Securing Windows Server 2003
By Mike Danseglio

Publisher: O'Reilly
Pub Date: November 2004
ISBN: 0-596-00685-3
Pages: 456

If you use Windows 2003 Server at a small to medium-sized organization, or use Microsoft's Small Business Server, this thorough yet concise tutorial offers the hands-on advice you need for securing your network. Securing Windows Server 2003 not only shows you how to put Windows security tools to work, but guides you through ways to plan and implement a secure operating environment.

Table of Contents

Copyright
Preface
    What's in This Book?
    Audience
    About This Book
    Conventions Used in This Book
    Assumptions This Book Makes
    Comments and Questions
    Acknowledgments
Chapter 1 Introduction to Windows Server 2003 Security
    Section 1.1 What Is Security?
    Section 1.2 What Is Windows Server 2003?
    Section 1.3 Security Design in Windows Server 2003
    Section 1.4 Security Features in the Windows Server 2003 Family
    Section 1.5 Summary
Chapter 2 Basics of Computer Security
    Section 2.1 Why Computer Security Is Important
    Section 2.2 Security Enforcement Mechanisms
    Section 2.3 POLA: The Principle of Least Access
    Section 2.4 Key-Based Cryptography
    Section 2.5 Authorization and Authentication
    Section 2.6 Password Basics
    Section 2.7 Network Security
    Section 2.8 Keeping Your Eyes Open
    Section 2.9 Summary
Chapter 3 Physical Security
    Section 3.1 Identifying Physical Security Vulnerabilities
    Section 3.2 Protecting Physical Assets
    Section 3.3 Holistic Security: Best Practices
    Section 3.4 Summary
Chapter 4 File System Security
    Section 4.1 Protecting Files with NTFS File Permissions
    Section 4.2 Protecting Data with the Encrypting File System
    Section 4.3 Protecting System Information with Syskey
    Section 4.4 Summary
Chapter 5 Group Policy and Security Templates
    Section 5.1 What Is Group Policy?
    Section 5.2 How Group Policy Works
    Section 5.3 How Do Security Templates Work?
    Section 5.4 Using Group Policy to Enforce Security
    Section 5.5 Using Security Templates to Deploy Secure Configurations
    Section 5.6 Summary
Chapter 6 Running Secure Code
    Section 6.1 Identifying Secure Code
    Section 6.2 Driver Signing
    Section 6.3 Software Restriction Policies
    Section 6.4 Summary
Chapter 7 Authentication
    Section 7.1 LAN Manager and NTLM
    Section 7.2 Kerberos
    Section 7.3 Summary
Chapter 8 IP Security
    Section 8.1 What Is IP Security?
    Section 8.2 How Does IPSec Work?
    Section 8.3 Microsoft's Implementation of IPSec in Windows Server 2003
    Section 8.4 Using IPSec Correctly
    Section 8.5 Summary
Chapter 9 Certificates and Public Key Infrastructure
    Section 9.1 What Are Certificates?
    Section 9.2 What Do I Do with Certificates?
    Section 9.3 What Is a Certification Authority?
    Section 9.4 Deciding Between Public and Private Certification Authorities
    Section 9.5 Implementing a Public PKI
    Section 9.6 Planning Your Private Certification Hierarchy
    Section 9.7 Implementing a Private Certification Hierarchy
    Section 9.8 Maintaining Your Hierarchy
    Section 9.9 Summary
Chapter 10 Smart Card Technology
    Section 10.1 What Are Smart Cards?
    Section 10.2 Using Smart Cards
    Section 10.3 Summary
Chapter 11 DHCP and DNS Security
    Section 11.1 DHCP
    Section 11.2 DNS
    Section 11.3 DNS and DHCP Together
    Section 11.4 Summary
Chapter 12 Internet Information Services Security
    Section 12.1 What Is IIS?
    Section 12.2 How Does IIS Work?
    Section 12.3 Using IIS Securely
    Section 12.4 Summary
Chapter 13 Active Directory Security
    Section 13.1 What Is Active Directory?
    Section 13.2 Structural Components of Active Directory
    Section 13.3 Domain Controllers
    Section 13.4 Default Security Through GPOs
    Section 13.5 Providing Security for Domains
    Section 13.6 Providing Security for Forests
    Section 13.7 Providing Security for Active Directory Objects
    Section 13.8 Providing Security for Domain Controllers
    Section 13.9 Summary
Chapter 14 Remote Access Security
    Section 14.1 What Is Remote Access?
    Section 14.2 Controlling Access
    Section 14.3 Authentication and Encryption Protocols
    Section 14.4 Virtual Private Networks
    Section 14.5 Example Implementations for Remote Access
    Section 14.6 Summary
Chapter 15 Auditing and Ongoing Security
    Section 15.1 Security Policies and Procedures
    Section 15.2 Auditing
    Section 15.3 Operating System Updates
    Section 15.4 Summary
Appendix A Sending Secure Email
    Section A.1 What Is Secure Email?
    Section A.2 How Does Secure Email Work?
    Section A.3 Considerations for Secure Email
    Section A.4 Secure Email Implementation
    Section A.5 Summary
Colophon
Index

Copyright © 2005 O'Reilly Media, Inc. All rights reserved. Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Securing Windows Server 2003, the image of a wandering albatross, and related trade dress are trademarks of O'Reilly Media, Inc.

