Chapter Architecting the Human Factor Solutions in this chapter: • • • • • Balancing Security and Usability Managing External Network Access Managing Partner and Vendor Networking Securing Sensitive Internal Networks Developing and Maintaining Organizational Awareness Chapter Creating Effective Corporate Security Policies Solutions in this Chapter: • The Founding Principles of a Good Security Policy • Safeguarding Against Future Attacks • Avoiding Shelfware Policies • Understanding Current Policy Standards • Creating Corporate Security Policies • Implementing and Enforcing Corporate Security Policies • Reviewing Corporate Security Policies Chapter Planning and Implementing an Active Directory Infrastructure Solutions in this chapter: • Plan a strategy for placing global catalog servers • Evaluate network traffic considerations when placing global catalog servers • Evaluate the need to enable universal group caching • Implement an Active Directory directory service forest and domain structure • Create the forest root domain • Create a child domain • Create and configure Application Data Partitions • Install and configure an Active Directory domain controller • Set an Active Directory forest and domain functional level based on requirements • Establish trust relationships Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts Chapter Managing and Maintaining an Active Directory Infrastructure Solutions in this chapter: • • • • • • • • Manage an Active Directory forest and domain structure Manage trust relationships Manage schema modifications Managing UPN Suffixes Add or remove a UPN suffix Restore Active Directory directory services Perform an authoritative restore operation Perform a nonauthoritative restore operation Chapter Managing User Identity and Authentication Solutions in this chapter: Identity Management Identity Management with Microsoft’s Metadirectory MMS Architecture Password Policies User Authentication Single Sign-on Authentication Types Internet Authentication Service Creating a User Authorization Strategy Using Smart Cards Implementing Smart Cards Create a password policy for domain users 245_symantec_03.qxd 5/8/03 3:29 PM Page 77 Chapter Architecting the Human Factor Architecting the Human Factor Solutions in this chapter: • • • • • Balancing Security and Usability Managing External Network Access Managing Partner and Vendor Networking Securing Sensitive Internal Networks Developing and Maintaining Organizational Awareness Introduction Developing, implementing, and managing enterprise-wide security is a multiple discipline project As an organization continues to expand, management’s demand for usability and integration often takes precedence over security concerns New networks are brought up as quickly as the physical layer is in place, and in the ongoing firefight that most administrators and information security staff endure every day, little time is left for well-organized efforts to tighten the “soft and chewy center” that so many corporate networks exhibit In working to secure and support systems, networks, software packages, disaster recovery planning, and the host of other activities that make up most of our days, it is often forgotten that all of this effort is ultimately to support only one individual: the user In any capacity you might serve within an IT organization, your tasks (however esoteric they may seem) are engineered to provide your users with safe, reliable access to the resources they require to their jobs Users are the drivers of corporate technology, but are rarely factored when discussions of security come up When new threats are exposed, there is a rush to seal the gates, ensuring that threats are halted outside of the organization’s center It is this oversight that led to massive internal network disruptions during events as far back as the Melissa virus, and as recently as Nimda, Code Red, and the SQL Null Password worm Spida In this chapter, I provide you with some of the things I’ve learned in assisting organizations with the aftermath of these events, the lessons learned in post-mortem, and the justification they provide for improved internal security By exploring common security issues past and present and identifying common elements, I lay the foundation for instituting effective internal security, both through available technical means and organizational techniques Balancing Security and Usability The term “security” as it is used in this book refers to the process of ensuring the privacy, integrity, ownership, and accessibility of the intangibles commonly referred to as data Any failure to provide these four requirements will lead to a situation perceived as a security breach Whether the incident involves disclosure of payroll records (privacy), the unauthorized alteration of a publicly ID_MANAGE_01.doc disseminated press release (integrity), misappropriation of software code or hardware designs (ownership), or a system failure that results in staff members being unable to conduct their daily business (accessibility), an organization’s security personnel will be among the first responders and will likely be called to task in the aftermath Hang around any group of security-minded individuals long enough and eventually you will overhear someone say “Hey, well, they wanted it secured at all costs, so I unplugged it.” This flippant remark underscores the conflict between ensuring the privacy, integrity, and ownership of data while not impacting its accessibility If it were not for the necessity of access, we could all simply hit the big red emergency power button in the data-center and head for Maui, supremely confident that our data is secure As part of your role in securing your environment, you have undoubtedly seen security initiatives that have been criticized, scaled back, or eliminated altogether because they had an adverse impact on accessibility Upon implementation of such initiatives, a roar often goes up across the user community, leading to a managerial decree that legitimate business justification exists that exceed the benefit of your project What’s worse, these events can establish a precedent with both management and the user community, making it more difficult to implement future plans When you mount your next security initiative and submit your project plan for management approval, those in charge of reviewing your proposal will look right past the benefits of your project and remember only the spin control they had to conduct the last time you implemented changes in the name of security It is far too simple to become so wrapped up in implementing bulletproof security that you lose sight of the needs of the people you are responsible for supporting In order to avoid developing a reputation for causing problems rather than providing solutions, you need to make certain that you have looked at every potential security measure from all sides, including the perspectives of both upper management and the users who will be affected It sounds simple, but this aspect is all too often overlooked, and if you fail to consider the impact your projects will have on the organization, you will find it increasingly difficult to implement new measures In