Your Complete Guide to Configuring a Secure Windows 2000 Network
• Complete Coverage of Internet Information Services (IIS) 5.0
• Hundreds of Configuring & Implementing, Designing & Planning Sidebars, Security Alerts, and FAQs
• Complete Coverage of Kerberos, Distributed Security Services, and Public Key Infrastructure

Chad Todd
Norris L. Johnson, Jr., Technical Editor

From the authors of the bestselling HACK PROOFING™ YOUR NETWORK
1 YEAR UPGRADE BUYER PROTECTION PLAN

181_HPnew_FC 9/20/01 11:51 AM Page 1

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 AJNR2U394F
002 BKAER9325R
003 ZLKRT9BSW4
004 VKF95TMKMD
005 BWE9SD4565
006 CAL44GMLSA
007 XD2KLFW3RM
008 QM4VLR39P6
009 5MVREM56PK
010 9VNLA2MER3

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Windows 2000
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-49-3

Technical Editor: Norris L. Johnson, Jr.
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Darlene Bordwell
Developmental Editor: Jonathan Babcock
Indexer: Robert Saigh
Freelance Editorial Manager: Maribeth Corona-Evans

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Eric Green, Dave Dahl, Elise Cannon, Chris Barnard, John Hofstetter, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise. In addition, a special thanks to Janis Carpenter, Kimberly Vanderheiden, and all of the PGW Reno staff for help on recent projects.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at Graphic Services/InterCity Press for all their help.

From the Author

I would like to thank Paul Salas, coauthor of Administering Cisco QOS for IP Networks by Syngress Publishing, for introducing me to the folks at Syngress and Chris Jackson for his support and encouragement. I would also like to thank the authors of Configuring Windows 2000 Server Security, Thomas Shinder, Debra Shinder, and Lynn White, for providing the foundation for this book. Finally, a thank you to the editors that made this book possible—Jon Babcock, Catherine Nolan, Norris Johnson, Thomas Llewellyn, and Melissa Craft.

I would also like to thank my wife Sarah who is a tremendous help in my work and supportive of the numerous hours spent on my various projects. Without Sarah’s loving support, I would not be able to accomplish my personal or professional goals.
Author

Chad Todd (MCSE, MCT, CNE, CNA, A+, Network+, i-Net+) is a Systems Trainer for Ikon Education Services, a global provider of technical training. He currently teaches Windows 2000 Security classes. In addition to training for Ikon, Chad also provides private consulting for small- to medium-sized companies. Chad writes practice tests for Boson Software and is the coauthor of Test 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. Chad first earned his MCSE on Windows NT 4.0 and has been working with Windows 2000 since its first beta release. He was awarded Microsoft Charter Member 2000 for being one of the first 2000 engineers to attain Windows 2000 MCSE certification. Chad lives in Columbia, SC with his wife Sarah.

Technical Editor

Norris L. Johnson, Jr. (MCSE, MCT, CTT, A+, Network+) is a Technology Trainer and Owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies. He specializes in Windows NT 4.0 and Windows 2000 issues, providing planning and implementation and integration services. In addition to consulting work, Norris is a Trainer for the AATP program at Highline Community College’s Federal Way, WA campus and has taught in the vocational education arena at Bates Technical College in Tacoma, WA. Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the guidance and support provided by his parents and wife Cindy while transitioning to a career in Information Technology.

Contributors

Dr. Thomas W. Shinder, M.D. (MCSE, MCP+I, MCT) is a Technology Trainer and Consultant in the Dallas-Ft. Worth metroplex.
He has consulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Tom is a Windows 2000 editor for Brainbuzz.com, a Windows 2000 columnist for Swynk.com, and is the author of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6). Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, OR. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on systems engineering. Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms. Tom has contributed to several Syngress titles, including Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4), and Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and is the coauthor of Troubleshooting Windows 2000 TCP/IP (1-928994-11-3).

Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an Independent Technology Trainer, Author, and Consultant who works in conjunction with her husband, Dr. Thomas Shinder, in the Dallas-Ft. Worth area. She has been an instructor in the Dallas County Community College District since 1992, and is the Webmaster for the cities of Seagoville and Sunnyvale, TX. Deb is a featured Windows 2000 columnist for Brainbuzz.com and a regular contributor to TechRepublic’s TechProGuild. She and Tom have authored numerous online courses for DigitalThink (www.digitalthink.com) and have given presentations at technical conferences on Microsoft certification and Windows NT and 2000 topics. Deb is also the Series Editor for the Syngress/Osborne McGraw-Hill Windows 2000 MCSE study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task Force, and local professional organizations.
Deb and Tom met online and married in 1994. They opened a networking consulting business and developed the curriculum for the MCSE training program at Eastfield College before becoming full-time technology writers. Deb is the coauthor of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6). She has also coauthored Syngress’s Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3) and has contributed to several Syngress titles, including Managing Windows 2000 Network Services (ISBN: 1-928994-06-7) and Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4).

