1. Lesson 17-Windows 2000/Windows 2003 Server Security Issues

2. Overview Set up the system. Special configuration issues for Windows 2003. Manage users. Manage the system. Use active directory.

3. Set up the System Windows 2000 adds some significant security features over those available under Windows NT. Windows 2000 is not secure out of the box. Configuration settings should be made before using the system to make it more secure.

4. Set up the System Configuration settings are divided into: Local security policy settings. System configuration settings.

5. Local Security Policy Settings Local policy editor GUI tool allows for setting local security policies. This tool should be used to make common Registry setting changes. Logon message can be configured using Message Text for Users Attempting to Log On or Message Title for Users Attempting to Log On settings.

6. Local Security Policy Settings Virtual memory pagefile contains important system information like encryption keys or password hashes. The Clear Virtual Memory Pagefile When System Shuts Down setting must be enabled to clear system pagefile on shutdown. The Allow System to Be Shut Down Without Having to Log On setting should be disabled.

7. Local Security Policy Settings LAN Manager Authentication system allows Windows 2000 servers to work with Windows 95 and Windows 98 clients. NT or Windows 2000 authentication systems are called NTLM v2. The use of NTLM v2 authentication must be enforced since LAN Manager Authentication system is weaker than NTLM v2.

8. Local Security Policy Settings Additional Restrictions for Anonymous Connections settings can prevent null user sessions from gaining information about users on a system. Windows 2003 Server has additional Software Restriction Policies that are not available in Windows 2000. An administrator can restrict the software run on local system, thus preventing untrusted software from running.

9. System Configuration Settings Windows 2000 introduces following new features: File systems. Network settings. Account settings and Service packs and hot-fixes.

10. File Systems FAT file systems should be converted to NTFS to allow for file permissions. Windows 2000 ships with a NTFS-5 version which comes with a new set of individual permissions. Encrypting File System (EFS) protects sensitive files if an intruder boots a system using another operating system.

11. Network Settings Administrative shares like C$, D$, IPC$, ADMIN$, and NETLOGON can be used to brute-force an attack, but should not be turned off. Windows 2000 have standard Windows ports (135, 138, and 139). Windows 2000 adds port 88 for Kerberos, port 445 for SMB over IP, port 464 for Kerberos kpasswd, and port 500 (UDP only) for Internet Key Exchange (IKE). Windows 2000 uses only domain controllers (DCs).

12. Account Settings and Service Packs and Hot-Fixes Windows NT comes with administrator and guest accounts by default. These accounts can be renamed by using the Local Security Settings tool.

13. Account Settings and Service Packs and Hot-Fixes Password policy and account lockout policy are configured using Local Security Settings tool as per the organization’s security policy. Service packs and hot-fixes should be implemented within an organization after appropriate testing.

14. Special configuration issues for Windows 2003 Following post-setup areas should be configured properly: Terminal Services. Software restrictions and.NET framework configurations.

15. Terminal Services By default, Windows 2003 Server provides Remote Desktop for Administration. Low, Client Compatible, High, and FIPS Compliant are levels of encryption used to protect data sent between client and server.

16. Terminal Services Logon settings can be used to specify logon credentials to be used by default when clients connect to the terminal server. Network Adapter settings can be used to determine which network adapters the service will listen on.

17. Software Restrictions and.NET Framework configurations Software restrictions must be configured properly post- setup..NET Framework Configuration tool can be used to control an application’s access to protected resources. Security systems use enterprise, machine, and user policy levels to determine the permissions that an assembly receives.

18. Manage Users Management of users on a Windows 2000 system is critical to the security of the system and the organization. Proper procedures must be there to identify the proper permissions each new user should receive. Procedures must make sure that an employee loses access rights to the organization’s systems after leaving the organization.

19. Manage Users Adding users to the system: User Management procedures should be used to add new users to the system. These procedures define who may request new accounts and who may approve these requests. New users are added to a system or domain through the Computer Management tool.

20. Manage Users Adding users to the system (continued): Each user should have a unique user ID and own account. Multiple users should not be given access to the same user ID. New users should be forced to change their password the first time they log in. An account must be added to the appropriate groups once it has been created.

21. Manage Users Setting file permissions and removing users from the system: Groups should be used to set permission on files and shares. When users leave an organization, their account must be disabled immediately using the Computer Management tool. In case the account contains any important files, the user’s superior should access and copy them within 30 days. After 30 days the account should be removed from the system.

22. Manage the System Security is important when a system is configured and set up as well as in day-to-day operations. The best security mechanism is an administrator who is paying attention to his systems. Auditing a system, using log files, and looking for suspicious signs enhances the administrator’s ability to detect security problems.

23. Manage the System The secedit command: secedit command can be used to manage the security policy on a large number of systems. It provides analysis, configuration, validation, refresh, and export capabilities. Analysis - The policy on the system in question is analyzed and compared to a provided policy.

24. Manage the System The secedit command (continued): Configuration - The policy on the system in question is changed to match a provided policy. Validation - A security configuration file can be validated. Refresh - secedit provides a mechanism to refresh the system security policy. Export - secedit can be used to export a configuration from a security database to a security template.