many cases, you need to relate only the anticipated impact in your project plan, and perhaps prepare brief documentation to be distributed to those groups and individuals impacted Managers not like to be surprised, and in many cases surprise is met by frustration, distrust, and outrage If properly documented ahead of time, the same changes that would cause an uproar and frustration may simply result in quiet acceptance This planning and communication is the heart of balancing your security needs with your clients' usability expectations With this balance in mind, let’s take a look at some of the factors that have influenced internal security practices over the past few years These factors include the risks that personnel passively and actively introduce, the internal security model that a company follows, the role a security policy plays in user response to security measures, and the role that virus defense plays in the overall security strategy Personnel as a Security Risk Think of an incident that you’ve responded to in the past Trace back the sequence of events that triggered your involvement, and you will undoubtedly be ID_MANAGE_01.doc able to cite at least one critical juncture where human intervention contributed directly to the event, be it through ignorance, apathy, coercion, or malicious intent Quite often these miscues are entirely forgivable, regardless of the havoc they wreak The best example of user-initiated events comes from the immensely successful mail-borne viruses of the recent past, including Melissa, LoveLetter, and Kournikova These viruses, and their many imitators (LoveLetter and Kournikova were in and of themselves imitations of the original Melissa virus) made their way into the record books by compromising the end user, the most trusted element of corporate infrastructure Personnel are the autonomous processing engines of an organization Whether they are responsible for processing paperwork, managing projects, finessing public relations, establishing and shepherding corporate direction, or providing final product delivery, they all work as part of a massive system known collectively as the company The practices and philosophies guiding this intricate system of cogs, spindles, drivers, and output have evolved over decades Computers and networked systems were introduced to this system over the past thirty years, and systematic information security procedures have only begun in earnest over the past twenty years Your job as a security administrator is to design and implement checkpoints, controls, and defenses that can be applied to the organizational machine without disrupting the processes already in place You have probably heard of the principle of least privilege, an adage that states that for any task, the operator should have only the permissions necessary to complete the task In the case of macro viruses, usability enhancements present in the workgroup application suite were hijacked to help the code spread, and in many instances a lack of permissions on large-scale distribution lists led to disastrous consequences Small enhancements for usability were not counterbalanced with security measures, creating a pathway for hostile code Individuals can impact the organizational security posture in a variety of ways, both passive and active Worms, Trojans, and viruses tend to exploit the user passively, and so on a grand scale, which draws more attention to the issue However, individuals can actively contribute to security issues as well, such as when a technically savvy user installs his own wireless access point In the following case studies, you’ll see how both passive and active user involvement contributed to two different automated exploits Case Studies: Autonomous Intruders As security professionals, we have concerned ourselves with the unknown—the subtle, near indecipherable surgical attacks that have almost no impact on normal business proceedings, but can expose our most sensitive data to the world We have great respect for the researcher who discovers a remotely exploitable buffer overflow in a prominent HTTP server, but we loathe the deplorable script-kiddie who develops a macro-virus that collapses half our infrastructure overnight Many people who work in security even eschew virus incidents and defense as being more of a PC support issue However, viruses, worms, and Trojans have helped raise awareness about internal security, as we’ll see later in this chapter In this section, you’ll get a look at two such applications that have had an impact on internal security, and see how users were taken advantage of to help the code spread Although the progression of the events in the case studies are based on factual accounts, the names and other circumstances have been changed to protect the innocent ID_MANAGE_01.doc Study 1: Melissa On March 26, 1999, a document began appearing on a number of sexually oriented Usenet newsgroups, carrying within it a list of pornographic Web sites and passwords This document also contained one of the most potent Microsoft VBScript viruses to date, and upon opening the document hostile code would use well-documented hooks to create a new e-mail message, address it to the first 50 entries of the default address book, insert a compelling subject, attach the document, and deliver the e-mail Steve McGuinness had just logged into his system at a major financial institution in New York City He was always an early riser, and usually was in the office long before anyone else It was still dark, the sun had yet to inch it’s way over the artificial horizon imposed by Manhattan’s coastal skyline As Outlook opened, Steve began reviewing the subjects of the messages in bold, those that had arrived since his departure the night before Immediately Steve noticed that the messages were similar, and a quick review of the “From” addresses provided an additional hint that something was wrong, Steve hadn’t received so much as a friendly wave from Hank Strossen since the unfortunate Schaumsburg incident, yet here was a message from Hank with the subject, “Important Message From Hank Strossen” Steve also had “Important Messages” from Cheryl Fitzpatrick and Mario Andres to boot Steve knew instinctively something wasn’t right about this Four messages with the same subject meant a prank—one of the IT guys had probably sent out these messages as a reminder to always shut down your workstation, or at least use a password-protected screensaver Such pranks were not uncommon—Steve thought back to the morning he’d come into the office to find his laptop had been stolen, only to find that an IT manager had taken it hostage since it wasn’t locked down Steve clicked the paperclip to open the attached document, and upon seeing the list of pornographic Web sites, immediately closed the word processor He made a note to himself to contact IT when they got in (probably a couple of hours from now) and pulled up a spreadsheet he’d been working on While he worked, more and more of the messages popped up in his mailbox as Steve’s co-workers up and down the eastern seaboard began reviewing their email By 8:15 A.M., the corporate mail servers had become overwhelmed with Melissa