Microsoft, MSDN, the .NET logo, Visual Basic, Visual C++, Visual Studio, and Windows are registered trademarks of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Preface

As the title implies, this book is about security in the Windows Server 2003 operating system and how to put it to work on behalf of your organization and your users. Windows Server 2003 has quite a number of uses. It can serve in a network support role, supplying services such as DHCP and DNS. It can take a more active part in object management, such as when used as an Active Directory domain controller. It can also serve as a personal operating system, since it is so closely tied with its brother, Windows XP. In this role, it
might provide security of local data and host-based network communications.

I've broken down the book by technology. Each chapter covers one or more of the technologies that Windows Server 2003 provides. Most of these, such as IPSec, are primarily security-focused. However, some, such as DHCP, are not. Each chapter answers three questions about the technology it covers:

What the technology is and how it's used
    Each chapter begins with a brief introduction to the technology. If you have no idea what this technology does, this is a quick way to learn about it. I don't bore you with marketing spin or polished terms. I just tell you what the technology does and what a few of the most likely uses might be.

How the technology works
    To understand a technology's security implications, you usually need to know how it works. This section is kept deliberately brief and sometimes excludes details that you don't need to know. I do this, not to keep you in the dark, but to make sure that you're focused on how the thing works and that you don't bog down in minutiae that, in your job and scope, would be useless and distracting.

How to use the technology properly to serve your system
    Through lots of research and direct interaction, the book's contributors and I have come up with a set of common uses for the technologies detailed in this book. All of these are based on real experience, not theoretical environments or marketing-based blue sky scenarios. I take you through these examples and show you exactly how to get the desired results. In most cases, I provide a keystroke level of detail to ensure you don't miss a thing.

Of course, all possible scenarios can't be covered in this book. Because the different Windows components can be configured so many ways, it would be impossible to present all approaches to all possible scenarios. But the content of this book should provide more than enough information for you to make decisions on the technologies as well as test and understand them.

One thing you'll see in this book that you may not have seen before is Security Showdown sections. This is a point-counterpoint debate between myself and a semifictional coworker, Don. I use it several times throughout the book to show that some debates about security methodologies and techniques are not easily answered. Some of them are so contentious that they seem like religious debates at times. You should understand that security-focused individuals tend to have opinions about security and that they like to argue with people who hold different values. These are good-natured and often help explain both positions. So please read these sections as I've intended, as an open discussion of the merits and hazards of multiple tactics to achieve the same goal.

What's in This Book?

This book consists of 15 chapters and an appendix. Here is a brief overview of each chapter:

Chapter 1
    This chapter sets the stage for the book by providing an introduction to Windows Server 2003.

Chapter 2
    This chapter covers basic computer security concepts, including cryptography and fundamental practices for security administrators.

Chapter 3
    This chapter covers various aspects of physical security, which is essential for any data security to succeed.

Chapter 4
    This chapter is all about securing files with Encrypting File System and other file-oriented technologies.

Chapter 5

technology-based enforcing with Group Policy for files, provided by NTFS importance of lack of, in DHCP layered for networks physical [See physical security] problems with web servers providing for Active Directory objects domain controllers domains forests remote access and its risks smart cards and for wireless networks Security Accounts Manager [See SAM] Security Association (SA) and IPSec drivers security breaches, reducing likelihood of Security Configuration and Analysis (SCA) toolset analyzing security settings creating SCA console creating security databases importing security templates security databases analyzing security settings creating
creating templates from importing security templates security design in Windows Server 2003 security enhancements in Windows Server 2003 Enterprise Server Edition Standard Server Edition and Windows XP 2nd security features in Windows Server 2003 security identifiers (SIDs) Security Log verifying IPSec operation with IKE logging security policies 2nd attributes of benefits of common characteristics of components of creating keeping passwords secret monitoring political aspects of security procedures benefits of creating monitoring security settings analyzing audit policy, controlling built-in security templates and controlling identifying security needs password policy, controlling Security Showdown EFS data recovery strategies Group Policy philosophy two-tier vs three-tier PKI security templates built-in creating your own deploying secure configurations with deploying, using Group Policy effective use of Group Policy and how they work importing not available on older systems upgrading domain controllers and use with caution vs Group Policy security tokens on client computers selective authentication self-signed certificates senior management creating security policies obtaining approval of defined procedures server certificates Server Side Includes, security risks with servers as risk factors DHCP interactions with clients restricting to highly secure communication securing 2nd security auditing for storing shared encrypted files on service accounts avoid using Administrator accounts as for DHCP servers, creating protecting service tickets, maximum life for services needed for domain controller replication for IPSec traffic across firewalls session key perfect forward secrecy (PFS) Setup Security template setupsecurity.inf template shared computers, local file security for shared encrypted files, storing on file servers shared files, setting permissions for shared secret key cryptography supported by Windows Server 2003 for IPSec communication shoulder surfing 
sid2user tool SIDs (security identifiers) disallowing SID/name translation object security and ACLs SID filtering signed code dangers of unsigned code device drivers and how it works Simple Certification Enrollment Protocol (SCEP) sites (Active Directory) skew time smart card readers smart cards 2nd Active Directory security and authenticators and biometric technology and blank, purchasing cryptography, ideal for deploying PKI first distributing enrolling users of how they work implementing issuing logon process lost/damaged preparing to issue private keys and 2nd reauthenticating removal from reader, setting policy for requirements for using simplifying security for users vs passwords 2nd in Windows Server 2003 improvements to SMB file sharing SMB signing vs IPSec SMTP (Simple Mail Transport Protocol) software patches for security vulnerabilities software publishing certificates Software Restriction Policy [See SRP] Software Update Services (SUS) configuring clients installing/configuring server integrating with MBSA splitf.exe file spoofing attacks on DHCP servers on DNS servers 2nd SRP (Software Restriction Policy) 2nd best practices for configuring Group Policy and SSL (Secure Sockets Layer) IIS (Internet Information Services) and public key encryption and vs IP Security stale accounts, cleaning up standalone CA (certification authority) standard DNS zones restricting zone transfers Standard Server Edition of Windows Server 2003, security enhancements in standards vs policies/procedures stolen computers, reality of strong passwords choosing 2nd forcing users with weak passwords to change laptops and for Syskey structural components of Active Directory subnets and sites SUS (Software Update Services) configuring clients installing/configuring server integrating with MBSA suspicious activities, report to security symmetric algorithms symmetric keys synchronization schedules, configuring Syskey utility mode 2, configuring for laptops modes of protection system 
information, protecting with Syskey System Monitor tool

