Slide 1: Windows 2000 Security
Peter Wood, First•Base Technologies
© First Base Technologies 2001

Slide 2: Active Directory
• Active Directory is the Windows 2000 directory service
• Security is an integral feature, with authentication and object access controls
• With a single logon:
  - Administrators can manage the directory for the entire network
  - Users can access resources anywhere on the network

Slide 3: Objects
• Objects include shared resources such as servers, files, printers, and the network user and computer accounts
• Each object has attributes associated with it, e.g. for a user: first name, last name, description, e-mail address etc.
• Additional attributes can be added by extending the schema…

Slide 4: Object Permissions
• Access to Active Directory objects is controlled by permissions
• The permissions available depend upon the object type
• E.g. there is a Reset Password permission for a user but not for a computer
• Permissions can be granted or denied - denied permissions take precedence

Slide 5: Organisational Units
• An OU is a container object used to organise other objects into logical administrative groups
• It can contain objects such as users, groups, computers, and other organisational units
• It can only contain objects from its parent domain

Slide 6: Domains
• Domains
  - The core unit of the logical structure
  - Domain design can reflect the organisation
  - The directory includes one or more domains, each having its own security policies and trust relationships with other domains
  - A domain therefore defines a security boundary
  - Security policies and settings don’t cross from one domain to another

Slide 7: Trees & Forests
• A Tree is one or more Windows 2000 domains that:
  - Form a hierarchy
  - Share a common schema
  - Share the same global catalog
  - Are connected by transitive, bi-directional trust
• The hierarchical structure of domains within a tree forms a contiguous namespace

Slide 8: Trees & Forests
• Forests
  - A forest consists of multiple domain trees
  - The trees in a forest don’t form a contiguous namespace
  - But a forest does have a root domain - the first domain created in the forest

Slide 9: Trust Relationships
• Windows NT trusts were limited to the two domains involved
• The trust (and hence the access) was one-way
• Two trust relationships were needed for bi-directional access
• Windows 2000 trusts are transitive and two-way

Slide 10: Server Roles
• Domain Controller
  - A computer running Windows 2000 Server that provides Active Directory service to network users and computers
  - Domain controllers store directory data and manage user authentication and directory searches

Slide 11: Server Roles
• Member Server
  - Runs Windows 2000 Server
  - Member of a domain but not a domain controller
  - Doesn’t handle user logon, doesn’t participate in Active Directory replication, and doesn’t store domain security policy information
  - Contains a local security account database, the Security Account Manager
  - Can be moved between domains

Slide 12: Server Roles
• Member Servers typically function as:
  - File servers
  - Application servers
  - Database servers
  - Web servers
  - Remote access servers
  - Certificate servers
  - Firewalls

Slide 13: Server Roles
• Stand-alone Server
  - A computer that is running Windows 2000 Server and is not a member of a Windows 2000 domain
  - Stand-alone doesn’t necessarily mean it isn’t connected to anything!
  - Stand-alone servers can share resources with other computers on the network, but they can’t take advantage of Active Directory

Slide 14: Dynamic DNS
• Windows 2000 uses DNS to locate domain controllers & resolve machine IP addresses
• DNS is integrated into Active Directory, which is used to store and replicate DNS zone information
• Dynamic DNS enables computers to register and update their DNS records automatically
• This makes it much easier to use (like WINS)

Slide 15: User Accounts

Slide 16: Administrators
• Either: Member of Administrators (domain) local group
• Or: Member of Domain Admins global group
• Or: Member of Enterprise Admins universal group

Slide 17: Administrator - Good Practice
• Create separate administrator-equivalent accounts for each administrator
• Rename the Administrator account
• Set a difficult password on it
• Lock the name and password under dual control
• Create a “sacrificial goat” administrator account with no privileges

Slide 18: Network Guest Logon
[Diagram: Domain 1, Domain 2]
• If a user from a non-trusted domain attempts access
• Access is allowed if Guest is enabled and has no password
• There is no challenge at all
• The Guest account is disabled by default, but…
• This is not enough!

Slide 19: Guest - Good Practice
• Rename the account
• Set a difficult password on it
• Prevent Guest access to servers across the network with user rights assignments
• Restrict its logon hours to never
• Don’t use it and keep it disabled everywhere!
Slide 20: Built-in Global Groups
• Domain Users
  - Member of the Users domain local group
  - All new user accounts are automatically members
• Domain Admins
  - Member of the Administrators domain local group
  - Initially contains the Administrator account
• Domain Guests
  - Member of the Guests domain local group
  - Initially contains the Guest account

Slide 21: Built-in Universal Groups
• Enterprise Admins
  - Initially contains the Administrator account
  - Is a member of the Administrators domain local group of each domain in the forest
  - For individuals who need administrative control for the entire network
• Schema Admins
  - Designated administrators of the schema

Slide 22: Built-in System Groups
• These groups have dynamic membership:
  - Everyone
  - Authenticated Users
  - Creator Owner
  - Network
  - Interactive
  - Anonymous Logon
  - Dialup

Slide 23: Everyone
• An entity which automatically contains all people on the network
• Not a regular group and does not appear in the list of groups, but...
• Privileges can be (and are) assigned to Everyone

Slide 24: Group Policy

Slide 25: Security Policies
• Microsoft defines a policy as a “set of rules that determine the interaction between a subject and an object”
• Each Windows 2000 computer has a set of local policies
• In a domain these are overruled by any domain-level policies that apply
• These are known as Group Policies

Slide 26: Group Policy
• User policies are applied when a user logs on
• Computer policies are applied at boot time
• Unlike NT, security groups can’t have policies applied to them - only users and computers
• Policy settings are contained in Group Policy Objects
• You associate GPOs with Active Directory containers - i.e. sites, domains, and OUs

Slide 27: Group Policy
• Unlike NT System Policies, Group Policies can specify more than just registry settings
• You can:
  - Manage registry-based policy using Administrative Templates
  - Specify security settings
  - Assign startup, shutdown, logon & logoff scripts
  - Redirect folders to network locations
  - Manage applications

Slide 28: Administrative Templates
• These specify registry-based policy settings
• The settings available are determined by .adm template files
• Windows 2000 ships with default .adm files
• Information is saved in Registry.pol files under \WINNT\SYSVOL\sysvol\<domain>
• They can include settings for applications as well as for Windows 2000

Slide 29: Security Settings
• Allows you to specify security options, for example:
  - Password policy
  - Account lockout policy
  - Audit policy
  - User rights assignment
  - Event log settings
  - Public key policies

Slide 30: Security Templates
• Windows 2000 provides a number of security templates based on computer roles
• Each contains a group of security settings appropriate to the role
• They can be applied to a local computer or imported into a GPO for application via Group Policy

Slide 31: Order of Policy Application
• Policies are applied in this order:
  - Local Group Policy Object
  - Site Group Policy Object
  - Domain Group Policy Object
  - OU Group Policy Objects, from parent to child down the OU hierarchy
• Multiple GPOs associated with the same container are applied in the order specified by the Administrator

Slide 32: Effective Policy
• By default, policies applied later overwrite previously applied policies if they don’t match
• Otherwise all policies applied contribute to the effective policy
• Computer policies take precedence if they conflict with user policies
• If group policies are removed, local policies resume effect - there is no registry “tattooing”

Slide 33: Inheritance & Blocking
• Policies that would otherwise be inherited from “higher up” can be blocked at any level
• Policies that would otherwise be overwritten by policies “lower down” can be set to No Override
• Policies set to No Override can’t be blocked

Slide 34: Filtering Group Policy
• Policy can be filtered by security group membership
• A security group ACE on a GPO can be set to Not configured, Allowed or Denied
• Denied overrides Allowed

Slide 35: Additional Security Features

Slide 36: Audit Policy
• Auditing is enabled through Group Policy
• An audit entry is written to the security event log whenever certain actions are performed
• The entry shows the action performed, by whom, and when
• You can audit both successful and failed attempts at actions
• Auditing is turned off by default

Slide 37: RunAs
• The RunAs feature allows a user to launch processes with a different user context
• Processes may include programs, MMC consoles or Control Panel applets
• This allows privileged users to run processes from a non-privileged context
  - runas /user:username@domain program.exe
  - runas /user:domainname\username program.exe

Slide 38: Delegating Administrative Control
• You can delegate administration of a container - there are three options:
  - Delegate permissions to change properties on a particular container
  - Delegate permissions to create and delete objects of a specific type in an OU, e.g. users
  - Delegate permissions to manage specific properties on objects of a specific type in an OU, e.g. set a password on a user object

Slide 39: Delegating Administrative Control
• Delegation avoids the need for multiple administrators to have authority over an entire domain or site
• … but you can delegate administration for an entire domain within a forest if you like

Slide 40: Windows 2000 PKI
• Key Windows 2000 PKI components include:
  - Certificate Services
  - Smart card support
  - Encrypting File System (EFS)
  - Kerberos authentication
  - IP Security
  - Virtual Private Networks (VPNs)

Slide 41: Certificate Services
• Windows 2000 Certificate Services can be used to create a CA which can:
  - Receive certificate requests
  - Verify the identity of the requester and the information in the request
  - Issue certificates
  - Revoke certificates
  - Provide key management

Slide 42: Smart Cards
• Windows 2000 supports logon using certificates stored on smart cards
• Smart card based certificates are also supported for Web authentication, e-mail security and other public key cryptography-related activities
• They allow users to roam easily within and outside a domain

Slide 43: Supported Smart Cards
• Windows 2000 supports Gemplus GemSAFE and Schlumberger Cryptoflex smart cards
• Other RSA-based smart cards will work if the vendor has developed software support for the card
• PIN management is the responsibility of the support software and the user - Windows 2000 does not manage PINs

Slide 44: Encrypting File System
• Encrypting File System enables users to encrypt and decrypt files
• Encryption (and decryption) of files is transparent to the user
• It allows users to store data securely on local computers
• Because EFS is integrated with the file system it is easy to manage but difficult to attack

Slide 45: Encrypting File System
• EFS is particularly useful for securing data on computers that are vulnerable to theft, like laptops
• It does not support the sharing of encrypted data
• It is not supported on FAT volumes

Slide 46: EFS Encryption
• Each file has a unique DESX encryption key which is also used to decrypt the data
• The data is encrypted with the unique key
• The file encryption key is itself encrypted with the user’s public key
• It is also encrypted with the public key of an authorised recovery agent
• Both encrypted keys are stored with the file

Slide 47: EFS Decryption
• First the file encryption key is decrypted
• This can either be achieved with the user’s private key...
• Or using the recovery agent’s private key
• Once the file encryption key is decrypted it can be used by either the user or the recovery agent to decrypt the data

Slide 48: File Recovery Certificates
• Export the file recovery certificate and master key to removable media
• Delete the certificate from the machine (this doesn’t stop users from encrypting data)
• Import the certificate only when necessary to perform file recovery
• Make sure you remove it again afterwards

Slide 49: EFS Good Practice
• Make several copies of file recovery certificates removed from systems
• Store them very securely - you won’t be able to recover files if they’re lost!
• This is particularly important with laptops
• Make sure files are also protected by adequate permissions - otherwise they can be deleted

Slide 50: Encryption and Servers
• Windows 2000 supports the storage of encrypted files on servers...
• But not remote sharing of encrypted files
• Encrypted files are not encrypted over the network - only when stored on disk...
• An administrator must designate a server as “trusted for delegation” before users can encrypt files that reside there

Slide 51: Kerberos Authentication
• Kerberos V5 is a standard security protocol for authenticating user and system identity
• It is the primary protocol for Windows 2000 domain authentication
• It uses three parties in validation:
  - A user trying to access a target server
  - The target server needing to validate the user
  - A server that holds credentials for both of them

Slide 52: Security Analysis
• Security Configuration and Analysis is a snap-in for analysing and configuring local system security
• It uses a database to perform analysis and configuration functions
• The database is personalised by importing security templates
• Multiple security templates can be combined into a composite template

Slide 53: Security Analysis
• The tool compares current system security settings against the database
• It displays the results for each security attribute as follows:
  - A red X indicates a difference
  - A green check mark indicates consistency
  - No icon indicates that security attribute wasn’t analysed because it wasn’t part of your database

Slide 54: Security Analysis
• You can choose to modify the database to match the system...
• And then export the results as a new template if you like
• Or you can modify the system to match the database
• This is not recommended for domain members - use Group Policy instead

Slide 55: Service Packs & Patches
• Service Packs are issued periodically by Microsoft and contain:
  - Fixes for known bugs
  - Additional operating system features
• You can get them via download, on CD, from TechNet…
• The latest Windows 2000 Service Pack release is SP2

Slide 56: Service Packs & Patches
• They update all files older than those included in the Service Pack
• Service Pack releases are cumulative and contain all previous Service Pack fixes
• You no longer have to re-apply them after making changes to system services
• Before installing a Service Pack make sure you read the README file very thoroughly!

Slide 57: Good Practice
• Keep the number of privileged users to a minimum
• Give each admin user two accounts - one with admin privilege and one “regular” one
• Insist on using RunAs
• Delegate administrative privilege at OU level where possible

Slide 58: References - www.sans.org
• SANS Securing Windows 2000 Step-by-Step Guide ($299)
• A Discussion of Best Practices for Microsoft’s Encrypted File System
• Basic Security Issues of Active Directory
• Role-Based Administration for Windows 2000
• Securing Windows 2000 Server
• Securing Windows 2000
• Windows 2000 Known Vulnerabilities and Their Fixes
• Windows 2000 Security Standards

Slide 59: References
• Hardening Windows 2000 (www.SystemExperts.com)
• Top 10 Security Threats for Windows 2000 and Active Directory (www.BindView.com)
• The Definitive Guide to Windows 2000 Security (www.BindView.com)
• NSA Windows 2000 Security Recommendations Guides (http://nsa1.www.conxion.com/win2k/download.htm)
• BindView bv-Control & bv-Admin (www.BindView.com)
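The Group Policy rules on slides 31 to 34 (order of application, later-overwrites-earlier with computer precedence, Block Inheritance and No Override, and security-group filtering where Denied beats Allowed) as an added worked model in Python; this is not code from the deck, the GPO names and settings are constructed sample data, and the default ACE granting Apply to Authenticated Users follows the Windows 2000 default.

```python
# Added example: a small Python model of the Group Policy rules on slides 31-34;
# settings are plain name -> value pairs and the sample GPOs are constructed.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # computer settings
    user: dict = field(default_factory=dict)       # user settings
    no_override: bool = False                      # slide 33
    # Apply-GPO ACE per security group (slide 34); Windows 2000's default
    # grants it to Authenticated Users.
    aces: dict = field(default_factory=lambda: {"Authenticated Users": "Allowed"})

@dataclass
class Container:                 # a site, domain or OU with its linked GPOs
    name: str
    gpos: list = field(default_factory=list)       # administrator's order
    block_inheritance: bool = False                # slide 33

def applies_to(gpo, groups):
    """Slide 34: Denied overrides Allowed; Not configured grants nothing."""
    states = {gpo.aces.get(g, "Not configured") for g in groups}
    return "Denied" not in states and "Allowed" in states

def effective_policy(local, chain, computer_groups, user_groups):
    """local: Local GPO, always first (slide 31); chain: site, domain, then OUs parent to child."""
    ordered = []
    for c in chain:
        if c.block_inheritance:   # drop inherited GPOs, except No Override ones
            ordered = [g for g in ordered if g.no_override]
        ordered.extend(c.gpos)
    normal = [g for g in ordered if not g.no_override]
    # No Override GPOs can't be overwritten by anything lower down, so they
    # are replayed last; among them the highest in the hierarchy wins.
    forced = [g for g in ordered if g.no_override][::-1]
    computer, user = {}, {}
    for g in [local] + normal + forced:   # later GPOs overwrite earlier ones
        if applies_to(g, computer_groups):
            computer.update(g.computer)
        if applies_to(g, user_groups):
            user.update(g.user)
    return {**user, **computer}           # computer wins on conflict (slide 32)

# Constructed sample hierarchy: Local -> Site -> Domain -> Finance OU.
LOCAL = GPO("Local", computer={"min_pw_len": 0, "audit_logon": "off"})
SITE = Container("Site", [GPO("SiteAudit", {"audit_logon": "success"}, no_override=True)])
DOMAIN = Container("Domain", [GPO("DomainDefault",
    {"min_pw_len": 8, "lockout_threshold": 5, "screensaver": 600}, {"wallpaper": "corp"})])
FINANCE = Container("Finance OU", [GPO("FinanceLockdown", {"min_pw_len": 12},
    {"wallpaper": "finance", "screensaver": 900},
    aces={"Authenticated Users": "Allowed", "Domain Admins": "Denied"})])
# Effective settings for an ordinary user on a Finance computer.
DEMO = effective_policy(LOCAL, [SITE, DOMAIN, FINANCE], {"Authenticated Users"}, {"Authenticated Users"})
```

Passing an empty chain (every domain GPO removed) returns only the Local GPO's settings, which is the no-tattooing behaviour on slide 32.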
Slide 60: Need more information?
First•Base Technologies
The Old Courthouse, 38 High Street, Steyning, West Sussex BN44 3YE
+44 (0)1903 879879
peterw@firstbase.co.uk
www.firstbase.co.uk
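The EFS key layout on slides 46 to 48 as an added worked model that is not part of the deck: the per-file key is wrapped under the user's public key (EFS calls this the Data Decryption Field) and under the recovery agent's public key (the Data Recovery Field), both travel with the ciphertext, and either private key unwraps it. The textbook RSA on fixed Mersenne primes and the SHA-256 keystream are constructed stand-ins for Windows' real RSA and DESX so the block runs with only the standard library; they are not secure.

```python
# Added example: a toy model of the EFS key layout on slides 46-48 using only the
# standard library. Textbook RSA on fixed Mersenne primes and a SHA-256 keystream
# stand in for Windows' real RSA and DESX and are NOT secure.
import hashlib
import secrets

E = 65537                                     # RSA public exponent

def rsa_keypair(p, q):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, m):
    """Raw RSA on an integer m < n (no padding: toy only)."""
    n, exp = key
    return pow(m, exp, n)

def desx_stand_in(fek, data):
    """Stand-in for DESX: XOR with a SHA-256 counter keystream derived from the
    file encryption key. Symmetric, so one call encrypts and decrypts (slide 46)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(plaintext, user_pub, agent_pub):
    """Slide 46: unique per-file key, wrapped for the user and for the recovery agent."""
    fek = secrets.token_bytes(8)              # toy 64-bit FEK (real EFS: 128-bit DESX)
    fek_int = int.from_bytes(fek, "big")
    return {
        "data": desx_stand_in(fek, plaintext),
        "ddf": rsa(user_pub, fek_int),        # Data Decryption Field: FEK under user key
        "drf": rsa(agent_pub, fek_int),       # Data Recovery Field: FEK under agent key
    }

def efs_decrypt(blob, private_key, which):
    """Slide 47: unwrap the FEK from "ddf" (user) or "drf" (recovery agent),
    then decrypt the data with it."""
    fek = rsa(private_key, blob[which]).to_bytes(8, "big")
    return desx_stand_in(fek, blob["data"])

# Constructed keys: Mersenne primes M127*M89 for the user, M107*M61 for the agent.
USER_PUB, USER_PRIV = rsa_keypair(2**127 - 1, 2**89 - 1)
AGENT_PUB, AGENT_PRIV = rsa_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    blob = efs_encrypt(b"payroll Q3 figures", USER_PUB, AGENT_PUB)
    assert efs_decrypt(blob, USER_PRIV, "ddf") == efs_decrypt(blob, AGENT_PRIV, "drf")
```

Exporting and deleting the recovery certificate (slide 48) corresponds to keeping AGENT_PRIV offline: the DRF still travels with every file, so recovery works only while that private key survives, which is why slide 49 insists on several securely stored copies.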