Deploying Windows® 2000 Security in Corporate Networks
Brent Lane, OakRidge Consulting Group


Session Prerequisites
  Familiarity with Windows 2000, beta 3 or later
  General knowledge of Windows security and administration principles

Topics Covered
  Windows® 2000 default security
  Single Sign On
  Network authentication
    Kerberos v5
    NTLM v2
  Security Interoperability
  Network data protection

Windows 2000 Default Security Settings

Administrators Versus Users
  Administrators
    Full control of the operating system
    Install system components, drivers
    Upgrade or repair the system
  Users
    Cannot compromise system integrity
    Read-only access to system resources
    Interactive and network logon rights
    Can shut down desktop system
    Legacy application issues
  Power Users
    Have sufficient access to run legacy applications
    Can add files to system directory
    Cannot modify existing system files
    Create, manage non-admin resources: users and groups, file and print shares

Default Group Membership

  Local Group     Default Workstation Members   Default Server Members
  Administrators  Administrator                 Administrator
  Power Users     Interactive Users
  Users           Authenticated Users           Authenticated Users

Secondary Logon
  Run commands as another user without logoff - logon
  RunAs
    Command line: runas /user:MyDomain\Admin cmd
    Shell support
    Optional support for user profile
  Terminal Server – separate console for admin

Windows Single Sign On
  Single account store in Active Directory
  Easier to administer user accounts
  Single user id and password
  Application integration

Kerberos Basic Concepts
  Authentication
  Key Distribution
  Session Tickets
    Requested for each network connection
    Contains authorization data
  Ticket Granting Ticket
    Protected by user's secret key
    Contains session key for KDC

Kerberos Authentication: Interactive domain logon
  (Diagram: workstation, Active Directory and Key Distribution Center (KDC) on the Windows Domain Controller, TGT and NTW ticket)
  1. Locate KDC for domain by DNS lookup for Active Directory service
  2. Use hash(pwd) to sign pre-auth data in AS request
  3. Group membership expanded by KDC, added to TGT auth data
  4. Send TGS request for service ticket to workstation

Kerberos Authentication: Network server connection
  (Diagram: workstation holding TGT, Active Directory and Key Distribution Center (KDC) on the Windows domain controller, Application Server (target))
  1. Send TGT and request session ticket from KDC for target server
  2. Present session ticket at connection setup
  3. Target verifies session ticket issued by KDC
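The two flows above (interactive domain logon and network server connection), as an added toy model in Python that is not part of the original slides: the KDC class, the user alice, the service cifs/fs1 and the seal/unseal routine (a throwaway keystream-plus-HMAC construction, not a real Kerberos encryption type) are all constructed for illustration.

```python
import hashlib, hmac, json, os

def hash_pwd(pwd):                       # user's long-term key = hash(pwd)
    return hashlib.sha256(pwd.encode()).digest()
def _stream(key, n):                     # toy keystream, NOT a real Kerberos etype
    return (hashlib.sha256(key + b"stream").digest() * (n // 32 + 1))[:n]
def seal(key, obj):                      # toy encrypt-then-MAC of a JSON payload
    data = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct
def unseal(key, blob):                   # fails unless blob was sealed under key
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not issued under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))

class KDC:                               # constructed stand-in for the DC's KDC
    def __init__(self, users, services, groups):
        self.users, self.services, self.groups = users, services, groups
        self.key = os.urandom(32)        # KDC's own key protects every TGT
    def as_exchange(self, user, preauth, sig):   # logon steps 2 and 3
        good = hmac.new(self.users[user], preauth, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, good):
            raise PermissionError("pre-authentication failed")
        sk = os.urandom(16).hex()        # session key for client <-> KDC
        tgt = seal(self.key, {"user": user, "sk": sk, "groups": self.groups[user]})
        return tgt, seal(self.users[user], {"sk": sk})  # sk under user's key
    def tgs_exchange(self, tgt, target):         # connection step 1
        t = unseal(self.key, tgt)        # only the KDC can open a TGT
        ssk = os.urandom(16).hex()       # session key for client <-> target
        tkt = seal(self.services[target],
                   {"user": t["user"], "groups": t["groups"], "sk": ssk})
        return tkt, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def server_accept(service_key, ticket):  # connection steps 2 and 3
    t = unseal(service_key, ticket)      # opens only if the KDC issued it
    return t["user"], t["groups"]        # authorization data from the ticket
def logon_and_connect(kdc, user, pwd, target):
    k = hash_pwd(pwd)
    preauth = os.urandom(8)              # stands in for the timestamp pre-auth
    tgt, enc = kdc.as_exchange(user, preauth, hmac.new(k, preauth, hashlib.sha256).digest())
    sk = bytes.fromhex(unseal(k, enc)["sk"])     # client recovers KDC session key
    tkt, enc2 = kdc.tgs_exchange(tgt, target)
    unseal(sk, enc2)                     # client recovers target session key
    return server_accept(kdc.services[target], tkt)

def make_lab():                          # constructed sample domain
    return KDC({"alice": hash_pwd("Pa55w0rd!")}, {"cifs/fs1": os.urandom(32)},
               {"alice": ["Domain Users", "Finance"]})
```

A ticket sealed under any key other than the target's fails in server_accept, which is the step-3 check the slide describes; a wrong password fails pre-authentication before any TGT is issued.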

Cross-realm Authorization Referral
  (Diagram only)

Kerberos Authentication Use
  LDAP to Active Directory
  CIFS/SMB remote file access
  Secure dynamic DNS update
  Distributed file system management
  Host-host authentication for IP security
  Secure Intranet web services in IIS
  Authenticate certificate request to Enterprise CA
  DCOM/RPC security provider

Secure Dynamic DNS Update
  (Diagram: Active Directory with KDC, Microsoft DNS Server, DNS and DHCP exchanges; sample host 157.55.20.10 registered as host.domain.company.com)

Cross-platform Strategy: Common Kerberos Domain
  Cross-platform Interoperability
    Based on Kerberos V5 Protocol
    Windows 2000 hosts the KDC
  UNIX clients to Unix Servers
  UNIX clients to Windows Servers
  Windows NT clients to UNIX Servers
  Simple cross-realm authentication
    UNIX realm to Windows domain

  (Diagram: Windows Desktop using SSPI and the Kerberos SSP; Windows KDC issues TICKET; application protocol to a Unix Server using GSS-API with the GSS Kerberos mechanism)

Interoperability: Cross platform secure 3-tier app
  (Diagram: Windows 2000 Professional client with Smart Card Logon running IE5 (SSPI/Krb) -> HTTP -> Windows 2000 Server Web Server running IIS with an ISAPI Extension (SSPI/Krb) -> TCP -> Solaris UNIX Server running an Oracle Application App Service (GSS/Krb))

NTLM Authentication Version 2
  (Diagram: client, Application server with MSV1_0 and Netlogon, Windows NT domain controller with Windows NT Directory Service)
  1. NTLM challenge/response
  2. Uses LSA to log on to domain
  3. Netlogon service returns user and group SIDs from domain controller
  4. SP4 Netlogon secure channel is protected
  5. Server impersonates client

NTLMv2
  Unique session key per connection
  Key exchange key protects session key
  Generate unique keys for integrity and encryption of session data
    Client -> Server, Server -> Client

NTLMv2 Deployment
  LMCompatibilityLevel = {0..5}
  Upgrade DCs for user account domains
  Upgrade clients and servers
    Use Level 1 to negotiate NTLMv2
    Use Level 3 to eliminate LM support
  If users never need to connect to pre-SP4 servers
    Use Level 4 at the DC to refuse LM clients

Network Data Protection
  Options to enable data integrity and privacy
  File Protection
  Protect systems and applications from network attacks
  Strong network encryption available
    56-bit encryption world-wide
  IPSec
  File Server Encryption
    Changed through Browser
    Can easily let Administrator lock files or folders with encryption

IP Security
  Host-to-host authentication and encryption
  Network layer
  IP security policy with domain policy
    Negotiation policies, IP filters

Summary
  Windows® 2000 default security
  Single Sign On
  Network authentication
  Security Interoperability
  Network data protection

For More Information
  Refer to the TechNet website at www.microsoft.com/technet
  Web Pages
    http://www.microsoft.com/ntserver/security/default.asp
    http://www.microsoft.com/security

For More Information
  http://www.microsoft.com/ntserver/security/default.asp
  http://www.microsoft.com/security
  http://www.microsoft.com/technet
  http://msdn.microsoft.com/winlogo/win2000.asp

Session Credits
  Author: Brent Lane
  Producer/Editor: Alan Maier