Windows 2000 Security Audit & Control
Windows 2000 Security
Peter Wood
First•Base Technologies
Active Directory
• Active Directory is the Windows 2000
directory service
• Security is an integral feature, with
authentication and object access controls
• With a single logon:
- Administrators can manage the directory for the
entire network
- Users can access resources anywhere on the
network
Slide 2
© First Base Technologies 2001
Objects
• Objects include shared resources such as
servers, files, printers, and the network user
and computer accounts
• Each object has attributes associated with it,
e.g. for a user, first name, last name,
description, e-mail address etc.
• Additional attributes can be added by
extending the schema…
Slide 3
Object Permissions
• Access to Active Directory objects is
controlled by permissions
• The permissions available depend upon the
object type
• E.g. there is a Reset Password permission
for a user but not for a computer
• Permissions can be granted or denied - denied permissions take precedence
Slide 4
Organisational Units
• An OU is a container object used to
organise other objects into logical
administrative groups
• It can contain objects such as
users, groups, computers, and
other organisational units
• It can only contain
objects from its
parent domain
Slide 5
Domains
• Domains
- The core unit of the logical structure
- Domain design can reflect the organisation
- The directory includes one or more domains,
each having its own security policies and trust
relationships with other domains
- A domain therefore defines a security boundary
- Security policies and settings don’t cross from
one domain to another
Slide 6
Trees & Forests
• A Tree is one or more Windows
2000 domains that:
- Form a hierarchy
- Share a common schema
- Share the same global catalog
- Are connected by transitive, bi-directional trust
• The hierarchical structure of
domains within a tree forms a
contiguous namespace
Slide 7
Trees & Forests
• Forests
- A forest consists of multiple domain trees
- The trees in a forest don’t form a contiguous namespace
- But a forest does have a root domain - the first domain
created in the forest
Slide 8
Trust Relationships
• Windows NT trusts were
limited to the two domains
involved
• The trust (and hence the
access) was one-way
• Two trust relationships were
needed for bi-directional
access
• Windows 2000 trusts are
transitive and two-way
Slide 9
Server Roles
• Domain Controller
- A computer running Windows 2000 Server that
provides Active Directory service to network
users and computers
- Domain controllers store directory data and
manage user authentication and directory
searches
Slide 10
Server Roles
• Member Server
- Runs Windows 2000 Server
- Member of a domain but not a domain controller
- Doesn’t handle user logon, doesn’t participate in
Active Directory replication, and doesn’t store
domain security policy information
- Contains a local security account database, the
Security Account Manager
- Can be moved between domains
Slide 11
Server Roles
• Member Servers typically function as:
- File servers
- Application servers
- Database servers
- Web servers
- Remote access servers
- Certificate servers
- Firewalls
Slide 12
Server Roles
• Stand-alone Server
- A computer that is running Windows 2000
Server and is not a member of a Windows 2000
domain
- Stand-alone doesn’t necessarily mean it isn’t
connected to anything!
- Stand-alone servers can share resources with
other computers on the network, but they can’t
take advantage of Active Directory
Slide 13
Dynamic DNS
• Windows 2000 uses DNS to locate domain
controllers & resolve machine IP addresses
• DNS is integrated into Active Directory,
which is used to store and replicate DNS
zone information
• Dynamic DNS enables computers to register
and update their DNS records automatically
• This makes it much easier to use (like WINS)
Slide 14
User Accounts
Slide 15
Administrators
• Either: Member of
Administrators
(domain) local group
• Or: Member of
Domain Admins
global group
• Or: Member of
Enterprise Admins
universal group
Slide 16
Administrator - Good Practice
Create separate administrator-equivalent
accounts for each administrator
Rename the Administrator account
Set a difficult password on it
Lock the name and password under dual
control
Create a “sacrificial goat” administrator
account with no privileges
Slide 17
Network Guest Logon
[Diagram: Domain 1 and Domain 2]
• If a user from a non-trusted domain attempts access
• Access is allowed if Guest is enabled and has no password
• There is no challenge at all
• The Guest account is disabled by default, but…
• This is not enough!
Slide 18
Guest - Good Practice
Rename the account
Set a difficult password on it
Prevent Guest access to servers across
the network with user rights assignments
Restrict its logon hours to never
Don’t use it and keep it disabled
everywhere!
Slide 19
Built-in Global Groups
• Domain Users
- Member of the Users domain local group
- All new user accounts are automatically members
• Domain Admins
- Member of the Administrators domain local group
- Initially contains the Administrator account
• Domain Guests
- Member of the Guests domain local group
- Initially contains the Guest account
Slide 20
Built-in Universal Groups
• Enterprise Admins
- Initially contains the Administrator account
- Is a member of the Administrators domain local
group of each domain in the forest
- For individuals who need administrative control
for the entire network
• Schema Admins
- Designated administrators of the schema
Slide 21
Built-in System Groups
• These groups have dynamic membership:
- Everyone
- Authenticated Users
- Creator Owner
- Network
- Interactive
- Anonymous Logon
- Dialup
Slide 22
Everyone
• An entity which
automatically contains all
people on the network
• Not a regular group and
does not appear in the list of
groups, but...
• Privileges can be (and are)
assigned to Everyone
Slide 23
Group Policy
Slide 24
Security Policies
• Microsoft defines a policy as a “set of rules
that determine the interaction between a
subject and an object”
• Each Windows 2000 computer has a set of
local policies
• In a domain these are overruled by any
domain-level policies that apply
• These are known as Group Policies
Slide 25
Group Policy
• User policies are applied when a user logs on
• Computer policies are applied at boot time
• Unlike NT, security groups can’t have policies
applied to them - only users and computers
• Policy settings are contained in Group Policy
Objects
• You associate GPOs with Active Directory
containers - i.e. sites, domains, and OUs
Slide 26
Group Policy
• Unlike NT System Policies, Group Policies
can specify more than just registry settings
• You can:
- Manage registry-based policy using
Administrative Templates
- Specify security settings
- Assign startup, shutdown, logon & logoff scripts
- Redirect folders to network locations
- Manage applications
Slide 27
Administrative Templates
• These specify registry-based policy settings
• The settings available are determined by
.adm template files
• Windows 2000 ships with default .adm files
• Information is saved in Registry.pol files
under \WINNT\SYSVOL\sysvol\<domain>
• They can include settings for applications as
well as for Windows 2000
Slide 28
Security Settings
• Allows you to specify security options, for example:
- Password policy
- Account lockout policy
- Audit policy
- User rights assignment
- Event log settings
- Public key policies
Slide 29
Security Templates
• Windows 2000 provides a number of
security templates based on computer
roles
• Each contains a group of
security settings appropriate
to the role
• They can be applied to a local
computer or imported into a GPO for
application via Group Policy
Slide 30
Order of Policy Application
• Policies are applied in this order:
- Local Group Policy Object
- Site Group Policy Object
- Domain Group Policy Object
- OU Group Policy Objects, from parent to child down the OU hierarchy
- Multiple GPOs associated with the same
container are applied in the order specified by
the Administrator
Slide 31
Effective Policy
• By default, policies applied later overwrite
previously applied policies if they don’t match
• Otherwise all policies applied contribute to the
effective policy
• Computer policies take precedence if they
conflict with user policies
• If group policies are removed, local policies
resume effect - there is no registry “tattooing”
Slide 32
Inheritance & Blocking
• Policies that would otherwise be
inherited from “higher up” can
be blocked at any level
• Policies that would otherwise be
overwritten by policies “lower
down” can be set to No
Override
• Policies set to No Override can’t
be blocked
Slide 33
Filtering Group Policy
• Policy can be filtered
by security group
membership
• A security group ACE
on a GPO can be set to
Not configured,
Allowed or Denied
• Denied overrides
Allowed
Slide 34
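As an added example, not part of the slides, the precedence rules from the four preceding slides modelled in Go: LSDOU order with later values overwriting earlier ones, No Override locking a setting against lower levels, Block Inheritance, Denied-overrides-Allowed filtering, and local policy resuming where no GPO value remains. The GPO, Container and EffectivePolicy names and the boolean ACL encoding are choices made here, not Windows structures.

```go
package main

// GPO is a Group Policy Object as linked to one Active Directory container.
type GPO struct {
	Settings   map[string]string
	NoOverride bool            // set to No Override: cannot be blocked or overwritten lower down
	ACL        map[string]bool // per security group: true = Allowed, false = Denied, absent = Not configured
}

// Container is one level of the chain (site, domain, then each OU from parent to child).
type Container struct {
	BlockInheritance bool
	GPOs             []GPO // in the order the administrator specified for this container
}

// appliesTo is the filtering rule: Denied overrides Allowed; no Allowed ACE at all means skip.
func (g GPO) appliesTo(groups []string) bool {
	allowed := false
	for _, grp := range groups {
		if v, ok := g.ACL[grp]; ok && !v {
			return false
		} else if ok {
			allowed = true
		}
	}
	return allowed
}

// EffectivePolicy walks the chain from the most specific container upward, first
// writer wins (equivalent to Local, Site, Domain, OU order with later overwrites).
// Past a Block Inheritance container only No Override GPOs count, a No Override GPO
// higher up always wins, and local policy fills in underneath (no "tattooing").
func EffectivePolicy(local map[string]string, chain []Container, groups []string) map[string]string {
	result, blocked := map[string]string{}, false
	for i := len(chain) - 1; i >= 0; i-- {
		c := chain[i]
		for j := len(c.GPOs) - 1; j >= 0; j-- {
			g := c.GPOs[j]
			if !g.appliesTo(groups) || (blocked && !g.NoOverride) {
				continue
			}
			for k, v := range g.Settings {
				if _, set := result[k]; !set || g.NoOverride {
					result[k] = v
				}
			}
		}
		blocked = blocked || c.BlockInheritance
	}
	for k, v := range local {
		if _, set := result[k]; !set {
			result[k] = v
		}
	}
	return result
}
```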
Additional Security Features
Slide 35
Audit Policy
• Auditing is enabled through Group Policy
• An audit entry is written to the security event
log whenever certain actions are performed
• The entry shows the action performed, by
whom, and when
• You can audit both successful and failed
attempts at actions
• Auditing is turned off by default
Slide 36
RunAs
• The RunAs feature allows a user to launch
processes with a different user context
• Processes may include programs, MMC
consoles or Control Panel applets
• This allows privileged users to run processes
from a non-privileged context
- runas /user:username@domain program.exe
- runas /user:domainname\username program.exe
Slide 37
Delegating Administrative Control
• You can delegate administration of a
container - there are three options:
- Delegate permissions to change properties on a
particular container
- Delegate permissions to create and delete
objects of a specific type in an OU, e.g. users
- Delegate permissions to manage specific
properties on objects of a specific type in an
OU, e.g. set a password on a user object
Slide 38
Delegating Administrative Control
• Delegation avoids the need for multiple
administrators to have authority over an entire
domain or site
• … but you can delegate administration for an
entire domain within a forest if you like
Slide 39
Windows 2000 PKI
• Key Windows 2000 PKI components include:
- Certificate Services
- Smart card support
- Encrypting File System (EFS)
- Kerberos authentication
- IP Security
- Virtual Private Networks (VPNs)
Slide 40
Certificate Services
• Windows 2000 Certificate Services can be
used to create a CA which can:
- Receive certificate requests
- Verify the identity of the requester and the
information in the request
- Issue certificates
- Revoke certificates
- Provide key management
Slide 41
Smart Cards
• Windows 2000 supports logon using
certificates stored on smart cards
• Smart card based certificates are also
supported for Web authentication,
e-mail security and other public key
cryptography-related activities
• They allow users to roam easily within and
outside a domain
Slide 42
Supported Smart Cards
• Windows 2000 Supports Gemplus GemSAFE
and Schlumberger Cryptoflex smart cards
• Other RSA-based smart cards will work if the
vendor has developed software support for
the card
• PIN management is the responsibility of the
support software and the user - Windows
2000 does not manage PINs
Slide 43
Encrypting File System
• Encrypting File System enables users to
encrypt and decrypt files
• Encryption (and decryption) of files is
transparent to the user
• It allows users to store data securely on local
computers
• Because EFS is integrated with the file system
it is easy to manage but difficult to attack
Slide 44
Encrypting File System
• EFS is particularly useful
for securing data on
computers that are
vulnerable to theft, like
laptops
• It does not support the
sharing of encrypted data
• It is not supported on FAT
volumes
Slide 45
EFS Encryption
• Each file has a unique DESX encryption
key which is also used to decrypt the data
• The data is encrypted with the unique key
• The file encryption key is itself encrypted
with the user’s public key
• It is also encrypted with the public key of an
authorised recovery agent
• Both encrypted keys are stored with the file
Slide 46
EFS Decryption
• First the file encryption key is decrypted
• This can either be achieved with the user’s
private key...
• Or using the recovery agent’s private key
• Once the file encryption key is decrypted it
can be used by either the user or the
recovery agent to decrypt the data
Slide 47
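As an added example covering the EFS Encryption and EFS Decryption slides (not code from the slides or from Windows), the key-handling scheme in Go: a fresh per-file key encrypts the data and is itself wrapped under both the user's and the recovery agent's public keys, so either private key can unwrap it, while any other key recovers nothing. AES-256-GCM and RSA-OAEP stand in for DESX and the Windows key formats, and EncryptedFile, EncryptFile and DecryptFile are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile mirrors the layout the slides describe: the ciphertext stored with
// the file encryption key (FEK) wrapped under the user's and the recovery agent's
// public keys (the recovery agent's copy is what makes file recovery possible).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        [][]byte // one wrapped copy of the FEK per key holder
}

// EncryptFile creates a fresh per-file key, encrypts the data with it and wraps that
// key for every recipient. AES-256-GCM stands in here for the DESX that EFS uses.
func EncryptFile(data []byte, recipients ...*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // a 32-byte key is always valid for AES
	gcm, _ := cipher.NewGCM(block)
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedFEK = append(f.WrappedFEK, w)
	}
	return f, nil
}

// DecryptFile is the two-step path from the decryption slide: unwrap the FEK with
// whichever private key matches (owner or recovery agent), then decrypt the data.
// A key that matches no wrapped copy cannot recover anything.
func DecryptFile(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.WrappedFEK {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // this copy was not wrapped for our key
		}
		block, _ := aes.NewCipher(fek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, errors.New("private key is neither the owner's nor a recovery agent's")
}
```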
File Recovery Certificates
Export the file recovery certificate and
master key to removable media
Delete the certificate from the machine (this
doesn’t stop users from encrypting data)
Import the certificate only when necessary
to perform file recovery
Make sure you remove it again afterwards
Slide 48
EFS Good Practice
Make several copies of file recovery
certificates removed from systems
Store them very securely - you won’t be able
to recover files if they’re lost!
This is particularly important with laptops
Make sure files are also protected by adequate
permissions - otherwise they can be deleted
Slide 49
Encryption and Servers
• Windows 2000 supports the storage of
encrypted files on servers...
• But not remote sharing of encrypted files
• Encrypted files are not encrypted over the
network - only when stored on disk...
• An administrator must designate a server as
“trusted for delegation” before users can
encrypt files that reside there
Slide 50
Kerberos Authentication
• Kerberos V5 is a standard security protocol
for authenticating user and system identity
• It is the primary protocol for Windows 2000
domain authentication
• It uses three parties in validation:
- A user trying to access a target server
- The target server needing to validate the user
- A server that holds credentials for both of them
Slide 51
Security Analysis
• Security Configuration and Analysis is a
snap-in for analysing and configuring local
system security
• It uses a database to perform analysis and
configuration functions
• The database is personalised by importing
security templates
• Multiple security templates can be combined
into a composite template
Slide 52
Security Analysis
• The tool compares current system security
settings against the database
• It displays the results for each security
attribute as follows:
- A red X indicates a difference
- A green check mark indicates consistency
- No icon indicates that security attribute wasn’t
analysed because it wasn’t part of your database
Slide 53
Security Analysis
• You can choose to modify the database to
match the system...
• And then export the results as a new
template if you like
• Or you can modify the system to match the
database
• This is not recommended for domain
members - use Group Policy instead
Slide 54
Service Packs & Patches
• Service Packs are issued periodically by
Microsoft and contain:
- Fixes for known bugs
- Additional operating system features
• You can get them via download, on CD,
from TechNet…
• The latest Windows 2000 Service Pack
release is SP2
Slide 55
Service Packs & Patches
• They update all files older than those
included in the Service Pack
• Service Pack releases are cumulative and
contain all previous Service Pack fixes
• You no longer have to re-apply them after
making changes to system services
• Before installing a Service Pack make sure
you read the README file very thoroughly!
Slide 56
Good Practice
Keep the number of privileged users to a
minimum
Give each admin user two accounts - one
with admin privilege and one “regular” one
Insist on using RunAs
Delegate administrative privilege at OU
level where possible
Slide 57
References - www.sans.org
• SANS Securing Windows 2000 Step-by-Step Guide ($299)
• A Discussion of Best Practices for Microsoft’s Encrypted
File System
• Basic Security Issues of Active Directory
• Role-Based Administration for Windows 2000
• Securing Windows 2000 Server
• Securing Windows 2000
• Windows 2000 Known Vulnerabilities and Their Fixes
• Windows 2000 Security Standards
Slide 58
References
• Hardening Windows 2000 (www.SystemExperts.com)
• Top 10 Security Threats for Windows 2000 and Active
Directory (www.BindView.com)
• The Definitive Guide to Windows 2000 Security
(www.BindView.com)
• NSA Windows 2000 Security Recommendations Guides
(http://nsa1.www.conxion.com/win2k/download.htm)
• BindView bv-Control & bv-Admin (www.BindView.com)
Slide 59
Need more information?
First•Base Technologies
The Old Courthouse
38 High Street Steyning
West Sussex BN44 3YE
+44 (0)1903 879879
www.firstbase.co.uk
Slide 60