Lesson 17-Windows 2000/Windows 2003 Server Security Issues
Page 1: Lesson 17-Windows 2000/Windows 2003 Server Security Issues.


Page 2.

Overview

Set up the system.

Special configuration issues for Windows 2003.

Manage users.

Manage the system.

Use Active Directory.

Page 3.

Set up the System

Windows 2000 adds significant security features beyond those available under Windows NT, but it is not secure out of the box.

Security configuration settings should be applied before the system is placed into service.

Page 4.

Set up the System

Configuration settings are divided into:

Local security policy settings.

System configuration settings.

Page 5.

Local Security Policy Settings

The Local Security Policy editor (an MMC snap-in) is the GUI tool for setting local security policies.

It should be used for the common security-related Registry changes rather than editing the Registry directly; each policy name maps to a specific Registry value, and the editor keeps the two consistent.

A logon banner is configured with the Message Text for Users Attempting to Log On and Message Title for Users Attempting to Log On settings. The banner is shown before the credentials prompt and is mainly a legal notice, not a technical control.

Page 6.

Local Security Policy Settings

The virtual memory pagefile can contain sensitive data that was paged out of memory, such as encryption keys or password hashes.

Enable Clear Virtual Memory Pagefile When System Shuts Down so the pagefile is overwritten at shutdown. This lengthens shutdown and does nothing for a machine that is powered off abruptly or whose disk is removed while it is running, so it complements rather than replaces physical protection of the server.

Disable Allow System to Be Shut Down Without Having to Log On so that only an authenticated user can shut the server down from the logon screen.

Page 7.

Local Security Policy Settings

The LAN Manager Authentication Level setting controls which challenge/response protocols the server sends and accepts: LAN Manager (LM), the legacy scheme that lets Windows 2000 servers work with Windows 95 and Windows 98 clients; NTLM, introduced with Windows NT; and NTLMv2, introduced in Windows NT 4.0 SP4 and supported by Windows 2000.

LM authentication is far weaker than NTLMv2 (the LM hash is derived from the password uppercased and split into two 7-character halves, so it can be cracked piecewise), so NTLMv2 should be enforced and LM responses refused.

Windows 95/98 clients can use NTLMv2 once the Directory Services Client (DSClient) is installed, so enforcing NTLMv2 does not have to mean dropping those clients.

Page 8.

Local Security Policy Settings

The Additional Restrictions for Anonymous Connections setting (RestrictAnonymous) prevents null-session users from enumerating the users, groups, and shares on a system. Windows Server 2003 splits this into separate Network Access options (for example, Do Not Allow Anonymous Enumeration of SAM Accounts and Shares).

Windows Server 2003 adds Software Restriction Policies, which are not available in Windows 2000.

With them an administrator can restrict which software may run on the local system, preventing untrusted programs from executing.
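The settings on pages 5 to 8 are stored as Registry values, which makes them easy to verify from a script. The following PowerShell audit is an added example, not part of the lesson: it reads each value and compares it with a hardened baseline. The value names and paths are the ones the Local Security Policy editor actually writes; the acceptable values are this example's assumptions, not values stated by the lesson. Run it in an elevated prompt on the server being checked.

```powershell
# Added example (not from the lesson): audit the Security Options on pages 5-8 by
# reading the Registry values that back them. Expected values are this example's baseline.

$Lsa            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MemMgmt        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$WinLogonPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: the policy name as shown in the Local Security Policy editor, the Registry
# location that backs it, and a predicate that returns $true when the stored value is acceptable.
$Baseline = @(
    @{ Policy = 'Clear virtual memory pagefile when system shuts down'
       Path   = $MemMgmt;        Name = 'ClearPageFileAtShutdown'
       Ok     = { param($v) $v -eq 1 } }
    @{ Policy = 'Allow system to be shut down without having to log on'
       Path   = $WinLogonPolicy; Name = 'ShutdownWithoutLogon'
       Ok     = { param($v) $v -eq 0 } }
    @{ Policy = 'LAN Manager authentication level'
       Path   = $Lsa;            Name = 'LmCompatibilityLevel'
       # 5 = send NTLMv2 only, refuse LM and NTLM; 4 = send NTLMv2 only, refuse LM
       Ok     = { param($v) $v -ge 4 } }
    @{ Policy = 'Additional restrictions for anonymous connections'
       Path   = $Lsa;            Name = 'RestrictAnonymous'
       # Windows 2000: 2 = no access without explicit anonymous permissions.
       # Windows Server 2003 uses RestrictAnonymous=1 together with RestrictAnonymousSAM=1.
       Ok     = { param($v) $v -ge 1 } }
    @{ Policy = 'Message text for users attempting to log on'
       Path   = $WinLogonPolicy; Name = 'legalnoticetext'
       Ok     = { param($v) -not [string]::IsNullOrEmpty($v) } }
)

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # A missing key or value means the policy was never set, i.e. the Windows default applies.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$Findings = foreach ($b in $Baseline) {
    $actual = Get-RegValueOrNull $b.Path $b.Name
    if ($null -eq $actual)      { $status = 'NOT SET' }
    elseif (& $b.Ok $actual)    { $status = 'OK' }
    else                        { $status = 'WEAK' }
    New-Object PSObject -Property @{ Status = $status; Policy = $b.Policy; Value = $actual }
}

$Findings | Format-Table Status, Policy, Value -AutoSize

# Non-zero exit when anything needs attention, so the script can run as a scheduled check.
if ($Findings | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

NOT SET is reported separately from WEAK on purpose: an absent value means nobody has ever made a decision about that policy, which on a server that is supposed to have been hardened is itself a finding.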

Page 9.

System Configuration Settings

System configuration settings cover the following areas:

File systems.

Network settings.

Account settings.

Service packs and hot-fixes.

Page 10.

File Systems

FAT file systems should be converted to NTFS (convert.exe does this in place) so that file permissions can be applied; FAT has no access control at all.

Windows 2000 ships with NTFS 5, which adds a finer-grained set of individual permissions and per-object auditing entries.

The Encrypting File System (EFS) protects sensitive files if an intruder boots the system from another operating system and reads the disk directly, bypassing NTFS permissions. On a standalone Windows 2000 system the local Administrator is the default recovery agent, so an attacker who can reset that account's password offline can also decrypt the files; export the recovery agent's private key, remove it from the machine, and keep it offline.

Page 11.

Network Settings

Administrative shares (C$, D$, IPC$, ADMIN$, and NETLOGON on domain controllers) are a target for password brute-force attacks over SMB, but they should not be turned off because management tools depend on them; restrict who can reach them instead.

Windows NT listens on the standard NetBIOS and RPC ports (135, 137, 138, and 139).

Windows 2000 adds port 88 for Kerberos, port 445 for SMB directly over TCP/IP, port 464 for Kerberos kpasswd (password changes), and port 500 (UDP only) for Internet Key Exchange (IKE), used by IPsec.

Windows 2000 has no primary/backup domain controller distinction: all domain controllers (DCs) are peers that replicate the directory among themselves.

Page 12.

Account Settings and Service Packs and Hot-Fixes

Windows NT and Windows 2000 come with built-in Administrator and Guest accounts by default.

These accounts can be renamed using the Local Security Settings tool (the Rename Administrator Account and Rename Guest Account options); the Guest account should stay disabled.

Renaming is a speed bump rather than a control: the built-in Administrator keeps its well-known relative identifier (RID 500), so its current name can be looked up from the SID wherever anonymous enumeration is still permitted.

Page 13.

Account Settings and Service Packs and Hot-Fixes

Password policy (minimum length, history, maximum age, complexity) and account lockout policy (threshold, duration, counter reset) are configured using the Local Security Settings tool according to the organization's security policy.

Service packs and hot-fixes should be deployed across the organization after appropriate testing; an unpatched server remains exposed to publicly known exploits however carefully the rest of it is configured.

Page 14.

Special configuration issues for Windows 2003

The following post-setup areas should be configured properly:

Terminal Services.

Software restrictions and .NET Framework configuration.

Page 15.

Terminal Services

Windows Server 2003 provides Remote Desktop for Administration out of the box (installed, but disabled until an administrator turns it on).

Low, Client Compatible, High, and FIPS Compliant are the encryption levels used to protect data sent between client and server. Low encrypts only data sent from the client to the server (56-bit), so screen contents returned to the client travel in the clear; Client Compatible uses the strongest key the client supports in both directions; High requires 128-bit encryption and refuses clients that cannot provide it; FIPS Compliant uses only FIPS 140-1 validated algorithms. Servers holding sensitive data should use High or FIPS Compliant.

Page 16.

Terminal Services

Logon settings can specify logon credentials to be used by default when clients connect to the terminal server. Do not pre-populate them; select Always Prompt for Password so that a stolen connection file or a shared client cannot log on unattended.

Network Adapter settings determine which network adapters the service listens on; bind RDP to a management interface rather than to every adapter, and restrict the listener with IPsec or firewall rules where possible.

Page 17.

Software Restrictions and .NET Framework configurations

Software restrictions must be configured properly post-setup.

The .NET Framework Configuration tool (code access security) controls a managed application's access to protected resources such as the file system, Registry, and network.

The security system uses enterprise, machine, and user policy levels to determine the permissions an assembly receives. The effective grant is the intersection of what all levels allow, so any one level can remove a permission but none can add one that another level denies.

Page 18.

Manage Users

Management of users on a Windows 2000 system is critical to the security of the system and the organization.

Proper procedures must exist to identify the permissions each new user should receive.

Procedures must also ensure that an employee loses access rights to the organization's systems as soon as they leave the organization.

Page 19.

Manage Users

Adding users to the system:

User management procedures should be used to add new users to the system.

These procedures define who may request new accounts and who may approve those requests.

New users are added to a standalone system through the Computer Management tool (Local Users and Groups) and to a domain through Active Directory Users and Computers.

Page 20.

Manage Users

Adding users to the system (continued):

Each user should have a unique user ID and their own account.

Multiple users should not share a single user ID; a shared account makes the audit log useless for attributing actions to a person.

New users should be forced to change their password the first time they log in.

Once created, an account must be added to the appropriate groups, and to no others.

Page 21.

Manage Users

Setting file permissions and removing users from the system:

Groups should be used to set permissions on files and shares, rather than granting rights to individual accounts.

When users leave the organization, their account must be disabled immediately using the Computer Management tool.

If the account holds any important files, the user's superior should access and copy them within 30 days.

After 30 days the account should be removed from the system. Deleting an account destroys its SID; a new account with the same name receives a different SID, so permissions that referenced the old account become orphaned entries rather than carrying over.
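The account lifecycle on pages 19 to 21 (create with a forced password change, add to groups, disable on departure, delete after the 30-day retention period), scripted against the local account database with the ADSI WinNT provider, which is the same store Computer Management edits. This is an added example, not the lesson's own material. The user name, group names, initial password, and the DISABLED marker kept in the account description are assumptions of this example; for a domain the same operations go through Active Directory Users and Computers or the LDAP provider instead.

```powershell
# Added example, not from the lesson. Operates on the local SAM via the ADSI WinNT
# provider; run in an elevated prompt. Names, groups and the description marker are assumptions.

$Computer = $env:COMPUTERNAME
$ADS_UF_ACCOUNTDISABLE = 0x2   # userFlags bit meaning "account is disabled"

function New-LocalUserAccount([string]$Name, [string]$InitialPassword, [string[]]$Groups) {
    # Page 20: one account per person, forced password change at first logon,
    # then membership in exactly the groups the approved request named.
    $sam  = [ADSI]"WinNT://$Computer"
    $user = $sam.Create('user', $Name)
    $user.SetPassword($InitialPassword)
    $user.SetInfo()
    $user.Put('PasswordExpired', 1)          # "User must change password at next logon"
    $user.SetInfo()
    foreach ($g in $Groups) {
        $group = [ADSI]"WinNT://$Computer/$g,group"
        $group.Add($user.Path)
    }
}

function Disable-LocalUserAccount([string]$Name) {
    # Page 21: disable immediately on departure. The date is recorded in the
    # description so the retention job below knows when the 30 days are up.
    $user = [ADSI]"WinNT://$Computer/$Name,user"
    $user.UserFlags    = [int]$user.UserFlags.Value -bor $ADS_UF_ACCOUNTDISABLE
    $user.Description  = "DISABLED $(Get-Date -Format yyyy-MM-dd) left organization"
    $user.SetInfo()
}

function Remove-ExpiredDisabledAccounts([int]$RetentionDays = 30) {
    # Page 21: once the retention period (time for the superior to copy any files) has
    # passed, delete the account. Snapshot the list first so deleting does not disturb enumeration.
    $sam   = [ADSI]"WinNT://$Computer"
    $users = @($sam.Children | Where-Object { $_.SchemaClassName -eq 'user' })
    foreach ($u in $users) {
        $desc = [string]$u.Description.Value
        if ($desc -match '^DISABLED (\d{4}-\d{2}-\d{2})') {
            $disabledOn = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd', $null)
            if ((Get-Date) -gt $disabledOn.AddDays($RetentionDays)) {
                $name = [string]$u.Name
                Write-Output "Removing $name (disabled $($matches[1]))"
                $sam.Delete('user', $name)
            }
        }
    }
}

# Lifecycle for one hypothetical employee; uncomment on a test system.
# New-LocalUserAccount -Name 'jdoe' -InitialPassword 'Chang3-Me-T0day!' -Groups @('Users', 'Finance')
# Disable-LocalUserAccount -Name 'jdoe'
# Remove-ExpiredDisabledAccounts -RetentionDays 30
```

Disabling first and deleting later is what preserves the option to recover the user's files: while the account is only disabled its SID still exists, so the superior can be granted access to the files and ownership can be taken cleanly. The retention job is meant to run on a schedule and will only ever touch accounts that carry the DISABLED marker it wrote itself.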

Page 22.

Manage the System

Security matters when a system is configured and set up, and just as much in day-to-day operations.

The best security mechanism is an administrator who pays attention to their systems.

Auditing a system, using log files, and looking for suspicious signs enhance the administrator's ability to detect security problems.

Page 23.

Manage the System

The secedit command:

The secedit command-line tool can be used to manage the security policy on a large number of systems, because it works from security templates (.inf files) and can be scripted.

It provides analysis, configuration, validation, refresh, and export capabilities.

Analysis - The policy on the system in question is analyzed and compared to a provided policy (template); mismatches are written to a log and nothing on the system is changed.

Page 24.

Manage the System

The secedit command (continued):

Configuration - The policy on the system in question is changed to match a provided policy.

Validation - A security configuration file (template) can be checked for syntax errors before it is applied.

Refresh - secedit provides a mechanism to refresh the system security policy (secedit /refreshpolicy on Windows 2000; Windows Server 2003 replaced it with gpupdate).

Export - secedit can export a configuration from a security database to a security template, which can then be applied to other systems.
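A worked run of the five secedit operations above, together with a security template that carries the account and audit policy from pages 12 and 13 and the Security Options from pages 5 to 8. This is an added example, not from the lesson; the directory, file names, and the specific policy values are this example's choices, while the template sections and the secedit switches are the standard ones on Windows 2000/2003. Run in an elevated prompt.

```powershell
# Added example, not from the lesson. Paths and values are this example's choices.
# Template format is the standard security template (.inf). In [Registry Values] each
# line is  path=type,value  where type 4 = REG_DWORD and 1 = REG_SZ. Run elevated.

$Work     = 'C:\SecTemplates'
$Template = Join-Path $Work 'baseline.inf'
$Db       = Join-Path $Work 'baseline.sdb'
$Log      = Join-Path $Work 'secedit.log'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Account policy (pages 12-13): password and lockout policy, renamed built-in accounts
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "srvadm"
NewGuestName = "visitor"
EnableGuestAccount = 0
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditSystemEvents = 3
[Registry Values]
; Security Options (pages 5-8) as stored in the Registry.
; RestrictAnonymous=2 is the Windows 2000 "no access without explicit anonymous permissions";
; on Windows Server 2003 use RestrictAnonymous=4,1 plus RestrictAnonymousSAM=4,1 instead.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"This system is for authorized users only. Activity is logged."
'@ | Set-Content -Path $Template -Encoding Unicode

# Validation: catch template syntax errors before anything is touched.
secedit /validate $Template

# Analysis: compare the live machine with the template. Nothing is changed; differences go
# to the log and into the database, which the Security Configuration and Analysis snap-in can browse.
secedit /analyze /db $Db /cfg $Template /overwrite /log $Log /quiet
Select-String -Path $Log -Pattern 'Mismatch|Not Configured' | Select-Object -First 20

# Configuration: apply the template. Test on a non-production system first. /areas SECURITYPOLICY
# limits the change to account, audit, event log and Security Options settings
# (other areas: USER_RIGHTS, GROUP_MGMT, REGKEYS, FILESTORE, SERVICES).
secedit /configure /db $Db /cfg $Template /overwrite /areas SECURITYPOLICY /log $Log /quiet

# Export: write the configuration held in the database back out as a template that can be
# version-controlled and pushed to the rest of the servers.
secedit /export /db $Db /cfg (Join-Path $Work 'exported.inf') /log $Log

# Refresh: re-apply machine policy now instead of waiting for the next policy interval.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -eq 0) {
    secedit /refreshpolicy machine_policy /enforce     # Windows 2000
} else {
    gpupdate /target:computer /force                   # Windows Server 2003
}
```

The analyze step is the one worth scheduling: run against an unchanged template it reports drift from the baseline without risk, whereas configure should only run after the analysis log has been reviewed, since a template also resets settings an administrator may have changed deliberately.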

Page 25.

Manage the System

Auditing a system - The audit policy should be set according to the organization's security policy using the Local Security Settings tool. Object access auditing only produces events for files and Registry keys that also carry an audit entry (SACL) of their own.

Log files - Administrators should review the log files and back them up on a regular basis, and size the logs so that they do not wrap and overwrite entries before they have been reviewed.

Page 26.

Manage the System

Looking for suspicious signs:

Repeated failed logon entries in the Security event log indicate a brute-force intrusion attempt, especially many failures against one account from one source in a short period.

File access failures may indicate a legitimately logged-on user who is attempting to access sensitive files they are not permitted to see.

On a Windows 2000 system with auditing turned on, the event logs should never be empty.

Page 27.

Manage the System

Looking for suspicious signs (continued):

Missing log files may indicate an intrusion.

If an intruder deletes entries from a log file, a gap appears in the otherwise continuous sequence of events.

System administrators should periodically examine Task Manager for unexpected processes, for example a cmd.exe running under the SYSTEM account or a service account with no interactive session, which can be the shell of a remote intruder.
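The "suspicious signs" on pages 26 and 27 expressed as detection logic, added here as an example that is not part of the lesson. It runs over constructed sample events so it can be tried offline; the event IDs are the Windows 2000/2003 Security log IDs (528 successful logon, 529 logon failure, 539 account locked out, 560 object open, 517 audit log cleared). On a live server the same function runs over Get-EventLog -LogName Security; extracting the User and Source fields from the Message text is not shown because the message layout differs between Windows 2000 and Windows Server 2003.

```powershell
# Added example, not from the lesson. Pre-Vista Security log event IDs:
#   528 successful logon, 529 logon failure, 539 account locked out,
#   560 object open (a FailureAudit here is a denied file access), 517 audit log cleared.

function New-SecEvent([string]$Time, [int]$Id, [string]$Type, [string]$User, [string]$Source, [string]$Detail) {
    # Normalised event shape used by the detector. On a live server build these from
    # Get-EventLog -LogName Security (TimeGenerated, EventID, EntryType, Message).
    New-Object PSObject -Property @{
        Time = [datetime]$Time; Id = $Id; Type = $Type; User = $User; Source = $Source; Detail = $Detail
    }
}

function Find-SuspiciousSigns {
    param(
        [object[]]$Events,
        [int]$FailedLogonThreshold = 5,   # failures from one source against one account
        [int]$MaxQuietHours = 6           # an audited server should never be silent this long
    )
    if (-not $Events -or $Events.Count -eq 0) {
        return @('EMPTY: auditing is on but the Security log has no entries; suspect it was cleared or auditing was switched off')
    }
    $alerts = @()

    # Brute force: many 529 failures against one account from one workstation.
    $Events | Where-Object { $_.Id -eq 529 } |
        Group-Object -Property User, Source |
        Where-Object { $_.Count -ge $FailedLogonThreshold } |
        ForEach-Object {
            $first = $_.Group[0]
            $alerts += "BRUTE-FORCE: $($_.Count) failed logons for '$($first.User)' from $($first.Source)"
        }

    # Lockouts and log clearing are single-event alerts.
    $Events | Where-Object { $_.Id -eq 539 } |
        ForEach-Object { $alerts += "LOCKOUT: account '$($_.User)' locked out after failures from $($_.Source)" }
    $Events | Where-Object { $_.Id -eq 517 } |
        ForEach-Object { $alerts += "LOG-CLEARED: Security log cleared by '$($_.User)' at $($_.Time)" }

    # Denied file access by a logged-on user (needs object access auditing and a SACL on the file).
    $Events | Where-Object { $_.Id -eq 560 -and $_.Type -eq 'FailureAudit' } |
        ForEach-Object { $alerts += "ACCESS-DENIED: '$($_.User)' from $($_.Source) failed to open $($_.Detail)" }

    # Gaps: an audited server logs continuously; a long silence suggests entries were removed.
    $sorted = @($Events | Sort-Object Time)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = $sorted[$i].Time - $sorted[$i - 1].Time
        if ($gap.TotalHours -gt $MaxQuietHours) {
            $alerts += "GAP: no events between $($sorted[$i - 1].Time) and $($sorted[$i].Time) ($([int]$gap.TotalHours) h)"
        }
    }
    return $alerts
}

# Constructed sample log (not real data): a night-time password-guessing run against the
# administrator account that ends in a lockout, a denied access to a payroll file, and a cleared log.
$sample = @(
    (New-SecEvent '2004-03-08 01:00:00' 528 'SuccessAudit' 'backupsvc'     'SRV01'  'Logon Type 4 (batch)'),
    (New-SecEvent '2004-03-08 02:10:01' 529 'FailureAudit' 'administrator' 'WKS-17' 'Unknown user name or bad password'),
    (New-SecEvent '2004-03-08 02:10:09' 529 'FailureAudit' 'administrator' 'WKS-17' 'Unknown user name or bad password'),
    (New-SecEvent '2004-03-08 02:10:18' 529 'FailureAudit' 'administrator' 'WKS-17' 'Unknown user name or bad password'),
    (New-SecEvent '2004-03-08 02:10:27' 529 'FailureAudit' 'administrator' 'WKS-17' 'Unknown user name or bad password'),
    (New-SecEvent '2004-03-08 02:10:36' 529 'FailureAudit' 'administrator' 'WKS-17' 'Unknown user name or bad password'),
    (New-SecEvent '2004-03-08 02:10:45' 539 'FailureAudit' 'administrator' 'WKS-17' 'Account locked out'),
    (New-SecEvent '2004-03-08 07:58:12' 528 'SuccessAudit' 'jdoe'          'WKS-03' 'Logon Type 2 (interactive)'),
    (New-SecEvent '2004-03-08 09:15:22' 560 'FailureAudit' 'jdoe'          'WKS-03' 'C:\Finance\payroll.xls'),
    (New-SecEvent '2004-03-08 18:30:00' 517 'SuccessAudit' 'administrator' 'SRV01'  'The audit log was cleared')
)

Find-SuspiciousSigns -Events $sample
```

The gap detector is deliberately crude: it treats any silence longer than the threshold as suspicious, which on a quiet server also fires legitimately over a weekend. Tune MaxQuietHours to the server's normal rhythm (the backup job's logon at 01:00 in the sample is the kind of regular event that keeps the log "alive"), and treat a gap that ends in a 517 event as the strongest signal the log has to offer.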

Page 28.

Use Active Directory

Active Directory (AD) is the center of Windows 2000/2003 security.

AD is a directory service with a scalable domain structure.

Each domain in AD has its own security policies and its own security relationships with other domains.

The key components of AD are the Global Catalog, the schema, domains, organizational units (OUs), Group Policies, and trust relationships.

Page 29.

Use Active Directory

All domains in an AD forest share a common configuration, schema, and Global Catalog (GC).

The GC holds a full replica of its own domain plus a partial replica (a subset of attributes) of every other domain in the forest, together with the schema and configuration naming contexts.

The schema defines what objects and attributes can be stored in AD.

A domain is a group of computers that forms an administrative boundary for users, groups, computers, and organizational units.

Page 30.

Use Active Directory

OUs are the smallest administrative units in AD: containers to which administration can be delegated and Group Policy linked. They are administrative boundaries, not security boundaries (the forest is the security boundary).

Group Policies provide the ability to group security and configuration settings into templates (Group Policy Objects) that are linked to sites, domains, and OUs.

Trust relationships allow security information, such as user security IDs (SIDs), from one domain to be recognized and used for access control in another.

Page 31.

Use Active Directory

Secure setup and installation.

Administration.

Group policy and security.

AD user and group management.

Page 32.

Secure Setup and Installation

Selecting the Permissions Compatible with Pre-Windows 2000 Servers option is an important security decision when setting up AD: it adds Everyone (and with it anonymous users) to the Pre-Windows 2000 Compatible Access group, which can read user and group information from the directory.

This option should not be selected unless supporting pre-Windows 2000 systems (for example, Windows NT 4.0 RAS servers) is actually required.

It must be ensured that users have strong passwords and that domain controllers are protected from untrusted networks.

Page 33.

Administration

Primary tools for administration:

Active Directory Domains and Trusts.

Active Directory Sites and Services.

Active Directory Users and Computers.

ADSI Edit (a low-level editor of raw directory objects and attributes, from the Support Tools).

Page 34.

Group Policy and Security

Configuration Options and Default GPOs.

Configuration Settings in the Group Policy.

Group Policy Additions in Windows 2003 Group Policy.

Precedence and loopback.

Inheritance.

Group Policy Management Tools.

Page 35.

Configuration Options and Default GPOs

Group Policies are split into User and Computer sections.

User Configuration includes desktop settings, security settings, and logon/logoff scripts, applied when the user logs on.

Computer Configuration configures the running system environment, including service settings, security settings, and startup/shutdown scripts, applied when the computer starts.

The default Group Policies are the Default Domain Policy (linked to the domain; the domain's password and lockout policy live here) and the Default Domain Controllers Policy (linked to the Domain Controllers OU).

Page 36.

Configuration Settings in the Group Policy

Group Policy Object Editor

Page 37.

Configuration Settings in the Group Policy

User Configuration includes:

Windows Settings: Internet Explorer Maintenance: Security.

Windows Settings: Scripts.

Administrative Templates: Windows Components: Windows Explorer.

Page 38.

Configuration Settings in the Group Policy

User Configuration includes (continued):

Administrative Templates: Windows Components: Windows Installer.

Administrative Templates: Start Menu and Taskbar.

Administrative Templates: Desktop.

Administrative Templates: System: Group Policy.

Page 39.

Configuration Settings in the Group Policy

Computer Configuration includes (under Windows Settings: Security Settings):

Account Policies: Password Policy.

Account Policies: Account Lockout Policy.

Local Policies: Audit Policy.

Local Policies: User Rights Assignment.

Page 40.

Configuration Settings in the Group Policy

Computer Configuration includes (continued):

Local Policies: Security Options.

Event Log: Settings for Event Logs.

Restricted Groups: Members of Restricted Group.

Restricted Groups: Restricted Group Is Member Of.

IP Security Policies.

Page 41.

Group Policy Additions in Windows 2003 Group Policy

Two items added to Group Policy in Windows Server 2003 are Software Restriction Policies and Wireless Network (IEEE 802.11) Policies.

Wireless Network Policies allow administrators to manage wireless network settings centrally, define preferred wireless networks, and define 802.1X authentication for any system within the policy's scope.

Page 42.

Precedence and Loopback

The system follows a fixed order of precedence when evaluating and applying Group Policy: Computer Configuration at system boot, User Configuration at user logon.

By default, GPOs are applied on the basis of the location (site, domain, OU) of the object being configured: the computer's location for computer settings, the user's location for user settings.

Loopback processing overrides this for users: the User Configuration from the GPOs that apply to the computer is used instead of (Replace mode) or in addition to (Merge mode) the GPOs that apply to the user, which is how terminal servers and kiosks present the same user environment regardless of who logs on.

Page 43.

Inheritance

Policies are inherited from the furthest container to the closest, with the closer (lower) container having precedence when settings conflict.

The order of evaluation is Local Security Policy, Site Group Policies, Domain Group Policies, and OU Group Policies (parent OU before child OU), often abbreviated LSDOU.

Block Policy Inheritance on a domain or OU stops GPOs linked at higher containers from applying; a GPO link marked No Override (Enforced in the Group Policy Management Console) ignores such blocks and cannot be overridden by lower containers.
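A model of the precedence and inheritance rules on pages 42 and 43, added here as an example that is not the lesson's material: GPO links processed in LSDOU order, later links overriding earlier ones for the same setting, Block Policy Inheritance dropping everything inherited from above, and No Override links surviving blocks and beating lower links. The GPO names, containers, and settings are constructed for the example, and the LinkOrder field is this model's processing order within one container (higher processed later), not GPMC's link order.

```powershell
# Added example, not from the lesson. Constructed GPO links; LinkOrder is this model's
# processing order within a container (a higher number is processed later and wins ties).

function New-GpoLink {
    param([string]$Scope, [string]$Container, [int]$Depth, [int]$LinkOrder, [string]$Name,
          [hashtable]$Settings, [switch]$NoOverride, [switch]$BlocksInheritance)
    New-Object PSObject -Property @{
        Scope = $Scope; Container = $Container; Depth = $Depth; LinkOrder = $LinkOrder; Name = $Name
        Settings = $Settings; NoOverride = [bool]$NoOverride; BlocksInheritance = [bool]$BlocksInheritance
    }
}

function Resolve-EffectivePolicy([object[]]$Links) {
    $rank = @{ Local = 0; Site = 1; Domain = 2; OU = 3 }
    # LSDOU: local, site, domain, then OUs from the top of the tree down (smaller Depth first).
    $ordered = @($Links | Sort-Object @{ Expression = { $rank[$_.Scope] } }, Depth, LinkOrder)

    $effective = @{}          # setting name -> @{ Value; From }
    $lastContainer = $null
    foreach ($link in $ordered) {
        if ($link.Container -ne $lastContainer) {
            # Entering a new container: Block Policy Inheritance drops everything inherited so far.
            if ($link.BlocksInheritance) { $effective = @{} }
            $lastContainer = $link.Container
        }
        if ($link.NoOverride) { continue }    # enforced links are applied in the second pass
        foreach ($k in $link.Settings.Keys) {
            $effective[$k] = @{ Value = $link.Settings[$k]; From = $link.Name }   # closer link overrides
        }
    }

    # No Override links ignore blocks and cannot be overridden below them. Applying them from
    # the closest container back up to the furthest makes the highest enforced link win.
    $enforced = @($ordered | Where-Object { $_.NoOverride })
    [array]::Reverse($enforced)
    foreach ($link in $enforced) {
        foreach ($k in $link.Settings.Keys) {
            $effective[$k] = @{ Value = $link.Settings[$k]; From = $link.Name }
        }
    }
    return $effective
}

# Constructed scenario: a member server in OU=Lab under OU=Servers in domain corp.example.
$links = @(
    (New-GpoLink -Scope Local  -Container 'SRV01'             -Depth 0 -LinkOrder 1 -Name 'Local Security Policy' `
                 -Settings @{ MinimumPasswordLength = 8; LmCompatibilityLevel = 2 }),
    (New-GpoLink -Scope Domain -Container 'corp.example'      -Depth 0 -LinkOrder 1 -Name 'Default Domain Policy' `
                 -Settings @{ MinimumPasswordLength = 12; LockoutBadCount = 5 }),
    (New-GpoLink -Scope Domain -Container 'corp.example'      -Depth 0 -LinkOrder 2 -Name 'Corp Baseline' -NoOverride `
                 -Settings @{ LmCompatibilityLevel = 5; AuditLogonEvents = 'Success,Failure' }),
    (New-GpoLink -Scope OU     -Container 'OU=Servers'        -Depth 1 -LinkOrder 1 -Name 'Servers Hardening' `
                 -Settings @{ LockoutBadCount = 10; ShutdownWithoutLogon = 0 }),
    (New-GpoLink -Scope OU     -Container 'OU=Lab,OU=Servers' -Depth 2 -LinkOrder 1 -Name 'Lab Relaxed' -BlocksInheritance `
                 -Settings @{ MinimumPasswordLength = 6; LmCompatibilityLevel = 1 })
)

$rsop = Resolve-EffectivePolicy $links
$rsop.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-22} = {1,-16} (from {2})' -f $_.Name, $_.Value.Value, $_.Value.From
}
```

In the scenario the block on OU=Lab discards what came from the domain and from OU=Servers, while the No Override link at the domain survives it and also beats the Lab OU's own attempt to weaken LmCompatibilityLevel. Two real-world points the model leaves out: loopback processing (page 42) changes which links are selected for the user side, and password and lockout policy for domain accounts is only ever taken from GPOs linked at the domain, so an OU-linked password setting affects only the local account databases of the computers in that OU. For the authoritative answer on a real server, compare the model against gpresult or the RSoP snap-in.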

Page 44.

Group Policy Management Tools

The Group Policy Management Console (GPMC) is an MMC snap-in and a set of scripts (a separate download for Windows Server 2003).

The console provides a single interface for managing Group Policy across an enterprise, and the scripts automate common tasks such as backing up, restoring, and reporting on GPOs.

Page 45.

Group Policy Management Tools

The Group Policy Management Console provides a tool for determining the "resultant" policy for a given user and/or system.

Resultant Set of Policy (RSoP) makes implementing and troubleshooting policies easier by showing which GPO won for each setting (logging mode, what actually applied) and what would apply after a proposed change (planning mode); the command-line equivalent is gpresult.

Page 46.

AD User and Group Management

Account Policy via Group Policy and the user restrictions in the user account properties (logon hours, logon workstations, account expiration) together ensure appropriate security settings.

The Active Directory Users and Computers snap-in is used to manage the users, groups, and containers such as OUs for domains.

Page 47.

Summary

Configuration settings, both local security policy settings and system configuration settings, make the system more secure.

The Local Security Policy editor GUI tool allows for setting local security policies.

System configuration settings include file systems, network settings, account settings, and service packs and hot-fixes.

Page 48.

Summary

Managing users in a system involves adding and removing users and setting file permissions.

Managing a system includes auditing the system, using log files, and looking for suspicious signs to detect security problems.

Page 49.

Summary

The secedit command provides analysis, configuration, validation, refresh, and export capabilities for managing the security policy.

Active Directory (AD) is the center of Windows 2000/2003 security.