instances, and the message stores began to fail In order to stem the flood of messages and put a halt to the rampant spread of the virus, the mail servers were pulled from the network, and business operations ground to a halt Although it could be argued that since Steve (and each of his co-workers) had to open the message attachment to activate the virus, their involvement was active, Melissa was socially engineered to take advantage of normal user behavior Since the body of the message didn’t contain any useful content, the user would open the attachment to see if there was anything meaningful within When confronted with a document full of links to pornographic Web sites, the user would simply close the document and not mention it out of embarrassment Study 2: Sadmind/IIS Worm In May of 2001, many Microsoft IIS Web site administrators began to find their Web sites being defaced with an anti–United States government slogan and an email address within the yahoo.com.cn domain It rapidly became clear that a new worm had entered the wild, and was having great success in attacking Microsoft Web servers ID_MANAGE_01.doc Chris Noonan had just started as a junior-level Solaris administrator with a large consulting firm After completing orientation, one of his first tasks was to build his Solaris Ultra-10 desktop to his liking Chris was ecstatic, at a previous job he had deployed an entire Internet presence using RedHat Linux, but by working with an old Sparc workstation he’d purchased from a friend, he’d been able to get this new job working with Solaris systems Chris spent much of the day downloading and compiling his favorite tools, and getting comfortable with his new surroundings By midday, Chris had configured his favorite Web browser, shell, and terminal emulator on his desktop, and spent lunch browsing some security Web sites for new tools he might want to load on his system On one site, he found a post with source-code for a Solaris buffer overflow against the Sun Solstice AdminSuite RPC program, sadmind Curious, and looking to score points with his new employers, Chris downloaded and compiled the code, and ran it against his own machine With a basic understanding of buffer overflows, Chris hoped the small program would provide him with a privileged shell, and then later this afternoon he could demonstrate the hack to his supervisor Instead, after announcing “buffer-overflow sent,” the tool simply exited Disappointed, Chris deleted the application and source code, and continued working Meanwhile, Chris’ system began making outbound connections on both TCP/80 and TCP/111 to random addresses both in and out of his corporate network A new service had been started as well, a root-shell listener on TCP/600, and his rhosts file had been appended with “+ +”, permitting the use of rtools to any host that could access the appropriate service port on Chris’ system Later in the afternoon, a senior Solaris administrator sounded the alarm that a worm was present on the network A cronjob on his workstation had alerted him via pager that his system had begun listening on port 600, and he quickly learned from the syslog that his sadmind task had crashed He noticed many outbound connections on port 111, and the network engineers began sniffing the network segments for other systems making similar outbound connections Altogether, three infected systems were identified and disconnected, among them Chris’ new workstation Offline, the creation times of the alternate inetd configuration file were compared for each system, and Chris’ system was determined to be the first infected The next day, the worm was found to have been responsible for two intranet Web server defacements, and two very irate network-abuse complaints had been filed from the ISP for their Internet segment This sequence of events represents the best-case scenario for a Sadmind/IIS worm In most cases, the Solaris hosts infected were workhorse machines, not subject to the same sort of scrutiny as that of the administrator who found the new listening port The exploit that the worm used to compromise Solaris systems was over two years old, so affected machines tended to be the neglected NTP server or fragile application servers whose admins were reluctant to keep up-to-date with patches Had it not been for the worm’s noisy IIS server defacements, this worm may have been quite successful at propagating quietly to lie dormant, triggering on a certain time or by some sort of passive network activation, such as bringing down a host that the worm has been pinging at specific intervals In this case, Chris’ excitement and efforts to impress his new co-workers led to his willful introduction of a worm Regardless of his intentions, Chris ID_MANAGE_01.doc actively obtained hostile code and executed it while on the corporate network, leading to a security incident The State of Internal Security Despite the NIPC statistics indicating that the vast majority of losses incurred by information security incidents originate within the corporate network, security administrators at many organizations still follow the “exoskeleton” approach to information security, continuing to devote the majority of their time to fortifying the gates, paying little attention to the extensive Web of sensitive systems distributed throughout their internal networks This concept is reinforced with every virus and worm that is discovered “in the wild”—since the majority of security threats start outside of the organization, the damage can be prevented by ensuring that they don’t get inside The exoskeleton security paradigm exists due to the evolution of the network When networks were first deployed in commercial environments, hackers and viruses were more or less the stuff of science fiction Before the Internet became a business requirement, a wide-area network (WAN) was actually a collection of point-to-point virtual private networks (VPNs) The idea of an employee wreaking havoc on her own company’s digital resources was laughable As the Internet grew and organizations began joining public networks to their previously independent systems, the media began to distribute stories of the “hacker”, the unshaven social misfit cola-addict whose technical genius was devoted entirely to ushering in an anarchic society by manipulating traffic on the information superhighway Executive orders were issued, and walls were built to protect the organization from the inhabitants of the digital jungle that existed beyond the phone closet The end result of this transition was an isolationist approach With a firewall defending the internal networks from intrusion by external interests, the organization was deemed secure Additional security measures were limited to defining access rights on public servers and ensuring e-mail privacy Internal users were not viewed as the same type of threat as the external influences beyond the corporate firewalls, so the same deterrents were not necessary to defend against them Thanks in large part to the wake-up call from the virus incidents of the past few years, many organizations have begun implementing some programs and controls to bolster security from the inside Some organizations have