Windows 2000 Security (Networking)


  • TEAM LinG - Live, Informative, Non-cost and Genuine!

  • Microsoft

    Windows 2000

    Security


  • Rashi Gupta with

    Microsoft

    Windows 2000

    Security


  • Publisher: Stacy L. Hiquet

    Marketing Manager: Heather Hurley

    Project Editor: Sandy Doell

    Interior Layout: Marian Hartsough Associates

    Cover Design: Phil Velikan

    Indexer: Sharon Shock

    © 2003 by Premier Press, a division of Course Technology. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system without written permission from Premier Press, except for the inclusion of brief quotations in a review.

    The Premier Press logo and related trade dress are trademarks of Premier Press, Inc. and may not be used without written permission.

    Windows is a registered trademark of Microsoft Corporation.

    All other trademarks are the property of their respective owners.

    Important: Premier Press cannot provide software support. Please contact the appropriate software manufacturer's technical support line or Web site for assistance.

    Premier Press and the author have attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

    Information contained in this book has been obtained by Premier Press from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Premier Press, or others, the Publisher does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information. Readers should be particularly aware of the fact that the Internet is an ever-changing entity. Some facts may have changed since this book went to press.

    ISBN: 1-931841-86-1

    Library of Congress Catalog Card Number: 2002106543

    Printed in the United States of America

    03 04 05 06 07 BH 10 9 8 7 6 5 4 3 2 1

    Premier Press, a division of Course Technology
    2645 Erie Avenue, Suite 41

    Cincinnati, Ohio 45208

  • About NIIT

    NIIT, a global training and software organization, offers customized and packaged multimedia educational software products and training, training needs identification (TNI), systems integration, software solutions (for business, engineering, and manufacturing), IT consulting, and application software development to a range of audiences: both individuals and organizations.

    The success of NIIT's courses lies in its unique approach to education. NIIT's Knowledge Solutions Business conceives, researches, and develops all the course material for a range of audiences. Each NIIT course has a definite aim. After finishing a course, the learner should be able to do a set of tasks.

    Besides being a large software development and consulting division, NIIT has one of the largest learning material development facilities in the world. NIIT trains over 150,000 executives and learners each year in Information Technology areas using Stand-Up Training, Video-Aided Instruction, Computer-Based Training (CBT), and Internet-Based Training (IBT). NIIT has been featured in The Guinness Book of World Records for the largest number of learners trained in one year!

    NIIT has developed over 10,000 hours of Instructor-Led Training (ILT) and over 3,000 hours of Internet-Based Training and Computer-Based Training. Through the innovative use of training methods and its commitment to research and development, NIIT has been in the forefront of computer education and training.

    NIIT has strategic partnerships with companies such as Microsoft, Computer Associates, AT&T, NETg, Sybase, Intersolv, and Information Builders.

  • Acknowledgments

    Thank you, Mom and Dad, for supporting me when I worked the night through for this book. Thanks for your patience and the inspiration to make the best of my ability.

    I am very grateful to my Team Leader Sripriya, who supported me when I was burning the midnight oil. My Project Manager Anita Sastry helped me to arrange the best of resources for the book.

    Special thanks to A. Subramani for the technical reviews and valuable suggestions. I really appreciate your patience and your efforts to make the book better.

    Thank you, Fran Hatton and Sandy Doell, for editing the book very well. Your comments and input have helped to improve the quality of the book. I would also like to thank Stacy Hiquet for making this book happen in the first place! She has provided active support in all the development stages of the book.

    I am especially grateful to Kartik Bhatnagar and Rahul Menon for helping me out with some chapters of the book.

  • About the Author

    RASHI GUPTA is an Advanced Diploma holder in Software Engineering. In her two years of work experience at NIIT, she has developed instructor-led training material on various technical and non-technical projects, such as Windows 2000 Security, Adobe Illustrator 9, FrontPage, Dreamweaver, and Fireworks. She has also authored a book on Python and has assisted various other authors in writing books on such subjects as ASP.NET, XML, Linux, and Apache.

    Her area of work primarily includes analysis, design, development, testing, and implementation of books and articles. In addition, her responsibilities include training development executives, instruction, technical review, and ISO compliance.

  • Contents at a Glance

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

    PART I WINDOWS 2000 SECURITY: AN OVERVIEW . . . . . . . . . . . . . . . . . 1

    1 Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    2 Introducing Windows 2000 Security . . . . . . . . . . . . . . . . . . . 39

    PART II AN INSIGHT INTO WINDOWS 2000 SECURITY FEATURES . . . . . . . . . . . . . . . . . . . . . 63

    3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

    4 Authorization and Access Control . . . . . . . . . . . . . . . . . . . . 101

    5 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

    PART III NETWORK SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

    6 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

    7 Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

    8 Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

    9 Internet Information Server (IIS) . . . . . . . . . . . . . . . . . . . . 317

    10 Remote Access and VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . 347

    PART IV OTHER SECURITY FEATURES . . . . . . . . . . . . . . . . . . . . . . . . 393

    11 Reliability Features of Windows 2000 . . . . . . . . . . . . . . . . . . . . . . 395

    12 Securing Non-Microsoft Clients . . . . . . . . . . . . . . . . . . . . . 433

  • PART V APPENDIXES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

    A Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

    B FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

    Contents at a Glance ix


  • Contents

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

    PART I WINDOWS 2000 SECURITY: AN OVERVIEW . . . . . . . . . . . . . . . . . . . . 1

    Chapter 1 Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
        What Is at Risk? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
            Threats and Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
            Relationship Between Threats, Vulnerabilities, and Risk . . . . . . . . . . . 6
        Purpose of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
            Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
            Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
            Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
            Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
        Types of Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
            Internal Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
            External Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
            Combined Effect of Internal and External Attackers . . . . . . . . . . . . . . 13
        Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
            Assembling Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
            Damaging/Disrupting Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
            Modifying Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
        Windows 2000 Core Security Features: A Primer . . . . . . . . . . . . . . . . . 30
        Windows 2000 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

  • Chapter 2 Introducing Windows 2000 Security . . . . . . . . . . . . . . . . . . . 39
        Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
            Active Directory and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
            Active Directory Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
            Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
            Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
        Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
            Kerberos V5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
            Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
            NTLM Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
            Secure Sockets Layer/Transport Layer Security (SSL/TLS) Authentication . . 49
        Accessing Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
            Access Control Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
        Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
            Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
        Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
            Symmetric Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
            Asymmetric Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
            Encryption File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
        Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

    PART II AN INSIGHT INTO WINDOWS 2000 SECURITY FEATURES . . . . . . . . . . . 63

    Chapter 3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
        Introduction to Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
            Interactive Logon and Network Authentication . . . . . . . . . . . . . . . . . . 67
            How Does Authentication Take Place? . . . . . . . . . . . . . . . . . . . . . . . . 70

    Contents xi

  • Kerberos V5 Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 72
            Advantages of Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
            How Does Kerberos V5 Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
            Logging on Interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
            Smart Card Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
        Security Support Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
        Other Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
            NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
            Secure Sockets Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
            Extensible Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 96
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

    Chapter 4 Authorization and Access Control . . . . . . . . . . . . . . . . . . . . 101
        An Overview of Windows 2000 Access Control . . . . . . . . . . . . . . . . . . . . 102
            Working of Access Control Mechanism . . . . . . . . . . . . . . . . . . . . . . . 103
            Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
            Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
            Security Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
            Access Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
            Security Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
            Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
            Access Checking and Audit Generation . . . . . . . . . . . . . . . . . . . . . . . 121
        Configuring Access Control Permissions . . . . . . . . . . . . . . . . . . . . . . . . 124
            Configuring Share Permissions on Folders . . . . . . . . . . . . . . . . . . . . . 124
            Configuring NTFS Permissions on Files and Folders . . . . . . . . . . . . . . 126
            Combining NTFS and Share Permissions . . . . . . . . . . . . . . . . . . . . . . 126
            Configuring Access Permissions for Active Directory Objects . . . . . . . . 126
        Encryption File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
            Encryption of Data Using EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
            Decryption of EFS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
            EFS Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
        Securing the Print Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
            Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
            Managing Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

  •         Managing Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

    Chapter 5 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
        Group Policy: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
            Group Policy Objects and Active Directory . . . . . . . . . . . . . . . . . . . . 145
            Group Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
            MMC Snap-In Extension Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
            Group Policy Snap-In Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
            Group Policy Object Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
        Group Policy Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
            How Group Policy Affects Startup and Logon . . . . . . . . . . . . . . . . . . . 163
            Synchronous versus Asynchronous Processing . . . . . . . . . . . . . . . . . . . 164
            Refresh Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
        Using Group Policy Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
            Creating a Custom Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
            Creating a Group Policy Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
            Filtering GPO Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
            Group Policy Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
            Group Policy Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 179
        Windows 2000 Security Templates: An Overview . . . . . . . . . . . . . . . . . . . 180
            Predefined Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
            Custom Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
            Security Configuration and Analysis Tools . . . . . . . . . . . . . . . . . . . . . 187
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

    PART III NETWORK SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

    Chapter 6 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . 199
        What Is Public Key Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
            Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
            RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

  •     Windows 2000 PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
            PKI Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
            Designing Windows 2000 PKI Architecture . . . . . . . . . . . . . . . . . . . . . 212
            Certificate Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
            Certificate to User Account Mapping . . . . . . . . . . . . . . . . . . . . . . . . . 223
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

    Chapter 7 Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
        DNS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
            Structure of DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
            Windows 2000 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
            Threats Faced by DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
            Securing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
        DHCP: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
            Configuring DHCP Dynamic Update . . . . . . . . . . . . . . . . . . . . . . . . . 247
            Securing DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
        SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
            SNMP: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
            SNMP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
        RIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
            RIS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
            RIS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
        Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
            Terminal Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
            Terminal Services Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

    Chapter 8 Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
        IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
            IPSec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
            IPSec Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
            Working of IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
            Deploying IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

  •     Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
            Functionality of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
            DMZ Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
            Secure Public Access to DMZs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

    Chapter 9 Internet Information Server (IIS) . . . . . . . . . . . . . . . . . . . . . 317
        IIS: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
            Security Features of IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
            Services Associated with IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
        IIS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
            Anonymous Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
            Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
            Digest Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
            Integrated Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 335
            Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
        Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
            Access Control Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
            Access Control Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

    Chapter 10 Remote Access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
        Remote Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
            Features of RRAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
            RRAS Connection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
            Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
            Installing and Configuring Remote Access Services . . . . . . . . . . . . . . . 362
        Virtual Private Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
            VPN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
            Features of VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
            Knowing Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

  •     IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
            IAS Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . 382
            RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
            Tunneling with IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

    PART IV OTHER SECURITY FEATURES . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

    Chapter 11 Reliability Features of Windows 2000 . . . . . . . . . . . . . . . . . . 395
        Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
            Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
            System Monitor and Performance Logs and Alerts . . . . . . . . . . . . . . . . 400
            Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
            Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
        Windows File Protection Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
            Automatic Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
            System File Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
        Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
        Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
            Windows Backup Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
        System Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
            Safe Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
            Last Known Good Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
            Enable Boot Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
            Recovery Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
        Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
        Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

    Chapter 12 Securing Non-Microsoft Clients . . . . . . . . . . . . . . . . . . . . . . 433
        Securing Access to UNIX Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
            Service for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
            Authentication of UNIX Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

  • Securing Access with NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438Inoperability with NetWare Clients . . . . . . . . . . . . . . . . . . . . . . . . 439Authentication with NetWare Clients ad Servers. . . . . . . . . . . . . . 440Access to NetWare Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

    Securing Access with Macintosh Clients . . . . . . . . . . . . . . . . . . . . . . . 443Inoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444Secure Access to Windows 2000 Resources . . . . . . . . . . . . . . . . . . 445

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446Check Your Understanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

    PART V APPENDIXES . . . . . . . . . . . . . . 449

    Appendix A Best Practices . . . . . . . . . . . . . . . . . . . . . . . 451Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452Securing CAs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453EFS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454Security Configuration and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 454Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455Acess Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458Software Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . 459Folder Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460Distributed File System (Dfs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460Network and Dial-up Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 461TCP/IP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463Server Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

    Internet DNS Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464Internet Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466Remote Access Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

    Contents xvii

    TEAM LinG - Live, Informative, Non-cost and Genuine!

  • VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469Disk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470Backing Up and Restoring Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472Disk Fragmenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

    Appendix B FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


    Introduction

    This book provides you with a comprehensive study of Windows 2000 Security. The book is aimed at readers who are familiar with Windows 2000 Server concepts but now want to gain a solid foundation in Windows 2000 security features. These readers are assumed to have a certain degree of networking experience and familiarity with general concepts on Active Directory, DNS, DHCP, the OSI model, and TCP/IP. This book contains detailed explanatory concepts, hands-on exercises, and questions to check your understanding at the end of each chapter.

    The first part of the book provides you with an overview of some basic security threats and vulnerabilities against which you need to plan for security. The second chapter gives you a brief overview of the security features in Windows 2000.

    After you have gotten a fair idea of the security issues you'll encounter, the book moves on to an insight into Windows 2000 security. It covers topics that explain how Windows 2000 authenticates and authorizes the client on the network. The book then talks about Windows 2000 security policies to assign consistent permissions across groups of users.

    PKI is a key technology to protect valuable information resources for e-commerce, the Internet, intranets, and Web-enabled applications. This book provides you with an overview of PKI and how Windows 2000 allows you to secure your network through PKI and Certificate Services. Then the book moves on to how to secure network services, such as DNS, DHCP, SNMP, RIS, and Terminal Services. It also talks about securing Internet communication through IPSec and firewalls. You'll also learn about securing IIS, remote access, and VPNs.

    Finally, the book covers other security features that harden Windows 2000, and features for securing communications with non-Microsoft clients.

    The Appendixes section includes Best Practices and FAQs that give you real-life context for Windows 2000 security.

    How to Use This Book

    This book has been organized to facilitate your learning and give you a better grasp of the content covered here. The various conventions and special elements used in the book include:

    Notes. Notes give you additional information that may be of interest, but the information is not essential to performing the task at hand.

    Tips. Tips have been used to provide special advice or unusual shortcuts.

    Cautions. Cautions are used to warn you of possible disastrous results if you perform a task incorrectly.

    New term definitions. All new terms are italicized and then defined as a part of the text.

    xx Introduction

    PART I
    Windows 2000 Security: An Overview

    Chapter 1
    Need for Security

    A few decades ago, computers were primarily used for storing information for an organization's daily functioning. They were used mainly as data storage devices, and their use was limited to the organization's employees. Therefore, any threat posed to the system was from the internal staff only. It wasn't hard to fight threats because there was almost no chance of external interference. Only a few forms of threats existed, such as misuse of accounts, theft of hardware, or data manipulation by authorized users. These threats were carried out physically and so could be dealt with by keeping computers in locked rooms and manually verifying that data had not been tampered with.

    Today, computers have radically changed the way organizations and individuals function. Organizations use computers to store data that can be accessed from anywhere in the world. Individuals use computers to enhance the communication that takes place across the globe. Along with this expansion of the technology, threats to computer systems have also increased. A simple click of the mouse is enough to shake your infrastructure.

    In the year 2001, the Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) showed that 85 percent of large organizations and government agencies detected breaches of security. In most cases, the loss was estimated to be over 2 million US dollars. Recently, a staggering number of attacks have been reported against IT environments, many of them through the Internet, and many of them targeted at systems running the Windows operating system.

    The threat to security from malicious insiders is as big as the threat from sophisticated hackers. After all, in an enterprise-wide network, you cannot be sure that, of the many employees accessing network-based resources, none poses a threat to security.

    What is security? Security is not a goal or a product. It is an endless process. Many computer enthusiasts maintain that security is the firewall at your network boundary or the virus scanner integrated into your mail server. Well, security is none of these. Put briefly, security is the process of allowing access to authorized users only. To design a secure system, it is important to have some understanding of security threats.

    This chapter talks about the basic concepts of security and answers some important security-related questions, such as "What is at risk?", "What are we trying to protect?", "Who are the attackers?", and "Where do they come from?" This chapter will also introduce you to the core security features of Windows 2000 and the Windows 2000 security model.

    What Is at Risk?

    A completely secure network environment does not exist. Even the most secure networks of today are not free from risk, but risk can be minimized by improving security. On the other hand, an increase in the security measures in an organization results in an increase in the cost of both installing and maintaining them. A greater amount of security might also add to the complexity of the system. For example, extra methods used to authenticate users in a bank might make the system so complex for the users that they do not take the trouble to use the system as they should. The evaluated cost of this loss might be greater than the benefits achieved from increased security.

    Therefore, before examining the security measures for the network, you need to examine the risks you currently face. To understand the principles of risk on your network security, you need to understand some key terms used in the risk management process. These include threats and vulnerabilities.

    Threats and Vulnerabilities

    A threat is anything, whether a circumstance, a person, or an event, that has the potential to cause harm to your resources. Physical threats can be posed by employees, hackers, criminals, spies, and so on. Program threats might be intentional or unintentional and can take the form of viruses, worms, Trojan horses, or attack scripts. Program threats have the ability to cause greater harm than physical threat agents.

    A vulnerability is a flaw or a loophole in a system or a program that enables an attacker to break through the security measures of a system. Vulnerabilities can be known or unknown. Known vulnerabilities exist in the system and are known at the time of manufacturing. Consider an example of a known vulnerability. Suppose the operating systems that an organization is using have known manufacturing flaws in them. However, the organization is not aware of these flaws and continues to use the operating systems without taking preventive measures against the flaws. Intruders, who are aware of the loopholes in the operating systems, try to take maximum advantage of the situation and cause damage to the information and systems of the organization.

    NEED FOR SECURITY Chapter 1 5

    Unknown vulnerabilities exist in the system but remain undetected by manufacturers as well. Consider another example. Suppose an organization is using flawed operating systems. However, these flaws are not known to the organization or the manufacturer of the operating system. An intruder who is trying to hack the network of this organization comes across the weaknesses and, through these weaknesses, finds a way to access the information related to the organization. In this case, if the intruder is a white hat hacker, he may inform the organization about the flaw in the system. However, if the intruder has malicious intentions, he may try to take advantage of the flaw to jeopardize the information system of the organization.

    Relationship Between Threats, Vulnerabilities, and Risk

    After identifying threats and vulnerabilities in your organization, you should rate them based on the level of risk using a standard scale, such as low, medium, or high. This rating will help you identify the countermeasures and their intensity. The rating will vary between organizations and sometimes even within an organization, depending on the type of organization, the kind of equipment, and their location. For example, the threat of earthquakes is significantly higher for offices near a major fault line than for those elsewhere. The vulnerability to physical damage would be very high for an organization producing highly sophisticated and delicate electronic equipment. On the other hand, a construction company may have a lower physical vulnerability level. Thus, the level of risk that an organization faces increases as the threats and vulnerabilities increase.

    Purpose of Security

    While focusing on risks and security, you may wonder why one should worry so much about security. It is important to understand what exactly one is trying to protect. Security begins and ends with people. The people in an enterprise, the partners of the enterprise, and all others connected with the enterprise use enterprise resources in some way. This makes the resources in your environment the primary concern of security. Resources can include information, applications, servers, routers, and even people.

    6 Part I WINDOWS 2000 SECURITY: AN OVERVIEW

    As a resource, information is very precious to any organization; it holds an organization together and is the source from which any productivity arises. It should, therefore, be protected at all costs. The management of an organization just cannot allow an intruder to steal data from the organizational network or read the trade secrets of the organization. Sometimes lost data cannot be replaced even after spending a huge amount of money.

    Your computer systems may contain all your employee records, contracts, sales information, private arrangements, schedules, research, and other important and confidential information, all of which, if placed in the wrong hands, can lead to disastrous consequences. When deciding about data security, you should consider who accesses your data. Most of this information is shared by multiple users over a network. Your network is the most heavily used vehicle for distributing your organization's information. If your network is connected to the Internet, your network opens up to the outside world and becomes vulnerable to a host of security threats.

    Information security answers the following basic security needs of any organization:

    Confidentiality

    Integrity

    Availability

    Authentication

    Confidentiality

    The term confidentiality refers to preventing the disclosure of critical information to unauthorized users. The extent to which confidentiality should be maintained depends on what type of information you are trying to secure. For example, a high level of confidentiality is required for a company's annual report that has not yet been made public. On the other hand, the confidentiality required for quarterly reports that have already been released is relatively low.

    Consider another example. The type of information an organization shares with its staff is more confidential than the type of information it shares with people outside the organization. An organization can share all its policies, procedures, customer information, and other business-related information with its employees, but it may not share that same information with outsiders.

    Similarly, there are different levels of confidentiality maintained for different types of data among different employees within an organization. For instance, information about the appraisal of an employee will be accessible only to the Human Resources department and the supervisors of the employee, and not to other members of the staff.

    A breach of confidentiality can cause heavy damage to the organization, depending on the degree of importance of the information disclosed. For example, if the details of prospective customers and the offers made by an organization are passed on to its competitors, the organization can incur heavy business losses. In addition, if employees' appraisal information is somehow leaked to the employees, the leakage may cause distrust and unrest among them. Therefore, you need to assign different levels of confidentiality to different types of information.

    FIGURE 1-1 Ensuring Confidentiality, Integrity, Availability, and Authentication.

    Integrity

    Integrity is the process of ensuring that data, whether in transit or stored on the network, is not tampered with in any way. An infringement of data integrity leads to misrepresentation of the data to its intended audience and can, in turn, have very serious consequences. The following are a few common ways of breaching the integrity of data:

    Modification of an audit report

    Modification of employee records

    Modification of a company's accounts

    Modification of the key factual material

    Modification to the source data

    Modification in bank accounts

    A breach of data integrity can occur due to an inadvertent mistake made at the time of entering and storing data in databases. For example, an accountant may accidentally delete vital financial information. His intention may not be questionable, but his action may prove to be harmful. Data integrity may also be hampered if the files or systems become corrupt or are completely destroyed. Corruption may occur if you use defective software or wrong programming techniques.

    Availability

    Availability of information implies that the information is ready for use when required. It essentially means designing the security framework in such a manner that it prevents unauthorized activity that results in nonavailability of information to authorized users. The term availability means the existence and accessibility of information. It also encompasses the functionality of systems and other resources, hardware or software, required to access the information.

    In addition, ensuring the availability of information means that users are not denied services when they need to use them. A denial of service occurs when the network is flooded with requests from unauthorized users and, consequently, authorized users are unable to access system services.

    Authentication

    Authentication is the mechanism of ensuring that an individual is who he or she claims to be. It can be used to provide proof of the sender's identity to the receiver. Authentication ensures that only authorized users and computers are able to gain access to network resources. It may also include establishing the identity of a resource to the user.

    All the reasons discussed here form the core of any technology that provides security to computer systems. In other words, these are the main reasons why you need to have a secure network. Some of the other reasons include preventing:

    Unauthorized access to network resources

    Data manipulation

    Interception of data in transit

    Damage to systems

    Disruption of services

    You now understand the various security needs of an organization. The next section elaborates on the attackers who pose a threat to security.

    Types of Attackers

    All attacks on the information of an organization take place by using the organization's network. Network attackers fall into two categories:

    Internal attackers. These are the employees of an organization, and they pose a threat from within the network.

    External attackers. These are the entities lying outside the organization, and they pose a threat to security by intruding into the network.

    Internal Attackers

    Often, organizations direct their effort toward tracing outsiders who may be a threat to security. While doing so, they forget that internal entities may be more harmful than outsiders; therefore, it is more important to guard against insiders. In fact, statistics prove that attacks from internal agencies occur much more often than external attacks. Studies show that unauthorized access by network users forms a major part of all kinds of security threats. Figure 1-2 shows an employee of an organization attacking a network.

    An insider attack may be quite severe in nature because the insider already enjoys a certain amount of access to network resources. An internal attack can breach all the purposes of data security. For example, an insider can plant Trojan horses or browse through the contents of confidential files. These may jeopardize the confidentiality and integrity of data. Insiders can also affect the availability of data by overloading the system's processing or storage capacity or causing the system to crash.

    These attacks are possible for a variety of reasons. The basic one is the ill will of the employee against the organization. The other reasons are as follows:

    The access control settings of a resource may not reflect the organization's security policies.

    The employees may abuse Internet access to browse through restricted sites.

    An insider may exploit operating system bugs and cause the system to crash.

    A user may use another user's password to fiddle with the systems.

    The devastating acts of a user may go undetected because audit trails are inadequate or ignored.

    Now, the task is to resolve this problem. How does one decide which employees are to be considered threats to security? This question is surely difficult to answer.

    FIGURE 1-2 Internal attackers.

    Before you go on to discuss the methods that can be employed to control insiders, you need to identify the intruder. To start with, the focus of the organization should be on the employees who are well versed in IT. This is because employees who are responsible for creating, managing, and maintaining an IT infrastructure have all the knowledge of the organization's critical resources. If they harbor any wrong intentions, they can pose a threat to the security of the entire system. For example, if an employee has root-level access to resources, then nothing can stop him or her from hacking the entire system. A disgruntled employee, even with limited rights and permissions, can easily introduce malicious software, such as worms, Trojans, and viruses, on the network.

    In order to safeguard an organization against internal attackers, one must educate and train the employees. They should know about the dangers that result from sharing usernames and passwords, opening anonymous e-mail attachments, and having conventional or predictable passwords. The rights and permissions granted to a user must be in accordance with the security policy of the organization.

    External Attackers

    External attackers are intruders who attack your network while sitting well away from it. These intruders can be either professional hackers or amateurs who try to gain access to your organization's network just for fun.

    During the past few years, the definition of a hacker has changed tremendously. Initially, the term hacker referred to a person who enjoyed getting the most out of the system he was using. A hacker would use and study a system extensively until he became proficient in all its functions and features. Today, the term hackers refers to people who enter systems for which they are not authorized or who intentionally overstep their bounds on systems to which they do not have legitimate access. Figure 1-3 illustrates an external attack on a network.

    The reasons for external security threats can be many. A few of them are:

    Enjoyment/fun. The primary aim of a hacker might be just to have fun.

    Ex-employees. An organization might face a threat due to an ex-employee turning hostile. Such a person is already aware of the organization's network and resources and can gain access without much difficulty.

    Curiosity. An intruder might break into your network because of curiosity or because of the intruder's desire to face an interesting challenge.

    Competitors. Rival organizations may hire professional hackers to raid your network.

    In contrast to preventing internal attacks, many options are available to safeguard against external security threats. The most commonly employed ones are firewalls, intrusion detection systems, various authentication protocols, and access control lists. These topics are covered in later chapters.

    Combined Effect of Internal and External Attackers

    An organization faces the most serious threat when both internal and external attackers join hands. Lapses in your internal security may allow intruders to break in, steal information, or plant viruses in your systems. A rival organization might hire your disgruntled ex-employee, and the two might work together to wreak havoc on your network.

    FIGURE 1-3 External attackers.

    Figure 1-4 illustrates the combined attack by internal and external attackers on the network.

    Security Threats

    You know that the information on your network is prone to a variety of threats, including computer fraud, espionage, vandalism, defacement, computer viruses, and hackers. With an increase in the world's reliance on computer systems, these threats have become extremely pervasive and sophisticated. I have categorized threats to information according to their nature and source. The categories are:

    Assembling information

    Damaging/Disrupting the network

    Modifying information

    The following section focuses on these security threats.


    FIGURE 1-4 Internal and External Attackers.

    Assembling Information

    Assembling information, or simply gathering information, is the kind of threat that occurs when an entity gathers information from your network and sends it out. This entity can be either a person or an application.

    Six kinds of security lapses fall into this category. They are:

    Password cracking

    Session hijacking

    Impersonation

    Adware

    Social engineering

    IP Spoofing

    Let me now discuss each of these lapses in detail.

    Password Cracking

    Password cracking is a common method that is used to furtively acquire the password of another user's account to gain system access. This is a common method of hacking used by intruders when the user assigns a weak password. The major weaknesses in passwords exist in situations when passwords can be easily guessed (for example, passwords based on the user's name or date of birth) or when passwords can be cracked using a dictionary.
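    The following is an added example (not code from the book) of the kind of policy check a defender can run when a password is set, rejecting exactly the weaknesses named above: passwords derived from the user's name or date of birth, and passwords that a dictionary attack would recover even with the usual digit-for-letter substitutions. The wordlist, the leet table, and the sample user are constructed for the example.

```python
"""Policy check for guessable passwords: personal details (name, date of
birth) and dictionary words, with common substitutions undone.
Added example; the dictionary and the sample user are constructed."""
import re
from datetime import date

# Constructed stand-in for a cracker's wordlist; a real check loads a large one.
DICTIONARY = {"password", "welcome", "letmein", "secret", "summer", "admin"}

# Substitutions that dictionary attacks try routinely, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})

# Constructed sample user: (username, full name, date of birth).
EXAMPLE_USER = ("jsmith", "John Smith", date(1985, 3, 12))


def _candidates(password: str) -> set[str]:
    """Forms of the password a guesser would try: lower-cased, with leading and
    trailing digits/symbols stripped, and with leet substitutions undone."""
    lower = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lower)   # 'Summer2024!' -> 'summer'
    return {lower, core, lower.translate(LEET), core.translate(LEET)}


def _dob_fragments(dob: date) -> list[str]:
    """Digit strings derived from a date of birth (year, mmdd, ddmm, full date)."""
    y, m, d = f"{dob.year}", f"{dob.month:02d}", f"{dob.day:02d}"
    return sorted({y, m + d, d + m, d + m + y, m + d + y})


def weak_password_reasons(password: str, username: str, full_name: str,
                          dob: date, dictionary: set[str] = DICTIONARY,
                          min_len: int = 8) -> list[str]:
    """Return every reason the password is guessable; an empty list means it
    passed this check (necessary, not sufficient, for a good password)."""
    reasons = []
    lower = password.lower()
    cands = _candidates(password)

    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")

    # Personal details: the username and each part of the real name.
    personal = {username.lower()} | {p.lower() for p in full_name.split() if len(p) >= 3}
    for token in sorted(personal):
        if any(token in c for c in cands):
            reasons.append(f"contains personal detail '{token}'")

    # Date of birth, in the digit layouts a guesser would try.
    for frag in _dob_fragments(dob):
        if frag in lower:
            reasons.append(f"contains date-of-birth fragment '{frag}'")

    # Dictionary attack: any normalised form that is a plain wordlist entry.
    for word in sorted(c for c in cands if c in dictionary):
        reasons.append(f"based on dictionary word '{word}'")
        break

    return reasons


def is_acceptable(password: str, username: str, full_name: str, dob: date) -> bool:
    """True when none of the weaknesses above applies."""
    return not weak_password_reasons(password, username, full_name, dob)


if __name__ == "__main__":
    for pw in ("Secret123", "Smith1985!", "J0hn", "blue-Quay9-lantern"):
        print(f"{pw!r}: {weak_password_reasons(pw, *EXAMPLE_USER) or 'ok'}")
```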

    Session Hijacking

    Due to the vulnerabilities of the HTTP protocol, the Web is prone to threats such as session hijacking. A session with a Web site begins when a user connects to the Internet and ends only when the user closes that site. HTTP is a stateless protocol. Therefore, to maintain a session with a Web application, it grants session IDs to bind the user's activities with the Web server. In session hijacking, the attacker (by accessing the data on servers and networks) gets the session IDs of the Web sessions. Then, with the help of these session IDs, he takes over the session of the other person.

    Impersonation

    Impersonation occurs when an unauthorized user accesses critical resources by posing as an authorized user. This unauthorized user can then bring spurious content into the network of an organization or capture confidential information; as a result, the security of the network is compromised. Figure 1-5 illustrates how an unauthorized user can gain access to the network of your organization by impersonating an authorized user.

    A concept related to impersonation is that of sniffing. Sniffing is the process of intercepting data packets traveling to and fro on the network. Software that can capture and decode all packets entering and leaving the network cables is called a sniffer. For example, sniffing is used to attack information when a user logs on to a remote server by using a remote access service. The impersonator can use a network utility or hacking software to capture the username and the password. He can later use the captured credentials to gain access to the remote server.

    Attempts at impersonation can be controlled by strictly restricting access to network resources to only a limited number of users and by using digital signatures on data packets. Access lists can also be used to define the level of access for users.

    FIGURE 1-5 Security threat due to impersonation.

    Adware

    Advertising-Supported Software (Adware) is an application that is used to display advertisement banners while an application is running. Many times, while opening a Web page in your browser, various other browser windows appear automatically. These windows are mainly used for advertisements, and it is the Adware software that launches them.

    How can these seemingly harmless advertisement banners prove to be dangerous? These advertisement applications can sometimes include additional applications. These additional applications, known as Spyware, capture information from your computer and pass it on to other networks without your knowledge.

    Social Engineering

    Many attackers and hackers employ social engineering, which may be defined as the art of using interpersonal skills to extract confidential information from vendors or employees, to bypass even the sternest defense systems on networks. The outsider who employs social engineering fools the organization's personnel into providing proprietary information or allowing unauthorized access to resources. This is why social engineering is popularly known as people hacking.

    The following are the most common techniques used in social engineering:

    Direct approach. In the direct approach, the social engineer may directly ask the target for some information. However, in most cases, this approach does not succeed because people have become more security conscious.

    Authority figure. Another technique of social engineering is pretending to be a senior official or an authority figure in an organization. For example, the intruder may impersonate an authority figure and pressure the system operator to extract important information. The information may be about the type of remote access software used in the organization, ways of configuring it, the telephone numbers of the RAS server to dial, and the user name and the password to log on to the server. After obtaining the information, the intruder may set up remote access to the organization's network.

    Naive employee. In this case, the intruder pretends to be an employee who needs help to access the resources of the organization. The attacker, for instance, can call the secretary pretending to be a naive employee who is having trouble accessing the organization's network. The secretary, not wanting to appear incompetent or offensive, may help by giving away the username and the password of an active account or his or her own account.

    Consider another example. An intruder pretends to belong to the organization's technical support team that is trying to solve a network problem and extracts information from a naive employee.

    Reverse social engineering (RSE). RSE is another form of social engineering. In RSE, the user is influenced to ask the intruder questions that, in turn, automatically reveal information about the organization. In this approach, the attacker is mistaken for a senior official.

    An RSE attack consists of three parts: sabotage, advertising, and assisting. During sabotage, the attacker corrupts the workstation of the user or gives it the appearance of being corrupted. Seeing this, the user looks for help. To ensure that the user calls the attacker for help, the attacker advertises his presence by either leaving his business card at the user's workstation or displaying his contact number in the error message. Finally, the attacker assists the target in solving the problem and, in the process, obtains the information that he requires.

    E-mail cons. An e-mail con is another technique that is based on social psychology. It involves the use of contemporary subjects to elicit emotions. This leads to unconscious participation from the user.

    Internet fraud. Internet fraud is a popular means deployed for social engineering. In this, the user, through conversation, is persuaded to disclose important and personal information. Internet frauds commonly occur in Internet chats. For example, an intruder enters a chat room and invites people to chat. The intruder might carry the conversation from general topics to subjects of the victim's interest and make him or her reveal the maximum confidential details of the victim.

    Spoofing

    Spoofing is an attack in which one computer masquerades as a different computer on the target computer's network. The aim of masquerading is to trick the other computer into believing that the pretender computer is the original computer with which it is supposed to interact. The intention is to lure the other computer into sharing or sending data or granting data modification rights.

    Spoofing can be either blind or active. Blind spoofing is a method in which a hacker is not able to view the responses sent from the target computer. This is because the hacker does not have complete information about the network conditions. That is, he probably does not have information about the IP address of the computer that he wishes to masquerade as or the access rights that the computers share. In such a situation, the hacker uses all possible techniques to gain access to the network. It is like throwing darts in the dark.

    In active spoofing, a hacker has information about the access rights shared between the host computer (that he intends to imitate) and the target computer. This information helps the hacker view the responses from the target computer. Because the hacker's computer can view the responses, the data can be easily corrupted, modified, and passed to other destinations on the network.

One form of network spoofing attack is IP spoofing, a method in which the hacker accesses the target computer by using the spoofed IP address of a trusted host. Hackers perform IP spoofing by using either blind or active spoofing. An IP spoofing attack (also called an IP sequence guessing attack) is made during the three-way handshake connection process. To start an IP spoofing attack, the hacker first needs to forge the IP address of a trusted host on the network. He then needs to maintain a sequence number with the target computer, inserting the initial sequence number in the header information of the data packets. This task is highly complicated, because when the target sends its initial sequence number as acknowledgement, the attacker must respond with the correct response, which can be accomplished only if the attacker successfully guesses the TCP initial sequence number.

Damaging/Disrupting Network

An intruder can cause substantial damage to the network of your organization by either physically damaging the resources or causing the network services to be disrupted. In this section, you will learn about the four most common security threats. These are:

    Tunneling

    Viruses, Worms, and Trojan Horses

    Man-in-the-middle attack

    Denial of service (DoS) attacks


Tunneling

Tunneling allows an organization's personnel to access those resources on the organization's intranet that cannot otherwise be accessed because of firewalls or proxy servers. Proxy servers can prevent employees from accessing certain unauthorized Web sites or passing critical organization information to an outsider.

However, a number of applications enable employees to access any Web site in spite of a proxy server or a firewall. An example of such an application is HTTP-Tunnel, which allows access to any Internet application.

NOTE

The HTTP-Tunnel application runs as a SOCKS server to connect to the Internet. It can also use port mapping to tunnel both TCP and UDP traffic. SOCKS is a protocol that enables machines without Internet connectivity to connect to the Internet. For this it uses only a single machine, referred to as the SOCKS server, which is connected to the Internet. All other machines access the Internet through this machine. A proxy server is an example of a SOCKS server.

Viruses, Worms, and Trojan Horses

The use of viruses, worms, and Trojan horses to disrupt network services and corrupt or completely remove important information has become increasingly common. A virus is a software application that starts replicating itself after being introduced on your computer, either deliberately or inadvertently. A virus can attach itself to any file; when that file is accessed, the virus is also activated. By replicating itself many times, a virus eats away all your system resources. The following are the most common mediums through which viruses spread:

Floppy disks and CDs

Files downloaded from the Internet

Attachments in e-mails

A worm is a special type of virus. Although it replicates itself just like a virus, it differs from a virus in that it does not attach itself to any program and runs independently on your computer. Trojan horses are applications that do not replicate themselves. Instead, they secretly collect information from your computer and pass it on to external networks.

Recovering after a virus attack can be quite painful, depending on the extent of the loss. Therefore, you should always take proper measures to ensure security against virus attacks. The following section elaborates on some of these measures.

Prevention Is Better Than Cure

The best way of protecting networked and stand-alone computers against viruses is to apply the following antivirus measures:

Educate users. Most importantly, each user on the network should have some understanding of the various types of viruses and how they work. This awareness helps users evade the general threats that arise from viruses. For instance, Word and Excel documents can contain macros and, therefore, are more prone to macro virus threats. When sending documents through mail, you should ensure that the attachment being sent is saved in Rich Text Format (RTF). RTF files do not contain macros and, therefore, the possibility of a virus infecting such files is slim.

Check Internet downloads. You should avoid downloading software, applications, and other materials from unknown sources on the Web. To prevent virus infection from such unknown sources, it is preferable to download the material or software onto a floppy disk and then scan the floppy disk for viruses before finally transferring the content to the hard disk. To avoid these hassles, it is preferable to buy software and programs from trusted authorized dealers.

Avoid purchasing pirated and illegal software. Pirated and illegal software that is not purchased from reliable sources might also contain viruses. As mentioned earlier, it is preferable to purchase software from trusted authorized dealers.

Disable floppy disk booting. You should disable floppy disk booting by changing the boot sequence stored in CMOS memory. Most computers now allow you to do this. This eliminates the risk of a boot sector virus being transferred from a floppy disk that is accidentally left in the drive.

Scan e-mails from unknown senders. You should avoid opening e-mail messages and their attachments if the sender of the message is unknown. Before opening e-mail messages, it is advisable to scan them for viruses by using antivirus software.


Scan storage media. If you share floppy disks and CDs with other users, scan them with an antivirus scanner before you transfer any data from them.

Make regular backups. Another security measure that can reduce the consequences of a virus infection on a personal computer is making regular backups of hard disks. In an organization, you can set up backup servers on the network where users can make regular backups. Organizations can make backups on multiple computers on the network as well. They can also make backups on floppy disks or tapes. However, while making backups on floppy disks, you should ensure that the disks are write-protected. Viruses cannot infect write-protected disks.

Install antivirus software. You should ensure that antivirus software is installed and updated regularly to detect, report, and disinfect viruses on all computers on the network.

In addition to the preceding measures, organizations should take the following precautions to ensure that the network is completely secure from all channels:

The network should be set up in such a manner that only authorized users are able to access network resources. To implement this, organizations may use various tools that prevent unauthorized access to computers on the network.

    Keep dedicated machines to test new software, files, and disks.

Transfer of executable files to and from external sources should be blocked.

Organizations can also protect computers on the network from virus attacks by using computers that do not have a floppy disk drive. This prevents computers from using infected floppy disks and ensures that a virus is not passed to the network.

The network should be divided into a private network, a public network, and extranets to provide security to each part of the network. For example, for a private network, you can use Group Policy Objects (GPOs). GPOs are explained in detail in Chapter 5, "Security Policies." For a public network you can use firewalls, and for extranets you can use perimeter subnets or demilitarized zones (DMZs). These are explained in detail in Chapter 8, "Internet Security."


Cure

In the present scenario of security threats, almost all administrators are well aware of the threats and take proper preventive measures, but virus attacks still occur and cause heavy damage to a network. To ensure that you have successfully recovered from a virus attack, you need to perform the following steps:

Assess the extent of the damage caused. After you are sure that a virus has infected your computer, identify how many other computers on the network are affected by the virus and the other locations that can be affected. The infected computers should then be isolated from the network so that the virus does not spread. To prevent any further virus attacks, you also need to identify the source from which the virus originated. You can do this by monitoring the log files on client and server computers.

Check the backup servers for virus infection. After you have removed the infected computers from the network, you need to check the backup servers for virus infection. To eliminate the remotest possibility of a virus attacking the backup servers, you should also remove the servers from the network. Next, clean the servers by using antivirus software. However, before cleaning the backup server, it is preferable to make a backup of the data stored on this server as well, so that if there is data loss while cleaning, you can still try to recover data from the backup.

Disinfect all computers on the network. The next step is to disinfect all other computers on the network. You should restart the computer with a fresh startup floppy disk. Next, identify the data and programs that are infected by the virus by using scanners. Disinfect the computer by using antivirus software.

Man-in-the-Middle Attack

As the name indicates, the main idea behind the man-in-the-middle attack is that before the two authorized entities exchange data, a third, non-trusted party intercepts the communication to monitor, capture, or control it transparently. For example, the attacker can redirect the data between the two authorized entities.

In a man-in-the-middle attack, an attacker assumes the identity of an authorized entity and reads the data meant for that entity. The sender of that data on the other end might believe it is talking to the intended recipient, because the attacker might be responding well to the communication in order to continue the exchange and gain more information.

Denial-of-Service Attacks

Denial-of-service (DoS) attacks are quite different from other kinds of network attacks. An intruder might use other network attacks, such as impersonation, adware, and viruses, to access resources or damage them. DoS attacks, on the other hand, are used to make some services or target computers inaccessible.

DoS attacks are becoming quite common these days, because they do not require any special software or access to the network. They are based on the concept of network congestion. Any intruder can cause network congestion by sending loads of junk data over the network. As a result, the target computers are inaccessible for some time because all routes to reach the computers are blocked. It can even lead to crashing of the target computers.

Figure 1-6 illustrates how hackers can cause network congestion by introducing spurious data over your network.

DoS attacks have several advantages for the attacker. They can easily be kept anonymous. DoS attacks come in a variety of forms and can target many network services. An intruder can initiate a DoS attack in many ways, such as sending a large number of junk mails or a large number of IP request packets. However, there is no single measure for determining the identity of the intruder. Intruders employing DoS attacks make use of inherent weaknesses in communication technologies and the IP protocol. In fact, a DoS attack can be executed from any IP packet that is sent over a network.

You will now learn about some of the commonly used methods for initiating DoS attacks. These DoS attacks are:

    SYN flood

    Broadcast storm

    Smurf DoS

    Ping of death

    Mail bomb

    Spam mailing

FIGURE 1-6 Network congestion by hackers.

SYN Flood

A SYN flood is an attack in which the firewall is locked up by flooding it with incomplete TCP sessions. In this type of attack, all your TCP connections are used up, which prevents authorized users from accessing resources over TCP connections. Let us first briefly consider the working of a TCP connection.

To initiate a session, TCP uses a three-way handshake mechanism. The steps involved in establishing a TCP connection are as follows:

1. A host sends a data packet to some other host on the network. This data packet contains the host ID and is referred to as Synchronize Sequence Number (SYN).

2. The recipient host acknowledges the receipt of the data and checks the authenticity of the host ID. After authenticating the host ID, it replies to the host by sending a data packet known as Acknowledgement (ACK), along with the received SYN packet. Both these data packets combine to form the SYN-ACK data packet.

3. After receiving the SYN-ACK data packet from the recipient, the first host sends back the third data packet, or ACK.

The complete process involves only three steps (thus the term three-way handshake). TCP connections can lead to network congestion if someone sends a fake ID in the SYN packet. If a fake ID is sent, the receiving host never receives an acknowledgement. Eventually, the connection times out and the incoming channel becomes free to receive another request.

In a SYN flood attack, so many packets with fake IDs are sent that all incoming channels are tied up waiting for acknowledgements. As a result, there is no interface available for authorized users.
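The following model of a listener's half-open queue is an added illustration of the mechanism described above; it is not code from the book. The backlog size, the SYN-RECEIVED timeout and the packet trace are constructed values chosen so that the effect is visible in a few simulated seconds.

```python
"""Model of a TCP listener's half-open connection queue under a SYN flood.

Added illustration for the SYN flood section, not code from the book.
The listener, the timeout and the trace are constructed for the example.
"""
from dataclasses import dataclass, field

BACKLOG = 4          # constructed: slots for half-open connections
SYN_TIMEOUT = 30.0   # constructed: seconds an entry waits for the final ACK


@dataclass
class Listener:
    """Half-open (SYN-RECEIVED) queue keyed by client address."""
    backlog: int = BACKLOG
    syn_timeout: float = SYN_TIMEOUT
    half_open: dict = field(default_factory=dict)   # addr -> time SYN arrived
    established: list = field(default_factory=list)
    dropped: list = field(default_factory=list)     # (addr, time) refused SYNs

    def expire(self, now):
        """A spoofed source never sends step 3, so its entry sits until the
        timeout and only then frees the slot (the 'channel becomes free')."""
        for addr, t in list(self.half_open.items()):
            if now - t >= self.syn_timeout:
                del self.half_open[addr]

    def on_syn(self, addr, now):
        """Steps 1 and 2: queue the client and answer SYN-ACK if a slot is free."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped.append((addr, now))    # legitimate user gets no SYN-ACK
            return False
        self.half_open[addr] = now
        return True

    def on_ack(self, addr, now):
        """Step 3: the client's ACK completes the handshake."""
        self.expire(now)
        if addr in self.half_open:
            del self.half_open[addr]
            self.established.append(addr)
            return True
        return False


def replay(trace, listener=None):
    """Feed (time, kind, addr) events to a listener and return the listener."""
    listener = listener or Listener()
    for now, kind, addr in trace:
        if kind == "SYN":
            listener.on_syn(addr, now)
        elif kind == "ACK":
            listener.on_ack(addr, now)
    return listener


# Constructed trace: four SYNs with fake source IDs that are never followed
# by an ACK, a legitimate client refused while the queue is full, and the
# same client succeeding once the fake entries have timed out.
FLOOD_TRACE = [
    (0.0, "SYN", "10.0.0.1"), (0.1, "SYN", "10.0.0.2"),
    (0.2, "SYN", "10.0.0.3"), (0.3, "SYN", "10.0.0.4"),
    (1.0, "SYN", "192.0.2.7"), (1.2, "ACK", "192.0.2.7"),    # refused
    (31.0, "SYN", "192.0.2.7"), (31.2, "ACK", "192.0.2.7"),  # after timeout
]

if __name__ == "__main__":
    lst = replay(FLOOD_TRACE)
    print("refused:", lst.dropped)
    print("established:", lst.established)
```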

Broadcast Storms

A broadcast is a message that is sent to every computer on a network. Excessive broadcasts over a network increase network traffic. Such a condition is referred to as a broadcast storm.

In a broadcast storm, an intruder puts a large number of broadcast packets onto your network. However, these packets contain fake destination addresses. As a result, each computer forwards these packets to the specified fake destination address. These packets remain on the network, moving from one computer to another, until they completely choke the network. Tools such as finger, asping, and sendmail can be used or misused to initiate such broadcast storms.

Smurf DoS

In this DoS attack, an intruder uses a spoofed IP address and sends a large number of IP echo requests to the broadcast IP address of the network. Other computers on the network send their IP echo reply messages in response to the broadcast IP echo request. This results in an enormous amount of congestion on the network.

NOTE

Smurf attacks assume large proportions in the case of a multi-access broadcast storm. This is because, in such a situation, if there are hundreds of computers on a network, then each and every computer will reply to each echo request.

Ping of Death

Ping of death refers to the DoS attack in which an intruder floods the network with many large-sized Internet Control Message Protocol (ICMP) packets. These packets are sent to specific computers, though, not as broadcasts. The specific computer receives the ping command in fragments. On receiving the ping command, the computer tries to reassemble the fragments into one big packet. However, the size of the data packets is so large that they cannot fit into the computer's buffer. As a result, these large-sized ICMP packets cause an overflow, which might even lead to system damage, such as system crashes, frequent reboots, or protocol hangs.

NOTE

Intruders can send these large-sized ICMP packets from computers running Windows 95 or NT. The following command is used for this purpose:

ping -l 65500 -s 1

In this command,

-l 65500 is used to set the buffer size to 65500.

-s 1 is used to specify the time stamp for hop counts.

You can counter a ping attack by blocking pings to your computer. However, blocking all regular pings is not an advisable solution. Instead of blocking all pings, you can block only the fragmented pings. When you block fragmented pings, all pings that are bigger than the maximum transmission unit (MTU) size of your link are stopped. In addition, it allows regular pings of 64 bytes through on most systems.

Mail Bomb

A mail bomb attack is targeted at your mail server and disrupts its services by sending excessive mail. In this attack, attackers subscribe to various mailing lists on the Internet by using the e-mail IDs of numerous other users. Due to the subscriptions, identical copies of e-mail are sent to those e-mail addresses. In addition, mails that are capable of replicating themselves at the server end are sent. This causes the mail server to process all incoming mails.

A mail server might not be capable of handling such a large amount of traffic due to low bandwidth, low disk space, or other processing constraints. This puts the mail server in a looping process and might even lead to a server crash.

Spam Mailing

While a mail bomb attack is aimed at the mail server, spam mailing is aimed at users. Any unsolicited mail is called spam. For example, an attacker sends the same e-mail repeatedly to a user, with different subject headings, to get a prompt reply from the user. The user has to read through this unwanted mail.

Spam mailing can also use fake reply addresses in e-mail messages. It can also include the creation of unattended e-mail accounts. When you receive an e-mail from such an account and reply to it, the reply bounces back because the e-mail address does not exist or because the account is never accessed. Many reply addresses in a spam mail, or a self-replicating spam mail, affect mail services by causing congestion on the mail server.

Countermeasures for DoS Attacks

DoS attacks are becoming very popular with hackers. However, you can take the following measures to counter their attacks:

    Disable unused or unneeded services on the network.

    Maintain regular backup.

    Create, maintain, and monitor daily logs.

    Create appropriate password policies.

    Implement an Intrusion Detection System.

    Implement route filters to filter fragmented ICMP packets.

    Monitor physical security of your network resources.

    Configure filters for IP-spoofed packets.

    Install patches and fixes for TCP SYN attacks.

    Partition the file system to separate application-specific files from regular data.


Deploy tools, such as Tripwire, which detect changes in configuration information or other files.
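Three of the measures in the list above (filtering fragmented ICMP, filtering IP-spoofed packets, and the Smurf and ping-of-death countermeasures discussed earlier) can be expressed as packet-filter rules. The following is an added example, not code from the book; the internal network, the interface names, the MTU and the packet records are constructed for the illustration.

```python
"""Packet-filter rules for the DoS and spoofing countermeasures listed above.

Added example, not code from the book. Over constructed packet records it
drops fragmented or over-MTU ICMP (ping of death) while letting regular
64-byte pings through, drops echo requests to the directed broadcast
address (smurf), and drops packets entering from the Internet side that
claim an internal source (IP spoofing). Network, interface names and MTU
are assumptions for the example.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed site network
MTU = 1500                                              # assumed link MTU
ICMP_ECHO_REQUEST = 8


def decide(pkt):
    """Classify one packet record: ('accept', None) or ('drop', reason).

    Record keys: iface ('ext' for the Internet side, 'int' for the LAN),
    src, dst, proto ('icmp', 'tcp' or 'udp'), and for ICMP: icmp_type,
    length (IP datagram length in bytes) and fragmented (bool).
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    # Anti-spoofing: a packet from the Internet side can never legitimately
    # carry one of our own addresses as its source.
    if pkt["iface"] == "ext" and src in INTERNAL_NET:
        return ("drop", "spoofed internal source on external interface")

    if pkt["proto"] == "icmp":
        # Ping of death: only fragmented or oversized pings are blocked,
        # so ordinary 64-byte echo traffic keeps working.
        if pkt.get("fragmented") or pkt.get("length", 0) > MTU:
            return ("drop", "fragmented or oversized icmp")
        # Smurf: an echo request aimed at the directed broadcast address
        # would be answered by every host on the segment.
        if (pkt.get("icmp_type") == ICMP_ECHO_REQUEST
                and dst == INTERNAL_NET.broadcast_address):
            return ("drop", "echo request to directed broadcast")

    return ("accept", None)


def filter_packets(pkts):
    """Return (src, dst, verdict, reason) for each record."""
    return [(p["src"], p["dst"], *decide(p)) for p in pkts]


# Constructed sample records: a legitimate ping, a fragmented ping, a
# smurf-style broadcast ping, a spoofed packet and an ordinary TCP packet.
SAMPLE_PACKETS = [
    {"iface": "ext", "src": "203.0.113.5", "dst": "192.168.10.20",
     "proto": "icmp", "icmp_type": 8, "length": 84, "fragmented": False},
    {"iface": "ext", "src": "203.0.113.5", "dst": "192.168.10.20",
     "proto": "icmp", "icmp_type": 8, "length": 65500, "fragmented": True},
    {"iface": "ext", "src": "198.51.100.9", "dst": "192.168.10.255",
     "proto": "icmp", "icmp_type": 8, "length": 84, "fragmented": False},
    {"iface": "ext", "src": "192.168.10.20", "dst": "192.168.10.255",
     "proto": "icmp", "icmp_type": 8, "length": 84, "fragmented": False},
    {"iface": "ext", "src": "198.51.100.9", "dst": "192.168.10.20",
     "proto": "tcp"},
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```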

Modifying Information

The most common reasons for modifying information are:

Spreading rumors. Hackers can modify the contents of a Web site to spread false rumors.

Undermine organization effectiveness. Databases contain important information. The effectiveness of this data is the basis for the organization's future plans. If the contents of the database are modified, it can affect the present and future working of the organization. Therefore, to undermine the effectiveness of an organization, hackers can either enter false data or modify the contents of the existing data.

Figure 1-7 illustrates how a hacker can intercept information in transit and change its contents.

FIGURE 1-7 Modifying information.

To modify information, hackers can utilize the following two security lapses:

    Defacing Web sites

    DNS poisoning

Defacing Web Sites

Unauthorized modifications to the contents of a Web site, or defacing a Web site, have become a widespread menace. Defacement has been commonly used for propaganda, spreading misinformation, and rumors. To overcome this menace, organizations need to:

    Make their servers read-only.

    Separate their Web servers from application and database servers.

    Implement a strong authentication mechanism.

DNS Poisoning

DNS poisoning is a process in which the DNS server is given false information about the IP addresses in a domain. In other words, the DNS server is made to believe that the domain maps to different IP addresses. To prevent DNS poisoning, use the latest security features of DNS, password-protect the DNS, and allow only a few authorized persons to view the DNS information.

Thus, the list of ways and means to attack a system for hijacking information or disrupting network services is never ending. Windows 2000 is a powerful operating system with the architecture to provide a strong and flexible security framework. The following section will introduce you to the Windows 2000 core security features.

Windows 2000 Core Security Features: A Primer

Extensive access to public networks and the Internet by organizations and individuals calls for a powerful operating system on which to build the security infrastructure. To address this, Windows 2000 delivers an integrated set of tools and services. These tools allow administrators to control insider access to network resources as well as to protect the privacy of intercompany communications. Following are the functions provided by Windows 2000 Server:

Security management. Windows 2000 Server provides for security management by using the Active Directory directory service. Active Directory is a central place for storing information about the users, hardware, applications, and data on the network. It provides for management of user accounts, their access rights, and delegation of security administration. Active Directory also integrates the Windows 2000 security services, such as Encrypting File System (EFS), the Security Configuration Manager, Group Policy, public key infrastructure, and delegated administration.

Security at network logon. Windows 2000 starts data privacy and integrity at logon. Windows 2000 provides strong passwords and single sign-on to all network resources by using the Kerberos V5 authentication protocol.

Data security on the network. Windows 2000 ensures the security of data on your network by using authentication protocols. You can also encrypt your data traveling on the network for additional security. For data security in applications, encryption is provided by the Secure Sockets Layer (SSL) authentication protocol. All network communication can also be encrypted between all or specific clients by using Internet Protocol Security (IPSec).

Data security for communication across networks. Windows 2000 also provides support for data transmission taking place on internal networks, over the Internet, and over virtual private networks. Besides protecting the transactions happening within an organization's network, the organization can also protect business transactions across its network, set security limits for temporary employees, and restrict access to external partners.

NOTE

The security features introduced in the previous section are detailed in subsequent chapters of this book.

Windows 2000 Security Model

The Windows 2000 operating system provides two processor access modes to ensure that applications are not able to access the system hardware and operating system code directly. These modes are user and kernel. User mode is used to run applications, and kernel mode is used to run operating system functions.

This division ensures security in Windows 2000-based computers because it prevents applications from accessing low-level system drivers that are located in kernel mode. Access to kernel mode is secured. When an application needs to request system services located in kernel mo