Lesson 17-Windows 2000/Windows 2003 Server Security Issues
Jan 16, 2016
Lesson 17-Windows 2000/Windows 2003 Server Security Issues
Overview
Set up the system.
Special configuration issues for Windows 2003.
Manage users.
Manage the system.
Use active directory.
Set up the System
Windows 2000 adds some significant security features over
those available under Windows NT.
Windows 2000 is not secure out of the box.
Configuration settings should be made before using the
system to make it more secure.
Set up the System
Configuration settings are divided into:
Local security policy settings.
System configuration settings.
Local Security Policy Settings
Local policy editor GUI tool allows for setting local security
policies.
This tool should be used to make common Registry setting
changes.
Logon message can be configured using Message Text for
Users Attempting to Log On or Message Title for Users
Attempting to Log On settings.
Local Security Policy Settings
Virtual memory pagefile contains important system
information like encryption keys or password hashes.
The Clear Virtual Memory Pagefile When System Shuts
Down setting must be enabled to clear system pagefile on
shutdown.
The Allow System to Be Shut Down Without Having to Log
On setting should be disabled.
Local Security Policy Settings
LAN Manager Authentication system allows Windows 2000
servers to work with Windows 95 and Windows 98 clients.
NT or Windows 2000 authentication systems are called
NTLM v2.
The use of NTLM v2 authentication must be enforced since
LAN Manager Authentication system is weaker than NTLM
v2.
Local Security Policy Settings
Additional Restrictions for Anonymous Connections settings
can prevent null user sessions from gaining information
about users on a system.
Windows 2003 Server has additional Software Restriction
Policies that are not available in Windows 2000.
An administrator can restrict the software run on local
system, thus preventing untrusted software from running.
System Configuration Settings
Windows 2000 introduces following new features:
File systems.
Network settings.
Account settings and Service packs and hot-fixes.
File Systems
FAT file systems should be converted to NTFS to allow for
file permissions.
Windows 2000 ships with a NTFS-5 version which comes
with a new set of individual permissions.
Encrypting File System (EFS) protects sensitive files if an
intruder boots a system using another operating system.
Network Settings
Administrative shares like C$, D$, IPC$, ADMIN$, and
NETLOGON can be used to brute-force an attack, but should
not be turned off. Windows 2000 have standard Windows
ports (135, 138, and 139).
Windows 2000 adds port 88 for Kerberos, port 445 for SMB
over IP, port 464 for Kerberos kpasswd, and port 500 (UDP
only) for Internet Key Exchange (IKE).
Windows 2000 uses only domain controllers (DCs).
Account Settings and Service Packs and Hot-Fixes
Windows NT comes with administrator and guest accounts
by default.
These accounts can be renamed by using the Local Security
Settings tool.
Account Settings and Service Packs and Hot-Fixes
Password policy and account lockout policy are configured
using Local Security Settings tool as per the organization’s
security policy.
Service packs and hot-fixes should be implemented within
an organization after appropriate testing.
Special configuration issues for Windows 2003
Following post-setup areas should be configured properly:
Terminal Services.
Software restrictions and .NET framework configurations.
Terminal Services
By default, Windows 2003 Server provides Remote Desktop
for Administration.
Low, Client Compatible, High, and FIPS Compliant are levels
of encryption used to protect data sent between client and
server.
Terminal Services
Logon settings can be used to specify logon credentials to
be used by default when clients connect to the terminal
server.
Network Adapter settings can be used to determine which
network adapters the service will listen on.
Software Restrictions and .NET Framework configurations
Software restrictions must be configured properly post-
setup.
.NET Framework Configuration tool can be used to control
an application’s access to protected resources.
Security systems use enterprise, machine, and user policy
levels to determine the permissions that an assembly
receives.
Manage Users
Management of users on a Windows 2000 system is critical
to the security of the system and the organization.
Proper procedures must be there to identify the proper
permissions each new user should receive.
Procedures must make sure that an employee loses access
rights to the organization’s systems after leaving the
organization.
Manage Users
Adding users to the system:
User Management procedures should be used to add new
users to the system.
These procedures define who may request new accounts and
who may approve these requests.
New users are added to a system or domain through the
Computer Management tool.
Manage Users
Adding users to the system (continued):
Each user should have a unique user ID and own account.
Multiple users should not be given access to the same user ID.
New users should be forced to change their password the first
time they log in.
An account must be added to the appropriate groups once it
has been created.
Manage Users
Setting file permissions and removing users from the system:
Groups should be used to set permission on files and shares.
When users leave an organization, their account must be
disabled immediately using the Computer Management tool.
In case the account contains any important files, the user’s
superior should access and copy them within 30 days.
After 30 days the account should be removed from the system.
Manage the System
Security is important when a system is configured and set
up as well as in day-to-day operations.
The best security mechanism is an administrator who is
paying attention to his systems.
Auditing a system, using log files, and looking for suspicious
signs enhances the administrator’s ability to detect security
problems.
Manage the System
The secedit command:
secedit command can be used to manage the security policy
on a large number of systems.
It provides analysis, configuration, validation, refresh, and
export capabilities.
Analysis - The policy on the system in question is analyzed and
compared to a provided policy.
Manage the System
The secedit command (continued):
Configuration - The policy on the system in question is
changed to match a provided policy.
Validation - A security configuration file can be validated.
Refresh - secedit provides a mechanism to refresh the system
security policy.
Export - secedit can be used to export a configuration from a
security database to a security template.