even begun to apply the exoskeleton approach to some of their more sensitive departments, using techniques that we will discuss in the section, “Securing Sensitive Internal Networks.” But largely, the exoskeleton approach of “crunchy outside, chewy center” is still the norm The balance of security and usability generally follows a trend like a teeter-totter—at any time, usability is increasing and security implications are not countered, and so the balance shifts in favor of usability This makes sense, because usability follows the pace of business while security follows the pace of the threat So periodically, a substantial new threat is discovered, and security countermeasures bring the scales closer to even The threat of hackers compromising networks from the public Internet brought about the countermeasure of firewalls and exoskeleton security, and the threat of autonomous code brought about the introduction of anti-virus components ID_MANAGE_01.doc can promote this awareness through the simplest of measures: including a paragraph in an employee newsletter, sending bulletins to the user base when a new virus is becoming a threat, and the like (At the same time, though, you should avoid sending out so much information that your users become overwhelmed by it; a security bulletin that no one reads is no more useful than one that you don’t send at all.) By combining user education with technical measures such as password policies and strong network authentication, you will be well on your way to creating multiple layers of protection for your network and the data contained therein Using Smart Cards Smart cards provide a portable method of providing security on a network for such tasks as client authentication and securing user data In this section, we’ll provide an overview of smart card technology, as well as the steps involved in utilizing smart cards on your Windows 2003 network Smart card implementations rely in part on the Certificate Authority service, so we’ll spend some time discussing the use of certificates within Windows Server 2003 as well Support for smart cards is a key feature within the Windows Server 2003 family Smart cards provide tamper-resistant, safe storage for protecting your users’ private keys, which are used to encrypt and decrypt data, as well as other forms of your users’ personal information Smart cards also isolate security processes from the rest of the computer, providing heightened security since all authentication operations are performed on the smart card, rather than being transmitted to other parts of the computer or network that not need to be involved in the process Finally, smart cards will provide your users with a portable means of transmitting their logon credentials and other private information, regardless of their location Smart Cards in Action The use of smart cards for authentication and data encryption is a new but growing trend within enterprise networks The cards themselves can be used, not just for network authentication, but can be imprinted with employee information so that they can also serve as identification badges A good illustration of this type implementation is the RSA SecurID Card from www.rsatechnologies.com, shown in Figure 5.22.The RSA devices use an internal clock to generate a new PIN number every 60 seconds, creating a highly secure authentication method that is as portable and convenient as a common credit card or ATM card Figure 5.22:RSA SecurID Card In some cases, smart cards technology can also be integrated into an existing employee identification system by imprinting employee information onto a smart card Obviously, special care needs to be taken in implementations like this so that the smart card components not become damaged through everyday use The advantage to this type of smart card rollout is that users not have to remember to carry five different pieces of ID with them; the ID card that ID_MANAGE_05.doc Page 38 of 52 gets them in the door is the same one that logs them onto their computers You’ll also see smart cards that are configured as smaller “fobs” or “tags” that can be stored on a keychain, and some vendors are even considering integrating smart card technology into handheld devices and cellphones The smart card readers themselves can either be standalone readers, or else a smart card “fob” can be inserted directly into a workstation’s USB port Understanding Smart Cards Using a smart card for network logons provides extremely strong authentication because it requires two authentication factors: something the user knows (the PIN) along with something the user has (The smart card itself.) This provides stronger authentication than a password along, since a malicious user would need to have access to both the smart card and the PIN in order to impersonate a legitimate user It’s also difficult for an attacker to perform a smart card attack undetected, because the user would notice that their smart card was physically missing When to use Smart Cards Smart cards can provide security solutions for a number of business and technical processes within your organization When deciding whether or not to add smart cards to a given system, you’ll need to weigh the security benefits against the costs of deployment, both in terms of hardware costs and ongoing support Smart cards can secure any of the following processes within your business: • Using a smart card for interactive user logons will provide security and encryption for all logon credentials Relying on smart cards instead of passwords will mean that you will not need to worry about the quality and strength of user passwords • Requiring smart cards for remote access logons will prevent attackers from using dial-up or Internet connections to compromise your network, even if they gain physical access to a remote laptop or home computer • Administrator logons are ideal candidates for smart card authentication, since they have the potential to wreak far more havoc on a network installation than an account belonging to a less powerful network user By requiring your administrators to use smart cards, you can greatly reduce the possibility that an attacker can gain administrative access to your network However, keep in mind that some administrative tasks are not suited for smart card logons; as such, your administrators should have the option of logging on with a username/password combination when necessary • Digital signing and encryption of private user information such as email and other confidential files Implementing Smart Cards ID_MANAGE_05.doc Page 39 of 52 Utilizing smart cards on your network involves a number of preparatory steps that we’ll discuss in this section First we’ll look at the steps involved in establishing a Certificate Authority on your network, as well as a discussion of the related concepts and terminology Next we’ll examine the process of establishing security permissions for users and administrators to request certificates to use with their smart card and smart card readers Finally we’ll walk step-by-step through the process of setting up a smart card enrollment station to issue certificates to your end users, as well as the actual procedure to issue a