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a Security Consultant. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He has held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was also heavily involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This not only included American equipment but also equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace was an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has coauthored over 18 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He has also performed as Technical Editor for various other books and is a published author in Internet Security Advisor magazine.
His wife Martha and daughter Marissa are very supportive of the time he spends with his computers, routers, and firewalls in the “lab” of their house. Without their love and support he would not be able to accomplish the goals he has set for himself.

[...]

... release, but in Windows 2000 Server it has replaced the default authentication with Kerberos v5 for an all-Windows 2000-based network (clients and servers).

Chapter 1 • The Windows 2000 Server Security Migration Path

Differences in Windows 2000 Server Security

One of the enhancements to Windows 2000 Server security is that Windows 2000 Server supports ...

■ A Windows NT 4.0 Workstation system authenticating to a Windows NT 4.0 PDC or BDC
■ A Windows 2000 computer authenticating to a Windows 2000 standalone server
■ A Windows 2000 computer authenticating to a Windows NT computer
■ A properly configured Windows 9X computer with the dsclient installed authenticating to a Windows 2000 domain controller

... differences between some of the tools used in Windows NT 4.0 and those used in Windows 2000 Server.

Figure 1.1 Active Directory Users and Computers

Table 1.1 Windows NT 4.0 and Windows 2000 Server Tools
Windows NT 4.0              Windows 2000 Server
User Manager for Domains    Active Directory ...

... enable my Windows 98 clients to use Kerberos v5 authentication?

A: Down-level clients (Windows 9x and NT 4.0) do not support Kerberos v5 authentication. The only way to use Kerberos would be to upgrade your Windows 98 clients to Windows 2000 Professional.

Chapter 1 The Windows 2000 Server Security Migration Path
Introduction
Windows 2000 Server Security
Why the Change?
Differences in Windows 2000 Server ...
Windows NT 3.51 presents another problem. Even though it is possible to upgrade Windows NT 3.51 to Windows 2000 Server, Microsoft does not recommend running Windows NT Server 3.51 in a Windows 2000 Server domain, because Windows NT 3.51 has problems with authentication of groups and users in domains other than the logon domain.

... in Service Pack 4 for Windows NT 4, is supported in Windows 2000 if you properly configure the clients and servers (see Chapter 10, “Supporting Non-Windows 2000 Clients and Servers,” for details). Figure 1.2 shows a packet capture of a Windows 98 client logging on to a Windows 2000 Server domain. The Windows 98 machine is sending out a broadcast LM1.0/2.0 LOGON request.

Figure 1.2 A Windows 98 Client Sending ...

Figure 1.3 shows a Windows 2000 Server responding to the Windows 98 client’s request. The Windows 2000 Server responds with an LM2.0 response to the logon request. NTLM is used to authenticate Windows NT 4.0, but LM is used to authenticate Windows 95 and Windows 98 systems. NTLM is used to authenticate logons in these cases:

■ A Windows NT 4.0 Workstation system authenticating to a Windows 2000 domain controller
...

... applicable only to Windows 2000 Server-only domains. (See Chapter 4.)

Windows 2000 Server depends heavily on Public Key Infrastructure (PKI). PKI consists of several components: public keys, private keys, certificates, and certificate authorities (CAs). (See Chapter 9, “Microsoft Windows 2000 Public Key Infrastructure.”)
... is not available for a Windows 2000 machine authenticating to a Windows 2000 domain controller.

Figure 1.3 Windows 2000 Server Responding with an LM2.0 Response

The difficulty with using NTLM or LM as authentication protocols cannot be overcome easily. The only way to get around using NTLM or LM at the moment is to replace the systems using earlier versions of Windows with Windows 2000 systems. This solution ...

Contents

UNIX
Kerberos
Windows 2000
Macintosh
SSL
Web Clients
SNA
Lan Manager
NTLM
Novell
Other
Windows 3.x
Windows NT
Windows 95
Windows 98
Mainframe (AS/400)

Chapter 4 Secure Networking Using Windows 2000 Distributed Security Services 105
Introduction 106
The Way We Were: Security in NT 106
A Whole New World: Distributed Security in Windows 2000 106
Distributed ...

Chapter 1 The Windows 2000 Server Security Migration Path 1
Introduction 2
Windows 2000 Server Security 3
Why the Change? 3
Differences in Windows 2000 Server Security 4
Authentication ...