25. Manage the System Auditing a system - The audit policy should be set according to the organization’s security policy using Local Security Settings tool. Log files - Administrators should look at the log files and back them up on a regular basis.

26. Manage the System Looking for suspicious signs: Security event log shows failed login attempt entries which indicate brute-force intrusion. File access failures may indicate an authorized user who is attempting to access sensitive files. On Windows 2000 system with audit turned on, the event logs should never be empty.

27. Manage the System Looking for suspicious signs (continued): Missing log files may indicate intrusion. If an intruder attempts to modify entries in log files, a gap would be found in the log file. System administrators should periodically examine the Task Manager to see if any unknown processes like CMD are running.

28. Use Active Directory Active Directory (AD) is the center of Windows 2000/2003 security. AD is a directory service with scalable domain structure. Each domain in AD has its own security policies and security relationships with other domains. Key components of AD are Global Catalog, schema, domain, organizational unit (OU), Group Policies, and trust relationships.

29. Use Active Directory All domains in the AD share a common configuration, schema, and Global Catalog (GC). GC contains replica of domains, schema, and configuration naming contexts. Schema defines what objects and attributes can be stored in the AD. Domain is a group of computers that form administrative boundary for users, groups, computers, and organizational units.

30. Use Active Directory OUs are smallest atomic administrative units that exist in the AD and form security boundaries. Group Policies provide the ability to group security and configuration settings into templates. Trust relationships allow information, such as user security IDs, in one domain to be used in another.

31. Use Active Directory Secure setup and installation. Administration. Group policy and security. AD user and group management.

32. Secure Setup and Installation Selection of the Permissions Compatible with Pre-Windows 2000 Server option is an important security issue when setting up AD. This option should not be set if supporting pre-Windows 2000 system is not required. It must be ensured that users have strong passwords and systems are protected from untrusted networks.

33. Administration Primary tools for administration: Active Directory Domains and Trusts. Active Directory Sites and Services. Active Directory Users and Computers. ADSIEdit.

34. Group Policy and Security Configurations Options and Default GPOs. Configuration Settings in the Group Policy. Group Policy Additions in Windows 2003 Group Policy. Precedence and loopback. Inheritance. Group Policy Management Tools.

35. Configurations Options and Default GPOs Group Policies are split into User and Computer sections. User configuration includes the desktop settings, security settings, and logon/logoff scripts. Computer configuration configures the running system environment, including service settings, security settings, and startup/shutdown scripts. Default Group Policies are Default Domain Policy and Default Domain Controller Policy.

36. Configuration Settings in the Group Policy Group Policy Object Editor

37. Configuration Settings in the Group Policy User configuration includes: Windows Settings: Internet Explorer Maintenance: Security. Windows Settings: Scripts. Administrative Templates: Windows Components: Windows Explorer.

38. Configuration Settings in the Group Policy User configuration includes: Administrative Templates: Windows Components: Windows Installer. Administrative Templates: Start Menu and Taskbar. Administrative Templates: Desktop. System: Group Policy.

39. Configuration Settings in the Group Policy Computer configuration includes: Account Policies: Password Policy Account Policies: Account Lockout Policy Local Policies: Audit Policies Local Policies: User Rights Assignment

40. Configuration Settings in the Group Policy Computer configuration includes (continued): Local Policies: Security Options Event Log: Settings for Event Logs Restricted Groups: Members of Restricted Group Restricted Groups: Restricted Group Is Member Of IP Security Policies

41. Group Policy Additions in Windows 2003 Group Policy Two items of Group Policy are Software Restriction Policies and Wireless Network (IEEE 802.11) Policies. Wireless Network Policies allow administrators to manage wireless network policies, define preferred wireless networks, and define 802.1X authentication for any system.

42. Precedence and Loopback The system follows the order of precedence, on system boot and on user login, in Group Policy evaluation/application. By default, GPs are applied on the basis of the location of the object being configured. Loopback processing overrides this feature for users.

43. Inheritance Policies are inherited from the furthest to the closest with the closer (lower) having precedence. Order of evaluation is Local Security Policy, Site Group Policies, Domain Group Policies, and OU Group Policies.

44. Group Policy Management Tools Group Policy Management Console tool is MMC snap-in and set of scripts. Scripts are intended to provide a single interface to manage Group Policy across an enterprise.

45. Group Policy Management Tools Group Policy Management Console provides a tool for determining “resultant” policy for a given user and/or system. Resultant Set of Policy (RSoP) is a tool to make implementing and troubleshooting policies easier.

46. AD User and Group Management Account Policy via Group Policy and user restrictions in the User account properties ensure appropriate security settings. Active Directory Users and Computers snap-in is used to manage the users, groups, and things such as OUs for domains.

47. Summary Configuration settings like Local security policy settings and System configuration settings make the system more secure. Local policy editor GUI tool allows for setting local security policies. System Configuration Settings include file systems, network settings, account settings, and service packs and hot-fixes.

48. Summary Managing users in a system involves adding and removing users and setting file permissions. Managing a system includes auditing a system, using log files, and looking for suspicious signs to detect security problems.

49. Summary secedit command provides analysis, configuration, validation, refresh, and export capabilities to manage the security policy. Active Directory (AD) is the center of Windows 2000/2003 security.