smart card certificate to a user on your network We’ll end this section with some best practices for providing technical support for the smart card users on your network PKI and Certificate Authorities Smart card authentication relies on certificates to control which users can access the network using their smart cards Certificates are digitally signed statements that verify the identity of a person, device or service Certificates can be used for a wide variety of functions, including Web authentication, securing email, verifying application code validity, and allowing for smart card authentication The machine that issues certificates is referred to as a certificate authority, and the person or device that received the certificate is referred to as the subject of the certificate Certificates will typically contain the following information: • The subject's public key value • Any identifying information, such as the username or email address • The length of time that the certificate will be considered valid • Identifier information for the company/server that issued the certificate • The digital signature of the issuer, which attests to the validity of the subject’s public key their identifying information Every certificate also contains a Valid From and Valid To date to prevent potential misuse stemming from employee turnover and the life Once a certificate has expired, the user needs to obtain a new certificate in order to continue to access the associated network resources Certificate authorities also maintain a certificate revocation list that can be used in case a certificate needs to be cancelled before its regular expiration date transpires Certificates are perhaps most useful to establish mutual authentication between two entities – users, computers, devices, etc – need to authenticate to one another and exchange information with a high level of confidence that each entity is who or what it claims to be Because of this need, many companies will install their own certificate authorities and issue certificates to their internal users and devices in order to heighten the security of their network environment This provides the assurance, not only that the user is who they say they are, but assures the user that their session is not being misdirected to a “phony” server being used to intercept sensitive information Support for smart cards is a key feature of the public key infrastructure that’s included with Windows Server 2003 You need to take several steps in order to prepare your Windows 2003 network to allow your company to use smart card devices The first step is to install Certificate Services on at least one of your Windows 2003 servers You can accomplish this through the ID_MANAGE_05.doc Page 40 of 52 Add/Remove Programs applet in the Control Panel; you’ll find the Certificate Server under the Add/Remove Windows Components screen This will establish the Windows 2003 server in question as a certificate authority for your Windows 2003 domain Once you’ve established your server as a certificate authority, you’ll need to create three types of certificate templates to allow for smart card use on your network Just like a document template in business application software like Microsoft Word, a certificate template allows multiple certificates to be created using the same basic settings This is critical for this purpose, as it ensures that all certificates issued will contain the same security information The security templates that you’ll need to create are: • Enrollment Agent Certificate This will allow a Windows 2003 machine to act as an enrollment station, creating certificates on behalf of smart card users who need to access the network • The Smart Card Logon Certificate will allow your users to authenticate to the network by using a smart card inserted into a smart card reader • Smart Card User Certificates will not be covered extensively in this section, but are used to provide the capability to secure email once a user has been authentication You’ll be prompted to create these certificate templates automatically the first time that you open the Certificate Template MMC console Click on Start | Run, then type certtmpl.msc and click OK When you’re prompted to install new certificate templates, click OK This step will also upgrade any existing templates on your server, if the machine was functioning as a certificate authority under a previous version of Windows Setting Security Permissions In order to implement PKI certificates, administrators and users need to have the appropriate permissions for the certificate templates that are installed on the certificate authority You can grant, edit or remove these permissions in the Certificate Templates management snap-in In order to edit these permissions, you need to be a member of the Enterprise Admins group, or the Domain Admins group in the forest root domain To manage permissions on your security templates, the following: Open the Certificate Templates MMC console by clicking on Start | Run, then typing certtmpl.msc and clicking OK You’ll see the screen shown in Figure 5.23 ID_MANAGE_05.doc Page 41 of 52 Figure 5.23 Managing Certificate Templates Right-click on the certificate template whose permissions you need to change and select Properties On the Security tab shown in Figure 5.24, add the users and groups who will need to request certificates based on this template Under the Allow column, place a check mark next to the Read and Enroll permission Click OK when you’ve set the appropriate permissions for all necessary users and groups ID_MANAGE_05.doc Page 42 of 52 Figure 5.24 Setting Permissions for Certificate Templates Enrollment Stations To distribute certificates and keys to your users, the Certificate Server that’s included with Windows Server 2003 includes a smart card enrollment station The enrollment station allows an administrator to request a smart card certificate on a user’s behalf so that it can be pre-installed onto their smart card The certificate server signs the certificate request that’s generated on behalf of the smart card user Before your users can request certificates, you need to prepare the enrollment station to generate certificates for their use A smart card administrator must have the appropriate security permissions to administer the Enrollment Agent certificate template, as detailed in the last section Any machine running Windows XP or Windows Server 2003 can act as an enrollment station Issuing Enrollment Agent certificates To prepare your certification authority to issue smart card certificates, you’ll first need to prepare the Enrollment Agent certificate Before you begin, make sure that your user account has been granted the Read and Enroll permissions as discussed in the last section To create an Enrollment Agent Certificate, follow the steps included here Open the Certificate Authority snap-in by clicking on Start | Programs | Administrative Tools | Certification Authority In the console tree, navigate to Certificate Authority | ComputerName | Certificate Templates From the Action menu, click on New | Certificate to Issue You’ll see the screen shown in Figure 5.25 Figure 5.25 Issuing a Certificate Template