network security and operating system security have always intrigued Stace, so he has constantly stayed on top of the changes in this ever-evolving field, beginning at the time that he held the positions of Network Security Officer and Computer Systems Security Officer while serving in the U.S. Air Force. He also was an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” Stace has been working with Windows 2000 since Microsoft released the first beta and is pleased to see the new security features present in the operating system. Stace has participated as a Technical Contributor for the IIS 3.0 exam, SMS 1.2 exam, Proxy Server 1.0 exam, Exchange Server 5.0 and 5.5 exams, Proxy Server 2.0 exam, IIS 4.0 exam, IEAK exam, and the revised Windows 95 exam. In addition, he has coauthored 16 books published by Microsoft Press, Osborne/McGraw-Hill, and Syngress Media as well as being technical reviewer for several books published by these companies.

“His wife, Martha, and daughter, Marissa, are supportive of his work and tolerant of the time he spends on the network of computers located in the family home. Without their love and support he would not be able to accomplish the goals he has set for himself.

- - - - - - - - - -

“GARRICK OLSEN (A+, Network+, MCP+I, MCSE+I, CNE) currently works for MicroAge in Anchorage, AL, as a Network Technician. He has been using computers since he was eight years old and is completely self-taught. He obtained his A+, Network+, MCP+Internet, MCSE+Internet, and CNE before the age of 20 and enjoys computers and snowmachining.

- - - - - - - - - -

“DEBRA LITTLEJOHN SHINDER (MCSE, MCP+I, MCT) is an instructor in the AATP program at Eastfield College, Dallas County Community College District, where she has taught since 1992. She is Webmaster for the cities of Seagoville and Sunnyvale, TX, as well as the family Web site at www.shinder.net. She and her husband, Dr. Thomas W. Shinder, provide consulting and technical support services to Dallas-area organizations. She is also the proud mom of a daughter, Kristen, who is currently serving in the U.S. Navy in Italy, and a son, Kris, who is a high school chess champion. Deb has been a writer for most of her life, and has published numerous articles in both technical and nontechnical fields.

- - - - - - - - - -

“THOMAS W. SHINDER, M.D. (MCSE, MCP+I, MCT), is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. Dr. Shinder has consulted with major firms including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Dr. Shinder attended medical school at the University of Illinois in Chicago, and trained in Neurology at the Oregon Health Sciences Center in Portland, OR. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to take down his shingle and focus on systems engineering. Tom works passionately with his beloved wife, Deb Shinder, to design elegant and cost-efficient solutions for small and medium-sized businesses based on Windows NT/2000 platforms.

- - - - - - - - - -

“BRIAN M. COLLINS (MCNE, CNI, MCSE, MCT, CTT) is a technical trainer for Network Appliance Inc (NASDAQ: NTAP), a premier provider of Network Attached Storage, as well as a consultant and trainer through his own company, Collins Network Engineering. Brian is an 18-year veteran of technology industries and has worked as a network engineer, trainer, software developer, and consultant for government, Fortune 500 companies, and small business. His hobbies include hiking, golf, and operating systems. Brian lives in the redwood forest of Boulder Creek, CA, 30 miles from California’s Silicon Valley.

- - - - - - - - - -

“D. LYNN WHITE (MCPS, MCSE, MCT, MCP+I) is president of Independent Network Consultants, Inc. Lynn has more than 14 years’ experience in programming and networking. She has been a system manager in the mainframe environment as well as a software developer for a process control company. She is a technical author, editor, trainer, and consultant in the field of networking and computer-related technologies. Lynn has been presenting mainframe, Microsoft-official curriculum and other networking courses in and outside the United States for more than 12 years.”

= = = = = = = = =

2000, 400 pages. Order #DR546.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008