MS WINDOWS SECURITY

The Business Side of the Story

Security Planning - Business Considerations

  • Security planning involves tradeoffs: risk vs cost
  • Different costs:
    • Monetary cost
    • Employee time
    • Company morale
    • Internal politics
  • Factors to consider:
    • Company priorities
    • Legal considerations
    • Growth strategies
    • Profit and loss factors

Company Models

  • Regional Model - likely issues: dial up access, WAN links
  • National Model - likely issues: VPN, WAN links, Web site
  • International Model - likely issues: VPN, Web site
  • Subsidiary Model - likely issues: dial up access, VPN client, outgoing internet access
  • Branch Office Model - likely issues: dial up access, VPN client, WAN links, outgoing internet access

Security Planning - Technical Considerations

  • Ease of implementation
  • Ease of maintenance
  • Ease of administration
  • Ease of upgrade
  • Cost of implementation
  • IT administrative structure
  • Performance factors

Security planning process steps

  • Information gathering
  • Identification of needs and problems
  • Analysis of the existing administrative structures
  • Analysis of the technical requirements
  • Design of the new solutions
  • Implementation
  • Assessment and evaluation
  • Revision

Technical Requirements - Relevant Factors

  • Company size
  • User distribution
  • Resource distribution
  • Connectivity
  • Net available bandwidth
  • Performance requirements
  • Methods for accessing resources
  • Network roles and responsibilities
  • Technical support structure
  • Existing network structure
  • Planned network structure

Security Related Costs in the context of TCO

  • An Inventory of all the COSTS:
    • Equipment and Setup Costs
    • Operating Costs
    • Training Costs
    • Cycle Costs
    • Average Expenses
    • Costs of Loss due to security problems

IT Management Issues

Administration Models:

  • Centralized - limited by the number of objects in Active Directory
  • Decentralized - more leverage to individual sites

Buy or Make:

  • Outsourcing - expertise readily available, but less control
  • In-House - longer implementation time, but more control

The Broad Security Strategies

Life cycle for implementing secure networking

  1. Requirements definition
  2. Solution proposal
  3. Design planning
  4. Proof of concept
  5. Implementation
  6. Operations and monitoring
  7. Optimization and maintenance
  8. Retirement

Elements of Secure Networking

  • Data Integrity - protection against tampering with your data (via digital signatures)
  • Data Confidentiality - protection against eavesdropping (via encryption)
  • Single Sign-on - one username and password for accessing all authorized network resources (via Kerberos)
  • Access Control (via assigning or denying permissions)
  • Physical Security
  • User Awareness (via education)

Types of Cryptography

  • Secret key encryption - both parties use the same shared secret key
  • Public key encryption - different but corresponding keys
  • Digital signatures - use encrypted message digests

Security Risks - Means of Intrusion

  • Identity interception
  • Impersonation
  • Replay attack
  • Masquerading
  • Data interception
  • Repudiation
  • Denial of service attacks
  • Trojan horse

Protecting Against Outside Intrusion

  • Locks on doors to server closets
  • Use of secure media
  • Firewalls
  • Strict access control
  • Limited assignment of administrative privileges
  • File level encryption
  • Regular Auditing

Protecting Against Internal Threats

  • Strong password policies
  • Encryption of network traffic
  • Limited assignment of administrative privileges

User Classifications
Based on usage needs:

  • Everyone
    • all people accessing your network
    • users cannot easily be identified
    • users accessing Web site should be included
  • Staff
    • all people who work for your organization
    • can be easily identified
    • may be in local or remote locations
  • Users
    • people who use applications to accomplish business functions
    • often organized into OUs
  • Partners
    • people from the outside who have a unique relationship with your company
    • use network resources that are externalized
    • limited access

User Classifications
Based on locations:

  • Local
    • access from the premises of the company
    • "physically attached" via LAN or wireless technologies
    • excludes the general public and members of trusted partner organizations
    • Primary security considerations:
      • the administration of user accounts, groups, policies, and permissions
      • ways for securing computers, files, folders, and network print resources
  • Remote
    • requires the use of the Windows 2000 Routing and Remote Access Service
    • secure access via the internet - use a virtual private network (VPN)
    • secure dial-up networking - use modems, connection protocols (such as PPP) and authentication protocols (such as MS-CHAP)

Security Strategies for the Computers

  • For Laptops
    • Use password-protected screen savers
    • Lock the computer while away
    • Use Security templates to restrict access to the registry hives
    • Use EFS!!!
  • For workstations
    • Use password-protected screen savers
    • Lock the computer while away
    • Use Security templates to restrict access to the registry hives
  • For Kiosk computers
    • Disable the guest account and all anonymous access.
    • Use ACLs to prohibit changes to files
    • Use registry ACLs to restrict access to the computer's registry
    • Use restrictive password policies
    • Use account lockout policy
    • Deploy extensive system auditing.
    • Rename the local administrator and guest accounts.
    • Use C2 certification security options.
  • For servers
    • Limit physical access to servers
    • Limit the use of the Administrator accounts
    • Avoid logging on as Administrator for routine tasks; use the runas command instead
    • Proper auditing - keep in mind, do not audit too much, or performance will be degraded

The Matching of Risks and Strategies

  • Data interception
    • Can occur in: printer access, file access, share access, internet access, dial-up access
    • Corresponding security strategies: secure printer access, data encryption
  • Identity interception
    • Can occur in: printer access, file access, share access, internet access, dial-up access
    • Corresponding security strategies: enforce the use of strong passwords, smart card authentication
  • Data manipulation
    • Can occur in: file access, share access, internet access, dial-up access
    • Corresponding security strategies: NTFS, EFS, L2TP with IPSec, VPN
  • IP Masquerading
    • Can occur in: printer access, file access, share access, internet access, dial-up access
    • Corresponding security strategies: Kerberos authentication, smart card authentication, certificates
  • Replay attacks
    • Can occur in: printer access, file access, share access, internet access, dial-up access
    • Corresponding security strategies: Kerberos authentication, smart card authentication, certificates
  • Denial of service attacks
    • Originate from the internet
    • Corresponding security strategies: firewall, DMZ


Types of Remote Connections and Their Drawbacks

·  Dial-up - slow

·  Digital subscriber line DSL - may be vulnerable if file and print sharing is on

·  Cable Modem - may be vulnerable if file and print sharing is on

The Windows 2000 Specific Technologies

Common Authentication Methods

  • Certificate-based authentication
  • Kerberos
  • Clear-text passwords (not recommended)
  • Digest authentication
  • Smart card authentication
  • NTLM authentication (backward compatibility)
  • Remote Authentication Dial-In User Service
  • Secure Sockets Layer

Elements of Strong Password Policy

  • Length must be greater than X characters (8 is the recommended minimum)
  • Require upper and lower case, numbers, and symbols
  • Password uniqueness
  • Password cannot contain user ID
  • Passwords cannot be repeated
  • Password must be changed at first logon
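The rules listed above, as an added Python example (not code from the original notes) of how a password-change routine would enforce them: minimum length of 8, all four character classes, no user ID inside the password, no reuse against a stored history, and a "must change at first logon" flag that is cleared once an acceptable password is set. The HISTORY_DEPTH value and the use of SHA-256 digests for the history are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 8          # the recommended minimum from the notes above
HISTORY_DEPTH = 5       # assumed value: how many old password digests are remembered


def _digest(password: str) -> str:
    # History is compared by hash so no plaintext password is kept (assumed design choice).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)   # digests of previous passwords, newest last
    must_change_at_logon: bool = True             # "Password must be changed at first logon"


def check_password(candidate: str, user_id: str, history: list,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the policy rules the candidate violates; an empty list means it is acceptable."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"shorter than {min_length} characters")
    classes = {
        "upper": any(c.isupper() for c in candidate),
        "lower": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(not c.isalnum() for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character classes: " + ", ".join(missing))
    if user_id and user_id.lower() in candidate.lower():
        violations.append("contains the user ID")
    if _digest(candidate) in history:
        violations.append("reused from password history")
    return violations


def set_password(account: Account, candidate: str) -> list:
    """Apply the policy; on success record the digest and clear the first-logon flag."""
    violations = check_password(candidate, account.user_id, account.history)
    if violations:
        return violations
    account.history.append(_digest(candidate))
    del account.history[:-HISTORY_DEPTH]          # keep only the newest HISTORY_DEPTH digests
    account.must_change_at_logon = False
    return []


if __name__ == "__main__":
    acct = Account("alice")
    for pwd in ("alice123", "Tr0ub4dor&3", "Tr0ub4dor&3"):   # constructed sample passwords
        print(pwd, "->", set_password(acct, pwd) or "accepted")
```

Running the block rejects "alice123" twice over (no upper-case or symbol characters, and it contains the user ID), accepts "Tr0ub4dor&3", and then rejects the same value a second time because it is now in the history.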

Preconfigured Security Templates

  • Compatible: for running older programs, not secure
  • Secure: secure areas of Windows 2000 that are not secured by the default settings.
  • High secure: requires all network communication to be digitally signed and encrypted, very secure but poor compatibility

Considerations for the Configuration of the Security Policy Template

  • Account Policies
  • Local Policies
  • Event Log
  • Restricted Groups
  • System Services
  • Registry
  • File System

IP Monitoring

  • SNMP is used for network management.
  • An SNMP agent is installed on each host to be monitored.
  • Agents report back to the SNMP management console.
  • A full-blown SNMP management console is available separately; SMS is an example.
  • You use Network Monitor to capture and analyze frames.
  • Capture filter is available in Network Monitor to ease the analysis process.
  • Components of a frame:
    • Source address of sender
    • Destination address of recipient
    • Protocol headers
    • Payload
  • The Network Monitor that comes with Windows 2000 can only capture frames destined to or sent from this particular computer.
  • System Monitor can be used to generate statistics.
  • You do NOT use System Monitor to capture frames.
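To make the frame components listed above concrete, here is an added Python example (not code from the original notes or from Network Monitor) that builds a few constructed Ethernet II + IPv4 frames, splits each into source address, destination address, protocol headers and payload, and applies a simple capture filter that keeps only frames sent from or destined to this computer's MAC address, the limitation the notes mention for the bundled Network Monitor. The MAC and IP addresses and the payloads are constructed sample data; the IP header checksum is left at zero because nothing here validates it.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                proto: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet II + IPv4 frame (sample data only, checksum left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def parse_frame(frame: bytes) -> dict:
    """Split a captured frame into the four components listed in the notes."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    parsed = {"dst_mac": _mac(dst), "src_mac": _mac(src),
              "headers": {"ethertype": ethertype}, "payload": frame[14:]}
    if ethertype != ETHERTYPE_IPV4:
        return parsed                      # non-IP frame: leave everything after Ethernet as payload
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4             # IPv4 header length in bytes (options included)
    parsed["headers"].update({
        "src_ip": str(ipaddress.IPv4Address(s)),
        "dst_ip": str(ipaddress.IPv4Address(d)),
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
    })
    parsed["payload"] = frame[14 + ihl:14 + total_len]
    return parsed


def capture_filter(frames, local_mac: str) -> list:
    """Keep only frames sent from or destined to this host, the bundled Network Monitor's limit."""
    kept = []
    for frame in frames:
        p = parse_frame(frame)
        if local_mac in (p["src_mac"], p["dst_mac"]):
            kept.append(p)
    return kept


THIS_HOST = "00:50:56:aa:bb:01"   # constructed MAC address of the monitoring computer
FRAMES = [                        # constructed sample traffic
    build_frame(THIS_HOST, "00:50:56:aa:bb:02", "10.0.1.20", "10.0.1.5", 6, b"GET /login HTTP/1.0\r\n"),
    build_frame("00:50:56:aa:bb:03", THIS_HOST, "10.0.1.5", "10.0.1.30", 17, b"\x00\x35"),
    build_frame("00:50:56:aa:bb:03", "00:50:56:aa:bb:02", "10.0.1.20", "10.0.1.30", 6, b"not ours"),
]

if __name__ == "__main__":
    for p in capture_filter(FRAMES, THIS_HOST):
        print(p["src_mac"], "->", p["dst_mac"], p["headers"], p["payload"])
```

The third frame never involves THIS_HOST and so is dropped by the filter, which is exactly the traffic a full capture on a promiscuous-mode analyzer would still show.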

Encryption Options

  • No encryption
    • Everything in plain text
    • Should NEVER be used
  • Basic
    • Uses 40-bit Microsoft Point-to-Point Encryption (MPPE) key.
    • Good for servers working as VPN
    • You may use PPTP or L2TP
    • L2TP uses a 56-bit key, which is more secure.
  • Strong
    • Uses a 56-bit Data Encryption Standard DES key
    • Safest among the available choices
    • Legal in the U.S.

IPSec

  • Defined by IETF
  • Operates at layer 3 of the OSI model
  • Encrypts and decrypts message for online transmission
  • Supported by Windows 2000
  • NOT supported by many pre-Windows 2000 clients
  • Secret key cryptography uses single preshared key
  • Public key cryptography uses key pair with one for encryption and the other for decryption
  • Security Association is established with ISAKMP/Oakley.
  • An IPSec policy is a collection of rules and key exchange settings contained in a domain security policy or an individual computer's security policy.
  • IPSec policy can be created with the IPSec Management MMC snap-in
  • Use IPSECMON.EXE to monitor and troubleshoot IPSec
  • Use Network Monitor V2.0's parser for IPSec to capture IPSec related information transferred over a network interface
  • L2TP + IPSec is usually the best combination for VPN of pure Windows 2000 computers

DNS - Active Directory Integrated Zone

  • The best zone type to use
  • Offers security for zone transfers
  • Uses Active Directory replication to transfer zone data
  • Zone transfers are based on changes

DHCP Configuration

  • The Windows 2000 DHCP server itself must have a static IP address.
  • The Windows 2000 DHCP server itself must be authorized in Active Directory in order to distribute IP addresses.
  • The DHCP service must be set with at least one DHCP scope to function.
  • You can, in the scope, have certain IP addresses excluded from the range.
  • You should adjust the lease time to fit your organization needs.
  • You can set the scope options to provide other addresses (such as WINS server addresses, DNS server addresses, etc.) for the clients to use.
  • You can use User classes to differentiate the settings for different groups of computers on the same scope.
  • For redundancy, always have at least two DHCP servers on the network
  • You must manually avoid any addressing conflicts between multiple DHCP servers.
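Because conflicts between multiple DHCP servers must be avoided by hand, it helps to check scope definitions before deploying them. The following added Python example (not code from the original notes or from the Windows 2000 DHCP service) models a scope as a range with exclusions, reports every address that two servers would both hand out, and flags a server whose own static address lies inside its own pool. The server names, addresses and lease value are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


def _rng(start: str, end: str) -> set:
    """All addresses from start to end inclusive, as integers."""
    return set(range(int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end)) + 1))


@dataclass
class Scope:
    server: str                      # name of the DHCP server that owns this scope
    server_ip: str                   # the server's own static address
    start: str
    end: str
    exclusions: list = field(default_factory=list)   # [(first, last), ...] excluded from the range
    lease_hours: int = 24            # constructed sample value; tune it to the organization's needs

    def pool(self) -> set:
        """Addresses the server will actually lease: the range minus every exclusion."""
        addresses = _rng(self.start, self.end)
        for first, last in self.exclusions:
            addresses -= _rng(first, last)
        return addresses

    def hands_out_own_address(self) -> bool:
        """True if the server's static address was not excluded from its own pool."""
        return int(ipaddress.IPv4Address(self.server_ip)) in self.pool()


def conflicts(scopes) -> dict:
    """Map each address leased by two or more servers to the list of those servers."""
    owners = {}
    for scope in scopes:
        for addr in scope.pool():
            owners.setdefault(addr, []).append(scope.server)
    return {str(ipaddress.IPv4Address(a)): names
            for a, names in sorted(owners.items()) if len(names) > 1}


# Constructed sample scopes: two servers on the same subnet, one of them misconfigured.
A = Scope("dhcp-a", "10.0.1.2", "10.0.1.10", "10.0.1.200", exclusions=[("10.0.1.10", "10.0.1.20")])
B_BAD = Scope("dhcp-b", "10.0.1.3", "10.0.1.150", "10.0.1.254")      # overlaps A on .150-.200
B_FIXED = Scope("dhcp-b", "10.0.1.3", "10.0.1.201", "10.0.1.254")    # disjoint with A
C_BAD = Scope("dhcp-c", "10.0.1.60", "10.0.1.10", "10.0.1.200")      # leases its own address

if __name__ == "__main__":
    print("overlapping addresses:", len(conflicts([A, B_BAD])))
    print("after fix:", conflicts([A, B_FIXED]))
    print("dhcp-c leases its own IP:", C_BAD.hands_out_own_address())
```

Run it and the overlap count for the bad pair is 51 addresses (.150 through .200), which drops to zero once the second scope starts at .201; the C_BAD case shows the static-address rule from the notes being violated.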

Dial-In Access

  • Users can use a modem to connect to the server.
  • PPP is the ideal protocol for dial-in.
  • PPP supports multiple protocols.
  • RRAS can obtain dynamic IP addresses from DHCP and then assign them to the dial-in clients.
  • To configure security for dial in connections, you can use:
    • Caller ID
    • Call back to a number specified by the user
    • Call back to a predefined number

RADIUS

  • Without RADIUS, you need to configure every single RAS server for authentication.
  • With RADIUS, a centralized authentication server can be used to authenticate all the dial in requests.
  • For a large network with lots of RAS servers, use the RADIUS solution.
  • For a large network that needs centralized accounting for RAS, use the RADIUS solution.
  • IAS stands for Internet Authentication Service and is the central component acting as the host for RADIUS.
  • IAS is responsible for the following centralized activities:
    • Authentication
    • Auditing
    • Accounting

Authentication Protocols supported by RADIUS

  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
  • Extensible Authentication Protocol (EAP), which is used for smart cards.
  • PAP is not secure as it uses clear text.
  • MS-CHAP is almost always the choice for dial in windows clients.

Dial-up Client OS - Supported Security Features

  • Windows 2000
    • Bandwidth Allocation Protocol (BAP)
    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    • Challenge Handshake Authentication Protocol (CHAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Password Authentication Protocol (PAP)
    • Microsoft Challenge Handshake Authentication Protocol 2 (MS-CHAP v2)
    • Extensible Authentication Protocol (EAP)
  • Windows NT 4.0 with Service Pack 4+
    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    • Challenge Handshake Authentication Protocol (CHAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Password Authentication Protocol (PAP)
    • Microsoft Challenge Handshake Authentication Protocol 2 (MS-CHAP v2)
  • Windows 98 with SP1
    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    • Challenge Handshake Authentication Protocol (CHAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Password Authentication Protocol (PAP)
    • Microsoft Challenge Handshake Authentication Protocol 2 (MS-CHAP v2)
  • Windows 95 with Security Upgrade
    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    • Challenge Handshake Authentication Protocol (CHAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Password Authentication Protocol (PAP)


Virtual Private Networks (VPN)

  • Use the internet for private connection.
  • If you have MULTIPLE SITES to connect, use VPN instead of dedicated point to point links.
  • The minimum requirement to implement VPN for a network is a single VPN server.
  • Two choices of Tunneling Protocols:
    • PPTP
    • L2TP
  • PPTP is supported by pre-Windows 2000 clients.
  • L2TP is supported only by Windows 2000.
  • L2TP itself does not encrypt the payload.
  • Use IPSec together with L2TP for securing the VPN connections.
  • Clients should use the virtual VPN adaptor to connect to the VPN server.

Choices for Dial-up or VPN Remote Access Permissions

·  Allow Access

·  Deny Access

·  Control via RAP

Certificate Authority (CA)

  • Responsible for issuing certificates.
  • One way of authentication and identification on the network.
  • 4 types of certificate authorities in a Windows 2000 network:
    • Enterprise root CA
    • Enterprise subordinate CA
    • Stand-alone root CA
    • Stand-alone subordinate CA
  • If you do not have Active Directory, use a Stand Alone Root CA for your internal needs.
  • If you have a big organization, use at least one Root CA plus other subordinate CAs to share the load and administration tasks for your internal needs.
  • If you are doing business on the internet, establish a relationship with a third party CA and use the certificates issued by that third party CA.
  • You can revoke the certificates you publish.
  • Certificates should be set with expiration date.
  • The more frequently certificates expire, the more secure the network is.

Security Across Networks

·  In a LAN - Create own Enterprise CA

·  In WAN - Use L2TP/IPSec to implement a site-to-site VPN connection

·  Across a Public Network - for maximum compatibility, use IPSec in tunnel mode, and optionally encrypt the data

Remote Installation Service (RIS)

·  Distribute images of built systems via a central server

·  The key: ensure that your security settings transfer completely

·  When creating installation scripts, carefully plan the access rights to be granted to your users

Placement and Inheritance of Security Policies
You need to determine the method to best and most efficiently pass down your policies without sacrificing security.

  • Sites:
    • Represents a physical location in a LAN or WAN
    • Can vary in their geographical scope from regional, to national, to international.
    • Breaking a network into multiple smaller sites increases network efficiency and avoids authentication traffic over the WAN
  • Domains:
    • Every Windows 2000 network can be based on one or more domains.
    • The security boundary
    • You may break up a domain:
      • geographically
      • by department
      • by function
      • by product
    • The key: only keep people that need to access the same data or exchange data in the same domain
  • Organizational Units:
    • Good for delegating a limited subset of your security administration duties
    • If multiple domains are too much for your organization, deploy multiple OUs under a domain instead
    • People with different data access needs should be kept in separate OUs

Conflicts

·  OU policies override domain and site policies.

·  Domain policies override site policies.

·  A user policy in the profile will override any of the other policies.

Group Policy Filtering

  • Group policy can be filtered by security group membership.
  • Policies apply only to the users who have Read permission for that GPO.
  • You can filter the scope of the GPO by creating security groups and assigning Read permissions selectively
  • You can block policies propagated from higher-level sites from being inherited
  • You can force child containers to inherit policies from their higher-level container objects
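The precedence rules under "Conflicts" and the filtering, blocking and forcing rules under "Group Policy Filtering" can be put together in one small model. The following is an added Python example, not code from the original notes or from Windows 2000 itself: containers are processed from site to domain to OU with the last writer winning, a GPO is skipped unless one of the user's groups has Read on it, a container with inheritance blocked discards ordinary GPOs from above it, and a forced GPO (No Override in Windows 2000 terms) survives the block and is applied last. The container names, GPO names, settings and group names are constructed sample data; the "local policy" step of the real processing order is left out because the notes do not cover it.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    read_groups: set                # security groups granted Read on the GPO (security filtering)
    no_override: bool = False       # "force child containers to inherit" (No Override)


@dataclass
class Container:
    name: str
    kind: str                       # "site", "domain" or "ou"
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False # "block the inheritance of policies" from containers above


def effective_policy(chain, user_groups):
    """chain: containers from the site down to the user's innermost OU.

    Returns (merged settings, names of the GPOs applied in processing order)."""
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, forced = [], []
    for depth, container in enumerate(chain):
        for gpo in container.gpos:
            if not (user_groups & gpo.read_groups):
                continue                                 # filtered out: no Read permission
            if gpo.no_override:
                forced.append((depth, gpo))              # survives any block below it
            elif depth >= block_at:
                normal.append(gpo)                       # dropped if a block sits beneath its container
    # Site, then domain, then OU, last writer wins; forced GPOs are applied after everything
    # else, highest container last, so a forced domain setting beats a forced OU setting.
    ordered = normal + [gpo for _, gpo in sorted(forced, key=lambda t: t[0], reverse=True)]
    result = {}
    for gpo in ordered:
        result.update(gpo.settings)
    return result, [gpo.name for gpo in ordered]


# Constructed sample hierarchy: one site, one domain, two OUs.
AUTH = {"Authenticated Users"}
SITE = Container("HQ", "site", [GPO("Site-Default", {"screensaver_timeout": 900}, AUTH)])
DOMAIN = Container("corp", "domain", [
    GPO("Domain-Password", {"min_pwd_length": 8, "screensaver_timeout": 600}, AUTH, no_override=True)])
KIOSKS = Container("Kiosks", "ou", [
    GPO("Kiosk-Lockdown", {"screensaver_timeout": 120, "guest_enabled": False}, {"Kiosk Computers"})],
    block_inheritance=True)
STAFF = Container("Staff", "ou", [GPO("Staff-Desktop", {"screensaver_timeout": 300}, AUTH)])

if __name__ == "__main__":
    print(effective_policy([SITE, DOMAIN, KIOSKS], {"Authenticated Users", "Kiosk Computers"}))
    print(effective_policy([SITE, DOMAIN, KIOSKS], {"Authenticated Users"}))
    print(effective_policy([SITE, DOMAIN, STAFF], AUTH))
```

The kiosk case shows the two rules interacting: the block on the Kiosks OU removes the site GPO, yet the forced domain password GPO still applies and its 600-second screensaver timeout overrides the OU's own 120 seconds, which is the behaviour an administrator relying on an OU lockdown should verify rather than assume.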

Remote User Profile Components

  • Dial-In Constraints:
    • Day and time allowed
    • Idle Disconnect Time
    • Maximum Session Length
    • Dial-In Number
    • Dial-In media
  • IP Properties - Define remote access policy filtering
  • Multilink - Define Bandwidth Allocation Protocol (BAP) policies
  • Authentication:
    • Specify the EAP type
    • By default, MS-CHAP and MS-CHAPv2 are enabled.
  • Encryption:
    • Basic - dial-up and PPTP-based connections: use Microsoft Point-to-Point Encryption with a 40-bit key
    • Basic - L2TP over IPSec-based connections, use 56-bit DES encryption
    • Strong - dial-up and PPTP-based connections, use MPPE with a 56-bit key
    • Strong - L2TP over IPSec-based connections, use 56-bit DES encryption.
    • Strongest - dial-up and PPTP-based connections, use MPPE with a 128-bit key
    • Strongest - L2TP over IPSec-based connections, use 3DES encryption
  • Advanced - Specify the RADIUS attributes

Remote Access Policies (RAP)

  • Stored locally in the IAS.MDB file of the RAS server.
  • A fancy way to define who has remote access to the network as well as what the characteristics of that connection will be.
  • Conditions for accepting or rejecting connections can be based on:
    • Day
    • Time
    • Group membership
    • Type of services
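How the account-level choices (Allow Access, Deny Access, Control via RAP) combine with the policy conditions listed above is easiest to see in code. The following added Python example is not code from the original notes or from the Windows 2000 RRAS/IAS implementation: it evaluates a request against an ordered list of policies on day, time, group membership and service type, lets the first matching policy decide, and carries the profile's maximum session length through on acceptance. Two behaviours are assumptions made for the example rather than statements from the notes: an account-level Allow or Deny takes precedence over the matched policy's own grant/deny action, and a request that matches no policy is rejected. Policy names, groups and times are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = {0, 1, 2, 3, 4}          # Monday=0 .. Friday=4
ALL_DAYS = set(range(7))


@dataclass
class Request:
    user: str
    groups: set
    service: str                    # "dial-up" or "vpn"
    when: datetime


@dataclass
class RemoteAccessPolicy:
    name: str
    days: set                       # day-and-time restriction condition
    window: tuple                   # (earliest, latest) time of day
    groups: set                     # group-membership condition; empty set = any user
    services: set                   # service-type condition; empty set = any service
    grant: bool                     # policy action when the conditions match
    max_session_minutes: int = 0    # profile constraint; 0 = no limit

    def matches(self, req: Request) -> bool:
        return (req.when.weekday() in self.days
                and self.window[0] <= req.when.time() <= self.window[1]
                and (not self.groups or bool(self.groups & req.groups))
                and (not self.services or req.service in self.services))


def evaluate(dial_in_permission: str, policies, req: Request):
    """dial_in_permission is the account setting: 'allow', 'deny' or 'rap' (Control via RAP).

    Returns (decision, reason, max_session_minutes or None)."""
    if dial_in_permission == "deny":
        return "rejected", "dial-in permission denied on the account", None
    for policy in policies:                      # assumed: the first matching policy decides
        if policy.matches(req):
            if dial_in_permission == "allow" or policy.grant:
                return "accepted", policy.name, policy.max_session_minutes
            return "rejected", policy.name, None
    return "rejected", "no remote access policy matched", None


# Constructed sample policy list: a permissive staff policy followed by a catch-all deny.
POLICIES = [
    RemoteAccessPolicy("Staff VPN, business hours", WEEKDAYS, (time(7, 0), time(19, 0)),
                       {"Staff"}, {"vpn", "dial-up"}, grant=True, max_session_minutes=480),
    RemoteAccessPolicy("Deny everything else", ALL_DAYS, (time(0, 0), time(23, 59, 59)),
                       set(), set(), grant=False),
]

if __name__ == "__main__":
    tuesday = datetime(2001, 5, 15, 10, 0)
    saturday = datetime(2001, 5, 19, 10, 0)
    print(evaluate("rap", POLICIES, Request("alice", {"Staff"}, "vpn", tuesday)))
    print(evaluate("rap", POLICIES, Request("alice", {"Staff"}, "vpn", saturday)))
    print(evaluate("allow", POLICIES, Request("alice", {"Staff"}, "vpn", saturday)))
```

The Saturday case is the one worth noticing: with Control via RAP the catch-all policy rejects the staff user outside business hours, but an account set to Allow Access gets in anyway, so account-level Allow silently bypasses the day-and-time restriction the policy was meant to enforce.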

Network Address Translation (NAT)

  • Good for a large network that needs to conceal its internal IP structure.
  • Allows computers on a small network to share a single Internet connection.
  • Also for hiding the internal IP addressing scheme.
  • If PERFORMANCE is NOT a concern, use NAT rather than Proxy Server.
  • If COST is a concern, use NAT rather than Proxy Server.

Proxy Server / ISA Server

  • Provides NAT functions.
  • Also provides caching function to enhance performance.
  • Proxy Array provides redundancy and load balancing for Proxy Servers.
  • If PERFORMANCE is also a concern, use Proxy Server.
  • Can provide traffic filtering on incoming traffic.
  • Can control outgoing access.
  • Its next version, ISA Server, provides much better firewall functionality.

Further Readings

  • Understand enterprise security issues, counter-measures, technologies, and best practices
  • Limit your organization's vulnerability with a comprehensive security strategy
  • Understand principles of smart cards and plan for deployment
  • Microsoft ISA Server Features: Security
  • The Common Criteria: Providing a Reliable Security Standard
  • Get and Stay Secure
  • Windows 2000 Security Services Features
  • Microsoft Windows 2000 Public Key Infrastructure
  • Encrypting File System for Windows 2000
  • Designing Authentication for a Windows 2000 Network
  • Internet Information Services 5 Security Overview