Select the Enrollment Agent template and click OK Return to the Action menu, and select New | Certificate to Issue Select one of the following options: ID_MANAGE_05.doc Page 43 of 52 • To create certificates that will only be valid for user authorization, select the Smart Card Logon certificate template and click OK • For certificates that can be used both for logon and to encrypt user information like email, click on the Smart Card User certificate template, then click OK Once you’ve created the Enrollment Agent certificate, anyone with access to that certificate can generate a smart card on behalf of all users in your organization The resulting smart card could then be used to log on to the network and impersonate the real user Because of the capabilities of this certificate, you need to maintain strict controls over who has access to them Requesting an Enrollment Agent Certificate In the following exercise, we’ll prepare a Windows Server 2003 machine to act as a smart cart enrollment station Be sure that the user account you’re using to log on has been granted the Read and Enroll permissions for the Enrollment Agent certificate template EXERCISE 5.07 CREATING A SMART CARD CERTIFICATE ENROLLMENT STATION Log onto the machine as the user who will be installing the certificates Create a blank MMC console by clicking Start | Run, then type mmc and click OK From the console window, click File | Add/Remove Snap-in, then select Add Double-click on the Certificates snap-in Click Close and then OK You’ll see the Certificates snap-in shown in Figure 5.26 ID_MANAGE_05.doc Page 44 of 52 Figure 5.26 The Certificates Management Console In the right-hand pane, click on Certificates | Current User | Personal Click on Action | All Tasks, and then select Request New Certificate Click Next to bypass the Welcome screen Select the Enrollment Agent certificate template and enter a description for the certificate, in this case “Smart Card Enrollment Certificate.” Click Next to continue Click Finish to complete the installation of the enrollment agent Enrolling Users The process of setting up your company’s employees to use smart cards includes hardware, software, and administrative considerations On the hardware side, you’ll need to purchase and install smart card readers for all of your users’ workstations Assuming that the reader is plug-and-play compatible, the hardware installation process should be fairly uncomplicated Once the necessary hardware is in place, you’ll then use the Enrollment Station to install smart card logon or user certificates for each user’s smart card, as well as setting an initial PIN number for them to use Along with these technical pieces, you will also be required to create and document policies regarding identification requirements to receive a smart card or reset a forgotten PIN number Finally, you’ll need to train your users on the new procedure to log onto a smart card-protected workstation, since the familiar Ctrl+Alt+Del key sequence will be a thing of the past Installing a Smart Card Reader Most smart card readers are Plug-and-Play compatible under the Windows Server 2003 software family, so the actual installation of them is relatively straightforward If you’re using a reader that is not Plug-and-Play compatible or that has not been tested by Microsoft, you’ll need to obtain installation instructions from the manufacturer of the card reader As of this writing, the smart card readers listed in Table 5.1 are supported by Windows XP and Windows Server 2003 The corresponding device drivers will be installed on the workstation or server when the card reader has been detected by the operating system Brand American Express Bull Compaq Gemplus Gemplus Gemplus Hewlett Packard Litronic ID_MANAGE_05.doc Smart card reader GCR435 SmarTLP3 Serial reader GCR410P GPR400 GemPC430 ProtectTools 220P Interface Device driver USB Serial Serial Serial PCMCIA USB Serial Serial Grclass.sys Bulltlp3.sys grserial.sys Grserial.sys Gpr400.sys Grclass.sys Scr111.sys Lit220p.sys Page 45 of 52 Schlumberger Schlumberger Schlumberger SCM Microsystems SCM Microsystems SCM Microsystems SCM Microsystems Systemneeds Omnikey AG Omnikey AG Omnikey AG Reflex 20 Reflex 72 Reflex Lite SCR111 SCR200 SCR120 SCR300 External 2010 2020 4000 PCMCIA Serial Serial Serial Serial PCMCIA USB Serial Serial USB PCMCIA Pscr.sys Scmstcs.sys Scr111.sys Scr111.sys Scmstcs.sys Pscr.sys Stcusb.sys Scr111.sys Sccmn50m.sys Sccmusbm.sys Cmbp0wdm.sys Table 5.1 Supported Smart Card Readers under Windows 2003 To install a smart card reader on your computer, simply attach the reader to an available port, either serial or USB, or insert the reader into an available PCMCIA slot on a laptop If the driver for the reader is preinstalled in Windows 2003, the installation will take place automatically Otherwise the Add Hardware Wizard will prompt you for the installation disk from the card reader manufacturer Issuing Smart Card Certificates Once you’ve established the appropriate security for the certificate templates and installed smart card readers on your users’ workstations, you can begin the process of issuing the smart card certificates that your users will need to access the network This enrollment process needs to be a controlled procedure In much the same way that employee access cards are monitored to ensure that unidentified persons not gain physical access to your facility, smart card certificates need to be monitored to ensure that only authorized users can view network resources In the following exercise, we will use the Web Enrollment application to set up a smart card with a Logon Certificate EXERCISE 5.08 SETTING UP A SMART CARD FOR USER LOGON Log onto your workstation with a user account with rights to the Enrollment Agent Certificate template in the domain where the user's account is located Open Internet Explorer, and browse to http://servername, where servername is the name of the Certificate Authority on your network Click on Request a certificate, then Advanced Certificate Request You’ll need to choose one of the following options: • Smart Card Logon certificate if you want to issue a certificate that will only be valid for authenticating to the Windows domain • A Smart Card User certificate will allow the user to secure email and personal information, as well as logging onto the Windows 2003 domain ID_MANAGE_05.doc Page 46 of 52 Under Certificate Authority, select the name of the CA for your domain If there are multiple CA’s in your domain, click on the one that you wish to issue the smart card certificate For Cryptographic Service Provider, select the cryptographic service provider (CSP) of the smart card’s manufacturer This is specific to the smart card hardware; consult the manufacturer’s documentation if you are uncertain In Administrator Signing Certificate, select the Enrollment Agent certificate that will sign the certificate enrollment request Click Next to continue On the User to Enroll screen, click Select User to browse to the user account for which you are creating the smart card certificate Click Enroll to create a certificate for this user You’ll be prompted to insert the user’s smart card into the reader on your system