Document: Windows 2000 Security (docx)

Windows 2000 Security

This chapter starts you off with a discussion on the need for powerful distributed security before introducing you to the specifics of Windows 2000 distributed security services. It also reviews the new Windows 2000 security protocols, and protection of services and data.

Windows 2000 Security

While the new era of computing and Windows 2000 will bring forth many benefits, it will also herald dastardly attempts to rob you, beat you up, and shut you down. There are many forces out there that have only one thing on their evil minds, and that is to find any way to break into your network to plunder and pillage. Before you start building your new corporate infrastructure around Windows 2000, it will pay for you to become thoroughly versed in the security mechanisms the operating system offers and how to go about locking down your assets.

Without a doubt, it is probably the most secure operating system available today. Not only has it inherited the Windows NT C2 security compliance, which was a ton of work for Microsoft and set the stage for a secure Windows 2000, but also, if there were showbiz awards for security, Windows 2000 would clean up at the Oscars, the Golden Globes, the Grammies, and more. But before we get into Windows 2000 security specifics, let’s look at the problem holistically, then you can evaluate your current security status before devising a security plan.

You have probably heard the term everywhere, so what does C2 security mean to you, the network or server administrator? Absolutely nothing. C2 security is nothing more than a U.S. government sanction. The United States keeps a series of “books” that grade the security levels of operating systems.
Chapter 3. In This Chapter: Encryption; Kerberos; IPSec; Microsoft Certificate Services; Logon and Authentication.

Windows NT passed with distinction because it was able to demonstrate compliance with the C2 specifications. These specifications include object ownership, object protection, audit trail, memory protection, and user identification, all of which are discussed in various places in this book. C2 is defined in the so-called “Orange Book,” which is really titled the Trusted System Evaluation Criteria. C2 evaluation checks to see how secure a computer really is. However, C2 only applies to standalone computers. Microsoft is also testing to the specifications for network computers (Red Book and Blue Book). Microsoft has gone above and beyond C2 with Windows 2000.

So the term is really meaningless. The operating system is not C2 out of the box. Everyone has access to everything. A vendor or security service provider has to set up a machine and the OS to be C2-compliant. This means locking down objects, setting up audit trails, creating user accounts with a secure password philosophy, and so on. Only when a machine has been fully locked down can it be rated as C2-compliant . . . no matter if it’s a washing machine or a file server.

C2 security meant a lot to Windows NT, and whatever hoops and hurdles Microsoft went through and over to gain C2 security are not lost in Windows 2000. However, we are now playing away from home . . . the field is the Internet, and the game is e-commerce. You have high-powered security protocols to configure, and you have lots more room to drop the ball. Another reason that C2 is not important to you is that, as mentioned earlier, out of the box Windows 2000 is as locked down as the space above your head. You have to lock down every aspect of it; the network is only as secure as you make it.
If Windows 2000 is not properly configured, claiming awards like C2 will not get you out of a jam when a hacker pulls your pants down on the Internet. We know we are being blunt, but security is part of the day-to-day life of a network administrator. If you don’t have a security problem, you don’t have a network.

The Need for Security

If you are new to network administration in general and Windows 2000 (and NT) in particular, then before you devise a security plan, you need to understand the risks to your network and yourself. Unless you plan to hire a security expert, you will probably have to come up with a plan yourself. Chances are your company will ask this of you . . . your superior will assume that you are well versed in the subject. If you are well versed in the security threat, you can skip this part and go directly to the section titled “Rising to the Challenge.”

Note: A company’s data is its lifeblood, and it needs to be vigorously protected. As the network administrator, you will be required to ensure that data is kept confidential and that it can be relied upon. There are numerous mechanisms in place to assist you with respect to data integrity and confidentiality, and they range from sensible access control policy to encryption, backup, and availability.

Data Input

Data is vulnerable to attack and capture from the moment a person types in a user ID and password. How often have you had to enter a password while someone was standing over your shoulder? You try to type as quickly as you can, but spies will watch you typing and pick up your passwords quicker than you think. Then, when you are not at your desk, they will get your user ID from the memo field at the sign-in screen and masquerade as you from any computer, anywhere.

The new smart card technology has been introduced in Windows 2000 and is discussed later in this chapter.
With a smart card, the user is authenticated without risking being compromised because the thief needs the card to complete the hack. Smart card readers offer one of the most sophisticated domain authentication solutions available to Windows 2000.

Data Transport

The PC’s or input device’s operating system must transport the information down the network stack to the transport, all the way to the domain controller’s (DC’s) network interface and up the DC’s respective stack. All along this route, the data is vulnerable to interception. If the data is not encrypted, or is encrypted very lightly, there is a risk that a person tapping the network will be able to pick up conversations between your input device and the domain controller, or any other partner for that matter. To counter this, Windows 2000 employs extensive encryption technology both in data and network communications, and in file storage and protection.

Why the Threat Exists

There are many reasons people threaten your security. Let’s look at a short list of threats that you are most likely to encounter during your life as a Windows 2000 Server administrator:

1. Espionage: People need to break into your communications realm to learn company secrets, employee secrets, product plans, financial situation, strategy, and so forth. This level of threat is the most virulent. The attackers have strong motives to get the attack under way and to ensure they succeed. The attackers do not want to be discovered and will continue to hide in your environment as long as they need to. The damage is often irreparable if the attackers are undiscovered. This is the most difficult form of attack to counter because, for the most part, you do not know where they are hitting you or why. While bugging devices and spying are not usually the responsibility of the network or server administrator, espionage via the network is becoming more probable every day because it is so easy and it is where all the jewels are located.
Over the network, hackers will read files and e-mail, and try to log in to databases wherever they can to steal credit card numbers, bank account numbers, and so forth. An attacker can, for example, find out the password of your voice mail system and then listen to your messages.

2. Denial of Service (DoS): These attackers are intent on destroying you. They can attack your physical premises or locations, which is becoming harder to do all the time, or they can target your network, which is becoming easier to do because you are connected to the Internet or because you provide users with remote access. This is fast becoming the favored means of attack for stopping your work: firstly, because of the dependency your company has on the network, and secondly, because the attacker does not need to be physically present for the attack. DoS attacks are made by flooding your network portal (targeting your gateway to the Internet) with massive floods of e-mail, or with SYN attacks, which are the low-level communication barrages that suck up all the server’s resources, finally causing it to crash. Sometimes the objective is to crash the server just to trigger backdoor code that spawns a process. There could be a million places on a network to hide a sliver of code that gets executed when certain files are loaded. Good examples are the boot files and startup files like AUTOEXEC.BAT.

3. Hostile Applications: Hostile applications are placed on the Internet for unwary surfers to download. Upon execution of the code on your internal network, the application can begin its dirty work, which for a while might be to do nothing that can cause it to be detected, but rather to find information that would be valuable to the attacker. Such applications are also called Trojan horses.

4. Virus Attacks: By far, the most visible attack on the network comes in the form of viruses.
Contrary to the claims that there are tens of thousands of viruses, only a handful of virus writers can actually claim to have invented one from start to finish. Most virus authors are not as brilliant as you may have been led to believe; they are just copycats. However, this information does not provide any relief. A lot of virus code is available on the Internet to be freely downloaded, manipulated, and enhanced or packed with a payload. This is the reason we see so many variations of viruses every month. Some can be detected by anti-virus software such as NetShield and cleaned up; others are more sinister, such as Backdoor-G, which can only be picked up by the anti-virus software after it has delivered its payload. Not only does it wreck your PC before it can be detected, but it also first attacks the anti-virus software.

Threats emanate from two locales: the external environment and the internal environment. These two environments can be easily defined as follows:

✦ The external environment: The threat comes from people who have no contractual status with the enterprise. They are complete strangers. The attack comes from the outside.

✦ The internal environment: The threat comes from people who have a relationship with the company, from employees to contractors to customers. The attack usually comes from the inside. In some cases, it comes from the outside, with inside information. Other times, the threat is not born out of revenge or criminal intent, but ignorance.

The External Environment

Not too long ago, the only way to threaten or attack an organization, its people, or its business was through some sort of physical act. This is no longer the case. It costs far less money and is much safer for a hacker to stay in a safe haven and attempt to break into a network through a RAS portal or connection to the Internet.
For many, it means the possibility of financial reward; for others, it has to do with some form of demented feeling of achievement. Now that many small companies can afford dedicated connections to the Internet, the pickings have become very attractive. While we have not yet realized the paperless office, almost all data is placed on the network in share-points and databases. The network and server storage silos are thus loaded with valuable information.

Attackers also no longer need to proactively choose their targets. They create hostile code that gets inadvertently downloaded from the Internet and gets executed by a number of mechanisms, from rebooting to the mere act of unzipping a file. The code then can gather intelligence and send it to its master. It is therefore essential that you establish policy to ensure that code downloaded from the Internet is authenticated and signed with the digital signature (a public key) of a trusted software publisher.

E-mail is now very much tangible property, and it can be used in court cases as evidence and as a source of information that can be used to plan an attack on a person or an organization. We all communicate more by e-mail than we do by snail mail, yet e-mail is treated like a postcard. We do not enclose our messages in an envelope and seal it. We just put it in the mail for anyone to look at. E-mail needs to be secured on two levels. We need to be sure that the people with whom we communicate are really who they say they are. And we need to be sure that our e-mail is not being read or changed as it traverses the net. It is very easy to trace the route a message takes over the Internet and penetrate e-mail systems. Securing e-mail is becoming essential and falls under the auspices of public key encryption, discussed shortly.

The Internal Environment

The internal environment threat comprises employees who are either malicious, stupid, or who make honest mistakes.
Threats range from outright misuse of privileges to total ignorance or stupidity. For example: The perpetrator of outright misuse of privileges has administrative rights on the network and provides him or herself access to sensitive data. The ignorance factor often involves users failing to keep anti-virus software current, or downloading all forms of rubbish from the Internet, thereby introducing malicious content to the network from the external environment. Outright stupidity and honest mistakes that often cause headaches for administrators are usually deleted files, corrupted databases, deleted mailbox folders, and the like. Deleted data can usually be recovered from backups, as long as the backup regimen is well practiced in your company. Most of the time, having to keep recovering deleted files is simply administrative time wasted. Often, the problems are not user-related issues at all, but just bad management on the part of a lazy network or server administrator.

Rising to the Challenge

Over the years, there has been a lot of discussion about the security capabilities of Windows NT. Microsoft has often been criticized for not delivering a more secure operating system when, in fact, the opposite is the case. But it has not been all Microsoft’s fault. For starters, the U.S. government has for years not allowed the export of 128K-bit encryption algorithms . . . although that did not deter many organizations from smuggling out the software. And as for the comparison with UNIX, UNIX systems are more at risk today than Windows 2000. Since the UNIX source code is open for all to see, many hackers can read the code to look for weak points and plot their attacks. Server for server, there are still more UNIX machines on the Internet than Windows NT or Windows 2000 machines.
On Windows NT, hackers resort to scanning network communications to look for information with which to replay attacks. Data interception was and still is a common form of attack against an NT network. For Windows 2000 to compete and even excel over the competition in the risky and exposed world of e-commerce, it needed to be the most secure operating system. The following sections explore the standard Windows 2000 security mechanisms Microsoft has implemented in Windows 2000:

✦ Kerberos
✦ IPSec
✦ PKI
✦ NT LAN Manager (NTLM)

Note: All the fancy encryption algorithms you use will be useless if your server stands in the middle of an open-plan office for anyone to plunder or sneak out. Unless a server or key systems and data storage are locked up behind secured barriers, you might as well forget the rest of this chapter.

Before you tackle the protocols, you need to get up to speed on the cloak-and-dagger stuff.

Encryption 101

This is a true story. A man walked into a diner one morning and ordered fried eggs. When the eggs were delivered, he changed his mind and advised the waitress that he had ordered scrambled eggs. The waitress, peeved at the cheek of the client, picked up a fork and with a quick whipping movement rendered the eggs into an unrecognizable heap. “There, now they are scrambled,” she said, and stormed off.

The action of rendering the eggs into an unintelligible mess is known as scrambling. Data is scrambled in similar fashion; we call it encryption. At first, the data is in whole recognizable form, often called plain text, like the fried eggs. The motion to scramble them is known as the algorithm . . . and the result is often termed cipher text. In the anecdote, the algorithm is the technique, style, or “recipe” by which the waitress used her wrist and fork to turn a perfect pair of sunny-side-ups into a mound of yolk and white.
If she only took a few stabs at the eggs, the patron might be able to claim he still had fried eggs (not a strong encryption algorithm). Knowing the key that reverses the process is vital to the recovery of the data, but that is the only difference between egg scrambling and data scrambling. If we knew how to unscramble eggs, Humpty Dumpty might still be alive, and our world would be very different.

In computer science, the standard that governs the techniques and recipes for encryption of data is known as the Data Encryption Standard (DES). DES data encryption algorithms (DEAs) specify how to encrypt data and how to decrypt that data. A number of important bodies, such as ANSI and the National Institute of Standards and Technology (NIST), govern the specifications for DES. Each algorithm is rated according to the strength of its encryption ability (and its resistance to duplication, or to attack on the encryption/decryption key). DES, actually the DEAs, needs to be continuously improved because the codes are often cracked by encryption experts (for science and crime). New standards are on the horizon, and soon the Advanced Encryption Standard (AES) will replace DES. Other standards governed by these bodies include the Digital Signature Standard (DSS) and the Digital Signature Algorithm (DSA).

Note: Incidentally, the U.S. government does not regulate encryption. For more information on encryption standards, see the RSA Laboratories Web site at www.rsasecurity.com.

Cryptography

Cryptography dates back more than 4,000 years. Over the past millennia, it has protected many a culture’s communications and has brought them through wars, treaties with neighbors, and more. In recent years, electronic data communications have escalated to such volume and importance in our lives that without electronic or digital cryptography we would not be able to continue on our logical course.
In fact, we owe our computerized environment to cryptography. If you have time during the locking down of your networks, you should read the biography of Alan Turing, who directed the British to build the first digital computers to break the Germans’ Enigma code.

Pretty Good Privacy (PGP) is a software program written originally and distributed illegally for no financial gain by Phil Zimmermann, who believed that the cryptography algorithms that were being protected by patents should be made public property . . . worldwide. He created PGP back in 1991, and over the years, it was disseminated around the world on the “undernet.” Even though its export was expressly forbidden by the U.S. government’s International Traffic in Arms Regulations, which classified his software as a munition, it became available everywhere on bulletin board systems and the first pioneer sites of the World Wide Web. In the last decade, PGP was pretty much the only means of securing data and communications on the Internet and corporate networks of the world.

But encrypting data always required a user to make an effort to secure communications. Lethargy and lack of knowledge have always left room for error and holes. Only with the incorporation of the encryption algorithms in the very core of the operating systems and standards-based network protocols would encryption become as pervasive and as transparent as air.

We have come a long way since Phil Zimmermann risked detention to make the slogan “encryption for everyone” a reality. Today, Windows 2000 incorporates it extensively. Only you, the administrator, need to ensure that it is configured correctly, through security policy, and everyone on the network will be able to use it, without even knowing it exists. Before we look at this native support for cryptography in Windows 2000 and how it is used, here is some cryptography 101.

Keys

Cryptography is a lock, a means of securing information by rendering it undecipherable without a key.
The key, or cryptographic key, is held closely by people sending and receiving the communication. The following is the simplest example of cryptography:

The communication: Package color baby burger

The key:
Package = meet
color = same
baby = grand central station
burger = 14:00 hours

Deciphered: meet me at the same place at Grand Central station at 2 p.m.

Obviously, if you have the key, you can unlock the code and decipher the message.

Private Keys

Private key encryption is also known as symmetric key encryption or just conventional cryptography. This encryption uses the same key to decrypt and encrypt the data. In other words, the key you use to lock the door is the same key you use to unlock the door. In the previous example, both the sender of the message and the receiver share a common codebook or key. The sender encodes the message with the key, and the receiver decodes the message with the same key. This form of encryption is not the most secure in the public domain, because for widespread communications, numerous parties must hold the key. As soon as the key falls into the wrong hands, all bets are off. But it can be used in network authentication where the compromising of a key is highly unlikely.

Public Keys

Public key encryption uses two keys. One key is public, and the other is private. Both keys can encrypt data, but only the private key can decrypt the data. To be pervasive, the technology depends on a public key infrastructure (PKI), which Windows 2000 now supports (more about PKI later). A mathematical process is used to generate the two keys, and the keys are related to each other by the product of that mathematical process. So the message encrypted with one key can be decrypted only with the other. This is how it works: You want to send an encrypted message. The receiver has a public key, which he or she makes publicly available for encrypting messages.
You encrypt the message using the public key and send it. When the receiver gets your message, he or she can decrypt it using the private key, which is mathematically related to the public key. No one, including you, can decrypt the message with the public key. It goes without saying that the private key must be closely held or your messages will be compromised.

Session Keys

The chief problem in making public keys widely available is that the encryption algorithms used to generate public keys are too slow for the majority of just-in-time communications (there are numerous algorithms used to create the keys, but the technology is beyond the scope of this book). For this reason, a simpler session key is generated, and it in turn holds the “key” to the encrypted data.

1. A session key is randomly generated for every communication that requires encryption. A key distribution authority (or the originator of the communication, or a vouchsafe process) creates the session key for the communication or message.
2. The data is encrypted with the session key.
3. The session key is then encrypted with the recipient’s public key. The encryption of the data by the session key is a thousand times faster than the encryption of the data by the public key.
4. The encrypted data and the encrypted session key are then sent to the receiver, who can decrypt both by first decrypting the session key with the secret key and then decrypting the data with the session key.

Key Certificates

Key certificates are containers for public keys. Key certificates usually contain the public key of the recipient, the identity of the creator of the public key, the date the key was created, and a list of digital signatures.

Digital Signatures

We sign most things we do in the material world, so why not in the digital world? Most of us spend our working lives in cyberspace.
Our customers deal with us on the net, they buy from us on the net, and they expect that when they send us confidential communications, they are sending it to the right people. We also want to know that when someone sends us a message, hits our Web site, or connects to our computers that they are who they say they are. We also need to use digital signatures to prevent repudiation. In other words, if someone places an order with you over the World Wide Web or via e-mail, or enters into some form of contract with you, they should sign the document so that they cannot turn around later and repudiate the transaction.

It is also not always necessary to encrypt a message, which taxes computer resources. Sometimes, the message or data content or information is not sensitive. Sending someone a publicly available encrypted price list would be an absurd idea. But what if someone intercepted that message and changed the content, which would affect the relationship? What if someone sent you a message saying, “Mary just had a little lamb,” and a jokester intercepted the message and changed the content to read, “Mary just ate her little lamb?” The effects could be devastating.

[...] these protocols have to offer. Windows 2000 security is also so extensive that it is possible to get bamboozled in your efforts to provide the ultimate security. As you learn more about the capabilities of Windows 2000, you’ll discover that the adage “less is more” applies to many Windows 2000 Server components in general and Windows 2000 security in particular. The subject of security planning is therefore [...]
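The four session-key steps and the tampered “Mary” message from the Digital Signatures discussion above, worked through in Go as an added example (this is not code from the book or from Windows 2000). The concrete algorithms are my choice, not the chapter’s: AES-GCM as the symmetric cipher, RSA-OAEP to wrap the session key, RSA-PSS for the signature; the keys and messages are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what step 4 sends: data under the session key, session key under the public key.
type Envelope struct {
	WrappedKey    []byte // session key encrypted with RSA-OAEP
	Nonce         []byte // AES-GCM nonce, fresh for every message
	EncryptedData []byte // AES-GCM ciphertext plus authentication tag
}

// GenerateKeys makes a demo RSA key pair (real keys would come from a certificate store).
func GenerateKeys() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs steps 1-3: random session key, symmetric encryption of the
// data, then public-key encryption of the session key alone.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // step 1: a 256-bit AES key and 96-bit GCM nonce for this message only
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil) // step 2: bulk data through the fast cipher
	// step 3: only the 32-byte session key goes through the slow public-key operation
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, EncryptedData: ciphertext}, nil
}

// Open is the receiver's half of step 4: unwrap the session key with the private key,
// then decrypt the data. A wrong private key fails the unwrap; a modified ciphertext fails the GCM tag check.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.EncryptedData, nil)
}

// Sign leaves the message readable (a price list) but binds a signature to its exact
// content and to the signer's private key: integrity and non-repudiation without encrypting the data.
func Sign(signer *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig was made over exactly this message by the holder of the key matching pub.
func Verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	receiver, sender := GenerateKeys(), GenerateKeys()
	env, _ := Seal(&receiver.PublicKey, []byte("meet me at Grand Central at 2 p.m."))
	plain, err := Open(receiver, env)
	fmt.Printf("receiver opens: %q (err=%v)\n", plain, err)
	sig, _ := Sign(sender, []byte("Mary just had a little lamb"))
	fmt.Println("tampered verifies:", Verify(&sender.PublicKey, []byte("Mary just ate her little lamb"), sig))
}
```

Open also fails when any key other than the receiver’s private key is presented, and Verify fails under anyone else’s public key, which is the “only the private key can decrypt” and non-repudiation behaviour the text describes.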
[...] In Windows 2000, the default authentication and security protocol between Windows 2000 machines is Kerberos. By continuing to support down-level or legacy Windows technology, you obviously leave room for infiltrators to maneuver; but that does not mean NTLM is a weak protocol. After all, it has kept Windows NT networks together for many [...] formalize a treaty before the two forests and domains will be able to trust each other. Windows NT does not have a treaty with Windows 2000, partly because it speaks the wrong security language; that is, NTLM. In order for Windows 2000 and Windows NT users to exchange vows, you have to set up a bilateral trust. Windows 2000 will talk to NT using NTLM. Setting up trusts is awkward, and whenever mistrusting [...] controllers can explicitly vouch for the users. Trusts between Windows 2000 forests, Windows 2000 and Windows NT, and Windows 2000 and other realms involve manual setup between each domain’s or realm’s respective administrator. The process that takes place in the UNIX or IRIX realm may be very different to the setup that takes place between Windows 2000 realms. When planning the physical layout of the network, [...] users, it will pay for itself in TCO and security.

Note: For further information on smart cards and Windows 2000, see the Smart Card White Paper “Smart Cards” at www.microsoft.com/technet/win2000/smtcard.asp. RSA Laboratories at www.rsasecurity.com is also a good starting point for smart card research.

Domains

Let’s look at the basics [...]
[...] customs.

Windows 2000 Logon

When a user or machine logs onto a domain, he or she or it interacts with a collection of functions that make up the Windows Logon service, better known in development circles as WinLogon. WinLogon is now fully integrated with Kerberos, which provides the initial Single Sign-On architecture now part of Windows 2000. [...] resource.

The implementation of Kerberos in Windows 2000 is fully compliant with the Internet Engineering Task Force’s (IETF) Kerberos v5, which was originally developed by MIT. This specification is supported by many, which means that tickets issued in a Windows 2000 domain (now also known as a Kerberos realm) can be passed [...] network applications and services. Made possible by Kerberos and Active Directory, Single Sign-On is supported in SQL Server 2000 and Exchange 2000, and is supported by trusts set up between realms implemented by other operating systems and Windows 2000. It is the very reason that Windows 2000 trusts — between domains that share a common root or forest — are transitive.

Psst, This Is How Kerberos Works

Kerberos [...] located. In a Windows 2000 domain, the KDC is usually installed on the Active Directory server. They are not connected in terms of application process space and run as separate services. However, since the KDC is always installed on the DC, it is possible to resolve a KDC by looking up the host address of a domain controller. It is also possible to install Windows 2000 servers in non-Windows 2000 domains, [...]
[...] attached to the security protocol its client software best understands, which could be Kerberos, NTLM, or Secure Sockets Layer/Transport Layer Security. These protocols transparently move the user’s identity around the network. The authentication model of Windows 2000 is the same as Windows NT and almost every computer system in the world. (Refer to Chapter 10 for a discussion on the Local Security Authority.) [...]

Posted: 10/12/2013, 16:15