Manage the System
Auditing a system - The audit policy should be set according
to the organization’s security policy using Local Security
Settings tool.
Log files - Administrators should look at the log files and
back them up on a regular basis.
Manage the System
Looking for suspicious signs:
Security event log shows failed login attempt entries which
indicate brute-force intrusion.
File access failures may indicate an authorized user who is
attempting to access sensitive files.
On Windows 2000 system with audit turned on, the event logs
should never be empty.
Manage the System
Looking for suspicious signs (continued):
Missing log files may indicate intrusion.
If an intruder attempts to modify entries in log files, a gap
would be found in the log file.
System administrators should periodically examine the Task
Manager to see if any unknown processes like CMD are
running.
Use Active Directory
Active Directory (AD) is the center of Windows 2000/2003
security.
AD is a directory service with scalable domain structure.
Each domain in AD has its own security policies and security
relationships with other domains.
Key components of AD are Global Catalog, schema, domain,
organizational unit (OU), Group Policies, and trust relationships.
Use Active Directory
All domains in the AD share a common configuration, schema,
and Global Catalog (GC).
GC contains replica of domains, schema, and configuration
naming contexts.
Schema defines what objects and attributes can be stored in the
AD.
Domain is a group of computers that form administrative
boundary for users, groups, computers, and organizational units.
Use Active Directory
OUs are smallest atomic administrative units that exist in
the AD and form security boundaries.
Group Policies provide the ability to group security and
configuration settings into templates.
Trust relationships allow information, such as user security
IDs, in one domain to be used in another.
Use Active Directory
Secure setup and installation.
Administration.
Group policy and security.
AD user and group management.
Secure Setup and Installation
Selection of the Permissions Compatible with Pre-Windows
2000 Server option is an important security issue when
setting up AD.
This option should not be set if supporting pre-Windows
2000 system is not required.
It must be ensured that users have strong passwords and
systems are protected from untrusted networks.
Administration
Primary tools for administration:
Active Directory Domains and Trusts.
Active Directory Sites and Services.
Active Directory Users and Computers.
ADSIEdit.
Group Policy and Security
Configurations Options and Default GPOs.
Configuration Settings in the Group Policy.
Group Policy Additions in Windows 2003 Group Policy.
Precedence and loopback.
Inheritance.
Group Policy Management Tools.
Configurations Options and Default GPOs
Group Policies are split into User and Computer sections.
User configuration includes the desktop settings, security
settings, and logon/logoff scripts.
Computer configuration configures the running system
environment, including service settings, security settings, and
startup/shutdown scripts.
Default Group Policies are Default Domain Policy and Default
Domain Controller Policy.
Configuration Settings in the Group Policy
Group Policy Object Editor
Configuration Settings in the Group Policy
User configuration includes:
Windows Settings: Internet Explorer Maintenance: Security.
Windows Settings: Scripts.
Administrative Templates: Windows Components: Windows
Explorer.
Configuration Settings in the Group Policy
User configuration includes:
Administrative Templates: Windows Components: Windows
Installer.
Administrative Templates: Start Menu and Taskbar.
Administrative Templates: Desktop.
System: Group Policy.
Configuration Settings in the Group Policy
Computer configuration includes:
Account Policies: Password Policy
Account Policies: Account Lockout Policy
Local Policies: Audit Policies
Local Policies: User Rights Assignment
Configuration Settings in the Group Policy
Computer configuration includes (continued):
Local Policies: Security Options
Event Log: Settings for Event Logs
Restricted Groups: Members of Restricted Group
Restricted Groups: Restricted Group Is Member Of
IP Security Policies
Group Policy Additions in Windows 2003 Group Policy
Two items of Group Policy are Software Restriction Policies
and Wireless Network (IEEE 802.11) Policies.
Wireless Network Policies allow administrators to manage
wireless network policies, define preferred wireless
networks, and define 802.1X authentication for any system.
Precedence and Loopback
The system follows the order of precedence, on system
boot and on user login, in Group Policy
evaluation/application.
By default, GPs are applied on the basis of the location of
the object being configured.
Loopback processing overrides this feature for users.
Inheritance
Policies are inherited from the furthest to the closest with
the closer (lower) having precedence.
Order of evaluation is Local Security Policy, Site Group
Policies, Domain Group Policies, and OU Group Policies.
Group Policy Management Tools
Group Policy Management Console tool is MMC snap-in and
set of scripts.
Scripts are intended to provide a single interface to manage
Group Policy across an enterprise.
Group Policy Management Tools
Group Policy Management Console provides a tool for
determining “resultant” policy for a given user and/or
system.
Resultant Set of Policy (RSoP) is a tool to make
implementing and troubleshooting policies easier.
AD User and Group Management
Account Policy via Group Policy and user restrictions in the
User account properties ensure appropriate security
settings.
Active Directory Users and Computers snap-in is used to
manage the users, groups, and things such as OUs for
domains.
Summary
Configuration settings like Local security policy settings and
System configuration settings make the system more
secure.
Local policy editor GUI tool allows for setting local security
policies.
System Configuration Settings include file systems, network
settings, account settings, and service packs and hot-fixes.
Summary
Managing users in a system involves adding and removing
users and setting file permissions.
Managing a system includes auditing a system, using log
files, and looking for suspicious signs to detect security
problems.
Summary
secedit command provides analysis, configuration,
validation, refresh, and export capabilities to manage the
security policy.
Active Directory (AD) is the center of Windows 2000/2003
security.