SEC302 Windows Server 2003 Security Enhancements
Ben Smith, Senior Security Strategist, Microsoft Corporation

Agenda
- What we did differently
- Security enhancements in Windows Server 2003
  - IIS 6.0 re-architecture
  - Changes with permissions
  - System services
  - Enhancements to IPSec
  - All new: Network Access Quarantine
  - Software Restriction Policies
- Windows Server 2003 security guidance
- What's coming

The Security Framework: SD3+C
Secure by Design
- Mandatory training
- Built threat models
- Conducted code reviews and penetration testing
- Used automated code tools
- Redesigned the IIS 6.0 architecture
Secure by Default
- 60% less attack surface area by default compared to Windows NT 4.0 SP3
- 20+ services changed to be off by default
- Services install in a secure state (IIS 6.0 installs locked down)
Secure in Deployment
- New patch management tools
- 7 Microsoft Official Curriculum courses available at launch
- Official security configuration guides
- Integrated security tools
Communications
- Writing Secure Code, 2nd edition
- Architecture webcasts

Security in Active Directory
- Cross-forest trusts: administrators can create forest-to-forest trusts
- Cross-forest authentication: secure access to resources when the user account is in one forest and the computer account is in another forest
- Cross-forest authorization: administrators can select users and groups from trusted forests for inclusion in local groups or ACLs
IAS and Cross-Forest Authentication
- If the forests are linked by a two-way forest trust (Windows Server 2003 forest functional level), IAS (RADIUS) can authenticate a user account that lives in the other forest

PKI Enhancements
- Cross-certification support
- Role separation
- Custom certificate templates (version 2)
- Delta CRLs
- Key archival and recovery
- Auto-enrollment
- Auditing of administrative operations
See: Windows Server 2003 PKI Operations Guide, http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp

Miscellaneous Enhancements (1)
- DLL search order changed: the system directories (\windows\system32 first) are now searched before the current working directory (SafeDllSearchMode), so a DLL planted next to a document no longer shadows a system DLL
- EFS uses AES-256 by default
- The Everyone group no longer includes the Anonymous Logon identity (it still contains authenticated users and guests)
- Accounts with blank passwords are console-bound: they cannot be used to log on over the network
- Protected EAP (PEAP)
- Detailed security auditing
- RRAS basic firewall

Miscellaneous Enhancements (2)
- IIS 6.0 lockdown mode
- IIS re-architecture
- Authorization Manager (AuthMan)
- Credential Manager (CredMan)
- Constrained delegation
- .NET Framework 1.1 Code Access Security
- Administrator password complexity
- Screen saver timeout

Miscellaneous Enhancements (3)
- Account Logon auditing enabled by default
- Anonymous access restricted for: SAM enumeration, named pipes, shares
- Remote Registry decoupled from the Server service (it is now its own service)
- NTLM compatibility: the default LM compatibility level sends NTLM responses only, keeping LM responses off the wire
- IE lockdown (Internet Explorer Enhanced Security Configuration)
- Terminal Server rights control
- DPAPI integration
- Greatly improved Help content for security

IIS 5 Request Processing (diagram)
- Kernel mode: requests and responses pass through TCP/IP, AFD and WinSock
- User mode: INETINFO.exe hosts the FTP, NNTP and SMTP services and the metabase; out-of-process applications run in DLLHOST.exe worker processes, so application work is routed up through INETINFO.exe

IIS 6.0 Request Processing (diagram)
- Kernel mode: HTTP (HTTP.sys) sits directly on TCP/IP, answers requests from its cache and queues the rest per application pool
- User mode: inetinfo hosts FTP, NNTP, SMTP and the XML metabase; the WWW Service does administration and monitoring; application code runs in worker processes inside application pools, isolated from the core server

Example: detailed security auditing

Video: The Security Framework at Microsoft (speaker slide: "STOP, there is no time for this!")
(Yes, it is the old Microsoft video you have seen before; this is a level 300 session.)

Permissions
- Default NTFS permissions locked down
  - Was: Everyone: Full Control
  - Now: Everyone: Read and Execute (on the volume root only); Users: Read and Execute, Create Folder, Create File; SYSTEM, CREATOR OWNER, Administrators: Full Control
- Default share permissions
  - Was: Everyone: Full Control
  - Now: Everyone: Read
- New features: Effective Permissions tool; Replace Owner through the GUI
Quick demo: Permissions. Seeing is believing!

What do all of these services have in common?
Alerter, ClipBook, Distributed Link Tracking (Server), IMAPI CD-Burning COM Service, Human Interface Device Access, ICS/ICF, Intersite Messaging, KDC, License Logging, Terminal Server Discovery Service, Windows Image Acquisition, Messenger, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, RRAS, Telnet, Themes, WebClient, Windows Audio
Answer: their startup type is Disabled by default on Windows Server 2003

System Service Accounts
- Local System: no password to manage; bypasses security checks (full privilege on the local computer)
- User accounts: run with less privilege than Local System; the password is stored as an LSA secret; can be complex to configure
- Local Service and Network Service: no password to manage; run with only slightly more permissions than an authenticated user; Local Service cannot authenticate across the network (it presents anonymous credentials), Network Service authenticates as the computer account
Quick demo: enumerating services with WMIC

What's New with IPSec?
Management
- IP Security Monitor
- Command-line management with netsh
- Logical addresses for local IP configuration
Security
- Stronger cryptographic master key (2048-bit Diffie-Hellman group)
- Computer startup security
- Persistent policy for enhanced security
- Ability to exclude the name of the CA from certificate requests
- Better default exemption handling
Interoperability
- IPSec over network address translation (NAT traversal)
- Improved IPSec integration with Network Load Balancing

Default Exempt Rules in IPSec
Stored in the registry value HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt:

NoDefaultExempt   Traffic exempted from IPSec filtering
0                 RSVP, IKE, Kerberos, multicast, broadcast (Windows 2000 behaviour)
1                 IKE, multicast, broadcast
2                 RSVP, IKE, Kerberos
3                 IKE only (Windows Server 2003 default)

Values 0 and 2 exempt Kerberos and RSVP, which lets an attacker slip traffic past the filters simply by sourcing it from the Kerberos port; that is why the default moved to 3.

Demo: managing IPSec with netsh
Options not available through the UI:
- Configure default exemptions
- Enable CRL checking
- Enable IKE logging
- Enable IPSec driver dynamic logging
- Enable persistent policy
- Configure startup exemptions

Announcing: Network Access Quarantine for RRAS

What is Network Access Quarantine?
- The remote access client authenticates
- The RAS client is placed in quarantine
- If (1) the RAS client fails the policy check or (2) the quarantine timeout is reached, the RAS client is disconnected
- If the RAS client meets the quarantine policies, it gets full access to the network

What are policy rules?
Quarantine policy rules are configurable; common rules may include:
- Service packs or the latest hotfixes installed
- Antivirus software installed
- Antivirus signature files updated
- Routing disabled on the RAS client
- Internet Connection Firewall enabled
- A password-protected screen saver enabled

Quarantine Architecture
- RAS client (CM profile): runs a customizable post-connect script; the script runs the RQC notifier with a "results string"
- RRAS server (listener): RQS receives the notifier's results string and compares it to the set of acceptable results; removes the time-out if a response was received but the client is out of date; removes the quarantine filter if the client is up to date
- IAS server (quarantine VSAs): a timer limits the window in which the notification must arrive before automatic disconnect; the Q-filter sets a temporary route filter that restricts the client to the quarantine network
- RQC.exe and RQS.exe ship in the Windows Server 2003 Resource Kit

Detailed Quarantine Process (RAS client, RRAS server, IAS server)
1. Connect
2. Authenticate
3. Authorize: IAS returns the quarantine VSA plus the normal filters
4. Quarantine access: the client can reach only the quarantine resources
5. Policy check: the client's script runs and reports the result
6. Full access: RRAS removes the quarantine filter

Software Restriction Policies
- Two default security levels: Disallowed and Unrestricted
- Controls executable code by file type: .ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF .INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD .PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH

What SRP do not protect against
- Drivers or other kernel-mode software
- Any program run by the SYSTEM account
- Macros inside Microsoft Office 2000 or Office XP documents (use the Office macro security settings)
- Programs written for the common language runtime
  (these programs are governed by .NET Code Access Security instead)

Types of SRP Rules
- Hash rule: compares the MD5 or SHA-1 hash of the file being run to the hash in the rule; use when you want to allow or prohibit a particular version of a file
- Path rule: compares the path of the file being run to a list of allowed (or disallowed) paths; use when you have a folder with many files for the same application; essential when the default level is Disallowed
- Certificate rule: checks the digital signature on the application (e.g. Authenticode); use when you want to restrict both Win32 applications and ActiveX content
- Internet zone rule: identifies software by the Internet Explorer zone it was downloaded from (in this release it applies to Windows Installer packages); use in high-security environments to control software that arrives from the web

Rule Precedence
What happens when multiple rules match a program? Example: trying to run Windows Calculator (c:\winnt\system32\calc.exe) with these rules in place:
- Path rule c:\winnt: Unrestricted
- Hash rule A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771: Disallowed
- Path rule c:\winnt\system32\calc.exe: Disallowed
The most specific matching rule wins, in this order:
1. Hash rule
2. Certificate rule
3. Path rule (among path rules, the more specific path wins)
4. Zone rule
So the hash rule decides and Calculator is Disallowed. The hash rule is written as hash:file-size:algorithm, where 32771 (0x8003) is CALG_MD5.

How to Develop Policies?
1. List the allowed applications
2. Start them up
3. Consult System Information (msinfo32.exe): Software Environment → Running Tasks; Software Environment → Loaded Modules; Software Environment → Startup Programs
4. Create rules
5. Refine rules
6. Generalize rules: C:\winnt → %WINDIR%; C:\app\dir1, C:\app\dir2 → C:\app

Policy Gotchas
Make sure you include the following:
- Some programs consist of many EXEs (Powerpnt.exe launches mstore.exe for clip art)
- Logon scripts
- Startup folders and Run registry keys
- Anti-virus software
- Program add-ins
Have you allowed too much?
- Check the ACLs on every path you allow: a path rule on a folder that users can write to lets them run anything they drop there

Demo: Software Restriction Policies

Windows Server 2003 Security Configuration Guidance
- Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160

Comments
"We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance." Clint Kreitner, President/CEO
"NIST reviewed and provided technical comments and advice that were incorporated in this guidance." Timothy Grance, Manager, Systems and Network Security Group

Keep an eye out for…
- Security Configuration Wizard (SCW): helps administrators maximize the security of servers with common roles without sacrificing required functionality. Administrators use the Security Configuration Wizard in SCE to construct security policies for their different types of servers and perform lockdown testing to verify that systems function as expected.
- Microsoft Audit Collection Services (MACS): a tool to monitor and audit systems centrally. MACS collects security events in a compressed, signed, encrypted form and loads them into a SQL database for analysis.

Suggested Reading and Resources
The tools you need to put technology to work!
- Microsoft Windows Security Resource Kit (available today)
- Writing Secure Code, 2nd edition (available today)
Microsoft Press books are 20% off at the TechEd bookstore; buy any two Microsoft Press books and get a free T-shirt.

Appendix
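The WMIC demo on the System Services slides enumerates services and their accounts. As an added example (not from the deck and not a Microsoft tool), the script below parses output shaped like "wmic service get Name,StartMode,StartName,State /format:csv" (the sample rows are constructed) and raises the two findings those slides point at: services that Windows Server 2003 disables by default but that have been re-enabled, and auto-start services still running as Local System, which are the candidates for Local Service or Network Service. The short service names in DISABLED_BY_DEFAULT are an assumed mapping from the display names on the slide.

```python
"""Service start-mode and account audit over wmic CSV output (added example)."""
import csv
from typing import Dict, List

# Assumed short names for the slide's "Startup = Disabled" list (display names
# on the slide; the Terminal Server entry is left out because its name is unclear).
DISABLED_BY_DEFAULT = {
    "Alerter", "ClipSrv", "TrkSvr", "ImapiService", "HidServ", "SharedAccess",
    "IsmServ", "kdc", "LicenseService", "stisvc", "Messenger", "mnmsrvc",
    "NetDDE", "NetDDEdsdm", "RemoteAccess", "TlntSvr", "Themes", "WebClient",
    "AudioSrv",
}
_DISABLED_LOWER = {n.lower() for n in DISABLED_BY_DEFAULT}

# Constructed sample in the shape wmic produces: a leading blank line, then a
# header whose first column is the node name.
SAMPLE_WMIC_CSV = """
Node,Name,StartMode,StartName,State
SRV01,Alerter,Disabled,NT AUTHORITY\\LocalService,Stopped
SRV01,Messenger,Auto,LocalSystem,Running
SRV01,TlntSvr,Manual,LocalSystem,Stopped
SRV01,Dnscache,Auto,NT AUTHORITY\\NetworkService,Running
SRV01,Spooler,Auto,LocalSystem,Running
SRV01,W3SVC,Auto,LocalSystem,Running
SRV01,MyLineOfBizSvc,Auto,CORP\\svc_lob,Running
"""


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Turn wmic /format:csv text into dict rows; drops the blank lines wmic emits."""
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(lines))


def audit_services(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Two findings a hardening review wants:
    re_enabled       -> default-disabled services whose start mode is not Disabled
    localsystem_auto -> auto-start services running as LocalSystem (candidates
                        for Local Service, Network Service or a low-privilege account)
    """
    findings: Dict[str, List[str]] = {"re_enabled": [], "localsystem_auto": []}
    for row in rows:
        name, mode, account = row["Name"], row["StartMode"], row["StartName"]
        if name.lower() in _DISABLED_LOWER and mode != "Disabled":
            findings["re_enabled"].append("%s (%s, %s)" % (name, mode, row["State"]))
        if mode == "Auto" and account.lower() == "localsystem":
            findings["localsystem_auto"].append(name)
    return findings


if __name__ == "__main__":
    for finding, names in audit_services(parse_wmic_csv(SAMPLE_WMIC_CSV)).items():
        print(finding, ":", ", ".join(names) or "none")
```

On a real host, feed the script the saved output of the wmic command (wmic writes UTF-16; decode it first) and review the localsystem_auto list against what each service actually needs on the network: a service that never talks to other machines can usually drop to Local Service.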
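The quarantine slides describe the decisions RRAS, RQS and the client-side script make but not how they fit together over time. The simulation below is an added example, not the Resource Kit's RQC/RQS code and not their wire protocol; the class and function names and the client checks are constructed. It models only what the slides state: IAS hands back a timeout and a quarantine filter, a compliant client's post-connect script runs RQC with its results string, RQS removes the filter when the string is in its allowed set, removes only the timer when a response arrives from an out-of-date client, and the timer disconnects a client that never reports.

```python
"""Network Access Quarantine decision flow on a simulated clock (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    user: str
    deadline: float                  # from the IAS quarantine-timeout VSA
    quarantine_filter: bool = True   # Q-filter from the IAS filter VSA
    timer_active: bool = True
    connected: bool = True
    state: str = "quarantined"


class QuarantineServer:
    """RRAS plus the RQS listener: applies the VSAs and reacts to RQC notifications."""

    def __init__(self, allowed_set: Set[str], timeout_seconds: float):
        self.allowed_set = allowed_set      # results strings RQS accepts
        self.timeout = timeout_seconds
        self.sessions: Dict[str, Session] = {}

    def connect(self, user: str, now: float) -> Session:
        # authenticate/authorize succeeded; IAS returned quarantine VSA + normal filters
        session = Session(user, deadline=now + self.timeout)
        self.sessions[user] = session
        return session

    def notify(self, user: str, results_string: str, now: float) -> str:
        """What RQS does when the client's RQC notifier reports in."""
        session = self.sessions[user]
        self.tick(now)                        # a late notification finds a dropped session
        if not session.connected:
            return session.state
        session.timer_active = False          # a response arrived: no auto-disconnect
        if results_string in self.allowed_set:
            session.quarantine_filter = False  # client up to date: lift the quarantine
            session.state = "full_access"
        else:
            session.state = "quarantined_out_of_date"  # keep filter, let it fetch updates
        return session.state

    def tick(self, now: float) -> None:
        """Timer expiry: no notification inside the window means disconnect."""
        for session in self.sessions.values():
            if session.connected and session.timer_active and now >= session.deadline:
                session.connected = False
                session.state = "disconnected_timeout"


@dataclass
class ClientProfile:
    """Facts the post-connect script checks, taken from the policy-rules slide."""
    hotfixes_current: bool
    av_installed: bool
    av_sigs_current: bool
    routing_enabled: bool
    icf_enabled: bool
    screensaver_password: bool
    script_version: str = "RASQuarantine-v2"   # constructed results string


def post_connect_script(client: ClientProfile) -> Optional[str]:
    """Only a compliant client runs RQC; the script version is its results string."""
    compliant = (client.hotfixes_current and client.av_installed and client.av_sigs_current
                 and not client.routing_enabled and client.icf_enabled
                 and client.screensaver_password)
    return client.script_version if compliant else None


def run_scenarios() -> Dict[str, str]:
    """Three clients: compliant, compliant but running an old script, non-compliant."""
    server = QuarantineServer(allowed_set={"RASQuarantine-v2"}, timeout_seconds=120)
    clients = {
        "good": ClientProfile(True, True, True, False, True, True),
        "stale": ClientProfile(True, True, True, False, True, True, "RASQuarantine-v1"),
        "bad": ClientProfile(True, True, False, False, True, True),   # old AV signatures
    }
    for name, client in clients.items():
        server.connect(name, now=0)
        report = post_connect_script(client)
        if report is not None:
            server.notify(name, report, now=30)
    server.tick(now=130)                      # the 120 s window has elapsed
    return {name: server.sessions[name].state for name in clients}


if __name__ == "__main__":
    for user, state in run_scenarios().items():
        print(user, "->", state)
```

The out-of-date branch is the one to note when deploying: the slide's design keeps such a client connected but filtered, so the quarantine network must actually host the updates (signatures, hotfixes, a newer CM profile) the client needs to become compliant.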
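The Rule Precedence slide gives one outcome (the hash rule beats both path rules for Calculator). The script below is an added example, not code from the presentation or from Windows: it reproduces that decision logic in Python so the ordering can be exercised on more cases, including the tie among path rules, a hash rule following a copied binary, and the conservative tie-break between identical rules. The rule and program types, the environment map and the bytes standing in for calc.exe are constructed; certificate and zone matches are taken as pre-evaluated facts because Authenticode verification is outside this example.

```python
"""SRP rule matching and precedence: hash > certificate > path > zone (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CALG_MD5, CALG_SHA1 = 32771, 32772      # 0x8003 / 0x8004: the ALG_ID shown in a hash rule
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


@dataclass
class Rule:
    kind: str     # hash | certificate | path | zone
    ident: str    # "hexdigest:size:algid", signer name, path (may use %VAR%), or zone name
    level: str    # DISALLOWED or UNRESTRICTED


@dataclass
class Program:
    path: str
    data: bytes
    signer: Optional[str] = None   # pre-evaluated Authenticode signer, if any
    zone: Optional[str] = None     # Internet Explorer zone the package came from, if any


def parse_hash_rule(ident: str) -> Tuple[str, int, int]:
    digest, size, alg = ident.split(":")
    return digest.lower(), int(size), int(alg)


def hash_matches(ident: str, data: bytes) -> bool:
    digest, size, alg = parse_hash_rule(ident)
    algo = {CALG_MD5: hashlib.md5, CALG_SHA1: hashlib.sha1}.get(alg)
    # the file size is part of the rule: a different length never matches
    return algo is not None and len(data) == size and algo(data).hexdigest() == digest


def norm_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references and normalise case and separators."""
    for var, val in env.items():
        path = path.replace("%%%s%%" % var, val)
    return path.replace("/", "\\").lower().rstrip("\\")


def path_matches(rule_path: str, prog_path: str, env: Dict[str, str]) -> bool:
    rule, prog = norm_path(rule_path, env), norm_path(prog_path, env)
    return prog == rule or prog.startswith(rule + "\\")   # a folder rule covers its subtree


def evaluate(prog: Program, rules: List[Rule], env: Dict[str, str],
             default_level: str = UNRESTRICTED) -> Tuple[str, Optional[Rule]]:
    """Most specific rule type wins; among path rules the longest matching path
    wins; identical conflicting rules resolve to the more conservative level."""
    best = None
    for rule in rules:
        specificity = 0
        if rule.kind == "hash":
            hit = hash_matches(rule.ident, prog.data)
        elif rule.kind == "certificate":
            hit = prog.signer is not None and prog.signer.lower() == rule.ident.lower()
        elif rule.kind == "path":
            hit = path_matches(rule.ident, prog.path, env)
            specificity = len(norm_path(rule.ident, env))
        elif rule.kind == "zone":
            hit = prog.zone is not None and prog.zone.lower() == rule.ident.lower()
        else:
            raise ValueError("unknown rule kind %r" % rule.kind)
        if hit:
            key = (PRECEDENCE[rule.kind], -specificity, 0 if rule.level == DISALLOWED else 1)
            if best is None or key < best[0]:
                best = (key, rule)
    return (default_level, None) if best is None else (best[1].level, best[1])


def slide_example() -> Dict[str, str]:
    """The Calculator case from the slide, on constructed bytes (the real
    calc.exe hash on the slide cannot be reproduced offline)."""
    env = {"WINDIR": r"C:\WINNT"}
    calc = Program(r"C:\WINNT\system32\calc.exe", b"MZ constructed stand-in for calc.exe")
    calc_hash = "%s:%d:%d" % (hashlib.md5(calc.data).hexdigest(), len(calc.data), CALG_MD5)
    rules = [Rule("path", "%WINDIR%", UNRESTRICTED),
             Rule("hash", calc_hash, DISALLOWED),
             Rule("path", r"%WINDIR%\system32\calc.exe", DISALLOWED)]
    no_hash = [rules[0], rules[2]]
    copied = Program(r"C:\Temp\calc.exe", calc.data)          # same bytes, new location
    notepad = Program(r"C:\WINNT\notepad.exe", b"MZ constructed stand-in for notepad")
    return {
        "calc": evaluate(calc, rules, env)[0],                 # hash rule wins
        "calc_winner": evaluate(calc, rules, env)[1].kind,
        "calc_no_hash": evaluate(calc, no_hash, env)[0],       # longer path rule wins
        "notepad": evaluate(notepad, rules, env)[0],           # only %WINDIR% matches
        "copied_calc": evaluate(copied, rules, env)[0],        # hash rule follows the bytes
        "copied_calc_no_hash": evaluate(copied, no_hash, env)[0],   # falls to the default
    }


if __name__ == "__main__":
    for case, level in slide_example().items():
        print("%-22s %s" % (case, level))
```

The copied_calc cases are the practical lesson behind the slide's ordering: a path rule stops working the moment a user copies the binary somewhere else, while a hash rule travels with the bytes (and breaks on the next patch, which is why hash rules need refreshing when the file changes).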
Network Access Quarantine whitepaper: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Software Restriction Policy: http://www.microsoft.com/windows2000/technologies/security/redirwnetsafer.asp
Windows Server 2003 Resource Kit Tools download: http://go.microsoft.com/fwlink/?LinkId=4544

Community Resources
- Community resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.