TCP/IP port filtering, configuring TCP/IP stack and IIS (Internet Information Services) TechNet, decrypting descriptions for logged entries technology-based security mechanisms telephone lines as risk factors controlling security vulnerability for templates, security [See security templates] temporary remote access TGTs (ticket-granting tickets) accessing resources on file servers forwardable tickets theft of computers, reality of ticket-granting tickets (TGTs) accessing resources on file servers tickets forwardable maximum life for renewals of user tickets service tickets user tickets proxiable tokens, security traffic, network [See network traffic] transitive trusts Active Directory Windows NT transmissions, securing Transport Layer Security (TLS) and public key encryption traveling with laptops, educating users about trees (Active Directory) triple-DES (3DES) encryption algorithm trojan horses, installed by unsigned code trust relationships, securing trusted forests trusted root certificates Trusted Root Certification Authorities store trusts Active Directory Windows NT two-way trusts (Active Directory)

UDP (user datagram protocol) port 500 2nd unauthorized DHCP servers, monitoring network for unencrypted data, running cipher.exe /w on 2nd unsigned code, dangers of unsigned drivers, restricting use of upgrades, default security for USB drives as risk factors controlling security vulnerabilities user accounts cleaning up, if stale configuring, to access resources group nesting structures, configuring correctly protecting user contexts user datagram protocol (UDP) port 500 2nd user rights, assigning in Default Domain Controller Policy user tickets, maximum life for user2sid tool

VeriSign certification authority virtual network adapters Virtual Private Networks (VPNs) 2nd increasing security for operating theory of protocols setting up VPN server viruses Disallowed security level vs antivirus software preventing from running voice prints, scanned by biometric devices VPNs (Virtual Private Networks) 2nd increasing security for operating theory of placing VPN server behind firewalls 2nd protocols setting up VPN server

weak passwords, forcing users to change web servers log files, reviewing securing, with IP address restrictions security problems with using port filtering on Web Service Extensions, enabling IIS advanced functionality web sites, configuring to use alternate port numbers web-based enrollment WebDAV file sharing WebDAV publishing service, security risks with WebTrends tool whoami command Windows Certificates snap-in Windows Event Log Windows Server 2003 authentication for IPSec communication customizing CA (certificate authority) DHCP Administrators user group security design in security enhancements in Enterprise Server Edition Standard Server Edition security features in Windows XP, common base with Windows Update Windows Update Services (WUS) Windows XP configuring autoenrollment for 2nd security enhancements in 2nd Windows Server 2003, common base with Windows-integrated authentication 2nd wipe command 2nd wireless networks encryption capabilities a must security measures for wiring closets as risk factors securing working group for creating security policies World Wide Web Service WUS (Windows Update Services)

X.509 version 3 (X.509v3) certificate

zone replication control zones (DNS) controlling data replication enabling secure dynamic updates restricting zone transfers setting permissions on ...

If software works on Windows XP, it'll work on Windows Server 2003.

More stable core
    All the work done to make Windows XP a solid and stable operating system benefits Windows Server 2003, as it's simply an extension of that work...

... discussed in depth in Chapter 10.

1.4.1 Security Enhancements in Windows XP and the Windows Server 2003 Family

During the development of Windows XP and Windows Server 2003, Microsoft gave close scrutiny to all security components