When you click OK to proceed, you’ll be prompted to set an initial PIN number for the card If another user has previously used the smart card that you’re preparing, a message will appear indicating that another certificate already exists on the card Click Yes to replace the existing certificate with the one you just created 10 On the final screen, you’ll have the option to either view the certificate you just created, or to begin a new certificate request 11 Close your browser when you’ve finished creating certificate requests so that no extraneous certificates can be created if you walk away from the enrollment station Assigning Smart Cards Once you’ve pre-configured your users’ smart cards, you’ll need to establish guidelines defining how cards are assigned to those who require them This part of your smart card deployment plan is more procedural than technical, as you need to determine acceptable policies and service level agreements for your smart cards and smart card readers For example, what type of identification will you require in order for a user to obtain their smart card? Even if this is a small enough organization that you recognize all of your users on sight, you should still record information from a driver’s license or another piece of photo identification for auditing purposes Another set of issues revolves around your users’ PINs How many unsuccessful logon attempts will you allow before locking out the smart card? While this will vary according to your individual business requirements, three or four PIN entry attempts are usually more than sufficient Next, you’ll need to decide whether you will allow users to reset their own PINs, or if they’ll need to provide personal information to security or help desk personnel to have them reset by the IT staff The former will be more convenient for your user base, but that convenience will come at the expense of potential security liabilities If user PINs need to be reset by the IT staff, decide what type of information the user ID_MANAGE_05.doc Page 47 of 52 will need to present in order to verify their identity Document all applicable security policies and distribute them to your administration and security personnel, and make sure that your users are aware of them before they take possession of their smart cards Logon Procedures To log on to a computer using a smart card, your users will no longer need to enter the CTRL+ALT+DEL key sequence Rather, they’ll simply insert the smart card into the smart card reader, at which point they’ll be prompted to enter their PIN number Once the PIN is accepted, the user will have access to all local and network resources that their Active Directory user account has been granted permissions to Revoking Smart Cards Along with creating policies for issuing and configuring smart cards, you should consider how your organization will handle revoking the smart card of an employee who resigns or is terminated To be successful, this should be viewed as a joint effort between your company’s administrative processes like payroll and human resources along with the IT department Just as an employee needs to return ID badges and keys as part of the exit process, they should also be required to return their smart card to the company (As an added incentive, some companies will withhold the employee’s final paycheck until these items are returned.) Whether the employee exits the company in a graceful manner or not, you should add their smart card certificate(s) to your CA’s certificate revocation list (CRL) at the same time that you disable or delete their other logon IDs and credentials Depending on the manufacturer of the smart card itself, you may have an option to physically disable the smart card itself on the basis of a serial number or other unique identifier Planning for Smart Card Support Like any device or technology used to enhance network security, you’ll need to make plans to educate your users on how to use smart cards, as well as providing administrative tools to support their ongoing use First, make sure that your users understand the purpose of deploying smart cards; you’ll receive a much better response if they comprehend the importance of the added security, rather than if they’re simply handed a smart card and told to use it Emphasize that the smart card is a valuable resource to protect the company and its assets, rather than simply another corporate procedure designed to annoy them or waste their time They should know whom they should call or for help and technical support, if this is different from their usual support contacts, as well as what to if their card is lost or stolen Maintain a printed version of this information, and distribute it to your users when they receive their smart cards You can also publish this on your corporate intranet if you have one When orienting your users to the use of smart card, make sure that you cover the following key points: • Protect the external smart card chip If the chip itself becomes scratched, dented, or otherwise damaged, the smart card reader might not be able to read the data on the chip (This is similar to the magnetic strip on a credit card or an ATM card.) ID_MANAGE_05.doc Page 48 of 52 • Do not bend the card, as it can destroy the internal components of the card This can extend to something as simple as a user putting the smart card in their back pocket, because they might sit on the card and break its internal components • Avoid exposing the card to extreme temperatures Leaving a smart card on the dashboard of your car on a hot day can melt or warp the card, while extremes of cold can make the card brittle and cause it to break • Keep the smart card away from magnetic sources like credit cards and scanners at retail stores • Keep the smart card away from young children and pets, as it presents a potential swallowing or choking hazard Along with user education, there are several settings within Active Directory Group Policy that can simplify the administration of smart cards on your network Some of these, like account lockout policies and restricted login times, will impact users by default if they rely on their smart cards for domain logons Other policy settings are specific to managing mart cards on your network Within Group Policy, you can enable the following settings: • Smart card required for interactive logon This prevents a user account from logging onto the network by presenting a username/password combination; they will only be able to authenticate by using a smart card This provides strict security for your users; however, you should plan for an alternate means of authentication in case your smart card implementation becomes unavailable for any reason This policy is not appropriate for users who need to perform administrative tasks like installing Active Directory on a server or joining computers to a Windows 2003 domain • On smart card removal allows you to mandate that, when a user removes their smart card from the reader, their session is either logged off or locked to prevent them from leaving an active session running when they walk away User education is critical if you select the forced logoff option, as users will need to make sure that they’ve saved changes to any of their documents and files before they remove their smart cards • Do not allow smart card device redirection will prevent your users from using smart card to log onto a Terminal Services session Set this policy if you’re concerned about conserving network resources associated with your Terminal Server environment Account lockout threshold While this setting is not specific to smart cards, smart card PINs are more susceptible to password attacks, so your lockout threshold settings should be adjusted accordingly From an administrative standpoint, there are several other important considerations in creating a support structure for smart card use You need to identify the persons within your organization who will be able to perform security-related tasks like resetting PINs or distributing temporary cards to • ID_MANAGE_05.doc Page 49 of 52 replace those that are lost or forgotten You’ll also need to decide how you’ll handle personnel changes like name changes, changes in employments status, as well as any special procedures for high-level employees, traveling users and support personnel Fast Track Password Policies • • • According to Microsoft, complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits and non alphanumeric characters like & $ * ! Password policies, including password length and complexity as well as account lockout policies, are set at the domain level If you have a subset of your userbase that requires a different set of account policies and other security settings, you should create a separate domain to meet their requirements Be sure that you understand the implications of an account lockout policy before you enable one in a production environment User Authentication • • • Kerberos is the default communication method between two machines that are both running Windows 2000 or better For down level clients and servers, NTLM authentication will be used Internet Authentication Service can be used for a variety of applications: as a RADIUS server or proxy, to authenticate network hardware like switches, and to provide remote access and VPN authentication To provide authentication for web applications, you can implement either SSL/TLS for standards-based encryption that is recognized by a wide range of browsers and platforms, or Microsoft Digest that is specific to Internet Explorer version or later Using Smart Cards • • • Microsoft Windows 2003 relies on its Public Key Infrastructure (PKI) and Certificate Services to facilitate smart card authentication Smart Card certificates are based on the following three certificate templates: the Enrollment Agent certificate used to create certificates for smart card users, the Smart Card Logon certificate that provides user authentication only, and the Smart Card User certificate that allows for both authentication as well as data encryption Several Group Policy settings are specific to smart card implementations, while other account policy settings will also affect smart card users Frequently Asked Questions ID_MANAGE_05.doc Page 50 of 52 Q: How can I configure a smart card user to be able to temporarily log onto the network if they’ve forgotten their card? A: In the user’s Properties sheet within Active Directory Users and Computers, make the following changes on the Account tab: Clear the check-mark next to Smart Card is Required for Interactive Logon Place a check-mark next to User Must Change Password at NextLogon Finally, right-click on the user object and select Reset Password Inform the user of their new password, and that they will need to change it the first time they log on Q: What weaknesses does the Kerberos authentication protocol possess? A: The largest concern to be aware of when using Kerberos authentication centers on the physical security of your Key Distribution Centers, as well as your local workstations Since Kerberos attempts to provide single sign-on capabilities for your users, an attacker who gains access to your workstation console will be able to access the same resources that you yourself are able to Kerberos also does not protect against stolen passwords; if a malicious user obtains a legitimate password, he or she will be able to impersonate a legitimate user on your network Q: What are the advantages of implementing a “soft lockout” policy versus a “hard lockout” within the account lockout policies? A: A hard lockout policy refers to an account lockout that must be manually cleared by an administrator This provides the highest level of security, but carries with it the risk that legitimate users will be unable to access network resources – you can effectively create a denial-of-service attack against your own network A soft lockout that expires after a set amount of time will still help to avert password attacks against your network, while still allowing legitimate users a reasonable chance to get their jobs done For example, if your account lockout policy specifies that accounts should be locked out for one hour after two bad logon attempts, this will render even an automated password-guessing utility so slow as to be nearly ineffective Q: My organization is in the planning stages of a smart card rollout What are the security considerations involved when setting up a smart card enrollment station? A: Since a smart card enrollment station will allow you to create certificates on behalf of any user within your Windows Server 2003 domain, you should secure these machines heavily, both in terms of physical location and software patches Imagine the damage that could be wrought if a malicious user were able to create a smart card logon certificate for a member of the Domain Admins group, and use it to log onto your network at will Q: How can I convince my users that the company’s new smart card rollout is something that is protecting them, rather than simply “yet another stupid rule to follow”? A: One of the most critical components of any network security policy is securing “buy-in” from your users: a security mechanism that is not followed ID_MANAGE_05.doc Page 51 of 52 is little more useful than not having one to begin with Try to explain the value of smart card authentication from the end-user’s perspectives: if you work in a sales organization, ask your sales force how they would feel if their client contacts, price quotes and contracts fell into the hands of their main competitor In a situation like this, providing a good answer to “What’s in it for me?” can mean the difference between a successful security structure and a failed one ID_MANAGE_05.doc Page 52 of 52 ... Understanding Current Policy Standards • Creating Corporate Security Policies • Implementing and Enforcing Corporate Security Policies • Reviewing Corporate Security Policies Chapter Planning and Implementing. .. shortcut trusts, and cross-forest trusts Chapter Managing and Maintaining an Active Directory Infrastructure Solutions in this chapter: • • • • • • • • Manage an Active Directory forest and domain... Identity and Authentication Solutions in this chapter: Identity Management Identity Management with Microsoft’s Metadirectory MMS Architecture Password Policies User Authentication Single Sign-on Authentication